| ID | Requirement | Priority |
|----|-------------|----------|
| FR‑001 | Record a numeric score (0‑100) for each piece of content, derived from weighted engagement signals (likes, shares, watch‑time, purchase‑rate). | Must |
| FR‑002 | Store anonymous viewer identifiers (hashed, salted tokens) to prevent duplicate scoring while keeping PII out of analytics. | Must |
| FR‑003 | Provide real‑time updates to the content page (WebSocket or SSE) when the score changes. | Should |
| FR‑004 | Expose a RESTful API for fetching score data, filtered by date range, geography, and content‑rating. | Must |
| FR‑005 | Include an admin dashboard with charts (trend lines, heat maps) and export‑to‑CSV capability. | Should |
| FR‑006 | Integrate with existing age‑verification service (e.g., AgeCheck API) and refuse scoring for unverified users. | Must |
| FR‑007 | Offer a privacy toggle for creators to hide the score from public view while retaining internal analytics. | Could |
| FR‑008 | Log immutable audit events (score calculation, manual overrides) to an append‑only store for compliance audits. | Must |

| ID | Requirement |
|----|-------------|
| NFR‑001 | Scalability – support up to 10 M concurrent viewers and 1 M score updates per minute with <150 ms latency. |
| NFR‑002 | Security – data at rest encrypted (AES‑256); API protected with JWT + scopes (score:read, score:write). |
| NFR‑003 | Reliability – 99.9 % uptime SLA; automatic failover to a secondary region. |
| NFR‑004 | Observability – metrics exported to Prometheus (request latency, error rates, score‑calc time). |
| NFR‑005 | Compliance – GDPR “right to be forgotten” – delete all tokens linked to a given viewer upon request within 24 h. |

| Control | Implementation |
|---------|----------------|
| Authentication | JWT signed with RS256; short‑lived access tokens (15 min). |
| Authorization | Scope‑based (read/write/audit). |
| Data Encryption | At‑rest: AES‑256 (RDS encryption). In‑transit: TLS 1.3. |
| Tokenization | Viewer identifiers hashed with per‑tenant salt; never stored in plaintext. |
| Rate Limiting | 100 requests/second per IP for public endpoints; stricter for rating endpoint. |
| Input Validation | JSON schema validation; rating limited to 1‑5; score bounded 0‑100. |
| Audit Trail | Immutable append‑only logs; signed entries (HMAC‑SHA256). |
| GDPR/CCPA | Endpoint to delete all rows linked to a token; automatic purge after 30 days of inactivity. |
| Pen‑Testing | Annual third‑party assessment; continuous SAST/DAST in CI pipeline. |
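As an added example (not part of this specification or any product's code), the Tokenization and Audit Trail controls above implemented in Python: viewer identifiers are keyed-hashed with a per‑tenant secret salt so the same viewer always maps to the same token without the raw identifier ever being stored, and audit entries are HMAC‑SHA256 signed and chained to their predecessor so any edit, deletion or reorder is detectable. The tenant salt, signing key and event payloads are constructed placeholders; the salt is treated as a secret key (HMAC) rather than a public salt, since a public salt alone would not stop brute-forcing of low-entropy identifiers.

```python
import hashlib
import hmac
import json

# Constructed secrets for the example; a real deployment loads these from a KMS/secret store.
TENANT_SALTS = {"tenant-a": b"constructed-per-tenant-salt-a"}
AUDIT_KEY = b"constructed-audit-signing-key"
GENESIS = "0" * 64  # link value for the first entry in an empty log


def tokenize_viewer(tenant_id: str, viewer_id: str) -> str:
    """FR-002 / Tokenization: stable, non-reversible viewer token (HMAC-SHA256, per-tenant key)."""
    return hmac.new(TENANT_SALTS[tenant_id], viewer_id.encode(), hashlib.sha256).hexdigest()


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation so the signature does not depend on key order or whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_audit_event(log: list, event: dict) -> dict:
    """FR-008 / Audit Trail: append an entry signed with HMAC-SHA256 and chained to the previous one."""
    if "score" in event and not 0 <= event["score"] <= 100:
        raise ValueError("score must be within 0-100")  # Input Validation control
    prev_sig = log[-1]["sig"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev_sig, "event": event}
    entry["sig"] = hmac.new(AUDIT_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_audit_log(log: list) -> bool:
    """Recompute every signature and link; returns False on any tampering."""
    prev_sig = GENESIS
    for seq, entry in enumerate(log):
        if entry.get("seq") != seq or entry.get("prev") != prev_sig:
            return False  # deleted, inserted or reordered entry
        unsigned = {k: v for k, v in entry.items() if k != "sig"}
        expected = hmac.new(AUDIT_KEY, _canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["sig"]):
            return False  # modified entry
        prev_sig = entry["sig"]
    return True


if __name__ == "__main__":
    log = []
    token = tokenize_viewer("tenant-a", "viewer-42")
    append_audit_event(log, {"type": "score_calc", "viewer": token, "content": "c1", "score": 87})
    append_audit_event(log, {"type": "manual_override", "content": "c1", "score": 90})
    print("chain valid:", verify_audit_log(log))
```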