Non-Functional Review Criteria

Security
- PASS: auth/authz, secret handling, and threat mitigations in place.
- CONCERNS: minor gaps with clear owners.
- FAIL: critical exposure or missing controls.
Performance
- PASS: metrics meet targets with profiling evidence.
- CONCERNS: trending toward limits or missing baselines.
- FAIL: breaches SLO/SLA or introduces resource leaks.
Reliability
- PASS: error handling, retries, health checks verified.
- CONCERNS: partial coverage or missing telemetry.
- FAIL: no recovery path or crash scenarios unresolved.
Maintainability
- PASS: clean code, tests, and documentation shipped together.
- CONCERNS: duplication, low coverage, or unclear ownership.
- FAIL: absent tests, tangled implementations, or no observability.
Default to CONCERNS when targets or evidence are undefined—force the team to clarify before sign-off.

Source: Murat NFR assessment guidance.