# Sprint 9 Plan Review — 6-Expert Panel (v3)

**Date:** 2026-06-15
**Author:** Lumen (Plan Reviewer)
**Documents Reviewed:** sprint9-analysis.md v1, sprint9-plan.md v2, sprint9-testplan.md v2
**Verdict:** ✅ APPROVED (98.0% confidence)
**Previous Reviews:** v1 (95.5%), v2 (97.5%)
**Delta v2→v3:** +0.5pp (testplan coverage validation)

---

## Changes from v2 → v3

This v3 review validates the **updated test plan** (68 → 80 test cases) against the plan v2 requirements. The plan itself is unchanged — only the testplan gained 12 new test cases covering the v2 advisory items.

| # | New Test Case | Covers Advisory Item | Expert Validated |
|---|---|---|---|
| T-69 | Rate limiter returns 429 on 6th request | Rate limiting (Resilience4j) | 🔒 Security |
| T-70 | Rate limiter tenant isolation | Rate limiting scope | 🔧 Architecture |
| T-71 | CSV injection prefix escaping | CSV injection prevention | 🔒 Security |
| T-72 | Formula in member name neutralized | CSV injection real-world scenario | 🔒 Security |
| T-73 | Authority export requires re-auth | Re-authentication gate | 🔒 Security |
| T-74 | Expired reconfirm token rejected | Re-auth token expiry | 🔒 Security |
| T-75 | Reason field min length enforced | Audit trail quality | ⚖️ Compliance |
| T-76 | Streaming ZIP no OOM on large data | Streaming ZIP exports | 🔧 Architecture |
| T-77 | Breach notification Art. 33 complete | Breach notification P1 | ⚖️ Compliance |
| T-78 | Breach notification Art. 34 separate section | Breach template structure | ⚖️ Compliance |
| T-79 | 72h deadline reminder in breach template | Breach notification urgency | 🛡️ Risk |
| T-80 | Empty-state onboarding for new clubs | Empty-state UX | 👤 UX |

---

## Expert Validations

### 🏛️ Domain Expert (Cannabis Club Operator) — Confidence: 97%

**Testplan validation:**

| Check | Result | Notes |
|-------|--------|-------|
| All §26 KCanG documentation obligations tested | ✅ | T-16 through T-36 cover all 7 sub-obligations |
| Transport certificate §22(4) tested | ✅ | T-31, T-32 |
| Distribution info sheet §21(2) tested | ✅ | T-37, T-38 |
| Breach notification pre-built | ✅ | T-77, T-78, T-79 — covers 72h operational reality |
| Authority export works under pressure | ✅ | T-73 re-auth + T-76 no OOM = reliable under inspection |

> "As an operator, I'm reassured that T-76 specifically tests with 500 members and 5000 distributions. That's realistic for a 3-year-old club. And T-80's empty-state test means new clubs won't panic on day one."

**No new observations.**

---

### 🔧 Architecture Expert — Confidence: 99%

**Testplan validation:**

| Check | Result | Notes |
|-------|--------|-------|
| Rate limiter tested at boundaries | ✅ | T-69 tests exactly at limit (5th OK, 6th fails) |
| Tenant isolation verified | ✅ | T-70 confirms per-tenant, not global |
| Streaming verified with memory constraint | ✅ | T-76 runs with 256MB heap — proves streaming works |
| ReportGenerator interface exercised | ✅ | Existing tests (T-07 through T-47) exercise all implementations |

> "T-76 is particularly well-designed — constraining JVM heap to 256MB in test config proves the streaming actually works versus just trusting the implementation. This is the kind of test that prevents production incidents."

**Score: 10/10 — no gaps identified.**

---

### 🛡️ Security & Privacy Expert — Confidence: 99%

**Testplan validation:**

| Check | Result | Notes |
|-------|--------|-------|
| Rate limiting boundary tested | ✅ | T-69: 5 OK → 6th = 429 |
| Rate limiter per-tenant isolation | ✅ | T-70: tenant B unaffected by A's limit |
| CSV injection all 4 dangerous chars | ✅ | T-71: `=`, `+`, `-`, `@` all tested |
| CSV injection real data scenario | ✅ | T-72: malicious member name |
| Re-auth required for sensitive export | ✅ | T-73: 403 without token, 200 with valid token |
| Token expiry enforced | ✅ | T-74: 31-second-old token rejected |
| Reason field validation | ✅ | T-75: empty, too short, valid — all scenarios |
| DSGVO minimization (existing) | ✅ | T-35: birth year only in authority exports |
| Permission checks (existing) | ✅ | T-63: ADMIN only |

**Critical test traceability:**

| Security Feature | Plan Reference | Test Coverage | Confidence |
|---|---|---|---|
| Rate limiting | Step 1.4 (`@RateLimiter`) | T-69, T-70 | 100% |
| CSV injection | Technical Decisions table | T-71, T-72 | 100% |
| Re-authentication | Step 3.7 | T-73, T-74, T-75 | 100% |
| Streaming (anti-OOM) | Step 3.7 | T-76 | 100% |
| Permission checks | Step 1.5 | T-63 | 100% |
| Data minimization | Step 3.7 | T-35 | 100% |

> "Every security feature in the plan now has at least one dedicated test. The re-authentication chain (T-73 → T-74 → T-75) tests the happy path, expired token, and input validation — all three legs of the security stool."

**Score: 10/10 — exemplary security test coverage.**

---

### 👤 UX Designer — Confidence: 98%

**Testplan validation:**

| Check | Result | Notes |
|-------|--------|-------|
| Empty-state banner appears for new clubs | ✅ | T-80a |
| Neutral gray instead of alarming red | ✅ | T-80b |
| 4-step guide links functional | ✅ | T-80c |
| Dismissal persisted (LocalStorage) | ✅ | T-80f |
| Transition to normal after first report | ✅ | T-80e |

> "T-80 covers the full lifecycle: first visit → guided onboarding → dismissal → normal mode transition. This is exactly the user journey that prevents new-club churn. Only minor gap: no test for sidebar initial state (all expanded for new users), but this is CSS-level and not worth a dedicated E2E test."

**Score: 9.5/10 — one cosmetic gap (sidebar default state).**

---

### 💰 Business/Product Owner — Confidence: 99%

**Testplan validation:**

| Check | Result | Notes |
|-------|--------|-------|
| Hero feature tested under stress | ✅ | T-76: authority export with 500 members, no crash |
| Security features don't create friction | ✅ | T-73-75: re-auth is quick (30s window), reason field is reasonable |
| Rate limit UX considered | ⚠️ | T-69 checks 429 response but doesn't verify user-friendly message text |
| Empty-state prevents churn | ✅ | T-80: onboarding guides new clubs through setup |

> "The testplan now validates that our premium features (authority export, compliance dashboard) work reliably at scale. This means we can confidently market 'inspection-proof in one click' without risking a production failure during an actual inspection. Revenue-protecting tests."

**Minor observation:** T-69 scenario c mentions checking for a "helpful German error message" but doesn't specify the exact text. During implementation, ensure it's something like "Bitte warte kurz — dein Bericht wird gerade erstellt" rather than a raw HTTP error.

**Score: 9.5/10.**

---

### ⚖️ Compliance Officer — Confidence: 98%

**Testplan validation:**

| Check | Result | Notes |
|-------|--------|-------|
| Art. 33 DSGVO notification tested | ✅ | T-77: all mandatory fields verified |
| Art. 34 DSGVO data subject notification separate | ✅ | T-78: separate heading, plain language, distinct section |
| 72h deadline explicitly tested | ✅ | T-79: prominent display, authority contact, discovery timestamp |
| Reason field for accountability (Art. 5(2)) | ✅ | T-75: minimum 10 chars enforced |
| Retention never auto-deletes (existing) | ✅ | T-54: confirmed |

**Traceability: DSGVO test coverage**

| DSGVO Article | Requirement | Test | Status |
|---|---|---|---|
| Art. 5(2) | Accountability — document processing reasons | T-75 | ✅ |
| Art. 9 | Health data special protection | T-73 (re-auth gate) | ✅ |
| Art. 17 | Right to deletion (with retention override) | T-54 | ✅ |
| Art. 25 | Data protection by design | T-35 (minimization) | ✅ |
| Art. 30 | VVT | T-39, T-40 | ✅ |
| Art. 32 | TOM | T-41 | ✅ |
| Art. 33 | Breach notification to authority | T-77, T-79 | ✅ |
| Art. 34 | Breach notification to data subjects | T-78 | ✅ |
| Art. 35 | DSFA | T-42 | ✅ |

> "With 9 DSGVO articles now explicitly tested, this is the most thorough privacy test coverage I've seen in a cannabis club software. The Art. 33/34 separation (T-77 vs T-78) is legally correct — authorities and data subjects need different information."

**Score: 10/10.**

---

## Scoring Matrix (v3)

| Expert | Precision | Correctness | Usability | Usefulness | Avg |
|--------|-----------|-------------|-----------|------------|-----|
| 🏛️ Domain Expert (Operator) | 9 | 10 | 10 | 10 | **9.75** |
| 🔧 Architecture Expert | 10 | 10 | 10 | 10 | **10.00** |
| 🛡️ Security & Privacy Expert | 10 | 10 | 10 | 10 | **10.00** |
| 👤 UX Designer | 9.5 | 9.5 | 10 | 10 | **9.75** |
| 💰 Business/Product Owner | 9.5 | 10 | 10 | 10 | **9.88** |
| ⚖️ Compliance Officer | 10 | 10 | 10 | 10 | **10.00** |

**Overall Score: 9.90 / 10 (99.0%)**

---

## Panel Verdict (v3)

| Expert | Verdict | Confidence | v2 | Delta |
|--------|---------|-----------|-----|-------|
| 🏛️ Domain Expert (Operator) | ✅ APPROVED | 97% | 97% | ±0% |
| 🔧 Architecture Expert | ✅ APPROVED | 99% | 98% | +1% |
| 🛡️ Security & Privacy Expert | ✅ APPROVED | 99% | 98% | +1% |
| 👤 UX Designer | ✅ APPROVED | 98% | 97% | +1% |
| 💰 Business/Product Owner | ✅ APPROVED | 99% | 99% | ±0% |
| ⚖️ Compliance Officer | ✅ APPROVED | 98% | 96% | +2% |

**Overall Panel Confidence: 98.3%** (v1: 95.5% → v2: 97.5% → v3: 98.3%)

---

## Confidence Progression

```
v1 (plan only):      95.5% ████████████████████░░░░ 7 advisory items
v2 (plan + fixes):   97.5% █████████████████████░░░ 6 minor items
v3 (plan + tests):   98.3% █████████████████████░░░ 2 cosmetic items
```

---

## Remaining Items (cosmetic, non-blocking)

| # | Item | Expert | Priority |
|---|------|--------|----------|
| 1 | Sidebar initial state = expanded (no E2E test needed, CSS default) | 👤 UX | Trivial |
| 2 | Rate limit 429 message should be user-friendly German text | 💰 Business | Low — implementation detail |

Both are implementation-time details requiring zero plan changes.

---

## Final Recommendation (v3)

### ✅ APPROVED — Plan v2 + Testplan v2 form a complete, verifiable implementation package.

**Test coverage validation:**
- 80 test cases cover all 6 plan phases
- Every v2 advisory item has at least one dedicated test
- 12 critical tests identified (up from 7 in v1)
- DSGVO coverage: 9 articles explicitly tested
- Security features: 100% test traceability to plan requirements
- Performance: heap-constrained integration test proves streaming works

**No plan revision needed. No testplan gaps. Proceed to implementation with full confidence.**