feat: implement workspace commercial lifecycle overlay

Merge remote-tracking branch 'origin/dev' into platform-dev
chore: add gitea MCP helper script
2026-04-28 15:29:50 +02:00 · 2026-04-28 12:18:08 +02:00 · 2026-04-28 09:26:51 +02:00 · 2026-04-28 09:22:09 +02:00 · 2026-04-27 23:22:08 +02:00 · 2026-04-27 19:36:43 +02:00
39 changed files with 3418 additions and 54 deletions
--- a/.github/agents/copilot-instructions.md
+++ b/.github/agents/copilot-instructions.md
@ -262,6 +262,8 @@ ## Active Technologies
 - PostgreSQL via existing `operation_runs`, `provider_connections`, `findings`, `stored_reports`, `tenant_reviews`, `review_packs`, and `audit_logs`; no new persistence planned (241-support-diagnostic-pack)
 - PHP 8.4, Laravel 12 + Filament v5, Livewire v4, Pest v4, existing review/evidence/review-pack/audit/RBAC support services (249-customer-review-workspace)
 - PostgreSQL via existing `tenant_reviews`, `review_packs`, `evidence_snapshots`, findings / finding-exception truth, workspace memberships, and `audit_logs`; no new persistence planned (249-customer-review-workspace)
 - PHP 8.4 (Laravel 12) + Filament v5 + Livewire v4, existing workspace settings stack (`SettingsRegistry`, `SettingsResolver`, `SettingsWriter`), `WorkspaceEntitlementResolver`, `ReviewPackService`, system directory detail page (251-commercial-entitlements-billing-state)
 - PostgreSQL via existing `workspace_settings` rows plus existing audit log records; no new table or billing/account model (251-commercial-entitlements-billing-state)
 - PHP 8.4.15 (feat/005-bulk-operations)
@ -296,9 +298,9 @@ ## Code Style
 PHP 8.4.15: Follow standard conventions
 ## Recent Changes
 - 251-commercial-entitlements-billing-state: Added PHP 8.4 (Laravel 12) + Filament v5 + Livewire v4, existing workspace settings stack (`SettingsRegistry`, `SettingsResolver`, `SettingsWriter`), `WorkspaceEntitlementResolver`, `ReviewPackService`, system directory detail page
 - 249-customer-review-workspace: Added PHP 8.4, Laravel 12 + Filament v5, Livewire v4, Pest v4, existing review/evidence/review-pack/audit/RBAC support services
 - 241-support-diagnostic-pack: Added PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `OperationRunLinks`, `GovernanceRunDiagnosticSummaryBuilder`, `ProviderReasonTranslator`, `RelatedNavigationResolver`, `RedactionIntegrity`, `WorkspaceAuditLogger`
 - 240-tenant-onboarding-readiness: Added PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing onboarding services (`OnboardingLifecycleService`, `OnboardingDraftStageResolver`), provider connection summary, verification assist, and Ops-UX helpers
 <!-- MANUAL ADDITIONS START -->
 ### Pre-production compatibility check
--- a/apps/platform/app/Filament/Pages/Reviews/ReviewRegister.php
+++ b/apps/platform/app/Filament/Pages/Reviews/ReviewRegister.php
@ -178,9 +178,23 @@ public function table(Table $table): Table
                        && auth()->user()->can(Capabilities::TENANT_REVIEW_MANAGE, $record->tenant)
                        && in_array($record->status, ['ready', 'published'], true))
                    ->disabled(fn (TenantReview $record): bool => (bool) (app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($record->tenant)['is_blocked'] ?? false))
-                    ->tooltip(fn (TenantReview $record): ?string => (bool) (app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($record->tenant)['is_blocked'] ?? false)
+                    ->tooltip(function (TenantReview $record): ?string {
-                        ? (string) (app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($record->tenant)['block_reason'] ?? '')
+                        $decision = app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($record->tenant);
-                        : null)
+
                        if ((bool) ($decision['is_blocked'] ?? false)) {
                            $reason = $decision['block_reason'] ?? null;
                            return is_string($reason) && $reason !== '' ? $reason : null;
                        }
                        if ((bool) ($decision['is_warning'] ?? false)) {
                            $reason = $decision['warning_reason'] ?? null;
                            return is_string($reason) && $reason !== '' ? $reason : null;
                        }
                        return null;
                    })
                    ->action(fn (TenantReview $record): mixed => TenantReviewResource::executeExport($record)),
            ])
            ->bulkActions([])
--- a/apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php
+++ b/apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php
@ -30,6 +30,7 @@
 use App\Services\Onboarding\OnboardingDraftResolver;
 use App\Services\Onboarding\OnboardingDraftStageResolver;
 use App\Services\Onboarding\OnboardingLifecycleService;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\Entitlements\WorkspaceEntitlementResolver;
 use App\Services\OperationRunService;
 use App\Services\Providers\ProviderConnectionMutationService;
@ -4551,27 +4552,30 @@ private function completionSummaryEntitlementDecision(): array
            return [];
        }
-        return app(WorkspaceEntitlementResolver::class)->resolve(
+        return app(WorkspaceCommercialLifecycleResolver::class)->actionDecision(
            $this->workspace,
-            WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT,
+            WorkspaceCommercialLifecycleResolver::ACTION_MANAGED_TENANT_ACTIVATION,
        );
    }
    private function completionSummaryEntitlementBlocked(): bool
    {
-        return (bool) ($this->completionSummaryEntitlementDecision()['is_blocked'] ?? false);
+        return ($this->completionSummaryEntitlementDecision()['outcome'] ?? null) === WorkspaceCommercialLifecycleResolver::OUTCOME_BLOCK;
    }
    private function completionSummaryEntitlementSummary(): string
    {
        $decision = $this->completionSummaryEntitlementDecision();
-        $currentUsage = (int) ($decision['current_usage'] ?? 0);
+        $entitlementDecision = is_array($decision['entitlement_decision'] ?? null) ? $decision['entitlement_decision'] : [];
-        $effectiveValue = (int) ($decision['effective_value'] ?? 0);
+        $currentUsage = (int) ($entitlementDecision['current_usage'] ?? 0);
-        $sourceLabel = $this->completionSummaryEntitlementSourceLabel($decision);
+        $effectiveValue = (int) ($entitlementDecision['effective_value'] ?? 0);
        $sourceLabel = $this->completionSummaryEntitlementSourceLabel($entitlementDecision);
        $stateLabel = is_string($decision['state_label'] ?? null) ? $decision['state_label'] : 'Active paid';
        return sprintf(
-            '%s - %d active of %d allowed (%s)',
+            '%s - %s - %d active of %d allowed (%s)',
            $this->completionSummaryEntitlementBlocked() ? 'Blocked' : 'Allowed',
            $stateLabel,
            $currentUsage,
            $effectiveValue,
            $sourceLabel,
@ -4581,13 +4585,15 @@ private function completionSummaryEntitlementSummary(): string
    private function completionSummaryEntitlementDetail(): string
    {
        $decision = $this->completionSummaryEntitlementDecision();
-        $currentUsage = (int) ($decision['current_usage'] ?? 0);
+        $entitlementDecision = is_array($decision['entitlement_decision'] ?? null) ? $decision['entitlement_decision'] : [];
-        $effectiveValue = (int) ($decision['effective_value'] ?? 0);
+        $currentUsage = (int) ($entitlementDecision['current_usage'] ?? 0);
-        $remainingCapacity = (int) ($decision['remaining_capacity'] ?? 0);
+        $effectiveValue = (int) ($entitlementDecision['effective_value'] ?? 0);
-        $sourceLabel = $this->completionSummaryEntitlementSourceLabel($decision);
+        $remainingCapacity = (int) ($entitlementDecision['remaining_capacity'] ?? 0);
        $sourceLabel = $this->completionSummaryEntitlementSourceLabel($entitlementDecision);
        $rationale = is_string($decision['rationale'] ?? null) ? $decision['rationale'] : null;
        $message = sprintf(
-            'Current usage is %d active managed tenant%s out of %d allowed. Source: %s.',
+            '%s Current usage is %d active managed tenant%s out of %d allowed. Source: %s.',
            (string) ($decision['message'] ?? 'Managed-tenant activation is available for this workspace commercial state.'),
            $currentUsage,
            $currentUsage === 1 ? '' : 's',
            $effectiveValue,
@ -4606,7 +4612,7 @@ private function completionSummaryEntitlementDetail(): string
            }
        }
-        if ($rationale !== null && $rationale !== '' && ($decision['source'] ?? null) === 'workspace_override') {
+        if ($rationale !== null && $rationale !== '' && ($decision['source'] ?? null) === WorkspaceCommercialLifecycleResolver::SOURCE_WORKSPACE_SETTING) {
            $message .= ' Rationale: '.$rationale;
        }
@ -4982,7 +4988,7 @@ public function completeOnboarding(): void
        if ($this->completionSummaryEntitlementBlocked()) {
            Notification::make()
-                ->title('Activation limit reached')
+                ->title('Activation unavailable')
                ->body($this->completionSummaryEntitlementDetail())
                ->warning()
                ->send();
--- a/apps/platform/app/Filament/Resources/ReviewPackResource.php
+++ b/apps/platform/app/Filament/Resources/ReviewPackResource.php
@ -575,6 +575,19 @@ public static function reviewPackGenerationBlockReason(?Tenant $tenant = null):
        return is_string($reason) && $reason !== '' ? $reason : null;
    }
    public static function reviewPackGenerationWarningReason(?Tenant $tenant = null): ?string
    {
        $decision = static::reviewPackGenerationDecision($tenant);
        if (! (bool) ($decision['is_warning'] ?? false)) {
            return null;
        }
        $reason = $decision['warning_reason'] ?? null;
        return is_string($reason) && $reason !== '' ? $reason : null;
    }
    public static function reviewPackGenerationActionTooltip(?Tenant $tenant = null): ?string
    {
        $tenant ??= static::currentTenantContext();
@ -584,6 +597,7 @@ public static function reviewPackGenerationActionTooltip(?Tenant $tenant = null)
            return AuthUiTooltips::insufficientPermission();
        }
-        return static::reviewPackGenerationBlockReason($tenant);
+        return static::reviewPackGenerationBlockReason($tenant)
            ?? static::reviewPackGenerationWarningReason($tenant);
    }
 }
--- a/apps/platform/app/Filament/Resources/TenantReviewResource.php
+++ b/apps/platform/app/Filament/Resources/TenantReviewResource.php
@ -464,6 +464,19 @@ public static function reviewPackGenerationBlockReason(?Tenant $tenant = null):
        return is_string($reason) && $reason !== '' ? $reason : null;
    }
    public static function reviewPackGenerationWarningReason(?Tenant $tenant = null): ?string
    {
        $decision = static::reviewPackGenerationDecision($tenant);
        if (! (bool) ($decision['is_warning'] ?? false)) {
            return null;
        }
        $reason = $decision['warning_reason'] ?? null;
        return is_string($reason) && $reason !== '' ? $reason : null;
    }
    public static function reviewPackGenerationActionTooltip(?Tenant $tenant = null): ?string
    {
        $tenant ??= static::panelTenantContext();
@ -473,7 +486,8 @@ public static function reviewPackGenerationActionTooltip(?Tenant $tenant = null)
            return AuthUiTooltips::insufficientPermission();
        }
-        return static::reviewPackGenerationBlockReason($tenant);
+        return static::reviewPackGenerationBlockReason($tenant)
            ?? static::reviewPackGenerationWarningReason($tenant);
    }
    public static function executeExport(TenantReview $review): void
--- a/apps/platform/app/Filament/System/Pages/Directory/ViewWorkspace.php
+++ b/apps/platform/app/Filament/System/Pages/Directory/ViewWorkspace.php
@ -9,13 +9,19 @@
 use App\Models\PlatformUser;
 use App\Models\Tenant;
 use App\Models\Workspace;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\Entitlements\WorkspaceEntitlementResolver;
 use App\Services\Settings\SettingsWriter;
 use App\Support\Auth\PlatformCapabilities;
 use App\Support\CustomerHealth\WorkspaceHealthSummaryQuery;
 use App\Support\OperationCatalog;
 use App\Support\System\SystemDirectoryLinks;
 use App\Support\System\SystemOperationRunLinks;
 use App\Support\SystemConsole\SystemConsoleWindow;
 use Filament\Actions\Action;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\Textarea;
 use Filament\Notifications\Notification;
 use Filament\Pages\Page;
 use Illuminate\Support\Collection;
@ -94,6 +100,77 @@ public function workspaceEntitlementSummary(): array
        return app(WorkspaceEntitlementResolver::class)->summary($this->workspace);
    }
    /**
     * @return array<string, mixed>
     */
    public function workspaceCommercialLifecycleSummary(): array
    {
        return app(WorkspaceCommercialLifecycleResolver::class)->summary($this->workspace);
    }
    /**
     * @return array<Action>
     */
    protected function getHeaderActions(): array
    {
        return [
            Action::make('change_commercial_state')
                ->label('Change commercial state')
                ->icon('heroicon-o-adjustments-horizontal')
                ->color('warning')
                ->visible(fn (): bool => $this->canManageCommercialLifecycle())
                ->requiresConfirmation()
                ->modalHeading('Change commercial state')
                ->modalDescription('This changes the workspace commercial lifecycle overlay. The rationale is audited and affects onboarding activation and review-pack starts.')
                ->form([
                    Select::make('state')
                        ->label('Commercial state')
                        ->options(WorkspaceCommercialLifecycleResolver::stateLabels())
                        ->required()
                        ->default(fn (): string => (string) ($this->workspaceCommercialLifecycleSummary()['state'] ?? WorkspaceCommercialLifecycleResolver::STATE_ACTIVE_PAID)),
                    Textarea::make('reason')
                        ->label('Rationale')
                        ->required()
                        ->minLength(5)
                        ->maxLength(500)
                        ->rows(4),
                ])
                ->action(function (array $data, SettingsWriter $settingsWriter): void {
                    $actor = auth('platform')->user();
                    if (! $actor instanceof PlatformUser) {
                        abort(403);
                    }
                    if (! $actor->hasCapability(PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE)) {
                        abort(403);
                    }
                    $settingsWriter->updateWorkspaceCommercialLifecycle(
                        actor: $actor,
                        workspace: $this->workspace,
                        state: (string) ($data['state'] ?? ''),
                        reason: (string) ($data['reason'] ?? ''),
                    );
                    $this->workspace->refresh();
                    Notification::make()
                        ->title('Commercial state updated')
                        ->success()
                        ->send();
                }),
        ];
    }
    private function canManageCommercialLifecycle(): bool
    {
        $user = auth('platform')->user();
        return $user instanceof PlatformUser
            && $user->hasCapability(PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE);
    }
    /**
     * @return array{
     *     overall: array{label: string, color: string, icon: string|null},
--- a/apps/platform/app/Filament/Widgets/Tenant/TenantReviewPackCard.php
+++ b/apps/platform/app/Filament/Widgets/Tenant/TenantReviewPackCard.php
@ -81,6 +81,14 @@ public function generatePack(bool $includePii = true, bool $includeOperations =
            return;
        }
        if ((bool) ($decision['is_warning'] ?? false) && is_string($decision['warning_reason'] ?? null)) {
            Notification::make()
                ->title('Review pack generation allowed with warning')
                ->body($decision['warning_reason'])
                ->warning()
                ->send();
        }
        $activeRun = $service->checkActiveRun($tenant)
            ? OperationRun::query()
                ->where('tenant_id', (int) $tenant->getKey())
@ -163,6 +171,9 @@ protected function getViewData(): array
        $generationBlockReason = is_string($generationEntitlement['block_reason'] ?? null)
            ? $generationEntitlement['block_reason']
            : null;
        $generationWarningReason = is_string($generationEntitlement['warning_reason'] ?? null)
            ? $generationEntitlement['warning_reason']
            : null;
        $latestPack = ReviewPack::query()
            ->with(['tenantReview', 'operationRun'])
@ -181,6 +192,7 @@ protected function getViewData(): array
                'canManage' => $canManage,
                'generationBlocked' => $generationBlocked,
                'generationBlockReason' => $generationBlockReason,
                'generationWarningReason' => $generationWarningReason,
                'customerWorkspaceUrl' => $canView ? CustomerReviewWorkspace::tenantPrefilterUrl($tenant) : null,
                'downloadUrl' => null,
                'failedReason' => null,
@ -232,6 +244,7 @@ protected function getViewData(): array
            'canManage' => $canManage,
            'generationBlocked' => $generationBlocked,
            'generationBlockReason' => $generationBlockReason,
            'generationWarningReason' => $generationWarningReason,
            'customerWorkspaceUrl' => $canView ? CustomerReviewWorkspace::tenantPrefilterUrl($tenant) : null,
            'downloadUrl' => $downloadUrl,
            'failedReason' => $failedReason,
@ -265,6 +278,7 @@ private function emptyState(): array
            'canManage' => false,
            'generationBlocked' => false,
            'generationBlockReason' => null,
            'generationWarningReason' => null,
            'customerWorkspaceUrl' => null,
            'downloadUrl' => null,
            'failedReason' => null,
--- a/apps/platform/app/Services/Entitlements/WorkspaceCommercialLifecycleResolver.php
+++ b/apps/platform/app/Services/Entitlements/WorkspaceCommercialLifecycleResolver.php
@ -0,0 +1,410 @@
 <?php
 declare(strict_types=1);
 namespace App\Services\Entitlements;
 use App\Models\AuditLog;
 use App\Models\Tenant;
 use App\Models\Workspace;
 use App\Models\WorkspaceSetting;
 use App\Services\Settings\SettingsResolver;
 use App\Support\Audit\AuditActionId;
 use Carbon\CarbonInterface;
 final class WorkspaceCommercialLifecycleResolver
 {
    public const SETTING_DOMAIN = WorkspaceEntitlementResolver::SETTING_DOMAIN;
    public const SETTING_COMMERCIAL_LIFECYCLE_STATE = 'commercial_lifecycle_state';
    public const SETTING_COMMERCIAL_LIFECYCLE_REASON = 'commercial_lifecycle_reason';
    public const STATE_TRIAL = 'trial';
    public const STATE_GRACE = 'grace';
    public const STATE_ACTIVE_PAID = 'active_paid';
    public const STATE_SUSPENDED_READ_ONLY = 'suspended_read_only';
    public const SOURCE_DEFAULT_ACTIVE_PAID = 'default_active_paid';
    public const SOURCE_WORKSPACE_SETTING = 'workspace_setting';
    public const ACTION_MANAGED_TENANT_ACTIVATION = 'managed_tenant_activation';
    public const ACTION_REVIEW_PACK_START = 'review_pack_start';
    public const ACTION_REVIEW_HISTORY_READ = 'review_history_read';
    public const ACTION_EVIDENCE_READ = 'evidence_read';
    public const ACTION_GENERATED_PACK_READ = 'generated_pack_read';
    public const OUTCOME_ALLOW = 'allow';
    public const OUTCOME_WARN = 'warn';
    public const OUTCOME_BLOCK = 'block';
    public const OUTCOME_ALLOW_READ_ONLY = 'allow_read_only';
    public const REASON_FAMILY_ENTITLEMENT_SUBSTRATE = 'entitlement_substrate';
    public const REASON_FAMILY_COMMERCIAL_LIFECYCLE = 'commercial_lifecycle';
    public function __construct(
        private readonly SettingsResolver $settingsResolver,
        private readonly WorkspaceEntitlementResolver $workspaceEntitlementResolver,
    ) {}
    /**
     * @return list<string>
     */
    public static function stateIds(): array
    {
        return [
            self::STATE_TRIAL,
            self::STATE_GRACE,
            self::STATE_ACTIVE_PAID,
            self::STATE_SUSPENDED_READ_ONLY,
        ];
    }
    /**
     * @return array<string, string>
     */
    public static function stateLabels(): array
    {
        return [
            self::STATE_TRIAL => 'Trial',
            self::STATE_GRACE => 'Grace',
            self::STATE_ACTIVE_PAID => 'Active paid',
            self::STATE_SUSPENDED_READ_ONLY => 'Suspended / read-only',
        ];
    }
    /**
     * @return array<string, string>
     */
    public static function stateDescriptions(): array
    {
        return [
            self::STATE_TRIAL => 'Expansion and review-pack starts are available while the workspace is in trial.',
            self::STATE_GRACE => 'New managed-tenant activation is frozen, but review-pack starts remain available with a warning.',
            self::STATE_ACTIVE_PAID => 'Expansion and review-pack starts are available for the active paid workspace.',
            self::STATE_SUSPENDED_READ_ONLY => 'New activation and review-pack starts are blocked while existing review, evidence, and generated-pack access remains read-only.',
        ];
    }
    /**
     * @return array<string, mixed>
     */
    public function summary(Workspace $workspace): array
    {
        $lifecycle = $this->resolve($workspace);
        return $lifecycle + [
            'entitlement_summary' => $this->workspaceEntitlementResolver->summary($workspace),
            'action_decisions' => [
                self::ACTION_MANAGED_TENANT_ACTIVATION => $this->actionDecision($workspace, self::ACTION_MANAGED_TENANT_ACTIVATION, $lifecycle),
                self::ACTION_REVIEW_PACK_START => $this->actionDecision($workspace, self::ACTION_REVIEW_PACK_START, $lifecycle),
                self::ACTION_REVIEW_HISTORY_READ => $this->actionDecision($workspace, self::ACTION_REVIEW_HISTORY_READ, $lifecycle),
                self::ACTION_EVIDENCE_READ => $this->actionDecision($workspace, self::ACTION_EVIDENCE_READ, $lifecycle),
                self::ACTION_GENERATED_PACK_READ => $this->actionDecision($workspace, self::ACTION_GENERATED_PACK_READ, $lifecycle),
            ],
        ];
    }
    /**
     * @return array{
     *     workspace_id: int,
     *     state: string,
     *     state_label: string,
     *     source: string,
     *     source_label: string,
     *     rationale: string|null,
     *     description: string,
     *     last_changed_at: CarbonInterface|null,
     *     last_changed_by: string|null
     * }
     */
    public function resolve(Workspace $workspace): array
    {
        $stateSetting = $this->settingsResolver->resolveDetailed(
            workspace: $workspace,
            domain: self::SETTING_DOMAIN,
            key: self::SETTING_COMMERCIAL_LIFECYCLE_STATE,
        );
        $rawState = is_string($stateSetting['value'] ?? null)
            ? strtolower(trim((string) $stateSetting['value']))
            : null;
        $state = in_array($rawState, self::stateIds(), true)
            ? $rawState
            : self::STATE_ACTIVE_PAID;
        $source = ($stateSetting['source'] ?? null) === 'workspace_override' && $rawState !== null
            ? self::SOURCE_WORKSPACE_SETTING
            : self::SOURCE_DEFAULT_ACTIVE_PAID;
        $rationale = $this->settingsResolver->resolveValue(
            workspace: $workspace,
            domain: self::SETTING_DOMAIN,
            key: self::SETTING_COMMERCIAL_LIFECYCLE_REASON,
        );
        $labels = self::stateLabels();
        $descriptions = self::stateDescriptions();
        $lastChanged = $this->lastChangedMetadata($workspace);
        return [
            'workspace_id' => (int) $workspace->getKey(),
            'state' => $state,
            'state_label' => $labels[$state],
            'source' => $source,
            'source_label' => $source === self::SOURCE_WORKSPACE_SETTING
                ? 'workspace setting'
                : 'default active paid',
            'rationale' => is_string($rationale) && trim($rationale) !== '' ? trim($rationale) : null,
            'description' => $descriptions[$state],
            'last_changed_at' => $lastChanged['last_changed_at'],
            'last_changed_by' => $lastChanged['last_changed_by'],
        ];
    }
    /**
     * @param  array<string, mixed>|null  $lifecycle
     * @return array<string, mixed>
     */
    public function actionDecision(Workspace $workspace, string $actionKey, ?array $lifecycle = null): array
    {
        $lifecycle ??= $this->resolve($workspace);
        return match ($actionKey) {
            self::ACTION_MANAGED_TENANT_ACTIVATION => $this->managedTenantActivationDecision($workspace, $lifecycle),
            self::ACTION_REVIEW_PACK_START => $this->reviewPackStartDecision($workspace, $lifecycle),
            self::ACTION_REVIEW_HISTORY_READ,
            self::ACTION_EVIDENCE_READ,
            self::ACTION_GENERATED_PACK_READ => $this->readOnlyDecision($actionKey, $lifecycle),
            default => throw new \InvalidArgumentException(sprintf('Unknown commercial lifecycle action key: %s', $actionKey)),
        };
    }
    /**
     * @return array<string, mixed>
     */
    public function reviewPackStartDecisionForTenant(Tenant $tenant): array
    {
        $tenant->loadMissing('workspace');
        return $this->actionDecision($tenant->workspace, self::ACTION_REVIEW_PACK_START);
    }
    /**
     * @param  array<string, mixed>  $lifecycle
     * @return array<string, mixed>
     */
    private function managedTenantActivationDecision(Workspace $workspace, array $lifecycle): array
    {
        $substrateDecision = $this->workspaceEntitlementResolver->resolve(
            $workspace,
            WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT,
        );
        if ((bool) ($substrateDecision['is_blocked'] ?? false)) {
            return $this->decision(
                lifecycle: $lifecycle,
                actionKey: self::ACTION_MANAGED_TENANT_ACTIVATION,
                outcome: self::OUTCOME_BLOCK,
                reasonFamily: self::REASON_FAMILY_ENTITLEMENT_SUBSTRATE,
                message: (string) ($substrateDecision['block_reason'] ?? 'Workspace entitlement currently blocks managed tenant activation.'),
                substrateDecision: $substrateDecision,
            );
        }
        return match ($lifecycle['state']) {
            self::STATE_GRACE => $this->decision(
                lifecycle: $lifecycle,
                actionKey: self::ACTION_MANAGED_TENANT_ACTIVATION,
                outcome: self::OUTCOME_BLOCK,
                reasonFamily: self::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
                message: 'New managed-tenant activation is frozen while this workspace is in grace.',
                substrateDecision: $substrateDecision,
            ),
            self::STATE_SUSPENDED_READ_ONLY => $this->decision(
                lifecycle: $lifecycle,
                actionKey: self::ACTION_MANAGED_TENANT_ACTIVATION,
                outcome: self::OUTCOME_BLOCK,
                reasonFamily: self::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
                message: 'This workspace is suspended / read-only. New managed-tenant activation is blocked, but existing review and evidence history remains available.',
                substrateDecision: $substrateDecision,
            ),
            default => $this->decision(
                lifecycle: $lifecycle,
                actionKey: self::ACTION_MANAGED_TENANT_ACTIVATION,
                outcome: self::OUTCOME_ALLOW,
                reasonFamily: null,
                message: 'Managed-tenant activation is available for this workspace commercial state.',
                substrateDecision: $substrateDecision,
            ),
        };
    }
    /**
     * @param  array<string, mixed>  $lifecycle
     * @return array<string, mixed>
     */
    private function reviewPackStartDecision(Workspace $workspace, array $lifecycle): array
    {
        $substrateDecision = $this->workspaceEntitlementResolver->resolve(
            $workspace,
            WorkspaceEntitlementResolver::KEY_REVIEW_PACK_GENERATION_ENABLED,
        );
        if ((bool) ($substrateDecision['is_blocked'] ?? false)) {
            return $this->decision(
                lifecycle: $lifecycle,
                actionKey: self::ACTION_REVIEW_PACK_START,
                outcome: self::OUTCOME_BLOCK,
                reasonFamily: self::REASON_FAMILY_ENTITLEMENT_SUBSTRATE,
                message: (string) ($substrateDecision['block_reason'] ?? 'Workspace entitlement currently blocks review pack generation.'),
                substrateDecision: $substrateDecision,
            );
        }
        return match ($lifecycle['state']) {
            self::STATE_GRACE => $this->decision(
                lifecycle: $lifecycle,
                actionKey: self::ACTION_REVIEW_PACK_START,
                outcome: self::OUTCOME_WARN,
                reasonFamily: self::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
                message: 'Workspace is in grace. Review-pack starts remain available, but managed-tenant expansion is frozen.',
                substrateDecision: $substrateDecision,
            ),
            self::STATE_SUSPENDED_READ_ONLY => $this->decision(
                lifecycle: $lifecycle,
                actionKey: self::ACTION_REVIEW_PACK_START,
                outcome: self::OUTCOME_BLOCK,
                reasonFamily: self::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
                message: 'This workspace is suspended / read-only. New review-pack starts are blocked, but existing review packs, evidence, and review history remain available.',
                substrateDecision: $substrateDecision,
            ),
            default => $this->decision(
                lifecycle: $lifecycle,
                actionKey: self::ACTION_REVIEW_PACK_START,
                outcome: self::OUTCOME_ALLOW,
                reasonFamily: null,
                message: 'Review-pack starts are available for this workspace commercial state.',
                substrateDecision: $substrateDecision,
            ),
        };
    }
    /**
     * @param  array<string, mixed>  $lifecycle
     * @return array<string, mixed>
     */
    private function readOnlyDecision(string $actionKey, array $lifecycle): array
    {
        if (($lifecycle['state'] ?? null) === self::STATE_SUSPENDED_READ_ONLY) {
            return $this->decision(
                lifecycle: $lifecycle,
                actionKey: $actionKey,
                outcome: self::OUTCOME_ALLOW_READ_ONLY,
                reasonFamily: self::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
                message: 'Suspended / read-only workspaces keep existing review, evidence, and generated-pack consumption available under current RBAC.',
                substrateDecision: null,
            );
        }
        return $this->decision(
            lifecycle: $lifecycle,
            actionKey: $actionKey,
            outcome: self::OUTCOME_ALLOW,
            reasonFamily: null,
            message: 'Read-only history remains available under current RBAC.',
            substrateDecision: null,
        );
    }
    /**
     * @param  array<string, mixed>  $lifecycle
     * @param  array<string, mixed>|null  $substrateDecision
     * @return array<string, mixed>
     */
    private function decision(
        array $lifecycle,
        string $actionKey,
        string $outcome,
        ?string $reasonFamily,
        string $message,
        ?array $substrateDecision,
    ): array {
        return [
            'workspace_id' => (int) ($lifecycle['workspace_id'] ?? 0),
            'action_key' => $actionKey,
            'outcome' => $outcome,
            'is_blocked' => $outcome === self::OUTCOME_BLOCK,
            'is_warning' => $outcome === self::OUTCOME_WARN,
            'block_reason' => $outcome === self::OUTCOME_BLOCK ? $message : null,
            'warning_reason' => $outcome === self::OUTCOME_WARN ? $message : null,
            'message' => $message,
            'reason_family' => $reasonFamily,
            'state' => (string) $lifecycle['state'],
            'state_label' => (string) $lifecycle['state_label'],
            'source' => (string) $lifecycle['source'],
            'source_label' => (string) $lifecycle['source_label'],
            'rationale' => $lifecycle['rationale'] ?? null,
            'entitlement_decision' => $substrateDecision,
        ];
    }
    /**
     * @return array{last_changed_at: CarbonInterface|null, last_changed_by: string|null}
     */
    private function lastChangedMetadata(Workspace $workspace): array
    {
        $audit = AuditLog::query()
            ->where('workspace_id', (int) $workspace->getKey())
            ->where('action', AuditActionId::WorkspaceSettingUpdated->value)
            ->where('resource_type', 'workspace_setting')
            ->where('resource_id', self::SETTING_DOMAIN.'.'.self::SETTING_COMMERCIAL_LIFECYCLE_STATE)
            ->latest('recorded_at')
            ->latest('id')
            ->first();
        if ($audit instanceof AuditLog) {
            return [
                'last_changed_at' => $audit->recorded_at,
                'last_changed_by' => $audit->actorDisplayLabel(),
            ];
        }
        $record = WorkspaceSetting::query()
            ->where('workspace_id', (int) $workspace->getKey())
            ->where('domain', self::SETTING_DOMAIN)
            ->whereIn('key', [
                self::SETTING_COMMERCIAL_LIFECYCLE_STATE,
                self::SETTING_COMMERCIAL_LIFECYCLE_REASON,
            ])
            ->with('updatedByUser:id,name')
            ->latest('updated_at')
            ->latest('id')
            ->first();
        if (! $record instanceof WorkspaceSetting) {
            return [
                'last_changed_at' => null,
                'last_changed_by' => null,
            ];
        }
        return [
            'last_changed_at' => $record->updated_at,
            'last_changed_by' => $record->updatedByUser?->name,
        ];
    }
 }
--- a/apps/platform/app/Services/ReviewPackService.php
+++ b/apps/platform/app/Services/ReviewPackService.php
@ -14,7 +14,7 @@
 use App\Models\TenantReview;
 use App\Models\User;
 use App\Services\Audit\WorkspaceAuditLogger;
-use App\Services\Entitlements\WorkspaceEntitlementResolver;
+use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\Evidence\EvidenceResolutionRequest;
 use App\Services\Evidence\EvidenceSnapshotResolver;
 use App\Support\Audit\AuditActionId;
@ -30,7 +30,7 @@ public function __construct(
        private OperationRunService $operationRunService,
        private EvidenceSnapshotResolver $snapshotResolver,
        private WorkspaceAuditLogger $auditLogger,
-        private WorkspaceEntitlementResolver $workspaceEntitlementResolver,
+        private WorkspaceCommercialLifecycleResolver $workspaceCommercialLifecycleResolver,
        private ProductTelemetryRecorder $productTelemetryRecorder,
    ) {}
@ -253,10 +253,22 @@ public function generateDownloadUrl(ReviewPack $pack, array $parameters = []): s
     */
    public function reviewPackGenerationDecisionForTenant(Tenant $tenant): array
    {
-        return $this->workspaceEntitlementResolver->resolve(
+        $tenant->loadMissing('workspace');
        $decision = $this->workspaceCommercialLifecycleResolver->actionDecision(
            $tenant->workspace,
-            WorkspaceEntitlementResolver::KEY_REVIEW_PACK_GENERATION_ENABLED,
+            WorkspaceCommercialLifecycleResolver::ACTION_REVIEW_PACK_START,
        );
        $entitlementDecision = is_array($decision['entitlement_decision'] ?? null)
            ? $decision['entitlement_decision']
            : [];
        return $decision + [
            'effective_value' => $entitlementDecision['effective_value'] ?? null,
            'source' => $decision['source'] ?? null,
            'current_usage' => $entitlementDecision['current_usage'] ?? null,
            'remaining_capacity' => $entitlementDecision['remaining_capacity'] ?? null,
        ];
    }
    private function recordReviewPackRequestTelemetry(ReviewPack $reviewPack, User $user, string $sourceSurface): void
--- a/apps/platform/app/Services/Settings/SettingsWriter.php
+++ b/apps/platform/app/Services/Settings/SettingsWriter.php
@ -4,6 +4,7 @@
 namespace App\Services\Settings;
 use App\Models\PlatformUser;
 use App\Models\Tenant;
 use App\Models\TenantSetting;
 use App\Models\User;
@ -11,11 +12,14 @@
 use App\Models\WorkspaceSetting;
 use App\Services\Audit\WorkspaceAuditLogger;
 use App\Services\Auth\WorkspaceCapabilityResolver;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Support\Audit\AuditActionId;
 use App\Support\Auth\Capabilities;
 use App\Support\Auth\PlatformCapabilities;
 use App\Support\Settings\SettingDefinition;
 use App\Support\Settings\SettingsRegistry;
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\ValidationException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@ -33,27 +37,7 @@ public function updateWorkspaceSetting(User $actor, Workspace $workspace, string
    {
        $this->authorizeManage($actor, $workspace);
-        $definition = $this->requireDefinition($domain, $key);
+        $result = $this->persistWorkspaceSetting($workspace, $domain, $key, $value, (int) $actor->getKey());
        $normalizedValue = $this->validatedValue($definition, $value);
        $existing = WorkspaceSetting::query()
            ->where('workspace_id', (int) $workspace->getKey())
            ->where('domain', $domain)
            ->where('key', $key)
            ->first();
        $beforeValue = $existing instanceof WorkspaceSetting
            ? $this->decodeStoredValue($existing->getAttribute('value'))
            : null;
        $setting = WorkspaceSetting::query()->updateOrCreate([
            'workspace_id' => (int) $workspace->getKey(),
            'domain' => $domain,
            'key' => $key,
        ], [
            'value' => $normalizedValue,
            'updated_by_user_id' => (int) $actor->getKey(),
        ]);
        $this->resolver->clearCache();
@ -67,7 +51,7 @@ public function updateWorkspaceSetting(User $actor, Workspace $workspace, string
                    'scope' => 'workspace',
                    'domain' => $domain,
                    'key' => $key,
-                    'before_value' => $beforeValue,
+                    'before_value' => $result['before_value'],
                    'after_value' => $afterValue,
                ],
            ],
@ -76,7 +60,79 @@ public function updateWorkspaceSetting(User $actor, Workspace $workspace, string
            resourceId: $domain.'.'.$key,
        );
-        return $setting;
+        return $result['setting'];
    }
    public function updateWorkspaceCommercialLifecycle(
        PlatformUser $actor,
        Workspace $workspace,
        string $state,
        string $reason,
    ): void {
        $state = strtolower(trim($state));
        $reason = trim($reason);
        if (! $actor->hasCapability(PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE)) {
            throw new AuthorizationException('Missing commercial lifecycle manage capability.');
        }
        if ($reason === '') {
            throw ValidationException::withMessages([
                'reason' => ['A rationale is required when changing commercial lifecycle state.'],
            ]);
        }
        DB::transaction(function () use ($actor, $workspace, $state, $reason): void {
            $stateResult = $this->persistWorkspaceSetting(
                workspace: $workspace,
                domain: WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN,
                key: WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_STATE,
                value: $state,
                updatedByUserId: null,
            );
            $reasonResult = $this->persistWorkspaceSetting(
                workspace: $workspace,
                domain: WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN,
                key: WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_REASON,
                value: $reason,
                updatedByUserId: null,
            );
            $this->resolver->clearCache();
            $afterState = $this->resolver->resolveValue(
                $workspace,
                WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN,
                WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_STATE,
            );
            $afterReason = $this->resolver->resolveValue(
                $workspace,
                WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN,
                WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_REASON,
            );
            $this->auditLogger->log(
                workspace: $workspace,
                action: AuditActionId::WorkspaceSettingUpdated->value,
                context: [
                    'metadata' => [
                        'scope' => 'workspace',
                        'domain' => WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN,
                        'key' => WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_STATE,
                        'before_state' => $stateResult['before_value'],
                        'after_state' => $afterState,
                        'before_reason' => $reasonResult['before_value'],
                        'after_reason' => $afterReason,
                    ],
                ],
                actor: $actor,
                resourceType: 'workspace_setting',
                resourceId: WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN.'.'.WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_STATE,
                targetLabel: 'Commercial lifecycle state',
            );
        });
    }
    public function resetWorkspaceSetting(User $actor, Workspace $workspace, string $domain, string $key): void
@ -174,6 +230,39 @@ private function requireDefinition(string $domain, string $key): SettingDefiniti
        ]);
    }
    /**
     * @return array{setting: WorkspaceSetting, before_value: mixed}
     */
    private function persistWorkspaceSetting(Workspace $workspace, string $domain, string $key, mixed $value, ?int $updatedByUserId): array
    {
        $definition = $this->requireDefinition($domain, $key);
        $normalizedValue = $this->validatedValue($definition, $value);
        $existing = WorkspaceSetting::query()
            ->where('workspace_id', (int) $workspace->getKey())
            ->where('domain', $domain)
            ->where('key', $key)
            ->first();
        $beforeValue = $existing instanceof WorkspaceSetting
            ? $this->decodeStoredValue($existing->getAttribute('value'))
            : null;
        $setting = WorkspaceSetting::query()->updateOrCreate([
            'workspace_id' => (int) $workspace->getKey(),
            'domain' => $domain,
            'key' => $key,
        ], [
            'value' => $normalizedValue,
            'updated_by_user_id' => $updatedByUserId,
        ]);
        return [
            'setting' => $setting,
            'before_value' => $beforeValue,
        ];
    }
    private function validatedValue(SettingDefinition $definition, mixed $value): mixed
    {
        $validator = Validator::make(
--- a/apps/platform/app/Support/Auth/PlatformCapabilities.php
+++ b/apps/platform/app/Support/Auth/PlatformCapabilities.php
@ -18,6 +18,8 @@ class PlatformCapabilities
    public const DIRECTORY_VIEW = 'platform.directory.view';
    public const COMMERCIAL_LIFECYCLE_MANAGE = 'platform.commercial_lifecycle.manage';
    public const OPERATIONS_VIEW = 'platform.operations.view';
    public const OPERATIONS_MANAGE = 'platform.operations.manage';
--- a/apps/platform/app/Support/Badges/BadgeCatalog.php
+++ b/apps/platform/app/Support/Badges/BadgeCatalog.php
@ -57,6 +57,7 @@ final class BadgeCatalog
        BadgeDomain::BaselineProfileStatus->value => Domains\BaselineProfileStatusBadge::class,
        BadgeDomain::FindingType->value => Domains\FindingTypeBadge::class,
        BadgeDomain::ReviewPackStatus->value => Domains\ReviewPackStatusBadge::class,
        BadgeDomain::CommercialLifecycleState->value => Domains\CommercialLifecycleStateBadge::class,
        BadgeDomain::EvidenceSnapshotStatus->value => Domains\EvidenceSnapshotStatusBadge::class,
        BadgeDomain::EvidenceCompleteness->value => Domains\EvidenceCompletenessBadge::class,
        BadgeDomain::TenantReviewStatus->value => Domains\TenantReviewStatusBadge::class,
--- a/apps/platform/app/Support/Badges/BadgeDomain.php
+++ b/apps/platform/app/Support/Badges/BadgeDomain.php
@ -48,6 +48,7 @@ enum BadgeDomain: string
    case BaselineProfileStatus = 'baseline_profile_status';
    case FindingType = 'finding_type';
    case ReviewPackStatus = 'review_pack_status';
    case CommercialLifecycleState = 'commercial_lifecycle_state';
    case EvidenceSnapshotStatus = 'evidence_snapshot_status';
    case EvidenceCompleteness = 'evidence_completeness';
    case TenantReviewStatus = 'tenant_review_status';
--- a/apps/platform/app/Support/Badges/Domains/CommercialLifecycleStateBadge.php
+++ b/apps/platform/app/Support/Badges/Domains/CommercialLifecycleStateBadge.php
@ -0,0 +1,26 @@
 <?php
 declare(strict_types=1);
 namespace App\Support\Badges\Domains;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Support\Badges\BadgeCatalog;
 use App\Support\Badges\BadgeMapper;
 use App\Support\Badges\BadgeSpec;
 final class CommercialLifecycleStateBadge implements BadgeMapper
 {
    public function spec(mixed $value): BadgeSpec
    {
        $state = BadgeCatalog::normalizeState($value);
        return match ($state) {
            WorkspaceCommercialLifecycleResolver::STATE_TRIAL => new BadgeSpec('Trial', 'info', 'heroicon-m-clock'),
            WorkspaceCommercialLifecycleResolver::STATE_GRACE => new BadgeSpec('Grace', 'warning', 'heroicon-m-exclamation-triangle'),
            WorkspaceCommercialLifecycleResolver::STATE_ACTIVE_PAID => new BadgeSpec('Active paid', 'success', 'heroicon-m-check-circle'),
            WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY => new BadgeSpec('Suspended / read-only', 'danger', 'heroicon-m-lock-closed'),
            default => BadgeSpec::unknown(),
        };
    }
 }
--- a/apps/platform/app/Support/Settings/SettingsRegistry.php
+++ b/apps/platform/app/Support/Settings/SettingsRegistry.php
@ -6,6 +6,7 @@
 use App\Support\Ai\AiPolicyMode;
 use App\Models\Finding;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\Entitlements\WorkspacePlanProfileCatalog;
 final class SettingsRegistry
@ -314,6 +315,44 @@ static function (string $attribute, mixed $value, \Closure $fail): void {
                return $normalized === '' ? null : $normalized;
            },
        ));
        $this->register(new SettingDefinition(
            domain: 'entitlements',
            key: WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_STATE,
            type: 'string',
            systemDefault: null,
            rules: [
                'nullable',
                'string',
                'in:'.implode(',', WorkspaceCommercialLifecycleResolver::stateIds()),
            ],
            normalizer: static function (mixed $value): ?string {
                if ($value === null) {
                    return null;
                }
                $normalized = strtolower(trim((string) $value));
                return $normalized === '' ? null : $normalized;
            },
        ));
        $this->register(new SettingDefinition(
            domain: 'entitlements',
            key: WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_REASON,
            type: 'string',
            systemDefault: null,
            rules: ['nullable', 'string', 'max:500'],
            normalizer: static function (mixed $value): ?string {
                if ($value === null) {
                    return null;
                }
                $normalized = trim((string) $value);
                return $normalized === '' ? null : $normalized;
            },
        ));
    }
    /**
--- a/apps/platform/app/Support/Ui/ActionSurface/ActionSurfaceExemptions.php
+++ b/apps/platform/app/Support/Ui/ActionSurface/ActionSurfaceExemptions.php
@ -749,12 +749,17 @@ public static function spec195ResidualSurfaceInventory(): array
                'discoveryState' => 'outside_primary_discovery',
                'closureDecision' => 'harmless_special_case',
                'reasonCategory' => 'read_mostly_context_detail',
-                'explicitReason' => 'The workspace directory detail page is a read-mostly drilldown that exposes context and links, not a declaration-backed mutable system workbench.',
+                'explicitReason' => 'The workspace directory detail page is a read-mostly drilldown with one bounded, capability-gated commercial lifecycle mutation added by spec 251; it is still not a declaration-backed mutable system workbench.',
                'evidence' => [
                    [
                        'kind' => 'feature_livewire_test',
                        'reference' => 'tests/Feature/System/Spec195/SystemDirectoryResidualSurfaceTest.php',
-                        'proves' => 'The workspace detail page stays capability-gated and renders contextual tenant and run links without mutating actions.',
+                        'proves' => 'The workspace detail page stays capability-gated and renders contextual tenant and run links while remaining outside the primary declaration-backed table contract.',
                    ],
                    [
                        'kind' => 'feature_livewire_test',
                        'reference' => 'tests/Feature/System/ViewWorkspaceEntitlementsTest.php',
                        'proves' => 'The commercial lifecycle mutation is separately capability-gated, confirmation-protected, rationale-required, and audited.',
                    ],
                    [
                        'kind' => 'authorization_test',
--- a/apps/platform/app/Support/Workspaces/WorkspaceResolver.php
+++ b/apps/platform/app/Support/Workspaces/WorkspaceResolver.php
@ -8,6 +8,8 @@ final class WorkspaceResolver
 {
    public function resolve(string $value): ?Workspace
    {
        $value = $this->normalizeRouteValue($value);
        $workspace = Workspace::query()
            ->where('slug', $value)
            ->first();
@ -22,4 +24,37 @@ public function resolve(string $value): ?Workspace
        return Workspace::query()->whereKey((int) $value)->first();
    }
    private function normalizeRouteValue(string $value): string
    {
        $value = trim($value);
        if (! str_starts_with($value, '{')) {
            return $value;
        }
        $decoded = json_decode($value, true);
        if (! is_array($decoded)) {
            return $value;
        }
        $slug = $decoded['slug'] ?? null;
        if (is_string($slug) && $slug !== '') {
            return $slug;
        }
        $id = $decoded['id'] ?? null;
        if (is_int($id)) {
            return (string) $id;
        }
        if (is_string($id) && ctype_digit($id)) {
            return $id;
        }
        return $value;
    }
 }
--- a/apps/platform/resources/views/filament/system/pages/directory/view-workspace.blade.php
+++ b/apps/platform/resources/views/filament/system/pages/directory/view-workspace.blade.php
@ -1,9 +1,18 @@
@php
    use App\Support\Badges\BadgeCatalog;
    use App\Support\Badges\BadgeDomain;
    /** @var \App\Models\Workspace $workspace */
    $workspace = $this->workspace;
    $customerHealthDecision = $this->customerHealthDecision();
    $tenants = $this->workspaceTenants();
    $runs = $this->recentRuns();
    $commercialLifecycle = $this->workspaceCommercialLifecycleSummary();
    $commercialBadge = BadgeCatalog::spec(BadgeDomain::CommercialLifecycleState, $commercialLifecycle['state'] ?? null);
    $commercialActionDecisions = is_array($commercialLifecycle['action_decisions'] ?? null) ? $commercialLifecycle['action_decisions'] : [];
    $activationLifecycleDecision = $commercialActionDecisions['managed_tenant_activation'] ?? null;
    $reviewPackLifecycleDecision = $commercialActionDecisions['review_pack_start'] ?? null;
    $readOnlyLifecycleDecision = $commercialActionDecisions['generated_pack_read'] ?? null;
    $workspaceEntitlementSummary = $this->workspaceEntitlementSummary();
    $planProfile = $workspaceEntitlementSummary['plan_profile'] ?? null;
    $entitlementDecisions = $workspaceEntitlementSummary['decisions'] ?? [];
@ -40,6 +49,63 @@
            @include('filament.system.pages.directory.partials.customer-health-decision-card', ['decision' => $customerHealthDecision])
        @endif
        <x-filament::section>
            <x-slot name="heading">
                Commercial lifecycle
            </x-slot>
            <div class="grid grid-cols-1 gap-4 sm:grid-cols-2">
                <div class="rounded-lg bg-gray-50 px-4 py-3 dark:bg-white/5">
                    <p class="text-xs font-semibold uppercase tracking-wider text-gray-500 dark:text-gray-400">Current state</p>
                    <div class="mt-2 flex items-center gap-2">
                        <x-filament::badge :color="$commercialBadge->color" :icon="$commercialBadge->icon">
                            {{ $commercialBadge->label }}
                        </x-filament::badge>
                        <span class="text-sm text-gray-500 dark:text-gray-400">{{ $commercialLifecycle['source_label'] ?? 'default active paid' }}</span>
                    </div>
                    <p class="mt-2 text-sm text-gray-500 dark:text-gray-400">{{ $commercialLifecycle['description'] ?? 'Commercial lifecycle state controls expansion and review-pack starts.' }}</p>
                </div>
                <div class="rounded-lg bg-gray-50 px-4 py-3 dark:bg-white/5">
                    <p class="text-xs font-semibold uppercase tracking-wider text-gray-500 dark:text-gray-400">Lifecycle rationale</p>
                    <p class="mt-1 text-base font-semibold text-gray-950 dark:text-white">{{ $commercialLifecycle['rationale'] ?? 'No explicit rationale recorded.' }}</p>
                    <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
                        {{ $commercialLifecycle['last_changed_by'] ?? 'System default' }}
                        @if (($commercialLifecycle['last_changed_at'] ?? null) instanceof \Carbon\CarbonInterface)
                            · {{ $commercialLifecycle['last_changed_at']->diffForHumans() }}
                        @endif
                    </p>
                </div>
            </div>
            <div class="mt-4 space-y-3">
                @foreach ([
                    'Managed tenant activation' => $activationLifecycleDecision,
                    'Review-pack starts' => $reviewPackLifecycleDecision,
                    'Read-only history and downloads' => $readOnlyLifecycleDecision,
                ] as $label => $decision)
                    @if (is_array($decision))
                        <div class="rounded-lg border border-gray-200 px-4 py-3 dark:border-white/10">
                            <div class="flex items-start justify-between gap-4">
                                <div>
                                    <p class="text-sm font-semibold text-gray-950 dark:text-white">{{ $label }}</p>
                                    <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">{{ $decision['message'] ?? 'No lifecycle decision message available.' }}</p>
                                </div>
                                <x-filament::badge :color="match ($decision['outcome'] ?? null) {
                                    'block' => 'danger',
                                    'warn' => 'warning',
                                    'allow_read_only' => 'info',
                                    default => 'success',
                                }">
                                    {{ str_replace('_', ' ', (string) ($decision['outcome'] ?? 'allow')) }}
                                </x-filament::badge>
                            </div>
                        </div>
                    @endif
                @endforeach
            </div>
        </x-filament::section>
        @if (is_array($planProfile) && is_array($managedTenantDecision) && is_array($reviewPackDecision))
            <x-filament::section>
                <x-slot name="heading">
--- a/apps/platform/resources/views/filament/widgets/tenant/tenant-review-pack-card.blade.php
+++ b/apps/platform/resources/views/filament/widgets/tenant/tenant-review-pack-card.blade.php
@ -11,6 +11,7 @@
    /** @var bool $canManage */
    /** @var bool $generationBlocked */
    /** @var ?string $generationBlockReason */
    /** @var ?string $generationWarningReason */
    /** @var ?string $customerWorkspaceUrl */
    /** @var ?string $downloadUrl */
    /** @var ?string $failedReason */
@ -33,6 +34,12 @@
            </div>
        @endif
        @if ($canManage && ! $generationBlocked && $generationWarningReason)
            <div class="mb-3 rounded-lg border border-warning-200 bg-warning-50 px-3 py-2 text-sm text-warning-800 dark:border-warning-500/30 dark:bg-warning-500/10 dark:text-warning-200">
                {{ $generationWarningReason }}
            </div>
        @endif
        @if (! $pack)
            {{-- State 1: No pack --}}
            <div class="flex flex-col items-center gap-3 py-4 text-center">
--- a/apps/platform/tests/Feature/Evidence/EvidenceSnapshotResourceTest.php
+++ b/apps/platform/tests/Feature/Evidence/EvidenceSnapshotResourceTest.php
@ -10,10 +10,14 @@
 use App\Models\EvidenceSnapshotItem;
 use App\Models\Finding;
 use App\Models\OperationRun;
 use App\Models\PlatformUser;
 use App\Models\ReviewPack;
 use App\Models\StoredReport;
 use App\Models\Tenant;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\Settings\SettingsWriter;
 use App\Support\Auth\Capabilities;
 use App\Support\Auth\PlatformCapabilities;
 use App\Support\Evidence\EvidenceCompletenessState;
 use App\Support\Evidence\EvidenceSnapshotStatus;
 use App\Support\Ui\GovernanceActions\GovernanceActionCatalog;
@ -68,6 +72,23 @@ function evidenceSnapshotHeaderActions(Testable $component): array
    return $instance->getCachedHeaderActions();
 }
 function suspendEvidenceSnapshotWorkspace(Tenant $tenant): void
 {
    app(SettingsWriter::class)->updateWorkspaceCommercialLifecycle(
        actor: PlatformUser::factory()->create([
            'capabilities' => [
                PlatformCapabilities::ACCESS_SYSTEM_PANEL,
                PlatformCapabilities::DIRECTORY_VIEW,
                PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE,
            ],
            'is_active' => true,
        ]),
        workspace: $tenant->workspace,
        state: WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY,
        reason: 'Evidence read-only preservation test',
    );
 }
 it('renders the evidence list page for an authorized user', function (): void {
    $tenant = Tenant::factory()->create();
    [$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
@ -207,6 +228,36 @@ function evidenceSnapshotHeaderActions(Testable $component): array
        ->toContain('operation_run', 'review_pack');
 });
 it('keeps evidence snapshot detail accessible for readonly members while suspended read-only', function (): void {
    $tenant = Tenant::factory()->create();
    [$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
    $snapshot = EvidenceSnapshot::query()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'status' => EvidenceSnapshotStatus::Active->value,
        'completeness_state' => EvidenceCompletenessState::Complete->value,
        'summary' => ['finding_count' => 2],
        'generated_at' => now(),
    ]);
    suspendEvidenceSnapshotWorkspace($tenant);
    $this->actingAs($user)
        ->get(EvidenceSnapshotResource::getUrl('view', ['record' => $snapshot], tenant: $tenant, panel: 'tenant'))
        ->assertOk();
    $tenant->makeCurrent();
    Filament::setTenant($tenant, true);
    Livewire::actingAs($user)
        ->test(ViewEvidenceSnapshot::class, ['record' => $snapshot->getKey()])
        ->assertActionVisible('refresh_evidence')
        ->assertActionDisabled('refresh_evidence')
        ->assertActionVisible('expire_snapshot')
        ->assertActionDisabled('expire_snapshot');
 });
 it('shows artifact truth and next-step guidance for degraded evidence snapshots', function (): void {
    $tenant = Tenant::factory()->create();
    [$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
--- a/apps/platform/tests/Feature/Onboarding/ManagedTenantOnboardingEntitlementTest.php
+++ b/apps/platform/tests/Feature/Onboarding/ManagedTenantOnboardingEntitlementTest.php
@ -5,13 +5,16 @@
 use App\Filament\Pages\Workspaces\ManagedTenantOnboardingWizard;
 use App\Models\AuditLog;
 use App\Models\OperationRun;
 use App\Models\PlatformUser;
 use App\Models\ProviderConnection;
 use App\Models\Tenant;
 use App\Models\TenantOnboardingSession;
 use App\Models\User;
 use App\Models\Workspace;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\Entitlements\WorkspaceEntitlementResolver;
 use App\Services\Settings\SettingsWriter;
 use App\Support\Auth\PlatformCapabilities;
 use App\Support\OperationRunOutcome;
 use App\Support\OperationRunStatus;
 use App\Support\Workspaces\WorkspaceContext;
@ -21,7 +24,12 @@
 /**
 * @return array{workspace: Workspace, user: User, tenant: Tenant, draft: TenantOnboardingSession, component: \Livewire\Features\SupportTesting\Testable}
 */
-function readyOnboardingEntitlementContext(int $activeTenantCount = 0, ?int $limitOverride = null, ?string $overrideReason = null): array
+function readyOnboardingEntitlementContext(
    int $activeTenantCount = 0,
    ?int $limitOverride = null,
    ?string $overrideReason = null,
    ?string $commercialState = null,
 ): array
 {
    Queue::fake();
@ -110,6 +118,22 @@ function readyOnboardingEntitlementContext(int $activeTenantCount = 0, ?int $lim
        }
    }
    if ($commercialState !== null) {
        app(SettingsWriter::class)->updateWorkspaceCommercialLifecycle(
            actor: PlatformUser::factory()->create([
                'capabilities' => [
                    PlatformCapabilities::ACCESS_SYSTEM_PANEL,
                    PlatformCapabilities::DIRECTORY_VIEW,
                    PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE,
                ],
                'is_active' => true,
            ]),
            workspace: $workspace,
            state: $commercialState,
            reason: 'Onboarding entitlement test commercial state',
        );
    }
    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
    $component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class, [
@ -188,3 +212,65 @@ function readyOnboardingEntitlementContext(int $activeTenantCount = 0, ?int $lim
    expect($context['tenant']->status)->toBe(Tenant::STATUS_ACTIVE);
 });
 it('allows onboarding activation while a workspace is in trial', function (): void {
    $context = readyOnboardingEntitlementContext(
        activeTenantCount: 0,
        commercialState: WorkspaceCommercialLifecycleResolver::STATE_TRIAL,
    );
    $context['component']
        ->assertSee('Activation entitlement')
        ->assertSee('Trial')
        ->call('completeOnboarding');
    $context['tenant']->refresh();
    expect($context['tenant']->status)->toBe(Tenant::STATUS_ACTIVE)
        ->and(AuditLog::query()
            ->where('workspace_id', (int) $context['workspace']->getKey())
            ->where('action', 'managed_tenant_onboarding.activation')
            ->exists())->toBeTrue();
 });
 it('blocks onboarding activation with a grace commercial-state reason before tenant mutation', function (): void {
    $context = readyOnboardingEntitlementContext(
        activeTenantCount: 0,
        commercialState: WorkspaceCommercialLifecycleResolver::STATE_GRACE,
    );
    $context['component']
        ->assertSee('Activation entitlement')
        ->assertSee('Grace')
        ->assertSee('New managed-tenant activation is frozen while this workspace is in grace.')
        ->call('completeOnboarding');
    $context['tenant']->refresh();
    expect($context['tenant']->status)->toBe(Tenant::STATUS_ONBOARDING)
        ->and(AuditLog::query()
            ->where('workspace_id', (int) $context['workspace']->getKey())
            ->where('action', 'managed_tenant_onboarding.activation')
            ->exists())->toBeFalse();
 });
 it('blocks onboarding activation with a suspended read-only commercial-state reason before tenant mutation', function (): void {
    $context = readyOnboardingEntitlementContext(
        activeTenantCount: 0,
        commercialState: WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY,
    );
    $context['component']
        ->assertSee('Activation entitlement')
        ->assertSee('Suspended / read-only')
        ->assertSee('This workspace is suspended / read-only. New managed-tenant activation is blocked')
        ->call('completeOnboarding');
    $context['tenant']->refresh();
    expect($context['tenant']->status)->toBe(Tenant::STATUS_ONBOARDING)
        ->and(AuditLog::query()
            ->where('workspace_id', (int) $context['workspace']->getKey())
            ->where('action', 'managed_tenant_onboarding.activation')
            ->exists())->toBeFalse();
 });
--- a/apps/platform/tests/Feature/ReviewPack/ReviewPackDownloadTest.php
+++ b/apps/platform/tests/Feature/ReviewPack/ReviewPackDownloadTest.php
@ -4,8 +4,12 @@
 use App\Models\ReviewPack;
 use App\Models\AuditLog;
 use App\Models\PlatformUser;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\ReviewPackService;
 use App\Services\Settings\SettingsWriter;
 use App\Support\Audit\AuditActionId;
 use App\Support\Auth\PlatformCapabilities;
 use App\Support\ReviewPackStatus;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Storage;
@ -38,6 +42,23 @@ function createReadyPackWithFile(?array $packOverrides = []): array
    return [$user, $tenant, $pack];
 }
 function suspendReadyPackWorkspaceForDownloadTest(ReviewPack $pack): void
 {
    app(SettingsWriter::class)->updateWorkspaceCommercialLifecycle(
        actor: PlatformUser::factory()->create([
            'capabilities' => [
                PlatformCapabilities::ACCESS_SYSTEM_PANEL,
                PlatformCapabilities::DIRECTORY_VIEW,
                PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE,
            ],
            'is_active' => true,
        ]),
        workspace: $pack->workspace,
        state: WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY,
        reason: 'Download preservation test',
    );
 }
 // ─── Happy Path: Signed URL → 200 ───────────────────────────
 it('downloads a ready pack via signed URL with correct headers', function (): void {
@ -64,6 +85,21 @@ function createReadyPackWithFile(?array $packOverrides = []): array
        ->and(data_get($audit?->metadata, 'source_surface'))->toBe('customer_review_workspace');
 });
 it('keeps ready pack downloads available while the workspace is suspended read-only', function (): void {
    [$user, $tenant, $pack] = createReadyPackWithFile();
    suspendReadyPackWorkspaceForDownloadTest($pack);
    $signedUrl = app(ReviewPackService::class)->generateDownloadUrl($pack, [
        'source_surface' => 'suspended_read_only_check',
    ]);
    $response = $this->actingAs($user)->get($signedUrl);
    $response->assertOk();
    $response->assertHeader('X-Review-Pack-SHA256', $pack->sha256);
    $response->assertDownload();
 });
 // ─── Expired Signature → 403 ────────────────────────────────
 it('rejects requests with an expired signature', function (): void {
--- a/apps/platform/tests/Feature/ReviewPack/ReviewPackEntitlementEnforcementTest.php
+++ b/apps/platform/tests/Feature/ReviewPack/ReviewPackEntitlementEnforcementTest.php
@ -8,16 +8,20 @@
 use App\Models\EvidenceSnapshot;
 use App\Models\Finding;
 use App\Models\OperationRun;
 use App\Models\PlatformUser;
 use App\Models\ReviewPack;
 use App\Models\StoredReport;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\Evidence\EvidenceSnapshotService;
 use App\Services\ReviewPackService;
 use App\Services\Settings\SettingsWriter;
 use App\Support\Auth\PlatformCapabilities;
 use App\Support\Evidence\EvidenceSnapshotStatus;
 use App\Support\OperationRunType;
 use App\Support\Workspaces\WorkspaceContext;
 use Illuminate\Support\Facades\Notification;
 use Illuminate\Support\Facades\Storage;
 use Livewire\Livewire;
@ -108,6 +112,23 @@ function disableReviewPackGenerationForWorkspace(Tenant $tenant, User $user, str
    );
 }
 function setReviewPackCommercialLifecycleState(Tenant $tenant, string $state, string $reason = 'Review pack commercial lifecycle test'): void
 {
    app(SettingsWriter::class)->updateWorkspaceCommercialLifecycle(
        actor: PlatformUser::factory()->create([
            'capabilities' => [
                PlatformCapabilities::ACCESS_SYSTEM_PANEL,
                PlatformCapabilities::DIRECTORY_VIEW,
                PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE,
            ],
            'is_active' => true,
        ]),
        workspace: $tenant->workspace,
        state: $state,
        reason: $reason,
    );
 }
 it('blocks new review pack generation before creating a review pack or operation run when the workspace is not entitled', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');
    seedEntitlementReviewPackSnapshot($tenant);
@ -188,3 +209,86 @@ function disableReviewPackGenerationForWorkspace(Tenant $tenant, User $user, str
        ->assertOk()
        ->assertSee('Download');
 });
 it('allows review pack generation in trial and active paid states', function (string $state): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');
    seedEntitlementReviewPackSnapshot($tenant);
    setReviewPackCommercialLifecycleState($tenant, $state);
    $pack = app(ReviewPackService::class)->generate($tenant, $user);
    expect($pack)->toBeInstanceOf(ReviewPack::class)
        ->and($pack->operation_run_id)->not->toBeNull()
        ->and($pack->status)->toBe(\App\Support\ReviewPackStatus::Queued->value);
 })->with([
    'trial' => [WorkspaceCommercialLifecycleResolver::STATE_TRIAL],
    'active paid' => [WorkspaceCommercialLifecycleResolver::STATE_ACTIVE_PAID],
 ]);
 it('warns but allows review pack generation in grace', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');
    seedEntitlementReviewPackSnapshot($tenant);
    setReviewPackCommercialLifecycleState($tenant, WorkspaceCommercialLifecycleResolver::STATE_GRACE, 'Grace period');
    $decision = app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($tenant);
    expect($decision)
        ->toMatchArray([
            'is_blocked' => false,
            'is_warning' => true,
            'outcome' => WorkspaceCommercialLifecycleResolver::OUTCOME_WARN,
        ])
        ->and($decision['warning_reason'])->toContain('grace');
    session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
    setTenantPanelContext($tenant);
    Livewire::actingAs($user)
        ->test(TenantReviewPackCard::class, ['record' => $tenant])
        ->assertSee('Workspace is in grace. Review-pack starts remain available');
    $pack = app(ReviewPackService::class)->generate($tenant, $user);
    expect($pack)->toBeInstanceOf(ReviewPack::class)
        ->and(OperationRun::query()
            ->where('tenant_id', (int) $tenant->getKey())
            ->where('type', OperationRunType::ReviewPackGenerate->value)
            ->exists())->toBeTrue();
 });
 it('blocks suspended read-only review pack generation before creating a review pack or operation run and sends no run notifications', function (): void {
    Notification::fake();
    [$user, $tenant] = createUserWithTenant(role: 'owner');
    seedEntitlementReviewPackSnapshot($tenant);
    setReviewPackCommercialLifecycleState($tenant, WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY, 'Suspension');
    $initialRunCount = OperationRun::query()
        ->where('tenant_id', (int) $tenant->getKey())
        ->where('type', OperationRunType::ReviewPackGenerate->value)
        ->count();
    expect(fn (): ReviewPack => app(ReviewPackService::class)->generate($tenant, $user))
        ->toThrow(WorkspaceEntitlementBlockedException::class, 'suspended / read-only');
    expect(ReviewPack::query()->count())->toBe(0)
        ->and(OperationRun::query()
            ->where('tenant_id', (int) $tenant->getKey())
            ->where('type', OperationRunType::ReviewPackGenerate->value)
            ->count())->toBe($initialRunCount);
    Notification::assertNothingSent();
 });
 it('does not alter already queued review-pack work when a workspace is suspended later', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');
    seedEntitlementReviewPackSnapshot($tenant);
    $pack = app(ReviewPackService::class)->generate($tenant, $user);
    $initialStatus = (string) $pack->fresh()?->status;
    setReviewPackCommercialLifecycleState($tenant, WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY, 'Later suspension');
    expect($pack->fresh()?->status)->toBe($initialStatus)
        ->and(OperationRun::query()
            ->whereKey((int) $pack->operation_run_id)
            ->exists())->toBeTrue();
 });
--- a/apps/platform/tests/Feature/ReviewPack/ReviewPackGenerationTest.php
+++ b/apps/platform/tests/Feature/ReviewPack/ReviewPackGenerationTest.php
@ -3,18 +3,23 @@
 declare(strict_types=1);
 use App\Exceptions\ReviewPackEvidenceResolutionException;
 use App\Exceptions\Entitlements\WorkspaceEntitlementBlockedException;
 use App\Filament\Widgets\Tenant\TenantReviewPackCard;
 use App\Jobs\GenerateReviewPackJob;
 use App\Models\EvidenceSnapshot;
 use App\Models\Finding;
 use App\Models\OperationRun;
 use App\Models\PlatformUser;
 use App\Models\ReviewPack;
 use App\Models\StoredReport;
 use App\Models\Tenant;
 use App\Notifications\OperationRunCompleted;
 use App\Notifications\OperationRunQueued;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\Evidence\EvidenceSnapshotService;
 use App\Services\ReviewPackService;
 use App\Services\Settings\SettingsWriter;
 use App\Support\Auth\PlatformCapabilities;
 use App\Support\Evidence\EvidenceSnapshotStatus;
 use App\Support\OperationRunOutcome;
 use App\Support\OperationRunStatus;
@ -157,6 +162,23 @@ function createEvidenceSnapshotForReviewPack(Tenant $tenant): EvidenceSnapshot
    return $snapshot->load('items');
 }
 function suspendReviewPackGenerationWorkspaceForGenerationTest(Tenant $tenant): void
 {
    app(SettingsWriter::class)->updateWorkspaceCommercialLifecycle(
        actor: PlatformUser::factory()->create([
            'capabilities' => [
                PlatformCapabilities::ACCESS_SYSTEM_PANEL,
                PlatformCapabilities::DIRECTORY_VIEW,
                PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE,
            ],
            'is_active' => true,
        ]),
        workspace: $tenant->workspace,
        state: WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY,
        reason: 'Generation notification boundary test',
    );
 }
 // ─── Happy Path ──────────────────────────────────────────────
 it('generates a review pack end-to-end (happy path)', function (): void {
@ -210,6 +232,22 @@ function createEvidenceSnapshotForReviewPack(Tenant $tenant): EvidenceSnapshot
    Notification::assertSentTo($user, OperationRunCompleted::class);
 });
 it('does not send queued or terminal run notifications when suspended read-only blocks generation', function (): void {
    [$user, $tenant] = createUserWithTenant();
    seedTenantWithData($tenant);
    createEvidenceSnapshotForReviewPack($tenant);
    suspendReviewPackGenerationWorkspaceForGenerationTest($tenant);
    Notification::fake();
    expect(fn (): ReviewPack => app(ReviewPackService::class)->generate($tenant, $user))
        ->toThrow(WorkspaceEntitlementBlockedException::class, 'suspended / read-only');
    Notification::assertNotSentTo($user, OperationRunQueued::class);
    Notification::assertNotSentTo($user, OperationRunCompleted::class);
 });
 // ─── Failure Path ──────────────────────────────────────────────
 it('marks pack as failed when generation throws an exception', function (): void {
--- a/apps/platform/tests/Feature/Reviews/CustomerReviewWorkspacePackAccessTest.php
+++ b/apps/platform/tests/Feature/Reviews/CustomerReviewWorkspacePackAccessTest.php
@ -3,8 +3,12 @@
 declare(strict_types=1);
 use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
 use App\Models\PlatformUser;
 use App\Models\ReviewPack;
 use App\Models\Tenant;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\Settings\SettingsWriter;
 use App\Support\Auth\PlatformCapabilities;
 use App\Support\TenantReviewStatus;
 use App\Support\Workspaces\WorkspaceContext;
 use Illuminate\Foundation\Testing\RefreshDatabase;
@ -12,6 +16,23 @@
 uses(RefreshDatabase::class);
 function suspendCustomerReviewWorkspacePackAccessWorkspace(Tenant $tenant): void
 {
    app(SettingsWriter::class)->updateWorkspaceCommercialLifecycle(
        actor: PlatformUser::factory()->create([
            'capabilities' => [
                PlatformCapabilities::ACCESS_SYSTEM_PANEL,
                PlatformCapabilities::DIRECTORY_VIEW,
                PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE,
            ],
            'is_active' => true,
        ]),
        workspace: $tenant->workspace,
        state: WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY,
        reason: 'Customer review workspace suspended read-only test',
    );
 }
 it('shows the ready review-pack action for the latest published review', function (): void {
    $tenant = Tenant::factory()->create();
    [$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
@ -48,6 +69,44 @@
        ->assertSee('Available');
 });
 it('keeps customer review workspace and pack actions visible while suspended read-only', function (): void {
    $tenant = Tenant::factory()->create();
    [$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
    $snapshot = seedTenantReviewEvidence($tenant);
    $review = composeTenantReviewForTest($tenant, $user, $snapshot);
    $review->forceFill([
        'status' => TenantReviewStatus::Published->value,
        'published_at' => now(),
        'published_by_user_id' => (int) $user->getKey(),
    ])->save();
    $pack = ReviewPack::factory()->ready()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'tenant_review_id' => (int) $review->getKey(),
        'evidence_snapshot_id' => (int) $snapshot->getKey(),
        'initiated_by_user_id' => (int) $user->getKey(),
        'expires_at' => now()->addDay(),
    ]);
    $review->forceFill([
        'current_export_review_pack_id' => (int) $pack->getKey(),
    ])->save();
    suspendCustomerReviewWorkspacePackAccessWorkspace($tenant);
    $this->actingAs($user);
    setAdminPanelContext();
    session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
    Livewire::actingAs($user)
        ->test(CustomerReviewWorkspace::class)
        ->assertTableActionVisible('open_latest_review', $tenant)
        ->assertTableActionVisible('download_review_pack', $tenant)
        ->assertSee('Available');
 });
 it('shows an unavailable pack state and hides the download action when no current review pack exists', function (): void {
    $tenant = Tenant::factory()->create();
    [$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
--- a/apps/platform/tests/Feature/System/Spec113/AuthorizationSemanticsTest.php
+++ b/apps/platform/tests/Feature/System/Spec113/AuthorizationSemanticsTest.php
@ -5,7 +5,9 @@
 use App\Models\OperationRun;
 use App\Models\PlatformUser;
 use App\Models\User;
 use App\Models\Workspace;
 use App\Support\Auth\PlatformCapabilities;
 use App\Support\System\SystemDirectoryLinks;
 use App\Support\System\SystemOperationRunLinks;
 use Illuminate\Foundation\Testing\RefreshDatabase;
@ -119,3 +121,38 @@
        ->get('/system/ops/runbooks')
        ->assertSuccessful();
 });
 it('keeps system workspace detail route semantics separate from commercial business-state blocks', function (): void {
    $workspace = Workspace::factory()->create();
    $this->actingAs(User::factory()->create())
        ->get(SystemDirectoryLinks::workspaceDetail($workspace))
        ->assertNotFound();
    auth()->guard('web')->logout();
    $platformWithoutDirectoryView = PlatformUser::factory()->create([
        'capabilities' => [
            PlatformCapabilities::ACCESS_SYSTEM_PANEL,
        ],
        'is_active' => true,
    ]);
    $this->actingAs($platformWithoutDirectoryView, 'platform')
        ->get(SystemDirectoryLinks::workspaceDetail($workspace))
        ->assertForbidden();
    $directoryViewer = PlatformUser::factory()->create([
        'capabilities' => [
            PlatformCapabilities::ACCESS_SYSTEM_PANEL,
            PlatformCapabilities::DIRECTORY_VIEW,
        ],
        'is_active' => true,
    ]);
    $this->actingAs($directoryViewer, 'platform')
        ->get(SystemDirectoryLinks::workspaceDetail($workspace))
        ->assertSuccessful()
        ->assertSee('Commercial lifecycle')
        ->assertDontSee('Change commercial state');
 });
--- a/apps/platform/tests/Feature/System/ViewWorkspaceEntitlementsTest.php
+++ b/apps/platform/tests/Feature/System/ViewWorkspaceEntitlementsTest.php
@ -3,13 +3,25 @@
 declare(strict_types=1);
 use App\Filament\System\Pages\Directory\ViewWorkspace;
 use App\Models\AuditLog;
 use App\Models\PlatformUser;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Models\Workspace;
 use App\Models\WorkspaceMembership;
 use App\Models\WorkspaceSetting;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\Settings\SettingsWriter;
 use App\Support\Audit\AuditActionId;
 use App\Support\Auth\PlatformCapabilities;
 use Filament\Actions\Action;
 use Filament\Facades\Filament;
 use Livewire\Livewire;
 beforeEach(function (): void {
    Filament::setCurrentPanel('system');
    Filament::bootCurrentPanel();
 });
 it('renders the read-only workspace entitlement summary on the system workspace detail page', function (): void {
    $workspace = Workspace::factory()->create(['name' => 'Acme Workspace']);
@ -79,5 +91,102 @@
        ->assertSee('Pilot workspace')
        ->assertSee('Escalation only')
        ->assertSee('workspace override')
        ->assertSee('Commercial lifecycle')
        ->assertSee('Active paid')
        ->assertSee('default active paid')
        ->assertDontSee('Save');
 });
 it('gates the commercial lifecycle mutation action behind a dedicated platform capability', function (): void {
    $workspace = Workspace::factory()->create();
    $viewer = PlatformUser::factory()->create([
        'capabilities' => [
            PlatformCapabilities::ACCESS_SYSTEM_PANEL,
            PlatformCapabilities::DIRECTORY_VIEW,
        ],
        'is_active' => true,
    ]);
    Livewire::actingAs($viewer, 'platform')
        ->test(ViewWorkspace::class, ['workspace' => $workspace])
        ->assertActionHidden('change_commercial_state');
 });
 it('changes commercial lifecycle state through the confirmed system action and records audit truth', function (): void {
    $workspace = Workspace::factory()->create(['name' => 'Lifecycle Workspace']);
    $operator = PlatformUser::factory()->create([
        'name' => 'Platform Operator',
        'capabilities' => [
            PlatformCapabilities::ACCESS_SYSTEM_PANEL,
            PlatformCapabilities::DIRECTORY_VIEW,
            PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE,
        ],
        'is_active' => true,
    ]);
    Livewire::actingAs($operator, 'platform')
        ->test(ViewWorkspace::class, ['workspace' => $workspace])
        ->assertActionVisible('change_commercial_state')
        ->assertActionExists('change_commercial_state', fn (Action $action): bool => $action->getLabel() === 'Change commercial state'
            && $action->isConfirmationRequired())
        ->callAction('change_commercial_state', data: [
            'state' => WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY,
            'reason' => 'Commercial suspension approved by support',
        ])
        ->assertNotified('Commercial state updated');
    expect(WorkspaceSetting::query()
        ->where('workspace_id', (int) $workspace->getKey())
        ->where('domain', WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN)
        ->where('key', WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_STATE)
        ->value('value'))->toBe(WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY)
        ->and(WorkspaceSetting::query()
            ->where('workspace_id', (int) $workspace->getKey())
            ->where('domain', WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN)
            ->where('key', WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_REASON)
            ->value('value'))->toBe('Commercial suspension approved by support');
    $audit = AuditLog::query()
        ->where('workspace_id', (int) $workspace->getKey())
        ->where('action', AuditActionId::WorkspaceSettingUpdated->value)
        ->where('resource_id', WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN.'.'.WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_STATE)
        ->latest('id')
        ->first();
    expect($audit)->not->toBeNull()
        ->and($audit?->actor_name)->toBe('Platform Operator')
        ->and($audit?->metadata['before_state'] ?? null)->toBeNull()
        ->and($audit?->metadata['after_state'] ?? null)->toBe(WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY)
        ->and($audit?->metadata['after_reason'] ?? null)->toBe('Commercial suspension approved by support');
    $summary = app(WorkspaceCommercialLifecycleResolver::class)->summary($workspace);
    expect($summary)
        ->toMatchArray([
            'state' => WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY,
            'source' => WorkspaceCommercialLifecycleResolver::SOURCE_WORKSPACE_SETTING,
            'rationale' => 'Commercial suspension approved by support',
            'last_changed_by' => 'Platform Operator',
        ]);
 });
 it('requires a rationale before changing commercial lifecycle state', function (): void {
    $workspace = Workspace::factory()->create();
    $operator = PlatformUser::factory()->create([
        'capabilities' => [
            PlatformCapabilities::ACCESS_SYSTEM_PANEL,
            PlatformCapabilities::DIRECTORY_VIEW,
            PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE,
        ],
        'is_active' => true,
    ]);
    Livewire::actingAs($operator, 'platform')
        ->test(ViewWorkspace::class, ['workspace' => $workspace])
        ->callAction('change_commercial_state', data: [
            'state' => WorkspaceCommercialLifecycleResolver::STATE_GRACE,
            'reason' => '',
        ])
        ->assertHasActionErrors(['reason']);
 });
--- a/apps/platform/tests/Unit/Badges/CommercialLifecycleStateBadgeTest.php
+++ b/apps/platform/tests/Unit/Badges/CommercialLifecycleStateBadgeTest.php
@ -0,0 +1,20 @@
 <?php
 declare(strict_types=1);
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Support\Badges\BadgeCatalog;
 use App\Support\Badges\BadgeDomain;
 it('maps commercial lifecycle states through the shared badge catalog', function (string $state, string $label, string $color): void {
    $spec = BadgeCatalog::spec(BadgeDomain::CommercialLifecycleState, $state);
    expect($spec->label)->toBe($label)
        ->and($spec->color)->toBe($color)
        ->and($spec->icon)->not->toBeNull();
 })->with([
    'trial' => [WorkspaceCommercialLifecycleResolver::STATE_TRIAL, 'Trial', 'info'],
    'grace' => [WorkspaceCommercialLifecycleResolver::STATE_GRACE, 'Grace', 'warning'],
    'active paid' => [WorkspaceCommercialLifecycleResolver::STATE_ACTIVE_PAID, 'Active paid', 'success'],
    'suspended read-only' => [WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY, 'Suspended / read-only', 'danger'],
 ]);
--- a/apps/platform/tests/Unit/Entitlements/WorkspaceCommercialLifecycleResolverTest.php
+++ b/apps/platform/tests/Unit/Entitlements/WorkspaceCommercialLifecycleResolverTest.php
@ -0,0 +1,199 @@
 <?php
 declare(strict_types=1);
 use App\Models\PlatformUser;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Models\Workspace;
 use App\Models\WorkspaceMembership;
 use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\Entitlements\WorkspaceEntitlementResolver;
 use App\Services\Settings\SettingsWriter;
 use App\Support\Auth\PlatformCapabilities;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 uses(RefreshDatabase::class);
 /**
 * @return array{0: Workspace, 1: User}
 */
 function commercialLifecycleWorkspaceManager(): array
 {
    $workspace = Workspace::factory()->create();
    $user = User::factory()->create();
    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'manager',
    ]);
    return [$workspace, $user];
 }
 function commercialLifecyclePlatformOperator(): PlatformUser
 {
    return PlatformUser::factory()->create([
        'capabilities' => [
            PlatformCapabilities::ACCESS_SYSTEM_PANEL,
            PlatformCapabilities::DIRECTORY_VIEW,
            PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE,
        ],
        'is_active' => true,
    ]);
 }
 function setCommercialLifecycleState(Workspace $workspace, string $state, string $reason = 'Unit test commercial state change'): void
 {
    app(SettingsWriter::class)->updateWorkspaceCommercialLifecycle(
        actor: commercialLifecyclePlatformOperator(),
        workspace: $workspace,
        state: $state,
        reason: $reason,
    );
 }
 it('falls back to active paid when no explicit commercial lifecycle setting exists', function (): void {
    [$workspace] = commercialLifecycleWorkspaceManager();
    $summary = app(WorkspaceCommercialLifecycleResolver::class)->summary($workspace);
    expect($summary)
        ->toMatchArray([
            'state' => WorkspaceCommercialLifecycleResolver::STATE_ACTIVE_PAID,
            'state_label' => 'Active paid',
            'source' => WorkspaceCommercialLifecycleResolver::SOURCE_DEFAULT_ACTIVE_PAID,
            'source_label' => 'default active paid',
            'rationale' => null,
        ])
        ->and($summary['last_changed_at'])->toBeNull()
        ->and($summary['last_changed_by'])->toBeNull()
        ->and($summary['action_decisions'][WorkspaceCommercialLifecycleResolver::ACTION_MANAGED_TENANT_ACTIVATION]['outcome'])
        ->toBe(WorkspaceCommercialLifecycleResolver::OUTCOME_ALLOW)
        ->and($summary['action_decisions'][WorkspaceCommercialLifecycleResolver::ACTION_REVIEW_PACK_START]['outcome'])
        ->toBe(WorkspaceCommercialLifecycleResolver::OUTCOME_ALLOW);
 });
 it('resolves explicit stored commercial lifecycle states with source rationale and platform attribution', function (string $state, string $expectedLabel): void {
    [$workspace] = commercialLifecycleWorkspaceManager();
    $operator = commercialLifecyclePlatformOperator();
    app(SettingsWriter::class)->updateWorkspaceCommercialLifecycle(
        actor: $operator,
        workspace: $workspace,
        state: $state,
        reason: 'Support approved commercial lifecycle transition',
    );
    $summary = app(WorkspaceCommercialLifecycleResolver::class)->summary($workspace);
    expect($summary)
        ->toMatchArray([
            'state' => $state,
            'state_label' => $expectedLabel,
            'source' => WorkspaceCommercialLifecycleResolver::SOURCE_WORKSPACE_SETTING,
            'source_label' => 'workspace setting',
            'rationale' => 'Support approved commercial lifecycle transition',
            'last_changed_by' => $operator->name,
        ])
        ->and($summary['last_changed_at'])->not->toBeNull();
 })->with([
    'trial' => [WorkspaceCommercialLifecycleResolver::STATE_TRIAL, 'Trial'],
    'grace' => [WorkspaceCommercialLifecycleResolver::STATE_GRACE, 'Grace'],
    'active paid' => [WorkspaceCommercialLifecycleResolver::STATE_ACTIVE_PAID, 'Active paid'],
    'suspended read-only' => [WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY, 'Suspended / read-only'],
 ]);
 it('blocks activation but warns review pack starts during grace', function (): void {
    [$workspace] = commercialLifecycleWorkspaceManager();
    setCommercialLifecycleState($workspace, WorkspaceCommercialLifecycleResolver::STATE_GRACE, 'Payment collection pending');
    $resolver = app(WorkspaceCommercialLifecycleResolver::class);
    $activation = $resolver->actionDecision($workspace, WorkspaceCommercialLifecycleResolver::ACTION_MANAGED_TENANT_ACTIVATION);
    $reviewPackStart = $resolver->actionDecision($workspace, WorkspaceCommercialLifecycleResolver::ACTION_REVIEW_PACK_START);
    expect($activation)
        ->toMatchArray([
            'outcome' => WorkspaceCommercialLifecycleResolver::OUTCOME_BLOCK,
            'is_blocked' => true,
            'reason_family' => WorkspaceCommercialLifecycleResolver::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
            'state' => WorkspaceCommercialLifecycleResolver::STATE_GRACE,
        ])
        ->and($activation['block_reason'])->toContain('grace')
        ->and($reviewPackStart)
        ->toMatchArray([
            'outcome' => WorkspaceCommercialLifecycleResolver::OUTCOME_WARN,
            'is_blocked' => false,
            'is_warning' => true,
            'reason_family' => WorkspaceCommercialLifecycleResolver::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
            'state' => WorkspaceCommercialLifecycleResolver::STATE_GRACE,
        ])
        ->and($reviewPackStart['warning_reason'])->toContain('grace');
 });
 it('blocks new starts but allows read-only history during suspended read-only', function (): void {
    [$workspace] = commercialLifecycleWorkspaceManager();
    setCommercialLifecycleState($workspace, WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY, 'Commercial suspension');
    $resolver = app(WorkspaceCommercialLifecycleResolver::class);
    expect($resolver->actionDecision($workspace, WorkspaceCommercialLifecycleResolver::ACTION_MANAGED_TENANT_ACTIVATION))
        ->toMatchArray([
            'outcome' => WorkspaceCommercialLifecycleResolver::OUTCOME_BLOCK,
            'is_blocked' => true,
            'reason_family' => WorkspaceCommercialLifecycleResolver::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
        ])
        ->and($resolver->actionDecision($workspace, WorkspaceCommercialLifecycleResolver::ACTION_REVIEW_PACK_START))
        ->toMatchArray([
            'outcome' => WorkspaceCommercialLifecycleResolver::OUTCOME_BLOCK,
            'is_blocked' => true,
            'reason_family' => WorkspaceCommercialLifecycleResolver::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
        ])
        ->and($resolver->actionDecision($workspace, WorkspaceCommercialLifecycleResolver::ACTION_EVIDENCE_READ))
        ->toMatchArray([
            'outcome' => WorkspaceCommercialLifecycleResolver::OUTCOME_ALLOW_READ_ONLY,
            'is_blocked' => false,
            'reason_family' => WorkspaceCommercialLifecycleResolver::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
        ]);
 });
 it('preserves entitlement substrate blocks ahead of lifecycle outcomes', function (): void {
    [$workspace, $manager] = commercialLifecycleWorkspaceManager();
    setCommercialLifecycleState($workspace, WorkspaceCommercialLifecycleResolver::STATE_GRACE, 'Grace should not bypass substrate');
    Tenant::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'status' => Tenant::STATUS_ACTIVE,
    ]);
    app(SettingsWriter::class)->updateWorkspaceSetting(
        actor: $manager,
        workspace: $workspace,
        domain: WorkspaceEntitlementResolver::SETTING_DOMAIN,
        key: WorkspaceEntitlementResolver::SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_VALUE,
        value: 1,
    );
    app(SettingsWriter::class)->updateWorkspaceSetting(
        actor: $manager,
        workspace: $workspace,
        domain: WorkspaceEntitlementResolver::SETTING_DOMAIN,
        key: WorkspaceEntitlementResolver::SETTING_REVIEW_PACK_GENERATION_OVERRIDE_VALUE,
        value: false,
    );
    $resolver = app(WorkspaceCommercialLifecycleResolver::class);
    expect($resolver->actionDecision($workspace, WorkspaceCommercialLifecycleResolver::ACTION_MANAGED_TENANT_ACTIVATION))
        ->toMatchArray([
            'outcome' => WorkspaceCommercialLifecycleResolver::OUTCOME_BLOCK,
            'reason_family' => WorkspaceCommercialLifecycleResolver::REASON_FAMILY_ENTITLEMENT_SUBSTRATE,
        ])
        ->and($resolver->actionDecision($workspace, WorkspaceCommercialLifecycleResolver::ACTION_REVIEW_PACK_START))
        ->toMatchArray([
            'outcome' => WorkspaceCommercialLifecycleResolver::OUTCOME_BLOCK,
            'reason_family' => WorkspaceCommercialLifecycleResolver::REASON_FAMILY_ENTITLEMENT_SUBSTRATE,
            'is_warning' => false,
        ]);
 });
--- a/apps/platform/tests/Unit/Support/Workspaces/WorkspaceResolverTest.php
+++ b/apps/platform/tests/Unit/Support/Workspaces/WorkspaceResolverTest.php
@ -0,0 +1,52 @@
 <?php
 declare(strict_types=1);
 use App\Models\Workspace;
 use App\Support\Workspaces\WorkspaceResolver;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 uses(RefreshDatabase::class);
 it('resolves a workspace by slug or id', function (): void {
    $workspace = Workspace::factory()->create([
        'slug' => 'resolver-smoke-workspace',
    ]);
    $resolver = app(WorkspaceResolver::class);
    expect($resolver->resolve('resolver-smoke-workspace')?->is($workspace))->toBeTrue()
        ->and($resolver->resolve((string) $workspace->getKey())?->is($workspace))->toBeTrue();
 });
 it('resolves a Livewire serialized workspace route parameter', function (): void {
    $workspace = Workspace::factory()->create([
        'slug' => 'serialized-route-workspace',
    ]);
    $payload = json_encode([
        'id' => $workspace->getKey(),
        'name' => $workspace->name,
        'slug' => $workspace->slug,
    ], JSON_THROW_ON_ERROR);
    expect(app(WorkspaceResolver::class)->resolve($payload)?->is($workspace))->toBeTrue();
 });
 it('falls back to serialized id when a Livewire route payload has no slug', function (): void {
    $workspace = Workspace::factory()->create();
    $payload = json_encode([
        'id' => (string) $workspace->getKey(),
    ], JSON_THROW_ON_ERROR);
    expect(app(WorkspaceResolver::class)->resolve($payload)?->is($workspace))->toBeTrue();
 });
 it('returns null for an unsupported serialized route payload', function (): void {
    $payload = json_encode([
        'name' => 'Missing key',
    ], JSON_THROW_ON_ERROR);
    expect(app(WorkspaceResolver::class)->resolve($payload))->toBeNull();
 });
--- a/get_gitea_tools.py
+++ b/get_gitea_tools.py
@ -0,0 +1,50 @@
 import json
 import subprocess
 import sys
 import time
 def send(proc, payload):
    proc.stdin.write((json.dumps(payload) + "\n").encode("utf-8"))
    proc.stdin.flush()
 def read_line(proc, timeout=10.0):
    start = time.time()
    while time.time() - start < timeout:
        line = proc.stdout.readline()
        if line:
            return line.decode("utf-8", errors="replace").strip()
        time.sleep(0.05)
    return ""
 def main():
    proc = subprocess.Popen(
        ["python3", "scripts/run-gitea-mcp.py"],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    try:
        send(proc, {
            "jsonrpc": "2.0",
            "id": 1,
            "method": "initialize",
            "params": {
                "protocolVersion": "2024-11-05",
                "capabilities": {},
                "clientInfo": {"name": "test", "version": "1.0.0"},
            },
        })
        init_resp = read_line(proc)
        send(proc, {
            "jsonrpc": "2.0",
            "id": 2,
            "method": "tools/list",
            "params": {}
        })
        tools_resp = read_line(proc)
        print(tools_resp)
    finally:
        proc.terminate()
 if __name__ == "__main__":
    main()
--- a/specs/251-commercial-entitlements-billing-state/checklists/requirements.md
+++ b/specs/251-commercial-entitlements-billing-state/checklists/requirements.md
@ -0,0 +1,42 @@
 # Specification Quality Checklist: Commercial Entitlements and Billing-State Maturity
 **Purpose**: Validate specification completeness and readiness before planning or implementation.
 **Created**: 2026-04-28
 **Feature**: [../spec.md](../spec.md)
 ## Content Quality
 - [x] No implementation details (languages, frameworks, APIs)
 - [x] Focused on user value and business needs
 - [x] Written for non-technical stakeholders
 - [x] All mandatory sections completed
 ## Requirement Completeness
 - [x] No [NEEDS CLARIFICATION] markers remain
 - [x] Requirements are testable and unambiguous
 - [x] Success criteria are measurable
 - [x] Success criteria are technology-agnostic (no implementation details)
 - [x] All acceptance scenarios are defined
 - [x] Edge cases are identified
 - [x] Scope is clearly bounded
 - [x] Dependencies and assumptions identified
 ## Feature Readiness
 - [x] All functional requirements have clear acceptance criteria
 - [x] User scenarios cover primary flows
 - [x] Feature meets measurable outcomes defined in Success Criteria
 - [x] No implementation details leak into specification
 ## Review Outcome
 - [x] Review outcome class: acceptable-special-case
 - [x] Workflow outcome: keep
 - [x] Test-governance impact is explicitly recorded in the spec
 ## Notes
 - Repo-specific surface names and existing product terms are used to anchor the spec to current truth, but the spec does not prescribe languages, frameworks, APIs, or low-level implementation design.
 - No open clarification markers remain. The bounded assumptions are the default `active_paid` resolution for unset workspaces and the distinct `grace` behavior that freezes onboarding expansion without blocking in-scope review-pack starts.
 - Implementation close-out keeps the workflow outcome as `keep`. The Livewire browser-smoke finding was fixed inside scope by making workspace route resolution accept Livewire serialized workspace parameters; no follow-up spec is required.
--- a/specs/251-commercial-entitlements-billing-state/contracts/workspace-commercial-lifecycle-overlay.logical.openapi.yaml
+++ b/specs/251-commercial-entitlements-billing-state/contracts/workspace-commercial-lifecycle-overlay.logical.openapi.yaml
@ -0,0 +1,465 @@
 openapi: 3.0.3
 info:
  title: TenantPilot Admin/System - Workspace Commercial Lifecycle Overlay (Conceptual)
  version: 0.1.0
  description: |
    Conceptual contract for the commercial lifecycle overlay that follows the
    existing workspace entitlement substrate from Spec 247.
    NOTE: These routes are implemented as existing Filament pages, resources,
    widgets, and Livewire-backed actions. Exact Livewire payload shapes are not
    part of this contract. This file captures logical route boundaries, the
    system/admin split, and the required 404 / 403 / business-state semantics.
 servers:
  - url: /admin
  - url: /system
 paths:
  /directory/workspaces/{workspace}:
    get:
      summary: View read-only workspace commercial lifecycle summary in the system plane
      description: |
        Renders the existing system directory workspace detail page with the
        effective lifecycle state, rationale, affected behavior summary, and the
        reused entitlement substrate summary.
      parameters:
        - $ref: '#/components/parameters/WorkspaceId'
      responses:
        '200':
          description: System workspace detail rendered
          content:
            text/html:
              schema:
                type: string
          x-logical-view-model:
            $ref: '#/components/schemas/SystemWorkspaceCommercialLifecycleView'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /directory/workspaces/{workspace}/actions/change-commercial-state:
    post:
      summary: Change the workspace commercial lifecycle state from the system plane
      description: |
        Conceptual contract for the confirmation-protected state-change action
        on the existing system workspace detail page.
        Behavior:
        - Platform user with directory visibility but without the dedicated
          lifecycle-manage capability: 403
        - Wrong plane or non-platform actor: 404 semantics at the panel boundary
        - Authorized platform user: state and rationale are written through the
          existing workspace settings audit path
      parameters:
        - $ref: '#/components/parameters/WorkspaceId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ChangeCommercialLifecycleCommand'
      responses:
        '204':
          description: Commercial lifecycle state changed successfully
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '422':
          $ref: '#/components/responses/ValidationError'
  /onboarding/{onboardingDraft}:
    get:
      summary: View onboarding workflow with lifecycle-aware completion state
      description: |
        Renders the existing managed-tenant onboarding wizard. The completion
        step must include the commercial lifecycle outcome after the underlying
        entitlement substrate has been evaluated.
      parameters:
        - $ref: '#/components/parameters/OnboardingDraftId'
      responses:
        '200':
          description: Onboarding wizard rendered
          content:
            text/html:
              schema:
                type: string
          x-logical-view-model:
            $ref: '#/components/schemas/OnboardingCommercialLifecycleView'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /onboarding/{onboardingDraft}/actions/complete:
    post:
      summary: Complete onboarding when entitlement, lifecycle state, and existing readiness all allow
      parameters:
        - $ref: '#/components/parameters/OnboardingDraftId'
      responses:
        '204':
          description: Onboarding completed
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/BusinessStateBlocked'
  /review-packs/actions/generate:
    post:
      summary: Generate a review pack from the current tenant context
      description: |
        Conceptual contract for the tenant dashboard and review-pack list start
        action family.
        Behavior ordering:
        1. authorization
        2. underlying entitlement substrate decision
        3. lifecycle overlay decision
        4. existing dedupe / queued-start flow when allowed
        A lifecycle-blocked attempt is future-start-only in this slice: it
        creates no new `ReviewPack`, creates no new `OperationRun`, emits no
        queued or terminal review-pack notification, and does not affect any
        review-pack work that was already queued or running.
      requestBody:
        required: false
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ReviewPackGenerationCommand'
      responses:
        '202':
          description: Generation accepted or deduped through the existing flow
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/BusinessStateBlocked'
  /tenant-reviews/{tenantReview}/actions/export-executive-pack:
    post:
      summary: Export an executive pack from an existing tenant review
      description: |
        Conceptual contract for the review register and tenant review detail
        export action family. The lifecycle overlay must block before any new
        `ReviewPack` or `OperationRun` is created, emit no queued or terminal
        review-pack notification for the blocked attempt, and leave any
        already-created queued or running review-pack work unchanged.
      parameters:
        - $ref: '#/components/parameters/TenantReviewId'
      responses:
        '202':
          description: Export accepted or deduped through the existing flow
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/BusinessStateBlocked'
  /review-packs/{reviewPack}/actions/regenerate:
    post:
      summary: Regenerate an existing review pack
      description: |
        Conceptual contract for the existing review-pack detail regenerate
        action. Existing confirmation and dedupe behavior remain in place when
        the lifecycle overlay allows the start. A lifecycle-blocked attempt is
        future-start-only: it creates no new `ReviewPack`, creates no new
        `OperationRun`, emits no queued or terminal review-pack notification,
        and leaves any already-created queued or running review-pack work
        unchanged.
      parameters:
        - $ref: '#/components/parameters/ReviewPackId'
      requestBody:
        required: false
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ReviewPackGenerationCommand'
      responses:
        '202':
          description: Regeneration accepted or deduped through the existing flow
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/BusinessStateBlocked'
  /tenant-reviews/{tenantReview}:
    get:
      summary: View existing tenant review while the workspace may be suspended read-only
      parameters:
        - $ref: '#/components/parameters/TenantReviewId'
      responses:
        '200':
          description: Existing tenant review rendered when current RBAC allows it
          content:
            text/html:
              schema:
                type: string
          x-logical-view-model:
            $ref: '#/components/schemas/PreservedReadOnlyView'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /review-packs/{reviewPack}:
    get:
      summary: View existing review pack while the workspace may be suspended read-only
      parameters:
        - $ref: '#/components/parameters/ReviewPackId'
      responses:
        '200':
          description: Existing review pack rendered when current RBAC allows it
          content:
            text/html:
              schema:
                type: string
          x-logical-view-model:
            $ref: '#/components/schemas/PreservedReadOnlyView'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /review-packs/{reviewPack}/download:
    get:
      summary: Download an already-generated review pack while the workspace may be suspended read-only
      parameters:
        - $ref: '#/components/parameters/ReviewPackId'
      responses:
        '200':
          description: Existing generated pack download is still available when current RBAC allows it
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /evidence-snapshots/{evidenceSnapshot}:
    get:
      summary: View existing evidence snapshot while the workspace may be suspended read-only
      parameters:
        - $ref: '#/components/parameters/EvidenceSnapshotId'
      responses:
        '200':
          description: Existing evidence snapshot rendered when current RBAC allows it
          content:
            text/html:
              schema:
                type: string
          x-logical-view-model:
            $ref: '#/components/schemas/PreservedReadOnlyView'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
 components:
  parameters:
    WorkspaceId:
      name: workspace
      in: path
      required: true
      schema:
        type: integer
    OnboardingDraftId:
      name: onboardingDraft
      in: path
      required: true
      schema:
        type: integer
    TenantReviewId:
      name: tenantReview
      in: path
      required: true
      schema:
        type: integer
    ReviewPackId:
      name: reviewPack
      in: path
      required: true
      schema:
        type: integer
    EvidenceSnapshotId:
      name: evidenceSnapshot
      in: path
      required: true
      schema:
        type: integer
  responses:
    Forbidden:
      description: Established-scope actor lacks the required capability
    NotFound:
      description: Wrong plane, non-member scope, or inaccessible record
    BusinessStateBlocked:
      description: Actor is otherwise authorized, but the workspace commercial state or underlying entitlement substrate blocks the requested action
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/CommercialLifecycleBlockResponse'
    ValidationError:
      description: Submitted commercial lifecycle state change failed validation
  schemas:
    ChangeCommercialLifecycleCommand:
      type: object
      required:
        - state
        - reason
      properties:
        state:
          $ref: '#/components/schemas/CommercialLifecycleState'
        reason:
          type: string
          description: Required for every explicit lifecycle state change, including an explicit return to active_paid.
          minLength: 1
          maxLength: 500
    CommercialLifecycleState:
      type: string
      enum:
        - trial
        - grace
        - active_paid
        - suspended_read_only
    ReviewPackGenerationCommand:
      type: object
      properties:
        include_pii:
          type: boolean
        include_operations:
          type: boolean
    SystemWorkspaceCommercialLifecycleView:
      type: object
      required:
        - workspace_id
        - lifecycle
        - affected_behaviors
      properties:
        workspace_id:
          type: integer
        lifecycle:
          $ref: '#/components/schemas/CommercialLifecycleDecision'
        affected_behaviors:
          type: array
          items:
            $ref: '#/components/schemas/CommercialLifecycleActionDecision'
        entitlement_substrate:
          type: object
          description: Existing Spec 247 workspace entitlement summary reused for context
        primary_action:
          $ref: '#/components/schemas/NextAction'
          nullable: true
    OnboardingCommercialLifecycleView:
      type: object
      required:
        - onboarding_draft_id
        - action_decision
      properties:
        onboarding_draft_id:
          type: integer
        action_decision:
          $ref: '#/components/schemas/CommercialLifecycleActionDecision'
        entitlement_substrate:
          type: object
          nullable: true
    CommercialLifecycleDecision:
      type: object
      required:
        - state
        - label
        - source
        - source_label
      properties:
        state:
          $ref: '#/components/schemas/CommercialLifecycleState'
        label:
          type: string
        source:
          type: string
          enum:
            - default_active_paid
            - workspace_setting
        source_label:
          type: string
          description: Rendered source label from the shared lifecycle source mapping used by system detail surfaces.
        rationale:
          type: string
          nullable: true
        last_changed_at:
          type: string
          format: date-time
          nullable: true
        last_changed_by:
          type: string
          nullable: true
    CommercialLifecycleActionDecision:
      type: object
      required:
        - action_key
        - outcome
        - lifecycle_state
      properties:
        action_key:
          type: string
          enum:
            - managed_tenant_activation
            - review_pack_start
            - review_history_read
            - evidence_read
            - generated_pack_read
        outcome:
          type: string
          enum:
            - allow
            - warn
            - block
            - allow_read_only
        reason_family:
          type: string
          nullable: true
          enum:
            - commercial_lifecycle
            - entitlement_substrate
        message:
          type: string
          nullable: true
        lifecycle_state:
          $ref: '#/components/schemas/CommercialLifecycleState'
        underlying_entitlement_key:
          type: string
          nullable: true
    CommercialLifecycleBlockResponse:
      type: object
      required:
        - reason_family
        - message
      properties:
        reason_family:
          type: string
          enum:
            - commercial_lifecycle
            - entitlement_substrate
        lifecycle_state:
          $ref: '#/components/schemas/CommercialLifecycleState'
          nullable: true
        message:
          type: string
    PreservedReadOnlyView:
      type: object
      required:
        - read_only_access_preserved
      properties:
        read_only_access_preserved:
          type: boolean
          enum: [true]
        lifecycle_state:
          $ref: '#/components/schemas/CommercialLifecycleState'
        message:
          type: string
          nullable: true
          description: Optional calm explanation that the workspace is suspended read-only while current history access remains available
    NextAction:
      type: object
      required:
        - label
      properties:
        label:
          type: string
        enabled:
          type: boolean
        reason:
          type: string
          nullable: true
--- a/specs/251-commercial-entitlements-billing-state/data-model.md
+++ b/specs/251-commercial-entitlements-billing-state/data-model.md
@ -0,0 +1,170 @@
 # Data Model: Commercial Entitlements and Billing-State Maturity
 **Date**: 2026-04-28  
 **Branch**: `251-commercial-entitlements-billing-state`
 ## Overview
 This slice adds no new table. Persisted truth stays in existing `workspace_settings` rows, while the commercial lifecycle overlay and action-family outcomes remain derived.
 ## Persisted Truth
 ### 1. Workspace Commercial Lifecycle Setting Aggregate
 **Persistence**: Existing `App\Models\WorkspaceSetting` rows  
 **Ownership**: Workspace-owned  
 **Scope**: One workspace, no new tenant-owned or platform-owned persistence
 The slice reuses explicit settings keys under the existing `entitlements` domain.
 | Setting key | Type | Nullable | Validation | Notes |
 |-------------|------|----------|------------|-------|
 | `entitlements.commercial_lifecycle_state` | string | yes | when present, must be one of `trial`, `grace`, `active_paid`, `suspended_read_only` | `null` means the workspace has never been explicitly set and resolves to the implicit default `active_paid` |
 | `entitlements.commercial_lifecycle_reason` | string | yes | required on every explicit lifecycle state change; trimmed; max 500 chars | Operator-entered rationale shown on system and contextual admin surfaces |
 **Write rules**:
 - Lifecycle mutation happens from the system plane only and updates state plus rationale together through the existing workspace settings write/audit path.
 - The future `Change commercial state` action is confirmation-protected and requires explicit rationale for every explicit lifecycle transition, including an explicit return to `active_paid`.
 - Once a platform operator explicitly sets `active_paid`, that remains a stored state like the other three values. `null` is reserved for untouched workspaces only.
 **Relationships**:
 - `workspace_settings.workspace_id` anchors lifecycle truth to the workspace.
 - `workspace_settings.updated_by_user_id` remains the attribution source for state change metadata.
 ## Existing Substrate Truth Reused
 ### 2. Workspace Entitlement Substrate Summary
 **Persistence**: Existing Spec 247 workspace entitlement settings + code-owned plan-profile catalog  
 **Owner**: `WorkspaceEntitlementResolver`
 This slice does not remodel the substrate. It reuses:
 - `plan_profile`
 - `managed_tenant_activation_limit`
 - `review_pack_generation_enabled`
 - substrate rationale/source/current-usage metadata
 The lifecycle overlay may warn or restrict after substrate resolution, but it must never expand access beyond what the substrate already allows.
 ## Code-Owned Truth
 ### 3. Commercial Lifecycle State Catalog Entry
 **Persistence**: none, code-owned  
 **Ownership**: Product/runtime configuration  
 **Scope**: current release only
 | Field | Type | Required | Notes |
 |-------|------|----------|-------|
 | `id` | string | yes | Stable internal identifier stored in `entitlements.commercial_lifecycle_state` |
 | `label` | string | yes | Operator-facing state label |
 | `description` | string | yes | Short explanation for system detail and contextual messaging |
 | `onboarding_outcome` | string | yes | `allow` or `block` |
 | `review_pack_start_outcome` | string | yes | `allow`, `warn`, or `block` |
 | `preserves_read_only_history` | bool | yes | Whether existing review/evidence/generated-pack consumption remains explicitly preserved |
 | `is_default` | bool | yes | Exactly one default entry: `active_paid` |
 **Behavior matrix**:
 | State | Onboarding activation | Review-pack starts | Existing review/evidence/download access |
 |-------|-----------------------|--------------------|------------------------------------------|
 | `trial` | allow | allow | allow |
 | `active_paid` | allow | allow | allow |
 | `grace` | block | warn (start still allowed) | allow |
 | `suspended_read_only` | block | block | allow |
 ## Derived Truth
 ### 4. Effective Commercial Lifecycle Decision
 **Persistence**: none, derived at runtime  
 **Owner**: bounded `WorkspaceCommercialLifecycleResolver`
 | Field | Type | Required | Notes |
 |-------|------|----------|-------|
 | `workspace_id` | int | yes | Workspace being evaluated |
 | `state` | string | yes | Effective lifecycle state |
 | `label` | string | yes | Operator-facing label |
 | `source` | string | yes | `default_active_paid` or `workspace_setting`; any rendered source label must come from one shared mapping |
 | `rationale` | string | no | Explicit operator rationale when source is `workspace_setting` |
 | `last_changed_at` | datetime | no | Derived from the most recent lifecycle-related `WorkspaceSetting` row |
 | `last_changed_by` | string | no | Derived actor attribution |
 | `entitlement_summary` | object | yes | Existing Spec 247 substrate summary reused for support/context |
 | `action_decisions` | object | yes | Per-action-family outcomes described below |
 ### 5. Commercial Lifecycle Action Decision
 **Persistence**: none, derived at runtime
 | Field | Type | Required | Notes |
 |-------|------|----------|-------|
 | `action_key` | string | yes | One of `managed_tenant_activation`, `review_pack_start`, `review_history_read`, `evidence_read`, `generated_pack_read` |
 | `outcome` | string | yes | `allow`, `warn`, `block`, or `allow_read_only` |
 | `reason_family` | string | no | `commercial_lifecycle`, `entitlement_substrate`, or `null` when fully allowed |
 | `message` | string | no | Operator-safe explanation or warning |
 | `lifecycle_state` | string | yes | Effective state that produced the action decision |
 | `underlying_entitlement_key` | string | no | Present for onboarding/review-pack start decisions to preserve substrate traceability |
 **Decision ordering rules**:
 - The substrate entitlement decision runs first.
 - If the substrate already blocks the action, the lifecycle overlay must not replace that reason.
 - If the substrate allows the action, the lifecycle overlay may warn or block according to the state matrix.
 - Authorization is not part of this derived decision; 404 and 403 semantics remain outside and happen earlier.
 ## Supporting Derived View Models
 ### 6. System Workspace Commercial Lifecycle View Model
 **Persistence**: none  
 **Consumer**: `App\Filament\System\Pages\Directory\ViewWorkspace`
 Contains:
 - effective lifecycle state, label, rationale, and last-change attribution
 - the two in-scope action-family outcomes
 - the reused entitlement substrate summary for support context
 - the one dominant mutation affordance metadata for `Change commercial state`
 ### 7. Contextual Admin Lifecycle Gate View Models
 **Persistence**: none  
 **Consumers**: `ManagedTenantOnboardingWizard`, review-pack entry surfaces, and suspended read-only history surfaces
 Contains:
 - the immediate action-family outcome (`allow`, `warn`, `block`, or `allow_read_only`)
 - one operator-safe explanation
 - enough substrate context to keep lifecycle blocks distinct from underlying entitlement blocks
 ## Derived Query Dependencies
 | Need | Source | Notes |
 |------|--------|-------|
 | Underlying plan-profile and entitlement truth | `WorkspaceEntitlementResolver` | Remains the canonical substrate |
 | Lifecycle last-change attribution | existing `workspace_settings.updated_by_user_id` and timestamps | Derived from lifecycle-related rows only |
 | Active managed-tenant usage | existing tenant/workspace runtime truth | Reused from the substrate summary |
 | Existing review/history/evidence/download availability | existing review pack, review, evidence snapshot, and RBAC truth | No new persistence needed |
 | Review-pack no-run proof | existing `review_packs` and `operation_runs` tables | Used only in tests to prove blocked starts do not write new run state |
 ## State Transitions
 There is no new table-backed lifecycle entity. State changes are explicit workspace-setting transitions plus audit entries.
 | From | To | Trigger | Consequence |
 |------|----|---------|-------------|
 | `null` (implicit default) | any explicit state | platform operator saves lifecycle state on the system detail page | workspace now has explicit commercial posture, rationale, and attribution |
 | `trial` | `grace` | platform operator state change | new managed-tenant activation blocks; review-pack starts remain allowed with warning |
 | `grace` | `suspended_read_only` | platform operator state change | onboarding and new review-pack starts block; history/evidence/download remain available |
 | `suspended_read_only` | `active_paid` | platform operator state change | future starts again defer to underlying entitlement truth |
 | any explicit state | another explicit state | platform operator state change | previous state is replaced; audit history preserves the transition trail |
 ## Boundaries Explicitly Preserved
 - No new billing/customer/subscription entity exists.
 - No new automated timers, expiry jobs, renewal reminders, or scheduled transitions are introduced.
 - No new broad suspension contract is added for unrelated mutable surfaces.
 - Existing read-only review/evidence/generated-pack access remains governed by current RBAC and redaction rules.
--- a/specs/251-commercial-entitlements-billing-state/plan.md
+++ b/specs/251-commercial-entitlements-billing-state/plan.md
@ -0,0 +1,297 @@
 # Implementation Plan: Commercial Entitlements and Billing-State Maturity
 **Branch**: `251-commercial-entitlements-billing-state` | **Date**: 2026-04-28 | **Spec**: `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/spec.md`
 **Input**: Feature specification from `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/spec.md`
 **Note**: This template is filled in by the `/speckit.plan` command. See `.specify/scripts/` for helper scripts.
 ## Summary
 - Layer one bounded workspace commercial lifecycle overlay on top of the already-real Spec 247 entitlement substrate, not beside it. The existing `WorkspaceEntitlementResolver` remains canonical for plan/default/override truth, and the new slice adds one explicit lifecycle state plus action-family outcomes for onboarding activation, review-pack start, and preserved read-only history access.
 - Keep mutation narrow and platform-owned: persist lifecycle state through the existing workspace settings infrastructure, expose inspection plus state change from the existing system workspace detail surface, and keep `/admin` limited to contextual allow, warn, or block messaging on onboarding and review-pack surfaces.
 - Preserve current review/evidence/download truth while suspended. New lifecycle blocking must stop future onboarding activation and future review-pack starts before any tenant mutation, `ReviewPack`, or `OperationRun` creation, while leaving already-generated history and evidence consumption under current RBAC intact.
 ## Technical Context
 **Language/Version**: PHP 8.4 (Laravel 12)  
 **Primary Dependencies**: Filament v5 + Livewire v4, existing workspace settings stack (`SettingsRegistry`, `SettingsResolver`, `SettingsWriter`), `WorkspaceEntitlementResolver`, `ReviewPackService`, system directory detail page  
 **Storage**: PostgreSQL via existing `workspace_settings` rows plus existing audit log records; no new table or billing/account model  
 **Testing**: Pest unit and feature tests via Laravel Sail  
 **Validation Lanes**: fast-feedback, confidence  
 **Target Platform**: Monorepo Laravel web application in `apps/platform`, using existing Filament admin and system panels  
 **Project Type**: web  
 **Performance Goals**: Reuse existing settings reads and current workspace aggregates only, add no new external calls during render, keep review-pack dedupe and shared run UX unchanged when allowed, and short-circuit blocked review-pack starts before any `ReviewPack` or `OperationRun` write  
 **Constraints**: One commercial lifecycle overlay only, four bounded states, two real gated behavior families, preserved authorized read-only history/evidence/download access while suspended, explicit `/admin` vs `/system` separation, no payment provider/invoice/checkout/website/broad billing-engine scope  
 **Scale/Scope**: One bounded lifecycle resolver, one system-plane mutation surface, one platform capability addition, one onboarding gate, one review-pack action-family gate, and focused lifecycle/read-only test coverage
 ## Filament v5 / Panel Notes
 - **Livewire v4.0+ compliance**: The slice stays inside existing Filament v5 pages, widgets, resources, and Livewire-backed actions. No Livewire v3 assumptions or compatibility work are introduced.
 - **Provider registration location**: No panel/provider registration changes are planned. Existing Laravel 12 + Filament provider registration remains in `bootstrap/providers.php`.
 - **Global search**: No new globally searchable resource is introduced. Current global-search behavior remains unchanged.
 - **Destructive and high-impact actions**: The future `Change commercial state` action on the system workspace detail page must use `->requiresConfirmation()`, require platform authorization, and write audit history. The `Suspended / read-only` transition is the only high-risk path in scope. Review-pack and onboarding blocks remain non-destructive business-state responses, not hidden authorization failures.
 - **Asset strategy**: No new panel or shared assets are planned. Deployment remains unchanged, including `cd apps/platform && php artisan filament:assets` when registered Filament assets are deployed elsewhere in the product.
 ## UI / Surface Guardrail Plan
 - **Guardrail scope**: changed surfaces
 - **Native vs custom classification summary**: mixed
 - **Shared-family relevance**: system detail controls, status messaging, onboarding helper text, review-pack action gating, review/evidence viewer messaging
 - **State layers in scope**: page, detail
 - **Audience modes in scope**: operator-MSP, support-platform, customer/read-only
 - **Decision/diagnostic/raw hierarchy plan**: decision-first on the system workspace detail surface and on the immediate onboarding/review-pack action context; diagnostics-second via the existing entitlement substrate and review/run/history context; no new raw/support payload surface is planned
 - **Raw/support gating plan**: capability-gated system-plane inspection only; customer/read-only surfaces remain calm and evidence-first
 - **One-primary-action / duplicate-truth control**: `/system/directory/workspaces/{workspace}` remains the only mutation surface; onboarding and review-pack surfaces show only the local lifecycle consequence required for the immediate action; suspended read-only history pages do not restate the whole commercial profile
 - **Handling modes by drift class or surface**: review-mandatory because one lifecycle vocabulary must stay consistent across system, onboarding, review-pack, and read-only history surfaces
 - **Repository-signal treatment**: review-mandatory
 - **Special surface test profiles**: standard-native-filament, shared-detail-family, monitoring-state-page
 - **Required tests or manual smoke**: functional-core, state-contract
 - **Exception path and spread control**: no second admin-plane commercial mutation surface, no page-local lifecycle labels, and no broad suspension sweep across unrelated mutable surfaces
 - **Active feature PR close-out entry**: Guardrail
 ## Shared Pattern & System Fit
 - **Cross-cutting feature marker**: yes
 - **Systems touched**: `SettingsRegistry`, `SettingsResolver`, `SettingsWriter`, existing workspace-setting audit path, `WorkspaceEntitlementResolver`, `WorkspaceSettings` as the current entitlement substrate reference, `App\Filament\System\Pages\Directory\ViewWorkspace`, `ManagedTenantOnboardingWizard`, `ReviewPackService`, `TenantReviewPackCard`, `ReviewRegister`, `TenantReviewResource`, `ReviewPackResource`, `CustomerReviewWorkspace`, `EvidenceSnapshotResource`, and `WorkspaceEntitlementBlockedException`
 - **Shared abstractions reused**: `WorkspaceEntitlementResolver`, `WorkspacePlanProfileCatalog`, `SettingsResolver`, `SettingsWriter`, current workspace audit logging, `ReviewPackService`, `OperationUxPresenter`, `OperationRunLinks`, `Capabilities`, `PlatformCapabilities`, and existing Filament action/resource surfaces
 - **New abstraction introduced? why?**: one bounded `WorkspaceCommercialLifecycleResolver` is justified because the existing entitlement resolver answers per-key entitlement truth but does not express one workspace-wide lifecycle posture with action-family outcomes, preserved read-only semantics, or system/admin messaging
 - **Why the existing abstraction was sufficient or insufficient**: Spec 247 already provides canonical entitlement substrate truth and must remain the foundation. It is insufficient for `trial`, `grace`, `active_paid`, and `suspended_read_only` because those states cut across more than one entitlement key and need one central business-state explanation
 - **Bounded deviation / spread control**: no page-local lifecycle conditionals and no second exception taxonomy by default; prefer reusing the existing blocked decision payload/catch path for review-pack actions unless implementation proves that the current class name or payload cannot carry lifecycle metadata cleanly
 ## OperationRun UX Impact
 - **Touches OperationRun start/completion/link UX?**: yes
 - **Central contract reused**: existing shared review-pack OperationRun start UX through `ReviewPackService`, `OperationUxPresenter`, and `OperationRunLinks`
 - **Delegated UX behaviors**: queued toast, run link, run-enqueued browser event, dedupe messaging, and existing terminal notifications remain unchanged when review-pack generation is allowed; lifecycle-blocked starts create no `OperationRun`, no queued DB notification, and no terminal notification
 - **Surface-owned behavior kept local**: onboarding completion helper text, review-pack tooltips/disabled state, and suspended read-only explanation on history surfaces remain local projections of the central lifecycle decision
 - **Queued DB-notification policy**: unchanged explicit opt-in only
 - **Terminal notification path**: unchanged central lifecycle mechanism for existing review-pack runs only
 - **Exception path**: none planned; lifecycle blocking must happen before `ReviewPackService` creates or reuses a `ReviewPack` or `OperationRun`, and the preferred later implementation is to extend the current blocked-decision payload rather than invent a second parallel business-state exception family
 ## Provider Boundary & Portability Fit
 - **Shared provider/platform boundary touched?**: no
 - **Provider-owned seams**: N/A
 - **Platform-core seams**: workspace commercial lifecycle vocabulary, lifecycle rationale, action-family outcomes, system/admin messaging, and audit semantics
 - **Neutral platform terms / contracts preserved**: `workspace`, `trial`, `grace`, `active paid`, `suspended / read-only`, `commercial state`, `review pack`, `managed tenant activation`
 - **Retained provider-specific semantics and why**: none; review-pack generation stays provider-backed operationally, but the new lifecycle vocabulary remains platform-core and provider-neutral
 - **Bounded extraction or follow-up path**: none
 ## Constitution Check
 *GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
 - Inventory-first: PASS - the slice adds workspace-owned business state, not new inventory or backup truth.
 - Read/write separation: PASS - the only new write is a confirmation-protected, audited system-plane lifecycle mutation using existing workspace settings persistence.
 - Graph contract path: PASS - no new Microsoft Graph path is introduced.
 - Deterministic capabilities: PASS - admin-plane capabilities remain unchanged, and any new platform capability stays registry-backed.
 - RBAC-UX: PASS - `/admin` and `/system` remain separated; wrong-plane and non-member access stay 404; member-without-capability stays 403; otherwise-authorized actors get a business-state block or warning instead of authorization failure.
 - Workspace isolation: PASS - admin-plane contextual behavior still requires established workspace context.
 - RBAC-UX destructive confirmation: PASS - the future system-plane state-change action must require confirmation and rationale.
 - RBAC-UX global search: PASS - no new searchable resource or search scope is introduced.
 - Tenant isolation: PASS - onboarding, review-pack, review history, evidence, and download surfaces remain tenant-safe.
 - Run observability: PASS - review-pack generation keeps the existing `OperationRun` path when allowed, and blocked starts stop before run creation.
 - OperationRun start UX: PASS - the plan preserves shared review-pack start UX and inserts lifecycle blocking before run creation.
 - Ops-UX 3-surface feedback: PASS - existing feedback stays toast + progress surfaces + terminal notification only when a run exists.
 - Ops-UX lifecycle: PASS - no new `OperationRun` lifecycle contract is introduced.
 - Ops-UX summary counts: N/A - no `summary_counts` shape change is planned.
 - Ops-UX guards: N/A - no new run guard family is planned in the planning slice.
 - Ops-UX system runs: N/A - initiator-null behavior is unchanged.
 - Automation: N/A - no new queued or scheduled workflow family is introduced.
 - Data minimization: PASS - no payment payloads, account records, or provider secrets are introduced.
 - Test governance (TEST-GOV-001): PASS - the plan stays in focused unit + feature lanes with explicit proof commands and limited fixture growth.
 - Proportionality (PROP-001): PASS - persistence stays in existing settings rows, and the only new structural element is one bounded lifecycle overlay.
 - No premature abstraction (ABSTR-001): PASS - no interface, registry, strategy system, or framework is planned; only one local resolver is added because multiple real surfaces already need the same lifecycle decision.
 - Persisted truth (PERSIST-001): PASS - no new table or durable artifact is introduced.
 - Behavioral state (STATE-001): PASS - `grace` and `suspended_read_only` create distinct action-family consequences immediately, and `trial` remains justified because it is part of the explicit platform-managed commercial posture and audit workflow even though its two in-scope gated families currently match `active_paid`.
 - UI semantics (UI-SEM-001): PASS - the plan prefers direct mapping from lifecycle truth to helper text and badges instead of a new presentation framework.
 - Shared pattern first (XCUT-001): PASS - system detail, onboarding, review-pack, and read-only history surfaces all reuse the existing substrate and shared run path first.
 - Provider boundary (PROV-001): PASS - the new vocabulary is platform-core, not Microsoft-shaped.
 - V1 explicitness / few layers (V1-EXP-001, LAYER-001): PASS - one explicit state family plus one thin overlay resolver is the narrowest viable shape.
 - Spec discipline / bloat check (SPEC-DISC-001, BLOAT-001): PASS - the plan keeps the whole lifecycle overlay in one coherent spec and includes proportionality review below.
 - Badge semantics (BADGE-001): PASS - any future lifecycle badge must reuse shared badge semantics or stay plain text; no page-local color taxonomy is planned.
 - Filament-native UI (UI-FIL-001): PASS - the slice extends existing Filament pages, resources, widgets, and the current system Blade page.
 - Filament-native UI local Blade/Tailwind: PASS - the existing system Blade view remains the only custom-rendered surface in scope and must preserve current Filament visual language.
 - UI/UX surface taxonomy (UI-CONST-001 / UI-SURF-001): PASS - existing system detail, guided onboarding, action family, and read-only viewer surface types remain intact.
 - Decision-first operating model (DECIDE-001): PASS - system workspace detail is primary, onboarding/review-pack surfaces stay contextual, and read-only history/evidence pages remain tertiary evidence/diagnostics.
 - Audience-aware disclosure (DECIDE-AUD-001 / OPSURF-001): PASS - system detail stays platform/support-facing, admin action gates stay operator-first, and suspended read-only pages keep customer-safe history access without raw platform diagnostics.
 - UI/UX inspect model (UI-HARD-001): PASS - no duplicate inspect affordances are added.
 - UI/UX action hierarchy (UI-HARD-001 / UI-EX-001): PASS - the plan keeps one system mutation action and existing onboarding/review-pack primary actions in place.
 - UI/UX scope, truth, and naming (UI-HARD-001 / UI-NAMING-001 / OPSURF-001): PASS - labels remain narrow and billing-provider-free.
 - UI/UX placeholder ban (UI-HARD-001): PASS - no empty action groups are planned.
 - UI naming (UI-NAMING-001): PASS - primary labels stay `Change commercial state`, `Complete onboarding`, `Generate pack`, `Regenerate`, and `Export executive pack`.
 - Operator surfaces (OPSURF-001): PASS - mutation scope remains explicit, and `/admin` surfaces only show contextual lifecycle truth.
 - Operator surface page contract: PASS - the spec already defines the required surface contracts.
 - Filament UI Action Surface Contract: PASS - touched surfaces already have contracts or exemptions; the plan preserves them while adding lifecycle truth.
 - Filament UI UX-001 (Layout & IA): PASS - no new page shell or panel is introduced.
 - Action-surface discipline (ACTSURF-001 / HDR-001): PASS - one system primary action and existing onboarding/review-pack action families remain the only primary mutations in scope.
 - UI review workflow: PASS - guardrail, shared-family, and exception posture remain explicit in this plan.
 ## Test Governance Check
 - **Test purpose / classification by changed surface**: `Unit` for the bounded lifecycle overlay and behavior matrix; `Feature` for system-plane mutation, onboarding activation gating, review-pack start blocking, and preserved suspended read-only consumption
 - **Affected validation lanes**: `fast-feedback`, `confidence`
 - **Why this lane mix is the narrowest sufficient proof**: the business risk is deterministic decision ordering plus existing Filament/Livewire and service entry points. Browser or heavy-governance coverage would add cost without proving additional current-release risk for this bounded overlay.
 - **Narrowest proving command(s)**:
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Entitlements/WorkspaceCommercialLifecycleResolverTest.php`
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/System/ViewWorkspaceEntitlementsTest.php tests/Feature/System/Spec113/AuthorizationSemanticsTest.php tests/Feature/Onboarding/ManagedTenantOnboardingEntitlementTest.php tests/Feature/Onboarding/OnboardingRbacSemanticsTest.php`
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ReviewPack/ReviewPackEntitlementEnforcementTest.php tests/Feature/ReviewPack/ReviewPackGenerationTest.php tests/Feature/ReviewPack/ReviewPackDownloadTest.php tests/Feature/Reviews/CustomerReviewWorkspacePageTest.php tests/Feature/Reviews/CustomerReviewWorkspacePackAccessTest.php tests/Feature/Evidence/EvidenceSnapshotResourceTest.php`
 - **Fixture / helper / factory / seed / context cost risks**: limited to workspace, platform user, workspace member, onboarding draft, tenant, existing review pack, tenant review, and evidence snapshot fixtures
 - **Expensive defaults or shared helper growth introduced?**: no - implementation should reuse existing factories and opt-in tenant/review/evidence helpers only
 - **Heavy-family additions, promotions, or visibility changes**: none
 - **Surface-class relief / special coverage rule**: standard-native relief for system detail and onboarding; monitoring-state-page proof for no new run creation; shared-detail-family proof for preserved view/download access while suspended
 - **Closing validation and reviewer handoff**: rerun the exact targeted commands above, verify 404 vs 403 vs business-state outcomes separately, verify system detail source labels remain consistent, verify blocked review-pack starts create no new `ReviewPack` or `OperationRun` and emit no queued or terminal notification, verify already queued or running review-pack runs continue unaffected after later suspension, and verify suspended workspaces still allow authorized review/evidence/download access
 - **Budget / baseline / trend follow-up**: none expected beyond ordinary feature-local growth
 - **Review-stop questions**: does the state vocabulary stay narrow enough, does the system/admin split remain intact, does suspended read-only coverage avoid broad mutation-sweep scope, and does the blocked-decision transport avoid a second exception framework
 - **Escalation path**: document-in-feature if only payload wording or helper reuse needs adjustment; follow-up-spec only if the overlay starts pulling unrelated mutable surfaces into suspension logic
 - **Active feature PR close-out entry**: Guardrail
 - **Why no dedicated follow-up spec is needed**: the testing cost stays local to one overlay resolver and a small set of existing pages/services/resources; no new browser or heavy-governance harness is justified
 ## Project Structure
 ### Documentation (this feature)
 ```text
 specs/251-commercial-entitlements-billing-state/
 ├── plan.md
 ├── research.md
 ├── data-model.md
 ├── quickstart.md
 ├── contracts/
 │   └── workspace-commercial-lifecycle-overlay.logical.openapi.yaml
 ├── checklists/
 │   └── requirements.md
 └── tasks.md             # Created later by /speckit.tasks, not by this plan step
 ```
 ### Source Code (repository root)
 ```text
 apps/platform/
 ├── app/
 │   ├── Exceptions/Entitlements/WorkspaceEntitlementBlockedException.php
 │   ├── Filament/
 │   │   ├── Pages/
 │   │   │   ├── Reviews/CustomerReviewWorkspace.php
 │   │   │   ├── Reviews/ReviewRegister.php
 │   │   │   ├── Settings/WorkspaceSettings.php
 │   │   │   └── Workspaces/ManagedTenantOnboardingWizard.php
 │   │   ├── Resources/
 │   │   │   ├── EvidenceSnapshotResource.php
 │   │   │   ├── EvidenceSnapshotResource/Pages/ViewEvidenceSnapshot.php
 │   │   │   ├── ReviewPackResource.php
 │   │   │   ├── ReviewPackResource/Pages/ViewReviewPack.php
 │   │   │   ├── TenantReviewResource.php
 │   │   │   └── TenantReviewResource/Pages/ViewTenantReview.php
 │   │   ├── System/Pages/Directory/ViewWorkspace.php
 │   │   └── Widgets/Tenant/TenantReviewPackCard.php
 │   ├── Models/WorkspaceSetting.php
 │   ├── Services/
 │   │   ├── Entitlements/WorkspaceCommercialLifecycleResolver.php   # likely new bounded overlay service
 │   │   ├── Entitlements/WorkspaceEntitlementResolver.php
 │   │   ├── ReviewPackService.php
 │   │   └── Settings/
 │   │       ├── SettingsResolver.php
 │   │       └── SettingsWriter.php
 │   ├── Support/
 │   │   ├── Auth/Capabilities.php
 │   │   ├── Auth/PlatformCapabilities.php
 │   │   └── Settings/SettingsRegistry.php
 ├── resources/views/filament/system/pages/directory/view-workspace.blade.php
 └── tests/
    ├── Feature/
    └── Unit/
 ```
 **Structure Decision**: Single Laravel/Filament application inside `apps/platform`, with one new bounded lifecycle overlay service and changes limited to existing settings persistence, system detail, onboarding, review-pack, and read-only review/evidence/download surfaces plus focused Pest coverage.
 ## Likely Implementation Surfaces
 - `app/Support/Settings/SettingsRegistry.php` to register lifecycle-setting definitions and validation using the existing workspace settings infrastructure
 - `app/Services/Entitlements/WorkspaceCommercialLifecycleResolver.php` as the new bounded overlay, with `WorkspaceEntitlementResolver.php` remaining the canonical substrate provider
 - `app/Support/Auth/PlatformCapabilities.php` and related platform authorization helpers for one dedicated commercial-lifecycle management capability
 - `app/Filament/System/Pages/Directory/ViewWorkspace.php` and `resources/views/filament/system/pages/directory/view-workspace.blade.php` for read-only summary plus the confirmation-protected state-change action
 - `app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php` for contextual lifecycle messaging and activation blocking before tenant mutation
 - `app/Services/ReviewPackService.php`, `app/Filament/Widgets/Tenant/TenantReviewPackCard.php`, `app/Filament/Pages/Reviews/ReviewRegister.php`, `app/Filament/Resources/TenantReviewResource.php`, `app/Filament/Resources/ReviewPackResource.php`, `app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php`, and `app/Filament/Resources/TenantReviewResource/Pages/ViewTenantReview.php` for shared start gating and tooltip/disabled-state reuse
 - Existing read-only consumption surfaces `CustomerReviewWorkspace.php`, `ViewTenantReview.php`, `ViewReviewPack.php`, `ViewEvidenceSnapshot.php`, and the current review-pack download path to prove suspended history/evidence access remains available under existing RBAC
 - Focused unit and feature tests under `tests/Unit/Entitlements`, `tests/Feature/System/Directory`, `tests/Feature/Onboarding`, `tests/Feature/ReviewPack`, `tests/Feature/Reviews`, and `tests/Feature/Evidence`
 ## Complexity Tracking
 | Violation | Why Needed | Simpler Alternative Rejected Because |
 |-----------|------------|-------------------------------------|
 | One bounded `WorkspaceCommercialLifecycleResolver` | Two real gated behavior families plus preserved read-only consumption need one shared workspace-wide decision layered above existing entitlements | Page-local conditionals in onboarding, review-pack resources/widgets, and system detail would drift immediately and undermine business-state consistency |
 | Four-state commercial lifecycle vocabulary | Platform operators need one auditable commercial posture that distinguishes trial, grace, active paid, and suspended/read-only on the single system decision surface | Three unlabeled booleans or ad hoc flags would either collapse grace into suspension or lose the explicit platform-side lifecycle state needed for support and audit |
 ## Proportionality Review
 - **Current operator problem**: The repo can already answer per-key entitlement questions, but it cannot say in one place whether a workspace is currently trialing, in grace, fully active paid, or suspended/read-only, nor can it explain why onboarding and review-pack starts are blocked while history remains readable.
 - **Existing structure is insufficient because**: `WorkspaceEntitlementResolver` and current workspace settings expose substrate truth only. They do not provide one workspace-wide lifecycle posture, one system-owned mutation path, or one action-family outcome that distinguishes lifecycle blocks from entitlement blocks and authorization failures.
 - **Narrowest correct implementation**: Keep persistence inside existing `workspace_settings`, add only one four-state lifecycle family plus rationale, derive action-family outcomes in one bounded overlay service, mutate it from one system detail page, and apply it only to onboarding activation, review-pack starts, and preserved read-only history/evidence/download semantics.
 - **Ownership cost created**: One new state vocabulary, one overlay service, one platform capability, cross-surface copy discipline, and focused lifecycle/read-only tests.
 - **Alternative intentionally rejected**: A billing/subscription engine, customer-account model, payment-provider seam, or many local page booleans was rejected because the current release only needs a single workspace commercial overlay on top of the already-real entitlement substrate.
 - **Release truth**: current-release truth. The four-state vocabulary is justified now because platform operators already need to set and audit those named postures, even though only `grace` and `suspended_read_only` introduce new blocked outcomes for the two in-scope action families in this slice.
 ## Phase 0 — Research (output: `research.md`)
 See: `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/research.md`
 Goals:
 - Confirm the narrowest reuse of the existing `entitlements` settings domain and audit path for lifecycle state and rationale.
 - Confirm that one bounded overlay service can compose `WorkspaceEntitlementResolver` without creating a second commercial framework.
 - Confirm that lifecycle mutation remains platform-only on the existing system workspace detail page and does not leak into `/admin` self-service.
 - Confirm that review-pack start blocking happens before `ReviewPack` or `OperationRun` creation and can reuse the current blocked-decision transport.
 - Confirm that suspended read-only preservation remains bounded to existing review, evidence, and generated-pack consumption surfaces instead of becoming a broad product-wide suspension sweep.
 ## Phase 1 — Design & Contracts (outputs: `data-model.md`, `contracts/`, `quickstart.md`)
 See:
 - `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/data-model.md`
 - `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/contracts/workspace-commercial-lifecycle-overlay.logical.openapi.yaml`
 - `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/quickstart.md`
 Design focus:
 - Persist `commercial_lifecycle_state` plus rationale through the existing `entitlements` settings domain instead of adding a new table or billing domain.
 - Keep the overlay inside `App\Services\Entitlements` and let it compose `WorkspaceEntitlementResolver` rather than replacing it.
 - Extend the existing system workspace detail page with a read-only lifecycle summary and one confirmation-protected `Change commercial state` action, while leaving `WorkspaceSettings` as substrate truth rather than a second mutation plane.
 - Gate `ManagedTenantOnboardingWizard` completion from the central lifecycle decision after underlying entitlement truth is known.
 - Gate review-pack `Generate pack`, `Regenerate`, and `Export executive pack` starts through `ReviewPackService` and current action surfaces, stopping before any `ReviewPack` or `OperationRun` write when the lifecycle blocks the action.
 - Preserve `CustomerReviewWorkspace`, review detail, evidence detail, review-pack detail, and pack download access under current RBAC while suspended, and keep any broader mutable-surface suspension work explicitly out of scope.
 ## Phase 1 — Agent Context Update
 After Phase 1 artifacts are generated, update Copilot context from the completed plan:
 - `/Users/ahmeddarrazi/Documents/projects/wt-plattform/.specify/scripts/bash/update-agent-context.sh copilot`
 ## Phase 2 — Implementation Outline (tasks created later by `/speckit.tasks`)
 - Register lifecycle state and rationale setting definitions under the existing `entitlements` settings domain and wire them into the current workspace-setting audit path.
 - Add one bounded `WorkspaceCommercialLifecycleResolver` that composes underlying entitlement decisions and yields action-family outcomes plus suspended read-only allowances.
 - Add one dedicated platform capability for commercial lifecycle management and enforce it on the system detail mutation action only.
 - Extend `ViewWorkspace` plus its Blade view with current lifecycle state, affected behavior summary, and a confirmation-protected `Change commercial state` action.
 - Gate onboarding completion in `ManagedTenantOnboardingWizard` using the shared lifecycle decision while preserving existing tenant operability checks and 404/403 semantics.
 - Gate review-pack start surfaces and `ReviewPackService` using the shared lifecycle decision, preserving current queued-start UX when allowed and reusing the existing blocked-decision transport when blocked.
 - Prove suspended read-only continuation by asserting existing review/evidence/download surfaces remain available under current RBAC while no new onboarding activation or review-pack run can start.
 - Add focused Sail/Pest unit and feature coverage only.
 ## Constitution Check (Post-Design)
 Re-check result: PASS. The design keeps Filament v5 + Livewire v4 compliance intact, leaves provider registration unchanged in `bootstrap/providers.php`, introduces no new globally searchable resource, keeps asset strategy unchanged, preserves strict `/admin` vs `/system` separation, layers one bounded lifecycle resolver above the existing entitlement substrate, and blocks review-pack starts before `OperationRun` creation rather than forking shared run UX.
 ## Planning Readiness
 - Outcome: keep
 - No unresolved clarification markers remain in the plan-phase artifacts.
 - No application implementation is included in this planning step.
 - The next repo-native step is `/speckit.tasks` for an implementation task breakdown, not code changes.
 ## Implementation Close-Out
 - **Workflow outcome**: keep.
 - **Implementation result**: one bounded commercial lifecycle overlay was implemented through existing workspace settings, one system-plane `Change commercial state` action, onboarding activation gating, review-pack start allow/warn/block semantics, and preserved suspended read-only review/evidence/download access.
 - **Blocked-decision transport**: document-in-feature. The existing `WorkspaceEntitlementBlockedException` transport remains sufficient for review-pack blocked starts; no second business-state exception family was introduced.
 - **Preserved read-only scope**: document-in-feature. Suspension stays bounded to onboarding activation and new review-pack starts in this spec; broader mutable-surface suspension remains out of scope.
 - **Browser smoke path**: `/system/login` as `operator@tenantpilot.io`, `/system/directory/workspaces/1`, open `Change commercial state`, set `Trial` with rationale, confirm, observe updated lifecycle summary and notification follow-up, then restore `Active paid`.
 - **Browser smoke result**: pass after fixing `WorkspaceResolver` to accept Livewire serialized workspace route parameters; the follow-up notification update no longer emits console errors or 404/419 markers.
 - **Lane results**: targeted unit/support/system/onboarding/review-pack/read-only Pest lanes passed; dirty-only Pint passed; `git diff --check` passed.
--- a/specs/251-commercial-entitlements-billing-state/quickstart.md
+++ b/specs/251-commercial-entitlements-billing-state/quickstart.md
@ -0,0 +1,109 @@
 # Quickstart: Commercial Entitlements and Billing-State Maturity
 **Date**: 2026-04-28  
 **Branch**: `251-commercial-entitlements-billing-state`
 This quickstart is the intended reviewer flow after implementation. It stays bounded to the commercial lifecycle overlay described in the spec.
 ## Prerequisites
 1. Start the local platform stack.
   - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail up -d`
 2. Ensure one platform user has directory visibility plus the dedicated commercial lifecycle management capability.
 3. Ensure one workspace member can complete onboarding, one reporting operator can manage review packs, and one customer-safe or operator read-only actor can open review/evidence/download surfaces under current RBAC.
 4. Seed or factory-create:
   - one workspace with untouched lifecycle state
   - one onboarding draft in that workspace
   - one tenant with an existing review, evidence snapshot, and generated review pack
   - one workspace already at or above the managed-tenant activation limit for substrate-block verification
 ## Scenario 1: Change workspace commercial state from the system plane
 1. Open `/system/directory/workspaces/{workspace}` as the authorized platform user.
 2. Confirm the page shows:
   - current lifecycle state
   - source label
   - rationale and last-changed attribution
   - affected behavior summary for onboarding and review-pack starts
   - the underlying entitlement substrate summary for context
 3. Use `Change commercial state` to move the workspace to `trial` with rationale.
 4. Confirm the page updates immediately and the change is attributable.
 5. Repeat with `grace`, `suspended_read_only`, and `active_paid`.
 6. Confirm every explicit state change requires rationale, including a return to `active_paid`, and that the `Suspended / read-only` path also requires explicit confirmation.
 ## Scenario 2: Gate onboarding activation with business-state truth
 1. Open `/admin/onboarding/{onboardingDraft}` for a workspace in `trial` or `active_paid`.
 2. Confirm the completion step allows `Complete onboarding` when the underlying entitlement substrate also allows it.
 3. Switch the same workspace to `grace` from the system plane.
 4. Refresh the onboarding draft and confirm:
   - the action remains visible for an otherwise authorized actor
   - the step explains that expansion is frozen during grace
   - no tenant activation occurs
 5. Repeat with `suspended_read_only` and confirm the block message changes to read-only suspension semantics instead of a permission failure.
 ## Scenario 3: Gate review-pack starts before any run is created
 1. Use a workspace in `trial` or `active_paid` where the underlying review-pack entitlement allows generation.
 2. Trigger the current start family from:
   - tenant dashboard review-pack card
   - review register export action
   - tenant review detail export action
   - review-pack detail regenerate action
 3. Confirm the existing queued-start UX remains unchanged when allowed.
 4. Move the workspace to `grace`.
 5. Confirm review-pack starts remain allowed with a grace warning.
 6. Start one allowed review-pack action and leave the resulting work queued or running.
 7. Move the workspace to `suspended_read_only`.
 8. Confirm the already-created run remains visible and continues with the existing run UX.
 9. Repeat the same start actions and confirm:
   - each surface shows the same lifecycle-based reason
   - no new `ReviewPack` row is created
   - no new `OperationRun` row is created
   - no queued or terminal review-pack notification is emitted for the blocked attempt
 ## Scenario 4: Preserve read-only review, evidence, and generated-pack access while suspended
 1. Keep the workspace in `suspended_read_only`.
 2. Open the current read-only consumption surfaces as an already-authorized actor:
   - `CustomerReviewWorkspace`
   - tenant review detail
   - review-pack detail
   - evidence snapshot detail
   - current review-pack download link
 3. Confirm:
   - the pages still render
   - already-generated review packs remain downloadable
   - existing review/evidence history remains visible
   - any read-only explanation stays calm and does not masquerade as 403 or 404
 4. Confirm the slice does not add broad new suspension behavior to unrelated mutable controls outside the spec boundary.
 ## RBAC and Plane Semantics Checks
 1. Access lifecycle mutation from `/admin` and confirm there is no self-service control surface.
 2. Access `/system/directory/workspaces/{workspace}` as a platform user lacking the dedicated lifecycle capability and confirm authorization is enforced without leaking admin-plane truth.
 3. Access onboarding or review-pack surfaces as a non-member or wrong-plane actor and confirm 404.
 4. Access the same surfaces as an established-scope actor lacking the relevant capability and confirm 403.
 5. Access the action as an otherwise authorized actor whose workspace lifecycle blocks the action and confirm a truthful business-state block instead of 403 or 404.
 ## Targeted Validation Commands
 ```bash
 export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Entitlements/WorkspaceCommercialLifecycleResolverTest.php
 export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/System/ViewWorkspaceEntitlementsTest.php tests/Feature/System/Spec113/AuthorizationSemanticsTest.php tests/Feature/Onboarding/ManagedTenantOnboardingEntitlementTest.php tests/Feature/Onboarding/OnboardingRbacSemanticsTest.php
 export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ReviewPack/ReviewPackEntitlementEnforcementTest.php tests/Feature/ReviewPack/ReviewPackGenerationTest.php tests/Feature/ReviewPack/ReviewPackDownloadTest.php tests/Feature/Reviews/CustomerReviewWorkspacePageTest.php tests/Feature/Reviews/CustomerReviewWorkspacePackAccessTest.php tests/Feature/Evidence/EvidenceSnapshotResourceTest.php
 export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent
 ```
 ## Out of Scope Confirmations
 While validating this slice, confirm that the implementation does not add or imply:
 - payment-provider credentials, invoices, checkout, taxes, or public pricing UI
 - customer-account, subscription, or contract models
 - automated expiry/reminder/renewal logic
 - a second admin-plane commercial settings surface
 - a broad suspension engine across unrelated mutable product surfaces
--- a/specs/251-commercial-entitlements-billing-state/research.md
+++ b/specs/251-commercial-entitlements-billing-state/research.md
@ -0,0 +1,84 @@
 # Research: Commercial Entitlements and Billing-State Maturity
 **Date**: 2026-04-28  
 **Branch**: `251-commercial-entitlements-billing-state`
 ## Decision 1: Persist lifecycle truth inside the existing `entitlements` settings domain
 - **Decision**: Store the workspace commercial lifecycle overlay through explicit `WorkspaceSetting` keys in the existing `entitlements` domain, conceptually `commercial_lifecycle_state` plus `commercial_lifecycle_reason`.
 - **Rationale**: Spec 247 already proved that workspace-owned commercial truth belongs in the existing workspace settings infrastructure. Reusing that path keeps audit behavior, validation, and source-of-truth ownership consistent without inventing a billing/account model or a second persistence family.
 - **Alternatives considered**:
  - New `subscriptions`, `billing_states`, or `customer_accounts` tables: rejected because the spec explicitly forbids broad billing/account scope.
  - A separate `commercial` settings domain: rejected because the new state is an overlay on the already-real entitlement substrate, not a second independent settings family.
 ## Decision 2: Add one bounded lifecycle overlay service above `WorkspaceEntitlementResolver`
 - **Decision**: Introduce one bounded `WorkspaceCommercialLifecycleResolver` in `App\Services\Entitlements` that composes `WorkspaceEntitlementResolver` instead of replacing it.
 - **Rationale**: The underlying entitlement resolver remains canonical for plan-profile defaults, override values, and per-key allow/block truth. The new feature needs one additional workspace-wide layer that can answer lifecycle state, lifecycle rationale, and action-family outcomes across onboarding, review-pack starts, and preserved read-only history access.
 - **Alternatives considered**:
  - Extend `WorkspaceEntitlementResolver` until it also owns lifecycle posture: rejected because that would blur substrate truth with the new overlay and make future review of state ordering harder.
  - Local page/service conditionals in onboarding, review-pack resources, and system detail: rejected because they would drift immediately.
 ## Decision 3: Keep system-plane mutation on the existing workspace detail page only
 - **Decision**: Make `/system/directory/workspaces/{workspace}` the only mutation surface for lifecycle state changes, with inspection plus a confirmation-protected `Change commercial state` action.
 - **Rationale**: The spec requires platform-managed lifecycle mutation. The existing system workspace detail page already exposes commercial truth read-only and is the narrowest platform context that can show state, rationale, and audit attribution without creating a second control plane.
 - **Alternatives considered**:
  - Add lifecycle mutation to `/admin/settings/workspace`: rejected because the slice must not become a self-service workspace-admin commercial control surface.
  - Create a dedicated system commercial page/resource: rejected because the existing workspace detail page already anchors the platform/support workflow.
 ## Decision 4: Preserve explicit business-state versus authorization semantics
 - **Decision**: Keep non-member and wrong-plane access as 404, keep established-scope capability denial as 403, and treat lifecycle blocking or warnings as business-state results for otherwise authorized actors.
 - **Rationale**: This is the main operator value of the slice. The commercial lifecycle overlay must explain why an action is blocked without pretending the actor lacks scope or permission.
 - **Alternatives considered**:
  - Hide blocked actions entirely: rejected because it would erase the commercial explanation the feature exists to provide.
  - Return 403 for lifecycle blocks: rejected because it would conflate business state with authorization.
 ## Decision 5: Review-pack lifecycle blocking must happen before `ReviewPack` or `OperationRun` creation
 - **Decision**: Reuse `ReviewPackService` as the hard enforcement boundary and block lifecycle-restricted starts before any `ReviewPack` or `OperationRun` write occurs.
 - **Rationale**: Current review-pack start surfaces already converge on `ReviewPackService`. Blocking at the service boundary prevents UI-surface bypass and preserves the shared OperationRun start UX for allowed actions.
 - **Alternatives considered**:
  - UI-only disabling on each widget/resource/page action: rejected because it would not protect direct action execution.
  - A new review-pack lifecycle queue/framework: rejected because the slice changes eligibility only, not run orchestration.
 ## Decision 6: Reuse the existing blocked-decision transport if it can carry lifecycle metadata cleanly
 - **Decision**: Prefer reusing `WorkspaceEntitlementBlockedException` and extending its decision payload for lifecycle blocks, rather than introducing a second parallel business-state exception family.
 - **Rationale**: Review-pack widgets/resources already catch `WorkspaceEntitlementBlockedException` and project its `block_reason` into user-visible feedback. Reusing that transport keeps the change narrow unless implementation proves the class name or payload shape is too substrate-specific.
 - **Alternatives considered**:
  - New `WorkspaceCommercialLifecycleBlockedException`: rejected for now because it would widen changes across all review-pack action surfaces without proving extra value.
  - Plain string returns without a shared decision payload: rejected because the UI surfaces already consume structured block context.
 ## Decision 7: Preserve suspended read-only access by leaving existing history/evidence/download routes outside the new gate
 - **Decision**: Keep `CustomerReviewWorkspace`, `ViewTenantReview`, `ViewReviewPack`, `ViewEvidenceSnapshot`, and current review-pack download access outside the new lifecycle start gate, while allowing them to show a calm read-only explanation when helpful.
 - **Rationale**: The feature promise is not "suspend everything." It is "block future starts while preserving safe existing history." Existing view/download routes already encode current RBAC and redaction semantics and are the narrowest place to preserve that truth.
 - **Alternatives considered**:
  - Broad product-wide suspension of all mutable controls: rejected because the spec explicitly forbids a broad suspension engine.
  - No plan for preserved read access: rejected because suspension would otherwise appear as total lockout and break the evidence/history requirement.
 ## Decision 8: Keep the four-state vocabulary, but justify it narrowly
 - **Decision**: Keep exactly four lifecycle states: `trial`, `grace`, `active_paid`, and `suspended_read_only`.
 - **Rationale**: The spec requires these named postures, and platform operators need to set and audit them explicitly from one system surface. `grace` and `suspended_read_only` have immediate distinct action-family consequences. `trial` remains in scope because the platform/support workflow and audit trail need to distinguish temporary non-paid posture from steady active paid posture now, even though both allow the two in-scope gated behavior families.
 - **Alternatives considered**:
  - Collapse to three states by removing `trial`: rejected because it would erase a required current-release commercial posture and force later renaming/migration when trial lifecycle work grows.
  - Persist only booleans like `is_suspended` and `is_in_grace`: rejected because that would not yield one clear operator-facing commercial state.
 ## Decision 9: Prove the slice with focused unit and feature lanes only
 - **Decision**: Use one unit family for lifecycle resolution and focused feature tests for system mutation, onboarding gating, review-pack no-run blocking, and suspended read-only consumption.
 - **Rationale**: The primary risk is correctness of decision ordering and bounded surface behavior, not browser layout or heavy orchestration.
 - **Alternatives considered**:
  - Browser tests: rejected because no browser-only interaction risk is introduced in the planning slice.
  - Heavy-governance suite expansion: rejected because the scope is feature-local and uses existing surfaces.
 ## Decision 10: Leave panels, assets, and global search unchanged
 - **Decision**: Do not add new panels, provider registration changes, global-search resources, or Filament assets as part of this slice.
 - **Rationale**: The feature is a business-state overlay inside existing admin and system surfaces. Infrastructure changes would widen scope without helping the current release.
 - **Alternatives considered**:
  - New commercial panel: rejected because `/system` detail already anchors the platform workflow.
  - Asset-backed custom commercial UI: rejected because current Filament components and the existing Blade detail view are sufficient.
--- a/specs/251-commercial-entitlements-billing-state/spec.md
+++ b/specs/251-commercial-entitlements-billing-state/spec.md
@ -0,0 +1,332 @@
 # Feature Specification: Commercial Entitlements and Billing-State Maturity
 **Feature Branch**: `251-commercial-entitlements-billing-state`  
 **Created**: 2026-04-28  
 **Status**: Draft  
 **Input**: User description: "Commercial lifecycle follow-up on top of the already-real Spec 247 entitlement substrate, with one central workspace lifecycle resolution, bounded lifecycle states, two real gated behaviors, explicit read-only suspension semantics, and audited state changes without expanding into a billing engine."
 ## Spec Candidate Check *(mandatory — SPEC-GATE-001)*
 - **Problem**: TenantPilot already resolves plan-profile entitlements for a workspace, but it still lacks one central commercial lifecycle state that explains whether the workspace is in trial, grace, normal paid use, or suspended/read-only posture.
 - **Today's failure**: Operators can hit blocked onboarding or reporting actions without one consistent business-state explanation, and a future suspension or grace posture would otherwise be implemented as scattered local conditionals or mistaken as RBAC denial.
 - **User-visible improvement**: Platform operators can set one auditable workspace commercial lifecycle state, and tenant/workspace operators then see a truthful allow, warn, or read-only message directly at onboarding and review-pack action surfaces without losing safe access to existing history and evidence.
 - **Smallest enterprise-capable version**: Add one platform-managed workspace commercial lifecycle overlay on top of the existing entitlement substrate, resolve four bounded lifecycle states, gate managed-tenant onboarding activation plus review-pack start actions from that central decision, and preserve safe read-only access to existing review/evidence history while suspended.
 - **Explicit non-goals**: No payment providers, invoicing, taxes, accounting, checkout, public pricing, website work, customer-account modeling, subscription engine, automated renewal reminders, broad entitlement spread, or customer self-service lifecycle management.
 - **Permanent complexity imported**: One bounded lifecycle state family, one small central lifecycle resolution layer on top of the existing entitlement substrate, one platform-side state change surface with audit, and focused unit plus feature coverage.
 - **Why now**: This directly extends real repo truth from Spec 247 and `WorkspaceEntitlementResolver`, so it is implementation-ready as a narrow follow-up. Localization remains a broader missing foundation, and external support-desk handoff still lacks a concrete external target.
 - **Why not local**: The same commercial posture must drive system support visibility, onboarding activation, review-pack generation, and suspended read-only access rules. Local page checks would drift immediately and recreate the current manual explanation problem.
 - **Approval class**: Core Enterprise
 - **Red flags triggered**: New state axis, foundation-sounding commercial theme, and multi-surface touchpoint. Defense: this slice is limited to one overlay on top of an existing resolver, one platform mutation surface, two already-real gated behaviors, and explicit read-only preservation instead of a broader billing platform.
 - **Score**: Nutzen: 2 | Dringlichkeit: 2 | Scope: 2 | Komplexität: 1 | Produktnähe: 2 | Wiederverwendung: 2 | **Gesamt: 11/12**
 - **Decision**: approve
 ## Spec Scope Fields *(mandatory)*
 - **Scope**: workspace
 - **Primary Routes**:
  - `/system/directory/workspaces/{workspace}` for platform-side inspection and lifecycle state change
  - `/admin/onboarding/{onboardingDraft}` for managed-tenant onboarding activation
  - `/admin/reviews` plus existing tenant review detail, tenant dashboard, and review-pack registry/detail surfaces for `Generate pack`, `Regenerate`, and `Export executive pack`
  - existing read-only review, evidence, and generated-pack consumption surfaces that must remain available while suspended/read-only
 - **Data Ownership**: Commercial lifecycle state remains workspace-owned truth and is stored through the existing workspace settings infrastructure. Existing plan profiles and entitlement decisions from Spec 247 remain the underlying workspace-owned substrate. Tenant-owned review packs, evidence snapshots, review history, and onboarding records stay tenant-owned and are not remodeled by this slice.
 - **RBAC**: Platform users with directory visibility plus a dedicated commercial lifecycle management capability may inspect and change state on `/system`. Workspace or tenant members keep their existing onboarding and review-pack capabilities on `/admin`, but lifecycle state is a business-state overlay rather than a self-service setting. Non-members and wrong-plane actors continue to receive 404. Members missing capability continue to receive 403. Members with the required capability but blocked by lifecycle state receive a truthful business-state block instead of an authorization failure.
 For canonical-view specs, the spec MUST define:
 - **Default filter behavior when tenant-context is active**: N/A - this slice does not introduce a new tenantless collection or cross-tenant list.
 - **Explicit entitlement checks preventing cross-tenant leakage**: Existing workspace and tenant isolation remain authoritative. The lifecycle overlay never reveals tenant-owned history or artifacts outside the already-authorized workspace and tenant scope.
 ## Cross-Cutting / Shared Pattern Reuse *(mandatory when the feature touches notifications, status messaging, action links, header actions, dashboard signals/cards, alerts, navigation entry points, evidence/report viewers, or any other existing shared operator interaction family; otherwise write `N/A - no shared interaction family touched`)*
 - **Cross-cutting feature?**: yes
 - **Interaction class(es)**: status messaging, action gating, system detail controls, operation-start blocking, evidence/report viewers
 - **Systems touched**: existing workspace settings persistence, existing workspace entitlement resolution, system workspace detail view, onboarding activation gate, review-pack generation entry family, audit logging, and existing read-only review/evidence/download surfaces
 - **Existing pattern(s) to extend**: existing workspace entitlement resolver and summary pattern, existing workspace-setting audit path, existing review-pack start UX, existing onboarding activation gate, and existing system detail summary surfaces
 - **Shared contract / presenter / builder / renderer to reuse**: the current workspace entitlement resolution path and its audit-backed settings persistence remain the canonical substrate; this slice adds one bounded commercial lifecycle decision layer on top rather than a second parallel commercial framework
 - **Why the existing shared path is sufficient or insufficient**: The current entitlement substrate is already sufficient for plan defaults, overrides, and per-key allow/block decisions. It is insufficient for one workspace-wide lifecycle posture that can say "expansion frozen" or "read-only suspended" consistently across multiple surfaces.
 - **Allowed deviation and why**: none. No surface may invent local lifecycle labels, local business-state copy, or page-specific suspension rules.
 - **Consistency impact**: State labels, source labels, block reasons, and read-only explanations must mean the same thing on the system workspace page, onboarding completion step, review-pack start actions, and preserved read-only review/evidence surfaces.
 - **Review focus**: Reviewers must verify that all in-scope surfaces consume one shared lifecycle decision, that lifecycle overlay semantics do not expand access beyond current entitlements, and that suspended read-only messaging does not drift across surfaces.
 ## OperationRun UX Impact *(mandatory when the feature creates, queues, deduplicates, resumes, blocks, completes, or deep-links to an `OperationRun`; otherwise write `N/A - no OperationRun start or link semantics touched`)*
 - **Touches OperationRun start/completion/link UX?**: yes
 - **Shared OperationRun UX contract/layer reused**: existing review-pack queued-start, `Open operation`, and canonical run-link behavior remain unchanged when lifecycle state allows the start action
 - **Delegated start/completion UX behaviors**: queued toast, `Open operation` link, dedupe behavior, and terminal lifecycle feedback stay on the existing review-pack path when allowed. A lifecycle block stops earlier and produces no queued-start feedback because no run is created.
 - **Local surface-owned behavior that remains**: local surfaces only render lifecycle state, blocked reason, and the safe next step. They do not replace the existing review-pack run UX.
 - **Queued DB-notification policy**: unchanged
 - **Terminal notification path**: central lifecycle mechanism for existing review-pack runs only
 - **Exception required?**: none
 ## Provider Boundary / Platform Core Check *(mandatory when the feature changes shared provider/platform seams, identity scope, governed-subject taxonomy, compare strategy selection, provider connection descriptors, or operator vocabulary that may leak provider-specific semantics into platform-core truth; otherwise write `N/A - no shared provider/platform boundary touched`)*
 N/A - no shared provider/platform boundary is changed. Commercial lifecycle state is platform-core workspace truth and must remain provider-neutral even when it gates provider-backed review-pack workflows.
 ## UI / Surface Guardrail Impact *(mandatory when operator-facing surfaces are changed; otherwise write `N/A`)*
 | Surface / Change | Operator-facing surface change? | Native vs Custom | Shared-Family Relevance | State Layers Touched | Exception Needed? | Low-Impact / `N/A` Note |
 |---|---|---|---|---|---|---|
 | Platform workspace commercial-state controls | yes | Native Filament system detail page | detail summary, header actions, status messaging | detail page, header action, summary card | no | Single platform mutation surface only |
 | Managed tenant onboarding activation gate | yes | Native Filament wizard | action gating, helper text, business-state callout | completion step, confirmation action | no | Reuses the existing activation step |
 | Review-pack generation entry family | yes | Native Filament widget/resource/page actions | operation-start gating, helper text, state badges | widget action, detail action, list/header action | no | Only `Generate pack`, `Regenerate`, and `Export executive pack` are in scope |
 | Existing read-only review, evidence, and generated-pack consumption surfaces | yes | Native Filament detail and download surfaces | evidence/report viewers, detail messaging | detail page, download action, read-only summary | no | No new routes; the slice only preserves safe read-only availability during suspension |
 ## Decision-First Surface Role *(mandatory when operator-facing surfaces are changed)*
 | Surface | Decision Role | Human-in-the-loop Moment | Immediately Visible for First Decision | On-Demand Detail / Evidence | Why This Is Primary or Why Not | Workflow Alignment | Attention-load Reduction |
 |---|---|---|---|---|---|---|---|
 | Platform workspace commercial-state controls | Primary Decision Surface | Platform operator decides whether a workspace should remain trial, move into grace, return to active paid, or become suspended/read-only | Current state, rationale, affected action families, and last changed attribution | Existing entitlement summary and related workspace diagnostics | Primary because this is the one place where commercial posture is intentionally changed | Follows platform support/commercial workflow rather than customer admin navigation | Prevents founders or support staff from reconstructing state from ad hoc notes and blocked actions |
 | Managed tenant onboarding activation gate | Primary Decision Surface | Workspace operator decides whether the current tenant may be activated now | Lifecycle state, whether activation is allowed, and the business-state reason when blocked | Existing onboarding verification and readiness diagnostics remain secondary | Primary because onboarding completion is the actual high-impact mutation point | Keeps the commercial decision inside the activation workflow | Removes the need to ask support whether a block is about permissions or billing state |
 | Review-pack generation entry family | Secondary Context Surface | Reporting operator decides whether to start, retry, or export a review pack from the current tenant or review context | Lifecycle state, whether the start action is blocked, and the safe fallback when suspended/read-only | Existing run state, artifact truth, and review history remain secondary | Not primary because the family exists to continue reporting/review workflows, not to manage commercial posture itself | Stays inside existing report-generation workflows | Avoids a second support lookup just to understand why generation is blocked |
 | Existing read-only review, evidence, and generated-pack consumption surfaces | Tertiary Evidence / Diagnostics Surface | Customer-safe or operator read-only consumer verifies existing history while the workspace is suspended/read-only | Existing history, evidence, and generated pack availability plus a calm read-only explanation | Raw provider or support diagnostics remain secondary and capability-gated | Not primary because these surfaces answer "what history is still safe to read" rather than "what state should change" | Preserves evidence-first review consumption instead of forcing new export workarounds | Prevents suspended workspaces from looking completely unavailable when history should still be readable |
 ## Audience-Aware Disclosure *(mandatory when operator-facing surfaces are changed)*
 | Surface | Audience Modes In Scope | Decision-First Default-Visible Content | Operator Diagnostics | Support / Raw Evidence | One Dominant Next Action | Hidden / Gated By Default | Duplicate-Truth Prevention |
 |---|---|---|---|---|---|---|---|
 | Platform workspace commercial-state controls | support-platform, operator-platform | Current lifecycle state, rationale, last changed attribution, and affected behavior summary | Existing workspace entitlement summary and tenant counts | No raw settings payload or internal debug data by default | `Change commercial state` | Raw settings rows and internal debugging remain hidden | The page states the lifecycle blocker once and reuses the same labels later rather than restating them differently |
 | Managed tenant onboarding activation gate | operator-MSP | Activation allowed/blocked, current lifecycle state, and why the block is business-state rather than permission-state | Existing readiness and verification diagnostics already on the wizard | No support/raw payloads on the default path | `Complete onboarding` when allowed, otherwise `Request commercial review` | Deeper commercial diagnostics stay off the onboarding surface | The step shows one lifecycle explanation and does not restate the whole workspace commercial profile |
 | Review-pack generation entry family | operator-MSP | Start action availability, current lifecycle state, and the safe fallback when generation is blocked | Existing run state and artifact status | No raw support diagnostics on start surfaces | `Generate pack`, `Regenerate`, or `Export executive pack` when allowed; otherwise `View current pack` | System-only lifecycle controls stay off these surfaces | One shared lifecycle reason is reused across all in-scope start actions |
 | Existing read-only review, evidence, and generated-pack consumption surfaces | customer-read-only, operator-MSP | What history remains available and why the workspace is read-only rather than fully inaccessible | Existing review history and artifact provenance | Support/raw details remain collapsed or gated | `View current review` or `Download current pack` | Any mutation affordance stays blocked in suspended/read-only posture | The read-only explanation appears once and later sections add evidence rather than repeating the same blocker |
 ## UI/UX Surface Classification *(mandatory when operator-facing surfaces are changed)*
 | Surface | Action Surface Class | Surface Type | Likely Next Operator Action | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type / Justification |
 |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
 | Platform workspace commercial-state controls | System / Detail / Diagnostics | Read-only detail with bounded mutation action | Change the workspace lifecycle state | Dedicated workspace detail page | forbidden | Existing admin-workspace and related navigation stay secondary | `Change commercial state` contains the high-risk `Suspended / read-only` path with explicit confirmation | `/system/directory/workspaces` | `/system/directory/workspaces/{workspace}` | Platform workspace identity plus current lifecycle state | Commercial lifecycle | Current state, rationale, and affected behaviors | Acceptable detail-surface exception because mutation stays bounded to one header action on the detail page |
 | Managed tenant onboarding activation gate | Workflow / Guided action entry | Onboarding completion step | Complete onboarding or stop because commercial state blocks expansion | In-page completion step | forbidden | Existing back-navigation and tenant links stay secondary | Existing `Cancel draft` and `Delete draft` remain the only destructive actions | `/admin/onboarding` | `/admin/onboarding/{onboardingDraft}` | Workspace context plus current tenant | Onboarding commercial state | Activation allowed or blocked and why | Existing wizard exception remains valid |
 | Review-pack generation entry family | Contextual action family | Widget/resource/page start actions | Start, retry, or export a review pack when allowed | Explicit action on the current tenant or review context | mixed - existing registry rows may still open detail, but start actions remain explicit | Existing `View` and `Download` stay secondary and outside the blocked start gate | Existing destructive actions remain out of scope and keep current placement | `/admin/reviews` plus existing tenant review-pack collection surfaces | Existing tenant review detail and review-pack detail surfaces | Active workspace, active tenant, review or pack context | Review-pack generation | Start allowed or blocked, and the safe read-only fallback | Grouped-action family exception is documented here so all start actions share one gate |
 | Existing read-only review, evidence, and generated-pack consumption surfaces | Detail / Report viewer / Download | Read-only detail and artifact consumption | View history or download an already-generated pack | Existing review or pack detail page | allowed where the current collection already opens detail | Supporting navigation remains secondary | none | Existing review and review-pack collections | Existing review, evidence, and review-pack detail routes | Active workspace, active tenant, current artifact or review | Review history / Generated pack | Safe read-only availability during suspension | No new surface type introduced |
 ## Operator Surface Contract *(mandatory when operator-facing surfaces are changed)*
 | Surface | Primary Persona | Decision / Operator Action Supported | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
 |---|---|---|---|---|---|---|---|---|---|---|
 | Platform workspace commercial-state controls | Platform commercial or support operator | Decide the current commercial posture of a workspace | System detail page | What lifecycle state should this workspace be in now? | State, rationale, affected behaviors, and last changed attribution | Existing entitlement summary and workspace diagnostics | commercial lifecycle, entitlement substrate | TenantPilot only | Change commercial state | Set suspended/read-only |
 | Managed tenant onboarding activation gate | Workspace owner or manager completing onboarding | Decide whether the current tenant can be activated now | Guided workflow step | Can I activate this tenant under the current commercial posture? | Current lifecycle state, whether activation is allowed, and the block reason when not | Existing verification and bootstrap detail | onboarding readiness, commercial lifecycle, entitlement availability | TenantPilot only for activation state | Complete onboarding | Cancel draft, Delete draft |
 | Review-pack generation entry family | Workspace manager or reporting operator | Decide whether a new pack run may start now | Contextual start-action family | Can I start, retry, or export a pack from this context? | Current lifecycle state, whether the start action is blocked, and the safe fallback | Existing run state, review status, and artifact truth | commercial lifecycle, entitlement availability, run state, artifact status | TenantPilot only until the existing run starts | Generate pack, Regenerate, Export executive pack, View current pack | Existing destructive actions remain unchanged and out of scope |
 | Existing read-only review, evidence, and generated-pack consumption surfaces | Customer-safe reader or workspace operator | Consume already-generated history safely while the workspace is read-only | Read-only detail and download surfaces | What history can I still read or download safely? | Existing review/evidence/download truth plus a calm read-only explanation | Raw provider diagnostics and support-only detail | commercial lifecycle, artifact availability | none | View current review, Download current pack | none |
 ## Proportionality Review *(mandatory when structural complexity is introduced)*
 - **New source of truth?**: yes - one workspace-owned commercial lifecycle state becomes current-release business truth, but it is stored through existing workspace settings rather than a new table
 - **New persisted entity/table/artifact?**: no
 - **New abstraction?**: yes - one bounded lifecycle resolution layer on top of the existing entitlement substrate
 - **New enum/state/reason family?**: yes - the four-state lifecycle family (`trial`, `grace`, `active_paid`, `suspended_read_only`)
 - **New cross-domain UI framework/taxonomy?**: no
 - **Current operator problem**: Support and operators cannot truthfully explain whether a workspace is in a normal commercial state, an expansion freeze, or a read-only suspension without reconstructing the answer from scattered surface behavior.
 - **Existing structure is insufficient because**: Spec 247 gives per-key entitlement truth, but it does not provide one workspace-wide lifecycle posture that can say "activation blocked but reading is still safe" or "new runs blocked while history remains available."
 - **Narrowest correct implementation**: Keep persistence inside the existing workspace settings infrastructure, add one small state family and one shared resolution layer, mutate it from one system detail page, and apply it only to two already-real start behaviors plus suspended read-only preservation.
 - **Ownership cost**: One state vocabulary, one additional decision layer, cross-surface copy discipline, and focused tests for state transitions plus allowed/blocked behavior.
 - **Alternative intentionally rejected**: A new subscription/customer-account model or many per-surface lifecycle flags was rejected because the repo has no current billing domain and the smallest safe slice only needs one central commercial posture.
 - **Release truth**: current-release truth with later follow-up candidates for automation, billing integration, and broader lifecycle-aware entitlement spread
 ### Compatibility posture
 This feature assumes a pre-production environment.
 Backward compatibility, legacy aliases, migration shims, historical fixtures, and compatibility-specific tests are out of scope unless explicitly required by this spec.
 Canonical replacement is preferred over preservation.
 ## Testing / Lane / Runtime Impact *(mandatory for runtime behavior changes)*
 - **Test purpose / classification**: Unit, Feature
 - **Validation lane(s)**: fast-feedback, confidence
 - **Why this classification and these lanes are sufficient**: Unit coverage proves default state resolution, state precedence over existing entitlements, and state-to-behavior mapping. Focused feature coverage proves platform mutation, audit logging, onboarding blocks, review-pack start blocks, and preserved read-only access without expanding into browser or heavy-governance lanes.
 - **New or expanded test families**: one bounded lifecycle resolver unit family plus focused extensions to the existing system detail, onboarding, review-pack, and preserved read-only feature families
 - **Fixture / helper cost impact**: Add only workspace, platform user, workspace member, onboarding draft, active tenant count, existing review pack, and existing evidence/history fixtures required to prove the state consequences. Avoid payment-provider mocks, browser harnesses, or new heavy support fixtures.
 - **Heavy-family visibility / justification**: none
 - **Special surface test profile**: standard-native-filament, shared-detail-family, monitoring-state-page
 - **Standard-native relief or required special coverage**: Standard Filament feature coverage is sufficient for the system detail mutation surface and onboarding gate. Review-pack gating still needs monitoring-state assertions to prove blocked starts create no run, while suspended read-only preservation needs one detail/download assertion on existing artifact surfaces.
 - **Reviewer handoff**: Reviewers must confirm that lifecycle blocks remain distinct from 404 and 403 outcomes, that source labels stay consistent on the system detail surface, that `grace` and `suspended_read_only` do not collapse into one behavior, that blocked review-pack starts create no queued or terminal notification, that already queued or running review-pack runs remain unaffected by later suspension, and that existing read-only history/download access remains available under current RBAC.
 - **Budget / baseline / trend impact**: low feature-local increase only
 - **Escalation needed**: none
 - **Active feature PR close-out entry**: Guardrail
 - **Planned validation commands**:
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Entitlements/WorkspaceCommercialLifecycleResolverTest.php`
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/System/ViewWorkspaceEntitlementsTest.php tests/Feature/System/Spec113/AuthorizationSemanticsTest.php tests/Feature/Onboarding/ManagedTenantOnboardingEntitlementTest.php tests/Feature/Onboarding/OnboardingRbacSemanticsTest.php`
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ReviewPack/ReviewPackEntitlementEnforcementTest.php tests/Feature/ReviewPack/ReviewPackGenerationTest.php tests/Feature/ReviewPack/ReviewPackDownloadTest.php tests/Feature/Reviews/CustomerReviewWorkspacePageTest.php tests/Feature/Reviews/CustomerReviewWorkspacePackAccessTest.php tests/Feature/Evidence/EvidenceSnapshotResourceTest.php`
 ## Scope Boundaries *(required for this slice)*
 ### In Scope
 - One central workspace commercial lifecycle overlay with exactly four states: `trial`, `grace`, `active_paid`, and `suspended_read_only`
 - One platform-managed lifecycle change path with rationale and audit, persisted through the existing workspace settings infrastructure
 - One shared lifecycle resolution path layered on top of the existing Spec 247 entitlement substrate
 - Lifecycle gating of managed-tenant onboarding activation
 - Lifecycle gating of review-pack `Generate pack`, `Regenerate`, and `Export executive pack` entry points
 - Suspended/read-only preservation of authorized review history, evidence, and already-generated review-pack consumption
 - Explicit business-state messaging that distinguishes lifecycle blocks from RBAC failures
 ### Non-Goals
 - Payment providers, invoices, taxes, accounting, checkout, public pricing, website work, and payment failure workflows
 - New customer-account, subscription, contract, or offer models
 - Automated timers, expiries, reminders, or scheduled state transitions
 - Customer self-service state changes from the workspace admin plane
 - Broad entitlement expansion across seats, exports, retention, support SLAs, or unrelated feature flags
 - Broad suspension logic across every mutable surface in the product
 - A second commercial control plane outside the existing system workspace detail flow
 ## Assumptions
 - Spec 247 remains the canonical entitlement substrate. Commercial lifecycle state is an overlay that can warn or restrict, not a replacement for plan-profile and per-key entitlement truth.
 - Commercial lifecycle mutation is platform-managed in this slice. Workspace and tenant operators may observe the resulting state where it matters, but they do not change it themselves.
 - If no explicit lifecycle state has been set for a workspace, the system resolves to `active_paid` so that current repo behavior stays unchanged until a platform operator intentionally selects a different state.
 - `grace` is intentionally narrower than `suspended_read_only`: it freezes new managed-tenant activation but continues to allow existing review-pack start behavior when the underlying entitlement substrate still allows it.
 - `suspended_read_only` preserves existing review/evidence/download access under current RBAC and redaction rules, but blocks new onboarding activation and new review-pack start actions.
 ## Risks
 - `grace` and `suspended_read_only` can drift into near-duplicates if blocked-action copy and tests do not keep their consequences distinct.
 - A later customer-account or billing source could require revisiting how manual lifecycle transitions are sourced, even though that broader domain is intentionally out of scope here.
 - A future admin-plane commercial settings surface could confuse ownership if it appears without preserving platform-only mutation authority.
 - Mid-flight review-pack runs created before a workspace becomes suspended could create confusion if the product does not clearly state that this slice only blocks future starts.
 ## Deferred Adjacent Candidates
 - **Localization v1** remains a separate, broader foundation candidate because it requires cross-product locale resolution and copy governance beyond this bounded commercial lifecycle slice.
 - **External Support Desk / PSA Handoff** remains a separate candidate because repo docs still do not define one concrete external desk target to hand off into.
 - Broader billing lifecycle automation, reminders, and external billing-source integration stay deferred until a real account and payment domain exists in repo truth.
 ## User Scenarios & Testing *(mandatory)*
 ### User Story 1 - Set one workspace commercial lifecycle state centrally (Priority: P1)
 As a platform commercial or support operator, I want to set a workspace's current commercial lifecycle state once so downstream product behavior follows one audited source of truth instead of local exceptions.
 **Why this priority**: Without one central lifecycle state, every later gate or support explanation would duplicate commercial truth and drift away from the already-real entitlement substrate.
 **Independent Test**: Open the existing system workspace detail surface, change the lifecycle state with rationale, and verify that the new state is visible there and auditable without touching onboarding or reporting flows.
 **Acceptance Scenarios**:
 1. **Given** a workspace has no explicit commercial lifecycle state, **When** an authorized platform operator sets it to `trial` with rationale, **Then** the workspace resolves to `trial`, the change is auditable, and the system detail surface shows the new state and rationale.
 2. **Given** a workspace is currently in `grace`, **When** an authorized platform operator changes it to `suspended_read_only`, **Then** the previous state is replaced, the new state is auditable, and later gated surfaces consume the new state.
 3. **Given** a workspace is in `suspended_read_only`, **When** an authorized platform operator returns it to `active_paid`, **Then** future gated actions again use the normal underlying entitlement substrate instead of the suspended overlay.
 ---
 ### User Story 2 - Truthfully block tenant activation when lifecycle state freezes expansion (Priority: P1)
 As an authorized workspace operator, I want the onboarding completion step to tell me whether the tenant may be activated under the current commercial lifecycle state so I can distinguish business-state blocking from permissions or onboarding readiness problems.
 **Why this priority**: Managed-tenant activation is the highest-risk first-slice mutation and the clearest place where a grace or suspended posture must stop expansion without ambiguity.
 **Independent Test**: Seed workspaces in `trial`, `active_paid`, `grace`, and `suspended_read_only`, open the existing onboarding completion step, and verify that the same action becomes allowed or blocked with the correct business-state explanation before any activation mutation happens.
 **Acceptance Scenarios**:
 1. **Given** a workspace is `trial` or `active_paid` and the existing entitlement substrate allows activation, **When** an authorized operator reaches the onboarding completion step, **Then** the step allows completion and no lifecycle block is shown.
 2. **Given** a workspace is in `grace`, **When** the same operator reaches the completion step, **Then** the action remains visible but blocked with a business-state explanation that new managed-tenant activation is frozen during grace.
 3. **Given** a workspace is in `suspended_read_only`, **When** the operator reaches the same step, **Then** activation is blocked before any tenant mutation occurs and the step explains that the workspace is read-only rather than lacking permission.
 ---
 ### User Story 3 - Block new review-pack starts while preserving safe historical access (Priority: P2)
 As a reporting operator or customer-safe reader, I want new review-pack start actions to obey the current commercial lifecycle state while already-generated history remains safely readable so suspension does not erase needed evidence.
 **Why this priority**: Review-pack generation already exists on multiple real surfaces, and suspension is only trustworthy if it blocks new starts consistently while preserving safe access to history and already-generated evidence.
 **Independent Test**: Seed a workspace with an existing generated pack and history, switch it to `suspended_read_only`, verify that `Generate pack`, `Regenerate`, and `Export executive pack` stop before any new run or artifact is created, that blocked starts emit no queued or terminal review-pack notification, that already queued or running review-pack work continues unchanged, and then confirm that authorized readers can still view or download the already-generated artifacts.
 **Acceptance Scenarios**:
 1. **Given** a workspace is `active_paid` or `trial` and the existing review-pack entitlement allows generation, **When** an authorized operator starts `Generate pack`, `Regenerate`, or `Export executive pack`, **Then** the current review-pack flow continues unchanged.
 2. **Given** a workspace is in `grace` and the underlying review-pack entitlement allows generation, **When** an authorized operator starts the same action, **Then** the action remains allowed with a grace warning and without blocking the run.
 3. **Given** a workspace is in `suspended_read_only`, **When** an authorized operator attempts `Generate pack`, `Regenerate`, or `Export executive pack`, **Then** the action is blocked before any new `ReviewPack` or `OperationRun` is created and no queued or terminal review-pack notification is emitted for the blocked attempt.
 4. **Given** a review-pack run was already created while the workspace lifecycle state still allowed it, **When** the workspace later moves to `suspended_read_only`, **Then** the existing queued or running review-pack work may complete unchanged because this slice only blocks future start attempts.
 5. **Given** a workspace is in `suspended_read_only` and already has generated review packs, evidence, or review history, **When** an authorized reader opens or downloads those existing artifacts, **Then** the existing read-only access continues under current RBAC and redaction rules.
 ### Edge Cases
 - A workspace with no explicit lifecycle state must still resolve deterministically to `active_paid` so current Spec 247 behavior does not change accidentally.
 - If the lifecycle state allows a behavior but the underlying entitlement substrate blocks it, the underlying entitlement block still applies and must remain distinguishable from lifecycle blocking.
 - If the lifecycle state becomes `suspended_read_only` while a review-pack run is already queued or running, the existing run may complete; the new state only blocks future start attempts in this slice.
 - A workspace member who lacks the relevant onboarding or review-pack capability must still receive 403 even when the workspace lifecycle state is otherwise permissive.
 - A non-member or wrong-plane actor must not learn whether a workspace is in `grace` or `suspended_read_only`; those requests continue to resolve as 404.
 - Suspended/read-only behavior must never revoke access to already-generated artifacts or review/evidence history that the actor is otherwise allowed to read.
 ## Requirements *(mandatory)*
 **Constitution alignment (required):** This feature changes runtime behavior and writes workspace-owned commercial state, but it adds no Microsoft Graph calls, no new provider dispatch path, and no new queued workflow family. Lifecycle state changes use the existing workspace settings infrastructure and audit foundation. Existing review-pack `OperationRun` behavior is reused only when lifecycle state allows a start action.
 **Constitution alignment (PROP-001 / ABSTR-001 / PERSIST-001 / STATE-001 / BLOAT-001):** The feature introduces one new business-state family because current-release operator workflows now need a workspace-wide commercial posture that per-key entitlement decisions cannot express alone. A narrower local-only approach would still scatter lifecycle semantics across onboarding and review-pack surfaces.
 **Constitution alignment (XCUT-001):** All in-scope gated behaviors and preserved read-only surfaces must consume the same lifecycle decision. No local page is allowed to invent its own trial, grace, or suspension semantics.
 **Constitution alignment (DECIDE-AUD-001 / OPSURF-001):** Blocked onboarding and blocked review-pack starts must show customer-safe or operator-safe default content first, with diagnostics and support-only detail remaining secondary. Suspended read-only surfaces must preserve one calm next step instead of turning history surfaces into error pages.
 **Constitution alignment (PROV-001):** Commercial lifecycle state is platform-core workspace truth and must not import provider-specific vocabulary or billing-provider semantics.
 **Constitution alignment (TEST-GOV-001):** Proof remains in focused unit plus feature lanes. New fixtures stay limited to workspace, platform operator, workspace member, onboarding draft, tenant count, and existing review-pack/evidence artifacts.
 **Constitution alignment (OPS-UX):** This feature does not create a new run family. Existing review-pack generation keeps the current queued toast, operation link, and terminal notification path when lifecycle state allows it. Blocked lifecycle starts create no run and no run lifecycle feedback.
 **Constitution alignment (OPS-UX-START-001):** Lifecycle gating sits before review-pack run creation and delegates all allowed queued-start UX to the existing shared review-pack path.
 **Constitution alignment (RBAC-UX):** Two authorization planes are involved: platform `/system` for lifecycle mutation and tenant/admin `/admin` for contextual blocked-or-allowed behavior. Wrong-plane or non-member requests remain 404. Members missing capability remain 403. Lifecycle blocking is a product-state response for otherwise-authorized actors and must not masquerade as authorization failure.
 **Constitution alignment (BADGE-001):** If lifecycle badges or state chips are rendered, their labels and visual semantics must come from one shared lifecycle vocabulary rather than page-local color mapping.
 **Constitution alignment (UI-FIL-001):** The slice must extend existing native Filament detail, wizard, widget, resource, and download surfaces. No custom commercial panel or page-local status language is allowed.
 **Constitution alignment (UI-NAMING-001):** Primary labels remain product-facing and specific: `Trial`, `Grace`, `Active paid`, `Suspended / read-only`, `Change commercial state`, `Complete onboarding`, `Generate pack`, `Regenerate`, and `Export executive pack`. Billing-provider or checkout terminology remains out of scope.
 **Constitution alignment (DECIDE-001):** The system workspace detail page is the one primary commercial decision surface. Onboarding and review-pack surfaces remain contextual decision points that only show the commercial truth required for the immediate action. Existing history/evidence surfaces remain tertiary read-only contexts.
 **Constitution alignment (UI-CONST-001 / UI-SURF-001 / ACTSURF-001 / UI-HARD-001 / UI-EX-001 / UI-REVIEW-001 / HDR-001):** The feature must preserve the existing system detail, guided onboarding, grouped review-pack actions, and read-only artifact consumption patterns. It may not create a second admin-plane commercial management surface or redundant inspect actions.
 **Constitution alignment (ACTSURF-001 - action hierarchy):** Lifecycle mutation stays on the system workspace detail page. Onboarding completion remains the primary activation action. Review-pack start actions remain the primary reporting mutations where they already exist. View/download history remains secondary but available during suspension.
 **Constitution alignment (UI-SEM-001 / LAYER-001 / TEST-TRUTH-001):** One thin lifecycle overlay is justified because direct reads from the existing entitlement substrate cannot express one workspace-wide read-only posture. Tests must prove business outcomes such as allowed, warned, blocked, and preserved-read behavior rather than badge rendering alone.
 **Constitution alignment (Filament Action Surfaces):** The action-surface contract remains satisfied with the documented system detail exception for one bounded mutation action, the existing onboarding wizard exception, and the existing review-pack action family. No empty action groups or redundant view actions are introduced by this slice.
 **Constitution alignment (UX-001 — Layout & Information Architecture):** The feature extends the existing system detail, onboarding, and review-pack surfaces with bounded state information only. It does not create a new commercial page shell or duplicate summary screen.
 ### Functional Requirements
 - **FR-251-001 Central lifecycle state**: The system MUST resolve one commercial lifecycle state per workspace with exactly four values: `trial`, `grace`, `active_paid`, and `suspended_read_only`.
 - **FR-251-002 Existing entitlement substrate remains canonical**: The system MUST layer lifecycle state on top of the existing Spec 247 entitlement substrate rather than replacing plan profiles, entitlement keys, or override logic.
 - **FR-251-003 Deterministic default**: If no explicit lifecycle state has been stored for a workspace, the system MUST resolve to `active_paid` so existing behavior remains unchanged until an operator intentionally changes state.
 - **FR-251-004 Workspace-owned persistence**: The system MUST store lifecycle state and rationale through the existing workspace settings infrastructure instead of introducing a new customer-account, subscription, or billing table.
 - **FR-251-005 Platform-managed mutation**: Only authorized platform users MAY change or override lifecycle state in this slice, and the workspace or tenant admin plane MUST NOT become a self-service lifecycle control surface.
 - **FR-251-006 Decision shape**: The effective lifecycle decision MUST include the state, source, operator-visible rationale, last changed attribution, and a summary of which in-scope behaviors are currently warned, allowed, or blocked.
 - **FR-251-007 State precedence**: Lifecycle state MUST apply after the existing entitlement substrate and MAY only warn or restrict. It MUST NOT expand access beyond what the underlying entitlement decision already allows.
 - **FR-251-008 Onboarding activation gate**: Managed-tenant onboarding activation MUST consult the shared lifecycle decision before mutation. `grace` and `suspended_read_only` MUST block activation before any tenant activation state changes occur.
 - **FR-251-009 Review-pack start gate**: `Generate pack`, `Regenerate`, and `Export executive pack` MUST consult the shared lifecycle decision before creating or reusing a `ReviewPack` or `OperationRun`. `suspended_read_only` MUST block those actions before any new run or artifact start occurs.
 - **FR-251-010 Grace semantics**: `grace` MUST have a distinct behavioral consequence from `active_paid` by freezing new managed-tenant onboarding activation while leaving in-scope review-pack start behavior under the existing entitlement substrate.
 - **FR-251-011 Suspended read-only semantics**: `suspended_read_only` MUST block onboarding activation and review-pack start actions while preserving authorized read-only access to existing review history, evidence, and already-generated review-pack consumption.
 - **FR-251-012 In-flight behavior boundary**: A lifecycle state change to `suspended_read_only` MUST affect future start attempts only in this slice and MUST NOT retroactively cancel already-created review-pack runs.
 - **FR-251-013 Message semantics**: Gated surfaces MUST clearly distinguish lifecycle business-state blocking from entitlement-limit blocking and from authorization failure.
 - **FR-251-014 System visibility**: The system workspace detail surface MUST show the current lifecycle state, rationale, affected behavior summary, and last changed attribution to authorized platform users.
 - **FR-251-015 Auditability**: Every lifecycle state change and manual override MUST create an auditable record containing old state, new state, actor, and rationale.
 - **FR-251-016 No scattered lifecycle conditionals**: Onboarding, review-pack generation, and preserved read-only surfaces MUST use the shared lifecycle decision rather than local page-specific commercial booleans.
 - **FR-251-017 Bounded non-goals**: This slice MUST NOT introduce payment providers, invoices, taxes, accounting, checkout, public pricing, website work, customer-account modeling, broad billing automation, or broad entitlement spread beyond the in-scope behaviors above.
 ## UI Action Matrix *(mandatory when Filament is changed)*
 | Surface | Location | Header Actions | Inspect Affordance (List/Table) | Row Actions (max 2 visible) | Bulk Actions (grouped) | Empty-State CTA(s) | View Header Actions | Create/Edit Save+Cancel | Audit log? | Notes / Exemptions |
 |---|---|---|---|---|---|---|---|---|---|---|
 | Platform workspace commercial-state controls | existing system workspace detail surface | none on collection | dedicated detail route | none | none | N/A | `Change commercial state` with bounded state selection and rationale; `Suspended / read-only` path requires explicit confirmation | N/A | yes | Existing system-detail exception remains bounded to one platform mutation surface |
 | Managed tenant onboarding activation gate | existing onboarding wizard completion step | existing back-navigation and tenant links | N/A - guided workflow | none | none | existing onboarding start state unchanged | `Complete onboarding` remains the primary action and becomes lifecycle-gated | N/A | yes - existing onboarding activation audit path | Existing wizard exception remains valid |
 | Review-pack generation entry family | existing tenant dashboard, review register, tenant review detail, and review-pack detail/registry surfaces | current `Generate pack`, `Regenerate`, and `Export executive pack` actions stay primary where already present | existing registry/detail affordances remain unchanged | existing `View` or `Download` shortcuts remain secondary where already present | none | existing `Generate` CTA remains where already present | existing start actions are lifecycle-gated; `View` and `Download` remain outside the blocked-start gate | N/A | no new audit requirement for blocked attempts | Grouped action family stays consistent and does not invent new local start actions |
 | Existing read-only review, evidence, and generated-pack consumption surfaces | existing review/evidence/detail/download surfaces | none | existing detail routes | existing `View` or `Download` actions remain available under current RBAC | none | N/A | existing read-only view/download actions remain available during suspension | N/A | no new audit action; read-only continuation only | No new surface is created; the slice only preserves availability semantics |
 ### Key Entities *(include if feature involves data)*
 - **Workspace Commercial Lifecycle Setting**: Workspace-owned commercial posture consisting of lifecycle state, rationale, and last change attribution, persisted through the existing workspace settings infrastructure.
 - **Effective Commercial Lifecycle Decision**: Derived decision that overlays the existing entitlement substrate and answers whether in-scope behaviors are allowed, warned, or blocked, plus why.
 ## Success Criteria *(mandatory)*
 ### Measurable Outcomes
 - **SC-001**: Authorized platform operators can inspect and change a workspace commercial lifecycle state from one system workspace detail surface and see the updated state plus rationale immediately afterward.
 - **SC-002**: Authorized workspace operators can determine in under 30 seconds whether onboarding activation or review-pack start is blocked by commercial state rather than by missing permission or underlying entitlement limits.
 - **SC-003**: 100% of `suspended_read_only` blocked onboarding or review-pack start attempts stop before activation mutation or new run/artifact creation, while authorized readers still retain access to already-generated history and evidence.
 - **SC-004**: Every commercial lifecycle state change produces one auditable old-state to new-state record with actor and rationale, and platform support can inspect that state from one canonical system surface.
--- a/specs/251-commercial-entitlements-billing-state/tasks.md
+++ b/specs/251-commercial-entitlements-billing-state/tasks.md
@ -0,0 +1,190 @@
 ---
 description: "Task list for feature implementation"
 ---
 # Tasks: Commercial Entitlements and Billing-State Maturity
 **Input**: Design documents from `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/`
 **Prerequisites**: `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/plan.md` (required), `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/spec.md` (required), `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/checklists/requirements.md` (required), `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/research.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/data-model.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/contracts/workspace-commercial-lifecycle-overlay.logical.openapi.yaml`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/quickstart.md`
 **Tests**: Required (Pest) for all runtime behavior changes. Keep proof in focused `Unit` plus `Feature` lanes only, using the targeted Sail commands already captured in the feature spec, plan, and quickstart artifacts.
 ## Test Governance Notes
 - Lane assignment: `fast-feedback` and `confidence` are the narrowest sufficient proof for resolver precedence, system-plane mutation, onboarding gating, review-pack start blocking, and preserved suspended read-only continuation.
 - Keep new coverage inside `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Unit/Entitlements/` plus focused `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/System/`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Onboarding/`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ReviewPack/`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Reviews/`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Evidence/`; do not widen this slice into browser or heavy-governance families.
 - Reuse existing workspace, platform-user, workspace-member, onboarding-draft, tenant, review-pack, and evidence fixtures; any new helper or factory state must stay opt-in and cheap by default.
 - If implementation needs a bounded exception for blocked-decision transport or preserved read-only scope, record `document-in-feature` or `follow-up-spec` in the final close-out task instead of widening feature scope.
 ## Scope Control Notes
 - Keep implementation inside one commercial lifecycle overlay, one system-plane lifecycle mutation surface, managed-tenant onboarding activation gating, review-pack generation/regeneration/export gating, and preserved read-only review/evidence/download semantics while suspended.
 - Do not add payment provider, invoicing, checkout, website, customer-account, localization, external support-desk handoff, or broad billing-platform work.
 ---
 ## Phase 1: Setup (Shared Infrastructure)
 **Purpose**: Lock the bounded slice, contract semantics, and validation plan before runtime edits begin.
 - [x] T001 Review the bounded slice, explicit non-goals, scope-control decisions, and review outcomes in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/spec.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/plan.md`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/checklists/requirements.md`
 - [x] T002 [P] Review the lifecycle-state model, system/admin split, preserved read-only contract, and 404 versus 403 versus business-state semantics in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/research.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/data-model.md`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/contracts/workspace-commercial-lifecycle-overlay.logical.openapi.yaml`
 - [x] T003 [P] Confirm the focused Sail/Pest proof commands and reviewer scenarios in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/quickstart.md`
 ---
 ## Phase 2: Foundational (Blocking Prerequisites)
 **Purpose**: Add the shared lifecycle primitives that every user story depends on.
 **⚠️ CRITICAL**: No user story work should begin until this phase is complete.
 - [x] T004 [P] Register the commercial lifecycle state and rationale setting definitions, validation metadata, and operator-facing labels in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Settings/SettingsRegistry.php`
 - [x] T005 [P] Add the bounded four-state catalog, action-decision matrix, and shared overlay resolution logic in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Entitlements/WorkspaceCommercialLifecycleResolver.php`
 - [x] T006 Thread lifecycle setting resolution, default `active_paid` fallback, and lifecycle change attribution through `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Settings/SettingsResolver.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Settings/SettingsWriter.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Entitlements/WorkspaceCommercialLifecycleResolver.php`
 **Checkpoint**: Foundation ready. User story work can now proceed independently without inventing local lifecycle state.
 ---
 ## Phase 3: User Story 1 - Set Workspace Commercial State Centrally (Priority: P1) 🎯 MVP
 **Goal**: Let an authorized platform operator inspect and change one workspace commercial lifecycle state from the existing system workspace detail surface.
 **Independent Test**: Open `/system/directory/workspaces/{workspace}` as an authorized and unauthorized platform actor, change the lifecycle state with rationale, and verify the page shows current state, affected behavior summary, last-changed attribution, and audit-backed mutation semantics without creating a second control plane.
 ### Tests for User Story 1
 - [x] T007 [P] [US1] Add unit coverage for default `active_paid` fallback, explicit stored states, `default_active_paid` versus `workspace_setting` source resolution, grace versus suspended action outcomes, and last-change attribution in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Unit/Entitlements/WorkspaceCommercialLifecycleResolverTest.php`
 - [x] T008 [P] [US1] Extend system-plane feature coverage for lifecycle summary and source-label rendering, capability-gated mutation, confirmation plus rationale validation for every explicit transition, and 404 versus 403 semantics in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/System/ViewWorkspaceEntitlementsTest.php` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/System/Spec113/AuthorizationSemanticsTest.php`
 ### Implementation for User Story 1
 - [x] T009 [US1] Add the dedicated commercial-lifecycle management capability and apply it to the system workspace detail action surface in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Auth/PlatformCapabilities.php` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/System/Pages/Directory/ViewWorkspace.php`
 - [x] T010 [US1] Project the shared lifecycle state, source label, rationale, affected-behavior summary, and last-changed attribution onto `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/System/Pages/Directory/ViewWorkspace.php` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/resources/views/filament/system/pages/directory/view-workspace.blade.php`
 - [x] T011 [US1] Add the confirmation-protected `Change commercial state` action with audited old/new state writes and rationale validation for every explicit lifecycle transition in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/System/Pages/Directory/ViewWorkspace.php` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Settings/SettingsWriter.php`
 **Checkpoint**: User Story 1 is independently functional when the system plane exposes one canonical lifecycle decision and one audited mutation path.
 ---
 ## Phase 4: User Story 2 - Truthfully Gate Managed-Tenant Activation (Priority: P1)
 **Goal**: Keep onboarding completion visible to otherwise authorized workspace actors while blocking activation with business-state truth when `grace` or `suspended_read_only` freezes expansion.
 **Independent Test**: Seed workspaces in `trial`, `active_paid`, `grace`, and `suspended_read_only`, open the existing onboarding completion step, and verify that activation is either allowed or blocked with the correct lifecycle explanation before any tenant activation mutation occurs.
 ### Tests for User Story 2
 - [x] T012 [P] [US2] Extend onboarding feature coverage for trial/active allow, grace block, suspended block, and 404 versus 403 versus business-state outcomes in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Onboarding/ManagedTenantOnboardingEntitlementTest.php` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Onboarding/OnboardingRbacSemanticsTest.php`
 ### Implementation for User Story 2
 - [x] T013 [US2] Project the shared lifecycle decision onto the onboarding completion step and helper text in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php`
 - [x] T014 [US2] Enforce lifecycle blocking before any tenant activation mutation or onboarding completion audit path in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php`
 - [x] T015 [US2] Keep grace and suspended explanations distinct from entitlement-limit and authorization failures by sourcing block messaging from `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Entitlements/WorkspaceCommercialLifecycleResolver.php` inside `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php`
 **Checkpoint**: User Story 2 is independently functional when onboarding activation exposes one truthful lifecycle decision and never mutates tenant state after a commercial-state block.
 ---
 ## Phase 5: User Story 3 - Block New Review-Pack Starts While Preserving Read-Only History (Priority: P2)
 **Goal**: Reuse one lifecycle decision for `Generate pack`, `Regenerate`, and `Export executive pack` while keeping current review, evidence, and already-generated pack consumption available under existing RBAC during suspension.
 **Independent Test**: Switch a workspace with existing review history, evidence, and generated packs to `suspended_read_only`, verify that all in-scope start actions block before any new `ReviewPack` or `OperationRun` write occurs, and confirm that authorized actors can still view or download existing artifacts.
 ### Tests for User Story 3
 - [x] T016 [P] [US3] Extend review-pack feature coverage for allowed `trial`/`active_paid`, warned-but-allowed `grace` starts, blocked `suspended_read_only` starts, no new `ReviewPack` or `OperationRun` writes, no queued or terminal notification on blocked starts, and already queued or running review-pack work remaining unaffected by later suspension in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ReviewPack/ReviewPackEntitlementEnforcementTest.php` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ReviewPack/ReviewPackGenerationTest.php`
 - [x] T017 [P] [US3] Extend suspended read-only consumption coverage for customer review workspace access, current pack download, and evidence snapshot detail access in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Reviews/CustomerReviewWorkspacePageTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Reviews/CustomerReviewWorkspacePackAccessTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ReviewPack/ReviewPackDownloadTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Evidence/EvidenceSnapshotResourceTest.php`
 ### Implementation for User Story 3
 - [x] T018 [US3] Enforce lifecycle gating before any new `ReviewPack`, `OperationRun`, or blocked-start notification path and reuse the existing blocked-decision transport instead of adding a second exception path while leaving already-created runs unaffected in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/ReviewPackService.php` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Exceptions/Entitlements/WorkspaceEntitlementBlockedException.php`
 - [x] T019 [P] [US3] Project lifecycle allow/warn/block messaging onto the tenant dashboard and review register start surfaces in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Widgets/Tenant/TenantReviewPackCard.php` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Pages/Reviews/ReviewRegister.php`
 - [x] T020 [P] [US3] Gate `Generate pack`, `Regenerate`, and `Export executive pack` actions while keeping `View` and `Download` affordances unchanged in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Resources/TenantReviewResource.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Resources/TenantReviewResource/Pages/ViewTenantReview.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Resources/ReviewPackResource.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Resources/ReviewPackResource/Pages/ListReviewPacks.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php`
 - [x] T021 [US3] Preserve suspended read-only review history, evidence, and generated-pack consumption without widening into a broader suspension sweep in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Resources/TenantReviewResource/Pages/ViewTenantReview.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Resources/EvidenceSnapshotResource/Pages/ViewEvidenceSnapshot.php`
 **Checkpoint**: User Story 3 is independently functional when all in-scope start actions share one lifecycle gate and suspended workspaces still retain safe read-only access to existing history and evidence.
 ---
 ## Phase 6: Polish & Cross-Cutting Concerns
 **Purpose**: Run the narrow validation lanes, format touched files, and capture the feature-local close-out without widening scope.
 - [x] T022 Run the targeted unit Sail/Pest command from `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/plan.md` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/quickstart.md` against `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Unit/Entitlements/WorkspaceCommercialLifecycleResolverTest.php`
 - [x] T023 Run the targeted system-plane and onboarding Sail/Pest command from `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/plan.md` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/quickstart.md` against `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/System/ViewWorkspaceEntitlementsTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/System/Spec113/AuthorizationSemanticsTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Onboarding/ManagedTenantOnboardingEntitlementTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Onboarding/OnboardingRbacSemanticsTest.php`
 - [x] T024 Run the targeted review-pack, blocked-start no-notification, in-flight-boundary, and preserved-read-only Sail/Pest command from `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/plan.md` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/quickstart.md` against `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ReviewPack/ReviewPackEntitlementEnforcementTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ReviewPack/ReviewPackGenerationTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ReviewPack/ReviewPackDownloadTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Reviews/CustomerReviewWorkspacePageTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Reviews/CustomerReviewWorkspacePackAccessTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Evidence/EvidenceSnapshotResourceTest.php`
 - [x] T025 Run dirty-only Pint through Sail for touched platform files using the command recorded in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/quickstart.md`
 - [x] T026 Record the final guardrail close-out, lane results, workflow outcome (`keep` unless implementation proves otherwise), and any bounded `document-in-feature` or `follow-up-spec` note for blocked-decision transport or preserved read-only scope in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/plan.md` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/251-commercial-entitlements-billing-state/checklists/requirements.md`
 ---
 ## Dependencies & Execution Order
 ### Phase Dependencies
 - **Phase 1 (Setup)**: starts immediately.
 - **Phase 2 (Foundational)**: depends on Phase 1 and blocks all user stories.
 - **Phase 3 (US1)**, **Phase 4 (US2)**, and **Phase 5 (US3)**: each depends on Phase 2 and is independently testable after the shared lifecycle setting and resolver primitives exist.
 - **Phase 6 (Polish)**: depends on all desired user stories being complete.
 ### User Story Dependencies
 - **US1 (P1)**: first shippable increment once Phase 2 is complete.
 - **US2 (P1)**: independently testable after Phase 2 and should follow US1 in the main implementation loop because the system-plane lifecycle vocabulary and audit semantics become canonical there.
 - **US3 (P2)**: independently testable after Phase 2 and should merge after US1 because review-pack surfaces must reuse the same lifecycle vocabulary and blocked-decision transport.
 ### Within Each User Story
 - Write the listed Pest coverage first and make it fail for the intended gap before implementation.
 - Complete the shared service or enforcement seam before wiring multiple UI entry points that depend on it.
 - Re-run the narrowest relevant proof command after each story checkpoint before moving to the next story.
 ---
 ## Parallel Opportunities
 ### Phase 1
 - T002 and T003 can run in parallel after T001 confirms the bounded slice.
 ### Phase 2
 - T004 and T005 can run in parallel.
 - T006 should follow once the lifecycle setting keys and resolver shape exist.
 ### User Story 1
 - T007 and T008 can run in parallel.
 - T009 can proceed before T010 and T011, but T010 and T011 should stay coordinated because both touch `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/System/Pages/Directory/ViewWorkspace.php`.
 ### User Story 2
 - T012 can run in parallel with any remaining US1 validation once Phase 2 is complete.
 - T013, T014, and T015 should stay sequential because they all tighten the same onboarding completion boundary.
 ### User Story 3
 - T016 and T017 can run in parallel.
 - After T018 establishes the service-level gate, T019 and T020 can run in parallel.
 - T021 should follow the shared start-gate work so preserved read-only semantics stay bounded to existing consumption surfaces.
 ---
 ## Implementation Strategy
 ### Suggested MVP Scope
 - MVP = **Phase 2 + User Story 1 + User Story 2**. This is the smallest slice that creates canonical lifecycle truth, exposes the one platform-side mutation surface, and proves a real business-state consequence (`grace` / `suspended_read_only` onboarding activation gating) without yet widening into review-pack and preserved-history follow-up.
 ### Incremental Delivery
 1. Complete Phase 1 and Phase 2.
 2. Deliver US1 and validate system-plane lifecycle mutation plus audit semantics.
 3. Deliver US2 and validate onboarding business-state gating.
 4. Deliver US3 and validate review-pack start blocking plus preserved suspended read-only history/evidence/download access.
 5. Finish with Phase 6 validation, formatting, and feature-local close-out recording.
Author	SHA1	Message	Date
Ahmed Darrazi	606e9760dd	feat: implement workspace commercial lifecycle overlay Some checks failed PR Fast Feedback / fast-feedback (pull_request) Failing after 1m45s Details	2026-04-28 15:29:50 +02:00
Ahmed Darrazi	4325e1ed8d	Merge remote-tracking branch 'origin/dev' into platform-dev	2026-04-28 12:18:08 +02:00
Ahmed Darrazi	4ae4c2ee95	chore: add gitea MCP helper script Some checks failed PR Fast Feedback / fast-feedback (pull_request) Failing after 58s Details	2026-04-28 09:26:51 +02:00
Ahmed Darrazi	32b6dcb937	Merge remote-tracking branch 'origin/dev' into platform-dev	2026-04-28 09:22:09 +02:00
Ahmed Darrazi	f7bc4f2787	Merge remote-tracking branch 'origin/dev' into platform-dev	2026-04-27 23:22:08 +02:00
Ahmed Darrazi	0739018ee5	Merge remote-tracking branch 'origin/dev' into platform-dev	2026-04-27 19:36:43 +02:00
Ahmed Darrazi	9a02261f5c	Merge remote-tracking branch 'origin/dev' into platform-dev	2026-04-27 15:03:58 +02:00
Ahmed Darrazi	65ec1d5904	Merge remote-tracking branch 'origin/dev' into platform-dev	2026-04-27 10:33:23 +02:00
Ahmed Darrazi	f05857c276	Merge remote-tracking branch 'origin/dev' into platform-dev	2026-04-27 02:13:30 +02:00
Ahmed Darrazi	9f5d3293c5	Merge remote-tracking branch 'origin/dev' into platform-dev	2026-04-26 22:53:42 +02:00