Skip to main content

NFR Discovery, Risk, and Constraints

Why this chapter matters

Non-functional requirements decide frontend architecture more often than feature requirements do. Performance, accessibility, privacy, reliability, security, cost, localization, and operability shape the system before a component is written.

NFR discovery map

Discovery questions

AreaQuestions
user and productWhich users are harmed most by failure, delay, or confusion?
performanceWhat device, network, route, and interaction budgets matter?
accessibilityWhich input methods and assistive flows are required for completion?
reliabilityWhich dependencies can fail, and what should users see?
securityWhich browser trust boundaries, scripts, tokens, and storage choices exist?
privacyWhich data classes are collected, rendered, cached, logged, or sent to vendors?
complianceWhich audit, retention, consent, or jurisdiction constraints apply?
operationsWho gets paged, what dashboard exists, and how is rollback performed?

Risk classification

Risk classExamplesRequired response
lowinternal read-only utilitylightweight review and tests
mediumauthenticated dashboard, editable profileexplicit NFRs and route readiness checklist
highcheckout, billing, identity, health, financereview packet, threat model, performance budget, rollback drill
criticalregulated data, money movement, AI tool actionformal approval, audit trail, kill switch, incident runbook

Constraint register

For each significant surface, maintain this small register:

ConstraintValueOwnerVerificationReview trigger
target device/network
route performance budget
data classification
accessibility requirement
reliability behavior
rollback requirement

Review checklist

  • Are NFRs discovered before architecture choice?
  • Are constraints written as verifiable statements?
  • Is risk classification proportional to user harm?
  • Are privacy and telemetry included, not bolted on later?
  • Does each constraint have an owner and review trigger?

Exercises

  1. Build an NFR register for a route you know well.
  2. Classify three product surfaces by risk class and justify the gates.
  3. Identify one hidden privacy constraint in a feature that appears harmless.

Source lens

This chapter feeds production readiness, frontend security, observability, performance budgets, and Part XII review packets.