Allow Shall Not Prohibitions
Rules
- •Use SHALL NOT when the requirement is a true prohibition (forbidden state/action).
- •Avoid only:
- •Double negatives (meaning flips risk).
- •“Positive-washing” rewrites that weaken intent (e.g., “store only as needed” without defining and enforcing the forbidden case).
- •Make each prohibition testable:
- •Add a fit criterion that can be audited/tested.
- •Call out side-channels (timing, error messages) when relevant.
- •Don’t leak bypass details in requirements (especially for abuse/moderation):
- •Prefer “The system SHALL NOT reveal the reason…” over enumerating detection rules.
Prompt snippet (copy/paste)
text
When converting policy into requirements: - Keep prohibitions as SHALL NOT when negation is semantically primary. - Avoid double negatives. - For each SHALL NOT, add: rationale + fit criterion + edge cases. - Do not reveal bypass details; describe the forbidden information disclosure at a high level.