feat: platform sellable smoke matrix (spec 355)

Added artifacts, screenshots, and documentation for the platform sellable smoke matrix. Fixed a bug in FindingRiskGovernanceResolver and updated related tests.

apps/platform/app/Services/Findings/FindingRiskGovernanceResolver.php

@@ -171,7 +171,7 @@ public function resolveWarningMessage(Finding $finding, ?FindingException $excep
 
         if (! $exception instanceof FindingException) {
             return $finding->isRiskAccepted()
-                ? 'This finding is marked as accepted risk without a valid exception record.'
+                ? __('localization.accepted_risk_guidance.reason_missing_support')
                 : null;
         }
 
@@ -186,24 +186,22 @@ public function resolveWarningMessage(Finding $finding, ?FindingException $excep
 
         if ($finding->isRiskAccepted()) {
             return match ($this->resolveFindingState($finding, $exception, $now)) {
-                'risk_accepted_without_valid_exception' => 'This finding is marked as accepted risk without a valid exception record.',
-                'expiring_exception' => 'The linked exception is still valid, but it is nearing expiry and needs review.',
-                'expired_exception' => 'The linked exception has expired and no longer governs accepted risk.',
-                'revoked_exception' => 'The linked exception was revoked and no longer governs accepted risk.',
-                'rejected_exception' => 'The linked exception was rejected and does not govern accepted risk.',
+                'risk_accepted_without_valid_exception' => __('localization.accepted_risk_guidance.reason_missing_support'),
+                'expiring_exception' => __('localization.accepted_risk_guidance.reason_expiring'),
+                'expired_exception' => __('localization.accepted_risk_guidance.reason_expired'),
+                'revoked_exception', 'rejected_exception' => __('localization.accepted_risk_guidance.reason_revoked_or_rejected'),
                 default => null,
             };
         }
 
         if ($exception->requiresFreshDecisionForFinding($finding)) {
-            return 'This finding changed after the earlier exception decision; a fresh decision is required.';
+            return __('localization.accepted_risk_guidance.reason_fresh_decision_required');
         }
 
         return match ($exceptionStatus) {
-            FindingException::STATUS_EXPIRING => 'The linked exception is nearing expiry and needs review.',
-            FindingException::STATUS_EXPIRED => 'The linked exception has expired and no longer governs accepted risk.',
-            FindingException::STATUS_REVOKED => 'The linked exception was revoked and no longer governs accepted risk.',
-            FindingException::STATUS_REJECTED => 'The linked exception was rejected and does not govern accepted risk.',
+            FindingException::STATUS_EXPIRING => __('localization.accepted_risk_guidance.reason_expiring'),
+            FindingException::STATUS_EXPIRED => __('localization.accepted_risk_guidance.reason_expired'),
+            FindingException::STATUS_REVOKED, FindingException::STATUS_REJECTED => __('localization.accepted_risk_guidance.reason_revoked_or_rejected'),
             default => null,
         };
     }

apps/platform/tests/Feature/Monitoring/Spec354FindingExceptionsQueueGuidanceTest.php

@@ -237,7 +237,8 @@ function spec354QueueException(
         ->test(FindingExceptionsQueue::class)
         ->assertSee(__('localization.accepted_risk_guidance.reason_expiring'))
         ->assertSee(__('localization.accepted_risk_guidance.impact_expiring'))
-        ->assertDontSee('The current accepted-risk governance window is still active, but it is nearing expiry and needs review.');
+        ->assertDontSee('The current accepted-risk governance window is still active, but it is nearing expiry and needs review.')
+        ->assertDontSee('The linked exception is still valid, but it is nearing expiry and needs review.');
 
     app()->setLocale($originalLocale);
 });

specs/355-platform-sellable-smoke-matrix/artifacts/blocked-fixtures.md

@@ -0,0 +1,41 @@
+# Blocked Fixtures
+
+Status: inventoried  
+Spec: `specs/355-platform-sellable-smoke-matrix/spec.md`
+
+Use this file only when a required smoke state cannot be exercised honestly with current local/testing data.
+
+## Available States
+
+- Provider blocker:
+  `workspace=spec-352-guidance-browser-audit`, `environment=spec-352-audit-provider-blocker`, user `smoke-requester+352@tenantpilot.local`
+- Review-output blocker with existing draft:
+  `workspace=spec-352-guidance-browser-audit`, `environment=spec-352-audit-review-output`, review `#31`
+- Review-output owner surface with reusable open-draft path:
+  `workspace=spec-352-guidance-browser-audit`, `environment=spec-352-audit-review-output`, user `smoke-requester+352@tenantpilot.local`
+- Calm no-urgent-action dashboard:
+  `workspace=spec-352-guidance-browser-audit`, `environment=spec-352-audit-no-urgent`
+- Evidence incomplete with customer-safe boundary and operation proof:
+  workspace `wp`, `environment=spec342-demo-evidence-incomplete`, operation `#24`
+- Governance Inbox queue item:
+  workspace `wp`, `environment=spec342-demo-accepted-risks`
+- Accepted-risk focused review lane:
+  workspace `wp`, `environment=spec342-demo-accepted-risks`
+- Accepted-risk expiring, expired, and incomplete states used for the browser matrix:
+  workspace `wp`, `environment=spec342-demo-accepted-risks`, exceptions `#7`, `#8`, `#9`
+
+## Missing States
+
+- Clean provider verification-failed demo record was not persisted in the local DB during the Spec 355 run. Provider verification guidance was therefore verified through the provider-blocked permissions path and the Provider Connections owner surface instead.
+- Pending-renewal non-lapsed and lapsed accepted-risk cases were not re-run in the Spec 355 browser matrix, even though Spec 354 already has dedicated browser and feature coverage for them.
+
+## Blockers
+
+- The dedicated Spec 354 browser fixture user (`spec354-browser-wj5ugjux@example.test`) did not remain reusable through the Playwright smoke-login flow in this local browser session, even though the route itself responded correctly. To avoid a false negative, the accepted-risk queue proof was run against the stable workspace `wp` operator fixture instead.
+- Clean expiring and expired accepted-risk states in workspace `wp` needed small local-only fixture augmentation via `tinker` because the persisted demo records mixed expiring and incomplete governance semantics.
+
+## Next Actions
+
+- Keep the smoke matrix conservative.
+- Do not invent repo code or broaden runtime scope just to clear a blocked flow.
+- If Spec 355 needs a future repeatable fixture pack, add a dedicated local seeder in a follow-up slice rather than widening this verification gate.

specs/355-platform-sellable-smoke-matrix/artifacts/platform-sellable-readiness-report.md

@@ -0,0 +1,51 @@
+# Platform Sellable Readiness Report
+
+Status: browser run complete  
+Spec: `specs/355-platform-sellable-smoke-matrix/spec.md`
+
+## Executive Summary
+
+Spec 355 browser-verified all 10 required sellable smoke flows and captured all 12 required screenshots. No open P0 or P1 issues remain. One dependency-gate defect was found during the accepted-risk queue run: the German focused-review lane still leaked English dominant warning copy. That issue was fixed in-scope with targeted Spec 354 regression coverage and the affected browser flow was re-run before close-out.
+
+## Pass / Fail / Blocked Count
+
+- PASS: 8
+- PASS WITH NOTES: 2
+- BLOCKED: 0
+- FAIL P1: 0
+- FAIL P0: 0
+
+## P0 / P1 / P2 / P3 Findings
+
+- P0: none
+- P1: none
+- P2: none
+- P3: Review detail in customer-workspace context still shows redundant self-link actions inside the output-guidance card.
+- P3: Accepted-risk queue verification depended on small local-only fixture augmentation because the persisted demo data mixed expiring and incomplete governance semantics.
+- P3: Broad family regression filters for `Spec351` through `Spec354` were attempted in Sail but were killed with exit `137`; close-out therefore relies on narrower affected Spec 354 regressions plus browser proof.
+
+## Demo Readiness
+
+Near-demo-ready. The core operator narrative is coherent and screenshot-backed, but a small amount of polish remains around redundant review-detail affordances and fixture repeatability.
+
+## Sellable Foundation Readiness
+
+Sellable foundation-ready. The integrated operator loop now holds together across dashboard, provider, review, accepted risk, governance inbox, evidence, and operation proof surfaces without open P0/P1 blockers.
+
+## Customer-Safe Boundary Assessment
+
+Verified. Blocked review output, internal-only evidence posture, and operation proof all stayed clearly non-customer-safe where appropriate. No tested flow overclaimed shareability while evidence or review readiness was still limited.
+
+## Operator Workflow Assessment
+
+Verified. Each tested owner surface exposed one dominant next action or one dominant decision zone within a few seconds of landing on the page. Dashboard guidance routed cleanly into provider or review owner surfaces, Governance Inbox preserved queue-to-owner continuity, and evidence plus operation proof stayed subordinate to the governing operator task instead of replacing it with diagnostics-first detail.
+
+## Recommended Decision
+
+Close with notes. Spec 355 meets its verification gate and does not carry open P0/P1 findings. Keep the two P3 items as follow-up polish rather than widening this slice.
+
+## Notes
+
+- Full-suite execution was not run.
+- The broad `Spec351` to `Spec354` family filters were attempted and documented, but the current container killed them with exit `137`.
+- The accepted-risk localization defect was fixed and re-verified before this report was finalized.

specs/355-platform-sellable-smoke-matrix/artifacts/platform-sellable-smoke-matrix.md

@@ -0,0 +1,28 @@
+# Platform Sellable Smoke Matrix
+
+Status: browser run complete  
+Spec: `specs/355-platform-sellable-smoke-matrix/spec.md`  
+Purpose: Browser-first sellable-readiness verification across the current operator owner surfaces.
+
+## Result Legend
+
+- `PASS`: browser-verified and productized enough
+- `PASS WITH NOTES`: works, but minor P2/P3 notes remain
+- `BLOCKED`: fixture/state missing or dependency gate prevents honest verification
+- `FAIL P1`: operator-flow or hierarchy issue that blocks close
+- `FAIL P0`: safety, scope, authorization, or runtime issue
+
+## Matrix
+
+| Flow ID | Flow name | Surface | Environment / fixture | State tested | Expected primary action | Actual primary action | Scope preserved | Customer-safe boundary correct | Console errors | Network/server errors | Screenshot | Result | Severity | Notes |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| F1 | Environment Dashboard -> provider blocker | Environment Dashboard -> Required Permissions | `workspace=spec-352-guidance-browser-audit`, `environment=spec-352-audit-provider-blocker` | provider blocker outranks lower-priority review output | open provider-readiness owner surface | `Review permissions` -> `/admin/workspaces/spec-352-guidance-browser-audit/environments/spec-352-audit-provider-blocker/required-permissions` | yes | yes | none observed | none observed | `01-dashboard-provider-blocker.png`, `02-provider-required-permissions-target.png` | PASS | none | Dashboard guidance stayed navigation-first and landed on a matching blocker explanation. |
+| F2 | Environment Dashboard -> review-output blocker | Environment Dashboard -> review owner surface | `workspace=spec-352-guidance-browser-audit`, `environment=spec-352-audit-review-output` | review-output blocker with no provider blocker | open review-output owner surface | `Open draft review` -> `/admin/workspaces/33/environments/spec-352-audit-review-output/environment-reviews/31` | yes | yes | none observed | none observed | `03-dashboard-review-output-blocker.png` | PASS | none | Primary CTA matched Spec 351 review-output resolve logic. |
+| F3 | Customer Review Workspace resolve loop | Customer Review Workspace | `environment_id=52`, review `#31` | blocked output with existing draft | repo-backed dominant review action | `Open draft review` | yes | yes | none observed | none observed | `04-customer-review-workspace-resolve-action.png` | PASS | none | Draft state was explicit, no empty state appeared, and publish was not presented as the dominant action while blocked. |
+| F4 | Review detail in customer-workspace context | Environment Review detail | review `#31` opened from customer workspace | customer-workspace detail continuity | no duplicate CTA rail; clear output readiness | output readiness and limitations stayed distinct; no competing top rail | yes | yes | none observed | none observed | `05-review-detail-customer-workspace-context.png` | PASS WITH NOTES | P3 | Output guidance card still contains redundant self-link actions that loop back to the same review detail. |
+| F5 | Provider guidance owner surfaces | Provider Connections / Required Permissions | `environment_id=51` plus required-permissions deep link | provider blocker | one provider-readiness next step | `Open required permissions` | yes | yes | none observed | none observed | `06-provider-guidance.png` | PASS | none | Provider Connections explained blocker reason and impact before raw provider details. |
+| F6 | Accepted-risk owner flow | Finding Exceptions Queue / Exception Detail | `workspace=wp`, `environment=spec342-demo-accepted-risks`, exceptions `#7`, `#8`, `#9` | expiring, expired, incomplete | review accepted risk or owner-surface follow-up | focused queue guidance stayed dominant; no fake remediation CTA | yes | yes | none observed | none observed | `07-accepted-risk-expiring.png`, `08-accepted-risk-expired.png` | PASS WITH NOTES | P3 | Expired and expiring priority behaved correctly. Spec 355 used local-only fixture augmentation and exposed a German-locale copy leak that was fixed in-scope before close-out. |
+| F7 | Governance Inbox continuity | Governance Inbox | `workspace=wp`, `environment=spec342-demo-accepted-risks` | queue item follow-up | open owner surface with one clear next action | `Review accepted risk` deep-linked to the focused queue lane with back-link context | yes | yes | none observed | none observed | `09-governance-inbox.png` | PASS | none | Governance Inbox remained the queue-clearing surface instead of duplicating dashboard-style guidance. |
+| F8 | Evidence path support | Evidence Overview | `workspace=wp`, `environment=spec342-demo-evidence-incomplete`, operation `#24` | evidence incomplete / internal-only output boundary | inspect evidence basis or supporting proof | `Review customer output` | yes | yes | none observed | none observed | `10-evidence-overview.png` | PASS | none | Evidence stayed decision-first and explicitly warned that the output was not ready for external sharing. |
+| F9 | Operation proof | Operation detail | `workspace=wp`, `environment=spec342-demo-evidence-incomplete`, operation `#24` | linked proof with internal-only impact | open run proof without competing with owner CTA | operation proof showed scope, outcome, and follow-up guidance | yes | yes | none observed | none observed | `11-operation-proof.png` | PASS | none | Operation truth remained traceable and did not overclaim governance health or customer-safe status. |
+| F10 | Calm no-urgent-action state | Environment Dashboard | `workspace=spec-352-guidance-browser-audit`, `environment=spec-352-audit-no-urgent` | no urgent action | calm no-action state | `Review environment` with calm-state framing | yes | yes | none observed | none observed | `12-no-urgent-action.png` | PASS | none | Quiet state was productized and did not collapse into an empty or broken screen. |

specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/.gitkeep

@@ -0,0 +1 @@
+

specs/355-platform-sellable-smoke-matrix/checklists/requirements.md

@@ -0,0 +1,36 @@
+# Requirements Checklist: Spec 355 - Platform Sellable Smoke Matrix
+
+Purpose: Validate preparation readiness only. This checklist does not certify implementation, runtime tests, or browser proof.
+
+## Candidate And Guardrail
+
+- [x] CHK001 The candidate source is explicit: direct user-provided Spec 355 draft plus current operator-surface repo truth.
+- [x] CHK002 No completed spec package is being reopened or normalized back to preparation state.
+- [x] CHK003 The selected slice stays verification-first and does not expand into portal, renderer, AI, workflow-engine, or navigation-rewrite scope.
+
+## Repo Truth Alignment
+
+- [x] CHK004 The prep names the exact current owner surfaces instead of inventing new sellable-readiness pages.
+- [x] CHK005 The prep records the dependency ambiguity across Specs 351-354 explicitly and turns it into a first-phase implementation gate.
+- [x] CHK006 Existing smoke helpers and browser-test history are captured as context rather than being treated as automatic proof for Spec 355.
+- [x] CHK007 Evidence Overview and operation detail coverage gaps are recorded instead of being hidden behind a broad "already audited" claim.
+
+## Constitution And Scope
+
+- [x] CHK008 The spec forbids new persistence, a new readiness entity, a new workflow engine, a new provider framework, and broad surface rewrites.
+- [x] CHK009 Provider/platform boundary handling is explicit and keeps Spec 355 in verification mode rather than broadening shared seams.
+- [x] CHK010 Existing RBAC, audit, and `OperationRun` ownership remain explicit and unchanged.
+- [x] CHK011 UI/Productization coverage is explicit for all in-scope strategic surfaces.
+
+## Artifact And Task Readiness
+
+- [x] CHK012 The smoke matrix artifact exists with the required columns and required flow rows.
+- [x] CHK013 The readiness report artifact exists with the required executive-summary sections.
+- [x] CHK014 The tasks are ordered, verifiable, and include repo state, fixture inventory, browser flows, classification, optional minimal fixes, and final regression work.
+- [x] CHK015 No blocking preparation question remains; runtime dependency and fixture uncertainty are surfaced as explicit implementation gates, not silent assumptions.
+
+## Review Outcome
+
+- [x] Ready for implementation prep handoff.
+- [x] Main caveat recorded: final readiness classification remains gated on dependency re-verification and honest fixture availability during implementation.
+- [x] This checklist validates preparation only. No application implementation, runtime test execution, or browser smoke has been performed in this prep step.

specs/355-platform-sellable-smoke-matrix/plan.md

@@ -0,0 +1,273 @@
+# Implementation Plan: Spec 355 - Platform Sellable Smoke Matrix
+
+- Branch: `355-platform-sellable-smoke-matrix`
+- Date: 2026-06-05
+- Spec: `specs/355-platform-sellable-smoke-matrix/spec.md`
+- Input: Spec 355 draft plus repo inspection of dashboard, provider readiness, review output, accepted-risk, governance, evidence, and operations proof surfaces.
+
+## Summary
+
+Run one bounded, browser-first sellable-readiness gate across the current operator/productization surfaces and capture the result as a matrix plus readiness report.
+
+The slice stays narrow:
+
+- verify existing owner surfaces end-to-end instead of building another feature
+- inventory fixture truth before claiming anything is testable
+- classify flows as pass, pass with notes, blocked, fail P1, or fail P0
+- allow only direct P0/P1 fixes on the owning surface when a browser-verified issue is in scope
+- preserve current RBAC, audit, `OperationRun`, provider-boundary, and customer-safe truth
+
+## Technical Context
+
+- Language/Version: PHP 8.4.15, Laravel 12.52.x
+- UI stack: Filament 5.2.x, Livewire 4.x
+- Database: PostgreSQL, no schema change planned
+- Artifact storage: markdown and screenshots under `specs/355-platform-sellable-smoke-matrix/artifacts/`
+- Testing: browser-first verification plus targeted Pest unit/feature/browser coverage only when a direct P0/P1 fix is necessary
+- Validation lanes: browser + confidence + fast-feedback
+- Local runtime posture: Sail-first
+- Deployment/runtime impact: none expected; no env, migration, queue-family, scheduler, storage, or panel/provider change is planned
+- Global search: unchanged; Spec 355 does not make any surface globally searchable
+
+## Current Repo Truth That Constrains The Slice
+
+- The primary product surfaces already exist and are route-inventory-backed:
+  - Environment Dashboard (`UI-011`, page report `ui-002-environment-dashboard.md`)
+  - Provider Connections (`UI-072`, page report `ui-009-provider-connections.md`)
+  - Required Permissions (`UI-077`, page report `ui-077-required-permissions.md`)
+  - Governance Inbox (`UI-028`, page report `ui-004-governance-inbox.md`)
+  - Finding Exceptions Queue (`UI-026`, page report `ui-012-finding-exceptions-queue.md`)
+  - Exception Detail (`UI-036`, page report `ui-036-exception-detail.md`)
+  - Customer Review Workspace (`UI-038`, page report `ui-006-customer-review-workspace.md`)
+  - Environment Review Detail (`UI-040`, page report `ui-040-environment-review-detail.md`)
+  - Operations hub (`UI-016`, page report `ui-003-operations.md`)
+  - Evidence Overview (`UI-044`, route-inventory only today)
+  - workspace operation detail (`UI-017`, route-inventory only today)
+- Existing browser smoke coverage already exists in the repo for:
+  - Governance Inbox (`Spec346...SmokeTest`)
+  - review-output guidance (`Spec351...SmokeTest`)
+  - dashboard guidance (`Spec352...SmokeTest`)
+  - provider-readiness guidance (`Spec353...SmokeTest`)
+  - accepted-risk guidance (`Spec354...SmokeTest`)
+- Current dependency signals are not perfectly normalized:
+  - Spec 351 is commit-backed and implemented, but still carries residual P2 browser audit notes and a `Draft` spec header.
+  - Spec 352 is the cleanest implemented baseline.
+  - Spec 353 is marked implemented with close-out audit pending.
+  - Spec 354 is commit-backed and screenshot-backed, but still lacks the cleanest spec-package close-out shape.
+- Existing local/testing helpers already exist for some states:
+  - local smoke login route: `admin.local.smoke-login`
+  - review-output ready-path fixture command: `tenantpilot:review-output:seed-browser-fixture`
+- Evidence Overview and workspace operation detail have lighter durable audit coverage than the other strategic surfaces. Spec 355 should use its own artifact package first instead of broadening the audit registry by default.
+
+## Domain / Model Implications
+
+- No schema or migration change is planned.
+- No new persisted readiness classification, queue, or release-gate entity is allowed.
+- Existing truth stays on the current runtime owners:
+  - environment guidance: `EnvironmentDashboardSummaryBuilder`
+  - provider readiness: existing provider-connection and required-permissions derivation paths
+  - review output: existing review-output readiness and resolve-action paths
+  - accepted risk: existing finding-exception and governance resolver paths
+  - evidence: existing evidence snapshot/evidence overview truth
+  - proof: existing `OperationRun` hub and detail truth
+- New durable artifacts are limited to:
+  - `artifacts/platform-sellable-smoke-matrix.md`
+  - `artifacts/platform-sellable-readiness-report.md`
+  - optional `artifacts/blocked-fixtures.md`
+  - screenshots under `artifacts/screenshots/`
+
+## UI / Filament / Livewire Implications
+
+- Filament v5 continues to run on Livewire v4.x; no version or API drift is permitted.
+- No panel/provider registration change is allowed; `apps/platform/bootstrap/providers.php` remains untouched.
+- No new asset registration is planned, so there is no expected `filament:assets` deployment change for this spec.
+- Existing destructive or high-impact actions must keep their current confirmation, authorization, notification, and audit posture even if Spec 355 changes their prominence, disabled state, or label.
+- Spec 355 must not create a second CTA rail on detail surfaces simply to make a smoke matrix easier to pass.
+
+## RBAC / Policy Implications
+
+- Workspace membership and entitled environment access remain the only scope authorities.
+- Guidance, filters, and deep links must remain scope-safe and must not reintroduce hidden `tenant` query dependence where Specs 313/315/316 already constrained hub filtering behavior.
+- Any direct fix must preserve current 404 vs 403 semantics and current policy ownership.
+- The smoke matrix itself must classify wrong-scope or wrong-workspace continuity as a blocker, not as cosmetic drift.
+
+## Audit / Logging / Evidence Implications
+
+- Existing audit, `OperationRun`, and proof ownership remain authoritative.
+- The readiness report must explicitly state whether:
+  - console errors were observed
+  - network/server errors were observed
+  - customer-safe boundaries were upheld
+- No new audit stream, notification family, or support artifact is planned.
+- Browser screenshots and matrix/report notes are the close-out evidence for this gate.
+
+## Data / Migration Implications
+
+- No database migration, backfill, or persisted projection is planned.
+- No compatibility shims are justified because this is a verification/productization gate, not a data-shape replacement.
+- Existing local/testing fixture helpers may be reused, but Spec 355 must not add new product persistence just to make demo data easier.
+
+## Rollout Considerations
+
+- No feature flag is expected because this slice is a verification gate over existing surfaces.
+- If no P0/P1 fix is required, rollout impact is documentation/artifact-only.
+- If a direct P0/P1 fix is required, staging/browser proof should re-run the affected flow before the platform is called sellable-ready.
+- The final report must clearly distinguish:
+  - ready/pass flows
+  - pass-with-notes flows
+  - blocked flows caused by fixture or dependency gaps
+  - failure flows caused by real operator or safety issues
+
+## UI / Surface Guardrail Plan
+
+- **Guardrail scope**:
+  - Environment Dashboard
+  - Provider Connections / Required Permissions
+  - Customer Review Workspace / Environment Review Detail
+  - Finding Exceptions Queue / Exception Detail
+  - Governance Inbox
+  - Evidence Overview / Evidence basis
+  - Operations hub / operation proof
+- **Affected surfaces**:
+  - `apps/platform/app/Filament/Pages/EnvironmentDashboard.php`
+  - `apps/platform/app/Filament/Resources/ProviderConnectionResource.php`
+  - `apps/platform/app/Filament/Pages/EnvironmentRequiredPermissions.php`
+  - `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`
+  - `apps/platform/app/Filament/Resources/EnvironmentReviewResource/Pages/ViewEnvironmentReview.php`
+  - `apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php`
+  - `apps/platform/app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php`
+  - `apps/platform/app/Filament/Pages/Governance/GovernanceInbox.php`
+  - `apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php`
+  - `apps/platform/app/Filament/Resources/EvidenceSnapshotResource/Pages/ViewEvidenceSnapshot.php`
+  - `apps/platform/app/Filament/Resources/OperationRunResource.php`
+- **Native vs custom**: preserve current Filament-native surfaces and shared guidance/proof helpers; do not introduce a custom sellable-readiness runtime layer
+- **Shared-family relevance**:
+  - next-action guidance
+  - proof/deep-link behavior
+  - customer-safe disclosure
+  - queue routing
+  - dashboard signal hierarchy
+- **Handling modes**:
+  - strategic operator surfaces: `review-mandatory`
+  - missing fixture states: `report-only`
+  - direct P0/P1 regressions: `hard-stop-candidate`
+  - out-of-scope structural drift: `exception-required` or `follow-up-spec`
+- **Required tests / smoke**:
+  - browser matrix is mandatory
+  - targeted feature/unit/browser coverage only when a direct fix lands
+- **UI/Productization coverage**:
+  - use existing page reports where they already exist
+  - keep Spec 355 artifacts as the primary proof package
+  - use `unresolved-pages.md` only if Evidence Overview or operation detail needs an explicit durable blocker note after a fix attempt
+
+## Shared Pattern And System Fit
+
+- **Preferred reuse path**:
+  - current `ResolutionCase` / `ResolutionAction` contract
+  - current dashboard operator-guidance path
+  - current Governance Inbox deep-link/routing path
+  - current `OperationRunUrl` / `OperationRunLinks`
+- **Likely implementation shape**:
+  - no new product runtime layer
+  - matrix/report/screenshot artifacts only
+  - if needed, direct surface-local fixes that reuse existing guidance or link helpers
+- **Avoid**:
+  - new cross-surface guidance registry
+  - new sellability status persistence
+  - new portal/readiness workflow
+  - new provider/platform abstraction
+
+## OperationRun UX Impact
+
+Spec 355 does not create a new `OperationRun` type and does not introduce new queued/start behavior.
+
+Implementation responsibility is limited to:
+
+- verifying existing `Open operation` / `View run` links
+- ensuring proof links do not become the dominant CTA when a higher-priority owner action exists
+- ensuring scope-safe operation URLs remain truthful
+
+## Likely Runtime Files
+
+| Area | Repo-real files |
+|---|---|
+| Dashboard | `apps/platform/app/Filament/Pages/EnvironmentDashboard.php`, `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php` |
+| Provider readiness | `apps/platform/app/Filament/Resources/ProviderConnectionResource.php`, `apps/platform/app/Filament/Pages/EnvironmentRequiredPermissions.php`, provider-readiness support classes |
+| Review output | `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`, `apps/platform/app/Filament/Resources/EnvironmentReviewResource.php`, review-output guidance support classes |
+| Accepted risk | `apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php`, `apps/platform/app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php`, `apps/platform/app/Services/Findings/FindingRiskGovernanceResolver.php` |
+| Governance queue | `apps/platform/app/Filament/Pages/Governance/GovernanceInbox.php`, `apps/platform/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php` |
+| Evidence | `apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php`, `apps/platform/app/Filament/Resources/EvidenceSnapshotResource/Pages/ViewEvidenceSnapshot.php` |
+| Operations proof | `apps/platform/app/Filament/Resources/OperationRunResource.php`, `apps/platform/app/Support/OpsUx/OperationRunUrl.php`, `apps/platform/app/Support/OperationRunLinks.php` |
+| Smoke helpers | `apps/platform/routes/web.php`, `apps/platform/app/Console/Commands/SeedReviewOutputBrowserFixture.php`, existing browser smoke tests |
+
+## Likely Test Files
+
+| Layer | Planned file or reuse path |
+|---|---|
+| Browser | `apps/platform/tests/Browser/Spec355PlatformSellableSmokeMatrixSmokeTest.php` only if a durable automated smoke adds value during implementation |
+| Feature/Livewire | targeted regressions on existing Spec 351/352/353/354 or owner-surface tests only when a direct fix lands |
+| Unit | none expected unless a direct P0/P1 fix changes deterministic guidance/link selection |
+
+## Likely Artifact Files
+
+| Artifact | Purpose |
+|---|---|
+| `specs/355-platform-sellable-smoke-matrix/artifacts/platform-sellable-smoke-matrix.md` | primary browser verification matrix |
+| `specs/355-platform-sellable-smoke-matrix/artifacts/platform-sellable-readiness-report.md` | executive close/fix/defer recommendation |
+| `specs/355-platform-sellable-smoke-matrix/artifacts/blocked-fixtures.md` | explicit fixture blockers when states cannot be exercised honestly |
+| `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/*` | first-screen proof images |
+
+## Implementation Approach
+
+### Phase 0 - Repo State And Dependency Gate
+
+1. Re-read `spec.md`, `plan.md`, `tasks.md`, `repo-truth-map.md`, and `checklists/requirements.md`.
+2. Run `git status --short --branch`, `git diff --stat`, and `git log -1 --oneline`, then record them in the repo-truth map.
+3. Re-verify Specs 351-354 at runtime-proof level, not by one metadata field alone.
+4. If Spec 354 still has the specifically named dependency concerns open, or if the implementation package cannot prove browser-verified close-readiness, record the blocker and do not publish a final `demo-ready` or `sellable foundation-ready` verdict.
+
+### Phase 1 - Fixture Inventory
+
+1. Inventory reusable local/testing/browser helpers already present in the repo.
+2. Confirm which real states can be exercised now:
+   - provider blocker
+   - review-output blocker
+   - ready draft/publish path
+   - accepted risk expiring/expired/incomplete
+   - governance inbox queue item
+   - evidence missing/stale
+   - operation follow-up/proof
+   - no urgent action
+3. Record missing states in `artifacts/blocked-fixtures.md` instead of silently broadening runtime scope.
+
+### Phase 2 - Browser Smoke Matrix
+
+1. Run the 10 required flows using visible UI, URLs, and in-browser inspection only.
+2. Capture the required screenshot set or explain each missing screenshot in the matrix.
+3. Record:
+   - expected primary action
+   - actual primary action
+   - scope continuity result
+   - customer-safe boundary result
+   - console/network/server error observations
+
+### Phase 3 - Classification And Readiness Report
+
+1. Complete the matrix with `PASS`, `PASS WITH NOTES`, `BLOCKED`, `FAIL P1`, or `FAIL P0`.
+2. Count pass/fail/blocked results and summarize them in the readiness report.
+3. Do not treat `BLOCKED` as equivalent to pass.
+4. Keep readiness language conservative when dependencies or fixtures remain unresolved.
+
+### Phase 4 - Minimal P0/P1 Fixes Only
+
+1. If a direct P0/P1 runtime issue is proven and in scope, add the narrowest failing targeted test first.
+2. Patch only the owning surface or direct helper.
+3. Re-run the affected browser flow and update the matrix/report/screenshot set.
+4. Do not widen Spec 355 into a redesign or a new feature lane.
+
+### Phase 5 - Regression And Close-Out
+
+1. Run the targeted regression commands listed in the spec.
+2. Run `pint --dirty` and `git diff --check` if code changed.
+3. Report whether the full suite was or was not run.
+4. Close with a readiness decision and an explicit list of any deferred follow-up specs.

specs/355-platform-sellable-smoke-matrix/repo-truth-map.md

@@ -0,0 +1,175 @@
+# Repo Truth Map: Spec 355 - Platform Sellable Smoke Matrix
+
+Status: implementation complete / browser-verified  
+Branch: `355-platform-sellable-smoke-matrix`  
+Date: 2026-06-05  
+Baseline commit before prep branch: `a9c54205` (`feat: finding exceptions accepted risk resolution guidance v1 (spec 354) (#425)`)
+
+## Branch And Working-Tree Safety
+
+- Starting branch before prep: `platform-dev`
+- Initial `git status --short --branch`: clean
+- Initial `git diff --stat`: empty
+- Spec Kit branch created via repo script:
+  - `.specify/scripts/bash/create-new-feature.sh --json --short-name 'platform-sellable-smoke-matrix' --number 355 'Platform Sellable Smoke Matrix'`
+- Current branch after setup: `355-platform-sellable-smoke-matrix`
+- Current uncommitted change before writing prep artifacts: only `specs/355-platform-sellable-smoke-matrix/`
+
+## Why 355 Was Selected
+
+- The user provided Spec 355 directly, so this is not an auto-selected backlog refresh.
+- Specs 351-354 already productized the main operator-guidance lanes, but they did so one surface at a time.
+- The next honest question is integrated sellability, not another isolated feature:
+  - Does the first blocker make sense?
+  - Does the next action stay dominant?
+  - Does scope continuity survive the click?
+  - Are customer-safe boundaries still truthful?
+  - Do evidence and proof surfaces support trust instead of pulling the operator into diagnostics-first detail?
+
+## Why Close Alternatives Were Deferred
+
+- Spec 356 (`Review Pack PDF/HTML Renderer v1`) depends on the underlying operator/productization flow being coherent first.
+- Spec 357 (`Customer Portal Boundary Contract`) should not be promoted before customer-safe boundary truth is proven inside the current operator surfaces.
+- Spec 358 (`Private AI Resolution Suggestion Foundation`) is intentionally later than human-guided workflow stability.
+- Spec 359 (`Localization v1`) is a likely follow-up if this matrix exposes mixed-language or dominant-copy gaps, but it should not hide workflow incoherence.
+- Spec 360 (`Portfolio / Cross-Tenant Action Readiness`) is broader than the current single-platform sellable gate.
+
+## Completed-Spec Guardrail Result
+
+| Related spec | Current repo signal | Guardrail handling for Spec 355 |
+|---|---|---|
+| Spec 351 - Review Output Resolve Actions v1 | commit `d4e4d2d1`, checked implementation tasks, residual P2 browser notes, spec header still `Draft` | runtime context only; do not normalize or silently erase historical findings |
+| Spec 352 - Environment Dashboard Operator Guidance Consolidation | commit `9a564d6b`, repo-truth says implemented | direct dependency; use as the dashboard baseline |
+| Spec 353 - Provider Connections Resolution Guidance v1 | commit `d2876af9`, spec says implemented with close-out audit pending | runtime context only; use committed behavior, not checklist wording, as truth |
+| Spec 354 - Finding Exceptions / Accepted Risk Resolution Guidance v1 | commit `a9c54205`, checked tasks, screenshots, browser smoke test file exists, spec header still `Draft` | direct dependency; verify named blocker conditions explicitly before final readiness verdict |
+
+No completed spec package is being normalized back into preparation-only wording.
+
+## Dependency Gate Verification
+
+Spec 355's own draft required:
+
+- Specs 351-354 closed/committed
+- Spec 354 patched, browser-verified, and free of specific open P1/P2 findings around:
+  - accepted-risk state priority
+  - approval queue scope continuity
+  - dominant guidance localization
+  - fake/inert recommended action semantics
+
+The implementation-phase verification completed this gate:
+
+- accepted-risk state priority: verified in browser on expired and expiring focused queue states
+- approval queue scope continuity: verified from Governance Inbox into the focused accepted-risk lane with preserved back-link context
+- dominant guidance localization: initially failed in the German focused queue lane because `FindingRiskGovernanceResolver` returned hardcoded English warning copy; fixed in-scope and re-verified
+- fake or inert recommended action semantics: not observed in the tested flows
+
+Result:
+
+- implementation proceeded legitimately
+- final readiness language is no longer blocked by the Spec 354 dependency gate
+
+## Primary Runtime Surfaces
+
+| Surface | Repo truth | Why it matters to Spec 355 |
+|---|---|---|
+| `EnvironmentDashboard` | environment-owned command surface with implemented top guidance from Spec 352 | starting point for first-blocker coherence |
+| `ProviderConnectionResource` | workspace provider hub with implemented guidance from Spec 353 | provider-owner destination for dashboard blocker routing |
+| `EnvironmentRequiredPermissions` | environment-bound provider-readiness surface with implemented guidance from Spec 353 | verifies decision-first provider blocker explanation |
+| `CustomerReviewWorkspace` | workspace review hub with implemented review-output guidance and action mapping from Spec 351 | owner surface for review-output blocker resolution |
+| `ViewEnvironmentReview` | review-owner detail surface | verifies no duplicate CTA rails and customer-safe boundary discipline |
+| `FindingExceptionsQueue` | workspace accepted-risk queue with implemented guidance from Spec 354 | owner surface for accepted-risk follow-up |
+| `ViewFindingException` | accepted-risk lifecycle detail | verifies accepted-risk guidance continuity and action safety |
+| `GovernanceInbox` | workspace-wide operator queue with existing productization and browser smoke history | cross-domain workbench continuity check |
+| `EvidenceOverview` | workspace-wide evidence hub | verifies evidence path and calm/blocked evidence messaging |
+| `ViewEvidenceSnapshot` | evidence basis detail | owner proof surface for evidence detail when review/provider flows deep-link into it |
+| `OperationRunResource` / operation detail routes | workspace operation proof truth | verifies run proof and follow-up traceability |
+
+## Existing Proof And Browser Assets
+
+| Asset | Current repo truth |
+|---|---|
+| Local/testing login helper | `/admin/local/smoke-login` exists in `apps/platform/routes/web.php` |
+| Review ready-path fixture helper | `tenantpilot:review-output:seed-browser-fixture` exists |
+| Browser smoke for Governance Inbox | `apps/platform/tests/Browser/Spec346GovernanceInboxOperatorWorkflowSmokeTest.php` exists |
+| Browser smoke for review-output actions | `apps/platform/tests/Browser/Spec351ReviewOutputResolveActionsSmokeTest.php` exists |
+| Browser smoke for dashboard guidance | `apps/platform/tests/Browser/Spec352EnvironmentDashboardGuidanceSmokeTest.php` exists |
+| Browser smoke for provider readiness | `apps/platform/tests/Browser/Spec353ProviderReadinessGuidanceSmokeTest.php` exists |
+| Browser smoke for accepted-risk guidance | `apps/platform/tests/Browser/Spec354AcceptedRiskGuidanceSmokeTest.php` exists |
+| Existing screenshots for key flows | Spec packages 351-354 already contain screenshots for dashboard, provider, review, and accepted-risk surfaces |
+
+## Coverage Gaps That Spec 355 Should Not Hide
+
+| Area | Repo truth | Implication |
+|---|---|---|
+| Evidence Overview (`UI-044`) | route-inventory entry exists, but no page report or screenshot is currently linked there | use Spec 355 artifacts first; do not claim strong durable audit history yet |
+| Workspace operation detail (`UI-017`) | route-inventory entry exists, but no page report is linked there | use Spec 355 matrix/report to capture proof-path observations |
+| Spec 351 close-out state | historical browser notes still mention residual P2 items | the sellable gate must verify whether those notes still reproduce |
+| Spec 354 close-out shape | screenshots exist, but no spec-package browser-flow audit artifact is present | dependency gate must be runtime-verified, not assumed |
+
+## Existing Fixture And Context Signals
+
+| Need | Current signal |
+|---|---|
+| Review-output blocked flow | Spec 351 smoke history plus current runtime surface and fixture command |
+| Review-output ready flow | `tenantpilot:review-output:seed-browser-fixture` exists |
+| Provider blocker flow | Spec 352/353 smoke history plus current provider-readiness surfaces |
+| Accepted-risk expiring / expired flow | Spec 354 runtime, screenshots, and browser smoke test exist |
+| Governance Inbox item flow | Governance Inbox page and existing browser smoke exist |
+| Evidence path | Evidence Overview and evidence-detail surfaces exist, but fixture richness must still be inventoried |
+| Operation proof path | operation hub/detail surfaces and proof-link helpers exist, but fixture richness must still be inventoried |
+| No urgent action state | dashboard/provider/review surfaces already claim calm states in neighboring specs; Spec 355 must verify a calm case still exists in current data |
+
+## Fixture Inventory Actually Used
+
+| Need | Verified local fixture used in Spec 355 |
+|---|---|
+| Dashboard provider blocker | workspace `spec-352-guidance-browser-audit`, environment `spec-352-audit-provider-blocker`, smoke-login user `smoke-requester+352@tenantpilot.local` |
+| Dashboard review-output blocker | workspace `spec-352-guidance-browser-audit`, environment `spec-352-audit-review-output`, review `#31` |
+| Customer Review Workspace | `environment_id=52`, draft review `#31` |
+| Accepted-risk expiring / expired / incomplete | workspace `wp`, environment `spec342-demo-accepted-risks`, exceptions `#7`, `#8`, `#9` after local-only fixture augmentation |
+| Governance Inbox item | workspace `wp`, environment `spec342-demo-accepted-risks` |
+| Evidence incomplete | workspace `wp`, environment `spec342-demo-evidence-incomplete`, operation `#24` |
+| Operation proof | workspace `wp`, environment `spec342-demo-evidence-incomplete`, operation `#24` |
+| Calm no-urgent-action state | workspace `spec-352-guidance-browser-audit`, environment `spec-352-audit-no-urgent` |
+
+## Browser Matrix Outcome
+
+- 10 of 10 required flows were exercised in the browser
+- 12 of 12 required screenshots were captured under `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/`
+- no browser console errors were observed in the Playwright session
+- no failing network or server responses were observed in the verified flows
+- one in-scope defect was found and fixed during the run:
+  - `apps/platform/app/Services/Findings/FindingRiskGovernanceResolver.php` no longer emits hardcoded English accepted-risk warning messages in the German focused queue lane
+
+## Regression Outcome
+
+- targeted affected Spec 354 regressions passed after the localization fix:
+  - `tests/Feature/Monitoring/Spec354FindingExceptionsQueueGuidanceTest.php`
+  - `tests/Feature/Findings/Spec354FindingExceptionDetailGuidanceTest.php`
+  - `tests/Unit/ResolutionGuidance/Spec354AcceptedRiskResolutionAdapterTest.php`
+- `./vendor/bin/sail php ./vendor/bin/pint --dirty` passed
+- `git diff --check` passed
+- broader `Spec351` through `Spec354` family-filter runs were attempted in Sail but were killed with exit `137`, so close-out rests on the narrower affected regressions plus browser proof
+
+## Draft-To-Repo Corrections That Must Stay Explicit
+
+1. Spec 355 is not a greenfield "sellable mode". It is a verification package over already-existing surfaces.
+2. Evidence Overview and operation detail are real surfaces, but their durable audit/report coverage is lighter than dashboard/provider/review/risk/governance.
+3. Browser proof already exists around many adjacent specs, but no current artifact ties them together into one integrated sellable-readiness call.
+4. Dependency truth for Specs 351-354 is strong but not cosmetically uniform; implementation must verify real blocker closure before claiming readiness.
+
+## Out Of Scope Confirmed By Repo Truth
+
+- no new portal or customer-facing standalone product surface
+- no PDF/HTML review-pack renderer
+- no AI guidance or private AI runtime consumer
+- no provider execution rewrite
+- no Governance Inbox or dashboard rebuild
+- no new persistence or new release-gate entity
+
+## Actual Narrow Implementation Shape
+
+- browser-first verification across the current owner surfaces
+- spec-local matrix, report, screenshot, and fixture artifacts
+- one bounded runtime fix in a pre-existing accepted-risk warning resolver
+- one targeted feature-test expansion to lock the localization boundary

specs/355-platform-sellable-smoke-matrix/spec.md

@@ -0,0 +1,456 @@
+# Feature Specification: Spec 355 - Platform Sellable Smoke Matrix
+
+**Feature Branch**: `355-platform-sellable-smoke-matrix`  
+**Created**: 2026-06-05  
+**Status**: Draft  
+**Type**: Productization gate / browser smoke matrix / sellable readiness / operator-flow verification  
+**Depends on**: Specs 351, 352, 353, 354  
+**Runtime posture**: Verification-first. Browser/readiness gate with minimal fixes only when a verified P0/P1 issue is directly in scope. No new product surface, no new framework, no customer portal, no PDF renderer, no AI lane, and no broad navigation rewrite.  
+**Input**: Direct user-provided Spec 355 draft plus repo truth from current operator/productization surfaces, existing browser smoke tests, and adjacent Specs 351-354.
+
+## Dependencies And Repo-Truth Adjustments
+
+Spec 355 is a bounded readiness gate over already repo-real operator surfaces:
+
+- `App\Filament\Pages\EnvironmentDashboard`
+- `App\Filament\Resources\ProviderConnectionResource`
+- `App\Filament\Pages\EnvironmentRequiredPermissions`
+- `App\Filament\Pages\Reviews\CustomerReviewWorkspace`
+- `App\Filament\Resources\EnvironmentReviewResource\Pages\ViewEnvironmentReview`
+- `App\Filament\Pages\Monitoring\FindingExceptionsQueue`
+- `App\Filament\Resources\FindingExceptionResource\Pages\ViewFindingException`
+- `App\Filament\Pages\Governance\GovernanceInbox`
+- `App\Filament\Pages\Monitoring\EvidenceOverview`
+- `App\Filament\Resources\EvidenceSnapshotResource\Pages\ViewEvidenceSnapshot`
+- `App\Filament\Resources\OperationRunResource`
+
+Repo-truth adjustments against the user draft:
+
+- Specs 351-354 are commit-backed on `platform-dev`, but the close-out metadata is not perfectly uniform across their spec packages. Spec 355 must treat dependency verification as an explicit first-phase gate instead of assuming all neighboring packages are perfectly normalized.
+- Spec 351 has checked implementation tasks and a commit (`d4e4d2d1`), but its spec header still says `Draft` and its browser-flow audit records residual P2 observations. Spec 355 may depend on the implemented runtime truth, but must not silently treat historical P2 notes as already closed.
+- Spec 352 is the cleanest dependency signal: repo-truth and page-report artifacts both describe the dashboard guidance slice as implemented.
+- Spec 353 marks itself `Implemented (close-out audit pending)` and has a commit (`d2876af9`), but some checklist language still reflects prep wording. Spec 355 should rely on runtime truth plus committed tests/screenshots, not on any single metadata field alone.
+- Spec 354 has a commit (`a9c54205`), checked implementation tasks, screenshots, and an existing browser smoke test file, but the spec header still says `Draft` and the spec package does not yet contain a dedicated browser-flow audit report. Spec 355 must verify whether the specific named dependency concerns are actually closed before issuing a sellable-readiness verdict.
+- Existing browser smoke assets already exist for Governance Inbox, review-output guidance, provider-readiness guidance, accepted-risk guidance, and dashboard guidance. Spec 355 should reuse that repo history as context, but the sellable-readiness claim must come from a fresh cross-surface matrix rather than from neighboring spec assertions alone.
+- `docs/ui-ux-enterprise-audit/route-inventory.md` already covers most in-scope surfaces. Evidence Overview (`UI-044`) and workspace operation detail (`UI-017`) still lack the same durable page-report depth as other strategic surfaces, so Spec 355 should use its own artifacts first and only expand the audit registry if a minimal P0/P1 fix materially changes those surfaces.
+
+## Spec Candidate Check *(mandatory - SPEC-GATE-001)*
+
+- **Problem**: TenantPilot now has several productized operator flows, but they were implemented across separate specs. The platform can still feel fragmented if the first blocker, next action, scope boundary, customer-safe boundary, and proof path do not line up across dashboard, provider, review, risk, evidence, governance, and operations surfaces.
+- **Today's failure**: An MSP operator can still land in a troubleshooting maze where one page says "provider blocked", another says "review blocked", a detail page promotes the wrong CTA, accepted-risk wording drifts from review wording, or proof links and environment scope feel disconnected.
+- **User-visible improvement**: A sellable smoke matrix proves whether the current platform feels like one governed MSP operating system: one dominant next action, correct scope continuity, conservative customer-safe boundaries, and coherent evidence/proof paths across the most important workflows.
+- **Smallest enterprise-capable version**: Verify the existing surfaces end-to-end in a browser, capture screenshots, classify failures, and allow only direct P0/P1 fixes on the owning surfaces when absolutely necessary to make the platform coherent enough for operator demo/sellable-readiness use.
+- **Explicit non-goals**: No customer portal, no PDF/HTML renderer, no AI guidance, no PSA/ITSM handoff, no new provider execution logic, no new resolution-adapter rollout, no dashboard rewrite, no Governance Inbox rewrite, no EvidenceSnapshot generation rewrite, no new database table, and no broad localization initiative.
+- **Permanent complexity imported**: One spec-local smoke matrix, one readiness report, optional blocked-fixture notes, screenshots, and at most targeted regression tests for direct P0/P1 fixes. No new persisted product truth, no new enum family, no new framework, and no new workflow engine are intended.
+- **Why now**: Specs 351-354 created a strong operator-guidance foundation, but the next sellability question is cross-surface coherence, not another isolated feature. This is the bounded gate before broader follow-up lanes such as renderers, customer portal contracts, or private AI assistance.
+- **Why not local**: A page-local review on only dashboard, only provider readiness, or only accepted risk would miss the actual productization risk, which is cross-surface contradiction and broken continuity. The smallest honest slice is one integrated browser matrix across the existing owner surfaces.
+- **Approval class**: Core Enterprise.
+- **Red flags triggered**: Strategic operator surfaces, cross-surface workflow assertions, customer-safe boundary verification, and browser-heavy proof. Defense: the slice is verification-first, forbids broad runtime expansion, reuses existing product truth, and allows only minimal P0/P1 fixes.
+- **Score**: Nutzen: 2 | Dringlichkeit: 2 | Scope: 2 | Komplexitaet: 1 | Produktnaehe: 2 | Wiederverwendung: 1 | **Gesamt: 10/12**
+- **Decision**: approve with strict dependency-gate and no-new-surface guardrails.
+
+## Candidate Source And Completed-Spec Guardrail
+
+- **Candidate source**:
+  - direct user-provided Spec 355 draft
+  - immediate follow-through over Specs 351-354
+  - existing UI audit registry, route inventory, and browser smoke coverage across the affected operator surfaces
+- **Completed-spec guardrail result**:
+  - no `specs/355-*` package existed before this preparation run
+  - Specs 351-354 are adjacent historical/runtime context only and must not be rewritten back into preparation-only wording
+  - no completed task markers, screenshots, or historical findings are being removed from any earlier spec package
+- **Close alternatives deferred**:
+  - Spec 356 - Review Pack PDF/HTML Renderer v1
+  - Spec 357 - Customer Portal Boundary Contract
+  - Spec 358 - Private AI Resolution Suggestion Foundation
+  - Spec 359 - Localization v1
+  - Spec 360 - Portfolio / Cross-Tenant Action Readiness
+- **Smallest viable implementation slice**: browser-verify the current productized operator surfaces, record a defensible pass/fail/blocked matrix, and only patch direct P0/P1 issues on the owning surfaces when the issue is clearly in scope and cheaply provable.
+
+## Spec Scope Fields *(mandatory)*
+
+- **Scope**: workspace-wide hubs plus environment-bound owner surfaces, verified as one integrated operator flow.
+- **Primary Routes**:
+  - `/admin/workspaces/{workspace}/environments/{environment}`
+  - `/admin/provider-connections`
+  - `/admin/workspaces/{workspace}/environments/{environment}/required-permissions`
+  - `/admin/reviews/workspace`
+  - `/admin/workspaces/{workspace}/environments/{environment}/environment-reviews/{record}`
+  - `/admin/finding-exceptions/queue`
+  - `/admin/workspaces/{workspace}/environments/{environment}/finding-exceptions/{record}`
+  - `/admin/governance/inbox`
+  - `/admin/evidence/overview`
+  - `/admin/workspaces/{workspace}/operations`
+  - `/admin/workspaces/{workspace}/operations/{run}`
+- **Data Ownership**:
+  - existing dashboard, provider, review, accepted-risk, evidence, and `OperationRun` truth remain authoritative
+  - smoke matrix, readiness report, blocked-fixture notes, and screenshots are spec-package artifacts only
+  - no new database persistence is introduced
+- **RBAC**:
+  - existing workspace membership, environment entitlement, and capability checks remain authoritative
+  - no new authorization plane or capability family is introduced
+  - any minimal fix must preserve `404` for out-of-scope access and current capability-enforced mutation behavior
+
+For mixed workspace-hub and environment-owner verification:
+
+- **Default filter behavior when environment-context is active**: workspace hubs may use explicit `environment_id` filters where already repo-real, but they must not depend on hidden shell/session scope or stale `tenant` query behavior.
+- **Explicit entitlement checks preventing cross-tenant leakage**: all deep links and proof routes must continue to resolve through the current workspace membership plus entitled environment scope only.
+
+## UI Surface Impact *(mandatory - UI-COV-001)*
+
+- [ ] No UI surface impact
+- [x] Existing page changed
+- [x] Navigation changed
+- [ ] Filament panel/provider surface changed
+- [ ] New modal/drawer/wizard/action added
+- [ ] New table/form/state added
+- [x] Customer-facing surface changed
+- [x] Dangerous action changed
+- [x] Status/evidence/review presentation changed
+- [x] Workspace/environment context presentation changed
+
+## UI/Productization Coverage *(mandatory when UI Surface Impact is not "No UI surface impact")*
+
+- **Route/page/surface**:
+  - Environment Dashboard top guidance and CTA continuity
+  - Provider Connections and Required Permissions
+  - Customer Review Workspace and Environment Review detail
+  - Finding Exceptions Queue and Exception Detail
+  - Governance Inbox
+  - Evidence Overview and evidence-basis drill-through
+  - Operations hub / operation proof detail
+- **Current or new page archetype**:
+  - existing strategic workspace or environment operator surfaces only
+  - no new page archetype is introduced
+- **Design depth**:
+  - Environment Dashboard, Provider Connections, Governance Inbox, Customer Review Workspace, Evidence Overview, and Operations are Strategic Surfaces
+  - Environment Review detail, Exception Detail, and Required Permissions remain existing detail/domain surfaces with high productization sensitivity
+- **Repo-truth level**: repo-verified runtime surfaces
+- **Existing pattern reused**:
+  - Specs 351-354 operator-guidance patterns
+  - current page reports for dashboard, provider connections, required permissions, customer review workspace, environment review detail, governance inbox, operations, finding exceptions queue, and exception detail
+  - current route inventory for Evidence Overview and operation detail
+- **New pattern required**: none in the product. The only new artifact pattern is the spec-local smoke matrix and readiness report.
+- **Screenshot required**: yes, under `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/`
+- **Page audit required**:
+  - no broad UI audit rewrite by default
+  - use existing page reports plus Spec 355 artifacts as the primary verification package
+  - if a minimal P0/P1 fix materially changes Evidence Overview or operation detail, record the audit follow-up explicitly during close-out
+- **Customer-safe review required**: yes, because review-output, evidence, accepted-risk, and operation-proof flows may otherwise overclaim customer-ready or shareable output
+- **Dangerous-action review required**: yes; publish, approve/reject, renew/revoke, and other state-changing actions must remain confirmation- and authorization-safe even when the smoke matrix evaluates prominence or disabled state
+- **Coverage files updated or explicitly not needed**:
+  - [ ] `docs/ui-ux-enterprise-audit/route-inventory.md`
+  - [ ] `docs/ui-ux-enterprise-audit/design-coverage-matrix.md`
+  - [x] `docs/ui-ux-enterprise-audit/page-reports/...`
+  - [ ] `docs/ui-ux-enterprise-audit/strategic-surfaces.md`
+  - [ ] `docs/ui-ux-enterprise-audit/grouped-follow-up-candidates.md`
+  - [x] `docs/ui-ux-enterprise-audit/unresolved-pages.md`
+  - [ ] `N/A - no reachable UI surface impact`
+- **No-impact rationale when applicable**: N/A
+
+## Cross-Cutting / Shared Pattern Reuse *(mandatory)*
+
+- **Cross-cutting feature?**: yes
+- **Interaction class(es)**: dashboard signals, next-action guidance, status messaging, proof links, evidence/report viewers, governance queue routing, and customer-safe review messaging
+- **Systems touched**:
+  - `App\Support\EnvironmentDashboard\EnvironmentDashboardSummaryBuilder`
+  - `App\Support\ResolutionGuidance\ResolutionCase`
+  - `App\Support\ResolutionGuidance\ResolutionAction`
+  - `App\Support\ReviewPacks\ReviewPackOutputResolutionGuidance`
+  - `App\Services\Findings\FindingRiskGovernanceResolver`
+  - `App\Support\GovernanceInbox\GovernanceInboxSectionBuilder`
+  - `App\Support\OperationRunLinks`
+  - `App\Support\OpsUx\OperationRunUrl`
+  - existing provider-readiness summary and required-permissions builders
+- **Existing pattern(s) to extend**:
+  - Specs 351-354 guidance hierarchy and owner-surface continuity
+  - existing `OperationRun` proof-link helpers
+  - current page-report and route-inventory productization registry
+- **Shared contract / presenter / builder / renderer to reuse**:
+  - `ResolutionCase` / `ResolutionAction`
+  - `GovernanceActionCatalog`
+  - `EnvironmentDashboardSummaryBuilder`
+  - `GovernanceInboxSectionBuilder`
+  - `OperationRunUrl` / `OperationRunLinks`
+- **Why the existing shared path is sufficient or insufficient**: the repo already has the operator-guidance and proof-link paths needed for this gate. Spec 355 should verify and minimally align them, not invent a second integration framework.
+- **Allowed deviation and why**: none inside product runtime. Spec-local matrix/report artifacts are allowed because the product itself has no current sellable-readiness artifact surface.
+- **Consistency impact**: one dominant next action, conservative customer-safe claims, stable canonical nouns, consistent deep-link behavior, and diagnostics-secondary disclosure must stay aligned across all tested surfaces.
+- **Review focus**: prevent duplicate local CTA rails, fake remediation actions, raw-first detail defaults, broken proof links, and cross-surface terminology drift.
+
+## OperationRun UX Impact *(mandatory)*
+
+- **Touches OperationRun start/completion/link UX?**: deep-link and proof continuity only
+- **Shared OperationRun UX contract/layer reused**:
+  - existing `OperationRunUrl`
+  - existing `OperationRunLinks`
+  - existing workspace operation hub and operation detail resource routes
+- **Delegated start/completion UX behaviors**:
+  - `Open operation` / `View run` link continuity
+  - tenant/workspace-safe URL resolution
+  - proof/deep-link behavior only
+- **Local surface-owned behavior that remains**: deciding whether operation proof is the right secondary follow-up or whether it should remain tertiary diagnostics beneath a more important next action
+- **Queued DB-notification policy**: unchanged
+- **Terminal notification path**: unchanged
+- **Exception required?**: none
+
+## Provider Boundary / Platform Core Check *(mandatory)*
+
+- **Shared provider/platform boundary touched?**: yes, as verification-only mixed context
+- **Boundary classification**: mixed
+- **Seams affected**:
+  - provider-owned readiness surfaces: Provider Connections, Required Permissions
+  - platform-core operator surfaces: Environment Dashboard, Customer Review Workspace, Governance Inbox, Evidence Overview, accepted-risk owner surfaces, Operations
+- **Neutral platform terms preserved or introduced**:
+  - provider blocker
+  - review output blocker
+  - accepted risk
+  - evidence basis
+  - operation proof
+  - customer-safe boundary
+- **Provider-specific semantics retained and why**: Microsoft/provider-specific permission and consent wording remains only on the provider-owned surfaces where current repo truth already requires it.
+- **Why this does not deepen provider coupling accidentally**: Spec 355 does not add new shared taxonomy, persistence, or provider abstraction. It only verifies the current provider-owned and platform-core seams behave coherently.
+- **Follow-up path**: `document-in-feature` if the smoke matrix uncovers a provider/platform drift that is out of scope for a minimal direct fix
+
+## UI / Surface Guardrail Impact *(mandatory)*
+
+| Surface / Change | Operator-facing surface change? | Native vs Custom | Shared-Family Relevance | State Layers Touched | Exception Needed? | Low-Impact / `N/A` Note |
+|---|---|---|---|---|---|---|
+| Environment Dashboard top guidance and CTA continuity | yes | Native Filament dashboard plus shared guidance payload | dashboard signals, proof links, next-action guidance | page, header, URL | no | existing route only |
+| Provider Connections / Required Permissions | yes | Native Filament resource + page | provider-readiness guidance, blocker routing | page, table/filter, detail | no | existing routes only |
+| Customer Review Workspace / Environment Review detail | yes | Native Filament page + resource detail | review-output guidance, customer-safe disclosure, action hierarchy | page, detail, URL | no | existing routes only |
+| Finding Exceptions Queue / Exception Detail | yes | Native Filament page + resource detail | accepted-risk guidance, governance continuity | page, detail, URL | no | existing routes only |
+| Governance Inbox | yes | Native Filament page | cross-domain queue routing, next-action labels | page, URL | no | existing route only |
+| Evidence Overview / Evidence basis drill-through | yes | Native Filament page + resource detail | evidence/proof disclosure, customer-safe boundary | page, detail, table/filter | no | current page-report depth is lighter than other strategic surfaces |
+| Operations hub / operation proof | yes | Native Filament route + resource detail | proof links, monitoring detail, diagnostics hierarchy | page, detail, URL | no | current route-inventory coverage exists; close-out may need extra note |
+
+## Decision-First Surface Role *(mandatory)*
+
+| Surface | Decision Role | Human-in-the-loop Moment | Immediately Visible for First Decision | On-Demand Detail / Evidence | Why This Is Primary or Why Not | Workflow Alignment | Attention-load Reduction |
+|---|---|---|---|---|---|---|---|
+| Environment Dashboard | Primary Decision Surface | Decide what blocks the environment first | blocker, reason, impact, one next action | proof rails, diagnostics, secondary links | primary because it is the environment command surface | environment-first operating flow | avoids opening multiple admin pages before understanding the blocker |
+| Provider Connections / Required Permissions | Primary Decision Surface | Resolve provider readiness blocker safely | blocker category, why it matters, one next action | matrix, verification detail, technical disclosure | primary when provider readiness is the top blocker | provider-owner flow | avoids badge/count interpretation work |
+| Customer Review Workspace | Primary Decision Surface | Decide what is needed before customer-safe output | output readiness, limitation boundary, one next action | deeper review/evidence context | primary when review output is the top blocker | review-owner flow | avoids review-detail reconstruction |
+| Environment Review detail | Secondary Context | Validate the selected review and perform source-owned actions | readiness state, limitations, source-owned action hierarchy | evidence, history, proof | secondary because the workspace owns the overview decision | review-owner detail flow | avoids duplicate equal-weight decision homes |
+| Finding Exceptions Queue | Primary Decision Surface | Decide which accepted risk needs governance action now | risk state, why it matters, one next action | deeper evidence/history | primary because it owns accepted-risk triage | accepted-risk owner flow | avoids status-badge translation |
+| Governance Inbox | Primary Decision Surface | Clear cross-domain governance follow-up | queue summary, why it matters, one next action | deeper owner-surface context after click | primary as the cross-domain workbench, but not the owner for every domain action | daily operator queue | avoids hunting across many hubs |
+| Evidence Overview | Secondary Context | Decide whether evidence is sufficient to trust or share an output | readiness/proof summary, stale/missing evidence state | raw evidence rows and detail | secondary because evidence supports other owner surfaces | evidence/proof support flow | avoids raw-report-first reading |
+| Operations hub / operation proof | Tertiary Evidence / Diagnostics | Verify truth of a referenced operation or follow-up | run status, outcome, environment/source linkage | full operation context and technical detail | tertiary because proof should not compete with the primary workflow CTA | proof-verification flow | keeps monitoring detail out of first-decision space unless needed |
+
+## Audience-Aware Disclosure *(mandatory)*
+
+| Surface | Audience Modes In Scope | Decision-First Default-Visible Content | Operator Diagnostics | Support / Raw Evidence | One Dominant Next Action | Hidden / Gated By Default | Duplicate-Truth Prevention |
+|---|---|---|---|---|---|---|---|
+| Dashboard and provider/review/risk owner surfaces | operator-MSP, manager | blocker, impact, next action, scope | related proof, secondary links | raw payloads, technical diagnostics | yes | raw/support detail remains secondary | the blocker is stated once and not restated as a competing CTA rail |
+| Customer Review Workspace and review detail | operator-MSP, customer-safe operator handoff | release/readiness state, customer-safe boundary, next action | evidence basis, accepted-risk summary | internal rationale, raw metadata, debug detail | yes | internal-only detail remains secondary | customer-ready claim is kept distinct from internal draft/proof detail |
+| Governance Inbox | operator-MSP | queue summary, why it matters, one next step | lane-specific detail after inspection | raw/support data belongs on owner surfaces | yes | deep diagnostics stay off the first screen | inbox routes into owner surfaces rather than duplicating their truths |
+| Evidence Overview | operator-MSP, support where authorized | missing/stale/ready evidence state and what it blocks | evidence source detail, row-level artifact state | raw payload detail, fingerprints, support-only data | yes, if blocked | raw/support detail remains secondary | evidence supports a blocker; it does not restate every owner-surface summary |
+| Operations hub / operation proof | operator-MSP, support-platform | run status, outcome, environment/source association | full run context, summary counts, timestamps | raw support details and deep technical context | no new primary beyond proof verification | deep diagnostics remain tertiary | proof answers "did it happen?" without becoming the default action rail |
+
+## UI/UX Surface Classification *(mandatory)*
+
+| Surface | Action Surface Class | Surface Type | Likely Next Operator Action | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type / Justification |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| Environment Dashboard | Dashboard / Workbench | Command surface | Open the dominant owner surface | page-level CTA | N/A | compact subordinate links | none in this spec | environment dashboard route | owner surface route | workspace + environment | Environment Dashboard | top blocker and next action | none |
+| Provider Connections | List / Table / Bulk | Strategic integration list | Open required permissions, grant consent, or run verification | table inspect/open | existing | More / supporting links | existing grouped actions only | `/admin/provider-connections` | current record/detail routes | workspace + optional environment filter | Provider Connections | blocker category and next action | none |
+| Required Permissions | Detail / Guidance | Guidance-first diagnostic detail | Review missing permission category or verification blocker | page-level sections | N/A | supporting diagnostic sections | none introduced | required-permissions route | N/A | workspace + environment | Required Permissions | blocker and why it matters | none |
+| Customer Review Workspace | Dashboard / Workbench | Customer-safe operator hub | Create/open/refresh/publish only when repo-backed and safe | page-level CTA | existing list/detail entry points | supporting actions below dominant CTA | source-owned destructive actions stay secondary | `/admin/reviews/workspace` | review detail route | workspace + explicit environment filter | Customer Review Workspace | output readiness and next action | none |
+| Environment Review Detail | Detail / Record | Review-owner detail | Validate or execute the source-owned action | existing detail/open model | existing | contextual detail only | existing header actions only | environment review list | current detail route | workspace + environment + record | Environment Review | readiness, limitations, primary owner action | none |
+| Finding Exceptions Queue / Detail | Queue + Record Detail | Accepted-risk owner surfaces | Review accepted risk or execute source-owned lifecycle action | queue inspect/open then detail | existing | supporting context | existing approve/reject/renew/revoke placement | queue route | current detail route | workspace or environment + record | Accepted Risk / Exception | governance state and next action | none |
+| Governance Inbox | Queue | Cross-domain operator queue | Open the owning surface for the active case | queue inspect/open | existing | secondary context only | none introduced | `/admin/governance/inbox` | owner surface route | workspace + optional environment filter | Governance Inbox | why this item matters and what to open | none |
+| Evidence Overview / Operation proof | List / Detail | Evidence / diagnostics support | Inspect evidence or verify operation proof | current list/detail model | existing where available | diagnostics and technical detail remain secondary | none introduced | `/admin/evidence/overview`, `/admin/workspaces/{workspace}/operations` | current detail routes | workspace + optional environment filter | Evidence / Operation | readiness or run truth needed for trust | none |
+
+## Operator Surface Contract *(mandatory)*
+
+| Surface | Primary Persona | Decision / Operator Action Supported | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
+|---|---|---|---|---|---|---|---|---|---|---|
+| Environment Dashboard | MSP operator / manager | Decide what to do first in this environment | command surface | What blocks this environment first? | top blocker, impact, one next step | proof and secondary diagnostics | provider, review, governance, evidence, operations | navigation-only in this spec | open owner surface | none introduced |
+| Provider readiness owner surfaces | MSP operator / manager | Resolve provider blocker safely | strategic list/detail | What provider readiness issue matters now? | blocker category, effect on TenantPilot, one next action | permission matrix, technical verification detail | consent, permission, verification freshness | existing source-owned provider actions only | grant consent, run verification, open permissions | existing provider actions remain guarded |
+| Review owner surfaces | MSP operator / manager | Resolve blocked output or confirm ready output | workspace hub + detail | What is preventing customer-safe output? | readiness, limitations, one next action | deeper evidence and lifecycle detail | publication, output readiness, evidence completeness | existing review actions only | create/open/refresh/publish when safe | existing publish/refresh/create actions stay source-owned |
+| Accepted-risk owner surfaces | MSP operator / manager | Review accepted-risk governance coverage | queue + detail | Which accepted risk needs action and why? | governance state, impact, one next action | history, deeper evidence, related context | expiry, freshness, governance support | existing exception actions only | review accepted risk | approve/reject/renew/revoke remain guarded |
+| Governance Inbox | MSP operator / manager | Route cross-domain work to the right owner surface | queue | What governance item should I clear next? | queue summary, reason, one next step | full owner-surface detail after open | queue state, severity, follow-up need | navigation-only in this spec | open owner surface | none introduced |
+| Evidence / Operations proof | MSP operator / support | Verify proof and trust boundaries | evidence/monitoring support | Is the referenced evidence or run trustworthy and in scope? | readiness/proof summary, environment/source association | raw detail, technical context, timestamps | evidence completeness, run status, run outcome | none | inspect evidence or run | none introduced |
+
+## Proportionality Review *(mandatory when structural complexity is introduced)*
+
+- **New source of truth?**: no
+- **New persisted entity/table/artifact?**: no product persistence; spec artifacts only
+- **New abstraction?**: no
+- **New enum/state/reason family?**: no
+- **New cross-domain UI framework/taxonomy?**: no
+- **Current operator problem**: the platform may still feel fragmented across already-productized flows even when each individual flow works in isolation.
+- **Existing structure is insufficient because**: isolated specs and page-local tests do not prove the integrated sellable operator experience.
+- **Narrowest correct implementation**: one browser smoke matrix, one readiness report, and only minimal direct P0/P1 fixes on current owner surfaces.
+- **Ownership cost**: artifact upkeep, screenshots, and regression verification only.
+- **Alternative intentionally rejected**: broad navigation or workflow redesign, new portal, or new guidance engine.
+- **Release truth**: current-release truth.
+
+### Compatibility posture
+
+This feature assumes the repo's current pre-production posture.
+
+Backward compatibility, migration shims, data-shape aliases, and legacy fixtures are out of scope unless a minimal direct fix explicitly proves they are needed, which is not expected for this verification gate.
+
+## Testing / Lane / Runtime Impact *(mandatory for runtime behavior changes)*
+
+- **Livewire version contract**: unchanged; current repo truth remains Livewire v4.x.
+- **Filament panel/provider registration**: unchanged; `apps/platform/bootstrap/providers.php` remains authoritative and is not part of this slice.
+- **Global search**: unchanged; no resource is made globally searchable by this spec.
+- **Test purpose / classification**:
+  - Browser for the integrated sellable smoke matrix
+  - Feature/Livewire and/or Unit only if a direct P0/P1 fix needs targeted proof
+- **Validation lane(s)**: browser + confidence + fast-feedback
+- **Why this lane mix is the narrowest sufficient proof**: the primary question is cross-surface operator trust and workflow continuity. Browser verification must lead; code-level tests are only needed to guard a direct in-scope fix.
+- **New or expanded test families**: none by default; one bounded `Spec355` browser smoke or targeted regression additions only if needed
+- **Fixture / helper cost impact**: may reuse existing smoke-login and local/testing fixture commands; no new persisted product fixture truth is planned
+- **Heavy-family visibility / justification**: browser coverage is explicit because this is a sellable-readiness gate over strategic operator surfaces
+- **Special surface test profile**:
+  - `monitoring-state-page` for Operations proof
+  - `shared-detail-family` for review and exception detail
+  - `standard-native-filament` elsewhere
+- **Reviewer handoff**: reviewers must confirm that blocked flows are not misclassified as pass, that dependency caveats are documented, and that any fix stayed direct and owner-surface-local.
+- **Budget / baseline / trend impact**: none expected beyond one bounded browser verification/reporting slice
+- **Escalation needed**: `document-in-feature` if dependency close-out or fixture blockers remain; `follow-up-spec` only if repeated structural drift appears
+- **Active feature PR close-out entry**: Guardrail / Exception / Smoke Coverage
+- **Planned validation commands**:
+  - `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec351`
+  - `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec352`
+  - `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec353`
+  - `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec354`
+  - `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=CustomerReviewWorkspace`
+  - `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=EnvironmentDashboard`
+  - `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=ProviderConnection`
+  - `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=FindingException`
+  - `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=ResolutionGuidance`
+  - `cd apps/platform && ./vendor/bin/sail pint --dirty`
+  - `git diff --check`
+
+## Functional Requirements
+
+- **FR-355-001**: Spec 355 must produce `artifacts/platform-sellable-smoke-matrix.md` with the required matrix columns and one row per required smoke flow.
+- **FR-355-002**: Spec 355 must verify at least these flows when fixture truth exists: Environment Dashboard -> provider blocker, Environment Dashboard -> review-output blocker, Customer Review Workspace resolve loop, Environment Review detail in customer-workspace context, Provider Connections / Required Permissions, accepted-risk owner surfaces, Governance Inbox, Evidence Overview / evidence basis, operation proof, and calm no-urgent-action state.
+- **FR-355-003**: Each tested surface must answer, within one first-screen decision view, what the state is, why it matters, and what the next action is.
+- **FR-355-004**: Each tested flow must verify one dominant primary action and no competing duplicate CTA rails.
+- **FR-355-005**: Each tested flow must verify workspace/environment/source-record scope continuity and document any stale query or hidden-context dependency.
+- **FR-355-006**: Each tested flow must verify customer-safe boundaries and explicitly fail if blocked/internal/limited output is shown as customer-safe or shareable.
+- **FR-355-007**: Each tested flow must record browser-visible errors, console errors, and network/server errors when present.
+- **FR-355-008**: Required screenshots must be saved under `artifacts/screenshots/` or marked blocked with a concrete reason in the matrix.
+- **FR-355-009**: The readiness report must classify the platform as `demo-ready`, `near-demo-ready`, `not demo-ready`, `sellable foundation-ready`, or `blocked`.
+- **FR-355-010**: Blocked flows must remain `BLOCKED` and must not be re-labeled as pass because the operator guessed what the page should have done.
+- **FR-355-011**: Only verified P0/P1 issues may be fixed in-spec, and only when the fix is direct, narrow, and covered by targeted proof.
+- **FR-355-012**: If a direct P0/P1 fix is applied, the affected flow must be re-run and the matrix/report must reflect the post-fix result.
+- **FR-355-013**: The final close-out for Spec 355 must state clearly whether full-suite validation was or was not run.
+
+## Non-Functional Requirements
+
+- **NFR-355-001**: Verification-first. The spec must prefer browser evidence and artifact honesty over optimistic product claims.
+- **NFR-355-002**: No new runtime architecture, persistence, or workflow engine may be introduced.
+- **NFR-355-003**: Existing RBAC, audit, confirmation, and `OperationRun` ownership must remain authoritative.
+- **NFR-355-004**: No live provider or Graph call may be introduced during render as part of any minimal smoke-fix.
+- **NFR-355-005**: The smoke package must stay reviewable and bounded: one spec directory, one matrix, one readiness report, targeted screenshots, and optional blocked-fixture notes only.
+- **NFR-355-006**: The readiness verdict must remain conservative whenever dependencies or fixtures are incomplete.
+- **NFR-355-007**: No claim of sellable readiness may be made without browser-backed evidence stored in the spec package.
+
+## UX Requirements
+
+- The first visible state on each tested surface must be decision-first, not diagnostics-first.
+- Exactly one action may be visually primary per tested case.
+- Raw diagnostics, matrices, JSON-like detail, and support-only context must remain secondary or collapsed by default.
+- Calm/no-urgent-action states must not read as empty or broken.
+- Navigation continuity must feel intentional: the operator should not wonder why the CTA landed on a different story than the source page suggested.
+
+## RBAC / Security Requirements
+
+- Existing workspace membership and environment entitlement remain authoritative and must be smoke-verified where relevant.
+- Customer-safe output must not overclaim when evidence is incomplete, publication is blocked, accepted risk is expired/incomplete, or the export is limited/internal-only.
+- Dangerous actions must keep current confirmation and authorization posture even if Spec 355 changes their prominence, disabled state, or label.
+- The smoke matrix must classify wrong-scope, wrong-workspace, or unauthorized-link exposure as P0.
+
+## Auditability / Observability Requirements
+
+- Existing `OperationRun`, audit-log, and verification ownership remain authoritative.
+- The smoke matrix and readiness report must explicitly state whether console, network, or server errors were observed.
+- Any minimal fix must preserve existing audit and proof-link behavior; Spec 355 is not allowed to create a second proof path.
+
+## Data / Truth-Source Requirements
+
+- Existing surface truth remains derived from the current repo runtime only.
+- Smoke artifacts under `specs/355-platform-sellable-smoke-matrix/artifacts/` are the only new durable artifacts.
+- No database table, snapshot, or persisted readiness classifier may be introduced.
+
+## Acceptance Criteria
+
+- **AC1**: `artifacts/platform-sellable-smoke-matrix.md` exists and lists all required flows with result/status fields.
+- **AC2**: Required screenshots exist or each missing screenshot is explicitly explained.
+- **AC3**: No open P0/P1 remains at close unless the user explicitly chooses to defer it.
+- **AC4**: Customer-safe boundary handling is browser-verified on the relevant review/evidence/risk flows.
+- **AC5**: Workspace/environment continuity is browser-verified on the relevant dashboard/provider/review/governance/evidence/operations flows.
+- **AC6**: Each key surface in the matrix shows one dominant next action or is explicitly failed for not doing so.
+- **AC7**: No fake remediation or unsupported execution action is introduced as part of a smoke-driven fix.
+- **AC8**: `artifacts/platform-sellable-readiness-report.md` exists and states a conservative readiness classification.
+- **AC9**: The targeted regression commands named in this spec remain green after any direct in-scope fix.
+- **AC10**: No migration, new package, new panel/provider change, new queue family, or new persisted truth is introduced by this spec.
+
+## Success Criteria
+
+- An MSP operator can move from first blocker to owning surface to proof/follow-up without hitting a contradictory or diagnostics-first product path.
+- The platform no longer requires hidden context knowledge to understand which page owns the next step.
+- Customer-safe output claims stay conservative and truthful across the tested flows.
+- The readiness report gives a defensible close/fix/defer recommendation without hand-waving over blocked fixtures or open critical findings.
+
+## User Scenarios & Testing *(mandatory)*
+
+### User Story 1 - Follow the dominant blocker path (Priority: P1)
+
+As an MSP operator, I can open an environment, understand the highest-priority blocker, and land on the owning surface that shows the same story and one safe next step.
+
+**Independent Test**: Browser verification of dashboard -> provider blocker and dashboard -> review-output blocker continuity with matching blocker language, preserved scope, and one dominant CTA.
+
+### User Story 2 - Resolve review and accepted-risk follow-up without CTA conflict (Priority: P1)
+
+As an MSP operator, I can use the review-output and accepted-risk owner surfaces without competing action rails, fake buttons, or diagnostics overtaking the main next step.
+
+**Independent Test**: Browser verification of Customer Review Workspace, Environment Review detail, Finding Exceptions Queue, and Exception Detail with one dominant next action and conservative secondary disclosure.
+
+### User Story 3 - Verify evidence and proof before trusting customer-safe output (Priority: P1)
+
+As an MSP operator, I can verify whether evidence and operation proof support the current claim before I treat the output as ready or shareable.
+
+**Independent Test**: Browser verification of Evidence Overview/evidence-basis links and operation proof links, plus explicit checks that blocked or limited outputs do not present themselves as customer-ready.
+
+### User Story 4 - See a calm no-urgent-action state and a defensible readiness verdict (Priority: P2)
+
+As a product owner or demo operator, I can distinguish a calm ready state from a broken/empty page and get a final readiness classification that honestly reflects what was and was not proven.
+
+**Independent Test**: Browser verification of at least one no-urgent-action state when fixture truth exists, plus a completed readiness report that counts pass/fail/blocked flows conservatively.
+
+## Risks
+
+- **Risk 1 - Dependency ambiguity**: neighboring spec packages do not all carry identical close-out metadata. Mitigation: explicit dependency gate in Phase 1 and conservative blocked/readiness language.
+- **Risk 2 - Fixture incompleteness**: one or more target states may not exist in current local/demo data. Mitigation: inventory fixtures first, record blocked states explicitly, and avoid false pass claims.
+- **Risk 3 - Scope creep into redesign**: productization pain across many surfaces can tempt a broad rewrite. Mitigation: allow only direct P0/P1 fixes on owner surfaces.
+- **Risk 4 - Customer-safe overclaim**: a smoke flow may accidentally trust internal-only detail, stale evidence, or expired accepted risk. Mitigation: treat any such case as at least P1 and usually P0 when output safety is affected.
+- **Risk 5 - Browser-only proof drift**: manual browser success without stored artifacts can become unreviewable. Mitigation: save screenshots and fill the matrix/report as the source of truth.
+
+## Follow-Up Candidates
+
+- Spec 356 - Review Pack PDF/HTML Renderer v1
+- Spec 357 - Customer Portal Boundary Contract
+- Spec 358 - Private AI Resolution Suggestion Foundation
+- Spec 359 - Localization v1
+- Spec 360 - Portfolio / Cross-Tenant Action Readiness
+
+## Assumptions
+
+- Existing dashboard/provider/review/risk/evidence/operations surfaces already contain enough repo-real behavior to make a meaningful integrated sellable-readiness call without inventing new flows.
+- Existing smoke-login and local/testing fixture helpers are sufficient to exercise at least the core required flows, or blocked states can be documented honestly without widening scope.
+- Any direct P0/P1 fix will be local to an existing owner surface and will not require new persistence or framework work.
+- The user wants preparation artifacts only in this turn; no application implementation is performed as part of the prep.
+
+## Open Questions
+
+No blocking preparation questions remain.
+
+Implementation should still verify two runtime gates before declaring the platform ready:
+
+- whether Spec 354's specifically named dependency concerns are demonstrably closed on the current repo truth
+- whether all required smoke states can be exercised with current local/testing fixtures or whether some flows must remain `BLOCKED`

specs/355-platform-sellable-smoke-matrix/tasks.md

@@ -0,0 +1,161 @@
+# Tasks: Spec 355 - Platform Sellable Smoke Matrix
+
+**Input**: `specs/355-platform-sellable-smoke-matrix/spec.md`, `plan.md`, `repo-truth-map.md`, `artifacts/platform-sellable-smoke-matrix.md`, `artifacts/platform-sellable-readiness-report.md`, and `checklists/requirements.md`
+
+**Tests**: Browser verification is required. Targeted Pest unit/feature/browser coverage is required only if a direct in-scope P0/P1 fix is applied.
+
+## Test Governance Checklist
+
+- [x] Lane assignment is explicit and narrow: browser-first for the matrix, targeted unit/feature/browser only when a direct fix lands.
+- [x] New or changed tests stay in the smallest honest family, and any browser addition beyond artifact capture is explicit.
+- [x] Shared helpers, factories, seeds, and context defaults stay cheap by default.
+- [x] Planned validation commands cover the slice without pulling unrelated lane cost.
+- [x] The affected surfaces remain the current strategic/operator owner surfaces, not a new runtime family.
+- [x] No new persisted product truth, workflow engine, or provider/platform abstraction is planned.
+
+## Phase 1: Preparation And Repo Truth
+
+**Purpose**: Keep the verification gate bounded to current repo truth and surface any dependency blockers before browser work starts.
+
+- [x] T001 Re-read `spec.md`, `plan.md`, `tasks.md`, `repo-truth-map.md`, and `checklists/requirements.md`.
+- [x] T002 Re-run `git status --short --branch`, `git diff --stat`, and `git log -1 --oneline`, then update `specs/355-platform-sellable-smoke-matrix/repo-truth-map.md`.
+- [x] T003 Re-verify the current runtime truth in:
+  - `apps/platform/app/Filament/Pages/EnvironmentDashboard.php`
+  - `apps/platform/app/Filament/Resources/ProviderConnectionResource.php`
+  - `apps/platform/app/Filament/Pages/EnvironmentRequiredPermissions.php`
+  - `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`
+  - `apps/platform/app/Filament/Resources/EnvironmentReviewResource/Pages/ViewEnvironmentReview.php`
+  - `apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php`
+  - `apps/platform/app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php`
+  - `apps/platform/app/Filament/Pages/Governance/GovernanceInbox.php`
+  - `apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php`
+  - `apps/platform/app/Filament/Resources/EvidenceSnapshotResource/Pages/ViewEvidenceSnapshot.php`
+  - `apps/platform/app/Filament/Resources/OperationRunResource.php`
+- [x] T004 Re-verify Specs 351-354 as dependency truth, using commits, checked tasks, browser smoke assets, screenshots, and recorded findings rather than trusting one metadata field alone.
+- [x] T005 If Spec 354 still has any of the named dependency concerns open (`accepted-risk state priority`, `approval queue scope continuity`, `dominant guidance localization`, or `fake/inert recommended action semantics`), record the blocker explicitly in `repo-truth-map.md` and do not issue a final sellable-readiness verdict.
+- [x] T006 Confirm no migration, package, env var, queue family, scheduler, storage, panel/provider, asset-registration, or global-search change is required for the baseline verification path.
+
+## Phase 2: Fixture Inventory
+
+**Purpose**: Determine which required states can be exercised honestly before the browser matrix is run.
+
+- [x] T007 Inventory existing local/testing/browser helpers:
+  - `admin.local.smoke-login`
+  - `tenantpilot:review-output:seed-browser-fixture`
+  - existing browser smoke tests for Specs 346, 351, 352, 353, and 354
+- [x] T008 Record available or missing fixture truth for:
+  - provider blocker
+  - review-output blocker
+  - ready draft / publish path
+  - accepted risk expiring
+  - accepted risk expired
+  - accepted risk incomplete
+  - pending renewal non-lapsed and lapsed if repo-backed
+  - governance inbox item
+  - evidence missing or stale
+  - operation follow-up / proof
+  - no urgent action
+- [x] T009 Update `specs/355-platform-sellable-smoke-matrix/artifacts/blocked-fixtures.md` for any state that cannot be exercised honestly with current repo fixtures.
+- [x] T010 Keep `repo-truth-map.md` current if runtime inspection proves the smoke matrix must narrow or explicitly block one or more flows.
+
+## Phase 3: Browser Smoke Matrix
+
+**Purpose**: Run the required cross-surface flows and capture first-screen proof.
+
+- [x] T011 Run Flow 1: Environment Dashboard -> provider blocker, and verify provider readiness outranks review-output guidance when both signals exist.
+- [x] T012 Save `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/01-dashboard-provider-blocker.png`.
+- [x] T013 Save `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/02-provider-required-permissions-target.png`.
+- [x] T014 Run Flow 2: Environment Dashboard -> review-output blocker, and verify the primary action lands on the review-output owner surface expected by Spec 351.
+- [x] T015 Save `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/03-dashboard-review-output-blocker.png`.
+- [x] T016 Run Flow 3: Customer Review Workspace -> review-output resolve loop, and verify no fake action or duplicate primary rail appears during the loop.
+- [x] T017 Save `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/04-customer-review-workspace-resolve-action.png`.
+- [x] T018 Run Flow 4: Environment Review detail in `customer_workspace` context, and verify output readiness remains clear without reintroducing a duplicate CTA rail.
+- [x] T019 Save `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/05-review-detail-customer-workspace-context.png`.
+- [x] T020 Run Flow 5: Provider Connections / Required Permissions, and verify missing permissions or verification blockers are explained before raw diagnostic detail.
+- [x] T021 Save `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/06-provider-guidance.png`.
+- [x] T022 Run Flow 6: Finding Exceptions / accepted-risk states, and verify expired/expiring governance outranks weaker pending-renewal or informational states where fixture truth exists.
+- [x] T023 Save `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/07-accepted-risk-expiring.png`.
+- [x] T024 Save `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/08-accepted-risk-expired.png`.
+- [x] T025 Run Flow 7: Governance Inbox, and verify it stays the queue-clearing command surface instead of becoming a second dashboard summary.
+- [x] T026 Save `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/09-governance-inbox.png`.
+- [x] T027 Run Flow 8: Evidence Overview / evidence basis, and verify missing or stale evidence is understandable without defaulting to raw-report presentation.
+- [x] T028 Save `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/10-evidence-overview.png`.
+- [x] T029 Run Flow 9: operation proof, and verify the linked run belongs to the expected environment/source context and does not overclaim governance health.
+- [x] T030 Save `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/11-operation-proof.png`.
+- [x] T031 Run Flow 10: no urgent action state, and verify the calm state does not read as empty, broken, or warning-heavy.
+- [x] T032 Save `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/12-no-urgent-action.png`.
+- [x] T033 Record console errors, network/server errors, final URL/scope state, and customer-safe boundary observations for every flow in `artifacts/platform-sellable-smoke-matrix.md`.
+
+## Phase 4: Classification And Readiness Report
+
+**Purpose**: Turn browser observations into a conservative sellable-readiness result.
+
+- [x] T034 Fill `specs/355-platform-sellable-smoke-matrix/artifacts/platform-sellable-smoke-matrix.md` with expected primary action, actual primary action, scope result, customer-safe result, errors, screenshot path, and classification for every required flow.
+- [x] T035 Mark missing states/screenshots as `BLOCKED` instead of `PASS`.
+- [x] T036 Write `specs/355-platform-sellable-smoke-matrix/artifacts/platform-sellable-readiness-report.md` with:
+  - Executive Summary
+  - pass/fail/blocked counts
+  - P0/P1/P2/P3 findings
+  - demo readiness
+  - sellable foundation readiness
+  - customer-safe boundary assessment
+  - operator workflow assessment
+  - recommended close/fix/defer decision
+- [x] T037 Keep the readiness report conservative when dependency verification or fixture coverage is incomplete.
+
+## Phase 5: Minimal P0/P1 Fixes Only
+
+**Purpose**: Allow only direct in-scope runtime correction when the smoke matrix proves a blocking issue.
+
+- [x] T038 If a verified P0/P1 issue is directly in scope, add the narrowest failing targeted test before editing runtime code.
+- [x] T039 Apply only the minimal owner-surface fix required to address the verified P0/P1 issue. Do not add a new product surface, persistence, taxonomy, or framework.
+- [x] T040 Re-run the affected browser flow after the fix and update the screenshot, matrix row, and readiness report.
+- [x] T041 If a verified issue is out of scope or fixture-blocked, document it in the readiness report as a deferred blocker and do not broaden Spec 355.
+
+Execution note:
+The only runtime patch in this slice closed a Spec 354 dependency-gate defect in dominant accepted-risk guidance localization. It stayed in scope because Spec 355 explicitly required that gate to be clear before close-out, and the fix was bounded to an existing warning-message resolver plus targeted regression coverage.
+
+## Phase 6: Regression And Final Validation
+
+**Purpose**: Prove any direct fix stayed bounded and did not regress the adjacent guidance slices.
+
+- [ ] T042 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec351`.
+- [ ] T043 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec352`.
+- [ ] T044 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec353`.
+- [ ] T045 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec354`.
+- [ ] T046 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=CustomerReviewWorkspace`.
+- [ ] T047 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=EnvironmentDashboard`.
+- [ ] T048 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=ProviderConnection`.
+- [x] T049 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=FindingException`.
+- [x] T050 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=ResolutionGuidance`.
+- [x] T051 Run any new direct-fix test file added in Phase 5.
+- [x] T052 Run `cd apps/platform && ./vendor/bin/sail pint --dirty` if runtime files changed.
+- [x] T053 Run `git diff --check`.
+- [x] T054 Record explicitly whether the full suite was or was not run.
+
+Execution note:
+Broad family filters (`Spec351`-`Spec354`) were attempted via direct `pest` equivalents, but the current Sail container repeatedly killed those wide runs with exit `137`. Narrower affected Spec 354 regressions were run instead and are recorded in the readiness report.
+
+## Non-Goals Checklist
+
+- [x] NT001 Do not add Customer Portal, PDF/HTML renderer, AI guidance, PSA/ITSM handoff, or a new workflow engine.
+- [x] NT002 Do not redesign Environment Dashboard, Governance Inbox, Evidence Overview, Customer Review Workspace, or Operations as part of this spec.
+- [x] NT003 Do not add new provider execution logic, provider framework, or Graph render calls.
+- [x] NT004 Do not add a new persisted sellable-readiness, smoke-result, or fixture-truth entity.
+- [x] NT005 Do not treat blocked fixture states as pass or infer customer-safe readiness without browser evidence.
+- [x] NT006 Do not reopen or normalize historical spec packages 351-354 during this slice.
+
+## Required Final Report Content
+
+When implementation later completes, report:
+
+- branch
+- files changed
+- flows tested
+- screenshot count
+- pass/fail/blocked summary
+- P0/P1/P2/P3 findings
+- readiness decision
+- tests run
+- whether full suite was run
+- deferred follow-up specs