# ACS Diagnose — Credential-Free Readiness Audit

**Audit date:** 6 July 2026  
**Scope:** Work that can be completed before production credentials, hosting access and OBD hardware are available

## Completed and evidenced

| Requirement | Evidence | Verification |
|---|---|---|
| Product scope, safety boundaries and offline behavior | `docs/acs-diagnose-mvp-prd.md`, edge/offline UX specification | Diagnostic evaluator passes 14 scenarios and 19 rules |
| Versioned immutable scan record | `docs/acs-diagnose-schema.json` | JSON parses and platform check confirms schema version 1.1.0 |
| Native/backend API contract | `docs/acs-diagnose-openapi.yaml` | OpenAPI YAML parses with 19 paths |
| Credential-free backend | `backend/` | Syntax checks and in-process API tests pass |
| Development authentication and server-owned roles | `/auth/exchange`, access/refresh tokens, fake identities disabled in production | API ownership/staff tests pass |
| Accounts, consent and Mercedes vehicles | account/consent/vehicle routes | Tested through the API handler |
| Offline scan upload and duplicate protection | scan ingestion, canonical evidence hash and idempotency records | Matching retry reconciles; changed evidence returns `SCAN_HASH_CONFLICT` |
| Scan history and explanation state | scan list/detail/explanation routes and worker queue | API checks pass; fake development explainer fails closed in production |
| OpenAI explanation boundary | Responses API adapter, strict schema, minimized evidence, semantic guard and deterministic safety fallback | Mock Responses API tests prove `store: false`, identity removal and unsafe/invented-code rejection |
| Optional photo consent and private storage | JPEG attachment route, metadata sanitizer and private upload path | Test proves no upload before consent and stored bytes contain no supplied EXIF/GPS metadata |
| Staff preparation security | step-up token, queue purpose, append-only review/audit events | Test proves missing step-up/purpose is rejected and opening is audited |
| Privacy request records | export/correction/account, vehicle and scan deletion requests | Routes implemented; database blueprint included |
| Privacy export fulfillment | Purpose-scoped background export, authenticated download and seven-day expiry | Tests prove cross-account denial and omission of another customer's data |
| Worker crash recovery | Fifteen-minute database lease with capped retry/dead state | Test proves stale lease recovery without taking a live worker's job |
| WhatsApp customer handoff | backend service request and prototype links | Tests and rendered prototype confirm `wa.me/97339680866` with prefilled text |
| No WhatsApp API dependency | architecture, PRD and environment names | Platform check rejects old WhatsApp API credential names |
| Native client foundations | Swift and Kotlin API models, protected offline queues and strict WhatsApp validation | Both native cores compile; 4 iOS and 2 Android tests pass |
| Retention enforcement | Mobile 30-day queue purge plus server scan/photo/session/idempotency/audit/job sweep | Automated tests prove expired payload/file removal and preservation of current records |
| cPanel deployment preparation | architecture, SQL migration, deployment checklist and archive | `backend/deploy/acs-diagnose-api.tar.gz` builds and excludes secrets/data |

Run the complete credential-free gate from the repository root:

```bash
npm run diagnose:check
```

Expected result:

```text
ACS Diagnose platform check passed: API syntax, contract invariants, security flows, WhatsApp handoff, and diagnostic rules.
```

## Correctly waiting for credentials or external access

| Item | Why it cannot be completed responsibly now | Required input |
|---|---|---|
| Real Bahrain OTP | Issuer, audience, SDK and token validation are provider-specific | Selected provider project/configuration and test numbers |
| OpenAI explanations | Production calls, retention settings and structured-output evaluation require the account | API key/project and approved model access |
| Production token and field encryption | Secrets must be generated and stored on the production host, not committed | Signing secret/key pair, encryption key and lookup-HMAC key |
| Production database adapter verification | Host engine/version and connection behavior must be tested against the actual dedicated database | cPanel database name/user/password/host and confirmed MariaDB version |
| Live deployment | No FTP/SFTP/cPanel endpoint or credentials exist in this workspace | Restricted SFTP/FTP or cPanel file access plus application path |
| DNS/TLS | The API subdomain must be created and issued a certificate on the host | cPanel/DNS access |

The existing Zoho `.env.example` is not FTP access and cannot be repurposed.

## Correctly waiting for hardware

| Item | Required evidence from the ordered adapter |
|---|---|
| BLE service/characteristic implementation | Real discovery and notification/write characteristics on iOS and Android |
| ELM/STN command allowlist validation | Actual firmware responses and proof that only read commands are issued |
| Connection/retry timings | Discovery, initialization, K-line/CAN latency and malformed-response thresholds |
| Mercedes coverage matrix | Workshop comparisons across chassis, engines and generic OBD availability |
| Background/reconnection behavior | Real iOS/Android tests with ignition cycling, range loss and app backgrounding |

## Native validation status

- iOS compiled with installed Xcode 26.3 and passed four tests: ACS WhatsApp destination,
  offline queue identity, 30-day purge behavior and scan-ID path traversal rejection.
- Android compiled against API 35 using the checksum-pinned Gradle 8.9 wrapper and a verified
  temporary Temurin JDK 17. It passed two tests covering ACS WhatsApp destination and API wire
  field names.
- Android pending scan payloads use Android Keystore AES-256-GCM encryption. iOS queue files
  use complete file protection and atomic writes.

Full SwiftUI/Compose application screens and BLE modules remain later implementation phases.
BLE behavior cannot be validated until the ordered adapter arrives.

## Release prohibition

Do not upload real customer scans, photographs, phone numbers, plates or VINs to the current
development JSON store. A pilot release remains prohibited until production identity,
database, encryption, legal/privacy review, staff safety wording review and hardware acceptance
are complete.
