feat: implement spec 169 action surface contract v1.1 (#200)

## Summary
- implement the Action Surface Contract v1.1 runtime changes for Spec 169
- add the new explicit ActionSurfaceType contract, validator/discovery updates, and enrolled surface declarations
- update Filament action-surface documentation, focused guard tests, and spec artifacts for the completed feature

## Included
- clickable-row vs explicit-inspect enforcement across monitoring, reporting, CRUD, and system reference surfaces
- helper-first, workflow-next, destructive-last overflow ordering checks
- system panel list discovery in the primary action-surface validator
- Spec 169 artifacts: spec, plan, tasks, research, data model, quickstart, and logical contract

## Verification
- focused Pest verification pack completed for:
  - tests/Feature/Guards/ActionSurfaceValidatorTest.php
  - tests/Feature/Guards/ActionSurfaceContractTest.php
  - tests/Feature/Rbac/TenantActionSurfaceConsistencyTest.php
- integrated browser smoke test completed for admin-side reference surfaces:
  - /admin/operations
  - /admin/audit-log
  - /admin/finding-exceptions/queue
  - /admin/reviews
  - /admin/tenants

## Notes
- system panel browser smoke coverage could not be exercised in the same session because /system routes require platform authentication in the integrated browser
- Livewire target remains v4-compliant and no provider registration or asset strategy changes are introduced by this PR

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #200

.codex/prompts/tenantpilot.audit.md

@@ -0,0 +1,76 @@
+---
+description: Scan the TenantPilot repository for architecture and safety violations against the workspace-first, RBAC-first, audit-first governance model.
+---
+
+You are a Senior Staff Engineer and Enterprise SaaS Architecture Auditor reviewing TenantPilot / TenantAtlas.
+
+This is not a generic code review. Audit the repository against the TenantPilot audit constitution at `docs/audits/tenantpilot-architecture-audit-constitution.md`.
+
+## Audit focus
+
+Prioritize:
+
+- workspace and tenant isolation
+- route model binding safety
+- Filament resources, pages, relation managers, widgets, and actions
+- Livewire public properties and serialized state risks
+- jobs, queue boundaries, and backend authorization rechecks
+- provider access boundaries
+- `OperationRun` consistency
+- findings, exceptions, review, drift, and baseline workflow integrity
+- audit trail completeness
+- wrong-tenant regression coverage
+- unauthorized action coverage
+- workflow misuse and invalid transition coverage
+
+## Output rules
+
+Classify every finding as exactly one of:
+
+- Constitutional Violation
+- Architectural Drift
+- Workflow Trust Gap
+- Test Blind Spot
+
+Assign one severity:
+
+- Severity 1: Critical
+- Severity 2: High
+- Severity 3: Medium
+- Severity 4: Low
+
+Anything directly touching isolation, RBAC, secrets, or auditability must not be rated Low.
+
+For each finding provide:
+
+1. Title
+2. Classification
+3. Severity
+4. Affected Area
+5. Evidence with specific files, classes, methods, routes, or test gaps
+6. Why this matters in TenantPilot
+7. Recommended structural correction
+8. Delivery recommendation: `hotfix`, `follow-up refactor`, or `dedicated spec required`
+
+## Constraints
+
+- Do not praise the codebase.
+- Do not focus on style unless it affects architecture or safety.
+- Do not suggest random patterns without proving fit.
+- Group multiple symptoms under one deeper diagnosis when appropriate.
+- Be explicit when a local fix is insufficient and a dedicated spec is required.
+
+## Repository context
+
+TenantPilot is an enterprise SaaS product for Intune and Microsoft 365 governance, backup, restore, inventory, drift detection, findings, exceptions, operations, and auditability.
+
+The strategic priorities are:
+
+- workspace-first context modeling
+- capability-first RBAC
+- strong auditability
+- deterministic workflow semantics
+- provider access through canonical boundaries
+- minimal duplication of domain logic across UI surfaces
+
+Return the audit as a concise but substantive findings report.

.codex/prompts/tenantpilot.spec-candidates.md

@@ -0,0 +1,104 @@
+---
+description: Turn TenantPilot architecture audit findings into bounded spec candidates without colliding with active spec numbering.
+---
+
+You are a Senior Staff Engineer and Enterprise SaaS Architect working on TenantPilot / TenantAtlas.
+
+Your task is to produce spec candidates, not implementation code.
+
+Before writing anything, read and use these repository files as binding context:
+
+- `docs/audits/tenantpilot-architecture-audit-constitution.md`
+- `docs/audits/2026-03-15-audit-spec-candidates.md`
+- `specs/110-ops-ux-enforcement/spec.md`
+- `specs/111-findings-workflow-sla/spec.md`
+- `specs/134-audit-log-foundation/spec.md`
+- `specs/138-managed-tenant-onboarding-draft-identity/spec.md`
+
+## Goal
+
+Turn the existing audit-derived problem clusters into exactly four proposed follow-up spec candidates.
+
+The four candidate themes are:
+
+1. queued execution reauthorization and scope continuity
+2. tenant-owned query canon and wrong-tenant guards
+3. findings workflow enforcement and audit backstop
+4. Livewire context locking and trusted-state reduction
+
+## Numbering rule
+
+- Do not invent or reserve fixed spec numbers unless the current repository state proves they are available.
+- If numbering is uncertain, use `Candidate A`, `Candidate B`, `Candidate C`, and `Candidate D`.
+- Only recommend a numbering strategy; do not force numbering in the output when collisions are possible.
+
+## Output requirements
+
+Create exactly four spec candidates, one per problem class.
+
+For each candidate provide:
+
+1. Candidate label or confirmed spec number
+2. Working title
+3. Status: `Proposed`
+4. Summary
+5. Why this is needed now
+6. Boundary to existing specs
+7. Problem statement
+8. Goals
+9. Non-goals
+10. Scope
+11. Target model
+12. Key requirements
+13. Risks if not implemented
+14. Dependencies and sequencing notes
+15. Delivery recommendation: `hotfix`, `dedicated spec`, or `phased spec`
+16. Suggested implementation priority: `Critical`, `High`, or `Medium`
+17. Suggested slug
+
+At the end provide:
+
+A. Recommended implementation order
+B. Which candidates can run in parallel
+C. Which candidate should start first and why
+D. A numbering strategy recommendation if active spec numbers are not yet known
+
+## Writing rules
+
+- Write in English.
+- Use formal enterprise spec language.
+- Be concrete and opinionated.
+- Focus on structural integrity, not patch-level fixes.
+- Treat the audit constitution as binding.
+- Explicitly say when UI-only authorization is insufficient.
+- Explicitly say when Livewire public state must be treated as untrusted input.
+- Explicitly say when negative-path regression tests are required.
+- Explicitly say when `OperationRun` or audit semantics must be extended or hardened.
+- Do not duplicate adjacent specs; state the boundary clearly.
+- Do not collapse all four themes into one umbrella spec.
+
+## Candidate-specific direction
+
+### Candidate A — queued execution reauthorization and scope continuity
+
+- Treat this as an execution trust problem, not a simple `authorize()` omission.
+- Cover dispatch-time actor and context capture, handle-time scope revalidation, capability reauthorization, execution denial semantics, and audit visibility.
+- Define what happens when authorization or tenant operability changes between dispatch and execution.
+
+### Candidate B — tenant-owned query canon and wrong-tenant guards
+
+- Treat this as canonical data-access hardening.
+- Cover tenant-owned and workspace-owned query rules, route model binding safety, canonical query paths, anti-pattern elimination, and required wrong-tenant regression tests.
+- Focus on ownership enforcement, not generic repository-pattern advice.
+
+### Candidate C — findings workflow enforcement and audit backstop
+
+- Treat this as a workflow-truth problem.
+- Cover formal lifecycle enforcement, invalid transition prevention, reopen and recurrence semantics, and audit backstop requirements.
+- Make clear how this extends but does not duplicate Spec 111.
+
+### Candidate D — Livewire context locking and trusted-state reduction
+
+- Treat this as a UI/server trust-boundary hardening problem.
+- Cover locked identifiers, untrusted public state, server-side reconstruction of workflow truth, sensitive-state reduction, and misuse regression tests.
+- Make clear how this complements but does not duplicate Spec 138.

.github/agents/copilot-instructions.md

@@ -63,6 +63,61 @@ ## Active Technologies
 - PostgreSQL via Laravel Sail plus existing workspace and tenant context, existing Eloquent relations, and provider-derived identifiers already stored in domain records (132-guid-context-resolver)
 - PostgreSQL via Laravel Sail; no schema change expected (133-detail-page-template)
 - PostgreSQL via Laravel Sail; existing `audit_logs` table expanded in place; JSON context payload remains application-shaped rather than raw archival payloads (134-audit-log-foundation)
+- PHP 8.4 on Laravel 12 + Filament v5, Livewire v4, Pest v4, Laravel Sail (135-canonical-tenant-context-resolution)
+- PostgreSQL application database (135-canonical-tenant-context-resolution)
+- PostgreSQL application database and session-backed Filament table state (136-admin-canonical-tenant)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Laravel Sail, Pest v4, PHPUnit v12 (137-platform-provider-identity)
+- PostgreSQL via Laravel migrations and encrypted model casts (137-platform-provider-identity)
+- PHP 8.4 (Laravel 12) + Filament v5 (Livewire v4), Laravel Blade, existing onboarding/verification support classes (139-verify-access-permissions-assist)
+- PostgreSQL; existing JSON-backed onboarding draft state and `OperationRun.context.verification_report` (139-verify-access-permissions-assist)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, PostgreSQL, Laravel Sail, Pest v4, existing `OperationRunService`, `ProviderOperationStartGate`, onboarding services, workspace audit logging (140-onboarding-lifecycle-operation-checkpoints-concurrency-mvp)
+- PostgreSQL tables including `managed_tenant_onboarding_sessions`, `operation_runs`, `tenants`, and provider-connection-backed tenant records (140-onboarding-lifecycle-operation-checkpoints-concurrency-mvp)
+- PostgreSQL via Laravel Sail for existing source records and JSON payloads; no new persistence introduced (141-shared-diff-presentation-foundation)
+- PHP 8.4.15 / Laravel 12 + Filament v5, Livewire v4.0+, Tailwind CSS v4, shared `App\Support\Diff` foundation from Spec 141 (142-rbac-role-definition-diff-ux-upgrade)
+- PostgreSQL via Laravel Sail for existing `findings.evidence_jsonb`; no schema or persistence changes (142-rbac-role-definition-diff-ux-upgrade)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4 (143-tenant-lifecycle-operability-context-semantics)
+- PostgreSQL via Laravel Eloquent models and workspace/tenant scoped tables (143-tenant-lifecycle-operability-context-semantics)
+- PHP 8.4 (Laravel 12) + Filament v5, Livewire v4, Laravel Gates and Policies, `OperateHubShell`, `OperationRunLinks` (144-canonical-operation-viewer-context-decoupling)
+- PostgreSQL plus session-backed workspace and remembered tenant context (no schema changes) (144-canonical-operation-viewer-context-decoupling)
+- PHP 8.4.15 with Laravel 12, Filament v5, Livewire v4.0+ + Filament Actions/Tables/Infolists, Laravel Gates/Policies, `UiEnforcement`, `WorkspaceUiEnforcement`, `ActionSurfaceDeclaration`, `BadgeCatalog`, `TenantOperabilityService`, `OnboardingLifecycleService` (145-tenant-action-taxonomy-lifecycle-safe-visibility)
+- PostgreSQL for tenants, onboarding sessions, audit logs, operation runs, and workspace membership data (145-tenant-action-taxonomy-lifecycle-safe-visibility)
+- PostgreSQL (existing tenant and operation records only; no schema changes planned) (146-central-tenant-status-presentation)
+- PostgreSQL plus existing session-backed workspace and remembered-tenant context; no schema change planned (147-tenant-selector-remembered-context-enforcement)
+- PHP 8.4.15 + Laravel 12, Filament 5, Livewire 4, Pest 4, existing support-layer helpers such as `UiEnforcement`, `CapabilityResolver`, `WorkspaceContext`, `OperateHubShell`, `TenantOperabilityService`, and `TenantActionPolicySurface` (148-central-tenant-operability-policy)
+- PostgreSQL plus existing session-backed workspace and remembered-tenant context; no schema change planned for the first implementation slice (148-central-tenant-operability-policy)
+- PHP 8.4.15 + Laravel 12, Filament 5, Livewire 4, Pest 4, existing `OperationRunService`, `TrackOperationRun`, `ProviderOperationStartGate`, `TenantOperabilityService`, `CapabilityResolver`, and `WriteGateInterface` seams (149-queued-execution-reauthorization)
+- PostgreSQL-backed application data plus queue-serialized `OperationRun` context; no schema migration planned for the first implementation slice (149-queued-execution-reauthorization)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, PostgreSQL, Pest 4 (150-tenant-owned-query-canon-and-wrong-tenant-guards)
+- PostgreSQL with existing `findings` and `audit_logs` tables; no new storage engine or external log store (151-findings-workflow-backstop)
+- PostgreSQL with existing workspace-, tenant-, onboarding-, and audit-related tables; no new persistent storage planned for the first slice (152-livewire-context-locking)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `StoredReport`, `Finding`, `OperationRun`, and `AuditLog` infrastructure (153-evidence-domain-foundation)
+- PostgreSQL with JSONB-backed snapshot metadata; existing private storage remains a downstream-consumer concern, not a primary evidence-foundation store (153-evidence-domain-foundation)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing Finding, AuditLog, EvidenceSnapshot, CapabilityResolver, WorkspaceCapabilityResolver, and UiEnforcement patterns (001-finding-risk-acceptance)
+- PostgreSQL with new tenant-owned exception tables and JSONB-backed supporting metadata (001-finding-risk-acceptance)
+- PHP 8.4, Laravel 12, Livewire 4, Filament 5 + Filament resources/pages/actions, Eloquent models, queued Laravel jobs, existing `EvidenceSnapshotService`, existing `ReviewPackService`, capability registry, `OperationRunService` (155-tenant-review-layer)
+- PostgreSQL with JSONB-backed summary payloads and tenant/workspace ownership columns (155-tenant-review-layer)
+- PostgreSQL-backed existing domain records; no new business-domain table is required for the first slice; shared taxonomy reference will live in repository documentation and code-level metadata (156-operator-outcome-taxonomy)
+- PostgreSQL-backed existing records such as `operation_runs`, tenant governance records, onboarding workflow state, and provider connection state; no new business-domain table is required for the first slice (157-reason-code-translation)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `BadgeCatalog` / `BadgeRenderer` / `OperatorOutcomeTaxonomy`, `ReasonPresenter`, `OperationRunService`, `TenantReviewReadinessGate`, existing baseline/evidence/review/review-pack resources and canonical pages (158-artifact-truth-semantics)
+- PostgreSQL with existing JSONB-backed `summary`, `summary_jsonb`, and `context` payloads on baseline snapshots, evidence snapshots, tenant reviews, review packs, and operation runs; no new primary storage required for the first slice (158-artifact-truth-semantics)
+- PHP 8.4.15 + Laravel 12, Filament 5, Livewire 4, Pest 4, Laravel queue workers, existing `OperationRunService`, `TrackOperationRun`, `OperationUxPresenter`, `ReasonPresenter`, `BadgeCatalog` domain badges, and current Operations Monitoring pages (160-operation-lifecycle-guarantees)
+- PostgreSQL for `operation_runs`, `jobs`, and `failed_jobs`; JSONB-backed `context`, `summary_counts`, and `failure_summary`; configuration in `config/queue.php` and `config/tenantpilot.php` (160-operation-lifecycle-guarantees)
+- PostgreSQL (via Sail) plus existing read models persisted in application tables (161-operator-explanation-layer)
+- PHP 8.4 / Laravel 12, Blade, Alpine via Filament, Tailwind CSS v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `OperationRun` and baseline compare services (162-baseline-gap-details)
+- PostgreSQL with JSONB-backed `operation_runs.context`; no new tables required (162-baseline-gap-details)
+- PostgreSQL via existing application tables, especially `operation_runs.context` and baseline snapshot summary JSON (163-baseline-subject-resolution)
+- PHP 8.4, Laravel 12, Blade views, Alpine via Filament v5 / Livewire v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `OperationRunResource`, `TenantlessOperationRunViewer`, `EnterpriseDetailBuilder`, `ArtifactTruthPresenter`, `OperationUxPresenter`, and `SummaryCountsNormalizer` (164-run-detail-hardening)
+- PostgreSQL with existing `operation_runs` JSONB-backed `context`, `summary_counts`, and `failure_summary`; no schema change planned (164-run-detail-hardening)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `BaselineCompareStats`, `BaselineCompareExplanationRegistry`, `ReasonPresenter`, `BadgeCatalog` or `BadgeRenderer`, `UiEnforcement`, and `OperationRunLinks` (165-baseline-summary-trust)
+- PostgreSQL with existing baseline, findings, and `operation_runs` tables plus JSONB-backed compare context; no schema change planned (165-baseline-summary-trust)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `Finding`, `FindingException`, `FindingRiskGovernanceResolver`, `BadgeCatalog`, `BadgeRenderer`, `FilterOptionCatalog`, and tenant dashboard widgets (166-finding-governance-health)
+- PostgreSQL using existing `findings`, `finding_exceptions`, related decision tables, and existing DB-backed summary sources; no schema changes required (166-finding-governance-health)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `ArtifactTruthPresenter`, `OperationUxPresenter`, `RelatedNavigationResolver`, `AppServiceProvider`, `BadgeCatalog`, `BadgeRenderer`, and current Filament resource/page seams (167-derived-state-memoization)
+- PostgreSQL unchanged; feature adds no persistence and relies on request-local in-memory state only (167-derived-state-memoization)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `BaselineCompareStats`, `BaselineCompareSummaryAssessor`, `BaselineCompareLanding`, `BaselineCompareNow`, `NeedsAttention`, `BaselineCompareCoverageBanner`, and `RequestScopedDerivedStateStore` from Spec 167 (168-tenant-governance-aggregate-contract)
+- PostgreSQL unchanged; no new persistence, cache store, or durable summary artifac (168-tenant-governance-aggregate-contract)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `ActionSurfaceDeclaration`, `ActionSurfaceValidator`, `ActionSurfaceDiscovery`, `ActionSurfaceExemptions`, and Filament Tables / Actions APIs (169-action-surface-v11)
+- PostgreSQL unchanged; no new persistence, cache store, queue payload, or durable artifac (169-action-surface-v11)
 
 - PHP 8.4.15 (feat/005-bulk-operations)
 
@@ -82,8 +137,8 @@ ## Code Style
 PHP 8.4.15: Follow standard conventions
 
 ## Recent Changes
-- 134-audit-log-foundation: Added PHP 8.4.15 / Laravel 12 + Filament v5, Livewire v4.0+, Tailwind CSS v4
-- 133-detail-page-template: Added PHP 8.4.15 / Laravel 12 + Filament v5, Livewire v4.0+, Tailwind CSS v4
-- 132-guid-context-resolver: Added PHP 8.4.15 / Laravel 12 + Filament v5, Livewire v4.0+, Tailwind CSS v4
+- 169-action-surface-v11: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `ActionSurfaceDeclaration`, `ActionSurfaceValidator`, `ActionSurfaceDiscovery`, `ActionSurfaceExemptions`, and Filament Tables / Actions APIs
+- 168-tenant-governance-aggregate-contract: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `BaselineCompareStats`, `BaselineCompareSummaryAssessor`, `BaselineCompareLanding`, `BaselineCompareNow`, `NeedsAttention`, `BaselineCompareCoverageBanner`, and `RequestScopedDerivedStateStore` from Spec 167
+- 167-derived-state-memoization: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `ArtifactTruthPresenter`, `OperationUxPresenter`, `RelatedNavigationResolver`, `AppServiceProvider`, `BadgeCatalog`, `BadgeRenderer`, and current Filament resource/page seams
 <!-- MANUAL ADDITIONS START -->
 <!-- MANUAL ADDITIONS END -->

.github/prompts/tenantpilot.audit.prompt.md

@@ -0,0 +1,76 @@
+---
+description: Scan the TenantPilot repository for architecture and safety violations against the workspace-first, RBAC-first, audit-first governance model.
+---
+
+You are a Senior Staff Engineer and Enterprise SaaS Architecture Auditor reviewing TenantPilot / TenantAtlas.
+
+This is not a generic code review. Audit the repository against the TenantPilot audit constitution at `docs/audits/tenantpilot-architecture-audit-constitution.md`.
+
+## Audit focus
+
+Prioritize:
+
+- workspace and tenant isolation
+- route model binding safety
+- Filament resources, pages, relation managers, widgets, and actions
+- Livewire public properties and serialized state risks
+- jobs, queue boundaries, and backend authorization rechecks
+- provider access boundaries
+- `OperationRun` consistency
+- findings, exceptions, review, drift, and baseline workflow integrity
+- audit trail completeness
+- wrong-tenant regression coverage
+- unauthorized action coverage
+- workflow misuse and invalid transition coverage
+
+## Output rules
+
+Classify every finding as exactly one of:
+
+- Constitutional Violation
+- Architectural Drift
+- Workflow Trust Gap
+- Test Blind Spot
+
+Assign one severity:
+
+- Severity 1: Critical
+- Severity 2: High
+- Severity 3: Medium
+- Severity 4: Low
+
+Anything directly touching isolation, RBAC, secrets, or auditability must not be rated Low.
+
+For each finding provide:
+
+1. Title
+2. Classification
+3. Severity
+4. Affected Area
+5. Evidence with specific files, classes, methods, routes, or test gaps
+6. Why this matters in TenantPilot
+7. Recommended structural correction
+8. Delivery recommendation: `hotfix`, `follow-up refactor`, or `dedicated spec required`
+
+## Constraints
+
+- Do not praise the codebase.
+- Do not focus on style unless it affects architecture or safety.
+- Do not suggest random patterns without proving fit.
+- Group multiple symptoms under one deeper diagnosis when appropriate.
+- Be explicit when a local fix is insufficient and a dedicated spec is required.
+
+## Repository context
+
+TenantPilot is an enterprise SaaS product for Intune and Microsoft 365 governance, backup, restore, inventory, drift detection, findings, exceptions, operations, and auditability.
+
+The strategic priorities are:
+
+- workspace-first context modeling
+- capability-first RBAC
+- strong auditability
+- deterministic workflow semantics
+- provider access through canonical boundaries
+- minimal duplication of domain logic across UI surfaces
+
+Return the audit as a concise but substantive findings report.

.github/prompts/tenantpilot.spec-candidates.prompt.md

@@ -0,0 +1,105 @@
+---
+description: Turn TenantPilot architecture audit findings into bounded spec candidates without colliding with active spec numbering.
+agent: speckit.specify
+---
+
+You are a Senior Staff Engineer and Enterprise SaaS Architect working on TenantPilot / TenantAtlas.
+
+Your task is to produce spec candidates, not implementation code.
+
+Before writing anything, read and use these repository files as binding context:
+
+- `docs/audits/tenantpilot-architecture-audit-constitution.md`
+- `docs/audits/2026-03-15-audit-spec-candidates.md`
+- `specs/110-ops-ux-enforcement/spec.md`
+- `specs/111-findings-workflow-sla/spec.md`
+- `specs/134-audit-log-foundation/spec.md`
+- `specs/138-managed-tenant-onboarding-draft-identity/spec.md`
+
+## Goal
+
+Turn the existing audit-derived problem clusters into exactly four proposed follow-up spec candidates.
+
+The four candidate themes are:
+
+1. queued execution reauthorization and scope continuity
+2. tenant-owned query canon and wrong-tenant guards
+3. findings workflow enforcement and audit backstop
+4. Livewire context locking and trusted-state reduction
+
+## Numbering rule
+
+- Do not invent or reserve fixed spec numbers unless the current repository state proves they are available.
+- If numbering is uncertain, use `Candidate A`, `Candidate B`, `Candidate C`, and `Candidate D`.
+- Only recommend a numbering strategy; do not force numbering in the output when collisions are possible.
+
+## Output requirements
+
+Create exactly four spec candidates, one per problem class.
+
+For each candidate provide:
+
+1. Candidate label or confirmed spec number
+2. Working title
+3. Status: `Proposed`
+4. Summary
+5. Why this is needed now
+6. Boundary to existing specs
+7. Problem statement
+8. Goals
+9. Non-goals
+10. Scope
+11. Target model
+12. Key requirements
+13. Risks if not implemented
+14. Dependencies and sequencing notes
+15. Delivery recommendation: `hotfix`, `dedicated spec`, or `phased spec`
+16. Suggested implementation priority: `Critical`, `High`, or `Medium`
+17. Suggested slug
+
+At the end provide:
+
+A. Recommended implementation order
+B. Which candidates can run in parallel
+C. Which candidate should start first and why
+D. A numbering strategy recommendation if active spec numbers are not yet known
+
+## Writing rules
+
+- Write in English.
+- Use formal enterprise spec language.
+- Be concrete and opinionated.
+- Focus on structural integrity, not patch-level fixes.
+- Treat the audit constitution as binding.
+- Explicitly say when UI-only authorization is insufficient.
+- Explicitly say when Livewire public state must be treated as untrusted input.
+- Explicitly say when negative-path regression tests are required.
+- Explicitly say when `OperationRun` or audit semantics must be extended or hardened.
+- Do not duplicate adjacent specs; state the boundary clearly.
+- Do not collapse all four themes into one umbrella spec.
+
+## Candidate-specific direction
+
+### Candidate A — queued execution reauthorization and scope continuity
+
+- Treat this as an execution trust problem, not a simple `authorize()` omission.
+- Cover dispatch-time actor and context capture, handle-time scope revalidation, capability reauthorization, execution denial semantics, and audit visibility.
+- Define what happens when authorization or tenant operability changes between dispatch and execution.
+
+### Candidate B — tenant-owned query canon and wrong-tenant guards
+
+- Treat this as canonical data-access hardening.
+- Cover tenant-owned and workspace-owned query rules, route model binding safety, canonical query paths, anti-pattern elimination, and required wrong-tenant regression tests.
+- Focus on ownership enforcement, not generic repository-pattern advice.
+
+### Candidate C — findings workflow enforcement and audit backstop
+
+- Treat this as a workflow-truth problem.
+- Cover formal lifecycle enforcement, invalid transition prevention, reopen and recurrence semantics, and audit backstop requirements.
+- Make clear how this extends but does not duplicate Spec 111.
+
+### Candidate D — Livewire context locking and trusted-state reduction
+
+- Treat this as a UI/server trust-boundary hardening problem.
+- Cover locked identifiers, untrusted public state, server-side reconstruction of workflow truth, sensitive-state reduction, and misuse regression tests.
+- Make clear how this complements but does not duplicate Spec 138.

.gitignore

@@ -32,5 +32,6 @@ Homestead.json
 Homestead.yaml
 Thumbs.db
 /references
+/tests/Browser/Screenshots
 *.tmp
 *.swp

.specify/memory/constitution.md

@@ -1,17 +1,34 @@
 <!--
 Sync Impact Report
 
-- Version change: 1.10.0 → 1.11.0
+- Version change: 1.14.0 -> 2.0.0
 - Modified principles:
-  - None
+  - Filament UI - Action Surface Contract -> Operator-Facing UI/UX Constitution v1 / Filament UI - Action Surface Contract
+  - Filament UI - Layout & Information Architecture Standards (UX-001) -> Operator-Facing UI/UX Constitution v1 / Filament UI - Layout & Information Architecture Standards (UX-001)
+  - Operator-facing UI Naming Standards (UI-NAMING-001) -> Operator-Facing UI/UX Constitution v1 / Operator-facing UI Naming Standards (UI-NAMING-001)
+  - Operator Surface Principles (OPSURF-001) -> Operator-Facing UI/UX Constitution v1 / Operator Surface Principles (OPSURF-001)
+  - Spec Scope Fields (SCOPE-002) -> Operator-Facing UI/UX Constitution v1 / Spec Scope Fields (SCOPE-002)
 - Added sections:
-  - Operator-facing UI Naming Standards (UI-NAMING-001)
+  - Operator-Facing UI/UX Constitution v1 (UI-CONST-001)
+  - Surface Taxonomy (UI-SURF-001)
+  - Hard Rules (UI-HARD-001)
+  - Exception Model (UI-EX-001)
+  - Enforcement Model (UI-REVIEW-001)
+  - Immediate Retrofit Priorities
+  - Appendix A - One-page Condensed Constitution
+  - Appendix B - Feature Review Checklist
+  - Appendix C - Red Flags for Future PRs
 - Removed sections: None
 - Templates requiring updates:
-  - ✅ .specify/templates/plan-template.md
+  - ✅ .specify/memory/constitution.md
   - ✅ .specify/templates/spec-template.md
+  - ✅ .specify/templates/plan-template.md
   - ✅ .specify/templates/tasks-template.md
-  - N/A: .specify/templates/commands/ (directory not present in this repo)
+  - ✅ docs/product/principles.md
+  - ✅ docs/product/standards/README.md
+  - ✅ docs/HANDOVER.md
+- Commands checked:
+  - N/A `.specify/templates/commands/*.md` directory is not present in this repo
 - Follow-up TODOs:
   - None.
 -->
@@ -40,6 +57,73 @@ ### Deterministic Capabilities
 - Backup/restore/risk/support flags MUST be derived deterministically from config/contracts via a Capabilities Resolver.
 - The resolver output MUST be programmatically testable (snapshot/golden tests) so config changes cannot silently break behavior.
 
+### Proportionality First (PROP-001)
+- New structure, layering, persistence, or semantic machinery MUST be justified by current release truth, current operator workflow, and a concrete reason a narrower implementation is insufficient.
+- Code MUST NOT become more generic, more layered, or more persistent than the current product actually needs.
+- Reviews MUST reject speculative generalization framed only as future flexibility.
+
+### No Premature Abstraction (ABSTR-001)
+- New factories, registries, resolvers, strategy systems, interfaces, extension-point frameworks, type registries, or orchestration pipelines MUST NOT be introduced before at least two real concrete cases require them.
+- Test convenience alone is not sufficient justification for a new abstraction.
+- Narrow abstractions are allowed when required for security, tenant isolation, auditability, compliance evidence, or queue/job execution correctness.
+
+### No New Persisted Truth Without Source-of-Truth Need (PERSIST-001)
+- New tables, persisted entities, or stored artifacts MUST represent real product truth that survives independently of the originating request, run, or view.
+- Persisted storage is justified only when at least one of these is true: it is a source of truth, has an independent lifecycle, must be audited independently, must outlive its originating run/request, is required for permissions/routing/compliance evidence, or is required for stable operator workflows over time.
+- Convenience projections, UI helpers, speculative artifacts, derived summaries, and temporary semantic wrappers MUST remain derived unless current-release operator workflows require independent persistence.
+- Release 2/3 entities MUST NOT be fully built in Release 1 unless they are foundational and already exercised by the shipped workflow.
+
+### No New State Without Behavioral Consequence (STATE-001)
+- New states, statuses, reason codes, lifecycle labels, and semantic categories MUST change operator action, workflow routing, permission or policy enforcement, lifecycle behavior, persistence truth, audit responsibility, retention behavior, or retry/failure handling.
+- Presentation-only distinctions MUST remain derived labels rather than persisted domain state.
+- Reason code families MUST NOT expand unless each added value has a distinct system or operator consequence.
+
+### UI Semantics Must Not Become Their Own Framework (UI-SEM-001)
+- Badges, explanation text, trust/confidence labels, detail cards, and status summaries MUST remain lightweight presentation helpers unless they are proven product contracts.
+- New UI semantics MUST NOT require mandatory presenter, badge, explanation, taxonomy, or multi-step interpretation pipelines by default.
+- Direct mapping from canonical domain truth to UI is preferred over intermediate semantic superstructures.
+- Presentation helpers SHOULD remain optional adapters, not mandatory architecture.
+
+### V1 Prefers Explicit Narrow Implementations (V1-EXP-001)
+- For V1 and early product maturity, direct implementation, local mapping, explicit per-domain logic, small focused helpers, derived read models, and minimal UI adapters are preferred.
+- Generic platform engines, meta-frameworks, universal resolver systems, workflow frameworks, and broad semantic taxonomies are disfavored until real variance proves them necessary.
+- The burden of proof is always on the broader abstraction.
+
+### One Truth, Few Layers (LAYER-001)
+- A single domain truth MUST NOT be redundantly modeled across model fields, service result objects, presenters, UI summaries, explanation builders, badge taxonomies, run context wrappers, and persisted mirror entities without clear necessity.
+- Prefer one canonical truth with thin adapters.
+- Any new layer MUST replace an existing layer or prove why the existing layer cannot serve the need.
+- Additive semantic layering is discouraged; absorption is preferred over accumulation.
+
+### Spec Discipline Over Slice Proliferation (SPEC-DISC-001)
+- Related semantic, taxonomy, and presentation-contract changes SHOULD be grouped into one coherent spec instead of many micro-specs that each add classes, enums, DTOs, and tests.
+- Every spec MUST explicitly state whether it introduces a new source of truth, persisted entity, abstraction, state, or cross-cutting framework.
+- If the answer is yes, the spec MUST explain why the addition is necessary now.
+
+### Tests Must Protect Business Truth (TEST-TRUTH-001)
+- Testing is mandatory, but test growth MUST follow business truth rather than indirection created for its own sake.
+- Tests MUST prioritize domain behavior, permissions, isolation, lifecycle correctness, and operator-critical outcomes.
+- Large dedicated test surfaces for thin presentation indirection SHOULD be avoided.
+- If a pattern creates more test burden than product certainty, the pattern SHOULD be simplified.
+
+### Enterprise Complexity Is Allowed Only Where Risk Demands It (RISK-COMP-001)
+- Heavier architecture is explicitly legitimate for workspace or tenant isolation, RBAC and policy enforcement, auditability, immutable history and snapshot truth, queue/job execution legitimacy, provider credential safety, retention/compliance evidence, and operator-critical lifecycle correctness.
+- Badge systems, explanation builders, trust/confidence overlays, presentation taxonomies, generic provider frameworks without real provider variance, speculative export/report/review infrastructure, UI meta-governance frameworks, and derived helper entities promoted into persisted truth are high-risk overproduction zones and require extra restraint.
+
+### Mandatory Bloat Check for New Specs (BLOAT-001)
+- Any spec that introduces a new enum or status family, DTO/envelope/presenter layer, persisted entity or table, interface/contract/registry/resolver, cross-domain UI framework, or taxonomy/classification system MUST include a proportionality review.
+- That review MUST answer:
+  1. What current operator problem does this solve?
+  2. Why is existing structure insufficient?
+  3. Why is this the narrowest correct implementation?
+  4. What ownership cost does this create?
+  5. What alternative was intentionally rejected?
+  6. Is this current-release truth or future-release preparation?
+- Specs that cannot answer these questions clearly MUST NOT merge.
+
+### Default Bias (BIAS-001)
+- Default codebase bias is: derive before persist, map before frameworkize, localize before generalize, simplify before extend, replace before layer, explicit before generic, and present directly before interpreting recursively.
+
 ### Workspace Isolation is Non-negotiable
 - Workspace membership is an isolation boundary. If the actor is not entitled to the workspace scope, the system MUST respond as
   deny-as-not-found (404).
@@ -68,6 +152,7 @@ ### Tenant Isolation is Non-negotiable
 - Workspace-owned tables MUST include workspace_id and MUST NOT include tenant_id.
 - Exception: OperationRun MAY have tenant_id nullable to support canonical workspace-context monitoring views; however, revealing any tenant-bound runs still MUST enforce entitlement checks to the referenced tenant scope.
 - Exception: AlertDelivery MAY have tenant_id nullable for workspace-scoped, non-tenant-operational artifacts (e.g., `event_type=alerts.test`). Tenant-bound delivery records still MUST enforce tenant entitlement checks, and tenantless delivery rows MUST NOT contain tenant-specific data.
+- Exception: `managed_tenant_onboarding_sessions` MAY keep `tenant_id` nullable as a workspace-scoped workflow-coordination record. It begins before tenant identification, may later reference a tenant for authorization continuity and resume semantics, and MUST always enforce workspace entitlement plus tenant entitlement once a tenant reference is attached. This exception is specific to onboarding draft workflow state and does not create a general precedent for workspace-owned domain records.
 
 ### RBAC & UI Enforcement Standards (RBAC-UX)
 
@@ -232,98 +317,266 @@ ### Scheduled/system runs (OPS-UX-SYS-001)
 - Scheduled/queued operations MUST use locks + idempotency (no duplicates).
 - Graph throttling and transient failures MUST be handled with backoff + jitter (e.g., 429/503).
 
-### Filament UI — Action Surface Contract (NON-NEGOTIABLE)
+### Operator-Facing UI/UX Constitution v1 (UI-CONST-001)
 
-For every new or modified Filament Resource / RelationManager / Page:
+Purpose and scope
+- This section governs operator-facing admin UI semantics across TenantPilot / TenantAtlas.
+- It defines allowed surface types, allowed interaction models, primary/secondary/destructive action hierarchy, list/detail/queue semantics, scope and context signals, canonical navigation and naming rules, visibility of critical operational truth, scanability and density rules, exception handling, and review and enforcement requirements.
+- It does not govern branding, colors, typography, spacing tokens, marketing or landing pages, implementation details without UX effect, purely cosmetic copy changes, or backend architecture except where backend design would create false UI mental models.
+- This section is governance, not a style guide. Its purpose is to prevent ambiguity, operator risk, and UI drift before they spread through the product.
+
+#### Surface Taxonomy (UI-SURF-001)
+
+Every new admin surface MUST be assigned exactly one surface type before implementation. Ad-hoc interaction models are forbidden.
+
+##### CRUD / List-first Resource
+- Purpose: scan, find, open, and selectively mutate many business records.
+- Primary behavior: Browse -> Open -> Decide / Mutate.
+- Primary model: one-click inspect/open. Full-row click is the default; identifier click is allowed only when full-row click conflicts with another dominant row mechanism.
+- Secondary actions: at most one inline non-destructive shortcut; everything else belongs in overflow.
+- Destructive actions: never inline beside inspect; only in overflow or the detail header; confirmation is mandatory.
+- Explicit View/Inspect: forbidden when row click or identifier click already opens the same destination.
+
+##### Queue / Review Surface
+- Purpose: triage items, inspect them in context, decide, and continue working through the queue.
+- Primary behavior: Inspect in context -> Decide -> Continue.
+- Primary model: explicit Inspect using a slide-over, inline detail pane, or same-page inspect.
+- Secondary actions: only queue-relevant actions belong in the row.
+- Destructive actions: inline is allowed only when the destructive decision is part of the real queue work; irreversibility or high risk still requires confirmation.
+- Row click: forbidden by default.
+- Explicit View/Inspect: required unless the detail is already visible inline.
+
+##### History / Audit Surface
+- Purpose: inspect immutable history, events, and evidence without losing chronology.
+- Primary behavior: Inspect event -> Follow trace -> Return to history context.
+- Primary model: explicit Inspect, preferably in a slide-over or same-page detail.
+- Secondary actions: related navigation only.
+- Destructive actions: normally none.
+- Row click: forbidden.
+- Explicit View/Inspect: required.
+
+##### Config-lite Resource
+- Purpose: manage small, low-cardinality configuration where edit is effectively the detail surface.
+- Primary behavior: Open config -> Adjust.
+- Primary model: edit-as-inspect.
+- Secondary actions: minimal and usually limited to Edit or overflow.
+- Destructive actions: overflow or detail header only.
+- Row click: allowed when it opens Edit directly and no separate View surface exists.
+- Explicit View/Inspect: forbidden.
+
+##### Read-only Registry / Report Surface
+- Purpose: inspect, compare, reference, and export immutable or mostly read-only artifacts.
+- Primary behavior: Scan -> Open detail -> Reference / Export.
+- Primary model: row click or identifier click to detail.
+- Secondary actions: optional single inline non-destructive shortcut when it serves the operator flow.
+- Destructive actions: normally none; if they exist they belong in detail only.
+- Explicit View/Inspect: forbidden when a functional one-click open already exists.
+
+##### Detail-first Operational Surface
+- Purpose: fully understand one operational record, including state, truth, context, and next steps.
+- Primary behavior: Read -> Understand -> Act / Navigate.
+- Primary model: dedicated detail page or dedicated operational page.
+- Secondary actions: header actions and related-link groups.
+- Destructive actions: detail header or grouped header actions only, always with confirmation.
+- Row click and explicit View/Inspect: not applicable.
+
+#### Hard Rules (UI-HARD-001)
+
+##### Primary inspect model
+- Every list surface MUST expose exactly one primary inspect/open model.
+- A surface MUST NOT offer row click, identifier click, and explicit View/Inspect for the same destination as parallel primary models.
+- CRUD / List-first and Read-only Registry / Report surfaces MUST provide an obvious one-click open path.
+- Queue / Review and History / Audit surfaces MUST use explicit Inspect rather than row-click navigation.
+
+##### Row-click semantics
+- Full-row click is the default for CRUD / List-first and Read-only Registry / Report surfaces.
+- Identifier-only click is allowed only when full-row click would conflict with another dominant row behavior such as selection-heavy interaction, expand/collapse, drag/sort, or another primary row mechanism.
+- When row click is enabled, the row MUST feel consistent. Silent split behavior inside the same row is forbidden.
+- Edit-as-inspect is allowed only for Config-lite resources.
+
+##### View and Inspect actions
+- Explicit View MUST NOT exist when the same destination is already opened through row click or identifier click.
+- Explicit Inspect is the default only for Queue / Review, History / Audit, and explicitly catalogued exceptions.
+- View and Inspect MUST NOT be treated as interchangeable labels. If the interaction preserves context and behaves unlike ordinary navigation, it is Inspect, not View.
+
+##### Action hierarchy
+- Every surface MUST distinguish between the primary inspect/open action, secondary safe actions, destructive actions, and long-running workflow launches.
+- Standard CRUD and Read-only Registry rows MUST NOT exceed the primary open interaction plus one inline safe shortcut.
+- All other secondary actions MUST move to overflow.
+- Long-running workflow launches such as sync, compare, verify, generate, consent, setup, or retry SHOULD live in list headers or detail headers rather than in every row.
+
+##### Destructive actions
+- Destructive actions MUST NOT appear inline beside the primary inspect interaction on standard CRUD, Config-lite, or Read-only Registry surfaces.
+- Destructive actions MUST live in overflow or the detail header.
+- Destructive actions MUST use confirmation.
+- High-risk or high-volume destructive bulk actions SHOULD use typed confirmation.
+- The Queue Decision exception applies only when the destructive decision is part of the actual queue work.
+
+##### Overflow and More
+- Overflow actions MUST follow one product-wide pattern per surface class.
+- Mixed labeled-overflow versus icon-only overflow patterns inside the same surface class are forbidden unless an approved exception documents why.
+- Empty `ActionGroup` and empty `BulkActionGroup` are forbidden.
+- Placeholder UI added only to satisfy a contract or slot is forbidden.
+
+##### Bulk actions
+- Bulk actions are allowed only when they are safe enough, materially faster than row-by-row execution, and genuinely fit the surface.
+- A surface with no real bulk need MUST NOT render bulk UI.
+- Bulk destructive actions follow the same protection rules as row destructive actions, with stricter confirmation and review expectations.
+
+##### Row label length and action budget
+- Inline row action labels MUST stay short and SHOULD be one or two words.
+- Long workflow labels belong in overflow, headers, or detail surfaces.
+- Standard list rows MUST NOT become control centers for onboarding recovery, provider management, consent flows, RBAC setup, diagnostics, and destructive lifecycle actions all at once.
+
+##### Scope and context semantics
+- Scope chips, tenant pills, and similar context signals MUST correspond to real scoping behavior.
+- A scope signal MUST NOT be shown when it neither scopes the displayed data nor materially changes the action targets.
+- Remembered context is allowed only when labeled clearly as reference context rather than active scope.
+- Cross-panel navigation MUST NOT imply that the operator remains inside the same logical scope when that is not true.
+
+##### Canonical navigation and terminology
+- Every domain object MUST have one canonical collection noun and one canonical singular noun.
+- The same domain object MUST NOT use competing primary nouns across shells.
+- The Operations domain MUST use one canonical collection noun. Parallel primary nouns such as Runs beside Operations are forbidden.
+- Cross-panel navigation is allowed only when it lands on a canonical surface, uses stable nouns, and keeps back navigation clear.
+
+##### Visibility of critical operational truth
+- Critical operational truth MUST be visible by default.
+- It MUST NOT be hidden only in default-off columns, tooltips, helper text, overflow menus, or detail pages when list decisions depend on it.
+- Lifecycle truth, operability truth, health truth, execution outcome, trust/confidence, and next action MUST remain separate semantic dimensions.
+- One badge, column, or label MUST NOT collapse multiple truth dimensions into a generic status.
+
+##### Row density and scanability
+- Standard CRUD lists MUST remain scanable.
+- Outside Queue / Review and History / Audit exceptions, each row MAY contain at most one multi-line explanatory column and at most one prose-heavy explanatory context.
+- Standard CRUD rows MUST NOT carry more than one sentence of flowing prose.
+- Next-step prose belongs in detail, inspect, or queue surfaces, not in ordinary CRUD rows.
+
+##### Custom abstractions
+- Custom UI abstractions MAY document and validate, but they MUST NOT create declaration-only safety that diverges from real behavior.
+- Contract systems MUST NOT force placeholder UI.
+- Behavior matters more than declaration. If declared conformance and rendered behavior differ, the surface is non-conformant.
+- A feature MUST NOT ship when its implemented interaction semantics contradict its declared surface type.
+
+#### Exception Model (UI-EX-001)
+
+Only catalogued exception types are allowed. Every exception MUST be named in the spec, reference its exception type, include a reason block, be called out explicitly in the PR, and carry at least one dedicated test.
+
+##### Queue Decision Exception
+- Allowed when per-item decision-making is the real queue work.
+- Guardrails: Inspect remains available unless detail is already inline; irreversible decisions require confirmation; unrelated maintenance actions do not join the row.
+
+##### History In-place Inspect Exception
+- Allowed when leaving the page would break chronology or traceability.
+- Guardrails: explicit Inspect is mandatory; row click is forbidden; generic mutation rails are forbidden.
+
+##### Config-lite Edit-as-Inspect Exception
+- Allowed when a separate View surface would add no value.
+- Guardrails: no parallel View surface; no high-risk destructive flow as the default entry point.
+
+##### Read-only Shortcut Exception
+- Allowed for exactly one dominant non-destructive shortcut.
+- Guardrails: inspect/open remains dominant; only one shortcut exists; the shortcut does not compete with the primary open path.
+
+##### Cross-panel Canonical Route Exception
+- Allowed when only one canonical surface makes sense.
+- Guardrails: nouns stay stable; shell transition is explicit; back navigation is clear; scope signals remain truthful.
+
+#### Filament UI — Action Surface Contract (NON-NEGOTIABLE)
+
+For every new or modified Filament Resource, RelationManager, or Page:
 
 Required surfaces
-- List/Table MUST define: Header Actions, Row Actions, Bulk Actions, and Empty-State CTA(s).
-- Inspect affordance (List/Table): Every table MUST provide a record inspection affordance.
-  - Accepted forms: clickable rows via `recordUrl()` (preferred), a dedicated row “View” action, or a primary linked column.
-  - Rule: Do NOT render a lone “View” row action button. If View is the only row action, prefer clickable rows.
-- View/Detail MUST define Header Actions (Edit + “More” group when applicable).
-- View/Detail MUST be sectioned (e.g., Infolist Sections / Cards); avoid long ungrouped field lists.
-- Create/Edit MUST provide consistent Save/Cancel UX.
+- List/Table MUST define Header Actions, Row Actions, Bulk Actions, and Empty-State CTA(s).
+- Every table MUST provide a record inspection affordance that matches its surface type.
+- Accepted forms are `recordUrl()` row click, a primary linked column, or an explicit row action when the taxonomy requires Inspect.
+- CRUD / List-first, Config-lite, and Read-only Registry surfaces MUST NOT render a redundant View action when the same destination is already available through row click or identifier click.
+- Queue / Review and History / Audit surfaces MAY use a lone explicit Inspect action because context-preserving inspect is the primary interaction.
+- View/Detail MUST define header actions and MUST keep destructive actions grouped and confirmed.
+- View/Detail MUST be sectioned using Infolists, Sections, Cards, Tabs, or equivalent composable structure.
+- Create/Edit MUST provide consistent Save and Cancel UX.
 
-Grouping & safety
-- Max 2 visible Row Actions (typically View/Edit). Everything else MUST be in an ActionGroup “More”.
-- Bulk actions MUST be grouped via BulkActionGroup.
-- RelationManagers MUST follow the same action surface rules (grouped row actions, bulk actions where applicable, inspection affordance).
-- Destructive actions MUST NOT be primary and MUST require confirmation; typed confirmation MAY be required for large/bulk changes.
+Grouping and safety
+- Standard CRUD and Read-only Registry rows MUST NOT exceed inspect/open plus one inline safe shortcut.
+- Queue / Review rows MAY expose inline decision actions only when allowed by UI-EX-001.
+- Everything else MUST move to `ActionGroup::make()` or the detail header.
+- Bulk actions MUST be grouped via `BulkActionGroup` only when the surface has a real bulk use case.
+- Empty `ActionGroup` and `BulkActionGroup` are forbidden.
+- Destructive actions MUST NOT be primary and MUST require confirmation; typed confirmation MAY be required for large or high-risk bulk changes.
 - Relevant mutations MUST write an audit log entry.
 
 RBAC enforcement
 - Non-member access MUST abort(404) and MUST NOT leak existence.
-- Member without capability: UI visible but disabled with tooltip; server-side MUST abort(403).
-- Central enforcement helpers (tenant/workspace UI enforcement) MUST be used for gating.
+- Members without capability MAY see disabled actions with helper text, but server-side execution MUST still abort(403).
+- Central tenant and workspace UI enforcement helpers MUST be used for gating.
 
-Spec / DoD gates
-- Every spec MUST include a “UI Action Matrix”.
-- A change is not “Done” unless the Action Surface Contract is met OR an explicit exemption exists with documented reason.
-- CI MUST run an automated Action Surface Contract check (test suite and/or command) that fails when required surfaces are missing.
+Behavior over declaration
+- Every spec MUST include both a UI/UX Surface Classification and a UI Action Matrix.
+- Custom action-surface contracts are legitimate only when they validate rendered behavior, not only declarations or slot counts.
+- A change is not Done unless the implemented interaction semantics conform to the declared surface type or an approved exception documents and tests the deviation.
 
-### Filament UI — Layout & Information Architecture Standards (UX-001)
+#### Filament UI — Layout & Information Architecture Standards (UX-001)
 
-Goal: Demo-level, enterprise-grade admin UX. These rules are NON-NEGOTIABLE for new or modified Filament screens.
+Goal: operator-facing Filament screens MUST feel enterprise-grade, legible, and decisive.
 
 Page layout
 - Create/Edit MUST default to a Main/Aside layout using a 3-column grid with `Main=columnSpan(2)` and `Aside=columnSpan(1)`.
-- All fields MUST be inside Sections/Cards. No “naked” inputs at the root schema level.
-- Main contains domain definition/content. Aside contains status/meta (status, version label, owner, scope selectors, timestamps).
-- Related data (assignments, relations, evidence, runs, findings, etc.) MUST render as separate Sections below the main/aside grid (or as tabs/sub-navigation), never mixed as unstructured long lists.
+- All fields MUST live inside Sections or Cards. Naked root-level inputs are forbidden.
+- Main content carries domain definition and working content. Aside carries status and meta such as scope, owner, timestamps, or version labels.
+- Related data MUST render as separate sections, tabs, or subordinate surfaces rather than as one long unstructured form or detail page.
 
 View pages
-- View/Detail MUST be a read-only experience using Infolists (or equivalent), not disabled edit forms.
-- Status-like values MUST render as badges/chips using the centralized badge semantics (BADGE-001).
-- Long text MUST render as readable prose (not textarea styling).
+- View/Detail MUST be a read-only surface built with Infolists or an equivalent read-first structure, not disabled edit forms.
+- Status-like values MUST render via BADGE-001 semantics.
+- Long text MUST read like prose, not like disabled textarea output.
 
 Empty states
-- Empty lists/tables MUST show: a specific title, one-sentence explanation, and exactly ONE primary CTA in the empty state.
-- When non-empty, the primary CTA MUST move to the table header (top-right) and MUST NOT be duplicated in the empty state.
+- Empty lists and tables MUST show a specific title, a one-sentence explanation, and exactly one primary CTA.
+- When records exist, that primary CTA moves to the header and MUST NOT be duplicated in the empty state shell.
 
-Actions & flows
-- Pages SHOULD expose at most 1 primary header action and 1 secondary action; all other actions MUST be grouped (ActionGroup / BulkActionGroup).
-- Multi-step or high-risk flows MUST use a Wizard (e.g., capture/compare/restore with preview + confirmation).
-- Destructive actions MUST remain non-primary and require confirmation (RBAC-UX-005).
+Actions and flows
+- Pages SHOULD expose at most one primary header action and one secondary header action; all others belong in groups.
+- Multi-step or high-risk flows MUST use a wizard or an equivalent staged flow with preview and confirmation.
+- Destructive actions remain non-primary and confirmed.
 
-Table work-surface defaults
-- Tables SHOULD provide search (when the dataset can grow), a meaningful default sort, and filters for core dimensions (status/severity/type/tenant/time-range).
-- Tables MUST render key statuses as badges/chips (BADGE-001) and avoid ad-hoc status mappings.
+Table defaults
+- Tables SHOULD provide search when the dataset can grow, a meaningful default sort, and filters for core dimensions.
+- Standard CRUD tables MUST stay scanable and MUST NOT rely on row prose to communicate next steps.
+- Critical operational truth that informs list decisions MUST be default-visible.
 
 Enforcement
-- New resources/pages SHOULD use shared layout builders (e.g., `MainAsideForm`, `MainAsideInfolist`, `StandardTableDefaults`) to keep screens consistent.
-- A change is not “Done” unless UX-001 is satisfied OR an explicit exemption exists with a documented rationale in the spec/PR.
+- Shared layout builders such as `MainAsideForm`, `MainAsideInfolist`, and `StandardTableDefaults` SHOULD be reused where available.
+- A change is not Done unless UX-001 is satisfied or an approved exception documents why not.
 
-### Operator-facing UI Naming Standards (UI-NAMING-001)
+#### Operator-facing UI Naming Standards (UI-NAMING-001)
 
-Goal: operator-facing actions, run labels, notifications, audit prose, and related UI copy MUST use consistent,
-enterprise-grade product language.
+Goal: operator-facing actions, runs, notifications, audit prose, and navigation MUST use one clear domain vocabulary.
 
 Naming model
-- Operator-facing copy MUST distinguish four layers: Scope, Source/Domain, Operation, and Target Object.
-- Scope terms (`Workspace`, `Tenant`) describe execution context and MUST NOT be used as the primary action label unless they are the actual target object.
-- Source/Domain terms (`Intune`, `Entra`, `Teams`, future providers) are secondary and MUST NOT lead the primary label unless the current screen presents competing sources that need explicit disambiguation.
+- Operator-facing copy MUST distinguish Scope, Source/Domain, Operation, and Target Object.
+- Scope terms such as Workspace and Tenant describe execution context and MUST NOT become the primary action label unless they are the actual target object.
+- Source/domain terms such as Intune or Entra are secondary and lead only when same-screen disambiguation genuinely requires them.
 
-Primary action labels
-- Primary buttons, header actions, and menu actions MUST use `Verb + Object`.
-- Preferred examples: `Sync policies`, `Sync groups`, `Capture baseline`, `Compare baseline`, `Restore policy`, `Run review`, `Export review pack`.
-- Forbidden examples: `Sync from tenant`, `Backup tenant`, `Compare tenant`, `Sync from Intune`, `Run tenant sync now`, `Start inventory refresh from provider`.
+Primary labels
+- Primary buttons, header actions, and menu actions MUST use Verb + Object.
+- Preferred examples are `Sync policies`, `Sync groups`, `Capture baseline`, `Compare baseline`, `Restore policy`, `Run review`, and `Export review pack`.
+- Implementation-first labels such as `Sync from tenant`, `Sync from Intune`, `Run tenant sync now`, or `Start inventory refresh from provider` are forbidden.
 
-Domain vocabulary
-- Operator-facing copy MUST prefer product-domain objects such as `policies`, `groups`, `baseline`, `findings`, `review pack`, `alerts`, and `operations`.
-- Primary operator-facing copy MUST NOT use implementation-first terms such as `provider`, `gateway`, `resolver`, `collector`, `contract registry`, or `job dispatch`.
-- Source/domain details MAY appear in modal descriptions, helper text, run metadata, audit metadata, and notifications when needed for precision.
+Canonical nouns and routes
+- Every domain object MUST keep one canonical collection noun and one canonical singular noun.
+- Cross-shell or cross-panel navigation MUST preserve the same noun.
+- Operations is the canonical collection noun for run records. Runs MUST NOT appear as a competing primary collection noun.
 
 Run, notification, and audit semantics
-- Visible run titles MUST use the same domain vocabulary as the initiating action and SHOULD be concise noun phrases such as `Policy sync`, `Baseline capture`, `Baseline compare`, `Policy restore`, and `Tenant review`.
-- Notifications MUST use either `{Object} {state}` or `{Operation} {result}` and remain short, e.g. `Policy sync queued`, `Policy sync completed`, `Policy sync failed`, `Baseline compare detected drift`.
-- Audit prose MUST use the same operator-facing language, e.g. `{actor} queued policy sync`, `{actor} captured baseline`, `{actor} reopened finding`.
-- The same user-visible action MUST keep the same domain vocabulary across button labels, modal titles, run titles, notifications, and audit prose.
+- Visible run titles MUST use the same domain vocabulary as the initiating action and SHOULD remain concise noun phrases such as `Policy sync`, `Baseline capture`, `Baseline compare`, `Policy restore`, and `Tenant review`.
+- Notifications MUST use either `{Object} {state}` or `{Operation} {result}` and remain short.
+- Audit prose MUST use the same operator-facing language as the initiating action.
+- The same user-visible action MUST keep the same domain vocabulary across button labels, modal titles, run titles, notifications, audit prose, and related navigation.
 
 Verb standard
 - Preferred verbs are `Sync`, `Capture`, `Compare`, `Restore`, `Review`, `Export`, `Open`, `Archive`, `Resolve`, `Reopen`, and `Assign`.
-- `Start`, `Execute`, `Trigger`, and `Perform` SHOULD be avoided for operator-facing copy unless there is a deliberate domain reason.
-- `Run` MAY be used only when the object is itself run-like, such as `Run review` or `Run compare`; it MUST NOT be the generic fallback verb for all operations.
+- `Start`, `Execute`, `Trigger`, and `Perform` SHOULD be avoided unless the domain specifically requires them.
+- `Run` MAY be used only when the object is itself run-like, such as `Run review`; it MUST NOT become the fallback verb for everything.
 
 Current binding decision
 - The Policies screen primary action MUST be `Sync policies`.
@@ -332,16 +585,125 @@ ### Operator-facing UI Naming Standards (UI-NAMING-001)
 - The visible run label for that action MUST be `Policy sync`.
 - The audit prose for that action MUST be `{actor} queued policy sync`.
 
-Spec Scope Fields (SCOPE-002)
+#### Operator Surface Principles (OPSURF-001)
 
-- Every feature spec MUST declare:
-  - Scope: workspace | tenant | canonical-view
-  - Primary Routes
-  - Data Ownership: workspace-owned vs tenant-owned tables/records impacted
-  - RBAC: membership requirements + capability requirements
-- For canonical-view specs, the spec MUST define:
-  - Default filter behavior when tenant-context is active (e.g., prefilter to current tenant)
-  - Explicit entitlement checks that prevent cross-tenant leakage
+Goal: operator-facing surfaces MUST optimize for the operator's working question instead of raw implementation visibility.
+
+Operator-first default surfaces
+- `/admin` is operator-first.
+- Default-visible content MUST use operator language, clear scope, and actionable status communication.
+- Raw implementation details MUST NOT be default-visible on primary operator surfaces.
+
+Progressive disclosure for diagnostics
+- Diagnostic detail MAY exist, but it MUST be secondary and explicitly revealed.
+- JSON payloads, raw IDs, internal field names, provider error details, and low-level technical metadata belong in diagnostics surfaces rather than the primary content region.
+- Operators MUST NOT need to parse raw payloads to understand current state or next action.
+
+Distinct truth dimensions
+- When the domain has execution outcome, data completeness, governance result, lifecycle or readiness state, operability truth, health truth, trust/confidence, or next action semantics, the surface MUST keep them explicit instead of collapsing them into one ambiguous status.
+- If multiple truth dimensions are summarized, the default-visible UI MUST label each dimension clearly.
+
+Explicit mutation scope
+- Every state-changing action MUST communicate before execution whether it affects TenantPilot only, the Microsoft tenant, or simulation only.
+- Mutation scope MUST be understandable from nearby action copy, helper text, preview, or confirmation.
+
+Safe execution
+- Dangerous actions MUST follow a consistent safety flow: configuration, safety checks or simulation, preview, hard confirmation where required, then execution.
+- One-click high-blast-radius actions are forbidden unless an approved exception documents replacement safeguards.
+
+Explicit workspace and tenant context
+- Workspace and tenant context MUST remain explicit in navigation, action copy, and page semantics.
+- Tenant surfaces MUST NOT silently expose workspace-wide actions.
+- Canonical workspace views that operate on tenant-owned records MUST make both workspace and tenant context legible before the operator acts.
+
+Critical truth visibility and scanability
+- Critical operational truth MUST be default-visible wherever the list or summary surface is used to prepare decisions.
+- Standard CRUD surfaces MUST preserve scanability and MUST avoid collapsing multiple truth dimensions into one generic badge or one prose-heavy row.
+
+Page contract requirement
+- Every new or materially refactored operator-facing page MUST define the primary persona, surface type, primary operator question, default-visible information, diagnostics-only information, status dimensions used, mutation scope, primary actions, and dangerous actions.
+- The page contract MUST live in the governing spec and stay in sync with implementation.
+
+#### Spec Scope Fields (SCOPE-002)
+
+- Every feature spec MUST declare Scope, Primary Routes, Data Ownership, and RBAC requirements.
+- Canonical-view specs MUST define the default filter behavior when tenant context is active and the entitlement checks that prevent cross-tenant leakage.
+
+#### Enforcement Model (UI-REVIEW-001)
+
+Spec review requirements
+- Every spec that changes an operator-facing surface MUST answer: surface type, primary inspect/open model, row-click rule, whether explicit View/Inspect exists or is forbidden, where secondary actions live, where destructive actions live, canonical collection route, canonical detail route, scope signals and their exact meaning, canonical noun, critical truth visible by default, and whether an exception type is used.
+- Missing any of those answers makes the spec incomplete.
+
+PR review requirements
+- A PR MUST NOT pass when it introduces more than one primary inspect model, redundant View beside row click, destructive inline actions beside inspect on standard lists, empty overflow or bulk groups, long workflow labels in dense rows, misleading scope chips, drifting domain nouns, hidden critical operational truth, or undocumented exceptions without dedicated tests.
+
+Guard tests
+- Repository guards SHOULD validate: declared surface type, conformant primary inspect model, absence of redundant View actions, presence of explicit Inspect on Queue / Review and History / Audit surfaces, absence of empty `ActionGroup` or `BulkActionGroup`, correct placement of destructive actions, truthful scope signals, stable canonical nouns across shells, and dedicated tests for every approved exception.
+
+#### Immediate Retrofit Priorities
+
+Wave 1 - Interaction normalization
+- First fixes target redundant row click plus View, destructive row actions on standard lists, empty overflow or bulk groups, and rows that have become pseudo-control centers.
+- First-slice focus surfaces are Tenants, Workspaces, Policies, Alert Deliveries, and other CRUD-first list surfaces with the same drift pattern.
+- Wave 1 is done only when each surface has exactly one primary inspect model, destructive actions are protected, and placeholder groups are gone.
+
+Wave 2 - Scope, nouns, and truth
+- Then fix scope and context leaks, stabilize canonical nouns, make cross-panel transitions explicit, move critical operational truth to default-visible regions, and reduce prose-heavy dense rows.
+
+Wave 3 - Enforcement
+- Then move the constitution into repo enforcement, require the PR checklist, anchor guard tests, and trim old declaration-only action-surface checks until behavior is the governing truth.
+
+#### Appendix A - One-page Condensed Constitution
+
+- Every admin surface has one surface type.
+- Every list has exactly one primary inspect/open model.
+- CRUD and Registry surfaces use one-click open.
+- Queue and Audit surfaces use explicit Inspect.
+- Edit-as-inspect exists only for Config-lite resources.
+- Standard lists expose at most one inline safe shortcut.
+- Destructive actions never sit openly beside inspect on standard lists.
+- Overflow is standardized per surface class and is never empty.
+- Bulk exists only when it is genuinely useful.
+- Scope chips must be truthful.
+- Domain nouns are canonical and stable.
+- Critical operational truth is default-visible.
+- Semantic truth dimensions are not collapsed into a generic status.
+- Standard lists stay scanable.
+- Exceptions are catalogued, justified, and tested.
+- Features with ambiguous interaction semantics do not ship.
+
+#### Appendix B - Feature Review Checklist
+
+- Surface type is declared.
+- Primary inspect/open model is defined.
+- Row-click rule is decided.
+- View/Inspect is correctly present or correctly forbidden.
+- Edit-as-inspect is used only when allowed.
+- Secondary actions are grouped correctly.
+- Destructive actions are placed correctly.
+- Overflow is not empty.
+- Bulk is justified.
+- Inline labels are short.
+- Scope signals are truthful.
+- Canonical nouns stay consistent.
+- Critical truth is visible.
+- Scanability is preserved.
+- Exceptions are documented and tested.
+
+#### Appendix C - Red Flags for Future PRs
+
+- Row click and View open the same destination.
+- A row becomes a control center.
+- Archive or Delete sits openly beside View or Inspect on a standard list.
+- More menus or bulk menus are empty.
+- Scope chips have no real scope effect.
+- Runs and Operations are used as competing primary collection nouns.
+- Long workflow labels live in dense tables.
+- Edit is used as default inspect even though a true View surface exists.
+- Queue surfaces throw the operator out of context through row click.
+- Critical health or operability truth is hidden by default.
+- A contract claims conformance while the rendered UI behaves differently.
 
 ### Data Minimization & Safe Logging
 - Inventory MUST store only metadata + whitelisted `meta_jsonb`.
@@ -354,6 +716,39 @@ ### Badge Semantics Are Centralized (BADGE-001)
 - Introducing or changing a status-like value MUST include updating the relevant badge mapper and adding/updating tests for the mapping.
 - Tag/category chips (e.g., type/platform/environment) are not status-like and are not governed by BADGE-001.
 
+### Filament Native First / No Ad-hoc Styling (UI-FIL-001)
+- Admin and operator-facing surfaces MUST use native Filament components, existing shared UI primitives, and centralized design patterns first.
+- If Filament already provides the required semantic element, feature code MUST use the Filament-native component instead of a locally assembled replacement.
+- Preferred native elements include `x-filament::badge`, `x-filament::button`, `x-filament::icon`, and Filament Forms, Infolists, Tables, Sections, Tabs, Grids, and Actions.
+
+Forbidden local replacements
+- Feature code MUST NOT hand-build badges, pills, status chips, alert cards, or action buttons from raw `<span>`, `<div>`, or `<button>` markup plus Tailwind classes when Filament-native or shared project primitives can express the same meaning.
+- Feature code MUST NOT introduce page-local visual status languages for status, risk, outcome, drift, trust, importance, or severity.
+- Feature code MUST NOT make local color, border, rounding, or emphasis decisions for semantic UI states using ad-hoc classes such as `bg-danger-100`, `text-warning-900`, `border-dashed`, or `rounded-full` when the same state can be expressed through Filament props or shared primitives.
+
+Shared primitive before local override
+- If the same UI pattern can recur, it MUST use an existing shared primitive or introduce a new central primitive instead of reassembling the pattern inside a Blade view.
+- Central badge and status catalogs remain the canonical source for status semantics; local views MUST consume them rather than re-map them.
+
+Upgrade-safe preference
+- Update-safe, framework-native implementations take priority over page-local styling shortcuts.
+- Filament props such as `color`, `icon`, and standard component composition are the default mechanism for semantic emphasis.
+- Publishing or emulating Filament internals for cosmetic speed is not acceptable when native composition or shared primitives are sufficient.
+
+Exception rule
+- Ad-hoc markup or styling is allowed only when all of the following are true:
+  - native Filament components cannot express the required semantics,
+  - no suitable shared primitive exists,
+  - and the deviation is justified briefly in code and in the governing spec or PR.
+- Approved exceptions MUST stay layout-neutral, use the minimum local classes necessary, and MUST NOT invent a new page-local status language.
+
+Review and enforcement
+- Every UI review MUST answer:
+  - which native Filament element or shared primitive was used,
+  - why an existing component was insufficient if an exception was taken,
+  - and whether any ad-hoc status or emphasis styling was introduced.
+- UI work is not Done if it introduces ad-hoc status styling or framework-foreign replacement components where a native Filament or shared UI solution was viable.
+
 ### Incremental UI Standards Enforcement (UI-STD-001)
 - UI consistency is enforced incrementally, not by recurring cleanup passes.
 - New tables, filters, and list surfaces MUST follow established Filament-native standards from the first implementation.
@@ -375,9 +770,12 @@ ## Quality Gates
 
 ## Governance
 
-### Scope & Compliance
+### Scope, Compliance, and Review Expectations
 - This constitution applies across the repo. Feature specs may add stricter constraints but not weaker ones.
 - Restore semantics changes require: spec update, checklist update (if applicable), and tests proving safety.
+- Specs and PRs that introduce new persisted truth, abstractions, states, DTO/presenter layers, or taxonomies MUST include the proportionality review required by BLOAT-001.
+- Review and approval MUST favor simplification, replacement, and absorption over additive semantic layering.
+- Future-release preparation alone is not sufficient justification for new persistence or frameworkization unless security, tenant isolation, auditability, compliance evidence, or queue correctness already require it.
 
 ### Amendment Procedure
 - Propose changes as a PR that updates `.specify/memory/constitution.md`.
@@ -389,4 +787,4 @@ ### Versioning Policy (SemVer)
 - **MINOR**: new principle/section or materially expanded guidance.
 - **MAJOR**: removing/redefining principles in a backward-incompatible way.
 
-**Version**: 1.11.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-03-10
+**Version**: 2.0.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-03-28

.specify/templates/plan-template.md

@@ -48,9 +48,28 @@ ## Constitution Check
 - Ops-UX system runs: initiator-null runs emit no terminal DB notification; audit remains via Monitoring; tenant-wide alerting goes through Alerts (not OperationRun notifications)
 - Automation: queued/scheduled ops use locks + idempotency; handle 429/503 with backoff+jitter
 - Data minimization: Inventory stores metadata + whitelisted meta; logs contain no secrets/tokens
+- Proportionality (PROP-001): any new structure, layer, persisted truth, or semantic machinery is justified by current release truth, current operator workflow, and why a narrower solution is insufficient
+- No premature abstraction (ABSTR-001): no new factories, registries, resolvers, strategy systems, interfaces, type registries, or orchestration pipelines before at least 2 real concrete cases exist, unless security, tenant isolation, auditability, compliance evidence, or queue correctness require it now
+- Persisted truth (PERSIST-001): new tables/entities/artifacts represent independent product truth or lifecycle; convenience projections and UI helpers stay derived
+- Behavioral state (STATE-001): new states/statuses/reason codes change behavior, routing, permissions, lifecycle, audit, retention, or retry handling; presentation-only distinctions stay derived
+- UI semantics (UI-SEM-001): avoid turning badges, explanation text, trust/confidence labels, or detail summaries into mandatory interpretation frameworks; prefer direct domain-to-UI mapping
+- V1 explicitness / few layers (V1-EXP-001, LAYER-001): prefer direct implementation, local mappings, and small helpers; any new layer replaces an old one or proves the old one cannot serve
+- Spec discipline / bloat check (SPEC-DISC-001, BLOAT-001): related semantic changes are grouped coherently, and any new enum, DTO/presenter, persisted entity, interface/registry/resolver, or taxonomy includes a proportionality review covering operator problem, insufficiency, narrowness, ownership cost, rejected alternative, and whether it is current-release truth
 - Badge semantics (BADGE-001): status-like badges use `BadgeCatalog` / `BadgeRenderer`; no ad-hoc mappings; new values include tests
+- Filament-native UI (UI-FIL-001): admin/operator surfaces use native Filament components or shared primitives first; no ad-hoc status UI, local semantic color/border decisions, or hand-built replacements when native/shared semantics exist; any exception is explicitly justified
+- UI/UX surface taxonomy (UI-CONST-001 / UI-SURF-001): every changed operator-facing surface is classified as exactly one allowed surface type; ad-hoc interaction models are forbidden
+- UI/UX inspect model (UI-HARD-001): each list surface has exactly one primary inspect/open model; redundant View beside row click or identifier click is forbidden; edit-as-inspect is limited to Config-lite resources
+- UI/UX action hierarchy (UI-HARD-001 / UI-EX-001): standard CRUD and Registry rows expose at most one inline safe shortcut; destructive actions are grouped or in the detail header; queue exceptions are catalogued, justified, and tested
+- UI/UX scope, truth, and naming (UI-HARD-001 / UI-NAMING-001 / OPSURF-001): scope signals are truthful, canonical nouns stay stable across shells, critical operational truth is default-visible, and standard lists remain scanable
+- UI/UX placeholder ban (UI-HARD-001): empty `ActionGroup` / `BulkActionGroup` placeholders and declaration-only UI conformance are forbidden
 - UI naming (UI-NAMING-001): operator-facing labels use `Verb + Object`; scope (`Workspace`, `Tenant`) is never the primary action label; source/domain is secondary unless disambiguation is required; runs/toasts/audit prose use the same domain vocabulary; implementation-first terms do not appear in primary operator UI
-- Filament UI Action Surface Contract: for any new/modified Filament Resource/RelationManager/Page, define Header/Row/Bulk/Empty-State actions, ensure every List/Table has a record inspection affordance (prefer `recordUrl()` clickable rows; do not render a lone View row action), keep max 2 visible row actions with the rest in “More”, group bulk actions, require confirmations for destructive actions (typed confirmation for large/bulk where applicable), write audit logs for mutations, enforce RBAC via central helpers (non-member 404, member missing capability 403), and ensure CI blocks merges if the contract is violated or not explicitly exempted
+- Operator surfaces (OPSURF-001): `/admin` defaults are operator-first; default-visible content avoids raw implementation detail; diagnostics are explicitly revealed secondarily
+- Operator surfaces (OPSURF-001): execution outcome, data completeness, governance result, and lifecycle/readiness are modeled as distinct status dimensions when all apply; they are not collapsed into one ambiguous status
+- Operator surfaces (OPSURF-001): every mutating action communicates whether it changes TenantPilot only, the Microsoft tenant, or simulation only before execution
+- Operator surfaces (OPSURF-001): dangerous actions follow configuration → safety checks/simulation → preview → hard confirmation where required → execute, unless a spec documents an explicit exemption and replacement safeguards
+- Operator surfaces (OPSURF-001): workspace and tenant context remain explicit in navigation, actions, and page semantics; tenant surfaces do not silently expose workspace-wide actions
+- Operator surfaces (OPSURF-001): each new or materially refactored operator-facing page defines a page contract covering persona, surface type, operator question, default-visible info, diagnostics-only info, status dimensions, mutation scope, primary actions, and dangerous actions
+- Filament UI Action Surface Contract: for any new/modified Filament Resource/RelationManager/Page, define Header/Row/Bulk/Empty-State actions, ensure every List/Table has a surface-appropriate inspect affordance, remove redundant View when row click or identifier click already opens the same destination, keep standard CRUD/Registry rows to inspect plus at most one inline safe shortcut, group or relocate the rest to “More” or detail header, forbid empty bulk/overflow groups, require confirmations for destructive actions, write audit logs for mutations, enforce RBAC via central helpers (non-member 404, member missing capability 403), and ensure CI blocks merges if the contract is violated or not explicitly exempted
 - Filament UI UX-001 (Layout & IA): Create/Edit uses Main/Aside (3-col grid, Main=columnSpan(2), Aside=columnSpan(1)); all fields inside Sections/Cards (no naked inputs); View uses Infolists (not disabled edit forms); status badges use BADGE-001; empty states have specific title + explanation + 1 CTA; max 1 primary + 1 secondary header action; tables provide search/sort/filters for core dimensions; shared layout builders preferred for consistency
 ## Project Structure
 
@@ -115,9 +134,20 @@ # [REMOVE IF UNUSED] Option 3: Mobile + API (when "iOS/Android" detected)
 
 ## Complexity Tracking
 
-> **Fill ONLY if Constitution Check has violations that must be justified**
+> **Fill when Constitution Check has violations that must be justified OR when BLOAT-001 is triggered by new persistence, abstractions, states, or semantic frameworks.**
 
 | Violation | Why Needed | Simpler Alternative Rejected Because |
 |-----------|------------|-------------------------------------|
 | [e.g., 4th project] | [current need] | [why 3 projects insufficient] |
 | [e.g., Repository pattern] | [specific problem] | [why direct DB access insufficient] |
+
+## Proportionality Review
+
+> **Fill when the feature introduces a new enum/status family, DTO/presenter/envelope, persisted entity/table/artifact, interface/contract/registry/resolver, taxonomy/classification system, or cross-domain UI framework.**
+
+- **Current operator problem**: [What present-day workflow or risk requires this?]
+- **Existing structure is insufficient because**: [Why the current code cannot serve safely or clearly]
+- **Narrowest correct implementation**: [Why this shape is the smallest viable one]
+- **Ownership cost created**: [Maintenance, testing, cognitive load, migration, or review burden]
+- **Alternative intentionally rejected**: [Simpler option and why it failed]
+- **Release truth**: [Current-release truth or future-release preparation]

.specify/templates/spec-template.md

@@ -17,6 +17,44 @@ ## Spec Scope Fields *(mandatory)*
 - **Default filter behavior when tenant-context is active**: [e.g., prefilter to current tenant]
 - **Explicit entitlement checks preventing cross-tenant leakage**: [Describe checks]
 
+## UI/UX Surface Classification *(mandatory when operator-facing surfaces are changed)*
+
+If this feature adds or materially changes an operator-facing list, detail, queue, audit, config, or report surface,
+fill out one row per affected surface.
+
+| Surface | Surface Type | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type |
+|---|---|---|---|---|---|---|---|---|---|---|---|
+| e.g. Tenant policies page | CRUD / List-first Resource | Full-row click | required | One inline safe shortcut + More | More / detail header | /admin/t/{tenant}/policies | /admin/t/{tenant}/policies/{record} | Tenant chip scopes rows and actions | Policies / Policy | Policy health, drift, assignment coverage | none |
+
+## Operator Surface Contract *(mandatory when operator-facing surfaces are changed)*
+
+If this feature adds a new operator-facing page or materially refactors one, fill out one row per affected page/surface.
+
+| Surface | Primary Persona | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
+|---|---|---|---|---|---|---|---|---|---|
+| e.g. Tenant policies page | Tenant operator | List/detail | What needs action right now? | Policy health, drift, assignment coverage | Raw payloads, provider IDs, low-level API details | lifecycle, data completeness, governance result | TenantPilot only / Microsoft tenant / simulation only | Sync policies, View policy | Restore policy |
+
+## Proportionality Review *(mandatory when structural complexity is introduced)*
+
+Fill this section if the feature introduces any of the following:
+- a new source of truth
+- a new persisted entity, table, or artifact
+- a new abstraction (interface, contract, registry, resolver, strategy, factory, orchestration layer)
+- a new enum, status family, reason code family, or lifecycle category
+- a new cross-domain UI framework, taxonomy, or classification system
+
+- **New source of truth?**: [yes/no]
+- **New persisted entity/table/artifact?**: [yes/no]
+- **New abstraction?**: [yes/no]
+- **New enum/state/reason family?**: [yes/no]
+- **New cross-domain UI framework/taxonomy?**: [yes/no]
+- **Current operator problem**: [What present-day workflow or risk does this solve?]
+- **Existing structure is insufficient because**: [Why the current implementation shape cannot safely or clearly solve it]
+- **Narrowest correct implementation**: [Why this is the smallest viable solution]
+- **Ownership cost**: [What maintenance, testing, review, migration, or conceptual cost this adds]
+- **Alternative intentionally rejected**: [What simpler option was considered and why it was not sufficient]
+- **Release truth**: [Current-release truth or future-release preparation]
+
 ## User Scenarios & Testing *(mandatory)*
 
 <!--
@@ -94,6 +132,16 @@ ## Requirements *(mandatory)*
 (preview/confirmation/audit), tenant isolation, run observability (`OperationRun` type/identity/visibility), and tests.
 If security-relevant DB-only actions intentionally skip `OperationRun`, the spec MUST describe `AuditLog` entries.
 
+**Constitution alignment (PROP-001 / ABSTR-001 / PERSIST-001 / STATE-001 / BLOAT-001):** If this feature introduces new persistence,
+new abstractions, new states, or new semantic layers, the spec MUST explain:
+- which current operator workflow or current product truth requires the addition now,
+- why a narrower implementation is insufficient,
+- whether the addition is current-release truth or future-release preparation,
+- what ownership cost it creates,
+- and how the choice follows the default bias of deriving before persisting, replacing before layering, and being explicit before generic.
+If the feature introduces a new enum/status family, DTO/presenter/envelope, persisted entity/table, interface/contract/registry/resolver,
+or taxonomy/classification system, the Proportionality Review section above is mandatory.
+
 **Constitution alignment (OPS-UX):** If this feature creates/reuses an `OperationRun`, the spec MUST:
 - explicitly state compliance with the Ops-UX 3-surface feedback contract (toast intent-only, progress surfaces, terminal DB notification),
 - state that `OperationRun.status` / `OperationRun.outcome` transitions are service-owned (only via `OperationRunService`),
@@ -119,6 +167,12 @@ ## Requirements *(mandatory)*
 **Constitution alignment (BADGE-001):** If this feature changes status-like badges (status/outcome/severity/risk/availability/boolean),
 the spec MUST describe how badge semantics stay centralized (no ad-hoc mappings) and which tests cover any new/changed values.
 
+**Constitution alignment (UI-FIL-001):** If this feature adds or changes Filament or Blade UI for admin/operator surfaces, the spec MUST describe:
+- which native Filament components or shared UI primitives are used,
+- whether any local replacement markup was avoided for badges, alerts, buttons, or status surfaces,
+- how semantic emphasis is expressed through Filament props or central primitives rather than page-local color/border classes,
+- and any exception where Filament or a shared primitive was insufficient, including why the exception is necessary and how it avoids introducing a new local status language.
+
 **Constitution alignment (UI-NAMING-001):** If this feature adds or changes operator-facing buttons, header actions, run titles,
 notifications, audit prose, or related helper copy, the spec MUST describe:
 - the target object,
@@ -127,9 +181,41 @@ ## Requirements *(mandatory)*
 - how the same domain vocabulary is preserved across button labels, modal titles, run titles, notifications, and audit prose,
 - and how implementation-first terms are kept out of primary operator-facing labels.
 
+**Constitution alignment (UI-CONST-001 / UI-SURF-001 / UI-HARD-001 / UI-EX-001 / UI-REVIEW-001):** If this feature adds or changes an operator-facing surface, the spec MUST describe:
+- the chosen surface type and why it is the correct classification,
+- the one and only primary inspect/open model,
+- whether row click is required, allowed, or forbidden,
+- whether explicit View or Inspect is present, and why it is present or forbidden,
+- where secondary actions live,
+- where destructive actions live,
+- the canonical collection route and canonical detail route,
+- the scope signals shown to the operator and what real effect each one has,
+- the canonical noun used across routes, labels, runs, notifications, and audit prose,
+- which critical operational truth is visible by default,
+- and any catalogued exception type, rationale, and dedicated test coverage.
+
+**Constitution alignment (OPSURF-001):** If this feature adds or materially refactors an operator-facing surface, the spec MUST describe:
+- how the default-visible content stays operator-first on `/admin` and avoids raw implementation detail,
+- which diagnostics are secondary and how they are explicitly revealed,
+- which status dimensions are shown separately (execution outcome, data completeness, governance result, lifecycle/readiness) and why,
+- how each mutating action communicates its mutation scope before execution (`TenantPilot only`, `Microsoft tenant`, or `simulation only`),
+- how dangerous actions follow the safe-execution pattern (configuration, safety checks/simulation, preview, hard confirmation where required, execute),
+- how workspace and tenant context remain explicit in navigation, action copy, and page semantics,
+- and the page contract for each new or materially refactored operator-facing page.
+
+**Constitution alignment (UI-SEM-001 / LAYER-001 / TEST-TRUTH-001):** If this feature adds UI semantics, presenters, explanation layers,
+status taxonomies, or other interpretation layers, the spec MUST describe:
+- why direct mapping from canonical domain truth to UI is insufficient,
+- which existing layer is replaced or why no existing layer can serve,
+- how the feature avoids creating redundant truth across models, service results, presenters, summaries, wrappers, and persisted mirrors,
+- and how tests focus on business consequences rather than thin indirection alone.
+
 **Constitution alignment (Filament Action Surfaces):** If this feature adds or modifies any Filament Resource / RelationManager / Page,
 the spec MUST include a “UI Action Matrix” (see below) and explicitly state whether the Action Surface Contract is satisfied.
+The same section MUST state that each affected surface has exactly one primary inspect/open model, that redundant View actions are absent,
+that empty `ActionGroup` / `BulkActionGroup` placeholders are absent, and that destructive actions follow the required placement rules for the chosen surface type.
 If the contract is not satisfied, the spec MUST include an explicit exemption with rationale.
+The same section MUST also state whether UI-FIL-001 is satisfied and identify any approved exception.
 **Constitution alignment (UX-001 — Layout & Information Architecture):** If this feature adds or modifies any Filament screen,
 the spec MUST describe compliance with UX-001: Create/Edit uses Main/Aside layout (3-col grid), all fields inside Sections/Cards
 (no naked inputs), View pages use Infolists (not disabled edit forms), status badges use BADGE-001, empty states have a specific
@@ -158,7 +244,7 @@ ## UI Action Matrix *(mandatory when Filament is changed)*
 If this feature adds/modifies any Filament Resource / RelationManager / Page, fill out the matrix below.
 
 For each surface, list the exact action labels, whether they are destructive (confirmation? typed confirmation?),
-RBAC gating (capability + enforcement helper), and whether the mutation writes an audit log.
+RBAC gating (capability + enforcement helper), whether the mutation writes an audit log, and any exemption or exception used.
 
 | Surface | Location | Header Actions | Inspect Affordance (List/Table) | Row Actions (max 2 visible) | Bulk Actions (grouped) | Empty-State CTA(s) | View Header Actions | Create/Edit Save+Cancel | Audit log? | Notes / Exemptions |
 |---|---|---|---|---|---|---|---|---|---|

.specify/templates/tasks-template.md

@@ -38,14 +38,33 @@ # Tasks: [FEATURE NAME]
 - using source/domain terms only where same-screen disambiguation is required,
 - aligning button labels, modal titles, run titles, notifications, and audit prose to the same domain vocabulary,
 - removing implementation-first wording from primary operator-facing copy.
+**Operator Surfaces**: If this feature adds or materially refactors an operator-facing page or flow, tasks MUST include:
+- filling the spec’s UI/UX Surface Classification for every affected surface,
+- filling the spec’s Operator Surface Contract for every affected page,
+- making default-visible content operator-first and moving JSON payloads, raw IDs, internal field names, provider error details, and low-level metadata into explicitly revealed diagnostics surfaces,
+- modeling execution outcome, data completeness, governance result, and lifecycle/readiness as distinct status dimensions when applicable,
+- making mutation scope legible before execution for every state-changing action (`TenantPilot only`, `Microsoft tenant`, or `simulation only`),
+- implementing the safe-execution flow for dangerous actions (configuration, safety checks/simulation, preview, hard confirmation where required, execute) or documenting an approved exemption,
+- keeping canonical nouns stable across routes, buttons, run titles, notifications, and audit prose,
+- keeping scope signals truthful and ensuring critical operational truth is visible by default,
+- keeping standard CRUD / Registry rows scanable rather than prose-heavy,
+- keeping workspace and tenant context explicit in navigation, actions, and page semantics so tenant pages do not silently expose workspace-wide actions.
 **Filament UI Action Surfaces**: If this feature adds/modifies any Filament Resource / RelationManager / Page, tasks MUST include:
 - filling the spec’s “UI Action Matrix” for all changed surfaces,
 - implementing required action surfaces (header/row/bulk/empty-state CTA for lists; header actions for view; consistent save/cancel on create/edit),
-- ensuring every List/Table has a record inspection affordance (prefer `recordUrl()` clickable rows; do not render a lone View row action),
-- enforcing the “max 2 visible row actions; everything else in More ActionGroup” rule,
+- ensuring every List/Table has exactly one primary inspect/open model with the correct surface-appropriate affordance,
+- removing redundant View/Inspect actions when row click or identifier click already opens the same destination,
+- keeping standard CRUD / Registry rows to inspect/open plus at most one inline safe shortcut,
+- moving additional secondary actions into More or the detail header,
+- placing destructive actions in More or the detail header for standard lists and using catalogued exceptions only where allowed,
 - grouping bulk actions via BulkActionGroup,
+- preventing empty `ActionGroup` / `BulkActionGroup` placeholders,
 - adding confirmations for destructive actions (and typed confirmation where required by scale),
 - adding `AuditLog` entries for relevant mutations,
+- using native Filament components or shared UI primitives before any local Blade/Tailwind assembly for badges, alerts, buttons, and semantic status surfaces,
+- avoiding page-local semantic color, border, rounding, or highlight styling when Filament props or shared primitives can express the same state,
+- documenting any catalogued UI exception in the spec/PR and adding dedicated test coverage,
+- documenting any UI-FIL-001 exception with rationale in the spec/PR,
 - adding/updated tests that enforce the contract and block merge on violations, OR documenting an explicit exemption with rationale.
 **Filament UI UX-001 (Layout & IA)**: If this feature adds/modifies any Filament screen, tasks MUST include:
 - ensuring Create/Edit pages use Main/Aside layout (3-col grid, Main=columnSpan(2), Aside=columnSpan(1)),
@@ -57,6 +76,13 @@ # Tasks: [FEATURE NAME]
 - OR documenting an explicit exemption with rationale if UX-001 is not fully satisfied.
 **Badges**: If this feature changes status-like badge semantics, tasks MUST use `BadgeCatalog` / `BadgeRenderer` (BADGE-001),
 avoid ad-hoc mappings in Filament, and include mapping tests for any new/changed values.
+**Proportionality / Anti-Bloat**: If this feature introduces a new enum/status family, DTO/presenter/envelope, persisted entity/table/artifact,
+interface/contract/registry/resolver, taxonomy/classification system, or cross-domain UI framework, tasks MUST include:
+- completing the spec’s Proportionality Review,
+- implementing the narrowest correct shape justified by current-release truth,
+- removing or replacing superseded layers where practical instead of stacking new ones on top,
+- keeping convenience projections and UI helpers derived unless independent persistence is explicitly justified,
+- and adding tests around business consequences, permissions, lifecycle behavior, isolation, or audit responsibilities rather than thin indirection alone.
 
 **Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story.
 
@@ -203,6 +229,7 @@ ## Phase N: Polish & Cross-Cutting Concerns
 - [ ] TXXX Performance optimization across all stories
 - [ ] TXXX [P] Additional unit tests (if requested) in tests/unit/
 - [ ] TXXX Security hardening
+- [ ] TXXX Proportionality cleanup: remove or collapse superseded layers introduced during implementation
 - [ ] TXXX Run quickstart.md validation
 
 ---

Agents.md

@@ -25,12 +25,14 @@ ## Scope Reference
 - Tenant-scoped RBAC and audit logs
 
 ## Workflow (Spec Kit)
-1. Read `.specify/constitution.md`
+1. Read `.specify/memory/constitution.md`
 2. For new work: create/update `specs/<NNN>-<slug>/spec.md`
 3. Produce `specs/<NNN>-<slug>/plan.md`
 4. Break into `specs/<NNN>-<slug>/tasks.md`
 5. Implement changes in small PRs
 
+Any spec that introduces a new persisted entity, abstraction, enum/status family, or taxonomy/framework must include the proportionality review required by the constitution before implementation starts.
+
 If requirements change during implementation, update spec/plan before continuing.
 
 ## Workflow (SDD in diesem Repo)
@@ -681,7 +683,7 @@ ## Foundational Context
 
 This application is a Laravel application and its main Laravel ecosystems package & versions are below. You are an expert with them all. Ensure you abide by these specific packages & versions.
 
-- php - 8.4.1
+- php - 8.4.15
 - filament/filament (FILAMENT) - v5
 - laravel/framework (LARAVEL) - v12
 - laravel/prompts (PROMPTS) - v0

GEMINI.md

@@ -521,7 +521,7 @@ ## Foundational Context
 
 This application is a Laravel application and its main Laravel ecosystems package & versions are below. You are an expert with them all. Ensure you abide by these specific packages & versions.
 
-- php - 8.4.1
+- php - 8.4.15
 - filament/filament (FILAMENT) - v5
 - laravel/framework (LARAVEL) - v12
 - laravel/prompts (PROMPTS) - v0

app/Console/Commands/ClassifyProviderConnections.php

@@ -0,0 +1,232 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Models\ProviderConnection;
+use App\Models\ProviderCredential;
+use App\Models\Tenant;
+use App\Services\Intune\AuditLogger;
+use App\Services\Providers\ProviderConnectionClassificationResult;
+use App\Services\Providers\ProviderConnectionClassifier;
+use App\Services\Providers\ProviderConnectionStateProjector;
+use App\Support\Providers\ProviderConnectionType;
+use App\Support\Providers\ProviderCredentialKind;
+use App\Support\Providers\ProviderCredentialSource;
+use Illuminate\Console\Command;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Support\Facades\DB;
+
+class ClassifyProviderConnections extends Command
+{
+    protected $signature = 'tenantpilot:provider-connections:classify
+        {--tenant= : Restrict to a tenant id, external id, or tenant guid}
+        {--connection= : Restrict to a single provider connection id}
+        {--provider=microsoft : Restrict to one provider}
+        {--chunk=100 : Chunk size for large write runs}
+        {--write : Persist the classification results}';
+
+    protected $description = 'Classify legacy provider connections into platform, dedicated, or review-required outcomes.';
+
+    public function handle(
+        ProviderConnectionClassifier $classifier,
+        ProviderConnectionStateProjector $stateProjector,
+    ): int {
+        $query = $this->query();
+        $write = (bool) $this->option('write');
+        $chunkSize = max(1, (int) $this->option('chunk'));
+
+        $candidateCount = (clone $query)->count();
+
+        if ($candidateCount === 0) {
+            $this->info('No provider connections matched the classification scope.');
+
+            return self::SUCCESS;
+        }
+
+        $tenantCounts = (clone $query)
+            ->selectRaw('tenant_id, count(*) as aggregate')
+            ->groupBy('tenant_id')
+            ->pluck('aggregate', 'tenant_id')
+            ->map(static fn (mixed $count): int => (int) $count)
+            ->all();
+
+        $startedTenants = [];
+        $classifiedCount = 0;
+        $appliedCount = 0;
+        $reviewRequiredCount = 0;
+
+        $query
+            ->with(['tenant', 'credential'])
+            ->orderBy('id')
+            ->chunkById($chunkSize, function ($connections) use (
+                $classifier,
+                $stateProjector,
+                $write,
+                $tenantCounts,
+                &$startedTenants,
+                &$classifiedCount,
+                &$appliedCount,
+                &$reviewRequiredCount,
+            ): void {
+                foreach ($connections as $connection) {
+                    $classifiedCount++;
+
+                    $result = $classifier->classify(
+                        $connection,
+                        source: 'tenantpilot:provider-connections:classify',
+                    );
+
+                    if ($result->reviewRequired) {
+                        $reviewRequiredCount++;
+                    }
+
+                    if (! $write) {
+                        continue;
+                    }
+
+                    $tenant = $connection->tenant;
+
+                    if (! $tenant instanceof Tenant) {
+                        $this->warn(sprintf('Skipping provider connection #%d without tenant context.', (int) $connection->getKey()));
+
+                        continue;
+                    }
+
+                    $tenantKey = (int) $tenant->getKey();
+
+                    if (! array_key_exists($tenantKey, $startedTenants)) {
+                        $this->auditStart($tenant, $tenantCounts[$tenantKey] ?? 0);
+                        $startedTenants[$tenantKey] = true;
+                    }
+
+                    $connection = $this->applyClassification($connection, $result, $stateProjector);
+                    $this->auditApplied($tenant, $connection, $result);
+                    $appliedCount++;
+                }
+            });
+
+        if ($write) {
+            $this->info(sprintf('Applied classifications: %d', $appliedCount));
+        } else {
+            $this->info(sprintf('Dry-run classifications: %d', $classifiedCount));
+        }
+
+        $this->info(sprintf('Review required: %d', $reviewRequiredCount));
+        $this->info(sprintf('Mode: %s', $write ? 'write' : 'dry-run'));
+
+        return self::SUCCESS;
+    }
+
+    private function query(): Builder
+    {
+        $query = ProviderConnection::query()
+            ->where('provider', (string) $this->option('provider'));
+
+        $tenantOption = $this->option('tenant');
+
+        if (is_string($tenantOption) && trim($tenantOption) !== '') {
+            $tenant = Tenant::query()
+                ->forTenant(trim($tenantOption))
+                ->firstOrFail();
+
+            $query->where('tenant_id', (int) $tenant->getKey());
+        }
+
+        $connectionOption = $this->option('connection');
+
+        if (is_numeric($connectionOption)) {
+            $query->whereKey((int) $connectionOption);
+        }
+
+        return $query;
+    }
+
+    private function applyClassification(
+        ProviderConnection $connection,
+        ProviderConnectionClassificationResult $result,
+        ProviderConnectionStateProjector $stateProjector,
+    ): ProviderConnection {
+        DB::transaction(function () use ($connection, $result, $stateProjector): void {
+            $connection->forceFill(
+                $connection->classificationProjection($result, $stateProjector)
+            )->save();
+
+            $credential = $connection->credential;
+
+            if (! $credential instanceof ProviderCredential) {
+                return;
+            }
+
+            $updates = [];
+
+            if (
+                $result->suggestedConnectionType === ProviderConnectionType::Dedicated
+                && $credential->source === null
+            ) {
+                $updates['source'] = ProviderCredentialSource::LegacyMigrated->value;
+            }
+
+            if ($credential->credential_kind === null && $credential->type === ProviderCredentialKind::ClientSecret->value) {
+                $updates['credential_kind'] = ProviderCredentialKind::ClientSecret->value;
+            }
+
+            if ($updates !== []) {
+                $credential->forceFill($updates)->save();
+            }
+        });
+
+        return $connection->fresh(['tenant', 'credential']);
+    }
+
+    private function auditStart(Tenant $tenant, int $candidateCount): void
+    {
+        app(AuditLogger::class)->log(
+            tenant: $tenant,
+            action: 'provider_connection.migration_classification_started',
+            context: [
+                'metadata' => [
+                    'source' => 'tenantpilot:provider-connections:classify',
+                    'provider' => 'microsoft',
+                    'candidate_count' => $candidateCount,
+                    'write' => true,
+                ],
+            ],
+            resourceType: 'tenant',
+            resourceId: (string) $tenant->getKey(),
+            status: 'success',
+        );
+    }
+
+    private function auditApplied(
+        Tenant $tenant,
+        ProviderConnection $connection,
+        ProviderConnectionClassificationResult $result,
+    ): void {
+        $effectiveApp = $connection->effectiveAppMetadata();
+
+        app(AuditLogger::class)->log(
+            tenant: $tenant,
+            action: 'provider_connection.migration_classification_applied',
+            context: [
+                'metadata' => [
+                    'source' => 'tenantpilot:provider-connections:classify',
+                    'workspace_id' => (int) $connection->workspace_id,
+                    'provider_connection_id' => (int) $connection->getKey(),
+                    'provider' => (string) $connection->provider,
+                    'entra_tenant_id' => (string) $connection->entra_tenant_id,
+                    'connection_type' => $connection->connection_type->value,
+                    'migration_review_required' => $connection->migration_review_required,
+                    'legacy_identity_result' => $result->suggestedConnectionType->value,
+                    'effective_app_id' => $effectiveApp['app_id'],
+                    'effective_app_source' => $effectiveApp['source'],
+                    'signals' => $result->signals,
+                ],
+            ],
+            resourceType: 'provider_connection',
+            resourceId: (string) $connection->getKey(),
+            status: 'success',
+        );
+    }
+}

app/Console/Commands/PurgeLegacyBaselineGapRuns.php

@@ -0,0 +1,153 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Models\OperationRun;
+use App\Models\Tenant;
+use Illuminate\Console\Command;
+
+class PurgeLegacyBaselineGapRuns extends Command
+{
+    protected $signature = 'tenantpilot:baselines:purge-legacy-gap-runs
+        {--type=* : Limit cleanup to baseline_compare and/or baseline_capture runs}
+        {--tenant=* : Limit cleanup to tenant ids or tenant external ids}
+        {--workspace=* : Limit cleanup to workspace ids}
+        {--limit=500 : Maximum candidate runs to inspect}
+        {--force : Actually delete matched legacy runs}';
+
+    protected $description = 'Purge development-only baseline compare/capture runs that still use legacy broad gap payloads.';
+
+    public function handle(): int
+    {
+        if (! app()->environment(['local', 'testing'])) {
+            $this->error('This cleanup command is limited to local and testing environments.');
+
+            return self::FAILURE;
+        }
+
+        $types = $this->normalizedTypes();
+        $workspaceIds = array_values(array_filter(
+            array_map(
+                static fn (mixed $workspaceId): int => is_numeric($workspaceId) ? (int) $workspaceId : 0,
+                (array) $this->option('workspace'),
+            ),
+            static fn (int $workspaceId): bool => $workspaceId > 0,
+        ));
+        $tenantIds = $this->resolveTenantIds(array_values(array_filter((array) $this->option('tenant'))));
+        $limit = max(1, (int) $this->option('limit'));
+        $dryRun = ! (bool) $this->option('force');
+
+        $query = OperationRun::query()
+            ->whereIn('type', $types)
+            ->orderBy('id')
+            ->limit($limit);
+
+        if ($workspaceIds !== []) {
+            $query->whereIn('workspace_id', $workspaceIds);
+        }
+
+        if ($tenantIds !== []) {
+            $query->whereIn('tenant_id', $tenantIds);
+        }
+
+        $candidates = $query->get();
+        $matched = $candidates
+            ->filter(static fn (OperationRun $run): bool => $run->hasLegacyBaselineGapPayload())
+            ->values();
+
+        if ($matched->isEmpty()) {
+            $this->info('No legacy baseline gap runs matched the current filters.');
+
+            return self::SUCCESS;
+        }
+
+        $this->table(
+            ['Run', 'Type', 'Tenant', 'Workspace', 'Legacy signal'],
+            $matched
+                ->map(fn (OperationRun $run): array => [
+                    'Run' => (string) $run->getKey(),
+                    'Type' => (string) $run->type,
+                    'Tenant' => $run->tenant_id !== null ? (string) $run->tenant_id : '—',
+                    'Workspace' => $run->workspace_id !== null ? (string) $run->workspace_id : '—',
+                    'Legacy signal' => $this->legacySignal($run),
+                ])
+                ->all(),
+        );
+
+        if ($dryRun) {
+            $this->warn(sprintf(
+                'Dry run: matched %d legacy baseline run(s). Re-run with --force to delete them.',
+                $matched->count(),
+            ));
+
+            return self::SUCCESS;
+        }
+
+        OperationRun::query()
+            ->whereKey($matched->modelKeys())
+            ->delete();
+
+        $this->info(sprintf('Deleted %d legacy baseline run(s).', $matched->count()));
+
+        return self::SUCCESS;
+    }
+
+    /**
+     * @return array<int, string>
+     */
+    private function normalizedTypes(): array
+    {
+        $types = array_values(array_unique(array_filter(
+            array_map(
+                static fn (mixed $type): ?string => is_string($type) && trim($type) !== '' ? trim($type) : null,
+                (array) $this->option('type'),
+            ),
+        )));
+
+        if ($types === []) {
+            return ['baseline_compare', 'baseline_capture'];
+        }
+
+        return array_values(array_filter(
+            $types,
+            static fn (string $type): bool => in_array($type, ['baseline_compare', 'baseline_capture'], true),
+        ));
+    }
+
+    /**
+     * @param  array<int, string>  $tenantIdentifiers
+     * @return array<int, int>
+     */
+    private function resolveTenantIds(array $tenantIdentifiers): array
+    {
+        if ($tenantIdentifiers === []) {
+            return [];
+        }
+
+        $tenantIds = [];
+
+        foreach ($tenantIdentifiers as $identifier) {
+            $tenant = Tenant::query()->forTenant($identifier)->first();
+
+            if ($tenant instanceof Tenant) {
+                $tenantIds[] = (int) $tenant->getKey();
+            }
+        }
+
+        return array_values(array_unique($tenantIds));
+    }
+
+    private function legacySignal(OperationRun $run): string
+    {
+        $byReason = $run->baselineGapEnvelope()['by_reason'] ?? null;
+        $byReason = is_array($byReason) ? $byReason : [];
+
+        if (array_key_exists('policy_not_found', $byReason)) {
+            return 'legacy_reason_code';
+        }
+
+        return 'legacy_subject_shape';
+    }
+}

app/Console/Commands/TenantpilotReconcileBackupScheduleOperationRuns.php

@@ -6,6 +6,7 @@
 use App\Models\OperationRun;
 use App\Models\Tenant;
 use App\Services\OperationRunService;
+use App\Services\Operations\OperationLifecycleReconciler;
 use App\Support\OperationRunOutcome;
 use Illuminate\Console\Command;
 
@@ -18,8 +19,10 @@ class TenantpilotReconcileBackupScheduleOperationRuns extends Command
 
     protected $description = 'Reconcile stuck backup schedule OperationRuns without legacy run-table lookups.';
 
-    public function handle(OperationRunService $operationRunService): int
-    {
+    public function handle(
+        OperationRunService $operationRunService,
+        OperationLifecycleReconciler $operationLifecycleReconciler,
+    ): int {
         $tenantIdentifiers = array_values(array_filter((array) $this->option('tenant')));
         $olderThanMinutes = max(0, (int) $this->option('older-than'));
         $dryRun = (bool) $this->option('dry-run');
@@ -96,31 +99,9 @@ public function handle(OperationRunService $operationRunService): int
                 continue;
             }
 
-            if ($operationRun->status === 'queued' && $operationRunService->isStaleQueuedRun($operationRun, max(1, $olderThanMinutes))) {
-                if (! $dryRun) {
-                    $operationRunService->failStaleQueuedRun($operationRun, 'Backup schedule run was queued but never started.');
-                }
-
-                $reconciled++;
-
-                continue;
-            }
-
-            if ($operationRun->status === 'running') {
-                if (! $dryRun) {
-                    $operationRunService->updateRun(
-                        $operationRun,
-                        status: 'completed',
-                        outcome: OperationRunOutcome::Failed->value,
-                        failures: [
-                            [
-                                'code' => 'backup_schedule.stalled',
-                                'message' => 'Backup schedule run exceeded reconciliation timeout and was marked failed.',
-                            ],
-                        ],
-                    );
-                }
+            $change = $operationLifecycleReconciler->reconcileRun($operationRun, $dryRun);
 
+            if ($change !== null) {
                 $reconciled++;
 
                 continue;

app/Console/Commands/TenantpilotReconcileOperationRuns.php

@@ -0,0 +1,105 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Models\Tenant;
+use App\Services\Operations\OperationLifecycleReconciler;
+use App\Support\Operations\OperationLifecyclePolicy;
+use Illuminate\Console\Command;
+
+class TenantpilotReconcileOperationRuns extends Command
+{
+    protected $signature = 'tenantpilot:operation-runs:reconcile
+        {--type=* : Limit reconciliation to one or more covered operation types}
+        {--tenant=* : Limit reconciliation to tenant_id or tenant external_id}
+        {--workspace=* : Limit reconciliation to workspace ids}
+        {--limit=100 : Maximum number of active runs to inspect}
+        {--dry-run : Report the changes without writing them}';
+
+    protected $description = 'Reconcile stale covered operation runs back to deterministic terminal truth.';
+
+    public function handle(
+        OperationLifecycleReconciler $reconciler,
+        OperationLifecyclePolicy $policy,
+    ): int {
+        $types = array_values(array_filter(
+            (array) $this->option('type'),
+            static fn (mixed $type): bool => is_string($type) && trim($type) !== '',
+        ));
+        $workspaceIds = array_values(array_filter(
+            array_map(
+                static fn (mixed $workspaceId): int => is_numeric($workspaceId) ? (int) $workspaceId : 0,
+                (array) $this->option('workspace'),
+            ),
+            static fn (int $workspaceId): bool => $workspaceId > 0,
+        ));
+        $tenantIds = $this->resolveTenantIds(array_values(array_filter((array) $this->option('tenant'))));
+        $dryRun = (bool) $this->option('dry-run');
+
+        if ($types === []) {
+            $types = $policy->coveredTypeNames();
+        }
+
+        $result = $reconciler->reconcile([
+            'types' => $types,
+            'tenant_ids' => $tenantIds,
+            'workspace_ids' => $workspaceIds,
+            'limit' => max(1, (int) $this->option('limit')),
+            'dry_run' => $dryRun,
+        ]);
+
+        $rows = collect($result['changes'] ?? [])
+            ->map(static function (array $change): array {
+                return [
+                    'Run' => (string) ($change['operation_run_id'] ?? '—'),
+                    'Type' => (string) ($change['type'] ?? '—'),
+                    'Reason' => (string) ($change['reason_code'] ?? '—'),
+                    'Applied' => (($change['applied'] ?? false) === true) ? 'yes' : 'no',
+                ];
+            })
+            ->values()
+            ->all();
+
+        if ($rows !== []) {
+            $this->table(['Run', 'Type', 'Reason', 'Applied'], $rows);
+        }
+
+        $this->info(sprintf(
+            'Inspected %d run(s); reconciled %d; skipped %d.',
+            (int) ($result['candidates'] ?? 0),
+            (int) ($result['reconciled'] ?? 0),
+            (int) ($result['skipped'] ?? 0),
+        ));
+
+        if ($dryRun) {
+            $this->comment('Dry-run: no changes written.');
+        }
+
+        return self::SUCCESS;
+    }
+
+    /**
+     * @param  array<int, string>  $tenantIdentifiers
+     * @return array<int, int>
+     */
+    private function resolveTenantIds(array $tenantIdentifiers): array
+    {
+        if ($tenantIdentifiers === []) {
+            return [];
+        }
+
+        $tenantIds = [];
+
+        foreach ($tenantIdentifiers as $identifier) {
+            $tenant = Tenant::query()->forTenant($identifier)->first();
+
+            if ($tenant instanceof Tenant) {
+                $tenantIds[] = (int) $tenant->getKey();
+            }
+        }
+
+        return array_values(array_unique($tenantIds));
+    }
+}

app/Exceptions/Onboarding/OnboardingDraftConflictException.php

@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Exceptions\Onboarding;
+
+use RuntimeException;
+
+class OnboardingDraftConflictException extends RuntimeException
+{
+    public function __construct(
+        public readonly int $draftId,
+        public readonly int $expectedVersion,
+        public readonly int $actualVersion,
+        string $message = 'This onboarding draft changed in another tab or session.',
+    ) {
+        parent::__construct($message);
+    }
+}

app/Exceptions/Onboarding/OnboardingDraftImmutableException.php

@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Exceptions\Onboarding;
+
+use App\Support\Onboarding\OnboardingLifecycleState;
+use RuntimeException;
+
+class OnboardingDraftImmutableException extends RuntimeException
+{
+    public function __construct(
+        public readonly int $draftId,
+        public readonly OnboardingLifecycleState $lifecycleState,
+        string $message = 'This onboarding draft is no longer editable.',
+    ) {
+        parent::__construct($message);
+    }
+}

app/Exceptions/ReviewPackEvidenceResolutionException.php

@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Exceptions;
+
+use App\Services\Evidence\EvidenceResolutionResult;
+use RuntimeException;
+
+class ReviewPackEvidenceResolutionException extends RuntimeException
+{
+    public function __construct(
+        public readonly EvidenceResolutionResult $result,
+        ?string $message = null,
+    ) {
+        parent::__construct($message ?? self::defaultMessage($result));
+    }
+
+    private static function defaultMessage(EvidenceResolutionResult $result): string
+    {
+        return match ($result->outcome) {
+            'missing_snapshot' => 'No eligible evidence snapshot is available for this review pack.',
+            'snapshot_ineligible' => 'The latest evidence snapshot is not eligible for review-pack generation.',
+            default => 'Evidence snapshot resolution failed.',
+        };
+    }
+}

app/Filament/Clusters/Inventory/InventoryCluster.php

@@ -6,6 +6,7 @@
 
 use BackedEnum;
 use Filament\Clusters\Cluster;
+use Filament\Facades\Filament;
 use Filament\Pages\Enums\SubNavigationPosition;
 use UnitEnum;
 
@@ -18,4 +19,13 @@ class InventoryCluster extends Cluster
     protected static string|UnitEnum|null $navigationGroup = 'Inventory';
 
     protected static ?string $navigationLabel = 'Items';
+
+    public static function shouldRegisterNavigation(): bool
+    {
+        if (Filament::getCurrentPanel()?->getId() === 'admin') {
+            return false;
+        }
+
+        return parent::shouldRegisterNavigation();
+    }
 }

app/Filament/Concerns/InteractsWithTenantOwnedRecords.php

@@ -0,0 +1,72 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Concerns;
+
+use App\Models\Tenant;
+use App\Support\WorkspaceIsolation\TenantOwnedQueryScope;
+use App\Support\WorkspaceIsolation\TenantOwnedRecordResolver;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Model;
+
+trait InteractsWithTenantOwnedRecords
+{
+    protected static function tenantOwnedRelationshipName(): string
+    {
+        $relationshipName = property_exists(static::class, 'tenantOwnershipRelationshipName')
+            ? static::$tenantOwnershipRelationshipName
+            : null;
+
+        return is_string($relationshipName) && $relationshipName !== ''
+            ? $relationshipName
+            : 'tenant';
+    }
+
+    protected static function resolveTenantContextForTenantOwnedRecords(): ?Tenant
+    {
+        if (method_exists(static::class, 'resolveTenantContextForCurrentPanel')) {
+            return static::resolveTenantContextForCurrentPanel();
+        }
+
+        if (method_exists(static::class, 'panelTenantContext')) {
+            return static::panelTenantContext();
+        }
+
+        return null;
+    }
+
+    public static function getTenantOwnedEloquentQuery(): Builder
+    {
+        return static::scopeTenantOwnedQuery(parent::getEloquentQuery());
+    }
+
+    protected static function scopeTenantOwnedQuery(Builder $query, ?Tenant $tenant = null): Builder
+    {
+        return app(TenantOwnedQueryScope::class)->apply(
+            $query,
+            $tenant ?? static::resolveTenantContextForTenantOwnedRecords(),
+            static::tenantOwnedRelationshipName(),
+        );
+    }
+
+    protected static function resolveTenantOwnedRecord(Model|int|string|null $record, ?Builder $query = null, ?Tenant $tenant = null): ?Model
+    {
+        $scopedQuery = static::scopeTenantOwnedQuery(
+            $query ?? parent::getEloquentQuery(),
+            $tenant,
+        );
+
+        return app(TenantOwnedRecordResolver::class)->resolve($scopedQuery, $record);
+    }
+
+    protected static function resolveTenantOwnedRecordOrFail(Model|int|string|null $record, ?Builder $query = null, ?Tenant $tenant = null): Model
+    {
+        $scopedQuery = static::scopeTenantOwnedQuery(
+            $query ?? parent::getEloquentQuery(),
+            $tenant,
+        );
+
+        return app(TenantOwnedRecordResolver::class)->resolveOrFail($scopedQuery, $record);
+    }
+}

app/Filament/Concerns/ResolvesPanelTenantContext.php

@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Concerns;
+
+use App\Models\Tenant;
+use App\Support\OperateHub\OperateHubShell;
+use Filament\Facades\Filament;
+use RuntimeException;
+
+trait ResolvesPanelTenantContext
+{
+    protected static function resolveTenantContextForCurrentPanel(): ?Tenant
+    {
+        if (Filament::getCurrentPanel()?->getId() === 'admin') {
+            $tenant = app(OperateHubShell::class)->tenantOwnedPanelContext(request());
+
+            return $tenant instanceof Tenant ? $tenant : null;
+        }
+
+        $tenant = Tenant::current();
+
+        return $tenant instanceof Tenant ? $tenant : null;
+    }
+
+    public static function panelTenantContext(): ?Tenant
+    {
+        return static::resolveTenantContextForCurrentPanel();
+    }
+
+    public static function trustedPanelTenantContext(): ?Tenant
+    {
+        return static::panelTenantContext();
+    }
+
+    protected static function resolveTenantContextForCurrentPanelOrFail(): Tenant
+    {
+        $tenant = static::resolveTenantContextForCurrentPanel();
+
+        if (! $tenant instanceof Tenant) {
+            throw new RuntimeException('No tenant context selected.');
+        }
+
+        return $tenant;
+    }
+
+    protected static function resolveTrustedPanelTenantContextOrFail(): Tenant
+    {
+        return static::resolveTenantContextForCurrentPanelOrFail();
+    }
+}

app/Filament/Concerns/ScopesGlobalSearchToTenant.php

@@ -4,6 +4,9 @@
 
 namespace App\Filament\Concerns;
 
+use App\Models\Tenant;
+use App\Support\OperateHub\OperateHubShell;
+use App\Support\WorkspaceIsolation\TenantOwnedModelFamilies;
 use Filament\Facades\Filament;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Model;
@@ -19,6 +22,10 @@ public static function getGlobalSearchEloquentQuery(): Builder
     {
         $query = static::getModel()::query();
 
+        if (! TenantOwnedModelFamilies::supportsScopedGlobalSearch(static::getModel())) {
+            return $query->whereRaw('1 = 0');
+        }
+
         if (! static::isScopedToTenant()) {
             $panel = Filament::getCurrentOrDefaultPanel();
 
@@ -27,7 +34,7 @@ public static function getGlobalSearchEloquentQuery(): Builder
             }
         }
 
-        $tenant = Filament::getTenant();
+        $tenant = static::resolveGlobalSearchTenant();
 
         if (! $tenant instanceof Model) {
             return $query->whereRaw('1 = 0');
@@ -41,4 +48,17 @@ public static function getGlobalSearchEloquentQuery(): Builder
 
         return $query->whereBelongsTo($tenant, static::$globalSearchTenantRelationship);
     }
+
+    protected static function resolveGlobalSearchTenant(): ?Model
+    {
+        if (Filament::getCurrentPanel()?->getId() === 'admin') {
+            $tenant = app(OperateHubShell::class)->activeEntitledTenant(request());
+
+            return $tenant instanceof Tenant ? $tenant : null;
+        }
+
+        $tenant = Filament::getTenant();
+
+        return $tenant instanceof Model ? $tenant : null;
+    }
 }

app/Filament/Pages/BaselineCompareLanding.php

@@ -4,6 +4,7 @@
 
 namespace App\Filament\Pages;
 
+use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Filament\Resources\FindingResource;
 use App\Models\OperationRun;
 use App\Models\Tenant;
@@ -12,7 +13,10 @@
 use App\Services\Baselines\BaselineCompareService;
 use App\Support\Auth\Capabilities;
 use App\Support\Baselines\BaselineCaptureMode;
+use App\Support\Baselines\BaselineCompareEvidenceGapDetails;
 use App\Support\Baselines\BaselineCompareStats;
+use App\Support\Baselines\TenantGovernanceAggregate;
+use App\Support\Baselines\TenantGovernanceAggregateResolver;
 use App\Support\OperationRunLinks;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
@@ -28,6 +32,8 @@
 
 class BaselineCompareLanding extends Page
 {
+    use ResolvesPanelTenantContext;
+
     protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-scale';
 
     protected static string|UnitEnum|null $navigationGroup = 'Governance';
@@ -56,6 +62,8 @@ class BaselineCompareLanding extends Page
 
     public ?int $duplicateNamePoliciesCount = null;
 
+    public ?int $duplicateNameSubjectsCount = null;
+
     public ?int $operationRunId = null;
 
     public ?int $findingsCount = null;
@@ -83,9 +91,24 @@ class BaselineCompareLanding extends Page
     /** @var array<string, int>|null */
     public ?array $evidenceGapsTopReasons = null;
 
+    /** @var array<string, mixed>|null */
+    public ?array $evidenceGapSummary = null;
+
+    /** @var list<array<string, mixed>>|null */
+    public ?array $evidenceGapBuckets = null;
+
+    /** @var array<string, mixed>|null */
+    public ?array $baselineCompareDiagnostics = null;
+
     /** @var array<string, int>|null */
     public ?array $rbacRoleDefinitionSummary = null;
 
+    /** @var array<string, mixed>|null */
+    public ?array $operatorExplanation = null;
+
+    /** @var array<string, mixed>|null */
+    public ?array $summaryAssessment = null;
+
     public static function canAccess(): bool
     {
         $user = auth()->user();
@@ -94,7 +117,7 @@ public static function canAccess(): bool
             return false;
         }
 
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         if (! $tenant instanceof Tenant) {
             return false;
@@ -112,7 +135,11 @@ public function mount(): void
 
     public function refreshStats(): void
     {
-        $stats = BaselineCompareStats::forTenant(Tenant::current());
+        $tenant = static::resolveTenantContextForCurrentPanel();
+        $stats = BaselineCompareStats::forTenant($tenant);
+        $aggregate = $tenant instanceof Tenant
+            ? $this->governanceAggregate($tenant, $stats)
+            : null;
 
         $this->state = $stats->state;
         $this->message = $stats->message;
@@ -120,6 +147,7 @@ public function refreshStats(): void
         $this->profileId = $stats->profileId;
         $this->snapshotId = $stats->snapshotId;
         $this->duplicateNamePoliciesCount = $stats->duplicateNamePoliciesCount;
+        $this->duplicateNameSubjectsCount = $stats->duplicateNameSubjectsCount;
         $this->operationRunId = $stats->operationRunId;
         $this->findingsCount = $stats->findingsCount;
         $this->severityCounts = $stats->severityCounts !== [] ? $stats->severityCounts : null;
@@ -136,7 +164,18 @@ public function refreshStats(): void
 
         $this->evidenceGapsCount = $stats->evidenceGapsCount;
         $this->evidenceGapsTopReasons = $stats->evidenceGapsTopReasons !== [] ? $stats->evidenceGapsTopReasons : null;
+        $this->evidenceGapSummary = is_array($stats->evidenceGapDetails['summary'] ?? null)
+            ? $stats->evidenceGapDetails['summary']
+            : null;
+        $this->evidenceGapBuckets = is_array($stats->evidenceGapDetails['buckets'] ?? null) && $stats->evidenceGapDetails['buckets'] !== []
+            ? $stats->evidenceGapDetails['buckets']
+            : null;
+        $this->baselineCompareDiagnostics = $stats->baselineCompareDiagnostics !== []
+            ? $stats->baselineCompareDiagnostics
+            : null;
         $this->rbacRoleDefinitionSummary = $stats->rbacRoleDefinitionSummary !== [] ? $stats->rbacRoleDefinitionSummary : null;
+        $this->operatorExplanation = $stats->operatorExplanation()->toArray();
+        $this->summaryAssessment = $aggregate?->summaryAssessment->toArray();
     }
 
     /**
@@ -149,26 +188,32 @@ public function refreshStats(): void
      */
     protected function getViewData(): array
     {
+        $evidenceGapSummary = is_array($this->evidenceGapSummary) ? $this->evidenceGapSummary : [];
         $hasCoverageWarnings = in_array($this->coverageStatus, ['warning', 'unproven'], true);
-        $evidenceGapsCountValue = (int) ($this->evidenceGapsCount ?? 0);
+        $evidenceGapsCountValue = is_numeric($evidenceGapSummary['count'] ?? null)
+            ? (int) $evidenceGapSummary['count']
+            : (int) ($this->evidenceGapsCount ?? 0);
         $hasEvidenceGaps = $evidenceGapsCountValue > 0;
         $hasWarnings = $hasCoverageWarnings || $hasEvidenceGaps;
         $hasRbacRoleDefinitionSummary = is_array($this->rbacRoleDefinitionSummary)
             && array_sum($this->rbacRoleDefinitionSummary) > 0;
+        $evidenceGapDetailState = is_string($evidenceGapSummary['detail_state'] ?? null)
+            ? (string) $evidenceGapSummary['detail_state']
+            : 'no_gaps';
+        $hasEvidenceGapDetailSection = $evidenceGapDetailState !== 'no_gaps';
+        $hasEvidenceGapDiagnostics = is_array($this->baselineCompareDiagnostics) && $this->baselineCompareDiagnostics !== [];
 
         $evidenceGapsSummary = null;
         $evidenceGapsTooltip = null;
 
-        if ($hasEvidenceGaps && is_array($this->evidenceGapsTopReasons) && $this->evidenceGapsTopReasons !== []) {
-            $parts = [];
-
-            foreach (array_slice($this->evidenceGapsTopReasons, 0, 5, true) as $reason => $count) {
-                if (! is_string($reason) || $reason === '' || ! is_numeric($count)) {
-                    continue;
-                }
-
-                $parts[] = $reason.' ('.((int) $count).')';
-            }
+        if ($hasEvidenceGaps) {
+            $parts = array_map(
+                static fn (array $reason): string => $reason['reason_label'].' ('.$reason['count'].')',
+                BaselineCompareEvidenceGapDetails::topReasons(
+                    is_array($evidenceGapSummary['by_reason'] ?? null) ? $evidenceGapSummary['by_reason'] : [],
+                    5,
+                ),
+            );
 
             if ($parts !== []) {
                 $evidenceGapsSummary = implode(', ', $parts);
@@ -204,12 +249,16 @@ protected function getViewData(): array
             'hasEvidenceGaps' => $hasEvidenceGaps,
             'hasWarnings' => $hasWarnings,
             'hasRbacRoleDefinitionSummary' => $hasRbacRoleDefinitionSummary,
+            'evidenceGapDetailState' => $evidenceGapDetailState,
+            'hasEvidenceGapDetailSection' => $hasEvidenceGapDetailSection,
+            'hasEvidenceGapDiagnostics' => $hasEvidenceGapDiagnostics,
             'evidenceGapsSummary' => $evidenceGapsSummary,
             'evidenceGapsTooltip' => $evidenceGapsTooltip,
             'findingsColorClass' => $findingsColorClass,
             'whyNoFindingsMessage' => $whyNoFindingsMessage,
             'whyNoFindingsFallback' => $whyNoFindingsFallback,
             'whyNoFindingsColor' => $whyNoFindingsColor,
+            'summaryAssessment' => is_array($this->summaryAssessment) ? $this->summaryAssessment : null,
         ];
     }
 
@@ -292,10 +341,10 @@ private function compareNowAction(): Action
                     return;
                 }
 
-                $tenant = Tenant::current();
+                $tenant = static::resolveTenantContextForCurrentPanel();
 
                 if (! $tenant instanceof Tenant) {
-                    Notification::make()->title('No tenant context')->danger()->send();
+                    Notification::make()->title('Select a tenant to compare baselines')->danger()->send();
 
                     return;
                 }
@@ -304,9 +353,22 @@ private function compareNowAction(): Action
                 $result = $service->startCompare($tenant, $user);
 
                 if (! ($result['ok'] ?? false)) {
+                    $reasonCode = is_string($result['reason_code'] ?? null) ? (string) $result['reason_code'] : 'unknown';
+
+                    $message = match ($reasonCode) {
+                        \App\Support\Baselines\BaselineReasonCodes::COMPARE_ROLLOUT_DISABLED => 'Full-content baseline compare is currently disabled for controlled rollout.',
+                        \App\Support\Baselines\BaselineReasonCodes::COMPARE_PROFILE_NOT_ACTIVE => 'The assigned baseline profile is not active.',
+                        \App\Support\Baselines\BaselineReasonCodes::COMPARE_NO_ACTIVE_SNAPSHOT,
+                        \App\Support\Baselines\BaselineReasonCodes::COMPARE_NO_CONSUMABLE_SNAPSHOT => 'No complete baseline snapshot is currently available for compare.',
+                        \App\Support\Baselines\BaselineReasonCodes::COMPARE_SNAPSHOT_BUILDING => 'The latest baseline capture is still building. Compare will be available after it completes.',
+                        \App\Support\Baselines\BaselineReasonCodes::COMPARE_SNAPSHOT_INCOMPLETE => 'The latest baseline capture is incomplete. Capture a new baseline before comparing.',
+                        \App\Support\Baselines\BaselineReasonCodes::COMPARE_SNAPSHOT_SUPERSEDED => 'A newer complete baseline snapshot is current. Compare uses the latest complete baseline only.',
+                        default => 'Reason: '.$reasonCode,
+                    };
+
                     Notification::make()
                         ->title('Cannot start comparison')
-                        ->body('Reason: '.($result['reason_code'] ?? 'unknown'))
+                        ->body($message)
                         ->danger()
                         ->send();
 
@@ -340,7 +402,7 @@ private function compareNowAction(): Action
 
     public function getFindingsUrl(): ?string
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         if (! $tenant instanceof Tenant) {
             return null;
@@ -355,7 +417,7 @@ public function getRunUrl(): ?string
             return null;
         }
 
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         if (! $tenant instanceof Tenant) {
             return null;
@@ -363,4 +425,15 @@ public function getRunUrl(): ?string
 
         return OperationRunLinks::view($this->operationRunId, $tenant);
     }
+
+    private function governanceAggregate(Tenant $tenant, BaselineCompareStats $stats): TenantGovernanceAggregate
+    {
+        /** @var TenantGovernanceAggregateResolver $resolver */
+        $resolver = app(TenantGovernanceAggregateResolver::class);
+
+        /** @var TenantGovernanceAggregate $aggregate */
+        $aggregate = $resolver->fromStats($tenant, $stats);
+
+        return $aggregate;
+    }
 }

app/Filament/Pages/ChooseTenant.php

@@ -7,6 +7,10 @@
 use App\Models\Tenant;
 use App\Models\User;
 use App\Models\UserTenantPreference;
+use App\Services\Tenants\TenantOperabilityService;
+use App\Support\Tenants\TenantInteractionLane;
+use App\Support\Tenants\TenantLifecyclePresentation;
+use App\Support\Tenants\TenantOperabilityQuestion;
 use App\Support\Workspaces\WorkspaceContext;
 use Filament\Facades\Filament;
 use Filament\Pages\Page;
@@ -52,10 +56,10 @@ public function getTenants(): Collection
         $tenants = $user->getTenants(Filament::getCurrentOrDefaultPanel());
 
         if ($tenants instanceof Collection) {
-            return $tenants;
+            return app(TenantOperabilityService::class)->filterSelectable($tenants);
         }
 
-        return collect($tenants);
+        return app(TenantOperabilityService::class)->filterSelectable(collect($tenants));
     }
 
     public function selectTenant(int $tenantId): void
@@ -66,10 +70,35 @@ public function selectTenant(int $tenantId): void
             abort(403);
         }
 
-        $tenant = Tenant::query()
-            ->where('status', 'active')
-            ->whereKey($tenantId)
-            ->first();
+        $workspaceContext = app(WorkspaceContext::class);
+        $workspaceId = $workspaceContext->currentWorkspaceId(request());
+        $tenant = null;
+
+        if ($workspaceId === null) {
+            $tenant = Tenant::query()->whereKey($tenantId)->first();
+
+            if ($tenant instanceof Tenant) {
+                $workspace = $tenant->workspace;
+
+                if ($workspace !== null && $user->canAccessTenant($tenant)) {
+                    $workspaceContext->setCurrentWorkspace($workspace, $user, request());
+                    $workspaceId = (int) $workspace->getKey();
+                }
+            }
+        }
+
+        if ($workspaceId === null) {
+            $this->redirect(route('filament.admin.pages.choose-workspace'));
+
+            return;
+        }
+
+        if (! $tenant instanceof Tenant || (int) $tenant->workspace_id !== $workspaceId) {
+            $tenant = Tenant::query()
+                ->where('workspace_id', $workspaceId)
+                ->whereKey($tenantId)
+                ->first();
+        }
 
         if (! $tenant instanceof Tenant) {
             abort(404);
@@ -79,13 +108,32 @@ public function selectTenant(int $tenantId): void
             abort(404);
         }
 
+        $outcome = app(TenantOperabilityService::class)->outcomeFor(
+            tenant: $tenant,
+            question: TenantOperabilityQuestion::SelectorEligibility,
+            actor: $user,
+            workspaceId: $workspaceId,
+            lane: TenantInteractionLane::StandardActiveOperating,
+        );
+
+        if (! $outcome->allowed) {
+            abort(404);
+        }
+
         $this->persistLastTenant($user, $tenant);
 
-        app(WorkspaceContext::class)->rememberLastTenantId((int) $tenant->workspace_id, (int) $tenant->getKey(), request());
+        if (! $workspaceContext->rememberTenantContext($tenant, request())) {
+            abort(404);
+        }
 
         $this->redirect(TenantDashboard::getUrl(panel: 'tenant', tenant: $tenant));
     }
 
+    public function tenantLifecyclePresentation(Tenant $tenant): TenantLifecyclePresentation
+    {
+        return TenantLifecyclePresentation::fromTenant($tenant);
+    }
+
     private function persistLastTenant(User $user, Tenant $tenant): void
     {
         if (Schema::hasColumn('users', 'last_tenant_id')) {

app/Filament/Pages/InventoryCoverage.php

@@ -5,6 +5,7 @@
 namespace App\Filament\Pages;
 
 use App\Filament\Clusters\Inventory\InventoryCluster;
+use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Filament\Widgets\Inventory\InventoryKpiHeader;
 use App\Models\Tenant;
 use App\Models\User;
@@ -18,8 +19,13 @@
 use App\Support\Badges\TagBadgeDomain;
 use App\Support\Badges\TagBadgeRenderer;
 use App\Support\Inventory\InventoryPolicyTypeMeta;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\ActionSurfaceDefaults;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use BackedEnum;
 use Filament\Actions\Action;
+use Filament\Facades\Filament;
 use Filament\Pages\Page;
 use Filament\Support\Enums\FontFamily;
 use Filament\Tables\Columns\IconColumn;
@@ -36,6 +42,7 @@
 class InventoryCoverage extends Page implements HasTable
 {
     use InteractsWithTable;
+    use ResolvesPanelTenantContext;
 
     protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-table-cells';
 
@@ -49,9 +56,32 @@ class InventoryCoverage extends Page implements HasTable
 
     protected string $view = 'filament.pages.inventory-coverage';
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
+            ->withDefaults(new ActionSurfaceDefaults(
+                moreGroupLabel: 'More',
+                exportIsDefaultBulkActionForReadOnly: false,
+            ))
+            ->exempt(ActionSurfaceSlot::ListHeader, 'Inventory coverage stays read-only and uses KPI widgets instead of header actions.')
+            ->exempt(ActionSurfaceSlot::InspectAffordance, 'Inventory coverage rows are runtime-derived metadata and intentionally omit inspect affordances.')
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Derived coverage rows do not expose row actions.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Derived coverage rows do not expose bulk actions.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state provides a clear-filters CTA to return to the full coverage matrix.');
+    }
+
+    public static function shouldRegisterNavigation(): bool
+    {
+        if (Filament::getCurrentPanel()?->getId() === 'admin') {
+            return false;
+        }
+
+        return parent::shouldRegisterNavigation();
+    }
+
     public static function canAccess(): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
         $user = auth()->user();
 
         if (! $tenant instanceof Tenant || ! $user instanceof User) {

app/Filament/Pages/Monitoring/AuditLog.php

@@ -13,6 +13,7 @@
 use App\Support\Auth\Capabilities;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
 use App\Support\Filament\FilterOptionCatalog;
 use App\Support\Filament\FilterPresets;
 use App\Support\Filament\TablePaginationProfiles;
@@ -23,6 +24,7 @@
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions\Action;
@@ -33,6 +35,7 @@
 use Filament\Tables\Contracts\HasTable;
 use Filament\Tables\Filters\SelectFilter;
 use Filament\Tables\Table;
+use Illuminate\Contracts\View\View;
 use Illuminate\Database\Eloquent\Builder;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use UnitEnum;
@@ -66,7 +69,7 @@ class AuditLog extends Page implements HasTable
 
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
-        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog)
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog, ActionSurfaceType::HistoryAudit)
             ->withDefaults(new ActionSurfaceDefaults(
                 moreGroupLabel: 'More',
                 exportIsDefaultBulkActionForReadOnly: false,
@@ -81,11 +84,16 @@ public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     public function mount(): void
     {
         $this->authorizePageAccess();
-        $this->selectedAuditLogId = is_numeric(request()->query('event')) ? (int) request()->query('event') : null;
+        $requestedEventId = is_numeric(request()->query('event')) ? (int) request()->query('event') : null;
+
+        app(CanonicalAdminTenantFilterState::class)->sync($this->getTableFiltersSessionKey(), request: request());
+
         $this->mountInteractsWithTable();
 
-        if ($this->selectedAuditLogId !== null) {
-            $this->selectedAuditLog();
+        if ($requestedEventId !== null) {
+            $this->resolveAuditLog($requestedEventId);
+            $this->selectedAuditLogId = $requestedEventId;
+            $this->mountTableAction('inspect', (string) $requestedEventId);
         }
     }
 
@@ -94,31 +102,10 @@ public function mount(): void
      */
     protected function getHeaderActions(): array
     {
-        $actions = app(OperateHubShell::class)->headerActions(
+        return app(OperateHubShell::class)->headerActions(
             scopeActionName: 'operate_hub_scope_audit_log',
             returnActionName: 'operate_hub_return_audit_log',
         );
-
-        if ($this->selectedAuditLog() instanceof AuditLogModel) {
-            $actions[] = Action::make('clear_selected_audit_event')
-                ->label('Close details')
-                ->color('gray')
-                ->action(function (): void {
-                    $this->clearSelectedAuditLog();
-                });
-
-            $relatedLink = $this->selectedAuditLink();
-
-            if (is_array($relatedLink)) {
-                $actions[] = Action::make('open_selected_audit_target')
-                    ->label($relatedLink['label'])
-                    ->icon('heroicon-o-arrow-top-right-on-square')
-                    ->color('gray')
-                    ->url($relatedLink['url']);
-            }
-        }
-
-        return $actions;
     }
 
     public function table(Table $table): Table
@@ -191,13 +178,23 @@ public function table(Table $table): Table
                     ->label('Inspect event')
                     ->icon('heroicon-o-eye')
                     ->color('gray')
-                    ->action(function (AuditLogModel $record): void {
+                    ->before(function (AuditLogModel $record): void {
                         $this->selectedAuditLogId = (int) $record->getKey();
-                    }),
+                    })
+                    ->slideOver()
+                    ->stickyModalHeader()
+                    ->modalSubmitAction(false)
+                    ->modalCancelAction(fn (Action $action): Action => $action->label('Close details'))
+                    ->modalHeading(fn (AuditLogModel $record): string => $record->summaryText())
+                    ->modalDescription(fn (AuditLogModel $record): ?string => $record->recorded_at?->toDayDateTimeString())
+                    ->modalContent(fn (AuditLogModel $record): View => view('filament.pages.monitoring.partials.audit-log-inspect-event', [
+                        'selectedAudit' => $record,
+                        'selectedAuditLink' => $this->auditTargetLink($record),
+                    ])),
             ])
             ->bulkActions([])
             ->emptyStateHeading('No audit events match this view')
-            ->emptyStateDescription('Clear the current search or filters to return to the workspace audit history.')
+            ->emptyStateDescription('Clear the current search or filters to return to the workspace-wide audit history.')
             ->emptyStateIcon('heroicon-o-funnel')
             ->emptyStateActions([
                 Action::make('clear_filters')
@@ -205,48 +202,11 @@ public function table(Table $table): Table
                     ->icon('heroicon-o-x-mark')
                     ->color('gray')
                     ->action(function (): void {
-                        $this->selectedAuditLogId = null;
                         $this->resetTable();
                     }),
             ]);
     }
 
-    public function clearSelectedAuditLog(): void
-    {
-        $this->selectedAuditLogId = null;
-    }
-
-    public function selectedAuditLog(): ?AuditLogModel
-    {
-        if (! is_numeric($this->selectedAuditLogId)) {
-            return null;
-        }
-
-        $record = $this->auditBaseQuery()
-            ->whereKey((int) $this->selectedAuditLogId)
-            ->first();
-
-        if (! $record instanceof AuditLogModel) {
-            throw new NotFoundHttpException;
-        }
-
-        return $record;
-    }
-
-    /**
-     * @return array{label: string, url: string}|null
-     */
-    public function selectedAuditLink(): ?array
-    {
-        $record = $this->selectedAuditLog();
-
-        if (! $record instanceof AuditLogModel) {
-            return null;
-        }
-
-        return app(RelatedNavigationResolver::class)->auditTargetLink($record);
-    }
-
     /**
      * @return array<int, Tenant>
      */
@@ -319,6 +279,54 @@ private function auditBaseQuery(): Builder
             ->latestFirst();
     }
 
+    private function resolveAuditLog(int $auditLogId): AuditLogModel
+    {
+        $record = $this->auditBaseQuery()
+            ->whereKey($auditLogId)
+            ->first();
+
+        if (! $record instanceof AuditLogModel) {
+            throw new NotFoundHttpException;
+        }
+
+        return $record;
+    }
+
+    public function selectedAuditRecord(): ?AuditLogModel
+    {
+        if (! is_int($this->selectedAuditLogId) || $this->selectedAuditLogId <= 0) {
+            return null;
+        }
+
+        try {
+            return $this->resolveAuditLog($this->selectedAuditLogId);
+        } catch (NotFoundHttpException) {
+            return null;
+        }
+    }
+
+    /**
+     * @return array{label: string, url: string}|null
+     */
+    public function selectedAuditTargetLink(): ?array
+    {
+        $record = $this->selectedAuditRecord();
+
+        if (! $record instanceof AuditLogModel) {
+            return null;
+        }
+
+        return $this->auditTargetLink($record);
+    }
+
+    /**
+     * @return array{label: string, url: string}|null
+     */
+    private function auditTargetLink(AuditLogModel $record): ?array
+    {
+        return app(RelatedNavigationResolver::class)->auditTargetLink($record);
+    }
+
     /**
      * @return array<string, string>
      */

app/Filament/Pages/Monitoring/EvidenceOverview.php

@@ -0,0 +1,147 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Pages\Monitoring;
+
+use App\Filament\Resources\EvidenceSnapshotResource;
+use App\Models\EvidenceSnapshot;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Support\Badges\BadgeCatalog;
+use App\Support\Badges\BadgeDomain;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
+use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthEnvelope;
+use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthPresenter;
+use App\Support\Workspaces\WorkspaceContext;
+use BackedEnum;
+use Filament\Actions\Action;
+use Filament\Pages\Page;
+use Illuminate\Auth\AuthenticationException;
+use UnitEnum;
+
+class EvidenceOverview extends Page
+{
+    protected static bool $isDiscovered = false;
+
+    protected static bool $shouldRegisterNavigation = false;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-shield-check';
+
+    protected static string|UnitEnum|null $navigationGroup = 'Monitoring';
+
+    protected static ?string $title = 'Evidence Overview';
+
+    protected string $view = 'filament.pages.monitoring.evidence-overview';
+
+    /**
+     * @var list<array<string, mixed>>
+     */
+    public array $rows = [];
+
+    public ?int $tenantFilter = null;
+
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly, ActionSurfaceType::ReadOnlyRegistryReport)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'The overview header exposes a clear-filters action when a tenant prefilter is active.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'The overview exposes a single drill-down link per row without a More menu.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The overview does not expose bulk actions.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state explains the current scope and offers a clear-filters CTA.');
+    }
+
+    public function mount(): void
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            throw new AuthenticationException;
+        }
+
+        $workspaceContext = app(WorkspaceContext::class);
+        $workspace = $workspaceContext->currentWorkspaceForMemberOrFail($user, request());
+        $workspaceId = (int) $workspace->getKey();
+
+        $accessibleTenants = $user->tenants()
+            ->where('tenants.workspace_id', $workspaceId)
+            ->orderBy('tenants.name')
+            ->get()
+            ->filter(fn (Tenant $tenant): bool => (int) $tenant->workspace_id === $workspaceId && $user->can('evidence.view', $tenant))
+            ->values();
+
+        $this->tenantFilter = is_numeric(request()->query('tenant_id')) ? (int) request()->query('tenant_id') : null;
+
+        $tenantIds = $accessibleTenants->pluck('id')->map(static fn (mixed $id): int => (int) $id)->all();
+
+        $query = EvidenceSnapshot::query()
+            ->with('tenant')
+            ->where('workspace_id', $workspaceId)
+            ->whereIn('tenant_id', $tenantIds)
+            ->where('status', 'active')
+            ->latest('generated_at');
+
+        if ($this->tenantFilter !== null) {
+            $query->where('tenant_id', $this->tenantFilter);
+        }
+
+        $snapshots = $query->get()->unique('tenant_id')->values();
+
+        $this->rows = $snapshots->map(function (EvidenceSnapshot $snapshot): array {
+            $truth = $this->snapshotTruth($snapshot);
+            $freshnessSpec = BadgeCatalog::spec(BadgeDomain::GovernanceArtifactFreshness, $truth->freshnessState);
+
+            return [
+                'tenant_name' => $snapshot->tenant?->name ?? 'Unknown tenant',
+                'tenant_id' => (int) $snapshot->tenant_id,
+                'snapshot_id' => (int) $snapshot->getKey(),
+                'completeness_state' => (string) $snapshot->completeness_state,
+                'generated_at' => $snapshot->generated_at?->toDateTimeString(),
+                'missing_dimensions' => (int) (($snapshot->summary['missing_dimensions'] ?? 0)),
+                'stale_dimensions' => (int) (($snapshot->summary['stale_dimensions'] ?? 0)),
+                'artifact_truth' => [
+                    'label' => $truth->primaryLabel,
+                    'color' => $truth->primaryBadgeSpec()->color,
+                    'icon' => $truth->primaryBadgeSpec()->icon,
+                    'explanation' => $truth->primaryExplanation,
+                ],
+                'freshness' => [
+                    'label' => $freshnessSpec->label,
+                    'color' => $freshnessSpec->color,
+                    'icon' => $freshnessSpec->icon,
+                ],
+                'next_step' => $truth->nextStepText(),
+                'view_url' => $snapshot->tenant
+                    ? EvidenceSnapshotResource::getUrl('view', ['record' => $snapshot], tenant: $snapshot->tenant)
+                    : null,
+            ];
+        })->all();
+    }
+
+    /**
+     * @return array<Action>
+     */
+    protected function getHeaderActions(): array
+    {
+        return [
+            Action::make('clear_filters')
+                ->label('Clear filters')
+                ->color('gray')
+                ->visible(fn (): bool => $this->tenantFilter !== null)
+                ->url(route('admin.evidence.overview')),
+        ];
+    }
+
+    private function snapshotTruth(EvidenceSnapshot $snapshot, bool $fresh = false): ArtifactTruthEnvelope
+    {
+        $presenter = app(ArtifactTruthPresenter::class);
+
+        return $fresh
+            ? $presenter->forEvidenceSnapshotFresh($snapshot)
+            : $presenter->forEvidenceSnapshot($snapshot);
+    }
+}

app/Filament/Pages/Monitoring/FindingExceptionsQueue.php

@@ -0,0 +1,540 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Pages\Monitoring;
+
+use App\Filament\Resources\FindingExceptionResource;
+use App\Filament\Resources\FindingResource;
+use App\Models\FindingException;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Models\Workspace;
+use App\Services\Auth\WorkspaceCapabilityResolver;
+use App\Services\Findings\FindingExceptionService;
+use App\Services\Findings\FindingRiskGovernanceResolver;
+use App\Support\Auth\Capabilities;
+use App\Support\Badges\BadgeDomain;
+use App\Support\Badges\BadgeRenderer;
+use App\Support\Filament\FilterOptionCatalog;
+use App\Support\Filament\TablePaginationProfiles;
+use App\Support\OperateHub\OperateHubShell;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\ActionSurfaceDefaults;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
+use App\Support\Workspaces\WorkspaceContext;
+use BackedEnum;
+use Filament\Actions\Action;
+use Filament\Facades\Filament;
+use Filament\Forms\Components\DateTimePicker;
+use Filament\Forms\Components\Textarea;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Concerns\InteractsWithTable;
+use Filament\Tables\Contracts\HasTable;
+use Filament\Tables\Filters\SelectFilter;
+use Filament\Tables\Table;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Support\Collection;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use UnitEnum;
+
+class FindingExceptionsQueue extends Page implements HasTable
+{
+    use InteractsWithTable;
+
+    public ?int $selectedFindingExceptionId = null;
+
+    protected static bool $isDiscovered = false;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-shield-exclamation';
+
+    protected static string|UnitEnum|null $navigationGroup = 'Monitoring';
+
+    protected static ?string $navigationLabel = 'Finding exceptions';
+
+    protected static ?string $slug = 'finding-exceptions/queue';
+
+    protected static ?string $title = 'Finding Exceptions Queue';
+
+    protected string $view = 'filament.pages.monitoring.finding-exceptions-queue';
+
+    /**
+     * @var array<int, Tenant>|null
+     */
+    private ?array $authorizedTenants = null;
+
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog, ActionSurfaceType::QueueReview)
+            ->withDefaults(new ActionSurfaceDefaults(
+                moreGroupLabel: 'More',
+                exportIsDefaultBulkActionForReadOnly: false,
+            ))
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions keep workspace approval scope visible and expose selected exception review actions.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ViewAction->value)
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Exception decisions are reviewed one record at a time in v1 and do not expose bulk actions.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state explains when the approval queue is empty and keeps navigation back to tenant findings available.')
+            ->satisfy(ActionSurfaceSlot::DetailHeader, 'Selected exception detail exposes approve, reject, and related-record navigation actions in the page header.');
+    }
+
+    public static function canAccess(): bool
+    {
+        if (Filament::getCurrentPanel()?->getId() !== 'admin') {
+            return false;
+        }
+
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            return false;
+        }
+
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
+
+        if (! is_int($workspaceId)) {
+            return false;
+        }
+
+        $workspace = Workspace::query()->whereKey($workspaceId)->first();
+
+        if (! $workspace instanceof Workspace) {
+            return false;
+        }
+
+        /** @var WorkspaceCapabilityResolver $resolver */
+        $resolver = app(WorkspaceCapabilityResolver::class);
+
+        return $resolver->isMember($user, $workspace)
+            && $resolver->can($user, $workspace, Capabilities::FINDING_EXCEPTION_APPROVE);
+    }
+
+    public function mount(): void
+    {
+        $this->selectedFindingExceptionId = is_numeric(request()->query('exception')) ? (int) request()->query('exception') : null;
+        $this->mountInteractsWithTable();
+        $this->applyRequestedTenantPrefilter();
+
+        if ($this->selectedFindingExceptionId !== null) {
+            $this->selectedFindingException();
+        }
+    }
+
+    protected function getHeaderActions(): array
+    {
+        $actions = app(OperateHubShell::class)->headerActions(
+            scopeActionName: 'operate_hub_scope_finding_exceptions',
+            returnActionName: 'operate_hub_return_finding_exceptions',
+        );
+
+        $actions[] = Action::make('clear_filters')
+            ->label('Clear filters')
+            ->icon('heroicon-o-x-mark')
+            ->color('gray')
+            ->visible(fn (): bool => $this->hasActiveQueueFilters())
+            ->action(function (): void {
+                $this->removeTableFilter('tenant_id');
+                $this->removeTableFilter('status');
+                $this->removeTableFilter('current_validity_state');
+                $this->selectedFindingExceptionId = null;
+                $this->resetTable();
+            });
+
+        $actions[] = Action::make('view_tenant_register')
+            ->label('View tenant register')
+            ->icon('heroicon-o-arrow-top-right-on-square')
+            ->color('gray')
+            ->visible(fn (): bool => $this->filteredTenant() instanceof Tenant)
+            ->url(function (): ?string {
+                $tenant = $this->filteredTenant();
+
+                if (! $tenant instanceof Tenant) {
+                    return null;
+                }
+
+                return FindingExceptionResource::getUrl('index', panel: 'tenant', tenant: $tenant);
+            });
+
+        $actions[] = Action::make('clear_selected_exception')
+            ->label('Close details')
+            ->color('gray')
+            ->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
+            ->action(function (): void {
+                $this->selectedFindingExceptionId = null;
+            });
+
+        $actions[] = Action::make('open_selected_exception')
+            ->label('Open tenant detail')
+            ->icon('heroicon-o-arrow-top-right-on-square')
+            ->color('gray')
+            ->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
+            ->url(fn (): ?string => $this->selectedExceptionUrl());
+
+        $actions[] = Action::make('open_selected_finding')
+            ->label('Open finding')
+            ->icon('heroicon-o-arrow-top-right-on-square')
+            ->color('gray')
+            ->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
+            ->url(fn (): ?string => $this->selectedFindingUrl());
+
+        $actions[] = Action::make('approve_selected_exception')
+            ->label('Approve exception')
+            ->color('success')
+            ->visible(fn (): bool => $this->selectedFindingException()?->isPending() ?? false)
+            ->requiresConfirmation()
+            ->form([
+                DateTimePicker::make('effective_from')
+                    ->label('Effective from')
+                    ->required()
+                    ->seconds(false),
+                DateTimePicker::make('expires_at')
+                    ->label('Expires at')
+                    ->required()
+                    ->seconds(false),
+                Textarea::make('approval_reason')
+                    ->label('Approval reason')
+                    ->rows(3)
+                    ->maxLength(2000),
+            ])
+            ->action(function (array $data, FindingExceptionService $service): void {
+                $record = $this->selectedFindingException();
+                $user = auth()->user();
+
+                if (! $record instanceof FindingException || ! $user instanceof User) {
+                    abort(404);
+                }
+
+                $wasRenewalRequest = $record->isPendingRenewal();
+                $updated = $service->approve($record, $user, $data);
+                $this->selectedFindingExceptionId = (int) $updated->getKey();
+                $this->resetTable();
+
+                Notification::make()
+                    ->title($wasRenewalRequest ? 'Exception renewed' : 'Exception approved')
+                    ->success()
+                    ->send();
+            });
+
+        $actions[] = Action::make('reject_selected_exception')
+            ->label('Reject exception')
+            ->color('danger')
+            ->visible(fn (): bool => $this->selectedFindingException()?->isPending() ?? false)
+            ->requiresConfirmation()
+            ->form([
+                Textarea::make('rejection_reason')
+                    ->label('Rejection reason')
+                    ->rows(3)
+                    ->required()
+                    ->maxLength(2000),
+            ])
+            ->action(function (array $data, FindingExceptionService $service): void {
+                $record = $this->selectedFindingException();
+                $user = auth()->user();
+
+                if (! $record instanceof FindingException || ! $user instanceof User) {
+                    abort(404);
+                }
+
+                $wasRenewalRequest = $record->isPendingRenewal();
+                $updated = $service->reject($record, $user, $data);
+                $this->selectedFindingExceptionId = (int) $updated->getKey();
+                $this->resetTable();
+
+                Notification::make()
+                    ->title($wasRenewalRequest ? 'Renewal rejected' : 'Exception rejected')
+                    ->success()
+                    ->send();
+            });
+
+        return $actions;
+    }
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->query(fn (): Builder => $this->queueBaseQuery())
+            ->defaultSort('requested_at', 'asc')
+            ->paginated(TablePaginationProfiles::customPage())
+            ->persistFiltersInSession()
+            ->persistSearchInSession()
+            ->persistSortInSession()
+            ->columns([
+                TextColumn::make('status')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingExceptionStatus))
+                    ->color(BadgeRenderer::color(BadgeDomain::FindingExceptionStatus))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::FindingExceptionStatus))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingExceptionStatus)),
+                TextColumn::make('current_validity_state')
+                    ->label('Validity')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingRiskGovernanceValidity))
+                    ->color(BadgeRenderer::color(BadgeDomain::FindingRiskGovernanceValidity))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::FindingRiskGovernanceValidity))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingRiskGovernanceValidity)),
+                TextColumn::make('tenant.name')
+                    ->label('Tenant')
+                    ->searchable(),
+                TextColumn::make('finding_summary')
+                    ->label('Finding')
+                    ->state(fn (FindingException $record): string => $record->finding?->resolvedSubjectDisplayName() ?: 'Finding #'.$record->finding_id)
+                    ->searchable(),
+                TextColumn::make('governance_warning')
+                    ->label('Governance warning')
+                    ->state(fn (FindingException $record): ?string => $this->governanceWarning($record))
+                    ->color(fn (FindingException $record): string => $this->governanceWarningColor($record))
+                    ->wrap(),
+                TextColumn::make('requester.name')
+                    ->label('Requested by')
+                    ->placeholder('—'),
+                TextColumn::make('owner.name')
+                    ->label('Owner')
+                    ->placeholder('—'),
+                TextColumn::make('review_due_at')
+                    ->label('Review due')
+                    ->dateTime()
+                    ->placeholder('—')
+                    ->sortable(),
+                TextColumn::make('expires_at')
+                    ->label('Expires')
+                    ->dateTime()
+                    ->placeholder('—')
+                    ->sortable(),
+                TextColumn::make('requested_at')
+                    ->label('Requested')
+                    ->dateTime()
+                    ->sortable(),
+            ])
+            ->filters([
+                SelectFilter::make('tenant_id')
+                    ->label('Tenant')
+                    ->options(fn (): array => $this->tenantFilterOptions())
+                    ->searchable(),
+                SelectFilter::make('status')
+                    ->options(FilterOptionCatalog::findingExceptionStatuses()),
+                SelectFilter::make('current_validity_state')
+                    ->label('Validity')
+                    ->options(FilterOptionCatalog::findingExceptionValidityStates()),
+            ])
+            ->actions([
+                Action::make('inspect_exception')
+                    ->label('Inspect exception')
+                    ->icon('heroicon-o-eye')
+                    ->color('gray')
+                    ->action(function (FindingException $record): void {
+                        $this->selectedFindingExceptionId = (int) $record->getKey();
+                    }),
+            ])
+            ->bulkActions([])
+            ->emptyStateHeading('No exceptions match this queue')
+            ->emptyStateDescription('Adjust the current tenant or lifecycle filters to review governed exceptions in this workspace.')
+            ->emptyStateIcon('heroicon-o-shield-check')
+            ->emptyStateActions([
+                Action::make('clear_filters')
+                    ->label('Clear filters')
+                    ->icon('heroicon-o-x-mark')
+                    ->color('gray')
+                    ->action(function (): void {
+                        $this->removeTableFilter('tenant_id');
+                        $this->removeTableFilter('status');
+                        $this->removeTableFilter('current_validity_state');
+                        $this->selectedFindingExceptionId = null;
+                        $this->resetTable();
+                    }),
+            ]);
+    }
+
+    public function selectedFindingException(): ?FindingException
+    {
+        if (! is_int($this->selectedFindingExceptionId)) {
+            return null;
+        }
+
+        $record = $this->queueBaseQuery()
+            ->whereKey($this->selectedFindingExceptionId)
+            ->first();
+
+        if (! $record instanceof FindingException) {
+            throw new NotFoundHttpException;
+        }
+
+        return $record;
+    }
+
+    public function selectedExceptionUrl(): ?string
+    {
+        $record = $this->selectedFindingException();
+
+        if (! $record instanceof FindingException || ! $record->tenant) {
+            return null;
+        }
+
+        return FindingExceptionResource::getUrl('view', ['record' => $record], panel: 'tenant', tenant: $record->tenant);
+    }
+
+    public function selectedFindingUrl(): ?string
+    {
+        $record = $this->selectedFindingException();
+
+        if (! $record instanceof FindingException || ! $record->finding || ! $record->tenant) {
+            return null;
+        }
+
+        return FindingResource::getUrl('view', ['record' => $record->finding], panel: 'tenant', tenant: $record->tenant);
+    }
+
+    /**
+     * @return array<int, Tenant>
+     */
+    public function authorizedTenants(): array
+    {
+        if ($this->authorizedTenants !== null) {
+            return $this->authorizedTenants;
+        }
+
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            return $this->authorizedTenants = [];
+        }
+
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
+
+        if (! is_int($workspaceId)) {
+            return $this->authorizedTenants = [];
+        }
+
+        $tenants = $user->tenants()
+            ->where('tenants.workspace_id', $workspaceId)
+            ->orderBy('tenants.name')
+            ->get();
+
+        return $this->authorizedTenants = $tenants
+            ->filter(fn (Tenant $tenant): bool => (int) $tenant->workspace_id === $workspaceId)
+            ->values()
+            ->all();
+    }
+
+    private function queueBaseQuery(): Builder
+    {
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
+        $tenantIds = array_values(array_map(
+            static fn (Tenant $tenant): int => (int) $tenant->getKey(),
+            $this->authorizedTenants(),
+        ));
+
+        return FindingException::query()
+            ->with([
+                'tenant',
+                'requester',
+                'owner',
+                'approver',
+                'finding' => fn ($query) => $query->withSubjectDisplayName(),
+                'decisions.actor',
+                'evidenceReferences',
+            ])
+            ->where('workspace_id', (int) $workspaceId)
+            ->whereIn('tenant_id', $tenantIds === [] ? [-1] : $tenantIds);
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    private function tenantFilterOptions(): array
+    {
+        return Collection::make($this->authorizedTenants())
+            ->mapWithKeys(static fn (Tenant $tenant): array => [
+                (string) $tenant->getKey() => $tenant->name,
+            ])
+            ->all();
+    }
+
+    private function applyRequestedTenantPrefilter(): void
+    {
+        $requestedTenant = request()->query('tenant');
+
+        if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
+            return;
+        }
+
+        foreach ($this->authorizedTenants() as $tenant) {
+            if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
+                continue;
+            }
+
+            $this->tableFilters['tenant_id']['value'] = (string) $tenant->getKey();
+            $this->tableDeferredFilters['tenant_id']['value'] = (string) $tenant->getKey();
+
+            return;
+        }
+    }
+
+    private function filteredTenant(): ?Tenant
+    {
+        $tenantId = $this->currentTenantFilterId();
+
+        if (! is_int($tenantId)) {
+            return null;
+        }
+
+        foreach ($this->authorizedTenants() as $tenant) {
+            if ((int) $tenant->getKey() === $tenantId) {
+                return $tenant;
+            }
+        }
+
+        return null;
+    }
+
+    private function currentTenantFilterId(): ?int
+    {
+        $tenantFilter = data_get($this->tableFilters, 'tenant_id.value');
+
+        if (! is_numeric($tenantFilter)) {
+            $tenantFilter = data_get(session()->get($this->getTableFiltersSessionKey(), []), 'tenant_id.value');
+        }
+
+        return is_numeric($tenantFilter) ? (int) $tenantFilter : null;
+    }
+
+    private function hasActiveQueueFilters(): bool
+    {
+        return $this->currentTenantFilterId() !== null
+            || is_string(data_get($this->tableFilters, 'status.value'))
+            || is_string(data_get($this->tableFilters, 'current_validity_state.value'));
+    }
+
+    private function governanceWarning(FindingException $record): ?string
+    {
+        $finding = $record->relationLoaded('finding')
+            ? $record->finding
+            : $record->finding()->withSubjectDisplayName()->first();
+
+        if (! $finding instanceof \App\Models\Finding) {
+            return null;
+        }
+
+        return app(FindingRiskGovernanceResolver::class)->resolveWarningMessage($finding, $record);
+    }
+
+    private function governanceWarningColor(FindingException $record): string
+    {
+        if ((string) $record->current_validity_state === FindingException::VALIDITY_EXPIRING) {
+            return 'warning';
+        }
+
+        $finding = $record->relationLoaded('finding')
+            ? $record->finding
+            : $record->finding()->withSubjectDisplayName()->first();
+
+        if ($finding instanceof \App\Models\Finding && $record->requiresFreshDecisionForFinding($finding)) {
+            return 'warning';
+        }
+
+        return 'danger';
+    }
+}

app/Filament/Pages/Monitoring/Operations.php

@@ -8,10 +8,18 @@
 use App\Filament\Widgets\Operations\OperationsKpiHeader;
 use App\Models\OperationRun;
 use App\Models\Tenant;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
 use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\OperateHub\OperateHubShell;
 use App\Support\OperationRunOutcome;
 use App\Support\OperationRunStatus;
+use App\Support\Operations\OperationLifecyclePolicy;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\ActionSurfaceDefaults;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions\Action;
@@ -48,9 +56,30 @@ class Operations extends Page implements HasForms, HasTable
     // Must be non-static
     protected string $view = 'filament.pages.monitoring.operations';
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog, ActionSurfaceType::ReadOnlyRegistryReport)
+            ->withDefaults(new ActionSurfaceDefaults(
+                moreGroupLabel: 'More',
+                exportIsDefaultBulkActionForReadOnly: false,
+            ))
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions preserve scope context and return navigation for the monitoring operations list.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Operation runs remain immutable on the monitoring list and intentionally omit bulk actions.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state explains when no operation runs exist for the active workspace scope.')
+            ->exempt(ActionSurfaceSlot::DetailHeader, 'Row navigation opens the canonical tenantless operation detail page, which owns header actions.');
+    }
+
     public function mount(): void
     {
         $this->navigationContextPayload = is_array(request()->query('nav')) ? request()->query('nav') : null;
+
+        app(CanonicalAdminTenantFilterState::class)->sync(
+            $this->getTableFiltersSessionKey(),
+            ['type', 'initiator_name'],
+            request(),
+        );
+
         $this->mountInteractsWithTable();
     }
 
@@ -131,8 +160,11 @@ public function table(Table $table): Table
         return OperationRunResource::table($table)
             ->query(function (): Builder {
                 $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
+                $tenantFilter = data_get($this->tableFilters, 'tenant_id.value');
 
-                $activeTenant = app(OperateHubShell::class)->activeEntitledTenant(request());
+                if (! is_numeric($tenantFilter)) {
+                    $tenantFilter = data_get(session()->get($this->getTableFiltersSessionKey(), []), 'tenant_id.value');
+                }
 
                 $query = OperationRun::query()
                     ->with('user')
@@ -146,14 +178,76 @@ public function table(Table $table): Table
                         fn (Builder $query): Builder => $query->whereRaw('1 = 0'),
                     )
                     ->when(
-                        $activeTenant instanceof Tenant,
-                        fn (Builder $query): Builder => $query->where('tenant_id', (int) $activeTenant->getKey()),
+                        is_numeric($tenantFilter),
+                        fn (Builder $query): Builder => $query->where('tenant_id', (int) $tenantFilter),
                     );
 
                 return $this->applyActiveTab($query);
             });
     }
 
+    /**
+     * @return array{likely_stale:int,reconciled:int}
+     */
+    public function lifecycleVisibilitySummary(): array
+    {
+        $baseQuery = $this->scopedSummaryQuery();
+
+        if (! $baseQuery instanceof Builder) {
+            return [
+                'likely_stale' => 0,
+                'reconciled' => 0,
+            ];
+        }
+
+        $reconciled = (clone $baseQuery)
+            ->whereNotNull('context->reconciliation->reconciled_at')
+            ->count();
+
+        $policy = app(OperationLifecyclePolicy::class);
+        $likelyStale = (clone $baseQuery)
+            ->whereIn('status', [
+                OperationRunStatus::Queued->value,
+                OperationRunStatus::Running->value,
+            ])
+            ->where(function (Builder $query) use ($policy): void {
+                foreach ($policy->coveredTypeNames() as $type) {
+                    $query->orWhere(function (Builder $typeQuery) use ($policy, $type): void {
+                        $typeQuery
+                            ->where('type', $type)
+                            ->where(function (Builder $stateQuery) use ($policy, $type): void {
+                                $stateQuery
+                                    ->where(function (Builder $queuedQuery) use ($policy, $type): void {
+                                        $queuedQuery
+                                            ->where('status', OperationRunStatus::Queued->value)
+                                            ->whereNull('started_at')
+                                            ->where('created_at', '<=', now()->subSeconds($policy->queuedStaleAfterSeconds($type)));
+                                    })
+                                    ->orWhere(function (Builder $runningQuery) use ($policy, $type): void {
+                                        $runningQuery
+                                            ->where('status', OperationRunStatus::Running->value)
+                                            ->where(function (Builder $startedAtQuery) use ($policy, $type): void {
+                                                $startedAtQuery
+                                                    ->where('started_at', '<=', now()->subSeconds($policy->runningStaleAfterSeconds($type)))
+                                                    ->orWhere(function (Builder $fallbackQuery) use ($policy, $type): void {
+                                                        $fallbackQuery
+                                                            ->whereNull('started_at')
+                                                            ->where('created_at', '<=', now()->subSeconds($policy->runningStaleAfterSeconds($type)));
+                                                    });
+                                            });
+                                    });
+                            });
+                    });
+                }
+            })
+            ->count();
+
+        return [
+            'likely_stale' => $likelyStale,
+            'reconciled' => $reconciled,
+        ];
+    }
+
     private function applyActiveTab(Builder $query): Builder
     {
         return match ($this->activeTab) {
@@ -161,6 +255,9 @@ private function applyActiveTab(Builder $query): Builder
                 OperationRunStatus::Queued->value,
                 OperationRunStatus::Running->value,
             ]),
+            'blocked' => $query
+                ->where('status', OperationRunStatus::Completed->value)
+                ->where('outcome', OperationRunOutcome::Blocked->value),
             'succeeded' => $query
                 ->where('status', OperationRunStatus::Completed->value)
                 ->where('outcome', OperationRunOutcome::Succeeded->value),
@@ -173,4 +270,26 @@ private function applyActiveTab(Builder $query): Builder
             default => $query,
         };
     }
+
+    private function scopedSummaryQuery(): ?Builder
+    {
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
+
+        if (! $workspaceId) {
+            return null;
+        }
+
+        $tenantFilter = data_get($this->tableFilters, 'tenant_id.value');
+
+        if (! is_numeric($tenantFilter)) {
+            $tenantFilter = data_get(session()->get($this->getTableFiltersSessionKey(), []), 'tenant_id.value');
+        }
+
+        return OperationRun::query()
+            ->where('workspace_id', (int) $workspaceId)
+            ->when(
+                is_numeric($tenantFilter),
+                fn (Builder $query): Builder => $query->where('tenant_id', (int) $tenantFilter),
+            );
+    }
 }

app/Filament/Pages/NoAccess.php

@@ -7,6 +7,9 @@
 use App\Models\User;
 use App\Models\Workspace;
 use App\Models\WorkspaceMembership;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use App\Support\Workspaces\WorkspaceContext;
 use Filament\Actions\Action;
 use Filament\Forms\Components\TextInput;
@@ -27,6 +30,16 @@ class NoAccess extends Page
 
     protected string $view = 'filament.pages.no-access';
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header provides a create-workspace recovery action when the user has no tenant access yet.')
+            ->exempt(ActionSurfaceSlot::InspectAffordance, 'The no-access page is a singleton recovery surface without record-level inspect affordances.')
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'The no-access page does not render row-level secondary actions.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The no-access page does not expose bulk actions.')
+            ->exempt(ActionSurfaceSlot::ListEmptyState, 'The page renders a dedicated recovery message instead of a list-style empty state.');
+    }
+
     /**
      * @return array<Action>
      */

app/Filament/Pages/Operations/TenantlessOperationRunViewer.php

@@ -11,14 +11,25 @@
 use App\Services\Auth\CapabilityResolver;
 use App\Services\Auth\WorkspaceCapabilityResolver;
 use App\Services\Baselines\BaselineEvidenceCaptureResumeService;
+use App\Services\Tenants\TenantOperabilityService;
 use App\Support\Auth\Capabilities;
 use App\Support\Navigation\CanonicalNavigationContext;
+use App\Support\Navigation\RelatedNavigationResolver;
 use App\Support\OperateHub\OperateHubShell;
 use App\Support\OperationRunLinks;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
 use App\Support\OpsUx\RunDetailPolling;
+use App\Support\ReasonTranslation\ReasonPresenter;
 use App\Support\RedactionIntegrity;
+use App\Support\Tenants\ReferencedTenantLifecyclePresentation;
+use App\Support\Tenants\TenantInteractionLane;
+use App\Support\Tenants\TenantOperabilityQuestion;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\ActionSurfaceDefaults;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\OperatorExplanation\OperatorExplanationPattern;
 use Filament\Actions\Action;
 use Filament\Actions\ActionGroup;
 use Filament\Notifications\Notification;
@@ -40,6 +51,20 @@ class TenantlessOperationRunViewer extends Page
 
     protected string $view = 'filament.pages.operations.tenantless-operation-run-viewer';
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog)
+            ->withDefaults(new ActionSurfaceDefaults(
+                moreGroupLabel: 'More',
+                exportIsDefaultBulkActionForReadOnly: false,
+            ))
+            ->exempt(ActionSurfaceSlot::ListHeader, 'Canonical tenantless run viewing is a detail-only page and does not render list header actions.')
+            ->exempt(ActionSurfaceSlot::InspectAffordance, 'The tenantless run viewer is itself the canonical detail destination for a selected operation run.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Detail viewing does not expose bulk actions.')
+            ->exempt(ActionSurfaceSlot::ListEmptyState, 'The page renders a selected run detail instead of a list empty state.')
+            ->satisfy(ActionSurfaceSlot::DetailHeader, 'Header keeps scope context, back navigation, refresh, related links, and resumable capture actions when applicable.');
+    }
+
     public OperationRun $run;
 
     /**
@@ -47,8 +72,6 @@ class TenantlessOperationRunViewer extends Page
      */
     public ?array $navigationContextPayload = null;
 
-    public bool $opsUxIsTabHidden = false;
-
     /**
      * @return array<Action|ActionGroup>
      */
@@ -56,6 +79,8 @@ protected function getHeaderActions(): array
     {
         $operateHubShell = app(OperateHubShell::class);
         $navigationContext = $this->navigationContext();
+        $activeTenant = $operateHubShell->activeEntitledTenant(request());
+        $runTenantId = isset($this->run) ? (int) ($this->run->tenant_id ?? 0) : 0;
 
         $actions = [
             Action::make('operate_hub_scope_run_detail')
@@ -64,14 +89,12 @@ protected function getHeaderActions(): array
                 ->disabled(),
         ];
 
-        $activeTenant = $operateHubShell->activeEntitledTenant(request());
-
         if ($navigationContext?->backLinkLabel !== null && $navigationContext->backLinkUrl !== null) {
             $actions[] = Action::make('operate_hub_back_to_origin_run_detail')
                 ->label($navigationContext->backLinkLabel)
                 ->color('gray')
                 ->url($navigationContext->backLinkUrl);
-        } elseif ($activeTenant instanceof Tenant) {
+        } elseif ($activeTenant instanceof Tenant && (int) $activeTenant->getKey() === $runTenantId) {
             $actions[] = Action::make('operate_hub_back_to_tenant_run_detail')
                 ->label('← Back to '.$activeTenant->name)
                 ->color('gray')
@@ -102,14 +125,7 @@ protected function getHeaderActions(): array
             return $actions;
         }
 
-        $user = auth()->user();
-        $tenant = $this->run->tenant;
-
-        if ($tenant instanceof Tenant && (! $user instanceof User || ! app(CapabilityResolver::class)->isMember($user, $tenant))) {
-            $tenant = null;
-        }
-
-        $related = OperationRunLinks::related($this->run, $tenant);
+        $related = $this->relatedLinks();
 
         $relatedActions = [];
 
@@ -163,13 +179,126 @@ public function redactionIntegrityNote(): ?string
         return isset($this->run) ? RedactionIntegrity::noteForRun($this->run) : null;
     }
 
-    public function pollInterval(): ?string
+    /**
+     * @return array{tone: string, title: string, body: string}|null
+     */
+    public function blockedExecutionBanner(): ?array
+    {
+        if (! isset($this->run) || (string) $this->run->outcome !== 'blocked') {
+            return null;
+        }
+
+        $operatorExplanation = $this->governanceOperatorExplanation();
+        $reasonEnvelope = app(ReasonPresenter::class)->forOperationRun($this->run, 'run_detail');
+        $lines = $operatorExplanation instanceof OperatorExplanationPattern
+            ? array_values(array_filter([
+                $operatorExplanation->headline,
+                $operatorExplanation->dominantCauseExplanation,
+            ]))
+            : ($reasonEnvelope?->toBodyLines(false) ?? [
+                $this->surfaceFailureDetail() ?? 'The queued run was refused before side effects could begin.',
+            ]);
+
+        return [
+            'tone' => 'amber',
+            'title' => 'Blocked by prerequisite',
+            'body' => implode(' ', array_values(array_unique($lines))),
+        ];
+    }
+
+    /**
+     * @return array{tone: string, title: string, body: string}|null
+     */
+    public function lifecycleBanner(): ?array
     {
         if (! isset($this->run)) {
             return null;
         }
 
-        if ($this->opsUxIsTabHidden === true) {
+        $attention = $this->lifecycleAttentionSummary();
+
+        if ($attention === null) {
+            return null;
+        }
+
+        $detail = $this->surfaceFailureDetail() ?? 'Lifecycle truth needs operator review.';
+
+        return match ($this->run->freshnessState()->value) {
+            'likely_stale' => [
+                'tone' => 'amber',
+                'title' => 'Likely stale run',
+                'body' => $detail,
+            ],
+            'reconciled_failed' => [
+                'tone' => 'rose',
+                'title' => 'Automatically reconciled',
+                'body' => $detail,
+            ],
+            default => null,
+        };
+    }
+
+    /**
+     * @return array{tone: string, title: string, body: string}|null
+     */
+    public function canonicalContextBanner(): ?array
+    {
+        if (! isset($this->run)) {
+            return null;
+        }
+
+        $activeTenant = app(OperateHubShell::class)->activeEntitledTenant(request());
+        $runTenant = $this->run->tenant;
+
+        if (! $runTenant instanceof Tenant) {
+            return [
+                'tone' => 'slate',
+                'title' => 'Workspace-level run',
+                'body' => $activeTenant instanceof Tenant
+                    ? 'This canonical workspace view is not tied to the current tenant context ('.$activeTenant->name.').'
+                    : 'This canonical workspace view is not tied to any tenant.',
+            ];
+        }
+
+        $messages = ['Run tenant: '.$runTenant->name.'.'];
+        $tone = 'sky';
+        $title = null;
+
+        if ($activeTenant instanceof Tenant && ! $activeTenant->is($runTenant)) {
+            $title = 'Current tenant context differs from this run';
+            array_unshift($messages, 'Current tenant context: '.$activeTenant->name.'.');
+            $messages[] = 'This canonical workspace view remains valid without switching tenant context.';
+        }
+
+        $referencedTenant = ReferencedTenantLifecyclePresentation::forOperationRun($runTenant);
+
+        if ($selectorAvailabilityMessage = $referencedTenant->selectorAvailabilityMessage()) {
+            $title ??= 'Run tenant is not available in the current tenant selector';
+            $tone = 'amber';
+            $messages[] = $selectorAvailabilityMessage;
+
+            if ($referencedTenant->contextNote !== null) {
+                $messages[] = $referencedTenant->contextNote;
+            }
+        } elseif (! $activeTenant instanceof Tenant) {
+            $title ??= 'Canonical workspace view';
+            $messages[] = 'No tenant context is currently selected.';
+        }
+
+        if ($title === null) {
+            return null;
+        }
+
+        return [
+            'tone' => $tone,
+            'title' => $title,
+            'body' => implode(' ', $messages),
+        ];
+    }
+
+    public function pollInterval(): ?string
+    {
+        if (! isset($this->run)) {
             return null;
         }
 
@@ -313,4 +442,77 @@ private function canResumeCapture(): bool
         return $resolver->isMember($user, $workspace)
             && $resolver->can($user, $workspace, Capabilities::WORKSPACE_BASELINES_MANAGE);
     }
+
+    private function relatedLinksTenant(): ?Tenant
+    {
+        if (! isset($this->run)) {
+            return null;
+        }
+
+        $user = auth()->user();
+        $tenant = $this->run->tenant;
+
+        if (! $tenant instanceof Tenant || ! $user instanceof User) {
+            return null;
+        }
+
+        if (! app(CapabilityResolver::class)->isMember($user, $tenant)) {
+            return null;
+        }
+
+        return app(TenantOperabilityService::class)->outcomeFor(
+            tenant: $tenant,
+            question: TenantOperabilityQuestion::SelectorEligibility,
+            actor: $user,
+            workspaceId: (int) ($this->run->workspace_id ?? 0),
+            lane: TenantInteractionLane::StandardActiveOperating,
+        )->allowed ? $tenant : null;
+    }
+
+    private function governanceOperatorExplanation(): ?OperatorExplanationPattern
+    {
+        if (! isset($this->run) || ! $this->run->supportsOperatorExplanation()) {
+            return null;
+        }
+
+        return OperationUxPresenter::governanceOperatorExplanation($this->run);
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    private function relatedLinks(bool $fresh = false): array
+    {
+        if (! isset($this->run)) {
+            return [];
+        }
+
+        $resolver = app(RelatedNavigationResolver::class);
+
+        return $fresh
+            ? $resolver->operationLinksFresh($this->run, $this->relatedLinksTenant())
+            : $resolver->operationLinks($this->run, $this->relatedLinksTenant());
+    }
+
+    private function lifecycleAttentionSummary(bool $fresh = false): ?string
+    {
+        if (! isset($this->run)) {
+            return null;
+        }
+
+        return $fresh
+            ? OperationUxPresenter::lifecycleAttentionSummaryFresh($this->run)
+            : OperationUxPresenter::lifecycleAttentionSummary($this->run);
+    }
+
+    private function surfaceFailureDetail(bool $fresh = false): ?string
+    {
+        if (! isset($this->run)) {
+            return null;
+        }
+
+        return $fresh
+            ? OperationUxPresenter::surfaceFailureDetailFresh($this->run)
+            : OperationUxPresenter::surfaceFailureDetail($this->run);
+    }
 }

app/Filament/Pages/Reviews/ReviewRegister.php

@@ -0,0 +1,336 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Pages\Reviews;
+
+use App\Filament\Resources\TenantReviewResource;
+use App\Models\Tenant;
+use App\Models\TenantReview;
+use App\Models\User;
+use App\Models\Workspace;
+use App\Services\TenantReviews\TenantReviewRegisterService;
+use App\Support\Auth\Capabilities;
+use App\Support\Badges\BadgeCatalog;
+use App\Support\Badges\BadgeDomain;
+use App\Support\Badges\BadgeRenderer;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
+use App\Support\Filament\FilterPresets;
+use App\Support\Filament\TablePaginationProfiles;
+use App\Support\TenantReviewCompletenessState;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
+use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthEnvelope;
+use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthPresenter;
+use App\Support\Workspaces\WorkspaceContext;
+use BackedEnum;
+use Filament\Actions\Action;
+use Filament\Pages\Page;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Concerns\InteractsWithTable;
+use Filament\Tables\Contracts\HasTable;
+use Filament\Tables\Filters\SelectFilter;
+use Filament\Tables\Table;
+use Illuminate\Database\Eloquent\Builder;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use UnitEnum;
+
+class ReviewRegister extends Page implements HasTable
+{
+    use InteractsWithTable;
+
+    protected static bool $isDiscovered = false;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-document-magnifying-glass';
+
+    protected static string|UnitEnum|null $navigationGroup = 'Reporting';
+
+    protected static ?string $navigationLabel = 'Reviews';
+
+    protected static ?string $title = 'Review Register';
+
+    protected static ?string $slug = 'reviews';
+
+    protected string $view = 'filament.pages.reviews.review-register';
+
+    /**
+     * @var array<int, Tenant>|null
+     */
+    private ?array $authorizedTenants = null;
+
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog, ActionSurfaceType::ReadOnlyRegistryReport)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions provide a single Clear filters action for the canonical review register.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The review register does not expose bulk actions in the first slice.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state keeps exactly one Clear filters CTA.')
+            ->exempt(ActionSurfaceSlot::DetailHeader, 'Row navigation returns to the tenant-scoped review detail rather than opening an inline canonical detail panel.');
+    }
+
+    public function mount(): void
+    {
+        $this->authorizePageAccess();
+
+        app(CanonicalAdminTenantFilterState::class)->sync(
+            $this->getTableFiltersSessionKey(),
+            ['status', 'published_state', 'completeness_state'],
+            request(),
+        );
+
+        $this->applyRequestedTenantPrefilter();
+        $this->mountInteractsWithTable();
+    }
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            Action::make('clear_filters')
+                ->label('Clear filters')
+                ->icon('heroicon-o-x-mark')
+                ->color('gray')
+                ->visible(fn (): bool => $this->hasActiveFilters())
+                ->action(function (): void {
+                    $this->resetTable();
+                }),
+        ];
+    }
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->query(fn (): Builder => $this->registerQuery())
+            ->defaultSort('generated_at', 'desc')
+            ->paginated(TablePaginationProfiles::customPage())
+            ->persistFiltersInSession()
+            ->persistSearchInSession()
+            ->persistSortInSession()
+            ->recordUrl(fn (TenantReview $record): string => TenantReviewResource::tenantScopedUrl('view', ['record' => $record], $record->tenant, 'tenant'))
+            ->columns([
+                TextColumn::make('tenant.name')->label('Tenant')->searchable(),
+                TextColumn::make('status')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewStatus))
+                    ->color(BadgeRenderer::color(BadgeDomain::TenantReviewStatus))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewStatus))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewStatus)),
+                TextColumn::make('artifact_truth')
+                    ->label('Artifact truth')
+                    ->badge()
+                    ->getStateUsing(fn (TenantReview $record): string => $this->reviewTruth($record)->primaryLabel)
+                    ->color(fn (TenantReview $record): string => $this->reviewTruth($record)->primaryBadgeSpec()->color)
+                    ->icon(fn (TenantReview $record): ?string => $this->reviewTruth($record)->primaryBadgeSpec()->icon)
+                    ->iconColor(fn (TenantReview $record): ?string => $this->reviewTruth($record)->primaryBadgeSpec()->iconColor)
+                    ->description(fn (TenantReview $record): ?string => $this->reviewTruth($record)->operatorExplanation?->headline ?? $this->reviewTruth($record)->primaryExplanation)
+                    ->wrap(),
+                TextColumn::make('completeness_state')
+                    ->label('Completeness')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewCompleteness))
+                    ->color(BadgeRenderer::color(BadgeDomain::TenantReviewCompleteness))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewCompleteness))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewCompleteness)),
+                TextColumn::make('generated_at')->dateTime()->placeholder('—')->sortable(),
+                TextColumn::make('published_at')->dateTime()->placeholder('—')->sortable(),
+                TextColumn::make('publication_truth')
+                    ->label('Publication')
+                    ->badge()
+                    ->getStateUsing(fn (TenantReview $record): string => BadgeCatalog::spec(
+                        BadgeDomain::GovernanceArtifactPublicationReadiness,
+                        $this->reviewTruth($record)->publicationReadiness ?? 'internal_only',
+                    )->label)
+                    ->color(fn (TenantReview $record): string => BadgeCatalog::spec(
+                        BadgeDomain::GovernanceArtifactPublicationReadiness,
+                        $this->reviewTruth($record)->publicationReadiness ?? 'internal_only',
+                    )->color)
+                    ->icon(fn (TenantReview $record): ?string => BadgeCatalog::spec(
+                        BadgeDomain::GovernanceArtifactPublicationReadiness,
+                        $this->reviewTruth($record)->publicationReadiness ?? 'internal_only',
+                    )->icon)
+                    ->iconColor(fn (TenantReview $record): ?string => BadgeCatalog::spec(
+                        BadgeDomain::GovernanceArtifactPublicationReadiness,
+                        $this->reviewTruth($record)->publicationReadiness ?? 'internal_only',
+                    )->iconColor),
+                TextColumn::make('artifact_next_step')
+                    ->label('Next step')
+                    ->getStateUsing(fn (TenantReview $record): string => $this->reviewTruth($record)->operatorExplanation?->nextActionText ?? $this->reviewTruth($record)->nextStepText())
+                    ->wrap(),
+            ])
+            ->filters([
+                SelectFilter::make('tenant_id')
+                    ->label('Tenant')
+                    ->options(fn (): array => $this->tenantFilterOptions())
+                    ->default(fn (): ?string => $this->defaultTenantFilter())
+                    ->searchable(),
+                SelectFilter::make('status')
+                    ->options([
+                        'draft' => 'Draft',
+                        'ready' => 'Ready',
+                        'published' => 'Published',
+                        'archived' => 'Archived',
+                        'superseded' => 'Superseded',
+                        'failed' => 'Failed',
+                    ]),
+                SelectFilter::make('completeness_state')
+                    ->label('Completeness')
+                    ->options(BadgeCatalog::options(BadgeDomain::TenantReviewCompleteness, TenantReviewCompletenessState::values())),
+                SelectFilter::make('published_state')
+                    ->label('Published state')
+                    ->options([
+                        'published' => 'Published',
+                        'unpublished' => 'Not published',
+                    ])
+                    ->query(function (Builder $query, array $data): Builder {
+                        return match ($data['value'] ?? null) {
+                            'published' => $query->whereNotNull('published_at'),
+                            'unpublished' => $query->whereNull('published_at'),
+                            default => $query,
+                        };
+                    }),
+                FilterPresets::dateRange('review_date', 'Review date', 'generated_at'),
+            ])
+            ->actions([
+                Action::make('export_executive_pack')
+                    ->label('Export executive pack')
+                    ->icon('heroicon-o-arrow-down-tray')
+                    ->visible(fn (TenantReview $record): bool => auth()->user() instanceof User
+                        && auth()->user()->can(Capabilities::TENANT_REVIEW_MANAGE, $record->tenant)
+                        && in_array($record->status, ['ready', 'published'], true))
+                    ->action(fn (TenantReview $record): mixed => TenantReviewResource::executeExport($record)),
+            ])
+            ->bulkActions([])
+            ->emptyStateHeading('No review records match this view')
+            ->emptyStateDescription('Clear the current filters to return to the full review register for your entitled tenants.')
+            ->emptyStateActions([
+                Action::make('clear_filters_empty')
+                    ->label('Clear filters')
+                    ->icon('heroicon-o-x-mark')
+                    ->color('gray')
+                    ->action(fn (): mixed => $this->resetTable()),
+            ]);
+    }
+
+    /**
+     * @return array<int, Tenant>
+     */
+    public function authorizedTenants(): array
+    {
+        if ($this->authorizedTenants !== null) {
+            return $this->authorizedTenants;
+        }
+
+        $user = auth()->user();
+        $workspace = $this->workspace();
+
+        if (! $user instanceof User || ! $workspace instanceof Workspace) {
+            return $this->authorizedTenants = [];
+        }
+
+        return $this->authorizedTenants = app(TenantReviewRegisterService::class)->authorizedTenants($user, $workspace);
+    }
+
+    private function authorizePageAccess(): void
+    {
+        $user = auth()->user();
+        $workspace = $this->workspace();
+
+        if (! $user instanceof User) {
+            abort(403);
+        }
+
+        if (! $workspace instanceof Workspace) {
+            throw new NotFoundHttpException;
+        }
+
+        $service = app(TenantReviewRegisterService::class);
+
+        if (! $service->canAccessWorkspace($user, $workspace)) {
+            throw new NotFoundHttpException;
+        }
+
+        if ($this->authorizedTenants() === []) {
+            throw new NotFoundHttpException;
+        }
+    }
+
+    private function registerQuery(): Builder
+    {
+        $user = auth()->user();
+        $workspace = $this->workspace();
+
+        if (! $user instanceof User || ! $workspace instanceof Workspace) {
+            return TenantReview::query()->whereRaw('1 = 0');
+        }
+
+        return app(TenantReviewRegisterService::class)->query($user, $workspace);
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    private function tenantFilterOptions(): array
+    {
+        return collect($this->authorizedTenants())
+            ->mapWithKeys(static fn (Tenant $tenant): array => [
+                (string) $tenant->getKey() => $tenant->name,
+            ])
+            ->all();
+    }
+
+    private function defaultTenantFilter(): ?string
+    {
+        $tenantId = app(WorkspaceContext::class)->lastTenantId(request());
+
+        return is_int($tenantId) && array_key_exists($tenantId, $this->authorizedTenants())
+            ? (string) $tenantId
+            : null;
+    }
+
+    private function applyRequestedTenantPrefilter(): void
+    {
+        $requestedTenant = request()->query('tenant');
+
+        if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
+            return;
+        }
+
+        foreach ($this->authorizedTenants() as $tenant) {
+            if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
+                continue;
+            }
+
+            $this->tableFilters['tenant_id']['value'] = (string) $tenant->getKey();
+            $this->tableDeferredFilters['tenant_id']['value'] = (string) $tenant->getKey();
+
+            return;
+        }
+    }
+
+    private function hasActiveFilters(): bool
+    {
+        $filters = array_filter((array) $this->tableFilters);
+
+        return $filters !== [];
+    }
+
+    private function workspace(): ?Workspace
+    {
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
+
+        return is_numeric($workspaceId)
+            ? Workspace::query()->whereKey((int) $workspaceId)->first()
+            : null;
+    }
+
+    private function reviewTruth(TenantReview $record, bool $fresh = false): ArtifactTruthEnvelope
+    {
+        $presenter = app(ArtifactTruthPresenter::class);
+
+        return $fresh
+            ? $presenter->forTenantReviewFresh($record)
+            : $presenter->forTenantReview($record);
+    }
+}

app/Filament/Pages/TenantDiagnostics.php

@@ -4,7 +4,7 @@
 
 namespace App\Filament\Pages;
 
-use App\Models\Tenant;
+use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Models\TenantMembership;
 use App\Models\User;
 use App\Services\Auth\TenantDiagnosticsService;
@@ -12,24 +12,39 @@
 use App\Support\Auth\Capabilities;
 use App\Support\Rbac\UiEnforcement;
 use App\Support\Rbac\UiTooltips;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use Filament\Actions\Action;
 use Filament\Pages\Page;
 
 class TenantDiagnostics extends Page
 {
+    use ResolvesPanelTenantContext;
+
     protected static bool $shouldRegisterNavigation = false;
 
     protected static ?string $slug = 'diagnostics';
 
     protected string $view = 'filament.pages.tenant-diagnostics';
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header exposes capability-gated tenant repair actions when inconsistent membership state is detected.')
+            ->exempt(ActionSurfaceSlot::InspectAffordance, 'Tenant diagnostics is already the singleton diagnostic surface for the active tenant.')
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'The diagnostics page does not render row-level secondary actions.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The diagnostics page does not expose bulk actions.')
+            ->exempt(ActionSurfaceSlot::ListEmptyState, 'Diagnostics content is always rendered instead of a list-style empty state.');
+    }
+
     public bool $missingOwner = false;
 
     public bool $hasDuplicateMembershipsForCurrentUser = false;
 
     public function mount(): void
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanelOrFail();
         $tenantId = (int) $tenant->getKey();
 
         $this->missingOwner = ! TenantMembership::query()
@@ -80,7 +95,7 @@ protected function getHeaderActions(): array
 
     public function bootstrapOwner(): void
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanelOrFail();
 
         $user = auth()->user();
         if (! $user instanceof User) {
@@ -94,7 +109,7 @@ public function bootstrapOwner(): void
 
     public function mergeDuplicateMemberships(): void
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanelOrFail();
 
         $user = auth()->user();
         if (! $user instanceof User) {

app/Filament/Pages/TenantRequiredPermissions.php

@@ -10,8 +10,13 @@
 use App\Models\User;
 use App\Models\WorkspaceMembership;
 use App\Services\Intune\TenantRequiredPermissionsViewModelBuilder;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use App\Support\Workspaces\WorkspaceContext;
 use Filament\Pages\Page;
+use Livewire\Attributes\Locked;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
 class TenantRequiredPermissions extends Page
 {
@@ -25,6 +30,16 @@ class TenantRequiredPermissions extends Page
 
     protected string $view = 'filament.pages.tenant-required-permissions';
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
+            ->exempt(ActionSurfaceSlot::ListHeader, 'Required permissions keeps guidance, copy flows, and filter reset actions inside body sections instead of page header actions.')
+            ->exempt(ActionSurfaceSlot::InspectAffordance, 'Required permissions rows are reviewed inline inside the diagnostic matrix and do not open a separate inspect destination.')
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Permission rows are read-only and do not expose row-level secondary actions.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Required permissions does not expose bulk actions.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The inline permissions matrix provides purposeful no-data, all-clear, and no-matches states with verification or reset guidance.');
+    }
+
     public string $status = 'missing';
 
     public string $type = 'all';
@@ -41,7 +56,8 @@ class TenantRequiredPermissions extends Page
      */
     public array $viewModel = [];
 
-    public ?Tenant $scopedTenant = null;
+    #[Locked]
+    public ?int $scopedTenantId = null;
 
     public static function canAccess(): bool
     {
@@ -50,7 +66,7 @@ public static function canAccess(): bool
 
     public function currentTenant(): ?Tenant
     {
-        return $this->scopedTenant;
+        return $this->trustedScopedTenant();
     }
 
     public function mount(): void
@@ -61,7 +77,9 @@ public function mount(): void
             abort(404);
         }
 
-        $this->scopedTenant = $tenant;
+        $this->scopedTenantId = (int) $tenant->getKey();
+        $this->heading = $tenant->getFilamentName();
+        $this->subheading = 'Required permissions';
 
         $queryFeatures = request()->query('features', $this->features);
 
@@ -141,7 +159,7 @@ public function resetFilters(): void
 
     private function refreshViewModel(): void
     {
-        $tenant = $this->scopedTenant;
+        $tenant = $this->trustedScopedTenant();
 
         if (! $tenant instanceof Tenant) {
             $this->viewModel = [];
@@ -170,7 +188,7 @@ private function refreshViewModel(): void
 
     public function reRunVerificationUrl(): string
     {
-        $tenant = $this->scopedTenant;
+        $tenant = $this->trustedScopedTenant();
 
         if ($tenant instanceof Tenant) {
             return TenantResource::getUrl('view', ['record' => $tenant]);
@@ -181,7 +199,7 @@ public function reRunVerificationUrl(): string
 
     public function manageProviderConnectionUrl(): ?string
     {
-        $tenant = $this->scopedTenant;
+        $tenant = $this->trustedScopedTenant();
 
         if (! $tenant instanceof Tenant) {
             return null;
@@ -232,4 +250,47 @@ private static function hasScopedTenantAccess(?Tenant $tenant): bool
 
         return $user->canAccessTenant($tenant);
     }
+
+    private function trustedScopedTenant(): ?Tenant
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            return null;
+        }
+
+        $workspaceContext = app(WorkspaceContext::class);
+
+        try {
+            $workspace = $workspaceContext->currentWorkspaceForMemberOrFail($user, request());
+        } catch (NotFoundHttpException) {
+            return null;
+        }
+
+        $routeTenant = static::resolveScopedTenant();
+
+        if ($routeTenant instanceof Tenant) {
+            try {
+                return $workspaceContext->ensureTenantAccessibleInCurrentWorkspace($routeTenant, $user, request());
+            } catch (NotFoundHttpException) {
+                return null;
+            }
+        }
+
+        if ($this->scopedTenantId === null) {
+            return null;
+        }
+
+        $tenant = Tenant::query()->withTrashed()->whereKey($this->scopedTenantId)->first();
+
+        if (! $tenant instanceof Tenant) {
+            return null;
+        }
+
+        try {
+            return $workspaceContext->ensureTenantAccessibleInCurrentWorkspace($tenant, $user, request());
+        } catch (NotFoundHttpException) {
+            return null;
+        }
+    }
 }

app/Filament/Pages/Workspaces/ManagedTenantsLanding.php

@@ -5,10 +5,14 @@
 namespace App\Filament\Pages\Workspaces;
 
 use App\Filament\Pages\ChooseTenant;
-use App\Filament\Pages\TenantDashboard;
+use App\Filament\Resources\TenantResource;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Models\Workspace;
+use App\Services\Tenants\TenantOperabilityService;
+use App\Support\Tenants\TenantInteractionLane;
+use App\Support\Tenants\TenantOperabilityQuestion;
+use App\Support\Workspaces\WorkspaceContext;
 use Filament\Pages\Page;
 use Illuminate\Database\Eloquent\Collection;
 
@@ -54,11 +58,25 @@ public function getTenants(): Collection
             return Tenant::query()->whereRaw('1 = 0')->get();
         }
 
-        return $user->tenants()
+        $tenantIds = $user->tenantMemberships()
+            ->pluck('tenant_id');
+
+        return Tenant::query()
+            ->withTrashed()
+            ->whereIn('id', $tenantIds)
             ->where('workspace_id', $this->workspace->getKey())
-            ->where('status', 'active')
             ->orderBy('name')
-            ->get();
+            ->get()
+            ->filter(function (Tenant $tenant) use ($user): bool {
+                return app(TenantOperabilityService::class)->outcomeFor(
+                    tenant: $tenant,
+                    question: TenantOperabilityQuestion::AdministrativeDiscoverability,
+                    actor: $user,
+                    workspaceId: app(WorkspaceContext::class)->currentWorkspaceId(request()),
+                    lane: TenantInteractionLane::AdministrativeManagement,
+                )->allowed;
+            })
+            ->values();
     }
 
     public function goToChooseTenant(): void
@@ -75,7 +93,7 @@ public function openTenant(int $tenantId): void
         }
 
         $tenant = Tenant::query()
-            ->where('status', 'active')
+            ->withTrashed()
             ->where('workspace_id', $this->workspace->getKey())
             ->whereKey($tenantId)
             ->first();
@@ -88,6 +106,6 @@ public function openTenant(int $tenantId): void
             abort(404);
         }
 
-        $this->redirect(TenantDashboard::getUrl(panel: 'tenant', tenant: $tenant));
+        $this->redirect(TenantResource::getUrl('view', ['record' => $tenant]));
     }
 }

app/Filament/Resources/AlertDeliveryResource.php

@@ -19,10 +19,10 @@
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions\Action;
-use Filament\Actions\ViewAction;
 use Filament\Facades\Filament;
 use Filament\Infolists\Components\TextEntry;
 use Filament\Infolists\Components\ViewEntry;
@@ -91,7 +91,7 @@ public static function canView(Model $record): bool
 
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
-        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::ListOnlyReadOnly)
+        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::ListOnlyReadOnly, ActionSurfaceType::ReadOnlyRegistryReport)
             ->exempt(ActionSurfaceSlot::ListHeader, 'Read-only history list intentionally has no list-header actions.')
             ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
             ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'No secondary row actions are exposed for read-only deliveries.')
@@ -322,9 +322,7 @@ public static function table(Table $table): Table
                     }),
                 FilterPresets::dateRange('created_at', 'Created', 'created_at'),
             ])
-            ->actions([
-                ViewAction::make()->label('View'),
-            ])
+            ->actions([])
             ->bulkActions([])
             ->emptyStateHeading('No alert deliveries')
             ->emptyStateDescription('Deliveries appear automatically when alert rules fire.')

app/Filament/Resources/AlertDeliveryResource/Pages/ListAlertDeliveries.php

@@ -5,7 +5,7 @@
 namespace App\Filament\Resources\AlertDeliveryResource\Pages;
 
 use App\Filament\Resources\AlertDeliveryResource;
-use App\Models\Tenant;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
 use App\Support\OperateHub\OperateHubShell;
 use Filament\Resources\Pages\ListRecords;
 
@@ -15,21 +15,7 @@ class ListAlertDeliveries extends ListRecords
 
     public function mount(): void
     {
-        $activeTenant = app(OperateHubShell::class)->activeEntitledTenant(request());
-
-        if ($activeTenant instanceof Tenant) {
-            $filtersSessionKey = $this->getTableFiltersSessionKey();
-            $persistedFilters = session()->get($filtersSessionKey, []);
-
-            if (! is_array($persistedFilters)) {
-                $persistedFilters = [];
-            }
-
-            if (! is_string(data_get($persistedFilters, 'tenant_id.value'))) {
-                data_set($persistedFilters, 'tenant_id.value', (string) $activeTenant->getKey());
-                session()->put($filtersSessionKey, $persistedFilters);
-            }
-        }
+        app(CanonicalAdminTenantFilterState::class)->sync($this->getTableFiltersSessionKey(), request: request());
 
         parent::mount();
     }

app/Filament/Resources/AlertDestinationResource.php

@@ -18,8 +18,6 @@
 use BackedEnum;
 use Filament\Actions\Action;
 use Filament\Actions\ActionGroup;
-use Filament\Actions\BulkActionGroup;
-use Filament\Actions\EditAction;
 use Filament\Facades\Filament;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\TagsInput;
@@ -191,9 +189,6 @@ public static function table(Table $table): Table
                     ->since(),
             ])
             ->actions([
-                EditAction::make()
-                    ->label('Edit')
-                    ->visible(fn (AlertDestination $record): bool => static::canEdit($record)),
                 ActionGroup::make([
                     Action::make('toggle_enabled')
                         ->label(fn (AlertDestination $record): string => $record->is_enabled ? 'Disable' : 'Enable')
@@ -253,9 +248,6 @@ public static function table(Table $table): Table
                         }),
                 ])->label('More'),
             ])
-            ->bulkActions([
-                BulkActionGroup::make([])->label('More'),
-            ])
             ->emptyStateActions([
                 \Filament\Actions\CreateAction::make()
                     ->label('Create target')

app/Filament/Resources/AlertRuleResource.php

@@ -20,8 +20,6 @@
 use BackedEnum;
 use Filament\Actions\Action;
 use Filament\Actions\ActionGroup;
-use Filament\Actions\BulkActionGroup;
-use Filament\Actions\EditAction;
 use Filament\Facades\Filament;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\TextInput;
@@ -248,9 +246,6 @@ public static function table(Table $table): Table
                     ->color(fn (bool $state): string => $state ? 'success' : 'gray'),
             ])
             ->actions([
-                EditAction::make()
-                    ->label('Edit')
-                    ->visible(fn (AlertRule $record): bool => static::canEdit($record)),
                 ActionGroup::make([
                     Action::make('toggle_enabled')
                         ->label(fn (AlertRule $record): string => $record->is_enabled ? 'Disable' : 'Enable')
@@ -311,9 +306,6 @@ public static function table(Table $table): Table
                         }),
                 ])->label('More'),
             ])
-            ->bulkActions([
-                BulkActionGroup::make([])->label('More'),
-            ])
             ->emptyStateHeading('No alert rules')
             ->emptyStateDescription('Create a rule to route notifications when monitored events fire.')
             ->emptyStateIcon('heroicon-o-bell');

app/Filament/Resources/BackupScheduleResource.php

@@ -3,6 +3,8 @@
 namespace App\Filament\Resources;
 
 use App\Exceptions\InvalidPolicyTypeException;
+use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
+use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Filament\Resources\BackupScheduleResource\Pages;
 use App\Filament\Resources\BackupScheduleResource\RelationManagers\BackupScheduleOperationRunsRelationManager;
 use App\Jobs\RunBackupScheduleJob;
@@ -30,6 +32,7 @@
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use BackedEnum;
 use DateTimeZone;
 use Filament\Actions\Action;
@@ -37,7 +40,7 @@
 use Filament\Actions\BulkAction;
 use Filament\Actions\BulkActionGroup;
 use Filament\Actions\CreateAction;
-use Filament\Actions\EditAction;
+use Filament\Facades\Filament;
 use Filament\Forms\Components\CheckboxList;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\TextInput;
@@ -62,6 +65,9 @@
 
 class BackupScheduleResource extends Resource
 {
+    use InteractsWithTenantOwnedRecords;
+    use ResolvesPanelTenantContext;
+
     protected static ?string $model = BackupSchedule::class;
 
     protected static ?string $tenantOwnershipRelationshipName = 'tenant';
@@ -70,9 +76,18 @@ class BackupScheduleResource extends Resource
 
     protected static string|UnitEnum|null $navigationGroup = 'Backups & Restore';
 
+    public static function shouldRegisterNavigation(): bool
+    {
+        if (Filament::getCurrentPanel()?->getId() === 'admin') {
+            return false;
+        }
+
+        return parent::shouldRegisterNavigation();
+    }
+
     public static function canViewAny(): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         $user = auth()->user();
 
@@ -88,7 +103,7 @@ public static function canViewAny(): bool
 
     public static function canView(Model $record): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         $user = auth()->user();
 
@@ -112,7 +127,7 @@ public static function canView(Model $record): bool
 
     public static function canCreate(): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         $user = auth()->user();
 
@@ -128,7 +143,7 @@ public static function canCreate(): bool
 
     public static function canEdit(Model $record): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         $user = auth()->user();
 
@@ -144,7 +159,7 @@ public static function canEdit(Model $record): bool
 
     public static function canDelete(Model $record): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         $user = auth()->user();
 
@@ -160,7 +175,7 @@ public static function canDelete(Model $record): bool
 
     public static function canDeleteAny(): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         $user = auth()->user();
 
@@ -176,11 +191,11 @@ public static function canDeleteAny(): bool
 
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
-        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndEdit)
+        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndEdit, ActionSurfaceType::CrudListFirstResource)
             ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions include capability-gated create.')
             ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
-            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Row-level secondary actions are grouped under "More".')
-            ->satisfy(ActionSurfaceSlot::ListBulkMoreGroup, 'Bulk actions are grouped under "More".')
+            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Row-level secondary actions are grouped under "More" in workflow-first, destructive-last order.')
+            ->satisfy(ActionSurfaceSlot::ListBulkMoreGroup, 'Bulk actions are grouped under "More" in workflow-first, destructive-last order.')
             ->satisfy(ActionSurfaceSlot::ListEmptyState, 'List page defines a capability-gated empty-state create CTA.')
             ->satisfy(ActionSurfaceSlot::DetailHeader, 'Edit page provides save/cancel controls.');
     }
@@ -421,7 +436,7 @@ public static function table(Table $table): Table
                             ->color('success')
                             ->visible(fn (BackupSchedule $record): bool => ! $record->trashed())
                             ->action(function (BackupSchedule $record, HasTable $livewire): void {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
 
                                 if (! $tenant instanceof Tenant) {
                                     Notification::make()
@@ -492,7 +507,7 @@ public static function table(Table $table): Table
                             ->color('warning')
                             ->visible(fn (BackupSchedule $record): bool => ! $record->trashed())
                             ->action(function (BackupSchedule $record, HasTable $livewire): void {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
 
                                 if (! $tenant instanceof Tenant) {
                                     Notification::make()
@@ -557,8 +572,45 @@ public static function table(Table $table): Table
                         ->requireCapability(Capabilities::TENANT_BACKUP_SCHEDULES_RUN)
                         ->apply(),
                     UiEnforcement::forAction(
-                        EditAction::make()
+                        Action::make('restore')
+                            ->label('Restore')
+                            ->icon('heroicon-o-arrow-uturn-left')
+                            ->color('success')
+                            ->visible(fn (BackupSchedule $record): bool => $record->trashed())
+                            ->action(function (BackupSchedule $record, AuditLogger $auditLogger): void {
+                                $record = static::resolveProtectedScheduleRecordOrFail($record);
+
+                                Gate::authorize('restore', $record);
+
+                                if (! $record->trashed()) {
+                                    return;
+                                }
+
+                                $record->restore();
+
+                                if ($record->tenant instanceof Tenant) {
+                                    $auditLogger->log(
+                                        tenant: $record->tenant,
+                                        action: 'backup_schedule.restored',
+                                        resourceType: 'backup_schedule',
+                                        resourceId: (string) $record->getKey(),
+                                        status: 'success',
+                                        context: [
+                                            'metadata' => [
+                                                'backup_schedule_id' => $record->getKey(),
+                                                'backup_schedule_name' => $record->name,
+                                            ],
+                                        ],
+                                    );
+                                }
+
+                                Notification::make()
+                                    ->title('Backup schedule restored')
+                                    ->success()
+                                    ->send();
+                            })
                     )
+                        ->preserveVisibility()
                         ->requireCapability(Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE)
                         ->apply(),
                     UiEnforcement::forAction(
@@ -566,8 +618,11 @@ public static function table(Table $table): Table
                             ->label('Archive')
                             ->icon('heroicon-o-archive-box-x-mark')
                             ->color('danger')
+                            ->requiresConfirmation()
                             ->visible(fn (BackupSchedule $record): bool => ! $record->trashed())
                             ->action(function (BackupSchedule $record, AuditLogger $auditLogger): void {
+                                $record = static::resolveProtectedScheduleRecordOrFail($record);
+
                                 Gate::authorize('delete', $record);
 
                                 if ($record->trashed()) {
@@ -602,53 +657,16 @@ public static function table(Table $table): Table
                         ->requireCapability(Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE)
                         ->destructive()
                         ->apply(),
-                    UiEnforcement::forAction(
-                        Action::make('restore')
-                            ->label('Restore')
-                            ->icon('heroicon-o-arrow-uturn-left')
-                            ->color('success')
-                            ->visible(fn (BackupSchedule $record): bool => $record->trashed())
-                            ->action(function (BackupSchedule $record, AuditLogger $auditLogger): void {
-                                Gate::authorize('restore', $record);
-
-                                if (! $record->trashed()) {
-                                    return;
-                                }
-
-                                $record->restore();
-
-                                if ($record->tenant instanceof Tenant) {
-                                    $auditLogger->log(
-                                        tenant: $record->tenant,
-                                        action: 'backup_schedule.restored',
-                                        resourceType: 'backup_schedule',
-                                        resourceId: (string) $record->getKey(),
-                                        status: 'success',
-                                        context: [
-                                            'metadata' => [
-                                                'backup_schedule_id' => $record->getKey(),
-                                                'backup_schedule_name' => $record->name,
-                                            ],
-                                        ],
-                                    );
-                                }
-
-                                Notification::make()
-                                    ->title('Backup schedule restored')
-                                    ->success()
-                                    ->send();
-                            })
-                    )
-                        ->preserveVisibility()
-                        ->requireCapability(Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE)
-                        ->apply(),
                     UiEnforcement::forAction(
                         Action::make('forceDelete')
                             ->label('Force delete')
                             ->icon('heroicon-o-trash')
                             ->color('danger')
+                            ->requiresConfirmation()
                             ->visible(fn (BackupSchedule $record): bool => $record->trashed())
                             ->action(function (BackupSchedule $record, AuditLogger $auditLogger): void {
+                                $record = static::resolveProtectedScheduleRecordOrFail($record);
+
                                 Gate::authorize('forceDelete', $record);
 
                                 if (! $record->trashed()) {
@@ -706,7 +724,7 @@ public static function table(Table $table): Table
                             ->icon('heroicon-o-play')
                             ->color('success')
                             ->action(function (Collection $records, HasTable $livewire): void {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
 
                                 if (! $tenant instanceof Tenant) {
                                     Notification::make()
@@ -721,7 +739,7 @@ public static function table(Table $table): Table
                                     return;
                                 }
 
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $userId = auth()->id();
                                 $user = $userId ? User::query()->find($userId) : null;
                                 /** @var OperationRunService $operationRunService */
@@ -803,7 +821,7 @@ public static function table(Table $table): Table
                             ->icon('heroicon-o-arrow-path')
                             ->color('warning')
                             ->action(function (Collection $records, HasTable $livewire): void {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
 
                                 if (! $tenant instanceof Tenant) {
                                     Notification::make()
@@ -818,7 +836,7 @@ public static function table(Table $table): Table
                                     return;
                                 }
 
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $userId = auth()->id();
                                 $user = $userId ? User::query()->find($userId) : null;
                                 /** @var OperationRunService $operationRunService */
@@ -906,17 +924,32 @@ public static function table(Table $table): Table
 
     public static function getEloquentQuery(): Builder
     {
-        $tenantId = Tenant::currentOrFail()->getKey();
-
-        return parent::getEloquentQuery()
-            ->where('tenant_id', $tenantId)
+        return static::getTenantOwnedEloquentQuery()
             ->orderByDesc('is_enabled')
             ->orderBy('next_run_at');
     }
 
     public static function getRecordRouteBindingEloquentQuery(): Builder
     {
-        return static::getEloquentQuery()->withTrashed();
+        return static::scopeTenantOwnedQuery(parent::getEloquentQuery()->withTrashed())
+            ->orderByDesc('is_enabled')
+            ->orderBy('next_run_at');
+    }
+
+    public static function resolveScopedRecordOrFail(int|string $key): Model
+    {
+        return static::resolveTenantOwnedRecordOrFail($key, parent::getEloquentQuery()->withTrashed());
+    }
+
+    protected static function resolveProtectedScheduleRecordOrFail(BackupSchedule|int|string $record): BackupSchedule
+    {
+        $resolvedRecord = static::resolveScopedRecordOrFail($record instanceof Model ? $record->getKey() : $record);
+
+        if (! $resolvedRecord instanceof BackupSchedule) {
+            abort(404);
+        }
+
+        return $resolvedRecord;
     }
 
     public static function getRelations(): array
@@ -1027,7 +1060,7 @@ public static function ensurePolicyTypes(array $data): array
 
     public static function assignTenant(array $data): array
     {
-        $data['tenant_id'] = Tenant::currentOrFail()->getKey();
+        $data['tenant_id'] = static::resolveTenantContextForCurrentPanelOrFail()->getKey();
 
         return $data;
     }

app/Filament/Resources/BackupScheduleResource/Pages/EditBackupSchedule.php

@@ -5,7 +5,6 @@
 use App\Filament\Resources\BackupScheduleResource;
 use Filament\Resources\Pages\EditRecord;
 use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\ModelNotFoundException;
 
 class EditBackupSchedule extends EditRecord
 {
@@ -13,15 +12,7 @@ class EditBackupSchedule extends EditRecord
 
     protected function resolveRecord(int|string $key): Model
     {
-        $record = BackupScheduleResource::getEloquentQuery()
-            ->withTrashed()
-            ->find($key);
-
-        if ($record === null) {
-            throw (new ModelNotFoundException)->setModel(BackupScheduleResource::getModel(), [$key]);
-        }
-
-        return $record;
+        return BackupScheduleResource::resolveScopedRecordOrFail($key);
     }
 
     protected function mutateFormDataBeforeSave(array $data): array

app/Filament/Resources/BackupScheduleResource/Pages/ListBackupSchedules.php

@@ -3,12 +3,38 @@
 namespace App\Filament\Resources\BackupScheduleResource\Pages;
 
 use App\Filament\Resources\BackupScheduleResource;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
 use Filament\Resources\Pages\ListRecords;
+use Illuminate\Database\Eloquent\ModelNotFoundException;
 
 class ListBackupSchedules extends ListRecords
 {
     protected static string $resource = BackupScheduleResource::class;
 
+    /**
+     * @param  array<string, mixed>  $arguments
+     * @param  array<string, mixed>  $context
+     */
+    public function mountAction(string $name, array $arguments = [], array $context = []): mixed
+    {
+        if (($context['table'] ?? false) === true && filled($context['recordKey'] ?? null) && in_array($name, ['archive', 'restore', 'forceDelete'], true)) {
+            try {
+                BackupScheduleResource::resolveScopedRecordOrFail($context['recordKey']);
+            } catch (ModelNotFoundException) {
+                abort(404);
+            }
+        }
+
+        return parent::mountAction($name, $arguments, $context);
+    }
+
+    public function mount(): void
+    {
+        $this->syncCanonicalAdminTenantFilterState();
+
+        parent::mount();
+    }
+
     protected function getHeaderActions(): array
     {
         return [
@@ -28,4 +54,14 @@ private function tableHasRecords(): bool
     {
         return $this->getTableRecords()->count() > 0;
     }
+
+    private function syncCanonicalAdminTenantFilterState(): void
+    {
+        app(CanonicalAdminTenantFilterState::class)->sync(
+            $this->getTableFiltersSessionKey(),
+            tenantSensitiveFilters: [],
+            request: request(),
+            tenantFilterName: null,
+        );
+    }
 }

app/Filament/Resources/BackupScheduleResource/RelationManagers/BackupScheduleOperationRunsRelationManager.php

@@ -12,7 +12,7 @@
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
-use Filament\Actions;
+use Closure;
 use Filament\Resources\RelationManagers\RelationManager;
 use Filament\Tables;
 use Filament\Tables\Table;
@@ -28,8 +28,8 @@ public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
         return ActionSurfaceDeclaration::forRelationManager(ActionSurfaceProfile::RelationManager)
             ->exempt(ActionSurfaceSlot::ListHeader, 'Executions relation list has no header actions.')
-            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ViewAction->value)
-            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Single primary row action is exposed, so no row menu is needed.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Clickable-row inspection stays primary because this relation manager has no secondary row actions.')
             ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Bulk actions are intentionally omitted for operation run safety.')
             ->exempt(ActionSurfaceSlot::ListEmptyState, 'No empty-state actions are exposed in this embedded relation manager.');
     }
@@ -40,6 +40,12 @@ public function table(Table $table): Table
             ->modifyQueryUsing(fn (Builder $query) => $query->where('tenant_id', Tenant::currentOrFail()->getKey()))
             ->defaultSort('created_at', 'desc')
             ->paginated(\App\Support\Filament\TablePaginationProfiles::relationManager())
+            ->recordUrl(function (OperationRun $record): string {
+                $record = $this->resolveOwnerScopedOperationRun($record);
+                $tenant = Tenant::currentOrFail();
+
+                return OperationRunLinks::view($record, $tenant);
+            })
             ->columns([
                 Tables\Columns\TextColumn::make('created_at')
                     ->label('Enqueued')
@@ -48,7 +54,7 @@ public function table(Table $table): Table
 
                 Tables\Columns\TextColumn::make('type')
                     ->label('Type')
-                    ->formatStateUsing([OperationCatalog::class, 'label']),
+                    ->formatStateUsing(Closure::fromCallable([self::class, 'formatOperationType'])),
 
                 Tables\Columns\TextColumn::make('status')
                     ->badge()
@@ -82,19 +88,37 @@ public function table(Table $table): Table
             ])
             ->filters([])
             ->headerActions([])
-            ->actions([
-                Actions\Action::make('view')
-                    ->label('View')
-                    ->icon('heroicon-o-eye')
-                    ->url(function (OperationRun $record): string {
-                        $tenant = Tenant::currentOrFail();
-
-                        return OperationRunLinks::view($record, $tenant);
-                    })
-                    ->openUrlInNewTab(true),
-            ])
+            ->actions([])
             ->bulkActions([])
             ->emptyStateHeading('No schedule runs yet')
             ->emptyStateDescription('Operation history will appear here after this schedule has been enqueued.');
     }
+
+    private function resolveOwnerScopedOperationRun(mixed $record): OperationRun
+    {
+        $recordId = $record instanceof OperationRun
+            ? (int) $record->getKey()
+            : (is_numeric($record) ? (int) $record : 0);
+
+        if ($recordId <= 0) {
+            abort(404);
+        }
+
+        $resolvedRecord = $this->getOwnerRecord()
+            ->operationRuns()
+            ->where('tenant_id', Tenant::currentOrFail()->getKey())
+            ->whereKey($recordId)
+            ->first();
+
+        if (! $resolvedRecord instanceof OperationRun) {
+            abort(404);
+        }
+
+        return $resolvedRecord;
+    }
+
+    public static function formatOperationType(?string $state): string
+    {
+        return OperationCatalog::label($state);
+    }
 }

app/Filament/Resources/BackupSetResource.php

@@ -2,6 +2,8 @@
 
 namespace App\Filament\Resources;
 
+use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
+use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Filament\Resources\BackupSetResource\Pages;
 use App\Filament\Resources\BackupSetResource\RelationManagers\BackupItemsRelationManager;
 use App\Jobs\BulkBackupSetDeleteJob;
@@ -55,6 +57,9 @@
 
 class BackupSetResource extends Resource
 {
+    use InteractsWithTenantOwnedRecords;
+    use ResolvesPanelTenantContext;
+
     protected static ?string $model = BackupSet::class;
 
     protected static ?string $tenantOwnershipRelationshipName = 'tenant';
@@ -63,6 +68,15 @@ class BackupSetResource extends Resource
 
     protected static string|UnitEnum|null $navigationGroup = 'Backups & Restore';
 
+    public static function shouldRegisterNavigation(): bool
+    {
+        if (Filament::getCurrentPanel()?->getId() === 'admin') {
+            return false;
+        }
+
+        return parent::shouldRegisterNavigation();
+    }
+
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
         return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
@@ -76,7 +90,7 @@ public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
 
     public static function canViewAny(): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
         $user = auth()->user();
 
         if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -92,7 +106,7 @@ public static function canViewAny(): bool
 
     public static function canCreate(): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
         $user = auth()->user();
 
         if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -108,13 +122,12 @@ public static function canCreate(): bool
 
     public static function getEloquentQuery(): Builder
     {
-        $tenant = Filament::getTenant();
+        return static::getTenantOwnedEloquentQuery();
+    }
 
-        if (! $tenant instanceof Tenant) {
-            return parent::getEloquentQuery()->whereRaw('1 = 0');
-        }
-
-        return parent::getEloquentQuery()->where('tenant_id', (int) $tenant->getKey());
+    public static function resolveScopedRecordOrFail(int|string $key): \Illuminate\Database\Eloquent\Model
+    {
+        return static::resolveTenantOwnedRecordOrFail($key, parent::getEloquentQuery()->withTrashed());
     }
 
     public static function form(Schema $schema): Schema
@@ -182,7 +195,7 @@ public static function table(Table $table): Table
                             ->requiresConfirmation()
                             ->visible(fn (BackupSet $record): bool => $record->trashed())
                             ->action(function (BackupSet $record, AuditLogger $auditLogger) {
-                                $tenant = Filament::getTenant();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
 
                                 $record->restore();
                                 $record->items()->withTrashed()->restore();
@@ -215,7 +228,7 @@ public static function table(Table $table): Table
                             ->requiresConfirmation()
                             ->visible(fn (BackupSet $record): bool => ! $record->trashed())
                             ->action(function (BackupSet $record, AuditLogger $auditLogger) {
-                                $tenant = Filament::getTenant();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
 
                                 $record->delete();
 
@@ -247,7 +260,7 @@ public static function table(Table $table): Table
                             ->requiresConfirmation()
                             ->visible(fn (BackupSet $record): bool => $record->trashed())
                             ->action(function (BackupSet $record, AuditLogger $auditLogger) {
-                                $tenant = Filament::getTenant();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
 
                                 if ($record->restoreRuns()->withTrashed()->exists()) {
                                     Notification::make()
@@ -317,7 +330,7 @@ public static function table(Table $table): Table
                                 return [];
                             })
                             ->action(function (Collection $records) {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
                                 $count = $records->count();
                                 $ids = $records->pluck('id')->toArray();
@@ -387,7 +400,7 @@ public static function table(Table $table): Table
                             ->modalHeading(fn (Collection $records) => "Restore {$records->count()} backup sets?")
                             ->modalDescription('Archived backup sets will be restored back to the active list. Active backup sets will be skipped.')
                             ->action(function (Collection $records) {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
                                 $count = $records->count();
                                 $ids = $records->pluck('id')->toArray();
@@ -472,7 +485,7 @@ public static function table(Table $table): Table
                                 return [];
                             })
                             ->action(function (Collection $records) {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
                                 $count = $records->count();
                                 $ids = $records->pluck('id')->toArray();
@@ -622,7 +635,7 @@ private static function primaryRelatedEntry(BackupSet $record): ?RelatedContextE
     public static function createBackupSet(array $data): BackupSet
     {
         /** @var Tenant $tenant */
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         /** @var BackupService $service */
         $service = app(BackupService::class);

app/Filament/Resources/BackupSetResource/Pages/ListBackupSets.php

@@ -3,12 +3,24 @@
 namespace App\Filament\Resources\BackupSetResource\Pages;
 
 use App\Filament\Resources\BackupSetResource;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
 use Filament\Resources\Pages\ListRecords;
 
 class ListBackupSets extends ListRecords
 {
     protected static string $resource = BackupSetResource::class;
 
+    public function mount(): void
+    {
+        app(CanonicalAdminTenantFilterState::class)->sync(
+            $this->getTableFiltersSessionKey(),
+            request: request(),
+            tenantFilterName: null,
+        );
+
+        parent::mount();
+    }
+
     private function tableHasRecords(): bool
     {
         return $this->getTableRecords()->count() > 0;

app/Filament/Resources/BackupSetResource/Pages/ViewBackupSet.php

@@ -4,6 +4,7 @@
 
 namespace App\Filament\Resources\BackupSetResource\Pages;
 
+use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Filament\Resources\BackupSetResource;
 use App\Models\BackupSet;
 use App\Models\Tenant;
@@ -16,11 +17,19 @@
 use Filament\Actions\ActionGroup;
 use Filament\Notifications\Notification;
 use Filament\Resources\Pages\ViewRecord;
+use Illuminate\Database\Eloquent\Model;
 
 class ViewBackupSet extends ViewRecord
 {
+    use ResolvesPanelTenantContext;
+
     protected static string $resource = BackupSetResource::class;
 
+    protected function resolveRecord(int|string $key): Model
+    {
+        return BackupSetResource::resolveScopedRecordOrFail($key);
+    }
+
     protected function getHeaderActions(): array
     {
         $actions = [
@@ -79,7 +88,7 @@ private function restoreAction(): Action
                     ->success()
                     ->send();
 
-                $this->redirect(BackupSetResource::getUrl('view', ['record' => $record], tenant: Tenant::current()), navigate: true);
+                $this->redirect(BackupSetResource::getUrl('view', ['record' => $record], tenant: static::resolveTenantContextForCurrentPanel()), navigate: true);
             });
 
         UiEnforcement::forAction($action)
@@ -120,7 +129,7 @@ private function archiveAction(): Action
                     ->success()
                     ->send();
 
-                $this->redirect(BackupSetResource::getUrl('index', tenant: Tenant::current()), navigate: true);
+                $this->redirect(BackupSetResource::getUrl('index', tenant: static::resolveTenantContextForCurrentPanel()), navigate: true);
             });
 
         UiEnforcement::forAction($action)
@@ -172,7 +181,7 @@ private function forceDeleteAction(): Action
                     ->success()
                     ->send();
 
-                $this->redirect(BackupSetResource::getUrl('index', tenant: Tenant::current()), navigate: true);
+                $this->redirect(BackupSetResource::getUrl('index', tenant: static::resolveTenantContextForCurrentPanel()), navigate: true);
             });
 
         UiEnforcement::forAction($action)

app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php

@@ -6,6 +6,7 @@
 use App\Filament\Resources\PolicyVersionResource;
 use App\Jobs\RemovePoliciesFromBackupSetJob;
 use App\Models\BackupItem;
+use App\Models\BackupSet;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Services\OperationRunService;
@@ -21,6 +22,10 @@
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
 use App\Support\Rbac\UiEnforcement;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use Filament\Actions;
 use Filament\Resources\RelationManagers\RelationManager;
 use Filament\Tables;
@@ -43,6 +48,37 @@ public function closeAddPoliciesModal(): void
         $this->unmountAction();
     }
 
+    /**
+     * @param  array<string, mixed>  $arguments
+     * @param  array<string, mixed>  $context
+     */
+    public function mountAction(string $name, array $arguments = [], array $context = []): mixed
+    {
+        if (($context['table'] ?? false) === true) {
+            $backupSet = $this->getOwnerRecord();
+
+            if ($name === 'remove' && filled($context['recordKey'] ?? null)) {
+                $this->resolveOwnerScopedBackupItemId($backupSet, $context['recordKey']);
+            }
+
+            if ($name === 'bulk_remove' && ($context['bulk'] ?? false) === true) {
+                $this->resolveOwnerScopedBackupItemIdsFromKeys($backupSet, $this->selectedTableRecords);
+            }
+        }
+
+        return parent::mountAction($name, $arguments, $context);
+    }
+
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forRelationManager(ActionSurfaceProfile::RelationManager)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Refresh and Add Policies actions are available in the relation header.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Clickable-row inspection stays primary while Remove remains grouped under More.')
+            ->satisfy(ActionSurfaceSlot::ListBulkMoreGroup, 'Bulk remove remains grouped under More.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state exposes the Add Policies CTA.');
+    }
+
     public function table(Table $table): Table
     {
         $refreshTable = Actions\Action::make('refreshTable')
@@ -77,7 +113,7 @@ public function table(Table $table): Table
             ->color('danger')
             ->icon('heroicon-o-x-mark')
             ->requiresConfirmation()
-            ->action(function (BackupItem $record): void {
+            ->action(function (mixed $record): void {
                 $backupSet = $this->getOwnerRecord();
 
                 $user = auth()->user();
@@ -94,7 +130,7 @@ public function table(Table $table): Table
                     abort(404);
                 }
 
-                $backupItemIds = [(int) $record->getKey()];
+                $backupItemIds = [$this->resolveOwnerScopedBackupItemId($backupSet, $record)];
 
                 /** @var OperationRunService $opService */
                 $opService = app(OperationRunService::class);
@@ -173,14 +209,7 @@ public function table(Table $table): Table
                     abort(404);
                 }
 
-                $backupItemIds = $records
-                    ->pluck('id')
-                    ->map(fn (mixed $value): int => (int) $value)
-                    ->filter(fn (int $value): bool => $value > 0)
-                    ->unique()
-                    ->sort()
-                    ->values()
-                    ->all();
+                $backupItemIds = $this->resolveOwnerScopedBackupItemIdsFromKeys($backupSet, $this->selectedTableRecords);
 
                 if ($backupItemIds === []) {
                     return;
@@ -243,6 +272,7 @@ public function table(Table $table): Table
             ->persistFiltersInSession()
             ->persistSearchInSession()
             ->persistSortInSession()
+            ->recordUrl(fn (BackupItem $record): ?string => $this->backupItemInspectUrl($record))
             ->columns([
                 Tables\Columns\TextColumn::make('policy.display_name')
                     ->label('Item')
@@ -344,23 +374,6 @@ public function table(Table $table): Table
             ])
             ->actions([
                 Actions\ActionGroup::make([
-                    Actions\ViewAction::make()
-                        ->label(fn (BackupItem $record): string => $record->policy_version_id ? 'View version' : 'View policy')
-                        ->url(function (BackupItem $record): ?string {
-                            $tenant = $this->getOwnerRecord()->tenant ?? \App\Models\Tenant::current();
-
-                            if ($record->policy_version_id) {
-                                return PolicyVersionResource::getUrl('view', ['record' => $record->policy_version_id], tenant: $tenant);
-                            }
-
-                            if (! $record->policy_id) {
-                                return null;
-                            }
-
-                            return PolicyResource::getUrl('view', ['record' => $record->policy_id], tenant: $tenant);
-                        })
-                        ->hidden(fn (BackupItem $record) => ! $record->policy_version_id && ! $record->policy_id)
-                        ->openUrlInNewTab(true),
                     $removeItem,
                 ])
                     ->label('More')
@@ -434,4 +447,100 @@ private static function applyRestoreModeFilter(Builder $query, mixed $value): Bu
 
         return $query->whereIn('policy_type', $types);
     }
+
+    private function backupItemInspectUrl(BackupItem $record): ?string
+    {
+        $backupSet = $this->getOwnerRecord();
+        $resolvedId = $this->resolveOwnerScopedBackupItemId($backupSet, $record);
+
+        $resolvedRecord = $backupSet->items()
+            ->with(['policy', 'policyVersion', 'policyVersion.policy'])
+            ->where('tenant_id', (int) $backupSet->tenant_id)
+            ->whereKey($resolvedId)
+            ->first();
+
+        if (! $resolvedRecord instanceof BackupItem) {
+            abort(404);
+        }
+
+        $tenant = $backupSet->tenant ?? Tenant::current();
+
+        if (! $tenant instanceof Tenant) {
+            return null;
+        }
+
+        if ($resolvedRecord->policy_version_id) {
+            return PolicyVersionResource::getUrl('view', ['record' => $resolvedRecord->policy_version_id], tenant: $tenant);
+        }
+
+        if (! $resolvedRecord->policy_id) {
+            return null;
+        }
+
+        return PolicyResource::getUrl('view', ['record' => $resolvedRecord->policy_id], tenant: $tenant);
+    }
+
+    private function resolveOwnerScopedBackupItemId(BackupSet $backupSet, mixed $record): int
+    {
+        $recordId = $this->normalizeBackupItemKey($record);
+
+        if ($recordId <= 0) {
+            abort(404);
+        }
+
+        $resolvedId = $backupSet->items()
+            ->where('tenant_id', (int) $backupSet->tenant_id)
+            ->whereKey($recordId)
+            ->value('id');
+
+        if (! is_numeric($resolvedId) || (int) $resolvedId <= 0) {
+            abort(404);
+        }
+
+        return (int) $resolvedId;
+    }
+
+    /**
+     * @return array<int, int>
+     */
+    private function resolveOwnerScopedBackupItemIdsFromKeys(BackupSet $backupSet, array $recordKeys): array
+    {
+        $requestedIds = collect($recordKeys)
+            ->map(fn (mixed $record): int => $this->normalizeBackupItemKey($record))
+            ->filter(fn (int $value): bool => $value > 0)
+            ->unique()
+            ->sort()
+            ->values()
+            ->all();
+
+        if ($requestedIds === []) {
+            return [];
+        }
+
+        $resolvedIds = $backupSet->items()
+            ->where('tenant_id', (int) $backupSet->tenant_id)
+            ->whereIn('id', $requestedIds)
+            ->pluck('id')
+            ->map(fn (mixed $value): int => (int) $value)
+            ->filter(fn (int $value): bool => $value > 0)
+            ->unique()
+            ->sort()
+            ->values()
+            ->all();
+
+        if (count($resolvedIds) !== count($requestedIds)) {
+            abort(404);
+        }
+
+        return $resolvedIds;
+    }
+
+    private function normalizeBackupItemKey(mixed $record): int
+    {
+        if ($record instanceof BackupItem) {
+            return (int) $record->getKey();
+        }
+
+        return is_numeric($record) ? (int) $record : 0;
+    }
 }

app/Filament/Resources/BaselineProfileResource.php

@@ -6,28 +6,37 @@
 
 use App\Filament\Resources\BaselineProfileResource\Pages;
 use App\Models\BaselineProfile;
+use App\Models\BaselineSnapshot;
+use App\Models\BaselineTenantAssignment;
+use App\Models\Tenant;
 use App\Models\User;
 use App\Models\Workspace;
 use App\Services\Audit\WorkspaceAuditLogger;
+use App\Services\Auth\CapabilityResolver;
+use App\Services\Baselines\BaselineSnapshotTruthResolver;
 use App\Support\Audit\AuditActionId;
 use App\Support\Auth\Capabilities;
+use App\Support\Badges\BadgeCatalog;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
 use App\Support\Baselines\BaselineCaptureMode;
 use App\Support\Baselines\BaselineFullContentRolloutGate;
 use App\Support\Baselines\BaselineProfileStatus;
+use App\Support\Baselines\BaselineReasonCodes;
 use App\Support\Filament\FilterOptionCatalog;
 use App\Support\Inventory\InventoryPolicyTypeMeta;
 use App\Support\Rbac\WorkspaceUiEnforcement;
+use App\Support\ReasonTranslation\ReasonPresenter;
+use App\Support\ReasonTranslation\ReasonResolutionEnvelope;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions\Action;
 use Filament\Actions\ActionGroup;
-use Filament\Actions\BulkActionGroup;
 use Filament\Facades\Filament;
 use Filament\Forms\Components\Placeholder;
 use Filament\Forms\Components\Select;
@@ -120,10 +129,10 @@ public static function canView(Model $record): bool
 
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
-        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
+        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView, ActionSurfaceType::CrudListFirstResource)
             ->satisfy(ActionSurfaceSlot::ListHeader, 'Header action: Create baseline profile (capability-gated).')
-            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ViewAction->value)
-            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Secondary row actions (edit, archive) under "More".')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Clickable-row inspection stays primary while Edit leads and archive trails inside "More".')
             ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'No bulk mutations for baseline profiles in v1.')
             ->satisfy(ActionSurfaceSlot::ListEmptyState, 'List defines empty-state create CTA.')
             ->satisfy(ActionSurfaceSlot::DetailHeader, 'View page provides capture + edit actions.');
@@ -288,15 +297,32 @@ public static function infolist(Schema $schema): Schema
                             ->placeholder('None'),
                     ])
                     ->columnSpanFull(),
+                Section::make('Baseline truth')
+                    ->schema([
+                        TextEntry::make('current_snapshot_truth')
+                            ->label('Current snapshot')
+                            ->state(fn (BaselineProfile $record): string => self::currentSnapshotLabel($record)),
+                        TextEntry::make('latest_attempted_snapshot_truth')
+                            ->label('Latest attempt')
+                            ->state(fn (BaselineProfile $record): string => self::latestAttemptedSnapshotLabel($record)),
+                        TextEntry::make('compare_readiness')
+                            ->label('Compare readiness')
+                            ->badge()
+                            ->state(fn (BaselineProfile $record): string => self::compareReadinessLabel($record))
+                            ->color(fn (BaselineProfile $record): string => self::compareReadinessColor($record))
+                            ->icon(fn (BaselineProfile $record): ?string => self::compareReadinessIcon($record)),
+                        TextEntry::make('baseline_next_step')
+                            ->label('Next step')
+                            ->state(fn (BaselineProfile $record): string => self::profileNextStep($record))
+                            ->columnSpanFull(),
+                    ])
+                    ->columns(2)
+                    ->columnSpanFull(),
                 Section::make('Metadata')
                     ->schema([
                         TextEntry::make('createdByUser.name')
                             ->label('Created by')
                             ->placeholder('—'),
-                        TextEntry::make('activeSnapshot.captured_at')
-                            ->label('Last snapshot')
-                            ->dateTime()
-                            ->placeholder('No snapshot yet'),
                         TextEntry::make('created_at')
                             ->dateTime(),
                         TextEntry::make('updated_at')
@@ -314,6 +340,7 @@ public static function table(Table $table): Table
         return $table
             ->defaultSort('name')
             ->paginated(\App\Support\Filament\TablePaginationProfiles::resource())
+            ->recordUrl(fn (BaselineProfile $record): string => static::getUrl('view', ['record' => $record]))
             ->columns([
                 TextColumn::make('name')
                     ->searchable()
@@ -355,10 +382,27 @@ public static function table(Table $table): Table
                 TextColumn::make('tenant_assignments_count')
                     ->label('Assigned tenants')
                     ->counts('tenantAssignments'),
-                TextColumn::make('activeSnapshot.captured_at')
-                    ->label('Last snapshot')
-                    ->dateTime()
-                    ->placeholder('No snapshot'),
+                TextColumn::make('current_snapshot_truth')
+                    ->label('Current snapshot')
+                    ->getStateUsing(fn (BaselineProfile $record): string => self::currentSnapshotLabel($record))
+                    ->description(fn (BaselineProfile $record): ?string => self::currentSnapshotDescription($record))
+                    ->wrap(),
+                TextColumn::make('latest_attempted_snapshot_truth')
+                    ->label('Latest attempt')
+                    ->getStateUsing(fn (BaselineProfile $record): string => self::latestAttemptedSnapshotLabel($record))
+                    ->description(fn (BaselineProfile $record): ?string => self::latestAttemptedSnapshotDescription($record))
+                    ->wrap(),
+                TextColumn::make('compare_readiness')
+                    ->label('Compare readiness')
+                    ->badge()
+                    ->getStateUsing(fn (BaselineProfile $record): string => self::compareReadinessLabel($record))
+                    ->color(fn (BaselineProfile $record): string => self::compareReadinessColor($record))
+                    ->icon(fn (BaselineProfile $record): ?string => self::compareReadinessIcon($record))
+                    ->wrap(),
+                TextColumn::make('baseline_next_step')
+                    ->label('Next step')
+                    ->getStateUsing(fn (BaselineProfile $record): string => self::profileNextStep($record))
+                    ->wrap(),
                 TextColumn::make('created_at')
                     ->dateTime()
                     ->sortable()
@@ -369,10 +413,6 @@ public static function table(Table $table): Table
                     ->options(FilterOptionCatalog::baselineProfileStatuses()),
             ])
             ->actions([
-                Action::make('view')
-                    ->label('View')
-                    ->url(fn (BaselineProfile $record): string => static::getUrl('view', ['record' => $record]))
-                    ->icon('heroicon-o-eye'),
                 ActionGroup::make([
                     Action::make('edit')
                         ->label('Edit')
@@ -382,9 +422,7 @@ public static function table(Table $table): Table
                     self::archiveTableAction($workspace),
                 ])->label('More'),
             ])
-            ->bulkActions([
-                BulkActionGroup::make([])->label('More'),
-            ])
+            ->bulkActions([])
             ->emptyStateHeading('No baseline profiles')
             ->emptyStateDescription('Create a baseline profile to define what "good" looks like for your tenants.')
             ->emptyStateActions([
@@ -545,4 +583,167 @@ private static function archiveTableAction(?Workspace $workspace): Action
 
         return $action;
     }
+
+    private static function currentSnapshotLabel(BaselineProfile $profile): string
+    {
+        $snapshot = self::effectiveSnapshot($profile);
+
+        if (! $snapshot instanceof BaselineSnapshot) {
+            return 'No complete snapshot';
+        }
+
+        return self::snapshotReference($snapshot);
+    }
+
+    private static function currentSnapshotDescription(BaselineProfile $profile): ?string
+    {
+        $snapshot = self::effectiveSnapshot($profile);
+
+        if (! $snapshot instanceof BaselineSnapshot) {
+            return self::compareAvailabilityEnvelope($profile)?->shortExplanation;
+        }
+
+        return $snapshot->captured_at?->toDayDateTimeString();
+    }
+
+    private static function latestAttemptedSnapshotLabel(BaselineProfile $profile): string
+    {
+        $latestAttempt = self::latestAttemptedSnapshot($profile);
+
+        if (! $latestAttempt instanceof BaselineSnapshot) {
+            return 'No capture attempts yet';
+        }
+
+        $effectiveSnapshot = self::effectiveSnapshot($profile);
+
+        if ($effectiveSnapshot instanceof BaselineSnapshot && (int) $effectiveSnapshot->getKey() === (int) $latestAttempt->getKey()) {
+            return 'Matches current snapshot';
+        }
+
+        return self::snapshotReference($latestAttempt);
+    }
+
+    private static function latestAttemptedSnapshotDescription(BaselineProfile $profile): ?string
+    {
+        $latestAttempt = self::latestAttemptedSnapshot($profile);
+
+        if (! $latestAttempt instanceof BaselineSnapshot) {
+            return null;
+        }
+
+        $effectiveSnapshot = self::effectiveSnapshot($profile);
+
+        if ($effectiveSnapshot instanceof BaselineSnapshot && (int) $effectiveSnapshot->getKey() === (int) $latestAttempt->getKey()) {
+            return 'No newer attempt is pending.';
+        }
+
+        return $latestAttempt->captured_at?->toDayDateTimeString();
+    }
+
+    private static function compareReadinessLabel(BaselineProfile $profile): string
+    {
+        return self::compareAvailabilityEnvelope($profile)?->operatorLabel ?? 'Ready';
+    }
+
+    private static function compareReadinessColor(BaselineProfile $profile): string
+    {
+        return match (self::compareAvailabilityReason($profile)) {
+            null => 'success',
+            BaselineReasonCodes::COMPARE_PROFILE_NOT_ACTIVE => 'gray',
+            default => 'warning',
+        };
+    }
+
+    private static function compareReadinessIcon(BaselineProfile $profile): ?string
+    {
+        return match (self::compareAvailabilityReason($profile)) {
+            null => 'heroicon-m-check-badge',
+            BaselineReasonCodes::COMPARE_PROFILE_NOT_ACTIVE => 'heroicon-m-pause-circle',
+            default => 'heroicon-m-exclamation-triangle',
+        };
+    }
+
+    private static function profileNextStep(BaselineProfile $profile): string
+    {
+        return self::compareAvailabilityEnvelope($profile)?->guidanceText() ?? 'No action needed.';
+    }
+
+    private static function effectiveSnapshot(BaselineProfile $profile): ?BaselineSnapshot
+    {
+        return app(BaselineSnapshotTruthResolver::class)->resolveEffectiveSnapshot($profile);
+    }
+
+    private static function latestAttemptedSnapshot(BaselineProfile $profile): ?BaselineSnapshot
+    {
+        return app(BaselineSnapshotTruthResolver::class)->resolveLatestAttemptedSnapshot($profile);
+    }
+
+    private static function compareAvailabilityReason(BaselineProfile $profile): ?string
+    {
+        $status = $profile->status instanceof BaselineProfileStatus
+            ? $profile->status
+            : BaselineProfileStatus::tryFrom((string) $profile->status);
+
+        if ($status !== BaselineProfileStatus::Active) {
+            return BaselineReasonCodes::COMPARE_PROFILE_NOT_ACTIVE;
+        }
+
+        $resolution = app(BaselineSnapshotTruthResolver::class)->resolveCompareSnapshot($profile);
+        $reasonCode = $resolution['reason_code'] ?? null;
+
+        if (is_string($reasonCode) && trim($reasonCode) !== '') {
+            return trim($reasonCode);
+        }
+
+        if (! self::hasEligibleCompareTarget($profile)) {
+            return BaselineReasonCodes::COMPARE_NO_ELIGIBLE_TARGET;
+        }
+
+        return null;
+    }
+
+    private static function compareAvailabilityEnvelope(BaselineProfile $profile): ?ReasonResolutionEnvelope
+    {
+        $reasonCode = self::compareAvailabilityReason($profile);
+
+        if (! is_string($reasonCode)) {
+            return null;
+        }
+
+        return app(ReasonPresenter::class)->forArtifactTruth($reasonCode, 'artifact_truth');
+    }
+
+    private static function snapshotReference(BaselineSnapshot $snapshot): string
+    {
+        $lifecycleLabel = BadgeCatalog::spec(BadgeDomain::BaselineSnapshotLifecycle, $snapshot->lifecycleState()->value)->label;
+
+        return sprintf('Snapshot #%d (%s)', (int) $snapshot->getKey(), $lifecycleLabel);
+    }
+
+    private static function hasEligibleCompareTarget(BaselineProfile $profile): bool
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            return false;
+        }
+
+        $tenantIds = BaselineTenantAssignment::query()
+            ->where('workspace_id', (int) $profile->workspace_id)
+            ->where('baseline_profile_id', (int) $profile->getKey())
+            ->pluck('tenant_id')
+            ->all();
+
+        if ($tenantIds === []) {
+            return false;
+        }
+
+        $resolver = app(CapabilityResolver::class);
+
+        return Tenant::query()
+            ->where('workspace_id', (int) $profile->workspace_id)
+            ->whereIn('id', $tenantIds)
+            ->get(['id'])
+            ->contains(fn (Tenant $tenant): bool => $resolver->can($user, $tenant, Capabilities::TENANT_SYNC));
+    }
 }

app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php

@@ -183,7 +183,7 @@ private function compareNowAction(): Action
 
         $modalDescription = $captureMode === BaselineCaptureMode::FullContent
             ? 'Select the target tenant. This will refresh content evidence on demand (redacted) before comparing.'
-            : 'Select the target tenant to compare its current inventory against the active baseline snapshot.';
+            : 'Select the target tenant to compare its current inventory against the effective current baseline snapshot.';
 
         return Action::make('compareNow')
             ->label($label)
@@ -198,7 +198,7 @@ private function compareNowAction(): Action
                     ->required()
                     ->searchable(),
             ])
-            ->disabled(fn (): bool => $this->getEligibleCompareTenantOptions() === [])
+            ->disabled(fn (): bool => $this->getEligibleCompareTenantOptions() === [] || ! $this->profileHasConsumableSnapshot())
             ->action(function (array $data): void {
                 $user = auth()->user();
 
@@ -256,7 +256,11 @@ private function compareNowAction(): Action
                     $message = match ($reasonCode) {
                         BaselineReasonCodes::COMPARE_ROLLOUT_DISABLED => 'Full-content baseline compare is currently disabled for controlled rollout.',
                         BaselineReasonCodes::COMPARE_PROFILE_NOT_ACTIVE => 'This baseline profile is not active.',
-                        BaselineReasonCodes::COMPARE_NO_ACTIVE_SNAPSHOT => 'This baseline profile has no active snapshot.',
+                        BaselineReasonCodes::COMPARE_NO_ACTIVE_SNAPSHOT,
+                        BaselineReasonCodes::COMPARE_NO_CONSUMABLE_SNAPSHOT => 'This baseline profile has no complete snapshot available for compare yet.',
+                        BaselineReasonCodes::COMPARE_SNAPSHOT_BUILDING => 'The latest baseline capture is still building. Compare will be available after it completes.',
+                        BaselineReasonCodes::COMPARE_SNAPSHOT_INCOMPLETE => 'The latest baseline capture is incomplete. Capture a new baseline before comparing.',
+                        BaselineReasonCodes::COMPARE_SNAPSHOT_SUPERSEDED => 'A newer complete snapshot is current. Compare uses the latest complete baseline only.',
                         default => 'Reason: '.str_replace('.', ' ', $reasonCode),
                     };
 
@@ -395,4 +399,12 @@ private function hasManageCapability(): bool
         return $resolver->isMember($user, $workspace)
             && $resolver->can($user, $workspace, Capabilities::WORKSPACE_BASELINES_MANAGE);
     }
+
+    private function profileHasConsumableSnapshot(): bool
+    {
+        /** @var BaselineProfile $profile */
+        $profile = $this->getRecord();
+
+        return $profile->resolveCurrentConsumableSnapshot() !== null;
+    }
 }

app/Filament/Resources/BaselineSnapshotResource.php

@@ -9,7 +9,12 @@
 use App\Models\BaselineSnapshot;
 use App\Models\User;
 use App\Models\Workspace;
+use App\Services\Baselines\BaselineSnapshotTruthResolver;
+use App\Services\Baselines\SnapshotRendering\FidelityState;
 use App\Support\Auth\Capabilities;
+use App\Support\Badges\BadgeCatalog;
+use App\Support\Badges\BadgeDomain;
+use App\Support\Baselines\BaselineSnapshotLifecycleState;
 use App\Support\Filament\FilterPresets;
 use App\Support\Navigation\CrossResourceNavigationMatrix;
 use App\Support\Navigation\RelatedContextEntry;
@@ -18,6 +23,9 @@
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
+use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthEnvelope;
+use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthPresenter;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions\Action;
@@ -113,7 +121,7 @@ public static function canView(Model $record): bool
 
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
-        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
+        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView, ActionSurfaceType::ReadOnlyRegistryReport)
             ->exempt(ActionSurfaceSlot::ListHeader, 'Snapshots are created by capture runs; no list-header actions.')
             ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
             ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Snapshots are immutable; rows navigate directly to the detail page.')
@@ -165,15 +173,39 @@ public static function table(Table $table): Table
                     ->label('Captured')
                     ->since()
                     ->sortable(),
+                TextColumn::make('artifact_truth')
+                    ->label('Artifact truth')
+                    ->badge()
+                    ->getStateUsing(static fn (BaselineSnapshot $record): string => self::truthEnvelope($record)->primaryLabel)
+                    ->color(static fn (BaselineSnapshot $record): string => self::truthEnvelope($record)->primaryBadgeSpec()->color)
+                    ->icon(static fn (BaselineSnapshot $record): ?string => self::truthEnvelope($record)->primaryBadgeSpec()->icon)
+                    ->iconColor(static fn (BaselineSnapshot $record): ?string => self::truthEnvelope($record)->primaryBadgeSpec()->iconColor)
+                    ->description(static fn (BaselineSnapshot $record): ?string => self::truthEnvelope($record)->operatorExplanation?->headline ?? self::truthEnvelope($record)->primaryExplanation)
+                    ->wrap(),
+                TextColumn::make('lifecycle_state')
+                    ->label('Lifecycle')
+                    ->badge()
+                    ->getStateUsing(static fn (BaselineSnapshot $record): string => self::lifecycleSpec($record)->label)
+                    ->color(static fn (BaselineSnapshot $record): string => self::lifecycleSpec($record)->color)
+                    ->icon(static fn (BaselineSnapshot $record): ?string => self::lifecycleSpec($record)->icon)
+                    ->iconColor(static fn (BaselineSnapshot $record): ?string => self::lifecycleSpec($record)->iconColor)
+                    ->sortable(),
+                TextColumn::make('current_truth')
+                    ->label('Current truth')
+                    ->badge()
+                    ->getStateUsing(static fn (BaselineSnapshot $record): string => self::currentTruthLabel($record))
+                    ->color(static fn (BaselineSnapshot $record): string => self::currentTruthColor($record))
+                    ->icon(static fn (BaselineSnapshot $record): ?string => self::currentTruthIcon($record))
+                    ->description(static fn (BaselineSnapshot $record): ?string => self::currentTruthDescription($record))
+                    ->wrap(),
                 TextColumn::make('fidelity_summary')
                     ->label('Fidelity')
                     ->getStateUsing(static fn (BaselineSnapshot $record): string => self::fidelitySummary($record))
                     ->wrap(),
-                TextColumn::make('snapshot_state')
-                    ->label('State')
-                    ->badge()
-                    ->getStateUsing(static fn (BaselineSnapshot $record): string => self::stateLabel($record))
-                    ->color(static fn (BaselineSnapshot $record): string => self::hasGaps($record) ? 'warning' : 'success'),
+                TextColumn::make('artifact_next_step')
+                    ->label('Next step')
+                    ->getStateUsing(static fn (BaselineSnapshot $record): string => self::truthEnvelope($record)->operatorExplanation?->nextActionText ?? self::truthEnvelope($record)->nextStepText())
+                    ->wrap(),
             ])
             ->recordUrl(static fn (BaselineSnapshot $record): ?string => static::canView($record)
                 ? static::getUrl('view', ['record' => $record])
@@ -183,10 +215,10 @@ public static function table(Table $table): Table
                     ->label('Baseline')
                     ->options(static::baselineProfileOptions())
                     ->searchable(),
-                SelectFilter::make('snapshot_state')
-                    ->label('State')
-                    ->options(static::snapshotStateOptions())
-                    ->query(fn (Builder $query, array $data): Builder => static::applySnapshotStateFilter($query, $data['value'] ?? null)),
+                SelectFilter::make('lifecycle_state')
+                    ->label('Lifecycle')
+                    ->options(static::lifecycleOptions())
+                    ->query(fn (Builder $query, array $data): Builder => static::applyLifecycleFilter($query, $data['value'] ?? null)),
                 FilterPresets::dateRange('captured_at', 'Captured', 'captured_at'),
             ])
             ->actions([
@@ -247,12 +279,9 @@ private static function baselineProfileOptions(): array
     /**
      * @return array<string, string>
      */
-    private static function snapshotStateOptions(): array
+    private static function lifecycleOptions(): array
     {
-        return [
-            'complete' => 'Complete',
-            'with_gaps' => 'Captured with gaps',
-        ];
+        return BadgeCatalog::options(BadgeDomain::BaselineSnapshotLifecycle, BaselineSnapshotLifecycleState::values());
     }
 
     public static function resolveWorkspace(): ?Workspace
@@ -290,7 +319,13 @@ private static function fidelitySummary(BaselineSnapshot $snapshot): string
     {
         $counts = self::fidelityCounts($snapshot);
 
-        return sprintf('Content %d, Meta %d', (int) ($counts['content'] ?? 0), (int) ($counts['meta'] ?? 0));
+        return sprintf(
+            '%s %d, %s %d',
+            BadgeCatalog::spec(BadgeDomain::BaselineSnapshotFidelity, FidelityState::Full->value)->label,
+            (int) ($counts['content'] ?? 0),
+            BadgeCatalog::spec(BadgeDomain::BaselineSnapshotFidelity, FidelityState::ReferenceOnly->value)->label,
+            (int) ($counts['meta'] ?? 0),
+        );
     }
 
     private static function gapsCount(BaselineSnapshot $snapshot): int
@@ -298,6 +333,17 @@ private static function gapsCount(BaselineSnapshot $snapshot): int
         $summary = self::summary($snapshot);
         $gaps = $summary['gaps'] ?? null;
         $gaps = is_array($gaps) ? $gaps : [];
+        $byReason = is_array($gaps['by_reason'] ?? null) ? $gaps['by_reason'] : [];
+
+        if ($byReason !== []) {
+            return array_sum(array_map(
+                static fn (mixed $count, string $reason): int => in_array($reason, ['meta_fallback'], true) || ! is_numeric($count)
+                    ? 0
+                    : (int) $count,
+                $byReason,
+                array_keys($byReason),
+            ));
+        }
 
         $count = $gaps['count'] ?? 0;
 
@@ -309,32 +355,90 @@ private static function hasGaps(BaselineSnapshot $snapshot): bool
         return self::gapsCount($snapshot) > 0;
     }
 
-    private static function stateLabel(BaselineSnapshot $snapshot): string
+    private static function lifecycleSpec(BaselineSnapshot $snapshot): \App\Support\Badges\BadgeSpec
     {
-        return self::hasGaps($snapshot) ? 'Captured with gaps' : 'Complete';
+        return BadgeCatalog::spec(BadgeDomain::BaselineSnapshotLifecycle, $snapshot->lifecycleState()->value);
     }
 
-    private static function applySnapshotStateFilter(Builder $query, mixed $value): Builder
+    private static function applyLifecycleFilter(Builder $query, mixed $value): Builder
     {
         if (! is_string($value) || trim($value) === '') {
             return $query;
         }
 
-        $gapCountExpression = self::gapCountExpression($query);
-
-        return match ($value) {
-            'complete' => $query->whereRaw("{$gapCountExpression} = 0"),
-            'with_gaps' => $query->whereRaw("{$gapCountExpression} > 0"),
-            default => $query,
-        };
+        return $query->where('lifecycle_state', trim($value));
     }
 
     private static function gapCountExpression(Builder $query): string
     {
         return match ($query->getConnection()->getDriverName()) {
-            'sqlite' => "COALESCE(CAST(json_extract(summary_jsonb, '$.gaps.count') AS INTEGER), 0)",
-            'pgsql' => "COALESCE((summary_jsonb #>> '{gaps,count}')::int, 0)",
-            default => "COALESCE(CAST(JSON_EXTRACT(summary_jsonb, '$.gaps.count') AS UNSIGNED), 0)",
+            'sqlite' => "MAX(0, COALESCE(CAST(json_extract(summary_jsonb, '$.gaps.count') AS INTEGER), 0) - COALESCE(CAST(json_extract(summary_jsonb, '$.gaps.by_reason.meta_fallback') AS INTEGER), 0))",
+            'pgsql' => "GREATEST(0, COALESCE((summary_jsonb #>> '{gaps,count}')::int, 0) - COALESCE((summary_jsonb #>> '{gaps,by_reason,meta_fallback}')::int, 0))",
+            default => "GREATEST(0, COALESCE(CAST(JSON_EXTRACT(summary_jsonb, '$.gaps.count') AS SIGNED), 0) - COALESCE(CAST(JSON_EXTRACT(summary_jsonb, '$.gaps.by_reason.meta_fallback') AS SIGNED), 0))",
         };
     }
+
+    private static function gapSpec(BaselineSnapshot $snapshot): \App\Support\Badges\BadgeSpec
+    {
+        return BadgeCatalog::spec(
+            BadgeDomain::BaselineSnapshotGapStatus,
+            self::hasGaps($snapshot) ? 'gaps_present' : 'clear',
+        );
+    }
+
+    private static function truthEnvelope(BaselineSnapshot $snapshot, bool $fresh = false): ArtifactTruthEnvelope
+    {
+        $presenter = app(ArtifactTruthPresenter::class);
+
+        return $fresh
+            ? $presenter->forBaselineSnapshotFresh($snapshot)
+            : $presenter->forBaselineSnapshot($snapshot);
+    }
+
+    private static function currentTruthLabel(BaselineSnapshot $snapshot): string
+    {
+        return match (self::currentTruthState($snapshot)) {
+            'current' => 'Current baseline',
+            'historical' => 'Historical trace',
+            default => 'Not compare input',
+        };
+    }
+
+    private static function currentTruthDescription(BaselineSnapshot $snapshot): ?string
+    {
+        return match (self::currentTruthState($snapshot)) {
+            'current' => 'Compare resolves to this snapshot as the current baseline truth.',
+            'historical' => 'A newer complete snapshot is now the current baseline truth for this profile.',
+            default => self::truthEnvelope($snapshot)->primaryExplanation,
+        };
+    }
+
+    private static function currentTruthColor(BaselineSnapshot $snapshot): string
+    {
+        return match (self::currentTruthState($snapshot)) {
+            'current' => 'success',
+            'historical' => 'gray',
+            default => 'warning',
+        };
+    }
+
+    private static function currentTruthIcon(BaselineSnapshot $snapshot): ?string
+    {
+        return match (self::currentTruthState($snapshot)) {
+            'current' => 'heroicon-m-check-badge',
+            'historical' => 'heroicon-m-clock',
+            default => 'heroicon-m-exclamation-triangle',
+        };
+    }
+
+    private static function currentTruthState(BaselineSnapshot $snapshot): string
+    {
+        if (! $snapshot->isConsumable()) {
+            return 'unusable';
+        }
+
+        return app(BaselineSnapshotTruthResolver::class)->isHistoricallySuperseded($snapshot)
+            ? 'historical'
+            : 'current';
+    }
 }

app/Filament/Resources/BaselineSnapshotResource/Pages/ViewBaselineSnapshot.php

@@ -35,6 +35,8 @@ public function mount(int|string $record): void
         $snapshot = $this->getRecord();
 
         if ($snapshot instanceof BaselineSnapshot) {
+            $snapshot->loadMissing(['baselineProfile', 'items']);
+
             $relatedContext = app(RelatedNavigationResolver::class)
                 ->detailEntries(CrossResourceNavigationMatrix::SOURCE_BASELINE_SNAPSHOT, $snapshot);
 

app/Filament/Resources/EntraGroupResource.php

@@ -2,6 +2,9 @@
 
 namespace App\Filament\Resources;
 
+use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
+use App\Filament\Concerns\ResolvesPanelTenantContext;
+use App\Filament\Concerns\ScopesGlobalSearchToTenant;
 use App\Filament\Resources\EntraGroupResource\Pages;
 use App\Models\EntraGroup;
 use App\Models\Tenant;
@@ -17,6 +20,7 @@
 use App\Support\Ui\EnterpriseDetail\EnterpriseDetailSectionFactory;
 use App\Support\Ui\EnterpriseDetail\SummaryHeaderData;
 use BackedEnum;
+use Filament\Facades\Filament;
 use Filament\Infolists\Components\ViewEntry;
 use Filament\Resources\Resource;
 use Filament\Schemas\Schema;
@@ -24,21 +28,39 @@
 use Filament\Tables\Filters\SelectFilter;
 use Filament\Tables\Table;
 use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Carbon;
 use UnitEnum;
 
 class EntraGroupResource extends Resource
 {
+    use InteractsWithTenantOwnedRecords;
+    use ResolvesPanelTenantContext;
+    use ScopesGlobalSearchToTenant;
+
     protected static bool $isScopedToTenant = false;
 
     protected static ?string $model = EntraGroup::class;
 
+    protected static ?string $tenantOwnershipRelationshipName = 'tenant';
+
+    protected static ?string $recordTitleAttribute = 'display_name';
+
     protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-user-group';
 
     protected static string|UnitEnum|null $navigationGroup = 'Directory';
 
     protected static ?string $navigationLabel = 'Groups';
 
+    public static function shouldRegisterNavigation(): bool
+    {
+        if (Filament::getCurrentPanel()?->getId() === 'admin') {
+            return false;
+        }
+
+        return parent::shouldRegisterNavigation();
+    }
+
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
         return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
@@ -75,13 +97,8 @@ public static function table(Table $table): Table
             ->persistFiltersInSession()
             ->persistSearchInSession()
             ->persistSortInSession()
-            ->modifyQueryUsing(function (Builder $query): Builder {
-                $tenantId = Tenant::current()?->getKey();
-
-                return $query->when($tenantId, fn (Builder $q) => $q->where('tenant_id', $tenantId));
-            })
             ->recordUrl(static fn (EntraGroup $record): ?string => static::canView($record)
-                ? static::getUrl('view', ['record' => $record])
+                ? static::scopedUrl('view', ['record' => $record], static::panelTenantContext())
                 : null)
             ->columns([
                 Tables\Columns\TextColumn::make('display_name')
@@ -176,7 +193,22 @@ public static function table(Table $table): Table
 
     public static function getEloquentQuery(): Builder
     {
-        return parent::getEloquentQuery()->latest('id');
+        return static::getTenantOwnedEloquentQuery()
+            ->latest('id');
+    }
+
+    public static function resolveScopedRecordOrFail(int|string $key): Model
+    {
+        return static::resolveTenantOwnedRecordOrFail($key);
+    }
+
+    public static function getGlobalSearchResultUrl(Model $record): string
+    {
+        $tenant = $record instanceof EntraGroup && $record->tenant instanceof Tenant
+            ? $record->tenant
+            : static::panelTenantContext();
+
+        return static::scopedUrl('view', ['record' => $record], $tenant);
     }
 
     public static function getPages(): array
@@ -187,6 +219,20 @@ public static function getPages(): array
         ];
     }
 
+    /**
+     * @param  array<string, mixed>  $parameters
+     */
+    public static function scopedUrl(
+        string $page = 'index',
+        array $parameters = [],
+        ?Tenant $tenant = null,
+        ?string $panel = null,
+    ): string {
+        $panelId = $panel ?? Filament::getCurrentOrDefaultPanel()?->getId() ?? 'admin';
+
+        return static::getUrl($page, $parameters, panel: $panelId, tenant: $tenant);
+    }
+
     private static function groupType(EntraGroup $record): string
     {
         $groupTypes = $record->group_types;

app/Filament/Resources/EntraGroupResource/Pages/ListEntraGroups.php

@@ -9,25 +9,47 @@
 use App\Services\Directory\EntraGroupSelection;
 use App\Services\OperationRunService;
 use App\Support\Auth\Capabilities;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
 use App\Support\OperationRunLinks;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
 use App\Support\Rbac\UiEnforcement;
 use Filament\Actions\Action;
+use Filament\Facades\Filament;
 use Filament\Resources\Pages\ListRecords;
 
 class ListEntraGroups extends ListRecords
 {
     protected static string $resource = EntraGroupResource::class;
 
+    public function mount(): void
+    {
+        app(CanonicalAdminTenantFilterState::class)->sync(
+            $this->getTableFiltersSessionKey(),
+            request: request(),
+            tenantFilterName: null,
+        );
+
+        if (
+            Filament::getCurrentPanel()?->getId() === 'admin'
+            && ! EntraGroupResource::panelTenantContext() instanceof Tenant
+        ) {
+            abort(404);
+        }
+
+        parent::mount();
+    }
+
     protected function getHeaderActions(): array
     {
+        $tenant = EntraGroupResource::panelTenantContext();
+
         return [
             Action::make('view_operations')
                 ->label('Operations')
                 ->icon('heroicon-o-clock')
-                ->url(fn (): string => OperationRunLinks::index(Tenant::current()))
-                ->visible(fn (): bool => (bool) Tenant::current()),
+                ->url(fn (): string => OperationRunLinks::index($tenant))
+                ->visible(fn (): bool => $tenant instanceof Tenant),
             UiEnforcement::forAction(
                 Action::make('sync_groups')
                     ->label('Sync Groups')
@@ -35,7 +57,7 @@ protected function getHeaderActions(): array
                     ->color('primary')
                     ->action(function (): void {
                         $user = auth()->user();
-                        $tenant = Tenant::current();
+                        $tenant = EntraGroupResource::panelTenantContext();
 
                         if (! $user instanceof User || ! $tenant instanceof Tenant) {
                             return;

app/Filament/Resources/EntraGroupResource/Pages/ViewEntraGroup.php

@@ -3,9 +3,49 @@
 namespace App\Filament\Resources\EntraGroupResource\Pages;
 
 use App\Filament\Resources\EntraGroupResource;
+use App\Models\EntraGroup;
+use App\Models\Tenant;
+use App\Models\User;
+use Filament\Facades\Filament;
 use Filament\Resources\Pages\ViewRecord;
+use Illuminate\Database\Eloquent\Model;
 
 class ViewEntraGroup extends ViewRecord
 {
     protected static string $resource = EntraGroupResource::class;
+
+    protected function resolveRecord(int|string $key): Model
+    {
+        return EntraGroupResource::resolveScopedRecordOrFail($key);
+    }
+
+    protected function authorizeAccess(): void
+    {
+        $tenant = EntraGroupResource::panelTenantContext();
+        $record = $this->getRecord();
+        $user = auth()->user();
+
+        if (
+            Filament::getCurrentPanel()?->getId() === 'admin'
+            && ! $tenant instanceof Tenant
+        ) {
+            abort(404);
+        }
+
+        if (! $user instanceof User || ! $tenant instanceof Tenant || ! $record instanceof EntraGroup) {
+            abort(404);
+        }
+
+        if ((int) $record->tenant_id !== (int) $tenant->getKey()) {
+            abort(404);
+        }
+
+        if (! $user->canAccessTenant($tenant)) {
+            abort(404);
+        }
+
+        if (! $user->can('view', $record)) {
+            abort(403);
+        }
+    }
 }

app/Filament/Resources/EvidenceSnapshotResource.php

@@ -0,0 +1,682 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Resources;
+
+use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
+use App\Filament\Concerns\ResolvesPanelTenantContext;
+use App\Filament\Resources\EvidenceSnapshotResource\Pages;
+use App\Models\EvidenceSnapshot;
+use App\Models\EvidenceSnapshotItem;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Services\Evidence\EvidenceSnapshotService;
+use App\Support\Auth\Capabilities;
+use App\Support\Badges\BadgeCatalog;
+use App\Support\Badges\BadgeDomain;
+use App\Support\Badges\BadgeRenderer;
+use App\Support\Evidence\EvidenceCompletenessState;
+use App\Support\Evidence\EvidenceSnapshotStatus;
+use App\Support\OperationCatalog;
+use App\Support\OperationRunLinks;
+use App\Support\OperationRunOutcome;
+use App\Support\OperationRunStatus;
+use App\Support\Rbac\UiEnforcement;
+use App\Support\Rbac\UiTooltips;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
+use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthEnvelope;
+use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthPresenter;
+use BackedEnum;
+use Filament\Actions;
+use Filament\Facades\Filament;
+use Filament\Infolists\Components\RepeatableEntry;
+use Filament\Infolists\Components\TextEntry;
+use Filament\Infolists\Components\ViewEntry;
+use Filament\Notifications\Notification;
+use Filament\Panel;
+use Filament\Resources\Pages\PageRegistration;
+use Filament\Resources\Resource;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Schema;
+use Filament\Tables;
+use Filament\Tables\Table;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Routing\Route;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Facades\Route as RouteFacade;
+use Illuminate\Support\Str;
+use UnitEnum;
+
+class EvidenceSnapshotResource extends Resource
+{
+    use InteractsWithTenantOwnedRecords;
+    use ResolvesPanelTenantContext;
+
+    protected static ?string $model = EvidenceSnapshot::class;
+
+    protected static ?string $slug = 'evidence';
+
+    protected static ?string $tenantOwnershipRelationshipName = 'tenant';
+
+    protected static bool $isGloballySearchable = false;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-shield-check';
+
+    protected static string|UnitEnum|null $navigationGroup = 'Governance';
+
+    protected static ?string $navigationLabel = 'Evidence';
+
+    protected static ?int $navigationSort = 55;
+
+    public static function canViewAny(): bool
+    {
+        $tenant = static::resolveTenantContextForCurrentPanel();
+        $user = auth()->user();
+
+        if (! $tenant instanceof Tenant || ! $user instanceof User) {
+            return false;
+        }
+
+        if (! $user->canAccessTenant($tenant)) {
+            return false;
+        }
+
+        return $user->can(Capabilities::EVIDENCE_VIEW, $tenant);
+    }
+
+    public static function canView(Model $record): bool
+    {
+        $tenant = static::resolveTenantContextForCurrentPanel();
+        $user = auth()->user();
+
+        if (! $tenant instanceof Tenant || ! $user instanceof User) {
+            return false;
+        }
+
+        if (! $user->canAccessTenant($tenant) || ! $user->can(Capabilities::EVIDENCE_VIEW, $tenant)) {
+            return false;
+        }
+
+        return ! $record instanceof EvidenceSnapshot
+            || ((int) $record->tenant_id === (int) $tenant->getKey() && (int) $record->workspace_id === (int) $tenant->workspace_id);
+    }
+
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView, ActionSurfaceType::ReadOnlyRegistryReport)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Create snapshot is available from the list header.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state includes a Create snapshot CTA.')
+            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Clickable-row inspection stays primary while Expire snapshot remains grouped under More.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Evidence snapshots do not support bulk actions.')
+            ->satisfy(ActionSurfaceSlot::DetailHeader, 'View page exposes Refresh evidence and Expire snapshot actions.');
+    }
+
+    public static function getEloquentQuery(): Builder
+    {
+        return static::getTenantOwnedEloquentQuery()->with(['tenant', 'initiator', 'operationRun', 'items']);
+    }
+
+    public static function resolveScopedRecordOrFail(int|string|null $record): Model
+    {
+        return static::resolveTenantOwnedRecordOrFail($record);
+    }
+
+    public static function form(Schema $schema): Schema
+    {
+        return $schema;
+    }
+
+    public static function infolist(Schema $schema): Schema
+    {
+        return $schema->schema([
+            Section::make('Artifact truth')
+                ->schema([
+                    ViewEntry::make('artifact_truth')
+                        ->hiddenLabel()
+                        ->view('filament.infolists.entries.governance-artifact-truth')
+                        ->state(fn (EvidenceSnapshot $record): array => static::truthEnvelope($record)->toArray())
+                        ->columnSpanFull(),
+                ])
+                ->columnSpanFull(),
+            Section::make('Snapshot')
+                ->schema([
+                    TextEntry::make('status')
+                        ->badge()
+                        ->formatStateUsing(BadgeRenderer::label(BadgeDomain::EvidenceSnapshotStatus))
+                        ->color(BadgeRenderer::color(BadgeDomain::EvidenceSnapshotStatus))
+                        ->icon(BadgeRenderer::icon(BadgeDomain::EvidenceSnapshotStatus))
+                        ->iconColor(BadgeRenderer::iconColor(BadgeDomain::EvidenceSnapshotStatus)),
+                    TextEntry::make('completeness_state')
+                        ->label('Completeness')
+                        ->badge()
+                        ->formatStateUsing(BadgeRenderer::label(BadgeDomain::EvidenceCompleteness))
+                        ->color(BadgeRenderer::color(BadgeDomain::EvidenceCompleteness))
+                        ->icon(BadgeRenderer::icon(BadgeDomain::EvidenceCompleteness))
+                        ->iconColor(BadgeRenderer::iconColor(BadgeDomain::EvidenceCompleteness)),
+                    TextEntry::make('tenant.name')->label('Tenant'),
+                    TextEntry::make('generated_at')->dateTime()->placeholder('—'),
+                    TextEntry::make('expires_at')->dateTime()->placeholder('—'),
+                    TextEntry::make('operationRun.id')
+                        ->label('Operation run')
+                        ->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
+                        ->url(fn (EvidenceSnapshot $record): ?string => $record->operation_run_id ? OperationRunLinks::tenantlessView((int) $record->operation_run_id) : null)
+                        ->openUrlInNewTab(),
+                    TextEntry::make('fingerprint')->copyable()->placeholder('—')->columnSpanFull()->fontFamily('mono'),
+                    TextEntry::make('previous_fingerprint')->copyable()->placeholder('—')->columnSpanFull()->fontFamily('mono'),
+                ])
+                ->columns(2),
+            Section::make('Summary')
+                ->schema([
+                    TextEntry::make('summary.finding_count')->label('Findings')->placeholder('—'),
+                    TextEntry::make('summary.report_count')->label('Reports')->placeholder('—'),
+                    TextEntry::make('summary.operation_count')->label('Operations')->placeholder('—'),
+                    TextEntry::make('summary.missing_dimensions')->label(static::evidenceCompletenessCountLabel(EvidenceCompletenessState::Missing->value))->placeholder('—'),
+                    TextEntry::make('summary.stale_dimensions')->label(static::evidenceCompletenessCountLabel(EvidenceCompletenessState::Stale->value))->placeholder('—'),
+                ])
+                ->columns(2),
+            Section::make('Evidence dimensions')
+                ->schema([
+                    RepeatableEntry::make('items')
+                        ->hiddenLabel()
+                        ->schema([
+                            TextEntry::make('dimension_key')->label('Dimension')
+                                ->formatStateUsing(fn (string $state): string => Str::headline($state)),
+                            TextEntry::make('state')
+                                ->badge()
+                                ->formatStateUsing(BadgeRenderer::label(BadgeDomain::EvidenceCompleteness))
+                                ->color(BadgeRenderer::color(BadgeDomain::EvidenceCompleteness))
+                                ->icon(BadgeRenderer::icon(BadgeDomain::EvidenceCompleteness))
+                                ->iconColor(BadgeRenderer::iconColor(BadgeDomain::EvidenceCompleteness)),
+                            TextEntry::make('source_kind')->label('Source')
+                                ->formatStateUsing(fn (string $state): string => Str::headline($state)),
+                            TextEntry::make('freshness_at')->dateTime()->placeholder('—'),
+                            ViewEntry::make('summary_payload_highlights')
+                                ->label('Summary')
+                                ->view('filament.infolists.entries.evidence-dimension-summary')
+                                ->state(fn (EvidenceSnapshotItem $record): array => static::dimensionSummaryPresentation($record))
+                                ->columnSpanFull(),
+                            ViewEntry::make('summary_payload_raw')
+                                ->label('Raw summary JSON')
+                                ->view('filament.infolists.entries.snapshot-json')
+                                ->state(fn (EvidenceSnapshotItem $record): array => is_array($record->summary_payload) ? $record->summary_payload : [])
+                                ->columnSpanFull(),
+                        ])
+                        ->columns(4),
+                ]),
+        ]);
+    }
+
+    public static function table(Table $table): Table
+    {
+        return $table
+            ->defaultSort('created_at', 'desc')
+            ->recordUrl(fn (EvidenceSnapshot $record): string => static::getUrl('view', ['record' => $record]))
+            ->columns([
+                Tables\Columns\TextColumn::make('status')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::EvidenceSnapshotStatus))
+                    ->color(BadgeRenderer::color(BadgeDomain::EvidenceSnapshotStatus))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::EvidenceSnapshotStatus))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::EvidenceSnapshotStatus))
+                    ->sortable(),
+                Tables\Columns\TextColumn::make('artifact_truth')
+                    ->label('Artifact truth')
+                    ->badge()
+                    ->getStateUsing(fn (EvidenceSnapshot $record): string => static::truthEnvelope($record)->primaryLabel)
+                    ->color(fn (EvidenceSnapshot $record): string => static::truthEnvelope($record)->primaryBadgeSpec()->color)
+                    ->icon(fn (EvidenceSnapshot $record): ?string => static::truthEnvelope($record)->primaryBadgeSpec()->icon)
+                    ->iconColor(fn (EvidenceSnapshot $record): ?string => static::truthEnvelope($record)->primaryBadgeSpec()->iconColor)
+                    ->description(fn (EvidenceSnapshot $record): ?string => static::truthEnvelope($record)->primaryExplanation)
+                    ->wrap(),
+                Tables\Columns\TextColumn::make('completeness_state')
+                    ->label('Completeness')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::EvidenceCompleteness))
+                    ->color(BadgeRenderer::color(BadgeDomain::EvidenceCompleteness))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::EvidenceCompleteness))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::EvidenceCompleteness))
+                    ->sortable(),
+                Tables\Columns\TextColumn::make('generated_at')->dateTime()->sortable()->placeholder('—'),
+                Tables\Columns\TextColumn::make('summary.finding_count')->label('Findings'),
+                Tables\Columns\TextColumn::make('summary.missing_dimensions')->label(static::evidenceCompletenessCountLabel(EvidenceCompletenessState::Missing->value)),
+                Tables\Columns\TextColumn::make('artifact_next_step')
+                    ->label('Next step')
+                    ->getStateUsing(fn (EvidenceSnapshot $record): string => static::truthEnvelope($record)->nextStepText())
+                    ->wrap(),
+            ])
+            ->filters([
+                Tables\Filters\SelectFilter::make('status')
+                    ->options(BadgeCatalog::options(BadgeDomain::EvidenceSnapshotStatus, EvidenceSnapshotStatus::values())),
+                Tables\Filters\SelectFilter::make('completeness_state')
+                    ->options(BadgeCatalog::options(BadgeDomain::EvidenceCompleteness, EvidenceCompletenessState::values())),
+            ])
+            ->actions([
+                Actions\ActionGroup::make([
+                    UiEnforcement::forTableAction(
+                        Actions\Action::make('expire')
+                            ->label('Expire snapshot')
+                            ->color('danger')
+                            ->hidden(fn (EvidenceSnapshot $record): bool => ! static::canExpireRecord($record))
+                            ->requiresConfirmation()
+                            ->action(function (EvidenceSnapshot $record): void {
+                                $user = auth()->user();
+
+                                if (! $user instanceof User) {
+                                    abort(403);
+                                }
+
+                                app(EvidenceSnapshotService::class)->expire($record, $user);
+                                static::truthEnvelope($record->refresh(), fresh: true);
+
+                                Notification::make()->success()->title('Snapshot expired')->send();
+                            }),
+                        fn (EvidenceSnapshot $record): EvidenceSnapshot => $record,
+                    )
+                        ->preserveVisibility()
+                        ->requireCapability(Capabilities::EVIDENCE_MANAGE)
+                        ->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
+                        ->apply(),
+                ])->label('More'),
+            ])
+            ->bulkActions([])
+            ->emptyStateHeading('No evidence snapshots yet')
+            ->emptyStateDescription('Create the first snapshot to capture immutable evidence for this tenant.')
+            ->emptyStateActions([
+                UiEnforcement::forAction(
+                    Actions\Action::make('create_first_snapshot')
+                        ->label('Create first snapshot')
+                        ->icon('heroicon-o-plus')
+                        ->action(fn (): mixed => static::executeGeneration([])),
+                )
+                    ->requireCapability(Capabilities::EVIDENCE_MANAGE)
+                    ->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
+                    ->apply(),
+            ]);
+    }
+
+    public static function getPages(): array
+    {
+        return [
+            'index' => Pages\ListEvidenceSnapshots::route('/'),
+            'view' => new PageRegistration(
+                page: Pages\ViewEvidenceSnapshot::class,
+                route: fn (Panel $panel): Route => RouteFacade::get('/{record}', Pages\ViewEvidenceSnapshot::class)
+                    ->whereNumber('record')
+                    ->middleware(Pages\ViewEvidenceSnapshot::getRouteMiddleware($panel))
+                    ->withoutMiddleware(Pages\ViewEvidenceSnapshot::getWithoutRouteMiddleware($panel)),
+            ),
+        ];
+    }
+
+    /**
+     * @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
+     */
+    private static function dimensionSummaryPresentation(EvidenceSnapshotItem $item): array
+    {
+        $payload = is_array($item->summary_payload) ? $item->summary_payload : [];
+
+        return match ($item->dimension_key) {
+            'findings_summary' => static::findingsSummaryPresentation($payload),
+            'permission_posture' => static::permissionPosturePresentation($payload),
+            'entra_admin_roles' => static::entraAdminRolesPresentation($payload),
+            'baseline_drift_posture' => static::baselineDriftPosturePresentation($payload),
+            'operations_summary' => static::operationsSummaryPresentation($payload),
+            default => static::genericSummaryPresentation($payload),
+        };
+    }
+
+    /**
+     * @param  array<string, mixed>  $payload
+     * @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
+     */
+    private static function findingsSummaryPresentation(array $payload): array
+    {
+        $count = (int) ($payload['count'] ?? 0);
+        $openCount = (int) ($payload['open_count'] ?? 0);
+        $severityCounts = is_array($payload['severity_counts'] ?? null) ? $payload['severity_counts'] : [];
+        $entries = is_array($payload['entries'] ?? null) ? $payload['entries'] : [];
+
+        return [
+            'summary' => sprintf('%d findings, %d open.', $count, $openCount),
+            'highlights' => [
+                ['label' => 'Findings', 'value' => (string) $count],
+                ['label' => 'Open findings', 'value' => (string) $openCount],
+                ['label' => 'Critical', 'value' => (string) ((int) ($severityCounts['critical'] ?? 0))],
+                ['label' => 'High', 'value' => (string) ((int) ($severityCounts['high'] ?? 0))],
+                ['label' => 'Medium', 'value' => (string) ((int) ($severityCounts['medium'] ?? 0))],
+                ['label' => 'Low', 'value' => (string) ((int) ($severityCounts['low'] ?? 0))],
+            ],
+            'items' => collect($entries)
+                ->map(fn (mixed $entry): ?string => is_array($entry) ? static::findingEntryLabel($entry) : null)
+                ->filter()
+                ->take(5)
+                ->values()
+                ->all(),
+        ];
+    }
+
+    /**
+     * @param  array<string, mixed>  $payload
+     * @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
+     */
+    private static function permissionPosturePresentation(array $payload): array
+    {
+        $requiredCount = (int) ($payload['required_count'] ?? 0);
+        $grantedCount = (int) ($payload['granted_count'] ?? 0);
+        $postureScore = $payload['posture_score'] ?? null;
+        $reportPayload = is_array($payload['payload'] ?? null) ? $payload['payload'] : [];
+
+        return [
+            'summary' => sprintf('%d of %d required permissions granted.', $grantedCount, $requiredCount),
+            'highlights' => [
+                ['label' => 'Granted permissions', 'value' => (string) $grantedCount],
+                ['label' => 'Required permissions', 'value' => (string) $requiredCount],
+                ['label' => 'Posture score', 'value' => $postureScore === null ? '—' : (string) $postureScore],
+            ],
+            'items' => static::namedItemsFromArray(
+                Arr::get($reportPayload, 'missing_permissions', Arr::get($reportPayload, 'missing', [])),
+                'No missing permission details captured.'
+            ),
+        ];
+    }
+
+    /**
+     * @param  array<string, mixed>  $payload
+     * @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
+     */
+    private static function entraAdminRolesPresentation(array $payload): array
+    {
+        $roleCount = (int) ($payload['role_count'] ?? 0);
+
+        return [
+            'summary' => sprintf('%d privileged Entra roles captured.', $roleCount),
+            'highlights' => [
+                ['label' => 'Role count', 'value' => (string) $roleCount],
+            ],
+            'items' => static::namedItemsFromArray($payload['roles'] ?? [], 'No role details captured.'),
+        ];
+    }
+
+    /**
+     * @param  array<string, mixed>  $payload
+     * @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
+     */
+    private static function baselineDriftPosturePresentation(array $payload): array
+    {
+        $driftCount = (int) ($payload['drift_count'] ?? 0);
+        $openDriftCount = (int) ($payload['open_drift_count'] ?? 0);
+
+        return [
+            'summary' => sprintf('%d drift findings, %d still open.', $driftCount, $openDriftCount),
+            'highlights' => [
+                ['label' => 'Drift findings', 'value' => (string) $driftCount],
+                ['label' => 'Open drift findings', 'value' => (string) $openDriftCount],
+            ],
+            'items' => [],
+        ];
+    }
+
+    /**
+     * @param  array<string, mixed>  $payload
+     * @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
+     */
+    private static function operationsSummaryPresentation(array $payload): array
+    {
+        $operationCount = (int) ($payload['operation_count'] ?? 0);
+        $failedCount = (int) ($payload['failed_count'] ?? 0);
+        $partialCount = (int) ($payload['partial_count'] ?? 0);
+        $entries = is_array($payload['entries'] ?? null) ? $payload['entries'] : [];
+        $actionSummary = $failedCount === 0 && $partialCount === 0
+            ? 'No action needed.'
+            : sprintf('%d execution failures, %d need follow-up.', $failedCount, $partialCount);
+
+        return [
+            'summary' => sprintf('%d operations in the last 30 days. %s', $operationCount, $actionSummary),
+            'highlights' => [
+                ['label' => 'Operations', 'value' => (string) $operationCount],
+                ['label' => 'Execution failures', 'value' => (string) $failedCount],
+                ['label' => 'Needs follow-up', 'value' => (string) $partialCount],
+            ],
+            'items' => collect($entries)
+                ->map(fn (mixed $entry): ?string => is_array($entry) ? static::operationEntryLabel($entry) : null)
+                ->filter()
+                ->take(5)
+                ->values()
+                ->all(),
+        ];
+    }
+
+    /**
+     * @param  array<string, mixed>  $payload
+     * @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
+     */
+    private static function genericSummaryPresentation(array $payload): array
+    {
+        $highlights = collect($payload)
+            ->reject(fn (mixed $value, string|int $key): bool => in_array((string) $key, ['entries', 'payload', 'roles'], true) || is_array($value))
+            ->take(6)
+            ->map(fn (mixed $value, string|int $key): array => [
+                'label' => Str::headline((string) $key),
+                'value' => static::stringifySummaryValue($value),
+            ])
+            ->values()
+            ->all();
+
+        return [
+            'summary' => empty($highlights) ? 'No summary details captured.' : null,
+            'highlights' => $highlights,
+            'items' => [],
+        ];
+    }
+
+    /**
+     * @return list<string>
+     */
+    private static function namedItemsFromArray(mixed $items, string $emptyFallback): array
+    {
+        if (! is_array($items) || $items === []) {
+            return [$emptyFallback];
+        }
+
+        $labels = collect($items)
+            ->map(function (mixed $item): ?string {
+                if (is_string($item)) {
+                    return trim($item) !== '' ? $item : null;
+                }
+
+                if (! is_array($item)) {
+                    return null;
+                }
+
+                foreach (['display_name', 'displayName', 'name', 'title', 'id'] as $key) {
+                    $value = $item[$key] ?? null;
+
+                    if (is_string($value) && trim($value) !== '') {
+                        return $value;
+                    }
+                }
+
+                return null;
+            })
+            ->filter()
+            ->take(5)
+            ->values()
+            ->all();
+
+        return $labels === [] ? [$emptyFallback] : $labels;
+    }
+
+    /**
+     * @param  array<string, mixed>  $entry
+     */
+    private static function findingEntryLabel(array $entry): ?string
+    {
+        $title = $entry['title'] ?? null;
+        $severity = $entry['severity'] ?? null;
+        $status = $entry['status'] ?? null;
+
+        if (! is_string($title) || trim($title) === '') {
+            return null;
+        }
+
+        $parts = [trim($title)];
+
+        if (is_string($severity) && trim($severity) !== '') {
+            $parts[] = Str::headline($severity);
+        }
+
+        if (is_string($status) && trim($status) !== '') {
+            $parts[] = Str::headline($status);
+        }
+
+        return implode(' · ', $parts);
+    }
+
+    /**
+     * @param  array<string, mixed>  $entry
+     */
+    private static function operationEntryLabel(array $entry): ?string
+    {
+        $type = $entry['type'] ?? null;
+
+        if (! is_string($type) || trim($type) === '') {
+            return null;
+        }
+
+        $parts = [static::operationTypeLabel($type)];
+
+        $stateLabel = static::operationEntryStateLabel($entry);
+
+        if ($stateLabel !== null) {
+            $parts[] = $stateLabel;
+        }
+
+        return implode(' · ', $parts);
+    }
+
+    public static function canExpireRecord(EvidenceSnapshot $record): bool
+    {
+        return (string) $record->status !== EvidenceSnapshotStatus::Expired->value;
+    }
+
+    private static function operationTypeLabel(string $type): string
+    {
+        $label = OperationCatalog::label($type);
+
+        return $label === 'Unknown operation' ? 'Operation' : $label;
+    }
+
+    /**
+     * @param  array<string, mixed>  $entry
+     */
+    private static function operationEntryStateLabel(array $entry): ?string
+    {
+        $status = is_string($entry['status'] ?? null) ? trim((string) $entry['status']) : null;
+        $outcome = is_string($entry['outcome'] ?? null) ? trim((string) $entry['outcome']) : null;
+
+        return match ($status) {
+            OperationRunStatus::Queued->value => static::badgeLabel(BadgeDomain::OperationRunStatus, $status),
+            OperationRunStatus::Running->value => static::badgeLabel(BadgeDomain::OperationRunStatus, $status),
+            OperationRunStatus::Completed->value => match ($outcome) {
+                OperationRunOutcome::Pending->value => static::badgeLabel(BadgeDomain::OperationRunStatus, $status),
+                OperationRunOutcome::Succeeded->value,
+                OperationRunOutcome::PartiallySucceeded->value,
+                OperationRunOutcome::Blocked->value,
+                OperationRunOutcome::Failed->value,
+                OperationRunOutcome::Cancelled->value => static::badgeLabel(BadgeDomain::OperationRunOutcome, $outcome),
+                default => static::badgeLabel(BadgeDomain::OperationRunStatus, $status),
+            },
+            default => $outcome !== null ? static::badgeLabel(BadgeDomain::OperationRunOutcome, $outcome) : null,
+        };
+    }
+
+    private static function evidenceCompletenessCountLabel(string $state): string
+    {
+        return BadgeCatalog::spec(BadgeDomain::EvidenceCompleteness, $state)->label;
+    }
+
+    private static function badgeLabel(BadgeDomain $domain, ?string $state): ?string
+    {
+        if ($state === null || trim($state) === '') {
+            return null;
+        }
+
+        $label = BadgeCatalog::spec($domain, $state)->label;
+
+        return $label === 'Unknown' ? null : $label;
+    }
+
+    private static function truthEnvelope(EvidenceSnapshot $record, bool $fresh = false): ArtifactTruthEnvelope
+    {
+        $presenter = app(ArtifactTruthPresenter::class);
+
+        return $fresh
+            ? $presenter->forEvidenceSnapshotFresh($record)
+            : $presenter->forEvidenceSnapshot($record);
+    }
+
+    private static function stringifySummaryValue(mixed $value): string
+    {
+        return match (true) {
+            $value === null => '—',
+            is_bool($value) => $value ? 'Yes' : 'No',
+            is_scalar($value) => (string) $value,
+            default => '—',
+        };
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    public static function executeGeneration(array $data): void
+    {
+        $tenant = Filament::getTenant();
+        $user = auth()->user();
+
+        if (! $tenant instanceof Tenant || ! $user instanceof User) {
+            Notification::make()->danger()->title('Unable to create snapshot — missing context.')->send();
+
+            return;
+        }
+
+        $snapshot = app(EvidenceSnapshotService::class)->generate(
+            tenant: $tenant,
+            user: $user,
+            allowStale: (bool) ($data['allow_stale'] ?? false),
+        );
+        static::truthEnvelope($snapshot->refresh(), fresh: true);
+
+        if (! $snapshot->wasRecentlyCreated) {
+            Notification::make()
+                ->success()
+                ->title('Snapshot already available')
+                ->body('A matching active snapshot already exists. No new run was started.')
+                ->actions([
+                    Actions\Action::make('view_snapshot')
+                        ->label('View snapshot')
+                        ->url(static::getUrl('view', ['record' => $snapshot], tenant: $tenant)),
+                ])
+                ->send();
+
+            return;
+        }
+
+        Notification::make()
+            ->success()
+            ->title('Create snapshot queued')
+            ->body('The snapshot is being generated in the background.')
+            ->actions([
+                Actions\Action::make('view_run')
+                    ->label('View run')
+                    ->url($snapshot->operation_run_id ? OperationRunLinks::tenantlessView((int) $snapshot->operation_run_id) : static::getUrl('view', ['record' => $snapshot], tenant: $tenant)),
+            ])
+            ->send();
+    }
+}

app/Filament/Resources/EvidenceSnapshotResource/Pages/ListEvidenceSnapshots.php

@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Resources\EvidenceSnapshotResource\Pages;
+
+use App\Filament\Resources\EvidenceSnapshotResource;
+use App\Support\Auth\Capabilities;
+use App\Support\Rbac\UiEnforcement;
+use Filament\Actions;
+use Filament\Forms\Components\Toggle;
+use Filament\Resources\Pages\ListRecords;
+use Filament\Schemas\Components\Section;
+
+class ListEvidenceSnapshots extends ListRecords
+{
+    protected static string $resource = EvidenceSnapshotResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            UiEnforcement::forAction(
+                Actions\Action::make('create_snapshot')
+                    ->label('Create snapshot')
+                    ->icon('heroicon-o-plus')
+                    ->action(fn (array $data): mixed => EvidenceSnapshotResource::executeGeneration($data))
+                    ->form([
+                        Section::make('Snapshot options')
+                            ->schema([
+                                Toggle::make('allow_stale')
+                                    ->label('Allow stale dimensions')
+                                    ->default(false),
+                            ]),
+                    ]),
+            )
+                ->requireCapability(Capabilities::EVIDENCE_MANAGE)
+                ->apply(),
+        ];
+    }
+}

app/Filament/Resources/EvidenceSnapshotResource/Pages/ViewEvidenceSnapshot.php

@@ -0,0 +1,102 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Resources\EvidenceSnapshotResource\Pages;
+
+use App\Filament\Resources\EvidenceSnapshotResource;
+use App\Filament\Resources\ReviewPackResource;
+use App\Models\ReviewPack;
+use App\Models\User;
+use App\Services\Evidence\EvidenceSnapshotService;
+use App\Support\Auth\Capabilities;
+use App\Support\OperationRunLinks;
+use App\Support\Rbac\UiEnforcement;
+use Filament\Actions;
+use Filament\Notifications\Notification;
+use Filament\Resources\Pages\ViewRecord;
+use Illuminate\Database\Eloquent\Model;
+
+class ViewEvidenceSnapshot extends ViewRecord
+{
+    protected static string $resource = EvidenceSnapshotResource::class;
+
+    protected function resolveRecord(int|string $key): Model
+    {
+        return EvidenceSnapshotResource::resolveScopedRecordOrFail($key);
+    }
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            Actions\Action::make('view_run')
+                ->label('View run')
+                ->icon('heroicon-o-eye')
+                ->color('gray')
+                ->url(fn (): ?string => $this->record->operation_run_id ? OperationRunLinks::tenantlessView((int) $this->record->operation_run_id) : null)
+                ->hidden(fn (): bool => ! is_numeric($this->record->operation_run_id)),
+            Actions\Action::make('view_review_pack')
+                ->label('View review pack')
+                ->icon('heroicon-o-document-text')
+                ->color('gray')
+                ->url(function (): ?string {
+                    $pack = $this->latestReviewPack();
+
+                    if (! $pack instanceof ReviewPack || ! $pack->tenant) {
+                        return null;
+                    }
+
+                    return ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $pack->tenant);
+                })
+                ->hidden(fn (): bool => ! $this->latestReviewPack() instanceof ReviewPack),
+            UiEnforcement::forAction(
+                Actions\Action::make('refresh_snapshot')
+                    ->label('Refresh evidence')
+                    ->icon('heroicon-o-arrow-path')
+                    ->requiresConfirmation()
+                    ->action(function (): void {
+                        $user = auth()->user();
+
+                        if (! $user instanceof User) {
+                            abort(403);
+                        }
+
+                        app(EvidenceSnapshotService::class)->refresh($this->record, $user);
+
+                        Notification::make()->success()->title('Refresh evidence queued')->send();
+                    }),
+            )
+                ->requireCapability(Capabilities::EVIDENCE_MANAGE)
+                ->apply(),
+            UiEnforcement::forAction(
+                Actions\Action::make('expire_snapshot')
+                    ->label('Expire snapshot')
+                    ->icon('heroicon-o-x-circle')
+                    ->color('danger')
+                    ->hidden(fn (): bool => ! EvidenceSnapshotResource::canExpireRecord($this->record))
+                    ->requiresConfirmation()
+                    ->action(function (): void {
+                        $user = auth()->user();
+
+                        if (! $user instanceof User) {
+                            abort(403);
+                        }
+
+                        app(EvidenceSnapshotService::class)->expire($this->record, $user);
+                        $this->refreshFormData(['status', 'expires_at']);
+
+                        Notification::make()->success()->title('Snapshot expired')->send();
+                    }),
+            )
+                ->requireCapability(Capabilities::EVIDENCE_MANAGE)
+                ->apply(),
+        ];
+    }
+
+    private function latestReviewPack(): ?ReviewPack
+    {
+        return $this->record->reviewPacks()
+            ->latest('created_at')
+            ->first();
+    }
+}

app/Filament/Resources/FindingExceptionResource.php

@@ -0,0 +1,630 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Resources;
+
+use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
+use App\Filament\Concerns\ResolvesPanelTenantContext;
+use App\Filament\Resources\FindingExceptionResource\Pages;
+use App\Models\FindingException;
+use App\Models\FindingExceptionEvidenceReference;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Models\Workspace;
+use App\Services\Auth\WorkspaceCapabilityResolver;
+use App\Services\Findings\FindingExceptionService;
+use App\Services\Findings\FindingRiskGovernanceResolver;
+use App\Support\Auth\Capabilities;
+use App\Support\Badges\BadgeDomain;
+use App\Support\Badges\BadgeRenderer;
+use App\Support\Filament\FilterOptionCatalog;
+use App\Support\Filament\TablePaginationProfiles;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use BackedEnum;
+use Filament\Actions\Action;
+use Filament\Facades\Filament;
+use Filament\Forms\Components\DateTimePicker;
+use Filament\Forms\Components\Repeater;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\Textarea;
+use Filament\Forms\Components\TextInput;
+use Filament\Infolists\Components\RepeatableEntry;
+use Filament\Infolists\Components\TextEntry;
+use Filament\Notifications\Notification;
+use Filament\Resources\Resource;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Schema;
+use Filament\Tables;
+use Filament\Tables\Filters\SelectFilter;
+use Filament\Tables\Table;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Model;
+use InvalidArgumentException;
+use UnitEnum;
+
+class FindingExceptionResource extends Resource
+{
+    use InteractsWithTenantOwnedRecords;
+    use ResolvesPanelTenantContext;
+
+    protected static ?string $model = FindingException::class;
+
+    protected static ?string $tenantOwnershipRelationshipName = 'tenant';
+
+    protected static bool $isGloballySearchable = false;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-shield-exclamation';
+
+    protected static string|UnitEnum|null $navigationGroup = 'Governance';
+
+    protected static ?string $navigationLabel = 'Risk exceptions';
+
+    protected static ?int $navigationSort = 60;
+
+    public static function shouldRegisterNavigation(): bool
+    {
+        if (Filament::getCurrentPanel()?->getId() === 'admin') {
+            return false;
+        }
+
+        return parent::shouldRegisterNavigation();
+    }
+
+    public static function canViewAny(): bool
+    {
+        $tenant = static::resolveTenantContextForCurrentPanel();
+        $user = auth()->user();
+
+        if (! $tenant instanceof Tenant || ! $user instanceof User) {
+            return false;
+        }
+
+        if (! $user->canAccessTenant($tenant)) {
+            return false;
+        }
+
+        return $user->can(Capabilities::FINDING_EXCEPTION_VIEW, $tenant);
+    }
+
+    public static function canView(Model $record): bool
+    {
+        $tenant = static::resolveTenantContextForCurrentPanel();
+        $user = auth()->user();
+
+        if (! $tenant instanceof Tenant || ! $user instanceof User) {
+            return false;
+        }
+
+        if (! $user->canAccessTenant($tenant) || ! $user->can(Capabilities::FINDING_EXCEPTION_VIEW, $tenant)) {
+            return false;
+        }
+
+        return ! $record instanceof FindingException
+            || ((int) $record->tenant_id === (int) $tenant->getKey() && (int) $record->workspace_id === (int) $tenant->workspace_id);
+    }
+
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'List header links back to findings where exception requests originate.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'v1 keeps exception mutations direct and avoids a More menu.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Exception decisions require per-record review and intentionally omit bulk actions in v1.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state explains that new requests start from finding detail.')
+            ->satisfy(ActionSurfaceSlot::DetailHeader, 'Detail header exposes linked finding navigation plus state-aware renewal and revocation actions.');
+    }
+
+    public static function getEloquentQuery(): Builder
+    {
+        return static::getTenantOwnedEloquentQuery()
+            ->with(static::relationshipsForView());
+    }
+
+    /**
+     * @return array{active: int, expiring: int, expired: int, pending: int, total: int}
+     */
+    public static function exceptionStatsForCurrentTenant(): array
+    {
+        $tenant = static::resolveTenantContextForCurrentPanel();
+
+        if (! $tenant instanceof Tenant) {
+            return ['active' => 0, 'expiring' => 0, 'expired' => 0, 'pending' => 0, 'total' => 0];
+        }
+
+        $counts = FindingException::query()
+            ->where('tenant_id', (int) $tenant->getKey())
+            ->where('workspace_id', (int) $tenant->workspace_id)
+            ->selectRaw('count(*) as total')
+            ->selectRaw("count(*) filter (where status = 'active') as active")
+            ->selectRaw("count(*) filter (where status = 'expiring') as expiring")
+            ->selectRaw("count(*) filter (where status = 'expired') as expired")
+            ->selectRaw("count(*) filter (where status = 'pending') as pending")
+            ->first();
+
+        return [
+            'active' => (int) ($counts?->active ?? 0),
+            'expiring' => (int) ($counts?->expiring ?? 0),
+            'expired' => (int) ($counts?->expired ?? 0),
+            'pending' => (int) ($counts?->pending ?? 0),
+            'total' => (int) ($counts?->total ?? 0),
+        ];
+    }
+
+    public static function resolveScopedRecordOrFail(int|string|null $record): Model
+    {
+        return static::resolveTenantOwnedRecordOrFail($record, parent::getEloquentQuery()->with(static::relationshipsForView()));
+    }
+
+    public static function form(Schema $schema): Schema
+    {
+        return $schema;
+    }
+
+    public static function infolist(Schema $schema): Schema
+    {
+        return $schema->schema([
+            Section::make('Exception')
+                ->schema([
+                    TextEntry::make('status')
+                        ->badge()
+                        ->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingExceptionStatus))
+                        ->color(BadgeRenderer::color(BadgeDomain::FindingExceptionStatus))
+                        ->icon(BadgeRenderer::icon(BadgeDomain::FindingExceptionStatus))
+                        ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingExceptionStatus)),
+                    TextEntry::make('current_validity_state')
+                        ->label('Validity')
+                        ->badge()
+                        ->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingRiskGovernanceValidity))
+                        ->color(BadgeRenderer::color(BadgeDomain::FindingRiskGovernanceValidity))
+                        ->icon(BadgeRenderer::icon(BadgeDomain::FindingRiskGovernanceValidity))
+                        ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingRiskGovernanceValidity)),
+                    TextEntry::make('governance_warning')
+                        ->label('Governance warning')
+                        ->state(fn (FindingException $record): ?string => static::governanceWarning($record))
+                        ->color(fn (FindingException $record): string => static::governanceWarningColor($record))
+                        ->columnSpanFull()
+                        ->visible(fn (FindingException $record): bool => static::governanceWarning($record) !== null),
+                    TextEntry::make('tenant.name')->label('Tenant'),
+                    TextEntry::make('finding_summary')
+                        ->label('Finding')
+                        ->state(fn (FindingException $record): string => static::findingSummary($record)),
+                    TextEntry::make('requester.name')->label('Requested by')->placeholder('—'),
+                    TextEntry::make('owner.name')->label('Owner')->placeholder('—'),
+                    TextEntry::make('approver.name')->label('Approved by')->placeholder('—'),
+                    TextEntry::make('requested_at')->label('Requested')->dateTime()->placeholder('—'),
+                    TextEntry::make('approved_at')->label('Approved')->dateTime()->placeholder('—'),
+                    TextEntry::make('review_due_at')->label('Review due')->dateTime()->placeholder('—'),
+                    TextEntry::make('effective_from')->label('Effective from')->dateTime()->placeholder('—'),
+                    TextEntry::make('expires_at')->label('Expires')->dateTime()->placeholder('—'),
+                    TextEntry::make('request_reason')->label('Request reason')->columnSpanFull(),
+                    TextEntry::make('approval_reason')->label('Approval reason')->placeholder('—')->columnSpanFull(),
+                    TextEntry::make('rejection_reason')->label('Rejection reason')->placeholder('—')->columnSpanFull(),
+                ])
+                ->columns(2),
+            Section::make('Decision history')
+                ->schema([
+                    RepeatableEntry::make('decisions')
+                        ->hiddenLabel()
+                        ->schema([
+                            TextEntry::make('decision_type')->label('Decision'),
+                            TextEntry::make('actor.name')->label('Actor')->placeholder('—'),
+                            TextEntry::make('decided_at')->label('Decided')->dateTime()->placeholder('—'),
+                            TextEntry::make('reason')->label('Reason')->placeholder('—')->columnSpanFull(),
+                        ])
+                        ->columns(3),
+                ]),
+            Section::make('Evidence references')
+                ->schema([
+                    RepeatableEntry::make('evidenceReferences')
+                        ->hiddenLabel()
+                        ->schema([
+                            TextEntry::make('label')->label('Label'),
+                            TextEntry::make('source_type')->label('Source'),
+                            TextEntry::make('source_id')->label('Source ID')->placeholder('—'),
+                            TextEntry::make('source_fingerprint')->label('Fingerprint')->placeholder('—'),
+                            TextEntry::make('measured_at')->label('Measured')->dateTime()->placeholder('—'),
+                            TextEntry::make('summary_payload')
+                                ->label('Summary')
+                                ->state(function (FindingExceptionEvidenceReference $record): ?string {
+                                    if ($record->summary_payload === [] || $record->summary_payload === null) {
+                                        return null;
+                                    }
+
+                                    return json_encode($record->summary_payload, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE) ?: null;
+                                })
+                                ->placeholder('—')
+                                ->columnSpanFull(),
+                        ])
+                        ->columns(2),
+                ])
+                ->visible(fn (FindingException $record): bool => $record->evidenceReferences->isNotEmpty()),
+        ]);
+    }
+
+    public static function table(Table $table): Table
+    {
+        return $table
+            ->defaultSort('requested_at', 'desc')
+            ->paginated(TablePaginationProfiles::resource())
+            ->persistFiltersInSession()
+            ->persistSearchInSession()
+            ->persistSortInSession()
+            ->recordUrl(fn (FindingException $record): string => static::getUrl('view', ['record' => $record]))
+            ->columns([
+                Tables\Columns\TextColumn::make('status')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingExceptionStatus))
+                    ->color(BadgeRenderer::color(BadgeDomain::FindingExceptionStatus))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::FindingExceptionStatus))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingExceptionStatus))
+                    ->sortable(),
+                Tables\Columns\TextColumn::make('current_validity_state')
+                    ->label('Validity')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingRiskGovernanceValidity))
+                    ->color(BadgeRenderer::color(BadgeDomain::FindingRiskGovernanceValidity))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::FindingRiskGovernanceValidity))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingRiskGovernanceValidity))
+                    ->sortable(),
+                Tables\Columns\TextColumn::make('finding.severity')
+                    ->label('Severity')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingSeverity))
+                    ->color(BadgeRenderer::color(BadgeDomain::FindingSeverity))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::FindingSeverity))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingSeverity))
+                    ->placeholder('—')
+                    ->sortable(),
+                Tables\Columns\TextColumn::make('finding_summary')
+                    ->label('Finding')
+                    ->state(fn (FindingException $record): string => static::findingSummary($record))
+                    ->searchable()
+                    ->wrap()
+                    ->limit(60),
+                Tables\Columns\TextColumn::make('governance_warning')
+                    ->label('Governance warning')
+                    ->state(fn (FindingException $record): ?string => static::governanceWarning($record))
+                    ->color(fn (FindingException $record): string => static::governanceWarningColor($record))
+                    ->wrap(),
+                Tables\Columns\TextColumn::make('requester.name')
+                    ->label('Requested by')
+                    ->placeholder('—'),
+                Tables\Columns\TextColumn::make('owner.name')
+                    ->label('Owner')
+                    ->placeholder('—'),
+                Tables\Columns\TextColumn::make('review_due_at')
+                    ->label('Review due')
+                    ->dateTime()
+                    ->placeholder('—')
+                    ->sortable()
+                    ->description(fn (FindingException $record): ?string => static::relativeTimeDescription($record->review_due_at)),
+                Tables\Columns\TextColumn::make('expires_at')
+                    ->label('Expires')
+                    ->dateTime()
+                    ->placeholder('—')
+                    ->sortable()
+                    ->description(fn (FindingException $record): ?string => static::relativeTimeDescription($record->expires_at)),
+                Tables\Columns\TextColumn::make('requested_at')
+                    ->label('Requested')
+                    ->dateTime()
+                    ->sortable(),
+            ])
+            ->filters([
+                SelectFilter::make('status')
+                    ->options(FilterOptionCatalog::findingExceptionStatuses()),
+                SelectFilter::make('current_validity_state')
+                    ->label('Validity')
+                    ->options(FilterOptionCatalog::findingExceptionValidityStates()),
+                SelectFilter::make('finding_severity')
+                    ->label('Finding severity')
+                    ->options(FilterOptionCatalog::findingSeverities())
+                    ->query(fn (Builder $query, array $data): Builder => filled($data['value'])
+                        ? $query->whereHas('finding', fn (Builder $q) => $q->where('severity', $data['value']))
+                        : $query),
+            ])
+            ->actions([
+                Action::make('renew_exception')
+                    ->label('Renew exception')
+                    ->icon('heroicon-o-arrow-path')
+                    ->color('warning')
+                    ->visible(fn (FindingException $record): bool => static::canManageRecord($record) && $record->canBeRenewed())
+                    ->requiresConfirmation()
+                    ->form([
+                        Select::make('owner_user_id')
+                            ->label('Owner')
+                            ->required()
+                            ->options(fn (): array => static::tenantMemberOptions())
+                            ->searchable(),
+                        Textarea::make('request_reason')
+                            ->label('Renewal reason')
+                            ->rows(4)
+                            ->required()
+                            ->maxLength(2000),
+                        DateTimePicker::make('review_due_at')
+                            ->label('Review due at')
+                            ->required()
+                            ->seconds(false),
+                        DateTimePicker::make('expires_at')
+                            ->label('Requested expiry')
+                            ->seconds(false),
+                        Repeater::make('evidence_references')
+                            ->label('Evidence references')
+                            ->schema([
+                                TextInput::make('label')
+                                    ->label('Label')
+                                    ->required()
+                                    ->maxLength(255),
+                                TextInput::make('source_type')
+                                    ->label('Source type')
+                                    ->required()
+                                    ->maxLength(255),
+                                TextInput::make('source_id')
+                                    ->label('Source ID')
+                                    ->maxLength(255),
+                                TextInput::make('source_fingerprint')
+                                    ->label('Fingerprint')
+                                    ->maxLength(255),
+                                DateTimePicker::make('measured_at')
+                                    ->label('Measured at')
+                                    ->seconds(false),
+                            ])
+                            ->defaultItems(0)
+                            ->collapsed(),
+                    ])
+                    ->action(function (FindingException $record, array $data, FindingExceptionService $service): void {
+                        $user = auth()->user();
+
+                        if (! $user instanceof User || ! $record->tenant instanceof Tenant) {
+                            abort(404);
+                        }
+
+                        try {
+                            $service->renew($record, $user, $data);
+                        } catch (InvalidArgumentException $exception) {
+                            Notification::make()
+                                ->title('Renewal request failed')
+                                ->body($exception->getMessage())
+                                ->danger()
+                                ->send();
+
+                            return;
+                        }
+
+                        Notification::make()
+                            ->title('Renewal request submitted')
+                            ->success()
+                            ->send();
+                    }),
+                Action::make('revoke_exception')
+                    ->label('Revoke exception')
+                    ->icon('heroicon-o-no-symbol')
+                    ->color('danger')
+                    ->visible(fn (FindingException $record): bool => static::canManageRecord($record) && $record->canBeRevoked())
+                    ->requiresConfirmation()
+                    ->form([
+                        Textarea::make('revocation_reason')
+                            ->label('Revocation reason')
+                            ->rows(4)
+                            ->required()
+                            ->maxLength(2000),
+                    ])
+                    ->action(function (FindingException $record, array $data, FindingExceptionService $service): void {
+                        $user = auth()->user();
+
+                        if (! $user instanceof User) {
+                            abort(404);
+                        }
+
+                        try {
+                            $service->revoke($record, $user, $data);
+                        } catch (InvalidArgumentException $exception) {
+                            Notification::make()
+                                ->title('Exception revocation failed')
+                                ->body($exception->getMessage())
+                                ->danger()
+                                ->send();
+
+                            return;
+                        }
+
+                        Notification::make()
+                            ->title('Exception revoked')
+                            ->success()
+                            ->send();
+                    }),
+            ])
+            ->bulkActions([])
+            ->emptyStateHeading('No exceptions match this view')
+            ->emptyStateDescription('Exception requests are created from finding detail when a governed risk acceptance review is needed.')
+            ->emptyStateIcon('heroicon-o-shield-exclamation')
+            ->emptyStateActions([
+                Action::make('open_findings')
+                    ->label('Open findings')
+                    ->icon('heroicon-o-arrow-top-right-on-square')
+                    ->color('gray')
+                    ->url(fn (): string => FindingResource::getUrl('index')),
+            ]);
+    }
+
+    public static function getPages(): array
+    {
+        return [
+            'index' => Pages\ListFindingExceptions::route('/'),
+            'view' => Pages\ViewFindingException::route('/{record}'),
+        ];
+    }
+
+    /**
+     * @return array<int, string|array<int|string, mixed>>
+     */
+    private static function relationshipsForView(): array
+    {
+        return [
+            'tenant',
+            'requester',
+            'owner',
+            'approver',
+            'currentDecision',
+            'decisions.actor',
+            'evidenceReferences',
+            'finding' => fn ($query) => $query->withSubjectDisplayName(),
+        ];
+    }
+
+    /**
+     * @return array<int, string>
+     */
+    private static function tenantMemberOptions(): array
+    {
+        $tenant = static::resolveTenantContextForCurrentPanel();
+
+        if (! $tenant instanceof Tenant) {
+            return [];
+        }
+
+        return \App\Models\TenantMembership::query()
+            ->where('tenant_id', (int) $tenant->getKey())
+            ->join('users', 'users.id', '=', 'tenant_memberships.user_id')
+            ->orderBy('users.name')
+            ->pluck('users.name', 'users.id')
+            ->mapWithKeys(fn (string $name, int|string $id): array => [(int) $id => $name])
+            ->all();
+    }
+
+    private static function findingSummary(FindingException $record): string
+    {
+        $finding = $record->finding;
+
+        if (! $finding instanceof \App\Models\Finding) {
+            return 'Finding #'.$record->finding_id;
+        }
+
+        $displayName = $finding->resolvedSubjectDisplayName();
+        $findingType = $finding->finding_type;
+
+        $parts = [];
+
+        if (is_string($displayName) && trim($displayName) !== '') {
+            $parts[] = trim($displayName);
+        }
+
+        if (is_string($findingType) && trim($findingType) !== '') {
+            $label = str_replace('_', ' ', trim($findingType));
+            $parts[] = '('.ucfirst($label).')';
+        }
+
+        if ($parts !== []) {
+            return implode(' ', $parts);
+        }
+
+        return 'Finding #'.$record->finding_id;
+    }
+
+    public static function relativeTimeDescription(mixed $date): ?string
+    {
+        if (! $date instanceof \DateTimeInterface) {
+            return null;
+        }
+
+        $carbon = \Illuminate\Support\Carbon::instance($date);
+
+        if ($carbon->isToday()) {
+            return 'Today';
+        }
+
+        if ($carbon->isPast()) {
+            return $carbon->diffForHumans();
+        }
+
+        if ($carbon->isTomorrow()) {
+            return 'Tomorrow';
+        }
+
+        $daysUntil = (int) now()->startOfDay()->diffInDays($carbon->startOfDay());
+
+        if ($daysUntil <= 14) {
+            return 'In '.$daysUntil.' days';
+        }
+
+        return $carbon->diffForHumans();
+    }
+
+    private static function canManageRecord(FindingException $record): bool
+    {
+        $user = auth()->user();
+
+        return $user instanceof User
+            && $record->tenant instanceof Tenant
+            && $user->canAccessTenant($record->tenant)
+            && $user->can(Capabilities::FINDING_EXCEPTION_MANAGE, $record->tenant);
+    }
+
+    private static function governanceWarning(FindingException $record): ?string
+    {
+        $finding = $record->relationLoaded('finding')
+            ? $record->finding
+            : $record->finding()->withSubjectDisplayName()->first();
+
+        if (! $finding instanceof \App\Models\Finding) {
+            return null;
+        }
+
+        return app(FindingRiskGovernanceResolver::class)->resolveWarningMessage($finding, $record);
+    }
+
+    private static function governanceWarningColor(FindingException $record): string
+    {
+        $finding = $record->relationLoaded('finding')
+            ? $record->finding
+            : $record->finding()->withSubjectDisplayName()->first();
+
+        if ((string) $record->current_validity_state === FindingException::VALIDITY_EXPIRING) {
+            return 'warning';
+        }
+
+        if ($finding instanceof \App\Models\Finding && $record->requiresFreshDecisionForFinding($finding)) {
+            return 'warning';
+        }
+
+        return 'danger';
+    }
+
+    public static function canAccessApprovalQueueForTenant(?Tenant $tenant = null): bool
+    {
+        $tenant ??= static::resolveTenantContextForCurrentPanel();
+        $user = auth()->user();
+
+        if (! $tenant instanceof Tenant || ! $user instanceof User) {
+            return false;
+        }
+
+        $workspace = Workspace::query()->whereKey($tenant->workspace_id)->first();
+
+        if (! $workspace instanceof Workspace) {
+            return false;
+        }
+
+        /** @var WorkspaceCapabilityResolver $resolver */
+        $resolver = app(WorkspaceCapabilityResolver::class);
+
+        return $resolver->isMember($user, $workspace)
+            && $resolver->can($user, $workspace, Capabilities::FINDING_EXCEPTION_APPROVE);
+    }
+
+    public static function approvalQueueUrl(?Tenant $tenant = null): ?string
+    {
+        $tenant ??= static::resolveTenantContextForCurrentPanel();
+
+        if (! $tenant instanceof Tenant) {
+            return null;
+        }
+
+        return route('admin.finding-exceptions.open-queue', [
+            'tenant' => (string) $tenant->external_id,
+        ]);
+    }
+}

app/Filament/Resources/FindingExceptionResource/Pages/ListFindingExceptions.php

@@ -0,0 +1,76 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Resources\FindingExceptionResource\Pages;
+
+use App\Filament\Resources\FindingExceptionResource;
+use App\Filament\Resources\FindingResource;
+use App\Filament\Widgets\Tenant\FindingExceptionStatsOverview;
+use App\Models\FindingException;
+use Filament\Actions\Action;
+use Filament\Resources\Pages\ListRecords;
+use Filament\Schemas\Components\Tabs\Tab;
+use Illuminate\Database\Eloquent\Builder;
+
+class ListFindingExceptions extends ListRecords
+{
+    protected static string $resource = FindingExceptionResource::class;
+
+    protected function getHeaderWidgets(): array
+    {
+        return [
+            FindingExceptionStatsOverview::class,
+        ];
+    }
+
+    /**
+     * @return array<string, Tab>
+     */
+    public function getTabs(): array
+    {
+        $stats = FindingExceptionResource::exceptionStatsForCurrentTenant();
+        $needsAction = $stats['pending'] + $stats['expiring'] + $stats['expired'];
+
+        return [
+            'all' => Tab::make('All')
+                ->icon('heroicon-m-list-bullet'),
+            'needs_action' => Tab::make('Needs action')
+                ->icon('heroicon-m-exclamation-triangle')
+                ->modifyQueryUsing(fn (Builder $query) => $query->whereIn('status', [
+                    FindingException::STATUS_PENDING,
+                    FindingException::STATUS_EXPIRING,
+                    FindingException::STATUS_EXPIRED,
+                ]))
+                ->badge($needsAction > 0 ? $needsAction : null)
+                ->badgeColor('warning'),
+            'active' => Tab::make('Active')
+                ->icon('heroicon-m-check-badge')
+                ->modifyQueryUsing(fn (Builder $query) => $query->where('status', FindingException::STATUS_ACTIVE)),
+            'historical' => Tab::make('Historical')
+                ->icon('heroicon-m-archive-box')
+                ->modifyQueryUsing(fn (Builder $query) => $query->whereIn('status', [
+                    FindingException::STATUS_REJECTED,
+                    FindingException::STATUS_REVOKED,
+                    FindingException::STATUS_SUPERSEDED,
+                ])),
+        ];
+    }
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            Action::make('open_findings')
+                ->label('Open findings')
+                ->icon('heroicon-o-arrow-top-right-on-square')
+                ->color('gray')
+                ->url(FindingResource::getUrl('index')),
+            Action::make('open_approval_queue')
+                ->label('Open approval queue')
+                ->icon('heroicon-o-arrow-top-right-on-square')
+                ->color('gray')
+                ->visible(fn (): bool => FindingExceptionResource::canAccessApprovalQueueForTenant())
+                ->url(fn (): ?string => FindingExceptionResource::approvalQueueUrl()),
+        ];
+    }
+}

app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php

@@ -0,0 +1,225 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Resources\FindingExceptionResource\Pages;
+
+use App\Filament\Resources\FindingExceptionResource;
+use App\Filament\Resources\FindingResource;
+use App\Models\FindingException;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Services\Findings\FindingExceptionService;
+use App\Support\Auth\Capabilities;
+use Filament\Actions\Action;
+use Filament\Forms\Components\DateTimePicker;
+use Filament\Forms\Components\Repeater;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\Textarea;
+use Filament\Forms\Components\TextInput;
+use Filament\Notifications\Notification;
+use Filament\Resources\Pages\ViewRecord;
+use Illuminate\Database\Eloquent\Model;
+use InvalidArgumentException;
+
+class ViewFindingException extends ViewRecord
+{
+    protected static string $resource = FindingExceptionResource::class;
+
+    protected function resolveRecord(int|string $key): Model
+    {
+        return FindingExceptionResource::resolveScopedRecordOrFail($key);
+    }
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            Action::make('open_finding')
+                ->label('Open finding')
+                ->icon('heroicon-o-arrow-top-right-on-square')
+                ->color('gray')
+                ->url(function (): ?string {
+                    $record = $this->getRecord();
+
+                    if (! $record instanceof FindingException || ! $record->finding || ! $record->tenant) {
+                        return null;
+                    }
+
+                    return FindingResource::getUrl('view', ['record' => $record->finding], panel: 'tenant', tenant: $record->tenant);
+                }),
+            Action::make('open_approval_queue')
+                ->label('Open approval queue')
+                ->icon('heroicon-o-arrow-top-right-on-square')
+                ->color('gray')
+                ->visible(function (): bool {
+                    $record = $this->getRecord();
+
+                    return $record instanceof FindingException
+                        && FindingExceptionResource::canAccessApprovalQueueForTenant($record->tenant);
+                })
+                ->url(function (): ?string {
+                    $record = $this->getRecord();
+
+                    return $record instanceof FindingException
+                        ? FindingExceptionResource::approvalQueueUrl($record->tenant)
+                        : null;
+                }),
+            Action::make('renew_exception')
+                ->label('Renew exception')
+                ->icon('heroicon-o-arrow-path')
+                ->color('warning')
+                ->visible(fn (): bool => $this->canManageRecord() && $this->getRecord() instanceof FindingException && $this->getRecord()->canBeRenewed())
+                ->fillForm(fn (): array => [
+                    'owner_user_id' => $this->getRecord() instanceof FindingException ? $this->getRecord()->owner_user_id : null,
+                ])
+                ->requiresConfirmation()
+                ->form([
+                    Select::make('owner_user_id')
+                        ->label('Owner')
+                        ->required()
+                        ->options(fn (): array => FindingExceptionResource::canViewAny() ? $this->tenantMemberOptions() : [])
+                        ->searchable(),
+                    Textarea::make('request_reason')
+                        ->label('Renewal reason')
+                        ->rows(4)
+                        ->required()
+                        ->maxLength(2000),
+                    DateTimePicker::make('review_due_at')
+                        ->label('Review due at')
+                        ->required()
+                        ->seconds(false),
+                    DateTimePicker::make('expires_at')
+                        ->label('Requested expiry')
+                        ->seconds(false),
+                    Repeater::make('evidence_references')
+                        ->label('Evidence references')
+                        ->schema([
+                            TextInput::make('label')
+                                ->label('Label')
+                                ->required()
+                                ->maxLength(255),
+                            TextInput::make('source_type')
+                                ->label('Source type')
+                                ->required()
+                                ->maxLength(255),
+                            TextInput::make('source_id')
+                                ->label('Source ID')
+                                ->maxLength(255),
+                            TextInput::make('source_fingerprint')
+                                ->label('Fingerprint')
+                                ->maxLength(255),
+                            DateTimePicker::make('measured_at')
+                                ->label('Measured at')
+                                ->seconds(false),
+                        ])
+                        ->defaultItems(0)
+                        ->collapsed(),
+                ])
+                ->action(function (array $data, FindingExceptionService $service): void {
+                    $record = $this->getRecord();
+                    $user = auth()->user();
+
+                    if (! $record instanceof FindingException || ! $user instanceof User) {
+                        abort(404);
+                    }
+
+                    try {
+                        $service->renew($record, $user, $data);
+                    } catch (InvalidArgumentException $exception) {
+                        Notification::make()
+                            ->title('Renewal request failed')
+                            ->body($exception->getMessage())
+                            ->danger()
+                            ->send();
+
+                        return;
+                    }
+
+                    Notification::make()
+                        ->title('Renewal request submitted')
+                        ->success()
+                        ->send();
+
+                    $this->refreshFormData(['status', 'current_validity_state', 'review_due_at']);
+                }),
+            Action::make('revoke_exception')
+                ->label('Revoke exception')
+                ->icon('heroicon-o-no-symbol')
+                ->color('danger')
+                ->visible(fn (): bool => $this->canManageRecord() && $this->getRecord() instanceof FindingException && $this->getRecord()->canBeRevoked())
+                ->requiresConfirmation()
+                ->form([
+                    Textarea::make('revocation_reason')
+                        ->label('Revocation reason')
+                        ->rows(4)
+                        ->required()
+                        ->maxLength(2000),
+                ])
+                ->action(function (array $data, FindingExceptionService $service): void {
+                    $record = $this->getRecord();
+                    $user = auth()->user();
+
+                    if (! $record instanceof FindingException || ! $user instanceof User) {
+                        abort(404);
+                    }
+
+                    try {
+                        $service->revoke($record, $user, $data);
+                    } catch (InvalidArgumentException $exception) {
+                        Notification::make()
+                            ->title('Exception revocation failed')
+                            ->body($exception->getMessage())
+                            ->danger()
+                            ->send();
+
+                        return;
+                    }
+
+                    Notification::make()
+                        ->title('Exception revoked')
+                        ->success()
+                        ->send();
+
+                    $this->refreshFormData(['status', 'current_validity_state', 'revocation_reason', 'revoked_at']);
+                }),
+        ];
+    }
+
+    /**
+     * @return array<int, string>
+     */
+    private function tenantMemberOptions(): array
+    {
+        $record = $this->getRecord();
+
+        if (! $record instanceof FindingException) {
+            return [];
+        }
+
+        $tenant = $record->tenant;
+
+        if (! $tenant instanceof Tenant) {
+            return [];
+        }
+
+        return \App\Models\TenantMembership::query()
+            ->where('tenant_id', (int) $tenant->getKey())
+            ->join('users', 'users.id', '=', 'tenant_memberships.user_id')
+            ->orderBy('users.name')
+            ->pluck('users.name', 'users.id')
+            ->mapWithKeys(fn (string $name, int|string $id): array => [(int) $id => $name])
+            ->all();
+    }
+
+    private function canManageRecord(): bool
+    {
+        $record = $this->getRecord();
+        $user = auth()->user();
+
+        return $record instanceof FindingException
+            && $record->tenant instanceof Tenant
+            && $user instanceof User
+            && $user->canAccessTenant($record->tenant)
+            && $user->can(Capabilities::FINDING_EXCEPTION_MANAGE, $record->tenant);
+    }
+}

app/Filament/Resources/FindingResource/Pages/ListFindings.php

@@ -2,8 +2,10 @@
 
 namespace App\Filament\Resources\FindingResource\Pages;
 
+use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Filament\Resources\FindingResource;
 use App\Filament\Widgets\Tenant\BaselineCompareCoverageBanner;
+use App\Filament\Widgets\Tenant\FindingStatsOverview;
 use App\Jobs\BackfillFindingLifecycleJob;
 use App\Models\Finding;
 use App\Models\Tenant;
@@ -11,6 +13,7 @@
 use App\Services\Findings\FindingWorkflowService;
 use App\Services\OperationRunService;
 use App\Support\Auth\Capabilities;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
 use App\Support\OperationRunLinks;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
@@ -20,18 +23,82 @@
 use Filament\Forms\Components\TextInput;
 use Filament\Notifications\Notification;
 use Filament\Resources\Pages\ListRecords;
+use Filament\Schemas\Components\Tabs\Tab;
 use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\ModelNotFoundException;
 use Illuminate\Support\Arr;
 use Throwable;
 
 class ListFindings extends ListRecords
 {
+    use ResolvesPanelTenantContext;
+
     protected static string $resource = FindingResource::class;
 
+    /**
+     * @param  array<string, mixed>  $arguments
+     * @param  array<string, mixed>  $context
+     */
+    public function mountAction(string $name, array $arguments = [], array $context = []): mixed
+    {
+        if (($context['table'] ?? false) === true && filled($context['recordKey'] ?? null) && in_array($name, ['triage', 'start_progress', 'assign', 'resolve', 'close', 'request_exception', 'reopen'], true)) {
+            try {
+                FindingResource::resolveScopedRecordOrFail($context['recordKey']);
+            } catch (ModelNotFoundException) {
+                abort(404);
+            }
+        }
+
+        return parent::mountAction($name, $arguments, $context);
+    }
+
+    public function mount(): void
+    {
+        $this->syncCanonicalAdminTenantFilterState();
+
+        parent::mount();
+    }
+
     protected function getHeaderWidgets(): array
     {
         return [
             BaselineCompareCoverageBanner::class,
+            FindingStatsOverview::class,
+        ];
+    }
+
+    /**
+     * @return array<string, Tab>
+     */
+    public function getTabs(): array
+    {
+        $stats = FindingResource::findingStatsForCurrentTenant();
+
+        return [
+            'all' => Tab::make('All')
+                ->icon('heroicon-m-list-bullet'),
+            'needs_action' => Tab::make('Needs action')
+                ->icon('heroicon-m-exclamation-triangle')
+                ->modifyQueryUsing(fn (Builder $query): Builder => $query
+                    ->whereIn('status', Finding::openStatusesForQuery()))
+                ->badge($stats['open'] > 0 ? $stats['open'] : null)
+                ->badgeColor('warning'),
+            'overdue' => Tab::make('Overdue')
+                ->icon('heroicon-m-clock')
+                ->modifyQueryUsing(fn (Builder $query): Builder => $query
+                    ->whereIn('status', Finding::openStatusesForQuery())
+                    ->whereNotNull('due_at')
+                    ->where('due_at', '<', now()))
+                ->badge($stats['overdue'] > 0 ? $stats['overdue'] : null)
+                ->badgeColor('danger'),
+            'risk_accepted' => Tab::make('Risk accepted')
+                ->icon('heroicon-m-shield-check')
+                ->modifyQueryUsing(fn (Builder $query): Builder => $query
+                    ->where('status', Finding::STATUS_RISK_ACCEPTED)),
+            'resolved' => Tab::make('Resolved')
+                ->icon('heroicon-m-archive-box')
+                ->modifyQueryUsing(fn (Builder $query): Builder => $query
+                    ->whereIn('status', [Finding::STATUS_RESOLVED, Finding::STATUS_CLOSED])),
         ];
     }
 
@@ -55,7 +122,7 @@ protected function getHeaderActions(): array
                             abort(403);
                         }
 
-                        $tenant = \Filament\Facades\Filament::getTenant();
+                        $tenant = static::resolveTenantContextForCurrentPanel();
 
                         if (! $tenant instanceof Tenant) {
                             abort(404);
@@ -161,7 +228,7 @@ protected function getHeaderActions(): array
                     }
 
                     $user = auth()->user();
-                    $tenant = \Filament\Facades\Filament::getTenant();
+                    $tenant = static::resolveTenantContextForCurrentPanel();
 
                     if (! $user instanceof User) {
                         abort(403);
@@ -230,15 +297,7 @@ protected function getHeaderActions(): array
 
     protected function buildAllMatchingQuery(): Builder
     {
-        $query = Finding::query();
-
-        $tenantId = \Filament\Facades\Filament::getTenant()?->getKey();
-
-        if (! is_numeric($tenantId)) {
-            return $query->whereRaw('1 = 0');
-        }
-
-        $query->where('tenant_id', (int) $tenantId);
+        $query = FindingResource::getEloquentQuery();
 
         $query->where('status', Finding::STATUS_NEW);
 
@@ -288,6 +347,16 @@ protected function buildAllMatchingQuery(): Builder
         return $query;
     }
 
+    private function syncCanonicalAdminTenantFilterState(): void
+    {
+        app(CanonicalAdminTenantFilterState::class)->sync(
+            $this->getTableFiltersSessionKey(),
+            tenantSensitiveFilters: ['scope_key', 'run_ids'],
+            request: request(),
+            tenantFilterName: null,
+        );
+    }
+
     private function filterIsActive(string $filterName): bool
     {
         $state = $this->getTableFilterState($filterName);

app/Filament/Resources/FindingResource/Pages/ViewFinding.php

@@ -2,17 +2,25 @@
 
 namespace App\Filament\Resources\FindingResource\Pages;
 
+use App\Filament\Resources\FindingExceptionResource;
 use App\Filament\Resources\FindingResource;
+use App\Models\Finding;
 use App\Support\Navigation\CrossResourceNavigationMatrix;
 use App\Support\Navigation\RelatedNavigationResolver;
 use Filament\Actions;
 use Filament\Resources\Pages\ViewRecord;
 use Illuminate\Contracts\Support\Htmlable;
+use Illuminate\Database\Eloquent\Model;
 
 class ViewFinding extends ViewRecord
 {
     protected static string $resource = FindingResource::class;
 
+    protected function resolveRecord(int|string $key): Model
+    {
+        return FindingResource::resolveScopedRecordOrFail($key);
+    }
+
     protected function getHeaderActions(): array
     {
         return [
@@ -24,6 +32,23 @@ protected function getHeaderActions(): array
                 ->hidden(fn (): bool => ! (app(RelatedNavigationResolver::class)
                     ->primaryListAction(CrossResourceNavigationMatrix::SOURCE_FINDING, $this->getRecord())?->isAvailable() ?? false))
                 ->color('gray'),
+            Actions\Action::make('open_approval_queue')
+                ->label('Open approval queue')
+                ->icon('heroicon-o-arrow-top-right-on-square')
+                ->color('gray')
+                ->visible(function (): bool {
+                    $record = $this->getRecord();
+
+                    return $record instanceof Finding
+                        && FindingExceptionResource::canAccessApprovalQueueForTenant($record->tenant);
+                })
+                ->url(function (): ?string {
+                    $record = $this->getRecord();
+
+                    return $record instanceof Finding
+                        ? FindingExceptionResource::approvalQueueUrl($record->tenant)
+                        : null;
+                }),
             Actions\ActionGroup::make(FindingResource::workflowActions())
                 ->label('Actions')
                 ->icon('heroicon-o-ellipsis-vertical')

app/Filament/Resources/InventoryItemResource.php

@@ -3,6 +3,8 @@
 namespace App\Filament\Resources;
 
 use App\Filament\Clusters\Inventory\InventoryCluster;
+use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
+use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Filament\Resources\InventoryItemResource\Pages;
 use App\Models\InventoryItem;
 use App\Models\Tenant;
@@ -23,6 +25,7 @@
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use BackedEnum;
+use Filament\Facades\Filament;
 use Filament\Infolists\Components\TextEntry;
 use Filament\Infolists\Components\ViewEntry;
 use Filament\Resources\Resource;
@@ -36,6 +39,9 @@
 
 class InventoryItemResource extends Resource
 {
+    use InteractsWithTenantOwnedRecords;
+    use ResolvesPanelTenantContext;
+
     protected static ?string $model = InventoryItem::class;
 
     protected static ?string $tenantOwnershipRelationshipName = 'tenant';
@@ -48,6 +54,15 @@ class InventoryItemResource extends Resource
 
     protected static string|UnitEnum|null $navigationGroup = 'Inventory';
 
+    public static function shouldRegisterNavigation(): bool
+    {
+        if (Filament::getCurrentPanel()?->getId() === 'admin') {
+            return false;
+        }
+
+        return parent::shouldRegisterNavigation();
+    }
+
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
         return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::ListOnlyReadOnly)
@@ -60,7 +75,7 @@ public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
 
     public static function canViewAny(): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
         $user = auth()->user();
 
         if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -75,7 +90,7 @@ public static function canViewAny(): bool
 
     public static function canView(Model $record): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
         $user = auth()->user();
 
         if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -175,7 +190,7 @@ public static function infolist(Schema $schema): Schema
 
                                 $service = app(DependencyQueryService::class);
                                 $resolver = app(DependencyTargetResolver::class);
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
 
                                 $edges = collect();
                                 if ($direction === 'inbound' || $direction === 'all') {
@@ -321,13 +336,15 @@ public static function table(Table $table): Table
 
     public static function getEloquentQuery(): Builder
     {
-        $tenantId = Tenant::current()?->getKey();
-
-        return parent::getEloquentQuery()
-            ->when($tenantId, fn (Builder $query) => $query->where('tenant_id', $tenantId))
+        return static::getTenantOwnedEloquentQuery()
             ->with('lastSeenRun');
     }
 
+    public static function resolveScopedRecordOrFail(int|string $key): Model
+    {
+        return static::resolveTenantOwnedRecordOrFail($key, parent::getEloquentQuery()->with('lastSeenRun'));
+    }
+
     public static function getPages(): array
     {
         return [

app/Filament/Resources/InventoryItemResource/Pages/ListInventoryItems.php

@@ -2,6 +2,7 @@
 
 namespace App\Filament\Resources\InventoryItemResource\Pages;
 
+use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Filament\Resources\InventoryItemResource;
 use App\Filament\Widgets\Inventory\InventoryKpiHeader;
 use App\Jobs\RunInventorySyncJob;
@@ -11,6 +12,7 @@
 use App\Services\Inventory\InventorySyncService;
 use App\Services\OperationRunService;
 use App\Support\Auth\Capabilities;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
 use App\Support\Inventory\InventoryPolicyTypeMeta;
 use App\Support\OperationRunLinks;
 use App\Support\OpsUx\OperationUxPresenter;
@@ -28,8 +30,21 @@
 
 class ListInventoryItems extends ListRecords
 {
+    use ResolvesPanelTenantContext;
+
     protected static string $resource = InventoryItemResource::class;
 
+    public function mount(): void
+    {
+        app(CanonicalAdminTenantFilterState::class)->sync(
+            $this->getTableFiltersSessionKey(),
+            request: request(),
+            tenantFilterName: null,
+        );
+
+        parent::mount();
+    }
+
     protected function getHeaderWidgets(): array
     {
         return [
@@ -103,7 +118,7 @@ protected function getHeaderActions(): array
                             ->rules(['boolean'])
                             ->columnSpanFull(),
                         Hidden::make('tenant_id')
-                            ->default(fn (): ?string => Tenant::current()?->getKey())
+                            ->default(fn (): ?string => static::resolveTenantContextForCurrentPanel()?->getKey())
                             ->dehydrated(),
                     ])
                     ->visible(function (): bool {
@@ -112,7 +127,7 @@ protected function getHeaderActions(): array
                             return false;
                         }
 
-                        $tenant = Tenant::current();
+                        $tenant = static::resolveTenantContextForCurrentPanel();
                         if (! $tenant instanceof Tenant) {
                             return false;
                         }
@@ -120,7 +135,7 @@ protected function getHeaderActions(): array
                         return $user->canAccessTenant($tenant);
                     })
                     ->action(function (array $data, self $livewire, InventorySyncService $inventorySyncService, AuditLogger $auditLogger): void {
-                        $tenant = Tenant::current();
+                        $tenant = static::resolveTenantContextForCurrentPanel();
                         $user = auth()->user();
 
                         if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -159,6 +174,8 @@ protected function getHeaderActions(): array
                             ],
                             context: array_merge($computed['selection'], [
                                 'selection_hash' => $computed['selection_hash'],
+                                'execution_authority_mode' => 'actor_bound',
+                                'required_capability' => Capabilities::TENANT_INVENTORY_SYNC_RUN,
                                 'target_scope' => [
                                     'entra_tenant_id' => $tenant->graphTenantId(),
                                 ],

app/Filament/Resources/InventoryItemResource/Pages/ViewInventoryItem.php

@@ -4,8 +4,14 @@
 
 use App\Filament\Resources\InventoryItemResource;
 use Filament\Resources\Pages\ViewRecord;
+use Illuminate\Database\Eloquent\Model;
 
 class ViewInventoryItem extends ViewRecord
 {
     protected static string $resource = InventoryItemResource::class;
+
+    protected function resolveRecord(int|string $key): Model
+    {
+        return InventoryItemResource::resolveScopedRecordOrFail($key);
+    }
 }

app/Filament/Resources/PolicyResource.php

@@ -2,6 +2,9 @@
 
 namespace App\Filament\Resources;
 
+use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
+use App\Filament\Concerns\ResolvesPanelTenantContext;
+use App\Filament\Concerns\ScopesGlobalSearchToTenant;
 use App\Filament\Resources\PolicyResource\Pages;
 use App\Filament\Resources\PolicyResource\RelationManagers\VersionsRelationManager;
 use App\Jobs\BulkPolicyDeleteJob;
@@ -29,11 +32,13 @@
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use BackedEnum;
 use Filament\Actions;
 use Filament\Actions\ActionGroup;
 use Filament\Actions\BulkAction;
 use Filament\Actions\BulkActionGroup;
+use Filament\Facades\Filament;
 use Filament\Forms;
 use Filament\Infolists\Components\TextEntry;
 use Filament\Infolists\Components\ViewEntry;
@@ -52,17 +57,32 @@
 
 class PolicyResource extends Resource
 {
+    use InteractsWithTenantOwnedRecords;
+    use ResolvesPanelTenantContext;
+    use ScopesGlobalSearchToTenant;
+
     protected static ?string $model = Policy::class;
 
     protected static ?string $tenantOwnershipRelationshipName = 'tenant';
 
+    protected static bool $isGloballySearchable = false;
+
     protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-shield-check';
 
     protected static string|UnitEnum|null $navigationGroup = 'Inventory';
 
+    public static function shouldRegisterNavigation(): bool
+    {
+        if (Filament::getCurrentPanel()?->getId() === 'admin') {
+            return false;
+        }
+
+        return parent::shouldRegisterNavigation();
+    }
+
     public static function canViewAny(): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
         $user = auth()->user();
 
         if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -78,11 +98,11 @@ public static function canViewAny(): bool
 
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
-        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
+        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView, ActionSurfaceType::CrudListFirstResource)
             ->satisfy(ActionSurfaceSlot::ListHeader, 'Header action: Sync from Intune.')
-            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ViewAction->value)
-            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Secondary row actions are grouped under "More".')
-            ->satisfy(ActionSurfaceSlot::ListBulkMoreGroup, 'Bulk actions are grouped under "More".')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Secondary row actions are grouped under "More" in helper-first, workflow-next, destructive-last order.')
+            ->satisfy(ActionSurfaceSlot::ListBulkMoreGroup, 'Bulk actions are grouped under "More" in helper-first, workflow-next, destructive-last order.')
             ->satisfy(ActionSurfaceSlot::ListEmptyState, 'List page defines an empty-state CTA.')
             ->satisfy(ActionSurfaceSlot::DetailHeader, 'View page provides header actions when applicable.');
     }
@@ -98,7 +118,7 @@ public static function makeSyncAction(string $name = 'sync'): Actions\Action
                 ->modalHeading('Sync policies from Intune')
                 ->modalDescription('This queues a background sync operation for supported policy types in the current tenant.')
                 ->action(function (Pages\ListPolicies $livewire): void {
-                    $tenant = Tenant::current();
+                    $tenant = static::resolveTenantContextForCurrentPanel();
                     $user = auth()->user();
 
                     if (! $user instanceof User || ! $tenant instanceof Tenant) {
@@ -346,6 +366,7 @@ public static function table(Table $table): Table
             ->persistFiltersInSession()
             ->persistSearchInSession()
             ->persistSortInSession()
+            ->recordUrl(fn (Policy $record): string => static::getUrl('view', ['record' => $record]))
             ->columns([
                 Tables\Columns\TextColumn::make('display_name')
                     ->label('Policy')
@@ -471,109 +492,7 @@ public static function table(Table $table): Table
                         ->all()),
             ])
             ->actions([
-                Actions\ViewAction::make(),
                 ActionGroup::make([
-                    UiEnforcement::forTableAction(
-                        Actions\Action::make('ignore')
-                            ->label('Ignore')
-                            ->icon('heroicon-o-trash')
-                            ->color('danger')
-                            ->requiresConfirmation()
-                            ->visible(fn (Policy $record): bool => $record->ignored_at === null)
-                            ->action(function (Policy $record): void {
-                                $record->ignore();
-
-                                Notification::make()
-                                    ->title('Policy ignored')
-                                    ->success()
-                                    ->send();
-                            }),
-                        fn () => Tenant::current(),
-                    )
-                        ->requireCapability(Capabilities::TENANT_MANAGE)
-                        ->tooltip('You do not have permission to ignore policies.')
-                        ->preserveVisibility()
-                        ->apply(),
-                    UiEnforcement::forTableAction(
-                        Actions\Action::make('restore')
-                            ->label('Restore')
-                            ->icon('heroicon-o-arrow-uturn-left')
-                            ->color('success')
-                            ->requiresConfirmation()
-                            ->visible(fn (Policy $record): bool => $record->ignored_at !== null)
-                            ->action(function (Policy $record): void {
-                                $record->unignore();
-
-                                Notification::make()
-                                    ->title('Policy restored')
-                                    ->success()
-                                    ->send();
-                            }),
-                        fn () => Tenant::current(),
-                    )
-                        ->requireCapability(Capabilities::TENANT_MANAGE)
-                        ->tooltip('You do not have permission to restore policies.')
-                        ->preserveVisibility()
-                        ->apply(),
-                    UiEnforcement::forTableAction(
-                        Actions\Action::make('sync')
-                            ->label('Sync')
-                            ->icon('heroicon-o-arrow-path')
-                            ->color('primary')
-                            ->requiresConfirmation()
-                            ->visible(fn (Policy $record): bool => $record->ignored_at === null)
-                            ->action(function (Policy $record, HasTable $livewire): void {
-                                $tenant = Tenant::current();
-                                $user = auth()->user();
-
-                                if (! $tenant instanceof Tenant) {
-                                    abort(404);
-                                }
-
-                                if (! $user instanceof User) {
-                                    abort(403);
-                                }
-
-                                /** @var OperationRunService $opService */
-                                $opService = app(OperationRunService::class);
-                                $opRun = $opService->ensureRun(
-                                    tenant: $tenant,
-                                    type: 'policy.sync_one',
-                                    inputs: [
-                                        'scope' => 'one',
-                                        'policy_id' => (int) $record->getKey(),
-                                    ],
-                                    initiator: $user
-                                );
-
-                                if (! $opRun->wasRecentlyCreated && in_array($opRun->status, ['queued', 'running'], true)) {
-                                    OpsUxBrowserEvents::dispatchRunEnqueued($livewire);
-                                    OperationUxPresenter::alreadyQueuedToast((string) $opRun->type)
-                                        ->actions([
-                                            Actions\Action::make('view_run')
-                                                ->label('View run')
-                                                ->url(OperationRunLinks::view($opRun, $tenant)),
-                                        ])
-                                        ->send();
-
-                                    return;
-                                }
-
-                                SyncPoliciesJob::dispatch((int) $tenant->getKey(), null, [(int) $record->getKey()], $opRun);
-                                OpsUxBrowserEvents::dispatchRunEnqueued($livewire);
-                                OperationUxPresenter::queuedToast((string) $opRun->type)
-                                    ->actions([
-                                        Actions\Action::make('view_run')
-                                            ->label('View run')
-                                            ->url(OperationRunLinks::view($opRun, $tenant)),
-                                    ])
-                                    ->send();
-                            }),
-                        fn () => Tenant::current(),
-                    )
-                        ->requireCapability(Capabilities::TENANT_SYNC)
-                        ->preserveVisibility()
-                        ->apply(),
                     UiEnforcement::forTableAction(
                         Actions\Action::make('export')
                             ->label('Export to Backup')
@@ -586,7 +505,7 @@ public static function table(Table $table): Table
                                     ->default(fn () => 'Backup '.now()->toDateTimeString()),
                             ])
                             ->action(function (Policy $record, array $data): void {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
 
                                 if (! $tenant instanceof Tenant) {
@@ -639,213 +558,21 @@ public static function table(Table $table): Table
                                     ])
                                     ->send();
                             }),
-                        fn () => Tenant::current(),
+                        fn () => static::resolveTenantContextForCurrentPanel(),
                     )
                         ->requireCapability(Capabilities::TENANT_MANAGE)
                         ->preserveVisibility()
                         ->apply(),
-                ])
-                    ->label('More')
-                    ->icon('heroicon-o-ellipsis-vertical'),
-            ])
-            ->bulkActions([
-                BulkActionGroup::make([
-                    UiEnforcement::forBulkAction(
-                        BulkAction::make('bulk_delete')
-                            ->label('Ignore Policies')
-                            ->icon('heroicon-o-trash')
-                            ->color('danger')
-                            ->requiresConfirmation()
-                            ->hidden(function (HasTable $livewire): bool {
-                                $visibilityFilterState = $livewire->getTableFilterState('visibility') ?? [];
-                                $value = $visibilityFilterState['value'] ?? null;
-
-                                return $value === 'ignored';
-                            })
-                            ->form(function (Collection $records) {
-                                if ($records->count() >= 20) {
-                                    return [
-                                        Forms\Components\TextInput::make('confirmation')
-                                            ->label('Type DELETE to confirm')
-                                            ->required()
-                                            ->in(['DELETE'])
-                                            ->validationMessages([
-                                                'in' => 'Please type DELETE to confirm.',
-                                            ]),
-                                    ];
-                                }
-
-                                return [];
-                            })
-                            ->action(function (Collection $records, HasTable $livewire): void {
-                                $tenant = Tenant::current();
-                                $user = auth()->user();
-                                $count = $records->count();
-                                $ids = $records->pluck('id')->toArray();
-
-                                if (! $tenant instanceof Tenant || ! $user instanceof User) {
-                                    return;
-                                }
-
-                                /** @var BulkSelectionIdentity $selection */
-                                $selection = app(BulkSelectionIdentity::class);
-
-                                $selectionIdentity = $selection->fromIds($ids);
-
-                                /** @var OperationRunService $runs */
-                                $runs = app(OperationRunService::class);
-
-                                $opRun = $runs->enqueueBulkOperation(
-                                    tenant: $tenant,
-                                    type: 'policy.delete',
-                                    targetScope: [
-                                        'entra_tenant_id' => (string) ($tenant->tenant_id ?? $tenant->external_id),
-                                    ],
-                                    selectionIdentity: $selectionIdentity,
-                                    dispatcher: function ($operationRun) use ($tenant, $user, $ids): void {
-                                        BulkPolicyDeleteJob::dispatch(
-                                            tenantId: (int) $tenant->getKey(),
-                                            userId: (int) $user->getKey(),
-                                            policyIds: $ids,
-                                            operationRun: $operationRun,
-                                        );
-                                    },
-                                    initiator: $user,
-                                    extraContext: [
-                                        'policy_count' => $count,
-                                    ],
-                                    emitQueuedNotification: false,
-                                );
-
-                                $runUrl = OperationRunLinks::view($opRun, $tenant);
-
-                                OpsUxBrowserEvents::dispatchRunEnqueued($livewire);
-
-                                if (! $opRun->wasRecentlyCreated && in_array($opRun->status, ['queued', 'running'], true)) {
-                                    OperationUxPresenter::alreadyQueuedToast((string) $opRun->type)
-                                        ->body("Queued deletion for {$count} policies.")
-                                        ->actions([
-                                            \Filament\Actions\Action::make('view_run')
-                                                ->label('View run')
-                                                ->url($runUrl),
-                                        ])
-                                        ->send();
-
-                                    return;
-                                }
-
-                                OperationUxPresenter::queuedToast((string) $opRun->type)
-                                    ->body("Queued deletion for {$count} policies.")
-                                    ->actions([
-                                        \Filament\Actions\Action::make('view_run')
-                                            ->label('View run')
-                                            ->url($runUrl),
-                                    ])
-                                    ->send();
-                            })
-                            ->deselectRecordsAfterCompletion(),
-                    )
-                        ->requireCapability(Capabilities::TENANT_MANAGE)
-                        ->apply(),
-
-                    UiEnforcement::forBulkAction(
-                        BulkAction::make('bulk_restore')
-                            ->label('Restore Policies')
-                            ->icon('heroicon-o-arrow-uturn-left')
-                            ->color('success')
-                            ->requiresConfirmation()
-                            ->hidden(function (HasTable $livewire): bool {
-                                $visibilityFilterState = $livewire->getTableFilterState('visibility') ?? [];
-                                $value = $visibilityFilterState['value'] ?? null;
-
-                                return ! in_array($value, [null, 'ignored'], true);
-                            })
-                            ->action(function (Collection $records, HasTable $livewire): void {
-                                $tenant = Tenant::current();
-                                $user = auth()->user();
-                                $count = $records->count();
-                                $ids = $records->pluck('id')->toArray();
-
-                                if (! $tenant instanceof Tenant) {
-                                    abort(404);
-                                }
-
-                                if (! $user instanceof User) {
-                                    abort(403);
-                                }
-
-                                /** @var BulkSelectionIdentity $selection */
-                                $selection = app(BulkSelectionIdentity::class);
-
-                                $selectionIdentity = $selection->fromIds($ids);
-
-                                /** @var OperationRunService $runs */
-                                $runs = app(OperationRunService::class);
-
-                                $opRun = $runs->enqueueBulkOperation(
-                                    tenant: $tenant,
-                                    type: 'policy.unignore',
-                                    targetScope: [
-                                        'entra_tenant_id' => (string) ($tenant->tenant_id ?? $tenant->external_id),
-                                    ],
-                                    selectionIdentity: $selectionIdentity,
-                                    dispatcher: function ($operationRun) use ($tenant, $user, $ids, $count): void {
-                                        if ($count >= 20) {
-                                            BulkPolicyUnignoreJob::dispatch(
-                                                tenantId: (int) $tenant->getKey(),
-                                                userId: (int) $user->getKey(),
-                                                policyIds: $ids,
-                                                operationRun: $operationRun,
-                                            );
-
-                                            return;
-                                        }
-
-                                        BulkPolicyUnignoreJob::dispatchSync(
-                                            tenantId: (int) $tenant->getKey(),
-                                            userId: (int) $user->getKey(),
-                                            policyIds: $ids,
-                                            operationRun: $operationRun,
-                                        );
-                                    },
-                                    initiator: $user,
-                                    extraContext: [
-                                        'policy_count' => $count,
-                                    ],
-                                    emitQueuedNotification: false,
-                                );
-
-                                OpsUxBrowserEvents::dispatchRunEnqueued($livewire);
-
-                                OperationUxPresenter::queuedToast((string) $opRun->type)
-                                    ->actions([
-                                        Actions\Action::make('view_run')
-                                            ->label('View run')
-                                            ->url(OperationRunLinks::view($opRun, $tenant)),
-                                    ])
-                                    ->send();
-                            })
-                            ->deselectRecordsAfterCompletion(),
-                    )
-                        ->requireCapability(Capabilities::TENANT_MANAGE)
-                        ->apply(),
-
-                    UiEnforcement::forBulkAction(
-                        BulkAction::make('bulk_sync')
-                            ->label('Sync Policies')
+                    UiEnforcement::forTableAction(
+                        Actions\Action::make('sync')
+                            ->label('Sync')
                             ->icon('heroicon-o-arrow-path')
                             ->color('primary')
                             ->requiresConfirmation()
-                            ->hidden(function (HasTable $livewire): bool {
-                                $visibilityFilterState = $livewire->getTableFilterState('visibility') ?? [];
-                                $value = $visibilityFilterState['value'] ?? null;
-
-                                return $value === 'ignored';
-                            })
-                            ->action(function (Collection $records, HasTable $livewire): void {
-                                $tenant = Tenant::current();
+                            ->visible(fn (Policy $record): bool => $record->ignored_at === null)
+                            ->action(function (Policy $record, HasTable $livewire): void {
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
-                                $count = $records->count();
 
                                 if (! $tenant instanceof Tenant) {
                                     abort(404);
@@ -855,22 +582,14 @@ public static function table(Table $table): Table
                                     abort(403);
                                 }
 
-                                $ids = $records
-                                    ->pluck('id')
-                                    ->map(static fn ($id): int => (int) $id)
-                                    ->unique()
-                                    ->sort()
-                                    ->values()
-                                    ->all();
-
                                 /** @var OperationRunService $opService */
                                 $opService = app(OperationRunService::class);
                                 $opRun = $opService->ensureRun(
                                     tenant: $tenant,
-                                    type: 'policy.sync',
+                                    type: 'policy.sync_one',
                                     inputs: [
-                                        'scope' => 'subset',
-                                        'policy_ids' => $ids,
+                                        'scope' => 'one',
+                                        'policy_id' => (int) $record->getKey(),
                                     ],
                                     initiator: $user
                                 );
@@ -888,7 +607,7 @@ public static function table(Table $table): Table
                                     return;
                                 }
 
-                                SyncPoliciesJob::dispatch((int) $tenant->getKey(), null, $ids, $opRun);
+                                SyncPoliciesJob::dispatch((int) $tenant->getKey(), null, [(int) $record->getKey()], $opRun);
                                 OpsUxBrowserEvents::dispatchRunEnqueued($livewire);
                                 OperationUxPresenter::queuedToast((string) $opRun->type)
                                     ->actions([
@@ -897,12 +616,60 @@ public static function table(Table $table): Table
                                             ->url(OperationRunLinks::view($opRun, $tenant)),
                                     ])
                                     ->send();
-                            })
-                            ->deselectRecordsAfterCompletion(),
+                            }),
+                        fn () => static::resolveTenantContextForCurrentPanel(),
                     )
                         ->requireCapability(Capabilities::TENANT_SYNC)
+                        ->preserveVisibility()
                         ->apply(),
+                    UiEnforcement::forTableAction(
+                        Actions\Action::make('restore')
+                            ->label('Restore')
+                            ->icon('heroicon-o-arrow-uturn-left')
+                            ->color('success')
+                            ->requiresConfirmation()
+                            ->visible(fn (Policy $record): bool => $record->ignored_at !== null)
+                            ->action(function (Policy $record): void {
+                                $record->unignore();
 
+                                Notification::make()
+                                    ->title('Policy restored')
+                                    ->success()
+                                    ->send();
+                            }),
+                        fn () => static::resolveTenantContextForCurrentPanel(),
+                    )
+                        ->requireCapability(Capabilities::TENANT_MANAGE)
+                        ->tooltip('You do not have permission to restore policies.')
+                        ->preserveVisibility()
+                        ->apply(),
+                    UiEnforcement::forTableAction(
+                        Actions\Action::make('ignore')
+                            ->label('Ignore')
+                            ->icon('heroicon-o-trash')
+                            ->color('danger')
+                            ->requiresConfirmation()
+                            ->visible(fn (Policy $record): bool => $record->ignored_at === null)
+                            ->action(function (Policy $record): void {
+                                $record->ignore();
+
+                                Notification::make()
+                                    ->title('Policy ignored')
+                                    ->success()
+                                    ->send();
+                            }),
+                        fn () => static::resolveTenantContextForCurrentPanel(),
+                    )
+                        ->requireCapability(Capabilities::TENANT_MANAGE)
+                        ->tooltip('You do not have permission to ignore policies.')
+                        ->preserveVisibility()
+                        ->apply(),
+                ])
+                    ->label('More')
+                    ->icon('heroicon-o-ellipsis-vertical'),
+            ])
+            ->bulkActions([
+                BulkActionGroup::make([
                     UiEnforcement::forBulkAction(
                         BulkAction::make('bulk_export')
                             ->label('Export to Backup')
@@ -914,7 +681,7 @@ public static function table(Table $table): Table
                                     ->default(fn () => 'Backup '.now()->toDateTimeString()),
                             ])
                             ->action(function (Collection $records, array $data): void {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
                                 $count = $records->count();
                                 $ids = $records->pluck('id')->toArray();
@@ -983,6 +750,255 @@ public static function table(Table $table): Table
                     )
                         ->requireCapability(Capabilities::TENANT_MANAGE)
                         ->apply(),
+                    UiEnforcement::forBulkAction(
+                        BulkAction::make('bulk_sync')
+                            ->label('Sync Policies')
+                            ->icon('heroicon-o-arrow-path')
+                            ->color('primary')
+                            ->requiresConfirmation()
+                            ->hidden(function (HasTable $livewire): bool {
+                                $visibilityFilterState = $livewire->getTableFilterState('visibility') ?? [];
+                                $value = $visibilityFilterState['value'] ?? null;
+
+                                return $value === 'ignored';
+                            })
+                            ->action(function (Collection $records, HasTable $livewire): void {
+                                $tenant = static::resolveTenantContextForCurrentPanel();
+                                $user = auth()->user();
+
+                                if (! $tenant instanceof Tenant) {
+                                    abort(404);
+                                }
+
+                                if (! $user instanceof User) {
+                                    abort(403);
+                                }
+
+                                $ids = $records
+                                    ->pluck('id')
+                                    ->map(static fn ($id): int => (int) $id)
+                                    ->unique()
+                                    ->sort()
+                                    ->values()
+                                    ->all();
+
+                                /** @var OperationRunService $opService */
+                                $opService = app(OperationRunService::class);
+                                $opRun = $opService->ensureRun(
+                                    tenant: $tenant,
+                                    type: 'policy.sync',
+                                    inputs: [
+                                        'scope' => 'subset',
+                                        'policy_ids' => $ids,
+                                    ],
+                                    initiator: $user
+                                );
+
+                                if (! $opRun->wasRecentlyCreated && in_array($opRun->status, ['queued', 'running'], true)) {
+                                    OpsUxBrowserEvents::dispatchRunEnqueued($livewire);
+                                    OperationUxPresenter::alreadyQueuedToast((string) $opRun->type)
+                                        ->actions([
+                                            Actions\Action::make('view_run')
+                                                ->label('View run')
+                                                ->url(OperationRunLinks::view($opRun, $tenant)),
+                                        ])
+                                        ->send();
+
+                                    return;
+                                }
+
+                                SyncPoliciesJob::dispatch((int) $tenant->getKey(), null, $ids, $opRun);
+                                OpsUxBrowserEvents::dispatchRunEnqueued($livewire);
+                                OperationUxPresenter::queuedToast((string) $opRun->type)
+                                    ->actions([
+                                        Actions\Action::make('view_run')
+                                            ->label('View run')
+                                            ->url(OperationRunLinks::view($opRun, $tenant)),
+                                    ])
+                                    ->send();
+                            })
+                            ->deselectRecordsAfterCompletion(),
+                    )
+                        ->requireCapability(Capabilities::TENANT_SYNC)
+                        ->apply(),
+                    UiEnforcement::forBulkAction(
+                        BulkAction::make('bulk_restore')
+                            ->label('Restore Policies')
+                            ->icon('heroicon-o-arrow-uturn-left')
+                            ->color('success')
+                            ->requiresConfirmation()
+                            ->hidden(function (HasTable $livewire): bool {
+                                $visibilityFilterState = $livewire->getTableFilterState('visibility') ?? [];
+                                $value = $visibilityFilterState['value'] ?? null;
+
+                                return ! in_array($value, [null, 'ignored'], true);
+                            })
+                            ->action(function (Collection $records, HasTable $livewire): void {
+                                $tenant = static::resolveTenantContextForCurrentPanel();
+                                $user = auth()->user();
+                                $count = $records->count();
+                                $ids = $records->pluck('id')->toArray();
+
+                                if (! $tenant instanceof Tenant) {
+                                    abort(404);
+                                }
+
+                                if (! $user instanceof User) {
+                                    abort(403);
+                                }
+
+                                /** @var BulkSelectionIdentity $selection */
+                                $selection = app(BulkSelectionIdentity::class);
+
+                                $selectionIdentity = $selection->fromIds($ids);
+
+                                /** @var OperationRunService $runs */
+                                $runs = app(OperationRunService::class);
+
+                                $opRun = $runs->enqueueBulkOperation(
+                                    tenant: $tenant,
+                                    type: 'policy.unignore',
+                                    targetScope: [
+                                        'entra_tenant_id' => (string) ($tenant->tenant_id ?? $tenant->external_id),
+                                    ],
+                                    selectionIdentity: $selectionIdentity,
+                                    dispatcher: function ($operationRun) use ($tenant, $user, $ids, $count): void {
+                                        if ($count >= 20) {
+                                            BulkPolicyUnignoreJob::dispatch(
+                                                tenantId: (int) $tenant->getKey(),
+                                                userId: (int) $user->getKey(),
+                                                policyIds: $ids,
+                                                operationRun: $operationRun,
+                                            );
+
+                                            return;
+                                        }
+
+                                        BulkPolicyUnignoreJob::dispatchSync(
+                                            tenantId: (int) $tenant->getKey(),
+                                            userId: (int) $user->getKey(),
+                                            policyIds: $ids,
+                                            operationRun: $operationRun,
+                                        );
+                                    },
+                                    initiator: $user,
+                                    extraContext: [
+                                        'policy_count' => $count,
+                                    ],
+                                    emitQueuedNotification: false,
+                                );
+
+                                OpsUxBrowserEvents::dispatchRunEnqueued($livewire);
+
+                                OperationUxPresenter::queuedToast((string) $opRun->type)
+                                    ->actions([
+                                        Actions\Action::make('view_run')
+                                            ->label('View run')
+                                            ->url(OperationRunLinks::view($opRun, $tenant)),
+                                    ])
+                                    ->send();
+                            })
+                            ->deselectRecordsAfterCompletion(),
+                    )
+                        ->requireCapability(Capabilities::TENANT_MANAGE)
+                        ->apply(),
+                    UiEnforcement::forBulkAction(
+                        BulkAction::make('bulk_delete')
+                            ->label('Ignore Policies')
+                            ->icon('heroicon-o-trash')
+                            ->color('danger')
+                            ->requiresConfirmation()
+                            ->hidden(function (HasTable $livewire): bool {
+                                $visibilityFilterState = $livewire->getTableFilterState('visibility') ?? [];
+                                $value = $visibilityFilterState['value'] ?? null;
+
+                                return $value === 'ignored';
+                            })
+                            ->form(function (Collection $records) {
+                                if ($records->count() >= 20) {
+                                    return [
+                                        Forms\Components\TextInput::make('confirmation')
+                                            ->label('Type DELETE to confirm')
+                                            ->required()
+                                            ->in(['DELETE'])
+                                            ->validationMessages([
+                                                'in' => 'Please type DELETE to confirm.',
+                                            ]),
+                                    ];
+                                }
+
+                                return [];
+                            })
+                            ->action(function (Collection $records, HasTable $livewire): void {
+                                $tenant = static::resolveTenantContextForCurrentPanel();
+                                $user = auth()->user();
+                                $count = $records->count();
+                                $ids = $records->pluck('id')->toArray();
+
+                                if (! $tenant instanceof Tenant || ! $user instanceof User) {
+                                    return;
+                                }
+
+                                /** @var BulkSelectionIdentity $selection */
+                                $selection = app(BulkSelectionIdentity::class);
+
+                                $selectionIdentity = $selection->fromIds($ids);
+
+                                /** @var OperationRunService $runs */
+                                $runs = app(OperationRunService::class);
+
+                                $opRun = $runs->enqueueBulkOperation(
+                                    tenant: $tenant,
+                                    type: 'policy.delete',
+                                    targetScope: [
+                                        'entra_tenant_id' => (string) ($tenant->tenant_id ?? $tenant->external_id),
+                                    ],
+                                    selectionIdentity: $selectionIdentity,
+                                    dispatcher: function ($operationRun) use ($tenant, $user, $ids): void {
+                                        BulkPolicyDeleteJob::dispatch(
+                                            tenantId: (int) $tenant->getKey(),
+                                            userId: (int) $user->getKey(),
+                                            policyIds: $ids,
+                                            operationRun: $operationRun,
+                                        );
+                                    },
+                                    initiator: $user,
+                                    extraContext: [
+                                        'policy_count' => $count,
+                                    ],
+                                    emitQueuedNotification: false,
+                                );
+
+                                $runUrl = OperationRunLinks::view($opRun, $tenant);
+
+                                OpsUxBrowserEvents::dispatchRunEnqueued($livewire);
+
+                                if (! $opRun->wasRecentlyCreated && in_array($opRun->status, ['queued', 'running'], true)) {
+                                    OperationUxPresenter::alreadyQueuedToast((string) $opRun->type)
+                                        ->body("Queued deletion for {$count} policies.")
+                                        ->actions([
+                                            \Filament\Actions\Action::make('view_run')
+                                                ->label('View run')
+                                                ->url($runUrl),
+                                        ])
+                                        ->send();
+
+                                    return;
+                                }
+
+                                OperationUxPresenter::queuedToast((string) $opRun->type)
+                                    ->body("Queued deletion for {$count} policies.")
+                                    ->actions([
+                                        \Filament\Actions\Action::make('view_run')
+                                            ->label('View run')
+                                            ->url($runUrl),
+                                    ])
+                                    ->send();
+                            })
+                            ->deselectRecordsAfterCompletion(),
+                    )
+                        ->requireCapability(Capabilities::TENANT_MANAGE)
+                        ->apply(),
                 ])->label('More'),
             ])
             ->emptyStateHeading('No policies synced yet')
@@ -995,16 +1011,25 @@ public static function table(Table $table): Table
 
     public static function getEloquentQuery(): Builder
     {
-        $tenantId = Tenant::currentOrFail()->getKey();
-
-        return parent::getEloquentQuery()
-            ->when($tenantId, fn (Builder $query) => $query->where('tenant_id', $tenantId))
+        return static::getTenantOwnedEloquentQuery()
             ->withCount('versions')
             ->with([
                 'versions' => fn ($query) => $query->orderByDesc('captured_at')->limit(1),
             ]);
     }
 
+    public static function resolveScopedRecordOrFail(int|string $key): \Illuminate\Database\Eloquent\Model
+    {
+        return static::resolveTenantOwnedRecordOrFail(
+            $key,
+            parent::getEloquentQuery()
+                ->withCount('versions')
+                ->with([
+                    'versions' => fn ($query) => $query->orderByDesc('captured_at')->limit(1),
+                ]),
+        );
+    }
+
     public static function getRelations(): array
     {
         return [

app/Filament/Resources/PolicyResource/Pages/ListPolicies.php

@@ -3,12 +3,20 @@
 namespace App\Filament\Resources\PolicyResource\Pages;
 
 use App\Filament\Resources\PolicyResource;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
 use Filament\Resources\Pages\ListRecords;
 
 class ListPolicies extends ListRecords
 {
     protected static string $resource = PolicyResource::class;
 
+    public function mount(): void
+    {
+        $this->syncCanonicalAdminTenantFilterState();
+
+        parent::mount();
+    }
+
     protected function getHeaderActions(): array
     {
         return [
@@ -22,4 +30,14 @@ protected function getTableEmptyStateActions(): array
             PolicyResource::makeSyncAction(),
         ];
     }
+
+    private function syncCanonicalAdminTenantFilterState(): void
+    {
+        app(CanonicalAdminTenantFilterState::class)->sync(
+            $this->getTableFiltersSessionKey(),
+            tenantSensitiveFilters: [],
+            request: request(),
+            tenantFilterName: null,
+        );
+    }
 }

app/Filament/Resources/PolicyResource/Pages/ViewPolicy.php

@@ -16,6 +16,7 @@
 use Filament\Notifications\Notification;
 use Filament\Resources\Pages\ViewRecord;
 use Filament\Support\Enums\Width;
+use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Str;
 
 class ViewPolicy extends ViewRecord
@@ -24,6 +25,11 @@ class ViewPolicy extends ViewRecord
 
     protected Width|string|null $maxContentWidth = Width::Full;
 
+    protected function resolveRecord(int|string $key): Model
+    {
+        return PolicyResource::resolveScopedRecordOrFail($key);
+    }
+
     protected function getActions(): array
     {
         return [$this->makeCaptureSnapshotAction()];

app/Filament/Resources/PolicyResource/RelationManagers/VersionsRelationManager.php

@@ -2,7 +2,10 @@
 
 namespace App\Filament\Resources\PolicyResource\RelationManagers;
 
+use App\Filament\Concerns\ResolvesPanelTenantContext;
+use App\Filament\Resources\PolicyVersionResource;
 use App\Filament\Resources\RestoreRunResource;
+use App\Models\Policy;
 use App\Models\PolicyVersion;
 use App\Models\Tenant;
 use App\Models\User;
@@ -26,14 +29,29 @@
 
 class VersionsRelationManager extends RelationManager
 {
+    use ResolvesPanelTenantContext;
+
     protected static string $relationship = 'versions';
 
+    /**
+     * @param  array<string, mixed>  $arguments
+     * @param  array<string, mixed>  $context
+     */
+    public function mountAction(string $name, array $arguments = [], array $context = []): mixed
+    {
+        if (($context['table'] ?? false) === true && $name === 'restore_to_intune' && filled($context['recordKey'] ?? null)) {
+            $this->resolveOwnerScopedVersionRecord($this->getOwnerRecord(), $context['recordKey']);
+        }
+
+        return parent::mountAction($name, $arguments, $context);
+    }
+
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
         return ActionSurfaceDeclaration::forRelationManager(ActionSurfaceProfile::RelationManager)
             ->exempt(ActionSurfaceSlot::ListHeader, 'Versions sub-list intentionally has no header actions.')
-            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ViewAction->value)
-            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Only two row actions are present, so no secondary row menu is needed.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Clickable-row inspection stays primary while restore remains the only inline row shortcut.')
             ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Bulk actions are intentionally omitted for version restore safety.')
             ->exempt(ActionSurfaceSlot::ListEmptyState, 'No inline empty-state action is exposed in this embedded relation manager.');
     }
@@ -52,8 +70,9 @@ public function table(Table $table): Table
                     ->label('Preview only (dry-run)')
                     ->default(true),
             ])
-            ->action(function (PolicyVersion $record, array $data, RestoreService $restoreService) {
-                $tenant = Tenant::current();
+            ->action(function (mixed $record, array $data, RestoreService $restoreService) {
+                $record = $this->resolveOwnerScopedVersionRecord($this->getOwnerRecord(), $record);
+                $tenant = static::resolveTenantContextForCurrentPanel();
                 $user = auth()->user();
 
                 if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -110,7 +129,7 @@ public function table(Table $table): Table
                     return true;
                 }
 
-                $tenant = Tenant::current();
+                $tenant = static::resolveTenantContextForCurrentPanel();
                 $user = auth()->user();
 
                 if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -130,7 +149,7 @@ public function table(Table $table): Table
                     return 'Disabled for metadata-only snapshots (Graph did not provide policy settings).';
                 }
 
-                $tenant = Tenant::current();
+                $tenant = static::resolveTenantContextForCurrentPanel();
                 $user = auth()->user();
 
                 if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -163,16 +182,36 @@ public function table(Table $table): Table
             ])
             ->defaultSort('version_number', 'desc')
             ->paginated(\App\Support\Filament\TablePaginationProfiles::relationManager())
+            ->recordUrl(fn (PolicyVersion $record): string => PolicyVersionResource::getUrl('view', ['record' => $record]))
             ->filters([])
             ->headerActions([])
             ->actions([
                 $restoreToIntune,
-                Actions\ViewAction::make()
-                    ->url(fn ($record) => \App\Filament\Resources\PolicyVersionResource::getUrl('view', ['record' => $record]))
-                    ->openUrlInNewTab(false),
             ])
             ->bulkActions([])
             ->emptyStateHeading('No versions captured')
             ->emptyStateDescription('Capture or sync this policy again to create version history entries.');
     }
+
+    private function resolveOwnerScopedVersionRecord(Policy $policy, mixed $record): PolicyVersion
+    {
+        $recordId = $record instanceof PolicyVersion
+            ? (int) $record->getKey()
+            : (is_numeric($record) ? (int) $record : 0);
+
+        if ($recordId <= 0) {
+            abort(404);
+        }
+
+        $resolvedRecord = $policy->versions()
+            ->where('tenant_id', (int) $policy->tenant_id)
+            ->whereKey($recordId)
+            ->first();
+
+        if (! $resolvedRecord instanceof PolicyVersion) {
+            abort(404);
+        }
+
+        return $resolvedRecord;
+    }
 }

app/Filament/Resources/PolicyVersionResource.php

@@ -2,6 +2,9 @@
 
 namespace App\Filament\Resources;
 
+use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
+use App\Filament\Concerns\ResolvesPanelTenantContext;
+use App\Filament\Concerns\ScopesGlobalSearchToTenant;
 use App\Filament\Resources\PolicyVersionResource\Pages;
 use App\Jobs\BulkPolicyVersionForceDeleteJob;
 use App\Jobs\BulkPolicyVersionPruneJob;
@@ -39,6 +42,7 @@
 use Filament\Actions;
 use Filament\Actions\BulkAction;
 use Filament\Actions\BulkActionGroup;
+use Filament\Facades\Filament;
 use Filament\Forms;
 use Filament\Infolists;
 use Filament\Notifications\Notification;
@@ -57,17 +61,32 @@
 
 class PolicyVersionResource extends Resource
 {
+    use InteractsWithTenantOwnedRecords;
+    use ResolvesPanelTenantContext;
+    use ScopesGlobalSearchToTenant;
+
     protected static ?string $model = PolicyVersion::class;
 
     protected static ?string $tenantOwnershipRelationshipName = 'tenant';
 
+    protected static bool $isGloballySearchable = false;
+
     protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-list-bullet';
 
     protected static string|UnitEnum|null $navigationGroup = 'Inventory';
 
+    public static function shouldRegisterNavigation(): bool
+    {
+        if (Filament::getCurrentPanel()?->getId() === 'admin') {
+            return false;
+        }
+
+        return parent::shouldRegisterNavigation();
+    }
+
     public static function canViewAny(): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
         $user = auth()->user();
 
         if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -274,7 +293,7 @@ public static function table(Table $table): Table
                 return $fields;
             })
             ->action(function (Collection $records, array $data) {
-                $tenant = Tenant::current();
+                $tenant = static::resolveTenantContextForCurrentPanel();
                 $user = auth()->user();
                 $count = $records->count();
                 $ids = $records->pluck('id')->toArray();
@@ -353,7 +372,7 @@ public static function table(Table $table): Table
             ->modalHeading(fn (Collection $records) => "Restore {$records->count()} policy versions?")
             ->modalDescription('Archived versions will be restored back to the active list. Active versions will be skipped.')
             ->action(function (Collection $records) {
-                $tenant = Tenant::current();
+                $tenant = static::resolveTenantContextForCurrentPanel();
                 $user = auth()->user();
                 $count = $records->count();
                 $ids = $records->pluck('id')->toArray();
@@ -437,7 +456,7 @@ public static function table(Table $table): Table
                     ]),
             ])
             ->action(function (Collection $records, array $data) {
-                $tenant = Tenant::current();
+                $tenant = static::resolveTenantContextForCurrentPanel();
                 $user = auth()->user();
                 $count = $records->count();
                 $ids = $records->pluck('id')->toArray();
@@ -546,7 +565,7 @@ public static function table(Table $table): Table
                             ->modalHeading(fn (PolicyVersion $record): string => "Restore version {$record->version_number} via wizard?")
                             ->modalSubheading('Creates a 1-item backup set from this snapshot and opens the restore run wizard prefilled.')
                             ->visible(function (): bool {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
 
                                 if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -563,7 +582,7 @@ public static function table(Table $table): Table
                                     return true;
                                 }
 
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
 
                                 if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -580,7 +599,7 @@ public static function table(Table $table): Table
                                 return ! $resolver->can($user, $tenant, Capabilities::TENANT_MANAGE);
                             })
                             ->tooltip(function (PolicyVersion $record): ?string {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
 
                                 if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -605,7 +624,7 @@ public static function table(Table $table): Table
                                 return null;
                             })
                             ->action(function (PolicyVersion $record) {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
 
                                 if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -877,8 +896,7 @@ public static function table(Table $table): Table
 
     public static function getEloquentQuery(): Builder
     {
-        $tenant = Tenant::currentOrFail();
-        $tenantId = $tenant->getKey();
+        $tenant = static::resolveTenantContextForCurrentPanelOrFail();
         $user = auth()->user();
 
         $resolver = app(CapabilityResolver::class);
@@ -888,8 +906,7 @@ public static function getEloquentQuery(): Builder
                 || $resolver->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW)
             );
 
-        return parent::getEloquentQuery()
-            ->when($tenantId, fn (Builder $query) => $query->where('tenant_id', $tenantId))
+        return static::getTenantOwnedEloquentQuery()
             ->when(! $canSeeBaselinePurposeEvidence, function (Builder $query): Builder {
                 return $query->where(function (Builder $query): void {
                     $query
@@ -903,6 +920,36 @@ public static function getEloquentQuery(): Builder
             ->with('policy');
     }
 
+    public static function resolveScopedRecordOrFail(int|string $key): \Illuminate\Database\Eloquent\Model
+    {
+        $tenant = static::resolveTenantContextForCurrentPanelOrFail();
+        $user = auth()->user();
+
+        $resolver = app(CapabilityResolver::class);
+        $canSeeBaselinePurposeEvidence = $user instanceof User
+            && (
+                $resolver->can($user, $tenant, Capabilities::TENANT_SYNC)
+                || $resolver->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW)
+            );
+
+        return static::resolveTenantOwnedRecordOrFail(
+            $key,
+            parent::getEloquentQuery()
+                ->withTrashed()
+                ->when(! $canSeeBaselinePurposeEvidence, function (Builder $query): Builder {
+                    return $query->where(function (Builder $query): void {
+                        $query
+                            ->whereNull('capture_purpose')
+                            ->orWhereNotIn('capture_purpose', [
+                                PolicyVersionCapturePurpose::BaselineCapture->value,
+                                PolicyVersionCapturePurpose::BaselineCompare->value,
+                            ]);
+                    });
+                })
+                ->with('policy'),
+        );
+    }
+
     /**
      * @return list<array{
      *     key: string,

app/Filament/Resources/PolicyVersionResource/Pages/ListPolicyVersions.php

@@ -3,12 +3,24 @@
 namespace App\Filament\Resources\PolicyVersionResource\Pages;
 
 use App\Filament\Resources\PolicyVersionResource;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
 use Filament\Resources\Pages\ListRecords;
 
 class ListPolicyVersions extends ListRecords
 {
     protected static string $resource = PolicyVersionResource::class;
 
+    public function mount(): void
+    {
+        app(CanonicalAdminTenantFilterState::class)->sync(
+            $this->getTableFiltersSessionKey(),
+            request: request(),
+            tenantFilterName: null,
+        );
+
+        parent::mount();
+    }
+
     protected function getHeaderActions(): array
     {
         return [];

app/Filament/Resources/PolicyVersionResource/Pages/ViewPolicyVersion.php

@@ -4,11 +4,13 @@
 
 use App\Filament\Resources\PolicyVersionResource;
 use App\Support\Navigation\CrossResourceNavigationMatrix;
+use App\Support\Navigation\RelatedContextEntry;
 use App\Support\Navigation\RelatedNavigationResolver;
 use Filament\Actions\Action;
 use Filament\Resources\Pages\ViewRecord;
 use Filament\Support\Enums\Width;
 use Illuminate\Contracts\View\View;
+use Illuminate\Database\Eloquent\Model;
 
 class ViewPolicyVersion extends ViewRecord
 {
@@ -16,16 +18,18 @@ class ViewPolicyVersion extends ViewRecord
 
     protected Width|string|null $maxContentWidth = Width::Full;
 
+    protected function resolveRecord(int|string $key): Model
+    {
+        return PolicyVersionResource::resolveScopedRecordOrFail($key);
+    }
+
     protected function getHeaderActions(): array
     {
         return [
             Action::make('primary_related')
-                ->label(fn (): string => app(RelatedNavigationResolver::class)
-                    ->primaryListAction(CrossResourceNavigationMatrix::SOURCE_POLICY_VERSION, $this->getRecord())?->actionLabel ?? 'Open related record')
-                ->url(fn (): ?string => app(RelatedNavigationResolver::class)
-                    ->primaryListAction(CrossResourceNavigationMatrix::SOURCE_POLICY_VERSION, $this->getRecord())?->targetUrl)
-                ->hidden(fn (): bool => ! (app(RelatedNavigationResolver::class)
-                    ->primaryListAction(CrossResourceNavigationMatrix::SOURCE_POLICY_VERSION, $this->getRecord())?->isAvailable() ?? false))
+                ->label(fn (): string => $this->primaryRelatedEntry()?->actionLabel ?? 'Open related record')
+                ->url(fn (): ?string => $this->primaryRelatedEntry()?->targetUrl)
+                ->hidden(fn (): bool => ! ($this->primaryRelatedEntry()?->isAvailable() ?? false))
                 ->color('gray'),
         ];
     }
@@ -36,4 +40,13 @@ public function getFooter(): ?View
             'record' => $this->getRecord(),
         ]);
     }
+
+    private function primaryRelatedEntry(bool $fresh = false): ?RelatedContextEntry
+    {
+        $resolver = app(RelatedNavigationResolver::class);
+
+        return $fresh
+            ? $resolver->primaryListActionFresh(CrossResourceNavigationMatrix::SOURCE_POLICY_VERSION, $this->getRecord())
+            : $resolver->primaryListAction(CrossResourceNavigationMatrix::SOURCE_POLICY_VERSION, $this->getRecord());
+    }
 }

app/Filament/Resources/ProviderConnectionResource.php

@@ -2,6 +2,7 @@
 
 namespace App\Filament\Resources;
 
+use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Filament\Resources\ProviderConnectionResource\Pages;
 use App\Jobs\ProviderComplianceSnapshotJob;
 use App\Jobs\ProviderInventorySyncJob;
@@ -11,7 +12,7 @@
 use App\Models\User;
 use App\Services\Auth\CapabilityResolver;
 use App\Services\Intune\AuditLogger;
-use App\Services\Providers\CredentialManager;
+use App\Services\Providers\ProviderConnectionMutationService;
 use App\Services\Providers\ProviderOperationStartGate;
 use App\Services\Verification\StartVerification;
 use App\Support\Auth\Capabilities;
@@ -21,6 +22,7 @@
 use App\Support\OperationRunLinks;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
+use App\Support\Providers\ProviderConnectionType;
 use App\Support\Providers\ProviderReasonCodes;
 use App\Support\Rbac\UiEnforcement;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
@@ -30,9 +32,10 @@
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions;
-use Filament\Facades\Filament;
+use Filament\Forms\Components\Placeholder;
 use Filament\Forms\Components\TextInput;
 use Filament\Forms\Components\Toggle;
+use Filament\Infolists;
 use Filament\Notifications\Notification;
 use Filament\Resources\Resource;
 use Filament\Schemas\Components\Section;
@@ -49,6 +52,8 @@
 
 class ProviderConnectionResource extends Resource
 {
+    use ResolvesPanelTenantContext;
+
     protected static bool $isDiscovered = false;
 
     protected static bool $isScopedToTenant = false;
@@ -77,7 +82,7 @@ public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
         return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
             ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions include capability-gated create.')
             ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
-            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Secondary row actions are grouped under "More".')
+            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Edit and provider operations are grouped under "More" while clickable-row view remains primary.')
             ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Provider connections intentionally omit bulk actions.')
             ->satisfy(ActionSurfaceSlot::ListEmptyState, 'List page defines empty-state guidance and CTA.')
             ->exempt(ActionSurfaceSlot::DetailHeader, 'View page has no additional header mutations in this resource.');
@@ -147,9 +152,7 @@ protected static function resolveScopedTenant(): ?Tenant
             return static::resolveTenantByExternalId($contextTenantExternalId);
         }
 
-        $filamentTenant = Filament::getTenant();
-
-        return $filamentTenant instanceof Tenant ? $filamentTenant : null;
+        return static::resolveTenantContextForCurrentPanel();
     }
 
     public static function resolveTenantForRecord(?ProviderConnection $record = null): ?Tenant
@@ -196,10 +199,10 @@ public static function resolveContextTenantExternalId(): ?string
             }
         }
 
-        $filamentTenant = Filament::getTenant();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
-        if ($filamentTenant instanceof Tenant) {
-            return (string) $filamentTenant->external_id;
+        if ($tenant instanceof Tenant) {
+            return (string) $tenant->external_id;
         }
 
         return null;
@@ -329,10 +332,10 @@ private static function applyMembershipScope(Builder $query): Builder
         $user = auth()->user();
 
         if (! is_int($workspaceId)) {
-            $filamentTenant = Filament::getTenant();
+            $tenant = static::resolveTenantContextForCurrentPanel();
 
-            if ($filamentTenant instanceof Tenant) {
-                $workspaceId = (int) $filamentTenant->workspace_id;
+            if ($tenant instanceof Tenant) {
+                $workspaceId = (int) $tenant->workspace_id;
             }
         }
 
@@ -401,6 +404,96 @@ private static function sanitizeErrorMessage(?string $value): ?string
         return Str::limit($normalized, 120);
     }
 
+    private static function providerConnectionTypeLabel(?ProviderConnection $record): string
+    {
+        $connectionType = $record?->connection_type;
+
+        if ($connectionType instanceof ProviderConnectionType && $connectionType === ProviderConnectionType::Dedicated) {
+            return 'Dedicated connection';
+        }
+
+        return 'Platform connection';
+    }
+
+    private static function effectiveAppId(?ProviderConnection $record): string
+    {
+        $effectiveAppId = $record?->effectiveAppId();
+
+        return filled($effectiveAppId) ? (string) $effectiveAppId : 'Effective app pending review';
+    }
+
+    private static function credentialSourceLabel(?ProviderConnection $record): string
+    {
+        if (! $record instanceof ProviderConnection) {
+            return 'Managed centrally by platform';
+        }
+
+        $effectiveApp = $record->effectiveAppMetadata();
+
+        return match ($effectiveApp['source'] ?? null) {
+            'dedicated_credential' => 'Dedicated credential',
+            'review_required' => 'Legacy identity review required',
+            default => 'Managed centrally by platform',
+        };
+    }
+
+    private static function migrationReviewLabel(?ProviderConnection $record): string
+    {
+        return $record?->requiresMigrationReview() ? 'Review required' : 'Clear';
+    }
+
+    private static function migrationReviewDescription(?ProviderConnection $record): ?string
+    {
+        if (! $record instanceof ProviderConnection) {
+            return null;
+        }
+
+        $metadata = $record->legacyIdentityMetadata();
+        $source = $metadata['legacy_identity_classification_source'] ?? null;
+        $result = $metadata['legacy_identity_result'] ?? null;
+
+        if (! $record->requiresMigrationReview()) {
+            return filled($source) ? sprintf('Classified via %s as %s.', $source, $result ?? 'platform') : null;
+        }
+
+        $signals = $metadata['legacy_identity_signals'] ?? [];
+        $tenantClientId = $signals['tenant_client_id'] ?? null;
+        $credentialClientId = $signals['credential_client_id'] ?? null;
+
+        if (filled($tenantClientId) && filled($credentialClientId)) {
+            return sprintf('Legacy tenant app %s conflicts with dedicated app %s.', $tenantClientId, $credentialClientId);
+        }
+
+        return 'Legacy app evidence conflicts with the current connection and needs explicit review.';
+    }
+
+    private static function consentStatusLabelFromState(mixed $state): string
+    {
+        $value = $state instanceof BackedEnum ? $state->value : (is_string($state) ? $state : 'unknown');
+
+        return match ($value) {
+            'required' => 'Required',
+            'granted' => 'Granted',
+            'failed' => 'Failed',
+            'revoked' => 'Revoked',
+            default => 'Unknown',
+        };
+    }
+
+    private static function verificationStatusLabelFromState(mixed $state): string
+    {
+        $value = $state instanceof BackedEnum ? $state->value : (is_string($state) ? $state : 'unknown');
+
+        return match ($value) {
+            'pending' => 'Pending',
+            'healthy' => 'Healthy',
+            'degraded' => 'Degraded',
+            'blocked' => 'Blocked',
+            'error' => 'Error',
+            default => 'Unknown',
+        };
+    }
+
     public static function form(Schema $schema): Schema
     {
         return $schema
@@ -418,6 +511,15 @@ public static function form(Schema $schema): Schema
                             ->maxLength(255)
                             ->disabled(fn (): bool => ! static::hasTenantCapability(Capabilities::PROVIDER_MANAGE))
                             ->rules(['uuid']),
+                        Placeholder::make('connection_type_display')
+                            ->label('Connection type')
+                            ->content(fn (?ProviderConnection $record): string => static::providerConnectionTypeLabel($record)),
+                        Placeholder::make('platform_app_id_display')
+                            ->label('Effective app ID')
+                            ->content(fn (?ProviderConnection $record): string => static::effectiveAppId($record)),
+                        Placeholder::make('effective_app_source_display')
+                            ->label('Effective app source')
+                            ->content(fn (?ProviderConnection $record): string => static::credentialSourceLabel($record)),
                         Toggle::make('is_default')
                             ->label('Default connection')
                             ->disabled(fn (): bool => ! static::hasTenantCapability(Capabilities::PROVIDER_MANAGE))
@@ -427,6 +529,12 @@ public static function form(Schema $schema): Schema
                     ->columnSpanFull(),
                 Section::make('Status')
                     ->schema([
+                        Placeholder::make('consent_status_display')
+                            ->label('Consent')
+                            ->content(fn (?ProviderConnection $record): string => static::consentStatusLabelFromState($record?->consent_status)),
+                        Placeholder::make('verification_status_display')
+                            ->label('Verification')
+                            ->content(fn (?ProviderConnection $record): string => static::verificationStatusLabelFromState($record?->verification_status)),
                         TextInput::make('status')
                             ->label('Status')
                             ->disabled()
@@ -435,17 +543,69 @@ public static function form(Schema $schema): Schema
                             ->label('Health')
                             ->disabled()
                             ->dehydrated(false),
+                        Placeholder::make('migration_review_status_display')
+                            ->label('Migration review')
+                            ->content(fn (?ProviderConnection $record): string => static::migrationReviewLabel($record))
+                            ->hint(fn (?ProviderConnection $record): ?string => static::migrationReviewDescription($record)),
                     ])
                     ->columns(2)
                     ->columnSpanFull(),
             ]);
     }
 
+    public static function infolist(Schema $schema): Schema
+    {
+        return $schema
+            ->schema([
+                Section::make('Connection')
+                    ->schema([
+                        Infolists\Components\TextEntry::make('display_name')
+                            ->label('Display name'),
+                        Infolists\Components\TextEntry::make('provider')
+                            ->label('Provider'),
+                        Infolists\Components\TextEntry::make('entra_tenant_id')
+                            ->label('Entra tenant ID')
+                            ->copyable(),
+                        Infolists\Components\TextEntry::make('connection_type')
+                            ->label('Connection type')
+                            ->formatStateUsing(fn (?ProviderConnectionType $state): string => $state === ProviderConnectionType::Dedicated
+                                ? 'Dedicated connection'
+                                : 'Platform connection'),
+                        Infolists\Components\TextEntry::make('effective_app_id')
+                            ->label('Effective app ID')
+                            ->state(fn (ProviderConnection $record): string => static::effectiveAppId($record))
+                            ->copyable(),
+                        Infolists\Components\TextEntry::make('effective_app_source')
+                            ->label('Effective app source')
+                            ->state(fn (ProviderConnection $record): string => static::credentialSourceLabel($record)),
+                    ])
+                    ->columns(2),
+                Section::make('Status')
+                    ->schema([
+                        Infolists\Components\TextEntry::make('consent_status')
+                            ->label('Consent')
+                            ->formatStateUsing(fn ($state): string => static::consentStatusLabelFromState($state)),
+                        Infolists\Components\TextEntry::make('verification_status')
+                            ->label('Verification')
+                            ->formatStateUsing(fn ($state): string => static::verificationStatusLabelFromState($state)),
+                        Infolists\Components\TextEntry::make('status')
+                            ->label('Status'),
+                        Infolists\Components\TextEntry::make('health_status')
+                            ->label('Health'),
+                        Infolists\Components\TextEntry::make('migration_review_required')
+                            ->label('Migration review')
+                            ->formatStateUsing(fn (ProviderConnection $record): string => static::migrationReviewLabel($record))
+                            ->tooltip(fn (ProviderConnection $record): ?string => static::migrationReviewDescription($record)),
+                    ])
+                    ->columns(2),
+            ]);
+    }
+
     public static function table(Table $table): Table
     {
         return $table
             ->modifyQueryUsing(function (Builder $query): Builder {
-                $query->with('tenant');
+                $query->with(['tenant', 'credential']);
 
                 $tenantExternalId = static::resolveRequestedTenantExternalId();
 
@@ -488,6 +648,13 @@ public static function table(Table $table): Table
                 Tables\Columns\TextColumn::make('provider')->label('Provider')->toggleable(isToggledHiddenByDefault: true),
                 Tables\Columns\TextColumn::make('entra_tenant_id')->label('Entra tenant ID')->copyable()->toggleable(isToggledHiddenByDefault: true),
                 Tables\Columns\IconColumn::make('is_default')->label('Default')->boolean(),
+                Tables\Columns\TextColumn::make('connection_type')
+                    ->label('Connection type')
+                    ->badge()
+                    ->formatStateUsing(fn (?ProviderConnectionType $state): string => $state === ProviderConnectionType::Dedicated
+                        ? 'Dedicated'
+                        : 'Platform')
+                    ->color(fn (?ProviderConnectionType $state): string => $state === ProviderConnectionType::Dedicated ? 'info' : 'gray'),
                 Tables\Columns\TextColumn::make('status')
                     ->label('Status')
                     ->badge()
@@ -502,6 +669,12 @@ public static function table(Table $table): Table
                     ->color(BadgeRenderer::color(BadgeDomain::ProviderConnectionHealth))
                     ->icon(BadgeRenderer::icon(BadgeDomain::ProviderConnectionHealth))
                     ->iconColor(BadgeRenderer::iconColor(BadgeDomain::ProviderConnectionHealth)),
+                Tables\Columns\TextColumn::make('migration_review_required')
+                    ->label('Migration review')
+                    ->badge()
+                    ->formatStateUsing(fn (bool $state): string => $state ? 'Review required' : 'Clear')
+                    ->color(fn (bool $state): string => $state ? 'warning' : 'success')
+                    ->toggleable(isToggledHiddenByDefault: true),
                 Tables\Columns\TextColumn::make('last_health_check_at')->label('Last check')->since()->sortable(),
                 Tables\Columns\TextColumn::make('last_error_reason_code')
                     ->label('Last error reason')
@@ -651,9 +824,12 @@ public static function table(Table $table): Table
                                         ? (string) $result->run->context['reason_code']
                                         : 'unknown_error';
 
+                                    $reasonEnvelope = app(\App\Support\ReasonTranslation\ReasonPresenter::class)->forOperationRun($result->run, 'notification');
+                                    $bodyLines = $reasonEnvelope?->toBodyLines() ?? ['Blocked by provider configuration.'];
+
                                     Notification::make()
                                         ->title('Connection check blocked')
-                                        ->body("Blocked by provider configuration ({$reasonCode}).")
+                                        ->body(implode("\n", $bodyLines))
                                         ->warning()
                                         ->actions([
                                             Actions\Action::make('view_run')
@@ -748,9 +924,12 @@ public static function table(Table $table): Table
                                         ? (string) $result->run->context['reason_code']
                                         : 'unknown_error';
 
+                                    $reasonEnvelope = app(\App\Support\ReasonTranslation\ReasonPresenter::class)->forOperationRun($result->run, 'notification');
+                                    $bodyLines = $reasonEnvelope?->toBodyLines() ?? ['Blocked by provider configuration.'];
+
                                     Notification::make()
                                         ->title('Inventory sync blocked')
-                                        ->body("Blocked by provider configuration ({$reasonCode}).")
+                                        ->body(implode("\n", $bodyLines))
                                         ->warning()
                                         ->actions([
                                             Actions\Action::make('view_run')
@@ -842,9 +1021,12 @@ public static function table(Table $table): Table
                                         ? (string) $result->run->context['reason_code']
                                         : 'unknown_error';
 
+                                    $reasonEnvelope = app(\App\Support\ReasonTranslation\ReasonPresenter::class)->forOperationRun($result->run, 'notification');
+                                    $bodyLines = $reasonEnvelope?->toBodyLines() ?? ['Blocked by provider configuration.'];
+
                                     Notification::make()
                                         ->title('Compliance snapshot blocked')
-                                        ->body("Blocked by provider configuration ({$reasonCode}).")
+                                        ->body(implode("\n", $bodyLines))
                                         ->warning()
                                         ->actions([
                                             Actions\Action::make('view_run')
@@ -920,31 +1102,32 @@ public static function table(Table $table): Table
                         ->apply(),
 
                     UiEnforcement::forAction(
-                        Actions\Action::make('update_credentials')
-                            ->label('Update credentials')
+                        Actions\Action::make('enable_dedicated_override')
+                            ->label('Enable dedicated override')
                             ->icon('heroicon-o-key')
                             ->color('primary')
                             ->requiresConfirmation()
-                            ->modalDescription('Client secret is stored encrypted and will never be shown again.')
+                            ->modalDescription('Dedicated credentials are stored encrypted and reset consent to the dedicated app registration.')
+                            ->visible(fn (ProviderConnection $record): bool => $record->connection_type !== ProviderConnectionType::Dedicated)
                             ->form([
                                 TextInput::make('client_id')
-                                    ->label('Client ID')
+                                    ->label('Dedicated app (client) ID')
                                     ->required()
                                     ->maxLength(255),
                                 TextInput::make('client_secret')
-                                    ->label('Client secret')
+                                    ->label('Dedicated client secret')
                                     ->password()
                                     ->required()
                                     ->maxLength(255),
                             ])
-                            ->action(function (array $data, ProviderConnection $record, CredentialManager $credentials, AuditLogger $auditLogger): void {
+                            ->action(function (array $data, ProviderConnection $record, ProviderConnectionMutationService $mutations, AuditLogger $auditLogger): void {
                                 $tenant = static::resolveTenantForRecord($record);
 
                                 if (! $tenant instanceof Tenant) {
                                     return;
                                 }
 
-                                $credentials->upsertClientSecretCredential(
+                                $mutations->enableDedicatedOverride(
                                     connection: $record,
                                     clientId: (string) $data['client_id'],
                                     clientSecret: (string) $data['client_secret'],
@@ -957,12 +1140,16 @@ public static function table(Table $table): Table
 
                                 $auditLogger->log(
                                     tenant: $tenant,
-                                    action: 'provider_connection.credentials_updated',
+                                    action: 'provider_connection.connection_type_changed',
                                     context: [
                                         'metadata' => [
+                                            'provider_connection_id' => (int) $record->getKey(),
                                             'provider' => $record->provider,
                                             'entra_tenant_id' => $record->entra_tenant_id,
+                                            'from_connection_type' => ProviderConnectionType::Platform->value,
+                                            'to_connection_type' => ProviderConnectionType::Dedicated->value,
                                             'client_id' => (string) $data['client_id'],
+                                            'source' => 'provider_connection.resource_table',
                                         ],
                                     ],
                                     actorId: $actorId,
@@ -974,12 +1161,138 @@ public static function table(Table $table): Table
                                 );
 
                                 Notification::make()
-                                    ->title('Credentials updated')
+                                    ->title('Dedicated override enabled')
                                     ->success()
                                     ->send();
                             })
                     )
-                        ->requireCapability(Capabilities::PROVIDER_MANAGE)
+                        ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
+                        ->preserveVisibility()
+                        ->apply(),
+
+                    UiEnforcement::forAction(
+                        Actions\Action::make('rotate_dedicated_credential')
+                            ->label('Rotate dedicated credential')
+                            ->icon('heroicon-o-arrow-path')
+                            ->color('primary')
+                            ->requiresConfirmation()
+                            ->visible(fn (ProviderConnection $record): bool => $record->connection_type === ProviderConnectionType::Dedicated)
+                            ->form([
+                                TextInput::make('client_id')
+                                    ->label('Dedicated app (client) ID')
+                                    ->default(function (ProviderConnection $record): string {
+                                        $payload = $record->credential?->payload;
+
+                                        return is_array($payload) ? (string) ($payload['client_id'] ?? '') : '';
+                                    })
+                                    ->required()
+                                    ->maxLength(255),
+                                TextInput::make('client_secret')
+                                    ->label('Dedicated client secret')
+                                    ->password()
+                                    ->required()
+                                    ->maxLength(255),
+                            ])
+                            ->action(function (array $data, ProviderConnection $record, ProviderConnectionMutationService $mutations): void {
+                                $tenant = static::resolveTenantForRecord($record);
+
+                                if (! $tenant instanceof Tenant) {
+                                    return;
+                                }
+
+                                $mutations->enableDedicatedOverride(
+                                    connection: $record,
+                                    clientId: (string) $data['client_id'],
+                                    clientSecret: (string) $data['client_secret'],
+                                );
+
+                                Notification::make()
+                                    ->title('Dedicated credential rotated')
+                                    ->success()
+                                    ->send();
+                            })
+                    )
+                        ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
+                        ->preserveVisibility()
+                        ->apply(),
+
+                    UiEnforcement::forAction(
+                        Actions\Action::make('delete_dedicated_credential')
+                            ->label('Delete dedicated credential')
+                            ->icon('heroicon-o-trash')
+                            ->color('danger')
+                            ->requiresConfirmation()
+                            ->visible(fn (ProviderConnection $record): bool => $record->connection_type === ProviderConnectionType::Dedicated
+                                && $record->credential()->exists())
+                            ->action(function (ProviderConnection $record, ProviderConnectionMutationService $mutations): void {
+                                $tenant = static::resolveTenantForRecord($record);
+
+                                if (! $tenant instanceof Tenant) {
+                                    return;
+                                }
+
+                                $mutations->deleteDedicatedCredential($record);
+
+                                Notification::make()
+                                    ->title('Dedicated credential deleted')
+                                    ->warning()
+                                    ->send();
+                            })
+                    )
+                        ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
+                        ->preserveVisibility()
+                        ->apply(),
+
+                    UiEnforcement::forAction(
+                        Actions\Action::make('revert_to_platform')
+                            ->label('Revert to platform')
+                            ->icon('heroicon-o-arrow-uturn-left')
+                            ->color('gray')
+                            ->requiresConfirmation()
+                            ->visible(fn (ProviderConnection $record): bool => $record->connection_type === ProviderConnectionType::Dedicated)
+                            ->action(function (ProviderConnection $record, ProviderConnectionMutationService $mutations, AuditLogger $auditLogger): void {
+                                $tenant = static::resolveTenantForRecord($record);
+
+                                if (! $tenant instanceof Tenant) {
+                                    return;
+                                }
+
+                                $mutations->revertToPlatform($record);
+
+                                $user = auth()->user();
+                                $actorId = $user instanceof User ? (int) $user->getKey() : null;
+                                $actorEmail = $user instanceof User ? $user->email : null;
+                                $actorName = $user instanceof User ? $user->name : null;
+
+                                $auditLogger->log(
+                                    tenant: $tenant,
+                                    action: 'provider_connection.connection_type_changed',
+                                    context: [
+                                        'metadata' => [
+                                            'provider_connection_id' => (int) $record->getKey(),
+                                            'provider' => $record->provider,
+                                            'entra_tenant_id' => $record->entra_tenant_id,
+                                            'from_connection_type' => ProviderConnectionType::Dedicated->value,
+                                            'to_connection_type' => ProviderConnectionType::Platform->value,
+                                            'source' => 'provider_connection.resource_table',
+                                        ],
+                                    ],
+                                    actorId: $actorId,
+                                    actorEmail: $actorEmail,
+                                    actorName: $actorName,
+                                    resourceType: 'provider_connection',
+                                    resourceId: (string) $record->getKey(),
+                                    status: 'success',
+                                );
+
+                                Notification::make()
+                                    ->title('Connection reverted to platform')
+                                    ->success()
+                                    ->send();
+                            })
+                    )
+                        ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
+                        ->preserveVisibility()
                         ->apply(),
 
                     UiEnforcement::forAction(

app/Filament/Resources/ProviderConnectionResource/Pages/CreateProviderConnection.php

@@ -6,6 +6,11 @@
 use App\Models\Tenant;
 use App\Models\User;
 use App\Services\Intune\AuditLogger;
+use App\Services\Providers\ProviderConnectionStateProjector;
+use App\Support\Providers\ProviderConnectionType;
+use App\Support\Providers\ProviderConsentStatus;
+use App\Support\Providers\ProviderReasonCodes;
+use App\Support\Providers\ProviderVerificationStatus;
 use Filament\Notifications\Notification;
 use Filament\Resources\Pages\CreateRecord;
 
@@ -25,12 +30,31 @@ protected function mutateFormDataBeforeCreate(array $data): array
 
         $this->shouldMakeDefault = (bool) ($data['is_default'] ?? false);
 
+        $projectedState = app(ProviderConnectionStateProjector::class)->project(
+            connectionType: ProviderConnectionType::Platform,
+            consentStatus: ProviderConsentStatus::Required,
+            verificationStatus: ProviderVerificationStatus::Unknown,
+        );
+
         return [
             'workspace_id' => (int) $tenant->workspace_id,
             'tenant_id' => $tenant->getKey(),
             'provider' => 'microsoft',
             'entra_tenant_id' => $data['entra_tenant_id'],
             'display_name' => $data['display_name'],
+            'connection_type' => ProviderConnectionType::Platform->value,
+            'status' => $projectedState['status'],
+            'consent_status' => ProviderConsentStatus::Required->value,
+            'consent_granted_at' => null,
+            'consent_last_checked_at' => null,
+            'consent_error_code' => null,
+            'consent_error_message' => null,
+            'verification_status' => ProviderVerificationStatus::Unknown->value,
+            'health_status' => $projectedState['health_status'],
+            'migration_review_required' => false,
+            'migration_reviewed_at' => null,
+            'last_error_reason_code' => ProviderReasonCodes::ProviderConsentMissing,
+            'last_error_message' => null,
             'is_default' => false,
         ];
     }
@@ -57,6 +81,7 @@ protected function afterCreate(): void
                 'metadata' => [
                     'provider' => $record->provider,
                     'entra_tenant_id' => $record->entra_tenant_id,
+                    'connection_type' => $record->connection_type->value,
                 ],
             ],
             actorId: $actorId,

app/Filament/Resources/ProviderConnectionResource/Pages/EditProviderConnection.php

@@ -11,13 +11,14 @@
 use App\Models\User;
 use App\Services\Auth\CapabilityResolver;
 use App\Services\Intune\AuditLogger;
-use App\Services\Providers\CredentialManager;
+use App\Services\Providers\ProviderConnectionMutationService;
 use App\Services\Providers\ProviderOperationStartGate;
 use App\Services\Verification\StartVerification;
 use App\Support\Auth\Capabilities;
 use App\Support\OperationRunLinks;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
+use App\Support\Providers\ProviderConnectionType;
 use App\Support\Rbac\UiEnforcement;
 use Filament\Actions;
 use Filament\Actions\Action;
@@ -277,9 +278,12 @@ protected function getHeaderActions(): array
                                     ? (string) $result->run->context['reason_code']
                                     : 'unknown_error';
 
+                                $reasonEnvelope = app(\App\Support\ReasonTranslation\ReasonPresenter::class)->forOperationRun($result->run, 'notification');
+                                $bodyLines = $reasonEnvelope?->toBodyLines() ?? ['Blocked by provider configuration.'];
+
                                 Notification::make()
                                     ->title('Connection check blocked')
-                                    ->body("Blocked by provider configuration ({$reasonCode}).")
+                                    ->body(implode("\n", $bodyLines))
                                     ->warning()
                                     ->actions([
                                         Action::make('view_run')
@@ -310,32 +314,33 @@ protected function getHeaderActions(): array
                     ->apply(),
 
                 UiEnforcement::forAction(
-                    Action::make('update_credentials')
-                        ->label('Update credentials')
+                    Action::make('enable_dedicated_override')
+                        ->label('Enable dedicated override')
                         ->icon('heroicon-o-key')
                         ->color('primary')
                         ->requiresConfirmation()
-                        ->modalDescription('Client secret is stored encrypted and will never be shown again.')
-                        ->visible(fn (): bool => $tenant instanceof Tenant)
+                        ->modalDescription('Dedicated credentials are stored encrypted and reset consent to the dedicated app registration.')
+                        ->visible(fn (ProviderConnection $record): bool => $tenant instanceof Tenant
+                            && $record->connection_type !== ProviderConnectionType::Dedicated)
                         ->form([
                             TextInput::make('client_id')
-                                ->label('Client ID')
+                                ->label('Dedicated app (client) ID')
                                 ->required()
                                 ->maxLength(255),
                             TextInput::make('client_secret')
-                                ->label('Client secret')
+                                ->label('Dedicated client secret')
                                 ->password()
                                 ->required()
                                 ->maxLength(255),
                         ])
-                        ->action(function (array $data, ProviderConnection $record, CredentialManager $credentials, AuditLogger $auditLogger): void {
+                        ->action(function (array $data, ProviderConnection $record, ProviderConnectionMutationService $mutations, AuditLogger $auditLogger): void {
                             $tenant = $this->currentTenant();
 
                             if (! $tenant instanceof Tenant) {
                                 abort(404);
                             }
 
-                            $credentials->upsertClientSecretCredential(
+                            $mutations->enableDedicatedOverride(
                                 connection: $record,
                                 clientId: (string) $data['client_id'],
                                 clientSecret: (string) $data['client_secret'],
@@ -348,12 +353,16 @@ protected function getHeaderActions(): array
 
                             $auditLogger->log(
                                 tenant: $tenant,
-                                action: 'provider_connection.credentials_updated',
+                                action: 'provider_connection.connection_type_changed',
                                 context: [
                                     'metadata' => [
+                                        'provider_connection_id' => (int) $record->getKey(),
                                         'provider' => $record->provider,
                                         'entra_tenant_id' => $record->entra_tenant_id,
+                                        'from_connection_type' => ProviderConnectionType::Platform->value,
+                                        'to_connection_type' => ProviderConnectionType::Dedicated->value,
                                         'client_id' => (string) $data['client_id'],
+                                        'source' => 'provider_connection.edit_page',
                                     ],
                                 ],
                                 actorId: $actorId,
@@ -365,13 +374,143 @@ protected function getHeaderActions(): array
                             );
 
                             Notification::make()
-                                ->title('Credentials updated')
+                                ->title('Dedicated override enabled')
                                 ->success()
                                 ->send();
                         })
                 )
-                    ->requireCapability(Capabilities::PROVIDER_MANAGE)
-                    ->tooltip('You do not have permission to manage provider connections.')
+                    ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
+                    ->preserveVisibility()
+                    ->apply(),
+
+                UiEnforcement::forAction(
+                    Action::make('rotate_dedicated_credential')
+                        ->label('Rotate dedicated credential')
+                        ->icon('heroicon-o-arrow-path')
+                        ->color('primary')
+                        ->requiresConfirmation()
+                        ->modalDescription('Stores a replacement dedicated client secret and refreshes dedicated identity state.')
+                        ->visible(fn (ProviderConnection $record): bool => $tenant instanceof Tenant
+                            && $record->connection_type === ProviderConnectionType::Dedicated)
+                        ->form([
+                            TextInput::make('client_id')
+                                ->label('Dedicated app (client) ID')
+                                ->default(function (ProviderConnection $record): string {
+                                    $payload = $record->credential?->payload;
+
+                                    return is_array($payload) ? (string) ($payload['client_id'] ?? '') : '';
+                                })
+                                ->required()
+                                ->maxLength(255),
+                            TextInput::make('client_secret')
+                                ->label('Dedicated client secret')
+                                ->password()
+                                ->required()
+                                ->maxLength(255),
+                        ])
+                        ->action(function (array $data, ProviderConnection $record, ProviderConnectionMutationService $mutations): void {
+                            $tenant = $this->currentTenant();
+
+                            if (! $tenant instanceof Tenant) {
+                                abort(404);
+                            }
+
+                            $mutations->enableDedicatedOverride(
+                                connection: $record,
+                                clientId: (string) $data['client_id'],
+                                clientSecret: (string) $data['client_secret'],
+                            );
+
+                            Notification::make()
+                                ->title('Dedicated credential rotated')
+                                ->success()
+                                ->send();
+                        })
+                )
+                    ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
+                    ->preserveVisibility()
+                    ->apply(),
+
+                UiEnforcement::forAction(
+                    Action::make('delete_dedicated_credential')
+                        ->label('Delete dedicated credential')
+                        ->icon('heroicon-o-trash')
+                        ->color('danger')
+                        ->requiresConfirmation()
+                        ->modalDescription('Deletes the dedicated credential and leaves the connection blocked until a replacement is added or the type is reverted.')
+                        ->visible(fn (ProviderConnection $record): bool => $tenant instanceof Tenant
+                            && $record->connection_type === ProviderConnectionType::Dedicated
+                            && $record->credential()->exists())
+                        ->action(function (ProviderConnection $record, ProviderConnectionMutationService $mutations): void {
+                            $tenant = $this->currentTenant();
+
+                            if (! $tenant instanceof Tenant) {
+                                abort(404);
+                            }
+
+                            $mutations->deleteDedicatedCredential($record);
+
+                            Notification::make()
+                                ->title('Dedicated credential deleted')
+                                ->warning()
+                                ->send();
+                        })
+                )
+                    ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
+                    ->preserveVisibility()
+                    ->apply(),
+
+                UiEnforcement::forAction(
+                    Action::make('revert_to_platform')
+                        ->label('Revert to platform')
+                        ->icon('heroicon-o-arrow-uturn-left')
+                        ->color('gray')
+                        ->requiresConfirmation()
+                        ->modalDescription('Reverts the connection to the platform-managed identity and removes any dedicated credential.')
+                        ->visible(fn (ProviderConnection $record): bool => $tenant instanceof Tenant
+                            && $record->connection_type === ProviderConnectionType::Dedicated)
+                        ->action(function (ProviderConnection $record, ProviderConnectionMutationService $mutations, AuditLogger $auditLogger): void {
+                            $tenant = $this->currentTenant();
+
+                            if (! $tenant instanceof Tenant) {
+                                abort(404);
+                            }
+
+                            $mutations->revertToPlatform($record);
+
+                            $user = auth()->user();
+                            $actorId = $user instanceof User ? (int) $user->getKey() : null;
+                            $actorEmail = $user instanceof User ? $user->email : null;
+                            $actorName = $user instanceof User ? $user->name : null;
+
+                            $auditLogger->log(
+                                tenant: $tenant,
+                                action: 'provider_connection.connection_type_changed',
+                                context: [
+                                    'metadata' => [
+                                        'provider_connection_id' => (int) $record->getKey(),
+                                        'provider' => $record->provider,
+                                        'entra_tenant_id' => $record->entra_tenant_id,
+                                        'from_connection_type' => ProviderConnectionType::Dedicated->value,
+                                        'to_connection_type' => ProviderConnectionType::Platform->value,
+                                        'source' => 'provider_connection.edit_page',
+                                    ],
+                                ],
+                                actorId: $actorId,
+                                actorEmail: $actorEmail,
+                                actorName: $actorName,
+                                resourceType: 'provider_connection',
+                                resourceId: (string) $record->getKey(),
+                                status: 'success',
+                            );
+
+                            Notification::make()
+                                ->title('Connection reverted to platform')
+                                ->success()
+                                ->send();
+                        })
+                )
+                    ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
                     ->preserveVisibility()
                     ->apply(),
 
@@ -511,9 +650,12 @@ protected function getHeaderActions(): array
                                     ? (string) $result->run->context['reason_code']
                                     : 'unknown_error';
 
+                                $reasonEnvelope = app(\App\Support\ReasonTranslation\ReasonPresenter::class)->forOperationRun($result->run, 'notification');
+                                $bodyLines = $reasonEnvelope?->toBodyLines() ?? ['Blocked by provider configuration.'];
+
                                 Notification::make()
                                     ->title('Inventory sync blocked')
-                                    ->body("Blocked by provider configuration ({$reasonCode}).")
+                                    ->body(implode("\n", $bodyLines))
                                     ->warning()
                                     ->actions([
                                         Action::make('view_run')
@@ -622,9 +764,12 @@ protected function getHeaderActions(): array
                                     ? (string) $result->run->context['reason_code']
                                     : 'unknown_error';
 
+                                $reasonEnvelope = app(\App\Support\ReasonTranslation\ReasonPresenter::class)->forOperationRun($result->run, 'notification');
+                                $bodyLines = $reasonEnvelope?->toBodyLines() ?? ['Blocked by provider configuration.'];
+
                                 Notification::make()
                                     ->title('Compliance snapshot blocked')
-                                    ->body("Blocked by provider configuration ({$reasonCode}).")
+                                    ->body(implode("\n", $bodyLines))
                                     ->warning()
                                     ->actions([
                                         Action::make('view_run')

app/Filament/Resources/ProviderConnectionResource/Pages/ListProviderConnections.php

@@ -7,14 +7,26 @@
 use App\Models\User;
 use App\Services\Auth\CapabilityResolver;
 use App\Support\Auth\Capabilities;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
 use Filament\Actions;
-use Filament\Facades\Filament;
 use Filament\Resources\Pages\ListRecords;
 
 class ListProviderConnections extends ListRecords
 {
     protected static string $resource = ProviderConnectionResource::class;
 
+    public function mount(): void
+    {
+        app(CanonicalAdminTenantFilterState::class)->sync(
+            $this->getTableFiltersSessionKey(),
+            request: request(),
+            tenantFilterName: 'tenant',
+            tenantAttribute: 'external_id',
+        );
+
+        parent::mount();
+    }
+
     private function tableHasRecords(): bool
     {
         return $this->getTableRecords()->count() > 0;
@@ -207,9 +219,7 @@ private function resolveTenantExternalIdForCreateAction(): ?string
             return $requested;
         }
 
-        $filamentTenant = Filament::getTenant();
-
-        return $filamentTenant instanceof Tenant ? (string) $filamentTenant->external_id : null;
+        return ProviderConnectionResource::resolveContextTenantExternalId();
     }
 
     private function resolveTenantForCreateAction(): ?Tenant
@@ -227,12 +237,12 @@ private function resolveTenantForCreateAction(): ?Tenant
 
     public function getTableEmptyStateHeading(): ?string
     {
-        return 'No provider connections found';
+        return 'No Microsoft connections found';
     }
 
     public function getTableEmptyStateDescription(): ?string
     {
-        return 'Create a Microsoft provider connection or adjust the tenant filter to inspect another managed tenant.';
+        return 'Start with a platform-managed Microsoft connection. Dedicated overrides are handled separately with stronger authorization.';
     }
 
     public function getTableEmptyStateActions(): array

app/Filament/Resources/ProviderConnectionResource/Pages/ViewProviderConnection.php

@@ -3,9 +3,17 @@
 namespace App\Filament\Resources\ProviderConnectionResource\Pages;
 
 use App\Filament\Resources\ProviderConnectionResource;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Services\Intune\AuditLogger;
+use App\Services\Providers\ProviderConnectionMutationService;
 use App\Support\Auth\Capabilities;
+use App\Support\Links\RequiredPermissionsLinks;
+use App\Support\Providers\ProviderConnectionType;
 use App\Support\Rbac\UiEnforcement;
 use Filament\Actions;
+use Filament\Forms\Components\TextInput;
+use Filament\Notifications\Notification;
 use Filament\Resources\Pages\ViewRecord;
 
 class ViewProviderConnection extends ViewRecord
@@ -15,6 +23,24 @@ class ViewProviderConnection extends ViewRecord
     protected function getHeaderActions(): array
     {
         return [
+            UiEnforcement::forAction(
+                Actions\Action::make('grant_admin_consent')
+                    ->label('Grant admin consent')
+                    ->icon('heroicon-o-clipboard-document')
+                    ->url(function (): ?string {
+                        $tenant = ProviderConnectionResource::resolveTenantForRecord($this->record);
+
+                        return $tenant instanceof Tenant
+                            ? RequiredPermissionsLinks::adminConsentPrimaryUrl($tenant)
+                            : null;
+                    })
+                    ->visible(function (): bool {
+                        return ProviderConnectionResource::resolveTenantForRecord($this->record) instanceof Tenant;
+                    })
+                    ->openUrlInNewTab()
+            )
+                ->requireCapability(Capabilities::PROVIDER_MANAGE)
+                ->apply(),
             UiEnforcement::forAction(
                 Actions\Action::make('edit')
                     ->label('Edit')
@@ -23,6 +49,201 @@ protected function getHeaderActions(): array
             )
                 ->requireCapability(Capabilities::PROVIDER_MANAGE)
                 ->apply(),
+            Actions\ActionGroup::make([
+                UiEnforcement::forAction(
+                    Actions\Action::make('enable_dedicated_override')
+                        ->label('Enable dedicated override')
+                        ->icon('heroicon-o-key')
+                        ->color('primary')
+                        ->requiresConfirmation()
+                        ->modalDescription('Dedicated credentials are stored encrypted and reset consent to the dedicated app registration.')
+                        ->visible(fn (): bool => $this->record->connection_type !== ProviderConnectionType::Dedicated)
+                        ->form([
+                            TextInput::make('client_id')
+                                ->label('Dedicated app (client) ID')
+                                ->required()
+                                ->maxLength(255),
+                            TextInput::make('client_secret')
+                                ->label('Dedicated client secret')
+                                ->password()
+                                ->required()
+                                ->maxLength(255),
+                        ])
+                        ->action(function (array $data, ProviderConnectionMutationService $mutations, AuditLogger $auditLogger): void {
+                            $tenant = ProviderConnectionResource::resolveTenantForRecord($this->record);
+
+                            if (! $tenant instanceof Tenant) {
+                                abort(404);
+                            }
+
+                            $mutations->enableDedicatedOverride(
+                                connection: $this->record,
+                                clientId: (string) $data['client_id'],
+                                clientSecret: (string) $data['client_secret'],
+                            );
+
+                            $user = auth()->user();
+                            $actorId = $user instanceof User ? (int) $user->getKey() : null;
+                            $actorEmail = $user instanceof User ? $user->email : null;
+                            $actorName = $user instanceof User ? $user->name : null;
+
+                            $auditLogger->log(
+                                tenant: $tenant,
+                                action: 'provider_connection.connection_type_changed',
+                                context: [
+                                    'metadata' => [
+                                        'provider_connection_id' => (int) $this->record->getKey(),
+                                        'provider' => $this->record->provider,
+                                        'entra_tenant_id' => $this->record->entra_tenant_id,
+                                        'from_connection_type' => ProviderConnectionType::Platform->value,
+                                        'to_connection_type' => ProviderConnectionType::Dedicated->value,
+                                        'client_id' => (string) $data['client_id'],
+                                        'source' => 'provider_connection.view_page',
+                                    ],
+                                ],
+                                actorId: $actorId,
+                                actorEmail: $actorEmail,
+                                actorName: $actorName,
+                                resourceType: 'provider_connection',
+                                resourceId: (string) $this->record->getKey(),
+                                status: 'success',
+                            );
+
+                            Notification::make()
+                                ->title('Dedicated override enabled')
+                                ->success()
+                                ->send();
+                        })
+                )
+                    ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
+                    ->preserveVisibility()
+                    ->apply(),
+                UiEnforcement::forAction(
+                    Actions\Action::make('rotate_dedicated_credential')
+                        ->label('Rotate dedicated credential')
+                        ->icon('heroicon-o-arrow-path')
+                        ->color('primary')
+                        ->requiresConfirmation()
+                        ->visible(fn (): bool => $this->record->connection_type === ProviderConnectionType::Dedicated)
+                        ->form([
+                            TextInput::make('client_id')
+                                ->label('Dedicated app (client) ID')
+                                ->default(function (): string {
+                                    $payload = $this->record->credential?->payload;
+
+                                    return is_array($payload) ? (string) ($payload['client_id'] ?? '') : '';
+                                })
+                                ->required()
+                                ->maxLength(255),
+                            TextInput::make('client_secret')
+                                ->label('Dedicated client secret')
+                                ->password()
+                                ->required()
+                                ->maxLength(255),
+                        ])
+                        ->action(function (array $data, ProviderConnectionMutationService $mutations): void {
+                            $tenant = ProviderConnectionResource::resolveTenantForRecord($this->record);
+
+                            if (! $tenant instanceof Tenant) {
+                                abort(404);
+                            }
+
+                            $mutations->enableDedicatedOverride(
+                                connection: $this->record,
+                                clientId: (string) $data['client_id'],
+                                clientSecret: (string) $data['client_secret'],
+                            );
+
+                            Notification::make()
+                                ->title('Dedicated credential rotated')
+                                ->success()
+                                ->send();
+                        })
+                )
+                    ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
+                    ->preserveVisibility()
+                    ->apply(),
+                UiEnforcement::forAction(
+                    Actions\Action::make('delete_dedicated_credential')
+                        ->label('Delete dedicated credential')
+                        ->icon('heroicon-o-trash')
+                        ->color('danger')
+                        ->requiresConfirmation()
+                        ->visible(fn (): bool => $this->record->connection_type === ProviderConnectionType::Dedicated
+                            && $this->record->credential()->exists())
+                        ->action(function (ProviderConnectionMutationService $mutations): void {
+                            $tenant = ProviderConnectionResource::resolveTenantForRecord($this->record);
+
+                            if (! $tenant instanceof Tenant) {
+                                abort(404);
+                            }
+
+                            $mutations->deleteDedicatedCredential($this->record);
+
+                            Notification::make()
+                                ->title('Dedicated credential deleted')
+                                ->warning()
+                                ->send();
+                        })
+                )
+                    ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
+                    ->preserveVisibility()
+                    ->apply(),
+                UiEnforcement::forAction(
+                    Actions\Action::make('revert_to_platform')
+                        ->label('Revert to platform')
+                        ->icon('heroicon-o-arrow-uturn-left')
+                        ->color('gray')
+                        ->requiresConfirmation()
+                        ->visible(fn (): bool => $this->record->connection_type === ProviderConnectionType::Dedicated)
+                        ->action(function (ProviderConnectionMutationService $mutations, AuditLogger $auditLogger): void {
+                            $tenant = ProviderConnectionResource::resolveTenantForRecord($this->record);
+
+                            if (! $tenant instanceof Tenant) {
+                                abort(404);
+                            }
+
+                            $mutations->revertToPlatform($this->record);
+
+                            $user = auth()->user();
+                            $actorId = $user instanceof User ? (int) $user->getKey() : null;
+                            $actorEmail = $user instanceof User ? $user->email : null;
+                            $actorName = $user instanceof User ? $user->name : null;
+
+                            $auditLogger->log(
+                                tenant: $tenant,
+                                action: 'provider_connection.connection_type_changed',
+                                context: [
+                                    'metadata' => [
+                                        'provider_connection_id' => (int) $this->record->getKey(),
+                                        'provider' => $this->record->provider,
+                                        'entra_tenant_id' => $this->record->entra_tenant_id,
+                                        'from_connection_type' => ProviderConnectionType::Dedicated->value,
+                                        'to_connection_type' => ProviderConnectionType::Platform->value,
+                                        'source' => 'provider_connection.view_page',
+                                    ],
+                                ],
+                                actorId: $actorId,
+                                actorEmail: $actorEmail,
+                                actorName: $actorName,
+                                resourceType: 'provider_connection',
+                                resourceId: (string) $this->record->getKey(),
+                                status: 'success',
+                            );
+
+                            Notification::make()
+                                ->title('Connection reverted to platform')
+                                ->success()
+                                ->send();
+                        })
+                )
+                    ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
+                    ->preserveVisibility()
+                    ->apply(),
+            ])
+                ->label('Manage dedicated override')
+                ->icon('heroicon-o-cog-6-tooth')
+                ->color('gray'),
         ];
     }
 }

app/Filament/Resources/RestoreRunResource.php

@@ -4,6 +4,8 @@
 
 use App\Contracts\Hardening\WriteGateInterface;
 use App\Exceptions\Hardening\ProviderAccessHardeningRequired;
+use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
+use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Filament\Resources\RestoreRunResource\Pages;
 use App\Jobs\BulkRestoreRunDeleteJob;
 use App\Jobs\BulkRestoreRunForceDeleteJob;
@@ -35,6 +37,10 @@
 use App\Support\Rbac\UiEnforcement;
 use App\Support\RestoreRunIdempotency;
 use App\Support\RestoreRunStatus;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use BackedEnum;
 use Filament\Actions;
 use Filament\Actions\ActionGroup;
@@ -65,6 +71,9 @@
 
 class RestoreRunResource extends Resource
 {
+    use InteractsWithTenantOwnedRecords;
+    use ResolvesPanelTenantContext;
+
     protected static ?string $model = RestoreRun::class;
 
     protected static ?string $tenantOwnershipRelationshipName = 'tenant';
@@ -84,7 +93,7 @@ public static function shouldRegisterNavigation(): bool
 
     public static function canCreate(): bool
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
         $user = auth()->user();
 
         if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -98,6 +107,17 @@ public static function canCreate(): bool
             && $resolver->can($user, $tenant, Capabilities::TENANT_MANAGE);
     }
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Create restore run is available from the list header whenever records already exist.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Clickable-row inspection stays primary while rerun and archive lifecycle actions stay grouped under More.')
+            ->satisfy(ActionSurfaceSlot::ListBulkMoreGroup, 'Bulk restore-run maintenance actions are grouped under More.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state exposes the New restore run CTA.')
+            ->exempt(ActionSurfaceSlot::DetailHeader, 'View page has no additional header actions.');
+    }
+
     public static function form(Schema $schema): Schema
     {
         return $schema
@@ -105,7 +125,7 @@ public static function form(Schema $schema): Schema
                 Forms\Components\Select::make('backup_set_id')
                     ->label('Backup set')
                     ->options(function () {
-                        $tenantId = Tenant::currentOrFail()->getKey();
+                        $tenantId = static::resolveTenantContextForCurrentPanelOrFail()->getKey();
 
                         return BackupSet::query()
                             ->when($tenantId, fn ($query) => $query->where('tenant_id', $tenantId))
@@ -145,7 +165,7 @@ public static function form(Schema $schema): Schema
                     ->schema(function (Get $get): array {
                         $backupSetId = $get('backup_set_id');
                         $selectedItemIds = $get('backup_item_ids');
-                        $tenant = Tenant::current();
+                        $tenant = static::resolveTenantContextForCurrentPanel();
 
                         if (! $tenant || ! $backupSetId) {
                             return [];
@@ -199,7 +219,7 @@ public static function form(Schema $schema): Schema
                                         ->label('Sync Groups')
                                         ->icon('heroicon-o-arrow-path')
                                         ->color('warning')
-                                        ->url(fn (): string => EntraGroupResource::getUrl('index', tenant: Tenant::current()))
+                                        ->url(fn (): string => EntraGroupResource::getUrl('index', tenant: static::resolveTenantContextForCurrentPanel()))
                                         ->visible(fn (): bool => $cacheNotice !== null)
                                 );
                         }, $unresolved);
@@ -207,7 +227,7 @@ public static function form(Schema $schema): Schema
                     ->visible(function (Get $get): bool {
                         $backupSetId = $get('backup_set_id');
                         $selectedItemIds = $get('backup_item_ids');
-                        $tenant = Tenant::current();
+                        $tenant = static::resolveTenantContextForCurrentPanel();
 
                         if (! $tenant || ! $backupSetId) {
                             return false;
@@ -239,18 +259,44 @@ public static function makeCreateAction(): Actions\CreateAction
 
     public static function getEloquentQuery(): Builder
     {
-        $tenantId = Tenant::current()?->getKey();
+        return static::scopeTenantOwnedQuery(parent::getEloquentQuery())
+            ->with('backupSet');
+    }
 
-        return parent::getEloquentQuery()
-            ->with('backupSet')
-            ->when(
-                $tenantId !== null,
-                fn (Builder $query): Builder => $query->where('tenant_id', (int) $tenantId),
-            )
-            ->when(
-                $tenantId === null,
-                fn (Builder $query): Builder => $query->whereRaw('1 = 0'),
-            );
+    public static function resolveScopedRecordOrFail(int|string $key): Model
+    {
+        return static::resolveTenantOwnedRecordOrFail(
+            $key,
+            parent::getEloquentQuery()->withTrashed()->with('backupSet'),
+        );
+    }
+
+    protected static function resolveProtectedRestoreRunRecordOrFail(RestoreRun|int|string $record): RestoreRun
+    {
+        $resolvedRecord = static::resolveScopedRecordOrFail($record instanceof Model ? $record->getKey() : $record);
+
+        if (! $resolvedRecord instanceof RestoreRun) {
+            abort(404);
+        }
+
+        return $resolvedRecord;
+    }
+
+    /**
+     * @return array<int, int>
+     */
+    protected static function resolveProtectedRestoreRunIds(Collection $records): array
+    {
+        return $records
+            ->map(function (mixed $record): int {
+                $resolvedRecord = static::resolveProtectedRestoreRunRecordOrFail($record instanceof RestoreRun ? $record : (is_numeric($record) ? (int) $record : 0));
+
+                return (int) $resolvedRecord->getKey();
+            })
+            ->filter(fn (int $value): bool => $value > 0)
+            ->unique()
+            ->values()
+            ->all();
     }
 
     /**
@@ -265,7 +311,7 @@ public static function getWizardSteps(): array
                     Forms\Components\Select::make('backup_set_id')
                         ->label('Backup set')
                         ->options(function () {
-                            $tenantId = Tenant::currentOrFail()->getKey();
+                            $tenantId = static::resolveTenantContextForCurrentPanelOrFail()->getKey();
 
                             return BackupSet::query()
                                 ->when($tenantId, fn ($query) => $query->where('tenant_id', $tenantId))
@@ -290,7 +336,7 @@ public static function getWizardSteps(): array
                                 backupSetId: $get('backup_set_id'),
                                 scopeMode: 'all',
                                 selectedItemIds: null,
-                                tenant: Tenant::current(),
+                                tenant: static::resolveTenantContextForCurrentPanel(),
                             ));
                             $set('is_dry_run', true);
                             $set('acknowledged_impact', false);
@@ -317,7 +363,7 @@ public static function getWizardSteps(): array
                         ->reactive()
                         ->afterStateUpdated(function (Set $set, Get $get, $state): void {
                             $backupSetId = $get('backup_set_id');
-                            $tenant = Tenant::current();
+                            $tenant = static::resolveTenantContextForCurrentPanel();
                             $set('is_dry_run', true);
                             $set('acknowledged_impact', false);
                             $set('tenant_confirm', null);
@@ -357,7 +403,7 @@ public static function getWizardSteps(): array
                             $backupSetId = $get('backup_set_id');
                             $selectedItemIds = $get('backup_item_ids');
                             $selectedItemIds = is_array($selectedItemIds) ? $selectedItemIds : null;
-                            $tenant = Tenant::current();
+                            $tenant = static::resolveTenantContextForCurrentPanel();
 
                             $set('group_mapping', static::groupMappingPlaceholders(
                                 backupSetId: $backupSetId,
@@ -408,7 +454,7 @@ public static function getWizardSteps(): array
                             $backupSetId = $get('backup_set_id');
                             $scopeMode = $get('scope_mode') ?? 'all';
                             $selectedItemIds = $get('backup_item_ids');
-                            $tenant = Tenant::current();
+                            $tenant = static::resolveTenantContextForCurrentPanel();
 
                             if (! $tenant || ! $backupSetId) {
                                 return [];
@@ -477,7 +523,7 @@ public static function getWizardSteps(): array
                                             ->label('Sync Groups')
                                             ->icon('heroicon-o-arrow-path')
                                             ->color('warning')
-                                            ->url(fn (): string => EntraGroupResource::getUrl('index', tenant: Tenant::current()))
+                                            ->url(fn (): string => EntraGroupResource::getUrl('index', tenant: static::resolveTenantContextForCurrentPanel()))
                                             ->visible(fn (): bool => $cacheNotice !== null)
                                     );
                             }, $unresolved);
@@ -486,7 +532,7 @@ public static function getWizardSteps(): array
                             $backupSetId = $get('backup_set_id');
                             $scopeMode = $get('scope_mode') ?? 'all';
                             $selectedItemIds = $get('backup_item_ids');
-                            $tenant = Tenant::current();
+                            $tenant = static::resolveTenantContextForCurrentPanel();
 
                             if (! $tenant || ! $backupSetId) {
                                 return false;
@@ -527,7 +573,7 @@ public static function getWizardSteps(): array
                                 ->color('gray')
                                 ->visible(fn (Get $get): bool => filled($get('backup_set_id')))
                                 ->action(function (Get $get, Set $set): void {
-                                    $tenant = Tenant::current();
+                                    $tenant = static::resolveTenantContextForCurrentPanel();
 
                                     if (! $tenant) {
                                         return;
@@ -625,7 +671,7 @@ public static function getWizardSteps(): array
                                 ->color('gray')
                                 ->visible(fn (Get $get): bool => filled($get('backup_set_id')))
                                 ->action(function (Get $get, Set $set): void {
-                                    $tenant = Tenant::current();
+                                    $tenant = static::resolveTenantContextForCurrentPanel();
 
                                     if (! $tenant) {
                                         return;
@@ -704,7 +750,7 @@ public static function getWizardSteps(): array
                     Forms\Components\Placeholder::make('confirm_tenant_label')
                         ->label('Tenant hard-confirm label')
                         ->content(function (): string {
-                            $tenant = Tenant::current();
+                            $tenant = static::resolveTenantContextForCurrentPanel();
 
                             if (! $tenant) {
                                 return '';
@@ -741,7 +787,7 @@ public static function getWizardSteps(): array
                         ->required(fn (Get $get): bool => $get('is_dry_run') === false)
                         ->visible(fn (Get $get): bool => $get('is_dry_run') === false)
                         ->in(function (): array {
-                            $tenant = Tenant::current();
+                            $tenant = static::resolveTenantContextForCurrentPanel();
 
                             if (! $tenant) {
                                 return [];
@@ -755,7 +801,7 @@ public static function getWizardSteps(): array
                             'in' => 'Tenant hard-confirm does not match.',
                         ])
                         ->helperText(function (): string {
-                            $tenant = Tenant::current();
+                            $tenant = static::resolveTenantContextForCurrentPanel();
 
                             if (! $tenant) {
                                 return '';
@@ -793,10 +839,10 @@ public static function table(Table $table): Table
                     ->label('Total')
                     ->state(fn (RestoreRun $record): int => (int) (($record->metadata ?? [])['total'] ?? 0)),
                 Tables\Columns\TextColumn::make('summary_succeeded')
-                    ->label('Succeeded')
+                    ->label('Applied')
                     ->state(fn (RestoreRun $record): int => (int) (($record->metadata ?? [])['succeeded'] ?? 0)),
                 Tables\Columns\TextColumn::make('summary_failed')
-                    ->label('Failed')
+                    ->label('Failed items')
                     ->state(fn (RestoreRun $record): int => (int) (($record->metadata ?? [])['failed'] ?? 0)),
                 Tables\Columns\TextColumn::make('started_at')->dateTime()->since()->sortable(),
                 Tables\Columns\TextColumn::make('completed_at')->dateTime()->since()->sortable(),
@@ -831,8 +877,8 @@ public static function table(Table $table): Table
                 FilterPresets::dateRange('started_at', 'Started', 'started_at'),
                 FilterPresets::archived(),
             ])
+            ->recordUrl(fn (RestoreRun $record): string => static::getUrl('view', ['record' => $record]))
             ->actions([
-                Actions\ViewAction::make(),
                 ActionGroup::make([
                     static::rerunActionWithGate(),
                     UiEnforcement::forTableAction(
@@ -843,6 +889,8 @@ public static function table(Table $table): Table
                             ->requiresConfirmation()
                             ->visible(fn (RestoreRun $record): bool => $record->trashed())
                             ->action(function (RestoreRun $record, \App\Services\Intune\AuditLogger $auditLogger) {
+                                $record = static::resolveProtectedRestoreRunRecordOrFail($record);
+
                                 $record->restore();
 
                                 if ($record->tenant) {
@@ -861,7 +909,7 @@ public static function table(Table $table): Table
                                     ->success()
                                     ->send();
                             }),
-                        fn () => Tenant::current(),
+                        fn () => static::resolveTenantContextForCurrentPanel(),
                     )
                         ->requireCapability(Capabilities::TENANT_MANAGE)
                         ->preserveVisibility()
@@ -874,6 +922,8 @@ public static function table(Table $table): Table
                             ->requiresConfirmation()
                             ->visible(fn (RestoreRun $record): bool => ! $record->trashed())
                             ->action(function (RestoreRun $record, \App\Services\Intune\AuditLogger $auditLogger) {
+                                $record = static::resolveProtectedRestoreRunRecordOrFail($record);
+
                                 if (! $record->isDeletable()) {
                                     Notification::make()
                                         ->title('Restore run cannot be archived')
@@ -902,7 +952,7 @@ public static function table(Table $table): Table
                                     ->success()
                                     ->send();
                             }),
-                        fn () => Tenant::current(),
+                        fn () => static::resolveTenantContextForCurrentPanel(),
                     )
                         ->requireCapability(Capabilities::TENANT_MANAGE)
                         ->preserveVisibility()
@@ -915,6 +965,8 @@ public static function table(Table $table): Table
                             ->requiresConfirmation()
                             ->visible(fn (RestoreRun $record): bool => $record->trashed())
                             ->action(function (RestoreRun $record, \App\Services\Intune\AuditLogger $auditLogger) {
+                                $record = static::resolveProtectedRestoreRunRecordOrFail($record);
+
                                 if ($record->tenant) {
                                     $auditLogger->log(
                                         tenant: $record->tenant,
@@ -933,12 +985,14 @@ public static function table(Table $table): Table
                                     ->success()
                                     ->send();
                             }),
-                        fn () => Tenant::current(),
+                        fn () => static::resolveTenantContextForCurrentPanel(),
                     )
                         ->requireCapability(Capabilities::TENANT_DELETE)
                         ->preserveVisibility()
                         ->apply(),
-                ])->icon('heroicon-o-ellipsis-vertical'),
+                ])
+                    ->label('More')
+                    ->icon('heroicon-o-ellipsis-vertical'),
             ])
             ->bulkActions([
                 BulkActionGroup::make([
@@ -972,10 +1026,10 @@ public static function table(Table $table): Table
                                 return [];
                             })
                             ->action(function (Collection $records) {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
                                 $count = $records->count();
-                                $ids = $records->pluck('id')->toArray();
+                                $ids = static::resolveProtectedRestoreRunIds($records);
 
                                 if (! $tenant instanceof Tenant) {
                                     return;
@@ -1042,10 +1096,10 @@ public static function table(Table $table): Table
                             ->modalHeading(fn (Collection $records) => "Restore {$records->count()} restore runs?")
                             ->modalDescription('Archived runs will be restored back to the active list. Active runs will be skipped.')
                             ->action(function (Collection $records) {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
                                 $count = $records->count();
-                                $ids = $records->pluck('id')->toArray();
+                                $ids = static::resolveProtectedRestoreRunIds($records);
 
                                 if (! $tenant instanceof Tenant) {
                                     return;
@@ -1132,10 +1186,10 @@ public static function table(Table $table): Table
                                     ]),
                             ])
                             ->action(function (Collection $records) {
-                                $tenant = Tenant::current();
+                                $tenant = static::resolveTenantContextForCurrentPanel();
                                 $user = auth()->user();
                                 $count = $records->count();
-                                $ids = $records->pluck('id')->toArray();
+                                $ids = static::resolveProtectedRestoreRunIds($records);
 
                                 if (! $tenant instanceof Tenant) {
                                     return;
@@ -1195,7 +1249,7 @@ public static function table(Table $table): Table
                     )
                         ->requireCapability(Capabilities::TENANT_DELETE)
                         ->apply(),
-                ]),
+                ])->label('More'),
             ])
             ->emptyStateHeading('No restore runs')
             ->emptyStateDescription('Start a restoration from a backup set.')
@@ -1224,7 +1278,7 @@ public static function infolist(Schema $schema): Schema
                         $succeeded = (int) ($meta['succeeded'] ?? 0);
                         $failed = (int) ($meta['failed'] ?? 0);
 
-                        return sprintf('Total: %d • Succeeded: %d • Failed: %d', $total, $succeeded, $failed);
+                        return sprintf('Total: %d • Applied: %d • Failed items: %d', $total, $succeeded, $failed);
                     }),
                 Infolists\Components\TextEntry::make('is_dry_run')
                     ->label('Dry-run')
@@ -1276,7 +1330,7 @@ private static function typeMeta(?string $type): array
      */
     private static function restoreItemOptionData(?int $backupSetId): array
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         if (! $tenant || ! $backupSetId) {
             return [
@@ -1347,7 +1401,7 @@ private static function restoreItemOptionData(?int $backupSetId): array
      */
     private static function restoreItemGroupedOptions(?int $backupSetId): array
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         if (! $tenant || ! $backupSetId) {
             return [];
@@ -1399,7 +1453,7 @@ private static function restoreItemGroupedOptions(?int $backupSetId): array
 
     public static function createRestoreRun(array $data): RestoreRun
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
         $user = auth()->user();
 
         if (! $tenant instanceof Tenant || ! $user instanceof User) {
@@ -1691,6 +1745,8 @@ public static function createRestoreRun(array $data): RestoreRun
                 'restore_run_id' => (int) $restoreRun->getKey(),
                 'backup_set_id' => (int) $backupSet->getKey(),
                 'is_dry_run' => (bool) ($restoreRun->is_dry_run ?? false),
+                'execution_authority_mode' => 'actor_bound',
+                'required_capability' => Capabilities::TENANT_MANAGE,
             ],
             initiator: $initiator,
         );
@@ -1922,6 +1978,7 @@ private static function rerunActionWithGate(): Actions\Action|BulkAction
                     \App\Services\Intune\AuditLogger $auditLogger,
                     HasTable $livewire
                 ) {
+                    $record = static::resolveProtectedRestoreRunRecordOrFail($record);
                     $tenant = $record->tenant;
                     $backupSet = $record->backupSet;
 
@@ -2089,6 +2146,8 @@ private static function rerunActionWithGate(): Actions\Action|BulkAction
                                 'restore_run_id' => (int) $newRun->getKey(),
                                 'backup_set_id' => (int) $backupSet->getKey(),
                                 'is_dry_run' => (bool) ($newRun->is_dry_run ?? false),
+                                'execution_authority_mode' => 'actor_bound',
+                                'required_capability' => Capabilities::TENANT_MANAGE,
                             ],
                             initiator: $initiator,
                         );
@@ -2165,7 +2224,7 @@ private static function rerunActionWithGate(): Actions\Action|BulkAction
                     OperationUxPresenter::queuedToast('restore.execute')
                         ->send();
                 }),
-            fn () => Tenant::current(),
+            fn () => static::resolveTenantContextForCurrentPanel(),
         )
             ->requireCapability(Capabilities::TENANT_MANAGE)
             ->preserveVisibility()
@@ -2181,7 +2240,7 @@ private static function rerunActionWithGate(): Actions\Action|BulkAction
                 return true;
             }
 
-            $tenant = $record instanceof RestoreRun ? $record->tenant : Tenant::current();
+            $tenant = $record instanceof RestoreRun ? $record->tenant : static::resolveTenantContextForCurrentPanel();
 
             if (! $tenant instanceof Tenant) {
                 return true;
@@ -2205,7 +2264,7 @@ private static function rerunActionWithGate(): Actions\Action|BulkAction
                 return \App\Support\Auth\UiTooltips::insufficientPermission();
             }
 
-            $tenant = $record instanceof RestoreRun ? $record->tenant : Tenant::current();
+            $tenant = $record instanceof RestoreRun ? $record->tenant : static::resolveTenantContextForCurrentPanel();
 
             if (! $tenant instanceof Tenant) {
                 return 'Tenant unavailable';

app/Filament/Resources/RestoreRunResource/Pages/CreateRestoreRun.php

@@ -2,6 +2,7 @@
 
 namespace App\Filament\Resources\RestoreRunResource\Pages;
 
+use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Filament\Resources\RestoreRunResource;
 use App\Models\BackupSet;
 use App\Models\Tenant;
@@ -17,12 +18,13 @@
 class CreateRestoreRun extends CreateRecord
 {
     use HasWizard;
+    use ResolvesPanelTenantContext;
 
     protected static string $resource = RestoreRunResource::class;
 
     protected function authorizeAccess(): void
     {
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         $user = auth()->user();
 
@@ -60,7 +62,7 @@ protected function afterFill(): void
             return;
         }
 
-        $tenant = Tenant::current();
+        $tenant = static::resolveTenantContextForCurrentPanel();
 
         if (! $tenant) {
             return;

app/Filament/Resources/RestoreRunResource/Pages/ListRestoreRuns.php

@@ -3,12 +3,42 @@
 namespace App\Filament\Resources\RestoreRunResource\Pages;
 
 use App\Filament\Resources\RestoreRunResource;
+use App\Support\Filament\CanonicalAdminTenantFilterState;
 use Filament\Resources\Pages\ListRecords;
+use Illuminate\Database\Eloquent\ModelNotFoundException;
 
 class ListRestoreRuns extends ListRecords
 {
     protected static string $resource = RestoreRunResource::class;
 
+    /**
+     * @param  array<string, mixed>  $arguments
+     * @param  array<string, mixed>  $context
+     */
+    public function mountAction(string $name, array $arguments = [], array $context = []): mixed
+    {
+        if (($context['table'] ?? false) === true && filled($context['recordKey'] ?? null) && in_array($name, ['archive', 'forceDelete', 'rerun'], true)) {
+            try {
+                RestoreRunResource::resolveScopedRecordOrFail($context['recordKey']);
+            } catch (ModelNotFoundException) {
+                abort(404);
+            }
+        }
+
+        return parent::mountAction($name, $arguments, $context);
+    }
+
+    public function mount(): void
+    {
+        app(CanonicalAdminTenantFilterState::class)->sync(
+            $this->getTableFiltersSessionKey(),
+            request: request(),
+            tenantFilterName: null,
+        );
+
+        parent::mount();
+    }
+
     private function tableHasRecords(): bool
     {
         return $this->getTableRecords()->count() > 0;

app/Filament/Resources/RestoreRunResource/Pages/ViewRestoreRun.php

@@ -4,8 +4,14 @@
 
 use App\Filament\Resources\RestoreRunResource;
 use Filament\Resources\Pages\ViewRecord;
+use Illuminate\Database\Eloquent\Model;
 
 class ViewRestoreRun extends ViewRecord
 {
     protected static string $resource = RestoreRunResource::class;
+
+    protected function resolveRecord(int|string $key): Model
+    {
+        return RestoreRunResource::resolveScopedRecordOrFail($key);
+    }
 }

app/Filament/Resources/ReviewPackResource.php

@@ -2,12 +2,15 @@
 
 namespace App\Filament\Resources;
 
+use App\Exceptions\ReviewPackEvidenceResolutionException;
+use App\Filament\Resources\EvidenceSnapshotResource as TenantEvidenceSnapshotResource;
 use App\Filament\Resources\ReviewPackResource\Pages;
 use App\Models\ReviewPack;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Services\ReviewPackService;
 use App\Support\Auth\Capabilities;
+use App\Support\Badges\BadgeCatalog;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
 use App\Support\OpsUx\OperationUxPresenter;
@@ -17,11 +20,15 @@
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
+use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthEnvelope;
+use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthPresenter;
 use BackedEnum;
 use Filament\Actions;
 use Filament\Facades\Filament;
 use Filament\Forms\Components\Toggle;
 use Filament\Infolists\Components\TextEntry;
+use Filament\Infolists\Components\ViewEntry;
 use Filament\Notifications\Notification;
 use Filament\Resources\Resource;
 use Filament\Schemas\Components\Section;
@@ -91,11 +98,11 @@ public static function canView(Model $record): bool
 
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
-        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
+        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView, ActionSurfaceType::ReadOnlyRegistryReport)
             ->satisfy(ActionSurfaceSlot::ListHeader, 'Generate Pack action available in list header.')
-            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ViewAction->value)
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
             ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state includes Generate CTA.')
-            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Only two primary row actions (Download, Expire); no secondary menu needed.')
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Clickable-row inspection stays primary while Download and Expire remain direct row shortcuts.')
             ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'No bulk operations are supported for review packs.')
             ->satisfy(ActionSurfaceSlot::DetailHeader, 'Download and Regenerate actions in ViewReviewPack header.');
     }
@@ -109,6 +116,15 @@ public static function infolist(Schema $schema): Schema
     {
         return $schema
             ->schema([
+                Section::make('Artifact truth')
+                    ->schema([
+                        ViewEntry::make('artifact_truth')
+                            ->hiddenLabel()
+                            ->view('filament.infolists.entries.governance-artifact-truth')
+                            ->state(fn (ReviewPack $record): array => static::truthEnvelope($record)->toArray())
+                            ->columnSpanFull(),
+                    ])
+                    ->columnSpanFull(),
                 Section::make('Status')
                     ->schema([
                         TextEntry::make('status')
@@ -164,6 +180,21 @@ public static function infolist(Schema $schema): Schema
                 Section::make('Metadata')
                     ->schema([
                         TextEntry::make('initiator.name')->label('Initiated by')->placeholder('—'),
+                        TextEntry::make('tenantReview.id')
+                            ->label('Tenant review')
+                            ->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
+                            ->url(fn (ReviewPack $record): ?string => $record->tenantReview && $record->tenant
+                                ? TenantReviewResource::tenantScopedUrl('view', ['record' => $record->tenantReview], $record->tenant)
+                                : null)
+                            ->placeholder('—'),
+                        TextEntry::make('summary.review_status')
+                            ->label('Review status')
+                            ->badge()
+                            ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewStatus))
+                            ->color(BadgeRenderer::color(BadgeDomain::TenantReviewStatus))
+                            ->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewStatus))
+                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewStatus))
+                            ->placeholder('—'),
                         TextEntry::make('operationRun.id')
                             ->label('Operation run')
                             ->url(fn (ReviewPack $record): ?string => $record->operation_run_id
@@ -177,6 +208,33 @@ public static function infolist(Schema $schema): Schema
                     ])
                     ->columns(2)
                     ->columnSpanFull(),
+
+                Section::make('Evidence snapshot')
+                    ->schema([
+                        TextEntry::make('summary.evidence_resolution.outcome')
+                            ->label('Resolution')
+                            ->placeholder('—'),
+                        TextEntry::make('evidenceSnapshot.id')
+                            ->label('Snapshot')
+                            ->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
+                            ->url(fn (ReviewPack $record): ?string => $record->evidenceSnapshot
+                                ? TenantEvidenceSnapshotResource::getUrl('view', ['record' => $record->evidenceSnapshot], tenant: $record->tenant)
+                                : null),
+                        TextEntry::make('evidenceSnapshot.completeness_state')
+                            ->label('Snapshot completeness')
+                            ->badge()
+                            ->formatStateUsing(BadgeRenderer::label(BadgeDomain::EvidenceCompleteness))
+                            ->color(BadgeRenderer::color(BadgeDomain::EvidenceCompleteness))
+                            ->icon(BadgeRenderer::icon(BadgeDomain::EvidenceCompleteness))
+                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::EvidenceCompleteness))
+                            ->placeholder('—'),
+                        TextEntry::make('summary.evidence_resolution.snapshot_fingerprint')
+                            ->label('Snapshot fingerprint')
+                            ->copyable()
+                            ->placeholder('—'),
+                    ])
+                    ->columns(2)
+                    ->columnSpanFull(),
             ]);
     }
 
@@ -194,6 +252,15 @@ public static function table(Table $table): Table
                     ->icon(BadgeRenderer::icon(BadgeDomain::ReviewPackStatus))
                     ->iconColor(BadgeRenderer::iconColor(BadgeDomain::ReviewPackStatus))
                     ->sortable(),
+                Tables\Columns\TextColumn::make('artifact_truth')
+                    ->label('Artifact truth')
+                    ->badge()
+                    ->getStateUsing(fn (ReviewPack $record): string => static::truthEnvelope($record)->primaryLabel)
+                    ->color(fn (ReviewPack $record): string => static::truthEnvelope($record)->primaryBadgeSpec()->color)
+                    ->icon(fn (ReviewPack $record): ?string => static::truthEnvelope($record)->primaryBadgeSpec()->icon)
+                    ->iconColor(fn (ReviewPack $record): ?string => static::truthEnvelope($record)->primaryBadgeSpec()->iconColor)
+                    ->description(fn (ReviewPack $record): ?string => static::truthEnvelope($record)->primaryExplanation)
+                    ->wrap(),
                 Tables\Columns\TextColumn::make('tenant.name')
                     ->label('Tenant')
                     ->searchable(),
@@ -201,6 +268,10 @@ public static function table(Table $table): Table
                     ->dateTime()
                     ->sortable()
                     ->placeholder('—'),
+                Tables\Columns\TextColumn::make('tenantReview.id')
+                    ->label('Review')
+                    ->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
+                    ->toggleable(isToggledHiddenByDefault: true),
                 Tables\Columns\TextColumn::make('expires_at')
                     ->dateTime()
                     ->sortable()
@@ -209,6 +280,29 @@ public static function table(Table $table): Table
                     ->label('Size')
                     ->formatStateUsing(fn ($state): string => $state ? Number::fileSize((int) $state) : '—')
                     ->sortable(),
+                Tables\Columns\TextColumn::make('publication_truth')
+                    ->label('Publication')
+                    ->badge()
+                    ->getStateUsing(fn (ReviewPack $record): string => BadgeCatalog::spec(
+                        BadgeDomain::GovernanceArtifactPublicationReadiness,
+                        static::truthEnvelope($record)->publicationReadiness ?? 'internal_only',
+                    )->label)
+                    ->color(fn (ReviewPack $record): string => BadgeCatalog::spec(
+                        BadgeDomain::GovernanceArtifactPublicationReadiness,
+                        static::truthEnvelope($record)->publicationReadiness ?? 'internal_only',
+                    )->color)
+                    ->icon(fn (ReviewPack $record): ?string => BadgeCatalog::spec(
+                        BadgeDomain::GovernanceArtifactPublicationReadiness,
+                        static::truthEnvelope($record)->publicationReadiness ?? 'internal_only',
+                    )->icon)
+                    ->iconColor(fn (ReviewPack $record): ?string => BadgeCatalog::spec(
+                        BadgeDomain::GovernanceArtifactPublicationReadiness,
+                        static::truthEnvelope($record)->publicationReadiness ?? 'internal_only',
+                    )->iconColor),
+                Tables\Columns\TextColumn::make('artifact_next_step')
+                    ->label('Next step')
+                    ->getStateUsing(fn (ReviewPack $record): string => static::truthEnvelope($record)->nextStepText())
+                    ->wrap(),
                 Tables\Columns\TextColumn::make('created_at')
                     ->label('Created')
                     ->since()
@@ -244,6 +338,7 @@ public static function table(Table $table): Table
                             }
 
                             $record->update(['status' => ReviewPackStatus::Expired->value]);
+                            static::truthEnvelope($record->refresh(), fresh: true);
 
                             Notification::make()
                                 ->success()
@@ -304,6 +399,15 @@ public static function getPages(): array
         ];
     }
 
+    private static function truthEnvelope(ReviewPack $record, bool $fresh = false): ArtifactTruthEnvelope
+    {
+        $presenter = app(ArtifactTruthPresenter::class);
+
+        return $fresh
+            ? $presenter->forReviewPackFresh($record)
+            : $presenter->forReviewPack($record);
+    }
+
     /**
      * @param  array<string, mixed>  $data
      */
@@ -331,7 +435,25 @@ public static function executeGeneration(array $data): void
             'include_operations' => (bool) ($data['include_operations'] ?? true),
         ];
 
-        $reviewPack = $service->generate($tenant, $user, $options);
+        try {
+            $reviewPack = $service->generate($tenant, $user, $options);
+        } catch (ReviewPackEvidenceResolutionException $exception) {
+            $reasons = $exception->result->reasons;
+
+            Notification::make()
+                ->danger()
+                ->title(match ($exception->result->outcome) {
+                    'missing_snapshot' => 'Create snapshot required',
+                    'snapshot_ineligible' => 'Snapshot is not eligible',
+                    default => 'Unable to generate review pack',
+                })
+                ->body($reasons === [] ? $exception->getMessage() : implode(' ', $reasons))
+                ->send();
+
+            return;
+        }
+
+        static::truthEnvelope($reviewPack->refresh(), fresh: true);
 
         if (! $reviewPack->wasRecentlyCreated) {
             Notification::make()

app/Filament/Resources/TenantResource.php

@@ -11,7 +11,9 @@
 use App\Models\EntraRoleDefinition;
 use App\Models\ProviderConnection;
 use App\Models\Tenant;
+use App\Models\TenantOnboardingSession;
 use App\Models\User;
+use App\Services\Audit\WorkspaceAuditLogger;
 use App\Services\Auth\CapabilityResolver;
 use App\Services\Auth\RoleCapabilityMap;
 use App\Services\Directory\EntraGroupLabelResolver;
@@ -21,7 +23,11 @@
 use App\Services\Intune\RbacOnboardingService;
 use App\Services\OperationRunService;
 use App\Services\Operations\BulkSelectionIdentity;
+use App\Services\Providers\AdminConsentUrlFactory;
+use App\Services\Tenants\TenantActionPolicySurface;
+use App\Services\Tenants\TenantOperabilityService;
 use App\Services\Verification\StartVerification;
+use App\Support\Audit\AuditActionId;
 use App\Support\Auth\Capabilities;
 use App\Support\Auth\UiTooltips;
 use App\Support\Badges\BadgeDomain;
@@ -33,10 +39,17 @@
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
 use App\Support\Rbac\UiEnforcement;
+use App\Support\Tenants\TenantActionDescriptor;
+use App\Support\Tenants\TenantActionSurface;
+use App\Support\Tenants\TenantInteractionLane;
+use App\Support\Tenants\TenantLifecyclePresentation;
+use App\Support\Tenants\TenantOperabilityOutcome;
+use App\Support\Tenants\TenantOperabilityQuestion;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions;
@@ -76,6 +89,11 @@ class TenantResource extends Resource
 
     protected static string|UnitEnum|null $navigationGroup = 'Settings';
 
+    /**
+     * @var array<string, Collection<int, TenantActionDescriptor>>
+     */
+    protected static array $tenantActionCatalogCache = [];
+
     /**
      * Tenant creation is handled exclusively by the onboarding wizard.
      * The CRUD create page has been removed.
@@ -128,10 +146,11 @@ public static function canDeleteAny(): bool
 
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
-        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
+        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView, ActionSurfaceType::CrudListFirstResource)
+            ->withListRowPrimaryActionLimit(1)
             ->satisfy(ActionSurfaceSlot::ListHeader, 'List page provides a capability-gated create action.')
-            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ViewAction->value)
-            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Row-level secondary actions are grouped under "More".')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'At most one non-inspect row action stays primary; overflow keeps helpers first, workflow actions next, and destructive actions last.')
             ->satisfy(ActionSurfaceSlot::ListBulkMoreGroup, 'Bulk actions are grouped under "More".')
             ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Create action is reused in the list empty state.')
             ->satisfy(ActionSurfaceSlot::DetailHeader, 'Tenant view page exposes header actions via an action group.');
@@ -207,6 +226,18 @@ public static function getEloquentQuery(): Builder
             ->withMax('policies as last_policy_sync_at', 'last_synced_at');
     }
 
+    public static function getGlobalSearchEloquentQuery(): Builder
+    {
+        if (app(WorkspaceContext::class)->currentWorkspaceId(request()) === null) {
+            return static::getEloquentQuery()->whereRaw('1 = 0');
+        }
+
+        return static::tenantOperability()->applyAdministrativeDiscoverabilityScope(
+            static::getEloquentQuery(),
+            (new Tenant)->getTable(),
+        );
+    }
+
     public static function table(Table $table): Table
     {
         return $table
@@ -215,6 +246,7 @@ public static function table(Table $table): Table
             ->persistFiltersInSession()
             ->persistSearchInSession()
             ->persistSortInSession()
+            ->recordUrl(fn (Tenant $record): string => static::getUrl('view', ['record' => $record]))
             ->columns([
                 Tables\Columns\TextColumn::make('name')
                     ->searchable()
@@ -242,20 +274,23 @@ public static function table(Table $table): Table
                     ->toggleable(isToggledHiddenByDefault: true),
                 Tables\Columns\IconColumn::make('is_current')
                     ->label('Current')
-                    ->boolean(),
+                    ->boolean()
+                    ->toggleable(isToggledHiddenByDefault: true),
                 Tables\Columns\TextColumn::make('status')
                     ->badge()
                     ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantStatus))
                     ->color(BadgeRenderer::color(BadgeDomain::TenantStatus))
                     ->icon(BadgeRenderer::icon(BadgeDomain::TenantStatus))
                     ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantStatus))
+                    ->description(fn (Tenant $record): string => static::tenantLifecyclePresentation($record)->shortDescription)
                     ->sortable(),
                 Tables\Columns\TextColumn::make('app_status')
                     ->badge()
                     ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantAppStatus))
                     ->color(BadgeRenderer::color(BadgeDomain::TenantAppStatus))
                     ->icon(BadgeRenderer::icon(BadgeDomain::TenantAppStatus))
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantAppStatus)),
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantAppStatus))
+                    ->toggleable(isToggledHiddenByDefault: true),
                 Tables\Columns\TextColumn::make('created_at')
                     ->dateTime()
                     ->since()
@@ -284,11 +319,49 @@ public static function table(Table $table): Table
                     ]),
             ])
             ->actions([
+                Actions\Action::make('related_onboarding')
+                    ->label(fn (Tenant $record): string => static::relatedOnboardingDraftActionLabel($record, TenantActionSurface::TenantIndexRow) ?? 'Resume onboarding')
+                    ->icon(fn (Tenant $record): string => static::relatedOnboardingDraftAction($record, TenantActionSurface::TenantIndexRow)?->icon ?? 'heroicon-o-arrow-path')
+                    ->url(fn (Tenant $record): string => static::relatedOnboardingDraftUrl($record) ?? route('admin.onboarding'))
+                    ->visible(fn (Tenant $record): bool => static::tenantIndexPrimaryAction($record)?->key === 'related_onboarding'),
                 ActionGroup::make([
-                    Actions\Action::make('view')
-                        ->label('View')
-                        ->icon('heroicon-o-eye')
-                        ->url(fn (Tenant $record) => static::getUrl('view', ['record' => $record])),
+                    Actions\Action::make('related_onboarding_overflow')
+                        ->label(fn (Tenant $record): string => static::relatedOnboardingDraftActionLabel($record, TenantActionSurface::TenantIndexRow) ?? 'View related onboarding')
+                        ->icon(fn (Tenant $record): string => static::relatedOnboardingDraftAction($record, TenantActionSurface::TenantIndexRow)?->icon ?? 'heroicon-o-eye')
+                        ->url(fn (Tenant $record): string => static::relatedOnboardingDraftUrl($record) ?? route('admin.onboarding'))
+                        ->visible(fn (Tenant $record): bool => static::relatedOnboardingDraftAction($record, TenantActionSurface::TenantIndexRow) instanceof TenantActionDescriptor
+                            && static::tenantIndexPrimaryAction($record)?->key !== 'related_onboarding'),
+                    Actions\Action::make('openTenant')
+                        ->label('Open')
+                        ->icon('heroicon-o-arrow-right')
+                        ->color('primary')
+                        ->url(fn (Tenant $record) => \App\Filament\Resources\PolicyResource::getUrl('index', panel: 'tenant', tenant: $record))
+                        ->visible(fn (Tenant $record) => $record->isActive()),
+                    UiEnforcement::forAction(
+                        Actions\Action::make('edit')
+                            ->label('Edit')
+                            ->icon('heroicon-o-pencil-square')
+                            ->url(fn (Tenant $record) => static::getUrl('edit', ['record' => $record]))
+                    )
+                        ->requireCapability(Capabilities::TENANT_MANAGE)
+                        ->apply(),
+                    UiEnforcement::forAction(
+                        Actions\Action::make('admin_consent')
+                            ->label('Grant admin consent')
+                            ->icon('heroicon-o-clipboard-document')
+                            ->url(fn (Tenant $record) => static::adminConsentUrl($record))
+                            ->visible(fn (Tenant $record) => static::adminConsentUrl($record) !== null)
+                            ->openUrlInNewTab(),
+                    )
+                        ->preserveVisibility()
+                        ->requireCapability(Capabilities::TENANT_MANAGE)
+                        ->apply(),
+                    Actions\Action::make('open_in_entra')
+                        ->label('Open in Entra')
+                        ->icon('heroicon-o-arrow-top-right-on-square')
+                        ->url(fn (Tenant $record) => static::entraUrl($record))
+                        ->visible(fn (Tenant $record) => static::entraUrl($record) !== null)
+                        ->openUrlInNewTab(),
                     UiEnforcement::forAction(
                         Actions\Action::make('syncTenant')
                             ->label('Sync')
@@ -401,81 +474,13 @@ public static function table(Table $table): Table
                         ->preserveVisibility()
                         ->requireCapability(Capabilities::TENANT_SYNC)
                         ->apply(),
-                    Actions\Action::make('openTenant')
-                        ->label('Open')
-                        ->icon('heroicon-o-arrow-right')
-                        ->color('primary')
-                        ->url(fn (Tenant $record) => \App\Filament\Resources\PolicyResource::getUrl('index', panel: 'tenant', tenant: $record))
-                        ->visible(fn (Tenant $record) => $record->isActive()),
-                    UiEnforcement::forAction(
-                        Actions\Action::make('edit')
-                            ->label('Edit')
-                            ->icon('heroicon-o-pencil-square')
-                            ->url(fn (Tenant $record) => static::getUrl('edit', ['record' => $record]))
-                    )
-                        ->requireCapability(Capabilities::TENANT_MANAGE)
-                        ->apply(),
-                    UiEnforcement::forAction(
-                        Actions\Action::make('restore')
-                            ->label('Restore')
-                            ->color('success')
-                            ->icon('heroicon-o-arrow-uturn-left')
-                            ->successNotificationTitle('Tenant reactivated')
-                            ->requiresConfirmation()
-                            ->visible(fn (Tenant $record): bool => $record->trashed())
-                            ->action(function (Tenant $record, AuditLogger $auditLogger): void {
-                                $user = auth()->user();
-
-                                if (! $user instanceof User) {
-                                    abort(403);
-                                }
-
-                                /** @var CapabilityResolver $resolver */
-                                $resolver = app(CapabilityResolver::class);
-
-                                if (! $resolver->can($user, $record, Capabilities::TENANT_DELETE)) {
-                                    abort(403);
-                                }
-
-                                $record->restore();
-
-                                $auditLogger->log(
-                                    tenant: $record,
-                                    action: 'tenant.restored',
-                                    resourceType: 'tenant',
-                                    resourceId: (string) $record->id,
-                                    status: 'success',
-                                    context: ['metadata' => ['tenant_id' => $record->tenant_id]]
-                                );
-                            })
-                    )
-                        ->preserveVisibility()
-                        ->requireCapability(Capabilities::TENANT_DELETE)
-                        ->apply(),
-                    UiEnforcement::forAction(
-                        Actions\Action::make('admin_consent')
-                            ->label('Admin consent')
-                            ->icon('heroicon-o-clipboard-document')
-                            ->url(fn (Tenant $record) => static::adminConsentUrl($record))
-                            ->visible(fn (Tenant $record) => static::adminConsentUrl($record) !== null)
-                            ->openUrlInNewTab(),
-                    )
-                        ->preserveVisibility()
-                        ->requireCapability(Capabilities::TENANT_MANAGE)
-                        ->apply(),
-                    Actions\Action::make('open_in_entra')
-                        ->label('Open in Entra')
-                        ->icon('heroicon-o-arrow-top-right-on-square')
-                        ->url(fn (Tenant $record) => static::entraUrl($record))
-                        ->visible(fn (Tenant $record) => static::entraUrl($record) !== null)
-                        ->openUrlInNewTab(),
                     UiEnforcement::forAction(
                         Actions\Action::make('verify')
                             ->label('Verify configuration')
                             ->icon('heroicon-o-check-badge')
                             ->color('primary')
                             ->requiresConfirmation()
-                            ->visible(fn (Tenant $record): bool => $record->isActive())
+                            ->visible(fn (Tenant $record): bool => static::verificationActionVisible($record))
                             ->action(function (
                                 Tenant $record,
                                 StartVerification $verification,
@@ -567,9 +572,12 @@ public static function table(Table $table): Table
                                         break;
                                     }
 
+                                    $reasonEnvelope = app(\App\Support\ReasonTranslation\ReasonPresenter::class)->forOperationRun($result->run, 'notification');
+                                    $bodyLines = $reasonEnvelope?->toBodyLines() ?? ['Blocked by provider configuration.'];
+
                                     Notification::make()
                                         ->title('Verification blocked')
-                                        ->body("Blocked by provider configuration ({$reasonCode}).")
+                                        ->body(implode("\n", $bodyLines))
                                         ->warning()
                                         ->actions($actions)
                                         ->send();
@@ -591,49 +599,24 @@ public static function table(Table $table): Table
                         ->preserveVisibility()
                         ->requireCapability(Capabilities::PROVIDER_RUN)
                         ->apply(),
-                    static::rbacAction(),
                     UiEnforcement::forAction(
-                        Actions\Action::make('archive')
-                            ->label('Deactivate')
-                            ->color('danger')
-                            ->icon('heroicon-o-archive-box-x-mark')
+                        Actions\Action::make('restore')
+                            ->label(fn (Tenant $record): string => static::lifecycleActionDescriptor($record, TenantActionSurface::TenantIndexRow)?->label ?? 'Restore')
+                            ->color('success')
+                            ->icon(fn (Tenant $record): string => static::lifecycleActionDescriptor($record, TenantActionSurface::TenantIndexRow)?->icon ?? 'heroicon-o-arrow-uturn-left')
+                            ->successNotificationTitle(fn (Tenant $record): string => static::lifecycleActionDescriptor($record, TenantActionSurface::TenantIndexRow)?->successNotificationTitle ?? 'Tenant restored')
                             ->requiresConfirmation()
-                            ->visible(fn (Tenant $record): bool => ! $record->trashed())
-                            ->action(function (Tenant $record, AuditLogger $auditLogger): void {
-                                $user = auth()->user();
-
-                                if (! $user instanceof User) {
-                                    abort(403);
-                                }
-
-                                /** @var CapabilityResolver $resolver */
-                                $resolver = app(CapabilityResolver::class);
-
-                                if (! $resolver->can($user, $record, Capabilities::TENANT_DELETE)) {
-                                    abort(403);
-                                }
-
-                                $record->delete();
-
-                                $auditLogger->log(
-                                    tenant: $record,
-                                    action: 'tenant.archived',
-                                    resourceType: 'tenant',
-                                    resourceId: (string) $record->id,
-                                    status: 'success',
-                                    context: ['metadata' => ['tenant_id' => $record->tenant_id]]
-                                );
-
-                                Notification::make()
-                                    ->title('Tenant deactivated')
-                                    ->body('The tenant has been archived and hidden from lists.')
-                                    ->success()
-                                    ->send();
-                            }),
+                            ->modalHeading(fn (Tenant $record): string => static::lifecycleActionDescriptor($record, TenantActionSurface::TenantIndexRow)?->modalHeading ?? 'Restore tenant')
+                            ->modalDescription(fn (Tenant $record): string => static::lifecycleActionDescriptor($record, TenantActionSurface::TenantIndexRow)?->modalDescription ?? 'Restore this archived tenant to make it available again in normal management flows.')
+                            ->visible(fn (Tenant $record): bool => static::lifecycleActionDescriptor($record, TenantActionSurface::TenantIndexRow)?->key === 'restore')
+                            ->action(function (Tenant $record, WorkspaceAuditLogger $auditLogger): void {
+                                static::restoreTenant($record, $auditLogger);
+                            })
                     )
                         ->preserveVisibility()
                         ->requireCapability(Capabilities::TENANT_DELETE)
                         ->apply(),
+                    static::rbacAction(),
                     UiEnforcement::forAction(
                         Actions\Action::make('forceDelete')
                             ->label('Force delete')
@@ -690,6 +673,23 @@ public static function table(Table $table): Table
                         ->preserveVisibility()
                         ->requireCapability(Capabilities::TENANT_DELETE)
                         ->apply(),
+                    UiEnforcement::forAction(
+                        Actions\Action::make('archive')
+                            ->label(fn (Tenant $record): string => static::lifecycleActionDescriptor($record, TenantActionSurface::TenantIndexRow)?->label ?? 'Archive')
+                            ->color('danger')
+                            ->icon(fn (Tenant $record): string => static::lifecycleActionDescriptor($record, TenantActionSurface::TenantIndexRow)?->icon ?? 'heroicon-o-archive-box-x-mark')
+                            ->successNotificationTitle(fn (Tenant $record): string => static::lifecycleActionDescriptor($record, TenantActionSurface::TenantIndexRow)?->successNotificationTitle ?? 'Tenant archived')
+                            ->requiresConfirmation()
+                            ->modalHeading(fn (Tenant $record): string => static::lifecycleActionDescriptor($record, TenantActionSurface::TenantIndexRow)?->modalHeading ?? 'Archive tenant')
+                            ->modalDescription(fn (Tenant $record): string => static::lifecycleActionDescriptor($record, TenantActionSurface::TenantIndexRow)?->modalDescription ?? 'Archive this tenant to retain it for inspection while removing it from active operating flows.')
+                            ->visible(fn (Tenant $record): bool => static::lifecycleActionDescriptor($record, TenantActionSurface::TenantIndexRow)?->key === 'archive')
+                            ->action(function (Tenant $record, WorkspaceAuditLogger $auditLogger): void {
+                                static::archiveTenant($record, $auditLogger);
+                            })
+                    )
+                        ->preserveVisibility()
+                        ->requireCapability(Capabilities::TENANT_DELETE)
+                        ->apply(),
                 ])
                     ->label('More')
                     ->icon('heroicon-o-ellipsis-vertical')
@@ -838,6 +838,10 @@ public static function infolist(Schema $schema): Schema
                             ->color(BadgeRenderer::color(BadgeDomain::TenantStatus))
                             ->icon(BadgeRenderer::icon(BadgeDomain::TenantStatus))
                             ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantStatus)),
+                        Infolists\Components\TextEntry::make('lifecycle_summary')
+                            ->label('Lifecycle summary')
+                            ->state(fn (Tenant $record): string => static::tenantLifecyclePresentation($record)->longDescription)
+                            ->columnSpanFull(),
                         Infolists\Components\TextEntry::make('app_status')
                             ->badge()
                             ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantAppStatus))
@@ -905,8 +909,20 @@ public static function infolist(Schema $schema): Schema
                             ->visible(fn (Tenant $record): bool => filled($record->rbac_status)),
                         Section::make('RBAC Details')
                             ->schema([
+                                Infolists\Components\TextEntry::make('rbac_status_reason_label')
+                                    ->label('Reason')
+                                    ->state(fn (Tenant $record): ?string => app(\App\Support\ReasonTranslation\ReasonPresenter::class)
+                                        ->primaryLabel(app(\App\Support\ReasonTranslation\ReasonPresenter::class)->forRbacReason($record->rbac_status_reason, 'detail')))
+                                    ->visible(fn (?string $state): bool => filled($state)),
+                                Infolists\Components\TextEntry::make('rbac_status_reason_explanation')
+                                    ->label('Explanation')
+                                    ->state(fn (Tenant $record): ?string => app(\App\Support\ReasonTranslation\ReasonPresenter::class)
+                                        ->shortExplanation(app(\App\Support\ReasonTranslation\ReasonPresenter::class)->forRbacReason($record->rbac_status_reason, 'detail')))
+                                    ->visible(fn (?string $state): bool => filled($state))
+                                    ->columnSpanFull(),
                                 Infolists\Components\TextEntry::make('rbac_status_reason')
-                                    ->label('Reason'),
+                                    ->label('Diagnostic code')
+                                    ->copyable(),
                                 Infolists\Components\TextEntry::make('rbac_role_definition_id')
                                     ->label('Role definition ID')
                                     ->copyable(),
@@ -936,7 +952,7 @@ public static function infolist(Schema $schema): Schema
                 Section::make('Integration')
                     ->schema([
                         Infolists\Components\TextEntry::make('admin_consent_url')
-                            ->label('Admin consent URL')
+                            ->label('Grant admin consent URL')
                             ->state(fn (Tenant $record) => static::adminConsentUrl($record))
                             ->visible(fn (?string $state) => filled($state))
                             ->copyable()
@@ -1013,6 +1029,216 @@ protected static function storedPermissionSnapshot(Tenant $tenant): array
         return $snapshot;
     }
 
+    protected static function tenantLifecyclePresentation(Tenant $tenant): TenantLifecyclePresentation
+    {
+        return TenantLifecyclePresentation::fromTenant($tenant);
+    }
+
+    public static function tenantOperability(): TenantOperabilityService
+    {
+        return app(TenantOperabilityService::class);
+    }
+
+    public static function tenantActionPolicy(): TenantActionPolicySurface
+    {
+        return app(TenantActionPolicySurface::class);
+    }
+
+    /**
+     * @return Collection<int, TenantActionDescriptor>
+     */
+    public static function tenantActionCatalog(Tenant $tenant, TenantActionSurface $surface = TenantActionSurface::TenantIndexRow): Collection
+    {
+        $cacheKey = static::tenantActionCatalogCacheKey($tenant, $surface);
+
+        if (! array_key_exists($cacheKey, static::$tenantActionCatalogCache)) {
+            static::$tenantActionCatalogCache[$cacheKey] = collect(static::tenantActionPolicy()->catalogForTenant($tenant, $surface))->values();
+        }
+
+        return static::$tenantActionCatalogCache[$cacheKey];
+    }
+
+    public static function lifecycleActionDescriptor(Tenant $tenant, TenantActionSurface $surface = TenantActionSurface::TenantIndexRow): ?TenantActionDescriptor
+    {
+        return static::tenantActionDescriptorForSurface($tenant, $surface, 'restore')
+            ?? static::tenantActionDescriptorForSurface($tenant, $surface, 'archive');
+    }
+
+    public static function tenantIndexPrimaryAction(Tenant $tenant): ?TenantActionDescriptor
+    {
+        $catalog = static::tenantActionCatalog($tenant, TenantActionSurface::TenantIndexRow);
+
+        return $catalog[1] ?? null;
+    }
+
+    public static function relatedOnboardingDraft(Tenant $tenant): ?TenantOnboardingSession
+    {
+        return static::tenantActionPolicy()->relatedOnboardingDraft($tenant);
+    }
+
+    public static function relatedOnboardingDraftAction(Tenant $tenant, TenantActionSurface $surface = TenantActionSurface::TenantViewHeader): ?TenantActionDescriptor
+    {
+        return static::tenantActionDescriptorForSurface($tenant, $surface, 'related_onboarding');
+    }
+
+    public static function relatedOnboardingDraftActionLabel(Tenant $tenant, TenantActionSurface $surface = TenantActionSurface::TenantViewHeader): ?string
+    {
+        return static::relatedOnboardingDraftAction($tenant, $surface)?->label;
+    }
+
+    public static function relatedOnboardingDraftUrl(Tenant $tenant): ?string
+    {
+        $draft = static::relatedOnboardingDraft($tenant);
+
+        if (! $draft instanceof TenantOnboardingSession) {
+            return null;
+        }
+
+        return route('admin.onboarding.draft', ['onboardingDraft' => (int) $draft->getKey()]);
+    }
+
+    public static function verificationActionVisible(Tenant $tenant): bool
+    {
+        $outcome = static::verificationReadinessOutcome($tenant);
+
+        return $outcome->allowed || $outcome->isDeniedForCapability();
+    }
+
+    public static function verificationReadinessOutcome(Tenant $tenant): TenantOperabilityOutcome
+    {
+        $user = auth()->user();
+
+        return static::tenantOperability()->outcomeFor(
+            tenant: $tenant,
+            question: TenantOperabilityQuestion::VerificationReadinessEligibility,
+            actor: $user instanceof User ? $user : null,
+            workspaceId: app(WorkspaceContext::class)->currentWorkspaceId(request()),
+            lane: TenantInteractionLane::AdministrativeManagement,
+        );
+    }
+
+    private static function tenantActionDescriptorForSurface(Tenant $tenant, TenantActionSurface $surface, string $key): ?TenantActionDescriptor
+    {
+        $descriptor = static::tenantActionCatalog($tenant, $surface)
+            ->first(fn (TenantActionDescriptor $descriptor): bool => $descriptor->key === $key);
+
+        return $descriptor instanceof TenantActionDescriptor ? $descriptor : null;
+    }
+
+    private static function tenantActionCatalogCacheKey(Tenant $tenant, TenantActionSurface $surface): string
+    {
+        $relatedDraft = static::relatedOnboardingDraft($tenant);
+
+        return implode(':', [
+            (string) (auth()->id() ?? 'guest'),
+            $surface->value,
+            (string) ($tenant->getKey() ?? 'missing'),
+            (string) $tenant->status,
+            (string) ($tenant->updated_at?->getTimestamp() ?? 'no-updated-at'),
+            (string) ($tenant->deleted_at?->getTimestamp() ?? 'not-deleted'),
+            (string) ($relatedDraft?->getKey() ?? 'no-draft'),
+            (string) ($relatedDraft?->workflowStatus()->value ?? 'no-draft-status'),
+            (string) ($relatedDraft?->lifecycleState()->value ?? 'no-draft-lifecycle-state'),
+            (string) ($relatedDraft?->updated_at?->getTimestamp() ?? 'no-draft-updated-at'),
+            (string) ($relatedDraft?->completed_at?->getTimestamp() ?? 'no-draft-completed-at'),
+            (string) ($relatedDraft?->cancelled_at?->getTimestamp() ?? 'no-draft-cancelled-at'),
+        ]);
+    }
+
+    public static function archiveTenant(Tenant $record, WorkspaceAuditLogger $auditLogger): void
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            abort(403);
+        }
+
+        if (! $user->canAccessTenant($record)) {
+            abort(404);
+        }
+
+        /** @var CapabilityResolver $resolver */
+        $resolver = app(CapabilityResolver::class);
+
+        if (! $resolver->can($user, $record, Capabilities::TENANT_DELETE)) {
+            abort(403);
+        }
+
+        $descriptor = static::lifecycleActionDescriptor($record);
+
+        if (! $descriptor instanceof TenantActionDescriptor || $descriptor->key !== 'archive') {
+            Notification::make()
+                ->title('Archive unavailable')
+                ->body('Only active tenants can be archived from tenant management surfaces.')
+                ->warning()
+                ->send();
+
+            return;
+        }
+
+        $record->delete();
+
+        $auditLogger->logTenantLifecycleAction(
+            tenant: $record,
+            action: AuditActionId::TenantArchived,
+            actor: $user,
+            context: ['metadata' => ['tenant_id' => $record->tenant_id]]
+        );
+
+        Notification::make()
+            ->title($descriptor->successNotificationTitle ?? 'Tenant archived')
+            ->body($descriptor->successNotificationBody ?? 'The tenant remains available for inspection and audit history, but it is no longer selectable as active context.')
+            ->success()
+            ->send();
+    }
+
+    public static function restoreTenant(Tenant $record, WorkspaceAuditLogger $auditLogger): void
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            abort(403);
+        }
+
+        if (! $user->canAccessTenant($record)) {
+            abort(404);
+        }
+
+        /** @var CapabilityResolver $resolver */
+        $resolver = app(CapabilityResolver::class);
+
+        if (! $resolver->can($user, $record, Capabilities::TENANT_DELETE)) {
+            abort(403);
+        }
+
+        $descriptor = static::lifecycleActionDescriptor($record);
+
+        if (! $descriptor instanceof TenantActionDescriptor || $descriptor->key !== 'restore') {
+            Notification::make()
+                ->title('Restore unavailable')
+                ->body('Only archived tenants can be restored from tenant management surfaces.')
+                ->warning()
+                ->send();
+
+            return;
+        }
+
+        $record->restore();
+
+        $auditLogger->logTenantLifecycleAction(
+            tenant: $record,
+            action: AuditActionId::TenantRestored,
+            actor: $user,
+            context: ['metadata' => ['tenant_id' => $record->tenant_id]]
+        );
+
+        Notification::make()
+            ->title($descriptor->successNotificationTitle ?? 'Tenant restored')
+            ->body($descriptor->successNotificationBody ?? 'The tenant is available again in normal tenant management flows and can be selected as active context.')
+            ->success()
+            ->send();
+    }
+
     public static function getPages(): array
     {
         return [
@@ -1231,36 +1457,6 @@ public static function rbacAction(): Actions\Action
     }
 
     public static function adminConsentUrl(Tenant $tenant): ?string
-    {
-        $tenantId = $tenant->graphTenantId();
-        $clientId = $tenant->app_client_id;
-
-        if (! is_string($clientId) || trim($clientId) === '') {
-            $clientId = static::resolveProviderClientIdForConsent($tenant);
-        }
-        $redirectUri = route('admin.consent.callback');
-        $state = sprintf('tenantpilot|%s', $tenant->id);
-
-        if (! $tenantId || ! $clientId || ! $redirectUri) {
-            return null;
-        }
-
-        // Admin consent should use `.default` so the tenant consents to the app's configured
-        // application permissions. Keeping the URL short also avoids edge cases where a long
-        // scope string gets truncated and causes AADSTS900144 (missing `scope`).
-        $scopes = 'https://graph.microsoft.com/.default';
-
-        $query = http_build_query([
-            'client_id' => $clientId,
-            'state' => $state,
-            'redirect_uri' => $redirectUri,
-            'scope' => $scopes,
-        ]);
-
-        return sprintf('https://login.microsoftonline.com/%s/v2.0/adminconsent?%s', $tenantId, $query);
-    }
-
-    private static function resolveProviderClientIdForConsent(Tenant $tenant): ?string
     {
         $connection = ProviderConnection::query()
             ->where('tenant_id', (int) $tenant->getKey())
@@ -1273,21 +1469,11 @@ private static function resolveProviderClientIdForConsent(Tenant $tenant): ?stri
             return null;
         }
 
-        $payload = $connection->credential?->payload;
-
-        if (! is_array($payload)) {
+        try {
+            return app(AdminConsentUrlFactory::class)->make($connection, sprintf('tenantpilot|%s', $tenant->id));
+        } catch (\Throwable) {
             return null;
         }
-
-        $clientId = $payload['client_id'] ?? null;
-
-        if (! is_string($clientId)) {
-            return null;
-        }
-
-        $clientId = trim($clientId);
-
-        return $clientId !== '' ? $clientId : null;
     }
 
     /**
@@ -1340,10 +1526,21 @@ private static function providerConnectionState(Tenant $tenant): array
 
     public static function entraUrl(Tenant $tenant): ?string
     {
-        if ($tenant->app_client_id) {
+        $connection = ProviderConnection::query()
+            ->where('tenant_id', (int) $tenant->getKey())
+            ->where('provider', 'microsoft')
+            ->orderByDesc('is_default')
+            ->orderBy('id')
+            ->first();
+
+        $effectiveAppId = $connection instanceof ProviderConnection
+            ? $connection->effectiveAppId()
+            : null;
+
+        if (filled($effectiveAppId)) {
             return sprintf(
                 'https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/appId/%s',
-                $tenant->app_client_id
+                $effectiveAppId
             );
         }
 

app/Filament/Resources/TenantResource/Pages/EditTenant.php

@@ -4,8 +4,10 @@
 
 use App\Filament\Resources\TenantResource;
 use App\Models\Tenant;
+use App\Services\Audit\WorkspaceAuditLogger;
 use App\Support\Auth\Capabilities;
 use App\Support\Rbac\UiEnforcement;
+use App\Support\Tenants\TenantActionSurface;
 use Filament\Actions;
 use Filament\Actions\Action;
 use Filament\Resources\Pages\EditRecord;
@@ -18,14 +20,40 @@ protected function getHeaderActions(): array
     {
         return [
             Actions\ViewAction::make(),
+            Actions\Action::make('related_onboarding')
+                ->label(fn (Tenant $record): string => TenantResource::relatedOnboardingDraftActionLabel($record, TenantActionSurface::TenantEditHeader) ?? 'View related onboarding')
+                ->icon(fn (Tenant $record): string => TenantResource::relatedOnboardingDraftAction($record, TenantActionSurface::TenantEditHeader)?->icon ?? 'heroicon-o-eye')
+                ->url(fn (Tenant $record): string => TenantResource::relatedOnboardingDraftUrl($record) ?? route('admin.onboarding'))
+                ->visible(fn (Tenant $record): bool => TenantResource::relatedOnboardingDraftAction($record, TenantActionSurface::TenantEditHeader) instanceof \App\Support\Tenants\TenantActionDescriptor),
+            UiEnforcement::forAction(
+                Action::make('restore')
+                    ->label(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->label ?? 'Restore')
+                    ->color('success')
+                    ->icon(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->icon ?? 'heroicon-o-arrow-uturn-left')
+                    ->requiresConfirmation()
+                    ->modalHeading(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->modalHeading ?? 'Restore tenant')
+                    ->modalDescription(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->modalDescription ?? 'Restore this archived tenant to make it available again in normal management flows.')
+                    ->visible(fn (Tenant $record): bool => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->key === 'restore')
+                    ->action(function (Tenant $record, WorkspaceAuditLogger $auditLogger): void {
+                        TenantResource::restoreTenant($record, $auditLogger);
+                    })
+            )
+                ->requireCapability(Capabilities::TENANT_DELETE)
+                ->tooltip('You do not have permission to restore tenants.')
+                ->preserveVisibility()
+                ->destructive()
+                ->apply(),
             UiEnforcement::forAction(
                 Action::make('archive')
-                    ->label('Archive')
+                    ->label(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->label ?? 'Archive')
                     ->color('danger')
+                    ->icon(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->icon ?? 'heroicon-o-archive-box-x-mark')
                     ->requiresConfirmation()
-                    ->visible(fn (Tenant $record): bool => ! $record->trashed())
-                    ->action(function (Tenant $record): void {
-                        $record->delete();
+                    ->modalHeading(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->modalHeading ?? 'Archive tenant')
+                    ->modalDescription(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->modalDescription ?? 'Archive this tenant to retain it for inspection while removing it from active operating flows.')
+                    ->visible(fn (Tenant $record): bool => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->key === 'archive')
+                    ->action(function (Tenant $record, WorkspaceAuditLogger $auditLogger): void {
+                        TenantResource::archiveTenant($record, $auditLogger);
                     })
             )
                 ->requireCapability(Capabilities::TENANT_DELETE)

app/Filament/Resources/TenantResource/Pages/ListTenants.php

@@ -1,8 +1,14 @@
 <?php
 
+declare(strict_types=1);
+
 namespace App\Filament\Resources\TenantResource\Pages;
 
 use App\Filament\Resources\TenantResource;
+use App\Models\User;
+use App\Models\Workspace;
+use App\Services\Onboarding\OnboardingDraftResolver;
+use App\Support\Workspaces\WorkspaceContext;
 use Filament\Actions;
 use Filament\Resources\Pages\ListRecords;
 
@@ -13,10 +19,7 @@ class ListTenants extends ListRecords
     protected function getHeaderActions(): array
     {
         return [
-            Actions\Action::make('add_tenant')
-                ->label('Add tenant')
-                ->icon('heroicon-m-plus')
-                ->url(route('admin.onboarding'))
+            $this->makeOnboardingEntryAction()
                 ->visible(fn (): bool => $this->getTableRecords()->count() > 0),
         ];
     }
@@ -24,10 +27,40 @@ protected function getHeaderActions(): array
     protected function getTableEmptyStateActions(): array
     {
         return [
-            Actions\Action::make('add_tenant')
-                ->label('Add tenant')
-                ->icon('heroicon-m-plus')
-                ->url(route('admin.onboarding')),
+            $this->makeOnboardingEntryAction(),
         ];
     }
+
+    private function makeOnboardingEntryAction(): Actions\Action
+    {
+        $descriptor = TenantResource::tenantActionPolicy()->onboardingEntryDescriptor($this->accessibleResumableDraftCount());
+
+        return Actions\Action::make('add_tenant')
+            ->label($descriptor->label)
+            ->icon($descriptor->icon)
+            ->url(route('admin.onboarding'));
+    }
+
+    private function accessibleResumableDraftCount(): int
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            return 0;
+        }
+
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
+
+        if (! is_int($workspaceId)) {
+            return 0;
+        }
+
+        $workspace = Workspace::query()->whereKey($workspaceId)->first();
+
+        if (! $workspace instanceof Workspace) {
+            return 0;
+        }
+
+        return app(OnboardingDraftResolver::class)->resumableDraftsFor($user, $workspace)->count();
+    }
 }

app/Filament/Resources/TenantResource/Pages/ViewTenant.php

@@ -11,7 +11,7 @@
 use App\Jobs\RefreshTenantRbacHealthJob;
 use App\Models\Tenant;
 use App\Models\User;
-use App\Services\Intune\AuditLogger;
+use App\Services\Audit\WorkspaceAuditLogger;
 use App\Services\OperationRunService;
 use App\Services\Verification\StartVerification;
 use App\Support\Auth\Capabilities;
@@ -20,6 +20,7 @@
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
 use App\Support\Rbac\UiEnforcement;
+use App\Support\Tenants\TenantActionSurface;
 use Filament\Actions;
 use Filament\Notifications\Notification;
 use Filament\Resources\Pages\ViewRecord;
@@ -63,8 +64,13 @@ protected function getHeaderActions(): array
                 )
                     ->requireCapability(Capabilities::TENANT_MANAGE)
                     ->apply(),
+                Actions\Action::make('related_onboarding')
+                    ->label(fn (Tenant $record): string => TenantResource::relatedOnboardingDraftActionLabel($record, TenantActionSurface::TenantViewHeader) ?? 'View related onboarding')
+                    ->icon(fn (Tenant $record): string => TenantResource::relatedOnboardingDraftAction($record, TenantActionSurface::TenantViewHeader)?->icon ?? 'heroicon-o-eye')
+                    ->url(fn (Tenant $record): string => TenantResource::relatedOnboardingDraftUrl($record) ?? route('admin.onboarding'))
+                    ->visible(fn (Tenant $record): bool => TenantResource::relatedOnboardingDraftAction($record, TenantActionSurface::TenantViewHeader) instanceof \App\Support\Tenants\TenantActionDescriptor),
                 Actions\Action::make('admin_consent')
-                    ->label('Admin consent')
+                    ->label('Grant admin consent')
                     ->icon('heroicon-o-clipboard-document')
                     ->url(fn (Tenant $record) => TenantResource::adminConsentUrl($record))
                     ->visible(fn (Tenant $record) => TenantResource::adminConsentUrl($record) !== null)
@@ -81,7 +87,7 @@ protected function getHeaderActions(): array
                         ->icon('heroicon-o-check-badge')
                         ->color('primary')
                         ->requiresConfirmation()
-                        ->visible(fn (Tenant $record): bool => $record->isActive())
+                        ->visible(fn (Tenant $record): bool => TenantResource::verificationActionVisible($record))
                         ->action(function (
                             Tenant $record,
                             StartVerification $verification,
@@ -172,9 +178,12 @@ protected function getHeaderActions(): array
                                     break;
                                 }
 
+                                $reasonEnvelope = app(\App\Support\ReasonTranslation\ReasonPresenter::class)->forOperationRun($result->run, 'notification');
+                                $bodyLines = $reasonEnvelope?->toBodyLines() ?? ['Blocked by provider configuration.'];
+
                                 Notification::make()
                                     ->title('Verification blocked')
-                                    ->body("Blocked by provider configuration ({$reasonCode}).")
+                                    ->body(implode("\n", $bodyLines))
                                     ->warning()
                                     ->actions($actions)
                                     ->send();
@@ -264,34 +273,34 @@ protected function getHeaderActions(): array
                     ->preserveVisibility()
                     ->requireCapability(Capabilities::PROVIDER_RUN)
                     ->apply(),
+                UiEnforcement::forAction(
+                    Actions\Action::make('restore')
+                        ->label(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->label ?? 'Restore')
+                        ->color('success')
+                        ->icon(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->icon ?? 'heroicon-o-arrow-uturn-left')
+                        ->requiresConfirmation()
+                        ->modalHeading(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->modalHeading ?? 'Restore tenant')
+                        ->modalDescription(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->modalDescription ?? 'Restore this archived tenant to make it available again in normal management flows.')
+                        ->visible(fn (Tenant $record): bool => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->key === 'restore')
+                        ->action(function (Tenant $record, WorkspaceAuditLogger $auditLogger): void {
+                            TenantResource::restoreTenant($record, $auditLogger);
+                        })
+                )
+                    ->preserveVisibility()
+                    ->requireCapability(Capabilities::TENANT_DELETE)
+                    ->destructive()
+                    ->apply(),
                 UiEnforcement::forAction(
                     Actions\Action::make('archive')
-                        ->label('Deactivate')
+                        ->label(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->label ?? 'Archive')
                         ->color('danger')
-                        ->icon('heroicon-o-archive-box-x-mark')
-                        ->visible(fn (Tenant $record): bool => ! $record->trashed())
-                        ->action(function (Tenant $record, AuditLogger $auditLogger): void {
-                            $record->delete();
-
-                            $auditLogger->log(
-                                tenant: $record,
-                                action: 'tenant.archived',
-                                resourceType: 'tenant',
-                                resourceId: (string) $record->getKey(),
-                                status: 'success',
-                                context: [
-                                    'metadata' => [
-                                        'internal_tenant_id' => (int) $record->getKey(),
-                                        'tenant_guid' => (string) $record->tenant_id,
-                                    ],
-                                ]
-                            );
-
-                            Notification::make()
-                                ->title('Tenant deactivated')
-                                ->body('The tenant has been archived and hidden from lists.')
-                                ->success()
-                                ->send();
+                        ->icon(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->icon ?? 'heroicon-o-archive-box-x-mark')
+                        ->requiresConfirmation()
+                        ->modalHeading(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->modalHeading ?? 'Archive tenant')
+                        ->modalDescription(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->modalDescription ?? 'Archive this tenant to retain it for inspection while removing it from active operating flows.')
+                        ->visible(fn (Tenant $record): bool => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->key === 'archive')
+                        ->action(function (Tenant $record, WorkspaceAuditLogger $auditLogger): void {
+                            TenantResource::archiveTenant($record, $auditLogger);
                         })
                 )
                     ->preserveVisibility()

app/Filament/Resources/TenantResource/RelationManagers/TenantMembershipsRelationManager.php

@@ -2,12 +2,17 @@
 
 namespace App\Filament\Resources\TenantResource\RelationManagers;
 
+use App\Filament\Resources\TenantResource\Pages\ManageTenantMemberships;
 use App\Models\Tenant;
 use App\Models\TenantMembership;
 use App\Models\User;
+use App\Services\Auth\CapabilityResolver;
 use App\Services\Auth\TenantMembershipManager;
 use App\Support\Auth\Capabilities;
 use App\Support\Rbac\UiEnforcement;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use Filament\Actions\Action;
 use Filament\Forms;
 use Filament\Notifications\Notification;
@@ -15,11 +20,48 @@
 use Filament\Tables;
 use Filament\Tables\Table;
 use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Model;
 
 class TenantMembershipsRelationManager extends RelationManager
 {
     protected static string $relationship = 'memberships';
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forRelationManager(ActionSurfaceProfile::RelationManager)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Add member action is available in the relation header.')
+            ->exempt(ActionSurfaceSlot::InspectAffordance, 'Tenant membership rows are managed inline and have no separate inspect destination.')
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Change role and remove stay direct for focused inline membership management.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Bulk membership mutations are intentionally omitted.')
+            ->exempt(ActionSurfaceSlot::ListEmptyState, 'No empty-state actions are exposed; add member remains available in the header.');
+    }
+
+    public static function canViewForRecord(Model $ownerRecord, string $pageClass): bool
+    {
+        if (! $ownerRecord instanceof Tenant) {
+            return false;
+        }
+
+        if ($pageClass !== ManageTenantMemberships::class) {
+            return false;
+        }
+
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            return false;
+        }
+
+        if (! $user->canAccessTenant($ownerRecord)) {
+            return false;
+        }
+
+        /** @var CapabilityResolver $resolver */
+        $resolver = app(CapabilityResolver::class);
+
+        return $resolver->can($user, $ownerRecord, Capabilities::TENANT_MEMBERSHIP_VIEW);
+    }
+
     public function table(Table $table): Table
     {
         return $table

app/Filament/Resources/TenantReviewResource.php

@@ -0,0 +1,620 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Resources;
+
+use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
+use App\Filament\Concerns\ResolvesPanelTenantContext;
+use App\Filament\Resources\TenantReviewResource\Pages;
+use App\Models\EvidenceSnapshot;
+use App\Models\Tenant;
+use App\Models\TenantReview;
+use App\Models\TenantReviewSection;
+use App\Models\User;
+use App\Services\ReviewPackService;
+use App\Services\TenantReviews\TenantReviewService;
+use App\Support\Auth\Capabilities;
+use App\Support\Badges\BadgeCatalog;
+use App\Support\Badges\BadgeDomain;
+use App\Support\Badges\BadgeRenderer;
+use App\Support\OperationRunLinks;
+use App\Support\OperationRunType;
+use App\Support\OpsUx\OperationUxPresenter;
+use App\Support\Rbac\UiEnforcement;
+use App\Support\TenantReviewCompletenessState;
+use App\Support\TenantReviewStatus;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
+use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthEnvelope;
+use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthPresenter;
+use BackedEnum;
+use Filament\Actions;
+use Filament\Facades\Filament;
+use Filament\Forms\Components\Select;
+use Filament\Infolists\Components\RepeatableEntry;
+use Filament\Infolists\Components\TextEntry;
+use Filament\Infolists\Components\ViewEntry;
+use Filament\Notifications\Notification;
+use Filament\Resources\Resource;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Schema;
+use Filament\Support\Enums\TextSize;
+use Filament\Tables;
+use Filament\Tables\Table;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Str;
+use UnitEnum;
+
+class TenantReviewResource extends Resource
+{
+    use InteractsWithTenantOwnedRecords;
+    use ResolvesPanelTenantContext;
+
+    protected static bool $isDiscovered = false;
+
+    protected static ?string $model = TenantReview::class;
+
+    protected static ?string $slug = 'reviews';
+
+    protected static ?string $tenantOwnershipRelationshipName = 'tenant';
+
+    protected static bool $isGloballySearchable = false;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-document-magnifying-glass';
+
+    protected static string|UnitEnum|null $navigationGroup = 'Reporting';
+
+    protected static ?string $navigationLabel = 'Reviews';
+
+    protected static ?int $navigationSort = 45;
+
+    public static function shouldRegisterNavigation(): bool
+    {
+        return Filament::getCurrentPanel()?->getId() === 'tenant';
+    }
+
+    public static function canViewAny(): bool
+    {
+        $tenant = static::resolveTenantContextForCurrentPanel();
+        $user = auth()->user();
+
+        if (! $tenant instanceof Tenant || ! $user instanceof User) {
+            return false;
+        }
+
+        if (! $user->canAccessTenant($tenant)) {
+            return false;
+        }
+
+        return $user->can(Capabilities::TENANT_REVIEW_VIEW, $tenant);
+    }
+
+    public static function canView(Model $record): bool
+    {
+        $tenant = static::resolveTenantContextForCurrentPanel();
+        $user = auth()->user();
+
+        if (! $tenant instanceof Tenant || ! $user instanceof User || ! $record instanceof TenantReview) {
+            return false;
+        }
+
+        if (! $user->canAccessTenant($tenant)) {
+            return false;
+        }
+
+        if ((int) $record->tenant_id !== (int) $tenant->getKey()) {
+            return false;
+        }
+
+        return $user->can('view', $record);
+    }
+
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView, ActionSurfaceType::ReadOnlyRegistryReport)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Create review is available from the review library header.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state includes exactly one Create first review CTA.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Tenant reviews do not expose bulk actions in the first slice.')
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Clickable-row inspection stays primary while Export executive pack remains the only inline row shortcut.')
+            ->satisfy(ActionSurfaceSlot::DetailHeader, 'Detail exposes Refresh review, Publish review, Export executive pack, Archive review, and Create next review as applicable.');
+    }
+
+    public static function getEloquentQuery(): Builder
+    {
+        return static::getTenantOwnedEloquentQuery()
+            ->with(['tenant', 'evidenceSnapshot', 'operationRun', 'initiator', 'publisher', 'currentExportReviewPack', 'sections'])
+            ->latest('generated_at')
+            ->latest('id');
+    }
+
+    public static function resolveScopedRecordOrFail(int|string|null $record): Model
+    {
+        return static::resolveTenantOwnedRecordOrFail($record);
+    }
+
+    public static function form(Schema $schema): Schema
+    {
+        return $schema;
+    }
+
+    public static function infolist(Schema $schema): Schema
+    {
+        return $schema->schema([
+            Section::make('Artifact truth')
+                ->schema([
+                    ViewEntry::make('artifact_truth')
+                        ->hiddenLabel()
+                        ->view('filament.infolists.entries.governance-artifact-truth')
+                        ->state(fn (TenantReview $record): array => static::truthEnvelope($record)->toArray())
+                        ->columnSpanFull(),
+                ])
+                ->columnSpanFull(),
+            Section::make('Review')
+                ->schema([
+                    TextEntry::make('status')
+                        ->badge()
+                        ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewStatus))
+                        ->color(BadgeRenderer::color(BadgeDomain::TenantReviewStatus))
+                        ->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewStatus))
+                        ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewStatus)),
+                    TextEntry::make('completeness_state')
+                        ->label('Completeness')
+                        ->badge()
+                        ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewCompleteness))
+                        ->color(BadgeRenderer::color(BadgeDomain::TenantReviewCompleteness))
+                        ->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewCompleteness))
+                        ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewCompleteness)),
+                    TextEntry::make('tenant.name')->label('Tenant'),
+                    TextEntry::make('generated_at')->dateTime()->placeholder('—'),
+                    TextEntry::make('published_at')->dateTime()->placeholder('—'),
+                    TextEntry::make('evidenceSnapshot.id')
+                        ->label('Evidence snapshot')
+                        ->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
+                        ->url(fn (TenantReview $record): ?string => $record->evidenceSnapshot
+                            ? EvidenceSnapshotResource::getUrl('view', ['record' => $record->evidenceSnapshot], tenant: $record->tenant)
+                            : null),
+                    TextEntry::make('currentExportReviewPack.id')
+                        ->label('Current export')
+                        ->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
+                        ->url(fn (TenantReview $record): ?string => $record->currentExportReviewPack
+                            ? ReviewPackResource::getUrl('view', ['record' => $record->currentExportReviewPack], tenant: $record->tenant)
+                            : null),
+                    TextEntry::make('fingerprint')
+                        ->copyable()
+                        ->placeholder('—')
+                        ->columnSpanFull()
+                        ->fontFamily('mono')
+                        ->size(TextSize::ExtraSmall),
+                ])
+                ->columns(2)
+                ->columnSpanFull(),
+            Section::make('Executive posture')
+                ->schema([
+                    ViewEntry::make('review_summary')
+                        ->hiddenLabel()
+                        ->view('filament.infolists.entries.tenant-review-summary')
+                        ->state(fn (TenantReview $record): array => static::summaryPresentation($record))
+                        ->columnSpanFull(),
+                ])
+                ->columnSpanFull(),
+            Section::make('Sections')
+                ->schema([
+                    RepeatableEntry::make('sections')
+                        ->hiddenLabel()
+                        ->schema([
+                            TextEntry::make('title'),
+                            TextEntry::make('completeness_state')
+                                ->label('Completeness')
+                                ->badge()
+                                ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewCompleteness))
+                                ->color(BadgeRenderer::color(BadgeDomain::TenantReviewCompleteness))
+                                ->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewCompleteness))
+                                ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewCompleteness)),
+                            TextEntry::make('measured_at')->dateTime()->placeholder('—'),
+                            Section::make('Details')
+                                ->schema([
+                                    ViewEntry::make('section_payload')
+                                        ->hiddenLabel()
+                                        ->view('filament.infolists.entries.tenant-review-section')
+                                        ->state(fn (TenantReviewSection $record): array => static::sectionPresentation($record))
+                                        ->columnSpanFull(),
+                                ])
+                                ->collapsible()
+                                ->collapsed()
+                                ->columnSpanFull(),
+                        ])
+                        ->columns(3),
+                ])
+                ->columnSpanFull(),
+        ]);
+    }
+
+    public static function table(Table $table): Table
+    {
+        return $table
+            ->defaultSort('generated_at', 'desc')
+            ->persistFiltersInSession()
+            ->persistSearchInSession()
+            ->persistSortInSession()
+            ->recordUrl(fn (TenantReview $record): string => static::tenantScopedUrl('view', ['record' => $record], $record->tenant))
+            ->columns([
+                Tables\Columns\TextColumn::make('status')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewStatus))
+                    ->color(BadgeRenderer::color(BadgeDomain::TenantReviewStatus))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewStatus))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewStatus))
+                    ->sortable(),
+                Tables\Columns\TextColumn::make('artifact_truth')
+                    ->label('Artifact truth')
+                    ->badge()
+                    ->getStateUsing(fn (TenantReview $record): string => static::truthEnvelope($record)->primaryLabel)
+                    ->color(fn (TenantReview $record): string => static::truthEnvelope($record)->primaryBadgeSpec()->color)
+                    ->icon(fn (TenantReview $record): ?string => static::truthEnvelope($record)->primaryBadgeSpec()->icon)
+                    ->iconColor(fn (TenantReview $record): ?string => static::truthEnvelope($record)->primaryBadgeSpec()->iconColor)
+                    ->description(fn (TenantReview $record): ?string => static::truthEnvelope($record)->operatorExplanation?->headline ?? static::truthEnvelope($record)->primaryExplanation)
+                    ->wrap(),
+                Tables\Columns\TextColumn::make('completeness_state')
+                    ->label('Completeness')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewCompleteness))
+                    ->color(BadgeRenderer::color(BadgeDomain::TenantReviewCompleteness))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewCompleteness))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewCompleteness))
+                    ->sortable(),
+                Tables\Columns\TextColumn::make('generated_at')->dateTime()->placeholder('—')->sortable(),
+                Tables\Columns\TextColumn::make('published_at')->dateTime()->placeholder('—')->sortable(),
+                Tables\Columns\TextColumn::make('summary.finding_count')->label('Findings'),
+                Tables\Columns\TextColumn::make('summary.section_state_counts.missing')->label(static::reviewCompletenessCountLabel(TenantReviewCompletenessState::Missing->value)),
+                Tables\Columns\TextColumn::make('publication_truth')
+                    ->label('Publication')
+                    ->badge()
+                    ->getStateUsing(fn (TenantReview $record): string => BadgeCatalog::spec(
+                        BadgeDomain::GovernanceArtifactPublicationReadiness,
+                        static::truthEnvelope($record)->publicationReadiness ?? 'internal_only',
+                    )->label)
+                    ->color(fn (TenantReview $record): string => BadgeCatalog::spec(
+                        BadgeDomain::GovernanceArtifactPublicationReadiness,
+                        static::truthEnvelope($record)->publicationReadiness ?? 'internal_only',
+                    )->color)
+                    ->icon(fn (TenantReview $record): ?string => BadgeCatalog::spec(
+                        BadgeDomain::GovernanceArtifactPublicationReadiness,
+                        static::truthEnvelope($record)->publicationReadiness ?? 'internal_only',
+                    )->icon)
+                    ->iconColor(fn (TenantReview $record): ?string => BadgeCatalog::spec(
+                        BadgeDomain::GovernanceArtifactPublicationReadiness,
+                        static::truthEnvelope($record)->publicationReadiness ?? 'internal_only',
+                    )->iconColor),
+                Tables\Columns\IconColumn::make('summary.has_ready_export')
+                    ->label('Export')
+                    ->boolean(),
+                Tables\Columns\TextColumn::make('artifact_next_step')
+                    ->label('Next step')
+                    ->getStateUsing(fn (TenantReview $record): string => static::truthEnvelope($record)->operatorExplanation?->nextActionText ?? static::truthEnvelope($record)->nextStepText())
+                    ->wrap(),
+                Tables\Columns\TextColumn::make('fingerprint')
+                    ->toggleable(isToggledHiddenByDefault: true)
+                    ->searchable(),
+            ])
+            ->filters([
+                Tables\Filters\SelectFilter::make('status')
+                    ->options(collect(TenantReviewStatus::cases())
+                        ->mapWithKeys(fn (TenantReviewStatus $status): array => [$status->value => Str::headline($status->value)])
+                        ->all()),
+                Tables\Filters\SelectFilter::make('completeness_state')
+                    ->options(BadgeCatalog::options(BadgeDomain::TenantReviewCompleteness, TenantReviewCompletenessState::values())),
+                \App\Support\Filament\FilterPresets::dateRange('review_date', 'Review date', 'generated_at'),
+            ])
+            ->actions([
+                UiEnforcement::forTableAction(
+                    Actions\Action::make('export_executive_pack')
+                        ->label('Export executive pack')
+                        ->icon('heroicon-o-arrow-down-tray')
+                        ->visible(fn (TenantReview $record): bool => in_array($record->status, [
+                            TenantReviewStatus::Ready->value,
+                            TenantReviewStatus::Published->value,
+                        ], true))
+                        ->action(fn (TenantReview $record): mixed => static::executeExport($record)),
+                    fn (TenantReview $record): TenantReview => $record,
+                )
+                    ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
+                    ->preserveVisibility()
+                    ->apply(),
+            ])
+            ->bulkActions([])
+            ->emptyStateHeading('No tenant reviews yet')
+            ->emptyStateDescription('Create the first review from an anchored evidence snapshot to start the recurring review history for this tenant.')
+            ->emptyStateActions([
+                static::makeCreateReviewAction(
+                    name: 'create_first_review',
+                    label: 'Create first review',
+                    icon: 'heroicon-o-plus',
+                ),
+            ]);
+    }
+
+    public static function getPages(): array
+    {
+        return [
+            'index' => Pages\ListTenantReviews::route('/'),
+            'view' => Pages\ViewTenantReview::route('/{record}'),
+        ];
+    }
+
+    public static function makeCreateReviewAction(
+        string $name = 'create_review',
+        string $label = 'Create review',
+        string $icon = 'heroicon-o-plus',
+    ): Actions\Action {
+        return UiEnforcement::forAction(
+            Actions\Action::make($name)
+                ->label($label)
+                ->icon($icon)
+                ->form([
+                    Section::make('Evidence basis')
+                        ->schema([
+                            Select::make('evidence_snapshot_id')
+                                ->label('Evidence snapshot')
+                                ->required()
+                                ->options(fn (): array => static::evidenceSnapshotOptions())
+                                ->searchable()
+                                ->helperText('Choose the anchored evidence snapshot for this review.'),
+                        ]),
+                ])
+                ->action(fn (array $data): mixed => static::executeCreateReview($data)),
+        )
+            ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
+            ->apply();
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    public static function executeCreateReview(array $data): void
+    {
+        $tenant = Filament::getTenant();
+        $user = auth()->user();
+
+        if (! $tenant instanceof Tenant || ! $user instanceof User) {
+            Notification::make()->danger()->title('Unable to create review — missing context.')->send();
+
+            return;
+        }
+
+        if (! $user->canAccessTenant($tenant)) {
+            abort(404);
+        }
+
+        if (! $user->can(Capabilities::TENANT_REVIEW_MANAGE, $tenant)) {
+            abort(403);
+        }
+
+        $snapshotId = $data['evidence_snapshot_id'] ?? null;
+        $snapshot = is_numeric($snapshotId)
+            ? EvidenceSnapshot::query()
+                ->whereKey((int) $snapshotId)
+                ->where('tenant_id', (int) $tenant->getKey())
+                ->first()
+            : null;
+
+        if (! $snapshot instanceof EvidenceSnapshot) {
+            Notification::make()->danger()->title('Select a valid evidence snapshot.')->send();
+
+            return;
+        }
+
+        try {
+            $review = app(TenantReviewService::class)->create($tenant, $snapshot, $user);
+        } catch (\Throwable $throwable) {
+            Notification::make()->danger()->title('Unable to create review')->body($throwable->getMessage())->send();
+
+            return;
+        }
+
+        static::truthEnvelope($review->refresh(), fresh: true);
+
+        if (! $review->wasRecentlyCreated) {
+            Notification::make()
+                ->success()
+                ->title('Review already available')
+                ->body('A matching mutable review already exists for this evidence basis.')
+                ->actions([
+                    Actions\Action::make('view_review')
+                        ->label('View review')
+                        ->url(static::tenantScopedUrl('view', ['record' => $review], $tenant)),
+                ])
+                ->send();
+
+            return;
+        }
+
+        $toast = OperationUxPresenter::queuedToast(OperationRunType::TenantReviewCompose->value)
+            ->body('The review is being composed in the background.');
+
+        if ($review->operation_run_id) {
+            $toast->actions([
+                Actions\Action::make('view_run')
+                    ->label('View run')
+                    ->url(OperationRunLinks::tenantlessView((int) $review->operation_run_id)),
+            ]);
+        }
+
+        $toast->send();
+    }
+
+    public static function executeExport(TenantReview $review): void
+    {
+        $review->loadMissing(['tenant', 'currentExportReviewPack']);
+        $user = auth()->user();
+
+        if (! $user instanceof User || ! $review->tenant instanceof Tenant) {
+            Notification::make()->danger()->title('Unable to export review — missing context.')->send();
+
+            return;
+        }
+
+        if (! $user->canAccessTenant($review->tenant)) {
+            abort(404);
+        }
+
+        if (! $user->can('export', $review)) {
+            abort(403);
+        }
+
+        $service = app(ReviewPackService::class);
+
+        if ($service->checkActiveRunForReview($review)) {
+            OperationUxPresenter::alreadyQueuedToast(OperationRunType::ReviewPackGenerate->value)
+                ->body('An executive pack export is already queued or running for this review.')
+                ->send();
+
+            return;
+        }
+
+        try {
+            $pack = $service->generateFromReview($review, $user, [
+                'include_pii' => true,
+                'include_operations' => true,
+            ]);
+        } catch (\Throwable $throwable) {
+            Notification::make()->danger()->title('Unable to export executive pack')->body($throwable->getMessage())->send();
+
+            return;
+        }
+
+        static::truthEnvelope($review->refresh(), fresh: true);
+        app(ArtifactTruthPresenter::class)->forReviewPackFresh($pack->refresh());
+
+        if (! $pack->wasRecentlyCreated) {
+            Notification::make()
+                ->success()
+                ->title('Executive pack already available')
+                ->body('A matching executive pack already exists for this review.')
+                ->actions([
+                    Actions\Action::make('view_pack')
+                        ->label('View pack')
+                        ->url(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $review->tenant)),
+                ])
+                ->send();
+
+            return;
+        }
+
+        OperationUxPresenter::queuedToast(OperationRunType::ReviewPackGenerate->value)
+            ->body('The executive pack is being generated in the background.')
+            ->send();
+    }
+
+    /**
+     * @param  array<string, mixed>  $parameters
+     */
+    public static function tenantScopedUrl(
+        string $page = 'index',
+        array $parameters = [],
+        ?Tenant $tenant = null,
+        ?string $panel = null,
+    ): string {
+        $panelId = $panel ?? 'tenant';
+
+        return static::getUrl($page, $parameters, panel: $panelId, tenant: $tenant);
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    private static function evidenceSnapshotOptions(): array
+    {
+        $tenant = Filament::getTenant();
+
+        if (! $tenant instanceof Tenant) {
+            return [];
+        }
+
+        return EvidenceSnapshot::query()
+            ->where('tenant_id', (int) $tenant->getKey())
+            ->whereNotNull('generated_at')
+            ->orderByDesc('generated_at')
+            ->orderByDesc('id')
+            ->get()
+            ->mapWithKeys(static fn (EvidenceSnapshot $snapshot): array => [
+                (string) $snapshot->getKey() => sprintf(
+                    '#%d · %s · %s',
+                    (int) $snapshot->getKey(),
+                    BadgeCatalog::spec(BadgeDomain::EvidenceCompleteness, $snapshot->completeness_state)->label,
+                    $snapshot->generated_at?->format('Y-m-d H:i') ?? 'Pending'
+                ),
+            ])
+            ->all();
+    }
+
+    private static function reviewCompletenessCountLabel(string $state): string
+    {
+        return BadgeCatalog::spec(BadgeDomain::TenantReviewCompleteness, $state)->label;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private static function summaryPresentation(TenantReview $record): array
+    {
+        $summary = is_array($record->summary) ? $record->summary : [];
+
+        return [
+            'operator_explanation' => static::truthEnvelope($record)->operatorExplanation?->toArray(),
+            'highlights' => is_array($summary['highlights'] ?? null) ? $summary['highlights'] : [],
+            'next_actions' => is_array($summary['recommended_next_actions'] ?? null) ? $summary['recommended_next_actions'] : [],
+            'publish_blockers' => is_array($summary['publish_blockers'] ?? null) ? $summary['publish_blockers'] : [],
+            'metrics' => [
+                ['label' => 'Findings', 'value' => (string) ($summary['finding_count'] ?? 0)],
+                ['label' => 'Reports', 'value' => (string) ($summary['report_count'] ?? 0)],
+                ['label' => 'Operations', 'value' => (string) ($summary['operation_count'] ?? 0)],
+                ['label' => 'Sections', 'value' => (string) ($summary['section_count'] ?? 0)],
+            ],
+        ];
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private static function sectionPresentation(TenantReviewSection $section): array
+    {
+        $summary = is_array($section->summary_payload) ? $section->summary_payload : [];
+        $render = is_array($section->render_payload) ? $section->render_payload : [];
+        $review = $section->tenantReview;
+        $tenant = $section->tenant;
+
+        return [
+            'summary' => collect($summary)->map(function (mixed $value, string $key): ?array {
+                if (is_array($value) || $value === null || $value === '') {
+                    return null;
+                }
+
+                return [
+                    'label' => Str::headline($key),
+                    'value' => (string) $value,
+                ];
+            })->filter()->values()->all(),
+            'highlights' => is_array($render['highlights'] ?? null) ? $render['highlights'] : [],
+            'entries' => is_array($render['entries'] ?? null) ? $render['entries'] : [],
+            'disclosure' => is_string($render['disclosure'] ?? null) ? $render['disclosure'] : null,
+            'next_actions' => is_array($render['next_actions'] ?? null) ? $render['next_actions'] : [],
+            'empty_state' => is_string($render['empty_state'] ?? null) ? $render['empty_state'] : null,
+            'links' => [],
+        ];
+    }
+
+    private static function truthEnvelope(TenantReview $record, bool $fresh = false): ArtifactTruthEnvelope
+    {
+        $presenter = app(ArtifactTruthPresenter::class);
+
+        return $fresh
+            ? $presenter->forTenantReviewFresh($record)
+            : $presenter->forTenantReview($record);
+    }
+}

app/Filament/Resources/TenantReviewResource/Pages/ListTenantReviews.php

@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Resources\TenantReviewResource\Pages;
+
+use App\Filament\Resources\TenantReviewResource;
+use Filament\Resources\Pages\ListRecords;
+
+class ListTenantReviews extends ListRecords
+{
+    protected static string $resource = TenantReviewResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            TenantReviewResource::makeCreateReviewAction(),
+        ];
+    }
+}

app/Filament/Resources/TenantReviewResource/Pages/ViewTenantReview.php

@@ -0,0 +1,205 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Resources\TenantReviewResource\Pages;
+
+use App\Filament\Resources\TenantReviewResource;
+use App\Models\Tenant;
+use App\Models\TenantReview;
+use App\Models\User;
+use App\Services\TenantReviews\TenantReviewLifecycleService;
+use App\Services\TenantReviews\TenantReviewService;
+use App\Support\Auth\Capabilities;
+use App\Support\OperationRunLinks;
+use App\Support\Rbac\UiEnforcement;
+use App\Support\TenantReviewStatus;
+use Filament\Actions;
+use Filament\Notifications\Notification;
+use Filament\Resources\Pages\ViewRecord;
+use Illuminate\Database\Eloquent\Model;
+
+class ViewTenantReview extends ViewRecord
+{
+    protected static string $resource = TenantReviewResource::class;
+
+    protected function resolveRecord(int|string $key): Model
+    {
+        return TenantReviewResource::resolveScopedRecordOrFail($key);
+    }
+
+    protected function authorizeAccess(): void
+    {
+        $tenant = TenantReviewResource::panelTenantContext();
+        $record = $this->getRecord();
+        $user = auth()->user();
+
+        if (! $user instanceof User || ! $tenant instanceof Tenant || ! $record instanceof TenantReview) {
+            abort(404);
+        }
+
+        if ((int) $record->tenant_id !== (int) $tenant->getKey()) {
+            abort(404);
+        }
+
+        if (! $user->canAccessTenant($tenant)) {
+            abort(404);
+        }
+
+        if (! $user->can('view', $record)) {
+            abort(403);
+        }
+    }
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            Actions\Action::make('view_run')
+                ->label('View run')
+                ->icon('heroicon-o-eye')
+                ->color('gray')
+                ->hidden(fn (): bool => ! is_numeric($this->record->operation_run_id))
+                ->url(fn (): ?string => $this->record->operation_run_id
+                    ? OperationRunLinks::tenantlessView((int) $this->record->operation_run_id)
+                    : null),
+            Actions\Action::make('view_export')
+                ->label('View executive pack')
+                ->icon('heroicon-o-document-arrow-down')
+                ->color('gray')
+                ->hidden(fn (): bool => ! $this->record->currentExportReviewPack)
+                ->url(fn (): ?string => $this->record->currentExportReviewPack
+                    ? \App\Filament\Resources\ReviewPackResource::getUrl('view', ['record' => $this->record->currentExportReviewPack], tenant: $this->record->tenant)
+                    : null),
+            Actions\Action::make('view_evidence')
+                ->label('View evidence snapshot')
+                ->icon('heroicon-o-shield-check')
+                ->color('gray')
+                ->hidden(fn (): bool => ! $this->record->evidenceSnapshot)
+                ->url(fn (): ?string => $this->record->evidenceSnapshot
+                    ? \App\Filament\Resources\EvidenceSnapshotResource::getUrl('view', ['record' => $this->record->evidenceSnapshot], tenant: $this->record->tenant)
+                    : null),
+            UiEnforcement::forAction(
+                Actions\Action::make('refresh_review')
+                    ->label('Refresh review')
+                    ->icon('heroicon-o-arrow-path')
+                    ->hidden(fn (): bool => ! $this->record->isMutable())
+                    ->requiresConfirmation()
+                    ->action(function (): void {
+                        $user = auth()->user();
+
+                        if (! $user instanceof User) {
+                            abort(403);
+                        }
+
+                        try {
+                            app(TenantReviewService::class)->refresh($this->record, $user);
+                        } catch (\Throwable $throwable) {
+                            Notification::make()->danger()->title('Unable to refresh review')->body($throwable->getMessage())->send();
+
+                            return;
+                        }
+
+                        Notification::make()->success()->title('Refresh review queued')->send();
+                    }),
+            )
+                ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
+                ->preserveVisibility()
+                ->apply(),
+            UiEnforcement::forAction(
+                Actions\Action::make('publish_review')
+                    ->label('Publish review')
+                    ->icon('heroicon-o-check-badge')
+                    ->hidden(fn (): bool => ! $this->record->isMutable())
+                    ->requiresConfirmation()
+                    ->action(function (): void {
+                        $user = auth()->user();
+
+                        if (! $user instanceof User) {
+                            abort(403);
+                        }
+
+                        try {
+                            app(TenantReviewLifecycleService::class)->publish($this->record, $user);
+                        } catch (\Throwable $throwable) {
+                            Notification::make()->danger()->title('Unable to publish review')->body($throwable->getMessage())->send();
+
+                            return;
+                        }
+
+                        $this->refreshFormData(['status', 'published_at', 'published_by_user_id', 'summary']);
+                        Notification::make()->success()->title('Review published')->send();
+                    }),
+            )
+                ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
+                ->preserveVisibility()
+                ->apply(),
+            UiEnforcement::forAction(
+                Actions\Action::make('export_executive_pack')
+                    ->label('Export executive pack')
+                    ->icon('heroicon-o-arrow-down-tray')
+                    ->hidden(fn (): bool => ! in_array($this->record->status, [
+                        TenantReviewStatus::Ready->value,
+                        TenantReviewStatus::Published->value,
+                    ], true))
+                    ->action(fn (): mixed => TenantReviewResource::executeExport($this->record)),
+            )
+                ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
+                ->preserveVisibility()
+                ->apply(),
+            Actions\ActionGroup::make([
+                UiEnforcement::forAction(
+                    Actions\Action::make('create_next_review')
+                        ->label('Create next review')
+                        ->icon('heroicon-o-document-duplicate')
+                        ->hidden(fn (): bool => ! $this->record->isPublished())
+                        ->action(function (): void {
+                            $user = auth()->user();
+
+                            if (! $user instanceof User) {
+                                abort(403);
+                            }
+
+                            try {
+                                $nextReview = app(TenantReviewLifecycleService::class)->createNextReview($this->record, $user);
+                            } catch (\Throwable $throwable) {
+                                Notification::make()->danger()->title('Unable to create next review')->body($throwable->getMessage())->send();
+
+                                return;
+                            }
+
+                            $this->redirect(TenantReviewResource::tenantScopedUrl('view', ['record' => $nextReview], $nextReview->tenant));
+                        }),
+                )
+                    ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
+                    ->preserveVisibility()
+                    ->apply(),
+                UiEnforcement::forAction(
+                    Actions\Action::make('archive_review')
+                        ->label('Archive review')
+                        ->icon('heroicon-o-archive-box')
+                        ->color('danger')
+                        ->hidden(fn (): bool => $this->record->statusEnum()->isTerminal())
+                        ->requiresConfirmation()
+                        ->action(function (): void {
+                            $user = auth()->user();
+
+                            if (! $user instanceof User) {
+                                abort(403);
+                            }
+
+                            app(TenantReviewLifecycleService::class)->archive($this->record, $user);
+                            $this->refreshFormData(['status', 'archived_at']);
+
+                            Notification::make()->success()->title('Review archived')->send();
+                        }),
+                )
+                    ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
+                    ->preserveVisibility()
+                    ->apply(),
+            ])
+                ->label('More')
+                ->icon('heroicon-m-ellipsis-vertical')
+                ->color('gray'),
+        ];
+    }
+}

app/Filament/Resources/Workspaces/RelationManagers/WorkspaceMembershipsRelationManager.php

@@ -9,7 +9,11 @@
 use App\Support\Auth\Capabilities;
 use App\Support\Auth\WorkspaceRole;
 use App\Support\Rbac\WorkspaceUiEnforcement;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use Filament\Actions\Action;
+use Filament\Actions\ActionGroup;
 use Filament\Forms;
 use Filament\Notifications\Notification;
 use Filament\Resources\RelationManagers\RelationManager;
@@ -21,6 +25,16 @@ class WorkspaceMembershipsRelationManager extends RelationManager
 {
     protected static string $relationship = 'memberships';
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forRelationManager(ActionSurfaceProfile::RelationManager)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Add member action is available in the relation header.')
+            ->exempt(ActionSurfaceSlot::InspectAffordance, 'Workspace membership rows are managed inline and have no separate inspect destination.')
+            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Change role stays inline while destructive removal is grouped under More.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Bulk membership mutations are intentionally omitted.')
+            ->exempt(ActionSurfaceSlot::ListEmptyState, 'No empty-state actions are exposed; add member remains available in the header.');
+    }
+
     public function table(Table $table): Table
     {
         return $table
@@ -177,46 +191,47 @@ public function table(Table $table): Table
                     ->requireCapability(Capabilities::WORKSPACE_MEMBERSHIP_MANAGE)
                     ->tooltip('You do not have permission to manage workspace memberships.')
                     ->apply(),
+                ActionGroup::make([
+                    WorkspaceUiEnforcement::forTableAction(
+                        Action::make('remove')
+                            ->label(__('Remove'))
+                            ->color('danger')
+                            ->icon('heroicon-o-x-mark')
+                            ->requiresConfirmation()
+                            ->action(function (WorkspaceMembership $record, WorkspaceMembershipManager $manager): void {
+                                $workspace = $this->getOwnerRecord();
 
-                WorkspaceUiEnforcement::forTableAction(
-                    Action::make('remove')
-                        ->label(__('Remove'))
-                        ->color('danger')
-                        ->icon('heroicon-o-x-mark')
-                        ->requiresConfirmation()
-                        ->action(function (WorkspaceMembership $record, WorkspaceMembershipManager $manager): void {
-                            $workspace = $this->getOwnerRecord();
+                                if (! $workspace instanceof Workspace) {
+                                    abort(404);
+                                }
 
-                            if (! $workspace instanceof Workspace) {
-                                abort(404);
-                            }
+                                $actor = auth()->user();
+                                if (! $actor instanceof User) {
+                                    abort(403);
+                                }
 
-                            $actor = auth()->user();
-                            if (! $actor instanceof User) {
-                                abort(403);
-                            }
+                                try {
+                                    $manager->removeMember(workspace: $workspace, actor: $actor, membership: $record);
+                                } catch (\Throwable $throwable) {
+                                    Notification::make()
+                                        ->title(__('Failed to remove member'))
+                                        ->body($throwable->getMessage())
+                                        ->danger()
+                                        ->send();
 
-                            try {
-                                $manager->removeMember(workspace: $workspace, actor: $actor, membership: $record);
-                            } catch (\Throwable $throwable) {
-                                Notification::make()
-                                    ->title(__('Failed to remove member'))
-                                    ->body($throwable->getMessage())
-                                    ->danger()
-                                    ->send();
+                                    return;
+                                }
 
-                                return;
-                            }
-
-                            Notification::make()->title(__('Member removed'))->success()->send();
-                            $this->resetTable();
-                        }),
-                    fn () => $this->getOwnerRecord(),
-                )
-                    ->requireCapability(Capabilities::WORKSPACE_MEMBERSHIP_MANAGE)
-                    ->tooltip('You do not have permission to manage workspace memberships.')
-                    ->destructive()
-                    ->apply(),
+                                Notification::make()->title(__('Member removed'))->success()->send();
+                                $this->resetTable();
+                            }),
+                        fn () => $this->getOwnerRecord(),
+                    )
+                        ->requireCapability(Capabilities::WORKSPACE_MEMBERSHIP_MANAGE)
+                        ->tooltip('You do not have permission to manage workspace memberships.')
+                        ->destructive()
+                        ->apply(),
+                ])->label('More'),
             ])
             ->bulkActions([])
             ->emptyStateHeading(__('No workspace members'))

app/Filament/Resources/Workspaces/WorkspaceResource.php

@@ -12,9 +12,11 @@
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions;
+use Filament\Actions\ActionGroup;
 use Filament\Forms;
 use Filament\Resources\Resource;
 use Filament\Schemas\Schema;
@@ -94,10 +96,10 @@ public static function canEdit(Model $record): bool
 
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
-        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
+        return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView, ActionSurfaceType::CrudListFirstResource)
             ->satisfy(ActionSurfaceSlot::ListHeader, 'List page provides a capability-gated create action.')
-            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ViewAction->value)
-            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Workspace list intentionally uses only primary View/Edit row actions.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Clickable-row inspection stays primary while the secondary Edit shortcut lives under "More".')
             ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Workspace list intentionally omits bulk actions.')
             ->satisfy(ActionSurfaceSlot::ListEmptyState, 'List page defines a capability-gated empty-state create CTA.')
             ->satisfy(ActionSurfaceSlot::DetailHeader, 'Workspace view page exposes a capability-gated edit action.');
@@ -151,6 +153,7 @@ public static function table(Table $table): Table
         return $table
             ->defaultSort('name')
             ->paginated(\App\Support\Filament\TablePaginationProfiles::resource())
+            ->recordUrl(fn (Workspace $record): string => static::getUrl('view', ['record' => $record]))
             ->columns([
                 Tables\Columns\TextColumn::make('name')
                     ->searchable()
@@ -160,13 +163,16 @@ public static function table(Table $table): Table
                     ->sortable(),
             ])
             ->actions([
-                Actions\ViewAction::make(),
-                WorkspaceUiEnforcement::forTableAction(
-                    Actions\EditAction::make(),
-                    fn (): ?Workspace => null,
-                )
-                    ->requireCapability(Capabilities::WORKSPACE_MANAGE)
-                    ->apply(),
+                ActionGroup::make([
+                    WorkspaceUiEnforcement::forTableAction(
+                        Actions\EditAction::make(),
+                        fn (): ?Workspace => null,
+                    )
+                        ->requireCapability(Capabilities::WORKSPACE_MANAGE)
+                        ->apply(),
+                ])
+                    ->label('More')
+                    ->icon('heroicon-o-ellipsis-vertical'),
             ])
             ->emptyStateHeading('No workspaces')
             ->emptyStateDescription('Create your first workspace.')

app/Filament/System/Pages/Directory/Tenants.php

@@ -10,6 +10,11 @@
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
 use App\Support\System\SystemDirectoryLinks;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use Filament\Pages\Page;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Concerns\InteractsWithTable;
@@ -31,6 +36,16 @@ class Tenants extends Page implements HasTable
 
     protected string $view = 'filament.system.pages.directory.tenants';
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly, ActionSurfaceType::ReadOnlyRegistryReport)
+            ->exempt(ActionSurfaceSlot::ListHeader, 'System tenant directory stays scan-first and does not expose page header actions.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Tenant directory rows navigate directly to the detail page and have no secondary actions.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'System tenant directory does not expose bulk actions.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state explains that tenants appear here after onboarding and inventory sync.');
+    }
+
     public static function canAccess(): bool
     {
         $user = auth('platform')->user();

app/Filament/System/Pages/Directory/Workspaces.php

@@ -14,6 +14,11 @@
 use App\Support\OperationRunOutcome;
 use App\Support\OperationRunStatus;
 use App\Support\System\SystemDirectoryLinks;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use Filament\Pages\Page;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Concerns\InteractsWithTable;
@@ -35,6 +40,16 @@ class Workspaces extends Page implements HasTable
 
     protected string $view = 'filament.system.pages.directory.workspaces';
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly, ActionSurfaceType::ReadOnlyRegistryReport)
+            ->exempt(ActionSurfaceSlot::ListHeader, 'System workspace directory stays scan-first and does not expose page header actions.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Workspace directory rows navigate directly to the detail page and have no secondary actions.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'System workspace directory does not expose bulk actions.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state explains that workspaces appear here once the platform inventory is seeded.');
+    }
+
     public static function canAccess(): bool
     {
         $user = auth('platform')->user();

app/Filament/System/Pages/Ops/Failures.php

@@ -15,6 +15,11 @@
 use App\Support\OperationRunStatus;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\System\SystemOperationRunLinks;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use Filament\Actions\Action;
 use Filament\Forms\Components\Textarea;
 use Filament\Notifications\Notification;
@@ -39,6 +44,16 @@ class Failures extends Page implements HasTable
 
     protected string $view = 'filament.system.pages.ops.failures';
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog, ActionSurfaceType::ReadOnlyRegistryReport)
+            ->exempt(ActionSurfaceSlot::ListHeader, 'System failures stay scan-first and rely on row triage rather than page header actions.')
+            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Failed-run triage stays per run and intentionally omits bulk actions.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state explains when there are no failed runs to triage.')
+            ->exempt(ActionSurfaceSlot::DetailHeader, 'Row navigation opens the canonical system run detail page, which owns header actions.');
+    }
+
     public static function getNavigationBadge(): ?string
     {
         $count = OperationRun::query()

app/Filament/System/Pages/Ops/Runbooks.php

@@ -107,10 +107,7 @@ protected function getHeaderActions(): array
                 ->icon('heroicon-o-magnifying-glass')
                 ->form($this->findingsScopeForm())
                 ->action(function (array $data, FindingsLifecycleBackfillRunbookService $runbookService): void {
-                    $scope = FindingsLifecycleBackfillScope::fromArray([
-                        'mode' => $data['scope_mode'] ?? null,
-                        'tenant_id' => $data['tenant_id'] ?? null,
-                    ]);
+                    $scope = $this->trustedFindingsScopeFromFormData($data, app(AllowedTenantUniverse::class));
 
                     $this->findingsScopeMode = $scope->mode;
                     $this->findingsTenantId = $scope->tenantId;
@@ -142,9 +139,7 @@ protected function getHeaderActions(): array
                         ]);
                     }
 
-                    $scope = $this->findingsScopeMode === FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT
-                        ? FindingsLifecycleBackfillScope::singleTenant((int) $this->findingsTenantId)
-                        : FindingsLifecycleBackfillScope::allTenants();
+                    $scope = $this->trustedFindingsScopeFromState(app(AllowedTenantUniverse::class));
 
                     $user = auth('platform')->user();
 
@@ -286,4 +281,34 @@ private function lastRunForType(string $type): ?OperationRun
             ->latest('id')
             ->first();
     }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    private function trustedFindingsScopeFromFormData(array $data, AllowedTenantUniverse $allowedTenantUniverse): FindingsLifecycleBackfillScope
+    {
+        $scope = FindingsLifecycleBackfillScope::fromArray([
+            'mode' => $data['scope_mode'] ?? null,
+            'tenant_id' => $data['tenant_id'] ?? null,
+        ]);
+
+        if (! $scope->isSingleTenant()) {
+            return $scope;
+        }
+
+        $tenant = $allowedTenantUniverse->resolveAllowedOrFail($scope->tenantId);
+
+        return FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey());
+    }
+
+    private function trustedFindingsScopeFromState(AllowedTenantUniverse $allowedTenantUniverse): FindingsLifecycleBackfillScope
+    {
+        if ($this->findingsScopeMode !== FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT) {
+            return FindingsLifecycleBackfillScope::allTenants();
+        }
+
+        $tenant = $allowedTenantUniverse->resolveAllowedOrFail($this->findingsTenantId);
+
+        return FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey());
+    }
 }