🏠 Overview ✅ Implementation Tasks ✅ epic-driver-and-confidentiality-management-ui-task-003

Wire Feature Flag Guard to Org Service

epic-driver-and-confidentiality-management-ui-task-003 — Connect the DriverFeatureFlagGuard widget to the OrgFeatureFlagService Riverpod provider so that guard state reacts to live organization context changes. Write unit tests verifying that the guard renders child content when the driver flag is enabled and renders an empty SizedBox.shrink() when disabled. Ensure no driver UI leaks through for non-Blindeforbundet organizations.

critical priority low complexity integration pending frontend specialist Tier 1

Acceptance Criteria

DriverFeatureFlagGuard consumes OrgFeatureFlagService via Riverpod ref.watch() and rebuilds reactively when the driver feature flag changes
When driver feature flag is enabled, the guard renders its child widget without any wrapping or modification
When driver feature flag is disabled, the guard renders SizedBox.shrink() and the child widget tree is never built
When the active organization changes from Blindeforbundet to a non-Blindeforbundet org at runtime, the guard immediately collapses to SizedBox.shrink() without requiring a navigation event
When the active organization changes from non-Blindeforbundet to Blindeforbundet, the guard immediately renders child content
No driver-specific UI (buttons, screens, labels, navigation items) is accessible or visible for organizations without the driver feature flag enabled
Unit tests cover: flag enabled renders child, flag disabled renders SizedBox.shrink(), flag toggled at runtime collapses/expands correctly, null/uninitialized org state defaults to disabled
Widget test confirms no driver UI leakage by querying child widget type in disabled state and asserting it is not present in the widget tree
Guard does not introduce observable frame drops or layout jank when toggling state

Technical Requirements

frameworks
Flutter
Riverpod
performance requirements
Guard state evaluation must complete within a single frame (< 16ms)
Riverpod provider subscription must not cause unnecessary widget rebuilds outside DriverFeatureFlagGuard subtree
security requirements
Feature flag evaluation must be performed on the client based on server-provided org configuration — never trust client-side override
Guard must not expose any driver route names or widget keys in the accessibility tree when disabled
OrgFeatureFlagService must source flag state from authenticated Supabase session context — anonymous state defaults to disabled
ui components
DriverFeatureFlagGuard
SizedBox.shrink()

Execution Context

Execution Tier
Tier 1

Tier 1 - 540 tasks

Can start after Tier 0 completes

Implementation Notes

Use ConsumerWidget (not StatelessWidget) so the guard can call ref.watch(orgFeatureFlagServiceProvider.select((s) => s.driverFeatureEnabled)) — using .select() avoids rebuilding on unrelated org flag changes. The guard should have a simple conditional: if (isEnabled) return child; return const SizedBox.shrink(); — avoid any animation or transition here as this is a security boundary, not a UX transition. Override the provider in tests via ProviderScope overrides. Do not use any BuildContext extension for flag checking — always go through the Riverpod provider to keep testability clean.

Ensure the provider itself has been implemented and tested in task-002 before this task begins.

Testing Requirements

Unit tests using flutter_test with ProviderContainer overrides to simulate enabled/disabled flag states. Widget tests using pumpWidget with overridden Riverpod providers. Test matrix: (1) flag enabled → child rendered, (2) flag disabled → SizedBox.shrink() rendered, (3) flag toggled live → widget tree updates, (4) org switched mid-session → guard reacts, (5) null org state → defaults to disabled. Aim for 100% branch coverage on the guard widget itself.

No integration tests required for this isolated widget.

Component
Driver Feature Flag Guard Widget
ui low
Dependencies (1)
Implement the DriverFeatureFlagGuard widget that wraps all driver-related UI subtrees and conditionally renders or suppresses them based on the organization's feature flag state. The guard must integrate with the OrgFeatureFlagService via Riverpod, show a zero-UI empty widget for organizations without the driver feature enabled, and avoid any layout artifacts when suppressed. epic-driver-and-confidentiality-management-ui-task-002
Epic Risks (3)
high impact medium prob technical

The declaration acknowledgement screen has the most complex accessibility requirements of any screen in this feature: scrollable long-form legal text, a conditional checkbox that is only enabled after reading, and a timestamp capture. Incorrect focus management or missing semantics annotations could fail VoiceOver navigation or cause the screen reader to announce the checkbox as available before the driver has scrolled, undermining the legal validity of the acknowledgement.

Mitigation & Contingency

Mitigation: Build the acknowledgement screen against the WCAG 2.2 AA checklist from the start, not as a post-hoc audit. Use semantics-wrapper-widget and live-region-announcer from the platform's accessibility toolkit. Include a VoiceOver test session in the acceptance criteria with a tester using the screen reader.

Contingency: If WCAG compliance cannot be fully achieved within the sprint, ship the screen with a documented list of accessibility gaps and a follow-up sprint commitment. Do not block the declaration workflow launch if the core interaction works but a non-critical semantics annotation is missing.

medium impact medium prob integration

Drivers receive a push notification with a deep link to the declaration acknowledgement screen for a specific assignment. If the deep link handler does not correctly route to the right screen and assignment context — particularly when the app is launched cold from the notification — the driver may see a blank screen or the wrong declaration.

Mitigation & Contingency

Mitigation: Implement and test all three notification scenarios: app foregrounded, app backgrounded, and cold start. Use the platform's existing deep-link-handler infrastructure. Add integration tests that simulate notification tap events and assert correct screen and data loading.

Contingency: If cold-start deep link routing proves unreliable, implement a notification-centre fallback where the driver can find the pending declaration from the notification centre screen, ensuring the workflow can always complete even if the direct deep link fails.

medium impact low prob technical

If the driver-feature-flag-guard has any rendering edge case — such as a brief flash of driver UI before the flag value is loaded, or a guard that fails open on a flag service error — driver-specific UI elements could be momentarily visible to coordinators in organizations that have not opted in, causing confusion and potentially a support escalation.

Mitigation & Contingency

Mitigation: Default the guard to rendering nothing (not a loading indicator) until the flag value is definitively resolved. Treat flag service errors as flag-disabled to fail closed. Write widget tests covering the loading, disabled, and enabled states including the error case.

Contingency: If fail-closed cannot be guaranteed within the sprint, add a server-side RLS check on the driver assignment endpoints so that even if the UI guard leaks, the data layer refuses to return driver data for organizations without the flag enabled.

Quick Links
All Tasks Execution Plan