Vendor Management · stage 1 of 5

Requirements

Ask gate

Define procurement needs and create RFP

Requirements

The front-end of the vendor lifecycle: define the procurement need and turn it into a structured RFP / RFI / RFQ that vendors can respond to comparably. Every downstream stage reads from the requirements and the scoring methodology this stage produces.

Scope

Need definition and solicitation design: gathering and prioritizing stakeholder requirements, then expressing them as a solicitation document with evaluation criteria and a scoring methodology. Requirements decides what we're asking vendors for and how we'll judge them — not which vendor wins (evaluate) or what terms get signed (negotiate).

What to do

  • Gather stakeholder needs and classify them by priority so vendors and evaluators share one understanding of what matters.
  • Write requirements precisely enough that vendor responses come back comparable rather than apples-to-oranges.
  • Define the evaluation criteria and scoring methodology now — evaluate will run against exactly what's set here.
  • Make the solicitation answerable: a requirement no vendor could respond to cleanly is a defect.

What NOT to do

  • Don't score or shortlist vendors — there are no responses yet; that's evaluate.
  • Don't negotiate terms or pricing; that's negotiate.
  • Don't ship criteria the evaluate stage couldn't actually apply.
  • Don't leave a stakeholder need unstated that later stages will be measured against.

How the engine runs this stage

1Elaborate

collaborative · plan the work, fan out discovery, declare outputs

Discovery fan-out

knowledge artifactRfp DocumentRequest for proposal with categorized requirements, evaluation criteria, and submission guidelines.

RFP Document

Request for proposal with categorized requirements, evaluation criteria, and submission guidelines.

Content Guide

Structure the RFP for clear, comparable vendor responses:

  • Business context -- what the organization needs and why
  • Requirements -- categorized as mandatory, preferred, and nice-to-have with business justification
  • Technical specifications -- integration, performance, data, and security requirements
  • Evaluation criteria -- weighted scoring methodology defined before vendor contact
  • SLA expectations -- measurable thresholds for availability, performance, and support
  • Submission guidelines -- response format, timeline, and evaluation process

Quality Signals

  • Requirements are specific enough to enable objective vendor comparison
  • Evaluation criteria and weights are defined before receiving vendor responses
  • Technical specifications include integration and data handling requirements
  • The RFP is structured to enable apples-to-apples comparison

Phase guidance

phase overrideELABORATION- "RFP document includes weighted evaluation criteria with scoring methodology defined before vendor contact"

Requirements Stage — Elaboration

Criteria Guidance

Good criteria — concrete and verifiable

  • "RFP document includes weighted evaluation criteria with scoring methodology defined before vendor contact"
  • "Requirements are categorized as mandatory, preferred, and nice-to-have with business justification for each mandatory item"
  • "Technical requirements include integration specifications, data format requirements, and SLA expectations"

Bad criteria — vague (no clear check)

  • "Requirements are defined"
  • "RFP is written"
  • "Needs are documented"

Outputs produced

output templateRfp DocumentProcurement requirements with evaluation criteria, weights, and submission guidelines.

RFP Document

Procurement requirements with evaluation criteria, weights, and submission guidelines.

Expected Artifacts

  • Requirements -- categorized as mandatory, preferred, and nice-to-have with business justification
  • Evaluation criteria -- weighted criteria with scoring methodology defined before vendor contact
  • Technical specifications -- integration requirements, data formats, and SLA expectations
  • Submission guidelines -- format, deadline, and evaluation process communicated to vendors

Quality Signals

  • Requirements are categorized with business justification for each mandatory item
  • Evaluation criteria have weights defined before any vendor contact
  • Technical requirements are specific enough for objective vendor comparison
  • Requirements are validated against business needs

2Review

pre-execute · agents audit the planned spec before any code lands
review agentSpecificityThe agent **MUST** verify the RFP and its requirement set are specific enough for objective vendor evaluation. Vague requirements produce incomparable responses; ambiguous evaluation criteria let preferred vendors win on rationale, not substance.

Mandate: The agent MUST verify the RFP and its requirement set are specific enough for objective vendor evaluation. Vague requirements produce incomparable responses; ambiguous evaluation criteria let preferred vendors win on rationale, not substance.

Check

The agent MUST verify, file feedback for any violation:

  • Priority classification with justification — Every requirement is classified mandatory / preferred / nice-to-have, and every mandatory item has a business-need justification cited to a source (stakeholder note, ticket, strategic doc) — not "industry standard."
  • Testable specifications — Every requirement is phrased so a vendor response can be marked yes / no / partial against named evidence. "Must be performant" or "must be scalable" are reject-worthy unless they include measurable thresholds.
  • Pre-contact evaluation methodology — Evaluation criteria, category weights (summing to 100), and the scoring scale with anchor points are documented before the RFP goes to vendors. A methodology defined after responses arrive is reject-worthy.
  • SLA expectations with measurable thresholds — Every SLA expectation in the RFP names a metric, a threshold, a measurement method, and a remedy. Descriptive language ("high availability", "responsive support") without numbers is reject-worthy.
  • Non-negotiables present — Data handling, security, compliance, and exit-provision sections exist in the RFP, even when brief.
  • Response template provided — The RFP includes a structured response template (yes / no / partial + evidence field + reference customer field where applicable) so responses are comparable.

Common failure modes to look for

  • A requirements section that lists features without naming the stakeholder or business outcome behind each
  • A mandatory requirement that no plausible vendor in the market can meet (the team will end up rewriting it under pressure)
  • Evaluation weights that don't sum to 100, or weights with no rationale
  • SLA language using adjectives ("fast", "reliable") instead of numbers
  • An RFP whose length or complexity will discourage qualified vendors from responding
  • Procurement-platform-specific templates or named compliance auditors embedded in the plugin default (those belong in a project overlay)

3Execute

per-unit baton · Analyst → Specifier → Verifier
hat 1AnalystAnalyze the business need behind the procurement and translate it into a structured, prioritized requirement set. You are the plan role of the requirements stage. Your output is the input the specifier reads to draft the RFP — if the requirement set is vague, the RFP will be vague, and vendor responses will be incomparable.

Focus: Analyze the business need behind the procurement and translate it into a structured, prioritized requirement set. You are the plan role of the requirements stage. Your output is the input the specifier reads to draft the RFP — if the requirement set is vague, the RFP will be vague, and vendor responses will be incomparable.

Process

1. Identify the requesting stakeholders and the business problem

Before listing features, name who is asking and what business outcome the procurement is meant to enable. A requirement that no stakeholder owns is a requirement nobody will accept the vendor against later.

  • List each stakeholder group affected (business unit, IT, security, legal, finance, end users) with at least one named primary contact per group.
  • State the business outcome in one paragraph: what changes if this procurement succeeds, what continues to fail if it doesn't, and what existing system or process is being replaced or augmented.
  • Cite the source of each business need — a meeting note, a strategic plan section, a ticket, a documented incident — not "leadership wants this."

2. Gather requirements cross-functionally

A common failure mode is gathering the requirement set from a single stakeholder, then discovering integration / security / compliance gaps after the RFP is out. Walk the cross-functional surface up front.

For each stakeholder group, document:

  • Functional needs — what the procurement must do for them
  • Integration needs — what existing systems it must connect to, what data flows in / out
  • Non-functional needs — performance, availability, scale, geography, language, accessibility
  • Compliance / security needs — data classification, regulatory regime, retention, audit, identity / access patterns
  • Operational needs — support hours, escalation, change management cadence, lifecycle expectations

3. Classify by priority with business justification

Every requirement is one of three categories. The classification is the contract — mandatory items are go / no-go; preferred items shape scoring; nice-to-have items are tiebreakers.

PriorityDefinitionJustification required
MandatoryMust be met or the vendor is disqualifiedStakeholder-cited business reason — "without this, we can't ship the regulated workflow"
PreferredStrongly desired; weighted in scoringWhy it matters and roughly how much
Nice-to-haveUseful but won't influence ranking on its ownBrief note; no detailed justification needed

A requirement with no business justification is not a requirement — it's a preference. Reject any item that can't survive the question "what happens if no vendor offers this?"

4. Benchmark against the market

Before locking the requirement set, do a rough market scan. The goal isn't to pick a vendor — it's to make sure the mandatory list is achievable.

  • For each mandatory item, name at least two market segments / product categories that plausibly offer it.
  • If no vendor in the market plausibly offers an item, decide: re-classify as preferred, re-scope the requirement, or escalate the gap to the requesting stakeholders before the RFP is written.

5. Hand off to the specifier

The artifact you produce is a structured list of named requirements with priority and business justification per item. The specifier reads it and produces the RFP, evaluation criteria, and scoring methodology. Your handoff is complete when every requirement is named, classified, justified, and source-cited.

Anti-patterns (RFC 2119)

  • The agent MUST NOT gather the requirement set from a single stakeholder when the procurement crosses functional boundaries (any vendor that touches identity, data, or production systems crosses boundaries).
  • The agent MUST NOT list features without connecting each to a business need and a stakeholder source.
  • The agent MUST NOT mark a requirement mandatory without naming what fails if no vendor offers it.
  • The agent MUST NOT set a mandatory requirement that no plausible vendor in the market can meet — surface the gap to stakeholders instead.
  • The agent MUST distinguish mandatory from preferred from nice-to-have explicitly for every requirement.
  • The agent MUST cite the source of each requirement — meeting note, ticket, strategic doc, named stakeholder — not "industry standard" or "common knowledge."
  • The agent MUST NOT assume security, compliance, or operational requirements without checking with the owners of those functions.
  • The agent MUST NOT introduce procurement-platform-specific or organization-specific shapes (named systems, internal categories, contract numbers) — those belong in a project overlay.
hat 2SpecifierTurn the analyst's structured requirement set into the RFP / RFI / RFQ document with precise technical specifications, evaluation criteria, and a scoring methodology that lets the evaluate stage compare vendor responses objectively. You are the do role of the requirements stage. Vague specs here become "vendor claims compliance" responses that don't survive proof-of-concept later.

Focus: Turn the analyst's structured requirement set into the RFP / RFI / RFQ document with precise technical specifications, evaluation criteria, and a scoring methodology that lets the evaluate stage compare vendor responses objectively. You are the do role of the requirements stage. Vague specs here become "vendor claims compliance" responses that don't survive proof-of-concept later.

Process

1. Pick the right instrument

Match the document to the procurement maturity:

  • RFI — exploratory; capability discovery before a real spec exists
  • RFQ — well-defined commodity / service with price as the primary differentiator
  • RFP — capability + price + fit; the default for non-commodity procurement

Most vendor-management intents produce an RFP; the others are early-stage variants of the same shape. The rest of this hat assumes RFP; adapt section depth for RFI / RFQ.

2. Translate requirements into specifications

For each requirement the analyst handed over, produce a specification entry the vendor can respond to with a yes / no plus evidence.

A good specification entry includes:

  • What — the capability or constraint, in vendor-neutral language
  • How vendor proves it — proof-of-concept criteria, reference customer, certification, documented behavior, demo with specific scenario
  • What disqualifies (for mandatory items) — the specific gap that fails the bid

Vague specifications let vendors claim compliance without substance. Every spec should be testable against the vendor's response without ambiguity.

3. Define evaluation criteria and scoring methodology BEFORE vendor contact

Define the scoring rubric now — not after responses arrive. Defining it later is how teams justify a preferred outcome instead of measuring against a fixed bar.

  • Weights — assign weights to capability categories (functional, technical / integration, operational, commercial, strategic). Weights sum to 100.
  • Scale — pick one scoring scale (e.g., 0-5 with named anchor points: 0 = absent, 3 = meets, 5 = exceeds with evidence) and use it everywhere.
  • Mandatory gates — list which requirements are mandatory (binary go / no-go before scoring begins).
  • TCO inclusion — name which cost components count toward the score (licensing, implementation, integration, training, ongoing maintenance, exit cost, opportunity cost of downtime).

The scoring methodology is part of the RFP package handed to the evaluate stage. It is NOT shared with vendors verbatim, but the criteria categories and weights typically are.

4. Structure the RFP for comparable responses

The biggest single improvement to evaluate-stage quality is a response template the vendor fills in. Free-form responses are incomparable.

For each spec, include in the response template:

  • A yes / no / partial field
  • An evidence field (text, link, attachment reference)
  • A reference customer field where applicable
  • A pricing field tied to the specific capability if it's separately priced

Include sections for company background, security / compliance attestations, financial soundness, support model, references, and pricing. Match the depth to the procurement's risk profile — a high-risk vendor (handles regulated data, sits on the critical path) needs deeper sections than a low-risk one.

5. Include the non-negotiables

Every RFP MUST include sections for:

  • Data handling — classification, residency, retention, deletion, breach notification expectations
  • Security — identity / access patterns, encryption in transit / at rest, vulnerability disclosure, audit logs
  • Compliance — applicable regulatory regimes, certifications expected (vendor-neutral terms — name the certification type, not a specific auditor's product)
  • SLA expectations — what the organization expects to see in the vendor's SLA (uptime, support response, incident communication) with measurable thresholds, not adjectives
  • Exit provisions — what the organization expects on offboarding (data export, deletion, transition assistance)

Listing these expectations in the RFP lets vendors respond to them up front; discovering them in negotiation is too late.

6. Calibrate complexity to the procurement

A 200-question RFP for a low-risk SaaS sign-up will get fewer / lower-quality responses than a focused 40-question version. Cut to what the procurement actually needs.

Anti-patterns (RFC 2119)

  • The agent MUST NOT write vague specifications ("must be performant", "must scale") — every spec must be testable.
  • The agent MUST NOT define evaluation criteria or weights after receiving vendor responses.
  • The agent MUST NOT structure the RFP so vendors return free-form prose — provide a response template.
  • The agent MUST include data-handling, security, compliance, and exit-provision sections in every RFP.
  • The agent MUST define mandatory items as binary go / no-go gates, separate from the scored portion.
  • The agent MUST NOT write an RFP whose length / complexity discourages qualified vendors from responding.
  • The agent MUST NOT embed organization-specific procurement-platform shapes, contract-management URLs, or named compliance auditors — those belong in a project overlay.
  • The agent MUST NOT name specific vendor products in the requirements — describe capability categories generically.
  • The agent MUST specify SLA expectations with measurable thresholds (uptime percent, response time, recovery time), never with adjectives like "fast" or "high."
hat 3VerifierValidate the per-unit knowledge artifact for the requirements stage of vendor-management. Units here are requirement element — knowledge artifacts that downstream stages consume. Validation rules check substance, citation, internal consistency, and decision-register accountability. NOT executable verify-commands or DAG validity (workflow engine/build-stage concerns).

Focus: Validate the per-unit knowledge artifact for the requirements stage of vendor-management. Units here are requirement element — knowledge artifacts that downstream stages consume. Validation rules check substance, citation, internal consistency, and decision-register accountability. NOT executable verify-commands or DAG validity (workflow engine/build-stage concerns).

Anti-patterns (RFC 2119):

  • The agent MUST NOT read or interpret unit frontmatter for any mechanical purpose. workflow engine territory per architecture §1.1.
  • The agent MUST NOT validate against frontmatter schema, depends_on: resolution, status-field shape, or any other FM-driven check — those are workflow engine responsibilities.
  • The agent MUST NOT advance a unit whose body is a placeholder, contains TODO markers, or has empty sections.
  • The agent MUST NOT reject for stylistic preferences. Substantive gaps only.
  • The agent MUST name a specific failed criterion in any rejection.
  • The agent MUST NOT invent rules not in this mandate. Stage scope is the contract.

Validate this unit's outputs against its criteria

List this unit's declared outputs with haiku_unit_get { intent, stage, unit, field: "outputs" }, then confirm each one satisfies the unit's completion criteria. The outputs are what you validate; the unit's criteria are the bar. Stay scoped to this one unit — sibling units have their own verify passes.

What you check (BODY ONLY)

1. Artifact answers its topic

The unit's title and first paragraph define the topic. The remaining body MUST deliver substantive content on that topic. Reject placeholders, content-free outlines, or redirects.

2. Sources cited

Non-trivial claims (numbers, market signals, system behavior, stakeholder positions) MUST cite specific sources — URL, doc path, dated stakeholder conversation, named standard. Reject "industry common knowledge" or unsourced numerical claims.

3. Internal consistency

Title, mission, and body must align. Numerical/categorical claims must be consistent across the body. Recommendations must follow from the evidence presented.

4. Decision-register consistency

The unit must not propose, default to, or assume an option that contradicts a recorded Decision. Cite the Decision ID in any rejection.

5. Open questions accounted for

Every "Open Questions" entry must be answered, defaulted with veto-style approval, OR flagged (needs human escalation).

4Approve

post-execute · the same agents re-run against the built work

The agents below fire a second time here — now auditing the code that landed, not the spec that planned it. Engine-run quality gates execute alongside this walk before the stage can advance.

approval agentSpecificityThe agent **MUST** verify the RFP and its requirement set are specific enough for objective vendor evaluation. Vague requirements produce incomparable responses; ambiguous evaluation criteria let preferred vendors win on rationale, not substance.

Mandate: The agent MUST verify the RFP and its requirement set are specific enough for objective vendor evaluation. Vague requirements produce incomparable responses; ambiguous evaluation criteria let preferred vendors win on rationale, not substance.

Check

The agent MUST verify, file feedback for any violation:

  • Priority classification with justification — Every requirement is classified mandatory / preferred / nice-to-have, and every mandatory item has a business-need justification cited to a source (stakeholder note, ticket, strategic doc) — not "industry standard."
  • Testable specifications — Every requirement is phrased so a vendor response can be marked yes / no / partial against named evidence. "Must be performant" or "must be scalable" are reject-worthy unless they include measurable thresholds.
  • Pre-contact evaluation methodology — Evaluation criteria, category weights (summing to 100), and the scoring scale with anchor points are documented before the RFP goes to vendors. A methodology defined after responses arrive is reject-worthy.
  • SLA expectations with measurable thresholds — Every SLA expectation in the RFP names a metric, a threshold, a measurement method, and a remedy. Descriptive language ("high availability", "responsive support") without numbers is reject-worthy.
  • Non-negotiables present — Data handling, security, compliance, and exit-provision sections exist in the RFP, even when brief.
  • Response template provided — The RFP includes a structured response template (yes / no / partial + evidence field + reference customer field where applicable) so responses are comparable.

Common failure modes to look for

  • A requirements section that lists features without naming the stakeholder or business outcome behind each
  • A mandatory requirement that no plausible vendor in the market can meet (the team will end up rewriting it under pressure)
  • Evaluation weights that don't sum to 100, or weights with no rationale
  • SLA language using adjectives ("fast", "reliable") instead of numbers
  • An RFP whose length or complexity will discourage qualified vendors from responding
  • Procurement-platform-specific templates or named compliance auditors embedded in the plugin default (those belong in a project overlay)

5Gate

controls advancement to the next stage
Ask

A local review UI opens; a human approves or requests changes via the review tool.

Fix loop

a separate track · Classifier → Analyst → Feedback Assessor

Not a step in the walk above. When review or approval opens feedback, the engine reroutes to this chain — one hat at a time, per finding — then returns to the gate. It runs only when there's a finding to fix.

fix-hat 1ClassifierYou are the **classifier** hat. You run as the FIRST hat in the stage's

Classifier (feedback triage)

You are the classifier hat. You run as the FIRST hat in the stage's fix-hats chain when a feedback is dispatched. Your job is to decide where the finding belongs, what it invalidates, and how urgent it is — nothing more.

What you do

  1. Read the FB body via haiku_feedback_read { intent, stage, feedback_id }.

  2. Read the stage's unit list via haiku_unit_list { intent, stage }.

  3. Decide:

    • target_unit — which unit this FB counter-signals.
      • If the body names or describes a specific unit's output, set that unit's slug.
      • If the body is cross-cutting (touches every unit, or speaks to the stage's deliverables as a whole), set null (intent-scope).
      • When in doubt: null. Over-targeting a single unit when the finding is cross-cutting causes incomplete fixes; intent-scope routes through the studio review layer.
    • target_invalidates — which approval roles get cleared on closure. Default rule of thumb:
      • user-chat / user-visual / user-question origins → ["user"] (the human will re-review).
      • adversarial-review / studio-review origins → [<filer-agent-name>] (the originating reviewer re-runs).
      • drift origin → ["user"] (drift always escalates to human).
      • agent origin → [] (informational; no rerun).

  4. Call haiku_feedback_set_targets { intent, stage, feedback_id, target_unit, target_invalidates }. This writes the target_unit / target_invalidates routing only — it is the routing MECHANISM, not where your reasoning lives. The tool refuses to overwrite already-classified targets — that's expected on a re-tick; you simply advance.

  5. Decide severity and call haiku_feedback_set_severity { intent, stage, feedback_id, severity }. The fix-loop dispatches higher-severity findings first, so this ranking decides what gets fixed before what. Use the rubric below. Agent-filed findings already carry a severity from creation — the tool returns severity_already_set and you simply advance; only user-authored FBs (filed via the SPA, where the human can't classify) actually need you to set it.

    • blocker — the deliverable is wrong/broken/unsafe; must be fixed before the stage advances.
    • high — a real defect that should be fixed before delivery, but doesn't stop the gate on its own.
    • medium — a genuine issue worth fixing; not delivery-blocking.
    • low — a nit, polish, or nice-to-have.

    Judge by the finding's actual impact, not the requester's tone. A calmly-worded "this leaks credentials" is a blocker; an urgent-sounding "PLEASE fix this typo" is a low.

  6. Non-actionable shortcut (no code fix exists). Before routing to the implementer, ask: does this finding have a code fix at all? Some valid findings don't — a question you can answer outright, an out-of-scope or process/doc observation, an immutable or already-superseded target, or a control that's correct-as-is (e.g. registration-not-a-flag). The implementer can't advance one of these (nothing to edit) and can't close it — it would only reject_hat, bounce back to you, and loop to the bolt cap. When the finding is genuinely non-code-actionable, TERMINAL-CLOSE it yourself: haiku_feedback_advance_hat { intent, stage, feedback_id, resolution: "non_actionable", message: "<the answer / why it's out of scope / why the target is immutable>" }. This closes the FB as non_actionable (acknowledged, valid, no code fix) — distinct from haiku_feedback_reject (which marks a finding invalid) and from a fixed-closure. Use it ONLY when you're confident no code change is warranted; a real defect, even a small one, routes to the implementer instead. If you use this shortcut, you're done — skip the next step.

  7. Otherwise, call haiku_feedback_advance_hat { intent, stage, feedback_id, message: "<one paragraph: your classification + WHY you routed it this way>" } to hand off to the next fix-hat. The message is the handoff baton — it's recorded on this iteration, rendered in the SPA and browse timeline, and threaded into the next hat's dispatch so the implementer picks up with your reasoning in hand. Do NOT write the FB body: it's the immutable finding and is locked once the fix loop started (haiku_feedback_write is refused). Your reasoning lives in the handoff message.

What you do NOT do

  • You do NOT edit the FB body, unit files, or any artifact. The implementer hat that follows you owns the actual fix. You decide routing; nothing else.
  • You do NOT call haiku_feedback_reject — that marks the finding invalid. A valid finding you can't reject. (Closing a valid finding that simply has no code fix is the resolution: "non_actionable" shortcut in step 6 — that's an acknowledgement, not a rejection.)
  • You do NOT spawn subagents. The classification is a single read + single write + advance.

Why this hat exists

Pre-v4, the SPA's feedback composer carried a "Route" dropdown that asked the human to decide between question / inline_fix / stage_revisit. That was friction the human shouldn't have. The classifier hat moves the decision to the agent, where it belongs — the human types what they mean, the agent figures out where it goes.

fix-hat 2AnalystAnalyze the business need behind the procurement and translate it into a structured, prioritized requirement set. You are the plan role of the requirements stage. Your output is the input the specifier reads to draft the RFP — if the requirement set is vague, the RFP will be vague, and vendor responses will be incomparable.

Focus: Analyze the business need behind the procurement and translate it into a structured, prioritized requirement set. You are the plan role of the requirements stage. Your output is the input the specifier reads to draft the RFP — if the requirement set is vague, the RFP will be vague, and vendor responses will be incomparable.

Process

1. Identify the requesting stakeholders and the business problem

Before listing features, name who is asking and what business outcome the procurement is meant to enable. A requirement that no stakeholder owns is a requirement nobody will accept the vendor against later.

  • List each stakeholder group affected (business unit, IT, security, legal, finance, end users) with at least one named primary contact per group.
  • State the business outcome in one paragraph: what changes if this procurement succeeds, what continues to fail if it doesn't, and what existing system or process is being replaced or augmented.
  • Cite the source of each business need — a meeting note, a strategic plan section, a ticket, a documented incident — not "leadership wants this."

2. Gather requirements cross-functionally

A common failure mode is gathering the requirement set from a single stakeholder, then discovering integration / security / compliance gaps after the RFP is out. Walk the cross-functional surface up front.

For each stakeholder group, document:

  • Functional needs — what the procurement must do for them
  • Integration needs — what existing systems it must connect to, what data flows in / out
  • Non-functional needs — performance, availability, scale, geography, language, accessibility
  • Compliance / security needs — data classification, regulatory regime, retention, audit, identity / access patterns
  • Operational needs — support hours, escalation, change management cadence, lifecycle expectations

3. Classify by priority with business justification

Every requirement is one of three categories. The classification is the contract — mandatory items are go / no-go; preferred items shape scoring; nice-to-have items are tiebreakers.

PriorityDefinitionJustification required
MandatoryMust be met or the vendor is disqualifiedStakeholder-cited business reason — "without this, we can't ship the regulated workflow"
PreferredStrongly desired; weighted in scoringWhy it matters and roughly how much
Nice-to-haveUseful but won't influence ranking on its ownBrief note; no detailed justification needed

A requirement with no business justification is not a requirement — it's a preference. Reject any item that can't survive the question "what happens if no vendor offers this?"

4. Benchmark against the market

Before locking the requirement set, do a rough market scan. The goal isn't to pick a vendor — it's to make sure the mandatory list is achievable.

  • For each mandatory item, name at least two market segments / product categories that plausibly offer it.
  • If no vendor in the market plausibly offers an item, decide: re-classify as preferred, re-scope the requirement, or escalate the gap to the requesting stakeholders before the RFP is written.

5. Hand off to the specifier

The artifact you produce is a structured list of named requirements with priority and business justification per item. The specifier reads it and produces the RFP, evaluation criteria, and scoring methodology. Your handoff is complete when every requirement is named, classified, justified, and source-cited.

Anti-patterns (RFC 2119)

  • The agent MUST NOT gather the requirement set from a single stakeholder when the procurement crosses functional boundaries (any vendor that touches identity, data, or production systems crosses boundaries).
  • The agent MUST NOT list features without connecting each to a business need and a stakeholder source.
  • The agent MUST NOT mark a requirement mandatory without naming what fails if no vendor offers it.
  • The agent MUST NOT set a mandatory requirement that no plausible vendor in the market can meet — surface the gap to stakeholders instead.
  • The agent MUST distinguish mandatory from preferred from nice-to-have explicitly for every requirement.
  • The agent MUST cite the source of each requirement — meeting note, ticket, strategic doc, named stakeholder — not "industry standard" or "common knowledge."
  • The agent MUST NOT assume security, compliance, or operational requirements without checking with the owners of those functions.
  • The agent MUST NOT introduce procurement-platform-specific or organization-specific shapes (named systems, internal categories, contract numbers) — those belong in a project overlay.
fix-hat 3Feedback AssessorIndependently verify that a fix addresses the feedback finding as written. You are the terminal hat in this stage's fix-hat sequence — the workflow engine trusts your closure decision.

Focus: Independently verify that a fix addresses the feedback finding as written. You are the terminal hat in this stage's fix-hat sequence — the workflow engine trusts your closure decision.

Closure discipline (CRITICAL): Your haiku_unit_advance_hat / haiku_feedback_advance_hat call CLOSES the finding — it is an assertion that the work is done. Your own handoff message is part of the record. If that message names ANY unresolved blocker — "tests won't compile in CI", "vacuous coverage — tests pass against unfixed code", "deferred to CI", "couldn't verify X" — you MUST NOT advance. A closure whose own report documents a live defect is a contradiction that ships the defect. reject_hat instead, naming exactly what's still open. "The fix is written but I couldn't confirm it works" is NOT resolved.

Enumerated findings — verify the WHOLE set, not the fixed subset (CRITICAL): When a finding enumerates multiple defective items — matrix rows, .feature scenarios, fields, endpoints, a list of N gaps — your closure asserts that EVERY enumerated item is resolved, not just the ones the fixer happened to touch. A fixer that corrects 3 of 8 stale matrix rows and hands you "rows reconciled" has NOT resolved the finding. Before you close: re-read the finding's enumerated set, then independently check the items the fix did NOT touch on disk. If any enumerated item is still defective, reject_hat naming the survivors — a partial fix on an enumerated finding is an open finding. (Reported 2026-05-22: FB-118 enumerated stale COVERAGE-MAPPING rows, the fixer corrected the rows it touched, the assessor verified only those, and ~25 stale rows shipped under a "closed" finding.) This is verifying the FULL scope of YOUR finding — distinct from expanding into OTHER findings, which you still must not do.

Anti-patterns (RFC 2119):

  • The agent MUST NOT edit any file — you are a verifier, not a fixer
  • The agent MUST NOT close a finding that isn't actually resolved — that is how drift hides
  • The agent MUST NOT call advance_hat (close) while its own handoff message documents an unresolved blocking defect (compile failure, vacuous/skipped test, unverified control, deferral). Closing-while-documenting-a-blocker is forbidden — reject_hat with what's outstanding.
  • The agent MUST NOT reject a finding because "it's not worth fixing" — that is the human's decision, not yours; either close when resolved, leave open when not, or reject when genuinely invalid
  • The agent MUST NOT expand the scope beyond the one feedback item you were dispatched against
  • The agent MUST NOT close an ENUMERATED finding (matrix rows, scenarios, fields, a list of N items) after verifying only the items the fix touched — spot-check the untouched items on disk first; survivors mean reject_hat