All 8 checks with why-it-matters prose, severity, and cross-references to related audits.
When the core journeys your PRD promises do not exist as connected sequences of routes, components, and API handlers, users hit dead ends mid-flow: an onboarding that never reaches the dashboard, a checkout that cannot finalize, a sign-up that drops the user into a blank screen. This is the most direct form of product failure. It drives immediate refund requests, churn spikes, and one-star reviews, and it erodes trust in the product's core value proposition. From a user-experience perspective, broken core flows rank above every other severity class because they block the primary job-to-be-done the product exists to serve.
Why this severity: Critical because a missing or broken core user flow blocks the product's primary job-to-be-done and prevents any user from completing the journey the PRD promised.
goal-alignment.feature-completeness.core-user-flows-match
When your data model does not cover entities the PRD requires, features that depend on that data silently degrade or fail at runtime. A missing join table for team membership means multi-user collaboration can never persist correctly. A missing audit_results relation means you cannot display scores, the kind of gap that surfaces only after launch, when fixing it requires a migration, a data backfill, and coordinated API changes. ISO 25010:2011 functional suitability (specifically its functional completeness sub-characteristic) treats this as a core quality dimension: software must fulfill its stated functional requirements. Any entity absent from the schema is a hard blocker, not a soft deficiency.
Why this severity: High because missing schema entities block entire feature areas from functioning, requiring migrations and coordinated changes to fix after data has been written.
goal-alignment.feature-completeness.data-model-supports-requirements
Scope creep in AI-generated code is a distinct failure mode from human-authored scope creep: the AI adds entire subsystems (admin dashboards, SSO flows, multi-tenancy layers) that were never requested, each carrying its own attack surface, maintenance cost, and regression risk. An unreviewed team collaboration system added without a PRD requirement means unapproved access control logic is live in production, and any bug in that logic is your liability. Unrequested code also scores poorly on ISO 25010:2011 maintainability: code that does not correspond to a requirement has no spec to validate it against and no owner to maintain it.
Why this severity: Critical because unrequested subsystems introduce unreviewed security logic and maintenance burden with no specification to validate correctness against.
goal-alignment.scope-accuracy.no-significant-scope-creep
Orphaned features are different from scope creep: they are incomplete implementations that were started and abandoned. An unlinked route that handles user data is reachable by anyone who knows or guesses the URL, even if no navigation link exposes it, and because the feature was never shipped intentionally, no access control review was ever completed for it. An unqueried database table accumulates data that is never cleaned up and never audited. Under ISO 25010:2011 maintainability, dead code of this kind is a quality defect: it increases cognitive load for future developers and creates latent risk.
Why this severity: Medium because orphaned routes are reachable despite appearing abandoned, creating unreviewed access surface that may handle sensitive operations without proper guards.
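A concrete way to surface this is to diff the router's route table against every href the UI actually emits, then flag any unlinked route that also has no auth guard. The JavaScript below is an added example written for this page, not the audit's own implementation. It assumes Express-style path patterns (`/teams/:teamId/members`); the route table, the navigation link list and the `requiresAuth` flag are constructed sample data standing in for whatever a real router scan and nav scan would produce.

```javascript
// Added example (not the audit's own code): find routes that are registered but
// never linked from the UI, and flag those that also lack an auth guard.
// sampleRoutes and sampleNavLinks are constructed data; in practice they would
// come from parsing the router file and scanning rendered href attributes.

// Turn an Express-style path pattern ("/teams/:teamId/members") into a RegExp
// so that concrete hrefs like "/teams/42/members" match it.
function patternToRegex(pattern) {
  const body = pattern
    .split("/")
    .map((seg) =>
      seg.startsWith(":")
        ? "[^/]+"
        : seg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")
    )
    .join("/");
  return new RegExp(`^${body}/?$`);
}

// Drop query string, fragment and trailing slash so hrefs compare cleanly.
function normalizeHref(href) {
  const path = href.replace(/[?#].*$/, "").replace(/\/+$/, "");
  return path === "" ? "/" : path;
}

// Return every route that no nav link reaches, with a flag for missing guards.
function findOrphanedRoutes(routes, navLinks) {
  const linked = navLinks.map(normalizeHref);
  return routes
    .filter((route) => {
      const re = patternToRegex(route.path);
      return !linked.some((href) => re.test(href));
    })
    .map((route) => ({
      path: route.path,
      handler: route.handler,
      // An orphaned route that is also unguarded is unreviewed access surface.
      unguarded: !route.requiresAuth,
    }));
}

// Constructed sample: what a router scan and a nav scan might yield.
const sampleRoutes = [
  { path: "/", handler: "HomePage", requiresAuth: false },
  { path: "/dashboard", handler: "Dashboard", requiresAuth: true },
  { path: "/teams/:teamId/members", handler: "TeamMembers", requiresAuth: true },
  { path: "/admin/export", handler: "ExportAllUsers", requiresAuth: false }, // unlinked, no guard
  { path: "/settings/billing", handler: "Billing", requiresAuth: true }, // unlinked, guarded
];
const sampleNavLinks = ["/", "/dashboard?tab=overview", "/teams/42/members#roster"];

for (const orphan of findOrphanedRoutes(sampleRoutes, sampleNavLinks)) {
  console.log(
    `${orphan.path} (${orphan.handler}): orphaned, ${orphan.unguarded ? "NO auth guard" : "guarded"}`
  );
}
```

On the sample data this reports two orphans: `/admin/export`, which is the dangerous case (reachable by URL, handles all-user data, no guard), and `/settings/billing`, which is dead code but at least guarded. Treat the first kind as a security finding and the second as a maintainability one; both should either be wired into the product or deleted.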
goal-alignment.scope-accuracy.no-orphaned-features
Navigation is the primary map users carry in their heads of how your product is organized. When the sidebar, navbar, or routing hierarchy fails to reflect the information architecture described in the PRD — sections missing, features buried under the wrong parent, URL structure contradicting the product's mental model — users cannot find features that actually exist, support volume rises around 'where is X?' questions, and first-session retention drops because the product feels smaller or more confusing than it is. Discoverability failures of this kind also undermine SEO and accessibility landmarks by misrepresenting page hierarchy to crawlers and screen readers.
Why this severity: High because a mismatched navigation hides shipped features from users and distorts the product's mental model, though it does not strictly block a determined user from reaching functionality via direct URLs.
goal-alignment.ux-alignment.navigation-reflects-prd-hierarchy
PRD-specified error states are requirements, not suggestions. When a user hits their usage quota and your app returns an unhandled 429 or a generic error page instead of the renewal prompt your PRD specified, you have broken the user experience the product owner signed off on. More critically, unhandled error paths often expose raw API error messages, stack traces, or internal IDs to end users — a violation of both good UX and basic information security hygiene. ISO 25010:2011 reliability requires that specified failure scenarios are handled gracefully, not just that happy paths work.
Why this severity: Medium because unhandled PRD error states degrade user experience and may leak internal error details (an information disclosure finding in its own right), but do not by themselves give an attacker a direct path to compromise.
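The two failure modes this check describes (the wrong screen, and internals leaking into the wrong screen) are easiest to see side by side in code. The JavaScript below is an added example, not the audit's own code: `leakyErrorResponse` is the pattern the check flags, and `safeErrorResponse` maps each PRD-specified error state to the response the PRD calls for while routing the diagnostics to a server-side log entry. The `PRD_ERROR_STATES` table, the sample errors, the `leaksInternals` heuristic and the `requestId` argument (assumed to come from request-ID middleware) are all constructed for illustration.

```javascript
// Added example (not the audit's own code). PRD_ERROR_STATES, the sample
// errors, leaksInternals and the requestId argument are constructed.

// The error states the PRD specifies: what the user must see for each
// condition the product owner signed off on.
const PRD_ERROR_STATES = {
  429: {
    code: "quota_exceeded",
    message: "You have used your monthly quota.",
    action: { label: "Renew plan", href: "/billing/renew" },
  },
  404: {
    code: "not_found",
    message: "That page does not exist.",
    action: { label: "Go to dashboard", href: "/dashboard" },
  },
  403: {
    code: "forbidden",
    message: "You do not have access to this resource.",
    action: null,
  },
};

// The pattern the check flags: whatever the error carries goes to the client,
// including the stack trace and any internal identifiers in the message.
function leakyErrorResponse(err) {
  return {
    status: err.status || 500,
    body: { error: err.message, stack: err.stack, details: err.details },
  };
}

// Hardened handler: the client gets only the PRD-specified state (or a generic
// fallback carrying a correlation id); the internals go to the log entry.
function safeErrorResponse(err, requestId) {
  const status =
    Number.isInteger(err.status) && err.status >= 400 && err.status < 600
      ? err.status
      : 500;
  const spec = PRD_ERROR_STATES[status];
  const body = spec
    ? { code: spec.code, message: spec.message, action: spec.action, requestId }
    : {
        code: "internal_error",
        message: "Something went wrong. Quote this reference when contacting support.",
        action: null,
        requestId,
      };
  // Everything diagnostic stays server-side, keyed by the same requestId.
  const logEntry = {
    requestId,
    status,
    name: err.name,
    message: err.message,
    stack: err.stack,
    details: err.details,
  };
  return { status, body, logEntry };
}

// Simple heuristic for a test: does a response body carry anything that
// looks like internals (stack trace, internal ids, SQL or schema names)?
function leaksInternals(response) {
  const text = JSON.stringify(response.body);
  return /stack|customer_id|relation|SELECT/i.test(text);
}

// Constructed sample errors.
function makeQuotaError() {
  const e = new Error("rate limit exceeded for customer_id=8813 on plan=free");
  e.status = 429;
  e.details = { retryAfter: 86400, internalPlanId: "plan_free_v3" };
  return e;
}
function makeDbError() {
  const e = new Error('relation "audit_results" does not exist');
  e.name = "DatabaseError";
  e.details = { query: "SELECT score FROM audit_results WHERE run_id = $1" };
  return e;
}

console.log(JSON.stringify(leakyErrorResponse(makeQuotaError()).body));
console.log(JSON.stringify(safeErrorResponse(makeQuotaError(), "req-7f3a").body));
```

The design point is that the PRD table, not the thrown error, decides what the user sees: a 429 becomes the renewal prompt the PRD asked for, an unlisted status collapses to a generic message plus a correlation id, and the customer id, stack and SQL text only ever appear in the log entry. A test that asserts `leaksInternals` is false for every response from the safe handler is a cheap regression guard for this check.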
goal-alignment.ux-alignment.error-handling-covers-prd-edge-cases
Technical constraint violations discovered late are among the most expensive defects to fix. If your PRD required PostgreSQL for compliance reasons and the AI chose SQLite, or if it required a self-hosted deployment and the codebase is locked to a managed platform, you face a rewrite — not a refactor. Vendor lock-in violations against explicit PRD constraints can also carry legal and contractual consequences, particularly in enterprise or regulated environments. ISO 25010:2011 portability measures exactly this: whether the system operates within its specified technical environment.
Why this severity: High because stack constraint violations discovered after development require partial rewrites to fix and may introduce compliance or contractual risk if the violated constraint was regulatory.
goal-alignment.technical-alignment.stack-aligns-with-prd-constraints
Non-functional requirements define the quality bar your product must meet, not just its feature set. A PRD that requires WCAG 2.1 AA compliance means you have committed to accessibility for users with disabilities; omitting ARIA labels and semantic HTML is a functional failure against that commitment, not a cosmetic gap. A performance target of sub-2s load time is a user retention requirement: conversion drops measurably above that threshold. Security NFRs like encryption at rest are often compliance requirements under GDPR, HIPAA, or SOC 2. ISO 25010:2011 models each of these as its own quality characteristic (accessibility under usability, performance efficiency, security), and each must be demonstrably addressed, not just aspirationally listed.
Why this severity: High because unaddressed non-functional requirements represent commitments to users, compliance frameworks, or business stakeholders that the codebase silently fails to honor.
goal-alignment.technical-alignment.nonfunctional-requirements-addressed