feat: restore safety integrity and queue slide-over (#210)

## Summary
- add the Spec 181 restore-safety layer with scope fingerprinting, preview/check integrity states, execution safety snapshots, result attention, and operator-facing copy across the wizard, restore detail, and canonical operation detail
- add focused unit and feature coverage for restore-safety assessment, result attention, and restore-linked operation detail
- switch the finding exceptions queue `Inspect exception` action to a native Filament slide-over while preserving query-param-backed inline summary behavior

## Testing
- `vendor/bin/sail artisan test --compact tests/Feature/Monitoring/FindingExceptionsQueueTest.php tests/Feature/Filament/RestoreSafetyIntegrityWizardTest.php tests/Feature/Filament/RestoreResultAttentionSurfaceTest.php tests/Feature/Operations/RestoreLinkedOperationDetailTest.php tests/Unit/Support/RestoreSafety`

## Notes
- Spec 181 checklist is complete (`specs/181-restore-safety-integrity/checklists/requirements.md`)
- the branch still has unchecked follow-up tasks in `specs/181-restore-safety-integrity/tasks.md`: `T012`, `T018`, `T019`, `T023`, `T025`, `T029`, `T032`, `T033`, `T041`, `T042`, `T043`, `T044`
- Filament v5 / Livewire v4 compliance is preserved, no panel provider registration changes were made, no global-search behavior was added, destructive actions remain confirmation-gated, and no new Filament assets were introduced

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #210

.github/agents/copilot-instructions.md

@@ -127,6 +127,16 @@ ## Active Technologies
 - PostgreSQL unchanged; no new persistence, cache store, or durable dashboard summary artifac (173-tenant-dashboard-truth-alignment)
 - PHP 8.4, Laravel 12, Filament v5, Livewire v4, Blade + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `ArtifactTruthPresenter`, `ArtifactTruthEnvelope`, `TenantReviewReadinessGate`, `EvidenceSnapshotService`, `TenantReviewRegisterService`, and current evidence/review/review-pack resources and pages (174-evidence-freshness-publication-trust)
 - PostgreSQL with existing `evidence_snapshots`, `evidence_snapshot_items`, `tenant_reviews`, and `review_packs` tables using current summary JSON and timestamps; no schema change planned (174-evidence-freshness-publication-trust)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `WorkspaceOverviewBuilder`, `TenantGovernanceAggregateResolver`, `BaselineCompareStats`, `BaselineCompareSummaryAssessor`, `WorkspaceSummaryStats`, `WorkspaceNeedsAttention`, `WorkspaceRecentOperations`, `FindingResource`, `BaselineCompareLanding`, `EvidenceSnapshotResource`, `TenantReviewResource`, and canonical admin Operations routes (175-workspace-governance-attention)
+- PostgreSQL unchanged; no new persistence, cache table, or materialized aggregate is introduced (175-workspace-governance-attention)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `TenantResource`, `ProviderConnectionResource`, `TenantVerificationReport`, `BadgeCatalog`, `BadgeRenderer`, `TenantOperabilityService`, `ProviderConsentStatus`, `ProviderVerificationStatus`, and shared provider-state Blade partials (179-provider-truth-cleanup)
+- PostgreSQL unchanged; no new table, column, or persisted artifact is introduced (179-provider-truth-cleanup)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `InventoryItem`, `OperationRun`, `InventoryCoverage`, `InventoryPolicyTypeMeta`, `CoverageCapabilitiesResolver`, `InventoryKpiHeader`, `InventoryCoverage` page, and `OperationRunResource` enterprise-detail stack (177-inventory-coverage-truth)
+- PostgreSQL; existing `inventory_items` rows and `operation_runs.context` / `operation_runs.summary_counts` JSONB are reused with no schema change (177-inventory-coverage-truth)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `OperationRun`, `OperationLifecyclePolicy`, `OperationRunFreshnessState`, `OperationUxPresenter`, `OperationRunLinks`, `ActiveRuns`, `StuckRunClassifier`, `WorkspaceOverviewBuilder`, dashboard widgets, workspace widgets, and system ops pages (178-ops-truth-alignment)
+- PostgreSQL unchanged; existing `operation_runs` JSONB-backed `context`, `summary_counts`, and `failure_summary`; no schema change (178-ops-truth-alignment)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `RestoreRunResource`, `RestoreService`, `RestoreRiskChecker`, `RestoreDiffGenerator`, `OperationRunResource`, `TenantlessOperationRunViewer`, shared badge infrastructure, and existing RBAC or write-gate helpers (181-restore-safety-integrity)
+- PostgreSQL with existing `restore_runs` and `operation_runs` records plus JSON or array-backed `metadata`, `preview`, `results`, and `context`; no schema change planned (181-restore-safety-integrity)
 
 - PHP 8.4.15 (feat/005-bulk-operations)
 
@@ -146,8 +156,8 @@ ## Code Style
 PHP 8.4.15: Follow standard conventions
 
 ## Recent Changes
-- 174-evidence-freshness-publication-trust: Added PHP 8.4, Laravel 12, Filament v5, Livewire v4, Blade + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `ArtifactTruthPresenter`, `ArtifactTruthEnvelope`, `TenantReviewReadinessGate`, `EvidenceSnapshotService`, `TenantReviewRegisterService`, and current evidence/review/review-pack resources and pages
+- 181-restore-safety-integrity: Added PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `RestoreRunResource`, `RestoreService`, `RestoreRiskChecker`, `RestoreDiffGenerator`, `OperationRunResource`, `TenantlessOperationRunViewer`, shared badge infrastructure, and existing RBAC or write-gate helpers
-- 173-tenant-dashboard-truth-alignment: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `TenantDashboard`, `DashboardKpis`, `NeedsAttention`, `BaselineCompareNow`, `RecentDriftFindings`, `RecentOperations`, `TenantGovernanceAggregateResolver`, `BaselineCompareStats`, `BaselineCompareSummaryAssessor`, `FindingResource`, `OperationRunLinks`, and canonical admin Operations page
+- 178-ops-truth-alignment: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `OperationRun`, `OperationLifecyclePolicy`, `OperationRunFreshnessState`, `OperationUxPresenter`, `OperationRunLinks`, `ActiveRuns`, `StuckRunClassifier`, `WorkspaceOverviewBuilder`, dashboard widgets, workspace widgets, and system ops pages
-- 172-deferred-operator-surfaces-retrofit: Added PHP 8.4, Laravel 12, Livewire v4, Filament v5, Tailwind CSS v4 + `laravel/framework`, `filament/filament`, `livewire/livewire`, `pestphp/pest`
+- 177-inventory-coverage-truth: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `InventoryItem`, `OperationRun`, `InventoryCoverage`, `InventoryPolicyTypeMeta`, `CoverageCapabilitiesResolver`, `InventoryKpiHeader`, `InventoryCoverage` page, and `OperationRunResource` enterprise-detail stack
 <!-- MANUAL ADDITIONS START -->
 <!-- MANUAL ADDITIONS END -->

.specify/memory/constitution.md

@@ -1,32 +1,20 @@
 <!--
 Sync Impact Report
 
-- Version change: 1.14.0 -> 2.0.0
+- Version change: 2.0.0 -> 2.1.0
 - Modified principles:
-  - Filament UI - Action Surface Contract -> Operator-Facing UI/UX Constitution v1 / Filament UI - Action Surface Contract
+  - UX-001 (Layout & IA): header action line strengthened from SHOULD to MUST
-  - Filament UI - Layout & Information Architecture Standards (UX-001) -> Operator-Facing UI/UX Constitution v1 / Filament UI - Layout & Information Architecture Standards (UX-001)
+    with cross-reference to new HDR-001
-  - Operator-facing UI Naming Standards (UI-NAMING-001) -> Operator-Facing UI/UX Constitution v1 / Operator-facing UI Naming Standards (UI-NAMING-001)
-  - Operator Surface Principles (OPSURF-001) -> Operator-Facing UI/UX Constitution v1 / Operator Surface Principles (OPSURF-001)
-  - Spec Scope Fields (SCOPE-002) -> Operator-Facing UI/UX Constitution v1 / Spec Scope Fields (SCOPE-002)
 - Added sections:
-  - Operator-Facing UI/UX Constitution v1 (UI-CONST-001)
+  - Header Action Discipline & Contextual Navigation (HDR-001)
-  - Surface Taxonomy (UI-SURF-001)
-  - Hard Rules (UI-HARD-001)
-  - Exception Model (UI-EX-001)
-  - Enforcement Model (UI-REVIEW-001)
-  - Immediate Retrofit Priorities
-  - Appendix A - One-page Condensed Constitution
-  - Appendix B - Feature Review Checklist
-  - Appendix C - Red Flags for Future PRs
 - Removed sections: None
 - Templates requiring updates:
   - ✅ .specify/memory/constitution.md
-  - ✅ .specify/templates/spec-template.md
+  - ✅ .specify/templates/plan-template.md (Constitution Check: HDR-001 added)
-  - ✅ .specify/templates/plan-template.md
+  - ✅ .specify/templates/tasks-template.md (Filament UI section: HDR-001 added)
-  - ✅ .specify/templates/tasks-template.md
+  - ⚠ .specify/templates/spec-template.md (no changes needed; existing
-  - ✅ docs/product/principles.md
+    UI/UX Surface Classification and Operator Surface Contract tables already
-  - ✅ docs/product/standards/README.md
+    cover header action placement implicitly)
-  - ✅ docs/HANDOVER.md
 - Commands checked:
   - N/A `.specify/templates/commands/*.md` directory is not present in this repo
 - Follow-up TODOs:
@@ -535,7 +523,7 @@ #### Filament UI — Layout & Information Architecture Standards (UX-001)
 - When records exist, that primary CTA moves to the header and MUST NOT be duplicated in the empty state shell.
 
 Actions and flows
-- Pages SHOULD expose at most one primary header action and one secondary header action; all others belong in groups.
+- Pages MUST expose at most one primary header action and one secondary header action; all others belong in groups (see HDR-001 for the full header discipline rule).
 - Multi-step or high-risk flows MUST use a wizard or an equivalent staged flow with preview and confirmation.
 - Destructive actions remain non-primary and confirmed.
 
@@ -548,6 +536,121 @@ #### Filament UI — Layout & Information Architecture Standards (UX-001)
 - Shared layout builders such as `MainAsideForm`, `MainAsideInfolist`, and `StandardTableDefaults` SHOULD be reused where available.
 - A change is not Done unless UX-001 is satisfied or an approved exception documents why not.
 
+#### Header Action Discipline & Contextual Navigation (HDR-001)
+
+Goal: record and detail pages MUST be comprehensible within seconds.
+Header actions are reserved for the primary workflow of the current page
+and MUST NOT become a dumping ground for every available action or
+navigation jump.
+
+##### Core rule
+
+Header actions MUST contain only workflow-critical actions of the
+currently displayed record. Pure navigation, relational jumps, and
+contextual references do not belong in the header; they belong directly
+at the affected field, status indicator, or relation.
+
+##### Maximum one primary visible header action
+
+- Each record/detail page MUST expose at most one clearly prioritized
+  primary visible header action.
+- That action MUST represent the most obvious next operator step on
+  exactly this page.
+
+##### Navigation does not belong in headers
+
+- Actions such as "Open finding", "Open queue", "View related run",
+  "Open tenant", or similar jumps are navigation actions, not primary
+  object actions.
+- They MUST be placed as contextual navigation at fields, badges,
+  relation entries, or status displays — never in the header.
+
+##### Destructive or governance-changing actions require friction
+
+- Actions with operational, security-relevant, or governance-changing
+  effect MUST NOT stand at the same visual level as the primary action.
+- They MUST either:
+  - be rendered as a clearly separated danger action, or
+  - be placed in an Action Group / More Actions.
+- They MUST always require explicit confirmation
+  (`->requiresConfirmation()`).
+- If an action changes governance truth, compliance status, risk
+  acceptance, exception validity, or equivalent system truths,
+  additional friction is mandatory (e.g., typed confirmation, reason
+  field, or staged flow).
+
+##### Rare secondary actions belong in an Action Group
+
+- Actions that are not part of the expected core workflow of the page
+  or are only occasionally needed MUST NOT appear as equally weighted
+  visible header buttons.
+- They MUST be placed in an Action Group.
+
+##### Header clarity over implementation convenience
+
+- The fact that a framework makes header actions easy to add is not a
+  reason to place actions there.
+- Information architecture, scanability, and operator clarity take
+  precedence over implementation convenience.
+
+##### 5-second scan rule
+
+Every record/detail page MUST pass the 5-second scan rule:
+
+1. The operator instantly recognizes where they are.
+2. The operator instantly sees the status of the object.
+3. The operator instantly identifies the one central next action.
+4. The operator immediately understands where secondary or dangerous
+   actions live.
+
+If multiple equally weighted header buttons degrade this readability,
+it is a constitution violation.
+
+##### Placement rules
+
+Allowed in the header:
+- One primary workflow action.
+- Optionally one clearly justified secondary action.
+- Rare or administrative actions only when grouped.
+- Critical/destructive actions only when separated and with friction.
+
+Forbidden in the header:
+- Pure navigation to related objects.
+- Relational jumps without immediate workflow relevance.
+- Collections of technically available standard actions.
+- Multiple equally weighted buttons without clear prioritization.
+
+##### Preferred pattern
+
+| Slot | Placement |
+|---|---|
+| Primary visible | Exactly 1 |
+| Danger | Separated or grouped, never casual beside Primary |
+| Navigation | Inline at context (field, badge, relation) |
+| Rare actions | More / Action Group |
+
+##### Binding decision — Exception / Approval surfaces
+
+For exception detail pages specifically:
+- **Renew exception** MAY appear as the primary visible header action.
+- **Revoke exception** is a governance-changing danger action and MUST
+  require friction (separated + confirmation).
+- **Open finding** MUST be placed as a link at the Finding field, not
+  in the header.
+- **Open approval queue** MUST be placed as a contextual link at
+  approval / status context, not in the header.
+
+##### Reviewer heuristics
+
+A page violates HDR-001 if any of the following are true:
+- Multiple equally weighted header actions without clear workflow
+  priority.
+- Pure navigation buttons in the header.
+- Danger actions beside normal actions without clear separation.
+- Rarely used administrative actions as visible standard buttons.
+- The header resembles an action stockpile instead of a focused
+  workflow entry point.
+
 #### Operator-facing UI Naming Standards (UI-NAMING-001)
 
 Goal: operator-facing actions, runs, notifications, audit prose, and navigation MUST use one clear domain vocabulary.
@@ -672,6 +775,7 @@ #### Appendix A - One-page Condensed Constitution
 - Standard lists stay scanable.
 - Exceptions are catalogued, justified, and tested.
 - Features with ambiguous interaction semantics do not ship.
+- Header actions on record/detail pages expose at most one primary action; navigation belongs at context, not in the header.
 
 #### Appendix B - Feature Review Checklist
 
@@ -690,6 +794,9 @@ #### Appendix B - Feature Review Checklist
 - Critical truth is visible.
 - Scanability is preserved.
 - Exceptions are documented and tested.
+- Header passes the 5-second scan rule (HDR-001).
+- No pure navigation in the header.
+- Governance-changing actions have extra friction.
 
 #### Appendix C - Red Flags for Future PRs
 
@@ -704,6 +811,9 @@ #### Appendix C - Red Flags for Future PRs
 - Queue surfaces throw the operator out of context through row click.
 - Critical health or operability truth is hidden by default.
 - A contract claims conformance while the rendered UI behaves differently.
+- Header has multiple equally weighted buttons without clear prioritization.
+- "Open X" navigation links placed in the header instead of at the related field.
+- Governance-changing actions sit casually beside the primary action without friction.
 
 ### Data Minimization & Safe Logging
 - Inventory MUST store only metadata + whitelisted `meta_jsonb`.
@@ -787,4 +897,4 @@ ### Versioning Policy (SemVer)
 - **MINOR**: new principle/section or materially expanded guidance.
 - **MAJOR**: removing/redefining principles in a backward-incompatible way.
 
-**Version**: 2.0.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-03-28
+**Version**: 2.1.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-04-07

.specify/templates/plan-template.md

@@ -70,7 +70,8 @@ ## Constitution Check
 - Operator surfaces (OPSURF-001): workspace and tenant context remain explicit in navigation, actions, and page semantics; tenant surfaces do not silently expose workspace-wide actions
 - Operator surfaces (OPSURF-001): each new or materially refactored operator-facing page defines a page contract covering persona, surface type, operator question, default-visible info, diagnostics-only info, status dimensions, mutation scope, primary actions, and dangerous actions
 - Filament UI Action Surface Contract: for any new/modified Filament Resource/RelationManager/Page, define Header/Row/Bulk/Empty-State actions, ensure every List/Table has a surface-appropriate inspect affordance, remove redundant View when row click or identifier click already opens the same destination, keep standard CRUD/Registry rows to inspect plus at most one inline safe shortcut, group or relocate the rest to “More” or detail header, forbid empty bulk/overflow groups, require confirmations for destructive actions, write audit logs for mutations, enforce RBAC via central helpers (non-member 404, member missing capability 403), and ensure CI blocks merges if the contract is violated or not explicitly exempted
-- Filament UI UX-001 (Layout & IA): Create/Edit uses Main/Aside (3-col grid, Main=columnSpan(2), Aside=columnSpan(1)); all fields inside Sections/Cards (no naked inputs); View uses Infolists (not disabled edit forms); status badges use BADGE-001; empty states have specific title + explanation + 1 CTA; max 1 primary + 1 secondary header action; tables provide search/sort/filters for core dimensions; shared layout builders preferred for consistency
+- Filament UI UX-001 (Layout & IA): Create/Edit uses Main/Aside (3-col grid, Main=columnSpan(2), Aside=columnSpan(1)); all fields inside Sections/Cards (no naked inputs); View uses Infolists (not disabled edit forms); status badges use BADGE-001; empty states have specific title + explanation + 1 CTA; max 1 primary + 1 secondary header action (see HDR-001); tables provide search/sort/filters for core dimensions; shared layout builders preferred for consistency
+- Header action discipline (HDR-001): record/detail pages expose at most 1 primary visible header action; pure navigation (Open finding, Open tenant, View related run, etc.) is placed at the relevant field/badge/relation, NOT in the header; destructive or governance-changing actions are separated and require friction; rare actions live in Action Groups; every record/detail page passes the 5-second scan rule
 ## Project Structure
 
 ### Documentation (this feature)

.specify/templates/tasks-template.md

@@ -72,6 +72,7 @@ # Tasks: [FEATURE NAME]
 - ensuring View pages use Infolists (not disabled edit forms); status badges use BADGE-001,
 - ensuring empty states show a specific title + explanation + exactly 1 CTA; non-empty tables move CTA to header,
 - capping header actions to max 1 primary + 1 secondary (rest grouped),
+- enforcing HDR-001 header action discipline: at most 1 primary visible action per record/detail page; pure navigation (Open finding, Open tenant, View related run, etc.) placed at the relevant field/badge/relation, NOT in the header; destructive or governance-changing actions separated and requiring friction; rare actions in Action Groups; every record/detail page passing the 5-second scan rule,
 - using shared layout builders (e.g., `MainAsideForm`, `MainAsideInfolist`, `StandardTableDefaults`) where available,
 - OR documenting an explicit exemption with rationale if UX-001 is not fully satisfied.
 **Badges**: If this feature changes status-like badge semantics, tasks MUST use `BadgeCatalog` / `BadgeRenderer` (BADGE-001),

app/Filament/Pages/InventoryCoverage.php

@@ -6,19 +6,20 @@
 
 use App\Filament\Clusters\Inventory\InventoryCluster;
 use App\Filament\Concerns\ResolvesPanelTenantContext;
+use App\Filament\Resources\InventoryItemResource;
 use App\Filament\Widgets\Inventory\InventoryKpiHeader;
+use App\Models\OperationRun;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Services\Auth\CapabilityResolver;
-use App\Services\Inventory\CoverageCapabilitiesResolver;
 use App\Support\Auth\Capabilities;
 use App\Support\Badges\BadgeCatalog;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
 use App\Support\Badges\TagBadgeCatalog;
 use App\Support\Badges\TagBadgeDomain;
-use App\Support\Badges\TagBadgeRenderer;
+use App\Support\Inventory\TenantCoverageTruth;
-use App\Support\Inventory\InventoryPolicyTypeMeta;
+use App\Support\Inventory\TenantCoverageTruthResolver;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\ActionSurfaceDefaults;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
@@ -56,6 +57,8 @@ class InventoryCoverage extends Page implements HasTable
 
     protected string $view = 'filament.pages.inventory-coverage';
 
+    protected ?TenantCoverageTruth $cachedCoverageTruth = null;
+
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
         return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
@@ -67,7 +70,7 @@ public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
             ->exempt(ActionSurfaceSlot::InspectAffordance, 'Inventory coverage rows are runtime-derived metadata and intentionally omit inspect affordances.')
             ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Derived coverage rows do not expose row actions.')
             ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Derived coverage rows do not expose bulk actions.')
-            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state provides a clear-filters CTA to return to the full coverage matrix.');
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state provides a clear-filters CTA to return to the full tenant coverage report.');
     }
 
     public static function shouldRegisterNavigation(): bool
@@ -110,9 +113,12 @@ protected function getHeaderWidgets(): array
     public function table(Table $table): Table
     {
         return $table
+            ->persistFiltersInSession()
+            ->persistSearchInSession()
+            ->persistSortInSession()
             ->searchable()
-            ->searchPlaceholder('Search by policy type or label')
+            ->searchPlaceholder('Search by type or label')
-            ->defaultSort('label')
+            ->defaultSort('follow_up_priority')
             ->defaultPaginationPageOption(50)
             ->paginated(\App\Support\Filament\TablePaginationProfiles::customPage())
             ->records(function (
@@ -142,14 +148,16 @@ public function table(Table $table): Table
                 );
             })
             ->columns([
-                TextColumn::make('type')
+                TextColumn::make('coverage_state')
-                    ->label('Type')
+                    ->label('Coverage state')
-                    ->sortable()
+                    ->badge()
-                    ->fontFamily(FontFamily::Mono)
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::InventoryCoverageState))
-                    ->copyable()
+                    ->color(BadgeRenderer::color(BadgeDomain::InventoryCoverageState))
-                    ->wrap(),
+                    ->icon(BadgeRenderer::icon(BadgeDomain::InventoryCoverageState))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::InventoryCoverageState))
+                    ->sortable(),
                 TextColumn::make('label')
-                    ->label('Label')
+                    ->label('Type')
                     ->sortable()
                     ->badge()
                     ->formatStateUsing(function (?string $state, array $record): string {
@@ -179,17 +187,29 @@ public function table(Table $table): Table
                         return $spec->iconColor ?? $spec->color;
                     })
                     ->wrap(),
-                TextColumn::make('risk')
+                TextColumn::make('follow_up_guidance')
-                    ->label('Risk')
+                    ->label('Follow-up guidance')
+                    ->wrap()
+                    ->toggleable(),
+                TextColumn::make('observed_item_count')
+                    ->label('Observed items')
+                    ->numeric()
+                    ->sortable(),
+                TextColumn::make('category')
                     ->badge()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::PolicyRisk))
+                    ->formatStateUsing(fn (?string $state): string => TagBadgeCatalog::spec(TagBadgeDomain::PolicyCategory, $state)->label)
-                    ->color(BadgeRenderer::color(BadgeDomain::PolicyRisk))
+                    ->color(fn (?string $state): string => TagBadgeCatalog::spec(TagBadgeDomain::PolicyCategory, $state)->color)
-                    ->icon(BadgeRenderer::icon(BadgeDomain::PolicyRisk))
+                    ->icon(fn (?string $state): ?string => TagBadgeCatalog::spec(TagBadgeDomain::PolicyCategory, $state)->icon)
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::PolicyRisk)),
+                    ->iconColor(function (?string $state): ?string {
+                        $spec = TagBadgeCatalog::spec(TagBadgeDomain::PolicyCategory, $state);
+
+                        return $spec->iconColor ?? $spec->color;
+                    })
+                    ->toggleable()
+                    ->wrap(),
                 TextColumn::make('restore')
                     ->label('Restore')
                     ->badge()
-                    ->state(fn (array $record): ?string => $record['restore'])
                     ->formatStateUsing(function (?string $state): string {
                         return filled($state)
                             ? BadgeCatalog::spec(BadgeDomain::PolicyRestoreMode, $state)->label
@@ -213,20 +233,7 @@ public function table(Table $table): Table
                         $spec = BadgeCatalog::spec(BadgeDomain::PolicyRestoreMode, $state);
 
                         return $spec->iconColor ?? $spec->color;
-                    }),
+                    })
-                TextColumn::make('category')
-                    ->badge()
-                    ->formatStateUsing(TagBadgeRenderer::label(TagBadgeDomain::PolicyCategory))
-                    ->color(TagBadgeRenderer::color(TagBadgeDomain::PolicyCategory))
-                    ->icon(TagBadgeRenderer::icon(TagBadgeDomain::PolicyCategory))
-                    ->iconColor(TagBadgeRenderer::iconColor(TagBadgeDomain::PolicyCategory))
-                    ->toggleable()
-                    ->wrap(),
-                TextColumn::make('segment')
-                    ->label('Segment')
-                    ->badge()
-                    ->formatStateUsing(fn (?string $state): string => $state === 'foundation' ? 'Foundation' : 'Policy')
-                    ->color(fn (?string $state): string => $state === 'foundation' ? 'gray' : 'info')
                     ->toggleable(),
                 IconColumn::make('dependencies')
                     ->label('Dependencies')
@@ -237,10 +244,31 @@ public function table(Table $table): Table
                     ->falseColor('gray')
                     ->alignCenter()
                     ->toggleable(),
+                TextColumn::make('type')
+                    ->label('Type key')
+                    ->sortable()
+                    ->fontFamily(FontFamily::Mono)
+                    ->copyable()
+                    ->wrap()
+                    ->toggleable(isToggledHiddenByDefault: true),
+                TextColumn::make('segment')
+                    ->label('Segment')
+                    ->badge()
+                    ->formatStateUsing(fn (?string $state): string => $state === 'foundation' ? 'Foundation' : 'Policy')
+                    ->color(fn (?string $state): string => $state === 'foundation' ? 'gray' : 'info')
+                    ->toggleable(isToggledHiddenByDefault: true),
+                TextColumn::make('risk')
+                    ->label('Risk')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::PolicyRisk))
+                    ->color(BadgeRenderer::color(BadgeDomain::PolicyRisk))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::PolicyRisk))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::PolicyRisk))
+                    ->toggleable(isToggledHiddenByDefault: true),
             ])
             ->filters($this->tableFilters())
-            ->emptyStateHeading('No coverage entries match this view')
+            ->emptyStateHeading('No coverage rows match this report')
-            ->emptyStateDescription('Clear the current search or filters to return to the full coverage matrix.')
+            ->emptyStateDescription('Clear the current search or filters to return to the full tenant coverage report.')
             ->emptyStateIcon('heroicon-o-funnel')
             ->emptyStateActions([
                 Action::make('clear_filters')
@@ -261,6 +289,14 @@ public function table(Table $table): Table
     protected function tableFilters(): array
     {
         $filters = [
+            SelectFilter::make('coverage_state')
+                ->label('Coverage state')
+                ->options([
+                    'succeeded' => BadgeCatalog::spec(BadgeDomain::InventoryCoverageState, 'succeeded')->label,
+                    'failed' => BadgeCatalog::spec(BadgeDomain::InventoryCoverageState, 'failed')->label,
+                    'skipped' => BadgeCatalog::spec(BadgeDomain::InventoryCoverageState, 'skipped')->label,
+                    'unknown' => BadgeCatalog::spec(BadgeDomain::InventoryCoverageState, 'unknown')->label,
+                ]),
             SelectFilter::make('category')
                 ->label('Category')
                 ->options($this->categoryFilterOptions()),
@@ -279,84 +315,36 @@ protected function tableFilters(): array
      * @return Collection<string, array{
      *     __key: string,
      *     key: string,
-     *     segment: string,
      *     type: string,
+     *     segment: string,
      *     label: string,
      *     category: string,
-     *     dependencies: bool,
+     *     platform: ?string,
+     *     coverage_state: string,
+     *     follow_up_required: bool,
+     *     follow_up_priority: int,
+     *     follow_up_guidance: string,
+     *     observed_item_count: int,
+     *     basis_item_count: ?int,
+     *     basis_error_code: ?string,
      *     restore: ?string,
-     *     risk: string,
+     *     risk: ?string,
-     *     source_order: int
+     *     dependencies: bool,
+     *     is_basis_payload_backed: bool
      * }>
      */
     protected function coverageRows(): Collection
     {
-        $resolver = app(CoverageCapabilitiesResolver::class);
+        $truth = $this->coverageTruth();
 
-        $supported = $this->mapCoverageRows(
+        if (! $truth instanceof TenantCoverageTruth) {
-            rows: InventoryPolicyTypeMeta::supported(),
+            return collect();
-            segment: 'policy',
+        }
-            sourceOrderOffset: 0,
-            resolver: $resolver,
-        );
 
-        return $supported->merge($this->mapCoverageRows(
+        return collect($truth->rows)
-            rows: InventoryPolicyTypeMeta::foundations(),
+            ->mapWithKeys(static fn ($row): array => [
-            segment: 'foundation',
+                $row->key => $row->toArray(),
-            sourceOrderOffset: $supported->count(),
+            ]);
-            resolver: $resolver,
-        ));
-    }
-
-    /**
-     * @param  array<int, array<string, mixed>>  $rows
-     * @return Collection<string, array{
-     *     __key: string,
-     *     key: string,
-     *     segment: string,
-     *     type: string,
-     *     label: string,
-     *     category: string,
-     *     dependencies: bool,
-     *     restore: ?string,
-     *     risk: string,
-     *     source_order: int
-     * }>
-     */
-    protected function mapCoverageRows(
-        array $rows,
-        string $segment,
-        int $sourceOrderOffset,
-        CoverageCapabilitiesResolver $resolver
-    ): Collection {
-        return collect($rows)
-            ->values()
-            ->mapWithKeys(function (array $row, int $index) use ($resolver, $segment, $sourceOrderOffset): array {
-                $type = (string) ($row['type'] ?? '');
-
-                if ($type === '') {
-                    return [];
-                }
-
-                $key = "{$segment}:{$type}";
-                $restore = $row['restore'] ?? null;
-                $risk = $row['risk'] ?? 'n/a';
-
-                return [
-                    $key => [
-                        '__key' => $key,
-                        'key' => $key,
-                        'segment' => $segment,
-                        'type' => $type,
-                        'label' => (string) ($row['label'] ?? $type),
-                        'category' => (string) ($row['category'] ?? 'Other'),
-                        'dependencies' => $segment === 'policy' && $resolver->supportsDependencies($type),
-                        'restore' => is_string($restore) ? $restore : null,
-                        'risk' => is_string($risk) ? $risk : 'n/a',
-                        'source_order' => $sourceOrderOffset + $index,
-                    ],
-                ];
-            });
     }
 
     /**
@@ -367,6 +355,7 @@ protected function mapCoverageRows(
     protected function filterRows(Collection $rows, ?string $search, array $filters): Collection
     {
         $normalizedSearch = Str::lower(trim((string) $search));
+        $coverageState = $filters['coverage_state']['value'] ?? null;
         $category = $filters['category']['value'] ?? null;
         $restore = $filters['restore']['value'] ?? null;
 
@@ -380,6 +369,10 @@ function (Collection $rows) use ($normalizedSearch): Collection {
                     });
                 },
             )
+            ->when(
+                filled($coverageState),
+                fn (Collection $rows): Collection => $rows->where('coverage_state', (string) $coverageState),
+            )
             ->when(
                 filled($category),
                 fn (Collection $rows): Collection => $rows->where('category', (string) $category),
@@ -396,22 +389,35 @@ function (Collection $rows) use ($normalizedSearch): Collection {
      */
     protected function sortRows(Collection $rows, ?string $sortColumn, ?string $sortDirection): Collection
     {
-        $sortColumn = in_array($sortColumn, ['type', 'label'], true) ? $sortColumn : null;
+        $sortColumn = in_array($sortColumn, ['type', 'label', 'observed_item_count', 'coverage_state', 'follow_up_priority'], true)
+            ? $sortColumn
+            : null;
 
         if ($sortColumn === null) {
-            return $rows->sortBy('source_order');
+            return $rows;
         }
 
         $records = $rows->all();
 
         uasort($records, function (array $left, array $right) use ($sortColumn, $sortDirection): int {
-            $comparison = strnatcasecmp(
+            $comparison = match ($sortColumn) {
-                (string) ($left[$sortColumn] ?? ''),
+                'observed_item_count' => ((int) ($left[$sortColumn] ?? 0)) <=> ((int) ($right[$sortColumn] ?? 0)),
-                (string) ($right[$sortColumn] ?? ''),
+                'follow_up_priority' => ((int) ($left[$sortColumn] ?? 0)) <=> ((int) ($right[$sortColumn] ?? 0)),
-            );
+                default => strnatcasecmp(
+                    (string) ($left[$sortColumn] ?? ''),
+                    (string) ($right[$sortColumn] ?? ''),
+                ),
+            };
+
+            if ($comparison === 0 && $sortColumn === 'follow_up_priority') {
+                $comparison = ((int) ($right['observed_item_count'] ?? 0)) <=> ((int) ($left['observed_item_count'] ?? 0));
+            }
 
             if ($comparison === 0) {
-                $comparison = ((int) ($left['source_order'] ?? 0)) <=> ((int) ($right['source_order'] ?? 0));
+                $comparison = strnatcasecmp(
+                    (string) ($left['label'] ?? ''),
+                    (string) ($right['label'] ?? ''),
+                );
             }
 
             return $sortDirection === 'desc' ? ($comparison * -1) : $comparison;
@@ -468,4 +474,99 @@ protected function restoreFilterOptions(): array
             })
             ->all();
     }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function coverageSummary(): array
+    {
+        $truth = $this->coverageTruth();
+
+        if (! $truth instanceof TenantCoverageTruth) {
+            return [];
+        }
+
+        return [
+            'supportedTypes' => $truth->supportedTypeCount,
+            'succeededTypes' => $truth->succeededTypeCount,
+            'followUpTypes' => $truth->followUpTypeCount,
+            'observedItems' => $truth->observedItemTotal,
+            'observedTypes' => $truth->observedTypeCount(),
+            'topFollowUpLabel' => $truth->topPriorityFollowUpRow()?->label,
+            'topFollowUpGuidance' => $truth->topPriorityFollowUpRow()?->followUpGuidance,
+            'hasCurrentCoverageResult' => $truth->hasCurrentCoverageResult,
+        ];
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function basisRunSummary(): array
+    {
+        $truth = $this->coverageTruth();
+        $tenant = static::resolveTenantContextForCurrentPanel();
+        $user = auth()->user();
+
+        if (! $truth instanceof TenantCoverageTruth || ! $tenant instanceof Tenant) {
+            return [];
+        }
+
+        if (! $truth->basisRun instanceof OperationRun) {
+            return [
+                'title' => 'No current coverage basis',
+                'body' => $user instanceof User && $user->can(Capabilities::TENANT_INVENTORY_SYNC_RUN, $tenant)
+                    ? 'Run Inventory Sync from Inventory Items to establish current tenant coverage truth.'
+                    : 'A tenant operator with inventory sync permission must establish current tenant coverage truth.',
+                'badgeLabel' => null,
+                'badgeColor' => null,
+                'runUrl' => null,
+                'historyUrl' => null,
+                'inventoryItemsUrl' => InventoryItemResource::getUrl('index', tenant: $tenant),
+            ];
+        }
+
+        $badge = BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, (string) $truth->basisRun->outcome);
+        $canViewRun = $user instanceof User && $user->can('view', $truth->basisRun);
+
+        return [
+            'title' => sprintf('Latest coverage-bearing sync completed %s.', $truth->basisCompletedAtLabel() ?? 'recently'),
+            'body' => $canViewRun
+                ? 'Review the cited inventory sync to inspect provider or permission issues in detail.'
+                : 'The coverage basis is current, but your role cannot open the cited run detail.',
+            'badgeLabel' => $badge->label,
+            'badgeColor' => $badge->color,
+            'runUrl' => $canViewRun ? route('admin.operations.view', ['run' => (int) $truth->basisRun->getKey()]) : null,
+            'historyUrl' => $canViewRun ? $this->inventorySyncHistoryUrl($tenant) : null,
+            'inventoryItemsUrl' => InventoryItemResource::getUrl('index', tenant: $tenant),
+        ];
+    }
+
+    protected function coverageTruth(): ?TenantCoverageTruth
+    {
+        if ($this->cachedCoverageTruth instanceof TenantCoverageTruth) {
+            return $this->cachedCoverageTruth;
+        }
+
+        $tenant = static::resolveTenantContextForCurrentPanel();
+
+        if (! $tenant instanceof Tenant) {
+            return null;
+        }
+
+        $this->cachedCoverageTruth = app(TenantCoverageTruthResolver::class)->resolve($tenant);
+
+        return $this->cachedCoverageTruth;
+    }
+
+    private function inventorySyncHistoryUrl(Tenant $tenant): string
+    {
+        return route('admin.operations.index', [
+            'tenant_id' => (int) $tenant->getKey(),
+            'tableFilters' => [
+                'type' => [
+                    'value' => 'inventory_sync',
+                ],
+            ],
+        ]);
+    }
 }

app/Filament/Pages/Monitoring/Alerts.php

@@ -10,6 +10,7 @@
 use App\Models\Workspace;
 use App\Services\Auth\WorkspaceCapabilityResolver;
 use App\Support\Auth\Capabilities;
+use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\OperateHub\OperateHubShell;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
@@ -79,9 +80,23 @@ protected function getHeaderWidgets(): array
      */
     protected function getHeaderActions(): array
     {
-        return app(OperateHubShell::class)->headerActions(
+        $actions = app(OperateHubShell::class)->headerActions(
             scopeActionName: 'operate_hub_scope_alerts',
             returnActionName: 'operate_hub_return_alerts',
         );
+
+        $navigationContext = CanonicalNavigationContext::fromRequest(request());
+
+        if ($navigationContext?->backLinkLabel !== null && $navigationContext->backLinkUrl !== null) {
+            array_splice($actions, 1, 0, [
+                Action::make('operate_hub_back_to_origin_alerts')
+                    ->label($navigationContext->backLinkLabel)
+                    ->icon('heroicon-o-arrow-left')
+                    ->color('gray')
+                    ->url($navigationContext->backLinkUrl),
+            ]);
+        }
+
+        return $actions;
     }
 }

app/Filament/Pages/Monitoring/FindingExceptionsQueue.php

@@ -38,6 +38,7 @@
 use Filament\Tables\Contracts\HasTable;
 use Filament\Tables\Filters\SelectFilter;
 use Filament\Tables\Table;
+use Illuminate\Contracts\View\View;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Support\Collection;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -49,6 +50,8 @@ class FindingExceptionsQueue extends Page implements HasTable
 
     public ?int $selectedFindingExceptionId = null;
 
+    public bool $showSelectedExceptionSummary = false;
+
     protected static bool $isDiscovered = false;
 
     protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-shield-exclamation';
@@ -116,11 +119,12 @@ public static function canAccess(): bool
     public function mount(): void
     {
         $this->selectedFindingExceptionId = is_numeric(request()->query('exception')) ? (int) request()->query('exception') : null;
+        $this->showSelectedExceptionSummary = $this->selectedFindingExceptionId !== null;
         $this->mountInteractsWithTable();
         $this->applyRequestedTenantPrefilter();
 
         if ($this->selectedFindingExceptionId !== null) {
-            $this->selectedFindingException();
+            $this->resolveSelectedFindingException($this->selectedFindingExceptionId);
         }
     }
 
@@ -141,6 +145,7 @@ protected function getHeaderActions(): array
                 $this->removeTableFilter('status');
                 $this->removeTableFilter('current_validity_state');
                 $this->selectedFindingExceptionId = null;
+                $this->showSelectedExceptionSummary = false;
                 $this->resetTable();
             });
 
@@ -165,6 +170,7 @@ protected function getHeaderActions(): array
             ->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
             ->action(function (): void {
                 $this->selectedFindingExceptionId = null;
+                $this->showSelectedExceptionSummary = false;
             });
 
         $actions[] = Action::make('open_selected_exception')
@@ -325,8 +331,31 @@ public function table(Table $table): Table
                     ->label('Inspect exception')
                     ->icon('heroicon-o-eye')
                     ->color('gray')
-                    ->action(function (FindingException $record): void {
+                    ->before(function (FindingException $record): void {
                         $this->selectedFindingExceptionId = (int) $record->getKey();
+                    })
+                    ->slideOver()
+                    ->stickyModalHeader()
+                    ->modalSubmitAction(false)
+                    ->modalCancelAction(fn (Action $action): Action => $action->label('Close details'))
+                    ->modalHeading(function (): string {
+                        $record = $this->inspectedFindingException();
+
+                        return $record instanceof FindingException
+                            ? 'Finding exception #'.$record->getKey()
+                            : 'Finding exception';
+                    })
+                    ->modalDescription(fn (): ?string => $this->inspectedFindingException()?->requested_at?->toDayDateTimeString())
+                    ->modalContent(function (): View {
+                        $record = $this->inspectedFindingException();
+
+                        if (! $record instanceof FindingException) {
+                            return view('filament.pages.monitoring.partials.finding-exception-queue-unavailable');
+                        }
+
+                        return view('filament.pages.monitoring.partials.finding-exception-queue-sidebar', [
+                            'selectedException' => $record,
+                        ]);
                     }),
             ])
             ->bulkActions([])
@@ -343,6 +372,7 @@ public function table(Table $table): Table
                         $this->removeTableFilter('status');
                         $this->removeTableFilter('current_validity_state');
                         $this->selectedFindingExceptionId = null;
+                        $this->showSelectedExceptionSummary = false;
                         $this->resetTable();
                     }),
             ]);
@@ -354,15 +384,7 @@ public function selectedFindingException(): ?FindingException
             return null;
         }
 
-        $record = $this->queueBaseQuery()
+        return $this->resolveSelectedFindingException($this->selectedFindingExceptionId);
-            ->whereKey($this->selectedFindingExceptionId)
-            ->first();
-
-        if (! $record instanceof FindingException) {
-            throw new NotFoundHttpException;
-        }
-
-        return $record;
     }
 
     public function selectedExceptionUrl(): ?string
@@ -508,6 +530,30 @@ private function hasActiveQueueFilters(): bool
             || is_string(data_get($this->tableFilters, 'current_validity_state.value'));
     }
 
+    private function resolveSelectedFindingException(int $findingExceptionId): FindingException
+    {
+        $record = $this->queueBaseQuery()
+            ->whereKey($findingExceptionId)
+            ->first();
+
+        if (! $record instanceof FindingException) {
+            throw new NotFoundHttpException;
+        }
+
+        return $record;
+    }
+
+    private function inspectedFindingException(): ?FindingException
+    {
+        $mountedRecord = $this->getMountedTableActionRecord();
+
+        if ($mountedRecord instanceof FindingException) {
+            return $mountedRecord;
+        }
+
+        return $this->selectedFindingException();
+    }
+
     private function governanceWarning(FindingException $record): ?string
     {
         $finding = $record->relationLoaded('finding')

app/Filament/Pages/Monitoring/Operations.php

@@ -74,6 +74,8 @@ public function mount(): void
     {
         $this->navigationContextPayload = is_array(request()->query('nav')) ? request()->query('nav') : null;
 
+        $this->applyRequestedTenantScope();
+
         app(CanonicalAdminTenantFilterState::class)->sync(
             $this->getTableFiltersSessionKey(),
             ['type', 'initiator_name'],
@@ -187,6 +189,17 @@ public function table(Table $table): Table
             });
     }
 
+    private function applyRequestedTenantScope(): void
+    {
+        if (! $this->shouldForceWorkspaceWideTenantScope()) {
+            return;
+        }
+
+        Filament::setTenant(null, true);
+
+        app(WorkspaceContext::class)->clearLastTenantId(request());
+    }
+
     /**
      * @return array{likely_stale:int,reconciled:int}
      */
@@ -220,6 +233,8 @@ private function applyActiveTab(Builder $query): Builder
     {
         return match ($this->activeTab) {
             'active' => $query->healthyActive(),
+            OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION => $query->activeStaleAttention(),
+            OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP => $query->terminalFollowUp(),
             'blocked' => $query->dashboardNeedsFollowUp(),
             'succeeded' => $query
                 ->where('status', OperationRunStatus::Completed->value)
@@ -258,18 +273,45 @@ private function scopedSummaryQuery(): ?Builder
 
     private function applyRequestedDashboardPrefilter(): void
     {
-        $requestedTenantId = request()->query('tenant_id');
+        if (! $this->shouldForceWorkspaceWideTenantScope()) {
+            $requestedTenantId = request()->query('tenant_id');
 
-        if (is_numeric($requestedTenantId)) {
+            if (is_numeric($requestedTenantId)) {
-            $tenantId = (string) $requestedTenantId;
+                $tenantId = (string) $requestedTenantId;
-            $this->tableFilters['tenant_id']['value'] = $tenantId;
+                $this->tableFilters['tenant_id']['value'] = $tenantId;
-            $this->tableDeferredFilters['tenant_id']['value'] = $tenantId;
+                $this->tableDeferredFilters['tenant_id']['value'] = $tenantId;
+            }
+        }
+
+        $requestedProblemClass = request()->query('problemClass');
+
+        if (in_array($requestedProblemClass, [
+            OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION,
+            OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP,
+        ], true)) {
+            $this->activeTab = (string) $requestedProblemClass;
+
+            return;
         }
 
         $requestedTab = request()->query('activeTab');
 
-        if (in_array($requestedTab, ['all', 'active', 'blocked', 'succeeded', 'partial', 'failed'], true)) {
+        if (in_array($requestedTab, [
+            'all',
+            'active',
+            'blocked',
+            'succeeded',
+            'partial',
+            'failed',
+            OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION,
+            OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP,
+        ], true)) {
             $this->activeTab = (string) $requestedTab;
         }
     }
+
+    private function shouldForceWorkspaceWideTenantScope(): bool
+    {
+        return request()->query('tenant_scope') === 'all';
+    }
 }

app/Filament/Pages/Operations/TenantlessOperationRunViewer.php

@@ -22,6 +22,7 @@
 use App\Support\OpsUx\RunDetailPolling;
 use App\Support\ReasonTranslation\ReasonPresenter;
 use App\Support\RedactionIntegrity;
+use App\Support\RestoreSafety\RestoreSafetyCopy;
 use App\Support\Tenants\ReferencedTenantLifecyclePresentation;
 use App\Support\Tenants\TenantInteractionLane;
 use App\Support\Tenants\TenantOperabilityQuestion;
@@ -244,6 +245,42 @@ public function lifecycleBanner(): ?array
         };
     }
 
+    /**
+     * @return array{tone: string, title: string, body: string, url: ?string, link_label: ?string}|null
+     */
+    public function restoreContinuationBanner(): ?array
+    {
+        if (! isset($this->run)) {
+            return null;
+        }
+
+        $continuation = OperationRunResource::restoreContinuation($this->run);
+
+        if (! is_array($continuation)) {
+            return null;
+        }
+
+        $tone = ($continuation['follow_up_required'] ?? false) ? 'amber' : 'sky';
+        $body = $continuation['summary'] ?? 'Restore continuation detail is unavailable.';
+        $boundary = $continuation['recovery_claim_boundary'] ?? null;
+
+        if (is_string($boundary) && $boundary !== '') {
+            $body .= ' '.RestoreSafetyCopy::recoveryBoundary($boundary);
+        }
+
+        if (! ($continuation['link_available'] ?? false)) {
+            $body .= ' Restore detail is not available from this session.';
+        }
+
+        return [
+            'tone' => $tone,
+            'title' => 'Restore continuation',
+            'body' => $body,
+            'url' => is_string($continuation['link_url'] ?? null) ? $continuation['link_url'] : null,
+            'link_label' => ($continuation['link_available'] ?? false) ? 'Open restore run' : null,
+        ];
+    }
+
     /**
      * @return array{tone: string, title: string, body: string}|null
      */

app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php

@@ -87,7 +87,6 @@
 use Illuminate\Database\QueryException;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Support\Facades\DB;
-use Illuminate\Support\Facades\Gate;
 use Illuminate\Validation\ValidationException;
 use InvalidArgumentException;
 use Livewire\Attributes\Locked;
@@ -3334,7 +3333,7 @@ private function canInspectOperationRun(OperationRun $run): bool
             return false;
         }
 
-        return Gate::forUser($user)->allows('view', $run);
+        return $user->can('view', $run);
     }
 
     public function verificationSucceeded(): bool

app/Filament/Resources/OperationRunResource.php

@@ -5,6 +5,7 @@
 use App\Filament\Support\VerificationReportChangeIndicator;
 use App\Filament\Support\VerificationReportViewer;
 use App\Models\OperationRun;
+use App\Models\RestoreRun;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Models\VerificationCheckAcknowledgement;
@@ -16,6 +17,9 @@
 use App\Support\Filament\FilterOptionCatalog;
 use App\Support\Filament\FilterPresets;
 use App\Support\Filament\TablePaginationProfiles;
+use App\Support\Inventory\InventoryCoverage;
+use App\Support\Inventory\InventoryPolicyTypeMeta;
+use App\Support\Inventory\TenantCoverageTruthResolver;
 use App\Support\Navigation\CrossResourceNavigationMatrix;
 use App\Support\Navigation\RelatedNavigationResolver;
 use App\Support\OperateHub\OperateHubShell;
@@ -27,6 +31,7 @@
 use App\Support\OpsUx\RunDurationInsights;
 use App\Support\OpsUx\SummaryCountsNormalizer;
 use App\Support\ReasonTranslation\ReasonPresenter;
+use App\Support\RestoreSafety\RestoreSafetyResolver;
 use App\Support\Tenants\ReferencedTenantLifecyclePresentation;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\ActionSurfaceDefaults;
@@ -264,6 +269,7 @@ private static function enterpriseDetailPage(OperationRun $record): \App\Support
         $artifactTruth = static::artifactTruthEnvelope($record);
         $operatorExplanation = $artifactTruth?->operatorExplanation;
         $primaryNextStep = static::resolvePrimaryNextStep($record, $artifactTruth, $operatorExplanation);
+        $restoreContinuation = static::restoreContinuation($record);
         $supportingGroups = static::supportingGroups(
             record: $record,
             factory: $factory,
@@ -316,6 +322,13 @@ private static function enterpriseDetailPage(OperationRun $record): \App\Support
                             ),
                         )
                         : null,
+                    is_array($restoreContinuation)
+                        ? $factory->keyFact(
+                            'Restore continuation',
+                            (string) ($restoreContinuation['badge_label'] ?? 'Restore detail'),
+                            (string) ($restoreContinuation['summary'] ?? 'Restore continuation detail is unavailable.'),
+                        )
+                        : null,
                 ])),
                 primaryNextStep: $factory->primaryNextStep(
                     $primaryNextStep['text'],
@@ -472,6 +485,21 @@ private static function enterpriseDetailPage(OperationRun $record): \App\Support
             }
         }
 
+        $inventorySyncCoverageSection = static::inventorySyncCoverageSection($record);
+
+        if ($inventorySyncCoverageSection !== null) {
+            $builder->addSection(
+                $factory->viewSection(
+                    id: 'inventory_sync_coverage',
+                    kind: 'type_specific_detail',
+                    title: 'Inventory sync coverage',
+                    description: 'Per-type run results explain what this sync established without forcing operators into raw JSON first.',
+                    view: 'filament.infolists.entries.inventory-coverage-truth',
+                    viewData: $inventorySyncCoverageSection,
+                ),
+            );
+        }
+
         if (VerificationReportViewer::shouldRenderForRun($record)) {
             $builder->addSection(
                 $factory->viewSection(
@@ -766,7 +794,7 @@ private static function artifactTruthFact(
 
     private static function decisionAttentionNote(OperationRun $record): ?string
     {
-        return null;
+        return OperationUxPresenter::decisionAttentionNote($record);
     }
 
     private static function detailHintUnlessDuplicate(?string $hint, ?string $duplicateOf): ?string
@@ -1169,6 +1197,106 @@ private static function reconciliationPayload(OperationRun $record): array
         return $reconciliation;
     }
 
+    /**
+     * @return array{
+     *     rows: list<array{
+     *         type: string,
+     *         label: string,
+     *         segment: string,
+     *         category: string,
+     *         coverageState: string,
+     *         followUpRequired: bool,
+     *         followUpPriority: int,
+     *         followUpGuidance: string,
+     *         itemCount: int,
+     *         errorCode: ?string
+     *     }>,
+     *     summary: array{
+     *         totalTypes: int,
+     *         succeededTypes: int,
+     *         failedTypes: int,
+     *         skippedTypes: int,
+     *         followUpTypes: int,
+     *         observedItems: int
+     *     },
+     *     runOutcomeLabel: string,
+     *     runOutcomeColor: string,
+     *     runOutcomeIcon: ?string
+     * }|null
+     */
+    private static function inventorySyncCoverageSection(OperationRun $record): ?array
+    {
+        if ((string) $record->type !== 'inventory_sync') {
+            return null;
+        }
+
+        $coverage = $record->inventoryCoverage();
+
+        if (! $coverage instanceof InventoryCoverage) {
+            return null;
+        }
+
+        $rows = collect($coverage->rows())
+            ->map(function (array $row): array {
+                $type = (string) ($row['type'] ?? '');
+                $meta = InventoryPolicyTypeMeta::metaFor($type);
+                $status = is_string($row['status'] ?? null) ? (string) $row['status'] : InventoryCoverage::StatusFailed;
+                $errorCode = is_string($row['error_code'] ?? null) ? (string) $row['error_code'] : null;
+                $itemCount = is_int($row['item_count'] ?? null) ? (int) $row['item_count'] : 0;
+
+                return [
+                    'type' => $type,
+                    'label' => is_string($meta['label'] ?? null) && $meta['label'] !== ''
+                        ? (string) $meta['label']
+                        : $type,
+                    'segment' => (string) ($row['segment'] ?? 'policy'),
+                    'category' => is_string($meta['category'] ?? null) && $meta['category'] !== ''
+                        ? (string) $meta['category']
+                        : 'Other',
+                    'coverageState' => $status,
+                    'followUpRequired' => $status !== InventoryCoverage::StatusSucceeded,
+                    'followUpPriority' => TenantCoverageTruthResolver::followUpPriorityForState($status),
+                    'followUpGuidance' => TenantCoverageTruthResolver::followUpGuidanceForState($status, $errorCode),
+                    'itemCount' => $itemCount,
+                    'errorCode' => $errorCode,
+                ];
+            })
+            ->sort(function (array $left, array $right): int {
+                $priority = ((int) ($left['followUpPriority'] ?? 0)) <=> ((int) ($right['followUpPriority'] ?? 0));
+
+                if ($priority !== 0) {
+                    return $priority;
+                }
+
+                $items = ((int) ($right['itemCount'] ?? 0)) <=> ((int) ($left['itemCount'] ?? 0));
+
+                if ($items !== 0) {
+                    return $items;
+                }
+
+                return strnatcasecmp((string) ($left['label'] ?? ''), (string) ($right['label'] ?? ''));
+            })
+            ->values()
+            ->all();
+
+        $outcomeSpec = BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, static::outcomeBadgeState($record));
+
+        return [
+            'rows' => $rows,
+            'summary' => [
+                'totalTypes' => count($rows),
+                'succeededTypes' => count(array_filter($rows, static fn (array $row): bool => ($row['coverageState'] ?? null) === InventoryCoverage::StatusSucceeded)),
+                'failedTypes' => count(array_filter($rows, static fn (array $row): bool => ($row['coverageState'] ?? null) === InventoryCoverage::StatusFailed)),
+                'skippedTypes' => count(array_filter($rows, static fn (array $row): bool => ($row['coverageState'] ?? null) === InventoryCoverage::StatusSkipped)),
+                'followUpTypes' => count(array_filter($rows, static fn (array $row): bool => (bool) ($row['followUpRequired'] ?? false))),
+                'observedItems' => array_sum(array_map(static fn (array $row): int => (int) ($row['itemCount'] ?? 0), $rows)),
+            ],
+            'runOutcomeLabel' => $outcomeSpec->label,
+            'runOutcomeColor' => $outcomeSpec->color,
+            'runOutcomeIcon' => $outcomeSpec->icon,
+        ];
+    }
+
     private static function formatDetailTimestamp(mixed $value): string
     {
         if (! $value instanceof \Illuminate\Support\Carbon) {
@@ -1210,6 +1338,58 @@ private static function surfaceGuidance(OperationRun $record, bool $fresh = fals
             : OperationUxPresenter::surfaceGuidance($record);
     }
 
+    /**
+     * @return array{
+     *     restore_run_id: int,
+     *     state: string,
+     *     summary: string,
+     *     primary_next_action: string,
+     *     recovery_claim_boundary: string,
+     *     follow_up_required: bool,
+     *     badge_label: string,
+     *     link_url: ?string,
+     *     link_available: bool
+     * }|null
+     */
+    public static function restoreContinuation(OperationRun $record): ?array
+    {
+        if ($record->type !== 'restore.execute') {
+            return null;
+        }
+
+        $context = is_array($record->context) ? $record->context : [];
+        $restoreRunId = is_numeric($context['restore_run_id'] ?? null) ? (int) $context['restore_run_id'] : null;
+
+        $restoreRun = $restoreRunId !== null
+            ? RestoreRun::query()->find($restoreRunId)
+            : RestoreRun::query()->where('operation_run_id', (int) $record->getKey())->latest('id')->first();
+
+        if (! $restoreRun instanceof RestoreRun) {
+            return null;
+        }
+
+        $attention = app(RestoreSafetyResolver::class)->resultAttentionForRun($restoreRun);
+        $tenant = $record->tenant;
+        $user = auth()->user();
+        $canOpenRestore = $tenant instanceof Tenant
+            && $user instanceof User
+            && app(\App\Services\Auth\CapabilityResolver::class)->isMember($user, $tenant);
+
+        return [
+            'restore_run_id' => (int) $restoreRun->getKey(),
+            'state' => $attention->state,
+            'summary' => $attention->summary,
+            'primary_next_action' => $attention->primaryNextAction,
+            'recovery_claim_boundary' => $attention->recoveryClaimBoundary,
+            'follow_up_required' => $attention->followUpRequired,
+            'badge_label' => \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::RestoreResultStatus, $attention->state)->label,
+            'link_url' => $canOpenRestore
+                ? RestoreRunResource::getUrl('view', ['record' => $restoreRun], panel: 'tenant', tenant: $tenant)
+                : null,
+            'link_available' => $canOpenRestore,
+        ];
+    }
+
     /**
      * @return list<array{
      *     key: string,

app/Filament/Resources/ProviderConnectionResource.php

@@ -469,29 +469,12 @@ private static function migrationReviewDescription(?ProviderConnection $record):
 
     private static function consentStatusLabelFromState(mixed $state): string
     {
-        $value = $state instanceof BackedEnum ? $state->value : (is_string($state) ? $state : 'unknown');
+        return BadgeRenderer::spec(BadgeDomain::ProviderConsentStatus, $state)->label;
-
-        return match ($value) {
-            'required' => 'Required',
-            'granted' => 'Granted',
-            'failed' => 'Failed',
-            'revoked' => 'Revoked',
-            default => 'Unknown',
-        };
     }
 
     private static function verificationStatusLabelFromState(mixed $state): string
     {
-        $value = $state instanceof BackedEnum ? $state->value : (is_string($state) ? $state : 'unknown');
+        return BadgeRenderer::spec(BadgeDomain::ProviderVerificationStatus, $state)->label;
-
-        return match ($value) {
-            'pending' => 'Pending',
-            'healthy' => 'Healthy',
-            'degraded' => 'Degraded',
-            'blocked' => 'Blocked',
-            'error' => 'Error',
-            default => 'Unknown',
-        };
     }
 
     public static function form(Schema $schema): Schema
@@ -527,7 +510,7 @@ public static function form(Schema $schema): Schema
                     ])
                     ->columns(2)
                     ->columnSpanFull(),
-                Section::make('Status')
+                Section::make('Current state')
                     ->schema([
                         Placeholder::make('consent_status_display')
                             ->label('Consent')
@@ -535,18 +518,31 @@ public static function form(Schema $schema): Schema
                         Placeholder::make('verification_status_display')
                             ->label('Verification')
                             ->content(fn (?ProviderConnection $record): string => static::verificationStatusLabelFromState($record?->verification_status)),
-                        TextInput::make('status')
+                        Placeholder::make('last_health_check_at_display')
-                            ->label('Status')
+                            ->label('Last check')
-                            ->disabled()
+                            ->content(fn (?ProviderConnection $record): string => $record?->last_health_check_at?->diffForHumans() ?? 'Never'),
-                            ->dehydrated(false),
+                    ])
-                        TextInput::make('health_status')
+                    ->columns(2)
-                            ->label('Health')
+                    ->columnSpanFull(),
-                            ->disabled()
+                Section::make('Diagnostics')
-                            ->dehydrated(false),
+                    ->schema([
+                        Placeholder::make('status_display')
+                            ->label('Legacy status')
+                            ->content(fn (?ProviderConnection $record): string => BadgeRenderer::spec(BadgeDomain::ProviderConnectionStatus, $record?->status)->label),
+                        Placeholder::make('health_status_display')
+                            ->label('Legacy health')
+                            ->content(fn (?ProviderConnection $record): string => BadgeRenderer::spec(BadgeDomain::ProviderConnectionHealth, $record?->health_status)->label),
                         Placeholder::make('migration_review_status_display')
                             ->label('Migration review')
                             ->content(fn (?ProviderConnection $record): string => static::migrationReviewLabel($record))
                             ->hint(fn (?ProviderConnection $record): ?string => static::migrationReviewDescription($record)),
+                        Placeholder::make('last_error_reason_code_display')
+                            ->label('Last error reason')
+                            ->content(fn (?ProviderConnection $record): string => filled($record?->last_error_reason_code) ? (string) $record->last_error_reason_code : 'n/a'),
+                        Placeholder::make('last_error_message_display')
+                            ->label('Last error message')
+                            ->content(fn (?ProviderConnection $record): string => static::sanitizeErrorMessage($record?->last_error_message) ?? 'n/a')
+                            ->columnSpanFull(),
                     ])
                     ->columns(2)
                     ->columnSpanFull(),
@@ -580,22 +576,55 @@ public static function infolist(Schema $schema): Schema
                             ->state(fn (ProviderConnection $record): string => static::credentialSourceLabel($record)),
                     ])
                     ->columns(2),
-                Section::make('Status')
+                Section::make('Current state')
                     ->schema([
                         Infolists\Components\TextEntry::make('consent_status')
                             ->label('Consent')
-                            ->formatStateUsing(fn ($state): string => static::consentStatusLabelFromState($state)),
+                            ->badge()
+                            ->formatStateUsing(fn ($state): string => static::consentStatusLabelFromState($state))
+                            ->color(BadgeRenderer::color(BadgeDomain::ProviderConsentStatus))
+                            ->icon(BadgeRenderer::icon(BadgeDomain::ProviderConsentStatus))
+                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::ProviderConsentStatus)),
                         Infolists\Components\TextEntry::make('verification_status')
                             ->label('Verification')
-                            ->formatStateUsing(fn ($state): string => static::verificationStatusLabelFromState($state)),
+                            ->badge()
+                            ->formatStateUsing(fn ($state): string => static::verificationStatusLabelFromState($state))
+                            ->color(BadgeRenderer::color(BadgeDomain::ProviderVerificationStatus))
+                            ->icon(BadgeRenderer::icon(BadgeDomain::ProviderVerificationStatus))
+                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::ProviderVerificationStatus)),
+                        Infolists\Components\TextEntry::make('last_health_check_at')
+                            ->label('Last check')
+                            ->since(),
+                    ])
+                    ->columns(2),
+                Section::make('Diagnostics')
+                    ->schema([
                         Infolists\Components\TextEntry::make('status')
-                            ->label('Status'),
+                            ->label('Legacy status')
+                            ->badge()
+                            ->formatStateUsing(BadgeRenderer::label(BadgeDomain::ProviderConnectionStatus))
+                            ->color(BadgeRenderer::color(BadgeDomain::ProviderConnectionStatus))
+                            ->icon(BadgeRenderer::icon(BadgeDomain::ProviderConnectionStatus))
+                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::ProviderConnectionStatus)),
                         Infolists\Components\TextEntry::make('health_status')
-                            ->label('Health'),
+                            ->label('Legacy health')
+                            ->badge()
+                            ->formatStateUsing(BadgeRenderer::label(BadgeDomain::ProviderConnectionHealth))
+                            ->color(BadgeRenderer::color(BadgeDomain::ProviderConnectionHealth))
+                            ->icon(BadgeRenderer::icon(BadgeDomain::ProviderConnectionHealth))
+                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::ProviderConnectionHealth)),
                         Infolists\Components\TextEntry::make('migration_review_required')
                             ->label('Migration review')
                             ->formatStateUsing(fn (ProviderConnection $record): string => static::migrationReviewLabel($record))
                             ->tooltip(fn (ProviderConnection $record): ?string => static::migrationReviewDescription($record)),
+                        Infolists\Components\TextEntry::make('last_error_reason_code')
+                            ->label('Last error reason')
+                            ->placeholder('n/a'),
+                        Infolists\Components\TextEntry::make('last_error_message')
+                            ->label('Last error message')
+                            ->formatStateUsing(fn (?string $state): ?string => static::sanitizeErrorMessage($state))
+                            ->placeholder('n/a')
+                            ->columnSpanFull(),
                     ])
                     ->columns(2),
             ]);
@@ -655,20 +684,36 @@ public static function table(Table $table): Table
                         ? 'Dedicated'
                         : 'Platform')
                     ->color(fn (?ProviderConnectionType $state): string => $state === ProviderConnectionType::Dedicated ? 'info' : 'gray'),
+                Tables\Columns\TextColumn::make('consent_status')
+                    ->label('Consent')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::ProviderConsentStatus))
+                    ->color(BadgeRenderer::color(BadgeDomain::ProviderConsentStatus))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::ProviderConsentStatus))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::ProviderConsentStatus)),
+                Tables\Columns\TextColumn::make('verification_status')
+                    ->label('Verification')
+                    ->badge()
+                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::ProviderVerificationStatus))
+                    ->color(BadgeRenderer::color(BadgeDomain::ProviderVerificationStatus))
+                    ->icon(BadgeRenderer::icon(BadgeDomain::ProviderVerificationStatus))
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::ProviderVerificationStatus)),
                 Tables\Columns\TextColumn::make('status')
-                    ->label('Status')
+                    ->label('Legacy status')
                     ->badge()
                     ->formatStateUsing(BadgeRenderer::label(BadgeDomain::ProviderConnectionStatus))
                     ->color(BadgeRenderer::color(BadgeDomain::ProviderConnectionStatus))
                     ->icon(BadgeRenderer::icon(BadgeDomain::ProviderConnectionStatus))
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::ProviderConnectionStatus)),
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::ProviderConnectionStatus))
+                    ->toggleable(isToggledHiddenByDefault: true),
                 Tables\Columns\TextColumn::make('health_status')
-                    ->label('Health')
+                    ->label('Legacy health')
                     ->badge()
                     ->formatStateUsing(BadgeRenderer::label(BadgeDomain::ProviderConnectionHealth))
                     ->color(BadgeRenderer::color(BadgeDomain::ProviderConnectionHealth))
                     ->icon(BadgeRenderer::icon(BadgeDomain::ProviderConnectionHealth))
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::ProviderConnectionHealth)),
+                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::ProviderConnectionHealth))
+                    ->toggleable(isToggledHiddenByDefault: true),
                 Tables\Columns\TextColumn::make('migration_review_required')
                     ->label('Migration review')
                     ->badge()
@@ -714,8 +759,45 @@ public static function table(Table $table): Table
 
                         return $query->where('provider_connections.provider', $value);
                     }),
+                SelectFilter::make('consent_status')
+                    ->label('Consent')
+                    ->options([
+                        'unknown' => 'Unknown',
+                        'required' => 'Required',
+                        'granted' => 'Granted',
+                        'failed' => 'Failed',
+                        'revoked' => 'Revoked',
+                    ])
+                    ->query(function (Builder $query, array $data): Builder {
+                        $value = $data['value'] ?? null;
+
+                        if (! is_string($value) || $value === '') {
+                            return $query;
+                        }
+
+                        return $query->where('provider_connections.consent_status', $value);
+                    }),
+                SelectFilter::make('verification_status')
+                    ->label('Verification')
+                    ->options([
+                        'unknown' => 'Unknown',
+                        'pending' => 'Pending',
+                        'healthy' => 'Healthy',
+                        'degraded' => 'Degraded',
+                        'blocked' => 'Blocked',
+                        'error' => 'Error',
+                    ])
+                    ->query(function (Builder $query, array $data): Builder {
+                        $value = $data['value'] ?? null;
+
+                        if (! is_string($value) || $value === '') {
+                            return $query;
+                        }
+
+                        return $query->where('provider_connections.verification_status', $value);
+                    }),
                 SelectFilter::make('status')
-                    ->label('Status')
+                    ->label('Diagnostic status')
                     ->options([
                         'connected' => 'Connected',
                         'needs_consent' => 'Needs consent',
@@ -732,7 +814,7 @@ public static function table(Table $table): Table
                         return $query->where('provider_connections.status', $value);
                     }),
                 SelectFilter::make('health_status')
-                    ->label('Health')
+                    ->label('Diagnostic health')
                     ->options([
                         'ok' => 'OK',
                         'degraded' => 'Degraded',

app/Filament/Resources/RestoreRunResource.php

@@ -37,6 +37,10 @@
 use App\Support\Rbac\UiEnforcement;
 use App\Support\RestoreRunIdempotency;
 use App\Support\RestoreRunStatus;
+use App\Support\RestoreSafety\ChecksIntegrityState;
+use App\Support\RestoreSafety\PreviewIntegrityState;
+use App\Support\RestoreSafety\RestoreSafetyCopy;
+use App\Support\RestoreSafety\RestoreSafetyResolver;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
@@ -330,23 +334,30 @@ public static function getWizardSteps(): array
                         })
                         ->reactive()
                         ->afterStateUpdated(function (Set $set, Get $get): void {
-                            $set('scope_mode', 'all');
+                            $groupMapping = static::groupMappingPlaceholders(
-                            $set('backup_item_ids', null);
-                            $set('group_mapping', static::groupMappingPlaceholders(
                                 backupSetId: $get('backup_set_id'),
                                 scopeMode: 'all',
                                 selectedItemIds: null,
                                 tenant: static::resolveTenantContextForCurrentPanel(),
-                            ));
+                            );
+
+                            $set('scope_mode', 'all');
+                            $set('backup_item_ids', null);
+                            $set('group_mapping', $groupMapping);
                             $set('is_dry_run', true);
                             $set('acknowledged_impact', false);
                             $set('tenant_confirm', null);
-                            $set('check_summary', null);
+
-                            $set('check_results', []);
+                            $draft = static::synchronizeRestoreSafetyDraft([
-                            $set('checks_ran_at', null);
+                                ...static::draftDataSnapshot($get),
-                            $set('preview_summary', null);
+                                'scope_mode' => 'all',
-                            $set('preview_diffs', []);
+                                'backup_item_ids' => [],
-                            $set('preview_ran_at', null);
+                                'group_mapping' => $groupMapping,
+                            ]);
+
+                            $set('scope_basis', $draft['scope_basis']);
+                            $set('check_invalidation_reasons', $draft['check_invalidation_reasons']);
+                            $set('preview_invalidation_reasons', $draft['preview_invalidation_reasons']);
                         })
                         ->required(),
                 ]),
@@ -367,27 +378,45 @@ public static function getWizardSteps(): array
                             $set('is_dry_run', true);
                             $set('acknowledged_impact', false);
                             $set('tenant_confirm', null);
-                            $set('check_summary', null);
-                            $set('check_results', []);
-                            $set('checks_ran_at', null);
-                            $set('preview_summary', null);
-                            $set('preview_diffs', []);
-                            $set('preview_ran_at', null);
 
                             if ($state === 'all') {
-                                $set('backup_item_ids', null);
+                                $groupMapping = static::groupMappingPlaceholders(
-                                $set('group_mapping', static::groupMappingPlaceholders(
                                     backupSetId: $backupSetId,
                                     scopeMode: 'all',
                                     selectedItemIds: null,
                                     tenant: $tenant,
-                                ));
+                                );
+
+                                $set('backup_item_ids', null);
+                                $set('group_mapping', $groupMapping);
+
+                                $draft = static::synchronizeRestoreSafetyDraft([
+                                    ...static::draftDataSnapshot($get),
+                                    'scope_mode' => 'all',
+                                    'backup_item_ids' => [],
+                                    'group_mapping' => $groupMapping,
+                                ]);
+
+                                $set('scope_basis', $draft['scope_basis']);
+                                $set('check_invalidation_reasons', $draft['check_invalidation_reasons']);
+                                $set('preview_invalidation_reasons', $draft['preview_invalidation_reasons']);
 
                                 return;
                             }
 
                             $set('group_mapping', []);
                             $set('backup_item_ids', []);
+
+                            $draft = static::synchronizeRestoreSafetyDraft([
+                                ...static::draftDataSnapshot($get),
+                                'scope_mode' => 'selected',
+                                'backup_item_ids' => [],
+                                'group_mapping' => [],
+                            ]);
+
+                            $set('scope_basis', $draft['scope_basis']);
+                            $set('check_invalidation_reasons', $draft['check_invalidation_reasons']);
+                            $set('preview_invalidation_reasons', $draft['preview_invalidation_reasons']);
                         })
                         ->required(),
                     Forms\Components\Select::make('backup_item_ids')
@@ -414,12 +443,21 @@ public static function getWizardSteps(): array
                             $set('is_dry_run', true);
                             $set('acknowledged_impact', false);
                             $set('tenant_confirm', null);
-                            $set('check_summary', null);
+
-                            $set('check_results', []);
+                            $draft = static::synchronizeRestoreSafetyDraft([
-                            $set('checks_ran_at', null);
+                                ...static::draftDataSnapshot($get),
-                            $set('preview_summary', null);
+                                'backup_item_ids' => $selectedItemIds ?? [],
-                            $set('preview_diffs', []);
+                                'group_mapping' => static::groupMappingPlaceholders(
-                            $set('preview_ran_at', null);
+                                    backupSetId: $backupSetId,
+                                    scopeMode: 'selected',
+                                    selectedItemIds: $selectedItemIds,
+                                    tenant: $tenant,
+                                ),
+                            ]);
+
+                            $set('scope_basis', $draft['scope_basis']);
+                            $set('check_invalidation_reasons', $draft['check_invalidation_reasons']);
+                            $set('preview_invalidation_reasons', $draft['preview_invalidation_reasons']);
                         })
                         ->visible(fn (Get $get): bool => $get('scope_mode') === 'selected')
                         ->required(fn (Get $get): bool => $get('scope_mode') === 'selected')
@@ -495,13 +533,16 @@ public static function getWizardSteps(): array
                                     ->placeholder('SKIP or target group Object ID (GUID)')
                                     ->rules([new SkipOrUuidRule])
                                     ->reactive()
-                                    ->afterStateUpdated(function (Set $set): void {
+                                    ->afterStateUpdated(function (Set $set, Get $get): void {
-                                        $set('check_summary', null);
+                                        $set('is_dry_run', true);
-                                        $set('check_results', []);
+                                        $set('acknowledged_impact', false);
-                                        $set('checks_ran_at', null);
+                                        $set('tenant_confirm', null);
-                                        $set('preview_summary', null);
+
-                                        $set('preview_diffs', []);
+                                        $draft = static::synchronizeRestoreSafetyDraft(static::draftDataSnapshot($get));
-                                        $set('preview_ran_at', null);
+
+                                        $set('scope_basis', $draft['scope_basis']);
+                                        $set('check_invalidation_reasons', $draft['check_invalidation_reasons']);
+                                        $set('preview_invalidation_reasons', $draft['preview_invalidation_reasons']);
                                     })
                                     ->required()
                                     ->suffixAction(
@@ -554,10 +595,16 @@ public static function getWizardSteps(): array
             Step::make('Safety & Conflict Checks')
                 ->description('Is this dangerous?')
                 ->schema([
+                    Forms\Components\Hidden::make('scope_basis')
+                        ->default(null),
                     Forms\Components\Hidden::make('check_summary')
                         ->default(null),
                     Forms\Components\Hidden::make('checks_ran_at')
                         ->default(null),
+                    Forms\Components\Hidden::make('check_basis')
+                        ->default(null),
+                    Forms\Components\Hidden::make('check_invalidation_reasons')
+                        ->default([]),
                     Forms\Components\ViewField::make('check_results')
                         ->label('Checks')
                         ->default([])
@@ -565,6 +612,7 @@ public static function getWizardSteps(): array
                         ->viewData(fn (Get $get): array => [
                             'summary' => $get('check_summary'),
                             'ranAt' => $get('checks_ran_at'),
+                            ...static::wizardSafetyState(static::draftDataSnapshot($get)),
                         ])
                         ->hintActions([
                             Actions\Action::make('run_restore_checks')
@@ -614,9 +662,23 @@ public static function getWizardSteps(): array
                                         groupMapping: $groupMapping,
                                     );
 
-                                    $set('check_summary', $outcome['summary'] ?? [], shouldCallUpdatedHooks: true);
+                                    $ranAt = now('UTC')->toIso8601String();
-                                    $set('check_results', $outcome['results'] ?? [], shouldCallUpdatedHooks: true);
+                                    $draft = [
-                                    $set('checks_ran_at', now()->toIso8601String(), shouldCallUpdatedHooks: true);
+                                        ...static::draftDataSnapshot($get),
+                                        'check_summary' => $outcome['summary'] ?? [],
+                                        'check_results' => $outcome['results'] ?? [],
+                                        'checks_ran_at' => $ranAt,
+                                    ];
+                                    $draft['check_basis'] = static::restoreSafetyResolver()->checksBasisFromData($draft);
+                                    $draft['check_invalidation_reasons'] = [];
+                                    $draft = static::synchronizeRestoreSafetyDraft($draft);
+
+                                    $set('check_summary', $draft['check_summary'], shouldCallUpdatedHooks: true);
+                                    $set('check_results', $draft['check_results'], shouldCallUpdatedHooks: true);
+                                    $set('checks_ran_at', $ranAt, shouldCallUpdatedHooks: true);
+                                    $set('check_basis', $draft['check_basis'], shouldCallUpdatedHooks: true);
+                                    $set('check_invalidation_reasons', [], shouldCallUpdatedHooks: true);
+                                    $set('scope_basis', $draft['scope_basis'], shouldCallUpdatedHooks: true);
 
                                     $summary = $outcome['summary'] ?? [];
                                     $blockers = (int) ($summary['blocking'] ?? 0);
@@ -644,6 +706,8 @@ public static function getWizardSteps(): array
                                     $set('check_summary', null, shouldCallUpdatedHooks: true);
                                     $set('check_results', [], shouldCallUpdatedHooks: true);
                                     $set('checks_ran_at', null, shouldCallUpdatedHooks: true);
+                                    $set('check_basis', null, shouldCallUpdatedHooks: true);
+                                    $set('check_invalidation_reasons', [], shouldCallUpdatedHooks: true);
                                 }),
                         ])
                         ->helperText('Run checks after defining scope and mapping missing groups.'),
@@ -656,6 +720,10 @@ public static function getWizardSteps(): array
                     Forms\Components\Hidden::make('preview_ran_at')
                         ->default(null)
                         ->required(),
+                    Forms\Components\Hidden::make('preview_basis')
+                        ->default(null),
+                    Forms\Components\Hidden::make('preview_invalidation_reasons')
+                        ->default([]),
                     Forms\Components\ViewField::make('preview_diffs')
                         ->label('Preview')
                         ->default([])
@@ -663,6 +731,7 @@ public static function getWizardSteps(): array
                         ->viewData(fn (Get $get): array => [
                             'summary' => $get('preview_summary'),
                             'ranAt' => $get('preview_ran_at'),
+                            ...static::wizardSafetyState(static::draftDataSnapshot($get)),
                         ])
                         ->hintActions([
                             Actions\Action::make('run_restore_preview')
@@ -711,10 +780,23 @@ public static function getWizardSteps(): array
 
                                     $summary = $outcome['summary'] ?? [];
                                     $diffs = $outcome['diffs'] ?? [];
+                                    $ranAt = (string) ($summary['generated_at'] ?? now('UTC')->toIso8601String());
+                                    $draft = [
+                                        ...static::draftDataSnapshot($get),
+                                        'preview_summary' => $summary,
+                                        'preview_diffs' => $diffs,
+                                        'preview_ran_at' => $ranAt,
+                                    ];
+                                    $draft['preview_basis'] = static::restoreSafetyResolver()->previewBasisFromData($draft);
+                                    $draft['preview_invalidation_reasons'] = [];
+                                    $draft = static::synchronizeRestoreSafetyDraft($draft);
 
                                     $set('preview_summary', $summary, shouldCallUpdatedHooks: true);
                                     $set('preview_diffs', $diffs, shouldCallUpdatedHooks: true);
-                                    $set('preview_ran_at', $summary['generated_at'] ?? now()->toIso8601String(), shouldCallUpdatedHooks: true);
+                                    $set('preview_ran_at', $ranAt, shouldCallUpdatedHooks: true);
+                                    $set('preview_basis', $draft['preview_basis'], shouldCallUpdatedHooks: true);
+                                    $set('preview_invalidation_reasons', [], shouldCallUpdatedHooks: true);
+                                    $set('scope_basis', $draft['scope_basis'], shouldCallUpdatedHooks: true);
 
                                     $policiesChanged = (int) ($summary['policies_changed'] ?? 0);
                                     $policiesTotal = (int) ($summary['policies_total'] ?? 0);
@@ -737,6 +819,8 @@ public static function getWizardSteps(): array
                                     $set('preview_summary', null, shouldCallUpdatedHooks: true);
                                     $set('preview_diffs', [], shouldCallUpdatedHooks: true);
                                     $set('preview_ran_at', null, shouldCallUpdatedHooks: true);
+                                    $set('preview_basis', null, shouldCallUpdatedHooks: true);
+                                    $set('preview_invalidation_reasons', [], shouldCallUpdatedHooks: true);
                                 }),
                         ])
                         ->helperText('Generate a normalized diff preview before creating the dry-run restore.'),
@@ -760,24 +844,66 @@ public static function getWizardSteps(): array
 
                             return (string) ($tenant->name ?? $tenantIdentifier ?? $tenant->getKey());
                         }),
+                    Forms\Components\Placeholder::make('confirm_execution_readiness')
+                        ->label('Technical startability')
+                        ->content(function (Get $get): string {
+                            $state = static::wizardSafetyState(static::draftDataSnapshot($get));
+                            $readiness = $state['executionReadiness'];
+
+                            if (! is_array($readiness)) {
+                                return 'Execution readiness is unavailable.';
+                            }
+
+                            return (string) ($readiness['display_summary'] ?? 'Execution readiness is unavailable.');
+                        }),
+                    Forms\Components\Placeholder::make('confirm_safety_readiness')
+                        ->label('Safety readiness')
+                        ->content(function (Get $get): string {
+                            $state = static::wizardSafetyState(static::draftDataSnapshot($get));
+                            $assessment = $state['safetyAssessment'];
+
+                            if (! is_array($assessment)) {
+                                return 'Safety readiness is unavailable.';
+                            }
+
+                            return (string) ($assessment['summary'] ?? 'Safety readiness is unavailable.');
+                        }),
+                    Forms\Components\Placeholder::make('confirm_primary_next_step')
+                        ->label('Primary next step')
+                        ->content(function (Get $get): string {
+                            $state = static::wizardSafetyState(static::draftDataSnapshot($get));
+                            $assessment = $state['safetyAssessment'];
+
+                            if (! is_array($assessment)) {
+                                return 'Review the current scope and safety evidence.';
+                            }
+
+                            return RestoreSafetyCopy::primaryNextAction(
+                                is_string($assessment['primary_next_action'] ?? null)
+                                    ? $assessment['primary_next_action']
+                                    : 'review_scope'
+                            );
+                        }),
                     Forms\Components\Toggle::make('is_dry_run')
                         ->label('Preview only (dry-run)')
                         ->default(true)
                         ->reactive()
                         ->disabled(function (Get $get): bool {
-                            if (! filled($get('checks_ran_at'))) {
+                            $state = static::wizardSafetyState(static::draftDataSnapshot($get));
-                                return true;
+                            $readiness = $state['executionReadiness'];
-                            }
 
-                            $summary = $get('check_summary');
+                            return ! is_array($readiness) || ! (bool) ($readiness['allowed'] ?? false);
-
-                            if (! is_array($summary)) {
-                                return false;
-                            }
-
-                            return (int) ($summary['blocking'] ?? 0) > 0;
                         })
-                        ->helperText('Turn OFF to queue a real execution. Execution requires checks + preview + confirmations.'),
+                        ->helperText(function (Get $get): string {
+                            $state = static::wizardSafetyState(static::draftDataSnapshot($get));
+                            $assessment = $state['safetyAssessment'];
+
+                            if (! is_array($assessment)) {
+                                return 'Turn OFF to queue a real execution. Execution requires checks, preview, and confirmations.';
+                            }
+
+                            return (string) ($assessment['summary'] ?? 'Turn OFF to queue a real execution. Execution requires checks, preview, and confirmations.');
+                        }),
                     Forms\Components\Checkbox::make('acknowledged_impact')
                         ->label('I reviewed the impact (checks + preview)')
                         ->accepted()
@@ -1290,11 +1416,11 @@ public static function infolist(Schema $schema): Schema
                 Infolists\Components\ViewEntry::make('preview')
                     ->label('Preview')
                     ->view('filament.infolists.entries.restore-preview')
-                    ->state(fn ($record) => $record->preview ?? []),
+                    ->state(fn (RestoreRun $record): array => static::detailPreviewState($record)),
                 Infolists\Components\ViewEntry::make('results')
                     ->label('Results')
                     ->view('filament.infolists.entries.restore-results')
-                    ->state(fn ($record) => $record->results ?? []),
+                    ->state(fn (RestoreRun $record): array => static::detailResultsState($record)),
             ]);
     }
 
@@ -1471,37 +1597,6 @@ public static function createRestoreRun(array $data): RestoreRun
             abort(403);
         }
 
-        try {
-            app(WriteGateInterface::class)->evaluate($tenant, 'restore.execute');
-        } catch (ProviderAccessHardeningRequired $e) {
-            app(\App\Services\Intune\AuditLogger::class)->log(
-                tenant: $tenant,
-                action: 'intune_rbac.write_blocked',
-                status: 'blocked',
-                actorId: (int) $user->getKey(),
-                actorEmail: $user->email,
-                actorName: $user->name,
-                resourceType: 'restore_run',
-                context: [
-                    'metadata' => [
-                        'operation_type' => 'restore.execute',
-                        'reason_code' => $e->reasonCode,
-                        'backup_set_id' => $data['backup_set_id'] ?? null,
-                    ],
-                ],
-            );
-
-            Notification::make()
-                ->title('Write operation blocked')
-                ->body($e->reasonMessage)
-                ->danger()
-                ->send();
-
-            throw ValidationException::withMessages([
-                'backup_set_id' => $e->reasonMessage,
-            ]);
-        }
-
         /** @var BackupSet $backupSet */
         $backupSet = BackupSet::findOrFail($data['backup_set_id']);
 
@@ -1520,6 +1615,26 @@ public static function createRestoreRun(array $data): RestoreRun
         $actorName = auth()->user()?->name;
         $isDryRun = (bool) ($data['is_dry_run'] ?? true);
         $groupMapping = static::normalizeGroupMapping($data['group_mapping'] ?? null);
+        $data = static::synchronizeRestoreSafetyDraft([
+            ...$data,
+            'group_mapping' => $groupMapping,
+        ]);
+        $restoreSafetyResolver = static::restoreSafetyResolver();
+        $scopeBasis = is_array($data['scope_basis'] ?? null)
+            ? $data['scope_basis']
+            : $restoreSafetyResolver->scopeBasisFromData($data);
+        $checkBasis = is_array($data['check_basis'] ?? null)
+            ? $data['check_basis']
+            : $restoreSafetyResolver->checksBasisFromData($data);
+        $previewBasis = is_array($data['preview_basis'] ?? null)
+            ? $data['preview_basis']
+            : $restoreSafetyResolver->previewBasisFromData($data);
+        $data = [
+            ...$data,
+            'scope_basis' => $scopeBasis,
+            'check_basis' => $checkBasis,
+            'preview_basis' => $previewBasis,
+        ];
 
         $checkSummary = $data['check_summary'] ?? null;
         $checkResults = $data['check_results'] ?? null;
@@ -1532,27 +1647,71 @@ public static function createRestoreRun(array $data): RestoreRun
         $highlanderLabel = (string) ($tenant->name ?? $tenantIdentifier ?? $tenant->getKey());
 
         if (! $isDryRun) {
-            if (! is_array($checkSummary) || ! filled($checksRanAt)) {
+            try {
+                app(WriteGateInterface::class)->evaluate($tenant, 'restore.execute');
+            } catch (ProviderAccessHardeningRequired $e) {
+                app(\App\Services\Intune\AuditLogger::class)->log(
+                    tenant: $tenant,
+                    action: 'intune_rbac.write_blocked',
+                    status: 'blocked',
+                    actorId: (int) $user->getKey(),
+                    actorEmail: $user->email,
+                    actorName: $user->name,
+                    resourceType: 'restore_run',
+                    context: [
+                        'metadata' => [
+                            'operation_type' => 'restore.execute',
+                            'reason_code' => $e->reasonCode,
+                            'backup_set_id' => $data['backup_set_id'] ?? null,
+                        ],
+                    ],
+                );
+
+                Notification::make()
+                    ->title('Write operation blocked')
+                    ->body($e->reasonMessage)
+                    ->danger()
+                    ->send();
+
+                throw ValidationException::withMessages([
+                    'backup_set_id' => $e->reasonMessage,
+                ]);
+            }
+
+            $previewIntegrity = $restoreSafetyResolver->previewIntegrityFromData($data);
+            $checksIntegrity = $restoreSafetyResolver->checksIntegrityFromData($data);
+            $assessment = $restoreSafetyResolver->safetyAssessment($tenant, $user, $data);
+
+            if ($checksIntegrity->state === ChecksIntegrityState::STATE_NOT_RUN) {
                 throw ValidationException::withMessages([
                     'check_summary' => 'Run safety checks before executing.',
                 ]);
             }
 
-            $blocking = (int) ($checkSummary['blocking'] ?? 0);
+            if ($checksIntegrity->state !== ChecksIntegrityState::STATE_CURRENT) {
-            $hasBlockers = (bool) ($checkSummary['has_blockers'] ?? ($blocking > 0));
+                throw ValidationException::withMessages([
+                    'check_summary' => 'Run safety checks again for the current scope before executing.',
+                ]);
+            }
 
-            if ($blocking > 0 || $hasBlockers) {
+            if ($checksIntegrity->blockingCount > 0 || $assessment->state === 'blocked') {
                 throw ValidationException::withMessages([
                     'check_summary' => 'Blocking checks must be resolved before executing.',
                 ]);
             }
 
-            if (! filled($previewRanAt)) {
+            if ($previewIntegrity->state === PreviewIntegrityState::STATE_NOT_GENERATED) {
                 throw ValidationException::withMessages([
                     'preview_ran_at' => 'Generate preview before executing.',
                 ]);
             }
 
+            if ($previewIntegrity->state !== PreviewIntegrityState::STATE_CURRENT) {
+                throw ValidationException::withMessages([
+                    'preview_ran_at' => 'Generate preview again for the current scope before executing.',
+                ]);
+            }
+
             if (! (bool) ($data['acknowledged_impact'] ?? false)) {
                 throw ValidationException::withMessages([
                     'acknowledged_impact' => 'Please acknowledge that you reviewed the impact.',
@@ -1605,6 +1764,16 @@ public static function createRestoreRun(array $data): RestoreRun
                 $metadata['preview_ran_at'] = $previewRanAt;
             }
 
+            $metadata['scope_basis'] = $scopeBasis;
+
+            if (is_array($checkBasis)) {
+                $metadata['check_basis'] = $checkBasis;
+            }
+
+            if (is_array($previewBasis)) {
+                $metadata['preview_basis'] = $previewBasis;
+            }
+
             $restoreRun->update(['metadata' => $metadata]);
 
             return $restoreRun->refresh();
@@ -1619,6 +1788,7 @@ public static function createRestoreRun(array $data): RestoreRun
             'confirmed_at' => now()->toIso8601String(),
             'confirmed_by' => $actorEmail,
             'confirmed_by_name' => $actorName,
+            'scope_basis' => $scopeBasis,
         ];
 
         if (is_array($checkSummary)) {
@@ -1645,6 +1815,18 @@ public static function createRestoreRun(array $data): RestoreRun
             $metadata['preview_ran_at'] = $previewRanAt;
         }
 
+        if (is_array($checkBasis)) {
+            $metadata['check_basis'] = $checkBasis;
+        }
+
+        if (is_array($previewBasis)) {
+            $metadata['preview_basis'] = $previewBasis;
+        }
+
+        $metadata['execution_safety_snapshot'] = $restoreSafetyResolver
+            ->executionSafetySnapshot($tenant, $user, $data)
+            ->toArray();
+
         $idempotencyKey = RestoreRunIdempotency::restoreExecuteKey(
             tenantId: (int) $tenant->getKey(),
             backupSetId: (int) $backupSet->getKey(),
@@ -1768,6 +1950,145 @@ public static function createRestoreRun(array $data): RestoreRun
         return $restoreRun->refresh();
     }
 
+    /**
+     * @param  array<string, mixed>  $data
+     * @return array<string, mixed>
+     */
+    public static function synchronizeRestoreSafetyDraft(array $data): array
+    {
+        $resolver = static::restoreSafetyResolver();
+        $scope = $resolver->scopeFingerprintFromData($data);
+
+        $data['scope_basis'] = $resolver->scopeBasisFromData($data);
+        $data['check_invalidation_reasons'] = $resolver->invalidationReasonsForBasis(
+            currentScope: $scope,
+            basis: is_array($data['check_basis'] ?? null) ? $data['check_basis'] : null,
+            explicitReasons: $data['check_invalidation_reasons'] ?? null,
+        );
+        $data['preview_invalidation_reasons'] = $resolver->invalidationReasonsForBasis(
+            currentScope: $scope,
+            basis: is_array($data['preview_basis'] ?? null) ? $data['preview_basis'] : null,
+            explicitReasons: $data['preview_invalidation_reasons'] ?? null,
+        );
+
+        return $data;
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     * @return array<string, mixed>
+     */
+    private static function wizardSafetyState(array $data): array
+    {
+        $data = static::synchronizeRestoreSafetyDraft($data);
+        $resolver = static::restoreSafetyResolver();
+        $tenant = static::resolveTenantContextForCurrentPanel();
+        $user = auth()->user();
+        $scope = $resolver->scopeFingerprintFromData($data)->toArray();
+        $previewIntegrity = $resolver->previewIntegrityFromData($data);
+        $checksIntegrity = $resolver->checksIntegrityFromData($data);
+
+        if (! $tenant instanceof Tenant || ! $user instanceof User) {
+            return [
+                'currentScope' => $scope,
+                'previewIntegrity' => $previewIntegrity->toArray(),
+                'checksIntegrity' => $checksIntegrity->toArray(),
+                'executionReadiness' => null,
+                'safetyAssessment' => null,
+            ];
+        }
+
+        $assessment = $resolver->safetyAssessment($tenant, $user, $data);
+
+        return [
+            'currentScope' => $scope,
+            'previewIntegrity' => $previewIntegrity->toArray(),
+            'checksIntegrity' => $checksIntegrity->toArray(),
+            'executionReadiness' => $assessment->executionReadiness->toArray(),
+            'safetyAssessment' => $assessment->toArray(),
+        ];
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private static function draftDataSnapshot(Get $get): array
+    {
+        return [
+            'backup_set_id' => $get('backup_set_id'),
+            'scope_mode' => $get('scope_mode'),
+            'backup_item_ids' => $get('backup_item_ids'),
+            'group_mapping' => static::normalizeGroupMapping($get('group_mapping')),
+            'check_summary' => $get('check_summary'),
+            'check_results' => $get('check_results'),
+            'checks_ran_at' => $get('checks_ran_at'),
+            'check_basis' => $get('check_basis'),
+            'check_invalidation_reasons' => $get('check_invalidation_reasons'),
+            'preview_summary' => $get('preview_summary'),
+            'preview_diffs' => $get('preview_diffs'),
+            'preview_ran_at' => $get('preview_ran_at'),
+            'preview_basis' => $get('preview_basis'),
+            'preview_invalidation_reasons' => $get('preview_invalidation_reasons'),
+            'scope_basis' => $get('scope_basis'),
+            'is_dry_run' => $get('is_dry_run'),
+        ];
+    }
+
+    /**
+     * @return array{
+     *     preview: array<int|string, mixed>,
+     *     previewIntegrity: array<string, mixed>,
+     *     checksIntegrity: array<string, mixed>,
+     *     executionSafetySnapshot: array<string, mixed>,
+     *     scopeBasis: array<string, mixed>
+     * }
+     */
+    private static function detailPreviewState(RestoreRun $record): array
+    {
+        $resolver = static::restoreSafetyResolver();
+        $data = [
+            'backup_set_id' => $record->backup_set_id,
+            'scope_mode' => (string) (($record->scopeBasis()['scope_mode'] ?? null) ?: ((is_array($record->requested_items) && $record->requested_items !== []) ? 'selected' : 'all')),
+            'backup_item_ids' => is_array($record->requested_items) ? $record->requested_items : [],
+            'group_mapping' => is_array($record->group_mapping) ? $record->group_mapping : [],
+            'preview_basis' => $record->previewBasis(),
+            'check_basis' => $record->checkBasis(),
+            'check_summary' => is_array(($record->metadata ?? [])['check_summary'] ?? null) ? $record->metadata['check_summary'] : [],
+            'checks_ran_at' => $record->checkBasis()['ran_at'] ?? (($record->metadata ?? [])['checks_ran_at'] ?? null),
+            'preview_summary' => is_array(($record->metadata ?? [])['preview_summary'] ?? null) ? $record->metadata['preview_summary'] : [],
+            'preview_ran_at' => $record->previewBasis()['generated_at'] ?? (($record->metadata ?? [])['preview_ran_at'] ?? null),
+        ];
+
+        return [
+            'preview' => is_array($record->preview) ? $record->preview : [],
+            'previewIntegrity' => $resolver->previewIntegrityFromData($data)->toArray(),
+            'checksIntegrity' => $resolver->checksIntegrityFromData($data)->toArray(),
+            'executionSafetySnapshot' => $record->executionSafetySnapshot(),
+            'scopeBasis' => $record->scopeBasis(),
+        ];
+    }
+
+    /**
+     * @return array{
+     *     results: array<string, mixed>|array<int|string, mixed>,
+     *     resultAttention: array<string, mixed>,
+     *     executionSafetySnapshot: array<string, mixed>
+     * }
+     */
+    private static function detailResultsState(RestoreRun $record): array
+    {
+        return [
+            'results' => is_array($record->results) ? $record->results : [],
+            'resultAttention' => static::restoreSafetyResolver()->resultAttentionForRun($record)->toArray(),
+            'executionSafetySnapshot' => $record->executionSafetySnapshot(),
+        ];
+    }
+
+    private static function restoreSafetyResolver(): RestoreSafetyResolver
+    {
+        return app(RestoreSafetyResolver::class);
+    }
+
     /**
      * @param  array<int>|null  $selectedItemIds
      * @return array<int, array{id:string,label:string}>

app/Filament/Resources/RestoreRunResource/Pages/CreateRestoreRun.php

@@ -96,6 +96,9 @@ protected function afterFill(): void
 
             $this->form->callAfterStateUpdated('data.backup_item_ids');
         }
+
+        $this->data = RestoreRunResource::synchronizeRestoreSafetyDraft($this->data);
+        $this->form->fill($this->data);
     }
 
     /**
@@ -151,13 +154,10 @@ protected function handleRecordCreation(array $data): Model
     public function applyEntraGroupCachePick(string $sourceGroupId, string $entraId): void
     {
         data_set($this->data, "group_mapping.{$sourceGroupId}", $entraId);
-
+        $this->data['is_dry_run'] = true;
-        $this->data['check_summary'] = null;
+        $this->data['acknowledged_impact'] = false;
-        $this->data['check_results'] = [];
+        $this->data['tenant_confirm'] = null;
-        $this->data['checks_ran_at'] = null;
+        $this->data = RestoreRunResource::synchronizeRestoreSafetyDraft($this->data);
-        $this->data['preview_summary'] = null;
-        $this->data['preview_diffs'] = [];
-        $this->data['preview_ran_at'] = null;
 
         $this->form->fill($this->data);
 

app/Filament/Resources/TenantResource.php

@@ -284,13 +284,6 @@ public static function table(Table $table): Table
                     ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantStatus))
                     ->description(fn (Tenant $record): string => static::tenantLifecyclePresentation($record)->shortDescription)
                     ->sortable(),
-                Tables\Columns\TextColumn::make('app_status')
-                    ->badge()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantAppStatus))
-                    ->color(BadgeRenderer::color(BadgeDomain::TenantAppStatus))
-                    ->icon(BadgeRenderer::icon(BadgeDomain::TenantAppStatus))
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantAppStatus))
-                    ->toggleable(isToggledHiddenByDefault: true),
                 Tables\Columns\TextColumn::make('created_at')
                     ->dateTime()
                     ->since()
@@ -310,13 +303,6 @@ public static function table(Table $table): Table
                         'staging' => 'STAGING',
                         'other' => 'Other',
                     ]),
-                Tables\Filters\SelectFilter::make('app_status')
-                    ->options([
-                        'ok' => 'OK',
-                        'consent_required' => 'Consent required',
-                        'error' => 'Error',
-                        'unknown' => 'Unknown',
-                    ]),
             ])
             ->actions([
                 Actions\Action::make('related_onboarding')
@@ -842,12 +828,6 @@ public static function infolist(Schema $schema): Schema
                             ->label('Lifecycle summary')
                             ->state(fn (Tenant $record): string => static::tenantLifecyclePresentation($record)->longDescription)
                             ->columnSpanFull(),
-                        Infolists\Components\TextEntry::make('app_status')
-                            ->badge()
-                            ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantAppStatus))
-                            ->color(BadgeRenderer::color(BadgeDomain::TenantAppStatus))
-                            ->icon(BadgeRenderer::icon(BadgeDomain::TenantAppStatus))
-                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantAppStatus)),
                     ])
                     ->columns(2)
                     ->columnSpanFull(),
@@ -1492,19 +1472,30 @@ private static function providerConnectionState(Tenant $tenant): array
     {
         $ctaUrl = ProviderConnectionResource::getUrl('index', ['tenant_id' => (string) $tenant->external_id], panel: 'admin');
 
-        $connection = ProviderConnection::query()
+        $defaultConnection = ProviderConnection::query()
             ->where('tenant_id', (int) $tenant->getKey())
             ->where('provider', 'microsoft')
-            ->orderByDesc('is_default')
+            ->where('is_default', true)
             ->orderBy('id')
             ->first();
 
+        $connection = $defaultConnection instanceof ProviderConnection
+            ? $defaultConnection
+            : ProviderConnection::query()
+                ->where('tenant_id', (int) $tenant->getKey())
+                ->where('provider', 'microsoft')
+                ->orderBy('id')
+                ->first();
+
         if (! $connection instanceof ProviderConnection) {
             return [
-                'state' => 'needs_action',
+                'state' => 'missing',
                 'cta_url' => $ctaUrl,
+                'needs_default_connection' => false,
                 'display_name' => null,
                 'provider' => null,
+                'consent_status' => null,
+                'verification_status' => null,
                 'status' => null,
                 'health_status' => null,
                 'last_health_check_at' => null,
@@ -1515,8 +1506,15 @@ private static function providerConnectionState(Tenant $tenant): array
         return [
             'state' => $connection->is_default ? 'default_configured' : 'configured',
             'cta_url' => $ctaUrl,
+            'needs_default_connection' => ! $connection->is_default,
             'display_name' => (string) $connection->display_name,
             'provider' => (string) $connection->provider,
+            'consent_status' => $connection->consent_status instanceof BackedEnum
+                ? (string) $connection->consent_status->value
+                : (is_string($connection->consent_status) ? $connection->consent_status : null),
+            'verification_status' => $connection->verification_status instanceof BackedEnum
+                ? (string) $connection->verification_status->value
+                : (is_string($connection->verification_status) ? $connection->verification_status : null),
             'status' => is_string($connection->status) ? $connection->status : null,
             'health_status' => is_string($connection->health_status) ? $connection->health_status : null,
             'last_health_check_at' => optional($connection->last_health_check_at)->toDateTimeString(),

app/Filament/System/Pages/Ops/Failures.php

@@ -12,6 +12,7 @@
 use App\Support\OperationCatalog;
 use App\Support\OperationRunOutcome;
 use App\Support\OperationRunStatus;
+use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\System\SystemOperationRunLinks;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
@@ -113,16 +114,46 @@ public function table(Table $table): Table
                     ->state(fn (OperationRun $record): string => '#'.$record->getKey()),
                 TextColumn::make('status')
                     ->badge()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunStatus))
+                    ->formatStateUsing(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
-                    ->color(BadgeRenderer::color(BadgeDomain::OperationRunStatus))
+                        'status' => (string) $record->status,
-                    ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunStatus))
+                        'freshness_state' => $record->freshnessState()->value,
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunStatus)),
+                    ])->label)
+                    ->color(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->color)
+                    ->icon(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->icon)
+                    ->iconColor(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->iconColor)
+                    ->description(fn (OperationRun $record): ?string => OperationUxPresenter::lifecycleAttentionSummary($record)),
                 TextColumn::make('outcome')
                     ->badge()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunOutcome))
+                    ->formatStateUsing(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, [
-                    ->color(BadgeRenderer::color(BadgeDomain::OperationRunOutcome))
+                        'outcome' => (string) $record->outcome,
-                    ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunOutcome))
+                        'status' => (string) $record->status,
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunOutcome)),
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->label)
+                    ->color(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, [
+                        'outcome' => (string) $record->outcome,
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->color)
+                    ->icon(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, [
+                        'outcome' => (string) $record->outcome,
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->icon)
+                    ->iconColor(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, [
+                        'outcome' => (string) $record->outcome,
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->iconColor)
+                    ->description(fn (OperationRun $record): ?string => OperationUxPresenter::surfaceGuidance($record)),
                 TextColumn::make('type')
                     ->label('Operation')
                     ->formatStateUsing(fn (?string $state): string => OperationCatalog::label((string) $state))

app/Filament/System/Pages/Ops/Runs.php

@@ -10,6 +10,7 @@
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
 use App\Support\OperationCatalog;
+use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\System\SystemOperationRunLinks;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
@@ -94,16 +95,46 @@ public function table(Table $table): Table
                     ->state(fn (OperationRun $record): string => '#'.$record->getKey()),
                 TextColumn::make('status')
                     ->badge()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunStatus))
+                    ->formatStateUsing(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
-                    ->color(BadgeRenderer::color(BadgeDomain::OperationRunStatus))
+                        'status' => (string) $record->status,
-                    ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunStatus))
+                        'freshness_state' => $record->freshnessState()->value,
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunStatus)),
+                    ])->label)
+                    ->color(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->color)
+                    ->icon(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->icon)
+                    ->iconColor(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->iconColor)
+                    ->description(fn (OperationRun $record): ?string => OperationUxPresenter::lifecycleAttentionSummary($record)),
                 TextColumn::make('outcome')
                     ->badge()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunOutcome))
+                    ->formatStateUsing(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, [
-                    ->color(BadgeRenderer::color(BadgeDomain::OperationRunOutcome))
+                        'outcome' => (string) $record->outcome,
-                    ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunOutcome))
+                        'status' => (string) $record->status,
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunOutcome)),
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->label)
+                    ->color(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, [
+                        'outcome' => (string) $record->outcome,
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->color)
+                    ->icon(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, [
+                        'outcome' => (string) $record->outcome,
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->icon)
+                    ->iconColor(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, [
+                        'outcome' => (string) $record->outcome,
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->iconColor)
+                    ->description(fn (OperationRun $record): ?string => OperationUxPresenter::surfaceGuidance($record)),
                 TextColumn::make('type')
                     ->label('Operation')
                     ->formatStateUsing(fn (?string $state): string => OperationCatalog::label((string) $state))

app/Filament/System/Pages/Ops/Stuck.php

@@ -11,6 +11,7 @@
 use App\Support\Badges\BadgeRenderer;
 use App\Support\OperationCatalog;
 use App\Support\OperationRunStatus;
+use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\System\SystemOperationRunLinks;
 use App\Support\SystemConsole\StuckRunClassifier;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
@@ -112,10 +113,23 @@ public function table(Table $table): Table
                     ->state(fn (OperationRun $record): string => '#'.$record->getKey()),
                 TextColumn::make('status')
                     ->badge()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunStatus))
+                    ->formatStateUsing(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
-                    ->color(BadgeRenderer::color(BadgeDomain::OperationRunStatus))
+                        'status' => (string) $record->status,
-                    ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunStatus))
+                        'freshness_state' => $record->freshnessState()->value,
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunStatus)),
+                    ])->label)
+                    ->color(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->color)
+                    ->icon(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->icon)
+                    ->iconColor(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->iconColor)
+                    ->description(null),
                 TextColumn::make('stuck_class')
                     ->label('Stuck class')
                     ->state(function (OperationRun $record): string {
@@ -126,6 +140,7 @@ public function table(Table $table): Table
                 TextColumn::make('type')
                     ->label('Operation')
                     ->formatStateUsing(fn (?string $state): string => OperationCatalog::label((string) $state))
+                    ->description(fn (OperationRun $record): ?string => OperationUxPresenter::lifecycleAttentionSummary($record))
                     ->searchable(),
                 TextColumn::make('workspace.name')
                     ->label('Workspace')

app/Filament/Widgets/Dashboard/DashboardKpis.php

@@ -23,13 +23,7 @@ class DashboardKpis extends StatsOverviewWidget
 
     protected function getPollingInterval(): ?string
     {
-        $tenant = Filament::getTenant();
+        return ActiveRuns::pollingIntervalForTenant(Filament::getTenant());
-
-        if (! $tenant instanceof Tenant) {
-            return null;
-        }
-
-        return ActiveRuns::existForTenant($tenant) ? '10s' : null;
     }
 
     /**
@@ -60,9 +54,14 @@ protected function getStats(): array
             ->healthyActive()
             ->count();
 
-        $followUpRuns = (int) OperationRun::query()
+        $staleActiveRuns = (int) OperationRun::query()
             ->where('tenant_id', $tenantId)
-            ->dashboardNeedsFollowUp()
+            ->activeStaleAttention()
+            ->count();
+
+        $terminalFollowUpRuns = (int) OperationRun::query()
+            ->where('tenant_id', $tenantId)
+            ->terminalFollowUp()
             ->count();
 
         $openDriftUrl = $openDriftFindings > 0
@@ -96,10 +95,26 @@ protected function getStats(): array
                 ->description('healthy queued or running tenant work')
                 ->color($activeRuns > 0 ? 'info' : 'gray')
                 ->url($activeRuns > 0 ? OperationRunLinks::index($tenant, activeTab: 'active') : null),
-            Stat::make('Operations needing follow-up', $followUpRuns)
+            Stat::make('Likely stale operations', $staleActiveRuns)
-                ->description('failed, warning, or stalled runs')
+                ->description('queued or running past the lifecycle window')
-                ->color($followUpRuns > 0 ? 'danger' : 'gray')
+                ->color($staleActiveRuns > 0 ? 'warning' : 'gray')
-                ->url($followUpRuns > 0 ? OperationRunLinks::index($tenant, activeTab: 'blocked') : null),
+                ->url($staleActiveRuns > 0
+                    ? OperationRunLinks::index(
+                        $tenant,
+                        activeTab: OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION,
+                        problemClass: OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION,
+                    )
+                    : null),
+            Stat::make('Terminal follow-up operations', $terminalFollowUpRuns)
+                ->description('blocked, partial, failed, or auto-reconciled runs')
+                ->color($terminalFollowUpRuns > 0 ? 'danger' : 'gray')
+                ->url($terminalFollowUpRuns > 0
+                    ? OperationRunLinks::index(
+                        $tenant,
+                        activeTab: OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP,
+                        problemClass: OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP,
+                    )
+                    : null),
         ];
     }
 
@@ -112,7 +127,8 @@ private function emptyStats(): array
             Stat::make('Open drift findings', 0),
             Stat::make('High severity active findings', 0),
             Stat::make('Active operations', 0),
-            Stat::make('Operations needing follow-up', 0),
+            Stat::make('Likely stale operations', 0),
+            Stat::make('Terminal follow-up operations', 0),
         ];
     }
 

app/Filament/Widgets/Dashboard/NeedsAttention.php

@@ -48,9 +48,13 @@ protected function getViewData(): array
         $lapsedGovernanceCount = $aggregate->lapsedGovernanceCount;
         $expiringGovernanceCount = $aggregate->expiringGovernanceCount;
         $highSeverityCount = $aggregate->highSeverityActiveFindingsCount;
-        $operationsFollowUpCount = (int) OperationRun::query()
+        $staleActiveOperationsCount = (int) OperationRun::query()
             ->where('tenant_id', $tenantId)
-            ->dashboardNeedsFollowUp()
+            ->activeStaleAttention()
+            ->count();
+        $terminalFollowUpOperationsCount = (int) OperationRun::query()
+            ->where('tenant_id', $tenantId)
+            ->terminalFollowUp()
             ->count();
         $activeRuns = (int) OperationRun::query()
             ->where('tenant_id', $tenantId)
@@ -139,15 +143,35 @@ protected function getViewData(): array
             ];
         }
 
-        if ($operationsFollowUpCount > 0) {
+        if ($staleActiveOperationsCount > 0) {
             $items[] = [
-                'key' => 'operations_follow_up',
+                'key' => 'operations_stale_attention',
-                'title' => 'Operations need follow-up',
+                'title' => 'Active operations look stale',
-                'body' => "{$operationsFollowUpCount} run(s) failed, completed with warnings, or look stalled.",
+                'body' => "{$staleActiveOperationsCount} run(s) are still marked active but are past the lifecycle window.",
+                'badge' => 'Operations',
+                'badgeColor' => 'warning',
+                'actionLabel' => 'Open stale operations',
+                'actionUrl' => OperationRunLinks::index(
+                    $tenant,
+                    activeTab: OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION,
+                    problemClass: OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION,
+                ),
+            ];
+        }
+
+        if ($terminalFollowUpOperationsCount > 0) {
+            $items[] = [
+                'key' => 'operations_terminal_follow_up',
+                'title' => 'Terminal operations need follow-up',
+                'body' => "{$terminalFollowUpOperationsCount} run(s) finished blocked, partially, failed, or were automatically reconciled.",
                 'badge' => 'Operations',
                 'badgeColor' => 'danger',
-                'actionLabel' => 'Open operations',
+                'actionLabel' => 'Open terminal follow-up',
-                'actionUrl' => OperationRunLinks::index($tenant, activeTab: 'blocked'),
+                'actionUrl' => OperationRunLinks::index(
+                    $tenant,
+                    activeTab: OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP,
+                    problemClass: OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP,
+                ),
             ];
         }
 
@@ -184,7 +208,7 @@ protected function getViewData(): array
         }
 
         return [
-            'pollingInterval' => ActiveRuns::existForTenant($tenant) ? '10s' : null,
+            'pollingInterval' => ActiveRuns::pollingIntervalForTenant($tenant),
             'items' => $items,
             'healthyChecks' => $healthyChecks,
         ];

app/Filament/Widgets/Dashboard/RecentOperations.php

@@ -29,7 +29,7 @@ public function table(Table $table): Table
         return $table
             ->heading('Recent Operations')
             ->query($this->getQuery())
-            ->poll(fn (): ?string => ($tenant instanceof Tenant) && ActiveRuns::existForTenant($tenant) ? '10s' : null)
+            ->poll(fn (): ?string => ActiveRuns::pollingIntervalForTenant($tenant instanceof Tenant ? $tenant : null))
             ->defaultSort('created_at', 'desc')
             ->paginated(\App\Support\Filament\TablePaginationProfiles::widget())
             ->columns([
@@ -43,22 +43,52 @@ public function table(Table $table): Table
                     ->sortable()
                     ->formatStateUsing(fn (?string $state): string => OperationCatalog::label((string) $state))
                     ->limit(40)
+                    ->description(fn (OperationRun $record): ?string => OperationUxPresenter::lifecycleAttentionSummary($record))
                     ->tooltip(fn (OperationRun $record): string => OperationCatalog::label((string) $record->type)),
                 TextColumn::make('status')
                     ->badge()
                     ->sortable()
                     ->toggleable(isToggledHiddenByDefault: true)
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunStatus))
+                    ->formatStateUsing(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
-                    ->color(BadgeRenderer::color(BadgeDomain::OperationRunStatus))
+                        'status' => (string) $record->status,
-                    ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunStatus))
+                        'freshness_state' => $record->freshnessState()->value,
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunStatus)),
+                    ])->label)
+                    ->color(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->color)
+                    ->icon(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->icon)
+                    ->iconColor(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunStatus, [
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->iconColor)
+                    ->description(null),
                 TextColumn::make('outcome')
                     ->badge()
                     ->sortable()
-                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::OperationRunOutcome))
+                    ->formatStateUsing(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, [
-                    ->color(BadgeRenderer::color(BadgeDomain::OperationRunOutcome))
+                        'outcome' => (string) $record->outcome,
-                    ->icon(BadgeRenderer::icon(BadgeDomain::OperationRunOutcome))
+                        'status' => (string) $record->status,
-                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::OperationRunOutcome))
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->label)
+                    ->color(fn (mixed $state, OperationRun $record): string => BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, [
+                        'outcome' => (string) $record->outcome,
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->color)
+                    ->icon(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, [
+                        'outcome' => (string) $record->outcome,
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->icon)
+                    ->iconColor(fn (mixed $state, OperationRun $record): ?string => BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, [
+                        'outcome' => (string) $record->outcome,
+                        'status' => (string) $record->status,
+                        'freshness_state' => $record->freshnessState()->value,
+                    ])->iconColor)
                     ->description(fn (OperationRun $record): ?string => OperationUxPresenter::surfaceGuidance($record)),
                 TextColumn::make('created_at')
                     ->label('Started')

app/Filament/Widgets/Inventory/InventoryKpiHeader.php

@@ -5,16 +5,16 @@
 namespace App\Filament\Widgets\Inventory;
 
 use App\Filament\Concerns\ResolvesPanelTenantContext;
-use App\Models\InventoryItem;
 use App\Models\OperationRun;
 use App\Models\Tenant;
-use App\Services\Inventory\CoverageCapabilitiesResolver;
+use App\Models\User;
+use App\Support\Auth\Capabilities;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
 use App\Support\Inventory\InventoryKpiBadges;
-use App\Support\Inventory\InventoryPolicyTypeMeta;
+use App\Support\Inventory\TenantCoverageTruth;
-use App\Support\OperationRunOutcome;
+use App\Support\Inventory\TenantCoverageTruthResolver;
-use App\Support\OperationRunStatus;
+use App\Support\OperationRunLinks;
 use Filament\Widgets\StatsOverviewWidget;
 use Filament\Widgets\StatsOverviewWidget\Stat;
 use Illuminate\Support\Facades\Blade;
@@ -28,12 +28,9 @@ class InventoryKpiHeader extends StatsOverviewWidget
 
     protected int|string|array $columnSpan = 'full';
 
+    protected ?string $pollingInterval = null;
+
     /**
-     * Inventory KPI aggregation source-of-truth:
-     * - `inventory_items.policy_type`
-     * - `config('tenantpilot.supported_policy_types')` + `config('tenantpilot.foundation_types')` meta (`restore`, `risk`)
-     * - dependency capability via `CoverageCapabilitiesResolver`
-     *
      * @return array<Stat>
      */
     protected function getStats(): array
@@ -43,126 +40,85 @@ protected function getStats(): array
         if (! $tenant instanceof Tenant) {
             return [
                 Stat::make('Total items', 0),
-                Stat::make('Coverage', '0%')->description('Select a tenant to load coverage.'),
+                Stat::make('Covered types', '—')->description('Select a tenant to load coverage truth.'),
-                Stat::make('Last inventory sync', '—')->description('Select a tenant to see the latest sync.'),
+                Stat::make('Need follow-up', '—')->description('Select a tenant to review follow-up types.'),
+                Stat::make('Coverage basis', '—')->description('Select a tenant to see the latest coverage basis.'),
                 Stat::make('Active ops', 0),
-                Stat::make('Inventory ops', 0)->description('Select a tenant to load dependency and risk counts.'),
             ];
         }
 
-        $tenantId = (int) $tenant->getKey();
+        $truth = app(TenantCoverageTruthResolver::class)->resolve($tenant);
-
-        /** @var array<string, int> $countsByPolicyType */
-        $countsByPolicyType = InventoryItem::query()
-            ->where('tenant_id', $tenantId)
-            ->selectRaw('policy_type, COUNT(*) as aggregate')
-            ->groupBy('policy_type')
-            ->pluck('aggregate', 'policy_type')
-            ->map(fn ($value): int => (int) $value)
-            ->all();
-
-        $totalItems = array_sum($countsByPolicyType);
-
-        $restorableItems = 0;
-        $partialItems = 0;
-        $riskItems = 0;
-
-        foreach ($countsByPolicyType as $policyType => $count) {
-            if (InventoryPolicyTypeMeta::isRestorable($policyType)) {
-                $restorableItems += $count;
-            } elseif (InventoryPolicyTypeMeta::isPartial($policyType)) {
-                $partialItems += $count;
-            }
-
-            if (InventoryPolicyTypeMeta::isHighRisk($policyType)) {
-                $riskItems += $count;
-            }
-        }
-
-        $coveragePercent = $totalItems > 0
-            ? (int) round(($restorableItems / $totalItems) * 100)
-            : 0;
-
-        $lastRun = OperationRun::query()
-            ->where('tenant_id', $tenantId)
-            ->where('type', 'inventory_sync')
-            ->where('status', OperationRunStatus::Completed->value)
-            ->whereNotNull('completed_at')
-            ->latest('completed_at')
-            ->latest('id')
-            ->first();
-
-        $lastInventorySyncTimeLabel = '—';
-        $lastInventorySyncStatusLabel = '—';
-        $lastInventorySyncStatusColor = 'gray';
-        $lastInventorySyncStatusIcon = 'heroicon-m-clock';
-        $lastInventorySyncViewUrl = null;
-
-        if ($lastRun instanceof OperationRun) {
-            $timestamp = $lastRun->completed_at ?? $lastRun->started_at ?? $lastRun->created_at;
-
-            if ($timestamp) {
-                $lastInventorySyncTimeLabel = $timestamp->diffForHumans(['short' => true]);
-            }
-
-            $outcome = (string) ($lastRun->outcome ?? OperationRunOutcome::Pending->value);
-            $badge = BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, $outcome);
-            $lastInventorySyncStatusLabel = $badge->label;
-            $lastInventorySyncStatusColor = $badge->color;
-            $lastInventorySyncStatusIcon = (string) ($badge->icon ?? 'heroicon-m-clock');
-
-            $lastInventorySyncViewUrl = route('admin.operations.view', ['run' => (int) $lastRun->getKey()]);
-        }
-
-        $badgeColor = $lastInventorySyncStatusColor;
-
-        $lastInventorySyncDescription = Blade::render(<<<'BLADE'
-            <div class="flex items-center gap-2">
-                <x-filament::badge :color="$badgeColor" size="sm">
-                    {{ $statusLabel }}
-                </x-filament::badge>
-
-                @if ($viewUrl)
-                    <x-filament::link :href="$viewUrl" size="sm">
-                        Open operation
-                    </x-filament::link>
-                @endif
-            </div>
-            BLADE, [
-            'badgeColor' => $badgeColor,
-            'statusLabel' => $lastInventorySyncStatusLabel,
-            'viewUrl' => $lastInventorySyncViewUrl,
-        ]);
 
         $activeOps = (int) OperationRun::query()
-            ->where('tenant_id', $tenantId)
+            ->where('tenant_id', (int) $tenant->getKey())
             ->active()
             ->count();
 
         $inventoryOps = (int) OperationRun::query()
-            ->where('tenant_id', $tenantId)
+            ->where('tenant_id', (int) $tenant->getKey())
             ->where('type', 'inventory_sync')
             ->active()
             ->count();
 
-        $resolver = app(CoverageCapabilitiesResolver::class);
-
-        $dependenciesItems = 0;
-        foreach ($countsByPolicyType as $policyType => $count) {
-            if ($policyType !== '' && $resolver->supportsDependencies($policyType)) {
-                $dependenciesItems += $count;
-            }
-        }
-
         return [
-            Stat::make('Total items', $totalItems),
+            Stat::make('Total items', $truth->observedItemTotal)
-            Stat::make('Coverage', $coveragePercent.'%')
+                ->description(sprintf('Observed across %d supported types.', $truth->observedTypeCount())),
-                ->description(new HtmlString(InventoryKpiBadges::coverage($restorableItems, $partialItems))),
+            Stat::make('Covered types', sprintf('%d / %d', $truth->succeededTypeCount, $truth->supportedTypeCount))
-            Stat::make('Last inventory sync', $lastInventorySyncTimeLabel)
+                ->description(new HtmlString(InventoryKpiBadges::coverageBreakdown(
-                ->description(new HtmlString($lastInventorySyncDescription)),
+                    $truth->failedTypeCount,
-            Stat::make('Active ops', $activeOps),
+                    $truth->skippedTypeCount,
-            Stat::make('Inventory ops', $inventoryOps)
+                    $truth->unknownTypeCount,
-                ->description(new HtmlString(InventoryKpiBadges::inventoryOps($dependenciesItems, $riskItems))),
+                ))),
+            Stat::make('Need follow-up', $truth->followUpTypeCount)
+                ->description(new HtmlString(InventoryKpiBadges::followUpSummary(
+                    $truth->topPriorityFollowUpRow(),
+                    $truth->observedItemTotal,
+                    $truth->observedTypeCount(),
+                ))),
+            $this->coverageBasisStat($truth, $tenant),
+            Stat::make('Active ops', $activeOps)
+                ->description($inventoryOps > 0 ? 'A tenant inventory sync is queued or running.' : 'No inventory sync is currently active.'),
         ];
     }
+
+    private function coverageBasisStat(TenantCoverageTruth $truth, Tenant $tenant): Stat
+    {
+        $user = auth()->user();
+
+        if (! $truth->basisRun instanceof OperationRun) {
+            return Stat::make('Coverage basis', 'No current result')
+                ->description($user instanceof User && $user->can(Capabilities::TENANT_INVENTORY_SYNC_RUN, $tenant)
+                    ? 'Run Inventory Sync from Inventory Items to establish current coverage truth.'
+                    : 'A tenant operator with inventory sync permission must establish current coverage truth.');
+        }
+
+        $outcomeBadge = BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, (string) $truth->basisRun->outcome);
+        $canViewRun = $user instanceof User && $user->can('view', $truth->basisRun);
+
+        $description = Blade::render(<<<'BLADE'
+            <div class="flex flex-wrap items-center gap-2">
+                <x-filament::badge :color="$badgeColor" size="sm">
+                    {{ $statusLabel }}
+                </x-filament::badge>
+
+                @if ($canViewRun && $viewUrl)
+                    <x-filament::link :href="$viewUrl" size="sm">
+                        Open basis run
+                    </x-filament::link>
+                @else
+                    <span class="text-xs text-gray-600 dark:text-gray-300">
+                        Latest run detail is not available with your current role.
+                    </span>
+                @endif
+            </div>
+            BLADE, [
+            'badgeColor' => $outcomeBadge->color,
+            'statusLabel' => $outcomeBadge->label,
+            'canViewRun' => $canViewRun,
+            'viewUrl' => $canViewRun ? OperationRunLinks::view($truth->basisRun, $tenant) : null,
+        ]);
+
+        return Stat::make('Coverage basis', $truth->basisCompletedAtLabel() ?? 'Completed')
+            ->description(new HtmlString($description));
+    }
 }

app/Filament/Widgets/Tenant/RecentOperationsSummary.php

@@ -58,6 +58,8 @@ protected function getViewData(): array
                 'type',
                 'status',
                 'outcome',
+                'context',
+                'failure_summary',
                 'created_at',
                 'started_at',
                 'completed_at',

app/Filament/Widgets/Tenant/TenantVerificationReport.php

@@ -201,7 +201,7 @@ protected function getViewData(): array
             && $user->can(Capabilities::PROVIDER_RUN, $tenant);
 
         $lifecycleNotice = $isTenantMember && ! $canOperate
-            ? 'Verification can be started from tenant management only while the tenant is active.'
+            ? 'Verification can be started from tenant management only while the tenant is active. Consent and connection configuration remain separate from this stored verification report.'
             : null;
 
         $runData = null;

app/Filament/Widgets/Workspace/WorkspaceNeedsAttention.php

@@ -16,11 +16,21 @@ class WorkspaceNeedsAttention extends Widget
 
     /**
      * @var array<int, array{
+     *     key: string,
+     *     tenant_id: int,
+     *     tenant_label: string,
+     *     tenant_route_key: string,
+     *     family: string,
+     *     urgency: string,
      *     title: string,
      *     body: string,
-     *     url: string,
+     *     supporting_message: ?string,
      *     badge: string,
-     *     badge_color: string
+     *     badge_color: string,
+     *     destination: array<string, mixed>,
+     *     action_disabled: bool,
+     *     helper_text: ?string,
+     *     url: ?string
      * }>
      */
     public array $items = [];
@@ -37,11 +47,21 @@ class WorkspaceNeedsAttention extends Widget
 
     /**
      * @param  array<int, array{
+     *     key: string,
+     *     tenant_id: int,
+     *     tenant_label: string,
+     *     tenant_route_key: string,
+     *     family: string,
+     *     urgency: string,
      *     title: string,
      *     body: string,
-     *     url: string,
+     *     supporting_message: ?string,
      *     badge: string,
-     *     badge_color: string
+     *     badge_color: string,
+     *     destination: array<string, mixed>,
+     *     action_disabled: bool,
+     *     helper_text: ?string,
+     *     url: ?string
      * }>  $items
      * @param  array{
      *     title: string,

app/Filament/Widgets/Workspace/WorkspaceRecentOperations.php

@@ -23,8 +23,10 @@ class WorkspaceRecentOperations extends Widget
      *     status_color: string,
      *     outcome_label: string,
      *     outcome_color: string,
+     *     lifecycle_label: ?string,
      *     guidance: ?string,
      *     started_at: string,
+     *     destination: array<string, mixed>,
      *     url: string
      * }>
      */
@@ -49,8 +51,10 @@ class WorkspaceRecentOperations extends Widget
      *     status_color: string,
      *     outcome_label: string,
      *     outcome_color: string,
+     *     lifecycle_label: ?string,
      *     guidance: ?string,
      *     started_at: string,
+     *     destination: array<string, mixed>,
      *     url: string
      * }>  $operations
      * @param  array{

app/Filament/Widgets/Workspace/WorkspaceSummaryStats.php

@@ -20,9 +20,11 @@ class WorkspaceSummaryStats extends StatsOverviewWidget
      *     key: string,
      *     label: string,
      *     value: int,
+     *     category: string,
      *     description: string,
+     *     destination: ?array<string, mixed>,
      *     destination_url: ?string,
-     *     color: string
+     *     color: string,
      * }>
      */
     public array $metrics = [];
@@ -32,9 +34,11 @@ class WorkspaceSummaryStats extends StatsOverviewWidget
      *     key: string,
      *     label: string,
      *     value: int,
+     *     category: string,
      *     description: string,
+     *     destination: ?array<string, mixed>,
      *     destination_url: ?string,
-     *     color: string
+     *     color: string,
      * }>  $metrics
      */
     public function mount(array $metrics = []): void
@@ -53,8 +57,13 @@ protected function getStats(): array
                     ->description($metric['description'])
                     ->color($metric['color']);
 
-                if ($metric['destination_url'] !== null) {
+                $destination = $metric['destination'] ?? null;
-                    $stat->url($metric['destination_url']);
+                $destinationUrl = is_array($destination) && ($destination['disabled'] ?? false) === false
+                    ? ($destination['url'] ?? null)
+                    : ($metric['destination_url'] ?? null);
+
+                if (is_string($destinationUrl) && $destinationUrl !== '') {
+                    $stat->url($destinationUrl);
                 }
 
                 return $stat;

app/Jobs/RunInventorySyncJob.php

@@ -103,11 +103,15 @@ public function handle(InventorySyncService $inventorySyncService, AuditLogger $
             $this->operationRun,
             $tenant,
             $context,
-            function (string $policyType, bool $success, ?string $errorCode) use (&$processedPolicyTypes, &$coverageStatusByType, &$successCount, &$failedCount): void {
+            function (string $policyType, bool $success, ?string $errorCode, int $itemCount) use (&$processedPolicyTypes, &$coverageStatusByType, &$successCount, &$failedCount): void {
                 $processedPolicyTypes[] = $policyType;
-                $coverageStatusByType[$policyType] = $success
+                $coverageStatusByType[$policyType] = array_filter([
-                    ? InventoryCoverage::StatusSucceeded
+                    'status' => $success
-                    : InventoryCoverage::StatusFailed;
+                        ? InventoryCoverage::StatusSucceeded
+                        : InventoryCoverage::StatusFailed,
+                    'item_count' => $itemCount,
+                    'error_code' => $success ? null : $errorCode,
+                ], static fn (mixed $value): bool => $value !== null);
 
                 if ($success) {
                     $successCount++;
@@ -126,7 +130,10 @@ function (string $policyType, bool $success, ?string $errorCode) use (&$processe
                 continue;
             }
 
-            $statusByType[$type] = InventoryCoverage::StatusSkipped;
+            $statusByType[$type] = [
+                'status' => InventoryCoverage::StatusSkipped,
+                'item_count' => 0,
+            ];
         }
 
         foreach ($coverageStatusByType as $type => $status) {
@@ -138,8 +145,16 @@ function (string $policyType, bool $success, ?string $errorCode) use (&$processe
         }
 
         if ((string) ($result['status'] ?? '') === 'skipped') {
+            $skippedErrorCode = is_string($result['error_codes'][0] ?? null)
+                ? (string) $result['error_codes'][0]
+                : null;
+
             foreach ($statusByType as $type => $status) {
-                $statusByType[$type] = InventoryCoverage::StatusSkipped;
+                $statusByType[$type] = array_filter([
+                    'status' => InventoryCoverage::StatusSkipped,
+                    'item_count' => 0,
+                    'error_code' => $skippedErrorCode,
+                ], static fn (mixed $value): bool => $value !== null);
             }
         }
 

app/Livewire/BulkOperationProgress.php

@@ -4,6 +4,7 @@
 
 use App\Models\OperationRun;
 use App\Models\Tenant;
+use App\Support\OpsUx\ActiveRuns;
 use App\Support\OpsUx\OpsUxBrowserEvents;
 use Filament\Facades\Filament;
 use Illuminate\Support\Collection;
@@ -85,13 +86,13 @@ public function refreshRuns(): void
 
         $query = OperationRun::query()
             ->where('tenant_id', $tenantId)
-            ->active()
+            ->healthyActive()
             ->orderByDesc('created_at');
 
         $activeCount = (clone $query)->count();
         $this->runs = (clone $query)->limit(6)->get();
         $this->overflowCount = max(0, $activeCount - 5);
-        $this->hasActiveRuns = $this->runs->isNotEmpty();
+        $this->hasActiveRuns = ActiveRuns::existForTenantId($tenantId);
     }
 
     public function render(): \Illuminate\Contracts\View\View

app/Models/OperationRun.php

@@ -2,6 +2,7 @@
 
 namespace App\Models;
 
+use App\Support\Inventory\InventoryCoverage;
 use App\Support\OperationCatalog;
 use App\Support\OperationRunOutcome;
 use App\Support\OperationRunStatus;
@@ -17,6 +18,12 @@ class OperationRun extends Model
 {
     use HasFactory;
 
+    public const string PROBLEM_CLASS_NONE = 'none';
+
+    public const string PROBLEM_CLASS_ACTIVE_STALE_ATTENTION = 'active_stale_attention';
+
+    public const string PROBLEM_CLASS_TERMINAL_FOLLOW_UP = 'terminal_follow_up';
+
     protected $guarded = [];
 
     protected $casts = [
@@ -178,20 +185,34 @@ public function scopeDashboardNeedsFollowUp(Builder $query): Builder
         return $query->where(function (Builder $query): void {
             $query
                 ->where(function (Builder $terminalQuery): void {
-                    $terminalQuery
+                    $terminalQuery->terminalFollowUp();
-                        ->where('status', OperationRunStatus::Completed->value)
-                        ->whereIn('outcome', [
-                            OperationRunOutcome::Blocked->value,
-                            OperationRunOutcome::PartiallySucceeded->value,
-                            OperationRunOutcome::Failed->value,
-                        ]);
                 })
                 ->orWhere(function (Builder $activeQuery): void {
-                    $activeQuery->likelyStale();
+                    $activeQuery->activeStaleAttention();
                 });
         });
     }
 
+    public function scopeActiveStaleAttention(Builder $query, ?OperationLifecyclePolicy $policy = null): Builder
+    {
+        return $query->likelyStale($policy);
+    }
+
+    public function scopeTerminalFollowUp(Builder $query): Builder
+    {
+        return $query
+            ->where('status', OperationRunStatus::Completed->value)
+            ->where(function (Builder $query): void {
+                $query
+                    ->whereIn('outcome', [
+                        OperationRunOutcome::Blocked->value,
+                        OperationRunOutcome::PartiallySucceeded->value,
+                        OperationRunOutcome::Failed->value,
+                    ])
+                    ->orWhereNotNull('context->reconciliation->reconciled_at');
+            });
+    }
+
     public function getSelectionHashAttribute(): ?string
     {
         $context = is_array($this->context) ? $this->context : [];
@@ -253,11 +274,33 @@ public function setFinishedAtAttribute(mixed $value): void
         $this->completed_at = $value;
     }
 
+    public function inventoryCoverage(): ?InventoryCoverage
+    {
+        return InventoryCoverage::fromContext($this->context);
+    }
+
     public function isGovernanceArtifactOperation(): bool
     {
         return OperationCatalog::isGovernanceArtifactOperation((string) $this->type);
     }
 
+    public static function latestCompletedCoverageBearingInventorySyncForTenant(int $tenantId): ?self
+    {
+        if ($tenantId <= 0) {
+            return null;
+        }
+
+        return static::query()
+            ->where('tenant_id', $tenantId)
+            ->where('type', 'inventory_sync')
+            ->where('status', OperationRunStatus::Completed->value)
+            ->whereNotNull('completed_at')
+            ->latest('completed_at')
+            ->latest('id')
+            ->cursor()
+            ->first(static fn (self $run): bool => $run->inventoryCoverage() instanceof InventoryCoverage);
+    }
+
     public function supportsOperatorExplanation(): bool
     {
         return OperationCatalog::supportsOperatorExplanation((string) $this->type);
@@ -317,17 +360,64 @@ public function freshnessState(): OperationRunFreshnessState
         return OperationRunFreshnessState::forRun($this);
     }
 
-    public function requiresDashboardFollowUp(): bool
+    /**
+     * @return list<string>
+     */
+    public static function problemClasses(): array
     {
+        return [
+            self::PROBLEM_CLASS_NONE,
+            self::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION,
+            self::PROBLEM_CLASS_TERMINAL_FOLLOW_UP,
+        ];
+    }
+
+    public function problemClass(): string
+    {
+        $freshnessState = $this->freshnessState();
+
+        if ($freshnessState->isLikelyStale()) {
+            return self::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION;
+        }
+
+        if ($freshnessState->isReconciledFailed()) {
+            return self::PROBLEM_CLASS_TERMINAL_FOLLOW_UP;
+        }
+
         if ((string) $this->status === OperationRunStatus::Completed->value) {
             return in_array((string) $this->outcome, [
                 OperationRunOutcome::Blocked->value,
                 OperationRunOutcome::PartiallySucceeded->value,
                 OperationRunOutcome::Failed->value,
-            ], true);
+            ], true)
+                ? self::PROBLEM_CLASS_TERMINAL_FOLLOW_UP
+                : self::PROBLEM_CLASS_NONE;
         }
 
-        return $this->freshnessState()->isLikelyStale();
+        return self::PROBLEM_CLASS_NONE;
+    }
+
+    public function hasStaleLineage(): bool
+    {
+        return $this->freshnessState()->isReconciledFailed();
+    }
+
+    public function isCurrentlyActive(): bool
+    {
+        return in_array((string) $this->status, [
+            OperationRunStatus::Queued->value,
+            OperationRunStatus::Running->value,
+        ], true);
+    }
+
+    public function requiresOperatorReview(): bool
+    {
+        return $this->problemClass() !== self::PROBLEM_CLASS_NONE;
+    }
+
+    public function requiresDashboardFollowUp(): bool
+    {
+        return $this->requiresOperatorReview();
     }
 
     /**

app/Models/RestoreRun.php

@@ -156,4 +156,46 @@ public function getSkippedAssignmentsCount(): int
             static fn (mixed $outcome): bool => is_array($outcome) && ($outcome['status'] ?? null) === 'skipped'
         ));
     }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function scopeBasis(): array
+    {
+        $metadata = is_array($this->metadata) ? $this->metadata : [];
+
+        return is_array($metadata['scope_basis'] ?? null) ? $metadata['scope_basis'] : [];
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function checkBasis(): array
+    {
+        $metadata = is_array($this->metadata) ? $this->metadata : [];
+
+        return is_array($metadata['check_basis'] ?? null) ? $metadata['check_basis'] : [];
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function previewBasis(): array
+    {
+        $metadata = is_array($this->metadata) ? $this->metadata : [];
+
+        return is_array($metadata['preview_basis'] ?? null) ? $metadata['preview_basis'] : [];
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function executionSafetySnapshot(): array
+    {
+        $metadata = is_array($this->metadata) ? $this->metadata : [];
+
+        return is_array($metadata['execution_safety_snapshot'] ?? null)
+            ? $metadata['execution_safety_snapshot']
+            : [];
+    }
 }

app/Services/Inventory/InventorySyncService.php

@@ -82,17 +82,24 @@ public function syncNow(Tenant $tenant, array $selectionPayload): OperationRun
                 continue;
             }
 
-            $statusByType[$type] = InventoryCoverage::StatusSkipped;
+            $statusByType[$type] = [
+                'status' => InventoryCoverage::StatusSkipped,
+                'item_count' => 0,
+            ];
         }
 
         $result = $this->executeSelection(
             $operationRun,
             $tenant,
             $normalizedSelection,
-            function (string $policyType, bool $success, ?string $errorCode) use (&$statusByType): void {
+            function (string $policyType, bool $success, ?string $errorCode, int $itemCount) use (&$statusByType): void {
-                $statusByType[$policyType] = $success
+                $statusByType[$policyType] = array_filter([
-                    ? InventoryCoverage::StatusSucceeded
+                    'status' => $success
-                    : InventoryCoverage::StatusFailed;
+                        ? InventoryCoverage::StatusSucceeded
+                        : InventoryCoverage::StatusFailed,
+                    'item_count' => $itemCount,
+                    'error_code' => $success ? null : $errorCode,
+                ], static fn (mixed $value): bool => $value !== null);
             },
         );
 
@@ -126,10 +133,15 @@ function (string $policyType, bool $success, ?string $errorCode) use (&$statusBy
         $updatedContext = is_array($operationRun->context) ? $operationRun->context : [];
 
         $coverageStatusByType = $statusByType;
+        $skippedErrorCode = is_string($errorCodes[0] ?? null) ? (string) $errorCodes[0] : null;
 
         if ($status === 'skipped') {
             foreach ($coverageStatusByType as $type => $coverageStatus) {
-                $coverageStatusByType[$type] = InventoryCoverage::StatusSkipped;
+                $coverageStatusByType[$type] = array_filter([
+                    'status' => InventoryCoverage::StatusSkipped,
+                    'item_count' => 0,
+                    'error_code' => $skippedErrorCode,
+                ], static fn (mixed $value): bool => $value !== null);
             }
         }
 
@@ -176,7 +188,7 @@ function (string $policyType, bool $success, ?string $errorCode) use (&$statusBy
      * This method MUST NOT create or update legacy sync-run rows; OperationRun is canonical.
      *
      * @param  array<string, mixed>  $selectionPayload
-     * @param  null|callable(string $policyType, bool $success, ?string $errorCode): void  $onPolicyTypeProcessed
+     * @param  null|callable(string $policyType, bool $success, ?string $errorCode, int $itemCount): void  $onPolicyTypeProcessed
      * @return array{status: string, had_errors: bool, error_codes: list<string>, error_context: array<string, mixed>|null, items_observed_count: int, items_upserted_count: int, errors_count: int}
      */
     public function executeSelection(OperationRun $operationRun, Tenant $tenant, array $selectionPayload, ?callable $onPolicyTypeProcessed = null): array
@@ -245,7 +257,7 @@ public function normalizeAndHashSelection(array $selectionPayload): array
 
     /**
      * @param  array{policy_types: list<string>, categories: list<string>, include_foundations: bool, include_dependencies: bool}  $normalizedSelection
-     * @param  null|callable(string $policyType, bool $success, ?string $errorCode): void  $onPolicyTypeProcessed
+     * @param  null|callable(string $policyType, bool $success, ?string $errorCode, int $itemCount): void  $onPolicyTypeProcessed
      * @return array{status: string, had_errors: bool, error_codes: list<string>, error_context: array<string, mixed>|null, items_observed_count: int, items_upserted_count: int, errors_count: int}
      */
     private function executeSelectionUnderLock(OperationRun $operationRun, Tenant $tenant, array $normalizedSelection, ?callable $onPolicyTypeProcessed = null): array
@@ -256,6 +268,7 @@ private function executeSelectionUnderLock(OperationRun $operationRun, Tenant $t
         $errorCodes = [];
         $hadErrors = false;
         $warnings = [];
+        $observedByType = [];
 
         try {
             $connection = $this->resolveProviderConnection($tenant);
@@ -277,7 +290,7 @@ private function executeSelectionUnderLock(OperationRun $operationRun, Tenant $t
                     $hadErrors = true;
                     $errors++;
                     $errorCodes[] = 'unsupported_type';
-                    $onPolicyTypeProcessed && $onPolicyTypeProcessed($policyType, false, 'unsupported_type');
+                    $onPolicyTypeProcessed && $onPolicyTypeProcessed($policyType, false, 'unsupported_type', 0);
 
                     continue;
                 }
@@ -293,7 +306,7 @@ private function executeSelectionUnderLock(OperationRun $operationRun, Tenant $t
                     $errors++;
                     $errorCode = $this->mapGraphFailureToErrorCode($response);
                     $errorCodes[] = $errorCode;
-                    $onPolicyTypeProcessed && $onPolicyTypeProcessed($policyType, false, $errorCode);
+                    $onPolicyTypeProcessed && $onPolicyTypeProcessed($policyType, false, $errorCode, 0);
 
                     continue;
                 }
@@ -313,6 +326,7 @@ private function executeSelectionUnderLock(OperationRun $operationRun, Tenant $t
                     }
 
                     $observed++;
+                    $observedByType[$policyType] = (int) ($observedByType[$policyType] ?? 0) + 1;
 
                     $includeDeps = (bool) ($normalizedSelection['include_dependencies'] ?? true);
 
@@ -384,7 +398,12 @@ private function executeSelectionUnderLock(OperationRun $operationRun, Tenant $t
                     }
                 }
 
-                $onPolicyTypeProcessed && $onPolicyTypeProcessed($policyType, true, null);
+                $onPolicyTypeProcessed && $onPolicyTypeProcessed(
+                    $policyType,
+                    true,
+                    null,
+                    (int) ($observedByType[$policyType] ?? 0),
+                );
             }
 
             return [

app/Support/Badges/BadgeCatalog.php

@@ -27,6 +27,7 @@ final class BadgeCatalog
         BadgeDomain::BaselineSnapshotGapStatus->value => Domains\BaselineSnapshotGapStatusBadge::class,
         BadgeDomain::OperationRunStatus->value => Domains\OperationRunStatusBadge::class,
         BadgeDomain::OperationRunOutcome->value => Domains\OperationRunOutcomeBadge::class,
+        BadgeDomain::InventoryCoverageState->value => Domains\InventoryCoverageStateBadge::class,
         BadgeDomain::BackupSetStatus->value => Domains\BackupSetStatusBadge::class,
         BadgeDomain::RestoreRunStatus->value => Domains\RestoreRunStatusBadge::class,
         BadgeDomain::RestoreCheckSeverity->value => Domains\RestoreCheckSeverityBadge::class,
@@ -46,6 +47,8 @@ final class BadgeCatalog
         BadgeDomain::IgnoredAt->value => Domains\IgnoredAtBadge::class,
         BadgeDomain::RestorePreviewDecision->value => Domains\RestorePreviewDecisionBadge::class,
         BadgeDomain::RestoreResultStatus->value => Domains\RestoreResultStatusBadge::class,
+        BadgeDomain::ProviderConsentStatus->value => Domains\ProviderConsentStatusBadge::class,
+        BadgeDomain::ProviderVerificationStatus->value => Domains\ProviderVerificationStatusBadge::class,
         BadgeDomain::ProviderConnectionStatus->value => Domains\ProviderConnectionStatusBadge::class,
         BadgeDomain::ProviderConnectionHealth->value => Domains\ProviderConnectionHealthBadge::class,
         BadgeDomain::ManagedTenantOnboardingVerificationStatus->value => Domains\ManagedTenantOnboardingVerificationStatusBadge::class,
@@ -166,6 +169,32 @@ public static function normalizeProviderConnectionStatus(mixed $value): ?string
         };
     }
 
+    public static function normalizeProviderConsentStatus(mixed $value): ?string
+    {
+        $state = self::normalizeState($value);
+
+        return match ($state) {
+            'needs_admin_consent', 'needs_consent', 'consent_required' => 'required',
+            'connected' => 'granted',
+            'error' => 'failed',
+            default => $state,
+        };
+    }
+
+    public static function normalizeProviderVerificationStatus(mixed $value): ?string
+    {
+        $state = self::normalizeState($value);
+
+        return match ($state) {
+            'not_started', 'never_checked' => 'unknown',
+            'in_progress' => 'pending',
+            'ok' => 'healthy',
+            'warning', 'needs_attention' => 'degraded',
+            'failed' => 'error',
+            default => $state,
+        };
+    }
+
     public static function normalizeProviderConnectionHealth(mixed $value): ?string
     {
         $state = self::normalizeState($value);

app/Support/Badges/BadgeDomain.php

@@ -18,6 +18,7 @@ enum BadgeDomain: string
     case BaselineSnapshotGapStatus = 'baseline_snapshot_gap_status';
     case OperationRunStatus = 'operation_run_status';
     case OperationRunOutcome = 'operation_run_outcome';
+    case InventoryCoverageState = 'inventory_coverage_state';
     case BackupSetStatus = 'backup_set_status';
     case RestoreRunStatus = 'restore_run_status';
     case RestoreCheckSeverity = 'restore_check_severity';
@@ -37,6 +38,8 @@ enum BadgeDomain: string
     case IgnoredAt = 'ignored_at';
     case RestorePreviewDecision = 'restore_preview_decision';
     case RestoreResultStatus = 'restore_result_status';
+    case ProviderConsentStatus = 'provider_connection.consent_status';
+    case ProviderVerificationStatus = 'provider_connection.verification_status';
     case ProviderConnectionStatus = 'provider_connection.status';
     case ProviderConnectionHealth = 'provider_connection.health';
     case ManagedTenantOnboardingVerificationStatus = 'managed_tenant_onboarding.verification_status';

app/Support/Badges/Domains/InventoryCoverageStateBadge.php

@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\Badges\Domains;
+
+use App\Support\Badges\BadgeCatalog;
+use App\Support\Badges\BadgeMapper;
+use App\Support\Badges\BadgeSpec;
+
+final class InventoryCoverageStateBadge implements BadgeMapper
+{
+    public function spec(mixed $value): BadgeSpec
+    {
+        $state = BadgeCatalog::normalizeState($value);
+
+        return match ($state) {
+            'succeeded' => new BadgeSpec('Succeeded', 'success', 'heroicon-m-check-circle'),
+            'failed' => new BadgeSpec('Failed', 'danger', 'heroicon-m-x-circle'),
+            'skipped' => new BadgeSpec('Skipped', 'warning', 'heroicon-m-minus-circle'),
+            'unknown' => new BadgeSpec('Unknown', 'gray', 'heroicon-m-question-mark-circle'),
+            default => BadgeSpec::unknown(),
+        };
+    }
+}

app/Support/Badges/Domains/ProviderConsentStatusBadge.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace App\Support\Badges\Domains;
+
+use App\Support\Badges\BadgeCatalog;
+use App\Support\Badges\BadgeMapper;
+use App\Support\Badges\BadgeSpec;
+
+final class ProviderConsentStatusBadge implements BadgeMapper
+{
+    public function spec(mixed $value): BadgeSpec
+    {
+        $state = BadgeCatalog::normalizeProviderConsentStatus($value);
+
+        return match ($state) {
+            'required' => new BadgeSpec('Required', 'warning', 'heroicon-m-exclamation-triangle'),
+            'granted' => new BadgeSpec('Granted', 'success', 'heroicon-m-check-circle'),
+            'failed' => new BadgeSpec('Failed', 'danger', 'heroicon-m-x-circle'),
+            'revoked' => new BadgeSpec('Revoked', 'danger', 'heroicon-m-no-symbol'),
+            'unknown' => new BadgeSpec('Unknown', 'gray', 'heroicon-m-question-mark-circle'),
+            default => BadgeSpec::unknown(),
+        };
+    }
+}

app/Support/Badges/Domains/ProviderVerificationStatusBadge.php

@@ -0,0 +1,25 @@
+<?php
+
+namespace App\Support\Badges\Domains;
+
+use App\Support\Badges\BadgeCatalog;
+use App\Support\Badges\BadgeMapper;
+use App\Support\Badges\BadgeSpec;
+
+final class ProviderVerificationStatusBadge implements BadgeMapper
+{
+    public function spec(mixed $value): BadgeSpec
+    {
+        $state = BadgeCatalog::normalizeProviderVerificationStatus($value);
+
+        return match ($state) {
+            'pending' => new BadgeSpec('Pending', 'info', 'heroicon-m-clock'),
+            'healthy' => new BadgeSpec('Healthy', 'success', 'heroicon-m-check-circle'),
+            'degraded' => new BadgeSpec('Degraded', 'warning', 'heroicon-m-exclamation-triangle'),
+            'blocked' => new BadgeSpec('Blocked', 'danger', 'heroicon-m-no-symbol'),
+            'error' => new BadgeSpec('Error', 'danger', 'heroicon-m-x-circle'),
+            'unknown' => new BadgeSpec('Unknown', 'gray', 'heroicon-m-question-mark-circle'),
+            default => BadgeSpec::unknown(),
+        };
+    }
+}

app/Support/Badges/Domains/RestoreCheckSeverityBadge.php

@@ -18,6 +18,10 @@ public function spec(mixed $value): BadgeSpec
             'blocking' => OperatorOutcomeTaxonomy::spec(BadgeDomain::RestoreCheckSeverity, $state, 'heroicon-m-x-circle'),
             'warning' => OperatorOutcomeTaxonomy::spec(BadgeDomain::RestoreCheckSeverity, $state, 'heroicon-m-exclamation-triangle'),
             'safe' => OperatorOutcomeTaxonomy::spec(BadgeDomain::RestoreCheckSeverity, $state, 'heroicon-m-check-circle'),
+            'current' => new BadgeSpec('Current checks', 'success', 'heroicon-m-check-circle', 'success'),
+            'invalidated' => new BadgeSpec('Invalidated', 'warning', 'heroicon-m-arrow-path-rounded-square', 'warning'),
+            'stale' => new BadgeSpec('Legacy stale', 'gray', 'heroicon-m-clock', 'gray'),
+            'not_run' => new BadgeSpec('Not run', 'gray', 'heroicon-m-eye-slash', 'gray'),
             default => BadgeSpec::unknown(),
         } ?? BadgeSpec::unknown();
     }

app/Support/Badges/Domains/RestorePreviewDecisionBadge.php

@@ -18,8 +18,13 @@ public function spec(mixed $value): BadgeSpec
             'created' => OperatorOutcomeTaxonomy::spec(BadgeDomain::RestorePreviewDecision, $state, 'heroicon-m-plus-circle'),
             'created_copy' => OperatorOutcomeTaxonomy::spec(BadgeDomain::RestorePreviewDecision, $state, 'heroicon-m-document-duplicate'),
             'mapped_existing' => OperatorOutcomeTaxonomy::spec(BadgeDomain::RestorePreviewDecision, $state, 'heroicon-m-arrow-right-circle'),
+            'dry_run' => new BadgeSpec('Preview only', 'warning', 'heroicon-m-exclamation-triangle', 'warning'),
             'skipped' => OperatorOutcomeTaxonomy::spec(BadgeDomain::RestorePreviewDecision, $state, 'heroicon-m-minus-circle'),
             'failed' => OperatorOutcomeTaxonomy::spec(BadgeDomain::RestorePreviewDecision, $state, 'heroicon-m-x-circle'),
+            'current' => new BadgeSpec('Current basis', 'success', 'heroicon-m-check-circle', 'success'),
+            'invalidated' => new BadgeSpec('Invalidated', 'warning', 'heroicon-m-arrow-path-rounded-square', 'warning'),
+            'stale' => new BadgeSpec('Legacy stale', 'gray', 'heroicon-m-clock', 'gray'),
+            'not_generated' => new BadgeSpec('Not generated', 'gray', 'heroicon-m-eye-slash', 'gray'),
             default => BadgeSpec::unknown(),
         } ?? BadgeSpec::unknown();
     }

app/Support/Badges/Domains/RestoreResultStatusBadge.php

@@ -22,6 +22,9 @@ public function spec(mixed $value): BadgeSpec
             'partial' => OperatorOutcomeTaxonomy::spec(BadgeDomain::RestoreResultStatus, $state, 'heroicon-m-exclamation-triangle'),
             'manual_required' => OperatorOutcomeTaxonomy::spec(BadgeDomain::RestoreResultStatus, $state, 'heroicon-m-wrench-screwdriver'),
             'failed' => OperatorOutcomeTaxonomy::spec(BadgeDomain::RestoreResultStatus, $state, 'heroicon-m-x-circle'),
+            'not_executed' => new BadgeSpec('Not executed', 'gray', 'heroicon-m-eye', 'gray'),
+            'completed' => new BadgeSpec('Completed', 'success', 'heroicon-m-check-circle', 'success'),
+            'completed_with_follow_up' => new BadgeSpec('Follow-up required', 'warning', 'heroicon-m-exclamation-triangle', 'warning'),
             default => BadgeSpec::unknown(),
         } ?? BadgeSpec::unknown();
     }

app/Support/Inventory/InventoryCoverage.php

@@ -68,10 +68,56 @@ public function coveredTypes(): array
         return array_values(array_unique($covered));
     }
 
+    /**
+     * @return array<string, array{
+     *     segment: 'policy'|'foundation',
+     *     type: string,
+     *     status: string,
+     *     item_count?: int,
+     *     error_code?: string|null
+     * }>
+     */
+    public function rows(): array
+    {
+        $rows = [];
+
+        foreach ($this->policyTypes as $type => $meta) {
+            $rows[$type] = array_merge($meta, [
+                'segment' => 'policy',
+                'type' => $type,
+            ]);
+        }
+
+        foreach ($this->foundationTypes as $type => $meta) {
+            $rows[$type] = array_merge($meta, [
+                'segment' => 'foundation',
+                'type' => $type,
+            ]);
+        }
+
+        ksort($rows);
+
+        return $rows;
+    }
+
+    /**
+     * @return array{
+     *     segment: 'policy'|'foundation',
+     *     type: string,
+     *     status: string,
+     *     item_count?: int,
+     *     error_code?: string|null
+     * }|null
+     */
+    public function row(string $type): ?array
+    {
+        return $this->rows()[$type] ?? null;
+    }
+
     /**
      * Build the canonical `inventory.coverage.*` payload for OperationRun.context.
      *
-     * @param  array<string, string>  $statusByType
+     * @param  array<string, string|array{status: string, item_count?: int, error_code?: string|null}>  $statusByType
      * @param  list<string>  $foundationTypes
      * @return array{policy_types: array<string, array{status: string}>, foundation_types: array<string, array{status: string}>}
      */
@@ -88,14 +134,12 @@ public static function buildPayload(array $statusByType, array $foundationTypes)
                 continue;
             }
 
-            $normalizedStatus = self::normalizeStatus($status);
+            $row = self::normalizeBuildRow($status);
 
-            if ($normalizedStatus === null) {
+            if ($row === null) {
                 continue;
             }
 
-            $row = ['status' => $normalizedStatus];
-
             if (array_key_exists($type, $foundationLookup)) {
                 $foundations[$type] = $row;
 
@@ -114,6 +158,40 @@ public static function buildPayload(array $statusByType, array $foundationTypes)
         ];
     }
 
+    /**
+     * @return array{status: string, item_count?: int, error_code?: string|null}|null
+     */
+    private static function normalizeBuildRow(mixed $value): ?array
+    {
+        if (is_string($value)) {
+            $status = self::normalizeStatus($value);
+
+            return $status === null ? null : ['status' => $status];
+        }
+
+        if (! is_array($value)) {
+            return null;
+        }
+
+        $status = self::normalizeStatus($value['status'] ?? null);
+
+        if ($status === null) {
+            return null;
+        }
+
+        $row = ['status' => $status];
+
+        if (array_key_exists('item_count', $value) && is_int($value['item_count'])) {
+            $row['item_count'] = $value['item_count'];
+        }
+
+        if (array_key_exists('error_code', $value) && (is_string($value['error_code']) || $value['error_code'] === null)) {
+            $row['error_code'] = $value['error_code'];
+        }
+
+        return $row;
+    }
+
     private static function normalizeStatus(mixed $status): ?string
     {
         if (! is_string($status)) {

app/Support/Inventory/InventoryKpiBadges.php

@@ -8,39 +8,75 @@
 
 class InventoryKpiBadges
 {
-    public static function coverage(int $restorableCount, int $partialCount): string
+    public static function coverageBreakdown(int $failedCount, int $skippedCount, int $unknownCount): string
     {
-        return Blade::render(<<<'BLADE'
+        if ($failedCount === 0 && $skippedCount === 0 && $unknownCount === 0) {
-            <div class="flex items-center gap-2">
+            return Blade::render(<<<'BLADE'
-                <x-filament::badge color="success" size="sm">
+                <div class="flex items-center gap-2">
-                    Restorable {{ $restorableCount }}
+                    <x-filament::badge color="success" size="sm">
-                </x-filament::badge>
+                        No follow-up
+                    </x-filament::badge>
+                </div>
+                BLADE);
+        }
 
-                <x-filament::badge color="warning" size="sm">
+        return Blade::render(<<<'BLADE'
-                    Partial {{ $partialCount }}
+            <div class="flex flex-wrap items-center gap-2">
-                </x-filament::badge>
+                @if ($failedCount > 0)
+                    <x-filament::badge color="danger" size="sm">
+                        Failed {{ $failedCount }}
+                    </x-filament::badge>
+                @endif
+
+                @if ($skippedCount > 0)
+                    <x-filament::badge color="warning" size="sm">
+                        Skipped {{ $skippedCount }}
+                    </x-filament::badge>
+                @endif
+
+                @if ($unknownCount > 0)
+                    <x-filament::badge color="gray" size="sm">
+                        Unknown {{ $unknownCount }}
+                    </x-filament::badge>
+                @endif
             </div>
             BLADE, [
-            'restorableCount' => $restorableCount,
+            'failedCount' => $failedCount,
-            'partialCount' => $partialCount,
+            'skippedCount' => $skippedCount,
+            'unknownCount' => $unknownCount,
         ]);
     }
 
-    public static function inventoryOps(int $dependenciesCount, int $riskCount): string
+    public static function followUpSummary(?TenantCoverageTypeTruth $topPriorityRow, int $observedItemTotal, int $observedTypeCount): string
     {
+        if (! $topPriorityRow instanceof TenantCoverageTypeTruth) {
+            return Blade::render(<<<'BLADE'
+                <div class="flex items-center gap-2">
+                    <x-filament::badge color="success" size="sm">
+                        All covered
+                    </x-filament::badge>
+                </div>
+                BLADE);
+        }
+
         return Blade::render(<<<'BLADE'
-            <div class="flex items-center gap-2">
+            <div class="flex flex-wrap items-center gap-2">
                 <x-filament::badge color="gray" size="sm">
-                    Dependencies {{ $dependenciesCount }}
+                    {{ $topPriorityLabel }}
                 </x-filament::badge>
 
-                <x-filament::badge color="danger" size="sm">
+                <x-filament::badge color="info" size="sm">
-                    Risk {{ $riskCount }}
+                    Observed {{ $observedItemTotal }}
                 </x-filament::badge>
+
+                <span class="text-xs text-gray-600 dark:text-gray-300">
+                    {{ $observedTypeCount }} supported types currently observed
+                </span>
             </div>
             BLADE, [
-            'dependenciesCount' => $dependenciesCount,
+            'topPriorityLabel' => $topPriorityRow->label,
-            'riskCount' => $riskCount,
+            'observedItemTotal' => $observedItemTotal,
+            'observedTypeCount' => $observedTypeCount,
         ]);
     }
 }

app/Support/Inventory/TenantCoverageTruth.php

@@ -0,0 +1,136 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\Inventory;
+
+use App\Models\OperationRun;
+use InvalidArgumentException;
+
+final readonly class TenantCoverageTruth
+{
+    /**
+     * @param  list<TenantCoverageTypeTruth>  $rows
+     */
+    public function __construct(
+        public int $tenantId,
+        public ?OperationRun $basisRun,
+        public bool $hasCurrentCoverageResult,
+        public int $supportedTypeCount,
+        public int $succeededTypeCount,
+        public int $failedTypeCount,
+        public int $skippedTypeCount,
+        public int $unknownTypeCount,
+        public int $followUpTypeCount,
+        public int $observedItemTotal,
+        public array $rows,
+    ) {
+        if ($this->tenantId <= 0) {
+            throw new InvalidArgumentException('Tenant coverage truth requires a positive tenant id.');
+        }
+
+        if ($this->supportedTypeCount < 0 || $this->observedItemTotal < 0) {
+            throw new InvalidArgumentException('Tenant coverage truth counts must be zero or greater.');
+        }
+    }
+
+    public function basisRunId(): ?int
+    {
+        return $this->basisRun instanceof OperationRun
+            ? (int) $this->basisRun->getKey()
+            : null;
+    }
+
+    public function basisRunOutcome(): ?string
+    {
+        return $this->basisRun instanceof OperationRun
+            ? (string) $this->basisRun->outcome
+            : null;
+    }
+
+    public function basisCompletedAtLabel(): ?string
+    {
+        if (! $this->basisRun instanceof OperationRun) {
+            return null;
+        }
+
+        $timestamp = $this->basisRun->completed_at ?? $this->basisRun->started_at ?? $this->basisRun->created_at;
+
+        return $timestamp?->diffForHumans(['short' => true]);
+    }
+
+    public function topPriorityFollowUpRow(): ?TenantCoverageTypeTruth
+    {
+        foreach ($this->rows as $row) {
+            if ($row->followUpRequired) {
+                return $row;
+            }
+        }
+
+        return null;
+    }
+
+    public function observedTypeCount(): int
+    {
+        return count(array_filter(
+            $this->rows,
+            static fn (TenantCoverageTypeTruth $row): bool => $row->observedItemCount > 0,
+        ));
+    }
+
+    /**
+     * @return list<TenantCoverageTypeTruth>
+     */
+    public function followUpRows(): array
+    {
+        return array_values(array_filter(
+            $this->rows,
+            static fn (TenantCoverageTypeTruth $row): bool => $row->followUpRequired,
+        ));
+    }
+
+    /**
+     * @return array{
+     *     tenantId: int,
+     *     basisRun: array{id: int, outcome: string, completedAt: string|null}|null,
+     *     hasCurrentCoverageResult: bool,
+     *     summary: array{
+     *         supportedTypes: int,
+     *         succeededTypes: int,
+     *         failedTypes: int,
+     *         skippedTypes: int,
+     *         unknownTypes: int,
+     *         followUpTypes: int,
+     *         observedItems: int
+     *     },
+     *     rows: list<array<string, mixed>>
+     * }
+     */
+    public function toArray(): array
+    {
+        return [
+            'tenantId' => $this->tenantId,
+            'basisRun' => $this->basisRun instanceof OperationRun
+                ? [
+                    'id' => (int) $this->basisRun->getKey(),
+                    'outcome' => (string) $this->basisRun->outcome,
+                    'completedAt' => $this->basisRun->completed_at?->toIso8601String(),
+                ]
+                : null,
+            'hasCurrentCoverageResult' => $this->hasCurrentCoverageResult,
+            'summary' => [
+                'supportedTypes' => $this->supportedTypeCount,
+                'succeededTypes' => $this->succeededTypeCount,
+                'failedTypes' => $this->failedTypeCount,
+                'skippedTypes' => $this->skippedTypeCount,
+                'unknownTypes' => $this->unknownTypeCount,
+                'followUpTypes' => $this->followUpTypeCount,
+                'observedItems' => $this->observedItemTotal,
+            ],
+            'rows' => array_map(
+                static fn (TenantCoverageTypeTruth $row): array => $row->toArray(),
+                $this->rows,
+            ),
+        ];
+    }
+}

app/Support/Inventory/TenantCoverageTruthResolver.php

@@ -0,0 +1,170 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\Inventory;
+
+use App\Models\InventoryItem;
+use App\Models\OperationRun;
+use App\Models\Tenant;
+use App\Services\Inventory\CoverageCapabilitiesResolver;
+use Illuminate\Support\Collection;
+
+final class TenantCoverageTruthResolver
+{
+    public function __construct(
+        private readonly CoverageCapabilitiesResolver $coverageCapabilities,
+    ) {}
+
+    public function resolve(Tenant|int $tenant): TenantCoverageTruth
+    {
+        $tenantId = $tenant instanceof Tenant
+            ? (int) $tenant->getKey()
+            : (int) $tenant;
+
+        $basisRun = OperationRun::latestCompletedCoverageBearingInventorySyncForTenant($tenantId);
+        $basisCoverage = $basisRun?->inventoryCoverage();
+
+        /** @var array<string, int> $countsByType */
+        $countsByType = InventoryItem::query()
+            ->where('tenant_id', $tenantId)
+            ->selectRaw('policy_type, COUNT(*) as aggregate')
+            ->groupBy('policy_type')
+            ->pluck('aggregate', 'policy_type')
+            ->map(static fn (mixed $value): int => (int) $value)
+            ->all();
+
+        $rows = $this->supportedTypes()
+            ->map(function (array $meta) use ($basisCoverage, $countsByType): TenantCoverageTypeTruth {
+                $type = (string) $meta['type'];
+                $segment = (string) $meta['segment'];
+                $basisRow = $basisCoverage?->row($type);
+                $coverageState = is_string($basisRow['status'] ?? null)
+                    ? (string) $basisRow['status']
+                    : TenantCoverageTypeTruth::StateUnknown;
+                $observedItemCount = (int) ($countsByType[$type] ?? 0);
+                $basisItemCount = is_int($basisRow['item_count'] ?? null)
+                    ? (int) $basisRow['item_count']
+                    : null;
+                $basisErrorCode = is_string($basisRow['error_code'] ?? null)
+                    ? (string) $basisRow['error_code']
+                    : null;
+                $followUpRequired = $coverageState !== TenantCoverageTypeTruth::StateSucceeded;
+
+                return new TenantCoverageTypeTruth(
+                    key: sprintf('%s:%s', $segment, $type),
+                    type: $type,
+                    segment: $segment,
+                    label: (string) ($meta['label'] ?? $type),
+                    category: (string) ($meta['category'] ?? 'Other'),
+                    platform: is_string($meta['platform'] ?? null) ? (string) $meta['platform'] : null,
+                    coverageState: $coverageState,
+                    followUpRequired: $followUpRequired,
+                    followUpPriority: self::followUpPriorityForState($coverageState),
+                    observedItemCount: $observedItemCount,
+                    basisItemCount: $basisItemCount,
+                    basisErrorCode: $basisErrorCode,
+                    restoreMode: is_string($meta['restore'] ?? null) ? (string) $meta['restore'] : null,
+                    riskLevel: is_string($meta['risk'] ?? null) ? (string) $meta['risk'] : null,
+                    supportsDependencies: $segment === 'policy' && $this->coverageCapabilities->supportsDependencies($type),
+                    followUpGuidance: self::followUpGuidanceForState($coverageState, $basisErrorCode),
+                    isBasisPayloadBacked: $basisRow !== null,
+                );
+            })
+            ->sort(function (TenantCoverageTypeTruth $left, TenantCoverageTypeTruth $right): int {
+                $priority = $left->followUpPriority <=> $right->followUpPriority;
+
+                if ($priority !== 0) {
+                    return $priority;
+                }
+
+                $observed = $right->observedItemCount <=> $left->observedItemCount;
+
+                if ($observed !== 0) {
+                    return $observed;
+                }
+
+                return strnatcasecmp($left->label, $right->label);
+            })
+            ->values()
+            ->all();
+
+        return new TenantCoverageTruth(
+            tenantId: $tenantId,
+            basisRun: $basisRun,
+            hasCurrentCoverageResult: $basisCoverage instanceof InventoryCoverage,
+            supportedTypeCount: count($rows),
+            succeededTypeCount: $this->countRowsByState($rows, TenantCoverageTypeTruth::StateSucceeded),
+            failedTypeCount: $this->countRowsByState($rows, TenantCoverageTypeTruth::StateFailed),
+            skippedTypeCount: $this->countRowsByState($rows, TenantCoverageTypeTruth::StateSkipped),
+            unknownTypeCount: $this->countRowsByState($rows, TenantCoverageTypeTruth::StateUnknown),
+            followUpTypeCount: count(array_filter(
+                $rows,
+                static fn (TenantCoverageTypeTruth $row): bool => $row->followUpRequired,
+            )),
+            observedItemTotal: array_sum($countsByType),
+            rows: $rows,
+        );
+    }
+
+    /**
+     * @return Collection<int, array{type: string, label: string, category: string, platform?: string|null, restore?: string|null, risk?: string|null, segment: 'policy'|'foundation'}>
+     */
+    private function supportedTypes(): Collection
+    {
+        $supported = collect(InventoryPolicyTypeMeta::supported())
+            ->filter(static fn (array $row): bool => is_string($row['type'] ?? null) && $row['type'] !== '')
+            ->map(static fn (array $row): array => array_merge($row, ['segment' => 'policy']));
+
+        $foundations = collect(InventoryPolicyTypeMeta::foundations())
+            ->filter(static fn (array $row): bool => is_string($row['type'] ?? null) && $row['type'] !== '')
+            ->map(static fn (array $row): array => array_merge($row, ['segment' => 'foundation']));
+
+        return $supported
+            ->merge($foundations)
+            ->values();
+    }
+
+    public static function followUpPriorityForState(string $coverageState): int
+    {
+        return match ($coverageState) {
+            TenantCoverageTypeTruth::StateFailed => 0,
+            TenantCoverageTypeTruth::StateUnknown => 1,
+            TenantCoverageTypeTruth::StateSkipped => 2,
+            default => 3,
+        };
+    }
+
+    public static function followUpGuidanceForState(string $coverageState, ?string $basisErrorCode): string
+    {
+        return match (true) {
+            $coverageState === TenantCoverageTypeTruth::StateFailed && in_array($basisErrorCode, [
+                'graph_forbidden',
+                'provider_consent_missing',
+                'provider_permission_missing',
+                'provider_permission_denied',
+            ], true) => 'Review provider consent or permissions, then rerun inventory sync.',
+            $coverageState === TenantCoverageTypeTruth::StateFailed && in_array($basisErrorCode, [
+                'graph_throttled',
+                'graph_transient',
+                'rate_limited',
+                'network_unreachable',
+            ], true) => 'Retry inventory sync after the provider recovers.',
+            $coverageState === TenantCoverageTypeTruth::StateFailed => 'Review the latest inventory sync details before retrying.',
+            $coverageState === TenantCoverageTypeTruth::StateSkipped => 'Run inventory sync again with the required types selected.',
+            $coverageState === TenantCoverageTypeTruth::StateUnknown => 'No current basis result exists for this type. Run inventory sync to confirm coverage.',
+            default => 'No follow-up is currently required.',
+        };
+    }
+
+    /**
+     * @param  list<TenantCoverageTypeTruth>  $rows
+     */
+    private function countRowsByState(array $rows, string $state): int
+    {
+        return count(array_filter(
+            $rows,
+            static fn (TenantCoverageTypeTruth $row): bool => $row->coverageState === $state,
+        ));
+    }
+}

app/Support/Inventory/TenantCoverageTypeTruth.php

@@ -0,0 +1,88 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\Inventory;
+
+use InvalidArgumentException;
+
+final readonly class TenantCoverageTypeTruth
+{
+    public const string StateSucceeded = InventoryCoverage::StatusSucceeded;
+
+    public const string StateFailed = InventoryCoverage::StatusFailed;
+
+    public const string StateSkipped = InventoryCoverage::StatusSkipped;
+
+    public const string StateUnknown = 'unknown';
+
+    public function __construct(
+        public string $key,
+        public string $type,
+        public string $segment,
+        public string $label,
+        public string $category,
+        public ?string $platform,
+        public string $coverageState,
+        public bool $followUpRequired,
+        public int $followUpPriority,
+        public int $observedItemCount,
+        public ?int $basisItemCount,
+        public ?string $basisErrorCode,
+        public ?string $restoreMode,
+        public ?string $riskLevel,
+        public bool $supportsDependencies,
+        public string $followUpGuidance,
+        public bool $isBasisPayloadBacked,
+    ) {
+        if ($this->key === '' || $this->type === '' || $this->label === '') {
+            throw new InvalidArgumentException('Coverage truth rows require non-empty identity fields.');
+        }
+    }
+
+    /**
+     * @return array{
+     *     __key: string,
+     *     key: string,
+     *     type: string,
+     *     segment: string,
+     *     label: string,
+     *     category: string,
+     *     platform: ?string,
+     *     coverage_state: string,
+     *     follow_up_required: bool,
+     *     follow_up_priority: int,
+     *     follow_up_guidance: string,
+     *     observed_item_count: int,
+     *     basis_item_count: ?int,
+     *     basis_error_code: ?string,
+     *     restore: ?string,
+     *     risk: ?string,
+     *     dependencies: bool,
+     *     is_basis_payload_backed: bool
+     * }
+     */
+    public function toArray(): array
+    {
+        return [
+            '__key' => $this->key,
+            'key' => $this->key,
+            'type' => $this->type,
+            'segment' => $this->segment,
+            'label' => $this->label,
+            'category' => $this->category,
+            'platform' => $this->platform,
+            'coverage_state' => $this->coverageState,
+            'follow_up_required' => $this->followUpRequired,
+            'follow_up_priority' => $this->followUpPriority,
+            'follow_up_guidance' => $this->followUpGuidance,
+            'observed_item_count' => $this->observedItemCount,
+            'basis_item_count' => $this->basisItemCount,
+            'basis_error_code' => $this->basisErrorCode,
+            'restore' => $this->restoreMode,
+            'risk' => $this->riskLevel,
+            'dependencies' => $this->supportsDependencies,
+            'is_basis_payload_backed' => $this->isBasisPayloadBacked,
+        ];
+    }
+}

app/Support/OperateHub/OperateHubShell.php

@@ -188,13 +188,15 @@ private function resolveTenantRouteParameter(mixed $routeTenant): ?Tenant
             return null;
         }
 
+        $tenantKeyColumn = (new Tenant)->getQualifiedKeyName();
+
         return Tenant::query()
             ->withTrashed()
-            ->where(static function ($query) use ($routeTenant): void {
+            ->where(static function ($query) use ($routeTenant, $tenantKeyColumn): void {
                 $query->where('external_id', $routeTenant);
 
                 if (ctype_digit($routeTenant)) {
-                    $query->orWhereKey((int) $routeTenant);
+                    $query->orWhere($tenantKeyColumn, (int) $routeTenant);
                 }
             })
             ->first();

app/Support/OperationRunLinks.php

@@ -79,17 +79,33 @@ public static function index(
         ?Tenant $tenant = null,
         ?CanonicalNavigationContext $context = null,
         ?string $activeTab = null,
+        bool $allTenants = false,
+        ?string $problemClass = null,
     ): string {
         $parameters = $context?->toQuery() ?? [];
 
         if ($tenant instanceof Tenant) {
             $parameters['tenant_id'] = (int) $tenant->getKey();
+        } elseif ($allTenants) {
+            $parameters['tenant_scope'] = 'all';
         }
 
         if (is_string($activeTab) && $activeTab !== '') {
             $parameters['activeTab'] = $activeTab;
         }
 
+        if (
+            is_string($problemClass)
+            && in_array($problemClass, OperationRun::problemClasses(), true)
+            && $problemClass !== OperationRun::PROBLEM_CLASS_NONE
+        ) {
+            $parameters['problemClass'] = $problemClass;
+
+            if (! is_string($activeTab) || $activeTab === '') {
+                $parameters['activeTab'] = $problemClass;
+            }
+        }
+
         return route('admin.operations.index', $parameters);
     }
 

app/Support/OpsUx/ActiveRuns.php

@@ -11,9 +11,30 @@ final class ActiveRuns
 {
     public static function existForTenant(Tenant $tenant): bool
     {
+        return self::existForTenantId((int) $tenant->getKey());
+    }
+
+    public static function existForTenantId(?int $tenantId): bool
+    {
+        if (! is_int($tenantId) || $tenantId <= 0) {
+            return false;
+        }
+
         return OperationRun::query()
-            ->where('tenant_id', $tenant->getKey())
+            ->where('tenant_id', $tenantId)
-            ->active()
+            ->healthyActive()
             ->exists();
     }
+
+    public static function pollingIntervalForTenant(?Tenant $tenant): ?string
+    {
+        return $tenant instanceof Tenant
+            ? self::pollingIntervalForTenantId((int) $tenant->getKey())
+            : null;
+    }
+
+    public static function pollingIntervalForTenantId(?int $tenantId): ?string
+    {
+        return self::existForTenantId($tenantId) ? '10s' : null;
+    }
 }

app/Support/OpsUx/OperationUxPresenter.php

@@ -223,6 +223,70 @@ public static function freshnessState(OperationRun $run): OperationRunFreshnessS
         return $run->freshnessState();
     }
 
+    public static function problemClass(OperationRun $run): string
+    {
+        return $run->problemClass();
+    }
+
+    public static function problemClassLabel(OperationRun $run): ?string
+    {
+        return match (self::problemClass($run)) {
+            OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION => 'Likely stale active run',
+            OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP => 'Terminal follow-up',
+            default => null,
+        };
+    }
+
+    public static function staleLineageNote(OperationRun $run): ?string
+    {
+        if (! $run->hasStaleLineage()) {
+            return null;
+        }
+
+        return 'This terminal run was automatically reconciled after stale lifecycle truth was lost.';
+    }
+
+    /**
+     * @return array{
+     *     freshnessState:string,
+     *     freshnessLabel:?string,
+     *     problemClass:string,
+     *     problemClassLabel:?string,
+     *     isCurrentlyActive:bool,
+     *     isReconciled:bool,
+     *     staleLineageNote:?string,
+     *     primaryNextAction:string,
+     *     attentionNote:?string
+     * }
+     */
+    public static function decisionZoneTruth(OperationRun $run): array
+    {
+        $freshnessState = self::freshnessState($run);
+
+        return [
+            'freshnessState' => $freshnessState->value,
+            'freshnessLabel' => self::lifecycleAttentionSummary($run),
+            'problemClass' => self::problemClass($run),
+            'problemClassLabel' => self::problemClassLabel($run),
+            'isCurrentlyActive' => $run->isCurrentlyActive(),
+            'isReconciled' => $run->isLifecycleReconciled(),
+            'staleLineageNote' => self::staleLineageNote($run),
+            'primaryNextAction' => self::surfaceGuidance($run) ?? 'No action needed.',
+            'attentionNote' => self::decisionAttentionNote($run),
+        ];
+    }
+
+    public static function decisionAttentionNote(OperationRun $run): ?string
+    {
+        return match (self::problemClass($run)) {
+            OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION => 'Still active: Yes. Automatic reconciliation: No. This run is past its lifecycle window and needs stale-run investigation before retrying.',
+            OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP => $run->hasStaleLineage()
+                ? 'Still active: No. Automatic reconciliation: Yes. This terminal failure preserves stale-run lineage so operators can recover why the run stopped.'
+                : 'Still active: No. Automatic reconciliation: No. This run is terminal and still needs follow-up.',
+            default => null,
+        };
+    }
+
     public static function lifecycleAttentionSummary(OperationRun $run): ?string
     {
         return self::memoizeExplanation(
@@ -247,7 +311,9 @@ private static function buildLifecycleAttentionSummary(OperationRun $run): ?stri
         return match (self::freshnessState($run)) {
             OperationRunFreshnessState::LikelyStale => 'Likely stale',
             OperationRunFreshnessState::ReconciledFailed => 'Automatically reconciled',
-            default => null,
+            default => self::problemClass($run) === OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP
+                ? 'Terminal follow-up'
+                : null,
         };
     }
 

app/Support/RestoreSafety/ChecksIntegrityState.php

@@ -0,0 +1,77 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\RestoreSafety;
+
+use InvalidArgumentException;
+
+final readonly class ChecksIntegrityState
+{
+    public const string STATE_NOT_RUN = 'not_run';
+
+    public const string STATE_CURRENT = 'current';
+
+    public const string STATE_STALE = 'stale';
+
+    public const string STATE_INVALIDATED = 'invalidated';
+
+    public const string FRESHNESS_POLICY = 'invalidate_after_mutation';
+
+    /**
+     * @param  list<string>  $invalidationReasons
+     */
+    public function __construct(
+        public string $state,
+        public string $freshnessPolicy,
+        public ?string $fingerprint,
+        public ?string $ranAt,
+        public int $blockingCount,
+        public int $warningCount,
+        public array $invalidationReasons,
+        public bool $rerunRequired,
+        public string $displaySummary,
+    ) {
+        if (! in_array($this->state, [
+            self::STATE_NOT_RUN,
+            self::STATE_CURRENT,
+            self::STATE_STALE,
+            self::STATE_INVALIDATED,
+        ], true)) {
+            throw new InvalidArgumentException('Unsupported checks integrity state.');
+        }
+    }
+
+    public function isCurrent(): bool
+    {
+        return $this->state === self::STATE_CURRENT;
+    }
+
+    /**
+     * @return array{
+     *     state: string,
+     *     freshness_policy: string,
+     *     fingerprint: ?string,
+     *     ran_at: ?string,
+     *     blocking_count: int,
+     *     warning_count: int,
+     *     invalidation_reasons: list<string>,
+     *     rerun_required: bool,
+     *     display_summary: string
+     * }
+     */
+    public function toArray(): array
+    {
+        return [
+            'state' => $this->state,
+            'freshness_policy' => $this->freshnessPolicy,
+            'fingerprint' => $this->fingerprint,
+            'ran_at' => $this->ranAt,
+            'blocking_count' => $this->blockingCount,
+            'warning_count' => $this->warningCount,
+            'invalidation_reasons' => $this->invalidationReasons,
+            'rerun_required' => $this->rerunRequired,
+            'display_summary' => $this->displaySummary,
+        ];
+    }
+}

app/Support/RestoreSafety/ExecutionReadinessState.php

@@ -0,0 +1,39 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\RestoreSafety;
+
+final readonly class ExecutionReadinessState
+{
+    /**
+     * @param  list<string>  $blockingReasons
+     */
+    public function __construct(
+        public bool $allowed,
+        public array $blockingReasons,
+        public string $mutationScope,
+        public string $requiredCapability,
+        public string $displaySummary,
+    ) {}
+
+    /**
+     * @return array{
+     *     allowed: bool,
+     *     blocking_reasons: list<string>,
+     *     mutation_scope: string,
+     *     required_capability: string,
+     *     display_summary: string
+     * }
+     */
+    public function toArray(): array
+    {
+        return [
+            'allowed' => $this->allowed,
+            'blocking_reasons' => $this->blockingReasons,
+            'mutation_scope' => $this->mutationScope,
+            'required_capability' => $this->requiredCapability,
+            'display_summary' => $this->displaySummary,
+        ];
+    }
+}

app/Support/RestoreSafety/PreviewIntegrityState.php

@@ -0,0 +1,71 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\RestoreSafety;
+
+use InvalidArgumentException;
+
+final readonly class PreviewIntegrityState
+{
+    public const string STATE_NOT_GENERATED = 'not_generated';
+
+    public const string STATE_CURRENT = 'current';
+
+    public const string STATE_STALE = 'stale';
+
+    public const string STATE_INVALIDATED = 'invalidated';
+
+    public const string FRESHNESS_POLICY = 'invalidate_after_mutation';
+
+    /**
+     * @param  list<string>  $invalidationReasons
+     */
+    public function __construct(
+        public string $state,
+        public string $freshnessPolicy,
+        public ?string $fingerprint,
+        public ?string $generatedAt,
+        public array $invalidationReasons,
+        public bool $rerunRequired,
+        public string $displaySummary,
+    ) {
+        if (! in_array($this->state, [
+            self::STATE_NOT_GENERATED,
+            self::STATE_CURRENT,
+            self::STATE_STALE,
+            self::STATE_INVALIDATED,
+        ], true)) {
+            throw new InvalidArgumentException('Unsupported preview integrity state.');
+        }
+    }
+
+    public function isCurrent(): bool
+    {
+        return $this->state === self::STATE_CURRENT;
+    }
+
+    /**
+     * @return array{
+     *     state: string,
+     *     freshness_policy: string,
+     *     fingerprint: ?string,
+     *     generated_at: ?string,
+     *     invalidation_reasons: list<string>,
+     *     rerun_required: bool,
+     *     display_summary: string
+     * }
+     */
+    public function toArray(): array
+    {
+        return [
+            'state' => $this->state,
+            'freshness_policy' => $this->freshnessPolicy,
+            'fingerprint' => $this->fingerprint,
+            'generated_at' => $this->generatedAt,
+            'invalidation_reasons' => $this->invalidationReasons,
+            'rerun_required' => $this->rerunRequired,
+            'display_summary' => $this->displaySummary,
+        ];
+    }
+}

app/Support/RestoreSafety/RestoreExecutionSafetySnapshot.php

@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\RestoreSafety;
+
+final readonly class RestoreExecutionSafetySnapshot
+{
+    public function __construct(
+        public string $evaluatedAt,
+        public string $scopeFingerprint,
+        public string $previewState,
+        public string $checksState,
+        public string $safetyState,
+        public int $blockingCount,
+        public int $warningCount,
+        public ?string $primaryIssueCode,
+        public string $followUpBoundary,
+    ) {}
+
+    /**
+     * @return array{
+     *     evaluated_at: string,
+     *     scope_fingerprint: string,
+     *     preview_state: string,
+     *     checks_state: string,
+     *     safety_state: string,
+     *     blocking_count: int,
+     *     warning_count: int,
+     *     primary_issue_code: ?string,
+     *     follow_up_boundary: string
+     * }
+     */
+    public function toArray(): array
+    {
+        return [
+            'evaluated_at' => $this->evaluatedAt,
+            'scope_fingerprint' => $this->scopeFingerprint,
+            'preview_state' => $this->previewState,
+            'checks_state' => $this->checksState,
+            'safety_state' => $this->safetyState,
+            'blocking_count' => $this->blockingCount,
+            'warning_count' => $this->warningCount,
+            'primary_issue_code' => $this->primaryIssueCode,
+            'follow_up_boundary' => $this->followUpBoundary,
+        ];
+    }
+}

app/Support/RestoreSafety/RestoreResultAttention.php

@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\RestoreSafety;
+
+use InvalidArgumentException;
+
+final readonly class RestoreResultAttention
+{
+    public const string STATE_NOT_EXECUTED = 'not_executed';
+
+    public const string STATE_COMPLETED = 'completed';
+
+    public const string STATE_PARTIAL = 'partial';
+
+    public const string STATE_FAILED = 'failed';
+
+    public const string STATE_COMPLETED_WITH_FOLLOW_UP = 'completed_with_follow_up';
+
+    public function __construct(
+        public string $state,
+        public bool $followUpRequired,
+        public string $primaryCauseFamily,
+        public string $summary,
+        public string $primaryNextAction,
+        public string $recoveryClaimBoundary,
+        public string $tone,
+    ) {
+        if (! in_array($this->state, [
+            self::STATE_NOT_EXECUTED,
+            self::STATE_COMPLETED,
+            self::STATE_PARTIAL,
+            self::STATE_FAILED,
+            self::STATE_COMPLETED_WITH_FOLLOW_UP,
+        ], true)) {
+            throw new InvalidArgumentException('Unsupported restore result attention state.');
+        }
+    }
+
+    /**
+     * @return array{
+     *     state: string,
+     *     follow_up_required: bool,
+     *     primary_cause_family: string,
+     *     summary: string,
+     *     primary_next_action: string,
+     *     recovery_claim_boundary: string,
+     *     tone: string
+     * }
+     */
+    public function toArray(): array
+    {
+        return [
+            'state' => $this->state,
+            'follow_up_required' => $this->followUpRequired,
+            'primary_cause_family' => $this->primaryCauseFamily,
+            'summary' => $this->summary,
+            'primary_next_action' => $this->primaryNextAction,
+            'recovery_claim_boundary' => $this->recoveryClaimBoundary,
+            'tone' => $this->tone,
+        ];
+    }
+}

app/Support/RestoreSafety/RestoreSafetyAssessment.php

@@ -0,0 +1,93 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\RestoreSafety;
+
+use InvalidArgumentException;
+
+final readonly class RestoreSafetyAssessment
+{
+    public const string STATE_BLOCKED = 'blocked';
+
+    public const string STATE_RISKY = 'risky';
+
+    public const string STATE_READY_WITH_CAUTION = 'ready_with_caution';
+
+    public const string STATE_READY = 'ready';
+
+    public function __construct(
+        public string $state,
+        public ExecutionReadinessState $executionReadiness,
+        public PreviewIntegrityState $previewIntegrity,
+        public ChecksIntegrityState $checksIntegrity,
+        public bool $positiveClaimSuppressed,
+        public ?string $primaryIssueCode,
+        public string $primaryNextAction,
+        public string $summary,
+    ) {
+        if (! in_array($this->state, [
+            self::STATE_BLOCKED,
+            self::STATE_RISKY,
+            self::STATE_READY_WITH_CAUTION,
+            self::STATE_READY,
+        ], true)) {
+            throw new InvalidArgumentException('Unsupported restore safety assessment state.');
+        }
+    }
+
+    public function canSignalReady(): bool
+    {
+        return in_array($this->state, [self::STATE_READY, self::STATE_READY_WITH_CAUTION], true);
+    }
+
+    /**
+     * @return array{
+     *     state: string,
+     *     execution_readiness: array{
+     *         allowed: bool,
+     *         blocking_reasons: list<string>,
+     *         mutation_scope: string,
+     *         required_capability: string,
+     *         display_summary: string
+     *     },
+     *     preview_integrity: array{
+     *         state: string,
+     *         freshness_policy: string,
+     *         fingerprint: ?string,
+     *         generated_at: ?string,
+     *         invalidation_reasons: list<string>,
+     *         rerun_required: bool,
+     *         display_summary: string
+     *     },
+     *     checks_integrity: array{
+     *         state: string,
+     *         freshness_policy: string,
+     *         fingerprint: ?string,
+     *         ran_at: ?string,
+     *         blocking_count: int,
+     *         warning_count: int,
+     *         invalidation_reasons: list<string>,
+     *         rerun_required: bool,
+     *         display_summary: string
+     *     },
+     *     positive_claim_suppressed: bool,
+     *     primary_issue_code: ?string,
+     *     primary_next_action: string,
+     *     summary: string
+     * }
+     */
+    public function toArray(): array
+    {
+        return [
+            'state' => $this->state,
+            'execution_readiness' => $this->executionReadiness->toArray(),
+            'preview_integrity' => $this->previewIntegrity->toArray(),
+            'checks_integrity' => $this->checksIntegrity->toArray(),
+            'positive_claim_suppressed' => $this->positiveClaimSuppressed,
+            'primary_issue_code' => $this->primaryIssueCode,
+            'primary_next_action' => $this->primaryNextAction,
+            'summary' => $this->summary,
+        ];
+    }
+}

app/Support/RestoreSafety/RestoreSafetyCopy.php

@@ -0,0 +1,86 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\RestoreSafety;
+
+use Illuminate\Support\Str;
+
+final class RestoreSafetyCopy
+{
+    public static function safetyStateLabel(?string $state): string
+    {
+        return match ($state) {
+            RestoreSafetyAssessment::STATE_BLOCKED => 'Blocked',
+            RestoreSafetyAssessment::STATE_RISKY => 'Risky',
+            RestoreSafetyAssessment::STATE_READY_WITH_CAUTION => 'Ready with caution',
+            RestoreSafetyAssessment::STATE_READY => 'Ready',
+            default => self::headline($state, 'Unknown state'),
+        };
+    }
+
+    public static function primaryNextAction(?string $action): string
+    {
+        return match ($action) {
+            'resolve_blockers' => 'Resolve the technical blockers before real execution.',
+            'generate_preview' => 'Generate a preview for the current scope.',
+            'regenerate_preview' => 'Regenerate the preview for the current scope.',
+            'rerun_checks' => 'Run the safety checks again for the current scope.',
+            'review_warnings' => 'Review the warnings before real execution.',
+            'execute' => 'Queue the real restore execution.',
+            'review_preview' => 'Review the preview evidence before claiming recovery or queueing execution.',
+            'review_failures' => 'Review failed items and provider errors before retrying.',
+            'review_partial_items' => 'Review partial items and incomplete assignments before retrying.',
+            'review_skipped_items' => 'Review skipped or non-applied items before closing the run.',
+            'review_result' => 'Review the completed restore details.',
+            'adjust_scope' => 'Adjust the restore scope, then refresh preview and checks.',
+            'review_scope' => 'Review the current scope and safety evidence.',
+            default => self::sentence($action, 'Review the current scope and safety evidence.'),
+        };
+    }
+
+    public static function primaryCauseFamily(?string $family): string
+    {
+        return match ($family) {
+            'none' => 'No dominant cause recorded',
+            'execution_failure' => 'Execution failure',
+            'write_gate_or_rbac' => 'RBAC or write gate',
+            'provider_operability' => 'Provider operability',
+            'missing_dependency_or_mapping' => 'Missing dependency or mapping',
+            'payload_quality' => 'Payload quality',
+            'scope_mismatch' => 'Scope mismatch',
+            'item_level_failure' => 'Item-level failure',
+            default => self::headline($family, 'Unknown cause'),
+        };
+    }
+
+    public static function recoveryBoundary(?string $boundary): string
+    {
+        return match ($boundary) {
+            'preview_only_no_execution_proven' => 'No execution was performed from this record.',
+            'execution_failed_no_recovery_claim' => 'Tenant recovery is not proven.',
+            'run_completed_not_recovery_proven' => 'Tenant-wide recovery is not proven.',
+            default => 'Tenant-wide recovery is not proven.',
+        };
+    }
+
+    private static function headline(?string $value, string $fallback): string
+    {
+        if (! is_string($value) || trim($value) === '') {
+            return $fallback;
+        }
+
+        return Str::headline(trim($value));
+    }
+
+    private static function sentence(?string $value, string $fallback): string
+    {
+        if (! is_string($value) || trim($value) === '') {
+            return $fallback;
+        }
+
+        $sentence = Str::headline(trim($value));
+
+        return str_ends_with($sentence, '.') ? $sentence : $sentence.'.';
+    }
+}

app/Support/RestoreSafety/RestoreSafetyResolver.php

@@ -0,0 +1,619 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\RestoreSafety;
+
+use App\Contracts\Hardening\WriteGateInterface;
+use App\Exceptions\Hardening\ProviderAccessHardeningRequired;
+use App\Models\RestoreRun;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Services\Auth\CapabilityResolver;
+use App\Support\Auth\Capabilities;
+
+final readonly class RestoreSafetyResolver
+{
+    public function __construct(
+        private CapabilityResolver $capabilityResolver,
+        private WriteGateInterface $writeGate,
+    ) {}
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    public function scopeFingerprintFromData(array $data): RestoreScopeFingerprint
+    {
+        return RestoreScopeFingerprint::fromInputs(
+            $data['backup_set_id'] ?? null,
+            $data['scope_mode'] ?? null,
+            $data['backup_item_ids'] ?? [],
+            $data['group_mapping'] ?? [],
+        );
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     * @return array{
+     *     backup_set_id: ?int,
+     *     scope_mode: string,
+     *     selected_item_ids: list<int>,
+     *     group_mapping: array<string, string>,
+     *     group_mapping_fingerprint: string,
+     *     fingerprint: string,
+     *     captured_at: string
+     * }
+     */
+    public function scopeBasisFromData(array $data): array
+    {
+        $scope = $this->scopeFingerprintFromData($data);
+
+        return $scope->toArray() + [
+            'captured_at' => now('UTC')->toIso8601String(),
+        ];
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     * @return array{
+     *     fingerprint: string,
+     *     ran_at: string,
+     *     blocking_count: int,
+     *     warning_count: int,
+     *     result_codes: list<string>
+     * }|null
+     */
+    public function checksBasisFromData(array $data): ?array
+    {
+        $summary = $data['check_summary'] ?? null;
+        $ranAt = $data['checks_ran_at'] ?? null;
+
+        if (! is_array($summary) || ! is_string($ranAt) || $ranAt === '') {
+            return is_array($data['check_basis'] ?? null) ? $data['check_basis'] : null;
+        }
+
+        $scope = $this->scopeFingerprintFromData($data);
+        $results = is_array($data['check_results'] ?? null) ? $data['check_results'] : [];
+
+        return [
+            'fingerprint' => $scope->fingerprint,
+            'ran_at' => $ranAt,
+            'blocking_count' => (int) ($summary['blocking'] ?? 0),
+            'warning_count' => (int) ($summary['warning'] ?? 0),
+            'result_codes' => array_values(array_filter(array_map(static function (mixed $result): ?string {
+                $code = is_array($result) ? ($result['code'] ?? null) : null;
+
+                return is_string($code) && $code !== '' ? $code : null;
+            }, $results))),
+        ];
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     * @return array{
+     *     fingerprint: string,
+     *     generated_at: string,
+     *     summary: array<string, mixed>
+     * }|null
+     */
+    public function previewBasisFromData(array $data): ?array
+    {
+        $summary = $data['preview_summary'] ?? null;
+        $ranAt = $data['preview_ran_at'] ?? null;
+
+        if (! is_array($summary) || ! is_string($ranAt) || $ranAt === '') {
+            return is_array($data['preview_basis'] ?? null) ? $data['preview_basis'] : null;
+        }
+
+        $scope = $this->scopeFingerprintFromData($data);
+
+        return [
+            'fingerprint' => $scope->fingerprint,
+            'generated_at' => $ranAt,
+            'summary' => $summary,
+        ];
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    public function previewIntegrityFromData(array $data): PreviewIntegrityState
+    {
+        $scope = $this->scopeFingerprintFromData($data);
+        $basis = is_array($data['preview_basis'] ?? null) ? $data['preview_basis'] : null;
+        $generatedAt = is_string($data['preview_ran_at'] ?? null) ? $data['preview_ran_at'] : null;
+        $hasPreviewEvidence = (is_array($data['preview_summary'] ?? null) && $data['preview_summary'] !== [])
+            || ($basis !== null && $basis !== [])
+            || (is_string($generatedAt) && $generatedAt !== '');
+
+        if (! $hasPreviewEvidence) {
+            return new PreviewIntegrityState(
+                state: PreviewIntegrityState::STATE_NOT_GENERATED,
+                freshnessPolicy: PreviewIntegrityState::FRESHNESS_POLICY,
+                fingerprint: null,
+                generatedAt: null,
+                invalidationReasons: [],
+                rerunRequired: true,
+                displaySummary: 'Generate a preview for the current scope before claiming calm execution readiness.',
+            );
+        }
+
+        $basisFingerprint = is_string($basis['fingerprint'] ?? null) ? $basis['fingerprint'] : null;
+        $reasons = $this->invalidationReasonsForBasis(
+            currentScope: $scope,
+            basis: $basis,
+            explicitReasons: $data['preview_invalidation_reasons'] ?? null,
+        );
+
+        if ($reasons !== []) {
+            return new PreviewIntegrityState(
+                state: PreviewIntegrityState::STATE_INVALIDATED,
+                freshnessPolicy: PreviewIntegrityState::FRESHNESS_POLICY,
+                fingerprint: $basisFingerprint,
+                generatedAt: is_string($basis['generated_at'] ?? null) ? $basis['generated_at'] : $generatedAt,
+                invalidationReasons: $reasons,
+                rerunRequired: true,
+                displaySummary: 'The last preview no longer matches the current restore scope. Regenerate it before real execution.',
+            );
+        }
+
+        if ($basisFingerprint === null || ! is_string($basis['generated_at'] ?? null)) {
+            return new PreviewIntegrityState(
+                state: PreviewIntegrityState::STATE_STALE,
+                freshnessPolicy: PreviewIntegrityState::FRESHNESS_POLICY,
+                fingerprint: $basisFingerprint,
+                generatedAt: is_string($basis['generated_at'] ?? null) ? $basis['generated_at'] : $generatedAt,
+                invalidationReasons: [],
+                rerunRequired: true,
+                displaySummary: 'Preview evidence exists, but it cannot prove it still belongs to the current scope.',
+            );
+        }
+
+        return new PreviewIntegrityState(
+            state: PreviewIntegrityState::STATE_CURRENT,
+            freshnessPolicy: PreviewIntegrityState::FRESHNESS_POLICY,
+            fingerprint: $basisFingerprint,
+            generatedAt: $basis['generated_at'],
+            invalidationReasons: [],
+            rerunRequired: false,
+            displaySummary: 'Preview evidence is current for the selected restore scope.',
+        );
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    public function checksIntegrityFromData(array $data): ChecksIntegrityState
+    {
+        $scope = $this->scopeFingerprintFromData($data);
+        $basis = is_array($data['check_basis'] ?? null) ? $data['check_basis'] : null;
+        $summary = is_array($data['check_summary'] ?? null) ? $data['check_summary'] : [];
+        $ranAt = is_string($data['checks_ran_at'] ?? null) ? $data['checks_ran_at'] : null;
+        $blockingCount = (int) ($summary['blocking'] ?? ($basis['blocking_count'] ?? 0));
+        $warningCount = (int) ($summary['warning'] ?? ($basis['warning_count'] ?? 0));
+
+        $hasCheckEvidence = $summary !== []
+            || ($basis !== null && $basis !== [])
+            || (is_string($ranAt) && $ranAt !== '');
+
+        if (! $hasCheckEvidence) {
+            return new ChecksIntegrityState(
+                state: ChecksIntegrityState::STATE_NOT_RUN,
+                freshnessPolicy: ChecksIntegrityState::FRESHNESS_POLICY,
+                fingerprint: null,
+                ranAt: null,
+                blockingCount: 0,
+                warningCount: 0,
+                invalidationReasons: [],
+                rerunRequired: true,
+                displaySummary: 'Run safety checks for the current scope before offering real execution calmly.',
+            );
+        }
+
+        $basisFingerprint = is_string($basis['fingerprint'] ?? null) ? $basis['fingerprint'] : null;
+        $reasons = $this->invalidationReasonsForBasis(
+            currentScope: $scope,
+            basis: $basis,
+            explicitReasons: $data['check_invalidation_reasons'] ?? null,
+        );
+
+        if ($reasons !== []) {
+            return new ChecksIntegrityState(
+                state: ChecksIntegrityState::STATE_INVALIDATED,
+                freshnessPolicy: ChecksIntegrityState::FRESHNESS_POLICY,
+                fingerprint: $basisFingerprint,
+                ranAt: is_string($basis['ran_at'] ?? null) ? $basis['ran_at'] : $ranAt,
+                blockingCount: $blockingCount,
+                warningCount: $warningCount,
+                invalidationReasons: $reasons,
+                rerunRequired: true,
+                displaySummary: 'The last checks no longer match the current restore scope. Run them again before real execution.',
+            );
+        }
+
+        if ($basisFingerprint === null || ! is_string($basis['ran_at'] ?? null)) {
+            return new ChecksIntegrityState(
+                state: ChecksIntegrityState::STATE_STALE,
+                freshnessPolicy: ChecksIntegrityState::FRESHNESS_POLICY,
+                fingerprint: $basisFingerprint,
+                ranAt: is_string($basis['ran_at'] ?? null) ? $basis['ran_at'] : $ranAt,
+                blockingCount: $blockingCount,
+                warningCount: $warningCount,
+                invalidationReasons: [],
+                rerunRequired: true,
+                displaySummary: 'Checks evidence exists, but it cannot prove it still belongs to the current scope.',
+            );
+        }
+
+        return new ChecksIntegrityState(
+            state: ChecksIntegrityState::STATE_CURRENT,
+            freshnessPolicy: ChecksIntegrityState::FRESHNESS_POLICY,
+            fingerprint: $basisFingerprint,
+            ranAt: $basis['ran_at'],
+            blockingCount: $blockingCount,
+            warningCount: $warningCount,
+            invalidationReasons: [],
+            rerunRequired: false,
+            displaySummary: 'Checks evidence is current for the selected restore scope.',
+        );
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    public function executionReadiness(Tenant $tenant, User $user, array $data, bool $dryRun = false): ExecutionReadinessState
+    {
+        $blockingReasons = [];
+
+        if (! $this->capabilityResolver->can($user, $tenant, Capabilities::TENANT_MANAGE)) {
+            $blockingReasons[] = 'missing_capability';
+        }
+
+        if (! $dryRun) {
+            try {
+                $this->writeGate->evaluate($tenant, 'restore.execute');
+            } catch (ProviderAccessHardeningRequired $exception) {
+                $blockingReasons[] = $exception->reasonCode;
+            }
+        }
+
+        $checkSummary = is_array($data['check_summary'] ?? null) ? $data['check_summary'] : [];
+        $blockingCount = (int) ($checkSummary['blocking'] ?? 0);
+        $hasBlockers = (bool) ($checkSummary['has_blockers'] ?? ($blockingCount > 0));
+
+        if ($hasBlockers) {
+            $blockingReasons[] = 'risk_blocker';
+        }
+
+        $blockingReasons = array_values(array_unique($blockingReasons));
+        $allowed = $blockingReasons === [];
+
+        $displaySummary = $allowed
+            ? 'The platform can start a restore for this tenant once the operator chooses to proceed.'
+            : 'Technical startability is blocked until capability, write-gate, or hard-blocker issues are resolved.';
+
+        return new ExecutionReadinessState(
+            allowed: $allowed,
+            blockingReasons: $blockingReasons,
+            mutationScope: $dryRun ? 'simulation_only' : 'microsoft_tenant',
+            requiredCapability: Capabilities::TENANT_MANAGE,
+            displaySummary: $displaySummary,
+        );
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    public function safetyAssessment(Tenant $tenant, User $user, array $data): RestoreSafetyAssessment
+    {
+        $previewIntegrity = $this->previewIntegrityFromData($data);
+        $checksIntegrity = $this->checksIntegrityFromData($data);
+        $executionReadiness = $this->executionReadiness($tenant, $user, $data, false);
+
+        if (! $executionReadiness->allowed) {
+            return new RestoreSafetyAssessment(
+                state: RestoreSafetyAssessment::STATE_BLOCKED,
+                executionReadiness: $executionReadiness,
+                previewIntegrity: $previewIntegrity,
+                checksIntegrity: $checksIntegrity,
+                positiveClaimSuppressed: true,
+                primaryIssueCode: $executionReadiness->blockingReasons[0] ?? 'execution_blocked',
+                primaryNextAction: 'resolve_blockers',
+                summary: 'Real execution is blocked until the technical prerequisites are healthy again.',
+            );
+        }
+
+        if (! $previewIntegrity->isCurrent()) {
+            return new RestoreSafetyAssessment(
+                state: RestoreSafetyAssessment::STATE_RISKY,
+                executionReadiness: $executionReadiness,
+                previewIntegrity: $previewIntegrity,
+                checksIntegrity: $checksIntegrity,
+                positiveClaimSuppressed: true,
+                primaryIssueCode: $previewIntegrity->state,
+                primaryNextAction: 'regenerate_preview',
+                summary: 'Real execution is technically possible, but the preview basis is not current enough to support a calm go signal.',
+            );
+        }
+
+        if (! $checksIntegrity->isCurrent()) {
+            return new RestoreSafetyAssessment(
+                state: RestoreSafetyAssessment::STATE_RISKY,
+                executionReadiness: $executionReadiness,
+                previewIntegrity: $previewIntegrity,
+                checksIntegrity: $checksIntegrity,
+                positiveClaimSuppressed: true,
+                primaryIssueCode: $checksIntegrity->state,
+                primaryNextAction: 'rerun_checks',
+                summary: 'Real execution is technically possible, but the checks basis is not current enough to support a calm go signal.',
+            );
+        }
+
+        if ($checksIntegrity->warningCount > 0) {
+            return new RestoreSafetyAssessment(
+                state: RestoreSafetyAssessment::STATE_READY_WITH_CAUTION,
+                executionReadiness: $executionReadiness,
+                previewIntegrity: $previewIntegrity,
+                checksIntegrity: $checksIntegrity,
+                positiveClaimSuppressed: true,
+                primaryIssueCode: 'warnings_present',
+                primaryNextAction: 'review_warnings',
+                summary: 'Current preview and checks exist, but warnings remain. The restore can start, yet calm safety claims stay suppressed.',
+            );
+        }
+
+        return new RestoreSafetyAssessment(
+            state: RestoreSafetyAssessment::STATE_READY,
+            executionReadiness: $executionReadiness,
+            previewIntegrity: $previewIntegrity,
+            checksIntegrity: $checksIntegrity,
+            positiveClaimSuppressed: false,
+            primaryIssueCode: null,
+            primaryNextAction: 'execute',
+            summary: 'Current preview and checks support real execution for the selected scope.',
+        );
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    public function executionSafetySnapshot(Tenant $tenant, User $user, array $data): RestoreExecutionSafetySnapshot
+    {
+        $scope = $this->scopeFingerprintFromData($data);
+        $assessment = $this->safetyAssessment($tenant, $user, $data);
+
+        return new RestoreExecutionSafetySnapshot(
+            evaluatedAt: now('UTC')->toIso8601String(),
+            scopeFingerprint: $scope->fingerprint,
+            previewState: $assessment->previewIntegrity->state,
+            checksState: $assessment->checksIntegrity->state,
+            safetyState: $assessment->state,
+            blockingCount: $assessment->checksIntegrity->blockingCount,
+            warningCount: $assessment->checksIntegrity->warningCount,
+            primaryIssueCode: $assessment->primaryIssueCode,
+            followUpBoundary: 'run_completed_not_recovery_proven',
+        );
+    }
+
+    public function resultAttentionForRun(RestoreRun $restoreRun): RestoreResultAttention
+    {
+        $status = strtolower((string) $restoreRun->status);
+        $results = is_array($restoreRun->results) ? $restoreRun->results : [];
+        $items = is_array($results['items'] ?? null) ? array_values($results['items']) : [];
+        $foundations = is_array($results['foundations'] ?? null) ? array_values($results['foundations']) : [];
+        $operationOutcome = strtolower((string) ($restoreRun->operationRun?->outcome ?? ''));
+
+        $itemStatuses = array_values(array_filter(array_map(static function (mixed $item): ?string {
+            $status = is_array($item) ? ($item['status'] ?? null) : null;
+
+            return is_string($status) && $status !== '' ? strtolower($status) : null;
+        }, $items)));
+
+        $failedItems = count(array_filter($itemStatuses, static fn (string $itemStatus): bool => $itemStatus === 'failed'));
+        $partialItems = count(array_filter($itemStatuses, static fn (string $itemStatus): bool => in_array($itemStatus, ['partial', 'manual_required'], true)));
+        $skippedItems = count(array_filter($itemStatuses, static fn (string $itemStatus): bool => $itemStatus === 'skipped'));
+        $failedAssignments = $restoreRun->getFailedAssignmentsCount();
+        $skippedAssignments = $restoreRun->getSkippedAssignmentsCount();
+        $foundationSkips = count(array_filter($foundations, static function (mixed $entry): bool {
+            return is_array($entry) && in_array(($entry['decision'] ?? null), ['failed', 'skipped'], true);
+        }));
+
+        if ($restoreRun->is_dry_run || in_array($status, ['draft', 'scoped', 'checked', 'previewed'], true)) {
+            return new RestoreResultAttention(
+                state: RestoreResultAttention::STATE_NOT_EXECUTED,
+                followUpRequired: false,
+                primaryCauseFamily: 'none',
+                summary: 'This record proves preview truth, not tenant recovery.',
+                primaryNextAction: 'review_preview',
+                recoveryClaimBoundary: 'preview_only_no_execution_proven',
+                tone: 'gray',
+            );
+        }
+
+        if ($status === 'failed' || $operationOutcome === 'failed') {
+            return new RestoreResultAttention(
+                state: RestoreResultAttention::STATE_FAILED,
+                followUpRequired: true,
+                primaryCauseFamily: $this->primaryCauseFamilyForRun($restoreRun),
+                summary: 'The restore did not complete successfully. Follow-up is still required.',
+                primaryNextAction: 'review_failures',
+                recoveryClaimBoundary: 'execution_failed_no_recovery_claim',
+                tone: 'danger',
+            );
+        }
+
+        if ($failedItems > 0 || $partialItems > 0 || $failedAssignments > 0 || in_array($operationOutcome, ['partially_succeeded', 'blocked'], true)) {
+            return new RestoreResultAttention(
+                state: RestoreResultAttention::STATE_PARTIAL,
+                followUpRequired: true,
+                primaryCauseFamily: $this->primaryCauseFamilyForRun($restoreRun),
+                summary: 'The restore reached a terminal state, but some items or assignments still need follow-up.',
+                primaryNextAction: 'review_partial_items',
+                recoveryClaimBoundary: 'run_completed_not_recovery_proven',
+                tone: 'warning',
+            );
+        }
+
+        if ($skippedItems > 0 || $skippedAssignments > 0 || $foundationSkips > 0 || (int) (($restoreRun->metadata ?? [])['non_applied'] ?? 0) > 0) {
+            return new RestoreResultAttention(
+                state: RestoreResultAttention::STATE_COMPLETED_WITH_FOLLOW_UP,
+                followUpRequired: true,
+                primaryCauseFamily: $this->primaryCauseFamilyForRun($restoreRun),
+                summary: 'The restore completed, but follow-up remains for skipped or non-applied work.',
+                primaryNextAction: 'review_skipped_items',
+                recoveryClaimBoundary: 'run_completed_not_recovery_proven',
+                tone: 'warning',
+            );
+        }
+
+        return new RestoreResultAttention(
+            state: RestoreResultAttention::STATE_COMPLETED,
+            followUpRequired: false,
+            primaryCauseFamily: 'none',
+            summary: 'The restore completed without visible follow-up, but this still does not prove tenant-wide recovery.',
+            primaryNextAction: 'review_result',
+            recoveryClaimBoundary: 'run_completed_not_recovery_proven',
+            tone: 'success',
+        );
+    }
+
+    /**
+     * @param  array<string, mixed>|null  $basis
+     * @return list<string>
+     */
+    public function invalidationReasonsForBasis(
+        RestoreScopeFingerprint $currentScope,
+        ?array $basis,
+        mixed $explicitReasons = null,
+    ): array {
+        $reasons = $this->normalizeReasons($explicitReasons);
+
+        if ($basis === null) {
+            return $reasons;
+        }
+
+        if ($reasons !== []) {
+            return $reasons;
+        }
+
+        $basisFingerprint = is_string($basis['fingerprint'] ?? null) ? $basis['fingerprint'] : null;
+
+        if ($basisFingerprint !== null && $currentScope->matches($basisFingerprint)) {
+            return [];
+        }
+
+        $basisBackupSetId = is_numeric($basis['backup_set_id'] ?? null) ? (int) $basis['backup_set_id'] : null;
+        $basisScopeMode = $basis['scope_mode'] ?? null;
+        $basisSelectedItemIds = is_array($basis['selected_item_ids'] ?? null) ? $basis['selected_item_ids'] : [];
+        $basisGroupMappingFingerprint = is_string($basis['group_mapping_fingerprint'] ?? null)
+            ? $basis['group_mapping_fingerprint']
+            : null;
+
+        $derivedReasons = [];
+
+        if ($basisBackupSetId !== null && $basisBackupSetId !== $currentScope->backupSetId) {
+            $derivedReasons[] = 'backup_set_changed';
+        }
+
+        if (is_string($basisScopeMode) && $basisScopeMode !== $currentScope->scopeMode) {
+            $derivedReasons[] = 'scope_mode_changed';
+        }
+
+        if ($this->normalizeIds($basisSelectedItemIds) !== $currentScope->selectedItemIds) {
+            $derivedReasons[] = 'selected_items_changed';
+        }
+
+        if ($basisGroupMappingFingerprint !== null && $basisGroupMappingFingerprint !== $currentScope->groupMappingFingerprint) {
+            $derivedReasons[] = 'group_mapping_changed';
+        }
+
+        if ($derivedReasons === [] && $basisFingerprint !== null && ! $currentScope->matches($basisFingerprint)) {
+            $derivedReasons[] = 'scope_mismatch';
+        }
+
+        return $derivedReasons;
+    }
+
+    private function primaryCauseFamilyForRun(RestoreRun $restoreRun): string
+    {
+        $operationContext = is_array($restoreRun->operationRun?->context) ? $restoreRun->operationRun->context : [];
+        $reasonCode = strtolower((string) ($operationContext['reason_code'] ?? ''));
+
+        if ($reasonCode !== '' && (str_contains($reasonCode, 'capability') || str_contains($reasonCode, 'rbac') || str_contains($reasonCode, 'write'))) {
+            return 'write_gate_or_rbac';
+        }
+
+        $results = is_array($restoreRun->results) ? $restoreRun->results : [];
+        $items = is_array($results['items'] ?? null) ? array_values($results['items']) : [];
+
+        foreach ($items as $item) {
+            if (! is_array($item)) {
+                continue;
+            }
+
+            $reason = strtolower((string) ($item['reason'] ?? ''));
+            $graphMessage = strtolower((string) ($item['graph_error_message'] ?? ''));
+
+            if (str_contains($reason, 'mapping') || str_contains($reason, 'group') || str_contains($graphMessage, 'mapping')) {
+                return 'missing_dependency_or_mapping';
+            }
+
+            if (str_contains($reason, 'metadata only') || str_contains($reason, 'manual')) {
+                return 'payload_quality';
+            }
+
+            if ($graphMessage !== '' || filled($item['graph_error_code'] ?? null)) {
+                return 'item_level_failure';
+            }
+        }
+
+        return 'none';
+    }
+
+    /**
+     * @return list<string>
+     */
+    private function normalizeReasons(mixed $reasons): array
+    {
+        if (! is_array($reasons)) {
+            return [];
+        }
+
+        $normalized = array_values(array_filter(array_map(static function (mixed $reason): ?string {
+            if (! is_string($reason)) {
+                return null;
+            }
+
+            $reason = trim($reason);
+
+            return $reason === '' ? null : $reason;
+        }, $reasons)));
+
+        return array_values(array_unique($normalized));
+    }
+
+    /**
+     * @return list<int>
+     */
+    private function normalizeIds(array $ids): array
+    {
+        $normalized = [];
+
+        foreach ($ids as $id) {
+            if (is_int($id) && $id > 0) {
+                $normalized[] = $id;
+
+                continue;
+            }
+
+            if (is_string($id) && ctype_digit($id) && (int) $id > 0) {
+                $normalized[] = (int) $id;
+            }
+        }
+
+        $normalized = array_values(array_unique($normalized));
+        sort($normalized);
+
+        return $normalized;
+    }
+}

app/Support/RestoreSafety/RestoreScopeFingerprint.php

@@ -0,0 +1,199 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\RestoreSafety;
+
+use InvalidArgumentException;
+use JsonException;
+
+final readonly class RestoreScopeFingerprint
+{
+    public function __construct(
+        public ?int $backupSetId,
+        public string $scopeMode,
+        /**
+         * @var list<int>
+         */
+        public array $selectedItemIds,
+        /**
+         * @var array<string, string>
+         */
+        public array $groupMapping,
+        public string $groupMappingFingerprint,
+        public string $fingerprint,
+    ) {
+        if (! in_array($this->scopeMode, ['all', 'selected'], true)) {
+            throw new InvalidArgumentException('Restore scope mode must be all or selected.');
+        }
+    }
+
+    public static function fromInputs(
+        mixed $backupSetId,
+        mixed $scopeMode,
+        mixed $selectedItemIds,
+        mixed $groupMapping,
+    ): self {
+        $normalizedBackupSetId = is_numeric($backupSetId) ? max(1, (int) $backupSetId) : null;
+        $normalizedScopeMode = $scopeMode === 'selected' ? 'selected' : 'all';
+        $normalizedSelectedItemIds = self::normalizeItemIds(
+            $normalizedScopeMode === 'selected' ? $selectedItemIds : []
+        );
+        $normalizedGroupMapping = self::normalizeGroupMapping($groupMapping);
+        $groupMappingFingerprint = self::hashPayload($normalizedGroupMapping);
+
+        return new self(
+            backupSetId: $normalizedBackupSetId,
+            scopeMode: $normalizedScopeMode,
+            selectedItemIds: $normalizedSelectedItemIds,
+            groupMapping: $normalizedGroupMapping,
+            groupMappingFingerprint: $groupMappingFingerprint,
+            fingerprint: self::hashPayload([
+                'backup_set_id' => $normalizedBackupSetId,
+                'scope_mode' => $normalizedScopeMode,
+                'selected_item_ids' => $normalizedSelectedItemIds,
+                'group_mapping_fingerprint' => $groupMappingFingerprint,
+            ]),
+        );
+    }
+
+    public static function fromArray(mixed $payload): ?self
+    {
+        if (! is_array($payload)) {
+            return null;
+        }
+
+        if (
+            ! array_key_exists('backup_set_id', $payload)
+            && ! array_key_exists('scope_mode', $payload)
+            && ! array_key_exists('fingerprint', $payload)
+        ) {
+            return null;
+        }
+
+        return self::fromInputs(
+            $payload['backup_set_id'] ?? null,
+            $payload['scope_mode'] ?? null,
+            $payload['selected_item_ids'] ?? [],
+            $payload['group_mapping'] ?? [],
+        );
+    }
+
+    public function matches(?string $fingerprint): bool
+    {
+        return is_string($fingerprint)
+            && $fingerprint !== ''
+            && hash_equals($this->fingerprint, $fingerprint);
+    }
+
+    /**
+     * @return array{
+     *     backup_set_id: ?int,
+     *     scope_mode: string,
+     *     selected_item_ids: list<int>,
+     *     group_mapping: array<string, string>,
+     *     group_mapping_fingerprint: string,
+     *     fingerprint: string
+     * }
+     */
+    public function toArray(): array
+    {
+        return [
+            'backup_set_id' => $this->backupSetId,
+            'scope_mode' => $this->scopeMode,
+            'selected_item_ids' => $this->selectedItemIds,
+            'group_mapping' => $this->groupMapping,
+            'group_mapping_fingerprint' => $this->groupMappingFingerprint,
+            'fingerprint' => $this->fingerprint,
+        ];
+    }
+
+    /**
+     * @return list<int>
+     */
+    private static function normalizeItemIds(mixed $selectedItemIds): array
+    {
+        if (! is_array($selectedItemIds)) {
+            return [];
+        }
+
+        $normalized = [];
+
+        foreach ($selectedItemIds as $itemId) {
+            if (is_int($itemId) && $itemId > 0) {
+                $normalized[] = $itemId;
+
+                continue;
+            }
+
+            if (is_string($itemId) && ctype_digit($itemId) && (int) $itemId > 0) {
+                $normalized[] = (int) $itemId;
+            }
+        }
+
+        $normalized = array_values(array_unique($normalized));
+        sort($normalized);
+
+        return $normalized;
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    private static function normalizeGroupMapping(mixed $groupMapping): array
+    {
+        if ($groupMapping instanceof \Illuminate\Contracts\Support\Arrayable) {
+            $groupMapping = $groupMapping->toArray();
+        }
+
+        if ($groupMapping instanceof \stdClass) {
+            $groupMapping = (array) $groupMapping;
+        }
+
+        if (! is_array($groupMapping)) {
+            return [];
+        }
+
+        $normalized = [];
+
+        foreach ($groupMapping as $sourceGroupId => $targetGroupId) {
+            if (! is_string($sourceGroupId) || trim($sourceGroupId) === '') {
+                continue;
+            }
+
+            if ($targetGroupId instanceof \BackedEnum) {
+                $targetGroupId = $targetGroupId->value;
+            }
+
+            if (! is_string($targetGroupId)) {
+                continue;
+            }
+
+            $targetGroupId = trim($targetGroupId);
+
+            if ($targetGroupId === '') {
+                continue;
+            }
+
+            $normalized[trim($sourceGroupId)] = strtoupper($targetGroupId) === 'SKIP'
+                ? 'SKIP'
+                : $targetGroupId;
+        }
+
+        ksort($normalized);
+
+        return $normalized;
+    }
+
+    /**
+     * @param  array<mixed>  $payload
+     */
+    private static function hashPayload(array $payload): string
+    {
+        try {
+            return hash('sha256', json_encode($payload, JSON_THROW_ON_ERROR));
+        } catch (JsonException $exception) {
+            throw new InvalidArgumentException('Restore scope payload could not be fingerprinted.', previous: $exception);
+        }
+    }
+}

app/Support/Ui/GovernanceArtifactTruth/ArtifactTruthPresenter.php

@@ -33,6 +33,7 @@
 use App\Support\Ui\DerivedState\RequestScopedDerivedStateStore;
 use App\Support\Ui\OperatorExplanation\CountDescriptor;
 use App\Support\Ui\OperatorExplanation\OperatorExplanationBuilder;
+use Filament\Facades\Filament;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Arr;
 
@@ -359,7 +360,7 @@ private function buildEvidenceSnapshotEnvelope(EvidenceSnapshot $snapshot): Arti
             nextActionUrl: $nextActionUrl,
             relatedRunId: $snapshot->operation_run_id !== null ? (int) $snapshot->operation_run_id : null,
             relatedArtifactUrl: $snapshot->tenant !== null
-                ? EvidenceSnapshotResource::getUrl('view', ['record' => $snapshot], tenant: $snapshot->tenant)
+                ? $this->panelSafeTenantArtifactUrl(fn (): string => EvidenceSnapshotResource::getUrl('view', ['record' => $snapshot], tenant: $snapshot->tenant))
                 : null,
             includePublicationDimension: false,
             countDescriptors: [
@@ -500,9 +501,13 @@ private function buildTenantReviewEnvelope(TenantReview $review): ArtifactTruthE
             : null;
 
         if ($publishBlockers !== [] && $review->tenant !== null) {
-            $nextActionUrl = TenantReviewResource::tenantScopedUrl('view', ['record' => $review], $review->tenant);
+            $nextActionUrl = $this->panelSafeTenantArtifactUrl(
+                fn (): string => TenantReviewResource::tenantScopedUrl('view', ['record' => $review], $review->tenant)
+            );
         } elseif (($freshnessState === 'stale' || $contentState === 'partial') && $review->tenant !== null && $review->evidenceSnapshot !== null) {
-            $nextActionUrl = EvidenceSnapshotResource::getUrl('view', ['record' => $review->evidenceSnapshot], tenant: $review->tenant);
+            $nextActionUrl = $this->panelSafeTenantArtifactUrl(
+                fn (): string => EvidenceSnapshotResource::getUrl('view', ['record' => $review->evidenceSnapshot], tenant: $review->tenant)
+            );
         }
 
         return $this->makeEnvelope(
@@ -538,7 +543,9 @@ private function buildTenantReviewEnvelope(TenantReview $review): ArtifactTruthE
             nextActionUrl: $nextActionUrl,
             relatedRunId: $review->operation_run_id !== null ? (int) $review->operation_run_id : null,
             relatedArtifactUrl: $review->tenant !== null
-                ? TenantReviewResource::tenantScopedUrl('view', ['record' => $review], $review->tenant)
+                ? $this->panelSafeTenantArtifactUrl(
+                    fn (): string => TenantReviewResource::tenantScopedUrl('view', ['record' => $review], $review->tenant)
+                )
                 : null,
             includePublicationDimension: true,
             countDescriptors: [
@@ -675,9 +682,13 @@ private function buildReviewPackEnvelope(ReviewPack $pack): ArtifactTruthEnvelop
         $nextActionUrl = null;
 
         if ($sourceReview instanceof TenantReview && $pack->tenant !== null) {
-            $nextActionUrl = TenantReviewResource::tenantScopedUrl('view', ['record' => $sourceReview], $pack->tenant);
+            $nextActionUrl = $this->panelSafeTenantArtifactUrl(
+                fn (): string => TenantReviewResource::tenantScopedUrl('view', ['record' => $sourceReview], $pack->tenant)
+            );
         } elseif (($freshnessState === 'stale' || $contentState === 'partial') && $pack->tenant !== null && $pack->evidenceSnapshot !== null) {
-            $nextActionUrl = EvidenceSnapshotResource::getUrl('view', ['record' => $pack->evidenceSnapshot], tenant: $pack->tenant);
+            $nextActionUrl = $this->panelSafeTenantArtifactUrl(
+                fn (): string => EvidenceSnapshotResource::getUrl('view', ['record' => $pack->evidenceSnapshot], tenant: $pack->tenant)
+            );
         } elseif ($pack->operation_run_id !== null) {
             $nextActionUrl = OperationRunLinks::tenantlessView((int) $pack->operation_run_id);
         }
@@ -715,7 +726,9 @@ private function buildReviewPackEnvelope(ReviewPack $pack): ArtifactTruthEnvelop
             nextActionUrl: $nextActionUrl,
             relatedRunId: $pack->operation_run_id !== null ? (int) $pack->operation_run_id : null,
             relatedArtifactUrl: $pack->tenant !== null
-                ? ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $pack->tenant)
+                ? $this->panelSafeTenantArtifactUrl(
+                    fn (): string => ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $pack->tenant)
+                )
                 : null,
             includePublicationDimension: true,
             countDescriptors: [
@@ -1084,6 +1097,13 @@ classification: $classification,
         );
     }
 
+    private function panelSafeTenantArtifactUrl(callable $resolver): ?string
+    {
+        return Filament::getCurrentPanel()?->getId() === 'system'
+            ? null
+            : $resolver();
+    }
+
     /**
      * @return array<int, CountDescriptor>
      */

resources/views/filament/forms/components/restore-run-checks.blade.php

@@ -7,11 +7,20 @@
     $summary = $summary ?? [];
     $summary = is_array($summary) ? $summary : [];
 
-    $blocking = (int) ($summary['blocking'] ?? 0);
+    $checksIntegrity = $checksIntegrity ?? [];
-    $warning = (int) ($summary['warning'] ?? 0);
+    $checksIntegrity = is_array($checksIntegrity) ? $checksIntegrity : [];
+
+    $executionReadiness = $executionReadiness ?? [];
+    $executionReadiness = is_array($executionReadiness) ? $executionReadiness : [];
+
+    $safetyAssessment = $safetyAssessment ?? [];
+    $safetyAssessment = is_array($safetyAssessment) ? $safetyAssessment : [];
+
+    $blocking = (int) ($summary['blocking'] ?? ($checksIntegrity['blocking_count'] ?? 0));
+    $warning = (int) ($summary['warning'] ?? ($checksIntegrity['warning_count'] ?? 0));
     $safe = (int) ($summary['safe'] ?? 0);
 
-    $ranAt = $ranAt ?? null;
+    $ranAt = $ranAt ?? ($checksIntegrity['ran_at'] ?? null);
     $ranAtLabel = null;
 
     if (is_string($ranAt) && $ranAt !== '') {
@@ -26,6 +35,12 @@
         return \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::RestoreCheckSeverity, $severity);
     };
 
+    $integritySpec = $severitySpec($checksIntegrity['state'] ?? 'not_run');
+    $integritySummary = $checksIntegrity['display_summary'] ?? 'Run checks for the current scope before real execution.';
+    $nextAction = $safetyAssessment['primary_next_action'] ?? 'rerun_checks';
+    $nextActionLabel = \App\Support\RestoreSafety\RestoreSafetyCopy::primaryNextAction(is_string($nextAction) ? $nextAction : 'rerun_checks');
+    $startabilitySummary = $executionReadiness['display_summary'] ?? 'Execution readiness is unavailable.';
+    $startabilityTone = (bool) ($executionReadiness['allowed'] ?? false) ? 'success' : 'warning';
     $limitedList = static function (array $items, int $limit = 5): array {
         if (count($items) <= $limit) {
             return $items;
@@ -39,25 +54,65 @@
     <div class="space-y-4">
         <x-filament::section
             heading="Safety checks"
-            :description="$ranAtLabel ? ('Last run: ' . $ranAtLabel) : 'Run checks to evaluate risk before previewing.'"
+            :description="$ranAtLabel ? ('Last run: ' . $ranAtLabel) : 'Checks tell you whether the current scope can be defended, not just whether it can start.'"
         >
-            <div class="flex flex-wrap gap-2">
+            <div class="space-y-3">
-                <x-filament::badge :color="$blocking > 0 ? $severitySpec('blocking')->color : 'gray'">
+                <div class="flex flex-wrap gap-2">
-                    {{ $blocking }} {{ \Illuminate\Support\Str::lower($severitySpec('blocking')->label) }}
+                    <x-filament::badge :color="$integritySpec->color" :icon="$integritySpec->icon" size="sm">
-                </x-filament::badge>
+                        {{ $integritySpec->label }}
-                <x-filament::badge :color="$warning > 0 ? $severitySpec('warning')->color : 'gray'">
+                    </x-filament::badge>
-                    {{ $warning }} {{ \Illuminate\Support\Str::lower($severitySpec('warning')->label) }}
+                    <x-filament::badge :color="$startabilityTone" size="sm">
-                </x-filament::badge>
+                        {{ (bool) ($executionReadiness['allowed'] ?? false) ? 'Technically startable' : 'Technical blocker present' }}
-                <x-filament::badge :color="$safe > 0 ? $severitySpec('safe')->color : 'gray'">
+                    </x-filament::badge>
-                    {{ $safe }} {{ \Illuminate\Support\Str::lower($severitySpec('safe')->label) }}
+                    @if (($safetyAssessment['state'] ?? null) === 'ready_with_caution')
-                </x-filament::badge>
+                        <x-filament::badge color="warning" size="sm">
+                            Ready with caution
+                        </x-filament::badge>
+                    @elseif (($safetyAssessment['state'] ?? null) === 'ready')
+                        <x-filament::badge color="success" size="sm">
+                            Ready
+                        </x-filament::badge>
+                    @endif
+                </div>
+
+                <div class="rounded-lg border border-slate-200 bg-slate-50 px-3 py-3 text-sm text-slate-900 dark:border-white/10 dark:bg-white/5 dark:text-slate-100">
+                    <div class="font-medium">What the current checks prove</div>
+                    <div class="mt-1">{{ $integritySummary }}</div>
+                    <div class="mt-2 text-xs text-slate-600 dark:text-slate-300">
+                        Technical startability: {{ $startabilitySummary }}
+                    </div>
+                    <div class="mt-2 text-xs font-semibold uppercase tracking-wide text-slate-500 dark:text-slate-400">
+                        Primary next step
+                    </div>
+                    <div class="mt-1 text-xs text-slate-600 dark:text-slate-300">
+                        {{ $nextActionLabel }}
+                    </div>
+                </div>
+
+                <div class="flex flex-wrap gap-2">
+                    <x-filament::badge :color="$blocking > 0 ? $severitySpec('blocking')->color : 'gray'">
+                        {{ $blocking }} {{ \Illuminate\Support\Str::lower($severitySpec('blocking')->label) }}
+                    </x-filament::badge>
+                    <x-filament::badge :color="$warning > 0 ? $severitySpec('warning')->color : 'gray'">
+                        {{ $warning }} {{ \Illuminate\Support\Str::lower($severitySpec('warning')->label) }}
+                    </x-filament::badge>
+                    <x-filament::badge :color="$safe > 0 ? $severitySpec('safe')->color : 'gray'">
+                        {{ $safe }} {{ \Illuminate\Support\Str::lower($severitySpec('safe')->label) }}
+                    </x-filament::badge>
+                </div>
+
+                @if (($checksIntegrity['invalidation_reasons'] ?? []) !== [])
+                    <div class="text-xs text-amber-800 dark:text-amber-200">
+                        Invalidated by: {{ implode(', ', array_map(static fn (string $reason): string => \Illuminate\Support\Str::replace('_', ' ', $reason), $checksIntegrity['invalidation_reasons'])) }}
+                    </div>
+                @endif
             </div>
         </x-filament::section>
 
         @if ($results === [])
             <x-filament::section>
                 <div class="text-sm text-gray-600 dark:text-gray-300">
-                    No checks have been run yet.
+                    No checks have been recorded for this scope yet.
                 </div>
             </x-filament::section>
         @else
@@ -69,9 +124,9 @@
                         $message = is_array($result) ? ($result['message'] ?? null) : null;
                         $meta = is_array($result) ? ($result['meta'] ?? []) : [];
                         $meta = is_array($meta) ? $meta : [];
-
                         $unmappedGroups = $meta['unmapped'] ?? [];
                         $unmappedGroups = is_array($unmappedGroups) ? $limitedList($unmappedGroups) : [];
+                        $spec = $severitySpec($severity);
                     @endphp
 
                     <x-filament::section>
@@ -87,10 +142,6 @@
                                 @endif
                             </div>
 
-	                            @php
-	                                $spec = $severitySpec($severity);
-	                            @endphp
-
                             <x-filament::badge :color="$spec->color" :icon="$spec->icon" size="sm">
                                 {{ $spec->label }}
                             </x-filament::badge>

resources/views/filament/forms/components/restore-run-preview.blade.php

@@ -7,7 +7,16 @@
     $summary = $summary ?? [];
     $summary = is_array($summary) ? $summary : [];
 
-    $ranAt = $ranAt ?? null;
+    $previewIntegrity = $previewIntegrity ?? [];
+    $previewIntegrity = is_array($previewIntegrity) ? $previewIntegrity : [];
+
+    $checksIntegrity = $checksIntegrity ?? [];
+    $checksIntegrity = is_array($checksIntegrity) ? $checksIntegrity : [];
+
+    $safetyAssessment = $safetyAssessment ?? [];
+    $safetyAssessment = is_array($safetyAssessment) ? $safetyAssessment : [];
+
+    $ranAt = $ranAt ?? ($previewIntegrity['generated_at'] ?? null);
     $ranAtLabel = null;
 
     if (is_string($ranAt) && $ranAt !== '') {
@@ -18,12 +27,19 @@
         }
     }
 
+    $integritySpec = \App\Support\Badges\BadgeRenderer::spec(
+        \App\Support\Badges\BadgeDomain::RestorePreviewDecision,
+        $previewIntegrity['state'] ?? 'not_generated'
+    );
+
     $policiesTotal = (int) ($summary['policies_total'] ?? 0);
     $policiesChanged = (int) ($summary['policies_changed'] ?? 0);
     $assignmentsChanged = (int) ($summary['assignments_changed'] ?? 0);
     $scopeTagsChanged = (int) ($summary['scope_tags_changed'] ?? 0);
     $diffsOmitted = (int) ($summary['diffs_omitted'] ?? 0);
-
+    $integritySummary = $previewIntegrity['display_summary'] ?? 'Generate a preview before real execution.';
+    $nextAction = $safetyAssessment['primary_next_action'] ?? 'generate_preview';
+    $nextActionLabel = \App\Support\RestoreSafety\RestoreSafetyCopy::primaryNextAction(is_string($nextAction) ? $nextAction : 'generate_preview');
     $limitedKeys = static function (array $items, int $limit = 8): array {
         $keys = array_keys($items);
 
@@ -39,22 +55,57 @@
     <div class="space-y-4">
         <x-filament::section
             heading="Preview"
-            :description="$ranAtLabel ? ('Generated: ' . $ranAtLabel) : 'Generate a preview to see what would change.'"
+            :description="$ranAtLabel ? ('Generated: ' . $ranAtLabel) : 'Preview answers what would change for the current scope.'"
         >
-            <div class="flex flex-wrap gap-2">
+            <div class="space-y-3">
-                <x-filament::badge :color="$policiesChanged > 0 ? 'warning' : 'success'">
+                <div class="flex flex-wrap gap-2">
-                    {{ $policiesChanged }}/{{ $policiesTotal }} policies changed
+                    <x-filament::badge :color="$integritySpec->color" :icon="$integritySpec->icon" size="sm">
-                </x-filament::badge>
+                        {{ $integritySpec->label }}
-                <x-filament::badge :color="$assignmentsChanged > 0 ? 'warning' : 'gray'">
-                    {{ $assignmentsChanged }} assignments changed
-                </x-filament::badge>
-                <x-filament::badge :color="$scopeTagsChanged > 0 ? 'warning' : 'gray'">
-                    {{ $scopeTagsChanged }} scope tags changed
-                </x-filament::badge>
-                @if ($diffsOmitted > 0)
-                    <x-filament::badge color="gray">
-                        {{ $diffsOmitted }} diffs omitted (limit)
                     </x-filament::badge>
+                    @if (($checksIntegrity['state'] ?? null) === 'current')
+                        <x-filament::badge color="success" size="sm">
+                            Checks current
+                        </x-filament::badge>
+                    @endif
+                    @if (($safetyAssessment['state'] ?? null) === 'ready_with_caution')
+                        <x-filament::badge color="warning" size="sm">
+                            Calm readiness suppressed
+                        </x-filament::badge>
+                    @endif
+                </div>
+
+                <div class="rounded-lg border border-slate-200 bg-slate-50 px-3 py-3 text-sm text-slate-900 dark:border-white/10 dark:bg-white/5 dark:text-slate-100">
+                    <div class="font-medium">What the preview proves</div>
+                    <div class="mt-1">{{ $integritySummary }}</div>
+                    <div class="mt-2 text-xs font-semibold uppercase tracking-wide text-slate-500 dark:text-slate-400">
+                        Primary next step
+                    </div>
+                    <div class="mt-1 text-xs text-slate-600 dark:text-slate-300">
+                        {{ $nextActionLabel }}
+                    </div>
+                </div>
+
+                <div class="flex flex-wrap gap-2">
+                    <x-filament::badge :color="$policiesChanged > 0 ? 'warning' : 'success'">
+                        {{ $policiesChanged }}/{{ $policiesTotal }} policies changed
+                    </x-filament::badge>
+                    <x-filament::badge :color="$assignmentsChanged > 0 ? 'warning' : 'gray'">
+                        {{ $assignmentsChanged }} assignments changed
+                    </x-filament::badge>
+                    <x-filament::badge :color="$scopeTagsChanged > 0 ? 'warning' : 'gray'">
+                        {{ $scopeTagsChanged }} scope tags changed
+                    </x-filament::badge>
+                    @if ($diffsOmitted > 0)
+                        <x-filament::badge color="gray">
+                            {{ $diffsOmitted }} diffs omitted (limit)
+                        </x-filament::badge>
+                    @endif
+                </div>
+
+                @if (($previewIntegrity['invalidation_reasons'] ?? []) !== [])
+                    <div class="text-xs text-amber-800 dark:text-amber-200">
+                        Invalidated by: {{ implode(', ', array_map(static fn (string $reason): string => \Illuminate\Support\Str::replace('_', ' ', $reason), $previewIntegrity['invalidation_reasons'])) }}
+                    </div>
                 @endif
             </div>
         </x-filament::section>
@@ -62,7 +113,7 @@
         @if ($diffs === [])
             <x-filament::section>
                 <div class="text-sm text-gray-600 dark:text-gray-300">
-                    No preview generated yet.
+                    No preview diff is recorded for this scope yet.
                 </div>
             </x-filament::section>
         @else
@@ -76,16 +127,13 @@
                         $action = $entry['action'] ?? 'update';
                         $diff = is_array($entry['diff'] ?? null) ? $entry['diff'] : [];
                         $diffSummary = is_array($diff['summary'] ?? null) ? $diff['summary'] : [];
-
                         $added = (int) ($diffSummary['added'] ?? 0);
                         $removed = (int) ($diffSummary['removed'] ?? 0);
                         $changed = (int) ($diffSummary['changed'] ?? 0);
-
                         $assignmentsDelta = (bool) ($entry['assignments_changed'] ?? false);
                         $scopeTagsDelta = (bool) ($entry['scope_tags_changed'] ?? false);
                         $diffOmitted = (bool) ($entry['diff_omitted'] ?? false);
                         $diffTruncated = (bool) ($entry['diff_truncated'] ?? false);
-
                         $changedKeys = $limitedKeys(is_array($diff['changed'] ?? null) ? $diff['changed'] : []);
                         $addedKeys = $limitedKeys(is_array($diff['added'] ?? null) ? $diff['added'] : []);
                         $removedKeys = $limitedKeys(is_array($diff['removed'] ?? null) ? $diff['removed'] : []);

resources/views/filament/infolists/entries/inventory-coverage-truth.blade.php

@@ -0,0 +1,140 @@
+@php
+    use App\Support\Badges\BadgeCatalog;
+    use App\Support\Badges\BadgeDomain;
+    use App\Support\Badges\TagBadgeCatalog;
+    use App\Support\Badges\TagBadgeDomain;
+
+    $rows = array_values(array_filter($rows ?? [], 'is_array'));
+    $summary = is_array($summary ?? null) ? $summary : [];
+    $followUpRows = array_values(array_filter($rows, static fn (array $row): bool => (bool) ($row['followUpRequired'] ?? false)));
+    $topFollowUp = $followUpRows[0] ?? null;
+@endphp
+
+<div class="space-y-4">
+    <div class="grid gap-3 sm:grid-cols-2 xl:grid-cols-4">
+        <div class="rounded-2xl border border-gray-200 bg-white px-4 py-4 shadow-sm dark:border-gray-800 dark:bg-gray-900/60">
+            <div class="text-xs font-medium uppercase tracking-[0.18em] text-gray-500 dark:text-gray-400">
+                Types in run
+            </div>
+
+            <div class="mt-2 text-2xl font-semibold text-gray-950 dark:text-white">
+                {{ (int) ($summary['totalTypes'] ?? count($rows)) }}
+            </div>
+
+            <div class="mt-2 text-sm text-gray-600 dark:text-gray-300">
+                Succeeded: {{ (int) ($summary['succeededTypes'] ?? 0) }}. Failed: {{ (int) ($summary['failedTypes'] ?? 0) }}. Skipped: {{ (int) ($summary['skippedTypes'] ?? 0) }}.
+            </div>
+        </div>
+
+        <div class="rounded-2xl border border-gray-200 bg-white px-4 py-4 shadow-sm dark:border-gray-800 dark:bg-gray-900/60">
+            <div class="text-xs font-medium uppercase tracking-[0.18em] text-gray-500 dark:text-gray-400">
+                Need follow-up
+            </div>
+
+            <div class="mt-2 text-2xl font-semibold text-gray-950 dark:text-white">
+                {{ (int) ($summary['followUpTypes'] ?? count($followUpRows)) }}
+            </div>
+
+            <div class="mt-2 text-sm text-gray-600 dark:text-gray-300">
+                Execution outcome stays separate from the per-type results below.
+            </div>
+        </div>
+
+        <div class="rounded-2xl border border-gray-200 bg-white px-4 py-4 shadow-sm dark:border-gray-800 dark:bg-gray-900/60">
+            <div class="text-xs font-medium uppercase tracking-[0.18em] text-gray-500 dark:text-gray-400">
+                Observed items
+            </div>
+
+            <div class="mt-2 text-2xl font-semibold text-gray-950 dark:text-white">
+                {{ (int) ($summary['observedItems'] ?? 0) }}
+            </div>
+
+            <div class="mt-2 text-sm text-gray-600 dark:text-gray-300">
+                Item counts show what this run observed for the listed types.
+            </div>
+        </div>
+
+        <div class="rounded-2xl border border-gray-200 bg-white px-4 py-4 shadow-sm dark:border-gray-800 dark:bg-gray-900/60">
+            <div class="text-xs font-medium uppercase tracking-[0.18em] text-gray-500 dark:text-gray-400">
+                Run outcome
+            </div>
+
+            <div class="mt-2">
+                <x-filament::badge :color="$runOutcomeColor ?? 'gray'" :icon="$runOutcomeIcon ?? null">
+                    {{ $runOutcomeLabel ?? 'Unknown' }}
+                </x-filament::badge>
+            </div>
+
+            <div class="mt-2 text-sm text-gray-600 dark:text-gray-300">
+                Coverage truth below explains which types created the follow-up.
+            </div>
+        </div>
+    </div>
+
+    @if ($topFollowUp !== null)
+        <div class="rounded-2xl border border-amber-200 bg-amber-50 px-4 py-3 text-sm text-amber-900 dark:border-amber-900/60 dark:bg-amber-950/30 dark:text-amber-100">
+            Highest-priority follow-up: {{ $topFollowUp['label'] ?? ($topFollowUp['type'] ?? 'Unknown type') }}. {{ $topFollowUp['followUpGuidance'] ?? 'Review the latest inventory sync details before retrying.' }}
+        </div>
+    @endif
+
+    <div class="space-y-3">
+        @foreach ($rows as $row)
+            @php
+                $typeSpec = TagBadgeCatalog::spec(TagBadgeDomain::PolicyType, $row['type'] ?? null);
+                $categorySpec = TagBadgeCatalog::spec(TagBadgeDomain::PolicyCategory, $row['category'] ?? null);
+                $stateSpec = BadgeCatalog::spec(BadgeDomain::InventoryCoverageState, $row['coverageState'] ?? null);
+            @endphp
+
+            <div class="rounded-2xl border border-gray-200 bg-white px-4 py-4 shadow-sm dark:border-gray-800 dark:bg-gray-900/60">
+                <div class="flex flex-wrap items-start justify-between gap-3">
+                    <div class="min-w-0 space-y-2">
+                        <div class="flex flex-wrap items-center gap-2">
+                            <x-filament::badge :color="$typeSpec->color" :icon="$typeSpec->icon">
+                                {{ $typeSpec->label }}
+                            </x-filament::badge>
+
+                            <x-filament::badge :color="$stateSpec->color" :icon="$stateSpec->icon">
+                                {{ $stateSpec->label }}
+                            </x-filament::badge>
+
+                            <x-filament::badge :color="$categorySpec->color" :icon="$categorySpec->icon">
+                                {{ $categorySpec->label }}
+                            </x-filament::badge>
+
+                            <x-filament::badge color="{{ ($row['segment'] ?? 'policy') === 'foundation' ? 'gray' : 'info' }}">
+                                {{ ($row['segment'] ?? 'policy') === 'foundation' ? 'Foundation' : 'Policy' }}
+                            </x-filament::badge>
+                        </div>
+
+                        <div class="text-sm font-medium text-gray-900 dark:text-white">
+                            {{ $row['label'] ?? ($row['type'] ?? 'Unknown type') }}
+                        </div>
+
+                        <div class="text-xs text-gray-500 dark:text-gray-400">
+                            {{ $row['type'] ?? 'unknown' }}
+                        </div>
+                    </div>
+
+                    <div class="rounded-xl bg-gray-50 px-3 py-2 text-right dark:bg-gray-950/60">
+                        <div class="text-[11px] font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
+                            Observed items
+                        </div>
+                        <div class="mt-1 text-lg font-semibold text-gray-950 dark:text-white">
+                            {{ (int) ($row['itemCount'] ?? 0) }}
+                        </div>
+                    </div>
+                </div>
+
+                <div class="mt-3 text-sm text-gray-700 dark:text-gray-200">
+                    {{ $row['followUpGuidance'] ?? 'No follow-up is currently required.' }}
+                </div>
+
+                @if (filled($row['errorCode'] ?? null))
+                    <div class="mt-2 text-xs text-gray-500 dark:text-gray-400">
+                        Reason code: {{ $row['errorCode'] }}
+                    </div>
+                @endif
+            </div>
+        @endforeach
+    </div>
+</div>

resources/views/filament/infolists/entries/provider-connection-state.blade.php

@@ -2,17 +2,24 @@
     $state = $getState();
     $state = is_array($state) ? $state : [];
 
-    $connectionState = is_string($state['state'] ?? null) ? (string) $state['state'] : 'needs_action';
+    $connectionState = is_string($state['state'] ?? null) ? (string) $state['state'] : 'missing';
     $ctaUrl = is_string($state['cta_url'] ?? null) ? (string) $state['cta_url'] : '#';
+    $needsDefaultConnection = (bool) ($state['needs_default_connection'] ?? false);
 
     $displayName = is_string($state['display_name'] ?? null) ? (string) $state['display_name'] : null;
     $provider = is_string($state['provider'] ?? null) ? (string) $state['provider'] : null;
+    $consentStatus = is_string($state['consent_status'] ?? null) ? (string) $state['consent_status'] : null;
+    $verificationStatus = is_string($state['verification_status'] ?? null) ? (string) $state['verification_status'] : null;
     $status = is_string($state['status'] ?? null) ? (string) $state['status'] : null;
     $healthStatus = is_string($state['health_status'] ?? null) ? (string) $state['health_status'] : null;
     $lastCheck = is_string($state['last_health_check_at'] ?? null) ? (string) $state['last_health_check_at'] : null;
     $lastErrorReason = is_string($state['last_error_reason_code'] ?? null) ? (string) $state['last_error_reason_code'] : null;
 
-    $isMissing = $connectionState === 'needs_action';
+    $isMissing = $connectionState === 'missing';
+    $consentSpec = \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::ProviderConsentStatus, $consentStatus);
+    $verificationSpec = \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::ProviderVerificationStatus, $verificationStatus);
+    $legacyStatusSpec = \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::ProviderConnectionStatus, $status);
+    $legacyHealthSpec = \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::ProviderConnectionHealth, $healthStatus);
 @endphp
 
 <div class="space-y-3 rounded-md border border-gray-200 bg-white p-4 shadow-sm">
@@ -20,7 +27,9 @@
         <div>
             <div class="text-sm font-semibold text-gray-800">Provider connection</div>
             @if ($isMissing)
-                <div class="mt-1 text-sm text-amber-700">Needs action: no default Microsoft provider connection is configured.</div>
+                <div class="mt-1 text-sm text-amber-700">Needs action: no Microsoft provider connection is configured.</div>
+            @elseif ($needsDefaultConnection)
+                <div class="mt-1 text-sm text-amber-700">Needs action: set a default Microsoft provider connection.</div>
             @else
                 <div class="mt-1 text-sm text-gray-700">{{ $displayName ?? 'Unnamed connection' }}</div>
             @endif
@@ -32,18 +41,32 @@
     </div>
 
     @unless ($isMissing)
+        @if ($needsDefaultConnection && $displayName)
+            <div class="text-sm text-gray-700">
+                Current connection: <span class="font-medium">{{ $displayName }}</span>
+            </div>
+        @endif
+
         <dl class="grid grid-cols-1 gap-2 text-sm text-gray-700 sm:grid-cols-2">
             <div>
                 <dt class="text-xs uppercase tracking-wide text-gray-500">Provider</dt>
                 <dd>{{ $provider ?? 'n/a' }}</dd>
             </div>
             <div>
-                <dt class="text-xs uppercase tracking-wide text-gray-500">Status</dt>
+                <dt class="text-xs uppercase tracking-wide text-gray-500">Consent</dt>
-                <dd>{{ $status ?? 'n/a' }}</dd>
+                <dd>
+                    <x-filament::badge :color="$consentSpec->color" :icon="$consentSpec->icon" size="sm">
+                        {{ $consentSpec->label }}
+                    </x-filament::badge>
+                </dd>
             </div>
             <div>
-                <dt class="text-xs uppercase tracking-wide text-gray-500">Health</dt>
+                <dt class="text-xs uppercase tracking-wide text-gray-500">Verification</dt>
-                <dd>{{ $healthStatus ?? 'n/a' }}</dd>
+                <dd>
+                    <x-filament::badge :color="$verificationSpec->color" :icon="$verificationSpec->icon" size="sm">
+                        {{ $verificationSpec->label }}
+                    </x-filament::badge>
+                </dd>
             </div>
             <div>
                 <dt class="text-xs uppercase tracking-wide text-gray-500">Last check</dt>
@@ -51,10 +74,32 @@
             </div>
         </dl>
 
-        @if ($lastErrorReason)
+        <div class="space-y-2 rounded-md border border-gray-200 bg-gray-50 p-3 text-sm text-gray-700">
-            <div class="rounded-md border border-amber-300 bg-amber-50 p-2 text-xs text-amber-800">
+            <div class="text-xs font-semibold uppercase tracking-wide text-gray-500">Diagnostics</div>
-                Last error reason: {{ $lastErrorReason }}
+            <dl class="grid grid-cols-1 gap-2 sm:grid-cols-2">
-            </div>
+                <div>
-        @endif
+                    <dt class="text-xs uppercase tracking-wide text-gray-500">Legacy status</dt>
+                    <dd>
+                        <x-filament::badge :color="$legacyStatusSpec->color" :icon="$legacyStatusSpec->icon" size="sm">
+                            {{ $legacyStatusSpec->label }}
+                        </x-filament::badge>
+                    </dd>
+                </div>
+                <div>
+                    <dt class="text-xs uppercase tracking-wide text-gray-500">Legacy health</dt>
+                    <dd>
+                        <x-filament::badge :color="$legacyHealthSpec->color" :icon="$legacyHealthSpec->icon" size="sm">
+                            {{ $legacyHealthSpec->label }}
+                        </x-filament::badge>
+                    </dd>
+                </div>
+            </dl>
+
+            @if ($lastErrorReason)
+                <div class="rounded-md border border-amber-300 bg-amber-50 p-2 text-xs text-amber-800">
+                    Last error reason: {{ $lastErrorReason }}
+                </div>
+            @endif
+        </div>
     @endunless
 </div>

resources/views/filament/infolists/entries/restore-preview.blade.php

@@ -1,5 +1,28 @@
 @php
-    $preview = $getState() ?? [];
+    $state = $getState() ?? [];
+    $state = is_array($state) ? $state : [];
+
+    $preview = is_array($state['preview'] ?? null) ? $state['preview'] : $state;
+    $previewIntegrity = is_array($state['previewIntegrity'] ?? null) ? $state['previewIntegrity'] : [];
+    $checksIntegrity = is_array($state['checksIntegrity'] ?? null) ? $state['checksIntegrity'] : [];
+    $executionSafetySnapshot = is_array($state['executionSafetySnapshot'] ?? null) ? $state['executionSafetySnapshot'] : [];
+    $scopeBasis = is_array($state['scopeBasis'] ?? null) ? $state['scopeBasis'] : [];
+
+    $integritySpec = \App\Support\Badges\BadgeRenderer::spec(
+        \App\Support\Badges\BadgeDomain::RestorePreviewDecision,
+        $previewIntegrity['state'] ?? 'not_generated'
+    );
+
+    $checksSpec = \App\Support\Badges\BadgeRenderer::spec(
+        \App\Support\Badges\BadgeDomain::RestoreCheckSeverity,
+        $checksIntegrity['state'] ?? 'not_run'
+    );
+    $recoveryBoundary = \App\Support\RestoreSafety\RestoreSafetyCopy::recoveryBoundary(
+        is_string($executionSafetySnapshot['follow_up_boundary'] ?? null)
+            ? $executionSafetySnapshot['follow_up_boundary']
+            : 'preview_only_no_execution_proven'
+    );
+
     $actionPresentation = static function (array $item): array {
         $action = is_string($item['action'] ?? null) ? $item['action'] : null;
 
@@ -9,6 +32,7 @@
             default => ['label' => \Illuminate\Support\Str::headline((string) ($action ?? 'action')), 'color' => 'gray'],
         };
     };
+
     $foundationItems = collect($preview)->filter(function ($item) {
         return is_array($item) && array_key_exists('decision', $item) && array_key_exists('sourceId', $item);
     });
@@ -21,13 +45,54 @@
     <p class="text-sm text-gray-600">No preview has been generated yet.</p>
 @else
     <div class="space-y-4">
+        <div class="rounded-lg border border-slate-200 bg-slate-50 p-4 text-sm text-slate-900 dark:border-white/10 dark:bg-white/5 dark:text-slate-100">
+            <div class="flex flex-wrap items-center gap-2">
+                <x-filament::badge :color="$integritySpec->color" :icon="$integritySpec->icon" size="sm">
+                    {{ $integritySpec->label }}
+                </x-filament::badge>
+                <x-filament::badge :color="$checksSpec->color" :icon="$checksSpec->icon" size="sm">
+                    {{ $checksSpec->label }}
+                </x-filament::badge>
+            </div>
+
+            <div class="mt-3 grid gap-3 md:grid-cols-2">
+                <div>
+                    <div class="text-xs font-semibold uppercase tracking-wide text-slate-500 dark:text-slate-400">What the preview proves</div>
+                    <div class="mt-1">{{ $previewIntegrity['display_summary'] ?? 'Preview basis is unavailable.' }}</div>
+                </div>
+                <div>
+                    <div class="text-xs font-semibold uppercase tracking-wide text-slate-500 dark:text-slate-400">What this record does not prove</div>
+                    <div class="mt-1">{{ $recoveryBoundary }}</div>
+                </div>
+            </div>
+
+            @if (($scopeBasis['fingerprint'] ?? null) !== null)
+                <div class="mt-3 text-xs text-slate-600 dark:text-slate-300">
+                    Scope mode: {{ $scopeBasis['scope_mode'] ?? 'all' }}
+                    @if (($scopeBasis['selected_item_ids'] ?? []) !== [])
+                        • selected items: {{ count($scopeBasis['selected_item_ids']) }}
+                    @endif
+                </div>
+            @endif
+        </div>
+
         @if ($foundationItems->isNotEmpty())
             <div class="space-y-2">
                 <div class="text-xs font-semibold uppercase tracking-wide text-gray-500">Foundations</div>
                 @foreach ($foundationItems as $item)
                     @php
                         $decision = $item['decision'] ?? 'mapped_existing';
-                        $decisionSpec = \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::RestorePreviewDecision, $decision);
+                        $foundationIsPreviewOnly = ($item['reason'] ?? null) === 'preview_only'
+                            || ($item['restore_mode'] ?? null) === 'preview-only'
+                            || $decision === 'dry_run';
+                        $decisionSpec = $foundationIsPreviewOnly
+                            ? \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::PolicyRestoreMode, 'preview_only')
+                            : \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::RestorePreviewDecision, $decision);
+                        $foundationReason = $item['reason'] ?? null;
+
+                        if ($foundationReason === 'preview_only') {
+                            $foundationReason = 'Preview only. This foundation type is not applied during execution.';
+                        }
                     @endphp
                     <div class="rounded border border-gray-200 bg-white p-3 shadow-sm">
                         <div class="flex items-center justify-between text-sm text-gray-800">
@@ -44,9 +109,9 @@
                                 Target: {{ $item['targetName'] }}
                             </div>
                         @endif
-                        @if (! empty($item['reason']))
+                        @if (! empty($foundationReason))
                             <div class="mt-2 rounded border border-amber-300 bg-amber-50 px-2 py-1 text-xs text-amber-800">
-                                {{ $item['reason'] }}
+                                {{ $foundationReason }}
                             </div>
                         @endif
                     </div>
@@ -64,16 +129,16 @@
                     @endphp
                     <div class="rounded border border-gray-200 bg-white p-3 shadow-sm">
                         <div class="flex items-center justify-between text-sm text-gray-800">
-	                            <span class="font-semibold">{{ $item['policy_identifier'] ?? 'Policy' }}</span>
+                            <span class="font-semibold">{{ $item['policy_identifier'] ?? 'Policy' }}</span>
-	                            <div class="flex items-center gap-2">
+                            <div class="flex items-center gap-2">
-	                                @if ($restoreMode === 'preview-only')
+                                @if ($restoreMode === 'preview-only')
-	                                    @php
+                                    @php
-	                                        $restoreModeSpec = \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::PolicyRestoreMode, $restoreMode);
+                                        $restoreModeSpec = \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::PolicyRestoreMode, $restoreMode);
-	                                    @endphp
+                                    @endphp
-	                                    <x-filament::badge :color="$restoreModeSpec->color" :icon="$restoreModeSpec->icon" size="sm">
+                                    <x-filament::badge :color="$restoreModeSpec->color" :icon="$restoreModeSpec->icon" size="sm">
-	                                        {{ $restoreModeSpec->label }}
+                                        {{ $restoreModeSpec->label }}
-	                                    </x-filament::badge>
+                                    </x-filament::badge>
-	                                @endif
+                                @endif
                                 <span class="rounded bg-gray-100 px-2 py-0.5 text-xs font-medium text-gray-700">
                                     {{ $actionState['label'] }}
                                 </span>

resources/views/filament/infolists/entries/restore-results.blade.php

@@ -1,5 +1,9 @@
 @php
     $state = $getState() ?? [];
+    $state = is_array($state) ? $state : [];
+    $resultAttention = is_array($state['resultAttention'] ?? null) ? $state['resultAttention'] : [];
+    $executionSafetySnapshot = is_array($state['executionSafetySnapshot'] ?? null) ? $state['executionSafetySnapshot'] : [];
+    $state = is_array($state['results'] ?? null) ? $state['results'] : $state;
     $isFoundationEntry = function ($item) {
         return is_array($item) && array_key_exists('decision', $item) && array_key_exists('sourceId', $item);
     };
@@ -39,21 +43,85 @@
     <p class="text-sm text-gray-600">No restore results have been recorded yet.</p>
 @else
     @php
-        $needsAttention = $policyItems->contains(function ($item) {
+        $needsAttention = (bool) ($resultAttention['follow_up_required'] ?? false)
-            $status = $item['status'] ?? null;
+            || $policyItems->contains(function ($item) {
+                $status = $item['status'] ?? null;
 
-            return in_array($status, ['partial', 'manual_required'], true);
+                return in_array($status, ['partial', 'manual_required'], true);
-        });
+            });
+        $attentionSpec = \App\Support\Badges\BadgeRenderer::spec(
+            \App\Support\Badges\BadgeDomain::RestoreResultStatus,
+            $resultAttention['state'] ?? ($needsAttention ? 'completed_with_follow_up' : 'completed')
+        );
+        $executionBasisLabel = \App\Support\RestoreSafety\RestoreSafetyCopy::safetyStateLabel(
+            is_string($executionSafetySnapshot['safety_state'] ?? null) ? $executionSafetySnapshot['safety_state'] : null
+        );
+        $primaryNextAction = \App\Support\RestoreSafety\RestoreSafetyCopy::primaryNextAction(
+            is_string($resultAttention['primary_next_action'] ?? null) ? $resultAttention['primary_next_action'] : 'review_result'
+        );
+        $primaryCauseFamily = \App\Support\RestoreSafety\RestoreSafetyCopy::primaryCauseFamily(
+            is_string($resultAttention['primary_cause_family'] ?? null) ? $resultAttention['primary_cause_family'] : 'none'
+        );
+        $recoveryBoundary = \App\Support\RestoreSafety\RestoreSafetyCopy::recoveryBoundary(
+            is_string($resultAttention['recovery_claim_boundary'] ?? null)
+                ? $resultAttention['recovery_claim_boundary']
+                : 'run_completed_not_recovery_proven'
+        );
     @endphp
 
     <div class="space-y-4">
+        <div class="rounded-lg border border-slate-200 bg-slate-50 p-4 text-sm text-slate-900 dark:border-white/10 dark:bg-white/5 dark:text-slate-100">
+            <div class="flex flex-wrap items-center gap-2">
+                <x-filament::badge :color="$attentionSpec->color" :icon="$attentionSpec->icon" size="sm">
+                    {{ $attentionSpec->label }}
+                </x-filament::badge>
+                @if (($executionSafetySnapshot['safety_state'] ?? null) !== null)
+                    <x-filament::badge color="gray" size="sm">
+                        Execution basis: {{ $executionBasisLabel }}
+                    </x-filament::badge>
+                @endif
+            </div>
+
+            <div class="mt-3 grid gap-3 md:grid-cols-2">
+                <div>
+                    <div class="text-xs font-semibold uppercase tracking-wide text-slate-500 dark:text-slate-400">What this run proves</div>
+                    <div class="mt-1">{{ $resultAttention['summary'] ?? 'Restore result truth is unavailable.' }}</div>
+                </div>
+                <div>
+                    <div class="text-xs font-semibold uppercase tracking-wide text-slate-500 dark:text-slate-400">Primary next step</div>
+                    <div class="mt-1">{{ $primaryNextAction }}</div>
+                </div>
+            </div>
+
+            <div class="mt-3 grid gap-3 md:grid-cols-2">
+                <div>
+                    <div class="text-xs font-semibold uppercase tracking-wide text-slate-500 dark:text-slate-400">Main follow-up driver</div>
+                    <div class="mt-1 text-xs text-slate-600 dark:text-slate-300">{{ $primaryCauseFamily }}</div>
+                </div>
+                <div>
+                    <div class="text-xs font-semibold uppercase tracking-wide text-slate-500 dark:text-slate-400">What this record does not prove</div>
+                    <div class="mt-1 text-xs text-slate-600 dark:text-slate-300">{{ $recoveryBoundary }}</div>
+                </div>
+            </div>
+        </div>
+
         @if ($foundationItems->isNotEmpty())
             <div class="space-y-2">
                 <div class="text-xs font-semibold uppercase tracking-wide text-gray-500">Foundations</div>
                 @foreach ($foundationItems as $item)
                     @php
                         $decision = $item['decision'] ?? 'mapped_existing';
-                        $decisionSpec = \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::RestorePreviewDecision, $decision);
+                        $foundationIsPreviewOnly = ($item['reason'] ?? null) === 'preview_only'
+                            || ($item['restore_mode'] ?? null) === 'preview-only'
+                            || $decision === 'dry_run';
+                        $decisionSpec = $foundationIsPreviewOnly
+                            ? \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::PolicyRestoreMode, 'preview_only')
+                            : \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::RestorePreviewDecision, $decision);
+                        $foundationReason = $item['reason'] ?? null;
+
+                        if ($foundationReason === 'preview_only') {
+                            $foundationReason = 'Preview only. This foundation type is not applied during execution.';
+                        }
                     @endphp
                     <div class="rounded border border-gray-200 bg-white p-3 shadow-sm">
                         <div class="flex items-center justify-between text-sm text-gray-800">
@@ -70,9 +138,9 @@
                                 Target: {{ $item['targetName'] }}
                             </div>
                         @endif
-                        @if (! empty($item['reason']))
+                        @if (! empty($foundationReason))
                             <div class="mt-2 rounded border border-amber-200 bg-amber-50 px-2 py-1 text-xs text-amber-900">
-                                {{ $item['reason'] }}
+                                {{ $foundationReason }}
                             </div>
                         @endif
                     </div>
@@ -82,7 +150,7 @@
 
         @if ($needsAttention)
             <div class="rounded border border-amber-200 bg-amber-50 px-3 py-2 text-sm text-amber-900">
-                Some items still need follow-up. Review the per-item details below.
+                {{ $resultAttention['summary'] ?? 'Some items still need follow-up. Review the per-item details below.' }}
             </div>
         @endif
 

resources/views/filament/pages/inventory-coverage.blade.php

@@ -1,16 +1,121 @@
 <x-filament-panels::page>
+    @php
+        $summary = $this->coverageSummary();
+        $basis = $this->basisRunSummary();
+    @endphp
+
     <x-filament::section>
-        <div class="flex flex-col gap-3">
+        <div class="grid gap-4 xl:grid-cols-[minmax(0,1.8fr)_minmax(0,1fr)]">
-            <div class="text-lg font-semibold text-gray-900 dark:text-gray-100">
+            <div class="space-y-4">
-                Searchable support matrix
+                <div class="space-y-2">
+                    <div class="text-lg font-semibold text-gray-900 dark:text-white">
+                        Tenant coverage truth
+                    </div>
+
+                    <div class="text-sm text-gray-600 dark:text-gray-300">
+                        This report shows which supported inventory types are currently covered for the active tenant, which ones still need follow-up, and what the statement is based on.
+                    </div>
+                </div>
+
+                <div class="grid gap-3 sm:grid-cols-3">
+                    <div class="rounded-2xl border border-gray-200 bg-white px-4 py-4 shadow-sm dark:border-gray-800 dark:bg-gray-900/60">
+                        <div class="text-xs font-medium uppercase tracking-[0.18em] text-gray-500 dark:text-gray-400">
+                            Covered types
+                        </div>
+
+                        <div class="mt-2 text-2xl font-semibold text-gray-950 dark:text-white">
+                            {{ $summary['succeededTypes'] ?? 0 }} / {{ $summary['supportedTypes'] ?? 0 }}
+                        </div>
+
+                        <div class="mt-2 text-sm text-gray-600 dark:text-gray-300">
+                            Current supported types with a successful basis result.
+                        </div>
+                    </div>
+
+                    <div class="rounded-2xl border border-gray-200 bg-white px-4 py-4 shadow-sm dark:border-gray-800 dark:bg-gray-900/60">
+                        <div class="text-xs font-medium uppercase tracking-[0.18em] text-gray-500 dark:text-gray-400">
+                            Need follow-up
+                        </div>
+
+                        <div class="mt-2 text-2xl font-semibold text-gray-950 dark:text-white">
+                            {{ $summary['followUpTypes'] ?? 0 }}
+                        </div>
+
+                        <div class="mt-2 text-sm text-gray-600 dark:text-gray-300">
+                            @if (filled($summary['topFollowUpLabel'] ?? null))
+                                Highest-priority type: {{ $summary['topFollowUpLabel'] }}.
+                            @else
+                                No follow-up types are currently highlighted.
+                            @endif
+                        </div>
+                    </div>
+
+                    <div class="rounded-2xl border border-gray-200 bg-white px-4 py-4 shadow-sm dark:border-gray-800 dark:bg-gray-900/60">
+                        <div class="text-xs font-medium uppercase tracking-[0.18em] text-gray-500 dark:text-gray-400">
+                            Observed items
+                        </div>
+
+                        <div class="mt-2 text-2xl font-semibold text-gray-950 dark:text-white">
+                            {{ $summary['observedItems'] ?? 0 }}
+                        </div>
+
+                        <div class="mt-2 text-sm text-gray-600 dark:text-gray-300">
+                            {{ $summary['observedTypes'] ?? 0 }} supported types currently have observed inventory rows.
+                        </div>
+                    </div>
+                </div>
+
+                @if (filled($summary['topFollowUpGuidance'] ?? null))
+                    <div class="rounded-2xl border border-amber-200 bg-amber-50 px-4 py-3 text-sm text-amber-900 dark:border-amber-900/60 dark:bg-amber-950/30 dark:text-amber-100">
+                        {{ $summary['topFollowUpGuidance'] }}
+                    </div>
+                @endif
             </div>
 
-            <div class="text-sm text-gray-600 dark:text-gray-300">
+            <div class="rounded-2xl border border-gray-200 bg-white px-4 py-4 shadow-sm dark:border-gray-800 dark:bg-gray-900/60">
-                Search by policy type or label, sort the primary columns, and filter the runtime-derived coverage matrix without leaving the tenant inventory workspace.
+                <div class="space-y-3">
-            </div>
+                    <div class="flex flex-wrap items-start justify-between gap-3">
+                        <div class="space-y-1">
+                            <div class="text-xs font-medium uppercase tracking-[0.18em] text-gray-500 dark:text-gray-400">
+                                Coverage basis
+                            </div>
 
-            <div class="text-sm text-gray-600 dark:text-gray-300">
+                            <div class="text-base font-semibold text-gray-950 dark:text-white">
-                Coverage rows combine supported policy types and foundations in a single read-only table so Segment and Dependencies stay easy to scan.
+                                {{ $basis['title'] ?? 'No current coverage basis' }}
+                            </div>
+                        </div>
+
+                        @if (filled($basis['badgeLabel'] ?? null))
+                            <x-filament::badge :color="$basis['badgeColor'] ?? 'gray'" size="sm">
+                                {{ $basis['badgeLabel'] }}
+                            </x-filament::badge>
+                        @endif
+                    </div>
+
+                    <div class="text-sm text-gray-600 dark:text-gray-300">
+                        {{ $basis['body'] ?? 'No current coverage basis is available.' }}
+                    </div>
+
+                    <div class="flex flex-wrap items-center gap-3">
+                        @if (filled($basis['runUrl'] ?? null))
+                            <x-filament::link :href="$basis['runUrl']" size="sm">
+                                Open basis run
+                            </x-filament::link>
+                        @endif
+
+                        @if (filled($basis['historyUrl'] ?? null))
+                            <x-filament::link :href="$basis['historyUrl']" size="sm">
+                                Inventory sync history
+                            </x-filament::link>
+                        @endif
+
+                        @if (filled($basis['inventoryItemsUrl'] ?? null))
+                            <x-filament::link :href="$basis['inventoryItemsUrl']" size="sm">
+                                Open inventory items
+                            </x-filament::link>
+                        @endif
+                    </div>
+                </div>
             </div>
         </div>
     </x-filament::section>

resources/views/filament/pages/monitoring/finding-exceptions-queue.blade.php

@@ -1,4 +1,6 @@
 <x-filament-panels::page>
+    @php($selectedException = $this->selectedFindingException())
+
     <x-filament::section>
         <div class="flex flex-col gap-3">
             <div class="text-lg font-semibold text-gray-900 dark:text-gray-100">
@@ -11,129 +13,13 @@
         </div>
     </x-filament::section>
 
-    {{ $this->table }}
+    @if ($this->showSelectedExceptionSummary && $selectedException)
-
+        <x-filament::section>
-    @php
+            @include('filament.pages.monitoring.partials.finding-exception-queue-sidebar', [
-        $selectedException = $this->selectedFindingException();
+                'selectedException' => $selectedException,
-    @endphp
+            ])
-
-    @if ($selectedException)
-        <x-filament::section
-            :heading="'Finding exception #'.$selectedException->getKey()"
-            :description="$selectedException->requested_at?->toDayDateTimeString()"
-        >
-            <div class="grid gap-4 lg:grid-cols-3">
-                <div class="rounded-2xl border border-gray-200 bg-white p-4 shadow-sm dark:border-gray-800 dark:bg-gray-900">
-                    <div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
-                        Status
-                    </div>
-                    <div class="mt-2 text-sm font-medium text-gray-900 dark:text-gray-100">
-                        {{ \App\Support\Badges\BadgeRenderer::label(\App\Support\Badges\BadgeDomain::FindingExceptionStatus)($selectedException->status) }}
-                    </div>
-                    <div class="mt-1 text-sm text-gray-600 dark:text-gray-300">
-                        {{ \App\Support\Badges\BadgeRenderer::label(\App\Support\Badges\BadgeDomain::FindingRiskGovernanceValidity)($selectedException->current_validity_state) }}
-                    </div>
-                    @php
-                        $governanceWarning = app(\App\Services\Findings\FindingRiskGovernanceResolver::class)->resolveWarningMessage($selectedException->finding, $selectedException);
-                        $governanceWarningColor = (string) $selectedException->current_validity_state === \App\Models\FindingException::VALIDITY_EXPIRING
-                            ? 'text-warning-700 dark:text-warning-300'
-                            : 'text-danger-700 dark:text-danger-300';
-                    @endphp
-                    @if (filled($governanceWarning))
-                        <div class="mt-3 text-sm {{ $governanceWarningColor }}">
-                            {{ $governanceWarning }}
-                        </div>
-                    @endif
-                </div>
-
-                <div class="rounded-2xl border border-gray-200 bg-white p-4 shadow-sm dark:border-gray-800 dark:bg-gray-900">
-                    <div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
-                        Scope
-                    </div>
-                    <div class="mt-2 text-sm font-medium text-gray-900 dark:text-gray-100">
-                        {{ $selectedException->tenant?->name ?? 'Unknown tenant' }}
-                    </div>
-                    <div class="mt-1 text-sm text-gray-600 dark:text-gray-300">
-                        Finding #{{ $selectedException->finding_id }}
-                    </div>
-                </div>
-
-                <div class="rounded-2xl border border-gray-200 bg-white p-4 shadow-sm dark:border-gray-800 dark:bg-gray-900">
-                    <div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
-                        Review timing
-                    </div>
-                    <div class="mt-2 text-sm font-medium text-gray-900 dark:text-gray-100">
-                        Review due {{ $selectedException->review_due_at?->toDayDateTimeString() ?? '—' }}
-                    </div>
-                    <div class="mt-1 text-sm text-gray-600 dark:text-gray-300">
-                        Expires {{ $selectedException->expires_at?->toDayDateTimeString() ?? '—' }}
-                    </div>
-                </div>
-            </div>
-
-            <div class="mt-6 grid gap-4 lg:grid-cols-2">
-                <div class="rounded-2xl border border-gray-200 bg-white p-4 shadow-sm dark:border-gray-800 dark:bg-gray-900">
-                    <div class="text-sm font-semibold text-gray-900 dark:text-gray-100">
-                        Request
-                    </div>
-                    <dl class="mt-3 space-y-3">
-                        <div>
-                            <dt class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
-                                Requested by
-                            </dt>
-                            <dd class="mt-1 text-sm text-gray-900 dark:text-gray-100">
-                                {{ $selectedException->requester?->name ?? 'Unknown requester' }}
-                            </dd>
-                        </div>
-                        <div>
-                            <dt class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
-                                Owner
-                            </dt>
-                            <dd class="mt-1 text-sm text-gray-900 dark:text-gray-100">
-                                {{ $selectedException->owner?->name ?? 'Unassigned' }}
-                            </dd>
-                        </div>
-                        <div>
-                            <dt class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
-                                Reason
-                            </dt>
-                            <dd class="mt-1 text-sm text-gray-900 dark:text-gray-100">
-                                {{ $selectedException->request_reason }}
-                            </dd>
-                        </div>
-                    </dl>
-                </div>
-
-                <div class="rounded-2xl border border-gray-200 bg-white p-4 shadow-sm dark:border-gray-800 dark:bg-gray-900">
-                    <div class="text-sm font-semibold text-gray-900 dark:text-gray-100">
-                        Decision history
-                    </div>
-
-                    @if ($selectedException->decisions->isEmpty())
-                        <div class="mt-3 text-sm text-gray-600 dark:text-gray-300">
-                            No decisions have been recorded yet.
-                        </div>
-                    @else
-                        <div class="mt-3 space-y-3">
-                            @foreach ($selectedException->decisions as $decision)
-                                <div class="rounded-xl border border-gray-200 px-3 py-3 dark:border-gray-800">
-                                    <div class="text-sm font-medium text-gray-900 dark:text-gray-100">
-                                        {{ ucfirst(str_replace('_', ' ', $decision->decision_type)) }}
-                                    </div>
-                                    <div class="mt-1 text-xs text-gray-500 dark:text-gray-400">
-                                        {{ $decision->actor?->name ?? 'Unknown actor' }} · {{ $decision->decided_at?->toDayDateTimeString() ?? '—' }}
-                                    </div>
-                                    @if (filled($decision->reason))
-                                        <div class="mt-2 text-sm text-gray-700 dark:text-gray-300">
-                                            {{ $decision->reason }}
-                                        </div>
-                                    @endif
-                                </div>
-                            @endforeach
-                        </div>
-                    @endif
-                </div>
-            </div>
         </x-filament::section>
     @endif
+
+    {{ $this->table }}
 </x-filament-panels::page>

resources/views/filament/pages/monitoring/operations.blade.php

@@ -1,5 +1,7 @@
 <x-filament-panels::page>
     @php($lifecycleSummary = $this->lifecycleVisibilitySummary())
+    @php($staleAttentionTab = \App\Models\OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION)
+    @php($terminalFollowUpTab = \App\Models\OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP)
 
     <x-filament::tabs label="Operations tabs">
         <x-filament::tabs.item
@@ -15,10 +17,16 @@
             Active
         </x-filament::tabs.item>
         <x-filament::tabs.item
-            :active="$this->activeTab === 'blocked'"
+            :active="$this->activeTab === $staleAttentionTab"
-            wire:click="$set('activeTab', 'blocked')"
+            wire:click="$set('activeTab', '{{ $staleAttentionTab }}')"
         >
-            Needs follow-up
+            Likely stale
+        </x-filament::tabs.item>
+        <x-filament::tabs.item
+            :active="$this->activeTab === $terminalFollowUpTab"
+            wire:click="$set('activeTab', '{{ $terminalFollowUpTab }}')"
+        >
+            Terminal follow-up
         </x-filament::tabs.item>
         <x-filament::tabs.item
             :active="$this->activeTab === 'succeeded'"
@@ -42,8 +50,8 @@
 
     @if (($lifecycleSummary['likely_stale'] ?? 0) > 0 || ($lifecycleSummary['reconciled'] ?? 0) > 0)
         <div class="mb-4 rounded-lg border border-amber-200 bg-amber-50 px-4 py-3 text-sm text-amber-900 dark:border-amber-500/30 dark:bg-amber-500/10 dark:text-amber-100">
-            {{ ($lifecycleSummary['likely_stale'] ?? 0) }} active operation(s) are beyond their lifecycle window.
+            {{ ($lifecycleSummary['likely_stale'] ?? 0) }} active operation(s) are beyond their lifecycle window and belong in the stale-attention view.
-            {{ ($lifecycleSummary['reconciled'] ?? 0) }} operation(s) have already been automatically reconciled.
+            {{ ($lifecycleSummary['reconciled'] ?? 0) }} operation(s) already carry reconciled stale lineage and belong in terminal follow-up.
         </div>
     @endif
 

resources/views/filament/pages/monitoring/partials/finding-exception-queue-sidebar.blade.php

@@ -0,0 +1,110 @@
+<div data-testid="finding-exception-slide-over" class="grid gap-4">
+    <div class="rounded-2xl border border-gray-200 bg-white p-4 shadow-sm dark:border-gray-800 dark:bg-gray-900">
+        <div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
+            Status
+        </div>
+        <div class="mt-2 text-sm font-medium text-gray-900 dark:text-gray-100">
+            {{ \App\Support\Badges\BadgeRenderer::label(\App\Support\Badges\BadgeDomain::FindingExceptionStatus)($selectedException->status) }}
+        </div>
+        <div class="mt-1 text-sm text-gray-600 dark:text-gray-300">
+            {{ \App\Support\Badges\BadgeRenderer::label(\App\Support\Badges\BadgeDomain::FindingRiskGovernanceValidity)($selectedException->current_validity_state) }}
+        </div>
+        @php
+            $governanceWarning = app(\App\Services\Findings\FindingRiskGovernanceResolver::class)->resolveWarningMessage($selectedException->finding, $selectedException);
+            $governanceWarningColor = (string) $selectedException->current_validity_state === \App\Models\FindingException::VALIDITY_EXPIRING
+                ? 'text-warning-700 dark:text-warning-300'
+                : 'text-danger-700 dark:text-danger-300';
+        @endphp
+        @if (filled($governanceWarning))
+            <div class="mt-3 text-sm {{ $governanceWarningColor }}">
+                {{ $governanceWarning }}
+            </div>
+        @endif
+    </div>
+
+    <div class="rounded-2xl border border-gray-200 bg-white p-4 shadow-sm dark:border-gray-800 dark:bg-gray-900">
+        <div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
+            Scope
+        </div>
+        <div class="mt-2 text-sm font-medium text-gray-900 dark:text-gray-100">
+            {{ $selectedException->tenant?->name ?? 'Unknown tenant' }}
+        </div>
+        <div class="mt-1 text-sm text-gray-600 dark:text-gray-300">
+            Finding #{{ $selectedException->finding_id }}
+        </div>
+    </div>
+
+    <div class="rounded-2xl border border-gray-200 bg-white p-4 shadow-sm dark:border-gray-800 dark:bg-gray-900">
+        <div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
+            Review timing
+        </div>
+        <div class="mt-2 text-sm font-medium text-gray-900 dark:text-gray-100">
+            Review due {{ $selectedException->review_due_at?->toDayDateTimeString() ?? '—' }}
+        </div>
+        <div class="mt-1 text-sm text-gray-600 dark:text-gray-300">
+            Expires {{ $selectedException->expires_at?->toDayDateTimeString() ?? '—' }}
+        </div>
+    </div>
+
+    <div class="rounded-2xl border border-gray-200 bg-white p-4 shadow-sm dark:border-gray-800 dark:bg-gray-900">
+        <div class="text-sm font-semibold text-gray-900 dark:text-gray-100">
+            Request
+        </div>
+        <dl class="mt-3 space-y-3">
+            <div>
+                <dt class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
+                    Requested by
+                </dt>
+                <dd class="mt-1 text-sm text-gray-900 dark:text-gray-100">
+                    {{ $selectedException->requester?->name ?? 'Unknown requester' }}
+                </dd>
+            </div>
+            <div>
+                <dt class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
+                    Owner
+                </dt>
+                <dd class="mt-1 text-sm text-gray-900 dark:text-gray-100">
+                    {{ $selectedException->owner?->name ?? 'Unassigned' }}
+                </dd>
+            </div>
+            <div>
+                <dt class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
+                    Reason
+                </dt>
+                <dd class="mt-1 text-sm text-gray-900 dark:text-gray-100">
+                    {{ $selectedException->request_reason }}
+                </dd>
+            </div>
+        </dl>
+    </div>
+
+    <div class="rounded-2xl border border-gray-200 bg-white p-4 shadow-sm dark:border-gray-800 dark:bg-gray-900">
+        <div class="text-sm font-semibold text-gray-900 dark:text-gray-100">
+            Decision history
+        </div>
+
+        @if ($selectedException->decisions->isEmpty())
+            <div class="mt-3 text-sm text-gray-600 dark:text-gray-300">
+                No decisions have been recorded yet.
+            </div>
+        @else
+            <div class="mt-3 space-y-3">
+                @foreach ($selectedException->decisions as $decision)
+                    <div class="rounded-xl border border-gray-200 px-3 py-3 dark:border-gray-800">
+                        <div class="text-sm font-medium text-gray-900 dark:text-gray-100">
+                            {{ ucfirst(str_replace('_', ' ', $decision->decision_type)) }}
+                        </div>
+                        <div class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+                            {{ $decision->actor?->name ?? 'Unknown actor' }} · {{ $decision->decided_at?->toDayDateTimeString() ?? '—' }}
+                        </div>
+                        @if (filled($decision->reason))
+                            <div class="mt-2 text-sm text-gray-700 dark:text-gray-300">
+                                {{ $decision->reason }}
+                            </div>
+                        @endif
+                    </div>
+                @endforeach
+            </div>
+        @endif
+    </div>
+</div>

resources/views/filament/pages/monitoring/partials/finding-exception-queue-unavailable.blade.php

@@ -0,0 +1,3 @@
+<div class="rounded-2xl border border-dashed border-gray-300 bg-white/80 p-4 text-sm text-gray-600 dark:border-gray-700 dark:bg-gray-900/80 dark:text-gray-300">
+    Exception details are unavailable for this inspection state.
+</div>

resources/views/filament/pages/operations/tenantless-operation-run-viewer.blade.php

@@ -2,6 +2,7 @@
     $contextBanner = $this->canonicalContextBanner();
     $blockedBanner = $this->blockedExecutionBanner();
     $lifecycleBanner = $this->lifecycleBanner();
+    $restoreContinuationBanner = $this->restoreContinuationBanner();
     $pollInterval = $this->pollInterval();
 @endphp
 
@@ -49,6 +50,27 @@
             </div>
         @endif
 
+        @if ($restoreContinuationBanner !== null)
+            @php
+                $restoreContinuationClasses = match ($restoreContinuationBanner['tone']) {
+                    'amber' => 'border-amber-200 bg-amber-50 text-amber-900 dark:border-amber-500/30 dark:bg-amber-500/10 dark:text-amber-100',
+                    default => 'border-sky-200 bg-sky-50 text-sky-900 dark:border-sky-500/30 dark:bg-sky-500/10 dark:text-sky-100',
+                };
+            @endphp
+
+            <div class="mb-6 rounded-lg border px-4 py-3 text-sm {{ $restoreContinuationClasses }}">
+                <p class="font-semibold">{{ $restoreContinuationBanner['title'] }}</p>
+                <p class="mt-1">{{ $restoreContinuationBanner['body'] }}</p>
+                @if ($restoreContinuationBanner['url'] !== null && $restoreContinuationBanner['link_label'] !== null)
+                    <p class="mt-3">
+                        <a href="{{ $restoreContinuationBanner['url'] }}" class="font-semibold underline underline-offset-2">
+                            {{ $restoreContinuationBanner['link_label'] }}
+                        </a>
+                    </p>
+                @endif
+            </div>
+        @endif
+
         @if ($this->redactionIntegrityNote())
             <div class="mb-6 rounded-lg border border-amber-200 bg-amber-50 px-4 py-3 text-sm text-amber-900 dark:border-amber-500/30 dark:bg-amber-500/10 dark:text-amber-100">
                 {{ $this->redactionIntegrityNote() }}

resources/views/filament/pages/workspace-overview.blade.php

@@ -26,7 +26,7 @@
                 </h1>
 
                 <p class="max-w-2xl text-sm leading-6 text-gray-600 dark:text-gray-300">
-                    This home stays workspace-scoped even when you were previously working in a tenant. Tenant drill-down remains explicit so the overview never silently narrows itself.
+                    This home stays workspace-scoped even when you were previously working in a tenant. Governance risk is ranked ahead of execution noise, and calm wording only appears when the checked workspace domains are genuinely quiet.
                 </p>
             </div>
         </x-filament::section>
@@ -82,6 +82,18 @@ class="rounded-xl border border-gray-200 bg-white px-4 py-3 text-left transition
         @endif
 
         <div class="space-y-6">
+            <div class="flex flex-wrap gap-2 text-xs text-gray-600 dark:text-gray-300">
+                <span class="inline-flex items-center rounded-full border border-danger-200 bg-danger-50 px-3 py-1 font-medium text-danger-700 dark:border-danger-700/50 dark:bg-danger-950/30 dark:text-danger-200">
+                    Governance risk counts affected tenants
+                </span>
+                <span class="inline-flex items-center rounded-full border border-warning-200 bg-warning-50 px-3 py-1 font-medium text-warning-700 dark:border-warning-700/50 dark:bg-warning-950/30 dark:text-warning-200">
+                    Activity counts execution load only
+                </span>
+                <span class="inline-flex items-center rounded-full border border-gray-200 bg-white px-3 py-1 font-medium text-gray-600 dark:border-white/10 dark:bg-white/5 dark:text-gray-300">
+                    Recent operations stay diagnostic
+                </span>
+            </div>
+
             @livewire(\App\Filament\Widgets\Workspace\WorkspaceSummaryStats::class, [
                 'metrics' => $overview['summary_metrics'] ?? [],
             ], key('workspace-overview-summary-' . ($workspace['id'] ?? 'none')))

resources/views/filament/system/pages/ops/view-run.blade.php

@@ -4,20 +4,26 @@
 
     $statusSpec = \App\Support\Badges\BadgeRenderer::spec(
         \App\Support\Badges\BadgeDomain::OperationRunStatus,
-        (string) $run->status,
+        [
+            'status' => (string) $run->status,
+            'freshness_state' => $run->freshnessState()->value,
+        ],
     );
 
-    $outcomeSpec = (string) $run->status === 'completed'
+    $outcomeSpec = \App\Support\Badges\BadgeRenderer::spec(
-        ? \App\Support\Badges\BadgeRenderer::spec(
+        \App\Support\Badges\BadgeDomain::OperationRunOutcome,
-            \App\Support\Badges\BadgeDomain::OperationRunOutcome,
+        [
-            (string) $run->outcome,
+            'outcome' => (string) $run->outcome,
-        )
+            'status' => (string) $run->status,
-        : null;
+            'freshness_state' => $run->freshnessState()->value,
+        ],
+    );
 
     $summaryCounts = is_array($run->summary_counts) ? $run->summary_counts : [];
     $hasSummary = count($summaryCounts) > 0;
     $integrityNote = \App\Support\RedactionIntegrity::noteForRun($run);
     $guidance = \App\Support\OpsUx\OperationUxPresenter::surfaceGuidance($run);
+    $decisionTruth = \App\Support\OpsUx\OperationUxPresenter::decisionZoneTruth($run);
 @endphp
 
 <x-filament-panels::page>
@@ -104,6 +110,47 @@
             </dl>
         </x-filament::section>
 
+        <x-filament::section>
+            <x-slot name="heading">
+                Current lifecycle truth
+            </x-slot>
+
+            <div class="grid grid-cols-1 gap-4 sm:grid-cols-3">
+                <div class="rounded-lg bg-gray-50 px-4 py-3 dark:bg-white/5">
+                    <div class="text-xs font-semibold uppercase tracking-wider text-gray-500 dark:text-gray-400">Still active</div>
+                    <div class="mt-1 text-sm font-medium text-gray-950 dark:text-white">
+                        {{ ($decisionTruth['isCurrentlyActive'] ?? false) ? 'Yes' : 'No' }}
+                    </div>
+                </div>
+
+                <div class="rounded-lg bg-gray-50 px-4 py-3 dark:bg-white/5">
+                    <div class="text-xs font-semibold uppercase tracking-wider text-gray-500 dark:text-gray-400">Automatic reconciliation</div>
+                    <div class="mt-1 text-sm font-medium text-gray-950 dark:text-white">
+                        {{ ($decisionTruth['isReconciled'] ?? false) ? 'Yes' : 'No' }}
+                    </div>
+                </div>
+
+                <div class="rounded-lg bg-gray-50 px-4 py-3 dark:bg-white/5">
+                    <div class="text-xs font-semibold uppercase tracking-wider text-gray-500 dark:text-gray-400">Problem class</div>
+                    <div class="mt-1 text-sm font-medium text-gray-950 dark:text-white">
+                        {{ $decisionTruth['problemClassLabel'] ?? 'None' }}
+                    </div>
+                </div>
+            </div>
+
+            @if (filled($decisionTruth['attentionNote'] ?? null))
+                <div class="mt-4 rounded-lg border border-amber-200 bg-amber-50 px-4 py-3 text-sm text-amber-900 dark:border-amber-500/30 dark:bg-amber-500/10 dark:text-amber-100">
+                    {{ $decisionTruth['attentionNote'] }}
+                </div>
+            @endif
+
+            @if (filled($decisionTruth['staleLineageNote'] ?? null))
+                <div class="mt-4 rounded-lg border border-rose-200 bg-rose-50 px-4 py-3 text-sm text-rose-900 dark:border-rose-500/30 dark:bg-rose-500/10 dark:text-rose-100">
+                    {{ $decisionTruth['staleLineageNote'] }}
+                </div>
+            @endif
+        </x-filament::section>
+
         @if ($integrityNote)
             <x-filament::section>
                 <div class="rounded-lg border border-amber-200 bg-amber-50 px-4 py-3 text-sm text-amber-900 dark:border-amber-500/30 dark:bg-amber-500/10 dark:text-amber-100">

resources/views/filament/widgets/tenant/recent-operations-summary.blade.php

@@ -17,12 +17,20 @@
                 @php
                     $statusSpec = \App\Support\Badges\BadgeRenderer::spec(
                         \App\Support\Badges\BadgeDomain::OperationRunStatus,
-                        (string) $run->status,
+                        [
+                            'status' => (string) $run->status,
+                            'freshness_state' => $run->freshnessState()->value,
+                        ],
                     );
                     $outcomeSpec = \App\Support\Badges\BadgeRenderer::spec(
                         \App\Support\Badges\BadgeDomain::OperationRunOutcome,
-                        (string) $run->outcome,
+                        [
+                            'outcome' => (string) $run->outcome,
+                            'status' => (string) $run->status,
+                            'freshness_state' => $run->freshnessState()->value,
+                        ],
                     );
+                    $lifecycleAttention = \App\Support\OpsUx\OperationUxPresenter::lifecycleAttentionSummary($run);
                     $guidance = \App\Support\OpsUx\OperationUxPresenter::surfaceGuidance($run);
                 @endphp
                 <li class="flex items-center justify-between gap-3 py-2">
@@ -38,6 +46,11 @@
                             <x-filament::badge :color="$outcomeSpec->color" size="sm">
                                 {{ $outcomeSpec->label }}
                             </x-filament::badge>
+                            @if ($lifecycleAttention)
+                                <span class="inline-flex items-center rounded-full border border-warning-200 bg-warning-50 px-2 py-0.5 text-xs font-medium text-warning-800 dark:border-warning-600/40 dark:bg-warning-500/10 dark:text-warning-100">
+                                    {{ $lifecycleAttention }}
+                                </span>
+                            @endif
                         </div>
 
                         <div class="mt-1 text-xs text-gray-500 dark:text-gray-400">

resources/views/filament/widgets/tenant/tenant-verification-report.blade.php

@@ -27,12 +27,12 @@
 
 <x-filament::section
     heading="Verification report"
-    description="Latest verification state for this tenant (DB-only rendering)."
+    description="Latest stored verification result for this tenant. Consent and connection configuration are summarized separately above."
 >
     <div class="space-y-4">
         @if ($run === null)
             <div class="rounded-lg border border-gray-200 bg-white p-4 text-sm text-gray-600 shadow-sm dark:border-gray-800 dark:bg-gray-900 dark:text-gray-300">
-                No verification operation has been started yet.
+                No provider verification check has been recorded yet.
             </div>
 
             <div class="flex items-center gap-2">

resources/views/filament/widgets/workspace/workspace-needs-attention.blade.php

@@ -22,25 +22,66 @@
     @else
         <div class="space-y-3">
             @foreach ($items as $item)
-                <a
+                @php
-                    href="{{ $item['url'] }}"
+                    $destination = $item['destination'] ?? null;
-                    class="block rounded-xl border border-gray-200 bg-gray-50 p-4 transition hover:border-gray-300 hover:bg-white dark:border-white/10 dark:bg-white/5 dark:hover:border-white/20 dark:hover:bg-white/10"
+                    $actionUrl = is_array($destination) && ($destination['disabled'] ?? false) === false
-                >
+                        ? ($destination['url'] ?? null)
-                    <div class="flex items-start justify-between gap-3">
+                        : null;
-                        <div class="space-y-1">
+                @endphp
-                            <div class="text-sm font-semibold text-gray-950 dark:text-white">
+
-                                {{ $item['title'] }}
+                <div class="rounded-xl border border-gray-200 bg-gray-50 p-4 dark:border-white/10 dark:bg-white/5">
-                            </div>
+                    <div class="space-y-3">
-                            <div class="text-sm leading-6 text-gray-600 dark:text-gray-300">
+                        <div class="flex flex-wrap items-start justify-between gap-3">
-                                {{ $item['body'] }}
+                            <div class="space-y-2">
+                                <div class="flex flex-wrap items-center gap-2">
+                                    <span class="inline-flex items-center rounded-full border border-gray-200 bg-white px-2.5 py-0.5 text-xs font-medium text-gray-700 dark:border-white/10 dark:bg-white/10 dark:text-gray-200">
+                                        {{ $item['tenant_label'] }}
+                                    </span>
+
+                                    <span class="inline-flex items-center rounded-full border border-gray-200 bg-white px-2.5 py-0.5 text-xs font-medium uppercase tracking-wide text-gray-500 dark:border-white/10 dark:bg-white/10 dark:text-gray-300">
+                                        {{ str_replace('_', ' ', $item['urgency']) }}
+                                    </span>
+
+                                    <x-filament::badge :color="$item['badge_color']" size="sm">
+                                        {{ $item['badge'] }}
+                                    </x-filament::badge>
+                                </div>
+
+                                <div class="text-sm font-semibold text-gray-950 dark:text-white">
+                                    {{ $item['title'] }}
+                                </div>
+
+                                <div class="text-sm leading-6 text-gray-600 dark:text-gray-300">
+                                    {{ $item['body'] }}
+                                </div>
+
+                                @if (filled($item['supporting_message'] ?? null))
+                                    <p class="text-xs leading-5 text-gray-500 dark:text-gray-400">
+                                        {{ $item['supporting_message'] }}
+                                    </p>
+                                @endif
                             </div>
                         </div>
 
-                        <x-filament::badge :color="$item['badge_color']" size="sm">
+                        <div class="flex flex-wrap items-center gap-3 text-sm">
-                            {{ $item['badge'] }}
+                            @if (is_string($actionUrl) && $actionUrl !== '')
-                        </x-filament::badge>
+                                <x-filament::link :href="$actionUrl" size="sm">
+                                    {{ $destination['label'] ?? 'Open' }}
+                                </x-filament::link>
+                            @else
+                                <span class="text-gray-500 dark:text-gray-400">
+                                    {{ $destination['label'] ?? 'Unavailable' }}
+                                </span>
+                            @endif
+
+                            @if (filled($item['helper_text'] ?? null))
+                                <span class="text-xs text-gray-500 dark:text-gray-400">
+                                    {{ $item['helper_text'] }}
+                                </span>
+                            @endif
+                        </div>
                     </div>
-                </a>
+                </div>
             @endforeach
         </div>
     @endif

resources/views/filament/widgets/workspace/workspace-recent-operations.blade.php

@@ -1,4 +1,8 @@
 <x-filament::section heading="Recent operations">
+    <p class="mb-4 text-xs leading-5 text-gray-500 dark:text-gray-400">
+        Diagnostic recency across your visible workspace slice. This does not define governance health on its own.
+    </p>
+
     @if ($operations === [])
         <div class="flex h-full flex-col justify-between gap-4">
             <div class="space-y-2">
@@ -22,45 +26,62 @@
     @else
         <div class="space-y-3">
             @foreach ($operations as $operation)
-                <a
+                @php
-                    href="{{ $operation['url'] }}"
+                    $destination = $operation['destination'] ?? null;
-                    class="block rounded-xl border border-gray-200 bg-gray-50 p-4 transition hover:border-gray-300 hover:bg-white dark:border-white/10 dark:bg-white/5 dark:hover:border-white/20 dark:hover:bg-white/10"
+                    $actionUrl = is_array($destination) ? ($destination['url'] ?? null) : ($operation['url'] ?? null);
-                >
+                @endphp
-                    <div class="flex items-start justify-between gap-3">
+
-                        <div class="min-w-0 space-y-2">
+                <div class="rounded-xl border border-gray-200 bg-gray-50 p-4 dark:border-white/10 dark:bg-white/5">
-                            <div class="flex flex-wrap items-center gap-2">
+                    <div class="space-y-3">
-                                <div class="text-sm font-semibold text-gray-950 dark:text-white">
+                        <div class="flex items-start justify-between gap-3">
-                                    {{ $operation['title'] }}
+                            <div class="min-w-0 space-y-2">
+                                <div class="flex flex-wrap items-center gap-2">
+                                    <div class="text-sm font-semibold text-gray-950 dark:text-white">
+                                        {{ $operation['title'] }}
+                                    </div>
+
+                                    @if (filled($operation['tenant_label'] ?? null))
+                                        <span class="inline-flex items-center rounded-full border border-gray-200 bg-white px-2 py-0.5 text-xs font-medium text-gray-600 dark:border-white/10 dark:bg-white/10 dark:text-gray-300">
+                                            {{ $operation['tenant_label'] }}
+                                        </span>
+                                    @endif
                                 </div>
 
-                                @if (filled($operation['tenant_label'] ?? null))
+                                <div class="flex flex-wrap items-center gap-2">
-                                    <span class="inline-flex items-center rounded-full border border-gray-200 bg-white px-2 py-0.5 text-xs font-medium text-gray-600 dark:border-white/10 dark:bg-white/10 dark:text-gray-300">
+                                    <x-filament::badge :color="$operation['status_color']" size="sm">
-                                        {{ $operation['tenant_label'] }}
+                                        {{ $operation['status_label'] }}
-                                    </span>
+                                    </x-filament::badge>
+                                    <x-filament::badge :color="$operation['outcome_color']" size="sm">
+                                        {{ $operation['outcome_label'] }}
+                                    </x-filament::badge>
+                                    @if (filled($operation['lifecycle_label'] ?? null))
+                                        <span class="inline-flex items-center rounded-full border border-warning-200 bg-warning-50 px-2 py-0.5 text-xs font-medium text-warning-800 dark:border-warning-600/40 dark:bg-warning-500/10 dark:text-warning-100">
+                                            {{ $operation['lifecycle_label'] }}
+                                        </span>
+                                    @endif
+                                </div>
+
+                                @if (filled($operation['guidance'] ?? null))
+                                    <p class="text-xs leading-5 text-gray-600 dark:text-gray-300">
+                                        {{ $operation['guidance'] }}
+                                    </p>
                                 @endif
                             </div>
 
-                            <div class="flex flex-wrap items-center gap-2">
+                            <div class="shrink-0 text-xs text-gray-500 dark:text-gray-400">
-                                <x-filament::badge :color="$operation['status_color']" size="sm">
+                                {{ $operation['started_at'] }}
-                                    {{ $operation['status_label'] }}
-                                </x-filament::badge>
-                                <x-filament::badge :color="$operation['outcome_color']" size="sm">
-                                    {{ $operation['outcome_label'] }}
-                                </x-filament::badge>
                             </div>
-
-                            @if (filled($operation['guidance'] ?? null))
-                                <p class="text-xs leading-5 text-gray-600 dark:text-gray-300">
-                                    {{ $operation['guidance'] }}
-                                </p>
-                            @endif
                         </div>
 
-                        <div class="shrink-0 text-xs text-gray-500 dark:text-gray-400">
+                        @if (is_string($actionUrl) && $actionUrl !== '')
-                            {{ $operation['started_at'] }}
+                            <div>
-                        </div>
+                                <x-filament::link :href="$actionUrl" size="sm">
+                                    {{ $destination['label'] ?? 'Open operation' }}
+                                </x-filament::link>
+                            </div>
+                        @endif
                     </div>
-                </a>
+                </div>
             @endforeach
         </div>
     @endif

resources/views/livewire/bulk-operation-progress.blade.php

@@ -9,6 +9,9 @@
     x-data="opsUxProgressWidgetPoller()" 
     x-init="init()" 
     wire:key="ops-ux-progress-widget"
+    @if (! $disabled && $hasActiveRuns)
+        wire:poll.10s="refreshRuns"
+    @endif
 >
     @if($runs->isNotEmpty())
         <div class="fixed bottom-4 right-4 z-[999999] w-96 space-y-2" style="pointer-events: auto;">

specs/175-workspace-governance-attention/checklists/requirements.md

@@ -0,0 +1,36 @@
+# Specification Quality Checklist: Spec 175 - Workspace Governance Attention Foundation
+
+**Purpose**: Validate specification completeness and quality before proceeding to planning  
+**Created**: 2026-04-04  
+**Feature**: [spec.md](../spec.md)
+
+## Content Quality
+
+- [x] No implementation details (languages, frameworks, APIs)
+- [x] Focused on user value and business needs
+- [x] Written for non-technical stakeholders
+- [x] All mandatory sections completed
+
+## Requirement Completeness
+
+- [x] No [NEEDS CLARIFICATION] markers remain
+- [x] Requirements are testable and unambiguous
+- [x] Success criteria are measurable
+- [x] Success criteria are technology-agnostic (no implementation details)
+- [x] All acceptance scenarios are defined
+- [x] Edge cases are identified
+- [x] Scope is clearly bounded
+- [x] Dependencies and assumptions identified
+
+## Feature Readiness
+
+- [x] All functional requirements have clear acceptance criteria
+- [x] User scenarios cover primary flows
+- [x] Feature meets measurable outcomes defined in Success Criteria
+- [x] No implementation details leak into specification
+
+## Notes
+
+- Validation pass completed against the written spec on 2026-04-04.
+- No clarification markers were needed because the supplied feature description already defined scope, priorities, constraints, and desired outcomes precisely.
+- The spec stays intentionally narrow: it hardens existing workspace surfaces using already-available tenant truth and explicitly rejects new persistence, scores, or matrix-style redesign in this slice.

specs/175-workspace-governance-attention/contracts/workspace-governance-attention.openapi.yaml

@@ -0,0 +1,541 @@
+openapi: 3.1.0
+info:
+  title: Workspace Governance Attention Internal Surface Contract
+  version: 0.1.0
+  summary: Internal logical contract for governance-aware workspace overview semantics
+  description: |
+    This contract is an internal planning artifact for Spec 175. It documents how
+    the existing workspace overview must derive governance-aware summary metrics,
+    attention items, calmness claims, and drill-through destinations from visible
+    tenant truth. The rendered routes still return HTML. The structured schemas
+    below describe the internal page and widget models that must be derivable
+    before rendering. This does not add a public HTTP API.
+servers:
+  - url: /internal
+x-overview-consumers:
+  - surface: workspace.overview.summary_stats
+    summarySource:
+      - workspace_overview_builder
+      - tenant_governance_aggregate
+      - operation_run_activity
+      - alert_delivery_activity
+    guardScope:
+      - app/Support/Workspaces/WorkspaceOverviewBuilder.php
+      - app/Filament/Widgets/Workspace/WorkspaceSummaryStats.php
+    expectedContract:
+      - governance_metrics_count_visible_tenants_not_raw_issue_totals
+      - governance_metrics_are_distinct_from_activity_metrics
+  - surface: workspace.overview.needs_attention
+    summarySource:
+      - workspace_overview_builder
+      - tenant_governance_aggregate
+      - existing_evidence_review_truth
+      - operation_run_activity
+      - alert_delivery_activity
+    guardScope:
+      - app/Support/Workspaces/WorkspaceOverviewBuilder.php
+      - app/Filament/Widgets/Workspace/WorkspaceNeedsAttention.php
+      - resources/views/filament/widgets/workspace/workspace-needs-attention.blade.php
+    expectedContract:
+      - each_item_identifies_the_visible_tenant_when_tenant_bound
+      - all_attention_items_are_tenant_bound
+      - governance_issues_rank_above_activity_only_items
+      - compare_attention_only_uses_stale_or_compare_specific_action_required_signals
+      - each_item_has_one_matching_destination_or_a_safe_disabled_state
+  - surface: workspace.overview.calmness
+    summarySource:
+      - workspace_overview_builder
+      - tenant_governance_aggregate
+      - operation_run_activity
+      - alert_delivery_activity
+    guardScope:
+      - app/Support/Workspaces/WorkspaceOverviewBuilder.php
+      - resources/views/filament/pages/workspace-overview.blade.php
+    expectedContract:
+      - operations_quiet_alone_is_not_enough_for_calmness
+      - zero_tenant_and_low_permission_states_do_not_masquerade_as_healthy_calm
+      - zero_tenant_recovery_uses_switch_workspace_and_low_permission_recovery_uses_operations_index
+  - surface: workspace.overview.recent_operations
+    summarySource:
+      - workspace_overview_builder
+      - operation_run_recency_query
+    guardScope:
+      - app/Filament/Widgets/Workspace/WorkspaceRecentOperations.php
+      - resources/views/filament/widgets/workspace/workspace-recent-operations.blade.php
+    expectedContract:
+      - surface_role_is_diagnostic_recency_not_primary_governance_summary
+      - recent_operations_remain_filtered_to_visible_tenant_scope
+      - recent_operations_are_bounded_to_five
+paths:
+  /admin:
+    get:
+      summary: Render the governance-aware workspace overview bundle
+      operationId: viewWorkspaceGovernanceAttentionOverview
+      responses:
+        '200':
+          description: Workspace overview rendered with governance-aware summary, attention, calmness, and recency semantics
+          content:
+            text/html:
+              schema:
+                type: string
+            application/vnd.tenantpilot.workspace-governance-attention+json:
+              schema:
+                $ref: '#/components/schemas/WorkspaceGovernanceOverviewBundle'
+        '302':
+          description: No workspace context is active yet, so the request is redirected to `/admin/choose-workspace`
+        '404':
+          description: Workspace is outside entitlement scope
+  /admin/choose-tenant:
+    get:
+      summary: Explicit tenant-entry destination used by workspace drill-down when the operator wants to pick a tenant deliberately
+      operationId: openChooseTenantFromWorkspaceOverview
+      responses:
+        '200':
+          description: Choose-tenant page opened inside the authenticated admin panel and may bootstrap workspace context from the selected tenant if no workspace is currently active
+  /admin/choose-workspace:
+    get:
+      summary: Default workspace-switch recovery destination for zero-tenant or wrong-workspace states
+      operationId: openChooseWorkspaceFromWorkspaceOverview
+      responses:
+        '200':
+          description: Choose-workspace page opened so the operator can recover to another entitled workspace context even when no workspace is currently active
+  /admin/t/{tenant}:
+    get:
+      summary: Tenant dashboard fallback or broad tenant drill-through from workspace attention
+      operationId: openTenantDashboardFromWorkspaceAttention
+      parameters:
+        - name: tenant
+          in: path
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Tenant dashboard opened for the visible tenant named by the workspace item when the dashboard is the allowed fallback or primary tenant landing
+        '404':
+          description: Tenant is outside entitlement scope
+  /admin/t/{tenant}/findings:
+    get:
+      summary: Tenant findings destination used by workspace governance and findings attention
+      operationId: openTenantFindingsFromWorkspaceAttention
+      parameters:
+        - name: tenant
+          in: path
+          required: true
+          schema:
+            type: string
+        - name: tab
+          in: query
+          required: false
+          schema:
+            $ref: '#/components/schemas/FindingsTab'
+        - name: high_severity
+          in: query
+          required: false
+          schema:
+            type: boolean
+        - name: governance_validity
+          in: query
+          required: false
+          schema:
+            $ref: '#/components/schemas/GovernanceValidityFilter'
+          description: Reproduces directly filterable governance-validity subsets such as `missing_support` or `expiring`; aggregate lapsed-governance attention falls back to the tenant dashboard when the full invalid-governance family cannot be reproduced without narrowing.
+      responses:
+        '200':
+          description: Tenant findings list opened with a subset matching the originating workspace attention item
+        '403':
+          description: Actor is in scope but lacks findings inspection capability
+        '404':
+          description: Tenant is outside entitlement scope
+  /admin/t/{tenant}/baseline-compare-landing:
+    get:
+      summary: Tenant baseline compare landing used by workspace compare attention
+      operationId: openTenantBaselineCompareFromWorkspaceAttention
+      parameters:
+        - name: tenant
+          in: path
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Tenant baseline compare landing opened with the same compare posture family summarized by the workspace item
+        '403':
+          description: Actor is in scope but lacks the current tenant-view capability required by the compare landing
+        '404':
+          description: Tenant is outside entitlement scope
+  /admin/t/{tenant}/evidence:
+    get:
+      summary: Tenant evidence destination used only when existing evidence truth is the most precise workspace next jump
+      operationId: openTenantEvidenceFromWorkspaceAttention
+      parameters:
+        - name: tenant
+          in: path
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Tenant evidence surface opened for the visible tenant named by the workspace item
+        '403':
+          description: Actor is in scope but lacks evidence inspection capability
+        '404':
+          description: Tenant is outside entitlement scope
+  /admin/t/{tenant}/reviews:
+    get:
+      summary: Tenant reviews destination used only when existing review truth is the most precise workspace next jump
+      operationId: openTenantReviewsFromWorkspaceAttention
+      parameters:
+        - name: tenant
+          in: path
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Tenant reviews surface opened for the visible tenant named by the workspace item
+        '403':
+          description: Actor is in scope but lacks review inspection capability
+        '404':
+          description: Tenant is outside entitlement scope
+  /admin/operations:
+    get:
+      summary: Canonical operations index used by workspace activity and operations-follow-up signals
+      operationId: openOperationsFromWorkspaceOverview
+      parameters:
+        - name: tenant_id
+          in: query
+          required: false
+          schema:
+            type:
+              - integer
+              - string
+          description: Optional tenant filter when the workspace item points to one tenant's operations follow-up.
+        - name: activeTab
+          in: query
+          required: false
+          schema:
+            $ref: '#/components/schemas/OperationsTab'
+      responses:
+        '200':
+          description: Canonical operations index opened with any tenant and tab continuity required by the workspace signal; this remains the workspace-member-safe fallback for low-permission workspace states
+        '404':
+          description: Requested tenant context is outside entitlement scope
+  /admin/operations/{run}:
+    get:
+      summary: Canonical operation detail opened from workspace recent operations or operations attention
+      operationId: openOperationDetailFromWorkspaceOverview
+      parameters:
+        - name: run
+          in: path
+          required: true
+          schema:
+            type:
+              - integer
+              - string
+      responses:
+        '200':
+          description: Canonical operation detail opened for the visible run
+        '403':
+          description: Actor is in scope but lacks operation detail capability
+        '404':
+          description: Operation run is outside entitlement scope
+  /admin/alerts:
+    get:
+      summary: Canonical alerts overview used for alert-only follow-up from the workspace home
+      operationId: openAlertsOverviewFromWorkspaceOverview
+      responses:
+        '200':
+          description: Alerts overview opened for the current workspace, including delivery follow-up and alert-health context
+        '403':
+          description: Actor is in scope but lacks alerts inspection capability
+        '404':
+          description: Workspace is outside entitlement scope
+components:
+  schemas:
+    MetricCategory:
+      type: string
+      enum:
+        - scope
+        - governance_risk
+        - activity
+        - alerts
+    AttentionFamily:
+      type: string
+      enum:
+        - governance
+        - findings
+        - compare
+        - evidence
+        - review
+        - operations
+        - alerts
+    AttentionUrgency:
+      type: string
+      enum:
+        - critical
+        - high
+        - medium
+        - supporting
+    DestinationKind:
+      type: string
+      enum:
+        - choose_tenant
+        - tenant_dashboard
+        - tenant_findings
+        - baseline_compare_landing
+        - tenant_evidence
+        - tenant_reviews
+        - operations_index
+        - operation_detail
+        - alerts_overview
+        - switch_workspace
+        - none
+    CheckedDomain:
+      type: string
+      enum:
+        - governance
+        - findings
+        - compare
+        - evidence
+        - review
+        - operations
+        - alerts
+        - tenant_access
+    FindingsTab:
+      type: string
+      enum:
+        - all
+        - needs_action
+        - overdue
+        - risk_accepted
+        - resolved
+    GovernanceValidityFilter:
+      type: string
+      enum:
+        - missing_support
+        - expiring
+        - valid
+    OperationsTab:
+      type: string
+      enum:
+        - all
+        - active
+        - blocked
+        - failed
+        - partial
+        - succeeded
+    DrillthroughTarget:
+      type: object
+      additionalProperties: false
+      required:
+        - kind
+        - disabled
+      properties:
+        kind:
+          $ref: '#/components/schemas/DestinationKind'
+        url:
+          type:
+            - string
+            - 'null'
+        tenantRouteKey:
+          type:
+            - string
+            - 'null'
+        label:
+          type:
+            - string
+            - 'null'
+        disabled:
+          type: boolean
+        helperText:
+          type:
+            - string
+            - 'null'
+        filters:
+          type:
+            - object
+            - 'null'
+          additionalProperties: true
+    WorkspaceSummaryMetric:
+      type: object
+      additionalProperties: false
+      required:
+        - key
+        - label
+        - value
+        - category
+        - description
+        - color
+      properties:
+        key:
+          type: string
+        label:
+          type: string
+        value:
+          type: integer
+          minimum: 0
+        category:
+          $ref: '#/components/schemas/MetricCategory'
+        description:
+          type: string
+        color:
+          type: string
+        destination:
+          oneOf:
+            - $ref: '#/components/schemas/DrillthroughTarget'
+            - type: 'null'
+    WorkspaceAttentionItem:
+      type: object
+      additionalProperties: false
+      required:
+        - key
+        - tenantId
+        - tenantLabel
+        - family
+        - urgency
+        - title
+        - body
+        - badge
+        - badgeColor
+      anyOf:
+        - required:
+            - destination
+          properties:
+            destination:
+              $ref: '#/components/schemas/DrillthroughTarget'
+        - required:
+            - actionDisabled
+            - helperText
+          properties:
+            actionDisabled:
+              const: true
+            helperText:
+              type: string
+      properties:
+        key:
+          type: string
+        tenantId:
+          type: integer
+        tenantLabel:
+          type: string
+        family:
+          $ref: '#/components/schemas/AttentionFamily'
+        urgency:
+          $ref: '#/components/schemas/AttentionUrgency'
+        title:
+          type: string
+        body:
+          type: string
+        supportingMessage:
+          type:
+            - string
+            - 'null'
+        badge:
+          type: string
+        badgeColor:
+          type: string
+        destination:
+          oneOf:
+            - $ref: '#/components/schemas/DrillthroughTarget'
+            - type: 'null'
+        actionDisabled:
+          type:
+            - boolean
+            - 'null'
+        helperText:
+          type:
+            - string
+            - 'null'
+    WorkspaceRecentOperation:
+      type: object
+      additionalProperties: false
+      required:
+        - id
+        - title
+        - statusLabel
+        - statusColor
+        - outcomeLabel
+        - outcomeColor
+        - startedAt
+        - destination
+      properties:
+        id:
+          type: integer
+        title:
+          type: string
+        tenantLabel:
+          type:
+            - string
+            - 'null'
+        statusLabel:
+          type: string
+        statusColor:
+          type: string
+        outcomeLabel:
+          type: string
+        outcomeColor:
+          type: string
+        guidance:
+          type:
+            - string
+            - 'null'
+        startedAt:
+          type: string
+        destination:
+          $ref: '#/components/schemas/DrillthroughTarget'
+    WorkspaceCalmnessState:
+      type: object
+      additionalProperties: false
+      required:
+        - isCalm
+        - checkedDomains
+        - title
+        - body
+        - nextAction
+      properties:
+        isCalm:
+          type: boolean
+        checkedDomains:
+          type: array
+          items:
+            $ref: '#/components/schemas/CheckedDomain'
+        title:
+          type: string
+        body:
+          type: string
+        nextAction:
+          description: Defaults to `switch_workspace` for zero-tenant recovery and `operations_index` for low-permission workspace-state recovery unless a more specific allowed action exists.
+          $ref: '#/components/schemas/DrillthroughTarget'
+    WorkspaceGovernanceOverviewBundle:
+      type: object
+      additionalProperties: false
+      required:
+        - workspaceId
+        - workspaceName
+        - summaryMetrics
+        - attentionItems
+        - recentOperations
+        - calmness
+      properties:
+        workspaceId:
+          type: integer
+        workspaceName:
+          type: string
+        summaryMetrics:
+          type: array
+          maxItems: 8
+          items:
+            $ref: '#/components/schemas/WorkspaceSummaryMetric'
+        attentionItems:
+          type: array
+          maxItems: 5
+          items:
+            $ref: '#/components/schemas/WorkspaceAttentionItem'
+        recentOperations:
+          type: array
+          maxItems: 5
+          items:
+            $ref: '#/components/schemas/WorkspaceRecentOperation'
+        calmness:
+          $ref: '#/components/schemas/WorkspaceCalmnessState'

specs/175-workspace-governance-attention/data-model.md

@@ -0,0 +1,313 @@
+# Phase 1 Data Model: Workspace Governance Attention Foundation
+
+## Overview
+
+This feature does not add a table, persisted workspace summary, or new cross-domain runtime subsystem. It aligns the existing workspace overview surface with already-available tenant truth so the workspace home can answer which visible tenants need governance attention, why they need it, and where the operator should jump next.
+
+## Persistent Source Truths
+
+### Workspace
+
+**Purpose**: Scope boundary for the workspace home and all workspace-safe aggregates.
+
+**Key fields**:
+- `id`
+- `name`
+- `slug`
+
+**Validation rules**:
+- Workspace overview aggregation must always resolve for one explicit workspace.
+- Non-members must receive deny-as-not-found behavior before any workspace truth is rendered.
+
+### Tenant
+
+**Purpose**: Scope boundary and identity anchor for every governance-aware workspace attention item.
+
+**Key fields**:
+- `id`
+- `workspace_id`
+- `external_id`
+- `name`
+- `status`
+
+**Validation rules**:
+- Only active tenants inside the current workspace and inside the current user's entitled tenant slice may contribute to workspace attention or governance-risk metrics.
+- Every workspace attention item must identify one visible tenant explicitly.
+
+### Finding
+
+**Purpose**: Source of overdue findings, high-severity active findings, and other governance workflow pressure promoted into workspace attention.
+
+**Key fields**:
+- `tenant_id`
+- `workspace_id`
+- `finding_type`
+- `status`
+- `severity`
+- `due_at`
+- `scope_key`
+
+**Validation rules**:
+- Canonical open and active semantics remain sourced from existing finding query helpers.
+- Workspace promotion must not invent a second finding status universe.
+
+### FindingException / Governance Validity
+
+**Purpose**: Source of lapsed governance and expiring governance truth for risk-accepted findings.
+
+**Key fields**:
+- `tenant_id`
+- `workspace_id`
+- `finding_id`
+- `status`
+- `current_validity_state`
+- `review_due_at`
+- `expires_at`
+
+**Validation rules**:
+- Lapsed and expiring governance remain derived from existing validity-state rules.
+- Workspace promotion must not replace existing governance-validity semantics with a new workspace-specific status family.
+
+### OperationRun
+
+**Purpose**: Source of workspace activity, operation failures, and canonical operation drill-through.
+
+**Key fields**:
+- `id`
+- `workspace_id`
+- `tenant_id`
+- `type`
+- `status`
+- `outcome`
+- `created_at`
+- `completed_at`
+
+**Validation rules**:
+- Active operations and failed or warning operations remain activity truths, not governance truths.
+- Workspace attention may still include operations follow-up, but those items must remain semantically distinct from governance items.
+
+### AlertDelivery
+
+**Purpose**: Source of workspace alert-delivery failures that remain supporting attention but no longer define workspace calmness by themselves.
+
+**Key fields**:
+- `workspace_id`
+- `tenant_id`
+- `status`
+- `created_at`
+
+**Validation rules**:
+- Alert-delivery failures remain lower-priority supporting signals once governance-critical tenant states exist.
+
+### EvidenceSnapshot and TenantReview
+
+**Purpose**: Existing tenant-level evidence and review truth that may serve as a precise workspace drill-through target when already-available truth makes them the best next jump.
+
+**Key fields**:
+- `tenant_id`
+- `workspace_id`
+- `status` or completeness fields on the owning model
+- associated detail identifiers needed by tenant evidence or review resources
+
+**Validation rules**:
+- This slice does not add a new workspace evidence or review aggregate.
+- Evidence or review destinations may only be used when existing tenant truth already makes them the most precise action target.
+
+## Existing Runtime Source Objects
+
+### TenantGovernanceAggregate
+
+**Purpose**: Existing derived tenant summary that already combines compare posture with overdue, expiring, lapsed, and high-severity counts.
+
+**Key consumed fields**:
+- `tenantId`
+- `workspaceId`
+- `compareState`
+- `stateFamily`
+- `tone`
+- `headline`
+- `supportingMessage`
+- `overdueOpenFindingsCount`
+- `expiringGovernanceCount`
+- `lapsedGovernanceCount`
+- `highSeverityActiveFindingsCount`
+- `nextActionLabel`
+- `nextActionTarget`
+- `positiveClaimAllowed`
+- `summaryAssessment`
+
+**Validation rules**:
+- Workspace promotion should consume this existing summary contract before considering lower-level recomputation.
+- Any workspace calmness or ranking rule based on compare or governance must remain consistent with this aggregate.
+
+### BaselineCompareStats
+
+**Purpose**: Existing compare-backed statistics object underlying the tenant governance aggregate.
+
+**Key consumed fields**:
+- `overdueOpenFindingsCount`
+- `expiringGovernanceCount`
+- `lapsedGovernanceCount`
+- `highSeverityActiveFindingsCount`
+- compare posture state and evidence-gap fields needed by `summaryAssessment`
+
+**Validation rules**:
+- Workspace code should not fork a second compare-summary model while this object already provides the necessary facts.
+
+### BaselineCompareSummaryAssessment
+
+**Purpose**: Existing compare posture contract that maps compare stats into a state family, tone, headline, and next-action intent.
+
+**Key consumed fields**:
+- `stateFamily`
+- `tone`
+- `headline`
+- `supportingMessage`
+- `reasonCode`
+- `nextActionTarget()` semantics as reflected into the aggregate
+
+**Validation rules**:
+- Workspace compare attention and calmness suppression should reuse this assessment path rather than inventing a workspace-only tone system.
+
+### WorkspaceOverviewBuilder Payload
+
+**Purpose**: Existing page-level payload that already carries summary metrics, attention items, recent operations, quick actions, and empty states for `/admin`.
+
+**Validation rules**:
+- Governance hardening extends this payload shape rather than replacing the page with a new surface framework.
+- Existing visible-tenant filtering remains the workspace aggregation guardrail.
+
+## Derived Workspace View Contracts
+
+### Workspace Summary Metric
+
+**Purpose**: Compact workspace stat that answers one scope, governance-risk, or activity question and optionally opens one matching destination.
+
+#### Fields
+
+| Field | Type | Required | Description |
+|------|------|----------|-------------|
+| `key` | string | yes | Stable metric identity such as `accessible_tenants`, `governance_attention_tenants`, `overdue_findings_tenants`, or `active_operations` |
+| `label` | string | yes | Operator-facing label that must accurately describe the counted universe |
+| `value` | integer | yes | Metric value |
+| `category` | enum | yes | `scope`, `governance_risk`, `activity`, or `alerts` |
+| `description` | string | yes | Short explanation of what the metric means |
+| `color` | string | yes | Existing tone family used by the widget |
+| `destination` | object nullable | no | Shared drill-through contract when the metric is actionable |
+
+#### Validation rules
+
+- Governance-risk metrics count affected visible tenants, not raw issue totals.
+- Activity metrics remain activity-only and must not imply governance health.
+- The stat strip must make the difference between `governance_risk` and `activity` categories obvious.
+
+### Workspace Attention Item
+
+**Purpose**: One prioritized workspace triage item that names a visible tenant problem and one next jump.
+
+#### Fields
+
+| Field | Type | Required | Description |
+|------|------|----------|-------------|
+| `key` | string | yes | Stable attention identity such as `tenant_overdue_findings`, `tenant_lapsed_governance`, `tenant_compare_attention`, or `tenant_failed_operation` |
+| `tenantId` | integer | yes | Visible tenant identifier |
+| `tenantLabel` | string | yes | Tenant name shown to the operator |
+| `family` | enum | yes | `governance`, `findings`, `compare`, `evidence`, `review`, `operations`, or `alerts` |
+| `urgency` | enum | yes | `critical`, `high`, `medium`, or `supporting` |
+| `title` | string | yes | Primary operator-facing summary |
+| `body` | string | yes | Short explanation of why this needs attention |
+| `badge` | string | yes | Existing family label shown in the UI |
+| `badgeColor` | string | yes | Existing tone family used for the item |
+| `supportingMessage` | string nullable | no | Secondary explanatory text when needed |
+| `destination` | object nullable | no | Shared drill-through contract |
+| `actionDisabled` | boolean nullable | no | Whether the visible next step is intentionally disabled |
+| `helperText` | string nullable | no | Explanation when the visible next step is disabled |
+
+#### Validation rules
+
+- Every workspace attention item is tenant-bound and must include both `tenantId` and `tenantLabel`.
+- Governance, findings, compare, evidence or review, and operations items must remain semantically distinct.
+- Compare attention promotes `BaselineCompareSummaryAssessment::STATE_STALE` directly and only treats `BaselineCompareSummaryAssessment::STATE_ACTION_REQUIRED` as materially degraded compare posture when the aggregate's next action remains compare-specific rather than findings-driven.
+- `BaselineCompareSummaryAssessment::STATE_CAUTION` stays below the workspace-attention threshold unless another governance signal independently warrants promotion.
+- Workspace-wide operations or alert totals remain in summary metrics or recent operations until they can be attributed to one visible tenant.
+- Each item may expose one primary destination only.
+- Every item must either expose a non-null destination or set `actionDisabled=true` with explanatory `helperText`; null destination without an explicit disabled state is invalid.
+- If the most precise destination is not available to the current in-scope user, the item must either use an allowed fallback or expose a disabled explanatory state instead of a clickable dead end.
+
+### Workspace Recent Operation
+
+**Purpose**: One bounded recent-operations entry shown on the workspace overview as diagnostic recency, not governance posture.
+
+#### Fields
+
+| Field | Type | Required | Description |
+|------|------|----------|-------------|
+| `id` | integer | yes | Operation run identifier |
+| `title` | string | yes | Operator-facing operation label |
+| `tenantLabel` | string nullable | no | Tenant name when the run is tenant-bound |
+| `statusLabel` | string | yes | Human-readable run status |
+| `statusColor` | string | yes | Existing tone family for the run status |
+| `outcomeLabel` | string | yes | Human-readable run outcome |
+| `outcomeColor` | string | yes | Existing tone family for the run outcome |
+| `guidance` | string nullable | no | Short follow-up guidance when helpful |
+| `startedAt` | string | yes | Render-ready recency label |
+| `destination` | object | yes | Canonical operation-detail drill-through target |
+
+#### Validation rules
+
+- The recent-operations collection is bounded to the five most recent visible runs.
+- Recent operations remain diagnostic context and do not define calmness on their own.
+- `tenantLabel` may be null only when the run is genuinely workspace-wide rather than tenant-bound.
+
+### Workspace Drill-Through Target
+
+**Purpose**: Shared navigation contract used by summary metrics and attention items.
+
+#### Fields
+
+| Field | Type | Required | Description |
+|------|------|----------|-------------|
+| `kind` | enum | yes | `choose_tenant`, `tenant_dashboard`, `tenant_findings`, `baseline_compare_landing`, `tenant_evidence`, `tenant_reviews`, `operations_index`, `operation_detail`, `alerts_overview`, `switch_workspace`, or `none` |
+| `url` | string nullable | no | Destination URL when the target is actionable |
+| `tenantRouteKey` | string nullable | no | Tenant route scope when the destination is tenant-bound |
+| `filters` | object nullable | no | Query or state needed to reproduce the same subset on the destination |
+| `label` | string nullable | no | Primary action label |
+| `disabled` | boolean | yes | Whether the target is intentionally non-clickable |
+| `helperText` | string nullable | no | Explanation shown when the target is disabled |
+
+#### Validation rules
+
+- `kind=none` may only be used for intentionally passive reassurance states.
+- `tenant_findings` must carry the filter state needed to reproduce overdue, high-severity, expiring-governance, or other directly filterable findings subsets when applicable.
+- Aggregate lapsed-governance attention uses `tenant_dashboard` when the current tenant findings filters would otherwise narrow the full invalid-governance family to a smaller subset such as `missing_support`.
+- `operations_index` may carry tenant and tab filters but must remain the canonical admin operations route and the workspace-member-safe fallback for low-permission workspace states.
+- `alerts_overview` targets the existing alerts overview at `/admin/alerts`, which remains the canonical alert-delivery follow-up surface for this slice.
+- `switch_workspace` targets `/admin/choose-workspace` and is the default zero-tenant recovery action.
+
+### Workspace Calmness State
+
+**Purpose**: The derived claim that the workspace is currently calm enough for an empty or reassurance state.
+
+#### Fields
+
+| Field | Type | Required | Description |
+|------|------|----------|-------------|
+| `isCalm` | boolean | yes | Whether the workspace may currently make a calmness claim |
+| `checkedDomains` | array<enum> | yes | Domains actually checked before the claim was made: `governance`, `findings`, `compare`, `evidence`, `review`, `operations`, `alerts`, `tenant_access` |
+| `title` | string | yes | Empty-state or reassurance title |
+| `body` | string | yes | Supporting explanation constrained to the checked domains |
+| `nextAction` | object | yes | One bounded next action |
+
+#### Validation rules
+
+- `isCalm=true` is invalid whenever any visible tenant has governance-critical conditions inside the checked domains.
+- Zero-tenant states and low-permission states must not masquerade as healthy calmness states.
+- Zero-tenant states default `nextAction.kind` to `switch_workspace`, while low-permission states default `nextAction.kind` to `operations_index` unless a more specific allowed in-scope recovery action exists.
+- Calm wording must not imply portfolio health beyond the `checkedDomains` list.
+
+## Ranking Rules
+
+1. Governance-critical tenant conditions outrank activity-only and alert-only items.
+2. A single tenant may contribute multiple raw issues, but workspace attention should surface a bounded prioritized subset.
+3. The stat strip answers portfolio counts by tenant, while the attention list answers which tenant to open next.
+4. Recent operations remain supporting recency context and do not participate in calmness unless explicitly modeled as an operations-follow-up issue.

specs/175-workspace-governance-attention/plan.md

@@ -0,0 +1,332 @@
+# Implementation Plan: Workspace Governance Attention Foundation
+
+**Branch**: `175-workspace-governance-attention` | **Date**: 2026-04-04 | **Spec**: `/Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/175-workspace-governance-attention/spec.md`
+**Input**: Feature specification from `/Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/175-workspace-governance-attention/spec.md`
+
+**Note**: This plan follows the existing TenantPilot workspace and tenant-truth architecture. It hardens the current workspace overview instead of introducing a new workspace posture subsystem.
+
+## Summary
+
+Promote existing tenant governance truth into the existing workspace overview so `/admin` becomes a trustworthy multi-tenant governance attention surface instead of an operations-first calm surface. The implementation will keep `WorkspaceOverviewBuilder` as the orchestration point, reuse `TenantGovernanceAggregateResolver`, `BaselineCompareStats`, existing findings and compare destinations, and optionally already-available evidence or review surfaces where they provide a more precise next jump. The first slice will harden summary metrics, attention ranking, tenant identification, compare breadth across stale, failed, and degraded states, and calmness semantics; the second slice will preserve activity versus governance separation and protect the new contract with focused workspace overview regression tests.
+
+## Technical Context
+
+**Language/Version**: PHP 8.4.15  
+**Primary Dependencies**: Laravel 12, Filament v5, Livewire v4, Pest v4, existing `WorkspaceOverviewBuilder`, `TenantGovernanceAggregateResolver`, `BaselineCompareStats`, `BaselineCompareSummaryAssessor`, `WorkspaceSummaryStats`, `WorkspaceNeedsAttention`, `WorkspaceRecentOperations`, `WorkspaceCapabilityResolver`, `CapabilityResolver`, `FindingResource`, `BaselineCompareLanding`, `EvidenceSnapshotResource`, `TenantReviewResource`, and canonical admin Operations routes  
+**Storage**: PostgreSQL unchanged; no new persistence, cache table, or materialized aggregate is introduced  
+**Testing**: Pest 4 feature and Livewire-style widget tests through Laravel Sail using existing workspace overview tests plus new governance attention and drill-through coverage  
+**Target Platform**: Laravel monolith web application in Sail locally and containerized Linux deployment in staging and production  
+**Project Type**: web application  
+**Performance Goals**: Keep `/admin` DB-only at render time, keep workspace attention bounded, reuse request-scoped derived-state caching for tenant governance aggregates, and avoid uncontrolled polling or unbounded cross-tenant queries  
+**Constraints**: No new table, no new workspace posture score, no full portfolio matrix, no new panel/provider, no cross-tenant leakage, no dead-end drill-throughs for visible states, no ad-hoc status taxonomy, and no broad workspace IA redesign  
+**Scale/Scope**: One workspace landing page, three existing workspace widgets, one builder, one accessible-tenant slice per workspace, six central governance signal families, and focused regression coverage for workspace calmness, ranking, drill-through continuity, and RBAC-safe omission or fallback behavior
+
+## Constitution Check
+
+*GATE: Passed before Phase 0 research. Re-check after Phase 1 design.*
+
+| Principle | Pre-Research | Post-Design | Notes |
+|-----------|--------------|-------------|-------|
+| Inventory-first / snapshots-second | PASS | PASS | The feature adds no new inventory or snapshot truth. It only changes read-time workspace aggregation over existing records. |
+| Read/write separation | PASS | PASS | The slice is read-only workspace overview hardening. No new write path, preview flow, or destructive action is introduced. |
+| Graph contract path | N/A | N/A | No Graph call or `config/graph_contracts.php` change is required. |
+| Deterministic capabilities | PASS | PASS | Existing workspace membership and tenant capability checks remain authoritative for aggregation and drill-through behavior. |
+| RBAC-UX authorization semantics | PASS | PASS | `/admin` remains workspace-scoped, tenant destinations remain tenant-scoped, non-members stay `404`, and members missing downstream capability must not receive dead-end links. |
+| Workspace and tenant isolation | PASS | PASS | Aggregation stays limited to visible tenants in the active workspace and uses existing `scopeToAuthorizedTenants()` style filtering. |
+| Run observability / Ops-UX | PASS | PASS | No new `OperationRun` type, feedback surface, or lifecycle change is added. Existing operations destinations remain canonical. |
+| Data minimization | PASS | PASS | The plan adds no new persistence and no broader route exposure. Only already-visible tenant truth is promoted into the workspace home. |
+| Proportionality / no premature abstraction | PASS | PASS | The plan reuses `WorkspaceOverviewBuilder` and `TenantGovernanceAggregateResolver` instead of adding a new workspace posture framework or aggregate layer. |
+| Persisted truth / behavioral state | PASS | PASS | No new table, enum, status family, or persisted summary artifact is planned. |
+| UI semantics / few layers | PASS | PASS | The feature aligns existing widget semantics rather than introducing a new presenter or badge taxonomy. |
+| Badge semantics (BADGE-001) | PASS | PASS | Existing badge and tone domains remain the source for operations and compare posture meaning. New workspace items reuse those semantics rather than inventing new colors or labels. |
+| Filament-native UI / Action Surface Contract | PASS | PASS | `WorkspaceOverview` and its widgets remain navigation and inspection surfaces only. No destructive or redundant action model is added. |
+| Filament UX-001 | PASS | PASS | No create or edit page is touched. The design keeps governance attention above recent operations and uses bounded empty-state wording. |
+| Filament v5 / Livewire v4 compliance | PASS | PASS | The design stays within the current Filament v5 + Livewire v4 stack. |
+| Provider registration location | PASS | PASS | No panel/provider registration change is required. Laravel 11+ provider registration remains in `bootstrap/providers.php`. |
+| Global search hard rule | PASS | PASS | No global-searchable resource behavior is changed in this slice. |
+| Destructive action safety | PASS | PASS | The feature introduces no destructive action. |
+| Asset strategy | PASS | PASS | No new assets or `filament:assets` deployment change is required. |
+| Testing truth (TEST-TRUTH-001) | PASS | PASS | The plan adds tests around business consequences: false calmness, tenant identification, ordering, continuity, and RBAC-safe navigation behavior. |
+
+## Phase 0 Research
+
+Research outcomes are captured in `/Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/175-workspace-governance-attention/research.md`.
+
+Key decisions:
+
+- Reuse `WorkspaceOverviewBuilder` as the single orchestration point instead of creating a new workspace posture service.
+- Reuse `TenantGovernanceAggregateResolver` and `BaselineCompareStats` per visible tenant as the primary source for lapsed governance, overdue findings, expiring governance, high-severity active findings, and stale, failed, or materially degraded compare posture.
+- Count governance risk at the tenant level for workspace summary metrics so the workspace answer is “how many tenants need attention,” not “how many raw issues exist.”
+- Rank governance-critical tenant states above activity-only or alert-delivery-only items, while keeping operations and alerts available as lower-priority supporting attention.
+- Make every workspace attention item tenant-identifiable and map it to exactly one matching destination, with an RBAC-safe fallback or disabled/non-clickable explanatory state when the exact destination is not allowed.
+- Default zero-tenant recovery to the existing choose-workspace route and keep alert-only follow-up on the existing alerts overview route.
+- Keep `WorkspaceRecentOperations` as a diagnostic activity surface, not a governance surface.
+- Promote evidence or review truth only when an existing tenant-level evidence or review surface already carries a clearer next jump than the tenant dashboard fallback.
+- Lean on request-scoped derived-state caching to keep per-tenant aggregate resolution viable for normal workspace sizes without new persistence.
+
+## Phase 1 Design
+
+Design artifacts are created under `/Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/175-workspace-governance-attention/`:
+
+- `data-model.md`: persistent source truths and derived workspace attention contracts for this slice
+- `contracts/workspace-governance-attention.openapi.yaml`: internal surface contract for workspace governance-aware overview semantics and drill-through continuity
+- `quickstart.md`: focused implementation and verification workflow
+
+Design highlights:
+
+- `WorkspaceOverviewBuilder` remains the builder boundary and becomes responsible for deriving governance-aware summary metrics, attention candidates, and calmness claims from visible tenants only.
+- `TenantGovernanceAggregateResolver` is the primary source for governance-related tenant promotion, mirroring the mature tenant dashboard semantics rather than reinterpreting the same truth a second time.
+- Workspace summary metrics are split into scope, governance-risk, and activity categories so the stat strip can no longer blur portfolio activity with portfolio risk.
+- Workspace attention items become structured tenant-bound records carrying tenant label, problem family, urgency, and one primary drill-through target.
+- `WorkspaceNeedsAttention` remains bounded and prioritized, favoring the highest-value tenant signal per item instead of dumping every raw issue into the workspace surface.
+- Compare-driven workspace attention must preserve stale, failed, and materially degraded posture families rather than collapsing them into a single degraded-only bucket.
+- Compare attention promotes `STATE_STALE` directly and only treats `STATE_ACTION_REQUIRED` as materially degraded compare posture when the aggregate's next action remains compare-specific rather than findings-driven; `STATE_CAUTION` remains below the workspace-attention threshold unless another governance signal independently warrants promotion.
+- Existing evidence and review surfaces stay optional targets in this slice: they are only used when already-available truth makes them the most precise next jump.
+- Zero-tenant recovery defaults to `ChooseWorkspace`, and alert-only follow-up reuses the existing alerts overview at `/admin/alerts`.
+- `WorkspaceRecentOperations` remains a recency surface and is intentionally prevented from defining calmness on its own.
+
+## Phase 1 — Agent Context Update
+
+Run after artifact generation:
+
+- `.specify/scripts/bash/update-agent-context.sh copilot`
+
+## Project Structure
+
+### Documentation (this feature)
+
+```text
+specs/175-workspace-governance-attention/
+├── spec.md
+├── plan.md
+├── research.md
+├── data-model.md
+├── quickstart.md
+├── contracts/
+│   └── workspace-governance-attention.openapi.yaml
+├── checklists/
+│   └── requirements.md
+└── tasks.md
+```
+
+### Source Code (repository root)
+
+```text
+app/
+├── Filament/
+│   ├── Pages/
+│   │   ├── WorkspaceOverview.php
+│   │   ├── ChooseTenant.php
+│   │   ├── TenantDashboard.php
+│   │   └── BaselineCompareLanding.php
+│   ├── Resources/
+│   │   ├── FindingResource.php
+│   │   ├── EvidenceSnapshotResource.php
+│   │   └── TenantReviewResource.php
+│   └── Widgets/
+│       ├── Dashboard/
+│       │   └── NeedsAttention.php
+│       └── Workspace/
+│           ├── WorkspaceSummaryStats.php
+│           ├── WorkspaceNeedsAttention.php
+│           └── WorkspaceRecentOperations.php
+├── Models/
+│   ├── Finding.php
+│   ├── AlertDelivery.php
+│   ├── OperationRun.php
+│   ├── EvidenceSnapshot.php
+│   └── TenantReview.php
+├── Services/
+│   └── Auth/
+│       ├── WorkspaceCapabilityResolver.php
+│       └── CapabilityResolver.php
+└── Support/
+    ├── Auth/
+    │   └── Capabilities.php
+    ├── Baselines/
+    │   ├── BaselineCompareStats.php
+    │   ├── BaselineCompareSummaryAssessment.php
+    │   ├── BaselineCompareSummaryAssessor.php
+    │   ├── TenantGovernanceAggregate.php
+    │   └── TenantGovernanceAggregateResolver.php
+    ├── OperationRunLinks.php
+    └── Workspaces/
+        └── WorkspaceOverviewBuilder.php
+
+resources/
+└── views/
+    └── filament/
+        ├── pages/
+        │   └── workspace-overview.blade.php
+        └── widgets/
+            └── workspace/
+                ├── workspace-needs-attention.blade.php
+                └── workspace-recent-operations.blade.php
+
+tests/
+└── Feature/
+    └── Filament/
+        ├── WorkspaceOverviewAccessTest.php
+        ├── WorkspaceOverviewAuthorizationTest.php
+        ├── WorkspaceOverviewContentTest.php
+        ├── WorkspaceOverviewEmptyStatesTest.php
+        ├── WorkspaceOverviewLandingTest.php
+        ├── WorkspaceOverviewNavigationTest.php
+        ├── WorkspaceOverviewOperationsTest.php
+        ├── WorkspaceOverviewPermissionVisibilityTest.php
+        ├── WorkspaceOverviewGovernanceAttentionTest.php
+        ├── WorkspaceOverviewDbOnlyTest.php
+        ├── WorkspaceOverviewDrilldownContinuityTest.php
+        └── WorkspaceOverviewSummaryMetricsTest.php
+```
+
+**Structure Decision**: Keep the feature entirely inside the existing Laravel/Filament monolith. Extend the current workspace overview builder, workspace widgets, tenant truth helpers, and existing destination resources or pages instead of creating a new workspace domain layer.
+
+## Complexity Tracking
+
+> No Constitution Check violations are planned. No exceptions are currently justified.
+
+| Violation | Why Needed | Simpler Alternative Rejected Because |
+|-----------|------------|-------------------------------------|
+| — | — | — |
+
+## Proportionality Review
+
+> No new enum/status family, persisted entity, abstraction layer, taxonomy, or cross-domain UI framework is planned in this slice.
+
+- **Current operator problem**: The workspace home can look calm even when visible tenants already carry governance-critical problems.
+- **Existing structure is insufficient because**: Workspace aggregation currently stops at operations and alerts and fails to propagate already-mature tenant governance truth.
+- **Narrowest correct implementation**: Extend the existing workspace overview builder and widgets to consume existing tenant aggregates and destination contracts.
+- **Ownership cost created**: Modest additional workspace-level aggregation logic and focused regression coverage.
+- **Alternative intentionally rejected**: A new workspace posture subsystem, new persistence, or a matrix-style redesign.
+- **Release truth**: Current-release truth.
+
+## Implementation Strategy
+
+### Phase A — Reuse Existing Tenant Truth In The Workspace Builder
+
+**Goal**: Make `WorkspaceOverviewBuilder` governance-aware without creating a parallel truth layer.
+
+| Step | File | Change |
+|------|------|--------|
+| A.1 | `app/Support/Workspaces/WorkspaceOverviewBuilder.php` | Add a visible-tenant governance promotion pass that resolves `TenantGovernanceAggregate` for accessible tenants and builds a bounded set of governance candidates from overdue findings, lapsed governance, expiring governance, high-severity active findings, stale, failed, or materially degraded compare posture, and optionally already-available evidence or review attention. |
+| A.2 | `app/Support/Baselines/TenantGovernanceAggregateResolver.php` and existing tenant truth classes | Reuse existing aggregate outputs as-is; only add plan-level consumption, not a second interpretation layer. |
+| A.3 | `tests/Feature/Filament/WorkspaceOverviewGovernanceAttentionTest.php` plus existing overview tests | Prove that visible governance-critical tenants now surface on the workspace home even when operations are quiet. |
+
+### Phase B — Separate Governance Metrics From Activity Metrics
+
+**Goal**: Make the stat strip clearly answer risk versus activity instead of flattening them into one line of numbers.
+
+| Step | File | Change |
+|------|------|--------|
+| B.1 | `app/Support/Workspaces/WorkspaceOverviewBuilder.php` | Replace or augment the current `needs_attention` stat with one or more tenant-level governance-risk metrics such as tenants needing governance attention, tenants with overdue findings, tenants with lapsed governance, or tenants with stale, failed, or materially degraded compare posture. |
+| B.2 | `app/Filament/Widgets/Workspace/WorkspaceSummaryStats.php` and `resources/views/filament/pages/workspace-overview.blade.php` | Preserve the existing stat strip but ensure risk metrics and activity metrics are semantically and visually distinguishable through grouping, wording, and destination meaning. |
+| B.3 | `tests/Feature/Filament/WorkspaceOverviewSummaryMetricsTest.php` and existing content tests | Prove that governance metrics count affected visible tenants, activity metrics remain activity-only, and the two meanings are not mixed. |
+
+### Phase C — Make Workspace Attention Tenant-Addressable And Actionable
+
+**Goal**: Turn workspace attention into a real start surface with tenant identity, reason, priority, and next jump.
+
+| Step | File | Change |
+|------|------|--------|
+| C.1 | `app/Support/Workspaces/WorkspaceOverviewBuilder.php` | Expand the attention item payload to include tenant label, tenant route key or id, problem family, urgency, and one primary target kind. Keep every attention item tenant-bound, leave workspace-wide operations or alert totals in metrics or recency surfaces, and rank governance issues above activity-only items while keeping the list bounded. |
+| C.2 | `resources/views/filament/widgets/workspace/workspace-needs-attention.blade.php` | Render tenant identity, family, urgency, and one explicit primary action or a disabled explanatory state when the exact destination is not allowed. |
+| C.3 | `tests/Feature/Filament/WorkspaceOverviewDrilldownContinuityTest.php` and `tests/Feature/Filament/WorkspaceOverviewGovernanceAttentionTest.php` | Prove that each central attention family leads to the correct tenant dashboard, findings, compare, evidence, review, or operation destination and that dead-end links are not exposed. |
+
+### Phase D — Fix Workspace Calmness And Empty-State Semantics
+
+**Goal**: Stop the workspace home from claiming calmness when only operations are quiet.
+
+| Step | File | Change |
+|------|------|--------|
+| D.1 | `app/Support/Workspaces/WorkspaceOverviewBuilder.php` | Change empty-state and calmness logic so calm claims are suppressed whenever visible tenant governance or compare issues exist, even if operations and alerts are healthy. Keep zero-tenant states distinct from healthy states and default their recovery action to the existing choose-workspace route. |
+| D.2 | `app/Filament/Widgets/Workspace/WorkspaceNeedsAttention.php`, `resources/views/filament/pages/workspace-overview.blade.php`, and `resources/views/filament/widgets/workspace/workspace-needs-attention.blade.php` | Tighten copy so the workspace can say “nothing urgent” only for the domains actually checked and only when no visible governance-critical tenant state exists. |
+| D.3 | `tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php` and new governance attention coverage | Prove false calmness is suppressed and low-permission or zero-tenant scenarios remain clearly distinct from healthy calm. |
+
+### Phase E — Preserve Operations As Diagnostic Recency, Not Portfolio Posture
+
+**Goal**: Keep `WorkspaceRecentOperations` useful without letting it dominate workspace risk semantics.
+
+| Step | File | Change |
+|------|------|--------|
+| E.1 | `app/Filament/Widgets/Workspace/WorkspaceRecentOperations.php` and `resources/views/filament/widgets/workspace/workspace-recent-operations.blade.php` | Preserve existing recency behavior and row-open model, but ensure surrounding copy and page hierarchy keep it clearly subordinate to governance attention and summary metrics. |
+| E.2 | `tests/Feature/Filament/WorkspaceOverviewOperationsTest.php` and content tests | Prove operations remain filtered to the visible tenant slice, remain non-polling by default, and no longer define calmness on their own. |
+
+### Phase F — Tighten RBAC-Safe Destination Selection
+
+**Goal**: Ensure visible truth never creates a broken or misleading navigation path.
+
+| Step | File | Change |
+|------|------|--------|
+| F.1 | `app/Support/Workspaces/WorkspaceOverviewBuilder.php`, `app/Services/Auth/WorkspaceCapabilityResolver.php`, `app/Services/Auth/CapabilityResolver.php`, and tenant resource URL helpers | For each attention family, choose the most precise destination the current in-scope user may actually open; otherwise fall back to an allowed tenant dashboard or disabled explanatory state. Aggregate lapsed-governance attention stays tenant-bound but falls back to the tenant dashboard when the current findings filters would narrow the invalid-governance family. Alert-only follow-up reuses `/admin/alerts`, and zero-tenant recovery reuses `/admin/choose-workspace`. |
+| F.2 | `tests/Feature/Filament/WorkspaceOverviewPermissionVisibilityTest.php`, `WorkspaceOverviewAuthorizationTest.php`, and new drilldown tests | Prove non-members still receive `404`, hidden tenants do not affect visible output, and members missing downstream capability do not receive clickable dead-end links. |
+
+### Phase G — Verification And Formatting
+
+**Goal**: Lock the new workspace truth and performance contract in place.
+
+| Step | File | Change |
+|------|------|--------|
+| G.1 | Workspace overview focused test pack | Add or extend tests for governance promotion, stale, failed, and materially degraded compare breadth, ordering, tenant identity, summary metric separation, calmness suppression, zero-tenant next-step recovery, low-permission operations fallback, drill-through continuity, DB-only query-bounded rendering, and permission-safe fallbacks. |
+| G.2 | `vendor/bin/sail bin pint --dirty --format agent` and focused Pest runs | Apply formatting and run the smallest verification pack that covers the builder, workspace view rendering, and navigation behavior. |
+
+## Key Design Decisions
+
+### D-001 — Keep `WorkspaceOverviewBuilder` as the single orchestration boundary
+
+The repo already has one place that constructs the workspace overview payload. Extending that builder is narrower than inventing a separate workspace governance service or presenter layer.
+
+### D-002 — Promote tenant truth by tenant, not by raw issue count
+
+The workspace operator needs to know which tenants need attention first. A tenant-level risk count is a better workspace answer than raw issue totals because it preserves the MSP triage shape and avoids making one noisy tenant dominate the stat strip.
+
+### D-003 — Reuse `TenantGovernanceAggregate` before touching lower-level logic
+
+The tenant dashboard already uses a mature governance aggregate. Workspace attention should consume that same truth path rather than rebuilding overdue, lapsed, or compare logic with new ad-hoc queries.
+
+### D-004 — Keep workspace attention bounded and prioritized
+
+The spec hardens the workspace entry point, not a portfolio matrix. The workspace home should surface the top visible reasons to act, not every raw tenant issue. One high-value item per visible problem family is preferable to a noisy stream.
+
+### D-005 — Treat evidence and review as opportunistic precision targets
+
+Evidence and reviews are in scope only when they already represent the best existing tenant-level next jump. They are not a reason to create a new workspace evidence or review aggregate in this slice.
+
+### D-006 — Calmness is a checked-domain claim, not a decorative empty state
+
+The workspace may only look calm when both governance and activity signals in visible scope are calm. Operations-only quietness is never enough.
+
+### D-007 — Disabled or fallback navigation is preferable to dead-end clicks
+
+If the current in-scope user can see that a tenant has a problem but cannot open the most precise destination, the UI must not offer a clickable link that fails later. The surface must either choose an allowed fallback or render a disabled explanatory state.
+
+## Risk Assessment
+
+| Risk | Impact | Likelihood | Mitigation |
+|------|--------|------------|------------|
+| Workspace attention becomes noisy by promoting too many tenant signals | High | Medium | Bound the list, rank governance-critical families first, and cap per-page attention items. |
+| Per-tenant aggregate resolution introduces avoidable N+1 behavior | High | Medium | Reuse `TenantGovernanceAggregateResolver` request-scoped caching and keep the visible tenant slice bounded. |
+| Workspace and tenant truth diverge because workspace logic starts reinterpreting the same facts | High | Medium | Consume `TenantGovernanceAggregate` and existing destinations instead of rebuilding semantics with ad-hoc query logic. |
+| Capability gaps create misleading or broken drill-throughs | High | Medium | Implement explicit destination selection with fallback or disabled states and cover it with focused tests. |
+| Calmness copy still overstates health after the change | Medium | Medium | Add explicit calmness-suppression tests covering quiet-ops but risky-governance scenarios. |
+
+## Test Strategy
+
+- Extend existing workspace overview tests to preserve landing, navigation, authorization, permission visibility, and operations-slice behavior.
+- Add focused governance attention coverage for overdue findings, lapsed governance, expiring governance, high-severity active findings, stale, failed, or materially degraded compare posture, and quiet-ops-but-risky-governance scenarios.
+- Add summary-metric tests proving governance-risk metrics count affected visible tenants rather than raw issue counts and remain distinct from activity metrics.
+- Add drill-through continuity tests covering tenant dashboard fallback, findings filters, baseline compare landing, evidence or review targets where applicable, and canonical operation detail or index routes.
+- Add permission-sensitive tests ensuring non-members remain `404`, invisible tenants do not affect visible output, members missing a downstream capability get a safe fallback or disabled state rather than a clickable dead end, and zero-tenant members receive the choose-workspace recovery action instead of healthy calm messaging.
+- Add DB-only and query-bounding verification so render-time aggregation stays inside the plan's performance constraints and benefits from existing request-scoped caching.
+- Keep the verification pack Sail-first and run `vendor/bin/sail bin pint --dirty --format agent` before closing implementation.
+
+## Constitution Check (Post-Design)
+
+Re-check result: PASS.
+
+- Livewire v4.0+ compliance: preserved because the design stays inside existing Filament v5 widgets and pages.
+- Provider registration location: unchanged; no panel/provider registration work is needed beyond the existing `bootstrap/providers.php` setup.
+- Global-searchable resources: unchanged; no resource search behavior is altered.
+- Destructive actions: unchanged; the feature adds no destructive action and therefore no new confirmation flow.
+- Asset strategy: unchanged; no new asset bundle or deploy-time asset step is introduced.
+- Testing plan: focused Pest coverage will be added or extended for workspace overview rendering, governance promotion, calmness suppression, summary metric separation, drill-through continuity, and RBAC-safe behavior.

specs/175-workspace-governance-attention/quickstart.md

@@ -0,0 +1,121 @@
+# Quickstart: Workspace Governance Attention Foundation
+
+## Goal
+
+Validate that `/admin` no longer appears calm when visible tenants carry governance-critical conditions, that workspace summary metrics distinguish risk from activity, and that workspace attention items identify the correct tenant and open the correct next surface.
+
+## Prerequisites
+
+1. Start Sail.
+2. Ensure you have one workspace with multiple visible tenants and current workspace session context.
+3. Prepare seeded tenant scenarios for:
+   - no governance-critical conditions and no unusual activity
+   - overdue findings with otherwise quiet operations
+   - lapsed governance
+   - expiring governance
+   - high-severity active findings
+   - stale, failed, or materially degraded compare posture
+   - activity-only workspace noise with otherwise healthy governance posture
+   - optional existing evidence or review attention if those truth surfaces are already available
+4. Prepare one workspace member who can see the workspace home but lacks at least one downstream tenant destination capability so disabled or fallback attention behavior can be verified.
+5. Prepare one workspace member who belongs to the workspace but has zero accessible tenants so the choose-workspace recovery path can be verified.
+
+## Implementation Validation Order
+
+### 1. Run the existing workspace overview baseline pack
+
+```bash
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewAccessTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewAuthorizationTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewLandingTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewNavigationTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewContentTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewPermissionVisibilityTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewOperationsTest.php
+```
+
+Expected outcome:
+- The existing workspace home still renders, remains workspace-scoped, and preserves current access and operations behavior.
+
+### 2. Run focused governance-attention coverage
+
+```bash
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewGovernanceAttentionTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewSummaryMetricsTest.php
+```
+
+Expected outcome:
+- Visible tenants with overdue findings, lapsed governance, expiring governance, high-severity active findings, or stale, failed, or materially degraded compare posture now promote governance attention into the workspace home.
+- Governance-risk metrics count affected tenants and remain distinct from operations or alerts volume.
+
+### 3. Run drill-through continuity and RBAC-safe navigation coverage
+
+```bash
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewDrilldownContinuityTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewPermissionVisibilityTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewAuthorizationTest.php
+```
+
+Expected outcome:
+- Workspace attention items carry tenant context and open the correct findings, compare, evidence, review, tenant dashboard, or operations destination.
+- Members missing a downstream capability do not receive clickable dead-end links.
+
+### 4. Re-run workspace empty-state and calmness coverage
+
+```bash
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewGovernanceAttentionTest.php --filter=calm
+```
+
+Expected outcome:
+- The workspace no longer renders a calm or “nothing urgent” state when visible governance-critical tenant conditions exist.
+- Zero-tenant and low-permission states remain clearly distinct from healthy calmness, zero-tenant recovery defaults to `Switch workspace`, and permission-limited recovery defaults to `Open operations` unless a more specific allowed action exists.
+
+### 5. Format touched files
+
+```bash
+vendor/bin/sail bin pint --dirty --format agent
+```
+
+Expected outcome:
+- All changed implementation files conform to project formatting rules.
+
+### 6. Run the final focused verification pack
+
+```bash
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewAccessTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewAuthorizationTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewLandingTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewNavigationTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewContentTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewPermissionVisibilityTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewOperationsTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewDbOnlyTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewGovernanceAttentionTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewSummaryMetricsTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewDrilldownContinuityTest.php
+```
+
+Expected outcome:
+- The formatted implementation preserves landing, authorization, content, empty-state, operations, governance-attention, stat-separation, and drill-through contracts for the workspace home.
+
+## Manual Smoke Check
+
+1. Open `/admin` for a workspace where one visible tenant has overdue findings but operations are quiet.
+2. Confirm the workspace home does not read as calm and identifies the tenant explicitly.
+3. Open `/admin` for a workspace where a visible tenant has lapsed governance or stale, failed, or materially degraded compare posture and confirm that tenant is prioritized above activity-only items.
+4. Click a governance attention item and confirm the destination reproduces the same tenant problem family.
+5. Verify that the summary strip clearly distinguishes tenant risk from active operations.
+6. Switch to a healthy workspace and confirm calm wording only appears when both governance and activity domains are truly calm within visible scope.
+7. Sign in as the zero-tenant workspace member and confirm the workspace does not look healthy and instead offers `Switch workspace` as the next action.
+8. Sign in as the permission-limited workspace member and confirm visible attention does not expose a clickable dead-end link and the page still presents `Open operations` as the valid workspace-safe next action.
+
+## Non-Goals For This Slice
+
+- No database migration.
+- No new Graph contract or provider workflow.
+- No full portfolio matrix or posture score.
+- No new workspace evidence or review aggregate.
+- No conversion of recent operations into a primary governance queue.

specs/175-workspace-governance-attention/research.md

@@ -0,0 +1,105 @@
+# Phase 0 Research: Workspace Governance Attention Foundation
+
+## Decision: Reuse `WorkspaceOverviewBuilder` as the single orchestration point for workspace governance attention
+
+**Rationale**: The current workspace home already builds one typed payload through `WorkspaceOverviewBuilder`, and it already applies visible-tenant scoping plus workspace capability checks before computing metrics, attention, and recency. The missing behavior is not a missing builder seam; it is that the builder currently stops at operations and alerts. Extending that existing orchestration point is narrower than creating a second workspace posture service.
+
+**Alternatives considered**:
+- Create a new workspace posture builder or presenter layer: rejected because it would duplicate ownership and violate the repo's bias toward few layers.
+- Push governance promotion into widget-local queries: rejected because it would spread truth ownership across multiple workspace widgets.
+
+## Decision: Reuse `TenantGovernanceAggregateResolver` and `BaselineCompareStats` per visible tenant instead of inventing workspace-local governance logic
+
+**Rationale**: The tenant dashboard already uses `TenantGovernanceAggregate`, `BaselineCompareStats`, and `BaselineCompareSummaryAssessor` to answer exactly the governance questions Spec 175 wants to surface at workspace level: overdue findings, lapsed governance, expiring governance, high-severity active findings, and stale, failed, or materially degraded compare posture. Workspace attention should promote that existing tenant truth, not reinterpret it with a weaker query path.
+
+**Alternatives considered**:
+- Create a workspace-only aggregation query for overdue, lapsed, and compare states: rejected because it would split truth ownership away from the existing tenant governance path.
+- Create a persisted workspace governance summary: rejected because the spec explicitly forbids new persistence and the problem is request-time semantics, not lifecycle truth.
+
+## Decision: Count governance risk by affected tenant, not by raw issue total, in workspace summary metrics
+
+**Rationale**: The workspace question is “which tenants need attention” rather than “how many findings exist.” Counting visible tenants with overdue findings, lapsed governance, or stale, failed, or materially degraded compare posture gives the operator a portfolio answer and avoids one noisy tenant dominating the workspace strip.
+
+**Alternatives considered**:
+- Show raw totals for overdue findings or lapsed exceptions across the whole workspace: rejected because it weakens triage value and makes the summary less tenant-actionable.
+- Keep the existing single `needs attention` count derived from operations and alerts only: rejected because it preserves the false-calm problem.
+
+## Decision: Rank governance-critical tenant states above activity-only and alert-delivery-only items
+
+**Rationale**: The spec explicitly requires governance-critical states such as lapsed governance, overdue findings, high-severity active findings, and stale, failed, or materially degraded compare posture to outrank active operations and alert-delivery failures. Workspace attention should still include operations or alerts, but only after governance-critical tenant problems have had a chance to surface.
+
+**Alternatives considered**:
+- Keep current recency-first ordering with governance added lower down: rejected because it still lets busy but healthier workspaces look more urgent than risky but quiet ones.
+- Remove operations and alerts entirely: rejected because they remain useful as supporting attention once governance-critical signals are represented.
+
+## Decision: Make every workspace attention item tenant-identifiable with one primary destination
+
+**Rationale**: The current workspace attention items are generic operations or alert items. Spec 175 requires tenant identity, problem family, relevance, and next jump. A bounded item contract with tenant label plus one primary destination is the narrowest way to satisfy this without turning the workspace home into a matrix or a second diagnostics page.
+
+**Alternatives considered**:
+- Continue using generic titles like “operations are still running”: rejected because it does not answer which tenant to open first.
+- Add multiple buttons per item: rejected because it makes the attention surface noisier and less decisive.
+
+## Decision: Use RBAC-safe fallback or disabled explanatory states instead of dead-end drill-throughs
+
+**Rationale**: Some workspace members may be able to see that a tenant has a problem but may not hold the most precise downstream capability, such as findings inspection. The constitution permits visible disabled states for in-scope members. The safest behavior is to choose an allowed fallback such as the tenant dashboard or to render a disabled explanatory state instead of a clickable link that ends in `403`.
+
+**Alternatives considered**:
+- Hide the tenant problem entirely when the precise destination is not allowed: rejected because it can make the workspace appear calmer than reality.
+- Always link to the precise destination and rely on downstream authorization failure: rejected because the spec forbids dead-end drill-throughs.
+
+## Decision: Default zero-tenant recovery to the existing choose-workspace route
+
+**Rationale**: The current admin workspace flow already uses `/admin/choose-workspace` as the canonical recovery surface when no usable workspace or tenant context is available. Reusing that existing route keeps the workspace overview honest for zero-tenant members without inventing a new recovery surface or asking them to infer the next step.
+
+**Alternatives considered**:
+- Treat zero-tenant state as a healthy calm empty state: rejected because it hides a scope problem as a health signal.
+- Default zero-tenant recovery to a workspace-management surface: rejected because many members can switch workspace but cannot manage workspace memberships.
+
+## Decision: Route alert-only follow-up to the existing alerts overview at `/admin/alerts`
+
+**Rationale**: The app already has an admin alerts overview that serves as the canonical entry point for alert health, rules, and delivery follow-up. Using that route for workspace alert-only attention is narrower and more stable than inventing a new alert-delivery deep-link contract inside this slice.
+
+**Alternatives considered**:
+- Send alert-only attention directly to an alert-deliveries list route: rejected because the current operator surface is the alerts overview at `/admin/alerts`.
+- Drop alert-only follow-up entirely: rejected because alert delivery remains a valid supporting attention family once governance-critical items are represented.
+
+## Decision: Keep evidence and review promotion opportunistic, not foundational, in this slice
+
+**Rationale**: The codebase already has tenant evidence and review resources, but the current workspace overview has no evidence or review aggregation. Spec 175 allows evidence or review issues where already available. The narrow implementation is to use those surfaces only when existing tenant truth already provides a clear problem family and a clear target, not to build a new workspace evidence or review subsystem.
+
+**Alternatives considered**:
+- Exclude evidence and review entirely: rejected because the spec explicitly leaves room for them where they already provide value.
+- Build a dedicated workspace evidence or review aggregate now: rejected because it exceeds the foundation scope of the feature.
+
+## Decision: Keep `WorkspaceRecentOperations` as diagnostic recency, not portfolio posture
+
+**Rationale**: The current recent-operations widget already serves a clear supporting role and is covered by existing tests that verify visible-tenant filtering and the absence of polling. The spec does not require changing its query model; it requires preventing that surface from being mistaken for the workspace's main truth surface.
+
+**Alternatives considered**:
+- Expand recent operations into the primary attention owner: rejected because it would keep the workspace entry point operations-centered.
+- Remove recent operations from the overview: rejected because it still provides useful context when subordinated to governance attention.
+
+## Decision: Treat workspace calmness as a checked-domain claim instead of an operations-only empty state
+
+**Rationale**: The current `WorkspaceNeedsAttention` empty state says “Nothing urgent in your current scope” and explains that recent operations and alert deliveries look healthy. That wording is only valid if the page is consciously limiting its claim to those domains. After governance promotion, calm messaging must be based on both governance and activity signals in visible scope, or else be narrowed explicitly.
+
+**Alternatives considered**:
+- Keep the current empty-state wording and rely on new governance items to suppress it sometimes: rejected because the wording still over-claims portfolio health.
+- Remove calm messaging entirely: rejected because a truthful all-clear remains useful when the covered domains are genuinely calm.
+
+## Decision: Lean on request-scoped derived-state caching instead of new persistence for performance
+
+**Rationale**: `TenantGovernanceAggregateResolver` already uses request-scoped derived-state caching. That makes per-visible-tenant governance resolution viable for the workspace overview without introducing a new summary table or materialized view. This keeps the implementation within the spec's no-new-persistence constraint.
+
+**Alternatives considered**:
+- Add a cached database aggregate or background precompute job: rejected because it introduces durability and lifecycle cost the feature does not need.
+- Resolve all tenant governance truth from raw ad-hoc queries without using the resolver: rejected because it ignores an existing request-scope caching seam and increases drift risk.
+
+## Decision: Protect the feature with focused workspace overview regression tests instead of manual review alone
+
+**Rationale**: The highest-risk failures are semantic: false calmness, wrong tenant prioritization, missing tenant labels, or broken destinations. Existing workspace overview tests already cover access, landing, navigation, permission visibility, empty states, content, and operations slice behavior. Extending that suite with governance attention and drill-through coverage is the narrowest way to keep this contract stable.
+
+**Alternatives considered**:
+- Rely on manual browser review only: rejected because semantic regressions are subtle and easy to reintroduce.
+- Build a full browser-based suite first: rejected because focused Pest coverage is already the repo's normal enforcement layer for Filament truth contracts.

specs/175-workspace-governance-attention/spec.md

@@ -0,0 +1,238 @@
+# Feature Specification: Spec 175 - Workspace Governance Attention Foundation
+
+**Feature Branch**: `175-workspace-governance-attention`  
+**Created**: 2026-04-04  
+**Status**: Draft  
+**Input**: User description: "Spec 175 — Workspace Governance Attention Foundation"
+
+## Spec Scope Fields *(mandatory)*
+
+- **Scope**: workspace + canonical-view
+- **Primary Routes**:
+  - `/admin` as the workspace-level overview where `WorkspaceOverview`, `WorkspaceSummaryStats`, `WorkspaceNeedsAttention`, and `WorkspaceRecentOperations` establish the first portfolio triage impression
+  - `/admin/choose-workspace` as the default workspace-switch recovery surface for zero-tenant or wrong-workspace states
+  - `/admin/choose-tenant` as the deliberate tenant-entry surface when the operator needs to move from workspace triage into one tenant
+  - `/admin/t/{tenant}` as the tenant dashboard destination for tenant-wide recovery when a workspace attention item needs a broad tenant landing point
+  - `/admin/t/{tenant}/findings` and tenant finding detail routes as the primary findings and governance drill-through destinations
+  - `/admin/t/{tenant}/baseline-compare-landing` as the compare-posture destination for stale, failed, or materially degraded compare states
+  - `/admin/alerts` as the canonical alert overview and delivery follow-up destination for workspace alert issues
+  - `/admin/operations` and canonical operation detail routes as the operations and execution follow-up destinations
+  - `/admin/t/{tenant}/evidence` and `/admin/t/{tenant}/reviews` only when an attention item is backed by already-visible evidence or review truth that is more precise than a generic tenant landing
+- **Data Ownership**:
+  - Workspace-owned: workspace context, workspace home composition, workspace-scoped recent operations, and alert-delivery history already summarized on the workspace home
+  - Tenant-owned but workspace-filtered: visible tenant governance state, findings workflow state, evidence and review truth, and tenant-scoped compare posture that may be promoted into workspace attention
+  - This feature introduces no new workspace summary record; workspace attention, calmness, and governance stats remain derived over existing workspace and tenant truth
+- **RBAC**:
+  - Workspace membership remains required to render `/admin` and all workspace-level overview aggregates
+  - Only tenants that are visible within the current operator's entitled workspace scope may contribute to workspace counts, calmness suppression, or attention items
+  - Alert-related destinations continue to require the existing alert visibility permission, while tenant drill-through destinations continue to require the current tenant-level inspection capability for that surface; baseline compare currently rides on general `tenant.view` rather than a dedicated compare-specific capability
+  - Non-members or out-of-scope actors remain deny-as-not-found, and the workspace home must not leak hidden tenant posture through counts, wording, or drill-through affordances
+
+For canonical-view specs, the spec MUST define:
+
+- **Default filter behavior when tenant-context is active**: The workspace home remains workspace-scoped even if a tenant was selected earlier in the session. The overview itself must not silently collapse into one tenant. Any drill-through launched from workspace attention or governance stats must preserve the originating tenant and problem family through tenant context or an equivalent pre-applied destination filter.
+- **Explicit entitlement checks preventing cross-tenant leakage**: Workspace counts, calmness claims, priority order, and drill-through destinations must be computed only from visible tenants and visible truth surfaces. Inaccessible tenants must not contribute to `needs attention`, governance-risk stats, or empty-state suppression. If a precise destination is not authorized for the current in-scope user, the workspace surface must use an allowed fallback or remove the clickable affordance instead of hinting at hidden data.
+
+## UI/UX Surface Classification *(mandatory when operator-facing surfaces are changed)*
+
+| Surface | Surface Type | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type |
+|---|---|---|---|---|---|---|---|---|---|---|---|
+| Workspace overview page | Workspace landing page | The page itself is the canonical workspace entry and hosts the embedded triage surfaces | forbidden | quick actions section only | none | `/admin` | none | Active workspace identity stays visible and embedded items must keep tenant labels explicit | Overview | Whether the workspace currently has governance attention and how that differs from raw activity | Singleton landing surface |
+| Workspace `Needs Attention` | Embedded triage summary | Each attention item opens one matching working surface for the named tenant problem | required | none | none | `/admin` | Existing tenant dashboard, findings, baseline compare, evidence, review, or operation detail destination depending on item type | Tenant name, problem family, and urgency must be visible on the item before navigation | Attention / Attention item | The most important visible tenant problems and where to go next | Multi-destination triage surface |
+| Workspace summary stats | Embedded status summary / drill-in surface | Each stat opens one matching destination or remains intentionally passive when no actionable set exists | forbidden | none | none | `/admin` | Matching destination for the metric, such as choose tenant, findings, compare, or operations | Workspace identity and a clear split between governance risk and activity volume | Governance attention and Operations | Portfolio risk counts are separated from portfolio activity counts | Mixed metric summary surface |
+| Workspace recent operations | Embedded diagnostic recency surface | Each operation row or card opens the canonical operation detail | required | none | none | `/admin/operations` | Existing canonical operation detail route | Workspace context plus visible tenant label on each operation keeps the recency list anchored to one tenant when relevant | Operations / Operation | Recent execution context without pretending to be the main portfolio-risk summary | Diagnostic recency surface |
+
+## Operator Surface Contract *(mandatory when operator-facing surfaces are changed)*
+
+| Surface | Primary Persona | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
+|---|---|---|---|---|---|---|---|---|---|
+| Workspace overview page | Workspace operator | Workspace landing page | Which tenants need attention first, and is this workspace actually calm or only operationally quiet? | Workspace identity, governance-aware summary stats, prioritized attention, and recent activity as supporting context | Deep run metadata, raw compare internals, and low-level workflow detail remain on downstream pages | governance attention, compare posture, findings pressure, evidence or review trust where already available, operations activity | none | Choose tenant, open an attention item destination, open operations | none |
+| Workspace `Needs Attention` | Workspace operator | Embedded triage summary | Which tenant needs attention now, why, and where should I jump? | Tenant label, problem family, urgency, and one clear next destination | Low-level evidence payloads, verbose status histories, and raw query context remain secondary | governance issue, findings issue, compare issue, evidence or review issue, operations issue | none | Open the matching tenant dashboard, findings list, compare landing, evidence or review surface, or operation detail | none |
+| Workspace summary stats | Workspace operator | Embedded status summary / drill-in surface | How much of this workspace is active, and how much of it is governance risk? | Small set of trustworthy counts with explicit governance versus activity meaning | Full tenant-by-tenant breakdown and historical trends remain outside the stat strip | governance attention volume, activity volume | none | Open the matching aggregate destination or tenant entry point | none |
+| Workspace recent operations | Workspace operator | Embedded diagnostic recency surface | What has run recently if I need execution context? | Recent operations with tenant label, status, outcome, and recency | Full operation timeline, payload diagnostics, and longer history remain in operations surfaces | recency, execution status, execution outcome | none | Open the selected operation detail | none |
+
+## Proportionality Review *(mandatory when structural complexity is introduced)*
+
+- **New source of truth?**: No. Existing tenant governance, findings, compare, evidence, review, operations, and alert truth remain authoritative.
+- **New persisted entity/table/artifact?**: No. This feature explicitly avoids a new workspace posture record or aggregate table.
+- **New abstraction?**: No. The narrow change is to tighten workspace aggregation and presentation semantics on existing surfaces.
+- **New enum/state/reason family?**: No. Existing governance, compare, findings, and operations state families remain authoritative.
+- **New cross-domain UI framework/taxonomy?**: No. The feature aligns existing workspace and tenant surfaces without creating a new posture framework or score system.
+- **Current operator problem**: The workspace home can look calm while visible tenants already have governance-critical conditions, which makes the portfolio entry point weaker than the tenant truth operators already rely on.
+- **Existing structure is insufficient because**: The current workspace overview summarizes operations and alert activity well enough, but it does not promote tenant governance truth strongly enough to stop false calmness or answer which tenant to open first.
+- **Narrowest correct implementation**: Reuse existing tenant governance, findings, compare, and already-available evidence or review truth to harden workspace stats, attention, and empty-state semantics on the current workspace home.
+- **Ownership cost**: The repo takes on stricter workspace aggregation rules, a modest amount of copy tightening, and regression coverage for priority order, calmness suppression, and drill-through continuity.
+- **Alternative intentionally rejected**: A full portfolio matrix, a workspace posture score, a major workspace redesign, or a new persisted posture model was rejected because the immediate gap is truth propagation on the existing workspace entry point.
+- **Release truth**: Current-release truth. The semantic risk already exists on the shipped workspace overview.
+
+## User Scenarios & Testing *(mandatory)*
+
+### User Story 1 - See The Right Tenant First (Priority: P1)
+
+As a workspace operator, I want the workspace home to surface governance-critical tenants before operational noise so that I can start triage from the riskiest visible tenant instead of from the most recent activity.
+
+**Why this priority**: The feature only delivers value if the workspace entry point stops feeling quieter than the visible tenant truth.
+
+**Independent Test**: Can be fully tested by seeding multiple visible tenants with mixes of overdue findings, lapsed governance, stale, failed, or materially degraded compare posture, high-severity active findings, alert failures, and active operations, then verifying that workspace attention promotes governance-critical tenants first.
+
+**Acceptance Scenarios**:
+
+1. **Given** one visible tenant has lapsed governance and another only has active operations, **When** the operator opens `/admin`, **Then** the governance-critical tenant is surfaced as higher-priority workspace attention.
+2. **Given** a visible tenant has overdue findings while operations and alerts look healthy, **When** the workspace home loads, **Then** the page still presents governance attention instead of an all-clear impression.
+3. **Given** a visible tenant has stale, failed, or materially degraded compare posture but little recent activity, **When** the workspace home loads, **Then** compare risk remains visible on the workspace entry point.
+
+---
+
+### User Story 2 - Distinguish Risk From Activity (Priority: P1)
+
+As a workspace operator, I want the workspace home to separate governance risk from operations activity so that I can tell whether the portfolio is risky, merely busy, or genuinely calm.
+
+**Why this priority**: A workspace overview that mixes posture and activity cannot support MSP triage with confidence.
+
+**Independent Test**: Can be fully tested by rendering the workspace home in scenarios that contain only activity, only governance risk, both, or neither, then verifying that stats, attention, and empty states describe those cases differently.
+
+**Acceptance Scenarios**:
+
+1. **Given** the workspace has active operations but no visible governance-critical tenant states, **When** the overview renders, **Then** activity appears without governance-risk wording.
+2. **Given** the workspace has no failed runs or alert failures but visible overdue findings exist, **When** the overview renders, **Then** the page does not present a calm empty state.
+3. **Given** the workspace has no visible governance-critical states and no unusual operations issues, **When** the overview renders, **Then** calm messaging may appear and must match the covered truth domains.
+
+---
+
+### User Story 3 - Jump Into The Right Tenant Surface (Priority: P2)
+
+As a workspace operator, I want each attention item to carry tenant identity and a trustworthy next jump so that I can recover the same problem family immediately on a tenant-level working surface.
+
+**Why this priority**: Workspace attention is only trustworthy if the operator can click it and rediscover the same tenant problem without guesswork.
+
+**Independent Test**: Can be fully tested by seeding representative workspace attention cases and verifying that each item names the tenant, names the problem family, and lands on the matching tenant dashboard, findings, compare, evidence, review, or operation destination.
+
+**Acceptance Scenarios**:
+
+1. **Given** a workspace attention item represents overdue findings for one visible tenant, **When** the operator opens it, **Then** the destination is that tenant's findings surface or a precise allowed fallback that preserves the same problem meaning.
+2. **Given** a workspace attention item represents stale, failed, or materially degraded compare posture, **When** the operator opens it, **Then** the destination is the same tenant's baseline compare landing.
+3. **Given** the operator can see a tenant on the workspace home but lacks a precise downstream capability, **When** the attention surface renders, **Then** it uses an allowed fallback or a disabled non-clickable state instead of a dead-end drill-through.
+
+### Edge Cases
+
+- A single visible tenant may have multiple governance-critical conditions at the same time; the workspace home must stay bounded while still exposing the tenant identity and the highest-priority next action.
+- A workspace may be operationally quiet while one or more visible tenants still have overdue findings, lapsed governance, high-severity active findings, or stale, failed, or materially degraded compare posture; calm messaging must stay suppressed in that case.
+- A workspace may be busy but healthy from a governance perspective; governance-risk stats and attention must remain calm even when recent operations are active.
+- Some visible tenants may contribute only through a broader tenant dashboard drill-through because the operator lacks a more specific downstream capability; the workspace home must not create dead-end links or authorization surprises.
+- A user may belong to the workspace but have zero accessible tenants; the zero-tenant state must remain distinct from a healthy calm state and must still provide one valid next step.
+- Evidence or review truth may already indicate attention for a visible tenant even when operations are quiet; if that truth is already surfaced on tenant-level pages, the workspace home should be able to promote it without inventing a parallel status language.
+
+## Requirements *(mandatory)*
+
+**Constitution alignment (required):** This feature introduces no new Microsoft Graph call, no new write workflow, and no new queued or scheduled operation. It hardens the workspace home by promoting already-existing tenant-level truth into existing workspace surfaces.
+
+**Constitution alignment (PROP-001 / ABSTR-001 / PERSIST-001 / STATE-001 / BLOAT-001):** This feature is intentionally narrow. It adds no new persistence, no new abstraction layer, no new status family, and no new posture framework. The required change is truthful workspace aggregation over existing tenant truth.
+
+**Constitution alignment (OPS-UX):** No new `OperationRun` type, progress surface, or execution path is introduced. Existing operations surfaces remain the sole execution-truth surfaces. This slice only changes how the workspace home summarizes and points to those existing operations.
+
+**Constitution alignment (RBAC-UX):** The feature lives in the admin workspace plane at `/admin` with drill-through into tenant-context or canonical admin destinations. Non-members or out-of-scope actors remain `404`. In-scope members lacking a downstream capability remain governed by existing server-side authorization on that destination. Workspace aggregation must stay capability-safe and tenant-safe: hidden tenants must not influence visible counts or wording, and attention items must not become clickable dead ends. If the semantically correct destination is not authorized, the item may only remain if an allowed fallback still preserves tenant and problem meaning. No destructive action is introduced.
+
+**Constitution alignment (OPS-EX-AUTH-001):** Not applicable. No authentication-handshake behavior is changed.
+
+**Constitution alignment (BADGE-001):** Existing centralized badge or tone semantics for findings severity, compare posture, and operations status or outcome remain the semantic source. This feature may expose those existing meanings at workspace level, but it must not invent page-local badge vocabularies for calmness, risk, or urgency.
+
+**Constitution alignment (UI-FIL-001):** The feature reuses the existing Filament page and workspace widgets, existing stat cards, and existing shared status primitives. It should harden semantics through aligned copy, ordering, and drill-through meaning rather than through custom local status markup or a new widget family.
+
+**Constitution alignment (UI-NAMING-001):** Operator-facing vocabulary must keep `Governance`, `Findings`, `Baseline Compare`, `Evidence`, `Reviews`, `Operations`, and `Needs attention` distinct. Calm wording must not imply portfolio health when the page only proves operational quietness.
+
+**Constitution alignment (UI-CONST-001 / UI-SURF-001 / UI-HARD-001 / UI-EX-001 / UI-REVIEW-001):** The workspace overview remains the canonical workspace landing surface. `WorkspaceNeedsAttention` is the primary workspace triage surface. `WorkspaceSummaryStats` is a supporting summary strip and must separate risk from activity. `WorkspaceRecentOperations` remains diagnostic recency, not posture. Each affected surface must keep one primary inspect or open model and must not add redundant affordances.
+
+**Constitution alignment (OPSURF-001):** Default-visible content on `/admin` must stay operator-first. Workspace identity, governance attention, and the distinction between risk and activity must remain visible before any diagnostic detail. Mutation scope remains none for all affected surfaces.
+
+**Constitution alignment (UI-SEM-001 / LAYER-001 / TEST-TRUTH-001):** The feature must not create a new workspace posture layer, presenter framework, or persisted summary. It should instead align workspace semantics directly on top of existing tenant governance, findings, compare, evidence, review, and operations truth. Tests must protect business consequences such as false calmness, missing tenant labels, or broken drill-through continuity.
+
+**Constitution alignment (Filament Action Surfaces):** The Action Surface Contract remains satisfied. `WorkspaceOverview` and its widgets remain inspection and drill-through surfaces with no destructive actions, no empty action groups, and no redundant `View` actions. Embedded widgets are exempt from list-action conventions where they are not tables, but each still needs one primary open model.
+
+**Constitution alignment (UX-001 — Layout & Information Architecture):** This feature does not add create or edit screens. It refines the existing workspace landing page. Governance attention must stay above recent operations context, and empty states must use specific, bounded wording plus exactly one next step instead of broad health claims.
+
+### Functional Requirements
+
+- **FR-175-001**: The workspace home MUST become governance-aware rather than remaining a purely operations and alerts summary.
+- **FR-175-002**: Workspace attention MUST be able to surface, when present within visible scope, at least lapsed governance, overdue findings, high-severity active findings, and stale, failed, or materially degraded compare posture.
+- **FR-175-003**: Workspace attention SHOULD also be able to promote already-available evidence or review truth when that truth is more actionable than a generic tenant landing.
+- **FR-175-004**: Every workspace attention item MUST clearly identify the tenant, the problem family, the urgency or relevance, and one clear next jump.
+- **FR-175-005**: Workspace attention MUST semantically distinguish governance issues, findings issues, compare posture issues, evidence or review issues, and operations issues rather than flattening them into one generic alert stream.
+- **FR-175-006**: Governance-critical tenant states MUST rank at least as high as, and ordinarily above, active-operations-only or alert-delivery-only items in workspace attention ordering.
+- **FR-175-007**: The workspace home MUST NOT appear calmer or healthier than the worst visible tenant condition covered by its workspace attention and summary surfaces.
+- **FR-175-008**: Calm or empty states on the workspace home MUST only claim calmness across the signal families that were actually checked and MUST NOT imply full portfolio health merely because operations or alerts are quiet.
+- **FR-175-009**: Workspace summary stats MUST include at least one real governance-risk metric such as tenants needing governance attention, tenants with overdue findings, tenants with lapsed governance, or tenants with stale, failed, or materially degraded compare posture.
+- **FR-175-010**: Workspace summary stats MUST clearly separate governance attention from activity or volume so an operator can tell whether the portfolio is risky, busy, both, or neither.
+- **FR-175-011**: Every workspace attention item MUST resolve to one semantically matching destination surface such as the tenant dashboard, tenant findings, tenant baseline compare, tenant evidence, tenant reviews, or canonical operations detail.
+- **FR-175-012**: When the exact matching destination is not authorized for the current in-scope user, the workspace home MUST use an allowed fallback that preserves tenant and problem meaning or suppress the clickable affordance rather than exposing a dead-end drill-through.
+- **FR-175-013**: Workspace aggregation MUST reuse existing tenant governance aggregate, findings workflow and governance validity truth, compare assessment, and already-shipped evidence or review truth rather than introducing a weaker parallel workspace-only interpretation.
+- **FR-175-014**: `WorkspaceRecentOperations` MUST remain an activity and recency surface and MUST NOT be treated as the workspace's primary posture or governance summary.
+- **FR-175-015**: Zero-tenant and low-permission workspace states MUST remain distinct from calm or healthy portfolio states and MUST still provide one valid next action. Zero-tenant recovery MUST default to `Switch workspace`, and low-permission workspace-state recovery MUST default to `Open operations` unless a more specific allowed in-scope recovery action exists.
+- **FR-175-016**: The feature MUST be achievable without a new table, new persisted workspace summary model, or heavy pre-aggregated materialized view.
+- **FR-175-017**: Regression coverage MUST verify governance-attention promotion, priority order, calmness suppression, tenant identification, governance-versus-operations separation, drill-through continuity, RBAC-safe omission or fallback behavior, DB-only query-bounded render behavior, and the absence of schema requirements.
+
+## UI Action Matrix *(mandatory when Filament is changed)*
+
+| Surface | Location | Header Actions | Inspect Affordance (List/Table) | Row Actions (max 2 visible) | Bulk Actions (grouped) | Empty-State CTA(s) | View Header Actions | Create/Edit Save+Cancel | Audit log? | Notes / Exemptions |
+|---|---|---|---|---|---|---|---|---|---|---|
+| Workspace overview page | `app/Filament/Pages/WorkspaceOverview.php` | Existing page chrome only; no new page-header action required | n/a | n/a | none | One bounded CTA per empty state, aligned to the specific empty condition | n/a | n/a | no new audit behavior | Singleton landing surface whose main job is truthful orientation, not mutation |
+| `WorkspaceSummaryStats` | `app/Filament/Widgets/Workspace/WorkspaceSummaryStats.php` | none | Explicit stat click only when the metric has a matching actionable destination | none | none | Zero-value reassurance remains intentionally passive unless a specific next step is required | n/a | n/a | no new audit behavior | Stat meanings must stay honest about whether they represent risk or activity |
+| `WorkspaceNeedsAttention` | `app/Filament/Widgets/Workspace/WorkspaceNeedsAttention.php` | none | One explicit destination or one full-item primary open model per attention item | none | none | Healthy fallback remains read-only reassurance only when no covered attention condition exists | n/a | n/a | no new audit behavior | Multi-destination triage widget; no destructive action and no redundant secondary action model |
+| `WorkspaceRecentOperations` | `app/Filament/Widgets/Workspace/WorkspaceRecentOperations.php` | none | Each operation row or card opens canonical operation detail | none | none | Existing empty state remains diagnostic and must not imply broader portfolio health | n/a | n/a | no new audit behavior | Diagnostic recency surface; keeps operations context visible without redefining workspace posture |
+
+### Key Entities *(include if feature involves data)*
+
+- **Visible tenant governance state**: The already-derived tenant condition that tells whether a visible tenant currently carries overdue findings, lapsed or expiring governance, stale, failed, or materially degraded compare posture, high-severity active findings, or already-surfaced evidence or review attention.
+- **Workspace governance attention item**: A bounded workspace-level triage item that promotes one visible tenant problem into the workspace home with tenant identity, problem family, urgency, and a next jump.
+- **Workspace governance metric**: A workspace-level count that describes how many visible tenants currently require governance attention, independent from operations volume.
+- **Workspace calmness claim**: Any workspace wording or empty state that implies the portfolio is calm; it is only valid when the covered governance and activity signals are genuinely calm within visible scope.
+- **Workspace drill-through contract**: The semantic promise that a workspace stat or attention item can be rediscovered on the surface it opens without losing tenant identity or problem meaning.
+
+## Success Criteria *(mandatory)*
+
+### Measurable Outcomes
+
+- **SC-175-001**: In regression coverage, every seeded workspace scenario containing at least one visible tenant with lapsed governance, overdue findings, high-severity active findings, or stale, failed, or materially degraded compare posture produces at least one governance attention signal on the workspace home and no calm empty state.
+- **SC-175-002**: In regression coverage, 100% of covered workspace attention items display tenant context, problem-family context, and either a matching destination or an allowed disabled or fallback state when the exact destination is not authorized.
+- **SC-175-003**: In seeded operator review, an operator can identify within 10 seconds which tenant to open first, why that tenant needs attention, and whether the issue is governance or operations.
+- **SC-175-004**: In regression coverage, operations-only activity scenarios do not trigger governance-risk wording, and governance-critical tenant scenarios are not ranked beneath pure activity-only or alert-delivery-only items.
+- **SC-175-005**: The feature ships without a required schema migration, a new persisted workspace posture model, or a required materialized aggregate view.
+- **SC-175-006**: In regression coverage, a dedicated DB-only workspace overview test proves render-time aggregation stays query-bounded for representative visible-tenant scenarios and does not rely on uncontrolled polling or unbounded per-tenant query fanout.
+
+## Assumptions
+
+- Existing tenant governance aggregate, findings workflow state, compare assessment, and already-available evidence or review truth are sufficient to harden the workspace home without inventing a new posture system.
+- Existing tenant dashboard, findings, baseline compare, evidence, review, and operations surfaces remain the correct downstream destinations for workspace drill-through.
+- The current workspace overview page structure remains in place for this slice; the work changes truth ordering and meaning, not the overall workspace information architecture.
+
+## Non-Goals
+
+- Building a full portfolio matrix or tenant grid
+- Introducing a global workspace posture score, grade, or traffic-light system
+- Redesigning the entire workspace overview layout
+- Adding choose-tenant posture annotations
+- Creating new persistence, materialized views, or a new workspace summary artifact
+- Extending the work into cross-workspace or platform-wide operator surfaces
+
+## Dependencies
+
+- Existing workspace overview page and workspace widgets
+- Existing tenant governance truth, compare assessment, findings governance state, and evidence or review trust work
+- Existing tenant dashboard, findings, compare, evidence, review, and operations destinations used as canonical drill-through surfaces
+- Existing workspace and tenant RBAC plus capability-safe query scoping
+
+## Follow-up Spec Candidates
+
+- **Spec 176 — Workspace Portfolio Posture Surface** for per-tenant posture summaries, risk concentration, and a first true portfolio matrix
+- **Spec 177 — Choose Tenant Posture Annotation** for posture-aware tenant selection and faster triage from tenant pickers
+- **Spec 178 — Workspace Portfolio Stats Redesign** for a broader governance-oriented workspace stat model that goes beyond this foundation slice
+
+## Definition of Done
+
+Spec 175 is complete when:
+
+- workspace attention is no longer purely operations-centered,
+- governance-relevant tenant problems are visible on the workspace home,
+- workspace calmness no longer reads healthier than the worst visible tenant conditions,
+- attention items carry tenant identity, problem type, and a meaningful drill-through,
+- workspace summary stats include at least one real governance-risk metric and clearly separate risk from activity,
+- and the improvement ships without a new persistence structure or a full workspace redesign.

specs/175-workspace-governance-attention/tasks.md

@@ -0,0 +1,207 @@
+# Tasks: Workspace Governance Attention Foundation
+
+**Input**: Design documents from `/specs/175-workspace-governance-attention/` (`spec.md`, `plan.md`, `research.md`, `data-model.md`, `contracts/`, `quickstart.md`)  
+**Prerequisites**: `/specs/175-workspace-governance-attention/plan.md` (required), `/specs/175-workspace-governance-attention/spec.md` (required for user stories)
+
+**Tests**: REQUIRED (Pest) for all runtime behavior changes in this repo. Use focused workspace overview coverage in `tests/Feature/Filament/WorkspaceOverviewAccessTest.php`, `tests/Feature/Filament/WorkspaceOverviewAuthorizationTest.php`, `tests/Feature/Filament/WorkspaceOverviewLandingTest.php`, `tests/Feature/Filament/WorkspaceOverviewNavigationTest.php`, `tests/Feature/Filament/WorkspaceOverviewContentTest.php`, `tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php`, `tests/Feature/Filament/WorkspaceOverviewPermissionVisibilityTest.php`, `tests/Feature/Filament/WorkspaceOverviewOperationsTest.php`, `tests/Feature/Filament/WorkspaceOverviewGovernanceAttentionTest.php`, `tests/Feature/Filament/WorkspaceOverviewSummaryMetricsTest.php`, `tests/Feature/Filament/WorkspaceOverviewDrilldownContinuityTest.php`, and `tests/Feature/Filament/WorkspaceOverviewDbOnlyTest.php`.  
+**Operations**: This feature does not create a new `OperationRun` type or change operations lifecycle ownership. Existing canonical Operations routes remain the only operations destinations involved, and the work here is limited to truthful workspace aggregation and destination continuity.  
+**RBAC**: Preserve workspace membership enforcement on `/admin`, deny-as-not-found `404` for non-members or out-of-scope tenants, capability-safe fallback or disabled states for drill-through items, and visible-tenant-only aggregation.  
+**Operator Surfaces**: `WorkspaceOverview`, `WorkspaceSummaryStats`, `WorkspaceNeedsAttention`, and `WorkspaceRecentOperations` must stay operator-first, with governance truth above recency context and no dead-end navigation.  
+**Filament UI Action Surfaces**: No destructive actions or redundant inspect affordances are added. `WorkspaceSummaryStats` and `WorkspaceNeedsAttention` remain drill-through summary surfaces, and `WorkspaceRecentOperations` remains a row-open diagnostic surface.  
+**Filament UI UX-001**: No new create, edit, or view pages are introduced. Existing workspace landing layout remains in place while semantics, ordering, and empty-state wording are hardened.  
+**Badges**: Existing badge semantics for findings severity, compare posture, governance validity, operations status, and operations outcome remain authoritative; no new page-local badge vocabulary is introduced.
+
+**Organization**: Tasks are grouped by user story so each story can be implemented and verified as an independent increment.
+
+## Phase 1: Setup (Context And Existing Surface Review)
+
+**Purpose**: Reconfirm the exact workspace overview seams, tenant truth sources, and canonical destinations before changing `/admin` semantics.
+
+- [X] T001 Review current workspace overview composition in `app/Support/Workspaces/WorkspaceOverviewBuilder.php`, `app/Filament/Pages/WorkspaceOverview.php`, `app/Filament/Widgets/Workspace/WorkspaceSummaryStats.php`, `app/Filament/Widgets/Workspace/WorkspaceNeedsAttention.php`, and `app/Filament/Widgets/Workspace/WorkspaceRecentOperations.php`
+- [X] T002 [P] Review existing tenant governance and compare truth sources in `app/Support/Baselines/TenantGovernanceAggregateResolver.php`, `app/Support/Baselines/TenantGovernanceAggregate.php`, `app/Support/Baselines/BaselineCompareStats.php`, `app/Support/Baselines/BaselineCompareSummaryAssessor.php`, and `app/Filament/Widgets/Dashboard/NeedsAttention.php`
+- [X] T003 [P] Review canonical drill-through destinations and current workspace overview regression seams in `app/Filament/Pages/TenantDashboard.php`, `app/Filament/Pages/BaselineCompareLanding.php`, `app/Filament/Resources/FindingResource/Pages/ListFindings.php`, `app/Filament/Pages/Monitoring/Operations.php`, and `tests/Feature/Filament/WorkspaceOverview*.php`
+
+---
+
+## Phase 2: Foundational (Blocking Payload And Continuity Seams)
+
+**Purpose**: Establish the shared workspace payload and continuity helpers that every user story depends on.
+
+**⚠️ CRITICAL**: No user story work should begin until this phase is complete.
+
+- [X] T004 Create governance-attention and performance regression scaffolding in `tests/Feature/Filament/WorkspaceOverviewGovernanceAttentionTest.php`, `tests/Feature/Filament/WorkspaceOverviewSummaryMetricsTest.php`, `tests/Feature/Filament/WorkspaceOverviewDrilldownContinuityTest.php`, and `tests/Feature/Filament/WorkspaceOverviewDbOnlyTest.php`
+- [X] T005 Extend the shared workspace overview payload to match `specs/175-workspace-governance-attention/contracts/workspace-governance-attention.openapi.yaml` for metric categories, calmness state, zero-tenant recovery, and structured attention destinations in `app/Support/Workspaces/WorkspaceOverviewBuilder.php`
+- [X] T006 [P] Prepare canonical findings-subset, alerts-overview, and operations-continuity seams for workspace-originated drill-through in `app/Filament/Resources/FindingResource/Pages/ListFindings.php`, `app/Filament/Pages/Monitoring/Alerts.php`, and `app/Support/OperationRunLinks.php`
+- [X] T007 [P] Add shared authorization, visibility, zero-tenant recovery, and DB-only query-bounded assertions for workspace governance destinations in `tests/Feature/Filament/WorkspaceOverviewAuthorizationTest.php`, `tests/Feature/Filament/WorkspaceOverviewPermissionVisibilityTest.php`, `tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php`, and `tests/Feature/Filament/WorkspaceOverviewDbOnlyTest.php`
+
+**Checkpoint**: The builder exposes the shared payload shape, the destination seams are ready, and the new regression files exist.
+
+---
+
+## Phase 3: User Story 1 - See The Right Tenant First (Priority: P1) 🎯 MVP
+
+**Goal**: Make `/admin` surface governance-critical tenants ahead of operational noise so the riskiest visible tenant is obvious first.
+
+**Independent Test**: Seed multiple visible tenants with overdue findings, lapsed governance, expiring governance, stale, failed, or materially degraded compare posture, high-severity active findings, alerts, and operations, then verify governance-critical tenants rank above activity-only and alert-only items and suppress false calmness.
+
+### Tests for User Story 1
+
+- [X] T008 [P] [US1] Add governance-ranking scenarios for overdue findings, lapsed governance, expiring governance, high-severity active findings, stale, failed, or materially degraded compare posture, and alert-only supporting items in `tests/Feature/Filament/WorkspaceOverviewGovernanceAttentionTest.php`
+- [X] T009 [P] [US1] Add false-calmness and zero-tenant distinctness scenarios for quiet operations but risky governance in `tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php` and `tests/Feature/Filament/WorkspaceOverviewContentTest.php`
+
+### Implementation for User Story 1
+
+- [X] T010 [US1] Promote visible-tenant governance aggregate states into bounded governance-first attention candidates, including expiring governance, stale, failed, or materially degraded compare posture, and lower-priority alert-only supporting items when they can be attributed to one visible tenant, in `app/Support/Workspaces/WorkspaceOverviewBuilder.php`
+- [X] T011 [US1] Render tenant label, problem family, urgency, and governance-first ordering in `app/Filament/Widgets/Workspace/WorkspaceNeedsAttention.php` and `resources/views/filament/widgets/workspace/workspace-needs-attention.blade.php`
+- [X] T012 [US1] Align workspace landing copy and calmness framing so operations-only quiet never implies portfolio health in `app/Filament/Pages/WorkspaceOverview.php` and `resources/views/filament/pages/workspace-overview.blade.php`
+- [X] T013 [US1] Run focused US1 verification against `tests/Feature/Filament/WorkspaceOverviewGovernanceAttentionTest.php`, `tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php`, and `tests/Feature/Filament/WorkspaceOverviewContentTest.php`
+
+**Checkpoint**: The workspace home no longer looks calmer than the worst visible tenant governance state.
+
+---
+
+## Phase 4: User Story 2 - Distinguish Risk From Activity (Priority: P1)
+
+**Goal**: Make the workspace home clearly separate governance risk from operational activity so the portfolio can be read as risky, busy, both, or calm.
+
+**Independent Test**: Render `/admin` in governance-only, activity-only, mixed, and healthy scenarios, then verify metrics, attention, and empty states describe those cases differently and truthfully.
+
+### Tests for User Story 2
+
+- [X] T014 [P] [US2] Add governance-risk-versus-activity metric scenarios, including expiring governance and stale, failed, or materially degraded compare posture counts, in `tests/Feature/Filament/WorkspaceOverviewSummaryMetricsTest.php` and `tests/Feature/Filament/WorkspaceOverviewContentTest.php`
+- [X] T015 [P] [US2] Add operations-only, risk-only, mixed, healthy-state, and zero-tenant recovery scenarios in `tests/Feature/Filament/WorkspaceOverviewOperationsTest.php` and `tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php`
+
+### Implementation for User Story 2
+
+- [X] T016 [US2] Split workspace summary metrics into scope, governance-risk, activity, and alert categories, preserving expiring governance and stale, failed, or materially degraded compare posture as governance-risk inputs, in `app/Support/Workspaces/WorkspaceOverviewBuilder.php`
+- [X] T017 [US2] Update stat-card labels, descriptions, and destination semantics for governance-risk versus activity counts in `app/Filament/Widgets/Workspace/WorkspaceSummaryStats.php` and `resources/views/filament/pages/workspace-overview.blade.php`
+- [X] T018 [US2] Keep recent operations diagnostic-only and remove its ability to define calmness on its own in `app/Filament/Widgets/Workspace/WorkspaceRecentOperations.php`, `resources/views/filament/widgets/workspace/workspace-recent-operations.blade.php`, and `app/Support/Workspaces/WorkspaceOverviewBuilder.php`
+- [X] T019 [US2] Run focused US2 verification against `tests/Feature/Filament/WorkspaceOverviewSummaryMetricsTest.php`, `tests/Feature/Filament/WorkspaceOverviewOperationsTest.php`, `tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php`, and `tests/Feature/Filament/WorkspaceOverviewDbOnlyTest.php`
+
+**Checkpoint**: The summary strip and surrounding copy now distinguish portfolio risk from portfolio activity.
+
+---
+
+## Phase 5: User Story 3 - Jump Into The Right Tenant Surface (Priority: P2)
+
+**Goal**: Make each attention item identify the tenant and open a trustworthy next surface for the same problem family.
+
+**Independent Test**: Seed representative findings, stale, failed, or materially degraded compare, evidence, review, alert, and operations cases, then verify each workspace attention item preserves tenant identity and reaches the correct destination or a safe fallback or disabled state.
+
+### Tests for User Story 3
+
+- [X] T020 [P] [US3] Add drill-through continuity coverage for tenant dashboard, findings, stale, failed, or materially degraded compare posture, evidence, review, alerts overview, and operations destinations in `tests/Feature/Filament/WorkspaceOverviewDrilldownContinuityTest.php`
+- [X] T021 [P] [US3] Add capability-limited fallback, non-clickable state, zero-tenant choose-workspace recovery, and low-permission operations fallback coverage in `tests/Feature/Filament/WorkspaceOverviewPermissionVisibilityTest.php` and `tests/Feature/Filament/WorkspaceOverviewAuthorizationTest.php`
+
+### Implementation for User Story 3
+
+- [X] T022 [US3] Implement per-family primary destination selection with tenant-safe fallback or disabled states, explicit alerts-overview routing, `switch_workspace` as the zero-tenant default next action, `operations_index` as the low-permission workspace-state fallback, aggregate lapsed-governance fallback to the tenant dashboard when findings filters would narrow the invalid-governance family, and tenant-scope authorization checks through `app/Services/Auth/CapabilityResolver.php` alongside `app/Services/Auth/WorkspaceCapabilityResolver.php` in `app/Support/Workspaces/WorkspaceOverviewBuilder.php`
+- [X] T023 [US3] Wire primary actions and helper text for workspace attention items across findings, compare, evidence, reviews, alerts, and operations, keeping every promoted item tenant-identified, in `app/Filament/Widgets/Workspace/WorkspaceNeedsAttention.php`, `resources/views/filament/widgets/workspace/workspace-needs-attention.blade.php`, and `app/Filament/Pages/WorkspaceOverview.php`
+- [X] T024 [US3] Preserve canonical subset continuity for workspace-originated findings and operations drill-throughs, and route aggregate lapsed-governance attention through the tenant dashboard when a findings filter would otherwise narrow the invalid-governance family, in `app/Filament/Resources/FindingResource/Pages/ListFindings.php`, `app/Filament/Pages/Monitoring/Operations.php`, and `app/Support/Workspaces/WorkspaceOverviewBuilder.php`
+- [X] T025 [US3] Run focused US3 verification against `tests/Feature/Filament/WorkspaceOverviewDrilldownContinuityTest.php`, `tests/Feature/Filament/WorkspaceOverviewPermissionVisibilityTest.php`, and `tests/Feature/Filament/WorkspaceOverviewAuthorizationTest.php`
+
+**Checkpoint**: Every central attention family now opens the correct tenant surface or a safe, non-deceptive fallback state.
+
+---
+
+## Phase 6: Polish & Cross-Cutting Concerns
+
+**Purpose**: Finish copy alignment, formatting, and the final focused verification pack across all stories.
+
+- [X] T026 [P] Align final operator copy, urgency labels, disabled helper text, zero-tenant recovery wording, and low-permission `Open operations` fallback wording across `app/Filament/Pages/WorkspaceOverview.php`, `app/Filament/Widgets/Workspace/WorkspaceSummaryStats.php`, `app/Filament/Widgets/Workspace/WorkspaceNeedsAttention.php`, `resources/views/filament/pages/workspace-overview.blade.php`, and `resources/views/filament/widgets/workspace/workspace-needs-attention.blade.php`
+- [X] T027 Run formatting with `vendor/bin/sail bin pint --dirty --format agent` for `app/Support/Workspaces/WorkspaceOverviewBuilder.php`, `app/Filament/Pages/WorkspaceOverview.php`, `app/Filament/Widgets/Workspace/WorkspaceSummaryStats.php`, `app/Filament/Widgets/Workspace/WorkspaceNeedsAttention.php`, `app/Filament/Widgets/Workspace/WorkspaceRecentOperations.php`, `resources/views/filament/pages/workspace-overview.blade.php`, `resources/views/filament/widgets/workspace/workspace-needs-attention.blade.php`, and `resources/views/filament/widgets/workspace/workspace-recent-operations.blade.php`
+- [X] T028 Run the final quickstart verification pack from `specs/175-workspace-governance-attention/quickstart.md` against `tests/Feature/Filament/WorkspaceOverviewAccessTest.php`, `tests/Feature/Filament/WorkspaceOverviewAuthorizationTest.php`, `tests/Feature/Filament/WorkspaceOverviewLandingTest.php`, `tests/Feature/Filament/WorkspaceOverviewNavigationTest.php`, `tests/Feature/Filament/WorkspaceOverviewContentTest.php`, `tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php`, `tests/Feature/Filament/WorkspaceOverviewPermissionVisibilityTest.php`, `tests/Feature/Filament/WorkspaceOverviewOperationsTest.php`, `tests/Feature/Filament/WorkspaceOverviewDbOnlyTest.php`, `tests/Feature/Filament/WorkspaceOverviewGovernanceAttentionTest.php`, `tests/Feature/Filament/WorkspaceOverviewSummaryMetricsTest.php`, and `tests/Feature/Filament/WorkspaceOverviewDrilldownContinuityTest.php`
+- [X] T029 Run the manual smoke checks in `specs/175-workspace-governance-attention/quickstart.md` for quiet-operations-risky-governance, stale or failed compare posture, healthy workspace, zero-tenant recovery, and permission-limited member scenarios
+- [X] T030 Fix the low-permission workspace operations fallback so workspace-originated drill-through clears tenant context and immediately shows workspace-wide follow-up in `app/Support/Workspaces/WorkspaceOverviewBuilder.php`, `app/Support/OperationRunLinks.php`, `app/Filament/Pages/Monitoring/Operations.php`, `tests/Feature/Monitoring/OperationsDashboardDrillthroughTest.php`, and `tests/Feature/Filament/WorkspaceOverviewAuthorizationTest.php`
+
+---
+
+## Dependencies & Execution Order
+
+### Phase Dependencies
+
+- **Setup (Phase 1)**: No dependencies; can start immediately.
+- **Foundational (Phase 2)**: Depends on Setup; blocks all user stories.
+- **User Story 1 (Phase 3)**: Depends on Foundational completion.
+- **User Story 2 (Phase 4)**: Depends on Foundational completion and stays independently testable, though it overlaps with the same workspace builder and page shell.
+- **User Story 3 (Phase 5)**: Depends on Foundational completion and benefits from User Stories 1 and 2 because the destination contract is clearer once governance promotion and metric separation are in place.
+- **Polish (Phase 6)**: Depends on all desired user stories being complete.
+
+### User Story Dependencies
+
+- **User Story 1 (P1)**: First deliverable and recommended MVP. No dependency on other user stories after Foundational work.
+- **User Story 2 (P1)**: Can start after Foundational completion and remains independently testable, though it shares the builder and page shell with US1.
+- **User Story 3 (P2)**: Can start after Foundational completion and is best delivered after US1 and US2 because it hardens the attention items already introduced there.
+
+### Within Each User Story
+
+- Story tests should be added before or alongside implementation and must fail before the story is considered complete.
+- Builder changes should land before widget and page copy refinements that depend on the new payload.
+- Destination continuity changes should land before story-level verification runs.
+- Story-level verification should complete before moving on to polish.
+
+### Parallel Opportunities
+
+- Setup review tasks `T002` and `T003` can run in parallel.
+- In Foundational work, `T006` and `T007` can run in parallel after `T005` defines the payload contract.
+- In US1, `T008` and `T009` can run in parallel.
+- In US2, `T014` and `T015` can run in parallel.
+- In US3, `T020` and `T021` can run in parallel.
+- In Phase 6, `T026` can run while the final verification command set for `T028` is being prepared.
+
+---
+
+## Parallel Example: User Story 1
+
+```bash
+# Launch US1 tests in parallel:
+T008 tests/Feature/Filament/WorkspaceOverviewGovernanceAttentionTest.php
+T009 tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php + tests/Feature/Filament/WorkspaceOverviewContentTest.php
+```
+
+## Parallel Example: User Story 2
+
+```bash
+# Launch US2 test work in parallel:
+T014 tests/Feature/Filament/WorkspaceOverviewSummaryMetricsTest.php + tests/Feature/Filament/WorkspaceOverviewContentTest.php
+T015 tests/Feature/Filament/WorkspaceOverviewOperationsTest.php + tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php
+```
+
+## Parallel Example: User Story 3
+
+```bash
+# Launch US3 drill-through and fallback tests in parallel:
+T020 tests/Feature/Filament/WorkspaceOverviewDrilldownContinuityTest.php
+T021 tests/Feature/Filament/WorkspaceOverviewPermissionVisibilityTest.php + tests/Feature/Filament/WorkspaceOverviewAuthorizationTest.php
+```
+
+---
+
+## Implementation Strategy
+
+### MVP First (User Story 1 Only)
+
+1. Complete Phase 1: Setup.
+2. Complete Phase 2: Foundational.
+3. Complete Phase 3: User Story 1.
+4. Validate that `/admin` no longer emits a false calm signal when visible tenant governance issues exist.
+
+### Incremental Delivery
+
+1. Ship US1 to make the workspace home governance-aware and suppress false calmness.
+2. Add US2 to separate governance risk from activity and protect calmness semantics.
+3. Add US3 to harden drill-through continuity and capability-safe fallbacks.
+4. Finish with copy alignment, formatting, the quickstart verification pack, and manual smoke checks.
+
+### Suggested MVP Scope
+
+- MVP = Phases 1 through 3 only.
+
+---
+
+## Format Validation
+
+- Every task follows the checklist format `- [ ] T### [P?] [US?] Description with file path`.
+- Setup, Foundational, and Polish phases intentionally omit story labels.
+- User story phases use `[US1]`, `[US2]`, and `[US3]` labels.
+- Parallel markers are used only on tasks that can proceed independently without conflicting incomplete prerequisites.

specs/177-inventory-coverage-truth/checklists/requirements.md

@@ -0,0 +1,35 @@
+# Specification Quality Checklist: Spec 177 - Inventory Coverage Truth
+
+**Purpose**: Validate specification completeness and quality before proceeding to planning  
+**Created**: 2026-04-05  
+**Feature**: [spec.md](../spec.md)
+
+## Content Quality
+
+- [x] No implementation details (languages, frameworks, APIs)
+- [x] Focused on user value and business needs
+- [x] Written for non-technical stakeholders
+- [x] All mandatory sections completed
+
+## Requirement Completeness
+
+- [x] No [NEEDS CLARIFICATION] markers remain
+- [x] Requirements are testable and unambiguous
+- [x] Success criteria are measurable
+- [x] Success criteria are technology-agnostic (no implementation details)
+- [x] All acceptance scenarios are defined
+- [x] Edge cases are identified
+- [x] Scope is clearly bounded
+- [x] Dependencies and assumptions identified
+
+## Feature Readiness
+
+- [x] All functional requirements have clear acceptance criteria
+- [x] User scenarios cover primary flows
+- [x] Feature meets measurable outcomes defined in Success Criteria
+- [x] No implementation details leak into specification
+
+## Notes
+
+- Validation pass completed after the draft was rewritten from the template scaffold.
+- Follow-up inventory hardening ideas remain listed as future candidates without fixed spec numbers, since this repository already uses `179` for a different accepted spec.

specs/177-inventory-coverage-truth/contracts/inventory-coverage-truth.openapi.yaml

@@ -0,0 +1,235 @@
+openapi: 3.1.0
+info:
+  title: Inventory Coverage Truth Surfaces
+  version: 0.1.0
+  description: |
+    Logical surface contract for Spec 177. These contracts describe the tenant-scoped
+    coverage truth that inventory surfaces must render, even when the delivered transport
+    is server-rendered Filament UI rather than a public JSON API.
+paths:
+  /admin/inventory-items:
+    get:
+      summary: Inventory items list with truthful coverage summary
+      operationId: inventoryItemsCoverageSummary
+      responses:
+        '200':
+          description: Tenant-scoped inventory items list surface
+          content:
+            application/json:
+              schema:
+                type: object
+                additionalProperties: false
+                required:
+                  - tenantId
+                  - coverageSummary
+                properties:
+                  tenantId:
+                    type: integer
+                  coverageSummary:
+                    $ref: '#/components/schemas/CoverageSummary'
+        '403':
+          description: Member lacks capability for a linked follow-up action
+        '404':
+          description: User is not entitled to the tenant or workspace scope
+  /admin/coverage:
+    get:
+      summary: Tenant coverage truth report
+      operationId: inventoryCoverageReport
+      responses:
+        '200':
+          description: Tenant-scoped coverage report surface
+          content:
+            application/json:
+              schema:
+                type: object
+                additionalProperties: false
+                required:
+                  - tenantId
+                  - coverageSummary
+                  - rows
+                properties:
+                  tenantId:
+                    type: integer
+                  coverageSummary:
+                    $ref: '#/components/schemas/CoverageSummary'
+                  rows:
+                    type: array
+                    items:
+                      $ref: '#/components/schemas/CoverageRow'
+        '403':
+          description: Member lacks capability for a linked follow-up action
+        '404':
+          description: User is not entitled to the tenant or workspace scope
+  /admin/operations/{run}:
+    get:
+      summary: Canonical inventory-sync run detail with per-type coverage section
+      operationId: inventorySyncRunDetail
+      parameters:
+        - in: path
+          name: run
+          required: true
+          schema:
+            type: integer
+      responses:
+        '200':
+          description: Canonical operation run detail surface
+          content:
+            application/json:
+              schema:
+                type: object
+                additionalProperties: false
+                required:
+                  - id
+                  - type
+                  - status
+                  - outcome
+                properties:
+                  id:
+                    type: integer
+                  type:
+                    type: string
+                    enum:
+                      - inventory_sync
+                  status:
+                    type: string
+                    enum:
+                      - queued
+                      - running
+                      - completed
+                  outcome:
+                    type: string
+                    enum:
+                      - pending
+                      - succeeded
+                      - partially_succeeded
+                      - failed
+                      - blocked
+                  inventoryCoverageSection:
+                    oneOf:
+                      - $ref: '#/components/schemas/InventoryCoverageRunSection'
+                      - type: 'null'
+        '403':
+          description: In-scope member lacks the run capability required for this operation
+        '404':
+          description: User is not entitled to the workspace or tenant scope for this run
+components:
+  schemas:
+    BasisRun:
+      type: object
+      additionalProperties: false
+      required:
+        - id
+        - outcome
+        - completedAt
+      properties:
+        id:
+          type: integer
+        outcome:
+          type: string
+          enum:
+            - succeeded
+            - partially_succeeded
+            - failed
+            - blocked
+        completedAt:
+          type: string
+          format: date-time
+    CoverageSummary:
+      type: object
+      additionalProperties: false
+      required:
+        - hasCurrentCoverageResult
+        - supportedTypes
+        - succeededTypes
+        - failedTypes
+        - skippedTypes
+        - unknownTypes
+        - followUpTypes
+        - observedItems
+      properties:
+        hasCurrentCoverageResult:
+          type: boolean
+        basisRun:
+          oneOf:
+            - $ref: '#/components/schemas/BasisRun'
+            - type: 'null'
+        supportedTypes:
+          type: integer
+        succeededTypes:
+          type: integer
+        failedTypes:
+          type: integer
+        skippedTypes:
+          type: integer
+        unknownTypes:
+          type: integer
+        followUpTypes:
+          type: integer
+        observedItems:
+          type: integer
+    CoverageRow:
+      type: object
+      additionalProperties: false
+      required:
+        - type
+        - segment
+        - label
+        - category
+        - coverageState
+        - followUpRequired
+        - observedItemCount
+        - supportsDependencies
+      properties:
+        type:
+          type: string
+        segment:
+          type: string
+          enum:
+            - policy
+            - foundation
+        label:
+          type: string
+        category:
+          type: string
+        platform:
+          type:
+            - string
+            - 'null'
+        coverageState:
+          type: string
+          enum:
+            - succeeded
+            - failed
+            - skipped
+            - unknown
+        followUpRequired:
+          type: boolean
+        observedItemCount:
+          type: integer
+        basisErrorCode:
+          type:
+            - string
+            - 'null'
+        restoreMode:
+          type:
+            - string
+            - 'null'
+        riskLevel:
+          type:
+            - string
+            - 'null'
+        supportsDependencies:
+          type: boolean
+    InventoryCoverageRunSection:
+      type: object
+      additionalProperties: false
+      required:
+        - basisRun
+        - rows
+      properties:
+        basisRun:
+          $ref: '#/components/schemas/BasisRun'
+        rows:
+          type: array
+          items:
+            $ref: '#/components/schemas/CoverageRow'

specs/177-inventory-coverage-truth/contracts/tenant-coverage-truth.schema.json

@@ -0,0 +1,187 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://tenantpilot.local/contracts/tenant-coverage-truth.schema.json",
+  "title": "Tenant Coverage Truth",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "tenantId",
+    "hasCurrentCoverageResult",
+    "summary",
+    "rows"
+  ],
+  "properties": {
+    "tenantId": {
+      "type": "integer"
+    },
+    "basisRun": {
+      "oneOf": [
+        {
+          "$ref": "#/$defs/basisRun"
+        },
+        {
+          "type": "null"
+        }
+      ]
+    },
+    "hasCurrentCoverageResult": {
+      "type": "boolean"
+    },
+    "summary": {
+      "$ref": "#/$defs/summary"
+    },
+    "rows": {
+      "type": "array",
+      "items": {
+        "$ref": "#/$defs/row"
+      }
+    }
+  },
+  "$defs": {
+    "basisRun": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "id",
+        "outcome",
+        "completedAt"
+      ],
+      "properties": {
+        "id": {
+          "type": "integer"
+        },
+        "outcome": {
+          "type": "string",
+          "enum": [
+            "succeeded",
+            "partially_succeeded",
+            "failed",
+            "blocked"
+          ]
+        },
+        "completedAt": {
+          "type": "string",
+          "format": "date-time"
+        }
+      }
+    },
+    "summary": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "supportedTypes",
+        "succeededTypes",
+        "failedTypes",
+        "skippedTypes",
+        "unknownTypes",
+        "followUpTypes",
+        "observedItems"
+      ],
+      "properties": {
+        "supportedTypes": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "succeededTypes": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "failedTypes": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "skippedTypes": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "unknownTypes": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "followUpTypes": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "observedItems": {
+          "type": "integer",
+          "minimum": 0
+        }
+      }
+    },
+    "row": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "type",
+        "segment",
+        "label",
+        "category",
+        "coverageState",
+        "followUpRequired",
+        "observedItemCount",
+        "supportsDependencies"
+      ],
+      "properties": {
+        "type": {
+          "type": "string"
+        },
+        "segment": {
+          "type": "string",
+          "enum": [
+            "policy",
+            "foundation"
+          ]
+        },
+        "label": {
+          "type": "string"
+        },
+        "category": {
+          "type": "string"
+        },
+        "platform": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "coverageState": {
+          "type": "string",
+          "enum": [
+            "succeeded",
+            "failed",
+            "skipped",
+            "unknown"
+          ]
+        },
+        "followUpRequired": {
+          "type": "boolean"
+        },
+        "observedItemCount": {
+          "type": "integer",
+          "minimum": 0
+        },
+        "basisErrorCode": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "restoreMode": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "riskLevel": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "supportsDependencies": {
+          "type": "boolean"
+        }
+      }
+    }
+  }
+}

specs/177-inventory-coverage-truth/data-model.md

@@ -0,0 +1,163 @@
+# Phase 1 Data Model: Inventory Coverage Truth (177)
+
+## Existing Persisted Truth
+
+### `OperationRun` as coverage basis
+Represents the canonical execution record for inventory syncs and remains the source of per-type sync truth.
+
+**Relevant existing fields**
+- `workspace_id`
+- `tenant_id`
+- `type`
+- `status`
+- `outcome`
+- `summary_counts`
+- `failure_summary`
+- `context`
+- `started_at`
+- `completed_at`
+
+**Relevant existing inventory context shape**
+- `context.inventory.coverage.policy_types`
+- `context.inventory.coverage.foundation_types`
+- each entry stores at minimum `status`
+- optional fields already supported by `InventoryCoverage` normalization:
+  - `item_count`
+  - `error_code`
+
+**Existing invariant**
+- `InventoryCoverage::fromContext()` is the canonical parser for run coverage payload.
+
+### `InventoryItem`
+Represents last observed tenant inventory rows and remains the source of current observed-item counts.
+
+**Relevant existing fields**
+- `workspace_id`
+- `tenant_id`
+- `policy_type`
+- `external_id`
+- `display_name`
+- `category`
+- `platform`
+- `meta_jsonb`
+- `last_seen_at`
+- `last_seen_operation_run_id`
+
+**Existing invariant**
+- Observed rows prove last observation only. They do not by themselves prove current tenant coverage completeness.
+
+### `InventoryPolicyTypeMeta` + capability metadata
+Represents product support and capability reference for supported and foundation types.
+
+**Relevant existing fields and derived attributes**
+- `type`
+- `label`
+- `category`
+- `platform`
+- `restore`
+- `risk`
+- foundation flag
+- dependency support from `CoverageCapabilitiesResolver`
+
+**Existing invariant**
+- Capability metadata is product support truth, not tenant coverage truth.
+
+## New Derived Runtime Contract
+
+### `TenantCoverageTruth`
+Derived runtime contract that answers the operator question: which supported types are currently covered for this tenant, which types need follow-up, and which run establishes that statement.
+
+**Proposed fields**
+- `tenant_id`
+- `basis_run_id` nullable
+- `basis_run_outcome` nullable
+- `basis_completed_at` nullable
+- `has_current_coverage_result` boolean
+- `supported_type_count`
+- `succeeded_type_count`
+- `failed_type_count`
+- `skipped_type_count`
+- `unknown_type_count`
+- `follow_up_type_count`
+- `observed_item_total`
+- `rows` list of `TenantCoverageTypeTruth`
+
+**Derived invariants**
+- Exactly one row exists for each supported policy type and foundation type currently in the product support catalog.
+- `follow_up_type_count = failed + skipped + unknown`.
+- `has_current_coverage_result` is true only when a completed inventory-sync basis run with parseable payload exists.
+- The basis run is chosen independently from current item counts.
+
+### `TenantCoverageTypeTruth`
+Derived row contract for one supported type.
+
+**Proposed fields**
+- `type`
+- `segment` (`policy` or `foundation`)
+- `label`
+- `category`
+- `platform` nullable
+- `coverage_state` (`succeeded`, `failed`, `skipped`, `unknown`)
+- `follow_up_required` boolean
+- `observed_item_count`
+- `basis_error_code` nullable
+- `restore_mode` nullable
+- `risk_level` nullable
+- `supports_dependencies` boolean
+
+**Derived invariants**
+- `follow_up_required` is true for `failed`, `skipped`, and `unknown`; false only for `succeeded`.
+- `observed_item_count > 0` does not change `coverage_state`.
+- `coverage_state = unknown` when the type is supported but absent from the basis run payload.
+- `basis_error_code` is allowed only for non-succeeded payload-backed states.
+
+## Derived State Family
+
+### Coverage state family
+This feature introduces one derived state family for tenant coverage rows:
+
+- `Succeeded`
+  - the basis run reported the type as successfully processed
+- `Failed`
+  - the basis run reported the type as attempted and failed
+- `Skipped`
+  - the basis run reported the type as intentionally skipped or not processed during that run
+- `Unknown`
+  - no current coverage result exists for the supported type in the basis run
+
+**Behavioral consequence**
+- `Failed`, `Skipped`, and `Unknown` all suppress calm claims and increment follow-up counts.
+- `Unknown` is derived, not persisted.
+
+## Relationships
+
+- One `TenantCoverageTruth` resolves for one tenant at a time.
+- One `TenantCoverageTruth` may reference zero or one basis `OperationRun`.
+- One `TenantCoverageTruth` contains one row per supported product type from `InventoryPolicyTypeMeta::supported()` and `InventoryPolicyTypeMeta::foundations()`.
+- Each `TenantCoverageTypeTruth` joins one supported type to zero or one payload-backed status from the basis run and zero or more `InventoryItem` rows from the current tenant observation set.
+
+## Selection Rules
+
+### Basis run selection
+- candidate runs are `OperationRun` rows where:
+  - `tenant_id` matches the selected tenant
+  - `type = inventory_sync`
+  - `status = completed`
+- candidates are ordered by:
+  - `completed_at DESC`
+  - `id DESC`
+- the selected basis run is the first candidate whose `context.inventory.coverage` payload can be parsed by `InventoryCoverage::fromContext()`
+- if no candidate qualifies, the tenant has no current coverage basis run
+
+### Unknown derivation
+- if a supported type is absent from both `policy_types` and `foundation_types` in the selected basis payload, the type is `Unknown`
+- absence from the basis payload is not converted into `Skipped`
+- item presence from older runs does not upgrade `Unknown`
+
+## Validation Rules
+
+- No schema migration is required.
+- No new persisted state is introduced.
+- Coverage rows must remain tenant-scoped.
+- Capability metadata must not alter the derived coverage state.
+- Surfaces may cite the basis run only when they can do so without violating authorization.

specs/177-inventory-coverage-truth/plan.md

@@ -0,0 +1,285 @@
+# Implementation Plan: Inventory Coverage Truth
+
+**Branch**: `feat/177-inventory-coverage-truth` | **Date**: 2026-04-05 | **Spec**: `/Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/177-inventory-coverage-truth/spec.md`
+**Input**: Feature specification from `/Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/177-inventory-coverage-truth/spec.md`
+
+**Note**: This template is filled in by the `/speckit.plan` command. See `.specify/scripts/` for helper scripts.
+
+## Summary
+
+Correct inventory coverage semantics by deriving tenant coverage truth from the latest completed inventory-sync run that contains usable per-type coverage payload, joining that run truth with current inventory-item counts and existing supported-type metadata, replacing the misleading coverage percentage in the inventory KPI header with operator-readable counts, refocusing the coverage page on tenant follow-up, and exposing a human-readable per-type coverage section on inventory-sync run detail. The implementation stays fully derived, introduces no new persistence, keeps capability and support metadata secondary, and preserves existing sync execution, authorization, and Ops-UX behavior.
+
+## Technical Context
+
+**Language/Version**: PHP 8.4.15  
+**Primary Dependencies**: Laravel 12, Filament v5, Livewire v4, Pest v4, existing `InventoryItem`, `OperationRun`, `InventoryCoverage`, `InventoryPolicyTypeMeta`, `CoverageCapabilitiesResolver`, `InventoryKpiHeader`, `InventoryCoverage` page, and `OperationRunResource` enterprise-detail stack  
+**Storage**: PostgreSQL; existing `inventory_items` rows and `operation_runs.context` / `operation_runs.summary_counts` JSONB are reused with no schema change  
+**Testing**: Pest 4 unit and feature tests, including Filament or Livewire page coverage, run through Laravel Sail  
+**Target Platform**: Laravel monolith web application in Sail locally and containerized Linux deployment for staging and production  
+**Project Type**: web application  
+**Performance Goals**: DB-only render path for inventory summary and coverage surfaces; no render-time Graph calls; one tenant-scoped basis-run lookup plus grouped item counts per render; default-visible inventory surfaces expose covered versus follow-up types, basis-run context, and next-step guidance without raw JSON inspection  
+**Constraints**: Derived-only implementation; no new coverage table; no inventory-sync backend rewrite; no new Graph calls; no new destructive actions; capability metadata stays secondary; unauthorized run drill-through must degrade safely  
+**Scale/Scope**: One tenant at a time across three primary surfaces: inventory KPI header on the items list, the inventory coverage page, and canonical inventory-sync run detail; dozens of supported and foundation types rather than unbounded row counts
+
+## Constitution Check
+
+*GATE: Passed before Phase 0 research. Re-checked after Phase 1 design and still passing.*
+
+| Principle | Pre-Research | Post-Design | Notes |
+|-----------|--------------|-------------|-------|
+| Inventory-first / snapshots-second | PASS | PASS | Coverage remains derived from current inventory observation and canonical inventory-sync runs; no snapshot or backup truth is introduced. |
+| Read/write separation | PASS | PASS | The feature changes read-time surfaces only. Existing `Run Inventory Sync` semantics remain unchanged. |
+| Graph contract path | PASS | PASS | No new Graph call path or contract registry entry is introduced. |
+| Deterministic capabilities | PASS | PASS | Capability and support metadata remain derived from existing policy-type meta and capability resolvers. |
+| Workspace + tenant isolation | PASS | PASS | All coverage truth stays tenant-scoped; canonical operations drill-through remains tenant-safe and entitlement-checked. |
+| RBAC-UX authorization semantics | PASS | PASS | Non-members remain `404`; members lacking the run capability remain `403` on run detail; coverage surfaces must degrade safely instead of exposing broken links. |
+| Run observability / Ops-UX | PASS | PASS | Existing `inventory_sync` `OperationRun` remains canonical. No new run type or new feedback surface is introduced. |
+| Ops-UX lifecycle / summary counts | PASS | PASS | `OperationRunService` remains the only transition path; `summary_counts` remain canonical and numeric-only. The plan only adds read-time rendering. |
+| Data minimization | PASS | PASS | Existing whitelisted inventory metadata and sanitized run context are reused; no new persisted payload surface is added. |
+| Proportionality / no premature abstraction | PASS WITH JUSTIFIED DERIVED CONTRACT | PASS WITH JUSTIFIED DERIVED CONTRACT | One narrow runtime contract plus resolver is justified because current truth is split across run context, item counts, and supported-type metadata, and three operator surfaces already need the same synthesis. |
+| Persisted truth / behavioral state | PASS | PASS | `Unknown` is derived presentation truth, not persisted domain state. No new tables or durable artifacts are introduced. |
+| UI semantics / few layers | PASS | PASS | The design replaces a misleading KPI and capability-first report with one direct tenant-coverage read model instead of adding a wider semantic framework. |
+| Badge semantics (BADGE-001) | PASS | PASS | Coverage state badges stay centralized and test-covered. No page-local badge language is introduced. |
+| Filament-native UI / Action Surface Contract | PASS | PASS | Existing Filament tables, stats, sections, and enterprise-detail views are reused. The existing derived-row exception on `InventoryCoverage` remains the only UI exception. |
+| Filament UX-001 | PASS | PASS | The coverage page remains a searchable, filterable table surface with one clear empty-state CTA; run detail remains a view-style operational page; no create or edit layout changes are needed. |
+| List-surface review checklist reference | PASS | PASS | The inventory items list and inventory coverage page are governed by `docs/product/standards/list-surface-review-checklist.md`, which must be applied before sign-off. |
+| Filament v5 / Livewire v4 compliance | PASS | PASS | The plan stays inside the existing Filament v5 + Livewire v4 stack. No legacy APIs are introduced. |
+| Provider registration location | PASS | PASS | No panel or provider registration change is involved; Laravel 11+ provider registration remains in `bootstrap/providers.php`. |
+| Global search hard rule | PASS | PASS | No globally searchable resource is added or modified. |
+| Destructive action safety | PASS | PASS | No new destructive action is introduced. Existing sync start action remains non-destructive and capability-gated. |
+| Asset strategy | PASS | PASS | No asset registration or `filament:assets` deployment change is required. |
+| Testing truth (TEST-TRUTH-001) | PASS | PASS | The design adds focused resolver, surface, and RBAC-safe continuity tests that protect operator-visible business truth. |
+
+## Phase 0 Research
+
+Research outcomes are captured in `/Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/177-inventory-coverage-truth/research.md`.
+
+Key decisions:
+
+- Define the relevant coverage basis as the latest completed `inventory_sync` run for the tenant that contains a parseable `context.inventory.coverage` payload, regardless of overall run outcome, so `Failed` and `Skipped` remain visible when the run produced per-type truth.
+- Keep tenant coverage fully derived from three existing sources: `OperationRun.context.inventory.coverage`, current `InventoryItem` counts, and existing supported-type metadata plus capability metadata.
+- Introduce one narrow runtime contract and resolver in `App\Support\Inventory` rather than extending the low-level `InventoryCoverage` parser or adding request-scoped caching infrastructure.
+- Replace the KPI percentage with count-based summary facts, since the spec explicitly prioritizes semantically clear counts over percentage language.
+- Keep the coverage page as one truth-first report with summary + per-type table, and move capability metadata into secondary columns or reference treatment rather than preserving the current capability-first matrix.
+- Add a dedicated human-readable per-type coverage section to the existing enterprise-detail run page instead of creating a new operations screen.
+- Defer any first-class `stale` or freshness state family to later health hardening work; this slice surfaces the basis timestamp clearly without adding another semantic layer.
+
+## Phase 1 Design
+
+Design artifacts are created under `/Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/177-inventory-coverage-truth/`:
+
+- `data-model.md`: existing persisted truths plus the new derived tenant coverage contract
+- `contracts/inventory-coverage-truth.openapi.yaml`: logical surface contract for the inventory items summary, coverage page, and run detail continuity
+- `contracts/tenant-coverage-truth.schema.json`: schema for the derived tenant coverage truth contract consumed by the UI
+- `quickstart.md`: focused implementation and verification workflow
+
+Design decisions:
+
+- The new runtime contract is summary-first and derived; it does not become a new persisted truth source.
+- `InventoryCoverage` remains the low-level parser for `OperationRun` context; a sibling resolver assembles tenant coverage truth by joining the parsed payload with item counts and metadata.
+- The inventory KPI header will shift from `Coverage %` to count-based coverage signals and explicit basis-run context.
+- The `InventoryCoverage` page will reuse its existing table surface but reorder the page around tenant coverage truth and follow-up, with capability metadata kept clearly secondary.
+- Inventory-sync run detail will gain one enterprise-detail section backed by a custom Blade view under the existing `filament.infolists.entries.*` convention.
+- No new request-scoped caching or cross-surface aggregate infrastructure is introduced in this slice; one resolver is sufficient.
+
+## Project Structure
+
+### Documentation (this feature)
+
+```text
+specs/177-inventory-coverage-truth/
+├── spec.md
+├── plan.md
+├── research.md
+├── data-model.md
+├── quickstart.md
+├── contracts/
+│   ├── inventory-coverage-truth.openapi.yaml
+│   └── tenant-coverage-truth.schema.json
+├── checklists/
+│   └── requirements.md
+└── tasks.md
+```
+
+### Source Code (repository root)
+
+```text
+app/
+├── Filament/
+│   ├── Pages/
+│   │   └── InventoryCoverage.php
+│   ├── Resources/
+│   │   ├── InventoryItemResource/
+│   │   │   └── Pages/
+│   │   │       └── ListInventoryItems.php
+│   │   └── OperationRunResource.php
+│   ├── Pages/
+│   │   └── Operations/
+│   │       └── TenantlessOperationRunViewer.php
+│   └── Widgets/
+│       └── Inventory/
+│           └── InventoryKpiHeader.php
+├── Models/
+│   ├── InventoryItem.php
+│   └── OperationRun.php
+└── Support/
+    └── Inventory/
+        ├── CoverageCapabilitiesResolver.php
+        ├── InventoryCoverage.php
+        ├── InventoryPolicyTypeMeta.php
+        ├── TenantCoverageTruth.php
+        └── TenantCoverageTruthResolver.php
+
+resources/
+└── views/
+    └── filament/
+        ├── pages/
+        │   └── inventory-coverage.blade.php
+        └── infolists/
+            └── entries/
+                └── inventory-coverage-truth.blade.php
+
+tests/
+├── Feature/
+│   ├── Filament/
+│   │   ├── InventoryCoverageAdminTenantParityTest.php
+│   │   ├── InventoryCoverageTableTest.php
+│   │   ├── InventoryItemResourceTest.php
+│   │   ├── InventoryPagesTest.php
+│   │   └── OperationRunEnterpriseDetailPageTest.php
+│   ├── Inventory/
+│   │   ├── InventorySyncServiceTest.php
+│   │   ├── InventorySyncStartSurfaceTest.php
+│   │   └── RunInventorySyncJobTest.php
+│   ├── Operations/
+│   │   └── TenantlessOperationRunViewerTest.php
+│   └── Rbac/
+│       └── InventoryItemResourceAuthorizationTest.php
+└── Unit/
+    └── Support/
+        └── Inventory/
+            └── TenantCoverageTruthResolverTest.php
+```
+
+**Structure Decision**: Keep the existing Laravel monolith layout. Add one narrow derived coverage contract plus resolver under `app/Support/Inventory`, update the three existing operator surfaces, add one custom enterprise-detail view, and extend the current feature and unit tests instead of creating new base directories or a broader presentation framework.
+
+## Implementation Strategy
+
+### Phase A — Introduce the Derived Coverage Contract
+
+**Goal**: Add one explicit runtime contract that represents tenant coverage truth without changing persistence.
+
+| Step | File | Change |
+|------|------|--------|
+| A.1 | `app/Support/Inventory/TenantCoverageTruth.php` | Add a readonly runtime contract representing basis-run metadata, summary counts, and per-type tenant coverage rows |
+| A.2 | `app/Support/Inventory/TenantCoverageTruthResolver.php` | Add the resolver that selects the latest completed coverage-bearing inventory-sync run, parses `InventoryCoverage`, joins current item counts, and synthesizes follow-up classification |
+| A.3 | `app/Support/Inventory/InventoryCoverage.php` | Keep the low-level parser focused on run payload normalization; extend only if a small helper is needed for row access, not for tenant-level joining |
+
+### Phase B — Refactor the Inventory KPI Header
+
+**Goal**: Remove the misleading percentage and replace it with count-based tenant coverage truth.
+
+| Step | File | Change |
+|------|------|--------|
+| B.1 | `app/Filament/Widgets/Inventory/InventoryKpiHeader.php` | Replace `Coverage %` with count-based coverage stats such as succeeded types and types needing follow-up, plus explicit basis-run or no-sync context while keeping any restore or compare metadata clearly separate from coverage truth |
+| B.2 | `tests/Feature/Filament/InventoryPagesTest.php` and `tests/Feature/Filament/InventoryItemResourceTest.php` | Preserve the existing inventory list inspect and sync-start affordances while asserting the summary surface no longer implies completeness from restorable-item share |
+
+### Phase C — Recenter the Coverage Page Around Tenant Truth
+
+**Goal**: Turn the current capability-first page into a tenant coverage report without removing support metadata entirely.
+
+| Step | File | Change |
+|------|------|--------|
+| C.1 | `app/Filament/Pages/InventoryCoverage.php` | Replace the current static capability row builder with rows sourced from `TenantCoverageTruthResolver`; lead with coverage-state, basis-run, observed-item, follow-up columns, and deterministic follow-up priority ordering |
+| C.2 | `resources/views/filament/pages/inventory-coverage.blade.php` | Add or adjust the summary zone so the page cites the basis run, last sync time, explicit no-sync fallback, provider or permission follow-up guidance, and follow-up summary before the table |
+| C.3 | `tests/Feature/Filament/InventoryCoverageTableTest.php` and `tests/Feature/Filament/InventoryCoverageAdminTenantParityTest.php` | Prove the page is tenant-coverage-first, keeps admin and tenant context parity, covers deterministic follow-up priority and no-basis-run messaging, and retains support, restore, and compare metadata only as secondary treatment |
+
+### Phase D — Add Human-Readable Per-Type Results To Run Detail
+
+**Goal**: Make inventory-sync per-type truth readable without raw JSON inspection.
+
+| Step | File | Change |
+|------|------|--------|
+| D.1 | `app/Filament/Resources/OperationRunResource.php` | For `inventory_sync` runs, add a dedicated enterprise-detail section that renders per-type coverage truth from `InventoryCoverage::fromContext()` |
+| D.2 | `resources/views/filament/infolists/entries/inventory-coverage-truth.blade.php` | Add the custom section view used by the enterprise-detail builder for per-type status, item counts, follow-up priority, and provider or permission follow-up cues |
+| D.3 | `tests/Feature/Operations/TenantlessOperationRunViewerTest.php` and `tests/Feature/Filament/OperationRunEnterpriseDetailPageTest.php` | Assert that inventory-sync runs render the new coverage section and that execution outcome stays distinct from per-type coverage truth |
+
+### Phase E — Enforce RBAC-Safe Coverage Continuity
+
+**Goal**: Ensure coverage surfaces can cite the backing run without leaking inaccessible operations.
+
+| Step | File | Change |
+|------|------|--------|
+| E.1 | `app/Support/Inventory/TenantCoverageTruthResolver.php` and calling surfaces | Include basis-run identity and safe continuity metadata without assuming the current user can always open the run |
+| E.2 | `app/Filament/Widgets/Inventory/InventoryKpiHeader.php` and `app/Filament/Pages/InventoryCoverage.php` | Show direct links only when the current user can open the run; otherwise show explanatory guidance, explicit no-sync copy, and provider or permission follow-up guidance |
+| E.3 | `tests/Feature/Rbac/InventoryItemResourceAuthorizationTest.php` and a new resolver or feature test for run continuity | Assert 404 or 403 behavior remains unchanged and the coverage UI degrades safely for users who cannot open the run |
+
+### Phase F — Regression Protection and Verification
+
+**Goal**: Lock the corrected semantics in place with focused tests and formatting.
+
+| Step | File | Change |
+|------|------|--------|
+| F.1 | `tests/Unit/Support/Inventory/TenantCoverageTruthResolverTest.php` | Cover basis-run selection, `Unknown` derivation, follow-up classification, and item-count joining |
+| F.2 | Existing feature tests across Inventory, Filament, Operations, and RBAC | Cover KPI wording, truth-first coverage page behavior, run-detail readability, and safe continuity |
+| F.3 | `vendor/bin/sail bin pint --dirty --format agent` and focused Pest runs | Apply formatting and run the smallest verification pack covering resolver logic, inventory surfaces, run detail, and RBAC continuity |
+
+## Key Design Decisions
+
+### D-001 — The basis run is the latest completed inventory-sync run with usable per-type coverage payload
+
+This feature needs `Failed` and `Skipped` to remain visible when a run produced real per-type truth, so the basis selector must key off payload presence rather than optimistic run outcome alone.
+
+### D-002 — `InventoryCoverage` stays a low-level parser; tenant synthesis lives in a sibling contract and resolver
+
+`InventoryCoverage` already models the canonical `context.inventory.coverage` payload. Extending it to select runs, join item counts, and apply UI-facing follow-up logic would blur responsibilities and make the low-level parser less reusable.
+
+### D-003 — Count-based KPI signals are the narrowest correction
+
+The spec explicitly identifies the unqualified percentage as the misleading element. Replacing it with succeeded and follow-up type counts corrects the operator semantics without inventing a new score.
+
+### D-004 — Capability metadata stays visible but subordinate
+
+The product support matrix is still useful, but it must stop being the primary answer to a tenant coverage question. The plan keeps the metadata in secondary table columns or reference treatment instead of removing it completely.
+
+### D-005 — No new stale state family in this slice
+
+The spec allows stale semantics as optional. Adding them now would create another interpretation layer and broaden the scope beyond the immediate truth correction. This slice uses explicit timestamps and leaves broader freshness posture to later health work.
+
+### D-006 — Follow-up priority is deterministic and severity-first
+
+Coverage surfaces must not invent their own urgency rules. Follow-up ordering is `Failed` before `Unknown` before `Skipped`, then observed item count descending, then type label ascending, so the summary and the table can highlight the same first-review candidates without presentation drift.
+
+## Risk Assessment
+
+| Risk | Impact | Likelihood | Mitigation |
+|------|--------|------------|------------|
+| The resolver selects a run that should not be the coverage basis | High | Medium | Unit-test the basis selector across succeeded, partial, failed-with-payload, skipped-with-payload, and no-payload scenarios |
+| Observed item counts are read as proof of coverage | High | Medium | Separate item counts from state columns and summary language, and add regression tests for types with items but `Unknown` coverage |
+| Capability metadata still dominates the coverage page | Medium | Medium | Lead with coverage-state columns and summary facts, demote support metadata to secondary columns, and add page-level assertions |
+| Run drill-through leaks inaccessible operations or creates dead links | High | Medium | Compute safe continuity metadata in the resolver or calling surface and test authorized, forbidden, and not-found paths |
+| Run-detail coverage rendering conflicts with the existing enterprise-detail hierarchy | Medium | Low | Use one enterprise-detail view section under existing conventions and keep raw context JSON in the technical section |
+
+## Test Strategy
+
+- Add focused unit coverage for `TenantCoverageTruthResolver` so basis-run selection, `Unknown` derivation, and follow-up classification are verified without UI noise.
+- Extend `InventoryCoverageTableTest` and `InventoryCoverageAdminTenantParityTest` to prove the page now answers tenant coverage truth first, applies deterministic follow-up priority, handles the no-basis-run case plainly, and keeps support, restore, and compare metadata secondary.
+- Extend inventory list and page regressions so the KPI summary no longer exposes a misleading coverage percentage, plainly reports when no basis run exists, and preserves existing sync-start affordances plus canonical run links.
+- Extend `TenantlessOperationRunViewerTest` and `OperationRunEnterpriseDetailPageTest` to verify inventory-sync runs render a readable per-type coverage section, provider or permission follow-up guidance, and keep execution outcome separate from coverage truth.
+- Add RBAC coverage for safe continuity so users who can see inventory truth but cannot open the run receive non-clickable or explanatory guidance rather than broken drill-throughs.
+- Run the smallest focused Sail test pack plus Pint before implementation completion.
+
+## Complexity Tracking
+
+| Violation | Why Needed | Simpler Alternative Rejected Because |
+|-----------|------------|-------------------------------------|
+| New derived runtime contract plus resolver | Three existing surfaces need the same tenant coverage synthesis from run payload, item counts, and capability metadata | Recomputing the join inside each widget or page would duplicate business truth and make regression drift likely |
+
+## Proportionality Review
+
+- **Current operator problem**: Operators currently read a `Coverage` KPI that actually measures restorable-item share and a coverage page that primarily presents product support metadata, while the true per-type sync result lives in run context and is difficult to read.
+- **Existing structure is insufficient because**: No existing object combines the relevant run basis, per-type run status, item counts, and support metadata into one tenant-coverage answer, and the current surfaces each infer their own incomplete version of coverage.
+- **Narrowest correct implementation**: Add one derived runtime contract plus one resolver, then refit the existing KPI header, coverage page, and run-detail page around that contract without adding persistence or a broader framework.
+- **Ownership cost created**: One new runtime contract, one resolver, one custom enterprise-detail view, and a focused set of unit and feature regressions.
+- **Alternative intentionally rejected**: A persisted coverage table, a new percentage score, a request-scoped aggregate framework, or a broader inventory health layer were rejected because they exceed the scope of correcting already-available truth.
+- **Release truth**: Current-release truth correction.

specs/177-inventory-coverage-truth/quickstart.md

@@ -0,0 +1,64 @@
+# Quickstart: Inventory Coverage Truth (177)
+
+## Goal
+
+Implement the Spec 177 truth correction without changing inventory-sync execution semantics or adding persistence.
+
+The implementation is complete when:
+- the inventory KPI header no longer shows a misleading unqualified coverage percentage,
+- the coverage page answers tenant coverage truth first,
+- inventory-sync run detail shows per-type results in human-readable form,
+- and run continuity is RBAC-safe.
+
+## Suggested Implementation Order
+
+1. Add the derived runtime contract and resolver under `app/Support/Inventory`.
+2. Add unit tests for basis-run selection, `Unknown` derivation, and follow-up classification.
+3. Refactor `InventoryKpiHeader` to consume the new resolver and switch to count-based summary facts.
+4. Refactor `InventoryCoverage` to consume the same resolver and move capability metadata into secondary treatment.
+5. Add the inventory-sync run detail section and its custom Blade view.
+6. Extend RBAC and feature tests for safe continuity and truthful rendering.
+7. Run Pint and the focused Sail test pack.
+
+## Verification Workflow
+
+### Unit and focused feature tests
+
+Run the smallest focused set first:
+
+```bash
+export PATH="/bin:/usr/bin:/usr/local/bin:$PATH"
+cd /Users/ahmeddarrazi/Documents/projects/TenantAtlas
+vendor/bin/sail artisan test --compact tests/Unit/Support/Inventory/TenantCoverageTruthResolverTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/InventoryCoverageTableTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Filament/InventoryCoverageAdminTenantParityTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Operations/TenantlessOperationRunViewerTest.php
+vendor/bin/sail artisan test --compact tests/Feature/Inventory/RunInventorySyncJobTest.php
+vendor/bin/sail bin pint --dirty --format agent
+```
+
+### Manual operator walkthrough
+
+1. Open the inventory items list for a tenant with a recent inventory-sync run.
+2. Confirm the header shows count-based coverage truth, not `Coverage %`.
+3. Open the coverage page and verify the summary cites the basis run and the per-type table leads with coverage state and follow-up.
+4. Open the cited inventory-sync run and verify the new per-type coverage section renders without opening raw JSON.
+5. Verify a user without access to the run sees safe explanatory guidance instead of a dead-end link.
+
+## Out-of-Scope Guardrails
+
+Do not do any of the following in this slice:
+- add a new coverage table or materialized summary artifact
+- rewrite `InventorySyncService` or `RunInventorySyncJob`
+- introduce restore-readiness or compare-readiness semantics into coverage
+- add a first-class stale coverage state family
+- add page-local badge mappings or local semantic color logic
+
+## Completion Checklist
+
+- Count-based KPI summary shipped
+- Coverage page is tenant-truth-first
+- Capability metadata is visibly secondary
+- Run detail has human-readable per-type coverage
+- Safe continuity works for both authorized and unauthorized viewers
+- Focused tests and Pint pass

specs/177-inventory-coverage-truth/research.md

@@ -0,0 +1,66 @@
+# Phase 0 Research: Inventory Coverage Truth (177)
+
+## Context
+
+Spec 177 corrects a semantic trust problem on the existing inventory surfaces.
+
+The current inventory KPI widget computes `Coverage %` from restorable-item share inside `InventoryKpiHeader`, while real per-type sync truth is already persisted in canonical `OperationRun.context['inventory']['coverage']` by `InventorySyncService` and `RunInventorySyncJob`. The current `InventoryCoverage` page is config-driven and capability-first, and inventory-sync run detail still leaves the per-type result largely hidden behind generic run outcome and raw JSON.
+
+The feature must stay derived, tenant-scoped, and operator-first.
+
+## Decisions
+
+### Decision: The coverage basis is the latest completed inventory-sync run with parseable per-type coverage payload
+- **Rationale**: The spec needs `Succeeded`, `Failed`, `Skipped`, and `Unknown` to be visible as tenant coverage truth. The job currently writes a normalized `context.inventory.coverage` payload before terminalizing the run, including skipped and failed cases that still carry real per-type truth. The narrowest deterministic rule is therefore to select the latest completed `inventory_sync` run for the tenant whose payload can be parsed by `InventoryCoverage::fromContext()`.
+- **Alternatives considered**:
+  - Latest succeeded or partially succeeded run only: rejected because it would hide relevant skipped or failed per-type truth that the spec explicitly wants operators to see.
+  - Latest attempted run regardless of payload: rejected because a run without parseable coverage payload cannot support per-type coverage truth and would collapse all rows into guesswork.
+
+### Decision: Coverage remains fully derived from existing truth sources
+- **Rationale**: The feature can answer the tenant coverage question by combining three already-existing sources: canonical per-type sync truth from `OperationRun.context.inventory.coverage`, observed-item counts from `InventoryItem`, and product capability metadata from `InventoryPolicyTypeMeta` plus `CoverageCapabilitiesResolver`. This satisfies the constitution bias toward deriving before persisting.
+- **Alternatives considered**:
+  - New coverage table or materialized snapshot: rejected because it would duplicate current-release truth and add lifecycle overhead without new operator value.
+  - Writeback summary JSON to `Tenant`: rejected because the truth already belongs to the latest inventory-sync run and current observed items.
+
+### Decision: Introduce one narrow runtime contract and resolver as siblings to `InventoryCoverage`
+- **Rationale**: `InventoryCoverage` is already the canonical parser for the stored run payload. Extending it to perform tenant-scoped run lookup, item-count joins, and follow-up classification would blur responsibilities. A sibling runtime contract such as `TenantCoverageTruth` and a resolver such as `TenantCoverageTruthResolver` keep the low-level parser small while giving the UI one stable read model.
+- **Alternatives considered**:
+  - Add more behavior directly to `InventoryCoverage`: rejected because it would mix raw payload normalization with tenant-level query and presentation concerns.
+  - Compute the join independently inside each page or widget: rejected because three surfaces would re-own the same truth and regress independently.
+  - Add request-scoped aggregate caching: rejected as unnecessary complexity for this slice.
+
+### Decision: Replace the KPI percentage with count-based coverage facts
+- **Rationale**: The spec explicitly says absolute counts are preferred over a percentage unless the percentage is narrowly qualified. Count-based facts such as succeeded types, types needing follow-up, last sync, and items observed answer the operator question directly and avoid false completeness signals.
+- **Alternatives considered**:
+  - Keep a relabeled percentage such as `Latest sync type coverage`: rejected for the first slice because counts are clearer and avoid another interpretation layer.
+  - Keep the current restorable-item share with different wording: rejected because it still answers the wrong question.
+
+### Decision: The coverage page becomes one tenant-coverage-first report with capability metadata demoted to secondary treatment
+- **Rationale**: The current page already has a searchable and filterable table surface. The narrowest correction is to reuse that surface, rebuild the row model around tenant coverage truth, lead with summary + state + follow-up columns, and keep capability metadata in secondary columns or labeled reference treatment.
+- **Alternatives considered**:
+  - Preserve the current capability-first matrix and add a separate banner: rejected because the primary semantic center would remain wrong.
+  - Split the page into two separate tables for tenant truth and product support: rejected as broader than needed for the first correction slice.
+
+### Decision: Inventory-sync run detail gets one human-readable per-type coverage section under the existing enterprise-detail stack
+- **Rationale**: `OperationRunResource` already uses `EnterpriseDetailBuilder` with custom view sections. Adding one `inventory_sync`-specific section under the same pattern is the narrowest way to expose per-type results without inventing a new operational page.
+- **Alternatives considered**:
+  - Continue relying on raw context JSON: rejected because the spec explicitly forbids leaving this truth buried in JSON.
+  - Build a standalone inventory-sync detail page: rejected because the canonical run viewer already exists.
+
+### Decision: Do not introduce a first-class stale or freshness coverage state in Spec 177
+- **Rationale**: The spec lists stale semantics as optional secondary behavior. The current trust defect is the wrong meaning of coverage, not missing freshness taxonomy. Showing the basis timestamp is enough for this slice and avoids broadening the state family.
+- **Alternatives considered**:
+  - Add `Stale` now as a fifth primary coverage state: rejected because it would expand scope into inventory health and freshness semantics better handled by a later follow-up spec.
+
+### Decision: Run continuity must be RBAC-safe and explanatory when drill-through is unavailable
+- **Rationale**: The spec requires that coverage surfaces never emit broken or implicitly inaccessible next actions. The UI must only link to the basis run when the user is entitled to open it; otherwise it must show clear non-clickable guidance.
+- **Alternatives considered**:
+  - Always show the run link and let authorization fail after navigation: rejected because it creates dead-end operator flows and can leak existence.
+  - Hide all run references unless the user can open them: rejected because the spec still requires clear explanation of what the coverage statement is based on.
+
+## Clarifications Resolved
+
+- **Relevant inventory sync**: The basis run is payload-bearing and completed; outcome alone is not sufficient.
+- **Unknown semantics**: `Unknown` means there is no current tenant coverage result for that supported type in the chosen basis run, even if items still exist from older observation.
+- **Capability separation**: Restore mode, risk, dependency support, and similar metadata remain visible only as secondary support reference, not as coverage truth.
+- **Scope limit**: No new persistence, no backend rewrite, and no freshness-state expansion are included in this slice.

specs/177-inventory-coverage-truth/spec.md

@@ -0,0 +1,235 @@
+# Feature Specification: Spec 177 - Inventory Coverage Truth
+
+**Feature Branch**: `feat/177-inventory-coverage-truth`  
+**Created**: 2026-04-05  
+**Status**: Draft  
+**Input**: User description: "Spec 177 - Inventory Coverage Truth"
+
+## Spec Scope Fields *(mandatory)*
+
+- **Scope**: tenant + canonical-view
+- **Primary Routes**:
+  - `/admin/inventory-items` and inventory item detail routes while a tenant context is active
+  - `/admin/coverage` while a tenant context is active
+  - `/admin/operations` and `/admin/operations/{run}` for canonical inventory-sync drill-through
+- **Data Ownership**:
+  - Tenant-owned `InventoryItem` rows and per-type observed item counts remain the tenant inventory observation truth.
+  - Workspace-owned `OperationRun` rows with a tenant reference remain the canonical execution truth for `inventory_sync`, including the existing per-type payload stored under `context.inventory.coverage`.
+  - Product capability and support metadata remain derived from the supported-type catalog and capability metadata already exposed through inventory policy-type meta and related capability resolvers.
+  - This feature introduces no new persisted coverage table, no materialized coverage snapshot, and no writeback artifact.
+- **RBAC**:
+  - Workspace membership, tenant entitlement, and tenant inventory view capability remain required for the inventory items list and the coverage page.
+  - Starting an inventory sync from the inventory items list remains gated by the canonical tenant inventory sync capability.
+  - Inventory-sync run drill-through remains governed by existing operation-run authorization: workspace membership, tenant entitlement when a run is tenant-bound, and any run-specific required capability already attached to that run.
+  - Coverage surfaces must never expose broken or unauthorized next-action links; when a user can see coverage truth but cannot open the backing run, the UI must degrade safely.
+
+For canonical-view specs, the spec MUST define:
+
+- **Default filter behavior when tenant-context is active**: Coverage-to-operations navigation opens the exact latest relevant inventory-sync run when one is available. If the operator needs the broader operations list instead, the canonical destination opens prefiltered to the active tenant and the inventory-sync operation family.
+- **Explicit entitlement checks preventing cross-tenant leakage**: Coverage summary counts, per-type rows, observed-item counts, run references, and follow-up actions must be derived only from the active tenant scope and from operation runs the current user is entitled to inspect. Non-members remain deny-as-not-found, and inaccessible runs must not leak existence through clickable dead ends.
+
+## UI/UX Surface Classification *(mandatory when operator-facing surfaces are changed)*
+
+| Surface | Surface Type | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type |
+|---|---|---|---|---|---|---|---|---|---|---|---|
+| Inventory items list with KPI summary | Read-only Registry / Report Surface | Full-row click to inventory item detail remains the one inspect model for item records | required | `Run Inventory Sync` stays in the header; coverage and run continuity links stay in the KPI summary or adjacent summary content | none | `/admin/inventory-items` | Inventory item detail route for the selected tenant item | Active tenant context, current filters, and the last relevant sync reference anchor the list to one tenant | Inventory Items / Inventory Item | Observed items plus truthful tenant coverage summary, including latest sync reference and follow-up counts rather than a misleading restorable-item percentage | Embedded summary surface inside a read-only resource |
+| Inventory coverage page | Read-only Registry / Report Surface | The page itself is the canonical tenant coverage report; diagnostics drill through via explicit summary links to the relevant sync run | forbidden | Summary-level diagnostic and retry actions live above or beside the per-type table; capability reference remains secondary on the page | none | `/admin/coverage` | `/admin/operations/{run}` for the cited relevant inventory-sync run | Active tenant context, cited run timestamp, cited run identity, and visible succeeded or failed or skipped or unknown counts | Inventory Coverage | Per-type tenant coverage truth, follow-up need, and the run the truth is based on, clearly separated from product capability reference | Derived per-type rows have no standalone record detail |
+| Inventory sync run detail | Detail-first Operational Surface | Dedicated run detail page | forbidden | Existing back, refresh, related-link, and safe diagnostic actions remain in the detail header | none | `/admin/operations` | `/admin/operations/{run}` | Workspace context, referenced tenant, run timing, run outcome, and inventory-sync identity | Inventory Sync Run / Operation Run | Execution outcome plus human-readable per-type coverage results instead of raw JSON alone | none |
+
+## Operator Surface Contract *(mandatory when operator-facing surfaces are changed)*
+
+| Surface | Primary Persona | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
+|---|---|---|---|---|---|---|---|---|---|
+| Inventory items list with KPI summary | Tenant operator | List with embedded summary | What has this tenant inventory observed, and does current coverage need follow-up before I trust that view? | Total observed items, last relevant sync reference, counts of succeeded types and types needing follow-up, and the inventory item list itself | Raw run context, low-level provider failure details, and secondary capability metadata | coverage truth, execution recency, item presence | `Run Inventory Sync` continues to affect the Microsoft tenant and TenantPilot inventory observation state; the list itself is read-only | Open inventory item, Run Inventory Sync, Open coverage truth | none |
+| Inventory coverage page | Tenant operator | Derived report | Which supported types are currently covered for this tenant, which are not, and what should I do next? | Coverage summary, follow-up summary, cited relevant sync, and a per-type table showing state, timestamp or run reference context, observed item count, and follow-up need | Secondary support or capability reference, dependency capability, raw reason codes, and deep diagnostics | coverage truth, execution truth, item presence, capability reference as a separate domain | none on the report itself; any sync retry action keeps the existing inventory-sync mutation scope | View latest sync run, Run inventory sync again when authorized, Review follow-up types | none |
+| Inventory sync run detail | Tenant operator or workspace operator with tenant entitlement | Detail | What did this inventory sync actually do per type, and how does that explain the tenant's current coverage truth? | Run status and outcome, human-readable per-type results, counts, related tenant context, and next-step guidance | Full context JSON, raw failure payloads, and deeper technical fragments | execution outcome, per-type coverage result, item counts, next-step guidance | none on the detail page itself | Refresh, open related coverage context, open related records | none |
+
+## Proportionality Review *(mandatory when structural complexity is introduced)*
+
+- **New source of truth?**: No.
+- **New persisted entity/table/artifact?**: No.
+- **New abstraction?**: Yes, one narrow derived coverage-truth assembler or read model may be required to combine supported types, the latest relevant inventory-sync result, observed item counts, and follow-up classification on existing surfaces.
+- **New enum/state/reason family?**: Yes, a narrow derived tenant-coverage state family must include `Unknown` or `Not synced yet` alongside the existing successful, failed, and skipped outcomes. It remains derived, not persisted.
+- **New cross-domain UI framework/taxonomy?**: No.
+- **Current operator problem**: Operators currently see a `Coverage` KPI that is really a restorable-item share, while real per-type sync truth lives in inventory-sync run context and is almost invisible on the operator-facing surfaces that should answer coverage questions.
+- **Existing structure is insufficient because**: The KPI widget currently compresses restorable-item share into `Coverage %`, the coverage page renders a capability or support matrix rather than tenant sync truth, and inventory-sync run detail does not expose per-type results in an operator-first format.
+- **Narrowest correct implementation**: Derive one tenant coverage view from the existing latest relevant inventory-sync run, the supported-type catalog, and current inventory-item counts; surface it on the existing inventory pages and inventory-sync run detail; keep product capability reference secondary; add no new persistence.
+- **Ownership cost**: Focused derived-read-model logic, presentation cleanup on three existing surfaces, and regression coverage across tenant coverage, operations drill-through, and RBAC-safe degradation.
+- **Alternative intentionally rejected**: A new coverage table, a restore-readiness score, a compare-readiness layer, a dashboard-wide inventory health program, or a broader content-depth taxonomy were rejected because the immediate defect is misleading operator truth on already-shipped inventory surfaces.
+- **Release truth**: Current-release truth correction that prepares later usefulness, missing-item, and dashboard follow-up work.
+
+## User Scenarios & Testing *(mandatory)*
+
+### User Story 1 - Read truthful coverage at a glance (Priority: P1)
+
+As a tenant operator, I can open inventory surfaces and immediately understand which supported inventory types are currently covered for my tenant and which types still need follow-up.
+
+**Why this priority**: The current trust failure starts at first glance. If the leading KPI and coverage page are semantically wrong, every later decision is biased by false calm.
+
+**Independent Test**: Can be fully tested by seeding one tenant with a latest relevant inventory-sync run that contains a mix of succeeded, failed, skipped, and omitted types plus current inventory items, then rendering the inventory items list and the coverage page.
+
+**Acceptance Scenarios**:
+
+1. **Given** a tenant has a latest relevant inventory-sync run with mixed per-type outcomes, **When** the operator opens the coverage page, **Then** every supported type appears with a truthful state of succeeded, failed, skipped, or unknown and the follow-up summary highlights the non-succeeded types.
+2. **Given** a supported type has observed items but no current coverage result in the relevant sync basis, **When** the operator opens the coverage surface, **Then** the type appears as unknown or not synced yet rather than implicitly covered.
+3. **Given** no relevant inventory-sync run exists for the tenant, **When** the operator opens the inventory summary surfaces, **Then** the UI makes clear that there is no current coverage result and points the operator toward starting inventory sync instead of presenting a positive coverage claim.
+
+---
+
+### User Story 2 - Move cleanly from coverage truth to run truth (Priority: P1)
+
+As a tenant operator, I can see which inventory-sync run the current coverage statement is based on and open that run or a safe equivalent diagnostic path without losing tenant context.
+
+**Why this priority**: Coverage claims must be recoverable. If the UI states that a tenant is covered or not covered but cannot show the exact run that established that claim, the truth is not auditable.
+
+**Independent Test**: Can be fully tested by seeding a tenant with a relevant inventory-sync run and verifying that the coverage page and inventory summary surfaces cite the run, the timestamp, and the correct drill-through behavior for both authorized and unauthorized viewers.
+
+**Acceptance Scenarios**:
+
+1. **Given** current coverage is derived from a specific inventory-sync run, **When** the operator opens the coverage page, **Then** the page shows the cited run and timestamp and provides a direct path to that run.
+2. **Given** the current user can see inventory truth but cannot open the backing run, **When** the coverage page renders, **Then** the page shows safe explanatory guidance instead of a broken or unauthorized run link.
+3. **Given** the operator needs the broader operations history, **When** the operator follows the diagnostic path from inventory coverage, **Then** the operations destination stays scoped to the originating tenant and the inventory-sync operation family.
+
+---
+
+### User Story 3 - Diagnose per-type inventory-sync results without raw JSON (Priority: P2)
+
+As a tenant operator, I can open an inventory-sync run detail page and read the per-type results in human terms, so I understand how execution outcome and coverage follow-up relate.
+
+**Why this priority**: The backend already knows this truth. The missing value is readable diagnosis, not a new execution system.
+
+**Independent Test**: Can be fully tested by seeding an inventory-sync run whose per-type payload contains mixed outcomes and verifying that the run detail page renders a readable per-type breakdown and next-step guidance without requiring raw JSON inspection.
+
+**Acceptance Scenarios**:
+
+1. **Given** an inventory-sync run has per-type coverage payload data, **When** the operator opens the run detail page, **Then** the page shows a human-readable per-type result section rather than burying the truth only in raw context JSON.
+2. **Given** the run outcome is partially successful, **When** the operator views run detail, **Then** the page separates overall execution outcome from the specific types that still need follow-up.
+3. **Given** one or more types failed or were skipped, **When** the operator views run detail, **Then** the next-step guidance points to the relevant follow-up path such as reviewing provider or permission problems or running inventory sync again.
+
+### Edge Cases
+
+- The tenant has never completed a relevant inventory-sync run, so all supported types must remain unknown instead of reading as covered by default.
+- The latest relevant run omitted one or more supported types entirely, which must result in unknown rather than silent success.
+- Observed items exist from an older run, but the latest relevant run did not establish current coverage truth for that type.
+- The latest relevant run failed or was blocked before processing most or all selected types.
+- A type was intentionally skipped because of selection or foundation toggles, and the UI must show that truth without implying success.
+- The current user may view inventory surfaces but may not satisfy the required capability for the cited inventory-sync run.
+- The supported-type catalog may change after the latest sync, so the coverage surface must distinguish current support reference from tenant sync truth.
+
+## Requirements *(mandatory)*
+
+**Constitution alignment (required):** This feature introduces no new Microsoft Graph contract, no new change operation, and no new long-running workflow. It reuses the existing `inventory_sync` operation truth already written into canonical `OperationRun` records and corrects how that truth is surfaced on inventory pages.
+
+**Constitution alignment (PROP-001 / ABSTR-001 / PERSIST-001 / STATE-001 / BLOAT-001):** The feature is intentionally narrow. It introduces no new persistence and no generic framework. A single derived coverage-truth assembler and one derived `Unknown` coverage state are justified because the existing surfaces currently misrepresent three different truths as one. The feature follows the default bias of deriving before persisting, replacing misleading semantics before layering new ones, and being explicit instead of generic.
+
+**Constitution alignment (OPS-UX):** The existing `inventory_sync` `OperationRun` remains canonical. This feature does not change queued-toast, progress-surface, or terminal-notification behavior. `OperationRun.status` and `OperationRun.outcome` remain service-owned through `OperationRunService`, `summary_counts` remain numeric-only and canonical, scheduled or system-run behavior is unchanged, and regression coverage must verify run-detail rendering and coverage-to-run continuity without inventing new operation feedback surfaces.
+
+**Constitution alignment (RBAC-UX):** This feature spans tenant inventory surfaces on `/admin` with active tenant context and canonical operations surfaces on `/admin/operations`. Non-members or actors outside the current tenant scope remain `404`. In-scope members missing the required run capability remain `403` on the run detail itself. Server-side authorization remains the source of truth through the existing capability resolver on inventory surfaces and `OperationRunPolicy` plus run-capability resolution for run drill-through. No raw capability strings or role-string checks are introduced. No new destructive action is added.
+
+**Constitution alignment (OPS-EX-AUTH-001):** Not applicable. No authentication handshake behavior is changed.
+
+**Constitution alignment (BADGE-001):** Any added or updated coverage-state badges must stay centralized. `Succeeded`, `Failed`, `Skipped`, and `Unknown` must use shared badge semantics rather than page-local color language, and regression tests must cover the new or revised mappings.
+
+**Constitution alignment (UI-FIL-001):** The feature reuses Filament stats widgets, tables, sections, badges, infolists, and actions already present on the affected inventory and operations surfaces. It avoids local replacement markup for status language and does not require publishing internal Filament views. No exception is expected.
+
+**Constitution alignment (UI-STD-001):** The modified inventory items list and inventory coverage page are governed by `docs/product/standards/list-surface-review-checklist.md`, and implementation must review both surfaces against that checklist before sign-off.
+
+**Constitution alignment (UI-NAMING-001):** Operator-facing vocabulary must distinguish `Coverage`, `Support`, `Capability`, `Restore mode`, `Compare`, `Last sync`, and `Needs follow-up`. `Coverage` means tenant-specific sync coverage for supported types. `Coverage %` is forbidden unless explicitly qualified as the latest sync's type coverage. `Restore ready` and `Compare ready` must not be used as synonyms for coverage.
+
+**Constitution alignment (UI-CONST-001 / UI-SURF-001 / UI-HARD-001 / UI-EX-001 / UI-REVIEW-001):** The inventory items list keeps row click for real inventory records. The inventory coverage page remains a derived report with an approved exception: its per-type rows do not open a standalone detail record. Diagnostics drill through through explicit links to the relevant run. The canonical collection and detail routes are stated above, and critical truth visible by default must be tenant coverage truth rather than support metadata.
+
+**Constitution alignment (OPSURF-001):** Default-visible content must stay operator-first. Coverage truth, execution truth, and item presence must be shown as separate dimensions. Capability and support metadata remain diagnostics or secondary reference. The existing `Run Inventory Sync` action continues to communicate a tenant-affecting sync over the external tenant plus TenantPilot observation state and follows the existing safe execution pattern.
+
+**Constitution alignment (UI-SEM-001 / LAYER-001 / TEST-TRUTH-001):** Direct mapping from one existing source is insufficient because current truth is split across operation-run context, inventory-item counts, and supported-type metadata. This feature may introduce one narrow derived coverage view, but it must replace the misleading KPI and capability-centric interpretation rather than add a new general semantic framework. Tests must focus on operator consequences: truthful summaries, safe follow-up, and auditable continuity.
+
+**Constitution alignment (Filament Action Surfaces):** The Action Surface Contract remains satisfied with one approved exception on `InventoryCoverage`: derived per-type rows do not have a standalone record detail. Redundant `View` actions remain absent, empty action groups remain absent, and no new destructive action is introduced. UI-FIL-001 is satisfied with no approved exception beyond the existing derived-row detail exemption.
+
+**Constitution alignment (UX-001 - Layout & Information Architecture):** The inventory coverage page remains a search and filter driven table surface with a truthful summary above the table and a clear single empty-state CTA. The inventory items list remains a read-only list and detail flow. Inventory-sync run detail remains a view-style operational page. Any new summary panels or diagnostic sections must use shared sections or cards and keep raw JSON secondary.
+
+### Functional Requirements
+
+- **FR-177-001**: Default-visible inventory summary surfaces MUST NOT present a KPI or label that can be read as tenant inventory completeness when it actually represents restorable-item share, capability coverage, or any other secondary truth. The current unqualified `Coverage %` must be removed or replaced with an explicitly qualified type-coverage statement.
+- **FR-177-002**: The tenant coverage report MUST show every supported inventory type for the selected tenant with, at minimum, the type, current coverage state, the relevant sync reference or time basis, observed item count, and whether follow-up is needed.
+- **FR-177-003**: Coverage state MUST be derived from real inventory-sync truth and MUST include at least `Succeeded`, `Failed`, `Skipped`, and `Unknown` or `Not synced yet`.
+- **FR-177-004**: Coverage surfaces MUST make clear which relevant inventory-sync run they are based on, including a visible timestamp and a direct or safely degraded path to the canonical run detail. If no relevant sync exists, the surface must say so plainly.
+- **FR-177-005**: Run execution truth and coverage truth MUST remain separate. A partial or failed run outcome must not replace the per-type statement of which supported types are currently covered and which still need follow-up.
+- **FR-177-006**: The inventory coverage page MUST primarily answer the tenant question `Which supported types are currently inventoried successfully for this tenant, and where are the gaps?` It must not remain centered on a product support matrix.
+- **FR-177-007**: Product support and capability metadata MAY remain available only as a clearly secondary reference layer with labels such as `Support`, `Capability`, or `Restore mode`. It must not be confused with tenant coverage truth.
+- **FR-177-008**: When one or more supported types are failed, skipped, or unknown, the coverage surfaces MUST prominently signal that follow-up is required, how many types are affected, and which types are highest priority to review first. Follow-up priority MUST use a deterministic severity-first order of `Failed` before `Unknown` before `Skipped`, then observed item count descending, then inventory type label ascending for stable ties.
+- **FR-177-009**: A supported type without a current tenant coverage result MUST appear as `Unknown` or `Not synced yet`. It must not appear positively because items exist, because the type is supported, or because the product has richer capability metadata for it.
+- **FR-177-010**: Observed item counts MUST remain clearly separate from coverage truth and MUST NOT be styled or worded as proof of completeness, restore usefulness, or compare usefulness.
+- **FR-177-011**: Coverage surfaces MUST provide real next actions such as viewing the latest relevant run, running inventory sync again, reviewing failed or skipped types, or reviewing provider or permission issues. When a next action cannot be opened by the current user, the surface MUST show safe explanatory guidance instead of a dead-end link.
+- **FR-177-012**: Inventory-sync run detail MUST expose per-type results in a human-readable section and MUST NOT rely on raw JSON alone to communicate which supported types succeeded, failed, or were skipped.
+- **FR-177-013**: All coverage signals, per-type states, counts, and run drill-throughs MUST remain tenant-scoped and RBAC-conformant.
+- **FR-177-014**: Coverage MUST NOT imply restore readiness. Any restore metadata shown on the same surface must remain explicitly separate from the coverage statement.
+- **FR-177-015**: Coverage MUST NOT imply compare readiness. Any compare-related context shown on the same surface must remain secondary and explicitly distinct from coverage truth.
+- **FR-177-016**: The feature MUST be derived from existing inventory items, supported-type metadata, and canonical inventory-sync run truth without adding a new coverage persistence model or rewriting the inventory-sync backend.
+
+## UI Action Matrix *(mandatory when Filament is changed)*
+
+| Surface | Location | Header Actions | Inspect Affordance (List/Table) | Row Actions (max 2 visible) | Bulk Actions (grouped) | Empty-State CTA(s) | View Header Actions | Create/Edit Save+Cancel | Audit log? | Notes / Exemptions |
+|---|---|---|---|---|---|---|---|---|---|---|
+| Inventory items list with KPI summary | `app/Filament/Resources/InventoryItemResource.php`, `app/Filament/Resources/InventoryItemResource/Pages/ListInventoryItems.php`, `app/Filament/Widgets/Inventory/InventoryKpiHeader.php` | `Run Inventory Sync` | Existing one-click open path to inventory item detail remains the only inspect model for item rows | none | none | Existing inventory list empty-state CTA remains unchanged | n/a | n/a | existing only for sync dispatch | KPI labels, summary facts, and coverage or run continuity links are changed by this spec. The sync action remains capability-gated and non-destructive. |
+| Inventory coverage page | `app/Filament/Pages/InventoryCoverage.php` | none; summary-level diagnostic or retry CTAs may appear above the table | Approved exception: derived per-type rows do not have a standalone detail record | none | none | `Clear filters` | n/a | n/a | no new audit behavior | Action Surface Contract remains satisfied through the approved derived-row exception. Run continuity is provided through explicit summary links rather than row inspect actions. |
+| Inventory sync run detail | `app/Filament/Pages/Operations/TenantlessOperationRunViewer.php` and the existing operation-run detail rendering stack | Existing back, refresh, and related-link header actions remain | Direct page | n/a | none | n/a | Existing back, refresh, and related-link header actions remain | n/a | no new audit behavior | This spec adds human-readable per-type inventory coverage results to the existing detail page and does not introduce new mutations. |
+
+### Key Entities *(include if feature involves data)*
+
+- **Tenant coverage truth**: The tenant-specific statement of whether each supported inventory type is currently covered successfully, failed, skipped, or still unknown.
+- **Relevant inventory-sync run**: The latest completed `inventory_sync` execution for the active tenant that contains parseable `context.inventory.coverage` truth. Overall run outcome does not disqualify it when usable per-type payload exists, because `Failed` and `Skipped` remain meaningful operator truth.
+- **Coverage state**: The per-type result family used for operator decisions: `Succeeded`, `Failed`, `Skipped`, and `Unknown` or `Not synced yet`.
+- **Observed item count**: The current number of inventory items observed for one supported type in the selected tenant, kept separate from coverage truth.
+- **Capability reference**: Static product support metadata such as support mode, restore mode, dependency capability, risk, or similar type metadata that must remain distinct from tenant coverage truth.
+
+## Success Criteria *(mandatory)*
+
+### Measurable Outcomes
+
+- **SC-177-001**: In seeded regression scenarios, the default-visible inventory items summary, inventory coverage page, and inventory-sync run detail together expose covered versus follow-up types, basis-run context, and next-step guidance without requiring raw JSON inspection.
+- **SC-177-002**: In regression coverage, 100% of default-visible inventory summary surfaces stop showing an unqualified `Coverage %` or any equivalent metric that can be read as tenant inventory completeness.
+- **SC-177-003**: In regression coverage, every supported type shown on the tenant coverage report resolves to exactly one of `Succeeded`, `Failed`, `Skipped`, or `Unknown`, and the summary follow-up count matches the number of non-succeeded types.
+- **SC-177-004**: In tested authorization scenarios, operators can either open the cited relevant inventory-sync run from coverage surfaces or receive a safe non-clickable explanation in 100% of cases.
+- **SC-177-005**: The feature ships without a required schema migration, without a new coverage table, and without a rewrite of the inventory-sync backend.
+
+## Assumptions
+
+- Existing inventory-sync runs already persist per-type successful or failed or skipped truth for attempted types inside canonical `OperationRun` context.
+- The supported and foundation type catalog remains the authoritative denominator for tenant coverage reporting.
+- `Unknown` is a derived tenant state used when current coverage truth for a supported type cannot be established from the relevant sync basis, even if older items still exist.
+- Inventory item list and detail pages remain the correct places for item-level observation; this spec does not promote them into restore-readiness or compare-readiness surfaces.
+
+## Non-Goals
+
+- Redesigning the backup or restore domain
+- Introducing a restore-readiness algorithm or item-level readiness score
+- Introducing a compare-readiness domain for inventory coverage
+- Building a missing or vanished item workflow
+- Launching a dashboard-wide inventory health program
+- Adding a new persistence table or materialized coverage artifact
+- Rewriting the inventory-sync backend
+
+## Dependencies
+
+- Spec 039 - Inventory Program
+- Spec 040 - Inventory Core
+- Spec 041 - Inventory UI
+- Spec 042 - Inventory Dependencies Graph
+- Existing inventory surfaces, inventory-sync execution, supported-type metadata, and canonical operations drill-through behavior already present in the repo
+
+## Follow-up Spec Candidates
+
+- **Inventory Content Depth & Usefulness**: Separate coverage truth from content depth, restore usefulness, and compare usefulness.
+- **Inventory Missing / Vanished Surface**: Add explicit follow-up for missing or vanished items once coverage truth is no longer overloaded.
+- **Dashboard Inventory Health**: Propagate truthful coverage and freshness signals onto broader tenant overview surfaces after the core coverage semantics are corrected.
+
+## Definition of Done
+
+Spec 177 is complete when:
+
+- no operator can read a default-visible coverage metric as tenant inventory completeness when it is actually describing capability or restorable-item share,
+- the inventory coverage page shows truthful per-type tenant coverage and makes follow-up obvious,
+- the inventory items list and its KPI summary cite truthful coverage and last-sync context rather than a misleading percentage,
+- inventory-sync run detail exposes per-type results in human-readable form,
+- capability and support metadata remain available but secondary and explicitly labeled,
+- coverage-to-run continuity is auditable and RBAC-safe,
+- and the improvement ships without a new persisted coverage model or an inventory-sync backend rewrite.

specs/177-inventory-coverage-truth/tasks.md

@@ -0,0 +1,224 @@
+# Tasks: Inventory Coverage Truth
+
+**Input**: Design documents from `/specs/177-inventory-coverage-truth/`
+**Prerequisites**: `plan.md` (required), `spec.md` (required for user stories), `research.md`, `data-model.md`, `contracts/`, `quickstart.md`
+
+**Tests**: Required. Use Pest coverage in `tests/Unit/Support/Inventory/TenantCoverageTruthResolverTest.php`, `tests/Unit/Badges/BadgeCatalogTest.php`, `tests/Unit/Badges/InventoryCoverageStateBadgesTest.php`, `tests/Feature/Filament/InventoryCoverageTableTest.php`, `tests/Feature/Filament/InventoryCoverageAdminTenantParityTest.php`, `tests/Feature/Filament/InventoryPagesTest.php`, `tests/Feature/Filament/InventoryItemResourceTest.php`, `tests/Feature/Filament/InventoryCoverageRunContinuityTest.php`, `tests/Feature/Filament/OperationRunEnterpriseDetailPageTest.php`, `tests/Feature/Inventory/InventorySyncServiceTest.php`, `tests/Feature/Inventory/InventorySyncStartSurfaceTest.php`, `tests/Feature/Inventory/RunInventorySyncJobTest.php`, `tests/Feature/Operations/TenantlessOperationRunViewerTest.php`, and `tests/Feature/Rbac/InventoryItemResourceAuthorizationTest.php`.
+**Operations**: This feature reuses the existing `inventory_sync` `OperationRun` and does not introduce a new run type or change lifecycle ownership. Tasks must keep canonical run links and read-time rendering aligned without changing queued execution semantics.
+**RBAC**: Existing workspace membership, tenant entitlement, and 404 vs 403 semantics remain authoritative. Tasks must preserve tenant-safe rendering and ensure basis-run links degrade safely when the current user cannot open the run.
+**Operator Surfaces**: The inventory items list KPI header, the inventory coverage page, and canonical inventory-sync run detail must become tenant-coverage-first while keeping low-level diagnostics secondary.
+**Filament UI Action Surfaces**: No new destructive actions or new action inventories are added. The existing `Run Inventory Sync` header action remains capability-gated and non-destructive, and the `InventoryCoverage` page keeps its derived-row no-detail exception.
+**Filament UI UX-001**: No new create or edit screens are introduced. The inventory coverage page remains a searchable, filterable table with a single clear empty-state CTA, and run detail remains an enterprise-detail view surface.
+**Badges**: Coverage-state semantics must stay centralized through `BadgeDomain`, `BadgeCatalog`, and `BadgeRenderer`; no page-local badge mappings are allowed.
+
+**Organization**: Tasks are grouped by user story so each story can be implemented and validated as an independent increment once the shared tenant coverage contract is in place.
+
+## Phase 1: Setup (Shared Coverage Truth Scaffolding)
+
+**Purpose**: Create the narrow runtime and regression entry points required for tenant coverage truth.
+
+- [X] T001 [P] Create the derived tenant coverage truth scaffolding in `app/Support/Inventory/TenantCoverageTruth.php` and `app/Support/Inventory/TenantCoverageTruthResolver.php`
+- [X] T002 [P] Create the focused regression scaffolding in `tests/Unit/Support/Inventory/TenantCoverageTruthResolverTest.php`, `tests/Unit/Badges/InventoryCoverageStateBadgesTest.php`, and `tests/Feature/Filament/InventoryCoverageRunContinuityTest.php`
+
+---
+
+## Phase 2: Foundational (Blocking Coverage Contract)
+
+**Purpose**: Build the shared derived coverage contract, basis-run selection, and centralized badge semantics that all user stories depend on.
+
+**⚠️ CRITICAL**: No user story work should begin until this phase is complete.
+
+- [X] T003 [P] Extend basis-run and mixed-outcome payload coverage assertions in `tests/Unit/Support/Inventory/TenantCoverageTruthResolverTest.php` and `tests/Feature/Inventory/RunInventorySyncJobTest.php`
+- [X] T004 [P] Add centralized inventory coverage badge mapping assertions in `tests/Unit/Badges/BadgeCatalogTest.php` and `tests/Unit/Badges/InventoryCoverageStateBadgesTest.php`
+- [X] T005 [P] Implement the latest completed coverage-bearing inventory-sync selection helper in `app/Models/OperationRun.php`
+- [X] T006 [P] Implement the derived runtime fields and row contract in `app/Support/Inventory/TenantCoverageTruth.php`
+- [X] T007 Implement tenant coverage resolution, item-count joins, follow-up classification, and basis-run metadata in `app/Support/Inventory/TenantCoverageTruthResolver.php`
+- [X] T008 Implement the centralized inventory coverage state badge domain and mapper in `app/Support/Badges/BadgeDomain.php`, `app/Support/Badges/BadgeCatalog.php`, and `app/Support/Badges/Domains/InventoryCoverageStateBadge.php`
+
+**Checkpoint**: A single derived tenant coverage contract now exists for all supported types, with centralized badge semantics and deterministic basis-run selection.
+
+---
+
+## Phase 3: User Story 1 - Read Truthful Coverage At A Glance (Priority: P1) 🎯 MVP
+
+**Goal**: Make the inventory KPI header and coverage page answer the tenant coverage question directly instead of implying completeness from restorable-item share or support metadata.
+
+**Independent Test**: Seed a tenant with a coverage-bearing inventory-sync run that includes succeeded, failed, skipped, and omitted types plus current inventory items, then verify the inventory items list and coverage page show truthful counts, `Unknown` rows, and follow-up emphasis.
+
+### Tests for User Story 1
+
+- [X] T009 [P] [US1] Rewrite summary-surface expectations for truthful count-based coverage on the inventory items list in `tests/Feature/Filament/InventoryPagesTest.php` and `tests/Feature/Filament/InventoryItemResourceTest.php`
+- [X] T010 [P] [US1] Add coverage-table assertions for `Succeeded`, `Failed`, `Skipped`, `Unknown`, deterministic follow-up priority, no-basis-run messaging, and secondary support, restore, and compare metadata in `tests/Feature/Filament/InventoryCoverageTableTest.php` and `tests/Feature/Filament/InventoryCoverageAdminTenantParityTest.php`
+
+### Implementation for User Story 1
+
+- [X] T011 [P] [US1] Replace the misleading coverage percentage with count-based tenant coverage facts, explicit no-basis-run messaging, and coverage-only terminology in `app/Filament/Widgets/Inventory/InventoryKpiHeader.php`
+- [X] T012 [P] [US1] Rewrite KPI supporting badge copy around follow-up counts, top-priority follow-up types, and observed-item counts without implying restore or compare readiness in `app/Support/Inventory/InventoryKpiBadges.php`
+- [X] T013 [US1] Refactor tenant coverage row assembly, deterministic follow-up ranking, and default-visible columns while keeping support, restore, and compare metadata secondary in `app/Filament/Pages/InventoryCoverage.php`
+- [X] T014 [US1] Rewrite the coverage page intro and summary copy to tenant-coverage-first language with explicit no-sync fallback guidance in `resources/views/filament/pages/inventory-coverage.blade.php`
+- [X] T015 [US1] Run the focused truthful-at-a-glance pack in `tests/Feature/Filament/InventoryCoverageTableTest.php`, `tests/Feature/Filament/InventoryCoverageAdminTenantParityTest.php`, `tests/Feature/Filament/InventoryPagesTest.php`, and `tests/Feature/Filament/InventoryItemResourceTest.php`
+
+**Checkpoint**: The inventory items list and coverage page now show tenant coverage truth first, with capability metadata clearly secondary.
+
+---
+
+## Phase 4: User Story 2 - Move Cleanly From Coverage Truth To Run Truth (Priority: P1)
+
+**Goal**: Make coverage surfaces cite the exact basis run, provide safe drill-through when authorized, and degrade cleanly when the run cannot be opened.
+
+**Independent Test**: Seed a tenant with a coverage-bearing basis run and verify the inventory summary surfaces show the basis timestamp and run continuity, then verify a user without run access receives explanatory guidance instead of a dead-end link.
+
+### Tests for User Story 2
+
+- [X] T016 [P] [US2] Add basis-run continuity assertions for linked coverage summaries, explicit no-basis-run fallback, and tenant-scoped operations fallback in `tests/Feature/Filament/InventoryPagesTest.php` and `tests/Feature/Filament/InventoryCoverageRunContinuityTest.php`
+- [X] T017 [P] [US2] Add safe degradation assertions for viewers who can see inventory truth but cannot open the basis run in `tests/Feature/Rbac/InventoryItemResourceAuthorizationTest.php` and `tests/Feature/Filament/InventoryCoverageRunContinuityTest.php`
+
+### Implementation for User Story 2
+
+- [X] T018 [P] [US2] Surface basis-run summary, continuity actions, no-sync fallback, and provider or permission follow-up guidance on the coverage report in `app/Filament/Pages/InventoryCoverage.php` and `resources/views/filament/pages/inventory-coverage.blade.php`
+- [X] T019 [P] [US2] Surface basis-run continuity and safe link rendering in the inventory KPI summary using `app/Filament/Widgets/Inventory/InventoryKpiHeader.php` and `app/Support/Inventory/TenantCoverageTruthResolver.php`
+- [X] T020 [US2] Run the focused continuity pack in `tests/Feature/Filament/InventoryCoverageRunContinuityTest.php`, `tests/Feature/Filament/InventoryPagesTest.php`, and `tests/Feature/Rbac/InventoryItemResourceAuthorizationTest.php`
+
+**Checkpoint**: Coverage claims are now auditable through the basis run and remain safe when the current user cannot open the run detail.
+
+---
+
+## Phase 5: User Story 3 - Diagnose Per-Type Inventory Sync Results Without Raw JSON (Priority: P2)
+
+**Goal**: Make canonical inventory-sync run detail render human-readable per-type results and keep execution outcome separate from tenant coverage follow-up.
+
+**Independent Test**: Seed an inventory-sync run with mixed per-type outcomes and verify the canonical run viewer shows a readable coverage section without relying on raw JSON.
+
+### Tests for User Story 3
+
+- [X] T021 [P] [US3] Add human-readable inventory-sync section assertions, including provider or permission follow-up guidance, in `tests/Feature/Operations/TenantlessOperationRunViewerTest.php` and `tests/Feature/Filament/OperationRunEnterpriseDetailPageTest.php`
+- [X] T022 [P] [US3] Extend mixed-outcome payload expectations for per-type coverage rows in `tests/Feature/Inventory/InventorySyncServiceTest.php` and `tests/Feature/Inventory/RunInventorySyncJobTest.php`
+
+### Implementation for User Story 3
+
+- [X] T023 [US3] Add the inventory-sync per-type coverage enterprise-detail section with explicit next-step guidance in `app/Filament/Resources/OperationRunResource.php`
+- [X] T024 [P] [US3] Create the human-readable per-type run coverage view with provider or permission follow-up cues in `resources/views/filament/infolists/entries/inventory-coverage-truth.blade.php`
+- [X] T025 [US3] Run the focused inventory-sync run-detail pack in `tests/Feature/Operations/TenantlessOperationRunViewerTest.php`, `tests/Feature/Filament/OperationRunEnterpriseDetailPageTest.php`, `tests/Feature/Inventory/InventorySyncServiceTest.php`, and `tests/Feature/Inventory/RunInventorySyncJobTest.php`
+
+**Checkpoint**: Inventory-sync run detail now explains per-type outcomes directly and no longer forces operators into raw JSON for core coverage truth.
+
+---
+
+## Phase 6: Polish & Cross-Cutting Concerns
+
+**Purpose**: Align copy, run focused verification, and confirm the feature stayed within the intended no-new-persistence boundary.
+
+- [X] T026 [P] Align operator-facing coverage labels, restore or compare separation, and helper copy across `app/Filament/Widgets/Inventory/InventoryKpiHeader.php`, `app/Support/Inventory/InventoryKpiBadges.php`, `app/Filament/Pages/InventoryCoverage.php`, and `app/Filament/Resources/OperationRunResource.php`
+- [X] T027 Run `vendor/bin/sail bin pint --dirty --format agent` for touched files under `app/`, `resources/views/`, and `tests/`
+- [X] T028 Run the focused Sail verification pack from `specs/177-inventory-coverage-truth/quickstart.md` against `tests/Unit/Support/Inventory/TenantCoverageTruthResolverTest.php`, `tests/Unit/Badges/BadgeCatalogTest.php`, `tests/Unit/Badges/InventoryCoverageStateBadgesTest.php`, `tests/Feature/Filament/InventoryCoverageTableTest.php`, `tests/Feature/Filament/InventoryCoverageAdminTenantParityTest.php`, `tests/Feature/Filament/InventoryPagesTest.php`, `tests/Feature/Filament/InventoryItemResourceTest.php`, `tests/Feature/Filament/InventoryCoverageRunContinuityTest.php`, `tests/Feature/Filament/OperationRunEnterpriseDetailPageTest.php`, `tests/Feature/Inventory/InventorySyncServiceTest.php`, `tests/Feature/Inventory/InventorySyncStartSurfaceTest.php`, `tests/Feature/Inventory/RunInventorySyncJobTest.php`, `tests/Feature/Operations/TenantlessOperationRunViewerTest.php`, and `tests/Feature/Rbac/InventoryItemResourceAuthorizationTest.php`
+- [X] T029 Validate that the final implementation introduces no schema migration, no inventory-sync backend rewrite, and no new persisted truth by reviewing `database/migrations/`, `app/Services/Inventory/InventorySyncService.php`, `app/Jobs/RunInventorySyncJob.php`, and `specs/177-inventory-coverage-truth/plan.md` against the final diff
+- [X] T030 [P] Review `app/Filament/Resources/InventoryItemResource/Pages/ListInventoryItems.php` and `app/Filament/Pages/InventoryCoverage.php` against `docs/product/standards/list-surface-review-checklist.md` before final sign-off
+
+---
+
+## Dependencies & Execution Order
+
+### Phase Dependencies
+
+- **Setup (Phase 1)**: No dependencies; start immediately.
+- **Foundational (Phase 2)**: Depends on Setup completion and blocks all user story work.
+- **User Story 1 (Phase 3)**: Depends on Foundational completion and delivers the MVP truth-correction slice.
+- **User Story 2 (Phase 4)**: Depends on User Story 1 because it extends the same summary surfaces with basis-run continuity and safe drill-through.
+- **User Story 3 (Phase 5)**: Depends on Foundational completion and can proceed in parallel with User Story 2 if staffed, since it focuses on canonical run detail.
+- **Polish (Phase 6)**: Depends on all desired user stories being complete.
+
+### User Story Dependencies
+
+- **User Story 1 (P1)**: Depends only on the shared derived coverage contract from Phase 2 and is the recommended MVP.
+- **User Story 2 (P1)**: Depends on User Story 1 because the same inventory summary surfaces must first speak truthful coverage before adding run continuity.
+- **User Story 3 (P2)**: Depends only on the foundational contract and existing canonical run detail infrastructure; it can be delivered after User Story 1 or in parallel with User Story 2, but is lower priority.
+
+### Within Each User Story
+
+- Story tests should be written before or alongside implementation and should fail for the intended reason before the story is considered complete.
+- Shared resolver or badge changes should land before surface refactors that consume them.
+- Surface refactors should land before the focused story-level verification run.
+
+### Parallel Opportunities
+
+- `T001` and `T002` can run in parallel during Setup.
+- `T003`, `T004`, `T005`, and `T006` can run in parallel during Foundational work.
+- `T009` and `T010` can run in parallel for User Story 1.
+- `T011` and `T012` can run in parallel for User Story 1 after the foundational resolver is ready.
+- `T016` and `T017` can run in parallel for User Story 2.
+- `T018` and `T019` can run in parallel for User Story 2 after basis-run continuity metadata is available.
+- `T021` and `T022` can run in parallel for User Story 3.
+- `T023` and `T024` can run in parallel for User Story 3.
+- `T026` and `T030` can run in parallel during Polish.
+
+---
+
+## Parallel Example: User Story 1
+
+```bash
+# Launch the inventory truth regressions together before changing summary surfaces:
+Task: T009 tests/Feature/Filament/InventoryPagesTest.php and tests/Feature/Filament/InventoryItemResourceTest.php
+Task: T010 tests/Feature/Filament/InventoryCoverageTableTest.php and tests/Feature/Filament/InventoryCoverageAdminTenantParityTest.php
+
+# Split KPI and helper refactors once the shared resolver is ready:
+Task: T011 app/Filament/Widgets/Inventory/InventoryKpiHeader.php
+Task: T012 app/Support/Inventory/InventoryKpiBadges.php
+```
+
+## Parallel Example: User Story 2
+
+```bash
+# Write the continuity and degradation assertions together before adding links:
+Task: T016 tests/Feature/Filament/InventoryCoverageRunContinuityTest.php and tests/Feature/Filament/InventoryPagesTest.php
+Task: T017 tests/Feature/Rbac/InventoryItemResourceAuthorizationTest.php and tests/Feature/Filament/InventoryCoverageRunContinuityTest.php
+
+# Split page and widget continuity work after the tests exist:
+Task: T018 app/Filament/Pages/InventoryCoverage.php and resources/views/filament/pages/inventory-coverage.blade.php
+Task: T019 app/Filament/Widgets/Inventory/InventoryKpiHeader.php and app/Support/Inventory/TenantCoverageTruthResolver.php
+```
+
+## Parallel Example: User Story 3
+
+```bash
+# Lock the run-detail expectations and payload assertions together:
+Task: T021 tests/Feature/Operations/TenantlessOperationRunViewerTest.php and tests/Feature/Filament/OperationRunEnterpriseDetailPageTest.php
+Task: T022 tests/Feature/Inventory/InventorySyncServiceTest.php and tests/Feature/Inventory/RunInventorySyncJobTest.php
+
+# Build the section view and enterprise-detail wiring in parallel:
+Task: T023 app/Filament/Resources/OperationRunResource.php
+Task: T024 resources/views/filament/infolists/entries/inventory-coverage-truth.blade.php
+```
+
+---
+
+## Implementation Strategy
+
+### MVP First (User Story 1 Only)
+
+1. Complete Phase 1: Setup.
+2. Complete Phase 2: Foundational.
+3. Complete Phase 3: User Story 1.
+4. Validate the inventory items list and coverage page with the User Story 1-focused subset of `specs/177-inventory-coverage-truth/quickstart.md`.
+
+### Incremental Delivery
+
+1. Finish Setup and Foundational work.
+2. Deliver User Story 1 and validate truthful tenant coverage at a glance.
+3. Deliver User Story 2 and validate run continuity plus safe degradation.
+4. Deliver User Story 3 and validate human-readable inventory-sync run detail.
+5. Finish with formatting, the focused Sail pack, and the no-new-persistence review.
+
+### Parallel Team Strategy
+
+1. One developer can complete Phase 1 and the model or resolver side of Phase 2 while another prepares the badge and feature regressions.
+2. After Phase 2, one developer can take User Story 1 while another prepares User Story 3 run-detail tests.
+3. After User Story 1 stabilizes, one developer can handle User Story 2 continuity while another completes User Story 3 UI wiring.
+4. Rejoin for Phase 6 formatting and verification.
+
+---
+
+## Notes
+
+- Every task follows the required checklist format: checkbox, task ID, optional parallel marker, required story label for story phases, and exact file paths.
+- The suggested MVP scope is Phase 1 through Phase 3 only.
+- No task in this plan introduces new persistence, a new Graph contract, a new Filament panel or provider registration change, or a new destructive action.

specs/178-ops-truth-alignment/checklists/requirements.md

@@ -0,0 +1,36 @@
+# Specification Quality Checklist: Operations Lifecycle Alignment & Cross-Surface Truth Consistency
+
+**Purpose**: Validate specification completeness and quality before proceeding to planning  
+**Created**: 2026-04-05  
+**Feature**: [spec.md](../spec.md)
+
+## Content Quality
+
+- [x] No implementation details (languages, frameworks, APIs)
+- [x] Focused on user value and business needs
+- [x] Written for non-technical stakeholders
+- [x] All mandatory sections completed
+
+## Requirement Completeness
+
+- [x] No [NEEDS CLARIFICATION] markers remain
+- [x] Requirements are testable and unambiguous
+- [x] Success criteria are measurable
+- [x] Success criteria are technology-agnostic (no implementation details)
+- [x] All acceptance scenarios are defined
+- [x] Edge cases are identified
+- [x] Scope is clearly bounded
+- [x] Dependencies and assumptions identified
+
+## Feature Readiness
+
+- [x] All functional requirements have clear acceptance criteria
+- [x] User scenarios cover primary flows
+- [x] Feature meets measurable outcomes defined in Success Criteria
+- [x] No implementation details leak into specification
+
+## Notes
+
+- Validated after the initial draft. The spec stays focused on operator trust, cross-surface truth alignment, and drill-through continuity while explicitly avoiding new persistence or a lifecycle-model rewrite.
+- The only new semantic split is a derived operator-facing distinction between terminal follow-up and active stale or stuck attention, built from existing lifecycle truth rather than new stored state.
+- No clarification markers remain. Scope, non-goals, dependencies, and measurable outcomes are explicit enough to proceed to planning.

specs/178-ops-truth-alignment/contracts/operations-truth-alignment.openapi.yaml

@@ -0,0 +1,279 @@
+openapi: 3.1.0
+info:
+  title: Operations Truth Alignment Contract
+  version: 1.0.0
+  summary: Route and UI truth contract for Spec 178.
+components:
+  schemas:
+    FreshnessState:
+      type: string
+      enum:
+        - fresh_active
+        - likely_stale
+        - reconciled_failed
+        - terminal_normal
+        - unknown
+    ProblemClass:
+      type: string
+      enum:
+        - none
+        - active_stale_attention
+        - terminal_follow_up
+    OperationsDrillthroughState:
+      type: object
+      required:
+        - workspace_id
+        - problemClass
+      properties:
+        workspace_id:
+          type: integer
+        tenant_id:
+          type:
+            - integer
+            - 'null'
+        problemClass:
+          $ref: '#/components/schemas/ProblemClass'
+        activeTab:
+          type:
+            - string
+            - 'null'
+        navigationContext:
+          type:
+            - string
+            - 'null'
+    RunDecisionZoneTruth:
+      type: object
+      required:
+        - freshnessState
+        - problemClass
+        - isCurrentlyActive
+        - isReconciled
+        - primaryNextAction
+      properties:
+        freshnessState:
+          $ref: '#/components/schemas/FreshnessState'
+        problemClass:
+          $ref: '#/components/schemas/ProblemClass'
+        isCurrentlyActive:
+          type: boolean
+        isReconciled:
+          type: boolean
+        staleLineageNote:
+          type:
+            - string
+            - 'null'
+        primaryNextAction:
+          type: string
+paths:
+  /admin:
+    get:
+      operationId: viewWorkspaceOverview
+      summary: Display the workspace overview with aligned operations attention and recency truth.
+      responses:
+        '200':
+          description: Workspace overview rendered successfully.
+        '404':
+          description: User is not entitled to the current workspace scope.
+      x-embedded-surfaces:
+        workspaceOperationsAttention:
+          surfaceType: embedded_attention_summary
+          problemBuckets:
+            - active_stale_attention
+            - terminal_follow_up
+          canonicalCollectionRoute: /admin/operations
+          destinationContract:
+            $ref: '#/components/schemas/OperationsDrillthroughState'
+        workspaceRecentOperations:
+          surfaceType: diagnostic_recency_table
+          canonicalCollectionRoute: /admin/operations
+          canonicalDetailRoute: /admin/operations/{run}
+          rowTruth:
+            freshnessState:
+              $ref: '#/components/schemas/FreshnessState'
+            problemClass:
+              $ref: '#/components/schemas/ProblemClass'
+  /admin/t/{tenant}:
+    get:
+      operationId: viewTenantDashboard
+      summary: Display the tenant dashboard with aligned operations attention, recent activity, and local progress truth.
+      parameters:
+        - name: tenant
+          in: path
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Tenant dashboard rendered successfully.
+        '404':
+          description: User is not entitled to the tenant scope.
+      x-embedded-surfaces:
+        tenantOperationsAttention:
+          surfaceType: embedded_attention_summary
+          problemBuckets:
+            - active_stale_attention
+            - terminal_follow_up
+          canonicalCollectionRoute: /admin/operations
+          destinationContract:
+            $ref: '#/components/schemas/OperationsDrillthroughState'
+        tenantRecentOperations:
+          surfaceType: diagnostic_recency_table
+          canonicalCollectionRoute: /admin/operations
+          canonicalDetailRoute: /admin/operations/{run}
+          rowTruth:
+            freshnessState:
+              $ref: '#/components/schemas/FreshnessState'
+            problemClass:
+              $ref: '#/components/schemas/ProblemClass'
+        bulkOperationProgress:
+          surfaceType: live_progress_indicator
+          activeOnly: true
+          polling:
+            interval: 10s
+            activeWhen: active runs exist for the current tenant
+            inactiveWhen: no relevant active runs remain
+  /admin/operations:
+    get:
+      operationId: listAdminOperations
+      summary: Display the canonical admin operations hub with problem-class-aware filtering.
+      parameters:
+        - name: tenant_id
+          in: query
+          required: false
+          schema:
+            type: integer
+        - name: problemClass
+          in: query
+          required: false
+          schema:
+            $ref: '#/components/schemas/ProblemClass'
+        - name: activeTab
+          in: query
+          required: false
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Operations hub rendered successfully.
+        '404':
+          description: User is not entitled to the workspace or referenced tenant scope.
+      x-ui-surface:
+        surfaceType: read_only_registry_report
+        displayLabel: Operations
+        canonicalDetailRoute: /admin/operations/{run}
+        filters:
+          active_stale_attention:
+            definition: queued or running runs whose freshness state is likely_stale
+          terminal_follow_up:
+            definition: completed runs whose outcome is blocked, partially_succeeded, or failed; reconciled stale lineage remains visible
+        rowTruth:
+          freshnessState:
+            $ref: '#/components/schemas/FreshnessState'
+          problemClass:
+            $ref: '#/components/schemas/ProblemClass'
+  /admin/operations/{run}:
+    get:
+      operationId: viewAdminOperation
+      summary: Display the canonical admin run detail with decision-zone lifecycle truth.
+      parameters:
+        - name: run
+          in: path
+          required: true
+          schema:
+            type: integer
+      responses:
+        '200':
+          description: Canonical admin run detail rendered successfully.
+        '404':
+          description: User is not entitled to the workspace or referenced tenant scope.
+      x-ui-surface:
+        surfaceType: detail_first_operational
+        displayLabel: Operation
+        decisionZoneTruth:
+          $ref: '#/components/schemas/RunDecisionZoneTruth'
+        invariant:
+          - stale and reconciled lifecycle truth must be visible in the primary decision hierarchy
+          - problem class on the destination must confirm the problem class of the origin link
+  /system/ops/runs:
+    get:
+      operationId: listSystemOperations
+      summary: Display the platform-wide operations registry with stale/reconciled lineage visible.
+      responses:
+        '200':
+          description: System operations registry rendered successfully.
+        '403':
+          description: Authenticated platform user lacks operations view capability.
+        '404':
+          description: Wrong plane or inaccessible system surface.
+      x-ui-surface:
+        surfaceType: read_only_registry_report
+        displayLabel: Operations
+        canonicalDetailRoute: /system/ops/runs/{run}
+        rowTruth:
+          freshnessState:
+            $ref: '#/components/schemas/FreshnessState'
+          problemClass:
+            $ref: '#/components/schemas/ProblemClass'
+          staleLineageVisible: true
+  /system/ops/failures:
+    get:
+      operationId: listSystemFailures
+      summary: Display the platform failure registry with reconciled stale lineage visible on failed terminal runs.
+      responses:
+        '200':
+          description: System failures registry rendered successfully.
+        '403':
+          description: Authenticated platform user lacks operations view capability.
+        '404':
+          description: Wrong plane or inaccessible system surface.
+      x-ui-surface:
+        surfaceType: read_only_registry_report
+        displayLabel: Failed operations
+        canonicalDetailRoute: /system/ops/runs/{run}
+        filter:
+          baseOutcome: failed
+        invariant:
+          - failed runs that were auto-reconciled from stale state must visibly preserve that lineage
+  /system/ops/stuck:
+    get:
+      operationId: listSystemStuckOperations
+      summary: Display active queued/running operations that crossed the lifecycle stuck threshold.
+      responses:
+        '200':
+          description: System stuck registry rendered successfully.
+        '403':
+          description: Authenticated platform user lacks operations view capability.
+        '404':
+          description: Wrong plane or inaccessible system surface.
+      x-ui-surface:
+        surfaceType: read_only_registry_report
+        displayLabel: Stuck operations
+        canonicalDetailRoute: /system/ops/runs/{run}
+        filter:
+          problemClass: active_stale_attention
+        invariant:
+          - the page remains active-only and uses the same lifecycle-policy thresholds as admin stale detection
+  /system/ops/runs/{run}:
+    get:
+      operationId: viewSystemOperation
+      summary: Display the platform run detail confirming stale/reconciled lineage and next action.
+      parameters:
+        - name: run
+          in: path
+          required: true
+          schema:
+            type: integer
+      responses:
+        '200':
+          description: System run detail rendered successfully.
+        '403':
+          description: Authenticated platform user lacks operations view capability.
+        '404':
+          description: Wrong plane or inaccessible system surface.
+      x-ui-surface:
+        surfaceType: detail_first_operational
+        displayLabel: Operation
+        decisionZoneTruth:
+          $ref: '#/components/schemas/RunDecisionZoneTruth'
+        invariant:
+          - stale/reconciled lineage remains visible even when the run is already terminal

specs/178-ops-truth-alignment/data-model.md

@@ -0,0 +1,230 @@
+# Phase 1 Data Model: Operations Lifecycle Alignment & Cross-Surface Truth Consistency
+
+## Overview
+
+This feature does not add a table, persisted summary entity, or new lifecycle state machine. It aligns existing `OperationRun` truth and existing freshness/reconciliation semantics across multiple operator surfaces by introducing a small set of derived cross-surface contracts.
+
+The central rule is unchanged: `OperationRun` is the only canonical lifecycle source of truth. Everything else in this slice is derived from status, outcome, freshness, and reconciliation metadata already present in the repo.
+
+## Persistent Source Truths
+
+### OperationRun
+
+**Purpose**: Canonical operational record for queued, running, completed, stale, and automatically reconciled work shown across tenant, workspace, canonical admin, and system monitoring surfaces.
+
+**Key fields**:
+- `id`
+- `workspace_id`
+- `tenant_id`
+- `type`
+- `status`
+- `outcome`
+- `initiator_name`
+- `summary_counts`
+- `failure_summary`
+- `context`
+- `created_at`
+- `started_at`
+- `completed_at`
+
+**Validation rules**:
+- `status` and `outcome` remain service-owned; this feature must not introduce page-local lifecycle mutation.
+- Every covered summary, list, detail, and notification surface must derive from the same run record and the same underlying lifecycle fields.
+- The feature must not add a second persisted problem-state field or a new lifecycle table.
+
+### Reconciliation Context (within `OperationRun.context`)
+
+**Purpose**: Existing stored lineage that indicates a run was automatically reconciled after lifecycle drift.
+
+**Expected fields**:
+- `reconciled_at`
+- `reason`
+- `reason_code`
+- `source`
+
+**Validation rules**:
+- Reconciliation context remains nested under `context.reconciliation`; this feature does not move it or normalize it into a new table.
+- If reconciliation context exists, surfaces must preserve that stale/reconciled lineage within one navigation step of the canonical run truth.
+
+## Existing Runtime Source Objects
+
+### OperationRunFreshnessState
+
+**Purpose**: Existing derived lifecycle interpretation for one run.
+
+**Cases**:
+- `fresh_active`
+- `likely_stale`
+- `reconciled_failed`
+- `terminal_normal`
+- `unknown`
+
+**Validation rules**:
+- This remains the canonical freshness interpretation for the slice.
+- Spec 178 must not introduce a parallel freshness-state family.
+
+### OperationLifecyclePolicy
+
+**Purpose**: Existing threshold policy for deciding when queued/running work becomes stale.
+
+**Consumed fields**:
+- covered operation types
+- queued stale threshold
+- running stale threshold
+
+**Validation rules**:
+- Tenant, workspace, admin, and system stale or stuck semantics must all derive from the same underlying lifecycle-policy thresholds.
+
+### StuckRunClassifier
+
+**Purpose**: Existing system-panel classifier for active queued/running runs that crossed the stuck threshold.
+
+**Validation rules**:
+- `Stuck` remains an active-stale registry surface.
+- System visibility for reconciled stale runs must be preserved through adjacent system surfaces rather than a new classifier or new stored state.
+
+### OperationUxPresenter
+
+**Purpose**: Existing operator-facing seam for guidance, notification wording, and run presentation.
+
+**Validation rules**:
+- New stale/reconciled wording should flow through this seam or a compatible existing presentation seam rather than widget-local strings.
+
+## Derived Cross-Surface Contracts
+
+### ProblemClassContract
+
+**Purpose**: The thin operator-facing split used to align summary buckets, monitoring filters, local progress removal rules, and entry-point wording.
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `freshnessState` | enum | yes | Existing `OperationRunFreshnessState` value |
+| `problemClass` | enum | yes | `none`, `active_stale_attention`, or `terminal_follow_up` |
+| `staleLineage` | boolean | yes | Whether the run is terminal but carries stale/reconciled history |
+| `isCurrentlyActive` | boolean | yes | Whether the run should still be treated as actively executing |
+| `requiresOperatorReview` | boolean | yes | Whether the surface should escalate the run into an attention/follow-up bucket |
+
+**Validation rules**:
+- `freshnessState = fresh_active` ⇒ `problemClass = none`, `isCurrentlyActive = true`
+- `freshnessState = likely_stale` ⇒ `problemClass = active_stale_attention`, `isCurrentlyActive = true`, `requiresOperatorReview = true`
+- `freshnessState = reconciled_failed` ⇒ `problemClass = terminal_follow_up`, `staleLineage = true`, `isCurrentlyActive = false`, `requiresOperatorReview = true`
+- `freshnessState = terminal_normal` and `outcome in {blocked, partially_succeeded, failed}` ⇒ `problemClass = terminal_follow_up`, `staleLineage = false`
+- `freshnessState = terminal_normal` and healthy terminal outcome ⇒ `problemClass = none`
+
+### OperationsAttentionBucket
+
+**Purpose**: Shared contract for tenant/workspace operations attention summaries.
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `problemClass` | enum | yes | `terminal_follow_up` or `active_stale_attention` |
+| `count` | integer | yes | Bucket size |
+| `label` | string | yes | Operator-facing bucket label |
+| `destination` | object | yes | Canonical operations route plus tenant/workspace-safe filter state |
+| `emptyAllowed` | boolean | yes | Whether the bucket may be hidden when count is zero |
+
+**Validation rules**:
+- Attention surfaces must not mix both problem classes into one undifferentiated bucket.
+- Each bucket exposes one destination only.
+
+### OperationsHubFilterState
+
+**Purpose**: Structured state needed to keep `/admin/operations` semantically continuous when opened from a summary or notification.
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `workspace_id` | integer | yes | Existing workspace scope |
+| `tenant_id` | integer nullable | no | Active tenant filter when applicable |
+| `problemClass` | enum | yes | `terminal_follow_up`, `active_stale_attention`, or `all` |
+| `activeTab` | string nullable | no | Existing or extended visible tab/filter state |
+| `navigationContext` | string nullable | no | Existing canonical back-link or page-context state |
+
+**Validation rules**:
+- Links opened because of stale active attention must land in a visibly stale-active view, not a mixed generic bucket.
+- Links opened because of terminal follow-up must land in a visibly terminal-problem view.
+
+### RecentOperationRowTruth
+
+**Purpose**: Shared row-level contract for tenant/workspace recent-operation tables and admin/system list rendering.
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `runId` | integer | yes | Canonical run identifier |
+| `status` | string | yes | Existing lifecycle status |
+| `outcome` | string | yes | Existing execution outcome |
+| `freshnessState` | enum | yes | Existing freshness interpretation |
+| `problemClass` | enum | yes | Derived attention class |
+| `staleLineage` | boolean | yes | Whether the row should visibly indicate reconciled stale history |
+| `guidance` | string nullable | no | Short operator-facing row hint |
+| `destination` | object | yes | Canonical detail URL plus optional collection URL |
+
+**Validation rules**:
+- A recent-operations row must not visually imply healthy active progress when `problemClass = active_stale_attention` or `staleLineage = true`.
+- Terminal/reconciled rows must remain distinguishable from healthy completed rows.
+
+### BulkOperationProgressSnapshot
+
+**Purpose**: Active-only overlay contract for local progress rendering.
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `runId` | integer | yes | Run being shown |
+| `tenantId` | integer | yes | Tenant scope for the overlay |
+| `freshnessState` | enum | yes | Existing freshness interpretation |
+| `displayAsActive` | boolean | yes | Whether the run should remain visible in the overlay |
+| `shouldPoll` | boolean | yes | Whether the component should continue polling |
+| `overflowCount` | integer | yes | Existing overflow behavior |
+
+**Validation rules**:
+- Only currently active runs may remain in the overlay.
+- If a run becomes terminal or reconciled, `displayAsActive` must become `false` within one refresh cycle.
+- `shouldPoll` must become `false` when no relevant active runs remain.
+
+### RunDecisionZoneTruth
+
+**Purpose**: Canonical detail contract for what the operator should learn first.
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `freshnessState` | enum | yes | Existing freshness interpretation |
+| `problemClass` | enum | yes | Derived attention class |
+| `isCurrentlyActive` | boolean | yes | Plain answer to “is the run still active?” |
+| `isReconciled` | boolean | yes | Whether automatic reconciliation already happened |
+| `staleLineageNote` | string nullable | no | Visible explanation when terminal truth came from stale reconciliation |
+| `primaryNextAction` | string | yes | First follow-up step the operator should take |
+
+**Validation rules**:
+- For `likely_stale` and `reconciled_failed`, this contract must be visible in the primary decision hierarchy rather than only in diagnostics.
+- `primaryNextAction` must differ by problem class: infrastructure investigation for stale-active, follow-up/retry/artifact review for terminal problems.
+
+### NotificationTruthPayload
+
+**Purpose**: Minimal contract for completed notification wording and link continuity.
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `title` | string | yes | Operator-facing summary title |
+| `problemClass` | enum | yes | Derived attention class |
+| `staleLineage` | boolean | yes | Whether stale/reconciled history must be visible in wording |
+| `runUrl` | string | yes | Canonical run destination |
+
+**Validation rules**:
+- Notification wording must not be calmer than the current run truth.
+- If `staleLineage = true`, the notification must preserve that lineage in title or body without requiring the operator to infer it later.
+
+## Relationships
+
+- One `OperationRun` yields one `OperationRunFreshnessState` and one derived `ProblemClassContract`.
+- Tenant/workspace attention buckets, recent-operation rows, admin monitoring filters, system monitoring lists, canonical detail, and completed notifications all consume the same derived problem-class contract.
+- `BulkOperationProgressSnapshot` is a specialized active-only view over the same run truth.
+- `RunDecisionZoneTruth` is the highest-trust detailed interpretation of the same run truth and should confirm the same problem class visible on summary surfaces.
+
+## Lifecycle Notes
+
+1. `OperationRun` remains the single persisted source of lifecycle truth.
+2. Freshness is derived by the existing lifecycle policy and freshness-state enum.
+3. Problem class is derived from freshness plus terminal outcome; it is not stored.
+4. Summary surfaces consume the derived problem class in separate buckets.
+5. The canonical operations hub consumes the derived problem class as visible filter state.
+6. Local progress consumes the same truth but removes terminal/reconciled runs because it is active-only.
+7. Canonical detail and notifications confirm the same truth with stronger operator guidance.

specs/178-ops-truth-alignment/plan.md

@@ -0,0 +1,312 @@
+# Implementation Plan: Operations Lifecycle Alignment & Cross-Surface Truth Consistency
+
+**Branch**: `178-ops-truth-alignment` | **Date**: 2026-04-05 | **Spec**: `/Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/178-ops-truth-alignment/spec.md`
+**Input**: Feature specification from `/Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/178-ops-truth-alignment/spec.md`
+
+## Summary
+
+Align operations truth across tenant dashboard summaries, workspace overview summaries, BulkOperationProgress, recent-operations widgets, the canonical admin monitoring hub, the canonical run-detail page, and the system-panel stuck or failure surfaces without changing the `OperationRun` schema, inventing a second lifecycle model, or widening authorization scope. The implementation stays narrow by reusing existing `OperationRun` status, outcome, freshness, reconciliation metadata, and route structure, then hardening four seams that already exist but drift independently today: summary bucketing, local progress freshness, canonical drill-through continuity, and decision-zone emphasis.
+
+The first slice adds one shared derived problem-class contract on top of the existing lifecycle truth so all covered surfaces can separate `terminal follow-up` from `active stale/stuck attention` without creating new persistence. The second slice applies that contract to local progress and summary surfaces, aligns the admin and system monitoring surfaces around the same stale or reconciled story, and preserves that story through notifications and drill-throughs. Focused Pest coverage then locks in cross-surface truth, polling freshness, system visibility of reconciled stale lineage, and decision-zone emphasis.
+
+## Technical Context
+
+**Language/Version**: PHP 8.4.15  
+**Primary Dependencies**: Laravel 12, Filament v5, Livewire v4, Pest v4, existing `OperationRun`, `OperationLifecyclePolicy`, `OperationRunFreshnessState`, `OperationUxPresenter`, `OperationRunLinks`, `ActiveRuns`, `StuckRunClassifier`, `WorkspaceOverviewBuilder`, dashboard widgets, workspace widgets, and system ops pages  
+**Storage**: PostgreSQL unchanged; existing `operation_runs` JSONB-backed `context`, `summary_counts`, and `failure_summary`; no schema change  
+**Testing**: Pest 4 feature and Livewire or Filament component tests through Laravel Sail, plus existing system-panel and monitoring guard coverage  
+**Target Platform**: Laravel monolith web application in Sail locally and containerized Linux deployment in staging/production  
+**Project Type**: web application  
+**Performance Goals**: keep tenant, workspace, admin, and system monitoring surfaces DB-only at render; converge local progress truth within one polling cycle after canonical state changes; poll only while relevant active runs exist; preserve existing 10-second active-surface polling cadence where polling is used  
+**Constraints**: no schema migration; no new persisted lifecycle truth; no enum rewrite; no new route family; no cross-plane leakage; no ad-hoc status or badge mappings; lifecycle transitions remain service-owned; system stuck truth must remain discoverable after reconciliation; no new panel assets or provider-registration changes  
+**Scale/Scope**: 8 operator-facing surfaces across tenant, workspace, canonical admin, and system panels plus existing operation notifications and shared presenter or query seams; one canonical lifecycle model reused across existing operation types
+
+## Constitution Check
+
+*GATE: Passed before Phase 0 research. Re-checked after Phase 1 design and still passing.*
+
+| Principle | Pre-Research | Post-Design | Notes |
+|-----------|--------------|-------------|-------|
+| Inventory-first / snapshots-second | PASS | PASS | No inventory, backup, or snapshot ownership semantics change. |
+| Read/write separation | PASS | PASS | The slice is read-time truth alignment only; no new mutation path or action surface is introduced. |
+| Graph contract path | N/A | N/A | No Microsoft Graph call path is touched. |
+| Deterministic capabilities | PASS | PASS | Existing admin-plane and system-plane authorization remains authoritative. |
+| RBAC-UX plane separation | PASS | PASS | `/admin` and `/system` remain separate; no cross-plane bypass is introduced. |
+| Workspace + tenant isolation | PASS | PASS | Canonical admin routes remain workspace- and tenant-safe; system routes remain platform-scoped only. |
+| Destructive confirmation standard | PASS | PASS | No new destructive action is introduced. Existing destructive flows remain governed by their originating features. |
+| Global search safety | PASS | PASS | No global-search behavior changes are part of this slice. |
+| Run observability / Ops-UX 3-surface contract | PASS | PASS | Existing `OperationRun` truth remains canonical; the feature changes presentation and polling seams only. |
+| Ops lifecycle ownership | PASS | PASS | `OperationRun.status` and `OperationRun.outcome` remain service-owned; summary surfaces stay read-only. |
+| Ops summary counts | PASS | PASS | No new `summary_counts` shape or key family is introduced. |
+| Data minimization / DB-only render | PASS | PASS | Monitoring and dashboard surfaces remain DB-only and do not add render-time external calls. |
+| Proportionality / no premature abstraction | PASS | PASS | The design reuses model scopes, presenter seams, and existing route helpers instead of adding a new lifecycle framework. |
+| Persisted truth / behavioral state | PASS | PASS | No new table, persisted artifact, or top-level state family is added. |
+| UI semantics / few layers | PASS | PASS | Only a thin derived problem-class split is introduced; it remains derived from existing lifecycle truth. |
+| Badge semantics (BADGE-001) | PASS | PASS | Existing badge and presenter seams remain authoritative for status, outcome, and freshness meaning. |
+| Filament-native UI / Action Surface Contract | PASS | PASS | Existing widgets, tables, pages, and detail surfaces remain in place; no redundant inspect model is introduced. |
+| Filament UX-001 | PASS | PASS | Existing detail and list hierarchies remain intact; stale or reconciled truth is elevated inside existing summary structures. |
+| Filament v5 / Livewire v4 compliance | PASS | PASS | The feature stays inside the current Filament v5 + Livewire v4 stack. |
+| Provider registration location | PASS | PASS | No panel or provider change is required; Laravel 11+ registration remains in `bootstrap/providers.php`. |
+| Global-search hard rule | PASS | PASS | No globally searchable resource is added or altered. |
+| Asset strategy | PASS | PASS | No new assets or `filament:assets` deployment changes are needed. |
+| Testing truth (TEST-TRUTH-001) | PASS | PASS | The plan adds business-truth regression coverage for alignment, visibility, and drill-through continuity rather than thin view-only tests. |
+
+## Phase 0 Research
+
+Research outcomes are captured in `/Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/178-ops-truth-alignment/research.md`.
+
+Key decisions:
+
+- Reuse the existing `OperationRunFreshnessState`, lifecycle policy, reconciliation metadata, and `OperationRun` query scopes as the canonical lifecycle base instead of introducing a second lifecycle or problem-state model.
+- Introduce a thin derived split between `terminal follow-up` and `active stale/stuck attention` through existing model or presenter seams rather than a new taxonomy framework.
+- Extend the repo's current conditional polling pattern to `BulkOperationProgress` instead of introducing a new live-refresh mechanism.
+- Keep `BulkOperationProgress` as an active-only surface: terminal or reconciled runs should disappear from the overlay within one refresh cycle, while recent and attention surfaces carry their follow-up semantics.
+- Use `/admin/operations` as the sole canonical collection route and preserve problem-class continuity through filter or tab state rather than new routes.
+- Keep `/system/ops/stuck` focused on active stale candidates, but make reconciled stale lineage explicitly discoverable on system runs, failures, and detail surfaces so the stale truth chain does not disappear after reconciliation.
+- Elevate stale and reconciled lifecycle truth through the existing canonical decision-zone and guidance seams instead of a new detail surface or banner framework.
+- Keep notification and entry-point changes narrow by extending the existing `OperationRunCompleted` / `OperationUxPresenter` path instead of redesigning the notification subsystem.
+
+## Phase 1 Design
+
+Design artifacts are created under `/Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/178-ops-truth-alignment/`:
+
+- `data-model.md`: existing persistent source truth plus the derived cross-surface truth contracts for this slice
+- `contracts/operations-truth-alignment.openapi.yaml`: internal route and UI contract for summary buckets, canonical drill-through state, and system/admin monitoring continuity
+- `quickstart.md`: focused implementation and verification workflow for admin-plane, system-plane, and local-progress truth alignment
+
+Design decisions:
+
+- `OperationRun` remains the only persistent lifecycle source of truth; the design uses existing freshness and reconciliation semantics rather than adding a new table or state family.
+- The narrowest shared seam is an extension of existing `OperationRun` query scopes and `OperationUxPresenter`-style rendering helpers so dashboard, workspace, monitoring, detail, and notification surfaces can agree on one derived problem-class split.
+- `BulkOperationProgress` gains the same conditional polling discipline already used elsewhere and remains an active-only affordance rather than becoming a second summary surface.
+- Dashboard, workspace, and recent-operation surfaces carry problem-class-specific drill-through metadata into `/admin/operations`, where the admin monitoring hub becomes the single canonical collection route for both `terminal follow-up` and `active stale/stuck attention`.
+- System monitoring stays within the current page family. `Stuck` remains active-stale focused, while `Runs`, `Failures`, and detail surfaces make reconciled stale lineage visible so operators can still recover the stale story after reconciliation.
+- Canonical run detail hardening happens inside existing summary and decision-zone seams so stale/reconciled attention is promoted without changing routing or page ownership.
+
+## Project Structure
+
+### Documentation (this feature)
+
+```text
+specs/178-ops-truth-alignment/
+├── spec.md
+├── plan.md
+├── research.md
+├── data-model.md
+├── quickstart.md
+├── contracts/
+│   └── operations-truth-alignment.openapi.yaml
+├── checklists/
+│   └── requirements.md
+└── tasks.md
+```
+
+### Source Code (repository root)
+
+```text
+app/
+├── Filament/
+│   ├── Pages/
+│   │   ├── Monitoring/
+│   │   │   └── Operations.php
+│   │   └── Operations/
+│   │       └── TenantlessOperationRunViewer.php
+│   ├── System/
+│   │   └── Pages/
+│   │       └── Ops/
+│   │           ├── Runs.php
+│   │           ├── Failures.php
+│   │           ├── Stuck.php
+│   │           └── ViewRun.php
+│   └── Widgets/
+│       ├── Dashboard/
+│       │   ├── DashboardKpis.php
+│       │   ├── NeedsAttention.php
+│       │   └── RecentOperations.php
+│       └── Workspace/
+│           ├── WorkspaceNeedsAttention.php
+│           └── WorkspaceRecentOperations.php
+├── Livewire/
+│   └── BulkOperationProgress.php
+├── Models/
+│   └── OperationRun.php
+├── Notifications/
+│   └── OperationRunCompleted.php
+└── Support/
+    ├── Operations/
+    │   ├── OperationLifecyclePolicy.php
+    │   └── OperationRunFreshnessState.php
+    ├── OpsUx/
+    │   ├── ActiveRuns.php
+    │   └── OperationUxPresenter.php
+    ├── SystemConsole/
+    │   └── StuckRunClassifier.php
+    ├── Workspaces/
+    │   └── WorkspaceOverviewBuilder.php
+    └── OperationRunLinks.php
+
+resources/
+├── views/
+│   ├── filament/
+│   │   └── system/
+│   │       └── pages/
+│   │           └── ops/
+│   │               └── view-run.blade.php
+│   └── livewire/
+│       └── bulk-operation-progress.blade.php
+
+tests/
+├── Feature/
+│   ├── Filament/
+│   │   ├── DashboardKpisWidgetTest.php
+│   │   ├── NeedsAttentionWidgetTest.php
+│   │   ├── RecentOperationsSummaryWidgetTest.php
+│   │   └── WorkspaceOverviewOperationsTest.php
+│   ├── Monitoring/
+│   │   ├── MonitoringOperationsTest.php
+│   │   ├── OperationsDashboardDrillthroughTest.php
+│   │   ├── OperationsDbOnlyRenderTest.php
+│   │   ├── OperationsDbOnlyTest.php
+│   │   └── OperationsTenantScopeTest.php
+│   ├── Notifications/
+│   │   └── OperationRunNotificationTest.php
+│   ├── OpsUx/
+│   │   └── BulkOperationProgressDbOnlyTest.php
+│   ├── System/
+│   │   └── Spec114/
+│   │       ├── CanonicalRunDetailTest.php
+│   │       ├── OpsFailuresViewTest.php
+│   │       ├── OpsStuckViewTest.php
+│   │       └── OpsTriageActionsTest.php
+│   ├── Guards/
+│   │   └── ActionSurfaceContractTest.php
+│   └── RunAuthorizationTenantIsolationTest.php
+```
+
+**Structure Decision**: Keep the existing Laravel monolith structure. The implementation should extend current model scopes, presenters, widgets, monitoring pages, and system pages instead of introducing a new operations-overview layer or new directory family.
+
+## Implementation Strategy
+
+### Phase A — Introduce One Shared Derived Problem-Class Contract
+
+**Goal**: Let every covered surface derive the same operator-facing split between terminal follow-up and active stale/stuck attention from the existing lifecycle truth.
+
+| Step | File | Change |
+|------|------|--------|
+| A.1 | `app/Models/OperationRun.php` | Add narrow query scopes or helpers for `terminal follow-up` and `active stale/stuck attention`, keeping `dashboardNeedsFollowUp()` as a compatibility umbrella if needed. |
+| A.2 | `app/Support/OpsUx/OperationUxPresenter.php` and existing freshness helpers | Centralize derived problem-class text, stale-lineage wording, and row/detail/notification display decisions using existing freshness and reconciliation truth. |
+| A.3 | `app/Support/OpsUx/ActiveRuns.php` | Extend or refine active-run polling helpers so summary and progress surfaces can poll only while relevant active runs still exist. |
+
+### Phase B — Harden Local Progress And Summary Surfaces
+
+**Goal**: Remove stale local-progress residue and separate terminal problems from active stale attention on tenant and workspace entry surfaces.
+
+| Step | File | Change |
+|------|------|--------|
+| B.1 | `app/Livewire/BulkOperationProgress.php` and `resources/views/livewire/bulk-operation-progress.blade.php` | Add conditional polling, canonical refresh behavior, and active-only visibility so terminal or reconciled runs disappear within one refresh cycle. |
+| B.2 | `app/Filament/Widgets/Dashboard/DashboardKpis.php` and `app/Filament/Widgets/Dashboard/NeedsAttention.php` | Split mixed operations follow-up into explicit terminal vs stale-active buckets with one matching destination each. |
+| B.3 | `app/Filament/Widgets/Dashboard/RecentOperations.php` | Surface freshness/problem-class truth per row so stale candidates and terminal follow-up do not read like generic recent activity. |
+| B.4 | `app/Support/Workspaces/WorkspaceOverviewBuilder.php`, `app/Filament/Widgets/Workspace/WorkspaceNeedsAttention.php`, and `app/Filament/Widgets/Workspace/WorkspaceRecentOperations.php` | Mirror the same split and row semantics on workspace surfaces so workspace and tenant summaries speak the same truth grammar. |
+
+### Phase C — Align Canonical Operations Hub And Drill-Through State
+
+**Goal**: Make `/admin/operations` the canonical collection route for both problem classes and preserve the originating class through every entry point.
+
+| Step | File | Change |
+|------|------|--------|
+| C.1 | `app/Filament/Pages/Monitoring/Operations.php` | Add or tighten problem-class-aware filters/tabs for `active stale/stuck attention` and `terminal follow-up` without creating a new monitoring page. |
+| C.2 | `app/Support/OperationRunLinks.php` | Carry tenant-safe problem-class filter state and existing navigation context into canonical operations links from dashboard, workspace, and notification entry points. |
+| C.3 | Existing summary and recent-operation surfaces | Replace broad `needs follow-up` drill-throughs with explicit problem-class destinations so the landing page confirms the originating operator story. |
+
+### Phase D — Preserve Stale Truth Across Canonical And System Monitoring Surfaces
+
+**Goal**: Keep stale/reconciled lineage visible to operators after auto-reconciliation and promote stale/reconciled truth inside the primary decision hierarchy.
+
+| Step | File | Change |
+|------|------|--------|
+| D.1 | Existing canonical run-detail composition seams under `OperationRunResource` / `TenantlessOperationRunViewer` | Elevate likely-stale and reconciled lifecycle truth inside the existing decision-zone/current-state summary rather than leaving it only in secondary banners or diagnostics. |
+| D.2 | `app/Filament/System/Pages/Ops/Runs.php`, `Failures.php`, `Stuck.php`, and `ViewRun.php` | Keep `Stuck` focused on active stale candidates while exposing reconciled stale lineage on system runs, failures, and detail so platform operators can still recover the stale story after reconciliation. |
+| D.3 | `resources/views/filament/system/pages/ops/view-run.blade.php` | Strengthen stale/reconciled visual emphasis in the existing guidance/current-state rendering instead of adding a new detail surface. |
+
+### Phase E — Keep Notifications And Entry-Point Wording Truthful
+
+**Goal**: Ensure entry points never frame a run more calmly than its current lifecycle or freshness truth.
+
+| Step | File | Change |
+|------|------|--------|
+| E.1 | `app/Notifications/OperationRunCompleted.php` and existing presenter seams | Preserve problem-class wording and stale-lineage emphasis in terminal notifications and linked entry-point copy. |
+| E.2 | Existing dashboard/workspace/navigation copy | Keep `needs follow-up` as an umbrella only when the concrete sub-class remains visible and recoverable. |
+
+### Phase F — Regression Protection And Verification
+
+**Goal**: Lock the truth contract into tests and preserve DB-only rendering, authorization semantics, and system/admin continuity.
+
+| Step | File | Change |
+|------|------|--------|
+| F.1 | `tests/Feature/Filament/DashboardKpisWidgetTest.php`, `NeedsAttentionWidgetTest.php`, `RecentOperationsSummaryWidgetTest.php`, and `WorkspaceOverviewOperationsTest.php` | Add assertions for terminal-vs-stale separation, row truth, and workspace/tenant summary parity. |
+| F.2 | `tests/Feature/OpsUx/BulkOperationProgressDbOnlyTest.php` | Prove polling freshness and active-only visibility without enqueue-event dependence. |
+| F.3 | `tests/Feature/Monitoring/MonitoringOperationsTest.php`, `OperationsDashboardDrillthroughTest.php`, `OperationsDbOnlyRenderTest.php`, `OperationsDbOnlyTest.php`, `OperationsTenantScopeTest.php`, and `RunAuthorizationTenantIsolationTest.php` | Prove canonical hub filters, drill-through continuity, DB-only rendering, and tenant-safe access semantics. |
+| F.4 | `tests/Feature/System/Spec114/CanonicalRunDetailTest.php`, `OpsFailuresViewTest.php`, `OpsStuckViewTest.php`, `OpsTriageActionsTest.php`, and `tests/Feature/Notifications/OperationRunNotificationTest.php` | Prove stale/reconciled visibility across system detail, failures, stuck surfaces, and notifications. |
+| F.5 | `tests/Feature/Guards/ActionSurfaceContractTest.php` plus `vendor/bin/sail bin pint --dirty --format agent` | Preserve surface-contract compliance and formatting before implementation is considered complete. |
+
+## Key Design Decisions
+
+### D-001 — Preserve `OperationRunFreshnessState` as the lifecycle base and derive problem class above it
+
+The repo already has a narrow, useful freshness enum. The plan builds the operator-facing split above that existing truth instead of adding a second enum or persisted state family.
+
+### D-002 — Use existing model/presenter seams instead of a new taxonomy framework
+
+The narrowest implementation is to extend `OperationRun` query scopes, `OperationUxPresenter`, and existing route helpers. A new cross-domain classification framework would be disproportionate to the problem.
+
+### D-003 — Keep `BulkOperationProgress` active-only
+
+The overlay should not become a second follow-up surface. Once a run is terminal or reconciled, it should leave the overlay and let recent/attention/canonical surfaces tell the rest of the story.
+
+### D-004 — `/admin/operations` remains the only canonical collection route
+
+Problem-class continuity should be achieved with filters/tabs and link state, not by introducing tenant-specific or class-specific duplicate routes.
+
+### D-005 — `Stuck` remains active-stale focused, but stale lineage must survive reconciliation elsewhere in system monitoring
+
+Widening `/system/ops/stuck` into a mixed registry would blur its purpose. The narrower design keeps active stale candidates there and makes reconciled stale lineage visible on `/system/ops/runs`, `/system/ops/failures`, and system detail.
+
+### D-006 — Decision-zone emphasis is the canonical fix for stale/reconciled truth
+
+The canonical detail surface already has the right ownership. The plan promotes stale/reconciled truth inside that existing hierarchy instead of inventing a new banner or side-panel architecture.
+
+### D-007 — Notification changes stay on the existing `OperationRunCompleted` path
+
+The feature should extend current terminal notification semantics, not create a new notification subsystem or duplicate entry-point logic elsewhere.
+
+## Risk Assessment
+
+| Risk | Impact | Likelihood | Mitigation |
+|------|--------|------------|------------|
+| Summary surfaces still share labels but not identical filter meaning | High | Medium | Carry problem-class state through `OperationRunLinks` and verify destination continuity in focused tests. |
+| Bulk progress stays live too long or polls too often | High | Medium | Reuse the existing conditional polling pattern and verify convergence/stoppage behavior in DB-only tests. |
+| System surfaces lose stale lineage after reconciliation | High | Medium | Keep stale lineage explicit on system runs, failures, and detail even when `Stuck` remains active-only. |
+| Canonical detail duplicates stale/reconciled emphasis in multiple equal-priority areas | Medium | Medium | Reuse the existing decision-zone hierarchy and verify emphasis through detail tests instead of adding parallel warning surfaces. |
+| The thin derived split drifts into a new framework over time | Medium | Low | Keep it constrained to existing model scopes, presenter seams, route helpers, and regression coverage. |
+
+## Test Strategy
+
+- Extend tenant and workspace summary widget coverage so dashboard and workspace attention surfaces clearly separate terminal follow-up from active stale/stuck attention.
+- Extend `BulkOperationProgressDbOnlyTest.php` to prove terminal/reconciled runs disappear within one refresh cycle and polling stops when no relevant active runs remain.
+- Extend canonical monitoring tests so `/admin/operations` filters, row rendering, and drill-throughs preserve problem-class continuity and remain DB-only and tenant-safe.
+- Extend system-panel tests so `/system/ops/stuck`, `/system/ops/failures`, `/system/ops/runs`, and system detail preserve stale/reconciled lineage in a way platform operators can recover.
+- Extend notification tests so completed notifications and linked destinations do not frame reconciled or stale-derived terminal runs more calmly than current truth.
+- Run focused Pest suites through Sail plus `vendor/bin/sail bin pint --dirty --format agent`; full-suite execution is not required for planning artifacts.
+
+## Post-Design Constitution Re-check
+
+- `PASS` The design keeps `OperationRun` as the only persistent lifecycle truth and introduces no new schema or state family.
+- `PASS` The derived problem-class split remains narrow and stays within existing model, presenter, and route-helper seams.
+- `PASS` Admin-plane and system-plane surfaces stay separated and tenant-safe; no cross-plane leakage path is introduced.
+- `PASS` The run-detail emphasis work reuses existing decision-zone ownership instead of adding a second detail hierarchy.
+- `PASS` No new destructive actions, global-search changes, asset registration, or provider registration changes are required.
+- `PASS` Livewire v4 and Filament v5 compliance remains intact.
+
+## Complexity Tracking
+
+No constitution waiver is expected. This slice hardens shared truth semantics and removes drift without introducing new persistence, new orchestration, or a new semantic framework.