7 User Stories — M3 (AI Q2 Delivery)
In-flight delivery stories, keyed to PRD Appendix A
Milestone M3 — AI Q2 Delivery (Jun 2026), plus the CAD/P&ID open-standard FRs that landed alongside it. Status labels mirror PRD Appendix A.
8 Contextual data chat
8.0.1 US-M3-01 — Workspace-scoped natural-language query
FR-APP-02 (single-turn, In Progress Q2), FR-APP-03 (multi-turn, Q3 Target)
As an Integrity Engineer, I want to ask natural-language questions scoped to my workspace and campaign so that I can find relevant findings without manual filtering.
- Given a selected workspace and campaign, when I ask a single-turn question, then the answer draws only on that workspace’s data. (Multi-turn context retention is FR-APP-03, targeted for M4 — accuracy at 2+ turns is currently below release bar.)
- Given a query that implies a high-consequence action, when the assistant proposes it, then it requires explicit human-in-the-loop confirmation before any action is taken.
- Given no grounded data supports an answer, when the assistant responds, then it states it cannot find supporting data rather than fabricating a result.
8.0.2 US-M3-02 — Chat grounded on the 3D map
FR-APP-04 (Q3 Target), FR-APP-05 (Q3 Target)
As a Data Explorer, I want chat answers to highlight the relevant assets and overlays in the 3D model so that I can see where a finding is, not just read about it.
- Given an answer that references specific assets, when it is returned, then those assets are selectable/highlighted in the 3D view.
- Given an interactive overlay (thermal, gas, OGI) is available for the asset, when I open the result, then the relevant overlay can be toggled on in context.
9 Sensor-native analysis
9.0.1 US-M3-03 — Multi-modal anomaly review
FR-SCN-01 / FR-SCN-02 / FR-SCN-03 (Q3 Target)
As an Integrity Engineer, I want OGI, calibrated thermal, and gas readings ingested and rendered natively so that I can review anomalies across modalities in one place.
- Given a campaign with OGI/thermal/gas data, when it is ingested, then each modality is parsed, associated to its asset, and viewable without external tools.
- Given a modality file is malformed or unsupported, when ingestion runs, then it is rejected with a clear reason and does not block the other modalities.
10 Automated reporting
10.0.1 US-M3-04 — One-click finding export
FR-APP-06 (Q3 Target)
As an Integrity Engineer, I want to export the active workspace selection and defect findings to PDF/Word so that I can share a defensible record without re-keying.
- Given a set of selected findings, when I export, then the document includes asset IDs, evidence references, severity, and recommended actions.
- Given an export is generated, when I open it, then content matches what is shown on screen (no missing or placeholder fields).
11 CAD & P&ID open standards
11.0.1 US-M3-05 — Click-through from 3D element to engineering identity
FR-CAD-01 (IFC4, In Progress Q2), FR-CAD-07 (dual-tagging, In Progress Q2)
As an Integrity Engineer, I want to select a 3D element and see its standard engineering identity so that I can move from a visual anomaly to its asset record without manual cross-referencing.
- Given an IFC4 model for the unit, when I select an equipment item, then its IFC class, tag, material/lining, and source are shown.
- Given a legacy CAD tag and an operator/DEXPI tag for the same asset, when I open either, then both resolve to the same asset record via the dual-tagging cross-reference.
- Given a tag the dual-tagging rules cannot resolve, when resolution fails, then the item is flagged for manual mapping rather than silently mismatched.
11.0.2 US-M3-06 — P&ID structure from a clicked asset
FR-CAD-06 (DEXPI ingestion, In Progress Q2)
As an Integrity Engineer, I want logical P&ID structure ingested via DEXPI so that a clicked asset shows its nozzles, connected lines, and connections.
- Given a DEXPI P&ID for the unit, when I view an equipment item, then its nozzles (with service), connected pipe runs, and source-to-target connections are listed.
- Given a non-compliant CAD export, when the DEXPI file is ingested, then it is sanitized and parsed rather than failing outright.
12 Agent reliability
12.0.1 US-M3-08 — Graceful degradation on backend faults
FR-APP-13 (failure recovery, In Progress Q2)
As an Integrity Engineer, I want the chat assistant to fail safely when a backend dependency errors so that I get a clear message instead of a broken or hallucinated answer.
- Given a Supabase RLS denial or query timeout, when it occurs, then the assistant returns an empty/no-access result rather than crashing or leaking another workspace’s data.
- Given a Gemini rate-limit or timeout, when it occurs, then the request retries/backs off and the user sees a clear “try again” message rather than a stalled UI.
- Given an expired or tampered JWT, when a request is made, then it is rejected with a re-authentication prompt, not a silent failure.
12.0.2 US-M3-09 — Trustworthy chat backed by accuracy gates
FR-APP-14 (agent evaluation gate, In Progress Q2)
As an Integrity Engineer, I want the chat assistant’s classification/query/report accuracy validated against a benchmark before each release so that I can trust its answers in day-to-day use.
- Given a new build of the classifier, executor, or reporter agent, when it is proposed for release, then it must pass the accuracy benchmark thresholds before shipping.
- Given a benchmark regression (e.g. below-target accuracy on a query category), when detected, then the release is blocked until resolved.
- Given multi-turn conversation accuracy remains below target, when a user starts a new conversation, then the assistant is scoped to single-turn queries only for M3 rather than silently degrading on follow-ups.
12.0.3 US-M3-10 — Persona-tailored workspace view
FR-APP-15 (persona-tailored workspace scoping, In Progress Q2)
As a Data Explorer, I want the chat workspace tailored to my role so that I see the framing and results relevant to exploration rather than engineering sign-off tasks.
- Given a Data Explorer persona, when I open a workspace, then the chat surface presents exploration-oriented framing (discovery, browsing) distinct from the Integrity Engineer’s action-oriented framing.
- Given an Integrity Engineer persona, when the same underlying data is queried, then results are framed toward verification/action rather than raw exploration.
- Given multiple workspaces I have access to, when I switch between them, then the persona-tailored framing is preserved per workspace.
12.0.4 US-M3-11 — Query firewall against injection and malicious input
FR-APP-16 (SQL-injection & malicious-input defense, In Progress Q2)
As an Integrity Engineer, I want the chat assistant’s generated SQL to be firewalled against injection and malicious input so that a crafted question can never modify data or escape my workspace’s scope.
- Given a generated query, when it contains DML/DDL (INSERT/UPDATE/DELETE/DROP/ALTER) or an injection pattern (e.g. SLEEP, CHR/ASCII obfuscation), then it is rejected before execution.
- Given a query attempting to reference another workspace’s data, when it is generated, then the workspace scope is enforced and the cross-workspace reference is blocked.
- Given a rejected query, when the assistant responds, then the user sees a safe refusal rather than a raw database error or partial result.
Coverage note: this starter intentionally covers the highest-value in-flight FRs. Remaining M4 FRs are to be added as they enter active development. FR-AI-01’s story (grounded damage-mechanism suggestions) moved to m4 when the FR slipped past the M3/Jun 2026 window; the old MVP-demonstration-sequence FR was retired outright (determined not to be a KAP/milestone requirement); FR-PRT-02 slipped to M4 and has no story yet. FR-APP-02 was split (2026-07-03) into FR-APP-02 (single-turn chat), FR-APP-13 (failure recovery), FR-APP-14 (evaluation gate), FR-APP-15 (persona-tailored workspaces), and FR-APP-16 (SQL-injection/malicious-input defense, added 2026-07-03) — see US-M3-08/09/10/11.