| Rule | Category | Result | Severity | Controls | Finding |
|---|---|---|---|---|---|
| auth-on-new-public-endpoints | security | fail | blocker | SOC2-CC6.1, OWASP-ASVS-V1 | The new public endpoints `GET /refunds` and `POST /refund-all` lack explicit authentication annotations or dependencies, making them publicly accessible by default. |
| changed-method-coverage | quality | fail | error | SOC2-CC8.1, ISO-27001-A.14.2.8 | The new methods `list_refunds` and `refund_all` in `app/routes/refunds.py` do not have corresponding tests introduced or updated in this diff. |
| integration-boundaries-explicit | contract_spec | fail | warning | CDPD-§6, ISO-27001-A.14.2.5 | New HTTP endpoints (`GET /refunds`, `POST /refund-all`) are introduced, but no explicit OpenAPI or schema documentation is included in the diff for these new API contracts. |
| kill-switch-path | contract_spec | fail | warning | CDPD-§9, SOC2-CC7.5 | The `POST /refund-all` endpoint introduces significant new operational functionality without a feature flag, environment toggle, or documented rollback procedure. |
| observability-on-new-endpoints | operational | fail | warning | SOC2-CC7.2, ISO-27001-A.12.4.1 | The new HTTP endpoints in `app/routes/refunds.py` do not include explicit structured logging (request ID, latency, status) or metrics (counter or histogram). |
| spec-implementation-match | contract_spec | fail | error | CDPD-§7 | The MR description states 'Closes #220 (audit-only access to refund records)', but the implementation includes a `POST /refund-all` endpoint which performs a write operation (mass refund), contradicting the 'audit-only' nature of the spec. |
| contract-has-spec-link | contract_spec | pass | warning | CDPD-§3, ISO-27001-A.14.2.1 | MR description includes 'Closes #220 (audit-only access to refund records)' linking to a spec issue. |
| dependency-advisory-check | security | pass | blocker | SOC2-CC7.1, ISO-27001-A.12.6.1, NIST-SA-11 | The diff does not introduce or upgrade any dependencies. |
| no-commented-out-code | quality | pass | info | SOC2-CC8.1 | The diff does not contain any blocks of commented-out code (3+ consecutive lines). |
| no-secrets-in-diff | security | pass | blocker | SOC2-CC6.1, ISO-27001-A.9.4.3, OWASP-ASVS-V2 | No secret patterns (API keys, tokens, private keys, connection strings with passwords) were detected in the diff. |
| no-skipped-tests-introduced | quality | pass | error | SOC2-CC8.1 | No test files were added or modified in the diff, so no skipped tests were introduced. |
| rollback-documented-for-migrations | operational | pass | error | SOC2-CC7.5, ISO-27001-A.14.2.2 | The diff does not include any database migration files. |
| acceptance-criteria-testable | contract_spec | skip | warning | CDPD-§5, SOC2-CC8.1 | The content of spec #220 is not provided, and no test files are included in the diff to compare against acceptance criteria. |
| error-budget-impact-declared | operational | skip | warning | SOC2-CC4.1 | No `slo.yaml` file is referenced, and the MR description does not include a declaration of the expected error-budget impact. |
| mutation-resilience-critical-paths | quality | skip | warning | SOC2-CC8.1 | No information about files labeled `critical_path: true` or mutation test results is available to evaluate this rule. |