feat: close spec 195 action surface residuals (#230)

## Summary
- add the full Spec 195 residual action-surface design package under `specs/195-action-surface-closure`
- implement residual surface inventory and validator enforcement for uncatalogued system and special Filament pages
- add focused regression coverage for residual guards, system directory pages, managed-tenants landing, and readonly register-tenant / tenant-dashboard access
- fix the system workspace detail surface by loading tenant route keys and disabling lazy system database notifications to avoid the Livewire 404 on `/system/directory/workspaces/{workspace}`

## Testing
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/System/Spec195/SystemDirectoryResidualSurfaceTest.php tests/Feature/Filament/DatabaseNotificationsPollingTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`

## Notes
- branch: `195-action-surface-closure`
- target: `dev`
- no new assets, migrations, or provider-registration changes

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #230

.dockerignore

@@ -1,7 +1,12 @@
 node_modules/
+apps/platform/node_modules/
+apps/website/node_modules/
+apps/website/.astro/
+apps/website/dist/
 dist/
 build/
 vendor/
+apps/platform/vendor/
 coverage/
 .git/
 .DS_Store
@@ -18,12 +23,19 @@ Dockerfile*
 *.tmp
 *.swp
 public/build/
+apps/platform/public/build/
 public/hot/
+apps/platform/public/hot/
 public/storage/
+apps/platform/public/storage/
 storage/framework/
+apps/platform/storage/framework/
 storage/logs/
+apps/platform/storage/logs/
 storage/debugbar/
+apps/platform/storage/debugbar/
 storage/*.key
+apps/platform/storage/*.key
 /references/
 .idea/
 .vscode/

.github/agents/copilot-instructions.md

@@ -2,6 +2,14 @@ # TenantAtlas Development Guidelines
 
 Auto-generated from all feature plans. Last updated: 2025-12-22
 
+## Relocation override
+- The authoritative Laravel application root is `apps/platform`.
+- Human-facing commands should use `cd apps/platform && ...`.
+- Repo-root tooling may delegate via `./scripts/platform-sail` when it cannot set a nested working directory.
+- Repo-root JavaScript orchestration uses `corepack pnpm install`, `corepack pnpm dev:platform`, `corepack pnpm dev:website`, `corepack pnpm dev`, `corepack pnpm build:website`, and `corepack pnpm build:platform`.
+- `apps/website` is a standalone Astro app, not a second Laravel runtime, so Boost MCP remains platform-only.
+- If any generated technology note below conflicts with the current repo, trust `apps/platform/composer.json`, `apps/platform/package.json`, and the live Laravel application metadata over stale generated entries.
+
 ## Active Technologies
 - PHP 8.4.15 + Laravel 12, Filament v4, Livewire v3 (feat/005-bulk-operations)
 - PostgreSQL (app), SQLite in-memory (tests) (feat/005-bulk-operations)
@@ -135,27 +143,75 @@ ## Active Technologies
 - PostgreSQL; existing `inventory_items` rows and `operation_runs.context` / `operation_runs.summary_counts` JSONB are reused with no schema change (177-inventory-coverage-truth)
 - PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `OperationRun`, `OperationLifecyclePolicy`, `OperationRunFreshnessState`, `OperationUxPresenter`, `OperationRunLinks`, `ActiveRuns`, `StuckRunClassifier`, `WorkspaceOverviewBuilder`, dashboard widgets, workspace widgets, and system ops pages (178-ops-truth-alignment)
 - PostgreSQL unchanged; existing `operation_runs` JSONB-backed `context`, `summary_counts`, and `failure_summary`; no schema change (178-ops-truth-alignment)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `RestoreRunResource`, `RestoreService`, `RestoreRiskChecker`, `RestoreDiffGenerator`, `OperationRunResource`, `TenantlessOperationRunViewer`, shared badge infrastructure, and existing RBAC or write-gate helpers (181-restore-safety-integrity)
+- PostgreSQL with existing `restore_runs` and `operation_runs` records plus JSON or array-backed `metadata`, `preview`, `results`, and `context`; no schema change planned (181-restore-safety-integrity)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `BackupSetResource`, `BackupItemsRelationManager`, `PolicyVersionResource`, `RestoreRunResource`, `CreateRestoreRun`, `AssignmentBackupService`, `VersionService`, `PolicySnapshotService`, `RestoreRiskChecker`, `BadgeRenderer`, `PolicySnapshotModeBadge`, `EnterpriseDetailBuilder`, and existing RBAC helpers (176-backup-quality-truth)
+- PostgreSQL with existing tenant-owned `backup_sets`, `backup_items`, `policy_versions`, and restore wizard input state; JSON-backed `metadata`, `snapshot`, `assignments`, and `scope_tags`; no schema change planned (176-backup-quality-truth)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5, Livewire v4, Pest v4, Laravel Sail, existing `DashboardKpis`, `NeedsAttention`, `BackupSetResource`, `BackupScheduleResource`, `BackupQualityResolver`, `BackupQualitySummary`, `ScheduleTimeService`, shared badge infrastructure, and existing RBAC helpers (180-tenant-backup-health)
+- PostgreSQL with existing tenant-owned `backup_sets`, `backup_items`, and `backup_schedules` records plus existing JSON-backed backup metadata; no schema change planned (180-tenant-backup-health)
+- PHP 8.4.15, Laravel 12, Blade, Livewire v4, Filament v5.2.x, Tailwind CSS v4, Vite 7 + `laravel/framework`, `filament/filament`, `livewire/livewire`, `laravel/sail`, `laravel-vite-plugin`, `tailwindcss`, `vite`, `pestphp/pest`, `drizzle-kit`, PostgreSQL, Redis, Docker Compose (182-platform-relocation)
+- PostgreSQL, Redis, filesystem storage under the Laravel app `storage/` tree, plus existing Vite build artifacts in `public/build`; no new database persistence planned (182-platform-relocation)
+- PHP 8.4.15 and Laravel 12 for `apps/platform`; Node.js 20+ with pnpm 10 workspace tooling; Astro v6 for `apps/website`; Bash and Docker Compose for root orchestration + `laravel/framework`, `filament/filament`, `livewire/livewire`, `laravel/sail`, `vite`, `tailwindcss`, `pnpm` workspaces, Astro, existing `./scripts/platform-sail` wrapper, repo-root Docker Compose (183-website-workspace-foundation)
+- Existing PostgreSQL, Redis, and filesystem storage for `apps/platform`; static build artifacts for `apps/website`; repository-managed workspace manifests and docs; no new database persistence (183-website-workspace-foundation)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5 widgets and resources, Livewire v4, Pest v4, existing `TenantDashboard`, `DashboardKpis`, `NeedsAttention`, `TenantBackupHealthResolver`, `TenantBackupHealthAssessment`, `RestoreRunResource`, `RestoreSafetyResolver`, `RestoreResultAttention`, `OperationRunLinks`, and existing RBAC helpers (184-dashboard-recovery-honesty)
+- PostgreSQL with existing tenant-owned `backup_sets`, `restore_runs`, and linked `operation_runs`; no schema change planned (184-dashboard-recovery-honesty)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `WorkspaceOverviewBuilder`, `WorkspaceSummaryStats`, `WorkspaceNeedsAttention`, `TenantBackupHealthResolver`, `TenantBackupHealthAssessment`, `RestoreSafetyResolver`, tenant dashboard widgets, `WorkspaceCapabilityResolver`, `CapabilityResolver`, and the current workspace overview Blade surfaces (185-workspace-recovery-posture-visibility)
+- PostgreSQL unchanged; no schema change, new cache table, or persisted workspace recovery artifact is planned (185-workspace-recovery-posture-visibility)
+- PHP 8.4, Laravel 12, Blade, Filament v5, Livewire v4 + Filament v5 resources and table filters, Livewire v4 `ListRecords`, Pest v4, Laravel Sail, existing `TenantResource`, `ListTenants`, `WorkspaceOverviewBuilder`, `TenantBackupHealthResolver`, `TenantBackupHealthAssessment`, `RestoreSafetyResolver`, `RecoveryReadiness`, and shared badge infrastructure (186-tenant-registry-recovery-triage)
+- PostgreSQL with existing tenant-owned `tenants`, `backup_sets`, `backup_items`, `restore_runs`, `policies`, and membership records; no schema change planned (186-tenant-registry-recovery-triage)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `WorkspaceOverviewBuilder`, `TenantResource`, `TenantDashboard`, `CanonicalAdminTenantFilterState`, `TenantBackupHealthAssessment`, `RestoreSafetyResolver`, and continuity-aware backup or restore list pages (187-portfolio-triage-arrival-context)
+- PostgreSQL unchanged; no new tables, caches, or durable workflow artifacts (187-portfolio-triage-arrival-context)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `ProviderConnection` model, `ProviderConnectionResolver`, `ProviderConnectionStateProjector`, `ProviderConnectionMutationService`, `ProviderConnectionHealthCheckJob`, `StartVerification`, `ProviderConnectionResource`, `TenantResource`, system directory pages, `BadgeCatalog`, `BadgeRenderer`, and shared provider-state Blade entries (188-provider-connection-state-cleanup)
+- PostgreSQL with one narrow schema addition (`is_enabled`) followed by final removal of legacy `status` and `health_status` columns and their indexes (188-provider-connection-state-cleanup)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `WorkspaceOverviewBuilder`, `TenantResource`, `TenantDashboard`, `PortfolioArrivalContext`, `TenantBackupHealthResolver`, `RestoreSafetyResolver`, `BadgeCatalog`, `UiEnforcement`, and `AuditRecorder` patterns (189-portfolio-triage-review-state)
+- PostgreSQL via Laravel Eloquent with one new table `tenant_triage_reviews` and no new external caches or background stores (189-portfolio-triage-review-state)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `BaselineCompareService`, `BaselineSnapshotTruthResolver`, `BaselineCompareStats`, `RelatedNavigationResolver`, `CanonicalNavigationContext`, `BadgeCatalog`, and `UiEnforcement` patterns (190-baseline-compare-matrix)
+- PostgreSQL via existing `baseline_profiles`, `baseline_snapshots`, `baseline_snapshot_items`, `baseline_tenant_assignments`, `operation_runs`, and `findings` tables; no new persistence planned (190-baseline-compare-matrix)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `BaselineCompareMatrixBuilder`, `BadgeCatalog`, `CanonicalNavigationContext`, and `UiEnforcement` patterns (191-baseline-compare-operator-mode)
+- PostgreSQL via existing baseline, assignment, compare-run, and finding tables; no new persistence planned (191-baseline-compare-operator-mode)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `UiEnforcement`, `RelatedNavigationResolver`, `ActionSurfaceValidator`, and page-local Filament action builders (192-record-header-discipline)
+- PostgreSQL through existing workspace-owned and tenant-owned resource models; no schema change planned (192-record-header-discipline)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `OperateHubShell`, `CanonicalNavigationContext`, `CanonicalAdminTenantFilterState`, `UiEnforcement`, `ActionSurfaceValidator`, and Filament page or resource action builders (193-monitoring-action-hierarchy)
+- PostgreSQL through existing workspace-owned and tenant-owned models; no schema change planned (193-monitoring-action-hierarchy)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `UiEnforcement`, existing audit loggers (`AuditLogger`, `WorkspaceAuditLogger`, `SystemConsoleAuditLogger`), existing mutation services (`FindingExceptionService`, `FindingWorkflowService`, `TenantReviewLifecycleService`, `EvidenceSnapshotService`, `OperationRunTriageService`) (194-governance-friction-hardening)
+- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `ActionSurfaceDiscovery`, `ActionSurfaceValidator`, `ActionSurfaceExemptions`, `GovernanceActionCatalog`, `UiEnforcement`, `WorkspaceContext`, and existing system/onboarding/auth helpers (195-action-surface-closure)
+- PostgreSQL through existing workspace-owned, tenant-owned, and system-visible models; no schema change planned (195-action-surface-closure)
 
 - PHP 8.4.15 (feat/005-bulk-operations)
 
 ## Project Structure
 
 ```text
-src/
+apps/
-tests/
+  platform/
+  website/
+docs/
+specs/
+scripts/
 ```
 
 ## Commands
 
-# Add commands for PHP 8.4.15
+- Root workspace:
+  - `corepack pnpm install`
+  - `corepack pnpm dev:platform`
+  - `corepack pnpm dev:website`
+  - `corepack pnpm dev`
+  - `corepack pnpm build:website`
+  - `corepack pnpm build:platform`
+- Platform app:
+  - `cd apps/platform && ./vendor/bin/sail up -d`
+  - `cd apps/platform && ./vendor/bin/sail pnpm dev`
+  - `cd apps/platform && ./vendor/bin/sail pnpm build`
+  - `cd apps/platform && ./vendor/bin/sail artisan test --compact`
 
 ## Code Style
 
 PHP 8.4.15: Follow standard conventions
 
 ## Recent Changes
-- 178-ops-truth-alignment: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `OperationRun`, `OperationLifecyclePolicy`, `OperationRunFreshnessState`, `OperationUxPresenter`, `OperationRunLinks`, `ActiveRuns`, `StuckRunClassifier`, `WorkspaceOverviewBuilder`, dashboard widgets, workspace widgets, and system ops pages
+- 195-action-surface-closure: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `ActionSurfaceDiscovery`, `ActionSurfaceValidator`, `ActionSurfaceExemptions`, `GovernanceActionCatalog`, `UiEnforcement`, `WorkspaceContext`, and existing system/onboarding/auth helpers
-- 177-inventory-coverage-truth: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `InventoryItem`, `OperationRun`, `InventoryCoverage`, `InventoryPolicyTypeMeta`, `CoverageCapabilitiesResolver`, `InventoryKpiHeader`, `InventoryCoverage` page, and `OperationRunResource` enterprise-detail stack
+- 195-action-surface-closure: Added PostgreSQL through existing workspace-owned, tenant-owned, and system-visible models; no schema change planned
-- 179-provider-truth-cleanup: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `TenantResource`, `ProviderConnectionResource`, `TenantVerificationReport`, `BadgeCatalog`, `BadgeRenderer`, `TenantOperabilityService`, `ProviderConsentStatus`, `ProviderVerificationStatus`, and shared provider-state Blade partials
+- 194-governance-friction-hardening: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4, existing `UiEnforcement`, existing audit loggers (`AuditLogger`, `WorkspaceAuditLogger`, `SystemConsoleAuditLogger`), existing mutation services (`FindingExceptionService`, `FindingWorkflowService`, `TenantReviewLifecycleService`, `EvidenceSnapshotService`, `OperationRunTriageService`)
 <!-- MANUAL ADDITIONS START -->
 <!-- MANUAL ADDITIONS END -->

.github/copilot-instructions.md

@@ -40,7 +40,7 @@ ## 3) Panel setup defaults
 - Assets policy:
   - Panel-only assets: register via panel config.
   - Shared/plugin assets: register via `FilamentAsset::register()`.
-  - Deployment must include `php artisan filament:assets`.
+  - Deployment must include `cd apps/platform && php artisan filament:assets`.
 
 Sources:
 - https://filamentphp.com/docs/5.x/panel-configuration
@@ -254,7 +254,7 @@ ## Testing
   - Source: https://filamentphp.com/docs/5.x/testing/testing-actions — “Testing actions”
 
 ## Deployment / Ops
-- [ ] `php artisan filament:assets` is included in the deployment process when using registered assets.
+- [ ] `cd apps/platform && php artisan filament:assets` is included in the deployment process when using registered assets.
   - Source: https://filamentphp.com/docs/5.x/advanced/assets — “The FilamentAsset facade”
 
 === foundation rules ===
@@ -291,8 +291,12 @@ ## Application Structure & Architecture
 - Stick to existing directory structure; don't create new base folders without approval.
 - Do not change the application's dependencies without approval.
 
+## Workspace Commands
+- Repo-root JavaScript orchestration now uses `corepack pnpm install`, `corepack pnpm dev:platform`, `corepack pnpm dev:website`, `corepack pnpm dev`, `corepack pnpm build:website`, and `corepack pnpm build:platform`.
+- `apps/website` is a standalone Astro app, not a second Laravel runtime, so Boost MCP remains platform-only.
+
 ## Frontend Bundling
-- If the user doesn't see a frontend change reflected in the UI, it could mean they need to run `vendor/bin/sail npm run build`, `vendor/bin/sail npm run dev`, or `vendor/bin/sail composer run dev`. Ask them.
+- If the user doesn't see a platform frontend change reflected in the UI, it could mean they need to run `cd apps/platform && ./vendor/bin/sail pnpm build`, `cd apps/platform && ./vendor/bin/sail pnpm dev`, or `cd apps/platform && ./vendor/bin/sail composer run dev`. Ask them.
 
 ## Replies
 - Be concise in your explanations - focus on what's important rather than explaining obvious details.
@@ -372,28 +376,29 @@ ## Enums
 ## Laravel Sail
 
 - This project runs inside Laravel Sail's Docker containers. You MUST execute all commands through Sail.
-- Start services using `vendor/bin/sail up -d` and stop them with `vendor/bin/sail stop`.
+- The canonical application working directory is `apps/platform`. Repo-root launchers such as MCP or VS Code tasks may use `./scripts/platform-sail`, but that helper is compatibility-only.
-- Open the application in the browser by running `vendor/bin/sail open`.
+- Start services using `cd apps/platform && ./vendor/bin/sail up -d` and stop them with `cd apps/platform && ./vendor/bin/sail stop`.
-- Always prefix PHP, Artisan, Composer, and Node commands with `vendor/bin/sail`. Examples:
+- Open the application in the browser by running `cd apps/platform && ./vendor/bin/sail open`.
-    - Run Artisan Commands: `vendor/bin/sail artisan migrate`
+- Always prefix PHP, Artisan, Composer, and Node commands with `cd apps/platform && ./vendor/bin/sail`. Examples:
-    - Install Composer packages: `vendor/bin/sail composer install`
+    - Run Artisan Commands: `cd apps/platform && ./vendor/bin/sail artisan migrate`
-    - Execute Node commands: `vendor/bin/sail npm run dev`
+    - Install Composer packages: `cd apps/platform && ./vendor/bin/sail composer install`
-    - Execute PHP scripts: `vendor/bin/sail php [script]`
+    - Execute Node commands: `cd apps/platform && ./vendor/bin/sail pnpm dev`
-- View all available Sail commands by running `vendor/bin/sail` without arguments.
+    - Execute PHP scripts: `cd apps/platform && ./vendor/bin/sail php [script]`
+- View all available Sail commands by running `cd apps/platform && ./vendor/bin/sail` without arguments.
 
 === tests rules ===
 
 ## Test Enforcement
 
 - Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
-- Run the minimum number of tests needed to ensure code quality and speed. Use `vendor/bin/sail artisan test --compact` with a specific filename or filter.
+- Run the minimum number of tests needed to ensure code quality and speed. Use `cd apps/platform && ./vendor/bin/sail artisan test --compact` with a specific filename or filter.
 
 === laravel/core rules ===
 
 ## Do Things the Laravel Way
 
-- Use `vendor/bin/sail artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
+- Use `cd apps/platform && ./vendor/bin/sail artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
-- If you're creating a generic PHP class, use `vendor/bin/sail artisan make:class`.
+- If you're creating a generic PHP class, use `cd apps/platform && ./vendor/bin/sail artisan make:class`.
 - Pass `--no-interaction` to all Artisan commands to ensure they work without user input. You should also pass the correct `--options` to ensure correct behavior.
 
 ### Database
@@ -404,7 +409,7 @@ ### Database
 - Use Laravel's query builder for very complex database operations.
 
 ### Model Creation
-- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `vendor/bin/sail artisan make:model`.
+- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `cd apps/platform && ./vendor/bin/sail artisan make:model`.
 
 ### APIs & Eloquent Resources
 - For APIs, default to using Eloquent API Resources and API versioning unless existing API routes do not, then you should follow existing application convention.
@@ -428,10 +433,10 @@ ### Configuration
 ### Testing
 - When creating models for tests, use the factories for the models. Check if the factory has custom states that can be used before manually setting up the model.
 - Faker: Use methods such as `$this->faker->word()` or `fake()->randomDigit()`. Follow existing conventions whether to use `$this->faker` or `fake()`.
-- When creating tests, make use of `vendor/bin/sail artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
+- When creating tests, make use of `cd apps/platform && ./vendor/bin/sail artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
 
 ### Vite Error
-- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `vendor/bin/sail npm run build` or ask the user to run `vendor/bin/sail npm run dev` or `vendor/bin/sail composer run dev`.
+- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `cd apps/platform && ./vendor/bin/sail pnpm build` or ask the user to run `cd apps/platform && ./vendor/bin/sail pnpm dev` or `cd apps/platform && ./vendor/bin/sail composer run dev`.
 
 === laravel/v12 rules ===
 
@@ -460,7 +465,7 @@ ### Models
 ## Livewire
 
 - Use the `search-docs` tool to find exact version-specific documentation for how to write Livewire and Livewire tests.
-- Use the `vendor/bin/sail artisan make:livewire [Posts\CreatePost]` Artisan command to create new components.
+- Use the `cd apps/platform && ./vendor/bin/sail artisan make:livewire [Posts\CreatePost]` Artisan command to create new components.
 - State should live on the server, with the UI reflecting it.
 - All Livewire requests hit the Laravel backend; they're like regular HTTP requests. Always validate form data and run authorization checks in Livewire actions.
 
@@ -504,8 +509,8 @@ ## Testing Livewire
 
 ## Laravel Pint Code Formatter
 
-- You must run `vendor/bin/sail bin pint --dirty` before finalizing changes to ensure your code matches the project's expected style.
+- You must run `cd apps/platform && ./vendor/bin/sail bin pint --dirty` before finalizing changes to ensure your code matches the project's expected style.
-- Do not run `vendor/bin/sail bin pint --test`, simply run `vendor/bin/sail bin pint` to fix any formatting issues.
+- Do not run `cd apps/platform && ./vendor/bin/sail bin pint --test`, simply run `cd apps/platform && ./vendor/bin/sail bin pint` to fix any formatting issues.
 
 === pest/core rules ===
 
@@ -514,7 +519,7 @@ ### Testing
 - If you need to verify a feature is working, write or update a Unit / Feature test.
 
 ### Pest Tests
-- All tests must be written using Pest. Use `vendor/bin/sail artisan make:test --pest {name}`.
+- All tests must be written using Pest. Use `cd apps/platform && ./vendor/bin/sail artisan make:test --pest {name}`.
 - You must not remove any tests or test files from the tests directory without approval. These are not temporary or helper files - these are core to the application.
 - Tests should test all of the happy paths, failure paths, and weird paths.
 - Tests live in the `tests/Feature` and `tests/Unit` directories.
@@ -527,9 +532,9 @@ ### Pest Tests
 
 ### Running Tests
 - Run the minimal number of tests using an appropriate filter before finalizing code edits.
-- To run all tests: `vendor/bin/sail artisan test --compact`.
+- To run all tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact`.
-- To run all tests in a file: `vendor/bin/sail artisan test --compact tests/Feature/ExampleTest.php`.
+- To run all tests in a file: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ExampleTest.php`.
-- To filter on a particular test name: `vendor/bin/sail artisan test --compact --filter=testName` (recommended after making a change to a related file).
+- To filter on a particular test name: `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=testName` (recommended after making a change to a related file).
 - When the tests relating to your changes are passing, ask the user if they would like to run the entire test suite to ensure everything is still passing.
 
 ### Pest Assertions

.gitignore

@@ -15,19 +15,34 @@
 /.zed
 /auth.json
 /node_modules
+/apps/platform/node_modules
+/apps/website/node_modules
+/.pnpm-store
+/apps/website/.astro
 dist/
 build/
 coverage/
 /public/build
+/apps/platform/public/build
+/apps/website/dist
 /public/hot
+/apps/platform/public/hot
 /public/storage
+/apps/platform/public/storage
 /storage/*.key
+/apps/platform/storage/*.key
 /storage/pail
+/apps/platform/storage/pail
 /storage/framework
+/apps/platform/storage/framework
 /storage/logs
+/apps/platform/storage/logs
 /storage/debugbar
+/apps/platform/storage/debugbar
 /vendor
+/apps/platform/vendor
 /bootstrap/cache
+/apps/platform/bootstrap/cache
 Homestead.json
 Homestead.yaml
 Thumbs.db
@@ -35,3 +50,7 @@ Thumbs.db
 /tests/Browser/Screenshots
 *.tmp
 *.swp
+/apps/platform/.env
+/apps/platform/.env.*
+/apps/website/.env
+/apps/website/.env.*

.npmignore

@@ -1,8 +1,14 @@
 dist/
 build/
 public/build/
+apps/platform/public/build/
 node_modules/
+apps/platform/node_modules/
+apps/website/node_modules/
+apps/website/.astro/
+apps/website/dist/
 vendor/
+apps/platform/vendor/
 *.log
 .env
 .env.*

.prettierignore

@@ -2,12 +2,22 @@ node_modules/
 dist/
 build/
 public/build/
+apps/platform/public/build/
 public/hot/
+apps/platform/public/hot/
 public/storage/
+apps/platform/public/storage/
 coverage/
 vendor/
+apps/platform/vendor/
+apps/platform/node_modules/
+apps/website/node_modules/
+apps/website/.astro/
+apps/website/dist/
 storage/
+apps/platform/storage/
 bootstrap/cache/
+apps/platform/bootstrap/cache/
 package-lock.json
 yarn.lock
 pnpm-lock.yaml

.specify/memory/constitution.md

@@ -1,36 +1,37 @@
 <!--
 Sync Impact Report
 
-- Version change: 1.14.0 -> 2.0.0
+- Version change: 2.2.0 -> 2.3.0
 - Modified principles:
-  - Filament UI - Action Surface Contract -> Operator-Facing UI/UX Constitution v1 / Filament UI - Action Surface Contract
+  - UI-CONST-001: expanded to make TenantPilot's decision-first
-  - Filament UI - Layout & Information Architecture Standards (UX-001) -> Operator-Facing UI/UX Constitution v1 / Filament UI - Layout & Information Architecture Standards (UX-001)
+    governance identity explicit
-  - Operator-facing UI Naming Standards (UI-NAMING-001) -> Operator-Facing UI/UX Constitution v1 / Operator-facing UI Naming Standards (UI-NAMING-001)
+  - UI-REVIEW-001: spec and PR review gates expanded for surface role,
-  - Operator Surface Principles (OPSURF-001) -> Operator-Facing UI/UX Constitution v1 / Operator Surface Principles (OPSURF-001)
+    human-in-the-loop justification, workflow-vs-storage IA, and
-  - Spec Scope Fields (SCOPE-002) -> Operator-Facing UI/UX Constitution v1 / Spec Scope Fields (SCOPE-002)
+    attention-load reduction
+  - Immediate Retrofit Priorities: expanded with a classification-first
+    wave for existing surfaces
 - Added sections:
-  - Operator-Facing UI/UX Constitution v1 (UI-CONST-001)
+  - Decision-First Operating Model & Progressive Disclosure
-  - Surface Taxonomy (UI-SURF-001)
+    (DECIDE-001)
-  - Hard Rules (UI-HARD-001)
-  - Exception Model (UI-EX-001)
-  - Enforcement Model (UI-REVIEW-001)
-  - Immediate Retrofit Priorities
-  - Appendix A - One-page Condensed Constitution
-  - Appendix B - Feature Review Checklist
-  - Appendix C - Red Flags for Future PRs
 - Removed sections: None
 - Templates requiring updates:
   - ✅ .specify/memory/constitution.md
-  - ✅ .specify/templates/spec-template.md
+  - ✅ .specify/templates/plan-template.md (Constitution Check updated for
-  - ✅ .specify/templates/plan-template.md
+    decision-first surface roles, workflow-first IA, and calm-surface
-  - ✅ .specify/templates/tasks-template.md
+    review)
-  - ✅ docs/product/principles.md
+  - ✅ .specify/templates/spec-template.md (surface role classification,
-  - ✅ docs/product/standards/README.md
+    operator contract, and requirements updated for decision-first
-  - ✅ docs/HANDOVER.md
+    governance)
+  - ✅ .specify/templates/tasks-template.md (implementation task guidance
+    updated for progressive disclosure, single-case context, and
+    attention-load reduction)
+  - ✅ docs/product/standards/README.md (Constitution index updated for
+    DECIDE-001)
 - Commands checked:
   - N/A `.specify/templates/commands/*.md` directory is not present in this repo
 - Follow-up TODOs:
-  - None.
+  - Create a dedicated surface / IA classification spec to retrofit
+    existing surfaces against DECIDE-001.
 -->
 
 # TenantPilot Constitution
@@ -121,6 +122,15 @@ ### Mandatory Bloat Check for New Specs (BLOAT-001)
   6. Is this current-release truth or future-release preparation?
 - Specs that cannot answer these questions clearly MUST NOT merge.
 
+### Spec Candidate Gate (SPEC-GATE-001)
+- Every new spec candidate MUST pass the Spec Approval Rubric (`.specify/memory/spec-approval-rubric.md`) before progressing beyond Draft status.
+- The spec MUST include a filled-out "Spec Candidate Check" section answering the 5 mandatory questions (operator workflow, trust/safety, smallest version, permanent complexity, why now).
+- The spec MUST be classified into exactly one approval class: Core Enterprise, Workflow Compression, Cleanup, or Defer.
+- The spec MUST include a scored evaluation (6 dimensions, 0–2 each). Specs scoring below 7/12 MUST NOT be approved without explicit scope reduction.
+- If two or more red flags from the rubric are triggered, the spec MUST include an explicit defense justifying why it should proceed.
+- Specs classified as "Defer" or scoring 0–3 MUST NOT be implemented.
+- This gate applies to all spec-creating agents (speckit.specify, speckit.plan) and manual spec creation alike.
+
 ### Default Bias (BIAS-001)
 - Default codebase bias is: derive before persist, map before frameworkize, localize before generalize, simplify before extend, replace before layer, explicit before generic, and present directly before interpreting recursively.
 
@@ -321,13 +331,189 @@ ### Operator-Facing UI/UX Constitution v1 (UI-CONST-001)
 
 Purpose and scope
 - This section governs operator-facing admin UI semantics across TenantPilot / TenantAtlas.
-- It defines allowed surface types, allowed interaction models, primary/secondary/destructive action hierarchy, list/detail/queue semantics, scope and context signals, canonical navigation and naming rules, visibility of critical operational truth, scanability and density rules, exception handling, and review and enforcement requirements.
+- It defines decision-first prominence roles, allowed surface types,
+  allowed interaction models, primary/secondary/destructive action
+  hierarchy, list/detail/queue semantics, scope and context signals,
+  canonical navigation and naming rules, visibility of critical
+  operational truth, scanability and density rules, exception handling,
+  and review and enforcement requirements.
 - It does not govern branding, colors, typography, spacing tokens, marketing or landing pages, implementation details without UX effect, purely cosmetic copy changes, or backend architecture except where backend design would create false UI mental models.
 - This section is governance, not a style guide. Its purpose is to prevent ambiguity, operator risk, and UI drift before they spread through the product.
 
+#### Decision-First Operating Model & Progressive Disclosure (DECIDE-001)
+
+Goal: TenantPilot is primarily a governance and decision platform, not
+a browser for internal technical detail objects. This section governs
+surface prominence and default information depth. It is orthogonal to
+UI-SURF-001 and ACTSURF-001: every operator-facing surface MUST declare
+both its interaction model and its decision-role prominence.
+
+##### Surface prominence roles
+
+- Every operator-facing surface MUST declare exactly one decision-role
+  prominence:
+  - Primary Decision Surface
+  - Secondary Context Surface
+  - Tertiary Evidence / Diagnostics Surface
+- Decision-role prominence is separate from action-surface class and
+  detailed surface type.
+- Prominence determines what deserves top-level navigation, default
+  emphasis, and default-visible information depth.
+
+##### Primary surfaces are for human decisions
+
+- Primary Decision Surfaces MUST support a clear human-in-the-loop
+  moment such as attention prioritization, approval, risk acceptance or
+  rejection, drift / findings / exception triage, review completion,
+  evaluation of blocked or failed automations, or execution /
+  escalation of the next governance action.
+- A prominent surface MUST NOT exist primarily to display internal
+  model objects, raw data, diagnostics, or technical object hubs
+  without clear operator value.
+- Every proposed primary surface MUST answer: what concrete decision or
+  operator action does this surface support?
+
+##### Detail surfaces are evidence surfaces
+
+- OperationRun detail, evidence detail, policy version detail, audit
+  log detail, JSON / payload / diff views, and deep diagnostic contexts
+  are normally Secondary Context or Tertiary Evidence / Diagnostics
+  surfaces.
+- These surfaces remain essential for verification, diagnosis, and
+  auditability, but they MUST NOT dominate default operator workflows
+  or primary navigation merely because the underlying objects exist.
+
+##### Default to decisions, not details
+
+- Default-visible information MUST first answer what happened, why it
+  matters, how urgent it is, what the system recommends, what impact
+  the decision has, and what action or approval is required now.
+- Internal IDs, relation depth, raw payloads, full snapshot history,
+  debug views, and unstructured technical detail MUST stay secondary
+  unless they are required for the first decision.
+
+##### Progressive disclosure is the default
+
+- Depth MUST be preserved but revealed on demand through
+  expand/collapse, drawers, tabs, side panels, explicit "Show details"
+  affordances, or focused drill-downs from a clear decision context.
+- The default workflow SHOULD let the operator decide before navigating
+  through diagnostic depth.
+- Primary flows MUST NOT force operators through multiple technical
+  subpages before a single governance decision can be made.
+
+##### Navigation follows workflows, not storage structures
+
+- Primary navigation and prominent entry points MUST follow operator
+  workflows such as pending decisions, alerts / escalations, reviews,
+  exceptions / accepted risks, governance priorities, and blocked or
+  failed automations.
+- Internal persistence terms such as OperationRuns, EvidenceItems,
+  PolicyVersions, StoredReports, or relational chains MAY exist as
+  supporting surfaces, but they do not earn primary information
+  architecture status by default.
+- Every navigation proposal MUST answer: does this reflect a working
+  task or only an internal storage structure?
+
+##### Meaning comes before model names
+
+- Operator-facing surfaces MUST prefer governance language such as
+  "Drift detected", "Exception expires soon", "Evidence incomplete",
+  "Review ready", "Remediation recommended", or "Further review
+  required".
+- Model names, table/entity language, relation terminology, and
+  implementation-first state labels MUST NOT be the primary UX
+  language when business meaning can be expressed directly.
+
+##### One case, one decision context
+
+- A single governance case SHOULD be decidable within one focused
+  context that brings together the problem, risk or relevance,
+  recommendation, impact, ownership, next action, approval options, and
+  optional detail beneath or beside the decision.
+- Operators MUST NOT be forced to reconstruct one decision across
+  multiple equal-rank Run, Evidence, Policy, Audit, and Finding pages
+  when the product can present one coherent decision context.
+
+##### Audit depth is mandatory; dominance is not
+
+- Enterprise-grade evidence, verification, and audit depth MUST remain
+  available.
+- Audit requirements do NOT justify default surfaces that look or
+  behave like forensic diagnostics consoles.
+- The standard operator flow SHOULD remain calm, prioritized, and
+  decision-led even when deep proof is available.
+
+##### New primary surfaces require strict justification
+
+- Every new top-level or otherwise prominent surface MUST justify:
+  1. which human-in-the-loop moment it supports,
+  2. why an existing surface is insufficient,
+  3. why a drawer, panel, tab, or embedded decision context is
+     insufficient,
+  4. what search, review, or click work it removes.
+- If those answers are weak, the work MUST reuse an existing decision
+  context or remain secondary/tertiary.
+
+##### Automation must reduce attention load
+
+- New automation, notification, or autonomous governance behavior MUST
+  measurably reduce search work, review work, or click load.
+- Automation that primarily creates extra lists, statuses, surfaces, or
+  detail work is non-conformant even if technically correct.
+- The review question is: does this make the platform quieter and
+  clearer, or merely larger?
+
+##### Calm default surfaces
+
+- The default workspace experience MUST distinguish clearly between
+  immediately actionable work, worth-watching context, and
+  reference-only information.
+- Unranked warning floods, parallel attention entry points, and
+  perpetual visual escalation are forbidden on primary surfaces.
+- A surface that only creates noise instead of priority is
+  non-conformant.
+
+##### Retrofit requirement
+
+- DECIDE-001 applies to existing as well as new surfaces.
+- Existing surfaces MUST be reclassified as Primary Decision,
+  Secondary Context, or Tertiary Evidence / Diagnostics surfaces and
+  then reviewed for prominence, disclosure, consolidation, and
+  workflow alignment.
+- Surface retrofit work SHOULD prefer reclassification and
+  consolidation before creating new navigation branches.
+
+##### Review gate
+
+Every operator-facing spec or PR that changes a surface MUST answer:
+1. What concrete decision or operator action does this support?
+2. Who is the human in the loop?
+3. What MUST be immediately visible for the first decision?
+4. What is preserved but only revealed on demand?
+5. Is this a Primary Decision Surface, Secondary Context Surface, or
+   Tertiary Evidence / Diagnostics Surface?
+6. If it is primary, why can it not live inside an existing decision
+   context?
+7. Does the navigation reflect a workflow or only storage structure?
+8. Does this reduce search, review, or click work?
+9. Does this make the product calmer and clearer instead of louder?
+
 #### Surface Taxonomy (UI-SURF-001)
 
-Every new admin surface MUST be assigned exactly one surface type before implementation. Ad-hoc interaction models are forbidden.
+Every new admin surface MUST be assigned exactly one broad action-surface
+class before implementation. Ad-hoc interaction models are forbidden.
+
+The allowed broad action-surface classes are:
+- Record / Detail / Edit
+- Monitoring / Queue / Workbench
+- List / Table / Bulk
+- Wizard / Flow
+- Utility / System
+
+Operator-facing surfaces MUST also declare exactly one detailed surface
+type from the taxonomy below. The broad class determines the action
+hierarchy first; the detailed surface type refines it.
 
 ##### CRUD / List-first Resource
 - Purpose: scan, find, open, and selectively mutate many business records.
@@ -380,6 +566,157 @@ ##### Detail-first Operational Surface
 - Destructive actions: detail header or grouped header actions only, always with confirmation.
 - Row click and explicit View/Inspect: not applicable.
 
+#### Action Surface Discipline (ACTSURF-001)
+
+Goal: actions across all surfaces MUST make the next sensible operator
+step obvious, keep safe navigation distinct from mutation, and prevent
+dangerous or governance-relevant actions from sitting casually beside
+harmless context changes.
+
+##### Surface class first
+
+- Every new or materially changed surface MUST declare exactly one broad
+  action-surface class before actions are designed.
+- Different surface classes MAY use different action models only when
+  the difference is deliberate, documented, and justified by the
+  workflow.
+- Detailed surface types refine the rule set; they do not replace the
+  broad class requirement.
+
+##### Record / Detail / Edit surfaces
+
+- Classic record/detail/edit pages MUST expose at most one visible
+  primary header action.
+- Pure navigation MUST NOT live in the header when it can be placed
+  inline at summary, field, badge, status, or related-context level.
+- Secondary, rare, or administrative actions MUST be grouped.
+- Multiple equally weighted mutation buttons in the header are
+  forbidden.
+- Destructive, irreversible, or governance-relevant actions MUST be
+  clearly separated from routine actions.
+- The likely next operator step MUST be recognizable within seconds.
+- HDR-001 is the binding specialization for record/detail/edit headers.
+
+##### Monitoring / Queue / Workbench surfaces
+
+- Surface-level context, scope context, navigation, selection actions,
+  and object actions MUST NOT be mixed as one flat header strip.
+- Scope indicators are context signals, not ordinary calls to action.
+- Selection-dependent actions SHOULD become prominent only when a
+  selection or focused object actually exists.
+- Record-page header rules MUST NOT be copied blindly onto workbench
+  surfaces.
+- Workbench surfaces MAY use a different action model, but that model
+  MUST be explicit, repeatable, and internally consistent.
+
+##### List / Table / Bulk surfaces
+
+- Inspect/open affordances MUST remain consistent within the same
+  surface class.
+- Bulk actions are allowed only for genuine multi-record work.
+- Row actions MUST NOT dominate reading and scanning.
+- Rare, destructive, or governance-relevant actions MUST NOT accumulate
+  casually in default row actions.
+- Tables exist primarily to scan, filter, compare, and decide; they
+  MUST NOT become unstructured action stockpiles.
+
+##### Wizard / Flow surfaces
+
+- Wizard actions MUST reflect staged progression, explicit back/cancel
+  semantics, and safe confirmation at the step where risk becomes real.
+- Wizard pages MAY expose more than one visible action when the flow
+  genuinely requires progression, backtracking, or guarded cancellation.
+- Even in a wizard, the next primary step MUST remain obvious.
+
+##### Utility / System surfaces
+
+- Utility and system pages MAY use narrower tooling-oriented action
+  sets, but they MUST still separate safe navigation, routine control,
+  and dangerous intervention.
+- System or recovery status does not justify casual placement of
+  destructive or governance-changing actions.
+
+##### Action grouping and order
+
+- Actions MUST be ordered by meaning, frequency, and risk.
+- The preferred order is:
+  1. primary next step
+  2. common secondary action
+  3. rare or contextual action
+  4. dangerous or irreversible action
+- An `ActionGroup` / More menu is not a junk drawer. Navigation,
+  mutation, external links, and destructive actions inside a group MUST
+  still be named, ordered, and separated coherently.
+
+##### Navigation vs mutation
+
+- Navigation and mutation are different intent classes and MUST NOT
+  appear as equal-weight peers without explicit hierarchy.
+- Harmless context switches MUST NOT visually overpower
+  governance-relevant actions.
+- Pure context navigation SHOULD live near the content it concerns
+  rather than as header filler.
+
+##### Governance friction
+
+- Actions with risk, blast radius, or irreversible effect MUST use
+  shared governance-friction rules rather than per-surface improvisation.
+- Depending on impact, the required friction is confirmation, optional
+  reason, mandatory reason, typed confirmation, or staged flow.
+- Clear danger semantics and separated placement are mandatory for
+  dangerous or governance-changing actions.
+
+##### Exceptions require explicit reason
+
+- New surfaces MAY deviate only when the surface class or workflow truly
+  requires it.
+- Allowed justification labels are:
+  - Special type
+  - Workflow hub
+  - Wizard
+  - Utility / System surface
+  - Another clearly defined exception documented in the governing spec
+- "Historically grew this way" and "it was easy to add to the header"
+  are invalid reasons.
+
+##### Reuse before invention
+
+- New features MUST reuse existing disciplined patterns, reference
+  architectures, and shared primitives when they fit the chosen surface
+  class.
+- Reference patterns are reuse baselines, not automatic mandates for
+  every surface.
+
+##### Constitution over convenience
+
+- Local implementation speed MUST NOT override consistent action
+  hierarchy.
+- No new feature may introduce:
+  - multiple equal-rank header mutations without a clear primary
+  - navigation as casual header filler
+  - unreflective mixing of record, workbench, and governance patterns
+  - new local exceptions without explicit rationale
+
+##### Review gate
+
+Every new or materially changed surface with actions MUST answer:
+1. What broad action-surface class is it?
+2. What is the one most likely next operator action?
+3. Is navigation cleanly separated from mutation?
+4. Are rare or risky actions removed from the primary plane?
+5. Is the hierarchy scanable in a few seconds?
+6. Is this a real special type or just an unordered exception?
+
+If those answers are not clear, the surface is non-conformant.
+
+##### Canonical outcome
+
+- The goal is not the smallest possible number of buttons.
+- A conformant surface highlights the next sensible step, separates
+  context, navigation, mutation, and danger cleanly, remains structured
+  as capability grows, and applies the same principles consistently
+  across the product.
+
 #### Hard Rules (UI-HARD-001)
 
 ##### Primary inspect model
@@ -512,6 +849,8 @@ #### Filament UI — Action Surface Contract (NON-NEGOTIABLE)
 
 Behavior over declaration
 - Every spec MUST include both a UI/UX Surface Classification and a UI Action Matrix.
+- Every changed operator-facing surface MUST declare its broad
+  action-surface class and the one most likely next operator action.
 - Custom action-surface contracts are legitimate only when they validate rendered behavior, not only declarations or slot counts.
 - A change is not Done unless the implemented interaction semantics conform to the declared surface type or an approved exception documents and tests the deviation.
 
@@ -535,7 +874,10 @@ #### Filament UI — Layout & Information Architecture Standards (UX-001)
 - When records exist, that primary CTA moves to the header and MUST NOT be duplicated in the empty state shell.
 
 Actions and flows
-- Pages SHOULD expose at most one primary header action and one secondary header action; all others belong in groups.
+- Record / Detail / Edit pages MUST expose at most one visible primary
+  header action. Any additional visible secondary header action requires
+  explicit justification under ACTSURF-001 / HDR-001; the rest belong in
+  groups or contextual placement.
 - Multi-step or high-risk flows MUST use a wizard or an equivalent staged flow with preview and confirmation.
 - Destructive actions remain non-primary and confirmed.
 
@@ -548,6 +890,128 @@ #### Filament UI — Layout & Information Architecture Standards (UX-001)
 - Shared layout builders such as `MainAsideForm`, `MainAsideInfolist`, and `StandardTableDefaults` SHOULD be reused where available.
 - A change is not Done unless UX-001 is satisfied or an approved exception documents why not.
 
+#### Record / Detail / Edit Header Discipline & Contextual Navigation (HDR-001)
+
+Goal: record, detail, and edit pages MUST be comprehensible within
+seconds. HDR-001 is the binding record/detail/edit specialization of
+ACTSURF-001.
+
+Header actions are reserved for the primary workflow of the current page
+and MUST NOT become a dumping ground for every available action or
+navigation jump.
+
+##### Core rule
+
+Header actions MUST contain only workflow-critical actions of the
+currently displayed record. Pure navigation, relational jumps, and
+contextual references do not belong in the header; they belong directly
+at the affected field, status indicator, or relation.
+
+##### Maximum one primary visible header action
+
+- Each record/detail page MUST expose at most one clearly prioritized
+  primary visible header action.
+- That action MUST represent the most obvious next operator step on
+  exactly this page.
+- Multiple equally weighted mutation buttons in the header are
+  forbidden.
+
+##### Navigation does not belong in headers
+
+- Actions such as "Open finding", "Open queue", "View related run",
+  "Open tenant", or similar jumps are navigation actions, not primary
+  object actions.
+- They MUST be placed as contextual navigation at fields, badges,
+  relation entries, or status displays — never in the header.
+
+##### Destructive or governance-changing actions require friction
+
+- Actions with operational, security-relevant, or governance-changing
+  effect MUST NOT stand at the same visual level as the primary action.
+- They MUST either:
+  - be rendered as a clearly separated danger action, or
+  - be placed in an Action Group / More Actions.
+- They MUST always require explicit confirmation
+  (`->requiresConfirmation()`).
+- If an action changes governance truth, compliance status, risk
+  acceptance, exception validity, or equivalent system truths,
+  additional friction is mandatory (e.g., typed confirmation, reason
+  field, or staged flow).
+
+##### Rare secondary actions belong in an Action Group
+
+- Actions that are not part of the expected core workflow of the page
+  or are only occasionally needed MUST NOT appear as equally weighted
+  visible header buttons.
+- They MUST be placed in an Action Group.
+- The Action Group itself MUST remain structured; it MUST NOT become an
+  unlabelled mix of navigation, external links, mutations, and danger.
+
+##### Header clarity over implementation convenience
+
+- The fact that a framework makes header actions easy to add is not a
+  reason to place actions there.
+- Information architecture, scanability, and operator clarity take
+  precedence over implementation convenience.
+
+##### 5-second scan rule
+
+Every record/detail page MUST pass the 5-second scan rule:
+
+1. The operator instantly recognizes where they are.
+2. The operator instantly sees the status of the object.
+3. The operator instantly identifies the one central next action.
+4. The operator immediately understands where secondary or dangerous
+   actions live.
+
+If multiple equally weighted header buttons degrade this readability,
+it is a constitution violation.
+
+##### Placement rules
+
+Allowed in the header:
+- One primary workflow action.
+- Optionally one clearly justified secondary action.
+- Rare or administrative actions only when grouped.
+- Critical/destructive actions only when separated and with friction.
+
+Forbidden in the header:
+- Pure navigation to related objects.
+- Relational jumps without immediate workflow relevance.
+- Collections of technically available standard actions.
+- Multiple equally weighted buttons without clear prioritization.
+
+##### Preferred pattern
+
+| Slot | Placement |
+|---|---|
+| Primary visible | Exactly 1 |
+| Danger | Separated or grouped, never casual beside Primary |
+| Navigation | Inline at context (field, badge, relation) |
+| Rare actions | More / Action Group |
+
+##### Binding decision — Exception / Approval surfaces
+
+For exception detail pages specifically:
+- **Renew exception** MAY appear as the primary visible header action.
+- **Revoke exception** is a governance-changing danger action and MUST
+  require friction (separated + confirmation).
+- **Open finding** MUST be placed as a link at the Finding field, not
+  in the header.
+- **Open approval queue** MUST be placed as a contextual link at
+  approval / status context, not in the header.
+
+##### Reviewer heuristics
+
+A page violates HDR-001 if any of the following are true:
+- Multiple equally weighted header actions without clear workflow
+  priority.
+- Pure navigation buttons in the header.
+- Danger actions beside normal actions without clear separation.
+- Rarely used administrative actions as visible standard buttons.
+- The header resembles an action stockpile instead of a focused
+  workflow entry point.
+
 #### Operator-facing UI Naming Standards (UI-NAMING-001)
 
 Goal: operator-facing actions, runs, notifications, audit prose, and navigation MUST use one clear domain vocabulary.
@@ -632,17 +1096,58 @@ #### Spec Scope Fields (SCOPE-002)
 #### Enforcement Model (UI-REVIEW-001)
 
 Spec review requirements
-- Every spec that changes an operator-facing surface MUST answer: surface type, primary inspect/open model, row-click rule, whether explicit View/Inspect exists or is forbidden, where secondary actions live, where destructive actions live, canonical collection route, canonical detail route, scope signals and their exact meaning, canonical noun, critical truth visible by default, and whether an exception type is used.
+- Every spec that changes an operator-facing surface MUST answer:
+  decision-role prominence, human-in-the-loop moment, immediate-visible
+  decision information, on-demand evidence/diagnostics boundary,
+  whether a new primary surface is actually justified, broad
+  action-surface class, detailed surface type, one likely next operator
+  action, primary inspect/open model, row-click rule, whether explicit
+  View/Inspect exists or is forbidden, where navigation lives, where
+  secondary actions live, where destructive actions live, how grouped
+  actions are ordered, canonical collection route, canonical detail
+  route, scope signals and their exact meaning, canonical noun,
+  critical truth visible by default, workflow-vs-storage IA
+  justification, attention-load reduction, and whether an exception
+  type is used.
 - Missing any of those answers makes the spec incomplete.
 
 PR review requirements
-- A PR MUST NOT pass when it introduces more than one primary inspect model, redundant View beside row click, destructive inline actions beside inspect on standard lists, empty overflow or bulk groups, long workflow labels in dense rows, misleading scope chips, drifting domain nouns, hidden critical operational truth, or undocumented exceptions without dedicated tests.
+- A PR MUST NOT pass when it introduces more than one primary inspect
+  model, redundant View beside row click, destructive inline actions
+  beside inspect on standard lists, empty overflow or bulk groups, long
+  workflow labels in dense rows, misleading scope chips, drifting domain
+  nouns, hidden critical operational truth, flat record headers with
+  multiple equal-weight mutations, workbench headers that mix scope,
+  selection, navigation, and object actions as peers, a primary surface
+  with no clear human-in-the-loop purpose, detail/evidence objects
+  promoted into primary navigation without justification, one case
+  fragmented across multiple equal-rank pages, new automation that adds
+  attention surfaces without reducing operator work, noisy default
+  surfaces with no action/watch/reference hierarchy, or undocumented
+  exceptions without dedicated tests.
 
 Guard tests
-- Repository guards SHOULD validate: declared surface type, conformant primary inspect model, absence of redundant View actions, presence of explicit Inspect on Queue / Review and History / Audit surfaces, absence of empty `ActionGroup` or `BulkActionGroup`, correct placement of destructive actions, truthful scope signals, stable canonical nouns across shells, and dedicated tests for every approved exception.
+- Repository guards SHOULD validate: declared surface type, declared
+  decision-role prominence where specs or metadata expose it,
+  conformant primary inspect model, absence of redundant View actions,
+  presence of explicit Inspect on Queue / Review and History / Audit
+  surfaces, absence of empty `ActionGroup` or `BulkActionGroup`,
+  correct placement of destructive actions, truthful scope signals,
+  stable canonical nouns across shells, and dedicated tests for every
+  approved exception.
 
 #### Immediate Retrofit Priorities
 
+Wave 0 - Surface role classification
+- First classify existing surfaces as Primary Decision, Secondary
+  Context, or Tertiary Evidence / Diagnostics surfaces.
+- For each surface, determine whether its current prominence is
+  justified, which detail can move into progressive disclosure, and
+  whether several technical pages should collapse into one decision
+  context.
+- Wave 0 is done only when primary navigation candidates are grounded
+  in workflows rather than storage structures.
+
 Wave 1 - Interaction normalization
 - First fixes target redundant row click plus View, destructive row actions on standard lists, empty overflow or bulk groups, and rows that have become pseudo-control centers.
 - First-slice focus surfaces are Tenants, Workspaces, Policies, Alert Deliveries, and other CRUD-first list surfaces with the same drift pattern.
@@ -656,6 +1161,23 @@ #### Immediate Retrofit Priorities
 
 #### Appendix A - One-page Condensed Constitution
 
+- Every operator-facing surface declares one decision role:
+  Primary Decision, Secondary Context, or Tertiary Evidence /
+  Diagnostics.
+- Primary surfaces exist to help a human prioritize, judge, approve,
+  reject, escalate, or act.
+- Evidence and diagnostics remain available but do not dominate the
+  default workflow.
+- Default to decisions, not details.
+- Progressive disclosure preserves depth without forcing it into the
+  first decision.
+- Navigation follows workflows, not storage structures.
+- One governance case should be decidable in one focused context.
+- Automation must reduce attention load.
+- Default surfaces stay calm, prioritized, and explicit about what is
+  actionable, worth watching, and reference-only.
+- Every new or materially changed surface declares one broad
+  action-surface class first.
 - Every admin surface has one surface type.
 - Every list has exactly one primary inspect/open model.
 - CRUD and Registry surfaces use one-click open.
@@ -665,6 +1187,10 @@ #### Appendix A - One-page Condensed Constitution
 - Destructive actions never sit openly beside inspect on standard lists.
 - Overflow is standardized per surface class and is never empty.
 - Bulk exists only when it is genuinely useful.
+- Navigation and mutation do not share equal visual weight without
+  explicit hierarchy.
+- Monitoring and workbench surfaces separate scope/context, selection,
+  navigation, and object actions.
 - Scope chips must be truthful.
 - Domain nouns are canonical and stable.
 - Critical operational truth is default-visible.
@@ -672,14 +1198,28 @@ #### Appendix A - One-page Condensed Constitution
 - Standard lists stay scanable.
 - Exceptions are catalogued, justified, and tested.
 - Features with ambiguous interaction semantics do not ship.
+- Header actions on record/detail pages expose at most one primary action; navigation belongs at context, not in the header.
 
 #### Appendix B - Feature Review Checklist
 
-- Surface type is declared.
+- Decision-role prominence is declared.
+- The human-in-the-loop moment is explicit.
+- Immediate-visible decision information is explicit.
+- On-demand evidence / diagnostics boundaries are explicit.
+- Any new primary surface is justified against an existing decision
+  context.
+- Navigation reflects a workflow rather than storage structure.
+- One governance case stays decidable in one focused context.
+- The feature reduces search, review, or click work.
+- The resulting surface is calmer and clearer, not merely larger.
+- Broad action-surface class is declared.
+- Detailed surface type is declared.
+- The one most likely next operator action is explicit.
 - Primary inspect/open model is defined.
 - Row-click rule is decided.
 - View/Inspect is correctly present or correctly forbidden.
 - Edit-as-inspect is used only when allowed.
+- Navigation and mutation are separated intentionally.
 - Secondary actions are grouped correctly.
 - Destructive actions are placed correctly.
 - Overflow is not empty.
@@ -690,20 +1230,40 @@ #### Appendix B - Feature Review Checklist
 - Critical truth is visible.
 - Scanability is preserved.
 - Exceptions are documented and tested.
+- Header passes the 5-second scan rule (HDR-001).
+- No pure navigation in the header.
+- Governance-changing actions have extra friction.
+- Any special type or workflow-hub exception is real and justified.
 
 #### Appendix C - Red Flags for Future PRs
 
+- A primary surface has no clear human-in-the-loop moment.
+- A technical object hub is promoted into primary navigation without
+  workflow justification.
+- Default-visible content behaves like a diagnostics console instead of
+  a decision surface.
+- The operator must assemble one decision from multiple equal-rank Run,
+  Evidence, Policy, Audit, or Finding pages.
+- A feature adds automation, alerts, or statuses that increase net
+  attention load.
+- The surface creates more noise than priority.
 - Row click and View open the same destination.
 - A row becomes a control center.
 - Archive or Delete sits openly beside View or Inspect on a standard list.
 - More menus or bulk menus are empty.
+- A More menu becomes a mixed junk drawer with no ordering logic.
 - Scope chips have no real scope effect.
 - Runs and Operations are used as competing primary collection nouns.
 - Long workflow labels live in dense tables.
 - Edit is used as default inspect even though a true View surface exists.
 - Queue surfaces throw the operator out of context through row click.
+- A workbench surface mixes scope, selection, navigation, and object
+  actions as one flat header rail.
 - Critical health or operability truth is hidden by default.
 - A contract claims conformance while the rendered UI behaves differently.
+- Header has multiple equally weighted buttons without clear prioritization.
+- "Open X" navigation links placed in the header instead of at the related field.
+- Governance-changing actions sit casually beside the primary action without friction.
 
 ### Data Minimization & Safe Logging
 - Inventory MUST store only metadata + whitelisted `meta_jsonb`.
@@ -774,6 +1334,9 @@ ### Scope, Compliance, and Review Expectations
 - This constitution applies across the repo. Feature specs may add stricter constraints but not weaker ones.
 - Restore semantics changes require: spec update, checklist update (if applicable), and tests proving safety.
 - Specs and PRs that introduce new persisted truth, abstractions, states, DTO/presenter layers, or taxonomies MUST include the proportionality review required by BLOAT-001.
+- Specs and PRs that change operator-facing surfaces MUST classify each
+  affected surface under DECIDE-001 and justify any new Primary
+  Decision Surface or workflow-first navigation change.
 - Review and approval MUST favor simplification, replacement, and absorption over additive semantic layering.
 - Future-release preparation alone is not sufficient justification for new persistence or frameworkization unless security, tenant isolation, auditability, compliance evidence, or queue correctness already require it.
 
@@ -787,4 +1350,4 @@ ### Versioning Policy (SemVer)
 - **MINOR**: new principle/section or materially expanded guidance.
 - **MAJOR**: removing/redefining principles in a backward-incompatible way.
 
-**Version**: 2.0.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-03-28
+**Version**: 2.3.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-04-12

.specify/memory/spec-approval-rubric.md

@@ -0,0 +1,236 @@
+# TenantPilot Spec Approval Rubric (Anti-Overengineering Guardrails)
+
+## Leitsatz
+
+> Kein neuer Layer ohne klaren Operatorgewinn, und kein neuer Spec nur für interne semantische Schönheit.
+
+Ein neuer Spec ist nur dann stark genug, wenn er **sichtbar mehr Produktwahrheit oder Operator-Wirkung** erzeugt als er dauerhafte Systemkomplexität importiert.
+
+Jeder Spec muss zwei Dinge gleichzeitig beweisen:
+
+1. Welches echte Problem wird gelöst?
+2. Warum ist diese Lösung die kleinste enterprise-taugliche Form?
+
+Wenn der Spec nur interne Eleganz, feinere Semantik oder mehr Konsistenz bringt, aber keinen klaren Workflow-, Trust- oder Audit-Gewinn, dann ist er **verdächtig**.
+
+---
+
+## 5 Pflichtfragen vor jeder Freigabe
+
+Ein Spec darf nur weiterverfolgt werden, wenn diese 5 Fragen sauber beantwortet sind.
+
+### A. Welcher konkrete Operator-Workflow wird besser?
+
+Nicht abstrakt „Konsistenz verbessern", sondern konkret: welcher Nutzer, auf welcher Fläche, in welchem Schritt, mit welchem heutigen Schmerz, und was danach schneller, sicherer oder ehrlicher wird.
+
+Wenn kein klarer Vorher/Nachher-Workflow benennbar ist → Spec ist zu abstrakt.
+
+### B. Welche falsche oder gefährliche Produktaussage wird verhindert?
+
+Legitime Antworten:
+
+- Falscher „alles okay"-Eindruck
+- Irreführende Recovery-Claims
+- Unsaubere Ownership
+- Fehlende nächste Aktion
+- Fehlende Audit-Nachvollziehbarkeit
+- Tenant/Workspace Leakage
+- RBAC-Missverständnisse
+
+Wenn ein Spec weder Workflow noch Trust verbessert → kaum zu rechtfertigen.
+
+### C. Was ist die kleinste brauchbare Version?
+
+Explizit benennen:
+
+- Was ist die v1-Minimalversion?
+- Welche Teile sind bewusst nicht enthalten?
+- Welche Generalisierung wird absichtlich verschoben?
+
+Wenn v1 wie ein Framework, eine Plattform oder eine universelle Taxonomie klingt → zu groß.
+
+### D. Welche dauerhafte Komplexität entsteht?
+
+Nicht nur Implementierungsaufwand, sondern Dauerfolgen:
+
+- Neue Models / Tables?
+- Neue Enums / Statusachsen?
+- Neue UI-Semantik?
+- Neue cross-surface Contracts?
+- Neue Tests, die dauerhaft gepflegt werden müssen?
+- Neue Begriffe, die jeder verstehen muss?
+
+Wenn die Liste lang ist → Produktgewinn muss entsprechend hoch sein.
+
+### E. Warum jetzt?
+
+Legitime Gründe:
+
+- Blockiert Kernworkflow
+- Verhindert gefährliche Fehlinterpretation
+- Ist Voraussetzung für unmittelbar folgende Hauptdomäne
+- Beseitigt echten systemischen Widerspruch
+- Wird bereits von mehreren Flächen schmerzhaft benötigt
+
+Schwache Gründe:
+
+- „wäre sauberer"
+- „brauchen wir später bestimmt"
+- „passt gut zur Architektur"
+- „macht das Modell vollständiger"
+
+---
+
+## 4 Spec-Klassen
+
+Jeden Kandidaten zwingend in genau eine Klasse einordnen.
+
+### Klasse 1 — Core Enterprise Spec
+
+Mindestens eins muss stimmen:
+
+- Schützt echte System-/Tenant-/RBAC-Korrektheit
+- Verhindert falsche Governance-/Recovery-/Audit-Aussagen
+- Schließt klaren Workflow-Gap
+- Beseitigt cross-surface Widerspruch mit realem Operator-Schaden
+- Ist echte Voraussetzung für eine wichtige Produktfunktion
+
+Dürfen Komplexität einführen, aber nur gezielt.
+
+### Klasse 2 — Workflow Compression Spec
+
+Gut, wenn sie:
+
+- Klickpfade verkürzen
+- Kontextverlust senken
+- Return-/Drilldown-Kontinuität verbessern
+- Triage-/Review-/Run-Bearbeitung beschleunigen
+
+Nützlich, aber klein halten.
+
+### Klasse 3 — Cleanup / Consolidation
+
+- Vereinfachung, Zusammenführung, Entkopplung
+- Entfernen von Legacy / Duplikaten
+- Reduktion unnötiger Schichten
+
+Explizit erwünscht als Gegengewicht zu Wachstum.
+
+### Klasse 4 — Premature / Defer
+
+Wenn der Kandidat hauptsächlich bringt:
+
+- Neue Semantik, Frameworks, Taxonomien
+- Generalisierung für künftige Fälle
+- Infrastruktur ohne breite aktuelle Nutzung
+
+→ Nicht freigeben. Verschieben oder brutal einkürzen.
+
+---
+
+## Rote Flaggen
+
+Wenn **zwei oder mehr** zutreffen → Spec muss aktiv verteidigt werden.
+
+| # | Rote Flagge | Prüffrage |
+|---|---|---|
+| 1 | **Neue Achsen** — neues Truth-Modell, Statusdimension, Taxonomie, Bewertungsachse | Braucht der Operator das wirklich, oder nur das Modell? |
+| 2 | **Neue Meta-Infrastruktur** — Presenter, Resolver, Catalog, Matrix, Registry, Builder, Policy-Layer | Sehr hoher Beweiswert nötig. |
+| 3 | **Viele Flächen, wenig Nutzerwert** — 6 Flächen „harmonisiert", kein klarer Nutzerflow besser | Architektur um ihrer selbst willen? |
+| 4 | **Klingt nach Foundation** — foundation, framework, generalized, reusable, future-proof, canonical semantics | Fast immer erklärungsbedürftig. |
+| 5 | **Mehr Begriffe als Outcomes** — lange semantische Erklärung, Nutzerverbesserung kaum in einem Satz | Verdächtig. |
+| 6 | **Mehrere Mikrospecs für eine Domäne** — foundation + semantics + presentation + hardening + integration | Zu fein zerlegt. |
+
+---
+
+## Grüne Flaggen
+
+- Löst klar beobachtbaren Operator-Schmerz
+- Verbessert echte Entscheidungssituation
+- Verhindert konkrete Fehlinterpretation
+- Reduziert Navigation oder Denkaufwand
+- Vereinfacht bereits existierende Komplexität
+- Führt wenig neue Begriffe ein
+- Hat klare Nicht-Ziele
+- Ist in einer Sitzung gut erklärbar
+- Braucht keine neue Meta-Schicht
+- Macht mehrere Flächen einfacher statt abstrakter
+
+---
+
+## Bewertungsraster (0–2 pro Dimension)
+
+| Dimension | 0 | 1 | 2 |
+|---|---|---|---|
+| **Nutzen** | unklar | lokal nützlich | klarer Workflow-/Trust-/Audit-Gewinn |
+| **Dringlichkeit** | kann warten | sinnvoll bald | blockiert oder schützt Wichtiges jetzt |
+| **Scope-Disziplin** | wirkt wie Framework/Plattform | etwas breit | klar begrenzte v1 |
+| **Komplexitätslast** | hohe dauerhafte Last | mittel | niedrig / gut beherrschbar |
+| **Produktnähe** | vor allem intern/architektonisch | gemischt | direkt spürbar für Operatoren |
+| **Wiederverwendung belegt** | hypothetisch | wahrscheinlich | bereits an mehreren echten Stellen nötig |
+
+### Auswertung
+
+| Score | Entscheidung |
+|---|---|
+| **10–12** | Freigabefähig |
+| **7–9** | Nur freigeben wenn Scope enger gezogen wird |
+| **4–6** | Verschieben oder zu Cleanup/Micro-Follow-up downgraden |
+| **0–3** | Nicht freigeben |
+
+---
+
+## TenantPilot-spezifische Regeln
+
+### Regel A — Keine neue semantische Achse ohne UI-Beweis
+
+Wo wird sie sichtbar? Warum reichen bestehende Achsen nicht? Welche Fehlentscheidung bleibt ohne sie bestehen?
+
+### Regel B — Keine neue Support-/Presentation-Schicht ohne ≥ 3 echte Verbraucher
+
+Registry, Resolver, Catalog, Presenter, Matrix, Explanation-Layer → nur mit mindestens drei echten (nicht künstlich erzeugten) Verbrauchern. Sonst lokal lösen.
+
+### Regel C — Keine Spec-Aufspaltung unterhalb Operator-Domäne
+
+Wenn ein Thema nicht eigenständig als Operator-Problem beschrieben werden kann → kein eigener Spec.
+
+### Regel D — Jeder neue Status braucht eine echte Folgehandlung
+
+Neue Status/Outcome nur erlaubt wenn sie etwas Konkretes ändern: andere nächste Aktion, anderes Routing, andere Audit-Bedeutung, andere Workflow-Behandlung.
+
+### Regel E — Consolidation ist ein legitimer Spec-Typ
+
+Zusammenführen von Semantik, Reduktion von Komplexität, Entfernen von Parallelmodellen, Vereinfachung von Navigation/Resolvern, Rückbau unnötiger Zwischenlayer — aktiv Platz geben.
+
+---
+
+## Freigabe-Template (Pflichtabschnitt in spec.md)
+
+```markdown
+## Spec Candidate Check
+
+- **Problem**: [Konkreter Operator-Schmerz oder Trust-Gap heute]
+- **Today's failure**: [Welche Fehlentscheidung / Verlangsamung / irreführende Produktaussage passiert aktuell?]
+- **User-visible improvement**: [Was wird konkret schneller, sicherer oder ehrlicher?]
+- **Smallest enterprise-capable version**: [Kleinste Version die das Problem sauber löst]
+- **Explicit non-goals**: [Was wird bewusst nicht modelliert/generalisiert/frameworkisiert?]
+- **Permanent complexity imported**: [Neue Models, Status, Enums, Services, Support-Layer, Tests, UI-Konzepte, Begriffe]
+- **Why now**: [Warum jetzt wichtiger als später?]
+- **Why not local**: [Warum reicht keine lokale, schmale Lösung?]
+- **Approval class**: [Core Enterprise / Workflow Compression / Cleanup / Defer]
+- **Red flags triggered**: [Welche roten Flaggen treffen zu?]
+- **Score**: [Nutzen: _ | Dringlichkeit: _ | Scope: _ | Komplexität: _ | Produktnähe: _ | Wiederverwendung: _ | **Gesamt: _/12**]
+- **Decision**: [approve / shrink / merge / defer / reject]
+```
+
+---
+
+## Erlaubt vs. Verdächtig (Schnellreferenz)
+
+| Erlaubt | Verdächtig |
+|---|---|
+| Echte Workflow-Specs | Neue truth sub-axes |
+| Governance-/Finding-/Review-Bearbeitbarkeit | Neue explanation frameworks |
+| Trust-/Audit-/RBAC-Härtung | Neue presentation taxonomies |
+| Portfolio-Operator-Durchsatzverbesserungen | Neue generalized support layers |
+| Consolidation-Specs | Mikro-Specs für bereits stark zerlegte Domänen |

.specify/templates/plan-template.md

@@ -58,6 +58,14 @@ ## Constitution Check
 - Badge semantics (BADGE-001): status-like badges use `BadgeCatalog` / `BadgeRenderer`; no ad-hoc mappings; new values include tests
 - Filament-native UI (UI-FIL-001): admin/operator surfaces use native Filament components or shared primitives first; no ad-hoc status UI, local semantic color/border decisions, or hand-built replacements when native/shared semantics exist; any exception is explicitly justified
 - UI/UX surface taxonomy (UI-CONST-001 / UI-SURF-001): every changed operator-facing surface is classified as exactly one allowed surface type; ad-hoc interaction models are forbidden
+- Decision-first operating model (DECIDE-001): each changed
+  operator-facing surface is classified as Primary Decision,
+  Secondary Context, or Tertiary Evidence / Diagnostics; primary
+  surfaces justify the human-in-the-loop moment, default-visible info
+  is limited to first-decision needs, deep proof is progressive
+  disclosed, one governance case stays decidable in one context where
+  practical, navigation follows workflows not storage structures, and
+  automation / alerts reduce attention load instead of adding noise
 - UI/UX inspect model (UI-HARD-001): each list surface has exactly one primary inspect/open model; redundant View beside row click or identifier click is forbidden; edit-as-inspect is limited to Config-lite resources
 - UI/UX action hierarchy (UI-HARD-001 / UI-EX-001): standard CRUD and Registry rows expose at most one inline safe shortcut; destructive actions are grouped or in the detail header; queue exceptions are catalogued, justified, and tested
 - UI/UX scope, truth, and naming (UI-HARD-001 / UI-NAMING-001 / OPSURF-001): scope signals are truthful, canonical nouns stay stable across shells, critical operational truth is default-visible, and standard lists remain scanable
@@ -70,7 +78,15 @@ ## Constitution Check
 - Operator surfaces (OPSURF-001): workspace and tenant context remain explicit in navigation, actions, and page semantics; tenant surfaces do not silently expose workspace-wide actions
 - Operator surfaces (OPSURF-001): each new or materially refactored operator-facing page defines a page contract covering persona, surface type, operator question, default-visible info, diagnostics-only info, status dimensions, mutation scope, primary actions, and dangerous actions
 - Filament UI Action Surface Contract: for any new/modified Filament Resource/RelationManager/Page, define Header/Row/Bulk/Empty-State actions, ensure every List/Table has a surface-appropriate inspect affordance, remove redundant View when row click or identifier click already opens the same destination, keep standard CRUD/Registry rows to inspect plus at most one inline safe shortcut, group or relocate the rest to “More” or detail header, forbid empty bulk/overflow groups, require confirmations for destructive actions, write audit logs for mutations, enforce RBAC via central helpers (non-member 404, member missing capability 403), and ensure CI blocks merges if the contract is violated or not explicitly exempted
-- Filament UI UX-001 (Layout & IA): Create/Edit uses Main/Aside (3-col grid, Main=columnSpan(2), Aside=columnSpan(1)); all fields inside Sections/Cards (no naked inputs); View uses Infolists (not disabled edit forms); status badges use BADGE-001; empty states have specific title + explanation + 1 CTA; max 1 primary + 1 secondary header action; tables provide search/sort/filters for core dimensions; shared layout builders preferred for consistency
+- Filament UI UX-001 (Layout & IA): Create/Edit uses Main/Aside (3-col grid, Main=columnSpan(2), Aside=columnSpan(1)); all fields inside Sections/Cards (no naked inputs); View uses Infolists (not disabled edit forms); status badges use BADGE-001; empty states have specific title + explanation + 1 CTA; max 1 primary + 1 secondary header action (see HDR-001); tables provide search/sort/filters for core dimensions; shared layout builders preferred for consistency
+- Action-surface discipline (ACTSURF-001 / HDR-001): every changed
+  surface declares one broad action-surface class; the spec names the
+  one likely next operator action; navigation is separated from
+  mutation; record/detail/edit pages keep at most one visible primary
+  header action; monitoring/workbench surfaces separate scope/context,
+  selection actions, navigation, and object actions; risky or rare
+  actions are grouped and ordered by meaning/frequency/risk; any special
+  type or workflow-hub exception is explicit and justified
 ## Project Structure
 
 ### Documentation (this feature)

.specify/templates/spec-template.md

@@ -5,6 +5,24 @@ # Feature Specification: [FEATURE NAME]
 **Status**: Draft  
 **Input**: User description: "$ARGUMENTS"
 
+## Spec Candidate Check *(mandatory — SPEC-GATE-001)*
+
+<!-- This section MUST be completed before the spec progresses beyond Draft.
+     See .specify/memory/spec-approval-rubric.md for the full rubric. -->
+
+- **Problem**: [Konkreter Operator-Schmerz oder Trust-Gap heute]
+- **Today's failure**: [Welche Fehlentscheidung / Verlangsamung / irreführende Produktaussage passiert aktuell?]
+- **User-visible improvement**: [Was wird konkret schneller, sicherer oder ehrlicher?]
+- **Smallest enterprise-capable version**: [Kleinste Version die das Problem sauber löst]
+- **Explicit non-goals**: [Was wird bewusst nicht modelliert/generalisiert/frameworkisiert?]
+- **Permanent complexity imported**: [Neue Models, Status, Enums, Services, Support-Layer, Tests, UI-Konzepte, Begriffe]
+- **Why now**: [Warum jetzt wichtiger als später?]
+- **Why not local**: [Warum reicht keine lokale, schmale Lösung?]
+- **Approval class**: [Core Enterprise / Workflow Compression / Cleanup / Defer]
+- **Red flags triggered**: [Welche roten Flaggen treffen zu? Wenn ≥ 2: explizite Verteidigung nötig]
+- **Score**: [Nutzen: _ | Dringlichkeit: _ | Scope: _ | Komplexität: _ | Produktnähe: _ | Wiederverwendung: _ | **Gesamt: _/12**]
+- **Decision**: [approve / shrink / merge / defer / reject]
+
 ## Spec Scope Fields *(mandatory)*
 
 - **Scope**: [workspace | tenant | canonical-view]
@@ -17,22 +35,37 @@ ## Spec Scope Fields *(mandatory)*
 - **Default filter behavior when tenant-context is active**: [e.g., prefilter to current tenant]
 - **Explicit entitlement checks preventing cross-tenant leakage**: [Describe checks]
 
+## Decision-First Surface Role *(mandatory when operator-facing surfaces are changed)*
+
+If this feature adds or materially changes an operator-facing surface,
+fill out one row per affected surface. This role is orthogonal to the
+Action Surface Class / Surface Type below.
+
+| Surface | Decision Role | Human-in-the-loop Moment | Immediately Visible for First Decision | On-Demand Detail / Evidence | Why This Is Primary or Why Not | Workflow Alignment | Attention-load Reduction |
+|---|---|---|---|---|---|---|---|
+| e.g. Review inbox | Primary Decision Surface | Review and release queued governance work | Case summary, severity, recommendation, required action | Full evidence, raw payloads, audit trail, provider diagnostics | Primary because it is the queue where operators decide and clear work | Follows pending-decisions workflow, not storage objects | Removes search across runs, findings, and audit pages |
+
 ## UI/UX Surface Classification *(mandatory when operator-facing surfaces are changed)*
 
 If this feature adds or materially changes an operator-facing list, detail, queue, audit, config, or report surface,
-fill out one row per affected surface.
+fill out one row per affected surface. Declare the broad Action Surface
+Class first, then the detailed Surface Type. Keep this table in sync
+with the Decision-First Surface Role section above.
 
-| Surface | Surface Type | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type |
+| Surface | Action Surface Class | Surface Type | Likely Next Operator Action | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type / Justification |
-|---|---|---|---|---|---|---|---|---|---|---|---|
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-| e.g. Tenant policies page | CRUD / List-first Resource | Full-row click | required | One inline safe shortcut + More | More / detail header | /admin/t/{tenant}/policies | /admin/t/{tenant}/policies/{record} | Tenant chip scopes rows and actions | Policies / Policy | Policy health, drift, assignment coverage | none |
+| e.g. Tenant policies page | List / Table / Bulk | CRUD / List-first Resource | Open policy for review | Full-row click | required | One inline safe shortcut + More | More / detail header | /admin/t/{tenant}/policies | /admin/t/{tenant}/policies/{record} | Tenant chip scopes rows and actions | Policies / Policy | Policy health, drift, assignment coverage | none |
 
 ## Operator Surface Contract *(mandatory when operator-facing surfaces are changed)*
 
-If this feature adds a new operator-facing page or materially refactors one, fill out one row per affected page/surface.
+If this feature adds a new operator-facing page or materially refactors
+one, fill out one row per affected page/surface. The contract MUST show
+how one governance case or operator task becomes decidable without
+unnecessary cross-page reconstruction.
 
-| Surface | Primary Persona | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
+| Surface | Primary Persona | Decision / Operator Action Supported | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
-|---|---|---|---|---|---|---|---|---|---|
+|---|---|---|---|---|---|---|---|---|---|---|
-| e.g. Tenant policies page | Tenant operator | List/detail | What needs action right now? | Policy health, drift, assignment coverage | Raw payloads, provider IDs, low-level API details | lifecycle, data completeness, governance result | TenantPilot only / Microsoft tenant / simulation only | Sync policies, View policy | Restore policy |
+| e.g. Tenant policies page | Tenant operator | Decide whether policy state needs follow-up | List/detail | What needs action right now? | Policy health, drift, assignment coverage | Raw payloads, provider IDs, low-level API details | lifecycle, data completeness, governance result | TenantPilot only / Microsoft tenant / simulation only | Sync policies, View policy | Restore policy |
 
 ## Proportionality Review *(mandatory when structural complexity is introduced)*
 
@@ -181,19 +214,50 @@ ## Requirements *(mandatory)*
 - how the same domain vocabulary is preserved across button labels, modal titles, run titles, notifications, and audit prose,
 - and how implementation-first terms are kept out of primary operator-facing labels.
 
-**Constitution alignment (UI-CONST-001 / UI-SURF-001 / UI-HARD-001 / UI-EX-001 / UI-REVIEW-001):** If this feature adds or changes an operator-facing surface, the spec MUST describe:
+**Constitution alignment (DECIDE-001):** If this feature adds or changes operator-facing surfaces, the spec MUST describe:
-- the chosen surface type and why it is the correct classification,
+- whether each affected surface is a Primary Decision Surface,
+  Secondary Context Surface, or Tertiary Evidence / Diagnostics
+  Surface, and why,
+- which human-in-the-loop moment each primary surface supports,
+- what MUST be visible immediately for the first decision,
+- what is preserved but only revealed on demand,
+- why any new primary surface cannot live inside an existing decision
+  context,
+- how navigation follows operator workflows rather than storage
+  structures,
+- how one governance case remains decidable in one focused context,
+- how any new automation, notifications, or autonomous governance logic
+  reduce search/review/click load,
+- and how the resulting default experience is calmer and clearer rather
+  than merely larger.
+
+**Constitution alignment (UI-CONST-001 / UI-SURF-001 / ACTSURF-001 / UI-HARD-001 / UI-EX-001 / UI-REVIEW-001 / HDR-001):** If this feature adds or changes an operator-facing surface, the spec MUST describe:
+- the chosen broad action-surface class and why it is the correct classification,
+- the chosen detailed surface type and why it is the correct refinement,
+- the one most likely next operator action,
 - the one and only primary inspect/open model,
 - whether row click is required, allowed, or forbidden,
 - whether explicit View or Inspect is present, and why it is present or forbidden,
+- where pure navigation lives and why it is not competing with mutation,
 - where secondary actions live,
 - where destructive actions live,
+- how grouped actions are ordered by meaning, frequency, and risk,
 - the canonical collection route and canonical detail route,
 - the scope signals shown to the operator and what real effect each one has,
 - the canonical noun used across routes, labels, runs, notifications, and audit prose,
 - which critical operational truth is visible by default,
 - and any catalogued exception type, rationale, and dedicated test coverage.
 
+**Constitution alignment (ACTSURF-001 - action hierarchy):** If this
+feature adds or materially changes header actions, row actions, bulk
+actions, or workbench controls, the spec MUST describe:
+- how navigation, mutation, context signals, selection actions, and
+  dangerous actions are separated,
+- why any visible secondary action deserves primary-plane placement,
+- why any ActionGroup is structured rather than a mixed catch-all,
+- and why any workflow-hub, wizard, system, or other special-type
+  exception is genuine rather than a convenience shortcut.
+
 **Constitution alignment (OPSURF-001):** If this feature adds or materially refactors an operator-facing surface, the spec MUST describe:
 - how the default-visible content stays operator-first on `/admin` and avoids raw implementation detail,
 - which diagnostics are secondary and how they are explicitly revealed,

.specify/templates/tasks-template.md

@@ -39,30 +39,62 @@ # Tasks: [FEATURE NAME]
 - aligning button labels, modal titles, run titles, notifications, and audit prose to the same domain vocabulary,
 - removing implementation-first wording from primary operator-facing copy.
 **Operator Surfaces**: If this feature adds or materially refactors an operator-facing page or flow, tasks MUST include:
+- classifying each affected surface as Primary Decision, Secondary
+  Context, or Tertiary Evidence / Diagnostics and keeping that role in
+  sync with the governing spec,
+- defining the human-in-the-loop moment and justifying any new Primary
+  Decision Surface against existing decision contexts,
 - filling the spec’s UI/UX Surface Classification for every affected surface,
 - filling the spec’s Operator Surface Contract for every affected page,
+- keeping default-visible content limited to first-decision needs and
+  moving proof, payloads, and diagnostics into progressive disclosure,
 - making default-visible content operator-first and moving JSON payloads, raw IDs, internal field names, provider error details, and low-level metadata into explicitly revealed diagnostics surfaces,
+- keeping each governance case decidable in one focused context where
+  practical instead of forcing cross-page reconstruction,
 - modeling execution outcome, data completeness, governance result, and lifecycle/readiness as distinct status dimensions when applicable,
 - making mutation scope legible before execution for every state-changing action (`TenantPilot only`, `Microsoft tenant`, or `simulation only`),
 - implementing the safe-execution flow for dangerous actions (configuration, safety checks/simulation, preview, hard confirmation where required, execute) or documenting an approved exemption,
 - keeping canonical nouns stable across routes, buttons, run titles, notifications, and audit prose,
+- keeping navigation aligned to operator workflows rather than storage
+  structures,
+- ensuring new automation, alerts, or autonomous flows reduce
+  search/review/click load instead of adding noise, extra lists, or
+  extra detail work,
+- preserving a calm, prioritized default state that distinguishes
+  actionable work from worth-watching context and reference-only
+  information,
 - keeping scope signals truthful and ensuring critical operational truth is visible by default,
 - keeping standard CRUD / Registry rows scanable rather than prose-heavy,
 - keeping workspace and tenant context explicit in navigation, actions, and page semantics so tenant pages do not silently expose workspace-wide actions.
 **Filament UI Action Surfaces**: If this feature adds/modifies any Filament Resource / RelationManager / Page, tasks MUST include:
 - filling the spec’s “UI Action Matrix” for all changed surfaces,
+- assigning exactly one broad action-surface class to every changed
+  operator-facing surface and keeping the detailed surface type in sync
+  with the spec,
+- identifying the one likely next operator action for each changed
+  surface and shaping the visible hierarchy around it,
 - implementing required action surfaces (header/row/bulk/empty-state CTA for lists; header actions for view; consistent save/cancel on create/edit),
 - ensuring every List/Table has exactly one primary inspect/open model with the correct surface-appropriate affordance,
 - removing redundant View/Inspect actions when row click or identifier click already opens the same destination,
 - keeping standard CRUD / Registry rows to inspect/open plus at most one inline safe shortcut,
+- separating navigation from mutation so pure context changes do not
+  compete visually with state-changing actions,
 - moving additional secondary actions into More or the detail header,
+- ordering visible actions and grouped actions by meaning, frequency,
+  and risk rather than append order,
 - placing destructive actions in More or the detail header for standard lists and using catalogued exceptions only where allowed,
+- ensuring workbench and monitoring surfaces separate scope/context,
+  selection actions, navigation, and object actions instead of mixing
+  them into one flat header zone,
 - grouping bulk actions via BulkActionGroup,
 - preventing empty `ActionGroup` / `BulkActionGroup` placeholders,
 - adding confirmations for destructive actions (and typed confirmation where required by scale),
 - adding `AuditLog` entries for relevant mutations,
 - using native Filament components or shared UI primitives before any local Blade/Tailwind assembly for badges, alerts, buttons, and semantic status surfaces,
 - avoiding page-local semantic color, border, rounding, or highlight styling when Filament props or shared primitives can express the same state,
+- documenting any workflow-hub, wizard, utility/system, or other
+  special-type exception in the spec/PR and adding dedicated test
+  coverage,
 - documenting any catalogued UI exception in the spec/PR and adding dedicated test coverage,
 - documenting any UI-FIL-001 exception with rationale in the spec/PR,
 - adding/updated tests that enforce the contract and block merge on violations, OR documenting an explicit exemption with rationale.
@@ -71,7 +103,13 @@ # Tasks: [FEATURE NAME]
 - ensuring all form fields are inside Sections/Cards (no naked inputs at root schema level),
 - ensuring View pages use Infolists (not disabled edit forms); status badges use BADGE-001,
 - ensuring empty states show a specific title + explanation + exactly 1 CTA; non-empty tables move CTA to header,
-- capping header actions to max 1 primary + 1 secondary (rest grouped),
+- enforcing ACTSURF-001 / HDR-001 action discipline: record/detail/edit
+  pages keep at most 1 visible primary header action; pure navigation
+  moves to contextual placement; destructive or governance-changing
+  actions are separated and require friction; monitoring/workbench
+  surfaces use their own layered hierarchy; rare actions live in
+  structured Action Groups; every affected surface passes the few-second
+  scan rule,
 - using shared layout builders (e.g., `MainAsideForm`, `MainAsideInfolist`, `StandardTableDefaults`) where available,
 - OR documenting an explicit exemption with rationale if UX-001 is not fully satisfied.
 **Badges**: If this feature changes status-like badge semantics, tasks MUST use `BadgeCatalog` / `BadgeRenderer` (BADGE-001),

Agents.md

@@ -318,12 +318,13 @@ ## Security
 ## Commands
 
 ### Sail (preferred locally)
-- `./vendor/bin/sail up -d`
+- `cd apps/platform && ./vendor/bin/sail up -d`
-- `./vendor/bin/sail down`
+- `cd apps/platform && ./vendor/bin/sail down`
-- `./vendor/bin/sail composer install`
+- `cd apps/platform && ./vendor/bin/sail composer install`
-- `./vendor/bin/sail artisan migrate`
+- `cd apps/platform && ./vendor/bin/sail artisan migrate`
-- `./vendor/bin/sail artisan test`
+- `cd apps/platform && ./vendor/bin/sail artisan test`
-- `./vendor/bin/sail artisan` (general)
+- `cd apps/platform && ./vendor/bin/sail artisan` (general)
+- Root helper for tooling only: `./scripts/platform-sail ...`
 
 ### Drizzle (local DB tooling, if configured)
 - Use only for local/dev workflows.
@@ -335,10 +336,10 @@ ### Drizzle (local DB tooling, if configured)
 (Agents should confirm the exact script names in `package.json` before suggesting them.)
 
 ### Non-Docker fallback (only if needed)
-- `composer install`
+- `cd apps/platform && composer install`
-- `php artisan serve`
+- `cd apps/platform && php artisan serve`
-- `php artisan migrate`
+- `cd apps/platform && php artisan migrate`
-- `php artisan test`
+- `cd apps/platform && php artisan test`
 
 ### Frontend/assets/tooling (if present)
 - `pnpm install`
@@ -352,11 +353,11 @@ ## Where to look first
 - `.specify/`
 - `AGENTS.md`
 - `README.md`
-- `app/`
+- `apps/platform/app/`
-- `database/`
+- `apps/platform/database/`
-- `routes/`
+- `apps/platform/routes/`
-- `resources/`
+- `apps/platform/resources/`
-- `config/`
+- `apps/platform/config/`
 
 ---
 
@@ -433,7 +434,7 @@ ## 3) Panel setup defaults
 - Assets policy:
   - Panel-only assets: register via panel config.
   - Shared/plugin assets: register via `FilamentAsset::register()`.
-  - Deployment must include `php artisan filament:assets`.
+  - Deployment must include `cd apps/platform && php artisan filament:assets`.
 
 Sources:
 - https://filamentphp.com/docs/5.x/panel-configuration
@@ -670,7 +671,7 @@ ## Testing
 
 ## Deployment / Ops
 
-- [ ] `php artisan filament:assets` is included in the deployment process when using registered assets.
+- [ ] `cd apps/platform && php artisan filament:assets` is included in the deployment process when using registered assets.
   - Source: https://filamentphp.com/docs/5.x/advanced/assets — “The FilamentAsset facade”
 
 === foundation rules ===
@@ -720,7 +721,9 @@ ## Application Structure & Architecture
 
 ## Frontend Bundling
 
-- If the user doesn't see a frontend change reflected in the UI, it could mean they need to run `vendor/bin/sail npm run build`, `vendor/bin/sail npm run dev`, or `vendor/bin/sail composer run dev`. Ask them.
+- Repo-root JavaScript orchestration now uses `corepack pnpm install`, `corepack pnpm dev:platform`, `corepack pnpm dev:website`, `corepack pnpm dev`, `corepack pnpm build:website`, and `corepack pnpm build:platform`.
+- `apps/website` is a standalone Astro app, not a second Laravel runtime, so Boost MCP remains platform-only.
+- If the user doesn't see a platform frontend change reflected in the UI, it could mean they need to run `cd apps/platform && ./vendor/bin/sail pnpm build`, `cd apps/platform && ./vendor/bin/sail pnpm dev`, or `cd apps/platform && ./vendor/bin/sail composer run dev`. Ask them.
 
 ## Documentation Files
 
@@ -812,28 +815,28 @@ ## PHPDoc Blocks
 # Laravel Sail
 
 - This project runs inside Laravel Sail's Docker containers. You MUST execute all commands through Sail.
-- Start services using `vendor/bin/sail up -d` and stop them with `vendor/bin/sail stop`.
+- Start services using `cd apps/platform && ./vendor/bin/sail up -d` and stop them with `cd apps/platform && ./vendor/bin/sail stop`.
-- Open the application in the browser by running `vendor/bin/sail open`.
+- Open the application in the browser by running `cd apps/platform && ./vendor/bin/sail open`.
-- Always prefix PHP, Artisan, Composer, and Node commands with `vendor/bin/sail`. Examples:
+- Always prefix PHP, Artisan, Composer, and Node commands with `cd apps/platform && ./vendor/bin/sail`. Examples:
-    - Run Artisan Commands: `vendor/bin/sail artisan migrate`
+    - Run Artisan Commands: `cd apps/platform && ./vendor/bin/sail artisan migrate`
-    - Install Composer packages: `vendor/bin/sail composer install`
+    - Install Composer packages: `cd apps/platform && ./vendor/bin/sail composer install`
-    - Execute Node commands: `vendor/bin/sail npm run dev`
+    - Execute Node commands: `cd apps/platform && ./vendor/bin/sail pnpm dev`
-    - Execute PHP scripts: `vendor/bin/sail php [script]`
+    - Execute PHP scripts: `cd apps/platform && ./vendor/bin/sail php [script]`
-- View all available Sail commands by running `vendor/bin/sail` without arguments.
+- View all available Sail commands by running `cd apps/platform && ./vendor/bin/sail` without arguments.
 
 === tests rules ===
 
 # Test Enforcement
 
 - Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
-- Run the minimum number of tests needed to ensure code quality and speed. Use `vendor/bin/sail artisan test --compact` with a specific filename or filter.
+- Run the minimum number of tests needed to ensure code quality and speed. Use `cd apps/platform && ./vendor/bin/sail artisan test --compact` with a specific filename or filter.
 
 === laravel/core rules ===
 
 # Do Things the Laravel Way
 
-- Use `vendor/bin/sail artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
+- Use `cd apps/platform && ./vendor/bin/sail artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
-- If you're creating a generic PHP class, use `vendor/bin/sail artisan make:class`.
+- If you're creating a generic PHP class, use `cd apps/platform && ./vendor/bin/sail artisan make:class`.
 - Pass `--no-interaction` to all Artisan commands to ensure they work without user input. You should also pass the correct `--options` to ensure correct behavior.
 
 ## Database
@@ -846,7 +849,7 @@ ## Database
 
 ### Model Creation
 
-- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `vendor/bin/sail artisan make:model`.
+- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `cd apps/platform && ./vendor/bin/sail artisan make:model`.
 
 ### APIs & Eloquent Resources
 
@@ -877,11 +880,11 @@ ## Testing
 
 - When creating models for tests, use the factories for the models. Check if the factory has custom states that can be used before manually setting up the model.
 - Faker: Use methods such as `$this->faker->word()` or `fake()->randomDigit()`. Follow existing conventions whether to use `$this->faker` or `fake()`.
-- When creating tests, make use of `vendor/bin/sail artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
+- When creating tests, make use of `cd apps/platform && ./vendor/bin/sail artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
 
 ## Vite Error
 
-- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `vendor/bin/sail npm run build` or ask the user to run `vendor/bin/sail npm run dev` or `vendor/bin/sail composer run dev`.
+- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `cd apps/platform && ./vendor/bin/sail pnpm build` or ask the user to run `cd apps/platform && ./vendor/bin/sail pnpm dev` or `cd apps/platform && ./vendor/bin/sail composer run dev`.
 
 === laravel/v12 rules ===
 
@@ -912,15 +915,15 @@ ### Models
 
 # Laravel Pint Code Formatter
 
-- You must run `vendor/bin/sail bin pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
+- You must run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
-- Do not run `vendor/bin/sail bin pint --test --format agent`, simply run `vendor/bin/sail bin pint --format agent` to fix any formatting issues.
+- Do not run `cd apps/platform && ./vendor/bin/sail bin pint --test --format agent`, simply run `cd apps/platform && ./vendor/bin/sail bin pint --format agent` to fix any formatting issues.
 
 === pest/core rules ===
 
 ## Pest
 
-- This project uses Pest for testing. Create tests: `vendor/bin/sail artisan make:test --pest {name}`.
+- This project uses Pest for testing. Create tests: `cd apps/platform && ./vendor/bin/sail artisan make:test --pest {name}`.
-- Run tests: `vendor/bin/sail artisan test --compact` or filter: `vendor/bin/sail artisan test --compact --filter=testName`.
+- Run tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact` or filter: `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=testName`.
 - Do NOT delete tests without approval.
 - CRITICAL: ALWAYS use `search-docs` tool for version-specific Pest documentation and updated code examples.
 - IMPORTANT: Activate `pest-testing` every time you're working with a Pest or testing-related task.

GEMINI.md

@@ -156,12 +156,13 @@ ## Security
 ## Commands
 
 ### Sail (preferred locally)
-- `./vendor/bin/sail up -d`
+- `cd apps/platform && ./vendor/bin/sail up -d`
-- `./vendor/bin/sail down`
+- `cd apps/platform && ./vendor/bin/sail down`
-- `./vendor/bin/sail composer install`
+- `cd apps/platform && ./vendor/bin/sail composer install`
-- `./vendor/bin/sail artisan migrate`
+- `cd apps/platform && ./vendor/bin/sail artisan migrate`
-- `./vendor/bin/sail artisan test`
+- `cd apps/platform && ./vendor/bin/sail artisan test`
-- `./vendor/bin/sail artisan` (general)
+- `cd apps/platform && ./vendor/bin/sail artisan` (general)
+- Root helper for tooling only: `./scripts/platform-sail ...`
 
 ### Drizzle (local DB tooling, if configured)
 - Use only for local/dev workflows.
@@ -173,10 +174,10 @@ ### Drizzle (local DB tooling, if configured)
 (Agents should confirm the exact script names in `package.json` before suggesting them.)
 
 ### Non-Docker fallback (only if needed)
-- `composer install`
+- `cd apps/platform && composer install`
-- `php artisan serve`
+- `cd apps/platform && php artisan serve`
-- `php artisan migrate`
+- `cd apps/platform && php artisan migrate`
-- `php artisan test`
+- `cd apps/platform && php artisan test`
 
 ### Frontend/assets/tooling (if present)
 - `pnpm install`
@@ -190,11 +191,11 @@ ## Where to look first
 - `.specify/`
 - `AGENTS.md`
 - `README.md`
-- `app/`
+- `apps/platform/app/`
-- `database/`
+- `apps/platform/database/`
-- `routes/`
+- `apps/platform/routes/`
-- `resources/`
+- `apps/platform/resources/`
-- `config/`
+- `apps/platform/config/`
 
 ---
 
@@ -271,7 +272,7 @@ ## 3) Panel setup defaults
 - Assets policy:
   - Panel-only assets: register via panel config.
   - Shared/plugin assets: register via `FilamentAsset::register()`.
-  - Deployment must include `php artisan filament:assets`.
+  - Deployment must include `cd apps/platform && php artisan filament:assets`.
 
 Sources:
 - https://filamentphp.com/docs/5.x/panel-configuration
@@ -508,7 +509,7 @@ ## Testing
 
 ## Deployment / Ops
 
-- [ ] `php artisan filament:assets` is included in the deployment process when using registered assets.
+- [ ] `cd apps/platform && php artisan filament:assets` is included in the deployment process when using registered assets.
   - Source: https://filamentphp.com/docs/5.x/advanced/assets — “The FilamentAsset facade”
 
 === foundation rules ===
@@ -558,7 +559,9 @@ ## Application Structure & Architecture
 
 ## Frontend Bundling
 
-- If the user doesn't see a frontend change reflected in the UI, it could mean they need to run `vendor/bin/sail npm run build`, `vendor/bin/sail npm run dev`, or `vendor/bin/sail composer run dev`. Ask them.
+- Repo-root JavaScript orchestration now uses `corepack pnpm install`, `corepack pnpm dev:platform`, `corepack pnpm dev:website`, `corepack pnpm dev`, `corepack pnpm build:website`, and `corepack pnpm build:platform`.
+- `apps/website` is a standalone Astro app, not a second Laravel runtime, so Boost MCP remains platform-only.
+- If the user doesn't see a platform frontend change reflected in the UI, it could mean they need to run `cd apps/platform && ./vendor/bin/sail pnpm build`, `cd apps/platform && ./vendor/bin/sail pnpm dev`, or `cd apps/platform && ./vendor/bin/sail composer run dev`. Ask them.
 
 ## Documentation Files
 
@@ -650,28 +653,28 @@ ## PHPDoc Blocks
 # Laravel Sail
 
 - This project runs inside Laravel Sail's Docker containers. You MUST execute all commands through Sail.
-- Start services using `vendor/bin/sail up -d` and stop them with `vendor/bin/sail stop`.
+- Start services using `cd apps/platform && ./vendor/bin/sail up -d` and stop them with `cd apps/platform && ./vendor/bin/sail stop`.
-- Open the application in the browser by running `vendor/bin/sail open`.
+- Open the application in the browser by running `cd apps/platform && ./vendor/bin/sail open`.
-- Always prefix PHP, Artisan, Composer, and Node commands with `vendor/bin/sail`. Examples:
+- Always prefix PHP, Artisan, Composer, and Node commands with `cd apps/platform && ./vendor/bin/sail`. Examples:
-    - Run Artisan Commands: `vendor/bin/sail artisan migrate`
+    - Run Artisan Commands: `cd apps/platform && ./vendor/bin/sail artisan migrate`
-    - Install Composer packages: `vendor/bin/sail composer install`
+    - Install Composer packages: `cd apps/platform && ./vendor/bin/sail composer install`
-    - Execute Node commands: `vendor/bin/sail npm run dev`
+    - Execute Node commands: `cd apps/platform && ./vendor/bin/sail pnpm dev`
-    - Execute PHP scripts: `vendor/bin/sail php [script]`
+    - Execute PHP scripts: `cd apps/platform && ./vendor/bin/sail php [script]`
-- View all available Sail commands by running `vendor/bin/sail` without arguments.
+- View all available Sail commands by running `cd apps/platform && ./vendor/bin/sail` without arguments.
 
 === tests rules ===
 
 # Test Enforcement
 
 - Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
-- Run the minimum number of tests needed to ensure code quality and speed. Use `vendor/bin/sail artisan test --compact` with a specific filename or filter.
+- Run the minimum number of tests needed to ensure code quality and speed. Use `cd apps/platform && ./vendor/bin/sail artisan test --compact` with a specific filename or filter.
 
 === laravel/core rules ===
 
 # Do Things the Laravel Way
 
-- Use `vendor/bin/sail artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
+- Use `cd apps/platform && ./vendor/bin/sail artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
-- If you're creating a generic PHP class, use `vendor/bin/sail artisan make:class`.
+- If you're creating a generic PHP class, use `cd apps/platform && ./vendor/bin/sail artisan make:class`.
 - Pass `--no-interaction` to all Artisan commands to ensure they work without user input. You should also pass the correct `--options` to ensure correct behavior.
 
 ## Database
@@ -684,7 +687,7 @@ ## Database
 
 ### Model Creation
 
-- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `vendor/bin/sail artisan make:model`.
+- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `cd apps/platform && ./vendor/bin/sail artisan make:model`.
 
 ### APIs & Eloquent Resources
 
@@ -715,11 +718,11 @@ ## Testing
 
 - When creating models for tests, use the factories for the models. Check if the factory has custom states that can be used before manually setting up the model.
 - Faker: Use methods such as `$this->faker->word()` or `fake()->randomDigit()`. Follow existing conventions whether to use `$this->faker` or `fake()`.
-- When creating tests, make use of `vendor/bin/sail artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
+- When creating tests, make use of `cd apps/platform && ./vendor/bin/sail artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
 
 ## Vite Error
 
-- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `vendor/bin/sail npm run build` or ask the user to run `vendor/bin/sail npm run dev` or `vendor/bin/sail composer run dev`.
+- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `cd apps/platform && ./vendor/bin/sail pnpm build` or ask the user to run `cd apps/platform && ./vendor/bin/sail pnpm dev` or `cd apps/platform && ./vendor/bin/sail composer run dev`.
 
 === laravel/v12 rules ===
 
@@ -750,15 +753,15 @@ ### Models
 
 # Laravel Pint Code Formatter
 
-- You must run `vendor/bin/sail bin pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
+- You must run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` before finalizing changes to ensure your code matches the project's expected style.
-- Do not run `vendor/bin/sail bin pint --test --format agent`, simply run `vendor/bin/sail bin pint --format agent` to fix any formatting issues.
+- Do not run `cd apps/platform && ./vendor/bin/sail bin pint --test --format agent`, simply run `cd apps/platform && ./vendor/bin/sail bin pint --format agent` to fix any formatting issues.
 
 === pest/core rules ===
 
 ## Pest
 
-- This project uses Pest for testing. Create tests: `vendor/bin/sail artisan make:test --pest {name}`.
+- This project uses Pest for testing. Create tests: `cd apps/platform && ./vendor/bin/sail artisan make:test --pest {name}`.
-- Run tests: `vendor/bin/sail artisan test --compact` or filter: `vendor/bin/sail artisan test --compact --filter=testName`.
+- Run tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact` or filter: `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=testName`.
 - Do NOT delete tests without approval.
 - CRITICAL: ALWAYS use `search-docs` tool for version-specific Pest documentation and updated code examples.
 - IMPORTANT: Activate `pest-testing` every time you're working with a Pest or testing-related task.

README.md

@@ -1,19 +1,50 @@
-<p align="center"><a href="https://laravel.com" target="_blank"><img src="https://raw.githubusercontent.com/laravel/art/master/logo-lockup/5%20SVG/2%20CMYK/1%20Full%20Color/laravel-logolockup-cmyk-red.svg" width="400" alt="Laravel Logo"></a></p>
+# TenantPilot Workspace
 
-<p align="center">
+TenantPilot is an Intune management platform built around a stable Laravel application in
-<a href="https://github.com/laravel/framework/actions"><img src="https://github.com/laravel/framework/workflows/tests/badge.svg" alt="Build Status"></a>
+`apps/platform` and, starting with Spec 183, a standalone public Astro website in
-<a href="https://packagist.org/packages/laravel/framework"><img src="https://img.shields.io/packagist/dt/laravel/framework" alt="Total Downloads"></a>
+`apps/website`. The repository root is now the official JavaScript workspace entry point and
-<a href="https://packagist.org/packages/laravel/framework"><img src="https://img.shields.io/packagist/v/laravel/framework" alt="Latest Stable Version"></a>
+orchestrates app-local commands without becoming a runtime itself.
-<a href="https://packagist.org/packages/laravel/framework"><img src="https://img.shields.io/packagist/l/laravel/framework" alt="License"></a>
-</p>
 
-## TenantPilot setup
+## Multi-App Topology
+
+- `apps/platform`: the Laravel 12 + Filament v5 + Livewire v4 product runtime
+- `apps/website`: the Astro v6 public website runtime
+- repo root: workspace manifests, documentation, scripts, editor tooling, and `docker-compose.yml`
+- `./scripts/platform-sail`: platform-only compatibility helper for tooling that cannot set `cwd`
+
+## Official Root Commands
+
+- Install workspace-managed JavaScript dependencies: `corepack pnpm install`
+- Start the platform stack: `corepack pnpm dev:platform`
+- Start the website dev server: `corepack pnpm dev:website`
+- Start platform + website together: `corepack pnpm dev`
+- Build the website: `corepack pnpm build:website`
+- Build platform frontend assets: `corepack pnpm build:platform`
+
+## App-Local Commands
+
+### Platform
+
+- Install PHP dependencies: `cd apps/platform && composer install`
+- Start Sail: `cd apps/platform && ./vendor/bin/sail up -d`
+- Generate the app key: `cd apps/platform && ./vendor/bin/sail artisan key:generate`
+- Run migrations and seeders: `cd apps/platform && ./vendor/bin/sail artisan migrate --seed`
+- Run frontend watch/build inside Sail: `cd apps/platform && ./vendor/bin/sail pnpm dev` or `cd apps/platform && ./vendor/bin/sail pnpm build`
+- Run tests: `cd apps/platform && ./vendor/bin/sail artisan test --compact`
+
+### Website
+
+- Start the dev server: `cd apps/website && pnpm dev`
+- Build the static site: `cd apps/website && pnpm build`
+
+## Port Overrides
+
+- Platform HTTP and Vite ports: set `APP_PORT` and or `VITE_PORT` before `corepack pnpm dev:platform` or `cd apps/platform && ./vendor/bin/sail up -d`
+- Website dev server port: set `WEBSITE_PORT` before `corepack pnpm dev:website` or pass `--port <port>` to `cd apps/website && pnpm dev`
+- Parallel local development keeps both apps isolated, even when one or both ports are overridden
+
+## Platform Setup Notes
 
-- Local dev (Sail-first):
-  - Start stack: `./vendor/bin/sail up -d`
-  - Init DB: `./vendor/bin/sail artisan migrate --seed`
-  - Tests: `./vendor/bin/sail artisan test`
-  - Policy sync: `./vendor/bin/sail artisan intune:sync-policies`
 - Filament admin: `/admin` (seed user `test@example.com`, set password via factory or `artisan tinker`).
 - Microsoft Graph (Intune) env vars:
   - `GRAPH_TENANT_ID`
@@ -25,10 +56,17 @@ ## TenantPilot setup
     - **Missing permissions?** Scope tags will show as "Unknown (ID: X)" - add `DeviceManagementRBAC.Read.All`
 - Deployment (Dokploy, staging → production):
   - Containerized deploy; ensure Postgres + Redis are provisioned (see `docker-compose.yml` for local baseline).
+  - Run application commands from `apps/platform`, including `php artisan filament:assets`.
   - Run migrations on staging first, validate backup/restore flows, then promote to production.
   - Ensure queue workers are running for jobs (e.g., policy sync) after deploy.
   - Keep secrets/env in Dokploy, never in code.
 
+## Platform relocation rollout notes
+
+- Open branches that still touch legacy root app paths should merge `dev` first, then remap file moves from `app/`, `bootstrap/`, `config/`, `database/`, `lang/`, `public/`, `resources/`, `routes/`, `storage/`, and `tests/` into `apps/platform/...`.
+- Keep using merge-based catch-up on shared feature branches; do not rebase long-lived shared branches just to absorb the relocation.
+- VS Code tasks expose the official root workspace commands, while MCP launchers remain platform-only and delegate through `./scripts/platform-sail`.
+
 ## Bulk operations (Feature 005)
 
 - Bulk actions are available in Filament resource tables (Policies, Policy Versions, Backup Sets, Restore Runs).
@@ -39,8 +77,23 @@ ### Troubleshooting
 
 - **Progress stuck on “Queued…”** usually means the queue worker is not running (or not processing the queue you expect).
   - Prefer using the Sail/Docker worker (see `docker-compose.yml`) rather than starting an additional local `php artisan queue:work`.
-  - Check worker status/logs: `./vendor/bin/sail ps` and `./vendor/bin/sail logs -f queue`.
+  - Check worker status/logs: `cd apps/platform && ./vendor/bin/sail ps` and `cd apps/platform && ./vendor/bin/sail logs -f queue`.
 - **Exit code 137** for `queue:work` typically means the process was killed (often OOM). Increase Docker memory/limits or run the worker inside the container.
+- **Moved app but old commands still fail** usually means the command is still being run from repo root. Switch to `cd apps/platform && ...` or use `./scripts/platform-sail ...` only for tooling that cannot set `cwd`.
+
+## Rollback checklist
+
+1. Revert the relocation commit or merge on your feature branch instead of hard-resetting shared history.
+2. Preserve any local app env overrides before switching commits: `cp apps/platform/.env /tmp/tenantatlas.platform.env.backup` if needed.
+3. Stop local containers and clean generated artifacts: `cd apps/platform && ./vendor/bin/sail down -v`, then remove `apps/platform/vendor`, `apps/platform/node_modules`, `apps/platform/public/build`, and `apps/platform/public/hot` if they need a clean rebuild.
+4. After rollback, restore the matching env file for the restored topology and rerun the documented setup flow for that commit.
+5. Notify owners of open feature branches that the topology changed so they can remap outstanding work before the next merge from `dev`.
+
+## Deployment unknowns
+
+- Dokploy build context for a repo-root compose file plus an app-root Laravel runtime still needs staging confirmation.
+- Production web, queue, and scheduler working directories must be verified explicitly after the move; do not assume repo root and app root behave interchangeably.
+- Any Dokploy volume mounts or storage persistence paths that previously targeted repo-root `storage/` must be reviewed against `apps/platform/storage/`.
 
 ### Configuration
 
@@ -64,7 +117,7 @@ ## Graph Contract Registry & Drift Guard
   - Sanitizes `$select`/`$expand` to allowed fields; logs warnings on trim.
   - Derived @odata.type values within the family are accepted for preview/restore routing.
   - Capability fallback: on 400s related to select/expand, retries without those clauses and surfaces warnings.
-- Drift check: `php artisan graph:contract:check [--tenant=]` runs lightweight probes against contract endpoints to detect capability/shape issues; useful in staging/CI (prod optional).
+- Drift check: `cd apps/platform && php artisan graph:contract:check [--tenant=]` runs lightweight probes against contract endpoints to detect capability/shape issues; useful in staging/CI (prod optional).
 - If Graph returns capability errors, TenantPilot downgrades safely, records warnings/audit entries, and avoids breaking preview/restore flows.
 
 ## Policy Settings Display
@@ -89,54 +142,3 @@ ## Policy JSON Viewer (Feature 002)
   - Scrollable container with max height to prevent page overflow
 - **Usage**: See `specs/002-filament-json/quickstart.md` for detailed examples and configuration
 - **Performance**: Optimized for payloads up to 1 MB; auto-collapse improves initial render for large snapshots
-
-## About Laravel
-
-Laravel is a web application framework with expressive, elegant syntax. We believe development must be an enjoyable and creative experience to be truly fulfilling. Laravel takes the pain out of development by easing common tasks used in many web projects, such as:
-
-- [Simple, fast routing engine](https://laravel.com/docs/routing).
-- [Powerful dependency injection container](https://laravel.com/docs/container).
-- Multiple back-ends for [session](https://laravel.com/docs/session) and [cache](https://laravel.com/docs/cache) storage.
-- Expressive, intuitive [database ORM](https://laravel.com/docs/eloquent).
-- Database agnostic [schema migrations](https://laravel.com/docs/migrations).
-- [Robust background job processing](https://laravel.com/docs/queues).
-- [Real-time event broadcasting](https://laravel.com/docs/broadcasting).
-
-Laravel is accessible, powerful, and provides tools required for large, robust applications.
-
-## Learning Laravel
-
-Laravel has the most extensive and thorough [documentation](https://laravel.com/docs) and video tutorial library of all modern web application frameworks, making it a breeze to get started with the framework. You can also check out [Laravel Learn](https://laravel.com/learn), where you will be guided through building a modern Laravel application.
-
-If you don't feel like reading, [Laracasts](https://laracasts.com) can help. Laracasts contains thousands of video tutorials on a range of topics including Laravel, modern PHP, unit testing, and JavaScript. Boost your skills by digging into our comprehensive video library.
-
-## Laravel Sponsors
-
-We would like to extend our thanks to the following sponsors for funding Laravel development. If you are interested in becoming a sponsor, please visit the [Laravel Partners program](https://partners.laravel.com).
-
-### Premium Partners
-
-- **[Vehikl](https://vehikl.com)**
-- **[Tighten Co.](https://tighten.co)**
-- **[Kirschbaum Development Group](https://kirschbaumdevelopment.com)**
-- **[64 Robots](https://64robots.com)**
-- **[Curotec](https://www.curotec.com/services/technologies/laravel)**
-- **[DevSquad](https://devsquad.com/hire-laravel-developers)**
-- **[Redberry](https://redberry.international/laravel-development)**
-- **[Active Logic](https://activelogic.com)**
-
-## Contributing
-
-Thank you for considering contributing to the Laravel framework! The contribution guide can be found in the [Laravel documentation](https://laravel.com/docs/contributions).
-
-## Code of Conduct
-
-In order to ensure that the Laravel community is welcoming to all, please review and abide by the [Code of Conduct](https://laravel.com/docs/contributions#code-of-conduct).
-
-## Security Vulnerabilities
-
-If you discover a security vulnerability within Laravel, please send an e-mail to Taylor Otwell via [taylor@laravel.com](mailto:taylor@laravel.com). All security vulnerabilities will be promptly addressed.
-
-## License
-
-The Laravel framework is open-sourced software licensed under the [MIT license](https://opensource.org/licenses/MIT).

app/Filament/Resources/ProviderConnectionResource/Pages/ViewProviderConnection.php

@@ -1,249 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\ProviderConnectionResource\Pages;
-
-use App\Filament\Resources\ProviderConnectionResource;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\Intune\AuditLogger;
-use App\Services\Providers\ProviderConnectionMutationService;
-use App\Support\Auth\Capabilities;
-use App\Support\Links\RequiredPermissionsLinks;
-use App\Support\Providers\ProviderConnectionType;
-use App\Support\Rbac\UiEnforcement;
-use Filament\Actions;
-use Filament\Forms\Components\TextInput;
-use Filament\Notifications\Notification;
-use Filament\Resources\Pages\ViewRecord;
-
-class ViewProviderConnection extends ViewRecord
-{
-    protected static string $resource = ProviderConnectionResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [
-            UiEnforcement::forAction(
-                Actions\Action::make('grant_admin_consent')
-                    ->label('Grant admin consent')
-                    ->icon('heroicon-o-clipboard-document')
-                    ->url(function (): ?string {
-                        $tenant = ProviderConnectionResource::resolveTenantForRecord($this->record);
-
-                        return $tenant instanceof Tenant
-                            ? RequiredPermissionsLinks::adminConsentPrimaryUrl($tenant)
-                            : null;
-                    })
-                    ->visible(function (): bool {
-                        return ProviderConnectionResource::resolveTenantForRecord($this->record) instanceof Tenant;
-                    })
-                    ->openUrlInNewTab()
-            )
-                ->requireCapability(Capabilities::PROVIDER_MANAGE)
-                ->apply(),
-            UiEnforcement::forAction(
-                Actions\Action::make('edit')
-                    ->label('Edit')
-                    ->icon('heroicon-o-pencil-square')
-                    ->url(fn (): string => ProviderConnectionResource::getUrl('edit', ['record' => $this->record]))
-            )
-                ->requireCapability(Capabilities::PROVIDER_MANAGE)
-                ->apply(),
-            Actions\ActionGroup::make([
-                UiEnforcement::forAction(
-                    Actions\Action::make('enable_dedicated_override')
-                        ->label('Enable dedicated override')
-                        ->icon('heroicon-o-key')
-                        ->color('primary')
-                        ->requiresConfirmation()
-                        ->modalDescription('Dedicated credentials are stored encrypted and reset consent to the dedicated app registration.')
-                        ->visible(fn (): bool => $this->record->connection_type !== ProviderConnectionType::Dedicated)
-                        ->form([
-                            TextInput::make('client_id')
-                                ->label('Dedicated app (client) ID')
-                                ->required()
-                                ->maxLength(255),
-                            TextInput::make('client_secret')
-                                ->label('Dedicated client secret')
-                                ->password()
-                                ->required()
-                                ->maxLength(255),
-                        ])
-                        ->action(function (array $data, ProviderConnectionMutationService $mutations, AuditLogger $auditLogger): void {
-                            $tenant = ProviderConnectionResource::resolveTenantForRecord($this->record);
-
-                            if (! $tenant instanceof Tenant) {
-                                abort(404);
-                            }
-
-                            $mutations->enableDedicatedOverride(
-                                connection: $this->record,
-                                clientId: (string) $data['client_id'],
-                                clientSecret: (string) $data['client_secret'],
-                            );
-
-                            $user = auth()->user();
-                            $actorId = $user instanceof User ? (int) $user->getKey() : null;
-                            $actorEmail = $user instanceof User ? $user->email : null;
-                            $actorName = $user instanceof User ? $user->name : null;
-
-                            $auditLogger->log(
-                                tenant: $tenant,
-                                action: 'provider_connection.connection_type_changed',
-                                context: [
-                                    'metadata' => [
-                                        'provider_connection_id' => (int) $this->record->getKey(),
-                                        'provider' => $this->record->provider,
-                                        'entra_tenant_id' => $this->record->entra_tenant_id,
-                                        'from_connection_type' => ProviderConnectionType::Platform->value,
-                                        'to_connection_type' => ProviderConnectionType::Dedicated->value,
-                                        'client_id' => (string) $data['client_id'],
-                                        'source' => 'provider_connection.view_page',
-                                    ],
-                                ],
-                                actorId: $actorId,
-                                actorEmail: $actorEmail,
-                                actorName: $actorName,
-                                resourceType: 'provider_connection',
-                                resourceId: (string) $this->record->getKey(),
-                                status: 'success',
-                            );
-
-                            Notification::make()
-                                ->title('Dedicated override enabled')
-                                ->success()
-                                ->send();
-                        })
-                )
-                    ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
-                    ->preserveVisibility()
-                    ->apply(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('rotate_dedicated_credential')
-                        ->label('Rotate dedicated credential')
-                        ->icon('heroicon-o-arrow-path')
-                        ->color('primary')
-                        ->requiresConfirmation()
-                        ->visible(fn (): bool => $this->record->connection_type === ProviderConnectionType::Dedicated)
-                        ->form([
-                            TextInput::make('client_id')
-                                ->label('Dedicated app (client) ID')
-                                ->default(function (): string {
-                                    $payload = $this->record->credential?->payload;
-
-                                    return is_array($payload) ? (string) ($payload['client_id'] ?? '') : '';
-                                })
-                                ->required()
-                                ->maxLength(255),
-                            TextInput::make('client_secret')
-                                ->label('Dedicated client secret')
-                                ->password()
-                                ->required()
-                                ->maxLength(255),
-                        ])
-                        ->action(function (array $data, ProviderConnectionMutationService $mutations): void {
-                            $tenant = ProviderConnectionResource::resolveTenantForRecord($this->record);
-
-                            if (! $tenant instanceof Tenant) {
-                                abort(404);
-                            }
-
-                            $mutations->enableDedicatedOverride(
-                                connection: $this->record,
-                                clientId: (string) $data['client_id'],
-                                clientSecret: (string) $data['client_secret'],
-                            );
-
-                            Notification::make()
-                                ->title('Dedicated credential rotated')
-                                ->success()
-                                ->send();
-                        })
-                )
-                    ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
-                    ->preserveVisibility()
-                    ->apply(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('delete_dedicated_credential')
-                        ->label('Delete dedicated credential')
-                        ->icon('heroicon-o-trash')
-                        ->color('danger')
-                        ->requiresConfirmation()
-                        ->visible(fn (): bool => $this->record->connection_type === ProviderConnectionType::Dedicated
-                            && $this->record->credential()->exists())
-                        ->action(function (ProviderConnectionMutationService $mutations): void {
-                            $tenant = ProviderConnectionResource::resolveTenantForRecord($this->record);
-
-                            if (! $tenant instanceof Tenant) {
-                                abort(404);
-                            }
-
-                            $mutations->deleteDedicatedCredential($this->record);
-
-                            Notification::make()
-                                ->title('Dedicated credential deleted')
-                                ->warning()
-                                ->send();
-                        })
-                )
-                    ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
-                    ->preserveVisibility()
-                    ->apply(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('revert_to_platform')
-                        ->label('Revert to platform')
-                        ->icon('heroicon-o-arrow-uturn-left')
-                        ->color('gray')
-                        ->requiresConfirmation()
-                        ->visible(fn (): bool => $this->record->connection_type === ProviderConnectionType::Dedicated)
-                        ->action(function (ProviderConnectionMutationService $mutations, AuditLogger $auditLogger): void {
-                            $tenant = ProviderConnectionResource::resolveTenantForRecord($this->record);
-
-                            if (! $tenant instanceof Tenant) {
-                                abort(404);
-                            }
-
-                            $mutations->revertToPlatform($this->record);
-
-                            $user = auth()->user();
-                            $actorId = $user instanceof User ? (int) $user->getKey() : null;
-                            $actorEmail = $user instanceof User ? $user->email : null;
-                            $actorName = $user instanceof User ? $user->name : null;
-
-                            $auditLogger->log(
-                                tenant: $tenant,
-                                action: 'provider_connection.connection_type_changed',
-                                context: [
-                                    'metadata' => [
-                                        'provider_connection_id' => (int) $this->record->getKey(),
-                                        'provider' => $this->record->provider,
-                                        'entra_tenant_id' => $this->record->entra_tenant_id,
-                                        'from_connection_type' => ProviderConnectionType::Dedicated->value,
-                                        'to_connection_type' => ProviderConnectionType::Platform->value,
-                                        'source' => 'provider_connection.view_page',
-                                    ],
-                                ],
-                                actorId: $actorId,
-                                actorEmail: $actorEmail,
-                                actorName: $actorName,
-                                resourceType: 'provider_connection',
-                                resourceId: (string) $this->record->getKey(),
-                                status: 'success',
-                            );
-
-                            Notification::make()
-                                ->title('Connection reverted to platform')
-                                ->success()
-                                ->send();
-                        })
-                )
-                    ->requireCapability(Capabilities::PROVIDER_MANAGE_DEDICATED)
-                    ->preserveVisibility()
-                    ->apply(),
-            ])
-                ->label('Manage dedicated override')
-                ->icon('heroicon-o-cog-6-tooth')
-                ->color('gray'),
-        ];
-    }
-}

app/Filament/Resources/RestoreRunResource/Pages/ViewRestoreRun.php

@@ -1,17 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\RestoreRunResource\Pages;
-
-use App\Filament\Resources\RestoreRunResource;
-use Filament\Resources\Pages\ViewRecord;
-use Illuminate\Database\Eloquent\Model;
-
-class ViewRestoreRun extends ViewRecord
-{
-    protected static string $resource = RestoreRunResource::class;
-
-    protected function resolveRecord(int|string $key): Model
-    {
-        return RestoreRunResource::resolveScopedRecordOrFail($key);
-    }
-}

app/Filament/Resources/TenantResource/Pages/EditTenant.php

@@ -1,66 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\TenantResource\Pages;
-
-use App\Filament\Resources\TenantResource;
-use App\Models\Tenant;
-use App\Services\Audit\WorkspaceAuditLogger;
-use App\Support\Auth\Capabilities;
-use App\Support\Rbac\UiEnforcement;
-use App\Support\Tenants\TenantActionSurface;
-use Filament\Actions;
-use Filament\Actions\Action;
-use Filament\Resources\Pages\EditRecord;
-
-class EditTenant extends EditRecord
-{
-    protected static string $resource = TenantResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [
-            Actions\ViewAction::make(),
-            Actions\Action::make('related_onboarding')
-                ->label(fn (Tenant $record): string => TenantResource::relatedOnboardingDraftActionLabel($record, TenantActionSurface::TenantEditHeader) ?? 'View related onboarding')
-                ->icon(fn (Tenant $record): string => TenantResource::relatedOnboardingDraftAction($record, TenantActionSurface::TenantEditHeader)?->icon ?? 'heroicon-o-eye')
-                ->url(fn (Tenant $record): string => TenantResource::relatedOnboardingDraftUrl($record) ?? route('admin.onboarding'))
-                ->visible(fn (Tenant $record): bool => TenantResource::relatedOnboardingDraftAction($record, TenantActionSurface::TenantEditHeader) instanceof \App\Support\Tenants\TenantActionDescriptor),
-            UiEnforcement::forAction(
-                Action::make('restore')
-                    ->label(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->label ?? 'Restore')
-                    ->color('success')
-                    ->icon(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->icon ?? 'heroicon-o-arrow-uturn-left')
-                    ->requiresConfirmation()
-                    ->modalHeading(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->modalHeading ?? 'Restore tenant')
-                    ->modalDescription(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->modalDescription ?? 'Restore this archived tenant to make it available again in normal management flows.')
-                    ->visible(fn (Tenant $record): bool => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->key === 'restore')
-                    ->action(function (Tenant $record, WorkspaceAuditLogger $auditLogger): void {
-                        TenantResource::restoreTenant($record, $auditLogger);
-                    })
-            )
-                ->requireCapability(Capabilities::TENANT_DELETE)
-                ->tooltip('You do not have permission to restore tenants.')
-                ->preserveVisibility()
-                ->destructive()
-                ->apply(),
-            UiEnforcement::forAction(
-                Action::make('archive')
-                    ->label(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->label ?? 'Archive')
-                    ->color('danger')
-                    ->icon(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->icon ?? 'heroicon-o-archive-box-x-mark')
-                    ->requiresConfirmation()
-                    ->modalHeading(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->modalHeading ?? 'Archive tenant')
-                    ->modalDescription(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->modalDescription ?? 'Archive this tenant to retain it for inspection while removing it from active operating flows.')
-                    ->visible(fn (Tenant $record): bool => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantEditHeader)?->key === 'archive')
-                    ->action(function (Tenant $record, WorkspaceAuditLogger $auditLogger): void {
-                        TenantResource::archiveTenant($record, $auditLogger);
-                    })
-            )
-                ->requireCapability(Capabilities::TENANT_DELETE)
-                ->tooltip('You do not have permission to archive tenants.')
-                ->preserveVisibility()
-                ->destructive()
-                ->apply(),
-        ];
-    }
-}

app/Filament/Resources/TenantResource/Pages/ListTenants.php

@@ -1,66 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Resources\TenantResource\Pages;
-
-use App\Filament\Resources\TenantResource;
-use App\Models\User;
-use App\Models\Workspace;
-use App\Services\Onboarding\OnboardingDraftResolver;
-use App\Support\Workspaces\WorkspaceContext;
-use Filament\Actions;
-use Filament\Resources\Pages\ListRecords;
-
-class ListTenants extends ListRecords
-{
-    protected static string $resource = TenantResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [
-            $this->makeOnboardingEntryAction()
-                ->visible(fn (): bool => $this->getTableRecords()->count() > 0),
-        ];
-    }
-
-    protected function getTableEmptyStateActions(): array
-    {
-        return [
-            $this->makeOnboardingEntryAction(),
-        ];
-    }
-
-    private function makeOnboardingEntryAction(): Actions\Action
-    {
-        $descriptor = TenantResource::tenantActionPolicy()->onboardingEntryDescriptor($this->accessibleResumableDraftCount());
-
-        return Actions\Action::make('add_tenant')
-            ->label($descriptor->label)
-            ->icon($descriptor->icon)
-            ->url(route('admin.onboarding'));
-    }
-
-    private function accessibleResumableDraftCount(): int
-    {
-        $user = auth()->user();
-
-        if (! $user instanceof User) {
-            return 0;
-        }
-
-        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
-
-        if (! is_int($workspaceId)) {
-            return 0;
-        }
-
-        $workspace = Workspace::query()->whereKey($workspaceId)->first();
-
-        if (! $workspace instanceof Workspace) {
-            return 0;
-        }
-
-        return app(OnboardingDraftResolver::class)->resumableDraftsFor($user, $workspace)->count();
-    }
-}

app/Filament/Resources/TenantResource/Pages/ViewTenant.php

@@ -1,326 +0,0 @@
-<?php
-
-namespace App\Filament\Resources\TenantResource\Pages;
-
-use App\Filament\Resources\ProviderConnectionResource;
-use App\Filament\Resources\TenantResource;
-use App\Filament\Widgets\Tenant\AdminRolesSummaryWidget;
-use App\Filament\Widgets\Tenant\RecentOperationsSummary;
-use App\Filament\Widgets\Tenant\TenantArchivedBanner;
-use App\Filament\Widgets\Tenant\TenantVerificationReport;
-use App\Jobs\RefreshTenantRbacHealthJob;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\Audit\WorkspaceAuditLogger;
-use App\Services\OperationRunService;
-use App\Services\Verification\StartVerification;
-use App\Support\Auth\Capabilities;
-use App\Support\OperationRunLinks;
-use App\Support\OperationRunType;
-use App\Support\OpsUx\OperationUxPresenter;
-use App\Support\OpsUx\OpsUxBrowserEvents;
-use App\Support\Rbac\UiEnforcement;
-use App\Support\Tenants\TenantActionSurface;
-use Filament\Actions;
-use Filament\Notifications\Notification;
-use Filament\Resources\Pages\ViewRecord;
-
-class ViewTenant extends ViewRecord
-{
-    protected static string $resource = TenantResource::class;
-
-    public static function verificationHeaderActionLabel(): string
-    {
-        return 'Verify configuration';
-    }
-
-    public static function verificationHeaderActionHint(): string
-    {
-        return 'Use "'.self::verificationHeaderActionLabel().'" in the tenant header to run verification again after you inspect the current operation.';
-    }
-
-    public function getHeaderWidgetsColumns(): int|array
-    {
-        return 1;
-    }
-
-    protected function getHeaderWidgets(): array
-    {
-        return [
-            TenantArchivedBanner::class,
-            RecentOperationsSummary::class,
-            TenantVerificationReport::class,
-            AdminRolesSummaryWidget::class,
-        ];
-    }
-
-    protected function getHeaderActions(): array
-    {
-        return [
-            Actions\ActionGroup::make([
-                UiEnforcement::forAction(
-                    Actions\Action::make('provider_connections')
-                        ->label('Provider connections')
-                        ->icon('heroicon-o-link')
-                        ->url(fn (Tenant $record): string => ProviderConnectionResource::getUrl('index', ['tenant_id' => $record->external_id], panel: 'admin'))
-                )
-                    ->requireCapability(Capabilities::PROVIDER_VIEW)
-                    ->apply(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('edit')
-                        ->label('Edit')
-                        ->icon('heroicon-o-pencil-square')
-                        ->url(fn (Tenant $record): string => TenantResource::getUrl('edit', ['record' => $record]))
-                )
-                    ->requireCapability(Capabilities::TENANT_MANAGE)
-                    ->apply(),
-                Actions\Action::make('related_onboarding')
-                    ->label(fn (Tenant $record): string => TenantResource::relatedOnboardingDraftActionLabel($record, TenantActionSurface::TenantViewHeader) ?? 'View related onboarding')
-                    ->icon(fn (Tenant $record): string => TenantResource::relatedOnboardingDraftAction($record, TenantActionSurface::TenantViewHeader)?->icon ?? 'heroicon-o-eye')
-                    ->url(fn (Tenant $record): string => TenantResource::relatedOnboardingDraftUrl($record) ?? route('admin.onboarding'))
-                    ->visible(fn (Tenant $record): bool => TenantResource::relatedOnboardingDraftAction($record, TenantActionSurface::TenantViewHeader) instanceof \App\Support\Tenants\TenantActionDescriptor),
-                Actions\Action::make('admin_consent')
-                    ->label('Grant admin consent')
-                    ->icon('heroicon-o-clipboard-document')
-                    ->url(fn (Tenant $record) => TenantResource::adminConsentUrl($record))
-                    ->visible(fn (Tenant $record) => TenantResource::adminConsentUrl($record) !== null)
-                    ->openUrlInNewTab(),
-                Actions\Action::make('open_in_entra')
-                    ->label('Open in Entra')
-                    ->icon('heroicon-o-arrow-top-right-on-square')
-                    ->url(fn (Tenant $record) => TenantResource::entraUrl($record))
-                    ->visible(fn (Tenant $record) => TenantResource::entraUrl($record) !== null)
-                    ->openUrlInNewTab(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('verify')
-                        ->label(self::verificationHeaderActionLabel())
-                        ->icon('heroicon-o-check-badge')
-                        ->color('primary')
-                        ->requiresConfirmation()
-                        ->visible(fn (Tenant $record): bool => TenantResource::verificationActionVisible($record))
-                        ->action(function (
-                            Tenant $record,
-                            StartVerification $verification,
-                        ): void {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                abort(403);
-                            }
-
-                            if (! $user->canAccessTenant($record)) {
-                                abort(404);
-                            }
-
-                            $result = $verification->providerConnectionCheckForTenant(
-                                tenant: $record,
-                                initiator: $user,
-                                extraContext: [
-                                    'surface' => [
-                                        'kind' => 'tenant_view_header',
-                                    ],
-                                ],
-                            );
-
-                            $runUrl = OperationRunLinks::tenantlessView($result->run);
-
-                            if ($result->status === 'scope_busy') {
-                                OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                                Notification::make()
-                                    ->title('Another operation is already running')
-                                    ->body('Please wait for the active operation to finish.')
-                                    ->warning()
-                                    ->actions([
-                                        Actions\Action::make('view_run')
-                                            ->label(OperationRunLinks::openLabel())
-                                            ->url($runUrl),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            if ($result->status === 'deduped') {
-                                OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                                OperationUxPresenter::alreadyQueuedToast((string) $result->run->type)
-                                    ->actions([
-                                        Actions\Action::make('view_run')
-                                            ->label(OperationRunLinks::openLabel())
-                                            ->url($runUrl),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            if ($result->status === 'blocked') {
-                                $reasonCode = is_string($result->run->context['reason_code'] ?? null)
-                                    ? (string) $result->run->context['reason_code']
-                                    : 'unknown_error';
-
-                                $actions = [
-                                    Actions\Action::make('view_run')
-                                        ->label(OperationRunLinks::openLabel())
-                                        ->url($runUrl),
-                                ];
-
-                                $nextSteps = $result->run->context['next_steps'] ?? [];
-                                $nextSteps = is_array($nextSteps) ? $nextSteps : [];
-
-                                foreach ($nextSteps as $index => $step) {
-                                    if (! is_array($step)) {
-                                        continue;
-                                    }
-
-                                    $label = is_string($step['label'] ?? null) ? trim((string) $step['label']) : '';
-                                    $url = is_string($step['url'] ?? null) ? trim((string) $step['url']) : '';
-
-                                    if ($label === '' || $url === '') {
-                                        continue;
-                                    }
-
-                                    $actions[] = Actions\Action::make('next_step_'.$index)
-                                        ->label($label)
-                                        ->url($url);
-
-                                    break;
-                                }
-
-                                $reasonEnvelope = app(\App\Support\ReasonTranslation\ReasonPresenter::class)->forOperationRun($result->run, 'notification');
-                                $bodyLines = $reasonEnvelope?->toBodyLines() ?? ['Blocked by provider configuration.'];
-
-                                Notification::make()
-                                    ->title('Verification blocked')
-                                    ->body(implode("\n", $bodyLines))
-                                    ->warning()
-                                    ->actions($actions)
-                                    ->send();
-
-                                return;
-                            }
-
-                            OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                            OperationUxPresenter::queuedToast((string) $result->run->type)
-                                ->actions([
-                                    Actions\Action::make('view_run')
-                                        ->label(OperationRunLinks::openLabel())
-                                        ->url($runUrl),
-                                ])
-                                ->send();
-                        }),
-                )
-                    ->preserveVisibility()
-                    ->requireCapability(Capabilities::PROVIDER_RUN)
-                    ->apply(),
-                TenantResource::rbacAction(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('refresh_rbac')
-                        ->label('Refresh RBAC status')
-                        ->icon('heroicon-o-arrow-path')
-                        ->color('primary')
-                        ->requiresConfirmation()
-                        ->visible(fn (Tenant $record): bool => $record->isActive())
-                        ->action(function (Tenant $record): void {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                abort(403);
-                            }
-
-                            if (! $user->canAccessTenant($record)) {
-                                abort(404);
-                            }
-
-                            /** @var OperationRunService $runs */
-                            $runs = app(OperationRunService::class);
-
-                            $opRun = $runs->ensureRun(
-                                tenant: $record,
-                                type: OperationRunType::RbacHealthCheck->value,
-                                inputs: [
-                                    'tenant_id' => (int) $record->getKey(),
-                                    'surface' => 'tenant_view_header',
-                                ],
-                                initiator: $user,
-                            );
-
-                            $runUrl = OperationRunLinks::tenantlessView($opRun);
-
-                            if ($opRun->wasRecentlyCreated === false) {
-                                OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                                OperationUxPresenter::alreadyQueuedToast((string) $opRun->type)
-                                    ->actions([
-                                        Actions\Action::make('view_run')
-                                            ->label(OperationRunLinks::openLabel())
-                                            ->url($runUrl),
-                                    ])
-                                    ->send();
-
-                                return;
-                            }
-
-                            RefreshTenantRbacHealthJob::dispatch(
-                                (int) $record->getKey(),
-                                (int) $user->getKey(),
-                                $opRun,
-                            );
-
-                            OpsUxBrowserEvents::dispatchRunEnqueued($this);
-
-                            OperationUxPresenter::queuedToast((string) $opRun->type)
-                                ->actions([
-                                    Actions\Action::make('view_run')
-                                        ->label(OperationRunLinks::openLabel())
-                                        ->url($runUrl),
-                                ])
-                                ->send();
-                        }),
-                )
-                    ->preserveVisibility()
-                    ->requireCapability(Capabilities::PROVIDER_RUN)
-                    ->apply(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('restore')
-                        ->label(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->label ?? 'Restore')
-                        ->color('success')
-                        ->icon(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->icon ?? 'heroicon-o-arrow-uturn-left')
-                        ->requiresConfirmation()
-                        ->modalHeading(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->modalHeading ?? 'Restore tenant')
-                        ->modalDescription(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->modalDescription ?? 'Restore this archived tenant to make it available again in normal management flows.')
-                        ->visible(fn (Tenant $record): bool => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->key === 'restore')
-                        ->action(function (Tenant $record, WorkspaceAuditLogger $auditLogger): void {
-                            TenantResource::restoreTenant($record, $auditLogger);
-                        })
-                )
-                    ->preserveVisibility()
-                    ->requireCapability(Capabilities::TENANT_DELETE)
-                    ->destructive()
-                    ->apply(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('archive')
-                        ->label(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->label ?? 'Archive')
-                        ->color('danger')
-                        ->icon(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->icon ?? 'heroicon-o-archive-box-x-mark')
-                        ->requiresConfirmation()
-                        ->modalHeading(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->modalHeading ?? 'Archive tenant')
-                        ->modalDescription(fn (Tenant $record): string => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->modalDescription ?? 'Archive this tenant to retain it for inspection while removing it from active operating flows.')
-                        ->visible(fn (Tenant $record): bool => TenantResource::lifecycleActionDescriptor($record, TenantActionSurface::TenantViewHeader)?->key === 'archive')
-                        ->action(function (Tenant $record, WorkspaceAuditLogger $auditLogger): void {
-                            TenantResource::archiveTenant($record, $auditLogger);
-                        })
-                )
-                    ->preserveVisibility()
-                    ->requireCapability(Capabilities::TENANT_DELETE)
-                    ->destructive()
-                    ->apply(),
-            ])
-                ->label('Actions')
-                ->icon('heroicon-o-ellipsis-vertical')
-                ->color('gray'),
-        ];
-    }
-}

app/Filament/Resources/TenantReviewResource/Pages/ViewTenantReview.php

@@ -1,205 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Resources\TenantReviewResource\Pages;
-
-use App\Filament\Resources\TenantReviewResource;
-use App\Models\Tenant;
-use App\Models\TenantReview;
-use App\Models\User;
-use App\Services\TenantReviews\TenantReviewLifecycleService;
-use App\Services\TenantReviews\TenantReviewService;
-use App\Support\Auth\Capabilities;
-use App\Support\OperationRunLinks;
-use App\Support\Rbac\UiEnforcement;
-use App\Support\TenantReviewStatus;
-use Filament\Actions;
-use Filament\Notifications\Notification;
-use Filament\Resources\Pages\ViewRecord;
-use Illuminate\Database\Eloquent\Model;
-
-class ViewTenantReview extends ViewRecord
-{
-    protected static string $resource = TenantReviewResource::class;
-
-    protected function resolveRecord(int|string $key): Model
-    {
-        return TenantReviewResource::resolveScopedRecordOrFail($key);
-    }
-
-    protected function authorizeAccess(): void
-    {
-        $tenant = TenantReviewResource::panelTenantContext();
-        $record = $this->getRecord();
-        $user = auth()->user();
-
-        if (! $user instanceof User || ! $tenant instanceof Tenant || ! $record instanceof TenantReview) {
-            abort(404);
-        }
-
-        if ((int) $record->tenant_id !== (int) $tenant->getKey()) {
-            abort(404);
-        }
-
-        if (! $user->canAccessTenant($tenant)) {
-            abort(404);
-        }
-
-        if (! $user->can('view', $record)) {
-            abort(403);
-        }
-    }
-
-    protected function getHeaderActions(): array
-    {
-        return [
-            Actions\Action::make('view_run')
-                ->label('Open operation')
-                ->icon('heroicon-o-eye')
-                ->color('gray')
-                ->hidden(fn (): bool => ! is_numeric($this->record->operation_run_id))
-                ->url(fn (): ?string => $this->record->operation_run_id
-                    ? OperationRunLinks::tenantlessView((int) $this->record->operation_run_id)
-                    : null),
-            Actions\Action::make('view_export')
-                ->label('View executive pack')
-                ->icon('heroicon-o-document-arrow-down')
-                ->color('gray')
-                ->hidden(fn (): bool => ! $this->record->currentExportReviewPack)
-                ->url(fn (): ?string => $this->record->currentExportReviewPack
-                    ? \App\Filament\Resources\ReviewPackResource::getUrl('view', ['record' => $this->record->currentExportReviewPack], tenant: $this->record->tenant)
-                    : null),
-            Actions\Action::make('view_evidence')
-                ->label('View evidence snapshot')
-                ->icon('heroicon-o-shield-check')
-                ->color('gray')
-                ->hidden(fn (): bool => ! $this->record->evidenceSnapshot)
-                ->url(fn (): ?string => $this->record->evidenceSnapshot
-                    ? \App\Filament\Resources\EvidenceSnapshotResource::getUrl('view', ['record' => $this->record->evidenceSnapshot], tenant: $this->record->tenant)
-                    : null),
-            UiEnforcement::forAction(
-                Actions\Action::make('refresh_review')
-                    ->label('Refresh review')
-                    ->icon('heroicon-o-arrow-path')
-                    ->hidden(fn (): bool => ! $this->record->isMutable())
-                    ->requiresConfirmation()
-                    ->action(function (): void {
-                        $user = auth()->user();
-
-                        if (! $user instanceof User) {
-                            abort(403);
-                        }
-
-                        try {
-                            app(TenantReviewService::class)->refresh($this->record, $user);
-                        } catch (\Throwable $throwable) {
-                            Notification::make()->danger()->title('Unable to refresh review')->body($throwable->getMessage())->send();
-
-                            return;
-                        }
-
-                        Notification::make()->success()->title('Refresh review queued')->send();
-                    }),
-            )
-                ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
-                ->preserveVisibility()
-                ->apply(),
-            UiEnforcement::forAction(
-                Actions\Action::make('publish_review')
-                    ->label('Publish review')
-                    ->icon('heroicon-o-check-badge')
-                    ->hidden(fn (): bool => ! $this->record->isMutable())
-                    ->requiresConfirmation()
-                    ->action(function (): void {
-                        $user = auth()->user();
-
-                        if (! $user instanceof User) {
-                            abort(403);
-                        }
-
-                        try {
-                            app(TenantReviewLifecycleService::class)->publish($this->record, $user);
-                        } catch (\Throwable $throwable) {
-                            Notification::make()->danger()->title('Unable to publish review')->body($throwable->getMessage())->send();
-
-                            return;
-                        }
-
-                        $this->refreshFormData(['status', 'published_at', 'published_by_user_id', 'summary']);
-                        Notification::make()->success()->title('Review published')->send();
-                    }),
-            )
-                ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
-                ->preserveVisibility()
-                ->apply(),
-            UiEnforcement::forAction(
-                Actions\Action::make('export_executive_pack')
-                    ->label('Export executive pack')
-                    ->icon('heroicon-o-arrow-down-tray')
-                    ->hidden(fn (): bool => ! in_array($this->record->status, [
-                        TenantReviewStatus::Ready->value,
-                        TenantReviewStatus::Published->value,
-                    ], true))
-                    ->action(fn (): mixed => TenantReviewResource::executeExport($this->record)),
-            )
-                ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
-                ->preserveVisibility()
-                ->apply(),
-            Actions\ActionGroup::make([
-                UiEnforcement::forAction(
-                    Actions\Action::make('create_next_review')
-                        ->label('Create next review')
-                        ->icon('heroicon-o-document-duplicate')
-                        ->hidden(fn (): bool => ! $this->record->isPublished())
-                        ->action(function (): void {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                abort(403);
-                            }
-
-                            try {
-                                $nextReview = app(TenantReviewLifecycleService::class)->createNextReview($this->record, $user);
-                            } catch (\Throwable $throwable) {
-                                Notification::make()->danger()->title('Unable to create next review')->body($throwable->getMessage())->send();
-
-                                return;
-                            }
-
-                            $this->redirect(TenantReviewResource::tenantScopedUrl('view', ['record' => $nextReview], $nextReview->tenant));
-                        }),
-                )
-                    ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
-                    ->preserveVisibility()
-                    ->apply(),
-                UiEnforcement::forAction(
-                    Actions\Action::make('archive_review')
-                        ->label('Archive review')
-                        ->icon('heroicon-o-archive-box')
-                        ->color('danger')
-                        ->hidden(fn (): bool => $this->record->statusEnum()->isTerminal())
-                        ->requiresConfirmation()
-                        ->action(function (): void {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                abort(403);
-                            }
-
-                            app(TenantReviewLifecycleService::class)->archive($this->record, $user);
-                            $this->refreshFormData(['status', 'archived_at']);
-
-                            Notification::make()->success()->title('Review archived')->send();
-                        }),
-                )
-                    ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
-                    ->preserveVisibility()
-                    ->apply(),
-            ])
-                ->label('More')
-                ->icon('heroicon-m-ellipsis-vertical')
-                ->color('gray'),
-        ];
-    }
-}

app/Filament/Widgets/Dashboard/NeedsAttention.php

@@ -1,254 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Widgets\Dashboard;
-
-use App\Filament\Pages\BaselineCompareLanding;
-use App\Filament\Resources\FindingResource;
-use App\Models\FindingException;
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Support\Auth\Capabilities;
-use App\Support\Baselines\TenantGovernanceAggregate;
-use App\Support\Baselines\TenantGovernanceAggregateResolver;
-use App\Support\OperationRunLinks;
-use App\Support\OpsUx\ActiveRuns;
-use App\Support\Rbac\UiTooltips;
-use Filament\Facades\Filament;
-use Filament\Widgets\Widget;
-
-class NeedsAttention extends Widget
-{
-    protected string $view = 'filament.widgets.dashboard.needs-attention';
-
-    /**
-     * @return array<string, mixed>
-     */
-    protected function getViewData(): array
-    {
-        $tenant = Filament::getTenant();
-
-        if (! $tenant instanceof Tenant) {
-            return [
-                'pollingInterval' => null,
-                'items' => [],
-                'healthyChecks' => [],
-            ];
-        }
-
-        $tenantId = (int) $tenant->getKey();
-        $aggregate = $this->governanceAggregate($tenant);
-        $compareAssessment = $aggregate->summaryAssessment;
-
-        $items = [];
-
-        $overdueOpenCount = $aggregate->overdueOpenFindingsCount;
-        $lapsedGovernanceCount = $aggregate->lapsedGovernanceCount;
-        $expiringGovernanceCount = $aggregate->expiringGovernanceCount;
-        $highSeverityCount = $aggregate->highSeverityActiveFindingsCount;
-        $staleActiveOperationsCount = (int) OperationRun::query()
-            ->where('tenant_id', $tenantId)
-            ->activeStaleAttention()
-            ->count();
-        $terminalFollowUpOperationsCount = (int) OperationRun::query()
-            ->where('tenant_id', $tenantId)
-            ->terminalFollowUp()
-            ->count();
-        $activeRuns = (int) OperationRun::query()
-            ->where('tenant_id', $tenantId)
-            ->healthyActive()
-            ->count();
-
-        if ($lapsedGovernanceCount > 0) {
-            $items[] = [
-                'key' => 'lapsed_governance',
-                'title' => 'Lapsed accepted-risk governance',
-                'body' => "{$lapsedGovernanceCount} accepted-risk finding(s) no longer have valid supporting governance.",
-                'badge' => 'Governance',
-                'badgeColor' => 'danger',
-                ...$this->findingsAction(
-                    $tenant,
-                    'Open findings',
-                    [
-                        'tab' => 'risk_accepted',
-                        'governance_validity' => FindingException::VALIDITY_MISSING_SUPPORT,
-                    ],
-                ),
-            ];
-        }
-
-        if ($overdueOpenCount > 0) {
-            $items[] = [
-                'key' => 'overdue_findings',
-                'title' => 'Overdue findings',
-                'body' => "{$overdueOpenCount} open finding(s) are overdue and still need workflow follow-up.",
-                'badge' => 'Findings',
-                'badgeColor' => 'danger',
-                ...$this->findingsAction(
-                    $tenant,
-                    'Open findings',
-                    ['tab' => 'overdue'],
-                ),
-            ];
-        }
-
-        if ($expiringGovernanceCount > 0) {
-            $items[] = [
-                'key' => 'expiring_governance',
-                'title' => 'Expiring accepted-risk governance',
-                'body' => "{$expiringGovernanceCount} accepted-risk finding(s) need governance review soon.",
-                'badge' => 'Governance',
-                'badgeColor' => 'warning',
-                ...$this->findingsAction(
-                    $tenant,
-                    'Open findings',
-                    [
-                        'tab' => 'risk_accepted',
-                        'governance_validity' => FindingException::VALIDITY_EXPIRING,
-                    ],
-                ),
-            ];
-        }
-
-        if ($highSeverityCount > 0) {
-            $items[] = [
-                'key' => 'high_severity_active_findings',
-                'title' => 'High severity active findings',
-                'body' => "{$highSeverityCount} high or critical finding(s) are still active.",
-                'badge' => 'Findings',
-                'badgeColor' => 'danger',
-                ...$this->findingsAction(
-                    $tenant,
-                    'Open findings',
-                    [
-                        'tab' => 'needs_action',
-                        'high_severity' => 1,
-                    ],
-                ),
-            ];
-        }
-
-        if ($compareAssessment->stateFamily !== 'positive') {
-            $items[] = [
-                'key' => 'baseline_compare_posture',
-                'title' => 'Baseline compare posture',
-                'body' => $compareAssessment->headline,
-                'supportingMessage' => $compareAssessment->supportingMessage,
-                'badge' => 'Baseline',
-                'badgeColor' => $compareAssessment->tone,
-                'actionLabel' => 'Open Baseline Compare',
-                'actionUrl' => BaselineCompareLanding::getUrl(panel: 'tenant', tenant: $tenant),
-            ];
-        }
-
-        if ($staleActiveOperationsCount > 0) {
-            $items[] = [
-                'key' => 'operations_stale_attention',
-                'title' => 'Active operations look stale',
-                'body' => "{$staleActiveOperationsCount} run(s) are still marked active but are past the lifecycle window.",
-                'badge' => 'Operations',
-                'badgeColor' => 'warning',
-                'actionLabel' => 'Open stale operations',
-                'actionUrl' => OperationRunLinks::index(
-                    $tenant,
-                    activeTab: OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION,
-                    problemClass: OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION,
-                ),
-            ];
-        }
-
-        if ($terminalFollowUpOperationsCount > 0) {
-            $items[] = [
-                'key' => 'operations_terminal_follow_up',
-                'title' => 'Terminal operations need follow-up',
-                'body' => "{$terminalFollowUpOperationsCount} run(s) finished blocked, partially, failed, or were automatically reconciled.",
-                'badge' => 'Operations',
-                'badgeColor' => 'danger',
-                'actionLabel' => 'Open terminal follow-up',
-                'actionUrl' => OperationRunLinks::index(
-                    $tenant,
-                    activeTab: OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP,
-                    problemClass: OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP,
-                ),
-            ];
-        }
-
-        $healthyChecks = [];
-
-        if ($items === []) {
-            $healthyChecks = [
-                [
-                    'title' => 'Baseline compare looks trustworthy',
-                    'body' => $aggregate->headline,
-                ],
-                [
-                    'title' => 'No overdue findings',
-                    'body' => 'No open findings are currently overdue for this tenant.',
-                ],
-                [
-                    'title' => 'Accepted-risk governance is healthy',
-                    'body' => 'No accepted-risk findings currently need governance follow-up.',
-                ],
-                [
-                    'title' => 'No high severity active findings',
-                    'body' => 'No high severity findings are currently open for this tenant.',
-                ],
-                $activeRuns > 0
-                    ? [
-                        'title' => 'Operations are active',
-                        'body' => "{$activeRuns} run(s) are active, but nothing currently needs follow-up.",
-                    ]
-                    : [
-                        'title' => 'No active operations',
-                        'body' => 'Nothing is currently running for this tenant.',
-                    ],
-            ];
-        }
-
-        return [
-            'pollingInterval' => ActiveRuns::pollingIntervalForTenant($tenant),
-            'items' => $items,
-            'healthyChecks' => $healthyChecks,
-        ];
-    }
-
-    /**
-     * @param  array<string, mixed>  $parameters
-     * @return array<string, mixed>
-     */
-    private function findingsAction(Tenant $tenant, string $label, array $parameters): array
-    {
-        $url = $this->canOpenFindings($tenant)
-            ? FindingResource::getUrl('index', $parameters, panel: 'tenant', tenant: $tenant)
-            : null;
-
-        return [
-            'actionLabel' => $label,
-            'actionUrl' => $url,
-            'actionDisabled' => $url === null,
-            'helperText' => $url === null ? UiTooltips::INSUFFICIENT_PERMISSION : null,
-        ];
-    }
-
-    private function canOpenFindings(Tenant $tenant): bool
-    {
-        $user = auth()->user();
-
-        return $user instanceof User
-            && $user->canAccessTenant($tenant)
-            && $user->can(Capabilities::TENANT_FINDINGS_VIEW, $tenant);
-    }
-
-    private function governanceAggregate(Tenant $tenant): TenantGovernanceAggregate
-    {
-        /** @var TenantGovernanceAggregateResolver $resolver */
-        $resolver = app(TenantGovernanceAggregateResolver::class);
-
-        /** @var TenantGovernanceAggregate $aggregate */
-        $aggregate = $resolver->forTenant($tenant);
-
-        return $aggregate;
-    }
-}

app/Models/BaselineTenantAssignment.php

@@ -1,40 +0,0 @@
-<?php
-
-namespace App\Models;
-
-use App\Support\Concerns\DerivesWorkspaceIdFromTenant;
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\Relations\BelongsTo;
-
-class BaselineTenantAssignment extends Model
-{
-    use DerivesWorkspaceIdFromTenant;
-    use HasFactory;
-
-    protected $guarded = [];
-
-    protected $casts = [
-        'override_scope_jsonb' => 'array',
-    ];
-
-    public function workspace(): BelongsTo
-    {
-        return $this->belongsTo(Workspace::class);
-    }
-
-    public function tenant(): BelongsTo
-    {
-        return $this->belongsTo(Tenant::class);
-    }
-
-    public function baselineProfile(): BelongsTo
-    {
-        return $this->belongsTo(BaselineProfile::class);
-    }
-
-    public function assignedByUser(): BelongsTo
-    {
-        return $this->belongsTo(User::class, 'assigned_by_user_id');
-    }
-}

app/Support/Badges/Domains/ProviderConnectionHealthBadge.php

@@ -1,23 +0,0 @@
-<?php
-
-namespace App\Support\Badges\Domains;
-
-use App\Support\Badges\BadgeCatalog;
-use App\Support\Badges\BadgeMapper;
-use App\Support\Badges\BadgeSpec;
-
-final class ProviderConnectionHealthBadge implements BadgeMapper
-{
-    public function spec(mixed $value): BadgeSpec
-    {
-        $state = BadgeCatalog::normalizeProviderConnectionHealth($value);
-
-        return match ($state) {
-            'ok' => new BadgeSpec('OK', 'success', 'heroicon-m-check-circle'),
-            'degraded' => new BadgeSpec('Degraded', 'warning', 'heroicon-m-exclamation-triangle'),
-            'down' => new BadgeSpec('Down', 'danger', 'heroicon-m-x-circle'),
-            'unknown' => new BadgeSpec('Unknown', 'gray', 'heroicon-m-question-mark-circle'),
-            default => BadgeSpec::unknown(),
-        };
-    }
-}

app/Support/Badges/Domains/ProviderConnectionStatusBadge.php

@@ -1,23 +0,0 @@
-<?php
-
-namespace App\Support\Badges\Domains;
-
-use App\Support\Badges\BadgeCatalog;
-use App\Support\Badges\BadgeMapper;
-use App\Support\Badges\BadgeSpec;
-
-final class ProviderConnectionStatusBadge implements BadgeMapper
-{
-    public function spec(mixed $value): BadgeSpec
-    {
-        $state = BadgeCatalog::normalizeProviderConnectionStatus($value);
-
-        return match ($state) {
-            'connected' => new BadgeSpec('Connected', 'success', 'heroicon-m-check-circle'),
-            'needs_consent' => new BadgeSpec('Needs consent', 'warning', 'heroicon-m-exclamation-triangle'),
-            'error' => new BadgeSpec('Error', 'danger', 'heroicon-m-x-circle'),
-            'disabled' => new BadgeSpec('Disabled', 'gray', 'heroicon-m-minus-circle'),
-            default => BadgeSpec::unknown(),
-        };
-    }
-}

app/Support/Ui/ActionSurface/ActionSurfaceExemptions.php

@@ -1,52 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Ui\ActionSurface;
-
-use App\Support\WorkspaceIsolation\TenantOwnedModelFamilies;
-
-final class ActionSurfaceExemptions
-{
-    /**
-     * @param  array<string, string>  $componentReasons
-     */
-    public function __construct(
-        private readonly array $componentReasons,
-    ) {}
-
-    public static function baseline(): self
-    {
-        return new self(array_merge([
-            // Baseline allowlist for legacy surfaces. Keep shrinking this list.
-            // Declared system table pages are discovered directly; deferred system tooling stays out of scope by not opting in.
-            'App\\Filament\\Pages\\Auth\\Login' => 'Auth entry page is out-of-scope for action-surface retrofits in spec 082.',
-            'App\\Filament\\Pages\\BreakGlassRecovery' => 'Break-glass flow is governed by dedicated security specs and tests.',
-            'App\\Filament\\Pages\\ChooseTenant' => 'Tenant chooser has no contract-style table action surface.',
-            'App\\Filament\\Pages\\ChooseWorkspace' => 'Workspace chooser has no contract-style table action surface.',
-            'App\\Filament\\Pages\\Monitoring\\Alerts' => 'Monitoring alerts remains exempt because the active admin alerts surface resolves through the cluster entry at /admin/alerts, not this page-class route.',
-            'App\\Filament\\Pages\\Tenancy\\RegisterTenant' => 'Tenant onboarding route is covered by onboarding/RBAC specs.',
-            'App\\Filament\\Pages\\TenantDashboard' => 'Dashboard retrofit deferred; widget and summary surfaces are excluded from this contract.',
-            'App\\Filament\\Pages\\Workspaces\\ManagedTenantOnboardingWizard' => 'Onboarding wizard has dedicated conformance tests in spec 172 (OnboardingVerificationTest, OnboardingVerificationClustersTest, OnboardingVerificationV1_5UxTest) and remains exempt from blanket discovery.',
-            'App\\Filament\\Pages\\Workspaces\\ManagedTenantsLanding' => 'Managed-tenant landing retrofit deferred to workspace feature track.',
-        ], TenantOwnedModelFamilies::actionSurfaceBaselineExemptions()));
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    public function all(): array
-    {
-        return $this->componentReasons;
-    }
-
-    public function reasonForClass(string $className): ?string
-    {
-        return $this->componentReasons[$className] ?? null;
-    }
-
-    public function hasClass(string $className): bool
-    {
-        return array_key_exists($className, $this->componentReasons);
-    }
-}

app/Support/Ui/ActionSurface/ActionSurfaceValidator.php

@@ -1,391 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Ui\ActionSurface;
-
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
-
-final class ActionSurfaceValidator
-{
-    private ActionSurfaceDiscovery $discovery;
-
-    private ActionSurfaceProfileDefinition $profileDefinition;
-
-    private ActionSurfaceExemptions $exemptions;
-
-    public function __construct(
-        ?ActionSurfaceDiscovery $discovery = null,
-        ?ActionSurfaceProfileDefinition $profileDefinition = null,
-        ?ActionSurfaceExemptions $exemptions = null,
-    ) {
-        $this->discovery = $discovery ?? new ActionSurfaceDiscovery;
-        $this->profileDefinition = $profileDefinition ?? new ActionSurfaceProfileDefinition;
-        $this->exemptions = $exemptions ?? ActionSurfaceExemptions::baseline();
-    }
-
-    /**
-     * @return array<int, ActionSurfaceDiscoveredComponent>
-     */
-    public function discoveredComponents(): array
-    {
-        return $this->discovery->discover();
-    }
-
-    public static function withBaselineExemptions(): self
-    {
-        return new self(
-            discovery: new ActionSurfaceDiscovery,
-            profileDefinition: new ActionSurfaceProfileDefinition,
-            exemptions: ActionSurfaceExemptions::baseline(),
-        );
-    }
-
-    public function validate(): ActionSurfaceValidationResult
-    {
-        return $this->validateComponents($this->discoveredComponents());
-    }
-
-    /**
-     * @param  array<int, ActionSurfaceDiscoveredComponent>  $components
-     */
-    public function validateComponents(array $components): ActionSurfaceValidationResult
-    {
-        $issues = [];
-
-        foreach ($components as $component) {
-            if (! class_exists($component->className)) {
-                $issues[] = new ActionSurfaceValidationIssue(
-                    className: $component->className,
-                    message: 'Discovered class does not exist or is not autoloadable.',
-                    hint: 'Verify namespace/path and run composer dump-autoload if needed.',
-                );
-
-                continue;
-            }
-
-            $declaration = $this->resolveDeclarationForComponent($component, $issues);
-
-            if ($declaration === null) {
-                continue;
-            }
-
-            if ($declaration->componentType !== $component->componentType) {
-                $issues[] = new ActionSurfaceValidationIssue(
-                    className: $component->className,
-                    message: sprintf(
-                        'Declaration component type mismatch (%s declared, %s discovered).',
-                        $declaration->componentType->name,
-                        $component->componentType->name,
-                    ),
-                    hint: 'Use ActionSurfaceDeclaration::forResource/forPage/forRelationManager consistently.',
-                );
-            }
-
-            if ($declaration->defaults->moreGroupLabel !== 'More') {
-                $issues[] = new ActionSurfaceValidationIssue(
-                    className: $component->className,
-                    message: sprintf(
-                        'Invalid more-group label "%s".',
-                        $declaration->defaults->moreGroupLabel,
-                    ),
-                    hint: 'Set ActionSurfaceDefaults->moreGroupLabel to "More".',
-                );
-            }
-
-            $this->validateRequiredSlots($component->className, $declaration, $issues);
-            $this->validateBehaviorAwareContract($component->className, $declaration, $issues);
-            $this->validateExemptions($component->className, $declaration, $issues);
-            $this->validateExportDefaults($component->className, $declaration, $issues);
-        }
-
-        return new ActionSurfaceValidationResult(
-            issues: $issues,
-            componentCount: count($components),
-        );
-    }
-
-    /**
-     * @param  array<int, ActionSurfaceValidationIssue>  $issues
-     */
-    private function resolveDeclarationForComponent(
-        ActionSurfaceDiscoveredComponent $component,
-        array &$issues,
-    ): ?ActionSurfaceDeclaration {
-        $className = $component->className;
-
-        if (! method_exists($className, 'actionSurfaceDeclaration')) {
-            $this->validateClassExemptionOrFail($className, $issues);
-
-            return null;
-        }
-
-        try {
-            $declaration = $className::actionSurfaceDeclaration();
-        } catch (\Throwable $throwable) {
-            $issues[] = new ActionSurfaceValidationIssue(
-                className: $className,
-                message: 'actionSurfaceDeclaration() threw an exception: '.$throwable->getMessage(),
-                hint: 'Ensure actionSurfaceDeclaration() is static and does not depend on request state.',
-            );
-
-            return null;
-        }
-
-        if (! $declaration instanceof ActionSurfaceDeclaration) {
-            $issues[] = new ActionSurfaceValidationIssue(
-                className: $className,
-                message: 'actionSurfaceDeclaration() must return ActionSurfaceDeclaration.',
-                hint: 'Return ActionSurfaceDeclaration::forResource/forPage/forRelationManager(...).',
-            );
-
-            return null;
-        }
-
-        return $declaration;
-    }
-
-    /**
-     * @param  array<int, ActionSurfaceValidationIssue>  $issues
-     */
-    private function validateClassExemptionOrFail(string $className, array &$issues): void
-    {
-        $reason = $this->exemptions->reasonForClass($className);
-
-        if ($reason === null) {
-            $issues[] = new ActionSurfaceValidationIssue(
-                className: $className,
-                message: 'Missing action-surface declaration and no component exemption exists.',
-                hint: 'Add actionSurfaceDeclaration() or register a baseline exemption with a non-empty reason.',
-            );
-
-            return;
-        }
-
-        if (trim($reason) === '') {
-            $issues[] = new ActionSurfaceValidationIssue(
-                className: $className,
-                message: 'Component exemption reason must be non-empty.',
-                hint: 'Provide a concrete, non-empty justification in ActionSurfaceExemptions::baseline().',
-            );
-        }
-    }
-
-    /**
-     * @param  array<int, ActionSurfaceValidationIssue>  $issues
-     */
-    private function validateRequiredSlots(
-        string $className,
-        ActionSurfaceDeclaration $declaration,
-        array &$issues,
-    ): void {
-        foreach ($this->profileDefinition->requiredSlots($declaration->profile) as $slot) {
-            $requirement = $declaration->slot($slot);
-
-            if ($requirement === null) {
-                $issues[] = new ActionSurfaceValidationIssue(
-                    className: $className,
-                    slot: $slot,
-                    message: 'Required slot is not declared.',
-                    hint: 'Declare slot as satisfied or exempt with a reason.',
-                );
-
-                continue;
-            }
-
-            if (! $requirement->isExempt()) {
-                if ($slot === ActionSurfaceSlot::InspectAffordance) {
-                    $this->validateInspectAffordanceSlot($className, $requirement, $issues);
-                }
-
-                continue;
-            }
-
-            $exemption = $declaration->exemption($slot);
-
-            if ($exemption === null || ! $exemption->hasReason()) {
-                $issues[] = new ActionSurfaceValidationIssue(
-                    className: $className,
-                    slot: $slot,
-                    message: 'Slot is marked exempt but exemption reason is missing or empty.',
-                    hint: 'Use ->exempt(slot, "reason") with a non-empty reason.',
-                );
-            }
-        }
-    }
-
-    /**
-     * @param  array<int, ActionSurfaceValidationIssue>  $issues
-     */
-    private function validateInspectAffordanceSlot(
-        string $className,
-        ActionSurfaceSlotRequirement $requirement,
-        array &$issues,
-    ): void {
-        $this->resolveInspectAffordance($className, $requirement, $issues);
-    }
-
-    /**
-     * @param  array<int, ActionSurfaceValidationIssue>  $issues
-     */
-    private function validateBehaviorAwareContract(
-        string $className,
-        ActionSurfaceDeclaration $declaration,
-        array &$issues,
-    ): void {
-        if (! $declaration->requiresBehaviorAwareContract()) {
-            return;
-        }
-
-        if ($declaration->surfaceType === null) {
-            $issues[] = new ActionSurfaceValidationIssue(
-                className: $className,
-                message: 'Behavior-aware declarations must define a surface type.',
-                hint: 'Pass an ActionSurfaceType when creating the declaration.',
-            );
-
-            return;
-        }
-
-        if (! $this->profileDefinition->allowsSurfaceType($declaration->profile, $declaration->surfaceType)) {
-            $issues[] = new ActionSurfaceValidationIssue(
-                className: $className,
-                message: sprintf(
-                    'Surface type "%s" is incompatible with profile "%s".',
-                    $declaration->surfaceType->value,
-                    $declaration->profile->value,
-                ),
-                hint: 'Choose a surface type allowed for the profile or change the profile to match the rendered list behavior.',
-            );
-
-            return;
-        }
-
-        $requirement = $declaration->slot(ActionSurfaceSlot::InspectAffordance);
-
-        if (! $requirement instanceof ActionSurfaceSlotRequirement || $requirement->isExempt()) {
-            return;
-        }
-
-        $affordance = $this->resolveInspectAffordance($className, $requirement, $issues);
-
-        if (! $affordance instanceof ActionSurfaceInspectAffordance) {
-            return;
-        }
-
-        if (! $declaration->surfaceType->allowsInspectAffordance($affordance)) {
-            $allowed = implode(', ', array_map(
-                static fn (ActionSurfaceInspectAffordance $allowedAffordance): string => $allowedAffordance->value,
-                $declaration->surfaceType->allowedInspectAffordances(),
-            ));
-
-            $issues[] = new ActionSurfaceValidationIssue(
-                className: $className,
-                slot: ActionSurfaceSlot::InspectAffordance,
-                message: sprintf(
-                    'Inspect affordance "%s" is incompatible with surface type "%s".',
-                    $affordance->value,
-                    $declaration->surfaceType->value,
-                ),
-                hint: sprintf('Allowed: %s.', $allowed),
-            );
-        }
-
-        if ($affordance->isPrimaryLinkColumn() && trim((string) $declaration->primaryLinkColumnReason()) === '') {
-            $issues[] = new ActionSurfaceValidationIssue(
-                className: $className,
-                slot: ActionSurfaceSlot::InspectAffordance,
-                message: 'Primary link column inspect affordance requires a non-empty reason.',
-                hint: 'Call ->withPrimaryLinkColumnReason("why row click is not the right primary inspect model").',
-            );
-        }
-    }
-
-    /**
-     * @param  array<int, ActionSurfaceValidationIssue>  $issues
-     */
-    private function resolveInspectAffordance(
-        string $className,
-        ActionSurfaceSlotRequirement $requirement,
-        array &$issues,
-    ): ?ActionSurfaceInspectAffordance {
-        $mode = $requirement->details;
-
-        if (! is_string($mode) || trim($mode) === '') {
-            $issues[] = new ActionSurfaceValidationIssue(
-                className: $className,
-                slot: ActionSurfaceSlot::InspectAffordance,
-                message: 'Inspect affordance must declare how inspection is provided (clickable_row, view_action, or primary_link_column).',
-                hint: 'Use ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value).',
-            );
-
-            return null;
-        }
-
-        $affordance = ActionSurfaceInspectAffordance::tryFrom($mode);
-
-        if ($affordance instanceof ActionSurfaceInspectAffordance) {
-            return $affordance;
-        }
-
-        $issues[] = new ActionSurfaceValidationIssue(
-            className: $className,
-            slot: ActionSurfaceSlot::InspectAffordance,
-            message: sprintf('Invalid inspect affordance mode "%s".', $mode),
-            hint: 'Allowed: clickable_row, view_action, primary_link_column.',
-        );
-
-        return null;
-    }
-
-    /**
-     * @param  array<int, ActionSurfaceValidationIssue>  $issues
-     */
-    private function validateExemptions(
-        string $className,
-        ActionSurfaceDeclaration $declaration,
-        array &$issues,
-    ): void {
-        foreach ($declaration->exemptions() as $slotValue => $exemption) {
-            if (! $exemption->hasReason()) {
-                $issues[] = new ActionSurfaceValidationIssue(
-                    className: $className,
-                    slot: ActionSurfaceSlot::from($slotValue),
-                    message: 'Exemption reason must be non-empty.',
-                    hint: 'Provide a concise reason for each exempted slot.',
-                );
-            }
-        }
-    }
-
-    /**
-     * @param  array<int, ActionSurfaceValidationIssue>  $issues
-     */
-    private function validateExportDefaults(
-        string $className,
-        ActionSurfaceDeclaration $declaration,
-        array &$issues,
-    ): void {
-        if (! $this->profileDefinition->requiresExportDefaultBulk($declaration->profile)) {
-            return;
-        }
-
-        if ($declaration->defaults->exportIsDefaultBulkActionForReadOnly) {
-            return;
-        }
-
-        $bulkExemption = $declaration->exemption(ActionSurfaceSlot::ListBulkMoreGroup);
-
-        if ($bulkExemption instanceof ActionSurfaceExemption && $bulkExemption->hasReason()) {
-            return;
-        }
-
-        $issues[] = new ActionSurfaceValidationIssue(
-            className: $className,
-            slot: ActionSurfaceSlot::ListBulkMoreGroup,
-            message: 'ReadOnly/RunLog profile disables Export default but no bulk-slot exemption reason was provided.',
-            hint: 'Keep exportIsDefaultBulkActionForReadOnly=true or exempt ListBulkMoreGroup with a reason.',
-        );
-    }
-}

apps/platform/.env.example

@@ -3,6 +3,8 @@ APP_ENV=local
 APP_KEY=
 APP_DEBUG=true
 APP_URL=http://localhost
+SAIL_FILES=../../docker-compose.yml
+TENANTATLAS_REPO_ROOT=../..
 
 APP_LOCALE=en
 APP_FALLBACK_LOCALE=en
@@ -21,11 +23,12 @@ LOG_DEPRECATIONS_CHANNEL=null
 LOG_LEVEL=debug
 
 DB_CONNECTION=pgsql
-DB_HOST=127.0.0.1
+DB_HOST=pgsql
 DB_PORT=5432
+FORWARD_DB_PORT=55432
 DB_DATABASE=tenantatlas
 DB_USERNAME=root
-DB_PASSWORD=
+DB_PASSWORD=postgres
 
 SESSION_DRIVER=database
 SESSION_LIFETIME=120
@@ -43,7 +46,7 @@ CACHE_STORE=database
 MEMCACHED_HOST=127.0.0.1
 
 REDIS_CLIENT=phpredis
-REDIS_HOST=127.0.0.1
+REDIS_HOST=redis
 REDIS_PASSWORD=null
 REDIS_PORT=6379
 

apps/platform/app/Console/Commands/ClassifyProviderConnections.php

@@ -10,7 +10,6 @@
 use App\Services\Intune\AuditLogger;
 use App\Services\Providers\ProviderConnectionClassificationResult;
 use App\Services\Providers\ProviderConnectionClassifier;
-use App\Services\Providers\ProviderConnectionStateProjector;
 use App\Support\Providers\ProviderConnectionType;
 use App\Support\Providers\ProviderCredentialKind;
 use App\Support\Providers\ProviderCredentialSource;
@@ -29,10 +28,8 @@ class ClassifyProviderConnections extends Command
 
     protected $description = 'Classify legacy provider connections into platform, dedicated, or review-required outcomes.';
 
-    public function handle(
+    public function handle(ProviderConnectionClassifier $classifier): int
-        ProviderConnectionClassifier $classifier,
+    {
-        ProviderConnectionStateProjector $stateProjector,
-    ): int {
         $query = $this->query();
         $write = (bool) $this->option('write');
         $chunkSize = max(1, (int) $this->option('chunk'));
@@ -62,7 +59,6 @@ public function handle(
             ->orderBy('id')
             ->chunkById($chunkSize, function ($connections) use (
                 $classifier,
-                $stateProjector,
                 $write,
                 $tenantCounts,
                 &$startedTenants,
@@ -101,7 +97,7 @@ public function handle(
                         $startedTenants[$tenantKey] = true;
                     }
 
-                    $connection = $this->applyClassification($connection, $result, $stateProjector);
+                    $connection = $this->applyClassification($connection, $result);
                     $this->auditApplied($tenant, $connection, $result);
                     $appliedCount++;
                 }
@@ -146,11 +142,10 @@ private function query(): Builder
     private function applyClassification(
         ProviderConnection $connection,
         ProviderConnectionClassificationResult $result,
-        ProviderConnectionStateProjector $stateProjector,
     ): ProviderConnection {
-        DB::transaction(function () use ($connection, $result, $stateProjector): void {
+        DB::transaction(function () use ($connection, $result): void {
             $connection->forceFill(
-                $connection->classificationProjection($result, $stateProjector)
+                $connection->classificationProjection($result)
             )->save();
 
             $credential = $connection->credential;

apps/platform/app/Console/Commands/SeedBackupHealthBrowserFixture.php

@@ -0,0 +1,190 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Models\BackupItem;
+use App\Models\BackupSet;
+use App\Models\Policy;
+use App\Models\Tenant;
+use App\Models\TenantMembership;
+use App\Models\User;
+use App\Models\UserTenantPreference;
+use App\Models\Workspace;
+use App\Models\WorkspaceMembership;
+use Illuminate\Console\Command;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Schema;
+
+class SeedBackupHealthBrowserFixture extends Command
+{
+    protected $signature = 'tenantpilot:backup-health:seed-browser-fixture {--force-refresh : Rebuild the fixture backup basis even if it already exists}';
+
+    protected $description = 'Seed a local/testing browser fixture for the Spec 180 blocked backup drill-through scenario.';
+
+    public function handle(): int
+    {
+        if (! app()->environment(['local', 'testing'])) {
+            $this->error('This fixture command is limited to local and testing environments.');
+
+            return self::FAILURE;
+        }
+
+        $fixture = config('tenantpilot.backup_health.browser_smoke_fixture');
+
+        if (! is_array($fixture)) {
+            $this->error('The backup-health browser smoke fixture is not configured.');
+
+            return self::FAILURE;
+        }
+
+        $workspaceConfig = is_array($fixture['workspace'] ?? null) ? $fixture['workspace'] : [];
+        $userConfig = is_array($fixture['user'] ?? null) ? $fixture['user'] : [];
+        $scenarioConfig = is_array($fixture['blocked_drillthrough'] ?? null) ? $fixture['blocked_drillthrough'] : [];
+        $tenantRouteKey = (string) ($scenarioConfig['tenant_id'] ?? $scenarioConfig['tenant_external_id'] ?? '18000000-0000-4000-8000-000000000180');
+
+        $workspace = Workspace::query()->updateOrCreate(
+            ['slug' => (string) ($workspaceConfig['slug'] ?? 'spec-180-backup-health-smoke')],
+            ['name' => (string) ($workspaceConfig['name'] ?? 'Spec 180 Backup Health Smoke')],
+        );
+
+        $password = (string) ($userConfig['password'] ?? 'password');
+
+        $user = User::query()->updateOrCreate(
+            ['email' => (string) ($userConfig['email'] ?? 'smoke-requester+180@tenantpilot.local')],
+            [
+                'name' => (string) ($userConfig['name'] ?? 'Spec 180 Requester'),
+                'password' => Hash::make($password),
+                'email_verified_at' => now(),
+            ],
+        );
+
+        $tenant = Tenant::query()->updateOrCreate(
+            ['external_id' => $tenantRouteKey],
+            [
+                'workspace_id' => (int) $workspace->getKey(),
+                'name' => (string) ($scenarioConfig['tenant_name'] ?? 'Spec 180 Blocked Backup Tenant'),
+                'tenant_id' => $tenantRouteKey,
+                'app_certificate_thumbprint' => null,
+                'app_status' => 'ok',
+                'app_notes' => null,
+                'status' => Tenant::STATUS_ACTIVE,
+                'environment' => 'dev',
+                'is_current' => false,
+                'metadata' => ['fixture' => 'spec-180-browser-smoke'],
+                'rbac_status' => 'ok',
+                'rbac_last_checked_at' => now(),
+            ],
+        );
+
+        WorkspaceMembership::query()->updateOrCreate(
+            ['workspace_id' => (int) $workspace->getKey(), 'user_id' => (int) $user->getKey()],
+            ['role' => 'owner'],
+        );
+
+        TenantMembership::query()->updateOrCreate(
+            ['tenant_id' => (int) $tenant->getKey(), 'user_id' => (int) $user->getKey()],
+            ['role' => 'owner', 'source' => 'manual', 'source_ref' => 'spec-180-browser-smoke'],
+        );
+
+        if (Schema::hasColumn('users', 'last_workspace_id')) {
+            $user->forceFill(['last_workspace_id' => (int) $workspace->getKey()])->save();
+        }
+
+        if (Schema::hasTable('user_tenant_preferences')) {
+            UserTenantPreference::query()->updateOrCreate(
+                ['user_id' => (int) $user->getKey(), 'tenant_id' => (int) $tenant->getKey()],
+                ['last_used_at' => now()],
+            );
+        }
+
+        $policy = Policy::query()->updateOrCreate(
+            [
+                'tenant_id' => (int) $tenant->getKey(),
+                'external_id' => (string) ($scenarioConfig['policy_external_id'] ?? 'spec-180-rbac-stale-policy'),
+                'policy_type' => (string) ($scenarioConfig['policy_type'] ?? 'settingsCatalogPolicy'),
+            ],
+            [
+                'display_name' => (string) ($scenarioConfig['policy_name'] ?? 'Spec 180 RBAC Smoke Policy'),
+                'platform' => 'windows',
+                'last_synced_at' => now(),
+                'metadata' => ['fixture' => 'spec-180-browser-smoke'],
+            ],
+        );
+
+        $backupSet = BackupSet::withTrashed()->firstOrNew([
+            'tenant_id' => (int) $tenant->getKey(),
+            'name' => (string) ($scenarioConfig['backup_set_name'] ?? 'Spec 180 Blocked Stale Backup'),
+        ]);
+
+        $backupSet->forceFill([
+            'created_by' => (string) $user->email,
+            'status' => 'completed',
+            'item_count' => 1,
+            'completed_at' => now()->subHours(max(25, (int) ($scenarioConfig['stale_age_hours'] ?? 48))),
+            'metadata' => ['fixture' => 'spec-180-browser-smoke'],
+            'deleted_at' => null,
+        ])->save();
+
+        if (method_exists($backupSet, 'trashed') && $backupSet->trashed()) {
+            $backupSet->restore();
+        }
+
+        $backupItem = BackupItem::withTrashed()->firstOrNew([
+            'backup_set_id' => (int) $backupSet->getKey(),
+            'policy_identifier' => (string) ($scenarioConfig['policy_external_id'] ?? 'spec-180-rbac-stale-policy'),
+            'policy_type' => (string) ($scenarioConfig['policy_type'] ?? 'settingsCatalogPolicy'),
+        ]);
+
+        $backupItem->forceFill([
+            'tenant_id' => (int) $tenant->getKey(),
+            'policy_id' => (int) $policy->getKey(),
+            'platform' => 'windows',
+            'captured_at' => $backupSet->completed_at,
+            'payload' => [
+                'id' => (string) ($scenarioConfig['policy_external_id'] ?? 'spec-180-rbac-stale-policy'),
+                'name' => (string) ($scenarioConfig['policy_name'] ?? 'Spec 180 RBAC Smoke Policy'),
+            ],
+            'metadata' => [
+                'policy_name' => (string) ($scenarioConfig['policy_name'] ?? 'Spec 180 RBAC Smoke Policy'),
+                'fixture' => 'spec-180-browser-smoke',
+            ],
+            'assignments' => [],
+            'deleted_at' => null,
+        ])->save();
+
+        if (method_exists($backupItem, 'trashed') && $backupItem->trashed()) {
+            $backupItem->restore();
+        }
+
+        if ((bool) $this->option('force-refresh')) {
+            $backupSet->forceFill([
+                'completed_at' => now()->subHours(max(25, (int) ($scenarioConfig['stale_age_hours'] ?? 48))),
+            ])->save();
+
+            $backupItem->forceFill([
+                'captured_at' => $backupSet->completed_at,
+            ])->save();
+        }
+
+        $this->table(
+            ['Fixture', 'Value'],
+            [
+                ['Workspace', (string) $workspace->name],
+                ['User email', (string) $user->email],
+                ['User password', $password],
+                ['Tenant', (string) $tenant->name],
+                ['Tenant external id', (string) $tenant->external_id],
+                ['Dashboard URL', "/admin/t/{$tenant->external_id}"],
+                ['Fixture login URL', route('admin.local.backup-health-browser-fixture-login', absolute: false)],
+                ['Blocked route', "/admin/t/{$tenant->external_id}/backup-sets"],
+                ['Locally denied capability', 'tenant.view'],
+            ],
+        );
+
+        $this->info('The dashboard remains visible for this fixture user, while backup drill-through routes stay forbidden via a local/testing-only capability deny seam.');
+
+        return self::SUCCESS;
+    }
+}

apps/platform/app/Filament/Pages/BaselineCompareLanding.php

@@ -15,6 +15,7 @@
 use App\Support\Baselines\BaselineCaptureMode;
 use App\Support\Baselines\BaselineCompareEvidenceGapDetails;
 use App\Support\Baselines\BaselineCompareStats;
+use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\Baselines\TenantGovernanceAggregate;
 use App\Support\Baselines\TenantGovernanceAggregateResolver;
 use App\Support\OperationRunLinks;
@@ -109,6 +110,13 @@ class BaselineCompareLanding extends Page
     /** @var array<string, mixed>|null */
     public ?array $summaryAssessment = null;
 
+    /** @var array<string, mixed>|null */
+    public ?array $navigationContextPayload = null;
+
+    public ?int $matrixBaselineProfileId = null;
+
+    public ?string $matrixSubjectKey = null;
+
     public static function canAccess(): bool
     {
         $user = auth()->user();
@@ -130,6 +138,12 @@ public static function canAccess(): bool
 
     public function mount(): void
     {
+        $this->navigationContextPayload = is_array(request()->query('nav')) ? request()->query('nav') : null;
+        $baselineProfileId = request()->query('baseline_profile_id');
+        $subjectKey = request()->query('subject_key');
+
+        $this->matrixBaselineProfileId = is_numeric($baselineProfileId) ? (int) $baselineProfileId : null;
+        $this->matrixSubjectKey = is_string($subjectKey) && trim($subjectKey) !== '' ? trim($subjectKey) : null;
         $this->refreshStats();
     }
 
@@ -244,6 +258,9 @@ protected function getViewData(): array
         }
 
         return [
+            'navigationContext' => $this->navigationContext()?->toQuery()['nav'] ?? null,
+            'matrixBaselineProfileId' => $this->matrixBaselineProfileId,
+            'matrixSubjectKey' => $this->matrixSubjectKey,
             'hasCoverageWarnings' => $hasCoverageWarnings,
             'evidenceGapsCountValue' => $evidenceGapsCountValue,
             'hasEvidenceGaps' => $hasEvidenceGaps,
@@ -302,9 +319,19 @@ public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
      */
     protected function getHeaderActions(): array
     {
-        return [
+        $actions = [];
-            $this->compareNowAction(),
+        $navigationContext = $this->navigationContext();
-        ];
+
+        if ($navigationContext?->backLinkLabel !== null && $navigationContext->backLinkUrl !== null) {
+            $actions[] = Action::make('backToOrigin')
+                ->label($navigationContext->backLinkLabel)
+                ->color('gray')
+                ->url($navigationContext->backLinkUrl);
+        }
+
+        $actions[] = $this->compareNowAction();
+
+        return $actions;
     }
 
     private function compareNowAction(): Action
@@ -389,7 +416,7 @@ private function compareNowAction(): Action
                     ->actions($run instanceof OperationRun ? [
                         Action::make('view_run')
                             ->label('Open operation')
-                            ->url(OperationRunLinks::view($run, $tenant)),
+                            ->url(OperationRunLinks::view($run, $tenant, $this->navigationContext())),
                     ] : [])
                     ->send();
             });
@@ -436,4 +463,15 @@ private function governanceAggregate(Tenant $tenant, BaselineCompareStats $stats
 
         return $aggregate;
     }
+
+    private function navigationContext(): ?CanonicalNavigationContext
+    {
+        if (! is_array($this->navigationContextPayload)) {
+            return CanonicalNavigationContext::fromRequest(request());
+        }
+
+        $request = request()->duplicate(query: ['nav' => $this->navigationContextPayload]);
+
+        return CanonicalNavigationContext::fromRequest($request);
+    }
 }

apps/platform/app/Filament/Pages/BaselineCompareMatrix.php

@@ -0,0 +1,758 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Pages;
+
+use App\Filament\Resources\BaselineProfileResource;
+use App\Filament\Resources\FindingResource;
+use App\Models\BaselineProfile;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Models\Workspace;
+use App\Services\Auth\WorkspaceCapabilityResolver;
+use App\Services\Baselines\BaselineCompareService;
+use App\Support\Auth\Capabilities;
+use App\Support\Baselines\BaselineCompareMatrixBuilder;
+use App\Support\Navigation\CanonicalNavigationContext;
+use App\Support\OperationRunLinks;
+use App\Support\OpsUx\OperationUxPresenter;
+use App\Support\OpsUx\OpsUxBrowserEvents;
+use App\Support\Rbac\WorkspaceUiEnforcement;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use Filament\Actions\Action;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Concerns\InteractsWithForms;
+use Filament\Forms\Contracts\HasForms;
+use Filament\Notifications\Notification;
+use Filament\Resources\Pages\Concerns\InteractsWithRecord;
+use Filament\Resources\Pages\Page;
+use Filament\Schemas\Components\Grid;
+use Filament\Schemas\Schema;
+
+class BaselineCompareMatrix extends Page implements HasForms
+{
+    use InteractsWithForms;
+    use InteractsWithRecord;
+
+    protected static bool $isDiscovered = false;
+
+    protected static bool $shouldRegisterNavigation = false;
+
+    protected static string $resource = BaselineProfileResource::class;
+
+    protected static ?string $breadcrumb = 'Compare matrix';
+
+    protected string $view = 'filament.pages.baseline-compare-matrix';
+
+    public string $requestedMode = 'auto';
+
+    /**
+     * @var list<string>
+     */
+    public array $selectedPolicyTypes = [];
+
+    /**
+     * @var list<string>
+     */
+    public array $selectedStates = [];
+
+    /**
+     * @var list<string>
+     */
+    public array $selectedSeverities = [];
+
+    public string $tenantSort = 'tenant_name';
+
+    public string $subjectSort = 'deviation_breadth';
+
+    public ?string $focusedSubjectKey = null;
+
+    /**
+     * @var list<string>
+     */
+    public array $draftSelectedPolicyTypes = [];
+
+    /**
+     * @var list<string>
+     */
+    public array $draftSelectedStates = [];
+
+    /**
+     * @var list<string>
+     */
+    public array $draftSelectedSeverities = [];
+
+    public string $draftTenantSort = 'tenant_name';
+
+    public string $draftSubjectSort = 'deviation_breadth';
+
+    /**
+     * @var array<string, mixed>
+     */
+    public array $matrix = [];
+
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions keep bounded navigation plus confirmation-gated compare fan-out for visible assigned tenants.')
+            ->exempt(ActionSurfaceSlot::InspectAffordance, 'The matrix intentionally forbids row click; only explicit tenant, subject, cell, and run drilldowns are rendered.')
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'The matrix does not use a row-level secondary-actions menu.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The matrix has no bulk actions.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Blocked, empty, no-visible-tenant, and no-filter-match states render as explicit matrix empty states.')
+            ->exempt(ActionSurfaceSlot::DetailHeader, 'The matrix is a page-level scan surface rather than a record detail header.');
+    }
+
+    public function mount(int|string $record): void
+    {
+        $this->record = $this->resolveRecord($record);
+        $this->hydrateFiltersFromRequest();
+        $this->refreshMatrix();
+        $this->form->fill($this->filterFormState());
+    }
+
+    public function form(Schema $schema): Schema
+    {
+        return $schema
+            ->schema([
+                Grid::make([
+                    'default' => 1,
+                    'xl' => 2,
+                ])
+                    ->schema([
+                        Grid::make([
+                            'default' => 1,
+                            'lg' => 5,
+                        ])
+                            ->schema([
+                                Select::make('draftSelectedPolicyTypes')
+                                    ->label('Policy types')
+                                    ->options(fn (): array => $this->matrixOptions('policyTypeOptions'))
+                                    ->multiple()
+                                    ->searchable()
+                                    ->preload()
+                                    ->native(false)
+                                    ->placeholder('All policy types')
+                                    ->helperText(fn (): ?string => $this->matrixOptions('policyTypeOptions') === []
+                                        ? 'Policy type filters appear after a usable reference snapshot is available.'
+                                        : null)
+                                    ->extraFieldWrapperAttributes([
+                                        'data-testid' => 'matrix-policy-type-filter',
+                                    ])
+                                    ->columnSpan([
+                                        'lg' => 2,
+                                    ]),
+                                Select::make('draftSelectedStates')
+                                    ->label('Technical states')
+                                    ->options(fn (): array => $this->matrixOptions('stateOptions'))
+                                    ->multiple()
+                                    ->searchable()
+                                    ->native(false)
+                                    ->placeholder('All technical states')
+                                    ->columnSpan([
+                                        'lg' => 2,
+                                    ]),
+                                Select::make('draftSelectedSeverities')
+                                    ->label('Severity')
+                                    ->options(fn (): array => $this->matrixOptions('severityOptions'))
+                                    ->multiple()
+                                    ->searchable()
+                                    ->native(false)
+                                    ->placeholder('All severities'),
+                            ])
+                            ->columnSpan([
+                                'xl' => 1,
+                            ]),
+                        Grid::make([
+                            'default' => 1,
+                            'md' => 2,
+                            'xl' => 1,
+                        ])
+                            ->schema([
+                                Select::make('draftTenantSort')
+                                    ->label('Tenant sort')
+                                    ->options(fn (): array => $this->matrixOptions('tenantSortOptions'))
+                                    ->default('tenant_name')
+                                    ->native(false)
+                                    ->extraFieldWrapperAttributes(['data-testid' => 'matrix-tenant-sort'])
+                                    ->extraInputAttributes(['data-testid' => 'matrix-tenant-sort']),
+                                Select::make('draftSubjectSort')
+                                    ->label('Subject sort')
+                                    ->options(fn (): array => $this->matrixOptions('subjectSortOptions'))
+                                    ->default('deviation_breadth')
+                                    ->native(false)
+                                    ->extraFieldWrapperAttributes(['data-testid' => 'matrix-subject-sort'])
+                                    ->extraInputAttributes(['data-testid' => 'matrix-subject-sort']),
+                            ])
+                            ->columnSpan([
+                                'xl' => 1,
+                            ]),
+                    ]),
+            ]);
+    }
+
+    protected function authorizeAccess(): void
+    {
+        $user = auth()->user();
+        $workspace = $this->workspace();
+
+        if (! $user instanceof User || ! $workspace instanceof Workspace) {
+            abort(404);
+        }
+
+        /** @var WorkspaceCapabilityResolver $resolver */
+        $resolver = app(WorkspaceCapabilityResolver::class);
+
+        if (! $resolver->isMember($user, $workspace)) {
+            abort(404);
+        }
+
+        if (! $resolver->can($user, $workspace, Capabilities::WORKSPACE_BASELINES_VIEW)) {
+            abort(403);
+        }
+    }
+
+    public function getTitle(): string
+    {
+        /** @var BaselineProfile $profile */
+        $profile = $this->getRecord();
+
+        return 'Compare matrix: '.$profile->name;
+    }
+
+    /**
+     * @return array<Action>
+     */
+    protected function getHeaderActions(): array
+    {
+        $profile = $this->getRecord();
+
+        $compareAssignedTenantsAction = Action::make('compareAssignedTenants')
+            ->label('Compare assigned tenants')
+            ->icon('heroicon-o-play')
+            ->requiresConfirmation()
+            ->modalHeading('Compare assigned tenants')
+            ->modalDescription('Simulation only. This starts the normal tenant-owned baseline compare path for the visible assigned set. No workspace umbrella run is created.')
+            ->disabled(fn (): bool => $this->compareAssignedTenantsDisabledReason() !== null)
+            ->tooltip(fn (): ?string => $this->compareAssignedTenantsDisabledReason())
+            ->action(fn (): mixed => $this->compareAssignedTenants());
+
+        $compareAssignedTenantsAction = WorkspaceUiEnforcement::forAction(
+            $compareAssignedTenantsAction,
+            fn (): ?Workspace => $this->workspace(),
+        )
+            ->requireCapability(Capabilities::WORKSPACE_BASELINES_MANAGE)
+            ->preserveDisabled()
+            ->tooltip('You need workspace baseline manage access to compare the visible assigned set.')
+            ->apply();
+
+        return [
+            Action::make('backToBaselineProfile')
+                ->label('Back to baseline profile')
+                ->color('gray')
+                ->url(BaselineProfileResource::getUrl('view', ['record' => $profile], panel: 'admin')),
+            $compareAssignedTenantsAction,
+        ];
+    }
+
+    public function applyFilters(): void
+    {
+        $this->selectedPolicyTypes = $this->normalizeQueryList($this->draftSelectedPolicyTypes);
+        $this->selectedStates = $this->normalizeQueryList($this->draftSelectedStates);
+        $this->selectedSeverities = $this->normalizeQueryList($this->draftSelectedSeverities);
+        $this->tenantSort = $this->normalizeTenantSort($this->draftTenantSort);
+        $this->subjectSort = $this->normalizeSubjectSort($this->draftSubjectSort);
+
+        $this->redirect($this->filterUrl(), navigate: true);
+    }
+
+    public function resetFilters(): void
+    {
+        $this->selectedPolicyTypes = [];
+        $this->selectedStates = [];
+        $this->selectedSeverities = [];
+        $this->tenantSort = 'tenant_name';
+        $this->subjectSort = 'deviation_breadth';
+        $this->focusedSubjectKey = null;
+        $this->draftSelectedPolicyTypes = [];
+        $this->draftSelectedStates = [];
+        $this->draftSelectedSeverities = [];
+        $this->draftTenantSort = 'tenant_name';
+        $this->draftSubjectSort = 'deviation_breadth';
+
+        $this->redirect($this->filterUrl(), navigate: true);
+    }
+
+    public function refreshMatrix(): void
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            abort(403);
+        }
+
+        /** @var BaselineProfile $profile */
+        $profile = $this->getRecord();
+
+        $this->matrix = app(BaselineCompareMatrixBuilder::class)->build($profile, $user, [
+            'policyTypes' => $this->selectedPolicyTypes,
+            'states' => $this->selectedStates,
+            'severities' => $this->selectedSeverities,
+            'tenantSort' => $this->tenantSort,
+            'subjectSort' => $this->subjectSort,
+            'focusedSubjectKey' => $this->focusedSubjectKey,
+        ]);
+    }
+
+    public function pollMatrix(): void
+    {
+        $this->refreshMatrix();
+    }
+
+    public function tenantCompareUrl(int $tenantId, ?string $subjectKey = null): ?string
+    {
+        $tenant = $this->tenant($tenantId);
+
+        if (! $tenant instanceof Tenant) {
+            return null;
+        }
+
+        return BaselineCompareLanding::getUrl(
+            parameters: $this->navigationContext($tenant, $subjectKey)->toQuery(),
+            panel: 'tenant',
+            tenant: $tenant,
+        );
+    }
+
+    public function findingUrl(int $tenantId, int $findingId, ?string $subjectKey = null): ?string
+    {
+        $tenant = $this->tenant($tenantId);
+
+        if (! $tenant instanceof Tenant) {
+            return null;
+        }
+
+        return FindingResource::getUrl(
+            'view',
+            [
+                'record' => $findingId,
+                ...$this->navigationContext($tenant, $subjectKey)->toQuery(),
+            ],
+            tenant: $tenant,
+        );
+    }
+
+    public function runUrl(int $runId, ?int $tenantId = null, ?string $subjectKey = null): string
+    {
+        return OperationRunLinks::tenantlessView(
+            $runId,
+            $this->navigationContext(
+                $tenantId !== null ? $this->tenant($tenantId) : null,
+                $subjectKey,
+            ),
+        );
+    }
+
+    public function clearSubjectFocusUrl(): string
+    {
+        return static::getUrl($this->routeParameters([
+            'subject_key' => null,
+        ]), panel: 'admin');
+    }
+
+    public function modeUrl(string $mode): string
+    {
+        return $this->filterUrl([
+            'mode' => $this->normalizeRequestedMode($mode),
+        ]);
+    }
+
+    public function filterUrl(array $overrides = []): string
+    {
+        return static::getUrl($this->routeParameters($overrides), panel: 'admin');
+    }
+
+    public function activeFilterCount(): int
+    {
+        return count($this->selectedPolicyTypes)
+            + count($this->selectedStates)
+            + count($this->selectedSeverities)
+            + ($this->focusedSubjectKey !== null ? 1 : 0);
+    }
+
+    public function hasStagedFilterChanges(): bool
+    {
+        return $this->draftFilterState() !== $this->appliedFilterState();
+    }
+
+    public function canUseCompactMode(): bool
+    {
+        return $this->visibleTenantCount() <= 1;
+    }
+
+    public function presentationModeLabel(string $mode): string
+    {
+        return match ($mode) {
+            'dense' => 'Dense mode',
+            'compact' => 'Compact mode',
+            default => 'Auto mode',
+        };
+    }
+
+    /**
+     * @return array<string, int|string>
+     */
+    public function activeFilterSummary(): array
+    {
+        $summary = [];
+
+        if ($this->selectedPolicyTypes !== []) {
+            $summary['Policy types'] = count($this->selectedPolicyTypes);
+        }
+
+        if ($this->selectedStates !== []) {
+            $summary['Technical states'] = count($this->selectedStates);
+        }
+
+        if ($this->selectedSeverities !== []) {
+            $summary['Severity'] = count($this->selectedSeverities);
+        }
+
+        if ($this->focusedSubjectKey !== null) {
+            $summary['Focused subject'] = $this->focusedSubjectKey;
+        }
+
+        return $summary;
+    }
+
+    /**
+     * @return array<string, int|string>
+     */
+    public function stagedFilterSummary(): array
+    {
+        $summary = [];
+
+        if ($this->draftSelectedPolicyTypes !== $this->selectedPolicyTypes) {
+            $summary['Policy types'] = count($this->draftSelectedPolicyTypes);
+        }
+
+        if ($this->draftSelectedStates !== $this->selectedStates) {
+            $summary['Technical states'] = count($this->draftSelectedStates);
+        }
+
+        if ($this->draftSelectedSeverities !== $this->selectedSeverities) {
+            $summary['Severity'] = count($this->draftSelectedSeverities);
+        }
+
+        if ($this->draftTenantSort !== $this->tenantSort) {
+            $summary['Tenant sort'] = $this->draftTenantSort;
+        }
+
+        if ($this->draftSubjectSort !== $this->subjectSort) {
+            $summary['Subject sort'] = $this->draftSubjectSort;
+        }
+
+        return $summary;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    protected function getViewData(): array
+    {
+        return array_merge($this->matrix, [
+            'profile' => $this->getRecord(),
+            'currentFilters' => [
+                'mode' => $this->requestedMode,
+                'policy_type' => $this->selectedPolicyTypes,
+                'state' => $this->selectedStates,
+                'severity' => $this->selectedSeverities,
+                'tenant_sort' => $this->tenantSort,
+                'subject_sort' => $this->subjectSort,
+                'subject_key' => $this->focusedSubjectKey,
+            ],
+            'draftFilters' => [
+                'policy_type' => $this->draftSelectedPolicyTypes,
+                'state' => $this->draftSelectedStates,
+                'severity' => $this->draftSelectedSeverities,
+                'tenant_sort' => $this->draftTenantSort,
+                'subject_sort' => $this->draftSubjectSort,
+            ],
+            'presentationState' => $this->presentationState(),
+        ]);
+    }
+
+    private function hydrateFiltersFromRequest(): void
+    {
+        $this->requestedMode = $this->normalizeRequestedMode(request()->query('mode', 'auto'));
+        $this->selectedPolicyTypes = $this->normalizeQueryList(request()->query('policy_type', []));
+        $this->selectedStates = $this->normalizeQueryList(request()->query('state', []));
+        $this->selectedSeverities = $this->normalizeQueryList(request()->query('severity', []));
+        $this->tenantSort = $this->normalizeTenantSort(request()->query('tenant_sort', 'tenant_name'));
+        $this->subjectSort = $this->normalizeSubjectSort(request()->query('subject_sort', 'deviation_breadth'));
+        $subjectKey = request()->query('subject_key');
+        $this->focusedSubjectKey = is_string($subjectKey) && trim($subjectKey) !== '' ? trim($subjectKey) : null;
+        $this->draftSelectedPolicyTypes = $this->selectedPolicyTypes;
+        $this->draftSelectedStates = $this->selectedStates;
+        $this->draftSelectedSeverities = $this->selectedSeverities;
+        $this->draftTenantSort = $this->tenantSort;
+        $this->draftSubjectSort = $this->subjectSort;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private function filterFormState(): array
+    {
+        return [
+            'draftSelectedPolicyTypes' => $this->draftSelectedPolicyTypes,
+            'draftSelectedStates' => $this->draftSelectedStates,
+            'draftSelectedSeverities' => $this->draftSelectedSeverities,
+            'draftTenantSort' => $this->draftTenantSort,
+            'draftSubjectSort' => $this->draftSubjectSort,
+        ];
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    private function matrixOptions(string $key): array
+    {
+        $options = $this->matrix[$key] ?? null;
+
+        return is_array($options) ? $options : [];
+    }
+
+    /**
+     * @return array{
+     *     selectedPolicyTypes: list<string>,
+     *     selectedStates: list<string>,
+     *     selectedSeverities: list<string>,
+     *     tenantSort: string,
+     *     subjectSort: string
+     * }
+     */
+    private function draftFilterState(): array
+    {
+        return [
+            'selectedPolicyTypes' => $this->normalizeQueryList($this->draftSelectedPolicyTypes),
+            'selectedStates' => $this->normalizeQueryList($this->draftSelectedStates),
+            'selectedSeverities' => $this->normalizeQueryList($this->draftSelectedSeverities),
+            'tenantSort' => $this->normalizeTenantSort($this->draftTenantSort),
+            'subjectSort' => $this->normalizeSubjectSort($this->draftSubjectSort),
+        ];
+    }
+
+    /**
+     * @return array{
+     *     selectedPolicyTypes: list<string>,
+     *     selectedStates: list<string>,
+     *     selectedSeverities: list<string>,
+     *     tenantSort: string,
+     *     subjectSort: string
+     * }
+     */
+    private function appliedFilterState(): array
+    {
+        return [
+            'selectedPolicyTypes' => $this->selectedPolicyTypes,
+            'selectedStates' => $this->selectedStates,
+            'selectedSeverities' => $this->selectedSeverities,
+            'tenantSort' => $this->tenantSort,
+            'subjectSort' => $this->subjectSort,
+        ];
+    }
+
+    /**
+     * @return list<string>
+     */
+    private function normalizeQueryList(mixed $value): array
+    {
+        $values = is_array($value) ? $value : [$value];
+
+        return array_values(array_unique(array_filter(array_map(static function (mixed $item): ?string {
+            if (! is_string($item)) {
+                return null;
+            }
+
+            $normalized = trim($item);
+
+            return $normalized !== '' ? $normalized : null;
+        }, $values))));
+    }
+
+    private function normalizeRequestedMode(mixed $value): string
+    {
+        return in_array((string) $value, ['auto', 'dense', 'compact'], true)
+            ? (string) $value
+            : 'auto';
+    }
+
+    private function normalizeTenantSort(mixed $value): string
+    {
+        return in_array((string) $value, ['tenant_name', 'deviation_count', 'freshness_urgency'], true)
+            ? (string) $value
+            : 'tenant_name';
+    }
+
+    private function normalizeSubjectSort(mixed $value): string
+    {
+        return in_array((string) $value, ['deviation_breadth', 'policy_type', 'display_name'], true)
+            ? (string) $value
+            : 'deviation_breadth';
+    }
+
+    private function compareAssignedTenantsDisabledReason(): ?string
+    {
+        $reference = is_array($this->matrix['reference'] ?? null) ? $this->matrix['reference'] : [];
+
+        if (($reference['referenceState'] ?? null) !== 'ready') {
+            return 'Capture a complete baseline snapshot before comparing assigned tenants.';
+        }
+
+        if ((int) ($reference['visibleTenantCount'] ?? 0) === 0) {
+            return 'No visible assigned tenants are available for compare.';
+        }
+
+        return null;
+    }
+
+    private function compareAssignedTenants(): void
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            abort(403);
+        }
+
+        /** @var BaselineProfile $profile */
+        $profile = $this->getRecord();
+
+        $result = app(BaselineCompareService::class)->startCompareForVisibleAssignments($profile, $user);
+        $summary = sprintf(
+            '%d queued, %d already queued, %d blocked across %d visible assigned tenant%s.',
+            (int) $result['queuedCount'],
+            (int) $result['alreadyQueuedCount'],
+            (int) $result['blockedCount'],
+            (int) $result['visibleAssignedTenantCount'],
+            (int) $result['visibleAssignedTenantCount'] === 1 ? '' : 's',
+        );
+
+        if ((int) $result['queuedCount'] > 0 || (int) $result['alreadyQueuedCount'] > 0) {
+            OpsUxBrowserEvents::dispatchRunEnqueued($this);
+
+            $toast = (int) $result['queuedCount'] > 0
+                ? OperationUxPresenter::queuedToast('baseline_compare')
+                : OperationUxPresenter::alreadyQueuedToast('baseline_compare');
+
+            $toast
+                ->body($summary.' Open Operations for progress and next steps.')
+                ->actions([
+                    Action::make('open_operations')
+                        ->label('Open operations')
+                        ->url(OperationRunLinks::index(
+                            context: $this->navigationContext(),
+                            allTenants: true,
+                        )),
+                ])
+                ->send();
+        } else {
+            Notification::make()
+                ->title('No baseline compares were started')
+                ->body($summary)
+                ->warning()
+                ->send();
+        }
+
+        $this->refreshMatrix();
+    }
+
+    /**
+     * @param  array<string, mixed>  $overrides
+     * @return array<string, mixed>
+     */
+    private function routeParameters(array $overrides = []): array
+    {
+        return array_filter([
+            'record' => $this->getRecord(),
+            'mode' => $this->requestedMode !== 'auto' ? $this->requestedMode : null,
+            'policy_type' => $this->selectedPolicyTypes,
+            'state' => $this->selectedStates,
+            'severity' => $this->selectedSeverities,
+            'tenant_sort' => $this->tenantSort !== 'tenant_name' ? $this->tenantSort : null,
+            'subject_sort' => $this->subjectSort !== 'deviation_breadth' ? $this->subjectSort : null,
+            'subject_key' => $this->focusedSubjectKey,
+            ...$overrides,
+        ], static fn (mixed $value): bool => $value !== null && $value !== [] && $value !== '');
+    }
+
+    private function navigationContext(?Tenant $tenant = null, ?string $subjectKey = null): CanonicalNavigationContext
+    {
+        /** @var BaselineProfile $profile */
+        $profile = $this->getRecord();
+
+        $subjectKey ??= $this->focusedSubjectKey;
+
+        return CanonicalNavigationContext::forBaselineCompareMatrix(
+            profile: $profile,
+            filters: $this->routeParameters(),
+            tenant: $tenant,
+            subjectKey: $subjectKey,
+        );
+    }
+
+    private function tenant(int $tenantId): ?Tenant
+    {
+        return Tenant::query()
+            ->whereKey($tenantId)
+            ->where('workspace_id', (int) $this->getRecord()->workspace_id)
+            ->first();
+    }
+
+    private function workspace(): ?Workspace
+    {
+        return Workspace::query()->whereKey((int) $this->getRecord()->workspace_id)->first();
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private function presentationState(): array
+    {
+        $resolvedMode = $this->resolvePresentationMode($this->visibleTenantCount());
+
+        return [
+            'requestedMode' => $this->requestedMode,
+            'resolvedMode' => $resolvedMode,
+            'visibleTenantCount' => $this->visibleTenantCount(),
+            'activeFilterCount' => $this->activeFilterCount(),
+            'hasStagedFilterChanges' => $this->hasStagedFilterChanges(),
+            'autoRefreshActive' => (bool) ($this->matrix['hasActiveRuns'] ?? false),
+            'lastUpdatedAt' => $this->matrix['lastUpdatedAt'] ?? null,
+            'canOverrideMode' => $this->visibleTenantCount() > 0,
+            'compactModeAvailable' => $this->canUseCompactMode(),
+        ];
+    }
+
+    private function visibleTenantCount(): int
+    {
+        $reference = is_array($this->matrix['reference'] ?? null) ? $this->matrix['reference'] : [];
+
+        return (int) ($reference['visibleTenantCount'] ?? 0);
+    }
+
+    private function resolvePresentationMode(int $visibleTenantCount): string
+    {
+        if ($this->requestedMode === 'dense') {
+            return 'dense';
+        }
+
+        if ($this->requestedMode === 'compact' && $visibleTenantCount <= 1) {
+            return 'compact';
+        }
+
+        return $visibleTenantCount > 1 ? 'dense' : 'compact';
+    }
+}

apps/platform/app/Filament/Pages/Monitoring/Alerts.php

@@ -12,6 +12,10 @@
 use App\Support\Auth\Capabilities;
 use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\OperateHub\OperateHubShell;
+use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
+use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions\Action;
@@ -37,6 +41,16 @@ class Alerts extends Page
 
     protected string $view = 'filament.pages.monitoring.alerts';
 
+    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
+    {
+        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly, ActionSurfaceType::ReadOnlyRegistryReport)
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header keeps alerts scope and origin navigation quiet on the page-level overview.')
+            ->exempt(ActionSurfaceSlot::InspectAffordance, 'The alerts overview is a page-level monitoring summary and does not inspect records inline.')
+            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'The alerts overview does not render row-level secondary actions.')
+            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The alerts overview does not expose bulk actions.')
+            ->exempt(ActionSurfaceSlot::ListEmptyState, 'The overview always renders KPI widgets and downstream drilldown navigation instead of a list-style empty state.');
+    }
+
     public static function canAccess(): bool
     {
         if (Filament::getCurrentPanel()?->getId() !== 'admin') {

apps/platform/app/Filament/Pages/Monitoring/AuditLog.php

@@ -17,6 +17,7 @@
 use App\Support\Filament\FilterOptionCatalog;
 use App\Support\Filament\FilterPresets;
 use App\Support\Filament\TablePaginationProfiles;
+use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\Navigation\RelatedNavigationResolver;
 use App\Support\OperateHub\OperateHubShell;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
@@ -93,7 +94,6 @@ public function mount(): void
         if ($requestedEventId !== null) {
             $this->resolveAuditLog($requestedEventId);
             $this->selectedAuditLogId = $requestedEventId;
-            $this->mountTableAction('inspect', (string) $requestedEventId);
         }
     }
 
@@ -102,10 +102,24 @@ public function mount(): void
      */
     protected function getHeaderActions(): array
     {
-        return app(OperateHubShell::class)->headerActions(
+        $actions = app(OperateHubShell::class)->headerActions(
             scopeActionName: 'operate_hub_scope_audit_log',
             returnActionName: 'operate_hub_return_audit_log',
         );
+
+        $navigationContext = CanonicalNavigationContext::fromRequest(request());
+
+        if ($navigationContext?->backLinkLabel !== null && $navigationContext->backLinkUrl !== null) {
+            array_splice($actions, 1, 0, [
+                Action::make('operate_hub_back_to_origin_audit_log')
+                    ->label($navigationContext->backLinkLabel)
+                    ->icon('heroicon-o-arrow-left')
+                    ->color('gray')
+                    ->url($navigationContext->backLinkUrl),
+            ]);
+        }
+
+        return $actions;
     }
 
     public function table(Table $table): Table

apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php

@@ -25,9 +25,11 @@
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
+use App\Support\Ui\GovernanceActions\GovernanceActionCatalog;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions\Action;
+use Filament\Actions\ActionGroup;
 use Filament\Facades\Filament;
 use Filament\Forms\Components\DateTimePicker;
 use Filament\Forms\Components\Textarea;
@@ -38,6 +40,7 @@
 use Filament\Tables\Contracts\HasTable;
 use Filament\Tables\Filters\SelectFilter;
 use Filament\Tables\Table;
+use Illuminate\Contracts\View\View;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Support\Collection;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -49,6 +52,8 @@ class FindingExceptionsQueue extends Page implements HasTable
 
     public ?int $selectedFindingExceptionId = null;
 
+    public bool $showSelectedExceptionSummary = false;
+
     protected static bool $isDiscovered = false;
 
     protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-shield-exclamation';
@@ -116,11 +121,12 @@ public static function canAccess(): bool
     public function mount(): void
     {
         $this->selectedFindingExceptionId = is_numeric(request()->query('exception')) ? (int) request()->query('exception') : null;
+        $this->showSelectedExceptionSummary = $this->selectedFindingExceptionId !== null;
         $this->mountInteractsWithTable();
         $this->applyRequestedTenantPrefilter();
 
         if ($this->selectedFindingExceptionId !== null) {
-            $this->selectedFindingException();
+            $this->resolveSelectedFindingException($this->selectedFindingExceptionId);
         }
     }
 
@@ -141,6 +147,7 @@ protected function getHeaderActions(): array
                 $this->removeTableFilter('status');
                 $this->removeTableFilter('current_validity_state');
                 $this->selectedFindingExceptionId = null;
+                $this->showSelectedExceptionSummary = false;
                 $this->resetTable();
             });
 
@@ -159,33 +166,38 @@ protected function getHeaderActions(): array
                 return FindingExceptionResource::getUrl('index', panel: 'tenant', tenant: $tenant);
             });
 
-        $actions[] = Action::make('clear_selected_exception')
+        $selectedContextActions = [
-            ->label('Close details')
+            Action::make('clear_selected_exception')
-            ->color('gray')
+                ->label('Close details')
-            ->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
+                ->color('gray')
-            ->action(function (): void {
+                ->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
-                $this->selectedFindingExceptionId = null;
+                ->action(function (): void {
-            });
+                    $this->clearSelectedException();
+                }),
 
-        $actions[] = Action::make('open_selected_exception')
+            Action::make('open_selected_exception')
-            ->label('Open tenant detail')
+                ->label('Open tenant detail')
-            ->icon('heroicon-o-arrow-top-right-on-square')
+                ->icon('heroicon-o-arrow-top-right-on-square')
-            ->color('gray')
+                ->color('gray')
-            ->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
+                ->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
-            ->url(fn (): ?string => $this->selectedExceptionUrl());
+                ->url(fn (): ?string => $this->selectedExceptionUrl()),
 
-        $actions[] = Action::make('open_selected_finding')
+            Action::make('open_selected_finding')
-            ->label('Open finding')
+                ->label('Open finding')
-            ->icon('heroicon-o-arrow-top-right-on-square')
+                ->icon('heroicon-o-arrow-top-right-on-square')
-            ->color('gray')
+                ->color('gray')
-            ->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
+                ->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
-            ->url(fn (): ?string => $this->selectedFindingUrl());
+                ->url(fn (): ?string => $this->selectedFindingUrl()),
+        ];
 
-        $actions[] = Action::make('approve_selected_exception')
+        $selectedDecisionActions = [
-            ->label('Approve exception')
+            Action::make('approve_selected_exception')
+            ->label(GovernanceActionCatalog::rule('approve_exception')->canonicalLabel)
             ->color('success')
             ->visible(fn (): bool => $this->selectedFindingException()?->isPending() ?? false)
             ->requiresConfirmation()
+            ->modalHeading(GovernanceActionCatalog::rule('approve_exception')->modalHeading)
+            ->modalDescription(GovernanceActionCatalog::rule('approve_exception')->modalDescription)
             ->form([
                 DateTimePicker::make('effective_from')
                     ->label('Effective from')
@@ -198,6 +210,7 @@ protected function getHeaderActions(): array
                 Textarea::make('approval_reason')
                     ->label('Approval reason')
                     ->rows(3)
+                    ->required()
                     ->maxLength(2000),
             ])
             ->action(function (array $data, FindingExceptionService $service): void {
@@ -214,41 +227,56 @@ protected function getHeaderActions(): array
                 $this->resetTable();
 
                 Notification::make()
-                    ->title($wasRenewalRequest ? 'Exception renewed' : 'Exception approved')
+                    ->title($wasRenewalRequest ? 'Exception renewed' : GovernanceActionCatalog::rule('approve_exception')->successTitle)
                     ->success()
                     ->send();
-            });
+            }),
 
-        $actions[] = Action::make('reject_selected_exception')
+            Action::make('reject_selected_exception')
-            ->label('Reject exception')
+                ->label(GovernanceActionCatalog::rule('reject_exception')->canonicalLabel)
-            ->color('danger')
+                ->color('warning')
-            ->visible(fn (): bool => $this->selectedFindingException()?->isPending() ?? false)
+                ->visible(fn (): bool => $this->selectedFindingException()?->isPending() ?? false)
-            ->requiresConfirmation()
+                ->requiresConfirmation()
-            ->form([
+                ->modalHeading(GovernanceActionCatalog::rule('reject_exception')->modalHeading)
-                Textarea::make('rejection_reason')
+                ->modalDescription(GovernanceActionCatalog::rule('reject_exception')->modalDescription)
-                    ->label('Rejection reason')
+                ->form([
-                    ->rows(3)
+                    Textarea::make('rejection_reason')
-                    ->required()
+                        ->label('Rejection reason')
-                    ->maxLength(2000),
+                        ->rows(3)
-            ])
+                        ->required()
-            ->action(function (array $data, FindingExceptionService $service): void {
+                        ->maxLength(2000),
-                $record = $this->selectedFindingException();
+                ])
-                $user = auth()->user();
+                ->action(function (array $data, FindingExceptionService $service): void {
+                    $record = $this->selectedFindingException();
+                    $user = auth()->user();
 
-                if (! $record instanceof FindingException || ! $user instanceof User) {
+                    if (! $record instanceof FindingException || ! $user instanceof User) {
-                    abort(404);
+                        abort(404);
-                }
+                    }
 
-                $wasRenewalRequest = $record->isPendingRenewal();
+                    $wasRenewalRequest = $record->isPendingRenewal();
-                $updated = $service->reject($record, $user, $data);
+                    $updated = $service->reject($record, $user, $data);
-                $this->selectedFindingExceptionId = (int) $updated->getKey();
+                    $this->selectedFindingExceptionId = (int) $updated->getKey();
-                $this->resetTable();
+                    $this->resetTable();
 
-                Notification::make()
+                    Notification::make()
-                    ->title($wasRenewalRequest ? 'Renewal rejected' : 'Exception rejected')
+                        ->title($wasRenewalRequest ? 'Renewal rejected' : GovernanceActionCatalog::rule('reject_exception')->successTitle)
-                    ->success()
+                        ->success()
-                    ->send();
+                        ->send();
-            });
+                }),
+        ];
+
+        $actions[] = ActionGroup::make($selectedContextActions)
+            ->label('Selected context')
+            ->icon('heroicon-o-rectangle-stack')
+            ->color('gray')
+            ->visible(fn (): bool => $this->selectedFindingExceptionId !== null);
+
+        $actions[] = ActionGroup::make($selectedDecisionActions)
+            ->label('Review selected')
+            ->icon('heroicon-o-shield-check')
+            ->color('primary')
+            ->visible(fn (): bool => $this->selectedFindingException()?->isPending() ?? false);
 
         return $actions;
     }
@@ -325,8 +353,31 @@ public function table(Table $table): Table
                     ->label('Inspect exception')
                     ->icon('heroicon-o-eye')
                     ->color('gray')
-                    ->action(function (FindingException $record): void {
+                    ->before(function (FindingException $record): void {
                         $this->selectedFindingExceptionId = (int) $record->getKey();
+                    })
+                    ->slideOver()
+                    ->stickyModalHeader()
+                    ->modalSubmitAction(false)
+                    ->modalCancelAction(fn (Action $action): Action => $action->label('Close details'))
+                    ->modalHeading(function (): string {
+                        $record = $this->inspectedFindingException();
+
+                        return $record instanceof FindingException
+                            ? 'Finding exception #'.$record->getKey()
+                            : 'Finding exception';
+                    })
+                    ->modalDescription(fn (): ?string => $this->inspectedFindingException()?->requested_at?->toDayDateTimeString())
+                    ->modalContent(function (): View {
+                        $record = $this->inspectedFindingException();
+
+                        if (! $record instanceof FindingException) {
+                            return view('filament.pages.monitoring.partials.finding-exception-queue-unavailable');
+                        }
+
+                        return view('filament.pages.monitoring.partials.finding-exception-queue-sidebar', [
+                            'selectedException' => $record,
+                        ]);
                     }),
             ])
             ->bulkActions([])
@@ -343,6 +394,7 @@ public function table(Table $table): Table
                         $this->removeTableFilter('status');
                         $this->removeTableFilter('current_validity_state');
                         $this->selectedFindingExceptionId = null;
+                        $this->showSelectedExceptionSummary = false;
                         $this->resetTable();
                     }),
             ]);
@@ -354,15 +406,7 @@ public function selectedFindingException(): ?FindingException
             return null;
         }
 
-        $record = $this->queueBaseQuery()
+        return $this->resolveSelectedFindingException($this->selectedFindingExceptionId);
-            ->whereKey($this->selectedFindingExceptionId)
-            ->first();
-
-        if (! $record instanceof FindingException) {
-            throw new NotFoundHttpException;
-        }
-
-        return $record;
     }
 
     public function selectedExceptionUrl(): ?string
@@ -387,6 +431,12 @@ public function selectedFindingUrl(): ?string
         return FindingResource::getUrl('view', ['record' => $record->finding], panel: 'tenant', tenant: $record->tenant);
     }
 
+    public function clearSelectedException(): void
+    {
+        $this->selectedFindingExceptionId = null;
+        $this->showSelectedExceptionSummary = false;
+    }
+
     /**
      * @return array<int, Tenant>
      */
@@ -508,6 +558,30 @@ private function hasActiveQueueFilters(): bool
             || is_string(data_get($this->tableFilters, 'current_validity_state.value'));
     }
 
+    private function resolveSelectedFindingException(int $findingExceptionId): FindingException
+    {
+        $record = $this->queueBaseQuery()
+            ->whereKey($findingExceptionId)
+            ->first();
+
+        if (! $record instanceof FindingException) {
+            throw new NotFoundHttpException;
+        }
+
+        return $record;
+    }
+
+    private function inspectedFindingException(): ?FindingException
+    {
+        $mountedRecord = $this->getMountedTableActionRecord();
+
+        if ($mountedRecord instanceof FindingException) {
+            return $mountedRecord;
+        }
+
+        return $this->selectedFindingException();
+    }
+
     private function governanceWarning(FindingException $record): ?string
     {
         $finding = $record->relationLoaded('finding')

apps/platform/app/Filament/Pages/Monitoring/Operations.php

@@ -142,6 +142,49 @@ protected function getHeaderActions(): array
         return $actions;
     }
 
+    /**
+     * @return array{
+     *     scope_label: string,
+     *     scope_body: string,
+     *     return_label: ?string,
+     *     return_body: ?string,
+     *     scope_reset_label: ?string,
+     *     scope_reset_body: ?string,
+     *     inspect_body: string
+     * }
+     */
+    public function landingHierarchySummary(): array
+    {
+        $operateHubShell = app(OperateHubShell::class);
+        $navigationContext = $this->navigationContext();
+        $activeTenant = $operateHubShell->activeEntitledTenant(request());
+
+        $returnLabel = null;
+        $returnBody = null;
+
+        if ($navigationContext?->backLinkLabel !== null && $navigationContext->backLinkUrl !== null) {
+            $returnLabel = $navigationContext->backLinkLabel;
+            $returnBody = 'Return to the originating monitoring surface without competing with the current tab, filters, or row inspection flow.';
+        } elseif ($activeTenant instanceof Tenant) {
+            $returnLabel = 'Back to '.$activeTenant->name;
+            $returnBody = 'Return to the tenant dashboard when you need tenant-specific context outside this workspace monitoring landing.';
+        }
+
+        return [
+            'scope_label' => $operateHubShell->scopeLabel(request()),
+            'scope_body' => $activeTenant instanceof Tenant
+                ? 'The landing is currently narrowed to one tenant inside the active workspace.'
+                : 'The landing is currently showing workspace-wide monitoring across all entitled tenants.',
+            'return_label' => $returnLabel,
+            'return_body' => $returnBody,
+            'scope_reset_label' => $activeTenant instanceof Tenant ? 'Show all tenants' : null,
+            'scope_reset_body' => $activeTenant instanceof Tenant
+                ? 'Reset the landing back to workspace-wide monitoring when tenant-specific context is no longer needed.'
+                : null,
+            'inspect_body' => 'Open a run from the table to enter the canonical monitoring detail viewer.',
+        ];
+    }
+
     private function navigationContext(): ?CanonicalNavigationContext
     {
         if (! is_array($this->navigationContextPayload)) {

apps/platform/app/Filament/Pages/Operations/TenantlessOperationRunViewer.php

@@ -22,6 +22,7 @@
 use App\Support\OpsUx\RunDetailPolling;
 use App\Support\ReasonTranslation\ReasonPresenter;
 use App\Support\RedactionIntegrity;
+use App\Support\RestoreSafety\RestoreSafetyCopy;
 use App\Support\Tenants\ReferencedTenantLifecyclePresentation;
 use App\Support\Tenants\TenantInteractionLane;
 use App\Support\Tenants\TenantOperabilityQuestion;
@@ -122,7 +123,7 @@ protected function getHeaderActions(): array
         $actions[] = Action::make('refresh')
             ->label('Refresh')
             ->icon('heroicon-o-arrow-path')
-            ->color('gray')
+            ->color('primary')
             ->url(fn (): string => isset($this->run)
                 ? OperationRunLinks::tenantlessView($this->run, $navigationContext)
                 : route('admin.operations.index'));
@@ -154,6 +155,57 @@ protected function getHeaderActions(): array
         return $actions;
     }
 
+    /**
+     * @return array{
+     *     scope_label: string,
+     *     scope_body: string,
+     *     navigation_label: string,
+     *     navigation_body: string,
+     *     utility_body: string,
+     *     related_body: string,
+     *     follow_up_body: string,
+     *     follow_up_label: ?string
+     * }
+     */
+    public function monitoringDetailSummary(): array
+    {
+        $operateHubShell = app(OperateHubShell::class);
+        $navigationContext = $this->navigationContext();
+        $activeTenant = $operateHubShell->activeEntitledTenant(request());
+        $runTenantId = isset($this->run) ? (int) ($this->run->tenant_id ?? 0) : 0;
+
+        $navigationLabel = 'Back to Operations';
+        $navigationBody = 'Return to the operations landing when this review is complete.';
+
+        if ($navigationContext?->backLinkLabel !== null && $navigationContext->backLinkUrl !== null) {
+            $navigationLabel = $navigationContext->backLinkLabel;
+            $navigationBody = 'Return to the originating surface while keeping refresh and follow-up work separate from navigation.';
+        } elseif ($activeTenant instanceof Tenant && (int) $activeTenant->getKey() === $runTenantId) {
+            $navigationLabel = 'Back to '.$activeTenant->name;
+            $navigationBody = 'Return to the active tenant dashboard, then widen back to the workspace view only when you need broader monitoring context.';
+        }
+
+        $relatedLabels = array_values(array_keys($this->relatedLinks()));
+        $relatedBody = $relatedLabels === []
+            ? 'Open keeps secondary drilldowns grouped under one control when downstream context exists.'
+            : 'Open keeps secondary drilldowns grouped under one control: '.implode(', ', $relatedLabels).'.';
+
+        $followUpLabel = $this->canResumeCapture() ? 'Resume capture' : null;
+
+        return [
+            'scope_label' => $operateHubShell->scopeLabel(request()),
+            'scope_body' => 'The current workspace or tenant scope remains visible without behaving like a primary task action.',
+            'navigation_label' => $navigationLabel,
+            'navigation_body' => $navigationBody,
+            'utility_body' => 'Refresh keeps the current run state accurate without changing scope.',
+            'related_body' => $relatedBody,
+            'follow_up_body' => $followUpLabel !== null
+                ? 'Resume capture only appears when this run supports additional evidence collection.'
+                : 'No run-specific follow-up is currently available.',
+            'follow_up_label' => $followUpLabel,
+        ];
+    }
+
     public function mount(OperationRun $run): void
     {
         $user = auth()->user();
@@ -244,6 +296,42 @@ public function lifecycleBanner(): ?array
         };
     }
 
+    /**
+     * @return array{tone: string, title: string, body: string, url: ?string, link_label: ?string}|null
+     */
+    public function restoreContinuationBanner(): ?array
+    {
+        if (! isset($this->run)) {
+            return null;
+        }
+
+        $continuation = OperationRunResource::restoreContinuation($this->run);
+
+        if (! is_array($continuation)) {
+            return null;
+        }
+
+        $tone = ($continuation['follow_up_required'] ?? false) ? 'amber' : 'sky';
+        $body = $continuation['summary'] ?? 'Restore continuation detail is unavailable.';
+        $boundary = $continuation['recovery_claim_boundary'] ?? null;
+
+        if (is_string($boundary) && $boundary !== '') {
+            $body .= ' '.RestoreSafetyCopy::recoveryBoundary($boundary);
+        }
+
+        if (! ($continuation['link_available'] ?? false)) {
+            $body .= ' Restore detail is not available from this session.';
+        }
+
+        return [
+            'tone' => $tone,
+            'title' => 'Restore continuation',
+            'body' => $body,
+            'url' => is_string($continuation['link_url'] ?? null) ? $continuation['link_url'] : null,
+            'link_label' => ($continuation['link_available'] ?? false) ? 'Open restore run' : null,
+        ];
+    }
+
     /**
      * @return array{tone: string, title: string, body: string}|null
      */
@@ -327,6 +415,7 @@ private function resumeCaptureAction(): Action
         return Action::make('resumeCapture')
             ->label('Resume capture')
             ->icon('heroicon-o-forward')
+            ->color('primary')
             ->requiresConfirmation()
             ->modalHeading('Resume capture')
             ->modalDescription('This will start a follow-up operation to capture remaining baseline evidence for this scope.')
@@ -495,9 +584,16 @@ private function relatedLinks(bool $fresh = false): array
 
         $resolver = app(RelatedNavigationResolver::class);
 
-        return $fresh
+        $links = $fresh
             ? $resolver->operationLinksFresh($this->run, $this->relatedLinksTenant())
             : $resolver->operationLinks($this->run, $this->relatedLinksTenant());
+
+        unset(
+            $links[OperationRunLinks::collectionLabel()],
+            $links[OperationRunLinks::openCollectionLabel()],
+        );
+
+        return $links;
     }
 
     private function lifecycleAttentionSummary(bool $fresh = false): ?string

apps/platform/app/Filament/Pages/Reviews/ReviewRegister.php

@@ -94,7 +94,7 @@ protected function getHeaderActions(): array
                 ->color('gray')
                 ->visible(fn (): bool => $this->hasActiveFilters())
                 ->action(function (): void {
-                    $this->resetTable();
+                    $this->clearRegisterFilters();
                 }),
         ];
     }
@@ -209,7 +209,7 @@ public function table(Table $table): Table
                     ->label('Clear filters')
                     ->icon('heroicon-o-x-mark')
                     ->color('gray')
-                    ->action(fn (): mixed => $this->resetTable()),
+                    ->action(fn (): mixed => $this->clearRegisterFilters()),
             ]);
     }
 
@@ -311,9 +311,29 @@ private function applyRequestedTenantPrefilter(): void
 
     private function hasActiveFilters(): bool
     {
-        $filters = array_filter((array) $this->tableFilters);
+        return $this->currentTenantFilterId() !== null
+            || is_string(data_get($this->tableFilters, 'status.value'))
+            || is_string(data_get($this->tableFilters, 'completeness_state.value'))
+            || is_string(data_get($this->tableFilters, 'published_state.value'))
+            || filled(data_get($this->tableFilters, 'review_date.from'))
+            || filled(data_get($this->tableFilters, 'review_date.until'));
+    }
 
-        return $filters !== [];
+    private function clearRegisterFilters(): void
+    {
+        app(WorkspaceContext::class)->clearLastTenantId(request());
+        $this->removeTableFilters();
+    }
+
+    private function currentTenantFilterId(): ?int
+    {
+        $tenantFilter = data_get($this->tableFilters, 'tenant_id.value');
+
+        if (! is_numeric($tenantFilter)) {
+            $tenantFilter = data_get(session()->get($this->getTableFiltersSessionKey(), []), 'tenant_id.value');
+        }
+
+        return is_numeric($tenantFilter) ? (int) $tenantFilter : null;
     }
 
     private function workspace(): ?Workspace

apps/platform/app/Filament/Pages/TenantDashboard.php

@@ -4,11 +4,13 @@
 
 namespace App\Filament\Pages;
 
+use App\Filament\Widgets\Tenant\TenantTriageArrivalContinuity;
 use App\Filament\Widgets\Dashboard\BaselineCompareNow;
 use App\Filament\Widgets\Dashboard\DashboardKpis;
 use App\Filament\Widgets\Dashboard\NeedsAttention;
 use App\Filament\Widgets\Dashboard\RecentDriftFindings;
 use App\Filament\Widgets\Dashboard\RecentOperations;
+use App\Filament\Widgets\Dashboard\RecoveryReadiness;
 use Filament\Pages\Dashboard;
 use Filament\Widgets\Widget;
 use Filament\Widgets\WidgetConfiguration;
@@ -30,6 +32,8 @@ public static function getUrl(array $parameters = [], bool $isAbsolute = true, ?
     public function getWidgets(): array
     {
         return [
+            TenantTriageArrivalContinuity::class,
+            RecoveryReadiness::class,
             DashboardKpis::class,
             NeedsAttention::class,
             BaselineCompareNow::class,

apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php

@@ -30,7 +30,6 @@
 use App\Services\Onboarding\OnboardingLifecycleService;
 use App\Services\OperationRunService;
 use App\Services\Providers\ProviderConnectionMutationService;
-use App\Services\Providers\ProviderConnectionStateProjector;
 use App\Services\Providers\ProviderOperationRegistry;
 use App\Services\Providers\ProviderOperationStartGate;
 use App\Services\Tenants\TenantOperabilityService;
@@ -2535,12 +2534,6 @@ public function createProviderConnection(array $data): void
 
         /** @var ProviderConnection $connection */
         $connection = DB::transaction(function () use ($tenant, $displayName, $clientId, $clientSecret, $makeDefault, $usesDedicatedCredential, &$wasExistingConnection, &$previousConnectionType): ProviderConnection {
-            $projectedState = app(ProviderConnectionStateProjector::class)->project(
-                connectionType: ProviderConnectionType::Platform,
-                consentStatus: ProviderConsentStatus::Required,
-                verificationStatus: ProviderVerificationStatus::Unknown,
-            );
-
             $connection = ProviderConnection::query()
                 ->where('tenant_id', (int) $tenant->getKey())
                 ->where('provider', 'microsoft')
@@ -2554,15 +2547,14 @@ public function createProviderConnection(array $data): void
                     'provider' => 'microsoft',
                     'entra_tenant_id' => (string) $tenant->tenant_id,
                     'display_name' => $displayName,
+                    'is_enabled' => true,
                     'connection_type' => ProviderConnectionType::Platform->value,
-                    'status' => $projectedState['status'],
                     'consent_status' => ProviderConsentStatus::Required->value,
                     'consent_granted_at' => null,
                     'consent_last_checked_at' => null,
                     'consent_error_code' => null,
                     'consent_error_message' => null,
                     'verification_status' => ProviderVerificationStatus::Unknown->value,
-                    'health_status' => $projectedState['health_status'],
                     'migration_review_required' => false,
                     'migration_reviewed_at' => null,
                     'last_error_reason_code' => ProviderReasonCodes::ProviderConsentMissing,

apps/platform/app/Filament/Resources/AlertDeliveryResource/Pages/ListAlertDeliveries.php

@@ -6,7 +6,9 @@
 
 use App\Filament\Resources\AlertDeliveryResource;
 use App\Support\Filament\CanonicalAdminTenantFilterState;
+use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\OperateHub\OperateHubShell;
+use Filament\Actions\Action;
 use Filament\Resources\Pages\ListRecords;
 
 class ListAlertDeliveries extends ListRecords
@@ -22,9 +24,23 @@ public function mount(): void
 
     protected function getHeaderActions(): array
     {
-        return app(OperateHubShell::class)->headerActions(
+        $actions = app(OperateHubShell::class)->headerActions(
             scopeActionName: 'operate_hub_scope_alerts',
             returnActionName: 'operate_hub_return_alerts',
         );
+
+        $navigationContext = CanonicalNavigationContext::fromRequest(request());
+
+        if ($navigationContext?->backLinkLabel !== null && $navigationContext->backLinkUrl !== null) {
+            array_splice($actions, 1, 0, [
+                Action::make('operate_hub_back_to_origin_alert_deliveries')
+                    ->label($navigationContext->backLinkLabel)
+                    ->icon('heroicon-o-arrow-left')
+                    ->color('gray')
+                    ->url($navigationContext->backLinkUrl),
+            ]);
+        }
+
+        return $actions;
     }
 }

apps/platform/app/Filament/Resources/BackupScheduleResource.php

@@ -395,6 +395,7 @@ public static function table(Table $table): Table
                             return $nextRun->format('M j, Y H:i:s');
                         }
                     })
+                    ->description(fn (BackupSchedule $record): ?string => static::scheduleFollowUpDescription($record))
                     ->sortable(),
             ])
             ->filters([
@@ -1149,4 +1150,31 @@ protected static function dayOfWeekOptions(): array
             7 => 'Sunday',
         ];
     }
+
+    protected static function scheduleFollowUpDescription(BackupSchedule $record): ?string
+    {
+        if (! $record->is_enabled || $record->trashed()) {
+            return null;
+        }
+
+        $graceCutoff = now('UTC')->subMinutes(max(1, (int) config('tenantpilot.backup_health.schedule_overdue_grace_minutes', 30)));
+        $lastRunStatus = strtolower(trim((string) $record->last_run_status));
+        $isOverdue = $record->next_run_at?->lessThan($graceCutoff) ?? false;
+        $neverSuccessful = $record->last_run_at === null
+            && ($isOverdue || ($record->created_at?->lessThan($graceCutoff) ?? false));
+
+        if ($neverSuccessful) {
+            return 'No successful run has been recorded yet.';
+        }
+
+        if ($isOverdue) {
+            return 'This schedule looks overdue.';
+        }
+
+        if (in_array($lastRunStatus, ['failed', 'partial', 'skipped', 'canceled'], true)) {
+            return 'The last run needs follow-up.';
+        }
+
+        return null;
+    }
 }