NFR Discovery, Risk, and Constraints
Why this chapter matters
Non-functional requirements decide frontend architecture more often than feature requirements do. Performance, accessibility, privacy, reliability, security, cost, localization, and operability shape the system before a component is written.
NFR discovery map
Discovery questions
| Area | Questions |
|---|---|
| user and product | Which users are harmed most by failure, delay, or confusion? |
| performance | What device, network, route, and interaction budgets matter? |
| accessibility | Which input methods and assistive flows are required for completion? |
| reliability | Which dependencies can fail, and what should users see? |
| security | Which browser trust boundaries, scripts, tokens, and storage choices exist? |
| privacy | Which data classes are collected, rendered, cached, logged, or sent to vendors? |
| compliance | Which audit, retention, consent, or jurisdiction constraints apply? |
| operations | Who gets paged, what dashboard exists, and how is rollback performed? |
Risk classification
| Risk class | Examples | Required response |
|---|---|---|
| low | internal read-only utility | lightweight review and tests |
| medium | authenticated dashboard, editable profile | explicit NFRs and route readiness checklist |
| high | checkout, billing, identity, health, finance | review packet, threat model, performance budget, rollback drill |
| critical | regulated data, money movement, AI tool action | formal approval, audit trail, kill switch, incident runbook |
Constraint register
For each significant surface, maintain this small register:
| Constraint | Value | Owner | Verification | Review trigger |
|---|---|---|---|---|
| target device/network | ||||
| route performance budget | ||||
| data classification | ||||
| accessibility requirement | ||||
| reliability behavior | ||||
| rollback requirement |
Review checklist
- Are NFRs discovered before architecture choice?
- Are constraints written as verifiable statements?
- Is risk classification proportional to user harm?
- Are privacy and telemetry included, not bolted on later?
- Does each constraint have an owner and review trigger?
Exercises
- Build an NFR register for a route you know well.
- Classify three product surfaces by risk class and justify the gates.
- Identify one hidden privacy constraint in a feature that appears harmless.
Source lens
This chapter feeds production readiness, frontend security, observability, performance budgets, and Part XII review packets.