Spec 197: standardize shared detail family contracts (#237)

## Summary
- standardize the shared verification report family across operation detail, onboarding, and tenant verification widget hosts
- standardize normalized settings and normalized diff family wrappers across policy, policy version, and finding detail hosts
- add parity and guard coverage plus the full Spec 197 artifacts, including recorded manual smoke evidence

## Testing
- focused Sail regression pack from `specs/197-shared-detail-contract/quickstart.md`
- local integrated-browser manual smoke for SC-197-003 and SC-197-004

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #237

.codex/prompts/tenantpilot.audit.md

@@ -0,0 +1,76 @@
+---
+description: Scan the TenantPilot repository for architecture and safety violations against the workspace-first, RBAC-first, audit-first governance model.
+---
+
+You are a Senior Staff Engineer and Enterprise SaaS Architecture Auditor reviewing TenantPilot / TenantAtlas.
+
+This is not a generic code review. Audit the repository against the TenantPilot audit constitution at `docs/audits/tenantpilot-architecture-audit-constitution.md`.
+
+## Audit focus
+
+Prioritize:
+
+- workspace and tenant isolation
+- route model binding safety
+- Filament resources, pages, relation managers, widgets, and actions
+- Livewire public properties and serialized state risks
+- jobs, queue boundaries, and backend authorization rechecks
+- provider access boundaries
+- `OperationRun` consistency
+- findings, exceptions, review, drift, and baseline workflow integrity
+- audit trail completeness
+- wrong-tenant regression coverage
+- unauthorized action coverage
+- workflow misuse and invalid transition coverage
+
+## Output rules
+
+Classify every finding as exactly one of:
+
+- Constitutional Violation
+- Architectural Drift
+- Workflow Trust Gap
+- Test Blind Spot
+
+Assign one severity:
+
+- Severity 1: Critical
+- Severity 2: High
+- Severity 3: Medium
+- Severity 4: Low
+
+Anything directly touching isolation, RBAC, secrets, or auditability must not be rated Low.
+
+For each finding provide:
+
+1. Title
+2. Classification
+3. Severity
+4. Affected Area
+5. Evidence with specific files, classes, methods, routes, or test gaps
+6. Why this matters in TenantPilot
+7. Recommended structural correction
+8. Delivery recommendation: `hotfix`, `follow-up refactor`, or `dedicated spec required`
+
+## Constraints
+
+- Do not praise the codebase.
+- Do not focus on style unless it affects architecture or safety.
+- Do not suggest random patterns without proving fit.
+- Group multiple symptoms under one deeper diagnosis when appropriate.
+- Be explicit when a local fix is insufficient and a dedicated spec is required.
+
+## Repository context
+
+TenantPilot is an enterprise SaaS product for Intune and Microsoft 365 governance, backup, restore, inventory, drift detection, findings, exceptions, operations, and auditability.
+
+The strategic priorities are:
+
+- workspace-first context modeling
+- capability-first RBAC
+- strong auditability
+- deterministic workflow semantics
+- provider access through canonical boundaries
+- minimal duplication of domain logic across UI surfaces
+
+Return the audit as a concise but substantive findings report.

.codex/prompts/tenantpilot.spec-candidates.md

@@ -0,0 +1,104 @@
+---
+description: Turn TenantPilot architecture audit findings into bounded spec candidates without colliding with active spec numbering.
+---
+
+You are a Senior Staff Engineer and Enterprise SaaS Architect working on TenantPilot / TenantAtlas.
+
+Your task is to produce spec candidates, not implementation code.
+
+Before writing anything, read and use these repository files as binding context:
+
+- `docs/audits/tenantpilot-architecture-audit-constitution.md`
+- `docs/audits/2026-03-15-audit-spec-candidates.md`
+- `specs/110-ops-ux-enforcement/spec.md`
+- `specs/111-findings-workflow-sla/spec.md`
+- `specs/134-audit-log-foundation/spec.md`
+- `specs/138-managed-tenant-onboarding-draft-identity/spec.md`
+
+## Goal
+
+Turn the existing audit-derived problem clusters into exactly four proposed follow-up spec candidates.
+
+The four candidate themes are:
+
+1. queued execution reauthorization and scope continuity
+2. tenant-owned query canon and wrong-tenant guards
+3. findings workflow enforcement and audit backstop
+4. Livewire context locking and trusted-state reduction
+
+## Numbering rule
+
+- Do not invent or reserve fixed spec numbers unless the current repository state proves they are available.
+- If numbering is uncertain, use `Candidate A`, `Candidate B`, `Candidate C`, and `Candidate D`.
+- Only recommend a numbering strategy; do not force numbering in the output when collisions are possible.
+
+## Output requirements
+
+Create exactly four spec candidates, one per problem class.
+
+For each candidate provide:
+
+1. Candidate label or confirmed spec number
+2. Working title
+3. Status: `Proposed`
+4. Summary
+5. Why this is needed now
+6. Boundary to existing specs
+7. Problem statement
+8. Goals
+9. Non-goals
+10. Scope
+11. Target model
+12. Key requirements
+13. Risks if not implemented
+14. Dependencies and sequencing notes
+15. Delivery recommendation: `hotfix`, `dedicated spec`, or `phased spec`
+16. Suggested implementation priority: `Critical`, `High`, or `Medium`
+17. Suggested slug
+
+At the end provide:
+
+A. Recommended implementation order
+B. Which candidates can run in parallel
+C. Which candidate should start first and why
+D. A numbering strategy recommendation if active spec numbers are not yet known
+
+## Writing rules
+
+- Write in English.
+- Use formal enterprise spec language.
+- Be concrete and opinionated.
+- Focus on structural integrity, not patch-level fixes.
+- Treat the audit constitution as binding.
+- Explicitly say when UI-only authorization is insufficient.
+- Explicitly say when Livewire public state must be treated as untrusted input.
+- Explicitly say when negative-path regression tests are required.
+- Explicitly say when `OperationRun` or audit semantics must be extended or hardened.
+- Do not duplicate adjacent specs; state the boundary clearly.
+- Do not collapse all four themes into one umbrella spec.
+
+## Candidate-specific direction
+
+### Candidate A — queued execution reauthorization and scope continuity
+
+- Treat this as an execution trust problem, not a simple `authorize()` omission.
+- Cover dispatch-time actor and context capture, handle-time scope revalidation, capability reauthorization, execution denial semantics, and audit visibility.
+- Define what happens when authorization or tenant operability changes between dispatch and execution.
+
+### Candidate B — tenant-owned query canon and wrong-tenant guards
+
+- Treat this as canonical data-access hardening.
+- Cover tenant-owned and workspace-owned query rules, route model binding safety, canonical query paths, anti-pattern elimination, and required wrong-tenant regression tests.
+- Focus on ownership enforcement, not generic repository-pattern advice.
+
+### Candidate C — findings workflow enforcement and audit backstop
+
+- Treat this as a workflow-truth problem.
+- Cover formal lifecycle enforcement, invalid transition prevention, reopen and recurrence semantics, and audit backstop requirements.
+- Make clear how this extends but does not duplicate Spec 111.
+
+### Candidate D — Livewire context locking and trusted-state reduction
+
+- Treat this as a UI/server trust-boundary hardening problem.
+- Cover locked identifiers, untrusted public state, server-side reconstruction of workflow truth, sensitive-state reduction, and misuse regression tests.
+- Make clear how this complements but does not duplicate Spec 138.

.dockerignore

@@ -1,5 +1,12 @@
 node_modules/
+apps/platform/node_modules/
+apps/website/node_modules/
+apps/website/.astro/
+apps/website/dist/
+dist/
+build/
 vendor/
+apps/platform/vendor/
 coverage/
 .git/
 .DS_Store
@@ -16,12 +23,19 @@ Dockerfile*
 *.tmp
 *.swp
 public/build/
+apps/platform/public/build/
 public/hot/
+apps/platform/public/hot/
 public/storage/
+apps/platform/public/storage/
 storage/framework/
+apps/platform/storage/framework/
 storage/logs/
+apps/platform/storage/logs/
 storage/debugbar/
+apps/platform/storage/debugbar/
 storage/*.key
+apps/platform/storage/*.key
 /references/
 .idea/
 .vscode/

.github/agents/copilot-instructions.md

@@ -2,6 +2,14 @@ # TenantAtlas Development Guidelines
 
 Auto-generated from all feature plans. Last updated: 2025-12-22
 
+## Relocation override
+- The authoritative Laravel application root is `apps/platform`.
+- Human-facing commands should use `cd apps/platform && ...`.
+- Repo-root tooling may delegate via `./scripts/platform-sail` when it cannot set a nested working directory.
+- Repo-root JavaScript orchestration uses `corepack pnpm install`, `corepack pnpm dev:platform`, `corepack pnpm dev:website`, `corepack pnpm dev`, `corepack pnpm build:website`, and `corepack pnpm build:platform`.
+- `apps/website` is a standalone Astro app, not a second Laravel runtime, so Boost MCP remains platform-only.
+- If any generated technology note below conflicts with the current repo, trust `apps/platform/composer.json`, `apps/platform/package.json`, and the live Laravel application metadata over stale generated entries.
+
 ## Active Technologies
 - PHP 8.4.15 + Laravel 12, Filament v4, Livewire v3 (feat/005-bulk-operations)
 - PostgreSQL (app), SQLite in-memory (tests) (feat/005-bulk-operations)
@@ -39,27 +47,183 @@ ## Active Technologies
 - PostgreSQL (existing tables: `workspaces`, `workspace_memberships`, `users`, `audit_logs`) (107-workspace-chooser)
 - PHP 8.4 (Laravel 12) + Filament v5, Livewire v4, Laravel Framework v12 (109-review-pack-export)
 - PostgreSQL (jsonb columns for summary/options), local filesystem (`exports` disk) for ZIP artifacts (109-review-pack-export)
+- PHP 8.4 + Laravel 12, Filament v5, Livewire v4 (116-baseline-drift-engine)
+- PHP 8.4, Laravel 12, Filament v5, Livewire v4 + Laravel framework, Filament admin panels, Livewire, PostgreSQL JSONB persistence, Laravel Sail (120-secret-redaction-integrity)
+- PostgreSQL (`policy_versions`, `operation_runs`, `audit_logs`, related evidence tables) (120-secret-redaction-integrity)
+- PHP 8.4.15 / Laravel 12 + Filament v5 + Livewire v4.0+ + Tailwind CSS v4 (121-workspace-switch-fix)
+- PostgreSQL + session-backed workspace context; no schema changes (121-workspace-switch-fix)
+- PHP 8.4.15 / Laravel 12 + Filament v5, Livewire v4.0+, Tailwind CSS v4, Pest v4 (122-empty-state-consistency)
+- PostgreSQL + existing workspace/tenant session context; no schema changes (122-empty-state-consistency)
+- PHP 8.4 runtime target on Laravel 12 code conventions; Composer constraint `php:^8.2` + Laravel 12, Filament v5.2.1, Livewire v4, Pest v4, Laravel Sail (123-operations-auto-refresh)
+- PostgreSQL primary app database (123-operations-auto-refresh)
+- PHP 8.4.15 + Laravel 12, Filament 5, Livewire 4, Tailwind CSS 4, existing `CoverageCapabilitiesResolver`, `InventoryPolicyTypeMeta`, `BadgeCatalog`, and `TagBadgeCatalog` (124-inventory-coverage-table)
+- N/A for this feature; page remains read-only and uses registry/config-derived runtime data while PostgreSQL remains unchanged (124-inventory-coverage-table)
+- PHP 8.4.15 + Laravel 12, Filament 5, Livewire 4, Tailwind CSS 4, existing `BadgeCatalog` / `BadgeRenderer`, existing UI enforcement helpers, existing Filament resources, relation managers, widgets, and Livewire table components (125-table-ux-standardization)
+- PostgreSQL remains unchanged; this feature is presentation-layer and behavior-layer only (125-table-ux-standardization)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4.0+, Tailwind CSS v4, Pest v4, existing `BadgeCatalog` / `BadgeRenderer`, existing `TagBadgeCatalog` / `TagBadgeRenderer`, existing Filament resource tables (126-filter-ux-standardization)
+- PostgreSQL remains unchanged; session persistence uses Filament-native session keys and existing workspace/tenant contex (126-filter-ux-standardization)
+- PHP 8.4 (Laravel 12) + Filament v5, Livewire v4, Laravel Sail, Microsoft Graph provider stack (127-rbac-inventory-backup)
+- PostgreSQL for tenant-owned inventory, backup items, versions, verification outcomes, and operation runs (127-rbac-inventory-backup)
+- PostgreSQL via Laravel Sail (128-rbac-baseline-compare)
+- PostgreSQL via Laravel Sail plus session-backed workspace and tenant contex (129-workspace-admin-home)
+- PostgreSQL via Laravel Sail using existing `baseline_snapshots`, `baseline_snapshot_items`, and JSONB presentation source fields (130-structured-snapshot-rendering)
+- PostgreSQL via Laravel Sail, plus existing session-backed workspace and tenant contex (131-cross-resource-navigation)
+- PostgreSQL via Laravel Sail plus existing workspace and tenant context, existing Eloquent relations, and provider-derived identifiers already stored in domain records (132-guid-context-resolver)
+- PostgreSQL via Laravel Sail; no schema change expected (133-detail-page-template)
+- PostgreSQL via Laravel Sail; existing `audit_logs` table expanded in place; JSON context payload remains application-shaped rather than raw archival payloads (134-audit-log-foundation)
+- PHP 8.4 on Laravel 12 + Filament v5, Livewire v4, Pest v4, Laravel Sail (135-canonical-tenant-context-resolution)
+- PostgreSQL application database (135-canonical-tenant-context-resolution)
+- PostgreSQL application database and session-backed Filament table state (136-admin-canonical-tenant)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Laravel Sail, Pest v4, PHPUnit v12 (137-platform-provider-identity)
+- PostgreSQL via Laravel migrations and encrypted model casts (137-platform-provider-identity)
+- PHP 8.4 (Laravel 12) + Filament v5 (Livewire v4), Laravel Blade, existing onboarding/verification support classes (139-verify-access-permissions-assist)
+- PostgreSQL; existing JSON-backed onboarding draft state and `OperationRun.context.verification_report` (139-verify-access-permissions-assist)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, PostgreSQL, Laravel Sail, Pest v4, existing `OperationRunService`, `ProviderOperationStartGate`, onboarding services, workspace audit logging (140-onboarding-lifecycle-operation-checkpoints-concurrency-mvp)
+- PostgreSQL tables including `managed_tenant_onboarding_sessions`, `operation_runs`, `tenants`, and provider-connection-backed tenant records (140-onboarding-lifecycle-operation-checkpoints-concurrency-mvp)
+- PostgreSQL via Laravel Sail for existing source records and JSON payloads; no new persistence introduced (141-shared-diff-presentation-foundation)
+- PHP 8.4.15 / Laravel 12 + Filament v5, Livewire v4.0+, Tailwind CSS v4, shared `App\Support\Diff` foundation from Spec 141 (142-rbac-role-definition-diff-ux-upgrade)
+- PostgreSQL via Laravel Sail for existing `findings.evidence_jsonb`; no schema or persistence changes (142-rbac-role-definition-diff-ux-upgrade)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4 (143-tenant-lifecycle-operability-context-semantics)
+- PostgreSQL via Laravel Eloquent models and workspace/tenant scoped tables (143-tenant-lifecycle-operability-context-semantics)
+- PHP 8.4 (Laravel 12) + Filament v5, Livewire v4, Laravel Gates and Policies, `OperateHubShell`, `OperationRunLinks` (144-canonical-operation-viewer-context-decoupling)
+- PostgreSQL plus session-backed workspace and remembered tenant context (no schema changes) (144-canonical-operation-viewer-context-decoupling)
+- PHP 8.4.15 with Laravel 12, Filament v5, Livewire v4.0+ + Filament Actions/Tables/Infolists, Laravel Gates/Policies, `UiEnforcement`, `WorkspaceUiEnforcement`, `ActionSurfaceDeclaration`, `BadgeCatalog`, `TenantOperabilityService`, `OnboardingLifecycleService` (145-tenant-action-taxonomy-lifecycle-safe-visibility)
+- PostgreSQL for tenants, onboarding sessions, audit logs, operation runs, and workspace membership data (145-tenant-action-taxonomy-lifecycle-safe-visibility)
+- PostgreSQL (existing tenant and operation records only; no schema changes planned) (146-central-tenant-status-presentation)
+- PostgreSQL plus existing session-backed workspace and remembered-tenant context; no schema change planned (147-tenant-selector-remembered-context-enforcement)
+- PHP 8.4.15 + Laravel 12, Filament 5, Livewire 4, Pest 4, existing support-layer helpers such as `UiEnforcement`, `CapabilityResolver`, `WorkspaceContext`, `OperateHubShell`, `TenantOperabilityService`, and `TenantActionPolicySurface` (148-central-tenant-operability-policy)
+- PostgreSQL plus existing session-backed workspace and remembered-tenant context; no schema change planned for the first implementation slice (148-central-tenant-operability-policy)
+- PHP 8.4.15 + Laravel 12, Filament 5, Livewire 4, Pest 4, existing `OperationRunService`, `TrackOperationRun`, `ProviderOperationStartGate`, `TenantOperabilityService`, `CapabilityResolver`, and `WriteGateInterface` seams (149-queued-execution-reauthorization)
+- PostgreSQL-backed application data plus queue-serialized `OperationRun` context; no schema migration planned for the first implementation slice (149-queued-execution-reauthorization)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, PostgreSQL, Pest 4 (150-tenant-owned-query-canon-and-wrong-tenant-guards)
+- PostgreSQL with existing `findings` and `audit_logs` tables; no new storage engine or external log store (151-findings-workflow-backstop)
+- PostgreSQL with existing workspace-, tenant-, onboarding-, and audit-related tables; no new persistent storage planned for the first slice (152-livewire-context-locking)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `StoredReport`, `Finding`, `OperationRun`, and `AuditLog` infrastructure (153-evidence-domain-foundation)
+- PostgreSQL with JSONB-backed snapshot metadata; existing private storage remains a downstream-consumer concern, not a primary evidence-foundation store (153-evidence-domain-foundation)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing Finding, AuditLog, EvidenceSnapshot, CapabilityResolver, WorkspaceCapabilityResolver, and UiEnforcement patterns (001-finding-risk-acceptance)
+- PostgreSQL with new tenant-owned exception tables and JSONB-backed supporting metadata (001-finding-risk-acceptance)
+- PHP 8.4, Laravel 12, Livewire 4, Filament 5 + Filament resources/pages/actions, Eloquent models, queued Laravel jobs, existing `EvidenceSnapshotService`, existing `ReviewPackService`, capability registry, `OperationRunService` (155-tenant-review-layer)
+- PostgreSQL with JSONB-backed summary payloads and tenant/workspace ownership columns (155-tenant-review-layer)
+- PostgreSQL-backed existing domain records; no new business-domain table is required for the first slice; shared taxonomy reference will live in repository documentation and code-level metadata (156-operator-outcome-taxonomy)
+- PostgreSQL-backed existing records such as `operation_runs`, tenant governance records, onboarding workflow state, and provider connection state; no new business-domain table is required for the first slice (157-reason-code-translation)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `BadgeCatalog` / `BadgeRenderer` / `OperatorOutcomeTaxonomy`, `ReasonPresenter`, `OperationRunService`, `TenantReviewReadinessGate`, existing baseline/evidence/review/review-pack resources and canonical pages (158-artifact-truth-semantics)
+- PostgreSQL with existing JSONB-backed `summary`, `summary_jsonb`, and `context` payloads on baseline snapshots, evidence snapshots, tenant reviews, review packs, and operation runs; no new primary storage required for the first slice (158-artifact-truth-semantics)
+- PHP 8.4.15 + Laravel 12, Filament 5, Livewire 4, Pest 4, Laravel queue workers, existing `OperationRunService`, `TrackOperationRun`, `OperationUxPresenter`, `ReasonPresenter`, `BadgeCatalog` domain badges, and current Operations Monitoring pages (160-operation-lifecycle-guarantees)
+- PostgreSQL for `operation_runs`, `jobs`, and `failed_jobs`; JSONB-backed `context`, `summary_counts`, and `failure_summary`; configuration in `config/queue.php` and `config/tenantpilot.php` (160-operation-lifecycle-guarantees)
+- PostgreSQL (via Sail) plus existing read models persisted in application tables (161-operator-explanation-layer)
+- PHP 8.4 / Laravel 12, Blade, Alpine via Filament, Tailwind CSS v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `OperationRun` and baseline compare services (162-baseline-gap-details)
+- PostgreSQL with JSONB-backed `operation_runs.context`; no new tables required (162-baseline-gap-details)
+- PostgreSQL via existing application tables, especially `operation_runs.context` and baseline snapshot summary JSON (163-baseline-subject-resolution)
+- PHP 8.4, Laravel 12, Blade views, Alpine via Filament v5 / Livewire v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `OperationRunResource`, `TenantlessOperationRunViewer`, `EnterpriseDetailBuilder`, `ArtifactTruthPresenter`, `OperationUxPresenter`, and `SummaryCountsNormalizer` (164-run-detail-hardening)
+- PostgreSQL with existing `operation_runs` JSONB-backed `context`, `summary_counts`, and `failure_summary`; no schema change planned (164-run-detail-hardening)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `BaselineCompareStats`, `BaselineCompareExplanationRegistry`, `ReasonPresenter`, `BadgeCatalog` or `BadgeRenderer`, `UiEnforcement`, and `OperationRunLinks` (165-baseline-summary-trust)
+- PostgreSQL with existing baseline, findings, and `operation_runs` tables plus JSONB-backed compare context; no schema change planned (165-baseline-summary-trust)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `Finding`, `FindingException`, `FindingRiskGovernanceResolver`, `BadgeCatalog`, `BadgeRenderer`, `FilterOptionCatalog`, and tenant dashboard widgets (166-finding-governance-health)
+- PostgreSQL using existing `findings`, `finding_exceptions`, related decision tables, and existing DB-backed summary sources; no schema changes required (166-finding-governance-health)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `ArtifactTruthPresenter`, `OperationUxPresenter`, `RelatedNavigationResolver`, `AppServiceProvider`, `BadgeCatalog`, `BadgeRenderer`, and current Filament resource/page seams (167-derived-state-memoization)
+- PostgreSQL unchanged; feature adds no persistence and relies on request-local in-memory state only (167-derived-state-memoization)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `BaselineCompareStats`, `BaselineCompareSummaryAssessor`, `BaselineCompareLanding`, `BaselineCompareNow`, `NeedsAttention`, `BaselineCompareCoverageBanner`, and `RequestScopedDerivedStateStore` from Spec 167 (168-tenant-governance-aggregate-contract)
+- PostgreSQL unchanged; no new persistence, cache store, or durable summary artifac (168-tenant-governance-aggregate-contract)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `ActionSurfaceDeclaration`, `ActionSurfaceValidator`, `ActionSurfaceDiscovery`, `ActionSurfaceExemptions`, and Filament Tables / Actions APIs (169-action-surface-v11)
+- PostgreSQL unchanged; no new persistence, cache store, queue payload, or durable artifac (169-action-surface-v11)
+- PHP 8.4, Laravel 12, Livewire v4, Filament v5 + `laravel/framework`, `filament/filament`, `livewire/livewire`, `pestphp/pest` (170-system-operations-surface-alignment)
+- PostgreSQL with existing `operation_runs` and `audit_logs` tables; no schema changes (170-system-operations-surface-alignment)
+- PHP 8.4, Laravel 12, Livewire v4, Filament v5, Tailwind CSS v4 + `laravel/framework`, `filament/filament`, `livewire/livewire`, `pestphp/pest` (171-operations-naming-consolidation)
+- PostgreSQL with existing `operation_runs`, notification payloads, workspace records, and tenant records; no schema changes (171-operations-naming-consolidation)
+- PostgreSQL with existing `operation_runs`, `managed_tenant_onboarding_sessions`, tenant records, and workspace records; no schema changes (172-deferred-operator-surfaces-retrofit)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `TenantDashboard`, `DashboardKpis`, `NeedsAttention`, `BaselineCompareNow`, `RecentDriftFindings`, `RecentOperations`, `TenantGovernanceAggregateResolver`, `BaselineCompareStats`, `BaselineCompareSummaryAssessor`, `FindingResource`, `OperationRunLinks`, and canonical admin Operations page (173-tenant-dashboard-truth-alignment)
+- PostgreSQL unchanged; no new persistence, cache store, or durable dashboard summary artifac (173-tenant-dashboard-truth-alignment)
+- PHP 8.4, Laravel 12, Filament v5, Livewire v4, Blade + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `ArtifactTruthPresenter`, `ArtifactTruthEnvelope`, `TenantReviewReadinessGate`, `EvidenceSnapshotService`, `TenantReviewRegisterService`, and current evidence/review/review-pack resources and pages (174-evidence-freshness-publication-trust)
+- PostgreSQL with existing `evidence_snapshots`, `evidence_snapshot_items`, `tenant_reviews`, and `review_packs` tables using current summary JSON and timestamps; no schema change planned (174-evidence-freshness-publication-trust)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `WorkspaceOverviewBuilder`, `TenantGovernanceAggregateResolver`, `BaselineCompareStats`, `BaselineCompareSummaryAssessor`, `WorkspaceSummaryStats`, `WorkspaceNeedsAttention`, `WorkspaceRecentOperations`, `FindingResource`, `BaselineCompareLanding`, `EvidenceSnapshotResource`, `TenantReviewResource`, and canonical admin Operations routes (175-workspace-governance-attention)
+- PostgreSQL unchanged; no new persistence, cache table, or materialized aggregate is introduced (175-workspace-governance-attention)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `TenantResource`, `ProviderConnectionResource`, `TenantVerificationReport`, `BadgeCatalog`, `BadgeRenderer`, `TenantOperabilityService`, `ProviderConsentStatus`, `ProviderVerificationStatus`, and shared provider-state Blade partials (179-provider-truth-cleanup)
+- PostgreSQL unchanged; no new table, column, or persisted artifact is introduced (179-provider-truth-cleanup)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `InventoryItem`, `OperationRun`, `InventoryCoverage`, `InventoryPolicyTypeMeta`, `CoverageCapabilitiesResolver`, `InventoryKpiHeader`, `InventoryCoverage` page, and `OperationRunResource` enterprise-detail stack (177-inventory-coverage-truth)
+- PostgreSQL; existing `inventory_items` rows and `operation_runs.context` / `operation_runs.summary_counts` JSONB are reused with no schema change (177-inventory-coverage-truth)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `OperationRun`, `OperationLifecyclePolicy`, `OperationRunFreshnessState`, `OperationUxPresenter`, `OperationRunLinks`, `ActiveRuns`, `StuckRunClassifier`, `WorkspaceOverviewBuilder`, dashboard widgets, workspace widgets, and system ops pages (178-ops-truth-alignment)
+- PostgreSQL unchanged; existing `operation_runs` JSONB-backed `context`, `summary_counts`, and `failure_summary`; no schema change (178-ops-truth-alignment)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `RestoreRunResource`, `RestoreService`, `RestoreRiskChecker`, `RestoreDiffGenerator`, `OperationRunResource`, `TenantlessOperationRunViewer`, shared badge infrastructure, and existing RBAC or write-gate helpers (181-restore-safety-integrity)
+- PostgreSQL with existing `restore_runs` and `operation_runs` records plus JSON or array-backed `metadata`, `preview`, `results`, and `context`; no schema change planned (181-restore-safety-integrity)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `BackupSetResource`, `BackupItemsRelationManager`, `PolicyVersionResource`, `RestoreRunResource`, `CreateRestoreRun`, `AssignmentBackupService`, `VersionService`, `PolicySnapshotService`, `RestoreRiskChecker`, `BadgeRenderer`, `PolicySnapshotModeBadge`, `EnterpriseDetailBuilder`, and existing RBAC helpers (176-backup-quality-truth)
+- PostgreSQL with existing tenant-owned `backup_sets`, `backup_items`, `policy_versions`, and restore wizard input state; JSON-backed `metadata`, `snapshot`, `assignments`, and `scope_tags`; no schema change planned (176-backup-quality-truth)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `DashboardKpis`, `NeedsAttention`, `BackupSetResource`, `BackupScheduleResource`, `BackupQualityResolver`, `BackupQualitySummary`, `ScheduleTimeService`, shared badge infrastructure, and existing RBAC helpers (180-tenant-backup-health)
+- PostgreSQL with existing tenant-owned `backup_sets`, `backup_items`, and `backup_schedules` records plus existing JSON-backed backup metadata; no schema change planned (180-tenant-backup-health)
+- PHP 8.4.15, Laravel 12, Blade, Livewire v4, Filament v5.2.x, Tailwind CSS v4, Vite 7 + `laravel/framework`, `filament/filament`, `livewire/livewire`, `laravel/sail`, `laravel-vite-plugin`, `tailwindcss`, `vite`, `pestphp/pest`, `drizzle-kit`, PostgreSQL, Redis, Docker Compose (182-platform-relocation)
+- PostgreSQL, Redis, filesystem storage under the Laravel app `storage/` tree, plus existing Vite build artifacts in `public/build`; no new database persistence planned (182-platform-relocation)
+- PHP 8.4.15 and Laravel 12 for `apps/platform`; Node.js 20+ with pnpm 10 workspace tooling; Astro v6 for `apps/website`; Bash and Docker Compose for root orchestration + `laravel/framework`, `filament/filament`, `livewire/livewire`, `laravel/sail`, `vite`, `tailwindcss`, `pnpm` workspaces, Astro, existing `./scripts/platform-sail` wrapper, repo-root Docker Compose (183-website-workspace-foundation)
+- Existing PostgreSQL, Redis, and filesystem storage for `apps/platform`; static build artifacts for `apps/website`; repository-managed workspace manifests and docs; no new database persistence (183-website-workspace-foundation)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5 widgets and resources, Livewire v4, Pest v4, existing `TenantDashboard`, `DashboardKpis`, `NeedsAttention`, `TenantBackupHealthResolver`, `TenantBackupHealthAssessment`, `RestoreRunResource`, `RestoreSafetyResolver`, `RestoreResultAttention`, `OperationRunLinks`, and existing RBAC helpers (184-dashboard-recovery-honesty)
+- PostgreSQL with existing tenant-owned `backup_sets`, `restore_runs`, and linked `operation_runs`; no schema change planned (184-dashboard-recovery-honesty)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `WorkspaceOverviewBuilder`, `WorkspaceSummaryStats`, `WorkspaceNeedsAttention`, `TenantBackupHealthResolver`, `TenantBackupHealthAssessment`, `RestoreSafetyResolver`, tenant dashboard widgets, `WorkspaceCapabilityResolver`, `CapabilityResolver`, and the current workspace overview Blade surfaces (185-workspace-recovery-posture-visibility)
+- PostgreSQL unchanged; no schema change, new cache table, or persisted workspace recovery artifact is planned (185-workspace-recovery-posture-visibility)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5 resources and table filters, Livewire v4 `ListRecords`, Pest v4, Laravel Sail, existing `TenantResource`, `ListTenants`, `WorkspaceOverviewBuilder`, `TenantBackupHealthResolver`, `TenantBackupHealthAssessment`, `RestoreSafetyResolver`, `RecoveryReadiness`, and shared badge infrastructure (186-tenant-registry-recovery-triage)
+- PostgreSQL with existing tenant-owned `tenants`, `backup_sets`, `backup_items`, `restore_runs`, `policies`, and membership records; no schema change planned (186-tenant-registry-recovery-triage)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `WorkspaceOverviewBuilder`, `TenantResource`, `TenantDashboard`, `CanonicalAdminTenantFilterState`, `TenantBackupHealthAssessment`, `RestoreSafetyResolver`, and continuity-aware backup or restore list pages (187-portfolio-triage-arrival-context)
+- PostgreSQL unchanged; no new tables, caches, or durable workflow artifacts (187-portfolio-triage-arrival-context)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `ProviderConnection` model, `ProviderConnectionResolver`, `ProviderConnectionStateProjector`, `ProviderConnectionMutationService`, `ProviderConnectionHealthCheckJob`, `StartVerification`, `ProviderConnectionResource`, `TenantResource`, system directory pages, `BadgeCatalog`, `BadgeRenderer`, and shared provider-state Blade entries (188-provider-connection-state-cleanup)
+- PostgreSQL with one narrow schema addition (`is_enabled`) followed by final removal of legacy `status` and `health_status` columns and their indexes (188-provider-connection-state-cleanup)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `WorkspaceOverviewBuilder`, `TenantResource`, `TenantDashboard`, `PortfolioArrivalContext`, `TenantBackupHealthResolver`, `RestoreSafetyResolver`, `BadgeCatalog`, `UiEnforcement`, and `AuditRecorder` patterns (189-portfolio-triage-review-state)
+- PostgreSQL via Laravel Eloquent with one new table `tenant_triage_reviews` and no new external caches or background stores (189-portfolio-triage-review-state)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `BaselineCompareService`, `BaselineSnapshotTruthResolver`, `BaselineCompareStats`, `RelatedNavigationResolver`, `CanonicalNavigationContext`, `BadgeCatalog`, and `UiEnforcement` patterns (190-baseline-compare-matrix)
+- PostgreSQL via existing `baseline_profiles`, `baseline_snapshots`, `baseline_snapshot_items`, `baseline_tenant_assignments`, `operation_runs`, and `findings` tables; no new persistence planned (190-baseline-compare-matrix)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `BaselineCompareMatrixBuilder`, `BadgeCatalog`, `CanonicalNavigationContext`, and `UiEnforcement` patterns (191-baseline-compare-operator-mode)
+- PostgreSQL via existing baseline, assignment, compare-run, and finding tables; no new persistence planned (191-baseline-compare-operator-mode)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `UiEnforcement`, `RelatedNavigationResolver`, `ActionSurfaceValidator`, and page-local Filament action builders (192-record-header-discipline)
+- PostgreSQL through existing workspace-owned and tenant-owned resource models; no schema change planned (192-record-header-discipline)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `OperateHubShell`, `CanonicalNavigationContext`, `CanonicalAdminTenantFilterState`, `UiEnforcement`, `ActionSurfaceValidator`, and Filament page or resource action builders (193-monitoring-action-hierarchy)
+- PostgreSQL through existing workspace-owned and tenant-owned models; no schema change planned (193-monitoring-action-hierarchy)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `UiEnforcement`, existing audit loggers (`AuditLogger`, `WorkspaceAuditLogger`, `SystemConsoleAuditLogger`), existing mutation services (`FindingExceptionService`, `FindingWorkflowService`, `TenantReviewLifecycleService`, `EvidenceSnapshotService`, `OperationRunTriageService`) (194-governance-friction-hardening)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `ActionSurfaceDiscovery`, `ActionSurfaceValidator`, `ActionSurfaceExemptions`, `GovernanceActionCatalog`, `UiEnforcement`, `WorkspaceContext`, and existing system/onboarding/auth helpers (195-action-surface-closure)
+- PostgreSQL through existing workspace-owned, tenant-owned, and system-visible models; no schema change planned (195-action-surface-closure)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `DependencyQueryService`, `DependencyTargetResolver`, `TenantRequiredPermissionsViewModelBuilder`, `ArtifactTruthPresenter`, `WorkspaceContext`, Filament `InteractsWithTable`, Filament `TableComponent`, and existing badge and action-surface helpers (196-hard-filament-nativity-cleanup)
+- PostgreSQL through existing tenant-owned and workspace-context models (`InventoryItem`, `InventoryLink`, `TenantPermission`, `EvidenceSnapshot`, `TenantReview`); no schema change planned (196-hard-filament-nativity-cleanup)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, Laravel Sail, existing `BaselineScope`, `InventoryPolicyTypeMeta`, `BaselineSupportCapabilityGuard`, `BaselineCaptureService`, and `BaselineCompareService` (202-governance-subject-taxonomy)
+- PostgreSQL via existing `baseline_profiles.scope_jsonb`, `baseline_tenant_assignments.override_scope_jsonb`, and `operation_runs.context`; no new tables planned (202-governance-subject-taxonomy)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `BaselineCompareService`, `CompareBaselineToTenantJob`, `SubjectResolver`, `CurrentStateHashResolver`, `DriftHasher`, `BaselineCompareSummaryAssessor`, and finding lifecycle services (203-baseline-compare-strategy)
+- PostgreSQL via existing baseline snapshots, baseline snapshot items, `operation_runs`, findings, and baseline scope JSON; no new top-level tables planned (203-baseline-compare-strategy)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `GovernanceSubjectTaxonomyRegistry`, `BaselineScope`, `CompareStrategyRegistry`, `OperationCatalog`, `OperationRunType`, `ReasonTranslator`, `ReasonResolutionEnvelope`, `ProviderReasonTranslator`, and current Filament monitoring or review surfaces (204-platform-core-vocabulary-hardening)
+- PostgreSQL via existing `operation_runs.type`, `operation_runs.context`, `baseline_profiles.scope_jsonb`, `baseline_snapshot_items`, findings, evidence payloads, and current config-backed registries; no new top-level tables planned (204-platform-core-vocabulary-hardening)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `BaselineCompareService`, `CompareBaselineToTenantJob`, `CompareStrategyRegistry`, `IntuneCompareStrategy`, `CurrentStateHashResolver`, and current finding lifecycle services (205-compare-job-cleanup)
+- PostgreSQL via existing baseline snapshots, baseline snapshot items, inventory items, `operation_runs`, findings, and current run-context JSON; no new storage planned (205-compare-job-cleanup)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `VerificationReportViewer`, `VerificationReportChangeIndicator`, `PolicyNormalizer`, `VersionDiff`, `DriftFindingDiffBuilder`, and `SettingsCatalogSettingsTable` (197-shared-detail-contract)
+- PostgreSQL unchanged; no new persistence, cache store, or durable UI artifact (197-shared-detail-contract)
 
 - PHP 8.4.15 (feat/005-bulk-operations)
 
 ## Project Structure
 
 ```text
-src/
-tests/
+apps/
+  platform/
+  website/
+docs/
+specs/
+scripts/
 ```
 
 ## Commands
 
-# Add commands for PHP 8.4.15
+- Root workspace:
+  - `corepack pnpm install`
+  - `corepack pnpm dev:platform`
+  - `corepack pnpm dev:website`
+  - `corepack pnpm dev`
+  - `corepack pnpm build:website`
+  - `corepack pnpm build:platform`
+- Platform app:
+  - `cd apps/platform && ./vendor/bin/sail up -d`
+  - `cd apps/platform && ./vendor/bin/sail pnpm dev`
+  - `cd apps/platform && ./vendor/bin/sail pnpm build`
+  - `cd apps/platform && ./vendor/bin/sail artisan test --compact`
 
 ## Code Style
 
 PHP 8.4.15: Follow standard conventions
 
 ## Recent Changes
-- 110-ops-ux-enforcement: Added PHP 8.4.x + Laravel 12, Filament v5, Livewire v4
-- 109-review-pack-export: Added PHP 8.4 (Laravel 12) + Filament v5, Livewire v4, Laravel Framework v12
-- 109-review-pack-export: Added [if applicable, e.g., PostgreSQL, CoreData, files or N/A]
+- 197-shared-detail-contract: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `VerificationReportViewer`, `VerificationReportChangeIndicator`, `PolicyNormalizer`, `VersionDiff`, `DriftFindingDiffBuilder`, and `SettingsCatalogSettingsTable`
+- 205-compare-job-cleanup: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `BaselineCompareService`, `CompareBaselineToTenantJob`, `CompareStrategyRegistry`, `IntuneCompareStrategy`, `CurrentStateHashResolver`, and current finding lifecycle services
+- 204-platform-core-vocabulary-hardening: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `GovernanceSubjectTaxonomyRegistry`, `BaselineScope`, `CompareStrategyRegistry`, `OperationCatalog`, `OperationRunType`, `ReasonTranslator`, `ReasonResolutionEnvelope`, `ProviderReasonTranslator`, and current Filament monitoring or review surfaces
 <!-- MANUAL ADDITIONS START -->
 <!-- MANUAL ADDITIONS END -->

.github/copilot-instructions.md

@@ -40,7 +40,7 @@ ## 3) Panel setup defaults
 - Assets policy:
   - Panel-only assets: register via panel config.
   - Shared/plugin assets: register via `FilamentAsset::register()`.
-  - Deployment must include `php artisan filament:assets`.
+  - Deployment must include `cd apps/platform && php artisan filament:assets`.
 
 Sources:
 - https://filamentphp.com/docs/5.x/panel-configuration
@@ -254,7 +254,7 @@ ## Testing
   - Source: https://filamentphp.com/docs/5.x/testing/testing-actions — “Testing actions”
 
 ## Deployment / Ops
-- [ ] `php artisan filament:assets` is included in the deployment process when using registered assets.
+- [ ] `cd apps/platform && php artisan filament:assets` is included in the deployment process when using registered assets.
   - Source: https://filamentphp.com/docs/5.x/advanced/assets — “The FilamentAsset facade”
 
 === foundation rules ===
@@ -291,8 +291,12 @@ ## Application Structure & Architecture
 - Stick to existing directory structure; don't create new base folders without approval.
 - Do not change the application's dependencies without approval.
 
+## Workspace Commands
+- Repo-root JavaScript orchestration now uses `corepack pnpm install`, `corepack pnpm dev:platform`, `corepack pnpm dev:website`, `corepack pnpm dev`, `corepack pnpm build:website`, and `corepack pnpm build:platform`.
+- `apps/website` is a standalone Astro app, not a second Laravel runtime, so Boost MCP remains platform-only.
+
 ## Frontend Bundling
-- If the user doesn't see a frontend change reflected in the UI, it could mean they need to run `vendor/bin/sail npm run build`, `vendor/bin/sail npm run dev`, or `vendor/bin/sail composer run dev`. Ask them.
+- If the user doesn't see a platform frontend change reflected in the UI, it could mean they need to run `cd apps/platform && ./vendor/bin/sail pnpm build`, `cd apps/platform && ./vendor/bin/sail pnpm dev`, or `cd apps/platform && ./vendor/bin/sail composer run dev`. Ask them.
 
 ## Replies
 - Be concise in your explanations - focus on what's important rather than explaining obvious details.
@@ -372,28 +376,29 @@ ## Enums
 ## Laravel Sail
 
 - This project runs inside Laravel Sail's Docker containers. You MUST execute all commands through Sail.
-- Start services using `vendor/bin/sail up -d` and stop them with `vendor/bin/sail stop`.
-- Open the application in the browser by running `vendor/bin/sail open`.
-- Always prefix PHP, Artisan, Composer, and Node commands with `vendor/bin/sail`. Examples:
-    - Run Artisan Commands: `vendor/bin/sail artisan migrate`
-    - Install Composer packages: `vendor/bin/sail composer install`
-    - Execute Node commands: `vendor/bin/sail npm run dev`
-    - Execute PHP scripts: `vendor/bin/sail php [script]`
-- View all available Sail commands by running `vendor/bin/sail` without arguments.
+- The canonical application working directory is `apps/platform`. Repo-root launchers such as MCP or VS Code tasks may use `./scripts/platform-sail`, but that helper is compatibility-only.
+- Start services using `cd apps/platform && ./vendor/bin/sail up -d` and stop them with `cd apps/platform && ./vendor/bin/sail stop`.
+- Open the application in the browser by running `cd apps/platform && ./vendor/bin/sail open`.
+- Always prefix PHP, Artisan, Composer, and Node commands with `cd apps/platform && ./vendor/bin/sail`. Examples:
+    - Run Artisan Commands: `cd apps/platform && ./vendor/bin/sail artisan migrate`
+    - Install Composer packages: `cd apps/platform && ./vendor/bin/sail composer install`
+    - Execute Node commands: `cd apps/platform && ./vendor/bin/sail pnpm dev`
+    - Execute PHP scripts: `cd apps/platform && ./vendor/bin/sail php [script]`
+- View all available Sail commands by running `cd apps/platform && ./vendor/bin/sail` without arguments.
 
 === tests rules ===
 
 ## Test Enforcement
 
 - Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
-- Run the minimum number of tests needed to ensure code quality and speed. Use `vendor/bin/sail artisan test --compact` with a specific filename or filter.
+- Run the minimum number of tests needed to ensure code quality and speed. Use `cd apps/platform && ./vendor/bin/sail artisan test --compact` with a specific filename or filter.
 
 === laravel/core rules ===
 
 ## Do Things the Laravel Way
 
-- Use `vendor/bin/sail artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
-- If you're creating a generic PHP class, use `vendor/bin/sail artisan make:class`.
+- Use `cd apps/platform && ./vendor/bin/sail artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
+- If you're creating a generic PHP class, use `cd apps/platform && ./vendor/bin/sail artisan make:class`.
 - Pass `--no-interaction` to all Artisan commands to ensure they work without user input. You should also pass the correct `--options` to ensure correct behavior.
 
 ### Database
@@ -404,7 +409,7 @@ ### Database
 - Use Laravel's query builder for very complex database operations.
 
 ### Model Creation
-- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `vendor/bin/sail artisan make:model`.
+- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `cd apps/platform && ./vendor/bin/sail artisan make:model`.
 
 ### APIs & Eloquent Resources
 - For APIs, default to using Eloquent API Resources and API versioning unless existing API routes do not, then you should follow existing application convention.
@@ -428,10 +433,10 @@ ### Configuration
 ### Testing
 - When creating models for tests, use the factories for the models. Check if the factory has custom states that can be used before manually setting up the model.
 - Faker: Use methods such as `$this->faker->word()` or `fake()->randomDigit()`. Follow existing conventions whether to use `$this->faker` or `fake()`.
-- When creating tests, make use of `vendor/bin/sail artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
+- When creating tests, make use of `cd apps/platform && ./vendor/bin/sail artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
 
 ### Vite Error
-- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `vendor/bin/sail npm run build` or ask the user to run `vendor/bin/sail npm run dev` or `vendor/bin/sail composer run dev`.
+- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `cd apps/platform && ./vendor/bin/sail pnpm build` or ask the user to run `cd apps/platform && ./vendor/bin/sail pnpm dev` or `cd apps/platform && ./vendor/bin/sail composer run dev`.
 
 === laravel/v12 rules ===
 
@@ -460,7 +465,7 @@ ### Models
 ## Livewire
 
 - Use the `search-docs` tool to find exact version-specific documentation for how to write Livewire and Livewire tests.
-- Use the `vendor/bin/sail artisan make:livewire [Posts\CreatePost]` Artisan command to create new components.
+- Use the `cd apps/platform && ./vendor/bin/sail artisan make:livewire [Posts\CreatePost]` Artisan command to create new components.
 - State should live on the server, with the UI reflecting it.
 - All Livewire requests hit the Laravel backend; they're like regular HTTP requests. Always validate form data and run authorization checks in Livewire actions.
 
@@ -504,8 +509,8 @@ ## Testing Livewire
 
 ## Laravel Pint Code Formatter
 
-- You must run `vendor/bin/sail bin pint --dirty` before finalizing changes to ensure your code matches the project's expected style.
-- Do not run `vendor/bin/sail bin pint --test`, simply run `vendor/bin/sail bin pint` to fix any formatting issues.
+- You must run `cd apps/platform && ./vendor/bin/sail bin pint --dirty` before finalizing changes to ensure your code matches the project's expected style.
+- Do not run `cd apps/platform && ./vendor/bin/sail bin pint --test`, simply run `cd apps/platform && ./vendor/bin/sail bin pint` to fix any formatting issues.
 
 === pest/core rules ===
 
@@ -514,7 +519,7 @@ ### Testing
 - If you need to verify a feature is working, write or update a Unit / Feature test.
 
 ### Pest Tests
-- All tests must be written using Pest. Use `vendor/bin/sail artisan make:test --pest {name}`.
+- All tests must be written using Pest. Use `cd apps/platform && ./vendor/bin/sail artisan make:test --pest {name}`.
 - You must not remove any tests or test files from the tests directory without approval. These are not temporary or helper files - these are core to the application.
 - Tests should test all of the happy paths, failure paths, and weird paths.
 - Tests live in the `tests/Feature` and `tests/Unit` directories.
@@ -527,9 +532,9 @@ ### Pest Tests
 
 ### Running Tests
 - Run the minimal number of tests using an appropriate filter before finalizing code edits.
-- To run all tests: `vendor/bin/sail artisan test --compact`.
-- To run all tests in a file: `vendor/bin/sail artisan test --compact tests/Feature/ExampleTest.php`.
-- To filter on a particular test name: `vendor/bin/sail artisan test --compact --filter=testName` (recommended after making a change to a related file).
+- To run all tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact`.
+- To run all tests in a file: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ExampleTest.php`.
+- To filter on a particular test name: `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=testName` (recommended after making a change to a related file).
 - When the tests relating to your changes are passing, ask the user if they would like to run the entire test suite to ensure everything is still passing.
 
 ### Pest Assertions

.github/prompts/tenantpilot.audit.prompt.md

@@ -0,0 +1,76 @@
+---
+description: Scan the TenantPilot repository for architecture and safety violations against the workspace-first, RBAC-first, audit-first governance model.
+---
+
+You are a Senior Staff Engineer and Enterprise SaaS Architecture Auditor reviewing TenantPilot / TenantAtlas.
+
+This is not a generic code review. Audit the repository against the TenantPilot audit constitution at `docs/audits/tenantpilot-architecture-audit-constitution.md`.
+
+## Audit focus
+
+Prioritize:
+
+- workspace and tenant isolation
+- route model binding safety
+- Filament resources, pages, relation managers, widgets, and actions
+- Livewire public properties and serialized state risks
+- jobs, queue boundaries, and backend authorization rechecks
+- provider access boundaries
+- `OperationRun` consistency
+- findings, exceptions, review, drift, and baseline workflow integrity
+- audit trail completeness
+- wrong-tenant regression coverage
+- unauthorized action coverage
+- workflow misuse and invalid transition coverage
+
+## Output rules
+
+Classify every finding as exactly one of:
+
+- Constitutional Violation
+- Architectural Drift
+- Workflow Trust Gap
+- Test Blind Spot
+
+Assign one severity:
+
+- Severity 1: Critical
+- Severity 2: High
+- Severity 3: Medium
+- Severity 4: Low
+
+Anything directly touching isolation, RBAC, secrets, or auditability must not be rated Low.
+
+For each finding provide:
+
+1. Title
+2. Classification
+3. Severity
+4. Affected Area
+5. Evidence with specific files, classes, methods, routes, or test gaps
+6. Why this matters in TenantPilot
+7. Recommended structural correction
+8. Delivery recommendation: `hotfix`, `follow-up refactor`, or `dedicated spec required`
+
+## Constraints
+
+- Do not praise the codebase.
+- Do not focus on style unless it affects architecture or safety.
+- Do not suggest random patterns without proving fit.
+- Group multiple symptoms under one deeper diagnosis when appropriate.
+- Be explicit when a local fix is insufficient and a dedicated spec is required.
+
+## Repository context
+
+TenantPilot is an enterprise SaaS product for Intune and Microsoft 365 governance, backup, restore, inventory, drift detection, findings, exceptions, operations, and auditability.
+
+The strategic priorities are:
+
+- workspace-first context modeling
+- capability-first RBAC
+- strong auditability
+- deterministic workflow semantics
+- provider access through canonical boundaries
+- minimal duplication of domain logic across UI surfaces
+
+Return the audit as a concise but substantive findings report.

.github/prompts/tenantpilot.spec-candidates.prompt.md

@@ -0,0 +1,105 @@
+---
+description: Turn TenantPilot architecture audit findings into bounded spec candidates without colliding with active spec numbering.
+agent: speckit.specify
+---
+
+You are a Senior Staff Engineer and Enterprise SaaS Architect working on TenantPilot / TenantAtlas.
+
+Your task is to produce spec candidates, not implementation code.
+
+Before writing anything, read and use these repository files as binding context:
+
+- `docs/audits/tenantpilot-architecture-audit-constitution.md`
+- `docs/audits/2026-03-15-audit-spec-candidates.md`
+- `specs/110-ops-ux-enforcement/spec.md`
+- `specs/111-findings-workflow-sla/spec.md`
+- `specs/134-audit-log-foundation/spec.md`
+- `specs/138-managed-tenant-onboarding-draft-identity/spec.md`
+
+## Goal
+
+Turn the existing audit-derived problem clusters into exactly four proposed follow-up spec candidates.
+
+The four candidate themes are:
+
+1. queued execution reauthorization and scope continuity
+2. tenant-owned query canon and wrong-tenant guards
+3. findings workflow enforcement and audit backstop
+4. Livewire context locking and trusted-state reduction
+
+## Numbering rule
+
+- Do not invent or reserve fixed spec numbers unless the current repository state proves they are available.
+- If numbering is uncertain, use `Candidate A`, `Candidate B`, `Candidate C`, and `Candidate D`.
+- Only recommend a numbering strategy; do not force numbering in the output when collisions are possible.
+
+## Output requirements
+
+Create exactly four spec candidates, one per problem class.
+
+For each candidate provide:
+
+1. Candidate label or confirmed spec number
+2. Working title
+3. Status: `Proposed`
+4. Summary
+5. Why this is needed now
+6. Boundary to existing specs
+7. Problem statement
+8. Goals
+9. Non-goals
+10. Scope
+11. Target model
+12. Key requirements
+13. Risks if not implemented
+14. Dependencies and sequencing notes
+15. Delivery recommendation: `hotfix`, `dedicated spec`, or `phased spec`
+16. Suggested implementation priority: `Critical`, `High`, or `Medium`
+17. Suggested slug
+
+At the end provide:
+
+A. Recommended implementation order
+B. Which candidates can run in parallel
+C. Which candidate should start first and why
+D. A numbering strategy recommendation if active spec numbers are not yet known
+
+## Writing rules
+
+- Write in English.
+- Use formal enterprise spec language.
+- Be concrete and opinionated.
+- Focus on structural integrity, not patch-level fixes.
+- Treat the audit constitution as binding.
+- Explicitly say when UI-only authorization is insufficient.
+- Explicitly say when Livewire public state must be treated as untrusted input.
+- Explicitly say when negative-path regression tests are required.
+- Explicitly say when `OperationRun` or audit semantics must be extended or hardened.
+- Do not duplicate adjacent specs; state the boundary clearly.
+- Do not collapse all four themes into one umbrella spec.
+
+## Candidate-specific direction
+
+### Candidate A — queued execution reauthorization and scope continuity
+
+- Treat this as an execution trust problem, not a simple `authorize()` omission.
+- Cover dispatch-time actor and context capture, handle-time scope revalidation, capability reauthorization, execution denial semantics, and audit visibility.
+- Define what happens when authorization or tenant operability changes between dispatch and execution.
+
+### Candidate B — tenant-owned query canon and wrong-tenant guards
+
+- Treat this as canonical data-access hardening.
+- Cover tenant-owned and workspace-owned query rules, route model binding safety, canonical query paths, anti-pattern elimination, and required wrong-tenant regression tests.
+- Focus on ownership enforcement, not generic repository-pattern advice.
+
+### Candidate C — findings workflow enforcement and audit backstop
+
+- Treat this as a workflow-truth problem.
+- Cover formal lifecycle enforcement, invalid transition prevention, reopen and recurrence semantics, and audit backstop requirements.
+- Make clear how this extends but does not duplicate Spec 111.
+
+### Candidate D — Livewire context locking and trusted-state reduction
+
+- Treat this as a UI/server trust-boundary hardening problem.
+- Cover locked identifiers, untrusted public state, server-side reconstruction of workflow truth, sensitive-state reduction, and misuse regression tests.
+- Make clear how this complements but does not duplicate Spec 138.

.github/skills/giteaflow/SKILL.md

@@ -0,0 +1,8 @@
+---
+name: giteaflow
+description: Describe what this skill does and when to use it. Include keywords that help agents identify relevant tasks.
+---
+
+<!-- Tip: Use /create-skill in chat to generate content with agent assistance -->
+
+comit all changes, push to remote, and create a pull request against dev with gitea mcp

.gitignore

@@ -15,22 +15,42 @@
 /.zed
 /auth.json
 /node_modules
+/apps/platform/node_modules
+/apps/website/node_modules
+/.pnpm-store
+/apps/website/.astro
 dist/
 build/
 coverage/
 /public/build
+/apps/platform/public/build
+/apps/website/dist
 /public/hot
+/apps/platform/public/hot
 /public/storage
+/apps/platform/public/storage
 /storage/*.key
+/apps/platform/storage/*.key
 /storage/pail
+/apps/platform/storage/pail
 /storage/framework
+/apps/platform/storage/framework
 /storage/logs
+/apps/platform/storage/logs
 /storage/debugbar
+/apps/platform/storage/debugbar
 /vendor
+/apps/platform/vendor
 /bootstrap/cache
+/apps/platform/bootstrap/cache
 Homestead.json
 Homestead.yaml
 Thumbs.db
 /references
+/tests/Browser/Screenshots
 *.tmp
 *.swp
+/apps/platform/.env
+/apps/platform/.env.*
+/apps/website/.env
+/apps/website/.env.*

.npmignore

@@ -1,8 +1,14 @@
 dist/
 build/
 public/build/
+apps/platform/public/build/
 node_modules/
+apps/platform/node_modules/
+apps/website/node_modules/
+apps/website/.astro/
+apps/website/dist/
 vendor/
+apps/platform/vendor/
 *.log
 .env
 .env.*

.prettierignore

@@ -2,12 +2,22 @@ node_modules/
 dist/
 build/
 public/build/
+apps/platform/public/build/
 public/hot/
+apps/platform/public/hot/
 public/storage/
+apps/platform/public/storage/
 coverage/
 vendor/
+apps/platform/vendor/
+apps/platform/node_modules/
+apps/website/node_modules/
+apps/website/.astro/
+apps/website/dist/
 storage/
+apps/platform/storage/
 bootstrap/cache/
+apps/platform/bootstrap/cache/
 package-lock.json
 yarn.lock
 pnpm-lock.yaml

.specify/memory/spec-approval-rubric.md

@@ -0,0 +1,236 @@
+# TenantPilot Spec Approval Rubric (Anti-Overengineering Guardrails)
+
+## Leitsatz
+
+> Kein neuer Layer ohne klaren Operatorgewinn, und kein neuer Spec nur für interne semantische Schönheit.
+
+Ein neuer Spec ist nur dann stark genug, wenn er **sichtbar mehr Produktwahrheit oder Operator-Wirkung** erzeugt als er dauerhafte Systemkomplexität importiert.
+
+Jeder Spec muss zwei Dinge gleichzeitig beweisen:
+
+1. Welches echte Problem wird gelöst?
+2. Warum ist diese Lösung die kleinste enterprise-taugliche Form?
+
+Wenn der Spec nur interne Eleganz, feinere Semantik oder mehr Konsistenz bringt, aber keinen klaren Workflow-, Trust- oder Audit-Gewinn, dann ist er **verdächtig**.
+
+---
+
+## 5 Pflichtfragen vor jeder Freigabe
+
+Ein Spec darf nur weiterverfolgt werden, wenn diese 5 Fragen sauber beantwortet sind.
+
+### A. Welcher konkrete Operator-Workflow wird besser?
+
+Nicht abstrakt „Konsistenz verbessern", sondern konkret: welcher Nutzer, auf welcher Fläche, in welchem Schritt, mit welchem heutigen Schmerz, und was danach schneller, sicherer oder ehrlicher wird.
+
+Wenn kein klarer Vorher/Nachher-Workflow benennbar ist → Spec ist zu abstrakt.
+
+### B. Welche falsche oder gefährliche Produktaussage wird verhindert?
+
+Legitime Antworten:
+
+- Falscher „alles okay"-Eindruck
+- Irreführende Recovery-Claims
+- Unsaubere Ownership
+- Fehlende nächste Aktion
+- Fehlende Audit-Nachvollziehbarkeit
+- Tenant/Workspace Leakage
+- RBAC-Missverständnisse
+
+Wenn ein Spec weder Workflow noch Trust verbessert → kaum zu rechtfertigen.
+
+### C. Was ist die kleinste brauchbare Version?
+
+Explizit benennen:
+
+- Was ist die v1-Minimalversion?
+- Welche Teile sind bewusst nicht enthalten?
+- Welche Generalisierung wird absichtlich verschoben?
+
+Wenn v1 wie ein Framework, eine Plattform oder eine universelle Taxonomie klingt → zu groß.
+
+### D. Welche dauerhafte Komplexität entsteht?
+
+Nicht nur Implementierungsaufwand, sondern Dauerfolgen:
+
+- Neue Models / Tables?
+- Neue Enums / Statusachsen?
+- Neue UI-Semantik?
+- Neue cross-surface Contracts?
+- Neue Tests, die dauerhaft gepflegt werden müssen?
+- Neue Begriffe, die jeder verstehen muss?
+
+Wenn die Liste lang ist → Produktgewinn muss entsprechend hoch sein.
+
+### E. Warum jetzt?
+
+Legitime Gründe:
+
+- Blockiert Kernworkflow
+- Verhindert gefährliche Fehlinterpretation
+- Ist Voraussetzung für unmittelbar folgende Hauptdomäne
+- Beseitigt echten systemischen Widerspruch
+- Wird bereits von mehreren Flächen schmerzhaft benötigt
+
+Schwache Gründe:
+
+- „wäre sauberer"
+- „brauchen wir später bestimmt"
+- „passt gut zur Architektur"
+- „macht das Modell vollständiger"
+
+---
+
+## 4 Spec-Klassen
+
+Jeden Kandidaten zwingend in genau eine Klasse einordnen.
+
+### Klasse 1 — Core Enterprise Spec
+
+Mindestens eins muss stimmen:
+
+- Schützt echte System-/Tenant-/RBAC-Korrektheit
+- Verhindert falsche Governance-/Recovery-/Audit-Aussagen
+- Schließt klaren Workflow-Gap
+- Beseitigt cross-surface Widerspruch mit realem Operator-Schaden
+- Ist echte Voraussetzung für eine wichtige Produktfunktion
+
+Dürfen Komplexität einführen, aber nur gezielt.
+
+### Klasse 2 — Workflow Compression Spec
+
+Gut, wenn sie:
+
+- Klickpfade verkürzen
+- Kontextverlust senken
+- Return-/Drilldown-Kontinuität verbessern
+- Triage-/Review-/Run-Bearbeitung beschleunigen
+
+Nützlich, aber klein halten.
+
+### Klasse 3 — Cleanup / Consolidation
+
+- Vereinfachung, Zusammenführung, Entkopplung
+- Entfernen von Legacy / Duplikaten
+- Reduktion unnötiger Schichten
+
+Explizit erwünscht als Gegengewicht zu Wachstum.
+
+### Klasse 4 — Premature / Defer
+
+Wenn der Kandidat hauptsächlich bringt:
+
+- Neue Semantik, Frameworks, Taxonomien
+- Generalisierung für künftige Fälle
+- Infrastruktur ohne breite aktuelle Nutzung
+
+→ Nicht freigeben. Verschieben oder brutal einkürzen.
+
+---
+
+## Rote Flaggen
+
+Wenn **zwei oder mehr** zutreffen → Spec muss aktiv verteidigt werden.
+
+| # | Rote Flagge | Prüffrage |
+|---|---|---|
+| 1 | **Neue Achsen** — neues Truth-Modell, Statusdimension, Taxonomie, Bewertungsachse | Braucht der Operator das wirklich, oder nur das Modell? |
+| 2 | **Neue Meta-Infrastruktur** — Presenter, Resolver, Catalog, Matrix, Registry, Builder, Policy-Layer | Sehr hoher Beweiswert nötig. |
+| 3 | **Viele Flächen, wenig Nutzerwert** — 6 Flächen „harmonisiert", kein klarer Nutzerflow besser | Architektur um ihrer selbst willen? |
+| 4 | **Klingt nach Foundation** — foundation, framework, generalized, reusable, future-proof, canonical semantics | Fast immer erklärungsbedürftig. |
+| 5 | **Mehr Begriffe als Outcomes** — lange semantische Erklärung, Nutzerverbesserung kaum in einem Satz | Verdächtig. |
+| 6 | **Mehrere Mikrospecs für eine Domäne** — foundation + semantics + presentation + hardening + integration | Zu fein zerlegt. |
+
+---
+
+## Grüne Flaggen
+
+- Löst klar beobachtbaren Operator-Schmerz
+- Verbessert echte Entscheidungssituation
+- Verhindert konkrete Fehlinterpretation
+- Reduziert Navigation oder Denkaufwand
+- Vereinfacht bereits existierende Komplexität
+- Führt wenig neue Begriffe ein
+- Hat klare Nicht-Ziele
+- Ist in einer Sitzung gut erklärbar
+- Braucht keine neue Meta-Schicht
+- Macht mehrere Flächen einfacher statt abstrakter
+
+---
+
+## Bewertungsraster (0–2 pro Dimension)
+
+| Dimension | 0 | 1 | 2 |
+|---|---|---|---|
+| **Nutzen** | unklar | lokal nützlich | klarer Workflow-/Trust-/Audit-Gewinn |
+| **Dringlichkeit** | kann warten | sinnvoll bald | blockiert oder schützt Wichtiges jetzt |
+| **Scope-Disziplin** | wirkt wie Framework/Plattform | etwas breit | klar begrenzte v1 |
+| **Komplexitätslast** | hohe dauerhafte Last | mittel | niedrig / gut beherrschbar |
+| **Produktnähe** | vor allem intern/architektonisch | gemischt | direkt spürbar für Operatoren |
+| **Wiederverwendung belegt** | hypothetisch | wahrscheinlich | bereits an mehreren echten Stellen nötig |
+
+### Auswertung
+
+| Score | Entscheidung |
+|---|---|
+| **10–12** | Freigabefähig |
+| **7–9** | Nur freigeben wenn Scope enger gezogen wird |
+| **4–6** | Verschieben oder zu Cleanup/Micro-Follow-up downgraden |
+| **0–3** | Nicht freigeben |
+
+---
+
+## TenantPilot-spezifische Regeln
+
+### Regel A — Keine neue semantische Achse ohne UI-Beweis
+
+Wo wird sie sichtbar? Warum reichen bestehende Achsen nicht? Welche Fehlentscheidung bleibt ohne sie bestehen?
+
+### Regel B — Keine neue Support-/Presentation-Schicht ohne ≥ 3 echte Verbraucher
+
+Registry, Resolver, Catalog, Presenter, Matrix, Explanation-Layer → nur mit mindestens drei echten (nicht künstlich erzeugten) Verbrauchern. Sonst lokal lösen.
+
+### Regel C — Keine Spec-Aufspaltung unterhalb Operator-Domäne
+
+Wenn ein Thema nicht eigenständig als Operator-Problem beschrieben werden kann → kein eigener Spec.
+
+### Regel D — Jeder neue Status braucht eine echte Folgehandlung
+
+Neue Status/Outcome nur erlaubt wenn sie etwas Konkretes ändern: andere nächste Aktion, anderes Routing, andere Audit-Bedeutung, andere Workflow-Behandlung.
+
+### Regel E — Consolidation ist ein legitimer Spec-Typ
+
+Zusammenführen von Semantik, Reduktion von Komplexität, Entfernen von Parallelmodellen, Vereinfachung von Navigation/Resolvern, Rückbau unnötiger Zwischenlayer — aktiv Platz geben.
+
+---
+
+## Freigabe-Template (Pflichtabschnitt in spec.md)
+
+```markdown
+## Spec Candidate Check
+
+- **Problem**: [Konkreter Operator-Schmerz oder Trust-Gap heute]
+- **Today's failure**: [Welche Fehlentscheidung / Verlangsamung / irreführende Produktaussage passiert aktuell?]
+- **User-visible improvement**: [Was wird konkret schneller, sicherer oder ehrlicher?]
+- **Smallest enterprise-capable version**: [Kleinste Version die das Problem sauber löst]
+- **Explicit non-goals**: [Was wird bewusst nicht modelliert/generalisiert/frameworkisiert?]
+- **Permanent complexity imported**: [Neue Models, Status, Enums, Services, Support-Layer, Tests, UI-Konzepte, Begriffe]
+- **Why now**: [Warum jetzt wichtiger als später?]
+- **Why not local**: [Warum reicht keine lokale, schmale Lösung?]
+- **Approval class**: [Core Enterprise / Workflow Compression / Cleanup / Defer]
+- **Red flags triggered**: [Welche roten Flaggen treffen zu?]
+- **Score**: [Nutzen: _ | Dringlichkeit: _ | Scope: _ | Komplexität: _ | Produktnähe: _ | Wiederverwendung: _ | **Gesamt: _/12**]
+- **Decision**: [approve / shrink / merge / defer / reject]
+```
+
+---
+
+## Erlaubt vs. Verdächtig (Schnellreferenz)
+
+| Erlaubt | Verdächtig |
+|---|---|
+| Echte Workflow-Specs | Neue truth sub-axes |
+| Governance-/Finding-/Review-Bearbeitbarkeit | Neue explanation frameworks |
+| Trust-/Audit-/RBAC-Härtung | Neue presentation taxonomies |
+| Portfolio-Operator-Durchsatzverbesserungen | Neue generalized support layers |
+| Consolidation-Specs | Mikro-Specs für bereits stark zerlegte Domänen |

.specify/templates/plan-template.md

@@ -48,8 +48,45 @@ ## Constitution Check
 - Ops-UX system runs: initiator-null runs emit no terminal DB notification; audit remains via Monitoring; tenant-wide alerting goes through Alerts (not OperationRun notifications)
 - Automation: queued/scheduled ops use locks + idempotency; handle 429/503 with backoff+jitter
 - Data minimization: Inventory stores metadata + whitelisted meta; logs contain no secrets/tokens
+- Proportionality (PROP-001): any new structure, layer, persisted truth, or semantic machinery is justified by current release truth, current operator workflow, and why a narrower solution is insufficient
+- No premature abstraction (ABSTR-001): no new factories, registries, resolvers, strategy systems, interfaces, type registries, or orchestration pipelines before at least 2 real concrete cases exist, unless security, tenant isolation, auditability, compliance evidence, or queue correctness require it now
+- Persisted truth (PERSIST-001): new tables/entities/artifacts represent independent product truth or lifecycle; convenience projections and UI helpers stay derived
+- Behavioral state (STATE-001): new states/statuses/reason codes change behavior, routing, permissions, lifecycle, audit, retention, or retry handling; presentation-only distinctions stay derived
+- UI semantics (UI-SEM-001): avoid turning badges, explanation text, trust/confidence labels, or detail summaries into mandatory interpretation frameworks; prefer direct domain-to-UI mapping
+- V1 explicitness / few layers (V1-EXP-001, LAYER-001): prefer direct implementation, local mappings, and small helpers; any new layer replaces an old one or proves the old one cannot serve
+- Spec discipline / bloat check (SPEC-DISC-001, BLOAT-001): related semantic changes are grouped coherently, and any new enum, DTO/presenter, persisted entity, interface/registry/resolver, or taxonomy includes a proportionality review covering operator problem, insufficiency, narrowness, ownership cost, rejected alternative, and whether it is current-release truth
 - Badge semantics (BADGE-001): status-like badges use `BadgeCatalog` / `BadgeRenderer`; no ad-hoc mappings; new values include tests
-- Filament UI Action Surface Contract: for any new/modified Filament Resource/RelationManager/Page, define Header/Row/Bulk/Empty-State actions, ensure every List/Table has a record inspection affordance (prefer `recordUrl()` clickable rows; do not render a lone View row action), keep max 2 visible row actions with the rest in “More”, group bulk actions, require confirmations for destructive actions (typed confirmation for large/bulk where applicable), write audit logs for mutations, enforce RBAC via central helpers (non-member 404, member missing capability 403), and ensure CI blocks merges if the contract is violated or not explicitly exempted- Filament UI UX-001 (Layout & IA): Create/Edit uses Main/Aside (3-col grid, Main=columnSpan(2), Aside=columnSpan(1)); all fields inside Sections/Cards (no naked inputs); View uses Infolists (not disabled edit forms); status badges use BADGE-001; empty states have specific title + explanation + 1 CTA; max 1 primary + 1 secondary header action; tables provide search/sort/filters for core dimensions; shared layout builders preferred for consistency
+- Filament-native UI (UI-FIL-001): admin/operator surfaces use native Filament components or shared primitives first; no ad-hoc status UI, local semantic color/border decisions, or hand-built replacements when native/shared semantics exist; any exception is explicitly justified
+- UI/UX surface taxonomy (UI-CONST-001 / UI-SURF-001): every changed operator-facing surface is classified as exactly one allowed surface type; ad-hoc interaction models are forbidden
+- Decision-first operating model (DECIDE-001): each changed
+  operator-facing surface is classified as Primary Decision,
+  Secondary Context, or Tertiary Evidence / Diagnostics; primary
+  surfaces justify the human-in-the-loop moment, default-visible info
+  is limited to first-decision needs, deep proof is progressive
+  disclosed, one governance case stays decidable in one context where
+  practical, navigation follows workflows not storage structures, and
+  automation / alerts reduce attention load instead of adding noise
+- UI/UX inspect model (UI-HARD-001): each list surface has exactly one primary inspect/open model; redundant View beside row click or identifier click is forbidden; edit-as-inspect is limited to Config-lite resources
+- UI/UX action hierarchy (UI-HARD-001 / UI-EX-001): standard CRUD and Registry rows expose at most one inline safe shortcut; destructive actions are grouped or in the detail header; queue exceptions are catalogued, justified, and tested
+- UI/UX scope, truth, and naming (UI-HARD-001 / UI-NAMING-001 / OPSURF-001): scope signals are truthful, canonical nouns stay stable across shells, critical operational truth is default-visible, and standard lists remain scanable
+- UI/UX placeholder ban (UI-HARD-001): empty `ActionGroup` / `BulkActionGroup` placeholders and declaration-only UI conformance are forbidden
+- UI naming (UI-NAMING-001): operator-facing labels use `Verb + Object`; scope (`Workspace`, `Tenant`) is never the primary action label; source/domain is secondary unless disambiguation is required; runs/toasts/audit prose use the same domain vocabulary; implementation-first terms do not appear in primary operator UI
+- Operator surfaces (OPSURF-001): `/admin` defaults are operator-first; default-visible content avoids raw implementation detail; diagnostics are explicitly revealed secondarily
+- Operator surfaces (OPSURF-001): execution outcome, data completeness, governance result, and lifecycle/readiness are modeled as distinct status dimensions when all apply; they are not collapsed into one ambiguous status
+- Operator surfaces (OPSURF-001): every mutating action communicates whether it changes TenantPilot only, the Microsoft tenant, or simulation only before execution
+- Operator surfaces (OPSURF-001): dangerous actions follow configuration → safety checks/simulation → preview → hard confirmation where required → execute, unless a spec documents an explicit exemption and replacement safeguards
+- Operator surfaces (OPSURF-001): workspace and tenant context remain explicit in navigation, actions, and page semantics; tenant surfaces do not silently expose workspace-wide actions
+- Operator surfaces (OPSURF-001): each new or materially refactored operator-facing page defines a page contract covering persona, surface type, operator question, default-visible info, diagnostics-only info, status dimensions, mutation scope, primary actions, and dangerous actions
+- Filament UI Action Surface Contract: for any new/modified Filament Resource/RelationManager/Page, define Header/Row/Bulk/Empty-State actions, ensure every List/Table has a surface-appropriate inspect affordance, remove redundant View when row click or identifier click already opens the same destination, keep standard CRUD/Registry rows to inspect plus at most one inline safe shortcut, group or relocate the rest to “More” or detail header, forbid empty bulk/overflow groups, require confirmations for destructive actions, write audit logs for mutations, enforce RBAC via central helpers (non-member 404, member missing capability 403), and ensure CI blocks merges if the contract is violated or not explicitly exempted
+- Filament UI UX-001 (Layout & IA): Create/Edit uses Main/Aside (3-col grid, Main=columnSpan(2), Aside=columnSpan(1)); all fields inside Sections/Cards (no naked inputs); View uses Infolists (not disabled edit forms); status badges use BADGE-001; empty states have specific title + explanation + 1 CTA; max 1 primary + 1 secondary header action (see HDR-001); tables provide search/sort/filters for core dimensions; shared layout builders preferred for consistency
+- Action-surface discipline (ACTSURF-001 / HDR-001): every changed
+  surface declares one broad action-surface class; the spec names the
+  one likely next operator action; navigation is separated from
+  mutation; record/detail/edit pages keep at most one visible primary
+  header action; monitoring/workbench surfaces separate scope/context,
+  selection actions, navigation, and object actions; risky or rare
+  actions are grouped and ordered by meaning/frequency/risk; any special
+  type or workflow-hub exception is explicit and justified
 ## Project Structure
 
 ### Documentation (this feature)
@@ -113,9 +150,20 @@ # [REMOVE IF UNUSED] Option 3: Mobile + API (when "iOS/Android" detected)
 
 ## Complexity Tracking
 
-> **Fill ONLY if Constitution Check has violations that must be justified**
+> **Fill when Constitution Check has violations that must be justified OR when BLOAT-001 is triggered by new persistence, abstractions, states, or semantic frameworks.**
 
 | Violation | Why Needed | Simpler Alternative Rejected Because |
 |-----------|------------|-------------------------------------|
 | [e.g., 4th project] | [current need] | [why 3 projects insufficient] |
 | [e.g., Repository pattern] | [specific problem] | [why direct DB access insufficient] |
+
+## Proportionality Review
+
+> **Fill when the feature introduces a new enum/status family, DTO/presenter/envelope, persisted entity/table/artifact, interface/contract/registry/resolver, taxonomy/classification system, or cross-domain UI framework.**
+
+- **Current operator problem**: [What present-day workflow or risk requires this?]
+- **Existing structure is insufficient because**: [Why the current code cannot serve safely or clearly]
+- **Narrowest correct implementation**: [Why this shape is the smallest viable one]
+- **Ownership cost created**: [Maintenance, testing, cognitive load, migration, or review burden]
+- **Alternative intentionally rejected**: [Simpler option and why it failed]
+- **Release truth**: [Current-release truth or future-release preparation]

.specify/templates/spec-template.md

@@ -5,6 +5,24 @@ # Feature Specification: [FEATURE NAME]
 **Status**: Draft  
 **Input**: User description: "$ARGUMENTS"
 
+## Spec Candidate Check *(mandatory — SPEC-GATE-001)*
+
+<!-- This section MUST be completed before the spec progresses beyond Draft.
+     See .specify/memory/spec-approval-rubric.md for the full rubric. -->
+
+- **Problem**: [Konkreter Operator-Schmerz oder Trust-Gap heute]
+- **Today's failure**: [Welche Fehlentscheidung / Verlangsamung / irreführende Produktaussage passiert aktuell?]
+- **User-visible improvement**: [Was wird konkret schneller, sicherer oder ehrlicher?]
+- **Smallest enterprise-capable version**: [Kleinste Version die das Problem sauber löst]
+- **Explicit non-goals**: [Was wird bewusst nicht modelliert/generalisiert/frameworkisiert?]
+- **Permanent complexity imported**: [Neue Models, Status, Enums, Services, Support-Layer, Tests, UI-Konzepte, Begriffe]
+- **Why now**: [Warum jetzt wichtiger als später?]
+- **Why not local**: [Warum reicht keine lokale, schmale Lösung?]
+- **Approval class**: [Core Enterprise / Workflow Compression / Cleanup / Defer]
+- **Red flags triggered**: [Welche roten Flaggen treffen zu? Wenn ≥ 2: explizite Verteidigung nötig]
+- **Score**: [Nutzen: _ | Dringlichkeit: _ | Scope: _ | Komplexität: _ | Produktnähe: _ | Wiederverwendung: _ | **Gesamt: _/12**]
+- **Decision**: [approve / shrink / merge / defer / reject]
+
 ## Spec Scope Fields *(mandatory)*
 
 - **Scope**: [workspace | tenant | canonical-view]
@@ -17,6 +35,59 @@ ## Spec Scope Fields *(mandatory)*
 - **Default filter behavior when tenant-context is active**: [e.g., prefilter to current tenant]
 - **Explicit entitlement checks preventing cross-tenant leakage**: [Describe checks]
 
+## Decision-First Surface Role *(mandatory when operator-facing surfaces are changed)*
+
+If this feature adds or materially changes an operator-facing surface,
+fill out one row per affected surface. This role is orthogonal to the
+Action Surface Class / Surface Type below.
+
+| Surface | Decision Role | Human-in-the-loop Moment | Immediately Visible for First Decision | On-Demand Detail / Evidence | Why This Is Primary or Why Not | Workflow Alignment | Attention-load Reduction |
+|---|---|---|---|---|---|---|---|
+| e.g. Review inbox | Primary Decision Surface | Review and release queued governance work | Case summary, severity, recommendation, required action | Full evidence, raw payloads, audit trail, provider diagnostics | Primary because it is the queue where operators decide and clear work | Follows pending-decisions workflow, not storage objects | Removes search across runs, findings, and audit pages |
+
+## UI/UX Surface Classification *(mandatory when operator-facing surfaces are changed)*
+
+If this feature adds or materially changes an operator-facing list, detail, queue, audit, config, or report surface,
+fill out one row per affected surface. Declare the broad Action Surface
+Class first, then the detailed Surface Type. Keep this table in sync
+with the Decision-First Surface Role section above.
+
+| Surface | Action Surface Class | Surface Type | Likely Next Operator Action | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type / Justification |
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+| e.g. Tenant policies page | List / Table / Bulk | CRUD / List-first Resource | Open policy for review | Full-row click | required | One inline safe shortcut + More | More / detail header | /admin/t/{tenant}/policies | /admin/t/{tenant}/policies/{record} | Tenant chip scopes rows and actions | Policies / Policy | Policy health, drift, assignment coverage | none |
+
+## Operator Surface Contract *(mandatory when operator-facing surfaces are changed)*
+
+If this feature adds a new operator-facing page or materially refactors
+one, fill out one row per affected page/surface. The contract MUST show
+how one governance case or operator task becomes decidable without
+unnecessary cross-page reconstruction.
+
+| Surface | Primary Persona | Decision / Operator Action Supported | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
+|---|---|---|---|---|---|---|---|---|---|---|
+| e.g. Tenant policies page | Tenant operator | Decide whether policy state needs follow-up | List/detail | What needs action right now? | Policy health, drift, assignment coverage | Raw payloads, provider IDs, low-level API details | lifecycle, data completeness, governance result | TenantPilot only / Microsoft tenant / simulation only | Sync policies, View policy | Restore policy |
+
+## Proportionality Review *(mandatory when structural complexity is introduced)*
+
+Fill this section if the feature introduces any of the following:
+- a new source of truth
+- a new persisted entity, table, or artifact
+- a new abstraction (interface, contract, registry, resolver, strategy, factory, orchestration layer)
+- a new enum, status family, reason code family, or lifecycle category
+- a new cross-domain UI framework, taxonomy, or classification system
+
+- **New source of truth?**: [yes/no]
+- **New persisted entity/table/artifact?**: [yes/no]
+- **New abstraction?**: [yes/no]
+- **New enum/state/reason family?**: [yes/no]
+- **New cross-domain UI framework/taxonomy?**: [yes/no]
+- **Current operator problem**: [What present-day workflow or risk does this solve?]
+- **Existing structure is insufficient because**: [Why the current implementation shape cannot safely or clearly solve it]
+- **Narrowest correct implementation**: [Why this is the smallest viable solution]
+- **Ownership cost**: [What maintenance, testing, review, migration, or conceptual cost this adds]
+- **Alternative intentionally rejected**: [What simpler option was considered and why it was not sufficient]
+- **Release truth**: [Current-release truth or future-release preparation]
+
 ## User Scenarios & Testing *(mandatory)*
 
 <!--
@@ -94,6 +165,16 @@ ## Requirements *(mandatory)*
 (preview/confirmation/audit), tenant isolation, run observability (`OperationRun` type/identity/visibility), and tests.
 If security-relevant DB-only actions intentionally skip `OperationRun`, the spec MUST describe `AuditLog` entries.
 
+**Constitution alignment (PROP-001 / ABSTR-001 / PERSIST-001 / STATE-001 / BLOAT-001):** If this feature introduces new persistence,
+new abstractions, new states, or new semantic layers, the spec MUST explain:
+- which current operator workflow or current product truth requires the addition now,
+- why a narrower implementation is insufficient,
+- whether the addition is current-release truth or future-release preparation,
+- what ownership cost it creates,
+- and how the choice follows the default bias of deriving before persisting, replacing before layering, and being explicit before generic.
+If the feature introduces a new enum/status family, DTO/presenter/envelope, persisted entity/table, interface/contract/registry/resolver,
+or taxonomy/classification system, the Proportionality Review section above is mandatory.
+
 **Constitution alignment (OPS-UX):** If this feature creates/reuses an `OperationRun`, the spec MUST:
 - explicitly state compliance with the Ops-UX 3-surface feedback contract (toast intent-only, progress surfaces, terminal DB notification),
 - state that `OperationRun.status` / `OperationRun.outcome` transitions are service-owned (only via `OperationRunService`),
@@ -119,9 +200,86 @@ ## Requirements *(mandatory)*
 **Constitution alignment (BADGE-001):** If this feature changes status-like badges (status/outcome/severity/risk/availability/boolean),
 the spec MUST describe how badge semantics stay centralized (no ad-hoc mappings) and which tests cover any new/changed values.
 
+**Constitution alignment (UI-FIL-001):** If this feature adds or changes Filament or Blade UI for admin/operator surfaces, the spec MUST describe:
+- which native Filament components or shared UI primitives are used,
+- whether any local replacement markup was avoided for badges, alerts, buttons, or status surfaces,
+- how semantic emphasis is expressed through Filament props or central primitives rather than page-local color/border classes,
+- and any exception where Filament or a shared primitive was insufficient, including why the exception is necessary and how it avoids introducing a new local status language.
+
+**Constitution alignment (UI-NAMING-001):** If this feature adds or changes operator-facing buttons, header actions, run titles,
+notifications, audit prose, or related helper copy, the spec MUST describe:
+- the target object,
+- the operator verb,
+- whether source/domain disambiguation is actually needed,
+- how the same domain vocabulary is preserved across button labels, modal titles, run titles, notifications, and audit prose,
+- and how implementation-first terms are kept out of primary operator-facing labels.
+
+**Constitution alignment (DECIDE-001):** If this feature adds or changes operator-facing surfaces, the spec MUST describe:
+- whether each affected surface is a Primary Decision Surface,
+  Secondary Context Surface, or Tertiary Evidence / Diagnostics
+  Surface, and why,
+- which human-in-the-loop moment each primary surface supports,
+- what MUST be visible immediately for the first decision,
+- what is preserved but only revealed on demand,
+- why any new primary surface cannot live inside an existing decision
+  context,
+- how navigation follows operator workflows rather than storage
+  structures,
+- how one governance case remains decidable in one focused context,
+- how any new automation, notifications, or autonomous governance logic
+  reduce search/review/click load,
+- and how the resulting default experience is calmer and clearer rather
+  than merely larger.
+
+**Constitution alignment (UI-CONST-001 / UI-SURF-001 / ACTSURF-001 / UI-HARD-001 / UI-EX-001 / UI-REVIEW-001 / HDR-001):** If this feature adds or changes an operator-facing surface, the spec MUST describe:
+- the chosen broad action-surface class and why it is the correct classification,
+- the chosen detailed surface type and why it is the correct refinement,
+- the one most likely next operator action,
+- the one and only primary inspect/open model,
+- whether row click is required, allowed, or forbidden,
+- whether explicit View or Inspect is present, and why it is present or forbidden,
+- where pure navigation lives and why it is not competing with mutation,
+- where secondary actions live,
+- where destructive actions live,
+- how grouped actions are ordered by meaning, frequency, and risk,
+- the canonical collection route and canonical detail route,
+- the scope signals shown to the operator and what real effect each one has,
+- the canonical noun used across routes, labels, runs, notifications, and audit prose,
+- which critical operational truth is visible by default,
+- and any catalogued exception type, rationale, and dedicated test coverage.
+
+**Constitution alignment (ACTSURF-001 - action hierarchy):** If this
+feature adds or materially changes header actions, row actions, bulk
+actions, or workbench controls, the spec MUST describe:
+- how navigation, mutation, context signals, selection actions, and
+  dangerous actions are separated,
+- why any visible secondary action deserves primary-plane placement,
+- why any ActionGroup is structured rather than a mixed catch-all,
+- and why any workflow-hub, wizard, system, or other special-type
+  exception is genuine rather than a convenience shortcut.
+
+**Constitution alignment (OPSURF-001):** If this feature adds or materially refactors an operator-facing surface, the spec MUST describe:
+- how the default-visible content stays operator-first on `/admin` and avoids raw implementation detail,
+- which diagnostics are secondary and how they are explicitly revealed,
+- which status dimensions are shown separately (execution outcome, data completeness, governance result, lifecycle/readiness) and why,
+- how each mutating action communicates its mutation scope before execution (`TenantPilot only`, `Microsoft tenant`, or `simulation only`),
+- how dangerous actions follow the safe-execution pattern (configuration, safety checks/simulation, preview, hard confirmation where required, execute),
+- how workspace and tenant context remain explicit in navigation, action copy, and page semantics,
+- and the page contract for each new or materially refactored operator-facing page.
+
+**Constitution alignment (UI-SEM-001 / LAYER-001 / TEST-TRUTH-001):** If this feature adds UI semantics, presenters, explanation layers,
+status taxonomies, or other interpretation layers, the spec MUST describe:
+- why direct mapping from canonical domain truth to UI is insufficient,
+- which existing layer is replaced or why no existing layer can serve,
+- how the feature avoids creating redundant truth across models, service results, presenters, summaries, wrappers, and persisted mirrors,
+- and how tests focus on business consequences rather than thin indirection alone.
+
 **Constitution alignment (Filament Action Surfaces):** If this feature adds or modifies any Filament Resource / RelationManager / Page,
 the spec MUST include a “UI Action Matrix” (see below) and explicitly state whether the Action Surface Contract is satisfied.
+The same section MUST state that each affected surface has exactly one primary inspect/open model, that redundant View actions are absent,
+that empty `ActionGroup` / `BulkActionGroup` placeholders are absent, and that destructive actions follow the required placement rules for the chosen surface type.
 If the contract is not satisfied, the spec MUST include an explicit exemption with rationale.
+The same section MUST also state whether UI-FIL-001 is satisfied and identify any approved exception.
 **Constitution alignment (UX-001 — Layout & Information Architecture):** If this feature adds or modifies any Filament screen,
 the spec MUST describe compliance with UX-001: Create/Edit uses Main/Aside layout (3-col grid), all fields inside Sections/Cards
 (no naked inputs), View pages use Infolists (not disabled edit forms), status badges use BADGE-001, empty states have a specific
@@ -150,7 +308,7 @@ ## UI Action Matrix *(mandatory when Filament is changed)*
 If this feature adds/modifies any Filament Resource / RelationManager / Page, fill out the matrix below.
 
 For each surface, list the exact action labels, whether they are destructive (confirmation? typed confirmation?),
-RBAC gating (capability + enforcement helper), and whether the mutation writes an audit log.
+RBAC gating (capability + enforcement helper), whether the mutation writes an audit log, and any exemption or exception used.
 
 | Surface | Location | Header Actions | Inspect Affordance (List/Table) | Row Actions (max 2 visible) | Bulk Actions (grouped) | Empty-State CTA(s) | View Header Actions | Create/Edit Save+Cancel | Audit log? | Notes / Exemptions |
 |---|---|---|---|---|---|---|---|---|---|

.specify/templates/tasks-template.md

@@ -32,25 +32,95 @@ # Tasks: [FEATURE NAME]
 - destructive-like actions use `->requiresConfirmation()` (authorization still server-side),
 - cross-plane deny-as-not-found (404) checks where applicable,
 - at least one positive + one negative authorization test.
+**UI Naming**: If this feature adds or changes operator-facing actions, run titles, notifications, audit prose, or helper copy, tasks MUST include:
+- aligning primary action labels to `Verb + Object`,
+- keeping scope terms (`Workspace`, `Tenant`) out of primary action labels unless they are the actual target object,
+- using source/domain terms only where same-screen disambiguation is required,
+- aligning button labels, modal titles, run titles, notifications, and audit prose to the same domain vocabulary,
+- removing implementation-first wording from primary operator-facing copy.
+**Operator Surfaces**: If this feature adds or materially refactors an operator-facing page or flow, tasks MUST include:
+- classifying each affected surface as Primary Decision, Secondary
+  Context, or Tertiary Evidence / Diagnostics and keeping that role in
+  sync with the governing spec,
+- defining the human-in-the-loop moment and justifying any new Primary
+  Decision Surface against existing decision contexts,
+- filling the spec’s UI/UX Surface Classification for every affected surface,
+- filling the spec’s Operator Surface Contract for every affected page,
+- keeping default-visible content limited to first-decision needs and
+  moving proof, payloads, and diagnostics into progressive disclosure,
+- making default-visible content operator-first and moving JSON payloads, raw IDs, internal field names, provider error details, and low-level metadata into explicitly revealed diagnostics surfaces,
+- keeping each governance case decidable in one focused context where
+  practical instead of forcing cross-page reconstruction,
+- modeling execution outcome, data completeness, governance result, and lifecycle/readiness as distinct status dimensions when applicable,
+- making mutation scope legible before execution for every state-changing action (`TenantPilot only`, `Microsoft tenant`, or `simulation only`),
+- implementing the safe-execution flow for dangerous actions (configuration, safety checks/simulation, preview, hard confirmation where required, execute) or documenting an approved exemption,
+- keeping canonical nouns stable across routes, buttons, run titles, notifications, and audit prose,
+- keeping navigation aligned to operator workflows rather than storage
+  structures,
+- ensuring new automation, alerts, or autonomous flows reduce
+  search/review/click load instead of adding noise, extra lists, or
+  extra detail work,
+- preserving a calm, prioritized default state that distinguishes
+  actionable work from worth-watching context and reference-only
+  information,
+- keeping scope signals truthful and ensuring critical operational truth is visible by default,
+- keeping standard CRUD / Registry rows scanable rather than prose-heavy,
+- keeping workspace and tenant context explicit in navigation, actions, and page semantics so tenant pages do not silently expose workspace-wide actions.
 **Filament UI Action Surfaces**: If this feature adds/modifies any Filament Resource / RelationManager / Page, tasks MUST include:
 - filling the spec’s “UI Action Matrix” for all changed surfaces,
+- assigning exactly one broad action-surface class to every changed
+  operator-facing surface and keeping the detailed surface type in sync
+  with the spec,
+- identifying the one likely next operator action for each changed
+  surface and shaping the visible hierarchy around it,
 - implementing required action surfaces (header/row/bulk/empty-state CTA for lists; header actions for view; consistent save/cancel on create/edit),
-- ensuring every List/Table has a record inspection affordance (prefer `recordUrl()` clickable rows; do not render a lone View row action),
-- enforcing the “max 2 visible row actions; everything else in More ActionGroup” rule,
+- ensuring every List/Table has exactly one primary inspect/open model with the correct surface-appropriate affordance,
+- removing redundant View/Inspect actions when row click or identifier click already opens the same destination,
+- keeping standard CRUD / Registry rows to inspect/open plus at most one inline safe shortcut,
+- separating navigation from mutation so pure context changes do not
+  compete visually with state-changing actions,
+- moving additional secondary actions into More or the detail header,
+- ordering visible actions and grouped actions by meaning, frequency,
+  and risk rather than append order,
+- placing destructive actions in More or the detail header for standard lists and using catalogued exceptions only where allowed,
+- ensuring workbench and monitoring surfaces separate scope/context,
+  selection actions, navigation, and object actions instead of mixing
+  them into one flat header zone,
 - grouping bulk actions via BulkActionGroup,
+- preventing empty `ActionGroup` / `BulkActionGroup` placeholders,
 - adding confirmations for destructive actions (and typed confirmation where required by scale),
 - adding `AuditLog` entries for relevant mutations,
+- using native Filament components or shared UI primitives before any local Blade/Tailwind assembly for badges, alerts, buttons, and semantic status surfaces,
+- avoiding page-local semantic color, border, rounding, or highlight styling when Filament props or shared primitives can express the same state,
+- documenting any workflow-hub, wizard, utility/system, or other
+  special-type exception in the spec/PR and adding dedicated test
+  coverage,
+- documenting any catalogued UI exception in the spec/PR and adding dedicated test coverage,
+- documenting any UI-FIL-001 exception with rationale in the spec/PR,
 - adding/updated tests that enforce the contract and block merge on violations, OR documenting an explicit exemption with rationale.
 **Filament UI UX-001 (Layout & IA)**: If this feature adds/modifies any Filament screen, tasks MUST include:
 - ensuring Create/Edit pages use Main/Aside layout (3-col grid, Main=columnSpan(2), Aside=columnSpan(1)),
 - ensuring all form fields are inside Sections/Cards (no naked inputs at root schema level),
 - ensuring View pages use Infolists (not disabled edit forms); status badges use BADGE-001,
 - ensuring empty states show a specific title + explanation + exactly 1 CTA; non-empty tables move CTA to header,
-- capping header actions to max 1 primary + 1 secondary (rest grouped),
+- enforcing ACTSURF-001 / HDR-001 action discipline: record/detail/edit
+  pages keep at most 1 visible primary header action; pure navigation
+  moves to contextual placement; destructive or governance-changing
+  actions are separated and require friction; monitoring/workbench
+  surfaces use their own layered hierarchy; rare actions live in
+  structured Action Groups; every affected surface passes the few-second
+  scan rule,
 - using shared layout builders (e.g., `MainAsideForm`, `MainAsideInfolist`, `StandardTableDefaults`) where available,
 - OR documenting an explicit exemption with rationale if UX-001 is not fully satisfied.
 **Badges**: If this feature changes status-like badge semantics, tasks MUST use `BadgeCatalog` / `BadgeRenderer` (BADGE-001),
 avoid ad-hoc mappings in Filament, and include mapping tests for any new/changed values.
+**Proportionality / Anti-Bloat**: If this feature introduces a new enum/status family, DTO/presenter/envelope, persisted entity/table/artifact,
+interface/contract/registry/resolver, taxonomy/classification system, or cross-domain UI framework, tasks MUST include:
+- completing the spec’s Proportionality Review,
+- implementing the narrowest correct shape justified by current-release truth,
+- removing or replacing superseded layers where practical instead of stacking new ones on top,
+- keeping convenience projections and UI helpers derived unless independent persistence is explicitly justified,
+- and adding tests around business consequences, permissions, lifecycle behavior, isolation, or audit responsibilities rather than thin indirection alone.
 
 **Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story.
 
@@ -197,6 +267,7 @@ ## Phase N: Polish & Cross-Cutting Concerns
 - [ ] TXXX Performance optimization across all stories
 - [ ] TXXX [P] Additional unit tests (if requested) in tests/unit/
 - [ ] TXXX Security hardening
+- [ ] TXXX Proportionality cleanup: remove or collapse superseded layers introduced during implementation
 - [ ] TXXX Run quickstart.md validation
 
 ---

Agents.md

@@ -25,12 +25,14 @@ ## Scope Reference
 - Tenant-scoped RBAC and audit logs
 
 ## Workflow (Spec Kit)
-1. Read `.specify/constitution.md`
+1. Read `.specify/memory/constitution.md`
 2. For new work: create/update `specs/<NNN>-<slug>/spec.md`
 3. Produce `specs/<NNN>-<slug>/plan.md`
 4. Break into `specs/<NNN>-<slug>/tasks.md`
 5. Implement changes in small PRs
 
+Any spec that introduces a new persisted entity, abstraction, enum/status family, or taxonomy/framework must include the proportionality review required by the constitution before implementation starts.
+
 If requirements change during implementation, update spec/plan before continuing.
 
 ## Workflow (SDD in diesem Repo)
@@ -316,12 +318,13 @@ ## Security
 ## Commands
 
 ### Sail (preferred locally)
-- `./vendor/bin/sail up -d`
-- `./vendor/bin/sail down`
-- `./vendor/bin/sail composer install`
-- `./vendor/bin/sail artisan migrate`
-- `./vendor/bin/sail artisan test`
-- `./vendor/bin/sail artisan` (general)
+- `cd apps/platform && ./vendor/bin/sail up -d`
+- `cd apps/platform && ./vendor/bin/sail down`
+- `cd apps/platform && ./vendor/bin/sail composer install`
+- `cd apps/platform && ./vendor/bin/sail artisan migrate`
+- `cd apps/platform && ./vendor/bin/sail artisan test`
+- `cd apps/platform && ./vendor/bin/sail artisan` (general)
+- Root helper for tooling only: `./scripts/platform-sail ...`
 
 ### Drizzle (local DB tooling, if configured)
 - Use only for local/dev workflows.
@@ -333,10 +336,10 @@ ### Drizzle (local DB tooling, if configured)
 (Agents should confirm the exact script names in `package.json` before suggesting them.)
 
 ### Non-Docker fallback (only if needed)
-- `composer install`
-- `php artisan serve`
-- `php artisan migrate`
-- `php artisan test`
+- `cd apps/platform && composer install`
+- `cd apps/platform && php artisan serve`
+- `cd apps/platform && php artisan migrate`
+- `cd apps/platform && php artisan test`
 
 ### Frontend/assets/tooling (if present)
 - `pnpm install`
@@ -350,11 +353,11 @@ ## Where to look first
 - `.specify/`
 - `AGENTS.md`
 - `README.md`
-- `app/`
-- `database/`
-- `routes/`
-- `resources/`
-- `config/`
+- `apps/platform/app/`
+- `apps/platform/database/`
+- `apps/platform/routes/`
+- `apps/platform/resources/`
+- `apps/platform/config/`
 
 ---
 
@@ -431,7 +434,7 @@ ## 3) Panel setup defaults
 - Assets policy:
   - Panel-only assets: register via panel config.
   - Shared/plugin assets: register via `FilamentAsset::register()`.
-  - Deployment must include `php artisan filament:assets`.
+  - Deployment must include `cd apps/platform && php artisan filament:assets`.
 
 Sources:
 - https://filamentphp.com/docs/5.x/panel-configuration
@@ -668,7 +671,7 @@ ## Testing
 
 ## Deployment / Ops
 
-- [ ] `php artisan filament:assets` is included in the deployment process when using registered assets.
+- [ ] `cd apps/platform && php artisan filament:assets` is included in the deployment process when using registered assets.
   - Source: https://filamentphp.com/docs/5.x/advanced/assets — “The FilamentAsset facade”
 
 === foundation rules ===
@@ -681,7 +684,7 @@ ## Foundational Context
 
 This application is a Laravel application and its main Laravel ecosystems package & versions are below. You are an expert with them all. Ensure you abide by these specific packages & versions.
 
-- php - 8.4.1
+- php - 8.4.15
 - filament/filament (FILAMENT) - v5
 - laravel/framework (LARAVEL) - v12
 - laravel/prompts (PROMPTS) - v0
@@ -718,7 +721,9 @@ ## Application Structure & Architecture
 
 ## Frontend Bundling
 
-- If the user doesn't see a frontend change reflected in the UI, it could mean they need to run `vendor/bin/sail npm run build`, `vendor/bin/sail npm run dev`, or `vendor/bin/sail composer run dev`. Ask them.
+- Repo-root JavaScript orchestration now uses `corepack pnpm install`, `corepack pnpm dev:platform`, `corepack pnpm dev:website`, `corepack pnpm dev`, `corepack pnpm build:website`, and `corepack pnpm build:platform`.
+- `apps/website` is a standalone Astro app, not a second Laravel runtime, so Boost MCP remains platform-only.
+- If the user doesn't see a platform frontend change reflected in the UI, it could mean they need to run `cd apps/platform && ./vendor/bin/sail pnpm build`, `cd apps/platform && ./vendor/bin/sail pnpm dev`, or `cd apps/platform && ./vendor/bin/sail composer run dev`. Ask them.
 
 ## Documentation Files
 
@@ -810,28 +815,28 @@ ## PHPDoc Blocks
 # Laravel Sail
 
 - This project runs inside Laravel Sail's Docker containers. You MUST execute all commands through Sail.
-- Start services using `vendor/bin/sail up -d` and stop them with `vendor/bin/sail stop`.
-- Open the application in the browser by running `vendor/bin/sail open`.
-- Always prefix PHP, Artisan, Composer, and Node commands with `vendor/bin/sail`. Examples:
-    - Run Artisan Commands: `vendor/bin/sail artisan migrate`
-    - Install Composer packages: `vendor/bin/sail composer install`
-    - Execute Node commands: `vendor/bin/sail npm run dev`
-    - Execute PHP scripts: `vendor/bin/sail php [script]`
-- View all available Sail commands by running `vendor/bin/sail` without arguments.
+- Start services using `cd apps/platform && ./vendor/bin/sail up -d` and stop them with `cd apps/platform && ./vendor/bin/sail stop`.
+- Open the application in the browser by running `cd apps/platform && ./vendor/bin/sail open`.
+- Always prefix PHP, Artisan, Composer, and Node commands with `cd apps/platform && ./vendor/bin/sail`. Examples:
+    - Run Artisan Commands: `cd apps/platform && ./vendor/bin/sail artisan migrate`
+    - Install Composer packages: `cd apps/platform && ./vendor/bin/sail composer install`
+    - Execute Node commands: `cd apps/platform && ./vendor/bin/sail pnpm dev`
+    - Execute PHP scripts: `cd apps/platform && ./vendor/bin/sail php [script]`
+- View all available Sail commands by running `cd apps/platform && ./vendor/bin/sail` without arguments.
 
 === tests rules ===
 
 # Test Enforcement
 
 - Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
-- Run the minimum number of tests needed to ensure code quality and speed. Use `vendor/bin/sail artisan test --compact` with a specific filename or filter.
+- Run the minimum number of tests needed to ensure code quality and speed. Use `cd apps/platform && ./vendor/bin/sail artisan test --compact` with a specific filename or filter.
 
 === laravel/core rules ===
 
 # Do Things the Laravel Way
 
-- Use `vendor/bin/sail artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
-- If you're creating a generic PHP class, use `vendor/bin/sail artisan make:class`.
+- Use `cd apps/platform && ./vendor/bin/sail artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
+- If you're creating a generic PHP class, use `cd apps/platform && ./vendor/bin/sail artisan make:class`.
 - Pass `--no-interaction` to all Artisan commands to ensure they work without user input. You should also pass the correct `--options` to ensure correct behavior.
 
 ## Database
@@ -844,7 +849,7 @@ ## Database
 
 ### Model Creation
 
-- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `vendor/bin/sail artisan make:model`.
+- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `cd apps/platform && ./vendor/bin/sail artisan make:model`.
 
 ### APIs & Eloquent Resources
 
@@ -875,11 +880,11 @@ ## Testing
 
 - When creating models for tests, use the factories for the models. Check if the factory has custom states that can be used before manually setting up the model.
 - Faker: Use methods such as `$this->faker->word()` or `fake()->randomDigit()`. Follow existing conventions whether to use `$this->faker` or `fake()`.
-- When creating tests, make use of `vendor/bin/sail artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
+- When creating tests, make use of `cd apps/platform && ./vendor/bin/sail artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
 
 ## Vite Error
 
-- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `vendor/bin/sail npm run build` or ask the user to run `vendor/bin/sail npm run dev` or `vendor/bin/sail composer run dev`.
+- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `cd apps/platform && ./vendor/bin/sail pnpm build` or ask the user to run `cd apps/platform && ./vendor/bin/sail pnpm dev` or `cd apps/platform && ./vendor/bin/sail composer run dev`.
 
 === laravel/v12 rules ===
 
@@ -910,15 +915,15 @@ ### Models
 
 # Laravel Pint Code Formatter
 
-- You must run `vendor/bin/sail bin pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
-- Do not run `vendor/bin/sail bin pint --test --format agent`, simply run `vendor/bin/sail bin pint --format agent` to fix any formatting issues.
+- You must run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
+- Do not run `cd apps/platform && ./vendor/bin/sail bin pint --test --format agent`, simply run `cd apps/platform && ./vendor/bin/sail bin pint --format agent` to fix any formatting issues.
 
 === pest/core rules ===
 
 ## Pest
 
-- This project uses Pest for testing. Create tests: `vendor/bin/sail artisan make:test --pest {name}`.
-- Run tests: `vendor/bin/sail artisan test --compact` or filter: `vendor/bin/sail artisan test --compact --filter=testName`.
+- This project uses Pest for testing. Create tests: `cd apps/platform && ./vendor/bin/sail artisan make:test --pest {name}`.
+- Run tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact` or filter: `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=testName`.
 - Do NOT delete tests without approval.
 - CRITICAL: ALWAYS use `search-docs` tool for version-specific Pest documentation and updated code examples.
 - IMPORTANT: Activate `pest-testing` every time you're working with a Pest or testing-related task.

GEMINI.md

@@ -156,12 +156,13 @@ ## Security
 ## Commands
 
 ### Sail (preferred locally)
-- `./vendor/bin/sail up -d`
-- `./vendor/bin/sail down`
-- `./vendor/bin/sail composer install`
-- `./vendor/bin/sail artisan migrate`
-- `./vendor/bin/sail artisan test`
-- `./vendor/bin/sail artisan` (general)
+- `cd apps/platform && ./vendor/bin/sail up -d`
+- `cd apps/platform && ./vendor/bin/sail down`
+- `cd apps/platform && ./vendor/bin/sail composer install`
+- `cd apps/platform && ./vendor/bin/sail artisan migrate`
+- `cd apps/platform && ./vendor/bin/sail artisan test`
+- `cd apps/platform && ./vendor/bin/sail artisan` (general)
+- Root helper for tooling only: `./scripts/platform-sail ...`
 
 ### Drizzle (local DB tooling, if configured)
 - Use only for local/dev workflows.
@@ -173,10 +174,10 @@ ### Drizzle (local DB tooling, if configured)
 (Agents should confirm the exact script names in `package.json` before suggesting them.)
 
 ### Non-Docker fallback (only if needed)
-- `composer install`
-- `php artisan serve`
-- `php artisan migrate`
-- `php artisan test`
+- `cd apps/platform && composer install`
+- `cd apps/platform && php artisan serve`
+- `cd apps/platform && php artisan migrate`
+- `cd apps/platform && php artisan test`
 
 ### Frontend/assets/tooling (if present)
 - `pnpm install`
@@ -190,11 +191,11 @@ ## Where to look first
 - `.specify/`
 - `AGENTS.md`
 - `README.md`
-- `app/`
-- `database/`
-- `routes/`
-- `resources/`
-- `config/`
+- `apps/platform/app/`
+- `apps/platform/database/`
+- `apps/platform/routes/`
+- `apps/platform/resources/`
+- `apps/platform/config/`
 
 ---
 
@@ -271,7 +272,7 @@ ## 3) Panel setup defaults
 - Assets policy:
   - Panel-only assets: register via panel config.
   - Shared/plugin assets: register via `FilamentAsset::register()`.
-  - Deployment must include `php artisan filament:assets`.
+  - Deployment must include `cd apps/platform && php artisan filament:assets`.
 
 Sources:
 - https://filamentphp.com/docs/5.x/panel-configuration
@@ -508,7 +509,7 @@ ## Testing
 
 ## Deployment / Ops
 
-- [ ] `php artisan filament:assets` is included in the deployment process when using registered assets.
+- [ ] `cd apps/platform && php artisan filament:assets` is included in the deployment process when using registered assets.
   - Source: https://filamentphp.com/docs/5.x/advanced/assets — “The FilamentAsset facade”
 
 === foundation rules ===
@@ -521,7 +522,7 @@ ## Foundational Context
 
 This application is a Laravel application and its main Laravel ecosystems package & versions are below. You are an expert with them all. Ensure you abide by these specific packages & versions.
 
-- php - 8.4.1
+- php - 8.4.15
 - filament/filament (FILAMENT) - v5
 - laravel/framework (LARAVEL) - v12
 - laravel/prompts (PROMPTS) - v0
@@ -558,7 +559,9 @@ ## Application Structure & Architecture
 
 ## Frontend Bundling
 
-- If the user doesn't see a frontend change reflected in the UI, it could mean they need to run `vendor/bin/sail npm run build`, `vendor/bin/sail npm run dev`, or `vendor/bin/sail composer run dev`. Ask them.
+- Repo-root JavaScript orchestration now uses `corepack pnpm install`, `corepack pnpm dev:platform`, `corepack pnpm dev:website`, `corepack pnpm dev`, `corepack pnpm build:website`, and `corepack pnpm build:platform`.
+- `apps/website` is a standalone Astro app, not a second Laravel runtime, so Boost MCP remains platform-only.
+- If the user doesn't see a platform frontend change reflected in the UI, it could mean they need to run `cd apps/platform && ./vendor/bin/sail pnpm build`, `cd apps/platform && ./vendor/bin/sail pnpm dev`, or `cd apps/platform && ./vendor/bin/sail composer run dev`. Ask them.
 
 ## Documentation Files
 
@@ -650,28 +653,28 @@ ## PHPDoc Blocks
 # Laravel Sail
 
 - This project runs inside Laravel Sail's Docker containers. You MUST execute all commands through Sail.
-- Start services using `vendor/bin/sail up -d` and stop them with `vendor/bin/sail stop`.
-- Open the application in the browser by running `vendor/bin/sail open`.
-- Always prefix PHP, Artisan, Composer, and Node commands with `vendor/bin/sail`. Examples:
-    - Run Artisan Commands: `vendor/bin/sail artisan migrate`
-    - Install Composer packages: `vendor/bin/sail composer install`
-    - Execute Node commands: `vendor/bin/sail npm run dev`
-    - Execute PHP scripts: `vendor/bin/sail php [script]`
-- View all available Sail commands by running `vendor/bin/sail` without arguments.
+- Start services using `cd apps/platform && ./vendor/bin/sail up -d` and stop them with `cd apps/platform && ./vendor/bin/sail stop`.
+- Open the application in the browser by running `cd apps/platform && ./vendor/bin/sail open`.
+- Always prefix PHP, Artisan, Composer, and Node commands with `cd apps/platform && ./vendor/bin/sail`. Examples:
+    - Run Artisan Commands: `cd apps/platform && ./vendor/bin/sail artisan migrate`
+    - Install Composer packages: `cd apps/platform && ./vendor/bin/sail composer install`
+    - Execute Node commands: `cd apps/platform && ./vendor/bin/sail pnpm dev`
+    - Execute PHP scripts: `cd apps/platform && ./vendor/bin/sail php [script]`
+- View all available Sail commands by running `cd apps/platform && ./vendor/bin/sail` without arguments.
 
 === tests rules ===
 
 # Test Enforcement
 
 - Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
-- Run the minimum number of tests needed to ensure code quality and speed. Use `vendor/bin/sail artisan test --compact` with a specific filename or filter.
+- Run the minimum number of tests needed to ensure code quality and speed. Use `cd apps/platform && ./vendor/bin/sail artisan test --compact` with a specific filename or filter.
 
 === laravel/core rules ===
 
 # Do Things the Laravel Way
 
-- Use `vendor/bin/sail artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
-- If you're creating a generic PHP class, use `vendor/bin/sail artisan make:class`.
+- Use `cd apps/platform && ./vendor/bin/sail artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
+- If you're creating a generic PHP class, use `cd apps/platform && ./vendor/bin/sail artisan make:class`.
 - Pass `--no-interaction` to all Artisan commands to ensure they work without user input. You should also pass the correct `--options` to ensure correct behavior.
 
 ## Database
@@ -684,7 +687,7 @@ ## Database
 
 ### Model Creation
 
-- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `vendor/bin/sail artisan make:model`.
+- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `cd apps/platform && ./vendor/bin/sail artisan make:model`.
 
 ### APIs & Eloquent Resources
 
@@ -715,11 +718,11 @@ ## Testing
 
 - When creating models for tests, use the factories for the models. Check if the factory has custom states that can be used before manually setting up the model.
 - Faker: Use methods such as `$this->faker->word()` or `fake()->randomDigit()`. Follow existing conventions whether to use `$this->faker` or `fake()`.
-- When creating tests, make use of `vendor/bin/sail artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
+- When creating tests, make use of `cd apps/platform && ./vendor/bin/sail artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
 
 ## Vite Error
 
-- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `vendor/bin/sail npm run build` or ask the user to run `vendor/bin/sail npm run dev` or `vendor/bin/sail composer run dev`.
+- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `cd apps/platform && ./vendor/bin/sail pnpm build` or ask the user to run `cd apps/platform && ./vendor/bin/sail pnpm dev` or `cd apps/platform && ./vendor/bin/sail composer run dev`.
 
 === laravel/v12 rules ===
 
@@ -750,15 +753,15 @@ ### Models
 
 # Laravel Pint Code Formatter
 
-- You must run `vendor/bin/sail bin pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
-- Do not run `vendor/bin/sail bin pint --test --format agent`, simply run `vendor/bin/sail bin pint --format agent` to fix any formatting issues.
+- You must run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
+- Do not run `cd apps/platform && ./vendor/bin/sail bin pint --test --format agent`, simply run `cd apps/platform && ./vendor/bin/sail bin pint --format agent` to fix any formatting issues.
 
 === pest/core rules ===
 
 ## Pest
 
-- This project uses Pest for testing. Create tests: `vendor/bin/sail artisan make:test --pest {name}`.
-- Run tests: `vendor/bin/sail artisan test --compact` or filter: `vendor/bin/sail artisan test --compact --filter=testName`.
+- This project uses Pest for testing. Create tests: `cd apps/platform && ./vendor/bin/sail artisan make:test --pest {name}`.
+- Run tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact` or filter: `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=testName`.
 - Do NOT delete tests without approval.
 - CRITICAL: ALWAYS use `search-docs` tool for version-specific Pest documentation and updated code examples.
 - IMPORTANT: Activate `pest-testing` every time you're working with a Pest or testing-related task.

README.md

@@ -1,19 +1,50 @@
-<p align="center"><a href="https://laravel.com" target="_blank"><img src="https://raw.githubusercontent.com/laravel/art/master/logo-lockup/5%20SVG/2%20CMYK/1%20Full%20Color/laravel-logolockup-cmyk-red.svg" width="400" alt="Laravel Logo"></a></p>
+# TenantPilot Workspace
 
-<p align="center">
-<a href="https://github.com/laravel/framework/actions"><img src="https://github.com/laravel/framework/workflows/tests/badge.svg" alt="Build Status"></a>
-<a href="https://packagist.org/packages/laravel/framework"><img src="https://img.shields.io/packagist/dt/laravel/framework" alt="Total Downloads"></a>
-<a href="https://packagist.org/packages/laravel/framework"><img src="https://img.shields.io/packagist/v/laravel/framework" alt="Latest Stable Version"></a>
-<a href="https://packagist.org/packages/laravel/framework"><img src="https://img.shields.io/packagist/l/laravel/framework" alt="License"></a>
-</p>
+TenantPilot is an Intune management platform built around a stable Laravel application in
+`apps/platform` and, starting with Spec 183, a standalone public Astro website in
+`apps/website`. The repository root is now the official JavaScript workspace entry point and
+orchestrates app-local commands without becoming a runtime itself.
 
-## TenantPilot setup
+## Multi-App Topology
+
+- `apps/platform`: the Laravel 12 + Filament v5 + Livewire v4 product runtime
+- `apps/website`: the Astro v6 public website runtime
+- repo root: workspace manifests, documentation, scripts, editor tooling, and `docker-compose.yml`
+- `./scripts/platform-sail`: platform-only compatibility helper for tooling that cannot set `cwd`
+
+## Official Root Commands
+
+- Install workspace-managed JavaScript dependencies: `corepack pnpm install`
+- Start the platform stack: `corepack pnpm dev:platform`
+- Start the website dev server: `corepack pnpm dev:website`
+- Start platform + website together: `corepack pnpm dev`
+- Build the website: `corepack pnpm build:website`
+- Build platform frontend assets: `corepack pnpm build:platform`
+
+## App-Local Commands
+
+### Platform
+
+- Install PHP dependencies: `cd apps/platform && composer install`
+- Start Sail: `cd apps/platform && ./vendor/bin/sail up -d`
+- Generate the app key: `cd apps/platform && ./vendor/bin/sail artisan key:generate`
+- Run migrations and seeders: `cd apps/platform && ./vendor/bin/sail artisan migrate --seed`
+- Run frontend watch/build inside Sail: `cd apps/platform && ./vendor/bin/sail pnpm dev` or `cd apps/platform && ./vendor/bin/sail pnpm build`
+- Run tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact`
+
+### Website
+
+- Start the dev server: `cd apps/website && pnpm dev`
+- Build the static site: `cd apps/website && pnpm build`
+
+## Port Overrides
+
+- Platform HTTP and Vite ports: set `APP_PORT` and or `VITE_PORT` before `corepack pnpm dev:platform` or `cd apps/platform && ./vendor/bin/sail up -d`
+- Website dev server port: set `WEBSITE_PORT` before `corepack pnpm dev:website` or pass `--port <port>` to `cd apps/website && pnpm dev`
+- Parallel local development keeps both apps isolated, even when one or both ports are overridden
+
+## Platform Setup Notes
 
-- Local dev (Sail-first):
-  - Start stack: `./vendor/bin/sail up -d`
-  - Init DB: `./vendor/bin/sail artisan migrate --seed`
-  - Tests: `./vendor/bin/sail artisan test`
-  - Policy sync: `./vendor/bin/sail artisan intune:sync-policies`
 - Filament admin: `/admin` (seed user `test@example.com`, set password via factory or `artisan tinker`).
 - Microsoft Graph (Intune) env vars:
   - `GRAPH_TENANT_ID`
@@ -25,10 +56,17 @@ ## TenantPilot setup
     - **Missing permissions?** Scope tags will show as "Unknown (ID: X)" - add `DeviceManagementRBAC.Read.All`
 - Deployment (Dokploy, staging → production):
   - Containerized deploy; ensure Postgres + Redis are provisioned (see `docker-compose.yml` for local baseline).
+  - Run application commands from `apps/platform`, including `php artisan filament:assets`.
   - Run migrations on staging first, validate backup/restore flows, then promote to production.
   - Ensure queue workers are running for jobs (e.g., policy sync) after deploy.
   - Keep secrets/env in Dokploy, never in code.
 
+## Platform relocation rollout notes
+
+- Open branches that still touch legacy root app paths should merge `dev` first, then remap file moves from `app/`, `bootstrap/`, `config/`, `database/`, `lang/`, `public/`, `resources/`, `routes/`, `storage/`, and `tests/` into `apps/platform/...`.
+- Keep using merge-based catch-up on shared feature branches; do not rebase long-lived shared branches just to absorb the relocation.
+- VS Code tasks expose the official root workspace commands, while MCP launchers remain platform-only and delegate through `./scripts/platform-sail`.
+
 ## Bulk operations (Feature 005)
 
 - Bulk actions are available in Filament resource tables (Policies, Policy Versions, Backup Sets, Restore Runs).
@@ -39,8 +77,23 @@ ### Troubleshooting
 
 - **Progress stuck on “Queued…”** usually means the queue worker is not running (or not processing the queue you expect).
   - Prefer using the Sail/Docker worker (see `docker-compose.yml`) rather than starting an additional local `php artisan queue:work`.
-  - Check worker status/logs: `./vendor/bin/sail ps` and `./vendor/bin/sail logs -f queue`.
+  - Check worker status/logs: `cd apps/platform && ./vendor/bin/sail ps` and `cd apps/platform && ./vendor/bin/sail logs -f queue`.
 - **Exit code 137** for `queue:work` typically means the process was killed (often OOM). Increase Docker memory/limits or run the worker inside the container.
+- **Moved app but old commands still fail** usually means the command is still being run from repo root. Switch to `cd apps/platform && ...` or use `./scripts/platform-sail ...` only for tooling that cannot set `cwd`.
+
+## Rollback checklist
+
+1. Revert the relocation commit or merge on your feature branch instead of hard-resetting shared history.
+2. Preserve any local app env overrides before switching commits: `cp apps/platform/.env /tmp/tenantatlas.platform.env.backup` if needed.
+3. Stop local containers and clean generated artifacts: `cd apps/platform && ./vendor/bin/sail down -v`, then remove `apps/platform/vendor`, `apps/platform/node_modules`, `apps/platform/public/build`, and `apps/platform/public/hot` if they need a clean rebuild.
+4. After rollback, restore the matching env file for the restored topology and rerun the documented setup flow for that commit.
+5. Notify owners of open feature branches that the topology changed so they can remap outstanding work before the next merge from `dev`.
+
+## Deployment unknowns
+
+- Dokploy build context for a repo-root compose file plus an app-root Laravel runtime still needs staging confirmation.
+- Production web, queue, and scheduler working directories must be verified explicitly after the move; do not assume repo root and app root behave interchangeably.
+- Any Dokploy volume mounts or storage persistence paths that previously targeted repo-root `storage/` must be reviewed against `apps/platform/storage/`.
 
 ### Configuration
 
@@ -64,7 +117,7 @@ ## Graph Contract Registry & Drift Guard
   - Sanitizes `$select`/`$expand` to allowed fields; logs warnings on trim.
   - Derived @odata.type values within the family are accepted for preview/restore routing.
   - Capability fallback: on 400s related to select/expand, retries without those clauses and surfaces warnings.
-- Drift check: `php artisan graph:contract:check [--tenant=]` runs lightweight probes against contract endpoints to detect capability/shape issues; useful in staging/CI (prod optional).
+- Drift check: `cd apps/platform && php artisan graph:contract:check [--tenant=]` runs lightweight probes against contract endpoints to detect capability/shape issues; useful in staging/CI (prod optional).
 - If Graph returns capability errors, TenantPilot downgrades safely, records warnings/audit entries, and avoids breaking preview/restore flows.
 
 ## Policy Settings Display
@@ -89,54 +142,3 @@ ## Policy JSON Viewer (Feature 002)
   - Scrollable container with max height to prevent page overflow
 - **Usage**: See `specs/002-filament-json/quickstart.md` for detailed examples and configuration
 - **Performance**: Optimized for payloads up to 1 MB; auto-collapse improves initial render for large snapshots
-
-## About Laravel
-
-Laravel is a web application framework with expressive, elegant syntax. We believe development must be an enjoyable and creative experience to be truly fulfilling. Laravel takes the pain out of development by easing common tasks used in many web projects, such as:
-
-- [Simple, fast routing engine](https://laravel.com/docs/routing).
-- [Powerful dependency injection container](https://laravel.com/docs/container).
-- Multiple back-ends for [session](https://laravel.com/docs/session) and [cache](https://laravel.com/docs/cache) storage.
-- Expressive, intuitive [database ORM](https://laravel.com/docs/eloquent).
-- Database agnostic [schema migrations](https://laravel.com/docs/migrations).
-- [Robust background job processing](https://laravel.com/docs/queues).
-- [Real-time event broadcasting](https://laravel.com/docs/broadcasting).
-
-Laravel is accessible, powerful, and provides tools required for large, robust applications.
-
-## Learning Laravel
-
-Laravel has the most extensive and thorough [documentation](https://laravel.com/docs) and video tutorial library of all modern web application frameworks, making it a breeze to get started with the framework. You can also check out [Laravel Learn](https://laravel.com/learn), where you will be guided through building a modern Laravel application.
-
-If you don't feel like reading, [Laracasts](https://laracasts.com) can help. Laracasts contains thousands of video tutorials on a range of topics including Laravel, modern PHP, unit testing, and JavaScript. Boost your skills by digging into our comprehensive video library.
-
-## Laravel Sponsors
-
-We would like to extend our thanks to the following sponsors for funding Laravel development. If you are interested in becoming a sponsor, please visit the [Laravel Partners program](https://partners.laravel.com).
-
-### Premium Partners
-
-- **[Vehikl](https://vehikl.com)**
-- **[Tighten Co.](https://tighten.co)**
-- **[Kirschbaum Development Group](https://kirschbaumdevelopment.com)**
-- **[64 Robots](https://64robots.com)**
-- **[Curotec](https://www.curotec.com/services/technologies/laravel)**
-- **[DevSquad](https://devsquad.com/hire-laravel-developers)**
-- **[Redberry](https://redberry.international/laravel-development)**
-- **[Active Logic](https://activelogic.com)**
-
-## Contributing
-
-Thank you for considering contributing to the Laravel framework! The contribution guide can be found in the [Laravel documentation](https://laravel.com/docs/contributions).
-
-## Code of Conduct
-
-In order to ensure that the Laravel community is welcoming to all, please review and abide by the [Code of Conduct](https://laravel.com/docs/contributions#code-of-conduct).
-
-## Security Vulnerabilities
-
-If you discover a security vulnerability within Laravel, please send an e-mail to Taylor Otwell via [taylor@laravel.com](mailto:taylor@laravel.com). All security vulnerabilities will be promptly addressed.
-
-## License
-
-The Laravel framework is open-sourced software licensed under the [MIT license](https://opensource.org/licenses/MIT).

app/Filament/Pages/BaselineCompareLanding.php

@@ -1,304 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Pages;
-
-use App\Filament\Resources\FindingResource;
-use App\Models\BaselineTenantAssignment;
-use App\Models\Finding;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\Auth\CapabilityResolver;
-use App\Services\Baselines\BaselineCompareService;
-use App\Support\Auth\Capabilities;
-use App\Support\OperationRunLinks;
-use App\Support\OpsUx\OperationUxPresenter;
-use App\Support\OpsUx\OpsUxBrowserEvents;
-use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
-use BackedEnum;
-use Filament\Actions\Action;
-use Filament\Notifications\Notification;
-use Filament\Pages\Page;
-use UnitEnum;
-
-class BaselineCompareLanding extends Page
-{
-    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-scale';
-
-    protected static string|UnitEnum|null $navigationGroup = 'Governance';
-
-    protected static ?string $navigationLabel = 'Baseline Compare';
-
-    protected static ?int $navigationSort = 10;
-
-    protected static ?string $title = 'Baseline Compare';
-
-    protected string $view = 'filament.pages.baseline-compare-landing';
-
-    public ?string $state = null;
-
-    public ?string $message = null;
-
-    public ?string $profileName = null;
-
-    public ?int $profileId = null;
-
-    public ?int $snapshotId = null;
-
-    public ?int $operationRunId = null;
-
-    public ?int $findingsCount = null;
-
-    /** @var array<string, int>|null */
-    public ?array $severityCounts = null;
-
-    public ?string $lastComparedAt = null;
-
-    public static function canAccess(): bool
-    {
-        $user = auth()->user();
-
-        if (! $user instanceof User) {
-            return false;
-        }
-
-        $tenant = Tenant::current();
-
-        if (! $tenant instanceof Tenant) {
-            return false;
-        }
-
-        $resolver = app(CapabilityResolver::class);
-
-        return $resolver->can($user, $tenant, Capabilities::TENANT_VIEW);
-    }
-
-    public function mount(): void
-    {
-        $tenant = Tenant::current();
-
-        if (! $tenant instanceof Tenant) {
-            $this->state = 'no_tenant';
-            $this->message = 'No tenant selected.';
-
-            return;
-        }
-
-        $assignment = BaselineTenantAssignment::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->first();
-
-        if (! $assignment instanceof BaselineTenantAssignment) {
-            $this->state = 'no_assignment';
-            $this->message = 'This tenant has no baseline assignment. A workspace manager can assign a baseline profile to this tenant.';
-
-            return;
-        }
-
-        $profile = $assignment->baselineProfile;
-
-        if ($profile === null) {
-            $this->state = 'no_assignment';
-            $this->message = 'The assigned baseline profile no longer exists.';
-
-            return;
-        }
-
-        $this->profileName = (string) $profile->name;
-        $this->profileId = (int) $profile->getKey();
-        $this->snapshotId = $profile->active_snapshot_id !== null ? (int) $profile->active_snapshot_id : null;
-
-        if ($this->snapshotId === null) {
-            $this->state = 'no_snapshot';
-            $this->message = 'The baseline profile has no active snapshot yet. A workspace manager needs to capture a snapshot first.';
-
-            return;
-        }
-
-        $latestRun = OperationRun::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->where('type', 'baseline_compare')
-            ->latest('id')
-            ->first();
-
-        if ($latestRun instanceof OperationRun && in_array($latestRun->status, ['queued', 'running'], true)) {
-            $this->state = 'comparing';
-            $this->operationRunId = (int) $latestRun->getKey();
-            $this->message = 'A baseline comparison is currently in progress.';
-
-            return;
-        }
-
-        if ($latestRun instanceof OperationRun && $latestRun->finished_at !== null) {
-            $this->lastComparedAt = $latestRun->finished_at->diffForHumans();
-        }
-
-        $scopeKey = 'baseline_profile:'.$profile->getKey();
-
-        $findingsQuery = Finding::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
-            ->where('source', 'baseline.compare')
-            ->where('scope_key', $scopeKey);
-
-        $totalFindings = (int) (clone $findingsQuery)->count();
-
-        if ($totalFindings > 0) {
-            $this->state = 'ready';
-            $this->findingsCount = $totalFindings;
-            $this->severityCounts = [
-                'high' => (int) (clone $findingsQuery)->where('severity', Finding::SEVERITY_HIGH)->count(),
-                'medium' => (int) (clone $findingsQuery)->where('severity', Finding::SEVERITY_MEDIUM)->count(),
-                'low' => (int) (clone $findingsQuery)->where('severity', Finding::SEVERITY_LOW)->count(),
-            ];
-
-            if ($latestRun instanceof OperationRun) {
-                $this->operationRunId = (int) $latestRun->getKey();
-            }
-
-            return;
-        }
-
-        if ($latestRun instanceof OperationRun && $latestRun->status === 'completed' && $latestRun->outcome === 'succeeded') {
-            $this->state = 'ready';
-            $this->findingsCount = 0;
-            $this->operationRunId = (int) $latestRun->getKey();
-            $this->message = 'No drift findings for this baseline comparison. The tenant matches the baseline.';
-
-            return;
-        }
-
-        $this->state = 'idle';
-        $this->message = 'Baseline profile is assigned and has a snapshot. Run "Compare Now" to check for drift.';
-    }
-
-    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
-    {
-        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
-            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header action: Compare Now (confirmation modal, capability-gated).')
-            ->exempt(ActionSurfaceSlot::InspectAffordance, 'This is a tenant-scoped landing page, not a record inspect surface.')
-            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'This page does not render table rows with secondary actions.')
-            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'This page has no bulk actions.')
-            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Page renders explicit empty states for missing tenant, missing assignment, and missing snapshot, with guidance messaging.')
-            ->exempt(ActionSurfaceSlot::DetailHeader, 'This page does not have a record detail header; it uses a page header action instead.');
-    }
-
-    /**
-     * @return array<Action>
-     */
-    protected function getHeaderActions(): array
-    {
-        return [
-            $this->compareNowAction(),
-        ];
-    }
-
-    private function compareNowAction(): Action
-    {
-        return Action::make('compareNow')
-            ->label('Compare Now')
-            ->icon('heroicon-o-play')
-            ->requiresConfirmation()
-            ->modalHeading('Start baseline comparison')
-            ->modalDescription('This will compare the current tenant inventory against the assigned baseline snapshot and generate drift findings.')
-            ->visible(fn (): bool => $this->canCompare())
-            ->disabled(fn (): bool => ! in_array($this->state, ['idle', 'ready'], true))
-            ->action(function (): void {
-                $user = auth()->user();
-
-                if (! $user instanceof User) {
-                    Notification::make()->title('Not authenticated')->danger()->send();
-
-                    return;
-                }
-
-                $tenant = Tenant::current();
-
-                if (! $tenant instanceof Tenant) {
-                    Notification::make()->title('No tenant context')->danger()->send();
-
-                    return;
-                }
-
-                $service = app(BaselineCompareService::class);
-                $result = $service->startCompare($tenant, $user);
-
-                if (! ($result['ok'] ?? false)) {
-                    Notification::make()
-                        ->title('Cannot start comparison')
-                        ->body('Reason: '.($result['reason_code'] ?? 'unknown'))
-                        ->danger()
-                        ->send();
-
-                    return;
-                }
-
-                $run = $result['run'] ?? null;
-
-                if ($run instanceof OperationRun) {
-                    $this->operationRunId = (int) $run->getKey();
-                }
-
-                $this->state = 'comparing';
-
-                OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                OperationUxPresenter::queuedToast($run instanceof OperationRun ? (string) $run->type : 'baseline_compare')
-                    ->actions($run instanceof OperationRun ? [
-                        Action::make('view_run')
-                            ->label('View run')
-                            ->url(OperationRunLinks::view($run, $tenant)),
-                    ] : [])
-                    ->send();
-            });
-    }
-
-    private function canCompare(): bool
-    {
-        $user = auth()->user();
-
-        if (! $user instanceof User) {
-            return false;
-        }
-
-        $tenant = Tenant::current();
-
-        if (! $tenant instanceof Tenant) {
-            return false;
-        }
-
-        $resolver = app(CapabilityResolver::class);
-
-        return $resolver->can($user, $tenant, Capabilities::TENANT_SYNC);
-    }
-
-    public function getFindingsUrl(): ?string
-    {
-        $tenant = Tenant::current();
-
-        if (! $tenant instanceof Tenant) {
-            return null;
-        }
-
-        return FindingResource::getUrl('index', tenant: $tenant);
-    }
-
-    public function getRunUrl(): ?string
-    {
-        if ($this->operationRunId === null) {
-            return null;
-        }
-
-        $tenant = Tenant::current();
-
-        if (! $tenant instanceof Tenant) {
-            return null;
-        }
-
-        return OperationRunLinks::view($this->operationRunId, $tenant);
-    }
-}

app/Filament/Pages/DriftLanding.php

@@ -1,295 +0,0 @@
-<?php
-
-namespace App\Filament\Pages;
-
-use App\Filament\Resources\FindingResource;
-use App\Jobs\GenerateDriftFindingsJob;
-use App\Models\Finding;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\Auth\CapabilityResolver;
-use App\Services\Drift\DriftRunSelector;
-use App\Services\OperationRunService;
-use App\Services\Operations\BulkSelectionIdentity;
-use App\Support\Auth\Capabilities;
-use App\Support\OperationRunLinks;
-use App\Support\OperationRunOutcome;
-use App\Support\OperationRunStatus;
-use App\Support\OpsUx\OperationUxPresenter;
-use App\Support\OpsUx\OpsUxBrowserEvents;
-use BackedEnum;
-use Filament\Actions\Action;
-use Filament\Pages\Page;
-use UnitEnum;
-
-class DriftLanding extends Page
-{
-    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-arrows-right-left';
-
-    protected static string|UnitEnum|null $navigationGroup = 'Governance';
-
-    protected static ?string $navigationLabel = 'Drift';
-
-    protected string $view = 'filament.pages.drift-landing';
-
-    public ?string $state = null;
-
-    public ?string $message = null;
-
-    public ?string $scopeKey = null;
-
-    public ?int $baselineRunId = null;
-
-    public ?int $currentRunId = null;
-
-    public ?string $baselineFinishedAt = null;
-
-    public ?string $currentFinishedAt = null;
-
-    public ?int $operationRunId = null;
-
-    /** @var array<string, int>|null */
-    public ?array $statusCounts = null;
-
-    public static function canAccess(): bool
-    {
-        return FindingResource::canAccess();
-    }
-
-    public function mount(): void
-    {
-        $tenant = Tenant::current();
-
-        $user = auth()->user();
-        if (! $user instanceof User) {
-            abort(403, 'Not allowed');
-        }
-
-        $latestSuccessful = OperationRun::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->where('type', 'inventory_sync')
-            ->where('status', OperationRunStatus::Completed->value)
-            ->whereIn('outcome', [
-                OperationRunOutcome::Succeeded->value,
-                OperationRunOutcome::PartiallySucceeded->value,
-            ])
-            ->whereNotNull('completed_at')
-            ->orderByDesc('completed_at')
-            ->first();
-
-        if (! $latestSuccessful instanceof OperationRun) {
-            $this->state = 'blocked';
-            $this->message = 'No successful inventory runs found yet.';
-
-            return;
-        }
-
-        $latestContext = is_array($latestSuccessful->context) ? $latestSuccessful->context : [];
-        $scopeKey = (string) ($latestContext['selection_hash'] ?? '');
-
-        if ($scopeKey === '') {
-            $this->state = 'blocked';
-            $this->message = 'No inventory scope key was found on the latest successful inventory run.';
-
-            return;
-        }
-
-        $this->scopeKey = $scopeKey;
-
-        $selector = app(DriftRunSelector::class);
-        $comparison = $selector->selectBaselineAndCurrent($tenant, $scopeKey);
-
-        if ($comparison === null) {
-            $this->state = 'blocked';
-            $this->message = 'Need at least 2 successful runs for this scope to calculate drift.';
-
-            return;
-        }
-
-        $baseline = $comparison['baseline'];
-        $current = $comparison['current'];
-
-        $this->baselineRunId = (int) $baseline->getKey();
-        $this->currentRunId = (int) $current->getKey();
-
-        $this->baselineFinishedAt = $baseline->completed_at?->toDateTimeString();
-        $this->currentFinishedAt = $current->completed_at?->toDateTimeString();
-
-        $existingOperationRun = OperationRun::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->where('type', 'drift_generate_findings')
-            ->where('context->scope_key', $scopeKey)
-            ->where('context->baseline_operation_run_id', (int) $baseline->getKey())
-            ->where('context->current_operation_run_id', (int) $current->getKey())
-            ->latest('id')
-            ->first();
-
-        if ($existingOperationRun instanceof OperationRun) {
-            $this->operationRunId = (int) $existingOperationRun->getKey();
-        }
-
-        $exists = Finding::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
-            ->where('scope_key', $scopeKey)
-            ->where('baseline_operation_run_id', $baseline->getKey())
-            ->where('current_operation_run_id', $current->getKey())
-            ->exists();
-
-        if ($exists) {
-            $this->state = 'ready';
-            $newCount = (int) Finding::query()
-                ->where('tenant_id', $tenant->getKey())
-                ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
-                ->where('scope_key', $scopeKey)
-                ->where('baseline_operation_run_id', $baseline->getKey())
-                ->where('current_operation_run_id', $current->getKey())
-                ->where('status', Finding::STATUS_NEW)
-                ->count();
-
-            $this->statusCounts = [Finding::STATUS_NEW => $newCount];
-
-            return;
-        }
-
-        $existingOperationRun?->refresh();
-
-        if ($existingOperationRun instanceof OperationRun
-            && in_array($existingOperationRun->status, ['queued', 'running'], true)
-        ) {
-            $this->state = 'generating';
-            $this->operationRunId = (int) $existingOperationRun->getKey();
-
-            return;
-        }
-
-        if ($existingOperationRun instanceof OperationRun
-            && $existingOperationRun->status === 'completed'
-        ) {
-            $counts = is_array($existingOperationRun->summary_counts ?? null) ? $existingOperationRun->summary_counts : [];
-            $created = (int) ($counts['created'] ?? 0);
-
-            if ($existingOperationRun->outcome === 'failed') {
-                $this->state = 'error';
-                $this->message = 'Drift generation failed for this comparison. See the run for details.';
-                $this->operationRunId = (int) $existingOperationRun->getKey();
-
-                return;
-            }
-
-            if ($created === 0) {
-                $this->state = 'ready';
-                $this->statusCounts = [Finding::STATUS_NEW => 0];
-                $this->message = 'No drift findings for this comparison. If you changed settings after the current run, run Inventory Sync again to capture a newer snapshot.';
-                $this->operationRunId = (int) $existingOperationRun->getKey();
-
-                return;
-            }
-        }
-
-        /** @var CapabilityResolver $resolver */
-        $resolver = app(CapabilityResolver::class);
-
-        if (! $resolver->can($user, $tenant, Capabilities::TENANT_SYNC)) {
-            $this->state = 'blocked';
-            $this->message = 'You can view existing drift findings and run history, but you do not have permission to generate drift.';
-
-            return;
-        }
-
-        /** @var BulkSelectionIdentity $selection */
-        $selection = app(BulkSelectionIdentity::class);
-        $selectionIdentity = $selection->fromQuery([
-            'scope_key' => $scopeKey,
-            'baseline_operation_run_id' => (int) $baseline->getKey(),
-            'current_operation_run_id' => (int) $current->getKey(),
-        ]);
-
-        /** @var OperationRunService $opService */
-        $opService = app(OperationRunService::class);
-
-        $opRun = $opService->enqueueBulkOperation(
-            tenant: $tenant,
-            type: 'drift_generate_findings',
-            targetScope: [
-                'entra_tenant_id' => (string) ($tenant->tenant_id ?? $tenant->external_id),
-            ],
-            selectionIdentity: $selectionIdentity,
-            dispatcher: function ($operationRun) use ($tenant, $user, $baseline, $current, $scopeKey): void {
-                GenerateDriftFindingsJob::dispatch(
-                    tenantId: (int) $tenant->getKey(),
-                    userId: (int) $user->getKey(),
-                    baselineRunId: (int) $baseline->getKey(),
-                    currentRunId: (int) $current->getKey(),
-                    scopeKey: $scopeKey,
-                    operationRun: $operationRun,
-                );
-            },
-            initiator: $user,
-            extraContext: [
-                'scope_key' => $scopeKey,
-                'baseline_operation_run_id' => (int) $baseline->getKey(),
-                'current_operation_run_id' => (int) $current->getKey(),
-            ],
-            emitQueuedNotification: false,
-        );
-
-        $this->operationRunId = (int) $opRun->getKey();
-        $this->state = 'generating';
-
-        if (! $opRun->wasRecentlyCreated) {
-            OpsUxBrowserEvents::dispatchRunEnqueued($this);
-            OperationUxPresenter::alreadyQueuedToast((string) $opRun->type)
-                ->actions([
-                    Action::make('view_run')
-                        ->label('View run')
-                        ->url(OperationRunLinks::view($opRun, $tenant)),
-                ])
-                ->send();
-
-            return;
-        }
-
-        OpsUxBrowserEvents::dispatchRunEnqueued($this);
-        OperationUxPresenter::queuedToast((string) $opRun->type)
-            ->actions([
-                Action::make('view_run')
-                    ->label('View run')
-                    ->url(OperationRunLinks::view($opRun, $tenant)),
-            ])
-            ->send();
-    }
-
-    public function getFindingsUrl(): string
-    {
-        return FindingResource::getUrl('index', tenant: Tenant::current());
-    }
-
-    public function getBaselineRunUrl(): ?string
-    {
-        if (! is_int($this->baselineRunId)) {
-            return null;
-        }
-
-        return route('admin.operations.view', ['run' => $this->baselineRunId]);
-    }
-
-    public function getCurrentRunUrl(): ?string
-    {
-        if (! is_int($this->currentRunId)) {
-            return null;
-        }
-
-        return route('admin.operations.view', ['run' => $this->currentRunId]);
-    }
-
-    public function getOperationRunUrl(): ?string
-    {
-        if (! is_int($this->operationRunId)) {
-            return null;
-        }
-
-        return OperationRunLinks::view($this->operationRunId, Tenant::current());
-    }
-}

app/Filament/Pages/InventoryCoverage.php

@@ -1,86 +0,0 @@
-<?php
-
-namespace App\Filament\Pages;
-
-use App\Filament\Clusters\Inventory\InventoryCluster;
-use App\Filament\Widgets\Inventory\InventoryKpiHeader;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\Auth\CapabilityResolver;
-use App\Services\Inventory\CoverageCapabilitiesResolver;
-use App\Support\Auth\Capabilities;
-use App\Support\Inventory\InventoryPolicyTypeMeta;
-use BackedEnum;
-use Filament\Pages\Page;
-use UnitEnum;
-
-class InventoryCoverage extends Page
-{
-    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-table-cells';
-
-    protected static ?int $navigationSort = 3;
-
-    protected static string|UnitEnum|null $navigationGroup = 'Inventory';
-
-    protected static ?string $navigationLabel = 'Coverage';
-
-    protected static ?string $cluster = InventoryCluster::class;
-
-    protected string $view = 'filament.pages.inventory-coverage';
-
-    public static function canAccess(): bool
-    {
-        $tenant = Tenant::current();
-        $user = auth()->user();
-
-        if (! $tenant instanceof Tenant || ! $user instanceof User) {
-            return false;
-        }
-
-        /** @var CapabilityResolver $resolver */
-        $resolver = app(CapabilityResolver::class);
-
-        return $resolver->isMember($user, $tenant)
-            && $resolver->can($user, $tenant, Capabilities::TENANT_VIEW);
-    }
-
-    protected function getHeaderWidgets(): array
-    {
-        return [
-            InventoryKpiHeader::class,
-        ];
-    }
-
-    /**
-     * @var array<int, array<string, mixed>>
-     */
-    public array $supportedPolicyTypes = [];
-
-    /**
-     * @var array<int, array<string, mixed>>
-     */
-    public array $foundationTypes = [];
-
-    public function mount(): void
-    {
-        $resolver = app(CoverageCapabilitiesResolver::class);
-
-        $this->supportedPolicyTypes = collect(InventoryPolicyTypeMeta::supported())
-            ->map(function (array $row) use ($resolver): array {
-                $type = (string) ($row['type'] ?? '');
-
-                return array_merge($row, [
-                    'dependencies' => $type !== '' && $resolver->supportsDependencies($type),
-                ]);
-            })
-            ->all();
-
-        $this->foundationTypes = collect(InventoryPolicyTypeMeta::foundations())
-            ->map(function (array $row): array {
-                return array_merge($row, [
-                    'dependencies' => false,
-                ]);
-            })
-            ->all();
-    }
-}

app/Filament/Pages/Monitoring/AuditLog.php

@@ -1,41 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Pages\Monitoring;
-
-use App\Support\OperateHub\OperateHubShell;
-use BackedEnum;
-use Filament\Actions\Action;
-use Filament\Pages\Page;
-use UnitEnum;
-
-class AuditLog extends Page
-{
-    protected static bool $isDiscovered = false;
-
-    protected static bool $shouldRegisterNavigation = false;
-
-    protected static string|UnitEnum|null $navigationGroup = 'Monitoring';
-
-    protected static ?string $navigationLabel = 'Audit Log';
-
-    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-clipboard-document-list';
-
-    protected static ?string $slug = 'audit-log';
-
-    protected static ?string $title = 'Audit Log';
-
-    protected string $view = 'filament.pages.monitoring.audit-log';
-
-    /**
-     * @return array<Action>
-     */
-    protected function getHeaderActions(): array
-    {
-        return app(OperateHubShell::class)->headerActions(
-            scopeActionName: 'operate_hub_scope_audit_log',
-            returnActionName: 'operate_hub_return_audit_log',
-        );
-    }
-}

app/Filament/Pages/Monitoring/Operations.php

@@ -1,149 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Pages\Monitoring;
-
-use App\Filament\Resources\OperationRunResource;
-use App\Filament\Widgets\Operations\OperationsKpiHeader;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Support\OperateHub\OperateHubShell;
-use App\Support\OperationRunOutcome;
-use App\Support\OperationRunStatus;
-use App\Support\Workspaces\WorkspaceContext;
-use BackedEnum;
-use Filament\Actions\Action;
-use Filament\Facades\Filament;
-use Filament\Forms\Concerns\InteractsWithForms;
-use Filament\Forms\Contracts\HasForms;
-use Filament\Pages\Page;
-use Filament\Tables\Concerns\InteractsWithTable;
-use Filament\Tables\Contracts\HasTable;
-use Filament\Tables\Table;
-use Illuminate\Database\Eloquent\Builder;
-use UnitEnum;
-
-class Operations extends Page implements HasForms, HasTable
-{
-    use InteractsWithForms;
-    use InteractsWithTable;
-
-    public string $activeTab = 'all';
-
-    protected static bool $isDiscovered = false;
-
-    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-queue-list';
-
-    protected static string|UnitEnum|null $navigationGroup = 'Monitoring';
-
-    protected static ?string $title = 'Operations';
-
-    // Must be non-static
-    protected string $view = 'filament.pages.monitoring.operations';
-
-    public function mount(): void
-    {
-        $this->mountInteractsWithTable();
-    }
-
-    protected function getHeaderWidgets(): array
-    {
-        return [
-            OperationsKpiHeader::class,
-        ];
-    }
-
-    /**
-     * @return array<Action>
-     */
-    protected function getHeaderActions(): array
-    {
-        $operateHubShell = app(OperateHubShell::class);
-
-        $actions = [
-            Action::make('operate_hub_scope_operations')
-                ->label($operateHubShell->scopeLabel(request()))
-                ->color('gray')
-                ->disabled(),
-        ];
-
-        $activeTenant = $operateHubShell->activeEntitledTenant(request());
-
-        if ($activeTenant instanceof Tenant) {
-            $actions[] = Action::make('operate_hub_back_to_tenant_operations')
-                ->label('Back to '.$activeTenant->name)
-                ->icon('heroicon-o-arrow-left')
-                ->color('gray')
-                ->url(\App\Filament\Pages\TenantDashboard::getUrl(panel: 'tenant', tenant: $activeTenant));
-
-            $actions[] = Action::make('operate_hub_show_all_tenants')
-                ->label('Show all tenants')
-                ->color('gray')
-                ->action(function (): void {
-                    Filament::setTenant(null, true);
-
-                    app(WorkspaceContext::class)->clearLastTenantId(request());
-
-                    $this->removeTableFilter('tenant_id');
-
-                    $this->redirect('/admin/operations');
-                });
-        }
-
-        return $actions;
-    }
-
-    public function updatedActiveTab(): void
-    {
-        $this->resetPage();
-    }
-
-    public function table(Table $table): Table
-    {
-        return OperationRunResource::table($table)
-            ->query(function (): Builder {
-                $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
-
-                $activeTenant = app(OperateHubShell::class)->activeEntitledTenant(request());
-
-                $query = OperationRun::query()
-                    ->with('user')
-                    ->latest('id')
-                    ->when(
-                        $workspaceId,
-                        fn (Builder $query): Builder => $query->where('workspace_id', (int) $workspaceId),
-                    )
-                    ->when(
-                        ! $workspaceId,
-                        fn (Builder $query): Builder => $query->whereRaw('1 = 0'),
-                    )
-                    ->when(
-                        $activeTenant instanceof Tenant,
-                        fn (Builder $query): Builder => $query->where('tenant_id', (int) $activeTenant->getKey()),
-                    );
-
-                return $this->applyActiveTab($query);
-            });
-    }
-
-    private function applyActiveTab(Builder $query): Builder
-    {
-        return match ($this->activeTab) {
-            'active' => $query->whereIn('status', [
-                OperationRunStatus::Queued->value,
-                OperationRunStatus::Running->value,
-            ]),
-            'succeeded' => $query
-                ->where('status', OperationRunStatus::Completed->value)
-                ->where('outcome', OperationRunOutcome::Succeeded->value),
-            'partial' => $query
-                ->where('status', OperationRunStatus::Completed->value)
-                ->where('outcome', OperationRunOutcome::PartiallySucceeded->value),
-            'failed' => $query
-                ->where('status', OperationRunStatus::Completed->value)
-                ->where('outcome', OperationRunOutcome::Failed->value),
-            default => $query,
-        };
-    }
-}

app/Filament/Pages/Operations/TenantlessOperationRunViewer.php

@@ -1,142 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Pages\Operations;
-
-use App\Filament\Resources\OperationRunResource;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\Auth\CapabilityResolver;
-use App\Support\OperateHub\OperateHubShell;
-use App\Support\OperationRunLinks;
-use Filament\Actions\Action;
-use Filament\Actions\ActionGroup;
-use Filament\Pages\Page;
-use Filament\Schemas\Components\EmbeddedSchema;
-use Filament\Schemas\Schema;
-use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
-use Illuminate\Support\Str;
-
-class TenantlessOperationRunViewer extends Page
-{
-    use AuthorizesRequests;
-
-    protected static bool $shouldRegisterNavigation = false;
-
-    protected static bool $isDiscovered = false;
-
-    protected static ?string $title = 'Operation run';
-
-    protected string $view = 'filament.pages.operations.tenantless-operation-run-viewer';
-
-    public OperationRun $run;
-
-    public bool $opsUxIsTabHidden = false;
-
-    /**
-     * @return array<Action|ActionGroup>
-     */
-    protected function getHeaderActions(): array
-    {
-        $operateHubShell = app(OperateHubShell::class);
-
-        $actions = [
-            Action::make('operate_hub_scope_run_detail')
-                ->label($operateHubShell->scopeLabel(request()))
-                ->color('gray')
-                ->disabled(),
-        ];
-
-        $activeTenant = $operateHubShell->activeEntitledTenant(request());
-
-        if ($activeTenant instanceof Tenant) {
-            $actions[] = Action::make('operate_hub_back_to_tenant_run_detail')
-                ->label('← Back to '.$activeTenant->name)
-                ->color('gray')
-                ->url(\App\Filament\Pages\TenantDashboard::getUrl(panel: 'tenant', tenant: $activeTenant));
-
-            $actions[] = Action::make('operate_hub_show_all_operations')
-                ->label('Show all operations')
-                ->color('gray')
-                ->url(fn (): string => route('admin.operations.index'));
-        } else {
-            $actions[] = Action::make('operate_hub_back_to_operations')
-                ->label('Back to Operations')
-                ->color('gray')
-                ->url(fn (): string => route('admin.operations.index'));
-        }
-
-        $actions[] = Action::make('refresh')
-            ->label('Refresh')
-            ->icon('heroicon-o-arrow-path')
-            ->color('gray')
-            ->url(fn (): string => isset($this->run)
-                ? route('admin.operations.view', ['run' => (int) $this->run->getKey()])
-                : route('admin.operations.index'));
-
-        if (! isset($this->run)) {
-            return $actions;
-        }
-
-        $user = auth()->user();
-        $tenant = $this->run->tenant;
-
-        if ($tenant instanceof Tenant && (! $user instanceof User || ! app(CapabilityResolver::class)->isMember($user, $tenant))) {
-            $tenant = null;
-        }
-
-        $related = OperationRunLinks::related($this->run, $tenant);
-
-        $relatedActions = [];
-
-        foreach ($related as $label => $url) {
-            $relatedActions[] = Action::make(Str::slug((string) $label, '_'))
-                ->label((string) $label)
-                ->url((string) $url)
-                ->openUrlInNewTab();
-        }
-
-        if ($relatedActions !== []) {
-            $actions[] = ActionGroup::make($relatedActions)
-                ->label('Open')
-                ->icon('heroicon-o-arrow-top-right-on-square')
-                ->color('gray');
-        }
-
-        return $actions;
-    }
-
-    public function mount(OperationRun $run): void
-    {
-        $user = auth()->user();
-
-        if (! $user instanceof User) {
-            abort(403);
-        }
-
-        $this->authorize('view', $run);
-
-        $this->run = $run->loadMissing(['workspace', 'tenant', 'user']);
-    }
-
-    public function infolist(Schema $schema): Schema
-    {
-        return OperationRunResource::infolist($schema);
-    }
-
-    public function defaultInfolist(Schema $schema): Schema
-    {
-        return $schema
-            ->record($this->run)
-            ->columns(2);
-    }
-
-    public function content(Schema $schema): Schema
-    {
-        return $schema->schema([
-            EmbeddedSchema::make('infolist'),
-        ]);
-    }
-}

app/Filament/Pages/TenantRequiredPermissions.php

@@ -1,235 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Pages;
-
-use App\Filament\Resources\ProviderConnectionResource;
-use App\Filament\Resources\TenantResource;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Models\WorkspaceMembership;
-use App\Services\Intune\TenantRequiredPermissionsViewModelBuilder;
-use App\Support\Workspaces\WorkspaceContext;
-use Filament\Pages\Page;
-
-class TenantRequiredPermissions extends Page
-{
-    protected static bool $isDiscovered = false;
-
-    protected static bool $shouldRegisterNavigation = false;
-
-    protected static ?string $slug = 'tenants/{tenant}/required-permissions';
-
-    protected static ?string $title = 'Required permissions';
-
-    protected string $view = 'filament.pages.tenant-required-permissions';
-
-    public string $status = 'missing';
-
-    public string $type = 'all';
-
-    /**
-     * @var array<int, string>
-     */
-    public array $features = [];
-
-    public string $search = '';
-
-    /**
-     * @var array<string, mixed>
-     */
-    public array $viewModel = [];
-
-    public ?Tenant $scopedTenant = null;
-
-    public static function canAccess(): bool
-    {
-        return static::hasScopedTenantAccess(static::resolveScopedTenant());
-    }
-
-    public function currentTenant(): ?Tenant
-    {
-        return $this->scopedTenant;
-    }
-
-    public function mount(): void
-    {
-        $tenant = static::resolveScopedTenant();
-
-        if (! $tenant instanceof Tenant || ! static::hasScopedTenantAccess($tenant)) {
-            abort(404);
-        }
-
-        $this->scopedTenant = $tenant;
-
-        $queryFeatures = request()->query('features', $this->features);
-
-        $state = TenantRequiredPermissionsViewModelBuilder::normalizeFilterState([
-            'status' => request()->query('status', $this->status),
-            'type' => request()->query('type', $this->type),
-            'features' => is_array($queryFeatures) ? $queryFeatures : [],
-            'search' => request()->query('search', $this->search),
-        ]);
-
-        $this->status = $state['status'];
-        $this->type = $state['type'];
-        $this->features = $state['features'];
-        $this->search = $state['search'];
-
-        $this->refreshViewModel();
-    }
-
-    public function updatedStatus(): void
-    {
-        $this->refreshViewModel();
-    }
-
-    public function updatedType(): void
-    {
-        $this->refreshViewModel();
-    }
-
-    public function updatedFeatures(): void
-    {
-        $this->refreshViewModel();
-    }
-
-    public function updatedSearch(): void
-    {
-        $this->refreshViewModel();
-    }
-
-    public function applyFeatureFilter(string $feature): void
-    {
-        $feature = trim($feature);
-
-        if ($feature === '') {
-            return;
-        }
-
-        if (in_array($feature, $this->features, true)) {
-            $this->features = array_values(array_filter(
-                $this->features,
-                static fn (string $value): bool => $value !== $feature,
-            ));
-        } else {
-            $this->features[] = $feature;
-        }
-
-        $this->features = array_values(array_unique($this->features));
-
-        $this->refreshViewModel();
-    }
-
-    public function clearFeatureFilter(): void
-    {
-        $this->features = [];
-
-        $this->refreshViewModel();
-    }
-
-    public function resetFilters(): void
-    {
-        $this->status = 'missing';
-        $this->type = 'all';
-        $this->features = [];
-        $this->search = '';
-
-        $this->refreshViewModel();
-    }
-
-    private function refreshViewModel(): void
-    {
-        $tenant = $this->scopedTenant;
-
-        if (! $tenant instanceof Tenant) {
-            $this->viewModel = [];
-
-            return;
-        }
-
-        $builder = app(TenantRequiredPermissionsViewModelBuilder::class);
-
-        $this->viewModel = $builder->build($tenant, [
-            'status' => $this->status,
-            'type' => $this->type,
-            'features' => $this->features,
-            'search' => $this->search,
-        ]);
-
-        $filters = $this->viewModel['filters'] ?? null;
-
-        if (is_array($filters)) {
-            $this->status = (string) ($filters['status'] ?? $this->status);
-            $this->type = (string) ($filters['type'] ?? $this->type);
-            $this->features = is_array($filters['features'] ?? null) ? $filters['features'] : $this->features;
-            $this->search = (string) ($filters['search'] ?? $this->search);
-        }
-    }
-
-    public function reRunVerificationUrl(): string
-    {
-        $tenant = $this->scopedTenant;
-
-        if ($tenant instanceof Tenant) {
-            return TenantResource::getUrl('view', ['record' => $tenant]);
-        }
-
-        return route('admin.onboarding');
-    }
-
-    public function manageProviderConnectionUrl(): ?string
-    {
-        $tenant = $this->scopedTenant;
-
-        if (! $tenant instanceof Tenant) {
-            return null;
-        }
-
-        return ProviderConnectionResource::getUrl('index', ['tenant' => $tenant], panel: 'admin');
-    }
-
-    protected static function resolveScopedTenant(): ?Tenant
-    {
-        $routeTenant = request()->route('tenant');
-
-        if ($routeTenant instanceof Tenant) {
-            return $routeTenant;
-        }
-
-        if (is_string($routeTenant) && $routeTenant !== '') {
-            return Tenant::query()
-                ->where('external_id', $routeTenant)
-                ->first();
-        }
-
-        return null;
-    }
-
-    private static function hasScopedTenantAccess(?Tenant $tenant): bool
-    {
-        $user = auth()->user();
-
-        if (! $tenant instanceof Tenant || ! $user instanceof User) {
-            return false;
-        }
-
-        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
-
-        if ($workspaceId === null || (int) $tenant->workspace_id !== (int) $workspaceId) {
-            return false;
-        }
-
-        $isWorkspaceMember = WorkspaceMembership::query()
-            ->where('workspace_id', (int) $workspaceId)
-            ->where('user_id', (int) $user->getKey())
-            ->exists();
-
-        if (! $isWorkspaceMember) {
-            return false;
-        }
-
-        return $user->canAccessTenant($tenant);
-    }
-}

app/Filament/Resources/AlertDeliveryResource/Pages/ListAlertDeliveries.php

@@ -1,22 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Resources\AlertDeliveryResource\Pages;
-
-use App\Filament\Resources\AlertDeliveryResource;
-use App\Support\OperateHub\OperateHubShell;
-use Filament\Resources\Pages\ListRecords;
-
-class ListAlertDeliveries extends ListRecords
-{
-    protected static string $resource = AlertDeliveryResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return app(OperateHubShell::class)->headerActions(
-            scopeActionName: 'operate_hub_scope_alerts',
-            returnActionName: 'operate_hub_return_alerts',
-        );
-    }
-}

app/Filament/Resources/BackupScheduleResource/Pages/ListBackupSchedules.php

@@ -1,48 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\BackupScheduleResource\Pages;
-
-use App\Filament\Resources\BackupScheduleResource;
-use Filament\Actions;
-use Filament\Resources\Pages\ListRecords;
-
-class ListBackupSchedules extends ListRecords
-{
-    protected static string $resource = BackupScheduleResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [$this->makeHeaderCreateAction()];
-    }
-
-    protected function getTableEmptyStateActions(): array
-    {
-        return [$this->makeEmptyStateCreateAction()];
-    }
-
-    private function tableHasRecords(): bool
-    {
-        return $this->getTableRecords()->count() > 0;
-    }
-
-    private function makeHeaderCreateAction(): Actions\CreateAction
-    {
-        return $this->makeCreateAction()
-            ->visible(fn (): bool => $this->tableHasRecords());
-    }
-
-    private function makeEmptyStateCreateAction(): Actions\CreateAction
-    {
-        return $this->makeCreateAction();
-    }
-
-    private function makeCreateAction(): Actions\CreateAction
-    {
-        return Actions\CreateAction::make()
-            ->label('New backup schedule')
-            ->disabled(fn (): bool => ! BackupScheduleResource::canCreate())
-            ->tooltip(fn (): ?string => BackupScheduleResource::canCreate()
-                ? null
-                : 'You do not have permission to create backup schedules.');
-    }
-}

app/Filament/Resources/BackupSetResource/Pages/ListBackupSets.php

@@ -1,43 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\BackupSetResource\Pages;
-
-use App\Filament\Resources\BackupSetResource;
-use App\Support\Auth\Capabilities;
-use App\Support\Rbac\UiEnforcement;
-use Filament\Actions;
-use Filament\Resources\Pages\ListRecords;
-
-class ListBackupSets extends ListRecords
-{
-    protected static string $resource = BackupSetResource::class;
-
-    private function tableHasRecords(): bool
-    {
-        return $this->getTableRecords()->count() > 0;
-    }
-
-    protected function getHeaderActions(): array
-    {
-        $create = Actions\CreateAction::make();
-        UiEnforcement::forAction($create)
-            ->requireCapability(Capabilities::TENANT_SYNC)
-            ->apply();
-
-        return [
-            $create->visible(fn (): bool => $this->tableHasRecords()),
-        ];
-    }
-
-    protected function getTableEmptyStateActions(): array
-    {
-        $create = Actions\CreateAction::make();
-        UiEnforcement::forAction($create)
-            ->requireCapability(Capabilities::TENANT_SYNC)
-            ->apply();
-
-        return [
-            $create,
-        ];
-    }
-}

app/Filament/Resources/BackupSetResource/Pages/ViewBackupSet.php

@@ -1,11 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\BackupSetResource\Pages;
-
-use App\Filament\Resources\BackupSetResource;
-use Filament\Resources\Pages\ViewRecord;
-
-class ViewBackupSet extends ViewRecord
-{
-    protected static string $resource = BackupSetResource::class;
-}

app/Filament/Resources/BaselineProfileResource.php

@@ -1,410 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Resources;
-
-use App\Filament\Resources\BaselineProfileResource\Pages;
-use App\Models\BaselineProfile;
-use App\Models\User;
-use App\Models\Workspace;
-use App\Services\Audit\WorkspaceAuditLogger;
-use App\Support\Audit\AuditActionId;
-use App\Support\Auth\Capabilities;
-use App\Support\Badges\BadgeDomain;
-use App\Support\Badges\BadgeRenderer;
-use App\Support\Inventory\InventoryPolicyTypeMeta;
-use App\Support\Rbac\WorkspaceUiEnforcement;
-use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
-use App\Support\Workspaces\WorkspaceContext;
-use BackedEnum;
-use Filament\Actions\Action;
-use Filament\Actions\ActionGroup;
-use Filament\Actions\BulkActionGroup;
-use Filament\Facades\Filament;
-use Filament\Forms\Components\Select;
-use Filament\Forms\Components\Textarea;
-use Filament\Forms\Components\TextInput;
-use Filament\Infolists\Components\TextEntry;
-use Filament\Notifications\Notification;
-use Filament\Resources\Resource;
-use Filament\Schemas\Components\Section;
-use Filament\Schemas\Schema;
-use Filament\Tables\Columns\TextColumn;
-use Filament\Tables\Table;
-use Illuminate\Auth\Access\AuthorizationException;
-use Illuminate\Database\Eloquent\Builder;
-use Illuminate\Database\Eloquent\Model;
-use UnitEnum;
-
-class BaselineProfileResource extends Resource
-{
-    protected static bool $isScopedToTenant = false;
-
-    protected static ?string $model = BaselineProfile::class;
-
-    protected static ?string $slug = 'baseline-profiles';
-
-    protected static bool $isGloballySearchable = false;
-
-    protected static ?string $recordTitleAttribute = 'name';
-
-    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-shield-check';
-
-    protected static string|UnitEnum|null $navigationGroup = 'Governance';
-
-    protected static ?string $navigationLabel = 'Baselines';
-
-    protected static ?int $navigationSort = 1;
-
-    public static function shouldRegisterNavigation(): bool
-    {
-        if (Filament::getCurrentPanel()?->getId() !== 'admin') {
-            return false;
-        }
-
-        return parent::shouldRegisterNavigation();
-    }
-
-    public static function canViewAny(): bool
-    {
-        $user = auth()->user();
-
-        if (! $user instanceof User) {
-            return false;
-        }
-
-        $workspace = self::resolveWorkspace();
-
-        if (! $workspace instanceof Workspace) {
-            return false;
-        }
-
-        $resolver = app(\App\Services\Auth\WorkspaceCapabilityResolver::class);
-
-        return $resolver->isMember($user, $workspace)
-            && $resolver->can($user, $workspace, Capabilities::WORKSPACE_BASELINES_VIEW);
-    }
-
-    public static function canCreate(): bool
-    {
-        return self::hasManageCapability();
-    }
-
-    public static function canEdit(Model $record): bool
-    {
-        return self::hasManageCapability();
-    }
-
-    public static function canDelete(Model $record): bool
-    {
-        return self::hasManageCapability();
-    }
-
-    public static function canView(Model $record): bool
-    {
-        return self::canViewAny();
-    }
-
-    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
-    {
-        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
-            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header action: Create baseline profile (capability-gated).')
-            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ViewAction->value)
-            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Secondary row actions (edit, archive) under "More".')
-            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'No bulk mutations for baseline profiles in v1.')
-            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'List defines empty-state create CTA.')
-            ->satisfy(ActionSurfaceSlot::DetailHeader, 'View page provides capture + edit actions.');
-    }
-
-    public static function getEloquentQuery(): Builder
-    {
-        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
-
-        return parent::getEloquentQuery()
-            ->with(['activeSnapshot', 'createdByUser'])
-            ->when(
-                $workspaceId !== null,
-                fn (Builder $query): Builder => $query->where('workspace_id', (int) $workspaceId),
-            )
-            ->when(
-                $workspaceId === null,
-                fn (Builder $query): Builder => $query->whereRaw('1 = 0'),
-            );
-    }
-
-    public static function form(Schema $schema): Schema
-    {
-        return $schema
-            ->schema([
-                Section::make('Profile')
-                    ->schema([
-                        TextInput::make('name')
-                            ->required()
-                            ->maxLength(255)
-                            ->helperText('A descriptive name for this baseline profile.'),
-                        Textarea::make('description')
-                            ->rows(3)
-                            ->maxLength(1000)
-                            ->helperText('Explain the purpose and scope of this baseline.'),
-                        TextInput::make('version_label')
-                            ->label('Version label')
-                            ->maxLength(50)
-                            ->placeholder('e.g. v2.1 — February rollout')
-                            ->helperText('Optional label to identify this version.'),
-                        Select::make('status')
-                            ->required()
-                            ->options([
-                                BaselineProfile::STATUS_DRAFT => 'Draft',
-                                BaselineProfile::STATUS_ACTIVE => 'Active',
-                                BaselineProfile::STATUS_ARCHIVED => 'Archived',
-                            ])
-                            ->default(BaselineProfile::STATUS_DRAFT)
-                            ->native(false)
-                            ->helperText('Only active baselines are enforced during compliance checks.'),
-                    ])
-                    ->columns(2)
-                    ->columnSpanFull(),
-                Section::make('Scope')
-                    ->schema([
-                        Select::make('scope_jsonb.policy_types')
-                            ->label('Policy type scope')
-                            ->multiple()
-                            ->options(self::policyTypeOptions())
-                            ->helperText('Leave empty to include all policy types.')
-                            ->native(false),
-                    ])
-                    ->columnSpanFull(),
-            ]);
-    }
-
-    public static function infolist(Schema $schema): Schema
-    {
-        return $schema
-            ->schema([
-                Section::make('Profile')
-                    ->schema([
-                        TextEntry::make('name'),
-                        TextEntry::make('status')
-                            ->badge()
-                            ->formatStateUsing(BadgeRenderer::label(BadgeDomain::BaselineProfileStatus))
-                            ->color(BadgeRenderer::color(BadgeDomain::BaselineProfileStatus))
-                            ->icon(BadgeRenderer::icon(BadgeDomain::BaselineProfileStatus)),
-                        TextEntry::make('version_label')
-                            ->label('Version')
-                            ->placeholder('—'),
-                        TextEntry::make('description')
-                            ->placeholder('No description')
-                            ->columnSpanFull(),
-                    ])
-                    ->columns(2)
-                    ->columnSpanFull(),
-                Section::make('Scope')
-                    ->schema([
-                        TextEntry::make('scope_jsonb.policy_types')
-                            ->label('Policy type scope')
-                            ->badge()
-                            ->formatStateUsing(function (string $state): string {
-                                $options = self::policyTypeOptions();
-
-                                return $options[$state] ?? $state;
-                            })
-                            ->placeholder('All policy types'),
-                    ])
-                    ->columnSpanFull(),
-                Section::make('Metadata')
-                    ->schema([
-                        TextEntry::make('createdByUser.name')
-                            ->label('Created by')
-                            ->placeholder('—'),
-                        TextEntry::make('activeSnapshot.captured_at')
-                            ->label('Last snapshot')
-                            ->dateTime()
-                            ->placeholder('No snapshot yet'),
-                        TextEntry::make('created_at')
-                            ->dateTime(),
-                        TextEntry::make('updated_at')
-                            ->dateTime(),
-                    ])
-                    ->columns(2)
-                    ->columnSpanFull(),
-            ]);
-    }
-
-    public static function table(Table $table): Table
-    {
-        $workspace = self::resolveWorkspace();
-
-        return $table
-            ->defaultSort('name')
-            ->columns([
-                TextColumn::make('name')
-                    ->searchable()
-                    ->sortable(),
-                TextColumn::make('status')
-                    ->badge()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::BaselineProfileStatus))
-                    ->color(BadgeRenderer::color(BadgeDomain::BaselineProfileStatus))
-                    ->icon(BadgeRenderer::icon(BadgeDomain::BaselineProfileStatus))
-                    ->sortable(),
-                TextColumn::make('version_label')
-                    ->label('Version')
-                    ->placeholder('—'),
-                TextColumn::make('activeSnapshot.captured_at')
-                    ->label('Last snapshot')
-                    ->dateTime()
-                    ->placeholder('No snapshot'),
-                TextColumn::make('created_at')
-                    ->dateTime()
-                    ->sortable()
-                    ->toggleable(isToggledHiddenByDefault: true),
-            ])
-            ->actions([
-                Action::make('view')
-                    ->label('View')
-                    ->url(fn (BaselineProfile $record): string => static::getUrl('view', ['record' => $record]))
-                    ->icon('heroicon-o-eye'),
-                ActionGroup::make([
-                    Action::make('edit')
-                        ->label('Edit')
-                        ->url(fn (BaselineProfile $record): string => static::getUrl('edit', ['record' => $record]))
-                        ->icon('heroicon-o-pencil-square')
-                        ->visible(fn (): bool => self::hasManageCapability()),
-                    self::archiveTableAction($workspace),
-                ])->label('More'),
-            ])
-            ->bulkActions([
-                BulkActionGroup::make([])->label('More'),
-            ])
-            ->emptyStateHeading('No baseline profiles')
-            ->emptyStateDescription('Create a baseline profile to define what "good" looks like for your tenants.')
-            ->emptyStateActions([
-                Action::make('create')
-                    ->label('Create baseline profile')
-                    ->url(fn (): string => static::getUrl('create'))
-                    ->icon('heroicon-o-plus')
-                    ->visible(fn (): bool => self::hasManageCapability()),
-            ]);
-    }
-
-    public static function getRelations(): array
-    {
-        return [
-            BaselineProfileResource\RelationManagers\BaselineTenantAssignmentsRelationManager::class,
-        ];
-    }
-
-    public static function getPages(): array
-    {
-        return [
-            'index' => Pages\ListBaselineProfiles::route('/'),
-            'create' => Pages\CreateBaselineProfile::route('/create'),
-            'view' => Pages\ViewBaselineProfile::route('/{record}'),
-            'edit' => Pages\EditBaselineProfile::route('/{record}/edit'),
-        ];
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    public static function policyTypeOptions(): array
-    {
-        return collect(InventoryPolicyTypeMeta::all())
-            ->filter(fn (array $row): bool => filled($row['type'] ?? null))
-            ->mapWithKeys(fn (array $row): array => [
-                (string) $row['type'] => (string) ($row['label'] ?? $row['type']),
-            ])
-            ->sort()
-            ->all();
-    }
-
-    /**
-     * @param  array<string, mixed>  $metadata
-     */
-    public static function audit(BaselineProfile $record, AuditActionId $actionId, array $metadata): void
-    {
-        $workspace = $record->workspace;
-
-        if ($workspace === null) {
-            return;
-        }
-
-        $actor = auth()->user();
-
-        app(WorkspaceAuditLogger::class)->log(
-            workspace: $workspace,
-            action: $actionId->value,
-            context: ['metadata' => $metadata],
-            actor: $actor instanceof User ? $actor : null,
-            resourceType: 'baseline_profile',
-            resourceId: (string) $record->getKey(),
-        );
-    }
-
-    private static function resolveWorkspace(): ?Workspace
-    {
-        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
-
-        if ($workspaceId === null) {
-            return null;
-        }
-
-        return Workspace::query()->whereKey($workspaceId)->first();
-    }
-
-    private static function hasManageCapability(): bool
-    {
-        $user = auth()->user();
-        $workspace = self::resolveWorkspace();
-
-        if (! $user instanceof User || ! $workspace instanceof Workspace) {
-            return false;
-        }
-
-        $resolver = app(\App\Services\Auth\WorkspaceCapabilityResolver::class);
-
-        return $resolver->isMember($user, $workspace)
-            && $resolver->can($user, $workspace, Capabilities::WORKSPACE_BASELINES_MANAGE);
-    }
-
-    private static function archiveTableAction(?Workspace $workspace): Action
-    {
-        $action = Action::make('archive')
-            ->label('Archive')
-            ->icon('heroicon-o-archive-box')
-            ->color('warning')
-            ->requiresConfirmation()
-            ->modalHeading('Archive baseline profile')
-            ->modalDescription('Archiving is permanent in v1. This profile can no longer be used for captures or compares.')
-            ->visible(fn (BaselineProfile $record): bool => $record->status !== BaselineProfile::STATUS_ARCHIVED && self::hasManageCapability())
-            ->action(function (BaselineProfile $record): void {
-                if (! self::hasManageCapability()) {
-                    throw new AuthorizationException;
-                }
-
-                $record->forceFill(['status' => BaselineProfile::STATUS_ARCHIVED])->save();
-
-                self::audit($record, AuditActionId::BaselineProfileArchived, [
-                    'baseline_profile_id' => (int) $record->getKey(),
-                    'name' => (string) $record->name,
-                ]);
-
-                Notification::make()
-                    ->title('Baseline profile archived')
-                    ->success()
-                    ->send();
-            });
-
-        if ($workspace instanceof Workspace) {
-            $action = WorkspaceUiEnforcement::forTableAction($action, $workspace)
-                ->requireCapability(Capabilities::WORKSPACE_BASELINES_MANAGE)
-                ->destructive()
-                ->apply();
-        }
-
-        return $action;
-    }
-}

app/Filament/Resources/BaselineProfileResource/Pages/EditBaselineProfile.php

@@ -1,48 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Resources\BaselineProfileResource\Pages;
-
-use App\Filament\Resources\BaselineProfileResource;
-use App\Models\BaselineProfile;
-use App\Support\Audit\AuditActionId;
-use Filament\Notifications\Notification;
-use Filament\Resources\Pages\EditRecord;
-
-class EditBaselineProfile extends EditRecord
-{
-    protected static string $resource = BaselineProfileResource::class;
-
-    /**
-     * @param  array<string, mixed>  $data
-     * @return array<string, mixed>
-     */
-    protected function mutateFormDataBeforeSave(array $data): array
-    {
-        $policyTypes = $data['scope_jsonb']['policy_types'] ?? [];
-        $data['scope_jsonb'] = ['policy_types' => is_array($policyTypes) ? array_values($policyTypes) : []];
-
-        return $data;
-    }
-
-    protected function afterSave(): void
-    {
-        $record = $this->record;
-
-        if (! $record instanceof BaselineProfile) {
-            return;
-        }
-
-        BaselineProfileResource::audit($record, AuditActionId::BaselineProfileUpdated, [
-            'baseline_profile_id' => (int) $record->getKey(),
-            'name' => (string) $record->name,
-            'status' => (string) $record->status,
-        ]);
-
-        Notification::make()
-            ->title('Baseline profile updated')
-            ->success()
-            ->send();
-    }
-}

app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php

@@ -1,171 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Resources\BaselineProfileResource\Pages;
-
-use App\Filament\Resources\BaselineProfileResource;
-use App\Models\BaselineProfile;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Models\Workspace;
-use App\Services\Baselines\BaselineCaptureService;
-use App\Support\Auth\Capabilities;
-use App\Support\OperationRunLinks;
-use App\Support\OpsUx\OperationUxPresenter;
-use App\Support\OpsUx\OpsUxBrowserEvents;
-use App\Support\Workspaces\WorkspaceContext;
-use Filament\Actions\Action;
-use Filament\Actions\EditAction;
-use Filament\Forms\Components\Select;
-use Filament\Notifications\Notification;
-use Filament\Resources\Pages\ViewRecord;
-
-class ViewBaselineProfile extends ViewRecord
-{
-    protected static string $resource = BaselineProfileResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [
-            $this->captureAction(),
-            EditAction::make()
-                ->visible(fn (): bool => $this->hasManageCapability()),
-        ];
-    }
-
-    private function captureAction(): Action
-    {
-        return Action::make('capture')
-            ->label('Capture Snapshot')
-            ->icon('heroicon-o-camera')
-            ->color('primary')
-            ->visible(fn (): bool => $this->hasManageCapability())
-            ->disabled(fn (): bool => ! $this->hasManageCapability())
-            ->tooltip(fn (): ?string => ! $this->hasManageCapability() ? 'You need manage permission to capture snapshots.' : null)
-            ->requiresConfirmation()
-            ->modalHeading('Capture Baseline Snapshot')
-            ->modalDescription('Select the source tenant whose current inventory will be captured as the baseline snapshot.')
-            ->form([
-                Select::make('source_tenant_id')
-                    ->label('Source Tenant')
-                    ->options(fn (): array => $this->getWorkspaceTenantOptions())
-                    ->required()
-                    ->searchable(),
-            ])
-            ->action(function (array $data): void {
-                $user = auth()->user();
-
-                if (! $user instanceof User || ! $this->hasManageCapability()) {
-                    Notification::make()
-                        ->title('Permission denied')
-                        ->danger()
-                        ->send();
-
-                    return;
-                }
-
-                /** @var BaselineProfile $profile */
-                $profile = $this->getRecord();
-                $sourceTenant = Tenant::query()->find((int) $data['source_tenant_id']);
-
-                if (! $sourceTenant instanceof Tenant) {
-                    Notification::make()
-                        ->title('Source tenant not found')
-                        ->danger()
-                        ->send();
-
-                    return;
-                }
-
-                $service = app(BaselineCaptureService::class);
-                $result = $service->startCapture($profile, $sourceTenant, $user);
-
-                if (! $result['ok']) {
-                    Notification::make()
-                        ->title('Cannot start capture')
-                        ->body('Reason: '.str_replace('.', ' ', (string) ($result['reason_code'] ?? 'unknown')))
-                        ->danger()
-                        ->send();
-
-                    return;
-                }
-
-                $run = $result['run'] ?? null;
-
-                if (! $run instanceof \App\Models\OperationRun) {
-                    Notification::make()
-                        ->title('Cannot start capture')
-                        ->body('Reason: missing operation run')
-                        ->danger()
-                        ->send();
-
-                    return;
-                }
-
-                $viewAction = Action::make('view_run')
-                    ->label('View run')
-                    ->url(OperationRunLinks::view($run, $sourceTenant));
-
-                if (! $run->wasRecentlyCreated && in_array((string) $run->status, ['queued', 'running'], true)) {
-                    OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                    OperationUxPresenter::alreadyQueuedToast((string) $run->type)
-                        ->actions([$viewAction])
-                        ->send();
-
-                    return;
-                }
-
-                OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                OperationUxPresenter::queuedToast((string) $run->type)
-                    ->actions([$viewAction])
-                    ->send();
-            });
-    }
-
-    /**
-     * @return array<int, string>
-     */
-    private function getWorkspaceTenantOptions(): array
-    {
-        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
-
-        if ($workspaceId === null) {
-            return [];
-        }
-
-        return Tenant::query()
-            ->where('workspace_id', $workspaceId)
-            ->orderBy('name')
-            ->pluck('name', 'id')
-            ->all();
-    }
-
-    private function hasManageCapability(): bool
-    {
-        $user = auth()->user();
-
-        if (! $user instanceof User) {
-            return false;
-        }
-
-        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
-
-        if ($workspaceId === null) {
-            return false;
-        }
-
-        $workspace = Workspace::query()->whereKey($workspaceId)->first();
-
-        if (! $workspace instanceof Workspace) {
-            return false;
-        }
-
-        $resolver = app(\App\Services\Auth\WorkspaceCapabilityResolver::class);
-
-        return $resolver->isMember($user, $workspace)
-            && $resolver->can($user, $workspace, Capabilities::WORKSPACE_BASELINES_MANAGE);
-    }
-}

app/Filament/Resources/EntraGroupResource.php

@@ -1,246 +0,0 @@
-<?php
-
-namespace App\Filament\Resources;
-
-use App\Filament\Resources\EntraGroupResource\Pages;
-use App\Models\EntraGroup;
-use App\Models\Tenant;
-use App\Support\Badges\BadgeDomain;
-use App\Support\Badges\BadgeRenderer;
-use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
-use BackedEnum;
-use Filament\Infolists\Components\TextEntry;
-use Filament\Infolists\Components\ViewEntry;
-use Filament\Resources\Resource;
-use Filament\Schemas\Components\Section;
-use Filament\Schemas\Schema;
-use Filament\Tables;
-use Filament\Tables\Filters\SelectFilter;
-use Filament\Tables\Table;
-use Illuminate\Database\Eloquent\Builder;
-use UnitEnum;
-
-class EntraGroupResource extends Resource
-{
-    protected static bool $isScopedToTenant = false;
-
-    protected static ?string $model = EntraGroup::class;
-
-    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-user-group';
-
-    protected static string|UnitEnum|null $navigationGroup = 'Directory';
-
-    protected static ?string $navigationLabel = 'Groups';
-
-    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
-    {
-        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::ListOnlyReadOnly)
-            ->exempt(ActionSurfaceSlot::ListHeader, 'Directory groups list intentionally has no header actions; sync is started from the sync-runs surface.')
-            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
-            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'No secondary row actions are provided on this read-only list.')
-            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Bulk actions are intentionally omitted for directory groups.')
-            ->exempt(ActionSurfaceSlot::ListEmptyState, 'Empty-state CTA is intentionally omitted; groups appear after sync.');
-    }
-
-    public static function form(Schema $schema): Schema
-    {
-        return $schema;
-    }
-
-    public static function infolist(Schema $schema): Schema
-    {
-        return $schema
-            ->schema([
-                Section::make('Group')
-                    ->schema([
-                        TextEntry::make('display_name')->label('Name'),
-                        TextEntry::make('entra_id')->label('Entra ID')->copyable(),
-                        TextEntry::make('type')
-                            ->badge()
-                            ->state(fn (EntraGroup $record): string => static::groupTypeLabel(static::groupType($record))),
-                        TextEntry::make('security_enabled')
-                            ->label('Security')
-                            ->badge()
-                            ->formatStateUsing(BadgeRenderer::label(BadgeDomain::BooleanEnabled))
-                            ->color(BadgeRenderer::color(BadgeDomain::BooleanEnabled))
-                            ->icon(BadgeRenderer::icon(BadgeDomain::BooleanEnabled))
-                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::BooleanEnabled)),
-                        TextEntry::make('mail_enabled')
-                            ->label('Mail')
-                            ->badge()
-                            ->formatStateUsing(BadgeRenderer::label(BadgeDomain::BooleanEnabled))
-                            ->color(BadgeRenderer::color(BadgeDomain::BooleanEnabled))
-                            ->icon(BadgeRenderer::icon(BadgeDomain::BooleanEnabled))
-                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::BooleanEnabled)),
-                        TextEntry::make('last_seen_at')->label('Last seen')->dateTime()->placeholder('—'),
-                    ])
-                    ->columns(2)
-                    ->columnSpanFull(),
-
-                Section::make('Raw groupTypes')
-                    ->schema([
-                        ViewEntry::make('group_types')
-                            ->label('')
-                            ->view('filament.infolists.entries.snapshot-json')
-                            ->state(fn (EntraGroup $record) => $record->group_types ?? [])
-                            ->columnSpanFull(),
-                    ])
-                    ->columnSpanFull(),
-            ]);
-    }
-
-    public static function table(Table $table): Table
-    {
-        return $table
-            ->defaultSort('display_name')
-            ->modifyQueryUsing(function (Builder $query): Builder {
-                $tenantId = Tenant::current()?->getKey();
-
-                return $query->when($tenantId, fn (Builder $q) => $q->where('tenant_id', $tenantId));
-            })
-            ->recordUrl(static fn (EntraGroup $record): ?string => static::canView($record)
-                ? static::getUrl('view', ['record' => $record])
-                : null)
-            ->columns([
-                Tables\Columns\TextColumn::make('display_name')
-                    ->label('Name')
-                    ->searchable(),
-                Tables\Columns\TextColumn::make('entra_id')
-                    ->label('Entra ID')
-                    ->copyable()
-                    ->toggleable(),
-                Tables\Columns\TextColumn::make('type')
-                    ->label('Type')
-                    ->badge()
-                    ->state(fn (EntraGroup $record): string => static::groupTypeLabel(static::groupType($record)))
-                    ->color(fn (EntraGroup $record): string => static::groupTypeColor(static::groupType($record))),
-                Tables\Columns\TextColumn::make('last_seen_at')
-                    ->label('Last seen')
-                    ->since(),
-            ])
-            ->filters([
-                SelectFilter::make('stale')
-                    ->label('Stale')
-                    ->options([
-                        '1' => 'Stale',
-                        '0' => 'Fresh',
-                    ])
-                    ->query(function (Builder $query, array $data): Builder {
-                        $value = $data['value'] ?? null;
-
-                        if ($value === null || $value === '') {
-                            return $query;
-                        }
-
-                        $stalenessDays = (int) config('directory_groups.staleness_days', 30);
-                        $cutoff = now('UTC')->subDays(max(1, $stalenessDays));
-
-                        if ((string) $value === '1') {
-                            return $query->where(function (Builder $q) use ($cutoff): void {
-                                $q->whereNull('last_seen_at')
-                                    ->orWhere('last_seen_at', '<', $cutoff);
-                            });
-                        }
-
-                        return $query->where('last_seen_at', '>=', $cutoff);
-                    }),
-
-                SelectFilter::make('group_type')
-                    ->label('Type')
-                    ->options([
-                        'security' => 'Security',
-                        'microsoft365' => 'Microsoft 365',
-                        'mail' => 'Mail-enabled',
-                        'unknown' => 'Unknown',
-                    ])
-                    ->query(function (Builder $query, array $data): Builder {
-                        $value = (string) ($data['value'] ?? '');
-
-                        if ($value === '') {
-                            return $query;
-                        }
-
-                        return match ($value) {
-                            'microsoft365' => $query->whereJsonContains('group_types', 'Unified'),
-                            'security' => $query
-                                ->where('security_enabled', true)
-                                ->where(function (Builder $q): void {
-                                    $q->whereNull('group_types')
-                                        ->orWhereJsonDoesntContain('group_types', 'Unified');
-                                }),
-                            'mail' => $query
-                                ->where('mail_enabled', true)
-                                ->where(function (Builder $q): void {
-                                    $q->whereNull('group_types')
-                                        ->orWhereJsonDoesntContain('group_types', 'Unified');
-                                }),
-                            'unknown' => $query
-                                ->where(function (Builder $q): void {
-                                    $q->whereNull('group_types')
-                                        ->orWhereJsonDoesntContain('group_types', 'Unified');
-                                })
-                                ->where('security_enabled', false)
-                                ->where('mail_enabled', false),
-                            default => $query,
-                        };
-                    }),
-            ])
-            ->actions([])
-            ->bulkActions([]);
-    }
-
-    public static function getEloquentQuery(): Builder
-    {
-        return parent::getEloquentQuery()->latest('id');
-    }
-
-    public static function getPages(): array
-    {
-        return [
-            'index' => Pages\ListEntraGroups::route('/'),
-            'view' => Pages\ViewEntraGroup::route('/{record}'),
-        ];
-    }
-
-    private static function groupType(EntraGroup $record): string
-    {
-        $groupTypes = $record->group_types;
-
-        if (is_array($groupTypes) && in_array('Unified', $groupTypes, true)) {
-            return 'microsoft365';
-        }
-
-        if ($record->security_enabled) {
-            return 'security';
-        }
-
-        if ($record->mail_enabled) {
-            return 'mail';
-        }
-
-        return 'unknown';
-    }
-
-    private static function groupTypeLabel(string $type): string
-    {
-        return match ($type) {
-            'microsoft365' => 'Microsoft 365',
-            'security' => 'Security',
-            'mail' => 'Mail-enabled',
-            default => 'Unknown',
-        };
-    }
-
-    private static function groupTypeColor(string $type): string
-    {
-        return match ($type) {
-            'microsoft365' => 'info',
-            'security' => 'success',
-            'mail' => 'warning',
-            default => 'gray',
-        };
-    }
-}

app/Filament/Resources/EntraGroupResource/Pages/ViewEntraGroup.php

@@ -1,11 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\EntraGroupResource\Pages;
-
-use App\Filament\Resources\EntraGroupResource;
-use Filament\Resources\Pages\ViewRecord;
-
-class ViewEntraGroup extends ViewRecord
-{
-    protected static string $resource = EntraGroupResource::class;
-}

app/Filament/Resources/FindingResource/Pages/ListFindings.php

@@ -1,320 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\FindingResource\Pages;
-
-use App\Filament\Resources\FindingResource;
-use App\Jobs\BackfillFindingLifecycleJob;
-use App\Models\Finding;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\Findings\FindingWorkflowService;
-use App\Services\OperationRunService;
-use App\Support\Auth\Capabilities;
-use App\Support\OperationRunLinks;
-use App\Support\OpsUx\OperationUxPresenter;
-use App\Support\OpsUx\OpsUxBrowserEvents;
-use App\Support\Rbac\UiEnforcement;
-use App\Support\Rbac\UiTooltips;
-use Filament\Actions;
-use Filament\Forms\Components\TextInput;
-use Filament\Notifications\Notification;
-use Filament\Resources\Pages\ListRecords;
-use Illuminate\Database\Eloquent\Builder;
-use Illuminate\Support\Arr;
-use Throwable;
-
-class ListFindings extends ListRecords
-{
-    protected static string $resource = FindingResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [
-            UiEnforcement::forAction(
-                Actions\Action::make('backfill_lifecycle')
-                    ->label('Backfill findings lifecycle')
-                    ->icon('heroicon-o-wrench-screwdriver')
-                    ->color('gray')
-                    ->requiresConfirmation()
-                    ->modalHeading('Backfill findings lifecycle')
-                    ->modalDescription('This will backfill legacy Findings data (lifecycle fields, SLA due dates, and drift duplicate consolidation) for the current tenant. The operation runs in the background.')
-                    ->action(function (OperationRunService $operationRuns): void {
-                        $user = auth()->user();
-
-                        if (! $user instanceof User) {
-                            abort(403);
-                        }
-
-                        $tenant = \Filament\Facades\Filament::getTenant();
-
-                        if (! $tenant instanceof Tenant) {
-                            abort(404);
-                        }
-
-                        $opRun = $operationRuns->ensureRunWithIdentity(
-                            tenant: $tenant,
-                            type: 'findings.lifecycle.backfill',
-                            identityInputs: [
-                                'tenant_id' => (int) $tenant->getKey(),
-                                'trigger' => 'backfill',
-                            ],
-                            context: [
-                                'workspace_id' => (int) $tenant->workspace_id,
-                                'initiator_user_id' => (int) $user->getKey(),
-                            ],
-                            initiator: $user,
-                        );
-
-                        $runUrl = OperationRunLinks::view($opRun, $tenant);
-
-                        if ($opRun->wasRecentlyCreated === false) {
-                            OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                            OperationUxPresenter::alreadyQueuedToast((string) $opRun->type)
-                                ->actions([
-                                    Actions\Action::make('view_run')
-                                        ->label('View run')
-                                        ->url($runUrl),
-                                ])
-                                ->send();
-
-                            return;
-                        }
-
-                        $operationRuns->dispatchOrFail($opRun, function () use ($tenant, $user): void {
-                            BackfillFindingLifecycleJob::dispatch(
-                                tenantId: (int) $tenant->getKey(),
-                                workspaceId: (int) $tenant->workspace_id,
-                                initiatorUserId: (int) $user->getKey(),
-                            );
-                        });
-
-                        OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                        OperationUxPresenter::queuedToast((string) $opRun->type)
-                            ->body('The backfill will run in the background. You can continue working while it completes.')
-                            ->actions([
-                                Actions\Action::make('view_run')
-                                    ->label('View run')
-                                    ->url($runUrl),
-                            ])
-                            ->send();
-                    })
-            )
-                ->preserveVisibility()
-                ->requireCapability(Capabilities::TENANT_MANAGE)
-                ->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
-                ->apply(),
-
-            UiEnforcement::forAction(
-                Actions\Action::make('triage_all_matching')
-                    ->label('Triage all matching')
-                    ->icon('heroicon-o-check')
-                    ->color('gray')
-                    ->requiresConfirmation()
-                    ->visible(fn (): bool => $this->getStatusFilterValue() === Finding::STATUS_NEW)
-                    ->modalDescription(function (): string {
-                        $count = $this->getAllMatchingCount();
-
-                        return "You are about to triage {$count} finding".($count === 1 ? '' : 's').' matching the current filters.';
-                    })
-                    ->form(function (): array {
-                        $count = $this->getAllMatchingCount();
-
-                        if ($count <= 100) {
-                            return [];
-                        }
-
-                        return [
-                            TextInput::make('confirmation')
-                                ->label('Type TRIAGE to confirm')
-                                ->required()
-                                ->in(['TRIAGE'])
-                                ->validationMessages([
-                                    'in' => 'Please type TRIAGE to confirm.',
-                                ]),
-                        ];
-                    })
-                    ->action(function (FindingWorkflowService $workflow): void {
-                        $query = $this->buildAllMatchingQuery();
-                        $count = (clone $query)->count();
-
-                        if ($count === 0) {
-                            Notification::make()
-                                ->title('No matching findings')
-                                ->body('There are no new findings matching the current filters to triage.')
-                                ->warning()
-                                ->send();
-
-                            return;
-                        }
-
-                        $user = auth()->user();
-                        $tenant = \Filament\Facades\Filament::getTenant();
-
-                        if (! $user instanceof User) {
-                            abort(403);
-                        }
-
-                        if (! $tenant instanceof Tenant) {
-                            abort(404);
-                        }
-
-                        $triagedCount = 0;
-                        $skippedCount = 0;
-                        $failedCount = 0;
-
-                        $query->orderBy('id')->chunkById(200, function ($findings) use ($workflow, $tenant, $user, &$triagedCount, &$skippedCount, &$failedCount): void {
-                            foreach ($findings as $finding) {
-                                if (! $finding instanceof Finding) {
-                                    $skippedCount++;
-
-                                    continue;
-                                }
-
-                                if (! in_array((string) $finding->status, [
-                                    Finding::STATUS_NEW,
-                                    Finding::STATUS_REOPENED,
-                                    Finding::STATUS_ACKNOWLEDGED,
-                                ], true)) {
-                                    $skippedCount++;
-
-                                    continue;
-                                }
-
-                                try {
-                                    $workflow->triage($finding, $tenant, $user);
-                                    $triagedCount++;
-                                } catch (Throwable) {
-                                    $failedCount++;
-                                }
-                            }
-                        });
-
-                        $this->deselectAllTableRecords();
-                        $this->resetPage();
-
-                        $body = "Triaged {$triagedCount} finding".($triagedCount === 1 ? '' : 's').'.';
-                        if ($skippedCount > 0) {
-                            $body .= " Skipped {$skippedCount}.";
-                        }
-                        if ($failedCount > 0) {
-                            $body .= " Failed {$failedCount}.";
-                        }
-
-                        Notification::make()
-                            ->title('Bulk triage completed')
-                            ->body($body)
-                            ->status($failedCount > 0 ? 'warning' : 'success')
-                            ->send();
-                    })
-            )
-                ->preserveVisibility()
-                ->requireCapability(Capabilities::TENANT_FINDINGS_TRIAGE)
-                ->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
-                ->apply(),
-        ];
-    }
-
-    protected function buildAllMatchingQuery(): Builder
-    {
-        $query = Finding::query();
-
-        $tenantId = \Filament\Facades\Filament::getTenant()?->getKey();
-
-        if (! is_numeric($tenantId)) {
-            return $query->whereRaw('1 = 0');
-        }
-
-        $query->where('tenant_id', (int) $tenantId);
-
-        $query->where('status', Finding::STATUS_NEW);
-
-        $findingType = $this->getFindingTypeFilterValue();
-        if (is_string($findingType) && $findingType !== '') {
-            $query->where('finding_type', $findingType);
-        }
-
-        if ($this->filterIsActive('overdue')) {
-            $query->whereNotNull('due_at')->where('due_at', '<', now());
-        }
-
-        if ($this->filterIsActive('high_severity')) {
-            $query->whereIn('severity', [
-                Finding::SEVERITY_HIGH,
-                Finding::SEVERITY_CRITICAL,
-            ]);
-        }
-
-        if ($this->filterIsActive('my_assigned')) {
-            $userId = auth()->id();
-
-            if (is_numeric($userId)) {
-                $query->where('assignee_user_id', (int) $userId);
-            } else {
-                $query->whereRaw('1 = 0');
-            }
-        }
-
-        $scopeKeyState = $this->getTableFilterState('scope_key') ?? [];
-        $scopeKey = Arr::get($scopeKeyState, 'scope_key');
-        if (is_string($scopeKey) && $scopeKey !== '') {
-            $query->where('scope_key', $scopeKey);
-        }
-
-        $runIdsState = $this->getTableFilterState('run_ids') ?? [];
-        $baselineRunId = Arr::get($runIdsState, 'baseline_operation_run_id');
-        if (is_numeric($baselineRunId)) {
-            $query->where('baseline_operation_run_id', (int) $baselineRunId);
-        }
-
-        $currentRunId = Arr::get($runIdsState, 'current_operation_run_id');
-        if (is_numeric($currentRunId)) {
-            $query->where('current_operation_run_id', (int) $currentRunId);
-        }
-
-        return $query;
-    }
-
-    private function filterIsActive(string $filterName): bool
-    {
-        $state = $this->getTableFilterState($filterName);
-
-        if ($state === true) {
-            return true;
-        }
-
-        if (is_array($state)) {
-            $isActive = Arr::get($state, 'isActive');
-
-            return $isActive === true;
-        }
-
-        return false;
-    }
-
-    protected function getAllMatchingCount(): int
-    {
-        return (int) $this->buildAllMatchingQuery()->count();
-    }
-
-    protected function getStatusFilterValue(): string
-    {
-        $state = $this->getTableFilterState('status') ?? [];
-        $value = Arr::get($state, 'value');
-
-        return is_string($value) && $value !== ''
-            ? $value
-            : Finding::STATUS_NEW;
-    }
-
-    protected function getFindingTypeFilterValue(): ?string
-    {
-        $state = $this->getTableFilterState('finding_type') ?? [];
-        $value = Arr::get($state, 'value');
-
-        return is_string($value) && $value !== ''
-            ? $value
-            : null;
-    }
-}

app/Filament/Resources/FindingResource/Pages/ViewFinding.php

@@ -1,22 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\FindingResource\Pages;
-
-use App\Filament\Resources\FindingResource;
-use Filament\Actions;
-use Filament\Resources\Pages\ViewRecord;
-
-class ViewFinding extends ViewRecord
-{
-    protected static string $resource = FindingResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [
-            Actions\ActionGroup::make(FindingResource::workflowActions())
-                ->label('Actions')
-                ->icon('heroicon-o-ellipsis-vertical')
-                ->color('gray'),
-        ];
-    }
-}

app/Filament/Resources/OperationRunResource.php

@@ -1,482 +0,0 @@
-<?php
-
-namespace App\Filament\Resources;
-
-use App\Filament\Support\VerificationReportChangeIndicator;
-use App\Filament\Support\VerificationReportViewer;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Models\VerificationCheckAcknowledgement;
-use App\Support\Badges\BadgeDomain;
-use App\Support\Badges\BadgeRenderer;
-use App\Support\OperateHub\OperateHubShell;
-use App\Support\OperationCatalog;
-use App\Support\OperationRunLinks;
-use App\Support\OperationRunOutcome;
-use App\Support\OperationRunStatus;
-use App\Support\OpsUx\RunDetailPolling;
-use App\Support\OpsUx\RunDurationInsights;
-use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
-use App\Support\Ui\ActionSurface\ActionSurfaceDefaults;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
-use App\Support\Workspaces\WorkspaceContext;
-use BackedEnum;
-use Filament\Actions;
-use Filament\Facades\Filament;
-use Filament\Forms\Components\DatePicker;
-use Filament\Infolists\Components\TextEntry;
-use Filament\Infolists\Components\ViewEntry;
-use Filament\Resources\Resource;
-use Filament\Schemas\Components\Section;
-use Filament\Schemas\Schema;
-use Filament\Tables;
-use Filament\Tables\Table;
-use Illuminate\Database\Eloquent\Builder;
-use UnitEnum;
-
-class OperationRunResource extends Resource
-{
-    protected static bool $isScopedToTenant = false;
-
-    protected static ?string $model = OperationRun::class;
-
-    protected static ?string $slug = 'operations';
-
-    protected static bool $shouldRegisterNavigation = false;
-
-    protected static bool $isGloballySearchable = false;
-
-    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-queue-list';
-
-    protected static string|UnitEnum|null $navigationGroup = 'Monitoring';
-
-    protected static ?string $navigationLabel = 'Operations';
-
-    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
-    {
-        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::RunLog)
-            ->withDefaults(new ActionSurfaceDefaults(
-                moreGroupLabel: 'More',
-                exportIsDefaultBulkActionForReadOnly: false,
-            ))
-            ->exempt(
-                ActionSurfaceSlot::ListHeader,
-                'Run-log list intentionally has no list-header actions; navigation actions are provided by Monitoring shell pages.',
-            )
-            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ViewAction->value)
-            ->exempt(
-                ActionSurfaceSlot::ListBulkMoreGroup,
-                'Operation runs are immutable records; bulk export is deferred and tracked outside this retrofit.',
-            )
-            ->exempt(
-                ActionSurfaceSlot::ListEmptyState,
-                'Empty-state action is intentionally omitted; users can adjust filters/date range in-page.',
-            )
-            ->exempt(
-                ActionSurfaceSlot::DetailHeader,
-                'Tenantless detail view is informational and currently has no header actions.',
-            );
-    }
-
-    public static function getEloquentQuery(): Builder
-    {
-        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
-
-        return parent::getEloquentQuery()
-            ->with('user')
-            ->latest('id')
-            ->when($workspaceId, fn (Builder $query) => $query->where('workspace_id', (int) $workspaceId))
-            ->when(! $workspaceId, fn (Builder $query) => $query->whereRaw('1 = 0'));
-    }
-
-    public static function form(Schema $schema): Schema
-    {
-        return $schema;
-    }
-
-    public static function infolist(Schema $schema): Schema
-    {
-        return $schema
-            ->schema([
-                Section::make('Run')
-                    ->schema([
-                        TextEntry::make('type')
-                            ->badge()
-                            ->formatStateUsing(fn (?string $state): string => OperationCatalog::label((string) $state)),
-                        TextEntry::make('status')
-                            ->badge()
-                            ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunStatus))
-                            ->color(BadgeRenderer::color(BadgeDomain::OperationRunStatus))
-                            ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunStatus))
-                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunStatus)),
-                        TextEntry::make('outcome')
-                            ->badge()
-                            ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunOutcome))
-                            ->color(BadgeRenderer::color(BadgeDomain::OperationRunOutcome))
-                            ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunOutcome))
-                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunOutcome)),
-                        TextEntry::make('initiator_name')->label('Initiator'),
-                        TextEntry::make('target_scope_display')
-                            ->label('Target')
-                            ->getStateUsing(fn (OperationRun $record): ?string => static::targetScopeDisplay($record))
-                            ->visible(fn (OperationRun $record): bool => static::targetScopeDisplay($record) !== null)
-                            ->columnSpanFull(),
-                        TextEntry::make('target_scope_empty_state')
-                            ->label('Target')
-                            ->getStateUsing(static fn (): string => 'No target scope details were recorded for this run.')
-                            ->visible(fn (OperationRun $record): bool => static::targetScopeDisplay($record) === null)
-                            ->columnSpanFull(),
-                        TextEntry::make('elapsed')
-                            ->label('Elapsed')
-                            ->getStateUsing(fn (OperationRun $record): string => RunDurationInsights::elapsedHuman($record)),
-                        TextEntry::make('expected_duration')
-                            ->label('Expected')
-                            ->getStateUsing(fn (OperationRun $record): string => RunDurationInsights::expectedHuman($record) ?? '—'),
-                        TextEntry::make('stuck_guidance')
-                            ->label('')
-                            ->getStateUsing(fn (OperationRun $record): ?string => RunDurationInsights::stuckGuidance($record))
-                            ->visible(fn (OperationRun $record): bool => RunDurationInsights::stuckGuidance($record) !== null),
-                        TextEntry::make('created_at')->dateTime(),
-                        TextEntry::make('started_at')->dateTime()->placeholder('—'),
-                        TextEntry::make('completed_at')->dateTime()->placeholder('—'),
-                        TextEntry::make('run_identity_hash')->label('Identity hash')->copyable(),
-                    ])
-                    ->extraAttributes([
-                        'x-init' => '$wire.set(\'opsUxIsTabHidden\', document.hidden)',
-                        'x-on:visibilitychange.window' => '$wire.set(\'opsUxIsTabHidden\', document.hidden)',
-                    ])
-                    ->poll(function (OperationRun $record, $livewire): ?string {
-                        if (($livewire->opsUxIsTabHidden ?? false) === true) {
-                            return null;
-                        }
-
-                        if (filled($livewire->mountedActions ?? null)) {
-                            return null;
-                        }
-
-                        return RunDetailPolling::interval($record);
-                    })
-                    ->columns(2)
-                    ->columnSpanFull(),
-
-                Section::make('Counts')
-                    ->schema([
-                        ViewEntry::make('summary_counts')
-                            ->label('')
-                            ->view('filament.infolists.entries.snapshot-json')
-                            ->state(fn (OperationRun $record): array => $record->summary_counts ?? [])
-                            ->columnSpanFull(),
-                    ])
-                    ->visible(fn (OperationRun $record): bool => ! empty($record->summary_counts))
-                    ->columnSpanFull(),
-
-                Section::make('Failures')
-                    ->schema([
-                        ViewEntry::make('failure_summary')
-                            ->label('')
-                            ->view('filament.infolists.entries.snapshot-json')
-                            ->state(fn (OperationRun $record): array => $record->failure_summary ?? [])
-                            ->columnSpanFull(),
-                    ])
-                    ->visible(fn (OperationRun $record): bool => ! empty($record->failure_summary))
-                    ->columnSpanFull(),
-
-                Section::make('Verification report')
-                    ->schema([
-                        ViewEntry::make('verification_report')
-                            ->label('')
-                            ->view('filament.components.verification-report-viewer')
-                            ->state(fn (OperationRun $record): ?array => VerificationReportViewer::report($record))
-                            ->viewData(function (OperationRun $record): array {
-                                $report = VerificationReportViewer::report($record);
-                                $fingerprint = is_array($report) ? VerificationReportViewer::fingerprint($report) : null;
-
-                                $changeIndicator = VerificationReportChangeIndicator::forRun($record);
-
-                                $previousRunUrl = null;
-
-                                if ($changeIndicator !== null) {
-                                    $tenant = Filament::getTenant();
-
-                                    $previousRunUrl = $tenant instanceof Tenant
-                                        ? OperationRunLinks::view($changeIndicator['previous_report_id'], $tenant)
-                                        : OperationRunLinks::tenantlessView($changeIndicator['previous_report_id']);
-                                }
-
-                                $acknowledgements = VerificationCheckAcknowledgement::query()
-                                    ->where('tenant_id', (int) ($record->tenant_id ?? 0))
-                                    ->where('workspace_id', (int) ($record->workspace_id ?? 0))
-                                    ->where('operation_run_id', (int) $record->getKey())
-                                    ->with('acknowledgedByUser')
-                                    ->get()
-                                    ->mapWithKeys(static function (VerificationCheckAcknowledgement $ack): array {
-                                        $user = $ack->acknowledgedByUser;
-
-                                        return [
-                                            (string) $ack->check_key => [
-                                                'check_key' => (string) $ack->check_key,
-                                                'ack_reason' => (string) $ack->ack_reason,
-                                                'acknowledged_at' => $ack->acknowledged_at?->toJSON(),
-                                                'expires_at' => $ack->expires_at?->toJSON(),
-                                                'acknowledged_by' => $user instanceof User
-                                                    ? [
-                                                        'id' => (int) $user->getKey(),
-                                                        'name' => (string) $user->name,
-                                                    ]
-                                                    : null,
-                                            ],
-                                        ];
-                                    })
-                                    ->all();
-
-                                return [
-                                    'run' => [
-                                        'id' => (int) $record->getKey(),
-                                        'type' => (string) $record->type,
-                                        'status' => (string) $record->status,
-                                        'outcome' => (string) $record->outcome,
-                                        'started_at' => $record->started_at?->toJSON(),
-                                        'completed_at' => $record->completed_at?->toJSON(),
-                                    ],
-                                    'fingerprint' => $fingerprint,
-                                    'changeIndicator' => $changeIndicator,
-                                    'previousRunUrl' => $previousRunUrl,
-                                    'acknowledgements' => $acknowledgements,
-                                ];
-                            })
-                            ->columnSpanFull(),
-                    ])
-                    ->visible(fn (OperationRun $record): bool => VerificationReportViewer::shouldRenderForRun($record))
-                    ->columnSpanFull(),
-
-                Section::make('Context')
-                    ->schema([
-                        ViewEntry::make('context')
-                            ->label('')
-                            ->view('filament.infolists.entries.snapshot-json')
-                            ->state(function (OperationRun $record): array {
-                                $context = $record->context ?? [];
-                                $context = is_array($context) ? $context : [];
-
-                                if (array_key_exists('verification_report', $context)) {
-                                    $context['verification_report'] = [
-                                        'redacted' => true,
-                                        'note' => 'Rendered in the Verification report section.',
-                                    ];
-                                }
-
-                                return $context;
-                            })
-                            ->columnSpanFull(),
-                    ])
-                    ->columnSpanFull(),
-            ]);
-    }
-
-    public static function table(Table $table): Table
-    {
-        return $table
-            ->defaultSort('created_at', 'desc')
-            ->columns([
-                Tables\Columns\TextColumn::make('status')
-                    ->badge()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunStatus))
-                    ->color(BadgeRenderer::color(BadgeDomain::OperationRunStatus))
-                    ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunStatus))
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunStatus)),
-                Tables\Columns\TextColumn::make('type')
-                    ->label('Operation')
-                    ->formatStateUsing(fn (?string $state): string => OperationCatalog::label((string) $state))
-                    ->searchable()
-                    ->sortable(),
-                Tables\Columns\TextColumn::make('initiator_name')
-                    ->label('Initiator')
-                    ->searchable(),
-                Tables\Columns\TextColumn::make('created_at')
-                    ->label('Started')
-                    ->since()
-                    ->sortable(),
-                Tables\Columns\TextColumn::make('duration')
-                    ->getStateUsing(function (OperationRun $record): string {
-                        if ($record->started_at && $record->completed_at) {
-                            return $record->completed_at->diffForHumans($record->started_at, true);
-                        }
-
-                        return '—';
-                    }),
-                Tables\Columns\TextColumn::make('outcome')
-                    ->badge()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunOutcome))
-                    ->color(BadgeRenderer::color(BadgeDomain::OperationRunOutcome))
-                    ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunOutcome))
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunOutcome)),
-            ])
-            ->filters([
-                Tables\Filters\SelectFilter::make('tenant_id')
-                    ->label('Tenant')
-                    ->options(function (): array {
-                        $activeTenant = app(OperateHubShell::class)->activeEntitledTenant(request());
-
-                        if ($activeTenant instanceof Tenant) {
-                            return [
-                                (string) $activeTenant->getKey() => $activeTenant->getFilamentName(),
-                            ];
-                        }
-
-                        $user = auth()->user();
-
-                        if (! $user instanceof User) {
-                            return [];
-                        }
-
-                        return collect($user->getTenants(Filament::getCurrentOrDefaultPanel()))
-                            ->mapWithKeys(static fn (Tenant $tenant): array => [
-                                (string) $tenant->getKey() => $tenant->getFilamentName(),
-                            ])
-                            ->all();
-                    })
-                    ->default(function (): ?string {
-                        $activeTenant = app(OperateHubShell::class)->activeEntitledTenant(request());
-
-                        if (! $activeTenant instanceof Tenant) {
-                            return null;
-                        }
-
-                        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
-
-                        if ($workspaceId === null || (int) $activeTenant->workspace_id !== (int) $workspaceId) {
-                            return null;
-                        }
-
-                        return (string) $activeTenant->getKey();
-                    })
-                    ->searchable(),
-                Tables\Filters\SelectFilter::make('type')
-                    ->options(function (): array {
-                        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
-
-                        if ($workspaceId === null) {
-                            return [];
-                        }
-
-                        return OperationRun::query()
-                            ->where('workspace_id', (int) $workspaceId)
-                            ->select('type')
-                            ->distinct()
-                            ->orderBy('type')
-                            ->pluck('type', 'type')
-                            ->all();
-                    }),
-                Tables\Filters\SelectFilter::make('status')
-                    ->options([
-                        OperationRunStatus::Queued->value => 'Queued',
-                        OperationRunStatus::Running->value => 'Running',
-                        OperationRunStatus::Completed->value => 'Completed',
-                    ]),
-                Tables\Filters\SelectFilter::make('outcome')
-                    ->options(OperationRunOutcome::uiLabels(includeReserved: false)),
-                Tables\Filters\SelectFilter::make('initiator_name')
-                    ->label('Initiator')
-                    ->options(function (): array {
-                        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
-
-                        if ($workspaceId === null) {
-                            return [];
-                        }
-
-                        $tenant = Filament::getTenant();
-                        $tenantId = $tenant instanceof Tenant && (int) $tenant->workspace_id === (int) $workspaceId
-                            ? (int) $tenant->getKey()
-                            : null;
-
-                        return OperationRun::query()
-                            ->where('workspace_id', (int) $workspaceId)
-                            ->when($tenantId, fn (Builder $query): Builder => $query->where('tenant_id', $tenantId))
-                            ->whereNotNull('initiator_name')
-                            ->select('initiator_name')
-                            ->distinct()
-                            ->orderBy('initiator_name')
-                            ->pluck('initiator_name', 'initiator_name')
-                            ->all();
-                    })
-                    ->searchable(),
-                Tables\Filters\Filter::make('created_at')
-                    ->label('Created')
-                    ->form([
-                        DatePicker::make('created_from')
-                            ->label('From'),
-                        DatePicker::make('created_until')
-                            ->label('Until'),
-                    ])
-                    ->default(fn (): array => [
-                        'created_from' => now()->subDays(30),
-                        'created_until' => now(),
-                    ])
-                    ->query(function (Builder $query, array $data): Builder {
-                        $from = $data['created_from'] ?? null;
-                        if ($from) {
-                            $query->whereDate('created_at', '>=', $from);
-                        }
-
-                        $until = $data['created_until'] ?? null;
-                        if ($until) {
-                            $query->whereDate('created_at', '<=', $until);
-                        }
-
-                        return $query;
-                    }),
-            ])
-            ->actions([
-                Actions\ViewAction::make()
-                    ->label('View run')
-                    ->url(fn (OperationRun $record): string => route('admin.operations.view', ['run' => (int) $record->getKey()])),
-            ])
-            ->bulkActions([]);
-    }
-
-    public static function getPages(): array
-    {
-        return [];
-    }
-
-    private static function targetScopeDisplay(OperationRun $record): ?string
-    {
-        $context = is_array($record->context) ? $record->context : [];
-
-        $targetScope = $context['target_scope'] ?? null;
-        if (! is_array($targetScope)) {
-            return null;
-        }
-
-        $entraTenantName = $targetScope['entra_tenant_name'] ?? null;
-        $entraTenantId = $targetScope['entra_tenant_id'] ?? null;
-        $directoryContextId = $targetScope['directory_context_id'] ?? null;
-
-        $entraTenantName = is_string($entraTenantName) ? trim($entraTenantName) : null;
-        $entraTenantId = is_string($entraTenantId) ? trim($entraTenantId) : null;
-
-        $directoryContextId = match (true) {
-            is_string($directoryContextId) => trim($directoryContextId),
-            is_int($directoryContextId) => (string) $directoryContextId,
-            default => null,
-        };
-
-        $entra = null;
-
-        if ($entraTenantName !== null && $entraTenantName !== '') {
-            $entra = $entraTenantId ? "{$entraTenantName} ({$entraTenantId})" : $entraTenantName;
-        } elseif ($entraTenantId !== null && $entraTenantId !== '') {
-            $entra = $entraTenantId;
-        }
-
-        $parts = array_values(array_filter([
-            $entra,
-            $directoryContextId ? "directory_context_id: {$directoryContextId}" : null,
-        ], fn (?string $value): bool => $value !== null && $value !== ''));
-
-        return $parts !== [] ? implode(' · ', $parts) : null;
-    }
-}

app/Filament/Resources/PolicyResource/Pages/ListPolicies.php

@@ -1,99 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\PolicyResource\Pages;
-
-use App\Filament\Resources\PolicyResource;
-use App\Jobs\SyncPoliciesJob;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\OperationRunService;
-use App\Support\Auth\Capabilities;
-use App\Support\OperationRunLinks;
-use App\Support\OpsUx\OperationUxPresenter;
-use App\Support\OpsUx\OpsUxBrowserEvents;
-use App\Support\Rbac\UiEnforcement;
-use Filament\Actions;
-use Filament\Resources\Pages\ListRecords;
-
-class ListPolicies extends ListRecords
-{
-    protected static string $resource = PolicyResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [$this->makeSyncAction()];
-    }
-
-    protected function getTableEmptyStateActions(): array
-    {
-        return [$this->makeSyncAction()];
-    }
-
-    private function makeSyncAction(): Actions\Action
-    {
-        return UiEnforcement::forAction(
-            Actions\Action::make('sync')
-                ->label('Sync from Intune')
-                ->icon('heroicon-o-arrow-path')
-                ->color('primary')
-                ->requiresConfirmation()
-                ->modalHeading('Sync policies from Intune')
-                ->modalDescription('This queues a background sync operation for supported policy types in the current tenant.')
-                ->action(function (self $livewire): void {
-                    $tenant = Tenant::current();
-                    $user = auth()->user();
-
-                    if (! $user instanceof User || ! $tenant instanceof Tenant) {
-                        abort(404);
-                    }
-
-                    $requestedTypes = array_map(
-                        static fn (array $typeConfig): string => (string) $typeConfig['type'],
-                        config('tenantpilot.supported_policy_types', [])
-                    );
-
-                    sort($requestedTypes);
-
-                    /** @var OperationRunService $opService */
-                    $opService = app(OperationRunService::class);
-                    $opRun = $opService->ensureRun(
-                        tenant: $tenant,
-                        type: 'policy.sync',
-                        inputs: [
-                            'scope' => 'all',
-                            'types' => $requestedTypes,
-                        ],
-                        initiator: $user
-                    );
-
-                    if (! $opRun->wasRecentlyCreated && in_array($opRun->status, ['queued', 'running'], true)) {
-                        OpsUxBrowserEvents::dispatchRunEnqueued($livewire);
-                        OperationUxPresenter::alreadyQueuedToast((string) $opRun->type)
-                            ->actions([
-                                Actions\Action::make('view_run')
-                                    ->label('View run')
-                                    ->url(OperationRunLinks::view($opRun, $tenant)),
-                            ])
-                            ->send();
-
-                        return;
-                    }
-
-                    $opService->dispatchOrFail($opRun, function () use ($tenant, $requestedTypes, $opRun): void {
-                        SyncPoliciesJob::dispatch((int) $tenant->getKey(), $requestedTypes, null, $opRun);
-                    });
-                    OpsUxBrowserEvents::dispatchRunEnqueued($livewire);
-                    OperationUxPresenter::queuedToast((string) $opRun->type)
-                        ->actions([
-                            Actions\Action::make('view_run')
-                                ->label('View run')
-                                ->url(OperationRunLinks::view($opRun, $tenant)),
-                        ])
-                        ->send();
-                })
-        )
-            ->requireCapability(Capabilities::TENANT_SYNC)
-            ->tooltip('You do not have permission to sync policies.')
-            ->apply();
-    }
-}

app/Filament/Resources/PolicyVersionResource/Pages/ViewPolicyVersion.php

@@ -1,22 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\PolicyVersionResource\Pages;
-
-use App\Filament\Resources\PolicyVersionResource;
-use Filament\Resources\Pages\ViewRecord;
-use Filament\Support\Enums\Width;
-use Illuminate\Contracts\View\View;
-
-class ViewPolicyVersion extends ViewRecord
-{
-    protected static string $resource = PolicyVersionResource::class;
-
-    protected Width|string|null $maxContentWidth = Width::Full;
-
-    public function getFooter(): ?View
-    {
-        return view('filament.resources.policy-version-resource.pages.view-policy-version-footer', [
-            'record' => $this->getRecord(),
-        ]);
-    }
-}

app/Filament/Resources/ProviderConnectionResource/Pages/EditProviderConnection.php

@@ -1,874 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\ProviderConnectionResource\Pages;
-
-use App\Filament\Resources\ProviderConnectionResource;
-use App\Jobs\ProviderComplianceSnapshotJob;
-use App\Jobs\ProviderInventorySyncJob;
-use App\Models\OperationRun;
-use App\Models\ProviderConnection;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\Auth\CapabilityResolver;
-use App\Services\Intune\AuditLogger;
-use App\Services\Providers\CredentialManager;
-use App\Services\Providers\ProviderOperationStartGate;
-use App\Services\Verification\StartVerification;
-use App\Support\Auth\Capabilities;
-use App\Support\OperationRunLinks;
-use App\Support\OpsUx\OperationUxPresenter;
-use App\Support\OpsUx\OpsUxBrowserEvents;
-use App\Support\Rbac\UiEnforcement;
-use Filament\Actions;
-use Filament\Actions\Action;
-use Filament\Forms\Components\TextInput;
-use Filament\Notifications\Notification;
-use Filament\Resources\Pages\EditRecord;
-use Illuminate\Database\Eloquent\Model;
-
-class EditProviderConnection extends EditRecord
-{
-    protected static string $resource = ProviderConnectionResource::class;
-
-    public ?string $scopedTenantExternalId = null;
-
-    protected bool $shouldMakeDefault = false;
-
-    protected bool $defaultWasChanged = false;
-
-    public function mount($record): void
-    {
-        parent::mount($record);
-
-        $recordTenant = $this->record instanceof ProviderConnection
-            ? ProviderConnectionResource::resolveTenantForRecord($this->record)
-            : null;
-
-        if ($recordTenant instanceof Tenant) {
-            $this->scopedTenantExternalId = (string) $recordTenant->external_id;
-
-            return;
-        }
-
-        $tenantIdFromQuery = request()->query('tenant_id');
-
-        if (is_string($tenantIdFromQuery) && $tenantIdFromQuery !== '') {
-            $this->scopedTenantExternalId = $tenantIdFromQuery;
-
-            return;
-        }
-
-        $tenant = request()->route('tenant');
-
-        if ($tenant instanceof Tenant) {
-            $this->scopedTenantExternalId = (string) $tenant->external_id;
-
-            return;
-        }
-
-        if (is_string($tenant) && $tenant !== '') {
-            $this->scopedTenantExternalId = $tenant;
-        }
-    }
-
-    protected function mutateFormDataBeforeSave(array $data): array
-    {
-        $this->shouldMakeDefault = (bool) ($data['is_default'] ?? false);
-        unset($data['is_default']);
-
-        return $data;
-    }
-
-    protected function afterSave(): void
-    {
-        $record = $this->getRecord();
-
-        $tenant = $record instanceof ProviderConnection
-            ? ($record->tenant ?? $this->currentTenant())
-            : $this->currentTenant();
-
-        if (! $tenant instanceof Tenant) {
-            return;
-        }
-
-        $changedFields = array_values(array_diff(array_keys($record->getChanges()), ['updated_at']));
-
-        if ($this->shouldMakeDefault && ! $record->is_default) {
-            $record->makeDefault();
-            $this->defaultWasChanged = true;
-        }
-
-        $hasDefault = $tenant->providerConnections()
-            ->where('provider', $record->provider)
-            ->where('is_default', true)
-            ->exists();
-
-        if (! $hasDefault) {
-            $record->makeDefault();
-            $this->defaultWasChanged = true;
-        }
-
-        $user = auth()->user();
-        $actorId = $user instanceof User ? (int) $user->getKey() : null;
-        $actorEmail = $user instanceof User ? $user->email : null;
-        $actorName = $user instanceof User ? $user->name : null;
-
-        if ($changedFields !== []) {
-            app(AuditLogger::class)->log(
-                tenant: $tenant,
-                action: 'provider_connection.updated',
-                context: [
-                    'metadata' => [
-                        'provider' => $record->provider,
-                        'entra_tenant_id' => $record->entra_tenant_id,
-                        'fields' => $changedFields,
-                    ],
-                ],
-                actorId: $actorId,
-                actorEmail: $actorEmail,
-                actorName: $actorName,
-                resourceType: 'provider_connection',
-                resourceId: (string) $record->getKey(),
-                status: 'success',
-            );
-        }
-
-        if ($this->defaultWasChanged) {
-            app(AuditLogger::class)->log(
-                tenant: $tenant,
-                action: 'provider_connection.default_set',
-                context: [
-                    'metadata' => [
-                        'provider' => $record->provider,
-                        'entra_tenant_id' => $record->entra_tenant_id,
-                    ],
-                ],
-                actorId: $actorId,
-                actorEmail: $actorEmail,
-                actorName: $actorName,
-                resourceType: 'provider_connection',
-                resourceId: (string) $record->getKey(),
-                status: 'success',
-            );
-        }
-    }
-
-    protected function getHeaderActions(): array
-    {
-        $tenant = $this->currentTenant();
-
-        return [
-            Actions\DeleteAction::make()
-                ->visible(false),
-
-            Actions\ActionGroup::make([
-                UiEnforcement::forAction(
-                    Action::make('view_last_check_run')
-                        ->label('View last check run')
-                        ->icon('heroicon-o-eye')
-                        ->color('gray')
-                        ->visible(fn (ProviderConnection $record): bool => $tenant instanceof Tenant
-                            && OperationRun::query()
-                                ->where('tenant_id', $tenant->getKey())
-                                ->where('type', 'provider.connection.check')
-                                ->where('context->provider_connection_id', (int) $record->getKey())
-                                ->exists())
-                        ->url(function (ProviderConnection $record): ?string {
-                            $tenant = $this->currentTenant();
-
-                            if (! $tenant instanceof Tenant) {
-                                return null;
-                            }
-
-                            $run = OperationRun::query()
-                                ->where('tenant_id', $tenant->getKey())
-                                ->where('type', 'provider.connection.check')
-                                ->where('context->provider_connection_id', (int) $record->getKey())
-                                ->orderByDesc('id')
-                                ->first();
-
-                            if (! $run instanceof OperationRun) {
-                                return null;
-                            }
-
-                            return OperationRunLinks::view($run, $tenant);
-                        })
-                )
-                    ->requireCapability(Capabilities::PROVIDER_VIEW)
-                    ->tooltip('You do not have permission to view provider connections.')
-                    ->preserveVisibility()
-                    ->apply(),
-
-                UiEnforcement::forAction(
-                    Action::make('check_connection')
-                        ->label('Check connection')
-                        ->icon('heroicon-o-check-badge')
-                        ->color('success')
-                        ->visible(function (ProviderConnection $record): bool {
-                            $tenant = $this->currentTenant();
-                            $user = auth()->user();
-
-                            return $tenant instanceof Tenant
-                            && $user instanceof User
-                                && $user->canAccessTenant($tenant)
-                                && $record->status !== 'disabled';
-                        })
-                        ->action(function (ProviderConnection $record, StartVerification $verification): void {
-                            $tenant = $this->currentTenant();
-                            $user = auth()->user();
-
-                            if (! $tenant instanceof Tenant) {
-                                abort(404);
-                            }
-
-                            if (! $user instanceof User) {
-                                abort(403);
-                            }
-
-                            if (! $user->canAccessTenant($tenant)) {
-                                abort(404);
-                            }
-
-                            $initiator = $user;
-
-                            $result = $verification->providerConnectionCheck(
-                                tenant: $tenant,
-                                connection: $record,
-                                initiator: $initiator,
-                            );
-
-                            if ($result->status === 'scope_busy') {
-                                Notification::make()
-                                    ->title('Scope busy')
-                                    ->body('Another provider operation is already running for this connection.')
-                                    ->warning()
-                                    ->actions([
-                                        Action::make('view_run')
-                                            ->label('View run')
-                                            ->url(OperationRunLinks::view($result->run, $tenant)),
-                                        Action::make('manage_connections')
-                                            ->label('Manage Provider Connections')
-                                            ->url(ProviderConnectionResource::getUrl('index', tenant: $tenant)),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            if ($result->status === 'deduped') {
-                                OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                                OperationUxPresenter::alreadyQueuedToast((string) $result->run->type)
-                                    ->actions([
-                                        Action::make('view_run')
-                                            ->label('View run')
-                                            ->url(OperationRunLinks::view($result->run, $tenant)),
-                                        Action::make('manage_connections')
-                                            ->label('Manage Provider Connections')
-                                            ->url(ProviderConnectionResource::getUrl('index', tenant: $tenant)),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            if ($result->status === 'blocked') {
-                                $reasonCode = is_string($result->run->context['reason_code'] ?? null)
-                                    ? (string) $result->run->context['reason_code']
-                                    : 'unknown_error';
-
-                                Notification::make()
-                                    ->title('Connection check blocked')
-                                    ->body("Blocked by provider configuration ({$reasonCode}).")
-                                    ->warning()
-                                    ->actions([
-                                        Action::make('view_run')
-                                            ->label('View run')
-                                            ->url(OperationRunLinks::view($result->run, $tenant)),
-                                        Action::make('manage_connections')
-                                            ->label('Manage Provider Connections')
-                                            ->url(ProviderConnectionResource::getUrl('index', tenant: $tenant)),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                            OperationUxPresenter::queuedToast((string) $result->run->type)
-                                ->actions([
-                                    Action::make('view_run')
-                                        ->label('View run')
-                                        ->url(OperationRunLinks::view($result->run, $tenant)),
-                                ])
-                                ->send();
-                        })
-                )
-                    ->preserveVisibility()
-                    ->requireCapability(Capabilities::PROVIDER_RUN)
-                    ->apply(),
-
-                UiEnforcement::forAction(
-                    Action::make('update_credentials')
-                        ->label('Update credentials')
-                        ->icon('heroicon-o-key')
-                        ->color('primary')
-                        ->requiresConfirmation()
-                        ->modalDescription('Client secret is stored encrypted and will never be shown again.')
-                        ->visible(fn (): bool => $tenant instanceof Tenant)
-                        ->form([
-                            TextInput::make('client_id')
-                                ->label('Client ID')
-                                ->required()
-                                ->maxLength(255),
-                            TextInput::make('client_secret')
-                                ->label('Client secret')
-                                ->password()
-                                ->required()
-                                ->maxLength(255),
-                        ])
-                        ->action(function (array $data, ProviderConnection $record, CredentialManager $credentials, AuditLogger $auditLogger): void {
-                            $tenant = $this->currentTenant();
-
-                            if (! $tenant instanceof Tenant) {
-                                abort(404);
-                            }
-
-                            $credentials->upsertClientSecretCredential(
-                                connection: $record,
-                                clientId: (string) $data['client_id'],
-                                clientSecret: (string) $data['client_secret'],
-                            );
-
-                            $user = auth()->user();
-                            $actorId = $user instanceof User ? (int) $user->getKey() : null;
-                            $actorEmail = $user instanceof User ? $user->email : null;
-                            $actorName = $user instanceof User ? $user->name : null;
-
-                            $auditLogger->log(
-                                tenant: $tenant,
-                                action: 'provider_connection.credentials_updated',
-                                context: [
-                                    'metadata' => [
-                                        'provider' => $record->provider,
-                                        'entra_tenant_id' => $record->entra_tenant_id,
-                                        'client_id' => (string) $data['client_id'],
-                                    ],
-                                ],
-                                actorId: $actorId,
-                                actorEmail: $actorEmail,
-                                actorName: $actorName,
-                                resourceType: 'provider_connection',
-                                resourceId: (string) $record->getKey(),
-                                status: 'success',
-                            );
-
-                            Notification::make()
-                                ->title('Credentials updated')
-                                ->success()
-                                ->send();
-                        })
-                )
-                    ->requireCapability(Capabilities::PROVIDER_MANAGE)
-                    ->tooltip('You do not have permission to manage provider connections.')
-                    ->preserveVisibility()
-                    ->apply(),
-
-                UiEnforcement::forAction(
-                    Action::make('set_default')
-                        ->label('Set as default')
-                        ->icon('heroicon-o-star')
-                        ->color('primary')
-                        ->requiresConfirmation()
-                        ->visible(fn (ProviderConnection $record): bool => $tenant instanceof Tenant
-                            && $record->status !== 'disabled'
-                            && ! $record->is_default
-                            && ProviderConnection::query()
-                                ->where('tenant_id', $tenant->getKey())
-                                ->where('provider', $record->provider)
-                                ->count() > 1)
-                        ->action(function (ProviderConnection $record, AuditLogger $auditLogger): void {
-                            $tenant = $this->currentTenant();
-
-                            if (! $tenant instanceof Tenant) {
-                                abort(404);
-                            }
-
-                            $record->makeDefault();
-
-                            $user = auth()->user();
-                            $actorId = $user instanceof User ? (int) $user->getKey() : null;
-                            $actorEmail = $user instanceof User ? $user->email : null;
-                            $actorName = $user instanceof User ? $user->name : null;
-
-                            $auditLogger->log(
-                                tenant: $tenant,
-                                action: 'provider_connection.default_set',
-                                context: [
-                                    'metadata' => [
-                                        'provider' => $record->provider,
-                                        'entra_tenant_id' => $record->entra_tenant_id,
-                                    ],
-                                ],
-                                actorId: $actorId,
-                                actorEmail: $actorEmail,
-                                actorName: $actorName,
-                                resourceType: 'provider_connection',
-                                resourceId: (string) $record->getKey(),
-                                status: 'success',
-                            );
-
-                            Notification::make()
-                                ->title('Default connection updated')
-                                ->success()
-                                ->send();
-                        })
-                )
-                    ->requireCapability(Capabilities::PROVIDER_MANAGE)
-                    ->tooltip('You do not have permission to manage provider connections.')
-                    ->preserveVisibility()
-                    ->apply(),
-
-                UiEnforcement::forAction(
-                    Action::make('inventory_sync')
-                        ->label('Inventory sync')
-                        ->icon('heroicon-o-arrow-path')
-                        ->color('info')
-                        ->visible(function (ProviderConnection $record): bool {
-                            $tenant = $this->currentTenant();
-                            $user = auth()->user();
-
-                            return $tenant instanceof Tenant
-                                && $user instanceof User
-                                && $user->canAccessTenant($tenant)
-                                && $record->status !== 'disabled';
-                        })
-                        ->action(function (ProviderConnection $record, ProviderOperationStartGate $gate): void {
-                            $tenant = $this->currentTenant();
-                            $user = auth()->user();
-
-                            if (! $tenant instanceof Tenant) {
-                                abort(404);
-                            }
-
-                            if (! $user instanceof User) {
-                                abort(403);
-                            }
-
-                            if (! $user->canAccessTenant($tenant)) {
-                                abort(404);
-                            }
-
-                            $initiator = $user;
-
-                            $result = $gate->start(
-                                tenant: $tenant,
-                                connection: $record,
-                                operationType: 'inventory_sync',
-                                dispatcher: function (OperationRun $operationRun) use ($tenant, $initiator, $record): void {
-                                    ProviderInventorySyncJob::dispatch(
-                                        tenantId: (int) $tenant->getKey(),
-                                        userId: (int) $initiator->getKey(),
-                                        providerConnectionId: (int) $record->getKey(),
-                                        operationRun: $operationRun,
-                                    );
-                                },
-                                initiator: $initiator,
-                            );
-
-                            if ($result->status === 'scope_busy') {
-                                Notification::make()
-                                    ->title('Scope is busy')
-                                    ->body('Another provider operation is already running for this connection.')
-                                    ->danger()
-                                    ->actions([
-                                        Action::make('view_run')
-                                            ->label('View run')
-                                            ->url(OperationRunLinks::view($result->run, $tenant)),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            if ($result->status === 'deduped') {
-                                OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                                OperationUxPresenter::alreadyQueuedToast((string) $result->run->type)
-                                    ->actions([
-                                        Action::make('view_run')
-                                            ->label('View run')
-                                            ->url(OperationRunLinks::view($result->run, $tenant)),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            if ($result->status === 'blocked') {
-                                $reasonCode = is_string($result->run->context['reason_code'] ?? null)
-                                    ? (string) $result->run->context['reason_code']
-                                    : 'unknown_error';
-
-                                Notification::make()
-                                    ->title('Inventory sync blocked')
-                                    ->body("Blocked by provider configuration ({$reasonCode}).")
-                                    ->warning()
-                                    ->actions([
-                                        Action::make('view_run')
-                                            ->label('View run')
-                                            ->url(OperationRunLinks::view($result->run, $tenant)),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                            OperationUxPresenter::queuedToast((string) $result->run->type)
-                                ->actions([
-                                    Action::make('view_run')
-                                        ->label('View run')
-                                        ->url(OperationRunLinks::view($result->run, $tenant)),
-                                ])
-                                ->send();
-                        })
-                )
-                    ->requireCapability(Capabilities::PROVIDER_RUN)
-                    ->tooltip('You do not have permission to run provider operations.')
-                    ->preserveVisibility()
-                    ->apply(),
-
-                UiEnforcement::forAction(
-                    Action::make('compliance_snapshot')
-                        ->label('Compliance snapshot')
-                        ->icon('heroicon-o-shield-check')
-                        ->color('info')
-                        ->visible(function (ProviderConnection $record): bool {
-                            $tenant = $this->currentTenant();
-                            $user = auth()->user();
-
-                            return $tenant instanceof Tenant
-                                && $user instanceof User
-                                && $user->canAccessTenant($tenant)
-                                && $record->status !== 'disabled';
-                        })
-                        ->action(function (ProviderConnection $record, ProviderOperationStartGate $gate): void {
-                            $tenant = $this->currentTenant();
-                            $user = auth()->user();
-
-                            if (! $tenant instanceof Tenant) {
-                                abort(404);
-                            }
-
-                            if (! $user instanceof User) {
-                                abort(403);
-                            }
-
-                            if (! $user->canAccessTenant($tenant)) {
-                                abort(404);
-                            }
-
-                            $initiator = $user;
-
-                            $result = $gate->start(
-                                tenant: $tenant,
-                                connection: $record,
-                                operationType: 'compliance.snapshot',
-                                dispatcher: function (OperationRun $operationRun) use ($tenant, $initiator, $record): void {
-                                    ProviderComplianceSnapshotJob::dispatch(
-                                        tenantId: (int) $tenant->getKey(),
-                                        userId: (int) $initiator->getKey(),
-                                        providerConnectionId: (int) $record->getKey(),
-                                        operationRun: $operationRun,
-                                    );
-                                },
-                                initiator: $initiator,
-                            );
-
-                            if ($result->status === 'scope_busy') {
-                                Notification::make()
-                                    ->title('Scope is busy')
-                                    ->body('Another provider operation is already running for this connection.')
-                                    ->danger()
-                                    ->actions([
-                                        Action::make('view_run')
-                                            ->label('View run')
-                                            ->url(OperationRunLinks::view($result->run, $tenant)),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            if ($result->status === 'deduped') {
-                                OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                                OperationUxPresenter::alreadyQueuedToast((string) $result->run->type)
-                                    ->actions([
-                                        Action::make('view_run')
-                                            ->label('View run')
-                                            ->url(OperationRunLinks::view($result->run, $tenant)),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            if ($result->status === 'blocked') {
-                                $reasonCode = is_string($result->run->context['reason_code'] ?? null)
-                                    ? (string) $result->run->context['reason_code']
-                                    : 'unknown_error';
-
-                                Notification::make()
-                                    ->title('Compliance snapshot blocked')
-                                    ->body("Blocked by provider configuration ({$reasonCode}).")
-                                    ->warning()
-                                    ->actions([
-                                        Action::make('view_run')
-                                            ->label('View run')
-                                            ->url(OperationRunLinks::view($result->run, $tenant)),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                            OperationUxPresenter::queuedToast((string) $result->run->type)
-                                ->actions([
-                                    Action::make('view_run')
-                                        ->label('View run')
-                                        ->url(OperationRunLinks::view($result->run, $tenant)),
-                                ])
-                                ->send();
-                        })
-                )
-                    ->requireCapability(Capabilities::PROVIDER_RUN)
-                    ->tooltip('You do not have permission to run provider operations.')
-                    ->preserveVisibility()
-                    ->apply(),
-
-                UiEnforcement::forAction(
-                    Action::make('enable_connection')
-                        ->label('Enable connection')
-                        ->icon('heroicon-o-play')
-                        ->color('success')
-                        ->requiresConfirmation()
-                        ->visible(fn (ProviderConnection $record): bool => $record->status === 'disabled')
-                        ->action(function (ProviderConnection $record, AuditLogger $auditLogger): void {
-                            $tenant = $this->currentTenant();
-
-                            if (! $tenant instanceof Tenant) {
-                                return;
-                            }
-
-                            $hadCredentials = $record->credential()->exists();
-                            $previousStatus = (string) $record->status;
-
-                            $status = $hadCredentials ? 'connected' : 'needs_consent';
-                            $errorReasonCode = null;
-                            $errorMessage = null;
-
-                            $record->update([
-                                'status' => $status,
-                                'health_status' => 'unknown',
-                                'last_health_check_at' => null,
-                                'last_error_reason_code' => $errorReasonCode,
-                                'last_error_message' => $errorMessage,
-                            ]);
-
-                            $user = auth()->user();
-                            $actorId = $user instanceof User ? (int) $user->getKey() : null;
-                            $actorEmail = $user instanceof User ? $user->email : null;
-                            $actorName = $user instanceof User ? $user->name : null;
-
-                            $auditLogger->log(
-                                tenant: $tenant,
-                                action: 'provider_connection.enabled',
-                                context: [
-                                    'metadata' => [
-                                        'provider' => $record->provider,
-                                        'entra_tenant_id' => $record->entra_tenant_id,
-                                        'from_status' => $previousStatus,
-                                        'to_status' => $status,
-                                        'credentials_present' => $hadCredentials,
-                                    ],
-                                ],
-                                actorId: $actorId,
-                                actorEmail: $actorEmail,
-                                actorName: $actorName,
-                                resourceType: 'provider_connection',
-                                resourceId: (string) $record->getKey(),
-                                status: 'success',
-                            );
-
-                            if (! $hadCredentials) {
-                                Notification::make()
-                                    ->title('Connection enabled (needs consent)')
-                                    ->body('Grant admin consent before running checks or operations.')
-                                    ->warning()
-                                    ->send();
-
-                                return;
-                            }
-
-                            Notification::make()
-                                ->title('Provider connection enabled')
-                                ->success()
-                                ->send();
-                        })
-                )
-                    ->requireCapability(Capabilities::PROVIDER_MANAGE)
-                    ->tooltip('You do not have permission to manage provider connections.')
-                    ->preserveVisibility()
-                    ->apply(),
-
-                UiEnforcement::forAction(
-                    Action::make('disable_connection')
-                        ->label('Disable connection')
-                        ->icon('heroicon-o-archive-box-x-mark')
-                        ->color('danger')
-                        ->requiresConfirmation()
-                        ->visible(fn (ProviderConnection $record): bool => $record->status !== 'disabled')
-                        ->action(function (ProviderConnection $record, AuditLogger $auditLogger): void {
-                            $tenant = $this->currentTenant();
-
-                            if (! $tenant instanceof Tenant) {
-                                return;
-                            }
-
-                            $previousStatus = (string) $record->status;
-
-                            $record->update([
-                                'status' => 'disabled',
-                            ]);
-
-                            $user = auth()->user();
-                            $actorId = $user instanceof User ? (int) $user->getKey() : null;
-                            $actorEmail = $user instanceof User ? $user->email : null;
-                            $actorName = $user instanceof User ? $user->name : null;
-
-                            $auditLogger->log(
-                                tenant: $tenant,
-                                action: 'provider_connection.disabled',
-                                context: [
-                                    'metadata' => [
-                                        'provider' => $record->provider,
-                                        'entra_tenant_id' => $record->entra_tenant_id,
-                                        'from_status' => $previousStatus,
-                                    ],
-                                ],
-                                actorId: $actorId,
-                                actorEmail: $actorEmail,
-                                actorName: $actorName,
-                                resourceType: 'provider_connection',
-                                resourceId: (string) $record->getKey(),
-                                status: 'success',
-                            );
-
-                            Notification::make()
-                                ->title('Provider connection disabled')
-                                ->warning()
-                                ->send();
-                        })
-                )
-                    ->requireCapability(Capabilities::PROVIDER_MANAGE)
-                    ->tooltip('You do not have permission to manage provider connections.')
-                    ->preserveVisibility()
-                    ->apply(),
-            ])
-                ->label('Actions')
-                ->icon('heroicon-o-ellipsis-vertical')
-                ->color('gray'),
-        ];
-    }
-
-    protected function getFormActions(): array
-    {
-        $tenant = $this->currentTenant();
-
-        $user = auth()->user();
-
-        if (! $tenant instanceof Tenant || ! $user instanceof User) {
-            return [
-                $this->getCancelFormAction(),
-            ];
-        }
-
-        $capabilityResolver = app(CapabilityResolver::class);
-
-        if ($capabilityResolver->can($user, $tenant, Capabilities::PROVIDER_MANAGE)) {
-            return parent::getFormActions();
-        }
-
-        return [
-            $this->getCancelFormAction(),
-        ];
-    }
-
-    protected function handleRecordUpdate(Model $record, array $data): Model
-    {
-        $tenant = $record instanceof ProviderConnection
-            ? ($record->tenant ?? $this->currentTenant())
-            : $this->currentTenant();
-
-        $user = auth()->user();
-
-        if (! $tenant instanceof Tenant || ! $user instanceof User) {
-            abort(404);
-        }
-
-        $capabilityResolver = app(CapabilityResolver::class);
-
-        if (! $capabilityResolver->isMember($user, $tenant)) {
-            abort(404);
-        }
-
-        if (! $capabilityResolver->can($user, $tenant, Capabilities::PROVIDER_MANAGE)) {
-            abort(403);
-        }
-
-        return parent::handleRecordUpdate($record, $data);
-    }
-
-    private function currentTenant(): ?Tenant
-    {
-        if (isset($this->record) && $this->record instanceof ProviderConnection) {
-            $recordTenant = ProviderConnectionResource::resolveTenantForRecord($this->record);
-
-            if ($recordTenant instanceof Tenant) {
-                return $recordTenant;
-            }
-        }
-
-        if (is_string($this->scopedTenantExternalId) && $this->scopedTenantExternalId !== '') {
-            return Tenant::query()
-                ->where('external_id', $this->scopedTenantExternalId)
-                ->first();
-        }
-
-        $tenant = request()->route('tenant');
-
-        if ($tenant instanceof Tenant) {
-            return $tenant;
-        }
-
-        if (is_string($tenant) && $tenant !== '') {
-            return Tenant::query()
-                ->where('external_id', $tenant)
-                ->first();
-        }
-
-        $tenantFromCreateResolution = ProviderConnectionResource::resolveTenantForCreate();
-
-        if ($tenantFromCreateResolution instanceof Tenant) {
-            return $tenantFromCreateResolution;
-        }
-
-        return Tenant::current();
-    }
-}

app/Filament/Resources/ProviderConnectionResource/Pages/ViewProviderConnection.php

@@ -1,28 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\ProviderConnectionResource\Pages;
-
-use App\Filament\Resources\ProviderConnectionResource;
-use App\Support\Auth\Capabilities;
-use App\Support\Rbac\UiEnforcement;
-use Filament\Actions;
-use Filament\Resources\Pages\ViewRecord;
-
-class ViewProviderConnection extends ViewRecord
-{
-    protected static string $resource = ProviderConnectionResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [
-            UiEnforcement::forAction(
-                Actions\Action::make('edit')
-                    ->label('Edit')
-                    ->icon('heroicon-o-pencil-square')
-                    ->url(fn (): string => ProviderConnectionResource::getUrl('edit', ['record' => $this->record]))
-            )
-                ->requireCapability(Capabilities::PROVIDER_MANAGE)
-                ->apply(),
-        ];
-    }
-}

app/Filament/Resources/RestoreRunResource/Pages/ListRestoreRuns.php

@@ -1,43 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\RestoreRunResource\Pages;
-
-use App\Filament\Resources\RestoreRunResource;
-use App\Support\Auth\Capabilities;
-use App\Support\Rbac\UiEnforcement;
-use Filament\Actions;
-use Filament\Resources\Pages\ListRecords;
-
-class ListRestoreRuns extends ListRecords
-{
-    protected static string $resource = RestoreRunResource::class;
-
-    private function tableHasRecords(): bool
-    {
-        return $this->getTableRecords()->count() > 0;
-    }
-
-    protected function getHeaderActions(): array
-    {
-        $create = Actions\CreateAction::make();
-        UiEnforcement::forAction($create)
-            ->requireCapability(Capabilities::TENANT_MANAGE)
-            ->apply();
-
-        return [
-            $create->visible(fn (): bool => $this->tableHasRecords()),
-        ];
-    }
-
-    protected function getTableEmptyStateActions(): array
-    {
-        $create = Actions\CreateAction::make();
-        UiEnforcement::forAction($create)
-            ->requireCapability(Capabilities::TENANT_MANAGE)
-            ->apply();
-
-        return [
-            $create,
-        ];
-    }
-}

app/Filament/Resources/RestoreRunResource/Pages/ViewRestoreRun.php

@@ -1,11 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\RestoreRunResource\Pages;
-
-use App\Filament\Resources\RestoreRunResource;
-use Filament\Resources\Pages\ViewRecord;
-
-class ViewRestoreRun extends ViewRecord
-{
-    protected static string $resource = RestoreRunResource::class;
-}

app/Filament/Resources/TenantResource/Pages/EditTenant.php

@@ -1,38 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\TenantResource\Pages;
-
-use App\Filament\Resources\TenantResource;
-use App\Models\Tenant;
-use App\Support\Auth\Capabilities;
-use App\Support\Rbac\UiEnforcement;
-use Filament\Actions;
-use Filament\Actions\Action;
-use Filament\Resources\Pages\EditRecord;
-
-class EditTenant extends EditRecord
-{
-    protected static string $resource = TenantResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [
-            Actions\ViewAction::make(),
-            UiEnforcement::forAction(
-                Action::make('archive')
-                    ->label('Archive')
-                    ->color('danger')
-                    ->requiresConfirmation()
-                    ->visible(fn (Tenant $record): bool => ! $record->trashed())
-                    ->action(function (Tenant $record): void {
-                        $record->delete();
-                    })
-            )
-                ->requireCapability(Capabilities::TENANT_DELETE)
-                ->tooltip('You do not have permission to archive tenants.')
-                ->preserveVisibility()
-                ->destructive()
-                ->apply(),
-        ];
-    }
-}

app/Filament/Resources/TenantResource/Pages/ListTenants.php

@@ -1,33 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\TenantResource\Pages;
-
-use App\Filament\Resources\TenantResource;
-use Filament\Actions;
-use Filament\Resources\Pages\ListRecords;
-
-class ListTenants extends ListRecords
-{
-    protected static string $resource = TenantResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [
-            Actions\Action::make('add_tenant')
-                ->label('Add tenant')
-                ->icon('heroicon-m-plus')
-                ->url(route('admin.onboarding'))
-                ->visible(fn (): bool => $this->getTableRecords()->count() > 0),
-        ];
-    }
-
-    protected function getTableEmptyStateActions(): array
-    {
-        return [
-            Actions\Action::make('add_tenant')
-                ->label('Add tenant')
-                ->icon('heroicon-m-plus')
-                ->url(route('admin.onboarding')),
-        ];
-    }
-}

app/Filament/Resources/TenantResource/Pages/ViewTenant.php

@@ -1,307 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\TenantResource\Pages;
-
-use App\Filament\Resources\ProviderConnectionResource;
-use App\Filament\Resources\TenantResource;
-use App\Filament\Widgets\Tenant\AdminRolesSummaryWidget;
-use App\Filament\Widgets\Tenant\RecentOperationsSummary;
-use App\Filament\Widgets\Tenant\TenantArchivedBanner;
-use App\Filament\Widgets\Tenant\TenantVerificationReport;
-use App\Jobs\RefreshTenantRbacHealthJob;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\Intune\AuditLogger;
-use App\Services\OperationRunService;
-use App\Services\Verification\StartVerification;
-use App\Support\Auth\Capabilities;
-use App\Support\OperationRunLinks;
-use App\Support\OperationRunType;
-use App\Support\OpsUx\OperationUxPresenter;
-use App\Support\OpsUx\OpsUxBrowserEvents;
-use App\Support\Rbac\UiEnforcement;
-use Filament\Actions;
-use Filament\Notifications\Notification;
-use Filament\Resources\Pages\ViewRecord;
-
-class ViewTenant extends ViewRecord
-{
-    protected static string $resource = TenantResource::class;
-
-    public function getHeaderWidgetsColumns(): int|array
-    {
-        return 1;
-    }
-
-    protected function getHeaderWidgets(): array
-    {
-        return [
-            TenantArchivedBanner::class,
-            RecentOperationsSummary::class,
-            TenantVerificationReport::class,
-            AdminRolesSummaryWidget::class,
-        ];
-    }
-
-    protected function getHeaderActions(): array
-    {
-        return [
-            Actions\ActionGroup::make([
-                UiEnforcement::forAction(
-                    Actions\Action::make('provider_connections')
-                        ->label('Provider connections')
-                        ->icon('heroicon-o-link')
-                        ->url(fn (Tenant $record): string => ProviderConnectionResource::getUrl('index', ['tenant_id' => $record->external_id], panel: 'admin'))
-                )
-                    ->requireCapability(Capabilities::PROVIDER_VIEW)
-                    ->apply(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('edit')
-                        ->label('Edit')
-                        ->icon('heroicon-o-pencil-square')
-                        ->url(fn (Tenant $record): string => TenantResource::getUrl('edit', ['record' => $record]))
-                )
-                    ->requireCapability(Capabilities::TENANT_MANAGE)
-                    ->apply(),
-                Actions\Action::make('admin_consent')
-                    ->label('Admin consent')
-                    ->icon('heroicon-o-clipboard-document')
-                    ->url(fn (Tenant $record) => TenantResource::adminConsentUrl($record))
-                    ->visible(fn (Tenant $record) => TenantResource::adminConsentUrl($record) !== null)
-                    ->openUrlInNewTab(),
-                Actions\Action::make('open_in_entra')
-                    ->label('Open in Entra')
-                    ->icon('heroicon-o-arrow-top-right-on-square')
-                    ->url(fn (Tenant $record) => TenantResource::entraUrl($record))
-                    ->visible(fn (Tenant $record) => TenantResource::entraUrl($record) !== null)
-                    ->openUrlInNewTab(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('verify')
-                        ->label('Verify configuration')
-                        ->icon('heroicon-o-check-badge')
-                        ->color('primary')
-                        ->requiresConfirmation()
-                        ->visible(fn (Tenant $record): bool => $record->isActive())
-                        ->action(function (
-                            Tenant $record,
-                            StartVerification $verification,
-                        ): void {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                abort(403);
-                            }
-
-                            if (! $user->canAccessTenant($record)) {
-                                abort(404);
-                            }
-
-                            $result = $verification->providerConnectionCheckForTenant(
-                                tenant: $record,
-                                initiator: $user,
-                                extraContext: [
-                                    'surface' => [
-                                        'kind' => 'tenant_view_header',
-                                    ],
-                                ],
-                            );
-
-                            $runUrl = OperationRunLinks::tenantlessView($result->run);
-
-                            if ($result->status === 'scope_busy') {
-                                OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                                Notification::make()
-                                    ->title('Another operation is already running')
-                                    ->body('Please wait for the active run to finish.')
-                                    ->warning()
-                                    ->actions([
-                                        Actions\Action::make('view_run')
-                                            ->label('View run')
-                                            ->url($runUrl),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            if ($result->status === 'deduped') {
-                                OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                                OperationUxPresenter::alreadyQueuedToast((string) $result->run->type)
-                                    ->actions([
-                                        Actions\Action::make('view_run')
-                                            ->label('View run')
-                                            ->url($runUrl),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            if ($result->status === 'blocked') {
-                                $reasonCode = is_string($result->run->context['reason_code'] ?? null)
-                                    ? (string) $result->run->context['reason_code']
-                                    : 'unknown_error';
-
-                                $actions = [
-                                    Actions\Action::make('view_run')
-                                        ->label('View run')
-                                        ->url($runUrl),
-                                ];
-
-                                $nextSteps = $result->run->context['next_steps'] ?? [];
-                                $nextSteps = is_array($nextSteps) ? $nextSteps : [];
-
-                                foreach ($nextSteps as $index => $step) {
-                                    if (! is_array($step)) {
-                                        continue;
-                                    }
-
-                                    $label = is_string($step['label'] ?? null) ? trim((string) $step['label']) : '';
-                                    $url = is_string($step['url'] ?? null) ? trim((string) $step['url']) : '';
-
-                                    if ($label === '' || $url === '') {
-                                        continue;
-                                    }
-
-                                    $actions[] = Actions\Action::make('next_step_'.$index)
-                                        ->label($label)
-                                        ->url($url);
-
-                                    break;
-                                }
-
-                                Notification::make()
-                                    ->title('Verification blocked')
-                                    ->body("Blocked by provider configuration ({$reasonCode}).")
-                                    ->warning()
-                                    ->actions($actions)
-                                    ->send();
-
-                                return;
-                            }
-
-                            OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                            OperationUxPresenter::queuedToast((string) $result->run->type)
-                                ->actions([
-                                    Actions\Action::make('view_run')
-                                        ->label('View run')
-                                        ->url($runUrl),
-                                ])
-                                ->send();
-                        }),
-                )
-                    ->preserveVisibility()
-                    ->requireCapability(Capabilities::PROVIDER_RUN)
-                    ->apply(),
-                TenantResource::rbacAction(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('refresh_rbac')
-                        ->label('Refresh RBAC status')
-                        ->icon('heroicon-o-arrow-path')
-                        ->color('primary')
-                        ->requiresConfirmation()
-                        ->visible(fn (Tenant $record): bool => $record->isActive())
-                        ->action(function (Tenant $record): void {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                abort(403);
-                            }
-
-                            if (! $user->canAccessTenant($record)) {
-                                abort(404);
-                            }
-
-                            /** @var OperationRunService $runs */
-                            $runs = app(OperationRunService::class);
-
-                            $opRun = $runs->ensureRun(
-                                tenant: $record,
-                                type: OperationRunType::RbacHealthCheck->value,
-                                inputs: [
-                                    'tenant_id' => (int) $record->getKey(),
-                                    'surface' => 'tenant_view_header',
-                                ],
-                                initiator: $user,
-                            );
-
-                            $runUrl = OperationRunLinks::tenantlessView($opRun);
-
-                            if ($opRun->wasRecentlyCreated === false) {
-                                OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                                OperationUxPresenter::alreadyQueuedToast((string) $opRun->type)
-                                    ->actions([
-                                        Actions\Action::make('view_run')
-                                            ->label('View run')
-                                            ->url($runUrl),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            RefreshTenantRbacHealthJob::dispatch(
-                                (int) $record->getKey(),
-                                (int) $user->getKey(),
-                                $opRun,
-                            );
-
-                            OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                            OperationUxPresenter::queuedToast((string) $opRun->type)
-                                ->actions([
-                                    Actions\Action::make('view_run')
-                                        ->label('View run')
-                                        ->url($runUrl),
-                                ])
-                                ->send();
-                        }),
-                )
-                    ->preserveVisibility()
-                    ->requireCapability(Capabilities::PROVIDER_RUN)
-                    ->apply(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('archive')
-                        ->label('Deactivate')
-                        ->color('danger')
-                        ->icon('heroicon-o-archive-box-x-mark')
-                        ->visible(fn (Tenant $record): bool => ! $record->trashed())
-                        ->action(function (Tenant $record, AuditLogger $auditLogger): void {
-                            $record->delete();
-
-                            $auditLogger->log(
-                                tenant: $record,
-                                action: 'tenant.archived',
-                                resourceType: 'tenant',
-                                resourceId: (string) $record->getKey(),
-                                status: 'success',
-                                context: [
-                                    'metadata' => [
-                                        'internal_tenant_id' => (int) $record->getKey(),
-                                        'tenant_guid' => (string) $record->tenant_id,
-                                    ],
-                                ]
-                            );
-
-                            Notification::make()
-                                ->title('Tenant deactivated')
-                                ->body('The tenant has been archived and hidden from lists.')
-                                ->success()
-                                ->send();
-                        })
-                )
-                    ->preserveVisibility()
-                    ->requireCapability(Capabilities::TENANT_DELETE)
-                    ->destructive()
-                    ->apply(),
-            ])
-                ->label('Actions')
-                ->icon('heroicon-o-ellipsis-vertical')
-                ->color('gray'),
-        ];
-    }
-}

app/Filament/Resources/Workspaces/Pages/ListWorkspaces.php

@@ -1,48 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\Workspaces\Pages;
-
-use App\Filament\Resources\Workspaces\WorkspaceResource;
-use Filament\Actions;
-use Filament\Resources\Pages\ListRecords;
-
-class ListWorkspaces extends ListRecords
-{
-    protected static string $resource = WorkspaceResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [$this->makeHeaderCreateAction()];
-    }
-
-    protected function getTableEmptyStateActions(): array
-    {
-        return [$this->makeEmptyStateCreateAction()];
-    }
-
-    private function tableHasRecords(): bool
-    {
-        return $this->getTableRecords()->count() > 0;
-    }
-
-    private function makeHeaderCreateAction(): Actions\CreateAction
-    {
-        return $this->makeCreateAction()
-            ->visible(fn (): bool => $this->tableHasRecords());
-    }
-
-    private function makeEmptyStateCreateAction(): Actions\CreateAction
-    {
-        return $this->makeCreateAction();
-    }
-
-    private function makeCreateAction(): Actions\CreateAction
-    {
-        return Actions\CreateAction::make()
-            ->label('New workspace')
-            ->disabled(fn (): bool => ! WorkspaceResource::canCreate())
-            ->tooltip(fn (): ?string => WorkspaceResource::canCreate()
-                ? null
-                : 'You do not have permission to create workspaces.');
-    }
-}

app/Filament/Support/VerificationReportViewer.php

@@ -1,92 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Support;
-
-use App\Models\OperationRun;
-use App\Support\Verification\VerificationReportFingerprint;
-use App\Support\Verification\VerificationReportSanitizer;
-use App\Support\Verification\VerificationReportSchema;
-
-final class VerificationReportViewer
-{
-    /**
-     * @return array<string, mixed>|null
-     */
-    public static function report(OperationRun $run): ?array
-    {
-        $context = is_array($run->context) ? $run->context : [];
-        $report = $context['verification_report'] ?? null;
-
-        if (! is_array($report)) {
-            return null;
-        }
-
-        $report = VerificationReportSanitizer::sanitizeReport($report);
-
-        if (! VerificationReportSchema::isValidReport($report)) {
-            return null;
-        }
-
-        return $report;
-    }
-
-    public static function previousReportId(array $report): ?int
-    {
-        $previousReportId = $report['previous_report_id'] ?? null;
-
-        if (is_int($previousReportId) && $previousReportId > 0) {
-            return $previousReportId;
-        }
-
-        if (is_string($previousReportId) && ctype_digit(trim($previousReportId))) {
-            return (int) trim($previousReportId);
-        }
-
-        return null;
-    }
-
-    public static function fingerprint(array $report): ?string
-    {
-        $fingerprint = $report['fingerprint'] ?? null;
-
-        if (is_string($fingerprint)) {
-            $fingerprint = strtolower(trim($fingerprint));
-
-            if (preg_match('/^[a-f0-9]{64}$/', $fingerprint)) {
-                return $fingerprint;
-            }
-        }
-
-        return VerificationReportFingerprint::forReport($report);
-    }
-
-    public static function previousRun(OperationRun $run, array $report): ?OperationRun
-    {
-        $previousReportId = self::previousReportId($report);
-
-        if ($previousReportId === null) {
-            return null;
-        }
-
-        $previous = OperationRun::query()
-            ->whereKey($previousReportId)
-            ->where('tenant_id', (int) $run->tenant_id)
-            ->where('workspace_id', (int) $run->workspace_id)
-            ->first();
-
-        return $previous instanceof OperationRun ? $previous : null;
-    }
-
-    public static function shouldRenderForRun(OperationRun $run): bool
-    {
-        $context = is_array($run->context) ? $run->context : [];
-
-        if (array_key_exists('verification_report', $context)) {
-            return true;
-        }
-
-        return in_array((string) $run->type, ['provider.connection.check'], true);
-    }
-}

app/Filament/Widgets/Dashboard/BaselineCompareNow.php

@@ -1,91 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Widgets\Dashboard;
-
-use App\Models\BaselineTenantAssignment;
-use App\Models\Finding;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use Filament\Facades\Filament;
-use Filament\Widgets\Widget;
-
-class BaselineCompareNow extends Widget
-{
-    protected static bool $isLazy = false;
-
-    protected string $view = 'filament.widgets.dashboard.baseline-compare-now';
-
-    /**
-     * @return array<string, mixed>
-     */
-    protected function getViewData(): array
-    {
-        $tenant = Filament::getTenant();
-
-        $empty = [
-            'hasAssignment' => false,
-            'profileName' => null,
-            'findingsCount' => 0,
-            'highCount' => 0,
-            'mediumCount' => 0,
-            'lowCount' => 0,
-            'lastComparedAt' => null,
-            'landingUrl' => null,
-        ];
-
-        if (! $tenant instanceof Tenant) {
-            return $empty;
-        }
-
-        $assignment = BaselineTenantAssignment::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->with('baselineProfile')
-            ->first();
-
-        if (! $assignment instanceof BaselineTenantAssignment || $assignment->baselineProfile === null) {
-            return $empty;
-        }
-
-        $profile = $assignment->baselineProfile;
-        $scopeKey = 'baseline_profile:'.$profile->getKey();
-
-        $findingsQuery = Finding::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
-            ->where('source', 'baseline.compare')
-            ->where('scope_key', $scopeKey)
-            ->where('status', Finding::STATUS_NEW);
-
-        $findingsCount = (int) (clone $findingsQuery)->count();
-        $highCount = (int) (clone $findingsQuery)
-            ->where('severity', Finding::SEVERITY_HIGH)
-            ->count();
-        $mediumCount = (int) (clone $findingsQuery)
-            ->where('severity', Finding::SEVERITY_MEDIUM)
-            ->count();
-        $lowCount = (int) (clone $findingsQuery)
-            ->where('severity', Finding::SEVERITY_LOW)
-            ->count();
-
-        $latestRun = OperationRun::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->where('type', 'baseline_compare')
-            ->where('context->baseline_profile_id', (string) $profile->getKey())
-            ->whereNotNull('completed_at')
-            ->latest('completed_at')
-            ->first();
-
-        return [
-            'hasAssignment' => true,
-            'profileName' => (string) $profile->name,
-            'findingsCount' => $findingsCount,
-            'highCount' => $highCount,
-            'mediumCount' => $mediumCount,
-            'lowCount' => $lowCount,
-            'lastComparedAt' => $latestRun?->finished_at?->diffForHumans(),
-            'landingUrl' => \App\Filament\Pages\BaselineCompareLanding::getUrl(tenant: $tenant),
-        ];
-    }
-}

app/Filament/Widgets/Dashboard/DashboardKpis.php

@@ -1,89 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Widgets\Dashboard;
-
-use App\Filament\Resources\FindingResource;
-use App\Models\Finding;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Support\OpsUx\ActiveRuns;
-use Filament\Facades\Filament;
-use Filament\Widgets\StatsOverviewWidget;
-use Filament\Widgets\StatsOverviewWidget\Stat;
-
-class DashboardKpis extends StatsOverviewWidget
-{
-    protected static bool $isLazy = false;
-
-    protected int|string|array $columnSpan = 'full';
-
-    protected function getPollingInterval(): ?string
-    {
-        $tenant = Filament::getTenant();
-
-        if (! $tenant instanceof Tenant) {
-            return null;
-        }
-
-        return ActiveRuns::existForTenant($tenant) ? '10s' : null;
-    }
-
-    /**
-     * @return array<Stat>
-     */
-    protected function getStats(): array
-    {
-        $tenant = Filament::getTenant();
-
-        if (! $tenant instanceof Tenant) {
-            return [
-                Stat::make('Open drift findings', 0),
-                Stat::make('High severity drift', 0),
-                Stat::make('Active operations', 0),
-                Stat::make('Inventory active', 0),
-            ];
-        }
-
-        $tenantId = (int) $tenant->getKey();
-
-        $openDriftFindings = (int) Finding::query()
-            ->where('tenant_id', $tenantId)
-            ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
-            ->where('status', Finding::STATUS_NEW)
-            ->count();
-
-        $highSeverityDriftFindings = (int) Finding::query()
-            ->where('tenant_id', $tenantId)
-            ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
-            ->where('status', Finding::STATUS_NEW)
-            ->where('severity', Finding::SEVERITY_HIGH)
-            ->count();
-
-        $activeRuns = (int) OperationRun::query()
-            ->where('tenant_id', $tenantId)
-            ->active()
-            ->count();
-
-        $inventoryActiveRuns = (int) OperationRun::query()
-            ->where('tenant_id', $tenantId)
-            ->where('type', 'inventory_sync')
-            ->active()
-            ->count();
-
-        return [
-            Stat::make('Open drift findings', $openDriftFindings)
-                ->url(FindingResource::getUrl('index', tenant: $tenant)),
-            Stat::make('High severity drift', $highSeverityDriftFindings)
-                ->color($highSeverityDriftFindings > 0 ? 'danger' : 'gray')
-                ->url(FindingResource::getUrl('index', tenant: $tenant)),
-            Stat::make('Active operations', $activeRuns)
-                ->color($activeRuns > 0 ? 'warning' : 'gray')
-                ->url(route('admin.operations.index')),
-            Stat::make('Inventory active', $inventoryActiveRuns)
-                ->color($inventoryActiveRuns > 0 ? 'warning' : 'gray')
-                ->url(route('admin.operations.index')),
-        ];
-    }
-}

app/Filament/Widgets/Dashboard/NeedsAttention.php

@@ -1,158 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Widgets\Dashboard;
-
-use App\Filament\Pages\DriftLanding;
-use App\Filament\Resources\FindingResource;
-use App\Models\Finding;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Support\OperationRunLinks;
-use App\Support\OpsUx\ActiveRuns;
-use Filament\Facades\Filament;
-use Filament\Widgets\Widget;
-
-class NeedsAttention extends Widget
-{
-    protected static bool $isLazy = false;
-
-    protected string $view = 'filament.widgets.dashboard.needs-attention';
-
-    /**
-     * @return array<string, mixed>
-     */
-    protected function getViewData(): array
-    {
-        $tenant = Filament::getTenant();
-
-        if (! $tenant instanceof Tenant) {
-            return [
-                'pollingInterval' => null,
-                'items' => [],
-                'healthyChecks' => [],
-            ];
-        }
-
-        $tenantId = (int) $tenant->getKey();
-
-        $items = [];
-
-        $highSeverityCount = (int) Finding::query()
-            ->where('tenant_id', $tenantId)
-            ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
-            ->where('status', Finding::STATUS_NEW)
-            ->where('severity', Finding::SEVERITY_HIGH)
-            ->count();
-
-        if ($highSeverityCount > 0) {
-            $items[] = [
-                'title' => 'High severity drift findings',
-                'body' => "{$highSeverityCount} finding(s) need review.",
-                'url' => FindingResource::getUrl('index', tenant: $tenant),
-                'badge' => 'Drift',
-                'badgeColor' => 'danger',
-            ];
-        }
-
-        $latestDriftSuccess = OperationRun::query()
-            ->where('tenant_id', $tenantId)
-            ->where('type', 'drift_generate_findings')
-            ->where('status', 'completed')
-            ->where('outcome', 'succeeded')
-            ->whereNotNull('completed_at')
-            ->latest('completed_at')
-            ->first();
-
-        if (! $latestDriftSuccess) {
-            $items[] = [
-                'title' => 'No drift scan yet',
-                'body' => 'Generate drift after you have at least two successful inventory runs.',
-                'url' => DriftLanding::getUrl(tenant: $tenant),
-                'badge' => 'Drift',
-                'badgeColor' => 'warning',
-            ];
-        } else {
-            $isStale = $latestDriftSuccess->completed_at?->lt(now()->subDays(7)) ?? true;
-
-            if ($isStale) {
-                $items[] = [
-                    'title' => 'Drift stale',
-                    'body' => 'Last drift scan is older than 7 days.',
-                    'url' => DriftLanding::getUrl(tenant: $tenant),
-                    'badge' => 'Drift',
-                    'badgeColor' => 'warning',
-                ];
-            }
-        }
-
-        $latestDriftFailure = OperationRun::query()
-            ->where('tenant_id', $tenantId)
-            ->where('type', 'drift_generate_findings')
-            ->where('status', 'completed')
-            ->where('outcome', 'failed')
-            ->latest('id')
-            ->first();
-
-        if ($latestDriftFailure instanceof OperationRun) {
-            $items[] = [
-                'title' => 'Drift generation failed',
-                'body' => 'Investigate the latest failed run.',
-                'url' => OperationRunLinks::view($latestDriftFailure, $tenant),
-                'badge' => 'Operations',
-                'badgeColor' => 'danger',
-            ];
-        }
-
-        $activeRuns = (int) OperationRun::query()
-            ->where('tenant_id', $tenantId)
-            ->active()
-            ->count();
-
-        if ($activeRuns > 0) {
-            $items[] = [
-                'title' => 'Operations in progress',
-                'body' => "{$activeRuns} run(s) are active.",
-                'url' => OperationRunLinks::index($tenant),
-                'badge' => 'Operations',
-                'badgeColor' => 'warning',
-            ];
-        }
-
-        $items = array_slice($items, 0, 5);
-
-        $healthyChecks = [];
-
-        if ($items === []) {
-            $healthyChecks = [
-                [
-                    'title' => 'Drift findings look healthy',
-                    'body' => 'No high severity drift findings are open.',
-                    'url' => FindingResource::getUrl('index', tenant: $tenant),
-                    'linkLabel' => 'View findings',
-                ],
-                [
-                    'title' => 'Drift scans are up to date',
-                    'body' => $latestDriftSuccess?->completed_at
-                        ? 'Last drift scan: '.$latestDriftSuccess->completed_at->diffForHumans(['short' => true]).'.'
-                        : 'Drift scan history is available in Drift.',
-                    'url' => DriftLanding::getUrl(tenant: $tenant),
-                    'linkLabel' => 'Open Drift',
-                ],
-                [
-                    'title' => 'No active operations',
-                    'body' => 'Nothing is currently running for this tenant.',
-                    'url' => OperationRunLinks::index($tenant),
-                    'linkLabel' => 'View operations',
-                ],
-            ];
-        }
-
-        return [
-            'pollingInterval' => ActiveRuns::existForTenant($tenant) ? '10s' : null,
-            'items' => $items,
-            'healthyChecks' => $healthyChecks,
-        ];
-    }
-}

app/Filament/Widgets/Dashboard/RecentOperations.php

@@ -1,81 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Widgets\Dashboard;
-
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Support\Badges\BadgeDomain;
-use App\Support\Badges\BadgeRenderer;
-use App\Support\OperationCatalog;
-use App\Support\OperationRunLinks;
-use App\Support\OpsUx\ActiveRuns;
-use Filament\Facades\Filament;
-use Filament\Tables\Columns\TextColumn;
-use Filament\Tables\Table;
-use Filament\Widgets\TableWidget;
-use Illuminate\Database\Eloquent\Builder;
-
-class RecentOperations extends TableWidget
-{
-    protected static bool $isLazy = false;
-
-    protected int|string|array $columnSpan = 'full';
-
-    public function table(Table $table): Table
-    {
-        $tenant = Filament::getTenant();
-
-        return $table
-            ->heading('Recent Operations')
-            ->query($this->getQuery())
-            ->poll(fn (): ?string => ($tenant instanceof Tenant) && ActiveRuns::existForTenant($tenant) ? '10s' : null)
-            ->paginated([10])
-            ->columns([
-                TextColumn::make('short_id')
-                    ->label('Run')
-                    ->state(fn (OperationRun $record): string => '#'.$record->getKey())
-                    ->copyable()
-                    ->copyableState(fn (OperationRun $record): string => (string) $record->getKey()),
-                TextColumn::make('type')
-                    ->label('Operation')
-                    ->formatStateUsing(fn (?string $state): string => OperationCatalog::label((string) $state))
-                    ->limit(40)
-                    ->tooltip(fn (OperationRun $record): string => OperationCatalog::label((string) $record->type)),
-                TextColumn::make('status')
-                    ->badge()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunStatus))
-                    ->color(BadgeRenderer::color(BadgeDomain::OperationRunStatus))
-                    ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunStatus))
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunStatus)),
-                TextColumn::make('outcome')
-                    ->badge()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunOutcome))
-                    ->color(BadgeRenderer::color(BadgeDomain::OperationRunOutcome))
-                    ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunOutcome))
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunOutcome)),
-                TextColumn::make('created_at')
-                    ->label('Started')
-                    ->since(),
-            ])
-            ->recordUrl(fn (OperationRun $record): ?string => $tenant instanceof Tenant
-                ? OperationRunLinks::view($record, $tenant)
-                : null)
-            ->emptyStateHeading('No operations yet')
-            ->emptyStateDescription('Once you run inventory sync, drift generation, or restores, they\'ll show up here.');
-    }
-
-    /**
-     * @return Builder<OperationRun>
-     */
-    private function getQuery(): Builder
-    {
-        $tenant = Filament::getTenant();
-        $tenantId = $tenant instanceof Tenant ? $tenant->getKey() : null;
-
-        return OperationRun::query()
-            ->when($tenantId, fn (Builder $query) => $query->where('tenant_id', $tenantId))
-            ->latest('created_at');
-    }
-}

app/Filament/Widgets/Inventory/InventoryKpiHeader.php

@@ -1,166 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Widgets\Inventory;
-
-use App\Models\InventoryItem;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Services\Inventory\CoverageCapabilitiesResolver;
-use App\Support\Badges\BadgeDomain;
-use App\Support\Badges\BadgeRenderer;
-use App\Support\Inventory\InventoryKpiBadges;
-use App\Support\Inventory\InventoryPolicyTypeMeta;
-use App\Support\OperationRunOutcome;
-use App\Support\OperationRunStatus;
-use Filament\Facades\Filament;
-use Filament\Widgets\StatsOverviewWidget;
-use Filament\Widgets\StatsOverviewWidget\Stat;
-use Illuminate\Support\Facades\Blade;
-use Illuminate\Support\HtmlString;
-
-class InventoryKpiHeader extends StatsOverviewWidget
-{
-    protected static bool $isLazy = false;
-
-    protected int|string|array $columnSpan = 'full';
-
-    /**
-     * Inventory KPI aggregation source-of-truth:
-     * - `inventory_items.policy_type`
-     * - `config('tenantpilot.supported_policy_types')` + `config('tenantpilot.foundation_types')` meta (`restore`, `risk`)
-     * - dependency capability via `CoverageCapabilitiesResolver`
-     *
-     * @return array<Stat>
-     */
-    protected function getStats(): array
-    {
-        $tenant = Filament::getTenant();
-
-        if (! $tenant instanceof Tenant) {
-            return [
-                Stat::make('Total items', 0),
-                Stat::make('Coverage', '0%')->description('Restorable 0 • Partial 0'),
-                Stat::make('Last inventory sync', '—'),
-                Stat::make('Active ops', 0),
-                Stat::make('Inventory ops', 0)->description('Dependencies 0 • Risk 0'),
-            ];
-        }
-
-        $tenantId = (int) $tenant->getKey();
-
-        /** @var array<string, int> $countsByPolicyType */
-        $countsByPolicyType = InventoryItem::query()
-            ->where('tenant_id', $tenantId)
-            ->selectRaw('policy_type, COUNT(*) as aggregate')
-            ->groupBy('policy_type')
-            ->pluck('aggregate', 'policy_type')
-            ->map(fn ($value): int => (int) $value)
-            ->all();
-
-        $totalItems = array_sum($countsByPolicyType);
-
-        $restorableItems = 0;
-        $partialItems = 0;
-        $riskItems = 0;
-
-        foreach ($countsByPolicyType as $policyType => $count) {
-            if (InventoryPolicyTypeMeta::isRestorable($policyType)) {
-                $restorableItems += $count;
-            } elseif (InventoryPolicyTypeMeta::isPartial($policyType)) {
-                $partialItems += $count;
-            }
-
-            if (InventoryPolicyTypeMeta::isHighRisk($policyType)) {
-                $riskItems += $count;
-            }
-        }
-
-        $coveragePercent = $totalItems > 0
-            ? (int) round(($restorableItems / $totalItems) * 100)
-            : 0;
-
-        $lastRun = OperationRun::query()
-            ->where('tenant_id', $tenantId)
-            ->where('type', 'inventory_sync')
-            ->where('status', OperationRunStatus::Completed->value)
-            ->whereNotNull('completed_at')
-            ->latest('completed_at')
-            ->latest('id')
-            ->first();
-
-        $lastInventorySyncTimeLabel = '—';
-        $lastInventorySyncStatusLabel = '—';
-        $lastInventorySyncStatusColor = 'gray';
-        $lastInventorySyncStatusIcon = 'heroicon-m-clock';
-        $lastInventorySyncViewUrl = null;
-
-        if ($lastRun instanceof OperationRun) {
-            $timestamp = $lastRun->completed_at ?? $lastRun->started_at ?? $lastRun->created_at;
-
-            if ($timestamp) {
-                $lastInventorySyncTimeLabel = $timestamp->diffForHumans(['short' => true]);
-            }
-
-            $outcome = (string) ($lastRun->outcome ?? OperationRunOutcome::Pending->value);
-            $badge = BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, $outcome);
-            $lastInventorySyncStatusLabel = $badge->label;
-            $lastInventorySyncStatusColor = $badge->color;
-            $lastInventorySyncStatusIcon = (string) ($badge->icon ?? 'heroicon-m-clock');
-
-            $lastInventorySyncViewUrl = route('admin.operations.view', ['run' => (int) $lastRun->getKey()]);
-        }
-
-        $badgeColor = $lastInventorySyncStatusColor;
-
-        $lastInventorySyncDescription = Blade::render(<<<'BLADE'
-            <div class="flex items-center gap-2">
-                <x-filament::badge :color="$badgeColor" size="sm">
-                    {{ $statusLabel }}
-                </x-filament::badge>
-
-                @if ($viewUrl)
-                    <x-filament::link :href="$viewUrl" size="sm">
-                        View run
-                    </x-filament::link>
-                @endif
-            </div>
-            BLADE, [
-            'badgeColor' => $badgeColor,
-            'statusLabel' => $lastInventorySyncStatusLabel,
-            'viewUrl' => $lastInventorySyncViewUrl,
-        ]);
-
-        $activeOps = (int) OperationRun::query()
-            ->where('tenant_id', $tenantId)
-            ->active()
-            ->count();
-
-        $inventoryOps = (int) OperationRun::query()
-            ->where('tenant_id', $tenantId)
-            ->where('type', 'inventory_sync')
-            ->active()
-            ->count();
-
-        $resolver = app(CoverageCapabilitiesResolver::class);
-
-        $dependenciesItems = 0;
-        foreach ($countsByPolicyType as $policyType => $count) {
-            if ($policyType !== '' && $resolver->supportsDependencies($policyType)) {
-                $dependenciesItems += $count;
-            }
-        }
-
-        return [
-            Stat::make('Total items', $totalItems),
-            Stat::make('Coverage', $coveragePercent.'%')
-                ->description(new HtmlString(InventoryKpiBadges::coverage($restorableItems, $partialItems))),
-            Stat::make('Last inventory sync', $lastInventorySyncTimeLabel)
-                ->description(new HtmlString($lastInventorySyncDescription)),
-            Stat::make('Active ops', $activeOps),
-            Stat::make('Inventory ops', $inventoryOps)
-                ->description(new HtmlString(InventoryKpiBadges::inventoryOps($dependenciesItems, $riskItems))),
-        ];
-    }
-}

app/Http/Controllers/ClearTenantContextController.php

@@ -1,30 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Http\Controllers;
-
-use App\Support\Workspaces\WorkspaceContext;
-use Filament\Facades\Filament;
-use Illuminate\Http\RedirectResponse;
-use Illuminate\Http\Request;
-
-final class ClearTenantContextController
-{
-    public function __invoke(Request $request): RedirectResponse
-    {
-        Filament::setTenant(null, true);
-
-        app(WorkspaceContext::class)->clearLastTenantId($request);
-
-        $previousUrl = url()->previous();
-
-        $previousHost = parse_url((string) $previousUrl, PHP_URL_HOST);
-
-        if ($previousHost !== null && $previousHost !== $request->getHost()) {
-            return redirect()->to('/admin/operations');
-        }
-
-        return redirect()->to((string) $previousUrl);
-    }
-}

app/Http/Controllers/TenantOnboardingController.php

@@ -1,39 +0,0 @@
-<?php
-
-namespace App\Http\Controllers;
-
-use App\Support\Workspaces\WorkspaceContext;
-use Illuminate\Http\RedirectResponse;
-use Illuminate\Http\Request;
-use Illuminate\Support\Str;
-
-class TenantOnboardingController extends Controller
-{
-    public function __invoke(Request $request): RedirectResponse
-    {
-        $clientId = config('graph.client_id');
-        $redirectUri = route('admin.consent.callback');
-        $targetTenant = $request->string('tenant')->toString() ?: config('graph.tenant_id', 'organizations');
-        $tenantSegment = $targetTenant ?: 'organizations';
-
-        abort_if(empty($clientId) || empty($redirectUri), 500, 'Graph client not configured');
-
-        $state = Str::uuid()->toString();
-        $request->session()->put('tenant_onboard_state', $state);
-
-        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId($request);
-
-        if ($workspaceId !== null) {
-            $request->session()->put('tenant_onboard_workspace_id', (int) $workspaceId);
-        }
-
-        $url = "https://login.microsoftonline.com/{$tenantSegment}/v2.0/adminconsent?".http_build_query([
-            'client_id' => $clientId,
-            'redirect_uri' => $redirectUri,
-            'scope' => 'https://graph.microsoft.com/.default',
-            'state' => $state,
-        ]);
-
-        return redirect()->away($url);
-    }
-}

app/Jobs/CaptureBaselineSnapshotJob.php

@@ -1,285 +0,0 @@
-<?php
-
-namespace App\Jobs;
-
-use App\Jobs\Middleware\TrackOperationRun;
-use App\Models\BaselineProfile;
-use App\Models\BaselineSnapshot;
-use App\Models\BaselineSnapshotItem;
-use App\Models\InventoryItem;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\Baselines\BaselineSnapshotIdentity;
-use App\Services\Intune\AuditLogger;
-use App\Services\OperationRunService;
-use App\Support\Baselines\BaselineScope;
-use App\Support\OperationRunOutcome;
-use App\Support\OperationRunStatus;
-use Illuminate\Bus\Queueable;
-use Illuminate\Contracts\Queue\ShouldQueue;
-use Illuminate\Foundation\Bus\Dispatchable;
-use Illuminate\Queue\InteractsWithQueue;
-use Illuminate\Queue\SerializesModels;
-use RuntimeException;
-
-class CaptureBaselineSnapshotJob implements ShouldQueue
-{
-    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
-
-    public ?OperationRun $operationRun = null;
-
-    public function __construct(
-        public OperationRun $run,
-    ) {
-        $this->operationRun = $run;
-    }
-
-    /**
-     * @return array<int, object>
-     */
-    public function middleware(): array
-    {
-        return [new TrackOperationRun];
-    }
-
-    public function handle(
-        BaselineSnapshotIdentity $identity,
-        AuditLogger $auditLogger,
-        OperationRunService $operationRunService,
-    ): void {
-        if (! $this->operationRun instanceof OperationRun) {
-            $this->fail(new RuntimeException('OperationRun context is required for CaptureBaselineSnapshotJob.'));
-
-            return;
-        }
-
-        $context = is_array($this->operationRun->context) ? $this->operationRun->context : [];
-        $profileId = (int) ($context['baseline_profile_id'] ?? 0);
-        $sourceTenantId = (int) ($context['source_tenant_id'] ?? 0);
-
-        $profile = BaselineProfile::query()->find($profileId);
-
-        if (! $profile instanceof BaselineProfile) {
-            throw new RuntimeException("BaselineProfile #{$profileId} not found.");
-        }
-
-        $sourceTenant = Tenant::query()->find($sourceTenantId);
-
-        if (! $sourceTenant instanceof Tenant) {
-            throw new RuntimeException("Source Tenant #{$sourceTenantId} not found.");
-        }
-
-        $initiator = $this->operationRun->user_id
-            ? User::query()->find($this->operationRun->user_id)
-            : null;
-
-        $effectiveScope = BaselineScope::fromJsonb($context['effective_scope'] ?? null);
-
-        $this->auditStarted($auditLogger, $sourceTenant, $profile, $initiator);
-
-        $snapshotItems = $this->collectSnapshotItems($sourceTenant, $effectiveScope, $identity);
-
-        $identityHash = $identity->computeIdentity($snapshotItems);
-
-        $snapshot = $this->findOrCreateSnapshot(
-            $profile,
-            $identityHash,
-            $snapshotItems,
-        );
-
-        $wasNewSnapshot = $snapshot->wasRecentlyCreated;
-
-        if ($profile->status === BaselineProfile::STATUS_ACTIVE) {
-            $profile->update(['active_snapshot_id' => $snapshot->getKey()]);
-        }
-
-        $summaryCounts = [
-            'total' => count($snapshotItems),
-            'processed' => count($snapshotItems),
-            'succeeded' => count($snapshotItems),
-            'failed' => 0,
-        ];
-
-        $operationRunService->updateRun(
-            $this->operationRun,
-            status: OperationRunStatus::Completed->value,
-            outcome: OperationRunOutcome::Succeeded->value,
-            summaryCounts: $summaryCounts,
-        );
-
-        $updatedContext = is_array($this->operationRun->context) ? $this->operationRun->context : [];
-        $updatedContext['result'] = [
-            'snapshot_id' => (int) $snapshot->getKey(),
-            'snapshot_identity_hash' => $identityHash,
-            'was_new_snapshot' => $wasNewSnapshot,
-            'items_captured' => count($snapshotItems),
-        ];
-        $this->operationRun->update(['context' => $updatedContext]);
-
-        $this->auditCompleted($auditLogger, $sourceTenant, $profile, $snapshot, $initiator, $snapshotItems);
-    }
-
-    /**
-     * @return array<int, array{subject_type: string, subject_external_id: string, policy_type: string, baseline_hash: string, meta_jsonb: array<string, mixed>}>
-     */
-    private function collectSnapshotItems(
-        Tenant $sourceTenant,
-        BaselineScope $scope,
-        BaselineSnapshotIdentity $identity,
-    ): array {
-        $query = InventoryItem::query()
-            ->where('tenant_id', $sourceTenant->getKey());
-
-        if (! $scope->isEmpty()) {
-            $query->whereIn('policy_type', $scope->policyTypes);
-        }
-
-        $items = [];
-
-        $query->orderBy('policy_type')
-            ->orderBy('external_id')
-            ->chunk(500, function ($inventoryItems) use (&$items, $identity): void {
-                foreach ($inventoryItems as $inventoryItem) {
-                    $metaJsonb = is_array($inventoryItem->meta_jsonb) ? $inventoryItem->meta_jsonb : [];
-                    $baselineHash = $identity->hashItemContent($metaJsonb);
-
-                    $items[] = [
-                        'subject_type' => 'policy',
-                        'subject_external_id' => (string) $inventoryItem->external_id,
-                        'policy_type' => (string) $inventoryItem->policy_type,
-                        'baseline_hash' => $baselineHash,
-                        'meta_jsonb' => [
-                            'display_name' => $inventoryItem->display_name,
-                            'category' => $inventoryItem->category,
-                            'platform' => $inventoryItem->platform,
-                        ],
-                    ];
-                }
-            });
-
-        return $items;
-    }
-
-    /**
-     * @param  array<int, array{subject_type: string, subject_external_id: string, policy_type: string, baseline_hash: string, meta_jsonb: array<string, mixed>}>  $snapshotItems
-     */
-    private function findOrCreateSnapshot(
-        BaselineProfile $profile,
-        string $identityHash,
-        array $snapshotItems,
-    ): BaselineSnapshot {
-        $existing = BaselineSnapshot::query()
-            ->where('workspace_id', $profile->workspace_id)
-            ->where('baseline_profile_id', $profile->getKey())
-            ->where('snapshot_identity_hash', $identityHash)
-            ->first();
-
-        if ($existing instanceof BaselineSnapshot) {
-            return $existing;
-        }
-
-        $snapshot = BaselineSnapshot::create([
-            'workspace_id' => (int) $profile->workspace_id,
-            'baseline_profile_id' => (int) $profile->getKey(),
-            'snapshot_identity_hash' => $identityHash,
-            'captured_at' => now(),
-            'summary_jsonb' => [
-                'total_items' => count($snapshotItems),
-                'policy_type_counts' => $this->countByPolicyType($snapshotItems),
-            ],
-        ]);
-
-        foreach (array_chunk($snapshotItems, 100) as $chunk) {
-            $rows = array_map(
-                fn (array $item): array => [
-                    'baseline_snapshot_id' => (int) $snapshot->getKey(),
-                    'subject_type' => $item['subject_type'],
-                    'subject_external_id' => $item['subject_external_id'],
-                    'policy_type' => $item['policy_type'],
-                    'baseline_hash' => $item['baseline_hash'],
-                    'meta_jsonb' => json_encode($item['meta_jsonb']),
-                    'created_at' => now(),
-                    'updated_at' => now(),
-                ],
-                $chunk,
-            );
-
-            BaselineSnapshotItem::insert($rows);
-        }
-
-        return $snapshot;
-    }
-
-    /**
-     * @param  array<int, array{policy_type: string}>  $items
-     * @return array<string, int>
-     */
-    private function countByPolicyType(array $items): array
-    {
-        $counts = [];
-
-        foreach ($items as $item) {
-            $type = (string) $item['policy_type'];
-            $counts[$type] = ($counts[$type] ?? 0) + 1;
-        }
-
-        ksort($counts);
-
-        return $counts;
-    }
-
-    private function auditStarted(
-        AuditLogger $auditLogger,
-        Tenant $tenant,
-        BaselineProfile $profile,
-        ?User $initiator,
-    ): void {
-        $auditLogger->log(
-            tenant: $tenant,
-            action: 'baseline.capture.started',
-            context: [
-                'metadata' => [
-                    'operation_run_id' => (int) $this->operationRun->getKey(),
-                    'baseline_profile_id' => (int) $profile->getKey(),
-                    'baseline_profile_name' => (string) $profile->name,
-                ],
-            ],
-            actorId: $initiator?->id,
-            actorEmail: $initiator?->email,
-            actorName: $initiator?->name,
-            resourceType: 'baseline_profile',
-            resourceId: (string) $profile->getKey(),
-        );
-    }
-
-    private function auditCompleted(
-        AuditLogger $auditLogger,
-        Tenant $tenant,
-        BaselineProfile $profile,
-        BaselineSnapshot $snapshot,
-        ?User $initiator,
-        array $snapshotItems,
-    ): void {
-        $auditLogger->log(
-            tenant: $tenant,
-            action: 'baseline.capture.completed',
-            context: [
-                'metadata' => [
-                    'operation_run_id' => (int) $this->operationRun->getKey(),
-                    'baseline_profile_id' => (int) $profile->getKey(),
-                    'baseline_profile_name' => (string) $profile->name,
-                    'snapshot_id' => (int) $snapshot->getKey(),
-                    'snapshot_identity_hash' => (string) $snapshot->snapshot_identity_hash,
-                    'items_captured' => count($snapshotItems),
-                    'was_new_snapshot' => $snapshot->wasRecentlyCreated,
-                ],
-            ],
-            actorId: $initiator?->id,
-            actorEmail: $initiator?->email,
-            actorName: $initiator?->name,
-            resourceType: 'operation_run',
-            resourceId: (string) $this->operationRun->getKey(),
-        );
-    }
-}

app/Jobs/CompareBaselineToTenantJob.php

@@ -1,394 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Jobs;
-
-use App\Jobs\Middleware\TrackOperationRun;
-use App\Models\BaselineProfile;
-use App\Models\BaselineSnapshotItem;
-use App\Models\Finding;
-use App\Models\InventoryItem;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\Baselines\BaselineSnapshotIdentity;
-use App\Services\Drift\DriftHasher;
-use App\Services\Intune\AuditLogger;
-use App\Services\OperationRunService;
-use App\Support\Baselines\BaselineScope;
-use App\Support\OperationRunOutcome;
-use App\Support\OperationRunStatus;
-use Illuminate\Bus\Queueable;
-use Illuminate\Contracts\Queue\ShouldQueue;
-use Illuminate\Foundation\Bus\Dispatchable;
-use Illuminate\Queue\InteractsWithQueue;
-use Illuminate\Queue\SerializesModels;
-use RuntimeException;
-
-class CompareBaselineToTenantJob implements ShouldQueue
-{
-    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
-
-    public ?OperationRun $operationRun = null;
-
-    public function __construct(
-        public OperationRun $run,
-    ) {
-        $this->operationRun = $run;
-    }
-
-    /**
-     * @return array<int, object>
-     */
-    public function middleware(): array
-    {
-        return [new TrackOperationRun];
-    }
-
-    public function handle(
-        DriftHasher $driftHasher,
-        BaselineSnapshotIdentity $snapshotIdentity,
-        AuditLogger $auditLogger,
-        OperationRunService $operationRunService,
-    ): void {
-        if (! $this->operationRun instanceof OperationRun) {
-            $this->fail(new RuntimeException('OperationRun context is required for CompareBaselineToTenantJob.'));
-
-            return;
-        }
-
-        $context = is_array($this->operationRun->context) ? $this->operationRun->context : [];
-        $profileId = (int) ($context['baseline_profile_id'] ?? 0);
-        $snapshotId = (int) ($context['baseline_snapshot_id'] ?? 0);
-
-        $profile = BaselineProfile::query()->find($profileId);
-
-        if (! $profile instanceof BaselineProfile) {
-            throw new RuntimeException("BaselineProfile #{$profileId} not found.");
-        }
-
-        $tenant = Tenant::query()->find($this->operationRun->tenant_id);
-
-        if (! $tenant instanceof Tenant) {
-            throw new RuntimeException("Tenant #{$this->operationRun->tenant_id} not found.");
-        }
-
-        $initiator = $this->operationRun->user_id
-            ? User::query()->find($this->operationRun->user_id)
-            : null;
-
-        $effectiveScope = BaselineScope::fromJsonb($context['effective_scope'] ?? null);
-        $scopeKey = 'baseline_profile:' . $profile->getKey();
-
-        $this->auditStarted($auditLogger, $tenant, $profile, $initiator);
-
-        $baselineItems = $this->loadBaselineItems($snapshotId);
-        $currentItems = $this->loadCurrentInventory($tenant, $effectiveScope, $snapshotIdentity);
-
-        $driftResults = $this->computeDrift($baselineItems, $currentItems);
-
-        $upsertedCount = $this->upsertFindings(
-            $driftHasher,
-            $tenant,
-            $profile,
-            $scopeKey,
-            $driftResults,
-        );
-
-        $severityBreakdown = $this->countBySeverity($driftResults);
-
-        $summaryCounts = [
-            'total' => count($driftResults),
-            'processed' => count($driftResults),
-            'succeeded' => $upsertedCount,
-            'failed' => count($driftResults) - $upsertedCount,
-            'high' => $severityBreakdown[Finding::SEVERITY_HIGH] ?? 0,
-            'medium' => $severityBreakdown[Finding::SEVERITY_MEDIUM] ?? 0,
-            'low' => $severityBreakdown[Finding::SEVERITY_LOW] ?? 0,
-        ];
-
-        $operationRunService->updateRun(
-            $this->operationRun,
-            status: OperationRunStatus::Completed->value,
-            outcome: OperationRunOutcome::Succeeded->value,
-            summaryCounts: $summaryCounts,
-        );
-
-        $updatedContext = is_array($this->operationRun->context) ? $this->operationRun->context : [];
-        $updatedContext['result'] = [
-            'findings_total' => count($driftResults),
-            'findings_upserted' => $upsertedCount,
-            'severity_breakdown' => $severityBreakdown,
-        ];
-        $this->operationRun->update(['context' => $updatedContext]);
-
-        $this->auditCompleted($auditLogger, $tenant, $profile, $initiator, $summaryCounts);
-    }
-
-    /**
-     * Load baseline snapshot items keyed by "policy_type|subject_external_id".
-     *
-     * @return array<string, array{subject_type: string, subject_external_id: string, policy_type: string, baseline_hash: string, meta_jsonb: array<string, mixed>}>
-     */
-    private function loadBaselineItems(int $snapshotId): array
-    {
-        $items = [];
-
-        BaselineSnapshotItem::query()
-            ->where('baseline_snapshot_id', $snapshotId)
-            ->orderBy('id')
-            ->chunk(500, function ($snapshotItems) use (&$items): void {
-                foreach ($snapshotItems as $item) {
-                    $key = $item->policy_type . '|' . $item->subject_external_id;
-                    $items[$key] = [
-                        'subject_type' => (string) $item->subject_type,
-                        'subject_external_id' => (string) $item->subject_external_id,
-                        'policy_type' => (string) $item->policy_type,
-                        'baseline_hash' => (string) $item->baseline_hash,
-                        'meta_jsonb' => is_array($item->meta_jsonb) ? $item->meta_jsonb : [],
-                    ];
-                }
-            });
-
-        return $items;
-    }
-
-    /**
-     * Load current inventory items keyed by "policy_type|external_id".
-     *
-     * @return array<string, array{subject_external_id: string, policy_type: string, current_hash: string, meta_jsonb: array<string, mixed>}>
-     */
-    private function loadCurrentInventory(
-        Tenant $tenant,
-        BaselineScope $scope,
-        BaselineSnapshotIdentity $snapshotIdentity,
-    ): array {
-        $query = InventoryItem::query()
-            ->where('tenant_id', $tenant->getKey());
-
-        if (! $scope->isEmpty()) {
-            $query->whereIn('policy_type', $scope->policyTypes);
-        }
-
-        $items = [];
-
-        $query->orderBy('policy_type')
-            ->orderBy('external_id')
-            ->chunk(500, function ($inventoryItems) use (&$items, $snapshotIdentity): void {
-                foreach ($inventoryItems as $inventoryItem) {
-                    $metaJsonb = is_array($inventoryItem->meta_jsonb) ? $inventoryItem->meta_jsonb : [];
-                    $currentHash = $snapshotIdentity->hashItemContent($metaJsonb);
-
-                    $key = $inventoryItem->policy_type . '|' . $inventoryItem->external_id;
-                    $items[$key] = [
-                        'subject_external_id' => (string) $inventoryItem->external_id,
-                        'policy_type' => (string) $inventoryItem->policy_type,
-                        'current_hash' => $currentHash,
-                        'meta_jsonb' => [
-                            'display_name' => $inventoryItem->display_name,
-                            'category' => $inventoryItem->category,
-                            'platform' => $inventoryItem->platform,
-                        ],
-                    ];
-                }
-            });
-
-        return $items;
-    }
-
-    /**
-     * Compare baseline items vs current inventory and produce drift results.
-     *
-     * @param  array<string, array{subject_type: string, subject_external_id: string, policy_type: string, baseline_hash: string, meta_jsonb: array<string, mixed>}>  $baselineItems
-     * @param  array<string, array{subject_external_id: string, policy_type: string, current_hash: string, meta_jsonb: array<string, mixed>}>  $currentItems
-     * @return array<int, array{change_type: string, severity: string, subject_type: string, subject_external_id: string, policy_type: string, baseline_hash: string, current_hash: string, evidence: array<string, mixed>}>
-     */
-    private function computeDrift(array $baselineItems, array $currentItems): array
-    {
-        $drift = [];
-
-        foreach ($baselineItems as $key => $baselineItem) {
-            if (! array_key_exists($key, $currentItems)) {
-                $drift[] = [
-                    'change_type' => 'missing_policy',
-                    'severity' => Finding::SEVERITY_HIGH,
-                    'subject_type' => $baselineItem['subject_type'],
-                    'subject_external_id' => $baselineItem['subject_external_id'],
-                    'policy_type' => $baselineItem['policy_type'],
-                    'baseline_hash' => $baselineItem['baseline_hash'],
-                    'current_hash' => '',
-                    'evidence' => [
-                        'change_type' => 'missing_policy',
-                        'policy_type' => $baselineItem['policy_type'],
-                        'display_name' => $baselineItem['meta_jsonb']['display_name'] ?? null,
-                    ],
-                ];
-
-                continue;
-            }
-
-            $currentItem = $currentItems[$key];
-
-            if ($baselineItem['baseline_hash'] !== $currentItem['current_hash']) {
-                $drift[] = [
-                    'change_type' => 'different_version',
-                    'severity' => Finding::SEVERITY_MEDIUM,
-                    'subject_type' => $baselineItem['subject_type'],
-                    'subject_external_id' => $baselineItem['subject_external_id'],
-                    'policy_type' => $baselineItem['policy_type'],
-                    'baseline_hash' => $baselineItem['baseline_hash'],
-                    'current_hash' => $currentItem['current_hash'],
-                    'evidence' => [
-                        'change_type' => 'different_version',
-                        'policy_type' => $baselineItem['policy_type'],
-                        'display_name' => $baselineItem['meta_jsonb']['display_name'] ?? null,
-                        'baseline_hash' => $baselineItem['baseline_hash'],
-                        'current_hash' => $currentItem['current_hash'],
-                    ],
-                ];
-            }
-        }
-
-        foreach ($currentItems as $key => $currentItem) {
-            if (! array_key_exists($key, $baselineItems)) {
-                $drift[] = [
-                    'change_type' => 'unexpected_policy',
-                    'severity' => Finding::SEVERITY_LOW,
-                    'subject_type' => 'policy',
-                    'subject_external_id' => $currentItem['subject_external_id'],
-                    'policy_type' => $currentItem['policy_type'],
-                    'baseline_hash' => '',
-                    'current_hash' => $currentItem['current_hash'],
-                    'evidence' => [
-                        'change_type' => 'unexpected_policy',
-                        'policy_type' => $currentItem['policy_type'],
-                        'display_name' => $currentItem['meta_jsonb']['display_name'] ?? null,
-                    ],
-                ];
-            }
-        }
-
-        return $drift;
-    }
-
-    /**
-     * Upsert drift findings using stable fingerprints.
-     *
-     * @param  array<int, array{change_type: string, severity: string, subject_type: string, subject_external_id: string, policy_type: string, baseline_hash: string, current_hash: string, evidence: array<string, mixed>}>  $driftResults
-     */
-    private function upsertFindings(
-        DriftHasher $driftHasher,
-        Tenant $tenant,
-        BaselineProfile $profile,
-        string $scopeKey,
-        array $driftResults,
-    ): int {
-        $upsertedCount = 0;
-        $tenantId = (int) $tenant->getKey();
-
-        foreach ($driftResults as $driftItem) {
-            $fingerprint = $driftHasher->fingerprint(
-                tenantId: $tenantId,
-                scopeKey: $scopeKey,
-                subjectType: $driftItem['subject_type'],
-                subjectExternalId: $driftItem['subject_external_id'],
-                changeType: $driftItem['change_type'],
-                baselineHash: $driftItem['baseline_hash'],
-                currentHash: $driftItem['current_hash'],
-            );
-
-            Finding::query()->updateOrCreate(
-                [
-                    'tenant_id' => $tenantId,
-                    'fingerprint' => $fingerprint,
-                ],
-                [
-                    'finding_type' => Finding::FINDING_TYPE_DRIFT,
-                    'source' => 'baseline.compare',
-                    'scope_key' => $scopeKey,
-                    'subject_type' => $driftItem['subject_type'],
-                    'subject_external_id' => $driftItem['subject_external_id'],
-                    'severity' => $driftItem['severity'],
-                    'status' => Finding::STATUS_NEW,
-                    'evidence_jsonb' => $driftItem['evidence'],
-                    'baseline_operation_run_id' => null,
-                    'current_operation_run_id' => (int) $this->operationRun->getKey(),
-                ],
-            );
-
-            $upsertedCount++;
-        }
-
-        return $upsertedCount;
-    }
-
-    /**
-     * @param  array<int, array{severity: string}>  $driftResults
-     * @return array<string, int>
-     */
-    private function countBySeverity(array $driftResults): array
-    {
-        $counts = [];
-
-        foreach ($driftResults as $item) {
-            $severity = $item['severity'];
-            $counts[$severity] = ($counts[$severity] ?? 0) + 1;
-        }
-
-        return $counts;
-    }
-
-    private function auditStarted(
-        AuditLogger $auditLogger,
-        Tenant $tenant,
-        BaselineProfile $profile,
-        ?User $initiator,
-    ): void {
-        $auditLogger->log(
-            tenant: $tenant,
-            action: 'baseline.compare.started',
-            context: [
-                'metadata' => [
-                    'operation_run_id' => (int) $this->operationRun->getKey(),
-                    'baseline_profile_id' => (int) $profile->getKey(),
-                    'baseline_profile_name' => (string) $profile->name,
-                ],
-            ],
-            actorId: $initiator?->id,
-            actorEmail: $initiator?->email,
-            actorName: $initiator?->name,
-            resourceType: 'baseline_profile',
-            resourceId: (string) $profile->getKey(),
-        );
-    }
-
-    private function auditCompleted(
-        AuditLogger $auditLogger,
-        Tenant $tenant,
-        BaselineProfile $profile,
-        ?User $initiator,
-        array $summaryCounts,
-    ): void {
-        $auditLogger->log(
-            tenant: $tenant,
-            action: 'baseline.compare.completed',
-            context: [
-                'metadata' => [
-                    'operation_run_id' => (int) $this->operationRun->getKey(),
-                    'baseline_profile_id' => (int) $profile->getKey(),
-                    'baseline_profile_name' => (string) $profile->name,
-                    'findings_total' => $summaryCounts['total'] ?? 0,
-                    'high' => $summaryCounts['high'] ?? 0,
-                    'medium' => $summaryCounts['medium'] ?? 0,
-                    'low' => $summaryCounts['low'] ?? 0,
-                ],
-            ],
-            actorId: $initiator?->id,
-            actorEmail: $initiator?->email,
-            actorName: $initiator?->name,
-            resourceType: 'operation_run',
-            resourceId: (string) $this->operationRun->getKey(),
-        );
-    }
-}

app/Jobs/GenerateDriftFindingsJob.php

@@ -1,153 +0,0 @@
-<?php
-
-namespace App\Jobs;
-
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Services\Drift\DriftFindingGenerator;
-use App\Services\OperationRunService;
-use App\Services\Operations\TargetScopeConcurrencyLimiter;
-use Illuminate\Bus\Queueable;
-use Illuminate\Contracts\Queue\ShouldQueue;
-use Illuminate\Foundation\Bus\Dispatchable;
-use Illuminate\Queue\InteractsWithQueue;
-use Illuminate\Queue\SerializesModels;
-use Illuminate\Support\Facades\Log;
-use RuntimeException;
-use Throwable;
-
-class GenerateDriftFindingsJob implements ShouldQueue
-{
-    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
-
-    public ?OperationRun $operationRun = null;
-
-    /**
-     * @param  array<string, mixed>  $context
-     */
-    public function __construct(
-        public int $tenantId,
-        public int $userId,
-        public int $baselineRunId,
-        public int $currentRunId,
-        public string $scopeKey,
-        ?OperationRun $operationRun = null,
-        public array $context = [],
-    ) {
-        $this->operationRun = $operationRun;
-    }
-
-    public function handle(
-        DriftFindingGenerator $generator,
-        OperationRunService $runs,
-        TargetScopeConcurrencyLimiter $limiter,
-    ): void {
-        Log::info('GenerateDriftFindingsJob: started', [
-            'tenant_id' => $this->tenantId,
-            'baseline_operation_run_id' => $this->baselineRunId,
-            'current_operation_run_id' => $this->currentRunId,
-            'scope_key' => $this->scopeKey,
-        ]);
-
-        if (! $this->operationRun instanceof OperationRun) {
-            throw new RuntimeException('OperationRun is required for drift generation.');
-        }
-
-        $this->operationRun->refresh();
-
-        if ($this->operationRun->status === 'completed') {
-            return;
-        }
-
-        $opContext = is_array($this->operationRun->context) ? $this->operationRun->context : [];
-        $targetScope = is_array($opContext['target_scope'] ?? null) ? $opContext['target_scope'] : [];
-
-        $lock = $limiter->acquireSlot($this->tenantId, $targetScope);
-
-        if (! $lock) {
-            $delay = (int) config('tenantpilot.bulk_operations.poll_interval_seconds', 3);
-            $this->release(max(1, $delay));
-
-            return;
-        }
-
-        try {
-            $tenant = Tenant::query()->find($this->tenantId);
-            if (! $tenant instanceof Tenant) {
-                throw new RuntimeException('Tenant not found.');
-            }
-
-            $baseline = OperationRun::query()
-                ->whereKey($this->baselineRunId)
-                ->where('tenant_id', $tenant->getKey())
-                ->where('type', 'inventory_sync')
-                ->first();
-            if (! $baseline instanceof OperationRun) {
-                throw new RuntimeException('Baseline run not found.');
-            }
-
-            $current = OperationRun::query()
-                ->whereKey($this->currentRunId)
-                ->where('tenant_id', $tenant->getKey())
-                ->where('type', 'inventory_sync')
-                ->first();
-            if (! $current instanceof OperationRun) {
-                throw new RuntimeException('Current run not found.');
-            }
-
-            $runs->updateRun($this->operationRun, 'running');
-
-            $counts = is_array($this->operationRun->summary_counts ?? null) ? $this->operationRun->summary_counts : [];
-            if ((int) ($counts['total'] ?? 0) === 0) {
-                $runs->incrementSummaryCounts($this->operationRun, ['total' => 1]);
-            }
-
-            $created = $generator->generate(
-                tenant: $tenant,
-                baseline: $baseline,
-                current: $current,
-                scopeKey: $this->scopeKey,
-            );
-
-            Log::info('GenerateDriftFindingsJob: completed', [
-                'tenant_id' => $this->tenantId,
-                'baseline_operation_run_id' => $this->baselineRunId,
-                'current_operation_run_id' => $this->currentRunId,
-                'scope_key' => $this->scopeKey,
-                'created_findings_count' => $created,
-            ]);
-
-            $runs->incrementSummaryCounts($this->operationRun, [
-                'processed' => 1,
-                'succeeded' => 1,
-                'created' => $created,
-            ]);
-
-            $runs->maybeCompleteBulkRun($this->operationRun);
-        } catch (Throwable $e) {
-            Log::error('GenerateDriftFindingsJob: failed', [
-                'tenant_id' => $this->tenantId,
-                'baseline_operation_run_id' => $this->baselineRunId,
-                'current_operation_run_id' => $this->currentRunId,
-                'scope_key' => $this->scopeKey,
-                'error' => $e->getMessage(),
-            ]);
-
-            $runs->incrementSummaryCounts($this->operationRun, [
-                'processed' => 1,
-                'failed' => 1,
-            ]);
-
-            $runs->appendFailures($this->operationRun, [[
-                'code' => 'drift_generate_findings.failed',
-                'message' => $e->getMessage(),
-            ]]);
-
-            $runs->maybeCompleteBulkRun($this->operationRun);
-
-            throw $e;
-        } finally {
-            $lock->release();
-        }
-    }
-}

app/Jobs/GenerateReviewPackJob.php

@@ -1,392 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Jobs;
-
-use App\Models\Finding;
-use App\Models\OperationRun;
-use App\Models\ReviewPack;
-use App\Models\StoredReport;
-use App\Models\Tenant;
-use App\Services\OperationRunService;
-use App\Services\ReviewPackService;
-use App\Support\OperationRunOutcome;
-use App\Support\OperationRunStatus;
-use App\Support\ReviewPackStatus;
-use Illuminate\Contracts\Queue\ShouldQueue;
-use Illuminate\Foundation\Queue\Queueable;
-use Illuminate\Support\Facades\Log;
-use Illuminate\Support\Facades\Storage;
-use Throwable;
-use ZipArchive;
-
-class GenerateReviewPackJob implements ShouldQueue
-{
-    use Queueable;
-
-    public function __construct(
-        public int $reviewPackId,
-        public int $operationRunId,
-    ) {}
-
-    public function handle(OperationRunService $operationRunService): void
-    {
-        $reviewPack = ReviewPack::query()->find($this->reviewPackId);
-        $operationRun = OperationRun::query()->find($this->operationRunId);
-
-        if (! $reviewPack instanceof ReviewPack || ! $operationRun instanceof OperationRun) {
-            Log::warning('GenerateReviewPackJob: missing records', [
-                'review_pack_id' => $this->reviewPackId,
-                'operation_run_id' => $this->operationRunId,
-            ]);
-
-            return;
-        }
-
-        $tenant = $reviewPack->tenant;
-
-        if (! $tenant instanceof Tenant) {
-            $this->markFailed($reviewPack, $operationRun, $operationRunService, 'tenant_not_found', 'Tenant not found');
-
-            return;
-        }
-
-        // Mark running via OperationRunService (auto-sets started_at)
-        $operationRunService->updateRun($operationRun, OperationRunStatus::Running->value);
-        $reviewPack->update(['status' => ReviewPackStatus::Generating->value]);
-
-        try {
-            $this->executeGeneration($reviewPack, $operationRun, $tenant, $operationRunService);
-        } catch (Throwable $e) {
-            $this->markFailed($reviewPack, $operationRun, $operationRunService, 'generation_error', $e->getMessage());
-
-            throw $e;
-        }
-    }
-
-    private function executeGeneration(ReviewPack $reviewPack, OperationRun $operationRun, Tenant $tenant, OperationRunService $operationRunService): void
-    {
-        $options = $reviewPack->options ?? [];
-        $includePii = (bool) ($options['include_pii'] ?? true);
-        $includeOperations = (bool) ($options['include_operations'] ?? true);
-        $tenantId = (int) $tenant->getKey();
-
-        // 1. Collect StoredReports
-        $storedReports = StoredReport::query()
-            ->where('tenant_id', $tenantId)
-            ->whereIn('report_type', [
-                StoredReport::REPORT_TYPE_PERMISSION_POSTURE,
-                StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
-            ])
-            ->get()
-            ->keyBy('report_type');
-
-        // 2. Collect open findings
-        $findings = Finding::query()
-            ->where('tenant_id', $tenantId)
-            ->whereIn('status', Finding::openStatusesForQuery())
-            ->orderBy('severity')
-            ->orderBy('created_at')
-            ->get();
-
-        // 3. Collect tenant hardening fields
-        $hardening = [
-            'rbac_last_checked_at' => $tenant->rbac_last_checked_at?->toIso8601String(),
-            'rbac_last_setup_at' => $tenant->rbac_last_setup_at?->toIso8601String(),
-            'rbac_canary_results' => $tenant->rbac_canary_results,
-            'rbac_last_warnings' => $tenant->rbac_last_warnings,
-            'rbac_scope_mode' => $tenant->rbac_scope_mode,
-        ];
-
-        // 4. Collect recent OperationRuns (30 days)
-        $recentOperations = $includeOperations
-            ? OperationRun::query()
-                ->where('tenant_id', $tenantId)
-                ->where('created_at', '>=', now()->subDays(30))
-                ->orderByDesc('created_at')
-                ->get()
-            : collect();
-
-        // 5. Data freshness
-        $dataFreshness = $this->computeDataFreshness($storedReports, $findings, $tenant);
-
-        // 6. Build file map
-        $fileMap = $this->buildFileMap(
-            storedReports: $storedReports,
-            findings: $findings,
-            hardening: $hardening,
-            recentOperations: $recentOperations,
-            tenant: $tenant,
-            dataFreshness: $dataFreshness,
-            includePii: $includePii,
-            includeOperations: $includeOperations,
-        );
-
-        // 7. Assemble ZIP
-        $tempFile = tempnam(sys_get_temp_dir(), 'review-pack-');
-
-        try {
-            $this->assembleZip($tempFile, $fileMap);
-
-            // 8. Compute SHA-256
-            $sha256 = hash_file('sha256', $tempFile);
-            $fileSize = filesize($tempFile);
-
-            // 9. Store on exports disk
-            $filePath = sprintf(
-                'review-packs/%s/%s.zip',
-                $tenant->external_id,
-                now()->format('Y-m-d-His'),
-            );
-
-            Storage::disk('exports')->put($filePath, file_get_contents($tempFile));
-        } finally {
-            if (file_exists($tempFile)) {
-                unlink($tempFile);
-            }
-        }
-
-        // 10. Compute fingerprint
-        $fingerprint = app(ReviewPackService::class)->computeFingerprint($tenant, $options);
-
-        // 11. Compute summary
-        $summary = [
-            'finding_count' => $findings->count(),
-            'report_count' => $storedReports->count(),
-            'operation_count' => $recentOperations->count(),
-            'data_freshness' => $dataFreshness,
-        ];
-
-        // 12. Update ReviewPack
-        $retentionDays = (int) config('tenantpilot.review_pack.retention_days', 90);
-        $reviewPack->update([
-            'status' => ReviewPackStatus::Ready->value,
-            'fingerprint' => $fingerprint,
-            'sha256' => $sha256,
-            'file_size' => $fileSize,
-            'file_path' => $filePath,
-            'file_disk' => 'exports',
-            'generated_at' => now(),
-            'expires_at' => now()->addDays($retentionDays),
-            'summary' => $summary,
-        ]);
-
-        // 13. Mark OperationRun completed (auto-sends OperationRunCompleted notification)
-        $operationRunService->updateRun(
-            $operationRun,
-            status: OperationRunStatus::Completed->value,
-            outcome: OperationRunOutcome::Succeeded->value,
-            summaryCounts: $summary,
-        );
-    }
-
-    /**
-     * @param  \Illuminate\Support\Collection<string, StoredReport>  $storedReports
-     * @param  \Illuminate\Database\Eloquent\Collection<int, Finding>  $findings
-     * @return array<string, ?string>
-     */
-    private function computeDataFreshness($storedReports, $findings, Tenant $tenant): array
-    {
-        return [
-            'permission_posture' => $storedReports->get(StoredReport::REPORT_TYPE_PERMISSION_POSTURE)?->updated_at?->toIso8601String(),
-            'entra_admin_roles' => $storedReports->get(StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)?->updated_at?->toIso8601String(),
-            'findings' => $findings->max('updated_at')?->toIso8601String() ?? $findings->max('created_at')?->toIso8601String(),
-            'hardening' => $tenant->rbac_last_checked_at?->toIso8601String(),
-        ];
-    }
-
-    /**
-     * Build the file map for the ZIP contents.
-     *
-     * @return array<string, string>
-     */
-    private function buildFileMap(
-        $storedReports,
-        $findings,
-        array $hardening,
-        $recentOperations,
-        Tenant $tenant,
-        array $dataFreshness,
-        bool $includePii,
-        bool $includeOperations,
-    ): array {
-        $files = [];
-
-        // findings.csv
-        $files['findings.csv'] = $this->buildFindingsCsv($findings, $includePii);
-
-        // hardening.json
-        $files['hardening.json'] = json_encode($hardening, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
-
-        // metadata.json
-        $files['metadata.json'] = json_encode([
-            'version' => '1.0',
-            'tenant_id' => $tenant->external_id,
-            'tenant_name' => $includePii ? $tenant->name : '[REDACTED]',
-            'generated_at' => now()->toIso8601String(),
-            'options' => [
-                'include_pii' => $includePii,
-                'include_operations' => $includeOperations,
-            ],
-        ], JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
-
-        // operations.csv
-        $files['operations.csv'] = $this->buildOperationsCsv($recentOperations, $includePii);
-
-        // reports/entra_admin_roles.json
-        $entraReport = $storedReports->get(StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES);
-        $files['reports/entra_admin_roles.json'] = json_encode(
-            $entraReport ? $this->redactReportPayload($entraReport->payload ?? [], $includePii) : [],
-            JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR,
-        );
-
-        // reports/permission_posture.json
-        $postureReport = $storedReports->get(StoredReport::REPORT_TYPE_PERMISSION_POSTURE);
-        $files['reports/permission_posture.json'] = json_encode(
-            $postureReport ? $this->redactReportPayload($postureReport->payload ?? [], $includePii) : [],
-            JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR,
-        );
-
-        // summary.json
-        $files['summary.json'] = json_encode([
-            'data_freshness' => $dataFreshness,
-            'finding_count' => $findings->count(),
-            'report_count' => $storedReports->count(),
-            'operation_count' => $recentOperations->count(),
-        ], JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
-
-        return $files;
-    }
-
-    /**
-     * Build findings CSV content.
-     *
-     * @param  \Illuminate\Database\Eloquent\Collection<int, Finding>  $findings
-     */
-    private function buildFindingsCsv($findings, bool $includePii): string
-    {
-        $handle = fopen('php://temp', 'r+');
-        fputcsv($handle, ['id', 'finding_type', 'severity', 'status', 'title', 'description', 'created_at', 'updated_at']);
-
-        foreach ($findings as $finding) {
-            fputcsv($handle, [
-                $finding->id,
-                $finding->finding_type,
-                $finding->severity,
-                $finding->status,
-                $includePii ? ($finding->title ?? '') : '[REDACTED]',
-                $includePii ? ($finding->description ?? '') : '[REDACTED]',
-                $finding->created_at?->toIso8601String(),
-                $finding->updated_at?->toIso8601String(),
-            ]);
-        }
-
-        rewind($handle);
-        $content = stream_get_contents($handle);
-        fclose($handle);
-
-        return $content;
-    }
-
-    /**
-     * Build operations CSV content.
-     */
-    private function buildOperationsCsv($operations, bool $includePii): string
-    {
-        $handle = fopen('php://temp', 'r+');
-        fputcsv($handle, ['id', 'type', 'status', 'outcome', 'initiator', 'started_at', 'completed_at']);
-
-        foreach ($operations as $operation) {
-            fputcsv($handle, [
-                $operation->id,
-                $operation->type,
-                $operation->status,
-                $operation->outcome,
-                $includePii ? ($operation->user?->name ?? '') : '[REDACTED]',
-                $operation->started_at?->toIso8601String(),
-                $operation->completed_at?->toIso8601String(),
-            ]);
-        }
-
-        rewind($handle);
-        $content = stream_get_contents($handle);
-        fclose($handle);
-
-        return $content;
-    }
-
-    /**
-     * Redact PII from a report payload.
-     *
-     * @param  array<string, mixed>  $payload
-     * @return array<string, mixed>
-     */
-    private function redactReportPayload(array $payload, bool $includePii): array
-    {
-        if ($includePii) {
-            return $payload;
-        }
-
-        return $this->redactArrayPii($payload);
-    }
-
-    /**
-     * Recursively redact PII fields from an array.
-     *
-     * @param  array<string, mixed>  $data
-     * @return array<string, mixed>
-     */
-    private function redactArrayPii(array $data): array
-    {
-        $piiKeys = ['displayName', 'display_name', 'userPrincipalName', 'user_principal_name', 'email', 'mail'];
-
-        foreach ($data as $key => $value) {
-            if (is_string($key) && in_array($key, $piiKeys, true)) {
-                $data[$key] = '[REDACTED]';
-            } elseif (is_array($value)) {
-                $data[$key] = $this->redactArrayPii($value);
-            }
-        }
-
-        return $data;
-    }
-
-    /**
-     * Assemble a ZIP file from a file map.
-     *
-     * @param  array<string, string>  $fileMap
-     */
-    private function assembleZip(string $tempFile, array $fileMap): void
-    {
-        $zip = new ZipArchive;
-        $result = $zip->open($tempFile, ZipArchive::CREATE | ZipArchive::OVERWRITE);
-
-        if ($result !== true) {
-            throw new \RuntimeException("Failed to create ZIP archive: error code {$result}");
-        }
-
-        // Add files in alphabetical order for deterministic output
-        ksort($fileMap);
-
-        foreach ($fileMap as $filename => $content) {
-            $zip->addFromString($filename, $content);
-        }
-
-        $zip->close();
-    }
-
-    private function markFailed(ReviewPack $reviewPack, OperationRun $operationRun, OperationRunService $operationRunService, string $reasonCode, string $errorMessage): void
-    {
-        $reviewPack->update(['status' => ReviewPackStatus::Failed->value]);
-
-        $operationRunService->updateRun(
-            $operationRun,
-            status: OperationRunStatus::Completed->value,
-            outcome: OperationRunOutcome::Failed->value,
-            failures: [
-                ['code' => $reasonCode, 'message' => mb_substr($errorMessage, 0, 500)],
-            ],
-        );
-    }
-}

app/Models/AuditLog.php

@@ -1,24 +0,0 @@
-<?php
-
-namespace App\Models;
-
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\Relations\BelongsTo;
-
-class AuditLog extends Model
-{
-    use HasFactory;
-
-    protected $guarded = [];
-
-    protected $casts = [
-        'metadata' => 'array',
-        'recorded_at' => 'datetime',
-    ];
-
-    public function tenant(): BelongsTo
-    {
-        return $this->belongsTo(Tenant::class);
-    }
-}

app/Models/BaselineProfile.php

@@ -1,50 +0,0 @@
-<?php
-
-namespace App\Models;
-
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\Relations\BelongsTo;
-use Illuminate\Database\Eloquent\Relations\HasMany;
-
-class BaselineProfile extends Model
-{
-    use HasFactory;
-
-    public const string STATUS_DRAFT = 'draft';
-
-    public const string STATUS_ACTIVE = 'active';
-
-    public const string STATUS_ARCHIVED = 'archived';
-
-    protected $guarded = [];
-
-    protected $casts = [
-        'scope_jsonb' => 'array',
-    ];
-
-    public function workspace(): BelongsTo
-    {
-        return $this->belongsTo(Workspace::class);
-    }
-
-    public function createdByUser(): BelongsTo
-    {
-        return $this->belongsTo(User::class, 'created_by_user_id');
-    }
-
-    public function activeSnapshot(): BelongsTo
-    {
-        return $this->belongsTo(BaselineSnapshot::class, 'active_snapshot_id');
-    }
-
-    public function snapshots(): HasMany
-    {
-        return $this->hasMany(BaselineSnapshot::class);
-    }
-
-    public function tenantAssignments(): HasMany
-    {
-        return $this->hasMany(BaselineTenantAssignment::class);
-    }
-}

app/Models/BaselineSnapshot.php

@@ -1,35 +0,0 @@
-<?php
-
-namespace App\Models;
-
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\Relations\BelongsTo;
-use Illuminate\Database\Eloquent\Relations\HasMany;
-
-class BaselineSnapshot extends Model
-{
-    use HasFactory;
-
-    protected $guarded = [];
-
-    protected $casts = [
-        'summary_jsonb' => 'array',
-        'captured_at' => 'datetime',
-    ];
-
-    public function workspace(): BelongsTo
-    {
-        return $this->belongsTo(Workspace::class);
-    }
-
-    public function baselineProfile(): BelongsTo
-    {
-        return $this->belongsTo(BaselineProfile::class);
-    }
-
-    public function items(): HasMany
-    {
-        return $this->hasMany(BaselineSnapshotItem::class);
-    }
-}

app/Models/BaselineTenantAssignment.php

@@ -1,40 +0,0 @@
-<?php
-
-namespace App\Models;
-
-use App\Support\Concerns\DerivesWorkspaceIdFromTenant;
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\Relations\BelongsTo;
-
-class BaselineTenantAssignment extends Model
-{
-    use DerivesWorkspaceIdFromTenant;
-    use HasFactory;
-
-    protected $guarded = [];
-
-    protected $casts = [
-        'override_scope_jsonb' => 'array',
-    ];
-
-    public function workspace(): BelongsTo
-    {
-        return $this->belongsTo(Workspace::class);
-    }
-
-    public function tenant(): BelongsTo
-    {
-        return $this->belongsTo(Tenant::class);
-    }
-
-    public function baselineProfile(): BelongsTo
-    {
-        return $this->belongsTo(BaselineProfile::class);
-    }
-
-    public function assignedByUser(): BelongsTo
-    {
-        return $this->belongsTo(User::class, 'assigned_by_user_id');
-    }
-}

app/Models/OperationRun.php

@@ -1,130 +0,0 @@
-<?php
-
-namespace App\Models;
-
-use Illuminate\Database\Eloquent\Builder;
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\Relations\BelongsTo;
-use Illuminate\Support\Arr;
-
-class OperationRun extends Model
-{
-    use HasFactory;
-
-    protected $guarded = [];
-
-    protected $casts = [
-        'summary_counts' => 'array',
-        'failure_summary' => 'array',
-        'context' => 'array',
-        'started_at' => 'datetime',
-        'completed_at' => 'datetime',
-    ];
-
-    protected static function booted(): void
-    {
-        static::creating(function (self $operationRun): void {
-            if ($operationRun->workspace_id !== null) {
-                return;
-            }
-
-            if ($operationRun->tenant_id === null) {
-                return;
-            }
-
-            $tenant = Tenant::query()->whereKey((int) $operationRun->tenant_id)->first();
-
-            if (! $tenant instanceof Tenant) {
-                return;
-            }
-
-            if ($tenant->workspace_id === null) {
-                return;
-            }
-
-            $operationRun->workspace_id = (int) $tenant->workspace_id;
-        });
-    }
-
-    public function tenant(): BelongsTo
-    {
-        return $this->belongsTo(Tenant::class);
-    }
-
-    public function workspace(): BelongsTo
-    {
-        return $this->belongsTo(Workspace::class);
-    }
-
-    public function user(): BelongsTo
-    {
-        return $this->belongsTo(User::class);
-    }
-
-    public function scopeActive(Builder $query): Builder
-    {
-        return $query->whereIn('status', ['queued', 'running']);
-    }
-
-    public function getSelectionHashAttribute(): ?string
-    {
-        $context = is_array($this->context) ? $this->context : [];
-
-        return isset($context['selection_hash']) && is_string($context['selection_hash'])
-            ? $context['selection_hash']
-            : null;
-    }
-
-    public function setSelectionHashAttribute(?string $value): void
-    {
-        $context = is_array($this->context) ? $this->context : [];
-        $context['selection_hash'] = $value;
-
-        $this->context = $context;
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    public function getSelectionPayloadAttribute(): array
-    {
-        $context = is_array($this->context) ? $this->context : [];
-
-        return Arr::only($context, [
-            'policy_types',
-            'categories',
-            'include_foundations',
-            'include_dependencies',
-        ]);
-    }
-
-    /**
-     * @param  array<string, mixed>|null  $value
-     */
-    public function setSelectionPayloadAttribute(?array $value): void
-    {
-        $context = is_array($this->context) ? $this->context : [];
-
-        if (is_array($value)) {
-            $context = array_merge($context, Arr::only($value, [
-                'policy_types',
-                'categories',
-                'include_foundations',
-                'include_dependencies',
-            ]));
-        }
-
-        $this->context = $context;
-    }
-
-    public function getFinishedAtAttribute(): mixed
-    {
-        return $this->completed_at;
-    }
-
-    public function setFinishedAtAttribute(mixed $value): void
-    {
-        $this->completed_at = $value;
-    }
-}

app/Models/PolicyVersion.php

@@ -1,57 +0,0 @@
-<?php
-
-namespace App\Models;
-
-use App\Support\Concerns\DerivesWorkspaceIdFromTenant;
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\Relations\BelongsTo;
-use Illuminate\Database\Eloquent\SoftDeletes;
-
-class PolicyVersion extends Model
-{
-    use DerivesWorkspaceIdFromTenant;
-    use HasFactory;
-    use SoftDeletes;
-
-    protected $guarded = [];
-
-    protected $casts = [
-        'snapshot' => 'array',
-        'metadata' => 'array',
-        'assignments' => 'array',
-        'scope_tags' => 'array',
-        'captured_at' => 'datetime',
-    ];
-
-    public function previous(): ?self
-    {
-        return $this->policy
-            ? $this->policy
-                ->versions()
-                ->where('version_number', '<', $this->version_number)
-                ->orderByDesc('version_number')
-                ->first()
-            : null;
-    }
-
-    public function tenant(): BelongsTo
-    {
-        return $this->belongsTo(Tenant::class);
-    }
-
-    public function policy(): BelongsTo
-    {
-        return $this->belongsTo(Policy::class);
-    }
-
-    public function scopePruneEligible($query, int $days = 90)
-    {
-        return $query
-            ->whereNull('deleted_at')
-            ->where('captured_at', '<', now()->subDays($days))
-            ->whereRaw(
-                'policy_versions.version_number < (select max(pv2.version_number) from policy_versions pv2 where pv2.policy_id = policy_versions.policy_id and pv2.deleted_at is null)'
-            );
-    }
-}

app/Models/ProviderConnection.php

@@ -1,56 +0,0 @@
-<?php
-
-namespace App\Models;
-
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\Relations\BelongsTo;
-use Illuminate\Database\Eloquent\Relations\HasOne;
-use Illuminate\Support\Facades\DB;
-
-class ProviderConnection extends Model
-{
-    use HasFactory;
-
-    protected $guarded = [];
-
-    protected $casts = [
-        'is_default' => 'boolean',
-        'scopes_granted' => 'array',
-        'metadata' => 'array',
-        'last_health_check_at' => 'datetime',
-    ];
-
-    public function tenant(): BelongsTo
-    {
-        return $this->belongsTo(Tenant::class);
-    }
-
-    public function workspace(): BelongsTo
-    {
-        return $this->belongsTo(Workspace::class);
-    }
-
-    public function credential(): HasOne
-    {
-        return $this->hasOne(ProviderCredential::class, 'provider_connection_id');
-    }
-
-    public function makeDefault(): void
-    {
-        DB::transaction(function (): void {
-            static::query()
-                ->where('tenant_id', $this->tenant_id)
-                ->where('provider', $this->provider)
-                ->where('is_default', true)
-                ->whereKeyNot($this->getKey())
-                ->update(['is_default' => false]);
-
-            static::query()
-                ->whereKey($this->getKey())
-                ->update(['is_default' => true]);
-        });
-
-        $this->refresh();
-    }
-}

app/Models/TenantOnboardingSession.php

@@ -1,92 +0,0 @@
-<?php
-
-namespace App\Models;
-
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\Relations\BelongsTo;
-
-class TenantOnboardingSession extends Model
-{
-    /** @use HasFactory<\Database\Factories\TenantOnboardingSessionFactory> */
-    use HasFactory;
-
-    protected $table = 'managed_tenant_onboarding_sessions';
-
-    /**
-     * @var array<int, string>
-     */
-    public const STATE_ALLOWED_KEYS = [
-        'entra_tenant_id',
-        'tenant_id',
-        'tenant_name',
-        'environment',
-        'primary_domain',
-        'notes',
-        'provider_connection_id',
-        'selected_provider_connection_id',
-        'verification_operation_run_id',
-        'verification_run_id',
-        'bootstrap_operation_types',
-        'bootstrap_operation_runs',
-        'bootstrap_run_ids',
-        'connection_recently_updated',
-    ];
-
-    protected $guarded = [];
-
-    protected $casts = [
-        'state' => 'array',
-        'completed_at' => 'datetime',
-    ];
-
-    /**
-     * @param  array<string, mixed>|null  $value
-     */
-    public function setStateAttribute(?array $value): void
-    {
-        if ($value === null) {
-            $this->attributes['state'] = null;
-
-            return;
-        }
-
-        $allowed = array_intersect_key($value, array_flip(self::STATE_ALLOWED_KEYS));
-
-        $encoded = json_encode($allowed, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
-
-        $this->attributes['state'] = $encoded !== false ? $encoded : json_encode([], JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
-    }
-
-    /**
-     * @return BelongsTo<Workspace, $this>
-     */
-    public function workspace(): BelongsTo
-    {
-        return $this->belongsTo(Workspace::class);
-    }
-
-    /**
-     * @return BelongsTo<Tenant, $this>
-     */
-    public function tenant(): BelongsTo
-    {
-        return $this->belongsTo(Tenant::class);
-    }
-
-    /**
-     * @return BelongsTo<User, $this>
-     */
-    public function startedByUser(): BelongsTo
-    {
-        return $this->belongsTo(User::class, 'started_by_user_id');
-    }
-
-    /**
-     * @return BelongsTo<User, $this>
-     */
-    public function updatedByUser(): BelongsTo
-    {
-        return $this->belongsTo(User::class, 'updated_by_user_id');
-    }
-}

app/Notifications/OperationRunCompleted.php

@@ -1,33 +0,0 @@
-<?php
-
-namespace App\Notifications;
-
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Support\OpsUx\OperationUxPresenter;
-use Illuminate\Bus\Queueable;
-use Illuminate\Notifications\Notification;
-
-class OperationRunCompleted extends Notification
-{
-    use Queueable;
-
-    public function __construct(
-        public OperationRun $run
-    ) {}
-
-    public function via(object $notifiable): array
-    {
-        return ['database'];
-    }
-
-    public function toDatabase(object $notifiable): array
-    {
-        $tenant = $this->run->tenant;
-
-        return OperationUxPresenter::terminalDatabaseNotification(
-            run: $this->run,
-            tenant: $tenant instanceof Tenant ? $tenant : null,
-        )->getDatabaseMessage();
-    }
-}

app/Policies/BackupSchedulePolicy.php

@@ -1,83 +0,0 @@
-<?php
-
-namespace App\Policies;
-
-use App\Models\BackupSchedule;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Support\Auth\Capabilities;
-use Illuminate\Auth\Access\HandlesAuthorization;
-use Illuminate\Support\Facades\Gate;
-
-class BackupSchedulePolicy
-{
-    use HandlesAuthorization;
-
-    protected function isTenantMember(User $user, ?Tenant $tenant = null): bool
-    {
-        $tenant ??= Tenant::current();
-
-        return $tenant instanceof Tenant
-            && Gate::forUser($user)->allows(Capabilities::TENANT_VIEW, $tenant);
-    }
-
-    public function viewAny(User $user): bool
-    {
-        return $this->isTenantMember($user);
-    }
-
-    public function view(User $user, BackupSchedule $schedule): bool
-    {
-        $tenant = Tenant::current();
-
-        if (! $this->isTenantMember($user, $tenant)) {
-            return false;
-        }
-
-        return (int) $schedule->tenant_id === (int) $tenant->getKey();
-    }
-
-    public function create(User $user): bool
-    {
-        $tenant = Tenant::current();
-
-        return $tenant instanceof Tenant
-            && Gate::forUser($user)->allows(Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE, $tenant);
-    }
-
-    public function update(User $user, BackupSchedule $schedule): bool
-    {
-        $tenant = Tenant::current();
-
-        return $tenant instanceof Tenant
-            && (int) $schedule->tenant_id === (int) $tenant->getKey()
-            && Gate::forUser($user)->allows(Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE, $tenant);
-    }
-
-    public function delete(User $user, BackupSchedule $schedule): bool
-    {
-        $tenant = Tenant::current();
-
-        return $tenant instanceof Tenant
-            && (int) $schedule->tenant_id === (int) $tenant->getKey()
-            && Gate::forUser($user)->allows(Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE, $tenant);
-    }
-
-    public function restore(User $user, BackupSchedule $schedule): bool
-    {
-        $tenant = Tenant::current();
-
-        return $tenant instanceof Tenant
-            && (int) $schedule->tenant_id === (int) $tenant->getKey()
-            && Gate::forUser($user)->allows(Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE, $tenant);
-    }
-
-    public function forceDelete(User $user, BackupSchedule $schedule): bool
-    {
-        $tenant = Tenant::current();
-
-        return $tenant instanceof Tenant
-            && (int) $schedule->tenant_id === (int) $tenant->getKey()
-            && Gate::forUser($user)->allows(Capabilities::TENANT_DELETE, $tenant);
-    }
-}

app/Policies/EntraGroupPolicy.php

@@ -1,39 +0,0 @@
-<?php
-
-namespace App\Policies;
-
-use App\Models\EntraGroup;
-use App\Models\Tenant;
-use App\Models\User;
-use Illuminate\Auth\Access\HandlesAuthorization;
-
-class EntraGroupPolicy
-{
-    use HandlesAuthorization;
-
-    public function viewAny(User $user): bool
-    {
-        $tenant = Tenant::current();
-
-        if (! $tenant) {
-            return false;
-        }
-
-        return $user->canAccessTenant($tenant);
-    }
-
-    public function view(User $user, EntraGroup $group): bool
-    {
-        $tenant = Tenant::current();
-
-        if (! $tenant) {
-            return false;
-        }
-
-        if (! $user->canAccessTenant($tenant)) {
-            return false;
-        }
-
-        return (int) $group->tenant_id === (int) $tenant->getKey();
-    }
-}

app/Services/Audit/WorkspaceAuditLogger.php

@@ -1,48 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Services\Audit;
-
-use App\Models\AuditLog;
-use App\Models\User;
-use App\Models\Workspace;
-use App\Support\Audit\AuditContextSanitizer;
-use Carbon\CarbonImmutable;
-
-class WorkspaceAuditLogger
-{
-    public function log(
-        Workspace $workspace,
-        string $action,
-        array $context = [],
-        ?User $actor = null,
-        string $status = 'success',
-        ?string $resourceType = null,
-        ?string $resourceId = null,
-        ?int $actorId = null,
-        ?string $actorEmail = null,
-        ?string $actorName = null,
-    ): AuditLog {
-        $metadata = $context['metadata'] ?? [];
-        unset($context['metadata']);
-
-        $metadata = is_array($metadata) ? $metadata : [];
-
-        $sanitizedMetadata = AuditContextSanitizer::sanitize($metadata + $context);
-
-        return AuditLog::create([
-            'tenant_id' => null,
-            'workspace_id' => (int) $workspace->getKey(),
-            'actor_id' => $actor?->getKey() ?? $actorId,
-            'actor_email' => $actor?->email ?? $actorEmail,
-            'actor_name' => $actor?->name ?? $actorName,
-            'action' => $action,
-            'resource_type' => $resourceType,
-            'resource_id' => $resourceId,
-            'status' => $status,
-            'metadata' => $sanitizedMetadata,
-            'recorded_at' => CarbonImmutable::now(),
-        ]);
-    }
-}

app/Services/Baselines/BaselineCaptureService.php

@@ -1,79 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Services\Baselines;
-
-use App\Jobs\CaptureBaselineSnapshotJob;
-use App\Models\BaselineProfile;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\OperationRunService;
-use App\Support\Baselines\BaselineReasonCodes;
-use App\Support\Baselines\BaselineScope;
-
-final class BaselineCaptureService
-{
-    public function __construct(
-        private readonly OperationRunService $runs,
-    ) {}
-
-    /**
-     * @return array{ok: bool, run?: OperationRun, reason_code?: string}
-     */
-    public function startCapture(
-        BaselineProfile $profile,
-        Tenant $sourceTenant,
-        User $initiator,
-    ): array {
-        $precondition = $this->validatePreconditions($profile, $sourceTenant);
-
-        if ($precondition !== null) {
-            return ['ok' => false, 'reason_code' => $precondition];
-        }
-
-        $effectiveScope = BaselineScope::fromJsonb(
-            is_array($profile->scope_jsonb) ? $profile->scope_jsonb : null,
-        );
-
-        $context = [
-            'baseline_profile_id' => (int) $profile->getKey(),
-            'source_tenant_id' => (int) $sourceTenant->getKey(),
-            'effective_scope' => $effectiveScope->toJsonb(),
-        ];
-
-        $run = $this->runs->ensureRunWithIdentity(
-            tenant: $sourceTenant,
-            type: 'baseline_capture',
-            identityInputs: [
-                'baseline_profile_id' => (int) $profile->getKey(),
-            ],
-            context: $context,
-            initiator: $initiator,
-        );
-
-        if ($run->wasRecentlyCreated) {
-            CaptureBaselineSnapshotJob::dispatch($run);
-        }
-
-        return ['ok' => true, 'run' => $run];
-    }
-
-    private function validatePreconditions(BaselineProfile $profile, Tenant $sourceTenant): ?string
-    {
-        if ($profile->status !== BaselineProfile::STATUS_ACTIVE) {
-            return BaselineReasonCodes::CAPTURE_PROFILE_NOT_ACTIVE;
-        }
-
-        if ($sourceTenant->workspace_id === null) {
-            return BaselineReasonCodes::CAPTURE_MISSING_SOURCE_TENANT;
-        }
-
-        if ((int) $sourceTenant->workspace_id !== (int) $profile->workspace_id) {
-            return BaselineReasonCodes::CAPTURE_MISSING_SOURCE_TENANT;
-        }
-
-        return null;
-    }
-}

app/Services/Baselines/BaselineCompareService.php

@@ -1,97 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Services\Baselines;
-
-use App\Jobs\CompareBaselineToTenantJob;
-use App\Models\BaselineProfile;
-use App\Models\BaselineTenantAssignment;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\OperationRunService;
-use App\Support\Baselines\BaselineReasonCodes;
-use App\Support\Baselines\BaselineScope;
-
-final class BaselineCompareService
-{
-    public function __construct(
-        private readonly OperationRunService $runs,
-    ) {}
-
-    /**
-     * @return array{ok: bool, run?: OperationRun, reason_code?: string}
-     */
-    public function startCompare(
-        Tenant $tenant,
-        User $initiator,
-    ): array {
-        $assignment = BaselineTenantAssignment::query()
-            ->where('workspace_id', $tenant->workspace_id)
-            ->where('tenant_id', $tenant->getKey())
-            ->first();
-
-        if (! $assignment instanceof BaselineTenantAssignment) {
-            return ['ok' => false, 'reason_code' => BaselineReasonCodes::COMPARE_NO_ASSIGNMENT];
-        }
-
-        $profile = BaselineProfile::query()->find($assignment->baseline_profile_id);
-
-        if (! $profile instanceof BaselineProfile) {
-            return ['ok' => false, 'reason_code' => BaselineReasonCodes::COMPARE_PROFILE_NOT_ACTIVE];
-        }
-
-        $precondition = $this->validatePreconditions($profile);
-
-        if ($precondition !== null) {
-            return ['ok' => false, 'reason_code' => $precondition];
-        }
-
-        $snapshotId = (int) $profile->active_snapshot_id;
-
-        $profileScope = BaselineScope::fromJsonb(
-            is_array($profile->scope_jsonb) ? $profile->scope_jsonb : null,
-        );
-        $overrideScope = $assignment->override_scope_jsonb !== null
-            ? BaselineScope::fromJsonb(is_array($assignment->override_scope_jsonb) ? $assignment->override_scope_jsonb : null)
-            : null;
-
-        $effectiveScope = BaselineScope::effective($profileScope, $overrideScope);
-
-        $context = [
-            'baseline_profile_id' => (int) $profile->getKey(),
-            'baseline_snapshot_id' => $snapshotId,
-            'effective_scope' => $effectiveScope->toJsonb(),
-        ];
-
-        $run = $this->runs->ensureRunWithIdentity(
-            tenant: $tenant,
-            type: 'baseline_compare',
-            identityInputs: [
-                'baseline_profile_id' => (int) $profile->getKey(),
-            ],
-            context: $context,
-            initiator: $initiator,
-        );
-
-        if ($run->wasRecentlyCreated) {
-            CompareBaselineToTenantJob::dispatch($run);
-        }
-
-        return ['ok' => true, 'run' => $run];
-    }
-
-    private function validatePreconditions(BaselineProfile $profile): ?string
-    {
-        if ($profile->status !== BaselineProfile::STATUS_ACTIVE) {
-            return BaselineReasonCodes::COMPARE_PROFILE_NOT_ACTIVE;
-        }
-
-        if ($profile->active_snapshot_id === null) {
-            return BaselineReasonCodes::COMPARE_NO_ACTIVE_SNAPSHOT;
-        }
-
-        return null;
-    }
-}

app/Services/Baselines/BaselineSnapshotIdentity.php

@@ -1,59 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Services\Baselines;
-
-use App\Services\Drift\DriftHasher;
-
-/**
- * Computes the snapshot_identity_hash for baseline snapshot content dedupe.
- *
- * The identity hash is a sha256 over normalized snapshot items, enabling
- * detection of "nothing changed" when capturing the same inventory state.
- */
-final class BaselineSnapshotIdentity
-{
-    public function __construct(
-        private readonly DriftHasher $hasher,
-    ) {}
-
-    /**
-     * Compute identity hash over a set of snapshot items.
-     *
-     * Each item is represented as an associative array with:
-     * - subject_type, subject_external_id, policy_type, baseline_hash
-     *
-     * @param  array<int, array{subject_type: string, subject_external_id: string, policy_type: string, baseline_hash: string}>  $items
-     */
-    public function computeIdentity(array $items): string
-    {
-        if ($items === []) {
-            return hash('sha256', '[]');
-        }
-
-        $normalized = array_map(
-            fn (array $item): string => implode('|', [
-                trim((string) ($item['subject_type'] ?? '')),
-                trim((string) ($item['subject_external_id'] ?? '')),
-                trim((string) ($item['policy_type'] ?? '')),
-                trim((string) ($item['baseline_hash'] ?? '')),
-            ]),
-            $items,
-        );
-
-        sort($normalized, SORT_STRING);
-
-        return hash('sha256', implode("\n", $normalized));
-    }
-
-    /**
-     * Compute a stable content hash for a single inventory item's metadata.
-     *
-     * Strips volatile OData keys and normalizes for stable comparison.
-     */
-    public function hashItemContent(mixed $metaJsonb): string
-    {
-        return $this->hasher->hashNormalized($metaJsonb);
-    }
-}

app/Services/Drift/DriftFindingGenerator.php

@@ -1,483 +0,0 @@
-<?php
-
-namespace App\Services\Drift;
-
-use App\Models\Finding;
-use App\Models\OperationRun;
-use App\Models\Policy;
-use App\Models\PolicyVersion;
-use App\Models\Tenant;
-use App\Models\Workspace;
-use App\Services\Drift\Normalizers\ScopeTagsNormalizer;
-use App\Services\Drift\Normalizers\SettingsNormalizer;
-use App\Services\Findings\FindingSlaPolicy;
-use App\Services\Settings\SettingsResolver;
-use Carbon\CarbonImmutable;
-use Illuminate\Support\Arr;
-use RuntimeException;
-
-class DriftFindingGenerator
-{
-    public function __construct(
-        private readonly DriftHasher $hasher,
-        private readonly DriftEvidence $evidence,
-        private readonly SettingsNormalizer $settingsNormalizer,
-        private readonly ScopeTagsNormalizer $scopeTagsNormalizer,
-        private readonly SettingsResolver $settingsResolver,
-        private readonly FindingSlaPolicy $slaPolicy,
-    ) {}
-
-    public function generate(Tenant $tenant, OperationRun $baseline, OperationRun $current, string $scopeKey): int
-    {
-        if (! $baseline->completed_at || ! $current->completed_at) {
-            throw new RuntimeException('Baseline/current run must be finished.');
-        }
-
-        $observedAt = CarbonImmutable::instance($current->completed_at);
-
-        /** @var array<string, mixed> $selection */
-        $selection = is_array($current->context) ? $current->context : [];
-
-        $policyTypes = Arr::get($selection, 'policy_types');
-        if (! is_array($policyTypes)) {
-            $policyTypes = [];
-        }
-
-        $policyTypes = array_values(array_filter(array_map('strval', $policyTypes)));
-
-        $created = 0;
-        $resolvedSeverity = $this->resolveSeverityForFindingType($tenant, Finding::FINDING_TYPE_DRIFT);
-        $seenRecurrenceKeys = [];
-
-        Policy::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->whereIn('policy_type', $policyTypes)
-            ->orderBy('id')
-            ->chunk(200, function ($policies) use ($tenant, $baseline, $current, $scopeKey, $resolvedSeverity, $observedAt, &$seenRecurrenceKeys, &$created): void {
-                foreach ($policies as $policy) {
-                    if (! $policy instanceof Policy) {
-                        continue;
-                    }
-
-                    $baselineVersion = $this->versionForRun($policy, $baseline);
-                    $currentVersion = $this->versionForRun($policy, $current);
-
-                    if ($baselineVersion instanceof PolicyVersion || $currentVersion instanceof PolicyVersion) {
-                        $policyType = (string) ($policy->policy_type ?? '');
-                        $platform = is_string($policy->platform ?? null) ? $policy->platform : null;
-
-                        $baselineSnapshot = $baselineVersion instanceof PolicyVersion && is_array($baselineVersion->snapshot)
-                            ? $baselineVersion->snapshot
-                            : [];
-                        $currentSnapshot = $currentVersion instanceof PolicyVersion && is_array($currentVersion->snapshot)
-                            ? $currentVersion->snapshot
-                            : [];
-
-                        $baselineNormalized = $this->settingsNormalizer->normalizeForDiff($baselineSnapshot, $policyType, $platform);
-                        $currentNormalized = $this->settingsNormalizer->normalizeForDiff($currentSnapshot, $policyType, $platform);
-
-                        $baselineSnapshotHash = $this->hasher->hashNormalized($baselineNormalized);
-                        $currentSnapshotHash = $this->hasher->hashNormalized($currentNormalized);
-
-                        if ($baselineSnapshotHash !== $currentSnapshotHash) {
-                            $changeType = match (true) {
-                                $baselineVersion instanceof PolicyVersion && ! $currentVersion instanceof PolicyVersion => 'removed',
-                                ! $baselineVersion instanceof PolicyVersion && $currentVersion instanceof PolicyVersion => 'added',
-                                default => 'modified',
-                            };
-
-                            $rawEvidence = [
-                                'change_type' => $changeType,
-                                'summary' => [
-                                    'kind' => 'policy_snapshot',
-                                    'changed_fields' => ['snapshot_hash'],
-                                ],
-                                'baseline' => [
-                                    'policy_id' => $policy->external_id,
-                                    'policy_version_id' => $baselineVersion?->getKey(),
-                                    'snapshot_hash' => $baselineSnapshotHash,
-                                ],
-                                'current' => [
-                                    'policy_id' => $policy->external_id,
-                                    'policy_version_id' => $currentVersion?->getKey(),
-                                    'snapshot_hash' => $currentSnapshotHash,
-                                ],
-                            ];
-
-                            $dimension = $this->recurrenceDimension('policy_snapshot', $changeType);
-                            $wasNew = $this->upsertDriftFinding(
-                                tenant: $tenant,
-                                baseline: $baseline,
-                                current: $current,
-                                scopeKey: $scopeKey,
-                                subjectType: 'policy',
-                                subjectExternalId: (string) $policy->external_id,
-                                severity: $resolvedSeverity,
-                                dimension: $dimension,
-                                rawEvidence: $rawEvidence,
-                                observedAt: $observedAt,
-                                seenRecurrenceKeys: $seenRecurrenceKeys,
-                            );
-
-                            if ($wasNew) {
-                                $created++;
-                            }
-                        }
-                    }
-
-                    if (! $baselineVersion instanceof PolicyVersion || ! $currentVersion instanceof PolicyVersion) {
-                        continue;
-                    }
-
-                    $baselineAssignments = is_array($baselineVersion->assignments) ? $baselineVersion->assignments : [];
-                    $currentAssignments = is_array($currentVersion->assignments) ? $currentVersion->assignments : [];
-
-                    $baselineAssignmentsHash = $this->hasher->hashNormalized($baselineAssignments);
-                    $currentAssignmentsHash = $this->hasher->hashNormalized($currentAssignments);
-
-                    if ($baselineAssignmentsHash !== $currentAssignmentsHash) {
-                        $rawEvidence = [
-                            'change_type' => 'modified',
-                            'summary' => [
-                                'kind' => 'policy_assignments',
-                                'changed_fields' => ['assignments_hash'],
-                            ],
-                            'baseline' => [
-                                'policy_id' => $policy->external_id,
-                                'policy_version_id' => $baselineVersion->getKey(),
-                                'assignments_hash' => $baselineAssignmentsHash,
-                            ],
-                            'current' => [
-                                'policy_id' => $policy->external_id,
-                                'policy_version_id' => $currentVersion->getKey(),
-                                'assignments_hash' => $currentAssignmentsHash,
-                            ],
-                        ];
-
-                        $dimension = $this->recurrenceDimension('policy_assignments', 'modified');
-                        $wasNew = $this->upsertDriftFinding(
-                            tenant: $tenant,
-                            baseline: $baseline,
-                            current: $current,
-                            scopeKey: $scopeKey,
-                            subjectType: 'assignment',
-                            subjectExternalId: (string) $policy->external_id,
-                            severity: $resolvedSeverity,
-                            dimension: $dimension,
-                            rawEvidence: $rawEvidence,
-                            observedAt: $observedAt,
-                            seenRecurrenceKeys: $seenRecurrenceKeys,
-                        );
-
-                        if ($wasNew) {
-                            $created++;
-                        }
-                    }
-
-                    $baselineScopeTagIds = $this->scopeTagsNormalizer->normalizeIdsForHash($baselineVersion->scope_tags);
-                    $currentScopeTagIds = $this->scopeTagsNormalizer->normalizeIdsForHash($currentVersion->scope_tags);
-
-                    if ($baselineScopeTagIds === null || $currentScopeTagIds === null) {
-                        continue;
-                    }
-
-                    $baselineScopeTagsHash = $this->hasher->hashNormalized($baselineScopeTagIds);
-                    $currentScopeTagsHash = $this->hasher->hashNormalized($currentScopeTagIds);
-
-                    if ($baselineScopeTagsHash === $currentScopeTagsHash) {
-                        continue;
-                    }
-
-                    $rawEvidence = [
-                        'change_type' => 'modified',
-                        'summary' => [
-                            'kind' => 'policy_scope_tags',
-                            'changed_fields' => ['scope_tags_hash'],
-                        ],
-                        'baseline' => [
-                            'policy_id' => $policy->external_id,
-                            'policy_version_id' => $baselineVersion->getKey(),
-                            'scope_tags_hash' => $baselineScopeTagsHash,
-                        ],
-                        'current' => [
-                            'policy_id' => $policy->external_id,
-                            'policy_version_id' => $currentVersion->getKey(),
-                            'scope_tags_hash' => $currentScopeTagsHash,
-                        ],
-                    ];
-
-                    $dimension = $this->recurrenceDimension('policy_scope_tags', 'modified');
-                    $wasNew = $this->upsertDriftFinding(
-                        tenant: $tenant,
-                        baseline: $baseline,
-                        current: $current,
-                        scopeKey: $scopeKey,
-                        subjectType: 'scope_tag',
-                        subjectExternalId: (string) $policy->external_id,
-                        severity: $resolvedSeverity,
-                        dimension: $dimension,
-                        rawEvidence: $rawEvidence,
-                        observedAt: $observedAt,
-                        seenRecurrenceKeys: $seenRecurrenceKeys,
-                    );
-
-                    if ($wasNew) {
-                        $created++;
-                    }
-                }
-            });
-
-        $this->resolveStaleDriftFindings(
-            tenant: $tenant,
-            scopeKey: $scopeKey,
-            seenRecurrenceKeys: $seenRecurrenceKeys,
-            observedAt: $observedAt,
-        );
-
-        return $created;
-    }
-
-    private function recurrenceDimension(string $kind, string $changeType): string
-    {
-        $kind = strtolower(trim($kind));
-        $changeType = strtolower(trim($changeType));
-
-        return match ($kind) {
-            'policy_snapshot', 'baseline_compare' => sprintf('%s:%s', $kind, $changeType),
-            default => $kind,
-        };
-    }
-
-    private function recurrenceKey(
-        int $tenantId,
-        string $scopeKey,
-        string $subjectType,
-        string $subjectExternalId,
-        string $dimension,
-    ): string {
-        return hash('sha256', sprintf(
-            'drift:%d:%s:%s:%s:%s',
-            $tenantId,
-            $scopeKey,
-            $subjectType,
-            $subjectExternalId,
-            $dimension,
-        ));
-    }
-
-    /**
-     * @param  array<int, string>  $seenRecurrenceKeys
-     * @param  array<string, mixed>  $rawEvidence
-     */
-    private function upsertDriftFinding(
-        Tenant $tenant,
-        OperationRun $baseline,
-        OperationRun $current,
-        string $scopeKey,
-        string $subjectType,
-        string $subjectExternalId,
-        string $severity,
-        string $dimension,
-        array $rawEvidence,
-        CarbonImmutable $observedAt,
-        array &$seenRecurrenceKeys,
-    ): bool {
-        $tenantId = (int) $tenant->getKey();
-        $recurrenceKey = $this->recurrenceKey($tenantId, $scopeKey, $subjectType, $subjectExternalId, $dimension);
-        $seenRecurrenceKeys[] = $recurrenceKey;
-
-        $finding = Finding::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
-            ->where('recurrence_key', $recurrenceKey)
-            ->first();
-
-        $wasNew = ! $finding instanceof Finding;
-
-        if ($wasNew) {
-            $finding = new Finding;
-        } else {
-            $this->observeFinding($finding, $observedAt, (int) $current->getKey());
-        }
-
-        $finding->forceFill([
-            'tenant_id' => $tenantId,
-            'finding_type' => Finding::FINDING_TYPE_DRIFT,
-            'scope_key' => $scopeKey,
-            'baseline_operation_run_id' => $baseline->getKey(),
-            'current_operation_run_id' => $current->getKey(),
-            'recurrence_key' => $recurrenceKey,
-            'fingerprint' => $recurrenceKey,
-            'subject_type' => $subjectType,
-            'subject_external_id' => $subjectExternalId,
-            'severity' => $severity,
-            'evidence_jsonb' => $this->evidence->sanitize($rawEvidence),
-        ]);
-
-        if ($wasNew) {
-            $slaDays = $this->slaPolicy->daysForSeverity($severity, $tenant);
-
-            $finding->forceFill([
-                'status' => Finding::STATUS_NEW,
-                'acknowledged_at' => null,
-                'acknowledged_by_user_id' => null,
-                'first_seen_at' => $observedAt,
-                'last_seen_at' => $observedAt,
-                'times_seen' => 1,
-                'sla_days' => $slaDays,
-                'due_at' => $this->slaPolicy->dueAtForSeverity($severity, $tenant, $observedAt),
-            ]);
-        }
-
-        $status = (string) $finding->status;
-
-        if ($status === Finding::STATUS_RESOLVED) {
-            $resolvedAt = $finding->resolved_at;
-
-            if ($resolvedAt === null || $observedAt->greaterThan(CarbonImmutable::instance($resolvedAt))) {
-                $slaDays = $this->slaPolicy->daysForSeverity($severity, $tenant);
-
-                $finding->forceFill([
-                    'status' => Finding::STATUS_REOPENED,
-                    'reopened_at' => $observedAt,
-                    'resolved_at' => null,
-                    'resolved_reason' => null,
-                    'closed_at' => null,
-                    'closed_reason' => null,
-                    'closed_by_user_id' => null,
-                    'sla_days' => $slaDays,
-                    'due_at' => $this->slaPolicy->dueAtForSeverity($severity, $tenant, $observedAt),
-                ]);
-            }
-        }
-
-        $finding->save();
-
-        return $wasNew;
-    }
-
-    private function observeFinding(Finding $finding, CarbonImmutable $observedAt, int $currentOperationRunId): void
-    {
-        if ($finding->first_seen_at === null) {
-            $finding->first_seen_at = $observedAt;
-        }
-
-        if ($finding->last_seen_at === null || $observedAt->greaterThan(CarbonImmutable::instance($finding->last_seen_at))) {
-            $finding->last_seen_at = $observedAt;
-        }
-
-        $timesSeen = is_numeric($finding->times_seen) ? (int) $finding->times_seen : 0;
-
-        if ((int) ($finding->current_operation_run_id ?? 0) !== $currentOperationRunId) {
-            $finding->times_seen = max(0, $timesSeen) + 1;
-        } elseif ($timesSeen < 1) {
-            $finding->times_seen = 1;
-        }
-    }
-
-    /**
-     * @param  array<int, string>  $seenRecurrenceKeys
-     */
-    private function resolveStaleDriftFindings(
-        Tenant $tenant,
-        string $scopeKey,
-        array $seenRecurrenceKeys,
-        CarbonImmutable $observedAt,
-    ): void {
-        $staleFindingsQuery = Finding::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
-            ->where('scope_key', $scopeKey)
-            ->whereNotNull('recurrence_key')
-            ->whereIn('status', Finding::openStatusesForQuery());
-
-        if ($seenRecurrenceKeys !== []) {
-            $staleFindingsQuery->whereNotIn('recurrence_key', $seenRecurrenceKeys);
-        }
-
-        $staleFindings = $staleFindingsQuery->get();
-
-        foreach ($staleFindings as $finding) {
-            if (! $finding instanceof Finding) {
-                continue;
-            }
-
-            $finding->forceFill([
-                'status' => Finding::STATUS_RESOLVED,
-                'resolved_at' => $observedAt,
-                'resolved_reason' => 'no_longer_detected',
-            ])->save();
-        }
-    }
-
-    private function versionForRun(Policy $policy, OperationRun $run): ?PolicyVersion
-    {
-        if (! $run->completed_at) {
-            return null;
-        }
-
-        return PolicyVersion::query()
-            ->where('tenant_id', $policy->tenant_id)
-            ->where('policy_id', $policy->getKey())
-            ->where('captured_at', '<=', $run->completed_at)
-            ->latest('captured_at')
-            ->first();
-    }
-
-    private function resolveSeverityForFindingType(Tenant $tenant, string $findingType): string
-    {
-        $workspace = $tenant->workspace;
-
-        if (! $workspace instanceof Workspace && is_numeric($tenant->workspace_id)) {
-            $workspace = Workspace::query()->whereKey((int) $tenant->workspace_id)->first();
-        }
-
-        if (! $workspace instanceof Workspace) {
-            return Finding::SEVERITY_MEDIUM;
-        }
-
-        $resolved = $this->settingsResolver->resolveValue(
-            workspace: $workspace,
-            domain: 'drift',
-            key: 'severity_mapping',
-            tenant: $tenant,
-        );
-
-        if (! is_array($resolved)) {
-            return Finding::SEVERITY_MEDIUM;
-        }
-
-        foreach ($resolved as $mappedFindingType => $mappedSeverity) {
-            if (! is_string($mappedFindingType) || ! is_string($mappedSeverity)) {
-                continue;
-            }
-
-            if ($mappedFindingType !== $findingType) {
-                continue;
-            }
-
-            $normalizedSeverity = strtolower($mappedSeverity);
-
-            if (in_array($normalizedSeverity, $this->supportedSeverities(), true)) {
-                return $normalizedSeverity;
-            }
-
-            break;
-        }
-
-        return Finding::SEVERITY_MEDIUM;
-    }
-
-    /**
-     * @return array<int, string>
-     */
-    private function supportedSeverities(): array
-    {
-        return [
-            Finding::SEVERITY_LOW,
-            Finding::SEVERITY_MEDIUM,
-            Finding::SEVERITY_HIGH,
-            Finding::SEVERITY_CRITICAL,
-        ];
-    }
-}

app/Services/Drift/DriftRunSelector.php

@@ -1,47 +0,0 @@
-<?php
-
-namespace App\Services\Drift;
-
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Support\OperationRunOutcome;
-use App\Support\OperationRunStatus;
-
-class DriftRunSelector
-{
-    /**
-     * @return array{baseline:OperationRun,current:OperationRun}|null
-     */
-    public function selectBaselineAndCurrent(Tenant $tenant, string $scopeKey): ?array
-    {
-        $runs = OperationRun::query()
-            ->where('tenant_id', $tenant->getKey())
-            ->where('type', 'inventory_sync')
-            ->where('status', OperationRunStatus::Completed->value)
-            ->whereIn('outcome', [
-                OperationRunOutcome::Succeeded->value,
-                OperationRunOutcome::PartiallySucceeded->value,
-            ])
-            ->where('context->selection_hash', $scopeKey)
-            ->whereNotNull('completed_at')
-            ->orderByDesc('completed_at')
-            ->limit(2)
-            ->get();
-
-        if ($runs->count() < 2) {
-            return null;
-        }
-
-        $current = $runs->first();
-        $baseline = $runs->last();
-
-        if (! $baseline instanceof OperationRun || ! $current instanceof OperationRun) {
-            return null;
-        }
-
-        return [
-            'baseline' => $baseline,
-            'current' => $current,
-        ];
-    }
-}

app/Services/Drift/DriftScopeKey.php

@@ -1,15 +0,0 @@
-<?php
-
-namespace App\Services\Drift;
-
-use App\Models\OperationRun;
-
-class DriftScopeKey
-{
-    public function fromRun(OperationRun $run): string
-    {
-        $context = is_array($run->context) ? $run->context : [];
-
-        return (string) ($context['selection_hash'] ?? '');
-    }
-}

app/Services/Intune/AuditLogger.php

@@ -1,50 +0,0 @@
-<?php
-
-namespace App\Services\Intune;
-
-use App\Models\AuditLog;
-use App\Models\Tenant;
-use App\Support\Audit\AuditContextSanitizer;
-use Carbon\CarbonImmutable;
-use InvalidArgumentException;
-
-class AuditLogger
-{
-    public function log(
-        Tenant $tenant,
-        string $action,
-        array $context = [],
-        ?int $actorId = null,
-        ?string $actorEmail = null,
-        ?string $actorName = null,
-        string $status = 'success',
-        ?string $resourceType = null,
-        ?string $resourceId = null,
-    ): AuditLog {
-        $metadata = $context['metadata'] ?? [];
-        unset($context['metadata']);
-
-        $metadata = is_array($metadata) ? $metadata : [];
-
-        $sanitizedMetadata = AuditContextSanitizer::sanitize($metadata + $context);
-        $workspaceId = is_numeric($tenant->workspace_id) ? (int) $tenant->workspace_id : null;
-
-        if ($workspaceId === null) {
-            throw new InvalidArgumentException('Tenant-scoped audit events require tenant workspace_id.');
-        }
-
-        return AuditLog::create([
-            'tenant_id' => $tenant->id,
-            'workspace_id' => $workspaceId,
-            'actor_id' => $actorId,
-            'actor_email' => $actorEmail,
-            'actor_name' => $actorName,
-            'action' => $action,
-            'resource_type' => $resourceType,
-            'resource_id' => $resourceId,
-            'status' => $status,
-            'metadata' => $sanitizedMetadata,
-            'recorded_at' => CarbonImmutable::now(),
-        ]);
-    }
-}

app/Services/ReviewPackService.php

@@ -1,153 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Services;
-
-use App\Jobs\GenerateReviewPackJob;
-use App\Models\Finding;
-use App\Models\OperationRun;
-use App\Models\ReviewPack;
-use App\Models\StoredReport;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Support\OperationRunType;
-use App\Support\ReviewPackStatus;
-use Illuminate\Support\Facades\URL;
-
-class ReviewPackService
-{
-    public function __construct(
-        private OperationRunService $operationRunService,
-    ) {}
-
-    /**
-     * Create an OperationRun + ReviewPack and dispatch the generation job.
-     *
-     * @param  array<string, mixed>  $options
-     */
-    public function generate(Tenant $tenant, User $user, array $options = []): ReviewPack
-    {
-        $options = $this->normalizeOptions($options);
-        $fingerprint = $this->computeFingerprint($tenant, $options);
-
-        $existing = $this->findExistingPack($tenant, $fingerprint);
-        if ($existing instanceof ReviewPack) {
-            return $existing;
-        }
-
-        $operationRun = $this->operationRunService->ensureRun(
-            tenant: $tenant,
-            type: OperationRunType::ReviewPackGenerate->value,
-            inputs: [
-                'include_pii' => $options['include_pii'],
-                'include_operations' => $options['include_operations'],
-            ],
-            initiator: $user,
-        );
-
-        $reviewPack = ReviewPack::create([
-            'tenant_id' => (int) $tenant->getKey(),
-            'workspace_id' => (int) $tenant->workspace_id,
-            'operation_run_id' => (int) $operationRun->getKey(),
-            'initiated_by_user_id' => (int) $user->getKey(),
-            'status' => ReviewPackStatus::Queued->value,
-            'options' => $options,
-            'summary' => [],
-        ]);
-
-        $this->operationRunService->dispatchOrFail($operationRun, function () use ($reviewPack, $operationRun): void {
-            GenerateReviewPackJob::dispatch(
-                reviewPackId: (int) $reviewPack->getKey(),
-                operationRunId: (int) $operationRun->getKey(),
-            );
-        });
-
-        return $reviewPack;
-    }
-
-    /**
-     * Compute a deterministic fingerprint for deduplication.
-     *
-     * @param  array<string, mixed>  $options
-     */
-    public function computeFingerprint(Tenant $tenant, array $options): string
-    {
-        $reportFingerprints = StoredReport::query()
-            ->where('tenant_id', (int) $tenant->getKey())
-            ->whereIn('report_type', [
-                StoredReport::REPORT_TYPE_PERMISSION_POSTURE,
-                StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
-            ])
-            ->orderBy('report_type')
-            ->pluck('fingerprint')
-            ->toArray();
-
-        $maxFindingDate = Finding::query()
-            ->where('tenant_id', (int) $tenant->getKey())
-            ->whereIn('status', Finding::openStatusesForQuery())
-            ->max('updated_at');
-
-        $data = [
-            'tenant_id' => (int) $tenant->getKey(),
-            'include_pii' => (bool) ($options['include_pii'] ?? true),
-            'include_operations' => (bool) ($options['include_operations'] ?? true),
-            'report_fingerprints' => $reportFingerprints,
-            'max_finding_date' => $maxFindingDate,
-            'rbac_last_checked_at' => $tenant->rbac_last_checked_at?->toIso8601String(),
-        ];
-
-        return hash('sha256', json_encode($data, JSON_THROW_ON_ERROR));
-    }
-
-    /**
-     * Generate a signed download URL for a review pack.
-     */
-    public function generateDownloadUrl(ReviewPack $pack): string
-    {
-        $ttlMinutes = (int) config('tenantpilot.review_pack.download_url_ttl_minutes', 60);
-
-        return URL::signedRoute(
-            'admin.review-packs.download',
-            ['reviewPack' => $pack->getKey()],
-            now()->addMinutes($ttlMinutes),
-        );
-    }
-
-    /**
-     * Find an existing ready, non-expired pack with the same fingerprint.
-     */
-    public function findExistingPack(Tenant $tenant, string $fingerprint): ?ReviewPack
-    {
-        return ReviewPack::query()
-            ->forTenant((int) $tenant->getKey())
-            ->ready()
-            ->where('fingerprint', $fingerprint)
-            ->where('expires_at', '>', now())
-            ->first();
-    }
-
-    /**
-     * Check if a generation run is currently active for this tenant.
-     */
-    public function checkActiveRun(Tenant $tenant): bool
-    {
-        return OperationRun::query()
-            ->where('tenant_id', (int) $tenant->getKey())
-            ->where('type', OperationRunType::ReviewPackGenerate->value)
-            ->active()
-            ->exists();
-    }
-
-    /**
-     * @param  array<string, mixed>  $options
-     * @return array{include_pii: bool, include_operations: bool}
-     */
-    private function normalizeOptions(array $options): array
-    {
-        return [
-            'include_pii' => (bool) ($options['include_pii'] ?? config('tenantpilot.review_pack.include_pii_default', true)),
-            'include_operations' => (bool) ($options['include_operations'] ?? config('tenantpilot.review_pack.include_operations_default', true)),
-        ];
-    }
-}

app/Support/Audit/AuditActionId.php

@@ -1,66 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Audit;
-
-enum AuditActionId: string
-{
-    case WorkspaceMembershipAdd = 'workspace_membership.add';
-    case WorkspaceMembershipRoleChange = 'workspace_membership.role_change';
-    case WorkspaceMembershipRemove = 'workspace_membership.remove';
-    case WorkspaceMembershipLastOwnerBlocked = 'workspace_membership.last_owner_blocked';
-    case WorkspaceMembershipBreakGlassAssignOwner = 'workspace_membership.break_glass.assign_owner';
-
-    case TenantMembershipAdd = 'tenant_membership.add';
-    case TenantMembershipRoleChange = 'tenant_membership.role_change';
-    case TenantMembershipRemove = 'tenant_membership.remove';
-    case TenantMembershipLastOwnerBlocked = 'tenant_membership.last_owner_blocked';
-
-    // Not part of the v1 contract, but used in codebase.
-    case TenantMembershipBootstrapRecover = 'tenant_membership.bootstrap_recover';
-
-    // Diagnostics / repair actions.
-    case TenantMembershipDuplicatesMerged = 'tenant_membership.duplicates_merged';
-
-    // Managed tenant onboarding wizard.
-    case ManagedTenantOnboardingStart = 'managed_tenant_onboarding.start';
-    case ManagedTenantOnboardingResume = 'managed_tenant_onboarding.resume';
-    case ManagedTenantOnboardingVerificationStart = 'managed_tenant_onboarding.verification_start';
-    case ManagedTenantOnboardingActivation = 'managed_tenant_onboarding.activation';
-    case VerificationCompleted = 'verification.completed';
-    case VerificationCheckAcknowledged = 'verification.check_acknowledged';
-
-    case AlertDestinationCreated = 'alert_destination.created';
-    case AlertDestinationUpdated = 'alert_destination.updated';
-    case AlertDestinationDeleted = 'alert_destination.deleted';
-    case AlertDestinationEnabled = 'alert_destination.enabled';
-    case AlertDestinationDisabled = 'alert_destination.disabled';
-    case AlertDestinationTestRequested = 'alert_destination.test_requested';
-
-    case AlertRuleCreated = 'alert_rule.created';
-    case AlertRuleUpdated = 'alert_rule.updated';
-    case AlertRuleDeleted = 'alert_rule.deleted';
-    case AlertRuleEnabled = 'alert_rule.enabled';
-    case AlertRuleDisabled = 'alert_rule.disabled';
-
-    case WorkspaceSettingUpdated = 'workspace_setting.updated';
-    case WorkspaceSettingReset = 'workspace_setting.reset';
-
-    case BaselineProfileCreated = 'baseline_profile.created';
-    case BaselineProfileUpdated = 'baseline_profile.updated';
-    case BaselineProfileArchived = 'baseline_profile.archived';
-    case BaselineCaptureStarted = 'baseline_capture.started';
-    case BaselineCaptureCompleted = 'baseline_capture.completed';
-    case BaselineCaptureFailed = 'baseline_capture.failed';
-    case BaselineCompareStarted = 'baseline_compare.started';
-    case BaselineCompareCompleted = 'baseline_compare.completed';
-    case BaselineCompareFailed = 'baseline_compare.failed';
-    case BaselineAssignmentCreated = 'baseline_assignment.created';
-    case BaselineAssignmentUpdated = 'baseline_assignment.updated';
-    case BaselineAssignmentDeleted = 'baseline_assignment.deleted';
-
-    // Workspace selection / switch events (Spec 107).
-    case WorkspaceAutoSelected = 'workspace.auto_selected';
-    case WorkspaceSelected = 'workspace.selected';
-}

app/Support/Audit/AuditContextSanitizer.php

@@ -1,66 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Audit;
-
-final class AuditContextSanitizer
-{
-    private const REDACTED = '[REDACTED]';
-
-    public static function sanitize(mixed $value): mixed
-    {
-        if (is_array($value)) {
-            $sanitized = [];
-
-            foreach ($value as $key => $item) {
-                if (is_string($key) && self::shouldRedactKey($key)) {
-                    $sanitized[$key] = self::REDACTED;
-
-                    continue;
-                }
-
-                $sanitized[$key] = self::sanitize($item);
-            }
-
-            return $sanitized;
-        }
-
-        if (is_string($value)) {
-            return self::sanitizeString($value);
-        }
-
-        return $value;
-    }
-
-    private static function shouldRedactKey(string $key): bool
-    {
-        $key = strtolower(trim($key));
-
-        return str_contains($key, 'token')
-            || str_contains($key, 'secret')
-            || str_contains($key, 'password')
-            || str_contains($key, 'authorization')
-            || str_contains($key, 'private_key')
-            || str_contains($key, 'client_secret');
-    }
-
-    private static function sanitizeString(string $value): string
-    {
-        $candidate = trim($value);
-
-        if ($candidate === '') {
-            return $value;
-        }
-
-        if (preg_match('/\bBearer\s+[A-Za-z0-9\-\._~\+\/]+=*\b/i', $candidate)) {
-            return self::REDACTED;
-        }
-
-        if (preg_match('/\b[A-Za-z0-9\-_]{20,}\.[A-Za-z0-9\-_]{20,}\.[A-Za-z0-9\-_]{20,}\b/', $candidate)) {
-            return self::REDACTED;
-        }
-
-        return $value;
-    }
-}

app/Support/Badges/BadgeCatalog.php

@@ -1,130 +0,0 @@
-<?php
-
-namespace App\Support\Badges;
-
-use BackedEnum;
-use Stringable;
-use Throwable;
-
-final class BadgeCatalog
-{
-    /**
-     * @var array<string, class-string<BadgeMapper>>
-     */
-    private const DOMAIN_MAPPERS = [
-        BadgeDomain::OperationRunStatus->value => Domains\OperationRunStatusBadge::class,
-        BadgeDomain::OperationRunOutcome->value => Domains\OperationRunOutcomeBadge::class,
-        BadgeDomain::BackupSetStatus->value => Domains\BackupSetStatusBadge::class,
-        BadgeDomain::RestoreRunStatus->value => Domains\RestoreRunStatusBadge::class,
-        BadgeDomain::RestoreCheckSeverity->value => Domains\RestoreCheckSeverityBadge::class,
-        BadgeDomain::FindingStatus->value => Domains\FindingStatusBadge::class,
-        BadgeDomain::FindingSeverity->value => Domains\FindingSeverityBadge::class,
-        BadgeDomain::BooleanEnabled->value => Domains\BooleanEnabledBadge::class,
-        BadgeDomain::BooleanHasErrors->value => Domains\BooleanHasErrorsBadge::class,
-        BadgeDomain::TenantStatus->value => Domains\TenantStatusBadge::class,
-        BadgeDomain::TenantAppStatus->value => Domains\TenantAppStatusBadge::class,
-        BadgeDomain::TenantRbacStatus->value => Domains\TenantRbacStatusBadge::class,
-        BadgeDomain::TenantPermissionStatus->value => Domains\TenantPermissionStatusBadge::class,
-        BadgeDomain::PolicySnapshotMode->value => Domains\PolicySnapshotModeBadge::class,
-        BadgeDomain::PolicyRestoreMode->value => Domains\PolicyRestoreModeBadge::class,
-        BadgeDomain::PolicyRisk->value => Domains\PolicyRiskBadge::class,
-        BadgeDomain::IgnoredAt->value => Domains\IgnoredAtBadge::class,
-        BadgeDomain::RestorePreviewDecision->value => Domains\RestorePreviewDecisionBadge::class,
-        BadgeDomain::RestoreResultStatus->value => Domains\RestoreResultStatusBadge::class,
-        BadgeDomain::ProviderConnectionStatus->value => Domains\ProviderConnectionStatusBadge::class,
-        BadgeDomain::ProviderConnectionHealth->value => Domains\ProviderConnectionHealthBadge::class,
-        BadgeDomain::ManagedTenantOnboardingVerificationStatus->value => Domains\ManagedTenantOnboardingVerificationStatusBadge::class,
-        BadgeDomain::VerificationCheckStatus->value => Domains\VerificationCheckStatusBadge::class,
-        BadgeDomain::VerificationCheckSeverity->value => Domains\VerificationCheckSeverityBadge::class,
-        BadgeDomain::VerificationReportOverall->value => Domains\VerificationReportOverallBadge::class,
-        BadgeDomain::AlertDeliveryStatus->value => Domains\AlertDeliveryStatusBadge::class,
-        BadgeDomain::AlertDestinationLastTestStatus->value => Domains\AlertDestinationLastTestStatusBadge::class,
-        BadgeDomain::BaselineProfileStatus->value => Domains\BaselineProfileStatusBadge::class,
-        BadgeDomain::FindingType->value => Domains\FindingTypeBadge::class,
-        BadgeDomain::ReviewPackStatus->value => Domains\ReviewPackStatusBadge::class,
-    ];
-
-    /**
-     * @var array<string, BadgeMapper|null>
-     */
-    private static array $mapperCache = [];
-
-    public static function spec(BadgeDomain $domain, mixed $value): BadgeSpec
-    {
-        $mapper = self::mapper($domain);
-
-        if (! $mapper) {
-            return BadgeSpec::unknown();
-        }
-
-        try {
-            return $mapper->spec($value);
-        } catch (Throwable) {
-            return BadgeSpec::unknown();
-        }
-    }
-
-    public static function mapper(BadgeDomain $domain): ?BadgeMapper
-    {
-        $key = $domain->value;
-
-        if (array_key_exists($key, self::$mapperCache)) {
-            return self::$mapperCache[$key];
-        }
-
-        $mapper = self::buildMapper($domain);
-
-        self::$mapperCache[$key] = $mapper;
-
-        return $mapper;
-    }
-
-    public static function normalizeState(mixed $value): ?string
-    {
-        if ($value === null) {
-            return null;
-        }
-
-        if ($value instanceof BackedEnum) {
-            $value = $value->value;
-        }
-
-        if ($value instanceof Stringable) {
-            $value = (string) $value;
-        }
-
-        if (is_bool($value)) {
-            return $value ? 'true' : 'false';
-        }
-
-        if (is_int($value) || is_float($value)) {
-            return (string) $value;
-        }
-
-        if (! is_string($value)) {
-            return null;
-        }
-
-        $normalized = strtolower(trim($value));
-        $normalized = str_replace([' ', '-'], '_', $normalized);
-
-        return $normalized === '' ? null : $normalized;
-    }
-
-    private static function buildMapper(BadgeDomain $domain): ?BadgeMapper
-    {
-        $mapperClass = self::DOMAIN_MAPPERS[$domain->value] ?? null;
-
-        if (! $mapperClass) {
-            return null;
-        }
-
-        if (! class_exists($mapperClass)) {
-            return null;
-        }
-
-        $mapper = new $mapperClass;
-
-        return $mapper instanceof BadgeMapper ? $mapper : null;
-    }
-}

app/Support/Badges/BadgeDomain.php

@@ -1,37 +0,0 @@
-<?php
-
-namespace App\Support\Badges;
-
-enum BadgeDomain: string
-{
-    case OperationRunStatus = 'operation_run_status';
-    case OperationRunOutcome = 'operation_run_outcome';
-    case BackupSetStatus = 'backup_set_status';
-    case RestoreRunStatus = 'restore_run_status';
-    case RestoreCheckSeverity = 'restore_check_severity';
-    case FindingStatus = 'finding_status';
-    case FindingSeverity = 'finding_severity';
-    case BooleanEnabled = 'boolean_enabled';
-    case BooleanHasErrors = 'boolean_has_errors';
-    case TenantStatus = 'tenant_status';
-    case TenantAppStatus = 'tenant_app_status';
-    case TenantRbacStatus = 'tenant_rbac_status';
-    case TenantPermissionStatus = 'tenant_permission_status';
-    case PolicySnapshotMode = 'policy_snapshot_mode';
-    case PolicyRestoreMode = 'policy_restore_mode';
-    case PolicyRisk = 'policy_risk';
-    case IgnoredAt = 'ignored_at';
-    case RestorePreviewDecision = 'restore_preview_decision';
-    case RestoreResultStatus = 'restore_result_status';
-    case ProviderConnectionStatus = 'provider_connection.status';
-    case ProviderConnectionHealth = 'provider_connection.health';
-    case ManagedTenantOnboardingVerificationStatus = 'managed_tenant_onboarding.verification_status';
-    case VerificationCheckStatus = 'verification_check_status';
-    case VerificationCheckSeverity = 'verification_check_severity';
-    case VerificationReportOverall = 'verification_report_overall';
-    case AlertDeliveryStatus = 'alert_delivery_status';
-    case AlertDestinationLastTestStatus = 'alert_destination_last_test_status';
-    case BaselineProfileStatus = 'baseline_profile_status';
-    case FindingType = 'finding_type';
-    case ReviewPackStatus = 'review_pack_status';
-}

app/Support/Badges/BadgeSpec.php

@@ -1,61 +0,0 @@
-<?php
-
-namespace App\Support\Badges;
-
-use InvalidArgumentException;
-
-final class BadgeSpec
-{
-    /**
-     * @var array<int, string>
-     */
-    private const ALLOWED_COLORS = [
-        'gray',
-        'info',
-        'success',
-        'warning',
-        'danger',
-        'primary',
-    ];
-
-    public function __construct(
-        public readonly string $label,
-        public readonly string $color,
-        public readonly ?string $icon = null,
-        public readonly ?string $iconColor = null,
-    ) {
-        if (trim($this->label) === '') {
-            throw new InvalidArgumentException('BadgeSpec label must be a non-empty string.');
-        }
-
-        if (! in_array($this->color, self::ALLOWED_COLORS, true)) {
-            throw new InvalidArgumentException('BadgeSpec color must be one of: '.implode(', ', self::ALLOWED_COLORS));
-        }
-
-        if ($this->icon !== null && trim($this->icon) === '') {
-            throw new InvalidArgumentException('BadgeSpec icon must be null or a non-empty string.');
-        }
-
-        if ($this->iconColor !== null && ! in_array($this->iconColor, self::ALLOWED_COLORS, true)) {
-            throw new InvalidArgumentException('BadgeSpec iconColor must be null or one of: '.implode(', ', self::ALLOWED_COLORS));
-        }
-    }
-
-    /**
-     * @return array<int, string>
-     */
-    public static function allowedColors(): array
-    {
-        return self::ALLOWED_COLORS;
-    }
-
-    public static function unknown(): self
-    {
-        return new self(
-            label: 'Unknown',
-            color: 'gray',
-            icon: 'heroicon-m-question-mark-circle',
-            iconColor: 'gray',
-        );
-    }
-}

app/Support/Badges/Domains/BaselineProfileStatusBadge.php

@@ -1,25 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Badges\Domains;
-
-use App\Models\BaselineProfile;
-use App\Support\Badges\BadgeCatalog;
-use App\Support\Badges\BadgeMapper;
-use App\Support\Badges\BadgeSpec;
-
-final class BaselineProfileStatusBadge implements BadgeMapper
-{
-    public function spec(mixed $value): BadgeSpec
-    {
-        $state = BadgeCatalog::normalizeState($value);
-
-        return match ($state) {
-            BaselineProfile::STATUS_DRAFT => new BadgeSpec('Draft', 'gray', 'heroicon-m-pencil-square'),
-            BaselineProfile::STATUS_ACTIVE => new BadgeSpec('Active', 'success', 'heroicon-m-check-circle'),
-            BaselineProfile::STATUS_ARCHIVED => new BadgeSpec('Archived', 'warning', 'heroicon-m-archive-box'),
-            default => BadgeSpec::unknown(),
-        };
-    }
-}

app/Support/Badges/Domains/OperationRunOutcomeBadge.php

@@ -1,26 +0,0 @@
-<?php
-
-namespace App\Support\Badges\Domains;
-
-use App\Support\Badges\BadgeCatalog;
-use App\Support\Badges\BadgeMapper;
-use App\Support\Badges\BadgeSpec;
-use App\Support\OperationRunOutcome;
-
-final class OperationRunOutcomeBadge implements BadgeMapper
-{
-    public function spec(mixed $value): BadgeSpec
-    {
-        $state = BadgeCatalog::normalizeState($value);
-
-        return match ($state) {
-            OperationRunOutcome::Pending->value => new BadgeSpec('Pending', 'gray', 'heroicon-m-clock'),
-            OperationRunOutcome::Succeeded->value => new BadgeSpec('Succeeded', 'success', 'heroicon-m-check-circle'),
-            OperationRunOutcome::PartiallySucceeded->value => new BadgeSpec('Partially succeeded', 'warning', 'heroicon-m-exclamation-triangle'),
-            OperationRunOutcome::Blocked->value => new BadgeSpec('Blocked', 'warning', 'heroicon-m-no-symbol'),
-            OperationRunOutcome::Failed->value => new BadgeSpec('Failed', 'danger', 'heroicon-m-x-circle'),
-            OperationRunOutcome::Cancelled->value => new BadgeSpec('Cancelled', 'gray', 'heroicon-m-minus-circle'),
-            default => BadgeSpec::unknown(),
-        };
-    }
-}

app/Support/Badges/Domains/OperationRunStatusBadge.php

@@ -1,23 +0,0 @@
-<?php
-
-namespace App\Support\Badges\Domains;
-
-use App\Support\Badges\BadgeCatalog;
-use App\Support\Badges\BadgeMapper;
-use App\Support\Badges\BadgeSpec;
-use App\Support\OperationRunStatus;
-
-final class OperationRunStatusBadge implements BadgeMapper
-{
-    public function spec(mixed $value): BadgeSpec
-    {
-        $state = BadgeCatalog::normalizeState($value);
-
-        return match ($state) {
-            OperationRunStatus::Queued->value => new BadgeSpec('Queued', 'warning', 'heroicon-m-clock'),
-            OperationRunStatus::Running->value => new BadgeSpec('Running', 'info', 'heroicon-m-arrow-path'),
-            OperationRunStatus::Completed->value => new BadgeSpec('Completed', 'gray', 'heroicon-m-check-circle'),
-            default => BadgeSpec::unknown(),
-        };
-    }
-}

app/Support/Badges/Domains/ProviderConnectionStatusBadge.php

@@ -1,23 +0,0 @@
-<?php
-
-namespace App\Support\Badges\Domains;
-
-use App\Support\Badges\BadgeCatalog;
-use App\Support\Badges\BadgeMapper;
-use App\Support\Badges\BadgeSpec;
-
-final class ProviderConnectionStatusBadge implements BadgeMapper
-{
-    public function spec(mixed $value): BadgeSpec
-    {
-        $state = BadgeCatalog::normalizeState($value);
-
-        return match ($state) {
-            'connected' => new BadgeSpec('Connected', 'success', 'heroicon-m-check-circle'),
-            'needs_consent' => new BadgeSpec('Needs consent', 'warning', 'heroicon-m-exclamation-triangle'),
-            'error' => new BadgeSpec('Error', 'danger', 'heroicon-m-x-circle'),
-            'disabled' => new BadgeSpec('Disabled', 'gray', 'heroicon-m-minus-circle'),
-            default => BadgeSpec::unknown(),
-        };
-    }
-}

app/Support/Badges/Domains/RestoreCheckSeverityBadge.php

@@ -1,22 +0,0 @@
-<?php
-
-namespace App\Support\Badges\Domains;
-
-use App\Support\Badges\BadgeCatalog;
-use App\Support\Badges\BadgeMapper;
-use App\Support\Badges\BadgeSpec;
-
-final class RestoreCheckSeverityBadge implements BadgeMapper
-{
-    public function spec(mixed $value): BadgeSpec
-    {
-        $state = BadgeCatalog::normalizeState($value);
-
-        return match ($state) {
-            'blocking' => new BadgeSpec('Blocking', 'danger', 'heroicon-m-x-circle'),
-            'warning' => new BadgeSpec('Warning', 'warning', 'heroicon-m-exclamation-triangle'),
-            'safe' => new BadgeSpec('Safe', 'success', 'heroicon-m-check-circle'),
-            default => BadgeSpec::unknown(),
-        };
-    }
-}

app/Support/Badges/Domains/RestoreResultStatusBadge.php

@@ -1,26 +0,0 @@
-<?php
-
-namespace App\Support\Badges\Domains;
-
-use App\Support\Badges\BadgeCatalog;
-use App\Support\Badges\BadgeMapper;
-use App\Support\Badges\BadgeSpec;
-
-final class RestoreResultStatusBadge implements BadgeMapper
-{
-    public function spec(mixed $value): BadgeSpec
-    {
-        $state = BadgeCatalog::normalizeState($value);
-
-        return match ($state) {
-            'applied' => new BadgeSpec('Applied', 'success', 'heroicon-m-check-circle'),
-            'dry_run' => new BadgeSpec('Dry run', 'info', 'heroicon-m-arrow-path'),
-            'mapped' => new BadgeSpec('Mapped', 'success', 'heroicon-m-check-circle'),
-            'skipped' => new BadgeSpec('Skipped', 'warning', 'heroicon-m-minus-circle'),
-            'partial' => new BadgeSpec('Partial', 'warning', 'heroicon-m-exclamation-triangle'),
-            'manual_required' => new BadgeSpec('Manual required', 'warning', 'heroicon-m-exclamation-triangle'),
-            'failed' => new BadgeSpec('Failed', 'danger', 'heroicon-m-x-circle'),
-            default => BadgeSpec::unknown(),
-        };
-    }
-}

app/Support/Badges/Domains/RestoreRunStatusBadge.php

@@ -1,33 +0,0 @@
-<?php
-
-namespace App\Support\Badges\Domains;
-
-use App\Support\Badges\BadgeCatalog;
-use App\Support\Badges\BadgeMapper;
-use App\Support\Badges\BadgeSpec;
-use App\Support\RestoreRunStatus;
-
-final class RestoreRunStatusBadge implements BadgeMapper
-{
-    public function spec(mixed $value): BadgeSpec
-    {
-        $state = BadgeCatalog::normalizeState($value);
-
-        return match ($state) {
-            RestoreRunStatus::Draft->value => new BadgeSpec('Draft', 'gray', 'heroicon-m-minus-circle'),
-            RestoreRunStatus::Scoped->value => new BadgeSpec('Scoped', 'gray', 'heroicon-m-minus-circle'),
-            RestoreRunStatus::Checked->value => new BadgeSpec('Checked', 'gray', 'heroicon-m-minus-circle'),
-            RestoreRunStatus::Previewed->value => new BadgeSpec('Previewed', 'gray', 'heroicon-m-minus-circle'),
-            RestoreRunStatus::Pending->value => new BadgeSpec('Pending', 'warning', 'heroicon-m-clock'),
-            RestoreRunStatus::Queued->value => new BadgeSpec('Queued', 'warning', 'heroicon-m-clock'),
-            RestoreRunStatus::Running->value => new BadgeSpec('Running', 'info', 'heroicon-m-arrow-path'),
-            RestoreRunStatus::Completed->value => new BadgeSpec('Completed', 'success', 'heroicon-m-check-circle'),
-            RestoreRunStatus::Partial->value => new BadgeSpec('Partial', 'warning', 'heroicon-m-exclamation-triangle'),
-            RestoreRunStatus::Failed->value => new BadgeSpec('Failed', 'danger', 'heroicon-m-x-circle'),
-            RestoreRunStatus::Cancelled->value => new BadgeSpec('Cancelled', 'gray', 'heroicon-m-minus-circle'),
-            RestoreRunStatus::Aborted->value => new BadgeSpec('Aborted', 'gray', 'heroicon-m-minus-circle'),
-            RestoreRunStatus::CompletedWithErrors->value => new BadgeSpec('Completed with errors', 'warning', 'heroicon-m-exclamation-triangle'),
-            default => BadgeSpec::unknown(),
-        };
-    }
-}

app/Support/Badges/Domains/TenantStatusBadge.php

@@ -1,25 +0,0 @@
-<?php
-
-namespace App\Support\Badges\Domains;
-
-use App\Support\Badges\BadgeCatalog;
-use App\Support\Badges\BadgeMapper;
-use App\Support\Badges\BadgeSpec;
-
-final class TenantStatusBadge implements BadgeMapper
-{
-    public function spec(mixed $value): BadgeSpec
-    {
-        $state = BadgeCatalog::normalizeState($value);
-
-        return match ($state) {
-            'pending' => new BadgeSpec('Pending', 'warning', 'heroicon-m-clock'),
-            'active' => new BadgeSpec('Active', 'success', 'heroicon-m-check-circle'),
-            'inactive' => new BadgeSpec('Inactive', 'gray', 'heroicon-m-minus-circle'),
-            'archived' => new BadgeSpec('Archived', 'gray', 'heroicon-m-minus-circle'),
-            'suspended' => new BadgeSpec('Suspended', 'warning', 'heroicon-m-exclamation-triangle'),
-            'error' => new BadgeSpec('Error', 'danger', 'heroicon-m-x-circle'),
-            default => BadgeSpec::unknown(),
-        };
-    }
-}

app/Support/Baselines/BaselineReasonCodes.php

@@ -1,24 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Baselines;
-
-/**
- * Stable reason codes for 422 precondition failures.
- *
- * These codes are returned in the response body when a baseline operation
- * cannot start due to unmet preconditions. No OperationRun is created.
- */
-final class BaselineReasonCodes
-{
-    public const string CAPTURE_MISSING_SOURCE_TENANT = 'baseline.capture.missing_source_tenant';
-
-    public const string CAPTURE_PROFILE_NOT_ACTIVE = 'baseline.capture.profile_not_active';
-
-    public const string COMPARE_NO_ASSIGNMENT = 'baseline.compare.no_assignment';
-
-    public const string COMPARE_PROFILE_NOT_ACTIVE = 'baseline.compare.profile_not_active';
-
-    public const string COMPARE_NO_ACTIVE_SNAPSHOT = 'baseline.compare.no_active_snapshot';
-}

app/Support/Baselines/BaselineScope.php

@@ -1,113 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Baselines;
-
-/**
- * Value object for baseline scope resolution.
- *
- * A scope defines which policy types are included in a baseline profile.
- * An empty policy_types array means "all types" (no filter).
- */
-final class BaselineScope
-{
-    /**
-     * @param  array<string>  $policyTypes
-     */
-    public function __construct(
-        public readonly array $policyTypes = [],
-    ) {}
-
-    /**
-     * Create from the scope_jsonb column value.
-     *
-     * @param  array<string, mixed>|null  $scopeJsonb
-     */
-    public static function fromJsonb(?array $scopeJsonb): self
-    {
-        if ($scopeJsonb === null) {
-            return new self;
-        }
-
-        $policyTypes = $scopeJsonb['policy_types'] ?? [];
-
-        return new self(
-            policyTypes: is_array($policyTypes) ? array_values(array_filter($policyTypes, 'is_string')) : [],
-        );
-    }
-
-    /**
-     * Normalize the effective scope by intersecting profile scope with an optional override.
-     *
-     * Override can only narrow the profile scope (subset enforcement).
-     * If the profile scope is empty (all types), the override becomes the effective scope.
-     * If the override is empty or null, the profile scope is used as-is.
-     */
-    public static function effective(self $profileScope, ?self $overrideScope): self
-    {
-        if ($overrideScope === null || $overrideScope->isEmpty()) {
-            return $profileScope;
-        }
-
-        if ($profileScope->isEmpty()) {
-            return $overrideScope;
-        }
-
-        $intersected = array_values(array_intersect($profileScope->policyTypes, $overrideScope->policyTypes));
-
-        return new self(policyTypes: $intersected);
-    }
-
-    /**
-     * An empty scope means "all types".
-     */
-    public function isEmpty(): bool
-    {
-        return $this->policyTypes === [];
-    }
-
-    /**
-     * Check if a policy type is included in this scope.
-     */
-    public function includes(string $policyType): bool
-    {
-        if ($this->isEmpty()) {
-            return true;
-        }
-
-        return in_array($policyType, $this->policyTypes, true);
-    }
-
-    /**
-     * Validate that override is a subset of the profile scope.
-     */
-    public static function isValidOverride(self $profileScope, self $overrideScope): bool
-    {
-        if ($overrideScope->isEmpty()) {
-            return true;
-        }
-
-        if ($profileScope->isEmpty()) {
-            return true;
-        }
-
-        foreach ($overrideScope->policyTypes as $type) {
-            if (! in_array($type, $profileScope->policyTypes, true)) {
-                return false;
-            }
-        }
-
-        return true;
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    public function toJsonb(): array
-    {
-        return [
-            'policy_types' => $this->policyTypes,
-        ];
-    }
-}

app/Support/Inventory/InventoryKpiBadges.php

@@ -1,46 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Inventory;
-
-use Illuminate\Support\Facades\Blade;
-
-class InventoryKpiBadges
-{
-    public static function coverage(int $restorableCount, int $partialCount): string
-    {
-        return Blade::render(<<<'BLADE'
-            <div class="flex items-center gap-2">
-                <x-filament::badge color="success" size="sm">
-                    Restorable {{ $restorableCount }}
-                </x-filament::badge>
-
-                <x-filament::badge color="warning" size="sm">
-                    Partial {{ $partialCount }}
-                </x-filament::badge>
-            </div>
-            BLADE, [
-            'restorableCount' => $restorableCount,
-            'partialCount' => $partialCount,
-        ]);
-    }
-
-    public static function inventoryOps(int $dependenciesCount, int $riskCount): string
-    {
-        return Blade::render(<<<'BLADE'
-            <div class="flex items-center gap-2">
-                <x-filament::badge color="gray" size="sm">
-                    Dependencies {{ $dependenciesCount }}
-                </x-filament::badge>
-
-                <x-filament::badge color="danger" size="sm">
-                    Risk {{ $riskCount }}
-                </x-filament::badge>
-            </div>
-            BLADE, [
-            'dependenciesCount' => $dependenciesCount,
-            'riskCount' => $riskCount,
-        ]);
-    }
-}