Spec 235: harden baseline truth and onboarding flows (#271)

## Summary
- harden baseline capture truth, compare readiness, and monitoring explanations around latest inventory eligibility, blocked prerequisites, and zero-subject outcomes
- improve onboarding verification and bootstrap recovery handling, including admin-consent callback invalidation and queued execution legitimacy/report behavior
- align workspace findings/workspace overview signals and refresh the related spec, roadmap, and spec-candidate artifacts

## Validation
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/BaselineDriftEngine/BaselineCaptureAuditEventsTest.php tests/Feature/BaselineDriftEngine/BaselineSnapshotNoTenantIdentifiersTest.php tests/Feature/BaselineDriftEngine/CaptureBaselineContentTest.php tests/Feature/BaselineDriftEngine/CaptureBaselineFullContentOnDemandTest.php tests/Feature/BaselineDriftEngine/CaptureBaselineMetaFallbackTest.php tests/Feature/Baselines/BaselineCaptureTest.php tests/Feature/Baselines/BaselineCompareFindingsTest.php tests/Feature/Baselines/BaselineSnapshotBackfillTest.php tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php tests/Feature/Monitoring/AuditCoverageGovernanceTest.php tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php tests/Feature/Notifications/OperationRunNotificationTest.php tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/AdminConsentCallbackTest.php tests/Feature/Filament/WorkspaceOverviewDbOnlyTest.php tests/Feature/Guards/Spec194GovernanceActionSemanticsGuardTest.php tests/Feature/ManagedTenantOnboardingWizardTest.php tests/Feature/Onboarding/OnboardingVerificationTest.php tests/Feature/Operations/QueuedExecutionAuditTrailTest.php tests/Unit/Operations/QueuedExecutionLegitimacyGateTest.php`

## Notes
- browser validation was not re-run in this pass

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #271
ahmido 2026-04-24 05:44:54 +00:00
parent 603d509b8f
commit 2752515da5
68 changed files with 4871 additions and 217 deletions

@ -246,6 +246,8 @@ ## Active Technologies
- Existing PostgreSQL `operation_runs` records and current session/query-backed monitoring navigation state; no new persistence (233-stale-run-visibility)
- PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + `App\Models\BaselineProfile`, `App\Support\Baselines\BaselineProfileStatus`, `App\Support\Badges\BadgeCatalog`, `App\Support\Badges\BadgeDomain`, `Database\Factories\TenantFactory`, `App\Console\Commands\SeedBackupHealthBrowserFixture`, existing tenant-truth and baseline-profile Pest tests (234-dead-transitional-residue)
- Existing PostgreSQL `baseline_profiles` and `tenants` tables; no new persistence and no schema migration in this slice (234-dead-transitional-residue)
- PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + `BaselineCaptureService`, `CaptureBaselineSnapshotJob`, `BaselineReasonCodes`, `BaselineCompareStats`, `ReasonTranslator`, `GovernanceRunDiagnosticSummaryBuilder`, `OperationRunService`, `BaselineProfile`, `BaselineSnapshot`, `OperationRunOutcome`, existing Filament capture/compare surfaces (235-baseline-capture-truth)
- Existing PostgreSQL tables only; no new table or schema migration is planned in the mainline slice (235-baseline-capture-truth)
- PHP 8.4.15 (feat/005-bulk-operations)
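Review bot: The new 235-baseline-capture-truth entry lists `BaselineCaptureService`, `CaptureBaselineSnapshotJob`, `BaselineReasonCodes` and the rest as bare class names, while the 234 entry directly above it uses fully qualified names such as `App\Models\BaselineProfile`. An agent reading this file cannot resolve the bare names without searching, so please give the namespaces here in the same way (the matching "Recent Changes" line for 235 has the same gap).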
@ -280,9 +282,9 @@ ## Code Style
PHP 8.4.15: Follow standard conventions
## Recent Changes
- 235-baseline-capture-truth: Added PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + `BaselineCaptureService`, `CaptureBaselineSnapshotJob`, `BaselineReasonCodes`, `BaselineCompareStats`, `ReasonTranslator`, `GovernanceRunDiagnosticSummaryBuilder`, `OperationRunService`, `BaselineProfile`, `BaselineSnapshot`, `OperationRunOutcome`, existing Filament capture/compare surfaces
- 234-dead-transitional-residue: Added PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + `App\Models\BaselineProfile`, `App\Support\Baselines\BaselineProfileStatus`, `App\Support\Badges\BadgeCatalog`, `App\Support\Badges\BadgeDomain`, `Database\Factories\TenantFactory`, `App\Console\Commands\SeedBackupHealthBrowserFixture`, existing tenant-truth and baseline-profile Pest tests
- 233-stale-run-visibility: Added PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + Filament widgets/resources/pages, Pest v4, `App\Models\OperationRun`, `App\Support\Operations\OperationRunFreshnessState`, `App\Services\Operations\OperationLifecycleReconciler`, `App\Support\OpsUx\OperationUxPresenter`, `App\Support\OpsUx\ActiveRuns`, `App\Support\Badges\BadgeCatalog` / `BadgeRenderer`, `App\Support\Workspaces\WorkspaceOverviewBuilder`, `App\Support\OperationRunLinks`
- 232-operation-run-link-contract: Added PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + Filament Resources/Pages/Widgets, Pest v4, `App\Support\OperationRunLinks`, `App\Support\System\SystemOperationRunLinks`, `App\Support\Navigation\CanonicalNavigationContext`, `App\Support\Navigation\RelatedNavigationResolver`, existing workspace and tenant authorization helpers
<!-- MANUAL ADDITIONS START -->
### Pre-production compatibility check

@ -1,32 +1,28 @@
<!--
Sync Impact Report
- Version change: 2.7.0 -> 2.8.0
- Modified principles: None
- Version change: 2.8.0 -> 2.9.0
- Modified principles:
- Added provider-boundary guardrail set under First Provider Is Not
Platform Core (PROV-001 with sub-rules PROV-002 through PROV-005)
- Expanded Governance review expectations for provider-owned vs
platform-core boundaries
- Added sections:
- Pre-Production Lean Doctrine (LEAN-001): forbids legacy aliases,
migration shims, dual-write logic, and compatibility fixtures in a
pre-production codebase; includes AI-agent verification checklist,
review rule, and explicit exit condition at first production deploy
- Shared Pattern First For Cross-Cutting Interaction Classes
(XCUT-001): requires shared contracts/presenters/builders for
notifications, status messaging, action links, dashboard signals,
navigation, and similar interaction classes before any local
domain-specific variant is allowed
- First Provider Is Not Platform Core (PROV-001): keeps Microsoft as
the current first provider without allowing provider-specific
semantics to silently become platform-core truth; requires explicit
review of provider-owned vs platform-core seams and prefers bounded
extraction over speculative multi-provider frameworks
- Removed sections: None
- Templates requiring updates:
- .specify/templates/spec-template.md: added "Compatibility posture"
default block ✅
- .specify/templates/spec-template.md: add cross-cutting shared-pattern
reuse block ✅
- .specify/templates/plan-template.md: add shared pattern and system
fit section ✅
- .specify/templates/tasks-template.md: add cross-cutting reuse task
- .specify/templates/spec-template.md: add provider-boundary platform
core check ✅
- .specify/templates/plan-template.md: add provider-boundary planning
fields + constitution check ✅
- .specify/templates/tasks-template.md: add provider-boundary task
requirements ✅
- .specify/templates/checklist-template.md: add shared-pattern reuse
- .specify/templates/checklist-template.md: add provider-boundary
review checks ✅
- .github/agents/copilot-instructions.md: added "Pre-production
compatibility check" agent checklist ✅
- Commands checked:
- N/A `.specify/templates/commands/*.md` directory is not present
- Follow-up TODOs: None
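Review bot: The `Version change: 2.8.0 -> 2.9.0` line records a constitution amendment (PROV-001 with PROV-002 through PROV-005, plus four template updates) that the commit summary does not mention; the summary only speaks of baseline capture truth, onboarding recovery, and refreshing "spec, roadmap, and spec-candidate artifacts". A governance change of MINOR weight should either land in its own commit or be called out explicitly in the summary so it is reviewed as a rule change rather than passing as a side effect of Spec 235.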
@ -66,6 +62,15 @@ ### No Premature Abstraction (ABSTR-001)
- Test convenience alone is not sufficient justification for a new abstraction.
- Narrow abstractions are allowed when required for security, tenant isolation, auditability, compliance evidence, or queue/job execution correctness.
### First Provider Is Not Platform Core (PROV-001)
- Microsoft is the current first provider, not the platform core.
- Shared platform-owned contracts, taxonomies, identifiers, compare semantics, and operator vocabulary MUST NOT silently become Microsoft-shaped truth just because Microsoft is the only provider today.
- Shared platform-owned boundaries SHOULD prefer neutral core terms such as `provider`, `connection`, `target scope`, `governed subject`, and `operation` unless the feature is intentionally provider-owned and explicitly bounded.
- Shared core terms at shared boundaries (PROV-002): if a boundary is reused across multiple domains, features, or workflows, the default is neutral platform language rather than provider-specific labels or semantics.
- No accidental deepening of provider coupling (PROV-003): a feature MAY retain provider-specific semantics at a provider-owned seam, but it MUST NOT spread those semantics deeper into platform-core contracts, shared persistence truth, shared taxonomies, or shared UI language without proving that the narrower current-release truth genuinely requires it.
- Shared-boundary review is mandatory (PROV-004): when a feature touches a shared provider/platform seam, the spec, plan, and review MUST state whether the seam is provider-owned or platform-core, what provider-specific semantics remain, and why that choice is the narrowest correct implementation now.
- Prefer bounded extraction over premature generalization (PROV-005): if an existing hotspot is too Microsoft-specific, the default remedy is a bounded normalization or extraction of that hotspot, not a speculative multi-provider framework with unused extension points.
### No New Persisted Truth Without Source-of-Truth Need (PERSIST-001)
- New tables, persisted entities, or stored artifacts MUST represent real product truth that survives independently of the originating request, run, or view.
- Persisted storage is justified only when at least one of these is true: it is a source of truth, has an independent lifecycle, must be audited independently, must outlive its originating run/request, is required for permissions/routing/compliance evidence, or is required for stable operator workflows over time.
@ -1608,6 +1613,7 @@ ### Scope, Compliance, and Review Expectations
- Specs and PRs that introduce new persisted truth, abstractions, states, DTO/presenter layers, or taxonomies MUST include the proportionality review required by BLOAT-001.
- Runtime-changing or test-affecting specs and PRs MUST include testing/lane/runtime impact covering actual test-purpose classification, affected lanes, fixture/helper/factory/seed/context cost changes, any heavy-family expansion, expected budget/baseline/trend effect, escalation decisions, and the minimal validation commands.
- Specs, plans, task lists, and review checklists MUST surface the test-governance questions needed to catch lane drift, hidden defaults, and runtime-cost escalation before merge.
- Specs and PRs that touch shared provider/platform seams MUST classify the touched boundary as provider-owned or platform-core, keep provider-specific semantics out of platform-core contracts and vocabulary unless explicitly justified, and record whether any remaining hotspot is resolved in-feature or escalated as a follow-up spec.
- Specs and PRs that change operator-facing surfaces MUST classify each
affected surface under DECIDE-001 and justify any new Primary
Decision Surface or workflow-first navigation change.
@ -1625,4 +1631,4 @@ ### Versioning Policy (SemVer)
- **MINOR**: new principle/section or materially expanded guidance.
- **MAJOR**: removing/redefining principles in a backward-incompatible way.
**Version**: 2.7.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2025-07-19
**Version**: 2.9.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-04-23
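Review bot: The footer jumps from `2.7.0` straight to `2.9.0`, while the Sync Impact Report at the top of this file shows the previous report as `2.7.0 -> 2.8.0` and the new one as `2.8.0 -> 2.9.0`, so the 2.8.0 amendment apparently never updated this line. Please confirm that 2.8.0 was actually ratified and note the skipped footer update, since the footer is what readers use as the authoritative version. The new `Last Amended` date also corrects an old value (2025-07-19) that predated the ratification date, which is worth a short mention.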

@ -32,18 +32,23 @@ ## Shared Pattern Reuse
- [ ] CHK008 The change extends the shared path where it is sufficient, or the deviation is explicitly documented with product reason, preserved consistency, ownership cost, and spread-control.
- [ ] CHK009 The change does not create a parallel operator-facing UX language for the same interaction class unless a bounded exception is recorded.
## Provider Boundary And Vocabulary
- [ ] CHK010 The change states whether any touched shared seam is provider-owned, platform-core, or mixed, and provider-specific semantics do not silently spread into platform-core contracts, taxonomy, identifiers, compare semantics, or operator vocabulary.
- [ ] CHK011 Any retained provider-specific shared boundary is justified as a bounded current-release exception or an explicit follow-up-spec need instead of becoming permanent platform truth by default.
## Signals, Exceptions, And Test Depth
- [ ] CHK010 Any triggered repository signal is classified with one handling mode: `hard-stop-candidate`, `review-mandatory`, `exception-required`, or `report-only`.
- [ ] CHK011 Any deviation from default rules includes a bounded exception record naming the broken rule, product reason, standardized parts, spread-control rule, and the active feature PR close-out entry.
- [ ] CHK012 The required surface test profile is explicit: `shared-detail-family`, `monitoring-state-page`, `global-context-shell`, `exception-coded-surface`, or `standard-native-filament`.
- [ ] CHK013 The chosen test family/lane and any manual smoke are the narrowest honest proof for the declared surface class, and `standard-native-filament` relief is used when no special contract exists.
- [ ] CHK012 Any triggered repository signal is classified with one handling mode: `hard-stop-candidate`, `review-mandatory`, `exception-required`, or `report-only`.
- [ ] CHK013 Any deviation from default rules includes a bounded exception record naming the broken rule, product reason, standardized parts, spread-control rule, and the active feature PR close-out entry.
- [ ] CHK014 The required surface test profile is explicit: `shared-detail-family`, `monitoring-state-page`, `global-context-shell`, `exception-coded-surface`, or `standard-native-filament`.
- [ ] CHK015 The chosen test family/lane and any manual smoke are the narrowest honest proof for the declared surface class, and `standard-native-filament` relief is used when no special contract exists.
## Review Outcome
- [ ] CHK014 One review outcome class is chosen: `blocker`, `strong-warning`, `documentation-required-exception`, or `acceptable-special-case`.
- [ ] CHK015 One workflow outcome is chosen: `keep`, `split`, `document-in-feature`, `follow-up-spec`, or `reject-or-split`.
- [ ] CHK016 The final note location is explicit: the active feature PR close-out entry for guarded work, or a concise `N/A` note for low-impact changes.
- [ ] CHK016 One review outcome class is chosen: `blocker`, `strong-warning`, `documentation-required-exception`, or `acceptable-special-case`.
- [ ] CHK017 One workflow outcome is chosen: `keep`, `split`, `document-in-feature`, `follow-up-spec`, or `reject-or-split`.
- [ ] CHK018 The final note location is explicit: the active feature PR close-out entry for guarded work, or a concise `N/A` note for low-impact changes.
## Notes
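Review bot: Inserting the new provider-boundary items as `CHK010` and `CHK011` renumbers every later item (old `CHK010` through `CHK016` become `CHK012` through `CHK018`), so any existing PR close-out entry or review note that cites a CHK id now points at a different check. Either append the two new checks after the last existing id, or give the new section its own prefix, so that previously recorded ids keep their meaning.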

@ -54,6 +54,17 @@ ## Shared Pattern & System Fit
- **Why the existing abstraction was sufficient or insufficient**: [Short explanation tied to current-release truth]
- **Bounded deviation / spread control**: [none / describe the exception boundary and containment rule]
## Provider Boundary & Portability Fit
> **Fill when the feature touches shared provider/platform seams, identity scope, governed-subject taxonomy, compare strategy selection, provider connection descriptors, or operator vocabulary that may leak provider-specific semantics into platform-core truth. Docs-only or template-only work may use concise `N/A`.**
- **Shared provider/platform boundary touched?**: [yes / no / N/A]
- **Provider-owned seams**: [List or `N/A`]
- **Platform-core seams**: [List or `N/A`]
- **Neutral platform terms / contracts preserved**: [List or `N/A`]
- **Retained provider-specific semantics and why**: [none / short explanation]
- **Bounded extraction or follow-up path**: [none / document-in-feature / follow-up-spec / N/A]
## Constitution Check
*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
@ -82,6 +93,7 @@ ## Constitution Check
- Behavioral state (STATE-001): new states/statuses/reason codes change behavior, routing, permissions, lifecycle, audit, retention, or retry handling; presentation-only distinctions stay derived
- UI semantics (UI-SEM-001): avoid turning badges, explanation text, trust/confidence labels, or detail summaries into mandatory interpretation frameworks; prefer direct domain-to-UI mapping
- Shared pattern first (XCUT-001): cross-cutting interaction classes reuse existing shared contracts/presenters/builders/renderers first; any deviation is explicit, bounded, and justified against current-release truth
- Provider boundary (PROV-001): shared provider/platform seams are classified as provider-owned vs platform-core; provider-specific semantics stay out of platform-core contracts, taxonomy, identifiers, compare semantics, and operator vocabulary unless explicitly justified; bounded extraction beats speculative multi-provider frameworks
- V1 explicitness / few layers (V1-EXP-001, LAYER-001): prefer direct implementation, local mappings, and small helpers; any new layer replaces an old one or proves the old one cannot serve
- Spec discipline / bloat check (SPEC-DISC-001, BLOAT-001): related semantic changes are grouped coherently, and any new enum, DTO/presenter, persisted entity, interface/registry/resolver, or taxonomy includes a proportionality review covering operator problem, insufficiency, narrowness, ownership cost, rejected alternative, and whether it is current-release truth
- Badge semantics (BADGE-001): status-like badges use `BadgeCatalog` / `BadgeRenderer`; no ad-hoc mappings; new values include tests

@ -47,6 +47,16 @@ ## Cross-Cutting / Shared Pattern Reuse *(mandatory when the feature touches not
- **Consistency impact**: [What must stay aligned across interaction structure, copy, status semantics, actions, and deep links]
- **Review focus**: [What reviewers must verify to prevent parallel local patterns]
## Provider Boundary / Platform Core Check *(mandatory when the feature changes shared provider/platform seams, identity scope, governed-subject taxonomy, compare strategy selection, provider connection descriptors, or operator vocabulary that may leak provider-specific semantics into platform-core truth; otherwise write `N/A - no shared provider/platform boundary touched`)*
- **Shared provider/platform boundary touched?**: [yes/no]
- **Boundary classification**: [provider-owned / platform-core / mixed / N/A]
- **Seams affected**: [contracts, models, taxonomies, query keys, labels, filters, compare strategy, etc.]
- **Neutral platform terms preserved or introduced**: [List them or `N/A`]
- **Provider-specific semantics retained and why**: [none / bounded current-release necessity]
- **Why this does not deepen provider coupling accidentally**: [Short explanation]
- **Follow-up path**: [none / document-in-feature / follow-up-spec]
## UI / Surface Guardrail Impact *(mandatory when operator-facing surfaces are changed; otherwise write `N/A`)*
Use this section to classify UI and surface risk once. If the feature does
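Review bot: The `Boundary classification` field offers `provider-owned / platform-core / mixed / N/A`, but the PROV-001 alignment block added further down in this same template, and PROV-004 in the constitution, only allow "provider-owned or platform-core". The answer sets also differ between templates: the plan template has `[yes / no / N/A]` and a follow-up path that includes `N/A`, while this one has `[yes/no]` and no `N/A`. Decide whether `mixed` is a valid classification and align the option lists across the constitution, spec, plan and checklist so a reviewer is not left to reconcile them.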
@ -234,6 +244,13 @@ ## Requirements *(mandatory)*
- record any allowed deviation, the consistency it must preserve, and its ownership/spread-control cost,
- and make the reviewer focus explicit so parallel local UX paths do not appear silently.
**Constitution alignment (PROV-001):** If this feature touches a shared provider/platform seam, the spec MUST:
- classify each touched seam as provider-owned or platform-core,
- keep provider-specific semantics out of platform-core contracts, taxonomies, identifiers, compare semantics, and operator vocabulary unless explicitly justified,
- name the neutral platform terms or shared contracts being preserved,
- explain why any retained provider-specific semantics are the narrowest current-release truth,
- and state whether the remaining hotspot is resolved in-feature or escalated as a follow-up spec.
**Constitution alignment (TEST-GOV-001):** If this feature changes runtime behavior or tests, the spec MUST describe:
- the actual test-purpose classification (`Unit`, `Feature`, `Heavy-Governance`, or `Browser`) and why that classification matches the real proving purpose,
- the affected validation lane(s) and why they are the narrowest sufficient proof,

@ -51,6 +51,11 @@ # Tasks: [FEATURE NAME]
- extending the shared path when it is sufficient for current-release truth,
- or recording a bounded exception task that documents why the shared path is insufficient, what consistency must still be preserved, and how spread is controlled,
- and ensuring reviewer proof covers whether the feature converged on the shared path or knowingly introduced a bounded exception.
**Provider Boundary / Platform Core (PROV-001)**: If this feature touches shared provider/platform seams, tasks MUST include:
- classifying each touched seam as provider-owned or platform-core,
- preventing provider-specific semantics from spreading into platform-core contracts, persistence truth, taxonomies, compare semantics, or operator vocabulary unless explicitly justified,
- implementing bounded normalization or extraction where a current hotspot is too provider-shaped, rather than introducing speculative multi-provider frameworks,
- and recording `document-in-feature` or `follow-up-spec` when a bounded provider-specific hotspot remains.
**UI / Surface Guardrails**: If this feature adds or changes operator-facing surfaces or the workflow that governs them, tasks MUST include:
- carrying forward the spec's native/custom classification, shared-family relevance, state-layer ownership, and exception need into implementation work without renaming the same decision,
- classifying any triggered repository signals with one handling mode (`hard-stop-candidate`, `review-mandatory`, `exception-required`, or `report-only`),

@ -1 +1 @@
{"name":"color-name","version":"1.1.4","requiresBuild":false,"files":{"package.json":{"checkedAt":1776593337482,"integrity":"sha512-E5CrPeTNIaZAftwqMJpkT8PDNamUJUrubHLTZ6Rjn3l9RvJKSLw6MGXT6SAcRHV3ltLOSTOa1HvkQ7/GUOoaHw==","mode":438,"size":607},"index.js":{"checkedAt":1776593337489,"integrity":"sha512-nek+57RYqda5dmQCKQmtJafLicLP3Y7hmqLhJlZrenqTCyQUOip2+D2/8Z8aZ7CnHek+irJIcgwu4kM5boaUUQ==","mode":438,"size":4617},"LICENSE":{"checkedAt":1776593337495,"integrity":"sha512-/B1lNSwRTHWUyb7fW+QyujnUJv6vUL+PfFLTJ4EyPIS/yaaFMa77VYyX6+RucS4dNdhguh4aarSLSnm4lAklQA==","mode":438,"size":1085},"README.md":{"checkedAt":1776593337500,"integrity":"sha512-/hmGUPmp0gXgx/Ov5oGW6DAU3c4h4aLMa/bE1TkpZHPU7dCx5JFS9hoYM4/+919EWCaPtBhWzK+6pG/6xdx+Ng==","mode":438,"size":384}}}
{"name":"color-name","version":"1.1.4","requiresBuild":false,"files":{"package.json":{"checkedAt":1776976148151,"integrity":"sha512-E5CrPeTNIaZAftwqMJpkT8PDNamUJUrubHLTZ6Rjn3l9RvJKSLw6MGXT6SAcRHV3ltLOSTOa1HvkQ7/GUOoaHw==","mode":438,"size":607},"index.js":{"checkedAt":1776976148156,"integrity":"sha512-nek+57RYqda5dmQCKQmtJafLicLP3Y7hmqLhJlZrenqTCyQUOip2+D2/8Z8aZ7CnHek+irJIcgwu4kM5boaUUQ==","mode":438,"size":4617},"LICENSE":{"checkedAt":1776976148162,"integrity":"sha512-/B1lNSwRTHWUyb7fW+QyujnUJv6vUL+PfFLTJ4EyPIS/yaaFMa77VYyX6+RucS4dNdhguh4aarSLSnm4lAklQA==","mode":438,"size":1085},"README.md":{"checkedAt":1776976148168,"integrity":"sha512-/hmGUPmp0gXgx/Ov5oGW6DAU3c4h4aLMa/bE1TkpZHPU7dCx5JFS9hoYM4/+919EWCaPtBhWzK+6pG/6xdx+Ng==","mode":438,"size":384}}}
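Review bot: The only values that differ between the old and new line are the `checkedAt` timestamps; the `integrity`, `mode` and `size` fields read the same on both sides. This looks like package-manager store metadata that is rewritten on every install, and the same applies to the `@types/estree` and `tslib` entries that follow. Please drop these files from the commit and add their directory to `.gitignore`, since tracked cache state adds churn to every diff and makes real dependency changes harder to spot in review.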

@ -1 +1 @@
{"name":"@types/estree","version":"1.0.8","requiresBuild":false,"files":{"LICENSE":{"checkedAt":1776593336106,"integrity":"sha512-HQaIQk9pwOcyKutyDk4o2a87WnotwYuLGYFW43emGm4FvIJFKPyg+OYaw5sTegKAKf+C5SKa1ACjzCLivbaHrQ==","mode":420,"size":1141},"README.md":{"checkedAt":1776593336125,"integrity":"sha512-alZQw4vOCWtDJlTmYSm+aEvD0weTLtGERCy5tNbpyvPI5F2j9hEWxHuUdwL+TZU2Nhdx7EGRhitAiv0xuSxaeg==","mode":420,"size":458},"flow.d.ts":{"checkedAt":1776593336132,"integrity":"sha512-f3OqA/2H/A62ZLT0qAZlUCUAiI89dMFcY+XrAU08dNgwHhXSQmFeMc7w/Ee7RE8tHU5RXFoQazarmCUsnCvXxg==","mode":420,"size":4801},"index.d.ts":{"checkedAt":1776593336138,"integrity":"sha512-YwR3YirWettZcjZgr7aNimg/ibEuP+6JMqAvL+cT6ubq2ctYKL9Xv+PgBssGCPES01PG5zKTHSvhShXCjXOrDg==","mode":420,"size":18944},"package.json":{"checkedAt":1776593336144,"integrity":"sha512-KaEBTHEFL2oVUvCrjSJR/H812XIaeRGbSZFP8DBb2Hon+IQwND0zz7oRvrXTm2AzzjneqH+pkB2Lusw29yJ/WA==","mode":420,"size":829}}}
{"name":"@types/estree","version":"1.0.8","requiresBuild":false,"files":{"LICENSE":{"checkedAt":1776976148127,"integrity":"sha512-HQaIQk9pwOcyKutyDk4o2a87WnotwYuLGYFW43emGm4FvIJFKPyg+OYaw5sTegKAKf+C5SKa1ACjzCLivbaHrQ==","mode":420,"size":1141},"README.md":{"checkedAt":1776976148139,"integrity":"sha512-alZQw4vOCWtDJlTmYSm+aEvD0weTLtGERCy5tNbpyvPI5F2j9hEWxHuUdwL+TZU2Nhdx7EGRhitAiv0xuSxaeg==","mode":420,"size":458},"flow.d.ts":{"checkedAt":1776976148143,"integrity":"sha512-f3OqA/2H/A62ZLT0qAZlUCUAiI89dMFcY+XrAU08dNgwHhXSQmFeMc7w/Ee7RE8tHU5RXFoQazarmCUsnCvXxg==","mode":420,"size":4801},"index.d.ts":{"checkedAt":1776976148144,"integrity":"sha512-YwR3YirWettZcjZgr7aNimg/ibEuP+6JMqAvL+cT6ubq2ctYKL9Xv+PgBssGCPES01PG5zKTHSvhShXCjXOrDg==","mode":420,"size":18944},"package.json":{"checkedAt":1776976148144,"integrity":"sha512-KaEBTHEFL2oVUvCrjSJR/H812XIaeRGbSZFP8DBb2Hon+IQwND0zz7oRvrXTm2AzzjneqH+pkB2Lusw29yJ/WA==","mode":420,"size":829}}}

@ -1 +1 @@
{"name":"tslib","version":"2.8.1","requiresBuild":false,"files":{"tslib.es6.html":{"checkedAt":1776593335180,"integrity":"sha512-aoAR2zaxE9UtcXO4kE9FbPBgIZEVk7u3Z+nEPmDo6rwcYth07KxrVZejVEdy2XmKvkkcb8O/XM9UK3bPc1iMPw==","mode":420,"size":36},"tslib.html":{"checkedAt":1776593335194,"integrity":"sha512-4dCvZ5WYJpcbIJY4RPUhOBbFud1156Rr7RphuR12/+mXKUeIpCxol2/uWL4WDFNNlSH909M2AY4fiLWJo8+fTw==","mode":420,"size":32},"modules/index.js":{"checkedAt":1776593335198,"integrity":"sha512-DqWTtBt/Q47Jm4z8VzCLSiG/2R+Mwqy8uB60ithBWyofDYamF5C4icYdqbq/NP2IE/TefCT/03uAwA5mujzR7A==","mode":420,"size":1416},"tslib.es6.js":{"checkedAt":1776593335206,"integrity":"sha512-FugydTgfIjlaQrbH9gaIh59iXw8keW2311ILz3FBWn1IHLwPcmWte+ZE8UeXXGTQRc2E8NhQSCzYA6/zX36+7w==","mode":420,"size":19215},"tslib.js":{"checkedAt":1776593335213,"integrity":"sha512-7Gj/3vlZdba9iZH2H2up34pBk5UfN1tWQl3/TjsHzw3Oipw/stl6nko8k4jk+MeDeLPJE3rKz3VoQG5XmgwSmg==","mode":420,"size":23382},"modules/package.json":{"checkedAt":1776593335219,"integrity":"sha512-vm8hQn5MuoMkjJYvBBHTAtsdrcuXmVrKZwL3FEq32oGiKFhY562FoUQTbXv24wk0rwJVpgribUCOIU98IaS9Mg==","mode":420,"size":26},"package.json":{"checkedAt":1776593335230,"integrity":"sha512-72peSY+xgEHIo+YSpUbUl6qsExQ5ZlgeiDVDAiy4QdVmmBkK7RAB/07CCX3gg0SyvvQVJiGgAD36ub3rgE4QCg==","mode":420,"size":1219},"README.md":{"checkedAt":1776593335236,"integrity":"sha512-kCH2ENYjhlxwI7ae89ymMIP2tZeNcJJOcqnfifnmHQiHeK4mWnGc4w8ygoiUIpG1qyaurZkRSrYtwHCEIMNhbA==","mode":420,"size":4033},"SECURITY.md":{"checkedAt":1776593335243,"integrity":"sha512-ix30VBNb4RQLa5M2jgfD6IJ9+1XKmeREKrOYv7rDoWGZCin0605vEx3tTAVb5kNvteCwZwBC+nEGfQ4jHLg9Fw==","mode":420,"size":2757},"tslib.es6.mjs":{"checkedAt":1776593335251,"integrity":"sha512-q8VhXPTjmn6KDh3j6Ewn0V3siY1zNdvXvIUNN36llJUtO5cDafldf1Y2zzToBAbgOdh2pjFks7lFDRzZ/LZnDw==","mode":420,"size":17648},"modules/index.d.ts":{"checkedAt":1776593335258,"integrity":"sha512-XcNprVMjDjhbWmH3OTNZV91Uh9sDaCs8oZa3J7g5wMUHsdMJRENmv4XQ/8yqMlTUxKopv8uiztELREI7cw8BDg==","mode":420,"siz
e":801},"tslib.d.ts":{"checkedAt":1776593335264,"integrity":"sha512-kqzM5TLHelP5iJBElSYyBRocQd2XmWsGIzOG6+Mv+CB7KhoZ6BoFioWM3RR2OCm1p96bbSCGnfHo2rozV/WJYQ==","mode":420,"size":18317},"CopyrightNotice.txt":{"checkedAt":1776593335271,"integrity":"sha512-C0myUddnUhhpZ/UcD9yZyMWodQV4fT2wxcfqb/ToD0Z98nB9WfWBl6koNVWJ+8jzeGWP6wQjz9zdX7Unua0/SQ==","mode":420,"size":822},"LICENSE.txt":{"checkedAt":1776593335278,"integrity":"sha512-9cs1Im06/fLAPBpXOY8fHMD2LgUM3kREaKlOX7S6fLWwbG5G+UqlUrqdkTKloRPeDghECezxOiUfzvW6lnEjDg==","mode":420,"size":655}}}
{"name":"tslib","version":"2.8.1","requiresBuild":false,"files":{"tslib.es6.html":{"checkedAt":1776976148162,"integrity":"sha512-aoAR2zaxE9UtcXO4kE9FbPBgIZEVk7u3Z+nEPmDo6rwcYth07KxrVZejVEdy2XmKvkkcb8O/XM9UK3bPc1iMPw==","mode":420,"size":36},"tslib.html":{"checkedAt":1776976148164,"integrity":"sha512-4dCvZ5WYJpcbIJY4RPUhOBbFud1156Rr7RphuR12/+mXKUeIpCxol2/uWL4WDFNNlSH909M2AY4fiLWJo8+fTw==","mode":420,"size":32},"modules/index.js":{"checkedAt":1776976148166,"integrity":"sha512-DqWTtBt/Q47Jm4z8VzCLSiG/2R+Mwqy8uB60ithBWyofDYamF5C4icYdqbq/NP2IE/TefCT/03uAwA5mujzR7A==","mode":420,"size":1416},"tslib.es6.js":{"checkedAt":1776976148173,"integrity":"sha512-FugydTgfIjlaQrbH9gaIh59iXw8keW2311ILz3FBWn1IHLwPcmWte+ZE8UeXXGTQRc2E8NhQSCzYA6/zX36+7w==","mode":420,"size":19215},"tslib.js":{"checkedAt":1776976148180,"integrity":"sha512-7Gj/3vlZdba9iZH2H2up34pBk5UfN1tWQl3/TjsHzw3Oipw/stl6nko8k4jk+MeDeLPJE3rKz3VoQG5XmgwSmg==","mode":420,"size":23382},"modules/package.json":{"checkedAt":1776976148185,"integrity":"sha512-vm8hQn5MuoMkjJYvBBHTAtsdrcuXmVrKZwL3FEq32oGiKFhY562FoUQTbXv24wk0rwJVpgribUCOIU98IaS9Mg==","mode":420,"size":26},"package.json":{"checkedAt":1776976148187,"integrity":"sha512-72peSY+xgEHIo+YSpUbUl6qsExQ5ZlgeiDVDAiy4QdVmmBkK7RAB/07CCX3gg0SyvvQVJiGgAD36ub3rgE4QCg==","mode":420,"size":1219},"README.md":{"checkedAt":1776976148192,"integrity":"sha512-kCH2ENYjhlxwI7ae89ymMIP2tZeNcJJOcqnfifnmHQiHeK4mWnGc4w8ygoiUIpG1qyaurZkRSrYtwHCEIMNhbA==","mode":420,"size":4033},"SECURITY.md":{"checkedAt":1776976148195,"integrity":"sha512-ix30VBNb4RQLa5M2jgfD6IJ9+1XKmeREKrOYv7rDoWGZCin0605vEx3tTAVb5kNvteCwZwBC+nEGfQ4jHLg9Fw==","mode":420,"size":2757},"tslib.es6.mjs":{"checkedAt":1776976148199,"integrity":"sha512-q8VhXPTjmn6KDh3j6Ewn0V3siY1zNdvXvIUNN36llJUtO5cDafldf1Y2zzToBAbgOdh2pjFks7lFDRzZ/LZnDw==","mode":420,"size":17648},"modules/index.d.ts":{"checkedAt":1776976148200,"integrity":"sha512-XcNprVMjDjhbWmH3OTNZV91Uh9sDaCs8oZa3J7g5wMUHsdMJRENmv4XQ/8yqMlTUxKopv8uiztELREI7cw8BDg==","mode":420,"siz
e":801},"tslib.d.ts":{"checkedAt":1776976148210,"integrity":"sha512-kqzM5TLHelP5iJBElSYyBRocQd2XmWsGIzOG6+Mv+CB7KhoZ6BoFioWM3RR2OCm1p96bbSCGnfHo2rozV/WJYQ==","mode":420,"size":18317},"CopyrightNotice.txt":{"checkedAt":1776976148214,"integrity":"sha512-C0myUddnUhhpZ/UcD9yZyMWodQV4fT2wxcfqb/ToD0Z98nB9WfWBl6koNVWJ+8jzeGWP6wQjz9zdX7Unua0/SQ==","mode":420,"size":822},"LICENSE.txt":{"checkedAt":1776976148225,"integrity":"sha512-9cs1Im06/fLAPBpXOY8fHMD2LgUM3kREaKlOX7S6fLWwbG5G+UqlUrqdkTKloRPeDghECezxOiUfzvW6lnEjDg==","mode":420,"size":655}}}

@ -598,7 +598,9 @@ public function content(Schema $schema): Schema
->tooltip(fn (): ?string => $this->canStartAnyBootstrap()
? null
: 'You do not have permission to start bootstrap actions.')
->action(fn () => $this->startBootstrap((array) ($this->data['bootstrap_operation_types'] ?? []))),
->action(fn (Get $get) => $this->startBootstrap(
$this->normalizeBootstrapOperationTypes((array) ($get('bootstrap_operation_types') ?? [])),
)),
]),
Text::make(fn (): string => $this->bootstrapRunsLabel())
->hidden(fn (): bool => $this->bootstrapRunsLabel() === ''),
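Review bot: The new `->action(fn (Get $get) => ...)` reads the selection through `$get('bootstrap_operation_types')`, while `afterValidation` in the next hunk still reads `$this->data['bootstrap_operation_types']`. If the schema's state path and `$this->data` ever diverge, the run that gets started and the selection that gets persisted will disagree. Please read from one source in both places. Routing the value through `normalizeBootstrapOperationTypes()` before `startBootstrap()` is the right direction, since the old code passed client-supplied state through unfiltered.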
@ -606,9 +608,11 @@ public function content(Schema $schema): Schema
])
->afterValidation(function (): void {
$types = $this->data['bootstrap_operation_types'] ?? [];
$this->selectedBootstrapOperationTypes = is_array($types)
? array_values(array_filter($types, static fn ($v): bool => is_string($v) && $v !== ''))
: [];
$this->selectedBootstrapOperationTypes = $this->normalizeBootstrapOperationTypes(
is_array($types) ? $types : [],
);
$this->persistBootstrapSelection($this->selectedBootstrapOperationTypes);
$this->touchOnboardingSessionStep('bootstrap');
}),
@ -642,6 +646,10 @@ public function content(Schema $schema): Schema
->badge()
->color(fn (): string => $this->completionSummaryBootstrapColor()),
]),
Callout::make('Bootstrap needs attention')
->description(fn (): string => $this->completionSummaryBootstrapRecoveryMessage())
->warning()
->visible(fn (): bool => $this->showCompletionSummaryBootstrapRecovery()),
Callout::make('After completion')
->description('This action is recorded in the audit log and cannot be undone from this wizard.')
->info()
@ -733,10 +741,111 @@ private function loadOnboardingDraft(User $user, TenantOnboardingSession|int|str
$bootstrapTypes = $draft->state['bootstrap_operation_types'] ?? [];
$this->selectedBootstrapOperationTypes = is_array($bootstrapTypes)
? array_values(array_filter($bootstrapTypes, static fn ($v): bool => is_string($v) && $v !== ''))
? $this->normalizeBootstrapOperationTypes($bootstrapTypes)
: [];
}
/**
* @param array<int|string, mixed> $operationTypes
* @return array<int, string>
*/
private function normalizeBootstrapOperationTypes(array $operationTypes): array
{
$supportedTypes = array_keys($this->supportedBootstrapCapabilities());
$normalized = [];
foreach ($operationTypes as $key => $value) {
if (is_string($value)) {
$normalizedValue = trim($value);
if ($normalizedValue !== '' && in_array($normalizedValue, $supportedTypes, true)) {
$normalized[] = $normalizedValue;
}
continue;
}
if (! is_string($key) || trim($key) === '') {
continue;
}
$isSelected = match (true) {
is_bool($value) => $value,
is_int($value) => $value === 1,
is_string($value) => in_array(strtolower(trim($value)), ['1', 'true', 'on', 'yes'], true),
default => false,
};
$normalizedKey = trim($key);
if ($isSelected && in_array($normalizedKey, $supportedTypes, true)) {
$normalized[] = $normalizedKey;
}
}
return array_values(array_unique($normalized));
}
/**
* @return array<string, string>
*/
private function supportedBootstrapCapabilities(): array
{
return [
'inventory_sync' => Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
'compliance.snapshot' => Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
];
}
/**
* @param array<int, string> $operationTypes
*/
private function persistBootstrapSelection(array $operationTypes): void
{
$user = auth()->user();
if (! $user instanceof User) {
abort(403);
}
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
return;
}
$normalized = $this->normalizeBootstrapOperationTypes($operationTypes);
$existing = $this->onboardingSession->state['bootstrap_operation_types'] ?? null;
$existing = is_array($existing)
? $this->normalizeBootstrapOperationTypes($existing)
: [];
if ($normalized === $existing) {
return;
}
try {
$this->setOnboardingSession($this->mutationService()->mutate(
draft: $this->onboardingSession,
actor: $user,
expectedVersion: $this->expectedDraftVersion(),
incrementVersion: false,
mutator: function (TenantOnboardingSession $draft) use ($normalized): void {
$state = is_array($draft->state) ? $draft->state : [];
$state['bootstrap_operation_types'] = $normalized;
$draft->state = $state;
},
));
} catch (OnboardingDraftConflictException) {
$this->handleDraftConflict();
return;
} catch (OnboardingDraftImmutableException) {
$this->handleImmutableDraft();
return;
}
}
/**
* @return Collection<int, TenantOnboardingSession>
*/
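Review bot: in `normalizeBootstrapOperationTypes()` the `is_string($value)` arm of the `match (true)` can never run, because every string value is consumed by the earlier `if (is_string($value)) { ... continue; }` branch. As written, a keyed entry such as `'inventory_sync' => 'on'` is treated as the value `'on'`, fails the `in_array(..., $supportedTypes, true)` check and is dropped without the key ever being considered. Either remove the dead arm and document that only list-shaped strings and bool/int flags are accepted, or check for a string key first so that `'1'`, `'true'`, `'on'` and `'yes'` flags actually select the keyed type. A unit test covering list input, keyed bool input and keyed string input would pin the intended behaviour.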
@ -1464,6 +1573,7 @@ private function initializeWizardData(): void
// Ensure all entangled schema state paths exist at render time.
// Livewire v4 can throw when entangling to missing nested array keys.
$this->data['notes'] ??= '';
$this->data['bootstrap_operation_types'] ??= [];
$this->data['override_blocked'] ??= false;
$this->data['override_reason'] ??= '';
$this->data['new_connection'] ??= [];
@ -1534,7 +1644,7 @@ private function initializeWizardData(): void
$types = $draft->state['bootstrap_operation_types'] ?? null;
if (is_array($types)) {
$this->data['bootstrap_operation_types'] = array_values(array_filter($types, static fn ($v): bool => is_string($v) && $v !== ''));
$this->data['bootstrap_operation_types'] = $this->normalizeBootstrapOperationTypes($types);
}
}
@ -2966,7 +3076,7 @@ public function startBootstrap(array $operationTypes): void
}
$registry = app(ProviderOperationRegistry::class);
$types = array_values(array_unique(array_filter($operationTypes, static fn ($v): bool => is_string($v) && trim($v) !== '')));
$types = $this->normalizeBootstrapOperationTypes($operationTypes);
$types = array_values(array_filter(
$types,
@ -3236,18 +3346,18 @@ private function bootstrapOperationSucceeded(TenantOnboardingSession $draft, str
private function resolveBootstrapCapability(string $operationType): ?string
{
return match ($operationType) {
'inventory_sync' => Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
'compliance.snapshot' => Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
default => null,
};
return $this->supportedBootstrapCapabilities()[$operationType] ?? null;
}
private function canStartAnyBootstrap(): bool
{
return $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC)
|| $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC)
|| $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP);
foreach ($this->supportedBootstrapCapabilities() as $capability) {
if ($this->currentUserCan($capability)) {
return true;
}
}
return false;
}
private function currentUserCan(string $capability): bool
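Review bot: `canStartAnyBootstrap()` no longer considers `WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP`. The removed expression granted the button to holders of that capability, while the new loop only iterates `supportedBootstrapCapabilities()`, which lists inventory sync and policy sync. If dropping backup bootstrap is intended, say so in the commit message and add an authorization test for a user who holds only that capability; if not, the capability needs an entry in the supported map.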
@ -3498,33 +3608,59 @@ private function completionSummaryVerificationDetail(): string
private function completionSummaryBootstrapLabel(): string
{
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
return 'Skipped';
return $this->completionSummarySelectedBootstrapTypes() === []
? 'Skipped'
: 'Selected';
}
if ($this->completionSummaryBootstrapActionRequiredDetail() !== null) {
return 'Action required';
}
$runs = $this->onboardingSession->state['bootstrap_operation_runs'] ?? null;
$runs = is_array($runs) ? $runs : [];
if ($runs === []) {
return 'Skipped';
if ($runs !== []) {
return 'Started';
}
return 'Started';
return $this->completionSummarySelectedBootstrapTypes() === []
? 'Skipped'
: 'Selected';
}
private function completionSummaryBootstrapDetail(): string
{
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
return 'No bootstrap actions selected';
$selectedTypes = $this->completionSummarySelectedBootstrapTypes();
return $selectedTypes === []
? 'No bootstrap actions selected'
: sprintf('%d action(s) selected', count($selectedTypes));
}
$runs = $this->onboardingSession->state['bootstrap_operation_runs'] ?? null;
$runs = is_array($runs) ? $runs : [];
$selectedTypes = $this->completionSummarySelectedBootstrapTypes();
$actionRequiredDetail = $this->completionSummaryBootstrapActionRequiredDetail();
if ($runs === []) {
if ($selectedTypes === []) {
return 'No bootstrap actions selected';
}
return sprintf('%d operation(s) started', count($runs));
if ($actionRequiredDetail !== null) {
return $actionRequiredDetail;
}
if ($runs === []) {
return sprintf('%d action(s) selected', count($selectedTypes));
}
if (count($runs) < count($selectedTypes)) {
return sprintf('%d of %d action(s) started', count($runs), count($selectedTypes));
}
return sprintf('%d action(s) started', count($runs));
}
private function completionSummaryBootstrapSummary(): string
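Review bot: the label and detail helpers evaluate their conditions in a different order, so they can disagree. `completionSummaryBootstrapLabel()` checks the action-required detail first and then `$runs !== []`, but `completionSummaryBootstrapDetail()` returns 'No bootstrap actions selected' as soon as `$selectedTypes === []`, before it looks at `$actionRequiredDetail` or `$runs`. A draft with recorded runs but an empty selection would show the badge 'Action required' or 'Started' next to the detail 'No bootstrap actions selected'. Move the `$actionRequiredDetail` and `$runs` checks ahead of the empty-selection return, or derive both strings from one shared state resolver.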
@ -3536,11 +3672,130 @@ private function completionSummaryBootstrapSummary(): string
);
}
private function showCompletionSummaryBootstrapRecovery(): bool
{
return $this->completionSummaryBootstrapActionRequiredDetail() !== null;
}
private function completionSummaryBootstrapRecoveryMessage(): string
{
return 'Selected bootstrap actions must complete before activation. Return to Bootstrap to remove the selected actions and skip this optional step, or resolve the required permission and start the blocked action again.';
}
private function completionSummaryBootstrapColor(): string
{
return $this->completionSummaryBootstrapLabel() === 'Started'
? 'info'
: 'gray';
return match ($this->completionSummaryBootstrapLabel()) {
'Action required' => 'warning',
'Started' => 'info',
'Selected' => 'warning',
default => 'gray',
};
}
private function completionSummaryBootstrapActionRequiredDetail(): ?string
{
$reasonCode = $this->completionSummaryBootstrapReasonCode();
if (! in_array($reasonCode, ['bootstrap_failed', 'bootstrap_partial_failure'], true)) {
return null;
}
$run = $this->completionSummaryBootstrapFailedRun();
if (! $run instanceof OperationRun) {
return $reasonCode === 'bootstrap_partial_failure'
? 'A bootstrap action needs attention'
: 'A bootstrap action failed';
}
$context = is_array($run->context ?? null) ? $run->context : [];
$operatorLabel = data_get($context, 'reason_translation.operator_label');
if (is_string($operatorLabel) && trim($operatorLabel) !== '') {
return trim($operatorLabel);
}
return match ($run->outcome) {
OperationRunOutcome::PartiallySucceeded->value => 'A bootstrap action needs attention',
OperationRunOutcome::Blocked->value => 'A bootstrap action was blocked',
default => 'A bootstrap action failed',
};
}
private function completionSummaryBootstrapReasonCode(): ?string
{
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
return null;
}
$reasonCode = $this->lifecycleService()->snapshot($this->onboardingSession)['reason_code'] ?? null;
return is_string($reasonCode) ? $reasonCode : null;
}
private function completionSummaryBootstrapFailedRun(): ?OperationRun
{
return once(function (): ?OperationRun {
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
return null;
}
$runMap = $this->onboardingSession->state['bootstrap_operation_runs'] ?? null;
if (! is_array($runMap)) {
return null;
}
$runIds = array_values(array_filter(array_map(
static fn (mixed $value): ?int => is_numeric($value) ? (int) $value : null,
$runMap,
)));
if ($runIds === []) {
return null;
}
return OperationRun::query()
->whereIn('id', $runIds)
->where('status', OperationRunStatus::Completed->value)
->whereIn('outcome', [
OperationRunOutcome::Blocked->value,
OperationRunOutcome::Failed->value,
OperationRunOutcome::PartiallySucceeded->value,
])
->latest('id')
->first();
});
}
/**
* @return array<int, string>
*/
private function completionSummarySelectedBootstrapTypes(): array
{
$selectedTypes = $this->data['bootstrap_operation_types'] ?? null;
if (is_array($selectedTypes)) {
$normalized = $this->normalizeBootstrapOperationTypes($selectedTypes);
if ($normalized !== []) {
return $normalized;
}
}
if ($this->selectedBootstrapOperationTypes !== []) {
return $this->normalizeBootstrapOperationTypes($this->selectedBootstrapOperationTypes);
}
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
return [];
}
$persistedTypes = $this->onboardingSession->state['bootstrap_operation_types'] ?? null;
return is_array($persistedTypes)
? $this->normalizeBootstrapOperationTypes($persistedTypes)
: [];
}
public function completeOnboarding(): void
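Review bot: `completionSummaryBootstrapFailedRun()` loads `OperationRun` rows purely by the ids stored in `state['bootstrap_operation_runs']`, with no tenant or workspace constraint on the query. The ids come from mutable draft JSON, and the result feeds `reason_translation.operator_label` into the callout text, so a stale or wrong id would surface another run's explanation. Add a `where` on the draft's tenant (or workspace) alongside `whereIn('id', $runIds)`. Separately, the `once()` wrapper memoizes the lookup, so confirm nothing in the same request changes the run map after the first call.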
@ -4139,9 +4394,10 @@ public function updateSelectedProviderConnectionInline(int $providerConnectionId
private function bootstrapOperationOptions(): array
{
$registry = app(ProviderOperationRegistry::class);
$supportedTypes = array_keys($this->supportedBootstrapCapabilities());
return collect($registry->all())
->reject(fn (array $definition, string $type): bool => $type === 'provider.connection.check')
->filter(fn (array $definition, string $type): bool => in_array($type, $supportedTypes, true))
->mapWithKeys(fn (array $definition, string $type): array => [$type => (string) ($definition['label'] ?? $type)])
->all();
}
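Review bot: the `reject()` for `'provider.connection.check'` is now redundant in `bootstrapOperationOptions()`, since the added `filter()` already limits the options to `array_keys($this->supportedBootstrapCapabilities())` and that map does not contain the connection check. Dropping the `reject()` leaves a single allow-list as the source of truth.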


@ -9,6 +9,7 @@
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineTenantAssignment;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Models\Workspace;
@ -840,7 +841,17 @@ private static function compareReadinessIcon(BaselineProfile $profile): ?string
private static function profileNextStep(BaselineProfile $profile): string
{
return match (self::compareAvailabilityReason($profile)) {
$compareAvailabilityReason = self::compareAvailabilityReason($profile);
if ($compareAvailabilityReason === null) {
$latestCaptureEnvelope = self::latestBaselineCaptureEnvelope($profile);
if ($latestCaptureEnvelope instanceof ReasonResolutionEnvelope && trim($latestCaptureEnvelope->shortExplanation) !== '') {
return $latestCaptureEnvelope->shortExplanation;
}
}
return match ($compareAvailabilityReason) {
BaselineReasonCodes::COMPARE_INVALID_SCOPE,
BaselineReasonCodes::COMPARE_MIXED_SCOPE,
BaselineReasonCodes::COMPARE_UNSUPPORTED_SCOPE => 'Review the governed subject selection before starting compare.',
@ -858,6 +869,30 @@ private static function latestAttemptedSnapshot(BaselineProfile $profile): ?Base
return app(BaselineSnapshotTruthResolver::class)->resolveLatestAttemptedSnapshot($profile);
}
private static function latestBaselineCaptureEnvelope(BaselineProfile $profile): ?ReasonResolutionEnvelope
{
$run = OperationRun::query()
->where('workspace_id', (int) $profile->workspace_id)
->where('type', 'baseline_capture')
->where('context->baseline_profile_id', (int) $profile->getKey())
->where('status', 'completed')
->orderByDesc('completed_at')
->orderByDesc('id')
->first();
if (! $run instanceof OperationRun) {
return null;
}
$reasonCode = data_get($run->context, 'reason_code');
if (! is_string($reasonCode) || trim($reasonCode) === '') {
return null;
}
return app(ReasonPresenter::class)->forOperationRun($run, 'artifact_truth');
}
private static function compareAvailabilityReason(BaselineProfile $profile): ?string
{
$status = $profile->status instanceof BaselineProfileStatus
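Review bot: `latestBaselineCaptureEnvelope()` filters on the string literals `'baseline_capture'` and `'completed'`, while the other queries in this change use the enums (`OperationRunStatus::Completed->value`, `OperationRunType::...->value`). Use the enum values here too so a renamed type or status cannot silently make this query return nothing. The method also issues a query each time `profileNextStep()` is evaluated, so if that helper is called per row it is worth memoizing per profile.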


@ -19,6 +19,7 @@
use App\Support\OperationRunLinks;
use App\Support\OpsUx\OperationUxPresenter;
use App\Support\OpsUx\OpsUxBrowserEvents;
use App\Support\ReasonTranslation\ReasonPresenter;
use App\Support\Rbac\WorkspaceUiEnforcement;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Actions\Action;
@ -105,15 +106,10 @@ private function captureAction(): Action
if (! $result['ok']) {
$reasonCode = is_string($result['reason_code'] ?? null) ? (string) $result['reason_code'] : 'unknown';
$message = match ($reasonCode) {
BaselineReasonCodes::CAPTURE_ROLLOUT_DISABLED => 'Full-content baseline capture is currently disabled for controlled rollout.',
BaselineReasonCodes::CAPTURE_PROFILE_NOT_ACTIVE => 'This baseline profile is not active.',
BaselineReasonCodes::CAPTURE_MISSING_SOURCE_TENANT => 'The selected tenant is not available for this baseline profile.',
BaselineReasonCodes::CAPTURE_INVALID_SCOPE => 'This baseline profile has an invalid governed-subject scope. Review the baseline definition before capturing.',
BaselineReasonCodes::CAPTURE_UNSUPPORTED_SCOPE => 'This baseline profile includes governed subjects that are not currently supported for capture.',
default => 'Reason: '.str_replace('.', ' ', $reasonCode),
};
$translation = app(ReasonPresenter::class)->forArtifactTruth($reasonCode, 'artifact_truth');
$message = is_string($translation?->shortExplanation) && trim($translation->shortExplanation) !== ''
? trim($translation->shortExplanation)
: 'Reason: '.str_replace('.', ' ', $reasonCode);
Notification::make()
->title('Cannot start capture')
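Review bot: the five explicit operator messages are replaced by `ReasonPresenter::forArtifactTruth($reasonCode, 'artifact_truth')`, with `'Reason: '.str_replace('.', ' ', $reasonCode)` as the only fallback. Any `CAPTURE_*` code without a translation, including the inventory-related codes this change introduces, would now reach the operator as a raw reason string. Add a test that iterates the capture reason codes and asserts a non-empty `shortExplanation` for each, so a missing translation fails in CI rather than in the notification.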


@ -4,6 +4,7 @@
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\TenantOnboardingSession;
use App\Services\Intune\AuditLogger;
use App\Support\Providers\ProviderConnectionType;
use App\Support\Providers\ProviderConsentStatus;
@ -54,6 +55,8 @@ public function __invoke(
error: $error,
);
$this->invalidateResumableOnboardingVerificationState($tenant, $connection);
$legacyStatus = $status === 'ok' ? 'success' : 'failed';
$auditMetadata = [
'source' => 'admin.consent.callback',
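Review bot: `invalidateResumableOnboardingVerificationState()` is called unconditionally, before `$status` is consulted on the next line. A callback that comes back with an error therefore also clears the verification run ids and the operator's `bootstrap_operation_types` selection on every resumable draft for the tenant. If only a changed consent result should invalidate that state, gate the call on the status or on an actual change in the connection; if the reset is intended for failures as well, a short comment and a test for the error path would make that explicit.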
@ -98,6 +101,7 @@ public function __invoke(
'status' => $status,
'error' => $error,
'consentGranted' => $consentGranted,
'verificationStateLabel' => $this->verificationStateLabel($connection),
]);
}
@ -197,4 +201,48 @@ private function parseState(?string $state): ?string
return $state;
}
private function verificationStateLabel(ProviderConnection $connection): string
{
$verificationStatus = $connection->verification_status instanceof ProviderVerificationStatus
? $connection->verification_status
: ProviderVerificationStatus::tryFrom((string) $connection->verification_status);
if ($verificationStatus === ProviderVerificationStatus::Unknown) {
return $connection->consent_status === ProviderConsentStatus::Granted
? 'Needs verification'
: 'Not verified';
}
return ucfirst(str_replace('_', ' ', $verificationStatus?->value ?? 'unknown'));
}
private function invalidateResumableOnboardingVerificationState(Tenant $tenant, ProviderConnection $connection): void
{
TenantOnboardingSession::query()
->where('tenant_id', (int) $tenant->getKey())
->resumable()
->each(function (TenantOnboardingSession $draft) use ($connection): void {
$state = is_array($draft->state) ? $draft->state : [];
$providerConnectionId = $state['provider_connection_id'] ?? null;
$providerConnectionId = is_numeric($providerConnectionId) ? (int) $providerConnectionId : null;
if ($providerConnectionId !== null && $providerConnectionId !== (int) $connection->getKey()) {
return;
}
unset(
$state['verification_operation_run_id'],
$state['verification_run_id'],
$state['bootstrap_operation_runs'],
$state['bootstrap_operation_types'],
$state['bootstrap_run_ids'],
);
$state['connection_recently_updated'] = true;
$draft->state = $state;
$draft->save();
});
}
}
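Review bot: in `invalidateResumableOnboardingVerificationState()` the early return only fires when `provider_connection_id` is set and differs from the callback's connection, so drafts that have no connection id in their state are invalidated as well. Confirm that is the intended scope. The closure also writes with a plain `$draft->save()`, whereas the wizard changes the same state through `mutationService()->mutate(...)` with `expectedVersion`; a wizard tab that is open during the callback can then overwrite or conflict with this write without either side noticing. Consider routing the reset through the same mutation service, or bumping the draft version, and recording the reset in the audit metadata.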


@ -11,6 +11,7 @@
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Services\Baselines\BaselineCaptureService;
use App\Services\Baselines\BaselineContentCapturePhase;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Baselines\BaselineSnapshotItemNormalizer;
@ -29,7 +30,6 @@
use App\Support\Inventory\InventoryPolicyTypeMeta;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\OperationRunType;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
@ -71,13 +71,24 @@ public function handle(
InventoryMetaContract $metaContract,
AuditLogger $auditLogger,
OperationRunService $operationRunService,
?CurrentStateHashResolver $hashResolver = null,
?BaselineContentCapturePhase $contentCapturePhase = null,
mixed $arg5 = null,
mixed $arg6 = null,
?BaselineSnapshotItemNormalizer $snapshotItemNormalizer = null,
?BaselineFullContentRolloutGate $rolloutGate = null,
): void {
$hashResolver ??= app(CurrentStateHashResolver::class);
$contentCapturePhase ??= app(BaselineContentCapturePhase::class);
$captureService = $arg5 instanceof BaselineCaptureService
? $arg5
: app(BaselineCaptureService::class);
$hashResolver = $arg5 instanceof CurrentStateHashResolver
? $arg5
: ($arg6 instanceof CurrentStateHashResolver
? $arg6
: app(CurrentStateHashResolver::class));
$contentCapturePhase = $arg5 instanceof BaselineContentCapturePhase
? $arg5
: ($arg6 instanceof BaselineContentCapturePhase
? $arg6
: app(BaselineContentCapturePhase::class));
$snapshotItemNormalizer ??= app(BaselineSnapshotItemNormalizer::class);
$rolloutGate ??= app(BaselineFullContentRolloutGate::class);
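Review bot: replacing the typed `$hashResolver` and `$contentCapturePhase` parameters of `handle()` with `mixed $arg5` and `mixed $arg6` plus `instanceof` dispatch removes type checking and breaks any caller that passes these by name. It also makes the resolution asymmetric: `BaselineCaptureService` is only recognised in `$arg5`, while the other two are accepted in either slot. Keep the two typed nullable parameters as they were and append `?BaselineCaptureService $captureService = null` at the end of the signature; positional callers keep working and the container can still inject all three.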
@ -118,10 +129,124 @@ public function handle(
$rolloutGate->assertEnabled();
}
$latestInventorySyncRun = $this->resolveLatestInventorySyncRun($sourceTenant);
$latestInventorySyncRunId = $latestInventorySyncRun instanceof OperationRun
? (int) $latestInventorySyncRun->getKey()
$previousCurrentSnapshot = $profile->resolveCurrentConsumableSnapshot();
$previousCurrentSnapshotId = $previousCurrentSnapshot instanceof BaselineSnapshot
? (int) $previousCurrentSnapshot->getKey()
: null;
$previousCurrentSnapshotExists = $previousCurrentSnapshotId !== null;
$preflightEligibility = is_array(data_get($context, 'baseline_capture.eligibility'))
? data_get($context, 'baseline_capture.eligibility')
: [];
$inventoryEligibility = $captureService->latestInventoryEligibilityDecision($sourceTenant, $effectiveScope, $truthfulTypes);
$latestInventorySyncRunId = is_numeric($inventoryEligibility['inventory_sync_run_id'] ?? null)
? (int) $inventoryEligibility['inventory_sync_run_id']
: null;
$eligibilityContext = $captureService->eligibilityContextPayload($inventoryEligibility, phase: 'runtime_recheck');
$eligibilityContext['changed_after_enqueue'] = ($preflightEligibility['ok'] ?? null) === true
&& ! ($inventoryEligibility['ok'] ?? false);
$eligibilityContext['preflight_inventory_sync_run_id'] = is_numeric($preflightEligibility['inventory_sync_run_id'] ?? null)
? (int) $preflightEligibility['inventory_sync_run_id']
: null;
$eligibilityContext['preflight_reason_code'] = is_string($preflightEligibility['reason_code'] ?? null)
? (string) $preflightEligibility['reason_code']
: null;
$context['baseline_capture'] = array_merge(
is_array($context['baseline_capture'] ?? null) ? $context['baseline_capture'] : [],
[
'inventory_sync_run_id' => $latestInventorySyncRunId,
'eligibility' => $eligibilityContext,
'previous_current_snapshot_id' => $previousCurrentSnapshotId,
'previous_current_snapshot_exists' => $previousCurrentSnapshotExists,
],
);
$this->operationRun->update(['context' => $context]);
$this->operationRun->refresh();
$context = is_array($this->operationRun->context) ? $this->operationRun->context : [];
if (! ($inventoryEligibility['ok'] ?? false)) {
$reasonCode = is_string($inventoryEligibility['reason_code'] ?? null)
? (string) $inventoryEligibility['reason_code']
: BaselineReasonCodes::CAPTURE_INVENTORY_MISSING;
$summaryCounts = [
'total' => 0,
'processed' => 0,
'succeeded' => 0,
'failed' => 0,
];
$blockedContext = $context;
$blockedContext['reason_code'] = $reasonCode;
$blockedContext['baseline_capture'] = array_merge(
is_array($blockedContext['baseline_capture'] ?? null) ? $blockedContext['baseline_capture'] : [],
[
'reason_code' => $reasonCode,
'subjects_total' => 0,
'current_baseline_changed' => false,
],
);
$blockedContext['result'] = array_merge(
is_array($blockedContext['result'] ?? null) ? $blockedContext['result'] : [],
[
'current_baseline_changed' => false,
],
);
$this->operationRun->update([
'context' => $blockedContext,
'summary_counts' => $summaryCounts,
]);
$this->operationRun->refresh();
$this->auditStarted(
auditLogger: $auditLogger,
tenant: $sourceTenant,
profile: $profile,
initiator: $initiator,
captureMode: $captureMode,
subjectsTotal: 0,
effectiveScope: $effectiveScope,
inventorySyncRunId: $latestInventorySyncRunId,
);
$operationRunService->finalizeBlockedRun(
run: $this->operationRun,
reasonCode: $reasonCode,
message: $this->blockedInventoryMessage(
$reasonCode,
(bool) ($eligibilityContext['changed_after_enqueue'] ?? false),
),
);
$this->operationRun->refresh();
$this->auditCompleted(
auditLogger: $auditLogger,
tenant: $sourceTenant,
profile: $profile,
snapshot: null,
initiator: $initiator,
captureMode: $captureMode,
subjectsTotal: 0,
inventorySyncRunId: $latestInventorySyncRunId,
wasNewSnapshot: false,
evidenceCaptureStats: [
'requested' => 0,
'succeeded' => 0,
'skipped' => 0,
'failed' => 0,
'throttled' => 0,
],
gaps: [
'count' => 0,
'by_reason' => [],
],
currentBaselineChanged: false,
reasonCode: $reasonCode,
);
return;
}
$inventoryResult = $this->collectInventorySubjects(
sourceTenant: $sourceTenant,
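Review bot: the runtime recheck reads the preflight decision from `baseline_capture.eligibility` and then writes its own payload back to the same key via `array_merge`. If the job runs a second time for the same `OperationRun` (a queue retry, for example), `$preflightEligibility` will contain the `runtime_recheck` payload from the first attempt, and `changed_after_enqueue`, `preflight_inventory_sync_run_id` and `preflight_reason_code` will be derived from the wrong source. Store the recheck under its own key, such as `baseline_capture.runtime_eligibility`, or copy the preflight payload to a `preflight` key before overwriting. In the blocked branch, note that `auditStarted` and `auditCompleted` are both emitted for a run that captured nothing; make sure audit consumers distinguish this by `reason_code`.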
@ -154,6 +279,7 @@ public function handle(
'failed' => 0,
'throttled' => 0,
];
$phaseResult = [];
$phaseGaps = [];
$resumeToken = null;
@ -222,6 +348,91 @@ public function handle(
],
];
if ($subjectsTotal === 0) {
$snapshotResult = $this->captureNoDataSnapshotArtifact(
$profile,
$identityHash,
$snapshotSummary,
);
$snapshot = $snapshotResult['snapshot'];
$wasNewSnapshot = $snapshotResult['was_new_snapshot'];
$summaryCounts = [
'total' => 0,
'processed' => 0,
'succeeded' => 0,
'failed' => 0,
];
$updatedContext = is_array($this->operationRun->context) ? $this->operationRun->context : [];
$updatedContext['reason_code'] = BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS;
$updatedContext['baseline_capture'] = array_merge(
is_array($updatedContext['baseline_capture'] ?? null) ? $updatedContext['baseline_capture'] : [],
[
'reason_code' => BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
'subjects_total' => 0,
'inventory_sync_run_id' => $latestInventorySyncRunId,
'evidence_capture' => $phaseStats,
'gaps' => [
'count' => $gapsCount,
'by_reason' => $gapsByReason,
'subjects' => is_array($phaseResult['gap_subjects'] ?? null) && $phaseResult['gap_subjects'] !== []
? array_values($phaseResult['gap_subjects'])
: null,
],
'resume_token' => $resumeToken,
'current_baseline_changed' => false,
'previous_current_snapshot_id' => $previousCurrentSnapshotId,
'previous_current_snapshot_exists' => $previousCurrentSnapshotExists,
],
);
$updatedContext['result'] = array_merge(
is_array($updatedContext['result'] ?? null) ? $updatedContext['result'] : [],
[
'snapshot_id' => (int) $snapshot->getKey(),
'snapshot_identity_hash' => $identityHash,
'was_new_snapshot' => $wasNewSnapshot,
'items_captured' => 0,
'snapshot_lifecycle' => $snapshot->lifecycleState()->value,
'current_baseline_changed' => false,
],
);
$this->operationRun->update([
'context' => $updatedContext,
'summary_counts' => $summaryCounts,
]);
$this->operationRun->refresh();
$operationRunService->updateRun(
$this->operationRun,
status: OperationRunStatus::Completed->value,
outcome: OperationRunOutcome::PartiallySucceeded->value,
summaryCounts: $summaryCounts,
);
$this->operationRun->refresh();
$this->auditCompleted(
auditLogger: $auditLogger,
tenant: $sourceTenant,
profile: $profile,
snapshot: $snapshot,
initiator: $initiator,
captureMode: $captureMode,
subjectsTotal: 0,
inventorySyncRunId: $latestInventorySyncRunId,
wasNewSnapshot: $wasNewSnapshot,
evidenceCaptureStats: $phaseStats,
gaps: [
'count' => $gapsCount,
'by_reason' => $gapsByReason,
],
currentBaselineChanged: false,
reasonCode: BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
);
return;
}
$snapshotResult = $this->captureSnapshotArtifact(
$profile,
$identityHash,
@ -236,6 +447,9 @@ public function handle(
$profile->update(['active_snapshot_id' => $snapshot->getKey()]);
}
$profile->refresh();
$currentBaselineChanged = $this->currentBaselineChanged($profile, $previousCurrentSnapshotId);
$warningsRecorded = $gapsByReason !== [] || $resumeToken !== null;
$warningsRecorded = $warningsRecorded || ($captureMode === BaselineCaptureMode::FullContent && ($snapshotItems['fidelity_counts']['meta'] ?? 0) > 0);
$outcome = $warningsRecorded ? OperationRunOutcome::PartiallySucceeded->value : OperationRunOutcome::Succeeded->value;
@ -269,6 +483,9 @@ public function handle(
: null,
],
'resume_token' => $resumeToken,
'current_baseline_changed' => $currentBaselineChanged,
'previous_current_snapshot_id' => $previousCurrentSnapshotId,
'previous_current_snapshot_exists' => $previousCurrentSnapshotExists,
],
);
$updatedContext['result'] = [
@ -277,6 +494,7 @@ public function handle(
'was_new_snapshot' => $wasNewSnapshot,
'items_captured' => $snapshotItems['items_count'],
'snapshot_lifecycle' => $snapshot->lifecycleState()->value,
'current_baseline_changed' => $currentBaselineChanged,
];
$this->operationRun->update(['context' => $updatedContext]);
@ -295,6 +513,8 @@ public function handle(
'count' => $gapsCount,
'by_reason' => $gapsByReason,
],
currentBaselineChanged: $currentBaselineChanged,
reasonCode: null,
);
}
@ -651,6 +871,51 @@ private function captureSnapshotArtifact(
}
}
/**
* @param array<string, mixed> $summaryJsonb
* @return array{snapshot: BaselineSnapshot, was_new_snapshot: bool}
*/
private function captureNoDataSnapshotArtifact(
BaselineProfile $profile,
string $identityHash,
array $summaryJsonb,
): array {
$snapshot = $this->createBuildingSnapshot($profile, $identityHash, $summaryJsonb, 0);
$this->rememberSnapshotOnRun(
snapshot: $snapshot,
identityHash: $identityHash,
wasNewSnapshot: true,
expectedItems: 0,
persistedItems: 0,
reasonCode: BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
);
$snapshot->markIncomplete(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS, [
'expected_identity_hash' => $identityHash,
'expected_items' => 0,
'persisted_items' => 0,
'producer_run_id' => (int) $this->operationRun->getKey(),
'was_empty_capture' => true,
]);
$snapshot->refresh();
$this->rememberSnapshotOnRun(
snapshot: $snapshot,
identityHash: $identityHash,
wasNewSnapshot: true,
expectedItems: 0,
persistedItems: 0,
reasonCode: BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
);
return [
'snapshot' => $snapshot,
'was_new_snapshot' => true,
];
}
private function findExistingConsumableSnapshot(BaselineProfile $profile, string $identityHash): ?BaselineSnapshot
{
$existing = BaselineSnapshot::query()
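Review bot: `captureNoDataSnapshotArtifact()` always calls `createBuildingSnapshot()` and always returns `'was_new_snapshot' => true`, with no lookup for an earlier zero-subject snapshot carrying the same `$identityHash`. Every repeated capture against an empty scope will add another incomplete snapshot row. Consider reusing an existing incomplete snapshot for the same identity hash, or document the retention expectation. The two `rememberSnapshotOnRun()` calls pass identical arguments before and after `markIncomplete()`; if the second call exists only to pick up the refreshed lifecycle state, one call after `refresh()` is enough.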
@ -783,6 +1048,32 @@ private function countByPolicyType(array $items): array
return $counts;
}
private function currentBaselineChanged(BaselineProfile $profile, ?int $previousCurrentSnapshotId): bool
{
$currentSnapshot = $profile->resolveCurrentConsumableSnapshot();
$currentSnapshotId = $currentSnapshot instanceof BaselineSnapshot
? (int) $currentSnapshot->getKey()
: null;
return $currentSnapshotId !== null && $currentSnapshotId !== $previousCurrentSnapshotId;
}
private function blockedInventoryMessage(string $reasonCode, bool $changedAfterEnqueue): string
{
return match ($reasonCode) {
BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED => $changedAfterEnqueue
? 'Capture blocked because the latest inventory sync changed after the run was queued.'
: 'Capture blocked because the latest inventory sync was blocked.',
BaselineReasonCodes::CAPTURE_INVENTORY_FAILED => $changedAfterEnqueue
? 'Capture blocked because the latest inventory sync failed after the run was queued.'
: 'Capture blocked because the latest inventory sync failed.',
BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE => $changedAfterEnqueue
? 'Capture blocked because the latest inventory coverage became unusable after the run was queued.'
: 'Capture blocked because the latest inventory coverage was not usable for this baseline scope.',
default => 'Capture blocked because no credible inventory basis was available.',
};
}
private function auditStarted(
AuditLogger $auditLogger,
Tenant $tenant,
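Review bot: `currentBaselineChanged()` returns false whenever the profile has no current consumable snapshot after the run, including the case where `$previousCurrentSnapshotId` was set and the baseline has since disappeared. If losing the current baseline should count as a change for the notification and audit fields, compare the two ids directly (`$currentSnapshotId !== $previousCurrentSnapshotId`); otherwise add a comment stating that only a new consumable snapshot counts. In `blockedInventoryMessage()`, the `default` arm ignores `$changedAfterEnqueue`, so a basis that went missing after enqueue reads the same as one that was never there.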
@ -820,7 +1111,7 @@ private function auditCompleted(
AuditLogger $auditLogger,
Tenant $tenant,
BaselineProfile $profile,
BaselineSnapshot $snapshot,
?BaselineSnapshot $snapshot,
?User $initiator,
BaselineCaptureMode $captureMode,
int $subjectsTotal,
@ -828,6 +1119,8 @@ private function auditCompleted(
bool $wasNewSnapshot,
array $evidenceCaptureStats,
array $gaps,
bool $currentBaselineChanged,
?string $reasonCode,
): void {
$auditLogger->log(
tenant: $tenant,
@ -841,8 +1134,10 @@ private function auditCompleted(
'capture_mode' => $captureMode->value,
'inventory_sync_run_id' => $inventorySyncRunId,
'subjects_total' => $subjectsTotal,
'snapshot_id' => (int) $snapshot->getKey(),
'snapshot_identity_hash' => (string) $snapshot->snapshot_identity_hash,
'snapshot_id' => $snapshot?->getKey(),
'snapshot_identity_hash' => $snapshot instanceof BaselineSnapshot ? (string) $snapshot->snapshot_identity_hash : null,
'reason_code' => $reasonCode,
'current_baseline_changed' => $currentBaselineChanged,
'was_new_snapshot' => $wasNewSnapshot,
'evidence_capture' => $evidenceCaptureStats,
'gaps' => $gaps,
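Review bot: `'snapshot_id' => $snapshot?->getKey()` drops the `(int)` cast that the removed line applied, so the audit metadata type for `snapshot_id` now depends on what `getKey()` returns. Keep the type stable with `$snapshot instanceof BaselineSnapshot ? (int) $snapshot->getKey() : null`, matching the form already used for `snapshot_identity_hash` on the next line.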
@ -878,17 +1173,4 @@ private function mergeGapCounts(array ...$gaps): array
return $merged;
}
private function resolveLatestInventorySyncRun(Tenant $tenant): ?OperationRun
{
$run = OperationRun::query()
->where('tenant_id', (int) $tenant->getKey())
->where('type', OperationRunType::InventorySync->value)
->where('status', OperationRunStatus::Completed->value)
->orderByDesc('completed_at')
->orderByDesc('id')
->first();
return $run instanceof OperationRun ? $run : null;
}
}


@ -4,7 +4,6 @@
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Support\OpsUx\ActiveRuns;
use App\Support\OpsUx\OpsUxBrowserEvents;
use Filament\Facades\Filament;
use Illuminate\Support\Collection;
@ -92,7 +91,7 @@ public function refreshRuns(): void
$activeCount = (clone $query)->count();
$this->runs = (clone $query)->limit(6)->get();
$this->overflowCount = max(0, $activeCount - 5);
$this->hasActiveRuns = ActiveRuns::existForTenantId($tenantId);
$this->hasActiveRuns = $activeCount > 0;
}
public function render(): \Illuminate\Contracts\View\View
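
Review bot: `$this->hasActiveRuns = $activeCount > 0;` ties the flag to whatever `$query` selects, while `ActiveRuns::existForTenantId()` is switched to `healthyActive()` elsewhere in this commit. The definition of `$query` is outside the hunk; if it still uses the broader active scope, this component and the shared helper will disagree about which runs count. Confirm `$query` applies the same scope, or add a comment saying why the widget intentionally differs.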

@ -25,12 +25,17 @@ public function toDatabase(object $notifiable): array
{
$message = OperationUxPresenter::terminalDatabaseNotificationMessage($this->run, $notifiable);
$reasonEnvelope = app(ReasonPresenter::class)->forOperationRun($this->run, 'notification');
$baselineTruthChanged = data_get($this->run->context, 'baseline_capture.current_baseline_changed');
if ($reasonEnvelope !== null) {
$message['reason_translation'] = $reasonEnvelope->toArray();
$message['diagnostic_reason_code'] = $reasonEnvelope->diagnosticCode();
}
if (is_bool($baselineTruthChanged)) {
$message['baseline_truth_changed'] = $baselineTruthChanged;
}
return $message;
}
}
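
Review bot: the `is_bool($baselineTruthChanged)` block adds `baseline_truth_changed` for any run whose context carries the key, whereas `baselineTruthChangeLine()` in the UX presenter first checks that the run type is `baseline_capture`. Gate on the run type here as well so the two surfaces agree, and consider keeping the context key name `current_baseline_changed` in the notification payload rather than introducing a second name for the same fact.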

@ -16,6 +16,9 @@
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\Baselines\BaselineScope;
use App\Support\Baselines\BaselineSupportCapabilityGuard;
use App\Support\Inventory\InventoryCoverage;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\OperationRunType;
use InvalidArgumentException;
@ -62,6 +65,16 @@ public function startCapture(
];
}
$truthfulTypes = $effectiveScope->toEffectiveScopeContext($this->capabilityGuard, 'capture')['truthful_types'] ?? null;
$inventoryEligibility = $this->latestInventoryEligibilityDecision($sourceTenant, $effectiveScope, is_array($truthfulTypes) ? $truthfulTypes : null);
if (! $inventoryEligibility['ok']) {
return [
'ok' => false,
'reason_code' => $inventoryEligibility['reason_code'],
];
}
$captureMode = $profile->capture_mode instanceof BaselineCaptureMode
? $profile->capture_mode
: BaselineCaptureMode::Opportunistic;
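
Review bot: the early return on `! $inventoryEligibility['ok']` passes back only `reason_code` and drops `inventory_sync_run_id`, `inventory_outcome` and `uncovered_types`, which are what an operator or an audit entry needs in order to see why the preflight refused. Return or record `eligibilityContextPayload($inventoryEligibility, phase: 'preflight')` alongside it. Also, `toEffectiveScopeContext($this->capabilityGuard, 'capture')` is called here and again when the run context is built in the next hunk; compute it once and reuse the array.
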
@ -75,6 +88,10 @@ public function startCapture(
'source_tenant_id' => (int) $sourceTenant->getKey(),
'effective_scope' => $effectiveScope->toEffectiveScopeContext($this->capabilityGuard, 'capture'),
'capture_mode' => $captureMode->value,
'baseline_capture' => [
'inventory_sync_run_id' => $inventoryEligibility['inventory_sync_run_id'],
'eligibility' => $this->eligibilityContextPayload($inventoryEligibility, phase: 'preflight'),
],
];
$run = $this->runs->ensureRunWithIdentity(
@ -114,4 +131,134 @@ private function validatePreconditions(BaselineProfile $profile, Tenant $sourceT
return null;
}
/**
* @param list<string>|null $truthfulTypes
* @return array{
* ok: bool,
* reason_code: ?string,
* inventory_sync_run_id: ?int,
* inventory_outcome: ?string,
* effective_types: list<string>,
* covered_types: list<string>,
* uncovered_types: list<string>
* }
*/
public function latestInventoryEligibilityDecision(
Tenant $sourceTenant,
BaselineScope $effectiveScope,
?array $truthfulTypes = null,
): array {
$effectiveTypes = is_array($truthfulTypes) && $truthfulTypes !== []
? array_values(array_unique(array_filter($truthfulTypes, 'is_string')))
: $effectiveScope->allTypes();
sort($effectiveTypes, SORT_STRING);
$run = OperationRun::query()
->where('tenant_id', (int) $sourceTenant->getKey())
->where('type', OperationRunType::InventorySync->value)
->where('status', OperationRunStatus::Completed->value)
->orderByDesc('completed_at')
->orderByDesc('id')
->first();
if (! $run instanceof OperationRun) {
return [
'ok' => false,
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_MISSING,
'inventory_sync_run_id' => null,
'inventory_outcome' => null,
'effective_types' => $effectiveTypes,
'covered_types' => [],
'uncovered_types' => $effectiveTypes,
];
}
$outcome = is_string($run->outcome) ? trim($run->outcome) : null;
if ($outcome === OperationRunOutcome::Blocked->value) {
return [
'ok' => false,
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED,
'inventory_sync_run_id' => (int) $run->getKey(),
'inventory_outcome' => $outcome,
'effective_types' => $effectiveTypes,
'covered_types' => [],
'uncovered_types' => $effectiveTypes,
];
}
if ($outcome === OperationRunOutcome::Failed->value) {
return [
'ok' => false,
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'inventory_sync_run_id' => (int) $run->getKey(),
'inventory_outcome' => $outcome,
'effective_types' => $effectiveTypes,
'covered_types' => [],
'uncovered_types' => $effectiveTypes,
];
}
$coverage = InventoryCoverage::fromContext($run->context);
$coveredTypes = $coverage instanceof InventoryCoverage
? array_values(array_intersect($effectiveTypes, $coverage->coveredTypes()))
: [];
sort($coveredTypes, SORT_STRING);
$uncoveredTypes = array_values(array_diff($effectiveTypes, $coveredTypes));
sort($uncoveredTypes, SORT_STRING);
if ($coveredTypes === []) {
return [
'ok' => false,
'reason_code' => BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE,
'inventory_sync_run_id' => (int) $run->getKey(),
'inventory_outcome' => $outcome,
'effective_types' => $effectiveTypes,
'covered_types' => [],
'uncovered_types' => $effectiveTypes,
];
}
return [
'ok' => true,
'reason_code' => null,
'inventory_sync_run_id' => (int) $run->getKey(),
'inventory_outcome' => $outcome,
'effective_types' => $effectiveTypes,
'covered_types' => $coveredTypes,
'uncovered_types' => $uncoveredTypes,
];
}
/**
* @param array{
* ok: bool,
* reason_code: ?string,
* inventory_sync_run_id: ?int,
* inventory_outcome: ?string,
* effective_types: list<string>,
* covered_types: list<string>,
* uncovered_types: list<string>
* } $decision
* @return array<string, mixed>
*/
public function eligibilityContextPayload(array $decision, string $phase): array
{
return [
'phase' => $phase,
'ok' => (bool) ($decision['ok'] ?? false),
'reason_code' => is_string($decision['reason_code'] ?? null) ? $decision['reason_code'] : null,
'inventory_sync_run_id' => is_numeric($decision['inventory_sync_run_id'] ?? null)
? (int) $decision['inventory_sync_run_id']
: null,
'inventory_outcome' => is_string($decision['inventory_outcome'] ?? null) ? $decision['inventory_outcome'] : null,
'effective_types' => array_values(array_filter((array) ($decision['effective_types'] ?? []), 'is_string')),
'covered_types' => array_values(array_filter((array) ($decision['covered_types'] ?? []), 'is_string')),
'uncovered_types' => array_values(array_filter((array) ($decision['uncovered_types'] ?? []), 'is_string')),
];
}
}
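
Review bot: in `latestInventoryEligibilityDecision()` the outcome check is a deny-list: only `OperationRunOutcome::Blocked` and `OperationRunOutcome::Failed` stop the decision, so a completed run whose `outcome` is null, non-string or any other value falls through to the coverage check and can return `'ok' => true`. For a gate that decides whether inventory is a credible basis, list the outcomes that are acceptable and refuse everything else. Two smaller points: `ok` becomes true as soon as one type is covered, so a docblock line stating that partial coverage is intentional (with `uncovered_types` as the record) would help; and the four refusal arrays differ only in `reason_code`, run id and outcome, so a private builder would remove the repetition.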

@ -68,12 +68,27 @@ public function issueQuery(
string $reasonFilter = self::FILTER_ALL,
bool $applyOrdering = true,
): Builder {
$visibleTenants = $this->visibleTenants($workspace, $user);
$visibleTenantIds = array_map(
static fn (Tenant $tenant): int => (int) $tenant->getKey(),
$visibleTenants,
return $this->issueQueryForVisibleTenantIds(
$workspace,
$this->visibleTenantIds($workspace, $user),
$tenantId,
$reasonFilter,
$applyOrdering,
);
}
/**
* @param array<int, int> $visibleTenantIds
* @return Builder<Finding>
*/
private function issueQueryForVisibleTenantIds(
Workspace $workspace,
array $visibleTenantIds,
?int $tenantId = null,
string $reasonFilter = self::FILTER_ALL,
bool $applyOrdering = true,
): Builder {
if ($tenantId !== null && ! in_array($tenantId, $visibleTenantIds, true)) {
$visibleTenantIds = [];
} elseif ($tenantId !== null) {
@ -155,9 +170,22 @@ function ($join): void {
*/
public function summary(Workspace $workspace, User $user, ?int $tenantId = null): array
{
$allIssues = $this->issueQuery($workspace, $user, $tenantId, self::FILTER_ALL, applyOrdering: false);
$brokenAssignments = $this->issueQuery($workspace, $user, $tenantId, self::REASON_BROKEN_ASSIGNMENT, applyOrdering: false);
$staleInProgress = $this->issueQuery($workspace, $user, $tenantId, self::REASON_STALE_IN_PROGRESS, applyOrdering: false);
return $this->summaryForVisibleTenantIds(
$workspace,
$this->visibleTenantIds($workspace, $user),
$tenantId,
);
}
/**
* @param array<int, int> $visibleTenantIds
* @return array{unique_issue_count: int, broken_assignment_count: int, stale_in_progress_count: int}
*/
public function summaryForVisibleTenantIds(Workspace $workspace, array $visibleTenantIds, ?int $tenantId = null): array
{
$allIssues = $this->issueQueryForVisibleTenantIds($workspace, $visibleTenantIds, $tenantId, self::FILTER_ALL, applyOrdering: false);
$brokenAssignments = $this->issueQueryForVisibleTenantIds($workspace, $visibleTenantIds, $tenantId, self::REASON_BROKEN_ASSIGNMENT, applyOrdering: false);
$staleInProgress = $this->issueQueryForVisibleTenantIds($workspace, $visibleTenantIds, $tenantId, self::REASON_STALE_IN_PROGRESS, applyOrdering: false);
return [
'unique_issue_count' => (clone $allIssues)->count(),
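
Review bot: `summaryForVisibleTenantIds()` is public and trusts the caller's `$visibleTenantIds`, so the authorization step that `summary()` performs through `visibleTenantIds($workspace, $user)` is skipped by any caller that passes its own list. The docblock should state that the IDs must already be filtered for the current user, and the workspace overview caller, which builds its list from `TENANT_FINDINGS_VIEW` checks, should be confirmed to yield the same set as `visibleTenants()`.
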
@ -166,6 +194,17 @@ public function summary(Workspace $workspace, User $user, ?int $tenantId = null)
];
}
/**
* @return array<int, int>
*/
public function visibleTenantIds(Workspace $workspace, User $user): array
{
return array_map(
static fn (Tenant $tenant): int => (int) $tenant->getKey(),
$this->visibleTenants($workspace, $user),
);
}
/**
* @return array<string, string>
*/

@ -29,6 +29,8 @@
use App\Support\ReasonTranslation\ReasonResolutionEnvelope;
use App\Support\ReasonTranslation\ReasonTranslator;
use App\Support\Tenants\TenantOperabilityReasonCode;
use App\Support\Verification\BlockedVerificationReportFactory;
use App\Support\Verification\VerificationReportWriter;
use Illuminate\Database\QueryException;
use Illuminate\Support\Facades\DB;
use InvalidArgumentException;
@ -942,11 +944,23 @@ public function finalizeExecutionLegitimacyBlockedRun(
'context' => $context,
]);
return $this->finalizeBlockedRun(
$run = $this->finalizeBlockedRun(
run: $run->fresh(),
reasonCode: $decision->reasonCode?->value ?? ExecutionDenialReasonCode::ExecutionPrerequisiteInvalid->value,
message: $decision->reasonCode?->message() ?? 'Operation blocked before queued execution could begin.',
);
if ($run->type === 'provider.connection.check') {
VerificationReportWriter::write(
run: $run,
checks: BlockedVerificationReportFactory::checks($run),
identity: BlockedVerificationReportFactory::identity($run),
);
$run->refresh();
}
return $run;
}
private function invokeDispatcher(callable $dispatcher, OperationRun $run): void
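
Review bot: `if ($run->type === 'provider.connection.check')` compares against a string literal, while the rest of this change uses `OperationRunType::...->value` for run types; use the `OperationRunType` case for it if one exists, or a named constant, so a rename cannot silently disable the report. `VerificationReportWriter::write()` also runs after `finalizeBlockedRun()` has already persisted the blocked state, so an exception there leaves a finalized run without its verification report; decide whether that should be caught and logged or made part of the same transaction.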

@ -11,6 +11,7 @@
use App\Models\Tenant;
use App\Models\User;
use App\Services\Auth\CapabilityResolver;
use App\Services\Auth\WorkspaceCapabilityResolver;
use App\Services\Tenants\TenantOperabilityService;
use App\Support\Operations\ExecutionAuthorityMode;
use App\Support\Operations\ExecutionDenialReasonCode;
@ -34,6 +35,7 @@ class QueuedExecutionLegitimacyGate
public function __construct(
private readonly OperationRunCapabilityResolver $operationRunCapabilityResolver,
private readonly CapabilityResolver $capabilityResolver,
private readonly WorkspaceCapabilityResolver $workspaceCapabilityResolver,
private readonly TenantOperabilityService $tenantOperabilityService,
private readonly WriteGateInterface $writeGate,
) {}
@ -71,12 +73,8 @@ public function evaluate(OperationRun $run): QueuedExecutionLegitimacyDecision
return QueuedExecutionLegitimacyDecision::deny($context, $checks, ExecutionDenialReasonCode::InitiatorNotEntitled);
}
if ($context->requiredCapability !== null && $context->tenant instanceof Tenant) {
$checks['capability'] = $this->capabilityResolver->can(
$context->initiator,
$context->tenant,
$context->requiredCapability,
) ? 'passed' : 'failed';
if ($context->requiredCapability !== null) {
$checks['capability'] = $this->initiatorHasRequiredCapability($context) ? 'passed' : 'failed';
if ($checks['capability'] === 'failed') {
return QueuedExecutionLegitimacyDecision::deny(
@ -106,7 +104,7 @@ public function evaluate(OperationRun $run): QueuedExecutionLegitimacyDecision
tenant: $context->tenant,
question: $operabilityQuestion,
workspaceId: $context->workspaceId,
lane: TenantInteractionLane::AdministrativeManagement,
lane: $this->laneForContext($context),
);
$checks['tenant_operability'] = $operability->allowed ? 'passed' : 'failed';
@ -228,6 +226,35 @@ private function resolveProviderConnectionId(array $context): ?int
return is_numeric($providerConnectionId) ? (int) $providerConnectionId : null;
}
private function initiatorHasRequiredCapability(QueuedExecutionContext $context): bool
{
if (! $context->initiator instanceof User || ! is_string($context->requiredCapability) || $context->requiredCapability === '') {
return false;
}
if (str_starts_with($context->requiredCapability, 'workspace')) {
if ($context->workspaceId <= 0) {
return false;
}
return $this->workspaceCapabilityResolver->can(
$context->initiator,
$context->run->tenant?->workspace ?? $context->run->workspace()->firstOrFail(),
$context->requiredCapability,
);
}
if (! $context->tenant instanceof Tenant) {
return false;
}
return $this->capabilityResolver->can(
$context->initiator,
$context->tenant,
$context->requiredCapability,
);
}
/**
* @return list<string>
*/
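
Review bot: `str_starts_with($context->requiredCapability, 'workspace')` picks the resolver from a name prefix, so a tenant capability whose identifier happens to start with `workspace` would be checked against workspace membership instead of tenant membership, and a workspace capability named differently would go the other way. Route on an explicit list or registry of workspace capabilities. In the same branch, `$context->workspaceId <= 0` is validated but the workspace handed to the resolver comes from `$context->run->tenant?->workspace ?? $context->run->workspace()->firstOrFail()`; check that its key equals `$context->workspaceId`, and return false instead of letting `firstOrFail()` throw, so the gate denies rather than errors.
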
@ -262,4 +289,16 @@ private function requiresWriteGate(QueuedExecutionContext $context): bool
{
return in_array('write_gate', $context->prerequisiteClasses, true);
}
private function laneForContext(QueuedExecutionContext $context): TenantInteractionLane
{
$runContext = is_array($context->run->context) ? $context->run->context : [];
$wizardFlow = data_get($runContext, 'wizard.flow');
if (is_string($wizardFlow) && trim($wizardFlow) === 'managed_tenant_onboarding') {
return TenantInteractionLane::OnboardingWorkflow;
}
return TenantInteractionLane::AdministrativeManagement;
}
}
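
Review bot: `laneForContext()` chooses `TenantInteractionLane::OnboardingWorkflow` purely from `wizard.flow` in the run's stored context. If that lane allows operations that `AdministrativeManagement` would refuse, then whoever can write run context decides which operability rules apply. Tie the lane to something the gate can verify, such as the run type or an onboarding session linked to the run, and add a test for a run that carries `wizard.flow` without being an onboarding run.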

@ -14,6 +14,7 @@
use App\Services\Baselines\BaselineSnapshotTruthResolver;
use App\Support\OperationRunStatus;
use App\Support\OperationRunType;
use App\Support\ReasonTranslation\ReasonPresenter;
use App\Support\Ui\OperatorExplanation\CountDescriptor;
use App\Support\Ui\OperatorExplanation\OperatorExplanationPattern;
use Illuminate\Support\Facades\Cache;
@ -120,7 +121,8 @@ public static function forTenant(?Tenant $tenant): self
$effectiveSnapshot = $truthResolution['effective_snapshot'] ?? null;
$snapshotId = $effectiveSnapshot instanceof BaselineSnapshot ? (int) $effectiveSnapshot->getKey() : null;
$snapshotReasonCode = is_string($truthResolution['reason_code'] ?? null) ? (string) $truthResolution['reason_code'] : null;
$snapshotReasonMessage = self::missingSnapshotMessage($snapshotReasonCode);
$latestCaptureRun = self::latestBaselineCaptureRun($profile);
$snapshotReasonMessage = self::missingSnapshotMessage($snapshotReasonCode, $latestCaptureRun);
try {
$profileScope = $profile->normalizedScope();
@ -905,8 +907,35 @@ private static function empty(
);
}
private static function missingSnapshotMessage(?string $reasonCode): ?string
private static function latestBaselineCaptureRun(BaselineProfile $profile): ?OperationRun
{
return OperationRun::query()
->where('workspace_id', (int) $profile->workspace_id)
->where('type', OperationRunType::BaselineCapture->value)
->where('context->baseline_profile_id', (int) $profile->getKey())
->where('status', OperationRunStatus::Completed->value)
->orderByDesc('completed_at')
->orderByDesc('id')
->first();
}
private static function missingSnapshotMessage(?string $reasonCode, ?OperationRun $latestCaptureRun = null): ?string
{
$latestCaptureEnvelope = $latestCaptureRun instanceof OperationRun
? app(ReasonPresenter::class)->forOperationRun($latestCaptureRun, 'artifact_truth')
: null;
if ($latestCaptureEnvelope !== null
&& in_array($latestCaptureEnvelope->internalCode, [
BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED,
BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE,
BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
], true)
&& trim($latestCaptureEnvelope->shortExplanation) !== '') {
return $latestCaptureEnvelope->shortExplanation;
}
return match ($reasonCode) {
BaselineReasonCodes::COMPARE_SNAPSHOT_BUILDING => 'The latest baseline capture is still building. Compare becomes available after a complete snapshot is finalized.',
BaselineReasonCodes::COMPARE_SNAPSHOT_INCOMPLETE => 'The latest baseline capture is incomplete and there is no current complete snapshot to compare against.',
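
Review bot: in `missingSnapshotMessage()` the latest capture run's explanation is returned before `$reasonCode` is looked at, so it wins even when `$reasonCode` is null or names a different state such as `COMPARE_SNAPSHOT_BUILDING`. If the function is meant to return null when an effective snapshot exists, guard the new block with `$reasonCode !== null`. `latestBaselineCaptureRun()` also filters on the JSON path `context->baseline_profile_id` and is called from `forTenant()`; check that this query is acceptable on that path.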

@ -22,6 +22,16 @@ final class BaselineReasonCodes
public const string CAPTURE_UNSUPPORTED_SCOPE = 'baseline.capture.unsupported_scope';
public const string CAPTURE_INVENTORY_MISSING = 'baseline.capture.inventory_missing';
public const string CAPTURE_INVENTORY_BLOCKED = 'baseline.capture.inventory_blocked';
public const string CAPTURE_INVENTORY_FAILED = 'baseline.capture.inventory_failed';
public const string CAPTURE_UNUSABLE_COVERAGE = 'baseline.capture.unusable_coverage';
public const string CAPTURE_ZERO_SUBJECTS = 'baseline.capture.zero_subjects';
public const string SNAPSHOT_BUILDING = 'baseline.snapshot.building';
public const string SNAPSHOT_INCOMPLETE = 'baseline.snapshot.incomplete';
@ -73,6 +83,11 @@ public static function all(): array
self::CAPTURE_ROLLOUT_DISABLED,
self::CAPTURE_INVALID_SCOPE,
self::CAPTURE_UNSUPPORTED_SCOPE,
self::CAPTURE_INVENTORY_MISSING,
self::CAPTURE_INVENTORY_BLOCKED,
self::CAPTURE_INVENTORY_FAILED,
self::CAPTURE_UNUSABLE_COVERAGE,
self::CAPTURE_ZERO_SUBJECTS,
self::SNAPSHOT_BUILDING,
self::SNAPSHOT_INCOMPLETE,
self::SNAPSHOT_SUPERSEDED,
@ -128,7 +143,12 @@ public static function trustImpact(?string $reasonCode): ?string
self::CAPTURE_MISSING_SOURCE_TENANT,
self::CAPTURE_PROFILE_NOT_ACTIVE,
self::CAPTURE_INVALID_SCOPE,
self::CAPTURE_UNSUPPORTED_SCOPE => 'unusable',
self::CAPTURE_UNSUPPORTED_SCOPE,
self::CAPTURE_INVENTORY_MISSING,
self::CAPTURE_INVENTORY_BLOCKED,
self::CAPTURE_INVENTORY_FAILED,
self::CAPTURE_UNUSABLE_COVERAGE,
self::CAPTURE_ZERO_SUBJECTS => 'unusable',
default => null,
};
}
@ -148,6 +168,10 @@ public static function absencePattern(?string $reasonCode): ?string
self::CAPTURE_MISSING_SOURCE_TENANT,
self::CAPTURE_PROFILE_NOT_ACTIVE,
self::CAPTURE_ROLLOUT_DISABLED,
self::CAPTURE_INVENTORY_MISSING,
self::CAPTURE_INVENTORY_BLOCKED,
self::CAPTURE_INVENTORY_FAILED,
self::CAPTURE_UNUSABLE_COVERAGE,
self::COMPARE_NO_ASSIGNMENT,
self::COMPARE_PROFILE_NOT_ACTIVE,
self::COMPARE_NO_ELIGIBLE_TARGET,
@ -159,6 +183,7 @@ public static function absencePattern(?string $reasonCode): ?string
self::SNAPSHOT_SUPERSEDED,
self::COMPARE_SNAPSHOT_SUPERSEDED => 'blocked_prerequisite',
self::SNAPSHOT_CAPTURE_FAILED => 'unavailable',
self::CAPTURE_ZERO_SUBJECTS => 'missing_input',
self::CAPTURE_INVALID_SCOPE,
self::CAPTURE_UNSUPPORTED_SCOPE => 'unavailable',
default => null,

@ -22,7 +22,7 @@ public static function existForTenantId(?int $tenantId): bool
return OperationRun::query()
->where('tenant_id', $tenantId)
->active()
->healthyActive()
->exists();
}
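
Review bot: swapping `->active()` for `->healthyActive()` changes what `existForTenantId()` means for every caller, not only the one this commit touches. Update the method's docblock to say which runs `healthyActive()` excludes, and check that the remaining callers expect the narrower result.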

@ -8,6 +8,7 @@
use App\Support\Badges\BadgeCatalog;
use App\Support\Badges\BadgeDomain;
use App\Support\Baselines\BaselineCompareReasonCode;
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\OperationCatalog;
use App\Support\ReasonTranslation\ReasonPresenter;
use App\Support\ReasonTranslation\ReasonResolutionEnvelope;
@ -141,9 +142,37 @@ private function baselineCaptureHeadline(
array $counts,
?OperatorExplanationPattern $operatorExplanation,
): string {
$reasonCode = (string) data_get($context, 'baseline_capture.reason_code', data_get($context, 'reason_code', ''));
$subjectsTotal = $this->intValue(data_get($context, 'baseline_capture.subjects_total'));
$resumeToken = data_get($context, 'baseline_capture.resume_token');
$gapCount = $this->intValue(data_get($context, 'baseline_capture.gaps.count'));
$changedAfterEnqueue = data_get($context, 'baseline_capture.eligibility.changed_after_enqueue') === true;
if ($reasonCode === BaselineReasonCodes::CAPTURE_INVENTORY_MISSING) {
return 'The baseline capture could not continue because no current inventory basis was available.';
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED) {
return $changedAfterEnqueue
? 'The baseline capture stopped because the latest inventory sync changed after the run was queued.'
: 'The baseline capture was blocked because the latest inventory sync was blocked.';
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_INVENTORY_FAILED) {
return $changedAfterEnqueue
? 'The baseline capture stopped because the latest inventory sync failed after the run was queued.'
: 'The baseline capture was blocked because the latest inventory sync failed.';
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE) {
return $changedAfterEnqueue
? 'The baseline capture stopped because the latest inventory coverage became unusable after the run was queued.'
: 'The baseline capture could not produce a usable baseline because the latest inventory coverage was not credible.';
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS) {
return 'The baseline capture finished without a usable baseline because no governed subjects were in scope.';
}
if ($subjectsTotal === 0) {
return 'No baseline was captured because no governed subjects were ready.';
@ -629,9 +658,55 @@ private function pushCandidate(array &$candidates, ?string $code, ?string $label
*/
private function baselineCaptureCandidates(array &$candidates, array $context): void
{
$reasonCode = (string) data_get($context, 'baseline_capture.reason_code', data_get($context, 'reason_code', ''));
$subjectsTotal = $this->intValue(data_get($context, 'baseline_capture.subjects_total'));
$gapCount = $this->intValue(data_get($context, 'baseline_capture.gaps.count'));
$resumeToken = data_get($context, 'baseline_capture.resume_token');
$changedAfterEnqueue = data_get($context, 'baseline_capture.eligibility.changed_after_enqueue') === true;
if ($reasonCode === BaselineReasonCodes::CAPTURE_INVENTORY_MISSING) {
$this->pushCandidate($candidates, $reasonCode, 'Run tenant sync first', 'No current inventory basis was available for this baseline capture.', 95);
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED) {
$this->pushCandidate(
$candidates,
$reasonCode,
'Latest inventory sync was blocked',
$changedAfterEnqueue
? 'The latest inventory sync changed after the run was queued and blocked the capture.'
: 'The latest inventory sync was blocked before this capture could produce a trustworthy baseline.',
95,
);
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_INVENTORY_FAILED) {
$this->pushCandidate(
$candidates,
$reasonCode,
'Latest inventory sync failed',
$changedAfterEnqueue
? 'The latest inventory sync failed after the run was queued, so the capture stopped without refreshing baseline truth.'
: 'The latest inventory sync failed before this capture could produce a trustworthy baseline.',
95,
);
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE) {
$this->pushCandidate(
$candidates,
$reasonCode,
'Latest inventory coverage unusable',
$changedAfterEnqueue
? 'The latest inventory coverage became unusable after the run was queued, so the capture stopped without refreshing baseline truth.'
: 'The latest inventory sync did not produce usable governed-subject coverage for this baseline capture.',
95,
);
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS) {
$this->pushCandidate($candidates, $reasonCode, 'No subjects were in scope', 'No governed subjects were available for this baseline capture.', 95);
}
if ($subjectsTotal === 0) {
$this->pushCandidate($candidates, 'no_subjects_in_scope', 'No governed subjects captured', 'No governed subjects were available for this baseline capture.', 95);
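
Review bot: the new `CAPTURE_ZERO_SUBJECTS` branch and the existing `if ($subjectsTotal === 0)` branch below it both call `pushCandidate()` with weight 95 and the same explanation, under two codes (`$reasonCode` and `'no_subjects_in_scope'`), so a zero-subject run yields two near-identical candidates. The inventory-blocked, failed and unusable-coverage runs will also reach the `$subjectsTotal === 0` branch if `subjects_total` is absent and `intValue()` yields 0 for it. Return early once a capture reason code has been handled, or skip the generic branch when `$reasonCode` is one of the new constants.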

@ -547,6 +547,11 @@ private static function terminalSupportingLines(OperationRun $run): array
$lines[] = $guidance;
}
$baselineTruthChange = self::baselineTruthChangeLine($run);
if ($baselineTruthChange !== null) {
$lines[] = $baselineTruthChange;
}
$summary = SummaryCountsNormalizer::renderSummaryLine(is_array($run->summary_counts) ? $run->summary_counts : []);
if ($summary !== null) {
$lines[] = $summary;
@ -560,6 +565,25 @@ private static function terminalSupportingLines(OperationRun $run): array
return array_values(array_filter($lines, static fn (string $line): bool => trim($line) !== ''));
}
private static function baselineTruthChangeLine(OperationRun $run): ?string
{
if ((string) $run->type !== 'baseline_capture') {
return null;
}
$changed = data_get($run->context, 'baseline_capture.current_baseline_changed');
if ($changed === true) {
return 'Current baseline truth was updated.';
}
if ($changed === false) {
return 'Current baseline truth was unchanged.';
}
return null;
}
/**
* @return array{label:string, url:?string, target:string}
*/
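
Review bot: `(string) $run->type !== 'baseline_capture'` hard-codes the type string, while `latestBaselineCaptureRun()` in this same commit uses `OperationRunType::BaselineCapture->value`. Compare against the enum value here too so both stay in step.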

@ -44,6 +44,7 @@ public function forOperationRun(OperationRun $run, string $surface = 'detail'):
$contextReasonCode = data_get($context, 'execution_legitimacy.reason_code')
?? data_get($context, 'reason_code')
?? data_get($context, 'baseline_capture.reason_code')
?? data_get($context, 'baseline_compare.reason_code');
if (is_string($contextReasonCode) && trim($contextReasonCode) !== '') {

@ -51,8 +51,8 @@ public function translate(
$artifactKey === null && $this->providerReasonTranslator->canTranslate($reasonCode) => $this->providerReasonTranslator->translate($reasonCode, $surface, $context),
$artifactKey === self::GOVERNANCE_ARTIFACT_TRUTH_ARTIFACT && BaselineCompareReasonCode::tryFrom($reasonCode) instanceof BaselineCompareReasonCode => $this->translateBaselineCompareReason($reasonCode),
$artifactKey === null && BaselineCompareReasonCode::tryFrom($reasonCode) instanceof BaselineCompareReasonCode => $this->translateBaselineCompareReason($reasonCode),
$artifactKey === self::GOVERNANCE_ARTIFACT_TRUTH_ARTIFACT && BaselineReasonCodes::isKnown($reasonCode) => $this->translateBaselineReason($reasonCode),
$artifactKey === null && BaselineReasonCodes::isKnown($reasonCode) => $this->translateBaselineReason($reasonCode),
$artifactKey === self::GOVERNANCE_ARTIFACT_TRUTH_ARTIFACT && BaselineReasonCodes::isKnown($reasonCode) => $this->translateBaselineReason($reasonCode, $context),
$artifactKey === null && BaselineReasonCodes::isKnown($reasonCode) => $this->translateBaselineReason($reasonCode, $context),
$artifactKey === self::EXECUTION_DENIAL_ARTIFACT,
$artifactKey === null && ExecutionDenialReasonCode::tryFrom($reasonCode) instanceof ExecutionDenialReasonCode => ExecutionDenialReasonCode::tryFrom($reasonCode)?->toReasonResolutionEnvelope($surface, $context),
$artifactKey === null && LifecycleReconciliationReason::tryFrom($reasonCode) instanceof LifecycleReconciliationReason => LifecycleReconciliationReason::tryFrom($reasonCode)?->toReasonResolutionEnvelope($surface, $context),
@ -116,7 +116,10 @@ private function fallbackTranslate(
return $this->fallbackReasonTranslator->translate($reasonCode, $surface, $context);
}
private function translateBaselineReason(string $reasonCode): ReasonResolutionEnvelope
/**
* @param array<string, mixed> $context
*/
private function translateBaselineReason(string $reasonCode, array $context = []): ReasonResolutionEnvelope
{
[$operatorLabel, $shortExplanation, $actionability, $nextStep] = match ($reasonCode) {
BaselineReasonCodes::CAPTURE_MISSING_SOURCE_TENANT => [
@ -138,6 +141,51 @@ private function translateBaselineReason(string $reasonCode): ReasonResolutionEn
'prerequisite_missing',
'Enable the rollout before retrying full-content baseline work.',
],
BaselineReasonCodes::CAPTURE_INVENTORY_MISSING => [
'Run tenant sync first',
$this->baselineCaptureTruthImpactExplanation(
'No current inventory basis was available for this baseline capture.',
$context,
),
'prerequisite_missing',
'Run inventory sync for this tenant, then capture the baseline again.',
],
BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED => [
'Latest inventory sync was blocked',
$this->baselineCaptureTruthImpactExplanation(
'The latest inventory sync was blocked, so this capture could not use a credible upstream basis.',
$context,
),
'prerequisite_missing',
'Review the blocked inventory sync, fix the prerequisite, and rerun sync before capturing again.',
],
BaselineReasonCodes::CAPTURE_INVENTORY_FAILED => [
'Latest inventory sync failed',
$this->baselineCaptureTruthImpactExplanation(
'The latest inventory sync failed, so this capture could not use a credible upstream basis.',
$context,
),
'prerequisite_missing',
'Review the failed inventory sync, fix the error, and rerun sync before capturing again.',
],
BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE => [
'Latest inventory coverage unusable',
$this->baselineCaptureTruthImpactExplanation(
'The latest inventory sync did not produce usable governed-subject coverage for this baseline capture.',
$context,
),
'prerequisite_missing',
'Run inventory sync until the governed subject types show current coverage, then capture again.',
],
BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS => [
'No subjects were in scope',
$this->baselineCaptureTruthImpactExplanation(
'The latest inventory basis was credible, but no governed subjects were in scope for this baseline capture.',
$context,
),
'prerequisite_missing',
'Review the baseline scope and tenant inventory, then capture again when governed subjects are available.',
],
BaselineReasonCodes::SNAPSHOT_BUILDING,
BaselineReasonCodes::COMPARE_SNAPSHOT_BUILDING => [
'Baseline still building',
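
Review bot: the `CAPTURE_ZERO_SUBJECTS` entry uses actionability `'prerequisite_missing'`, but `BaselineReasonCodes::absencePattern()` in this commit classifies the same code as `'missing_input'` rather than `'blocked_prerequisite'`. Pick one classification for zero-subject captures so the label, next step and absence pattern tell the operator the same thing. The explanation strings here also duplicate the ones passed to `pushCandidate()` in `baselineCaptureCandidates()`; a single source for the copy would keep them from drifting.
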
@ -242,6 +290,29 @@ private function translateBaselineReason(string $reasonCode): ReasonResolutionEn
);
}
/**
* @param array<string, mixed> $context
*/
private function baselineCaptureTruthImpactExplanation(string $baseExplanation, array $context): string
{
$changed = data_get($context, 'baseline_capture.current_baseline_changed');
$previousSnapshotExists = data_get($context, 'baseline_capture.previous_current_snapshot_exists');
if ($changed === true) {
return $baseExplanation.' TenantPilot updated the current baseline truth with a new consumable snapshot.';
}
if ($previousSnapshotExists === true) {
return $baseExplanation.' TenantPilot kept the last trustworthy baseline in place.';
}
if ($previousSnapshotExists === false) {
return $baseExplanation.' No current trustworthy baseline is available yet.';
}
return $baseExplanation;
}
private function translateBaselineCompareReason(string $reasonCode): ReasonResolutionEnvelope
{
$enum = BaselineCompareReasonCode::tryFrom($reasonCode);
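
Review bot: `baselineCaptureTruthImpactExplanation()` is only called for reason codes that describe a capture that did not produce a usable baseline, yet its `$changed === true` branch appends 'TenantPilot updated the current baseline truth with a new consumable snapshot.' to those explanations. Either that branch is unreachable and can go, or it produces a sentence that contradicts the one before it; a short comment or a test for the intended case would settle which.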

@ -71,6 +71,7 @@ public function build(Workspace $workspace, User $user): array
->all();
$this->capabilityResolver->primeMemberships($user, $accessibleTenantIds);
$visibleFindingsTenantIds = $this->visibleFindingTenantIds($accessibleTenants, $user);
$canViewAlerts = $this->workspaceCapabilityResolver->can($user, $workspace, Capabilities::ALERTS_VIEW);
$navigationContext = $this->workspaceOverviewNavigationContext();
@ -136,8 +137,8 @@ public function build(Workspace $workspace, User $user): array
'action_url' => $calmness['next_action']['url'] ?? ChooseTenant::getUrl(panel: 'admin'),
];
$myFindingsSignal = $this->myFindingsSignal($workspaceId, $accessibleTenants, $user);
$findingsHygieneSignal = $this->findingsHygieneSignal($workspace, $user);
$myFindingsSignal = $this->myFindingsSignal($workspaceId, $visibleFindingsTenantIds, $user);
$findingsHygieneSignal = $this->findingsHygieneSignal($workspace, $visibleFindingsTenantIds);
$zeroTenantState = null;
@ -210,18 +211,11 @@ private function accessibleTenants(Workspace $workspace, User $user): Collection
}
/**
* @param Collection<int, Tenant> $accessibleTenants
* @param array<int, int> $visibleTenantIds
* @return array<string, mixed>
*/
private function myFindingsSignal(int $workspaceId, Collection $accessibleTenants, User $user): array
private function myFindingsSignal(int $workspaceId, array $visibleTenantIds, User $user): array
{
$visibleTenantIds = $accessibleTenants
->filter(fn (Tenant $tenant): bool => $this->capabilityResolver->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW))
->pluck('id')
->map(static fn (mixed $id): int => (int) $id)
->values()
->all();
$assignedCounts = $visibleTenantIds === []
? null
: $this->scopeToVisibleTenants(
@ -271,9 +265,9 @@ private function myFindingsSignal(int $workspaceId, Collection $accessibleTenant
/**
* @return array<string, mixed>
*/
private function findingsHygieneSignal(Workspace $workspace, User $user): array
private function findingsHygieneSignal(Workspace $workspace, array $visibleTenantIds): array
{
$summary = $this->findingAssignmentHygieneService->summary($workspace, $user);
$summary = $this->findingAssignmentHygieneService->summaryForVisibleTenantIds($workspace, $visibleTenantIds);
$uniqueIssueCount = $summary['unique_issue_count'];
$brokenAssignmentCount = $summary['broken_assignment_count'];
$staleInProgressCount = $summary['stale_in_progress_count'];
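Review bot: `summaryForVisibleTenantIds($workspace, $visibleTenantIds)` now trusts a caller-supplied ID list where `summary($workspace, $user)` took the user, so the empty-list case has to be explicit. `myFindingsSignal` short-circuits with `$visibleTenantIds === [] ? null : ...`, but nothing visible in `findingsHygieneSignal` does the same. If the service only applies its tenant filter when the list is non-empty, a member without `TENANT_FINDINGS_VIEW` on any tenant would see workspace-wide hygiene counts. Guard here, or document and test that an empty list returns zero counts.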
@ -297,6 +291,20 @@ private function findingsHygieneSignal(Workspace $workspace, User $user): array
];
}
/**
* @param Collection<int, Tenant> $accessibleTenants
* @return array<int, int>
*/
private function visibleFindingTenantIds(Collection $accessibleTenants, User $user): array
{
return $accessibleTenants
->filter(fn (Tenant $tenant): bool => $this->capabilityResolver->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW))
->pluck('id')
->map(static fn (mixed $id): int => (int) $id)
->values()
->all();
}
private function findingsHygieneDescription(int $brokenAssignmentCount, int $staleInProgressCount): string
{
if ($brokenAssignmentCount === 0 && $staleInProgressCount === 0) {

View File

@ -156,7 +156,9 @@ private function classifyLegacySnapshot(object $row, array $summary, int $persis
'was_empty_capture' => ($expectedItems ?? $producerExpectedItems ?? $producerSubjectsTotal) === 0 && $persistedItems === 0,
];
if ($expectedItems !== null && $expectedItems === $persistedItems) {
if ($expectedItems !== null
&& $expectedItems === $persistedItems
&& ! ($expectedItems === 0 && $persistedItems === 0)) {
return [
'lifecycle_state' => BaselineSnapshotLifecycleState::Complete->value,
'completed_at' => $producerRun->completed_at ?? $row->captured_at ?? $row->created_at ?? $row->updated_at,
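Review bot: The third clause of the new condition, `! ($expectedItems === 0 && $persistedItems === 0)`, is redundant with the equality check in front of it: once `$expectedItems === $persistedItems` holds, `$persistedItems !== 0` says the same thing. The `$producerExpectedItems` branch in the next hunk has the same shape. Simplify both, and add a short comment that the zero/zero case is meant to fall through to the empty-capture branch further down, because that intent is not visible at this point in the method.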
@ -167,7 +169,10 @@ private function classifyLegacySnapshot(object $row, array $summary, int $persis
];
}
if ($producerSucceeded && $producerExpectedItems !== null && $producerExpectedItems === $persistedItems) {
if ($producerSucceeded
&& $producerExpectedItems !== null
&& $producerExpectedItems === $persistedItems
&& ! ($producerExpectedItems === 0 && $persistedItems === 0)) {
return [
'lifecycle_state' => BaselineSnapshotLifecycleState::Complete->value,
'completed_at' => $producerRun->completed_at ?? $row->captured_at ?? $row->created_at ?? $row->updated_at,
@ -184,11 +189,11 @@ private function classifyLegacySnapshot(object $row, array $summary, int $persis
$producerSubjectsTotal,
], static fn (?int $value): bool => $value !== null), true)) {
return [
'lifecycle_state' => BaselineSnapshotLifecycleState::Complete->value,
'completed_at' => $producerRun->completed_at ?? $row->captured_at ?? $row->created_at ?? $row->updated_at,
'failed_at' => null,
'lifecycle_state' => BaselineSnapshotLifecycleState::Incomplete->value,
'completed_at' => null,
'failed_at' => $producerRun->completed_at ?? $row->updated_at ?? $row->captured_at ?? $row->created_at,
'completion_meta' => $completionMeta + [
'finalization_reason_code' => 'baseline.snapshot.legacy_empty_capture_proof',
'finalization_reason_code' => BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
],
];
}
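Review bot: The empty-capture branch now writes `failed_at` for a snapshot whose producer run may have succeeded, and it changes the fallback order to `$row->updated_at ?? $row->captured_at` while the Complete branches keep `captured_at` first. If `failed_at` is meant as "finalized as non-consumable" rather than "the run failed", say so in a comment, and explain the reordered fallback or align it with the other branches. Replacing the literal `'baseline.snapshot.legacy_empty_capture_proof'` with `BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS` also drops the only marker that told backfilled legacy rows apart from live zero-subject captures; is anything still reading the old string?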

View File

@ -20,7 +20,7 @@
<p><strong>Tenant:</strong> {{ $tenant->name }} ({{ $tenant->graphTenantId() }})</p>
@isset($connection)
<p><strong>Connection:</strong> {{ $connection->connection_type->value === 'platform' ? 'Platform connection' : 'Dedicated connection' }}</p>
<p><strong>Verification state:</strong> {{ ucfirst($connection->verification_status->value) }}</p>
<p><strong>Verification state:</strong> {{ $verificationStateLabel ?? ucfirst($connection->verification_status->value) }}</p>
@endisset
<p>
<span class="status {{ $status === 'ok' ? 'ok' : ($status === 'consent_denied' ? 'warning' : 'error') }}">
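Review bot: The `?? ucfirst($connection->verification_status->value)` fallback on the "Verification state" line keeps the raw enum value as a second source of display text. The callback tests in this commit assert "Needs verification" and "Not verified", which the fallback may not produce, so a controller path that forgets to pass `$verificationStateLabel` would render different wording without failing loudly. Prefer always passing the label from the controller and dropping the fallback, or derive the label from the enum in one place.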

View File

@ -54,7 +54,7 @@
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
$operationsIndexUrl = route('admin.operations.index');
$operationsIndexUrl = OperationRunLinks::index($tenant);
$page = visit(TenantResource::getUrl('view', ['record' => $tenant->getRouteKey()], panel: 'admin'));

View File

@ -2,7 +2,9 @@
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\TenantOnboardingSession;
use App\Models\Workspace;
use App\Models\OperationRun;
use App\Support\Providers\ProviderReasonCodes;
use Illuminate\Foundation\Testing\RefreshDatabase;
@ -20,6 +22,8 @@
]));
$response->assertOk();
$response->assertSeeText('Verification state:');
$response->assertSeeText('Needs verification');
$response->assertSee(
route('filament.admin.resources.tenants.view', ['tenant' => $tenant->external_id, 'record' => $tenant]),
false,
@ -60,6 +64,57 @@
$response->assertSee(route('admin.onboarding'), false);
});
it('invalidates resumable onboarding verification state for the same platform connection after a successful callback', function () {
$tenant = Tenant::factory()->create([
'tenant_id' => 'tenant-verify-reset',
'name' => 'Reset Tenant',
'status' => Tenant::STATUS_ONBOARDING,
]);
$connection = ProviderConnection::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'provider' => 'microsoft',
'entra_tenant_id' => $tenant->graphTenantId(),
'is_default' => true,
]);
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'provider.connection.check',
]);
$draft = TenantOnboardingSession::query()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'entra_tenant_id' => (string) $tenant->tenant_id,
'current_step' => 'verify',
'state' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_operation_run_id' => (int) $run->getKey(),
'verification_run_id' => (int) $run->getKey(),
'bootstrap_operation_runs' => [123, 456],
'bootstrap_operation_types' => ['inventory_sync'],
'bootstrap_run_ids' => [123, 456],
],
]);
$this->get(route('admin.consent.callback', [
'tenant' => $tenant->tenant_id,
'admin_consent' => 'true',
]))->assertOk();
$draft->refresh();
expect($draft->state['verification_operation_run_id'] ?? null)->toBeNull()
->and($draft->state['verification_run_id'] ?? null)->toBeNull()
->and($draft->state['bootstrap_operation_runs'] ?? null)->toBeNull()
->and($draft->state['bootstrap_operation_types'] ?? null)->toBeNull()
->and($draft->state['bootstrap_run_ids'] ?? null)->toBeNull()
->and($draft->state['connection_recently_updated'] ?? null)->toBeTrue();
});
it('creates tenant and provider connection when callback tenant does not exist', function () {
$workspace = Workspace::factory()->create();
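Review bot: The request in the new invalidation test is a plain GET carrying only `tenant` and `admin_consent=true`, with no acting user and no `state` value, and it is enough to clear `verification_operation_run_id`, the bootstrap run lists and set `connection_recently_updated`. Please add negative cases next to it: a callback with `admin_consent` other than `true` (or an `error` parameter) must leave the draft untouched, and a draft whose `provider_connection_id` points at a different connection must not be reset, since the test title promises "for the same platform connection". If the callback validates a `state` nonce elsewhere, a test with a missing or mismatched value belongs here too; otherwise anyone who knows the tenant ID can reset an in-progress onboarding.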
@ -101,6 +156,8 @@
]));
$response->assertOk();
$response->assertSeeText('Verification state:');
$response->assertSeeText('Not verified');
$connection = ProviderConnection::query()
->where('tenant_id', (int) $tenant->getKey())

View File

@ -15,6 +15,7 @@
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Services\Auth\WorkspaceCapabilityResolver;
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Livewire\Livewire;
@ -135,6 +136,35 @@
->assertSee('Ambiguous matches');
});
it('allows entitled viewers to open blocked baseline-capture run detail surfaces', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'baseline_capture',
'status' => 'completed',
'outcome' => 'blocked',
'context' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'baseline_capture' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'current_baseline_changed' => false,
],
],
'completed_at' => now(),
]);
Filament::setTenant(null, true);
$this->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id]);
session([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id]);
Livewire::actingAs($user)
->test(TenantlessOperationRunViewer::class, ['run' => $run])
->assertSee('Latest inventory sync failed');
});
it('keeps governance summary surfaces deny-as-not-found for workspace members without tenant entitlement', function (): void {
$workspace = Workspace::factory()->create();
$tenant = Tenant::factory()->create([
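Review bot: The new "allows entitled viewers" test sets the workspace session twice, once with `$this->withSession([...])` and again with `session([...])`; keep one. It also covers only the allow path for the blocked run. Because the rendered explanation ("Latest inventory sync failed") discloses tenant inventory state, add the matching deny case for `TenantlessOperationRunViewer` with a workspace member who lacks entitlement on the run's tenant, in the same deny-as-not-found style as the governance summary test that follows.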

View File

@ -18,6 +18,9 @@
'capture_mode' => BaselineCaptureMode::Opportunistic->value,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
]);
InventoryItem::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
@ -26,6 +29,7 @@
'policy_type' => 'deviceConfiguration',
'display_name' => 'Audit Policy A',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E_AUDIT'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$opService = app(OperationRunService::class);

View File

@ -34,12 +34,9 @@
'display_name' => 'Isolated Policy',
]);
$lastSeenRun = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => OperationRunType::InventorySync->value,
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Succeeded->value,
$lastSeenRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
], attributes: [
'completed_at' => now(),
]);

View File

@ -20,6 +20,9 @@
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$policy = Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
@ -41,6 +44,7 @@
'assignment_target_count' => 1,
],
'last_seen_at' => now()->subHour(),
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$snapshotPayload = [

View File

@ -29,6 +29,9 @@
'capture_mode' => BaselineCaptureMode::FullContent->value,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$policy = Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
@ -50,6 +53,7 @@
'assignment_target_count' => 1,
],
'last_seen_at' => now()->subHour(),
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
expect(PolicyVersion::query()->where('policy_id', (int) $policy->getKey())->count())->toBe(0);

View File

@ -34,12 +34,9 @@
'display_name' => 'Policy Capture Meta',
]);
$lastSeenRun = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => OperationRunType::InventorySync->value,
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Succeeded->value,
$lastSeenRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
], attributes: [
'completed_at' => now(),
]);

View File

@ -6,6 +6,7 @@
use App\Models\BaselineSnapshotItem;
use App\Models\InventoryItem;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Services\Baselines\BaselineCaptureService;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Baselines\InventoryMetaContract;
@ -18,6 +19,28 @@
use App\Support\Baselines\BaselineSubjectKey;
use Illuminate\Support\Facades\Queue;
function createBaselineCaptureInventoryBasis(
Tenant $tenant,
array $statusByType,
array $attributes = [],
): OperationRun {
return createInventorySyncOperationRunWithCoverage($tenant, $statusByType, [], $attributes);
}
function runBaselineCaptureJob(
OperationRun $run,
?OperationRunService $operationRunService = null,
): void {
$operationRunService ??= app(OperationRunService::class);
(new CaptureBaselineSnapshotJob($run))->handle(
app(BaselineSnapshotIdentity::class),
app(InventoryMetaContract::class),
app(AuditLogger::class),
$operationRunService,
);
}
// --- T031: Capture enqueue + precondition tests ---
it('enqueues capture for an active profile and creates an operation run', function () {
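Review bot: `createBaselineCaptureInventoryBasis()` and `runBaselineCaptureJob()` are declared as global functions inside a test file, so a second file declaring either name will fatal at load time. Move them to the shared test helpers next to `createInventorySyncOperationRunWithCoverage`, or wrap them in `function_exists` guards. The wrapper also passes `[]` positionally as the third argument while other files in this commit call the underlying helper with `attributes:`; use the named argument here as well so the meaning of the empty array is clear.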
@ -29,6 +52,9 @@
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
]);
/** @var BaselineCaptureService $service */
$service = app(BaselineCaptureService::class);
@ -53,10 +79,119 @@
expect($effectiveScope['foundation_types'])->toBe([]);
expect($effectiveScope['all_types'])->toBe(['deviceConfiguration']);
expect($effectiveScope['foundations_included'])->toBeFalse();
expect(data_get($context, 'baseline_capture.inventory_sync_run_id'))->toBe((int) $inventorySyncRun->getKey());
expect(data_get($context, 'baseline_capture.eligibility.phase'))->toBe('preflight');
expect(data_get($context, 'baseline_capture.eligibility.ok'))->toBeTrue();
expect(data_get($context, 'baseline_capture.eligibility.covered_types'))->toBe(['deviceConfiguration']);
expect(data_get($context, 'baseline_capture.eligibility.uncovered_types'))->toBe([]);
Queue::assertPushed(CaptureBaselineSnapshotJob::class);
});
it('rejects capture when no current inventory sync exists', function () {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$result = app(BaselineCaptureService::class)->startCapture($profile, $tenant, $user);
expect($result['ok'])->toBeFalse();
expect($result['reason_code'])->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_MISSING);
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
});
it('rejects capture when the latest inventory sync was blocked', function () {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
], [
'completed_at' => now()->subMinute(),
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'failed',
], [
'outcome' => 'blocked',
'completed_at' => now(),
]);
$result = app(BaselineCaptureService::class)->startCapture($profile, $tenant, $user);
expect($result['ok'])->toBeFalse();
expect($result['reason_code'])->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED);
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
});
it('rejects capture when the latest inventory sync failed without falling back to an older success', function () {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
], [
'completed_at' => now()->subMinute(),
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'failed',
], [
'outcome' => 'failed',
'completed_at' => now(),
]);
$result = app(BaselineCaptureService::class)->startCapture($profile, $tenant, $user);
expect($result['ok'])->toBeFalse();
expect($result['reason_code'])->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_FAILED);
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
});
it('rejects capture when the latest inventory coverage is unusable for the baseline scope', function () {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceCompliancePolicy' => 'succeeded',
]);
$result = app(BaselineCaptureService::class)->startCapture($profile, $tenant, $user);
expect($result['ok'])->toBeFalse();
expect($result['reason_code'])->toBe(BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE);
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
});
it('rejects capture for a draft profile with reason code', function () {
Queue::fake();
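Review bot: In the "blocked" and "failed without falling back" tests the older successful run is both created first and given the earlier `completed_at`, so the assertions pass whether the service picks the latest run by `completed_at`, by `created_at` or by primary key. Create the failed or blocked run first and the successful one second, keeping the timestamps as they are, to pin the ordering rule the spec intends. The two tests differ only in `'outcome'` and the expected reason code and could be one dataset-driven test.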
@ -126,6 +261,9 @@
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$service = app(BaselineCaptureService::class);
@ -148,6 +286,9 @@
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$inventoryA = InventoryItem::factory()->create([
'tenant_id' => $tenant->getKey(),
@ -156,6 +297,7 @@
'policy_type' => 'deviceConfiguration',
'display_name' => 'Policy A',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E1'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$inventoryB = InventoryItem::factory()->create([
'tenant_id' => $tenant->getKey(),
@ -164,6 +306,7 @@
'policy_type' => 'deviceConfiguration',
'display_name' => 'Policy B',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E2'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$inventoryC = InventoryItem::factory()->create([
'tenant_id' => $tenant->getKey(),
@ -172,6 +315,7 @@
'policy_type' => 'deviceConfiguration',
'display_name' => 'Policy C',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E3'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$opService = app(OperationRunService::class);
@ -187,13 +331,7 @@
initiator: $user,
);
$job = new CaptureBaselineSnapshotJob($run);
$job->handle(
app(BaselineSnapshotIdentity::class),
app(InventoryMetaContract::class),
app(AuditLogger::class),
$opService,
);
runBaselineCaptureJob($run, $opService);
$run->refresh();
expect($run->status)->toBe('completed');
@ -269,6 +407,14 @@
expect(data_get($meta, 'meta_contract'))->toBeNull();
}
expect(data_get($run->context, 'baseline_capture.inventory_sync_run_id'))->toBe((int) $inventorySyncRun->getKey());
expect(data_get($run->context, 'baseline_capture.eligibility.phase'))->toBe('runtime_recheck');
expect(data_get($run->context, 'baseline_capture.eligibility.ok'))->toBeTrue();
expect(data_get($run->context, 'baseline_capture.eligibility.changed_after_enqueue'))->toBeFalse();
expect(data_get($run->context, 'baseline_capture.current_baseline_changed'))->toBeTrue();
expect(data_get($run->context, 'baseline_capture.previous_current_snapshot_exists'))->toBeFalse();
expect(data_get($run->context, 'result.current_baseline_changed'))->toBeTrue();
$profile->refresh();
expect($profile->active_snapshot_id)->toBe((int) $snapshot->getKey());
});
@ -311,12 +457,16 @@
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
]);
InventoryItem::factory()->count(2)->create([
'tenant_id' => $tenant->getKey(),
'workspace_id' => $tenant->workspace_id,
'policy_type' => 'deviceConfiguration',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'stable_field' => 'value'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$opService = app(OperationRunService::class);
@ -336,8 +486,7 @@
initiator: $user,
);
$job1 = new CaptureBaselineSnapshotJob($run1);
$job1->handle($idService, $metaContract, $auditLogger, $opService);
(new CaptureBaselineSnapshotJob($run1))->handle($idService, $metaContract, $auditLogger, $opService);
$snapshotCountAfterFirst = BaselineSnapshot::query()
->where('baseline_profile_id', $profile->getKey())
@ -361,8 +510,7 @@
],
]);
$job2 = new CaptureBaselineSnapshotJob($run2);
$job2->handle($idService, $metaContract, $auditLogger, $opService);
(new CaptureBaselineSnapshotJob($run2))->handle($idService, $metaContract, $auditLogger, $opService);
$snapshotCountAfterSecond = BaselineSnapshot::query()
->where('baseline_profile_id', $profile->getKey())
@ -371,14 +519,68 @@
expect($snapshotCountAfterSecond)->toBe(1);
});
// --- EC-005: Empty scope produces empty snapshot without errors ---
it('captures an empty snapshot when no inventory items match the scope', function () {
it('blocks a queued capture when the latest inventory basis fails after enqueue and keeps the prior current baseline', function () {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['nonExistentPolicyType'], 'foundation_types' => []],
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$previousSnapshot = BaselineSnapshot::factory()->complete()->create([
'workspace_id' => $tenant->workspace_id,
'baseline_profile_id' => (int) $profile->getKey(),
]);
$profile->update(['active_snapshot_id' => (int) $previousSnapshot->getKey()]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
], [
'completed_at' => now()->subMinute(),
]);
Queue::fake();
$result = app(BaselineCaptureService::class)->startCapture($profile, $tenant, $user);
expect($result['ok'])->toBeTrue();
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'failed',
], [
'outcome' => 'failed',
'completed_at' => now(),
]);
/** @var OperationRun $run */
$run = $result['run'];
runBaselineCaptureJob($run);
$run->refresh();
$profile->refresh();
expect($run->status)->toBe('completed');
expect($run->outcome)->toBe('blocked');
expect($profile->active_snapshot_id)->toBe((int) $previousSnapshot->getKey());
expect(data_get($run->context, 'reason_code'))->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_FAILED);
expect(data_get($run->context, 'baseline_capture.reason_code'))->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_FAILED);
expect(data_get($run->context, 'baseline_capture.current_baseline_changed'))->toBeFalse();
expect(data_get($run->context, 'baseline_capture.previous_current_snapshot_exists'))->toBeTrue();
expect(data_get($run->context, 'baseline_capture.eligibility.changed_after_enqueue'))->toBeTrue();
expect(data_get($run->context, 'result.current_baseline_changed'))->toBeFalse();
});
// --- EC-005: Zero-subject captures stay visible but non-authoritative ---
it('records a zero-subject capture as partially succeeded with a non-consumable snapshot', function () {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$opService = app(OperationRunService::class);
@ -389,22 +591,22 @@
context: [
'baseline_profile_id' => (int) $profile->getKey(),
'source_tenant_id' => (int) $tenant->getKey(),
'effective_scope' => ['policy_types' => ['nonExistentPolicyType'], 'foundation_types' => []],
'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
],
initiator: $user,
);
$job = new CaptureBaselineSnapshotJob($run);
$job->handle(
app(BaselineSnapshotIdentity::class),
app(InventoryMetaContract::class),
app(AuditLogger::class),
$opService,
);
runBaselineCaptureJob($run, $opService);
$run->refresh();
expect($run->status)->toBe('completed');
expect($run->outcome)->toBe('succeeded');
expect($run->outcome)->toBe('partially_succeeded');
expect(data_get($run->context, 'reason_code'))->toBe(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS);
expect(data_get($run->context, 'baseline_capture.reason_code'))->toBe(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS);
expect(data_get($run->context, 'baseline_capture.subjects_total'))->toBe(0);
expect(data_get($run->context, 'baseline_capture.current_baseline_changed'))->toBeFalse();
expect(data_get($run->context, 'result.current_baseline_changed'))->toBeFalse();
expect(data_get($run->context, 'result.snapshot_lifecycle'))->toBe(BaselineSnapshotLifecycleState::Incomplete->value);
$counts = is_array($run->summary_counts) ? $run->summary_counts : [];
expect((int) ($counts['total'] ?? 0))->toBe(0);
@ -415,7 +617,12 @@
->first();
expect($snapshot)->not->toBeNull();
expect($snapshot?->lifecycleState())->toBe(BaselineSnapshotLifecycleState::Incomplete);
expect(data_get($snapshot?->completion_meta_jsonb ?? [], 'finalization_reason_code'))->toBe(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS);
expect(BaselineSnapshotItem::query()->where('baseline_snapshot_id', $snapshot->getKey())->count())->toBe(0);
$profile->refresh();
expect($profile->active_snapshot_id)->toBeNull();
});
it('captures all inventory items when scope has empty policy_types (all types)', function () {
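Review bot: After `expect($snapshot)->not->toBeNull()` the added assertions mix `$snapshot?->lifecycleState()` and `$snapshot?->completion_meta_jsonb` with a plain `$snapshot->getKey()`. Drop the nullsafe operators so a null snapshot fails on the explicit check instead of on a confusing later comparison. `expect($profile->active_snapshot_id)->toBeNull()` only proves non-promotion when the profile starts without an active snapshot; the prior-baseline-preserved case is covered for the blocked path above but not for zero subjects.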
@ -425,17 +632,23 @@
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => [], 'foundation_types' => []],
]);
$inventorySyncRun = createBaselineCaptureInventoryBasis($tenant, [
'deviceCompliancePolicy' => 'succeeded',
'deviceConfiguration' => 'succeeded',
]);
InventoryItem::factory()->create([
'tenant_id' => $tenant->getKey(),
'workspace_id' => $tenant->workspace_id,
'policy_type' => 'deviceConfiguration',
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
InventoryItem::factory()->create([
'tenant_id' => $tenant->getKey(),
'workspace_id' => $tenant->workspace_id,
'policy_type' => 'deviceCompliancePolicy',
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
// Foundation types are excluded by default (unless foundation_types is selected).
@ -443,6 +656,7 @@
'tenant_id' => $tenant->getKey(),
'workspace_id' => $tenant->workspace_id,
'policy_type' => 'assignmentFilter',
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$opService = app(OperationRunService::class);
@ -458,13 +672,7 @@
initiator: $user,
);
$job = new CaptureBaselineSnapshotJob($run);
$job->handle(
app(BaselineSnapshotIdentity::class),
app(InventoryMetaContract::class),
app(AuditLogger::class),
$opService,
);
runBaselineCaptureJob($run, $opService);
$run->refresh();
expect($run->status)->toBe('completed');

View File

@ -1335,12 +1335,19 @@
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
tenant: $tenant,
statusByType: ['deviceConfiguration' => 'succeeded'],
);
InventoryItem::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'external_id' => 'policy-a',
'policy_type' => 'deviceConfiguration',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E1'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
'last_seen_at' => now(),
]);
$operationRuns = app(OperationRunService::class);
@ -1366,18 +1373,6 @@
$captureRun->refresh();
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
tenant: $tenant,
statusByType: ['deviceConfiguration' => 'succeeded'],
);
InventoryItem::query()
->where('tenant_id', (int) $tenant->getKey())
->update([
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
'last_seen_at' => now(),
]);
$snapshotId = (int) ($profile->fresh()?->active_snapshot_id ?? 0);
expect($snapshotId)->toBeGreaterThan(0);

View File

@ -60,7 +60,7 @@ function classifyLegacySnapshotForTest(BaselineSnapshot $snapshot): array
->and(data_get($classification, 'completion_meta.persisted_items'))->toBe(2);
});
it('classifies proven empty legacy captures as complete when the producer run confirms zero subjects', function (): void {
it('classifies proven empty legacy captures as incomplete no-data snapshots when the producer run confirms zero subjects', function (): void {
$workspace = Workspace::factory()->create();
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $workspace->getKey(),
@ -86,8 +86,9 @@ function classifyLegacySnapshotForTest(BaselineSnapshot $snapshot): array
$classification = classifyLegacySnapshotForTest($snapshot);
expect($classification['lifecycle_state'])->toBe(BaselineSnapshotLifecycleState::Complete->value)
->and(data_get($classification, 'completion_meta.was_empty_capture'))->toBeTrue();
expect($classification['lifecycle_state'])->toBe(BaselineSnapshotLifecycleState::Incomplete->value)
->and(data_get($classification, 'completion_meta.was_empty_capture'))->toBeTrue()
->and(data_get($classification, 'completion_meta.finalization_reason_code'))->toBe(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS);
});
it('classifies ambiguous legacy snapshots as incomplete with a conservative reason code', function (): void {
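Review bot: The new assertion references `BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS`, but the hunks shown for this file start at line 60 and add no `use App\Support\Baselines\BaselineReasonCodes;`. Confirm the import already exists at the top of the file; if it does not, the test fails with a class-not-found error rather than an assertion failure.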

View File

@ -42,3 +42,31 @@
->assertSee($explanation?->trustworthinessLabel() ?? '')
->assertSee($explanation?->nextActionText ?? '');
});
it('renders no-data baseline-capture result surfaces with the shared zero-subject explanation', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
]);
$snapshot = BaselineSnapshot::factory()->incomplete(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS)->create([
'workspace_id' => (int) $tenant->workspace_id,
'baseline_profile_id' => (int) $profile->getKey(),
]);
setAdminPanelContext();
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
$truth = app(ArtifactTruthPresenter::class)->forBaselineSnapshot($snapshot->fresh());
$explanation = $truth->operatorExplanation;
$this->actingAs($user)
->get(BaselineSnapshotResource::getUrl('view', ['record' => $snapshot], panel: 'admin'))
->assertOk()
->assertSee('Result meaning')
->assertSee($explanation?->evaluationResultLabel() ?? '')
->assertSee('Result trust')
->assertSee($explanation?->trustworthinessLabel() ?? '')
->assertSee($explanation?->nextActionText ?? '');
});
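Review bot: Every content assertion in the new no-data test has the form `->assertSee($explanation?->evaluationResultLabel() ?? '')`, so if `operatorExplanation` is null the test asserts on empty strings and passes without checking anything. Add `expect($explanation)->not->toBeNull()` before the request, and assert at least one literal zero-subject string so the test fails if the presenter stops mapping `CAPTURE_ZERO_SUBJECTS` to the shared explanation.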

View File

@ -10,6 +10,7 @@
use App\Models\BaselineSnapshot;
use App\Models\BaselineTenantAssignment;
use App\Models\OperationRun;
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\Baselines\Compare\CompareStrategyRegistry;
use App\Support\Baselines\Compare\IntuneCompareStrategy;
use App\Support\Governance\GovernanceSubjectTaxonomyRegistry;
@ -407,3 +408,92 @@
->assertSet('uncoveredTypes', ['deviceCompliancePolicy'])
->assertSet('fidelity', 'meta');
});
it('shows the latest blocked capture explanation when no consumable baseline exists yet', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
BaselineTenantAssignment::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'baseline_profile_id' => (int) $profile->getKey(),
]);
OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => OperationRunType::BaselineCapture->value,
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Blocked->value,
'completed_at' => now(),
'context' => [
'baseline_profile_id' => (int) $profile->getKey(),
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'baseline_capture' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'current_baseline_changed' => false,
],
],
]);
Livewire::test(BaselineCompareLanding::class)
->assertSet('state', 'no_snapshot')
->assertSet('snapshotId', null)
->assertSet('message', 'The latest inventory sync failed, so this capture could not use a credible upstream basis.');
});
it('keeps compare available against the prior consumable snapshot after a zero-subject capture', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
]);
$snapshot = BaselineSnapshot::factory()->complete()->create([
'workspace_id' => (int) $tenant->workspace_id,
'baseline_profile_id' => (int) $profile->getKey(),
]);
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
BaselineTenantAssignment::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'baseline_profile_id' => (int) $profile->getKey(),
]);
OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => OperationRunType::BaselineCapture->value,
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::PartiallySucceeded->value,
'completed_at' => now(),
'context' => [
'baseline_profile_id' => (int) $profile->getKey(),
'reason_code' => BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
'baseline_capture' => [
'reason_code' => BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
'current_baseline_changed' => false,
'previous_current_snapshot_exists' => true,
],
],
]);
Livewire::test(BaselineCompareLanding::class)
->assertSet('state', 'idle')
->assertSet('snapshotId', (int) $snapshot->getKey())
->assertActionEnabled('compareNow');
});
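Review bot: the blocked-capture test asserts `state`, `snapshotId` and `message` but never that `compareNow` is unavailable, while the zero-subject test after it does assert `assertActionEnabled('compareNow')`. Add an assertion that `compareNow` is disabled or hidden in the `no_snapshot` case so the pair covers both sides of the gate. Both fixtures also set `reason_code` at the top level of `context` and again under `baseline_capture` with the same value, so neither test shows which key the landing page actually reads.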

@ -93,6 +93,9 @@ function seedCaptureProfileForTenant(
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = seedCaptureProfileForTenant($tenant);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
@ -124,6 +127,31 @@ function seedCaptureProfileForTenant(
expect($run)->not->toBeNull();
expect($run?->status)->toBe('queued');
expect(data_get($run?->context, 'baseline_capture.inventory_sync_run_id'))->toBe((int) $inventorySyncRun->getKey());
});
it('shows the shared capture block on the start surface when no credible inventory basis exists', function (): void {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = seedCaptureProfileForTenant($tenant, BaselineCaptureMode::Opportunistic, [
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
Livewire::actingAs($user)
->test(ViewBaselineProfile::class, ['record' => $profile->getKey()])
->assertActionVisible('capture')
->assertActionHasLabel('capture', 'Capture baseline')
->assertActionEnabled('capture')
->callAction('capture', data: ['source_tenant_id' => (int) $tenant->getKey()])
->assertNotified('Cannot start capture')
->assertStatus(200);
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
});
it('does not start full-content capture when rollout is disabled', function (): void {
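Review bot: `->assertNotified('Cannot start capture')` matches only the notification title, so the new test passes for any block reason, not specifically the missing inventory basis named in its title. The fixture also depends on no inventory sync run existing without stating it. Assert the notification body or the reason code returned by the shared capture block, and consider `OperationRunType::BaselineCapture->value` in the final `where('type', ...)`, as the compare landing test in this commit does.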

@ -93,6 +93,44 @@ function visibleLivewireText(Testable $component): string
->and(mb_strpos($pageText, 'Decision'))->toBeLessThan(mb_strpos($pageText, 'Artifact truth details'));
});
it('shows the shared blocked-inventory explanation for baseline capture runs without a usable snapshot', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'baseline_capture',
'status' => 'completed',
'outcome' => 'blocked',
'context' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'baseline_capture' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'current_baseline_changed' => false,
],
],
'failure_summary' => [
['reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED, 'message' => 'Capture blocked because the latest inventory sync failed.'],
],
'completed_at' => now(),
]);
$truth = app(ArtifactTruthPresenter::class)->forOperationRun($run->fresh());
$explanation = $truth->operatorExplanation;
Filament::setTenant(null, true);
$this->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id]);
session([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id]);
Livewire::actingAs($user)
->test(TenantlessOperationRunViewer::class, ['run' => $run])
->assertSee('Blocked by prerequisite')
->assertSee($explanation?->evaluationResultLabel() ?? '')
->assertSee($explanation?->trustworthinessLabel() ?? '')
->assertSee('Latest inventory sync failed')
->assertSee($explanation?->nextActionText ?? '');
});
it('shows operator explanation facts for baseline compare runs with nested compare reason context', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
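Review bot: `$this->withSession([...])` and the `session([...])` call on the following line write the same `WorkspaceContext::SESSION_KEY` value; keep one, or add a comment saying why the Livewire test needs both. The `assertSee($explanation?->... ?? '')` lines also fall back to an empty string when `operatorExplanation` is null, so add `expect($explanation)->not->toBeNull();` after building `$truth`.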
@ -328,6 +366,9 @@ function visibleLivewireText(Testable $component): string
'workspace_id' => (int) $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$result = app(BaselineCaptureService::class)->startCapture($profile, $tenant, $user);
@ -344,7 +385,10 @@ function visibleLivewireText(Testable $component): string
->and(data_get($effectiveScope, 'legacy_projection.foundation_types'))->toBe([])
->and(data_get($effectiveScope, 'selected_type_keys'))->toBe(['deviceConfiguration'])
->and(data_get($effectiveScope, 'allowed_type_keys'))->toBe(['deviceConfiguration'])
->and(data_get($effectiveScope, 'unsupported_type_keys'))->toBe([]);
->and(data_get($effectiveScope, 'unsupported_type_keys'))->toBe([])
->and(data_get($run->context, 'baseline_capture.inventory_sync_run_id'))->toBe((int) $inventorySyncRun->getKey())
->and(data_get($run->context, 'baseline_capture.eligibility.phase'))->toBe('preflight')
->and(data_get($run->context, 'baseline_capture.eligibility.ok'))->toBeTrue();
});
it('normalizes legacy compare assignment overrides into canonical effective scope without rewriting the override row', function (): void {

@ -71,5 +71,5 @@
->assertSee('Recent operations');
});
expect(count(DB::getQueryLog()))->toBeLessThan(80);
expect(count(DB::getQueryLog()))->toBeLessThanOrEqual(86);
});
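Review bot: the query ceiling moves from `toBeLessThan(80)` to `toBeLessThanOrEqual(86)` with nothing in the hunk explaining which queries were added. Name the new queries in a comment or in the commit message and check whether they can be eager-loaded or batched; a guard that is raised each time it trips stops catching N+1 regressions.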

@ -17,7 +17,7 @@
'finding_lifecycle',
'tenant_lifecycle',
])
->and(array_keys($rules))->toHaveCount(16)
->and(array_keys($rules))->toHaveCount(17)
->and($bindings)->not->toBeEmpty();
foreach ($bindings as $binding) {
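Review bot: `toHaveCount(17)` replaces `toHaveCount(16)` without saying which rule was added, and a bare count would still pass if one rule were dropped and two added. Assert the new rule key by name with `toContain(...)` on `array_keys($rules)` next to the count.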

@ -198,6 +198,197 @@
->assertSee('The provider connection will be used for all Graph API calls.');
});
it('renders selected bootstrap actions in the review summary before any bootstrap run starts', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$entraTenantId = 'cdcdcdcd-cdcd-cdcd-cdcd-cdcdcdcdcdcd';
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => $entraTenantId,
'status' => Tenant::STATUS_ONBOARDING,
'name' => 'Bootstrap Selected Tenant',
]);
$user->tenants()->syncWithoutDetaching([
$tenant->getKey() => ['role' => 'owner'],
]);
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => $entraTenantId,
'display_name' => 'Platform onboarding connection',
'is_default' => true,
'is_enabled' => true,
]);
$run = OperationRun::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'type' => 'provider.connection.check',
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Succeeded->value,
'context' => [
'provider_connection_id' => (int) $connection->getKey(),
'target_scope' => [
'entra_tenant_id' => $entraTenantId,
'entra_tenant_name' => 'Bootstrap Selected Tenant',
],
'verification_report' => VerificationReportWriter::build('provider.connection.check', [
[
'key' => 'consent',
'title' => 'Required application permissions',
'status' => 'pass',
'severity' => 'low',
'blocking' => false,
'reason_code' => 'ok',
'message' => 'Consent is ready.',
'evidence' => [],
'next_steps' => [],
],
]),
],
]);
$session = TenantOnboardingSession::query()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'entra_tenant_id' => $entraTenantId,
'current_step' => 'complete',
'state' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_operation_run_id' => (int) $run->getKey(),
'bootstrap_operation_types' => ['inventory_sync', 'compliance.snapshot'],
],
'started_by_user_id' => (int) $user->getKey(),
'updated_by_user_id' => (int) $user->getKey(),
]);
$component = Livewire::actingAs($user)
->test(ManagedTenantOnboardingWizard::class, ['onboardingDraft' => (int) $session->getKey()]);
$component
->assertDontSee('Bootstrap needs attention')
->assertDontSee('Selected bootstrap actions must complete before activation. Return to Bootstrap to remove the selected actions and skip this optional step, or resolve the required permission and start the blocked action again.');
$summaryMethod = new \ReflectionMethod($component->instance(), 'completionSummaryBootstrapSummary');
$summaryMethod->setAccessible(true);
expect($summaryMethod->invoke($component->instance()))->toBe('Selected - 2 action(s) selected');
});
it('renders blocked bootstrap runs as action required in the review summary', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$entraTenantId = 'efefefef-efef-efef-efef-efefefefefef';
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => $entraTenantId,
'status' => Tenant::STATUS_ONBOARDING,
'name' => 'Bootstrap Blocked Tenant',
]);
$user->tenants()->syncWithoutDetaching([
$tenant->getKey() => ['role' => 'owner'],
]);
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => $entraTenantId,
'display_name' => 'Platform onboarding connection',
'is_default' => true,
'is_enabled' => true,
]);
$verificationRun = OperationRun::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'type' => 'provider.connection.check',
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Succeeded->value,
'context' => [
'provider_connection_id' => (int) $connection->getKey(),
'target_scope' => [
'entra_tenant_id' => $entraTenantId,
'entra_tenant_name' => 'Bootstrap Blocked Tenant',
],
'verification_report' => VerificationReportWriter::build('provider.connection.check', [
[
'key' => 'consent',
'title' => 'Required application permissions',
'status' => 'pass',
'severity' => 'low',
'blocking' => false,
'reason_code' => 'ok',
'message' => 'Consent is ready.',
'evidence' => [],
'next_steps' => [],
],
]),
],
]);
$bootstrapRun = OperationRun::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'type' => 'inventory_sync',
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Blocked->value,
'context' => [
'provider_connection_id' => (int) $connection->getKey(),
'reason_translation' => [
'operator_label' => 'Permission required',
],
],
]);
$session = TenantOnboardingSession::query()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'entra_tenant_id' => $entraTenantId,
'current_step' => 'complete',
'state' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_operation_run_id' => (int) $verificationRun->getKey(),
'bootstrap_operation_types' => ['inventory_sync', 'compliance.snapshot'],
'bootstrap_operation_runs' => ['inventory_sync' => (int) $bootstrapRun->getKey()],
],
'started_by_user_id' => (int) $user->getKey(),
'updated_by_user_id' => (int) $user->getKey(),
]);
$component = Livewire::actingAs($user)
->test(ManagedTenantOnboardingWizard::class, ['onboardingDraft' => (int) $session->getKey()]);
$summaryMethod = new \ReflectionMethod($component->instance(), 'completionSummaryBootstrapSummary');
$summaryMethod->setAccessible(true);
expect($summaryMethod->invoke($component->instance()))->toBe('Action required - Permission required');
});
it('initializes entangled wizard state keys to avoid Livewire entangle errors', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
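Review bot: both new tests are titled as rendering checks ("renders ... in the review summary") but take their result from `new \ReflectionMethod($component->instance(), 'completionSummaryBootstrapSummary')`, and the blocked-run test has no assertion on rendered output at all. Assert the summary strings through the component with `assertSee(...)` so a template regression is caught and the private method stays free to change. The `setAccessible(true)` calls have no effect since PHP 8.1 and can be dropped.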
@ -213,10 +404,198 @@
Livewire::actingAs($user)
->test(ManagedTenantOnboardingWizard::class)
->assertSet('data.notes', '')
->assertSet('data.bootstrap_operation_types', [])
->assertSet('data.override_blocked', false)
->assertSet('data.override_reason', '');
});
it('persists selected bootstrap actions in the onboarding draft state', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$entraTenantId = 'dededede-dede-dede-dede-dededededede';
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => $entraTenantId,
'status' => Tenant::STATUS_ONBOARDING,
'name' => 'Persist Bootstrap Tenant',
]);
$user->tenants()->syncWithoutDetaching([
$tenant->getKey() => ['role' => 'owner'],
]);
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => $entraTenantId,
'display_name' => 'Platform onboarding connection',
'is_default' => true,
'is_enabled' => true,
]);
$run = OperationRun::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'type' => 'provider.connection.check',
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Succeeded->value,
'context' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_report' => VerificationReportWriter::build('provider.connection.check', [
[
'key' => 'consent',
'title' => 'Required application permissions',
'status' => 'pass',
'severity' => 'low',
'blocking' => false,
'reason_code' => 'ok',
'message' => 'Consent is ready.',
'evidence' => [],
'next_steps' => [],
],
]),
],
]);
$session = TenantOnboardingSession::query()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'entra_tenant_id' => $entraTenantId,
'current_step' => 'bootstrap',
'state' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_operation_run_id' => (int) $run->getKey(),
],
'started_by_user_id' => (int) $user->getKey(),
'updated_by_user_id' => (int) $user->getKey(),
]);
$component = Livewire::actingAs($user)
->test(ManagedTenantOnboardingWizard::class, ['onboardingDraft' => (int) $session->getKey()]);
$persistMethod = new \ReflectionMethod($component->instance(), 'persistBootstrapSelection');
$persistMethod->setAccessible(true);
$persistMethod->invoke($component->instance(), ['inventory_sync', 'compliance.snapshot']);
$session->refresh();
expect($session->state['bootstrap_operation_types'] ?? null)->toBe(['inventory_sync', 'compliance.snapshot']);
});
it('filters unsupported bootstrap selections from persisted onboarding drafts', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => $workspace->getKey(),
'user_id' => $user->getKey(),
'role' => 'owner',
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$tenantGuid = '12121212-1212-1212-1212-121212121212';
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => $tenantGuid,
'status' => Tenant::STATUS_ONBOARDING,
'name' => 'Acme',
]);
$user->tenants()->syncWithoutDetaching([
$tenant->getKey() => ['role' => 'owner'],
]);
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => $tenantGuid,
'display_name' => 'Platform onboarding connection',
'is_default' => true,
'is_enabled' => true,
]);
$run = OperationRun::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'type' => 'provider.connection.check',
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Succeeded->value,
'context' => [
'provider_connection_id' => (int) $connection->getKey(),
'target_scope' => [
'entra_tenant_id' => $tenantGuid,
'entra_tenant_name' => 'Acme',
],
'verification_report' => VerificationReportWriter::build('provider.connection.check', [
[
'key' => 'consent',
'title' => 'Required application permissions',
'status' => 'pass',
'severity' => 'low',
'blocking' => false,
'reason_code' => 'ok',
'message' => 'Consent is ready.',
'evidence' => [],
'next_steps' => [],
],
]),
],
]);
$session = TenantOnboardingSession::query()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'entra_tenant_id' => $tenantGuid,
'current_step' => 'complete',
'state' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_operation_run_id' => (int) $run->getKey(),
'bootstrap_operation_types' => [
'inventory_sync',
'compliance.snapshot',
'restore.execute',
'entra_group_sync',
'directory_role_definitions.sync',
],
],
'started_by_user_id' => (int) $user->getKey(),
'updated_by_user_id' => (int) $user->getKey(),
]);
$component = Livewire::actingAs($user)
->test(ManagedTenantOnboardingWizard::class, ['onboardingDraft' => (int) $session->getKey()]);
$normalizeMethod = new \ReflectionMethod($component->instance(), 'normalizeBootstrapOperationTypes');
$normalizeMethod->setAccessible(true);
expect($normalizeMethod->invoke($component->instance(), [
'inventory_sync',
'compliance.snapshot',
'restore.execute',
'entra_group_sync',
'directory_role_definitions.sync',
]))->toBe(['inventory_sync', 'compliance.snapshot']);
$optionsMethod = new \ReflectionMethod($component->instance(), 'bootstrapOperationOptions');
$optionsMethod->setAccessible(true);
expect(array_keys($optionsMethod->invoke($component->instance())))->toBe(['inventory_sync', 'compliance.snapshot']);
});
it('returns resumable drafts with missing provider connections to the provider connection step', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
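Review bot: the 'filters unsupported bootstrap selections from persisted onboarding drafts' test seeds `restore.execute`, `entra_group_sync` and `directory_role_definitions.sync` into the draft state, but then only calls `normalizeBootstrapOperationTypes` by reflection with a fresh literal array, so it never shows that the persisted values are filtered when the draft is loaded or started. The property worth pinning down is that a stored draft cannot queue an operation outside the bootstrap allow-list: assert `data.bootstrap_operation_types` after mount and that `startBootstrap` dispatches nothing for the unsupported types. The workspace, tenant, connection and verification-run setup is also repeated in every test of this hunk; a shared helper would make the differing state easier to see.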
@ -1045,7 +1424,10 @@
]),
]);
$component->call('startBootstrap', ['inventory_sync', 'compliance.snapshot']);
$component->call('startBootstrap', [
'inventory_sync' => true,
'compliance.snapshot' => true,
]);
Bus::assertDispatchedTimes(\App\Jobs\ProviderInventorySyncJob::class, 1);
Bus::assertNotDispatched(\App\Jobs\ProviderComplianceSnapshotJob::class);
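Review bot: `startBootstrap` is now called with a keyed map (`'inventory_sync' => true`) in place of the previous list, and the list form is no longer exercised in this hunk. The draft state elsewhere in this file stores `bootstrap_operation_types` as a list, so if that shape can still reach `startBootstrap`, keep a case for it. Also add a case with a `false` value to pin down that an unchecked key does not dispatch a job.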

@ -13,6 +13,7 @@
use App\Support\Audit\AuditActorType;
use App\Support\Audit\AuditOutcome;
use App\Support\Baselines\BaselineCaptureMode;
use App\Support\Baselines\BaselineReasonCodes;
it('derives summary-first audit semantics for baseline capture workflow events', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
@ -79,3 +80,58 @@
->and($completed?->targetDisplayLabel())->not->toBeNull()
->and((int) $completed?->operation_run_id)->toBe((int) $run->getKey());
});
it('records no-data baseline capture audit metadata without claiming baseline truth changed', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
'capture_mode' => BaselineCaptureMode::Opportunistic->value,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$operationRunService = app(OperationRunService::class);
$run = $operationRunService->ensureRunWithIdentity(
tenant: $tenant,
type: 'baseline_capture',
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
context: [
'baseline_profile_id' => (int) $profile->getKey(),
'source_tenant_id' => (int) $tenant->getKey(),
'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
'baseline_capture' => [
'inventory_sync_run_id' => (int) $inventorySyncRun->getKey(),
'eligibility' => [
'phase' => 'preflight',
'ok' => true,
'inventory_sync_run_id' => (int) $inventorySyncRun->getKey(),
'covered_types' => ['deviceConfiguration'],
'uncovered_types' => [],
],
],
],
initiator: $user,
);
(new CaptureBaselineSnapshotJob($run))->handle(
app(BaselineSnapshotIdentity::class),
app(InventoryMetaContract::class),
app(AuditLogger::class),
$operationRunService,
);
$completed = AuditLog::query()
->where('tenant_id', (int) $tenant->getKey())
->where('action', 'baseline.capture.completed')
->latest('id')
->first();
expect($completed)->not->toBeNull();
expect(data_get($completed?->metadata, 'reason_code'))->toBe(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS);
expect(data_get($completed?->metadata, 'current_baseline_changed'))->toBeFalse();
expect(data_get($completed?->metadata, 'snapshot_id'))->not->toBeNull();
});
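Review bot: the final assertions accept `snapshot_id` being set alongside `current_baseline_changed` being false, but nothing checks the state of that snapshot or of the profile. To back the "without claiming baseline truth changed" title, also assert that `$profile->fresh()->active_snapshot_id` is still null and that the snapshot referenced in the audit metadata is not a complete, consumable one.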

@ -5,6 +5,7 @@
use App\Filament\Pages\Operations\TenantlessOperationRunViewer;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
@ -175,3 +176,77 @@ function governanceRunViewer(TestCase $testCase, $user, Tenant $tenant, Operatio
expect(mb_strpos($pageText, 'Missing sections'))->toBeLessThan(mb_strpos($pageText, 'Secondary causes'))
->and($pageText)->toContain('stale evidence');
});
it('shows failed-latest-inventory baseline capture summaries before diagnostics', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'baseline_capture',
'status' => 'completed',
'outcome' => 'blocked',
'context' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'baseline_capture' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'subjects_total' => 0,
'current_baseline_changed' => false,
],
],
'failure_summary' => [[
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'message' => 'Capture blocked because the latest inventory sync failed.',
]],
'completed_at' => now(),
]);
$component = governanceRunViewer($this, $user, $tenant, $run)
->assertSee('The baseline capture was blocked because the latest inventory sync failed.')
->assertSee('Latest inventory sync failed')
->assertSee('Artifact impact')
->assertSee('Dominant cause');
$pageText = governanceVisibleText($component);
expect(mb_strpos($pageText, 'The baseline capture was blocked because the latest inventory sync failed.'))
->toBeLessThan(mb_strpos($pageText, 'Artifact truth details'));
});
it('shows zero-subject baseline capture summaries before diagnostics', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'baseline_capture',
'status' => 'completed',
'outcome' => 'partially_succeeded',
'context' => [
'reason_code' => BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
'baseline_capture' => [
'reason_code' => BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
'subjects_total' => 0,
'current_baseline_changed' => false,
],
],
'summary_counts' => [
'total' => 0,
'processed' => 0,
'failed' => 0,
],
'completed_at' => now(),
]);
$component = governanceRunViewer($this, $user, $tenant, $run)
->assertSee('The baseline capture finished without a usable baseline because no governed subjects were in scope.')
->assertSee('No subjects were in scope')
->assertSee('Primary next step');
$pageText = governanceVisibleText($component);
expect(mb_strpos($pageText, 'The baseline capture finished without a usable baseline because no governed subjects were in scope.'))
->toBeLessThan(mb_strpos($pageText, 'Artifact truth details'));
});
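Review bot: both ordering checks compare an `mb_strpos(...)` result against the position of 'Artifact truth details', but neither test asserts that this heading is present, and `mb_strpos` returns `false` for a missing needle, which turns the check into a comparison involving a boolean. Assert that both positions are integers first (or add `assertSee('Artifact truth details')`), then compare them.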

@ -5,6 +5,7 @@
use App\Notifications\OperationRunCompleted;
use App\Notifications\OperationRunQueued;
use App\Services\OperationRunService;
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\OperationRunLinks;
use App\Support\Auth\PlatformCapabilities;
use App\Support\System\SystemOperationRunLinks;
@ -232,6 +233,75 @@ function spec230ExpectedNotificationIcon(string $status): string
$this->get(data_get($notification?->data, 'actions.0.url'))->assertSuccessful();
});
it('includes baseline truth status in blocked baseline-capture terminal notifications', function () {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'user_id' => (int) $user->getKey(),
'initiator_name' => $user->name,
'type' => 'baseline_capture',
'status' => 'queued',
'outcome' => 'pending',
'context' => [
'baseline_capture' => [
'current_baseline_changed' => false,
'previous_current_snapshot_exists' => true,
],
],
]);
app(OperationRunService::class)->finalizeBlockedRun(
run: $run,
reasonCode: BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
message: 'Capture blocked because the latest inventory sync failed.',
);
$notification = $user->notifications()->latest('id')->first();
expect($notification)->not->toBeNull()
->and(data_get($notification?->data, 'baseline_truth_changed'))->toBeFalse()
->and(data_get($notification?->data, 'reason_translation.operator_label'))->toBe('Latest inventory sync failed')
->and(data_get($notification?->data, 'diagnostic_reason_code'))->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_FAILED)
->and(array_values(data_get($notification?->data, 'supporting_lines', [])))->toContain('Current baseline truth was unchanged.');
});
it('does not emit terminal notifications for initiator-null baseline-capture runs', function () {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'user_id' => null,
'initiator_name' => 'System',
'type' => 'baseline_capture',
'status' => 'queued',
'outcome' => 'pending',
'context' => [
'baseline_capture' => [
'current_baseline_changed' => false,
],
],
]);
app(OperationRunService::class)->finalizeBlockedRun(
run: $run,
reasonCode: BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
message: 'Capture completed without governed subjects in scope.',
);
expect($user->notifications()->count())->toBe(0);
});
it('uses the system operation route for completed notifications delivered to platform users', function (): void {
$platformUser = PlatformUser::factory()->create([
'capabilities' => [
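Review bot: the initiator-null test finalizes the run through `finalizeBlockedRun` with `BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS`, while the other fixtures in this commit pair that reason code with a `partially_succeeded` outcome and use `blocked` with `CAPTURE_INVENTORY_FAILED`. Use the inventory-failed code here, or finalize through the path a zero-subject capture actually takes, so the test covers a state that can occur.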

@ -11,7 +11,12 @@
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Services\OperationRunService;
use App\Support\OperationRunLinks;
use App\Support\Operations\ExecutionAuthorityMode;
use App\Support\Operations\ExecutionDenialReasonCode;
use App\Support\Operations\QueuedExecutionContext;
use App\Support\Operations\QueuedExecutionLegitimacyDecision;
use App\Support\Verification\VerificationReportSchema;
use App\Support\Verification\VerificationReportWriter;
use App\Support\Workspaces\WorkspaceContext;
@ -340,6 +345,111 @@
->not->toContain('data-shared-zone="diagnostics"');
});
it('renders a queued legitimacy blocked verification report in the wizard instead of the empty state', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$entraTenantId = '20202020-2020-2020-2020-202020202020';
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => $entraTenantId,
'status' => Tenant::STATUS_ONBOARDING,
]);
$user->tenants()->syncWithoutDetaching([
$tenant->getKey() => ['role' => 'owner'],
]);
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => $entraTenantId,
'display_name' => 'Blocked queued verification connection',
'is_default' => true,
]);
$run = OperationRun::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'user_id' => (int) $user->getKey(),
'initiator_name' => $user->name,
'type' => 'provider.connection.check',
'status' => 'queued',
'outcome' => 'pending',
'context' => [
'provider_connection_id' => (int) $connection->getKey(),
'target_scope' => [
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'provider_connection_id' => (int) $connection->getKey(),
'entra_tenant_id' => $entraTenantId,
],
],
]);
$context = new QueuedExecutionContext(
run: $run,
operationType: 'provider.connection.check',
workspaceId: (int) $workspace->getKey(),
tenant: $tenant,
initiator: $user,
authorityMode: ExecutionAuthorityMode::ActorBound,
requiredCapability: 'providers.view',
providerConnectionId: (int) $connection->getKey(),
targetScope: [
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'provider_connection_id' => (int) $connection->getKey(),
'entra_tenant_id' => $entraTenantId,
],
);
$decision = QueuedExecutionLegitimacyDecision::deny(
context: $context,
checks: [
'workspace_scope' => 'passed',
'tenant_scope' => 'passed',
'capability' => 'not_applicable',
'tenant_operability' => 'failed',
'execution_prerequisites' => 'not_applicable',
],
reasonCode: ExecutionDenialReasonCode::TenantNotOperable,
);
app(OperationRunService::class)->finalizeExecutionLegitimacyBlockedRun($run, $decision);
TenantOnboardingSession::query()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'entra_tenant_id' => $entraTenantId,
'current_step' => 'verify',
'state' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_operation_run_id' => (int) $run->getKey(),
],
'started_by_user_id' => (int) $user->getKey(),
'updated_by_user_id' => (int) $user->getKey(),
]);
$this->actingAs($user)
->followingRedirects()
->get('/admin/onboarding')
->assertSuccessful()
->assertSee('Status: Blocked')
->assertSee(ExecutionDenialReasonCode::TenantNotOperable->message())
->assertDontSee('Verification report unavailable');
});
it('keeps one onboarding verification path per state while leaving workflow actions on the wizard step', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
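Review bot: The blocked-verification test asserts only on rendered text (`assertSee('Status: Blocked')` and the reason message), so nothing in it pins what `finalizeExecutionLegitimacyBlockedRun($run, $decision)` actually persisted. Refresh `$run` after the finalize call and assert its status, outcome and `context.verification_report` before issuing the request, so a regression in the stored truth cannot be masked by the page deriving the label another way. Separately, `'status' => 'queued'`, `'outcome' => 'pending'` and `requiredCapability: 'providers.view'` are string literals here, while the gate unit test in this change uses `OperationRunStatus::Queued->value`, `OperationRunOutcome::Pending->value` and a `Capabilities::` constant; using the same enums and constants keeps the two tests from drifting apart.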

@ -9,6 +9,7 @@
use App\Support\Operations\ExecutionDenialReasonCode;
use App\Support\Operations\QueuedExecutionContext;
use App\Support\Operations\QueuedExecutionLegitimacyDecision;
use App\Support\Verification\VerificationReportSchema;
it('writes a blocked terminal audit trail with execution denial context', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
@ -64,6 +65,8 @@
->latest('id')
->first();
$report = data_get($run->context, 'verification_report');
expect($audit)->not->toBeNull()
->and($audit?->action)->toBe('operation.blocked')
->and($audit?->status)->toBe('blocked')
@ -74,5 +77,10 @@
->and(data_get($audit?->metadata, 'denial_class'))->toBe('initiator_invalid')
->and(data_get($audit?->metadata, 'authority_mode'))->toBe('actor_bound')
->and(data_get($audit?->metadata, 'acting_identity_type'))->toBe('user')
->and($run->summary_counts)->toBe(['total' => 4]);
->and($run->summary_counts)->toBe(['total' => 4])
->and($report)->toBeArray()
->and(VerificationReportSchema::isValidReport($report))->toBeTrue()
->and(data_get($report, 'checks.0.key'))->toBe('provider.connection.check')
->and(data_get($report, 'summary.overall'))->toBe('blocked')
->and(data_get($report, 'checks.0.message'))->toBe(ExecutionDenialReasonCode::InitiatorNotEntitled->message());
});
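Review bot: The new report assertions read `checks.0` by index, which ties the test to check ordering and never pins how many checks the blocked report contains, even though `summary_counts` is asserted as `['total' => 4]` in the same chain. Assert the number of entries under `checks` (or select the entry by its `key`) and assert that entry's own status in addition to `summary.overall`. The last assertion compares against the translated `ExecutionDenialReasonCode::InitiatorNotEntitled->message()` string; if the report also stores the reason code, asserting on that would survive copy changes.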

@ -3,6 +3,8 @@
declare(strict_types=1);
use App\Models\OperationRun;
use App\Models\ProviderConnection;
use App\Support\Auth\Capabilities;
use App\Services\Operations\QueuedExecutionLegitimacyGate;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
@ -53,6 +55,95 @@
]);
});
it('allows onboarding verification runs for onboarding tenants when they originate from the onboarding wizard', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$tenant->forceFill([
'status' => 'onboarding',
])->save();
$connection = ProviderConnection::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'provider' => 'microsoft',
'entra_tenant_id' => (string) $tenant->tenant_id,
]);
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'user_id' => (int) $user->getKey(),
'type' => 'provider.connection.check',
'status' => OperationRunStatus::Queued->value,
'outcome' => OperationRunOutcome::Pending->value,
'context' => [
'execution_authority_mode' => ExecutionAuthorityMode::ActorBound->value,
'provider_connection_id' => (int) $connection->getKey(),
'wizard' => [
'flow' => 'managed_tenant_onboarding',
'step' => 'verification',
],
],
]);
$decision = app(QueuedExecutionLegitimacyGate::class)->evaluate($run);
expect($decision->allowed)->toBeTrue()
->and($decision->reasonCode)->toBeNull()
->and($decision->checks)->toMatchArray([
'workspace_scope' => 'passed',
'tenant_scope' => 'passed',
'capability' => 'passed',
'tenant_operability' => 'passed',
'execution_prerequisites' => 'passed',
]);
});
it('allows workspace-scoped onboarding bootstrap capabilities during queued reauthorization', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$tenant->forceFill([
'status' => 'onboarding',
])->save();
$connection = ProviderConnection::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'provider' => 'microsoft',
'entra_tenant_id' => (string) $tenant->tenant_id,
]);
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'user_id' => (int) $user->getKey(),
'type' => 'inventory_sync',
'status' => OperationRunStatus::Queued->value,
'outcome' => OperationRunOutcome::Pending->value,
'context' => [
'execution_authority_mode' => ExecutionAuthorityMode::ActorBound->value,
'provider_connection_id' => (int) $connection->getKey(),
'required_capability' => Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
'wizard' => [
'flow' => 'managed_tenant_onboarding',
'step' => 'bootstrap',
],
],
]);
$decision = app(QueuedExecutionLegitimacyGate::class)->evaluate($run);
expect($decision->allowed)->toBeTrue()
->and($decision->reasonCode)->toBeNull()
->and($decision->checks)->toMatchArray([
'workspace_scope' => 'passed',
'tenant_scope' => 'passed',
'capability' => 'passed',
'tenant_operability' => 'passed',
'execution_prerequisites' => 'passed',
]);
});
it('denies actor-bound execution when the initiator loses capability', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
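Review bot: Both added cases cover only the allow path, and what separates them from an ordinary queued run on an `onboarding` tenant is the `wizard` block inside the run's `context`. Because that block is data stored on the run, the suite should also pin the deny side: the same run without `wizard` (or with a different `flow` or `step`) expected to return `TenantNotOperable`, and the same wizard context with a `readonly` initiator expected to fail the `capability` check. In the first case no `required_capability` is set, yet `'capability' => 'passed'` is expected; either set it explicitly as the bootstrap case does or add a comment saying where the gate derives it for `provider.connection.check`.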

@ -3,7 +3,7 @@ # Product Roadmap
> Strategic thematic blocks and release trajectory.
> This is the "big picture" — not individual specs.
**Last updated**: 2026-04-22
**Last updated**: 2026-04-24
---
@ -13,7 +13,7 @@ ## Release History
|---------|-------|--------|
| **R1 "Golden Master Governance"** | Baseline drift as production feature, operations polish | **Done** |
| **R1 cont.** | Ops canonicalization, action surface contract, ops-ux enforcement | **Done** |
| **R2 "Tenant Reviews & Evidence"** | Evidence packs, stored reports, permission posture, alerts | **Partial** |
| **R2 "Tenant Reviews, Evidence & Control Foundation"** | Evidence packs, stored reports, canonical control catalog, permission posture, alerts | **Partial** |
| **R2 cont.** | Alert escalation + notification routing | **Done** |
---
@ -21,11 +21,11 @@ ## Release History
## Active / Near-term
### Governance & Architecture Hardening
Canonical run-view trust semantics, execution-time authorization continuity, tenant-owned query canon, findings workflow enforcement, Livewire trust-boundary reduction.
Goal: Turn the new audit constitution into enforceable backend and workflow guardrails before further governance surface area lands.
Canonical run-view trust semantics, execution-time authorization continuity, tenant-owned query canon, findings workflow enforcement, Livewire trust-boundary reduction, operation-type canonicalization, provider-boundary hardening, target-scope neutrality, and governed-subject vocabulary enforcement.
Goal: Turn the new audit constitution into enforceable backend and workflow guardrails before further governance surface area lands, while preventing the Governance-of-Record platform core from drifting into provider-specific or operation-type dual semantics.
**Active specs**: 144
**Specced follow-through (draft)**: 149 (queued execution reauthorization), 150 (tenant-owned query canon), 151 (findings workflow backstop), 152 (Livewire context locking), 214 (governance outcome compression), 216 (provider dispatch gate)
**Specced follow-through (draft)**: 149 (queued execution reauthorization), 150 (tenant-owned query canon), 151 (findings workflow backstop), 152 (Livewire context locking), 214 (governance outcome compression), 216 (provider dispatch gate). Next foundation candidates: Canonical Operation Type Source of Truth, Provider Boundary Hardening, Provider Identity & Target Scope Neutrality, Platform Vocabulary Boundary Enforcement for Governed Subject Keys.
**Operator truth initiative** (sequenced): Operator Outcome Taxonomy (Spec 156) → Reason Code Translation (Spec 157) → Artifact Truth Semantics (Spec 158) → Governance Operator Outcome Compression (Spec 214, draft). Humanized Diagnostic Summaries for Governance Operations is now Spec 220 (draft) as the run-detail adoption slice, while Provider Dispatch Gate Unification is now Spec 216 (draft) as the adjacent hardening lane.
**Source**: architecture audit 2026-03-15, audit constitution, semantic clarity audit 2026-03-21, product spec-candidates
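Review bot: The revised "Specced follow-through (draft)" line now mixes numbered draft specs with four "Next foundation candidates" that carry no spec number, under a label that says they are specced. Put the candidates on their own line with their own label so the roadmap does not imply that specs already exist for them.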
@ -79,13 +79,25 @@ ### R2.0 Canonical Control Catalog Foundation
- Microsoft subject and workload bindings for tenant-near technical controls
- Small seed catalog for v1 families such as strong authentication, conditional access, privileged access, endpoint baseline or hardening, sharing boundaries, mail protection, audit retention, and delegated admin boundaries
- Referenceable from Baseline Profiles, Compare and Drift, Findings, Exceptions, StoredReports, and EvidenceItems
- Foundation for later framework mappings, readiness views, and auditor packs
- Foundation for later framework mappings, readiness views, customer review workspaces, and auditor packs
- Explicitly not a late compliance feature: this is the semantic platform layer for tenant reviews, evidence packs, findings, exceptions, stored reports, and future readiness views
### R1.x Foundation Hardening — Governance Platform Anti-Drift
Stabilize the Governance-of-Record platform semantics before additional Microsoft domains, compliance overlays, or multi-cloud execution expand the surface area.
**Goal**: Keep Golden Master Governance from becoming provider-specific feature growth by hardening the platform seams underneath OperationRuns, ProviderConnections, governed subjects, and shared vocabulary.
- Canonical Operation Type Source of Truth for persistence, dispatch, UI labels, audit, alerts, notifications, and reporting
- Provider Boundary Hardening so provider-specific behavior stays inside provider adapters and registries
- Provider Identity & Target Scope Neutrality so Entra-specific identifiers do not become generic platform truth
- Platform Vocabulary Boundary Enforcement for Governed Subject Keys so `policy_type` and similar provider/domain terms do not leak into the platform core
- No AWS/GCP/SaaS connector implementation in this slice; this is anti-drift foundation work only
### R2 Completion — Evidence & Exception Workflows
- Review pack export (Spec 109 — done)
- Exception/risk-acceptance workflow for Findings → Spec 154 (draft)
- Formal evidence/review-pack entity foundation → Spec 153 (evidence snapshots, draft) + Spec 155 (tenant review layer / review packs, draft)
- Workspace-level PII override for review packs → deferred from 109
- Customer Review Workspace / Read-only View v1 → sharpen customer-facing review consumption: baseline status, latest reviews, findings, accepted risks, evidence/review-pack downloads, customer-safe redaction, and no admin/remediation actions
### Findings Workflow v2 / Execution Layer
Turn findings from a reviewable register into an accountable operating flow with clear ownership, personal queues, intake, hygiene, and minimal escalation.
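Review bot: The new "R1.x Foundation Hardening" section is inserted between "R2.0 Canonical Control Catalog Foundation" and "R2 Completion", so an R1.x block now reads as sequenced after R2.0 work. Move it ahead of the R2.0 section or state why it follows it. Its four bullets also repeat the four candidates added to the "Governance & Architecture Hardening" block earlier in this file; keep the list in one place and reference it from the other.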
@ -144,10 +156,10 @@ ### PSA / Ticketing Handoff
**Scope direction**: start with one-way handoff and internal visibility, not full bidirectional sync or full ITSM modeling.
### Compliance Readiness & Executive Review Packs
On-demand review packs that combine governance findings, accepted risks, evidence, baseline/drift posture, and key security signals into one coherent deliverable. CIS-aligned baseline libraries plus NIS2-/BSI-oriented readiness views (without certification claims). Executive / CISO / customer-facing report surfaces alongside operator-facing detail views. Exportable auditor-ready and management-ready outputs.
On-demand review packs that combine governance findings, accepted risks, evidence, baseline/drift posture, canonical control coverage, and key security signals into one coherent deliverable. CIS-aligned baseline libraries plus NIS2-/BSI-oriented readiness views depend on the Canonical Control Catalog and Evidence-to-Control mapping and remain explicitly without certification claims. Executive / CISO / customer-facing report surfaces alongside operator-facing detail views. Exportable auditor-ready and management-ready outputs.
**Goal**: Make TenantPilot sellable as an MSP-facing governance and review platform for German midmarket and compliance-oriented customers who want structured tenant reviews and management-ready outputs on demand.
**Why it matters**: Turns existing governance data into a clear customer-facing value proposition. Strengthens MSP sales story beyond backup and restore. Creates a repeatable "review on demand" workflow for quarterly reviews, security health checks, and audit preparation.
**Depends on**: Canonical Control Catalog Foundation, StoredReports / EvidenceItems foundation, Tenant Review runs, Findings + Risk Acceptance workflow, evidence / signal ingestion, export pipeline maturity.
**Depends on**: Canonical Control Catalog Foundation, Evidence-to-Control mapping, StoredReports / EvidenceItems foundation, Tenant Review runs, Customer Review Workspace / Read-only View, Findings + Risk Acceptance workflow, evidence / signal ingestion, export pipeline maturity.
**Scope direction**: Start as compliance readiness and review packaging. Avoid formal certification language or promises. Position as governance evidence, management reporting, and audit preparation.
**Modeling principle**: Compliance and governance requirements are modeled through a framework-neutral canonical control catalog plus technical interpretations and versioned framework overlays, not as separate technical object worlds per framework. Readiness views, evidence packs, baseline libraries, and auditor outputs are generated from that shared domain model.
@ -214,7 +226,7 @@ ## Infrastructure & Platform Debt
| Item | Risk | Status |
|------|------|--------|
| No `.env.example` in repo | Onboarding friction | Open |
| No CI pipeline config | No automated quality gate | Open |
| CI pipeline config status drift | Roadmap debt list may be stale because workflow files exist and should be re-audited | Review needed |
| No PHPStan/Larastan | No static analysis | Open |
| SQLite for tests vs PostgreSQL in prod | Schema drift risk | Open |
| No formal release process | Manual deploys | Open |
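Review bot: The replaced debt row no longer states a risk: "CI pipeline config status drift" with status "Review needed" records that the list may be stale rather than what the current state is. Since the row itself says workflow files exist, do the re-audit as part of this change and set the row to the actual status, or drop it, so the table keeps listing risks rather than open questions.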

File diff suppressed because it is too large

@ -0,0 +1,36 @@
# Specification Quality Checklist: Baseline Capture Truthful Outcomes and Upstream Guardrails
**Purpose**: Capture specification completeness and quality at planning handoff, while keeping post-plan status notes aligned with the current artifact set
**Created**: 2026-04-23
**Feature**: [spec.md](../spec.md)
## Content Quality
- [x] No implementation algorithms, code diffs, or migration steps
- [x] Focused on user value and business needs
- [x] Repo-specific constitutional and surface-contract references remain intentional and bounded
- [x] All mandatory sections completed
## Requirement Completeness
- [x] No [NEEDS CLARIFICATION] markers remain
- [x] Requirements are testable and unambiguous
- [x] Success criteria are measurable
- [x] Success criteria are technology-agnostic (no implementation details)
- [x] All acceptance scenarios are defined
- [x] Edge cases are identified
- [x] Scope is clearly bounded
- [x] Dependencies and assumptions identified
## Feature Readiness
- [x] All functional requirements have clear acceptance criteria
- [x] User scenarios cover primary flows
- [x] Feature meets measurable outcomes defined in Success Criteria
- [x] No implementation algorithms or file-by-file execution steps leak into specification
## Notes
- This checklist records the spec's readiness at planning handoff; `plan.md`, `research.md`, `data-model.md`, `quickstart.md`, and `tasks.md` now exist as the implementation-facing artifacts for this feature.
- Repo-specific constitutional contract references are intentional and bounded; the spec still avoids implementation algorithms, code diffs, migration steps, and file-by-file implementation plans.
- No clarification markers remain, and the current scope is fully aligned across spec, plan, tasks, and supporting artifacts for implementation.

@ -0,0 +1,164 @@
# Data Model: Baseline Capture Truthful Outcomes and Upstream Guardrails
## Overview
This feature does not add a new persisted entity. It tightens the behavioral contract of three existing truths:
1. `BaselineProfile.active_snapshot_id` defines the current consumable baseline anchor.
2. `BaselineSnapshot.lifecycle_state` plus `completion_meta_jsonb` define whether a captured artifact is consumable.
3. `OperationRun` outcome, summary counts, and context define the operator-visible truth for blocked and no-data capture attempts.
## Entities
### BaselineProfile
**Table / Model**: `baseline_profiles` / `App\Models\BaselineProfile`
**Relevant fields**:
| Field | Type | Purpose in this feature |
|------|------|--------------------------|
| `id` | integer | Baseline identity |
| `workspace_id` | integer | Workspace isolation boundary |
| `status` | enum | Only active profiles can promote a new current snapshot |
| `capture_mode` | enum | Existing capture fidelity setting |
| `scope_jsonb` | jsonb | Determines in-scope policy types / foundations |
| `active_snapshot_id` | nullable integer | Current baseline truth pointer |
**Relationships**:
- `activeSnapshot(): BelongsTo`
- `snapshots(): HasMany`
- `resolveCurrentConsumableSnapshot(): ?BaselineSnapshot`
**Behavioral rule added by this feature**:
- `active_snapshot_id` only changes when the capture attempt yields a consumable snapshot.
- Blocked latest-inventory preconditions and zero-subject/no-data captures must not clear or advance the pointer.
### BaselineSnapshot
**Table / Model**: `baseline_snapshots` / `App\Models\BaselineSnapshot`
**Relevant fields**:
| Field | Type | Purpose in this feature |
|------|------|--------------------------|
| `id` | integer | Snapshot artifact identity |
| `workspace_id` | integer | Workspace isolation boundary |
| `baseline_profile_id` | integer | Owning baseline profile |
| `snapshot_identity_hash` | string | Deduplication / equality proof for captured content |
| `captured_at` | timestamp | Artifact recency |
| `completed_at` | nullable timestamp | Completion boundary |
| `lifecycle_state` | enum | `building`, `complete`, `incomplete` |
| `summary_jsonb` | jsonb | Aggregate capture counts / fidelity / gaps |
| `completion_meta_jsonb` | jsonb | Completion proof and finalization reason details |
**Existing lifecycle reused**:
- `complete`: Consumable snapshot truth.
- `incomplete`: Non-consumable artifact truth.
**Behavioral rule added by this feature**:
- If a zero-subject capture persists a snapshot row, it remains `incomplete` and non-consumable.
- The no-data finalization reason is stored in `completion_meta_jsonb` rather than introducing a new lifecycle state.
- Zero-subject capture must not reuse a historical complete snapshot as if it were the result of the current attempt.
**Expected completion metadata keys**:
| Key | Type | Meaning |
|-----|------|---------|
| `expected_items` | integer | Number of items the job expected to persist |
| `persisted_items` | integer | Number of items actually persisted |
| `producer_run_id` | integer | Owning `baseline_capture` run |
| `was_empty_capture` | boolean | Indicates zero-subject/no-data attempt |
| `finalization_reason_code` | string | Existing or new baseline reason code when incomplete |
### OperationRun
**Table / Model**: `operation_runs` / existing Operations subsystem
**Relevant fields**:
| Field | Type | Purpose in this feature |
|------|------|--------------------------|
| `id` | integer | Operation identity |
| `operation_type` | enum/string | `baseline_capture` |
| `status` | enum/string | `queued`, `running`, `completed` |
| `outcome` | enum/string | `blocked`, `partially_succeeded`, `succeeded`, existing failure outcomes |
| `summary_counts` | json | Flat numeric counts only |
| `context` | json | Detailed capture explanation |
**New or newly-required context keys**:
| Path | Type | Meaning |
|------|------|---------|
| `baseline_capture.reason_code` | string | Dominant blocked or no-data reason |
| `baseline_capture.inventory_sync_run_id` | nullable integer | Latest relevant inventory basis consulted |
| `baseline_capture.subjects_total` | integer | Number of in-scope subjects discovered when subject evaluation runs |
| `baseline_capture.current_baseline_changed` | boolean | Whether the capture attempt changed current consumable truth |
| `baseline_capture.eligibility` | object/array | Optional structured detail about upstream inventory credibility |
| `result.snapshot_id` | nullable integer | Persisted snapshot artifact, if any |
| `result.snapshot_lifecycle` | nullable string | Lifecycle of the persisted or reused snapshot artifact when one is attached to the result |
**Outcome rules introduced or tightened by this feature**:
- `completed + blocked`: The run started, but the latest inventory basis was not credible when execution actually occurred.
- `completed + partially_succeeded`: Zero-subject/no-data capture or existing warning/gap semantics where a run completed without producing a full trustworthy baseline refresh.
- `completed + succeeded`: Reserved for captures that produce or reuse a consumable snapshot truth and leave the effective baseline anchored to that consumable snapshot.
### Upstream Inventory Basis
**Source**: Existing inventory sync `OperationRun` and `InventoryItem` records
**Purpose in this feature**:
- Determine whether a baseline capture may start.
- Determine whether a queued capture is still valid when it executes.
- Determine how many in-scope subjects are currently available for capture.
**Behavioral rule added by this feature**:
- Only the latest relevant inventory sync may authorize capture.
- No earlier successful run may be used as silent fallback when a newer relevant run is blocked, failed, or missing.
## Relationships
| From | To | Relationship | Feature consequence |
|------|----|--------------|---------------------|
| `BaselineProfile` | `BaselineSnapshot` | one-to-many | A profile may have multiple attempted snapshots, but only consumable ones may become current truth |
| `BaselineProfile` | `BaselineSnapshot` | one active snapshot pointer | Pointer remains on last consumable snapshot when new attempt is blocked or no-data |
| `OperationRun` | `BaselineProfile` | contextual | Capture run context references the profile being captured |
| `OperationRun` | `BaselineSnapshot` | contextual | Run context references produced artifact if one exists |
| `InventoryItem` / inventory sync run | `BaselineProfile` capture attempt | derived eligibility | Determines whether capture may produce trustworthy baseline truth |
## State Transitions
### Capture start-time preflight
| Condition | Run created? | Result |
|-----------|--------------|--------|
| Profile inactive / archived / tenant mismatch / scope empty | no | Existing precondition rejection |
| Latest relevant inventory basis missing / blocked / failed / unusable | no | Shared baseline-capture reason code returned to start surface |
| Latest relevant inventory basis credible | yes | `baseline_capture` run enqueued |
### Queued runtime execution
| Condition | Run terminal state | Snapshot effect | Current baseline effect |
|-----------|--------------------|-----------------|-------------------------|
| Latest relevant inventory becomes non-credible after enqueue | `completed + blocked` | none | unchanged |
| Credible inventory but `subjects_total = 0` | `completed + partially_succeeded` | optional non-consumable no-data artifact | unchanged |
| Credible inventory and consumable capture produced or reused | `completed + succeeded` or existing warning-driven `partially_succeeded` | consumable snapshot | remains anchored to the consumable current snapshot |
| Persist / completion proof failure | existing failure / incomplete semantics | incomplete snapshot | unchanged |
## Invariants
- A non-consumable snapshot must never become current baseline truth automatically.
- A green baseline-capture outcome must imply that a consumable snapshot truth exists after the run.
- `summary_counts` stay flat and numeric-only even when blocked/no-data truth is carried by context and reason code.
- Compare-readiness surfaces derive from consumable baseline truth, not merely from the existence of a latest run.
## Conditional Legacy Edge
Existing legacy backfill logic can classify historical empty captures as `complete`. This feature does not change historical rows by default, but if implementation proves that those historical rows still participate in current runtime truth, the legacy classification rule must be adjusted inside this feature and re-proved with `BaselineSnapshotBackfillTest`.
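Review bot: In the "Queued runtime execution" table, `completed + partially_succeeded` is the terminal state for the zero-subject row (no consumable snapshot, baseline unchanged) and, through "existing warning-driven `partially_succeeded`", also for the row where a consumable snapshot was produced, so the outcome alone cannot tell a consumer whether the attempt yielded consumable truth. State explicitly that `baseline_capture.reason_code` and `result.snapshot_lifecycle` are the discriminators, and mark them as required for every `partially_succeeded` run rather than leaving that implicit under "New or newly-required context keys". Two smaller points: the OperationRun field table names `operation_type`, while the factories in this change's tests write `'type'`; and `resolveCurrentConsumableSnapshot(): ?BaselineSnapshot` is listed under Relationships although its signature is a nullable lookup, not a relation.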

@ -0,0 +1,267 @@
# Implementation Plan: Baseline Capture Truthful Outcomes and Upstream Guardrails
**Branch**: `235-baseline-capture-truth` | **Date**: 2026-04-23 | **Spec**: [spec.md](./spec.md)
**Input**: Feature specification from `/specs/235-baseline-capture-truth/spec.md`
**Note**: This plan keeps the slice intentionally narrow. It reuses the existing `BaselineSnapshot` lifecycle/usability model and the existing Ops UX explanation path, then hardens only baseline-capture eligibility, outcome mapping, no-data artifact handling, and current-baseline promotion.
## Summary
Harden baseline capture so it only succeeds when there is a credible inventory basis and at least one in-scope subject produces a consumable snapshot. The implementation will extend the existing capture reason-code family, make `BaselineCaptureService` evaluate the latest relevant inventory sync before enqueue, re-check the same prerequisite inside `CaptureBaselineSnapshotJob`, map zero-subject captures to `partially_succeeded` plus no-data artifact truth, keep `BaselineProfile.active_snapshot_id` anchored to the last consumable snapshot, and route operator messaging through the existing `ReasonTranslator`, `BaselineCompareStats`, and `GovernanceRunDiagnosticSummaryBuilder` paths instead of adding page-local copy branches.
## Technical Context
**Language/Version**: PHP 8.4.15, Laravel 12, Filament v5, Livewire v4
**Primary Dependencies**: `BaselineCaptureService`, `CaptureBaselineSnapshotJob`, `BaselineReasonCodes`, `BaselineCompareStats`, `ReasonTranslator`, `GovernanceRunDiagnosticSummaryBuilder`, `OperationRunService`, `BaselineProfile`, `BaselineSnapshot`, `OperationRunOutcome`, existing Filament capture/compare surfaces
**Storage**: Existing PostgreSQL tables only; no new table or schema migration is planned in the mainline slice
**Testing**: Pest v4 feature tests through Laravel Sail
**Validation Lanes**: `fast-feedback`, `confidence`
**Target Platform**: Laravel admin web application in Sail containers with workspace-admin routes under `/admin` and tenant routes under `/admin/t/{tenant}`
**Project Type**: Monorepo with one Laravel runtime in `apps/platform` and spec artifacts at repository root
**Performance Goals**: Preserve current capture request and queued-job behavior; add at most one focused latest-inventory eligibility lookup per capture attempt and no new high-cardinality UI rendering path
**Constraints**: No stale successful inventory fallback, no new persisted entity or lifecycle state, no new generic artifact-truth framework, no auth-plane expansion, and no drift of message semantics into page-local copy
**Scale/Scope**: One existing queued workflow (`baseline_capture`), one reason-code family extension, two existing start surfaces, one snapshot detail surface, one Monitoring run-detail explanation path, and focused baseline/Monitoring test families
## Filament v5 Implementation Contract
- **Livewire v4.0+ compliance**: Preserved. The plan changes existing Filament actions and shared presenters only; it introduces no legacy Livewire patterns.
- **Provider registration location**: Unchanged. Panel providers remain registered in `apps/platform/bootstrap/providers.php`.
- **Global search coverage**: `BaselineProfileResource` and `BaselineSnapshotResource` both keep global search disabled via `$isGloballySearchable = false`, so this slice adds no global-search exposure and no new view/edit requirement.
- **Destructive actions**: No destructive action is added or changed. The existing `Archive baseline profile` action already uses `->requiresConfirmation()` and remains on its current path.
- **Asset strategy**: No new assets are planned. Deployment expectations remain unchanged, including `cd apps/platform && php artisan filament:assets` only when future work introduces registered assets.
- **Testing plan**: Prove the slice with focused Pest feature coverage for baseline capture service/start surfaces, retained consumable happy-path success, compare landing readiness, snapshot-detail no-data truth, Monitoring run summaries, and the existing audit/terminal-notification contract for `baseline_capture`.
## UI / Surface Guardrail Plan
- **Guardrail scope**: changed surfaces
- **Native vs custom classification summary**: native
- **Shared-family relevance**: status messaging, header actions, run-detail explanations, audit-aligned summaries
- **State layers in scope**: page, detail
- **Handling modes by drift class or surface**: review-mandatory
- **Repository-signal treatment**: review-mandatory
- **Special surface test profiles**: `standard-native-filament`, `monitoring-state-page`
- **Required tests or manual smoke**: `functional-core`, `state-contract`
- **Exception path and spread control**: none planned; any unavoidable message deviation must stay bounded to the existing baseline shared presenter/translator path
- **Active feature PR close-out entry**: `Guardrail`
## Shared Pattern & System Fit
- **Cross-cutting feature marker**: yes
- **Systems touched**: baseline capture start surfaces, compare availability/readiness surfaces, baseline snapshot truth presentation, Monitoring run detail, audit prose, canonical reason translation
- **Shared abstractions reused**: `BaselineReasonCodes`, `BaselineCompareStats`, `ReasonTranslator`, `OperationRunService`, `OperationUxPresenter`, `GovernanceRunDiagnosticSummaryBuilder`, `OperatorExplanationBuilder`
- **New abstraction introduced? why?**: none planned. If inventory-eligibility logic needs reuse across start-time and runtime recheck, keep it as a narrow `BaselineCaptureService`-owned method or tiny baseline-local helper rather than a new registry/resolver layer.
- **Why the existing abstraction was sufficient or insufficient**: Existing abstractions are sufficient for translation, explanation, and compare-readiness messaging. The current gap is that capture eligibility and no-data truth do not yet feed those shared paths consistently.
- **Bounded deviation / spread control**: none
## Constitution Check
*GATE: Passed before Phase 0 research. Re-check after Phase 1 design: still passed with no new persistence, no new UI framework, and no auth-plane drift.*
| Gate | Status | Plan Notes |
|------|--------|------------|
| Inventory-first / read-write separation | PASS | The slice makes capture depend on the latest credible inventory truth and does not introduce any new Graph write or preview path. |
| RBAC, workspace isolation, tenant isolation | PASS | No new routes or capabilities are introduced; existing `/admin`, `/admin/t/{tenant}`, and canonical Monitoring entitlement rules remain authoritative. |
| Run observability / Ops-UX lifecycle | PASS | Existing `baseline_capture` `OperationRun` remains the queued-work truth. Known start-surface preconditions may still short-circuit with no run, while queued runtime rechecks will resolve through `OperationRunService` only. |
| Shared pattern first | PASS | The plan extends existing reason translation and run-summary builders instead of adding page-local message trees. |
| Proportionality / no premature abstraction | PASS | No new persistence or subsystem is planned. The only structural addition is a bounded extension of existing capture reason codes plus reuse of current services/presenters. |
| Persisted truth / behavioral state | PASS | No new table or snapshot lifecycle state is added. No-data capture uses existing snapshot lifecycle/usability semantics if an artifact row is kept. |
| Badge semantics / Filament-native discipline | PASS | Existing badge/outcome semantics remain centralized; touched surfaces stay on native Filament actions and shared presenters. |
| Filament v5 / Livewire v4 contract | PASS | Provider registration, global-search posture, and destructive-action discipline remain unchanged and compliant. |
| Test governance | PASS | Proof stays in focused baseline and Monitoring feature lanes without heavy-governance or browser expansion. |
## Test Governance Check
- **Test purpose / classification by changed surface**: `Feature` for service/start-surface, compare-readiness, retained consumable success, snapshot-detail truth, and Monitoring truth
- **Affected validation lanes**: `fast-feedback`, `confidence`
- **Why this lane mix is the narrowest sufficient proof**: The business truth lives in existing capture execution, existing Filament surfaces, and existing Monitoring detail. Focused feature tests prove the slice end-to-end without widening into browser or heavy-governance families.
- **Narrowest proving command(s)**:
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineCaptureTest.php`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php tests/Feature/Monitoring/AuditCoverageGovernanceTest.php tests/Feature/Notifications/OperationRunNotificationTest.php`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineSnapshotBackfillTest.php` only if legacy empty-snapshot classification changes prove necessary during implementation
- **Fixture / helper / factory / seed / context cost risks**: Moderate. The slice needs explicit inventory-run outcome fixtures (`no inventory`, `blocked`, `failed`, `unusable coverage`, `after-enqueue drift to non-credible`, `credible but zero subjects`, `previous complete snapshot still current`) and must keep those scenarios opt-in rather than adding new default helpers.
- **Expensive defaults or shared helper growth introduced?**: No. New inventory eligibility scenarios should stay local to baseline capture tests.
- **Heavy-family additions, promotions, or visibility changes**: none
- **Surface-class relief / special coverage rule**: `standard-native relief` for profile/compare surfaces, `monitoring-state-page` for run-detail explanation assertions
- **Closing validation and reviewer handoff**: Reviewers should verify that no test still encodes empty capture as unconditional success, that unusable coverage and after-enqueue prerequisite drift are proved explicitly, that `active_snapshot_id` never advances on blocked/zero-subject capture paths, that compare landing still derives readiness from consumable baseline truth, that snapshot detail distinguishes no-data evidence from current baseline truth, and that Monitoring, audit prose, and terminal notification copy lead with the same dominant cause before diagnostics.
- **Budget / baseline / trend follow-up**: none expected beyond a small increase in baseline and Monitoring feature assertions
- **Review-stop questions**: Did any new helper start hiding expensive inventory/run setup? Did the plan accidentally widen into compare-engine or generic artifact-state work? Did any runtime branch bypass `OperationRunService`? Did any surface add local copy that duplicates the shared reason/summary path?
- **Escalation path**: `document-in-feature` unless legacy empty-snapshot backfill proves structurally necessary, in which case reassess inside this feature before widening further
- **Active feature PR close-out entry**: `Guardrail`
- **Why no dedicated follow-up spec is needed**: The slice is a bounded hardening change on one existing workflow and one existing operator truth family. Only a forced legacy-row reclassification problem would justify widening further.
## Project Structure
### Documentation (this feature)
```text
specs/235-baseline-capture-truth/
├── spec.md
├── plan.md
├── research.md
├── data-model.md
├── quickstart.md
├── checklists/
│ └── requirements.md
└── tasks.md
```
No contracts artifact is planned because this feature changes no external API, route contract, or standalone logical interaction contract.
### Source Code (repository root)
```text
apps/platform/
├── app/
│ ├── Filament/
│ │ ├── Pages/
│ │ │ └── BaselineCompareLanding.php
│ │ └── Resources/
│ │ ├── BaselineSnapshotResource/
│ │ │ └── Pages/
│ │ │ └── ViewBaselineSnapshot.php
│ │ └── BaselineProfileResource/
│ │ └── Pages/
│ │ └── ViewBaselineProfile.php
│ ├── Jobs/
│ │ └── CaptureBaselineSnapshotJob.php
│ ├── Models/
│ │ ├── BaselineProfile.php
│ │ └── BaselineSnapshot.php
│ ├── Notifications/
│ │ └── OperationRunCompleted.php
│ ├── Services/
│ │ ├── OperationRunService.php
│ │ └── Baselines/
│ │ └── BaselineCaptureService.php
│ └── Support/
│ ├── Baselines/
│ │ ├── BaselineCompareStats.php
│ │ └── BaselineReasonCodes.php
│ ├── OpsUx/
│ │ ├── GovernanceRunDiagnosticSummaryBuilder.php
│ │ └── OperationUxPresenter.php
│ ├── ReasonTranslation/
│ │ └── ReasonTranslator.php
│ └── Ui/
│ └── OperatorExplanation/
│ └── OperatorExplanationBuilder.php
└── tests/
├── Feature/
│ ├── Authorization/
│ │ └── OperatorExplanationSurfaceAuthorizationTest.php
│ ├── Baselines/
│ │ ├── BaselineCaptureTest.php
│ │ └── BaselineSnapshotBackfillTest.php
│ ├── Filament/
│ │ ├── BaselineCaptureResultExplanationSurfaceTest.php
│ │ ├── BaselineCompareLandingStartSurfaceTest.php
│ │ ├── BaselineProfileCaptureStartSurfaceTest.php
│ │ └── OperationRunBaselineTruthSurfaceTest.php
│ ├── Notifications/
│ │ └── OperationRunNotificationTest.php
│ └── Monitoring/
│ ├── AuditCoverageGovernanceTest.php
│ └── GovernanceOperationRunSummariesTest.php
```
**Structure Decision**: Keep the work entirely inside the existing Laravel runtime in `apps/platform`. The slice changes one existing queued workflow, two existing Filament start surfaces, one immutable snapshot detail surface, shared compare-readiness and explanation helpers, the existing audit/notification composition path, and focused regression families. No new module or subsystem is introduced.
## Complexity Tracking
No constitutional violation is planned. No complexity exception is currently required.
| Violation | Why Needed | Simpler Alternative Rejected Because |
|-----------|------------|-------------------------------------|
| — | — | — |
## Proportionality Review
- **Current operator problem**: Baseline capture can report success even when no trustworthy baseline exists, which directly misleads operators and auditors.
- **Existing structure is insufficient because**: `BaselineCaptureService` currently validates only profile/tenant/scope preconditions, and `CaptureBaselineSnapshotJob` promotes `active_snapshot_id` whenever a consumable snapshot exists or can be reused, including all-zero paths that are not decision-grade.
- **Narrowest correct implementation**: Extend the existing capture reason-code family, reuse the existing snapshot lifecycle/usability model, add one shared inventory-eligibility evaluation path for start-time and runtime recheck, and adapt existing translator/stats/run-summary surfaces.
- **Ownership cost created**: A few new reason-code translations, one extra eligibility branch in capture service/job, a small amount of extra run-context metadata, and focused regression fixtures for inventory-run truth.
- **Alternative intentionally rejected**: A generic artifact-no-data framework or stale-inventory fallback. The first imports too much structure; the second would preserve false reassurance.
- **Release truth**: current-release truth
## Phase 0 Research Summary
- `BaselineCaptureService` is the current start-time gate and can reject capture without creating an `OperationRun`; it is the right place for latest-inventory eligibility preflight.
- `CaptureBaselineSnapshotJob` currently updates `active_snapshot_id` whenever the resulting snapshot is consumable and currently treats `expected_items === 0` as a valid complete capture. That is the concrete root of the false-green/no-data promotion problem.
- `BaselineReasonCodes`, `ReasonTranslator`, `BaselineCompareStats`, and `GovernanceRunDiagnosticSummaryBuilder` already centralize the operator language for baseline truth and Monitoring explanations; they are the right shared paths to extend.
- `BaselineProfile::resolveCurrentConsumableSnapshot()` already falls back to the latest complete snapshot when `active_snapshot_id` is unusable, so preserving the previous trustworthy baseline is already supported if the capture path stops advancing `active_snapshot_id` incorrectly.
- `OperationRunOutcome::PartiallySucceeded` already exists and is already rendered consistently across Ops UX, badges, and Monitoring; no new run-outcome family is needed.
- Legacy empty-snapshot backfill currently classifies proven empty captures as `complete`. The mainline plan does not widen into migration/backfill unless implementation proves that historical empty snapshots still act as current truth in active runtime paths.
## Phase 1 Design Summary
- `research.md` records the product and architectural decisions: strict latest-inventory truth, no stale fallback, no new snapshot state, and reuse of shared reason/summary infrastructure.
- `data-model.md` documents the touched existing truths: `BaselineProfile.active_snapshot_id`, `BaselineSnapshot.lifecycle_state` plus completion metadata, and `OperationRun.context` keys for inventory eligibility and current-baseline-change effect.
- `quickstart.md` gives the narrow validation order for service preflight, queued runtime recheck, no-data capture, compare-readiness truth, snapshot-detail truth, Monitoring explanation, and audit/notification alignment.
- No contracts artifact is planned because this slice changes no external API or logical interaction contract.
## Phase 1 — Agent Context Update
Run after artifact generation:
- `.specify/scripts/bash/update-agent-context.sh copilot`
## Implementation Strategy
### Phase A — Extend capture eligibility around the latest credible inventory run
**Goal**: Make capture start and queued execution agree on whether the latest relevant inventory basis is trustworthy enough to build a baseline.
| Step | File | Change |
|------|------|--------|
| A.1 | `apps/platform/app/Support/Baselines/BaselineReasonCodes.php` | Add the bounded capture reason codes for missing latest inventory, blocked latest inventory, failed latest inventory, unusable coverage, and zero-subject outcome. Keep them in the existing reason-code family. |
| A.2 | `apps/platform/app/Services/Baselines/BaselineCaptureService.php` | Extend `validatePreconditions()` with a reusable latest-inventory eligibility decision that inspects the most recent relevant inventory sync and returns the new capture reason codes without creating an `OperationRun` when the block is already known at start time. |
| A.3 | `apps/platform/app/Support/ReasonTranslation/ReasonTranslator.php` | Add operator-safe translations and next steps for the new baseline-capture reason codes so profile/start-surface, Monitoring, and audit-aligned prose stay consistent. |
| A.4 | `apps/platform/app/Jobs/CaptureBaselineSnapshotJob.php` | Re-check the same eligibility after the run starts, so prerequisite drift between page load and execution resolves through `OperationRunService` with `completed + blocked` rather than a false green run. |
### Phase B — Stop no-data captures from becoming current baseline truth
**Goal**: Treat zero-subject capture as real audit evidence with follow-up, not as a trustworthy baseline refresh, and keep compare readiness anchored to the same consumable-truth contract.
| Step | File | Change |
|------|------|--------|
| B.1 | `apps/platform/app/Jobs/CaptureBaselineSnapshotJob.php` | Split the zero-subject path from the normal consumable-snapshot path before any existing consumable snapshot is reused or `active_snapshot_id` is advanced. |
| B.2 | `apps/platform/app/Jobs/CaptureBaselineSnapshotJob.php` | Map zero-subject capture to `OperationRunOutcome::PartiallySucceeded`, record the new reason code in run context, keep numeric `summary_counts`, record `baseline_capture.subjects_total`, record `result.snapshot_lifecycle` when an artifact exists, and record whether current baseline truth changed. |
| B.3 | `apps/platform/app/Models/BaselineSnapshot.php` and job call sites | Reuse the existing lifecycle/usability model if a no-data artifact row is retained: mark it non-consumable via existing incomplete semantics and store the finalization reason in `completion_meta_jsonb` rather than introducing a new snapshot state. |
| B.4 | `apps/platform/app/Models/BaselineProfile.php` and job promotion path | Preserve the previously consumable snapshot by ensuring `active_snapshot_id` is updated only when the new capture result is actually consumable. |
| B.5 | `apps/platform/app/Filament/Resources/BaselineSnapshotResource/Pages/ViewBaselineSnapshot.php` and `apps/platform/app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php` | Distinguish current trustworthy baseline truth from no-data evidence on snapshot and profile detail surfaces so operators do not read a zero-subject artifact as a normal refresh. |
| B.6 | `apps/platform/app/Support/Baselines/BaselineCompareStats.php` | Extend compare-readiness and missing-snapshot guidance so compare landing and profile-level compare affordances can explain why compare is unavailable after a blocked, failed, or zero-subject capture without inferring success from snapshot existence or the latest run alone. |
| B.7 | `apps/platform/app/Filament/Pages/BaselineCompareLanding.php` | Keep compare availability derived from consumable baseline truth and show the updated explanation-first guidance when the latest capture failed, drifted to a non-credible prerequisite, or produced no usable baseline. |
### Phase C — Align Monitoring explanation and shared audit/notification copy with the hardened capture truth
**Goal**: Make Monitoring and the existing completion summary path speak the same truthful baseline-capture language as the hardened capture and compare-readiness surfaces.
| Step | File | Change |
|------|------|--------|
| C.1 | `apps/platform/app/Support/OpsUx/GovernanceRunDiagnosticSummaryBuilder.php` | Teach baseline-capture summaries to distinguish blocked latest-inventory prerequisites, after-enqueue prerequisite drift, and zero-subject no-data captures from normal success before diagnostics are shown. |
| C.2 | `apps/platform/app/Support/OpsUx/OperationUxPresenter.php`, `apps/platform/app/Support/Ui/OperatorExplanation/OperatorExplanationBuilder.php`, and `apps/platform/app/Notifications/OperationRunCompleted.php` | Keep Monitoring, audit prose, and terminal notification copy aligned to the same dominant baseline-capture reason, whether current baseline truth changed, and initiator-aware notification rules. |
### Phase D — Audit, test, and edge-condition follow-through
**Goal**: Lock the hardened truth into the existing regression families and keep historical edge cases explicit.
| Step | File | Change |
|------|------|--------|
| D.1 | `apps/platform/tests/Feature/Baselines/BaselineCaptureTest.php` | Replace the implicit “empty capture succeeds” assumption with explicit coverage for no inventory, blocked inventory, failed inventory, unusable coverage, after-enqueue prerequisite drift, zero subjects, and previous snapshot preservation. |
| D.2 | `apps/platform/tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php`, `apps/platform/tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php`, `apps/platform/tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php` | Prove capture preflight messaging, compare readiness, snapshot-detail no-data truth, and no-data explanation on the affected Filament surfaces. |
| D.3 | `apps/platform/tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php`, `apps/platform/tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php`, `apps/platform/tests/Feature/Monitoring/AuditCoverageGovernanceTest.php`, and `apps/platform/tests/Feature/Notifications/OperationRunNotificationTest.php` | Prove Monitoring detail separates blocked/no-data capture truth from raw counts and generic success wording, and that audit summary plus terminal notification copy preserve the same dominant reason with initiator-aware delivery rules. |
| D.4 | `apps/platform/tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php` | Keep the authorized happy-path surface access proof explicit and preserve 404 vs 403 semantics on the touched explanation-first surfaces. |
| D.5 | `apps/platform/tests/Feature/Baselines/BaselineSnapshotBackfillTest.php` | Only if implementation proves legacy empty snapshots still participate in active runtime truth, adjust the legacy classification rule and regression accordingly inside this feature instead of adding a second follow-up spec. |
## Risks and Mitigations
- **Local copy drift on capture surfaces**: Existing Filament actions currently branch on reason code locally. Mitigation: converge on `ReasonTranslator` instead of adding more local message cases.
- **Zero-subject path still reuses a historical empty complete snapshot**: Current job flow can reuse an existing consumable snapshot before creating a new one. Mitigation: short-circuit zero-subject handling before `findExistingConsumableSnapshot()` or any `active_snapshot_id` promotion logic can make it authoritative.
- **Queued runtime recheck bypasses Ops-UX rules**: It is easy to update context only and forget terminal run outcome. Mitigation: all blocked/partial terminal states remain service-owned through `OperationRunService` and keep numeric summary counts.
- **Legacy empty backfill broadens the slice unexpectedly**: Historical classification may need adjustment if runtime truth still depends on it. Mitigation: treat it as a conditional step inside this feature, only if a focused regression proves it is necessary.
## Post-Design Re-check
The package remains constitution-compliant, Livewire v4 / Filament v5 compliant, and narrow. It introduces no new persistence, no new UI framework, no new auth plane, and no new operation type. It reuses the existing baseline snapshot lifecycle/usability truth and the existing shared reason/Monitoring explanation paths, and the generated implementation artifacts are aligned for execution.
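Review bot: Step A.2 lets `validatePreconditions()` return the new reason codes "without creating an `OperationRun`", and the run-observability row of the Constitution Check confirms that start-surface preconditions "may still short-circuit with no run", but the visible plan never says whether a rejected start attempt leaves any audit record. Phases C and D only align audit prose for runs that exist, so please state explicitly whether a preflight block is audited (actor, profile, reason code) or is intentionally UI-only, and add the matching assertion to D.1 or D.2. A smaller point: `standard-native relief` in the Test Governance Check does not match the `standard-native-filament` label used in the quickstart close-out record; pick one spelling.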

@ -0,0 +1,164 @@
# Quickstart: Baseline Capture Truthful Outcomes and Upstream Guardrails
## Purpose
Validate that baseline capture no longer reports green success when the upstream inventory basis is not credible or when the capture finds zero in-scope subjects, confirm that the previous consumable baseline remains the effective compare anchor until a new consumable snapshot exists, and verify that Monitoring, audit prose, and terminal notification copy stay aligned to the same dominant truth.
## Preconditions
1. Sail services are running.
2. The workspace has a tenant, baseline profile, and inventory fixtures available for the targeted tests.
3. Baseline resources remain Filament v5 / Livewire v4 surfaces; no extra asset build is expected beyond standard PHP/test tooling.
## Validation Flow
### 1. Start-surface preflight blocks non-credible inventory truth
**Goal**: Known upstream problems are rejected before enqueue and use the shared reason-code family.
Check:
- No latest relevant inventory sync exists.
- Latest relevant inventory sync is blocked or failed.
- Latest relevant inventory sync exists but does not provide usable in-scope coverage.
Expected result:
- Capture does not enqueue a run.
- The start surface shows the shared translated baseline-capture reason.
- No success wording appears.
## 2. Runtime recheck blocks prerequisite drift after enqueue
**Goal**: If the latest relevant inventory state changes after page load or after enqueue, the queued run still resolves truthfully.
Check:
- Enqueue capture with a credible latest inventory basis.
- Change the latest relevant inventory run to a blocked/failed/unusable-coverage/non-credible state before the job evaluates subjects.
Expected result:
- The run ends as `completed + blocked`.
- Monitoring and run-detail explanation lead with the upstream inventory reason.
- No snapshot becomes the current consumable baseline.
## 3. Consumable capture still produces succeeded baseline truth
**Goal**: A clean capture with at least one resolved in-scope subject still succeeds and advances effective baseline truth.
Check:
- Use a credible latest inventory run whose effective in-scope subject count is greater than zero.
- Ensure the capture completes without warning conditions that would intentionally downgrade the run to `partially_succeeded`.
Expected result:
- The run ends as `completed + succeeded`.
- A consumable snapshot is produced or reused consistently with the current truth contract.
- `BaselineProfile.active_snapshot_id` remains anchored to the consumable current snapshot after the run, whether that required a new pointer update or reuse of the already-current consumable snapshot.
- Run context and audit summary preserve the same metadata contract for success, including the eligibility decision, upstream inventory reference, and whether current baseline truth changed.
## 4. Zero-subject capture produces no-data truth, not a green refresh
**Goal**: A capture with zero in-scope subjects remains visible but cannot silently refresh current baseline truth.
Check:
- Use a credible latest inventory run whose effective in-scope subject count is zero.
Expected result:
- The run ends as `completed + partially_succeeded`.
- The dominant reason is the zero-subject/no-data capture code.
- Any retained snapshot artifact is non-consumable.
- `BaselineProfile.active_snapshot_id` remains on the previous consumable snapshot.
## 5. Compare readiness stays anchored to consumable baseline truth
**Goal**: Compare surfaces must reflect whether a usable baseline actually exists, not whether a capture was merely attempted.
Check:
- Trigger a blocked capture after a previously successful baseline exists.
- Trigger a zero-subject capture after a previously successful baseline exists.
- Trigger a blocked or zero-subject capture when no previous consumable baseline exists.
Expected result:
- With a previous consumable baseline, compare remains available against that prior truth and explains that the latest capture did not refresh baseline truth.
- The profile-level compare affordance reflects the same truthful availability state and guidance as compare landing.
- Without any consumable baseline, compare remains unavailable and explains why.
## 6. Monitoring summary stays explanation-first
**Goal**: Operators should immediately see whether the run was blocked upstream or completed with no usable baseline.
Check:
- Open the run detail for a blocked latest-inventory capture.
- Open the run detail for a failed latest-inventory capture.
- Open the run detail for a zero-subject capture.
Expected result:
- The summary headline differentiates blocked upstream prerequisites, failed latest inventory, and no-data capture.
- Raw numeric counts remain secondary diagnostics.
## 7. Audit prose and terminal notification stay aligned with run truth
**Goal**: Interactive runs, initiator-null runs, and audit coverage must preserve the same dominant baseline-capture reason without introducing notification drift.
Check:
- Complete an interactive blocked baseline-capture run and inspect the terminal `OperationRunCompleted` payload.
- Complete an interactive zero-subject baseline-capture run and inspect the terminal `OperationRunCompleted` payload.
- Complete an initiator-null or scheduled baseline-capture run with blocked or no-data truth.
- Inspect the governance audit coverage surface or assertions for the same runs.
Expected result:
- Interactive terminal notifications use the same dominant blocked or no-data reason vocabulary as Monitoring.
- Initiator-null runs emit no terminal DB notification while preserving Monitoring and audit truth.
- Audit prose records the same dominant cause and whether current baseline truth changed.
## Commands
Run the narrowest proof set from repository root:
```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineCaptureTest.php
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php tests/Feature/Monitoring/AuditCoverageGovernanceTest.php tests/Feature/Notifications/OperationRunNotificationTest.php tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php
```
Run the legacy edge check only if implementation touches historical empty-snapshot classification:
```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineSnapshotBackfillTest.php
```
## Manual Smoke Focus
If a manual UI check is needed after automated proof:
1. Open a baseline profile detail page and verify the capture header action shows the translated upstream block when inventory truth is not credible.
2. Open compare landing after a zero-subject capture and verify it explains whether the prior consumable baseline still anchors compare availability.
3. Open the Monitoring run detail and verify the headline distinguishes upstream block from no-data capture before showing counts.
4. Verify an interactive run shows aligned terminal notification wording, while an initiator-null run leaves notification delivery suppressed and keeps Monitoring as the audit surface.
## Close-out Record
Record the feature close-out outcome here and mirror it into the active PR description:
1. `Guardrail` status for the changed native Filament surfaces.
2. Whether `standard-native-filament` and `monitoring-state-page` coverage both ran successfully.
3. Whether `T022` stayed `document-in-feature` or required a follow-up for legacy empty-snapshot behavior.
### Recorded Outcome
- `Guardrail`: pass
- `standard-native-filament`: pass
- `monitoring-state-page`: pass
- `T022`: implemented in feature; legacy empty complete snapshots are now backfilled as incomplete no-data captures with `baseline.capture.zero_subjects`
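Review bot: In step 2 the expected result "No snapshot becomes the current consumable baseline." is ambiguous about an existing pointer: it does not say that `BaselineProfile.active_snapshot_id` stays on the previous consumable snapshot, which step 4 states for the zero-subject path and research Decision 4 requires for blocked captures as well. Reword it to match step 4 so that a run which clears the pointer cannot pass this check. Separately, steps 2 to 7 are headed with `##` while step 1 uses `###`, so they fall outside the `## Validation Flow` section; use `###` for all seven.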

@ -0,0 +1,55 @@
# Research: Baseline Capture Truthful Outcomes and Upstream Guardrails
## Decision 1: The latest relevant inventory sync is the only authoritative upstream basis for baseline capture
- **Decision**: Evaluate baseline-capture eligibility against the latest relevant inventory sync outcome and coverage. Do not fall back to an older successful run when the latest relevant run is missing, blocked, failed, or otherwise not credible.
- **Rationale**: The operator problem is false reassurance. Any stale-success fallback would preserve the exact failure mode this feature is meant to remove.
- **Alternatives considered**:
- Use the most recent successful inventory sync even if a newer one failed. Rejected because it hides current upstream truth.
- Allow capture to proceed and only warn later. Rejected because a green run can still be interpreted as a trustworthy baseline refresh.
## Decision 2: Reuse the existing baseline reason-code family and shared translator path
- **Decision**: Add the new blocked/no-data reasons to `BaselineReasonCodes` and translate them through `ReasonTranslator` instead of introducing surface-local message trees.
- **Rationale**: The same reasons must be understood on start surfaces, compare-readiness surfaces, Monitoring summaries, and audit-aligned explanations. A single translator path keeps those surfaces coherent.
- **Alternatives considered**:
- Keep separate copy in each Filament page. Rejected because wording and operator guidance would drift immediately.
- Create a brand-new presenter family for baseline capture. Rejected because the existing translator and Ops UX summary builders already cover this responsibility.
## Decision 3: Zero-subject capture is a truthful no-data outcome, not a successful baseline refresh
- **Decision**: When capture finds zero in-scope subjects, complete the run as `partially_succeeded`, record a dedicated no-data reason code, and ensure any persisted snapshot artifact remains non-consumable by reusing existing incomplete lifecycle semantics.
- **Rationale**: Zero captured subjects is real evidence, but it does not produce a trustworthy baseline for compare and must not be represented as a successful refresh.
- **Alternatives considered**:
- Keep zero-subject capture as `succeeded`. Rejected because it produces a false-green operator signal.
- Add a new `no_data` snapshot lifecycle state. Rejected because existing incomplete/non-consumable semantics already express the required truth without widening the state model.
## Decision 4: Current baseline truth remains anchored to the last consumable snapshot
- **Decision**: Only advance `BaselineProfile.active_snapshot_id` when the new capture result is consumable. Blocked captures and zero-subject captures leave the previous consumable snapshot in place.
- **Rationale**: The product already has `BaselineProfile::resolveCurrentConsumableSnapshot()`. The narrowest correct hardening is to stop promoting non-truthful results rather than inventing a second pointer or state family.
- **Alternatives considered**:
- Store a second pointer for “latest attempted snapshot.” Rejected because the existing latest-attempt and run-detail paths already provide diagnostics.
- Clear `active_snapshot_id` on blocked or zero-subject capture. Rejected because it would discard previously trustworthy truth and make compare availability noisier than necessary.
## Decision 5: Monitoring and compare-readiness surfaces extend the existing shared explanation builders
- **Decision**: Drive dominant explanation text through `BaselineCompareStats` and `GovernanceRunDiagnosticSummaryBuilder`, with `ReasonTranslator` supplying the operator-safe wording.
- **Rationale**: These shared helpers already own the explanation-first contract for baseline truth and Monitoring. Extending them keeps the feature inside existing UX boundaries.
- **Alternatives considered**:
- Add special-case summaries directly in `ViewBaselineProfile` and `BaselineCompareLanding`. Rejected because those pages are consumers, not the source of truth.
- Push explanation logic into ad-hoc JSON context parsing per test/page. Rejected because it spreads behavior and makes regressions harder to prove.
## Decision 6: Legacy empty-snapshot backfill changes stay conditional
- **Decision**: Do not widen the feature into a migration or blanket backfill reclassification unless focused implementation evidence shows historical empty complete snapshots still participate in current runtime truth.
- **Rationale**: The spec explicitly scopes compatibility work out unless it is required. The current-release problem is the live capture path, not historical rows in the abstract.
- **Alternatives considered**:
- Immediately rewrite all historical empty snapshots. Rejected because it widens the feature without proof that runtime truth currently depends on it.
- Ignore the possibility completely. Rejected because the existing legacy backfill test demonstrates a concrete edge that may need adjustment if runtime truth reaches it.
## Resolved Clarifications
- No new table, external API contract, or operation type is required.
- `OperationRunOutcome::PartiallySucceeded` already exists and is the correct no-data outcome family.
- Filament global search remains out of scope because the relevant resources already disable it.
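Review bot: Decision 4 and Decision 6 leave a gap between them. Decision 4 keeps baseline truth on whatever `BaselineProfile::resolveCurrentConsumableSnapshot()` returns, while Decision 6 defers reclassifying historical empty complete snapshots, so a legacy zero-item snapshot that is already the `active_snapshot_id` could remain the "last consumable snapshot" that blocked and zero-subject captures now deliberately preserve. Suggest turning the Decision 6 condition into a concrete check, for example a test that a complete snapshot with zero items is never resolved as current consumable truth, and recording the result under Resolved Clarifications. Decision 4 should also state the case where no prior consumable snapshot exists, since "leave the previous consumable snapshot in place" does not say what the pointer and compare availability look like after a first capture that is blocked or resolves zero subjects.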

@ -0,0 +1,264 @@
# Feature Specification: Baseline Capture Truthful Outcomes and Upstream Guardrails
**Feature Branch**: `235-baseline-capture-truth`
**Created**: 2026-04-23
**Status**: Draft
**Input**: User description: "Baseline Capture Truthful Outcomes and Upstream Guardrails"
## Spec Candidate Check *(mandatory — SPEC-GATE-001)*
- **Problem**: Baseline capture can still present a green success path when no credible baseline was actually produced because the upstream inventory basis was unusable or because zero in-scope subjects resolved.
- **Today's failure**: Operators can read a completed baseline capture run, an all-zero summary, or an empty/reused artifact as if the baseline was successfully refreshed even when there is no trustworthy baseline to compare against.
- **User-visible improvement**: Capture start surfaces warn early, run detail states the real cause and next action first, and a failed or no-data capture no longer silently replaces the last trustworthy baseline.
- **Smallest enterprise-capable version**: Reuse the existing snapshot lifecycle/usability rules from Spec 159 and the existing governance run-summary path from Spec 220, then harden only inventory eligibility, capture outcome mapping, reason codes, and no-data artifact promotion rules for baseline capture.
- **Explicit non-goals**: No redesign of the whole `OperationRun` platform, no broad rewrite of inventory coverage semantics, no compare-engine redesign, no generic no-data framework for all operation types, no new artifact-lifecycle taxonomy, and no silent stale-inventory fallback.
- **Permanent complexity imported**: A bounded extension of existing `BaselineReasonCodes`, translation/presenter mappings for baseline capture truth, a few targeted start-surface and run-detail states, and focused regression coverage.
- **Why now**: This is a near-term governance hardening item and a direct trust gap in one of TenantPilot's core promises: a captured baseline must be meaningful and safe to reason about.
- **Why not local**: The failure crosses capture execution, capture preflight, snapshot promotion, compare availability, Monitoring run detail, and audit/notification translation. A local copy fix would leave the same false-green semantics active elsewhere.
- **Approval class**: Core Enterprise
- **Red flags triggered**: Cross-cutting status messaging; queued-work truth semantics; current-release operator trust on a core governance artifact. Defense: the slice stays narrow by reusing existing baseline snapshot and Ops UX primitives rather than inventing a new generic framework.
- **Score**: Nutzen: 2 | Dringlichkeit: 2 | Scope: 2 | Komplexität: 1 | Produktnähe: 2 | Wiederverwendung: 2 | **Gesamt: 11/12**
- **Decision**: approve
## Spec Scope Fields *(mandatory)*
- **Scope**: workspace
- **Primary Routes**: `/admin/baseline-profiles/{record}`, `/admin/baseline-snapshots/{record}`, `/admin/t/{tenant}/baseline-compare`, `/admin/operations/{run}`
- **Data Ownership**: workspace-owned `BaselineProfile` and `BaselineSnapshot` truth, tenant-scoped baseline capture and inventory `OperationRun` context, workspace audit entries
- **RBAC**: Existing workspace membership plus current baseline visibility/capture capability on `/admin`, tenant entitlement plus current compare capability on `/admin/t/{tenant}/...`, and existing Monitoring visibility plus tenant entitlement for tenant-bound run detail
## Cross-Cutting / Shared Pattern Reuse *(mandatory when the feature touches notifications, status messaging, action links, header actions, dashboard signals/cards, alerts, navigation entry points, evidence/report viewers, or any other existing shared operator interaction family; otherwise write `N/A - no shared interaction family touched`)*
- **Cross-cutting feature?**: yes
- **Interaction class(es)**: status messaging, header actions, run-detail explanations, audit prose, reason translation, terminal notification copy
- **Systems touched**: baseline capture start surfaces, baseline compare availability surfaces, snapshot-truth presentation, Monitoring run detail, audit summary text, canonical reason translation
- **Existing pattern(s) to extend**: existing `BaselineCompareStats` preflight reason-code path, existing snapshot lifecycle/usability contract from Spec 159, and the governance run-summary-first path from Spec 220
- **Shared contract / presenter / builder / renderer to reuse**: `App\Support\Baselines\BaselineReasonCodes`, `App\Support\Baselines\BaselineCompareStats`, `App\Services\OperationRunService`, `App\Support\OpsUx\OperationUxPresenter`, `App\Support\OpsUx\GovernanceRunDiagnosticSummaryBuilder`, `App\Support\Ui\OperatorExplanation\OperatorExplanationBuilder`, and the existing `ReasonTranslator`
- **Why the existing shared path is sufficient or insufficient**: The existing shared path already handles compare unavailability, centralized reason translation, and summary-first governance run explanations. The gap is baseline capture truthfulness, not the lack of a shared presentation path.
- **Allowed deviation and why**: none
- **Consistency impact**: The same reason code and operator message must mean the same thing on the profile view, compare landing, snapshot view, Monitoring run detail, audit summary, and any terminal notification derived from the run.
- **Review focus**: Verify that no page-local copy branch or ad-hoc status mapping appears outside the shared baseline reason/summary/explanation path.
## UI / Surface Guardrail Impact *(mandatory when operator-facing surfaces are changed; otherwise write `N/A`)*
| Surface / Change | Operator-facing surface change? | Native vs Custom | Shared-Family Relevance | State Layers Touched | Exception Needed? | Low-Impact / `N/A` Note |
|---|---|---|---|---|---|---|
| Baseline profile view capture truth and header actions | yes | Native Filament + shared baseline/Ops UX primitives | header actions, status messaging | page, header action, related detail | no | n/a |
| Baseline compare landing availability and guidance | yes | Native Filament + shared baseline stats | header actions, status messaging, navigation handoff | page, action, explanation | no | n/a |
| Baseline snapshot detail no-data artifact messaging | yes | Native Filament + shared truth presenters | status messaging, related navigation | detail, artifact truth | no | n/a |
| Monitoring run detail for baseline capture | yes | Native Filament + shared Ops UX presenters | status messaging, run summaries, audit-aligned explanation | detail, diagnostics | no | n/a |
## Decision-First Surface Role *(mandatory when operator-facing surfaces are changed)*
| Surface | Decision Role | Human-in-the-loop Moment | Immediately Visible for First Decision | On-Demand Detail / Evidence | Why This Is Primary or Why Not | Workflow Alignment | Attention-load Reduction |
|---|---|---|---|---|---|---|---|
| Baseline profile view capture truth and header actions | Secondary Context Surface | Decide whether a new capture is safe to start or whether the current trustworthy baseline should remain in place | Effective current baseline truth, latest capture truth, next safe action | Historical snapshots, raw run context, low-level capture gaps | Not primary because it is one profile's context page, not the tenant-wide decision queue | Follows baseline maintenance workflow | Removes the need to jump to Monitoring just to learn whether capture is safe |
| Baseline compare landing availability and guidance | Primary Decision Surface | Decide whether compare can run now or whether prerequisite work is required first | Assigned profile, consumable baseline truth, dominant block reason, next action | Compare matrix, related run detail, raw artifact history | Primary because it is the tenant-scoped decision entry for compare | Follows tenant baseline review workflow | Stops operators from opening matrix or Monitoring first to discover a prerequisite failure |
| Baseline snapshot detail no-data artifact messaging | Secondary Context Surface | Decide whether a captured artifact is trustworthy, historical, or only an audit trace | Lifecycle/usability, produced-run effect, whether the artifact can become current truth | Raw metadata, counts, related run diagnostics | Not primary because it explains an artifact after the operator chooses to inspect it | Follows artifact review after capture | Prevents operators from reading a zero-item artifact as a normal complete baseline |
| Monitoring run detail for baseline capture | Tertiary Evidence / Diagnostics Surface | Understand why the run did or did not produce a usable baseline after execution | Dominant cause, next step, effect on current baseline truth | Raw JSON, numeric counts, low-level inventory references | Not primary because it is investigation after a run exists | Follows Monitoring and audit review workflow | Keeps investigation focused by stating the real capture truth before raw diagnostics |
## UI/UX Surface Classification *(mandatory when operator-facing surfaces are changed)*
| Surface | Action Surface Class | Surface Type | Likely Next Operator Action | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type / Justification |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Baseline profile view capture truth and header actions | Detail / Record | View-first Resource | Capture baseline or keep current trustworthy snapshot | Header-led record view | n/a | Secondary safe actions in existing header grouping order | Existing archive action only, still on detail header with confirmation | `/admin/baseline-profiles` | `/admin/baseline-profiles/{record}` | Workspace context and related tenant assignment context | Baseline profiles / Baseline profile | Whether current baseline truth is still trustworthy and whether a new capture is safe | none |
| Baseline compare landing availability and guidance | Workflow / Start Surface | Explanation-first Action Landing | Run compare or fix the prerequisite first | Single-page workflow entry | forbidden | Pure navigation to compare matrix or related record stays secondary | none | `/admin/t/{tenant}/baseline-compare` | `/admin/t/{tenant}/baseline-compare` | Tenant chip, assigned profile, current baseline state | Baseline compare / Compare | Whether compare is safe to run now and why not if blocked | none |
| Baseline snapshot detail no-data artifact messaging | Detail / Record | Immutable Artifact Detail | Open related record or accept that the artifact is only historical/no-data evidence | Record detail page | required from list | Related-record links only | none | `/admin/baseline-snapshots` | `/admin/baseline-snapshots/{record}` | Workspace context, related profile, producing run | Baseline snapshots / Baseline snapshot | Whether the artifact is consumable current truth, historical, or only a no-data trace | Existing immutable-artifact exemption |
| Monitoring run detail for baseline capture | Detail / Diagnostics | Operation Run Detail | Open related baseline profile or rerun inventory/capture with the right prerequisite | Run detail page | n/a | Related artifact/navigation actions stay secondary | none | `/admin/operations` | `/admin/operations/{run}` | Workspace context plus tenant context when the run is tenant-bound | Operations / Operation run | Why the run did not produce a usable baseline and what effect it had on current baseline truth | Existing Monitoring diagnostics exemption |
## Operator Surface Contract *(mandatory when operator-facing surfaces are changed)*
| Surface | Primary Persona | Decision / Operator Action Supported | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| Baseline profile view capture truth and header actions | Workspace baseline manager | Decide whether to start a capture now | Detail / Record | Will a new capture produce a trustworthy baseline or should I fix prerequisites first? | Current effective snapshot truth, latest capture result, prerequisite summary, next step | Raw gap details, low-level inventory run metadata | execution outcome, artifact usability, lifecycle/history | Microsoft tenant + TenantPilot | Capture baseline; Compare now | Archive baseline profile |
| Baseline compare landing availability and guidance | Tenant operator | Decide whether compare can start now | Workflow / Start Surface | Can I trust the current baseline enough to compare this tenant right now? | Assigned profile, baseline availability, blocking reason or readiness message, next action | Compare matrix deep detail, raw run diagnostics | artifact usability, readiness, execution history | simulation only | Compare now; Open compare matrix | none |
| Baseline snapshot detail no-data artifact messaging | Workspace baseline manager | Decide whether a specific artifact can be trusted or safely ignored as historical/no-data evidence | Detail / Record | Is this snapshot a usable current baseline, a historical artifact, or a no-data trace? | Lifecycle/usability, producing run effect, current-vs-historical truth | Raw metadata, raw counts, low-level subject resolution detail | artifact usability, lifecycle/history | TenantPilot only | Open related record | none |
| Monitoring run detail for baseline capture | Workspace operator | Diagnose the real cause of a non-usable capture result | Detail / Diagnostics | Why did this capture not give me a trustworthy baseline? | Dominant reason, next step, whether current baseline changed | Raw JSON, low-level counts, internal IDs | execution outcome, readiness, artifact usability | read-only | Open related profile; Open related snapshot if present | none |
## Proportionality Review *(mandatory when structural complexity is introduced)*
- **New source of truth?**: no
- **New persisted entity/table/artifact?**: no
- **New abstraction?**: no
- **New enum/state/reason family?**: yes, a bounded extension of the existing baseline capture reason-code family
- **New cross-domain UI framework/taxonomy?**: no
- **Current operator problem**: A core governance workflow can report success without a trustworthy baseline, which directly misleads operators and auditors.
- **Existing structure is insufficient because**: The current shape checks capture completion too loosely and lets status/outcome, snapshot existence, and compare availability drift apart across start surfaces, Monitoring, and artifact truth.
- **Narrowest correct implementation**: Reuse existing `BaselineSnapshot` lifecycle/usability semantics and existing Ops UX summary/explanation builders, then add only the missing eligibility rules, reason codes, and promotion guardrails for baseline capture.
- **Ownership cost**: Small ongoing cost in one reason-code family, one translation path, a handful of presenter branches, and focused baseline/Monitoring regression tests.
- **Alternative intentionally rejected**: A page-local copy fix or a generic artifact-truth framework. The first would leave contradictory behavior active elsewhere; the second would import much more structure than the problem needs.
- **Release truth**: current-release truth
### Compatibility posture
This feature assumes a pre-production environment.
Backward compatibility, legacy aliases, migration shims, historical fixtures, and compatibility-specific tests remain out of scope unless implementation proves that one existing historical baseline-capture path must be backfilled deliberately.
Canonical replacement is preferred over preservation.
## Testing / Lane / Runtime Impact *(mandatory for runtime behavior changes)*
- **Test purpose / classification**: Feature
- **Validation lane(s)**: fast-feedback, confidence
- **Why this classification and these lanes are sufficient**: The change is proved by baseline capture outcome mapping, compare-start availability, and Monitoring run-detail truth on existing runtime paths. Focused feature coverage is the narrowest sufficient proof; no browser or heavy-governance lane is needed.
- **New or expanded test families**: Expand baseline capture service/start-surface coverage, compare availability coverage, Monitoring baseline-capture run-detail truth coverage, and one positive plus one negative authorization case on affected surfaces.
- **Fixture / helper cost impact**: Low-to-moderate. Tests can reuse current baseline/inventory fixtures but need explicit seeded inventory-run outcomes for no inventory, blocked inventory, failed inventory, valid-zero-subjects, and previous-good-snapshot preservation.
- **Heavy-family visibility / justification**: none
- **Special surface test profile**: mixed: standard-native-filament + monitoring-state-page
- **Standard-native relief or required special coverage**: Ordinary feature coverage is sufficient, but it must include both profile-level action surfaces and Monitoring run detail so explanation and promotion truth cannot drift apart.
- **Reviewer handoff**: Confirm that no test still encodes "empty capture succeeds", that the last trustworthy snapshot remains current after blocked/no-data capture paths, that Monitoring leads with the dominant explanation before raw JSON, and that 404 vs 403 behavior is preserved on the touched surfaces.
- **Budget / baseline / trend impact**: Low increase in baseline and Monitoring feature assertions only; no new heavy or browser baseline expected.
- **Escalation needed**: none
- **Active feature PR close-out entry**: Guardrail
- **Planned validation commands**:
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineCaptureTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php tests/Feature/Monitoring/AuditCoverageGovernanceTest.php tests/Feature/Notifications/OperationRunNotificationTest.php tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php`
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Block false-green capture starts (Priority: P1)
As a baseline manager, I need baseline capture to stop telling me it succeeded when there was no credible inventory basis to build from.
**Why this priority**: This is the core trust repair. If the feature does not eliminate false-green capture outcomes, the main problem remains.
**Independent Test**: Can be fully tested by seeding baseline profiles with no inventory run, blocked inventory run, and failed inventory run, then asserting that capture start/execution returns deterministic blocked truth and never advances effective baseline state.
**Acceptance Scenarios**:
1. **Given** an active baseline profile and no relevant inventory sync for the target tenant, **When** a baseline manager tries to capture a new baseline, **Then** the operator-facing result explains that inventory must run first, and the resulting truth never lands on `succeeded`.
2. **Given** an active baseline profile and the latest relevant inventory sync ended `blocked` or `failed`, **When** capture is started, **Then** the capture result is blocked with a baseline-capture-specific reason code, and the previously effective complete snapshot remains current baseline truth.
---
### User Story 2 - Keep no-data captures visible but non-authoritative (Priority: P2)
As a baseline manager, I need a zero-subject capture to be visible as an auditable event without being treated like a trustworthy current baseline.
**Why this priority**: Zero-subject captures are the sharpest form of silent false reassurance after bad upstream prerequisites.
**Independent Test**: Can be fully tested by capturing against valid inventory that resolves zero in-scope subjects and verifying partial success, no promotion of baseline truth, and no-data artifact messaging where an artifact exists.
**Acceptance Scenarios**:
1. **Given** a credible inventory basis but zero subjects in the effective baseline scope, **When** capture runs, **Then** the run ends `partially_succeeded` with a stable `zero_subjects` reason code and does not replace the current consumable snapshot.
2. **Given** a previous complete snapshot exists and a later capture resolves zero in-scope subjects, **When** operators inspect the profile, snapshot, or compare-start surface, **Then** the product still points to the earlier trustworthy snapshot as current baseline truth and renders the newer result only as no-data evidence.
---
### User Story 3 - Explain all-zero capture truth on Monitoring surfaces (Priority: P3)
As an operator reviewing capture history, I need Monitoring to tell me why a capture produced no usable baseline before showing raw counts or JSON.
**Why this priority**: Even with corrected outcomes, operators will still lose trust if Monitoring forces them to decode all-zero counts manually.
**Independent Test**: Can be fully tested by opening seeded baseline capture runs in Monitoring and asserting that the dominant cause and next step are visible before diagnostics.
**Acceptance Scenarios**:
1. **Given** a baseline capture run was blocked because the latest inventory sync failed, **When** an operator opens the Monitoring run detail page, **Then** the page leads with that blocked prerequisite and the next step before raw diagnostics.
2. **Given** a baseline capture run technically completed processing but resolved zero in-scope subjects, **When** an operator opens the Monitoring run detail page, **Then** the page states that no usable baseline was captured, explains the zero-subject result, and clarifies that current baseline truth was not advanced.
### Edge Cases
- The latest relevant inventory sync is blocked or failed, but an older successful inventory sync still exists. The system must not silently fall back to the older success in V1.
- A zero-subject capture may persist a snapshot row or related artifact for audit purposes. If it does, that artifact must remain non-consumable and visibly marked as no-data evidence.
- A blocked or no-data capture can occur while a prior complete snapshot is still current. Operator surfaces must show that the old trustworthy snapshot remains effective.
- A capture can be preflight-blocked on the start surface and still need the same protection at execution time if prerequisite state changes after page load.
- Scheduled or initiator-null capture runs must keep current Ops UX behavior: no terminal DB notification, Monitoring remains the audit surface, and the same dominant-cause explanation still applies.
## Requirements *(mandatory)*
**Constitution alignment (required):** This feature changes existing baseline capture runtime behavior and operator truth but introduces no new Microsoft Graph endpoint, no new `OperationRun` type, and no new contract-registry object family. Existing capture start actions stay confirmation-gated, execution remains auditable and observable, and tenant/workspace isolation remains unchanged.
**Constitution alignment (PROP-001 / ABSTR-001 / PERSIST-001 / STATE-001 / BLOAT-001):** This feature does not add new persistence or a new abstraction layer. It extends an existing reason-code family because the current baseline capture truth is too weak and because page-local messaging would duplicate semantics across profile, compare, snapshot, and Monitoring surfaces.
**Constitution alignment (XCUT-001):** This is a cross-cutting interaction slice. It must extend the existing baseline reason/translation/stats path and the existing Ops UX run-summary path. No page may introduce a parallel local explanation language for blocked or no-data baseline capture outcomes.
**Constitution alignment (TEST-GOV-001):** Proof stays in focused feature coverage for baseline capture service/start surfaces and Monitoring run detail. No new heavy-governance or browser coverage is required. New fixtures must remain explicit and scenario-driven rather than becoming default test setup.
**Constitution alignment (OPS-UX):** Existing `baseline_capture` runs continue to use the three-surface feedback contract: start-intent feedback, active progress surfaces, and one terminal DB notification for interactive runs. `OperationRun.status` and `OperationRun.outcome` remain service-owned via `OperationRunService`. `summary_counts` remain numeric-only and compliant with existing summary-count rules. Scheduled or initiator-null runs still skip terminal DB notification. Regression coverage must prove that blocked/no-data capture truth does not bypass service-owned transitions.
**Constitution alignment (RBAC-UX):** The affected planes are admin `/admin` for baseline profile/snapshot surfaces, tenant-context `/admin/t/{tenant}/baseline-compare` for compare availability, and canonical `/admin/operations/{run}` Monitoring for capture detail. Non-members or non-entitled tenant viewers continue to receive 404. Members lacking the required current capability continue to receive 403. Server-side enforcement remains authoritative on every touched action/start surface. No raw capability strings or role-name checks may be introduced.
**Constitution alignment (OPS-EX-AUTH-001):** No `/auth/*` behavior is added or broadened.
**Constitution alignment (BADGE-001):** Any changed availability or no-data wording must stay centralized through existing baseline reason/badge/presenter semantics rather than ad-hoc page mappings.
**Constitution alignment (UI-FIL-001):** The feature reuses existing native Filament header actions, detail sections, and shared presenters. No local replacement markup is introduced for badges, alerts, or status language.
**Constitution alignment (UI-NAMING-001):** Primary operator-facing language must stay baseline-domain specific and consistent across buttons, modals, Monitoring summaries, notifications, and audit prose: `Capture baseline`, `Compare now`, `Run tenant sync first`, `Latest inventory sync failed`, `No subjects were in scope`, and `No usable baseline was captured`.
**Constitution alignment (DECIDE-001):** This feature does not add a new primary surface. It hardens one existing primary decision surface (`BaselineCompareLanding`), two secondary context surfaces (profile/snapshot detail), and one tertiary diagnostics surface (Monitoring run detail) so the first decision is based on trustworthy baseline truth rather than inferred success.
**Constitution alignment (UI-CONST-001 / UI-SURF-001 / ACTSURF-001 / UI-HARD-001 / UI-EX-001 / UI-REVIEW-001 / HDR-001):** The action hierarchy stays unchanged. Navigation remains separate from mutation. Existing compare and capture header actions keep their current placement. No new action groups or destructive actions are introduced.
**Constitution alignment (ACTSURF-001 - action hierarchy):** Existing visible safe header actions remain meaningful and bounded: one capture action and one compare action stay peer visible actions, mode-specific full-content labels replace the default labels instead of adding extra peer actions, and additional safe actions stay grouped under `More`. No new mixed catch-all action groups are added.
**Constitution alignment (OPSURF-001):** The default-visible truth on touched surfaces must stay operator-first: current trustworthy baseline, dominant failure/no-data cause, next action, and effect on baseline truth before raw implementation detail.
**Constitution alignment (UI-SEM-001 / LAYER-001 / TEST-TRUTH-001):** The feature extends existing explanation layers because direct mapping from `status = completed` or zero counts to the UI is insufficient. It must not create a second artifact-truth source beside the existing snapshot lifecycle/usability contract.
**Constitution alignment (Filament Action Surfaces):** The Action Surface Contract remains satisfied. Each touched Filament surface keeps one primary inspect/open model, no redundant view actions are added, no empty `ActionGroup` placeholders are introduced, and destructive-action placement remains unchanged.
**Constitution alignment (UX-001 — Layout & Information Architecture):** Existing profile/snapshot view layouts and explanation-first workflow layouts remain in place. This feature changes explanation and availability truth, not overall screen layout.
### Functional Requirements
- **FR-235-001**: Baseline capture eligibility MUST evaluate the most recent relevant inventory sync for the same workspace and target tenant scope using terminal outcome and coverage usability, not `status = completed` alone.
- **FR-235-002**: The system MUST treat each of the following as non-credible capture prerequisites with deterministic baseline-capture reason codes in `BaselineReasonCodes`: no relevant inventory sync exists, the latest relevant inventory sync is `blocked`, the latest relevant inventory sync is `failed`, or the latest relevant inventory sync lacks usable coverage for baseline subject resolution.
- **FR-235-003**: Baseline capture start surfaces MUST preflight known non-credible inventory prerequisites and explain the block with the same reason-code family used at runtime. Server-side capture execution remains authoritative if prerequisite state changes after page load.
- **FR-235-004**: When baseline capture is attempted without a credible inventory basis, the resulting operator truth MUST never land on `succeeded`. The terminal capture truth MUST use a blocked prerequisite outcome with the matching baseline-capture reason code.
- **FR-235-005**: `Succeeded` MUST be reserved for capture runs that produce or reuse a consumable baseline snapshot backed by at least one resolved in-scope subject and that leave effective baseline truth anchored to that consumable snapshot.
- **FR-235-006**: When inventory is credible but zero in-scope subjects resolve, baseline capture MUST finish as `partially_succeeded` with a stable `baseline.capture.zero_subjects` reason code.
- **FR-235-007**: A zero-subject capture MUST NOT advance `active_snapshot_id` or any equivalent effective-baseline pointer. The previously effective complete snapshot, if one exists, remains current baseline truth.
- **FR-235-008**: If implementation persists a snapshot row or related artifact for a zero-subject capture, that artifact MUST reuse the existing snapshot lifecycle/usability contract, remain non-consumable by default, render as a no-data capture artifact on operator surfaces, and never become current baseline truth automatically.
- **FR-235-009**: Capture eligibility in V1 MUST NOT silently fall back to an older successful inventory sync when a newer relevant inventory sync is blocked, failed, or otherwise non-credible. Older successful inventory runs may be shown as historical context only.
- **FR-235-010**: Monitoring run detail for baseline capture MUST lead with one dominant operator-safe explanation and next action before raw JSON, low-level counts, or internal identifiers.
- **FR-235-011**: Baseline capture run context, summary, and audit prose MUST record the chosen eligibility decision, the upstream inventory run reference when present, the terminal baseline-capture reason code, and whether current baseline truth changed.
- **FR-235-012**: Existing baseline compare availability surfaces, including `BaselineCompareLanding` and profile-level compare affordances, MUST derive availability from effective consumable baseline truth after hardened capture outcomes, not from snapshot existence or latest capture completion alone.
- **FR-235-013**: The feature MUST keep copy and translation centralized by extending `BaselineReasonCodes`, `ReasonTranslator`, `BaselineCompareStats`, and the existing Ops UX summary/explanation path rather than adding page-local message branches.
- **FR-235-014**: Existing `Capture baseline` and `Capture baseline (full content)` actions MUST remain confirmation-gated, capability-enforced, and placed on their current surfaces. This feature changes truth and explanation only, not action topology.
- **FR-235-015**: Regression coverage MUST replace existing assumptions that an empty or all-zero baseline capture is a benign success and MUST cover no inventory, blocked inventory, failed inventory, zero-subject capture, and preservation of the previously trustworthy snapshot.
### Assumptions
- Existing snapshot lifecycle/usability semantics from Spec 159 remain the baseline artifact truth source.
- Existing governance run-summary/explanation primitives from Spec 220 remain the Monitoring explanation path.
- The product chooses strict truthful capture behavior in V1: no silent stale-inventory fallback.
- Zero-subject results may remain visible as audit evidence, but they do not become authoritative baseline truth.
### Dependencies and Related Specs
- Spec 159 (`baseline-snapshot-truth`) remains the source of truth for snapshot lifecycle/usability semantics.
- Spec 220 (`governance-run-summaries`) remains the shared Monitoring explanation path for dominant-cause run detail.
- Specs 116-119 remain the shipped baseline drift/cutover foundation that this spec hardens on the capture side.
- Existing baseline compare availability and reason translation paths remain in scope for reuse, not redesign.
## UI Action Matrix *(mandatory when Filament is changed)*
| Surface | Location | Header Actions | Inspect Affordance (List/Table) | Row Actions (max 2 visible) | Bulk Actions (grouped) | Empty-State CTA(s) | View Header Actions | Create/Edit Save+Cancel | Audit log? | Notes / Exemptions |
|---|---|---|---|---|---|---|---|---|---|---|
| Baseline profile view | `app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php` | One visible capture action (`Capture baseline` or `Capture baseline (full content)` depending on mode), one visible compare action (`Compare now` or `Compare now (full content)` depending on mode), plus secondary safe actions grouped under `More` | Existing list `recordUrl()` to view page | Existing `View` / `Edit` pattern unchanged | None | Existing create CTA unchanged on list | Same visible capture/compare actions plus existing related navigation and grouped secondary actions | Existing save/cancel unchanged | Yes | Capture/compare actions stay confirmation-gated and capability-enforced. Capture baseline remains the primary visible header action; Compare now remains a justified visible secondary safe action on this record page because the operator's same-context decision is whether to refresh baseline truth first or use the current trustworthy snapshot immediately. Mode-specific full-content labels replace the default labels rather than adding extra peer header actions. Existing archive action remains the only destructive action and still requires confirmation. |
| Baseline compare landing | `app/Filament/Pages/BaselineCompareLanding.php` | `Compare now`, `Compare now (full content)` | n/a | None | None | Existing `Open compare matrix` remains the single empty/blocked-state CTA where applicable | n/a | n/a | Yes, via compare run/audit | This feature changes readiness and blocking guidance only. The page remains the primary compare decision/start surface. |
| Baseline snapshot view | `app/Filament/Resources/BaselineSnapshotResource/Pages/ViewBaselineSnapshot.php` | None | Existing clickable list row | Existing related-record navigation only | None | None by design | Existing related-record actions only | n/a | No direct mutation audit | Immutable-resource exemption remains. This feature changes lifecycle/usability explanation for no-data artifacts only. |
| Monitoring run detail | Existing Monitoring run detail surface resolved through `OperationUxPresenter` | Existing related navigation only | n/a | n/a | n/a | n/a | Existing related navigation only | n/a | Yes | No new actions are introduced. The body must show the dominant baseline-capture truth before diagnostics. |
### Key Entities *(include if feature involves data)*
- **BaselineProfile**: The workspace-owned governance definition whose effective baseline truth must remain anchored to the last consumable snapshot.
- **BaselineSnapshot**: The captured baseline artifact whose existing lifecycle/usability semantics determine whether it can become current baseline truth.
- **Inventory Sync OperationRun**: The upstream tenant-scoped execution record whose credibility determines whether baseline capture may trust the current inventory basis.
- **Baseline Capture OperationRun**: The execution record that communicates blocked, partial, or successful capture truth to operators, Monitoring, audit, and notifications.
## Success Criteria *(mandatory)*
### Measurable Outcomes
- **SC-235-001**: In focused regression coverage, 100% of baseline-capture attempts without a credible inventory basis end without `succeeded` and expose a deterministic baseline-capture reason code.
- **SC-235-002**: In focused regression coverage, 100% of valid-zero-subject capture scenarios end `partially_succeeded`, do not advance effective baseline truth, and preserve the previously consumable snapshot when one exists.
- **SC-235-003**: On the default-visible baseline profile, compare landing, snapshot detail, and Monitoring run-detail surfaces touched by this feature, operators can identify the dominant cause and next step without opening raw diagnostics.
- **SC-235-004**: No automated test path or default-visible operator surface treats an all-zero baseline capture as an unconditional successful baseline refresh after this feature lands.
- **SC-235-005**: Compare availability remains aligned to effective consumable baseline truth after every covered blocked or no-data capture regression path.
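Review bot: FR-235-001 and FR-235-002 do not say what capture should do when the latest relevant inventory sync is still queued or running. FR-235-001 evaluates a terminal outcome and FR-235-002 lists only four non-credible cases (no sync, `blocked`, `failed`, unusable coverage), so an in-flight latest sync is unclassified. An implementation could skip it and evaluate the previous terminal run, which is the stale fallback FR-235-009 forbids. Suggest adding a fifth case with its own reason code, or stating explicitly that a non-terminal latest sync blocks capture. Related: FR-235-006 names `baseline.capture.zero_subjects`, but FR-235-002 leaves the four prerequisite codes unnamed; listing the exact strings here would give SC-235-001 stable values to assert on.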

@ -0,0 +1,231 @@
# Tasks: Baseline Capture Truthful Outcomes and Upstream Guardrails
**Input**: Design documents from `/specs/235-baseline-capture-truth/`
**Prerequisites**: `plan.md`, `spec.md`, `research.md`, `data-model.md`, `quickstart.md`
**Tests**: Required. This feature changes runtime behavior and operator truth on an existing queued workflow, so Pest coverage must be added or updated in `apps/platform/tests/Feature/Baselines/BaselineCaptureTest.php`, `apps/platform/tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php`, `apps/platform/tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php`, `apps/platform/tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php`, `apps/platform/tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php`, `apps/platform/tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php`, `apps/platform/tests/Feature/Monitoring/AuditCoverageGovernanceTest.php`, `apps/platform/tests/Feature/Notifications/OperationRunNotificationTest.php`, and `apps/platform/tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php`. `apps/platform/tests/Feature/Baselines/BaselineSnapshotBackfillTest.php` remains conditional and is only updated if implementation proves historical empty complete snapshots still affect current runtime truth.
**Operations**: Existing `baseline_capture` `OperationRun` remains canonical. Tasks below explicitly preserve the Ops-UX 3-surface feedback contract, keep `OperationRun.status` and `OperationRun.outcome` service-owned through `apps/platform/app/Services/OperationRunService.php`, keep `summary_counts` flat and numeric-only, avoid any queued/running DB notification drift, and preserve initiator-null Monitoring-only behavior for scheduled/system runs.
**RBAC**: No new authorization model is introduced, but the touched admin `/admin`, tenant-context `/admin/t/{tenant}/baseline-compare`, and Monitoring `/admin/operations/{run}` surfaces must preserve current capability enforcement and `404` versus `403` semantics through existing helpers and regression coverage in `apps/platform/tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php`.
**UI Naming**: Operator-facing copy must remain baseline-domain specific and centralized through `apps/platform/app/Support/ReasonTranslation/ReasonTranslator.php`, `apps/platform/app/Support/Baselines/BaselineCompareStats.php`, `apps/platform/app/Support/OpsUx/GovernanceRunDiagnosticSummaryBuilder.php`, `apps/platform/app/Support/OpsUx/OperationUxPresenter.php`, and `apps/platform/app/Support/Ui/OperatorExplanation/OperatorExplanationBuilder.php`. No task may introduce page-local copy branches for blocked or no-data baseline capture truth.
**Cross-Cutting Shared Pattern Reuse**: This is a shared interaction slice. Extend `apps/platform/app/Support/Baselines/BaselineReasonCodes.php`, `apps/platform/app/Support/ReasonTranslation/ReasonTranslator.php`, `apps/platform/app/Support/Baselines/BaselineCompareStats.php`, `apps/platform/app/Support/OpsUx/GovernanceRunDiagnosticSummaryBuilder.php`, `apps/platform/app/Support/OpsUx/OperationUxPresenter.php`, and `apps/platform/app/Support/Ui/OperatorExplanation/OperatorExplanationBuilder.php` before considering any local UI branching.
**UI / Surface Guardrails**: `review-mandatory` slice. Surfaces stay `native` Filament plus shared baseline/Ops UX primitives. Required coverage is `standard-native-filament` plus `monitoring-state-page`; no exception path is planned.
**Filament UI Action Surfaces**: No new Resource, Page, or destructive action is introduced. `apps/platform/app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php`, `apps/platform/app/Filament/Pages/BaselineCompareLanding.php`, and `apps/platform/app/Filament/Resources/BaselineSnapshotResource/Pages/ViewBaselineSnapshot.php` keep their current action topology, existing confirmation-gated capture actions, and current global-search-disabled posture.
**Badges**: No new badge domain or outcome family is introduced. Existing blocked and `partially_succeeded` semantics remain centralized through current outcome and Ops UX renderers; avoid ad-hoc badge/status mappings in Filament.
**Organization**: Tasks are grouped by user story so each slice stays independently testable. Recommended delivery order is `US1` then `US2` then `US3`, because zero-subject and Monitoring truth depend on the shared reason-code and run-context groundwork from the false-green capture fix.
## Test Governance Checklist
- [X] Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- [X] New or changed tests stay in the smallest honest family, and any heavy-governance or browser addition is explicit.
- [X] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; any widening is isolated or documented.
- [X] Planned validation commands cover the change without pulling in unrelated lane cost.
- [X] The declared surface test profile or `standard-native-filament` relief is explicit.
- [X] Any material budget, baseline, trend, or escalation note is recorded in the active spec or PR.
## Phase 1: Setup (Shared Anchors)
**Purpose**: Lock the implementation anchors and proving commands before touching runtime truth.
- [X] T001 [P] Verify the feature anchor inventory across `apps/platform/app/Services/Baselines/BaselineCaptureService.php`, `apps/platform/app/Jobs/CaptureBaselineSnapshotJob.php`, `apps/platform/app/Support/Baselines/BaselineReasonCodes.php`, `apps/platform/app/Support/ReasonTranslation/ReasonTranslator.php`, `apps/platform/app/Support/Baselines/BaselineCompareStats.php`, `apps/platform/app/Support/OpsUx/GovernanceRunDiagnosticSummaryBuilder.php`, `apps/platform/app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php`, `apps/platform/app/Filament/Pages/BaselineCompareLanding.php`, and `apps/platform/app/Filament/Resources/BaselineSnapshotResource/Pages/ViewBaselineSnapshot.php`
- [X] T002 [P] Verify the narrow proving commands, guardrail class, and validation-lane expectations in `specs/235-baseline-capture-truth/plan.md` and `specs/235-baseline-capture-truth/quickstart.md`
**Checkpoint**: Runtime anchors and proof commands are locked before implementation begins.
---
## Phase 2: Foundational (Blocking Truth Boundaries)
**Purpose**: Audit the shared boundaries that every story depends on so the implementation does not widen or drift into local fixes.
**CRITICAL**: No user story work should begin until this phase is complete.
- [X] T003 [P] Audit latest relevant inventory lookup, terminal-outcome interpretation, and no-stale-fallback boundaries in `apps/platform/app/Services/Baselines/BaselineCaptureService.php` and `apps/platform/app/Jobs/CaptureBaselineSnapshotJob.php`
- [X] T004 [P] Audit current baseline promotion and consumability boundaries in `apps/platform/app/Models/BaselineProfile.php`, `apps/platform/app/Models/BaselineSnapshot.php`, and `apps/platform/app/Jobs/CaptureBaselineSnapshotJob.php`
- [X] T005 [P] Audit shared explanation and copy consumers across `apps/platform/app/Support/Baselines/BaselineCompareStats.php`, `apps/platform/app/Support/ReasonTranslation/ReasonTranslator.php`, `apps/platform/app/Support/OpsUx/GovernanceRunDiagnosticSummaryBuilder.php`, `apps/platform/app/Support/OpsUx/OperationUxPresenter.php`, `apps/platform/app/Support/Ui/OperatorExplanation/OperatorExplanationBuilder.php`, `apps/platform/app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php`, `apps/platform/app/Filament/Pages/BaselineCompareLanding.php`, and `apps/platform/app/Filament/Resources/BaselineSnapshotResource/Pages/ViewBaselineSnapshot.php`
- [X] T006 [P] Audit existing `baseline_capture` run-truth enforcement in `apps/platform/app/Services/OperationRunService.php`, `apps/platform/tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php`, `apps/platform/tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php`, and `apps/platform/tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php` so service-owned transitions, numeric `summary_counts`, and `404` versus `403` expectations are explicit before story work begins
**Checkpoint**: The shared inventory, artifact-truth, Ops-UX, and auth boundaries are explicit and safe to extend.
---
## Phase 3: User Story 1 - Block False-Green Capture Starts (Priority: P1) 🎯 MVP
**Goal**: Prevent baseline capture from reporting success when the latest relevant inventory basis is missing, blocked, failed, or otherwise non-credible.
**Independent Test**: Seed no inventory, blocked latest inventory, failed latest inventory, unusable coverage, and after-enqueue drift scenarios, then prove capture start or execution never lands on `succeeded` and never advances effective baseline truth.
### Tests for User Story 1
- [X] T007 [P] [US1] Expand `apps/platform/tests/Feature/Baselines/BaselineCaptureTest.php` for no inventory, blocked latest inventory, failed latest inventory, unusable coverage, after-enqueue prerequisite drift, older-success-does-not-fallback, and clean consumable-success scenarios including the success-path run-context and audit metadata contract
- [X] T008 [P] [US1] Expand `apps/platform/tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php` for shared preflight blocking copy and preserved confirmation-gated capture action topology on `Capture baseline` and `Capture baseline (full content)` actions
- [X] T009 [P] [US1] Expand `apps/platform/tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php` to preserve the authorized happy-path access proof plus `404` versus `403` semantics on the profile capture explanation path and related Monitoring/detail surfaces touched by blocked prerequisite truth
### Implementation for User Story 1
- [X] T010 [P] [US1] Extend `apps/platform/app/Support/Baselines/BaselineReasonCodes.php` with deterministic capture-prerequisite reason codes for missing inventory, blocked inventory, failed inventory, unusable coverage, and `baseline.capture.zero_subjects`
- [X] T011 [P] [US1] Extend `apps/platform/app/Support/ReasonTranslation/ReasonTranslator.php` with centralized operator-safe wording and next steps for `Run tenant sync first`, `Latest inventory sync failed`, `Latest inventory sync was blocked`, unusable-coverage outcomes, and `No subjects were in scope`
- [X] T012 [US1] Implement latest relevant inventory eligibility preflight in `apps/platform/app/Services/Baselines/BaselineCaptureService.php` so known non-credible prerequisites short-circuit before `OperationRun` creation
- [X] T013 [US1] Re-check latest relevant inventory inside `apps/platform/app/Jobs/CaptureBaselineSnapshotJob.php` and resolve blocked terminal truth through `apps/platform/app/Services/OperationRunService.php` with numeric `summary_counts`, upstream inventory run reference, chosen eligibility decision, terminal reason code, current-baseline-change flag, and no queued/running DB-notification drift
- [X] T014 [US1] Update `apps/platform/app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php` and any capture-result explanation consumers to use the shared translated prerequisite truth while preserving existing confirmation-gated action placement and capability enforcement
**Checkpoint**: User Story 1 is independently functional and capture can no longer false-green on non-credible latest inventory truth.
---
## Phase 4: User Story 2 - Keep No-Data Captures Visible but Non-Authoritative (Priority: P2)
**Goal**: Let zero-subject captures remain auditable without allowing them to replace the current trustworthy baseline.
**Independent Test**: Capture against credible inventory that resolves zero in-scope subjects and verify `partially_succeeded`, no promotion of baseline truth, and clear no-data artifact messaging on affected surfaces.
### Tests for User Story 2
- [X] T015 [P] [US2] Expand `apps/platform/tests/Feature/Baselines/BaselineCaptureTest.php` for zero-subject capture, preserved previous consumable snapshot, and absence of `succeeded` when no usable baseline was captured
- [X] T016 [P] [US2] Expand `apps/platform/tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php` for no-data artifact messaging, current-versus-historical truth on profile and snapshot explanation surfaces, and profile-level compare affordance guidance after blocked or no-data capture outcomes
- [X] T017 [P] [US2] Expand `apps/platform/tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php` for prior-trustworthy-baseline preservation versus no-current-baseline guidance after blocked latest-inventory and zero-subject capture outcomes
### Implementation for User Story 2
- [X] T018 [US2] Refactor zero-subject handling in `apps/platform/app/Jobs/CaptureBaselineSnapshotJob.php` to short-circuit before existing consumable snapshot reuse or `active_snapshot_id` promotion, emit `OperationRunOutcome::PartiallySucceeded`, and record the no-data reason, `baseline_capture.subjects_total`, `result.snapshot_lifecycle` when present, plus effect on current baseline truth
- [X] T019 [US2] Reuse existing lifecycle/usability semantics in `apps/platform/app/Models/BaselineSnapshot.php` and the finalization payloads from `apps/platform/app/Jobs/CaptureBaselineSnapshotJob.php` so any zero-subject artifact stays non-consumable and stores no-data finalization metadata instead of a new lifecycle state
- [X] T020 [US2] Preserve `BaselineProfile::resolveCurrentConsumableSnapshot()` behavior in `apps/platform/app/Models/BaselineProfile.php` and update `apps/platform/app/Filament/Resources/BaselineSnapshotResource/Pages/ViewBaselineSnapshot.php` plus `apps/platform/app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php` to distinguish current trustworthy baseline from no-data evidence
- [X] T021 [US2] Update `apps/platform/app/Support/Baselines/BaselineCompareStats.php`, `apps/platform/app/Filament/Pages/BaselineCompareLanding.php`, and profile-level compare affordances in `apps/platform/app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php` so compare availability derives from effective consumable baseline truth after blocked, failed, or no-data capture outcomes rather than latest capture completion or snapshot existence alone
- [X] T022 [US2] If implementation proves historical empty complete snapshots still influence current runtime truth, adjust the relevant legacy finalization path and `apps/platform/tests/Feature/Baselines/BaselineSnapshotBackfillTest.php` inside the same slice; otherwise record in `specs/235-baseline-capture-truth/quickstart.md` and the active PR close-out note that no compatibility backfill change was required
**Checkpoint**: User Story 2 is independently functional and zero-subject capture remains visible without becoming authoritative baseline truth.
---
## Phase 5: User Story 3 - Explain All-Zero Capture Truth On Monitoring Surfaces (Priority: P3)
**Goal**: Ensure Monitoring leads with the dominant blocked or no-data explanation before raw counts or JSON.
**Independent Test**: Open seeded blocked and zero-subject baseline capture runs in Monitoring and verify the dominant cause and next step appear before diagnostics.
### Tests for User Story 3
- [X] T023 [P] [US3] Expand `apps/platform/tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php` for blocked latest inventory, failed latest inventory, after-enqueue drift, and zero-subject no-usable-baseline headlines
- [X] T024 [P] [US3] Expand `apps/platform/tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php`, `apps/platform/tests/Feature/Monitoring/AuditCoverageGovernanceTest.php`, and `apps/platform/tests/Feature/Notifications/OperationRunNotificationTest.php` for consistent blocked or `partially_succeeded` baseline-capture truth, audit summary wording including whether current baseline truth changed, and initiator-aware terminal notification behavior
### Implementation for User Story 3
- [X] T025 [P] [US3] Extend `apps/platform/app/Support/OpsUx/GovernanceRunDiagnosticSummaryBuilder.php` with dominant explanation and next-step branches for blocked latest inventory, after-enqueue drift, failed inventory, unusable coverage, and zero-subject no-data capture
- [X] T026 [US3] Reconcile shared run-detail and operator-explanation consumption across `apps/platform/app/Support/ReasonTranslation/ReasonTranslator.php`, `apps/platform/app/Support/Baselines/BaselineCompareStats.php`, `apps/platform/app/Support/OpsUx/OperationUxPresenter.php`, and `apps/platform/app/Support/Ui/OperatorExplanation/OperatorExplanationBuilder.php` so Monitoring, compare landing, and audit prose use the same baseline-domain vocabulary and explicitly communicate whether current baseline truth changed without page-local fallbacks
- [X] T027 [US3] Update `apps/platform/app/Notifications/OperationRunCompleted.php` and any baseline-capture completion payload helpers so terminal notification copy reflects the same dominant reason, communicates whether current baseline truth changed, and preserves initiator-aware delivery rules for interactive versus initiator-null runs
**Checkpoint**: User Story 3 is independently functional and Monitoring explains blocked/no-data baseline truth before diagnostics.
---
## Phase 6: Polish & Cross-Cutting Validation
**Purpose**: Finish formatting, verify there is no local truth drift, and run the narrow proving pack.
- [X] T028 [P] Search the touched runtime and surface files `apps/platform/app/Services/Baselines/BaselineCaptureService.php`, `apps/platform/app/Jobs/CaptureBaselineSnapshotJob.php`, `apps/platform/app/Support/ReasonTranslation/ReasonTranslator.php`, `apps/platform/app/Support/Baselines/BaselineCompareStats.php`, `apps/platform/app/Support/OpsUx/GovernanceRunDiagnosticSummaryBuilder.php`, `apps/platform/app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php`, `apps/platform/app/Filament/Pages/BaselineCompareLanding.php`, `apps/platform/app/Filament/Resources/BaselineSnapshotResource/Pages/ViewBaselineSnapshot.php`, `apps/platform/app/Support/OpsUx/OperationUxPresenter.php`, and `apps/platform/app/Support/Ui/OperatorExplanation/OperatorExplanationBuilder.php` to confirm no page-local explanation branches or stale-success fallback logic remain
- [X] T029 Run formatting for all touched PHP and test files with `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- [X] T030 [P] Run the baseline capture and Filament surface validation pack from `specs/235-baseline-capture-truth/quickstart.md` against `apps/platform/tests/Feature/Baselines/BaselineCaptureTest.php`, `apps/platform/tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php`, `apps/platform/tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php`, and `apps/platform/tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php`
- [X] T031 [P] Run the Monitoring, audit/notification, and authorization validation pack from `specs/235-baseline-capture-truth/quickstart.md` against `apps/platform/tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php`, `apps/platform/tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php`, `apps/platform/tests/Feature/Monitoring/AuditCoverageGovernanceTest.php`, `apps/platform/tests/Feature/Notifications/OperationRunNotificationTest.php`, and `apps/platform/tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php`
- [X] T032 [P] Run `apps/platform/tests/Feature/Baselines/BaselineSnapshotBackfillTest.php` only if `T022` changed legacy empty-snapshot classification behavior
- [X] T033 Record the Guardrail close-out entry in `specs/235-baseline-capture-truth/quickstart.md` and the active PR description for `Guardrail` status, `standard-native-filament` plus `monitoring-state-page` coverage, and whether `T022` resolved as `document-in-feature` or required a follow-up
---
## Dependencies & Execution Order
### Phase Dependencies
- **Setup (Phase 1)**: Starts immediately and locks anchors plus proving commands.
- **Foundational (Phase 2)**: Depends on Setup and blocks all story work until shared truth boundaries are explicit.
- **User Story 1 (Phase 3)**: Depends on Foundational and is the MVP cut.
- **User Story 2 (Phase 4)**: Depends on User Story 1 because zero-subject truth builds on the new reason-code and eligibility groundwork in the same capture workflow.
- **User Story 3 (Phase 5)**: Depends on User Story 1 and User Story 2 because Monitoring must reflect the final blocked and no-data truth contract.
- **Polish (Phase 6)**: Depends on all completed story work.
### User Story Dependencies
- **US1**: No dependency beyond Foundational.
- **US2**: Depends on US1 shared reason-code, run-context, and preflight/runtime truth changes.
- **US3**: Depends on US1 and US2 shared truth being complete.
### Within Each User Story
- Write the story tests first and confirm they fail before implementation is considered complete.
- Keep copy and explanation centralized through shared baseline and Ops UX helpers.
- Preserve current confirmation-gated action topology and existing capability enforcement.
- Preserve `OperationRunService` ownership of terminal status and outcome transitions.
- Finish story-level validation before moving to the next dependent story.
### Parallel Opportunities
- `T001` and `T002` can run in parallel during Setup.
- `T003`, `T004`, `T005`, and `T006` can run in parallel during Foundational work.
- `T007`, `T008`, and `T009` can run in parallel for User Story 1; `T010` and `T011` can also proceed in parallel before `T012` through `T014`.
- `T015`, `T016`, and `T017` can run in parallel for User Story 2 before the implementation sequence `T018` through `T022`.
- `T023` and `T024` can run in parallel for User Story 3 before `T025` through `T027`.
- `T030`, `T031`, and `T032` can run in parallel during final validation when their prerequisites are satisfied.
---
## Parallel Example: User Story 1
```bash
# User Story 1 tests in parallel
T007 apps/platform/tests/Feature/Baselines/BaselineCaptureTest.php
T008 apps/platform/tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php
T009 apps/platform/tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php
# Shared reason and translation groundwork in parallel
T010 apps/platform/app/Support/Baselines/BaselineReasonCodes.php
T011 apps/platform/app/Support/ReasonTranslation/ReasonTranslator.php
```
## Parallel Example: User Story 2
```bash
# User Story 2 tests in parallel
T015 apps/platform/tests/Feature/Baselines/BaselineCaptureTest.php
T016 apps/platform/tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php
T017 apps/platform/tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php
```
## Parallel Example: User Story 3
```bash
# User Story 3 tests in parallel
T023 apps/platform/tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php
T024 apps/platform/tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php
```
---
## Implementation Strategy
### MVP First (User Story 1 Only)
1. Complete Phase 1: Setup.
2. Complete Phase 2: Foundational.
3. Complete Phase 3: User Story 1.
4. Run `T029` and `T030` before widening the slice.
### Incremental Delivery
1. Ship User Story 1 to eliminate false-green capture starts and runtime success on non-credible latest inventory.
2. Ship User Story 2 to keep zero-subject captures visible but non-authoritative.
3. Ship User Story 3 to align Monitoring with the hardened capture truth.
4. Finish with the final formatting, validation, and guardrail close-out tasks.
### Parallel Team Strategy
1. One contributor can prepare the shared reason-code and translation groundwork while another prepares the User Story 1 proof surfaces.
2. After User Story 1 lands, one contributor can take the zero-subject runtime path while another prepares the User Story 2 surface tests.
3. User Story 3 can start once the blocked and no-data run-context truth is stable enough for Monitoring and Ops UX proof.
---
## Notes
- `[P]` tasks target different files or independent proof surfaces and can be worked in parallel once upstream blockers are cleared.
- `[US1]`, `[US2]`, and `[US3]` map directly to the feature specification user stories.
- No `contracts/` artifact is required for this feature because there is no external API or route contract change.
- The suggested MVP scope is Phase 1 through Phase 3 only.
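Review bot: T012 short-circuits known non-credible prerequisites before `OperationRun` creation, but no task states whether a capture start refused at preflight leaves an audit record. T013 gives the runtime path a run context carrying the reason code and upstream inventory run reference, so only the after-enqueue case is guaranteed to be traceable; a start refused at preflight has no run to carry that context. Suggest stating in T012, and asserting in T007 or T008, either that the refused start emits an audit event with the reason code or that it is intentionally unrecorded. Minor: the User Story 3 parallel example lists only `OperationRunBaselineTruthSurfaceTest.php` for T024, while T024 also covers `AuditCoverageGovernanceTest.php` and `OperationRunNotificationTest.php`.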