Baseline NFRs for oxFlow — the qualities the system must exhibit beyond functional behaviour. Grouped by concern area. Short by design — full NFR specs (test plans, SLAs, performance budgets) come in PRD and dev handoff.
Related docs: glossary.md · business-rules.md · roles-permissions.md
Requirement Target Status Estimate with 1000+ Items loads without lag UI interactive within 2s (p95) 🟡 Anomaly Review completes a full scan Under 5s on a typical estimate (~500 items) 🟡 Worksheet re-computation on edit Under 200ms for a single-item change 🟡 Adjudication import (Excel/PDF) Under 10s per file 🟡 Workbench live-cost queries (actual + committed) Under 3s per query 🟡 Director Dashboard loads across N projects Under 5s for 50 active projects 🟡 Export to Excel / PDF Under 15s for a 1000-item estimate 🟡 AI query response time (natural language project queries) Under 10s (p95) 🟡
All numbers are working targets subject to refinement during load testing.
2. Security
Requirement Detail Status Role-based access control As per roles-permissions.md; enforced server-side 🟢 Audit logging Log all write actions on Commercials Rules, Submit, Publish, Adjudication lock/re-open, Variation state transitions, Code edits, User Role changes 🟡 Audit log retention Immutable, retain for project lifetime + 7 years 🟡 HTTPS enforced All traffic; HSTS enabled 🟢 Data at rest encryption AES-256 or equivalent 🟢 Authentication SSO via Microsoft 365 🟢 Session management Idle timeout (configurable, default 30 min); no cross-device session sharing 🟡 Secrets management Integration credentials (Xero, Workbench, AI) stored encrypted; rotatable 🟡
3. Collaboration
Requirement Detail Status Real-time multi-user editing per Estimate Per-Item explicit locking; presence indicators for active editors 🟡 Concurrent read Unlimited; read-only views for non-editors 🟢 Admin override of lock Admins can forcibly release a stale lock 🟢
4. Data lifecycle
Requirement Detail Status Benchmark rate library migration One-off import of the Benchmark resource library, preserving codes, descriptions, rates, groupings, units, categories 🟡 Benchmark full data migration All active estimates, libraries, and historical data migrated 🟡 Benchmark decommissioning Full cutover; Benchmark licenses terminated post-migration 🟡 Disaster recovery RPO < 24h, RTO < 4h (targets) 🟡
Migration detail lives in migration-benchmark.md
5. Training & support
Requirement Detail Status Structured user training Role-based training sessions for all Oxcon users prior to Go-Live 🟢 Training materials User guides, quick-reference cards, video walkthroughs 🟡 Post-launch support (tiered) Essential tier (infrastructure + reliability) and Priority Partnership tier (dedicated developer access, 4-hour SLA, quarterly roadmap reviews) 🟢
6. Hosting & operations
Requirement Detail Status Cloud-hosted Managed infrastructure; cloud provider TBD 🟡 Environments Separate staging and production; staging mirrors production data model with scrubbed data 🟡 Domain / DNS / SSL Managed; certificates auto-renewed 🟢 Security patches & dependency updates Monthly cadence; emergency patches out-of-band 🟢 Uptime monitoring Automated alerting; 99.5% target for business hours, 99.0% monthly 🟡 Performance monitoring Server health checks; alerts on p95 latency regression 🟡
7. Observability
Requirement Detail Status Structured application logs Request ID, User ID, action, entity ID, timestamp 🟡 Error tracking Client and server errors captured with stack traces and context 🟡 Feature-level metrics Per-estimator usage counts, feature-touch rates (for roadmap prioritisation) 🟡