Merge remote-tracking branch 'origin/dev' into 214-governance-outcome-compression

# Conflicts: # .github/agents/copilot-instructions.md
feat: compress governance operator outcomes
2026-04-19 14:23:16 +02:00 · 2026-04-19 14:15:11 +02:00
994 changed files with 7699 additions and 103491 deletions
--- a/.agents/skills/speckit-git-commit/SKILL.md
+++ b/.agents/skills/speckit-git-commit/SKILL.md
@ -1,53 +0,0 @@
 ---
 name: speckit-git-commit
 description: Auto-commit changes after a Spec Kit command completes
 compatibility: Requires spec-kit project structure with .specify/ directory
 metadata:
  author: github-spec-kit
  source: git:commands/speckit.git.commit.md
 ---
 # Auto-Commit Changes
 Automatically stage and commit all changes after a Spec Kit command completes.
 ## Behavior
 This command is invoked as a hook after (or before) core commands. It:
 1. Determines the event name from the hook context (e.g., if invoked as an `after_specify` hook, the event is `after_specify`; if `before_plan`, the event is `before_plan`)
 2. Checks `.specify/extensions/git/git-config.yml` for the `auto_commit` section
 3. Looks up the specific event key to see if auto-commit is enabled
 4. Falls back to `auto_commit.default` if no event-specific key exists
 5. Uses the per-command `message` if configured, otherwise a default message
 6. If enabled and there are uncommitted changes, runs `git add .` + `git commit`
 ## Execution
 Determine the event name from the hook that triggered this command, then run the script:
 - **Bash**: `.specify/extensions/git/scripts/bash/auto-commit.sh <event_name>`
 - **PowerShell**: `.specify/extensions/git/scripts/powershell/auto-commit.ps1 <event_name>`
 Replace `<event_name>` with the actual hook event (e.g., `after_specify`, `before_plan`, `after_implement`).
 ## Configuration
 In `.specify/extensions/git/git-config.yml`:
 ```yaml
 auto_commit:
  default: false          # Global toggle — set true to enable for all commands
  after_specify:
    enabled: true          # Override per-command
    message: "[Spec Kit] Add specification"
  after_plan:
    enabled: false
    message: "[Spec Kit] Add implementation plan"
 ```
 ## Graceful Degradation
 - If Git is not available or the current directory is not a repository: skips with a warning
 - If no config file exists: skips (disabled by default)
 - If no changes to commit: skips with a message
--- a/.agents/skills/speckit-git-feature/SKILL.md
+++ b/.agents/skills/speckit-git-feature/SKILL.md
@ -1,72 +0,0 @@
 ---
 name: speckit-git-feature
 description: Create a feature branch with sequential or timestamp numbering
 compatibility: Requires spec-kit project structure with .specify/ directory
 metadata:
  author: github-spec-kit
  source: git:commands/speckit.git.feature.md
 ---
 # Create Feature Branch
 Create and switch to a new git feature branch for the given specification. This command handles **branch creation only** — the spec directory and files are created by the core `/speckit.specify` workflow.
 ## User Input
 ```text
 $ARGUMENTS
 ```
 You **MUST** consider the user input before proceeding (if not empty).
 ## Environment Variable Override
 If the user explicitly provided `GIT_BRANCH_NAME` (e.g., via environment variable, argument, or in their request), pass it through to the script by setting the `GIT_BRANCH_NAME` environment variable before invoking the script. When `GIT_BRANCH_NAME` is set:
 - The script uses the exact value as the branch name, bypassing all prefix/suffix generation
 - `--short-name`, `--number`, and `--timestamp` flags are ignored
 - `FEATURE_NUM` is extracted from the name if it starts with a numeric prefix, otherwise set to the full branch name
 ## Prerequisites
 - Verify Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
 - If Git is not available, warn the user and skip branch creation
 ## Branch Numbering Mode
 Determine the branch numbering strategy by checking configuration in this order:
 1. Check `.specify/extensions/git/git-config.yml` for `branch_numbering` value
 2. Check `.specify/init-options.json` for `branch_numbering` value (backward compatibility)
 3. Default to `sequential` if neither exists
 ## Execution
 Generate a concise short name (2-4 words) for the branch:
 - Analyze the feature description and extract the most meaningful keywords
 - Use action-noun format when possible (e.g., "add-user-auth", "fix-payment-bug")
 - Preserve technical terms and acronyms (OAuth2, API, JWT, etc.)
 Run the appropriate script based on your platform:
 - **Bash**: `.specify/extensions/git/scripts/bash/create-new-feature.sh --json --short-name "<short-name>" "<feature description>"`
 - **Bash (timestamp)**: `.specify/extensions/git/scripts/bash/create-new-feature.sh --json --timestamp --short-name "<short-name>" "<feature description>"`
 - **PowerShell**: `.specify/extensions/git/scripts/powershell/create-new-feature.ps1 -Json -ShortName "<short-name>" "<feature description>"`
 - **PowerShell (timestamp)**: `.specify/extensions/git/scripts/powershell/create-new-feature.ps1 -Json -Timestamp -ShortName "<short-name>" "<feature description>"`
 **IMPORTANT**:
 - Do NOT pass `--number` — the script determines the correct next number automatically
 - Always include the JSON flag (`--json` for Bash, `-Json` for PowerShell) so the output can be parsed reliably
 - You must only ever run this script once per feature
 - The JSON output will contain `BRANCH_NAME` and `FEATURE_NUM`
 ## Graceful Degradation
 If Git is not installed or the current directory is not a Git repository:
 - Branch creation is skipped with a warning: `[specify] Warning: Git repository not detected; skipped branch creation`
 - The script still outputs `BRANCH_NAME` and `FEATURE_NUM` so the caller can reference them
 ## Output
 The script outputs JSON with:
 - `BRANCH_NAME`: The branch name (e.g., `003-user-auth` or `20260319-143022-user-auth`)
 - `FEATURE_NUM`: The numeric or timestamp prefix used
--- a/.agents/skills/speckit-git-initialize/SKILL.md
+++ b/.agents/skills/speckit-git-initialize/SKILL.md
@ -1,54 +0,0 @@
 ---
 name: speckit-git-initialize
 description: Initialize a Git repository with an initial commit
 compatibility: Requires spec-kit project structure with .specify/ directory
 metadata:
  author: github-spec-kit
  source: git:commands/speckit.git.initialize.md
 ---
 # Initialize Git Repository
 Initialize a Git repository in the current project directory if one does not already exist.
 ## Execution
 Run the appropriate script from the project root:
 - **Bash**: `.specify/extensions/git/scripts/bash/initialize-repo.sh`
 - **PowerShell**: `.specify/extensions/git/scripts/powershell/initialize-repo.ps1`
 If the extension scripts are not found, fall back to:
 - **Bash**: `git init && git add . && git commit -m "Initial commit from Specify template"`
 - **PowerShell**: `git init; git add .; git commit -m "Initial commit from Specify template"`
 The script handles all checks internally:
 - Skips if Git is not available
 - Skips if already inside a Git repository
 - Runs `git init`, `git add .`, and `git commit` with an initial commit message
 ## Customization
 Replace the script to add project-specific Git initialization steps:
 - Custom `.gitignore` templates
 - Default branch naming (`git config init.defaultBranch`)
 - Git LFS setup
 - Git hooks installation
 - Commit signing configuration
 - Git Flow initialization
 ## Output
 On success:
 - `✓ Git repository initialized`
 ## Graceful Degradation
 If Git is not installed:
 - Warn the user
 - Skip repository initialization
 - The project continues to function without Git (specs can still be created under `specs/`)
 If Git is installed but `git init`, `git add .`, or `git commit` fails:
 - Surface the error to the user
 - Stop this command rather than continuing with a partially initialized repository
--- a/.agents/skills/speckit-git-remote/SKILL.md
+++ b/.agents/skills/speckit-git-remote/SKILL.md
@ -1,50 +0,0 @@
 ---
 name: speckit-git-remote
 description: Detect Git remote URL for GitHub integration
 compatibility: Requires spec-kit project structure with .specify/ directory
 metadata:
  author: github-spec-kit
  source: git:commands/speckit.git.remote.md
 ---
 # Detect Git Remote URL
 Detect the Git remote URL for integration with GitHub services (e.g., issue creation).
 ## Prerequisites
 - Check if Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
 - If Git is not available, output a warning and return empty:
  ```
  [specify] Warning: Git repository not detected; cannot determine remote URL
  ```
 ## Execution
 Run the following command to get the remote URL:
 ```bash
 git config --get remote.origin.url
 ```
 ## Output
 Parse the remote URL and determine:
 1. **Repository owner**: Extract from the URL (e.g., `github` from `https://github.com/github/spec-kit.git`)
 2. **Repository name**: Extract from the URL (e.g., `spec-kit` from `https://github.com/github/spec-kit.git`)
 3. **Is GitHub**: Whether the remote points to a GitHub repository
 Supported URL formats:
 - HTTPS: `https://github.com/<owner>/<repo>.git`
 - SSH: `git@github.com:<owner>/<repo>.git`
 > [!CAUTION]
 > ONLY report a GitHub repository if the remote URL actually points to github.com.
 > Do NOT assume the remote is GitHub if the URL format doesn't match.
 ## Graceful Degradation
 If Git is not installed, the directory is not a Git repository, or no remote is configured:
 - Return an empty result
 - Do NOT error — other workflows should continue without Git remote information
--- a/.agents/skills/speckit-git-validate/SKILL.md
+++ b/.agents/skills/speckit-git-validate/SKILL.md
@ -1,54 +0,0 @@
 ---
 name: speckit-git-validate
 description: Validate current branch follows feature branch naming conventions
 compatibility: Requires spec-kit project structure with .specify/ directory
 metadata:
  author: github-spec-kit
  source: git:commands/speckit.git.validate.md
 ---
 # Validate Feature Branch
 Validate that the current Git branch follows the expected feature branch naming conventions.
 ## Prerequisites
 - Check if Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
 - If Git is not available, output a warning and skip validation:
  ```
  [specify] Warning: Git repository not detected; skipped branch validation
  ```
 ## Validation Rules
 Get the current branch name:
 ```bash
 git rev-parse --abbrev-ref HEAD
 ```
 The branch name must match one of these patterns:
 1. **Sequential**: `^[0-9]{3,}-` (e.g., `001-feature-name`, `042-fix-bug`, `1000-big-feature`)
 2. **Timestamp**: `^[0-9]{8}-[0-9]{6}-` (e.g., `20260319-143022-feature-name`)
 ## Execution
 If on a feature branch (matches either pattern):
 - Output: `✓ On feature branch: <branch-name>`
 - Check if the corresponding spec directory exists under `specs/`:
  - For sequential branches, look for `specs/<prefix>-*` where prefix matches the numeric portion
  - For timestamp branches, look for `specs/<prefix>-*` where prefix matches the `YYYYMMDD-HHMMSS` portion
 - If spec directory exists: `✓ Spec directory found: <path>`
 - If spec directory missing: `⚠ No spec directory found for prefix <prefix>`
 If NOT on a feature branch:
 - Output: `✗ Not on a feature branch. Current branch: <branch-name>`
 - Output: `Feature branches should be named like: 001-feature-name or 20260319-143022-feature-name`
 ## Graceful Degradation
 If Git is not installed or the directory is not a Git repository:
 - Check the `SPECIFY_FEATURE` environment variable as a fallback
 - If set, validate that value against the naming patterns
 - If not set, skip validation with a warning
--- a/.codex/config.toml
+++ b/.codex/config.toml
@ -1,4 +1,4 @@
 [mcp_servers.laravel-boost]
-command = "./scripts/platform-sail"
+command = "vendor/bin/sail"
 args = ["artisan", "boost:mcp"]
-cwd = "/Users/ahmeddarrazi/Documents/projects/wt-plattform"
+cwd = "/Users/ahmeddarrazi/Documents/projects/TenantAtlas"
--- a/.gemini/commands/speckit.git.commit.toml
+++ b/.gemini/commands/speckit.git.commit.toml
@ -1,50 +0,0 @@
 description = "Auto-commit changes after a Spec Kit command completes"
 # Source: git
 prompt = """
 # Auto-Commit Changes
 Automatically stage and commit all changes after a Spec Kit command completes.
 ## Behavior
 This command is invoked as a hook after (or before) core commands. It:
 1. Determines the event name from the hook context (e.g., if invoked as an `after_specify` hook, the event is `after_specify`; if `before_plan`, the event is `before_plan`)
 2. Checks `.specify/extensions/git/git-config.yml` for the `auto_commit` section
 3. Looks up the specific event key to see if auto-commit is enabled
 4. Falls back to `auto_commit.default` if no event-specific key exists
 5. Uses the per-command `message` if configured, otherwise a default message
 6. If enabled and there are uncommitted changes, runs `git add .` + `git commit`
 ## Execution
 Determine the event name from the hook that triggered this command, then run the script:
 - **Bash**: `.specify/extensions/git/scripts/bash/auto-commit.sh <event_name>`
 - **PowerShell**: `.specify/extensions/git/scripts/powershell/auto-commit.ps1 <event_name>`
 Replace `<event_name>` with the actual hook event (e.g., `after_specify`, `before_plan`, `after_implement`).
 ## Configuration
 In `.specify/extensions/git/git-config.yml`:
 ```yaml
 auto_commit:
  default: false          # Global toggle — set true to enable for all commands
  after_specify:
    enabled: true          # Override per-command
    message: "[Spec Kit] Add specification"
  after_plan:
    enabled: false
    message: "[Spec Kit] Add implementation plan"
 ```
 ## Graceful Degradation
 - If Git is not available or the current directory is not a repository: skips with a warning
 - If no config file exists: skips (disabled by default)
 - If no changes to commit: skips with a message
 """
--- a/.gemini/commands/speckit.git.feature.toml
+++ b/.gemini/commands/speckit.git.feature.toml
@ -1,69 +0,0 @@
 description = "Create a feature branch with sequential or timestamp numbering"
 # Source: git
 prompt = """
 # Create Feature Branch
 Create and switch to a new git feature branch for the given specification. This command handles **branch creation only** — the spec directory and files are created by the core `/speckit.specify` workflow.
 ## User Input
 ```text
 {{args}}
 ```
 You **MUST** consider the user input before proceeding (if not empty).
 ## Environment Variable Override
 If the user explicitly provided `GIT_BRANCH_NAME` (e.g., via environment variable, argument, or in their request), pass it through to the script by setting the `GIT_BRANCH_NAME` environment variable before invoking the script. When `GIT_BRANCH_NAME` is set:
 - The script uses the exact value as the branch name, bypassing all prefix/suffix generation
 - `--short-name`, `--number`, and `--timestamp` flags are ignored
 - `FEATURE_NUM` is extracted from the name if it starts with a numeric prefix, otherwise set to the full branch name
 ## Prerequisites
 - Verify Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
 - If Git is not available, warn the user and skip branch creation
 ## Branch Numbering Mode
 Determine the branch numbering strategy by checking configuration in this order:
 1. Check `.specify/extensions/git/git-config.yml` for `branch_numbering` value
 2. Check `.specify/init-options.json` for `branch_numbering` value (backward compatibility)
 3. Default to `sequential` if neither exists
 ## Execution
 Generate a concise short name (2-4 words) for the branch:
 - Analyze the feature description and extract the most meaningful keywords
 - Use action-noun format when possible (e.g., "add-user-auth", "fix-payment-bug")
 - Preserve technical terms and acronyms (OAuth2, API, JWT, etc.)
 Run the appropriate script based on your platform:
 - **Bash**: `.specify/extensions/git/scripts/bash/create-new-feature.sh --json --short-name "<short-name>" "<feature description>"`
 - **Bash (timestamp)**: `.specify/extensions/git/scripts/bash/create-new-feature.sh --json --timestamp --short-name "<short-name>" "<feature description>"`
 - **PowerShell**: `.specify/extensions/git/scripts/powershell/create-new-feature.ps1 -Json -ShortName "<short-name>" "<feature description>"`
 - **PowerShell (timestamp)**: `.specify/extensions/git/scripts/powershell/create-new-feature.ps1 -Json -Timestamp -ShortName "<short-name>" "<feature description>"`
 **IMPORTANT**:
 - Do NOT pass `--number` — the script determines the correct next number automatically
 - Always include the JSON flag (`--json` for Bash, `-Json` for PowerShell) so the output can be parsed reliably
 - You must only ever run this script once per feature
 - The JSON output will contain `BRANCH_NAME` and `FEATURE_NUM`
 ## Graceful Degradation
 If Git is not installed or the current directory is not a Git repository:
 - Branch creation is skipped with a warning: `[specify] Warning: Git repository not detected; skipped branch creation`
 - The script still outputs `BRANCH_NAME` and `FEATURE_NUM` so the caller can reference them
 ## Output
 The script outputs JSON with:
 - `BRANCH_NAME`: The branch name (e.g., `003-user-auth` or `20260319-143022-user-auth`)
 - `FEATURE_NUM`: The numeric or timestamp prefix used
 """
--- a/.gemini/commands/speckit.git.initialize.toml
+++ b/.gemini/commands/speckit.git.initialize.toml
@ -1,51 +0,0 @@
 description = "Initialize a Git repository with an initial commit"
 # Source: git
 prompt = """
 # Initialize Git Repository
 Initialize a Git repository in the current project directory if one does not already exist.
 ## Execution
 Run the appropriate script from the project root:
 - **Bash**: `.specify/extensions/git/scripts/bash/initialize-repo.sh`
 - **PowerShell**: `.specify/extensions/git/scripts/powershell/initialize-repo.ps1`
 If the extension scripts are not found, fall back to:
 - **Bash**: `git init && git add . && git commit -m "Initial commit from Specify template"`
 - **PowerShell**: `git init; git add .; git commit -m "Initial commit from Specify template"`
 The script handles all checks internally:
 - Skips if Git is not available
 - Skips if already inside a Git repository
 - Runs `git init`, `git add .`, and `git commit` with an initial commit message
 ## Customization
 Replace the script to add project-specific Git initialization steps:
 - Custom `.gitignore` templates
 - Default branch naming (`git config init.defaultBranch`)
 - Git LFS setup
 - Git hooks installation
 - Commit signing configuration
 - Git Flow initialization
 ## Output
 On success:
 - `✓ Git repository initialized`
 ## Graceful Degradation
 If Git is not installed:
 - Warn the user
 - Skip repository initialization
 - The project continues to function without Git (specs can still be created under `specs/`)
 If Git is installed but `git init`, `git add .`, or `git commit` fails:
 - Surface the error to the user
 - Stop this command rather than continuing with a partially initialized repository
 """
--- a/.gemini/commands/speckit.git.remote.toml
+++ b/.gemini/commands/speckit.git.remote.toml
@ -1,47 +0,0 @@
 description = "Detect Git remote URL for GitHub integration"
 # Source: git
 prompt = """
 # Detect Git Remote URL
 Detect the Git remote URL for integration with GitHub services (e.g., issue creation).
 ## Prerequisites
 - Check if Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
 - If Git is not available, output a warning and return empty:
  ```
  [specify] Warning: Git repository not detected; cannot determine remote URL
  ```
 ## Execution
 Run the following command to get the remote URL:
 ```bash
 git config --get remote.origin.url
 ```
 ## Output
 Parse the remote URL and determine:
 1. **Repository owner**: Extract from the URL (e.g., `github` from `https://github.com/github/spec-kit.git`)
 2. **Repository name**: Extract from the URL (e.g., `spec-kit` from `https://github.com/github/spec-kit.git`)
 3. **Is GitHub**: Whether the remote points to a GitHub repository
 Supported URL formats:
 - HTTPS: `https://github.com/<owner>/<repo>.git`
 - SSH: `git@github.com:<owner>/<repo>.git`
 > [!CAUTION]
 > ONLY report a GitHub repository if the remote URL actually points to github.com.
 > Do NOT assume the remote is GitHub if the URL format doesn't match.
 ## Graceful Degradation
 If Git is not installed, the directory is not a Git repository, or no remote is configured:
 - Return an empty result
 - Do NOT error — other workflows should continue without Git remote information
 """
--- a/.gemini/commands/speckit.git.validate.toml
+++ b/.gemini/commands/speckit.git.validate.toml
@ -1,51 +0,0 @@
 description = "Validate current branch follows feature branch naming conventions"
 # Source: git
 prompt = """
 # Validate Feature Branch
 Validate that the current Git branch follows the expected feature branch naming conventions.
 ## Prerequisites
 - Check if Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
 - If Git is not available, output a warning and skip validation:
  ```
  [specify] Warning: Git repository not detected; skipped branch validation
  ```
 ## Validation Rules
 Get the current branch name:
 ```bash
 git rev-parse --abbrev-ref HEAD
 ```
 The branch name must match one of these patterns:
 1. **Sequential**: `^[0-9]{3,}-` (e.g., `001-feature-name`, `042-fix-bug`, `1000-big-feature`)
 2. **Timestamp**: `^[0-9]{8}-[0-9]{6}-` (e.g., `20260319-143022-feature-name`)
 ## Execution
 If on a feature branch (matches either pattern):
 - Output: `✓ On feature branch: <branch-name>`
 - Check if the corresponding spec directory exists under `specs/`:
  - For sequential branches, look for `specs/<prefix>-*` where prefix matches the numeric portion
  - For timestamp branches, look for `specs/<prefix>-*` where prefix matches the `YYYYMMDD-HHMMSS` portion
 - If spec directory exists: `✓ Spec directory found: <path>`
 - If spec directory missing: `⚠ No spec directory found for prefix <prefix>`
 If NOT on a feature branch:
 - Output: `✗ Not on a feature branch. Current branch: <branch-name>`
 - Output: `Feature branches should be named like: 001-feature-name or 20260319-143022-feature-name`
 ## Graceful Degradation
 If Git is not installed or the directory is not a Git repository:
 - Check the `SPECIFY_FEATURE` environment variable as a fallback
 - If set, validate that value against the naming patterns
 - If not set, skip validation with a warning
 """
--- a/.github/agents/copilot-instructions.md
+++ b/.github/agents/copilot-instructions.md
@ -216,56 +216,6 @@ ## Active Technologies
 - PostgreSQL via existing `baseline_snapshots`, `evidence_snapshots`, `evidence_snapshot_items`, `tenant_reviews`, `review_packs`, and `operation_runs` tables; no schema change planned (214-governance-outcome-compression)
 - Astro 6.0.0 templates + TypeScript 5.9 strict + Astro 6, Tailwind CSS v4 via `@tailwindcss/vite`, Astro content collections, local Astro layout/primitive/content helpers, Playwright smoke tests (215-website-core-pages)
 - Static filesystem pages, content modules, and Astro content collections under `apps/website/src` and `apps/website/public`; no database (215-website-core-pages)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + Filament Resources/Pages/Actions, Livewire 4, Pest 4, `ProviderOperationStartGate`, `ProviderOperationRegistry`, `ProviderConnectionResolver`, `OperationRunService`, `ProviderNextStepsRegistry`, `ReasonPresenter`, `OperationUxPresenter`, `OperationRunLinks` (216-provider-dispatch-gate)
 - PostgreSQL via existing `operation_runs`, `provider_connections`, `managed_tenant_onboarding_sessions`, `restore_runs`, and tenant-owned runtime records; no new tables planned (216-provider-dispatch-gate)
 - Astro 6.0.0 templates + TypeScript 5.9.x + Astro 6, Tailwind CSS v4, local Astro layout/section primitives, Astro content collections, Playwright browser smoke tests (217-homepage-structure)
 - Static filesystem content, Astro content collections, and assets under `apps/website/src` and `apps/website/public`; no database (217-homepage-structure)
 - Astro 6.0.0 templates + TypeScript 5.9.x + Astro 6, Tailwind CSS v4, existing Astro content modules and section primitives, Playwright browser smoke tests (218-homepage-hero)
 - Static filesystem content and assets under `apps/website/src` and `apps/website/public`; no database (218-homepage-hero)
 - PHP 8.4.15 / Laravel 12 + Filament v5, Livewire v4.0+, Pest v4, Tailwind CSS v4 (219-finding-ownership-semantics)
 - PostgreSQL via Sail; existing `findings.owner_user_id`, `findings.assignee_user_id`, and `finding_exceptions.owner_user_id` fields; no schema changes planned (219-finding-ownership-semantics)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4, Blade + Filament v5, Livewire v4, Pest v4, Laravel Sail, `TenantlessOperationRunViewer`, `OperationRunResource`, `ArtifactTruthPresenter`, `OperatorExplanationBuilder`, `ReasonPresenter`, `OperationUxPresenter`, `SummaryCountsNormalizer`, and the existing enterprise-detail builders (220-governance-run-summaries)
 - PostgreSQL via existing `operation_runs` plus related `baseline_snapshots`, `evidence_snapshots`, `tenant_reviews`, and `review_packs`; no schema changes planned (220-governance-run-summaries)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4, Blade + Filament admin panel pages, `Finding`, `FindingResource`, `WorkspaceOverviewBuilder`, `WorkspaceContext`, `WorkspaceCapabilityResolver`, `CapabilityResolver`, `CanonicalAdminTenantFilterState`, and `CanonicalNavigationContext` (221-findings-operator-inbox)
 - PostgreSQL via existing `findings`, `tenants`, `tenant_memberships`, and workspace context session state; no schema changes planned (221-findings-operator-inbox)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4, Blade + Filament admin pages/tables/actions/notifications, `Finding`, `FindingResource`, `FindingWorkflowService`, `FindingPolicy`, `CapabilityResolver`, `CanonicalAdminTenantFilterState`, `CanonicalNavigationContext`, `WorkspaceContext`, and `UiEnforcement` (222-findings-intake-team-queue)
 - PostgreSQL via existing `findings`, `tenants`, `tenant_memberships`, `audit_logs`, and workspace session context; no schema changes planned (222-findings-intake-team-queue)
 - TypeScript 5.9, Astro 6, Node.js 20+ + Astro, astro-icon, Tailwind CSS v4, Playwright 1.59 (223-astrodeck-website-rebuild)
 - File-based route files, Astro content collections under `src/content`, public assets, and planning documents under `specs/223-astrodeck-website-rebuild`; no database (223-astrodeck-website-rebuild)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4, Blade + Laravel notifications (`database` channel), Filament database notifications, `Finding`, `FindingWorkflowService`, `FindingSlaPolicy`, `AlertRule`, `AlertDelivery`, `AlertDispatchService`, `EvaluateAlertsJob`, `CapabilityResolver`, `WorkspaceContext`, `TenantMembership`, `FindingResource` (224-findings-notifications-escalation)
 - PostgreSQL via existing `findings`, `alert_rules`, `alert_deliveries`, `notifications`, `tenant_memberships`, and `audit_logs`; no schema changes planned (224-findings-notifications-escalation)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4, Blade + `Finding`, `FindingResource`, `MyFindingsInbox`, `FindingsIntakeQueue`, `WorkspaceOverviewBuilder`, `EnsureFilamentTenantSelected`, `FindingWorkflowService`, `AuditLog`, `TenantMembership`, Filament page and table primitives (225-assignment-hygiene)
 - PostgreSQL via existing `findings`, `audit_logs`, `tenant_memberships`, and `users`; no schema changes planned (225-assignment-hygiene)
 - Markdown artifacts + Astro 6.0.0 + TypeScript 5.9 context for source discovery + Repository spec workflow (`.specify`), Astro website source tree under `apps/website/src`, existing component taxonomy (`primitives`, `content`, `sections`, `layout`) (226-astrodeck-inventory-planning)
 - Filesystem only (`specs/226-astrodeck-inventory-planning/*`) (226-astrodeck-inventory-planning)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4, Blade + `App\Models\Finding`, `App\Filament\Resources\FindingResource`, `App\Services\Findings\FindingWorkflowService`, `App\Services\Baselines\BaselineAutoCloseService`, `App\Services\EntraAdminRoles\EntraAdminRolesFindingGenerator`, `App\Services\PermissionPosture\PermissionPostureFindingGenerator`, `App\Jobs\CompareBaselineToTenantJob`, `App\Filament\Pages\Reviews\ReviewRegister`, `App\Filament\Resources\TenantReviewResource`, `BadgeCatalog`, `BadgeRenderer`, `AuditLog` metadata via `AuditLogger` (231-finding-outcome-taxonomy)
 - PostgreSQL via existing `findings`, `finding_exceptions`, `tenant_reviews`, `stored_reports`, and audit-log tables; no schema changes planned (231-finding-outcome-taxonomy)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + Filament Resources/Pages/Widgets, Pest v4, `App\Support\OperationRunLinks`, `App\Support\System\SystemOperationRunLinks`, `App\Support\Navigation\CanonicalNavigationContext`, `App\Support\Navigation\RelatedNavigationResolver`, existing workspace and tenant authorization helpers (232-operation-run-link-contract)
 - PostgreSQL-backed existing `operation_runs`, `tenants`, and `workspaces` records plus current session-backed canonical navigation state; no new persistence (232-operation-run-link-contract)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + Filament widgets/resources/pages, Pest v4, `App\Models\OperationRun`, `App\Support\Operations\OperationRunFreshnessState`, `App\Services\Operations\OperationLifecycleReconciler`, `App\Support\OpsUx\OperationUxPresenter`, `App\Support\OpsUx\ActiveRuns`, `App\Support\Badges\BadgeCatalog` / `BadgeRenderer`, `App\Support\Workspaces\WorkspaceOverviewBuilder`, `App\Support\OperationRunLinks` (233-stale-run-visibility)
 - Existing PostgreSQL `operation_runs` records and current session/query-backed monitoring navigation state; no new persistence (233-stale-run-visibility)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + `App\Models\BaselineProfile`, `App\Support\Baselines\BaselineProfileStatus`, `App\Support\Badges\BadgeCatalog`, `App\Support\Badges\BadgeDomain`, `Database\Factories\TenantFactory`, `App\Console\Commands\SeedBackupHealthBrowserFixture`, existing tenant-truth and baseline-profile Pest tests (234-dead-transitional-residue)
 - Existing PostgreSQL `baseline_profiles` and `tenants` tables; no new persistence and no schema migration in this slice (234-dead-transitional-residue)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + `BaselineCaptureService`, `CaptureBaselineSnapshotJob`, `BaselineReasonCodes`, `BaselineCompareStats`, `ReasonTranslator`, `GovernanceRunDiagnosticSummaryBuilder`, `OperationRunService`, `BaselineProfile`, `BaselineSnapshot`, `OperationRunOutcome`, existing Filament capture/compare surfaces (235-baseline-capture-truth)
 - Existing PostgreSQL tables only; no new table or schema migration is planned in the mainline slice (235-baseline-capture-truth)
 - PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing governance domain models and builders, existing Evidence Snapshot and Tenant Review infrastructure (236-canonical-control-catalog-foundation)
 - PostgreSQL for existing downstream governance artifacts plus a product-seeded in-repo canonical control registry; no new DB-backed control authoring table in the first slice (236-canonical-control-catalog-foundation)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + existing provider seams under `App\Services\Providers` and `App\Services\Graph`, especially `ProviderGateway`, `ProviderIdentityResolver`, `ProviderIdentityResolution`, `PlatformProviderIdentityResolver`, `ProviderConnectionResolver`, `ProviderConnectionResolution`, `MicrosoftGraphOptionsResolver`, `ProviderOperationRegistry`, `ProviderOperationStartGate`, `GraphClientInterface`, Pest v4 (237-provider-boundary-hardening)
 - Existing PostgreSQL tables such as `provider_connections` and `operation_runs`; one new in-repo config catalog for provider-boundary ownership; no new database tables (237-provider-boundary-hardening)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + `ProviderConnectionResource`, `ManagedTenantOnboardingWizard`, `ProviderConnection`, `ProviderConnectionResolver`, `ProviderConnectionResolution`, `ProviderConnectionMutationService`, `ProviderConnectionStateProjector`, `ProviderIdentityResolver`, `ProviderIdentityResolution`, `PlatformProviderIdentityResolver`, `BadgeRenderer`, Pest v4 (238-provider-identity-target-scope)
 - Existing PostgreSQL tables such as `provider_connections`, `provider_credentials`, and existing audit tables; no new database tables planned (238-provider-identity-target-scope)
 - PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + existing `App\Support\OperationCatalog`, `App\Support\OperationRunType`, `App\Services\OperationRunService`, `App\Services\Providers\ProviderOperationRegistry`, `App\Services\Providers\ProviderOperationStartGate`, `App\Filament\Resources\OperationRunResource`, `App\Filament\Pages\Workspaces\ManagedTenantOnboardingWizard`, `App\Support\Filament\FilterOptionCatalog`, `App\Support\OpsUx\OperationUxPresenter`, `App\Support\References\Resolvers\OperationRunReferenceResolver`, `App\Services\Audit\AuditEventBuilder`, Pest v4 (239-canonical-operation-type-source-of-truth)
 - PostgreSQL via existing `operation_runs.type` and `managed_tenant_onboarding_sessions.state->bootstrap_operation_types`, plus config-backed `tenantpilot.operations.lifecycle.covered_types` and `tenantpilot.platform_vocabulary`; no new tables (239-canonical-operation-type-source-of-truth)
 - PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing onboarding services (`OnboardingLifecycleService`, `OnboardingDraftStageResolver`), provider connection summary, verification assist, and Ops-UX helpers (240-tenant-onboarding-readiness)
 - PostgreSQL via existing `managed_tenant_onboarding_sessions`, `provider_connections`, `operation_runs`, and stored permission-posture data; no new persistence planned (240-tenant-onboarding-readiness)
 - PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `OperationRunLinks`, `GovernanceRunDiagnosticSummaryBuilder`, `ProviderReasonTranslator`, `RelatedNavigationResolver`, `RedactionIntegrity`, `WorkspaceAuditLogger` (241-support-diagnostic-pack)
 - PostgreSQL via existing `operation_runs`, `provider_connections`, `findings`, `stored_reports`, `tenant_reviews`, `review_packs`, and `audit_logs`; no new persistence planned (241-support-diagnostic-pack)
 - PHP 8.4, Laravel 12 + Filament v5, Livewire v4, Pest v4, existing review/evidence/review-pack/audit/RBAC support services (249-customer-review-workspace)
 - PostgreSQL via existing `tenant_reviews`, `review_packs`, `evidence_snapshots`, findings / finding-exception truth, workspace memberships, and `audit_logs`; no new persistence planned (249-customer-review-workspace)
 - PHP 8.4 (Laravel 12) + Filament v5 + Livewire v4, existing workspace settings stack (`SettingsRegistry`, `SettingsResolver`, `SettingsWriter`), `WorkspaceEntitlementResolver`, `ReviewPackService`, system directory detail page (251-commercial-entitlements-billing-state)
 - PostgreSQL via existing `workspace_settings` rows plus existing audit log records; no new table or billing/account model (251-commercial-entitlements-billing-state)
 - PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `UiEnforcement`, `OperationUxPresenter`, `OperationRunService`, `OperationCatalog`, `SystemOperationRunLinks`, `OperationRunLinks`, `AuditRecorder`, `WorkspaceAuditLogger`, and `PlatformCapabilities` (253-remove-findings-backfill-runtime-surfaces)
 - PostgreSQL existing `findings`, `operation_runs`, `audit_logs`, and related runtime tables only; no new persistence, migration, or data backfill is planned (253-remove-findings-backfill-runtime-surfaces)
 - PHP 8.4.15 (feat/005-bulk-operations)
@ -300,20 +250,10 @@ ## Code Style
 PHP 8.4.15: Follow standard conventions
 ## Recent Changes
- 253-remove-findings-backfill-runtime-surfaces: Added PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `UiEnforcement`, `OperationUxPresenter`, `OperationRunService`, `OperationCatalog`, `SystemOperationRunLinks`, `OperationRunLinks`, `AuditRecorder`, `WorkspaceAuditLogger`, and `PlatformCapabilities`
+- 215-website-core-pages: Added Astro 6.0.0 templates + TypeScript 5.9 strict + Astro 6, Tailwind CSS v4 via `@tailwindcss/vite`, Astro content collections, local Astro layout/primitive/content helpers, Playwright smoke tests
- 251-commercial-entitlements-billing-state: Added PHP 8.4 (Laravel 12) + Filament v5 + Livewire v4, existing workspace settings stack (`SettingsRegistry`, `SettingsResolver`, `SettingsWriter`), `WorkspaceEntitlementResolver`, `ReviewPackService`, system directory detail page
+- 214-governance-outcome-compression: Added PHP 8.4.15, Laravel 12, Filament v5, Livewire v4, Blade + Filament v5, Livewire v4, Pest v4, Laravel Sail, `ArtifactTruthPresenter`, `ArtifactTruthEnvelope`, `OperatorExplanationBuilder`, `BaselineSnapshotPresenter`, `BadgeCatalog`, `BadgeRenderer`, existing governance Filament resources/pages, and current Enterprise Detail builders
- 249-customer-review-workspace: Added PHP 8.4, Laravel 12 + Filament v5, Livewire v4, Pest v4, existing review/evidence/review-pack/audit/RBAC support services
+- 213-website-foundation-v0: Added Astro 6.0.0 templates + TypeScript 5.x (explicit setup in `apps/website`) + Astro 6, Tailwind CSS v4, custom Astro component primitives (shadcn-inspired), lightweight Playwright browser smoke tests
 - 214-website-visual-foundation: Added Astro 6.0.0 templates + TypeScript 5.9 strict + Astro 6, Tailwind CSS v4 via `@tailwindcss/vite`, Astro content collections, local Astro component primitives, Playwright browser smoke tests
 - 201-enforcement-review-guardrails: Added Markdown governance artifacts, JSON Schema plus logical OpenAPI planning contracts, and Bash-backed SpecKit scripts inside a PHP 8.4.15 / Laravel 12 / Filament v5 / Livewire v4 repository + `.specify/memory/constitution.md`, `.specify/templates/spec-template.md`, `.specify/templates/plan-template.md`, `.specify/templates/tasks-template.md`, `.specify/templates/checklist-template.md`, `.specify/README.md`, `docs/ui/operator-ux-surface-standards.md`, and Specs 196 through 200
 <!-- MANUAL ADDITIONS START -->
 ### Pre-production compatibility check
 Before adding aliases, fallback readers, dual-write logic, migration shims, or legacy fixtures, verify all of the following:
 1. Do live production data exist?
 2. Is shared staging migration-relevant?
 3. Does an external contract depend on the old shape?
 4. Does the spec explicitly require compatibility behavior?
 If all answers are no, replace the old shape and remove the compatibility path.
 <!-- MANUAL ADDITIONS END -->
--- a/.github/agents/speckit.git.commit.agent.md
+++ b/.github/agents/speckit.git.commit.agent.md
@ -1,51 +0,0 @@
 ---
 description: Auto-commit changes after a Spec Kit command completes
 ---
 <!-- Extension: git -->
 <!-- Config: .specify/extensions/git/ -->
 # Auto-Commit Changes
 Automatically stage and commit all changes after a Spec Kit command completes.
 ## Behavior
 This command is invoked as a hook after (or before) core commands. It:
 1. Determines the event name from the hook context (e.g., if invoked as an `after_specify` hook, the event is `after_specify`; if `before_plan`, the event is `before_plan`)
 2. Checks `.specify/extensions/git/git-config.yml` for the `auto_commit` section
 3. Looks up the specific event key to see if auto-commit is enabled
 4. Falls back to `auto_commit.default` if no event-specific key exists
 5. Uses the per-command `message` if configured, otherwise a default message
 6. If enabled and there are uncommitted changes, runs `git add .` + `git commit`
 ## Execution
 Determine the event name from the hook that triggered this command, then run the script:
 - **Bash**: `.specify/extensions/git/scripts/bash/auto-commit.sh <event_name>`
 - **PowerShell**: `.specify/extensions/git/scripts/powershell/auto-commit.ps1 <event_name>`
 Replace `<event_name>` with the actual hook event (e.g., `after_specify`, `before_plan`, `after_implement`).
 ## Configuration
 In `.specify/extensions/git/git-config.yml`:
 ```yaml
 auto_commit:
  default: false          # Global toggle — set true to enable for all commands
  after_specify:
    enabled: true          # Override per-command
    message: "[Spec Kit] Add specification"
  after_plan:
    enabled: false
    message: "[Spec Kit] Add implementation plan"
 ```
 ## Graceful Degradation
 - If Git is not available or the current directory is not a repository: skips with a warning
 - If no config file exists: skips (disabled by default)
 - If no changes to commit: skips with a message
--- a/.github/agents/speckit.git.feature.agent.md
+++ b/.github/agents/speckit.git.feature.agent.md
@ -1,70 +0,0 @@
 ---
 description: Create a feature branch with sequential or timestamp numbering
 ---
 <!-- Extension: git -->
 <!-- Config: .specify/extensions/git/ -->
 # Create Feature Branch
 Create and switch to a new git feature branch for the given specification. This command handles **branch creation only** — the spec directory and files are created by the core `/speckit.specify` workflow.
 ## User Input
 ```text
 $ARGUMENTS
 ```
 You **MUST** consider the user input before proceeding (if not empty).
 ## Environment Variable Override
 If the user explicitly provided `GIT_BRANCH_NAME` (e.g., via environment variable, argument, or in their request), pass it through to the script by setting the `GIT_BRANCH_NAME` environment variable before invoking the script. When `GIT_BRANCH_NAME` is set:
 - The script uses the exact value as the branch name, bypassing all prefix/suffix generation
 - `--short-name`, `--number`, and `--timestamp` flags are ignored
 - `FEATURE_NUM` is extracted from the name if it starts with a numeric prefix, otherwise set to the full branch name
 ## Prerequisites
 - Verify Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
 - If Git is not available, warn the user and skip branch creation
 ## Branch Numbering Mode
 Determine the branch numbering strategy by checking configuration in this order:
 1. Check `.specify/extensions/git/git-config.yml` for `branch_numbering` value
 2. Check `.specify/init-options.json` for `branch_numbering` value (backward compatibility)
 3. Default to `sequential` if neither exists
 ## Execution
 Generate a concise short name (2-4 words) for the branch:
 - Analyze the feature description and extract the most meaningful keywords
 - Use action-noun format when possible (e.g., "add-user-auth", "fix-payment-bug")
 - Preserve technical terms and acronyms (OAuth2, API, JWT, etc.)
 Run the appropriate script based on your platform:
 - **Bash**: `.specify/extensions/git/scripts/bash/create-new-feature.sh --json --short-name "<short-name>" "<feature description>"`
 - **Bash (timestamp)**: `.specify/extensions/git/scripts/bash/create-new-feature.sh --json --timestamp --short-name "<short-name>" "<feature description>"`
 - **PowerShell**: `.specify/extensions/git/scripts/powershell/create-new-feature.ps1 -Json -ShortName "<short-name>" "<feature description>"`
 - **PowerShell (timestamp)**: `.specify/extensions/git/scripts/powershell/create-new-feature.ps1 -Json -Timestamp -ShortName "<short-name>" "<feature description>"`
 **IMPORTANT**:
 - Do NOT pass `--number` — the script determines the correct next number automatically
 - Always include the JSON flag (`--json` for Bash, `-Json` for PowerShell) so the output can be parsed reliably
 - You must only ever run this script once per feature
 - The JSON output will contain `BRANCH_NAME` and `FEATURE_NUM`
 ## Graceful Degradation
 If Git is not installed or the current directory is not a Git repository:
 - Branch creation is skipped with a warning: `[specify] Warning: Git repository not detected; skipped branch creation`
 - The script still outputs `BRANCH_NAME` and `FEATURE_NUM` so the caller can reference them
 ## Output
 The script outputs JSON with:
 - `BRANCH_NAME`: The branch name (e.g., `003-user-auth` or `20260319-143022-user-auth`)
 - `FEATURE_NUM`: The numeric or timestamp prefix used
--- a/.github/agents/speckit.git.initialize.agent.md
+++ b/.github/agents/speckit.git.initialize.agent.md
@ -1,52 +0,0 @@
 ---
 description: Initialize a Git repository with an initial commit
 ---
 <!-- Extension: git -->
 <!-- Config: .specify/extensions/git/ -->
 # Initialize Git Repository
 Initialize a Git repository in the current project directory if one does not already exist.
 ## Execution
 Run the appropriate script from the project root:
 - **Bash**: `.specify/extensions/git/scripts/bash/initialize-repo.sh`
 - **PowerShell**: `.specify/extensions/git/scripts/powershell/initialize-repo.ps1`
 If the extension scripts are not found, fall back to:
 - **Bash**: `git init && git add . && git commit -m "Initial commit from Specify template"`
 - **PowerShell**: `git init; git add .; git commit -m "Initial commit from Specify template"`
 The script handles all checks internally:
 - Skips if Git is not available
 - Skips if already inside a Git repository
 - Runs `git init`, `git add .`, and `git commit` with an initial commit message
 ## Customization
 Replace the script to add project-specific Git initialization steps:
 - Custom `.gitignore` templates
 - Default branch naming (`git config init.defaultBranch`)
 - Git LFS setup
 - Git hooks installation
 - Commit signing configuration
 - Git Flow initialization
 ## Output
 On success:
 - `✓ Git repository initialized`
 ## Graceful Degradation
 If Git is not installed:
 - Warn the user
 - Skip repository initialization
 - The project continues to function without Git (specs can still be created under `specs/`)
 If Git is installed but `git init`, `git add .`, or `git commit` fails:
 - Surface the error to the user
 - Stop this command rather than continuing with a partially initialized repository
--- a/.github/agents/speckit.git.remote.agent.md
+++ b/.github/agents/speckit.git.remote.agent.md
@ -1,48 +0,0 @@
 ---
 description: Detect Git remote URL for GitHub integration
 ---
 <!-- Extension: git -->
 <!-- Config: .specify/extensions/git/ -->
 # Detect Git Remote URL
 Detect the Git remote URL for integration with GitHub services (e.g., issue creation).
 ## Prerequisites
 - Check if Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
 - If Git is not available, output a warning and return empty:
  ```
  [specify] Warning: Git repository not detected; cannot determine remote URL
  ```
 ## Execution
 Run the following command to get the remote URL:
 ```bash
 git config --get remote.origin.url
 ```
 ## Output
 Parse the remote URL and determine:
 1. **Repository owner**: Extract from the URL (e.g., `github` from `https://github.com/github/spec-kit.git`)
 2. **Repository name**: Extract from the URL (e.g., `spec-kit` from `https://github.com/github/spec-kit.git`)
 3. **Is GitHub**: Whether the remote points to a GitHub repository
 Supported URL formats:
 - HTTPS: `https://github.com/<owner>/<repo>.git`
 - SSH: `git@github.com:<owner>/<repo>.git`
 > [!CAUTION]
 > ONLY report a GitHub repository if the remote URL actually points to github.com.
 > Do NOT assume the remote is GitHub if the URL format doesn't match.
 ## Graceful Degradation
 If Git is not installed, the directory is not a Git repository, or no remote is configured:
 - Return an empty result
 - Do NOT error — other workflows should continue without Git remote information
--- a/.github/agents/speckit.git.validate.agent.md
+++ b/.github/agents/speckit.git.validate.agent.md
@ -1,52 +0,0 @@
 ---
 description: Validate current branch follows feature branch naming conventions
 ---
 <!-- Extension: git -->
 <!-- Config: .specify/extensions/git/ -->
 # Validate Feature Branch
 Validate that the current Git branch follows the expected feature branch naming conventions.
 ## Prerequisites
 - Check if Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
 - If Git is not available, output a warning and skip validation:
  ```
  [specify] Warning: Git repository not detected; skipped branch validation
  ```
 ## Validation Rules
 Get the current branch name:
 ```bash
 git rev-parse --abbrev-ref HEAD
 ```
 The branch name must match one of these patterns:
 1. **Sequential**: `^[0-9]{3,}-` (e.g., `001-feature-name`, `042-fix-bug`, `1000-big-feature`)
 2. **Timestamp**: `^[0-9]{8}-[0-9]{6}-` (e.g., `20260319-143022-feature-name`)
 ## Execution
 If on a feature branch (matches either pattern):
 - Output: `✓ On feature branch: <branch-name>`
 - Check if the corresponding spec directory exists under `specs/`:
  - For sequential branches, look for `specs/<prefix>-*` where prefix matches the numeric portion
  - For timestamp branches, look for `specs/<prefix>-*` where prefix matches the `YYYYMMDD-HHMMSS` portion
 - If spec directory exists: `✓ Spec directory found: <path>`
 - If spec directory missing: `⚠ No spec directory found for prefix <prefix>`
 If NOT on a feature branch:
 - Output: `✗ Not on a feature branch. Current branch: <branch-name>`
 - Output: `Feature branches should be named like: 001-feature-name or 20260319-143022-feature-name`
 ## Graceful Degradation
 If Git is not installed or the directory is not a Git repository:
 - Check the `SPECIFY_FEATURE` environment variable as a fallback
 - If set, validate that value against the naming patterns
 - If not set, skip validation with a warning
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@ -673,8 +673,3 @@ ### Replaced Utilities
 | decoration-slice | box-decoration-slice |
 | decoration-clone | box-decoration-clone |
 </laravel-boost-guidelines>
 <!-- SPECKIT START -->
 For additional context about technologies to be used, project structure,
 shell commands, and other important information, read the current plan
 <!-- SPECKIT END -->
--- a/.github/prompts/speckit.git.commit.prompt.md
+++ b/.github/prompts/speckit.git.commit.prompt.md
@ -1,3 +0,0 @@
 ---
 agent: speckit.git.commit
 ---
--- a/.github/prompts/speckit.git.feature.prompt.md
+++ b/.github/prompts/speckit.git.feature.prompt.md
@ -1,3 +0,0 @@
 ---
 agent: speckit.git.feature
 ---
--- a/.github/prompts/speckit.git.initialize.prompt.md
+++ b/.github/prompts/speckit.git.initialize.prompt.md
@ -1,3 +0,0 @@
 ---
 agent: speckit.git.initialize
 ---
--- a/.github/prompts/speckit.git.remote.prompt.md
+++ b/.github/prompts/speckit.git.remote.prompt.md
@ -1,3 +0,0 @@
 ---
 agent: speckit.git.remote
 ---
--- a/.github/prompts/speckit.git.validate.prompt.md
+++ b/.github/prompts/speckit.git.validate.prompt.md
@ -1,3 +0,0 @@
 ---
 agent: speckit.git.validate
 ---
--- a/.github/skills/browsertest/SKILL.md
+++ b/.github/skills/browsertest/SKILL.md
@ -1,295 +0,0 @@
 ---
 name: browsertest
 description: Führe einen vollständigen Smoke-Browser-Test im Integrated Browser für das aktuelle Feature aus, inklusive Happy Path, zentraler Regressionen, Kontext-Prüfung und belastbarer Ergebniszusammenfassung.
 license: MIT
 metadata:
  author: GitHub Copilot
 ---
 # Browser Smoke Test
 ## What This Skill Does
 Use this skill to validate the current feature end-to-end in the integrated browser.
 This is a focused smoke test, not a full exploratory test session. The goal is to prove that the primary operator flow:
 - loads in the correct auth, workspace, and tenant context
 - exposes the expected controls and decision points
 - completes the main happy path without blocking issues
 - lands in the expected end state or canonical drilldown
 - does not show obvious regressions such as broken navigation, missing data, or conflicting actions
 The skill should produce a concrete pass or fail result with actionable evidence.
 ## When To Apply
 Activate this skill when:
 - the user asks to smoke test the current feature in the browser
 - a new Filament page, dashboard signal, report, wizard, or detail flow was just added
 - a UI regression fix needs confirmation in a real browser context
 - the primary question is whether the feature works from an operator perspective
 - you need a quick integration-level check without writing a full browser test suite first
 ## What Success Looks Like
 A successful smoke test confirms all of the following:
 - the target route opens successfully
 - the visible context is correct
 - the main flow is usable
 - the expected result appears after interaction
 - the route or drilldown destination is correct
 - the surface does not obviously violate its intended interaction model
 If the test cannot be completed, the output must clearly state whether the blocker is:
 - authentication
 - missing data or fixture state
 - routing
 - UI interaction failure
 - server error
 - an unclear expected behavior contract
 Do not guess. If the route or state is blocked, report the blocker explicitly.
 ## Preconditions
 Before running the browser smoke test, make sure you know:
 - the canonical route or entry point for the feature
 - the primary operator action or happy path
 - the expected success state
 - whether the feature depends on a specific tenant, workspace, or seeded record
 When available, use the feature spec, quickstart, tasks, or current browser page as the source of truth.
 ## Standard Workflow
 ### 1. Define the smoke-test scope
 Identify:
 - the route to open
 - the primary action to perform
 - the expected end state
 - one or two critical regressions that must not break
 The smoke test should stay narrow. Prefer one complete happy path plus one critical boundary over broad exploratory clicking.
 ### 2. Establish the browser state
 - Reuse the current browser page if it already matches the target feature.
 - Otherwise open the canonical route.
 - Confirm the current auth and scope context before interacting.
 For this repo, that usually means checking whether the page is on:
 - `/admin/...` for workspace-context surfaces
 - `/admin/t/{tenant}/...` for tenant-context surfaces
 ### 3. Inspect before acting
 - Use `read_page` before interacting so you understand the live controls, refs, headings, and route context.
 - Prefer `read_page` over screenshots for actual interaction planning.
 - Use screenshots only for visual evidence or when the user asks for them.
 ### 4. Execute the primary happy path
 Run the smallest meaningful flow that proves the feature works.
 Typical steps include:
 - open the page
 - verify heading or key summary text
 - click the primary CTA or row
 - fill the minimum required form fields
 - confirm modal or dialog text when relevant
 - submit or navigate
 - verify the expected destination or changed state
 After each meaningful action, re-read the page so the next step is based on current DOM state.
 ### 5. Validate the outcome
 Check the exact result that matters for the feature.
 Examples:
 - a new row appears
 - a status changes
 - a success message appears
 - a report filter changes the result set
 - a row click lands on the canonical detail page
 - a dashboard signal links to the correct report page
 ### 6. Check for obvious regressions
 Even in a smoke test, verify a few core non-negotiables:
 - the page is not blank or half-rendered
 - the main action is present and usable
 - the visible context is correct
 - the drilldown destination is canonical
 - no obviously duplicated primary actions exist
 - no stuck modal, spinner, or blocked interaction remains onscreen
 ### 7. Capture evidence and summarize clearly
 Your result should state:
 - route tested
 - context used
 - steps executed
 - pass or fail
 - exact blocker or discrepancy if failed
 Include a screenshot only when it adds value.
 ## Tool Usage Guidance
 Use the browser tools in this order by default:
 1. `read_page`
 2. `click_element`
 3. `type_in_page`
 4. `handle_dialog` when needed
 5. `navigate_page` or `open_browser_page` only when route changes are required
 6. `run_playwright_code` only if the normal browser tools are insufficient
 7. `screenshot_page` for evidence, not for primary navigation logic
 ## Repo-Specific Guidance For TenantPilot
 ### Workspace surfaces
 For `/admin` pages and similar workspace-context surfaces:
 - verify the page is reachable without forcing tenant-route assumptions
 - confirm any summary signal or CTA lands on the canonical destination
 - verify calm-state versus attention-state behavior when the feature defines both
 ### Tenant surfaces
 For `/admin/t/{tenant}/...` pages:
 - verify the tenant context is explicit and correct
 - verify drilldowns stay in the intended tenant scope
 - treat cross-tenant leakage or silent scope changes as failures
 ### Filament list or report surfaces
 For Filament tables, reports, or registry-style pages:
 - verify the heading and table shell render
 - verify fixed filters or summary controls exist when the spec requires them
 - verify row click or the primary inspect affordance behaves as designed
 - verify empty-state messaging is specific rather than generic when the feature defines custom behavior
 ### Filament detail pages
 For detail or view surfaces:
 - verify the canonical record loads
 - verify expected sections or summary content are present
 - verify critical actions or drillbacks are usable
 ## Result Format
 Use a compact result format like this:
 ```text
 Browser smoke result: PASS
 Route: /admin/findings/hygiene
 Context: workspace member with visible hygiene issues
 Steps: opened report -> verified filters -> clicked finding row -> landed on canonical finding detail
 Verified: report rendered, primary interaction worked, drilldown route was correct
 ```
 If the test fails:
 ```text
 Browser smoke result: FAIL
 Route: /admin/findings/hygiene
 Context: authenticated workspace member
 Failed step: clicking the summary CTA
 Expected: navigate to /admin/findings/hygiene
 Actual: remained on /admin with no route change
 Blocker: CTA appears rendered but is not interactive
 ```
 ## Examples
 ### Example 1: Smoke test a new report page
 Use this when the feature adds a new read-only report.
 Steps:
 - open the canonical report route
 - verify the page heading and main controls
 - confirm the table or defined empty state is visible
 - click one row or primary inspect affordance
 - verify navigation lands on the canonical detail route
 Pass criteria:
 - report loads
 - intended controls exist
 - primary inspect path works
 ### Example 2: Smoke test a dashboard signal
 Use this when the feature adds a summary signal on `/admin`.
 Steps:
 - open `/admin`
 - find the signal
 - verify the visible count or summary text
 - click the CTA
 - confirm navigation lands on the canonical downstream surface
 Pass criteria:
 - signal is visible in the correct state
 - CTA text is present
 - CTA opens the correct route
 ### Example 3: Smoke test a tenant detail follow-up
 Use this when a workspace-level surface should drill into a tenant-level detail page.
 Steps:
 - open the workspace-level surface
 - trigger the drilldown
 - verify the target route includes the correct tenant and record
 - confirm the target page actually loads the expected detail content
 Pass criteria:
 - drilldown route is canonical
 - tenant context is correct
 - destination content matches the selected record
 ## Common Pitfalls
 - Clicking before reading the page state and refs
 - Treating a blocked auth session as a feature failure
 - Confusing workspace-context routes with tenant-context routes
 - Reporting visual impressions without validating the actual interaction result
 - Forgetting to re-read the page after a modal opens or a route changes
 - Claiming success without verifying the final destination or changed state
 ## Non-Goals
 This skill does not replace:
 - full exploratory QA
 - formal Pest browser coverage
 - accessibility review
 - visual regression approval
 - backend correctness tests
 It is a fast, real-browser confidence pass for the current feature.
--- a/.github/skills/spec-kit-implementation-loop/SKILL.md
+++ b/.github/skills/spec-kit-implementation-loop/SKILL.md
@ -1,447 +0,0 @@
 ---
 name: spec-kit-implementation-loop
 description: Implement an existing TenantPilot/TenantAtlas Spec Kit feature, run tests, browser smoke checks where applicable, post-implementation analysis, fix all confirmed in-scope findings when safe and bounded, and repeat until no in-scope findings remain or a stop condition is reached.
 ---
 # Skill: Spec Kit Implementation Loop
 ## Purpose
 Use this skill to implement an already prepared TenantPilot/TenantAtlas Spec Kit feature and verify it with a bounded implementation loop.
 This skill assumes `spec.md`, `plan.md`, and `tasks.md` already exist and have passed preparation readiness or have been explicitly accepted by the user.
 The intended workflow is:
 ```text
 active or explicitly named spec
 → inspect repo truth, constitution, spec, plan, tasks, and relevant code/tests
 → evaluate implementation gates
 → implement strictly task-by-task
 → run relevant tests/checks
 → run browser smoke test when UI/user-facing flows are affected
 → run strict post-implementation analysis
 → fix confirmed in-scope findings
 → repeat test + browser smoke + analysis + fix loop until clean or bounded stop condition is reached
 → final implementation report
 ```
 ## When to Use
 Use this skill when the user asks to:
 - implement an active or explicitly named Spec Kit feature
 - run Spec Kit implement
 - analyze after implementation
 - fix implementation findings
 - repeat implementation verification until no confirmed in-scope findings remain
 - run tests and browser smoke checks after implementation
 Typical user prompts:
 ```text
 Implementiere die aktive Spec und analysiere danach, ob alles passt.
 ```
 ```text
 Implementiere specs/243-product-usage-adoption-telemetry streng nach tasks.md.
 ```
 ```text
 Mach Spec Kit implement und danach analyse. Behebe alle Abweichungen und wiederhole bis sauber.
 ```
 ```text
 Implementiere die vorbereitete Spec. Danach Tests, Browser Smoke Test falls UI betroffen ist, Analyse und Fix-Loop bis keine In-Scope Findings mehr offen sind.
 ```
 ## Hard Rules
 - Work strictly repo-based.
 - Implement only the active or explicitly named Spec Kit feature.
 - Do not choose a new candidate.
 - Do not create a new spec.
 - Do not expand scope beyond `spec.md`, `plan.md`, and `tasks.md`.
 - Do not silently add roadmap features, adjacent UX rewrites, speculative architecture, or unrelated refactors.
 - Follow the repository constitution and existing Spec Kit conventions.
 - Preserve TenantPilot/TenantAtlas terminology.
 - Prefer small, reviewable patches over broad rewrites.
 - Treat repository truth as authoritative over assumptions.
 - If repository truth conflicts with implementation scope, stop and report the conflict unless there is an obvious minimal correction inside active spec scope.
 - Fix only confirmed findings from tests, static checks, browser smoke checks, or post-implementation analysis.
 - Fix all confirmed in-scope findings, regardless of severity, when they are safe and bounded.
 - Do not leave Medium/Low findings open silently. If they are not fixed, document exactly why.
 - Never hide failing tests, weaken assertions, delete meaningful coverage, or mark tasks complete without implementation evidence.
 - Do not run destructive commands.
 - Do not force checkout, reset, stash, rebase, merge, or delete branches.
 - Do not perform database-destructive actions unless the repository test workflow explicitly requires isolated test database resets.
 - Do not continue analysis/fix loops indefinitely.
 - Do not move from implementation to final status unless the Test Gate, Browser Smoke Test Gate where applicable, and Post-Implementation Analysis Gate have been evaluated.
 - Do not claim merge-readiness unless the Merge Readiness Gate passes.
 ## Required Inputs
 The user should provide at least one of:
 - explicit spec directory such as `specs/<number>-<slug>/`
 - instruction to use the current active Spec Kit feature
 - instruction to implement the prepared/current spec
 If the active spec cannot be determined safely, inspect the repository Spec Kit context first. If it is still ambiguous, stop and ask for the specific spec directory.
 ## Required Repository Checks
 Always check:
 1. active Spec Kit context / current branch
 2. git status
 3. `.specify/memory/constitution.md`
 4. the active spec directory
 5. `spec.md`
 6. `plan.md`
 7. `tasks.md`
 8. relevant templates or conventions under `.specify/templates/`
 9. nearby existing specs with related terminology or scope
 10. application code surfaces referenced by the active spec
 11. existing tests related to the changed behavior
 ## Git and Branch Safety
 Before making implementation changes:
 1. Check the current branch.
 2. Check whether the working tree is clean.
 3. If there are unrelated uncommitted changes, stop and report them. Do not continue.
 4. If the working tree only contains user-intended changes for this operation, continue cautiously.
 5. Do not force checkout, reset, stash, rebase, merge, or delete branches.
 6. Do not overwrite unrelated work.
 ## Quality Gates
 ### Gate 1: Spec Readiness Gate
 Required before implementation starts.
 Pass criteria:
 - `spec.md`, `plan.md`, and `tasks.md` exist.
 - The spec has clear problem statement, user value, functional requirements, out-of-scope boundaries, acceptance criteria, assumptions, and risks.
 - The plan identifies likely affected repo surfaces and does not contradict repository architecture.
 - The tasks are small, ordered, verifiable, and include test/validation tasks.
 - RBAC, workspace/tenant isolation, auditability, OperationRun semantics, evidence/result-truth, and UX requirements are addressed where relevant.
 - No open question blocks safe implementation.
 - The scope is small enough for a bounded implementation loop.
 Fail behavior:
 - Stop before implementation.
 - Report readiness gaps.
 - Do not compensate for an unclear spec by inventing implementation scope.
 ### Gate 2: Implementation Scope Gate
 Required before changing application code.
 Pass criteria:
 - The active spec directory is known.
 - The implementation target is traceable to specific tasks in `tasks.md`.
 - The affected files/surfaces are consistent with `plan.md` or clearly justified by repository truth.
 - No required change would introduce unrelated product behavior.
 - No required change conflicts with constitution, existing architecture, RBAC/isolation boundaries, or source-of-truth semantics.
 Fail behavior:
 - Stop before code changes and report the conflict or ambiguity.
 - Suggest a minimal spec/plan/tasks correction if the issue is in the artifacts rather than the codebase.
 ### Gate 3: Test Gate
 Required after implementation and after each fix iteration.
 Pass criteria:
 - Targeted tests for changed behavior pass.
 - Relevant existing tests pass or failures are proven unrelated and documented.
 - Static analysis, linting, formatting, or type checks used by the repository pass when applicable.
 - Security/governance-relevant changes have backend, policy, or domain coverage; UI-only verification is not enough.
 - Regression coverage exists for each fixed Blocker or High finding where practical.
 Fail behavior:
 - Fix in-scope failures before post-implementation analysis.
 - If failures are unrelated or pre-existing, document evidence and continue only if they do not invalidate the active spec.
 - Do not weaken tests to pass the gate.
 ### Gate 4: Browser Smoke Test Gate
 Required before claiming implementation is ready for manual review/merge when the change affects Filament UI, Livewire interactions, navigation, forms, tables, actions, modals, dashboards, operation drilldowns, tenant/workspace context, or any user-facing flow.
 Not required for backend-only, domain-only, enum-only, contract-only, or test-only changes unless those changes alter a user-facing flow.
 Pass criteria:
 - The relevant page or flow loads in a real browser or the repository's browser-testing harness.
 - The primary action introduced or changed by the spec can be executed successfully.
 - Expected UI states, labels, badges, actions, empty states, tables, forms, modals, and navigation are visible where relevant.
 - Workspace/tenant context is preserved across the tested flow where relevant.
 - RBAC/capability-dependent visibility behaves as expected where practical to verify.
 - Livewire interactions complete without visible runtime errors.
 - No relevant browser console errors occur.
 - No failed network requests occur for the tested flow, except known unrelated development noise that is explicitly documented.
 - OperationRun, audit, evidence, result, or support-diagnostic drilldowns work where relevant.
 - The smoke-tested path is documented in the final response.
 Fail behavior:
 - Fix in-scope browser, UX, Livewire, navigation, or runtime failures before claiming merge-readiness.
 - If a browser issue is unrelated existing debt, document evidence and residual risk.
 - Do not treat a passing browser smoke test as a substitute for backend, policy, domain, security, feature, or integration tests.
 - Do not expand the smoke test into a full E2E suite unless the user explicitly asks for that.
 ### Gate 5: Post-Implementation Analysis Gate
 Required after implementation and after each fix iteration.
 Pass criteria:
 - The implementation has been checked against `spec.md`, `plan.md`, `tasks.md`, and constitution.
 - All completed tasks have implementation evidence.
 - No confirmed in-scope findings remain.
 - Medium/Low findings are fixed when they are inside active spec scope, clearly bounded, and safe.
 - Medium/Low findings that remain open are explicitly documented with one of these reasons:
  - out of scope
  - requires separate spec
  - risky refactor
  - existing unrelated debt
  - not reproducible
  - blocked by unclear product/architecture decision
 - No scope expansion was introduced during fixes.
 Fail behavior:
 - Fix confirmed in-scope findings, regardless of severity, when the fix is safe and bounded.
 - Stop instead of fixing when remediation would expand scope, contradict repo architecture, introduce risky refactors, or repeat the same failed fix twice.
 ### Gate 6: Merge Readiness Gate
 Required before claiming the implementation is ready for manual review/merge.
 Pass criteria:
 - Spec Readiness Gate passed.
 - Implementation Scope Gate passed.
 - Test Gate passed.
 - Browser Smoke Test Gate passed when applicable, or was explicitly marked not applicable with a reason.
 - Post-Implementation Analysis Gate passed.
 - `tasks.md` reflects actual completion status.
 - No confirmed in-scope findings remain.
 - All remaining findings are documented as out-of-scope, follow-up candidates, unrelated existing debt, or explicit residual risks.
 - Final response includes changed files, tests/checks run, browser smoke result, iterations performed, residual risks, and follow-up candidates.
 Fail behavior:
 - Do not claim merge-readiness.
 - Report the failed gate, remaining risks, and the smallest recommended next action.
 ## Implementation Loop
 Execute the loop in bounded phases:
 1. Evaluate the Spec Readiness Gate.
 2. Evaluate the Implementation Scope Gate before changing application code.
 3. Implement the active Spec Kit feature scope task-by-task.
 4. Run targeted tests and relevant static/dynamic checks.
 5. Evaluate the Test Gate.
 6. Run a Browser Smoke Test when the change affects UI/user-facing flows.
 7. Evaluate the Browser Smoke Test Gate as passed, failed, or not applicable with a reason.
 8. Run strict post-implementation analysis against spec, plan, tasks, constitution, changed code, changed tests, browser smoke results where applicable, and relevant existing patterns.
 9. Evaluate the Post-Implementation Analysis Gate.
 10. Identify confirmed findings by severity: Blocker, High, Medium, Low.
 11. Fix all confirmed in-scope findings regardless of severity when safe and bounded.
 12. Do not fix findings that require scope expansion, risky unrelated refactors, or architectural/product decisions outside the active spec; document them as follow-up/residual risks with reasons.
 13. Re-run relevant tests and browser smoke checks where applicable after fixes.
 14. Repeat test + browser smoke + analysis + fix loop until no confirmed in-scope findings remain or a stop condition is reached.
 15. Evaluate the Merge Readiness Gate.
 16. Report final implementation status, changed files, tests, browser smoke result, residual risks, failed/passed gates, and manual review prompt.
 ## Stop Conditions
 Stop the implementation loop when any of the following is true:
 - No confirmed in-scope findings remain.
 - The same finding appears twice after attempted fixes.
 - A required fix conflicts with the spec, plan, constitution, or repository architecture.
 - A required fix would expand scope beyond the active spec.
 - A required fix would require a risky unrelated refactor.
 - A required fix depends on an unresolved product or architecture decision.
 - Tests reveal an unrelated pre-existing failure that cannot be safely fixed inside the active spec.
 - Browser smoke testing reveals an unrelated pre-existing UI/runtime failure that cannot be safely fixed inside the active spec.
 - Three analysis/fix iterations have already been completed.
 - The repository state is ambiguous enough that continuing would risk damaging architecture or data semantics.
 When stopping before full cleanliness, report exactly why the loop stopped and what remains.
 ## Post-Implementation Analysis Prompt
 Use this prompt internally after implementation and after each fix iteration:
 ```markdown
 Du bist ein Senior Staff Software Engineer, Software Architect und Enterprise SaaS Reviewer.
 Analysiere die Implementierung der aktiven Spec streng repo-basiert.
 Ziel:
 Prüfe, ob die Umsetzung vollständig, konsistent, getestet und constitution-konform ist.
 Prüfe gegen:
 - spec.md
 - plan.md
 - tasks.md
 - .specify/memory/constitution.md
 - geänderte Anwendungscodes
 - geänderte Tests
 - Browser-Smoke-Test-Ergebnis, falls UI/user-facing Flows betroffen sind
 - bestehende Repository-Patterns
 Wichtig:
 - Keine Spekulation ohne Repo-Beleg.
 - Keine Scope-Erweiterung.
 - Keine neuen Produktideen als Pflicht-Fixes.
 - Findings nach Blocker, High, Medium, Low gruppieren.
 - Für jedes Finding konkrete Datei-/Code-Belege nennen.
 - Für jedes Finding eine minimale Remediation nennen.
 - Separat ausweisen, welche Findings innerhalb der aktiven Spec behoben werden müssen.
 - Medium/Low Findings innerhalb der aktiven Spec ebenfalls zur Behebung markieren, wenn sie sicher und bounded sind.
 - Bei UI-/Filament-/Livewire-Änderungen prüfen, ob ein Browser Smoke Test durchgeführt wurde und ob der getestete Operator-Flow wirklich funktioniert.
 - Findings, die nicht behoben werden sollen, nur als Follow-up/Residual Risk ausweisen, wenn sie out of scope, risky refactor, unrelated existing debt, not reproducible oder durch eine offene Produkt-/Architekturentscheidung blockiert sind.
 - Wenn keine bestätigten In-Scope Findings verbleiben, klare Implementierungsfreigabe geben.
 ```
 ## Task Completion Rules
 - Keep `tasks.md` aligned with actual implementation status.
 - Check off tasks only after the implementation and test evidence exists.
 - If a task is obsolete because repository truth proves a different path, update the task note with the reason instead of silently deleting it.
 - If a task cannot be completed inside scope, leave it unchecked and report why.
 ## Testing Rules
 - Add or update tests for all changed business behavior.
 - Include RBAC and workspace/tenant isolation tests where relevant.
 - Include OperationRun, audit, evidence, or result-truth tests where relevant.
 - Prefer regression tests for every fixed Blocker or High finding.
 - Add regression tests for Medium/Low findings when the behavior is important and testable without excessive churn.
 - Do not weaken tests to pass the suite.
 - Do not treat a green UI path as sufficient without backend or policy coverage when the behavior is security- or governance-relevant.
 ## Browser Smoke Test Rules
 Apply these rules when the active spec changes Filament UI, Livewire interactions, navigation, forms, tables, actions, modals, dashboards, operation drilldowns, tenant/workspace context, or any user-facing flow.
 The browser smoke test should be narrow and focused. It is not a full E2E suite unless explicitly requested.
 Minimum smoke path:
 1. Open the relevant page or entry point.
 2. Confirm the expected workspace/tenant context where relevant.
 3. Confirm the changed or newly introduced UI element is visible.
 4. Execute the primary action or interaction changed by the spec.
 5. Confirm the expected result state, notification, redirect, table update, modal state, operation link, or drilldown.
 6. Check for relevant console errors.
 7. Check for failed network requests related to the tested flow.
 8. Document the tested path in the final response.
 For TenantPilot/TenantAtlas, pay special attention to:
 - Filament actions and header actions
 - Livewire polling, modals, validation, and actions
 - workspace/tenant context preservation
 - RBAC/capability-dependent action visibility
 - OperationRun links and drilldown continuity
 - audit/evidence/result/support-diagnostic drilldowns where relevant
 - empty states, badges, labels, and decision guidance where relevant
 Browser smoke testing is required for UI/user-facing changes and optional for backend-only changes.
 Do not treat browser smoke success as proof that backend security, policies, domain logic, auditability, or workspace/tenant isolation are correct. Those still require automated tests or repo-based verification.
 ## Failure Handling
 If an implementation step, test phase, browser smoke phase, or post-implementation analysis fails:
 1. Stop at the relevant gate or stop condition.
 2. Report the failing command or phase.
 3. Summarize the error.
 4. Do not attempt unrelated implementation as a workaround.
 5. Suggest the smallest safe next action.
 If the branch or working tree state is unsafe:
 1. Stop before implementation changes.
 2. Report the current branch and relevant uncommitted files.
 3. Ask the user to commit, stash, or move to a clean worktree.
 ## Final Response Requirements
 Respond with:
 1. Active spec directory
 2. Summary of implemented changes
 3. Tests/checks run and their results
 4. Browser smoke test result, tested path, or not-applicable reason
 5. Quality gates passed/failed and number of analysis/fix iterations performed
 6. Remaining in-scope findings, if any
 7. Residual risks and follow-up candidates, if relevant
 8. Files changed
 9. Explicit statement whether the Merge Readiness Gate passed and whether the implementation is ready for manual review/merge
 Keep the final response concise, but include enough detail for the user to continue immediately.
 ## Manual Review Prompt
 Provide a ready-to-copy prompt like this, adapted to the active spec number and slug:
 ```markdown
 Du bist ein Senior Staff Software Architect und Enterprise SaaS Reviewer.
 Führe eine finale manuelle Review der implementierten Spec `<spec-number>-<slug>` streng repo-basiert durch.
 Ziel:
 Prüfe, ob die Implementierung nach dem Agenten-Loop wirklich merge-ready ist.
 Wichtig:
 - Keine Implementierung.
 - Keine Codeänderungen.
 - Keine Scope-Erweiterung.
 - Prüfe gegen spec.md, plan.md, tasks.md und constitution.md.
 - Prüfe die geänderten Dateien, Tests, Browser-Smoke-Test-Ergebnis, RBAC, Workspace-/Tenant-Isolation, Auditability, UX und OperationRun-Semantik, soweit relevant.
 - Benenne nur konkrete Findings mit Repo-Beleg.
 - Gib am Ende eine klare Entscheidung: Merge-ready, merge-ready with notes, oder not merge-ready.
 ```
 ## Example Invocation
 User:
 ```text
 Nutze den Skill spec-kit-implementation-loop.
 Implementiere die aktive Spec.
 Danach Tests ausführen, Browser Smoke Test falls UI/user-facing betroffen ist, Post-Implementation Analyse durchführen und alle bestätigten In-Scope Findings unabhängig von Severity beheben, wenn safe und bounded.
 Wiederhole test + browser smoke + analysis + fix bis keine In-Scope Findings mehr offen sind oder eine Stop Condition greift.
 ```
 Expected behavior:
 1. Inspect active Spec Kit context, constitution, spec, plan, tasks, relevant code, and relevant tests.
 2. Evaluate the Spec Readiness Gate and Implementation Scope Gate.
 3. Implement only the active spec scope.
 4. Run targeted tests and relevant checks.
 5. Evaluate the Test Gate.
 6. Run and evaluate Browser Smoke Test when UI/user-facing flows are affected.
 7. Run post-implementation analysis.
 8. Fix all confirmed in-scope findings regardless of severity when safe and bounded.
 9. Repeat test + browser smoke + analysis + fix loop up to the stop conditions.
 10. Evaluate the Merge Readiness Gate.
 11. Report final status, changed files, tests, browser smoke result, residual risks, gates, and manual review prompt.
 ```
--- a/.github/skills/spec-kit-next-best-prep/SKILL.md
+++ b/.github/skills/spec-kit-next-best-prep/SKILL.md
@ -1,562 +0,0 @@
 ---
 name: spec-kit-next-best-prep
 description: Select the next suitable TenantPilot/TenantAtlas spec candidate from roadmap/spec-candidates, run the repository's Spec Kit preparation flow, create or update spec.md/plan.md/tasks.md, run preparation analysis, fix preparation-artifact issues only, and stop before application implementation.
 ---
 # Skill: Spec Kit Next-Best Preparation
 ## Purpose
 Use this skill to prepare the next implementation-ready Spec Kit package for TenantPilot/TenantAtlas without implementing application code.
 This skill supports preparation only:
 1. Select or scope the next suitable feature from roadmap/spec-candidates.
 2. Run the repository's real Spec Kit preparation workflow where available.
 3. Create or update `spec.md`, `plan.md`, and `tasks.md`.
 4. Run preparation `analyze` when supported.
 5. Fix preparation-artifact issues only.
 6. Evaluate preparation quality gates.
 7. Stop before application implementation.
 The intended workflow is:
 ```text
 roadmap / spec-candidates / feature idea
 → inspect repo truth, constitution, roadmap, spec candidates, existing specs, and relevant code
 → select the next suitable candidate or scope the provided idea
 → run Spec Kit specify/plan/tasks/analyze where available
 → create or update spec.md + plan.md + tasks.md
 → fix preparation-artifact issues only
 → evaluate Candidate Selection Gate and Spec Readiness Gate
 → final preparation report
 → explicit implementation step later
 ```
 ## When to Use
 Use this skill when the user asks to:
 - select the next best spec candidate from `docs/product/spec-candidates.md` and roadmap sources
 - turn a feature idea, roadmap item, or candidate into `spec.md`, `plan.md`, and `tasks.md`
 - prepare Spec Kit artifacts in one pass
 - run specify/plan/tasks/analyze without implementation
 - fix preparation analysis issues in Spec Kit artifacts only
 - prepare a feature package for a later implementation skill
 Typical user prompts:
 ```text
 Nimm den nächsten sinnvollen Spec Candidate aus Roadmap/spec-candidates und mach spec, plan und tasks.
 ```
 ```text
 Mach daraus spec, plan und tasks in einem Rutsch, aber noch nicht implementieren.
 ```
 ```text
 Wähle aus roadmap.md und spec-candidates.md die nächste sinnvollste Spec und führe specify, plan, tasks und analyze aus.
 ```
 ```text
 Behebe alle analyze-Issues in den Spec-Kit-Artefakten. Keine Application-Implementierung.
 ```
 ## Hard Rules
 - Work strictly repo-based.
 - This is a preparation-only skill.
 - Do not implement application code.
 - Do not modify production code.
 - Do not modify migrations, models, services, jobs, Filament resources, Livewire components, policies, commands, routes, views, tests, or runtime behavior.
 - Use the repository's actual Spec Kit workflow, scripts, templates, branch naming rules, and generated paths when available.
 - Do not manually invent spec numbers, branch names, or spec paths if Spec Kit provides a script or command for that.
 - Do not bypass Spec Kit branch mechanics.
 - Create or update only Spec Kit preparation artifacts unless repository conventions require additional documentation artifacts.
 - Do not expand scope beyond the selected feature, `spec.md`, `plan.md`, and `tasks.md`.
 - Do not silently add roadmap features, adjacent UX rewrites, speculative architecture, or unrelated refactors.
 - Follow the repository constitution and existing Spec Kit conventions.
 - Preserve TenantPilot/TenantAtlas terminology.
 - Prefer small, reviewable, implementation-ready specs over broad rewrites.
 - Treat repository truth as authoritative over assumptions.
 - If repository truth conflicts with the user-provided draft or candidate wording, keep repository truth and document the deviation.
 - Fix only confirmed preparation-artifact findings from Spec Kit preparation analysis.
 - Do not leave preparation findings open silently. If they are not fixed, document exactly why.
 - Do not run destructive commands.
 - Do not force checkout, reset, stash, rebase, merge, or delete branches.
 - Do not overwrite existing specs.
 - Do not move from preparation to an implementation step inside this skill.
 ## Required Inputs
 The user should provide at least one of:
 - feature title and short goal
 - full spec candidate
 - roadmap item
 - rough problem statement
 - UX or architecture improvement idea
 - instruction to choose the next best candidate from roadmap/spec-candidates
 If the input is incomplete, proceed with the smallest reasonable interpretation and document assumptions.
 If no suitable candidate can be selected safely, stop and report why.
 ## Required Repository Checks
 Always check:
 1. `.specify/memory/constitution.md`
 2. `.specify/templates/`
 3. `.specify/scripts/`
 4. existing Spec Kit command usage or repository instructions, if present
 5. current branch and git status
 6. `specs/`
 7. `docs/product/spec-candidates.md`
 8. relevant roadmap documents under `docs/product/`, especially `roadmap.md` if present
 9. nearby existing specs with related terminology or scope
 10. application code only as needed to avoid wrong naming, wrong architecture, duplicate concepts, impossible tasks, duplicated specs, or already-completed candidates
 Do not edit application code.
 ## Git and Branch Safety
 Before running any Spec Kit command:
 1. Check the current branch.
 2. Check whether the working tree is clean.
 3. If there are unrelated uncommitted changes, stop and report them. Do not continue.
 4. If the working tree only contains user-intended planning edits for this operation, continue cautiously.
 5. Let Spec Kit create or switch to the correct feature branch when that is how the repository workflow works.
 6. Do not force checkout, reset, stash, rebase, merge, or delete branches.
 7. Do not overwrite existing specs.
 If the repo requires an explicit branch creation script for `specify`, use that script rather than manually creating the branch.
 ## Quality Gates
 ### Gate 1: Candidate Selection Gate
 Required before creating a new spec from roadmap/spec-candidates.
 Pass criteria:
 - The selected candidate exists in roadmap/spec-candidate material or is directly provided by the user.
 - The selected candidate is not already covered by an existing active or completed spec.
 - The selected candidate aligns with current roadmap priorities or explicitly documented product direction.
 - The candidate can be scoped as a small, reviewable, implementation-ready slice.
 - Major adjacent concerns are listed as follow-up candidates instead of being hidden inside the primary scope.
 Fail behavior:
 - If no candidate satisfies the gate, stop and report the top candidates plus the reason none is ready.
 - Do not invent a new roadmap direction to force progress.
 ### Gate 2: Spec Readiness Gate
 Required before reporting that the package is ready for implementation.
 Pass criteria:
 - `spec.md`, `plan.md`, and `tasks.md` exist.
 - The spec has clear problem statement, user value, functional requirements, out-of-scope boundaries, acceptance criteria, assumptions, and risks.
 - The plan identifies likely affected repo surfaces and does not contradict repository architecture.
 - The tasks are small, ordered, verifiable, and include test/validation tasks.
 - RBAC, workspace/tenant isolation, auditability, OperationRun semantics, evidence/result-truth, and UX requirements are addressed where relevant.
 - No open question blocks safe implementation.
 - The scope is small enough for a bounded implementation loop in a later implementation skill.
 - Required checklist artifacts exist when the constitution requires them.
 Fail behavior:
 - Fix preparation-artifact issues when they are safe and bounded.
 - If readiness cannot be achieved without implementation or unresolved product decisions, stop and report the gap.
 - Do not compensate for an unclear spec by inventing implementation scope.
 ## Candidate Selection Rules
 When the user asks for the next best spec from roadmap/spec-candidates:
 - Read `docs/product/spec-candidates.md`.
 - Read relevant roadmap documents under `docs/product/`, especially `roadmap.md` if present.
 - Check existing specs to avoid duplicates.
 - Prefer candidates that align with current roadmap priorities, platform foundations, enterprise UX, RBAC/isolation, auditability, observability, and governance workflow maturity.
 - Prefer candidates that unlock roadmap progress, reduce architectural drift, harden foundations, or remove known blockers.
 - Prefer small, implementation-ready slices over broad platform rewrites.
 - If multiple candidates are plausible, choose one primary candidate and document why it was selected.
 - Add non-selected relevant candidates as follow-up spec candidates, not hidden scope.
 - Do not invent a candidate if existing roadmap/spec-candidate material provides a suitable one.
 - Do not pick a spec only because it is listed first.
 - Evaluate the Candidate Selection Gate before creating the spec directory.
 Evaluate candidates using these criteria:
 1. **Roadmap Fit**: Does it support the current roadmap sequence or unlock the next roadmap layer?
 2. **Foundation Value**: Does it strengthen reusable platform foundations such as RBAC, isolation, auditability, evidence, OperationRun observability, provider boundaries, vocabulary, baseline/control/finding semantics, or enterprise UX patterns?
 3. **Dependency Unblocking**: Does it make future specs smaller, safer, or more consistent?
 4. **Scope Size**: Can it be implemented as a narrow, testable slice?
 5. **Repo Readiness**: Does the repo already have enough structure to implement the next slice safely?
 6. **Risk Reduction**: Does it reduce current architectural or product risk?
 7. **User/Product Value**: Does it produce visible operator value or make the platform more sellable without heavy scope?
 ## Required Selection Output Before Spec Kit Execution
 Before running the Spec Kit flow, identify:
 - selected candidate title
 - source location in roadmap/spec-candidates
 - why it was selected
 - why close alternatives were deferred
 - roadmap relationship
 - smallest viable implementation slice
 - proposed concise feature description to feed into `specify`
 The feature description must be product- and behavior-oriented. It should not be a low-level implementation plan.
 ## Spec Kit Preparation Flow
 ### Step 1: Determine the repository's Spec Kit command pattern
 Inspect repository instructions and scripts to identify how this repo expects Spec Kit to be run.
 Common locations to inspect:
 ```text
 .specify/scripts/
 .specify/templates/
 .specify/memory/constitution.md
 .github/prompts/
 .github/skills/
 README.md
 specs/
 ```
 Use the repo-specific mechanism if present.
 ### Step 2: Run `specify`
 Run the repository's `specify` flow using the selected candidate and the smallest viable slice.
 The `specify` input should include:
 - selected candidate title
 - problem statement
 - operator/user value
 - roadmap relationship
 - out-of-scope boundaries
 - key acceptance criteria
 - important enterprise constraints
 Let Spec Kit create the correct branch and spec location if that is the repo's configured behavior.
 ### Step 3: Run `plan`
 Run the repository's `plan` flow for the generated spec.
 The `plan` input should keep the scope tight and should require repo-based alignment with:
 - constitution
 - existing architecture
 - workspace/tenant isolation
 - RBAC
 - OperationRun/observability where relevant
 - evidence/snapshot/truth semantics where relevant
 - Filament/Livewire conventions where relevant
 - test strategy
 ### Step 4: Run `tasks`
 Run the repository's `tasks` flow for the generated plan.
 The generated tasks must be:
 - ordered
 - small
 - testable
 - grouped by phase
 - limited to the selected scope
 - suitable for later implementation or manual analysis before implementation
 ### Step 5: Run preparation `analyze`
 Run the repository's `analyze` flow against the generated Spec Kit artifacts when the repository supports it.
 Analyze must check:
 - consistency between `spec.md`, `plan.md`, and `tasks.md`
 - constitution alignment
 - roadmap alignment
 - whether the selected candidate was narrowed safely
 - whether tasks are complete enough for implementation
 - whether tasks accidentally require scope not described in the spec
 - whether plan details conflict with repository architecture or terminology
 - whether implementation risks are documented instead of silently ignored
 Do not use analyze as a trigger to implement application code.
 ### Step 6: Fix preparation-artifact issues only
 If preparation analyze finds issues, fix only Spec Kit preparation artifacts such as:
 - `spec.md`
 - `plan.md`
 - `tasks.md`
 - `checklists/requirements.md` or other generated Spec Kit metadata files, if the repository uses them
 Allowed fixes include:
 - clarify requirements
 - tighten scope
 - move out-of-scope work into follow-up candidates
 - correct terminology
 - add missing tasks
 - remove tasks not backed by the spec
 - align plan language with repository architecture
 - add missing acceptance criteria or validation tasks
 - add missing checklist artifacts required by the constitution
 Forbidden fixes include:
 - modifying application code
 - creating migrations
 - editing models, services, jobs, policies, Filament resources, Livewire components, tests, commands, routes, or views
 - running implementation or test-fix loops
 - changing runtime behavior
 ### Step 7: Evaluate the Spec Readiness Gate
 After preparation analyze has passed or preparation-artifact issues have been fixed, evaluate the Spec Readiness Gate.
 Stop after this gate and do not implement.
 ## Spec Directory Rules
 When creating a new spec directory, use the repository's Spec Kit-generated directory or path.
 If the repository does not provide a command for spec setup, use the next valid spec number and a kebab-case slug:
 ```text
 specs/<number>-<slug>/
 ```
 The exact number must be derived from the current repository state and existing numbering conventions.
 Create or update preparation artifacts inside the selected spec directory:
 ```text
 specs/<number>-<slug>/spec.md
 specs/<number>-<slug>/plan.md
 specs/<number>-<slug>/tasks.md
 ```
 If the repository templates require additional preparation files, create them only when this is consistent with existing Spec Kit conventions.
 ## `spec.md` Requirements
 The spec must be product- and behavior-oriented. It should avoid premature implementation detail unless needed for correctness.
 Include:
 - Feature title
 - Problem statement
 - Business/product value
 - Primary users/operators
 - User stories
 - Functional requirements
 - Non-functional requirements
 - UX requirements
 - RBAC/security requirements
 - Auditability/observability requirements
 - Data/truth-source requirements where relevant
 - Out of scope
 - Acceptance criteria
 - Success criteria
 - Risks
 - Assumptions
 - Open questions
 TenantPilot/TenantAtlas specs should preserve enterprise SaaS principles:
 - workspace/tenant isolation
 - capability-first RBAC
 - auditability
 - operation/result truth separation
 - source-of-truth clarity
 - calm enterprise operator UX
 - progressive disclosure where useful
 - no false positive calmness
 ## `plan.md` Requirements
 The plan must be repo-aware and implementation-oriented, but it must not make code changes by itself.
 Include:
 - Technical approach
 - Existing repository surfaces likely affected
 - Domain/model implications
 - UI/Filament implications
 - Livewire implications where relevant
 - OperationRun/monitoring implications where relevant
 - RBAC/policy implications
 - Audit/logging/evidence implications where relevant
 - Data/migration implications where relevant
 - Test strategy
 - Rollout considerations
 - Risk controls
 - Implementation phases
 The plan should clearly distinguish where relevant:
 - execution truth
 - artifact truth
 - backup/snapshot truth
 - recovery/evidence truth
 - operator next action
 ## `tasks.md` Requirements
 Tasks must be ordered, small, and verifiable.
 Include:
 - checkbox tasks
 - phase grouping
 - tests before or alongside implementation tasks where practical
 - final validation tasks
 - documentation/update tasks if needed
 - explicit non-goals where useful
 Avoid vague tasks such as:
 ```text
 Clean up code
 Refactor UI
 Improve performance
 Make it enterprise-ready
 ```
 Prefer concrete tasks such as:
 ```text
 - [ ] Add a feature test covering workspace isolation for <specific behavior>.
 - [ ] Update <specific Filament page/resource> to display <specific state>.
 - [ ] Add policy coverage for <specific capability>.
 ```
 If exact file names are not known yet, phrase tasks as repo-verification tasks first rather than inventing file paths.
 ## Preparation Scope Control
 If the requested feature implies multiple independent concerns, create one primary spec for the smallest valuable slice and add a `Follow-up spec candidates` section.
 Examples of follow-up candidates:
 - assigned findings
 - pending approvals
 - personal work queue
 - notification delivery settings
 - evidence pack export hardening
 - operation monitoring refinements
 - autonomous governance decision surfaces
 Do not force all follow-up candidates into the primary spec.
 ## Failure Handling
 If a Spec Kit command or preparation analyze phase fails:
 1. Stop at the relevant gate.
 2. Report the failing command or phase.
 3. Summarize the error.
 4. Do not attempt implementation as a workaround.
 5. Suggest the smallest safe next action.
 If the branch or working tree state is unsafe:
 1. Stop before running Spec Kit commands.
 2. Report the current branch and relevant uncommitted files.
 3. Ask the user to commit, stash, or move to a clean worktree.
 ## Final Response Requirements
 Respond with:
 1. Selected candidate and why it was chosen
 2. Why close alternatives were deferred
 3. Current branch after Spec Kit execution, if changed
 4. Generated spec path
 5. Files created or updated by Spec Kit
 6. Preparation analyze result summary
 7. Preparation-artifact fixes applied after analyze
 8. Assumptions made
 9. Open questions, if any
 10. Candidate Selection Gate result
 11. Spec Readiness Gate result
 12. Recommended next implementation prompt
 13. Explicit statement that no application implementation was performed
 Keep the final response concise, but include enough detail for the user to continue immediately.
 ## Manual Review and Next-Step Prompts
 Provide a ready-to-copy manual artifact review prompt like this, adapted to the generated spec branch/path:
 ```markdown
 Du bist ein Senior Staff Software Architect und Enterprise SaaS Reviewer.
 Analysiere die neu erstellte Spec `<spec-branch-or-spec-path>` streng repo-basiert.
 Ziel:
 Prüfe, ob `spec.md`, `plan.md` und `tasks.md` vollständig, konsistent, implementierbar und constitution-konform sind.
 Wichtig:
 - Keine Implementierung.
 - Keine Codeänderungen.
 - Keine Scope-Erweiterung.
 - Prüfe nur gegen Repo-Wahrheit.
 - Benenne konkrete Konflikte mit Dateien, Patterns, Datenflüssen oder bestehenden Specs.
 - Schlage nur minimale Korrekturen an `spec.md`, `plan.md` und `tasks.md` vor.
 - Wenn alles passt, gib eine klare Implementierungsfreigabe.
 ```
 Also provide a ready-to-copy implementation prompt for the separate implementation skill after analyze has passed or preparation-artifact issues have been fixed:
 ```markdown
 /spec-kit-implementation-loop
 Implementiere die vorbereitete Spec `<spec-branch-or-spec-path>` streng anhand von `tasks.md`.
 Danach Tests ausführen, Browser Smoke Test falls UI/user-facing betroffen ist, Post-Implementation Analyse durchführen und alle bestätigten In-Scope Findings unabhängig von Severity beheben, wenn safe und bounded.
 Wiederhole test + browser smoke + analysis + fix bis keine In-Scope Findings mehr offen sind oder eine Stop Condition greift.
 ```
 ## Example Invocation
 User:
 ```text
 Nutze den Skill spec-kit-next-best-prep.
 Wähle aus roadmap.md und spec-candidates.md die nächste sinnvollste Spec.
 Führe danach GitHub Spec Kit specify, plan, tasks und analyze in einem Rutsch aus.
 Behebe alle analyze-Issues in den Spec-Kit-Artefakten.
 Keine Application-Implementierung.
 ```
 Expected behavior:
 1. Inspect constitution, Spec Kit scripts/templates, specs, roadmap, and spec candidates.
 2. Check branch and working tree safety.
 3. Compare candidate suitability.
 4. Select the next best candidate.
 5. Evaluate the Candidate Selection Gate.
 6. Run the repository's real Spec Kit `specify` flow, letting it handle branch/spec setup.
 7. Run the repository's real Spec Kit `plan` flow.
 8. Run the repository's real Spec Kit `tasks` flow.
 9. Run the repository's real Spec Kit preparation `analyze` flow.
 10. Fix analyze issues only in Spec Kit preparation artifacts.
 11. Evaluate the Spec Readiness Gate.
 12. Stop before application implementation.
 13. Return selection rationale, branch/path summary, artifact summary, analyze summary, fixes applied, gates, and next implementation prompt.
 ```
--- a/.specify/extensions.yml
+++ b/.specify/extensions.yml
@ -1,148 +0,0 @@
 installed: []
 settings:
  auto_execute_hooks: true
 hooks:
  before_constitution:
  - extension: git
    command: speckit.git.initialize
    enabled: true
    optional: false
    prompt: Execute speckit.git.initialize?
    description: Initialize Git repository before constitution setup
    condition: null
  before_specify:
  - extension: git
    command: speckit.git.feature
    enabled: true
    optional: false
    prompt: Execute speckit.git.feature?
    description: Create feature branch before specification
    condition: null
  before_clarify:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit outstanding changes before clarification?
    description: Auto-commit before spec clarification
    condition: null
  before_plan:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit outstanding changes before planning?
    description: Auto-commit before implementation planning
    condition: null
  before_tasks:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit outstanding changes before task generation?
    description: Auto-commit before task generation
    condition: null
  before_implement:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit outstanding changes before implementation?
    description: Auto-commit before implementation
    condition: null
  before_checklist:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit outstanding changes before checklist?
    description: Auto-commit before checklist generation
    condition: null
  before_analyze:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit outstanding changes before analysis?
    description: Auto-commit before analysis
    condition: null
  before_taskstoissues:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit outstanding changes before issue sync?
    description: Auto-commit before tasks-to-issues conversion
    condition: null
  after_constitution:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit constitution changes?
    description: Auto-commit after constitution update
    condition: null
  after_specify:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit specification changes?
    description: Auto-commit after specification
    condition: null
  after_clarify:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit clarification changes?
    description: Auto-commit after spec clarification
    condition: null
  after_plan:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit plan changes?
    description: Auto-commit after implementation planning
    condition: null
  after_tasks:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit task changes?
    description: Auto-commit after task generation
    condition: null
  after_implement:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit implementation changes?
    description: Auto-commit after implementation
    condition: null
  after_checklist:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit checklist changes?
    description: Auto-commit after checklist generation
    condition: null
  after_analyze:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit analysis results?
    description: Auto-commit after analysis
    condition: null
  after_taskstoissues:
  - extension: git
    command: speckit.git.commit
    enabled: true
    optional: true
    prompt: Commit after syncing issues?
    description: Auto-commit after tasks-to-issues conversion
    condition: null
--- a/.specify/extensions/.registry
+++ b/.specify/extensions/.registry
@ -1,44 +0,0 @@
 {
  "schema_version": "1.0",
  "extensions": {
    "git": {
      "version": "1.0.0",
      "source": "local",
      "manifest_hash": "sha256:9731aa8143a72fbebfdb440f155038ab42642517c2b2bdbbf67c8fdbe076ed79",
      "enabled": true,
      "priority": 10,
      "registered_commands": {
        "agy": [
          "speckit.git.feature",
          "speckit.git.validate",
          "speckit.git.remote",
          "speckit.git.initialize",
          "speckit.git.commit"
        ],
        "codex": [
          "speckit.git.feature",
          "speckit.git.validate",
          "speckit.git.remote",
          "speckit.git.initialize",
          "speckit.git.commit"
        ],
        "copilot": [
          "speckit.git.feature",
          "speckit.git.validate",
          "speckit.git.remote",
          "speckit.git.initialize",
          "speckit.git.commit"
        ],
        "gemini": [
          "speckit.git.feature",
          "speckit.git.validate",
          "speckit.git.remote",
          "speckit.git.initialize",
          "speckit.git.commit"
        ]
      },
      "registered_skills": [],
      "installed_at": "2026-04-22T21:58:03.029565+00:00"
    }
  }
 }
--- a/.specify/extensions/git/README.md
+++ b/.specify/extensions/git/README.md
@ -1,100 +0,0 @@
 # Git Branching Workflow Extension
 Git repository initialization, feature branch creation, numbering (sequential/timestamp), validation, remote detection, and auto-commit for Spec Kit.
 ## Overview
 This extension provides Git operations as an optional, self-contained module. It manages:
 - **Repository initialization** with configurable commit messages
 - **Feature branch creation** with sequential (`001-feature-name`) or timestamp (`20260319-143022-feature-name`) numbering
 - **Branch validation** to ensure branches follow naming conventions
 - **Git remote detection** for GitHub integration (e.g., issue creation)
 - **Auto-commit** after core commands (configurable per-command with custom messages)
 ## Commands
 | Command | Description |
 |---------|-------------|
 | `speckit.git.initialize` | Initialize a Git repository with a configurable commit message |
 | `speckit.git.feature` | Create a feature branch with sequential or timestamp numbering |
 | `speckit.git.validate` | Validate current branch follows feature branch naming conventions |
 | `speckit.git.remote` | Detect Git remote URL for GitHub integration |
 | `speckit.git.commit` | Auto-commit changes (configurable per-command enable/disable and messages) |
 ## Hooks
 | Event | Command | Optional | Description |
 |-------|---------|----------|-------------|
 | `before_constitution` | `speckit.git.initialize` | No | Init git repo before constitution |
 | `before_specify` | `speckit.git.feature` | No | Create feature branch before specification |
 | `before_clarify` | `speckit.git.commit` | Yes | Commit outstanding changes before clarification |
 | `before_plan` | `speckit.git.commit` | Yes | Commit outstanding changes before planning |
 | `before_tasks` | `speckit.git.commit` | Yes | Commit outstanding changes before task generation |
 | `before_implement` | `speckit.git.commit` | Yes | Commit outstanding changes before implementation |
 | `before_checklist` | `speckit.git.commit` | Yes | Commit outstanding changes before checklist |
 | `before_analyze` | `speckit.git.commit` | Yes | Commit outstanding changes before analysis |
 | `before_taskstoissues` | `speckit.git.commit` | Yes | Commit outstanding changes before issue sync |
 | `after_constitution` | `speckit.git.commit` | Yes | Auto-commit after constitution update |
 | `after_specify` | `speckit.git.commit` | Yes | Auto-commit after specification |
 | `after_clarify` | `speckit.git.commit` | Yes | Auto-commit after clarification |
 | `after_plan` | `speckit.git.commit` | Yes | Auto-commit after planning |
 | `after_tasks` | `speckit.git.commit` | Yes | Auto-commit after task generation |
 | `after_implement` | `speckit.git.commit` | Yes | Auto-commit after implementation |
 | `after_checklist` | `speckit.git.commit` | Yes | Auto-commit after checklist |
 | `after_analyze` | `speckit.git.commit` | Yes | Auto-commit after analysis |
 | `after_taskstoissues` | `speckit.git.commit` | Yes | Auto-commit after issue sync |
 ## Configuration
 Configuration is stored in `.specify/extensions/git/git-config.yml`:
 ```yaml
 # Branch numbering strategy: "sequential" or "timestamp"
 branch_numbering: sequential
 # Custom commit message for git init
 init_commit_message: "[Spec Kit] Initial commit"
 # Auto-commit per command (all disabled by default)
 # Example: enable auto-commit after specify
 auto_commit:
  default: false
  after_specify:
    enabled: true
    message: "[Spec Kit] Add specification"
 ```
 ## Installation
 ```bash
 # Install the bundled git extension (no network required)
 specify extension add git
 ```
 ## Disabling
 ```bash
 # Disable the git extension (spec creation continues without branching)
 specify extension disable git
 # Re-enable it
 specify extension enable git
 ```
 ## Graceful Degradation
 When Git is not installed or the directory is not a Git repository:
 - Spec directories are still created under `specs/`
 - Branch creation is skipped with a warning
 - Branch validation is skipped with a warning
 - Remote detection returns empty results
 ## Scripts
 The extension bundles cross-platform scripts:
 - `scripts/bash/create-new-feature.sh` — Bash implementation
 - `scripts/bash/git-common.sh` — Shared Git utilities (Bash)
 - `scripts/powershell/create-new-feature.ps1` — PowerShell implementation
 - `scripts/powershell/git-common.ps1` — Shared Git utilities (PowerShell)
--- a/.specify/extensions/git/commands/speckit.git.commit.md
+++ b/.specify/extensions/git/commands/speckit.git.commit.md
@ -1,48 +0,0 @@
 ---
 description: "Auto-commit changes after a Spec Kit command completes"
 ---
 # Auto-Commit Changes
 Automatically stage and commit all changes after a Spec Kit command completes.
 ## Behavior
 This command is invoked as a hook after (or before) core commands. It:
 1. Determines the event name from the hook context (e.g., if invoked as an `after_specify` hook, the event is `after_specify`; if `before_plan`, the event is `before_plan`)
 2. Checks `.specify/extensions/git/git-config.yml` for the `auto_commit` section
 3. Looks up the specific event key to see if auto-commit is enabled
 4. Falls back to `auto_commit.default` if no event-specific key exists
 5. Uses the per-command `message` if configured, otherwise a default message
 6. If enabled and there are uncommitted changes, runs `git add .` + `git commit`
 ## Execution
 Determine the event name from the hook that triggered this command, then run the script:
 - **Bash**: `.specify/extensions/git/scripts/bash/auto-commit.sh <event_name>`
 - **PowerShell**: `.specify/extensions/git/scripts/powershell/auto-commit.ps1 <event_name>`
 Replace `<event_name>` with the actual hook event (e.g., `after_specify`, `before_plan`, `after_implement`).
 ## Configuration
 In `.specify/extensions/git/git-config.yml`:
 ```yaml
 auto_commit:
  default: false          # Global toggle — set true to enable for all commands
  after_specify:
    enabled: true          # Override per-command
    message: "[Spec Kit] Add specification"
  after_plan:
    enabled: false
    message: "[Spec Kit] Add implementation plan"
 ```
 ## Graceful Degradation
 - If Git is not available or the current directory is not a repository: skips with a warning
 - If no config file exists: skips (disabled by default)
 - If no changes to commit: skips with a message
--- a/.specify/extensions/git/commands/speckit.git.feature.md
+++ b/.specify/extensions/git/commands/speckit.git.feature.md
@ -1,67 +0,0 @@
 ---
 description: "Create a feature branch with sequential or timestamp numbering"
 ---
 # Create Feature Branch
 Create and switch to a new git feature branch for the given specification. This command handles **branch creation only** — the spec directory and files are created by the core `/speckit.specify` workflow.
 ## User Input
 ```text
 $ARGUMENTS
 ```
 You **MUST** consider the user input before proceeding (if not empty).
 ## Environment Variable Override
 If the user explicitly provided `GIT_BRANCH_NAME` (e.g., via environment variable, argument, or in their request), pass it through to the script by setting the `GIT_BRANCH_NAME` environment variable before invoking the script. When `GIT_BRANCH_NAME` is set:
 - The script uses the exact value as the branch name, bypassing all prefix/suffix generation
 - `--short-name`, `--number`, and `--timestamp` flags are ignored
 - `FEATURE_NUM` is extracted from the name if it starts with a numeric prefix, otherwise set to the full branch name
 ## Prerequisites
 - Verify Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
 - If Git is not available, warn the user and skip branch creation
 ## Branch Numbering Mode
 Determine the branch numbering strategy by checking configuration in this order:
 1. Check `.specify/extensions/git/git-config.yml` for `branch_numbering` value
 2. Check `.specify/init-options.json` for `branch_numbering` value (backward compatibility)
 3. Default to `sequential` if neither exists
 ## Execution
 Generate a concise short name (2-4 words) for the branch:
 - Analyze the feature description and extract the most meaningful keywords
 - Use action-noun format when possible (e.g., "add-user-auth", "fix-payment-bug")
 - Preserve technical terms and acronyms (OAuth2, API, JWT, etc.)
 Run the appropriate script based on your platform:
 - **Bash**: `.specify/extensions/git/scripts/bash/create-new-feature.sh --json --short-name "<short-name>" "<feature description>"`
 - **Bash (timestamp)**: `.specify/extensions/git/scripts/bash/create-new-feature.sh --json --timestamp --short-name "<short-name>" "<feature description>"`
 - **PowerShell**: `.specify/extensions/git/scripts/powershell/create-new-feature.ps1 -Json -ShortName "<short-name>" "<feature description>"`
 - **PowerShell (timestamp)**: `.specify/extensions/git/scripts/powershell/create-new-feature.ps1 -Json -Timestamp -ShortName "<short-name>" "<feature description>"`
 **IMPORTANT**:
 - Do NOT pass `--number` — the script determines the correct next number automatically
 - Always include the JSON flag (`--json` for Bash, `-Json` for PowerShell) so the output can be parsed reliably
 - You must only ever run this script once per feature
 - The JSON output will contain `BRANCH_NAME` and `FEATURE_NUM`
 ## Graceful Degradation
 If Git is not installed or the current directory is not a Git repository:
 - Branch creation is skipped with a warning: `[specify] Warning: Git repository not detected; skipped branch creation`
 - The script still outputs `BRANCH_NAME` and `FEATURE_NUM` so the caller can reference them
 ## Output
 The script outputs JSON with:
 - `BRANCH_NAME`: The branch name (e.g., `003-user-auth` or `20260319-143022-user-auth`)
 - `FEATURE_NUM`: The numeric or timestamp prefix used
--- a/.specify/extensions/git/commands/speckit.git.initialize.md
+++ b/.specify/extensions/git/commands/speckit.git.initialize.md
@ -1,49 +0,0 @@
 ---
 description: "Initialize a Git repository with an initial commit"
 ---
 # Initialize Git Repository
 Initialize a Git repository in the current project directory if one does not already exist.
 ## Execution
 Run the appropriate script from the project root:
 - **Bash**: `.specify/extensions/git/scripts/bash/initialize-repo.sh`
 - **PowerShell**: `.specify/extensions/git/scripts/powershell/initialize-repo.ps1`
 If the extension scripts are not found, fall back to:
 - **Bash**: `git init && git add . && git commit -m "Initial commit from Specify template"`
 - **PowerShell**: `git init; git add .; git commit -m "Initial commit from Specify template"`
 The script handles all checks internally:
 - Skips if Git is not available
 - Skips if already inside a Git repository
 - Runs `git init`, `git add .`, and `git commit` with an initial commit message
 ## Customization
 Replace the script to add project-specific Git initialization steps:
 - Custom `.gitignore` templates
 - Default branch naming (`git config init.defaultBranch`)
 - Git LFS setup
 - Git hooks installation
 - Commit signing configuration
 - Git Flow initialization
 ## Output
 On success:
 - `✓ Git repository initialized`
 ## Graceful Degradation
 If Git is not installed:
 - Warn the user
 - Skip repository initialization
 - The project continues to function without Git (specs can still be created under `specs/`)
 If Git is installed but `git init`, `git add .`, or `git commit` fails:
 - Surface the error to the user
 - Stop this command rather than continuing with a partially initialized repository
--- a/.specify/extensions/git/commands/speckit.git.remote.md
+++ b/.specify/extensions/git/commands/speckit.git.remote.md
@ -1,45 +0,0 @@
 ---
 description: "Detect Git remote URL for GitHub integration"
 ---
 # Detect Git Remote URL
 Detect the Git remote URL for integration with GitHub services (e.g., issue creation).
 ## Prerequisites
 - Check if Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
 - If Git is not available, output a warning and return empty:
  ```
  [specify] Warning: Git repository not detected; cannot determine remote URL
  ```
 ## Execution
 Run the following command to get the remote URL:
 ```bash
 git config --get remote.origin.url
 ```
 ## Output
 Parse the remote URL and determine:
 1. **Repository owner**: Extract from the URL (e.g., `github` from `https://github.com/github/spec-kit.git`)
 2. **Repository name**: Extract from the URL (e.g., `spec-kit` from `https://github.com/github/spec-kit.git`)
 3. **Is GitHub**: Whether the remote points to a GitHub repository
 Supported URL formats:
 - HTTPS: `https://github.com/<owner>/<repo>.git`
 - SSH: `git@github.com:<owner>/<repo>.git`
 > [!CAUTION]
 > ONLY report a GitHub repository if the remote URL actually points to github.com.
 > Do NOT assume the remote is GitHub if the URL format doesn't match.
 ## Graceful Degradation
 If Git is not installed, the directory is not a Git repository, or no remote is configured:
 - Return an empty result
 - Do NOT error — other workflows should continue without Git remote information
--- a/.specify/extensions/git/commands/speckit.git.validate.md
+++ b/.specify/extensions/git/commands/speckit.git.validate.md
@ -1,49 +0,0 @@
 ---
 description: "Validate current branch follows feature branch naming conventions"
 ---
 # Validate Feature Branch
 Validate that the current Git branch follows the expected feature branch naming conventions.
 ## Prerequisites
 - Check if Git is available by running `git rev-parse --is-inside-work-tree 2>/dev/null`
 - If Git is not available, output a warning and skip validation:
  ```
  [specify] Warning: Git repository not detected; skipped branch validation
  ```
 ## Validation Rules
 Get the current branch name:
 ```bash
 git rev-parse --abbrev-ref HEAD
 ```
 The branch name must match one of these patterns:
 1. **Sequential**: `^[0-9]{3,}-` (e.g., `001-feature-name`, `042-fix-bug`, `1000-big-feature`)
 2. **Timestamp**: `^[0-9]{8}-[0-9]{6}-` (e.g., `20260319-143022-feature-name`)
 ## Execution
 If on a feature branch (matches either pattern):
 - Output: `✓ On feature branch: <branch-name>`
 - Check if the corresponding spec directory exists under `specs/`:
  - For sequential branches, look for `specs/<prefix>-*` where prefix matches the numeric portion
  - For timestamp branches, look for `specs/<prefix>-*` where prefix matches the `YYYYMMDD-HHMMSS` portion
 - If spec directory exists: `✓ Spec directory found: <path>`
 - If spec directory missing: `⚠ No spec directory found for prefix <prefix>`
 If NOT on a feature branch:
 - Output: `✗ Not on a feature branch. Current branch: <branch-name>`
 - Output: `Feature branches should be named like: 001-feature-name or 20260319-143022-feature-name`
 ## Graceful Degradation
 If Git is not installed or the directory is not a Git repository:
 - Check the `SPECIFY_FEATURE` environment variable as a fallback
 - If set, validate that value against the naming patterns
 - If not set, skip validation with a warning
--- a/.specify/extensions/git/config-template.yml
+++ b/.specify/extensions/git/config-template.yml
@ -1,62 +0,0 @@
 # Git Branching Workflow Extension Configuration
 # Copied to .specify/extensions/git/git-config.yml on install
 # Branch numbering strategy: "sequential" (001, 002, ...) or "timestamp" (YYYYMMDD-HHMMSS)
 branch_numbering: sequential
 # Commit message used by `git commit` during repository initialization
 init_commit_message: "[Spec Kit] Initial commit"
 # Auto-commit before/after core commands.
 # Set "default" to enable for all commands, then override per-command.
 # Each key can be true/false. Message is customizable per-command.
 auto_commit:
  default: false
  before_clarify:
    enabled: false
    message: "[Spec Kit] Save progress before clarification"
  before_plan:
    enabled: false
    message: "[Spec Kit] Save progress before planning"
  before_tasks:
    enabled: false
    message: "[Spec Kit] Save progress before task generation"
  before_implement:
    enabled: false
    message: "[Spec Kit] Save progress before implementation"
  before_checklist:
    enabled: false
    message: "[Spec Kit] Save progress before checklist"
  before_analyze:
    enabled: false
    message: "[Spec Kit] Save progress before analysis"
  before_taskstoissues:
    enabled: false
    message: "[Spec Kit] Save progress before issue sync"
  after_constitution:
    enabled: false
    message: "[Spec Kit] Add project constitution"
  after_specify:
    enabled: false
    message: "[Spec Kit] Add specification"
  after_clarify:
    enabled: false
    message: "[Spec Kit] Clarify specification"
  after_plan:
    enabled: false
    message: "[Spec Kit] Add implementation plan"
  after_tasks:
    enabled: false
    message: "[Spec Kit] Add tasks"
  after_implement:
    enabled: false
    message: "[Spec Kit] Implementation progress"
  after_checklist:
    enabled: false
    message: "[Spec Kit] Add checklist"
  after_analyze:
    enabled: false
    message: "[Spec Kit] Add analysis report"
  after_taskstoissues:
    enabled: false
    message: "[Spec Kit] Sync tasks to issues"
--- a/.specify/extensions/git/extension.yml
+++ b/.specify/extensions/git/extension.yml
@ -1,140 +0,0 @@
 schema_version: "1.0"
 extension:
  id: git
  name: "Git Branching Workflow"
  version: "1.0.0"
  description: "Feature branch creation, numbering (sequential/timestamp), validation, and Git remote detection"
  author: spec-kit-core
  repository: https://github.com/github/spec-kit
  license: MIT
 requires:
  speckit_version: ">=0.2.0"
  tools:
    - name: git
      required: false
 provides:
  commands:
    - name: speckit.git.feature
      file: commands/speckit.git.feature.md
      description: "Create a feature branch with sequential or timestamp numbering"
    - name: speckit.git.validate
      file: commands/speckit.git.validate.md
      description: "Validate current branch follows feature branch naming conventions"
    - name: speckit.git.remote
      file: commands/speckit.git.remote.md
      description: "Detect Git remote URL for GitHub integration"
    - name: speckit.git.initialize
      file: commands/speckit.git.initialize.md
      description: "Initialize a Git repository with an initial commit"
    - name: speckit.git.commit
      file: commands/speckit.git.commit.md
      description: "Auto-commit changes after a Spec Kit command completes"
  config:
    - name: "git-config.yml"
      template: "config-template.yml"
      description: "Git branching configuration"
      required: false
 hooks:
  before_constitution:
    command: speckit.git.initialize
    optional: false
    description: "Initialize Git repository before constitution setup"
  before_specify:
    command: speckit.git.feature
    optional: false
    description: "Create feature branch before specification"
  before_clarify:
    command: speckit.git.commit
    optional: true
    prompt: "Commit outstanding changes before clarification?"
    description: "Auto-commit before spec clarification"
  before_plan:
    command: speckit.git.commit
    optional: true
    prompt: "Commit outstanding changes before planning?"
    description: "Auto-commit before implementation planning"
  before_tasks:
    command: speckit.git.commit
    optional: true
    prompt: "Commit outstanding changes before task generation?"
    description: "Auto-commit before task generation"
  before_implement:
    command: speckit.git.commit
    optional: true
    prompt: "Commit outstanding changes before implementation?"
    description: "Auto-commit before implementation"
  before_checklist:
    command: speckit.git.commit
    optional: true
    prompt: "Commit outstanding changes before checklist?"
    description: "Auto-commit before checklist generation"
  before_analyze:
    command: speckit.git.commit
    optional: true
    prompt: "Commit outstanding changes before analysis?"
    description: "Auto-commit before analysis"
  before_taskstoissues:
    command: speckit.git.commit
    optional: true
    prompt: "Commit outstanding changes before issue sync?"
    description: "Auto-commit before tasks-to-issues conversion"
  after_constitution:
    command: speckit.git.commit
    optional: true
    prompt: "Commit constitution changes?"
    description: "Auto-commit after constitution update"
  after_specify:
    command: speckit.git.commit
    optional: true
    prompt: "Commit specification changes?"
    description: "Auto-commit after specification"
  after_clarify:
    command: speckit.git.commit
    optional: true
    prompt: "Commit clarification changes?"
    description: "Auto-commit after spec clarification"
  after_plan:
    command: speckit.git.commit
    optional: true
    prompt: "Commit plan changes?"
    description: "Auto-commit after implementation planning"
  after_tasks:
    command: speckit.git.commit
    optional: true
    prompt: "Commit task changes?"
    description: "Auto-commit after task generation"
  after_implement:
    command: speckit.git.commit
    optional: true
    prompt: "Commit implementation changes?"
    description: "Auto-commit after implementation"
  after_checklist:
    command: speckit.git.commit
    optional: true
    prompt: "Commit checklist changes?"
    description: "Auto-commit after checklist generation"
  after_analyze:
    command: speckit.git.commit
    optional: true
    prompt: "Commit analysis results?"
    description: "Auto-commit after analysis"
  after_taskstoissues:
    command: speckit.git.commit
    optional: true
    prompt: "Commit after syncing issues?"
    description: "Auto-commit after tasks-to-issues conversion"
 tags:
  - "git"
  - "branching"
  - "workflow"
 config:
  defaults:
    branch_numbering: sequential
    init_commit_message: "[Spec Kit] Initial commit"
--- a/.specify/extensions/git/git-config.yml
+++ b/.specify/extensions/git/git-config.yml
@ -1,62 +0,0 @@
 # Git Branching Workflow Extension Configuration
 # Copied to .specify/extensions/git/git-config.yml on install
 # Branch numbering strategy: "sequential" (001, 002, ...) or "timestamp" (YYYYMMDD-HHMMSS)
 branch_numbering: sequential
 # Commit message used by `git commit` during repository initialization
 init_commit_message: "[Spec Kit] Initial commit"
 # Auto-commit before/after core commands.
 # Set "default" to enable for all commands, then override per-command.
 # Each key can be true/false. Message is customizable per-command.
 auto_commit:
  default: false
  before_clarify:
    enabled: false
    message: "[Spec Kit] Save progress before clarification"
  before_plan:
    enabled: false
    message: "[Spec Kit] Save progress before planning"
  before_tasks:
    enabled: false
    message: "[Spec Kit] Save progress before task generation"
  before_implement:
    enabled: false
    message: "[Spec Kit] Save progress before implementation"
  before_checklist:
    enabled: false
    message: "[Spec Kit] Save progress before checklist"
  before_analyze:
    enabled: false
    message: "[Spec Kit] Save progress before analysis"
  before_taskstoissues:
    enabled: false
    message: "[Spec Kit] Save progress before issue sync"
  after_constitution:
    enabled: false
    message: "[Spec Kit] Add project constitution"
  after_specify:
    enabled: false
    message: "[Spec Kit] Add specification"
  after_clarify:
    enabled: false
    message: "[Spec Kit] Clarify specification"
  after_plan:
    enabled: false
    message: "[Spec Kit] Add implementation plan"
  after_tasks:
    enabled: false
    message: "[Spec Kit] Add tasks"
  after_implement:
    enabled: false
    message: "[Spec Kit] Implementation progress"
  after_checklist:
    enabled: false
    message: "[Spec Kit] Add checklist"
  after_analyze:
    enabled: false
    message: "[Spec Kit] Add analysis report"
  after_taskstoissues:
    enabled: false
    message: "[Spec Kit] Sync tasks to issues"
--- a/.specify/extensions/git/scripts/bash/auto-commit.sh
+++ b/.specify/extensions/git/scripts/bash/auto-commit.sh
@ -1,140 +0,0 @@
 #!/usr/bin/env bash
 # Git extension: auto-commit.sh
 # Automatically commit changes after a Spec Kit command completes.
 # Checks per-command config keys in git-config.yml before committing.
 #
 # Usage: auto-commit.sh <event_name>
 #   e.g.: auto-commit.sh after_specify
 set -e
 EVENT_NAME="${1:-}"
 if [ -z "$EVENT_NAME" ]; then
    echo "Usage: $0 <event_name>" >&2
    exit 1
 fi
 SCRIPT_DIR="$(CDPATH="" cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 _find_project_root() {
    local dir="$1"
    while [ "$dir" != "/" ]; do
        if [ -d "$dir/.specify" ] || [ -d "$dir/.git" ]; then
            echo "$dir"
            return 0
        fi
        dir="$(dirname "$dir")"
    done
    return 1
 }
 REPO_ROOT=$(_find_project_root "$SCRIPT_DIR") || REPO_ROOT="$(pwd)"
 cd "$REPO_ROOT"
 # Check if git is available
 if ! command -v git >/dev/null 2>&1; then
    echo "[specify] Warning: Git not found; skipped auto-commit" >&2
    exit 0
 fi
 if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    echo "[specify] Warning: Not a Git repository; skipped auto-commit" >&2
    exit 0
 fi
 # Read per-command config from git-config.yml
 _config_file="$REPO_ROOT/.specify/extensions/git/git-config.yml"
 _enabled=false
 _commit_msg=""
 if [ -f "$_config_file" ]; then
    # Parse the auto_commit section for this event.
    # Look for auto_commit.<event_name>.enabled and .message
    # Also check auto_commit.default as fallback.
    _in_auto_commit=false
    _in_event=false
    _default_enabled=false
    while IFS= read -r _line; do
        # Detect auto_commit: section
        if echo "$_line" | grep -q '^auto_commit:'; then
            _in_auto_commit=true
            _in_event=false
            continue
        fi
        # Exit auto_commit section on next top-level key
        if $_in_auto_commit && echo "$_line" | grep -Eq '^[a-z]'; then
            break
        fi
        if $_in_auto_commit; then
            # Check default key
            if echo "$_line" | grep -Eq "^[[:space:]]+default:[[:space:]]"; then
                _val=$(echo "$_line" | sed 's/^[^:]*:[[:space:]]*//' | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
                [ "$_val" = "true" ] && _default_enabled=true
            fi
            # Detect our event subsection
            if echo "$_line" | grep -Eq "^[[:space:]]+${EVENT_NAME}:"; then
                _in_event=true
                continue
            fi
            # Inside our event subsection
            if $_in_event; then
                # Exit on next sibling key (same indent level as event name)
                if echo "$_line" | grep -Eq '^[[:space:]]{2}[a-z]' && ! echo "$_line" | grep -Eq '^[[:space:]]{4}'; then
                    _in_event=false
                    continue
                fi
                if echo "$_line" | grep -Eq '[[:space:]]+enabled:'; then
                    _val=$(echo "$_line" | sed 's/^[^:]*:[[:space:]]*//' | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
                    [ "$_val" = "true" ] && _enabled=true
                    [ "$_val" = "false" ] && _enabled=false
                fi
                if echo "$_line" | grep -Eq '[[:space:]]+message:'; then
                    _commit_msg=$(echo "$_line" | sed 's/^[^:]*:[[:space:]]*//' | sed 's/^["'\'']//' | sed 's/["'\'']*$//')
                fi
            fi
        fi
    done < "$_config_file"
    # If event-specific key not found, use default
    if [ "$_enabled" = "false" ] && [ "$_default_enabled" = "true" ]; then
        # Only use default if the event wasn't explicitly set to false
        # Check if event section existed at all
        if ! grep -q "^[[:space:]]*${EVENT_NAME}:" "$_config_file" 2>/dev/null; then
            _enabled=true
        fi
    fi
 else
    # No config file — auto-commit disabled by default
    exit 0
 fi
 if [ "$_enabled" != "true" ]; then
    exit 0
 fi
 # Check if there are changes to commit
 if git diff --quiet HEAD 2>/dev/null && git diff --cached --quiet 2>/dev/null && [ -z "$(git ls-files --others --exclude-standard 2>/dev/null)" ]; then
    echo "[specify] No changes to commit after $EVENT_NAME" >&2
    exit 0
 fi
 # Derive a human-readable command name from the event
 # e.g., after_specify -> specify, before_plan -> plan
 _command_name=$(echo "$EVENT_NAME" | sed 's/^after_//' | sed 's/^before_//')
 _phase=$(echo "$EVENT_NAME" | grep -q '^before_' && echo 'before' || echo 'after')
 # Use custom message if configured, otherwise default
 if [ -z "$_commit_msg" ]; then
    _commit_msg="[Spec Kit] Auto-commit ${_phase} ${_command_name}"
 fi
 # Stage and commit
 _git_out=$(git add . 2>&1) || { echo "[specify] Error: git add failed: $_git_out" >&2; exit 1; }
 _git_out=$(git commit -q -m "$_commit_msg" 2>&1) || { echo "[specify] Error: git commit failed: $_git_out" >&2; exit 1; }
 echo "[OK] Changes committed ${_phase} ${_command_name}" >&2
--- a/.specify/extensions/git/scripts/bash/create-new-feature.sh
+++ b/.specify/extensions/git/scripts/bash/create-new-feature.sh
@ -1,453 +0,0 @@
 #!/usr/bin/env bash
 # Git extension: create-new-feature.sh
 # Adapted from core scripts/bash/create-new-feature.sh for extension layout.
 # Sources common.sh from the project's installed scripts, falling back to
 # git-common.sh for minimal git helpers.
 set -e
 JSON_MODE=false
 DRY_RUN=false
 ALLOW_EXISTING=false
 SHORT_NAME=""
 BRANCH_NUMBER=""
 USE_TIMESTAMP=false
 ARGS=()
 i=1
 while [ $i -le $# ]; do
    arg="${!i}"
    case "$arg" in
        --json)
            JSON_MODE=true
            ;;
        --dry-run)
            DRY_RUN=true
            ;;
        --allow-existing-branch)
            ALLOW_EXISTING=true
            ;;
        --short-name)
            if [ $((i + 1)) -gt $# ]; then
                echo 'Error: --short-name requires a value' >&2
                exit 1
            fi
            i=$((i + 1))
            next_arg="${!i}"
            if [[ "$next_arg" == --* ]]; then
                echo 'Error: --short-name requires a value' >&2
                exit 1
            fi
            SHORT_NAME="$next_arg"
            ;;
        --number)
            if [ $((i + 1)) -gt $# ]; then
                echo 'Error: --number requires a value' >&2
                exit 1
            fi
            i=$((i + 1))
            next_arg="${!i}"
            if [[ "$next_arg" == --* ]]; then
                echo 'Error: --number requires a value' >&2
                exit 1
            fi
            BRANCH_NUMBER="$next_arg"
            if [[ ! "$BRANCH_NUMBER" =~ ^[0-9]+$ ]]; then
                echo 'Error: --number must be a non-negative integer' >&2
                exit 1
            fi
            ;;
        --timestamp)
            USE_TIMESTAMP=true
            ;;
        --help|-h)
            echo "Usage: $0 [--json] [--dry-run] [--allow-existing-branch] [--short-name <name>] [--number N] [--timestamp] <feature_description>"
            echo ""
            echo "Options:"
            echo "  --json              Output in JSON format"
            echo "  --dry-run           Compute branch name without creating the branch"
            echo "  --allow-existing-branch  Switch to branch if it already exists instead of failing"
            echo "  --short-name <name> Provide a custom short name (2-4 words) for the branch"
            echo "  --number N          Specify branch number manually (overrides auto-detection)"
            echo "  --timestamp         Use timestamp prefix (YYYYMMDD-HHMMSS) instead of sequential numbering"
            echo "  --help, -h          Show this help message"
            echo ""
            echo "Environment variables:"
            echo "  GIT_BRANCH_NAME     Use this exact branch name, bypassing all prefix/suffix generation"
            echo ""
            echo "Examples:"
            echo "  $0 'Add user authentication system' --short-name 'user-auth'"
            echo "  $0 'Implement OAuth2 integration for API' --number 5"
            echo "  $0 --timestamp --short-name 'user-auth' 'Add user authentication'"
            echo "  GIT_BRANCH_NAME=my-branch $0 'feature description'"
            exit 0
            ;;
        *)
            ARGS+=("$arg")
            ;;
    esac
    i=$((i + 1))
 done
 FEATURE_DESCRIPTION="${ARGS[*]}"
 if [ -z "$FEATURE_DESCRIPTION" ]; then
    echo "Usage: $0 [--json] [--dry-run] [--allow-existing-branch] [--short-name <name>] [--number N] [--timestamp] <feature_description>" >&2
    exit 1
 fi
 # Trim whitespace and validate description is not empty
 FEATURE_DESCRIPTION=$(echo "$FEATURE_DESCRIPTION" | xargs)
 if [ -z "$FEATURE_DESCRIPTION" ]; then
    echo "Error: Feature description cannot be empty or contain only whitespace" >&2
    exit 1
 fi
 # Function to get highest number from specs directory
 get_highest_from_specs() {
    local specs_dir="$1"
    local highest=0
    if [ -d "$specs_dir" ]; then
        for dir in "$specs_dir"/*; do
            [ -d "$dir" ] || continue
            dirname=$(basename "$dir")
            # Match sequential prefixes (>=3 digits), but skip timestamp dirs.
            if echo "$dirname" | grep -Eq '^[0-9]{3,}-' && ! echo "$dirname" | grep -Eq '^[0-9]{8}-[0-9]{6}-'; then
                number=$(echo "$dirname" | grep -Eo '^[0-9]+')
                number=$((10#$number))
                if [ "$number" -gt "$highest" ]; then
                    highest=$number
                fi
            fi
        done
    fi
    echo "$highest"
 }
 # Function to get highest number from git branches
 get_highest_from_branches() {
    git branch -a 2>/dev/null | sed 's/^[* ]*//; s|^remotes/[^/]*/||' | _extract_highest_number
 }
 # Extract the highest sequential feature number from a list of ref names (one per line).
 _extract_highest_number() {
    local highest=0
    while IFS= read -r name; do
        [ -z "$name" ] && continue
        if echo "$name" | grep -Eq '^[0-9]{3,}-' && ! echo "$name" | grep -Eq '^[0-9]{8}-[0-9]{6}-'; then
            number=$(echo "$name" | grep -Eo '^[0-9]+' || echo "0")
            number=$((10#$number))
            if [ "$number" -gt "$highest" ]; then
                highest=$number
            fi
        fi
    done
    echo "$highest"
 }
 # Function to get highest number from remote branches without fetching (side-effect-free)
 get_highest_from_remote_refs() {
    local highest=0
    for remote in $(git remote 2>/dev/null); do
        local remote_highest
        remote_highest=$(GIT_TERMINAL_PROMPT=0 git ls-remote --heads "$remote" 2>/dev/null | sed 's|.*refs/heads/||' | _extract_highest_number)
        if [ "$remote_highest" -gt "$highest" ]; then
            highest=$remote_highest
        fi
    done
    echo "$highest"
 }
 # Function to check existing branches and return next available number.
 check_existing_branches() {
    local specs_dir="$1"
    local skip_fetch="${2:-false}"
    if [ "$skip_fetch" = true ]; then
        local highest_remote=$(get_highest_from_remote_refs)
        local highest_branch=$(get_highest_from_branches)
        if [ "$highest_remote" -gt "$highest_branch" ]; then
            highest_branch=$highest_remote
        fi
    else
        git fetch --all --prune >/dev/null 2>&1 || true
        local highest_branch=$(get_highest_from_branches)
    fi
    local highest_spec=$(get_highest_from_specs "$specs_dir")
    local max_num=$highest_branch
    if [ "$highest_spec" -gt "$max_num" ]; then
        max_num=$highest_spec
    fi
    echo $((max_num + 1))
 }
 # Function to clean and format a branch name
 clean_branch_name() {
    local name="$1"
    echo "$name" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/-\+/-/g' | sed 's/^-//' | sed 's/-$//'
 }
 # ---------------------------------------------------------------------------
 # Source common.sh for resolve_template, json_escape, get_repo_root, has_git.
 #
 # Search locations in priority order:
 #  1. .specify/scripts/bash/common.sh under the project root (installed project)
 #  2. scripts/bash/common.sh under the project root (source checkout fallback)
 #  3. git-common.sh next to this script (minimal fallback — lacks resolve_template)
 # ---------------------------------------------------------------------------
 SCRIPT_DIR="$(CDPATH="" cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # Find project root by walking up from the script location
 _find_project_root() {
    local dir="$1"
    while [ "$dir" != "/" ]; do
        if [ -d "$dir/.specify" ] || [ -d "$dir/.git" ]; then
            echo "$dir"
            return 0
        fi
        dir="$(dirname "$dir")"
    done
    return 1
 }
 _common_loaded=false
 _PROJECT_ROOT=$(_find_project_root "$SCRIPT_DIR") || true
 if [ -n "$_PROJECT_ROOT" ] && [ -f "$_PROJECT_ROOT/.specify/scripts/bash/common.sh" ]; then
    source "$_PROJECT_ROOT/.specify/scripts/bash/common.sh"
    _common_loaded=true
 elif [ -n "$_PROJECT_ROOT" ] && [ -f "$_PROJECT_ROOT/scripts/bash/common.sh" ]; then
    source "$_PROJECT_ROOT/scripts/bash/common.sh"
    _common_loaded=true
 elif [ -f "$SCRIPT_DIR/git-common.sh" ]; then
    source "$SCRIPT_DIR/git-common.sh"
    _common_loaded=true
 fi
 if [ "$_common_loaded" != "true" ]; then
    echo "Error: Could not locate common.sh or git-common.sh. Please ensure the Specify core scripts are installed." >&2
    exit 1
 fi
 # Resolve repository root
 if type get_repo_root >/dev/null 2>&1; then
    REPO_ROOT=$(get_repo_root)
 elif git rev-parse --show-toplevel >/dev/null 2>&1; then
    REPO_ROOT=$(git rev-parse --show-toplevel)
 elif [ -n "$_PROJECT_ROOT" ]; then
    REPO_ROOT="$_PROJECT_ROOT"
 else
    echo "Error: Could not determine repository root." >&2
    exit 1
 fi
 # Check if git is available at this repo root
 if type has_git >/dev/null 2>&1; then
    if has_git "$REPO_ROOT"; then
        HAS_GIT=true
    else
        HAS_GIT=false
    fi
 elif git -C "$REPO_ROOT" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    HAS_GIT=true
 else
    HAS_GIT=false
 fi
 cd "$REPO_ROOT"
 SPECS_DIR="$REPO_ROOT/specs"
 # Function to generate branch name with stop word filtering
 generate_branch_name() {
    local description="$1"
    local stop_words="^(i|a|an|the|to|for|of|in|on|at|by|with|from|is|are|was|were|be|been|being|have|has|had|do|does|did|will|would|should|could|can|may|might|must|shall|this|that|these|those|my|your|our|their|want|need|add|get|set)$"
    local clean_name=$(echo "$description" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/ /g')
    local meaningful_words=()
    for word in $clean_name; do
        [ -z "$word" ] && continue
        if ! echo "$word" | grep -qiE "$stop_words"; then
            if [ ${#word} -ge 3 ]; then
                meaningful_words+=("$word")
            elif echo "$description" | grep -qw -- "${word^^}"; then
                meaningful_words+=("$word")
            fi
        fi
    done
    if [ ${#meaningful_words[@]} -gt 0 ]; then
        local max_words=3
        if [ ${#meaningful_words[@]} -eq 4 ]; then max_words=4; fi
        local result=""
        local count=0
        for word in "${meaningful_words[@]}"; do
            if [ $count -ge $max_words ]; then break; fi
            if [ -n "$result" ]; then result="$result-"; fi
            result="$result$word"
            count=$((count + 1))
        done
        echo "$result"
    else
        local cleaned=$(clean_branch_name "$description")
        echo "$cleaned" | tr '-' '\n' | grep -v '^$' | head -3 | tr '\n' '-' | sed 's/-$//'
    fi
 }
 # Check for GIT_BRANCH_NAME env var override (exact branch name, no prefix/suffix)
 if [ -n "${GIT_BRANCH_NAME:-}" ]; then
    BRANCH_NAME="$GIT_BRANCH_NAME"
    # Extract FEATURE_NUM from the branch name if it starts with a numeric prefix
    # Check timestamp pattern first (YYYYMMDD-HHMMSS-) since it also matches the simpler ^[0-9]+ pattern
    if echo "$BRANCH_NAME" | grep -Eq '^[0-9]{8}-[0-9]{6}-'; then
        FEATURE_NUM=$(echo "$BRANCH_NAME" | grep -Eo '^[0-9]{8}-[0-9]{6}')
        BRANCH_SUFFIX="${BRANCH_NAME#${FEATURE_NUM}-}"
    elif echo "$BRANCH_NAME" | grep -Eq '^[0-9]+-'; then
        FEATURE_NUM=$(echo "$BRANCH_NAME" | grep -Eo '^[0-9]+')
        BRANCH_SUFFIX="${BRANCH_NAME#${FEATURE_NUM}-}"
    else
        FEATURE_NUM="$BRANCH_NAME"
        BRANCH_SUFFIX="$BRANCH_NAME"
    fi
 else
    # Generate branch name
    if [ -n "$SHORT_NAME" ]; then
        BRANCH_SUFFIX=$(clean_branch_name "$SHORT_NAME")
    else
        BRANCH_SUFFIX=$(generate_branch_name "$FEATURE_DESCRIPTION")
    fi
    # Warn if --number and --timestamp are both specified
    if [ "$USE_TIMESTAMP" = true ] && [ -n "$BRANCH_NUMBER" ]; then
        >&2 echo "[specify] Warning: --number is ignored when --timestamp is used"
        BRANCH_NUMBER=""
    fi
    # Determine branch prefix
    if [ "$USE_TIMESTAMP" = true ]; then
        FEATURE_NUM=$(date +%Y%m%d-%H%M%S)
        BRANCH_NAME="${FEATURE_NUM}-${BRANCH_SUFFIX}"
    else
        if [ -z "$BRANCH_NUMBER" ]; then
            if [ "$DRY_RUN" = true ] && [ "$HAS_GIT" = true ]; then
                BRANCH_NUMBER=$(check_existing_branches "$SPECS_DIR" true)
            elif [ "$DRY_RUN" = true ]; then
                HIGHEST=$(get_highest_from_specs "$SPECS_DIR")
                BRANCH_NUMBER=$((HIGHEST + 1))
            elif [ "$HAS_GIT" = true ]; then
                BRANCH_NUMBER=$(check_existing_branches "$SPECS_DIR")
            else
                HIGHEST=$(get_highest_from_specs "$SPECS_DIR")
                BRANCH_NUMBER=$((HIGHEST + 1))
            fi
        fi
        FEATURE_NUM=$(printf "%03d" "$((10#$BRANCH_NUMBER))")
        BRANCH_NAME="${FEATURE_NUM}-${BRANCH_SUFFIX}"
    fi
 fi
 # GitHub enforces a 244-byte limit on branch names
 MAX_BRANCH_LENGTH=244
 _byte_length() { printf '%s' "$1" | LC_ALL=C wc -c | tr -d ' '; }
 BRANCH_BYTE_LEN=$(_byte_length "$BRANCH_NAME")
 if [ -n "${GIT_BRANCH_NAME:-}" ] && [ "$BRANCH_BYTE_LEN" -gt $MAX_BRANCH_LENGTH ]; then
    >&2 echo "Error: GIT_BRANCH_NAME must be 244 bytes or fewer in UTF-8. Provided value is ${BRANCH_BYTE_LEN} bytes."
    exit 1
 elif [ "$BRANCH_BYTE_LEN" -gt $MAX_BRANCH_LENGTH ]; then
    PREFIX_LENGTH=$(( ${#FEATURE_NUM} + 1 ))
    MAX_SUFFIX_LENGTH=$((MAX_BRANCH_LENGTH - PREFIX_LENGTH))
    TRUNCATED_SUFFIX=$(echo "$BRANCH_SUFFIX" | cut -c1-$MAX_SUFFIX_LENGTH)
    TRUNCATED_SUFFIX=$(echo "$TRUNCATED_SUFFIX" | sed 's/-$//')
    ORIGINAL_BRANCH_NAME="$BRANCH_NAME"
    BRANCH_NAME="${FEATURE_NUM}-${TRUNCATED_SUFFIX}"
    >&2 echo "[specify] Warning: Branch name exceeded GitHub's 244-byte limit"
    >&2 echo "[specify] Original: $ORIGINAL_BRANCH_NAME (${#ORIGINAL_BRANCH_NAME} bytes)"
    >&2 echo "[specify] Truncated to: $BRANCH_NAME (${#BRANCH_NAME} bytes)"
 fi
 if [ "$DRY_RUN" != true ]; then
    if [ "$HAS_GIT" = true ]; then
        branch_create_error=""
        if ! branch_create_error=$(git checkout -q -b "$BRANCH_NAME" 2>&1); then
            current_branch="$(git rev-parse --abbrev-ref HEAD 2>/dev/null || true)"
            if git branch --list "$BRANCH_NAME" | grep -q .; then
                if [ "$ALLOW_EXISTING" = true ]; then
                    if [ "$current_branch" = "$BRANCH_NAME" ]; then
                        :
                    elif ! switch_branch_error=$(git checkout -q "$BRANCH_NAME" 2>&1); then
                        >&2 echo "Error: Failed to switch to existing branch '$BRANCH_NAME'. Please resolve any local changes or conflicts and try again."
                        if [ -n "$switch_branch_error" ]; then
                            >&2 printf '%s\n' "$switch_branch_error"
                        fi
                        exit 1
                    fi
                elif [ "$USE_TIMESTAMP" = true ]; then
                    >&2 echo "Error: Branch '$BRANCH_NAME' already exists. Rerun to get a new timestamp or use a different --short-name."
                    exit 1
                else
                    >&2 echo "Error: Branch '$BRANCH_NAME' already exists. Please use a different feature name or specify a different number with --number."
                    exit 1
                fi
            else
                >&2 echo "Error: Failed to create git branch '$BRANCH_NAME'."
                if [ -n "$branch_create_error" ]; then
                    >&2 printf '%s\n' "$branch_create_error"
                else
                    >&2 echo "Please check your git configuration and try again."
                fi
                exit 1
            fi
        fi
    else
        >&2 echo "[specify] Warning: Git repository not detected; skipped branch creation for $BRANCH_NAME"
    fi
    printf '# To persist: export SPECIFY_FEATURE=%q\n' "$BRANCH_NAME" >&2
 fi
 if $JSON_MODE; then
    if command -v jq >/dev/null 2>&1; then
        if [ "$DRY_RUN" = true ]; then
            jq -cn \
                --arg branch_name "$BRANCH_NAME" \
                --arg feature_num "$FEATURE_NUM" \
                '{BRANCH_NAME:$branch_name,FEATURE_NUM:$feature_num,DRY_RUN:true}'
        else
            jq -cn \
                --arg branch_name "$BRANCH_NAME" \
                --arg feature_num "$FEATURE_NUM" \
                '{BRANCH_NAME:$branch_name,FEATURE_NUM:$feature_num}'
        fi
    else
        if type json_escape >/dev/null 2>&1; then
            _je_branch=$(json_escape "$BRANCH_NAME")
            _je_num=$(json_escape "$FEATURE_NUM")
        else
            _je_branch="$BRANCH_NAME"
            _je_num="$FEATURE_NUM"
        fi
        if [ "$DRY_RUN" = true ]; then
            printf '{"BRANCH_NAME":"%s","FEATURE_NUM":"%s","DRY_RUN":true}\n' "$_je_branch" "$_je_num"
        else
            printf '{"BRANCH_NAME":"%s","FEATURE_NUM":"%s"}\n' "$_je_branch" "$_je_num"
        fi
    fi
 else
    echo "BRANCH_NAME: $BRANCH_NAME"
    echo "FEATURE_NUM: $FEATURE_NUM"
    if [ "$DRY_RUN" != true ]; then
        printf '# To persist in your shell: export SPECIFY_FEATURE=%q\n' "$BRANCH_NAME"
    fi
 fi
--- a/.specify/extensions/git/scripts/bash/git-common.sh
+++ b/.specify/extensions/git/scripts/bash/git-common.sh
@ -1,54 +0,0 @@
 #!/usr/bin/env bash
 # Git-specific common functions for the git extension.
 # Extracted from scripts/bash/common.sh — contains only git-specific
 # branch validation and detection logic.
 # Check if we have git available at the repo root
 has_git() {
    local repo_root="${1:-$(pwd)}"
    { [ -d "$repo_root/.git" ] || [ -f "$repo_root/.git" ]; } && \
        command -v git >/dev/null 2>&1 && \
        git -C "$repo_root" rev-parse --is-inside-work-tree >/dev/null 2>&1
 }
 # Strip a single optional path segment (e.g. gitflow "feat/004-name" -> "004-name").
 # Only when the full name is exactly two slash-free segments; otherwise returns the raw name.
 spec_kit_effective_branch_name() {
    local raw="$1"
    if [[ "$raw" =~ ^([^/]+)/([^/]+)$ ]]; then
        printf '%s\n' "${BASH_REMATCH[2]}"
    else
        printf '%s\n' "$raw"
    fi
 }
 # Validate that a branch name matches the expected feature branch pattern.
 # Accepts sequential (###-* with >=3 digits) or timestamp (YYYYMMDD-HHMMSS-*) formats.
 # Logic aligned with scripts/bash/common.sh check_feature_branch after effective-name normalization.
 check_feature_branch() {
    local raw="$1"
    local has_git_repo="$2"
    # For non-git repos, we can't enforce branch naming but still provide output
    if [[ "$has_git_repo" != "true" ]]; then
        echo "[specify] Warning: Git repository not detected; skipped branch validation" >&2
        return 0
    fi
    local branch
    branch=$(spec_kit_effective_branch_name "$raw")
    # Accept sequential prefix (3+ digits) but exclude malformed timestamps
    # Malformed: 7-or-8 digit date + 6-digit time with no trailing slug (e.g. "2026031-143022" or "20260319-143022")
    local is_sequential=false
    if [[ "$branch" =~ ^[0-9]{3,}- ]] && [[ ! "$branch" =~ ^[0-9]{7}-[0-9]{6}- ]] && [[ ! "$branch" =~ ^[0-9]{7,8}-[0-9]{6}$ ]]; then
        is_sequential=true
    fi
    if [[ "$is_sequential" != "true" ]] && [[ ! "$branch" =~ ^[0-9]{8}-[0-9]{6}- ]]; then
        echo "ERROR: Not on a feature branch. Current branch: $raw" >&2
        echo "Feature branches should be named like: 001-feature-name, 1234-feature-name, or 20260319-143022-feature-name" >&2
        return 1
    fi
    return 0
 }
--- a/.specify/extensions/git/scripts/bash/initialize-repo.sh
+++ b/.specify/extensions/git/scripts/bash/initialize-repo.sh
@ -1,54 +0,0 @@
 #!/usr/bin/env bash
 # Git extension: initialize-repo.sh
 # Initialize a Git repository with an initial commit.
 # Customizable — replace this script to add .gitignore templates,
 # default branch config, git-flow, LFS, signing, etc.
 set -e
 SCRIPT_DIR="$(CDPATH="" cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # Find project root
 _find_project_root() {
    local dir="$1"
    while [ "$dir" != "/" ]; do
        if [ -d "$dir/.specify" ] || [ -d "$dir/.git" ]; then
            echo "$dir"
            return 0
        fi
        dir="$(dirname "$dir")"
    done
    return 1
 }
 REPO_ROOT=$(_find_project_root "$SCRIPT_DIR") || REPO_ROOT="$(pwd)"
 cd "$REPO_ROOT"
 # Read commit message from extension config, fall back to default
 COMMIT_MSG="[Spec Kit] Initial commit"
 _config_file="$REPO_ROOT/.specify/extensions/git/git-config.yml"
 if [ -f "$_config_file" ]; then
    _msg=$(grep '^init_commit_message:' "$_config_file" 2>/dev/null | sed 's/^init_commit_message:[[:space:]]*//' | sed 's/^["'\'']//' | sed 's/["'\'']*$//')
    if [ -n "$_msg" ]; then
        COMMIT_MSG="$_msg"
    fi
 fi
 # Check if git is available
 if ! command -v git >/dev/null 2>&1; then
    echo "[specify] Warning: Git not found; skipped repository initialization" >&2
    exit 0
 fi
 # Check if already a git repo
 if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    echo "[specify] Git repository already initialized; skipping" >&2
    exit 0
 fi
 # Initialize
 _git_out=$(git init -q 2>&1) || { echo "[specify] Error: git init failed: $_git_out" >&2; exit 1; }
 _git_out=$(git add . 2>&1) || { echo "[specify] Error: git add failed: $_git_out" >&2; exit 1; }
 _git_out=$(git commit --allow-empty -q -m "$COMMIT_MSG" 2>&1) || { echo "[specify] Error: git commit failed: $_git_out" >&2; exit 1; }
 echo "✓ Git repository initialized" >&2
--- a/.specify/extensions/git/scripts/powershell/auto-commit.ps1
+++ b/.specify/extensions/git/scripts/powershell/auto-commit.ps1
@ -1,169 +0,0 @@
 #!/usr/bin/env pwsh
 # Git extension: auto-commit.ps1
 # Automatically commit changes after a Spec Kit command completes.
 # Checks per-command config keys in git-config.yml before committing.
 #
 # Usage: auto-commit.ps1 <event_name>
 #   e.g.: auto-commit.ps1 after_specify
 param(
    [Parameter(Position = 0, Mandatory = $true)]
    [string]$EventName
 )
 $ErrorActionPreference = 'Stop'
 function Find-ProjectRoot {
    param([string]$StartDir)
    $current = Resolve-Path $StartDir
    while ($true) {
        foreach ($marker in @('.specify', '.git')) {
            if (Test-Path (Join-Path $current $marker)) {
                return $current
            }
        }
        $parent = Split-Path $current -Parent
        if ($parent -eq $current) { return $null }
        $current = $parent
    }
 }
 $repoRoot = Find-ProjectRoot -StartDir $PSScriptRoot
 if (-not $repoRoot) { $repoRoot = Get-Location }
 Set-Location $repoRoot
 # Check if git is available
 if (-not (Get-Command git -ErrorAction SilentlyContinue)) {
    Write-Warning "[specify] Warning: Git not found; skipped auto-commit"
    exit 0
 }
 # Temporarily relax ErrorActionPreference so git stderr warnings
 # (e.g. CRLF notices on Windows) do not become terminating errors.
 $savedEAP = $ErrorActionPreference
 $ErrorActionPreference = 'Continue'
 try {
    git rev-parse --is-inside-work-tree 2>$null | Out-Null
    $isRepo = $LASTEXITCODE -eq 0
 } finally {
    $ErrorActionPreference = $savedEAP
 }
 if (-not $isRepo) {
    Write-Warning "[specify] Warning: Not a Git repository; skipped auto-commit"
    exit 0
 }
 # Read per-command config from git-config.yml
 $configFile = Join-Path $repoRoot ".specify/extensions/git/git-config.yml"
 $enabled = $false
 $commitMsg = ""
 if (Test-Path $configFile) {
    # Parse YAML to find auto_commit section
    $inAutoCommit = $false
    $inEvent = $false
    $defaultEnabled = $false
    foreach ($line in Get-Content $configFile) {
        # Detect auto_commit: section
        if ($line -match '^auto_commit:') {
            $inAutoCommit = $true
            $inEvent = $false
            continue
        }
        # Exit auto_commit section on next top-level key
        if ($inAutoCommit -and $line -match '^[a-z]') {
            break
        }
        if ($inAutoCommit) {
            # Check default key
            if ($line -match '^\s+default:\s*(.+)$') {
                $val = $matches[1].Trim().ToLower()
                if ($val -eq 'true') { $defaultEnabled = $true }
            }
            # Detect our event subsection
            if ($line -match "^\s+${EventName}:") {
                $inEvent = $true
                continue
            }
            # Inside our event subsection
            if ($inEvent) {
                # Exit on next sibling key (2-space indent, not 4+)
                if ($line -match '^\s{2}[a-z]' -and $line -notmatch '^\s{4}') {
                    $inEvent = $false
                    continue
                }
                if ($line -match '\s+enabled:\s*(.+)$') {
                    $val = $matches[1].Trim().ToLower()
                    if ($val -eq 'true') { $enabled = $true }
                    if ($val -eq 'false') { $enabled = $false }
                }
                if ($line -match '\s+message:\s*(.+)$') {
                    $commitMsg = $matches[1].Trim() -replace '^["'']' -replace '["'']$'
                }
            }
        }
    }
    # If event-specific key not found, use default
    if (-not $enabled -and $defaultEnabled) {
        $hasEventKey = Select-String -Path $configFile -Pattern "^\s*${EventName}:" -Quiet
        if (-not $hasEventKey) {
            $enabled = $true
        }
    }
 } else {
    # No config file — auto-commit disabled by default
    exit 0
 }
 if (-not $enabled) {
    exit 0
 }
 # Check if there are changes to commit
 # Relax ErrorActionPreference so CRLF warnings on stderr do not terminate.
 $savedEAP = $ErrorActionPreference
 $ErrorActionPreference = 'Continue'
 try {
    git diff --quiet HEAD 2>$null; $d1 = $LASTEXITCODE
    git diff --cached --quiet 2>$null; $d2 = $LASTEXITCODE
    $untracked = git ls-files --others --exclude-standard 2>$null
 } finally {
    $ErrorActionPreference = $savedEAP
 }
 if ($d1 -eq 0 -and $d2 -eq 0 -and -not $untracked) {
    Write-Host "[specify] No changes to commit after $EventName" -ForegroundColor DarkGray
    exit 0
 }
 # Derive a human-readable command name from the event
 $commandName = $EventName -replace '^after_', '' -replace '^before_', ''
 $phase = if ($EventName -match '^before_') { 'before' } else { 'after' }
 # Use custom message if configured, otherwise default
 if (-not $commitMsg) {
    $commitMsg = "[Spec Kit] Auto-commit $phase $commandName"
 }
 # Stage and commit
 # Relax ErrorActionPreference so CRLF warnings on stderr do not terminate,
 # while still allowing redirected error output to be captured for diagnostics.
 $savedEAP = $ErrorActionPreference
 $ErrorActionPreference = 'Continue'
 try {
    $out = git add . 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "git add failed: $out" }
    $out = git commit -q -m $commitMsg 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "git commit failed: $out" }
 } catch {
    Write-Warning "[specify] Error: $_"
    exit 1
 } finally {
    $ErrorActionPreference = $savedEAP
 }
 Write-Host "[OK] Changes committed $phase $commandName"
--- a/.specify/extensions/git/scripts/powershell/create-new-feature.ps1
+++ b/.specify/extensions/git/scripts/powershell/create-new-feature.ps1
@ -1,403 +0,0 @@
 #!/usr/bin/env pwsh
 # Git extension: create-new-feature.ps1
 # Adapted from core scripts/powershell/create-new-feature.ps1 for extension layout.
 # Sources common.ps1 from the project's installed scripts, falling back to
 # git-common.ps1 for minimal git helpers.
 [CmdletBinding()]
 param(
    [switch]$Json,
    [switch]$AllowExistingBranch,
    [switch]$DryRun,
    [string]$ShortName,
    [Parameter()]
    [long]$Number = 0,
    [switch]$Timestamp,
    [switch]$Help,
    [Parameter(Position = 0, ValueFromRemainingArguments = $true)]
    [string[]]$FeatureDescription
 )
 $ErrorActionPreference = 'Stop'
 if ($Help) {
    Write-Host "Usage: ./create-new-feature.ps1 [-Json] [-DryRun] [-AllowExistingBranch] [-ShortName <name>] [-Number N] [-Timestamp] <feature description>"
    Write-Host ""
    Write-Host "Options:"
    Write-Host "  -Json               Output in JSON format"
    Write-Host "  -DryRun             Compute branch name without creating the branch"
    Write-Host "  -AllowExistingBranch  Switch to branch if it already exists instead of failing"
    Write-Host "  -ShortName <name>   Provide a custom short name (2-4 words) for the branch"
    Write-Host "  -Number N           Specify branch number manually (overrides auto-detection)"
    Write-Host "  -Timestamp          Use timestamp prefix (YYYYMMDD-HHMMSS) instead of sequential numbering"
    Write-Host "  -Help               Show this help message"
    Write-Host ""
    Write-Host "Environment variables:"
    Write-Host "  GIT_BRANCH_NAME     Use this exact branch name, bypassing all prefix/suffix generation"
    Write-Host ""
    exit 0
 }
 if (-not $FeatureDescription -or $FeatureDescription.Count -eq 0) {
    Write-Error "Usage: ./create-new-feature.ps1 [-Json] [-DryRun] [-AllowExistingBranch] [-ShortName <name>] [-Number N] [-Timestamp] <feature description>"
    exit 1
 }
 $featureDesc = ($FeatureDescription -join ' ').Trim()
 if ([string]::IsNullOrWhiteSpace($featureDesc)) {
    Write-Error "Error: Feature description cannot be empty or contain only whitespace"
    exit 1
 }
 function Get-HighestNumberFromSpecs {
    param([string]$SpecsDir)
    [long]$highest = 0
    if (Test-Path $SpecsDir) {
        Get-ChildItem -Path $SpecsDir -Directory | ForEach-Object {
            if ($_.Name -match '^(\d{3,})-' -and $_.Name -notmatch '^\d{8}-\d{6}-') {
                [long]$num = 0
                if ([long]::TryParse($matches[1], [ref]$num) -and $num -gt $highest) {
                    $highest = $num
                }
            }
        }
    }
    return $highest
 }
 function Get-HighestNumberFromNames {
    param([string[]]$Names)
    [long]$highest = 0
    foreach ($name in $Names) {
        if ($name -match '^(\d{3,})-' -and $name -notmatch '^\d{8}-\d{6}-') {
            [long]$num = 0
            if ([long]::TryParse($matches[1], [ref]$num) -and $num -gt $highest) {
                $highest = $num
            }
        }
    }
    return $highest
 }
 function Get-HighestNumberFromBranches {
    param()
    try {
        $branches = git branch -a 2>$null
        if ($LASTEXITCODE -eq 0 -and $branches) {
            $cleanNames = $branches | ForEach-Object {
                $_.Trim() -replace '^\*?\s+', '' -replace '^remotes/[^/]+/', ''
            }
            return Get-HighestNumberFromNames -Names $cleanNames
        }
    } catch {
        Write-Verbose "Could not check Git branches: $_"
    }
    return 0
 }
 function Get-HighestNumberFromRemoteRefs {
    [long]$highest = 0
    try {
        $remotes = git remote 2>$null
        if ($remotes) {
            foreach ($remote in $remotes) {
                $env:GIT_TERMINAL_PROMPT = '0'
                $refs = git ls-remote --heads $remote 2>$null
                $env:GIT_TERMINAL_PROMPT = $null
                if ($LASTEXITCODE -eq 0 -and $refs) {
                    $refNames = $refs | ForEach-Object {
                        if ($_ -match 'refs/heads/(.+)$') { $matches[1] }
                    } | Where-Object { $_ }
                    $remoteHighest = Get-HighestNumberFromNames -Names $refNames
                    if ($remoteHighest -gt $highest) { $highest = $remoteHighest }
                }
            }
        }
    } catch {
        Write-Verbose "Could not query remote refs: $_"
    }
    return $highest
 }
 function Get-NextBranchNumber {
    param(
        [string]$SpecsDir,
        [switch]$SkipFetch
    )
    if ($SkipFetch) {
        $highestBranch = Get-HighestNumberFromBranches
        $highestRemote = Get-HighestNumberFromRemoteRefs
        $highestBranch = [Math]::Max($highestBranch, $highestRemote)
    } else {
        try {
            git fetch --all --prune 2>$null | Out-Null
        } catch { }
        $highestBranch = Get-HighestNumberFromBranches
    }
    $highestSpec = Get-HighestNumberFromSpecs -SpecsDir $SpecsDir
    $maxNum = [Math]::Max($highestBranch, $highestSpec)
    return $maxNum + 1
 }
 function ConvertTo-CleanBranchName {
    param([string]$Name)
    return $Name.ToLower() -replace '[^a-z0-9]', '-' -replace '-{2,}', '-' -replace '^-', '' -replace '-$', ''
 }
 # ---------------------------------------------------------------------------
 # Source common.ps1 from the project's installed scripts.
 # Search locations in priority order:
 #  1. .specify/scripts/powershell/common.ps1 under the project root
 #  2. scripts/powershell/common.ps1 under the project root (source checkout)
 #  3. git-common.ps1 next to this script (minimal fallback)
 # ---------------------------------------------------------------------------
 function Find-ProjectRoot {
    param([string]$StartDir)
    $current = Resolve-Path $StartDir
    while ($true) {
        foreach ($marker in @('.specify', '.git')) {
            if (Test-Path (Join-Path $current $marker)) {
                return $current
            }
        }
        $parent = Split-Path $current -Parent
        if ($parent -eq $current) { return $null }
        $current = $parent
    }
 }
 $projectRoot = Find-ProjectRoot -StartDir $PSScriptRoot
 $commonLoaded = $false
 if ($projectRoot) {
    $candidates = @(
        (Join-Path $projectRoot ".specify/scripts/powershell/common.ps1"),
        (Join-Path $projectRoot "scripts/powershell/common.ps1")
    )
    foreach ($candidate in $candidates) {
        if (Test-Path $candidate) {
            . $candidate
            $commonLoaded = $true
            break
        }
    }
 }
 if (-not $commonLoaded -and (Test-Path "$PSScriptRoot/git-common.ps1")) {
    . "$PSScriptRoot/git-common.ps1"
    $commonLoaded = $true
 }
 if (-not $commonLoaded) {
    throw "Unable to locate common script file. Please ensure the Specify core scripts are installed."
 }
 # Resolve repository root
 if (Get-Command Get-RepoRoot -ErrorAction SilentlyContinue) {
    $repoRoot = Get-RepoRoot
 } elseif ($projectRoot) {
    $repoRoot = $projectRoot
 } else {
    throw "Could not determine repository root."
 }
 # Check if git is available
 if (Get-Command Test-HasGit -ErrorAction SilentlyContinue) {
    # Call without parameters for compatibility with core common.ps1 (no -RepoRoot param)
    # and git-common.ps1 (has -RepoRoot param with default).
    $hasGit = Test-HasGit
 } else {
    try {
        git -C $repoRoot rev-parse --is-inside-work-tree 2>$null | Out-Null
        $hasGit = ($LASTEXITCODE -eq 0)
    } catch {
        $hasGit = $false
    }
 }
 Set-Location $repoRoot
 $specsDir = Join-Path $repoRoot 'specs'
 function Get-BranchName {
    param([string]$Description)
    $stopWords = @(
        'i', 'a', 'an', 'the', 'to', 'for', 'of', 'in', 'on', 'at', 'by', 'with', 'from',
        'is', 'are', 'was', 'were', 'be', 'been', 'being', 'have', 'has', 'had',
        'do', 'does', 'did', 'will', 'would', 'should', 'could', 'can', 'may', 'might', 'must', 'shall',
        'this', 'that', 'these', 'those', 'my', 'your', 'our', 'their',
        'want', 'need', 'add', 'get', 'set'
    )
    $cleanName = $Description.ToLower() -replace '[^a-z0-9\s]', ' '
    $words = $cleanName -split '\s+' | Where-Object { $_ }
    $meaningfulWords = @()
    foreach ($word in $words) {
        if ($stopWords -contains $word) { continue }
        if ($word.Length -ge 3) {
            $meaningfulWords += $word
        } elseif ($Description -match "\b$($word.ToUpper())\b") {
            $meaningfulWords += $word
        }
    }
    if ($meaningfulWords.Count -gt 0) {
        $maxWords = if ($meaningfulWords.Count -eq 4) { 4 } else { 3 }
        $result = ($meaningfulWords | Select-Object -First $maxWords) -join '-'
        return $result
    } else {
        $result = ConvertTo-CleanBranchName -Name $Description
        $fallbackWords = ($result -split '-') | Where-Object { $_ } | Select-Object -First 3
        return [string]::Join('-', $fallbackWords)
    }
 }
 # Check for GIT_BRANCH_NAME env var override (exact branch name, no prefix/suffix)
 if ($env:GIT_BRANCH_NAME) {
    $branchName = $env:GIT_BRANCH_NAME
    # Check 244-byte limit (UTF-8) for override names
    $branchNameUtf8ByteCount = [System.Text.Encoding]::UTF8.GetByteCount($branchName)
    if ($branchNameUtf8ByteCount -gt 244) {
        throw "GIT_BRANCH_NAME must be 244 bytes or fewer in UTF-8. Provided value is $branchNameUtf8ByteCount bytes; please supply a shorter override branch name."
    }
    # Extract FEATURE_NUM from the branch name if it starts with a numeric prefix
    # Check timestamp pattern first (YYYYMMDD-HHMMSS-) since it also matches the simpler ^\d+ pattern
    if ($branchName -match '^(\d{8}-\d{6})-') {
        $featureNum = $matches[1]
    } elseif ($branchName -match '^(\d+)-') {
        $featureNum = $matches[1]
    } else {
        $featureNum = $branchName
    }
 } else {
    if ($ShortName) {
        $branchSuffix = ConvertTo-CleanBranchName -Name $ShortName
    } else {
        $branchSuffix = Get-BranchName -Description $featureDesc
    }
    if ($Timestamp -and $Number -ne 0) {
        Write-Warning "[specify] Warning: -Number is ignored when -Timestamp is used"
        $Number = 0
    }
    if ($Timestamp) {
        $featureNum = Get-Date -Format 'yyyyMMdd-HHmmss'
        $branchName = "$featureNum-$branchSuffix"
    } else {
        if ($Number -eq 0) {
            if ($DryRun -and $hasGit) {
                $Number = Get-NextBranchNumber -SpecsDir $specsDir -SkipFetch
            } elseif ($DryRun) {
                $Number = (Get-HighestNumberFromSpecs -SpecsDir $specsDir) + 1
            } elseif ($hasGit) {
                $Number = Get-NextBranchNumber -SpecsDir $specsDir
            } else {
                $Number = (Get-HighestNumberFromSpecs -SpecsDir $specsDir) + 1
            }
        }
        $featureNum = ('{0:000}' -f $Number)
        $branchName = "$featureNum-$branchSuffix"
    }
 }
 $maxBranchLength = 244
 if ($branchName.Length -gt $maxBranchLength) {
    $prefixLength = $featureNum.Length + 1
    $maxSuffixLength = $maxBranchLength - $prefixLength
    $truncatedSuffix = $branchSuffix.Substring(0, [Math]::Min($branchSuffix.Length, $maxSuffixLength))
    $truncatedSuffix = $truncatedSuffix -replace '-$', ''
    $originalBranchName = $branchName
    $branchName = "$featureNum-$truncatedSuffix"
    Write-Warning "[specify] Branch name exceeded GitHub's 244-byte limit"
    Write-Warning "[specify] Original: $originalBranchName ($($originalBranchName.Length) bytes)"
    Write-Warning "[specify] Truncated to: $branchName ($($branchName.Length) bytes)"
 }
 if (-not $DryRun) {
    if ($hasGit) {
        $branchCreated = $false
        $branchCreateError = ''
        try {
            $branchCreateError = git checkout -q -b $branchName 2>&1 | Out-String
            if ($LASTEXITCODE -eq 0) {
                $branchCreated = $true
            }
        } catch {
            $branchCreateError = $_.Exception.Message
        }
        if (-not $branchCreated) {
            $currentBranch = ''
            try { $currentBranch = (git rev-parse --abbrev-ref HEAD 2>$null).Trim() } catch {}
            $existingBranch = git branch --list $branchName 2>$null
            if ($existingBranch) {
                if ($AllowExistingBranch) {
                    if ($currentBranch -eq $branchName) {
                        # Already on the target branch
                    } else {
                        $switchBranchError = git checkout -q $branchName 2>&1 | Out-String
                        if ($LASTEXITCODE -ne 0) {
                            if ($switchBranchError) {
                                Write-Error "Error: Branch '$branchName' exists but could not be checked out.`n$($switchBranchError.Trim())"
                            } else {
                                Write-Error "Error: Branch '$branchName' exists but could not be checked out. Resolve any uncommitted changes or conflicts and try again."
                            }
                            exit 1
                        }
                    }
                } elseif ($Timestamp) {
                    Write-Error "Error: Branch '$branchName' already exists. Rerun to get a new timestamp or use a different -ShortName."
                    exit 1
                } else {
                    Write-Error "Error: Branch '$branchName' already exists. Please use a different feature name or specify a different number with -Number."
                    exit 1
                }
            } else {
                if ($branchCreateError) {
                    Write-Error "Error: Failed to create git branch '$branchName'.`n$($branchCreateError.Trim())"
                } else {
                    Write-Error "Error: Failed to create git branch '$branchName'. Please check your git configuration and try again."
                }
                exit 1
            }
        }
    } else {
        if ($Json) {
            [Console]::Error.WriteLine("[specify] Warning: Git repository not detected; skipped branch creation for $branchName")
        } else {
            Write-Warning "[specify] Warning: Git repository not detected; skipped branch creation for $branchName"
        }
    }
    $env:SPECIFY_FEATURE = $branchName
 }
 if ($Json) {
    $obj = [PSCustomObject]@{
        BRANCH_NAME = $branchName
        FEATURE_NUM = $featureNum
        HAS_GIT = $hasGit
    }
    if ($DryRun) {
        $obj | Add-Member -NotePropertyName 'DRY_RUN' -NotePropertyValue $true
    }
    $obj | ConvertTo-Json -Compress
 } else {
    Write-Output "BRANCH_NAME: $branchName"
    Write-Output "FEATURE_NUM: $featureNum"
    Write-Output "HAS_GIT: $hasGit"
    if (-not $DryRun) {
        Write-Output "SPECIFY_FEATURE environment variable set to: $branchName"
    }
 }
--- a/.specify/extensions/git/scripts/powershell/git-common.ps1
+++ b/.specify/extensions/git/scripts/powershell/git-common.ps1
@ -1,51 +0,0 @@
 #!/usr/bin/env pwsh
 # Git-specific common functions for the git extension.
 # Extracted from scripts/powershell/common.ps1 — contains only git-specific
 # branch validation and detection logic.
 function Test-HasGit {
    param([string]$RepoRoot = (Get-Location))
    try {
        if (-not (Test-Path (Join-Path $RepoRoot '.git'))) { return $false }
        if (-not (Get-Command git -ErrorAction SilentlyContinue)) { return $false }
        git -C $RepoRoot rev-parse --is-inside-work-tree 2>$null | Out-Null
        return ($LASTEXITCODE -eq 0)
    } catch {
        return $false
    }
 }
 function Get-SpecKitEffectiveBranchName {
    param([string]$Branch)
    if ($Branch -match '^([^/]+)/([^/]+)$') {
        return $Matches[2]
    }
    return $Branch
 }
 function Test-FeatureBranch {
    param(
        [string]$Branch,
        [bool]$HasGit = $true
    )
    # For non-git repos, we can't enforce branch naming but still provide output
    if (-not $HasGit) {
        Write-Warning "[specify] Warning: Git repository not detected; skipped branch validation"
        return $true
    }
    $raw = $Branch
    $Branch = Get-SpecKitEffectiveBranchName $raw
    # Accept sequential prefix (3+ digits) but exclude malformed timestamps
    # Malformed: 7-or-8 digit date + 6-digit time with no trailing slug (e.g. "2026031-143022" or "20260319-143022")
    $hasMalformedTimestamp = ($Branch -match '^[0-9]{7}-[0-9]{6}-') -or ($Branch -match '^(?:\d{7}|\d{8})-\d{6}$')
    $isSequential = ($Branch -match '^[0-9]{3,}-') -and (-not $hasMalformedTimestamp)
    if (-not $isSequential -and $Branch -notmatch '^\d{8}-\d{6}-') {
        [Console]::Error.WriteLine("ERROR: Not on a feature branch. Current branch: $raw")
        [Console]::Error.WriteLine("Feature branches should be named like: 001-feature-name, 1234-feature-name, or 20260319-143022-feature-name")
        return $false
    }
    return $true
 }
--- a/.specify/extensions/git/scripts/powershell/initialize-repo.ps1
+++ b/.specify/extensions/git/scripts/powershell/initialize-repo.ps1
@ -1,69 +0,0 @@
 #!/usr/bin/env pwsh
 # Git extension: initialize-repo.ps1
 # Initialize a Git repository with an initial commit.
 # Customizable — replace this script to add .gitignore templates,
 # default branch config, git-flow, LFS, signing, etc.
 $ErrorActionPreference = 'Stop'
 # Find project root
 function Find-ProjectRoot {
    param([string]$StartDir)
    $current = Resolve-Path $StartDir
    while ($true) {
        foreach ($marker in @('.specify', '.git')) {
            if (Test-Path (Join-Path $current $marker)) {
                return $current
            }
        }
        $parent = Split-Path $current -Parent
        if ($parent -eq $current) { return $null }
        $current = $parent
    }
 }
 $repoRoot = Find-ProjectRoot -StartDir $PSScriptRoot
 if (-not $repoRoot) { $repoRoot = Get-Location }
 Set-Location $repoRoot
 # Read commit message from extension config, fall back to default
 $commitMsg = "[Spec Kit] Initial commit"
 $configFile = Join-Path $repoRoot ".specify/extensions/git/git-config.yml"
 if (Test-Path $configFile) {
    foreach ($line in Get-Content $configFile) {
        if ($line -match '^init_commit_message:\s*(.+)$') {
            $val = $matches[1].Trim() -replace '^["'']' -replace '["'']$'
            if ($val) { $commitMsg = $val }
            break
        }
    }
 }
 # Check if git is available
 if (-not (Get-Command git -ErrorAction SilentlyContinue)) {
    Write-Warning "[specify] Warning: Git not found; skipped repository initialization"
    exit 0
 }
 # Check if already a git repo
 try {
    git rev-parse --is-inside-work-tree 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Warning "[specify] Git repository already initialized; skipping"
        exit 0
    }
 } catch { }
 # Initialize
 try {
    $out = git init -q 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "git init failed: $out" }
    $out = git add . 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "git add failed: $out" }
    $out = git commit --allow-empty -q -m $commitMsg 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "git commit failed: $out" }
 } catch {
    Write-Warning "[specify] Error: $_"
    exit 1
 }
 Write-Host "✓ Git repository initialized"
--- a/.specify/init-options.json
+++ b/.specify/init-options.json
@ -1,10 +0,0 @@
 {
  "ai": "copilot",
  "branch_numbering": "sequential",
  "context_file": ".github/copilot-instructions.md",
  "here": true,
  "integration": "copilot",
  "preset": null,
  "script": "sh",
  "speckit_version": "0.7.4"
 }
--- a/.specify/integration.json
+++ b/.specify/integration.json
@ -1,4 +0,0 @@
 {
  "integration": "copilot",
  "version": "0.7.4"
 }
--- a/.specify/integrations/copilot.manifest.json
+++ b/.specify/integrations/copilot.manifest.json
@ -1,25 +0,0 @@
 {
  "integration": "copilot",
  "version": "0.7.4",
  "installed_at": "2026-04-22T21:58:02.962169+00:00",
  "files": {
    ".github/agents/speckit.analyze.agent.md": "699032fdd49afe31d23c7191f3fe7bcb1d14b081fbc94c2287e6ba3a57574fda",
    ".github/agents/speckit.checklist.agent.md": "d7d691689fe45427c868dcf18ade4df500f0c742a6c91923fefba405d6466dde",
    ".github/agents/speckit.clarify.agent.md": "0cc766dcc5cab233ccdf3bc4cfb5759a6d7d1e13e29f611083046f818f5812bb",
    ".github/agents/speckit.constitution.agent.md": "58d35eb026f56bb7364d91b8b0382d5dd1249ded6c1449a2b69546693afb85f7",
    ".github/agents/speckit.implement.agent.md": "83628415c86ba487b3a083c7a2c0f016c9073abd02c1c7f4a30cff949b6602c0",
    ".github/agents/speckit.plan.agent.md": "2ad128b81ccd8f5bfa78b3b43101f377dfddd8f800fa0856f85bf53b1489b783",
    ".github/agents/speckit.specify.agent.md": "5bbb5270836cc9a3286ce3ed96a500f3d383a54abb06aa11b01a2d2f76dbf39b",
    ".github/agents/speckit.tasks.agent.md": "a58886f29f75e1a14840007772ddd954742aafb3e03d9d1231bee033e6c1626b",
    ".github/agents/speckit.taskstoissues.agent.md": "e84794f7a839126defb364ca815352c5c2b2d20db2d6da399fa53e4ddbb7b3ee",
    ".github/prompts/speckit.analyze.prompt.md": "bb93dbbafa96d07b7cd07fc7061d8adb0c6b26cb772a52d0dce263b1ca2b9b77",
    ".github/prompts/speckit.checklist.prompt.md": "c3aea7526c5cbfd8665acc9508ad5a9a3f71e91a63c36be7bed13a834c3a683c",
    ".github/prompts/speckit.clarify.prompt.md": "ce79b3437ca918d46ac858eb4b8b44d3b0a02c563660c60d94c922a7b5d8d4f4",
    ".github/prompts/speckit.constitution.prompt.md": "38f937279de14387601422ddfda48365debdbaf47b2d513527b8f6d8a27d499d",
    ".github/prompts/speckit.implement.prompt.md": "5053a17fb9238338c63b898ee9c80b2cb4ad1a90c6071fe3748de76864ac6a80",
    ".github/prompts/speckit.plan.prompt.md": "2098dae6bd9277335f31cb150b78bfb1de539c0491798e5cfe382c89ab0bcd0e",
    ".github/prompts/speckit.specify.prompt.md": "7b2cc4dc6462da1c96df46bac4f60e53baba3097f4b24ac3f9b684194458aa98",
    ".github/prompts/speckit.tasks.prompt.md": "88fc57c289f99d5e9d35c255f3e2683f73ecb0a5155dcb4d886f82f52b11841f",
    ".github/prompts/speckit.taskstoissues.prompt.md": "2f9636d4f312a1470f000747cb62677fec0655d8b4e2357fa4fbf238965fa66d"
  }
 }
--- a/.specify/integrations/speckit.manifest.json
+++ b/.specify/integrations/speckit.manifest.json
@ -1,8 +0,0 @@
 {
  "integration": "speckit",
  "version": "0.7.4",
  "installed_at": "2026-04-22T21:58:02.965809+00:00",
  "files": {
    ".specify/templates/constitution-template.md": "ce7549540fa45543cca797a150201d868e64495fdff39dc38246fb17bd4024b3"
  }
 }
--- a/.specify/memory/constitution.md
+++ b/.specify/memory/constitution.md
@ -1,36 +1,21 @@
 <!--
 Sync Impact Report
- Version change: 2.10.0 -> 2.11.0
+- Version change: 2.5.0 -> 2.6.0
 - Modified principles:
-  - Expanded decision-first and operator-surface rules so operational,
+  - UI surface taxonomy and review expectations: expanded with native
-    governance, evidence, onboarding, review, and support-facing
+    vs custom classification, shared-detail host ownership, named
-    detail/status surfaces separate decision content, operator
+    anti-patterns, and shell/page/detail state ownership review
-    diagnostics, and support/raw evidence
+  - Filament Native First / No Ad-hoc Styling (UI-FIL-001): expanded
-  - Expanded review and enforcement expectations so specs, plans,
+    into explicit native-by-default, fake-native, shared-family, and
-    tasks, and checklists must make audience modes, raw/support
+    exception-boundary language
-    gating, one dominant next action, and duplicate-truth prevention
+- Added sections: None
    explicit
 - Added sections:
  - Audience-Aware Decision Surfaces & Disclosure Ladder
    (DECIDE-AUD-001): requires customer-readable default paths,
    operator diagnostics as progressive disclosure, support/raw
    evidence gating, one dominant next action, and no duplicate truth
    across equal-priority cards
 - Removed sections: None
 - Templates requiring updates:
- .specify/templates/spec-template.md: add audience-aware disclosure
+  - None in this docs-only constitution slice; enforcement remains
-    section + constitution prompts ✅
+    deferred to Spec 201
 - .specify/templates/plan-template.md: add audience/disclosure
    planning prompts + constitution checks ✅
 - .specify/templates/tasks-template.md: add decision/disclosure
    implementation + test tasks ✅
 - .specify/templates/checklist-template.md: add disclosure, raw-gating,
    one-primary-action, and duplicate-truth review checks ✅
 - docs/product/standards/README.md: refresh constitution index for
    the new audience-aware disclosure contract ✅
 - Commands checked:
-  - N/A `.specify/templates/commands/*.md` directory is not present
+  - N/A `.specify/templates/commands/*.md` directory is not present in this repo
 - Follow-up TODOs: None
 -->
@ -68,15 +53,6 @@ ### No Premature Abstraction (ABSTR-001)
 - Test convenience alone is not sufficient justification for a new abstraction.
 - Narrow abstractions are allowed when required for security, tenant isolation, auditability, compliance evidence, or queue/job execution correctness.
 ### First Provider Is Not Platform Core (PROV-001)
 - Microsoft is the current first provider, not the platform core.
 - Shared platform-owned contracts, taxonomies, identifiers, compare semantics, and operator vocabulary MUST NOT silently become Microsoft-shaped truth just because Microsoft is the only provider today.
 - Shared platform-owned boundaries SHOULD prefer neutral core terms such as `provider`, `connection`, `target scope`, `governed subject`, and `operation` unless the feature is intentionally provider-owned and explicitly bounded.
 - Shared core terms at shared boundaries (PROV-002): if a boundary is reused across multiple domains, features, or workflows, the default is neutral platform language rather than provider-specific labels or semantics.
 - No accidental deepening of provider coupling (PROV-003): a feature MAY retain provider-specific semantics at a provider-owned seam, but it MUST NOT spread those semantics deeper into platform-core contracts, shared persistence truth, shared taxonomies, or shared UI language without proving that the narrower current-release truth genuinely requires it.
 - Shared-boundary review is mandatory (PROV-004): when a feature touches a shared provider/platform seam, the spec, plan, and review MUST state whether the seam is provider-owned or platform-core, what provider-specific semantics remain, and why that choice is the narrowest correct implementation now.
 - Prefer bounded extraction over premature generalization (PROV-005): if an existing hotspot is too Microsoft-specific, the default remedy is a bounded normalization or extraction of that hotspot, not a speculative multi-provider framework with unused extension points.
 ### No New Persisted Truth Without Source-of-Truth Need (PERSIST-001)
 - New tables, persisted entities, or stored artifacts MUST represent real product truth that survives independently of the originating request, run, or view.
 - Persisted storage is justified only when at least one of these is true: it is a source of truth, has an independent lifecycle, must be audited independently, must outlive its originating run/request, is required for permissions/routing/compliance evidence, or is required for stable operator workflows over time.
@ -94,14 +70,6 @@ ### UI Semantics Must Not Become Their Own Framework (UI-SEM-001)
 - Direct mapping from canonical domain truth to UI is preferred over intermediate semantic superstructures.
 - Presentation helpers SHOULD remain optional adapters, not mandatory architecture.
 ### Shared Pattern First For Cross-Cutting Interaction Classes (XCUT-001)
 - Cross-cutting interaction classes such as notifications, status messaging, action links, header actions, dashboard signals/cards, navigation entry points, alerts, evidence/report viewers, and similar operator-facing infrastructure MUST first attach to an existing shared contract, presenter, builder, renderer, or other shared path when one already exists.
 - New local or domain-specific implementations for an existing interaction class are allowed only when the current shared path is demonstrably insufficient for current-release truth.
 - The active spec MUST name the shared path being reused or explicitly record the deviation, why the existing path is insufficient, what consistency must still be preserved, and what ownership or spread-control cost the deviation creates.
 - The same interaction class MUST NOT develop parallel operator-facing UX languages for title/body/action structure, status semantics, action-label patterns, or deep-link behavior unless the deviation is explicit and justified.
 - Reviews MUST treat undocumented bypass of an existing shared path as drift and block merge until the feature converges on the shared path or records a bounded exception.
 - If the drift is discovered only after a feature is already implemented, the remedy is NOT to rewrite historical closed specs retroactively by default; instead the active work MUST record the issue as `document-in-feature` or escalate it as `follow-up-spec`, depending on whether the drift is contained or structural.
 ### V1 Prefers Explicit Narrow Implementations (V1-EXP-001)
 - For V1 and early product maturity, direct implementation, local mapping, explicit per-domain logic, small focused helpers, derived read models, and minimal UI adapters are preferred.
 - Generic platform engines, meta-frameworks, universal resolver systems, workflow frameworks, and broad semantic taxonomies are disfavored until real variance proves them necessary.
@ -165,37 +133,6 @@ ### Spec Candidate Gate (SPEC-GATE-001)
 ### Default Bias (BIAS-001)
 - Default codebase bias is: derive before persist, map before frameworkize, localize before generalize, simplify before extend, replace before layer, explicit before generic, and present directly before interpreting recursively.
 ### Pre-Production Lean Doctrine (LEAN-001)
 This product has no production deployment, no live customer data, no shared staging with migration-relevant state, and no external API contract consumers.
 #### Data and schema
 - Old data shapes, column names, enum values, and operation types MAY be replaced in place.
 - Migration shims, dual-write logic, and fallback readers MUST NOT be created unless a spec explicitly requires compatibility behavior.
 #### Terminology and types
 - Renamed or unified operation types, reason codes, and status values MUST replace the old value everywhere (code, config, tests, fixtures, seed data).
 - Legacy aliases kept "just in case" are forbidden.
 #### Codebase hygiene
 - Dead constants, dead enum cases, orphan config keys, and test fixtures that reference replaced shapes MUST be removed in the same PR that introduces the replacement.
 - "Old runs / old rows don't matter" is the standing assumption until the product ships.
 #### AI-agent rule
 - Before adding aliases, fallback readers, dual-write logic, migration shims, or legacy fixtures, agents MUST verify:
  1. Do live production data exist?
  2. Is shared staging migration-relevant?
  3. Does an external contract depend on the old shape?
  4. Does the spec explicitly require compatibility behavior?
 - If all answers are no, replace the old shape and remove the compatibility path.
 #### Review rule
 - Any PR that introduces a new legacy alias, compatibility shim, or historical fixture without answering the four questions above is a merge blocker.
 #### Exit condition
 - LEAN-001 expires when the first production deployment occurs.
 - At that point, the constitution MUST be amended to define the real migration and compatibility policy.
 ### Workspace Isolation is Non-negotiable
 - Workspace membership is an isolation boundary. If the actor is not entitled to the workspace scope, the system MUST respond as
  deny-as-not-found (404).
@ -313,57 +250,24 @@ ### Operations / Run Observability Standard
  even if implemented by multiple jobs/steps (“umbrella run”).
 - “Single-row” runs MUST still use consistent counters (e.g., `total=1`, `processed=0|1`) and outcome derived from success/failure.
 - Monitoring pages MUST be DB-only at render time (no external calls).
- Start surfaces MUST NOT perform remote work inline and MUST NOT compose OperationRun start UX locally; they only:
+- Start surfaces MUST NOT perform remote work inline; they only: authorize, create/reuse run (dedupe), enqueue work,
-  authorize, create/reuse run (dedupe), enqueue work, and hand queued/start-state feedback to the shared
+  confirm + “View run”.
  OperationRun Start UX Contract.
 ### OperationRun Start UX Contract (OPS-UX-START-001)
 - OperationRun UX MUST be contract-driven, not surface-driven.
 - Any feature that creates, queues, deduplicates, resumes, blocks, completes, or links to an `OperationRun` MUST use
  the central OperationRun Start UX Contract.
 - Filament Pages, Resources, Widgets, Livewire Components, Actions, and Services MUST NOT independently compose
  OperationRun start UX from local pieces.
 - The shared OperationRun UX layer MUST own:
  - local start notification / toast
  - `Open operation` / `View run` link
  - artifact link such as `View snapshot`, `View pack`, or `View restore`
  - run-enqueued browser event
  - queued DB-notification decision
  - dedupe / already-available / already-running messaging
  - blocked / failed-to-start messaging
  - tenant/workspace-safe operation URL resolution
 - Feature surfaces MAY initiate `OperationRun`s, but they MUST NOT define their own OperationRun UX semantics.
 - `OperationRun` lifecycle state remains the canonical execution truth.
 - Queued DB notifications MUST remain explicit opt-in unless the active spec defines a different policy.
 - Terminal `OperationRun` notifications MUST be emitted through the central OperationRun lifecycle mechanism.
 - Any exception MUST include:
  1. an explicit spec decision,
  2. a documented architecture note,
  3. a test or guard-test exception with rationale,
  4. a follow-up migration decision if the exception is temporary.
 - New OperationRun-starting features MUST include an `OperationRun UX Impact` section in the active spec or plan.
 ### Operations UX — 3-Surface Feedback (OPS-UX-055) (NON-NEGOTIABLE)
-If a feature creates/reuses `OperationRun`, its default feedback contract is exactly three surfaces.
+If a feature creates/reuses `OperationRun`, it MUST use exactly three feedback surfaces — no others:
 Queued DB notifications are forbidden by default and MAY exist only when the active spec explicitly opts into them
 through the OperationRun Start UX Contract:
 1) Toast (intent only / queued-only)
 - A toast MAY be shown only when the run is accepted/queued (intent feedback).
 - The toast MUST use `OperationUxPresenter::queuedToast($operationType)->send()`.
 - Feature code MUST NOT craft ad-hoc operation toasts.
 - A dedicated dedupe message MUST use the presenter (e.g., `alreadyQueuedToast(...)`), not `Notification::make()`.
 - Queued toast copy, action links, artifact links, start-state browser events, and dedupe/start-failure messaging MUST be
  produced by the shared OperationRun Start UX Contract, not by local surface code.
 2) Progress (active awareness only)
 - Live progress MUST exist only in:
  - the global active-ops widget, and
  - Monitoring → Operation Run Detail.
 - These surfaces MUST show only active runs (`queued|running`) and MUST never show terminal runs.
 - Running DB notifications are forbidden.
 - Determinate progress is allowed ONLY when `summary_counts.total` and `summary_counts.processed` are valid numeric values.
 - Determinate progress MUST be clamped to 0–100. Otherwise render indeterminate + elapsed time.
 - The widget MUST NOT show percentage text (optional `processed/total` is allowed).
@ -404,10 +308,6 @@ ### Ops-UX regression guards are mandatory (OPS-UX-GUARD-001)
 The repo MUST include automated guards (Pest) that fail CI if:
 - any direct `OperationRun` status/outcome transition occurs outside `OperationRunService`,
 - feature code bypasses the central OperationRun Start UX Contract for queued/start-state operation UX where the repo's
  guardable patterns can detect it,
 - feature code emits queued DB notifications for operations without explicit spec-driven opt-in through the shared
  OperationRun UX layer,
 - jobs emit DB notifications for operation completion/abort (`OperationRunCompleted` is the single terminal notification),
 - deprecated legacy operation notification classes are referenced again.
@ -593,114 +493,11 @@ ##### Review gate
 5. Is this a Primary Decision Surface, Secondary Context Surface, or
   Tertiary Evidence / Diagnostics Surface?
 6. If it is primary, why can it not live inside an existing decision
-  context?
+   context?
 7. Does the navigation reflect a workflow or only storage structure?
 8. Does this reduce search, review, or click work?
 9. Does this make the product calmer and clearer instead of louder?
 #### Audience-Aware Decision Surfaces & Disclosure Ladder (DECIDE-AUD-001)
 Goal: every operational, governance, evidence, onboarding, review, and
 support-facing detail or status surface MUST keep customer-readable
 decision content, operator diagnostics, and support/raw evidence
 intentionally separated while preserving full depth through progressive
 disclosure.
 ##### Audience ladder is explicit
 - In-scope detail and status surfaces MUST define their content using
  this three-tier hierarchy when applicable:
  - decision content
  - operator diagnostics
  - support / raw evidence
 - Surfaces that are reachable by more than one audience class MUST
  define their default-visible content for at least these layers when
  applicable:
  - customer / read-only default
  - operator / MSP diagnostics
  - platform / support raw evidence
 - The surface contract MUST state which capabilities unlock each deeper
  layer.
 - Support/raw evidence MUST NOT become the default first-read
  experience on customer-readable or ordinary operator-facing
  surfaces.
 ##### Customer-readable default path
 - The default reading path for customer/read-only users MUST optimize
  for status, reason, impact, one dominant next action, and a short
  result or artifact summary.
 - Internal lifecycle wording, debug semantics, implementation field
  names, raw payload fragments, and support-oriented context MUST NOT
  appear in the default customer-readable path unless they are the only
  way to understand the first decision.
 - Default-visible customer/read-only content is responsible for status,
  reason, impact, the dominant next action, and a concise supporting
  summary only.
 ##### Diagnostics are secondary by default
 - Diagnostics such as lifecycle, timings, verification detail, drift
  detail, permission detail, provider summaries, or related-operation
  context MUST be lower-priority than the decision surface and MUST be
  collapsed, tabbed, grouped, or otherwise progressively disclosed when
  the first decision does not require them.
 - Authorized operators MAY expand diagnostics, but diagnostics MUST NOT
  visually compete with the primary decision block.
 - Where no support/raw tier is exposed, diagnostics still remain below
  the decision tier and MUST NOT restate the same decision summary at
  equal weight.
 ##### Raw/support evidence is gated
 - Raw/support evidence such as JSON, raw context payloads,
  fingerprints, internal reason ownership, platform reason families,
  monitoring detail, viewer context, or copy/show-raw actions MUST NOT
  appear in the default decision path.
 - These details MUST live behind explicit reveal affordances and MUST
  be capability-gated wherever the audience model distinguishes support
  or platform users from ordinary operators.
 - Capability-gated support/raw disclosure MUST fail closed when the
  actor lacks the required scope or capability.
 ##### One dominant next action
 - A decision surface MUST expose exactly one dominant next action in
  the default-visible region.
 - Optional secondary actions MAY exist, but they MUST NOT compete with
  the primary remediation or decision action in prominence.
 - Contextual navigation such as opening a related run, tenant, report,
  or technical detail remains secondary.
 ##### No duplicate truth across equal-priority cards
 - The same blocker, reason, or next action MUST NOT be repeated across
  multiple equal-priority cards, sections, or summary blocks on the
  same default-visible surface.
 - Supporting evidence MAY restate the underlying proof, but the
  dominant decision message appears once and diagnostics elaborate
  beneath it.
 ##### Required tests
 - New or materially changed customer/operator-facing detail surfaces
  MUST include focused tests proving:
  - default-visible content shows status, reason, impact, and next
    action,
  - exactly one dominant next action is primary,
  - diagnostics are secondary or collapsed,
  - raw/support evidence is not default-visible,
  - support/raw sections are capability-gated where applicable,
  - and duplicate visible decision summaries are absent.
 ##### Stored evidence wins over fallback diagnostics
 - When a stored verification or report artifact exists, fallback
  technical diagnostics SHOULD demote behind supporting evidence or
  technical details instead of remaining peer-level default content.
 - Fallback diagnostics MAY become temporarily prominent only when the
  higher-level artifact does not yet exist or is unavailable.
 #### Surface Taxonomy (UI-SURF-001)
 Every new admin surface MUST be assigned exactly one broad action-surface
@ -1424,22 +1221,11 @@ #### Operator Surface Principles (OPSURF-001)
 - Diagnostic detail MAY exist, but it MUST be secondary and explicitly revealed.
 - JSON payloads, raw IDs, internal field names, provider error details, and low-level technical metadata belong in diagnostics surfaces rather than the primary content region.
 - Operators MUST NOT need to parse raw payloads to understand current state or next action.
 - Detail/status surfaces MUST satisfy DECIDE-AUD-001: decision content
  first, operator diagnostics second, support/raw evidence third.
 Distinct truth dimensions
 - When the domain has execution outcome, data completeness, governance result, lifecycle or readiness state, operability truth, health truth, trust/confidence, or next action semantics, the surface MUST keep them explicit instead of collapsing them into one ambiguous status.
 - If multiple truth dimensions are summarized, the default-visible UI MUST label each dimension clearly.
 Dominant next action and duplicate-truth control
 - Default-visible decision content MUST include status, reason,
  impact, and one dominant next action where those concepts exist.
 - Secondary navigation or debug helpers MUST remain lower-priority
  than the dominant decision action.
 - The same blocker, reason, impact, or next action MUST NOT be
  repeated across multiple default-visible cards, sections, tabs, or
  summaries.
 Explicit mutation scope
 - Every state-changing action MUST communicate before execution whether it affects TenantPilot only, the Microsoft tenant, or simulation only.
 - Mutation scope MUST be understandable from nearby action copy, helper text, preview, or confirmation.
@ -1460,13 +1246,6 @@ #### Operator Surface Principles (OPSURF-001)
 Page contract requirement
 - Every new or materially refactored operator-facing page MUST define the primary persona, surface type, primary operator question, default-visible information, diagnostics-only information, status dimensions used, mutation scope, primary actions, and dangerous actions.
 - The page contract MUST live in the governing spec and stay in sync with implementation.
 - Where multiple audience classes share the page, the contract MUST
  explicitly define the customer/read-only default path, operator
  diagnostics path, support/raw-evidence path, and the capabilities
  that unlock each layer.
 - The page contract MUST also make the dominant next action,
  duplicate-truth prevention, and raw/support gating explicit for
  changed detail/status surfaces.
 #### Spec Scope Fields (SCOPE-002)
@ -1491,11 +1270,8 @@ #### Enforcement Model (UI-REVIEW-001)
  native, custom, or a shared detail family, what shared core vs host
  variation exists if relevant, which layer owns the relevant shell,
  page, and detail truth, which requested/active/draft/inspect/
-  restorable roles exist, which audience ladder and disclosure
+  restorable roles exist, whether any fake-native or host-drift risk is
-  boundaries exist, what the dominant next action is, how raw/support
+  present, and whether an exception type is used.
  evidence is gated, how duplicate truth is prevented, whether any
  fake-native or host-drift risk is present, and whether an exception
  type is used.
 - Missing any of those answers makes the spec incomplete.
 PR review requirements
@ -1510,12 +1286,7 @@ #### Enforcement Model (UI-REVIEW-001)
  promoted into primary navigation without justification, one case
  fragmented across multiple equal-rank pages, new automation that adds
  attention surfaces without reducing operator work, noisy default
-  surfaces with no action/watch/reference hierarchy, duplicate visible
+  surfaces with no action/watch/reference hierarchy, `Filament Costume`,
  blocker/reason/next-action summaries, customer/operator default paths
  that expose raw JSON, fingerprints, reason ownership, platform reason
  families, or monitoring detail, helper actions such as `Open
  operation`, `Technical details`, or `Show JSON` competing with the
  dominant decision action, `Filament Costume`,
  `Blade Request UI`, `Hand-Rolled Simple Overview`, `Hidden Exception`,
  `Host Drift`, `State Layer Collapse`, `Parallel Inspect Worlds`, or
  undocumented exceptions without dedicated tests.
@ -1527,15 +1298,11 @@ #### Enforcement Model (UI-REVIEW-001)
  presence of explicit Inspect on Queue / Review and History / Audit
  surfaces, absence of empty `ActionGroup` or `BulkActionGroup`,
  correct placement of destructive actions, truthful scope signals,
-  stable canonical nouns across shells, presence of a single dominant
+  stable canonical nouns across shells, absence of fake-native primary
-  next action where surface metadata exposes one, absence of duplicate
+  controls where metadata says the surface is native, bounded shared
-  visible decision summaries, explicit raw/support gating or secondary
+  family contracts where metadata says a family is reused, explicit
-  placement where the surface serves multiple audience classes,
+  state ownership where specs or metadata expose it, and dedicated
-  absence of fake-native primary controls where metadata says the
+  tests for every approved exception.
  surface is native, bounded shared family contracts where metadata
  says a family is reused, explicit state ownership where specs or
  metadata expose it, and dedicated tests for every approved
  exception.
 #### Immediate Retrofit Priorities
@ -1602,10 +1369,6 @@ #### Appendix A - One-page Condensed Constitution
 - Scope chips must be truthful.
 - Domain nouns are canonical and stable.
 - Critical operational truth is default-visible.
 - Multi-audience detail/status surfaces keep customer-readable decision
  content above operator diagnostics and support/raw evidence.
 - One dominant next action stays visually primary.
 - Duplicate visible decision truth is forbidden.
 - Semantic truth dimensions are not collapsed into a generic status.
 - Standard lists stay scanable.
 - Exceptions are catalogued, justified, and tested.
@ -1618,8 +1381,6 @@ #### Appendix B - Feature Review Checklist
 - The human-in-the-loop moment is explicit.
 - Immediate-visible decision information is explicit.
 - On-demand evidence / diagnostics boundaries are explicit.
 - Audience-aware default visibility and raw-evidence boundaries are
  explicit where the page serves more than one audience class.
 - Any new primary surface is justified against an existing decision
  context.
 - Navigation reflects a workflow rather than storage structure.
@ -1629,8 +1390,6 @@ #### Appendix B - Feature Review Checklist
 - Broad action-surface class is declared.
 - Detailed surface type is declared.
 - The one most likely next operator action is explicit.
 - One dominant next action stays primary.
 - Duplicate visible decision truth is absent.
 - The surface is classified correctly as native, custom, or shared
  family.
 - Primary inspect/open model is defined.
@ -1712,10 +1471,6 @@ ### Filament Native First / No Ad-hoc Styling (UI-FIL-001)
 - Admin and operator-facing surfaces MUST use native Filament components, existing shared UI primitives, and centralized design patterns first.
 - If Filament already provides the required semantic element, feature code MUST use the Filament-native component instead of a locally assembled replacement.
 - Preferred native elements include `x-filament::badge`, `x-filament::button`, `x-filament::icon`, and Filament Forms, Infolists, Tables, Sections, Tabs, Grids, and Actions.
 - Local Blade/Tailwind cards are allowed only when they preserve dark
  mode correctness, spacing consistency, badge semantics, action
  hierarchy, progressive disclosure, accessibility, and overall
  Filament visual language.
 Native-by-default classification
 - `Native Surface` means the primary interaction contract is built from
@ -1747,8 +1502,6 @@ ### Filament Native First / No Ad-hoc Styling (UI-FIL-001)
  more than one host, it becomes a `Shared Detail Micro-UI` and MUST
  define shared core vs host variation before another host reassembles
  it locally.
 - Local one-off markup MUST NOT recreate decision/diagnostics/raw
  layering when an existing shared detail family is sufficient.
 Upgrade-safe preference
 - Update-safe, framework-native implementations take priority over page-local styling shortcuts.
@ -1762,9 +1515,7 @@ ### Filament Native First / No Ad-hoc Styling (UI-FIL-001)
  - and the deviation is justified briefly in code and in the governing spec or PR.
 - Approved exceptions MUST stay layout-neutral, use the minimum local
  classes necessary, MUST NOT invent a new page-local status language,
-  MUST preserve dark mode correctness, spacing consistency,
+  and MUST say what remains standardized.
  badge semantics, action hierarchy, progressive disclosure,
  accessibility, and MUST say what remains standardized.
 - `Hidden Exception` is forbidden. Historical accident or local
  implementation convenience is not a valid substitute for UI-EX-001.
@ -1773,8 +1524,6 @@ ### Filament Native First / No Ad-hoc Styling (UI-FIL-001)
  - which native Filament element or shared primitive was used,
  - why an existing component was insufficient if an exception was taken,
  - whether the surface is native, custom, or a shared detail family,
  - whether any local Blade/Tailwind card still preserves Filament
    visual language and disclosure semantics,
  - and whether any ad-hoc status, emphasis styling, or fake-native
    contract was introduced.
 - UI work is not Done if it introduces ad-hoc status styling or framework-foreign replacement components where a native Filament or shared UI solution was viable.
@ -1807,17 +1556,6 @@ ### Scope, Compliance, and Review Expectations
 - Specs and PRs that introduce new persisted truth, abstractions, states, DTO/presenter layers, or taxonomies MUST include the proportionality review required by BLOAT-001.
 - Runtime-changing or test-affecting specs and PRs MUST include testing/lane/runtime impact covering actual test-purpose classification, affected lanes, fixture/helper/factory/seed/context cost changes, any heavy-family expansion, expected budget/baseline/trend effect, escalation decisions, and the minimal validation commands.
 - Specs, plans, task lists, and review checklists MUST surface the test-governance questions needed to catch lane drift, hidden defaults, and runtime-cost escalation before merge.
 - Specs and PRs that touch shared provider/platform seams MUST classify the touched boundary as provider-owned or platform-core, keep provider-specific semantics out of platform-core contracts and vocabulary unless explicitly justified, and record whether any remaining hotspot is resolved in-feature or escalated as a follow-up spec.
 - Specs and PRs that create, queue, deduplicate, resume, block, complete, or deep-link to an `OperationRun` MUST reuse the
  central OperationRun Start UX Contract, keep queued DB notifications explicit opt-in unless the active spec states a
  different policy, route terminal notifications through the lifecycle mechanism, include an `OperationRun UX Impact`
  section in the active spec or plan, and document any temporary exception with an architecture note, test rationale,
  and migration decision.
 - Specs and PRs that change detail or status surfaces MUST explicitly
  document how they satisfy customer-readable decision-first content,
  diagnostics-secondary disclosure, support/raw-evidence gating, one
  dominant next action, duplicate-truth prevention, and shared-pattern
  reuse.
 - Specs and PRs that change operator-facing surfaces MUST classify each
  affected surface under DECIDE-001 and justify any new Primary
  Decision Surface or workflow-first navigation change.
@ -1835,4 +1573,4 @@ ### Versioning Policy (SemVer)
 - **MINOR**: new principle/section or materially expanded guidance.
 - **MAJOR**: removing/redefining principles in a backward-incompatible way.
-**Version**: 2.11.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-04-27
+**Version**: 2.6.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-04-18
--- a/.specify/scripts/bash/setup-plan.sh
+++ b/.specify/scripts/bash/setup-plan.sh
@ -40,13 +40,9 @@ mkdir -p "$FEATURE_DIR"
 TEMPLATE="$REPO_ROOT/.specify/templates/plan-template.md"
 if [[ -f "$TEMPLATE" ]]; then
    cp "$TEMPLATE" "$IMPL_PLAN"
-    if ! $JSON_MODE; then
+    echo "Copied plan template to $IMPL_PLAN"
        echo "Copied plan template to $IMPL_PLAN"
    fi
 else
-    if ! $JSON_MODE; then
+    echo "Warning: Plan template not found at $TEMPLATE"
        echo "Warning: Plan template not found at $TEMPLATE"
    fi
    # Create a basic plan file if template doesn't exist
    touch "$IMPL_PLAN"
 fi
--- a/.specify/templates/checklist-template.md
+++ b/.specify/templates/checklist-template.md
@ -26,44 +26,18 @@ ## Native, Shared-Family, And State Ownership
 - [ ] CHK005 Shell, page, detail, and URL/query state owners are named once and do not collapse into one another.
 - [ ] CHK006 The likely next operator action and the primary inspect/open model stay coherent with the declared surface class.
 ## Shared Pattern Reuse
 - [ ] CHK007 Any cross-cutting interaction class is explicitly marked, and the existing shared contract/presenter/builder/renderer path is named once.
 - [ ] CHK008 The change extends the shared path where it is sufficient, or the deviation is explicitly documented with product reason, preserved consistency, ownership cost, and spread-control.
 - [ ] CHK009 The change does not create a parallel operator-facing UX language for the same interaction class unless a bounded exception is recorded.
 ## OperationRun Start UX Contract
 - [ ] CHK019 The change explicitly says whether it creates, queues, deduplicates, resumes, blocks, completes, or deep-links to an `OperationRun`, and the required `OperationRun UX Impact` section exists when applicable.
 - [ ] CHK020 Queued toast/link/artifact-link/browser-event/dedupe-or-blocked messaging and tenant/workspace-safe operation URL resolution are delegated to the shared OperationRun UX contract instead of local surface code.
 - [ ] CHK021 Any queued DB notification is explicit opt-in in the active spec or plan, running DB notifications remain absent, and terminal notifications still flow through the central lifecycle mechanism.
 - [ ] CHK022 Any exception records the explicit spec decision, architecture note, test or guard-test rationale, and temporary migration follow-up decision.
 ## Provider Boundary And Vocabulary
 - [ ] CHK010 The change states whether any touched shared seam is provider-owned, platform-core, or mixed, and provider-specific semantics do not silently spread into platform-core contracts, taxonomy, identifiers, compare semantics, or operator vocabulary.
 - [ ] CHK011 Any retained provider-specific shared boundary is justified as a bounded current-release exception or an explicit follow-up-spec need instead of becoming permanent platform truth by default.
 ## Signals, Exceptions, And Test Depth
- [ ] CHK012 Any triggered repository signal is classified with one handling mode: `hard-stop-candidate`, `review-mandatory`, `exception-required`, or `report-only`.
+- [ ] CHK007 Any triggered repository signal is classified with one handling mode: `hard-stop-candidate`, `review-mandatory`, `exception-required`, or `report-only`.
- [ ] CHK013 Any deviation from default rules includes a bounded exception record naming the broken rule, product reason, standardized parts, spread-control rule, and the active feature PR close-out entry.
+- [ ] CHK008 Any deviation from default rules includes a bounded exception record naming the broken rule, product reason, standardized parts, spread-control rule, and the active feature PR close-out entry.
- [ ] CHK014 The required surface test profile is explicit: `shared-detail-family`, `monitoring-state-page`, `global-context-shell`, `exception-coded-surface`, or `standard-native-filament`.
+- [ ] CHK009 The required surface test profile is explicit: `shared-detail-family`, `monitoring-state-page`, `global-context-shell`, `exception-coded-surface`, or `standard-native-filament`.
- [ ] CHK015 The chosen test family/lane and any manual smoke are the narrowest honest proof for the declared surface class, and `standard-native-filament` relief is used when no special contract exists.
+- [ ] CHK010 The chosen test family/lane and any manual smoke are the narrowest honest proof for the declared surface class, and `standard-native-filament` relief is used when no special contract exists.
 ## Audience-Aware Disclosure And Decision Hierarchy
 - [ ] CHK023 Default-visible content is decision-first and clearly separated from operator diagnostics and support/raw evidence.
 - [ ] CHK024 Customer/read-only default paths do not expose raw JSON, copied context payloads, fingerprints, internal reason ownership, platform reason families, monitoring detail, or other debug semantics by default.
 - [ ] CHK025 Exactly one dominant next action is primary; navigation or debug helpers such as `Open operation`, `Technical details`, or `Show JSON` do not compete at equal weight.
 - [ ] CHK026 Duplicate visible status, blocker, reason, impact, or next-action summaries are removed or explicitly justified as non-duplicative evidence.
 - [ ] CHK027 Support/raw sections are collapsed, lower-priority, or capability-gated where applicable, and any local Blade/Tailwind surface still preserves Filament visual language, dark mode correctness, progressive disclosure, and accessibility.
 ## Review Outcome
- [ ] CHK016 One review outcome class is chosen: `blocker`, `strong-warning`, `documentation-required-exception`, or `acceptable-special-case`.
+- [ ] CHK011 One review outcome class is chosen: `blocker`, `strong-warning`, `documentation-required-exception`, or `acceptable-special-case`.
- [ ] CHK017 One workflow outcome is chosen: `keep`, `split`, `document-in-feature`, `follow-up-spec`, or `reject-or-split`.
+- [ ] CHK012 One workflow outcome is chosen: `keep`, `split`, `document-in-feature`, `follow-up-spec`, or `reject-or-split`.
- [ ] CHK018 The final note location is explicit: the active feature PR close-out entry for guarded work, or a concise `N/A` note for low-impact changes.
+- [ ] CHK013 The final note location is explicit: the active feature PR close-out entry for guarded work, or a concise `N/A` note for low-impact changes.
 ## Notes
@ -74,7 +48,7 @@ ## Notes
 - `keep`: the current scope, guardrail handling, and proof depth are justified.
 - `split`: the intent is valid, but the scope should narrow before merge.
 - `document-in-feature`: the change is acceptable, but the active feature must record the exception, signal handling, or proof notes explicitly.
- `follow-up-spec`: the issue is recurring or structural and needs dedicated governance follow-up. For already-implemented historical drift, prefer a follow-up spec or active feature note instead of retroactively rewriting closed specs.
+- `follow-up-spec`: the issue is recurring or structural and needs dedicated governance follow-up.
 - `reject-or-split`: hidden drift, unresolved exception spread, or wrong proof depth blocks merge as proposed.
 - Check items off as completed: `[x]`
 - Add comments or findings inline
--- a/.specify/templates/constitution-template.md
+++ b/.specify/templates/constitution-template.md
@ -1,50 +0,0 @@
 # [PROJECT_NAME] Constitution
 <!-- Example: Spec Constitution, TaskFlow Constitution, etc. -->
 ## Core Principles
 ### [PRINCIPLE_1_NAME]
 <!-- Example: I. Library-First -->
 [PRINCIPLE_1_DESCRIPTION]
 <!-- Example: Every feature starts as a standalone library; Libraries must be self-contained, independently testable, documented; Clear purpose required - no organizational-only libraries -->
 ### [PRINCIPLE_2_NAME]
 <!-- Example: II. CLI Interface -->
 [PRINCIPLE_2_DESCRIPTION]
 <!-- Example: Every library exposes functionality via CLI; Text in/out protocol: stdin/args → stdout, errors → stderr; Support JSON + human-readable formats -->
 ### [PRINCIPLE_3_NAME]
 <!-- Example: III. Test-First (NON-NEGOTIABLE) -->
 [PRINCIPLE_3_DESCRIPTION]
 <!-- Example: TDD mandatory: Tests written → User approved → Tests fail → Then implement; Red-Green-Refactor cycle strictly enforced -->
 ### [PRINCIPLE_4_NAME]
 <!-- Example: IV. Integration Testing -->
 [PRINCIPLE_4_DESCRIPTION]
 <!-- Example: Focus areas requiring integration tests: New library contract tests, Contract changes, Inter-service communication, Shared schemas -->
 ### [PRINCIPLE_5_NAME]
 <!-- Example: V. Observability, VI. Versioning & Breaking Changes, VII. Simplicity -->
 [PRINCIPLE_5_DESCRIPTION]
 <!-- Example: Text I/O ensures debuggability; Structured logging required; Or: MAJOR.MINOR.BUILD format; Or: Start simple, YAGNI principles -->
 ## [SECTION_2_NAME]
 <!-- Example: Additional Constraints, Security Requirements, Performance Standards, etc. -->
 [SECTION_2_CONTENT]
 <!-- Example: Technology stack requirements, compliance standards, deployment policies, etc. -->
 ## [SECTION_3_NAME]
 <!-- Example: Development Workflow, Review Process, Quality Gates, etc. -->
 [SECTION_3_CONTENT]
 <!-- Example: Code review requirements, testing gates, deployment approval process, etc. -->
 ## Governance
 <!-- Example: Constitution supersedes all other practices; Amendments require documentation, approval, migration plan -->
 [GOVERNANCE_RULES]
 <!-- Example: All PRs/reviews must verify compliance; Complexity must be justified; Use [GUIDANCE_FILE] for runtime development guidance -->
 **Version**: [CONSTITUTION_VERSION] | **Ratified**: [RATIFICATION_DATE] | **Last Amended**: [LAST_AMENDED_DATE]
 <!-- Example: Version: 2.1.1 | Ratified: 2025-06-13 | Last Amended: 2025-07-16 -->
--- a/.specify/templates/plan-template.md
+++ b/.specify/templates/plan-template.md
@ -36,10 +36,6 @@ ## UI / Surface Guardrail Plan
 - **Native vs custom classification summary**: [native / custom / mixed / N/A]
 - **Shared-family relevance**: [none / list affected shared families]
 - **State layers in scope**: [shell / page / detail / URL-query / none]
 - **Audience modes in scope**: [customer/read-only / operator-MSP / support-platform / N/A]
 - **Decision/diagnostic/raw hierarchy plan**: [decision-first / diagnostics-second / support-raw-third / N/A]
 - **Raw/support gating plan**: [collapsed / capability-gated / role-gated / N/A]
 - **One-primary-action / duplicate-truth control**: [how one dominant next action is preserved and repeated blockers are removed]
 - **Handling modes by drift class or surface**: [hard-stop-candidate / review-mandatory / exception-required / report-only / N/A]
 - **Repository-signal treatment**: [report-only / review-mandatory / exception-required / future hard-stop candidate / N/A]
 - **Special surface test profiles**: [standard-native-filament / shared-detail-family / monitoring-state-page / global-context-shell / exception-coded-surface / N/A]
@ -47,40 +43,6 @@ ## UI / Surface Guardrail Plan
 - **Exception path and spread control**: [none / describe the named exception boundary]
 - **Active feature PR close-out entry**: [Guardrail / Exception / Smoke Coverage / N/A]
 ## Shared Pattern & System Fit
 > **Fill when the feature touches notifications, status messaging, action links, header actions, dashboard signals/cards, navigation entry points, alerts, evidence/report viewers, or any other shared interaction family. Docs-only or template-only work may use concise `N/A`. Carry the same decision forward from the spec instead of renaming it here.**
 - **Cross-cutting feature marker**: [yes / no / N/A]
 - **Systems touched**: [List the existing shared systems or `N/A`]
 - **Shared abstractions reused**: [Named contracts / presenters / builders / renderers / helpers or `N/A`]
 - **New abstraction introduced? why?**: [none / short explanation]
 - **Why the existing abstraction was sufficient or insufficient**: [Short explanation tied to current-release truth]
 - **Bounded deviation / spread control**: [none / describe the exception boundary and containment rule]
 ## OperationRun UX Impact
 > **Fill when the feature creates, queues, deduplicates, resumes, blocks, completes, or deep-links to an `OperationRun`. Docs-only or template-only work may use concise `N/A`.**
 - **Touches OperationRun start/completion/link UX?**: [yes / no / N/A]
 - **Central contract reused**: [shared OperationRun UX layer / `N/A`]
 - **Delegated UX behaviors**: [queued toast / run link / artifact link / run-enqueued browser event / queued DB-notification decision / dedupe-or-blocked messaging / tenant/workspace-safe URL resolution / `N/A`]
 - **Surface-owned behavior kept local**: [initiation inputs only / none / short explanation]
 - **Queued DB-notification policy**: [explicit opt-in / spec override / `N/A`]
 - **Terminal notification path**: [central lifecycle mechanism / `N/A`]
 - **Exception path**: [none / spec decision + architecture note + test rationale + temporary migration follow-up]
 ## Provider Boundary & Portability Fit
 > **Fill when the feature touches shared provider/platform seams, identity scope, governed-subject taxonomy, compare strategy selection, provider connection descriptors, or operator vocabulary that may leak provider-specific semantics into platform-core truth. Docs-only or template-only work may use concise `N/A`.**
 - **Shared provider/platform boundary touched?**: [yes / no / N/A]
 - **Provider-owned seams**: [List or `N/A`]
 - **Platform-core seams**: [List or `N/A`]
 - **Neutral platform terms / contracts preserved**: [List or `N/A`]
 - **Retained provider-specific semantics and why**: [none / short explanation]
 - **Bounded extraction or follow-up path**: [none / document-in-feature / follow-up-spec / N/A]
 ## Constitution Check
 *GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
@ -95,8 +57,7 @@ ## Constitution Check
 - RBAC-UX: global search is tenant-scoped; non-members get no hints; inaccessible results are treated as not found (404 semantics)
 - Tenant isolation: all reads/writes tenant-scoped; cross-tenant views are explicit and access-checked
 - Run observability: long-running/remote/queued work creates/reuses `OperationRun`; start surfaces enqueue-only; Monitoring is DB-only; DB-only <2s actions may skip runs but security-relevant ones still audit-log; auth handshake exception OPS-EX-AUTH-001 allows synchronous outbound HTTP on `/auth/*` without `OperationRun`
- OperationRun start UX: any feature that creates, queues, deduplicates, resumes, blocks, completes, or links `OperationRun` reuses the central OperationRun Start UX Contract; no local composition of queued toast/link/event/start-state messaging; `OperationRun UX Impact` is present in the active spec or plan
+- Ops-UX 3-surface feedback: if `OperationRun` is used, feedback is exactly toast intent-only + progress surfaces + exactly-once terminal `OperationRunCompleted` (initiator-only); no queued/running DB notifications
 - Ops-UX 3-surface feedback: if `OperationRun` is used, default feedback is toast intent-only + progress surfaces + exactly-once terminal `OperationRunCompleted` (initiator-only); queued DB notifications remain explicit opt-in through the shared start UX contract; running DB notifications stay disallowed
 - Ops-UX lifecycle: `OperationRun.status` / `OperationRun.outcome` transitions are service-owned (only via `OperationRunService`); context-only updates allowed outside
 - Ops-UX summary counts: `summary_counts` keys come from `OperationSummaryKeys::all()` and values are flat numeric-only
 - Ops-UX guards: CI has regression guards that fail with actionable output (file + snippet) when these patterns regress
@ -109,16 +70,10 @@ ## Constitution Check
 - Persisted truth (PERSIST-001): new tables/entities/artifacts represent independent product truth or lifecycle; convenience projections and UI helpers stay derived
 - Behavioral state (STATE-001): new states/statuses/reason codes change behavior, routing, permissions, lifecycle, audit, retention, or retry handling; presentation-only distinctions stay derived
 - UI semantics (UI-SEM-001): avoid turning badges, explanation text, trust/confidence labels, or detail summaries into mandatory interpretation frameworks; prefer direct domain-to-UI mapping
 - Shared pattern first (XCUT-001): cross-cutting interaction classes reuse existing shared contracts/presenters/builders/renderers first; any deviation is explicit, bounded, and justified against current-release truth
 - Provider boundary (PROV-001): shared provider/platform seams are classified as provider-owned vs platform-core; provider-specific semantics stay out of platform-core contracts, taxonomy, identifiers, compare semantics, and operator vocabulary unless explicitly justified; bounded extraction beats speculative multi-provider frameworks
 - V1 explicitness / few layers (V1-EXP-001, LAYER-001): prefer direct implementation, local mappings, and small helpers; any new layer replaces an old one or proves the old one cannot serve
 - Spec discipline / bloat check (SPEC-DISC-001, BLOAT-001): related semantic changes are grouped coherently, and any new enum, DTO/presenter, persisted entity, interface/registry/resolver, or taxonomy includes a proportionality review covering operator problem, insufficiency, narrowness, ownership cost, rejected alternative, and whether it is current-release truth
 - Badge semantics (BADGE-001): status-like badges use `BadgeCatalog` / `BadgeRenderer`; no ad-hoc mappings; new values include tests
 - Filament-native UI (UI-FIL-001): admin/operator surfaces use native Filament components or shared primitives first; no ad-hoc status UI, local semantic color/border decisions, or hand-built replacements when native/shared semantics exist; any exception is explicitly justified
 - Filament-native UI (UI-FIL-001): if local Blade/Tailwind cards are
  still necessary, they preserve dark mode correctness, spacing
  consistency, badge semantics, action hierarchy, progressive
  disclosure, accessibility, and Filament visual language
 - UI/UX surface taxonomy (UI-CONST-001 / UI-SURF-001): every changed operator-facing surface is classified as exactly one allowed surface type; ad-hoc interaction models are forbidden
 - Decision-first operating model (DECIDE-001): each changed
  operator-facing surface is classified as Primary Decision,
@ -128,13 +83,6 @@ ## Constitution Check
  disclosed, one governance case stays decidable in one context where
  practical, navigation follows workflows not storage structures, and
  automation / alerts reduce attention load instead of adding noise
 - Audience-aware disclosure (DECIDE-AUD-001 / OPSURF-001): detail or
  status surfaces separate customer-readable decision content,
  operator diagnostics, and support/raw evidence; customer-readable
  default paths hide raw JSON, copied context, fingerprints, internal
  reason ownership, platform reason families, and debug semantics;
  one dominant next action is explicit; duplicate visible truth is
  removed
 - UI/UX inspect model (UI-HARD-001): each list surface has exactly one primary inspect/open model; redundant View beside row click or identifier click is forbidden; edit-as-inspect is limited to Config-lite resources
 - UI/UX action hierarchy (UI-HARD-001 / UI-EX-001): standard CRUD and Registry rows expose at most one inline safe shortcut; destructive actions are grouped or in the detail header; queue exceptions are catalogued, justified, and tested
 - UI/UX scope, truth, and naming (UI-HARD-001 / UI-NAMING-001 / OPSURF-001): scope signals are truthful, canonical nouns stay stable across shells, critical operational truth is default-visible, and standard lists remain scanable
--- a/.specify/templates/spec-template.md
+++ b/.specify/templates/spec-template.md
@ -35,38 +35,6 @@ ## Spec Scope Fields *(mandatory)*
 - **Default filter behavior when tenant-context is active**: [e.g., prefilter to current tenant]
 - **Explicit entitlement checks preventing cross-tenant leakage**: [Describe checks]
 ## Cross-Cutting / Shared Pattern Reuse *(mandatory when the feature touches notifications, status messaging, action links, header actions, dashboard signals/cards, alerts, navigation entry points, evidence/report viewers, or any other existing shared operator interaction family; otherwise write `N/A - no shared interaction family touched`)*
 - **Cross-cutting feature?**: [yes/no]
 - **Interaction class(es)**: [notifications / status messaging / header actions / dashboard signals / navigation / reports / etc.]
 - **Systems touched**: [List shared systems, surfaces, or infrastructure paths]
 - **Existing pattern(s) to extend**: [Name the existing shared path(s) or write `none`]
 - **Shared contract / presenter / builder / renderer to reuse**: [Exact class, helper, or surface path, or `none`]
 - **Why the existing shared path is sufficient or insufficient**: [Short explanation tied to current-release truth]
 - **Allowed deviation and why**: [none / bounded exception + why]
 - **Consistency impact**: [What must stay aligned across interaction structure, copy, status semantics, actions, and deep links]
 - **Review focus**: [What reviewers must verify to prevent parallel local patterns]
 ## OperationRun UX Impact *(mandatory when the feature creates, queues, deduplicates, resumes, blocks, completes, or deep-links to an `OperationRun`; otherwise write `N/A - no OperationRun start or link semantics touched`)*
 - **Touches OperationRun start/completion/link UX?**: [yes/no]
 - **Shared OperationRun UX contract/layer reused**: [Name it or `N/A`]
 - **Delegated start/completion UX behaviors**: [queued toast / `Open operation` or `View run` link / artifact link / run-enqueued browser event / queued DB-notification decision / dedupe-or-blocked messaging / tenant/workspace-safe URL resolution / `N/A`]
 - **Local surface-owned behavior that remains**: [initiation inputs only / none / bounded explanation]
 - **Queued DB-notification policy**: [explicit opt-in / spec override / `N/A`]
 - **Terminal notification path**: [central lifecycle mechanism / `N/A`]
 - **Exception required?**: [none / explicit spec decision + architecture note + test or guard-test rationale + temporary migration follow-up]
 ## Provider Boundary / Platform Core Check *(mandatory when the feature changes shared provider/platform seams, identity scope, governed-subject taxonomy, compare strategy selection, provider connection descriptors, or operator vocabulary that may leak provider-specific semantics into platform-core truth; otherwise write `N/A - no shared provider/platform boundary touched`)*
 - **Shared provider/platform boundary touched?**: [yes/no]
 - **Boundary classification**: [provider-owned / platform-core / mixed / N/A]
 - **Seams affected**: [contracts, models, taxonomies, query keys, labels, filters, compare strategy, etc.]
 - **Neutral platform terms preserved or introduced**: [List them or `N/A`]
 - **Provider-specific semantics retained and why**: [none / bounded current-release necessity]
 - **Why this does not deepen provider coupling accidentally**: [Short explanation]
 - **Follow-up path**: [none / document-in-feature / follow-up-spec]
 ## UI / Surface Guardrail Impact *(mandatory when operator-facing surfaces are changed; otherwise write `N/A`)*
 Use this section to classify UI and surface risk once. If the feature does
@ -89,17 +57,6 @@ ## Decision-First Surface Role *(mandatory when operator-facing surfaces are cha
 |---|---|---|---|---|---|---|---|
 | e.g. Review inbox | Primary Decision Surface | Review and release queued governance work | Case summary, severity, recommendation, required action | Full evidence, raw payloads, audit trail, provider diagnostics | Primary because it is the queue where operators decide and clear work | Follows pending-decisions workflow, not storage objects | Removes search across runs, findings, and audit pages |
 ## Audience-Aware Disclosure *(mandatory when operator-facing surfaces are changed)*
 If this feature adds or materially changes a detail or status surface,
 fill out one row per affected surface. Reuse the same surface names
 used above and make the disclosure hierarchy explicit instead of
 assuming it.
 | Surface | Audience Modes In Scope | Decision-First Default-Visible Content | Operator Diagnostics | Support / Raw Evidence | One Dominant Next Action | Hidden / Gated By Default | Duplicate-Truth Prevention |
 |---|---|---|---|---|---|---|---|
 | e.g. Review inbox | customer-read-only, operator-MSP, support-platform | Current status, why it matters, impact, recommendation, next action | Review history, lifecycle, related evidence, related runs | Raw payloads, fingerprints, reason ownership, platform reason family | `Review evidence` | Raw/support detail hidden or capability-gated outside support mode | The top summary states the blocker once; later sections add evidence rather than restating it |
 ## UI/UX Surface Classification *(mandatory when operator-facing surfaces are changed)*
 If this feature adds or materially changes an operator-facing list, detail, queue, audit, config, or report surface,
@ -144,14 +101,6 @@ ## Proportionality Review *(mandatory when structural complexity is introduced)*
 - **Alternative intentionally rejected**: [What simpler option was considered and why it was not sufficient]
 - **Release truth**: [Current-release truth or future-release preparation]
 ### Compatibility posture
 This feature assumes a pre-production environment.
 Backward compatibility, legacy aliases, migration shims, historical fixtures, and compatibility-specific tests are out of scope unless explicitly required by this spec.
 Canonical replacement is preferred over preservation.
 ## Testing / Lane / Runtime Impact *(mandatory for runtime behavior changes)*
 For docs-only or template-only changes, state concise `N/A` or `none`. For runtime- or test-affecting work, classification MUST follow the proving purpose of the change rather than the file path or folder name.
@ -257,28 +206,6 @@ ## Requirements *(mandatory)*
 If the feature introduces a new enum/status family, DTO/presenter/envelope, persisted entity/table, interface/contract/registry/resolver,
 or taxonomy/classification system, the Proportionality Review section above is mandatory.
 **Constitution alignment (XCUT-001):** If this feature touches a cross-cutting interaction class such as notifications, status messaging,
 action links, header actions, dashboard signals/cards, alerts, navigation entry points, or evidence/report viewers, the spec MUST:
 - state whether the feature is cross-cutting,
 - name the existing shared pattern(s) and shared contract/presenter/builder/renderer to extend,
 - explain why the existing shared path is sufficient or why it is insufficient for current-release truth,
 - record any allowed deviation, the consistency it must preserve, and its ownership/spread-control cost,
 - and make the reviewer focus explicit so parallel local UX paths do not appear silently.
 **Constitution alignment (DECIDE-AUD-001 / OPSURF-001):** If this feature changes a detail or status surface, the spec MUST describe:
 - how the surface separates customer-readable decision content, operator diagnostics, and support/raw evidence,
 - which audience modes are in scope (`customer/read-only`, `operator/MSP`, `support/platform`),
 - which content is hidden, collapsed, or capability-gated by default,
 - how one dominant next action is preserved,
 - and how duplicate visible truth is prevented.
 **Constitution alignment (PROV-001):** If this feature touches a shared provider/platform seam, the spec MUST:
 - classify each touched seam as provider-owned or platform-core,
 - keep provider-specific semantics out of platform-core contracts, taxonomies, identifiers, compare semantics, and operator vocabulary unless explicitly justified,
 - name the neutral platform terms or shared contracts being preserved,
 - explain why any retained provider-specific semantics are the narrowest current-release truth,
 - and state whether the remaining hotspot is resolved in-feature or escalated as a follow-up spec.
 **Constitution alignment (TEST-GOV-001):** If this feature changes runtime behavior or tests, the spec MUST describe:
 - the actual test-purpose classification (`Unit`, `Feature`, `Heavy-Governance`, or `Browser`) and why that classification matches the real proving purpose,
 - the affected validation lane(s) and why they are the narrowest sufficient proof,
@ -291,21 +218,12 @@ ## Requirements *(mandatory)*
 - and the exact minimal validation commands reviewers should run.
 **Constitution alignment (OPS-UX):** If this feature creates/reuses an `OperationRun`, the spec MUST:
- explicitly state compliance with the default Ops-UX 3-surface feedback contract (toast intent-only, progress surfaces, terminal DB notification) and whether any queued DB notification is explicitly opted into,
+- explicitly state compliance with the Ops-UX 3-surface feedback contract (toast intent-only, progress surfaces, terminal DB notification),
 - state that `OperationRun.status` / `OperationRun.outcome` transitions are service-owned (only via `OperationRunService`),
 - describe how `summary_counts` keys/values comply with `OperationSummaryKeys::all()` and numeric-only rules,
 - clarify scheduled/system-run behavior (initiator null → no terminal DB notification; audit is via Monitoring),
 - list which regression guard tests are added/updated to keep these rules enforceable in CI.
 **Constitution alignment (OPS-UX-START-001):** If this feature creates, queues, deduplicates, resumes, blocks, completes, or links to an `OperationRun`, the spec MUST:
 - include the `OperationRun UX Impact` section,
 - name the shared OperationRun UX contract/layer being reused,
 - delegate queued toast/link/artifact-link/browser-event/queued-DB-notification/dedupe-or-blocked messaging/tenant-safe URL resolution to that shared path,
 - keep local surface code limited to initiation inputs and operation-specific data capture,
 - keep queued DB notifications explicit opt-in unless the spec intentionally defines a different policy,
 - route terminal notifications through the central lifecycle mechanism,
 - and document any exception with an explicit spec decision, architecture note, test or guard-test rationale, and temporary follow-up migration decision.
 **Constitution alignment (RBAC-UX):** If this feature introduces or changes authorization behavior, the spec MUST:
 - state which authorization plane(s) are involved (tenant/admin `/admin` + tenant-context `/admin/t/{tenant}/...` vs platform `/system`),
 - ensure any cross-plane access is deny-as-not-found (404),
@ -328,7 +246,6 @@ ## Requirements *(mandatory)*
 - which native Filament components or shared UI primitives are used,
 - whether any local replacement markup was avoided for badges, alerts, buttons, or status surfaces,
 - how semantic emphasis is expressed through Filament props or central primitives rather than page-local color/border classes,
 - how any required local Blade/Tailwind cards still preserve dark mode correctness, spacing consistency, badge semantics, action hierarchy, progressive disclosure, accessibility, and Filament visual language,
 - and any exception where Filament or a shared primitive was insufficient, including why the exception is necessary and how it avoids introducing a new local status language.
 **Constitution alignment (UI-NAMING-001):** If this feature adds or changes operator-facing buttons, header actions, run titles,
@ -386,7 +303,6 @@ ## Requirements *(mandatory)*
 **Constitution alignment (OPSURF-001):** If this feature adds or materially refactors an operator-facing surface, the spec MUST describe:
 - how the default-visible content stays operator-first on `/admin` and avoids raw implementation detail,
 - which diagnostics are secondary and how they are explicitly revealed,
 - how the dominant next action stays primary and how duplicate visible truth is avoided,
 - which status dimensions are shown separately (execution outcome, data completeness, governance result, lifecycle/readiness) and why,
 - how each mutating action communicates its mutation scope before execution (`TenantPilot only`, `Microsoft tenant`, or `simulation only`),
 - how dangerous actions follow the safe-execution pattern (configuration, safety checks/simulation, preview, hard confirmation where required, execute),
--- a/.specify/templates/tasks-template.md
+++ b/.specify/templates/tasks-template.md
@ -18,22 +18,17 @@ # Tasks: [FEATURE NAME]
 - record budget, baseline, or trend follow-up when runtime cost shifts materially,
 - and document whether the change resolves as `document-in-feature`, `follow-up-spec`, or `reject-or-split`.
 **Operations**: If this feature introduces long-running/remote/queued/scheduled work, include tasks to create/reuse and update a
-canonical `OperationRun`, and ensure “View run” links route to the canonical Monitoring hub through the shared OperationRun start UX path rather than local surface composition.
+canonical `OperationRun`, and ensure “View run” links route to the canonical Monitoring hub.
 If security-relevant DB-only actions skip `OperationRun`, include tasks for `AuditLog` entries (before/after + actor + tenant).
 Auth handshake exception (OPS-EX-AUTH-001): OIDC/SAML login handshakes may perform synchronous outbound HTTP on `/auth/*` endpoints
 without an `OperationRun`.
 If this feature creates/reuses an `OperationRun`, tasks MUST also include:
 - reusing the central OperationRun Start UX Contract instead of composing local queued toast/link/event/dedupe/blocked/start-failure semantics,
 - delegating `Open operation` / `View run`, artifact links, run-enqueued browser event, queued DB-notification policy, dedupe / already-available / already-running messaging, blocked / failed-to-start messaging, and tenant/workspace-safe URL resolution to the shared OperationRun UX layer,
 - enforcing the Ops-UX 3-surface feedback contract (toast intent-only via `OperationUxPresenter`, progress only in widget + run detail, terminal notification is `OperationRunCompleted` exactly-once, initiator-only),
- keeping queued DB notifications explicit opt-in in the active spec unless a different policy is intentionally approved, and ensuring running DB notifications do not exist,
+- ensuring no queued/running DB notifications exist anywhere for operations (no `sendToDatabase()` for queued/running/completion/abort in feature code),
 - routing terminal notifications through the central lifecycle mechanism rather than feature-local notification code,
 - ensuring `OperationRun.status` / `OperationRun.outcome` transitions happen only via `OperationRunService`,
 - ensuring `summary_counts` keys come from `OperationSummaryKeys::all()` and values are flat numeric-only,
 - adding/updating Ops-UX regression guards (Pest) that fail CI with actionable output (file + snippet) when these patterns regress,
- clarifying scheduled/system-run behavior (initiator null → no terminal DB notification; audit via Monitoring; tenant-wide alerting via Alerts system),
+- clarifying scheduled/system-run behavior (initiator null → no terminal DB notification; audit via Monitoring; tenant-wide alerting via Alerts system).
 - documenting any exception with an explicit spec decision, architecture note, test or guard-test rationale, and temporary migration follow-up decision,
 - and ensuring the active spec or plan contains an `OperationRun UX Impact` section.
 **RBAC**: If this feature introduces or changes authorization, tasks MUST include:
 - explicit Gate/Policy enforcement for all mutation endpoints/actions,
 - explicit 404 vs 403 semantics:
@ -51,16 +46,6 @@ # Tasks: [FEATURE NAME]
 - using source/domain terms only where same-screen disambiguation is required,
 - aligning button labels, modal titles, run titles, notifications, and audit prose to the same domain vocabulary,
 - removing implementation-first wording from primary operator-facing copy.
 **Cross-Cutting Shared Pattern Reuse (XCUT-001)**: If this feature touches notifications, status messaging, action links, header actions, dashboard signals/cards, navigation entry points, alerts, evidence/report viewers, or another shared interaction family, tasks MUST include:
 - identifying the existing shared contract/presenter/builder/renderer before local implementation begins,
 - extending the shared path when it is sufficient for current-release truth,
 - or recording a bounded exception task that documents why the shared path is insufficient, what consistency must still be preserved, and how spread is controlled,
 - and ensuring reviewer proof covers whether the feature converged on the shared path or knowingly introduced a bounded exception.
 **Provider Boundary / Platform Core (PROV-001)**: If this feature touches shared provider/platform seams, tasks MUST include:
 - classifying each touched seam as provider-owned or platform-core,
 - preventing provider-specific semantics from spreading into platform-core contracts, persistence truth, taxonomies, compare semantics, or operator vocabulary unless explicitly justified,
 - implementing bounded normalization or extraction where a current hotspot is too provider-shaped, rather than introducing speculative multi-provider frameworks,
 - and recording `document-in-feature` or `follow-up-spec` when a bounded provider-specific hotspot remains.
 **UI / Surface Guardrails**: If this feature adds or changes operator-facing surfaces or the workflow that governs them, tasks MUST include:
 - carrying forward the spec's native/custom classification, shared-family relevance, state-layer ownership, and exception need into implementation work without renaming the same decision,
 - classifying any triggered repository signals with one handling mode (`hard-stop-candidate`, `review-mandatory`, `exception-required`, or `report-only`),
@ -78,21 +63,9 @@ # Tasks: [FEATURE NAME]
 - filling the spec’s Operator Surface Contract for every affected page,
 - keeping default-visible content limited to first-decision needs and
  moving proof, payloads, and diagnostics into progressive disclosure,
 - implementing the three-tier disclosure hierarchy where applicable:
  customer-readable decision content first, operator diagnostics
  second, support/raw evidence third,
 - making default-visible content operator-first and moving JSON payloads, raw IDs, internal field names, provider error details, and low-level metadata into explicitly revealed diagnostics surfaces,
 - ensuring customer/read-only default paths do not expose raw JSON,
  copied context payloads, fingerprints, internal reason ownership,
  platform reason families, or debug semantics,
 - keeping each governance case decidable in one focused context where
  practical instead of forcing cross-page reconstruction,
 - keeping exactly one dominant next action primary and demoting
  navigation/debug helpers such as `Open operation`, `Technical
  details`, or `Show JSON`,
 - removing duplicate visible status, blocker, reason, impact, or
  next-action summaries so later sections add evidence instead of
  restating the same decision truth,
 - modeling execution outcome, data completeness, governance result, and lifecycle/readiness as distinct status dimensions when applicable,
 - making mutation scope legible before execution for every state-changing action (`TenantPilot only`, `Microsoft tenant`, or `simulation only`),
 - implementing the safe-execution flow for dangerous actions (configuration, safety checks/simulation, preview, hard confirmation where required, execute) or documenting an approved exemption,
@ -140,12 +113,6 @@ # Tasks: [FEATURE NAME]
 - documenting any catalogued UI exception in the spec/PR and adding dedicated test coverage,
 - documenting any UI-FIL-001 exception with rationale in the spec/PR,
 - adding/updated tests that enforce the contract and block merge on violations, OR documenting an explicit exemption with rationale.
 - For any new or modified customer/operator-facing detail surface,
  tests MUST prove default-visible status/reason/impact/next-action
  content, exactly one dominant next action, diagnostics-secondary
  ordering, hidden raw/support detail by default, capability-gated
  support/raw sections where applicable, and the absence of duplicate
  visible decision summaries.
 **Filament UI UX-001 (Layout & IA)**: If this feature adds/modifies any Filament screen, tasks MUST include:
 - ensuring Create/Edit pages use Main/Aside layout (3-col grid, Main=columnSpan(2), Aside=columnSpan(1)),
 - ensuring all form fields are inside Sections/Cards (no naked inputs at root schema level),
--- a/.specify/workflows/speckit/workflow.yml
+++ b/.specify/workflows/speckit/workflow.yml
@ -1,63 +0,0 @@
 schema_version: "1.0"
 workflow:
  id: "speckit"
  name: "Full SDD Cycle"
  version: "1.0.0"
  author: "GitHub"
  description: "Runs specify → plan → tasks → implement with review gates"
 requires:
  speckit_version: ">=0.7.2"
  integrations:
    any: ["copilot", "claude", "gemini"]
 inputs:
  spec:
    type: string
    required: true
    prompt: "Describe what you want to build"
  integration:
    type: string
    default: "copilot"
    prompt: "Integration to use (e.g. claude, copilot, gemini)"
  scope:
    type: string
    default: "full"
    enum: ["full", "backend-only", "frontend-only"]
 steps:
  - id: specify
    command: speckit.specify
    integration: "{{ inputs.integration }}"
    input:
      args: "{{ inputs.spec }}"
  - id: review-spec
    type: gate
    message: "Review the generated spec before planning."
    options: [approve, reject]
    on_reject: abort
  - id: plan
    command: speckit.plan
    integration: "{{ inputs.integration }}"
    input:
      args: "{{ inputs.spec }}"
  - id: review-plan
    type: gate
    message: "Review the plan before generating tasks."
    options: [approve, reject]
    on_reject: abort
  - id: tasks
    command: speckit.tasks
    integration: "{{ inputs.integration }}"
    input:
      args: "{{ inputs.spec }}"
  - id: implement
    command: speckit.implement
    integration: "{{ inputs.integration }}"
    input:
      args: "{{ inputs.spec }}"
--- a/.specify/workflows/workflow-registry.json
+++ b/.specify/workflows/workflow-registry.json
@ -1,13 +0,0 @@
 {
  "schema_version": "1.0",
  "workflows": {
    "speckit": {
      "name": "Full SDD Cycle",
      "version": "1.0.0",
      "description": "Runs specify \u2192 plan \u2192 tasks \u2192 implement with review gates",
      "source": "bundled",
      "installed_at": "2026-04-22T21:58:03.039039+00:00",
      "updated_at": "2026-04-22T21:58:03.039046+00:00"
    }
  }
 }
--- a/apps/platform/.pnpm-store/v10/index/0b/ca168cf47717cd729635bda393b1716cdf87a6af915c030f6558770206a939-playwright@1.59.1.json
+++ b/apps/platform/.pnpm-store/v10/index/0b/ca168cf47717cd729635bda393b1716cdf87a6af915c030f6558770206a939-playwright@1.59.1.json
--- a/apps/platform/.pnpm-store/v10/index/1c/157f44983cd73e418a267dc8fcc888295857f40cb0308a532a20c07f69dcc0-playwright-core@1.59.1.json
+++ b/apps/platform/.pnpm-store/v10/index/1c/157f44983cd73e418a267dc8fcc888295857f40cb0308a532a20c07f69dcc0-playwright-core@1.59.1.json
--- a/apps/platform/.pnpm-store/v10/index/27/da99c96fbe40aff4f4dc8dff378ed1d1bfd467467f2a7d955f1a8c79d154b7-rollup@4.60.2.json
+++ b/apps/platform/.pnpm-store/v10/index/27/da99c96fbe40aff4f4dc8dff378ed1d1bfd467467f2a7d955f1a8c79d154b7-rollup@4.60.2.json
--- a/apps/platform/.pnpm-store/v10/index/74/ecbedc0b96ddadb035b64722e319a537208c6b8b53fb812ffb9b71917d3976-color-name@1.1.4.json
+++ b/apps/platform/.pnpm-store/v10/index/74/ecbedc0b96ddadb035b64722e319a537208c6b8b53fb812ffb9b71917d3976-color-name@1.1.4.json
@ -1 +1 @@
-{"name":"color-name","version":"1.1.4","requiresBuild":false,"files":{"package.json":{"checkedAt":1776976148151,"integrity":"sha512-E5CrPeTNIaZAftwqMJpkT8PDNamUJUrubHLTZ6Rjn3l9RvJKSLw6MGXT6SAcRHV3ltLOSTOa1HvkQ7/GUOoaHw==","mode":438,"size":607},"index.js":{"checkedAt":1776976148156,"integrity":"sha512-nek+57RYqda5dmQCKQmtJafLicLP3Y7hmqLhJlZrenqTCyQUOip2+D2/8Z8aZ7CnHek+irJIcgwu4kM5boaUUQ==","mode":438,"size":4617},"LICENSE":{"checkedAt":1776976148162,"integrity":"sha512-/B1lNSwRTHWUyb7fW+QyujnUJv6vUL+PfFLTJ4EyPIS/yaaFMa77VYyX6+RucS4dNdhguh4aarSLSnm4lAklQA==","mode":438,"size":1085},"README.md":{"checkedAt":1776976148168,"integrity":"sha512-/hmGUPmp0gXgx/Ov5oGW6DAU3c4h4aLMa/bE1TkpZHPU7dCx5JFS9hoYM4/+919EWCaPtBhWzK+6pG/6xdx+Ng==","mode":438,"size":384}}}
+{"name":"color-name","version":"1.1.4","requiresBuild":false,"files":{"package.json":{"checkedAt":1776593337482,"integrity":"sha512-E5CrPeTNIaZAftwqMJpkT8PDNamUJUrubHLTZ6Rjn3l9RvJKSLw6MGXT6SAcRHV3ltLOSTOa1HvkQ7/GUOoaHw==","mode":438,"size":607},"index.js":{"checkedAt":1776593337489,"integrity":"sha512-nek+57RYqda5dmQCKQmtJafLicLP3Y7hmqLhJlZrenqTCyQUOip2+D2/8Z8aZ7CnHek+irJIcgwu4kM5boaUUQ==","mode":438,"size":4617},"LICENSE":{"checkedAt":1776593337495,"integrity":"sha512-/B1lNSwRTHWUyb7fW+QyujnUJv6vUL+PfFLTJ4EyPIS/yaaFMa77VYyX6+RucS4dNdhguh4aarSLSnm4lAklQA==","mode":438,"size":1085},"README.md":{"checkedAt":1776593337500,"integrity":"sha512-/hmGUPmp0gXgx/Ov5oGW6DAU3c4h4aLMa/bE1TkpZHPU7dCx5JFS9hoYM4/+919EWCaPtBhWzK+6pG/6xdx+Ng==","mode":438,"size":384}}}
--- a/apps/platform/.pnpm-store/v10/index/75/61f31dad96a845c8fced44f4e8eba1c313289976992ac4a258752289abbfa5-@types+estree@1.0.8.json
+++ b/apps/platform/.pnpm-store/v10/index/75/61f31dad96a845c8fced44f4e8eba1c313289976992ac4a258752289abbfa5-@types+estree@1.0.8.json
@ -1 +1 @@
-{"name":"@types/estree","version":"1.0.8","requiresBuild":false,"files":{"LICENSE":{"checkedAt":1776976148127,"integrity":"sha512-HQaIQk9pwOcyKutyDk4o2a87WnotwYuLGYFW43emGm4FvIJFKPyg+OYaw5sTegKAKf+C5SKa1ACjzCLivbaHrQ==","mode":420,"size":1141},"README.md":{"checkedAt":1776976148139,"integrity":"sha512-alZQw4vOCWtDJlTmYSm+aEvD0weTLtGERCy5tNbpyvPI5F2j9hEWxHuUdwL+TZU2Nhdx7EGRhitAiv0xuSxaeg==","mode":420,"size":458},"flow.d.ts":{"checkedAt":1776976148143,"integrity":"sha512-f3OqA/2H/A62ZLT0qAZlUCUAiI89dMFcY+XrAU08dNgwHhXSQmFeMc7w/Ee7RE8tHU5RXFoQazarmCUsnCvXxg==","mode":420,"size":4801},"index.d.ts":{"checkedAt":1776976148144,"integrity":"sha512-YwR3YirWettZcjZgr7aNimg/ibEuP+6JMqAvL+cT6ubq2ctYKL9Xv+PgBssGCPES01PG5zKTHSvhShXCjXOrDg==","mode":420,"size":18944},"package.json":{"checkedAt":1776976148144,"integrity":"sha512-KaEBTHEFL2oVUvCrjSJR/H812XIaeRGbSZFP8DBb2Hon+IQwND0zz7oRvrXTm2AzzjneqH+pkB2Lusw29yJ/WA==","mode":420,"size":829}}}
+{"name":"@types/estree","version":"1.0.8","requiresBuild":false,"files":{"LICENSE":{"checkedAt":1776593336106,"integrity":"sha512-HQaIQk9pwOcyKutyDk4o2a87WnotwYuLGYFW43emGm4FvIJFKPyg+OYaw5sTegKAKf+C5SKa1ACjzCLivbaHrQ==","mode":420,"size":1141},"README.md":{"checkedAt":1776593336125,"integrity":"sha512-alZQw4vOCWtDJlTmYSm+aEvD0weTLtGERCy5tNbpyvPI5F2j9hEWxHuUdwL+TZU2Nhdx7EGRhitAiv0xuSxaeg==","mode":420,"size":458},"flow.d.ts":{"checkedAt":1776593336132,"integrity":"sha512-f3OqA/2H/A62ZLT0qAZlUCUAiI89dMFcY+XrAU08dNgwHhXSQmFeMc7w/Ee7RE8tHU5RXFoQazarmCUsnCvXxg==","mode":420,"size":4801},"index.d.ts":{"checkedAt":1776593336138,"integrity":"sha512-YwR3YirWettZcjZgr7aNimg/ibEuP+6JMqAvL+cT6ubq2ctYKL9Xv+PgBssGCPES01PG5zKTHSvhShXCjXOrDg==","mode":420,"size":18944},"package.json":{"checkedAt":1776593336144,"integrity":"sha512-KaEBTHEFL2oVUvCrjSJR/H812XIaeRGbSZFP8DBb2Hon+IQwND0zz7oRvrXTm2AzzjneqH+pkB2Lusw29yJ/WA==","mode":420,"size":829}}}
--- a/apps/platform/.pnpm-store/v10/index/76/129ff74dd4fcf41963a6e834db4019d59b1bce5601b8d3ff5c58a19202ec50-rxjs@7.8.2.json
+++ b/apps/platform/.pnpm-store/v10/index/76/129ff74dd4fcf41963a6e834db4019d59b1bce5601b8d3ff5c58a19202ec50-rxjs@7.8.2.json
--- a/apps/platform/.pnpm-store/v10/index/a0/916ef781d06fe29576e49440bef09e99aa9df98bb0e03f9c087a6fa107d300-tslib@2.8.1.json
+++ b/apps/platform/.pnpm-store/v10/index/a0/916ef781d06fe29576e49440bef09e99aa9df98bb0e03f9c087a6fa107d300-tslib@2.8.1.json
@ -1 +1 @@
-{"name":"tslib","version":"2.8.1","requiresBuild":false,"files":{"tslib.es6.html":{"checkedAt":1776976148162,"integrity":"sha512-aoAR2zaxE9UtcXO4kE9FbPBgIZEVk7u3Z+nEPmDo6rwcYth07KxrVZejVEdy2XmKvkkcb8O/XM9UK3bPc1iMPw==","mode":420,"size":36},"tslib.html":{"checkedAt":1776976148164,"integrity":"sha512-4dCvZ5WYJpcbIJY4RPUhOBbFud1156Rr7RphuR12/+mXKUeIpCxol2/uWL4WDFNNlSH909M2AY4fiLWJo8+fTw==","mode":420,"size":32},"modules/index.js":{"checkedAt":1776976148166,"integrity":"sha512-DqWTtBt/Q47Jm4z8VzCLSiG/2R+Mwqy8uB60ithBWyofDYamF5C4icYdqbq/NP2IE/TefCT/03uAwA5mujzR7A==","mode":420,"size":1416},"tslib.es6.js":{"checkedAt":1776976148173,"integrity":"sha512-FugydTgfIjlaQrbH9gaIh59iXw8keW2311ILz3FBWn1IHLwPcmWte+ZE8UeXXGTQRc2E8NhQSCzYA6/zX36+7w==","mode":420,"size":19215},"tslib.js":{"checkedAt":1776976148180,"integrity":"sha512-7Gj/3vlZdba9iZH2H2up34pBk5UfN1tWQl3/TjsHzw3Oipw/stl6nko8k4jk+MeDeLPJE3rKz3VoQG5XmgwSmg==","mode":420,"size":23382},"modules/package.json":{"checkedAt":1776976148185,"integrity":"sha512-vm8hQn5MuoMkjJYvBBHTAtsdrcuXmVrKZwL3FEq32oGiKFhY562FoUQTbXv24wk0rwJVpgribUCOIU98IaS9Mg==","mode":420,"size":26},"package.json":{"checkedAt":1776976148187,"integrity":"sha512-72peSY+xgEHIo+YSpUbUl6qsExQ5ZlgeiDVDAiy4QdVmmBkK7RAB/07CCX3gg0SyvvQVJiGgAD36ub3rgE4QCg==","mode":420,"size":1219},"README.md":{"checkedAt":1776976148192,"integrity":"sha512-kCH2ENYjhlxwI7ae89ymMIP2tZeNcJJOcqnfifnmHQiHeK4mWnGc4w8ygoiUIpG1qyaurZkRSrYtwHCEIMNhbA==","mode":420,"size":4033},"SECURITY.md":{"checkedAt":1776976148195,"integrity":"sha512-ix30VBNb4RQLa5M2jgfD6IJ9+1XKmeREKrOYv7rDoWGZCin0605vEx3tTAVb5kNvteCwZwBC+nEGfQ4jHLg9Fw==","mode":420,"size":2757},"tslib.es6.mjs":{"checkedAt":1776976148199,"integrity":"sha512-q8VhXPTjmn6KDh3j6Ewn0V3siY1zNdvXvIUNN36llJUtO5cDafldf1Y2zzToBAbgOdh2pjFks7lFDRzZ/LZnDw==","mode":420,"size":17648},"modules/index.d.ts":{"checkedAt":1776976148200,"integrity":"sha512-XcNprVMjDjhbWmH3OTNZV91Uh9sDaCs8oZa3J7g5wMUHsdMJRENmv4XQ/8yqMlTUxKopv8uiztELREI7cw8BDg==","mode":420,"size":801},"tslib.d.ts":{"checkedAt":1776976148210,"integrity":"sha512-kqzM5TLHelP5iJBElSYyBRocQd2XmWsGIzOG6+Mv+CB7KhoZ6BoFioWM3RR2OCm1p96bbSCGnfHo2rozV/WJYQ==","mode":420,"size":18317},"CopyrightNotice.txt":{"checkedAt":1776976148214,"integrity":"sha512-C0myUddnUhhpZ/UcD9yZyMWodQV4fT2wxcfqb/ToD0Z98nB9WfWBl6koNVWJ+8jzeGWP6wQjz9zdX7Unua0/SQ==","mode":420,"size":822},"LICENSE.txt":{"checkedAt":1776976148225,"integrity":"sha512-9cs1Im06/fLAPBpXOY8fHMD2LgUM3kREaKlOX7S6fLWwbG5G+UqlUrqdkTKloRPeDghECezxOiUfzvW6lnEjDg==","mode":420,"size":655}}}
+{"name":"tslib","version":"2.8.1","requiresBuild":false,"files":{"tslib.es6.html":{"checkedAt":1776593335180,"integrity":"sha512-aoAR2zaxE9UtcXO4kE9FbPBgIZEVk7u3Z+nEPmDo6rwcYth07KxrVZejVEdy2XmKvkkcb8O/XM9UK3bPc1iMPw==","mode":420,"size":36},"tslib.html":{"checkedAt":1776593335194,"integrity":"sha512-4dCvZ5WYJpcbIJY4RPUhOBbFud1156Rr7RphuR12/+mXKUeIpCxol2/uWL4WDFNNlSH909M2AY4fiLWJo8+fTw==","mode":420,"size":32},"modules/index.js":{"checkedAt":1776593335198,"integrity":"sha512-DqWTtBt/Q47Jm4z8VzCLSiG/2R+Mwqy8uB60ithBWyofDYamF5C4icYdqbq/NP2IE/TefCT/03uAwA5mujzR7A==","mode":420,"size":1416},"tslib.es6.js":{"checkedAt":1776593335206,"integrity":"sha512-FugydTgfIjlaQrbH9gaIh59iXw8keW2311ILz3FBWn1IHLwPcmWte+ZE8UeXXGTQRc2E8NhQSCzYA6/zX36+7w==","mode":420,"size":19215},"tslib.js":{"checkedAt":1776593335213,"integrity":"sha512-7Gj/3vlZdba9iZH2H2up34pBk5UfN1tWQl3/TjsHzw3Oipw/stl6nko8k4jk+MeDeLPJE3rKz3VoQG5XmgwSmg==","mode":420,"size":23382},"modules/package.json":{"checkedAt":1776593335219,"integrity":"sha512-vm8hQn5MuoMkjJYvBBHTAtsdrcuXmVrKZwL3FEq32oGiKFhY562FoUQTbXv24wk0rwJVpgribUCOIU98IaS9Mg==","mode":420,"size":26},"package.json":{"checkedAt":1776593335230,"integrity":"sha512-72peSY+xgEHIo+YSpUbUl6qsExQ5ZlgeiDVDAiy4QdVmmBkK7RAB/07CCX3gg0SyvvQVJiGgAD36ub3rgE4QCg==","mode":420,"size":1219},"README.md":{"checkedAt":1776593335236,"integrity":"sha512-kCH2ENYjhlxwI7ae89ymMIP2tZeNcJJOcqnfifnmHQiHeK4mWnGc4w8ygoiUIpG1qyaurZkRSrYtwHCEIMNhbA==","mode":420,"size":4033},"SECURITY.md":{"checkedAt":1776593335243,"integrity":"sha512-ix30VBNb4RQLa5M2jgfD6IJ9+1XKmeREKrOYv7rDoWGZCin0605vEx3tTAVb5kNvteCwZwBC+nEGfQ4jHLg9Fw==","mode":420,"size":2757},"tslib.es6.mjs":{"checkedAt":1776593335251,"integrity":"sha512-q8VhXPTjmn6KDh3j6Ewn0V3siY1zNdvXvIUNN36llJUtO5cDafldf1Y2zzToBAbgOdh2pjFks7lFDRzZ/LZnDw==","mode":420,"size":17648},"modules/index.d.ts":{"checkedAt":1776593335258,"integrity":"sha512-XcNprVMjDjhbWmH3OTNZV91Uh9sDaCs8oZa3J7g5wMUHsdMJRENmv4XQ/8yqMlTUxKopv8uiztELREI7cw8BDg==","mode":420,"size":801},"tslib.d.ts":{"checkedAt":1776593335264,"integrity":"sha512-kqzM5TLHelP5iJBElSYyBRocQd2XmWsGIzOG6+Mv+CB7KhoZ6BoFioWM3RR2OCm1p96bbSCGnfHo2rozV/WJYQ==","mode":420,"size":18317},"CopyrightNotice.txt":{"checkedAt":1776593335271,"integrity":"sha512-C0myUddnUhhpZ/UcD9yZyMWodQV4fT2wxcfqb/ToD0Z98nB9WfWBl6koNVWJ+8jzeGWP6wQjz9zdX7Unua0/SQ==","mode":420,"size":822},"LICENSE.txt":{"checkedAt":1776593335278,"integrity":"sha512-9cs1Im06/fLAPBpXOY8fHMD2LgUM3kREaKlOX7S6fLWwbG5G+UqlUrqdkTKloRPeDghECezxOiUfzvW6lnEjDg==","mode":420,"size":655}}}
--- a/apps/platform/.pnpm-store/v10/index/c1/6c890e501ab71937d1925eafe19e0964b6d3db00e365fe3798d4da3cbaa074-axios@1.15.0.json
+++ b/apps/platform/.pnpm-store/v10/index/c1/6c890e501ab71937d1925eafe19e0964b6d3db00e365fe3798d4da3cbaa074-axios@1.15.0.json
--- a/apps/platform/app/Console/Commands/PruneProductUsageEventsCommand.php
+++ b/apps/platform/app/Console/Commands/PruneProductUsageEventsCommand.php
@ -1,42 +0,0 @@
 <?php
 declare(strict_types=1);
 namespace App\Console\Commands;
 use App\Models\ProductUsageEvent;
 use Illuminate\Console\Command;
 class PruneProductUsageEventsCommand extends Command
 {
    /**
     * @var string
     */
    protected $signature = 'tenantpilot:product-usage:prune {--days= : Number of days to retain product usage events}';
    /**
     * @var string
     */
    protected $description = 'Delete product usage events older than the retention period';
    public function handle(): int
    {
        $days = (int) ($this->option('days') ?: config('tenantpilot.product_usage_event_retention_days', 90));
        if ($days < 1) {
            $this->error('Retention days must be at least 1.');
            return self::FAILURE;
        }
        $cutoff = now()->subDays($days);
        $deleted = ProductUsageEvent::query()
            ->where('occurred_at', '<', $cutoff)
            ->delete();
        $this->info("Deleted {$deleted} product usage event(s) older than {$days} days.");
        return self::SUCCESS;
    }
 }
--- a/apps/platform/app/Console/Commands/PurgeLegacyBaselineGapRuns.php
+++ b/apps/platform/app/Console/Commands/PurgeLegacyBaselineGapRuns.php
@ -6,14 +6,12 @@
 use App\Models\OperationRun;
 use App\Models\Tenant;
 use App\Support\OperationCatalog;
 use App\Support\OperationRunType;
 use Illuminate\Console\Command;
 class PurgeLegacyBaselineGapRuns extends Command
 {
    protected $signature = 'tenantpilot:baselines:purge-legacy-gap-runs
-        {--type=* : Limit cleanup to baseline.compare and/or baseline.capture runs (legacy aliases also accepted)}
+        {--type=* : Limit cleanup to baseline_compare and/or baseline_capture runs}
        {--tenant=* : Limit cleanup to tenant ids or tenant external ids}
        {--workspace=* : Limit cleanup to workspace ids}
        {--limit=500 : Maximum candidate runs to inspect}
@ -101,35 +99,21 @@ public function handle(): int
     */
    private function normalizedTypes(): array
    {
-        $requestedTypes = array_values(array_unique(array_filter(
+        $types = array_values(array_unique(array_filter(
            array_map(
                static fn (mixed $type): ?string => is_string($type) && trim($type) !== '' ? trim($type) : null,
                (array) $this->option('type'),
            ),
        )));
-        $canonicalTypes = array_values(array_unique(array_filter(array_map(
+        if ($types === []) {
-            static fn (string $type): ?string => match ($type) {
+            return ['baseline_compare', 'baseline_capture'];
                OperationRunType::BaselineCompare->value, 'baseline_compare' => OperationRunType::BaselineCompare->value,
                OperationRunType::BaselineCapture->value, 'baseline_capture' => OperationRunType::BaselineCapture->value,
                default => null,
            },
            $requestedTypes,
        ))));
        if ($canonicalTypes === []) {
            $canonicalTypes = [
                OperationRunType::BaselineCompare->value,
                OperationRunType::BaselineCapture->value,
            ];
        }
-        return array_values(array_unique(array_merge(
+        return array_values(array_filter(
-            ...array_map(
+            $types,
-                static fn (string $type): array => OperationCatalog::rawValuesForCanonical($type),
+            static fn (string $type): bool => in_array($type, ['baseline_compare', 'baseline_capture'], true),
-                $canonicalTypes,
+        ));
            ),
        )));
    }
    /**
--- a/apps/platform/app/Console/Commands/SeedBackupHealthBrowserFixture.php
+++ b/apps/platform/app/Console/Commands/SeedBackupHealthBrowserFixture.php
@ -67,6 +67,7 @@ public function handle(): int
                'name' => (string) ($scenarioConfig['tenant_name'] ?? 'Spec 180 Blocked Backup Tenant'),
                'tenant_id' => $tenantRouteKey,
                'app_certificate_thumbprint' => null,
                'app_status' => 'ok',
                'app_notes' => null,
                'status' => Tenant::STATUS_ACTIVE,
                'environment' => 'dev',
--- a/apps/platform/app/Console/Commands/TenantpilotBackfillFindingLifecycle.php
+++ b/apps/platform/app/Console/Commands/TenantpilotBackfillFindingLifecycle.php
@ -0,0 +1,120 @@
 <?php
 declare(strict_types=1);
 namespace App\Console\Commands;
 use App\Models\Tenant;
 use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
 use App\Services\Runbooks\FindingsLifecycleBackfillScope;
 use Illuminate\Console\Command;
 use Illuminate\Validation\ValidationException;
 class TenantpilotBackfillFindingLifecycle extends Command
 {
    protected $signature = 'tenantpilot:findings:backfill-lifecycle
        {--tenant=* : Limit to tenant_id/external_id}';
    protected $description = 'Queue tenant-scoped findings lifecycle backfill jobs idempotently.';
    public function handle(FindingsLifecycleBackfillRunbookService $runbookService): int
    {
        $tenantIdentifiers = array_values(array_filter((array) $this->option('tenant')));
        if ($tenantIdentifiers === []) {
            $this->error('Provide one or more tenants via --tenant={id|external_id}.');
            return self::FAILURE;
        }
        $tenants = $this->resolveTenants($tenantIdentifiers);
        if ($tenants->isEmpty()) {
            $this->info('No tenants matched the provided identifiers.');
            return self::SUCCESS;
        }
        $queued = 0;
        $skipped = 0;
        $nothingToDo = 0;
        foreach ($tenants as $tenant) {
            if (! $tenant instanceof Tenant) {
                continue;
            }
            try {
                $run = $runbookService->start(
                    scope: FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey()),
                    initiator: null,
                    reason: null,
                    source: 'cli',
                );
            } catch (ValidationException $e) {
                $errors = $e->errors();
                if (isset($errors['preflight.affected_count'])) {
                    $nothingToDo++;
                    continue;
                }
                $this->error(sprintf(
                    'Backfill blocked for tenant %d: %s',
                    (int) $tenant->getKey(),
                    $e->getMessage(),
                ));
                return self::FAILURE;
            }
            if (! $run->wasRecentlyCreated) {
                $skipped++;
                continue;
            }
            $queued++;
        }
        $this->info(sprintf(
            'Queued %d backfill run(s), skipped %d duplicate run(s), nothing to do %d.',
            $queued,
            $skipped,
            $nothingToDo,
        ));
        return self::SUCCESS;
    }
    /**
     * @param  array<int, string>  $tenantIdentifiers
     * @return \Illuminate\Support\Collection<int, Tenant>
     */
    private function resolveTenants(array $tenantIdentifiers)
    {
        $tenantIds = [];
        foreach ($tenantIdentifiers as $identifier) {
            $tenant = Tenant::query()
                ->forTenant($identifier)
                ->first();
            if ($tenant instanceof Tenant) {
                $tenantIds[] = (int) $tenant->getKey();
            }
        }
        $tenantIds = array_values(array_unique($tenantIds));
        if ($tenantIds === []) {
            return collect();
        }
        return Tenant::query()
            ->whereIn('id', $tenantIds)
            ->orderBy('id')
            ->get();
    }
 }
--- a/apps/platform/app/Console/Commands/TenantpilotDispatchDirectoryGroupsSync.php
+++ b/apps/platform/app/Console/Commands/TenantpilotDispatchDirectoryGroupsSync.php
@ -4,7 +4,6 @@
 use App\Models\Tenant;
 use App\Services\OperationRunService;
 use App\Support\OperationRunType;
 use Carbon\CarbonImmutable;
 use Illuminate\Console\Command;
@ -51,7 +50,7 @@ public function handle(): int
            $opService = app(OperationRunService::class);
            $opRun = $opService->ensureRunWithIdentityStrict(
                tenant: $tenant,
-                type: OperationRunType::DirectoryGroupsSync->value,
+                type: 'entra_group_sync',
                identityInputs: [
                    'selection_key' => $selectionKey,
                    'slot_key' => $slotKey,
--- a/apps/platform/app/Console/Commands/TenantpilotPurgeNonPersistentData.php
+++ b/apps/platform/app/Console/Commands/TenantpilotPurgeNonPersistentData.php
@ -11,7 +11,6 @@
 use App\Models\PolicyVersion;
 use App\Models\RestoreRun;
 use App\Models\Tenant;
 use App\Support\OperationRunType;
 use Illuminate\Console\Command;
 use Illuminate\Support\Arr;
 use Illuminate\Support\Facades\DB;
@ -169,12 +168,12 @@ private function recordPurgeOperationRun(Tenant $tenant, array $counts): void
            'tenant_id' => (int) $tenant->id,
            'user_id' => null,
            'initiator_name' => 'System',
-            'type' => OperationRunType::BackupSchedulePurge->value,
+            'type' => 'backup_schedule_purge',
            'status' => 'completed',
            'outcome' => 'succeeded',
            'run_identity_hash' => hash('sha256', implode(':', [
                (string) $tenant->id,
-                OperationRunType::BackupSchedulePurge->value,
+                'backup_schedule_purge',
                now()->toISOString(),
                Str::uuid()->toString(),
            ])),
--- a/apps/platform/app/Console/Commands/TenantpilotReconcileBackupScheduleOperationRuns.php
+++ b/apps/platform/app/Console/Commands/TenantpilotReconcileBackupScheduleOperationRuns.php
@ -7,9 +7,7 @@
 use App\Models\Tenant;
 use App\Services\OperationRunService;
 use App\Services\Operations\OperationLifecycleReconciler;
 use App\Support\OperationCatalog;
 use App\Support\OperationRunOutcome;
 use App\Support\OperationRunType;
 use Illuminate\Console\Command;
 class TenantpilotReconcileBackupScheduleOperationRuns extends Command
@ -30,7 +28,7 @@ public function handle(
        $dryRun = (bool) $this->option('dry-run');
        $query = OperationRun::query()
-            ->whereIn('type', OperationCatalog::rawValuesForCanonical(OperationRunType::BackupScheduleExecute->value))
+            ->where('type', 'backup_schedule_run')
            ->whereIn('status', ['queued', 'running']);
        if ($olderThanMinutes > 0) {
--- a/apps/platform/app/Console/Commands/TenantpilotRunDeployRunbooks.php
+++ b/apps/platform/app/Console/Commands/TenantpilotRunDeployRunbooks.php
@ -0,0 +1,51 @@
 <?php
 declare(strict_types=1);
 namespace App\Console\Commands;
 use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
 use App\Services\Runbooks\FindingsLifecycleBackfillScope;
 use App\Services\Runbooks\RunbookReason;
 use Illuminate\Console\Command;
 use Illuminate\Validation\ValidationException;
 class TenantpilotRunDeployRunbooks extends Command
 {
    protected $signature = 'tenantpilot:run-deploy-runbooks';
    protected $description = 'Run deploy-time runbooks idempotently.';
    public function handle(FindingsLifecycleBackfillRunbookService $runbookService): int
    {
        try {
            $runbookService->start(
                scope: FindingsLifecycleBackfillScope::allTenants(),
                initiator: null,
                reason: new RunbookReason(
                    reasonCode: RunbookReason::CODE_DATA_REPAIR,
                    reasonText: 'Deploy hook automated runbooks',
                ),
                source: 'deploy_hook',
            );
            $this->info('Deploy runbooks started (if needed).');
            return self::SUCCESS;
        } catch (ValidationException $e) {
            $errors = $e->errors();
            $skippable = isset($errors['preflight.affected_count']) || isset($errors['scope']);
            if ($skippable) {
                $this->info('Deploy runbooks skipped (nothing to do or already running).');
                return self::SUCCESS;
            }
            $this->error('Deploy runbooks blocked by validation errors.');
            return self::FAILURE;
        }
    }
 }
--- a/apps/platform/app/Exceptions/Entitlements/WorkspaceEntitlementBlockedException.php
+++ b/apps/platform/app/Exceptions/Entitlements/WorkspaceEntitlementBlockedException.php
@ -1,24 +0,0 @@
 <?php
 declare(strict_types=1);
 namespace App\Exceptions\Entitlements;
 final class WorkspaceEntitlementBlockedException extends \RuntimeException
 {
    /**
     * @param  array<string, mixed>  $decision
     */
    public function __construct(private readonly array $decision)
    {
        parent::__construct((string) ($decision['block_reason'] ?? 'Workspace entitlement currently blocks this action.'));
    }
    /**
     * @return array<string, mixed>
     */
    public function decision(): array
    {
        return $this->decision;
    }
 }
--- a/apps/platform/app/Filament/Concerns/ResolvesPanelTenantContext.php
+++ b/apps/platform/app/Filament/Concerns/ResolvesPanelTenantContext.php
@ -13,9 +13,7 @@ trait ResolvesPanelTenantContext
 {
    protected static function resolveTenantContextForCurrentPanel(): ?Tenant
    {
-        $request = request();
+        if (Filament::getCurrentPanel()?->getId() === 'admin') {
        if (static::currentPanelId($request) === 'admin') {
            $tenant = app(OperateHubShell::class)->tenantOwnedPanelContext(request());
            return $tenant instanceof Tenant ? $tenant : null;
@ -51,41 +49,4 @@ protected static function resolveTrustedPanelTenantContextOrFail(): Tenant
    {
        return static::resolveTenantContextForCurrentPanelOrFail();
    }
    private static function currentPanelId(mixed $request): ?string
    {
        $panelId = Filament::getCurrentPanel()?->getId();
        if (is_string($panelId) && $panelId !== '') {
            return $panelId;
        }
        $routeName = is_object($request) && method_exists($request, 'route')
            ? $request->route()?->getName()
            : null;
        if (is_string($routeName) && $routeName !== '') {
            if (str_contains($routeName, '.tenant.')) {
                return 'tenant';
            }
            if (str_contains($routeName, '.admin.')) {
                return 'admin';
            }
        }
        $path = is_object($request) && method_exists($request, 'path')
            ? '/'.ltrim((string) $request->path(), '/')
            : null;
        if (is_string($path) && str_starts_with($path, '/admin/t/')) {
            return 'tenant';
        }
        if (is_string($path) && str_starts_with($path, '/admin/')) {
            return 'admin';
        }
        return null;
    }
 }
--- a/apps/platform/app/Filament/Pages/Auth/Login.php
+++ b/apps/platform/app/Filament/Pages/Auth/Login.php
@ -9,9 +9,4 @@
 class Login extends BaseLogin
 {
    protected string $view = 'filament.pages.auth.login';
    public function getTitle(): string
    {
        return __('localization.auth.sign_in_microsoft');
    }
 }
--- a/apps/platform/app/Filament/Pages/BaselineCompareLanding.php
+++ b/apps/platform/app/Filament/Pages/BaselineCompareLanding.php
@ -21,7 +21,6 @@
 use App\Support\Baselines\TenantGovernanceAggregate;
 use App\Support\Baselines\TenantGovernanceAggregateResolver;
 use App\Support\OperationRunLinks;
 use App\Support\OperationRunType;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
 use App\Support\ReasonTranslation\ReasonPresenter;
@ -490,7 +489,7 @@ private function compareNowAction(): Action
                OpsUxBrowserEvents::dispatchRunEnqueued($this);
-                OperationUxPresenter::queuedToast($run instanceof OperationRun ? (string) $run->type : OperationRunType::BaselineCompare->value)
+                OperationUxPresenter::queuedToast($run instanceof OperationRun ? (string) $run->type : 'baseline_compare')
                    ->actions($run instanceof OperationRun ? [
                        Action::make('view_run')
                            ->label('Open operation')
--- a/apps/platform/app/Filament/Pages/BaselineCompareMatrix.php
+++ b/apps/platform/app/Filament/Pages/BaselineCompareMatrix.php
@ -18,7 +18,6 @@
 use App\Support\Baselines\Compare\CompareStrategyRegistry;
 use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\OperationRunLinks;
 use App\Support\OperationRunType;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
 use App\Support\Rbac\WorkspaceUiEnforcement;
@ -811,8 +810,8 @@ private function compareAssignedTenants(): void
            OpsUxBrowserEvents::dispatchRunEnqueued($this);
            $toast = (int) $result['queuedCount'] > 0
-                ? OperationUxPresenter::queuedToast(OperationRunType::BaselineCompare->value)
+                ? OperationUxPresenter::queuedToast('baseline_compare')
-                : OperationUxPresenter::alreadyQueuedToast(OperationRunType::BaselineCompare->value);
+                : OperationUxPresenter::alreadyQueuedToast('baseline_compare');
            $toast
                ->body($summary.' Open Operations for progress and next steps.')
--- a/apps/platform/app/Filament/Pages/Findings/FindingsHygieneReport.php
+++ b/apps/platform/app/Filament/Pages/Findings/FindingsHygieneReport.php
@ -1,659 +0,0 @@
 <?php
 declare(strict_types=1);
 namespace App\Filament\Pages\Findings;
 use App\Filament\Resources\FindingExceptionResource;
 use App\Filament\Resources\FindingResource;
 use App\Models\Finding;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Models\Workspace;
 use App\Services\Auth\WorkspaceCapabilityResolver;
 use App\Services\Findings\FindingAssignmentHygieneService;
 use App\Support\Filament\CanonicalAdminTenantFilterState;
 use App\Support\Filament\TablePaginationProfiles;
 use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\OperateHub\OperateHubShell;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions\Action;
 use Filament\Facades\Filament;
 use Filament\Pages\Page;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Concerns\InteractsWithTable;
 use Filament\Tables\Contracts\HasTable;
 use Filament\Tables\Filters\SelectFilter;
 use Filament\Tables\Table;
 use Illuminate\Database\Eloquent\Builder;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use UnitEnum;
 class FindingsHygieneReport extends Page implements HasTable
 {
    use InteractsWithTable;
    protected static bool $isDiscovered = false;
    protected static bool $shouldRegisterNavigation = false;
    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-wrench-screwdriver';
    protected static string|UnitEnum|null $navigationGroup = 'Governance';
    protected static ?string $title = 'Findings hygiene report';
    protected static ?string $slug = 'findings/hygiene';
    protected string $view = 'filament.pages.findings.findings-hygiene-report';
    /**
     * @var array<int, Tenant>|null
     */
    private ?array $visibleTenants = null;
    private ?Workspace $workspace = null;
    public string $reasonFilter = FindingAssignmentHygieneService::FILTER_ALL;
    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
    {
        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly, ActionSurfaceType::ReadOnlyRegistryReport)
            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header controls keep the hygiene scope fixed and expose only fixed reason views plus tenant-prefilter recovery when needed.')
            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'The hygiene report stays read-only and exposes row click as the only inspect path.')
            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The hygiene report does not expose bulk actions.')
            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state stays calm and only offers a tenant-prefilter reset when the active tenant filter hides otherwise visible issues.')
            ->exempt(ActionSurfaceSlot::DetailHeader, 'Repair remains on the existing tenant finding detail surface.');
    }
    public function mount(): void
    {
        $this->reasonFilter = $this->resolveRequestedReasonFilter();
        $this->authorizePageAccess();
        app(CanonicalAdminTenantFilterState::class)->sync(
            $this->getTableFiltersSessionKey(),
            [],
            request(),
        );
        $this->applyRequestedTenantPrefilter();
        $this->mountInteractsWithTable();
        $this->normalizeTenantFilterState();
    }
    protected function getHeaderActions(): array
    {
        return [
            Action::make('clear_tenant_filter')
                ->label('Clear tenant filter')
                ->icon('heroicon-o-x-mark')
                ->color('gray')
                ->visible(fn (): bool => $this->currentTenantFilterId() !== null)
                ->action(fn (): mixed => $this->clearTenantFilter()),
        ];
    }
    public function table(Table $table): Table
    {
        return $table
            ->query(fn (): Builder => $this->issueBaseQuery())
            ->paginated(TablePaginationProfiles::customPage())
            ->persistFiltersInSession()
            ->columns([
                TextColumn::make('tenant.name')
                    ->label('Tenant'),
                TextColumn::make('subject_display_name')
                    ->label('Finding')
                    ->state(fn (Finding $record): string => $record->resolvedSubjectDisplayName() ?? 'Finding #'.$record->getKey())
                    ->wrap(),
                TextColumn::make('owner')
                    ->label('Owner')
                    ->state(fn (Finding $record): string => FindingResource::accountableOwnerDisplayFor($record)),
                TextColumn::make('assignee')
                    ->label('Assignee')
                    ->state(fn (Finding $record): string => FindingResource::activeAssigneeDisplayFor($record))
                    ->description(fn (Finding $record): ?string => $this->assigneeContext($record)),
                TextColumn::make('due_at')
                    ->label('Due')
                    ->dateTime()
                    ->placeholder('—')
                    ->description(fn (Finding $record): ?string => FindingExceptionResource::relativeTimeDescription($record->due_at) ?? FindingResource::dueAttentionLabelFor($record)),
                TextColumn::make('hygiene_reasons')
                    ->label('Hygiene reason')
                    ->state(fn (Finding $record): string => implode(', ', $this->hygieneService()->reasonLabelsFor($record)))
                    ->wrap(),
                TextColumn::make('last_workflow_activity')
                    ->label('Last workflow activity')
                    ->state(fn (Finding $record): mixed => $this->hygieneService()->lastWorkflowActivityAt($record))
                    ->dateTime()
                    ->placeholder('—')
                    ->description(fn (Finding $record): ?string => FindingExceptionResource::relativeTimeDescription($this->hygieneService()->lastWorkflowActivityAt($record))),
            ])
            ->filters([
                SelectFilter::make('tenant_id')
                    ->label('Tenant')
                    ->options(fn (): array => $this->tenantFilterOptions())
                    ->searchable(),
            ])
            ->actions([])
            ->bulkActions([])
            ->recordUrl(fn (Finding $record): string => $this->findingDetailUrl($record))
            ->emptyStateHeading(fn (): string => $this->emptyState()['title'])
            ->emptyStateDescription(fn (): string => $this->emptyState()['body'])
            ->emptyStateIcon(fn (): string => $this->emptyState()['icon'])
            ->emptyStateActions($this->emptyStateActions());
    }
    /**
     * @return array<string, mixed>
     */
    public function appliedScope(): array
    {
        $tenant = $this->filteredTenant();
        return [
            'workspace_scoped' => true,
            'fixed_scope' => 'visible_findings_hygiene_only',
            'reason_filter' => $this->currentReasonFilter(),
            'reason_filter_label' => $this->hygieneService()->filterLabel($this->currentReasonFilter()),
            'tenant_prefilter_source' => $this->tenantPrefilterSource(),
            'tenant_label' => $tenant?->name,
        ];
    }
    /**
     * @return array<int, array<string, mixed>>
     */
    public function availableFilters(): array
    {
        return [
            [
                'key' => 'hygiene_scope',
                'label' => 'Findings hygiene only',
                'fixed' => true,
                'options' => [],
            ],
            [
                'key' => 'tenant',
                'label' => 'Tenant',
                'fixed' => false,
                'options' => collect($this->visibleTenants())
                    ->map(fn (Tenant $tenant): array => [
                        'value' => (string) $tenant->getKey(),
                        'label' => (string) $tenant->name,
                    ])
                    ->values()
                    ->all(),
            ],
        ];
    }
    /**
     * @return array<int, array<string, mixed>>
     */
    public function availableReasonFilters(): array
    {
        $summary = $this->summaryCounts();
        $currentFilter = $this->currentReasonFilter();
        return [
            [
                'key' => FindingAssignmentHygieneService::FILTER_ALL,
                'label' => 'All issues',
                'active' => $currentFilter === FindingAssignmentHygieneService::FILTER_ALL,
                'badge_count' => $summary['unique_issue_count'],
                'url' => $this->reportUrl(['reason' => null]),
            ],
            [
                'key' => FindingAssignmentHygieneService::REASON_BROKEN_ASSIGNMENT,
                'label' => 'Broken assignment',
                'active' => $currentFilter === FindingAssignmentHygieneService::REASON_BROKEN_ASSIGNMENT,
                'badge_count' => $summary['broken_assignment_count'],
                'url' => $this->reportUrl(['reason' => FindingAssignmentHygieneService::REASON_BROKEN_ASSIGNMENT]),
            ],
            [
                'key' => FindingAssignmentHygieneService::REASON_STALE_IN_PROGRESS,
                'label' => 'Stale in progress',
                'active' => $currentFilter === FindingAssignmentHygieneService::REASON_STALE_IN_PROGRESS,
                'badge_count' => $summary['stale_in_progress_count'],
                'url' => $this->reportUrl(['reason' => FindingAssignmentHygieneService::REASON_STALE_IN_PROGRESS]),
            ],
        ];
    }
    /**
     * @return array{unique_issue_count: int, broken_assignment_count: int, stale_in_progress_count: int}
     */
    public function summaryCounts(): array
    {
        $workspace = $this->workspace();
        $user = auth()->user();
        if (! $workspace instanceof Workspace || ! $user instanceof User) {
            return [
                'unique_issue_count' => 0,
                'broken_assignment_count' => 0,
                'stale_in_progress_count' => 0,
            ];
        }
        return $this->hygieneService()->summary(
            $workspace,
            $user,
            $this->currentTenantFilterId(),
        );
    }
    /**
     * @return array<string, mixed>
     */
    public function emptyState(): array
    {
        if ($this->tenantFilterAloneExcludesRows()) {
            return [
                'title' => 'No hygiene issues match this tenant scope',
                'body' => 'Your current tenant filter is hiding hygiene issues that are still visible elsewhere in this workspace.',
                'icon' => 'heroicon-o-funnel',
                'action_name' => 'clear_tenant_filter_empty',
                'action_label' => 'Clear tenant filter',
                'action_kind' => 'clear_tenant_filter',
            ];
        }
        if ($this->reasonFilterAloneExcludesRows()) {
            return [
                'title' => 'No findings match this hygiene reason',
                'body' => 'The current fixed reason view is narrower than the visible issue set in this workspace.',
                'icon' => 'heroicon-o-adjustments-horizontal',
            ];
        }
        return [
            'title' => 'No visible hygiene issues right now',
            'body' => 'Visible broken assignments and stale in-progress work are currently calm across the entitled tenant scope.',
            'icon' => 'heroicon-o-wrench-screwdriver',
        ];
    }
    public function updatedTableFilters(): void
    {
        $this->normalizeTenantFilterState();
    }
    public function clearTenantFilter(): void
    {
        $this->removeTableFilter('tenant_id');
        $this->resetTable();
    }
    /**
     * @return array<int, Tenant>
     */
    public function visibleTenants(): array
    {
        if ($this->visibleTenants !== null) {
            return $this->visibleTenants;
        }
        $workspace = $this->workspace();
        $user = auth()->user();
        if (! $workspace instanceof Workspace || ! $user instanceof User) {
            return $this->visibleTenants = [];
        }
        return $this->visibleTenants = $this->hygieneService()->visibleTenants($workspace, $user);
    }
    private function authorizePageAccess(): void
    {
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User) {
            abort(403);
        }
        if (! $workspace instanceof Workspace) {
            throw new NotFoundHttpException;
        }
        if (! app(WorkspaceCapabilityResolver::class)->isMember($user, $workspace)) {
            throw new NotFoundHttpException;
        }
    }
    private function workspace(): ?Workspace
    {
        if ($this->workspace instanceof Workspace) {
            return $this->workspace;
        }
        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
        if (! is_int($workspaceId)) {
            return null;
        }
        return $this->workspace = Workspace::query()->whereKey($workspaceId)->first();
    }
    /**
     * @return Builder<Finding>
     */
    private function issueBaseQuery(): Builder
    {
        $workspace = $this->workspace();
        $user = auth()->user();
        if (! $workspace instanceof Workspace || ! $user instanceof User) {
            return Finding::query()->whereRaw('1 = 0');
        }
        return $this->hygieneService()->issueQuery(
            $workspace,
            $user,
            tenantId: null,
            reasonFilter: $this->currentReasonFilter(),
            applyOrdering: true,
        );
    }
    /**
     * @return Builder<Finding>
     */
    private function filteredIssueQuery(bool $includeTenantFilter = true, ?string $reasonFilter = null): Builder
    {
        $workspace = $this->workspace();
        $user = auth()->user();
        if (! $workspace instanceof Workspace || ! $user instanceof User) {
            return Finding::query()->whereRaw('1 = 0');
        }
        return $this->hygieneService()->issueQuery(
            $workspace,
            $user,
            tenantId: $includeTenantFilter ? $this->currentTenantFilterId() : null,
            reasonFilter: $reasonFilter ?? $this->currentReasonFilter(),
            applyOrdering: true,
        );
    }
    /**
     * @return array<string, string>
     */
    private function tenantFilterOptions(): array
    {
        return collect($this->visibleTenants())
            ->mapWithKeys(static fn (Tenant $tenant): array => [
                (string) $tenant->getKey() => (string) $tenant->name,
            ])
            ->all();
    }
    private function applyRequestedTenantPrefilter(): void
    {
        $requestedTenant = request()->query('tenant');
        if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
            return;
        }
        foreach ($this->visibleTenants() as $tenant) {
            if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
                continue;
            }
            $this->tableFilters['tenant_id']['value'] = (string) $tenant->getKey();
            $this->tableDeferredFilters['tenant_id']['value'] = (string) $tenant->getKey();
            return;
        }
    }
    private function normalizeTenantFilterState(): void
    {
        $configuredTenantFilter = data_get($this->currentFiltersState(), 'tenant_id.value');
        if ($configuredTenantFilter === null || $configuredTenantFilter === '') {
            return;
        }
        if ($this->currentTenantFilterId() !== null) {
            return;
        }
        $this->removeTableFilter('tenant_id');
    }
    /**
     * @return array<string, mixed>
     */
    private function currentFiltersState(): array
    {
        $persisted = session()->get($this->getTableFiltersSessionKey(), []);
        return array_replace_recursive(
            is_array($persisted) ? $persisted : [],
            $this->tableFilters ?? [],
        );
    }
    private function currentTenantFilterId(): ?int
    {
        $tenantFilter = data_get($this->currentFiltersState(), 'tenant_id.value');
        if (! is_numeric($tenantFilter)) {
            return null;
        }
        $tenantId = (int) $tenantFilter;
        foreach ($this->visibleTenants() as $tenant) {
            if ((int) $tenant->getKey() === $tenantId) {
                return $tenantId;
            }
        }
        return null;
    }
    private function filteredTenant(): ?Tenant
    {
        $tenantId = $this->currentTenantFilterId();
        if (! is_int($tenantId)) {
            return null;
        }
        foreach ($this->visibleTenants() as $tenant) {
            if ((int) $tenant->getKey() === $tenantId) {
                return $tenant;
            }
        }
        return null;
    }
    private function activeVisibleTenant(): ?Tenant
    {
        $activeTenant = app(OperateHubShell::class)->activeEntitledTenant(request());
        if (! $activeTenant instanceof Tenant) {
            return null;
        }
        foreach ($this->visibleTenants() as $tenant) {
            if ($tenant->is($activeTenant)) {
                return $tenant;
            }
        }
        return null;
    }
    private function tenantPrefilterSource(): string
    {
        $tenant = $this->filteredTenant();
        if (! $tenant instanceof Tenant) {
            return 'none';
        }
        $activeTenant = $this->activeVisibleTenant();
        if ($activeTenant instanceof Tenant && $activeTenant->is($tenant)) {
            return 'active_tenant_context';
        }
        return 'explicit_filter';
    }
    private function assigneeContext(Finding $record): ?string
    {
        if (! $this->hygieneService()->recordHasBrokenAssignment($record)) {
            return null;
        }
        if ($record->assigneeUser?->trashed()) {
            return 'Soft-deleted user';
        }
        return 'No current tenant membership';
    }
    private function tenantFilterAloneExcludesRows(): bool
    {
        if ($this->currentTenantFilterId() === null) {
            return false;
        }
        if ((clone $this->filteredIssueQuery())->exists()) {
            return false;
        }
        return (clone $this->filteredIssueQuery(includeTenantFilter: false))->exists();
    }
    private function reasonFilterAloneExcludesRows(): bool
    {
        if ($this->currentReasonFilter() === FindingAssignmentHygieneService::FILTER_ALL) {
            return false;
        }
        if ((clone $this->filteredIssueQuery())->exists()) {
            return false;
        }
        return (clone $this->filteredIssueQuery(includeTenantFilter: true, reasonFilter: FindingAssignmentHygieneService::FILTER_ALL))->exists();
    }
    private function findingDetailUrl(Finding $record): string
    {
        $tenant = $record->tenant;
        if (! $tenant instanceof Tenant) {
            return '#';
        }
        $url = FindingResource::getUrl('view', ['record' => $record], panel: 'tenant', tenant: $tenant);
        return $this->appendQuery($url, $this->navigationContext()->toQuery());
    }
    private function navigationContext(): CanonicalNavigationContext
    {
        return new CanonicalNavigationContext(
            sourceSurface: 'findings.hygiene',
            canonicalRouteName: static::getRouteName(Filament::getPanel('admin')),
            tenantId: $this->currentTenantFilterId(),
            backLinkLabel: 'Back to findings hygiene',
            backLinkUrl: $this->reportUrl(),
        );
    }
    private function reportUrl(array $overrides = []): string
    {
        $resolvedTenant = array_key_exists('tenant', $overrides)
            ? $overrides['tenant']
            : $this->filteredTenant()?->external_id;
        $resolvedReason = array_key_exists('reason', $overrides)
            ? $overrides['reason']
            : $this->currentReasonFilter();
        return static::getUrl(
            panel: 'admin',
            parameters: array_filter([
                'tenant' => is_string($resolvedTenant) && $resolvedTenant !== '' ? $resolvedTenant : null,
                'reason' => is_string($resolvedReason) && $resolvedReason !== FindingAssignmentHygieneService::FILTER_ALL
                    ? $resolvedReason
                    : null,
            ], static fn (mixed $value): bool => $value !== null && $value !== ''),
        );
    }
    private function resolveRequestedReasonFilter(): string
    {
        $requestedFilter = request()->query('reason');
        $availableFilters = $this->hygieneService()->filterOptions();
        return is_string($requestedFilter) && array_key_exists($requestedFilter, $availableFilters)
            ? $requestedFilter
            : FindingAssignmentHygieneService::FILTER_ALL;
    }
    private function currentReasonFilter(): string
    {
        $availableFilters = $this->hygieneService()->filterOptions();
        return array_key_exists($this->reasonFilter, $availableFilters)
            ? $this->reasonFilter
            : FindingAssignmentHygieneService::FILTER_ALL;
    }
    /**
     * @return array<int, Action>
     */
    private function emptyStateActions(): array
    {
        $emptyState = $this->emptyState();
        if (($emptyState['action_kind'] ?? null) !== 'clear_tenant_filter') {
            return [];
        }
        return [
            Action::make((string) $emptyState['action_name'])
                ->label((string) $emptyState['action_label'])
                ->icon('heroicon-o-arrow-right')
                ->color('gray')
                ->action(fn (): mixed => $this->clearTenantFilter()),
        ];
    }
    /**
     * @param  array<string, mixed>  $query
     */
    private function appendQuery(string $url, array $query): string
    {
        if ($query === []) {
            return $url;
        }
        return $url.(str_contains($url, '?') ? '&' : '?').http_build_query($query);
    }
    private function hygieneService(): FindingAssignmentHygieneService
    {
        return app(FindingAssignmentHygieneService::class);
    }
 }
--- a/apps/platform/app/Filament/Pages/Findings/FindingsIntakeQueue.php
+++ b/apps/platform/app/Filament/Pages/Findings/FindingsIntakeQueue.php
@ -1,775 +0,0 @@
 <?php
 declare(strict_types=1);
 namespace App\Filament\Pages\Findings;
 use App\Filament\Resources\FindingExceptionResource;
 use App\Filament\Resources\FindingResource;
 use App\Models\Finding;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Models\Workspace;
 use App\Services\Auth\CapabilityResolver;
 use App\Services\Auth\WorkspaceCapabilityResolver;
 use App\Services\Findings\FindingWorkflowService;
 use App\Support\Auth\Capabilities;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
 use App\Support\Filament\CanonicalAdminTenantFilterState;
 use App\Support\Filament\TablePaginationProfiles;
 use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\OperateHub\OperateHubShell;
 use App\Support\Rbac\UiEnforcement;
 use App\Support\Rbac\UiTooltips;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions\Action;
 use Filament\Facades\Filament;
 use Filament\Notifications\Notification;
 use Filament\Pages\Page;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Concerns\InteractsWithTable;
 use Filament\Tables\Contracts\HasTable;
 use Filament\Tables\Filters\SelectFilter;
 use Filament\Tables\Table;
 use Illuminate\Database\Eloquent\Builder;
 use Symfony\Component\HttpKernel\Exception\ConflictHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use UnitEnum;
 class FindingsIntakeQueue extends Page implements HasTable
 {
    use InteractsWithTable;
    protected static bool $isDiscovered = false;
    protected static bool $shouldRegisterNavigation = false;
    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-inbox-stack';
    protected static string|UnitEnum|null $navigationGroup = 'Governance';
    protected static ?string $title = 'Findings intake';
    protected static ?string $slug = 'findings/intake';
    protected string $view = 'filament.pages.findings.findings-intake-queue';
    /**
     * @var array<int, Tenant>|null
     */
    private ?array $authorizedTenants = null;
    /**
     * @var array<int, Tenant>|null
     */
    private ?array $visibleTenants = null;
    private ?Workspace $workspace = null;
    public string $queueView = 'unassigned';
    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
    {
        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly, ActionSurfaceType::ReadOnlyRegistryReport)
            ->withListRowPrimaryActionLimit(1)
            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions keep the shared-unassigned scope fixed and expose only a tenant-prefilter clear action when needed.')
            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'The intake queue keeps Claim finding inline and does not render a secondary More menu on rows.')
            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The intake queue does not expose bulk actions in v1.')
            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state stays calm and offers exactly one recovery CTA per branch.')
            ->exempt(ActionSurfaceSlot::DetailHeader, 'Row navigation returns to the existing tenant finding detail page while Claim finding remains the only inline safe shortcut.');
    }
    public function mount(): void
    {
        $this->queueView = $this->resolveRequestedQueueView();
        $this->authorizePageAccess();
        app(CanonicalAdminTenantFilterState::class)->sync(
            $this->getTableFiltersSessionKey(),
            [],
            request(),
        );
        $this->applyRequestedTenantPrefilter();
        $this->mountInteractsWithTable();
        $this->normalizeTenantFilterState();
    }
    protected function getHeaderActions(): array
    {
        return [
            Action::make('clear_tenant_filter')
                ->label('Clear tenant filter')
                ->icon('heroicon-o-x-mark')
                ->color('gray')
                ->visible(fn (): bool => $this->currentTenantFilterId() !== null)
                ->action(fn (): mixed => $this->clearTenantFilter()),
        ];
    }
    public function table(Table $table): Table
    {
        return $table
            ->query(fn (): Builder => $this->queueViewQuery())
            ->paginated(TablePaginationProfiles::customPage())
            ->persistFiltersInSession()
            ->columns([
                TextColumn::make('tenant.name')
                    ->label('Tenant'),
                TextColumn::make('subject_display_name')
                    ->label('Finding')
                    ->state(fn (Finding $record): string => $record->resolvedSubjectDisplayName() ?? 'Finding #'.$record->getKey())
                    ->description(fn (Finding $record): ?string => $this->ownerContext($record))
                    ->wrap(),
                TextColumn::make('severity')
                    ->badge()
                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingSeverity))
                    ->color(BadgeRenderer::color(BadgeDomain::FindingSeverity))
                    ->icon(BadgeRenderer::icon(BadgeDomain::FindingSeverity))
                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingSeverity)),
                TextColumn::make('status')
                    ->badge()
                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingStatus))
                    ->color(BadgeRenderer::color(BadgeDomain::FindingStatus))
                    ->icon(BadgeRenderer::icon(BadgeDomain::FindingStatus))
                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingStatus))
                    ->description(fn (Finding $record): ?string => $this->reopenedCue($record)),
                TextColumn::make('due_at')
                    ->label('Due')
                    ->dateTime()
                    ->placeholder('—')
                    ->description(fn (Finding $record): ?string => FindingExceptionResource::relativeTimeDescription($record->due_at) ?? FindingResource::dueAttentionLabelFor($record)),
                TextColumn::make('intake_reason')
                    ->label('Queue reason')
                    ->badge()
                    ->state(fn (Finding $record): string => $this->queueReason($record))
                    ->color(fn (Finding $record): string => $this->queueReasonColor($record)),
            ])
            ->filters([
                SelectFilter::make('tenant_id')
                    ->label('Tenant')
                    ->options(fn (): array => $this->tenantFilterOptions())
                    ->searchable(),
            ])
            ->actions([
                $this->claimAction(),
            ])
            ->bulkActions([])
            ->recordUrl(fn (Finding $record): string => $this->findingDetailUrl($record))
            ->emptyStateHeading(fn (): string => $this->emptyState()['title'])
            ->emptyStateDescription(fn (): string => $this->emptyState()['body'])
            ->emptyStateIcon(fn (): string => $this->emptyState()['icon'])
            ->emptyStateActions($this->emptyStateActions());
    }
    /**
     * @return array<string, mixed>
     */
    public function appliedScope(): array
    {
        $tenant = $this->filteredTenant();
        $queueView = $this->currentQueueView();
        return [
            'workspace_scoped' => true,
            'fixed_scope' => 'visible_unassigned_open_findings_only',
            'queue_view' => $queueView,
            'queue_view_label' => $this->queueViewLabel($queueView),
            'tenant_prefilter_source' => $this->tenantPrefilterSource(),
            'tenant_label' => $tenant?->name,
        ];
    }
    /**
     * @return array<int, array<string, mixed>>
     */
    public function queueViews(): array
    {
        $queueView = $this->currentQueueView();
        return [
            [
                'key' => 'unassigned',
                'label' => 'Unassigned',
                'fixed' => true,
                'active' => $queueView === 'unassigned',
                'badge_count' => (clone $this->filteredQueueQuery(queueView: 'unassigned', applyOrdering: false))->count(),
                'url' => $this->queueUrl(['view' => null]),
            ],
            [
                'key' => 'needs_triage',
                'label' => 'Needs triage',
                'fixed' => true,
                'active' => $queueView === 'needs_triage',
                'badge_count' => (clone $this->filteredQueueQuery(queueView: 'needs_triage', applyOrdering: false))->count(),
                'url' => $this->queueUrl(['view' => 'needs_triage']),
            ],
        ];
    }
    /**
     * @return array{visible_unassigned: int, visible_needs_triage: int, visible_overdue: int}
     */
    public function summaryCounts(): array
    {
        $visibleQuery = $this->filteredQueueQuery(queueView: 'unassigned', applyOrdering: false);
        return [
            'visible_unassigned' => (clone $visibleQuery)->count(),
            'visible_needs_triage' => (clone $this->filteredQueueQuery(queueView: 'needs_triage', applyOrdering: false))->count(),
            'visible_overdue' => (clone $visibleQuery)
                ->whereNotNull('due_at')
                ->where('due_at', '<', now())
                ->count(),
        ];
    }
    /**
     * @return array<string, mixed>
     */
    public function emptyState(): array
    {
        if ($this->tenantFilterAloneExcludesRows()) {
            return [
                'title' => 'No intake findings match this tenant scope',
                'body' => 'Your current tenant filter is hiding shared intake work that is still visible elsewhere in this workspace.',
                'icon' => 'heroicon-o-funnel',
                'action_name' => 'clear_tenant_filter_empty',
                'action_label' => 'Clear tenant filter',
                'action_kind' => 'clear_tenant_filter',
            ];
        }
        return [
            'title' => 'Shared intake is clear',
            'body' => 'No visible unassigned findings currently need first routing across your entitled tenants. Open your personal queue if you want to continue with claimed work.',
            'icon' => 'heroicon-o-inbox-stack',
            'action_name' => 'open_my_findings_empty',
            'action_label' => 'Open my findings',
            'action_kind' => 'url',
            'action_url' => MyFindingsInbox::getUrl(panel: 'admin'),
        ];
    }
    public function updatedTableFilters(): void
    {
        $this->normalizeTenantFilterState();
    }
    public function clearTenantFilter(): void
    {
        $this->removeTableFilter('tenant_id');
        $this->resetTable();
    }
    /**
     * @return array<int, Tenant>
     */
    public function visibleTenants(): array
    {
        if ($this->visibleTenants !== null) {
            return $this->visibleTenants;
        }
        $user = auth()->user();
        $tenants = $this->authorizedTenants();
        if (! $user instanceof User || $tenants === []) {
            return $this->visibleTenants = [];
        }
        $resolver = app(CapabilityResolver::class);
        $resolver->primeMemberships(
            $user,
            array_map(static fn (Tenant $tenant): int => (int) $tenant->getKey(), $tenants),
        );
        return $this->visibleTenants = array_values(array_filter(
            $tenants,
            fn (Tenant $tenant): bool => $resolver->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW),
        ));
    }
    private function claimAction(): Action
    {
        return UiEnforcement::forTableAction(
            Action::make('claim')
                ->label('Claim finding')
                ->icon('heroicon-o-user-plus')
                ->color('gray')
                ->visible(fn (Finding $record): bool => $record->assignee_user_id === null && in_array((string) $record->status, Finding::openStatuses(), true))
                ->requiresConfirmation()
                ->modalHeading('Claim finding')
                ->modalDescription(function (?Finding $record = null): string {
                    $findingLabel = $record?->resolvedSubjectDisplayName() ?? ($record instanceof Finding ? 'Finding #'.$record->getKey() : 'this finding');
                    $tenantLabel = $record?->tenant?->name ?? 'this tenant';
                    return sprintf(
                        'Claim "%s" in %s? It will move into your personal queue, while the accountable owner and lifecycle state stay unchanged.',
                        $findingLabel,
                        $tenantLabel,
                    );
                })
                ->modalSubmitActionLabel('Claim finding')
                ->action(function (Finding $record): void {
                    $tenant = $record->tenant;
                    $user = auth()->user();
                    if (! $tenant instanceof Tenant) {
                        throw new NotFoundHttpException;
                    }
                    if (! $user instanceof User) {
                        abort(403);
                    }
                    try {
                        $claimedFinding = app(FindingWorkflowService::class)->claim($record, $tenant, $user);
                        Notification::make()
                            ->success()
                            ->title('Finding claimed')
                            ->body('The finding left shared intake and is now assigned to you.')
                            ->actions([
                                Action::make('open_my_findings')
                                    ->label('Open my findings')
                                    ->url(MyFindingsInbox::getUrl(panel: 'admin')),
                                Action::make('open_finding')
                                    ->label('Open finding')
                                    ->url($this->findingDetailUrl($claimedFinding)),
                            ])
                            ->send();
                    } catch (ConflictHttpException) {
                        Notification::make()
                            ->warning()
                            ->title('Finding already claimed')
                            ->body('Another operator claimed this finding first. The intake queue has been refreshed.')
                            ->send();
                    }
                    $this->resetTable();
                    if (method_exists($this, 'unmountAction')) {
                        $this->unmountAction();
                    }
                }),
            fn () => null,
        )
            ->preserveVisibility()
            ->requireCapability(Capabilities::TENANT_FINDINGS_ASSIGN)
            ->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
            ->apply();
    }
    private function authorizePageAccess(): void
    {
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User) {
            abort(403);
        }
        if (! $workspace instanceof Workspace) {
            throw new NotFoundHttpException;
        }
        $resolver = app(WorkspaceCapabilityResolver::class);
        if (! $resolver->isMember($user, $workspace)) {
            throw new NotFoundHttpException;
        }
        if ($this->visibleTenants() === []) {
            abort(403);
        }
    }
    /**
     * @return array<int, Tenant>
     */
    private function authorizedTenants(): array
    {
        if ($this->authorizedTenants !== null) {
            return $this->authorizedTenants;
        }
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User || ! $workspace instanceof Workspace) {
            return $this->authorizedTenants = [];
        }
        return $this->authorizedTenants = $user->tenants()
            ->where('tenants.workspace_id', (int) $workspace->getKey())
            ->where('tenants.status', 'active')
            ->orderBy('tenants.name')
            ->get(['tenants.id', 'tenants.name', 'tenants.external_id', 'tenants.workspace_id'])
            ->all();
    }
    private function workspace(): ?Workspace
    {
        if ($this->workspace instanceof Workspace) {
            return $this->workspace;
        }
        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
        if (! is_int($workspaceId)) {
            return null;
        }
        return $this->workspace = Workspace::query()->whereKey($workspaceId)->first();
    }
    private function queueBaseQuery(): Builder
    {
        $workspace = $this->workspace();
        $tenantIds = array_map(
            static fn (Tenant $tenant): int => (int) $tenant->getKey(),
            $this->visibleTenants(),
        );
        if (! $workspace instanceof Workspace) {
            return Finding::query()->whereRaw('1 = 0');
        }
        return Finding::query()
            ->with(['tenant', 'ownerUser', 'assigneeUser'])
            ->withSubjectDisplayName()
            ->where('workspace_id', (int) $workspace->getKey())
            ->whereIn('tenant_id', $tenantIds === [] ? [-1] : $tenantIds)
            ->whereNull('assignee_user_id')
            ->whereIn('status', Finding::openStatuses());
    }
    private function queueViewQuery(): Builder
    {
        return $this->filteredQueueQuery(includeTenantFilter: false, queueView: $this->currentQueueView(), applyOrdering: true);
    }
    private function filteredQueueQuery(
        bool $includeTenantFilter = true,
        ?string $queueView = null,
        bool $applyOrdering = true,
    ): Builder {
        $query = $this->queueBaseQuery();
        $resolvedQueueView = $queueView ?? $this->queueView;
        if ($includeTenantFilter && ($tenantId = $this->currentTenantFilterId()) !== null) {
            $query->where('tenant_id', $tenantId);
        }
        if ($resolvedQueueView === 'needs_triage') {
            $query->whereIn('status', [
                Finding::STATUS_NEW,
                Finding::STATUS_REOPENED,
            ]);
        }
        if (! $applyOrdering) {
            return $query;
        }
        return $query
            ->orderByRaw(
                "case
                    when due_at is not null and due_at < ? then 0
                    when status = ? then 1
                    when status = ? then 2
                    else 3
                end asc",
                [now(), Finding::STATUS_REOPENED, Finding::STATUS_NEW],
            )
            ->orderByRaw('case when due_at is null then 1 else 0 end asc')
            ->orderBy('due_at')
            ->orderByDesc('id');
    }
    /**
     * @return array<string, string>
     */
    private function tenantFilterOptions(): array
    {
        return collect($this->visibleTenants())
            ->mapWithKeys(static fn (Tenant $tenant): array => [
                (string) $tenant->getKey() => (string) $tenant->name,
            ])
            ->all();
    }
    private function applyRequestedTenantPrefilter(): void
    {
        $requestedTenant = request()->query('tenant');
        if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
            return;
        }
        foreach ($this->visibleTenants() as $tenant) {
            if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
                continue;
            }
            $this->tableFilters['tenant_id']['value'] = (string) $tenant->getKey();
            $this->tableDeferredFilters['tenant_id']['value'] = (string) $tenant->getKey();
            return;
        }
    }
    private function normalizeTenantFilterState(): void
    {
        $configuredTenantFilter = data_get($this->currentQueueFiltersState(), 'tenant_id.value');
        if ($configuredTenantFilter === null || $configuredTenantFilter === '') {
            return;
        }
        if ($this->currentTenantFilterId() !== null) {
            return;
        }
        $this->removeTableFilter('tenant_id');
    }
    /**
     * @return array<string, mixed>
     */
    private function currentQueueFiltersState(): array
    {
        $persisted = session()->get($this->getTableFiltersSessionKey(), []);
        return array_replace_recursive(
            is_array($persisted) ? $persisted : [],
            $this->tableFilters ?? [],
        );
    }
    private function currentTenantFilterId(): ?int
    {
        $tenantFilter = data_get($this->currentQueueFiltersState(), 'tenant_id.value');
        if (! is_numeric($tenantFilter)) {
            return null;
        }
        $tenantId = (int) $tenantFilter;
        foreach ($this->visibleTenants() as $tenant) {
            if ((int) $tenant->getKey() === $tenantId) {
                return $tenantId;
            }
        }
        return null;
    }
    private function filteredTenant(): ?Tenant
    {
        $tenantId = $this->currentTenantFilterId();
        if (! is_int($tenantId)) {
            return null;
        }
        foreach ($this->visibleTenants() as $tenant) {
            if ((int) $tenant->getKey() === $tenantId) {
                return $tenant;
            }
        }
        return null;
    }
    private function activeVisibleTenant(): ?Tenant
    {
        $activeTenant = app(OperateHubShell::class)->activeEntitledTenant(request());
        if (! $activeTenant instanceof Tenant) {
            return null;
        }
        foreach ($this->visibleTenants() as $tenant) {
            if ($tenant->is($activeTenant)) {
                return $tenant;
            }
        }
        return null;
    }
    private function tenantPrefilterSource(): string
    {
        $tenant = $this->filteredTenant();
        if (! $tenant instanceof Tenant) {
            return 'none';
        }
        $activeTenant = $this->activeVisibleTenant();
        if ($activeTenant instanceof Tenant && $activeTenant->is($tenant)) {
            return 'active_tenant_context';
        }
        return 'explicit_filter';
    }
    private function ownerContext(Finding $record): ?string
    {
        if ($record->owner_user_id === null) {
            return null;
        }
        return 'Owner: '.FindingResource::accountableOwnerDisplayFor($record);
    }
    private function reopenedCue(Finding $record): ?string
    {
        if ($record->reopened_at === null) {
            return null;
        }
        return 'Reopened';
    }
    private function queueReason(Finding $record): string
    {
        return in_array((string) $record->status, [
            Finding::STATUS_NEW,
            Finding::STATUS_REOPENED,
        ], true)
            ? 'Needs triage'
            : 'Unassigned';
    }
    private function queueReasonColor(Finding $record): string
    {
        return $this->queueReason($record) === 'Needs triage'
            ? 'warning'
            : 'gray';
    }
    private function tenantFilterAloneExcludesRows(): bool
    {
        if ($this->currentTenantFilterId() === null) {
            return false;
        }
        if ((clone $this->filteredQueueQuery())->exists()) {
            return false;
        }
        return (clone $this->filteredQueueQuery(includeTenantFilter: false))->exists();
    }
    private function findingDetailUrl(Finding $record): string
    {
        $tenant = $record->tenant;
        if (! $tenant instanceof Tenant) {
            return '#';
        }
        $url = FindingResource::getUrl('view', ['record' => $record], panel: 'tenant', tenant: $tenant);
        return $this->appendQuery($url, $this->navigationContext()->toQuery());
    }
    private function navigationContext(): CanonicalNavigationContext
    {
        return new CanonicalNavigationContext(
            sourceSurface: 'findings.intake',
            canonicalRouteName: static::getRouteName(Filament::getPanel('admin')),
            tenantId: $this->currentTenantFilterId(),
            backLinkLabel: 'Back to findings intake',
            backLinkUrl: $this->queueUrl(),
        );
    }
    private function queueUrl(array $overrides = []): string
    {
        $resolvedTenant = array_key_exists('tenant', $overrides)
            ? $overrides['tenant']
            : $this->filteredTenant()?->external_id;
        $resolvedView = array_key_exists('view', $overrides)
            ? $overrides['view']
            : $this->currentQueueView();
        return static::getUrl(
            panel: 'admin',
            parameters: array_filter([
                'tenant' => is_string($resolvedTenant) && $resolvedTenant !== '' ? $resolvedTenant : null,
                'view' => $resolvedView === 'needs_triage' ? 'needs_triage' : null,
            ], static fn (mixed $value): bool => $value !== null && $value !== ''),
        );
    }
    private function resolveRequestedQueueView(): string
    {
        $requestedView = request()->query('view');
        return $requestedView === 'needs_triage'
            ? 'needs_triage'
            : 'unassigned';
    }
    private function currentQueueView(): string
    {
        return $this->queueView === 'needs_triage'
            ? 'needs_triage'
            : 'unassigned';
    }
    private function queueViewLabel(string $queueView): string
    {
        return $queueView === 'needs_triage'
            ? 'Needs triage'
            : 'Unassigned';
    }
    /**
     * @return array<int, Action>
     */
    private function emptyStateActions(): array
    {
        $emptyState = $this->emptyState();
        $action = Action::make((string) $emptyState['action_name'])
            ->label((string) $emptyState['action_label'])
            ->icon('heroicon-o-arrow-right')
            ->color('gray');
        if (($emptyState['action_kind'] ?? null) === 'clear_tenant_filter') {
            return [
                $action->action(fn (): mixed => $this->clearTenantFilter()),
            ];
        }
        return [
            $action->url((string) $emptyState['action_url']),
        ];
    }
    /**
     * @param  array<string, mixed>  $query
     */
    private function appendQuery(string $url, array $query): string
    {
        if ($query === []) {
            return $url;
        }
        return $url.(str_contains($url, '?') ? '&' : '?').http_build_query($query);
    }
 }
--- a/apps/platform/app/Filament/Pages/Findings/MyFindingsInbox.php
+++ b/apps/platform/app/Filament/Pages/Findings/MyFindingsInbox.php
@ -1,688 +0,0 @@
 <?php
 declare(strict_types=1);
 namespace App\Filament\Pages\Findings;
 use App\Filament\Resources\FindingExceptionResource;
 use App\Filament\Resources\FindingResource;
 use App\Models\Finding;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Models\Workspace;
 use App\Services\Auth\CapabilityResolver;
 use App\Services\Auth\WorkspaceCapabilityResolver;
 use App\Support\Auth\Capabilities;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
 use App\Support\Filament\CanonicalAdminTenantFilterState;
 use App\Support\Filament\TablePaginationProfiles;
 use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\OperateHub\OperateHubShell;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions\Action;
 use Filament\Facades\Filament;
 use Filament\Pages\Page;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Concerns\InteractsWithTable;
 use Filament\Tables\Contracts\HasTable;
 use Filament\Tables\Filters\Filter;
 use Filament\Tables\Filters\SelectFilter;
 use Filament\Tables\Table;
 use Illuminate\Database\Eloquent\Builder;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use UnitEnum;
 class MyFindingsInbox extends Page implements HasTable
 {
    use InteractsWithTable;
    protected static bool $isDiscovered = false;
    protected static bool $shouldRegisterNavigation = false;
    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-clipboard-document-check';
    protected static string|UnitEnum|null $navigationGroup = 'Governance';
    protected static ?string $title = 'My Findings';
    protected static ?string $slug = 'findings/my-work';
    protected string $view = 'filament.pages.findings.my-findings-inbox';
    /**
     * @var array<int, Tenant>|null
     */
    private ?array $authorizedTenants = null;
    /**
     * @var array<int, Tenant>|null
     */
    private ?array $visibleTenants = null;
    private ?Workspace $workspace = null;
    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
    {
        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly, ActionSurfaceType::ReadOnlyRegistryReport)
            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions keep the assigned-to-me scope fixed and expose only a tenant-prefilter clear action when needed.')
            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'The personal findings inbox exposes row click as the only inspect path and does not render a secondary More menu.')
            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The personal findings inbox does not expose bulk actions.')
            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state stays calm, explains scope boundaries, and offers exactly one recovery CTA.')
            ->exempt(ActionSurfaceSlot::DetailHeader, 'Row navigation returns to the existing tenant finding detail page.');
    }
    public function mount(): void
    {
        $this->authorizePageAccess();
        app(CanonicalAdminTenantFilterState::class)->sync(
            $this->getTableFiltersSessionKey(),
            ['overdue', 'reopened', 'high_severity'],
            request(),
        );
        $this->applyRequestedTenantPrefilter();
        $this->mountInteractsWithTable();
        $this->normalizeTenantFilterState();
    }
    protected function getHeaderActions(): array
    {
        return [
            Action::make('clear_tenant_filter')
                ->label('Clear tenant filter')
                ->icon('heroicon-o-x-mark')
                ->color('gray')
                ->visible(fn (): bool => $this->currentTenantFilterId() !== null)
                ->action(fn (): mixed => $this->clearTenantFilter()),
        ];
    }
    public function table(Table $table): Table
    {
        return $table
            ->query(fn (): Builder => $this->queueBaseQuery())
            ->paginated(TablePaginationProfiles::customPage())
            ->persistFiltersInSession()
            ->columns([
                TextColumn::make('tenant.name')
                    ->label('Tenant'),
                TextColumn::make('subject_display_name')
                    ->label('Finding')
                    ->state(fn (Finding $record): string => $record->resolvedSubjectDisplayName() ?? 'Finding #'.$record->getKey())
                    ->description(fn (Finding $record): ?string => $this->ownerContext($record))
                    ->wrap(),
                TextColumn::make('severity')
                    ->badge()
                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingSeverity))
                    ->color(BadgeRenderer::color(BadgeDomain::FindingSeverity))
                    ->icon(BadgeRenderer::icon(BadgeDomain::FindingSeverity))
                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingSeverity)),
                TextColumn::make('status')
                    ->badge()
                    ->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingStatus))
                    ->color(BadgeRenderer::color(BadgeDomain::FindingStatus))
                    ->icon(BadgeRenderer::icon(BadgeDomain::FindingStatus))
                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingStatus))
                    ->description(fn (Finding $record): ?string => $this->reopenedCue($record)),
                TextColumn::make('due_at')
                    ->label('Due')
                    ->dateTime()
                    ->placeholder('—')
                    ->description(fn (Finding $record): ?string => FindingExceptionResource::relativeTimeDescription($record->due_at) ?? FindingResource::dueAttentionLabelFor($record)),
            ])
            ->filters([
                SelectFilter::make('tenant_id')
                    ->label('Tenant')
                    ->options(fn (): array => $this->tenantFilterOptions())
                    ->searchable(),
                Filter::make('overdue')
                    ->label('Overdue')
                    ->query(fn (Builder $query): Builder => $query
                        ->whereNotNull('due_at')
                        ->where('due_at', '<', now())),
                Filter::make('reopened')
                    ->label('Reopened')
                    ->query(fn (Builder $query): Builder => $query->whereNotNull('reopened_at')),
                Filter::make('high_severity')
                    ->label('High severity')
                    ->query(fn (Builder $query): Builder => $query->whereIn('severity', Finding::highSeverityValues())),
            ])
            ->actions([])
            ->bulkActions([])
            ->recordUrl(fn (Finding $record): string => $this->findingDetailUrl($record))
            ->emptyStateHeading(fn (): string => $this->emptyState()['title'])
            ->emptyStateDescription(fn (): string => $this->emptyState()['body'])
            ->emptyStateIcon(fn (): string => $this->emptyState()['icon'])
            ->emptyStateActions($this->emptyStateActions());
    }
    /**
     * @return array<string, mixed>
     */
    public function appliedScope(): array
    {
        $tenant = $this->filteredTenant();
        return [
            'workspace_scoped' => true,
            'assignee_scope' => 'current_user_only',
            'tenant_prefilter_source' => $this->tenantPrefilterSource(),
            'tenant_label' => $tenant?->name,
        ];
    }
    /**
     * @return array<int, array<string, mixed>>
     */
    public function availableFilters(): array
    {
        return [
            [
                'key' => 'assignee_scope',
                'label' => 'Assigned to me',
                'fixed' => true,
                'options' => [],
            ],
            [
                'key' => 'tenant',
                'label' => 'Tenant',
                'fixed' => false,
                'options' => collect($this->visibleTenants())
                    ->map(fn (Tenant $tenant): array => [
                        'value' => (string) $tenant->getKey(),
                        'label' => (string) $tenant->name,
                    ])
                    ->values()
                    ->all(),
            ],
            [
                'key' => 'overdue',
                'label' => 'Overdue',
                'fixed' => false,
                'options' => [],
            ],
            [
                'key' => 'reopened',
                'label' => 'Reopened',
                'fixed' => false,
                'options' => [],
            ],
            [
                'key' => 'high_severity',
                'label' => 'High severity',
                'fixed' => false,
                'options' => [],
            ],
        ];
    }
    /**
     * @return array{open_assigned: int, overdue_assigned: int}
     */
    public function summaryCounts(): array
    {
        $query = $this->filteredQueueQuery();
        return [
            'open_assigned' => (clone $query)->count(),
            'overdue_assigned' => (clone $query)
                ->whereNotNull('due_at')
                ->where('due_at', '<', now())
                ->count(),
        ];
    }
    /**
     * @return array<string, mixed>
     */
    public function emptyState(): array
    {
        if ($this->tenantFilterAloneExcludesRows()) {
            return [
                'title' => 'No assigned findings match this tenant scope',
                'body' => 'Your current tenant filter is hiding assigned work that is still visible elsewhere in this workspace.',
                'icon' => 'heroicon-o-funnel',
                'action_name' => 'clear_tenant_filter_empty',
                'action_label' => 'Clear tenant filter',
                'action_kind' => 'clear_tenant_filter',
            ];
        }
        $activeTenant = $this->activeVisibleTenant();
        if ($activeTenant instanceof Tenant) {
            return [
                'title' => 'No visible assigned findings right now',
                'body' => 'Nothing currently assigned to you needs attention in the visible tenant scope. You can still open tenant findings for broader context.',
                'icon' => 'heroicon-o-clipboard-document-check',
                'action_name' => 'open_tenant_findings_empty',
                'action_label' => 'Open tenant findings',
                'action_kind' => 'url',
                'action_url' => FindingResource::getUrl('index', panel: 'tenant', tenant: $activeTenant),
            ];
        }
        return [
            'title' => 'No visible assigned findings right now',
            'body' => 'Nothing currently assigned to you needs attention across the visible tenant scope. Choose a tenant to continue working elsewhere in the workspace.',
            'icon' => 'heroicon-o-clipboard-document-check',
            'action_name' => 'choose_tenant_empty',
            'action_label' => 'Choose a tenant',
            'action_kind' => 'url',
            'action_url' => route('filament.admin.pages.choose-tenant'),
        ];
    }
    public function updatedTableFilters(): void
    {
        $this->normalizeTenantFilterState();
    }
    public function clearTenantFilter(): void
    {
        $this->removeTableFilter('tenant_id');
        $this->resetTable();
    }
    /**
     * @return array<int, Tenant>
     */
    public function visibleTenants(): array
    {
        if ($this->visibleTenants !== null) {
            return $this->visibleTenants;
        }
        $user = auth()->user();
        $tenants = $this->authorizedTenants();
        if (! $user instanceof User || $tenants === []) {
            return $this->visibleTenants = [];
        }
        $resolver = app(CapabilityResolver::class);
        $resolver->primeMemberships(
            $user,
            array_map(static fn (Tenant $tenant): int => (int) $tenant->getKey(), $tenants),
        );
        return $this->visibleTenants = array_values(array_filter(
            $tenants,
            fn (Tenant $tenant): bool => $resolver->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW),
        ));
    }
    private function authorizePageAccess(): void
    {
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User) {
            abort(403);
        }
        if (! $workspace instanceof Workspace) {
            throw new NotFoundHttpException;
        }
        $resolver = app(WorkspaceCapabilityResolver::class);
        if (! $resolver->isMember($user, $workspace)) {
            throw new NotFoundHttpException;
        }
    }
    /**
     * @return array<int, Tenant>
     */
    private function authorizedTenants(): array
    {
        if ($this->authorizedTenants !== null) {
            return $this->authorizedTenants;
        }
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User || ! $workspace instanceof Workspace) {
            return $this->authorizedTenants = [];
        }
        return $this->authorizedTenants = $user->tenants()
            ->where('tenants.workspace_id', (int) $workspace->getKey())
            ->where('tenants.status', 'active')
            ->orderBy('tenants.name')
            ->get(['tenants.id', 'tenants.name', 'tenants.external_id', 'tenants.workspace_id'])
            ->all();
    }
    private function workspace(): ?Workspace
    {
        if ($this->workspace instanceof Workspace) {
            return $this->workspace;
        }
        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
        if (! is_int($workspaceId)) {
            return null;
        }
        return $this->workspace = Workspace::query()->whereKey($workspaceId)->first();
    }
    private function queueBaseQuery(): Builder
    {
        $user = auth()->user();
        $workspace = $this->workspace();
        $tenantIds = array_map(
            static fn (Tenant $tenant): int => (int) $tenant->getKey(),
            $this->visibleTenants(),
        );
        if (! $user instanceof User || ! $workspace instanceof Workspace) {
            return Finding::query()->whereRaw('1 = 0');
        }
        return Finding::query()
            ->with(['tenant', 'ownerUser', 'assigneeUser'])
            ->withSubjectDisplayName()
            ->where('workspace_id', (int) $workspace->getKey())
            ->whereIn('tenant_id', $tenantIds === [] ? [-1] : $tenantIds)
            ->where('assignee_user_id', (int) $user->getKey())
            ->whereIn('status', Finding::openStatusesForQuery())
            ->orderByRaw(
                'case when due_at is not null and due_at < ? then 0 when reopened_at is not null then 1 else 2 end asc',
                [now()],
            )
            ->orderByRaw('case when due_at is null then 1 else 0 end asc')
            ->orderBy('due_at')
            ->orderByDesc('id');
    }
    private function filteredQueueQuery(bool $includeTenantFilter = true): Builder
    {
        $query = $this->queueBaseQuery();
        $filters = $this->currentQueueFiltersState();
        if ($includeTenantFilter && ($tenantId = $this->currentTenantFilterIdFromFilters($filters)) !== null) {
            $query->where('tenant_id', $tenantId);
        }
        if ($this->filterIsActive($filters, 'overdue')) {
            $query
                ->whereNotNull('due_at')
                ->where('due_at', '<', now());
        }
        if ($this->filterIsActive($filters, 'reopened')) {
            $query->whereNotNull('reopened_at');
        }
        if ($this->filterIsActive($filters, 'high_severity')) {
            $query->whereIn('severity', Finding::highSeverityValues());
        }
        return $query;
    }
    /**
     * @return array<string, string>
     */
    private function tenantFilterOptions(): array
    {
        return collect($this->visibleTenants())
            ->mapWithKeys(static fn (Tenant $tenant): array => [
                (string) $tenant->getKey() => (string) $tenant->name,
            ])
            ->all();
    }
    private function applyRequestedTenantPrefilter(): void
    {
        $requestedTenant = request()->query('tenant');
        if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
            return;
        }
        foreach ($this->visibleTenants() as $tenant) {
            if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
                continue;
            }
            $this->tableFilters['tenant_id']['value'] = (string) $tenant->getKey();
            $this->tableDeferredFilters['tenant_id']['value'] = (string) $tenant->getKey();
            return;
        }
    }
    private function normalizeTenantFilterState(): void
    {
        $configuredTenantFilter = data_get($this->currentQueueFiltersState(), 'tenant_id.value');
        if ($configuredTenantFilter === null || $configuredTenantFilter === '') {
            return;
        }
        if ($this->currentTenantFilterId() !== null) {
            return;
        }
        $this->removeTableFilter('tenant_id');
    }
    /**
     * @return array<string, mixed>
     */
    private function currentQueueFiltersState(): array
    {
        $persisted = session()->get($this->getTableFiltersSessionKey(), []);
        return array_replace_recursive(
            is_array($persisted) ? $persisted : [],
            $this->tableFilters ?? [],
        );
    }
    private function currentTenantFilterId(): ?int
    {
        return $this->currentTenantFilterIdFromFilters($this->currentQueueFiltersState());
    }
    /**
     * @param  array<string, mixed>  $filters
     */
    private function currentTenantFilterIdFromFilters(array $filters): ?int
    {
        $tenantFilter = data_get($filters, 'tenant_id.value');
        if (! is_numeric($tenantFilter)) {
            return null;
        }
        $tenantId = (int) $tenantFilter;
        foreach ($this->visibleTenants() as $tenant) {
            if ((int) $tenant->getKey() === $tenantId) {
                return $tenantId;
            }
        }
        return null;
    }
    /**
     * @param  array<string, mixed>  $filters
     */
    private function filterIsActive(array $filters, string $name): bool
    {
        return (bool) data_get($filters, "{$name}.isActive", false);
    }
    private function filteredTenant(): ?Tenant
    {
        $tenantId = $this->currentTenantFilterId();
        if (! is_int($tenantId)) {
            return null;
        }
        foreach ($this->visibleTenants() as $tenant) {
            if ((int) $tenant->getKey() === $tenantId) {
                return $tenant;
            }
        }
        return null;
    }
    private function activeVisibleTenant(): ?Tenant
    {
        $activeTenant = app(OperateHubShell::class)->activeEntitledTenant(request());
        if (! $activeTenant instanceof Tenant) {
            return null;
        }
        foreach ($this->visibleTenants() as $tenant) {
            if ($tenant->is($activeTenant)) {
                return $tenant;
            }
        }
        return null;
    }
    private function tenantPrefilterSource(): string
    {
        $tenant = $this->filteredTenant();
        if (! $tenant instanceof Tenant) {
            return 'none';
        }
        $activeTenant = $this->activeVisibleTenant();
        if ($activeTenant instanceof Tenant && $activeTenant->is($tenant)) {
            return 'active_tenant_context';
        }
        return 'explicit_filter';
    }
    private function ownerContext(Finding $record): ?string
    {
        $ownerLabel = FindingResource::accountableOwnerDisplayFor($record);
        $assigneeLabel = $record->assigneeUser?->name;
        if ($record->owner_user_id === null || $ownerLabel === $assigneeLabel) {
            return null;
        }
        return 'Owner: '.$ownerLabel;
    }
    private function reopenedCue(Finding $record): ?string
    {
        if ($record->reopened_at === null) {
            return null;
        }
        return 'Reopened';
    }
    private function tenantFilterAloneExcludesRows(): bool
    {
        if ($this->currentTenantFilterId() === null) {
            return false;
        }
        if ((clone $this->filteredQueueQuery())->exists()) {
            return false;
        }
        return (clone $this->filteredQueueQuery(includeTenantFilter: false))->exists();
    }
    private function findingDetailUrl(Finding $record): string
    {
        $tenant = $record->tenant;
        if (! $tenant instanceof Tenant) {
            return '#';
        }
        $url = FindingResource::getUrl('view', ['record' => $record], panel: 'tenant', tenant: $tenant);
        return $this->appendQuery($url, $this->navigationContext()->toQuery());
    }
    private function navigationContext(): CanonicalNavigationContext
    {
        return new CanonicalNavigationContext(
            sourceSurface: 'findings.my_inbox',
            canonicalRouteName: static::getRouteName(Filament::getPanel('admin')),
            tenantId: $this->currentTenantFilterId(),
            backLinkLabel: 'Back to my findings',
            backLinkUrl: $this->queueUrl(),
        );
    }
    private function queueUrl(): string
    {
        $tenant = $this->filteredTenant();
        return static::getUrl(
            panel: 'admin',
            parameters: array_filter([
                'tenant' => $tenant?->external_id,
            ], static fn (mixed $value): bool => $value !== null && $value !== ''),
        );
    }
    /**
     * @return array<int, Action>
     */
    private function emptyStateActions(): array
    {
        $emptyState = $this->emptyState();
        $action = Action::make((string) $emptyState['action_name'])
            ->label((string) $emptyState['action_label'])
            ->icon('heroicon-o-arrow-right')
            ->color('gray');
        if (($emptyState['action_kind'] ?? null) === 'clear_tenant_filter') {
            return [
                $action->action(fn (): mixed => $this->clearTenantFilter()),
            ];
        }
        return [
            $action->url((string) $emptyState['action_url']),
        ];
    }
    /**
     * @param  array<string, mixed>  $query
     */
    private function appendQuery(string $url, array $query): string
    {
        if ($query === []) {
            return $url;
        }
        return $url.(str_contains($url, '?') ? '&' : '?').http_build_query($query);
    }
 }
--- a/apps/platform/app/Filament/Pages/Governance/GovernanceInbox.php
+++ b/apps/platform/app/Filament/Pages/Governance/GovernanceInbox.php
@ -1,494 +0,0 @@
 <?php
 declare(strict_types=1);
 namespace App\Filament\Pages\Governance;
 use App\Filament\Pages\Findings\FindingsIntakeQueue;
 use App\Filament\Pages\Findings\MyFindingsInbox;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Models\Workspace;
 use App\Services\Auth\CapabilityResolver;
 use App\Services\Auth\WorkspaceCapabilityResolver;
 use App\Services\TenantReviews\TenantReviewRegisterService;
 use App\Support\Auth\Capabilities;
 use App\Support\GovernanceInbox\GovernanceInboxSectionBuilder;
 use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Facades\Filament;
 use Filament\Pages\Page;
 use Illuminate\Support\Str;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use UnitEnum;
 class GovernanceInbox extends Page
 {
    protected static bool $isDiscovered = false;
    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-inbox-stack';
    protected static string|UnitEnum|null $navigationGroup = 'Governance';
    protected static ?string $navigationLabel = 'Governance inbox';
    protected static ?int $navigationSort = 5;
    protected static ?string $title = 'Governance inbox';
    protected static ?string $slug = 'governance/inbox';
    protected string $view = 'filament.pages.governance.governance-inbox';
    /**
     * @var array<int, Tenant>|null
     */
    private ?array $authorizedTenants = null;
    /**
     * @var array<int, Tenant>|null
     */
    private ?array $visibleFindingTenants = null;
    /**
     * @var array<int, Tenant>|null
     */
    private ?array $reviewTenants = null;
    /**
     * @var array<string, mixed>|null
     */
    private ?array $inboxPayload = null;
    /**
     * @var array<string, mixed>|null
     */
    private ?array $unfilteredInboxPayload = null;
    private ?Workspace $workspace = null;
    private ?bool $visibleAlertsFamily = null;
    public ?int $tenantId = null;
    public ?string $family = null;
    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
    {
        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly, ActionSurfaceType::ReadOnlyRegistryReport)
            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions keep the workspace decision surface calm and read-only.')
            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'The governance inbox routes into existing source surfaces instead of exposing row-level secondary actions.')
            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The governance inbox does not expose bulk actions.')
            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty states stay calm and capability-safe when no visible attention exists.')
            ->exempt(ActionSurfaceSlot::DetailHeader, 'The governance inbox owns no local detail surface in v1.');
    }
    public function mount(): void
    {
        $this->authorizeWorkspaceMembership();
        $this->applyRequestedTenantPrefilter();
        $this->family = $this->resolveRequestedFamily();
        $this->ensureAtLeastOneVisibleFamily();
        $this->ensureRequestedFamilyIsVisible();
    }
    /**
     * @return array<string, mixed>
     */
    public function appliedScope(): array
    {
        $selectedTenant = $this->selectedTenant();
        $availableFamilies = collect($this->availableFamilies())
            ->keyBy('key');
        return [
            'workspace_label' => $this->workspace()?->name,
            'tenant_label' => $selectedTenant?->name,
            'tenant_prefilter_source' => $selectedTenant instanceof Tenant ? 'explicit_filter' : 'none',
            'family_key' => $this->family,
            'family_label' => $this->family !== null
                ? ($availableFamilies->get($this->family)['label'] ?? Str::headline($this->family))
                : 'All attention',
            'total_count' => (int) ($this->inboxPayload()['total_count'] ?? 0),
        ];
    }
    /**
     * @return list<array{key: string, label: string, count: int}>
     */
    public function availableFamilies(): array
    {
        return $this->inboxPayload()['available_families'] ?? [];
    }
    /**
     * @return list<array<string, mixed>>
     */
    public function sections(): array
    {
        return $this->inboxPayload()['sections'] ?? [];
    }
    /**
     * @return array<string, mixed>
     */
    public function calmEmptyState(): array
    {
        if ($this->tenantFilterAloneExcludesRows()) {
            return [
                'title' => 'This tenant filter is hiding other visible attention',
                'body' => 'The current tenant scope is calm, but other visible tenants in this workspace still have governance attention.',
                'action_label' => 'Clear tenant filter',
                'action_url' => $this->pageUrl(['tenant' => null]),
            ];
        }
        return [
            'title' => 'No visible governance attention right now',
            'body' => 'The current workspace scope is calm across the visible governance families.',
            'action_label' => null,
            'action_url' => null,
        ];
    }
    public function hasTenantPrefilter(): bool
    {
        return $this->selectedTenant() instanceof Tenant;
    }
    public function isActiveFamily(?string $familyKey): bool
    {
        return $this->family === $familyKey;
    }
    public function pageUrl(array $overrides = []): string
    {
        $selectedTenant = $this->selectedTenant();
        $resolvedTenant = array_key_exists('tenant', $overrides)
            ? $overrides['tenant']
            : ($selectedTenant?->getKey() !== null ? (string) $selectedTenant->getKey() : null);
        $resolvedFamily = array_key_exists('family', $overrides)
            ? $overrides['family']
            : $this->family;
        return static::getUrl(
            panel: 'admin',
            parameters: array_filter([
                'tenant_id' => is_string($resolvedTenant) && $resolvedTenant !== '' ? $resolvedTenant : null,
                'family' => is_string($resolvedFamily) && $resolvedFamily !== '' ? $resolvedFamily : null,
            ], static fn (mixed $value): bool => $value !== null && $value !== ''),
        );
    }
    public function navigationContext(): CanonicalNavigationContext
    {
        return new CanonicalNavigationContext(
            sourceSurface: 'governance.inbox',
            canonicalRouteName: static::getRouteName(Filament::getPanel('admin')),
            tenantId: $this->tenantId,
            backLinkLabel: 'Back to governance inbox',
            backLinkUrl: $this->pageUrl(),
        );
    }
    private function authorizeWorkspaceMembership(): void
    {
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User) {
            abort(403);
        }
        if (! $workspace instanceof Workspace) {
            throw new NotFoundHttpException;
        }
        $resolver = app(WorkspaceCapabilityResolver::class);
        if (! $resolver->isMember($user, $workspace)) {
            throw new NotFoundHttpException;
        }
    }
    private function ensureAtLeastOneVisibleFamily(): void
    {
        if (
            $this->hasVisibleOperationsFamily()
            || $this->visibleFindingTenants() !== []
            || $this->reviewTenants() !== []
            || $this->hasVisibleAlertsFamily()
        ) {
            return;
        }
        abort(403);
    }
    private function ensureRequestedFamilyIsVisible(): void
    {
        if ($this->family === null) {
            return;
        }
        if (in_array($this->family, collect($this->availableFamilies())->pluck('key')->all(), true)) {
            return;
        }
        throw new NotFoundHttpException;
    }
    private function hasVisibleOperationsFamily(): bool
    {
        return $this->authorizedTenants() !== [];
    }
    private function hasVisibleAlertsFamily(): bool
    {
        if (is_bool($this->visibleAlertsFamily)) {
            return $this->visibleAlertsFamily;
        }
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User || ! $workspace instanceof Workspace) {
            return $this->visibleAlertsFamily = false;
        }
        return $this->visibleAlertsFamily = app(WorkspaceCapabilityResolver::class)->can($user, $workspace, Capabilities::ALERTS_VIEW);
    }
    /**
     * @return array<int, Tenant>
     */
    private function visibleFindingTenants(): array
    {
        if ($this->visibleFindingTenants !== null) {
            return $this->visibleFindingTenants;
        }
        $user = auth()->user();
        $tenants = $this->authorizedTenants();
        if (! $user instanceof User || $tenants === []) {
            return $this->visibleFindingTenants = [];
        }
        $resolver = app(CapabilityResolver::class);
        $resolver->primeMemberships(
            $user,
            array_map(static fn (Tenant $tenant): int => (int) $tenant->getKey(), $tenants),
        );
        return $this->visibleFindingTenants = array_values(array_filter(
            $tenants,
            fn (Tenant $tenant): bool => $resolver->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW),
        ));
    }
    /**
     * @return array<int, Tenant>
     */
    private function reviewTenants(): array
    {
        if ($this->reviewTenants !== null) {
            return $this->reviewTenants;
        }
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User || ! $workspace instanceof Workspace) {
            return $this->reviewTenants = [];
        }
        $service = app(TenantReviewRegisterService::class);
        if (! $service->canAccessWorkspace($user, $workspace)) {
            return $this->reviewTenants = [];
        }
        return $this->reviewTenants = $service->authorizedTenants($user, $workspace);
    }
    /**
     * @return array<int, Tenant>
     */
    private function authorizedTenants(): array
    {
        if ($this->authorizedTenants !== null) {
            return $this->authorizedTenants;
        }
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User || ! $workspace instanceof Workspace) {
            return $this->authorizedTenants = [];
        }
        return $this->authorizedTenants = $user->tenants()
            ->where('tenants.workspace_id', (int) $workspace->getKey())
            ->where('tenants.status', 'active')
            ->orderBy('tenants.name')
            ->get(['tenants.id', 'tenants.name', 'tenants.external_id', 'tenants.workspace_id'])
            ->all();
    }
    private function applyRequestedTenantPrefilter(): void
    {
        $requestedTenant = request()->query('tenant_id', request()->query('tenant'));
        if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
            return;
        }
        foreach ($this->authorizedTenants() as $tenant) {
            if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
                continue;
            }
            $this->tenantId = (int) $tenant->getKey();
            return;
        }
        throw new NotFoundHttpException;
    }
    private function resolveRequestedFamily(): ?string
    {
        $family = request()->query('family');
        if (! is_string($family)) {
            return null;
        }
        return in_array($family, [
            'assigned_findings',
            'intake_findings',
            'stale_operations',
            'alert_delivery_failures',
            'review_follow_up',
        ], true) ? $family : null;
    }
    private function workspace(): ?Workspace
    {
        if ($this->workspace instanceof Workspace) {
            return $this->workspace;
        }
        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
        if (! is_int($workspaceId)) {
            return null;
        }
        return $this->workspace = Workspace::query()->whereKey($workspaceId)->first();
    }
    /**
     * @return array<string, mixed>
     */
    private function inboxPayload(): array
    {
        if (is_array($this->inboxPayload)) {
            return $this->inboxPayload;
        }
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User || ! $workspace instanceof Workspace) {
            return $this->inboxPayload = [
                'sections' => [],
                'available_families' => [],
                'family_counts' => [],
                'total_count' => 0,
            ];
        }
        return $this->inboxPayload = app(GovernanceInboxSectionBuilder::class)->build(
            user: $user,
            workspace: $workspace,
            authorizedTenants: $this->authorizedTenants(),
            visibleFindingTenants: $this->visibleFindingTenants(),
            reviewTenants: $this->reviewTenants(),
            canViewAlerts: $this->hasVisibleAlertsFamily(),
            selectedTenant: $this->selectedTenant(),
            selectedFamily: $this->family,
            navigationContext: $this->navigationContext(),
        );
    }
    /**
     * @return array<string, mixed>
     */
    private function unfilteredInboxPayload(): array
    {
        if (is_array($this->unfilteredInboxPayload)) {
            return $this->unfilteredInboxPayload;
        }
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User || ! $workspace instanceof Workspace) {
            return $this->unfilteredInboxPayload = [
                'sections' => [],
                'available_families' => [],
                'family_counts' => [],
                'total_count' => 0,
            ];
        }
        return $this->unfilteredInboxPayload = app(GovernanceInboxSectionBuilder::class)->build(
            user: $user,
            workspace: $workspace,
            authorizedTenants: $this->authorizedTenants(),
            visibleFindingTenants: $this->visibleFindingTenants(),
            reviewTenants: $this->reviewTenants(),
            canViewAlerts: $this->hasVisibleAlertsFamily(),
            selectedTenant: null,
            selectedFamily: null,
            navigationContext: $this->navigationContext(),
        );
    }
    private function selectedTenant(): ?Tenant
    {
        if (! is_int($this->tenantId)) {
            return null;
        }
        foreach ($this->authorizedTenants() as $tenant) {
            if ((int) $tenant->getKey() === $this->tenantId) {
                return $tenant;
            }
        }
        return null;
    }
    private function tenantFilterAloneExcludesRows(): bool
    {
        if (! is_int($this->tenantId) || $this->family !== null) {
            return false;
        }
        if ($this->sections() !== []) {
            return false;
        }
        return (int) ($this->unfilteredInboxPayload()['total_count'] ?? 0) > 0;
    }
 }
--- a/apps/platform/app/Filament/Pages/InventoryCoverage.php
+++ b/apps/platform/app/Filament/Pages/InventoryCoverage.php
@ -20,8 +20,6 @@
 use App\Support\Badges\TagBadgeDomain;
 use App\Support\Inventory\TenantCoverageTruth;
 use App\Support\Inventory\TenantCoverageTruthResolver;
 use App\Support\OperationRunLinks;
 use App\Support\OperationRunType;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\ActionSurfaceDefaults;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
@ -523,7 +521,7 @@ public function basisRunSummary(): array
                'badgeColor' => null,
                'runUrl' => null,
                'historyUrl' => null,
-                'inventoryItemsUrl' => InventoryItemResource::getUrl('index', panel: 'tenant', tenant: $tenant),
+                'inventoryItemsUrl' => InventoryItemResource::getUrl('index', tenant: $tenant),
            ];
        }
@ -537,9 +535,9 @@ public function basisRunSummary(): array
                : 'The coverage basis is current, but your role cannot open the cited run detail.',
            'badgeLabel' => $badge->label,
            'badgeColor' => $badge->color,
-            'runUrl' => $canViewRun ? OperationRunLinks::view($truth->basisRun, $tenant) : null,
+            'runUrl' => $canViewRun ? route('admin.operations.view', ['run' => (int) $truth->basisRun->getKey()]) : null,
            'historyUrl' => $canViewRun ? $this->inventorySyncHistoryUrl($tenant) : null,
-            'inventoryItemsUrl' => InventoryItemResource::getUrl('index', panel: 'tenant', tenant: $tenant),
+            'inventoryItemsUrl' => InventoryItemResource::getUrl('index', tenant: $tenant),
        ];
    }
@ -562,6 +560,13 @@ protected function coverageTruth(): ?TenantCoverageTruth
    private function inventorySyncHistoryUrl(Tenant $tenant): string
    {
-        return OperationRunLinks::index($tenant, operationType: OperationRunType::InventorySync->value);
+        return route('admin.operations.index', [
            'tenant_id' => (int) $tenant->getKey(),
            'tableFilters' => [
                'type' => [
                    'value' => 'inventory_sync',
                ],
            ],
        ]);
    }
 }
--- a/apps/platform/app/Filament/Pages/Operations/TenantlessOperationRunViewer.php
+++ b/apps/platform/app/Filament/Pages/Operations/TenantlessOperationRunViewer.php
@ -6,10 +6,8 @@
 use App\Filament\Resources\OperationRunResource;
 use App\Models\OperationRun;
 use App\Models\SupportRequest;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Services\Audit\WorkspaceAuditLogger;
 use App\Services\Auth\CapabilityResolver;
 use App\Services\Auth\WorkspaceCapabilityResolver;
 use App\Services\Baselines\BaselineEvidenceCaptureResumeService;
@ -18,20 +16,13 @@
 use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\Navigation\RelatedNavigationResolver;
 use App\Support\OperateHub\OperateHubShell;
 use App\Support\OperationCatalog;
 use App\Support\OperationRunLinks;
 use App\Support\OperationRunType;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
 use App\Support\OpsUx\RunDetailPolling;
 use App\Support\ProductTelemetry\ProductTelemetryRecorder;
 use App\Support\ProductTelemetry\ProductUsageEventCatalog;
 use App\Support\ReasonTranslation\ReasonPresenter;
 use App\Support\RedactionIntegrity;
 use App\Support\RestoreSafety\RestoreSafetyCopy;
 use App\Support\Rbac\UiEnforcement;
 use App\Support\SupportDiagnostics\SupportDiagnosticBundleBuilder;
 use App\Support\SupportRequests\SupportRequestSubmissionService;
 use App\Support\Tenants\ReferencedTenantLifecyclePresentation;
 use App\Support\Tenants\TenantInteractionLane;
 use App\Support\Tenants\TenantOperabilityQuestion;
@ -42,15 +33,10 @@
 use App\Support\Ui\OperatorExplanation\OperatorExplanationPattern;
 use Filament\Actions\Action;
 use Filament\Actions\ActionGroup;
 use Filament\Forms\Components\Placeholder;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\TextInput;
 use Filament\Forms\Components\Textarea;
 use Filament\Notifications\Notification;
 use Filament\Pages\Page;
 use Filament\Schemas\Components\EmbeddedSchema;
 use Filament\Schemas\Schema;
 use Illuminate\Contracts\View\View;
 use Illuminate\Contracts\Support\Htmlable;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Support\Str;
@ -93,11 +79,6 @@ public function getTitle(): string|Htmlable
     */
    public ?array $navigationContextPayload = null;
    /**
     * @var list<string>
     */
    public array $supportDiagnosticsAuditKeys = [];
    /**
     * @return array<Action|ActionGroup>
     */
@ -129,14 +110,14 @@ protected function getHeaderActions(): array
            $actions[] = Action::make('operate_hub_back_to_operations')
                ->label('Back to Operations')
                ->color('gray')
-                ->url(fn (): string => OperationRunLinks::index());
+                ->url(fn (): string => route('admin.operations.index'));
        }
        if ($activeTenant instanceof Tenant) {
            $actions[] = Action::make('operate_hub_show_all_operations')
                ->label('Show all operations')
                ->color('gray')
-                ->url(fn (): string => OperationRunLinks::index());
+                ->url(fn (): string => route('admin.operations.index'));
        }
        $actions[] = Action::make('refresh')
@ -145,7 +126,7 @@ protected function getHeaderActions(): array
            ->color('primary')
            ->url(fn (): string => isset($this->run)
                ? OperationRunLinks::tenantlessView($this->run, $navigationContext)
-                : OperationRunLinks::index());
+                : route('admin.operations.index'));
        if (! isset($this->run)) {
            return $actions;
@ -169,14 +150,6 @@ protected function getHeaderActions(): array
                ->color('gray');
        }
        $actions[] = ActionGroup::make([
            $this->openSupportDiagnosticsAction(),
            $this->requestSupportAction(),
        ])
            ->label('More')
            ->icon('heroicon-o-ellipsis-horizontal')
            ->color('gray');
        $actions[] = $this->resumeCaptureAction();
        return $actions;
@ -233,226 +206,6 @@ public function monitoringDetailSummary(): array
        ];
    }
    private function openSupportDiagnosticsAction(): Action
    {
        $action = Action::make('openSupportDiagnostics')
            ->label('Open support diagnostics')
            ->icon('heroicon-o-lifebuoy')
            ->color('gray')
            ->record($this->run)
            ->modal()
            ->slideOver()
            ->stickyModalHeader()
            ->modalHeading('Support diagnostics')
            ->modalDescription('Redacted operation context from existing records.')
            ->modalSubmitAction(false)
            ->modalCancelAction(fn (Action $action): Action => $action->label('Close'))
            ->mountUsing(function (): void {
                $this->auditOperationSupportDiagnosticsOpen();
            })
            ->modalContent(fn (): View => view('filament.modals.support-diagnostic-bundle', [
                'bundle' => $this->operationRunSupportDiagnosticBundle(),
            ]));
        return UiEnforcement::forAction($action)
            ->requireCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW)
            ->apply();
    }
    public function authorizeOperationRunSupportRequest(): void
    {
        $this->resolveRunTenantForCapability(Capabilities::SUPPORT_REQUESTS_CREATE);
    }
    private function requestSupportAction(): Action
    {
        $action = Action::make('requestSupport')
            ->label('Request support')
            ->icon('heroicon-o-paper-airplane')
            ->record($this->run)
            ->slideOver()
            ->stickyModalHeader()
            ->modalHeading('Request support')
            ->modalDescription('Share a concise summary and TenantAtlas will attach redacted context from the current run.')
            ->modalSubmitActionLabel('Submit support request')
            ->form([
                Placeholder::make('primary_context')
                    ->label('Primary context')
                    ->content(fn (): string => OperationRunLinks::identifier($this->run))
                    ->columnSpanFull(),
                Placeholder::make('included_context')
                    ->label('Included context')
                    ->content(fn (): string => $this->operationSupportRequestAttachmentSummary())
                    ->columnSpanFull(),
                Select::make('severity')
                    ->label('Severity')
                    ->options(SupportRequest::severityOptions())
                    ->default(SupportRequest::SEVERITY_NORMAL)
                    ->required()
                    ->native(false),
                TextInput::make('summary')
                    ->label('Summary')
                    ->required()
                    ->columnSpanFull(),
                Textarea::make('reproduction_notes')
                    ->label('Reproduction notes')
                    ->rows(4)
                    ->columnSpanFull(),
                TextInput::make('contact_name')
                    ->label('Contact name')
                    ->default(fn (): ?string => $this->resolveViewerActor()->name),
                TextInput::make('contact_email')
                    ->label('Contact email')
                    ->email()
                    ->default(fn (): ?string => $this->resolveViewerActor()->email),
            ])
            ->action(function (array $data): void {
                $actor = $this->resolveViewerActor();
                $supportRequest = app(SupportRequestSubmissionService::class)->submitForOperationRun($this->run, $actor, $data);
                Notification::make()
                    ->title('Support request submitted')
                    ->body('Reference '.$supportRequest->internal_reference)
                    ->success()
                    ->send();
            });
        return UiEnforcement::forAction($action)
            ->requireCapability(Capabilities::SUPPORT_REQUESTS_CREATE)
            ->apply();
    }
    /**
     * @return array<string, mixed>
     */
    public function operationRunSupportDiagnosticBundle(): array
    {
        $user = $this->resolveViewerActor();
        $tenant = $this->resolveRunTenantForCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
        return app(SupportDiagnosticBundleBuilder::class)->forOperationRun($this->run, $user);
    }
    private function auditOperationSupportDiagnosticsOpen(): void
    {
        $user = $this->resolveViewerActor();
        $tenant = $this->resolveRunTenantForCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
        $this->recordSupportDiagnosticsOpened(
            tenant: $tenant,
            bundle: $this->operationRunSupportDiagnosticBundle(),
            user: $user,
        );
    }
    private function supportDiagnosticsTenant(): ?Tenant
    {
        if (! isset($this->run)) {
            return null;
        }
        $tenant = $this->run->tenant;
        if ($tenant instanceof Tenant) {
            return $tenant;
        }
        return $this->run->loadMissing('tenant')->tenant;
    }
    private function resolveViewerActor(): User
    {
        $user = auth()->user();
        if (! $user instanceof User) {
            abort(403);
        }
        return $user;
    }
    private function resolveRunTenantForCapability(string $capability): Tenant
    {
        $tenant = $this->supportDiagnosticsTenant();
        $user = $this->resolveViewerActor();
        if (! $tenant instanceof Tenant) {
            abort(404);
        }
        $resolver = app(CapabilityResolver::class);
        if (! $resolver->isMember($user, $tenant)) {
            abort(404);
        }
        if (! $resolver->can($user, $tenant, $capability)) {
            abort(403);
        }
        return $tenant;
    }
    private function operationSupportRequestAttachmentSummary(): string
    {
        $tenant = $this->supportDiagnosticsTenant();
        $user = auth()->user();
        if (! $tenant instanceof Tenant || ! $user instanceof User) {
            return 'Only canonical redacted run context will be attached.';
        }
        $resolver = app(CapabilityResolver::class);
        if (! $resolver->isMember($user, $tenant)) {
            return 'Only canonical redacted run context will be attached.';
        }
        return $resolver->can($user, $tenant, Capabilities::SUPPORT_DIAGNOSTICS_VIEW)
            ? 'A redacted diagnostic snapshot and the canonical run context will be attached.'
            : 'Only the canonical redacted run context will be attached because you cannot view support diagnostics.';
    }
    /**
     * @param  array<string, mixed>  $bundle
     */
    private function recordSupportDiagnosticsOpened(Tenant $tenant, array $bundle, User $user): void
    {
        if (! isset($this->run)) {
            return;
        }
        $auditKey = 'operation:'.$this->run->getKey();
        if (in_array($auditKey, $this->supportDiagnosticsAuditKeys, true)) {
            return;
        }
        app(WorkspaceAuditLogger::class)->logSupportDiagnosticsOpened(
            tenant: $tenant,
            contextType: 'operation_run',
            bundle: $bundle,
            actor: $user,
            operationRun: $this->run,
        );
        app(ProductTelemetryRecorder::class)->record(
            eventName: ProductUsageEventCatalog::SUPPORT_DIAGNOSTICS_OPENED,
            workspaceId: (int) $tenant->workspace_id,
            tenantId: (int) $tenant->getKey(),
            userId: (int) $user->getKey(),
            subjectType: 'operation_run',
            subjectId: (int) $this->run->getKey(),
            metadata: [
                'source_surface' => 'operation_run_viewer',
                'operation_type' => (string) $this->run->type,
            ],
        );
        $this->supportDiagnosticsAuditKeys[] = $auditKey;
    }
    public function mount(OperationRun $run): void
    {
        $user = auth()->user();
@ -493,22 +246,21 @@ public function blockedExecutionBanner(): ?array
            return null;
        }
-        $reasonEnvelope = app(ReasonPresenter::class)->forOperationRun($this->run, 'detail');
+        $operatorExplanation = $this->governanceOperatorExplanation();
-        $body = 'This run was blocked before the artifact-producing work could finish. Review the summary below for the dominant blocker and next step.';
+        $reasonEnvelope = app(ReasonPresenter::class)->forOperationRun($this->run, 'run_detail');
-
+        $lines = $operatorExplanation instanceof OperatorExplanationPattern
-        if ($reasonEnvelope !== null) {
+            ? array_values(array_filter([
-            $body = trim(sprintf(
+                $operatorExplanation->headline,
-                '%s %s %s',
+                $operatorExplanation->dominantCauseExplanation,
-                $body,
+            ]))
-                rtrim($reasonEnvelope->operatorLabel, '.'),
+            : ($reasonEnvelope?->toBodyLines(false) ?? [
-                $reasonEnvelope->shortExplanation,
+                $this->surfaceFailureDetail() ?? 'The queued operation was refused before side effects could begin.',
-            ));
+            ]);
        }
        return [
            'tone' => 'amber',
            'title' => 'Blocked by prerequisite',
-            'body' => $body,
+            'body' => implode(' ', array_values(array_unique($lines))),
        ];
    }
@ -754,14 +506,12 @@ private function canResumeCapture(): bool
            return false;
        }
-        $canonicalType = OperationCatalog::canonicalCode((string) $this->run->type);
+        if (! in_array((string) $this->run->type, ['baseline_capture', 'baseline_compare'], true)) {
        if (! in_array($canonicalType, [OperationRunType::BaselineCapture->value, OperationRunType::BaselineCompare->value], true)) {
            return false;
        }
        $context = is_array($this->run->context) ? $this->run->context : [];
-        $tokenKey = $canonicalType === OperationRunType::BaselineCapture->value
+        $tokenKey = (string) $this->run->type === 'baseline_capture'
            ? 'baseline_capture.resume_token'
            : 'baseline_compare.resume_token';
        $token = data_get($context, $tokenKey);
--- a/apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php
+++ b/apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php
@ -1,530 +0,0 @@
 <?php
 declare(strict_types=1);
 namespace App\Filament\Pages\Reviews;
 use App\Filament\Resources\TenantReviewResource;
 use App\Models\Tenant;
 use App\Models\ReviewPack;
 use App\Models\TenantReview;
 use App\Models\User;
 use App\Models\Workspace;
 use App\Services\ReviewPackService;
 use App\Services\TenantReviews\TenantReviewRegisterService;
 use App\Support\Auth\Capabilities;
 use App\Support\Findings\FindingOutcomeSemantics;
 use App\Support\Filament\TablePaginationProfiles;
 use App\Support\ReviewPackStatus;
 use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
 use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
 use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthEnvelope;
 use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthPresenter;
 use App\Support\Ui\GovernanceArtifactTruth\CompressedGovernanceOutcome;
 use App\Support\Ui\GovernanceArtifactTruth\SurfaceCompressionContext;
 use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions\Action;
 use Filament\Pages\Page;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Concerns\InteractsWithTable;
 use Filament\Tables\Contracts\HasTable;
 use Filament\Tables\Filters\SelectFilter;
 use Filament\Tables\Table;
 use Illuminate\Database\Eloquent\Builder;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use UnitEnum;
 class CustomerReviewWorkspace extends Page implements HasTable
 {
    use InteractsWithTable;
    public const string DETAIL_CONTEXT_QUERY_KEY = 'customer_workspace';
    private const string SOURCE_SURFACE = 'customer_review_workspace';
    protected static bool $isDiscovered = false;
    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-document-text';
    protected static string|UnitEnum|null $navigationGroup = 'Reporting';
    protected static ?string $navigationLabel = 'Customer reviews';
    protected static ?int $navigationSort = 44;
    protected static ?string $title = 'Customer Review Workspace';
    protected static ?string $slug = 'reviews/workspace';
    protected string $view = 'filament.pages.reviews.customer-review-workspace';
    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
    {
        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog, ActionSurfaceType::ReadOnlyRegistryReport)
            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions provide a single Clear filters action for the customer review workspace.')
            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The customer review workspace remains scan-first and does not expose bulk actions.')
            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state keeps exactly one Clear filters CTA when filters are active.')
            ->exempt(ActionSurfaceSlot::DetailHeader, 'Row navigation opens the latest published review detail instead of an inline canonical detail panel.');
    }
    public static function getNavigationGroup(): string
    {
        return __('localization.review.reporting');
    }
    public static function getNavigationLabel(): string
    {
        return __('localization.review.customer_reviews');
    }
    public function getTitle(): string
    {
        return __('localization.review.customer_review_workspace');
    }
    public static function tenantPrefilterUrl(Tenant $tenant): string
    {
        $tenantIdentifier = filled($tenant->external_id)
            ? (string) $tenant->external_id
            : (string) $tenant->getKey();
        return static::getUrl(panel: 'admin').'?'.http_build_query([
            'tenant' => $tenantIdentifier,
        ]);
    }
    /**
     * @var array<int, Tenant>|null
     */
    private ?array $authorizedTenants = null;
    public function mount(): void
    {
        $this->authorizePageAccess();
        $this->applyRequestedTenantPrefilter();
        $this->mountInteractsWithTable();
    }
    protected function getHeaderActions(): array
    {
        return [
            Action::make('clear_filters')
                ->label(__('localization.review.clear_filters'))
                ->icon('heroicon-o-x-mark')
                ->color('gray')
                ->visible(fn (): bool => $this->hasActiveFilters())
                ->action(function (): void {
                    $this->clearWorkspaceFilters();
                }),
        ];
    }
    public function table(Table $table): Table
    {
        return $table
            ->query(fn (): Builder => $this->workspaceQuery())
            ->defaultSort('name')
            ->paginated(TablePaginationProfiles::customPage())
            ->persistFiltersInSession()
            ->persistSearchInSession()
            ->persistSortInSession()
            ->recordUrl(fn (Tenant $record): ?string => $this->latestReviewUrl($record))
            ->columns([
                TextColumn::make('name')->label(__('localization.review.tenant'))->searchable()->sortable(),
                TextColumn::make('latest_review')
                    ->label(__('localization.review.latest_review'))
                    ->badge()
                    ->getStateUsing(fn (Tenant $record): string => $this->latestReviewStateLabel($record))
                    ->color(fn (Tenant $record): string => $this->latestReviewStateColor($record))
                    ->icon(fn (Tenant $record): ?string => $this->latestReviewStateIcon($record))
                    ->iconColor(fn (Tenant $record): ?string => $this->latestReviewStateIconColor($record))
                    ->description(fn (Tenant $record): ?string => $this->reviewOutcomeDescription($record))
                    ->wrap(),
                TextColumn::make('finding_summary')
                    ->label(__('localization.review.key_findings'))
                    ->getStateUsing(fn (Tenant $record): string => $this->findingSummary($record))
                    ->wrap(),
                TextColumn::make('accepted_risk_summary')
                    ->label(__('localization.review.accepted_risks'))
                    ->getStateUsing(fn (Tenant $record): string => $this->acceptedRiskSummary($record))
                    ->wrap(),
                TextColumn::make('published_at')
                    ->label(__('localization.review.published'))
                    ->getStateUsing(fn (Tenant $record): ?string => $this->latestPublishedAt($record)?->toDateTimeString())
                    ->dateTime()
                    ->placeholder('—'),
                TextColumn::make('review_pack_state')
                    ->label(__('localization.review.review_pack'))
                    ->getStateUsing(fn (Tenant $record): string => $this->reviewPackAvailability($record)),
            ])
            ->filters([
                SelectFilter::make('tenant_id')
                    ->label(__('localization.review.tenant'))
                    ->options(fn (): array => $this->tenantFilterOptions())
                    ->default(fn (): ?string => $this->defaultTenantFilter())
                    ->query(function (Builder $query, array $data): Builder {
                        $tenantId = $data['value'] ?? null;
                        return is_numeric($tenantId)
                            ? $query->whereKey((int) $tenantId)
                            : $query;
                    })
                    ->searchable(),
            ])
            ->actions([
                Action::make('open_latest_review')
                    ->label(__('localization.review.open_latest_review'))
                    ->icon('heroicon-o-arrow-top-right-on-square')
                    ->url(fn (Tenant $record): ?string => $this->latestReviewUrl($record))
                    ->visible(fn (Tenant $record): bool => $this->latestPublishedReview($record) instanceof TenantReview),
                Action::make('download_review_pack')
                    ->label(__('localization.review.download_review_pack'))
                    ->icon('heroicon-o-arrow-down-tray')
                    ->url(fn (Tenant $record): ?string => $this->latestReviewPackDownloadUrl($record))
                    ->openUrlInNewTab()
                    ->visible(fn (Tenant $record): bool => is_string($this->latestReviewPackDownloadUrl($record))),
            ])
            ->bulkActions([])
            ->emptyStateHeading(__('localization.review.no_entitled_tenants'))
            ->emptyStateDescription(fn (): string => $this->hasActiveFilters()
                ? __('localization.review.clear_filters_description')
                : __('localization.review.adjust_filters_description'))
            ->emptyStateActions([
                Action::make('clear_filters_empty')
                    ->label(__('localization.review.clear_filters'))
                    ->icon('heroicon-o-x-mark')
                    ->color('gray')
                    ->visible(fn (): bool => $this->hasActiveFilters())
                    ->action(fn (): mixed => $this->clearWorkspaceFilters()),
            ]);
    }
    /**
     * @return array<int, Tenant>
     */
    public function authorizedTenants(): array
    {
        if ($this->authorizedTenants !== null) {
            return $this->authorizedTenants;
        }
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User || ! $workspace instanceof Workspace) {
            return $this->authorizedTenants = [];
        }
        return $this->authorizedTenants = app(TenantReviewRegisterService::class)->authorizedTenants($user, $workspace);
    }
    private function authorizePageAccess(): void
    {
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User) {
            abort(403);
        }
        if (! $workspace instanceof Workspace) {
            throw new NotFoundHttpException;
        }
        $service = app(TenantReviewRegisterService::class);
        if (! $service->canAccessWorkspace($user, $workspace)) {
            throw new NotFoundHttpException;
        }
        if ($this->authorizedTenants() === []) {
            throw new NotFoundHttpException;
        }
    }
    private function workspaceQuery(): Builder
    {
        $user = auth()->user();
        $workspace = $this->workspace();
        if (! $user instanceof User || ! $workspace instanceof Workspace) {
            return Tenant::query()->whereRaw('1 = 0');
        }
        return app(TenantReviewRegisterService::class)->customerWorkspaceTenantQuery($user, $workspace);
    }
    /**
     * @return array<string, string>
     */
    private function tenantFilterOptions(): array
    {
        return collect($this->authorizedTenants())
            ->mapWithKeys(static fn (Tenant $tenant): array => [
                (string) $tenant->getKey() => $tenant->name,
            ])
            ->all();
    }
    private function defaultTenantFilter(): ?string
    {
        $tenantId = app(WorkspaceContext::class)->lastTenantId(request());
        return is_int($tenantId) && array_key_exists($tenantId, $this->authorizedTenants())
            ? (string) $tenantId
            : null;
    }
    private function applyRequestedTenantPrefilter(): void
    {
        $requestedTenant = request()->query('tenant', request()->query('tenant_id'));
        if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
            return;
        }
        foreach ($this->authorizedTenants() as $tenant) {
            if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
                continue;
            }
            $this->tableFilters['tenant_id']['value'] = (string) $tenant->getKey();
            $this->tableDeferredFilters['tenant_id']['value'] = (string) $tenant->getKey();
            return;
        }
        throw new NotFoundHttpException;
    }
    private function hasActiveFilters(): bool
    {
        return $this->currentTenantFilterId() !== null;
    }
    private function clearWorkspaceFilters(): void
    {
        app(WorkspaceContext::class)->clearLastTenantId(request());
        $this->removeTableFilters();
    }
    private function currentTenantFilterId(): ?int
    {
        $tenantFilter = data_get($this->tableFilters, 'tenant_id.value');
        if (! is_numeric($tenantFilter)) {
            $tenantFilter = data_get(session()->get($this->getTableFiltersSessionKey(), []), 'tenant_id.value');
        }
        return is_numeric($tenantFilter) ? (int) $tenantFilter : null;
    }
    private function workspace(): ?Workspace
    {
        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
        return is_numeric($workspaceId)
            ? Workspace::query()->whereKey((int) $workspaceId)->first()
            : null;
    }
    private function latestPublishedReview(Tenant $tenant): ?TenantReview
    {
        $review = $tenant->tenantReviews->first();
        return $review instanceof TenantReview ? $review : null;
    }
    private function latestReviewUrl(Tenant $tenant): ?string
    {
        $review = $this->latestPublishedReview($tenant);
        if (! $review instanceof TenantReview) {
            return null;
        }
        return TenantReviewResource::tenantScopedUrl('view', ['record' => $review], $tenant, 'tenant').'?'.http_build_query([
            self::DETAIL_CONTEXT_QUERY_KEY => 1,
        ]);
    }
    private function latestReviewPack(Tenant $tenant): ?ReviewPack
    {
        $review = $this->latestPublishedReview($tenant);
        $pack = $review?->currentExportReviewPack;
        return $pack instanceof ReviewPack ? $pack : null;
    }
    private function latestReviewPackDownloadUrl(Tenant $tenant): ?string
    {
        $user = auth()->user();
        $pack = $this->latestReviewPack($tenant);
        if (! $user instanceof User || ! $pack instanceof ReviewPack) {
            return null;
        }
        if (! $user->can(Capabilities::REVIEW_PACK_VIEW, $tenant)) {
            return null;
        }
        if ($pack->status !== ReviewPackStatus::Ready->value) {
            return null;
        }
        if ($pack->expires_at !== null && $pack->expires_at->isPast()) {
            return null;
        }
        return app(ReviewPackService::class)->generateDownloadUrl($pack, [
            'source_surface' => self::SOURCE_SURFACE,
        ]);
    }
    private function latestPublishedAt(Tenant $tenant): ?\Illuminate\Support\Carbon
    {
        return $this->latestPublishedReview($tenant)?->published_at;
    }
    private function reviewTruth(Tenant $tenant): ?ArtifactTruthEnvelope
    {
        $review = $this->latestPublishedReview($tenant);
        return $review instanceof TenantReview
            ? app(ArtifactTruthPresenter::class)->forTenantReview($review)
            : null;
    }
    private function reviewOutcome(Tenant $tenant): ?CompressedGovernanceOutcome
    {
        $presenter = app(ArtifactTruthPresenter::class);
        $review = $this->latestPublishedReview($tenant);
        $truth = $this->reviewTruth($tenant);
        if (! $review instanceof TenantReview || ! $truth instanceof ArtifactTruthEnvelope) {
            return null;
        }
        return $presenter->compressedOutcomeFor($review, SurfaceCompressionContext::reviewRegister())
            ?? $presenter->compressedOutcomeFromEnvelope($truth, SurfaceCompressionContext::reviewRegister());
    }
    private function latestReviewStateLabel(Tenant $tenant): string
    {
        return $this->reviewOutcome($tenant)?->primaryLabel ?? __('localization.review.no_published_review');
    }
    private function latestReviewStateColor(Tenant $tenant): string
    {
        return $this->reviewOutcome($tenant)?->primaryBadge->color ?? 'gray';
    }
    private function latestReviewStateIcon(Tenant $tenant): ?string
    {
        return $this->reviewOutcome($tenant)?->primaryBadge->icon;
    }
    private function latestReviewStateIconColor(Tenant $tenant): ?string
    {
        return $this->reviewOutcome($tenant)?->primaryBadge->iconColor;
    }
    private function reviewOutcomeDescription(Tenant $tenant): ?string
    {
        $review = $this->latestPublishedReview($tenant);
        if (! $review instanceof TenantReview) {
            return __('localization.review.no_published_review_available');
        }
        $primaryReason = $this->reviewOutcome($tenant)?->primaryReason;
        $summary = is_array($review->summary) ? $review->summary : [];
        $findingOutcomes = $summary['finding_outcomes'] ?? null;
        if (! is_array($findingOutcomes)) {
            return $primaryReason;
        }
        $findingOutcomeSummary = app(FindingOutcomeSemantics::class)->compactOutcomeSummary($findingOutcomes);
        if ($findingOutcomeSummary === null) {
            return $primaryReason;
        }
        return trim($primaryReason.' '.__('localization.review.terminal_outcomes').': '.$findingOutcomeSummary.'.');
    }
    private function findingSummary(Tenant $tenant): string
    {
        $review = $this->latestPublishedReview($tenant);
        if (! $review instanceof TenantReview) {
            return __('localization.review.no_published_review_available');
        }
        $summary = is_array($review->summary) ? $review->summary : [];
        $findingCount = (int) ($summary['finding_count'] ?? 0);
        $findingOutcomes = is_array($summary['finding_outcomes'] ?? null) ? $summary['finding_outcomes'] : [];
        $terminalOutcomes = app(FindingOutcomeSemantics::class)->compactOutcomeSummary($findingOutcomes);
        if ($findingCount === 0) {
            return __('localization.review.no_findings_recorded');
        }
        if ($terminalOutcomes === null) {
            return __('localization.review.findings_count_summary', ['count' => $findingCount]);
        }
        return __('localization.review.findings_count_with_outcomes', [
            'count' => $findingCount,
            'outcomes' => $terminalOutcomes,
        ]);
    }
    private function acceptedRiskSummary(Tenant $tenant): string
    {
        $review = $this->latestPublishedReview($tenant);
        if (! $review instanceof TenantReview) {
            return __('localization.review.no_published_review_available');
        }
        $summary = is_array($review->summary) ? $review->summary : [];
        $riskAcceptance = is_array($summary['risk_acceptance'] ?? null) ? $summary['risk_acceptance'] : [];
        $statusMarkedCount = (int) ($riskAcceptance['status_marked_count'] ?? 0);
        $validGovernedCount = (int) ($riskAcceptance['valid_governed_count'] ?? 0);
        $warningCount = (int) ($riskAcceptance['warning_count'] ?? 0);
        return match (true) {
            $statusMarkedCount === 0 => __('localization.review.no_accepted_risks_recorded'),
            $warningCount > 0 => __('localization.review.accepted_risks_need_follow_up', ['warnings' => $warningCount, 'total' => $statusMarkedCount]),
            $validGovernedCount > 0 => __('localization.review.accepted_risks_governed', ['count' => $validGovernedCount]),
            default => __('localization.review.accepted_risks_on_record', ['count' => $statusMarkedCount]),
        };
    }
    private function reviewPackAvailability(Tenant $tenant): string
    {
        $pack = $this->latestReviewPack($tenant);
        if (! $pack instanceof ReviewPack) {
            return __('localization.review.unavailable');
        }
        if ($pack->status !== ReviewPackStatus::Ready->value) {
            return __('localization.review.unavailable');
        }
        if ($pack->expires_at !== null && $pack->expires_at->isPast()) {
            return __('localization.review.unavailable');
        }
        return __('localization.review.available');
    }
 }
--- a/apps/platform/app/Filament/Pages/Reviews/ReviewRegister.php
+++ b/apps/platform/app/Filament/Pages/Reviews/ReviewRegister.php
@ -9,13 +9,11 @@
 use App\Models\TenantReview;
 use App\Models\User;
 use App\Models\Workspace;
 use App\Services\ReviewPackService;
 use App\Services\TenantReviews\TenantReviewRegisterService;
 use App\Support\Auth\Capabilities;
 use App\Support\Badges\BadgeCatalog;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
 use App\Support\Findings\FindingOutcomeSemantics;
 use App\Support\Filament\CanonicalAdminTenantFilterState;
 use App\Support\Filament\FilterPresets;
 use App\Support\Filament\TablePaginationProfiles;
@ -124,17 +122,17 @@ public function table(Table $table): Table
                TextColumn::make('outcome')
                    ->label('Outcome')
                    ->badge()
-                    ->getStateUsing(\Closure::fromCallable([$this, 'reviewOutcomeLabel']))
+                    ->getStateUsing(fn (TenantReview $record): string => $this->reviewOutcome($record)->primaryLabel)
-                    ->color(\Closure::fromCallable([$this, 'reviewOutcomeBadgeColor']))
+                    ->color(fn (TenantReview $record): string => $this->reviewOutcome($record)->primaryBadge->color)
-                    ->icon(\Closure::fromCallable([$this, 'reviewOutcomeBadgeIcon']))
+                    ->icon(fn (TenantReview $record): ?string => $this->reviewOutcome($record)->primaryBadge->icon)
-                    ->iconColor(\Closure::fromCallable([$this, 'reviewOutcomeBadgeIconColor']))
+                    ->iconColor(fn (TenantReview $record): ?string => $this->reviewOutcome($record)->primaryBadge->iconColor)
-                    ->description(\Closure::fromCallable([$this, 'reviewOutcomeDescription']))
+                    ->description(fn (TenantReview $record): ?string => $this->reviewOutcome($record)->primaryReason)
                    ->wrap(),
                TextColumn::make('generated_at')->dateTime()->placeholder('—')->sortable(),
                TextColumn::make('published_at')->dateTime()->placeholder('—')->sortable(),
                TextColumn::make('next_step')
                    ->label('Next step')
-                    ->getStateUsing(\Closure::fromCallable([$this, 'reviewOutcomeNextStep']))
+                    ->getStateUsing(fn (TenantReview $record): string => $this->reviewOutcome($record)->nextActionText)
                    ->wrap(),
            ])
            ->filters([
@ -177,24 +175,6 @@ public function table(Table $table): Table
                    ->visible(fn (TenantReview $record): bool => auth()->user() instanceof User
                        && auth()->user()->can(Capabilities::TENANT_REVIEW_MANAGE, $record->tenant)
                        && in_array($record->status, ['ready', 'published'], true))
                    ->disabled(fn (TenantReview $record): bool => (bool) (app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($record->tenant)['is_blocked'] ?? false))
                    ->tooltip(function (TenantReview $record): ?string {
                        $decision = app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($record->tenant);
                        if ((bool) ($decision['is_blocked'] ?? false)) {
                            $reason = $decision['block_reason'] ?? null;
                            return is_string($reason) && $reason !== '' ? $reason : null;
                        }
                        if ((bool) ($decision['is_warning'] ?? false)) {
                            $reason = $decision['warning_reason'] ?? null;
                            return is_string($reason) && $reason !== '' ? $reason : null;
                        }
                        return null;
                    })
                    ->action(fn (TenantReview $record): mixed => TenantReviewResource::executeExport($record)),
            ])
            ->bulkActions([])
@ -350,66 +330,14 @@ private function reviewTruth(TenantReview $record, bool $fresh = false): Artifac
            : $presenter->forTenantReview($record);
    }
    private function reviewOutcomeLabel(TenantReview $record): string
    {
        return $this->reviewOutcome($record)->primaryLabel;
    }
    private function reviewOutcomeBadgeColor(TenantReview $record): string
    {
        return $this->reviewOutcome($record)->primaryBadge->color;
    }
    private function reviewOutcomeBadgeIcon(TenantReview $record): ?string
    {
        return $this->reviewOutcome($record)->primaryBadge->icon;
    }
    private function reviewOutcomeBadgeIconColor(TenantReview $record): ?string
    {
        return $this->reviewOutcome($record)->primaryBadge->iconColor;
    }
    private function reviewOutcomeDescription(TenantReview $record): ?string
    {
        $primaryReason = $this->reviewOutcome($record)->primaryReason;
        $findingOutcomeSummary = $this->findingOutcomeSummary($record);
        if ($findingOutcomeSummary === null) {
            return $primaryReason;
        }
        return trim($primaryReason.' Terminal outcomes: '.$findingOutcomeSummary.'.');
    }
    private function reviewOutcomeNextStep(TenantReview $record): string
    {
        return $this->reviewOutcome($record)->nextActionText;
    }
    private function reviewOutcome(TenantReview $record, bool $fresh = false): CompressedGovernanceOutcome
    {
        $presenter = app(ArtifactTruthPresenter::class);
        $truth = $fresh
            ? $this->reviewTruth($record, true)
            : $this->reviewTruth($record);
        return $presenter->compressedOutcomeFor($record, SurfaceCompressionContext::reviewRegister(), $fresh)
            ?? $presenter->compressedOutcomeFromEnvelope(
-                $truth,
+                $this->reviewTruth($record, $fresh),
                SurfaceCompressionContext::reviewRegister(),
            );
    }
    private function findingOutcomeSummary(TenantReview $record): ?string
    {
        $summary = is_array($record->summary) ? $record->summary : [];
        $outcomeCounts = $summary['finding_outcomes'] ?? [];
        if (! is_array($outcomeCounts)) {
            return null;
        }
        return app(FindingOutcomeSemantics::class)->compactOutcomeSummary($outcomeCounts);
    }
 }
--- a/apps/platform/app/Filament/Pages/Settings/WorkspaceSettings.php
+++ b/apps/platform/app/Filament/Pages/Settings/WorkspaceSettings.php
@ -7,12 +7,7 @@
 use App\Models\User;
 use App\Models\Workspace;
 use App\Models\WorkspaceSetting;
 use App\Support\Ai\AiPolicyMode;
 use App\Support\Ai\AiUseCaseCatalog;
 use App\Services\Auth\WorkspaceCapabilityResolver;
 use App\Services\Entitlements\WorkspaceEntitlementResolver;
 use App\Services\Entitlements\WorkspacePlanProfileCatalog;
 use App\Services\Localization\LocaleResolver;
 use App\Services\Settings\SettingsResolver;
 use App\Services\Settings\SettingsWriter;
 use App\Support\Auth\Capabilities;
@ -25,9 +20,7 @@
 use BackedEnum;
 use Filament\Actions\Action;
 use Filament\Forms\Components\KeyValue;
 use Filament\Forms\Components\Placeholder;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\Textarea;
 use Filament\Forms\Components\TextInput;
 use Filament\Notifications\Notification;
 use Filament\Pages\Page;
@ -58,8 +51,6 @@ class WorkspaceSettings extends Page
     * @var array<string, array{domain: string, key: string, type: 'int'|'json'|'string'|'bool'}>
     */
    private const SETTING_FIELDS = [
        'ai_policy_mode' => ['domain' => 'ai', 'key' => 'policy_mode', 'type' => 'string'],
        'localization_default_locale' => ['domain' => 'localization', 'key' => 'default_locale', 'type' => 'string'],
        'backup_retention_keep_last_default' => ['domain' => 'backup', 'key' => 'retention_keep_last_default', 'type' => 'int'],
        'backup_retention_min_floor' => ['domain' => 'backup', 'key' => 'retention_min_floor', 'type' => 'int'],
        'drift_severity_mapping' => ['domain' => 'drift', 'key' => 'severity_mapping', 'type' => 'json'],
@ -67,23 +58,10 @@ class WorkspaceSettings extends Page
        'baseline_alert_min_severity' => ['domain' => 'baseline', 'key' => 'alert_min_severity', 'type' => 'string'],
        'baseline_auto_close_enabled' => ['domain' => 'baseline', 'key' => 'auto_close_enabled', 'type' => 'bool'],
        'findings_sla_days' => ['domain' => 'findings', 'key' => 'sla_days', 'type' => 'json'],
        'entitlements_plan_profile' => ['domain' => 'entitlements', 'key' => 'plan_profile', 'type' => 'string'],
        'entitlements_managed_tenant_limit_override_value' => ['domain' => 'entitlements', 'key' => 'managed_tenant_limit_override_value', 'type' => 'int'],
        'entitlements_managed_tenant_limit_override_reason' => ['domain' => 'entitlements', 'key' => 'managed_tenant_limit_override_reason', 'type' => 'string'],
        'entitlements_review_pack_generation_override_value' => ['domain' => 'entitlements', 'key' => 'review_pack_generation_override_value', 'type' => 'bool'],
        'entitlements_review_pack_generation_override_reason' => ['domain' => 'entitlements', 'key' => 'review_pack_generation_override_reason', 'type' => 'string'],
        'operations_operation_run_retention_days' => ['domain' => 'operations', 'key' => 'operation_run_retention_days', 'type' => 'int'],
        'operations_stuck_run_threshold_minutes' => ['domain' => 'operations', 'key' => 'stuck_run_threshold_minutes', 'type' => 'int'],
    ];
    /**
     * @var array<string, string>
     */
    private const ENTITLEMENT_OVERRIDE_REASON_FIELDS = [
        'entitlements_managed_tenant_limit_override_value' => 'entitlements_managed_tenant_limit_override_reason',
        'entitlements_review_pack_generation_override_value' => 'entitlements_review_pack_generation_override_reason',
    ];
    /**
     * Fields rendered as Filament KeyValue components (array state, not JSON string).
     *
@ -133,14 +111,6 @@ class WorkspaceSettings extends Page
     */
    public array $resolvedSettings = [];
    /**
     * @var array{
     *     plan_profile?: array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool},
     *     decisions?: array<string, array<string, mixed>>
     * }
     */
    public array $entitlementSummary = [];
    /**
     * Per-domain "last modified" metadata: domain => {user_name, updated_at}.
     *
@ -155,22 +125,17 @@ protected function getHeaderActions(): array
    {
        return [
            Action::make('save')
-                ->label(__('localization.workspace.save'))
+                ->label('Save')
                ->action(function (): void {
                    $this->save();
                })
                ->disabled(fn (): bool => ! $this->currentUserCanManage())
                ->tooltip(fn (): ?string => $this->currentUserCanManage()
                    ? null
-                    : __('localization.workspace.no_manage_permission')),
+                    : 'You do not have permission to manage workspace settings.'),
        ];
    }
    public function getTitle(): string
    {
        return __('localization.workspace.title');
    }
    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
    {
        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
@ -215,83 +180,6 @@ public function content(Schema $schema): Schema
        return $schema
            ->statePath('data')
            ->schema([
                Section::make(__('localization.workspace.section'))
                    ->description($this->sectionDescription('localization', __('localization.workspace.section_description')))
                    ->schema([
                        Select::make('localization_default_locale')
                            ->label(__('localization.workspace.default_locale_label'))
                            ->options(LocaleResolver::localeOptions())
                            ->placeholder(__('localization.workspace.default_locale_placeholder'))
                            ->native(false)
                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
                            ->helperText(fn (): string => $this->localeDefaultHelperText())
                            ->hintAction($this->makeResetAction('localization_default_locale')),
                    ]),
                Section::make('Workspace entitlements')
                    ->description($this->sectionDescription('entitlements', 'Select a plan profile and optional first-slice overrides for onboarding activation and review pack generation.'))
                    ->columns(2)
                    ->schema([
                        Select::make('entitlements_plan_profile')
                            ->label('Plan profile')
                            ->options(app(WorkspacePlanProfileCatalog::class)->optionLabels())
                            ->placeholder(sprintf('Use default profile (%s)', app(WorkspacePlanProfileCatalog::class)->default()['label']))
                            ->native(false)
                            ->columnSpanFull()
                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
                            ->helperText(fn (): string => $this->planProfileFieldHelperText()),
                        TextInput::make('entitlements_managed_tenant_limit_override_value')
                            ->label('Managed tenant activation limit override')
                            ->placeholder('Unset (uses plan profile default)')
                            ->suffix('tenants')
                            ->hint('0 or greater')
                            ->numeric()
                            ->integer()
                            ->minValue(0)
                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
                            ->helperText(fn (): string => $this->managedTenantLimitHelperText())
                            ->hintAction($this->makeResetAction('entitlements_managed_tenant_limit_override_value')),
                        Textarea::make('entitlements_managed_tenant_limit_override_reason')
                            ->label('Managed tenant activation override reason')
                            ->rows(3)
                            ->maxLength(500)
                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
                            ->helperText(fn (): string => $this->managedTenantLimitReasonHelperText()),
                        Select::make('entitlements_review_pack_generation_override_value')
                            ->label('Review pack generation override')
                            ->options(self::booleanOptions())
                            ->placeholder('Unset (uses plan profile default)')
                            ->native(false)
                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
                            ->helperText(fn (): string => $this->reviewPackGenerationHelperText())
                            ->hintAction($this->makeResetAction('entitlements_review_pack_generation_override_value')),
                        Textarea::make('entitlements_review_pack_generation_override_reason')
                            ->label('Review pack generation override reason')
                            ->rows(3)
                            ->maxLength(500)
                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
                            ->helperText(fn (): string => $this->reviewPackGenerationReasonHelperText()),
                    ]),
                Section::make('Workspace AI policy')
                    ->description($this->sectionDescription('ai', 'Control whether the workspace disables AI entirely or allows approved internal-only drafts on private-only infrastructure.'))
                    ->schema([
                        Select::make('ai_policy_mode')
                            ->label('AI posture')
                            ->options(AiPolicyMode::optionLabels())
                            ->placeholder('Unset (uses default)')
                            ->native(false)
                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
                            ->helperText(fn (): string => $this->aiPolicyModeHelperText())
                            ->hintAction($this->makeResetAction('ai_policy_mode')),
                        Placeholder::make('ai_approved_use_cases')
                            ->label('Approved use cases')
                            ->content(fn (): string => $this->aiApprovedUseCasesText()),
                        Placeholder::make('ai_allowed_provider_classes')
                            ->label('Allowed provider classes')
                            ->content(fn (): string => $this->aiAllowedProviderClassesText()),
                        Placeholder::make('ai_blocked_data_classifications')
                            ->label('Blocked data classifications')
                            ->content(fn (): string => $this->aiBlockedDataClassificationsText()),
                    ]),
                Section::make('Backup settings')
                    ->description($this->sectionDescription('backup', 'Workspace defaults used when a schedule has no explicit value.'))
                    ->schema([
@ -526,7 +414,7 @@ public function save(): void
        $this->loadFormState();
        Notification::make()
-            ->title($changedSettingsCount > 0 ? __('localization.notifications.workspace_settings_saved') : __('localization.notifications.workspace_settings_unchanged'))
+            ->title($changedSettingsCount > 0 ? 'Workspace settings saved' : 'No settings changes to save')
            ->success()
            ->send();
    }
@ -545,7 +433,7 @@ public function resetSetting(string $field): void
        if ($this->workspaceOverrideForField($field) === null) {
            Notification::make()
-                ->title(__('localization.notifications.setting_already_default'))
+                ->title('Setting already uses default')
                ->success()
                ->send();
@ -562,57 +450,7 @@ public function resetSetting(string $field): void
        $this->loadFormState();
        Notification::make()
-            ->title(__('localization.notifications.workspace_setting_reset'))
+            ->title('Workspace setting reset to default')
            ->success()
            ->send();
    }
    private function resetEntitlementOverridePair(string $field): void
    {
        $user = auth()->user();
        if (! $user instanceof User) {
            abort(403);
        }
        $this->authorizeWorkspaceManage($user);
        if (! $this->hasEntitlementOverridePair($field)) {
            Notification::make()
                ->title('Entitlement already uses plan profile default')
                ->success()
                ->send();
            return;
        }
        $writer = app(SettingsWriter::class);
        $valueSetting = $this->settingForField($field);
        $reasonField = self::ENTITLEMENT_OVERRIDE_REASON_FIELDS[$field];
        $reasonSetting = $this->settingForField($reasonField);
        if ($this->workspaceOverrideForField($field) !== null) {
            $writer->resetWorkspaceSetting(
                actor: $user,
                workspace: $this->workspace,
                domain: $valueSetting['domain'],
                key: $valueSetting['key'],
            );
        }
        if ($this->workspaceOverrideForField($reasonField) !== null) {
            $writer->resetWorkspaceSetting(
                actor: $user,
                workspace: $this->workspace,
                domain: $reasonSetting['domain'],
                key: $reasonSetting['key'],
            );
        }
        $this->loadFormState();
        Notification::make()
            ->title('Workspace entitlement override reset')
            ->success()
            ->send();
    }
@ -652,7 +490,6 @@ private function loadFormState(): void
        $this->data = $data;
        $this->workspaceOverrides = $workspaceOverrides;
        $this->resolvedSettings = $resolvedSettings;
        $this->entitlementSummary = app(WorkspaceEntitlementResolver::class)->summary($this->workspace);
        $this->loadDomainLastModified();
    }
@ -711,240 +548,37 @@ private function sectionDescription(string $domain, string $baseDescription): st
        /** @var Carbon $updatedAt */
        $updatedAt = $meta['updated_at'];
-        return __('localization.workspace.last_modified_by', [
+        return sprintf(
-            'description' => $baseDescription,
+            '%s — Last modified by %s, %s.',
-            'user' => $meta['user_name'],
+            $baseDescription,
-            'time' => $updatedAt->diffForHumans(),
+            $meta['user_name'],
-        ]);
+            $updatedAt->diffForHumans(),
        );
    }
    private function makeResetAction(string $field): Action
    {
        return Action::make('reset_'.$field)
-            ->label(__('localization.workspace.reset'))
+            ->label('Reset')
            ->color('danger')
            ->requiresConfirmation()
            ->action(function () use ($field): void {
                if ($this->isEntitlementOverrideValueField($field)) {
                    $this->resetEntitlementOverridePair($field);
                    return;
                }
                $this->resetSetting($field);
            })
-            ->disabled(fn (): bool => ! $this->currentUserCanManage() || ! $this->canResetField($field))
+            ->disabled(fn (): bool => ! $this->currentUserCanManage() || ! $this->hasWorkspaceOverride($field))
            ->tooltip(function () use ($field): ?string {
                if (! $this->currentUserCanManage()) {
-                    return __('localization.workspace.no_manage_permission');
+                    return 'You do not have permission to manage workspace settings.';
                }
-                if (! $this->canResetField($field)) {
+                if (! $this->hasWorkspaceOverride($field)) {
-                    if ($this->isEntitlementOverrideValueField($field)) {
+                    return 'No workspace override to reset.';
                        return __('localization.workspace.no_workspace_override');
                    }
                    return __('localization.workspace.no_workspace_override');
                }
                return null;
            });
    }
    private function canResetField(string $field): bool
    {
        if ($this->isEntitlementOverrideValueField($field)) {
            return $this->hasEntitlementOverridePair($field);
        }
        return $this->hasWorkspaceOverride($field);
    }
    private function isEntitlementOverrideValueField(string $field): bool
    {
        return array_key_exists($field, self::ENTITLEMENT_OVERRIDE_REASON_FIELDS);
    }
    private function hasEntitlementOverridePair(string $field): bool
    {
        if (! $this->isEntitlementOverrideValueField($field)) {
            return false;
        }
        $reasonField = self::ENTITLEMENT_OVERRIDE_REASON_FIELDS[$field];
        return $this->workspaceOverrideForField($field) !== null
            || $this->workspaceOverrideForField($reasonField) !== null;
    }
    private function planProfileFieldHelperText(): string
    {
        $profile = $this->resolvedPlanProfile();
        $selectedProfile = $this->workspaceOverrideForField('entitlements_plan_profile');
        if (! is_string($selectedProfile) || $selectedProfile === '') {
            return sprintf('Default profile: %s. %s', $profile['label'], $profile['description']);
        }
        return sprintf('Effective profile: %s. %s', $profile['label'], $profile['description']);
    }
    private function managedTenantLimitHelperText(): string
    {
        $decision = $this->entitlementDecision(WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT);
        $effectiveValue = (int) ($decision['effective_value'] ?? 0);
        $currentUsage = (int) ($decision['current_usage'] ?? 0);
        $remainingCapacity = (int) ($decision['remaining_capacity'] ?? 0);
        $capacityText = $remainingCapacity < 0
            ? sprintf('Over limit by %d.', abs($remainingCapacity))
            : sprintf('%d remaining.', $remainingCapacity);
        return sprintf(
            'Effective limit: %d active managed tenants. Current usage: %d. %s Source: %s.',
            $effectiveValue,
            $currentUsage,
            $capacityText,
            $this->entitlementSourceLabel($decision),
        );
    }
    private function managedTenantLimitReasonHelperText(): string
    {
        return $this->entitlementReasonHelperText(
            valueField: 'entitlements_managed_tenant_limit_override_value',
            key: WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT,
        );
    }
    private function reviewPackGenerationHelperText(): string
    {
        $decision = $this->entitlementDecision(WorkspaceEntitlementResolver::KEY_REVIEW_PACK_GENERATION_ENABLED);
        return sprintf(
            'Effective state: %s. Source: %s.',
            (bool) ($decision['effective_value'] ?? false) ? 'enabled' : 'disabled',
            $this->entitlementSourceLabel($decision),
        );
    }
    private function reviewPackGenerationReasonHelperText(): string
    {
        return $this->entitlementReasonHelperText(
            valueField: 'entitlements_review_pack_generation_override_value',
            key: WorkspaceEntitlementResolver::KEY_REVIEW_PACK_GENERATION_ENABLED,
        );
    }
    private function aiPolicyModeHelperText(): string
    {
        $resolved = $this->resolvedSettings['ai_policy_mode'] ?? null;
        if (! is_array($resolved)) {
            return '';
        }
        $mode = AiPolicyMode::tryFrom((string) ($resolved['value'] ?? AiPolicyMode::Disabled->value))
            ?? AiPolicyMode::Disabled;
        $prefix = ! $this->hasWorkspaceOverride('ai_policy_mode')
            ? sprintf('Effective posture: %s. Source: %s.', $mode->label(), $this->sourceLabel((string) ($resolved['source'] ?? 'system_default')))
            : sprintf('Effective posture: %s.', $mode->label());
        return sprintf('%s %s', $prefix, $mode->summary());
    }
    private function aiApprovedUseCasesText(): string
    {
        return implode('; ', app(AiUseCaseCatalog::class)->labels()).'.';
    }
    private function aiAllowedProviderClassesText(): string
    {
        $labels = app(AiUseCaseCatalog::class)->allowedProviderClassLabelsForMode($this->effectiveAiPolicyMode());
        if ($labels === []) {
            return 'No provider classes are allowed while AI is disabled.';
        }
        return implode(', ', $labels).'.';
    }
    private function aiBlockedDataClassificationsText(): string
    {
        return implode(', ', app(AiUseCaseCatalog::class)->blockedDataClassificationLabels()).'.';
    }
    private function effectiveAiPolicyMode(): AiPolicyMode
    {
        $resolved = $this->resolvedSettings['ai_policy_mode'] ?? null;
        if (! is_array($resolved)) {
            return AiPolicyMode::Disabled;
        }
        return AiPolicyMode::tryFrom((string) ($resolved['value'] ?? AiPolicyMode::Disabled->value))
            ?? AiPolicyMode::Disabled;
    }
    private function entitlementReasonHelperText(string $valueField, string $key): string
    {
        $decision = $this->entitlementDecision($key);
        $rationale = is_string($decision['rationale'] ?? null) ? $decision['rationale'] : null;
        if ($this->workspaceOverrideForField($valueField) === null) {
            return 'Required when an explicit override value is set.';
        }
        if ($rationale === null || $rationale === '') {
            return 'Required when an explicit override value is set.';
        }
        return sprintf('Current rationale: %s', $rationale);
    }
    /**
     * @return array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}
     */
    private function resolvedPlanProfile(): array
    {
        $profile = $this->entitlementSummary['plan_profile'] ?? null;
        if (is_array($profile)) {
            return $profile;
        }
        return app(WorkspacePlanProfileCatalog::class)->default();
    }
    /**
     * @return array<string, mixed>
     */
    private function entitlementDecision(string $key): array
    {
        $decision = $this->entitlementSummary['decisions'][$key] ?? null;
        return is_array($decision) ? $decision : [];
    }
    /**
     * @param  array<string, mixed>  $decision
     */
    private function entitlementSourceLabel(array $decision): string
    {
        if (($decision['source'] ?? null) === 'workspace_override') {
            return 'workspace override';
        }
        $planProfileLabel = $decision['plan_profile_label'] ?? null;
        if (is_string($planProfileLabel) && $planProfileLabel !== '') {
            return sprintf('%s plan profile', $planProfileLabel);
        }
        return 'plan profile default';
    }
    private function helperTextFor(string $field): string
    {
        $resolved = $this->resolvedSettings[$field] ?? null;
@ -966,29 +600,6 @@ private function helperTextFor(string $field): string
        return sprintf('Effective value: %s.', $effectiveValue);
    }
    private function localeDefaultHelperText(): string
    {
        $resolved = $this->resolvedSettings['localization_default_locale'] ?? null;
        if (! is_array($resolved)) {
            return '';
        }
        $effectiveLocale = LocaleResolver::normalize($resolved['value'] ?? null) ?? 'en';
        $localeLabel = LocaleResolver::localeOptions()[$effectiveLocale] ?? strtoupper($effectiveLocale);
        if (! $this->hasWorkspaceOverride('localization_default_locale')) {
            return __('localization.workspace.default_locale_helper_unset', [
                'locale' => $localeLabel,
                'source' => $this->sourceLabel((string) ($resolved['source'] ?? 'system_default')),
            ]);
        }
        return __('localization.workspace.default_locale_helper_set', [
            'locale' => $localeLabel,
        ]);
    }
    private function slaFieldHelperText(string $severity): string
    {
        $resolved = $this->resolvedSettings['findings_sla_days'] ?? null;
@ -1110,27 +721,6 @@ private function normalizedInputValues(): array
            }
        }
        foreach (self::ENTITLEMENT_OVERRIDE_REASON_FIELDS as $valueField => $reasonField) {
            if (($normalizedValues[$valueField] ?? null) === null) {
                $normalizedValues[$reasonField] = null;
                continue;
            }
            if (($normalizedValues[$reasonField] ?? null) !== null) {
                continue;
            }
            $message = match ($valueField) {
                'entitlements_managed_tenant_limit_override_value' => 'Override reason is required when a managed tenant activation limit override is set.',
                'entitlements_review_pack_generation_override_value' => 'Override reason is required when a review pack generation override is set.',
                default => 'Override reason is required when an explicit override is set.',
            };
            $validationErrors['data.'.$reasonField] ??= [];
            $validationErrors['data.'.$reasonField][] = $message;
        }
        return [$normalizedValues, $validationErrors];
    }
@ -1394,9 +984,9 @@ private function formatValueForDisplay(string $field, mixed $value): string
    private function sourceLabel(string $source): string
    {
        return match ($source) {
-            'workspace_override' => __('localization.source.workspace_override'),
+            'workspace_override' => 'workspace override',
            'tenant_override' => 'tenant override',
-            default => __('localization.source.system_default'),
+            default => 'system default',
        };
    }
--- a/apps/platform/app/Filament/Pages/TenantDashboard.php
+++ b/apps/platform/app/Filament/Pages/TenantDashboard.php
@ -11,42 +11,13 @@
 use App\Filament\Widgets\Dashboard\RecentDriftFindings;
 use App\Filament\Widgets\Dashboard\RecentOperations;
 use App\Filament\Widgets\Dashboard\RecoveryReadiness;
 use App\Models\SupportRequest;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Services\Audit\WorkspaceAuditLogger;
 use App\Services\Auth\CapabilityResolver;
 use App\Support\Auth\Capabilities;
 use App\Support\ProductTelemetry\ProductTelemetryRecorder;
 use App\Support\ProductTelemetry\ProductUsageEventCatalog;
 use App\Support\Rbac\UiEnforcement;
 use App\Support\SupportDiagnostics\SupportDiagnosticBundleBuilder;
 use App\Support\SupportRequests\SupportRequestSubmissionService;
 use Filament\Actions\Action;
 use Filament\Facades\Filament;
 use Filament\Forms\Components\Placeholder;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\TextInput;
 use Filament\Forms\Components\Textarea;
 use Filament\Notifications\Notification;
 use Filament\Pages\Dashboard;
 use Filament\Widgets\Widget;
 use Filament\Widgets\WidgetConfiguration;
 use Illuminate\Contracts\View\View;
 use Illuminate\Database\Eloquent\Model;
 class TenantDashboard extends Dashboard
 {
    /**
     * @var list<string>
     */
    public array $supportDiagnosticsAuditKeys = [];
    public function getTitle(): string
    {
        return __('localization.dashboard.tenant_title');
    }
    /**
     * @param  array<mixed>  $parameters
     */
@ -75,210 +46,4 @@ public function getColumns(): int|array
    {
        return 2;
    }
    /**
     * @return array<Action>
     */
    protected function getHeaderActions(): array
    {
        return [
            $this->requestSupportAction(),
            $this->openSupportDiagnosticsAction(),
        ];
    }
    public function authorizeTenantSupportRequest(): void
    {
        $this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_REQUESTS_CREATE);
    }
    private function requestSupportAction(): Action
    {
        $action = Action::make('requestSupport')
            ->label(__('localization.dashboard.request_support'))
            ->icon('heroicon-o-paper-airplane')
            ->color('gray')
            ->slideOver()
            ->stickyModalHeader()
            ->modalHeading(__('localization.dashboard.support_request_heading'))
            ->modalDescription(__('localization.dashboard.support_request_description'))
            ->modalSubmitActionLabel(__('localization.dashboard.submit_request'))
            ->form([
                Placeholder::make('included_context')
                    ->label(__('localization.dashboard.included_context'))
                    ->content(fn (): string => $this->tenantSupportRequestAttachmentSummary())
                    ->columnSpanFull(),
                Select::make('severity')
                    ->label(__('localization.dashboard.severity'))
                    ->options(SupportRequest::severityOptions())
                    ->default(SupportRequest::SEVERITY_NORMAL)
                    ->required()
                    ->native(false),
                TextInput::make('summary')
                    ->label(__('localization.dashboard.summary'))
                    ->required()
                    ->columnSpanFull(),
                Textarea::make('reproduction_notes')
                    ->label(__('localization.dashboard.reproduction_notes'))
                    ->rows(4)
                    ->columnSpanFull(),
                TextInput::make('contact_name')
                    ->label(__('localization.dashboard.contact_name'))
                    ->default(fn (): ?string => $this->resolveDashboardActor()->name),
                TextInput::make('contact_email')
                    ->label(__('localization.dashboard.contact_email'))
                    ->email()
                    ->default(fn (): ?string => $this->resolveDashboardActor()->email),
            ])
            ->action(function (array $data): void {
                $actor = $this->resolveDashboardActor();
                $tenant = $this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_REQUESTS_CREATE);
                $supportRequest = app(SupportRequestSubmissionService::class)->submitForTenant($tenant, $actor, $data);
                Notification::make()
                    ->title(__('localization.dashboard.support_request_submitted'))
                    ->body('Reference '.$supportRequest->internal_reference)
                    ->success()
                    ->send();
            });
        return UiEnforcement::forAction($action)
            ->requireCapability(Capabilities::SUPPORT_REQUESTS_CREATE)
            ->apply();
    }
    private function openSupportDiagnosticsAction(): Action
    {
        $action = Action::make('openSupportDiagnostics')
            ->label(__('localization.dashboard.open_support_diagnostics'))
            ->icon('heroicon-o-lifebuoy')
            ->color('gray')
            ->modal()
            ->slideOver()
            ->stickyModalHeader()
            ->modalHeading(__('localization.dashboard.support_diagnostics'))
            ->modalDescription(__('localization.dashboard.support_diagnostics_description'))
            ->modalSubmitAction(false)
            ->modalCancelAction(fn (Action $action): Action => $action->label(__('localization.dashboard.close')))
            ->mountUsing(function (): void {
                $this->auditTenantSupportDiagnosticsOpen();
            })
            ->modalContent(fn (): View => view('filament.modals.support-diagnostic-bundle', [
                'bundle' => $this->tenantSupportDiagnosticBundle(),
            ]));
        return UiEnforcement::forAction($action)
            ->requireCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW)
            ->apply();
    }
    /**
     * @return array<string, mixed>
     */
    public function tenantSupportDiagnosticBundle(): array
    {
        $user = $this->resolveDashboardActor();
        $tenant = $this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
        return app(SupportDiagnosticBundleBuilder::class)->forTenant($tenant, $user);
    }
    private function auditTenantSupportDiagnosticsOpen(): void
    {
        $user = $this->resolveDashboardActor();
        $tenant = $this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
        $this->recordSupportDiagnosticsOpened(
            tenant: $tenant,
            bundle: $this->tenantSupportDiagnosticBundle(),
            user: $user,
        );
    }
    /**
     * @param  array<string, mixed>  $bundle
     */
    private function recordSupportDiagnosticsOpened(Tenant $tenant, array $bundle, User $user): void
    {
        $auditKey = 'tenant:'.$tenant->getKey();
        if (in_array($auditKey, $this->supportDiagnosticsAuditKeys, true)) {
            return;
        }
        app(WorkspaceAuditLogger::class)->logSupportDiagnosticsOpened(
            tenant: $tenant,
            contextType: 'tenant',
            bundle: $bundle,
            actor: $user,
        );
        app(ProductTelemetryRecorder::class)->record(
            eventName: ProductUsageEventCatalog::SUPPORT_DIAGNOSTICS_OPENED,
            workspaceId: (int) $tenant->workspace_id,
            tenantId: (int) $tenant->getKey(),
            userId: (int) $user->getKey(),
            subjectType: 'tenant',
            subjectId: (int) $tenant->getKey(),
            metadata: [
                'source_surface' => 'tenant_dashboard',
            ],
        );
        $this->supportDiagnosticsAuditKeys[] = $auditKey;
    }
    private function resolveDashboardActor(): User
    {
        $user = auth()->user();
        if (! $user instanceof User) {
            abort(404);
        }
        return $user;
    }
    private function resolveCurrentTenantForCapability(string $capability): Tenant
    {
        $user = $this->resolveDashboardActor();
        $tenant = Filament::getTenant();
        if (! $tenant instanceof Tenant) {
            abort(404);
        }
        $resolver = app(CapabilityResolver::class);
        if (! $resolver->isMember($user, $tenant)) {
            abort(404);
        }
        if (! $resolver->can($user, $tenant, $capability)) {
            abort(403);
        }
        return $tenant;
    }
    private function tenantSupportRequestAttachmentSummary(): string
    {
        $tenant = Filament::getTenant();
        $user = auth()->user();
        if (! $tenant instanceof Tenant || ! $user instanceof User) {
            return 'Only canonical redacted tenant context will be attached.';
        }
        $resolver = app(CapabilityResolver::class);
        if (! $resolver->isMember($user, $tenant)) {
            return 'Only canonical redacted tenant context will be attached.';
        }
        return $resolver->can($user, $tenant, Capabilities::SUPPORT_DIAGNOSTICS_VIEW)
            ? 'A redacted diagnostic snapshot and the canonical tenant context will be attached.'
            : 'Only the canonical redacted tenant context will be attached because you cannot view support diagnostics.';
    }
 }
--- a/apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php
+++ b/apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php
--- a/apps/platform/app/Filament/Resources/AlertDeliveryResource.php
+++ b/apps/platform/app/Filament/Resources/AlertDeliveryResource.php
@ -234,8 +234,7 @@ public static function table(Table $table): Table
                    ->searchable(),
                TextColumn::make('event_type')
                    ->label('Event')
-                    ->badge()
+                    ->badge(),
                    ->formatStateUsing(fn (?string $state): string => AlertRuleResource::eventTypeLabel((string) $state)),
                TextColumn::make('severity')
                    ->badge()
                    ->formatStateUsing(fn (?string $state): string => ucfirst((string) $state))
--- a/apps/platform/app/Filament/Resources/AlertRuleResource.php
+++ b/apps/platform/app/Filament/Resources/AlertRuleResource.php
@ -380,10 +380,6 @@ public static function eventTypeOptions(): array
            AlertRule::EVENT_SLA_DUE => 'SLA due',
            AlertRule::EVENT_PERMISSION_MISSING => 'Permission missing',
            AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH => 'Entra admin roles (high privilege)',
            AlertRule::EVENT_FINDINGS_ASSIGNED => 'Finding assigned',
            AlertRule::EVENT_FINDINGS_REOPENED => 'Finding reopened',
            AlertRule::EVENT_FINDINGS_DUE_SOON => 'Finding due soon',
            AlertRule::EVENT_FINDINGS_OVERDUE => 'Finding overdue',
        ];
    }
--- a/apps/platform/app/Filament/Resources/BackupScheduleResource.php
+++ b/apps/platform/app/Filament/Resources/BackupScheduleResource.php
@ -25,7 +25,6 @@
 use App\Support\Filament\TablePaginationProfiles;
 use App\Support\OperationRunLinks;
 use App\Support\OperationRunOutcome;
 use App\Support\OperationRunType;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
 use App\Support\Rbac\UiEnforcement;
@ -458,7 +457,7 @@ public static function table(Table $table): Table
                                $nonce = (string) Str::uuid();
                                $operationRun = $operationRunService->ensureRunWithIdentity(
                                    tenant: $tenant,
-                                    type: OperationRunType::BackupScheduleExecute->value,
+                                    type: 'backup_schedule_run',
                                    identityInputs: [
                                        'backup_schedule_id' => (int) $record->getKey(),
                                        'nonce' => $nonce,
@ -529,7 +528,7 @@ public static function table(Table $table): Table
                                $nonce = (string) Str::uuid();
                                $operationRun = $operationRunService->ensureRunWithIdentity(
                                    tenant: $tenant,
-                                    type: OperationRunType::BackupScheduleExecute->value,
+                                    type: 'backup_schedule_run',
                                    identityInputs: [
                                        'backup_schedule_id' => (int) $record->getKey(),
                                        'nonce' => $nonce,
@ -756,7 +755,7 @@ public static function table(Table $table): Table
                                    $nonce = (string) Str::uuid();
                                    $operationRun = $operationRunService->ensureRunWithIdentity(
                                        tenant: $tenant,
-                                        type: OperationRunType::BackupScheduleExecute->value,
+                                        type: 'backup_schedule_run',
                                        identityInputs: [
                                            'backup_schedule_id' => (int) $record->getKey(),
                                            'nonce' => $nonce,
@ -853,7 +852,7 @@ public static function table(Table $table): Table
                                    $nonce = (string) Str::uuid();
                                    $operationRun = $operationRunService->ensureRunWithIdentity(
                                        tenant: $tenant,
-                                        type: OperationRunType::BackupScheduleExecute->value,
+                                        type: 'backup_schedule_run',
                                        identityInputs: [
                                            'backup_schedule_id' => (int) $record->getKey(),
                                            'nonce' => $nonce,
--- a/apps/platform/app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php
+++ b/apps/platform/app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php
@ -137,7 +137,7 @@ public function table(Table $table): Table
                $opService = app(OperationRunService::class);
                $opRun = $opService->ensureRun(
                    tenant: $tenant,
-                    type: 'backup_set.update',
+                    type: 'backup_set.remove_policies',
                    inputs: [
                        'backup_set_id' => (int) $backupSet->getKey(),
                        'backup_item_ids' => $backupItemIds,
@ -220,7 +220,7 @@ public function table(Table $table): Table
                $opService = app(OperationRunService::class);
                $opRun = $opService->ensureRun(
                    tenant: $tenant,
-                    type: 'backup_set.update',
+                    type: 'backup_set.remove_policies',
                    inputs: [
                        'backup_set_id' => (int) $backupSet->getKey(),
                        'backup_item_ids' => $backupItemIds,
--- a/apps/platform/app/Filament/Resources/BaselineProfileResource.php
+++ b/apps/platform/app/Filament/Resources/BaselineProfileResource.php
@ -9,7 +9,6 @@
 use App\Models\BaselineProfile;
 use App\Models\BaselineSnapshot;
 use App\Models\BaselineTenantAssignment;
 use App\Models\OperationRun;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Models\Workspace;
@ -32,8 +31,6 @@
 use App\Support\Navigation\CrossResourceNavigationMatrix;
 use App\Support\Navigation\RelatedContextEntry;
 use App\Support\Navigation\RelatedNavigationResolver;
 use App\Support\OperationCatalog;
 use App\Support\OperationRunType;
 use App\Support\Rbac\WorkspaceUiEnforcement;
 use App\Support\ReasonTranslation\ReasonPresenter;
 use App\Support\ReasonTranslation\ReasonResolutionEnvelope;
@ -843,17 +840,7 @@ private static function compareReadinessIcon(BaselineProfile $profile): ?string
    private static function profileNextStep(BaselineProfile $profile): string
    {
-        $compareAvailabilityReason = self::compareAvailabilityReason($profile);
+        return match (self::compareAvailabilityReason($profile)) {
        if ($compareAvailabilityReason === null) {
            $latestCaptureEnvelope = self::latestBaselineCaptureEnvelope($profile);
            if ($latestCaptureEnvelope instanceof ReasonResolutionEnvelope && trim($latestCaptureEnvelope->shortExplanation) !== '') {
                return $latestCaptureEnvelope->shortExplanation;
            }
        }
        return match ($compareAvailabilityReason) {
            BaselineReasonCodes::COMPARE_INVALID_SCOPE,
            BaselineReasonCodes::COMPARE_MIXED_SCOPE,
            BaselineReasonCodes::COMPARE_UNSUPPORTED_SCOPE => 'Review the governed subject selection before starting compare.',
@ -871,30 +858,6 @@ private static function latestAttemptedSnapshot(BaselineProfile $profile): ?Base
        return app(BaselineSnapshotTruthResolver::class)->resolveLatestAttemptedSnapshot($profile);
    }
    private static function latestBaselineCaptureEnvelope(BaselineProfile $profile): ?ReasonResolutionEnvelope
    {
        $run = OperationRun::query()
            ->where('workspace_id', (int) $profile->workspace_id)
            ->whereIn('type', OperationCatalog::rawValuesForCanonical(OperationRunType::BaselineCapture->value))
            ->where('context->baseline_profile_id', (int) $profile->getKey())
            ->where('status', 'completed')
            ->orderByDesc('completed_at')
            ->orderByDesc('id')
            ->first();
        if (! $run instanceof OperationRun) {
            return null;
        }
        $reasonCode = data_get($run->context, 'reason_code');
        if (! is_string($reasonCode) || trim($reasonCode) === '') {
            return null;
        }
        return app(ReasonPresenter::class)->forOperationRun($run, 'artifact_truth');
    }
    private static function compareAvailabilityReason(BaselineProfile $profile): ?string
    {
        $status = $profile->status instanceof BaselineProfileStatus
--- a/apps/platform/app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php
+++ b/apps/platform/app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php
@ -17,10 +17,8 @@
 use App\Support\Baselines\BaselineCaptureMode;
 use App\Support\Baselines\BaselineReasonCodes;
 use App\Support\OperationRunLinks;
 use App\Support\OperationRunType;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
 use App\Support\ReasonTranslation\ReasonPresenter;
 use App\Support\Rbac\WorkspaceUiEnforcement;
 use App\Support\Workspaces\WorkspaceContext;
 use Filament\Actions\Action;
@ -107,10 +105,15 @@ private function captureAction(): Action
                if (! $result['ok']) {
                    $reasonCode = is_string($result['reason_code'] ?? null) ? (string) $result['reason_code'] : 'unknown';
-                    $translation = app(ReasonPresenter::class)->forArtifactTruth($reasonCode, 'artifact_truth');
+
-                    $message = is_string($translation?->shortExplanation) && trim($translation->shortExplanation) !== ''
+                    $message = match ($reasonCode) {
-                        ? trim($translation->shortExplanation)
+                        BaselineReasonCodes::CAPTURE_ROLLOUT_DISABLED => 'Full-content baseline capture is currently disabled for controlled rollout.',
-                        : 'Reason: '.str_replace('.', ' ', $reasonCode);
+                        BaselineReasonCodes::CAPTURE_PROFILE_NOT_ACTIVE => 'This baseline profile is not active.',
                        BaselineReasonCodes::CAPTURE_MISSING_SOURCE_TENANT => 'The selected tenant is not available for this baseline profile.',
                        BaselineReasonCodes::CAPTURE_INVALID_SCOPE => 'This baseline profile has an invalid governed-subject scope. Review the baseline definition before capturing.',
                        BaselineReasonCodes::CAPTURE_UNSUPPORTED_SCOPE => 'This baseline profile includes governed subjects that are not currently supported for capture.',
                        default => 'Reason: '.str_replace('.', ' ', $reasonCode),
                    };
                    Notification::make()
                        ->title('Cannot start capture')
@ -341,8 +344,8 @@ private function compareAssignedTenantsAction(): Action
                    OpsUxBrowserEvents::dispatchRunEnqueued($this);
                    $toast = (int) $result['queuedCount'] > 0
-                        ? OperationUxPresenter::queuedToast(OperationRunType::BaselineCompare->value)
+                        ? OperationUxPresenter::queuedToast('baseline_compare')
-                        : OperationUxPresenter::alreadyQueuedToast(OperationRunType::BaselineCompare->value);
+                        : OperationUxPresenter::alreadyQueuedToast('baseline_compare');
                    $toast
                        ->body($summary.' Open Operations for progress and next steps.')
--- a/apps/platform/app/Filament/Resources/BaselineSnapshotResource.php
+++ b/apps/platform/app/Filament/Resources/BaselineSnapshotResource.php
@ -182,11 +182,7 @@ public static function table(Table $table): Table
                    ->color(static fn (BaselineSnapshot $record): string => self::compressedOutcome($record)->primaryBadge->color)
                    ->icon(static fn (BaselineSnapshot $record): ?string => self::compressedOutcome($record)->primaryBadge->icon)
                    ->iconColor(static fn (BaselineSnapshot $record): ?string => self::compressedOutcome($record)->primaryBadge->iconColor)
-                    ->description(static fn (BaselineSnapshot $record): ?string => self::truthHeadline($record))
+                    ->description(static fn (BaselineSnapshot $record): ?string => self::compressedOutcome($record)->primaryReason)
                    ->wrap(),
                TextColumn::make('coverage_summary')
                    ->label('Coverage')
                    ->getStateUsing(static fn (BaselineSnapshot $record): string => self::fidelitySummary($record))
                    ->wrap(),
                TextColumn::make('next_step')
                    ->label('Next step')
@ -381,12 +377,6 @@ private static function truthEnvelope(BaselineSnapshot $snapshot, bool $fresh =
            : $presenter->forBaselineSnapshot($snapshot);
    }
    private static function truthHeadline(BaselineSnapshot $record): ?string
    {
        return self::truthEnvelope($record)->operatorExplanation?->headline
            ?? self::compressedOutcome($record)->primaryReason;
    }
    private static function compressedOutcome(BaselineSnapshot $snapshot, bool $fresh = false): CompressedGovernanceOutcome
    {
        $presenter = app(ArtifactTruthPresenter::class);
--- a/apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ListEntraGroups.php
+++ b/apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ListEntraGroups.php
@ -3,14 +3,16 @@
 namespace App\Filament\Resources\EntraGroupResource\Pages;
 use App\Filament\Resources\EntraGroupResource;
 use App\Jobs\EntraGroupSyncJob;
 use App\Models\Tenant;
 use App\Models\User;
-use App\Services\Directory\EntraGroupSyncService;
+use App\Services\Directory\EntraGroupSelection;
 use App\Services\OperationRunService;
 use App\Support\Auth\Capabilities;
 use App\Support\Filament\CanonicalAdminTenantFilterState;
 use App\Support\OperationRunLinks;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
 use App\Support\OpsUx\ProviderOperationStartResultPresenter;
 use App\Support\Rbac\UiEnforcement;
 use Filament\Actions\Action;
 use Filament\Facades\Filament;
@ -53,7 +55,7 @@ protected function getHeaderActions(): array
                    ->label('Sync Groups')
                    ->icon('heroicon-o-arrow-path')
                    ->color('primary')
-                    ->action(function (EntraGroupSyncService $syncService): void {
+                    ->action(function (): void {
                        $user = auth()->user();
                        $tenant = EntraGroupResource::panelTenantContext();
@ -61,18 +63,52 @@ protected function getHeaderActions(): array
                            return;
                        }
-                        $result = $syncService->startManualSync($tenant, $user);
+                        $selectionKey = EntraGroupSelection::allGroupsV1();
-                        $notification = app(ProviderOperationStartResultPresenter::class)->notification(
+
-                            result: $result,
+                        // --- Phase 3: Canonical Operation Run Start ---
-                            blockedTitle: 'Directory groups sync blocked',
+                        /** @var OperationRunService $opService */
-                            runUrl: OperationRunLinks::view($result->run, $tenant),
+                        $opService = app(OperationRunService::class);
                        $opRun = $opService->ensureRunWithIdentity(
                            tenant: $tenant,
                            type: 'entra_group_sync',
                            identityInputs: ['selection_key' => $selectionKey],
                            context: [
                                'selection_key' => $selectionKey,
                                'trigger' => 'manual',
                            ],
                            initiator: $user,
                        );
-                        if (in_array($result->status, ['started', 'deduped', 'scope_busy'], true)) {
+                        if (! $opRun->wasRecentlyCreated && in_array($opRun->status, ['queued', 'running'])) {
                            OpsUxBrowserEvents::dispatchRunEnqueued($this);
-                        }
+                            OperationUxPresenter::alreadyQueuedToast((string) $opRun->type)
                                ->actions([
                                    Action::make('view_run')
                                        ->label('Open operation')
                                        ->url(OperationRunLinks::view($opRun, $tenant)),
                                ])
                                ->send();
-                        $notification->send();
+                            return;
                        }
                        // ----------------------------------------------
                        dispatch(new EntraGroupSyncJob(
                            tenantId: (int) $tenant->getKey(),
                            selectionKey: $selectionKey,
                            slotKey: null,
                            runId: null,
                            operationRun: $opRun
                        ));
                        OpsUxBrowserEvents::dispatchRunEnqueued($this);
                        OperationUxPresenter::queuedToast((string) $opRun->type)
                            ->actions([
                                Action::make('view_run')
                                    ->label('Open operation')
                                    ->url(OperationRunLinks::view($opRun, $tenant)),
                            ])
                            ->send();
                    })
            )
                ->requireCapability(Capabilities::TENANT_SYNC)
--- a/apps/platform/app/Filament/Resources/EvidenceSnapshotResource.php
+++ b/apps/platform/app/Filament/Resources/EvidenceSnapshotResource.php
@ -6,7 +6,6 @@
 use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
 use App\Filament\Concerns\ResolvesPanelTenantContext;
 use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
 use App\Filament\Resources\EvidenceSnapshotResource\Pages;
 use App\Filament\Resources\ReviewPackResource;
 use App\Models\EvidenceSnapshot;
@ -268,20 +267,6 @@ public static function relatedContextEntries(EvidenceSnapshot $record): array
            )->toArray();
        }
        if ($record->tenant instanceof Tenant) {
            $entries[] = RelatedContextEntry::available(
                key: 'customer_review_workspace',
                label: 'Customer workspace',
                value: $record->tenant->name,
                secondaryValue: 'Open the customer-safe review workspace prefiltered to this tenant.',
                targetUrl: CustomerReviewWorkspace::tenantPrefilterUrl($record->tenant),
                targetKind: 'canonical_page',
                priority: 30,
                actionLabel: 'Open customer workspace',
                contextBadge: 'Reporting',
            )->toArray();
        }
        return $entries;
    }
@ -706,12 +691,9 @@ private static function truthEnvelope(EvidenceSnapshot $record, bool $fresh = fa
    private static function truthState(EvidenceSnapshot $record, bool $fresh = false): array
    {
        $presenter = app(ArtifactTruthPresenter::class);
        $truth = $fresh
            ? static::truthEnvelope($record, true)
            : static::truthEnvelope($record);
        return $presenter->surfaceStateFor($record, SurfaceCompressionContext::evidenceSnapshot(), $fresh)
-            ?? $truth->toArray(static::compressedOutcome($record, $fresh));
+            ?? static::truthEnvelope($record, $fresh)->toArray(static::compressedOutcome($record, $fresh));
    }
    private static function compressedOutcome(EvidenceSnapshot $record, bool $fresh = false): CompressedGovernanceOutcome
--- a/apps/platform/app/Filament/Resources/FindingResource.php
+++ b/apps/platform/app/Filament/Resources/FindingResource.php
@ -21,7 +21,6 @@
 use App\Support\Badges\BadgeRenderer;
 use App\Support\Filament\FilterOptionCatalog;
 use App\Support\Filament\FilterPresets;
 use App\Support\Findings\FindingOutcomeSemantics;
 use App\Support\Filament\TablePaginationProfiles;
 use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\Navigation\CrossResourceNavigationMatrix;
@ -75,6 +74,8 @@ class FindingResource extends Resource
    protected static string|UnitEnum|null $navigationGroup = 'Governance';
    protected static ?string $navigationLabel = 'Findings';
    public static function shouldRegisterNavigation(): bool
    {
        if (Filament::getCurrentPanel()?->getId() === 'admin') {
@ -84,26 +85,6 @@ public static function shouldRegisterNavigation(): bool
        return parent::shouldRegisterNavigation();
    }
    public static function getNavigationLabel(): string
    {
        return __('localization.navigation.findings');
    }
    public static function getNavigationGroup(): string
    {
        return __('localization.navigation.governance');
    }
    public static function getModelLabel(): string
    {
        return __('localization.navigation.findings');
    }
    public static function getPluralModelLabel(): string
    {
        return __('localization.navigation.findings');
    }
    public static function canViewAny(): bool
    {
        $tenant = static::resolveTenantContextForCurrentPanel();
@ -175,14 +156,6 @@ public static function infolist(Schema $schema): Schema
                            ->color(BadgeRenderer::color(BadgeDomain::FindingStatus))
                            ->icon(BadgeRenderer::icon(BadgeDomain::FindingStatus))
                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingStatus)),
                        TextEntry::make('finding_terminal_outcome')
                            ->label('Terminal outcome')
                            ->state(fn (Finding $record): ?string => static::terminalOutcomeLabel($record))
                            ->visible(fn (Finding $record): bool => static::terminalOutcomeLabel($record) !== null),
                        TextEntry::make('finding_verification_state')
                            ->label('Verification')
                            ->state(fn (Finding $record): ?string => static::verificationStateLabel($record))
                            ->visible(fn (Finding $record): bool => static::verificationStateLabel($record) !== null),
                        TextEntry::make('severity')
                            ->badge()
                            ->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingSeverity))
@ -192,9 +165,9 @@ public static function infolist(Schema $schema): Schema
                        TextEntry::make('finding_due_attention')
                            ->label('Due state')
                            ->badge()
-                            ->state(fn (Finding $record): ?string => static::dueAttentionLabelFor($record))
+                            ->state(fn (Finding $record): ?string => static::dueAttentionLabel($record))
-                            ->color(fn (Finding $record): string => static::dueAttentionColorFor($record))
+                            ->color(fn (Finding $record): string => static::dueAttentionColor($record))
-                            ->visible(fn (Finding $record): bool => static::dueAttentionLabelFor($record) !== null),
+                            ->visible(fn (Finding $record): bool => static::dueAttentionLabel($record) !== null),
                        TextEntry::make('finding_governance_validity_leading')
                            ->label('Governance')
                            ->badge()
@ -204,11 +177,12 @@ public static function infolist(Schema $schema): Schema
                            ->icon(BadgeRenderer::icon(BadgeDomain::FindingRiskGovernanceValidity))
                            ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingRiskGovernanceValidity))
                            ->visible(fn (Finding $record): bool => static::governanceValidityState($record) !== null),
-                        TextEntry::make('finding_responsibility_state_leading')
+                        TextEntry::make('owner_user_id_leading')
-                            ->label('Responsibility state')
+                            ->label('Owner')
-                            ->badge()
+                            ->state(fn (Finding $record): string => $record->ownerUser?->name ?? 'Unassigned'),
-                            ->state(fn (Finding $record): string => $record->responsibilityStateLabel())
+                        TextEntry::make('assignee_user_id_leading')
-                            ->color(fn (Finding $record): string => static::responsibilityStateColor($record)),
+                            ->label('Assignee')
                            ->state(fn (Finding $record): string => $record->assigneeUser?->name ?? 'Unassigned'),
                        TextEntry::make('finding_primary_narrative')
                            ->label('Current reading')
                            ->state(fn (Finding $record): string => static::primaryNarrative($record))
@ -233,27 +207,6 @@ public static function infolist(Schema $schema): Schema
                    ->columns(2)
                    ->columnSpanFull(),
                Section::make('Responsibility')
                    ->schema([
                        TextEntry::make('finding_responsibility_state')
                            ->label('Responsibility state')
                            ->badge()
                            ->state(fn (Finding $record): string => $record->responsibilityStateLabel())
                            ->color(fn (Finding $record): string => static::responsibilityStateColor($record)),
                        TextEntry::make('owner_user_id_leading')
                            ->label('Accountable owner')
                            ->state(fn (Finding $record): string => static::accountableOwnerDisplayFor($record)),
                        TextEntry::make('assignee_user_id_leading')
                            ->label('Active assignee')
                            ->state(fn (Finding $record): string => static::activeAssigneeDisplayFor($record)),
                        TextEntry::make('finding_responsibility_summary')
                            ->label('Current split')
                            ->state(fn (Finding $record): string => static::responsibilitySummary($record))
                            ->columnSpanFull(),
                    ])
                    ->columns(2)
                    ->columnSpanFull(),
                Section::make('Finding')
                    ->schema([
                        TextEntry::make('finding_type')->badge()->label('Type'),
@ -308,24 +261,26 @@ public static function infolist(Schema $schema): Schema
                                ? OperationRunLinks::tenantlessView((int) $record->current_operation_run_id, static::findingRunNavigationContext($record))
                                : null)
                            ->openUrlInNewTab(),
                        TextEntry::make('acknowledged_at')->dateTime()->placeholder('—'),
                        TextEntry::make('acknowledged_by_user_id')->label('Acknowledged by')->placeholder('—'),
                        TextEntry::make('first_seen_at')->label('First seen')->dateTime()->placeholder('—'),
                        TextEntry::make('last_seen_at')->label('Last seen')->dateTime()->placeholder('—'),
                        TextEntry::make('times_seen')->label('Times seen')->placeholder('—'),
                        TextEntry::make('sla_days')->label('SLA days')->placeholder('—'),
                        TextEntry::make('due_at')->label('Due at')->dateTime()->placeholder('—'),
                        TextEntry::make('owner_user_id')
                            ->label('Owner')
                            ->formatStateUsing(fn (mixed $state, Finding $record): string => $record->ownerUser?->name ?? ($state ? 'User #'.$state : '—')),
                        TextEntry::make('assignee_user_id')
                            ->label('Assignee')
                            ->formatStateUsing(fn (mixed $state, Finding $record): string => $record->assigneeUser?->name ?? ($state ? 'User #'.$state : '—')),
                        TextEntry::make('triaged_at')->label('Triaged at')->dateTime()->placeholder('—'),
                        TextEntry::make('in_progress_at')->label('In progress at')->dateTime()->placeholder('—'),
                        TextEntry::make('reopened_at')->label('Reopened at')->dateTime()->placeholder('—'),
                        TextEntry::make('resolved_at')->label('Resolved at')->dateTime()->placeholder('—'),
-                        TextEntry::make('resolved_reason')
+                        TextEntry::make('resolved_reason')->label('Resolved reason')->placeholder('—'),
                            ->label('Resolved reason')
                            ->formatStateUsing(fn (?string $state): string => static::resolveReasonLabel($state) ?? '—')
                            ->placeholder('—'),
                        TextEntry::make('closed_at')->label('Closed at')->dateTime()->placeholder('—'),
-                        TextEntry::make('closed_reason')
+                        TextEntry::make('closed_reason')->label('Closed/risk reason')->placeholder('—'),
                            ->label('Closed/risk reason')
                            ->formatStateUsing(fn (?string $state): string => static::closeReasonLabel($state) ?? '—')
                            ->placeholder('—'),
                        TextEntry::make('closed_by_user_id')
                            ->label('Closed by')
                            ->formatStateUsing(fn (mixed $state, Finding $record): string => $record->closedByUser?->name ?? ($state ? 'User #'.$state : '—')),
@ -757,7 +712,7 @@ public static function table(Table $table): Table
                    ->color(BadgeRenderer::color(BadgeDomain::FindingStatus))
                    ->icon(BadgeRenderer::icon(BadgeDomain::FindingStatus))
                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingStatus))
-                    ->description(fn (Finding $record): string => static::statusDescription($record)),
+                    ->description(fn (Finding $record): string => static::primaryNarrative($record)),
                Tables\Columns\TextColumn::make('governance_validity')
                    ->label('Governance')
                    ->badge()
@ -767,13 +722,7 @@ public static function table(Table $table): Table
                    ->icon(BadgeRenderer::icon(BadgeDomain::FindingRiskGovernanceValidity))
                    ->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingRiskGovernanceValidity))
                    ->placeholder('—')
-                    ->description(fn (Finding $record): ?string => static::governanceListDescription($record)),
+                    ->description(fn (Finding $record): ?string => static::governanceWarning($record)),
                Tables\Columns\TextColumn::make('responsibility_state')
                    ->label('Responsibility')
                    ->badge()
                    ->state(fn (Finding $record): string => $record->responsibilityStateLabel())
                    ->color(fn (Finding $record): string => static::responsibilityStateColor($record))
                    ->description(fn (Finding $record): string => static::responsibilitySummary($record)),
                Tables\Columns\TextColumn::make('evidence_fidelity')
                    ->label('Fidelity')
                    ->badge()
@ -795,20 +744,14 @@ public static function table(Table $table): Table
                    ->dateTime()
                    ->sortable()
                    ->placeholder('—')
-                    ->description(fn (Finding $record): ?string => FindingExceptionResource::relativeTimeDescription($record->due_at) ?? static::dueAttentionLabelFor($record))
+                    ->description(fn (Finding $record): ?string => FindingExceptionResource::relativeTimeDescription($record->due_at) ?? static::dueAttentionLabel($record)),
                    ->toggleable(isToggledHiddenByDefault: true),
                Tables\Columns\TextColumn::make('ownerUser.name')
                    ->label('Accountable owner')
                    ->placeholder('—'),
                Tables\Columns\TextColumn::make('assigneeUser.name')
-                    ->label('Active assignee')
+                    ->label('Assignee')
-                    ->placeholder('—'),
+                    ->placeholder('—')
                    ->description(fn (Finding $record): string => $record->ownerUser?->name !== null ? 'Owner: '.$record->ownerUser->name : 'Owner: unassigned'),
                Tables\Columns\TextColumn::make('subject_external_id')->label('External ID')->toggleable(isToggledHiddenByDefault: true),
                Tables\Columns\TextColumn::make('scope_key')->label('Scope')->toggleable(isToggledHiddenByDefault: true),
-                Tables\Columns\TextColumn::make('created_at')
+                Tables\Columns\TextColumn::make('created_at')->since()->label('Created'),
                    ->since()
                    ->label('Created')
                    ->toggleable(isToggledHiddenByDefault: true),
            ])
            ->filters([
                Tables\Filters\Filter::make('open')
@ -827,7 +770,7 @@ public static function table(Table $table): Table
                        Finding::SEVERITY_CRITICAL,
                    ])),
                Tables\Filters\Filter::make('my_assigned')
-                    ->label('My assigned work')
+                    ->label('My assigned')
                    ->query(function (Builder $query): Builder {
                        $userId = auth()->id();
@ -837,28 +780,9 @@ public static function table(Table $table): Table
                        return $query->where('assignee_user_id', (int) $userId);
                    }),
                Tables\Filters\Filter::make('my_accountability')
                    ->label('My accountability')
                    ->query(function (Builder $query): Builder {
                        $userId = auth()->id();
                        if (! is_numeric($userId)) {
                            return $query->whereRaw('1 = 0');
                        }
                        return $query->where('owner_user_id', (int) $userId);
                    }),
                Tables\Filters\SelectFilter::make('status')
                    ->options(FilterOptionCatalog::findingStatuses())
                    ->label('Status'),
                Tables\Filters\SelectFilter::make('terminal_outcome')
                    ->label('Terminal outcome')
                    ->options(FilterOptionCatalog::findingTerminalOutcomes())
                    ->query(fn (Builder $query, array $data): Builder => static::applyTerminalOutcomeFilter($query, $data['value'] ?? null)),
                Tables\Filters\SelectFilter::make('verification_state')
                    ->label('Verification')
                    ->options(FilterOptionCatalog::findingVerificationStates())
                    ->query(fn (Builder $query, array $data): Builder => static::applyVerificationStateFilter($query, $data['value'] ?? null)),
                Tables\Filters\SelectFilter::make('workflow_family')
                    ->label('Workflow family')
                    ->options(FilterOptionCatalog::findingWorkflowFamilies())
@ -998,6 +922,7 @@ public static function table(Table $table): Table
                                    if (! in_array((string) $record->status, [
                                        Finding::STATUS_NEW,
                                        Finding::STATUS_REOPENED,
                                        Finding::STATUS_ACKNOWLEDGED,
                                    ], true)) {
                                        $skippedCount++;
@ -1041,15 +966,13 @@ public static function table(Table $table): Table
                            ->requiresConfirmation()
                            ->form([
                                Select::make('assignee_user_id')
-                                    ->label('Active assignee')
+                                    ->label('Assignee')
                                    ->placeholder('Unassigned')
                                    ->helperText('Assign the person currently expected to perform or coordinate the remediation work.')
                                    ->options(fn (): array => static::tenantMemberOptions())
                                    ->searchable(),
                                Select::make('owner_user_id')
-                                    ->label('Accountable owner')
+                                    ->label('Owner')
                                    ->placeholder('Unassigned')
                                    ->helperText('Assign the person accountable for ensuring the finding reaches a governed outcome.')
                                    ->options(fn (): array => static::tenantMemberOptions())
                                    ->searchable(),
                            ])
@ -1067,7 +990,6 @@ public static function table(Table $table): Table
                                $assignedCount = 0;
                                $skippedCount = 0;
                                $failedCount = 0;
                                $classificationCounts = [];
                                foreach ($records as $record) {
                                    if (! $record instanceof Finding) {
@ -1090,25 +1012,14 @@ public static function table(Table $table): Table
                                    try {
                                        $record = static::resolveProtectedFindingRecordOrFail($record);
                                        $classification = $workflow->responsibilityChangeClassification(
                                            beforeOwnerUserId: is_numeric($record->owner_user_id) ? (int) $record->owner_user_id : null,
                                            beforeAssigneeUserId: is_numeric($record->assignee_user_id) ? (int) $record->assignee_user_id : null,
                                            afterOwnerUserId: $ownerUserId,
                                            afterAssigneeUserId: $assigneeUserId,
                                        );
                                        $workflow->assign($record, $tenant, $user, $assigneeUserId, $ownerUserId);
                                        $assignedCount++;
                                        $classificationCounts[$classification ?? 'unchanged'] = ($classificationCounts[$classification ?? 'unchanged'] ?? 0) + 1;
                                    } catch (Throwable) {
                                        $failedCount++;
                                    }
                                }
                                $body = "Updated {$assignedCount} finding".($assignedCount === 1 ? '' : 's').'.';
                                $classificationSummary = static::bulkResponsibilityClassificationSummary($classificationCounts);
                                if ($classificationSummary !== null) {
                                    $body .= ' '.$classificationSummary;
                                }
                                if ($skippedCount > 0) {
                                    $body .= " Skipped {$skippedCount}.";
                                }
@ -1130,20 +1041,16 @@ public static function table(Table $table): Table
                    UiEnforcement::forBulkAction(
                        BulkAction::make('resolve_selected')
-                            ->label(GovernanceActionCatalog::rule('resolve_finding')->canonicalLabel.' selected')
+                            ->label('Resolve selected')
                            ->icon('heroicon-o-check-badge')
                            ->color('success')
                            ->requiresConfirmation()
                            ->modalHeading(GovernanceActionCatalog::rule('resolve_finding')->modalHeading)
                            ->modalDescription(GovernanceActionCatalog::rule('resolve_finding')->modalDescription)
                            ->form([
-                                Select::make('resolved_reason')
+                                Textarea::make('resolved_reason')
-                                    ->label('Resolution outcome')
+                                    ->label('Resolution reason')
-                                    ->options(static::resolveReasonOptions())
+                                    ->rows(3)
                                    ->helperText('Use the canonical manual remediation outcome. Trusted verification is recorded later by system evidence.')
                                    ->native(false)
                                    ->required()
-                                    ->selectablePlaceholder(false),
+                                    ->maxLength(255),
                            ])
                            ->action(function (Collection $records, array $data, FindingWorkflowService $workflow): void {
                                $tenant = static::resolveTenantContextForCurrentPanel();
@ -1187,7 +1094,7 @@ public static function table(Table $table): Table
                                    }
                                }
-                                $body = "Resolved {$resolvedCount} finding".($resolvedCount === 1 ? '' : 's')." pending verification.";
+                                $body = "Resolved {$resolvedCount} finding".($resolvedCount === 1 ? '' : 's').'.';
                                if ($skippedCount > 0) {
                                    $body .= " Skipped {$skippedCount}.";
                                }
@ -1209,20 +1116,18 @@ public static function table(Table $table): Table
                    UiEnforcement::forBulkAction(
                        BulkAction::make('close_selected')
-                            ->label(GovernanceActionCatalog::rule('close_finding')->canonicalLabel.' selected')
+                            ->label('Close selected')
                            ->icon('heroicon-o-x-circle')
                            ->color('warning')
                            ->requiresConfirmation()
                            ->modalHeading(GovernanceActionCatalog::rule('close_finding')->modalHeading)
                            ->modalDescription(GovernanceActionCatalog::rule('close_finding')->modalDescription)
                            ->form([
-                                Select::make('closed_reason')
+                                Textarea::make('closed_reason')
                                    ->label('Close reason')
-                                    ->options(static::closeReasonOptions())
+                                    ->rows(3)
                                    ->helperText('Use the canonical administrative closure outcome for this finding.')
                                    ->native(false)
                                    ->required()
-                                    ->selectablePlaceholder(false),
+                                    ->maxLength(255),
                            ])
                            ->action(function (Collection $records, array $data, FindingWorkflowService $workflow): void {
                                $tenant = static::resolveTenantContextForCurrentPanel();
@ -1413,6 +1318,7 @@ public static function triageAction(): Actions\Action
                ->visible(fn (Finding $record): bool => in_array((string) $record->status, [
                    Finding::STATUS_NEW,
                    Finding::STATUS_REOPENED,
                    Finding::STATUS_ACKNOWLEDGED,
                ], true))
                ->action(function (Finding $record, FindingWorkflowService $workflow): void {
                    static::runWorkflowMutation(
@ -1437,6 +1343,7 @@ public static function startProgressAction(): Actions\Action
                ->color('info')
                ->visible(fn (Finding $record): bool => in_array((string) $record->status, [
                    Finding::STATUS_TRIAGED,
                    Finding::STATUS_ACKNOWLEDGED,
                ], true))
                ->action(function (Finding $record, FindingWorkflowService $workflow): void {
                    static::runWorkflowMutation(
@ -1466,20 +1373,28 @@ public static function assignAction(): Actions\Action
                ])
                ->form([
                    Select::make('assignee_user_id')
-                        ->label('Active assignee')
+                        ->label('Assignee')
                        ->placeholder('Unassigned')
                        ->helperText('Assign the person currently expected to perform or coordinate the remediation work.')
                        ->options(fn (): array => static::tenantMemberOptions())
                        ->searchable(),
                    Select::make('owner_user_id')
-                        ->label('Accountable owner')
+                        ->label('Owner')
                        ->placeholder('Unassigned')
                        ->helperText('Assign the person accountable for ensuring the finding reaches a governed outcome.')
                        ->options(fn (): array => static::tenantMemberOptions())
                        ->searchable(),
                ])
                ->action(function (Finding $record, array $data, FindingWorkflowService $workflow): void {
-                    static::runResponsibilityMutation($record, $data, $workflow);
+                    static::runWorkflowMutation(
                        record: $record,
                        successTitle: 'Finding assignment updated',
                        callback: fn (Finding $finding, Tenant $tenant, User $user): Finding => $workflow->assign(
                            $finding,
                            $tenant,
                            $user,
                            is_numeric($data['assignee_user_id'] ?? null) ? (int) $data['assignee_user_id'] : null,
                            is_numeric($data['owner_user_id'] ?? null) ? (int) $data['owner_user_id'] : null,
                        ),
                    );
                })
        )
            ->preserveVisibility()
@ -1490,30 +1405,24 @@ public static function assignAction(): Actions\Action
    public static function resolveAction(): Actions\Action
    {
        $rule = GovernanceActionCatalog::rule('resolve_finding');
        return UiEnforcement::forAction(
            Actions\Action::make('resolve')
-                ->label($rule->canonicalLabel)
+                ->label('Resolve')
                ->icon('heroicon-o-check-badge')
                ->color('success')
                ->visible(fn (Finding $record): bool => $record->hasOpenStatus())
                ->requiresConfirmation()
                ->modalHeading($rule->modalHeading)
                ->modalDescription($rule->modalDescription)
                ->form([
-                    Select::make('resolved_reason')
+                    Textarea::make('resolved_reason')
-                        ->label('Resolution outcome')
+                        ->label('Resolution reason')
-                        ->options(static::resolveReasonOptions())
+                        ->rows(3)
                        ->helperText('Use the canonical manual remediation outcome. Trusted verification is recorded later by system evidence.')
                        ->native(false)
                        ->required()
-                        ->selectablePlaceholder(false),
+                        ->maxLength(255),
                ])
-                ->action(function (Finding $record, array $data, FindingWorkflowService $workflow) use ($rule): void {
+                ->action(function (Finding $record, array $data, FindingWorkflowService $workflow): void {
                    static::runWorkflowMutation(
                        record: $record,
-                        successTitle: $rule->successTitle,
+                        successTitle: 'Finding resolved',
                        callback: fn (Finding $finding, Tenant $tenant, User $user): Finding => $workflow->resolve(
                            $finding,
                            $tenant,
@ -1543,13 +1452,11 @@ public static function closeAction(): Actions\Action
                ->modalHeading($rule->modalHeading)
                ->modalDescription($rule->modalDescription)
                ->form([
-                    Select::make('closed_reason')
+                    Textarea::make('closed_reason')
                        ->label('Close reason')
-                        ->options(static::closeReasonOptions())
+                        ->rows(3)
                        ->helperText('Use the canonical administrative closure outcome for this finding.')
                        ->native(false)
                        ->required()
-                        ->selectablePlaceholder(false),
+                        ->maxLength(255),
                ])
                ->action(function (Finding $record, array $data, FindingWorkflowService $workflow) use ($rule): void {
                    static::runWorkflowMutation(
@ -1581,9 +1488,8 @@ public static function requestExceptionAction(): Actions\Action
                ->requiresConfirmation()
                ->form([
                    Select::make('owner_user_id')
-                        ->label('Exception owner')
+                        ->label('Owner')
                        ->required()
                        ->helperText('Owns the exception record, not the finding outcome.')
                        ->options(fn (): array => static::tenantMemberOptions())
                        ->searchable(),
                    Textarea::make('request_reason')
@ -1650,9 +1556,8 @@ public static function renewExceptionAction(): Actions\Action
                ->modalDescription($rule->modalDescription)
                ->form([
                    Select::make('owner_user_id')
-                        ->label('Exception owner')
+                        ->label('Owner')
                        ->required()
                        ->helperText('Owns the exception record, not the finding outcome.')
                        ->options(fn (): array => static::tenantMemberOptions())
                        ->searchable(),
                    Textarea::make('request_reason')
@ -1744,17 +1649,12 @@ public static function reopenAction(): Actions\Action
                ->modalHeading($rule->modalHeading)
                ->modalDescription($rule->modalDescription)
                ->visible(fn (Finding $record): bool => Finding::isTerminalStatus((string) $record->status))
                ->fillForm([
                    'reopen_reason' => Finding::REOPEN_REASON_MANUAL_REASSESSMENT,
                ])
                ->form([
-                    Select::make('reopen_reason')
+                    Textarea::make('reopen_reason')
                        ->label('Reopen reason')
-                        ->options(static::reopenReasonOptions())
+                        ->rows(3)
                        ->helperText('Use the canonical reopen reason that best describes why this finding needs active workflow again.')
                        ->native(false)
                        ->required()
-                        ->selectablePlaceholder(false),
+                        ->maxLength(255),
                ])
                ->action(function (Finding $record, array $data, FindingWorkflowService $workflow) use ($rule): void {
                    static::runWorkflowMutation(
@ -1827,76 +1727,6 @@ private static function runWorkflowMutation(Finding $record, string $successTitl
            ->send();
    }
    /**
     * @param  array<string, mixed>  $data
     */
    private static function runResponsibilityMutation(Finding $record, array $data, FindingWorkflowService $workflow): void
    {
        $pageRecord = $record;
        $record = static::resolveProtectedFindingRecordOrFail($record);
        $tenant = static::resolveTenantContextForCurrentPanel();
        $user = auth()->user();
        if (! $tenant instanceof Tenant || ! $user instanceof User) {
            return;
        }
        if ((int) $record->tenant_id !== (int) $tenant->getKey()) {
            Notification::make()
                ->title('Finding belongs to a different tenant')
                ->danger()
                ->send();
            return;
        }
        if ((int) $record->workspace_id !== (int) $tenant->workspace_id) {
            Notification::make()
                ->title('Finding belongs to a different workspace')
                ->danger()
                ->send();
            return;
        }
        $beforeOwnerUserId = is_numeric($record->owner_user_id) ? (int) $record->owner_user_id : null;
        $beforeAssigneeUserId = is_numeric($record->assignee_user_id) ? (int) $record->assignee_user_id : null;
        $assigneeUserId = is_numeric($data['assignee_user_id'] ?? null) ? (int) $data['assignee_user_id'] : null;
        $ownerUserId = is_numeric($data['owner_user_id'] ?? null) ? (int) $data['owner_user_id'] : null;
        try {
            $workflow->assign($record, $tenant, $user, $assigneeUserId, $ownerUserId);
            $pageRecord->refresh();
        } catch (InvalidArgumentException $e) {
            Notification::make()
                ->title('Responsibility update failed')
                ->body($e->getMessage())
                ->danger()
                ->send();
            return;
        }
        $classification = $workflow->responsibilityChangeClassification(
            beforeOwnerUserId: $beforeOwnerUserId,
            beforeAssigneeUserId: $beforeAssigneeUserId,
            afterOwnerUserId: $ownerUserId,
            afterAssigneeUserId: $assigneeUserId,
        );
        Notification::make()
            ->title($classification === null ? 'Finding responsibility unchanged' : 'Finding responsibility updated')
            ->body($workflow->responsibilityChangeSummary(
                beforeOwnerUserId: $beforeOwnerUserId,
                beforeAssigneeUserId: $beforeAssigneeUserId,
                afterOwnerUserId: $ownerUserId,
                afterAssigneeUserId: $assigneeUserId,
            ))
            ->success()
            ->send();
    }
    /**
     * @param  array<string, mixed>  $data
     */
@ -1924,7 +1754,6 @@ private static function runExceptionRequestMutation(Finding $record, array $data
        Notification::make()
            ->title('Exception request submitted')
            ->body('Exception ownership stays separate from the finding owner.')
            ->success()
            ->actions([
                Actions\Action::make('view_exception')
@ -1960,7 +1789,6 @@ private static function runExceptionRenewalMutation(Finding $record, array $data
        Notification::make()
            ->title('Renewal request submitted')
            ->body('Exception ownership stays separate from the finding owner.')
            ->success()
            ->actions([
                Actions\Action::make('view_exception')
@ -2085,87 +1913,6 @@ private static function findingExceptionViewUrl(\App\Models\FindingException $ex
        return FindingExceptionResource::getUrl('view', ['record' => $exception], panel: 'tenant', tenant: $tenant);
    }
    /**
     * @param  array<string, int>  $classificationCounts
     */
    private static function bulkResponsibilityClassificationSummary(array $classificationCounts): ?string
    {
        $parts = [];
        foreach ($classificationCounts as $classification => $count) {
            $parts[] = static::responsibilityClassificationLabel($classification).': '.$count;
        }
        if ($parts === []) {
            return null;
        }
        return implode('. ', $parts).'.';
    }
    private static function responsibilityClassificationLabel(string $classification): string
    {
        return match ($classification) {
            'owner_only' => 'Owner only',
            'assignee_only' => 'Assignee only',
            'owner_and_assignee' => 'Owner and assignee',
            'clear_owner' => 'Cleared owner',
            'clear_assignee' => 'Cleared assignee',
            default => 'Unchanged',
        };
    }
    private static function responsibilityStateColor(Finding $finding): string
    {
        return match ($finding->responsibilityState()) {
            Finding::RESPONSIBILITY_STATE_ORPHANED_ACCOUNTABILITY => 'danger',
            Finding::RESPONSIBILITY_STATE_OWNED_UNASSIGNED => 'warning',
            default => 'success',
        };
    }
    public static function accountableOwnerDisplayFor(Finding $finding): string
    {
        return $finding->ownerUser?->name ?? 'Unassigned';
    }
    public static function activeAssigneeDisplayFor(Finding $finding): string
    {
        return $finding->assigneeUser?->name ?? 'Unassigned';
    }
    private static function responsibilitySummary(Finding $finding): string
    {
        $ownerName = $finding->ownerUser?->name;
        $assigneeName = $finding->assigneeUser?->name;
        return match ($finding->responsibilityState()) {
            Finding::RESPONSIBILITY_STATE_ORPHANED_ACCOUNTABILITY => $assigneeName !== null
                ? "No accountable owner is set. {$assigneeName} is currently carrying the active remediation work."
                : 'No accountable owner or active assignee is set.',
            Finding::RESPONSIBILITY_STATE_OWNED_UNASSIGNED => "{$ownerName} owns the outcome, but active remediation is still unassigned.",
            default => $ownerName === $assigneeName
                ? "{$ownerName} owns the outcome and is also the active assignee."
                : "{$ownerName} owns the outcome. {$assigneeName} is the active assignee.",
        };
    }
    private static function governanceListDescription(Finding $finding): ?string
    {
        $parts = array_values(array_filter([
            static::governanceWarning($finding),
            static::resolvedFindingException($finding)?->owner?->name !== null
                ? 'Exception owner: '.static::resolvedFindingException($finding)?->owner?->name
                : null,
        ]));
        if ($parts === []) {
            return null;
        }
        return implode(' ', $parts);
    }
    private static function governanceWarning(Finding $finding): ?string
    {
        return app(FindingRiskGovernanceResolver::class)
@ -2193,150 +1940,6 @@ private static function governanceValidityState(Finding $finding): ?string
            ->resolveGovernanceValidity($finding, static::resolvedFindingException($finding));
    }
    private static function findingOutcomeSemantics(): FindingOutcomeSemantics
    {
        return app(FindingOutcomeSemantics::class);
    }
    /**
     * @return array{
     *     terminal_outcome_key: ?string,
     *     label: ?string,
     *     verification_state: string,
     *     verification_label: ?string,
     *     report_bucket: ?string
     * }
     */
    private static function findingOutcome(Finding $finding): array
    {
        return static::findingOutcomeSemantics()->describe($finding);
    }
    /**
     * @return array<string, string>
     */
    private static function resolveReasonOptions(): array
    {
        return [
            Finding::RESOLVE_REASON_REMEDIATED => 'Remediated',
        ];
    }
    /**
     * @return array<string, string>
     */
    private static function closeReasonOptions(): array
    {
        return [
            Finding::CLOSE_REASON_FALSE_POSITIVE => 'False positive',
            Finding::CLOSE_REASON_DUPLICATE => 'Duplicate',
            Finding::CLOSE_REASON_NO_LONGER_APPLICABLE => 'No longer applicable',
        ];
    }
    /**
     * @return array<string, string>
     */
    private static function reopenReasonOptions(): array
    {
        return [
            Finding::REOPEN_REASON_RECURRED_AFTER_RESOLUTION => 'Recurred after resolution',
            Finding::REOPEN_REASON_VERIFICATION_FAILED => 'Verification failed',
            Finding::REOPEN_REASON_MANUAL_REASSESSMENT => 'Manual reassessment',
        ];
    }
    private static function resolveReasonLabel(?string $reason): ?string
    {
        return static::resolveReasonOptions()[$reason] ?? match ($reason) {
            Finding::RESOLVE_REASON_NO_LONGER_DRIFTING => 'No longer drifting',
            Finding::RESOLVE_REASON_PERMISSION_GRANTED => 'Permission granted',
            Finding::RESOLVE_REASON_PERMISSION_REMOVED_FROM_REGISTRY => 'Permission removed from registry',
            Finding::RESOLVE_REASON_ROLE_ASSIGNMENT_REMOVED => 'Role assignment removed',
            Finding::RESOLVE_REASON_GA_COUNT_WITHIN_THRESHOLD => 'GA count within threshold',
            default => null,
        };
    }
    private static function closeReasonLabel(?string $reason): ?string
    {
        return static::closeReasonOptions()[$reason] ?? match ($reason) {
            Finding::CLOSE_REASON_ACCEPTED_RISK => 'Accepted risk',
            default => null,
        };
    }
    private static function reopenReasonLabel(?string $reason): ?string
    {
        return static::reopenReasonOptions()[$reason] ?? null;
    }
    private static function terminalOutcomeLabel(Finding $finding): ?string
    {
        return static::findingOutcome($finding)['label'] ?? null;
    }
    private static function verificationStateLabel(Finding $finding): ?string
    {
        return static::findingOutcome($finding)['verification_label'] ?? null;
    }
    private static function statusDescription(Finding $finding): string
    {
        return static::terminalOutcomeLabel($finding) ?? static::primaryNarrative($finding);
    }
    private static function applyTerminalOutcomeFilter(Builder $query, mixed $value): Builder
    {
        if (! is_string($value) || $value === '') {
            return $query;
        }
        return match ($value) {
            FindingOutcomeSemantics::OUTCOME_RESOLVED_PENDING_VERIFICATION => $query
                ->where('status', Finding::STATUS_RESOLVED)
                ->whereIn('resolved_reason', Finding::manualResolveReasonKeys()),
            FindingOutcomeSemantics::OUTCOME_VERIFIED_CLEARED => $query
                ->where('status', Finding::STATUS_RESOLVED)
                ->whereIn('resolved_reason', Finding::systemResolveReasonKeys()),
            FindingOutcomeSemantics::OUTCOME_CLOSED_FALSE_POSITIVE => $query
                ->where('status', Finding::STATUS_CLOSED)
                ->where('closed_reason', Finding::CLOSE_REASON_FALSE_POSITIVE),
            FindingOutcomeSemantics::OUTCOME_CLOSED_DUPLICATE => $query
                ->where('status', Finding::STATUS_CLOSED)
                ->where('closed_reason', Finding::CLOSE_REASON_DUPLICATE),
            FindingOutcomeSemantics::OUTCOME_CLOSED_NO_LONGER_APPLICABLE => $query
                ->where('status', Finding::STATUS_CLOSED)
                ->where('closed_reason', Finding::CLOSE_REASON_NO_LONGER_APPLICABLE),
            FindingOutcomeSemantics::OUTCOME_RISK_ACCEPTED => $query
                ->where('status', Finding::STATUS_RISK_ACCEPTED),
            default => $query,
        };
    }
    private static function applyVerificationStateFilter(Builder $query, mixed $value): Builder
    {
        if (! is_string($value) || $value === '') {
            return $query;
        }
        return match ($value) {
            FindingOutcomeSemantics::VERIFICATION_PENDING => $query
                ->where('status', Finding::STATUS_RESOLVED)
                ->whereIn('resolved_reason', Finding::manualResolveReasonKeys()),
            FindingOutcomeSemantics::VERIFICATION_VERIFIED => $query
                ->where('status', Finding::STATUS_RESOLVED)
                ->whereIn('resolved_reason', Finding::systemResolveReasonKeys()),
            FindingOutcomeSemantics::VERIFICATION_NOT_APPLICABLE => $query->where(function (Builder $verificationQuery): void {
                $verificationQuery
                    ->where('status', '!=', Finding::STATUS_RESOLVED)
                    ->orWhereNull('resolved_reason')
                    ->orWhereNotIn('resolved_reason', Finding::resolveReasonKeys());
            }),
            default => $query,
        };
    }
    private static function primaryNarrative(Finding $finding): string
    {
        return app(FindingRiskGovernanceResolver::class)
@ -2355,7 +1958,7 @@ private static function primaryNextAction(Finding $finding): ?string
            ->resolvePrimaryNextAction($finding, static::resolvedFindingException($finding));
    }
-    public static function dueAttentionLabelFor(Finding $finding): ?string
+    private static function dueAttentionLabel(Finding $finding): ?string
    {
        if (! $finding->hasOpenStatus() || ! $finding->due_at) {
            return null;
@ -2372,9 +1975,9 @@ public static function dueAttentionLabelFor(Finding $finding): ?string
        return null;
    }
-    public static function dueAttentionColorFor(Finding $finding): string
+    private static function dueAttentionColor(Finding $finding): string
    {
-        return match (static::dueAttentionLabelFor($finding)) {
+        return match (static::dueAttentionLabel($finding)) {
            'Overdue' => 'danger',
            'Due soon' => 'warning',
            default => 'gray',
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ahmed Darrazi	85d93135e3	Merge remote-tracking branch 'origin/dev' into 214-governance-outcome-compression Some checks failed PR Fast Feedback / fast-feedback (pull_request) Failing after 46s Details # Conflicts: # .github/agents/copilot-instructions.md	2026-04-19 14:23:16 +02:00
Ahmed Darrazi	9f74f7a658	feat: compress governance operator outcomes Some checks failed PR Fast Feedback / fast-feedback (pull_request) Failing after 51s Details	2026-04-19 14:15:11 +02:00
		`@ -1 +1 @@`
			{"name":"color-name","version":"1.1.4","requiresBuild":false,"files":{"package.json":{"checkedAt":1776976148151,"integrity":"sha512-E5CrPeTNIaZAftwqMJpkT8PDNamUJUrubHLTZ6Rjn3l9RvJKSLw6MGXT6SAcRHV3ltLOSTOa1HvkQ7/GUOoaHw==","mode":438,"size":607},"index.js":{"checkedAt":1776976148156,"integrity":"sha512-nek+57RYqda5dmQCKQmtJafLicLP3Y7hmqLhJlZrenqTCyQUOip2+D2/8Z8aZ7CnHek+irJIcgwu4kM5boaUUQ==","mode":438,"size":4617},"LICENSE":{"checkedAt":1776976148162,"integrity":"sha512-/B1lNSwRTHWUyb7fW+QyujnUJv6vUL+PfFLTJ4EyPIS/yaaFMa77VYyX6+RucS4dNdhguh4aarSLSnm4lAklQA==","mode":438,"size":1085},"README.md":{"checkedAt":1776976148168,"integrity":"sha512-/hmGUPmp0gXgx/Ov5oGW6DAU3c4h4aLMa/bE1TkpZHPU7dCx5JFS9hoYM4/+919EWCaPtBhWzK+6pG/6xdx+Ng==","mode":438,"size":384}}}				{"name":"color-name","version":"1.1.4","requiresBuild":false,"files":{"package.json":{"checkedAt":1776593337482,"integrity":"sha512-E5CrPeTNIaZAftwqMJpkT8PDNamUJUrubHLTZ6Rjn3l9RvJKSLw6MGXT6SAcRHV3ltLOSTOa1HvkQ7/GUOoaHw==","mode":438,"size":607},"index.js":{"checkedAt":1776593337489,"integrity":"sha512-nek+57RYqda5dmQCKQmtJafLicLP3Y7hmqLhJlZrenqTCyQUOip2+D2/8Z8aZ7CnHek+irJIcgwu4kM5boaUUQ==","mode":438,"size":4617},"LICENSE":{"checkedAt":1776593337495,"integrity":"sha512-/B1lNSwRTHWUyb7fW+QyujnUJv6vUL+PfFLTJ4EyPIS/yaaFMa77VYyX6+RucS4dNdhguh4aarSLSnm4lAklQA==","mode":438,"size":1085},"README.md":{"checkedAt":1776593337500,"integrity":"sha512-/hmGUPmp0gXgx/Ov5oGW6DAU3c4h4aLMa/bE1TkpZHPU7dCx5JFS9hoYM4/+919EWCaPtBhWzK+6pG/6xdx+Ng==","mode":438,"size":384}}}
		`@ -1 +1 @@`
			{"name":"@types/estree","version":"1.0.8","requiresBuild":false,"files":{"LICENSE":{"checkedAt":1776976148127,"integrity":"sha512-HQaIQk9pwOcyKutyDk4o2a87WnotwYuLGYFW43emGm4FvIJFKPyg+OYaw5sTegKAKf+C5SKa1ACjzCLivbaHrQ==","mode":420,"size":1141},"README.md":{"checkedAt":1776976148139,"integrity":"sha512-alZQw4vOCWtDJlTmYSm+aEvD0weTLtGERCy5tNbpyvPI5F2j9hEWxHuUdwL+TZU2Nhdx7EGRhitAiv0xuSxaeg==","mode":420,"size":458},"flow.d.ts":{"checkedAt":1776976148143,"integrity":"sha512-f3OqA/2H/A62ZLT0qAZlUCUAiI89dMFcY+XrAU08dNgwHhXSQmFeMc7w/Ee7RE8tHU5RXFoQazarmCUsnCvXxg==","mode":420,"size":4801},"index.d.ts":{"checkedAt":1776976148144,"integrity":"sha512-YwR3YirWettZcjZgr7aNimg/ibEuP+6JMqAvL+cT6ubq2ctYKL9Xv+PgBssGCPES01PG5zKTHSvhShXCjXOrDg==","mode":420,"size":18944},"package.json":{"checkedAt":1776976148144,"integrity":"sha512-KaEBTHEFL2oVUvCrjSJR/H812XIaeRGbSZFP8DBb2Hon+IQwND0zz7oRvrXTm2AzzjneqH+pkB2Lusw29yJ/WA==","mode":420,"size":829}}}				{"name":"@types/estree","version":"1.0.8","requiresBuild":false,"files":{"LICENSE":{"checkedAt":1776593336106,"integrity":"sha512-HQaIQk9pwOcyKutyDk4o2a87WnotwYuLGYFW43emGm4FvIJFKPyg+OYaw5sTegKAKf+C5SKa1ACjzCLivbaHrQ==","mode":420,"size":1141},"README.md":{"checkedAt":1776593336125,"integrity":"sha512-alZQw4vOCWtDJlTmYSm+aEvD0weTLtGERCy5tNbpyvPI5F2j9hEWxHuUdwL+TZU2Nhdx7EGRhitAiv0xuSxaeg==","mode":420,"size":458},"flow.d.ts":{"checkedAt":1776593336132,"integrity":"sha512-f3OqA/2H/A62ZLT0qAZlUCUAiI89dMFcY+XrAU08dNgwHhXSQmFeMc7w/Ee7RE8tHU5RXFoQazarmCUsnCvXxg==","mode":420,"size":4801},"index.d.ts":{"checkedAt":1776593336138,"integrity":"sha512-YwR3YirWettZcjZgr7aNimg/ibEuP+6JMqAvL+cT6ubq2ctYKL9Xv+PgBssGCPES01PG5zKTHSvhShXCjXOrDg==","mode":420,"size":18944},"package.json":{"checkedAt":1776593336144,"integrity":"sha512-KaEBTHEFL2oVUvCrjSJR/H812XIaeRGbSZFP8DBb2Hon+IQwND0zz7oRvrXTm2AzzjneqH+pkB2Lusw29yJ/WA==","mode":420,"size":829}}}
		`@ -1 +1 @@`
			{"name":"tslib","version":"2.8.1","requiresBuild":false,"files":{"tslib.es6.html":{"checkedAt":1776976148162,"integrity":"sha512-aoAR2zaxE9UtcXO4kE9FbPBgIZEVk7u3Z+nEPmDo6rwcYth07KxrVZejVEdy2XmKvkkcb8O/XM9UK3bPc1iMPw==","mode":420,"size":36},"tslib.html":{"checkedAt":1776976148164,"integrity":"sha512-4dCvZ5WYJpcbIJY4RPUhOBbFud1156Rr7RphuR12/+mXKUeIpCxol2/uWL4WDFNNlSH909M2AY4fiLWJo8+fTw==","mode":420,"size":32},"modules/index.js":{"checkedAt":1776976148166,"integrity":"sha512-DqWTtBt/Q47Jm4z8VzCLSiG/2R+Mwqy8uB60ithBWyofDYamF5C4icYdqbq/NP2IE/TefCT/03uAwA5mujzR7A==","mode":420,"size":1416},"tslib.es6.js":{"checkedAt":1776976148173,"integrity":"sha512-FugydTgfIjlaQrbH9gaIh59iXw8keW2311ILz3FBWn1IHLwPcmWte+ZE8UeXXGTQRc2E8NhQSCzYA6/zX36+7w==","mode":420,"size":19215},"tslib.js":{"checkedAt":1776976148180,"integrity":"sha512-7Gj/3vlZdba9iZH2H2up34pBk5UfN1tWQl3/TjsHzw3Oipw/stl6nko8k4jk+MeDeLPJE3rKz3VoQG5XmgwSmg==","mode":420,"size":23382},"modules/package.json":{"checkedAt":1776976148185,"integrity":"sha512-vm8hQn5MuoMkjJYvBBHTAtsdrcuXmVrKZwL3FEq32oGiKFhY562FoUQTbXv24wk0rwJVpgribUCOIU98IaS9Mg==","mode":420,"size":26},"package.json":{"checkedAt":1776976148187,"integrity":"sha512-72peSY+xgEHIo+YSpUbUl6qsExQ5ZlgeiDVDAiy4QdVmmBkK7RAB/07CCX3gg0SyvvQVJiGgAD36ub3rgE4QCg==","mode":420,"size":1219},"README.md":{"checkedAt":1776976148192,"integrity":"sha512-kCH2ENYjhlxwI7ae89ymMIP2tZeNcJJOcqnfifnmHQiHeK4mWnGc4w8ygoiUIpG1qyaurZkRSrYtwHCEIMNhbA==","mode":420,"size":4033},"SECURITY.md":{"checkedAt":1776976148195,"integrity":"sha512-ix30VBNb4RQLa5M2jgfD6IJ9+1XKmeREKrOYv7rDoWGZCin0605vEx3tTAVb5kNvteCwZwBC+nEGfQ4jHLg9Fw==","mode":420,"size":2757},"tslib.es6.mjs":{"checkedAt":1776976148199,"integrity":"sha512-q8VhXPTjmn6KDh3j6Ewn0V3siY1zNdvXvIUNN36llJUtO5cDafldf1Y2zzToBAbgOdh2pjFks7lFDRzZ/LZnDw==","mode":420,"size":17648},"modules/index.d.ts":{"checkedAt":1776976148200,"integrity":"sha512-XcNprVMjDjhbWmH3OTNZV91Uh9sDaCs8oZa3J7g5wMUHsdMJRENmv4XQ/8yqMlTUxKopv8uiztELREI7cw8BDg==","mode":420,"size":801},"tslib.d.ts":{"checkedAt":1776976148210,"integrity":"sha512-kqzM5TLHelP5iJBElSYyBRocQd2XmWsGIzOG6+Mv+CB7KhoZ6BoFioWM3RR2OCm1p96bbSCGnfHo2rozV/WJYQ==","mode":420,"size":18317},"CopyrightNotice.txt":{"checkedAt":1776976148214,"integrity":"sha512-C0myUddnUhhpZ/UcD9yZyMWodQV4fT2wxcfqb/ToD0Z98nB9WfWBl6koNVWJ+8jzeGWP6wQjz9zdX7Unua0/SQ==","mode":420,"size":822},"LICENSE.txt":{"checkedAt":1776976148225,"integrity":"sha512-9cs1Im06/fLAPBpXOY8fHMD2LgUM3kREaKlOX7S6fLWwbG5G+UqlUrqdkTKloRPeDghECezxOiUfzvW6lnEjDg==","mode":420,"size":655}}}				{"name":"tslib","version":"2.8.1","requiresBuild":false,"files":{"tslib.es6.html":{"checkedAt":1776593335180,"integrity":"sha512-aoAR2zaxE9UtcXO4kE9FbPBgIZEVk7u3Z+nEPmDo6rwcYth07KxrVZejVEdy2XmKvkkcb8O/XM9UK3bPc1iMPw==","mode":420,"size":36},"tslib.html":{"checkedAt":1776593335194,"integrity":"sha512-4dCvZ5WYJpcbIJY4RPUhOBbFud1156Rr7RphuR12/+mXKUeIpCxol2/uWL4WDFNNlSH909M2AY4fiLWJo8+fTw==","mode":420,"size":32},"modules/index.js":{"checkedAt":1776593335198,"integrity":"sha512-DqWTtBt/Q47Jm4z8VzCLSiG/2R+Mwqy8uB60ithBWyofDYamF5C4icYdqbq/NP2IE/TefCT/03uAwA5mujzR7A==","mode":420,"size":1416},"tslib.es6.js":{"checkedAt":1776593335206,"integrity":"sha512-FugydTgfIjlaQrbH9gaIh59iXw8keW2311ILz3FBWn1IHLwPcmWte+ZE8UeXXGTQRc2E8NhQSCzYA6/zX36+7w==","mode":420,"size":19215},"tslib.js":{"checkedAt":1776593335213,"integrity":"sha512-7Gj/3vlZdba9iZH2H2up34pBk5UfN1tWQl3/TjsHzw3Oipw/stl6nko8k4jk+MeDeLPJE3rKz3VoQG5XmgwSmg==","mode":420,"size":23382},"modules/package.json":{"checkedAt":1776593335219,"integrity":"sha512-vm8hQn5MuoMkjJYvBBHTAtsdrcuXmVrKZwL3FEq32oGiKFhY562FoUQTbXv24wk0rwJVpgribUCOIU98IaS9Mg==","mode":420,"size":26},"package.json":{"checkedAt":1776593335230,"integrity":"sha512-72peSY+xgEHIo+YSpUbUl6qsExQ5ZlgeiDVDAiy4QdVmmBkK7RAB/07CCX3gg0SyvvQVJiGgAD36ub3rgE4QCg==","mode":420,"size":1219},"README.md":{"checkedAt":1776593335236,"integrity":"sha512-kCH2ENYjhlxwI7ae89ymMIP2tZeNcJJOcqnfifnmHQiHeK4mWnGc4w8ygoiUIpG1qyaurZkRSrYtwHCEIMNhbA==","mode":420,"size":4033},"SECURITY.md":{"checkedAt":1776593335243,"integrity":"sha512-ix30VBNb4RQLa5M2jgfD6IJ9+1XKmeREKrOYv7rDoWGZCin0605vEx3tTAVb5kNvteCwZwBC+nEGfQ4jHLg9Fw==","mode":420,"size":2757},"tslib.es6.mjs":{"checkedAt":1776593335251,"integrity":"sha512-q8VhXPTjmn6KDh3j6Ewn0V3siY1zNdvXvIUNN36llJUtO5cDafldf1Y2zzToBAbgOdh2pjFks7lFDRzZ/LZnDw==","mode":420,"size":17648},"modules/index.d.ts":{"checkedAt":1776593335258,"integrity":"sha512-XcNprVMjDjhbWmH3OTNZV91Uh9sDaCs8oZa3J7g5wMUHsdMJRENmv4XQ/8yqMlTUxKopv8uiztELREI7cw8BDg==","mode":420,"size":801},"tslib.d.ts":{"checkedAt":1776593335264,"integrity":"sha512-kqzM5TLHelP5iJBElSYyBRocQd2XmWsGIzOG6+Mv+CB7KhoZ6BoFioWM3RR2OCm1p96bbSCGnfHo2rozV/WJYQ==","mode":420,"size":18317},"CopyrightNotice.txt":{"checkedAt":1776593335271,"integrity":"sha512-C0myUddnUhhpZ/UcD9yZyMWodQV4fT2wxcfqb/ToD0Z98nB9WfWBl6koNVWJ+8jzeGWP6wQjz9zdX7Unua0/SQ==","mode":420,"size":822},"LICENSE.txt":{"checkedAt":1776593335278,"integrity":"sha512-9cs1Im06/fLAPBpXOY8fHMD2LgUM3kREaKlOX7S6fLWwbG5G+UqlUrqdkTKloRPeDghECezxOiUfzvW6lnEjDg==","mode":420,"size":655}}}