ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

merge: platform-dev into spec 319
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 50s
Details

Browse Source 
# Conflicts:
#	specs/319-environment-owned-surface-routing-shell-context-contract/tasks.md
This commit is contained in:
Ahmed Darrazi 2026-05-17 14:16:22 +02:00
commit 7b72538e29
59 changed files with 5361 additions and 144 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
apps/platform/app/Filament/Clusters/Monitoring/AlertsCluster.php
View File

@ -4,6 +4,10 @@
namespace App\Filament\Clusters\Monitoring;
use App\Models\Workspace;
use App\Support\Navigation\WorkspaceHubEnvironmentFilter;
use App\Support\Navigation\WorkspaceHubFilterStateResetter;
use App\Support\Workspaces\WorkspaceContext;
use BackedEnum;
use Filament\Clusters\Cluster;
use Filament\Facades\Filament;
@ -24,4 +28,43 @@ public static function shouldRegisterNavigation(): bool
{
return Filament::getCurrentPanel()?->getId() === 'admin';
}
public function mount(): void
{
app(WorkspaceHubFilterStateResetter::class)->neutralizeEnvironmentLikeQueryState(request());
$environmentFilterQuery = $this->environmentFilterQuery();
foreach ($this->getCachedSubNavigation() as $navigationGroup) {
foreach ($navigationGroup->getItems() as $navigationItem) {
$url = $navigationItem->getUrl();
if (is_string($url) && $url !== '' && $environmentFilterQuery !== []) {
$url = url()->query($url, $environmentFilterQuery);
}
redirect($url);
return;
}
}
}
/**
* @return array<string, int>
*/
private function environmentFilterQuery(): array
{
$workspace = app(WorkspaceContext::class)->currentWorkspace(request());
if (! $workspace instanceof Workspace) {
return [];
}
$filter = WorkspaceHubEnvironmentFilter::fromRequest(request(), $workspace);
return $filter instanceof WorkspaceHubEnvironmentFilter
? $filter->queryParameters()
: [];
}
}

27
apps/platform/app/Filament/Pages/Findings/FindingsHygieneReport.php
View File

@ -15,6 +15,7 @@
use App\Support\Filament\CanonicalAdminEnvironmentFilterState;
use App\Support\Filament\TablePaginationProfiles;
use App\Support\Navigation\CanonicalNavigationContext;
use App\Support\Navigation\WorkspaceHubEnvironmentFilter;
use App\Support\OperateHub\OperateHubShell;
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
@ -182,7 +183,7 @@ public function availableFilters(): array
'options' => [],
],
[
'key' => 'tenant',
'key' => 'environment_id',
'label' => 'ManagedEnvironment',
'fixed' => false,
'options' => collect($this->visibleTenants())
@ -402,14 +403,22 @@ private function tenantFilterOptions(): array
private function applyRequestedTenantPrefilter(): void
{
$requestedTenant = request()->query('tenant');
$workspace = $this->workspace();
if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
if (! $workspace instanceof Workspace) {
return;
}
$filter = WorkspaceHubEnvironmentFilter::fromRequest(request(), $workspace);
if (! $filter instanceof WorkspaceHubEnvironmentFilter) {
return;
}
$environmentId = $filter->environmentId();
foreach ($this->visibleTenants() as $tenant) {
if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
if ((int) $tenant->getKey() !== $environmentId) {
continue;
}
@ -418,6 +427,8 @@ private function applyRequestedTenantPrefilter(): void
return;
}
throw new NotFoundHttpException;
}
private function normalizeTenantFilterState(): void
@ -583,9 +594,9 @@ private function navigationContext(): CanonicalNavigationContext
private function reportUrl(array $overrides = []): string
{
$resolvedTenant = array_key_exists('tenant', $overrides)
? $overrides['tenant']
: $this->filteredTenant()?->external_id;
$resolvedEnvironment = array_key_exists('environment_id', $overrides)
? $overrides['environment_id']
: $this->filteredTenant()?->getKey();
$resolvedReason = array_key_exists('reason', $overrides)
? $overrides['reason']
: $this->currentReasonFilter();
@ -593,7 +604,7 @@ private function reportUrl(array $overrides = []): string
return static::getUrl(
panel: 'admin',
parameters: array_filter([
'tenant' => is_string($resolvedTenant) && $resolvedTenant !== '' ? $resolvedTenant : null,
'environment_id' => is_numeric($resolvedEnvironment) ? (int) $resolvedEnvironment : null,
'reason' => is_string($resolvedReason) && $resolvedReason !== FindingAssignmentHygieneService::FILTER_ALL
? $resolvedReason
: null,

27
apps/platform/app/Filament/Pages/Findings/FindingsIntakeQueue.php
View File

@ -19,6 +19,7 @@
use App\Support\Filament\CanonicalAdminEnvironmentFilterState;
use App\Support\Filament\TablePaginationProfiles;
use App\Support\Navigation\CanonicalNavigationContext;
use App\Support\Navigation\WorkspaceHubEnvironmentFilter;
use App\Support\OperateHub\OperateHubShell;
use App\Support\Rbac\UiEnforcement;
use App\Support\Rbac\UiTooltips;
@ -79,7 +80,7 @@ public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
{
return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly, ActionSurfaceType::ReadOnlyRegistryReport)
->withListRowPrimaryActionLimit(1)
->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions keep the shared-unassigned scope fixed and expose only a tenant-prefilter clear action when needed.')
->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions keep the shared-unassigned scope fixed and expose only an environment-prefilter clear action when needed.')
->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'The intake queue keeps Claim finding inline and does not render a secondary More menu on rows.')
->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The intake queue does not expose bulk actions in v1.')
@ -521,14 +522,22 @@ private function tenantFilterOptions(): array
private function applyRequestedTenantPrefilter(): void
{
$requestedTenant = request()->query('tenant');
$workspace = $this->workspace();
if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
if (! $workspace instanceof Workspace) {
return;
}
$filter = WorkspaceHubEnvironmentFilter::fromRequest(request(), $workspace);
if (! $filter instanceof WorkspaceHubEnvironmentFilter) {
return;
}
$environmentId = $filter->environmentId();
foreach ($this->visibleTenants() as $tenant) {
if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
if ((int) $tenant->getKey() !== $environmentId) {
continue;
}
@ -537,6 +546,8 @@ private function applyRequestedTenantPrefilter(): void
return;
}
throw new NotFoundHttpException;
}
private function normalizeTenantFilterState(): void
@ -720,9 +731,9 @@ private function incomingGovernanceContext(): ?CanonicalNavigationContext
private function queueUrl(array $overrides = []): string
{
$resolvedTenant = array_key_exists('tenant', $overrides)
? $overrides['tenant']
: $this->filteredTenant()?->external_id;
$resolvedEnvironment = array_key_exists('environment_id', $overrides)
? $overrides['environment_id']
: $this->filteredTenant()?->getKey();
$resolvedView = array_key_exists('view', $overrides)
? $overrides['view']
: $this->currentQueueView();
@ -730,7 +741,7 @@ private function queueUrl(array $overrides = []): string
return static::getUrl(
panel: 'admin',
parameters: array_filter([
'tenant' => is_string($resolvedTenant) && $resolvedTenant !== '' ? $resolvedTenant : null,
'environment_id' => is_numeric($resolvedEnvironment) ? (int) $resolvedEnvironment : null,
'view' => $resolvedView === 'needs_triage' ? 'needs_triage' : null,
], static fn (mixed $value): bool => $value !== null && $value !== ''),
);

23
apps/platform/app/Filament/Pages/Findings/MyFindingsInbox.php
View File

@ -18,6 +18,7 @@
use App\Support\Filament\CanonicalAdminEnvironmentFilterState;
use App\Support\Filament\TablePaginationProfiles;
use App\Support\Navigation\CanonicalNavigationContext;
use App\Support\Navigation\WorkspaceHubEnvironmentFilter;
use App\Support\OperateHub\OperateHubShell;
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
@ -206,7 +207,7 @@ public function availableFilters(): array
'options' => [],
],
[
'key' => 'tenant',
'key' => 'environment_id',
'label' => 'Managed environment',
'fixed' => false,
'options' => collect($this->visibleTenants())
@ -461,14 +462,22 @@ private function tenantFilterOptions(): array
private function applyRequestedTenantPrefilter(): void
{
$requestedTenant = request()->query('tenant');
$workspace = $this->workspace();
if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
if (! $workspace instanceof Workspace) {
return;
}
$filter = WorkspaceHubEnvironmentFilter::fromRequest(request(), $workspace);
if (! $filter instanceof WorkspaceHubEnvironmentFilter) {
return;
}
$environmentId = $filter->environmentId();
foreach ($this->visibleTenants() as $tenant) {
if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
if ((int) $tenant->getKey() !== $environmentId) {
continue;
}
@ -477,6 +486,8 @@ private function applyRequestedTenantPrefilter(): void
return;
}
throw new NotFoundHttpException;
}
private function normalizeTenantFilterState(): void
@ -667,8 +678,8 @@ private function queueUrl(): string
return static::getUrl(
panel: 'admin',
parameters: array_filter([
'tenant' => $tenant?->external_id,
], static fn (mixed $value): bool => $value !== null && $value !== ''),
'environment_id' => $tenant?->getKey(),
], static fn (mixed $value): bool => is_numeric($value)),
);
}

81
apps/platform/app/Filament/Pages/Monitoring/Alerts.php
View File

@ -5,12 +5,17 @@
namespace App\Filament\Pages\Monitoring;
use App\Filament\Clusters\Monitoring\AlertsCluster;
use App\Filament\Concerns\ClearsWorkspaceHubEnvironmentFilterState;
use App\Filament\Resources\AlertDeliveryResource;
use App\Filament\Resources\AlertDestinationResource;
use App\Filament\Resources\AlertRuleResource;
use App\Filament\Widgets\Alerts\AlertsKpiHeader;
use App\Models\User;
use App\Models\Workspace;
use App\Services\Auth\WorkspaceCapabilityResolver;
use App\Support\Auth\Capabilities;
use App\Support\Navigation\CanonicalNavigationContext;
use App\Support\Navigation\WorkspaceHubEnvironmentFilter;
use App\Support\OperateHub\OperateHubShell;
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
@ -25,6 +30,8 @@
class Alerts extends Page
{
use ClearsWorkspaceHubEnvironmentFilterState;
protected static ?string $cluster = AlertsCluster::class;
protected static ?int $navigationSort = 20;
@ -41,6 +48,12 @@ class Alerts extends Page
protected string $view = 'filament.pages.monitoring.alerts';
public function mount(): void
{
$this->resetWorkspaceHubEnvironmentFilterStateForCleanEntry(request());
$this->environmentFilter();
}
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
{
return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly, ActionSurfaceType::ReadOnlyRegistryReport)
@ -89,6 +102,44 @@ protected function getHeaderWidgets(): array
];
}
/**
* @return array{label: string, clear_url: string, description: string}|null
*/
public function environmentFilterChip(): ?array
{
$filter = $this->environmentFilter();
if (! $filter instanceof WorkspaceHubEnvironmentFilter) {
return null;
}
return [
'label' => $filter->displayName(),
'clear_url' => $this->cleanWorkspaceHubUrl(route('filament.admin.alerts')),
'description' => 'Delivery signal is filtered. Rules and targets remain workspace configuration.',
];
}
public function alertDeliveriesUrl(): string
{
return AlertDeliveryResource::getUrl('index', $this->filteredNavigationParameters(), panel: 'admin');
}
public function alertRulesUrl(): string
{
return $this->cleanWorkspaceHubUrl(AlertRuleResource::getUrl(panel: 'admin'));
}
public function alertDestinationsUrl(): string
{
return $this->cleanWorkspaceHubUrl(AlertDestinationResource::getUrl(panel: 'admin'));
}
public function auditLogUrl(): string
{
return route('admin.monitoring.audit-log', $this->filteredNavigationParameters());
}
/**
* @return array<Action>
*/
@ -113,4 +164,34 @@ protected function getHeaderActions(): array
return $actions;
}
/**
* @return array<string, mixed>
*/
private function filteredNavigationParameters(): array
{
return array_filter(
array_merge(
$this->navigationContext()?->toQuery() ?? [],
$this->environmentFilter()?->queryParameters() ?? [],
),
static fn (mixed $value): bool => $value !== null && $value !== '' && $value !== [],
);
}
private function navigationContext(): ?CanonicalNavigationContext
{
return CanonicalNavigationContext::fromRequest(request());
}
private function environmentFilter(): ?WorkspaceHubEnvironmentFilter
{
$workspace = app(WorkspaceContext::class)->currentWorkspace(request());
if (! $workspace instanceof Workspace) {
return null;
}
return WorkspaceHubEnvironmentFilter::fromRequest(request(), $workspace);
}
}

93
apps/platform/app/Filament/Pages/Monitoring/AuditLog.php
View File

@ -4,6 +4,7 @@
namespace App\Filament\Pages\Monitoring;
use App\Filament\Concerns\ClearsWorkspaceHubEnvironmentFilterState;
use App\Models\AuditLog as AuditLogModel;
use App\Models\ManagedEnvironment;
use App\Models\SupportAccessGrant;
@ -20,6 +21,7 @@
use App\Support\Filament\TablePaginationProfiles;
use App\Support\Navigation\CanonicalNavigationContext;
use App\Support\Navigation\RelatedNavigationResolver;
use App\Support\Navigation\WorkspaceHubEnvironmentFilter;
use App\Support\OperateHub\OperateHubShell;
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
use App\Support\Ui\ActionSurface\ActionSurfaceDefaults;
@ -45,6 +47,7 @@
class AuditLog extends Page implements HasTable
{
use ClearsWorkspaceHubEnvironmentFilterState;
use InteractsWithTable;
protected const MONITORING_PAGE_STATE_CONTRACT = [
@ -72,11 +75,11 @@ class AuditLog extends Page implements HasTable
'invalidFallback' => 'discard_and_continue',
],
[
'stateKey' => 'managed_environment_id',
'stateKey' => 'environment_id',
'stateClass' => 'contextual_prefilter',
'carrier' => 'session',
'carrier' => 'query_param',
'queryRole' => 'durable_restorable',
'shareable' => false,
'shareable' => true,
'restorableOnRefresh' => true,
'tenantSensitive' => true,
'invalidFallback' => 'discard_and_continue',
@ -96,7 +99,7 @@ class AuditLog extends Page implements HasTable
'precedenceOrder' => ['query', 'session', 'default'],
'appliesOnInitialMountOnly' => true,
'activeStateBecomesAuthoritativeAfterMount' => true,
'clearsOnTenantSwitch' => ['managed_environment_id', 'action', 'actor_label', 'resource_type'],
'clearsOnTenantSwitch' => ['environment_id', 'managed_environment_id', 'action', 'actor_label', 'resource_type'],
'invalidRequestedStateFallback' => 'clear_selection_and_continue',
],
'inspectContract' => [
@ -164,9 +167,11 @@ public function mount(): void
$this->supportAccessOnly = request()->boolean('supportAccess');
$requestedEventId = is_numeric(request()->query('event')) ? (int) request()->query('event') : null;
app(CanonicalAdminEnvironmentFilterState::class)->sync($this->getTableFiltersSessionKey(), request: request());
$this->resetWorkspaceHubEnvironmentFilterStateForCleanEntry(request());
$this->mountInteractsWithTable();
$this->resetWorkspaceHubEnvironmentFilterStateForCleanEntry(request());
$this->applyRequestedEnvironmentFilter();
if ($requestedEventId !== null) {
$this->selectedAuditLogId = $this->resolveSelectedAuditLogId($requestedEventId);
@ -328,8 +333,14 @@ public function table(Table $table): Table
->icon('heroicon-o-x-mark')
->color('gray')
->action(function (): void {
$hadEnvironmentFilter = $this->currentTenantFilterId() !== null;
$this->selectedAuditLogId = null;
$this->resetTable();
$this->clearWorkspaceHubEnvironmentFilterState(request());
if ($hadEnvironmentFilter) {
$this->redirectToCleanWorkspaceHubUrl(route('admin.monitoring.audit-log'), request());
}
}),
]);
}
@ -359,6 +370,24 @@ public function authorizedTenants(): array
return $this->authorizedTenants = $tenants;
}
/**
* @return array{label: string, clear_url: string, description: string}|null
*/
public function environmentFilterChip(): ?array
{
$tenant = $this->filteredTenant();
if (! $tenant instanceof ManagedEnvironment) {
return null;
}
return [
'label' => (string) ($tenant->name ?: $tenant->external_id ?: ('Environment '.$tenant->getKey())),
'clear_url' => $this->cleanWorkspaceHubUrl(route('admin.monitoring.audit-log')),
'description' => 'Audit events are filtered by direct environment attribution.',
];
}
private function authorizePageAccess(): void
{
$user = auth()->user();
@ -388,6 +417,7 @@ private function authorizePageAccess(): void
private function auditBaseQuery(): Builder
{
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
$tenantFilter = $this->currentTenantFilterId();
$authorizedTenantIds = array_map(
static fn (ManagedEnvironment $tenant): int => (int) $tenant->getKey(),
$this->authorizedTenants(),
@ -406,6 +436,10 @@ private function auditBaseQuery(): Builder
->when($this->supportAccessOnly, function (Builder $query): void {
$query->whereIn('action', SupportAccessGrant::supportAccessAuditActions());
})
->when(
$tenantFilter !== null,
fn (Builder $query): Builder => $query->where('audit_logs.managed_environment_id', $tenantFilter),
)
->latestFirst();
}
@ -463,10 +497,35 @@ private function auditTargetLink(AuditLogModel $record): ?array
return app(RelatedNavigationResolver::class)->auditTargetLink($record);
}
private function applyRequestedEnvironmentFilter(): void
{
$workspace = app(WorkspaceContext::class)->currentWorkspace(request());
if (! $workspace instanceof Workspace) {
return;
}
$filter = WorkspaceHubEnvironmentFilter::fromRequest(request(), $workspace);
if (! $filter instanceof WorkspaceHubEnvironmentFilter) {
return;
}
$environmentId = $filter->environmentId();
if (! array_key_exists($environmentId, $this->authorizedTenants())) {
throw new NotFoundHttpException;
}
$this->tableFilters['managed_environment_id']['value'] = (string) $environmentId;
$this->tableDeferredFilters['managed_environment_id']['value'] = (string) $environmentId;
}
private function auditLogUrl(array $overrides = []): string
{
$parameters = array_merge(
$this->navigationContext()?->toQuery() ?? [],
['environment_id' => $this->currentTenantFilterId()],
['supportAccess' => $this->supportAccessOnly ? true : null],
['event' => $this->selectedAuditLogId],
$overrides,
@ -616,15 +675,29 @@ private function tenantFilterOptions(): array
private function defaultTenantFilter(): ?string
{
$activeEnvironment = app(OperateHubShell::class)->activeEntitledTenant(request());
return null;
}
if (! $activeEnvironment instanceof ManagedEnvironment) {
private function currentTenantFilterId(): ?int
{
$tenantFilter = app(CanonicalAdminEnvironmentFilterState::class)->currentFilterValue(
$this->getTableFiltersSessionKey(),
$this->tableFilters ?? [],
request(),
);
return is_numeric($tenantFilter) ? (int) $tenantFilter : null;
}
private function filteredTenant(): ?ManagedEnvironment
{
$tenantId = $this->currentTenantFilterId();
if (! is_int($tenantId)) {
return null;
}
return array_key_exists((int) $activeEnvironment->getKey(), $this->authorizedTenants())
? (string) $activeEnvironment->getKey()
: null;
return $this->authorizedTenants()[$tenantId] ?? null;
}
/**

130
apps/platform/app/Filament/Resources/AlertDeliveryResource/Pages/ListAlertDeliveries.php
View File

@ -4,22 +4,104 @@
namespace App\Filament\Resources\AlertDeliveryResource\Pages;
use App\Filament\Concerns\ClearsWorkspaceHubEnvironmentFilterState;
use App\Filament\Resources\AlertDeliveryResource;
use App\Models\ManagedEnvironment;
use App\Models\User;
use App\Models\Workspace;
use App\Support\Filament\CanonicalAdminEnvironmentFilterState;
use App\Support\Navigation\CanonicalNavigationContext;
use App\Support\Navigation\WorkspaceHubEnvironmentFilter;
use App\Support\OperateHub\OperateHubShell;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Actions\Action;
use Filament\Facades\Filament;
use Filament\Resources\Pages\ListRecords;
use Filament\Schemas\Components\EmbeddedTable;
use Filament\Schemas\Components\RenderHook;
use Filament\Schemas\Components\View;
use Filament\Schemas\Schema;
use Filament\View\PanelsRenderHook;
class ListAlertDeliveries extends ListRecords
{
use ClearsWorkspaceHubEnvironmentFilterState;
protected static string $resource = AlertDeliveryResource::class;
/**
* @var array<int, ManagedEnvironment>|null
*/
private ?array $authorizedTenants = null;
public function mount(): void
{
app(CanonicalAdminEnvironmentFilterState::class)->sync($this->getTableFiltersSessionKey(), request: request());
$this->resetWorkspaceHubEnvironmentFilterStateForCleanEntry(request());
parent::mount();
$this->resetWorkspaceHubEnvironmentFilterStateForCleanEntry(request());
$this->applyRequestedEnvironmentFilter();
}
public function content(Schema $schema): Schema
{
return $schema
->components([
$this->getTabsContentComponent(),
View::make('filament.partials.workspace-hub-environment-filter-chip')
->viewData(fn (): array => [
'label' => $this->environmentFilterChip()['label'] ?? null,
'clearUrl' => $this->environmentFilterChip()['clear_url'] ?? null,
'description' => $this->environmentFilterChip()['description'] ?? null,
])
->visible(fn (): bool => $this->environmentFilterChip() !== null),
RenderHook::make(PanelsRenderHook::RESOURCE_PAGES_LIST_RECORDS_TABLE_BEFORE),
EmbeddedTable::make(),
RenderHook::make(PanelsRenderHook::RESOURCE_PAGES_LIST_RECORDS_TABLE_AFTER),
]);
}
/**
* @return array{label: string, clear_url: string, description: string}|null
*/
public function environmentFilterChip(): ?array
{
$tenant = $this->filteredTenant();
if (! $tenant instanceof ManagedEnvironment) {
return null;
}
return [
'label' => (string) ($tenant->name ?: $tenant->external_id ?: ('Environment '.$tenant->getKey())),
'clear_url' => $this->cleanWorkspaceHubUrl(AlertDeliveryResource::getUrl('index', panel: 'admin')),
'description' => 'Rows are filtered by direct delivery attribution.',
];
}
/**
* @return array<int, ManagedEnvironment>
*/
public function authorizedTenants(): array
{
if ($this->authorizedTenants !== null) {
return $this->authorizedTenants;
}
$user = auth()->user();
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
if (! $user instanceof User || ! is_int($workspaceId)) {
return $this->authorizedTenants = [];
}
$tenants = collect($user->getTenants(Filament::getCurrentOrDefaultPanel()))
->filter(static fn (ManagedEnvironment $tenant): bool => (int) $tenant->workspace_id === $workspaceId)
->keyBy(fn (ManagedEnvironment $tenant): int => (int) $tenant->getKey())
->all();
return $this->authorizedTenants = $tenants;
}
protected function getHeaderActions(): array
@ -43,4 +125,50 @@ protected function getHeaderActions(): array
return $actions;
}
private function applyRequestedEnvironmentFilter(): void
{
$workspace = app(WorkspaceContext::class)->currentWorkspace(request());
if (! $workspace instanceof Workspace) {
return;
}
$filter = WorkspaceHubEnvironmentFilter::fromRequest(request(), $workspace);
if (! $filter instanceof WorkspaceHubEnvironmentFilter) {
return;
}
$environmentId = $filter->environmentId();
if (! array_key_exists($environmentId, $this->authorizedTenants())) {
abort(404);
}
$this->tableFilters['managed_environment_id']['value'] = (string) $environmentId;
$this->tableDeferredFilters['managed_environment_id']['value'] = (string) $environmentId;
}
private function currentTenantFilterId(): ?int
{
$tenantFilter = app(CanonicalAdminEnvironmentFilterState::class)->currentFilterValue(
$this->getTableFiltersSessionKey(),
$this->tableFilters ?? [],
request(),
);
return is_numeric($tenantFilter) ? (int) $tenantFilter : null;
}
private function filteredTenant(): ?ManagedEnvironment
{
$tenantId = $this->currentTenantFilterId();
if (! is_int($tenantId)) {
return null;
}
return $this->authorizedTenants()[$tenantId] ?? null;
}
}

13
apps/platform/app/Filament/Widgets/Alerts/AlertsKpiHeader.php
View File

@ -11,7 +11,9 @@
use App\Models\AlertDestination;
use App\Models\AlertRule;
use App\Models\User;
use App\Models\Workspace;
use App\Services\Auth\ManagedEnvironmentAccessScopeResolver;
use App\Support\Navigation\WorkspaceHubEnvironmentFilter;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Widgets\StatsOverviewWidget;
use Filament\Widgets\StatsOverviewWidget\Stat;
@ -53,7 +55,7 @@ protected function getStats(): array
->count();
$stats[] = Stat::make('Enabled rules', $enabledRules)
->description('Total '.$totalRules);
->description('Workspace total '.$totalRules);
}
if (AlertDestinationResource::canViewAny()) {
@ -67,7 +69,7 @@ protected function getStats(): array
->count();
$stats[] = Stat::make('Enabled targets', $enabledDestinations)
->description('Total '.$totalDestinations);
->description('Workspace total '.$totalDestinations);
}
if (AlertDeliveryResource::canViewAny()) {
@ -101,6 +103,13 @@ private function deliveriesQueryForViewer(User $user, int $workspaceId): Builder
qualifiedEnvironmentColumn: 'alert_deliveries.managed_environment_id',
);
$workspace = Workspace::query()->whereKey($workspaceId)->first();
if ($workspace instanceof Workspace) {
WorkspaceHubEnvironmentFilter::fromRequest(request(), $workspace)
?->applyToQuery($query, 'alert_deliveries.managed_environment_id');
}
return $query;
}
}

18
apps/platform/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php
View File

@ -307,8 +307,8 @@ private function assignedFindingsSection(
MyFindingsInbox::getUrl(
panel: 'admin',
parameters: array_filter([
'tenant' => $selectedTenant?->external_id,
], static fn (mixed $value): bool => is_string($value) && $value !== ''),
'environment_id' => $selectedTenant?->getKey(),
], static fn (mixed $value): bool => is_numeric($value)),
),
$navigationContext?->toQuery() ?? [],
),
@ -349,7 +349,7 @@ private function intakeFindingsSection(
FindingsIntakeQueue::getUrl(
panel: 'admin',
parameters: array_filter([
'tenant' => $selectedTenant?->external_id,
'environment_id' => $selectedTenant?->getKey(),
'view' => $needsTriageCount > 0 ? 'needs_triage' : null,
], static fn (mixed $value): bool => $value !== null && $value !== ''),
),
@ -443,14 +443,14 @@ private function alertsSection(
AlertDeliveryResource::getUrl(panel: 'admin'),
array_replace_recursive(
$navigationContext?->toQuery() ?? [],
[
array_filter([
'environment_id' => $selectedTenant instanceof ManagedEnvironment
? (int) $selectedTenant->getKey()
: null,
'tableFilters' => array_filter([
'status' => ['value' => AlertDelivery::STATUS_FAILED],
'managed_environment_id' => $selectedTenant instanceof ManagedEnvironment
? ['value' => (string) $selectedTenant->getKey()]
: null,
], static fn (mixed $value): bool => $value !== null),
],
]),
], static fn (mixed $value): bool => $value !== null),
),
),
'entries' => $entries,

14
apps/platform/app/Support/Navigation/AdminSurfaceScope.php
View File

@ -10,6 +10,7 @@
enum AdminSurfaceScope: string
{
case WorkspaceWideSurface = 'workspace_wide_surface';
case WorkspaceOwnedAnalysisSurface = 'workspace_owned_analysis_surface';
case WorkspaceScoped = 'workspace_scoped';
case WorkspaceChooserException = 'workspace_chooser_exception';
case EnvironmentBound = 'environment_bound';
@ -42,6 +43,10 @@ public static function fromPath(string $path): self
return self::WorkspaceWideSurface;
}
if (self::isWorkspaceOwnedAnalysisSurfacePath($normalizedPath)) {
return self::WorkspaceOwnedAnalysisSurface;
}
if (
str_starts_with($normalizedPath, '/admin/evidence/')
&& ! str_starts_with($normalizedPath, '/admin/evidence/overview')
@ -80,6 +85,7 @@ public function allowsEnvironmentlessState(): bool
{
return match ($this) {
self::WorkspaceWideSurface,
self::WorkspaceOwnedAnalysisSurface,
self::WorkspaceScoped,
self::WorkspaceChooserException,
self::OnboardingWorkflow,
@ -92,6 +98,7 @@ public function forcesEnvironmentlessShellContext(): bool
{
return match ($this) {
self::WorkspaceWideSurface,
self::WorkspaceOwnedAnalysisSurface,
self::WorkspaceChooserException,
self::CanonicalWorkspaceRecordViewer => true,
default => false,
@ -116,6 +123,13 @@ private static function isWorkspaceWideSurfacePath(string $normalizedPath): bool
return WorkspaceHubRegistry::isWorkspaceHubPath($normalizedPath);
}
private static function isWorkspaceOwnedAnalysisSurfacePath(string $normalizedPath): bool
{
return preg_match('#^/admin/(baseline-profiles|baseline-snapshots)(?:/.*)?$#', $normalizedPath) === 1
|| preg_match('#^/admin/findings/(?:my-work|intake|hygiene)/?$#', $normalizedPath) === 1
|| preg_match('#^/admin/cross-environment-compare/?$#', $normalizedPath) === 1;
}
private static function effectivePath(Request $request): string
{
$path = '/'.ltrim((string) $request->path(), '/');

5
apps/platform/app/Support/SupportDiagnostics/SupportDiagnosticBundleBuilder.php
View File

@ -817,7 +817,10 @@ private function auditHistorySection(Collection $auditLogs): array
record: $auditLog,
label: $auditLog->summaryText(),
actionLabel: 'Inspect event',
url: route('admin.monitoring.audit-log', ['event' => (int) $auditLog->getKey()]),
url: route('admin.monitoring.audit-log', array_filter([
'event' => (int) $auditLog->getKey(),
'environment_id' => $auditLog->managed_environment_id,
], static fn (mixed $value): bool => $value !== null && $value !== '' && $value !== [])),
freshnessAt: $auditLog->recorded_at,
))
->values()

1
apps/platform/app/Support/Tenants/TenantInteractionLane.php
View File

@ -21,6 +21,7 @@ public static function fromSurfaceScope(AdminSurfaceScope $pageCategory): self
AdminSurfaceScope::EnvironmentScopedEvidence => self::AdministrativeManagement,
AdminSurfaceScope::CanonicalWorkspaceRecordViewer => self::CanonicalWorkspaceRecord,
AdminSurfaceScope::WorkspaceWideSurface,
AdminSurfaceScope::WorkspaceOwnedAnalysisSurface,
AdminSurfaceScope::WorkspaceScoped,
AdminSurfaceScope::WorkspaceChooserException => self::StandardActiveOperating,
};

26
apps/platform/app/Support/Workspaces/WorkspaceOverviewBuilder.php
View File

@ -746,7 +746,7 @@ private function attentionItems(
),
badge: 'Alerts',
badgeColor: 'danger',
destination: $this->alertsOverviewTarget($navigationContext, true),
destination: $this->alertsOverviewTarget($navigationContext, true, tenant: $tenant),
)];
}
@ -1729,8 +1729,12 @@ private function operationDetailTarget(OperationRun $run, CanonicalNavigationCon
/**
* @return array<string, mixed>
*/
private function alertsOverviewTarget(CanonicalNavigationContext $navigationContext, bool $enabled, string $label = 'Open alerts'): array
{
private function alertsOverviewTarget(
CanonicalNavigationContext $navigationContext,
bool $enabled,
string $label = 'Open alerts',
?ManagedEnvironment $tenant = null,
): array {
if (! $enabled) {
return $this->disabledDestination(
kind: 'alerts_overview',
@ -1740,14 +1744,24 @@ private function alertsOverviewTarget(CanonicalNavigationContext $navigationCont
return $this->destination(
kind: 'alerts_overview',
url: $this->alertsOverviewUrl($navigationContext),
url: $this->alertsOverviewUrl($navigationContext, $tenant),
label: $label,
tenant: $tenant,
filters: $tenant instanceof ManagedEnvironment
? ['environment_id' => (int) $tenant->getKey()]
: [],
);
}
private function alertsOverviewUrl(CanonicalNavigationContext $navigationContext): string
private function alertsOverviewUrl(CanonicalNavigationContext $navigationContext, ?ManagedEnvironment $tenant = null): string
{
return $this->appendQuery(route('filament.admin.alerts'), $navigationContext->toQuery());
$query = $navigationContext->toQuery();
if ($tenant instanceof ManagedEnvironment) {
$query['environment_id'] = (int) $tenant->getKey();
}
return $this->appendQuery(route('filament.admin.alerts'), $query);
}
private function canTenantView(User $user, ManagedEnvironment $tenant): bool

11
apps/platform/resources/views/filament/pages/findings/findings-hygiene-report.blade.php
View File

@ -18,7 +18,7 @@
</h1>
<p class="max-w-3xl text-sm leading-6 text-gray-600 dark:text-gray-300">
Review visible broken assignments and stale in-progress work across entitled tenants in one read-first repair queue. Existing finding detail stays the only place where reassignment or lifecycle repair happens.
Review visible broken assignments and stale in-progress work across entitled environments in one read-first repair queue. Existing finding detail stays the only place where reassignment or lifecycle repair happens.
</p>
</div>
</div>
@ -68,14 +68,11 @@
{{ $scope['reason_filter_label'] }}
</div>
<div class="mt-1 text-sm text-gray-600 dark:text-gray-300">
@if (($scope['tenant_prefilter_source'] ?? 'none') === 'active_tenant_context')
ManagedEnvironment prefilter from active context:
<span class="font-medium text-gray-950 dark:text-white">{{ $scope['tenant_label'] }}</span>
@elseif (($scope['tenant_prefilter_source'] ?? 'none') === 'explicit_filter')
ManagedEnvironment filter applied:
@if (($scope['tenant_prefilter_source'] ?? 'none') === 'explicit_filter')
Environment filter applied:
<span class="font-medium text-gray-950 dark:text-white">{{ $scope['tenant_label'] }}</span>
@else
All visible tenants are currently included.
All visible environments are currently included.
@endif
</div>
</div>

11
apps/platform/resources/views/filament/pages/findings/findings-intake-queue.blade.php
View File

@ -18,7 +18,7 @@
</h1>
<p class="max-w-3xl text-sm leading-6 text-gray-600 dark:text-gray-300">
Review visible unassigned open findings across entitled tenants in one queue. ManagedEnvironment context can narrow the view, but the intake scope stays fixed.
Review visible unassigned open findings across entitled environments in one queue. An explicit environment filter can narrow the view, but the intake scope stays fixed.
</p>
</div>
</div>
@ -68,14 +68,11 @@
{{ $scope['queue_view_label'] }}
</div>
<div class="mt-1 text-sm text-gray-600 dark:text-gray-300">
@if (($scope['tenant_prefilter_source'] ?? 'none') === 'active_tenant_context')
ManagedEnvironment prefilter from active context:
<span class="font-medium text-gray-950 dark:text-white">{{ $scope['tenant_label'] }}</span>
@elseif (($scope['tenant_prefilter_source'] ?? 'none') === 'explicit_filter')
ManagedEnvironment filter applied:
@if (($scope['tenant_prefilter_source'] ?? 'none') === 'explicit_filter')
Environment filter applied:
<span class="font-medium text-gray-950 dark:text-white">{{ $scope['tenant_label'] }}</span>
@else
All visible tenants are currently included.
All visible environments are currently included.
@endif
</div>
</div>

11
apps/platform/resources/views/filament/pages/findings/my-findings-inbox.blade.php
View File

@ -18,7 +18,7 @@
</h1>
<p class="max-w-3xl text-sm leading-6 text-gray-600 dark:text-gray-300">
Review open assigned findings across visible tenants in one queue. ManagedEnvironment context can narrow the view, but the personal assignment scope stays fixed.
Review open assigned findings across visible environments in one queue. An explicit environment filter can narrow the view, but the personal assignment scope stays fixed.
</p>
</div>
</div>
@ -56,14 +56,11 @@
Assigned to me only
</div>
<div class="mt-1 text-sm text-gray-600 dark:text-gray-300">
@if (($scope['tenant_prefilter_source'] ?? 'none') === 'active_tenant_context')
ManagedEnvironment prefilter from active context:
<span class="font-medium text-gray-950 dark:text-white">{{ $scope['tenant_label'] }}</span>
@elseif (($scope['tenant_prefilter_source'] ?? 'none') === 'explicit_filter')
ManagedEnvironment filter applied:
@if (($scope['tenant_prefilter_source'] ?? 'none') === 'explicit_filter')
Environment filter applied:
<span class="font-medium text-gray-950 dark:text-white">{{ $scope['tenant_label'] }}</span>
@else
All visible tenants are currently included.
All visible environments are currently included.
@endif
</div>
</div>

17
apps/platform/resources/views/filament/pages/monitoring/alerts.blade.php
View File

@ -1,5 +1,6 @@
<x-filament-panels::page>
@php($navigationContext = \App\Support\Navigation\CanonicalNavigationContext::fromRequest(request()))
@php($environmentFilterChip = $this->environmentFilterChip())
@if ($navigationContext?->backLinkLabel !== null && $navigationContext->backLinkUrl !== null)
<x-filament::section class="mb-6">
@ -21,26 +22,34 @@
Configure alert targets and rules, then review delivery history.
</div>
@if ($environmentFilterChip !== null)
@include('filament.partials.workspace-hub-environment-filter-chip', [
'label' => $environmentFilterChip['label'],
'clearUrl' => $environmentFilterChip['clear_url'],
'description' => $environmentFilterChip['description'],
])
@endif
<div class="flex flex-wrap gap-3">
@if (\App\Filament\Resources\AlertDestinationResource::canViewAny())
<x-filament::button tag="a" :href="\App\Filament\Resources\AlertDestinationResource::getUrl(panel: 'admin')">
<x-filament::button tag="a" :href="$this->alertDestinationsUrl()">
Alert targets
</x-filament::button>
@endif
@if (\App\Filament\Resources\AlertRuleResource::canViewAny())
<x-filament::button tag="a" :href="\App\Filament\Resources\AlertRuleResource::getUrl(panel: 'admin')">
<x-filament::button tag="a" :href="$this->alertRulesUrl()">
Alert rules
</x-filament::button>
@endif
@if (\App\Filament\Resources\AlertDeliveryResource::canViewAny())
<x-filament::button tag="a" :href="\App\Filament\Resources\AlertDeliveryResource::getUrl(panel: 'admin')">
<x-filament::button tag="a" :href="$this->alertDeliveriesUrl()">
Alert deliveries
</x-filament::button>
@endif
<x-filament::button tag="a" color="gray" :href="route('admin.monitoring.audit-log')">
<x-filament::button tag="a" color="gray" :href="$this->auditLogUrl()">
Audit Log
</x-filament::button>
</div>

9
apps/platform/resources/views/filament/pages/monitoring/audit-log.blade.php
View File

@ -1,6 +1,7 @@
<x-filament-panels::page>
@php($selectedAudit = $this->selectedAuditRecord())
@php($selectedAuditLink = $this->selectedAuditTargetLink())
@php($environmentFilterChip = $this->environmentFilterChip())
<x-filament::section>
<div class="flex flex-col gap-3">
@ -19,6 +20,14 @@
<div class="text-sm text-gray-600 dark:text-gray-300">
The selected event is URL-addressable through the <span class="font-mono text-xs">event</span> query parameter. If the event is no longer visible in the current history view, the page quietly falls back to the unselected log.
</div>
@if ($environmentFilterChip !== null)
@include('filament.partials.workspace-hub-environment-filter-chip', [
'label' => $environmentFilterChip['label'],
'clearUrl' => $environmentFilterChip['clear_url'],
'description' => $environmentFilterChip['description'],
])
@endif
</div>
</x-filament::section>

91
apps/platform/tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php Normal file
View File

@ -0,0 +1,91 @@
<?php
declare(strict_types=1);
use App\Filament\Resources\AlertDeliveryResource;
use App\Filament\Resources\AlertDestinationResource;
use App\Filament\Resources\AlertRuleResource;
use Tests\Browser\Support\Spec322WorkspaceEnvironmentBrowserHarness as Spec322Harness;
pest()->browser()->timeout(45_000);
it('Spec322 smokes alerts overview and alert deliveries no drift behavior', function (): void {
$fixture = Spec322Harness::fixture();
Spec322Harness::authenticate($this, $fixture['user'], $fixture['workspace'], $fixture['environmentA']);
Spec322Harness::assertWorkspaceOnly(
visit(route('filament.admin.alerts'))->waitForText('Alerts'),
null,
$fixture['environmentA']->name,
);
$filteredAlerts = visit(route('filament.admin.alerts', [
'environment_id' => (int) $fixture['environmentA']->getKey(),
]));
Spec322Harness::assertFilteredWorkspaceHub($filteredAlerts, $fixture['environmentA'], 'Sent');
$page = visit(AlertDeliveryResource::getUrl('index', [
'environment_id' => (int) $fixture['environmentA']->getKey(),
], panel: 'admin'));
Spec322Harness::assertFilteredWorkspaceHub($page, $fixture['environmentA'], 'Sent');
Spec322Harness::clearWorkspaceHubEnvironmentFilter($page);
Spec322Harness::assertWorkspaceOnly($page, 'Sent', $fixture['environmentA']->name);
$page->script('window.location.reload();');
Spec322Harness::assertWorkspaceOnly($page, 'Sent', $fixture['environmentA']->name);
$page->script('window.history.back();');
Spec322Harness::assertFilteredWorkspaceHub($page, $fixture['environmentA'], 'Sent');
$page->script('window.history.forward();');
Spec322Harness::assertWorkspaceOnly($page, 'Sent', $fixture['environmentA']->name);
});
it('Spec322 smokes audit log filtered and clean entries without shell drift', function (): void {
$fixture = Spec322Harness::fixture();
Spec322Harness::authenticate($this, $fixture['user'], $fixture['workspace'], $fixture['environmentA']);
Spec322Harness::assertFilteredWorkspaceHub(
visit(route('admin.monitoring.audit-log', [
'environment_id' => (int) $fixture['environmentA']->getKey(),
])),
$fixture['environmentA'],
'Spec322 browser audit B',
);
$page = visit(route('admin.monitoring.audit-log'));
Spec322Harness::assertWorkspaceOnly($page, 'Spec322 browser audit B', $fixture['environmentA']->name);
$page->script('window.location.reload();');
Spec322Harness::assertWorkspaceOnly($page, 'Spec322 browser audit B', $fixture['environmentA']->name);
});
it('Spec322 smokes alert configuration surfaces ignore stray environment filters', function (): void {
$fixture = Spec322Harness::fixture();
Spec322Harness::authenticate($this, $fixture['user'], $fixture['workspace'], $fixture['environmentA']);
$configurationUrls = [
AlertRuleResource::getUrl('index', [
'environment_id' => (int) $fixture['environmentA']->getKey(),
], panel: 'admin'),
AlertDestinationResource::getUrl('index', [
'environment_id' => (int) $fixture['environmentA']->getKey(),
], panel: 'admin'),
];
foreach ($configurationUrls as $url) {
visit($url)
->waitForText(__('localization.shell.no_environment_selected'))
->assertDontSee('Environment filter:')
->assertNoJavaScriptErrors()
->assertNoConsoleLogs();
}
});

62
apps/platform/tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php Normal file
View File

@ -0,0 +1,62 @@
<?php
declare(strict_types=1);
use App\Filament\Pages\EnvironmentDashboard;
use App\Support\ManagedEnvironmentLinks;
use Tests\Browser\Support\Spec322WorkspaceEnvironmentBrowserHarness as Spec322Harness;
pest()->browser()->timeout(45_000);
it('Spec322 smokes environment owned route and shell contracts', function (): void {
$fixture = Spec322Harness::fixture();
Spec322Harness::authenticate($this, $fixture['user'], $fixture['workspace'], $fixture['environmentA']);
$environmentRoutes = [
'environment dashboard' => [
'url' => EnvironmentDashboard::getUrl(panel: 'admin', tenant: $fixture['environmentA']),
'text' => $fixture['environmentA']->name,
],
'baseline compare' => [
'url' => ManagedEnvironmentLinks::baselineCompareUrl($fixture['environmentA']),
'text' => 'Baseline Compare',
],
'required permissions' => [
'url' => ManagedEnvironmentLinks::requiredPermissionsUrl($fixture['environmentA']),
'text' => 'Required permissions',
],
];
foreach ($environmentRoutes as $route) {
$page = visit($route['url'])
->waitForText($route['text'])
->assertSee($fixture['environmentA']->name)
->assertScript('window.location.pathname.includes("/workspaces/")', true)
->assertScript('window.location.pathname.includes("/environments/")', true)
->assertScript('! window.location.search.includes("environment_id=")', true)
->assertNoJavaScriptErrors()
->assertNoConsoleLogs();
$page->script('window.location.reload();');
$page
->waitForText($route['text'])
->assertSee($fixture['environmentA']->name)
->assertNoJavaScriptErrors()
->assertNoConsoleLogs();
}
});
it('Spec322 smokes baseline compare rejects old workspace style access', function (): void {
$fixture = Spec322Harness::fixture();
Spec322Harness::authenticate($this, $fixture['user'], $fixture['workspace'], $fixture['environmentA']);
visit('/admin/baseline-compare-landing?environment_id='.(int) $fixture['environmentA']->getKey())
->assertScript(
'document.body.innerText.includes("404") || document.body.innerText.includes("Not Found") || document.body.innerText.includes("No access")',
true,
)
->assertNoJavaScriptErrors();
});

123
apps/platform/tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php Normal file
View File

@ -0,0 +1,123 @@
<?php
declare(strict_types=1);
use App\Filament\Pages\EnvironmentDashboard;
use App\Filament\Pages\Governance\GovernanceInbox;
use App\Filament\Pages\Monitoring\FindingExceptionsQueue;
use App\Filament\Resources\ProviderConnectionResource;
use App\Support\OperationRunLinks;
use Tests\Browser\Support\Spec322WorkspaceEnvironmentBrowserHarness as Spec322Harness;
pest()->browser()->timeout(90_000);
it('Spec322 smokes clean workspace hub entry from environment origin without drift', function (): void {
$fixture = Spec322Harness::fixture();
Spec322Harness::authenticate($this, $fixture['user'], $fixture['workspace'], $fixture['environmentA']);
visit(EnvironmentDashboard::getUrl(panel: 'admin', tenant: $fixture['environmentA']))
->assertSee($fixture['environmentA']->name)
->assertNoJavaScriptErrors()
->assertNoConsoleLogs();
$cleanHubs = [
'operations' => [
'url' => OperationRunLinks::index(workspace: $fixture['workspace']),
'wide_text' => 'Inventory sync',
],
'governance inbox' => [
'url' => GovernanceInbox::getUrl(panel: 'admin'),
'wide_text' => 'Spec322 Browser Governance B',
],
'provider connections' => [
'url' => ProviderConnectionResource::getUrl('index', panel: 'admin'),
'wide_text' => 'Spec322 Browser Provider B',
],
'evidence overview' => [
'url' => route('admin.evidence.overview'),
'wide_text' => $fixture['environmentB']->name,
],
];
foreach ($cleanHubs as $hub) {
$page = visit($hub['url']);
Spec322Harness::assertWorkspaceOnly($page, $hub['wide_text'], $fixture['environmentA']->name);
$page->script('window.location.reload();');
Spec322Harness::assertWorkspaceOnly($page, $hub['wide_text'], $fixture['environmentA']->name);
}
});
it('Spec322 smokes filtered workspace hub clear reload and history alignment', function (): void {
$fixture = Spec322Harness::fixture();
Spec322Harness::authenticate($this, $fixture['user'], $fixture['workspace'], $fixture['environmentA']);
$filteredHubs = [
'provider connections' => [
'filtered_url' => ProviderConnectionResource::getUrl('index', [
'environment_id' => (int) $fixture['environmentA']->getKey(),
], panel: 'admin'),
'wide_text' => 'Spec322 Browser Provider B',
'hidden_text' => 'Spec322 Browser Provider B',
],
'evidence overview' => [
'filtered_url' => route('admin.evidence.overview', [
'environment_id' => (int) $fixture['environmentA']->getKey(),
]),
'wide_text' => $fixture['environmentB']->name,
'hidden_text' => $fixture['environmentB']->name,
],
];
foreach ($filteredHubs as $hub) {
$page = visit($hub['filtered_url']);
Spec322Harness::assertFilteredWorkspaceHub($page, $fixture['environmentA'], $hub['hidden_text']);
Spec322Harness::clearWorkspaceHubEnvironmentFilter($page);
Spec322Harness::assertWorkspaceOnly($page, $hub['wide_text'], $fixture['environmentA']->name);
$page->script('window.location.reload();');
Spec322Harness::assertWorkspaceOnly($page, $hub['wide_text'], $fixture['environmentA']->name);
$page->script('window.history.back();');
Spec322Harness::assertFilteredWorkspaceHub($page, $fixture['environmentA'], $hub['hidden_text']);
$page->script('window.history.forward();');
Spec322Harness::assertWorkspaceOnly($page, $hub['wide_text'], $fixture['environmentA']->name);
}
});
it('Spec322 smokes representative legacy aliases without creating filter state', function (): void {
$fixture = Spec322Harness::fixture();
Spec322Harness::authenticate($this, $fixture['user'], $fixture['workspace'], $fixture['environmentA']);
$legacyUrls = [
ProviderConnectionResource::getUrl('index', [
'managed_environment_id' => (int) $fixture['environmentA']->getKey(),
], panel: 'admin'),
FindingExceptionsQueue::getUrl(panel: 'admin', parameters: [
'tenant' => (string) $fixture['environmentA']->getKey(),
]),
route('admin.monitoring.audit-log', [
'tableFilters' => [
'managed_environment_id' => ['value' => (string) $fixture['environmentA']->getKey()],
],
]),
];
foreach ($legacyUrls as $url) {
visit($url)
->waitForText(__('localization.shell.no_environment_selected'))
->assertDontSee('Environment filter:')
->assertSee($fixture['environmentB']->name)
->assertNoJavaScriptErrors()
->assertNoConsoleLogs();
}
});

51
apps/platform/tests/Browser/Spec322WorkspaceOwnedAnalysisSmokeTest.php Normal file
View File

@ -0,0 +1,51 @@
<?php
declare(strict_types=1);
use App\Filament\Pages\CrossEnvironmentComparePage;
use App\Filament\Pages\EnvironmentDashboard;
use App\Filament\Pages\Findings\MyFindingsInbox;
use App\Filament\Pages\Settings\WorkspaceSettings;
use App\Filament\Resources\BaselineProfileResource;
use Tests\Browser\Support\Spec322WorkspaceEnvironmentBrowserHarness as Spec322Harness;
pest()->browser()->timeout(45_000);
it('Spec322 smokes workspace owned analysis and configuration surfaces stay workspace only', function (): void {
$fixture = Spec322Harness::fixture();
Spec322Harness::authenticate($this, $fixture['user'], $fixture['workspace'], $fixture['environmentA']);
visit(EnvironmentDashboard::getUrl(panel: 'admin', tenant: $fixture['environmentA']))
->assertSee($fixture['environmentA']->name)
->assertNoJavaScriptErrors()
->assertNoConsoleLogs();
$surfaces = [
'baseline profiles' => [
'url' => BaselineProfileResource::getUrl('index', panel: 'admin'),
],
'my findings' => [
'url' => MyFindingsInbox::getUrl(panel: 'admin'),
],
'cross-environment compare' => [
'url' => CrossEnvironmentComparePage::getUrl(panel: 'admin'),
],
'workspace settings' => [
'url' => WorkspaceSettings::getUrl(panel: 'admin'),
],
];
foreach ($surfaces as $surface) {
$expectedPath = json_encode((string) parse_url($surface['url'], PHP_URL_PATH), JSON_THROW_ON_ERROR);
$page = visit($surface['url']);
Spec322Harness::assertWorkspaceOnly($page, null, $fixture['environmentA']->name);
$page->assertScript("window.location.pathname === {$expectedPath}", true);
$page->script('window.location.reload();');
Spec322Harness::assertWorkspaceOnly($page, null, $fixture['environmentA']->name);
$page->assertScript("window.location.pathname === {$expectedPath}", true);
}
});

307
apps/platform/tests/Browser/Support/Spec322WorkspaceEnvironmentBrowserHarness.php Normal file
View File

@ -0,0 +1,307 @@
<?php
declare(strict_types=1);
namespace Tests\Browser\Support;
use App\Models\AlertDelivery;
use App\Models\AlertDestination;
use App\Models\AlertRule;
use App\Models\AuditLog;
use App\Models\EnvironmentReview;
use App\Models\EvidenceSnapshot;
use App\Models\Finding;
use App\Models\FindingException;
use App\Models\FindingExceptionDecision;
use App\Models\ManagedEnvironment;
use App\Models\OperationRun;
use App\Models\ProviderConnection;
use App\Models\User;
use App\Models\Workspace;
use App\Support\EnvironmentReviewStatus;
use App\Support\Evidence\EvidenceSnapshotStatus;
use App\Support\Workspaces\WorkspaceContext;
final class Spec322WorkspaceEnvironmentBrowserHarness
{
/**
* @return array{
* user: User,
* workspace: Workspace,
* environmentA: ManagedEnvironment,
* environmentB: ManagedEnvironment,
* runA: OperationRun,
* runB: OperationRun,
* connectionA: ProviderConnection,
* connectionB: ProviderConnection,
* exceptionA: FindingException,
* exceptionB: FindingException,
* snapshotA: EvidenceSnapshot,
* snapshotB: EvidenceSnapshot,
* reviewA: EnvironmentReview,
* reviewB: EnvironmentReview,
* deliveryA: AlertDelivery,
* deliveryB: AlertDelivery,
* auditA: AuditLog,
* auditB: AuditLog,
* auditWorkspace: AuditLog
* }
*/
public static function fixture(): array
{
$environmentA = ManagedEnvironment::factory()->active()->create([
'name' => 'Spec322 Browser Environment A',
'external_id' => 'spec322-browser-environment-a',
]);
[$user, $environmentA] = \createUserWithTenant(tenant: $environmentA, role: 'owner', workspaceRole: 'owner');
$environmentB = ManagedEnvironment::factory()->active()->create([
'workspace_id' => (int) $environmentA->workspace_id,
'name' => 'Spec322 Browser Environment B',
'external_id' => 'spec322-browser-environment-b',
]);
\createUserWithTenant(tenant: $environmentB, user: $user, role: 'owner', workspaceRole: 'owner');
$workspace = $environmentA->workspace()->firstOrFail();
$runA = OperationRun::factory()->forTenant($environmentA)->create(['type' => 'policy.sync']);
$runB = OperationRun::factory()->forTenant($environmentB)->create(['type' => 'inventory_sync']);
$exceptionA = self::findingException($environmentA, $user, 'Spec322 Browser Governance A', 'Spec322 Browser Decision A');
$exceptionB = self::findingException($environmentB, $user, 'Spec322 Browser Governance B', 'Spec322 Browser Decision B');
$connectionA = ProviderConnection::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'managed_environment_id' => (int) $environmentA->getKey(),
'display_name' => 'Spec322 Browser Provider A',
]);
$connectionB = ProviderConnection::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'managed_environment_id' => (int) $environmentB->getKey(),
'display_name' => 'Spec322 Browser Provider B',
]);
$snapshotA = self::evidenceSnapshot($environmentA);
$snapshotB = self::evidenceSnapshot($environmentB);
$reviewA = self::publishedReview($environmentA, $user, $snapshotA);
$reviewB = self::publishedReview($environmentB, $user, $snapshotB);
$rule = AlertRule::factory()->create(['workspace_id' => (int) $workspace->getKey()]);
$destination = AlertDestination::factory()->create(['workspace_id' => (int) $workspace->getKey()]);
$deliveryA = AlertDelivery::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'managed_environment_id' => (int) $environmentA->getKey(),
'alert_rule_id' => (int) $rule->getKey(),
'alert_destination_id' => (int) $destination->getKey(),
'status' => AlertDelivery::STATUS_FAILED,
'created_at' => now()->subHour(),
]);
$deliveryB = AlertDelivery::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'managed_environment_id' => (int) $environmentB->getKey(),
'alert_rule_id' => (int) $rule->getKey(),
'alert_destination_id' => (int) $destination->getKey(),
'status' => AlertDelivery::STATUS_SENT,
'created_at' => now()->subHour(),
]);
$auditA = self::auditRecord($environmentA, 'Spec322 browser audit A');
$auditB = self::auditRecord($environmentB, 'Spec322 browser audit B');
$auditWorkspace = self::auditRecord(null, 'Spec322 browser workspace audit', [
'workspace_id' => (int) $workspace->getKey(),
]);
return compact(
'user',
'workspace',
'environmentA',
'environmentB',
'runA',
'runB',
'connectionA',
'connectionB',
'exceptionA',
'exceptionB',
'snapshotA',
'snapshotB',
'reviewA',
'reviewB',
'deliveryA',
'deliveryB',
'auditA',
'auditB',
'auditWorkspace',
);
}
public static function authenticate(object $testCase, User $user, Workspace $workspace, ?ManagedEnvironment $rememberedEnvironment = null): void
{
$session = [
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
];
if ($rememberedEnvironment instanceof ManagedEnvironment) {
$session[WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY] = [
(string) $workspace->getKey() => (int) $rememberedEnvironment->getKey(),
];
}
$testCase->actingAs($user)->withSession($session);
foreach ($session as $key => $value) {
session()->put($key, $value);
}
\setAdminPanelContext($rememberedEnvironment);
}
public static function assertWorkspaceOnly(mixed $page, ?string $wideText = null, ?string $environmentName = null): mixed
{
$page
->waitForText(__('localization.shell.no_environment_selected'))
->assertDontSee('Environment filter:')
->assertNoJavaScriptErrors()
->assertNoConsoleLogs();
if ($wideText !== null) {
$page->assertSee($wideText);
}
if ($environmentName !== null) {
$page->assertDontSee(__('localization.shell.environment_scope').': '.$environmentName);
}
return self::assertNoLegacyQuery($page);
}
public static function assertFilteredWorkspaceHub(mixed $page, ManagedEnvironment $environment, ?string $hiddenText = null): mixed
{
$page
->waitForText('Environment filter:')
->assertSee($environment->name)
->assertDontSee(__('localization.shell.environment_scope').': '.$environment->name)
->assertSee('Clear filter')
->assertScript('window.location.search.includes("environment_id=")', true)
->assertScript('! window.location.search.includes("tenant=")', true)
->assertScript('! window.location.search.includes("tenant_id=")', true)
->assertScript('! window.location.search.includes("managed_environment_id=")', true)
->assertScript('! window.location.search.includes("tenant_scope=")', true)
->assertScript('! window.location.search.includes("tableFilters")', true)
->assertNoJavaScriptErrors()
->assertNoConsoleLogs();
if ($hiddenText !== null) {
$page->assertDontSee($hiddenText);
}
return $page;
}
public static function assertNoLegacyQuery(mixed $page): mixed
{
return $page
->assertScript('! window.location.search.includes("environment_id=")', true)
->assertScript('! window.location.search.includes("tenant=")', true)
->assertScript('! window.location.search.includes("tenant_id=")', true)
->assertScript('! window.location.search.includes("managed_environment_id=")', true)
->assertScript('! window.location.search.includes("tenant_scope=")', true)
->assertScript('! window.location.search.includes("tableFilters")', true);
}
public static function clearWorkspaceHubEnvironmentFilter(mixed $page): mixed
{
$page->assertScript('document.querySelector(\'[data-testid="workspace-hub-environment-filter-clear"]\') instanceof HTMLAnchorElement', true);
$page->script('window.location.assign(document.querySelector(\'[data-testid="workspace-hub-environment-filter-clear"]\').href);');
return $page->waitForText(__('localization.shell.no_environment_selected'));
}
private static function findingException(
ManagedEnvironment $environment,
User $actor,
string $requestReason,
string $decisionReason,
): FindingException {
$finding = Finding::factory()->for($environment)->riskAccepted()->create([
'workspace_id' => (int) $environment->workspace_id,
'subject_external_id' => str()->slug($requestReason),
]);
$exception = FindingException::query()->create([
'workspace_id' => (int) $environment->workspace_id,
'managed_environment_id' => (int) $environment->getKey(),
'finding_id' => (int) $finding->getKey(),
'requested_by_user_id' => (int) $actor->getKey(),
'owner_user_id' => (int) $actor->getKey(),
'status' => FindingException::STATUS_PENDING,
'current_validity_state' => FindingException::VALIDITY_MISSING_SUPPORT,
'request_reason' => $requestReason,
'requested_at' => now()->subDay(),
'review_due_at' => now()->addDay(),
'evidence_summary' => ['reference_count' => 0],
]);
$decision = $exception->decisions()->create([
'workspace_id' => (int) $environment->workspace_id,
'managed_environment_id' => (int) $environment->getKey(),
'actor_user_id' => (int) $actor->getKey(),
'decision_type' => FindingExceptionDecision::TYPE_REQUESTED,
'reason' => $decisionReason,
'metadata' => [],
'decided_at' => now()->subDay(),
]);
$exception->forceFill(['current_decision_id' => (int) $decision->getKey()])->save();
return $exception->fresh(['currentDecision']);
}
private static function evidenceSnapshot(ManagedEnvironment $environment): EvidenceSnapshot
{
return EvidenceSnapshot::query()->create([
'managed_environment_id' => (int) $environment->getKey(),
'workspace_id' => (int) $environment->workspace_id,
'status' => EvidenceSnapshotStatus::Active->value,
'summary' => ['missing_dimensions' => 0, 'stale_dimensions' => 0],
'generated_at' => now(),
]);
}
private static function publishedReview(ManagedEnvironment $environment, User $user, EvidenceSnapshot $snapshot): EnvironmentReview
{
$review = \composeEnvironmentReviewForTest($environment, $user, $snapshot);
$review->forceFill([
'status' => EnvironmentReviewStatus::Published->value,
'published_at' => now(),
'published_by_user_id' => (int) $user->getKey(),
])->save();
return $review->fresh();
}
/**
* @param array<string, mixed> $attributes
*/
private static function auditRecord(?ManagedEnvironment $environment, string $summary, array $attributes = []): AuditLog
{
$workspaceId = array_key_exists('workspace_id', $attributes)
? (int) $attributes['workspace_id']
: (int) ($environment?->workspace_id);
return AuditLog::query()->create(array_merge([
'workspace_id' => $workspaceId,
'managed_environment_id' => $environment?->getKey(),
'actor_email' => 'spec322-browser@example.test',
'actor_name' => 'Spec322 Browser Operator',
'action' => 'operation.completed',
'status' => 'success',
'resource_type' => 'operation_run',
'resource_id' => '322',
'summary' => $summary,
'metadata' => [],
'recorded_at' => now(),
], $attributes));
}
}

81
apps/platform/tests/Feature/Findings/FindingsAssignmentHygieneReportTest.php
View File

@ -43,11 +43,13 @@ function findingsHygienePage(?User $user = null, array $query = [])
setAdminPanelContext();
$factory = $query === []
? Livewire::actingAs(auth()->user())
: Livewire::withQueryParams($query)->actingAs(auth()->user());
$factory = Livewire::withHeaders(['referer' => FindingsHygieneReport::getUrl(panel: 'admin')]);
return $factory->test(FindingsHygieneReport::class);
if ($query !== []) {
$factory = $factory->withQueryParams($query);
}
return $factory->actingAs(auth()->user())->test(FindingsHygieneReport::class);
}
function makeFindingsHygieneFinding(ManagedEnvironment $tenant, array $attributes = []): Finding
@ -256,7 +258,7 @@ function recordFindingsHygieneAudit(Finding $finding, string $action, CarbonImmu
'options' => [],
],
[
'key' => 'tenant',
'key' => 'environment_id',
'label' => 'ManagedEnvironment',
'fixed' => false,
'options' => [
@ -351,7 +353,68 @@ function recordFindingsHygieneAudit(Finding $finding, string $action, CarbonImmu
]);
});
it('explains when the active tenant prefilter hides otherwise visible hygiene issues and clears it in place', function (): void {
it('ignores remembered environments and retired tenant query aliases on the workspace-owned hygiene surface', function (): void {
[$user, $tenantA] = findingsHygieneActingUser();
$tenantB = ManagedEnvironment::factory()->create([
'status' => 'active',
'workspace_id' => (int) $tenantA->workspace_id,
'name' => 'Beta ManagedEnvironment',
]);
createUserWithTenant($tenantB, $user, role: 'readonly', workspaceRole: 'readonly');
$lostMemberA = User::factory()->create(['name' => 'Lost Member A']);
createUserWithTenant($tenantA, $lostMemberA, role: 'readonly', workspaceRole: 'readonly');
ManagedEnvironmentMembership::query()
->where('managed_environment_id', (int) $tenantA->getKey())
->where('user_id', (int) $lostMemberA->getKey())
->delete();
$lostMemberB = User::factory()->create(['name' => 'Lost Member B']);
createUserWithTenant($tenantB, $lostMemberB, role: 'readonly', workspaceRole: 'readonly');
ManagedEnvironmentMembership::query()
->where('managed_environment_id', (int) $tenantB->getKey())
->where('user_id', (int) $lostMemberB->getKey())
->delete();
$tenantAIssue = makeFindingsHygieneFinding($tenantA, [
'owner_user_id' => (int) $user->getKey(),
'assignee_user_id' => (int) $lostMemberA->getKey(),
'subject_display_name' => 'ManagedEnvironment A Issue',
]);
$tenantBIssue = makeFindingsHygieneFinding($tenantB, [
'owner_user_id' => (int) $user->getKey(),
'assignee_user_id' => (int) $lostMemberB->getKey(),
'subject_display_name' => 'ManagedEnvironment B Issue',
]);
session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
(string) $tenantA->workspace_id => (int) $tenantB->getKey(),
]);
$component = findingsHygienePage($user, [
'tenant' => (string) $tenantB->external_id,
'tenant_id' => (int) $tenantB->getKey(),
'managed_environment_id' => (int) $tenantB->getKey(),
'tenant_scope' => 'environment',
'tableFilters' => [
'managed_environment_id' => ['value' => (string) $tenantB->getKey()],
],
])
->assertSet('tableFilters.managed_environment_id.value', null)
->assertCanSeeTableRecords([$tenantAIssue, $tenantBIssue]);
expect($component->instance()->appliedScope())->toBe([
'workspace_scoped' => true,
'fixed_scope' => 'visible_findings_hygiene_only',
'reason_filter' => 'all',
'reason_filter_label' => 'All issues',
'tenant_prefilter_source' => 'none',
'tenant_label' => null,
]);
});
it('explains when the explicit environment_id prefilter hides otherwise visible hygiene issues and clears it in place', function (): void {
[$user, $tenantA] = findingsHygieneActingUser();
$tenantB = ManagedEnvironment::factory()->create([
@ -374,11 +437,7 @@ function recordFindingsHygieneAudit(Finding $finding, string $action, CarbonImmu
'subject_display_name' => 'ManagedEnvironment A Issue',
]);
session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
(string) $tenantA->workspace_id => (int) $tenantB->getKey(),
]);
$component = findingsHygienePage($user)
$component = findingsHygienePage($user, ['environment_id' => (int) $tenantB->getKey()])
->assertSet('tableFilters.managed_environment_id.value', (string) $tenantB->getKey())
->assertCanNotSeeTableRecords([$tenantAIssue])
->assertSee('No hygiene issues match this environment scope')

11
apps/platform/tests/Feature/Findings/FindingsIntakeQueueNavigationContextTest.php
View File

@ -39,15 +39,16 @@
tenantId: (int) $tenant->getKey(),
familyKey: 'intake_findings',
backLinkUrl: GovernanceInbox::getUrl(panel: 'admin', parameters: [
'managed_environment_id' => (string) $tenant->getKey(),
'environment_id' => (int) $tenant->getKey(),
'family' => 'intake_findings',
]),
);
Livewire::withQueryParams(array_replace($context->toQuery(), [
'tenant' => (string) $tenant->external_id,
'view' => 'needs_triage',
]))
Livewire::withHeaders(['referer' => FindingsIntakeQueue::getUrl(panel: 'admin')])
->withQueryParams(array_replace($context->toQuery(), [
'environment_id' => (int) $tenant->getKey(),
'view' => 'needs_triage',
]))
->actingAs($user)
->test(FindingsIntakeQueue::class)
->assertSet('tableFilters.managed_environment_id.value', (string) $tenant->getKey())

84
apps/platform/tests/Feature/Findings/FindingsIntakeQueueTest.php
View File

@ -31,11 +31,13 @@ function findingsIntakePage(?User $user = null, array $query = [])
setAdminPanelContext();
$factory = $query === []
? Livewire::actingAs(auth()->user())
: Livewire::withQueryParams($query)->actingAs(auth()->user());
$factory = Livewire::withHeaders(['referer' => FindingsIntakeQueue::getUrl(panel: 'admin')]);
return $factory->test(FindingsIntakeQueue::class);
if ($query !== []) {
$factory = $factory->withQueryParams($query);
}
return $factory->actingAs(auth()->user())->test(FindingsIntakeQueue::class);
}
function makeIntakeFinding(ManagedEnvironment $tenant, array $attributes = []): Finding
@ -140,7 +142,7 @@ function makeIntakeFinding(ManagedEnvironment $tenant, array $attributes = []):
->and($queueViews['needs_triage']['active'])->toBeFalse();
});
it('defaults to the active tenant prefilter and lets the operator clear it without dropping intake scope', function (): void {
it('applies the explicit environment_id prefilter and lets the operator clear it without dropping intake scope', function (): void {
[$user, $tenantA] = findingsIntakeActingUser();
$tenantB = ManagedEnvironment::factory()->create([
@ -159,11 +161,7 @@ function makeIntakeFinding(ManagedEnvironment $tenant, array $attributes = []):
'status' => Finding::STATUS_TRIAGED,
]);
session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
(string) $tenantA->workspace_id => (int) $tenantB->getKey(),
]);
$component = findingsIntakePage($user)
$component = findingsIntakePage($user, ['environment_id' => (int) $tenantB->getKey()])
->assertSet('tableFilters.managed_environment_id.value', (string) $tenantB->getKey())
->assertCanSeeTableRecords([$findingB])
->assertCanNotSeeTableRecords([$findingA])
@ -174,7 +172,7 @@ function makeIntakeFinding(ManagedEnvironment $tenant, array $attributes = []):
'fixed_scope' => 'visible_unassigned_open_findings_only',
'queue_view' => 'unassigned',
'queue_view_label' => 'Unassigned',
'tenant_prefilter_source' => 'active_tenant_context',
'tenant_prefilter_source' => 'explicit_filter',
'tenant_label' => $tenantB->name,
]);
@ -191,7 +189,7 @@ function makeIntakeFinding(ManagedEnvironment $tenant, array $attributes = []):
]);
});
it('keeps the needs triage view active when clearing the tenant prefilter', function (): void {
it('keeps the needs triage view active when clearing the environment_id prefilter', function (): void {
[$user, $tenantA] = findingsIntakeActingUser();
$tenantB = ManagedEnvironment::factory()->create([
@ -215,11 +213,10 @@ function makeIntakeFinding(ManagedEnvironment $tenant, array $attributes = []):
'status' => Finding::STATUS_TRIAGED,
]);
session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
(string) $tenantA->workspace_id => (int) $tenantB->getKey(),
]);
$component = findingsIntakePage($user, ['view' => 'needs_triage'])
$component = findingsIntakePage($user, [
'environment_id' => (int) $tenantB->getKey(),
'view' => 'needs_triage',
])
->assertSet('tableFilters.managed_environment_id.value', (string) $tenantB->getKey())
->assertCanSeeTableRecords([$tenantBTriage])
->assertCanNotSeeTableRecords([$tenantATriage, $tenantBBacklog]);
@ -229,7 +226,7 @@ function makeIntakeFinding(ManagedEnvironment $tenant, array $attributes = []):
'fixed_scope' => 'visible_unassigned_open_findings_only',
'queue_view' => 'needs_triage',
'queue_view_label' => 'Needs triage',
'tenant_prefilter_source' => 'active_tenant_context',
'tenant_prefilter_source' => 'explicit_filter',
'tenant_label' => $tenantB->name,
]);
@ -252,6 +249,51 @@ function makeIntakeFinding(ManagedEnvironment $tenant, array $attributes = []):
->and($queueViews['needs_triage']['active'])->toBeTrue();
});
it('ignores remembered environments and retired tenant query aliases on the workspace-owned intake surface', function (): void {
[$user, $tenantA] = findingsIntakeActingUser();
$tenantB = ManagedEnvironment::factory()->create([
'status' => 'active',
'workspace_id' => (int) $tenantA->workspace_id,
'name' => 'Beta ManagedEnvironment',
]);
createUserWithTenant($tenantB, $user, role: 'readonly', workspaceRole: 'readonly');
$findingA = makeIntakeFinding($tenantA, [
'subject_external_id' => 'tenant-a',
'status' => Finding::STATUS_NEW,
]);
$findingB = makeIntakeFinding($tenantB, [
'subject_external_id' => 'tenant-b',
'status' => Finding::STATUS_TRIAGED,
]);
session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
(string) $tenantA->workspace_id => (int) $tenantB->getKey(),
]);
$component = findingsIntakePage($user, [
'tenant' => (string) $tenantB->external_id,
'tenant_id' => (int) $tenantB->getKey(),
'managed_environment_id' => (int) $tenantB->getKey(),
'tenant_scope' => 'environment',
'tableFilters' => [
'managed_environment_id' => ['value' => (string) $tenantB->getKey()],
],
])
->assertSet('tableFilters.managed_environment_id.value', null)
->assertCanSeeTableRecords([$findingA, $findingB]);
expect($component->instance()->appliedScope())->toBe([
'workspace_scoped' => true,
'fixed_scope' => 'visible_unassigned_open_findings_only',
'queue_view' => 'unassigned',
'queue_view_label' => 'Unassigned',
'tenant_prefilter_source' => 'none',
'tenant_label' => null,
]);
});
it('separates needs triage from the remaining backlog and keeps deterministic urgency ordering', function (): void {
[$user, $tenant] = findingsIntakeActingUser();
@ -303,7 +345,7 @@ function makeIntakeFinding(ManagedEnvironment $tenant, array $attributes = []):
]);
$component = findingsIntakePage($user, [
'tenant' => (string) $tenant->external_id,
'environment_id' => (int) $tenant->getKey(),
'view' => 'needs_triage',
]);
@ -333,9 +375,7 @@ function makeIntakeFinding(ManagedEnvironment $tenant, array $attributes = []):
'subject_external_id' => 'available-elsewhere',
]);
findingsIntakePage($user, [
'tenant' => (string) $tenantA->external_id,
])
findingsIntakePage($user, ['environment_id' => (int) $tenantA->getKey()])
->assertSee('No intake findings match this environment scope')
->assertTableEmptyStateActionsExistInOrder(['clear_tenant_filter_empty']);

9
apps/platform/tests/Feature/Findings/MyFindingsInboxNavigationContextTest.php
View File

@ -38,14 +38,15 @@
tenantId: (int) $tenant->getKey(),
familyKey: 'assigned_findings',
backLinkUrl: GovernanceInbox::getUrl(panel: 'admin', parameters: [
'managed_environment_id' => (string) $tenant->getKey(),
'environment_id' => (int) $tenant->getKey(),
'family' => 'assigned_findings',
]),
);
Livewire::withQueryParams(array_replace($context->toQuery(), [
'tenant' => (string) $tenant->external_id,
]))
Livewire::withHeaders(['referer' => MyFindingsInbox::getUrl(panel: 'admin')])
->withQueryParams(array_replace($context->toQuery(), [
'environment_id' => (int) $tenant->getKey(),
]))
->actingAs($user)
->test(MyFindingsInbox::class)
->assertSet('tableFilters.managed_environment_id.value', (string) $tenant->getKey())

93
apps/platform/tests/Feature/Findings/MyWorkInboxTest.php
View File

@ -31,9 +31,13 @@ function myWorkInboxPage(?User $user = null, array $query = [])
setAdminPanelContext();
$factory = $query === [] ? Livewire::actingAs(auth()->user()) : Livewire::withQueryParams($query)->actingAs(auth()->user());
$factory = Livewire::withHeaders(['referer' => MyFindingsInbox::getUrl(panel: 'admin')]);
return $factory->test(MyFindingsInbox::class);
if ($query !== []) {
$factory = $factory->withQueryParams($query);
}
return $factory->actingAs(auth()->user())->test(MyFindingsInbox::class);
}
function makeAssignedFindingForInbox(ManagedEnvironment $tenant, User $assignee, array $attributes = []): Finding
@ -121,7 +125,7 @@ function makeAssignedFindingForInbox(ManagedEnvironment $tenant, User $assignee,
'options' => [],
],
[
'key' => 'tenant',
'key' => 'environment_id',
'label' => 'Managed environment',
'fixed' => false,
'options' => [
@ -150,7 +154,50 @@ function makeAssignedFindingForInbox(ManagedEnvironment $tenant, User $assignee,
]);
});
it('defaults to the active environment prefilter and lets the operator clear it without dropping personal scope', function (): void {
it('applies the explicit environment_id prefilter and lets the operator clear it without dropping personal scope', function (): void {
[$user, $tenantA] = myWorkInboxActingUser();
$tenantB = ManagedEnvironment::factory()->create([
'status' => 'active',
'workspace_id' => (int) $tenantA->workspace_id,
'name' => 'Beta ManagedEnvironment',
]);
createUserWithTenant($tenantB, $user, role: 'readonly', workspaceRole: 'readonly');
$findingA = makeAssignedFindingForInbox($tenantA, $user, [
'subject_external_id' => 'tenant-a',
'status' => Finding::STATUS_NEW,
]);
$findingB = makeAssignedFindingForInbox($tenantB, $user, [
'subject_external_id' => 'tenant-b',
'status' => Finding::STATUS_TRIAGED,
]);
$component = myWorkInboxPage($user, ['environment_id' => (int) $tenantB->getKey()])
->assertSet('tableFilters.managed_environment_id.value', (string) $tenantB->getKey())
->assertCanSeeTableRecords([$findingB])
->assertCanNotSeeTableRecords([$findingA])
->assertActionVisible('clear_tenant_filter');
expect($component->instance()->appliedScope())->toBe([
'workspace_scoped' => true,
'assignee_scope' => 'current_user_only',
'tenant_prefilter_source' => 'explicit_filter',
'tenant_label' => $tenantB->name,
]);
$component->callAction('clear_tenant_filter')
->assertCanSeeTableRecords([$findingA, $findingB]);
expect($component->instance()->appliedScope())->toBe([
'workspace_scoped' => true,
'assignee_scope' => 'current_user_only',
'tenant_prefilter_source' => 'none',
'tenant_label' => null,
]);
});
it('ignores remembered environments and retired tenant query aliases on the workspace-owned analysis surface', function (): void {
[$user, $tenantA] = myWorkInboxActingUser();
$tenantB = ManagedEnvironment::factory()->create([
@ -173,20 +220,16 @@ function makeAssignedFindingForInbox(ManagedEnvironment $tenant, User $assignee,
(string) $tenantA->workspace_id => (int) $tenantB->getKey(),
]);
$component = myWorkInboxPage($user)
->assertSet('tableFilters.managed_environment_id.value', (string) $tenantB->getKey())
->assertCanSeeTableRecords([$findingB])
->assertCanNotSeeTableRecords([$findingA])
->assertActionVisible('clear_tenant_filter');
expect($component->instance()->appliedScope())->toBe([
'workspace_scoped' => true,
'assignee_scope' => 'current_user_only',
'tenant_prefilter_source' => 'active_tenant_context',
'tenant_label' => $tenantB->name,
]);
$component->callAction('clear_tenant_filter')
$component = myWorkInboxPage($user, [
'tenant' => (string) $tenantB->external_id,
'tenant_id' => (int) $tenantB->getKey(),
'managed_environment_id' => (int) $tenantB->getKey(),
'tenant_scope' => 'environment',
'tableFilters' => [
'managed_environment_id' => ['value' => (string) $tenantB->getKey()],
],
])
->assertSet('tableFilters.managed_environment_id.value', null)
->assertCanSeeTableRecords([$findingA, $findingB]);
expect($component->instance()->appliedScope())->toBe([
@ -282,9 +325,7 @@ function makeAssignedFindingForInbox(ManagedEnvironment $tenant, User $assignee,
'subject_external_id' => 'available-elsewhere',
]);
$component = myWorkInboxPage($user, [
'tenant' => (string) $tenantA->external_id,
])
$component = myWorkInboxPage($user, ['environment_id' => (int) $tenantA->getKey()])
->assertCanNotSeeTableRecords([])
->assertSee('No assigned findings match this environment scope')
->assertTableEmptyStateActionsExistInOrder(['clear_tenant_filter_empty']);
@ -306,7 +347,7 @@ function makeAssignedFindingForInbox(ManagedEnvironment $tenant, User $assignee,
->assertTableEmptyStateActionsExistInOrder(['choose_environment_empty']);
});
it('uses the active visible environment for the calm empty-state drillback when environment context exists', function (): void {
it('keeps the calm empty-state drillback workspace-owned when remembered environment context exists', function (): void {
[$user, $tenant] = myWorkInboxActingUser();
session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
@ -315,13 +356,13 @@ function makeAssignedFindingForInbox(ManagedEnvironment $tenant, User $assignee,
$component = myWorkInboxPage($user)
->assertSee('No visible assigned findings right now')
->assertTableEmptyStateActionsExistInOrder(['open_tenant_findings_empty']);
->assertTableEmptyStateActionsExistInOrder(['choose_environment_empty']);
expect($component->instance()->emptyState())->toMatchArray([
'action_name' => 'open_tenant_findings_empty',
'action_label' => 'Open environment findings',
'action_name' => 'choose_environment_empty',
'action_label' => 'Choose an environment',
'action_kind' => 'url',
'action_url' => FindingResource::getUrl('index', panel: 'admin', tenant: $tenant),
'action_url' => route('filament.admin.pages.choose-environment'),
]);
});

382
apps/platform/tests/Feature/Navigation/Spec321AlertsAuditEnvironmentFilterContractTest.php Normal file
View File

@ -0,0 +1,382 @@
<?php
declare(strict_types=1);
use App\Filament\Pages\Monitoring\Alerts;
use App\Filament\Pages\Monitoring\AuditLog as AuditLogPage;
use App\Filament\Resources\AlertDeliveryResource;
use App\Filament\Resources\AlertDeliveryResource\Pages\ListAlertDeliveries;
use App\Filament\Resources\AlertDestinationResource;
use App\Filament\Resources\AlertRuleResource;
use App\Filament\Widgets\Alerts\AlertsKpiHeader;
use App\Models\AlertDelivery;
use App\Models\AlertDestination;
use App\Models\AlertRule;
use App\Models\AuditLog as AuditLogModel;
use App\Models\ManagedEnvironment;
use App\Support\Navigation\CanonicalNavigationContext;
use App\Support\Navigation\WorkspaceHubRegistry;
use App\Support\Workspaces\WorkspaceContext;
use App\Support\Workspaces\WorkspaceOverviewBuilder;
use Filament\Widgets\StatsOverviewWidget\Stat;
use Livewire\Livewire;
function spec321WorkspaceFixture(): array
{
$environmentA = ManagedEnvironment::factory()->active()->create([
'name' => 'Spec321 Environment A',
'external_id' => 'spec321-environment-a',
]);
[$user, $environmentA] = createUserWithTenant(tenant: $environmentA, role: 'owner', workspaceRole: 'owner');
$environmentB = ManagedEnvironment::factory()->active()->create([
'workspace_id' => (int) $environmentA->workspace_id,
'name' => 'Spec321 Environment B',
'external_id' => 'spec321-environment-b',
]);
createUserWithTenant(tenant: $environmentB, user: $user, role: 'owner', workspaceRole: 'owner');
$workspaceId = (int) $environmentA->workspace_id;
$rule = AlertRule::factory()->create([
'workspace_id' => $workspaceId,
]);
$destination = AlertDestination::factory()->create([
'workspace_id' => $workspaceId,
]);
$deliveryA = AlertDelivery::factory()->create([
'workspace_id' => $workspaceId,
'managed_environment_id' => (int) $environmentA->getKey(),
'alert_rule_id' => (int) $rule->getKey(),
'alert_destination_id' => (int) $destination->getKey(),
'status' => AlertDelivery::STATUS_FAILED,
'created_at' => now()->subHour(),
]);
$deliveryB = AlertDelivery::factory()->create([
'workspace_id' => $workspaceId,
'managed_environment_id' => (int) $environmentB->getKey(),
'alert_rule_id' => (int) $rule->getKey(),
'alert_destination_id' => (int) $destination->getKey(),
'status' => AlertDelivery::STATUS_SENT,
'created_at' => now()->subHour(),
]);
$auditA = spec321AuditRecord($environmentA, [
'summary' => 'Spec321 audit event A',
'resource_id' => '321-a',
]);
$auditB = spec321AuditRecord($environmentB, [
'summary' => 'Spec321 audit event B',
'resource_id' => '321-b',
]);
$auditWorkspace = spec321AuditRecord(null, [
'workspace_id' => $workspaceId,
'summary' => 'Spec321 workspace audit event',
'resource_id' => '321-workspace',
]);
session()->put(WorkspaceContext::SESSION_KEY, $workspaceId);
return [$user, $environmentA, $environmentB, compact(
'workspaceId',
'rule',
'destination',
'deliveryA',
'deliveryB',
'auditA',
'auditB',
'auditWorkspace',
)];
}
function spec321AuditRecord(?ManagedEnvironment $environment, array $attributes = []): AuditLogModel
{
$workspaceId = array_key_exists('workspace_id', $attributes)
? (int) $attributes['workspace_id']
: (int) ($environment?->workspace_id);
return AuditLogModel::query()->create(array_merge([
'workspace_id' => $workspaceId,
'managed_environment_id' => $environment?->getKey(),
'actor_email' => 'spec321@example.test',
'actor_name' => 'Spec321 Operator',
'action' => 'operation.completed',
'status' => 'success',
'resource_type' => 'operation_run',
'resource_id' => '321',
'summary' => 'Spec321 audit event',
'metadata' => [],
'recorded_at' => now(),
], $attributes));
}
function spec321AlertsKpiValues($component): array
{
$method = new ReflectionMethod(AlertsKpiHeader::class, 'getStats');
$method->setAccessible(true);
return collect($method->invoke($component->instance()))
->mapWithKeys(fn (Stat $stat): array => [
(string) $stat->getLabel() => (string) $stat->getValue(),
])
->all();
}
function spec321QueryKeys(string $url): array
{
$query = [];
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
return $query;
}
it('documents_alerts_and_audit_log_filter_contract_decisions', function (): void {
$decision = file_get_contents(repo_path('specs/321-alerts-audit-log-environment-filter-contract-decision/decision.md'));
expect($decision)->toBeString()
->and($decision)->toContain('Alerts and Audit Log remain Workspace-owned surfaces.')
->and($decision)->toContain('environment_filterable_workspace_hub')
->and($decision)->toContain('configuration_workspace_surface')
->and($decision)->toContain('environment_id')
->and($decision)->toContain('No legacy aliases are accepted');
});
it('alerts_support_environment_id_filter_with_visible_chip_and_clear', function (): void {
[$user, $environmentA, , $records] = spec321WorkspaceFixture();
$this->actingAs($user);
setAdminPanelContext();
$this->get(route('filament.admin.alerts', ['environment_id' => (int) $environmentA->getKey()]))
->assertRedirect(AlertDeliveryResource::getUrl('index', ['environment_id' => (int) $environmentA->getKey()], panel: 'admin'));
$this->followingRedirects()
->get(route('filament.admin.alerts', ['environment_id' => (int) $environmentA->getKey()]))
->assertOk()
->assertSee('Environment filter:')
->assertSee('Spec321 Environment A')
->assertSee('Clear filter');
$values = spec321AlertsKpiValues(
Livewire::withQueryParams(['environment_id' => (int) $environmentA->getKey()])
->actingAs($user)
->test(AlertsKpiHeader::class)
);
expect($values)->toMatchArray([
'Deliveries (24h)' => '1',
'Failed (7d)' => '1',
]);
$this->followingRedirects()
->get(route('filament.admin.alerts'))
->assertOk()
->assertDontSee('Environment filter:');
Livewire::withQueryParams([])
->actingAs($user)
->test(ListAlertDeliveries::class)
->assertCanSeeTableRecords([$records['deliveryA'], $records['deliveryB']]);
});
it('alert_deliveries_support_environment_id_filter_with_visible_chip_and_clear', function (): void {
[$user, $environmentA, , $records] = spec321WorkspaceFixture();
$this->actingAs($user);
setAdminPanelContext();
$component = Livewire::withQueryParams(['environment_id' => (int) $environmentA->getKey()])
->actingAs($user)
->test(ListAlertDeliveries::class)
->assertSee('Environment filter:')
->assertSee('Spec321 Environment A')
->assertSee('Clear filter')
->assertSet('tableFilters.managed_environment_id.value', (string) $environmentA->getKey())
->assertCanSeeTableRecords([$records['deliveryA']])
->assertCanNotSeeTableRecords([$records['deliveryB']]);
session()->put($component->instance()->getTableFiltersSessionKey(), [
'managed_environment_id' => ['value' => (string) $environmentA->getKey()],
'tableFilters' => [
'managed_environment_id' => ['value' => (string) $environmentA->getKey()],
],
]);
$this->get(AlertDeliveryResource::getUrl(panel: 'admin'))
->assertOk()
->assertDontSee('Environment filter:');
expect(data_get(session()->get($component->instance()->getTableFiltersSessionKey(), []), 'managed_environment_id.value'))
->toBeNull();
Livewire::withQueryParams([])
->actingAs($user)
->test(ListAlertDeliveries::class)
->assertSet('tableFilters.managed_environment_id.value', null)
->assertCanSeeTableRecords([$records['deliveryA'], $records['deliveryB']]);
});
it('audit_log_supports_environment_id_filter_with_visible_chip_and_clear', function (): void {
[$user, $environmentA, , $records] = spec321WorkspaceFixture();
$this->actingAs($user);
setAdminPanelContext();
Livewire::withQueryParams([
'environment_id' => (int) $environmentA->getKey(),
'event' => (int) $records['auditB']->getKey(),
])
->actingAs($user)
->test(AuditLogPage::class)
->assertSee('Environment filter:')
->assertSee('Spec321 Environment A')
->assertSet('tableFilters.managed_environment_id.value', (string) $environmentA->getKey())
->assertSet('selectedAuditLogId', null)
->assertCanSeeTableRecords([$records['auditA']])
->assertCanNotSeeTableRecords([$records['auditB'], $records['auditWorkspace']]);
$this->get(route('admin.monitoring.audit-log'))
->assertOk()
->assertDontSee('Environment filter:');
Livewire::withQueryParams([])
->actingAs($user)
->test(AuditLogPage::class)
->assertSet('tableFilters.managed_environment_id.value', null)
->assertCanSeeTableRecords([$records['auditA'], $records['auditB'], $records['auditWorkspace']]);
});
it('alerts_and_audit_log_do_not_accept_legacy_environment_query_aliases', function (): void {
[$user, $environmentA, , $records] = spec321WorkspaceFixture();
$this->actingAs($user);
setAdminPanelContext();
$this->get(route('filament.admin.alerts', ['managed_environment_id' => (int) $environmentA->getKey()]))
->assertRedirect(AlertDeliveryResource::getUrl(panel: 'admin'));
Livewire::withQueryParams(['managed_environment_id' => (int) $environmentA->getKey()])
->actingAs($user)
->test(ListAlertDeliveries::class)
->assertSet('tableFilters.managed_environment_id.value', null)
->assertCanSeeTableRecords([$records['deliveryA'], $records['deliveryB']]);
Livewire::withQueryParams([
'tenant' => (int) $environmentA->getKey(),
'tenant_id' => (int) $environmentA->getKey(),
'managed_environment_id' => (int) $environmentA->getKey(),
'environment' => (int) $environmentA->getKey(),
'tenant_scope' => 'environment',
'tableFilters' => [
'managed_environment_id' => ['value' => (string) $environmentA->getKey()],
],
])
->actingAs($user)
->test(AuditLogPage::class)
->assertSet('tableFilters.managed_environment_id.value', null)
->assertCanSeeTableRecords([$records['auditA'], $records['auditB'], $records['auditWorkspace']]);
});
it('alerts_and_audit_log_reject_cross_workspace_environment_filters', function (): void {
[$user, $environmentA] = spec321WorkspaceFixture();
$otherEnvironment = ManagedEnvironment::factory()->active()->create([
'name' => 'Spec321 Other Workspace Environment',
]);
$this->actingAs($user);
setAdminPanelContext();
session()->put(WorkspaceContext::SESSION_KEY, (int) $environmentA->workspace_id);
$this->get(route('filament.admin.alerts', ['environment_id' => (int) $otherEnvironment->getKey()]))
->assertNotFound();
$this->get(route('admin.monitoring.audit-log', ['environment_id' => (int) $otherEnvironment->getKey()]))
->assertNotFound();
});
it('alerts_and_audit_log_sidebar_entry_is_workspace_wide', function (): void {
[, $environmentA] = spec321WorkspaceFixture();
$alertUrl = route('filament.admin.alerts');
$auditUrl = route('admin.monitoring.audit-log');
expect(WorkspaceHubRegistry::cleanUrl($alertUrl))->toBe($alertUrl)
->and(WorkspaceHubRegistry::cleanUrl($auditUrl))->toBe($auditUrl)
->and(WorkspaceHubRegistry::cleanUrl(route('filament.admin.alerts', ['environment_id' => (int) $environmentA->getKey()])))
->toBe($alertUrl)
->and(WorkspaceHubRegistry::cleanUrl(route('admin.monitoring.audit-log', ['environment_id' => (int) $environmentA->getKey()])))
->toBe($auditUrl);
});
it('environment_ctas_to_alerts_and_audit_log_use_environment_id', function (): void {
[$user, $environmentA] = spec321WorkspaceFixture();
$this->actingAs($user);
setAdminPanelContext();
$targetMethod = new ReflectionMethod(WorkspaceOverviewBuilder::class, 'alertsOverviewTarget');
$targetMethod->setAccessible(true);
$alertsDestination = $targetMethod->invoke(
app(WorkspaceOverviewBuilder::class),
new CanonicalNavigationContext(
sourceSurface: 'workspace.overview',
canonicalRouteName: 'admin.home',
backLinkLabel: 'Back to overview',
backLinkUrl: route('admin.home'),
),
true,
'Open alerts',
$environmentA,
);
expect(spec321QueryKeys((string) $alertsDestination['url']))
->toHaveKey('environment_id', (string) $environmentA->getKey())
->not->toHaveKey('managed_environment_id');
$alertsPage = Livewire::withQueryParams(['environment_id' => (int) $environmentA->getKey()])
->actingAs($user)
->test(Alerts::class)
->instance();
expect(spec321QueryKeys($alertsPage->alertDeliveriesUrl()))
->toHaveKey('environment_id', (string) $environmentA->getKey())
->and(spec321QueryKeys($alertsPage->auditLogUrl()))
->toHaveKey('environment_id', (string) $environmentA->getKey());
});
it('alert_configuration_surfaces_do_not_emit_environment_filters', function (): void {
[$user, $environmentA] = spec321WorkspaceFixture();
$this->actingAs($user);
setAdminPanelContext();
$alertsPage = Livewire::withQueryParams(['environment_id' => (int) $environmentA->getKey()])
->actingAs($user)
->test(Alerts::class)
->instance();
expect(spec321QueryKeys($alertsPage->alertRulesUrl()))
->not->toHaveKey('environment_id')
->and(spec321QueryKeys($alertsPage->alertDestinationsUrl()))
->not->toHaveKey('environment_id');
$this->get(AlertRuleResource::getUrl('index', ['environment_id' => (int) $environmentA->getKey()], panel: 'admin'))
->assertOk()
->assertDontSee('Environment filter:');
$this->get(AlertDestinationResource::getUrl('index', ['environment_id' => (int) $environmentA->getKey()], panel: 'admin'))
->assertOk()
->assertDontSee('Environment filter:');
expect(AlertDeliveryResource::makeViewAlertRulesAction()->getUrl())
->toBe(AlertRuleResource::getUrl(panel: 'admin'));
});

184
apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php Normal file
View File

@ -0,0 +1,184 @@
<?php
declare(strict_types=1);
use App\Filament\Pages\Governance\DecisionRegister;
use App\Filament\Pages\Governance\GovernanceInbox;
use App\Filament\Pages\Monitoring\FindingExceptionsQueue;
use App\Filament\Resources\AlertDeliveryResource;
use App\Filament\Resources\ProviderConnectionResource;
use App\Models\ManagedEnvironment;
use App\Support\Navigation\AdminSurfaceScope;
use App\Support\Navigation\WorkspaceHubRegistry;
use App\Support\OperationRunLinks;
use App\Support\Workspaces\WorkspaceContext;
it('classifies_core_admin_surfaces_without_scope_drift', function (): void {
$workspaceHubPaths = [
'/admin',
'/admin/workspaces/acme/overview',
'/admin/workspaces/acme/operations',
'/admin/provider-connections',
'/admin/finding-exceptions/queue',
'/admin/evidence/overview',
'/admin/reviews',
'/admin/reviews/workspace',
'/admin/governance/inbox',
'/admin/governance/decisions',
'/admin/audit-log',
'/admin/alerts',
'/admin/alerts/alert-deliveries',
'/admin/alerts/alert-rules',
'/admin/alerts/alert-destinations',
'/admin/settings/workspace',
];
foreach ($workspaceHubPaths as $path) {
expect(AdminSurfaceScope::fromPath($path))->toBe(AdminSurfaceScope::WorkspaceWideSurface, $path);
}
$workspaceOwnedAnalysisPaths = [
'/admin/baseline-profiles',
'/admin/baseline-profiles/42',
'/admin/baseline-profiles/42/edit',
'/admin/baseline-profiles/42/compare-matrix',
'/admin/baseline-snapshots',
'/admin/baseline-snapshots/42',
'/admin/findings/my-work',
'/admin/findings/intake',
'/admin/findings/hygiene',
'/admin/cross-environment-compare',
];
foreach ($workspaceOwnedAnalysisPaths as $path) {
expect(AdminSurfaceScope::fromPath($path))->toBe(AdminSurfaceScope::WorkspaceOwnedAnalysisSurface, $path);
}
$environmentOwnedPaths = [
'/admin/workspaces/acme/environments/prod',
'/admin/workspaces/acme/environments/prod/baseline-compare',
'/admin/workspaces/acme/environments/prod/required-permissions',
'/admin/workspaces/acme/environments/prod/inventory',
'/admin/workspaces/acme/environments/prod/inventory/inventory-coverage',
'/admin/workspaces/acme/environments/prod/diagnostics',
];
foreach ($environmentOwnedPaths as $path) {
expect(AdminSurfaceScope::fromPath($path))->toBe(AdminSurfaceScope::EnvironmentBound, $path);
}
});
it('workspace_hub_clean_urls_never_emit_environment_or_legacy_query_params', function (): void {
$environment = ManagedEnvironment::factory()->active()->create();
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner', workspaceRole: 'owner');
$workspace = $environment->workspace()->firstOrFail();
$this->actingAs($user);
setAdminPanelContext();
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$cleanUrls = [
OperationRunLinks::index(workspace: $workspace),
ProviderConnectionResource::getUrl('index', panel: 'admin'),
FindingExceptionsQueue::getUrl(panel: 'admin'),
route('admin.evidence.overview'),
route('filament.admin.pages.reviews'),
route('filament.admin.pages.reviews.workspace'),
GovernanceInbox::getUrl(panel: 'admin'),
DecisionRegister::getUrl(panel: 'admin'),
route('admin.monitoring.audit-log'),
route('filament.admin.alerts'),
AlertDeliveryResource::getUrl('index', panel: 'admin'),
route('filament.admin.alerts.resources.alert-rules.index'),
route('filament.admin.alerts.resources.alert-destinations.index'),
route('filament.admin.pages.settings.workspace'),
];
foreach ($cleanUrls as $url) {
expect($url)->not->toContain('environment_id=', $url)
->and($url)->not->toContain('tenant=', $url)
->and($url)->not->toContain('tenant_id=', $url)
->and($url)->not->toContain('managed_environment_id=', $url)
->and($url)->not->toContain('environment=', $url)
->and($url)->not->toContain('tenant_scope=', $url)
->and($url)->not->toContain('tableFilters', $url)
->and(WorkspaceHubRegistry::hasForbiddenQuery($url))->toBeFalse($url);
}
});
it('clear_filter_results_match_clean_workspace_hub_entry_for_filterable_hubs', function (): void {
$environment = ManagedEnvironment::factory()->active()->create();
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner', workspaceRole: 'owner');
$workspace = $environment->workspace()->firstOrFail();
$this->actingAs($user);
setAdminPanelContext();
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$dirtyQuery = [
'environment_id' => (int) $environment->getKey(),
'tenant' => (string) $environment->external_id,
'tenant_id' => (int) $environment->getKey(),
'managed_environment_id' => (int) $environment->getKey(),
'environment' => (string) $environment->getRouteKey(),
'tenant_scope' => 'environment',
'tableFilters' => [
'managed_environment_id' => ['value' => (string) $environment->getKey()],
],
'activeTab' => 'failed',
];
$cases = [
OperationRunLinks::index(workspace: $workspace).'?'.http_build_query($dirtyQuery),
ProviderConnectionResource::getUrl('index', $dirtyQuery, panel: 'admin'),
FindingExceptionsQueue::getUrl(panel: 'admin', parameters: $dirtyQuery),
route('admin.evidence.overview', $dirtyQuery),
GovernanceInbox::getUrl(panel: 'admin', parameters: $dirtyQuery),
DecisionRegister::getUrl(panel: 'admin', parameters: $dirtyQuery),
route('admin.monitoring.audit-log', $dirtyQuery),
AlertDeliveryResource::getUrl('index', $dirtyQuery, panel: 'admin'),
];
foreach ($cases as $dirtyUrl) {
$cleanUrl = WorkspaceHubRegistry::cleanUrl($dirtyUrl);
$query = [];
parse_str((string) parse_url($cleanUrl, PHP_URL_QUERY), $query);
expect(WorkspaceHubRegistry::hasForbiddenQuery($cleanUrl))->toBeFalse($cleanUrl)
->and($query)->toHaveKey('activeTab', 'failed');
}
});
it('environment_id_filters_reject_cross_workspace_environment_ids', function (): void {
$environment = ManagedEnvironment::factory()->active()->create();
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner', workspaceRole: 'owner');
$workspace = $environment->workspace()->firstOrFail();
$foreignEnvironment = ManagedEnvironment::factory()->active()->create([
'name' => 'Spec322 Foreign Environment',
]);
$this->actingAs($user);
setAdminPanelContext();
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$urls = [
route('admin.operations.index', [
'workspace' => $workspace,
'environment_id' => (int) $foreignEnvironment->getKey(),
]),
ProviderConnectionResource::getUrl('index', [
'environment_id' => (int) $foreignEnvironment->getKey(),
], panel: 'admin'),
AlertDeliveryResource::getUrl('index', [
'environment_id' => (int) $foreignEnvironment->getKey(),
], panel: 'admin'),
route('admin.monitoring.audit-log', [
'environment_id' => (int) $foreignEnvironment->getKey(),
]),
];
foreach ($urls as $url) {
$this->get($url)->assertNotFound();
}
});

105
apps/platform/tests/Feature/Navigation/Spec322EnvironmentCtaUrlContractTest.php Normal file
View File

@ -0,0 +1,105 @@
<?php
declare(strict_types=1);
use App\Filament\Pages\BaselineCompareLanding;
use App\Filament\Pages\Governance\DecisionRegister;
use App\Filament\Pages\Governance\GovernanceInbox;
use App\Filament\Pages\Monitoring\FindingExceptionsQueue;
use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
use App\Filament\Pages\Reviews\ReviewRegister;
use App\Filament\Pages\Settings\WorkspaceSettings;
use App\Filament\Resources\AlertDeliveryResource;
use App\Filament\Resources\AlertDestinationResource;
use App\Filament\Resources\AlertRuleResource;
use App\Filament\Resources\ProviderConnectionResource;
use App\Models\ManagedEnvironment;
use App\Support\ManagedEnvironmentLinks;
use App\Support\OperationRunLinks;
it('environment_cta_urls_use_the_correct_surface_contract', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'name' => 'Spec322 CTA Environment',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner', workspaceRole: 'owner');
$workspace = $environment->workspace()->firstOrFail();
$this->actingAs($user);
setAdminPanelContext($environment);
$workspaceHubUrls = [
OperationRunLinks::index($environment),
ManagedEnvironmentLinks::operationsUrl($environment),
ManagedEnvironmentLinks::providerConnectionsUrl($environment),
ProviderConnectionResource::getUrl('index', ['environment_id' => (int) $environment->getKey()], panel: 'admin'),
CustomerReviewWorkspace::environmentFilterUrl($environment),
GovernanceInbox::getUrl(panel: 'admin', parameters: ['environment_id' => (int) $environment->getKey()]),
DecisionRegister::getUrl(panel: 'admin', parameters: ['environment_id' => (int) $environment->getKey()]),
FindingExceptionsQueue::getUrl(panel: 'admin', parameters: ['environment_id' => (int) $environment->getKey()]),
route('admin.evidence.overview', ['environment_id' => (int) $environment->getKey()]),
ReviewRegister::getUrl(panel: 'admin', parameters: ['environment_id' => (int) $environment->getKey()]),
route('admin.monitoring.audit-log', ['environment_id' => (int) $environment->getKey()]),
AlertDeliveryResource::getUrl('index', ['environment_id' => (int) $environment->getKey()], panel: 'admin'),
];
foreach ($workspaceHubUrls as $url) {
$query = spec322Query($url);
expect($query)->toHaveKey('environment_id', (string) $environment->getKey())
->and($query)->not->toHaveKey('tenant')
->and($query)->not->toHaveKey('tenant_id')
->and($query)->not->toHaveKey('managed_environment_id')
->and($query)->not->toHaveKey('environment')
->and($query)->not->toHaveKey('tenant_scope')
->and($query)->not->toHaveKey('tableFilters');
}
$environmentOwnedUrls = [
ManagedEnvironmentLinks::viewUrl($environment),
ManagedEnvironmentLinks::baselineCompareUrl($environment),
BaselineCompareLanding::getUrl(panel: 'admin', tenant: $environment),
ManagedEnvironmentLinks::requiredPermissionsUrl($environment),
ManagedEnvironmentLinks::diagnosticsUrl($environment),
route('filament.admin.workspaces.{workspace}.environments.{environment}.inventory', [
'workspace' => ManagedEnvironmentLinks::workspaceRouteKey($workspace),
'environment' => ManagedEnvironmentLinks::environmentRouteKey($environment),
]),
route('filament.admin.workspaces.{workspace}.environments.{environment}.inventory.pages.inventory-coverage', [
'workspace' => ManagedEnvironmentLinks::workspaceRouteKey($workspace),
'environment' => ManagedEnvironmentLinks::environmentRouteKey($environment),
]),
];
foreach ($environmentOwnedUrls as $url) {
expect((string) parse_url($url, PHP_URL_PATH))
->toContain('/admin/workspaces/'.ManagedEnvironmentLinks::workspaceRouteKey($workspace).'/environments/'.ManagedEnvironmentLinks::environmentRouteKey($environment))
->and(spec322Query($url))->not->toHaveKey('environment_id')
->and(spec322Query($url))->not->toHaveKey('managed_environment_id')
->and(spec322Query($url))->not->toHaveKey('tenant')
->and(spec322Query($url))->not->toHaveKey('tableFilters');
}
$workspaceConfigurationUrls = [
AlertRuleResource::getUrl('index', panel: 'admin'),
AlertDestinationResource::getUrl('index', panel: 'admin'),
WorkspaceSettings::getUrl(panel: 'admin'),
];
foreach ($workspaceConfigurationUrls as $url) {
expect(spec322Query($url))->not->toHaveKey('environment_id')
->and(spec322Query($url))->not->toHaveKey('managed_environment_id')
->and(spec322Query($url))->not->toHaveKey('tenant')
->and(spec322Query($url))->not->toHaveKey('tableFilters');
}
});
/**
* @return array<string, mixed>
*/
function spec322Query(string $url): array
{
$query = [];
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
return $query;
}

267
apps/platform/tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php Normal file
View File

@ -0,0 +1,267 @@
<?php
declare(strict_types=1);
use App\Filament\Pages\Monitoring\AuditLog as AuditLogPage;
use App\Filament\Pages\Monitoring\Operations;
use App\Filament\Resources\AlertDeliveryResource\Pages\ListAlertDeliveries;
use App\Models\AlertDelivery;
use App\Models\AlertDestination;
use App\Models\AlertRule;
use App\Models\AuditLog as AuditLogModel;
use App\Models\ManagedEnvironment;
use App\Models\OperationRun;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Illuminate\Support\Facades\Route;
use Livewire\Livewire;
it('legacy_environment_query_aliases_do_not_create_filter_or_shell_state', function (): void {
[$user, $environmentA, $environmentB, $records] = spec322LegacyAliasFixture();
$this->actingAs($user);
setAdminPanelContext();
session()->put(WorkspaceContext::SESSION_KEY, (int) $environmentA->workspace_id);
$legacyQueries = [
'tenant' => ['tenant' => (string) $environmentA->getKey()],
'tenant_id' => ['tenant_id' => (int) $environmentA->getKey()],
'managed_environment_id' => ['managed_environment_id' => (int) $environmentA->getKey()],
'environment' => ['environment' => (string) $environmentA->getRouteKey()],
'tenant_scope' => ['tenant_scope' => 'environment'],
'tableFilters' => [
'tableFilters' => [
'managed_environment_id' => ['value' => (string) $environmentA->getKey()],
],
],
];
foreach ($legacyQueries as $query) {
Livewire::withQueryParams($query)
->actingAs($user)
->test(Operations::class)
->assertSet('tableFilters.managed_environment_id.value', null)
->assertDontSee('Environment filter:')
->assertCanSeeTableRecords([$records['runA'], $records['runB']]);
Livewire::withQueryParams($query)
->actingAs($user)
->test(ListAlertDeliveries::class)
->assertSet('tableFilters.managed_environment_id.value', null)
->assertDontSee('Environment filter:')
->assertCanSeeTableRecords([$records['deliveryA'], $records['deliveryB']]);
Livewire::withQueryParams($query)
->actingAs($user)
->test(AuditLogPage::class)
->assertSet('tableFilters.managed_environment_id.value', null)
->assertDontSee('Environment filter:')
->assertCanSeeTableRecords([$records['auditA'], $records['auditB'], $records['auditWorkspace']]);
}
});
it('has_no_active_legacy_tenant_panel_routes', function (): void {
$legacyRouteUris = collect(Route::getRoutes())
->map(fn ($route): string => ltrim((string) $route->uri(), '/'))
->filter(fn (string $uri): bool => preg_match('#^admin/t(?:/|$)#', $uri) === 1)
->values();
$registeredProviders = require base_path('bootstrap/providers.php');
$tenantPanelProviders = collect($registeredProviders)
->filter(fn (string $provider): bool => str_contains($provider, 'TenantPanelProvider'))
->values();
expect($legacyRouteUris)->toBeEmpty()
->and($tenantPanelProviders)->toBeEmpty()
->and(file_exists(app_path('Providers/Filament/TenantPanelProvider.php')))->toBeFalse()
->and(file_exists(app_path('Filament/Providers/TenantPanelProvider.php')))->toBeFalse()
->and(Filament::getPanel('tenant'))->toBeNull();
$this->get('/admin/t/example')->assertNotFound();
});
it('allows_tenant_terms_only_in_provider_boundary_contexts', function (): void {
$files = spec322LegacyGuardFiles([
base_path('app/Support/Navigation'),
base_path('app/Filament/Pages/Monitoring/Operations.php'),
base_path('app/Filament/Pages/Monitoring/FindingExceptionsQueue.php'),
base_path('app/Filament/Pages/Governance/GovernanceInbox.php'),
base_path('app/Filament/Pages/Governance/DecisionRegister.php'),
base_path('app/Filament/Pages/Monitoring/EvidenceOverview.php'),
base_path('app/Filament/Pages/Reviews/ReviewRegister.php'),
base_path('app/Filament/Pages/Reviews/CustomerReviewWorkspace.php'),
base_path('app/Filament/Resources/ProviderConnectionResource.php'),
base_path('app/Filament/Resources/ProviderConnectionResource/Pages/ListProviderConnections.php'),
base_path('routes/web.php'),
]);
$hits = spec322LegacyPatternHits($files, [
'/\btenantPrefilterUrl\s*\(/',
'/\bCanonicalAdminTenantFilterState\b/',
'/\bWorkspaceScopedTenantRoutes\b/',
'/\bTenantPageCategory\b/',
'/\bEnsureFilamentTenantSelected\b/',
'/'.'ensure-filament-'.'tenant-selected'.'/',
'/\blastTenantId\s*\(/',
'/\brememberedTenant\s*\(/',
'/\brememberTenantContext\s*\(/',
'/\bLAST_TENANT_IDS_SESSION_KEY\b/',
'/\bTenantBound\b/',
'/\bTenantScopedEvidence\b/',
]);
expect($hits)->toBeEmpty("Retired Tenant platform-context terms remain:\n".implode("\n", $hits));
});
/**
* @return array{0: \App\Models\User, 1: ManagedEnvironment, 2: ManagedEnvironment, 3: array<string, mixed>}
*/
function spec322LegacyAliasFixture(): array
{
$environmentA = ManagedEnvironment::factory()->active()->create([
'name' => 'Spec322 Alias Environment A',
'external_id' => 'spec322-alias-environment-a',
]);
[$user, $environmentA] = createUserWithTenant(tenant: $environmentA, role: 'owner', workspaceRole: 'owner');
$environmentB = ManagedEnvironment::factory()->active()->create([
'workspace_id' => (int) $environmentA->workspace_id,
'name' => 'Spec322 Alias Environment B',
'external_id' => 'spec322-alias-environment-b',
]);
createUserWithTenant(tenant: $environmentB, user: $user, role: 'owner', workspaceRole: 'owner');
$runA = OperationRun::factory()->forTenant($environmentA)->create(['type' => 'policy.sync']);
$runB = OperationRun::factory()->forTenant($environmentB)->create(['type' => 'inventory_sync']);
$rule = AlertRule::factory()->create(['workspace_id' => (int) $environmentA->workspace_id]);
$destination = AlertDestination::factory()->create(['workspace_id' => (int) $environmentA->workspace_id]);
$deliveryA = AlertDelivery::factory()->create([
'workspace_id' => (int) $environmentA->workspace_id,
'managed_environment_id' => (int) $environmentA->getKey(),
'alert_rule_id' => (int) $rule->getKey(),
'alert_destination_id' => (int) $destination->getKey(),
'status' => AlertDelivery::STATUS_FAILED,
]);
$deliveryB = AlertDelivery::factory()->create([
'workspace_id' => (int) $environmentA->workspace_id,
'managed_environment_id' => (int) $environmentB->getKey(),
'alert_rule_id' => (int) $rule->getKey(),
'alert_destination_id' => (int) $destination->getKey(),
'status' => AlertDelivery::STATUS_SENT,
]);
$auditA = spec322LegacyAuditRecord($environmentA, 'Spec322 alias audit A');
$auditB = spec322LegacyAuditRecord($environmentB, 'Spec322 alias audit B');
$auditWorkspace = spec322LegacyAuditRecord(null, 'Spec322 workspace audit', [
'workspace_id' => (int) $environmentA->workspace_id,
]);
return [$user, $environmentA, $environmentB, compact(
'runA',
'runB',
'deliveryA',
'deliveryB',
'auditA',
'auditB',
'auditWorkspace',
)];
}
/**
* @param array<string, mixed> $attributes
*/
function spec322LegacyAuditRecord(?ManagedEnvironment $environment, string $summary, array $attributes = []): AuditLogModel
{
$workspaceId = array_key_exists('workspace_id', $attributes)
? (int) $attributes['workspace_id']
: (int) ($environment?->workspace_id);
return AuditLogModel::query()->create(array_merge([
'workspace_id' => $workspaceId,
'managed_environment_id' => $environment?->getKey(),
'actor_email' => 'spec322@example.test',
'actor_name' => 'Spec322 Operator',
'action' => 'operation.completed',
'status' => 'success',
'resource_type' => 'operation_run',
'resource_id' => '322',
'summary' => $summary,
'metadata' => [],
'recorded_at' => now(),
], $attributes));
}
/**
* @param list<string> $roots
* @return list<string>
*/
function spec322LegacyGuardFiles(array $roots): array
{
$files = [];
foreach ($roots as $root) {
if (is_file($root)) {
$files[] = $root;
continue;
}
if (! is_dir($root)) {
continue;
}
$iterator = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
);
foreach ($iterator as $file) {
if (! $file instanceof SplFileInfo || ! $file->isFile()) {
continue;
}
if (! in_array($file->getExtension(), ['php', 'md'], true)) {
continue;
}
$files[] = $file->getPathname();
}
}
sort($files);
return array_values(array_unique($files));
}
/**
* @param list<string> $files
* @param list<string> $patterns
* @return list<string>
*/
function spec322LegacyPatternHits(array $files, array $patterns): array
{
$hits = [];
foreach ($files as $path) {
$contents = file_get_contents($path);
if (! is_string($contents)) {
continue;
}
$lines = preg_split('/\R/', $contents) ?: [];
foreach ($patterns as $pattern) {
foreach ($lines as $lineNumber => $line) {
if (preg_match($pattern, $line) !== 1) {
continue;
}
$hits[] = str_replace(repo_path().'/', '', $path).':'.($lineNumber + 1).' -> '.trim($line);
}
}
}
return $hits;
}

7
apps/platform/tests/Feature/Navigation/WorkspaceHubRegistryTest.php
View File

@ -44,6 +44,13 @@
->and(WorkspaceHubRegistry::isWorkspaceHubPath('/admin/workspaces/1/environments/2/baseline-compare'))->toBeFalse()
->and(WorkspaceHubRegistry::isExplicitlyExcludedPath('/admin/workspaces/1/environments/2/baseline-compare'))->toBeTrue()
->and(WorkspaceHubRegistry::isWorkspaceHubPath('/admin/baseline-compare-landing'))->toBeFalse()
->and(WorkspaceHubRegistry::isWorkspaceHubPath('/admin/baseline-profiles'))->toBeFalse()
->and(WorkspaceHubRegistry::isWorkspaceHubPath('/admin/baseline-profiles/42/compare-matrix'))->toBeFalse()
->and(WorkspaceHubRegistry::isWorkspaceHubPath('/admin/baseline-snapshots'))->toBeFalse()
->and(WorkspaceHubRegistry::isWorkspaceHubPath('/admin/findings/my-work'))->toBeFalse()
->and(WorkspaceHubRegistry::isWorkspaceHubPath('/admin/findings/intake'))->toBeFalse()
->and(WorkspaceHubRegistry::isWorkspaceHubPath('/admin/findings/hygiene'))->toBeFalse()
->and(WorkspaceHubRegistry::isWorkspaceHubPath('/admin/cross-environment-compare'))->toBeFalse()
->and(WorkspaceHubRegistry::isWorkspaceHubPath('/admin/workspaces/1/environments/2/stored-reports'))->toBeFalse()
->and(WorkspaceHubRegistry::isExplicitlyExcludedPath('/admin/workspaces/1/environments/2/stored-reports'))->toBeTrue();
});

75
apps/platform/tests/Unit/Support/OperateHub/OperateHubShellResolutionTest.php
View File

@ -83,6 +83,81 @@
->and($resolved->recoveryReason)->toBeNull();
});
it('keeps workspace owned analysis surfaces tenantless when a remembered environment exists', function (string $path): void {
$rememberedEnvironment = ManagedEnvironment::factory()->active()->create(['name' => 'Remembered ManagedEnvironment']);
[$user, $rememberedEnvironment] = createUserWithTenant(tenant: $rememberedEnvironment, role: 'owner');
$this->actingAs($user);
Filament::setTenant(null, true);
$workspaceId = (int) $rememberedEnvironment->workspace_id;
session()->put(WorkspaceContext::SESSION_KEY, $workspaceId);
session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
(string) $workspaceId => (int) $rememberedEnvironment->getKey(),
]);
$request = Request::create($path);
$request->setLaravelSession(app('session.store'));
$request->setUserResolver(static fn () => $user);
$resolved = app(OperateHubShell::class)->resolvedContext($request);
expect($resolved->workspace?->getKey())->toBe($workspaceId)
->and($resolved->tenant)->toBeNull()
->and($resolved->tenantSource)->toBe('none')
->and($resolved->state)->toBe('tenantless_workspace');
})->with([
'baseline profiles list' => ['/admin/baseline-profiles'],
'baseline profiles detail' => ['/admin/baseline-profiles/42'],
'baseline profiles edit' => ['/admin/baseline-profiles/42/edit'],
'baseline profiles compare matrix' => ['/admin/baseline-profiles/42/compare-matrix'],
'baseline snapshots list' => ['/admin/baseline-snapshots'],
'baseline snapshots detail' => ['/admin/baseline-snapshots/42'],
'my findings' => ['/admin/findings/my-work'],
'findings intake' => ['/admin/findings/intake'],
'findings hygiene' => ['/admin/findings/hygiene'],
'cross-environment compare' => ['/admin/cross-environment-compare'],
]);
it('does not resolve explicit environment_id query hints as shell tenant context on workspace owned analysis surfaces', function (string $path): void {
$workspaceTenant = ManagedEnvironment::factory()->active()->create(['name' => 'Workspace ManagedEnvironment']);
[$user, $workspaceTenant] = createUserWithTenant(tenant: $workspaceTenant, role: 'owner');
$hintedTenant = ManagedEnvironment::factory()->active()->create([
'workspace_id' => (int) $workspaceTenant->workspace_id,
'name' => 'Hinted ManagedEnvironment',
]);
createUserWithTenant(tenant: $hintedTenant, user: $user, role: 'owner');
$this->actingAs($user);
Filament::setTenant(null, true);
$workspaceId = (int) $workspaceTenant->workspace_id;
session()->put(WorkspaceContext::SESSION_KEY, $workspaceId);
$request = Request::create($path, parameters: [
'environment_id' => (int) $hintedTenant->getKey(),
]);
$request->setLaravelSession(app('session.store'));
$request->setUserResolver(static fn () => $user);
$resolved = app(OperateHubShell::class)->resolvedContext($request);
expect($resolved->workspace?->getKey())->toBe($workspaceId)
->and($resolved->tenant)->toBeNull()
->and($resolved->tenantSource)->toBe('none')
->and($resolved->state)->toBe('tenantless_workspace');
})->with([
'baseline profiles' => ['/admin/baseline-profiles'],
'baseline snapshots' => ['/admin/baseline-snapshots'],
'my findings' => ['/admin/findings/my-work'],
'findings intake' => ['/admin/findings/intake'],
'findings hygiene' => ['/admin/findings/hygiene'],
'cross-environment compare' => ['/admin/cross-environment-compare'],
]);
it('uses the routed tenant workspace when the tenant panel is entered without a selected workspace session', function (): void {
$tenant = ManagedEnvironment::factory()->active()->create(['name' => 'ManagedEnvironment Panel Scope']);
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');

22
apps/platform/tests/Unit/Tenants/AdminSurfaceScopeTest.php
View File

@ -3,6 +3,7 @@
declare(strict_types=1);
use App\Support\Navigation\AdminSurfaceScope;
use App\Support\Tenants\TenantInteractionLane;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
@ -17,6 +18,16 @@
'retired tenant panel route' => ['/admin/t/tenant-123', AdminSurfaceScope::WorkspaceScoped],
'workspace environment detail' => ['/admin/workspaces/acme/environments/tenant-123', AdminSurfaceScope::EnvironmentBound],
'baseline compare environment route' => ['/admin/workspaces/acme/environments/tenant-123/baseline-compare', AdminSurfaceScope::EnvironmentBound],
'baseline profiles list' => ['/admin/baseline-profiles', AdminSurfaceScope::WorkspaceOwnedAnalysisSurface],
'baseline profiles detail' => ['/admin/baseline-profiles/42', AdminSurfaceScope::WorkspaceOwnedAnalysisSurface],
'baseline profiles edit' => ['/admin/baseline-profiles/42/edit', AdminSurfaceScope::WorkspaceOwnedAnalysisSurface],
'baseline profiles compare matrix' => ['/admin/baseline-profiles/42/compare-matrix', AdminSurfaceScope::WorkspaceOwnedAnalysisSurface],
'baseline snapshots list' => ['/admin/baseline-snapshots', AdminSurfaceScope::WorkspaceOwnedAnalysisSurface],
'baseline snapshots detail' => ['/admin/baseline-snapshots/42', AdminSurfaceScope::WorkspaceOwnedAnalysisSurface],
'my findings inbox' => ['/admin/findings/my-work', AdminSurfaceScope::WorkspaceOwnedAnalysisSurface],
'findings intake' => ['/admin/findings/intake', AdminSurfaceScope::WorkspaceOwnedAnalysisSurface],
'findings hygiene' => ['/admin/findings/hygiene', AdminSurfaceScope::WorkspaceOwnedAnalysisSurface],
'cross-environment compare' => ['/admin/cross-environment-compare', AdminSurfaceScope::WorkspaceOwnedAnalysisSurface],
'tenant scoped evidence detail' => ['/admin/evidence/123', AdminSurfaceScope::EnvironmentScopedEvidence],
'evidence overview' => ['/admin/evidence/overview', AdminSurfaceScope::WorkspaceWideSurface],
'customer review workspace' => ['/admin/reviews/workspace', AdminSurfaceScope::WorkspaceWideSurface],
@ -31,3 +42,14 @@
'retired operation run detail' => ['/admin/operations/44', AdminSurfaceScope::WorkspaceScoped],
'operation run detail' => ['/admin/workspaces/acme/operations/44', AdminSurfaceScope::CanonicalWorkspaceRecordViewer],
]);
it('keeps workspace owned analysis surfaces tenantless without query hint or remembered environment restore', function (): void {
$surface = AdminSurfaceScope::WorkspaceOwnedAnalysisSurface;
expect($surface->allowsQueryEnvironmentHints())->toBeFalse()
->and($surface->allowsRememberedEnvironmentRestore())->toBeFalse()
->and($surface->allowsEnvironmentlessState())->toBeTrue()
->and($surface->forcesEnvironmentlessShellContext())->toBeTrue()
->and($surface->requiresExplicitEnvironment())->toBeFalse()
->and($surface->lane())->toBe(TenantInteractionLane::StandardActiveOperating);
});

BIN
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/baseline-compare--regression-environment-owned.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.0 KiB

BIN
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/baseline-snapshots--after-reload.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/baselines--after-reload.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

BIN
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/decision-register--regression-workspace-hub.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/environment-origin--baseline-snapshots.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/environment-origin--baselines.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

BIN
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/workspace-origin--baseline-snapshots.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/workspace-origin--baselines.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

75
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/checklists/requirements.md Normal file
View File

@ -0,0 +1,75 @@
# Specification Quality Checklist: Workspace-Owned Analysis Surface Registration & Shell Cutover
**Purpose**: Validate specification completeness and quality before implementation
**Created**: 2026-05-16
**Feature**: [spec.md](/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/320-workspace-owned-analysis-surface-registration-shell-cutover/spec.md)
## Candidate Selection Gate
- [x] Explicit user-provided Spec 320 request was selected as the source of truth for this preparation pass.
- [x] Completed-spec guardrail checked that no existing `specs/320-*` package was present before generation.
- [x] Specs 313, 314, 315, 316, 317, 318, and 319 were treated as dependency/historical context, not rewritten.
- [x] Roadmap/spec-candidate queue was reviewed; active auto-prep queue is empty, so this package proceeds only because the user directly supplied/promoted Spec 320.
- [x] Close alternatives were deferred to follow-up Specs 321 and 322.
- [x] The selected slice is workspace-owned analysis/library shell classification and remembered Environment fallback removal only.
## Content Quality
- [x] Problem statement is operator-visible and tied to workspace-owned page / Environment shell mismatch.
- [x] User value is clear: clean workspace-owned analysis URLs show Workspace shell only.
- [x] Scope is bounded to Spec 318 M2/M4 targets plus directly related unregistered workspace analysis pages.
- [x] Hard cutover/no compatibility posture is explicit.
- [x] No unresolved clarification-marker placeholders remain.
- [x] Mandatory Spec Candidate Check is complete.
- [x] Spec Scope Fields are complete.
- [x] Shared pattern, OperationRun, provider boundary, UI/surface, testing, acceptance, and browser sections are complete.
## Requirement Completeness
- [x] Functional requirements are testable and unambiguous.
- [x] Requirements cover Baselines, Baseline Snapshots, baseline detail/edit/matrix pages, My Findings, Findings Intake, Findings Hygiene, Cross-environment Compare, legacy aliases, remembered fallback, reload/back-forward, Baseline Compare regression, and Decision Register regression.
- [x] Non-goals prevent Spec 321/322 scope creep.
- [x] Edge cases are identified.
- [x] Assumptions and risks are documented.
- [x] Success and acceptance criteria are measurable.
- [x] Open questions do not block implementation; they require per-page documentation during implementation.
## Plan Quality
- [x] Laravel, Filament, Livewire, Pest, PostgreSQL, Sail, and Dokploy context is recorded.
- [x] Livewire v4.0+ compliance is explicitly noted through Livewire 4.1.4.
- [x] Laravel 12 panel provider location remains `apps/platform/bootstrap/providers.php`.
- [x] Global search impact is assessed as unchanged unless a touched Resource is deliberately changed and tested.
- [x] Destructive/high-impact action handling is addressed for existing archive/capture/compare/preflight actions.
- [x] Asset strategy is assessed as no new Filament assets/no new `filament:assets` step.
- [x] No migration, seeder, package, env var, queue, scheduler, storage, or deployment asset change is planned.
- [x] Existing repo seams are named.
- [x] Test strategy and browser verification plan are concrete.
## Task Quality
- [x] Tasks are ordered from guardrails/tests through classification, page/link alignment, browser verification, and final validation.
- [x] Tests are required before or alongside implementation.
- [x] Task IDs follow the required checkbox format.
- [x] File paths are concrete where repo surfaces are known.
- [x] Non-tasks explicitly prevent compatibility layers, query alias support, Baseline Compare changes, and follow-up-spec scope creep.
- [x] Browser screenshot paths are specified.
- [x] Validation commands are specified.
## Constitution Alignment
- [x] Workspace and Environment isolation are covered.
- [x] Cross-workspace Environment filters cannot create shell context or leak identity.
- [x] No new persisted truth is introduced.
- [x] Possible classifier complexity has a proportionality review.
- [x] OperationRun semantics are preserved for existing high-impact actions.
- [x] Audit/authorization/confirmation expectations for existing high-impact actions remain explicit.
- [x] Test governance lane impact is explicit.
- [x] Provider/platform boundary is explicit.
## Readiness Result
- [x] Candidate Selection Gate passes.
- [x] Spec Readiness Gate passes.
- [x] Ready for separate implementation loop.
- [x] No application implementation was performed during this preparation step.

287
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/plan.md Normal file
View File

@ -0,0 +1,287 @@
# Implementation Plan: Workspace-Owned Analysis Surface Registration & Shell Cutover
**Branch**: `320-workspace-owned-analysis-surface-registration-shell-cutover` | **Date**: 2026-05-16 | **Spec**: [spec.md](/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/320-workspace-owned-analysis-surface-registration-shell-cutover/spec.md)
**Input**: Feature specification from `/specs/320-workspace-owned-analysis-surface-registration-shell-cutover/spec.md`
**Preparation status**: Specification artifacts only. No runtime implementation has been performed by this preparation step.
## Summary
Spec 320 hard-cuts workspace-owned analysis/library pages away from remembered Environment shell inheritance:
```text
Workspace-owned analysis surface
-> clean workspace route
-> Workspace shell only
-> no active Environment shell
-> no remembered Environment fallback
-> optional Environment filter only through canonical environment_id + visible chip
```
The implementation must classify the audited workspace-owned analysis surfaces from Spec 318, especially Baselines/Baseline Profiles, Baseline Snapshots, Baseline Compare Matrix, My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare. Baseline Compare remains Environment-owned from Spec 319. Alerts/Audit Log filter decisions remain Spec 321.
## Technical Context
**Language/Version**: PHP 8.4.15, Laravel 12.52.0
**Primary Dependencies**: Filament 5.2.1, Livewire 4.1.4, Pest 4.3.1, Laravel Sail
**Storage**: PostgreSQL; no schema changes planned
**Testing**: Pest 4 / PHPUnit 12, Filament/Livewire tests, focused browser smoke
**Validation Lanes**: fast-feedback, confidence, browser
**Target Platform**: `apps/platform` Laravel/Filament admin panel, local Sail, staging/production through Dokploy
**Project Type**: Web application
**Performance Goals**: No material performance change. Classification and shell resolution must remain cheap request-time logic.
**Constraints**: No migrations, seeders, packages, env vars, queues, scheduler, storage, deployment assets, compatibility routes, redirects, or legacy query alias support.
**Scale/Scope**: Focused shell/context classification for workspace-owned analysis surfaces plus targeted regressions for Specs 314-319.
## UI / Surface Guardrail Plan
- **Guardrail scope**: route/shell/query/copy/navigation behavior for existing operator-facing workspace-owned analysis pages.
- **Native vs custom classification summary**: Existing Filament Resources/Pages and Blade views. No styling redesign.
- **Shared-family relevance**: navigation, shell context, breadcrumbs, filter chips, clear actions, OperationRun links.
- **State layers in scope**: shell, page, record/detail, URL query, Filament table filter state, Livewire referer classification.
- **Audience modes in scope**: operator-MSP and support-platform.
- **Decision/diagnostic/raw hierarchy plan**: Workspace ownership must be default-visible; Environment context may appear as data/filter state only.
- **Raw/support gating plan**: no raw/support evidence exposure change.
- **One-primary-action / duplicate-truth control**: The shell is the single ownership signal; page filters/selectors do not become shell ownership.
- **Handling modes by drift class or surface**: hard-stop for remembered Environment shell on in-scope clean URLs; review-mandatory for any newly discovered workspace analysis route.
- **Repository-signal treatment**: Spec 318 M2/M4 are implementation inputs; pages outside those findings are inspect-only unless repo evidence proves same mismatch.
- **Special surface test profiles**: `global-context-shell`.
- **Required tests or manual smoke**: classifier tests, URL/query tests, Livewire/Feature render tests, browser smoke for workspace origin, Environment origin, reload, and back/forward.
- **Exception path and spread control**: A distinct workspace-owned analysis classifier is allowed only if `WorkspaceHubRegistry` would overstate hub/filter behavior. Document the choice in implementation close-out.
- **Active feature PR close-out entry**: Guardrail / Exception / Smoke Coverage.
## Shared Pattern & System Fit
- **Cross-cutting feature marker**: yes.
- **Systems touched**: `AdminSurfaceScope`, `WorkspaceHubRegistry`, `WorkspaceSidebarNavigation`, `WorkspaceHubEnvironmentFilter`, `WorkspaceHubFilterStateResetter`, `WorkspaceScopedEnvironmentRoutes`, `ManagedEnvironmentLinks`, `OperateHubShell`, baseline resources/pages, findings analysis pages, cross-environment compare page, tests, browser smoke artifacts.
- **Shared abstractions reused**: existing workspace hub shell contract, `AdminSurfaceScope`, `WorkspaceHubRegistry` query cleaning, `WorkspaceHubEnvironmentFilter`, `CanonicalAdminEnvironmentFilterState`, and current route/link helpers.
- **New abstraction introduced? why?**: none preferred. If necessary, add the narrowest possible `AdminSurfaceScope` classification for workspace-owned analysis surfaces to force environmentless shell without implying full workspace-hub behavior.
- **Why the existing abstraction was sufficient or insufficient**: `WorkspaceHubRegistry` works for registered hubs; generic `WorkspaceScoped` is insufficient because it allows remembered Environment restore.
- **Bounded deviation / spread control**: Do not introduce a general surface taxonomy beyond the audited route list. Do not register pages as hubs unless they truly satisfy hub/filter/clear behavior.
## OperationRun UX Impact
- **Touches OperationRun start/completion/link UX?**: yes, as regression only for existing baseline capture/compare actions.
- **Central contract reused**: `OperationUxPresenter`, `OpsUxBrowserEvents`, `OperationRunLinks`, current services/jobs.
- **Delegated UX behaviors**: existing queued toast, run link, browser event, authorization, and audit behavior remain unchanged.
- **Surface-owned behavior kept local**: existing initiation inputs/actions on Baseline Profile and Baseline Compare Matrix.
- **Queued DB-notification policy**: N/A.
- **Terminal notification path**: Existing central lifecycle only.
- **Exception path**: none.
## Provider Boundary & Portability Fit
- **Shared provider/platform boundary touched?**: yes.
- **Provider-owned seams**: Microsoft/Intune baseline content, provider IDs, Graph-backed snapshot evidence, compare strategy internals.
- **Platform-core seams**: Workspace/Environment route ownership, shell classification, query key semantics, navigation ownership language.
- **Neutral platform terms / contracts preserved**: Workspace, Environment, workspace-owned analysis surface, workspace hub, filtered workspace hub, Environment-owned page.
- **Retained provider-specific semantics and why**: Baseline content remains Microsoft/Intune-shaped because it is current provider implementation truth.
- **Bounded extraction or follow-up path**: Spec 321 and Spec 322 remain follow-ups; no provider abstraction work here.
## Constitution Check
*GATE: Must pass before implementation. Re-check after runtime changes.*
- Inventory-first: no inventory/snapshot truth change. Baseline snapshots remain immutable evidence/artifacts.
- Read/write separation: no new write behavior. Existing capture/compare/preflight actions keep confirmation, authorization, audit, and OperationRun semantics.
- Graph contract path: no new Graph calls; page render must remain DB-only.
- Deterministic capabilities: existing capability checks remain; route/shell classification must be testable.
- RBAC-UX: non-member / not entitled Workspace or Environment access remains deny-as-not-found where applicable; member missing capability follows existing behavior.
- Workspace isolation: current Workspace remains the primary shell and authorization boundary.
- Tenant/Environment isolation: Environment-owned rows remain scoped by accessible environments; optional filters must resolve only inside current Workspace and entitlement.
- Run observability: existing baseline operation runs remain observable; no new operation type.
- Test governance: lane purpose, heavy/browser visibility, fixture cost, and reviewer handoff are explicit.
- Proportionality: possible classifier addition is justified by current browser-proven shell mismatch and bounded route list.
- No premature abstraction: prefer extending existing classifier/registry paths over a new framework.
- Persisted truth: no tables/entities/artifacts added.
- Behavioral state: no new business state/status/reason family.
- UI semantics: no new badge/status taxonomy; direct shell/page/filter truth only.
- Shared pattern first: reuse workspace hub and shell resolution contracts.
- Provider boundary: no provider tenant ID alias or fallback becomes platform shell truth.
- V1 explicitness / few layers: hard cutover, no compatibility layer.
- Filament-native UI: no ad-hoc styling or published internals.
- Filament v5 / Livewire v4: Livewire 4.1.4 satisfies Filament v5 requirement; no Livewire v3 APIs.
- Provider registration: Laravel 12 panel providers remain in `apps/platform/bootstrap/providers.php`; no provider registration work planned.
- Global search: no global search behavior should change. Baseline Profile and Baseline Snapshot global search remain disabled unless implementation explicitly verifies a safe View/Edit route and updates tests.
- Destructive/high-impact actions: no new destructive action. Existing archive/capture/compare/preflight actions must keep `->action(...)`, confirmation where required, authorization, audit, notifications, and tests.
- Asset strategy: no Filament assets planned; no new `filament:assets` deployment requirement.
## Test Governance Check
- **Test purpose / classification by changed surface**: Unit for classifier/registry; Feature/Livewire for shell/access/filter behavior; Browser for integrated shell/sidebar/reload/history.
- **Affected validation lanes**: fast-feedback, confidence, browser.
- **Why this lane mix is the narrowest sufficient proof**: The defect is both classification logic and browser-visible shell drift.
- **Narrowest proving command(s)**:
- `cd apps/platform && ./vendor/bin/sail artisan test --filter=AdminSurfaceScope`
- `cd apps/platform && ./vendor/bin/sail artisan test --filter=WorkspaceHubRegistry`
- `cd apps/platform && ./vendor/bin/sail artisan test --filter=WorkspaceOwnedAnalysis`
- `cd apps/platform && ./vendor/bin/sail artisan test --filter=BaselineCompareEnvironmentRouteContract`
- `cd apps/platform && ./vendor/bin/sail artisan test --filter=WorkspaceHubEnvironmentFilterContract`
- focused Spec 320 browser smoke.
- **Fixture / helper / factory / seed / context cost risks**: workspace/environment/member plus small baseline/finding fixtures; keep any full browser fixture explicit and named.
- **Expensive defaults or shared helper growth introduced?**: no. If a helper is needed, make expensive setup opt-in.
- **Heavy-family additions, promotions, or visibility changes**: explicit browser smoke only; no broad discovery guard in this spec.
- **Surface-class relief / special coverage rule**: `global-context-shell`.
- **Closing validation and reviewer handoff**: prove clean URLs, filtered URLs, legacy aliases, remembered fallback rejection, Baseline Compare regression, Decision Register regression, and browser screenshots.
- **Budget / baseline / trend follow-up**: none expected; document if browser smoke runtime grows materially.
- **Review-stop questions**: Are any workspace-owned analysis URLs still generic `WorkspaceScoped` with remembered restore? Did any page get registered as a hub without supporting hub/filter/clear behavior? Did legacy aliases return?
- **Escalation path**: document-in-feature.
- **Active feature PR close-out entry**: Guardrail / Exception / Smoke Coverage.
- **Why no dedicated follow-up spec is needed**: This is the dedicated follow-up for Spec 318 M2/M4. Alerts/Audit and durable browser guard already have 321/322.
## Project Structure
### Documentation (this feature)
```text
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/
+-- spec.md
+-- plan.md
+-- tasks.md
+-- checklists/
+-- requirements.md
```
### Source Code (likely affected during later implementation)
```text
apps/platform/app/
+-- Support/Navigation/
| +-- AdminSurfaceScope.php
| +-- WorkspaceHubRegistry.php
| +-- WorkspaceSidebarNavigation.php
+-- Support/OperateHub/OperateHubShell.php
+-- Support/ManagedEnvironmentLinks.php
+-- Filament/Resources/
| +-- BaselineProfileResource.php
| +-- BaselineSnapshotResource.php
+-- Filament/Pages/
| +-- BaselineCompareMatrix.php
| +-- CrossEnvironmentComparePage.php
| +-- Findings/
| +-- MyFindingsInbox.php
| +-- FindingsIntakeQueue.php
| +-- FindingsHygieneReport.php
+-- Filament/Concerns/WorkspaceScopedEnvironmentRoutes.php
apps/platform/tests/
+-- Unit/Tenants/AdminSurfaceScopeTest.php
+-- Unit/Support/OperateHub/OperateHubShellResolutionTest.php
+-- Feature/Navigation/WorkspaceHubRegistryTest.php
+-- Feature/Navigation/WorkspaceHubEnvironmentFilterContractTest.php
+-- Feature/Filament/
| +-- BaselineCompareEnvironmentRouteContractTest.php
| +-- BaselineProfile*.php
| +-- BaselineSnapshot*.php
+-- Feature/Findings/
| +-- MyFindingsInboxNavigationContextTest.php
| +-- FindingsIntakeQueueNavigationContextTest.php
+-- Browser/
+-- Spec320WorkspaceOwnedAnalysisSurfaceSmokeTest.php
```
**Structure Decision**: Use existing Laravel/Filament app structure. Do not create new base folders. Add test files only where the existing test families already live, or extend existing focused files when lower churn is clearer.
## Complexity Tracking
| Violation | Why Needed | Simpler Alternative Rejected Because |
|-----------|------------|-------------------------------------|
| Possible new `AdminSurfaceScope` value | Generic `WorkspaceScoped` allows remembered Environment restore; workspace hubs already force environmentless shell but not every analysis page is a hub | Blindly adding every page to `WorkspaceHubRegistry` could falsely imply hub/filter/clear behavior |
## Proportionality Review
- **Current operator problem**: Workspace-owned pages can appear Environment-owned in the shell with no filter chip or route ownership.
- **Existing structure is insufficient because**: `WorkspaceScoped` restores remembered Environment; `WorkspaceHubRegistry` is reserved for hub-like surfaces.
- **Narrowest correct implementation**: Classify a route list or narrow scope category as workspace-owned analysis and make it force environmentless shell.
- **Ownership cost created**: Focused classifier tests, URL/filter tests, browser smoke, and implementation close-out documentation.
- **Alternative intentionally rejected**: Keep generic fallback, add legacy aliases, or add all pages to workspace hub registry regardless of actual hub behavior.
- **Release truth**: Current-release cleanup before production.
## Implementation Phases
### Phase 0 - Repo Verification
Re-read Spec 318 artifacts and current code paths. Confirm the final in-scope list before runtime edits:
- Baselines/Baseline Profiles.
- Baseline Profile view/edit/create if applicable.
- Baseline Compare Matrix.
- Baseline Snapshots.
- My Findings, Findings Intake, Findings Hygiene.
- Cross-environment Compare.
- Any other Spec 318 unregistered workspace analysis surface still present in routes/navigation.
### Phase 1 - Tests First
Add focused tests that fail on current remembered Environment inheritance:
- `AdminSurfaceScope` classification for in-scope paths.
- Shell resolution with remembered Environment present.
- Clean URL opens without active Environment.
- Legacy alias rejection.
- Optional `environment_id` filter behavior where supported.
- Baseline Compare and Decision Register regressions.
### Phase 2 - Classification / Registry Cutover
Implement the narrowest classifier mechanism:
- Prefer existing registry/classifier extensions.
- Add a distinct workspace-owned analysis surface classification only if needed.
- Ensure `forcesEnvironmentlessShellContext()` returns true for these paths.
- Ensure `allowsRememberedEnvironmentRestore()` is false for these paths.
- Preserve Workspace state and authorization.
### Phase 3 - Page / Link / Copy Alignment
Update only in-scope surfaces:
- Sidebar/global/workspace links emit clean workspace URLs unless explicit `environment_id` filter is supported.
- Environment-origin links do not carry active Environment shell ownership.
- Headers, breadcrumbs, empty states, and copy use workspace/library/work-queue wording.
- Existing Environment columns, selectors, badges, and filters remain data/filter state.
### Phase 4 - Regression and Browser Proof
Run focused tests and browser smoke:
- Baselines workspace origin, environment origin, reload.
- Baseline Snapshots workspace origin, environment origin, reload.
- Baseline Compare Matrix direct/reload/back-forward.
- My Findings/Intake/Hygiene and Cross-environment Compare direct/from Environment context.
- Baseline Compare Environment-owned regression.
- Decision Register workspace hub/filtered hub regression.
Save screenshots under:
```text
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/
```
### Phase 5 - Close-Out
Document:
- classification outcomes for Baselines/Baseline Snapshots.
- unregistered workspace analysis pages fixed or excluded.
- whether any page was reclassified Environment-owned.
- how remembered Environment inheritance was prevented.
- tests and browser verification.
- no migrations/packages/env vars/queues/scheduler/storage/assets.
- no backwards compatibility or legacy alias support.
## Rollout Considerations
- No database migration or data backfill.
- No production compatibility burden because pre-production hard cutover is the standing policy.
- No Dokploy runtime change.
- No new `filament:assets` deployment step.
- Staging validation should run focused tests and browser smoke before promotion.
## Risk Controls
- Keep route list explicit and tested.
- Do not generalize classifier beyond audited need.
- Do not add Environment filter feature work unless a page already has product need and visible chip/clear behavior can be proven.
- Replace old tests that assert broken remembered fallback; do not keep them as compatibility coverage.
- Keep Spec 321 and Spec 322 out of scope.

344
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/spec.md Normal file
View File

@ -0,0 +1,344 @@
# Feature Specification: Workspace-Owned Analysis Surface Registration & Shell Cutover
**Feature Branch**: `320-workspace-owned-analysis-surface-registration-shell-cutover`
**Created**: 2026-05-16
**Status**: Completed
**Input**: User supplied Spec 320 draft: workspace-owned analysis and library pages must be classified centrally, open with Workspace shell only, and stop inheriting remembered Environment shell context.
## Spec Candidate Check *(mandatory - SPEC-GATE-001)*
- **Problem**: Workspace-owned analysis and library surfaces such as Baselines, Baseline Snapshots, baseline detail/matrix pages, and several unregistered analysis pages can show an active Environment shell when opened from Environment navigation or remembered context.
- **Today's failure**: Operators can see `Workspace > Environment` shell on pages whose route and data model are workspace-owned, with no visible Environment filter chip and no route-level Environment ownership.
- **User-visible improvement**: Opening a workspace-owned analysis page from sidebar, global navigation, direct URL, reload, or browser history shows Workspace shell only. If an Environment focus is supported, it is explicit through canonical `environment_id` plus a visible chip.
- **Smallest enterprise-capable version**: Classify the exact workspace-owned analysis/library surfaces found by Spec 318, prevent remembered Environment shell fallback for them, update links/copy where needed, and add focused regression coverage.
- **Explicit non-goals**: No Baseline Compare changes except regression checks, no Alerts/Audit Log filter decision, no durable browser no-drift framework, no redesign, no new product feature, no baseline assignment semantic change, no migrations, no compatibility redirects, no legacy query aliases.
- **Permanent complexity imported**: Possible narrow classifier entries or a new `AdminSurfaceScope` value for workspace-owned analysis surfaces, plus targeted tests. No persisted entities, tables, enum/status families, broad registries, or cross-domain UI framework.
- **Why now**: Spec 318 identified workspace-owned baseline/analysis surfaces as the remaining opposite-side mismatch after Specs 314-317 stabilized workspace hubs and Spec 319 handles Environment-owned Baseline Compare.
- **Why not local**: Page-local copy or sidebar-only fixes would leave direct URLs, Livewire requests, reload/back-forward, and remembered-context shell restoration inconsistent.
- **Approval class**: Cleanup / Consolidation.
- **Red flags triggered**: New classifier semantics are possible, but the scope is bounded by existing audit evidence and does not create a new product taxonomy beyond shell-context ownership.
- **Score**: Nutzen: 2 | Dringlichkeit: 2 | Scope: 2 | Komplexitaet: 2 | Produktnaehe: 2 | Wiederverwendung: 2 | **Gesamt: 12/12**
- **Decision**: approve.
## Spec Scope Fields *(mandatory)*
- **Scope**: workspace.
- **Primary Routes**:
- `/admin/baseline-profiles`
- `/admin/baseline-profiles/{record}`
- `/admin/baseline-profiles/{record}/edit`
- `/admin/baseline-profiles/{record}/compare-matrix`
- `/admin/baseline-snapshots`
- `/admin/baseline-snapshots/{record}`
- `/admin/findings/my-work`
- `/admin/findings/intake`
- `/admin/findings/hygiene`
- `/admin/cross-environment-compare`
- any additional unregistered workspace analysis surface confirmed from Spec 318 or repo inspection.
- **Data Ownership**: Existing workspace-owned Baseline Profile and Baseline Snapshot records, workspace analysis pages that aggregate across accessible Environments, and optional Environment filter state. No schema ownership change.
- **RBAC**: Workspace membership and existing workspace capabilities remain required. Environment entitlements still constrain row/data visibility where the existing page aggregates Environment-owned rows. UI visibility is not authorization.
For canonical-view specs:
- **Default filter behavior when tenant-context is active**: Clean workspace-owned analysis URLs must ignore active/remembered Environment shell context. They may retain data filters only when the page explicitly supports canonical `environment_id` and shows a visible filter chip.
- **Explicit entitlement checks preventing cross-tenant leakage**: Any `environment_id` filter must resolve only inside the current Workspace and only to an Environment visible to the actor. Cross-workspace or unauthorized IDs must not create shell context or leak Environment identity.
## Cross-Cutting / Shared Pattern Reuse *(mandatory)*
- **Cross-cutting feature?**: yes.
- **Interaction class(es)**: navigation, shell/context bar, breadcrumbs, URL/query state, Filament resource/page routing, filter chips, clear-filter actions, browser reload/history behavior.
- **Systems touched**: `AdminSurfaceScope`, `WorkspaceHubRegistry`, `WorkspaceSidebarNavigation`, `WorkspaceScopedEnvironmentRoutes`, `ManagedEnvironmentLinks`, `OperateHubShell`, `WorkspaceHubEnvironmentFilter`, `WorkspaceHubFilterStateResetter`, baseline resources/pages, findings analysis pages, cross-environment compare page, tests, and browser smoke artifacts.
- **Existing pattern(s) to extend**: Workspace hub environmentless shell contract from Specs 314-316 and hard-cut no-legacy policy from Spec 317.
- **Shared contract / presenter / builder / renderer to reuse**: Prefer existing `AdminSurfaceScope`, `WorkspaceHubRegistry` query cleaning, `WorkspaceHubEnvironmentFilter`/clear-filter behavior, and `OperateHubShell` shell resolution over page-local shell hacks.
- **Why the existing shared path is sufficient or insufficient**: Registered workspace hubs already force environmentless shell. The gap is that unregistered workspace analysis pages currently fall into generic `WorkspaceScoped`, which still allows remembered Environment restore.
- **Allowed deviation and why**: A distinct `workspace_owned_analysis_surface` classification is allowed only if adding these pages to `WorkspaceHubRegistry` would falsely make them first-class workspace hubs or filtered hub participants.
- **Consistency impact**: Sidebar, URL, shell, breadcrumb, page header, copy, filter chip, and data scope must agree on Workspace ownership.
- **Review focus**: Verify no remembered Environment, Filament tenant fallback, legacy Tenant query key, or `tableFilters` state creates active Environment shell on in-scope clean URLs.
## OperationRun UX Impact
- **Touches OperationRun start/completion/link UX?**: yes, only because existing Baseline Profile/Baseline Compare Matrix actions can start baseline capture/compare work or link to existing runs.
- **Shared OperationRun UX contract/layer reused**: Existing `OperationUxPresenter`, `OpsUxBrowserEvents`, `OperationRunLinks`, services, jobs, and audit behavior must remain in place.
- **Delegated start/completion UX behaviors**: Existing queued toast, run link, browser event, tenant/workspace-safe URL resolution, authorization, and audit behavior remain delegated to current helpers/services.
- **Local surface-owned behavior that remains**: The pages keep their current initiation controls and filtering UI; this spec changes shell/scope classification, not operation semantics.
- **Queued DB-notification policy**: N/A - no new DB notification behavior.
- **Terminal notification path**: Existing central lifecycle behavior only.
- **Exception required?**: none.
## Provider Boundary / Platform Core Check
- **Shared provider/platform boundary touched?**: yes.
- **Boundary classification**: platform-core route/shell/scope contract; provider-specific Microsoft tenant identity remains provider-owned.
- **Seams affected**: shell resolution, navigation scope, route classification, query key handling, operator vocabulary (`Workspace`, `Environment`, `ManagedEnvironment`), and baseline analysis links.
- **Neutral platform terms preserved or introduced**: `Workspace`, `Environment`, `workspace-owned analysis surface`, `workspace hub`, `filtered workspace hub`, `Environment-owned page`.
- **Provider-specific semantics retained and why**: Existing Intune baseline details, compare strategy, and Graph-backed snapshot content remain provider-specific because they are current product implementation truth.
- **Why this does not deepen provider coupling accidentally**: The fix removes hidden Environment/provider tenant fallback from workspace-owned pages instead of adding provider ID routes or alias query support.
- **Follow-up path**: Spec 321 decides Alerts/Audit Log `environment_id` behavior. Spec 322 adds durable browser no-drift regression infrastructure.
## UI / Surface Guardrail Impact
| Surface / Change | Operator-facing surface change? | Native vs Custom | Shared-Family Relevance | State Layers Touched | Exception Needed? | Low-Impact / `N/A` Note |
|---|---:|---|---|---|---|---|
| Baselines / Baseline Profiles | yes | Existing Filament Resource | navigation, shell, breadcrumbs, actions | route, shell, page, copy | no | Workspace-owned baseline library. |
| Baseline Profile detail/edit | yes | Existing Filament Resource pages | breadcrumbs, header actions, related links | route, shell, record page | no | Workspace-owned record pages. |
| Baseline Compare Matrix | yes | Existing Filament Page + Blade view | analysis page, action links, OperationRun links | route, shell, query state | no | Workspace-owned analysis matrix, not Baseline Compare landing. |
| Baseline Snapshots | yes | Existing Filament Resource | navigation, shell, filters | route, shell, page, copy | no | Workspace-owned snapshot library/report. |
| My Findings / Intake / Hygiene | yes | Existing Filament Pages + tables | analysis queues, filters, clear actions | route, shell, URL query, table filters | no | Workspace-owned analysis pages with optional Environment filtering. |
| Cross-environment Compare | yes | Existing Filament Page + form | analysis page and environment selectors | route, shell, query state | no | Workspace-owned portfolio analysis. |
| Baseline Compare | yes | Existing Environment-owned page | regression only | route, shell | no | Must remain Environment-owned from Spec 319. |
## Decision-First Surface Role
| Surface | Decision Role | Human-in-the-loop Moment | Immediately Visible for First Decision | On-Demand Detail / Evidence | Why This Is Primary or Why Not | Workflow Alignment | Attention-load Reduction |
|---|---|---|---|---|---|---|---|
| Baselines / Baseline Profiles | Secondary Context | Operator manages reusable baseline definitions | profile name, status, capture mode, snapshot truth, next step | assignments, compare matrix, capture run detail | Library/register, not Environment posture page | Workspace governance library | Removes false selected-Environment ownership. |
| Baseline Snapshots | Tertiary Evidence / Diagnostics | Operator inspects immutable snapshot evidence | baseline, captured time, outcome, coverage, next step | snapshot detail and related context | Evidence library, not active Environment dashboard | Workspace baseline evidence review | Keeps evidence scan workspace-owned. |
| Baseline Compare Matrix | Secondary Context | Operator reviews assigned-environment compare matrix for one baseline | matrix state, filters, visible assignments, compare readiness | run/finding/environment drilldowns | Workspace-owned analysis across assigned environments | Baseline profile detail to analysis | Clarifies that selected Environment shell is not the page owner. |
| My Findings / Intake / Hygiene | Primary/Secondary Decision Surfaces | Operator reviews assigned, intake, or hygiene finding work across visible environments | queue counts, finding state, Environment column/filter | finding detail | Workspace work queues with optional Environment filter | Governance inbox/workspace overview to queue | Environment becomes a filter, not shell owner. |
| Cross-environment Compare | Secondary Context | Operator selects source/target environments for portfolio comparison | source, target, policy type selection, preview/preflight state | environment detail links and operation links | Workspace portfolio analysis | Workspace portfolio flow | Avoids hidden current Environment changing a two-environment workflow. |
## Audience-Aware Disclosure
| Surface | Audience Modes In Scope | Decision-First Default-Visible Content | Operator Diagnostics | Support / Raw Evidence | One Dominant Next Action | Hidden / Gated By Default | Duplicate-Truth Prevention |
|---|---|---|---|---|---|---|---|
| Workspace-owned baseline library/snapshots | operator-MSP, support-platform | Workspace library/snapshot status and next step | snapshot fidelity, compare readiness, related runs | raw Graph payloads remain out of scope/default-hidden | Open profile/snapshot or capture/compare where already allowed | raw payload/debug detail | Shell states Workspace once; Environment appears only as data column/filter. |
| Findings analysis queues | operator-MSP, support-platform | queue state, finding severity/status, Environment column/filter | hygiene/intake reason, owner/assignee context | raw provider evidence remains on detail/evidence surfaces | Open finding, claim finding, or clear filter where allowed | support/raw evidence | Active filter chip and shell do not duplicate ownership. |
| Cross-environment Compare | operator-MSP, support-platform | source/target selection and preview readiness | preflight detail, operation/run links | raw policy payloads remain out of scope/default-hidden | Generate preflight where allowed | support/raw evidence | Source/target controls are page state, not shell context. |
## UI/UX Surface Classification
| Surface | Action Surface Class | Surface Type | Likely Next Operator Action | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type / Justification |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Baselines | List / Table / Bulk | Workspace-owned library resource | Open or create baseline profile | Existing clickable row | existing | Existing More/detail header | Existing archive/capture/compare confirmations stay as implemented | `/admin/baseline-profiles` | `/admin/baseline-profiles/{record}` | Workspace shell, no active Environment | Baselines | profile status, capture mode, snapshot truth | none |
| Baseline Snapshots | List / Table | Workspace-owned evidence report | Open snapshot | Existing clickable row | existing | Existing related action | N/A | `/admin/baseline-snapshots` | `/admin/baseline-snapshots/{record}` | Workspace shell, no active Environment | Baseline Snapshots | outcome, coverage, next step | none |
| Baseline Compare Matrix | Workflow / Page | Workspace-owned analysis page | Compare assigned environments or inspect matrix | Explicit controls/links | N/A | Existing header/actions | Existing high-impact compare action keeps confirmation | `/admin/baseline-profiles/{record}/compare-matrix` | N/A | Workspace shell, explicit source data in page | Compare matrix | baseline and matrix scope | none |
| Findings analysis queues | List / Table | Workspace-owned work queues/reports | Open or claim finding | Existing clickable row/action | existing | Existing header/table actions | Existing claim behavior remains authorized | `/admin/findings/my-work`, `/admin/findings/intake`, `/admin/findings/hygiene` | existing finding detail route | Workspace shell, optional Environment filter chip | Findings | queue scope, severity, status, Environment column | none |
| Cross-environment Compare | Workflow / Page | Workspace-owned portfolio analysis | Select source/target, generate preflight | Explicit form/actions | N/A | Header actions | Existing promotion preflight/execution confirmations remain | `/admin/cross-environment-compare` | N/A | Workspace shell, explicit source/target selectors | Cross-environment compare | selected environments and preview readiness | none |
| Baseline Compare | Workflow / Page | Environment-owned posture page | Regression only | Environment route | N/A | Existing | Existing Compare Now remains confirmed | N/A | `/admin/workspaces/{workspace}/environments/{environment}/baseline-compare` | Workspace + Environment shell | Baseline Compare | selected Environment posture | regression only |
## Operator Surface Contract
| Surface | Primary Persona | Decision / Operator Action Supported | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| Baselines | Workspace operator / manager | Manage reusable governance baseline definitions | Workspace-owned library | Which baseline should govern environments? | status, capture mode, snapshot truth, assignments count, next step | capture details, compare matrix, runs | lifecycle, data completeness, governance result | TenantPilot baseline library plus existing queued capture/compare | create/open/edit/capture/compare per current capability | archive/capture/compare remain confirmation/authorization governed |
| Baseline Snapshots | Workspace operator / support | Inspect immutable baseline evidence | Workspace-owned evidence report | Which baseline snapshots are usable? | captured time, outcome, coverage, next step | fidelity detail, related context | lifecycle, evidence completeness | TenantPilot immutable snapshot evidence | open snapshot/related record | none |
| Findings analysis queues | Workspace operator | Review assigned/intake/hygiene work across visible environments | Workspace-owned queues | What governance work needs attention? | finding, severity, status, Environment, queue reason | owner/assignee/hygiene diagnostics | workflow state, severity, SLA | Existing finding workflow only | open finding, claim finding, clear filter | existing mutations remain authorized |
| Cross-environment Compare | Workspace operator / manager | Compare/promote configuration across environments | Workspace-owned portfolio analysis | Which source/target comparison is valid? | selected source/target, preview/preflight readiness | preflight detail, run links | selection validity, execution readiness | Existing queued operation / Microsoft read-write behavior | generate preflight / execute if already implemented | existing execution action remains guarded |
## Proportionality Review *(mandatory when structural complexity is introduced)*
- **New source of truth?**: no. The classification expresses existing product ownership; it does not create new domain truth.
- **New persisted entity/table/artifact?**: no.
- **New abstraction?**: possibly a narrow enum case or registry section if existing `WorkspaceHubRegistry` cannot represent workspace-owned analysis surfaces without falsely making them workspace hubs.
- **New enum/state/reason family?**: no business state. A technical surface-scope enum case is allowed only if it replaces ambiguous generic `WorkspaceScoped` behavior.
- **New cross-domain UI framework/taxonomy?**: no. This uses the existing shell/surface classification vocabulary.
- **Current operator problem**: Clean workspace-owned analysis URLs can show selected Environment shell, making page ownership and data scope misleading.
- **Existing structure is insufficient because**: Generic `AdminSurfaceScope::WorkspaceScoped` allows remembered Environment restore, while `WorkspaceHubRegistry` only covers first-class hubs and filtered hub behavior.
- **Narrowest correct implementation**: Add explicit classifier coverage for the audited workspace-owned analysis paths and make those paths force environmentless shell; use `environment_id` only where the page already supports a visible filter.
- **Ownership cost**: A small set of classifier/link/copy tests plus focused browser smoke. No schema, package, or product workflow cost.
- **Alternative intentionally rejected**: Add the pages blindly to `WorkspaceHubRegistry` if that would imply hub/filter contracts they do not support, or keep remembered fallback because it is convenient.
- **Release truth**: Current-release cleanup before production.
### Compatibility posture
This feature assumes pre-production hard cutover.
Backward compatibility, legacy aliases, remembered Environment fallback, redirect shims, migration shims, dual route models, and compatibility-specific tests are out of scope.
## Testing / Lane / Runtime Impact *(mandatory for runtime behavior changes)*
- **Test purpose / classification**: Unit for classifier/registry behavior; Feature/Livewire for page access, shell state, URL/query/filter behavior, and existing action regression; Browser for integrated shell/sidebar/reload/back-forward verification.
- **Validation lane(s)**: fast-feedback, confidence, browser.
- **Why this classification and these lanes are sufficient**: The defect is visible shell/context drift caused by classifier and navigation behavior; unit/feature tests prove the contract and browser smoke proves integrated UI state.
- **New or expanded test families**: Focused `global-context-shell` coverage for workspace-owned analysis pages. Browser additions remain explicit and bounded to Spec 320 flows.
- **Fixture / helper cost impact**: Reuse existing workspace/environment/member/baseline/finding fixtures. Do not introduce global expensive setup defaults.
- **Heavy-family visibility / justification**: Browser coverage is required because reload/back-forward/sidebar shell mismatch was found by browser audit. It must be named as Spec 320 browser smoke, not hidden inside fast lanes.
- **Special surface test profile**: `global-context-shell`.
- **Standard-native relief or required special coverage**: Existing native Filament pages keep normal UI shape; special coverage is shell/context and filter visibility only.
- **Reviewer handoff**: Verify in-scope clean URLs show Workspace shell only, explicit filtered URLs show visible chip where supported, legacy aliases do not create shell/filter state, and Baseline Compare remains Environment-owned.
- **Budget / baseline / trend impact**: none expected; if browser runtime grows materially, record in the active PR close-out.
- **Escalation needed**: document-in-feature.
- **Active feature PR close-out entry**: Guardrail / Exception / Smoke Coverage.
- **Planned validation commands**:
- `cd apps/platform && ./vendor/bin/sail artisan test --filter=AdminSurfaceScope`
- `cd apps/platform && ./vendor/bin/sail artisan test --filter=WorkspaceHubRegistry`
- `cd apps/platform && ./vendor/bin/sail artisan test --filter=WorkspaceOwnedAnalysis`
- `cd apps/platform && ./vendor/bin/sail artisan test --filter=BaselineCompareEnvironmentRouteContract`
- `cd apps/platform && ./vendor/bin/sail artisan test --filter=WorkspaceHubEnvironmentFilterContract`
- focused Spec 320 browser smoke for Baselines, Baseline Snapshots, Baseline Compare Matrix, My Findings/Intake/Hygiene, Cross-environment Compare, Baseline Compare regression, and Decision Register regression.
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Open Baseline Library Without Environment Shell (Priority: P1)
As a workspace operator, I can open Baselines and Baseline Snapshots from workspace or environment navigation and see Workspace shell only, so reusable baseline libraries do not appear owned by the last Environment I visited.
**Why this priority**: Baseline library ownership is the main known mismatch and directly affects governance trust.
**Independent Test**: Start from an active Environment context, open clean Baselines and Baseline Snapshots URLs, and assert the shell has Workspace only with no active Environment.
**Acceptance Scenarios**:
1. **Given** a remembered Environment exists, **When** the operator opens `/admin/baseline-profiles`, **Then** the shell shows Workspace only and no visible active Environment.
2. **Given** the operator navigates from Environment Dashboard sidebar to Baseline Snapshots, **When** `/admin/baseline-snapshots` opens, **Then** it is a clean workspace-owned page with no hidden Environment shell.
3. **Given** a valid baseline profile record, **When** view/edit/compare-matrix pages open by clean workspace URL, **Then** remembered Environment state does not become shell context.
---
### User Story 2 - Workspace Analysis Pages Do Not Inherit Environment Context (Priority: P1)
As a workspace operator, I can open My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare without the previous Environment owning the shell, so workspace analysis/work queues stay scope-honest.
**Why this priority**: Spec 318 found these unregistered workspace analysis pages inherit remembered Environment shell because they are not registered or classified.
**Independent Test**: With remembered Environment state present, open each clean URL and assert Workspace shell only; if `environment_id` is supported, assert it is a visible filter, not shell ownership.
**Acceptance Scenarios**:
1. **Given** an active Environment context, **When** the operator opens `/admin/findings/my-work`, `/admin/findings/intake`, or `/admin/findings/hygiene`, **Then** shell context remains Workspace only.
2. **Given** a valid `environment_id` filter is supported for a findings analysis page, **When** the page opens with `?environment_id=...`, **Then** shell remains Workspace only and a visible Environment filter chip/clear action exists.
3. **Given** the operator opens `/admin/cross-environment-compare`, **When** source/target selectors are empty or query-hydrated, **Then** shell is Workspace only and selected source/target environments are page state.
---
### User Story 3 - Legacy Query Aliases Cannot Recreate Hidden Environment Shell (Priority: P1)
As a security reviewer, I need legacy query aliases and Filament table filter query payloads to be ignored or stripped on workspace-owned analysis surfaces, so old Tenant/Environment parameters cannot silently resurrect shell context.
**Why this priority**: Specs 314-317 intentionally removed legacy Tenant context and hidden filter state.
**Independent Test**: Open each in-scope page with `tenant`, `tenant_id`, `managed_environment_id`, `tenant_scope`, and `tableFilters` payloads and assert no active Environment shell or hidden filter appears.
**Acceptance Scenarios**:
1. **Given** a clean workspace-owned analysis page, **When** the URL includes `tenant`, `tenant_id`, `managed_environment_id`, `tenant_scope`, or `tableFilters`, **Then** those aliases do not set shell Environment or filter state.
2. **Given** the page supports canonical `environment_id`, **When** invalid or cross-workspace `environment_id` is supplied, **Then** it is rejected/ignored without shell context or leakage.
---
### User Story 4 - Environment-Owned and Workspace Hub Regressions Remain Green (Priority: P2)
As a reviewer, I can verify Baseline Compare remains Environment-owned and Decision Register remains a filtered workspace hub, so Spec 320 does not undo Specs 314-319.
**Why this priority**: The fix targets the opposite side of Spec 319 and must not flatten Environment-owned pages into workspace pages.
**Independent Test**: Assert canonical Baseline Compare route shows Workspace + Environment shell, old workspace-style Baseline Compare URLs still do not render, and Decision Register clean/filtered contracts remain green.
**Acceptance Scenarios**:
1. **Given** a canonical Baseline Compare Environment route, **When** the page opens, **Then** Workspace + active Environment shell remains present.
2. **Given** `/admin/governance/decisions`, **When** opened clean or with `?environment_id=...`, **Then** it behaves exactly as Specs 314-316 require.
### Edge Cases
- A workspace-owned analysis page has no Environment selected or remembered.
- A remembered Environment belongs to the current Workspace.
- A remembered Environment belongs to a different Workspace.
- A valid `environment_id` is supplied on a page that supports explicit filtering.
- A valid `environment_id` is supplied on a page that does not support explicit filtering.
- Legacy query aliases are supplied individually and together.
- Browser reload/back/forward crosses Environment Dashboard, workspace-owned analysis pages, Baseline Compare, and Decision Register.
- Livewire update requests use referer-based surface classification and must not reintroduce remembered Environment shell.
## Functional Requirements
- **FR-001**: Baselines/Baseline Profiles MUST be explicitly classified as workspace-owned analysis/library surfaces unless implementation evidence proves a narrower Environment-owned split is required.
- **FR-002**: Baseline Snapshots MUST be explicitly classified as workspace-owned analysis/library surfaces unless implementation evidence proves a narrower Environment-owned split is required.
- **FR-003**: Baseline Profile view/edit pages and Baseline Compare Matrix MUST be classified so clean URLs force Workspace shell only.
- **FR-004**: My Findings, Findings Intake, Findings Hygiene, Cross-environment Compare, and any other Spec 318 unregistered workspace analysis pages confirmed in repo inspection MUST be registered/classified or explicitly excluded with evidence.
- **FR-005**: In-scope clean workspace-owned analysis URLs MUST NOT restore remembered Environment shell context.
- **FR-006**: In-scope clean URLs MUST open without requiring an active Environment context.
- **FR-007**: Workspace context MUST remain selected and valid; the fix MUST NOT clear Workspace state.
- **FR-008**: If a page supports Environment filtering, the only public filter key MUST be `environment_id`.
- **FR-009**: `environment_id` filtering MUST keep Workspace shell only and show a visible Environment filter chip or equivalent clear affordance.
- **FR-010**: `tenant`, `tenant_id`, `managed_environment_id`, `tenant_scope`, and `tableFilters` MUST NOT create active Environment shell or hidden Environment filter state on in-scope pages.
- **FR-011**: Cross-workspace or unauthorized `environment_id` MUST NOT leak Environment identity or become shell context.
- **FR-012**: Sidebar/global/workspace navigation entries for in-scope pages MUST emit clean workspace URLs unless they intentionally emit canonical `environment_id` filter URLs with visible chips.
- **FR-013**: Environment Dashboard links to workspace-owned analysis pages MUST use clean workspace URLs or explicit `environment_id` filter URLs; they MUST NOT carry active Environment shell ownership.
- **FR-014**: Breadcrumb/header/copy for workspace-owned analysis pages MUST not imply active Environment ownership as the primary scope.
- **FR-015**: Workspace-owned analysis pages MAY show Environment columns, badges, selectors, and filter labels as data/filter state.
- **FR-016**: Baseline Compare MUST remain Environment-owned according to Spec 319.
- **FR-017**: Decision Register, Governance Inbox, Operations, Finding Exceptions Queue, Provider Connections, Evidence Overview, Review Register, Customer Review Workspace, Workspace Settings, Manage Workspaces, and Managed Environments MUST retain their existing workspace hub contracts.
- **FR-018**: Alerts/Audit Log `environment_id` behavior MUST NOT be decided or changed except as regression context; that belongs to Spec 321.
- **FR-019**: No compatibility route, redirect shim, legacy alias support, migration, seeder, package, env var, queue, scheduler, storage, or deployment asset change may be introduced for this spec.
- **FR-020**: Browser verification screenshots SHOULD be saved under `specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/` when generated.
## Acceptance Criteria
### Surface Classification
- [x] Baselines/Baseline Profiles classified as workspace-owned or explicitly reclassified with evidence.
- [x] Baseline Snapshots classified as workspace-owned or explicitly reclassified with evidence.
- [x] Baseline Profile detail/edit/compare-matrix classified as workspace-owned analysis surfaces.
- [x] My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare classified or explicitly excluded with evidence.
- [x] No in-scope workspace-owned analysis page remains generic ambiguous `WorkspaceScoped` if that permits remembered Environment shell fallback.
- [x] Baseline Compare remains Environment-owned.
### Shell Context
- [x] Baselines clean URL shows Workspace shell only.
- [x] Baseline Snapshots clean URL shows Workspace shell only.
- [x] Baseline Profile detail/edit/compare-matrix clean URLs show Workspace shell only.
- [x] Findings analysis and Cross-environment Compare clean URLs show Workspace shell only.
- [x] Opening in-scope pages from Environment context cuts to Workspace shell only.
- [x] Reload and browser back/forward do not restore active Environment shell.
### URL / Query Contract
- [x] In-scope clean URLs do not require Environment context.
- [x] Legacy query aliases do not create shell/filter state.
- [x] Supported Environment filters use only `environment_id`.
- [x] Visible filter chip/clear behavior exists for pages that support `environment_id`.
- [x] Unsupported `environment_id` is ignored/stripped/rejected without hidden shell/data mismatch; chosen behavior is documented in implementation close-out.
### Regression
- [x] Spec 314 clean workspace hub entry remains green.
- [x] Spec 315 Environment CTA `environment_id` contract remains green.
- [x] Spec 316 clear filter contract remains green.
- [x] Spec 317 legacy Tenant cleanup remains green.
- [x] Spec 319 Baseline Compare Environment-owned route remains green.
- [x] Spec 318 workspace-owned analysis mismatch is resolved for in-scope surfaces.
## Out of Scope
- Baseline Compare implementation changes beyond regression checks.
- Alerts/Audit Log filter decision from Spec 321.
- Durable browser no-drift automation from Spec 322.
- New product features, new baseline assignment semantics, or baseline data model redesign.
- Migrations, seeders, data backfills, package changes, env vars, queues, scheduler, storage, or deployment asset changes.
- Legacy alias support, backwards compatibility, redirects, dual shell models, or remembered Environment fallback preservation.
## Source Evidence
- `specs/318-admin-surface-scope-shell-context-audit/audit-report.md` identifies the classifier gap and workspace-owned baseline/analysis mismatches.
- `specs/318-admin-surface-scope-shell-context-audit/surface-inventory.md` lists Baselines/Baseline Profiles, Baseline Snapshots, Baseline Compare Matrix, My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare as mismatches or unregistered workspace analysis pages.
- `specs/318-admin-surface-scope-shell-context-audit/mismatch-findings.md` records M2 and M4 as the direct targets.
- `specs/318-admin-surface-scope-shell-context-audit/recommended-fixes.md` recommends a Workspace-Owned Baseline Registry Contract and broader classifier coverage.
- `specs/319-environment-owned-surface-routing-shell-context-contract/spec.md` leaves workspace-owned baseline analysis surfaces explicitly to Spec 320.
## Assumptions
- Baseline Profiles and Baseline Snapshots are workspace-owned based on current `workspace_id` queries and Spec 318 evidence.
- Baseline Compare Matrix is workspace-owned analysis over assigned Environments, while Baseline Compare landing remains Environment-owned.
- Findings analysis pages are workspace-owned queues/reports with optional Environment filters, not Environment-owned pages.
- Cross-environment Compare is workspace-owned portfolio analysis because it explicitly selects source/target Environments.
- Current product is pre-production; hard cutover is correct.
## Risks
- Adding all in-scope pages to `WorkspaceHubRegistry` could accidentally imply filtered-hub behavior for pages that do not support chips/clear state.
- A new classifier enum case could become a broader taxonomy if not constrained to the audited route list.
- Existing tests may assert remembered Environment fallback and must be replaced, not preserved.
- Browser smoke can become too broad; keep it focused to Spec 318 evidence and required regressions.
## Open Questions
- Exact unsupported `environment_id` behavior for pages without filter support: ignore, strip, or reject. Implementation must choose per page and document the result.
- Whether Baseline Profile create page should be included in workspace-owned analysis classification if implementation finds it inherits Environment shell.
- Whether findings analysis pages should converge on canonical `environment_id` visible chip behavior in this spec or only prevent shell inheritance; if current filter UI is not chip-compatible, keep the fix narrow and document follow-up rather than adding feature scope.
## Follow-up Spec Candidates
- **321 - Alerts / Audit Log Environment Filter Contract Decision**: decide support vs rejection of `environment_id` with no half-state.
- **322 - Browser No-Drift Regression Guard**: durable browser coverage for shell/context/filter/reload/back-forward drift.

151
specs/320-workspace-owned-analysis-surface-registration-shell-cutover/tasks.md Normal file
View File

@ -0,0 +1,151 @@
# Tasks: Workspace-Owned Analysis Surface Registration & Shell Cutover
**Input**: Design documents from `/specs/320-workspace-owned-analysis-surface-registration-shell-cutover/`
**Prerequisites**: `plan.md`, `spec.md`
**Tests**: Required. This is a runtime route/shell/query/navigation contract change.
## Test Governance Checklist
- [x] Lane assignment is named and is the narrowest sufficient proof for classifier, shell, query, reload/history, and regression behavior.
- [x] New or changed tests stay in the smallest honest family; browser additions are explicit.
- [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default.
- [x] Planned validation commands cover the change without pulling in unrelated lane cost.
- [x] The declared surface test profile `global-context-shell` is explicit.
- [x] Any material budget, baseline, trend, or escalation note is recorded in the implementation close-out.
## Phase 1: Guardrails and Repo Verification
**Purpose**: Confirm current repo truth before runtime edits.
- [x] T001 Verify implementation starts from branch `320-workspace-owned-analysis-surface-registration-shell-cutover` and record any unrelated uncommitted files.
- [x] T002 Re-read `specs/318-admin-surface-scope-shell-context-audit/audit-report.md`, `surface-inventory.md`, `page-matrix.md`, `mismatch-findings.md`, and `recommended-fixes.md`.
- [x] T003 Re-read `specs/319-environment-owned-surface-routing-shell-context-contract/spec.md`, `plan.md`, and `tasks.md` as dependency context only.
- [x] T004 Confirm Laravel/Filament/Livewire/Pest versions through Laravel Boost `application_info`.
- [x] T005 Confirm no migration, seeder, package, env var, queue, scheduler, storage, or deployment asset change is required.
- [x] T006 Inventory current classifier behavior in `apps/platform/app/Support/Navigation/AdminSurfaceScope.php`.
- [x] T007 Inventory current workspace hub behavior in `apps/platform/app/Support/Navigation/WorkspaceHubRegistry.php` and `WorkspaceSidebarNavigation.php`.
- [x] T008 Inventory shell resolution in `apps/platform/app/Support/OperateHub/OperateHubShell.php`, including remembered Environment and query hint behavior.
- [x] T009 Inventory in-scope baseline routes/pages in `BaselineProfileResource`, `BaselineSnapshotResource`, and `BaselineCompareMatrix`.
- [x] T010 Inventory in-scope workspace analysis routes/pages in `MyFindingsInbox`, `FindingsIntakeQueue`, `FindingsHygieneReport`, and `CrossEnvironmentComparePage`.
- [x] T011 Search routes/navigation for any additional Spec 318 unregistered workspace analysis page still present and decide include/exclude with evidence.
- [x] T012 Identify any existing tests asserting remembered Environment fallback on in-scope pages and mark them for replacement.
## Phase 2: Tests First / Contract Coverage
**Purpose**: Add failing or alongside tests that define the new contract.
- [x] T013 Add/update `apps/platform/tests/Unit/Tenants/AdminSurfaceScopeTest.php` proving Baselines/Baseline Profiles paths are workspace-owned analysis or environmentless shell paths.
- [x] T014 Add/update `apps/platform/tests/Unit/Tenants/AdminSurfaceScopeTest.php` proving Baseline Snapshots paths are workspace-owned analysis or environmentless shell paths.
- [x] T015 Add/update `apps/platform/tests/Unit/Tenants/AdminSurfaceScopeTest.php` proving Baseline Profile detail/edit/compare-matrix paths do not allow remembered Environment restore.
- [x] T016 Add/update `apps/platform/tests/Unit/Tenants/AdminSurfaceScopeTest.php` proving My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare paths do not allow remembered Environment restore.
- [x] T017 Add/update `apps/platform/tests/Unit/Support/OperateHub/OperateHubShellResolutionTest.php` proving workspace-owned analysis clean URLs show Workspace shell only when a remembered Environment exists.
- [x] T018 Add/update `apps/platform/tests/Feature/Navigation/WorkspaceHubRegistryTest.php` proving in-scope pages are not accidentally treated as full workspace hubs unless implementation intentionally registers them with hub behavior.
- [x] T019 Add/update tests proving clean Baselines and Baseline Snapshots URLs open without active Environment context.
- [x] T020 Add/update tests proving Baseline Profile view/edit/compare-matrix URLs open with Workspace shell only.
- [x] T021 Add/update tests proving My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare clean URLs open with Workspace shell only.
- [x] T022 Add/update tests proving remembered Environment state alone does not set shell context on in-scope pages.
- [x] T023 Add/update tests proving `tenant`, `tenant_id`, `managed_environment_id`, `tenant_scope`, and `tableFilters` do not create shell or filter state on in-scope pages.
- [x] T024 For pages that support canonical `environment_id`, add/update tests proving shell remains Workspace only and a visible chip/clear affordance exists.
- [x] T025 For pages that do not support canonical `environment_id`, add/update tests proving unsupported `environment_id` is ignored, stripped, or rejected without hidden shell/data mismatch.
- [x] T026 Add/update tests proving Environment Dashboard or Environment-origin links to in-scope workspace-owned analysis pages do not carry active Environment shell ownership.
- [x] T027 Keep/add Baseline Compare regression coverage proving its canonical route remains Environment-owned.
- [x] T028 Keep/add Decision Register regression coverage proving clean and filtered workspace hub behavior remains green.
- [x] T029 Keep/add Specs 314-317 regression coverage for clean workspace hub entry, Environment CTA `environment_id`, clear filter, and no legacy Tenant aliases.
- [x] T030 Add/update existing high-impact baseline action tests only as needed to prove capture/compare actions still keep confirmation, authorization, audit, and OperationRun UX after shell classification changes.
## Phase 3: Classification and Shell Cutover
**Purpose**: Implement the narrowest route/shell classification fix.
- [x] T031 Update `apps/platform/app/Support/Navigation/AdminSurfaceScope.php` to classify in-scope workspace-owned analysis paths explicitly.
- [x] T032 Ensure the chosen classification forces environmentless shell context for clean workspace-owned analysis URLs.
- [x] T033 Ensure the chosen classification does not allow remembered Environment restore.
- [x] T034 Ensure Livewire referer-based classification uses the same in-scope path behavior.
- [x] T035 If adding a new `AdminSurfaceScope` enum case, complete the proportionality note in implementation close-out and avoid using it outside audited routes.
- [x] T036 If registering any in-scope page in `WorkspaceHubRegistry`, verify it truly satisfies workspace hub/filter/clear semantics and add matching registry tests.
- [x] T037 Keep `WorkspaceHubRegistry::forbiddenQueryKeys()` and related query-cleaning behavior aligned with no legacy aliases.
- [x] T038 Do not add Baseline Compare to workspace hub or workspace-owned analysis classification.
- [x] T039 Do not alter Environment-bound route classification for required permissions, inventory, backups, evidence, reviews, stored reports, review packs, or other Spec 319 out-of-scope Environment pages.
## Phase 4: Baseline Surfaces
**Purpose**: Align baseline library/report pages with workspace-owned shell semantics.
- [x] T040 Update `apps/platform/app/Filament/Resources/BaselineProfileResource.php` only if needed so list/view/edit/create URLs and navigation do not rely on active Environment shell.
- [x] T041 Update Baseline Profile breadcrumbs/header/copy if any primary wording implies active Environment ownership.
- [x] T042 Update Baseline Profile related navigation links if they carry hidden Environment shell ownership or legacy query aliases.
- [x] T043 Update `apps/platform/app/Filament/Pages/BaselineCompareMatrix.php` only if needed so the page shell is Workspace only while source Environment drilldowns remain explicit page links.
- [x] T044 Preserve Baseline Compare Matrix filter query keys such as `tenant_sort` only as page matrix state, not shell Environment ownership.
- [x] T045 Update `apps/platform/app/Filament/Resources/BaselineSnapshotResource.php` only if needed so list/view URLs and copy remain workspace snapshot library/report semantics.
- [x] T046 Preserve Baseline Profile and Baseline Snapshot global search disabled status unless implementation deliberately verifies and tests safe View/Edit pages.
- [x] T047 Preserve existing baseline archive/capture/compare action confirmation, authorization, notifications, audit, and OperationRun behavior.
## Phase 5: Findings and Portfolio Analysis Surfaces
**Purpose**: Align unregistered workspace analysis pages found by Spec 318.
- [x] T048 Update `apps/platform/app/Filament/Pages/Findings/MyFindingsInbox.php` only if needed so clean URL shell is Workspace only.
- [x] T049 Update `apps/platform/app/Filament/Pages/Findings/FindingsIntakeQueue.php` only if needed so clean URL shell is Workspace only.
- [x] T050 Update `apps/platform/app/Filament/Pages/Findings/FindingsHygieneReport.php` only if needed so clean URL shell is Workspace only.
- [x] T051 Replace `tenant` query prefilter handling on findings analysis pages with canonical `environment_id` if this is already intended product behavior and can show visible filter/clear affordance.
- [x] T052 If findings analysis pages cannot safely migrate filter behavior in this slice, prevent shell inheritance and document filter-key follow-up rather than adding half-state support.
- [x] T053 Update `apps/platform/app/Filament/Pages/CrossEnvironmentComparePage.php` only if needed so source/target Environment selectors remain page state and shell is Workspace only.
- [x] T054 Ensure Cross-environment Compare direct URL, query-hydrated URL, and reload do not restore remembered Environment shell.
- [x] T055 Preserve existing promotion/preflight authorization, confirmation, audit, OperationRun links, and provider-boundary behavior.
## Phase 6: Navigation, Links, Copy, and Legacy Aliases
**Purpose**: Make visible navigation agree with page ownership.
- [x] T056 Update `WorkspaceSidebarNavigation` or related navigation builders only if in-scope pages are present there and currently emit ambiguous URLs.
- [x] T057 Update `ManagedEnvironmentLinks` only if Environment-origin cards/actions link to workspace-owned analysis pages with hidden shell ownership.
- [x] T058 Ensure sidebar/global/workspace entry to Baselines, Baseline Snapshots, baseline matrix, findings analysis pages, and Cross-environment Compare uses clean workspace URLs unless canonical `environment_id` filter is intentionally supported.
- [x] T059 Ensure Environment Dashboard links to in-scope workspace-owned analysis pages use clean workspace URLs or explicit `environment_id` filter URLs with visible chip/clear behavior.
- [x] T060 Remove or replace user-facing copy that says `this environment`, `current environment`, or similar primary ownership wording on in-scope workspace-owned analysis pages.
- [x] T061 Keep Environment columns, Environment badges, source/target selectors, and Environment filters where they are data/filter state rather than shell ownership.
- [x] T062 Ensure no in-scope page starts accepting `tenant`, `tenant_id`, `managed_environment_id`, `tenant_scope`, or `tableFilters` as public Environment filter aliases.
## Phase 7: Browser Verification
**Purpose**: Prove visible route/shell/copy behavior.
- [x] T063 Start local platform stack using Sail or the repo platform dev command.
- [x] T064 Browser Flow A: Workspace Overview -> Baselines; verify Workspace shell only, no active Environment, workspace/library wording.
- [x] T065 Save Flow A screenshot to `specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/workspace-origin--baselines.png`.
- [x] T066 Browser Flow B: Environment Dashboard -> Baselines through sidebar/global/navigation/card; verify shell cuts to Workspace only.
- [x] T067 Save Flow B screenshot to `artifacts/screenshots/environment-origin--baselines.png`.
- [x] T068 Browser Flow C: reload Baselines and verify active Environment shell does not return.
- [x] T069 Save Flow C screenshot to `artifacts/screenshots/baselines--after-reload.png`.
- [x] T070 Repeat workspace origin, environment origin, and reload flows for Baseline Snapshots.
- [x] T071 Save Baseline Snapshots screenshots using `workspace-origin--baseline-snapshots.png`, `environment-origin--baseline-snapshots.png`, and `baseline-snapshots--after-reload.png`.
- [x] T072 Browser verify Baseline Compare Matrix direct/reload/back-forward behavior if local fixture has a baseline profile.
- [x] T073 Browser verify My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare clean URLs from remembered Environment context.
- [x] T074 Browser verify Baseline Compare remains Environment-owned.
- [x] T075 Save Baseline Compare regression screenshot to `artifacts/screenshots/baseline-compare--regression-environment-owned.png`.
- [x] T076 Browser verify Decision Register clean and filtered workspace hub regressions.
- [x] T077 Save Decision Register regression screenshot to `artifacts/screenshots/decision-register--regression-workspace-hub.png`.
- [x] T078 If browser setup or fixture data blocks any flow, document the exact blocker and alternate proof in the implementation close-out.
> Browser coverage note: Matrix and Baseline Compare browser flows were partially blocked by local Spec 180 fixture/capability state. The local fixture has no baseline profile for a matrix browser flow, and the environment-owned Baseline Compare browser route is intentionally capability-denied. The environment-owned Baseline Compare contract and matrix route behavior are covered by focused Pest route/RBAC tests. No runtime gap remains in Spec 320 scope.
## Phase 8: Final Validation and Close-Out
**Purpose**: Complete implementation proof without broad rebaseline.
- [x] T079 Run `git diff --check`.
- [x] T080 Run the focused Pest commands listed in `plan.md`.
- [x] T081 Run formatting with the repo-standard Pint command for touched PHP files.
- [x] T082 Review `git diff --stat` and confirm only in-scope runtime/test/spec artifacts changed.
- [x] T083 Confirm no migrations, seeders, package files, env files, queue/scheduler/storage config, or deployment asset files changed.
- [x] T084 Confirm no backwards compatibility layer, redirect shim, dual route model, or legacy query alias support was introduced.
- [x] T085 Prepare final implementation report with changed behavior, workspace-owned analysis surfaces classified, surfaces registered, files changed, tests, browser verification, screenshots path, follow-ups 321/322, and any unrelated residual failures.
- [x] T086 Include the Filament v5 output contract in the final report: Livewire v4.0+ compliance, provider registration location, global search status, destructive/high-impact actions, asset strategy, and testing plan/results.
## Explicit Non-Tasks
- [x] NT001 Do not implement Alerts/Audit Log filter behavior; leave it to Spec 321.
- [x] NT002 Do not build durable browser no-drift infrastructure; leave it to Spec 322.
- [x] NT003 Do not change Baseline Compare except regression coverage needed to prove Spec 319 remains intact.
- [x] NT004 Do not add migrations, seeders, packages, env vars, queues, scheduler, storage, or deployment asset changes.
- [x] NT005 Do not add legacy `tenant`, `tenant_id`, `managed_environment_id`, `tenant_scope`, or `tableFilters` aliases.
- [x] NT006 Do not preserve remembered Environment fallback for workspace-owned analysis clean URLs.

52
specs/321-alerts-audit-log-environment-filter-contract-decision/checklists/requirements.md Normal file
View File

@ -0,0 +1,52 @@
# Requirements Quality Checklist: Spec 321
**Purpose**: Validate that the Spec 321 artifacts are complete enough for implementation.
**Created**: 2026-05-17
**Feature**: `321-alerts-audit-log-environment-filter-contract-decision`
## Content Quality
- [x] No implementation details in `spec.md` beyond necessary system contracts and known seams.
- [x] User value and operator/governance outcomes are clear.
- [x] Surface role decisions are explicit.
- [x] All mandatory sections are present.
- [x] No unresolved clarification markers remain.
## Requirement Completeness
- [x] Alerts have a final contract.
- [x] Alert Deliveries have a final contract.
- [x] Alert Rules have a final contract.
- [x] Alert Destinations have a final contract.
- [x] Audit Log has a final contract.
- [x] Audit event detail/selection behavior is covered.
- [x] Environment Dashboard CTA behavior is covered.
- [x] Legacy alias rejection is covered.
- [x] Cross-workspace Environment handling is covered.
- [x] Clear/reload/back behavior is covered for filterable surfaces.
- [x] Data scope and visible UI state are both covered.
- [x] Acceptance criteria are measurable.
- [x] Test requirements are explicit.
- [x] Browser verification is explicit.
## Constitution / Repo Fit
- [x] Completed specs 313 through 320 were treated as context, not modified.
- [x] Hard cutover/no compatibility posture is explicit.
- [x] No new persisted entity, enum/status family, taxonomy, or framework is introduced.
- [x] No migration is expected.
- [x] Shared pattern reuse is required before new abstraction.
- [x] Filament v5 / Livewire v4 compliance is stated.
- [x] Provider boundary is stated.
- [x] OperationRun impact is stated.
## Readiness
- [x] `decision.md` exists and classifies every in-scope surface.
- [x] `plan.md` identifies runtime areas, test lanes, and deployment impact.
- [x] `tasks.md` is ordered and implementation-ready.
- [x] No application implementation was performed during preparation.
## Notes
This checklist validates preparation artifacts only. Runtime acceptance remains pending until implementation, tests, and browser verification are completed.

58
specs/321-alerts-audit-log-environment-filter-contract-decision/decision.md Normal file
View File

@ -0,0 +1,58 @@
# Spec 321 Decision: Alerts / Audit Log Environment Filter Contract
**Status**: Draft decision artifact
**Date**: 2026-05-17
**Branch**: `321-alerts-audit-log-environment-filter-contract-decision`
## Decision Summary
Alerts and Audit Log remain Workspace-owned surfaces.
The canonical Environment filter key is:
```text
environment_id
```
No legacy aliases are accepted. No remembered Environment fallback is accepted. No Filament tenant fallback is accepted.
## Surface Decisions
| Surface | Current behavior | Data model supports environment attribution? | Chosen contract | Reason | Implementation impact | Test impact |
| --- | --- | --- | --- | --- | --- | --- |
| Alerts overview / Alert Center | Registered workspace hub, but Spec 318 found `/admin/alerts?environment_id=...` redirects/drops query or lacks full filter contract. | Partially, through environment-attributable alert delivery signal. Alert rules/destinations are workspace configuration. | `environment_filterable_workspace_hub` | Alerts are an operational signal hub. Operators need "show me alerts for this Environment" behavior, and the delivery signal has reliable `managed_environment_id`. | Resolve canonical `environment_id`, show shared chip, scope environment-attributable KPI/signal data, keep shell Workspace-only, clear with shared resetter. | Clean URL, filtered URL, visible chip, clear, reload, legacy alias rejection, cross-workspace guard. |
| Alert Deliveries | Registered workspace hub/table resource. Has current table filter for `managed_environment_id`, but no canonical visible workspace-hub chip contract. | Yes. `alert_deliveries.managed_environment_id` exists, is nullable, workspace-constrained, and indexed. | `environment_filterable_workspace_hub` | Deliveries are the table-backed alert event/signal surface and can be filtered without inference. | Apply canonical `environment_id` to query/table state using shared resolver, render chip, clear stale Filament/session table filters. | Filtered rows prove data scope; clear and reload safety; legacy aliases ignored. |
| Alert Rules | Registered under Alerts. Workspace configuration surface. Uses workspace-level rule configuration, including targeting settings. | No page-level filter attribution. Rule targeting config is not the same as page ownership/filter state. | `configuration_workspace_surface` | Rules configure workspace alert behavior and should not appear Environment-owned or Environment-filtered. | Do not render chip. Do not accept `environment_id` as filter state. Keep clean links from navigation/CTAs. | Assert `environment_id` does not create chip/filter and Environment CTAs do not emit filters to this surface. |
| Alert Destinations | Registered under Alerts. Workspace configuration surface. | No. Destinations are workspace notification targets. | `configuration_workspace_surface` | Notification destinations are workspace-level configuration, not Environment-scoped operational signal. | Do not render chip. Do not accept `environment_id` as filter state. Keep clean links from navigation/CTAs. | Assert `environment_id` does not create chip/filter and Environment CTAs do not emit filters to this surface. |
| Audit Log | Registered workspace hub. Spec 318 found `/admin/audit-log?environment_id=...` preserves query but shows no visible chip. | Yes. `audit_logs.managed_environment_id` exists, is nullable, indexed, and tied to workspace attribution. | `environment_filterable_workspace_hub` | Audit Log is a workspace governance surface, but many records are reliably Environment-attributable. Filtering by direct attribution is useful and safe. | Resolve canonical `environment_id`, filter by `audit_logs.managed_environment_id`, render chip, keep shell Workspace-only, clear stale query/table/session state. | Clean URL, filtered URL, visible chip, filtered rows, selected event consistency, clear, reload, legacy alias rejection, cross-workspace guard. |
| Audit event detail / selected event state | Same Audit Log page, usually selected through query/state. | Yes when the selected event row has `managed_environment_id`. | `environment_filterable_workspace_hub` | Event detail is metadata inside the Audit Log surface, not a separate Environment-owned page. | If a filter is active, selected event state must remain inside the filtered query scope or be neutralized. Show Environment metadata as event data, not shell ownership. | Assert selected event outside active Environment filter is not shown as the selected detail. |
| Environment Dashboard CTAs to Alerts / Alert Deliveries / Audit Log | Must be inspected during implementation. | Yes for the filterable destinations above. | `environment_filterable_workspace_hub` destinations use canonical `environment_id`. | Environment-origin navigation may preserve Environment focus only when the destination supports the full filter contract. | Add or update links to use `environment_id` only. No legacy params. | Assert CTAs use canonical `environment_id` and no legacy aliases. |
| Environment Dashboard CTAs to Alert Rules / Alert Destinations | Must be inspected during implementation. | No page-level filter attribution. | `configuration_workspace_surface` destinations use clean workspace links or are omitted. | Configuration surfaces should not imply Environment-specific state. | Remove Environment filter params from these destinations. | Assert CTAs emit no Environment filter params. |
## Final Contract Values
Allowed values used in this decision:
```text
environment_filterable_workspace_hub
configuration_workspace_surface
```
No surface in scope remains ambiguous.
## Runtime Constraints
- Shell remains Workspace-only for all surfaces in this decision.
- Filterable surfaces accept only `environment_id`.
- Legacy aliases are invalid as Environment filter input.
- Cross-workspace or unauthorized Environment IDs must be rejected safely.
- Clear behavior must remove URL, table, deferred table, session, and page Environment filter state.
- No migrations are expected.
## Reopen Conditions
Update this decision before implementation continues if:
- Runtime discovery shows `audit_logs.managed_environment_id` or `alert_deliveries.managed_environment_id` is not reliable.
- A migration or new persisted attribution field becomes necessary.
- A new Alert or Audit sub-surface is discovered that cannot be classified by this artifact.

240
specs/321-alerts-audit-log-environment-filter-contract-decision/plan.md Normal file
View File

@ -0,0 +1,240 @@
# Implementation Plan: Alerts / Audit Log Environment Filter Contract Decision
**Branch**: `321-alerts-audit-log-environment-filter-contract-decision`
**Date**: 2026-05-17
**Spec**: `specs/321-alerts-audit-log-environment-filter-contract-decision/spec.md`
**Decision Artifact**: `specs/321-alerts-audit-log-environment-filter-contract-decision/decision.md`
**Status**: Draft
## Summary
Make Alerts and Audit Log unambiguous Workspace-owned surfaces. Alerts overview, Alert Deliveries, and Audit Log become canonical `environment_id` filterable workspace hubs with visible chip and clear behavior. Alert Rules and Alert Destinations remain workspace-level configuration surfaces and must not accept Environment filter state.
No runtime implementation is performed by this preparation. Runtime work must follow this plan and the tasks file.
## Technical Context
**Language / Version**: PHP 8.4.15
**Primary Framework**: Laravel 12.52.0
**Admin UI**: Filament 5.2.1
**Reactive Layer**: Livewire 4.1.4
**Database**: PostgreSQL
**Testing**: Pest 4.3.1, PHPUnit 12
**Local Runtime**: Laravel Sail first
Relevant package posture:
- Filament v5 requires Livewire v4.0+; this app uses Livewire 4.1.4.
- Laravel 12 provider registration remains in `apps/platform/bootstrap/providers.php`; this spec does not add a panel provider.
- No frontend asset registration or `filament:assets` deployment change is planned.
## Constitutional Check
### Pre-Implementation
- **LEAN-001 Hard Cutover**: Pass. No legacy aliases, compatibility redirects, or dual contracts are allowed.
- **Tenant / Workspace Isolation**: Pass with implementation requirement. `environment_id` must be resolved through workspace and user access checks.
- **Shared Pattern First**: Pass. Reuse `WorkspaceHubEnvironmentFilter`, `WorkspaceHubFilterStateResetter`, clear trait, and shared chip partial.
- **Proportionality**: Pass. No new persisted entity, enum/status family, taxonomy, framework, migration, or dependency.
- **Test Governance**: Pass with required tests and browser verification listed below.
- **Spec Candidate Gate**: Pass. User manually promoted a direct follow-up to Spec 318 findings; completed specs 313-320 were inspected as context.
### Post-Design
- No constitutional violation is expected.
- If implementation discovers missing reliable Environment attribution, the spec and decision artifact must be updated before runtime work continues.
- If implementation requires a new persisted attribute or abstraction, the proportionality review must be reopened before code changes continue.
## Project Structure
### Documentation / Spec Artifacts
```text
specs/321-alerts-audit-log-environment-filter-contract-decision/spec.md
specs/321-alerts-audit-log-environment-filter-contract-decision/plan.md
specs/321-alerts-audit-log-environment-filter-contract-decision/tasks.md
specs/321-alerts-audit-log-environment-filter-contract-decision/decision.md
specs/321-alerts-audit-log-environment-filter-contract-decision/checklists/requirements.md
specs/321-alerts-audit-log-environment-filter-contract-decision/artifacts/screenshots/
```
### Runtime Areas For Later Implementation
```text
apps/platform/app/Support/Navigation/WorkspaceHubRegistry.php
apps/platform/app/Support/Navigation/AdminSurfaceScope.php
apps/platform/app/Support/Navigation/WorkspaceSidebarNavigation.php
apps/platform/app/Support/Navigation/WorkspaceHubEnvironmentFilter.php
apps/platform/app/Support/Navigation/WorkspaceHubFilterStateResetter.php
apps/platform/app/Filament/Concerns/ClearsWorkspaceHubEnvironmentFilterState.php
apps/platform/app/Filament/Pages/Monitoring/Alerts.php
apps/platform/app/Filament/Widgets/AlertsKpiHeader.php
apps/platform/app/Filament/Resources/AlertDeliveryResource.php
apps/platform/app/Filament/Resources/AlertRuleResource.php
apps/platform/app/Filament/Resources/AlertDestinationResource.php
apps/platform/app/Filament/Pages/Monitoring/AuditLog.php
apps/platform/resources/views/filament/pages/monitoring/alerts.blade.php
apps/platform/resources/views/filament/pages/monitoring/audit-log.blade.php
apps/platform/resources/views/filament/partials/workspace-hub-environment-filter-chip.blade.php
apps/platform/app/Support/ManagedEnvironmentLinks.php
apps/platform/app/Support/Operations/OperationRunLinks.php
apps/platform/tests/Feature/Navigation
apps/platform/tests/Feature/Filament
```
## Data Model Decision
No migration is planned.
Discovered attribution support:
- `alert_deliveries.managed_environment_id`: reliable nullable Environment attribution with workspace constraint and index.
- `audit_logs.managed_environment_id`: reliable nullable Environment attribution with workspace constraint and indexes.
- `alert_rules`: workspace configuration; no page-level Environment filter contract.
- `alert_destinations`: workspace configuration; no page-level Environment filter contract.
Filtering must use direct normalized attribution only. It must not infer Environment from text, labels, JSON payload contents, actor/session context, remembered state, provider tenant IDs, or Filament tenant context.
## UI / Filament Plan
### Alerts Overview
- Keep Workspace-only shell.
- Resolve canonical `environment_id` if present and valid.
- Render the shared Environment filter chip in filtered state.
- Ensure KPI/header data that is Environment-attributable is scoped by the active filter.
- Ensure configuration counts are either not presented as Environment-filtered or are clearly workspace-level.
- Link to Alert Deliveries with `environment_id` when filtered.
- Link to Alert Rules and Alert Destinations without Environment filter params.
### Alert Deliveries
- Keep table-backed workspace hub behavior.
- Apply `environment_id` as canonical URL filter and synchronize table query state without accepting legacy query aliases.
- Use visible chip and shared clear behavior.
- Filter rows by `managed_environment_id`.
### Alert Rules / Alert Destinations
- Remain workspace configuration surfaces.
- Do not render Environment filter chip.
- Do not accept `environment_id` as filter state.
- Keep sidebar/global navigation clean.
### Audit Log
- Keep Workspace-only shell.
- Resolve canonical `environment_id` if present and valid.
- Render visible shared chip in filtered state.
- Filter rows by `audit_logs.managed_environment_id`.
- Ensure selected event/detail state cannot show an event outside the active filter.
- Clear URL, chip, table/session filter state, and selected stale filter state.
## Authorization / Security Plan
- Use the existing workspace/user access model for Environment resolution.
- Cross-workspace or unauthorized Environment IDs must result in 404 / safe no-access behavior.
- UI visibility is not authorization.
- No page may use remembered Environment, Filament tenant context, or provider tenant aliases as access control input.
## Navigation / CTA Plan
- Sidebar and global entries remain clean workspace URLs.
- Environment-owned CTAs to Alerts, Alert Deliveries, and Audit Log may include canonical `environment_id` when preserving Environment focus.
- Environment-owned CTAs to Alert Rules and Alert Destinations must use clean workspace links or be omitted.
- No CTA may emit `tenant`, `tenant_id`, `managed_environment_id`, `environment`, `tenant_scope`, or `tableFilters` as Environment filter input.
## Testing Plan
Use Pest 4 feature/browser style matching existing tests.
Target tests:
- Decision artifact static guard.
- Alerts overview filtered/clean/chip/clear behavior.
- Alert Deliveries filtered rows/chip/clear behavior.
- Audit Log filtered rows/chip/clear behavior.
- Legacy alias guard for Alerts and Audit Log.
- Cross-workspace Environment guard for filterable surfaces.
- Sidebar/global clean URL regression.
- Environment CTA contract.
- Alert configuration surfaces reject Environment filter state.
Regression lanes:
```bash
cd apps/platform && ./vendor/bin/sail artisan test --filter=WorkspaceHubEnvironmentFilterContractTest
cd apps/platform && ./vendor/bin/sail artisan test --filter=WorkspaceHubClearFilterContractTest
cd apps/platform && ./vendor/bin/sail artisan test --filter=LegacyTenantPlatformContextCleanup
cd apps/platform && ./vendor/bin/sail artisan test --filter=WorkspaceOwnedAnalysisSurface
cd apps/platform && ./vendor/bin/sail artisan test --filter=BaselineCompare
```
Exact class/filter names may be adjusted to match the repository during implementation.
## Browser Verification Plan
Use the in-app browser or project browser smoke workflow after runtime code changes:
- Alerts clean
- Alerts filtered
- Alerts after clear
- Alerts after reload
- Alert Deliveries filtered
- Audit Log clean
- Audit Log filtered
- Audit Log after clear
- Audit Log after reload
- Environment Dashboard CTA to Alerts/Audit Log
Save screenshots under:
```text
specs/321-alerts-audit-log-environment-filter-contract-decision/artifacts/screenshots/
```
## Filament v5 Output Contract
1. **Livewire v4.0+ compliance**: Required. The app uses Livewire 4.1.4; implementation must not introduce Livewire v3 references.
2. **Provider registration location**: No new panel provider is planned. If one is unexpectedly required, Laravel 12 registration belongs in `apps/platform/bootstrap/providers.php`, not `bootstrap/app.php`.
3. **Global search resources**: `AlertDeliveryResource`, `AlertRuleResource`, and `AlertDestinationResource` currently disable global search. Alerts and Audit Log are pages, not globally searchable resources. This spec must not make them globally searchable without Edit/View page review.
4. **Destructive actions**: This spec should not introduce destructive actions. Existing destructive alert rule/destination actions must preserve confirmation and authorization. Any new destructive action is forbidden unless it executes through `Action::make(...)->action(...)`, has `->requiresConfirmation()`, and enforces authorization.
5. **Asset strategy**: No global or on-demand assets are planned. No deployment `filament:assets` change is required.
6. **Testing plan**: Cover Filament pages/resources as Livewire components and table/action behavior using Filament/Pest patterns already present in the repo.
## Implementation Phases
1. Confirm decision artifact and static guards.
2. Add failing contract tests.
3. Implement shared filter resolution/chip/clear on Alerts overview, Alert Deliveries, and Audit Log.
4. Ensure Alert Rules and Alert Destinations reject Environment filter state.
5. Update CTA and navigation helpers.
6. Run targeted tests and regression lanes.
7. Perform focused browser verification and capture screenshots.
8. Run formatting and diff checks.
## Complexity Tracking
No complexity violation is expected.
Potential implementation complexity:
- Audit Log selected event state may require careful reconciliation with the active Environment filter.
- Alert overview KPIs combine workspace configuration counts and delivery signal counts.
- Existing persisted Filament table filters must be cleared without resurrecting legacy aliases.
These risks should be handled within existing shared patterns.
## Deployment / Operations Impact
Expected:
- No migrations.
- No seeders.
- No package changes.
- No environment variable changes.
- No queue, scheduler, storage, or volume changes.
- No Dokploy deployment changes.
- No asset build/deploy changes.
Implementation should still mention staging validation because this changes admin navigation/filter behavior.

473
specs/321-alerts-audit-log-environment-filter-contract-decision/spec.md Normal file
View File

@ -0,0 +1,473 @@
# Feature Specification: Alerts / Audit Log Environment Filter Contract Decision
**Feature Branch**: `321-alerts-audit-log-environment-filter-contract-decision`
**Created**: 2026-05-17
**Status**: Draft
**Input**: User supplied Spec 321 draft: "Alerts / Audit Log Environment Filter Contract Decision"
**Type**: Product contract decision / runtime hardening / filter consistency
**Runtime Posture**: Hard cutover. No backwards compatibility. No legacy alias support.
## Dependencies
- Spec 313: Full Workspace / Environment Context Browser Verification Audit
- Spec 314: Workspace Hub Navigation Context Contract
- Spec 315: Environment CTA Explicit Filter Contract
- Spec 316: Workspace Hub Clear Filter Contract
- Spec 317: Legacy Tenant / Environment Context Cleanup
- Spec 318: Admin Surface Scope & Shell Context Audit
- Spec 319: Environment-Owned Surface Routing & Shell Context Contract
- Spec 320: Workspace-Owned Analysis Surface Registration & Shell Cutover
## Spec Candidate Check
**Candidate Source**: Direct user-provided manual promotion, based on Spec 318 mismatch findings.
**Completed-Spec Guardrail**: Specs 313 through 320 were inspected as completed context and remain unchanged by this preparation. Spec 321 addresses the unresolved Alerts / Audit Log contract gap explicitly called out by Spec 318.
**Score**: 9/10.
**Why now**:
- Spec 318 identified Alerts and Audit Log as the remaining ambiguous workspace-hub filter surfaces.
- Specs 314 through 320 already established the shared workspace hub, environment filter, clear filter, legacy cleanup, and shell ownership contracts this work must reuse.
- The repo data model supports a hard decision now:
- `alert_deliveries.managed_environment_id` exists and is workspace constrained.
- `audit_logs.managed_environment_id` exists, is indexed, and is workspace constrained.
**Alternatives deferred**:
- Spec 322 durable browser no-drift regression coverage is explicitly out of scope.
- Broad redesign of alerts, audit logging, notification routing, or evidence flows is out of scope.
- New persisted entities, packages, migrations, or compatibility redirects are out of scope.
## Summary
Resolve the remaining Alerts / Audit Log environment-filter contract gap found by Spec 318.
TenantPilot has two primary admin context contracts:
- Workspace hubs use a Workspace-only shell. They may support an explicit, visible, clearable `environment_id` filter.
- Environment-owned pages require an Environment route or context. They show Workspace + Environment shell ownership and do not use workspace-hub-style `environment_id` access.
Alerts and Audit Log are governance and observability surfaces. They stay Workspace-owned surfaces. This spec decides and prepares the implementation contract for optional canonical Environment filtering on those surfaces.
## Product Decision
The chosen contracts are:
| Surface | Chosen contract |
| --- | --- |
| Alerts overview / Alert Center | `environment_filterable_workspace_hub` |
| Alert Deliveries | `environment_filterable_workspace_hub` |
| Alert Rules | `configuration_workspace_surface` |
| Alert Destinations | `configuration_workspace_surface` |
| Audit Log | `environment_filterable_workspace_hub` |
| Audit event detail state | Same `environment_filterable_workspace_hub` surface, not a separate Environment-owned page |
Decision details are documented in:
```text
specs/321-alerts-audit-log-environment-filter-contract-decision/decision.md
```
## Hard Cutover Policy
There is no production data or production environment to preserve. The implementation must not introduce compatibility behavior.
Only this Environment filter query key is canonical:
```text
environment_id
```
These inputs must not create Environment filter state:
```text
tenant
tenant_id
managed_environment_id
environment
tenant_scope
tableFilters as URL source
remembered Environment
Filament::getTenant()
getTenant()
```
No compatibility redirect, alias support, remembered fallback, hidden fallback, or dual contract is allowed.
## Spec Scope Fields
**Primary users**: Workspace operators, security/governance admins, support/admin users reviewing operational signal and auditability.
**Primary surfaces**:
- `GET /admin/alerts`
- `GET /admin/alerts/alert-deliveries`
- `GET /admin/alerts/alert-rules`
- `GET /admin/alerts/alert-destinations`
- `GET /admin/audit-log`
**Related surfaces to inspect during implementation**:
- Environment Dashboard CTAs and widgets
- Alert widgets/cards and alert KPI header
- Notification or alert link helpers
- Audit support links
- OperationRun and ManagedEnvironment link helpers
- Audit event selection/detail state
**Persistence impact**: No migrations expected. Existing `managed_environment_id` columns provide the reliable attribution needed for the chosen filterable surfaces.
**Runtime impact**: Query, navigation, chip, clear behavior, and test/browser coverage only.
**Out of scope**:
- Alert type redesign
- Audit schema redesign
- New alert rules or delivery engines
- Provider-specific tenant concepts
- Spec 322 durable browser no-drift infrastructure
- Broad rebaseline of existing browser artifacts
## Current Repo Truth
Discovery found these relevant seams:
- `WorkspaceHubRegistry` already registers `audit_log`, `alerts`, `alert_deliveries`, `alert_rules`, and `alert_destinations` as workspace hub entries.
- `WorkspaceHubEnvironmentFilter` already resolves canonical `environment_id`, constrains by current workspace, checks current user Environment access, and rejects cross-workspace or unauthorized Environment IDs with 404 behavior.
- `WorkspaceHubFilterStateResetter` and `ClearsWorkspaceHubEnvironmentFilterState` already provide shared clear behavior for stale query/table/session filter state.
- `resources/views/filament/partials/workspace-hub-environment-filter-chip.blade.php` already provides a shared visible filter chip.
- `AlertDeliveryResource` is table-backed and has reliable `managed_environment_id` attribution.
- `AlertRuleResource` and `AlertDestinationResource` are workspace configuration resources and should not become environment-filtered.
- `AuditLog` has a table filter for `managed_environment_id`, but Spec 318 found canonical `environment_id` direct URLs currently lack a visible chip and full contract behavior.
- `audit_logs.managed_environment_id` exists, is indexed, and is a reliable attribution column.
## User Scenarios & Testing
### User Story 1: Workspace operator filters Alerts by Environment
As a workspace operator, I can open Alerts cleanly for all environments or open Alerts with `?environment_id={id}` to focus on one Managed Environment without changing shell ownership.
**Independent Test**: Open `/admin/alerts` and `/admin/alerts?environment_id={validEnvironmentId}`. Verify clean state is workspace-wide, filtered state shows the shared chip, the shell remains Workspace-only, clear returns to clean URL, and no legacy query alias creates filter state.
**Acceptance Scenarios**:
1. Given a Workspace has multiple Managed Environments and alert delivery data, when the operator opens the clean Alerts URL, then the page shows Workspace-only shell and all-environment copy.
2. Given a valid Environment ID in the current Workspace, when the operator opens Alerts with `environment_id`, then the page shows `Environment filter: {environment name}` and Environment-scoped signal where the data model supports it.
3. Given the operator clears the filter, when the page reloads, then the URL is clean and the Environment chip does not return.
### User Story 2: Workspace operator filters Alert Deliveries by Environment
As a workspace operator, I can use Alert Deliveries as the table-backed alert signal surface and apply the same canonical `environment_id` filter contract.
**Independent Test**: Open `/admin/alerts/alert-deliveries?environment_id={validEnvironmentId}`. Verify visible chip, filtered rows, clear behavior, and no Environment shell ownership.
**Acceptance Scenarios**:
1. Given deliveries exist for two environments, when the filtered URL is opened for one Environment, then only deliveries for that Environment are shown.
2. Given alert rules or destinations are opened with `environment_id`, then those configuration surfaces do not create an Environment chip or Environment filter state.
### User Story 3: Governance admin filters Audit Log by Environment
As a governance admin, I can open Audit Log cleanly for workspace-wide events or explicitly filter it by Environment when audit entries carry reliable Environment attribution.
**Independent Test**: Open `/admin/audit-log` and `/admin/audit-log?environment_id={validEnvironmentId}`. Verify clean state is workspace-wide, filtered state shows the chip, rows are filtered by `audit_logs.managed_environment_id`, selected event detail remains consistent with the filter, and clear is reload-safe.
**Acceptance Scenarios**:
1. Given audit logs exist for two environments, when the filtered URL is opened, then only matching Environment-attributed audit rows appear.
2. Given an audit event detail is selected while an Environment filter is active, when the event does not belong to that Environment, then it is not shown as the selected detail.
3. Given an audit row has no Environment attribution, when an Environment filter is active, then the row is excluded from the filtered results.
### User Story 4: Environment Dashboard CTAs follow the contract
As an operator starting from an Environment-owned page, I can use CTAs that either pass canonical `environment_id` to filterable workspace hubs or use clean workspace links for configuration surfaces.
**Independent Test**: Inspect and browser-test Environment Dashboard or related Environment CTAs. Verify Alerts, Alert Deliveries, and Audit Log CTAs use `environment_id` when they claim Environment focus, while Alert Rules and Alert Destinations do not receive Environment filter params.
## Edge Cases
- `environment_id` belongs to another Workspace: reject with 404 / safe no-access and do not switch Workspace.
- `environment_id` belongs to current Workspace but current user lacks access: reject with 404 / safe no-access.
- `environment_id` is malformed or missing: no filter state should be created.
- Legacy aliases appear with or without `environment_id`: only canonical `environment_id` may control filter state.
- Stale `tableFilters`, `tableDeferredFilters`, persisted Filament/session state, or Livewire state exists: clear and clean entry must neutralize stale Environment-like state.
- Browser back/forward after filter and clear must not create mismatched URL/chip/data state.
- Alert Rules and Alert Destinations must stay workspace configuration surfaces even though rule configuration may contain tenant/environment targeting semantics.
- Audit events with null `managed_environment_id` remain visible in workspace-wide Audit Log but are excluded from Environment-filtered Audit Log.
## Requirements
### Functional Requirements
- **FR-001**: The implementation MUST preserve Workspace-only shell ownership for Alerts, Alert Deliveries, Alert Rules, Alert Destinations, and Audit Log.
- **FR-002**: Alerts overview MUST support clean workspace-wide URL `/admin/alerts` and filtered URL `/admin/alerts?environment_id={id}`.
- **FR-003**: Alert Deliveries MUST support clean workspace-wide URL `/admin/alerts/alert-deliveries` and filtered URL `/admin/alerts/alert-deliveries?environment_id={id}`.
- **FR-004**: Audit Log MUST support clean workspace-wide URL `/admin/audit-log` and filtered URL `/admin/audit-log?environment_id={id}`.
- **FR-005**: Alert Rules and Alert Destinations MUST remain workspace configuration surfaces and MUST NOT create Environment filter state from `environment_id`.
- **FR-006**: Filterable surfaces MUST resolve `environment_id` through the shared `WorkspaceHubEnvironmentFilter` or an equivalent shared adapter that preserves workspace and user access checks.
- **FR-007**: Filterable surfaces MUST show the shared visible Environment filter chip when a valid `environment_id` filter is active.
- **FR-008**: The chip clear action MUST reuse the Spec 316 shared clear/reset behavior and remove URL, Livewire, Filament table, deferred table, and persisted session Environment-like state.
- **FR-009**: Sidebar and global workspace hub entries MUST generate clean URLs without Environment query params.
- **FR-010**: Environment-owned CTAs to filterable surfaces MUST use canonical `environment_id` if they intend to preserve Environment focus.
- **FR-011**: Environment-owned CTAs to Alert Rules or Alert Destinations MUST use clean workspace links or be omitted if an Environment-focused link would be misleading.
- **FR-012**: Legacy aliases `tenant`, `tenant_id`, `managed_environment_id`, `environment`, `tenant_scope`, and `tableFilters` as URL source MUST NOT create Environment filter state.
- **FR-013**: Cross-workspace or unauthorized Environment IDs MUST be rejected with safe no-access behavior and MUST NOT leak data or switch Workspace.
- **FR-014**: Alert Deliveries filtering MUST use reliable `managed_environment_id` attribution only.
- **FR-015**: Audit Log filtering MUST use reliable `audit_logs.managed_environment_id` attribution only.
- **FR-016**: The implementation MUST NOT infer Environment attribution from labels, descriptions, actor/session context, remembered Environment, provider tenant external IDs, or arbitrary JSON text.
- **FR-017**: Audit event detail/selection state MUST stay consistent with any active `environment_id` filter.
- **FR-018**: Alerts overview KPI or summary data MUST either apply the active Environment filter where it uses environment-attributable data or clearly avoid implying Environment-specific counts for non-attributable configuration data.
- **FR-019**: Workspace-wide copy MUST say all environments, workspace-wide, all alerts, or all events as appropriate when no filter is active.
- **FR-020**: Filtered copy MUST use `Environment filter: {environment name}` through the shared chip pattern.
- **FR-021**: No migration, seeder, package, environment variable, queue, scheduler, storage, or deployment asset change is expected or allowed unless the spec is updated before implementation.
- **FR-022**: No backwards compatibility layer, legacy query alias support, compatibility redirect, or dual contract is allowed.
### Non-Functional Requirements
- **NFR-001**: Workspace and Environment isolation MUST remain enforceable in queries and authorization.
- **NFR-002**: Data filtering MUST be reload-safe, shareable by URL, and safe across browser back/forward where covered by browser verification.
- **NFR-003**: The implementation MUST reuse existing shared navigation/filter/reset/chip seams before introducing any new abstraction.
- **NFR-004**: Filament v5 and Livewire v4 patterns MUST be used. No Filament v3/v4 APIs or Livewire v3 references are allowed.
- **NFR-005**: Tests MUST cover both visible UI state and actual data scope for filterable surfaces.
## UI / Surface Guardrail Impact
### Decision-First Surface Role
- Alerts overview: Workspace-owned operational signal hub with optional explicit Environment filter.
- Alert Deliveries: Workspace-owned table-backed operational signal hub with optional explicit Environment filter.
- Alert Rules: Workspace-level configuration surface.
- Alert Destinations: Workspace-level configuration surface.
- Audit Log: Workspace-owned auditability surface with optional explicit Environment filter.
### Audience-Aware Disclosure
Filtered state must be visible and unambiguous. Operators must never have to infer from URL alone whether the page is Environment-filtered.
### UI/UX Surface Classification
This is an operator/admin UX change to existing Filament pages and resources. It is not a marketing, website, or public-facing surface.
### Operator Surface Contract
- Use existing Filament table/page structure.
- Use the shared workspace hub Environment filter chip where possible.
- Do not introduce custom visual systems, new card-heavy layouts, or marketing copy.
- Do not publish Filament internal views.
## Cross-Cutting / Shared Pattern Reuse
Implementation must inspect and reuse these existing seams before adding code:
- `WorkspaceHubRegistry`
- `AdminSurfaceScope`
- `WorkspaceSidebarNavigation`
- `WorkspaceHubEnvironmentFilter`
- `WorkspaceHubFilterStateResetter`
- `ClearsWorkspaceHubEnvironmentFilterState`
- `workspace-hub-environment-filter-chip` partial
- Existing page state contract helpers
- Existing audit and alert resource query scopes
Any new helper must be justified by reducing duplication across Alerts and Audit Log without weakening existing contracts from Specs 314 through 320.
## OperationRun UX Impact
No new operation start, operation run detail, or operation lifecycle behavior is introduced. Existing OperationRun audit or navigation links must only be updated if they currently emit non-canonical Environment parameters or imply a filtered Alerts/Audit destination without using `environment_id`.
## Provider Boundary
This spec is provider-neutral. It must not introduce Microsoft Graph tenant concepts, provider tenant aliases, or provider-specific Environment inference. The only Environment filter key is internal canonical `environment_id`.
## Proportionality Review
This spec introduces no new persisted entity, enum/status family, taxonomy, or framework. It updates the product contract and prepares implementation for existing surfaces using existing columns and shared navigation/filter abstractions. Therefore the constitution proportionality threshold for new persisted abstractions is not triggered.
If implementation discovers that a new persisted attribute or abstraction is required, work must stop and this spec/plan/tasks must be updated before runtime changes continue.
## Testing Requirements
Required tests:
- `it('documents_alerts_and_audit_log_filter_contract_decisions')`
- `it('alerts_support_environment_id_filter_with_visible_chip_and_clear')`
- `it('alert_deliveries_support_environment_id_filter_with_visible_chip_and_clear')`
- `it('audit_log_supports_environment_id_filter_with_visible_chip_and_clear')`
- `it('alerts_and_audit_log_do_not_accept_legacy_environment_query_aliases')`
- `it('alerts_and_audit_log_reject_cross_workspace_environment_filters')`
- `it('alerts_and_audit_log_sidebar_entry_is_workspace_wide')`
- `it('environment_ctas_to_alerts_and_audit_log_use_environment_id')`
- `it('alert_configuration_surfaces_do_not_emit_environment_filters')`
Regression lanes:
- Workspace hub registry and clean navigation tests from Spec 314.
- Environment CTA explicit filter tests from Spec 315.
- Clear filter contract tests from Spec 316.
- Legacy tenant/environment cleanup tests from Spec 317.
- Baseline Compare Environment-owned tests from Spec 319.
- Workspace-owned analysis shell tests from Spec 320.
## Browser Verification Required
Perform focused browser verification after runtime implementation:
1. Open Alerts clean URL and verify Workspace-only shell, workspace-wide copy, and no chip.
2. Open Alerts with `?environment_id={id}` and verify chip, Workspace-only shell, and aligned filtered signal.
3. Clear Alerts filter, reload, and verify clean workspace-wide state.
4. Open Alert Deliveries with `?environment_id={id}` and verify chip, filtered rows, clear, and reload safety.
5. Open Audit Log clean URL and verify Workspace-only shell, workspace-wide copy, and no chip.
6. Open Audit Log with `?environment_id={id}` and verify chip, filtered rows, selected event consistency, clear, and reload safety.
7. Verify Environment Dashboard CTAs use `environment_id` only for filterable destinations and clean links for configuration destinations.
8. Verify browser back/forward after filter and clear does not create URL/chip/data mismatch.
Screenshots, when captured, should be saved under:
```text
specs/321-alerts-audit-log-environment-filter-contract-decision/artifacts/screenshots/
```
Suggested names:
```text
alerts--clean.png
alerts--filtered.png
alerts--after-clear.png
alerts--after-reload.png
alert-deliveries--filtered.png
audit-log--clean.png
audit-log--filtered.png
audit-log--after-clear.png
audit-log--after-reload.png
environment-cta--alerts.png
environment-cta--audit-log.png
```
## Acceptance Criteria
### Decision
- [ ] `decision.md` exists.
- [ ] Alerts have final contract `environment_filterable_workspace_hub`.
- [ ] Alert Deliveries have final contract `environment_filterable_workspace_hub`.
- [ ] Alert Rules have final contract `configuration_workspace_surface`.
- [ ] Alert Destinations have final contract `configuration_workspace_surface`.
- [ ] Audit Log has final contract `environment_filterable_workspace_hub`.
- [ ] No Alerts/Audit surface remains ambiguous.
### URL / Query
- [ ] Clean URLs open workspace-wide.
- [ ] Sidebar/global URLs contain no Environment params.
- [ ] Only `environment_id` is accepted for filterable surfaces.
- [ ] Legacy query aliases are not accepted.
- [ ] Cross-workspace Environment IDs are rejected.
### Shell / UI
- [ ] Alerts shell is Workspace-only.
- [ ] Alert Deliveries shell is Workspace-only.
- [ ] Alert Rules and Alert Destinations shell remains Workspace-only configuration.
- [ ] Audit Log shell is Workspace-only.
- [ ] Filtered state uses visible Environment chip.
- [ ] Workspace-wide state does not show Environment chip.
- [ ] No active Environment shell ownership appears.
### Data Scope
- [ ] Alert Deliveries are filtered by reliable `managed_environment_id`.
- [ ] Alerts overview Environment-attributable signal is filtered or non-attributable configuration counts are clearly not implied to be filtered.
- [ ] Audit Log is filtered by reliable `audit_logs.managed_environment_id`.
- [ ] No remembered Environment fallback applies.
- [ ] No Filament tenant fallback applies.
- [ ] No legacy table filter resurrects Environment scope.
### Clear / Reload
- [ ] Clear removes `environment_id`.
- [ ] Clear removes visible chip.
- [ ] Clear neutralizes stale table/session state.
- [ ] Reload after clear stays workspace-wide.
- [ ] Browser back/forward does not create mismatch where covered.
### CTAs
- [ ] Environment CTAs to Alerts, Alert Deliveries, or Audit Log use `environment_id` when preserving Environment focus.
- [ ] Environment CTAs to Alert Rules or Alert Destinations do not emit Environment filters.
- [ ] No CTA emits legacy params.
### Regression
- [ ] Spec 314 clean workspace hub entry remains green.
- [ ] Spec 315 `environment_id` contract remains green.
- [ ] Spec 316 clear filter remains green.
- [ ] Spec 317 legacy cleanup remains green.
- [ ] Spec 319 Baseline Compare remains Environment-owned.
- [ ] Spec 320 workspace-owned analysis remains Workspace-only.
## Success Criteria
- **SC-001**: A valid filtered Alerts or Audit Log URL visibly shows exactly one active Environment chip and Workspace-only shell.
- **SC-002**: A clean Alerts or Audit Log URL never inherits remembered Environment state.
- **SC-003**: Legacy query aliases do not change data, chip, shell, or clear state.
- **SC-004**: Cross-workspace Environment IDs never leak data.
- **SC-005**: Clear returns the page to a shareable, reload-safe clean URL.
## Assumptions
- The app remains pre-production; hard cutover is acceptable.
- Existing `managed_environment_id` columns are the reliable attribution source for chosen filterable surfaces.
- No migration is needed.
- Alert Rules and Alert Destinations remain workspace-level configuration, even when individual rule configuration can target tenants/environments.
## Risks
- Existing persisted Filament table filter state may conflict with canonical URL filter state if not explicitly reset.
- Alerts overview combines configuration and delivery data, so implementation must avoid implying that workspace-level configuration counts are Environment-filtered unless they truly are.
- Audit event detail selection could show a stale event outside the active Environment filter if selection state is not reconciled.
## Follow-Up
Spec 322 should add durable browser no-drift regression coverage for all context contracts after Spec 321 runtime implementation is complete.
## Required Final Report For Implementation
When Spec 321 runtime implementation completes, report:
```text
Spec 321 completed.
Chosen contracts:
- Alerts: environment_filterable_workspace_hub
- Alert Deliveries: environment_filterable_workspace_hub
- Alert Rules: configuration_workspace_surface
- Alert Destinations: configuration_workspace_surface
- Audit Log: environment_filterable_workspace_hub
Changed behavior:
...
Decision artifact:
specs/321-alerts-audit-log-environment-filter-contract-decision/decision.md
Files changed:
...
Tests:
- command:
- result:
Browser verification:
...
Remaining follow-up:
- 322:
No migrations were created.
No seeders were changed.
No packages, env vars, queues, scheduler, storage, or deployment asset changes were made.
No backwards compatibility layer was introduced.
No legacy query alias support was added.
```

123
specs/321-alerts-audit-log-environment-filter-contract-decision/tasks.md Normal file
View File

@ -0,0 +1,123 @@
# Tasks: Alerts / Audit Log Environment Filter Contract Decision
**Input**: Spec artifacts from `specs/321-alerts-audit-log-environment-filter-contract-decision/`
**Prerequisites**: `spec.md`, `plan.md`, `decision.md`
**Runtime posture**: Hard cutover. No legacy alias support.
## Phase 1: Discovery Confirmation
- [x] T001 Re-read `specs/321-alerts-audit-log-environment-filter-contract-decision/spec.md`, `plan.md`, and `decision.md` before runtime implementation starts.
- [x] T002 Re-read Spec 318 artifacts: `audit-report.md`, `surface-inventory.md`, `page-matrix.md`, `mismatch-findings.md`, and `recommended-fixes.md`.
- [x] T003 Confirm related completed specs 314 through 320 are context only and do not need edits for Spec 321.
- [x] T004 Confirm `alert_deliveries.managed_environment_id` and `audit_logs.managed_environment_id` are still present and indexed before implementing filter queries.
- [x] T005 Inspect current route names for Alerts, Alert Deliveries, Alert Rules, Alert Destinations, and Audit Log.
## Phase 2: Tests First
- [x] T006 Add a static/spec guard test named `it('documents_alerts_and_audit_log_filter_contract_decisions')`.
- [x] T007 Add Alerts overview contract test `it('alerts_support_environment_id_filter_with_visible_chip_and_clear')`.
- [x] T008 Add Alert Deliveries contract test `it('alert_deliveries_support_environment_id_filter_with_visible_chip_and_clear')`.
- [x] T009 Add Audit Log contract test `it('audit_log_supports_environment_id_filter_with_visible_chip_and_clear')`.
- [x] T010 Add legacy alias guard test `it('alerts_and_audit_log_do_not_accept_legacy_environment_query_aliases')`.
- [x] T011 Add cross-workspace guard test `it('alerts_and_audit_log_reject_cross_workspace_environment_filters')`.
- [x] T012 Add sidebar/global navigation regression test `it('alerts_and_audit_log_sidebar_entry_is_workspace_wide')`.
- [x] T013 Add Environment CTA contract test `it('environment_ctas_to_alerts_and_audit_log_use_environment_id')`.
- [x] T014 Add configuration-surface guard test `it('alert_configuration_surfaces_do_not_emit_environment_filters')`.
- [x] T015 Ensure tests prove data scope, not only URL or visible chip state.
## Phase 3: Shared Contract Wiring
- [x] T016 Inspect `apps/platform/app/Support/Navigation/WorkspaceHubRegistry.php` and confirm Alerts, Alert Deliveries, and Audit Log remain registered as workspace hubs.
- [x] T017 Confirm `WorkspaceHubRegistry::cleanUrl()` continues to strip Environment query params from sidebar/global entries.
- [x] T018 Inspect `apps/platform/app/Support/Navigation/WorkspaceHubEnvironmentFilter.php` and reuse it for canonical `environment_id` resolution.
- [x] T019 Reuse `apps/platform/app/Support/Navigation/WorkspaceHubFilterStateResetter.php` for clear behavior.
- [x] T020 Reuse `apps/platform/app/Filament/Concerns/ClearsWorkspaceHubEnvironmentFilterState.php` where page/resource architecture supports it.
- [x] T021 Reuse `apps/platform/resources/views/filament/partials/workspace-hub-environment-filter-chip.blade.php` for visible filter state.
- [x] T022 Do not add a page-local Environment resolver unless existing architecture requires a minimal adapter.
## Phase 4: Alerts Overview
- [x] T023 Update `apps/platform/app/Filament/Pages/Monitoring/Alerts.php` to resolve canonical `environment_id` for the current Workspace.
- [x] T024 Keep Alerts overview shell Workspace-only in all filtered and unfiltered states.
- [x] T025 Render the shared Environment filter chip in `apps/platform/resources/views/filament/pages/monitoring/alerts.blade.php` when the filter is active.
- [x] T026 Ensure the clear action on Alerts overview uses shared reset behavior and returns to clean `/admin/alerts`.
- [x] T027 Update `apps/platform/app/Filament/Widgets/AlertsKpiHeader.php` so Environment-attributable delivery signal counts respect the active filter.
- [x] T028 Ensure workspace-level configuration counts on Alerts overview are not mislabeled as Environment-filtered counts.
- [x] T029 Ensure Alerts overview links to Alert Deliveries preserve canonical `environment_id` when filtered.
- [x] T030 Ensure Alerts overview links to Alert Rules and Alert Destinations do not include Environment filter params.
## Phase 5: Alert Deliveries
- [x] T031 Update `apps/platform/app/Filament/Resources/AlertDeliveryResource.php` query/table behavior to apply canonical `environment_id` through shared resolution.
- [x] T032 Filter Alert Deliveries rows by reliable `managed_environment_id`.
- [x] T033 Keep Alert Deliveries shell Workspace-only in all filtered and unfiltered states.
- [x] T034 Render the shared Environment filter chip on the Alert Deliveries list page when filtered.
- [x] T035 Ensure clear removes `environment_id`, `tableFilters`, `tableDeferredFilters`, persisted Filament/session filter state, and visible chip.
- [x] T036 Ensure legacy URL aliases do not prefill the table filter.
- [x] T037 Ensure clean Alert Deliveries entry is workspace-wide and reload-safe.
## Phase 6: Alert Rules and Alert Destinations
- [x] T038 Confirm `apps/platform/app/Filament/Resources/AlertRuleResource.php` remains a workspace configuration surface.
- [x] T039 Confirm `apps/platform/app/Filament/Resources/AlertDestinationResource.php` remains a workspace configuration surface.
- [x] T040 Ensure Alert Rules do not render an Environment filter chip from `environment_id`.
- [x] T041 Ensure Alert Destinations do not render an Environment filter chip from `environment_id`.
- [x] T042 Ensure Environment Dashboard or Alert overview CTAs to Alert Rules use clean workspace links.
- [x] T043 Ensure Environment Dashboard or Alert overview CTAs to Alert Destinations use clean workspace links.
## Phase 7: Audit Log
- [x] T044 Update `apps/platform/app/Filament/Pages/Monitoring/AuditLog.php` to resolve canonical `environment_id` for the current Workspace.
- [x] T045 Filter Audit Log rows by reliable `audit_logs.managed_environment_id` when the filter is active.
- [x] T046 Keep Audit Log shell Workspace-only in all filtered and unfiltered states.
- [x] T047 Render the shared Environment filter chip in `apps/platform/resources/views/filament/pages/monitoring/audit-log.blade.php` when filtered.
- [x] T048 Ensure Audit Log clear removes `environment_id`, table filters, deferred filters, persisted session state, and visible chip.
- [x] T049 Ensure Audit Log clean entry does not inherit remembered Environment state.
- [x] T050 Ensure selected audit event/detail state cannot show an event outside the active Environment filter.
- [x] T051 Ensure audit events with null `managed_environment_id` remain visible workspace-wide and are excluded when filtered.
## Phase 8: Navigation, Links, and CTAs
- [x] T052 Inspect `apps/platform/app/Support/Navigation/WorkspaceSidebarNavigation.php` and confirm sidebar entries for Alerts and Audit Log remain clean.
- [x] T053 Inspect Environment Dashboard CTAs and widgets for Alerts or Audit Log links.
- [x] T054 Update Environment-origin CTAs to Alerts, Alert Deliveries, and Audit Log to use canonical `environment_id` only when preserving Environment focus.
- [x] T055 Remove `environment_id` from Environment-origin CTAs to Alert Rules and Alert Destinations.
- [x] T056 Inspect `apps/platform/app/Support/ManagedEnvironmentLinks.php` for any Alerts/Audit helpers or related links that need canonicalization.
- [x] T057 Inspect `apps/platform/app/Support/Operations/OperationRunLinks.php` for Alerts/Audit links that need canonicalization.
- [x] T058 Inspect notification, alert, and audit link helpers for legacy `tenant`, `tenant_id`, `managed_environment_id`, `environment`, `tenant_scope`, or `tableFilters` query output.
## Phase 9: Regression and Safety
- [x] T059 Run targeted Alerts/Audit contract tests.
- [x] T060 Run Spec 315 environment filter contract regression tests.
- [x] T061 Run Spec 316 clear filter contract regression tests.
- [x] T062 Run Spec 317 legacy tenant cleanup regression tests.
- [x] T063 Run Spec 314 workspace hub navigation regression tests.
- [x] T064 Run Spec 319 Baseline Compare Environment-owned regression tests.
- [x] T065 Run Spec 320 workspace-owned analysis shell regression tests.
- [x] T066 Run formatting for touched PHP files.
- [x] T067 Run `git diff --check`.
## Phase 10: Browser Verification
> 2026-05-17 note: attempted integrated browser verification, but the Playwright MCP browser profile was locked by another running browser process (`mcp-chrome-6176c52`). Existing Pest browser smoke `tests/Browser/Spec193MonitoringSurfaceHierarchySmokeTest.php` passed and covers `/admin/alerts`, but the requested screenshot set remains pending.
- [ ] T068 Start the local Sail/browser-ready environment.
- [ ] T069 Open Alerts clean URL and capture `artifacts/screenshots/alerts--clean.png`.
- [ ] T070 Open Alerts filtered URL and capture `artifacts/screenshots/alerts--filtered.png`.
- [ ] T071 Clear Alerts filter, reload, and capture `artifacts/screenshots/alerts--after-clear.png` and `alerts--after-reload.png`.
- [ ] T072 Open Alert Deliveries filtered URL and capture `artifacts/screenshots/alert-deliveries--filtered.png`.
- [ ] T073 Open Audit Log clean URL and capture `artifacts/screenshots/audit-log--clean.png`.
- [ ] T074 Open Audit Log filtered URL and capture `artifacts/screenshots/audit-log--filtered.png`.
- [ ] T075 Clear Audit Log filter, reload, and capture `artifacts/screenshots/audit-log--after-clear.png` and `audit-log--after-reload.png`.
- [ ] T076 Verify Environment Dashboard CTAs to Alerts/Audit Log and capture useful CTA screenshots.
- [ ] T077 Verify browser back/forward after filter and clear does not create URL/chip/data mismatch.
## Phase 11: Final Report
- [ ] T078 Report chosen contracts for Alerts, Alert Deliveries, Alert Rules, Alert Destinations, and Audit Log.
- [ ] T079 Report changed behavior and files changed.
- [ ] T080 Report test commands and results, including any unrelated residual failures.
- [ ] T081 Report browser verification and screenshot paths.
- [ ] T082 Report that no migrations, seeders, packages, env vars, queues, scheduler, storage, or deployment asset changes were made unless the spec was explicitly updated.
- [ ] T083 Report that no backwards compatibility layer or legacy query alias support was introduced.

1
specs/322-browser-no-drift-regression-guard/artifacts/screenshots/.gitkeep Normal file
View File

@ -0,0 +1 @@

59
specs/322-browser-no-drift-regression-guard/checklists/requirements.md Normal file
View File

@ -0,0 +1,59 @@
# Specification Quality Checklist: Browser No-Drift Regression Guard
**Purpose**: Validate preparation completeness and quality before implementation.
**Created**: 2026-05-17
**Feature**: `specs/322-browser-no-drift-regression-guard/spec.md`
## Content Quality
- [x] Spec Candidate Check is completed.
- [x] The selected candidate is direct user-provided manual promotion.
- [x] Related completed specs are treated as historical context and not rewritten.
- [x] The scope is focused on durable guards and no-drift regression coverage.
- [x] No application implementation is included in preparation artifacts.
- [x] No migration, seeder, package, env var, queue, scheduler, storage, or deployment asset change is planned.
## Requirement Completeness
- [x] No `[NEEDS CLARIFICATION]` markers remain.
- [x] Functional requirements are testable and unambiguous.
- [x] Non-functional requirements cover browser stability, lane cost, fixture cost, and no Playwright MCP dependency.
- [x] Success criteria are measurable by artifacts and test results.
- [x] All user stories include independent test descriptions and acceptance scenarios.
- [x] Edge cases cover cross-workspace IDs, legacy aliases, stale state, back/forward, old clean URLs, and browser blockers.
- [x] Dependencies and assumptions are identified.
## Feature Readiness
- [x] `spec.md` exists.
- [x] `plan.md` exists.
- [x] `tasks.md` exists.
- [x] `test-plan.md` exists.
- [x] `coverage-manifest.md` exists.
- [x] Screenshots artifact directory is represented by `.gitkeep`.
- [x] Tasks are ordered, small, and verifiable.
- [x] Tasks include Feature/static guards and Browser guard coverage.
- [x] Tasks include validation commands and final report obligations.
- [x] Tasks include explicit non-goals and stop conditions.
## Constitution / Repo Alignment
- [x] Workspace isolation and cross-workspace rejection are explicit.
- [x] Legacy Tenant aliases remain invalid and no compatibility layer is allowed.
- [x] Provider Tenant terminology remains provider-boundary only.
- [x] Proportionality review covers the new test/manifest ownership cost.
- [x] Test governance names Browser lane expansion and fixture/helper cost controls.
- [x] Filament v5 / Livewire v4 compliance is explicitly addressed.
- [x] Provider registration location remains `apps/platform/bootstrap/providers.php`; no provider change is planned.
- [x] Global search and destructive action output-contract points are addressed.
- [x] Asset strategy is explicit; no `filament:assets` deployment change is planned.
## Preparation Analysis Outcome
- [x] Preparation artifacts are internally consistent after review.
- [x] No preparation issue requires application implementation.
- [x] No open question blocks implementation.
## Notes
Runtime acceptance remains pending until implementation, targeted Feature/static tests, targeted Browser tests, formatting, and `git diff --check` are completed.

65
specs/322-browser-no-drift-regression-guard/coverage-manifest.md Normal file
View File

@ -0,0 +1,65 @@
# Spec 322 Coverage Manifest
This manifest is the review surface for durable Workspace / Environment no-drift coverage.
Coverage statuses:
- `existing`: already covered by a related test before Spec 322.
- `spec322`: covered by the Spec 322 implementation.
- `spec322-partial`: partially covered by Spec 322 browser coverage with deterministic Feature/static fallback.
- `gap`: browser coverage is blocked or intentionally excluded; notes must explain the deterministic fallback.
Spec 322 browser fixture boundary: browser tests create one workspace, two active Managed Environments, one user with workspace/environment membership, and only the records needed to prove visible/hidden scope across operations, provider connections, evidence, alerts, audit log, governance, reviews, baselines, findings, and settings. Exhaustive surface permutations stay in Feature/static guards.
| Surface | Classification | Clean URL | Filtered URL supported? | Environment route required? | Clear supported? | Browser covered? | Feature covered? | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Operations | workspace_hub | `/admin/workspaces/{workspace}/operations` | yes | no | yes | spec322-partial | spec322 | Spec322 browser covers clean entry/reload; filtered clear/history remains covered by existing Spec316 browser and Spec322 Feature guards. |
| Governance Inbox | workspace_hub | `/admin/governance/inbox` | yes | no | yes | spec322-partial | spec322 | Spec322 browser covers clean entry/reload; existing Spec314/316 browser plus Spec322 Feature guards cover filtered permutations. |
| Decision Register | workspace_hub | `/admin/governance/decisions` | yes | no | yes | existing | spec322 | Existing Spec314/316 browser coverage remains the browser anchor; Spec322 Feature guards include classification and URL contracts. |
| Finding Exceptions Queue | workspace_hub | `/admin/finding-exceptions/queue` | yes | no | yes | existing | spec322 | Existing Spec314/316 browser coverage remains the browser anchor; Spec322 representative legacy alias browser guard includes this surface. |
| Provider Connections | workspace_hub | `/admin/provider-connections` | yes | no | yes | spec322 | spec322 | Spec322 browser covers clean, filtered chip, clear, reload, back/forward, and representative legacy alias behavior. |
| Evidence Overview | workspace_hub | `/admin/evidence/overview` | yes | no | yes | spec322 | spec322 | Spec322 browser covers clean, filtered chip, clear, reload, and back/forward behavior. |
| Reviews | workspace_hub | `/admin/reviews` | yes | no | yes | existing | spec322 | Existing Spec314/316 browser coverage remains the browser anchor; Spec322 Feature guards include classification and URL contracts. |
| Customer Reviews | workspace_hub | `/admin/reviews/workspace` | yes | no | yes | existing | spec322 | Existing Spec314/316 browser coverage remains the browser anchor; Spec322 Feature guards include classification and URL contracts. |
| Alert Deliveries | workspace_hub | `/admin/alerts/alert-deliveries` | yes | no | yes | spec322 | spec322 | Spec322 browser covers filtered chip, clear, reload, and back/forward alignment. |
| Audit Log | workspace_hub | `/admin/audit-log` | yes | no | yes | spec322-partial | spec322 | Spec322 browser covers filtered and clean/reload shell state; clear/back-forward remains covered by Spec321/Spec322 Feature guards because browser click timing was unstable on this page. |
| Alerts Overview | workspace_hub | `/admin/alerts` | yes | no | yes | spec322-partial | spec322 | Spec322 browser covers clean and filtered shell state; clear contract remains covered by Spec321/Spec322 Feature guards. |
| Environment Dashboard | environment_owned_page | `/admin/workspaces/{workspace}/environments/{environment}` | no | yes | no | spec322 | spec322 | Browser covers Environment-owned route/shell and reload. |
| Baseline Compare | environment_owned_page | `/admin/workspaces/{workspace}/environments/{environment}/baseline-compare` | no | yes | no | spec322 | spec322 | Browser covers Environment-owned route/shell, reload, and old workspace-style invalid access. |
| Required Permissions | environment_owned_page | `/admin/workspaces/{workspace}/environments/{environment}/required-permissions` | no | yes | no | spec322 | spec322 | Browser covers route/shell and reload; Feature guards cover URL contract. |
| Provider Readiness / Onboarding Readiness | environment_owned_page | Environment Dashboard readiness section | no | yes | no | spec322-partial | spec322 | No separate route was confirmed; Environment Dashboard browser smoke and Feature URL/scope guards are the deterministic fallback. |
| Inventory / Inventory Coverage | environment_owned_page | `/admin/workspaces/{workspace}/environments/{environment}/inventory` and `/admin/workspaces/{workspace}/environments/{environment}/inventory/inventory-coverage` | no | yes | no | gap | spec322 | Browser coverage intentionally excluded for runtime cost; Feature URL/scope guards cover the route contract. |
| Environment Diagnostics | environment_owned_page | `/admin/workspaces/{workspace}/environments/{environment}/diagnostics` | no | yes | no | gap | spec322 | Browser coverage intentionally excluded for runtime cost; Feature URL/scope guards cover the route contract. |
| Baseline Profiles | workspace_owned_analysis_surface | `/admin/baseline-profiles` | no unless explicitly supported | no | no | spec322 | spec322 | Browser covers Workspace-only shell cutover from Environment origin plus reload. |
| Baseline Snapshots | workspace_owned_analysis_surface | `/admin/baseline-snapshots` | no unless explicitly supported | no | no | gap | spec322 | Browser coverage intentionally excluded for runtime cost; Feature classification and clean URL guards cover the contract. |
| My Findings | workspace_owned_analysis_surface | `/admin/findings/my-work` | no unless explicitly supported | no | no | spec322 | spec322 | Browser covers Workspace-only shell cutover from Environment origin plus reload. |
| Findings Intake | workspace_owned_analysis_surface | `/admin/findings/intake` | no unless explicitly supported | no | no | gap | spec322 | Browser coverage intentionally excluded for runtime cost; Feature classification and clean URL guards cover the contract. |
| Findings Hygiene | workspace_owned_analysis_surface | `/admin/findings/hygiene` | no unless explicitly supported | no | no | gap | spec322 | Browser coverage intentionally excluded for runtime cost; Feature classification and clean URL guards cover the contract. |
| Cross-environment Compare | workspace_owned_analysis_surface | `/admin/cross-environment-compare` | no unless explicitly supported | no | no | spec322 | spec322 | Browser covers Workspace-only shell cutover from Environment origin plus reload. |
| Alert Rules | workspace_configuration_surface | `/admin/alerts/alert-rules` | no | no | no | spec322 | spec322 | Browser covers stray `environment_id` rejection with no chip/shell. |
| Alert Destinations | workspace_configuration_surface | `/admin/alerts/alert-destinations` | no | no | no | spec322 | spec322 | Browser covers stray `environment_id` rejection with no chip/shell. |
| Workspace Settings | workspace_configuration_surface | `/admin/settings/workspace` | no | no | no | spec322 | spec322 | Browser covers Workspace-only shell cutover from Environment origin plus reload. |
| `/admin/t` legacy routes | out_of_scope | N/A | no | no | no | not applicable | spec322 | Spec322 Feature guard verifies no active legacy routes or TenantPanelProvider. |
| TenantPanelProvider | out_of_scope | N/A | no | no | no | not applicable | spec322 | Spec322 Feature guard verifies no runtime tenant panel registration or provider file. |
| Provider-boundary Tenant terminology | out_of_scope | N/A | no | no | no | not applicable | spec322 | Spec322 Feature guard checks retired platform-context Tenant terminology does not return outside allowed provider-boundary contexts. |
## Optional Surfaces
| Surface | Classification | Clean URL | Filtered URL supported? | Environment route required? | Clear supported? | Browser covered? | Feature covered? | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Notification Routing | workspace_configuration_surface | Not confirmed in Spec 322 prep | no unless explicitly supported | no | no | gap | gap | Optional; excluded until route/surface is confirmed. |
| Operational Controls | workspace_configuration_surface | Not confirmed in Spec 322 prep | no unless explicitly supported | no | no | gap | gap | Optional; excluded until route/surface is confirmed. |
| Customer Health | workspace_hub | Not confirmed in Spec 322 prep | not confirmed | no | not confirmed | gap | gap | Optional; not part of required Spec 322 surface list. |
| Stored Reports | environment_owned_page or workspace_hub depending route | Not confirmed in Spec 322 prep | not confirmed | route-specific | not confirmed | gap | existing | Existing environment route exclusions exist; not required for Spec 322 unless implementation discovers current drift. |
| Support Requests | out_of_scope | Not confirmed in Spec 322 prep | no | no | no | gap | existing | Modal/action support surface, not a primary no-drift browser target. |
| Review Packs / Exports | out_of_scope | Not confirmed in Spec 322 prep | no | route-specific | no | gap | existing | Artifact/download flows remain outside this guard unless linked from required surfaces. |
| Control Catalog | workspace_configuration_surface | Not confirmed in Spec 322 prep | no | no | no | gap | gap | Optional and excluded pending route/surface confirmation. |
## Required Gap Handling
If any planned browser coverage cannot be executed because of local browser profile lock, unavailable fixture, route unreachability, missing seeded data, or external process conflict:
1. Keep or add deterministic Feature/Unit coverage for the same product contract.
2. Mark the row `gap` or `spec322-partial` with exact reason.
3. Do not claim full browser coverage for that surface.
4. Include the blocker in the final implementation report.

314
specs/322-browser-no-drift-regression-guard/plan.md Normal file
View File

@ -0,0 +1,314 @@
# Implementation Plan: Browser No-Drift Regression Guard
**Branch**: `322-browser-no-drift-regression-guard`
**Date**: 2026-05-17
**Spec**: `specs/322-browser-no-drift-regression-guard/spec.md`
**Status**: Draft
## Summary
Create durable no-drift regression coverage for the Workspace / Environment contracts stabilized by Specs 314 through 321. The implementation is test/guard-first and must not add product behavior except narrow fixes required to make existing contracts deterministic.
The plan adds:
- Feature/static guards for surface classification, URL generation, canonical `environment_id`, clear-state contracts, cross-workspace rejection, legacy aliases, `/admin/t`, Tenant panel provider absence, and provider-boundary Tenant allowlist.
- Pest Browser smoke tests grouped by surface model for shell, chip, clear, reload, and back/forward alignment.
- A coverage manifest and test plan so future admin surfaces can update coverage deliberately.
## Technical Context
**Language / Version**: PHP 8.4.15
**Primary Framework**: Laravel 12.52.0
**Admin UI**: Filament 5.2.1
**Reactive Layer**: Livewire 4.1.4
**Database**: PostgreSQL via Sail
**Testing**: Pest 4.3.1, PHPUnit 12.5
**Validation Lanes**: Feature/static guards, Browser lane, possible heavy-governance classification if discovery-style guards are broadened
**Target Platform**: Laravel monolith in `apps/platform`
**Project Type**: Web application
**Performance Goals**: Keep Browser tests focused and grouped so the lane remains stable and reviewable.
**Constraints**: No migrations, no seeders unless fixture determinism is impossible, no package changes, no env/queue/scheduler/storage changes, no Playwright MCP dependency, no backwards compatibility aliases.
**Scale / Scope**: Core admin surface contracts only; optional surfaces are documented rather than silently included.
Package posture:
- Filament v5 requires Livewire v4.0+; this repo uses Livewire 4.1.4.
- Laravel 12 panel providers are registered in `apps/platform/bootstrap/providers.php`; this spec does not add a panel provider.
- No frontend assets are added. No `filament:assets` deployment change is expected.
## Current Repo Truth
Relevant existing seams:
```text
apps/platform/app/Support/Navigation/WorkspaceHubRegistry.php
apps/platform/app/Support/Navigation/AdminSurfaceScope.php
apps/platform/app/Support/Navigation/WorkspaceHubEnvironmentFilter.php
apps/platform/app/Support/Navigation/WorkspaceHubFilterStateResetter.php
apps/platform/app/Filament/Concerns/ClearsWorkspaceHubEnvironmentFilterState.php
apps/platform/resources/views/filament/partials/workspace-hub-environment-filter-chip.blade.php
apps/platform/app/Support/Navigation/WorkspaceSidebarNavigation.php
apps/platform/app/Support/ManagedEnvironmentLinks.php
apps/platform/app/Support/OperationRunLinks.php
apps/platform/routes/web.php
```
Existing related tests and smoke coverage:
```text
apps/platform/tests/Feature/Navigation/WorkspaceHubRegistryTest.php
apps/platform/tests/Feature/Navigation/WorkspaceHubEnvironmentFilterContractTest.php
apps/platform/tests/Feature/Navigation/WorkspaceHubClearFilterContractTest.php
apps/platform/tests/Feature/Navigation/WorkspaceHubSidebarUrlContractTest.php
apps/platform/tests/Feature/Navigation/Spec321AlertsAuditEnvironmentFilterContractTest.php
apps/platform/tests/Feature/Guards/LegacyTenantPlatformContextCleanupTest.php
apps/platform/tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php
apps/platform/tests/Feature/Filament/BaselineCompareEnvironmentRouteContractTest.php
apps/platform/tests/Browser/Spec314WorkspaceHubNavigationContextSmokeTest.php
apps/platform/tests/Browser/Spec316WorkspaceHubClearFilterSmokeTest.php
apps/platform/tests/Browser/Spec190BaselineCompareMatrixSmokeTest.php
```
Spec 322 should extend or add targeted files rather than replacing these proven anchors.
## Project Structure
### Spec Artifacts
```text
specs/322-browser-no-drift-regression-guard/spec.md
specs/322-browser-no-drift-regression-guard/plan.md
specs/322-browser-no-drift-regression-guard/tasks.md
specs/322-browser-no-drift-regression-guard/test-plan.md
specs/322-browser-no-drift-regression-guard/coverage-manifest.md
specs/322-browser-no-drift-regression-guard/checklists/requirements.md
specs/322-browser-no-drift-regression-guard/artifacts/screenshots/.gitkeep
```
### Likely Runtime/Test Areas For Later Implementation
```text
apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php
apps/platform/tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php
apps/platform/tests/Feature/Navigation/Spec322EnvironmentCtaUrlContractTest.php
apps/platform/tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php
apps/platform/tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php
apps/platform/tests/Browser/Spec322WorkspaceOwnedAnalysisSmokeTest.php
apps/platform/tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php
apps/platform/tests/Browser/Support/Spec322WorkspaceEnvironmentBrowserHarness.php
```
The support harness path is suggested, not mandatory. If existing helper conventions provide enough reuse, implementation should keep helpers local to the test files.
## UI / Surface Guardrail Plan
- **Guardrail scope**: Workflow-only guardrail over existing surfaces.
- **Native vs custom classification summary**: Existing Filament-native surfaces; no new product UI.
- **Shared-family relevance**: Navigation, shell, filter chip, clear/reset, browser history.
- **State layers in scope**: route path, query string, Livewire properties, Filament table filters, deferred filters, persisted/session filters, shell context, chip visibility, browser history.
- **Audience modes in scope**: operator-MSP and support-platform only as existing users; no new disclosure modes.
- **Decision/diagnostic/raw hierarchy plan**: N/A - guard assertions only.
- **Raw/support gating plan**: N/A.
- **One-primary-action / duplicate-truth control**: Existing clear action remains the only filter reset control under test.
- **Handling modes by drift class or surface**: Workspace/Environment mismatch is a hard-stop candidate for implementation; optional unreachable browser surfaces are document-in-feature only if Feature coverage proves the contract.
- **Repository-signal treatment**: Review-mandatory for new admin surfaces missing manifest/test coverage.
- **Special surface test profiles**: `global-context-shell`.
- **Required tests or manual smoke**: Feature/static guards plus Pest Browser smoke tests.
- **Exception path and spread control**: Any browser gap must be documented in `coverage-manifest.md` with deterministic non-browser proof.
- **Active feature PR close-out entry**: Guardrail / Smoke Coverage.
## Shared Pattern & System Fit
- **Cross-cutting feature marker**: yes
- **Systems touched**: Navigation registry, surface scope enum, Environment filter resolver, filter resetter, shell context, browser tests.
- **Shared abstractions reused**: `WorkspaceHubRegistry`, `AdminSurfaceScope`, `WorkspaceHubEnvironmentFilter`, `WorkspaceHubFilterStateResetter`, `ClearsWorkspaceHubEnvironmentFilterState`, shared filter chip partial.
- **New abstraction introduced? why?**: No runtime abstraction. Test-only helper extraction is allowed only when it reduces repeated fragile browser setup.
- **Why the existing abstraction was sufficient or insufficient**: Runtime abstractions are sufficient; current gap is durable cross-surface guard coverage.
- **Bounded deviation / spread control**: Test helpers must remain in test support or local browser test scope and must not become product navigation registries.
## OperationRun UX Impact
- **Touches OperationRun start/completion/link UX?**: no
- **Central contract reused**: N/A
- **Delegated UX behaviors**: N/A
- **Surface-owned behavior kept local**: Existing Operations hub may be used as a workspace hub test surface.
- **Queued DB-notification policy**: N/A
- **Terminal notification path**: N/A
- **Exception path**: none
## Provider Boundary & Portability Fit
- **Shared provider/platform boundary touched?**: yes, guard-only
- **Provider-owned seams**: Microsoft/Entra/provider Tenant identity terms remain allowed through Spec 317 allowlist.
- **Platform-core seams**: Workspace, Managed Environment, Environment filter query key, shell ownership, route ownership.
- **Neutral platform terms / contracts preserved**: Workspace, Managed Environment, Environment, Provider Connection.
- **Retained provider-specific semantics and why**: Provider Tenant terminology remains where it means external Microsoft/Entra tenant identity.
- **Bounded extraction or follow-up path**: none expected; implementation should add a follow-up only if a current provider-boundary term is ambiguous outside the allowlist.
## Constitution Check
### Pre-Implementation
- **Inventory-first / Snapshots-second**: Pass. No inventory or snapshot truth changes.
- **Read/write separation**: Pass. No product write actions are introduced.
- **Graph contract path**: Pass. No Graph calls are introduced.
- **Deterministic capabilities**: Pass. Capability behavior is not changed.
- **Workspace isolation**: Pass with required tests. Cross-workspace Environment IDs must be rejected.
- **Tenant isolation / provider boundary**: Pass with required legacy alias and provider Tenant allowlist guards.
- **RBAC-UX**: Pass with required tests for non-member/unauthorized Environment behavior where applicable.
- **OperationRun UX**: N/A.
- **Test governance**: Requires explicit Browser lane expansion, manifest, and test-plan documentation.
- **Proportionality**: Pass. No runtime persistence, enum/status family, or runtime framework. Test-only helper extraction must stay narrow.
- **Shared Pattern First**: Pass. Existing runtime paths are reused.
- **Filament-native UI**: Pass. No product UI changes; assertions target existing native/shared surfaces.
- **Spec Candidate Gate**: Pass. Direct manual promotion and already referenced follow-up from completed specs.
### Post-Design
No constitutional violation is expected.
If implementation discovers that passing the guards requires product behavior changes beyond a narrow fix to existing Specs 314 through 321 contracts, update `spec.md` and `plan.md` before continuing.
If implementation adds a runtime registry, persisted entity, enum, or broad helper layer, reopen the proportionality review and stop for review.
## Surface Classification Plan
Source classification comes from existing runtime contracts plus Spec 318 audit terminology.
| Classification | Runtime contract |
| --- | --- |
| `workspace_hub` | Workspace-only shell; optional explicit filter when supported |
| `environment_owned_page` | Workspace + Environment shell; Environment route required |
| `workspace_owned_analysis_surface` | Workspace-only shell; no remembered Environment shell inheritance |
| `workspace_configuration_surface` | Workspace-only shell; configuration semantics; no Environment chip unless explicitly supported |
| `system_platform_surface` | System panel or non-admin platform surface |
| `out_of_scope` | Not stable/reachable or not part of this guard |
The manifest must use these labels and must be updated when future specs add admin surfaces.
## Feature / Static Guard Plan
Create or update focused tests for:
- `it('classifies_core_admin_surfaces_without_scope_drift')`
- `it('workspace_hub_clean_urls_never_emit_environment_or_legacy_query_params')`
- `it('environment_cta_urls_use_the_correct_surface_contract')`
- `it('clear_filter_results_match_clean_workspace_hub_entry_for_filterable_hubs')`
- `it('environment_id_filters_reject_cross_workspace_environment_ids')`
- `it('legacy_environment_query_aliases_do_not_create_filter_or_shell_state')`
- `it('has_no_active_legacy_tenant_panel_routes')`
- `it('allows_tenant_terms_only_in_provider_boundary_contexts')`
Use existing tests where possible and add Spec 322 coverage only for gaps.
## Browser Guard Plan
Use Pest Browser. Do not introduce Playwright MCP dependency.
Group browser tests by contract:
1. Workspace hub clean entry, reload, and sidebar/global/direct origins.
2. Workspace hub filtered entry, chip, clear, reload, and back/forward.
3. Environment-owned route/shell contract and invalid clean workspace access.
4. Workspace-owned analysis and workspace configuration shell cutover.
5. Alerts/Audit Log focused no-drift smoke.
Screenshots are diagnostic only. Store useful artifacts under:
```text
specs/322-browser-no-drift-regression-guard/artifacts/screenshots/
```
## Data / Migration Plan
No migrations are planned.
No new tables, persisted entities, seeders, packages, env vars, queues, scheduler, storage, deployment assets, or compatibility layers are planned.
If deterministic browser fixtures cannot be produced without a seeder change, update the spec and plan first. Prefer test factories and explicit fixture helpers.
## Authorization / Security Plan
- Use existing workspace and Managed Environment access helpers/factories.
- Assert cross-workspace and unauthorized Environment IDs do not leak data and do not switch Workspace.
- Keep UI state out of the authorization boundary; guard server-side behavior via Feature tests where possible.
- Keep `/admin/t` and `TenantPanelProvider` absence guarded.
## Filament v5 Output Contract
1. **Livewire v4.0+ compliance**: Required. The app uses Livewire 4.1.4; tests and any narrow fixes must not introduce Livewire v3 references.
2. **Provider registration location**: No provider changes are planned. Laravel 12 Filament panel providers remain in `apps/platform/bootstrap/providers.php`.
3. **Globally searchable resources**: Spec 322 should not make any resource globally searchable. Existing resources must continue either to have View/Edit pages or have global search disabled according to Filament v5 rules.
4. **Destructive actions**: Spec 322 introduces no destructive product actions. If a narrow runtime fix touches an existing destructive action, it must preserve `->action(...)`, `->requiresConfirmation()`, policy/gate authorization, and audit behavior.
5. **Asset strategy**: No global or on-demand Filament assets are planned. No deployment `filament:assets` change is required.
6. **Testing plan**: Feature/static guards plus Pest Browser tests for pages/resources as Livewire/browser-visible surfaces. Mutating actions are not introduced.
## Test Governance Check
- **Test purpose / classification by changed surface**: Feature/static for registries, URLs, aliases, and authorization; Browser for shell/chip/clear/reload/history.
- **Affected validation lanes**: fast-feedback, browser, and optional heavy-governance if discovery-style guard breadth expands.
- **Why this lane mix is the narrowest sufficient proof**: Feature tests can exhaustively prove deterministic contracts. Browser is required only for browser state and visible shell/chip/history.
- **Narrowest proving commands**: Listed in `test-plan.md`.
- **Fixture / helper / factory / seed / context cost risks**: Browser setup can grow. Keep helper defaults explicit and avoid global seed reliance.
- **Expensive defaults or shared helper growth introduced?**: Not by default. Any browser harness must be opt-in.
- **Heavy-family additions, promotions, or visibility changes**: Explicit `Spec322` Browser smoke files.
- **Surface-class relief / special coverage rule**: `global-context-shell`.
- **Closing validation and reviewer handoff**: Review manifest, test names, helper cost, focused commands, browser gap documentation, and absence of runtime compatibility aliases.
- **Budget / baseline / trend follow-up**: Document runtime if materially higher than existing Spec 314/316 browser smoke.
- **Review-stop questions**: Are browser tests focused? Are legacy aliases rejected rather than accepted? Are optional gaps documented? Does any helper create hidden fixture cost?
- **Escalation path**: document-in-feature; follow-up-spec only if browser lane cost becomes structural.
- **Active feature PR close-out entry**: Guardrail / Smoke Coverage.
- **Why no dedicated follow-up spec is needed**: Spec 322 is the dedicated no-drift guardrail package.
## Implementation Phases
1. Confirm existing surface classifications and route/helper names.
2. Add/update coverage manifest with all required surfaces and current planned coverage.
3. Add Feature/static guards for classifications, URLs, legacy aliases, cross-workspace rejection, `/admin/t`, and provider Tenant allowlist.
4. Add or refactor test-only browser helper patterns if existing duplication becomes brittle.
5. Add grouped Pest Browser smoke tests for workspace hubs, Environment-owned pages, workspace-owned analysis/configuration surfaces, and Alerts/Audit Log.
6. Run focused Feature/static tests.
7. Run focused Browser tests.
8. Update coverage manifest with actual coverage and any browser gaps.
9. Run formatting and `git diff --check`.
10. Report exact test commands/results and no-runtime-change confirmations.
## Complexity Tracking
| Violation | Why Needed | Simpler Alternative Rejected Because |
| --- | --- | --- |
| Browser lane expansion | Shell/chip/clear/reload/history alignment is browser-visible and cannot be proven by static tests alone | Existing per-spec smoke tests do not cover the full stabilized chain or Alerts/Audit Log after Spec 321 |
| Coverage manifest | Future surfaces need an explicit coverage contract | Relying on test file names alone would hide browser gaps and classification drift |
## Rollout Considerations
- No runtime rollout impact is expected.
- No staging/production migration or deployment step is expected.
- CI should include the focused Feature/static guard command and the Browser lane command when Browser infrastructure is available.
- Do not claim full suite green unless the full suite is actually run.
## Risks And Controls
| Risk | Control |
| --- | --- |
| Browser suite becomes flaky or too broad | Group smoke tests by surface model, assert stable text/URL/chip state, move exhaustive alias coverage to Feature tests |
| Test helper hides expensive setup | Keep workspace/environment/session setup explicit and opt-in |
| Optional surfaces are silently skipped | Document gaps and reasons in `coverage-manifest.md` |
| Legacy aliases are accidentally accepted in tests | Feature guards must assert aliases do not create filter or shell state |
| Runtime behavior changes beyond guard fixes | Update spec/plan before continuing |
## Validation Plan
See `test-plan.md` for exact targeted commands.
Minimum final validation:
```bash
cd apps/platform
./vendor/bin/sail artisan test tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php tests/Feature/Navigation/Spec322EnvironmentCtaUrlContractTest.php --compact
./vendor/bin/sail artisan test tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php tests/Browser/Spec322WorkspaceOwnedAnalysisSmokeTest.php tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php --compact
./vendor/bin/sail pint --dirty
git diff --check
```
Exact file names may be adjusted during implementation if existing repo conventions make narrower updates preferable.

393
specs/322-browser-no-drift-regression-guard/spec.md Normal file
View File

@ -0,0 +1,393 @@
# Feature Specification: Browser No-Drift Regression Guard
**Feature Branch**: `322-browser-no-drift-regression-guard`
**Created**: 2026-05-17
**Status**: Draft
**Input**: User supplied full Spec 322 draft: "Browser No-Drift Regression Guard"
**Type**: Durable regression coverage / browser contract guard / no-drift enforcement
**Runtime Posture**: Test/guard-first. No new product behavior unless required to make guards deterministic.
## Dependencies
- Spec 314: Workspace Hub Navigation Context Contract
- Spec 315: Environment CTA Explicit Filter Contract
- Spec 316: Workspace Hub Clear Filter Contract
- Spec 317: Legacy Tenant / Environment Context Cleanup
- Spec 318: Admin Surface Scope & Shell Context Audit
- Spec 319: Environment-Owned Surface Routing & Shell Context Contract
- Spec 320: Workspace-Owned Analysis Surface Registration & Shell Cutover
- Spec 321: Alerts / Audit Log Environment Filter Contract Decision
## Spec Candidate Check
- **Problem**: Workspace, Environment, filter, shell, clear-state, and legacy Tenant cleanup contracts now span routes, Filament pages/resources, Livewire state, session persistence, sidebar/global navigation, and browser history. Without durable guards, future specs can reintroduce hidden Environment shell inheritance or stale filter state.
- **Today's failure**: A future page or helper could emit `tenant`, `managed_environment_id`, remembered Environment state, or a workspace-clean URL that silently renders Environment-owned data. Operators would see mismatched shell, URL, filter chip, and data scope.
- **User-visible improvement**: Operators get consistent Workspace-only hubs, explicit Environment-owned pages, visible filtered state, reliable clear behavior, and no resurrected legacy Tenant platform context.
- **Smallest enterprise-capable version**: Add focused Feature/static guards plus grouped Pest Browser contract smoke tests for core high-risk surfaces, with a coverage manifest documenting any browser gaps.
- **Explicit non-goals**: No product redesign, no new Environment filters, no Alert/Audit contract change beyond Spec 321, no migrations, no seeders unless deterministic browser fixtures are impossible, no packages, no compatibility aliases, no Playwright MCP dependency, no visual-regression framework.
- **Permanent complexity imported**: New or updated Pest Feature tests, Pest Browser smoke tests, test-only helper structure where existing browser conventions are insufficient, coverage manifest, test plan, and ongoing maintenance obligation for new admin surfaces.
- **Why now**: Specs 314 through 321 intentionally stabilized the contracts and repeatedly deferred durable no-drift coverage to Spec 322. Spec 321 is now implemented on the current branch history, so the guard can cover the full chain.
- **Why not local**: Local tests per surface already exist, but drift risk is cross-surface and browser-state-dependent. A single future change can break URL/chip/shell/session/history alignment across several surfaces.
- **Approval class**: Core Enterprise
- **Red flags triggered**: Cross-surface coverage and test infrastructure. Defense: the scope is test-only and protects workspace isolation, Environment ownership, auditability, and operator trust without adding runtime product frameworking.
- **Score**: Nutzen: 2 | Dringlichkeit: 2 | Scope: 2 | Komplexitaet: 1 | Produktnaehe: 1 | Wiederverwendung: 2 | **Gesamt: 10/12**
- **Decision**: approve
## Candidate Source And Guardrail Result
**Candidate Source**: Direct user-provided manual promotion for Spec 322. The candidate is also referenced as deferred follow-up in Specs 319, 320, and 321.
**Completed-Spec Guardrail**: Specs 314 through 321 were inspected as completed or historical context and remain unchanged by this preparation. This package creates a new Spec 322 path and does not rewrite close-out, validation, completed tasks, smoke evidence, or review history from earlier specs.
**Close alternatives deferred**:
- Customer Review Workspace v1 polish: productization lane after context foundations are protected.
- Decision-Based Governance Inbox v1 polish: product lane after no-drift guards exist.
- Localization v1 and commercial lifecycle maturity: roadmap product lanes, not guardrail completion.
- Broad visual regression framework: deferred as too heavy for the current need.
## Summary
Add durable browser and regression coverage to prevent Workspace / Environment context drift from returning.
Specs 314 through 321 established these product contracts:
- Workspace hubs use Workspace-only shell ownership.
- Environment Dashboard CTAs use canonical `?environment_id=...` when they intentionally filter a workspace hub.
- Clear filter removes URL, Livewire, Filament table, deferred table, session, and persisted state.
- Legacy Tenant platform context is removed or quarantined.
- Environment-owned pages require Environment route/shell context.
- Workspace-owned analysis pages cut over to Workspace-only shell.
- Alerts and Audit Log have explicit Spec 321 contracts.
Spec 322 turns those contracts into maintainable guards.
## Product Context
TenantPilot is workspace-first.
Workspace is the primary platform context. Managed Environment is a secondary operational context inside a Workspace. Provider Tenant remains only a provider-boundary concept, such as Microsoft/Entra/Graph tenant identity.
The guarded admin surface models are:
| Model | Expected contract |
| --- | --- |
| Workspace Hub | Workspace-only shell, clean workspace-wide URL, optional canonical `environment_id` filter if supported, visible chip when filtered, clear returns to clean state |
| Environment-Owned Page | Workspace + Environment shell, route encodes Environment ownership, no clean workspace-only rendering, no workspace-hub `environment_id` model |
| Workspace-Owned Analysis Surface | Workspace-only shell, no remembered Environment inheritance, optional `environment_id` only where explicitly supported |
| Workspace Configuration Surface | Workspace-only shell, no Environment filter unless explicitly supported |
## Spec Scope Fields
- **Scope**: canonical-view / workspace shell and Environment route guardrail
- **Primary Routes**: `/admin`, `/admin/workspaces/{workspace}/operations`, `/admin/provider-connections`, `/admin/finding-exceptions/queue`, `/admin/evidence/overview`, `/admin/reviews`, `/admin/reviews/workspace`, `/admin/governance/inbox`, `/admin/governance/decisions`, `/admin/audit-log`, `/admin/alerts`, `/admin/alerts/alert-deliveries`, `/admin/alerts/alert-rules`, `/admin/alerts/alert-destinations`, `/admin/settings/workspace`, `/admin/workspaces/{workspace}/environments/{environment}`, Environment-owned subroutes, `/admin/baseline-profiles`, `/admin/baseline-snapshots`, `/admin/findings/my-work`, `/admin/findings/intake`, `/admin/findings/hygiene`, `/admin/cross-environment-compare`
- **Data Ownership**: No new persisted data. Guards must prove existing workspace-owned and Environment-owned records remain scoped by current Workspace and authorized Environment membership.
- **RBAC**: Tests must use existing workspace membership and Managed Environment access fixtures. Cross-workspace or unauthorized Environment IDs must resolve as safe no-access / deny-as-not-found behavior.
For canonical-view specs:
- **Default filter behavior when Environment context is active**: Workspace hubs and workspace-owned analysis surfaces must remain Workspace-only unless a valid canonical `environment_id` query parameter is present and the surface explicitly supports it.
- **Explicit entitlement checks preventing cross-environment leakage**: Feature tests must prove cross-workspace and unauthorized Environment IDs do not switch Workspace, do not leak data, and do not create shell/filter state.
## Cross-Cutting / Shared Pattern Reuse
- **Cross-cutting feature?**: yes
- **Interaction class(es)**: navigation, context shell, filter chip, clear filter, browser history, global/sidebar entries, Environment Dashboard CTAs, test lane governance
- **Systems touched**: `WorkspaceHubRegistry`, `AdminSurfaceScope`, `WorkspaceHubEnvironmentFilter`, `WorkspaceHubFilterStateResetter`, `ClearsWorkspaceHubEnvironmentFilterState`, shared chip partial, route helpers, browser tests, Feature guards
- **Existing pattern(s) to extend**: Existing Spec 314, 316, 319, 320, and 321 guard tests and browser smoke tests
- **Shared contract / presenter / builder / renderer to reuse**: Existing navigation/filter/reset helpers and existing Pest Browser conventions
- **Why the existing shared path is sufficient or insufficient**: Existing paths are sufficient for runtime behavior. Spec 322 may add test-only helper organization if required to avoid copying brittle browser setup across every surface.
- **Allowed deviation and why**: Test-only helper extraction is allowed when it remains under test support paths and does not become a runtime surface registry.
- **Consistency impact**: URL, visible chip, shell text, data scope, clear action, reload, and browser history must remain aligned.
- **Review focus**: Verify guards protect contracts without changing product behavior or accepting legacy aliases.
## OperationRun UX Impact
- **Touches OperationRun start/completion/link UX?**: no
- **Shared OperationRun UX contract/layer reused**: N/A
- **Delegated start/completion UX behaviors**: N/A
- **Local surface-owned behavior that remains**: Existing Operations hub and OperationRun links may be used as tested surfaces only.
- **Queued DB-notification policy**: N/A
- **Terminal notification path**: N/A
- **Exception required?**: none
## Provider Boundary / Platform Core Check
- **Shared provider/platform boundary touched?**: yes, in guard assertions only
- **Boundary classification**: mixed; platform-core shell/query contracts are guarded while provider-boundary Tenant terminology remains allowlisted where it means Microsoft/Entra/provider tenant identity
- **Seams affected**: query keys, URL helpers, provider-boundary terminology allowlist, legacy Tenant route guards
- **Neutral platform terms preserved or introduced**: Workspace, Managed Environment, Environment, Provider Connection
- **Provider-specific semantics retained and why**: `tenant` remains allowed only in provider-boundary contexts documented by Spec 317 allowlist.
- **Why this does not deepen provider coupling accidentally**: The spec rejects Tenant as Environment/platform synonym and adds guards against old query aliases.
- **Follow-up path**: none unless implementation discovers a current provider-boundary ambiguity not covered by Spec 317.
## UI / Surface Guardrail Impact
| Surface / Change | Operator-facing surface change? | Native vs Custom | Shared-Family Relevance | State Layers Touched | Exception Needed? | Low-Impact / N/A Note |
| --- | --- | --- | --- | --- | --- | --- |
| Browser regression guards for existing admin surfaces | no product UI change | Existing Filament surfaces | navigation, shell, filter chip | shell, URL-query, Livewire, table filters, session, browser history | no | Test-only guardrail |
| Coverage manifest | no | N/A | test governance | none | no | Documentation artifact for guard coverage |
## Decision-First Surface Role
Spec 322 does not add or materially change operator-facing surfaces. The guarded surfaces keep their existing roles:
- Workspace hubs remain Secondary Context / operational workspace surfaces.
- Environment-owned pages remain Environment-specific decision/diagnostic surfaces.
- Workspace-owned analysis surfaces remain workspace-level analysis surfaces.
- Configuration surfaces remain workspace configuration surfaces.
## Audience-Aware Disclosure
N/A - no product-facing detail/status surface is added or materially changed.
## UI/UX Surface Classification
No operator-facing surface classification changes are introduced. The classifications are documented in `coverage-manifest.md` for guard coverage only.
## Operator Surface Contract
No new page contract is introduced. The tests must assert that existing page contracts remain truthful:
- Workspace hub shell copy must not imply an active Environment when the URL is clean.
- Filtered workspace hubs must show visible Environment chip state.
- Environment-owned pages must show Workspace + active Environment shell context.
- Configuration surfaces must not show Environment filter chips from query aliases.
## Proportionality Review
- **New source of truth?**: no runtime source of truth; yes test-documentation truth in `coverage-manifest.md`
- **New persisted entity/table/artifact?**: no persisted entity/table; yes Spec Kit documentation artifacts
- **New abstraction?**: no runtime abstraction; possible test-only harness helpers if duplication requires them
- **New enum/state/reason family?**: no
- **New cross-domain UI framework/taxonomy?**: no runtime UI framework; the manifest uses test classifications already established by Specs 318 through 321
- **Current operator problem**: Operators and reviewers need confidence that Workspace/Environment context cannot silently drift across navigation, filters, reload, and history.
- **Existing structure is insufficient because**: Current focused tests cover slices but do not provide a durable coverage map and grouped browser guard suite across the whole stabilized chain.
- **Narrowest correct implementation**: Add explicit Feature/static guards plus focused Browser smoke files grouped by surface model, reusing existing helpers and only extracting test helpers if repeated setup becomes brittle.
- **Ownership cost**: Browser lane runtime and future maintenance when new admin surfaces are added.
- **Alternative intentionally rejected**: Full visual regression framework and broad Playwright MCP dependency.
- **Release truth**: Current-release guardrail over existing implemented contracts.
### Compatibility posture
This feature assumes a pre-production environment.
Backward compatibility, legacy aliases, migration shims, historical fixtures, and compatibility-specific tests are out of scope. Legacy query aliases must not be supported or redirected.
## Testing / Lane / Runtime Impact
- **Test purpose / classification**: Feature, Heavy-Governance, Browser
- **Validation lane(s)**: fast-feedback for static/Feature guards; browser for critical shell/filter/history smoke; heavy-governance if a registry/discovery guard is added or materially expanded
- **Why this classification and these lanes are sufficient**: URL generation, classification, legacy alias rejection, and cross-workspace rejection are deterministic Feature tests. Shell/chip/reload/back-forward alignment is browser-visible and belongs in Browser lane.
- **New or expanded test families**: Expanded Spec 322 browser no-drift family plus feature guard files under `apps/platform/tests/Feature/Navigation` or existing guard directories.
- **Fixture / helper cost impact**: Existing workspace/environment factories and browser fixture patterns should be reused. Any new helper must keep workspace, membership, session, and Environment setup explicit.
- **Heavy-family visibility / justification**: Browser tests are explicitly named `Spec322...SmokeTest` and grouped by surface model to keep lane cost visible.
- **Special surface test profile**: global-context-shell
- **Standard-native relief or required special coverage**: Special coverage required because shell, URL, Livewire/table/session, and browser history can drift independently.
- **Reviewer handoff**: Reviewers must verify lane fit, helper cost, surface manifest accuracy, and that Browser tests do not become one large flaky scenario.
- **Budget / baseline / trend impact**: Browser lane expands. Runtime must be documented in implementation close-out if material.
- **Escalation needed**: document-in-feature unless the Browser lane becomes structurally expensive; then follow-up-spec.
- **Active feature PR close-out entry**: Guardrail / Smoke Coverage
- **Planned validation commands**: See `test-plan.md`.
## User Scenarios & Testing
### User Story 1 - Workspace hubs stay clean and reload-safe (Priority: P1)
As a workspace operator who previously worked inside a Managed Environment, I can open workspace hubs from sidebar/global/direct clean URLs and see Workspace-only shell, no Environment filter chip, and no legacy query state.
**Why this priority**: Clean workspace hub entry is the foundation for all other scope contracts.
**Independent Test**: Start from an Environment Dashboard with remembered Environment state, open each required workspace hub clean URL or sidebar/global link, reload, and assert clean URL, Workspace-only shell, no chip, and no legacy query params.
**Acceptance Scenarios**:
1. Given an active remembered Environment, when Operations opens through its clean workspace URL, then no Environment query parameter, shell, or chip is present.
2. Given a clean workspace hub is reloaded, when the page returns, then no stale Environment shell or chip appears.
### User Story 2 - Filtered workspace hubs expose visible and clearable Environment focus (Priority: P1)
As an operator drilling from an Environment-owned page into a filterable workspace hub, I can see the canonical `environment_id` filter as a visible chip and clear it back to the clean workspace-wide page.
**Why this priority**: Hidden filters create the highest trust risk because data can be narrowed while the shell looks workspace-wide.
**Independent Test**: Open each filterable hub with `?environment_id={id}`, assert chip and filtered data, clear it, reload, and assert workspace-wide state.
**Acceptance Scenarios**:
1. Given a valid current Workspace Environment ID, when Provider Connections opens with `environment_id`, then the shell remains Workspace-only and the chip names that Environment.
2. Given the filter is cleared, when the browser reloads, then URL, chip, table state, and shell remain clean.
### User Story 3 - Browser history never creates URL/chip/shell mismatch (Priority: P1)
As an operator using browser back and forward after filtering and clearing, I see URL, visible chip, shell context, and data scope remain aligned.
**Why this priority**: Browser history was a high-risk source of stale Livewire/session state in Specs 314 through 316.
**Independent Test**: For required high-risk hubs, open filtered URL, clear, go back, go forward, and assert alignment after each transition.
**Acceptance Scenarios**:
1. Given back returns to a URL containing `environment_id`, then the chip exists and shell remains Workspace-only.
2. Given forward returns to a clean URL, then the chip is absent and shell remains Workspace-only.
### User Story 4 - Environment-owned pages require Environment route and shell (Priority: P1)
As an operator entering an Environment-owned page, I see Workspace + Environment shell context and cannot access that page through an old clean workspace-only URL or remembered fallback.
**Why this priority**: Baseline Compare and adjacent Environment-owned pages must not regress into workspace-hub filter semantics.
**Independent Test**: Open Environment-owned pages from Environment Dashboard or canonical Environment routes, reload, navigate away/back, and assert Environment shell. Attempt former clean workspace-only access where routes exist and assert safe 404/no-access/redirect behavior.
**Acceptance Scenarios**:
1. Given Baseline Compare opens from Environment Dashboard, then its URL contains the Environment route segment and no workspace-hub `environment_id` query model.
2. Given an old workspace-only Baseline Compare URL with `environment_id`, then it does not render a valid Environment page.
### User Story 5 - Workspace-owned analysis and configuration surfaces cut away from Environment shell (Priority: P2)
As an operator opening analysis or configuration pages from an Environment origin, I see Workspace-only shell and no remembered Environment shell inheritance.
**Why this priority**: These surfaces are likely future navigation targets and must stay workspace-owned.
**Independent Test**: Start from Environment Dashboard, open each analysis/configuration surface by clean URL or navigation, reload, and assert Workspace-only shell and no chip unless the URL explicitly supports filtering.
**Acceptance Scenarios**:
1. Given Baseline Profiles opens from Environment Dashboard, then shell is Workspace-only and no Environment chip appears.
2. Given Alert Rules opens with a stray `environment_id`, then no Environment chip or shell context appears.
### User Story 6 - Legacy Tenant aliases remain invalid (Priority: P2)
As a reviewer or future implementer, I have deterministic guards proving legacy Tenant query aliases and `/admin/t` routes cannot create Environment filter or shell state.
**Why this priority**: Spec 317 cleanup must not be undone by future helper or copied test fixture drift.
**Independent Test**: Feature tests cover all legacy alias keys across representative surfaces; browser smoke covers a representative subset without making the browser suite huge.
**Acceptance Scenarios**:
1. Given `tenant`, `tenant_id`, `managed_environment_id`, `environment`, `tenant_scope`, or `tableFilters` are present on a workspace hub URL, then no Environment filter state appears.
2. Given `/admin/t/...` is requested, then it is not an active route and no Tenant panel provider is registered.
## Edge Cases
- Cross-workspace `environment_id` is supplied to a filterable workspace hub.
- A valid current Workspace Environment ID is supplied but the actor lacks access.
- Legacy aliases appear together with unrelated query parameters.
- Legacy aliases appear together with canonical `environment_id`; only canonical behavior is allowed, and no legacy alias may survive generated links.
- Livewire table filters or deferred filters have remembered Environment-like state.
- Session-persisted table filters survive from an earlier page visit.
- Browser back/forward restores a filtered URL after clear.
- Environment-owned page has a legacy workspace-only route or landing alias.
- Alert/Audit rows with null Environment attribution exist.
- Optional pages are unreachable or lack deterministic fixtures.
- Browser profile or local environment blocks browser execution.
## Requirements
### Functional Requirements
- **FR-001**: The coverage manifest MUST list every required surface with classification, clean URL, filtered URL support, Environment route requirement, clear support, Browser coverage status, Feature coverage status, and notes.
- **FR-002**: Workspace hub clean-entry guards MUST cover Operations, Governance Inbox, Decision Register, Finding Exceptions Queue, Provider Connections, Evidence Overview, Reviews, Customer Reviews, Alert Deliveries, and Audit Log.
- **FR-003**: Filtered workspace hub guards MUST cover filterable hubs using canonical `environment_id` and MUST reject legacy query aliases.
- **FR-004**: Clear-filter guards MUST prove URL, Livewire state, Filament table filters, deferred filters, persisted/session state, chip state, and shell context return to clean workspace-wide state where the surface supports clearing.
- **FR-005**: Browser back/forward guards MUST cover Provider Connections, Finding Exceptions Queue, Customer Reviews, Evidence Overview, Alert Deliveries, and Audit Log.
- **FR-006**: Environment-owned page guards MUST cover Environment Dashboard, Baseline Compare, Required Permissions, Provider Readiness / Onboarding Readiness, and Inventory or Inventory Coverage if browser-stable.
- **FR-007**: Baseline Compare MUST have a browser guard and a clean workspace-only invalid-access guard.
- **FR-008**: Workspace-owned analysis guards MUST cover Baseline Profiles, Baseline Snapshots, My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare.
- **FR-009**: Workspace configuration guards MUST cover Alert Rules, Alert Destinations, and Workspace Settings as Workspace-only surfaces.
- **FR-010**: Legacy Tenant alias guards MUST cover `tenant`, `tenant_id`, `managed_environment_id`, `environment`, `tenant_scope`, and `tableFilters`.
- **FR-011**: No active `/admin/t` route and no active `TenantPanelProvider` may exist.
- **FR-012**: Provider-boundary Tenant terminology MUST remain allowed only through the Spec 317 allowlist or equivalent current guard.
- **FR-013**: Cross-workspace Environment IDs MUST be rejected with safe no-access behavior and must not leak data or switch Workspace.
- **FR-014**: Browser helpers MUST avoid brittle selectors where stable text, route, ARIA, or `data-testid` hooks already exist.
- **FR-015**: Browser tests MUST stay grouped and focused rather than one large all-in-one scenario.
- **FR-016**: Any browser gap MUST be documented in the coverage manifest with a blocker reason and backed by deterministic Feature/Unit coverage.
- **FR-017**: No product behavior may be changed except narrow fixes required to satisfy existing Specs 314 through 321 contracts.
- **FR-018**: No migrations, seeders, packages, env vars, queues, scheduler, storage, or deployment asset changes are allowed unless the spec is updated before implementation continues.
### Non-Functional Requirements
- **NFR-001**: Browser tests MUST avoid sleeps and volatile row-count assertions unless seeded data makes them deterministic.
- **NFR-002**: Feature/static guards SHOULD cover exhaustive alias and registry checks so Browser tests remain smoke-level.
- **NFR-003**: Test setup MUST keep workspace, membership, Environment access, session, and provider fixture cost explicit.
- **NFR-004**: Test names MUST make heavy/browser lane cost visible, using `Spec322` prefixes.
- **NFR-005**: Filament v5 / Livewire v4 patterns MUST remain in test code. No Livewire v3 or Filament v3/v4 assumptions.
- **NFR-006**: Browser screenshots MAY be diagnostic, but assertions are authoritative.
- **NFR-007**: Guard failures MUST identify the surface and mismatch clearly enough for follow-up repair.
- **NFR-008**: The implementation MUST not introduce Playwright MCP dependency; use Pest Browser coverage unless the spec is explicitly revised.
## Data / Truth-Source Requirements
- **DTR-001**: The coverage manifest is the documentation truth for Spec 322 guard coverage, not runtime product truth.
- **DTR-002**: Test data must use existing factories and persisted records only to prove scope alignment.
- **DTR-003**: Environment filtering truth remains canonical `environment_id`; legacy aliases are invalid inputs.
- **DTR-004**: Provider Tenant terms remain provider-boundary terminology only.
## Out Of Scope
- New product features.
- Redesigning pages.
- Changing navigation IA unless a guard reveals an existing in-scope regression requiring a narrow fix.
- Changing Environment CTA behavior except to satisfy existing contract.
- Adding new Environment filters.
- Changing Alerts/Audit Log decisions from Spec 321.
- Refactoring all Filament pages.
- Adding a full visual-regression framework.
- Introducing Playwright MCP dependency.
- Requiring manual screenshots for every run.
- Adding flaky tests.
- Adding migrations, seeders, packages, env vars, queues, scheduler, storage, deployment assets, or compatibility layers.
## Success Criteria
- **SC-001**: `coverage-manifest.md` exists and lists all required surfaces with coverage status and gaps.
- **SC-002**: Feature/static guards cover classification, clean URLs, Environment CTA URLs, clear filter, cross-workspace rejection, legacy aliases, `/admin/t`, Tenant panel provider absence, and provider Tenant allowlist.
- **SC-003**: Browser guards cover clean workspace hub entry, filtered entry, clear/reload, back/forward, Environment-owned pages, workspace-owned analysis pages, workspace configuration pages, and Alerts/Audit Log contracts at the scope defined in `test-plan.md`.
- **SC-004**: Browser gaps, if any, are explicit and have deterministic non-browser guard coverage.
- **SC-005**: Targeted Feature/Unit and Browser commands pass, or failures are documented with exact blockers.
- **SC-006**: `git diff --check` passes.
- **SC-007**: No broad runtime/product change is introduced.
## Assumptions
- Pest Browser is the preferred durable browser lane because the repo already uses it.
- Existing browser helpers and fixtures can be reused or lightly factored without adding runtime abstraction.
- Spec 321 runtime implementation is present in current branch history and may be guarded by Spec 322.
- Some optional surfaces may remain Feature-covered only if browser fixtures are not stable or routes are not reachable.
## Open Questions
None blocking preparation.
Implementation may discover browser-only fixture gaps. Those should be documented in `coverage-manifest.md` and covered by deterministic Feature/Unit guards rather than silently skipped.
## Follow-Up Spec Candidates
- Customer Review Workspace v1 polish / productization.
- Decision-Based Governance Inbox v1 polish.
- Localization v1 customer-facing surfaces.
- Cross-Tenant Compare & Promotion v1 productization.
- Commercial entitlements / billing-state maturity.
These are product lanes and are not part of Spec 322.
## Required Final Report Shape
Implementation close-out must report:
- Changed behavior.
- Coverage added.
- Feature tests command and result.
- Browser tests command and result.
- Coverage manifest status.
- Known browser gaps.
- Remaining risks.
- Test files added/updated.
- Surfaces covered.
- Surfaces excluded with reason.
- Whether screenshots were saved.
- Whether full suite was run.
- Known unrelated residual failures.
- Confirmation that no migrations, seeders, packages, env vars, queues, scheduler, storage, deployment asset changes, backwards compatibility layer, or legacy query alias support were added.

217
specs/322-browser-no-drift-regression-guard/tasks.md Normal file
View File

@ -0,0 +1,217 @@
# Tasks: Browser No-Drift Regression Guard
**Input**: Spec artifacts from `specs/322-browser-no-drift-regression-guard/`
**Prerequisites**: `spec.md`, `plan.md`, `test-plan.md`, `coverage-manifest.md`
**Runtime posture**: Test/guard-first. No new product behavior unless a narrow fix is required to satisfy existing Specs 314 through 321 contracts.
## Phase 1: Discovery Confirmation
- [x] T001 Re-read `specs/322-browser-no-drift-regression-guard/spec.md`, `plan.md`, `test-plan.md`, and `coverage-manifest.md` before implementation starts.
- [x] T002 Re-read Specs 314 through 321 as historical/context dependencies without editing their completed artifacts.
- [x] T003 Inspect `apps/platform/app/Support/Navigation/WorkspaceHubRegistry.php` and confirm required workspace hubs and exclusions still match the manifest.
- [x] T004 Inspect `apps/platform/app/Support/Navigation/AdminSurfaceScope.php` and confirm workspace-owned analysis surface classification still matches the manifest.
- [x] T005 Inspect `apps/platform/app/Support/Navigation/WorkspaceHubEnvironmentFilter.php` and confirm canonical `environment_id` remains the only accepted filter query key.
- [x] T006 Inspect `apps/platform/app/Support/Navigation/WorkspaceHubFilterStateResetter.php` and confirm legacy Environment-like query/table/session keys remain resettable.
- [x] T007 Inspect route names and URLs for all required surfaces listed in `specs/322-browser-no-drift-regression-guard/coverage-manifest.md`.
- [x] T008 Update `specs/322-browser-no-drift-regression-guard/coverage-manifest.md` if discovery proves a route, classification, or existing coverage status has changed.
## Phase 2: Feature / Static Guards
- [x] T009 [P] Add `it('classifies_core_admin_surfaces_without_scope_drift')` in `apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php`.
- [x] T010 [P] Add `it('workspace_hub_clean_urls_never_emit_environment_or_legacy_query_params')` in `apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php`.
- [x] T011 [P] Add `it('clear_filter_results_match_clean_workspace_hub_entry_for_filterable_hubs')` in `apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php`.
- [x] T012 [P] Add `it('environment_id_filters_reject_cross_workspace_environment_ids')` in `apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php`.
- [x] T013 [P] Add `it('environment_cta_urls_use_the_correct_surface_contract')` in `apps/platform/tests/Feature/Navigation/Spec322EnvironmentCtaUrlContractTest.php`.
- [x] T014 [P] Add `it('legacy_environment_query_aliases_do_not_create_filter_or_shell_state')` in `apps/platform/tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php`.
- [x] T015 [P] Add `it('has_no_active_legacy_tenant_panel_routes')` coverage by extending or referencing `apps/platform/tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php`.
- [x] T016 [P] Add `it('allows_tenant_terms_only_in_provider_boundary_contexts')` coverage by extending `apps/platform/tests/Feature/Guards/LegacyTenantPlatformContextCleanupTest.php` or adding a narrow Spec 322 guard.
- [x] T017 Confirm Feature/static guards cover Operations, Governance Inbox, Decision Register, Finding Exceptions Queue, Provider Connections, Evidence Overview, Reviews, Customer Reviews, Alert Deliveries, Audit Log, Alerts, Alert Rules, Alert Destinations, Workspace Settings, Baseline Profiles, Baseline Snapshots, My Findings, Findings Intake, Findings Hygiene, Cross-environment Compare, and Baseline Compare.
## Phase 3: Browser Harness And Fixture Control
- [x] T018 Inspect existing Pest Browser patterns in `apps/platform/tests/Browser/Spec314WorkspaceHubNavigationContextSmokeTest.php` and `apps/platform/tests/Browser/Spec316WorkspaceHubClearFilterSmokeTest.php`.
- [x] T019 Decide whether a test-only helper such as `apps/platform/tests/Browser/Support/Spec322WorkspaceEnvironmentBrowserHarness.php` is necessary, or keep helpers local to the Spec 322 browser files.
- [x] T020 If a harness is added, keep workspace, Environment, membership, and session setup explicit and opt-in in `apps/platform/tests/Browser/Support/Spec322WorkspaceEnvironmentBrowserHarness.php`.
- [x] T021 If a harness is added, document its fixture-cost boundary in `specs/322-browser-no-drift-regression-guard/coverage-manifest.md`.
- [x] T022 Avoid adding seeders; if deterministic browser fixtures cannot be built with factories, stop and update `spec.md` and `plan.md` before changing seeders.
## Phase 4: Workspace Hub Browser Guards
- [x] T023 [P] Add `apps/platform/tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php` covering clean workspace hub entry from Environment origin.
- [x] T024 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Operations.
- [x] T025 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Governance Inbox.
- [ ] T026 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Decision Register.
- Covered by existing Spec314/316 browser anchors plus Spec322 Feature/static guards; not duplicated in the focused Spec322 browser smoke.
- [ ] T027 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Finding Exceptions Queue.
- Covered by existing Spec314/316 browser anchors plus Spec322 Feature/static guards; Spec322 browser includes this surface in the representative legacy alias guard.
- [x] T028 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Provider Connections.
- [x] T029 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Evidence Overview.
- [ ] T030 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Reviews and Customer Reviews.
- Covered by existing Spec314/316 browser anchors plus Spec322 Feature/static guards; not duplicated in the focused Spec322 browser smoke.
- [ ] T031 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Alert Deliveries and Audit Log.
- Covered in `Spec322AlertsAuditNoDriftSmokeTest.php`, with Audit Log clear/history retained as Feature fallback due browser click timing.
- [ ] T032 In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover filtered entry, visible chip, clear, and reload for all filterable workspace hubs; include browser back/forward alignment for Provider Connections, Finding Exceptions Queue, Customer Reviews, Evidence Overview, Alert Deliveries, and Audit Log.
- Spec322 browser covers Provider Connections, Evidence Overview, and Alert Deliveries; existing Spec316 browser and Spec322 Feature/static guards cover the remaining permutations.
## Phase 5: Environment-Owned Browser Guards
- [x] T033 Add `apps/platform/tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php` covering Environment-owned route/shell contracts.
- [ ] T034 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Environment Dashboard route, Workspace + Environment shell, reload, and back from a workspace hub.
- Spec322 browser covers route/shell/reload; browser back is left to existing navigation anchors to keep this guard bounded.
- [ ] T035 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Baseline Compare route, Workspace + Environment shell, no workspace-hub `environment_id` model, reload, and browser back.
- Spec322 browser covers route/shell/reload and invalid old access; browser back is left to existing navigation anchors to keep this guard bounded.
- [x] T036 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Baseline Compare old clean workspace-only invalid access using the existing `BaselineCompareEnvironmentRouteContractTest` behavior as the deterministic baseline.
- [x] T037 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Required Permissions if route and fixture are browser-stable; otherwise document browser gap and Feature fallback in `coverage-manifest.md`.
- [ ] T038 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Provider Readiness / Onboarding Readiness if route and fixture are browser-stable; otherwise document browser gap and Feature fallback in `coverage-manifest.md`.
- No separate route was confirmed; coverage manifest documents Environment Dashboard browser coverage as the deterministic fallback.
- [ ] T039 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Inventory or Inventory Coverage if route and fixture are browser-stable; otherwise document browser gap and Feature fallback in `coverage-manifest.md`.
- Browser coverage intentionally excluded for runtime cost; Feature URL/scope guards cover the route contract.
- [ ] T040 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Environment Diagnostics if route and fixture are browser-stable; otherwise document browser gap and Feature fallback in `coverage-manifest.md`.
- Browser coverage intentionally excluded for runtime cost; Feature URL/scope guards cover the route contract.
## Phase 6: Workspace-Owned Analysis And Configuration Browser Guards
- [x] T041 Add `apps/platform/tests/Browser/Spec322WorkspaceOwnedAnalysisSmokeTest.php` covering Workspace-only shell cutover from Environment origin.
- [x] T042 [P] In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover Baseline Profiles clean URL, Workspace-only shell, no Environment chip, and reload.
- [ ] T043 [P] In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover Baseline Snapshots clean URL, Workspace-only shell, no Environment chip, and reload.
- Browser coverage intentionally excluded for runtime cost; Spec322 Feature/static guards cover the surface classification and URL contract.
- [x] T044 [P] In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover My Findings clean URL, Workspace-only shell, no Environment chip, and reload.
- [ ] T045 [P] In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover Findings Intake clean URL, Workspace-only shell, no Environment chip, and reload.
- Browser coverage intentionally excluded for runtime cost; Spec322 Feature/static guards cover the surface classification and URL contract.
- [ ] T046 [P] In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover Findings Hygiene clean URL, Workspace-only shell, no Environment chip, and reload.
- Browser coverage intentionally excluded for runtime cost; Spec322 Feature/static guards cover the surface classification and URL contract.
- [x] T047 [P] In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover Cross-environment Compare clean URL, Workspace-only shell, no Environment chip, and reload.
- [ ] T048 In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover Alert Rules, Alert Destinations, and Workspace Settings as Workspace-only configuration surfaces from Environment origin.
- Workspace Settings is covered here; Alert Rules and Alert Destinations are covered in `Spec322AlertsAuditNoDriftSmokeTest.php`.
## Phase 7: Alerts / Audit Log Browser Guards
- [x] T049 Add `apps/platform/tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php`.
- [ ] T050 In `Spec322AlertsAuditNoDriftSmokeTest.php`, cover Alerts Overview clean and filtered entry, visible chip, clear, reload, and links to Alert Deliveries/Audit Log.
- Spec322 browser covers clean and filtered entry; clear/link permutations remain covered by Spec321/Spec322 Feature guards.
- [x] T051 In `Spec322AlertsAuditNoDriftSmokeTest.php`, cover Alert Deliveries filtered entry, visible chip, clear, reload, and back/forward alignment.
- [ ] T052 In `Spec322AlertsAuditNoDriftSmokeTest.php`, cover Audit Log filtered entry, visible chip, clear, reload, and back/forward alignment.
- Spec322 browser covers filtered and clean/reload shell state; clear/back-forward remains covered by Spec321/Spec322 Feature guards because browser click timing was unstable on this page.
- [x] T053 In `Spec322AlertsAuditNoDriftSmokeTest.php`, cover Alert Rules and Alert Destinations reject stray `environment_id` chip/shell behavior in the browser.
- [x] T054 Ensure `Spec322AlertsAuditNoDriftSmokeTest.php` aligns with `apps/platform/tests/Feature/Navigation/Spec321AlertsAuditEnvironmentFilterContractTest.php` and does not change Spec 321 product decisions.
## Phase 8: Legacy Alias Browser Representative Guard
- [x] T055 Add representative browser coverage for legacy aliases in `apps/platform/tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php` or `apps/platform/tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php`.
- [x] T056 Keep exhaustive alias permutations in Feature tests rather than Browser tests.
- [x] T057 Assert representative generated links do not preserve `tenant`, `tenant_id`, `managed_environment_id`, `environment`, `tenant_scope`, or `tableFilters`.
## Phase 9: Manifest, Screenshots, And Documentation Artifacts
- [x] T058 Update `specs/322-browser-no-drift-regression-guard/coverage-manifest.md` with actual Browser and Feature coverage statuses after tests are implemented.
- [x] T059 Mark any browser blocker or intentionally excluded optional surface in `specs/322-browser-no-drift-regression-guard/coverage-manifest.md`.
- [x] T060 Save diagnostic screenshots under `specs/322-browser-no-drift-regression-guard/artifacts/screenshots/` only when useful for debugging or final review.
- No final-review screenshots were needed; transient failed-run screenshots remained in the standard Pest Browser screenshot directory only.
- [x] T061 Do not add implementation documentation outside `specs/322-browser-no-drift-regression-guard/` unless the user explicitly requests it.
## Phase 10: Validation
- [x] T062 Run targeted Feature/static guards from `specs/322-browser-no-drift-regression-guard/test-plan.md`.
- [x] T063 Run targeted Browser guards from `specs/322-browser-no-drift-regression-guard/test-plan.md`.
- [ ] T064 Run existing related regression filter command from `specs/322-browser-no-drift-regression-guard/test-plan.md`.
- The original combined command was attempted and then split for reviewability. The Unit/Feature slice completes with the Baseline Compare failures documented below. The Spec322 Browser slice completes green. The original combined command is not used as the merge gate because the mixed Feature/Browser run previously stalled behind a Playwright server after reporting Feature failures.
- [x] T065 Run `cd apps/platform && ./vendor/bin/sail pint --dirty`.
- [x] T066 Run `git diff --check` from the repository root.
- [x] T067 Record exact commands, results, browser gaps, screenshots, full-suite status, and unrelated residual failures in the final implementation report.
### Broader Regression Note
Scope check:
- Branch: `322-browser-no-drift-regression-guard`
- Diff scope: only Spec 322 spec artifacts, Spec 322 Feature tests, Spec 322 Browser tests, and `tests/Browser/Support/Spec322WorkspaceEnvironmentBrowserHarness.php`.
- No 319/320/321 artifacts are included in the current diff.
Targeted Spec 322 gates:
- `./vendor/bin/sail artisan test tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php tests/Feature/Navigation/Spec322EnvironmentCtaUrlContractTest.php --compact`
- Result: 8 passed, 400 assertions.
- `./vendor/bin/sail artisan test tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php tests/Browser/Spec322WorkspaceOwnedAnalysisSmokeTest.php tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php --compact`
- Result: 9 passed, 510 assertions.
Broader regression split:
- `./vendor/bin/sail artisan test tests/Unit tests/Feature --filter='WorkspaceHub|EnvironmentFilter|ClearFilter|LegacyTenant|BaselineCompare|WorkspaceOwnedAnalysis|AlertsAudit' --compact --stop-on-failure`
- Result: failed at the first Baseline Compare explanation failure before any Browser tests were involved.
- `./vendor/bin/sail artisan test tests/Unit tests/Feature --filter='WorkspaceHub|EnvironmentFilter|ClearFilter|LegacyTenant|BaselineCompare|WorkspaceOwnedAnalysis|AlertsAudit' --compact`
- Result: 5 failed, 237 passed, 1884 assertions.
Known remaining broader-regression failures:
- `Tests\Feature\Baselines\BaselineCompareExplanationFallbackTest`
- Test: `it shows an unavailable explanation before any baseline compare result exists`
- Individual rerun: fails.
- Failure: expected page output to contain `A current baseline compare result is not available yet.`
- `Tests\Feature\Filament\BaselineCompareExplanationSurfaceTest`
- Test: `it renders suppressed baseline-compare results as explanation-first guidance`
- Individual rerun: fails.
- Failure: expected page output to contain `The last compare finished, but normal result output was suppressed.`
- `Tests\Feature\Filament\BaselineCompareSummaryConsistencyTest`
- Test: `it keeps widget, landing, and banner equally cautious for the same limited-confidence result`
- Individual rerun: fails.
- Failure: expected page output to contain `Needs review`.
- `Tests\Feature\Filament\BaselineCompareSummaryConsistencyTest`
- Test: `it keeps widget, landing, and banner aligned when overdue workflow makes the state action-required`
- Individual rerun: fails.
- Failure: expected page output to contain `Action required`.
- `Tests\Feature\Filament\BaselineCompareSummaryConsistencyTest`
- Test: `it keeps widget, landing, and banner aligned while compare is still in progress`
- Individual rerun: fails.
- Failure: expected page output to contain `In progress`.
Spec322-caused broader-regression issue found and fixed:
- `Tests\Feature\Guards\LegacyTenantPlatformContextCleanupTest` initially failed because `Spec322LegacyQueryAliasGuardTest.php` contained the retired literal `ensure-filament-tenant-selected` inside its own search pattern list.
- Fixed by splitting the literal in the pattern construction while preserving the generated regex.
- Individual rerun result: `LegacyTenantPlatformContextCleanupTest` passes, 6 tests, 19 assertions.
Out-of-scope assessment:
- The remaining 5 failures are in untouched Baseline Compare test files and reproduce when run individually.
- They are not Browser-harness failures and not Spec322 targeted guard failures.
- They are not proven pre-existing against a clean `dev` checkout in this working tree, but they are independent of the Spec322 diff: Spec322 changed only tests/spec artifacts and no Baseline Compare product code.
- Treat these as a separate Baseline Compare test-suite hygiene/runtime investigation, not as a Spec322 no-drift regression.
## Phase 11: Non-Goals / Stop Conditions
- [x] NT001 Do not add migrations.
- [x] NT002 Do not change seeders unless `spec.md` and `plan.md` are updated first with fixture justification.
- [x] NT003 Do not add packages, env vars, queues, scheduler, storage, or deployment asset changes.
- [x] NT004 Do not introduce Playwright MCP dependency or a broad visual-regression framework.
- [x] NT005 Do not add backwards compatibility redirects, dual query contracts, or legacy query alias support.
- [x] NT006 Do not rewrite completed Specs 314 through 321 or remove their close-out and validation history.
- [x] NT007 Do not change Alerts/Audit Log decisions from Spec 321.
- [x] NT008 Stop and update `spec.md` and `plan.md` before any product behavior change broader than a narrow contract fix.
## Dependencies
1. Phase 1 must complete before Feature/static or Browser implementation.
2. Feature/static guards in Phase 2 can run in parallel by file.
3. Browser harness decision in Phase 3 should happen before Phases 4 through 8.
4. Browser surface phases can run in parallel if they write separate files.
5. Manifest updates in Phase 9 depend on actual implementation results.
6. Validation in Phase 10 depends on all in-scope test files being in place.
## MVP Scope
The minimum viable Spec 322 implementation is:
1. Feature/static guards for classification, clean URLs, CTA URLs, clear-state equivalence, cross-workspace rejection, legacy aliases, `/admin/t`, and provider Tenant allowlist.
2. Browser smoke for workspace hubs, Baseline Compare / Environment-owned route, workspace-owned analysis shell cutover, and Alerts/Audit Log.
3. Updated coverage manifest with any browser gaps.
## Parallel Work Examples
```text
Agent A: Feature/static guards in apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php
Agent B: Legacy alias and provider-boundary guards in apps/platform/tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php
Agent C: Workspace hub browser smoke in apps/platform/tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php
Agent D: Environment-owned browser smoke in apps/platform/tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php
```
Parallel workers must not edit the same test file at the same time.

139
specs/322-browser-no-drift-regression-guard/test-plan.md Normal file
View File

@ -0,0 +1,139 @@
# Spec 322 Test Plan
## Purpose
Prove the Workspace / Environment context contracts from Specs 314 through 321 remain durable across Feature/static guards and Pest Browser smoke tests.
Assertions are authoritative. Screenshots are diagnostic only.
## Test Families
### Feature / Static Guards
Suggested files:
```text
apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php
apps/platform/tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php
apps/platform/tests/Feature/Navigation/Spec322EnvironmentCtaUrlContractTest.php
```
Required assertions:
- Core surfaces classify as `workspace_hub`, `environment_owned_page`, `workspace_owned_analysis_surface`, or `workspace_configuration_surface`.
- Clean workspace hub URLs never emit `environment_id`, `tenant`, `tenant_id`, `managed_environment_id`, `environment`, `tenant_scope`, or `tableFilters`.
- Environment CTAs use canonical `environment_id` for filterable workspace hubs and Environment routes for Environment-owned pages.
- Clear-filter behavior matches clean workspace hub entry.
- Cross-workspace `environment_id` filters reject safely.
- Legacy Environment/Tenant query aliases do not create filter or shell state.
- `/admin/t` routes and `TenantPanelProvider` remain absent.
- Provider Tenant terms remain allowed only in provider-boundary allowlist contexts.
### Browser Contract Guards
Suggested files:
```text
apps/platform/tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php
apps/platform/tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php
apps/platform/tests/Browser/Spec322WorkspaceOwnedAnalysisSmokeTest.php
apps/platform/tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php
```
Required assertions:
- Workspace hub clean sidebar/global/direct entry from Environment origin remains clean and Workspace-only.
- Filterable workspace hubs opened with `environment_id` show visible Environment chip, keep Workspace-only shell, and reject legacy params.
- Clear filter removes query/chip/table/session state and remains clean after reload.
- Browser back/forward keeps URL, chip, shell, and data aligned.
- Environment-owned pages require Environment route and show Environment shell after reload/back.
- Baseline Compare rejects old clean workspace-only access.
- Workspace-owned analysis surfaces cut to Workspace-only shell from Environment origin.
- Workspace configuration surfaces remain Workspace-only and chip-free.
- Alerts/Audit Log Spec 321 decisions are protected in browser.
## Focused Commands
Run targeted Feature/static gates:
```bash
cd apps/platform
./vendor/bin/sail artisan test \
tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php \
tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php \
tests/Feature/Navigation/Spec322EnvironmentCtaUrlContractTest.php \
--compact
```
Run targeted Browser gates:
```bash
cd apps/platform
./vendor/bin/sail artisan test \
tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php \
tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php \
tests/Browser/Spec322WorkspaceOwnedAnalysisSmokeTest.php \
tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php \
--compact
```
Run existing related regression gates:
```bash
cd apps/platform
./vendor/bin/sail artisan test --filter='WorkspaceHub|EnvironmentFilter|ClearFilter|LegacyTenant|BaselineCompare|WorkspaceOwnedAnalysis|AlertsAudit' --compact
```
Run final formatting and diff checks:
```bash
cd apps/platform
./vendor/bin/sail pint --dirty
git diff --check
```
## Existing Anchors To Reuse
```text
apps/platform/tests/Browser/Spec314WorkspaceHubNavigationContextSmokeTest.php
apps/platform/tests/Browser/Spec316WorkspaceHubClearFilterSmokeTest.php
apps/platform/tests/Feature/Navigation/WorkspaceHubRegistryTest.php
apps/platform/tests/Feature/Navigation/WorkspaceHubEnvironmentFilterContractTest.php
apps/platform/tests/Feature/Navigation/WorkspaceHubClearFilterContractTest.php
apps/platform/tests/Feature/Navigation/Spec321AlertsAuditEnvironmentFilterContractTest.php
apps/platform/tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php
apps/platform/tests/Feature/Guards/LegacyTenantPlatformContextCleanupTest.php
apps/platform/tests/Feature/Filament/BaselineCompareEnvironmentRouteContractTest.php
```
Spec 322 should extend these anchors where that is narrower than adding duplicate tests.
## Browser Fixture Rules
- Use explicit workspace, Managed Environment, membership, and session setup.
- Seed only records required to prove data scope.
- Avoid global seed assumptions.
- Avoid sleeps.
- Prefer stable text, route, ARIA, or existing `data-testid` selectors.
- Avoid volatile counters unless fixture records make the count deterministic.
- Keep each browser file focused by surface model.
## Screenshot Policy
Screenshots may be saved under:
```text
specs/322-browser-no-drift-regression-guard/artifacts/screenshots/
```
Screenshot capture is diagnostic. A failed screenshot capture must not replace browser assertions. A browser blocker must be recorded in `coverage-manifest.md`.
## Full Suite Statement
Do not claim full-suite green unless the full suite was run.
If only targeted commands are run, the final report must say targeted gates passed and full suite was not run.