Merge remote-tracking branch 'origin/dev' into 242-operational-controls-session-1777207571

# Conflicts:
#	apps/platform/app/Filament/System/Pages/Ops/Controls.php
#	apps/platform/app/Support/OperationalControls/OperationalControlCatalog.php
#	apps/platform/tests/Feature/System/OpsControls/OperationalControlManagementTest.php
#	apps/platform/tests/Unit/Support/OperationalControls/OperationalControlCatalogTest.php
#	apps/platform/tests/Unit/Support/OperationalControls/OperationalControlScopeResolutionTest.php

.github/agents/copilot-instructions.md

@@ -260,12 +260,6 @@ ## Active Technologies
 - PostgreSQL via existing `managed_tenant_onboarding_sessions`, `provider_connections`, `operation_runs`, and stored permission-posture data; no new persistence planned (240-tenant-onboarding-readiness)
 - PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `OperationRunLinks`, `GovernanceRunDiagnosticSummaryBuilder`, `ProviderReasonTranslator`, `RelatedNavigationResolver`, `RedactionIntegrity`, `WorkspaceAuditLogger` (241-support-diagnostic-pack)
 - PostgreSQL via existing `operation_runs`, `provider_connections`, `findings`, `stored_reports`, `tenant_reviews`, `review_packs`, and `audit_logs`; no new persistence planned (241-support-diagnostic-pack)
-- PHP 8.4, Laravel 12 + Filament v5, Livewire v4, Pest v4, existing review/evidence/review-pack/audit/RBAC support services (249-customer-review-workspace)
-- PostgreSQL via existing `tenant_reviews`, `review_packs`, `evidence_snapshots`, findings / finding-exception truth, workspace memberships, and `audit_logs`; no new persistence planned (249-customer-review-workspace)
-- PHP 8.4 (Laravel 12) + Filament v5 + Livewire v4, existing workspace settings stack (`SettingsRegistry`, `SettingsResolver`, `SettingsWriter`), `WorkspaceEntitlementResolver`, `ReviewPackService`, system directory detail page (251-commercial-entitlements-billing-state)
-- PostgreSQL via existing `workspace_settings` rows plus existing audit log records; no new table or billing/account model (251-commercial-entitlements-billing-state)
-- PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `UiEnforcement`, `OperationUxPresenter`, `OperationRunService`, `OperationCatalog`, `SystemOperationRunLinks`, `OperationRunLinks`, `AuditRecorder`, `WorkspaceAuditLogger`, and `PlatformCapabilities` (253-remove-findings-backfill-runtime-surfaces)
-- PostgreSQL existing `findings`, `operation_runs`, `audit_logs`, and related runtime tables only; no new persistence, migration, or data backfill is planned (253-remove-findings-backfill-runtime-surfaces)
 
 - PHP 8.4.15 (feat/005-bulk-operations)
 
@@ -300,9 +294,9 @@ ## Code Style
 PHP 8.4.15: Follow standard conventions
 
 ## Recent Changes
-- 253-remove-findings-backfill-runtime-surfaces: Added PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `UiEnforcement`, `OperationUxPresenter`, `OperationRunService`, `OperationCatalog`, `SystemOperationRunLinks`, `OperationRunLinks`, `AuditRecorder`, `WorkspaceAuditLogger`, and `PlatformCapabilities`
-- 251-commercial-entitlements-billing-state: Added PHP 8.4 (Laravel 12) + Filament v5 + Livewire v4, existing workspace settings stack (`SettingsRegistry`, `SettingsResolver`, `SettingsWriter`), `WorkspaceEntitlementResolver`, `ReviewPackService`, system directory detail page
-- 249-customer-review-workspace: Added PHP 8.4, Laravel 12 + Filament v5, Livewire v4, Pest v4, existing review/evidence/review-pack/audit/RBAC support services
+- 241-support-diagnostic-pack: Added PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `OperationRunLinks`, `GovernanceRunDiagnosticSummaryBuilder`, `ProviderReasonTranslator`, `RelatedNavigationResolver`, `RedactionIntegrity`, `WorkspaceAuditLogger`
+- 240-tenant-onboarding-readiness: Added PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing onboarding services (`OnboardingLifecycleService`, `OnboardingDraftStageResolver`), provider connection summary, verification assist, and Ops-UX helpers
+- 239-canonical-operation-type-source-of-truth: Added PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + existing `App\Support\OperationCatalog`, `App\Support\OperationRunType`, `App\Services\OperationRunService`, `App\Services\Providers\ProviderOperationRegistry`, `App\Services\Providers\ProviderOperationStartGate`, `App\Filament\Resources\OperationRunResource`, `App\Filament\Pages\Workspaces\ManagedTenantOnboardingWizard`, `App\Support\Filament\FilterOptionCatalog`, `App\Support\OpsUx\OperationUxPresenter`, `App\Support\References\Resolvers\OperationRunReferenceResolver`, `App\Services\Audit\AuditEventBuilder`, Pest v4
 <!-- MANUAL ADDITIONS START -->
 
 ### Pre-production compatibility check

.github/skills/platform-feature-finish/SKILL.md

@@ -1,625 +0,0 @@
-
-
----
-name: platform-feature-finish
-description: Commit, push, create a Gitea PR from a TenantPilot platform feature branch into platform-dev, and optionally refresh the platform-dev to dev integration PR by rebase.
----
-
-# Skill: platform-feature-finish
-
-## Purpose
-
-Automate the TenantPilot platform feature completion workflow.
-
-Trigger this skill when the user says something like:
-
-- "alles committen pushen und PR gegen platform-dev"
-- "feature fertig, bitte PR erstellen"
-- "platform feature abschließen"
-- "commit push PR mit Gitea MCP"
-- "mach PR gegen platform-dev"
-- "finish platform feature"
-- "platform-dev nach dev vorbereiten"
-- "platform-dev PR aktualisieren"
-- "out-of-date mit dev beheben"
-- "integration PR refresh"
-- "platform-dev auf dev rebasen"
-
-This skill handles:
-
-1. Validate current Git branch
-2. Commit all feature changes
-3. Push current feature branch
-4. Create a Gitea pull request into `platform-dev`
-5. Refresh the `platform-dev` → `dev` integration PR when explicitly requested
-6. Report the PR link and next integration step
-
----
-
-## Branch Model
-
-TenantPilot uses area branches:
-
-```text
-dev           = shared integration branch
-platform-dev  = platform/application area integration branch
-website-dev   = website/marketing area integration branch
-```
-
-For platform features:
-
-```text
-platform-dev
-  ↓
-feature branch
-  ↓
-PR back to platform-dev
-  ↓
-platform-dev → dev integration PR
-```
-
-Rules:
-
-- Platform feature branches MUST target `platform-dev`.
-- Do NOT target `dev` directly unless the user explicitly asks.
-- Do NOT use `website-dev` for platform features.
-- `platform-dev` is the default PR base for TenantPilot platform/application work.
-- `dev` is the shared integration branch.
-
-### Solo Workflow Rule
-
-The user works alone on `platform-dev`.
-
-For refreshing the integration branch before opening or updating the PR `platform-dev` → `dev`, prefer rebase over merge.
-
-Do not repeatedly merge `origin/dev` into `platform-dev` for refresh.
-
-Avoid creating repeated merge commits like:
-
-```text
-Merge remote-tracking branch 'origin/dev' into platform-dev
-```
-
-Use `--force-with-lease`, never plain `--force`.
-
-If rebase conflicts occur, stop and report the conflict files.
-
----
-
-## Preconditions
-
-Before committing:
-
-1. Confirm repository root.
-2. Confirm current branch is not protected.
-
-Protected branches:
-
-```text
-dev
-platform-dev
-website-dev
-main
-master
-```
-
-If the current branch is protected, STOP and report:
-
-```text
-Ich bin auf einem geschützten Branch. Bitte zuerst einen Feature-Branch auschecken.
-```
-
-3. Confirm remote exists.
-4. Confirm there are local changes, untracked files, or unpushed commits.
-5. Confirm there are no unresolved conflicts.
-
-Do not ask for confirmation unless:
-
-- The current branch is protected.
-- Git status indicates unresolved conflicts.
-- There is no remote configured.
-- `.env` or other local secret/config files would be committed.
-- Commit fails.
-- Push fails.
-- Gitea MCP PR creation fails.
-
----
-
-## Required Tools
-
-Use terminal for Git operations.
-
-Use Gitea MCP for pull request creation.
-
-Preferred Gitea MCP operation:
-
-```text
-create_pull_request
-```
-
-Required PR parameters:
-
-```json
-{
-  "owner": "ahmido",
-  "repo": "TenantAtlas",
-  "head": "<current-feature-branch>",
-  "base": "platform-dev",
-  "title": "<generated-title>",
-  "body": "<generated-body>"
-}
-```
-
----
-
-## Workflow
-
-### Step 1 — Inspect Git state
-
-Run:
-
-```bash
-git rev-parse --show-toplevel
-git rev-parse --abbrev-ref HEAD
-git status --porcelain
-git status -sb
-git config --get remote.origin.url
-git log --oneline --max-count=5
-```
-
-Determine:
-
-- repository root
-- current branch
-- changed files
-- untracked files
-- remote URL
-- whether there are unpushed commits
-- whether unresolved conflicts exist
-
-If the current branch is protected, stop.
-
-If unresolved conflicts exist, stop.
-
-If no remote exists, stop.
-
----
-
-### Step 2 — Check for local environment files
-
-Before `git add -A`, check whether local environment/config files are modified or untracked:
-
-```bash
-git status --porcelain | grep -E '(^.. \.env$|^.. apps/platform/\.env$|^.. .*\.env$)' || true
-```
-
-If `.env` or another environment file is included, STOP and report:
-
-```text
-Achtung: Eine .env-/Environment-Datei ist geändert oder untracked. Ich committe das nicht automatisch. Bitte prüfen oder aus dem Commit entfernen.
-```
-
-Do not commit secrets or local runtime configuration.
-
----
-
-### Step 3 — Build commit message
-
-Use the current branch name.
-
-If branch starts with a spec number, for example:
-
-```text
-256-external-support-desk-handoff
-```
-
-Generate:
-
-```text
-feat(specs/256): external support desk handoff
-```
-
-If branch does not contain a spec number, generate:
-
-```text
-feat(platform): complete <branch-name>
-```
-
-Rules:
-
-- Use lowercase subject.
-- Use feature-style subject.
-- Do not include `WIP`.
-- Do not include `final`.
-- Do not include overly generic `updates`.
-
-Examples:
-
-```text
-feat(specs/256): external support desk handoff
-feat(specs/252): platform localization v1
-feat(platform): improve tenant review workspace
-```
-
----
-
-### Step 4 — Commit all changes
-
-Run:
-
-```bash
-git add -A
-git commit -m "<commit-message>"
-```
-
-If there are no local changes to commit, continue only if the branch has unpushed commits.
-
-Check unpushed commits with:
-
-```bash
-git status -sb
-git log --oneline origin/<current-branch>..HEAD
-```
-
-If there are no local changes and no unpushed commits, report:
-
-```text
-Es gibt keine lokalen Änderungen und keine unpushed commits. Ich erstelle keinen leeren Commit.
-```
-
-Then continue to PR creation only if the branch already exists remotely or can be pushed.
-
----
-
-### Step 5 — Push branch
-
-Run:
-
-```bash
-git push --set-upstream origin <current-branch>
-```
-
-If the upstream already exists, this is acceptable.
-
-Never force-push unless the user explicitly requests it.
-
----
-
-### Step 6 — Create PR into platform-dev via Gitea MCP
-
-Use Gitea MCP to create a pull request:
-
-```json
-{
-  "owner": "ahmido",
-  "repo": "TenantAtlas",
-  "head": "<current-feature-branch>",
-  "base": "platform-dev",
-  "title": "<commit-message>",
-  "body": "Implements platform feature branch `<current-feature-branch>`.\n\nTarget branch: `platform-dev`.\n\nFollow-up integration path after merge:\n\n`platform-dev` → `dev`."
-}
-```
-
-If a PR already exists for the same branch and base, do not create a duplicate.
-
-Report the existing PR if available.
-
----
-
-## Optional Step — Check platform-dev to dev PR
-
-After creating the feature PR, check whether an open integration PR exists:
-
-```text
-platform-dev → dev
-```
-
-If a Gitea MCP list/search pull request function is available, use it.
-
-If one exists, report:
-
-```text
-Der Folge-PR `platform-dev` → `dev` existiert bereits: <url>
-```
-
-If none exists, report:
-
-```text
-Nach dem Merge dieses Feature-PRs sollte der Integrations-PR `platform-dev` → `dev` erstellt oder aktualisiert werden.
-```
-
-Do not automatically create the `platform-dev` → `dev` PR unless the user explicitly asks for it.
-
-Reason: before the feature PR is merged into `platform-dev`, the integration PR may not include the new feature yet.
-
----
-
-## Integration Refresh Mode
-
-Use this mode when the user explicitly says one of the following:
-
-- "platform-dev nach dev vorbereiten"
-- "platform-dev PR aktualisieren"
-- "out-of-date mit dev beheben"
-- "integration PR refresh"
-- "platform-dev auf dev rebasen"
-- "auch platform-dev nach dev"
-- "und danach platform-dev nach dev"
-- "full integration"
-- "kompletten platform-dev zu dev PR machen"
-- "folge-pr erstellen"
-
-This mode prepares or updates the integration PR:
-
-```text
-platform-dev → dev
-```
-
-Because the user works alone on `platform-dev`, prefer rebase over merge.
-
-### Integration Refresh Preconditions
-
-Before running this mode:
-
-1. Ensure the working tree is clean.
-2. Ensure there are no unresolved conflicts.
-3. Fetch remote branches.
-4. Ensure `origin/platform-dev` exists.
-5. Ensure `origin/dev` exists.
-
-If the working tree is dirty, STOP and report:
-
-```text
-Der Working Tree ist nicht sauber. Bitte erst Änderungen committen, stashen oder verwerfen, bevor `platform-dev` auf `dev` rebased wird.
-```
-
-If unresolved conflicts exist, STOP and report the conflict files.
-
-### Integration Refresh Workflow
-
-Run:
-
-```bash
-git fetch origin
-git checkout platform-dev
-git reset --hard origin/platform-dev
-git rebase origin/dev
-git push --force-with-lease origin platform-dev
-```
-
-After pushing, verify that `origin/dev` is now an ancestor of `origin/platform-dev`:
-
-```bash
-git fetch origin
-git merge-base --is-ancestor origin/dev origin/platform-dev \
-  && echo "OK: platform-dev contains dev" \
-  || echo "OUTDATED: platform-dev does not contain dev"
-```
-
-If the verification prints `OUTDATED`, stop and report it. Do not claim the PR is up-to-date.
-
-Rules:
-
-- Do not merge `origin/dev` into `platform-dev` for this refresh.
-- Do not create repeated merge commits from `origin/dev` into `platform-dev`.
-- Use `git push --force-with-lease origin platform-dev` after a successful rebase.
-- Never use plain `git push --force`.
-- If `git rebase origin/dev` reports conflicts, stop immediately.
-- Do not continue to PR creation while a rebase is unresolved.
-- Do not auto-merge the PR.
-- Do not claim Gitea will remove the out-of-date warning unless the ancestor check succeeds.
-
-If rebase conflicts occur, report:
-
-```text
-Rebase-Konflikte erkannt. Ich habe gestoppt.
-
-Konfliktdateien:
-<files>
-
-Bitte Konflikte lösen, dann `git rebase --continue` ausführen oder den Rebase mit `git rebase --abort` abbrechen.
-```
-
-### Create or Report Integration PR
-
-After the rebase, push, and ancestor verification succeeded, use Gitea MCP to create or report the integration PR:
-
-```json
-{
-  "owner": "ahmido",
-  "repo": "TenantAtlas",
-  "head": "platform-dev",
-  "base": "dev",
-  "title": "chore(platform): merge platform-dev into dev",
-  "body": "Integrates latest TenantPilot platform changes from `platform-dev` into `dev`.\n\nThis PR was created by agent on user request; do not merge automatically."
-}
-```
-
-If an open PR already exists for `platform-dev` → `dev`, do not create a duplicate. Report the existing PR.
-
-### Integration Refresh Reporting Format
-
-Final response for this mode must include:
-
-```text
-Fertig.
-
-- Branch aktualisiert: platform-dev
-- Refresh-Methode: rebase auf origin/dev
-- Ancestor-Check: origin/dev ist Ancestor von origin/platform-dev
-- Push: --force-with-lease origin/platform-dev
-- Integration PR: <url>
-- Base: dev
-- Hinweis: PR wurde nicht automatisch gemerged.
-```
-
-Do not claim tests passed unless they were actually executed.
-
----
-
-## Reporting Format
-
-Final response must be concise and include:
-
-```text
-Fertig.
-
-- Branch: <branch>
-- Commit: <commit-sha or "keine neuen Änderungen">
-- Push: origin/<branch>
-- PR: <url>
-- Base: platform-dev
-- Nächster Schritt: Nach Merge `platform-dev` → `dev` PR aktualisieren/erstellen
-```
-
-If tests were not run, say:
-
-```text
-Tests wurden in diesem Skill nicht automatisch ausgeführt.
-```
-
-Do not claim tests passed unless the tool actually ran them.
-
----
-
-## Safety Rules
-
-- Never commit directly to `dev`, `platform-dev`, `website-dev`, `main`, or `master`.
-- Never force-push unless explicitly requested.
-- For Integration Refresh Mode only, `git push --force-with-lease origin platform-dev` is allowed because the user works alone on `platform-dev`; never use plain `--force`.
-- Never auto-merge PRs unless explicitly requested.
-- Never target `dev` directly for platform feature PRs unless explicitly requested.
-- Never delete branches unless explicitly requested.
-- Never claim tests were run unless the tool actually ran them.
-- Never commit `.env`, secrets, local tokens, local mock-server configuration, or temporary runtime-only changes.
-- If migrations were created, mention that the target environment needs migration execution after deployment.
-- If unresolved conflicts exist, stop.
-
----
-
-## Useful Commands
-
-Inspect:
-
-```bash
-git rev-parse --show-toplevel
-git rev-parse --abbrev-ref HEAD
-git status --porcelain
-git status -sb
-git config --get remote.origin.url
-```
-
-Detect protected branch:
-
-```bash
-branch="$(git rev-parse --abbrev-ref HEAD)"
-case "$branch" in
-  dev|platform-dev|website-dev|main|master)
-    echo "PROTECTED_BRANCH:$branch"
-    exit 2
-    ;;
-esac
-```
-
-Detect unresolved conflicts:
-
-```bash
-git diff --name-only --diff-filter=U
-```
-
-Detect `.env` changes:
-
-```bash
-git status --porcelain | grep -E '(^.. \.env$|^.. apps/platform/\.env$|^.. .*\.env$)' || true
-```
-
-Commit:
-
-```bash
-git add -A
-git commit -m "<message>"
-```
-
-Push:
-
-```bash
-git push --set-upstream origin "$(git rev-parse --abbrev-ref HEAD)"
-```
-
-Latest commit:
-
-```bash
-git rev-parse --short HEAD
-git log -1 --pretty=%s
-```
-
-Integration refresh:
-
-```bash
-git fetch origin
-git checkout platform-dev
-git reset --hard origin/platform-dev
-git rebase origin/dev
-git push --force-with-lease origin platform-dev
-```
-
-Verify integration refresh:
-
-```bash
-git fetch origin
-git merge-base --is-ancestor origin/dev origin/platform-dev \
-  && echo "OK: platform-dev contains dev" \
-  || echo "OUTDATED: platform-dev does not contain dev"
-```
-
-Check rebase conflicts:
-
-```bash
-git diff --name-only --diff-filter=U
-```
-
----
-
-## Example User Request
-
-User:
-
-```text
-alles committen pushen und pr gegen platform-dev mit gitea mcp
-```
-
-Assistant should:
-
-1. Check current branch.
-2. Stop if branch is protected.
-3. Stop if `.env` or secrets would be committed.
-4. Commit all changes.
-5. Push current branch.
-6. Create PR into `platform-dev` with Gitea MCP.
-7. Report result.
-
-Do not ask unnecessary follow-up questions.
-
----
-
-## Example Integration Refresh Request
-
-User:
-
-```text
-platform-dev PR aktualisieren
-```
-
-Assistant should:
-
-1. Ensure the working tree is clean.
-2. Fetch origin.
-3. Checkout `platform-dev`.
-4. Reset local `platform-dev` to `origin/platform-dev`.
-5. Rebase `platform-dev` onto `origin/dev`.
-6. Push with `--force-with-lease`.
-7. Verify `origin/dev` is an ancestor of `origin/platform-dev`.
-8. Create or report the PR `platform-dev` → `dev`.
-9. Report result.
-
-Do not merge the PR automatically.

.github/skills/spec-kit-end-to-end/SKILL.md

@@ -0,0 +1,939 @@
+---
+name: spec-kit-end-to-end
+description: End-to-end Spec Kit workflow for TenantPilot/TenantAtlas: select the next suitable spec candidate from roadmap/spec-candidates when needed, create or update spec.md/plan.md/tasks.md, optionally implement the active spec, run tests, browser smoke checks where applicable, post-implementation analysis, fix confirmed findings, and repeat until no in-scope findings remain or a stop condition is reached.
+---
+
+# Skill: Spec Kit End-to-End Workflow
+
+## Purpose
+
+Use this skill to run an end-to-end Spec Kit workflow for TenantPilot/TenantAtlas.
+
+This skill supports three modes:
+
+1. **Preparation only**: select or scope the next suitable feature from roadmap/spec-candidates and create or update `spec.md`, `plan.md`, and `tasks.md`.
+2. **Implementation only**: implement an already prepared spec, run tests/checks, run strict post-implementation analysis, fix confirmed findings, and repeat until clean or a bounded stop condition is reached.
+3. **End-to-end**: select or create a spec and then implement it in the same invocation, but only when the user explicitly requests end-to-end execution.
+
+The intended workflow is:
+
+```text
+feature idea / roadmap item / spec candidate / active spec
+→ determine requested mode
+→ inspect repo truth, constitution, roadmap, spec candidates, existing specs, and relevant code
+→ create or update spec.md + plan.md + tasks.md when preparation is needed
+→ evaluate quality gates
+→ implement only when the user explicitly asks for implementation or end-to-end execution
+→ run relevant tests/checks
+→ run browser smoke test when UI/user-facing flows are affected
+→ run strict post-implementation analysis
+→ fix confirmed in-scope findings
+→ repeat test + analysis + fix loop until clean or bounded stop condition is reached
+→ final report
+```
+
+## When to Use
+
+Use this skill when the user asks for any Spec Kit workflow around TenantPilot/TenantAtlas, including:
+
+- selecting the next best spec candidate from `docs/product/spec-candidates.md` and roadmap sources
+- turning a feature idea, roadmap item, or candidate into `spec.md`, `plan.md`, and `tasks.md`
+- preparing Spec Kit artifacts in one pass
+- implementing an existing or newly prepared spec
+- running implementation followed by strict analysis and fix iterations
+- executing a full end-to-end flow from candidate selection to implementation verification
+
+Typical user prompts:
+
+```text
+Nimm den nächsten sinnvollen Spec Candidate aus Roadmap/spec-candidates und mach spec, plan und tasks.
+```
+
+```text
+Mach daraus spec, plan und tasks in einem Rutsch, aber noch nicht implementieren.
+```
+
+```text
+Erstelle die Spec Kit Artefakte und implementiere sie danach mit Analyse/Fix-Loop.
+```
+
+```text
+Implementiere die aktive Spec und analysiere danach, ob alles passt.
+```
+
+```text
+Mach Spec Kit implement und danach analyse. Behebe alle Abweichungen und wiederhole bis sauber.
+```
+
+```text
+Run end-to-end: choose next spec, create spec/plan/tasks, implement, analyze, fix until no in-scope findings remain.
+```
+
+## Hard Rules
+
+- Work strictly repo-based.
+- Use the repository's actual Spec Kit workflow, scripts, templates, branch naming rules, and generated paths when available.
+- Determine the requested mode before changing files:
+  - preparation only
+  - implementation only
+  - end-to-end preparation plus implementation
+- Do not implement application code unless the user explicitly asks for implementation, `implement`, or end-to-end execution.
+- When in preparation-only mode, create or update only Spec Kit preparation artifacts unless repository conventions require additional documentation artifacts.
+- When in implementation mode, implement only the active or explicitly named Spec Kit feature.
+- Do not manually invent spec numbers, branch names, or spec paths if Spec Kit provides a script or command for that.
+- Do not bypass Spec Kit branch mechanics.
+- Do not expand scope beyond the selected feature, `spec.md`, `plan.md`, and `tasks.md`.
+- Do not silently add roadmap features, adjacent UX rewrites, speculative architecture, or unrelated refactors.
+- Follow the repository constitution and existing Spec Kit conventions.
+- Preserve TenantPilot/TenantAtlas terminology.
+- Prefer small, reviewable, implementation-ready specs and patches over broad rewrites.
+- Treat repository truth as authoritative over assumptions.
+- If repository truth conflicts with the user-provided draft or spec, keep repository truth and document the deviation.
+- If repository truth conflicts with implementation scope, stop and report the conflict unless there is an obvious minimal correction inside active spec scope.
+- Fix only confirmed findings from tests, static checks, or post-implementation analysis.
+- Fix all confirmed in-scope findings, regardless of severity, when they are safe and bounded.
+- Do not leave Medium/Low findings open silently. If they are not fixed, document exactly why.
+- Never hide failing tests, weaken assertions, delete meaningful coverage, or mark tasks complete without implementation evidence.
+- Do not run destructive commands.
+- Do not force checkout, reset, stash, rebase, merge, or delete branches.
+- Do not perform database-destructive actions unless the repository test workflow explicitly requires isolated test database resets.
+- Do not continue analysis/fix loops indefinitely.
+- Do not move from preparation to implementation unless the Spec Readiness Gate passes or the user explicitly accepts the documented readiness risks.
+- Do not move from implementation to final status unless the Test Gate, Browser Smoke Test Gate where applicable, and Post-Implementation Analysis Gate have been evaluated.
+- Do not claim merge-readiness unless the Merge Readiness Gate passes.
+
+## Required Inputs
+
+The user should provide at least one of:
+
+- feature title and short goal
+- full spec candidate
+- roadmap item
+- rough problem statement
+- UX or architecture improvement idea
+- explicit spec directory such as `specs/<number>-<slug>/`
+- instruction to use the current active Spec Kit feature
+- instruction to choose the next best candidate from roadmap/spec-candidates
+
+If the input is incomplete, proceed with the smallest reasonable interpretation and document assumptions.
+
+If implementation is requested but the active spec cannot be determined safely, inspect the repository Spec Kit context first. If it is still ambiguous, stop and ask for the specific spec directory.
+
+## Required Repository Checks
+
+Always check the sources relevant to the requested mode.
+
+For preparation mode, always check:
+
+1. `.specify/memory/constitution.md`
+2. `.specify/templates/`
+3. `.specify/scripts/`
+4. existing Spec Kit command usage or repository instructions, if present
+5. current branch and git status
+6. `specs/`
+7. `docs/product/spec-candidates.md`
+8. relevant roadmap documents under `docs/product/`, especially `roadmap.md` if present
+9. nearby existing specs with related terminology or scope
+10. application code only as needed to avoid wrong naming, wrong architecture, duplicate concepts, impossible tasks, duplicated specs, or already-completed candidates
+
+For implementation mode, always check:
+
+1. active Spec Kit context / current branch
+2. git status
+3. `.specify/memory/constitution.md`
+4. the active spec directory
+5. `spec.md`
+6. `plan.md`
+7. `tasks.md`
+8. relevant templates or conventions under `.specify/templates/`
+9. nearby existing specs with related terminology or scope
+10. application code surfaces referenced by the active spec
+11. existing tests related to the changed behavior
+
+## Git and Branch Safety
+
+Before running any Spec Kit command or making implementation changes:
+
+1. Check the current branch.
+2. Check whether the working tree is clean.
+3. If there are unrelated uncommitted changes, stop and report them. Do not continue.
+4. If the working tree only contains user-intended planning edits for this operation, continue cautiously.
+5. Let Spec Kit create or switch to the correct feature branch when that is how the repository workflow works.
+6. Do not force checkout, reset, stash, rebase, merge, or delete branches.
+7. Do not overwrite existing specs.
+
+If the repo requires an explicit branch creation script for `specify`, use that script rather than manually creating the branch.
+
+## Mode Selection
+
+Select exactly one mode per invocation unless the user explicitly asks for end-to-end execution.
+
+### Preparation Only
+
+Use when the user asks to:
+
+- create spec/plan/tasks
+- prepare a feature
+- choose the next best spec candidate
+- turn roadmap/spec-candidates into a spec
+- run specify/plan/tasks/analyze without implementation
+- avoid implementation
+
+Output is limited to Spec Kit preparation artifacts, preparation-artifact fixes, and final preparation summary.
+
+### Implementation Only
+
+Use when the user asks to:
+
+- implement an active spec
+- run Spec Kit implement
+- analyze after implementation
+- fix implementation findings
+
+Requires an existing active or explicitly named spec.
+
+### End-to-End
+
+Use only when the user explicitly asks to:
+
+- choose/create the spec and then implement it
+- run the full workflow
+- go from candidate to implementation
+- prepare and implement in one pass
+
+End-to-end mode must keep preparation and implementation phases clearly separated.
+
+End-to-end mode must pass the Candidate Selection Gate and Spec Readiness Gate before implementation begins.
+
+## Quality Gates
+
+Quality gates are mandatory checkpoints. They make the workflow safe for agentic execution without allowing uncontrolled scope expansion.
+
+### Gate 1: Candidate Selection Gate
+
+Required before creating a new spec from roadmap/spec-candidates.
+
+Pass criteria:
+
+- The selected candidate exists in roadmap/spec-candidate material or is directly provided by the user.
+- The selected candidate is not already covered by an existing active or completed spec.
+- The selected candidate aligns with current roadmap priorities or explicitly documented product direction.
+- The candidate can be scoped as a small, reviewable, implementation-ready slice.
+- Major adjacent concerns are listed as follow-up candidates instead of being hidden inside the primary scope.
+
+Fail behavior:
+
+- If no candidate satisfies the gate, stop and report the top candidates plus the reason none is ready.
+- Do not invent a new roadmap direction to force progress.
+
+### Gate 2: Spec Readiness Gate
+
+Required before implementation starts, including end-to-end mode.
+
+Pass criteria:
+
+- `spec.md`, `plan.md`, and `tasks.md` exist.
+- The spec has clear problem statement, user value, functional requirements, out-of-scope boundaries, acceptance criteria, assumptions, and risks.
+- The plan identifies likely affected repo surfaces and does not contradict repository architecture.
+- The tasks are small, ordered, verifiable, and include test/validation tasks.
+- RBAC, workspace/tenant isolation, auditability, OperationRun semantics, evidence/result-truth, and UX requirements are addressed where relevant.
+- No open question blocks safe implementation.
+- The scope is small enough for a bounded implementation loop.
+
+Fail behavior:
+
+- In preparation-only mode, report the readiness gaps and provide the manual analysis prompt.
+- In end-to-end mode, stop before implementation unless the user explicitly asked to proceed despite the documented readiness risks.
+- Do not compensate for an unclear spec by inventing implementation scope.
+
+### Gate 3: Implementation Scope Gate
+
+Required before changing application code.
+
+Pass criteria:
+
+- The active spec directory is known.
+- The implementation target is traceable to specific tasks in `tasks.md`.
+- The affected files/surfaces are consistent with `plan.md` or clearly justified by repository truth.
+- No required change would introduce unrelated product behavior.
+- No required change conflicts with constitution, existing architecture, RBAC/isolation boundaries, or source-of-truth semantics.
+
+Fail behavior:
+
+- Stop before code changes and report the conflict or ambiguity.
+- Suggest a minimal spec/plan/tasks correction if the issue is in the artifacts rather than the codebase.
+
+### Gate 4: Test Gate
+
+Required after implementation and after each fix iteration.
+
+Pass criteria:
+
+- Targeted tests for changed behavior pass.
+- Relevant existing tests pass or failures are proven unrelated and documented.
+- Static analysis, linting, formatting, or type checks used by the repository pass when applicable.
+- Security/governance-relevant changes have backend, policy, or domain coverage; UI-only verification is not enough.
+- Regression coverage exists for each fixed Blocker or High finding where practical.
+
+Fail behavior:
+
+- Fix in-scope failures before post-implementation analysis.
+- If failures are unrelated or pre-existing, document evidence and continue only if they do not invalidate the active spec.
+- Do not weaken tests to pass the gate.
+
+### Gate 5: Browser Smoke Test Gate
+
+Required before claiming implementation is ready for manual review/merge when the change affects Filament UI, Livewire interactions, navigation, forms, tables, actions, modals, dashboards, operation drilldowns, tenant/workspace context, or any user-facing flow.
+
+Not required for documentation-only, spec-only, backend-only, domain-only, enum-only, contract-only, or test-only changes unless those changes alter a user-facing flow.
+
+Pass criteria:
+
+- The relevant page or flow loads in a real browser or the repository's browser-testing harness.
+- The primary action introduced or changed by the spec can be executed successfully.
+- Expected UI states, labels, badges, actions, empty states, tables, forms, modals, and navigation are visible where relevant.
+- Workspace/tenant context is preserved across the tested flow where relevant.
+- RBAC/capability-dependent visibility behaves as expected where practical to verify.
+- Livewire interactions complete without visible runtime errors.
+- No relevant browser console errors occur.
+- No failed network requests occur for the tested flow, except known unrelated development noise that is explicitly documented.
+- OperationRun, audit, evidence, result, or support-diagnostic drilldowns work where relevant.
+- The smoke-tested path is documented in the final response.
+
+Fail behavior:
+
+- Fix in-scope browser, UX, Livewire, navigation, or runtime failures before claiming merge-readiness.
+- If a browser issue is unrelated existing debt, document evidence and residual risk.
+- Do not treat a passing browser smoke test as a substitute for backend, policy, domain, security, feature, or integration tests.
+- Do not expand the smoke test into a full E2E suite unless the user explicitly asks for that.
+
+### Gate 6: Post-Implementation Analysis Gate
+
+Required after implementation and after each fix iteration.
+
+Pass criteria:
+
+- The implementation has been checked against `spec.md`, `plan.md`, `tasks.md`, and constitution.
+- All completed tasks have implementation evidence.
+- No confirmed in-scope findings remain.
+- Medium/Low findings are fixed when they are inside active spec scope, clearly bounded, and safe.
+- Medium/Low findings that remain open are explicitly documented with one of these reasons:
+  - out of scope
+  - requires separate spec
+  - risky refactor
+  - existing unrelated debt
+  - not reproducible
+  - blocked by unclear product/architecture decision
+- No scope expansion was introduced during fixes.
+
+Fail behavior:
+
+- Fix confirmed in-scope findings, regardless of severity, when the fix is safe and bounded.
+- Stop instead of fixing when remediation would expand scope, contradict repo architecture, introduce risky refactors, or repeat the same failed fix twice.
+
+### Gate 7: Merge Readiness Gate
+
+Required before claiming the implementation is ready for manual review/merge.
+
+Pass criteria:
+
+- Spec Readiness Gate passed.
+- Implementation Scope Gate passed.
+- Test Gate passed.
+- Browser Smoke Test Gate passed when applicable, or was explicitly marked not applicable with a reason.
+- Post-Implementation Analysis Gate passed.
+- `tasks.md` reflects actual completion status.
+- No confirmed in-scope findings remain.
+- All remaining findings are documented as out-of-scope, follow-up candidates, unrelated existing debt, or explicit residual risks.
+- Final response includes changed files, tests/checks run, iterations performed, residual risks, and follow-up candidates.
+
+Fail behavior:
+
+- Do not claim merge-readiness.
+- Report the failed gate, remaining risks, and the smallest recommended next action.
+
+## Candidate Selection Rules
+
+When the user asks for the next best spec from roadmap/spec-candidates:
+
+- Read `docs/product/spec-candidates.md`.
+- Read relevant roadmap documents under `docs/product/`, especially `roadmap.md` if present.
+- Check existing specs to avoid duplicates.
+- Prefer candidates that align with current roadmap priorities, platform foundations, enterprise UX, RBAC/isolation, auditability, observability, and governance workflow maturity.
+- Prefer candidates that unlock roadmap progress, reduce architectural drift, harden foundations, or remove known blockers.
+- Prefer small, implementation-ready slices over broad platform rewrites.
+- If multiple candidates are plausible, choose one primary candidate and document why it was selected.
+- Add non-selected relevant candidates as follow-up spec candidates, not hidden scope.
+- Do not invent a candidate if existing roadmap/spec-candidate material provides a suitable one.
+- Do not pick a spec only because it is listed first.
+- Evaluate the Candidate Selection Gate before creating the spec directory.
+
+Evaluate candidates using these criteria:
+
+1. **Roadmap Fit**: Does it support the current roadmap sequence or unlock the next roadmap layer?
+2. **Foundation Value**: Does it strengthen reusable platform foundations such as RBAC, isolation, auditability, evidence, OperationRun observability, provider boundaries, vocabulary, baseline/control/finding semantics, or enterprise UX patterns?
+3. **Dependency Unblocking**: Does it make future specs smaller, safer, or more consistent?
+4. **Scope Size**: Can it be implemented as a narrow, testable slice?
+5. **Repo Readiness**: Does the repo already have enough structure to implement the next slice safely?
+6. **Risk Reduction**: Does it reduce current architectural or product risk?
+7. **User/Product Value**: Does it produce visible operator value or make the platform more sellable without heavy scope?
+
+## Required Selection Output Before Spec Kit Execution
+
+Before running the Spec Kit flow, identify:
+
+- selected candidate title
+- source location in roadmap/spec-candidates
+- why it was selected
+- why close alternatives were deferred
+- roadmap relationship
+- smallest viable implementation slice
+- proposed concise feature description to feed into `specify`
+
+The feature description must be product- and behavior-oriented. It should not be a low-level implementation plan.
+
+## Spec Kit Preparation Flow
+
+Use this section when the selected mode is preparation-only or end-to-end.
+
+### Step 1: Determine the repository's Spec Kit command pattern
+
+Inspect repository instructions and scripts to identify how this repo expects Spec Kit to be run.
+
+Common locations to inspect:
+
+```text
+.specify/scripts/
+.specify/templates/
+.specify/memory/constitution.md
+.github/prompts/
+.github/skills/
+README.md
+specs/
+```
+
+Use the repo-specific mechanism if present.
+
+### Step 2: Run `specify`
+
+Run the repository's `specify` flow using the selected candidate and the smallest viable slice.
+
+The `specify` input should include:
+
+- selected candidate title
+- problem statement
+- operator/user value
+- roadmap relationship
+- out-of-scope boundaries
+- key acceptance criteria
+- important enterprise constraints
+
+Let Spec Kit create the correct branch and spec location if that is the repo's configured behavior.
+
+### Step 3: Run `plan`
+
+Run the repository's `plan` flow for the generated spec.
+
+The `plan` input should keep the scope tight and should require repo-based alignment with:
+
+- constitution
+- existing architecture
+- workspace/tenant isolation
+- RBAC
+- OperationRun/observability where relevant
+- evidence/snapshot/truth semantics where relevant
+- Filament/Livewire conventions where relevant
+- test strategy
+
+### Step 4: Run `tasks`
+
+Run the repository's `tasks` flow for the generated plan.
+
+The generated tasks must be:
+
+- ordered
+- small
+- testable
+- grouped by phase
+- limited to the selected scope
+- suitable for later implementation or manual analysis before implementation
+
+### Step 5: Run preparation `analyze`
+
+Run the repository's `analyze` flow against the generated Spec Kit artifacts when the repository supports it.
+
+Analyze must check:
+
+- consistency between `spec.md`, `plan.md`, and `tasks.md`
+- constitution alignment
+- roadmap alignment
+- whether the selected candidate was narrowed safely
+- whether tasks are complete enough for implementation
+- whether tasks accidentally require scope not described in the spec
+- whether plan details conflict with repository architecture or terminology
+- whether implementation risks are documented instead of silently ignored
+
+In preparation-only mode, do not use analyze as a trigger to implement application code.
+
+### Step 6: Fix preparation-artifact issues only
+
+If preparation analyze finds issues, fix only Spec Kit preparation artifacts such as:
+
+- `spec.md`
+- `plan.md`
+- `tasks.md`
+- generated Spec Kit metadata files, if the repository uses them
+
+Allowed fixes include:
+
+- clarify requirements
+- tighten scope
+- move out-of-scope work into follow-up candidates
+- correct terminology
+- add missing tasks
+- remove tasks not backed by the spec
+- align plan language with repository architecture
+- add missing acceptance criteria or validation tasks
+
+Forbidden fixes in preparation-only mode include:
+
+- modifying application code
+- creating migrations
+- editing models, services, jobs, policies, Filament resources, Livewire components, tests, or commands
+- running implementation or test-fix loops
+- changing runtime behavior
+
+### Step 7: Evaluate the Spec Readiness Gate
+
+After preparation analyze has passed or preparation-artifact issues have been fixed, evaluate the Spec Readiness Gate.
+
+In preparation-only mode, stop after this gate and do not implement.
+
+## Spec Directory Rules
+
+When creating a new spec directory, use the repository's Spec Kit-generated directory or path.
+
+If the repository does not provide a command for spec setup, use the next valid spec number and a kebab-case slug:
+
+```text
+specs/<number>-<slug>/
+```
+
+The exact number must be derived from the current repository state and existing numbering conventions.
+
+Create or update preparation artifacts inside the selected spec directory:
+
+```text
+specs/<number>-<slug>/spec.md
+specs/<number>-<slug>/plan.md
+specs/<number>-<slug>/tasks.md
+```
+
+If the repository templates require additional preparation files, create them only when this is consistent with existing Spec Kit conventions.
+
+## `spec.md` Requirements
+
+The spec must be product- and behavior-oriented. It should avoid premature implementation detail unless needed for correctness.
+
+Include:
+
+- Feature title
+- Problem statement
+- Business/product value
+- Primary users/operators
+- User stories
+- Functional requirements
+- Non-functional requirements
+- UX requirements
+- RBAC/security requirements
+- Auditability/observability requirements
+- Data/truth-source requirements where relevant
+- Out of scope
+- Acceptance criteria
+- Success criteria
+- Risks
+- Assumptions
+- Open questions
+
+TenantPilot/TenantAtlas specs should preserve enterprise SaaS principles:
+
+- workspace/tenant isolation
+- capability-first RBAC
+- auditability
+- operation/result truth separation
+- source-of-truth clarity
+- calm enterprise operator UX
+- progressive disclosure where useful
+- no false positive calmness
+
+## `plan.md` Requirements
+
+The plan must be repo-aware and implementation-oriented, but it must not make code changes by itself.
+
+Include:
+
+- Technical approach
+- Existing repository surfaces likely affected
+- Domain/model implications
+- UI/Filament implications
+- Livewire implications where relevant
+- OperationRun/monitoring implications where relevant
+- RBAC/policy implications
+- Audit/logging/evidence implications where relevant
+- Data/migration implications where relevant
+- Test strategy
+- Rollout considerations
+- Risk controls
+- Implementation phases
+
+The plan should clearly distinguish where relevant:
+
+- execution truth
+- artifact truth
+- backup/snapshot truth
+- recovery/evidence truth
+- operator next action
+
+## `tasks.md` Requirements
+
+Tasks must be ordered, small, and verifiable.
+
+Include:
+
+- checkbox tasks
+- phase grouping
+- tests before or alongside implementation tasks where practical
+- final validation tasks
+- documentation/update tasks if needed
+- explicit non-goals where useful
+
+Avoid vague tasks such as:
+
+```text
+Clean up code
+Refactor UI
+Improve performance
+Make it enterprise-ready
+```
+
+Prefer concrete tasks such as:
+
+```text
+- [ ] Add a feature test covering workspace isolation for <specific behavior>.
+- [ ] Update <specific Filament page/resource> to display <specific state>.
+- [ ] Add policy coverage for <specific capability>.
+```
+
+If exact file names are not known yet, phrase tasks as repo-verification tasks first rather than inventing file paths.
+
+## Preparation Scope Control
+
+If the requested feature implies multiple independent concerns, create one primary spec for the smallest valuable slice and add a `Follow-up spec candidates` section.
+
+Examples of follow-up candidates:
+
+- assigned findings
+- pending approvals
+- personal work queue
+- notification delivery settings
+- evidence pack export hardening
+- operation monitoring refinements
+- autonomous governance decision surfaces
+
+Do not force all follow-up candidates into the primary spec.
+
+## Implementation Loop
+
+Only execute this section when the selected mode is implementation-only or end-to-end.
+
+Execute the loop in bounded phases:
+
+1. Evaluate the Spec Readiness Gate.
+2. Evaluate the Implementation Scope Gate before changing application code.
+3. Implement the active Spec Kit feature scope.
+4. Run targeted tests and relevant static/dynamic checks.
+5. Evaluate the Test Gate.
+6. Run a Browser Smoke Test when the change affects UI/user-facing flows.
+7. Evaluate the Browser Smoke Test Gate as passed, failed, or not applicable with a reason.
+8. Run strict post-implementation analysis against spec, plan, tasks, constitution, changed code, changed tests, browser smoke results where applicable, and relevant existing patterns.
+9. Evaluate the Post-Implementation Analysis Gate.
+10. Identify confirmed findings by severity: Blocker, High, Medium, Low.
+11. Fix all confirmed in-scope findings regardless of severity when safe and bounded.
+12. Do not fix findings that require scope expansion, risky unrelated refactors, or architectural/product decisions outside the active spec; document them as follow-up/residual risks with reasons.
+13. Re-run relevant tests and browser smoke checks where applicable after fixes.
+14. Repeat test + browser smoke + analysis + fix loop until no confirmed in-scope findings remain or a stop condition is reached.
+15. Evaluate the Merge Readiness Gate.
+16. Report final implementation status, changed files, tests, browser smoke result, residual risks, failed/passed gates, and manual review prompt.
+
+## Stop Conditions
+
+Stop the implementation loop when any of the following is true:
+
+- No confirmed in-scope findings remain.
+- The same finding appears twice after attempted fixes.
+- A required fix conflicts with the spec, plan, constitution, or repository architecture.
+- A required fix would expand scope beyond the active spec.
+- A required fix would require a risky unrelated refactor.
+- A required fix depends on an unresolved product or architecture decision.
+- Tests reveal an unrelated pre-existing failure that cannot be safely fixed inside the active spec.
+- Browser smoke testing reveals an unrelated pre-existing UI/runtime failure that cannot be safely fixed inside the active spec.
+- Three analysis/fix iterations have already been completed.
+- The repository state is ambiguous enough that continuing would risk damaging architecture or data semantics.
+
+When stopping before full cleanliness, report exactly why the loop stopped and what remains.
+
+## Post-Implementation Analysis Prompt
+
+Use this prompt internally after implementation and after each fix iteration:
+
+```markdown
+Du bist ein Senior Staff Software Engineer, Software Architect und Enterprise SaaS Reviewer.
+
+Analysiere die Implementierung der aktiven Spec streng repo-basiert.
+
+Ziel:
+Prüfe, ob die Umsetzung vollständig, konsistent, getestet und constitution-konform ist.
+
+Prüfe gegen:
+- spec.md
+- plan.md
+- tasks.md
+- .specify/memory/constitution.md
+- geänderte Anwendungscodes
+- geänderte Tests
+- Browser-Smoke-Test-Ergebnis, falls UI/user-facing Flows betroffen sind
+- bestehende Repository-Patterns
+
+Wichtig:
+- Keine Spekulation ohne Repo-Beleg.
+- Keine Scope-Erweiterung.
+- Keine neuen Produktideen als Pflicht-Fixes.
+- Findings nach Blocker, High, Medium, Low gruppieren.
+- Für jedes Finding konkrete Datei-/Code-Belege nennen.
+- Für jedes Finding eine minimale Remediation nennen.
+- Separat ausweisen, welche Findings innerhalb der aktiven Spec behoben werden müssen.
+- Medium/Low Findings innerhalb der aktiven Spec ebenfalls zur Behebung markieren, wenn sie sicher und bounded sind.
+- Bei UI-/Filament-/Livewire-Änderungen prüfen, ob ein Browser Smoke Test durchgeführt wurde und ob der getestete Operator-Flow wirklich funktioniert.
+- Findings, die nicht behoben werden sollen, nur als Follow-up/Residual Risk ausweisen, wenn sie out of scope, risky refactor, unrelated existing debt, not reproducible oder durch eine offene Produkt-/Architekturentscheidung blockiert sind.
+- Wenn keine bestätigten In-Scope Findings verbleiben, klare Implementierungsfreigabe geben.
+```
+
+## Task Completion Rules
+
+- Keep `tasks.md` aligned with actual implementation status.
+- Check off tasks only after the implementation and test evidence exists.
+- If a task is obsolete because repository truth proves a different path, update the task note with the reason instead of silently deleting it.
+- If a task cannot be completed inside scope, leave it unchecked and report why.
+
+## Testing Rules
+
+- Add or update tests for all changed business behavior.
+- Include RBAC and workspace/tenant isolation tests where relevant.
+- Include OperationRun, audit, evidence, or result-truth tests where relevant.
+- Prefer regression tests for every fixed Blocker or High finding.
+- Add regression tests for Medium/Low findings when the behavior is important and testable without excessive churn.
+- Do not weaken tests to pass the suite.
+- Do not treat a green UI path as sufficient without backend or policy coverage when the behavior is security- or governance-relevant.
+
+## Browser Smoke Test Rules
+
+Apply these rules when the active spec changes Filament UI, Livewire interactions, navigation, forms, tables, actions, modals, dashboards, operation drilldowns, tenant/workspace context, or any user-facing flow.
+
+The browser smoke test should be narrow and focused. It is not a full E2E suite unless explicitly requested.
+
+Minimum smoke path:
+
+1. Open the relevant page or entry point.
+2. Confirm the expected workspace/tenant context where relevant.
+3. Confirm the changed or newly introduced UI element is visible.
+4. Execute the primary action or interaction changed by the spec.
+5. Confirm the expected result state, notification, redirect, table update, modal state, operation link, or drilldown.
+6. Check for relevant console errors.
+7. Check for failed network requests related to the tested flow.
+8. Document the tested path in the final response.
+
+For TenantPilot/TenantAtlas, pay special attention to:
+
+- Filament actions and header actions
+- Livewire polling, modals, validation, and actions
+- workspace/tenant context preservation
+- RBAC/capability-dependent action visibility
+- OperationRun links and drilldown continuity
+- audit/evidence/result/support-diagnostic drilldowns where relevant
+- empty states, badges, labels, and decision guidance where relevant
+
+Browser smoke testing is required for UI/user-facing changes and optional for backend-only changes.
+
+Do not treat browser smoke success as proof that backend security, policies, domain logic, auditability, or workspace/tenant isolation are correct. Those still require automated tests or repo-based verification.
+
+## Failure Handling
+
+If a Spec Kit command, preparation analyze phase, implementation step, test phase, browser smoke phase, or post-implementation analysis fails:
+
+1. Stop at the relevant gate or stop condition.
+2. Report the failing command or phase.
+3. Summarize the error.
+4. Do not attempt unrelated implementation as a workaround.
+5. Suggest the smallest safe next action.
+
+If the branch or working tree state is unsafe:
+
+1. Stop before running Spec Kit commands or implementation changes.
+2. Report the current branch and relevant uncommitted files.
+3. Ask the user to commit, stash, or move to a clean worktree.
+
+## Final Response Requirements
+
+For preparation-only mode, respond with:
+
+1. Selected candidate and why it was chosen
+2. Why close alternatives were deferred
+3. Current branch after Spec Kit execution, if changed
+4. Generated spec path
+5. Files created or updated by Spec Kit
+6. Preparation analyze result summary
+7. Preparation-artifact fixes applied after analyze
+8. Assumptions made
+9. Open questions, if any
+10. Quality gates evaluated and their result
+11. Recommended next implementation prompt
+12. Explicit statement that no application implementation was performed
+
+For implementation-only or end-to-end mode, respond with:
+
+1. Active spec directory
+2. Summary of implemented changes
+3. Tests/checks run and their results
+4. Browser smoke test result, tested path, or not-applicable reason
+5. Quality gates passed/failed and number of analysis/fix iterations performed
+6. Remaining in-scope findings, if any
+7. Residual risks and follow-up candidates, if relevant
+8. Files changed
+9. Explicit statement whether the Merge Readiness Gate passed and whether the implementation is ready for manual review/merge
+
+Keep the final response concise, but include enough detail for the user to continue immediately.
+
+## Manual Review Prompts
+
+For preparation-only mode, provide a ready-to-copy prompt like this, adapted to the generated spec branch/path:
+
+```markdown
+Du bist ein Senior Staff Software Architect und Enterprise SaaS Reviewer.
+
+Analysiere die neu erstellte Spec `<spec-branch-or-spec-path>` streng repo-basiert.
+
+Ziel:
+Prüfe, ob `spec.md`, `plan.md` und `tasks.md` vollständig, konsistent, implementierbar und constitution-konform sind.
+
+Wichtig:
+- Keine Implementierung.
+- Keine Codeänderungen.
+- Keine Scope-Erweiterung.
+- Prüfe nur gegen Repo-Wahrheit.
+- Benenne konkrete Konflikte mit Dateien, Patterns, Datenflüssen oder bestehenden Specs.
+- Schlage nur minimale Korrekturen an `spec.md`, `plan.md` und `tasks.md` vor.
+- Wenn alles passt, gib eine klare Implementierungsfreigabe.
+```
+
+For preparation-only mode, also provide a ready-to-copy implementation prompt after analyze has passed or preparation-artifact issues have been fixed:
+
+```markdown
+Du bist ein Senior Staff Software Engineer für TenantPilot/TenantAtlas.
+
+Implementiere die vorbereitete Spec `<spec-branch-or-spec-path>` streng anhand von `tasks.md`.
+
+Wichtig:
+- Arbeite task-sequenziell.
+- Ändere nur Dateien, die für die jeweilige Task notwendig sind.
+- Halte dich an `spec.md`, `plan.md`, `tasks.md` und die Constitution.
+- Keine Scope-Erweiterung.
+- Keine Opportunistic Refactors.
+- Führe passende Tests nach sinnvollen Task-Gruppen aus.
+- Wenn eine Task unklar oder falsch ist, stoppe und dokumentiere den Konflikt statt frei zu improvisieren.
+- Am Ende liefere geänderte Dateien, Teststatus, offene Risiken und nicht erledigte Tasks.
+```
+
+For implementation-only or end-to-end mode, provide a ready-to-copy prompt like this, adapted to the active spec number and slug:
+
+```markdown
+Du bist ein Senior Staff Software Architect und Enterprise SaaS Reviewer.
+
+Führe eine finale manuelle Review der implementierten Spec `<spec-number>-<slug>` streng repo-basiert durch.
+
+Ziel:
+Prüfe, ob die Implementierung nach dem Agenten-Loop wirklich merge-ready ist.
+
+Wichtig:
+- Keine Implementierung.
+- Keine Codeänderungen.
+- Keine Scope-Erweiterung.
+- Prüfe gegen spec.md, plan.md, tasks.md und constitution.md.
+- Prüfe die geänderten Dateien, Tests, Browser-Smoke-Test-Ergebnis, RBAC, Workspace-/Tenant-Isolation, Auditability, UX und OperationRun-Semantik, soweit relevant.
+- Benenne nur konkrete Findings mit Repo-Beleg.
+- Gib am Ende eine klare Entscheidung: Merge-ready, merge-ready with notes, oder not merge-ready.
+```
+
+## Example Invocations
+
+User:
+
+```text
+Nutze den Skill spec-kit-end-to-end.
+Wähle aus roadmap.md und spec-candidates.md die nächste sinnvollste Spec.
+Führe danach GitHub Spec Kit specify, plan, tasks und analyze in einem Rutsch aus.
+Behebe alle analyze-Issues in den Spec-Kit-Artefakten.
+Keine Application-Implementierung.
+```
+
+Expected behavior:
+
+1. Inspect constitution, Spec Kit scripts/templates, specs, roadmap, and spec candidates.
+2. Check branch and working tree safety.
+3. Compare candidate suitability.
+4. Select the next best candidate.
+5. Evaluate the Candidate Selection Gate.
+6. Run the repository's real Spec Kit `specify` flow, letting it handle branch/spec setup.
+7. Run the repository's real Spec Kit `plan` flow.
+8. Run the repository's real Spec Kit `tasks` flow.
+9. Run the repository's real Spec Kit preparation `analyze` flow.
+10. Fix analyze issues only in Spec Kit preparation artifacts.
+11. Evaluate the Spec Readiness Gate.
+12. Stop before application implementation.
+13. Return selection rationale, branch/path summary, artifact summary, analyze summary, fixes applied, gates, and next implementation prompt.
+
+User:
+
+```text
+Implementiere die aktive Spec. Danach analyse gegen spec/plan/tasks/constitution ausführen, alle in-scope Findings beheben und wiederhole bis sauber.
+```
+
+Expected behavior:
+
+1. Inspect active Spec Kit context, constitution, spec, plan, tasks, relevant code, and relevant tests.
+2. Evaluate the Spec Readiness Gate and Implementation Scope Gate.
+3. Implement only the active spec scope.
+4. Run targeted tests and relevant checks.
+5. Evaluate the Test Gate.
+6. Run and evaluate Browser Smoke Test when UI/user-facing flows are affected.
+7. Run post-implementation analysis.
+8. Fix all confirmed in-scope findings regardless of severity when safe and bounded.
+9. Repeat test + browser smoke + analysis + fix loop up to the stop conditions.
+10. Evaluate the Merge Readiness Gate.
+11. Report final status, changed files, tests, browser smoke result, residual risks, gates, and manual review prompt.
+
+User:
+
+```text
+Run end-to-end: wähle die nächste sinnvolle Spec aus spec-candidates/roadmap, erstelle spec/plan/tasks, implementiere sie danach und wiederhole analyse/fix bis sauber.
+```
+
+Expected behavior:
+
+1. Run preparation mode first.
+2. Clearly report the selected candidate and created spec directory.
+3. Continue into implementation mode only because the user explicitly requested end-to-end execution.
+4. Implement only the newly created active spec scope.
+5. Run tests/checks, browser smoke checks where applicable, post-implementation analysis, and bounded fix iterations.
+6. Fix all confirmed in-scope findings regardless of severity when safe and bounded.
+7. Report final implementation status, gates, browser smoke result, and residual risks.
+```

.specify/research_t186.md

@@ -1,10 +1,5 @@
 # Research T186 — settings_apply capability verification (LEGACY / DEPRECATED)
 
-> **Status:** Superseded  
-> **Last reviewed:** 2026-04-30  
-> **Use for:** Historical investigation context only if a later Settings Catalog write-path regression needs provenance  
-> **Do not use for:** Active feature research or current implementation truth
-
 > DEPRECATED: Do not add new research notes under `.specify/`.
 > Active feature research should live under `specs/<NNN>-<slug>/`.
 > Legacy history lives under `spechistory/`.

apps/platform/.env.example

@@ -59,13 +59,6 @@ MAIL_PASSWORD=null
 MAIL_FROM_ADDRESS="hello@example.com"
 MAIL_FROM_NAME="${APP_NAME}"
 
-SUPPORT_DESK_ENABLED=false
-SUPPORT_DESK_NAME="External support desk"
-SUPPORT_DESK_CREATE_URL=
-SUPPORT_DESK_API_TOKEN=
-SUPPORT_DESK_TICKET_URL_TEMPLATE=
-SUPPORT_DESK_TIMEOUT_SECONDS=5
-
 AWS_ACCESS_KEY_ID=
 AWS_SECRET_ACCESS_KEY=
 AWS_DEFAULT_REGION=us-east-1

apps/platform/app/Console/Commands/PurgeLegacyBaselineGapRuns.php

@@ -6,14 +6,12 @@
 
 use App\Models\OperationRun;
 use App\Models\Tenant;
-use App\Support\OperationCatalog;
-use App\Support\OperationRunType;
 use Illuminate\Console\Command;
 
 class PurgeLegacyBaselineGapRuns extends Command
 {
     protected $signature = 'tenantpilot:baselines:purge-legacy-gap-runs
-        {--type=* : Limit cleanup to baseline.compare and/or baseline.capture runs (legacy aliases also accepted)}
+        {--type=* : Limit cleanup to baseline_compare and/or baseline_capture runs}
         {--tenant=* : Limit cleanup to tenant ids or tenant external ids}
         {--workspace=* : Limit cleanup to workspace ids}
         {--limit=500 : Maximum candidate runs to inspect}
@@ -101,35 +99,21 @@ public function handle(): int
      */
     private function normalizedTypes(): array
     {
-        $requestedTypes = array_values(array_unique(array_filter(
+        $types = array_values(array_unique(array_filter(
             array_map(
                 static fn (mixed $type): ?string => is_string($type) && trim($type) !== '' ? trim($type) : null,
                 (array) $this->option('type'),
             ),
         )));
 
-        $canonicalTypes = array_values(array_unique(array_filter(array_map(
-            static fn (string $type): ?string => match ($type) {
-                OperationRunType::BaselineCompare->value, 'baseline_compare' => OperationRunType::BaselineCompare->value,
-                OperationRunType::BaselineCapture->value, 'baseline_capture' => OperationRunType::BaselineCapture->value,
-                default => null,
-            },
-            $requestedTypes,
-        ))));
-
-        if ($canonicalTypes === []) {
-            $canonicalTypes = [
-                OperationRunType::BaselineCompare->value,
-                OperationRunType::BaselineCapture->value,
-            ];
+        if ($types === []) {
+            return ['baseline_compare', 'baseline_capture'];
         }
 
-        return array_values(array_unique(array_merge(
-            ...array_map(
-                static fn (string $type): array => OperationCatalog::rawValuesForCanonical($type),
-                $canonicalTypes,
-            ),
-        )));
+        return array_values(array_filter(
+            $types,
+            static fn (string $type): bool => in_array($type, ['baseline_compare', 'baseline_capture'], true),
+        ));
     }
 
     /**

apps/platform/app/Console/Commands/TenantpilotBackfillFindingLifecycle.php

@@ -0,0 +1,129 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Models\Tenant;
+use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
+use App\Services\Runbooks\FindingsLifecycleBackfillScope;
+use App\Support\OperationalControls\OperationalControlBlockedException;
+use Illuminate\Console\Command;
+use Illuminate\Validation\ValidationException;
+
+class TenantpilotBackfillFindingLifecycle extends Command
+{
+    protected $signature = 'tenantpilot:findings:backfill-lifecycle
+        {--tenant=* : Limit to tenant_id/external_id}';
+
+    protected $description = 'Queue tenant-scoped findings lifecycle backfill jobs idempotently.';
+
+    public function handle(FindingsLifecycleBackfillRunbookService $runbookService): int
+    {
+        $tenantIdentifiers = array_values(array_filter((array) $this->option('tenant')));
+
+        if ($tenantIdentifiers === []) {
+            $this->error('Provide one or more tenants via --tenant={id|external_id}.');
+
+            return self::FAILURE;
+        }
+
+        $tenants = $this->resolveTenants($tenantIdentifiers);
+
+        if ($tenants->isEmpty()) {
+            $this->info('No tenants matched the provided identifiers.');
+
+            return self::SUCCESS;
+        }
+
+        $queued = 0;
+        $skipped = 0;
+        $nothingToDo = 0;
+
+        foreach ($tenants as $tenant) {
+            if (! $tenant instanceof Tenant) {
+                continue;
+            }
+
+            try {
+                $run = $runbookService->start(
+                    scope: FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey()),
+                    initiator: null,
+                    reason: null,
+                    source: 'cli',
+                );
+            } catch (OperationalControlBlockedException $e) {
+                $this->error(sprintf(
+                    'Backfill paused for tenant %d: %s',
+                    (int) $tenant->getKey(),
+                    $e->getMessage(),
+                ));
+
+                return self::FAILURE;
+            } catch (ValidationException $e) {
+                $errors = $e->errors();
+
+                if (isset($errors['preflight.affected_count'])) {
+                    $nothingToDo++;
+
+                    continue;
+                }
+
+                $this->error(sprintf(
+                    'Backfill blocked for tenant %d: %s',
+                    (int) $tenant->getKey(),
+                    $e->getMessage(),
+                ));
+
+                return self::FAILURE;
+            }
+
+            if (! $run->wasRecentlyCreated) {
+                $skipped++;
+
+                continue;
+            }
+
+            $queued++;
+        }
+
+        $this->info(sprintf(
+            'Queued %d backfill run(s), skipped %d duplicate run(s), nothing to do %d.',
+            $queued,
+            $skipped,
+            $nothingToDo,
+        ));
+
+        return self::SUCCESS;
+    }
+
+    /**
+     * @param  array<int, string>  $tenantIdentifiers
+     * @return \Illuminate\Support\Collection<int, Tenant>
+     */
+    private function resolveTenants(array $tenantIdentifiers)
+    {
+        $tenantIds = [];
+
+        foreach ($tenantIdentifiers as $identifier) {
+            $tenant = Tenant::query()
+                ->forTenant($identifier)
+                ->first();
+
+            if ($tenant instanceof Tenant) {
+                $tenantIds[] = (int) $tenant->getKey();
+            }
+        }
+
+        $tenantIds = array_values(array_unique($tenantIds));
+
+        if ($tenantIds === []) {
+            return collect();
+        }
+
+        return Tenant::query()
+            ->whereIn('id', $tenantIds)
+            ->orderBy('id')
+            ->get();
+    }
+}

apps/platform/app/Console/Commands/TenantpilotRunDeployRunbooks.php

@@ -0,0 +1,56 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
+use App\Services\Runbooks\FindingsLifecycleBackfillScope;
+use App\Services\Runbooks\RunbookReason;
+use App\Support\OperationalControls\OperationalControlBlockedException;
+use Illuminate\Console\Command;
+use Illuminate\Validation\ValidationException;
+
+class TenantpilotRunDeployRunbooks extends Command
+{
+    protected $signature = 'tenantpilot:run-deploy-runbooks';
+
+    protected $description = 'Run deploy-time runbooks idempotently.';
+
+    public function handle(FindingsLifecycleBackfillRunbookService $runbookService): int
+    {
+        try {
+            $runbookService->start(
+                scope: FindingsLifecycleBackfillScope::allTenants(),
+                initiator: null,
+                reason: new RunbookReason(
+                    reasonCode: RunbookReason::CODE_DATA_REPAIR,
+                    reasonText: 'Deploy hook automated runbooks',
+                ),
+                source: 'deploy_hook',
+            );
+
+            $this->info('Deploy runbooks started (if needed).');
+
+            return self::SUCCESS;
+        } catch (OperationalControlBlockedException $e) {
+            $this->info('Deploy runbooks paused: '.$e->getMessage());
+
+            return self::SUCCESS;
+        } catch (ValidationException $e) {
+            $errors = $e->errors();
+
+            $skippable = isset($errors['preflight.affected_count']) || isset($errors['scope']);
+
+            if ($skippable) {
+                $this->info('Deploy runbooks skipped (nothing to do or already running).');
+
+                return self::SUCCESS;
+            }
+
+            $this->error('Deploy runbooks blocked by validation errors.');
+
+            return self::FAILURE;
+        }
+    }
+}

apps/platform/app/Exceptions/Entitlements/WorkspaceEntitlementBlockedException.php

@@ -1,24 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Exceptions\Entitlements;
-
-final class WorkspaceEntitlementBlockedException extends \RuntimeException
-{
-    /**
-     * @param  array<string, mixed>  $decision
-     */
-    public function __construct(private readonly array $decision)
-    {
-        parent::__construct((string) ($decision['block_reason'] ?? 'Workspace entitlement currently blocks this action.'));
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    public function decision(): array
-    {
-        return $this->decision;
-    }
-}

apps/platform/app/Filament/Pages/Auth/Login.php

@@ -9,9 +9,4 @@
 class Login extends BaseLogin
 {
     protected string $view = 'filament.pages.auth.login';
-
-    public function getTitle(): string
-    {
-        return __('localization.auth.sign_in_microsoft');
-    }
 }

apps/platform/app/Filament/Pages/CrossTenantComparePage.php

@@ -1,674 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Pages;
-
-use App\Filament\Resources\TenantResource;
-use App\Models\InventoryItem;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Models\Workspace;
-use App\Services\Audit\WorkspaceAuditLogger;
-use App\Services\Auth\CapabilityResolver;
-use App\Services\Auth\WorkspaceCapabilityResolver;
-use App\Support\Auth\Capabilities;
-use App\Support\Navigation\CanonicalNavigationContext;
-use App\Support\PortfolioCompare\CrossTenantComparePreviewBuilder;
-use App\Support\PortfolioCompare\CrossTenantCompareSelection;
-use App\Support\PortfolioCompare\CrossTenantPromotionPreflight;
-use App\Support\Rbac\WorkspaceUiEnforcement;
-use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
-use App\Support\Workspaces\WorkspaceContext;
-use BackedEnum;
-use Filament\Actions\Action;
-use Filament\Forms\Components\Select;
-use Filament\Forms\Concerns\InteractsWithForms;
-use Filament\Forms\Contracts\HasForms;
-use Filament\Pages\Page;
-use Filament\Schemas\Components\Grid;
-use Filament\Schemas\Schema;
-use Illuminate\Support\Collection;
-use Illuminate\Support\Str;
-use UnitEnum;
-
-class CrossTenantComparePage extends Page implements HasForms
-{
-    use InteractsWithForms;
-
-    private const string SOURCE_TENANT_QUERY_KEY = 'source_tenant_id';
-
-    private const string TARGET_TENANT_QUERY_KEY = 'target_tenant_id';
-
-    private const string POLICY_TYPE_QUERY_KEY = 'policy_type';
-
-    protected static bool $isDiscovered = false;
-
-    protected static bool $shouldRegisterNavigation = false;
-
-    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-scale';
-
-    protected static string|UnitEnum|null $navigationGroup = 'Governance';
-
-    protected static ?string $title = 'Cross-Tenant Compare';
-
-    protected static ?string $slug = 'cross-tenant-compare';
-
-    protected string $view = 'filament.pages.cross-tenant-compare';
-
-    public ?string $sourceTenantId = null;
-
-    public ?string $targetTenantId = null;
-
-    /**
-     * @var list<string>
-     */
-    public array $selectedPolicyTypes = [];
-
-    /**
-     * @var array<string, mixed>|null
-     */
-    public ?array $navigationContextPayload = null;
-
-    /**
-     * @var array<string, mixed>|null
-     */
-    public ?array $preview = null;
-
-    /**
-     * @var array<string, mixed>|null
-     */
-    public ?array $preflight = null;
-
-    public ?string $selectionMessage = null;
-
-    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
-    {
-        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
-            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions preserve return navigation, tenant drill-downs, and one dominant promotion-preflight action.')
-            ->exempt(ActionSurfaceSlot::InspectAffordance, 'The compare page uses explicit selection controls instead of row-click inspection.')
-            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Cross-tenant compare renders focused subject summaries instead of row-level overflow actions.')
-            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The compare page has no bulk actions.')
-            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The compare page explains when a selection is incomplete or invalid before any preview exists.')
-            ->exempt(ActionSurfaceSlot::DetailHeader, 'Cross-tenant compare is a workspace decision page, not a record detail header.');
-    }
-
-    public function mount(): void
-    {
-        $this->authorizePageAccess();
-
-        $this->navigationContextPayload = is_array(request()->query('nav')) ? request()->query('nav') : null;
-
-        $this->hydrateSelectionFromRequest();
-        $this->refreshPreview();
-
-        $this->form->fill($this->formState());
-    }
-
-    public function form(Schema $schema): Schema
-    {
-        return $schema
-            ->schema([
-                Grid::make([
-                    'default' => 1,
-                    'xl' => 3,
-                ])
-                    ->schema([
-                        Select::make('sourceTenantId')
-                            ->label('Source tenant')
-                            ->options(fn (): array => $this->tenantOptions())
-                            ->searchable()
-                            ->preload()
-                            ->native(false)
-                            ->placeholder('Select a source tenant')
-                            ->extraFieldWrapperAttributes(['data-testid' => 'cross-tenant-source'])
-                            ->extraInputAttributes(['data-testid' => 'cross-tenant-source']),
-                        Select::make('targetTenantId')
-                            ->label('Target tenant')
-                            ->options(fn (): array => $this->tenantOptions())
-                            ->searchable()
-                            ->preload()
-                            ->native(false)
-                            ->placeholder('Select a target tenant')
-                            ->extraFieldWrapperAttributes(['data-testid' => 'cross-tenant-target'])
-                            ->extraInputAttributes(['data-testid' => 'cross-tenant-target']),
-                        Select::make('selectedPolicyTypes')
-                            ->label('Governed subjects')
-                            ->options(fn (): array => $this->policyTypeOptions())
-                            ->multiple()
-                            ->searchable()
-                            ->preload()
-                            ->native(false)
-                            ->placeholder('All governed subjects')
-                            ->helperText(fn (): ?string => $this->policyTypeOptions() === []
-                                ? 'Governed subject filters appear after authorized tenant inventory exists in the active workspace.'
-                                : null)
-                            ->extraFieldWrapperAttributes(['data-testid' => 'cross-tenant-policy-types'])
-                            ->extraInputAttributes(['data-testid' => 'cross-tenant-policy-types']),
-                    ]),
-            ]);
-    }
-
-    /**
-     * @return array<Action>
-     */
-    protected function getHeaderActions(): array
-    {
-        $actions = [];
-
-        $navigationContext = $this->navigationContext();
-
-        if ($navigationContext?->backLinkLabel !== null && $navigationContext->backLinkUrl !== null) {
-            $actions[] = Action::make('return_to_origin')
-                ->label($navigationContext->backLinkLabel)
-                ->icon('heroicon-o-arrow-left')
-                ->color('gray')
-                ->url($navigationContext->backLinkUrl);
-        }
-
-        $sourceTenant = $this->selectedSourceTenant();
-
-        if ($sourceTenant instanceof Tenant) {
-            $actions[] = Action::make('open_source_tenant')
-                ->label('Open source tenant')
-                ->icon('heroicon-o-arrow-top-right-on-square')
-                ->color('gray')
-                ->url(TenantResource::getUrl('view', ['record' => $sourceTenant], panel: 'admin'));
-        }
-
-        $targetTenant = $this->selectedTargetTenant();
-
-        if ($targetTenant instanceof Tenant) {
-            $actions[] = Action::make('open_target_tenant')
-                ->label('Open target tenant')
-                ->icon('heroicon-o-arrow-top-right-on-square')
-                ->color('gray')
-                ->url(TenantResource::getUrl('view', ['record' => $targetTenant], panel: 'admin'));
-        }
-
-        $preflightAction = Action::make('generatePromotionPreflight')
-            ->label('Generate promotion preflight')
-            ->icon('heroicon-o-sparkles')
-            ->color('primary')
-            ->disabled(fn (): bool => $this->preflightDisabledReason() !== null)
-            ->tooltip(fn (): ?string => $this->preflightDisabledReason())
-            ->action(fn (): mixed => $this->generatePromotionPreflight());
-
-        $preflightAction = WorkspaceUiEnforcement::forAction(
-            $preflightAction,
-            fn (): ?Workspace => $this->workspace(),
-        )
-            ->requireCapability(Capabilities::WORKSPACE_BASELINES_MANAGE)
-            ->preserveDisabled()
-            ->tooltip('You need workspace baseline manage access to generate a promotion preflight.')
-            ->apply()
-            ->tooltip(function (): ?string {
-                $user = auth()->user();
-                $workspace = $this->workspace();
-
-                if ($user instanceof User && $workspace instanceof Workspace) {
-                    /** @var WorkspaceCapabilityResolver $resolver */
-                    $resolver = app(WorkspaceCapabilityResolver::class);
-
-                    if ($resolver->isMember($user, $workspace)
-                        && ! $resolver->can($user, $workspace, Capabilities::WORKSPACE_BASELINES_MANAGE)) {
-                        return 'You need workspace baseline manage access to generate a promotion preflight.';
-                    }
-                }
-
-                return $this->preflightDisabledReason();
-            });
-
-        $actions[] = $preflightAction;
-
-        return $actions;
-    }
-
-    public function applySelection(): void
-    {
-        $this->selectionMessage = null;
-        $this->preflight = null;
-
-        $this->sourceTenantId = $this->normalizeTenantIdentifier($this->sourceTenantId);
-        $this->targetTenantId = $this->normalizeTenantIdentifier($this->targetTenantId);
-        $this->selectedPolicyTypes = $this->normalizePolicyTypes($this->selectedPolicyTypes);
-
-        if ($this->sourceTenantId !== null
-            && $this->targetTenantId !== null
-            && $this->sourceTenantId === $this->targetTenantId) {
-            $this->selectionMessage = 'Choose two different tenants.';
-            $this->addError('targetTenantId', $this->selectionMessage);
-
-            return;
-        }
-
-        $this->redirect($this->selectionUrl(), navigate: true);
-    }
-
-    public function generatePromotionPreflight(): void
-    {
-        $this->authorizePageAccess();
-        $this->authorizePreflightExecution();
-
-        if ($this->preview === null) {
-            $this->refreshPreview();
-        }
-
-        if ($this->preview === null) {
-            return;
-        }
-
-        $selection = $this->compareSelection();
-
-        if (! $selection instanceof CrossTenantCompareSelection) {
-            return;
-        }
-
-        $this->preflight = app(CrossTenantPromotionPreflight::class)->build($this->preview);
-
-        $workspace = $this->workspace();
-        $user = auth()->user();
-
-        if ($workspace instanceof Workspace && $user instanceof User) {
-            app(WorkspaceAuditLogger::class)->logCrossTenantPromotionPreflightGenerated(
-                workspace: $workspace,
-                sourceTenant: $selection->sourceTenant,
-                targetTenant: $selection->targetTenant,
-                preflight: $this->preflight,
-                actor: $user,
-            );
-        }
-    }
-
-    public function clearSelectionUrl(): string
-    {
-        return static::getUrl($this->routeParameters([
-            self::SOURCE_TENANT_QUERY_KEY => null,
-            self::TARGET_TENANT_QUERY_KEY => null,
-            self::POLICY_TYPE_QUERY_KEY => null,
-        ]), panel: 'admin');
-    }
-
-    public function selectionUrl(): string
-    {
-        return static::getUrl($this->routeParameters(), panel: 'admin');
-    }
-
-    public static function launchUrl(
-        ?Tenant $sourceTenant = null,
-        ?Tenant $targetTenant = null,
-        ?CanonicalNavigationContext $navigationContext = null,
-    ): string {
-        $parameters = [];
-
-        if ($sourceTenant instanceof Tenant) {
-            $parameters[self::SOURCE_TENANT_QUERY_KEY] = (int) $sourceTenant->getKey();
-        }
-
-        if ($targetTenant instanceof Tenant) {
-            $parameters[self::TARGET_TENANT_QUERY_KEY] = (int) $targetTenant->getKey();
-        }
-
-        if ($navigationContext instanceof CanonicalNavigationContext) {
-            $parameters = array_replace($parameters, $navigationContext->toQuery());
-        }
-
-        return static::getUrl($parameters, panel: 'admin');
-    }
-
-    public function hasActiveSelection(): bool
-    {
-        return $this->sourceTenantId !== null
-            || $this->targetTenantId !== null
-            || $this->selectedPolicyTypes !== [];
-    }
-
-    public function stateColor(string $state): string
-    {
-        return match ($state) {
-            'match', 'ready' => 'success',
-            'different', 'manual_mapping_required' => 'warning',
-            'missing' => 'info',
-            'ambiguous' => 'gray',
-            'blocked' => 'danger',
-            default => 'gray',
-        };
-    }
-
-    public function stateLabel(string $value): string
-    {
-        return Str::headline(str_replace('_', ' ', $value));
-    }
-
-    public function reasonLabel(string $reasonCode): string
-    {
-        return Str::headline(str_replace('_', ' ', $reasonCode));
-    }
-
-    public function sourceTenantUrl(): ?string
-    {
-        $tenant = $this->selectedSourceTenant();
-
-        if (! $tenant instanceof Tenant) {
-            return null;
-        }
-
-        return TenantResource::getUrl('view', ['record' => $tenant], panel: 'admin');
-    }
-
-    public function targetTenantUrl(): ?string
-    {
-        $tenant = $this->selectedTargetTenant();
-
-        if (! $tenant instanceof Tenant) {
-            return null;
-        }
-
-        return TenantResource::getUrl('view', ['record' => $tenant], panel: 'admin');
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    private function formState(): array
-    {
-        return [
-            'sourceTenantId' => $this->sourceTenantId,
-            'targetTenantId' => $this->targetTenantId,
-            'selectedPolicyTypes' => $this->selectedPolicyTypes,
-        ];
-    }
-
-    private function hydrateSelectionFromRequest(): void
-    {
-        $this->sourceTenantId = $this->normalizeTenantIdentifier(request()->query(self::SOURCE_TENANT_QUERY_KEY));
-        $this->targetTenantId = $this->normalizeTenantIdentifier(request()->query(self::TARGET_TENANT_QUERY_KEY));
-        $this->selectedPolicyTypes = $this->normalizePolicyTypes(request()->query(self::POLICY_TYPE_QUERY_KEY, []));
-    }
-
-    private function refreshPreview(): void
-    {
-        $this->selectionMessage = null;
-        $this->preview = null;
-        $this->preflight = null;
-
-        $selection = $this->compareSelection();
-
-        if (! $selection instanceof CrossTenantCompareSelection) {
-            return;
-        }
-
-        $this->preview = app(CrossTenantComparePreviewBuilder::class)->build($selection);
-    }
-
-    private function authorizePageAccess(): void
-    {
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User) {
-            abort(403);
-        }
-
-        if (! $workspace instanceof Workspace) {
-            abort(404);
-        }
-
-        /** @var WorkspaceCapabilityResolver $resolver */
-        $resolver = app(WorkspaceCapabilityResolver::class);
-
-        if (! $resolver->isMember($user, $workspace)) {
-            abort(404);
-        }
-
-        if (! $resolver->can($user, $workspace, Capabilities::WORKSPACE_BASELINES_VIEW)) {
-            abort(403);
-        }
-    }
-
-    private function authorizePreflightExecution(): void
-    {
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User) {
-            abort(403);
-        }
-
-        if (! $workspace instanceof Workspace) {
-            abort(404);
-        }
-
-        /** @var WorkspaceCapabilityResolver $resolver */
-        $resolver = app(WorkspaceCapabilityResolver::class);
-
-        if (! $resolver->isMember($user, $workspace)) {
-            abort(404);
-        }
-
-        if (! $resolver->can($user, $workspace, Capabilities::WORKSPACE_BASELINES_MANAGE)) {
-            abort(403);
-        }
-    }
-
-    private function compareSelection(): ?CrossTenantCompareSelection
-    {
-        $sourceTenant = $this->selectedSourceTenant();
-        $targetTenant = $this->selectedTargetTenant();
-
-        if (! $sourceTenant instanceof Tenant || ! $targetTenant instanceof Tenant) {
-            return null;
-        }
-
-        if ((int) $sourceTenant->getKey() === (int) $targetTenant->getKey()) {
-            $this->selectionMessage = 'Choose two different tenants.';
-
-            return null;
-        }
-
-        return new CrossTenantCompareSelection(
-            sourceTenant: $sourceTenant,
-            targetTenant: $targetTenant,
-            policyTypes: $this->selectedPolicyTypes,
-        );
-    }
-
-    private function selectedSourceTenant(): ?Tenant
-    {
-        if ($this->sourceTenantId === null) {
-            return null;
-        }
-
-        return $this->resolveAuthorizedTenant($this->sourceTenantId);
-    }
-
-    private function selectedTargetTenant(): ?Tenant
-    {
-        if ($this->targetTenantId === null) {
-            return null;
-        }
-
-        return $this->resolveAuthorizedTenant($this->targetTenantId);
-    }
-
-    private function resolveAuthorizedTenant(string $tenantId): Tenant
-    {
-        $workspace = $this->workspace();
-        $user = auth()->user();
-
-        if (! $workspace instanceof Workspace || ! $user instanceof User) {
-            abort(404);
-        }
-
-        $tenant = Tenant::query()
-            ->where('workspace_id', (int) $workspace->getKey())
-            ->whereKey((int) $tenantId)
-            ->first();
-
-        if (! $tenant instanceof Tenant) {
-            abort(404);
-        }
-
-        /** @var CapabilityResolver $resolver */
-        $resolver = app(CapabilityResolver::class);
-
-        if (! $user->canAccessTenant($tenant) || ! $resolver->can($user, $tenant, Capabilities::TENANT_VIEW)) {
-            abort(404);
-        }
-
-        return $tenant;
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    private function tenantOptions(): array
-    {
-        $workspace = $this->workspace();
-        $user = auth()->user();
-
-        if (! $workspace instanceof Workspace || ! $user instanceof User) {
-            return [];
-        }
-
-        /** @var CapabilityResolver $resolver */
-        $resolver = app(CapabilityResolver::class);
-
-        $tenants = $user->tenants()
-            ->where('tenants.workspace_id', (int) $workspace->getKey())
-            ->select('tenants.*')
-            ->orderBy('tenants.name')
-            ->get();
-
-        $resolver->primeMemberships($user, $tenants->modelKeys());
-
-        return $tenants
-            ->filter(fn (Tenant $tenant): bool => $resolver->can($user, $tenant, Capabilities::TENANT_VIEW))
-            ->mapWithKeys(fn (Tenant $tenant): array => [
-                (string) $tenant->getKey() => (string) $tenant->name,
-            ])
-            ->all();
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    private function policyTypeOptions(): array
-    {
-        $tenantIds = array_map(static fn (string $tenantId): int => (int) $tenantId, array_keys($this->tenantOptions()));
-
-        if ($tenantIds === []) {
-            return [];
-        }
-
-        return InventoryItem::query()
-            ->whereIn('tenant_id', $tenantIds)
-            ->whereNotNull('policy_type')
-            ->where('policy_type', '!=', '')
-            ->distinct()
-            ->orderBy('policy_type')
-            ->pluck('policy_type')
-            ->mapWithKeys(fn (string $policyType): array => [
-                $policyType => Str::headline($policyType),
-            ])
-            ->all();
-    }
-
-    private function preflightDisabledReason(): ?string
-    {
-        if ($this->selectionMessage !== null) {
-            return $this->selectionMessage;
-        }
-
-        if (! is_array($this->preview)) {
-            return 'Select an authorized source and target tenant to generate a promotion preflight.';
-        }
-
-        if ((int) data_get($this->preview, 'summary.total', 0) === 0) {
-            return 'No governed subjects are available for this compare selection yet.';
-        }
-
-        return null;
-    }
-
-    /**
-     * @param  mixed  $value
-     */
-    private function normalizeTenantIdentifier(mixed $value): ?string
-    {
-        if (! is_string($value) && ! is_int($value)) {
-            return null;
-        }
-
-        $normalized = trim((string) $value);
-
-        return is_numeric($normalized) && (int) $normalized > 0 ? (string) (int) $normalized : null;
-    }
-
-    /**
-     * @param  mixed  $value
-     * @return list<string>
-     */
-    private function normalizePolicyTypes(mixed $value): array
-    {
-        $allowed = array_fill_keys(array_keys($this->policyTypeOptions()), true);
-
-        $values = match (true) {
-            is_string($value) && $value !== '' => [$value],
-            is_array($value) => $value,
-            default => [],
-        };
-
-        return array_values(array_filter(array_unique(array_map(
-            static fn (mixed $item): string => is_string($item) ? trim($item) : '',
-            $values,
-        )), static fn (string $item): bool => $item !== '' && isset($allowed[$item])));
-    }
-
-    /**
-     * @param  array<string, mixed>  $overrides
-     * @return array<string, mixed>
-     */
-    private function routeParameters(array $overrides = []): array
-    {
-        $parameters = [
-            self::SOURCE_TENANT_QUERY_KEY => $this->sourceTenantId,
-            self::TARGET_TENANT_QUERY_KEY => $this->targetTenantId,
-            self::POLICY_TYPE_QUERY_KEY => $this->selectedPolicyTypes,
-        ];
-
-        if (is_array($this->navigationContextPayload)) {
-            $parameters['nav'] = $this->navigationContextPayload;
-        }
-
-        foreach ($overrides as $key => $value) {
-            $parameters[$key] = $value;
-        }
-
-        return array_filter($parameters, static fn (mixed $value): bool => $value !== null && $value !== '' && $value !== []);
-    }
-
-    private function navigationContext(): ?CanonicalNavigationContext
-    {
-        if (! is_array($this->navigationContextPayload)) {
-            return CanonicalNavigationContext::fromRequest(request());
-        }
-
-        return CanonicalNavigationContext::fromPayload($this->navigationContextPayload);
-    }
-
-    private function workspace(): ?Workspace
-    {
-        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
-
-        if (! is_int($workspaceId)) {
-            return null;
-        }
-
-        $workspace = Workspace::query()->whereKey($workspaceId)->first();
-
-        return $workspace instanceof Workspace ? $workspace : null;
-    }
-}

apps/platform/app/Filament/Pages/Findings/FindingsIntakeQueue.php

@@ -105,26 +105,14 @@ public function mount(): void
 
     protected function getHeaderActions(): array
     {
-        $actions = [];
-
-        $governanceContext = $this->incomingGovernanceContext();
-
-        if ($governanceContext?->backLinkUrl !== null) {
-            $actions[] = Action::make('return_to_governance_inbox')
-                ->label($governanceContext->backLinkLabel ?? 'Back to governance inbox')
-                ->icon('heroicon-o-arrow-left')
+        return [
+            Action::make('clear_tenant_filter')
+                ->label('Clear tenant filter')
+                ->icon('heroicon-o-x-mark')
                 ->color('gray')
-                ->url($governanceContext->backLinkUrl);
-        }
-
-        $actions[] = Action::make('clear_tenant_filter')
-            ->label('Clear tenant filter')
-            ->icon('heroicon-o-x-mark')
-            ->color('gray')
-            ->visible(fn (): bool => $this->currentTenantFilterId() !== null)
-            ->action(fn (): mixed => $this->clearTenantFilter());
-
-        return $actions;
+                ->visible(fn (): bool => $this->currentTenantFilterId() !== null)
+                ->action(fn (): mixed => $this->clearTenantFilter()),
+        ];
     }
 
     public function table(Table $table): Table
@@ -710,15 +698,6 @@ private function navigationContext(): CanonicalNavigationContext
         );
     }
 
-    private function incomingGovernanceContext(): ?CanonicalNavigationContext
-    {
-        $context = CanonicalNavigationContext::fromRequest(request());
-
-        return $context?->sourceSurface === 'governance.inbox'
-            ? $context
-            : null;
-    }
-
     private function queueUrl(array $overrides = []): string
     {
         $resolvedTenant = array_key_exists('tenant', $overrides)

apps/platform/app/Filament/Pages/Findings/MyFindingsInbox.php

@@ -97,26 +97,14 @@ public function mount(): void
 
     protected function getHeaderActions(): array
     {
-        $actions = [];
-
-        $governanceContext = $this->incomingGovernanceContext();
-
-        if ($governanceContext?->backLinkUrl !== null) {
-            $actions[] = Action::make('return_to_governance_inbox')
-                ->label($governanceContext->backLinkLabel ?? 'Back to governance inbox')
-                ->icon('heroicon-o-arrow-left')
+        return [
+            Action::make('clear_tenant_filter')
+                ->label('Clear tenant filter')
+                ->icon('heroicon-o-x-mark')
                 ->color('gray')
-                ->url($governanceContext->backLinkUrl);
-        }
-
-        $actions[] = Action::make('clear_tenant_filter')
-            ->label('Clear tenant filter')
-            ->icon('heroicon-o-x-mark')
-            ->color('gray')
-            ->visible(fn (): bool => $this->currentTenantFilterId() !== null)
-            ->action(fn (): mixed => $this->clearTenantFilter());
-
-        return $actions;
+                ->visible(fn (): bool => $this->currentTenantFilterId() !== null)
+                ->action(fn (): mixed => $this->clearTenantFilter()),
+        ];
     }
 
     public function table(Table $table): Table
@@ -652,15 +640,6 @@ private function navigationContext(): CanonicalNavigationContext
         );
     }
 
-    private function incomingGovernanceContext(): ?CanonicalNavigationContext
-    {
-        $context = CanonicalNavigationContext::fromRequest(request());
-
-        return $context?->sourceSurface === 'governance.inbox'
-            ? $context
-            : null;
-    }
-
     private function queueUrl(): string
     {
         $tenant = $this->filteredTenant();

apps/platform/app/Filament/Pages/Governance/GovernanceInbox.php

@@ -1,520 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Pages\Governance;
-
-use App\Filament\Pages\Findings\FindingsIntakeQueue;
-use App\Filament\Pages\Findings\MyFindingsInbox;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Models\Workspace;
-use App\Services\Auth\CapabilityResolver;
-use App\Services\Auth\WorkspaceCapabilityResolver;
-use App\Services\TenantReviews\TenantReviewRegisterService;
-use App\Support\Auth\Capabilities;
-use App\Support\GovernanceInbox\GovernanceInboxSectionBuilder;
-use App\Support\Navigation\CanonicalNavigationContext;
-use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
-use App\Support\Workspaces\WorkspaceContext;
-use BackedEnum;
-use Filament\Facades\Filament;
-use Filament\Pages\Page;
-use Illuminate\Support\Str;
-use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
-use UnitEnum;
-
-class GovernanceInbox extends Page
-{
-    protected static bool $isDiscovered = false;
-
-    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-inbox-stack';
-
-    protected static string|UnitEnum|null $navigationGroup = 'Governance';
-
-    protected static ?string $navigationLabel = 'Governance inbox';
-
-    protected static ?int $navigationSort = 5;
-
-    protected static ?string $title = 'Governance inbox';
-
-    protected static ?string $slug = 'governance/inbox';
-
-    protected string $view = 'filament.pages.governance.governance-inbox';
-
-    /**
-     * @var array<int, Tenant>|null
-     */
-    private ?array $authorizedTenants = null;
-
-    /**
-     * @var array<int, Tenant>|null
-     */
-    private ?array $visibleFindingTenants = null;
-
-    /**
-     * @var array<int, Tenant>|null
-     */
-    private ?array $reviewTenants = null;
-
-    /**
-     * @var array<string, mixed>|null
-     */
-    private ?array $inboxPayload = null;
-
-    /**
-     * @var array<string, mixed>|null
-     */
-    private ?array $unfilteredInboxPayload = null;
-
-    private ?Workspace $workspace = null;
-
-    private ?bool $visibleAlertsFamily = null;
-
-    private ?bool $visibleFindingExceptionsFamily = null;
-
-    public ?int $tenantId = null;
-
-    public ?string $family = null;
-
-    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
-    {
-        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly, ActionSurfaceType::ReadOnlyRegistryReport)
-            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions keep the workspace decision surface calm and read-only.')
-            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
-            ->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'The governance inbox routes into existing source surfaces instead of exposing row-level secondary actions.')
-            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The governance inbox does not expose bulk actions.')
-            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty states stay calm and capability-safe when no visible attention exists.')
-            ->exempt(ActionSurfaceSlot::DetailHeader, 'The governance inbox owns no local detail surface in v1.');
-    }
-
-    public function mount(): void
-    {
-        $this->authorizeWorkspaceMembership();
-        $this->applyRequestedTenantPrefilter();
-        $this->family = $this->resolveRequestedFamily();
-        $this->ensureAtLeastOneVisibleFamily();
-        $this->ensureRequestedFamilyIsVisible();
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    public function appliedScope(): array
-    {
-        $selectedTenant = $this->selectedTenant();
-        $availableFamilies = collect($this->availableFamilies())
-            ->keyBy('key');
-
-        return [
-            'workspace_label' => $this->workspace()?->name,
-            'tenant_label' => $selectedTenant?->name,
-            'tenant_prefilter_source' => $selectedTenant instanceof Tenant ? 'explicit_filter' : 'none',
-            'family_key' => $this->family,
-            'family_label' => $this->family !== null
-                ? ($availableFamilies->get($this->family)['label'] ?? Str::headline($this->family))
-                : 'All attention',
-            'total_count' => (int) ($this->inboxPayload()['total_count'] ?? 0),
-        ];
-    }
-
-    /**
-     * @return list<array{key: string, label: string, count: int}>
-     */
-    public function availableFamilies(): array
-    {
-        return $this->inboxPayload()['available_families'] ?? [];
-    }
-
-    /**
-     * @return list<array<string, mixed>>
-     */
-    public function sections(): array
-    {
-        return $this->inboxPayload()['sections'] ?? [];
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    public function calmEmptyState(): array
-    {
-        if ($this->tenantFilterAloneExcludesRows()) {
-            return [
-                'title' => 'This tenant filter is hiding other visible attention',
-                'body' => 'The current tenant scope is calm, but other visible tenants in this workspace still have governance attention.',
-                'action_label' => 'Clear tenant filter',
-                'action_url' => $this->pageUrl(['tenant' => null]),
-            ];
-        }
-
-        return [
-            'title' => 'No visible governance attention right now',
-            'body' => 'The current workspace scope is calm across the visible governance families.',
-            'action_label' => null,
-            'action_url' => null,
-        ];
-    }
-
-    public function hasTenantPrefilter(): bool
-    {
-        return $this->selectedTenant() instanceof Tenant;
-    }
-
-    public function isActiveFamily(?string $familyKey): bool
-    {
-        return $this->family === $familyKey;
-    }
-
-    public function pageUrl(array $overrides = []): string
-    {
-        $selectedTenant = $this->selectedTenant();
-        $resolvedTenant = array_key_exists('tenant', $overrides)
-            ? $overrides['tenant']
-            : ($selectedTenant?->getKey() !== null ? (string) $selectedTenant->getKey() : null);
-        $resolvedFamily = array_key_exists('family', $overrides)
-            ? $overrides['family']
-            : $this->family;
-
-        return static::getUrl(
-            panel: 'admin',
-            parameters: array_filter([
-                'tenant_id' => is_string($resolvedTenant) && $resolvedTenant !== '' ? $resolvedTenant : null,
-                'family' => is_string($resolvedFamily) && $resolvedFamily !== '' ? $resolvedFamily : null,
-            ], static fn (mixed $value): bool => $value !== null && $value !== ''),
-        );
-    }
-
-    public function navigationContext(): CanonicalNavigationContext
-    {
-        return CanonicalNavigationContext::forGovernanceInbox(
-            canonicalRouteName: static::getRouteName(Filament::getPanel('admin')),
-            tenantId: $this->tenantId,
-            backLinkUrl: $this->pageUrl(),
-            familyKey: $this->family,
-        );
-    }
-
-    private function authorizeWorkspaceMembership(): void
-    {
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User) {
-            abort(403);
-        }
-
-        if (! $workspace instanceof Workspace) {
-            throw new NotFoundHttpException;
-        }
-
-        $resolver = app(WorkspaceCapabilityResolver::class);
-
-        if (! $resolver->isMember($user, $workspace)) {
-            throw new NotFoundHttpException;
-        }
-    }
-
-    private function ensureAtLeastOneVisibleFamily(): void
-    {
-        if (
-            $this->hasVisibleOperationsFamily()
-            || $this->visibleFindingTenants() !== []
-            || $this->hasVisibleFindingExceptionsFamily()
-            || $this->reviewTenants() !== []
-            || $this->hasVisibleAlertsFamily()
-        ) {
-            return;
-        }
-
-        abort(403);
-    }
-
-    private function ensureRequestedFamilyIsVisible(): void
-    {
-        if ($this->family === null) {
-            return;
-        }
-
-        if (in_array($this->family, collect($this->availableFamilies())->pluck('key')->all(), true)) {
-            return;
-        }
-
-        throw new NotFoundHttpException;
-    }
-
-    private function hasVisibleOperationsFamily(): bool
-    {
-        return $this->authorizedTenants() !== [];
-    }
-
-    private function hasVisibleAlertsFamily(): bool
-    {
-        if (is_bool($this->visibleAlertsFamily)) {
-            return $this->visibleAlertsFamily;
-        }
-
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User || ! $workspace instanceof Workspace) {
-            return $this->visibleAlertsFamily = false;
-        }
-
-        return $this->visibleAlertsFamily = app(WorkspaceCapabilityResolver::class)->can($user, $workspace, Capabilities::ALERTS_VIEW);
-    }
-
-    private function hasVisibleFindingExceptionsFamily(): bool
-    {
-        if (is_bool($this->visibleFindingExceptionsFamily)) {
-            return $this->visibleFindingExceptionsFamily;
-        }
-
-        if ($this->authorizedTenants() === []) {
-            return $this->visibleFindingExceptionsFamily = false;
-        }
-
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User || ! $workspace instanceof Workspace) {
-            return $this->visibleFindingExceptionsFamily = false;
-        }
-
-        return $this->visibleFindingExceptionsFamily = app(WorkspaceCapabilityResolver::class)
-            ->can($user, $workspace, Capabilities::FINDING_EXCEPTION_APPROVE);
-    }
-
-    /**
-     * @return array<int, Tenant>
-     */
-    private function visibleFindingTenants(): array
-    {
-        if ($this->visibleFindingTenants !== null) {
-            return $this->visibleFindingTenants;
-        }
-
-        $user = auth()->user();
-        $tenants = $this->authorizedTenants();
-
-        if (! $user instanceof User || $tenants === []) {
-            return $this->visibleFindingTenants = [];
-        }
-
-        $resolver = app(CapabilityResolver::class);
-        $resolver->primeMemberships(
-            $user,
-            array_map(static fn (Tenant $tenant): int => (int) $tenant->getKey(), $tenants),
-        );
-
-        return $this->visibleFindingTenants = array_values(array_filter(
-            $tenants,
-            fn (Tenant $tenant): bool => $resolver->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW),
-        ));
-    }
-
-    /**
-     * @return array<int, Tenant>
-     */
-    private function reviewTenants(): array
-    {
-        if ($this->reviewTenants !== null) {
-            return $this->reviewTenants;
-        }
-
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User || ! $workspace instanceof Workspace) {
-            return $this->reviewTenants = [];
-        }
-
-        $service = app(TenantReviewRegisterService::class);
-
-        if (! $service->canAccessWorkspace($user, $workspace)) {
-            return $this->reviewTenants = [];
-        }
-
-        return $this->reviewTenants = $service->authorizedTenants($user, $workspace);
-    }
-
-    /**
-     * @return array<int, Tenant>
-     */
-    private function authorizedTenants(): array
-    {
-        if ($this->authorizedTenants !== null) {
-            return $this->authorizedTenants;
-        }
-
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User || ! $workspace instanceof Workspace) {
-            return $this->authorizedTenants = [];
-        }
-
-        return $this->authorizedTenants = $user->tenants()
-            ->where('tenants.workspace_id', (int) $workspace->getKey())
-            ->where('tenants.status', 'active')
-            ->orderBy('tenants.name')
-            ->get(['tenants.id', 'tenants.name', 'tenants.external_id', 'tenants.workspace_id'])
-            ->all();
-    }
-
-    private function applyRequestedTenantPrefilter(): void
-    {
-        $requestedTenant = request()->query('tenant_id', request()->query('tenant'));
-
-        if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
-            return;
-        }
-
-        foreach ($this->authorizedTenants() as $tenant) {
-            if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
-                continue;
-            }
-
-            $this->tenantId = (int) $tenant->getKey();
-
-            return;
-        }
-
-        throw new NotFoundHttpException;
-    }
-
-    private function resolveRequestedFamily(): ?string
-    {
-        $family = request()->query('family');
-
-        if (! is_string($family)) {
-            return null;
-        }
-
-        return in_array($family, [
-            'assigned_findings',
-            'intake_findings',
-            'finding_exceptions',
-            'stale_operations',
-            'alert_delivery_failures',
-            'review_follow_up',
-        ], true) ? $family : null;
-    }
-
-    private function workspace(): ?Workspace
-    {
-        if ($this->workspace instanceof Workspace) {
-            return $this->workspace;
-        }
-
-        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
-
-        if (! is_int($workspaceId)) {
-            return null;
-        }
-
-        return $this->workspace = Workspace::query()->whereKey($workspaceId)->first();
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    private function inboxPayload(): array
-    {
-        if (is_array($this->inboxPayload)) {
-            return $this->inboxPayload;
-        }
-
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User || ! $workspace instanceof Workspace) {
-            return $this->inboxPayload = [
-                'sections' => [],
-                'available_families' => [],
-                'family_counts' => [],
-                'total_count' => 0,
-            ];
-        }
-
-        return $this->inboxPayload = app(GovernanceInboxSectionBuilder::class)->build(
-            user: $user,
-            workspace: $workspace,
-            authorizedTenants: $this->authorizedTenants(),
-            visibleFindingTenants: $this->visibleFindingTenants(),
-            reviewTenants: $this->reviewTenants(),
-            canViewAlerts: $this->hasVisibleAlertsFamily(),
-            canViewFindingExceptions: $this->hasVisibleFindingExceptionsFamily(),
-            selectedTenant: $this->selectedTenant(),
-            selectedFamily: $this->family,
-            navigationContext: $this->navigationContext(),
-        );
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    private function unfilteredInboxPayload(): array
-    {
-        if (is_array($this->unfilteredInboxPayload)) {
-            return $this->unfilteredInboxPayload;
-        }
-
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User || ! $workspace instanceof Workspace) {
-            return $this->unfilteredInboxPayload = [
-                'sections' => [],
-                'available_families' => [],
-                'family_counts' => [],
-                'total_count' => 0,
-            ];
-        }
-
-        return $this->unfilteredInboxPayload = app(GovernanceInboxSectionBuilder::class)->build(
-            user: $user,
-            workspace: $workspace,
-            authorizedTenants: $this->authorizedTenants(),
-            visibleFindingTenants: $this->visibleFindingTenants(),
-            reviewTenants: $this->reviewTenants(),
-            canViewAlerts: $this->hasVisibleAlertsFamily(),
-            canViewFindingExceptions: $this->hasVisibleFindingExceptionsFamily(),
-            selectedTenant: null,
-            selectedFamily: null,
-            navigationContext: $this->navigationContext(),
-        );
-    }
-
-    private function selectedTenant(): ?Tenant
-    {
-        if (! is_int($this->tenantId)) {
-            return null;
-        }
-
-        foreach ($this->authorizedTenants() as $tenant) {
-            if ((int) $tenant->getKey() === $this->tenantId) {
-                return $tenant;
-            }
-        }
-
-        return null;
-    }
-
-    private function tenantFilterAloneExcludesRows(): bool
-    {
-        if (! is_int($this->tenantId) || $this->family !== null) {
-            return false;
-        }
-
-        if ($this->sections() !== []) {
-            return false;
-        }
-
-        return (int) ($this->unfilteredInboxPayload()['total_count'] ?? 0) > 0;
-    }
-}

apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php

@@ -208,16 +208,6 @@ protected function getHeaderActions(): array
             returnActionName: 'operate_hub_return_finding_exceptions',
         );
 
-        $governanceContext = $this->incomingGovernanceContext();
-
-        if ($governanceContext?->backLinkUrl !== null) {
-            $actions[] = Action::make('return_to_governance_inbox')
-                ->label($governanceContext->backLinkLabel ?? 'Back to governance inbox')
-                ->icon('heroicon-o-arrow-left')
-                ->color('gray')
-                ->url($governanceContext->backLinkUrl);
-        }
-
         $actions[] = Action::make('clear_filters')
             ->label('Clear filters')
             ->icon('heroicon-o-x-mark')
@@ -489,10 +479,7 @@ public function selectedExceptionUrl(): ?string
             return null;
         }
 
-        return $this->appendQuery(
-            FindingExceptionResource::getUrl('view', ['record' => $record], panel: 'tenant', tenant: $record->tenant),
-            $this->navigationContext()?->toQuery() ?? [],
-        );
+        return FindingExceptionResource::getUrl('view', ['record' => $record], panel: 'tenant', tenant: $record->tenant);
     }
 
     public function selectedFindingUrl(): ?string
@@ -503,10 +490,7 @@ public function selectedFindingUrl(): ?string
             return null;
         }
 
-        return $this->appendQuery(
-            FindingResource::getUrl('view', ['record' => $record->finding], panel: 'tenant', tenant: $record->tenant),
-            $this->navigationContext()?->toQuery() ?? [],
-        );
+        return FindingResource::getUrl('view', ['record' => $record->finding], panel: 'tenant', tenant: $record->tenant);
     }
 
     public function clearSelectedException(): void
@@ -670,15 +654,6 @@ private function navigationContext(): ?CanonicalNavigationContext
         return CanonicalNavigationContext::fromRequest(request());
     }
 
-    private function incomingGovernanceContext(): ?CanonicalNavigationContext
-    {
-        $context = $this->navigationContext();
-
-        return $context?->sourceSurface === 'governance.inbox'
-            ? $context
-            : null;
-    }
-
     private function normalizeSelectedFindingExceptionId(): void
     {
         if (! is_int($this->selectedFindingExceptionId) || $this->selectedFindingExceptionId <= 0) {
@@ -808,16 +783,4 @@ private function governanceWarningColor(FindingException $record): string
 
         return 'danger';
     }
-
-    /**
-     * @param  array<string, mixed>  $query
-     */
-    private function appendQuery(string $url, array $query): string
-    {
-        if ($query === []) {
-            return $url;
-        }
-
-        return $url.(str_contains($url, '?') ? '&' : '?').http_build_query($query);
-    }
 }

apps/platform/app/Filament/Pages/Operations/TenantlessOperationRunViewer.php

@@ -6,7 +6,6 @@
 
 use App\Filament\Resources\OperationRunResource;
 use App\Models\OperationRun;
-use App\Models\SupportRequest;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Services\Audit\WorkspaceAuditLogger;
@@ -31,8 +30,6 @@
 use App\Support\RestoreSafety\RestoreSafetyCopy;
 use App\Support\Rbac\UiEnforcement;
 use App\Support\SupportDiagnostics\SupportDiagnosticBundleBuilder;
-use App\Support\SupportRequests\ExternalSupportDeskHandoffService;
-use App\Support\SupportRequests\SupportRequestSubmissionService;
 use App\Support\Tenants\ReferencedTenantLifecyclePresentation;
 use App\Support\Tenants\TenantInteractionLane;
 use App\Support\Tenants\TenantOperabilityQuestion;
@@ -43,14 +40,9 @@
 use App\Support\Ui\OperatorExplanation\OperatorExplanationPattern;
 use Filament\Actions\Action;
 use Filament\Actions\ActionGroup;
-use Filament\Forms\Components\Placeholder;
-use Filament\Forms\Components\Select;
-use Filament\Forms\Components\TextInput;
-use Filament\Forms\Components\Textarea;
 use Filament\Notifications\Notification;
 use Filament\Pages\Page;
 use Filament\Schemas\Components\EmbeddedSchema;
-use Filament\Schemas\Components\Utilities\Get;
 use Filament\Schemas\Schema;
 use Illuminate\Contracts\View\View;
 use Illuminate\Contracts\Support\Htmlable;
@@ -149,6 +141,10 @@ protected function getHeaderActions(): array
                 ? OperationRunLinks::tenantlessView($this->run, $navigationContext)
                 : OperationRunLinks::index());
 
+        if (isset($this->run)) {
+            $actions[] = $this->openSupportDiagnosticsAction();
+        }
+
         if (! isset($this->run)) {
             return $actions;
         }
@@ -171,14 +167,6 @@ protected function getHeaderActions(): array
                 ->color('gray');
         }
 
-        $actions[] = ActionGroup::make([
-            $this->openSupportDiagnosticsAction(),
-            $this->requestSupportAction(),
-        ])
-            ->label('More')
-            ->icon('heroicon-o-ellipsis-horizontal')
-            ->color('gray');
-
         $actions[] = $this->resumeCaptureAction();
 
         return $actions;
@@ -240,6 +228,8 @@ private function openSupportDiagnosticsAction(): Action
         $action = Action::make('openSupportDiagnostics')
             ->label('Open support diagnostics')
             ->icon('heroicon-o-lifebuoy')
+            ->iconButton()
+            ->tooltip('Open support diagnostics')
             ->color('gray')
             ->record($this->run)
             ->modal()
@@ -261,128 +251,39 @@ private function openSupportDiagnosticsAction(): Action
             ->apply();
     }
 
-    public function authorizeOperationRunSupportRequest(): void
-    {
-        $this->resolveRunTenantForCapability(Capabilities::SUPPORT_REQUESTS_CREATE);
-    }
-
-    private function requestSupportAction(): Action
-    {
-        $action = Action::make('requestSupport')
-            ->label(__('localization.dashboard.request_support'))
-            ->icon('heroicon-o-paper-airplane')
-            ->record($this->run)
-            ->slideOver()
-            ->stickyModalHeader()
-            ->modalHeading(__('localization.dashboard.support_request_heading'))
-            ->modalDescription(__('localization.dashboard.support_request_run_description'))
-            ->modalSubmitActionLabel(__('localization.dashboard.submit_request'))
-            ->form([
-                Placeholder::make('primary_context')
-                    ->label(__('localization.dashboard.primary_context'))
-                    ->content(fn (): string => OperationRunLinks::identifier($this->run))
-                    ->columnSpanFull(),
-                Placeholder::make('included_context')
-                    ->label(__('localization.dashboard.included_context'))
-                    ->content(fn (): string => $this->operationSupportRequestAttachmentSummary())
-                    ->columnSpanFull(),
-                Placeholder::make('latest_external_handoff')
-                    ->label(__('localization.dashboard.latest_external_handoff'))
-                    ->content(fn (): string => $this->operationLatestSupportRequestHandoffSummary())
-                    ->columnSpanFull(),
-                Select::make('external_handoff_mode')
-                    ->label(__('localization.dashboard.external_handoff_mode'))
-                    ->options(fn (): array => $this->supportHandoffModeOptions())
-                    ->default(SupportRequest::EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY)
-                    ->helperText(fn (): string => $this->supportDeskTargetAvailable()
-                        ? __('localization.dashboard.external_handoff_mode_helper_available')
-                        : __('localization.dashboard.external_handoff_mode_helper_unavailable'))
-                    ->required()
-                    ->live()
-                    ->native(false),
-                Placeholder::make('handoff_mutation_scope')
-                    ->label(__('localization.dashboard.handoff_mutation_scope'))
-                    ->content(fn (Get $get): string => $this->externalHandoffMutationScope($get('external_handoff_mode')))
-                    ->columnSpanFull(),
-                TextInput::make('external_ticket_reference')
-                    ->label(__('localization.dashboard.external_ticket_reference'))
-                    ->helperText(__('localization.dashboard.external_ticket_reference_helper'))
-                    ->required(fn (Get $get): bool => $get('external_handoff_mode') === SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET)
-                    ->visible(fn (Get $get): bool => $this->supportDeskTargetAvailable()
-                        && $get('external_handoff_mode') === SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET),
-                TextInput::make('external_ticket_url')
-                    ->label(__('localization.dashboard.external_ticket_url'))
-                    ->helperText(__('localization.dashboard.external_ticket_url_helper'))
-                    ->url()
-                    ->visible(fn (Get $get): bool => $this->supportDeskTargetAvailable()
-                        && $get('external_handoff_mode') === SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET)
-                    ->columnSpanFull(),
-                Select::make('severity')
-                    ->label(__('localization.dashboard.severity'))
-                    ->options(SupportRequest::severityOptions())
-                    ->default(SupportRequest::SEVERITY_NORMAL)
-                    ->required()
-                    ->native(false),
-                TextInput::make('summary')
-                    ->label(__('localization.dashboard.summary'))
-                    ->required()
-                    ->columnSpanFull(),
-                Textarea::make('reproduction_notes')
-                    ->label(__('localization.dashboard.reproduction_notes'))
-                    ->rows(4)
-                    ->columnSpanFull(),
-                TextInput::make('contact_name')
-                    ->label(__('localization.dashboard.contact_name'))
-                    ->default(fn (): ?string => $this->resolveViewerActor()->name),
-                TextInput::make('contact_email')
-                    ->label(__('localization.dashboard.contact_email'))
-                    ->email()
-                    ->default(fn (): ?string => $this->resolveViewerActor()->email),
-            ])
-            ->action(function (array $data): void {
-                $actor = $this->resolveViewerActor();
-
-                $supportRequest = app(SupportRequestSubmissionService::class)->submitForOperationRun($this->run, $actor, $data);
-
-                Notification::make()
-                    ->title(__('localization.dashboard.support_request_submitted'))
-                    ->body($this->supportRequestNotificationBody($supportRequest))
-                    ->when(
-                        $supportRequest->hasExternalHandoffFailure(),
-                        fn (Notification $notification): Notification => $notification->warning(),
-                        fn (Notification $notification): Notification => $notification->success(),
-                    )
-                    ->when(
-                        $supportRequest->external_ticket_url !== null,
-                        fn (Notification $notification): Notification => $notification->actions([
-                            Action::make('openExternalTicket')
-                                ->label(__('localization.dashboard.open_external_ticket'))
-                                ->url((string) $supportRequest->external_ticket_url, shouldOpenInNewTab: true),
-                        ]),
-                    )
-                    ->send();
-            });
-
-        return UiEnforcement::forAction($action)
-            ->requireCapability(Capabilities::SUPPORT_REQUESTS_CREATE)
-            ->apply();
-    }
-
     /**
      * @return array<string, mixed>
      */
     public function operationRunSupportDiagnosticBundle(): array
     {
-        $user = $this->resolveViewerActor();
-        $tenant = $this->resolveRunTenantForCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
+        $user = auth()->user();
+        $tenant = $this->supportDiagnosticsTenant();
+
+        if (! $user instanceof User || ! $tenant instanceof Tenant) {
+            abort(404);
+        }
+
+        $resolver = app(CapabilityResolver::class);
+
+        if (! $resolver->isMember($user, $tenant)) {
+            abort(404);
+        }
+
+        if (! $resolver->can($user, $tenant, Capabilities::SUPPORT_DIAGNOSTICS_VIEW)) {
+            abort(403);
+        }
 
         return app(SupportDiagnosticBundleBuilder::class)->forOperationRun($this->run, $user);
     }
 
     private function auditOperationSupportDiagnosticsOpen(): void
     {
-        $user = $this->resolveViewerActor();
-        $tenant = $this->resolveRunTenantForCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
+        $user = auth()->user();
+        $tenant = $this->supportDiagnosticsTenant();
+
+        if (! $user instanceof User || ! $tenant instanceof Tenant) {
+            abort(404);
+        }
 
         $this->recordSupportDiagnosticsOpened(
             tenant: $tenant,
@@ -406,151 +307,6 @@ private function supportDiagnosticsTenant(): ?Tenant
         return $this->run->loadMissing('tenant')->tenant;
     }
 
-    private function resolveViewerActor(): User
-    {
-        $user = auth()->user();
-
-        if (! $user instanceof User) {
-            abort(403);
-        }
-
-        return $user;
-    }
-
-    private function resolveRunTenantForCapability(string $capability): Tenant
-    {
-        $tenant = $this->supportDiagnosticsTenant();
-        $user = $this->resolveViewerActor();
-
-        if (! $tenant instanceof Tenant) {
-            abort(404);
-        }
-
-        $resolver = app(CapabilityResolver::class);
-
-        if (! $resolver->isMember($user, $tenant)) {
-            abort(404);
-        }
-
-        if (! $resolver->can($user, $tenant, $capability)) {
-            abort(403);
-        }
-
-        return $tenant;
-    }
-
-    private function operationSupportRequestAttachmentSummary(): string
-    {
-        $tenant = $this->supportDiagnosticsTenant();
-        $user = auth()->user();
-
-        if (! $tenant instanceof Tenant || ! $user instanceof User) {
-            return 'Only canonical redacted run context will be attached.';
-        }
-
-        $resolver = app(CapabilityResolver::class);
-
-        if (! $resolver->isMember($user, $tenant)) {
-            return 'Only canonical redacted run context will be attached.';
-        }
-
-        return $resolver->can($user, $tenant, Capabilities::SUPPORT_DIAGNOSTICS_VIEW)
-            ? 'A redacted diagnostic snapshot and the canonical run context will be attached.'
-            : 'Only the canonical redacted run context will be attached because you cannot view support diagnostics.';
-    }
-
-    private function operationLatestSupportRequestHandoffSummary(): string
-    {
-        $user = $this->resolveViewerActor();
-
-        $summary = app(SupportRequestSubmissionService::class)->latestOperationRunHandoffSummary($this->run, $user);
-
-        return $this->formatLatestHandoffSummary($summary);
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    private function supportHandoffModeOptions(): array
-    {
-        if (! $this->supportDeskTargetAvailable()) {
-            return [
-                SupportRequest::EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY => __('localization.dashboard.handoff_mode_internal_only'),
-            ];
-        }
-
-        return [
-            SupportRequest::EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY => __('localization.dashboard.handoff_mode_internal_only'),
-            SupportRequest::EXTERNAL_HANDOFF_MODE_CREATE_EXTERNAL_TICKET => __('localization.dashboard.handoff_mode_create_external_ticket'),
-            SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET => __('localization.dashboard.handoff_mode_link_existing_ticket'),
-        ];
-    }
-
-    private function supportDeskTargetAvailable(): bool
-    {
-        return app(ExternalSupportDeskHandoffService::class)->targetIsConfigured();
-    }
-
-    private function externalHandoffMutationScope(mixed $mode): string
-    {
-        return match ($mode) {
-            SupportRequest::EXTERNAL_HANDOFF_MODE_CREATE_EXTERNAL_TICKET => __('localization.dashboard.mutation_scope_external_create'),
-            SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET => __('localization.dashboard.mutation_scope_external_link'),
-            default => __('localization.dashboard.mutation_scope_internal_only'),
-        };
-    }
-
-    /**
-     * @param  array<string, mixed>|null  $summary
-     */
-    private function formatLatestHandoffSummary(?array $summary): string
-    {
-        if ($summary === null) {
-            return __('localization.dashboard.latest_external_handoff_none');
-        }
-
-        $internalReference = (string) $summary['internal_reference'];
-
-        if (($summary['has_failure'] ?? false) === true) {
-            return __('localization.dashboard.latest_external_handoff_failed', [
-                'reference' => $internalReference,
-                'failure' => (string) $summary['external_handoff_failure_summary'],
-            ]);
-        }
-
-        if (($summary['has_external_link'] ?? false) === true) {
-            return __('localization.dashboard.latest_external_handoff_linked', [
-                'reference' => $internalReference,
-                'external' => (string) $summary['external_ticket_reference'],
-            ]);
-        }
-
-        return __('localization.dashboard.latest_external_handoff_internal_only', [
-            'reference' => $internalReference,
-        ]);
-    }
-
-    private function supportRequestNotificationBody(SupportRequest $supportRequest): string
-    {
-        return match ($supportRequest->externalHandoffOutcome()) {
-            SupportRequest::HANDOFF_OUTCOME_EXTERNAL_TICKET_CREATED => __('localization.dashboard.support_request_submitted_created', [
-                'reference' => $supportRequest->internal_reference,
-                'external' => $supportRequest->external_ticket_reference,
-            ]),
-            SupportRequest::HANDOFF_OUTCOME_EXTERNAL_TICKET_LINKED => __('localization.dashboard.support_request_submitted_linked', [
-                'reference' => $supportRequest->internal_reference,
-                'external' => $supportRequest->external_ticket_reference,
-            ]),
-            SupportRequest::HANDOFF_OUTCOME_EXTERNAL_HANDOFF_FAILED => __('localization.dashboard.support_request_submitted_failed', [
-                'reference' => $supportRequest->internal_reference,
-                'failure' => $supportRequest->external_handoff_failure_summary,
-            ]),
-            default => __('localization.dashboard.support_request_submitted_internal_only', [
-                'reference' => $supportRequest->internal_reference,
-            ]),
-        };
-    }
-
     /**
      * @param  array<string, mixed>  $bundle
      */

apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php

@@ -1,695 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Filament\Pages\Reviews;
-
-use App\Filament\Resources\TenantReviewResource;
-use App\Models\EvidenceSnapshot;
-use App\Models\FindingException;
-use App\Models\Tenant;
-use App\Models\ReviewPack;
-use App\Models\TenantReview;
-use App\Models\User;
-use App\Models\Workspace;
-use App\Services\Audit\WorkspaceAuditLogger;
-use App\Services\ReviewPackService;
-use App\Services\TenantReviews\TenantReviewRegisterService;
-use App\Support\Audit\AuditActionId;
-use App\Support\Auth\Capabilities;
-use App\Support\Findings\FindingOutcomeSemantics;
-use App\Support\Filament\TablePaginationProfiles;
-use App\Support\Navigation\CanonicalNavigationContext;
-use App\Support\ReviewPackStatus;
-use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
-use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
-use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthEnvelope;
-use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthPresenter;
-use App\Support\Ui\GovernanceArtifactTruth\CompressedGovernanceOutcome;
-use App\Support\Ui\GovernanceArtifactTruth\SurfaceCompressionContext;
-use App\Support\Workspaces\WorkspaceContext;
-use BackedEnum;
-use Filament\Actions\Action;
-use Filament\Pages\Page;
-use Filament\Tables\Columns\TextColumn;
-use Filament\Tables\Concerns\InteractsWithTable;
-use Filament\Tables\Contracts\HasTable;
-use Filament\Tables\Filters\SelectFilter;
-use Filament\Tables\Table;
-use Illuminate\Database\Eloquent\Builder;
-use Illuminate\Support\Str;
-use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
-use UnitEnum;
-
-class CustomerReviewWorkspace extends Page implements HasTable
-{
-    use InteractsWithTable;
-
-    public const string DETAIL_CONTEXT_QUERY_KEY = 'customer_workspace';
-
-    public const string SOURCE_SURFACE = 'customer_review_workspace';
-
-    protected static bool $isDiscovered = false;
-
-    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-document-text';
-
-    protected static string|UnitEnum|null $navigationGroup = 'Reporting';
-
-    protected static ?string $navigationLabel = 'Customer reviews';
-
-    protected static ?int $navigationSort = 44;
-
-    protected static ?string $title = 'Customer Review Workspace';
-
-    protected static ?string $slug = 'reviews/workspace';
-
-    protected string $view = 'filament.pages.reviews.customer-review-workspace';
-
-    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
-    {
-        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog, ActionSurfaceType::ReadOnlyRegistryReport)
-            ->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions provide a single Clear filters action for the customer review workspace.')
-            ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
-            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The customer review workspace remains scan-first and does not expose bulk actions.')
-            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state keeps exactly one Clear filters CTA when filters are active.')
-            ->exempt(ActionSurfaceSlot::DetailHeader, 'Row navigation opens the latest published review detail instead of an inline canonical detail panel.');
-    }
-
-    public static function getNavigationGroup(): string
-    {
-        return __('localization.review.reporting');
-    }
-
-    public static function getNavigationLabel(): string
-    {
-        return __('localization.review.customer_reviews');
-    }
-
-    public function getTitle(): string
-    {
-        return __('localization.review.customer_review_workspace');
-    }
-
-    public static function tenantPrefilterUrl(Tenant $tenant): string
-    {
-        $tenantIdentifier = filled($tenant->external_id)
-            ? (string) $tenant->external_id
-            : (string) $tenant->getKey();
-
-        return static::getUrl(panel: 'admin').'?'.http_build_query([
-            'tenant' => $tenantIdentifier,
-        ]);
-    }
-
-    /**
-     * @var array<int, Tenant>|null
-     */
-    private ?array $authorizedTenants = null;
-
-    public function mount(): void
-    {
-        $this->authorizePageAccess();
-        $this->applyRequestedTenantPrefilter();
-        $this->mountInteractsWithTable();
-        $this->auditWorkspaceOpen();
-    }
-
-    protected function getHeaderActions(): array
-    {
-        $actions = [];
-
-        $governanceContext = $this->incomingGovernanceContext();
-
-        if ($governanceContext?->backLinkUrl !== null) {
-            $actions[] = Action::make('return_to_governance_inbox')
-                ->label($governanceContext->backLinkLabel ?? 'Back to governance inbox')
-                ->icon('heroicon-o-arrow-left')
-                ->color('gray')
-                ->url($governanceContext->backLinkUrl);
-        }
-
-        $actions[] = Action::make('clear_filters')
-            ->label(__('localization.review.clear_filters'))
-            ->icon('heroicon-o-x-mark')
-            ->color('gray')
-            ->visible(fn (): bool => $this->hasActiveFilters())
-            ->action(function (): void {
-                $this->clearWorkspaceFilters();
-            });
-
-        return $actions;
-    }
-
-    public function table(Table $table): Table
-    {
-        return $table
-            ->query(fn (): Builder => $this->workspaceQuery())
-            ->defaultSort('name')
-            ->paginated(TablePaginationProfiles::customPage())
-            ->persistFiltersInSession()
-            ->persistSearchInSession()
-            ->persistSortInSession()
-            ->recordUrl(fn (Tenant $record): ?string => $this->latestReviewUrl($record))
-            ->columns([
-                TextColumn::make('name')->label(__('localization.review.tenant'))->searchable()->sortable(),
-                TextColumn::make('latest_review')
-                    ->label(__('localization.review.latest_review'))
-                    ->badge()
-                    ->getStateUsing(fn (Tenant $record): string => $this->latestReviewStateLabel($record))
-                    ->color(fn (Tenant $record): string => $this->latestReviewStateColor($record))
-                    ->icon(fn (Tenant $record): ?string => $this->latestReviewStateIcon($record))
-                    ->iconColor(fn (Tenant $record): ?string => $this->latestReviewStateIconColor($record))
-                    ->description(fn (Tenant $record): ?string => $this->reviewOutcomeDescription($record))
-                    ->wrap(),
-                TextColumn::make('finding_summary')
-                    ->label(__('localization.review.key_findings'))
-                    ->getStateUsing(fn (Tenant $record): string => $this->findingSummary($record))
-                    ->wrap(),
-                TextColumn::make('accepted_risk_summary')
-                    ->label(__('localization.review.accepted_risks'))
-                    ->getStateUsing(fn (Tenant $record): string => $this->acceptedRiskSummary($record))
-                    ->wrap(),
-                TextColumn::make('evidence_proof_state')
-                    ->label(__('localization.review.evidence_proof'))
-                    ->getStateUsing(fn (Tenant $record): string => $this->evidenceProofAvailability($record))
-                    ->wrap(),
-                TextColumn::make('published_at')
-                    ->label(__('localization.review.published'))
-                    ->getStateUsing(fn (Tenant $record): ?string => $this->latestPublishedAt($record)?->toDateTimeString())
-                    ->dateTime()
-                    ->placeholder('—'),
-                TextColumn::make('review_pack_state')
-                    ->label(__('localization.review.review_pack'))
-                    ->getStateUsing(fn (Tenant $record): string => $this->reviewPackAvailability($record))
-                    ->wrap(),
-            ])
-            ->filters([
-                SelectFilter::make('tenant_id')
-                    ->label(__('localization.review.tenant'))
-                    ->options(fn (): array => $this->tenantFilterOptions())
-                    ->default(fn (): ?string => $this->defaultTenantFilter())
-                    ->query(function (Builder $query, array $data): Builder {
-                        $tenantId = $data['value'] ?? null;
-
-                        return is_numeric($tenantId)
-                            ? $query->whereKey((int) $tenantId)
-                            : $query;
-                    })
-                    ->searchable(),
-            ])
-            ->actions([
-                Action::make('open_latest_review')
-                    ->label(__('localization.review.open_latest_review'))
-                    ->icon('heroicon-o-arrow-top-right-on-square')
-                    ->url(fn (Tenant $record): ?string => $this->latestReviewUrl($record))
-                    ->visible(fn (Tenant $record): bool => $this->latestPublishedReview($record) instanceof TenantReview),
-                Action::make('download_review_pack')
-                    ->label(__('localization.review.download_review_pack'))
-                    ->icon('heroicon-o-arrow-down-tray')
-                    ->url(fn (Tenant $record): ?string => $this->latestReviewPackDownloadUrl($record))
-                    ->openUrlInNewTab()
-                    ->visible(fn (Tenant $record): bool => is_string($this->latestReviewPackDownloadUrl($record))),
-            ])
-            ->bulkActions([])
-            ->emptyStateHeading(__('localization.review.no_entitled_tenants'))
-            ->emptyStateDescription(fn (): string => $this->hasActiveFilters()
-                ? __('localization.review.clear_filters_description')
-                : __('localization.review.adjust_filters_description'))
-            ->emptyStateActions([
-                Action::make('clear_filters_empty')
-                    ->label(__('localization.review.clear_filters'))
-                    ->icon('heroicon-o-x-mark')
-                    ->color('gray')
-                    ->visible(fn (): bool => $this->hasActiveFilters())
-                    ->action(fn (): mixed => $this->clearWorkspaceFilters()),
-            ]);
-    }
-
-    /**
-     * @return array<int, Tenant>
-     */
-    public function authorizedTenants(): array
-    {
-        if ($this->authorizedTenants !== null) {
-            return $this->authorizedTenants;
-        }
-
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User || ! $workspace instanceof Workspace) {
-            return $this->authorizedTenants = [];
-        }
-
-        return $this->authorizedTenants = app(TenantReviewRegisterService::class)->authorizedTenants($user, $workspace);
-    }
-
-    private function authorizePageAccess(): void
-    {
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User) {
-            abort(403);
-        }
-
-        if (! $workspace instanceof Workspace) {
-            throw new NotFoundHttpException;
-        }
-
-        $service = app(TenantReviewRegisterService::class);
-
-        if (! $service->canAccessWorkspace($user, $workspace)) {
-            throw new NotFoundHttpException;
-        }
-
-        if ($this->authorizedTenants() === []) {
-            throw new NotFoundHttpException;
-        }
-    }
-
-    private function auditWorkspaceOpen(): void
-    {
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User || ! $workspace instanceof Workspace) {
-            return;
-        }
-
-        app(WorkspaceAuditLogger::class)->log(
-            workspace: $workspace,
-            action: AuditActionId::CustomerReviewWorkspaceOpened,
-            context: [
-                'metadata' => [
-                    'source_surface' => self::SOURCE_SURFACE,
-                    'tenant_filter_id' => $this->currentTenantFilterId(),
-                    'entitled_tenant_count' => count($this->authorizedTenants()),
-                ],
-            ],
-            actor: $user,
-            resourceType: 'customer_review_workspace',
-            resourceId: (string) $workspace->getKey(),
-            targetLabel: __('localization.review.customer_review_workspace'),
-        );
-    }
-
-    private function workspaceQuery(): Builder
-    {
-        $user = auth()->user();
-        $workspace = $this->workspace();
-
-        if (! $user instanceof User || ! $workspace instanceof Workspace) {
-            return Tenant::query()->whereRaw('1 = 0');
-        }
-
-        return app(TenantReviewRegisterService::class)->customerWorkspaceTenantQuery($user, $workspace);
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    private function tenantFilterOptions(): array
-    {
-        return collect($this->authorizedTenants())
-            ->mapWithKeys(static fn (Tenant $tenant): array => [
-                (string) $tenant->getKey() => $tenant->name,
-            ])
-            ->all();
-    }
-
-    private function defaultTenantFilter(): ?string
-    {
-        $tenantId = app(WorkspaceContext::class)->lastTenantId(request());
-
-        return is_int($tenantId) && array_key_exists($tenantId, $this->authorizedTenants())
-            ? (string) $tenantId
-            : null;
-    }
-
-    private function applyRequestedTenantPrefilter(): void
-    {
-        $requestedTenant = request()->query('tenant', request()->query('tenant_id'));
-
-        if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
-            return;
-        }
-
-        foreach ($this->authorizedTenants() as $tenant) {
-            if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
-                continue;
-            }
-
-            $this->tableFilters['tenant_id']['value'] = (string) $tenant->getKey();
-            $this->tableDeferredFilters['tenant_id']['value'] = (string) $tenant->getKey();
-
-            return;
-        }
-
-        throw new NotFoundHttpException;
-    }
-
-    private function hasActiveFilters(): bool
-    {
-        return $this->currentTenantFilterId() !== null;
-    }
-
-    private function clearWorkspaceFilters(): void
-    {
-        app(WorkspaceContext::class)->clearLastTenantId(request());
-        $this->removeTableFilters();
-    }
-
-    private function currentTenantFilterId(): ?int
-    {
-        $tenantFilter = data_get($this->tableFilters, 'tenant_id.value');
-
-        if (! is_numeric($tenantFilter)) {
-            $tenantFilter = data_get(session()->get($this->getTableFiltersSessionKey(), []), 'tenant_id.value');
-        }
-
-        return is_numeric($tenantFilter) ? (int) $tenantFilter : null;
-    }
-
-    private function workspace(): ?Workspace
-    {
-        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
-
-        return is_numeric($workspaceId)
-            ? Workspace::query()->whereKey((int) $workspaceId)->first()
-            : null;
-    }
-
-    private function latestPublishedReview(Tenant $tenant): ?TenantReview
-    {
-        $review = $tenant->tenantReviews->first();
-
-        return $review instanceof TenantReview ? $review : null;
-    }
-
-    private function latestReviewUrl(Tenant $tenant): ?string
-    {
-        $review = $this->latestPublishedReview($tenant);
-
-        if (! $review instanceof TenantReview) {
-            return null;
-        }
-
-        return $this->appendQuery(
-            TenantReviewResource::tenantScopedUrl('view', ['record' => $review], $tenant, 'tenant'),
-            array_replace(
-                [self::DETAIL_CONTEXT_QUERY_KEY => 1],
-                $this->navigationContext()?->toQuery() ?? [],
-            ),
-        );
-    }
-
-    private function latestReviewPack(Tenant $tenant): ?ReviewPack
-    {
-        $review = $this->latestPublishedReview($tenant);
-        $pack = $review?->currentExportReviewPack;
-
-        return $pack instanceof ReviewPack ? $pack : null;
-    }
-
-    private function latestReviewPackDownloadUrl(Tenant $tenant): ?string
-    {
-        $user = auth()->user();
-        $pack = $this->latestReviewPack($tenant);
-
-        if (! $user instanceof User || ! $pack instanceof ReviewPack) {
-            return null;
-        }
-
-        if (! $user->can(Capabilities::REVIEW_PACK_VIEW, $tenant)) {
-            return null;
-        }
-
-        if ($pack->status !== ReviewPackStatus::Ready->value) {
-            return null;
-        }
-
-        if ($pack->expires_at !== null && $pack->expires_at->isPast()) {
-            return null;
-        }
-
-        return app(ReviewPackService::class)->generateDownloadUrl($pack, [
-            'source_surface' => self::SOURCE_SURFACE,
-        ]);
-    }
-
-    private function latestPublishedAt(Tenant $tenant): ?\Illuminate\Support\Carbon
-    {
-        return $this->latestPublishedReview($tenant)?->published_at;
-    }
-
-    private function reviewTruth(Tenant $tenant): ?ArtifactTruthEnvelope
-    {
-        $review = $this->latestPublishedReview($tenant);
-
-        return $review instanceof TenantReview
-            ? app(ArtifactTruthPresenter::class)->forTenantReview($review)
-            : null;
-    }
-
-    private function reviewOutcome(Tenant $tenant): ?CompressedGovernanceOutcome
-    {
-        $presenter = app(ArtifactTruthPresenter::class);
-        $review = $this->latestPublishedReview($tenant);
-        $truth = $this->reviewTruth($tenant);
-
-        if (! $review instanceof TenantReview || ! $truth instanceof ArtifactTruthEnvelope) {
-            return null;
-        }
-
-        return $presenter->compressedOutcomeFor($review, SurfaceCompressionContext::reviewRegister())
-            ?? $presenter->compressedOutcomeFromEnvelope($truth, SurfaceCompressionContext::reviewRegister());
-    }
-
-    private function latestReviewStateLabel(Tenant $tenant): string
-    {
-        return $this->reviewOutcome($tenant)?->primaryLabel ?? __('localization.review.no_published_review');
-    }
-
-    private function latestReviewStateColor(Tenant $tenant): string
-    {
-        return $this->reviewOutcome($tenant)?->primaryBadge->color ?? 'gray';
-    }
-
-    private function latestReviewStateIcon(Tenant $tenant): ?string
-    {
-        return $this->reviewOutcome($tenant)?->primaryBadge->icon;
-    }
-
-    private function latestReviewStateIconColor(Tenant $tenant): ?string
-    {
-        return $this->reviewOutcome($tenant)?->primaryBadge->iconColor;
-    }
-
-    private function reviewOutcomeDescription(Tenant $tenant): ?string
-    {
-        $review = $this->latestPublishedReview($tenant);
-
-        if (! $review instanceof TenantReview) {
-            return __('localization.review.no_published_review_available');
-        }
-
-        $primaryReason = $this->reviewOutcome($tenant)?->primaryReason;
-        $summary = is_array($review->summary) ? $review->summary : [];
-        $findingOutcomes = $summary['finding_outcomes'] ?? null;
-
-        if (! is_array($findingOutcomes)) {
-            return $primaryReason;
-        }
-
-        $findingOutcomeSummary = app(FindingOutcomeSemantics::class)->compactOutcomeSummary($findingOutcomes);
-
-        if ($findingOutcomeSummary === null) {
-            return $primaryReason;
-        }
-
-        return trim($primaryReason.' '.__('localization.review.terminal_outcomes').': '.$findingOutcomeSummary.'.');
-    }
-
-    private function findingSummary(Tenant $tenant): string
-    {
-        $review = $this->latestPublishedReview($tenant);
-
-        if (! $review instanceof TenantReview) {
-            return __('localization.review.no_published_review_available');
-        }
-
-        $summary = is_array($review->summary) ? $review->summary : [];
-        $findingCount = (int) ($summary['finding_count'] ?? 0);
-        $findingOutcomes = is_array($summary['finding_outcomes'] ?? null) ? $summary['finding_outcomes'] : [];
-        $terminalOutcomes = app(FindingOutcomeSemantics::class)->compactOutcomeSummary($findingOutcomes);
-
-        if ($findingCount === 0) {
-            return __('localization.review.no_findings_recorded');
-        }
-
-        if ($terminalOutcomes === null) {
-            return __('localization.review.findings_count_summary', ['count' => $findingCount]);
-        }
-
-        return __('localization.review.findings_count_with_outcomes', [
-            'count' => $findingCount,
-            'outcomes' => $terminalOutcomes,
-        ]);
-    }
-
-    private function acceptedRiskSummary(Tenant $tenant): string
-    {
-        $review = $this->latestPublishedReview($tenant);
-
-        if (! $review instanceof TenantReview) {
-            return __('localization.review.no_published_review_available');
-        }
-
-        $summary = is_array($review->summary) ? $review->summary : [];
-        $riskAcceptance = is_array($summary['risk_acceptance'] ?? null) ? $summary['risk_acceptance'] : [];
-        $statusMarkedCount = (int) ($riskAcceptance['status_marked_count'] ?? 0);
-        $validGovernedCount = (int) ($riskAcceptance['valid_governed_count'] ?? 0);
-        $warningCount = (int) ($riskAcceptance['warning_count'] ?? 0);
-
-        $countSummary = match (true) {
-            $statusMarkedCount === 0 => __('localization.review.no_accepted_risks_recorded'),
-            $warningCount > 0 => __('localization.review.accepted_risks_need_follow_up', ['warnings' => $warningCount, 'total' => $statusMarkedCount]),
-            $validGovernedCount > 0 => __('localization.review.accepted_risks_governed', ['count' => $validGovernedCount]),
-            default => __('localization.review.accepted_risks_on_record', ['count' => $statusMarkedCount]),
-        };
-
-        $accountability = $this->acceptedRiskAccountability($tenant);
-
-        return $accountability === null
-            ? $countSummary
-            : $countSummary.' '.$accountability;
-    }
-
-    private function reviewPackAvailability(Tenant $tenant): string
-    {
-        if (! $this->latestPublishedReview($tenant) instanceof TenantReview) {
-            return __('localization.review.no_published_review_available');
-        }
-
-        $pack = $this->latestReviewPack($tenant);
-        $user = auth()->user();
-
-        if (! $pack instanceof ReviewPack) {
-            return __('localization.review.no_current_review_pack');
-        }
-
-        if (! $user instanceof User || ! $user->can(Capabilities::REVIEW_PACK_VIEW, $tenant)) {
-            return __('localization.review.review_pack_access_unavailable');
-        }
-
-        if ($pack->status !== ReviewPackStatus::Ready->value) {
-            return __('localization.review.review_pack_unavailable');
-        }
-
-        if ($pack->expires_at !== null && $pack->expires_at->isPast()) {
-            return __('localization.review.review_pack_expired');
-        }
-
-        return __('localization.review.review_pack_available');
-    }
-
-    private function evidenceProofAvailability(Tenant $tenant): string
-    {
-        $review = $this->latestPublishedReview($tenant);
-
-        if (! $review instanceof TenantReview) {
-            return __('localization.review.no_published_review_available');
-        }
-
-        $snapshot = $review->evidenceSnapshot;
-        $user = auth()->user();
-
-        if (! $snapshot instanceof EvidenceSnapshot) {
-            return __('localization.review.evidence_proof_absent');
-        }
-
-        if (! $user instanceof User || ! $user->can(Capabilities::EVIDENCE_VIEW, $tenant)) {
-            return __('localization.review.evidence_proof_access_unavailable');
-        }
-
-        if ((string) $snapshot->status === 'expired' || ($snapshot->expires_at !== null && $snapshot->expires_at->isPast())) {
-            return __('localization.review.evidence_proof_expired');
-        }
-
-        return __('localization.review.evidence_proof_available');
-    }
-
-    private function acceptedRiskAccountability(Tenant $tenant): ?string
-    {
-        $exception = FindingException::query()
-            ->with(['owner', 'approver', 'currentDecision'])
-            ->where('workspace_id', (int) $tenant->workspace_id)
-            ->where('tenant_id', (int) $tenant->getKey())
-            ->current()
-            ->orderByRaw("case when current_validity_state in ('valid', 'expiring') then 0 else 1 end")
-            ->latest('approved_at')
-            ->latest('requested_at')
-            ->latest('id')
-            ->first();
-
-        if (! $exception instanceof FindingException) {
-            return null;
-        }
-
-        $accountable = $exception->owner?->name
-            ?? $exception->approver?->name;
-        $decisionType = $exception->currentDecision?->decision_type;
-        $reviewDue = $exception->review_due_at ?? $exception->expires_at;
-        $reason = is_string($exception->request_reason) ? trim($exception->request_reason) : '';
-        $parts = [];
-
-        if (is_string($accountable) && trim($accountable) !== '') {
-            $parts[] = $reviewDue === null
-                ? __('localization.review.accepted_risk_accountable', ['name' => $accountable])
-                : __('localization.review.accepted_risk_accountable_until', [
-                    'name' => $accountable,
-                    'date' => $reviewDue->toDateString(),
-                ]);
-        } elseif (is_string($decisionType) && trim($decisionType) !== '') {
-            $parts[] = __('localization.review.accepted_risk_partial_accountability');
-        }
-
-        if ($reason !== '') {
-            $parts[] = __('localization.review.accepted_risk_reason', [
-                'reason' => Str::limit($reason, 160),
-            ]);
-        }
-
-        return $parts === [] ? null : implode(' ', $parts);
-    }
-
-    private function navigationContext(): ?CanonicalNavigationContext
-    {
-        return CanonicalNavigationContext::fromRequest(request());
-    }
-
-    private function incomingGovernanceContext(): ?CanonicalNavigationContext
-    {
-        $context = $this->navigationContext();
-
-        return $context?->sourceSurface === 'governance.inbox'
-            ? $context
-            : null;
-    }
-
-    /**
-     * @param  array<string, mixed>  $query
-     */
-    private function appendQuery(string $url, array $query): string
-    {
-        if ($query === []) {
-            return $url;
-        }
-
-        return $url.(str_contains($url, '?') ? '&' : '?').http_build_query($query);
-    }
-}

apps/platform/app/Filament/Pages/Reviews/ReviewRegister.php

@@ -9,7 +9,6 @@
 use App\Models\TenantReview;
 use App\Models\User;
 use App\Models\Workspace;
-use App\Services\ReviewPackService;
 use App\Services\TenantReviews\TenantReviewRegisterService;
 use App\Support\Auth\Capabilities;
 use App\Support\Badges\BadgeCatalog;
@@ -177,24 +176,6 @@ public function table(Table $table): Table
                     ->visible(fn (TenantReview $record): bool => auth()->user() instanceof User
                         && auth()->user()->can(Capabilities::TENANT_REVIEW_MANAGE, $record->tenant)
                         && in_array($record->status, ['ready', 'published'], true))
-                    ->disabled(fn (TenantReview $record): bool => (bool) (app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($record->tenant)['is_blocked'] ?? false))
-                    ->tooltip(function (TenantReview $record): ?string {
-                        $decision = app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($record->tenant);
-
-                        if ((bool) ($decision['is_blocked'] ?? false)) {
-                            $reason = $decision['block_reason'] ?? null;
-
-                            return is_string($reason) && $reason !== '' ? $reason : null;
-                        }
-
-                        if ((bool) ($decision['is_warning'] ?? false)) {
-                            $reason = $decision['warning_reason'] ?? null;
-
-                            return is_string($reason) && $reason !== '' ? $reason : null;
-                        }
-
-                        return null;
-                    })
                     ->action(fn (TenantReview $record): mixed => TenantReviewResource::executeExport($record)),
             ])
             ->bulkActions([])

apps/platform/app/Filament/Pages/Settings/WorkspaceSettings.php

@@ -7,12 +7,7 @@
 use App\Models\User;
 use App\Models\Workspace;
 use App\Models\WorkspaceSetting;
-use App\Support\Ai\AiPolicyMode;
-use App\Support\Ai\AiUseCaseCatalog;
 use App\Services\Auth\WorkspaceCapabilityResolver;
-use App\Services\Entitlements\WorkspaceEntitlementResolver;
-use App\Services\Entitlements\WorkspacePlanProfileCatalog;
-use App\Services\Localization\LocaleResolver;
 use App\Services\Settings\SettingsResolver;
 use App\Services\Settings\SettingsWriter;
 use App\Support\Auth\Capabilities;
@@ -25,9 +20,7 @@
 use BackedEnum;
 use Filament\Actions\Action;
 use Filament\Forms\Components\KeyValue;
-use Filament\Forms\Components\Placeholder;
 use Filament\Forms\Components\Select;
-use Filament\Forms\Components\Textarea;
 use Filament\Forms\Components\TextInput;
 use Filament\Notifications\Notification;
 use Filament\Pages\Page;
@@ -58,8 +51,6 @@ class WorkspaceSettings extends Page
      * @var array<string, array{domain: string, key: string, type: 'int'|'json'|'string'|'bool'}>
      */
     private const SETTING_FIELDS = [
-        'ai_policy_mode' => ['domain' => 'ai', 'key' => 'policy_mode', 'type' => 'string'],
-        'localization_default_locale' => ['domain' => 'localization', 'key' => 'default_locale', 'type' => 'string'],
         'backup_retention_keep_last_default' => ['domain' => 'backup', 'key' => 'retention_keep_last_default', 'type' => 'int'],
         'backup_retention_min_floor' => ['domain' => 'backup', 'key' => 'retention_min_floor', 'type' => 'int'],
         'drift_severity_mapping' => ['domain' => 'drift', 'key' => 'severity_mapping', 'type' => 'json'],
@@ -67,23 +58,10 @@ class WorkspaceSettings extends Page
         'baseline_alert_min_severity' => ['domain' => 'baseline', 'key' => 'alert_min_severity', 'type' => 'string'],
         'baseline_auto_close_enabled' => ['domain' => 'baseline', 'key' => 'auto_close_enabled', 'type' => 'bool'],
         'findings_sla_days' => ['domain' => 'findings', 'key' => 'sla_days', 'type' => 'json'],
-        'entitlements_plan_profile' => ['domain' => 'entitlements', 'key' => 'plan_profile', 'type' => 'string'],
-        'entitlements_managed_tenant_limit_override_value' => ['domain' => 'entitlements', 'key' => 'managed_tenant_limit_override_value', 'type' => 'int'],
-        'entitlements_managed_tenant_limit_override_reason' => ['domain' => 'entitlements', 'key' => 'managed_tenant_limit_override_reason', 'type' => 'string'],
-        'entitlements_review_pack_generation_override_value' => ['domain' => 'entitlements', 'key' => 'review_pack_generation_override_value', 'type' => 'bool'],
-        'entitlements_review_pack_generation_override_reason' => ['domain' => 'entitlements', 'key' => 'review_pack_generation_override_reason', 'type' => 'string'],
         'operations_operation_run_retention_days' => ['domain' => 'operations', 'key' => 'operation_run_retention_days', 'type' => 'int'],
         'operations_stuck_run_threshold_minutes' => ['domain' => 'operations', 'key' => 'stuck_run_threshold_minutes', 'type' => 'int'],
     ];
 
-    /**
-     * @var array<string, string>
-     */
-    private const ENTITLEMENT_OVERRIDE_REASON_FIELDS = [
-        'entitlements_managed_tenant_limit_override_value' => 'entitlements_managed_tenant_limit_override_reason',
-        'entitlements_review_pack_generation_override_value' => 'entitlements_review_pack_generation_override_reason',
-    ];
-
     /**
      * Fields rendered as Filament KeyValue components (array state, not JSON string).
      *
@@ -133,14 +111,6 @@ class WorkspaceSettings extends Page
      */
     public array $resolvedSettings = [];
 
-    /**
-     * @var array{
-     *     plan_profile?: array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool},
-     *     decisions?: array<string, array<string, mixed>>
-     * }
-     */
-    public array $entitlementSummary = [];
-
     /**
      * Per-domain "last modified" metadata: domain => {user_name, updated_at}.
      *
@@ -155,22 +125,17 @@ protected function getHeaderActions(): array
     {
         return [
             Action::make('save')
-                ->label(__('localization.workspace.save'))
+                ->label('Save')
                 ->action(function (): void {
                     $this->save();
                 })
                 ->disabled(fn (): bool => ! $this->currentUserCanManage())
                 ->tooltip(fn (): ?string => $this->currentUserCanManage()
                     ? null
-                    : __('localization.workspace.no_manage_permission')),
+                    : 'You do not have permission to manage workspace settings.'),
         ];
     }
 
-    public function getTitle(): string
-    {
-        return __('localization.workspace.title');
-    }
-
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
         return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
@@ -215,83 +180,6 @@ public function content(Schema $schema): Schema
         return $schema
             ->statePath('data')
             ->schema([
-                Section::make(__('localization.workspace.section'))
-                    ->description($this->sectionDescription('localization', __('localization.workspace.section_description')))
-                    ->schema([
-                        Select::make('localization_default_locale')
-                            ->label(__('localization.workspace.default_locale_label'))
-                            ->options(LocaleResolver::localeOptions())
-                            ->placeholder(__('localization.workspace.default_locale_placeholder'))
-                            ->native(false)
-                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
-                            ->helperText(fn (): string => $this->localeDefaultHelperText())
-                            ->hintAction($this->makeResetAction('localization_default_locale')),
-                    ]),
-                Section::make('Workspace entitlements')
-                    ->description($this->sectionDescription('entitlements', 'Select a plan profile and optional first-slice overrides for onboarding activation and review pack generation.'))
-                    ->columns(2)
-                    ->schema([
-                        Select::make('entitlements_plan_profile')
-                            ->label('Plan profile')
-                            ->options(app(WorkspacePlanProfileCatalog::class)->optionLabels())
-                            ->placeholder(sprintf('Use default profile (%s)', app(WorkspacePlanProfileCatalog::class)->default()['label']))
-                            ->native(false)
-                            ->columnSpanFull()
-                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
-                            ->helperText(fn (): string => $this->planProfileFieldHelperText()),
-                        TextInput::make('entitlements_managed_tenant_limit_override_value')
-                            ->label('Managed tenant activation limit override')
-                            ->placeholder('Unset (uses plan profile default)')
-                            ->suffix('tenants')
-                            ->hint('0 or greater')
-                            ->numeric()
-                            ->integer()
-                            ->minValue(0)
-                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
-                            ->helperText(fn (): string => $this->managedTenantLimitHelperText())
-                            ->hintAction($this->makeResetAction('entitlements_managed_tenant_limit_override_value')),
-                        Textarea::make('entitlements_managed_tenant_limit_override_reason')
-                            ->label('Managed tenant activation override reason')
-                            ->rows(3)
-                            ->maxLength(500)
-                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
-                            ->helperText(fn (): string => $this->managedTenantLimitReasonHelperText()),
-                        Select::make('entitlements_review_pack_generation_override_value')
-                            ->label('Review pack generation override')
-                            ->options(self::booleanOptions())
-                            ->placeholder('Unset (uses plan profile default)')
-                            ->native(false)
-                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
-                            ->helperText(fn (): string => $this->reviewPackGenerationHelperText())
-                            ->hintAction($this->makeResetAction('entitlements_review_pack_generation_override_value')),
-                        Textarea::make('entitlements_review_pack_generation_override_reason')
-                            ->label('Review pack generation override reason')
-                            ->rows(3)
-                            ->maxLength(500)
-                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
-                            ->helperText(fn (): string => $this->reviewPackGenerationReasonHelperText()),
-                    ]),
-                Section::make('Workspace AI policy')
-                    ->description($this->sectionDescription('ai', 'Control whether the workspace disables AI entirely or allows approved internal-only drafts on private-only infrastructure.'))
-                    ->schema([
-                        Select::make('ai_policy_mode')
-                            ->label('AI posture')
-                            ->options(AiPolicyMode::optionLabels())
-                            ->placeholder('Unset (uses default)')
-                            ->native(false)
-                            ->disabled(fn (): bool => ! $this->currentUserCanManage())
-                            ->helperText(fn (): string => $this->aiPolicyModeHelperText())
-                            ->hintAction($this->makeResetAction('ai_policy_mode')),
-                        Placeholder::make('ai_approved_use_cases')
-                            ->label('Approved use cases')
-                            ->content(fn (): string => $this->aiApprovedUseCasesText()),
-                        Placeholder::make('ai_allowed_provider_classes')
-                            ->label('Allowed provider classes')
-                            ->content(fn (): string => $this->aiAllowedProviderClassesText()),
-                        Placeholder::make('ai_blocked_data_classifications')
-                            ->label('Blocked data classifications')
-                            ->content(fn (): string => $this->aiBlockedDataClassificationsText()),
-                    ]),
                 Section::make('Backup settings')
                     ->description($this->sectionDescription('backup', 'Workspace defaults used when a schedule has no explicit value.'))
                     ->schema([
@@ -526,7 +414,7 @@ public function save(): void
         $this->loadFormState();
 
         Notification::make()
-            ->title($changedSettingsCount > 0 ? __('localization.notifications.workspace_settings_saved') : __('localization.notifications.workspace_settings_unchanged'))
+            ->title($changedSettingsCount > 0 ? 'Workspace settings saved' : 'No settings changes to save')
             ->success()
             ->send();
     }
@@ -545,7 +433,7 @@ public function resetSetting(string $field): void
 
         if ($this->workspaceOverrideForField($field) === null) {
             Notification::make()
-                ->title(__('localization.notifications.setting_already_default'))
+                ->title('Setting already uses default')
                 ->success()
                 ->send();
 
@@ -562,57 +450,7 @@ public function resetSetting(string $field): void
         $this->loadFormState();
 
         Notification::make()
-            ->title(__('localization.notifications.workspace_setting_reset'))
-            ->success()
-            ->send();
-    }
-
-    private function resetEntitlementOverridePair(string $field): void
-    {
-        $user = auth()->user();
-
-        if (! $user instanceof User) {
-            abort(403);
-        }
-
-        $this->authorizeWorkspaceManage($user);
-
-        if (! $this->hasEntitlementOverridePair($field)) {
-            Notification::make()
-                ->title('Entitlement already uses plan profile default')
-                ->success()
-                ->send();
-
-            return;
-        }
-
-        $writer = app(SettingsWriter::class);
-        $valueSetting = $this->settingForField($field);
-        $reasonField = self::ENTITLEMENT_OVERRIDE_REASON_FIELDS[$field];
-        $reasonSetting = $this->settingForField($reasonField);
-
-        if ($this->workspaceOverrideForField($field) !== null) {
-            $writer->resetWorkspaceSetting(
-                actor: $user,
-                workspace: $this->workspace,
-                domain: $valueSetting['domain'],
-                key: $valueSetting['key'],
-            );
-        }
-
-        if ($this->workspaceOverrideForField($reasonField) !== null) {
-            $writer->resetWorkspaceSetting(
-                actor: $user,
-                workspace: $this->workspace,
-                domain: $reasonSetting['domain'],
-                key: $reasonSetting['key'],
-            );
-        }
-
-        $this->loadFormState();
-
-        Notification::make()
-            ->title('Workspace entitlement override reset')
+            ->title('Workspace setting reset to default')
             ->success()
             ->send();
     }
@@ -652,7 +490,6 @@ private function loadFormState(): void
         $this->data = $data;
         $this->workspaceOverrides = $workspaceOverrides;
         $this->resolvedSettings = $resolvedSettings;
-        $this->entitlementSummary = app(WorkspaceEntitlementResolver::class)->summary($this->workspace);
 
         $this->loadDomainLastModified();
     }
@@ -711,240 +548,37 @@ private function sectionDescription(string $domain, string $baseDescription): st
         /** @var Carbon $updatedAt */
         $updatedAt = $meta['updated_at'];
 
-        return __('localization.workspace.last_modified_by', [
-            'description' => $baseDescription,
-            'user' => $meta['user_name'],
-            'time' => $updatedAt->diffForHumans(),
-        ]);
+        return sprintf(
+            '%s — Last modified by %s, %s.',
+            $baseDescription,
+            $meta['user_name'],
+            $updatedAt->diffForHumans(),
+        );
     }
 
     private function makeResetAction(string $field): Action
     {
         return Action::make('reset_'.$field)
-            ->label(__('localization.workspace.reset'))
+            ->label('Reset')
             ->color('danger')
             ->requiresConfirmation()
             ->action(function () use ($field): void {
-                if ($this->isEntitlementOverrideValueField($field)) {
-                    $this->resetEntitlementOverridePair($field);
-
-                    return;
-                }
-
                 $this->resetSetting($field);
             })
-            ->disabled(fn (): bool => ! $this->currentUserCanManage() || ! $this->canResetField($field))
+            ->disabled(fn (): bool => ! $this->currentUserCanManage() || ! $this->hasWorkspaceOverride($field))
             ->tooltip(function () use ($field): ?string {
                 if (! $this->currentUserCanManage()) {
-                    return __('localization.workspace.no_manage_permission');
+                    return 'You do not have permission to manage workspace settings.';
                 }
 
-                if (! $this->canResetField($field)) {
-                    if ($this->isEntitlementOverrideValueField($field)) {
-                        return __('localization.workspace.no_workspace_override');
-                    }
-
-                    return __('localization.workspace.no_workspace_override');
+                if (! $this->hasWorkspaceOverride($field)) {
+                    return 'No workspace override to reset.';
                 }
 
                 return null;
             });
     }
 
-    private function canResetField(string $field): bool
-    {
-        if ($this->isEntitlementOverrideValueField($field)) {
-            return $this->hasEntitlementOverridePair($field);
-        }
-
-        return $this->hasWorkspaceOverride($field);
-    }
-
-    private function isEntitlementOverrideValueField(string $field): bool
-    {
-        return array_key_exists($field, self::ENTITLEMENT_OVERRIDE_REASON_FIELDS);
-    }
-
-    private function hasEntitlementOverridePair(string $field): bool
-    {
-        if (! $this->isEntitlementOverrideValueField($field)) {
-            return false;
-        }
-
-        $reasonField = self::ENTITLEMENT_OVERRIDE_REASON_FIELDS[$field];
-
-        return $this->workspaceOverrideForField($field) !== null
-            || $this->workspaceOverrideForField($reasonField) !== null;
-    }
-
-    private function planProfileFieldHelperText(): string
-    {
-        $profile = $this->resolvedPlanProfile();
-        $selectedProfile = $this->workspaceOverrideForField('entitlements_plan_profile');
-
-        if (! is_string($selectedProfile) || $selectedProfile === '') {
-            return sprintf('Default profile: %s. %s', $profile['label'], $profile['description']);
-        }
-
-        return sprintf('Effective profile: %s. %s', $profile['label'], $profile['description']);
-    }
-
-    private function managedTenantLimitHelperText(): string
-    {
-        $decision = $this->entitlementDecision(WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT);
-        $effectiveValue = (int) ($decision['effective_value'] ?? 0);
-        $currentUsage = (int) ($decision['current_usage'] ?? 0);
-        $remainingCapacity = (int) ($decision['remaining_capacity'] ?? 0);
-
-        $capacityText = $remainingCapacity < 0
-            ? sprintf('Over limit by %d.', abs($remainingCapacity))
-            : sprintf('%d remaining.', $remainingCapacity);
-
-        return sprintf(
-            'Effective limit: %d active managed tenants. Current usage: %d. %s Source: %s.',
-            $effectiveValue,
-            $currentUsage,
-            $capacityText,
-            $this->entitlementSourceLabel($decision),
-        );
-    }
-
-    private function managedTenantLimitReasonHelperText(): string
-    {
-        return $this->entitlementReasonHelperText(
-            valueField: 'entitlements_managed_tenant_limit_override_value',
-            key: WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT,
-        );
-    }
-
-    private function reviewPackGenerationHelperText(): string
-    {
-        $decision = $this->entitlementDecision(WorkspaceEntitlementResolver::KEY_REVIEW_PACK_GENERATION_ENABLED);
-
-        return sprintf(
-            'Effective state: %s. Source: %s.',
-            (bool) ($decision['effective_value'] ?? false) ? 'enabled' : 'disabled',
-            $this->entitlementSourceLabel($decision),
-        );
-    }
-
-    private function reviewPackGenerationReasonHelperText(): string
-    {
-        return $this->entitlementReasonHelperText(
-            valueField: 'entitlements_review_pack_generation_override_value',
-            key: WorkspaceEntitlementResolver::KEY_REVIEW_PACK_GENERATION_ENABLED,
-        );
-    }
-
-    private function aiPolicyModeHelperText(): string
-    {
-        $resolved = $this->resolvedSettings['ai_policy_mode'] ?? null;
-
-        if (! is_array($resolved)) {
-            return '';
-        }
-
-        $mode = AiPolicyMode::tryFrom((string) ($resolved['value'] ?? AiPolicyMode::Disabled->value))
-            ?? AiPolicyMode::Disabled;
-
-        $prefix = ! $this->hasWorkspaceOverride('ai_policy_mode')
-            ? sprintf('Effective posture: %s. Source: %s.', $mode->label(), $this->sourceLabel((string) ($resolved['source'] ?? 'system_default')))
-            : sprintf('Effective posture: %s.', $mode->label());
-
-        return sprintf('%s %s', $prefix, $mode->summary());
-    }
-
-    private function aiApprovedUseCasesText(): string
-    {
-        return implode('; ', app(AiUseCaseCatalog::class)->labels()).'.';
-    }
-
-    private function aiAllowedProviderClassesText(): string
-    {
-        $labels = app(AiUseCaseCatalog::class)->allowedProviderClassLabelsForMode($this->effectiveAiPolicyMode());
-
-        if ($labels === []) {
-            return 'No provider classes are allowed while AI is disabled.';
-        }
-
-        return implode(', ', $labels).'.';
-    }
-
-    private function aiBlockedDataClassificationsText(): string
-    {
-        return implode(', ', app(AiUseCaseCatalog::class)->blockedDataClassificationLabels()).'.';
-    }
-
-    private function effectiveAiPolicyMode(): AiPolicyMode
-    {
-        $resolved = $this->resolvedSettings['ai_policy_mode'] ?? null;
-
-        if (! is_array($resolved)) {
-            return AiPolicyMode::Disabled;
-        }
-
-        return AiPolicyMode::tryFrom((string) ($resolved['value'] ?? AiPolicyMode::Disabled->value))
-            ?? AiPolicyMode::Disabled;
-    }
-
-    private function entitlementReasonHelperText(string $valueField, string $key): string
-    {
-        $decision = $this->entitlementDecision($key);
-        $rationale = is_string($decision['rationale'] ?? null) ? $decision['rationale'] : null;
-
-        if ($this->workspaceOverrideForField($valueField) === null) {
-            return 'Required when an explicit override value is set.';
-        }
-
-        if ($rationale === null || $rationale === '') {
-            return 'Required when an explicit override value is set.';
-        }
-
-        return sprintf('Current rationale: %s', $rationale);
-    }
-
-    /**
-     * @return array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}
-     */
-    private function resolvedPlanProfile(): array
-    {
-        $profile = $this->entitlementSummary['plan_profile'] ?? null;
-
-        if (is_array($profile)) {
-            return $profile;
-        }
-
-        return app(WorkspacePlanProfileCatalog::class)->default();
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    private function entitlementDecision(string $key): array
-    {
-        $decision = $this->entitlementSummary['decisions'][$key] ?? null;
-
-        return is_array($decision) ? $decision : [];
-    }
-
-    /**
-     * @param  array<string, mixed>  $decision
-     */
-    private function entitlementSourceLabel(array $decision): string
-    {
-        if (($decision['source'] ?? null) === 'workspace_override') {
-            return 'workspace override';
-        }
-
-        $planProfileLabel = $decision['plan_profile_label'] ?? null;
-
-        if (is_string($planProfileLabel) && $planProfileLabel !== '') {
-            return sprintf('%s plan profile', $planProfileLabel);
-        }
-
-        return 'plan profile default';
-    }
-
     private function helperTextFor(string $field): string
     {
         $resolved = $this->resolvedSettings[$field] ?? null;
@@ -966,29 +600,6 @@ private function helperTextFor(string $field): string
         return sprintf('Effective value: %s.', $effectiveValue);
     }
 
-    private function localeDefaultHelperText(): string
-    {
-        $resolved = $this->resolvedSettings['localization_default_locale'] ?? null;
-
-        if (! is_array($resolved)) {
-            return '';
-        }
-
-        $effectiveLocale = LocaleResolver::normalize($resolved['value'] ?? null) ?? 'en';
-        $localeLabel = LocaleResolver::localeOptions()[$effectiveLocale] ?? strtoupper($effectiveLocale);
-
-        if (! $this->hasWorkspaceOverride('localization_default_locale')) {
-            return __('localization.workspace.default_locale_helper_unset', [
-                'locale' => $localeLabel,
-                'source' => $this->sourceLabel((string) ($resolved['source'] ?? 'system_default')),
-            ]);
-        }
-
-        return __('localization.workspace.default_locale_helper_set', [
-            'locale' => $localeLabel,
-        ]);
-    }
-
     private function slaFieldHelperText(string $severity): string
     {
         $resolved = $this->resolvedSettings['findings_sla_days'] ?? null;
@@ -1110,27 +721,6 @@ private function normalizedInputValues(): array
             }
         }
 
-        foreach (self::ENTITLEMENT_OVERRIDE_REASON_FIELDS as $valueField => $reasonField) {
-            if (($normalizedValues[$valueField] ?? null) === null) {
-                $normalizedValues[$reasonField] = null;
-
-                continue;
-            }
-
-            if (($normalizedValues[$reasonField] ?? null) !== null) {
-                continue;
-            }
-
-            $message = match ($valueField) {
-                'entitlements_managed_tenant_limit_override_value' => 'Override reason is required when a managed tenant activation limit override is set.',
-                'entitlements_review_pack_generation_override_value' => 'Override reason is required when a review pack generation override is set.',
-                default => 'Override reason is required when an explicit override is set.',
-            };
-
-            $validationErrors['data.'.$reasonField] ??= [];
-            $validationErrors['data.'.$reasonField][] = $message;
-        }
-
         return [$normalizedValues, $validationErrors];
     }
 
@@ -1394,9 +984,9 @@ private function formatValueForDisplay(string $field, mixed $value): string
     private function sourceLabel(string $source): string
     {
         return match ($source) {
-            'workspace_override' => __('localization.source.workspace_override'),
+            'workspace_override' => 'workspace override',
             'tenant_override' => 'tenant override',
-            default => __('localization.source.system_default'),
+            default => 'system default',
         };
     }
 

apps/platform/app/Filament/Pages/TenantDashboard.php

@@ -11,7 +11,6 @@
 use App\Filament\Widgets\Dashboard\RecentDriftFindings;
 use App\Filament\Widgets\Dashboard\RecentOperations;
 use App\Filament\Widgets\Dashboard\RecoveryReadiness;
-use App\Models\SupportRequest;
 use App\Models\Tenant;
 use App\Models\User;
 use App\Services\Audit\WorkspaceAuditLogger;
@@ -21,17 +20,9 @@
 use App\Support\ProductTelemetry\ProductUsageEventCatalog;
 use App\Support\Rbac\UiEnforcement;
 use App\Support\SupportDiagnostics\SupportDiagnosticBundleBuilder;
-use App\Support\SupportRequests\ExternalSupportDeskHandoffService;
-use App\Support\SupportRequests\SupportRequestSubmissionService;
 use Filament\Actions\Action;
 use Filament\Facades\Filament;
-use Filament\Forms\Components\Placeholder;
-use Filament\Forms\Components\Select;
-use Filament\Forms\Components\TextInput;
-use Filament\Forms\Components\Textarea;
-use Filament\Notifications\Notification;
 use Filament\Pages\Dashboard;
-use Filament\Schemas\Components\Utilities\Get;
 use Filament\Widgets\Widget;
 use Filament\Widgets\WidgetConfiguration;
 use Illuminate\Contracts\View\View;
@@ -44,11 +35,6 @@ class TenantDashboard extends Dashboard
      */
     public array $supportDiagnosticsAuditKeys = [];
 
-    public function getTitle(): string
-    {
-        return __('localization.dashboard.tenant_title');
-    }
-
     /**
      * @param  array<mixed>  $parameters
      */
@@ -84,128 +70,23 @@ public function getColumns(): int|array
     protected function getHeaderActions(): array
     {
         return [
-            $this->requestSupportAction(),
             $this->openSupportDiagnosticsAction(),
         ];
     }
 
-    public function authorizeTenantSupportRequest(): void
-    {
-        $this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_REQUESTS_CREATE);
-    }
-
-    private function requestSupportAction(): Action
-    {
-        $action = Action::make('requestSupport')
-            ->label(__('localization.dashboard.request_support'))
-            ->icon('heroicon-o-paper-airplane')
-            ->color('gray')
-            ->slideOver()
-            ->stickyModalHeader()
-            ->modalHeading(__('localization.dashboard.support_request_heading'))
-            ->modalDescription(__('localization.dashboard.support_request_description'))
-            ->modalSubmitActionLabel(__('localization.dashboard.submit_request'))
-            ->form([
-                Placeholder::make('included_context')
-                    ->label(__('localization.dashboard.included_context'))
-                    ->content(fn (): string => $this->tenantSupportRequestAttachmentSummary())
-                    ->columnSpanFull(),
-                Placeholder::make('latest_external_handoff')
-                    ->label(__('localization.dashboard.latest_external_handoff'))
-                    ->content(fn (): string => $this->tenantLatestSupportRequestHandoffSummary())
-                    ->columnSpanFull(),
-                Select::make('external_handoff_mode')
-                    ->label(__('localization.dashboard.external_handoff_mode'))
-                    ->options(fn (): array => $this->supportHandoffModeOptions())
-                    ->default(SupportRequest::EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY)
-                    ->helperText(fn (): string => $this->supportDeskTargetAvailable()
-                        ? __('localization.dashboard.external_handoff_mode_helper_available')
-                        : __('localization.dashboard.external_handoff_mode_helper_unavailable'))
-                    ->required()
-                    ->live()
-                    ->native(false),
-                Placeholder::make('handoff_mutation_scope')
-                    ->label(__('localization.dashboard.handoff_mutation_scope'))
-                    ->content(fn (Get $get): string => $this->externalHandoffMutationScope($get('external_handoff_mode')))
-                    ->columnSpanFull(),
-                TextInput::make('external_ticket_reference')
-                    ->label(__('localization.dashboard.external_ticket_reference'))
-                    ->helperText(__('localization.dashboard.external_ticket_reference_helper'))
-                    ->required(fn (Get $get): bool => $get('external_handoff_mode') === SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET)
-                    ->visible(fn (Get $get): bool => $this->supportDeskTargetAvailable()
-                        && $get('external_handoff_mode') === SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET),
-                TextInput::make('external_ticket_url')
-                    ->label(__('localization.dashboard.external_ticket_url'))
-                    ->helperText(__('localization.dashboard.external_ticket_url_helper'))
-                    ->url()
-                    ->visible(fn (Get $get): bool => $this->supportDeskTargetAvailable()
-                        && $get('external_handoff_mode') === SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET)
-                    ->columnSpanFull(),
-                Select::make('severity')
-                    ->label(__('localization.dashboard.severity'))
-                    ->options(SupportRequest::severityOptions())
-                    ->default(SupportRequest::SEVERITY_NORMAL)
-                    ->required()
-                    ->native(false),
-                TextInput::make('summary')
-                    ->label(__('localization.dashboard.summary'))
-                    ->required()
-                    ->columnSpanFull(),
-                Textarea::make('reproduction_notes')
-                    ->label(__('localization.dashboard.reproduction_notes'))
-                    ->rows(4)
-                    ->columnSpanFull(),
-                TextInput::make('contact_name')
-                    ->label(__('localization.dashboard.contact_name'))
-                    ->default(fn (): ?string => $this->resolveDashboardActor()->name),
-                TextInput::make('contact_email')
-                    ->label(__('localization.dashboard.contact_email'))
-                    ->email()
-                    ->default(fn (): ?string => $this->resolveDashboardActor()->email),
-            ])
-            ->action(function (array $data): void {
-                $actor = $this->resolveDashboardActor();
-                $tenant = $this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_REQUESTS_CREATE);
-
-                $supportRequest = app(SupportRequestSubmissionService::class)->submitForTenant($tenant, $actor, $data);
-
-                Notification::make()
-                    ->title(__('localization.dashboard.support_request_submitted'))
-                    ->body($this->supportRequestNotificationBody($supportRequest))
-                    ->when(
-                        $supportRequest->hasExternalHandoffFailure(),
-                        fn (Notification $notification): Notification => $notification->warning(),
-                        fn (Notification $notification): Notification => $notification->success(),
-                    )
-                    ->when(
-                        $supportRequest->external_ticket_url !== null,
-                        fn (Notification $notification): Notification => $notification->actions([
-                            Action::make('openExternalTicket')
-                                ->label(__('localization.dashboard.open_external_ticket'))
-                                ->url((string) $supportRequest->external_ticket_url, shouldOpenInNewTab: true),
-                        ]),
-                    )
-                    ->send();
-            });
-
-        return UiEnforcement::forAction($action)
-            ->requireCapability(Capabilities::SUPPORT_REQUESTS_CREATE)
-            ->apply();
-    }
-
     private function openSupportDiagnosticsAction(): Action
     {
         $action = Action::make('openSupportDiagnostics')
-            ->label(__('localization.dashboard.open_support_diagnostics'))
+            ->label('Open support diagnostics')
             ->icon('heroicon-o-lifebuoy')
             ->color('gray')
             ->modal()
             ->slideOver()
             ->stickyModalHeader()
-            ->modalHeading(__('localization.dashboard.support_diagnostics'))
-            ->modalDescription(__('localization.dashboard.support_diagnostics_description'))
+            ->modalHeading('Support diagnostics')
+            ->modalDescription('Redacted tenant context from existing records.')
             ->modalSubmitAction(false)
-            ->modalCancelAction(fn (Action $action): Action => $action->label(__('localization.dashboard.close')))
+            ->modalCancelAction(fn (Action $action): Action => $action->label('Close'))
             ->mountUsing(function (): void {
                 $this->auditTenantSupportDiagnosticsOpen();
             })
@@ -223,16 +104,34 @@ private function openSupportDiagnosticsAction(): Action
      */
     public function tenantSupportDiagnosticBundle(): array
     {
-        $user = $this->resolveDashboardActor();
-        $tenant = $this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
+        $user = auth()->user();
+        $tenant = Filament::getTenant();
+
+        if (! $user instanceof User || ! $tenant instanceof Tenant) {
+            abort(404);
+        }
+
+        $resolver = app(CapabilityResolver::class);
+
+        if (! $resolver->isMember($user, $tenant)) {
+            abort(404);
+        }
+
+        if (! $resolver->can($user, $tenant, Capabilities::SUPPORT_DIAGNOSTICS_VIEW)) {
+            abort(403);
+        }
 
         return app(SupportDiagnosticBundleBuilder::class)->forTenant($tenant, $user);
     }
 
     private function auditTenantSupportDiagnosticsOpen(): void
     {
-        $user = $this->resolveDashboardActor();
-        $tenant = $this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
+        $user = auth()->user();
+        $tenant = Filament::getTenant();
+
+        if (! $user instanceof User || ! $tenant instanceof Tenant) {
+            abort(404);
+        }
 
         $this->recordSupportDiagnosticsOpened(
             tenant: $tenant,
@@ -273,150 +172,4 @@ private function recordSupportDiagnosticsOpened(Tenant $tenant, array $bundle, U
 
         $this->supportDiagnosticsAuditKeys[] = $auditKey;
     }
-
-    private function resolveDashboardActor(): User
-    {
-        $user = auth()->user();
-
-        if (! $user instanceof User) {
-            abort(404);
-        }
-
-        return $user;
-    }
-
-    private function resolveCurrentTenantForCapability(string $capability): Tenant
-    {
-        $user = $this->resolveDashboardActor();
-        $tenant = Filament::getTenant();
-
-        if (! $tenant instanceof Tenant) {
-            abort(404);
-        }
-
-        $resolver = app(CapabilityResolver::class);
-
-        if (! $resolver->isMember($user, $tenant)) {
-            abort(404);
-        }
-
-        if (! $resolver->can($user, $tenant, $capability)) {
-            abort(403);
-        }
-
-        return $tenant;
-    }
-
-    private function tenantSupportRequestAttachmentSummary(): string
-    {
-        $tenant = Filament::getTenant();
-        $user = auth()->user();
-
-        if (! $tenant instanceof Tenant || ! $user instanceof User) {
-            return 'Only canonical redacted tenant context will be attached.';
-        }
-
-        $resolver = app(CapabilityResolver::class);
-
-        if (! $resolver->isMember($user, $tenant)) {
-            return 'Only canonical redacted tenant context will be attached.';
-        }
-
-        return $resolver->can($user, $tenant, Capabilities::SUPPORT_DIAGNOSTICS_VIEW)
-            ? 'A redacted diagnostic snapshot and the canonical tenant context will be attached.'
-            : 'Only the canonical redacted tenant context will be attached because you cannot view support diagnostics.';
-    }
-
-    private function tenantLatestSupportRequestHandoffSummary(): string
-    {
-        $tenant = $this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_REQUESTS_CREATE);
-        $user = $this->resolveDashboardActor();
-
-        $summary = app(SupportRequestSubmissionService::class)->latestTenantHandoffSummary($tenant, $user);
-
-        return $this->formatLatestHandoffSummary($summary);
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    private function supportHandoffModeOptions(): array
-    {
-        if (! $this->supportDeskTargetAvailable()) {
-            return [
-                SupportRequest::EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY => __('localization.dashboard.handoff_mode_internal_only'),
-            ];
-        }
-
-        return [
-            SupportRequest::EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY => __('localization.dashboard.handoff_mode_internal_only'),
-            SupportRequest::EXTERNAL_HANDOFF_MODE_CREATE_EXTERNAL_TICKET => __('localization.dashboard.handoff_mode_create_external_ticket'),
-            SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET => __('localization.dashboard.handoff_mode_link_existing_ticket'),
-        ];
-    }
-
-    private function supportDeskTargetAvailable(): bool
-    {
-        return app(ExternalSupportDeskHandoffService::class)->targetIsConfigured();
-    }
-
-    private function externalHandoffMutationScope(mixed $mode): string
-    {
-        return match ($mode) {
-            SupportRequest::EXTERNAL_HANDOFF_MODE_CREATE_EXTERNAL_TICKET => __('localization.dashboard.mutation_scope_external_create'),
-            SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET => __('localization.dashboard.mutation_scope_external_link'),
-            default => __('localization.dashboard.mutation_scope_internal_only'),
-        };
-    }
-
-    /**
-     * @param  array<string, mixed>|null  $summary
-     */
-    private function formatLatestHandoffSummary(?array $summary): string
-    {
-        if ($summary === null) {
-            return __('localization.dashboard.latest_external_handoff_none');
-        }
-
-        $internalReference = (string) $summary['internal_reference'];
-
-        if (($summary['has_failure'] ?? false) === true) {
-            return __('localization.dashboard.latest_external_handoff_failed', [
-                'reference' => $internalReference,
-                'failure' => (string) $summary['external_handoff_failure_summary'],
-            ]);
-        }
-
-        if (($summary['has_external_link'] ?? false) === true) {
-            return __('localization.dashboard.latest_external_handoff_linked', [
-                'reference' => $internalReference,
-                'external' => (string) $summary['external_ticket_reference'],
-            ]);
-        }
-
-        return __('localization.dashboard.latest_external_handoff_internal_only', [
-            'reference' => $internalReference,
-        ]);
-    }
-
-    private function supportRequestNotificationBody(SupportRequest $supportRequest): string
-    {
-        return match ($supportRequest->externalHandoffOutcome()) {
-            SupportRequest::HANDOFF_OUTCOME_EXTERNAL_TICKET_CREATED => __('localization.dashboard.support_request_submitted_created', [
-                'reference' => $supportRequest->internal_reference,
-                'external' => $supportRequest->external_ticket_reference,
-            ]),
-            SupportRequest::HANDOFF_OUTCOME_EXTERNAL_TICKET_LINKED => __('localization.dashboard.support_request_submitted_linked', [
-                'reference' => $supportRequest->internal_reference,
-                'external' => $supportRequest->external_ticket_reference,
-            ]),
-            SupportRequest::HANDOFF_OUTCOME_EXTERNAL_HANDOFF_FAILED => __('localization.dashboard.support_request_submitted_failed', [
-                'reference' => $supportRequest->internal_reference,
-                'failure' => $supportRequest->external_handoff_failure_summary,
-            ]),
-            default => __('localization.dashboard.support_request_submitted_internal_only', [
-                'reference' => $supportRequest->internal_reference,
-            ]),
-        };
-    }
 }

apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php

@@ -30,8 +30,6 @@
 use App\Services\Onboarding\OnboardingDraftResolver;
 use App\Services\Onboarding\OnboardingDraftStageResolver;
 use App\Services\Onboarding\OnboardingLifecycleService;
-use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
-use App\Services\Entitlements\WorkspaceEntitlementResolver;
 use App\Services\OperationRunService;
 use App\Services\Providers\ProviderConnectionMutationService;
 use App\Services\Providers\ProviderOperationRegistry;
@@ -664,16 +662,7 @@ public function content(Schema $schema): Schema
                                             Text::make(fn (): string => $this->completionSummaryBootstrapSummary())
                                                 ->badge()
                                                 ->color(fn (): string => $this->completionSummaryBootstrapColor()),
-                                            Text::make('Activation entitlement')
-                                                ->color('gray'),
-                                            Text::make(fn (): string => $this->completionSummaryEntitlementSummary())
-                                                ->badge()
-                                                ->color(fn (): string => $this->completionSummaryEntitlementColor()),
                                         ]),
-                                    Callout::make('Activation entitlement')
-                                        ->description(fn (): string => $this->completionSummaryEntitlementDetail())
-                                        ->warning()
-                                        ->visible(fn (): bool => $this->completionSummaryEntitlementBlocked()),
                                     Callout::make('Bootstrap needs attention')
                                         ->description(fn (): string => $this->completionSummaryBootstrapRecoveryMessage())
                                         ->warning()
@@ -711,7 +700,9 @@ public function content(Schema $schema): Schema
                                             ->modalSubmitActionLabel('Yes, complete onboarding')
                                             ->disabled(fn (): bool => ! $this->canCompleteOnboarding()
                                                 || ! $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_ACTIVATE))
-                                            ->tooltip(fn (): ?string => $this->completionActionTooltip())
+                                            ->tooltip(fn (): ?string => $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_ACTIVATE)
+                                                ? null
+                                                : 'Owner required to complete onboarding.')
                                             ->action(fn () => $this->completeOnboarding()),
                                     ]),
                                 ]),
@@ -4507,10 +4498,6 @@ private function canCompleteOnboarding(): bool
             return false;
         }
 
-        if ($this->completionSummaryEntitlementBlocked()) {
-            return false;
-        }
-
         $user = $this->currentUser();
 
         if (! app(TenantOperabilityService::class)->outcomeFor(
@@ -4543,116 +4530,6 @@ private function canCompleteOnboarding(): bool
         return trim((string) ($this->data['override_reason'] ?? '')) !== '';
     }
 
-    /**
-     * @return array<string, mixed>
-     */
-    private function completionSummaryEntitlementDecision(): array
-    {
-        if (! isset($this->workspace) || ! $this->workspace instanceof Workspace) {
-            return [];
-        }
-
-        return app(WorkspaceCommercialLifecycleResolver::class)->actionDecision(
-            $this->workspace,
-            WorkspaceCommercialLifecycleResolver::ACTION_MANAGED_TENANT_ACTIVATION,
-        );
-    }
-
-    private function completionSummaryEntitlementBlocked(): bool
-    {
-        return ($this->completionSummaryEntitlementDecision()['outcome'] ?? null) === WorkspaceCommercialLifecycleResolver::OUTCOME_BLOCK;
-    }
-
-    private function completionSummaryEntitlementSummary(): string
-    {
-        $decision = $this->completionSummaryEntitlementDecision();
-        $entitlementDecision = is_array($decision['entitlement_decision'] ?? null) ? $decision['entitlement_decision'] : [];
-        $currentUsage = (int) ($entitlementDecision['current_usage'] ?? 0);
-        $effectiveValue = (int) ($entitlementDecision['effective_value'] ?? 0);
-        $sourceLabel = $this->completionSummaryEntitlementSourceLabel($entitlementDecision);
-        $stateLabel = is_string($decision['state_label'] ?? null) ? $decision['state_label'] : 'Active paid';
-
-        return sprintf(
-            '%s - %s - %d active of %d allowed (%s)',
-            $this->completionSummaryEntitlementBlocked() ? 'Blocked' : 'Allowed',
-            $stateLabel,
-            $currentUsage,
-            $effectiveValue,
-            $sourceLabel,
-        );
-    }
-
-    private function completionSummaryEntitlementDetail(): string
-    {
-        $decision = $this->completionSummaryEntitlementDecision();
-        $entitlementDecision = is_array($decision['entitlement_decision'] ?? null) ? $decision['entitlement_decision'] : [];
-        $currentUsage = (int) ($entitlementDecision['current_usage'] ?? 0);
-        $effectiveValue = (int) ($entitlementDecision['effective_value'] ?? 0);
-        $remainingCapacity = (int) ($entitlementDecision['remaining_capacity'] ?? 0);
-        $sourceLabel = $this->completionSummaryEntitlementSourceLabel($entitlementDecision);
-        $rationale = is_string($decision['rationale'] ?? null) ? $decision['rationale'] : null;
-        $message = sprintf(
-            '%s Current usage is %d active managed tenant%s out of %d allowed. Source: %s.',
-            (string) ($decision['message'] ?? 'Managed-tenant activation is available for this workspace commercial state.'),
-            $currentUsage,
-            $currentUsage === 1 ? '' : 's',
-            $effectiveValue,
-            $sourceLabel,
-        );
-
-        if ($remainingCapacity >= 0) {
-            $message .= sprintf(' Remaining capacity: %d.', $remainingCapacity);
-        }
-
-        if ($this->completionSummaryEntitlementBlocked()) {
-            $blockReason = is_string($decision['block_reason'] ?? null) ? $decision['block_reason'] : null;
-
-            if ($blockReason !== null && $blockReason !== '') {
-                $message = $blockReason;
-            }
-        }
-
-        if ($rationale !== null && $rationale !== '' && ($decision['source'] ?? null) === WorkspaceCommercialLifecycleResolver::SOURCE_WORKSPACE_SETTING) {
-            $message .= ' Rationale: '.$rationale;
-        }
-
-        return $message;
-    }
-
-    private function completionSummaryEntitlementColor(): string
-    {
-        return $this->completionSummaryEntitlementBlocked() ? 'warning' : 'success';
-    }
-
-    /**
-     * @param  array<string, mixed>  $decision
-     */
-    private function completionSummaryEntitlementSourceLabel(array $decision): string
-    {
-        if (($decision['source'] ?? null) === 'workspace_override') {
-            return 'workspace override';
-        }
-
-        $label = $decision['plan_profile_label'] ?? null;
-
-        return is_string($label) && $label !== ''
-            ? sprintf('%s plan profile', $label)
-            : 'plan profile default';
-    }
-
-    private function completionActionTooltip(): ?string
-    {
-        if (! $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_ACTIVATE)) {
-            return 'Owner required to complete onboarding.';
-        }
-
-        if ($this->completionSummaryEntitlementBlocked()) {
-            return $this->completionSummaryEntitlementDetail();
-        }
-
-        return null;
-    }
-
     private function completionSummaryTenantLine(): string
     {
         $tenant = $this->currentManagedTenantRecord();
@@ -4986,16 +4863,6 @@ public function completeOnboarding(): void
             return;
         }
 
-        if ($this->completionSummaryEntitlementBlocked()) {
-            Notification::make()
-                ->title('Activation unavailable')
-                ->body($this->completionSummaryEntitlementDetail())
-                ->warning()
-                ->send();
-
-            return;
-        }
-
         $run = $this->verificationRun();
         $verificationSucceeded = $this->verificationHasSucceeded();
         $verificationCanProceed = $this->verificationCanProceed();

apps/platform/app/Filament/Resources/EvidenceSnapshotResource.php

@@ -6,7 +6,6 @@
 
 use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
 use App\Filament\Concerns\ResolvesPanelTenantContext;
-use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
 use App\Filament\Resources\EvidenceSnapshotResource\Pages;
 use App\Filament\Resources\ReviewPackResource;
 use App\Models\EvidenceSnapshot;
@@ -174,12 +173,9 @@ public static function infolist(Schema $schema): Schema
                         ->label('Operation')
                         ->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
                         ->url(fn (EvidenceSnapshot $record): ?string => $record->operation_run_id ? OperationRunLinks::tenantlessView((int) $record->operation_run_id) : null)
-                        ->openUrlInNewTab()
-                        ->hidden(fn (): bool => static::isCustomerWorkspaceFlow()),
-                    TextEntry::make('fingerprint')->copyable()->placeholder('—')->columnSpanFull()->fontFamily('mono')
-                        ->hidden(fn (): bool => static::isCustomerWorkspaceFlow()),
-                    TextEntry::make('previous_fingerprint')->copyable()->placeholder('—')->columnSpanFull()->fontFamily('mono')
-                        ->hidden(fn (): bool => static::isCustomerWorkspaceFlow()),
+                        ->openUrlInNewTab(),
+                    TextEntry::make('fingerprint')->copyable()->placeholder('—')->columnSpanFull()->fontFamily('mono'),
+                    TextEntry::make('previous_fingerprint')->copyable()->placeholder('—')->columnSpanFull()->fontFamily('mono'),
                 ])
                 ->columns(2),
             Section::make('Summary')
@@ -225,7 +221,6 @@ public static function infolist(Schema $schema): Schema
                                 ->label('Raw summary JSON')
                                 ->view('filament.infolists.entries.snapshot-json')
                                 ->state(fn (EvidenceSnapshotItem $record): array => is_array($record->summary_payload) ? $record->summary_payload : [])
-                                ->hidden(fn (): bool => static::isCustomerWorkspaceFlow())
                                 ->columnSpanFull(),
                         ])
                         ->columns(4),
@@ -240,7 +235,7 @@ public static function relatedContextEntries(EvidenceSnapshot $record): array
     {
         $entries = [];
 
-        if (! static::isCustomerWorkspaceFlow() && is_numeric($record->operation_run_id)) {
+        if (is_numeric($record->operation_run_id)) {
             $entries[] = RelatedContextEntry::available(
                 key: 'operation_run',
                 label: 'Operation',
@@ -259,20 +254,12 @@ public static function relatedContextEntries(EvidenceSnapshot $record): array
             ->first();
 
         if ($pack instanceof \App\Models\ReviewPack && $pack->tenant instanceof Tenant) {
-            $packUrl = ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $pack->tenant);
-
-            if (static::isCustomerWorkspaceFlow()) {
-                $packUrl = static::appendQuery($packUrl, [
-                    'source_surface' => CustomerReviewWorkspace::SOURCE_SURFACE,
-                ]);
-            }
-
             $entries[] = RelatedContextEntry::available(
                 key: 'review_pack',
                 label: 'Review pack',
                 value: sprintf('#%d', (int) $pack->getKey()),
                 secondaryValue: 'Inspect the latest executive-pack output for this evidence basis.',
-                targetUrl: $packUrl,
+                targetUrl: ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $pack->tenant),
                 targetKind: 'direct_record',
                 priority: 20,
                 actionLabel: 'View review pack',
@@ -280,40 +267,9 @@ public static function relatedContextEntries(EvidenceSnapshot $record): array
             )->toArray();
         }
 
-        if ($record->tenant instanceof Tenant) {
-            $entries[] = RelatedContextEntry::available(
-                key: 'customer_review_workspace',
-                label: 'Customer workspace',
-                value: $record->tenant->name,
-                secondaryValue: 'Open the customer-safe review workspace prefiltered to this tenant.',
-                targetUrl: CustomerReviewWorkspace::tenantPrefilterUrl($record->tenant),
-                targetKind: 'canonical_page',
-                priority: 30,
-                actionLabel: 'Open customer workspace',
-                contextBadge: 'Reporting',
-            )->toArray();
-        }
-
         return $entries;
     }
 
-    public static function isCustomerWorkspaceFlow(): bool
-    {
-        return request()->query('source_surface') === CustomerReviewWorkspace::SOURCE_SURFACE;
-    }
-
-    /**
-     * @param  array<string, mixed>  $query
-     */
-    private static function appendQuery(string $url, array $query): string
-    {
-        if ($query === []) {
-            return $url;
-        }
-
-        return $url.(str_contains($url, '?') ? '&' : '?').http_build_query($query);
-    }
-
     public static function table(Table $table): Table
     {
         return $table

apps/platform/app/Filament/Resources/EvidenceSnapshotResource/Pages/ViewEvidenceSnapshot.php

@@ -5,13 +5,8 @@
 namespace App\Filament\Resources\EvidenceSnapshotResource\Pages;
 
 use App\Filament\Resources\EvidenceSnapshotResource;
-use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
-use App\Models\EvidenceSnapshot;
-use App\Models\Tenant;
 use App\Models\User;
-use App\Services\Audit\WorkspaceAuditLogger;
 use App\Services\Evidence\EvidenceSnapshotService;
-use App\Support\Audit\AuditActionId;
 use App\Support\Auth\Capabilities;
 use App\Support\Rbac\UiEnforcement;
 use App\Support\Ui\GovernanceActions\GovernanceActionCatalog;
@@ -25,13 +20,6 @@ class ViewEvidenceSnapshot extends ViewRecord
 {
     protected static string $resource = EvidenceSnapshotResource::class;
 
-    public function mount(int|string $record): void
-    {
-        parent::mount($record);
-
-        $this->auditCustomerWorkspaceProofOpen();
-    }
-
     protected function resolveRecord(int|string $key): Model
     {
         return EvidenceSnapshotResource::resolveScopedRecordOrFail($key);
@@ -39,10 +27,6 @@ protected function resolveRecord(int|string $key): Model
 
     protected function getHeaderActions(): array
     {
-        if (EvidenceSnapshotResource::isCustomerWorkspaceFlow()) {
-            return [];
-        }
-
         $refreshRule = GovernanceActionCatalog::rule('refresh_evidence');
         $expireRule = GovernanceActionCatalog::rule('expire_snapshot');
 
@@ -106,41 +90,4 @@ protected function getHeaderActions(): array
                 ->apply(),
         ];
     }
-
-    private function auditCustomerWorkspaceProofOpen(): void
-    {
-        if (! EvidenceSnapshotResource::isCustomerWorkspaceFlow()) {
-            return;
-        }
-
-        $record = $this->record;
-        $user = auth()->user();
-
-        if (! $record instanceof EvidenceSnapshot || ! $user instanceof User) {
-            return;
-        }
-
-        $tenant = $record->tenant;
-
-        if (! $tenant instanceof Tenant) {
-            return;
-        }
-
-        app(WorkspaceAuditLogger::class)->log(
-            workspace: $tenant->workspace,
-            action: AuditActionId::EvidenceSnapshotOpened,
-            context: [
-                'metadata' => [
-                    'evidence_snapshot_id' => (int) $record->getKey(),
-                    'source_surface' => CustomerReviewWorkspace::SOURCE_SURFACE,
-                ],
-            ],
-            actor: $user,
-            resourceType: 'evidence_snapshot',
-            resourceId: (string) $record->getKey(),
-            targetLabel: sprintf('Evidence snapshot #%d', (int) $record->getKey()),
-            tenant: $tenant,
-            operationRunId: $record->operation_run_id !== null ? (int) $record->operation_run_id : null,
-        );
-    }
 }

apps/platform/app/Filament/Resources/FindingResource.php

@@ -75,6 +75,8 @@ class FindingResource extends Resource
 
     protected static string|UnitEnum|null $navigationGroup = 'Governance';
 
+    protected static ?string $navigationLabel = 'Findings';
+
     public static function shouldRegisterNavigation(): bool
     {
         if (Filament::getCurrentPanel()?->getId() === 'admin') {
@@ -84,26 +86,6 @@ public static function shouldRegisterNavigation(): bool
         return parent::shouldRegisterNavigation();
     }
 
-    public static function getNavigationLabel(): string
-    {
-        return __('localization.navigation.findings');
-    }
-
-    public static function getNavigationGroup(): string
-    {
-        return __('localization.navigation.governance');
-    }
-
-    public static function getModelLabel(): string
-    {
-        return __('localization.navigation.findings');
-    }
-
-    public static function getPluralModelLabel(): string
-    {
-        return __('localization.navigation.findings');
-    }
-
     public static function canViewAny(): bool
     {
         $tenant = static::resolveTenantContextForCurrentPanel();
@@ -308,6 +290,8 @@ public static function infolist(Schema $schema): Schema
                                 ? OperationRunLinks::tenantlessView((int) $record->current_operation_run_id, static::findingRunNavigationContext($record))
                                 : null)
                             ->openUrlInNewTab(),
+                        TextEntry::make('acknowledged_at')->dateTime()->placeholder('—'),
+                        TextEntry::make('acknowledged_by_user_id')->label('Acknowledged by')->placeholder('—'),
                         TextEntry::make('first_seen_at')->label('First seen')->dateTime()->placeholder('—'),
                         TextEntry::make('last_seen_at')->label('Last seen')->dateTime()->placeholder('—'),
                         TextEntry::make('times_seen')->label('Times seen')->placeholder('—'),
@@ -998,6 +982,7 @@ public static function table(Table $table): Table
                                     if (! in_array((string) $record->status, [
                                         Finding::STATUS_NEW,
                                         Finding::STATUS_REOPENED,
+                                        Finding::STATUS_ACKNOWLEDGED,
                                     ], true)) {
                                         $skippedCount++;
 
@@ -1413,6 +1398,7 @@ public static function triageAction(): Actions\Action
                 ->visible(fn (Finding $record): bool => in_array((string) $record->status, [
                     Finding::STATUS_NEW,
                     Finding::STATUS_REOPENED,
+                    Finding::STATUS_ACKNOWLEDGED,
                 ], true))
                 ->action(function (Finding $record, FindingWorkflowService $workflow): void {
                     static::runWorkflowMutation(
@@ -1437,6 +1423,7 @@ public static function startProgressAction(): Actions\Action
                 ->color('info')
                 ->visible(fn (Finding $record): bool => in_array((string) $record->status, [
                     Finding::STATUS_TRIAGED,
+                    Finding::STATUS_ACKNOWLEDGED,
                 ], true))
                 ->action(function (Finding $record, FindingWorkflowService $workflow): void {
                     static::runWorkflowMutation(

apps/platform/app/Filament/Resources/FindingResource/Pages/ListFindings.php

@@ -10,8 +10,14 @@
 use App\Models\Tenant;
 use App\Models\User;
 use App\Services\Findings\FindingWorkflowService;
+use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
+use App\Services\Runbooks\FindingsLifecycleBackfillScope;
 use App\Support\Auth\Capabilities;
 use App\Support\Filament\CanonicalAdminTenantFilterState;
+use App\Support\OperationRunLinks;
+use App\Support\OpsUx\OperationUxPresenter;
+use App\Support\OpsUx\OpsUxBrowserEvents;
+use App\Support\OperationalControls\OperationalControlBlockedException;
 use App\Support\Rbac\UiEnforcement;
 use App\Support\Rbac\UiTooltips;
 use Filament\Actions;
@@ -71,15 +77,15 @@ public function getTabs(): array
         $stats = FindingResource::findingStatsForCurrentTenant();
 
         return [
-            'all' => Tab::make(__('localization.findings.all'))
+            'all' => Tab::make('All')
                 ->icon('heroicon-m-list-bullet'),
-            'needs_action' => Tab::make(__('localization.findings.needs_action'))
+            'needs_action' => Tab::make('Needs action')
                 ->icon('heroicon-m-exclamation-triangle')
                 ->modifyQueryUsing(fn (Builder $query): Builder => $query
                     ->whereIn('status', Finding::openStatusesForQuery()))
                 ->badge($stats['open'] > 0 ? $stats['open'] : null)
                 ->badgeColor('warning'),
-            'overdue' => Tab::make(__('localization.findings.overdue'))
+            'overdue' => Tab::make('Overdue')
                 ->icon('heroicon-m-clock')
                 ->modifyQueryUsing(fn (Builder $query): Builder => $query
                     ->whereIn('status', Finding::openStatusesForQuery())
@@ -87,11 +93,11 @@ public function getTabs(): array
                     ->where('due_at', '<', now()))
                 ->badge($stats['overdue'] > 0 ? $stats['overdue'] : null)
                 ->badgeColor('danger'),
-            'risk_accepted' => Tab::make(__('localization.findings.risk_accepted'))
+            'risk_accepted' => Tab::make('Risk accepted')
                 ->icon('heroicon-m-shield-check')
                 ->modifyQueryUsing(fn (Builder $query): Builder => $query
                     ->where('status', Finding::STATUS_RISK_ACCEPTED)),
-            'resolved' => Tab::make(__('localization.findings.resolved'))
+            'resolved' => Tab::make('Resolved')
                 ->icon('heroicon-m-archive-box')
                 ->modifyQueryUsing(fn (Builder $query): Builder => $query
                     ->whereIn('status', [Finding::STATUS_RESOLVED, Finding::STATUS_CLOSED])),
@@ -102,6 +108,77 @@ protected function getHeaderActions(): array
     {
         $actions = [];
 
+        $actions[] = UiEnforcement::forAction(
+            Actions\Action::make('backfill_lifecycle')
+                ->label('Backfill findings lifecycle')
+                ->icon('heroicon-o-wrench-screwdriver')
+                ->color('gray')
+                ->requiresConfirmation()
+                ->modalHeading('Backfill findings lifecycle')
+                ->modalDescription('This will backfill legacy Findings data (lifecycle fields, SLA due dates, and drift duplicate consolidation) for the current tenant. The operation runs in the background.')
+                ->action(function (FindingsLifecycleBackfillRunbookService $runbookService): void {
+                    $user = auth()->user();
+
+                    if (! $user instanceof User) {
+                        abort(403);
+                    }
+
+                    $tenant = static::resolveTenantContextForCurrentPanel();
+
+                    if (! $tenant instanceof Tenant) {
+                        abort(404);
+                    }
+
+                    try {
+                        $opRun = $runbookService->start(
+                            scope: FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey()),
+                            initiator: $user,
+                            reason: null,
+                            source: 'tenant_ui',
+                        );
+                    } catch (OperationalControlBlockedException $exception) {
+                        Notification::make()
+                            ->title($exception->title())
+                            ->body($exception->getMessage())
+                            ->warning()
+                            ->send();
+
+                        throw new \Filament\Support\Exceptions\Halt;
+                    }
+
+                    $runUrl = OperationRunLinks::view($opRun, $tenant);
+
+                    if ($opRun->wasRecentlyCreated === false) {
+                        OpsUxBrowserEvents::dispatchRunEnqueued($this);
+
+                        OperationUxPresenter::alreadyQueuedToast((string) $opRun->type)
+                            ->actions([
+                                Actions\Action::make('view_run')
+                                    ->label('Open operation')
+                                    ->url($runUrl),
+                            ])
+                            ->send();
+
+                        return;
+                    }
+
+                    OpsUxBrowserEvents::dispatchRunEnqueued($this);
+
+                    OperationUxPresenter::queuedToast((string) $opRun->type)
+                        ->body('The backfill will run in the background. You can continue working while it completes.')
+                        ->actions([
+                            Actions\Action::make('view_run')
+                                ->label('Open operation')
+                                ->url($runUrl),
+                        ])
+                        ->send();
+                })
+        )
+            ->preserveVisibility()
+            ->requireCapability(Capabilities::TENANT_MANAGE)
+            ->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
+            ->apply();
+
         $actions[] = UiEnforcement::forAction(
             Actions\Action::make('triage_all_matching')
                 ->label('Triage all matching')
@@ -171,6 +248,7 @@ protected function getHeaderActions(): array
                             if (! in_array((string) $finding->status, [
                                 Finding::STATUS_NEW,
                                 Finding::STATUS_REOPENED,
+                                Finding::STATUS_ACKNOWLEDGED,
                             ], true)) {
                                 $skippedCount++;
 

apps/platform/app/Filament/Resources/FindingResource/Pages/ViewFinding.php

@@ -44,7 +44,7 @@ protected function getHeaderActions(): array
                     ->primaryListAction(CrossResourceNavigationMatrix::SOURCE_FINDING, $this->getRecord())?->isAvailable() ?? false))
                 ->color('gray'),
             Actions\Action::make('open_approval_queue')
-                ->label(__('localization.findings.open_approval_queue'))
+                ->label('Open approval queue')
                 ->icon('heroicon-o-arrow-top-right-on-square')
                 ->color('gray')
                 ->visible(function (): bool {
@@ -61,7 +61,7 @@ protected function getHeaderActions(): array
                         : null;
                 }),
             Actions\ActionGroup::make(FindingResource::workflowActions())
-                ->label(__('localization.findings.actions'))
+                ->label('Actions')
                 ->icon('heroicon-o-ellipsis-vertical')
                 ->color('gray'),
         ]);

apps/platform/app/Filament/Resources/ReviewPackResource.php

@@ -2,10 +2,7 @@
 
 namespace App\Filament\Resources;
 
-use App\Filament\Concerns\ResolvesPanelTenantContext;
-use App\Exceptions\Entitlements\WorkspaceEntitlementBlockedException;
 use App\Exceptions\ReviewPackEvidenceResolutionException;
-use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
 use App\Filament\Resources\EvidenceSnapshotResource as TenantEvidenceSnapshotResource;
 use App\Filament\Resources\ReviewPackResource\Pages;
 use App\Models\ReviewPack;
@@ -13,7 +10,6 @@
 use App\Models\User;
 use App\Services\ReviewPackService;
 use App\Support\Auth\Capabilities;
-use App\Support\Auth\UiTooltips as AuthUiTooltips;
 use App\Support\Badges\BadgeCatalog;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
@@ -49,8 +45,6 @@
 
 class ReviewPackResource extends Resource
 {
-    use ResolvesPanelTenantContext;
-
     protected static ?string $model = ReviewPack::class;
 
     protected static ?string $tenantOwnershipRelationshipName = 'tenant';
@@ -108,9 +102,9 @@ public static function canView(Model $record): bool
     public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
     {
         return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView, ActionSurfaceType::ReadOnlyRegistryReport)
-            ->satisfy(ActionSurfaceSlot::ListHeader, 'Generate Pack action appears in the list header once review packs exist.')
+            ->satisfy(ActionSurfaceSlot::ListHeader, 'Generate Pack action available in list header.')
             ->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
-            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state carries the single Generate CTA while the registry is empty.')
+            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state includes Generate CTA.')
             ->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Clickable-row inspection stays primary while Download remains the only direct row shortcut and Expire is grouped under More.')
             ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'No bulk operations are supported for review packs.')
             ->satisfy(ActionSurfaceSlot::DetailHeader, 'Download and Regenerate actions in ViewReviewPack header.');
@@ -148,8 +142,7 @@ public static function infolist(Schema $schema): Schema
                         TextEntry::make('file_size')
                             ->label('File size')
                             ->formatStateUsing(fn ($state): string => $state ? Number::fileSize((int) $state) : '—'),
-                        TextEntry::make('sha256')->label('SHA-256')->copyable()->placeholder('—')
-                            ->hidden(fn (): bool => static::isCustomerWorkspaceFlow()),
+                        TextEntry::make('sha256')->label('SHA-256')->copyable()->placeholder('—'),
                     ])
                     ->columns(2)
                     ->columnSpanFull(),
@@ -185,7 +178,6 @@ public static function infolist(Schema $schema): Schema
                             ->formatStateUsing(fn ($state): string => $state ? 'Yes' : 'No'),
                     ])
                     ->columns(2)
-                    ->hidden(fn (): bool => static::isCustomerWorkspaceFlow())
                     ->columnSpanFull(),
 
                 Section::make('Metadata')
@@ -198,13 +190,6 @@ public static function infolist(Schema $schema): Schema
                                 ? TenantReviewResource::tenantScopedUrl('view', ['record' => $record->tenantReview], $record->tenant)
                                 : null)
                             ->placeholder('—'),
-                        TextEntry::make('customer_workspace')
-                            ->label('Customer workspace')
-                            ->state(fn (): string => 'Open workspace')
-                            ->url(fn (ReviewPack $record): ?string => $record->tenant instanceof Tenant
-                                ? CustomerReviewWorkspace::tenantPrefilterUrl($record->tenant)
-                                : null)
-                            ->placeholder('—'),
                         TextEntry::make('summary.review_status')
                             ->label('Review status')
                             ->badge()
@@ -229,12 +214,9 @@ public static function infolist(Schema $schema): Schema
                                 return OperationRunLinks::tenantlessView((int) $record->operation_run_id);
                             })
                             ->openUrlInNewTab()
-                            ->hidden(fn (): bool => static::isCustomerWorkspaceFlow())
                             ->placeholder('—'),
-                        TextEntry::make('fingerprint')->label('Fingerprint')->copyable()->placeholder('—')
-                            ->hidden(fn (): bool => static::isCustomerWorkspaceFlow()),
-                        TextEntry::make('previous_fingerprint')->label('Previous fingerprint')->copyable()->placeholder('—')
-                            ->hidden(fn (): bool => static::isCustomerWorkspaceFlow()),
+                        TextEntry::make('fingerprint')->label('Fingerprint')->copyable()->placeholder('—'),
+                        TextEntry::make('previous_fingerprint')->label('Previous fingerprint')->copyable()->placeholder('—'),
                         TextEntry::make('created_at')->label('Created')->dateTime(),
                     ])
                     ->columns(2)
@@ -248,7 +230,9 @@ public static function infolist(Schema $schema): Schema
                         TextEntry::make('evidenceSnapshot.id')
                             ->label('Snapshot')
                             ->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
-                            ->url(fn (ReviewPack $record): ?string => static::evidenceSnapshotUrl($record)),
+                            ->url(fn (ReviewPack $record): ?string => $record->evidenceSnapshot
+                                ? TenantEvidenceSnapshotResource::getUrl('view', ['record' => $record->evidenceSnapshot], tenant: $record->tenant)
+                                : null),
                         TextEntry::make('evidenceSnapshot.completeness_state')
                             ->label('Snapshot completeness')
                             ->badge()
@@ -366,62 +350,41 @@ public static function table(Table $table): Table
             ->emptyStateDescription('Generate a review pack to export tenant data for external review.')
             ->emptyStateIcon('heroicon-o-document-arrow-down')
             ->emptyStateActions([
-                static::generatePackAction(name: 'generate_first', label: 'Generate first pack'),
+                UiEnforcement::forAction(
+                    Actions\Action::make('generate_first')
+                        ->label('Generate first pack')
+                        ->icon('heroicon-o-plus')
+                        ->action(function (array $data): void {
+                            static::executeGeneration($data);
+                        })
+                        ->form([
+                            Section::make('Pack options')
+                                ->schema([
+                                    Toggle::make('include_pii')
+                                        ->label('Include PII')
+                                        ->helperText('Include personally identifiable information in the export.')
+                                        ->default(config('tenantpilot.review_pack.include_pii_default', true)),
+                                    Toggle::make('include_operations')
+                                        ->label('Include operations')
+                                        ->helperText('Include recent operation history in the export.')
+                                        ->default(config('tenantpilot.review_pack.include_operations_default', true)),
+                                ]),
+                        ])
+                )
+                    ->requireCapability(Capabilities::REVIEW_PACK_MANAGE)
+                    ->apply(),
             ]);
     }
 
-    public static function generatePackAction(string $name = 'generate_pack', string $label = 'Generate Pack'): Actions\Action
-    {
-        $action = UiEnforcement::forAction(
-            Actions\Action::make($name)
-                ->label($label)
-                ->icon('heroicon-o-plus')
-                ->disabled(fn (): bool => static::reviewPackGenerationBlocked())
-                ->action(function (array $data): void {
-                    static::executeGeneration($data);
-                })
-                ->form(static::reviewPackGenerationFormSchema())
-        )
-            ->requireCapability(Capabilities::REVIEW_PACK_MANAGE)
-            ->preserveDisabled()
-            ->apply();
-
-        $action->tooltip(fn (): ?string => static::reviewPackGenerationActionTooltip());
-
-        return $action;
-    }
-
-    /**
-     * @return array<int, Section>
-     */
-    public static function reviewPackGenerationFormSchema(): array
-    {
-        return [
-            Section::make('Pack options')
-                ->schema([
-                    Toggle::make('include_pii')
-                        ->label('Include PII')
-                        ->helperText('Include personally identifiable information in the export.')
-                        ->default(config('tenantpilot.review_pack.include_pii_default', true)),
-                    Toggle::make('include_operations')
-                        ->label('Include operations')
-                        ->helperText('Include recent operation history in the export.')
-                        ->default(config('tenantpilot.review_pack.include_operations_default', true)),
-                ]),
-        ];
-    }
-
     public static function getEloquentQuery(): Builder
     {
-        $tenant = Tenant::current() ?? static::resolveTenantContextForCurrentPanel() ?? Filament::getTenant();
+        $tenant = Filament::getTenant();
 
         if (! $tenant instanceof Tenant) {
             return parent::getEloquentQuery()->whereRaw('1 = 0');
         }
 
-        return parent::getEloquentQuery()
-            ->with(['tenant', 'operationRun', 'evidenceSnapshot', 'tenantReview'])
-            ->where('tenant_id', (int) $tenant->getKey());
+        return parent::getEloquentQuery()->where('tenant_id', (int) $tenant->getKey());
     }
 
     public static function getPages(): array
@@ -432,36 +395,6 @@ public static function getPages(): array
         ];
     }
 
-    public static function isCustomerWorkspaceFlow(): bool
-    {
-        return request()->query('source_surface') === CustomerReviewWorkspace::SOURCE_SURFACE;
-    }
-
-    private static function evidenceSnapshotUrl(ReviewPack $record): ?string
-    {
-        if (! $record->evidenceSnapshot) {
-            return null;
-        }
-
-        $url = TenantEvidenceSnapshotResource::getUrl('view', ['record' => $record->evidenceSnapshot], tenant: $record->tenant);
-
-        return static::isCustomerWorkspaceFlow()
-            ? static::appendQuery($url, ['source_surface' => CustomerReviewWorkspace::SOURCE_SURFACE])
-            : $url;
-    }
-
-    /**
-     * @param  array<string, mixed>  $query
-     */
-    private static function appendQuery(string $url, array $query): string
-    {
-        if ($query === []) {
-            return $url;
-        }
-
-        return $url.(str_contains($url, '?') ? '&' : '?').http_build_query($query);
-    }
-
     private static function truthEnvelope(ReviewPack $record, bool $fresh = false): ArtifactTruthEnvelope
     {
         $presenter = app(ArtifactTruthPresenter::class);
@@ -525,14 +458,6 @@ public static function executeGeneration(array $data): void
 
         try {
             $reviewPack = $service->generate($tenant, $user, $options);
-        } catch (WorkspaceEntitlementBlockedException $exception) {
-            Notification::make()
-                ->warning()
-                ->title('Review pack generation unavailable')
-                ->body($exception->getMessage())
-                ->send();
-
-            return;
         } catch (ReviewPackEvidenceResolutionException $exception) {
             $reasons = $exception->result->reasons;
 
@@ -568,69 +493,4 @@ public static function executeGeneration(array $data): void
 
         OperationUxPresenter::queuedToast('tenant.review_pack.generate')->send();
     }
-
-    /**
-     * @return array<string, mixed>
-     */
-    public static function reviewPackGenerationDecision(?Tenant $tenant = null): array
-    {
-        $tenant ??= Tenant::current() ?? static::resolveTenantContextForCurrentPanel() ?? Filament::getTenant();
-
-        if (! $tenant instanceof Tenant) {
-            return [];
-        }
-
-        return app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($tenant);
-    }
-
-    public static function currentTenantContext(): ?Tenant
-    {
-        $tenant = Tenant::current() ?? static::resolveTenantContextForCurrentPanel() ?? Filament::getTenant();
-
-        return $tenant instanceof Tenant ? $tenant : null;
-    }
-
-    public static function reviewPackGenerationBlocked(?Tenant $tenant = null): bool
-    {
-        return (bool) (static::reviewPackGenerationDecision($tenant)['is_blocked'] ?? false);
-    }
-
-    public static function reviewPackGenerationBlockReason(?Tenant $tenant = null): ?string
-    {
-        $decision = static::reviewPackGenerationDecision($tenant);
-
-        if (! (bool) ($decision['is_blocked'] ?? false)) {
-            return null;
-        }
-
-        $reason = $decision['block_reason'] ?? null;
-
-        return is_string($reason) && $reason !== '' ? $reason : null;
-    }
-
-    public static function reviewPackGenerationWarningReason(?Tenant $tenant = null): ?string
-    {
-        $decision = static::reviewPackGenerationDecision($tenant);
-
-        if (! (bool) ($decision['is_warning'] ?? false)) {
-            return null;
-        }
-
-        $reason = $decision['warning_reason'] ?? null;
-
-        return is_string($reason) && $reason !== '' ? $reason : null;
-    }
-
-    public static function reviewPackGenerationActionTooltip(?Tenant $tenant = null): ?string
-    {
-        $tenant ??= static::currentTenantContext();
-        $user = auth()->user();
-
-        if ($tenant instanceof Tenant && $user instanceof User && ! $user->can(Capabilities::REVIEW_PACK_MANAGE, $tenant)) {
-            return AuthUiTooltips::insufficientPermission();
-        }
-
-        return static::reviewPackGenerationBlockReason($tenant)
-            ?? static::reviewPackGenerationWarningReason($tenant);
-    }
 }

apps/platform/app/Filament/Resources/ReviewPackResource/Pages/ListReviewPacks.php

@@ -3,7 +3,12 @@
 namespace App\Filament\Resources\ReviewPackResource\Pages;
 
 use App\Filament\Resources\ReviewPackResource;
+use App\Support\Auth\Capabilities;
+use App\Support\Rbac\UiEnforcement;
+use Filament\Actions;
+use Filament\Forms\Components\Toggle;
 use Filament\Resources\Pages\ListRecords;
+use Filament\Schemas\Components\Section;
 
 class ListReviewPacks extends ListRecords
 {
@@ -12,13 +17,29 @@ class ListReviewPacks extends ListRecords
     protected function getHeaderActions(): array
     {
         return [
-            ReviewPackResource::generatePackAction()
-                ->visible(fn (): bool => $this->tableHasRecords()),
+            UiEnforcement::forAction(
+                Actions\Action::make('generate_pack')
+                    ->label('Generate Pack')
+                    ->icon('heroicon-o-plus')
+                    ->action(function (array $data): void {
+                        ReviewPackResource::executeGeneration($data);
+                    })
+                    ->form([
+                        Section::make('Pack options')
+                            ->schema([
+                                Toggle::make('include_pii')
+                                    ->label('Include PII')
+                                    ->helperText('Include personally identifiable information in the export.')
+                                    ->default(config('tenantpilot.review_pack.include_pii_default', true)),
+                                Toggle::make('include_operations')
+                                    ->label('Include operations')
+                                    ->helperText('Include recent operation history in the export.')
+                                    ->default(config('tenantpilot.review_pack.include_operations_default', true)),
+                            ]),
+                    ])
+            )
+                ->requireCapability(Capabilities::REVIEW_PACK_MANAGE)
+                ->apply(),
         ];
     }
-
-    private function tableHasRecords(): bool
-    {
-        return $this->getTableRecords()->count() > 0;
-    }
 }

apps/platform/app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php

@@ -19,65 +19,6 @@ class ViewReviewPack extends ViewRecord
 
     protected function getHeaderActions(): array
     {
-        if (ReviewPackResource::isCustomerWorkspaceFlow()) {
-            return [
-                Actions\Action::make('download')
-                    ->label('Download')
-                    ->icon('heroicon-o-arrow-down-tray')
-                    ->color('primary')
-                    ->visible(fn (): bool => $this->record->status === ReviewPackStatus::Ready->value)
-                    ->url(fn (): string => app(ReviewPackService::class)->generateDownloadUrl($this->record, [
-                        'source_surface' => \App\Filament\Pages\Reviews\CustomerReviewWorkspace::SOURCE_SURFACE,
-                    ]))
-                    ->openUrlInNewTab(),
-            ];
-        }
-
-        $regenerateAction = UiEnforcement::forAction(
-            Actions\Action::make('regenerate')
-                ->label('Regenerate')
-                ->icon('heroicon-o-arrow-path')
-                ->color('primary')
-                ->disabled(fn (): bool => ReviewPackResource::reviewPackGenerationBlocked($this->record->tenant))
-                ->requiresConfirmation()
-                ->modalDescription('This will generate a new review pack with the same options. The current pack will remain available until it expires.')
-                ->action(function (array $data): void {
-                    /** @var ReviewPack $record */
-                    $record = $this->record;
-
-                    $options = array_merge($record->options ?? [], [
-                        'include_pii' => (bool) ($data['include_pii'] ?? ($record->options['include_pii'] ?? true)),
-                        'include_operations' => (bool) ($data['include_operations'] ?? ($record->options['include_operations'] ?? true)),
-                    ]);
-
-                    ReviewPackResource::executeGeneration($options);
-                })
-                ->form(function (): array {
-                    /** @var ReviewPack $record */
-                    $record = $this->record;
-                    $currentOptions = $record->options ?? [];
-
-                    return [
-                        Section::make('Pack options')
-                            ->schema([
-                                Toggle::make('include_pii')
-                                    ->label('Include PII')
-                                    ->helperText('Include personally identifiable information in the export.')
-                                    ->default((bool) ($currentOptions['include_pii'] ?? true)),
-                                Toggle::make('include_operations')
-                                    ->label('Include operations')
-                                    ->helperText('Include recent operation history in the export.')
-                                    ->default((bool) ($currentOptions['include_operations'] ?? true)),
-                            ]),
-                    ];
-                })
-        )
-            ->requireCapability(Capabilities::REVIEW_PACK_MANAGE)
-            ->preserveDisabled()
-            ->apply();
-
-        $regenerateAction->tooltip(fn (): ?string => ReviewPackResource::reviewPackGenerationActionTooltip($this->record->tenant));
-
         return [
             Actions\Action::make('download')
                 ->label('Download')
@@ -87,7 +28,46 @@ protected function getHeaderActions(): array
                 ->url(fn (): string => app(ReviewPackService::class)->generateDownloadUrl($this->record))
                 ->openUrlInNewTab(),
 
-            $regenerateAction,
+            UiEnforcement::forAction(
+                Actions\Action::make('regenerate')
+                    ->label('Regenerate')
+                    ->icon('heroicon-o-arrow-path')
+                    ->color('primary')
+                    ->requiresConfirmation()
+                    ->modalDescription('This will generate a new review pack with the same options. The current pack will remain available until it expires.')
+                    ->action(function (array $data): void {
+                        /** @var ReviewPack $record */
+                        $record = $this->record;
+
+                        $options = array_merge($record->options ?? [], [
+                            'include_pii' => (bool) ($data['include_pii'] ?? ($record->options['include_pii'] ?? true)),
+                            'include_operations' => (bool) ($data['include_operations'] ?? ($record->options['include_operations'] ?? true)),
+                        ]);
+
+                        ReviewPackResource::executeGeneration($options);
+                    })
+                    ->form(function (): array {
+                        /** @var ReviewPack $record */
+                        $record = $this->record;
+                        $currentOptions = $record->options ?? [];
+
+                        return [
+                            Section::make('Pack options')
+                                ->schema([
+                                    Toggle::make('include_pii')
+                                        ->label('Include PII')
+                                        ->helperText('Include personally identifiable information in the export.')
+                                        ->default((bool) ($currentOptions['include_pii'] ?? true)),
+                                    Toggle::make('include_operations')
+                                        ->label('Include operations')
+                                        ->helperText('Include recent operation history in the export.')
+                                        ->default((bool) ($currentOptions['include_operations'] ?? true)),
+                                ]),
+                        ];
+                    })
+            )
+                ->requireCapability(Capabilities::REVIEW_PACK_MANAGE)
+                ->apply(),
         ];
     }
 }

apps/platform/app/Filament/Resources/TenantResource.php

@@ -2,7 +2,6 @@
 
 namespace App\Filament\Resources;
 
-use App\Filament\Pages\CrossTenantComparePage;
 use App\Filament\Pages\TenantDashboard;
 use App\Filament\Resources\TenantResource\Pages;
 use App\Filament\Resources\TenantResource\RelationManagers;
@@ -16,11 +15,9 @@
 use App\Models\TenantOnboardingSession;
 use App\Models\TenantTriageReview;
 use App\Models\User;
-use App\Models\Workspace;
 use App\Services\Audit\WorkspaceAuditLogger;
 use App\Services\Auth\CapabilityResolver;
 use App\Services\Auth\RoleCapabilityMap;
-use App\Services\Auth\WorkspaceCapabilityResolver;
 use App\Services\Directory\EntraGroupLabelResolver;
 use App\Services\Directory\RoleDefinitionsSyncService;
 use App\Services\Graph\GraphClientInterface;
@@ -47,7 +44,6 @@
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\ProviderOperationStartResultPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
-use App\Support\Navigation\CanonicalNavigationContext;
 use App\Support\PortfolioTriage\PortfolioArrivalContextToken;
 use App\Support\PortfolioTriage\TenantTriageReviewStateResolver;
 use App\Support\Rbac\UiEnforcement;
@@ -72,7 +68,6 @@
 use Filament\Actions;
 use Filament\Actions\ActionGroup;
 use Filament\Actions\BulkActionGroup;
-use Filament\Facades\Filament;
 use Filament\Forms;
 use Filament\Infolists;
 use Filament\Notifications\Notification;
@@ -829,27 +824,6 @@ public static function table(Table $table): Table
                         ->url(fn (Tenant $record): string => static::relatedOnboardingDraftUrl($record) ?? route('admin.onboarding'))
                         ->visible(fn (Tenant $record): bool => static::relatedOnboardingDraftAction($record, TenantActionSurface::TenantIndexRow) instanceof TenantActionDescriptor
                             && static::tenantIndexPrimaryAction($record)?->key !== 'related_onboarding'),
-                    Actions\Action::make('compareTenants')
-                        ->label('Compare tenants')
-                        ->icon('heroicon-o-scale')
-                        ->color('gray')
-                        ->url(function (Tenant $record, mixed $livewire): string {
-                            $triageState = $livewire instanceof Pages\ListTenants
-                                ? static::currentPortfolioTriageState($livewire)
-                                : [];
-
-                            if (! static::hasActivePortfolioTriageState(
-                                static::sanitizeBackupPostures($triageState['backup_posture'] ?? []),
-                                static::sanitizeRecoveryEvidenceStates($triageState['recovery_evidence'] ?? []),
-                                static::sanitizeReviewStates($triageState['review_state'] ?? []),
-                                static::sanitizeTriageSort($triageState['triage_sort'] ?? null),
-                            )) {
-                                $triageState = static::portfolioReturnFiltersFromRequest(request()->query());
-                            }
-
-                            return static::crossTenantCompareOpenUrl($record, $triageState);
-                        })
-                        ->visible(fn (Tenant $record): bool => static::crossTenantCompareActionVisible($record)),
                     UiEnforcement::forAction(
                         Actions\Action::make('edit')
                             ->label('Edit')
@@ -992,34 +966,6 @@ public static function table(Table $table): Table
             ])
             ->bulkActions([
                 BulkActionGroup::make([
-                    Actions\BulkAction::make('compareSelected')
-                        ->label('Compare selected')
-                        ->icon('heroicon-o-scale')
-                        ->color('gray')
-                        ->visible(fn (): bool => auth()->user() instanceof User)
-                        ->authorize(fn (): bool => auth()->user() instanceof User)
-                        ->extraAttributes(fn (mixed $livewire): array => [
-                            'x-bind:aria-disabled' => static::crossTenantCompareBulkClientDisabledExpression($livewire).' ? true : null',
-                            'x-bind:disabled' => static::crossTenantCompareBulkClientDisabledExpression($livewire),
-                            'x-bind:title' => static::crossTenantCompareBulkClientTooltipExpression($livewire),
-                            'x-bind:class' => "{ 'fi-disabled': ".static::crossTenantCompareBulkClientDisabledExpression($livewire).' }',
-                        ])
-                        ->action(function (Collection $records, mixed $livewire): void {
-                            $disabledReason = static::crossTenantCompareBulkDisabledReason($records);
-
-                            if ($disabledReason !== null) {
-                                Notification::make()
-                                    ->title($disabledReason)
-                                    ->danger()
-                                    ->send();
-
-                                return;
-                            }
-
-                            if (method_exists($livewire, 'redirect')) {
-                                $livewire->redirect(static::crossTenantCompareBulkOpenUrl($records, $livewire), navigate: true);
-                            }
-                        }),
                     Actions\BulkAction::make('syncSelected')
                         ->label('Sync selected')
                         ->icon('heroicon-o-arrow-path')
@@ -1212,52 +1158,6 @@ public static function tenantDashboardOpenUrl(Tenant $record, array $triageState
         );
     }
 
-    /**
-     * @param  array{
-     *     backup_posture?: list<string>,
-     *     recovery_evidence?: list<string>,
-     *     review_state?: list<string>,
-     *     triage_sort?: string|null
-     * }  $triageState
-     */
-    public static function crossTenantCompareOpenUrl(Tenant $record, array $triageState = []): string
-    {
-        return static::crossTenantCompareOpenUrlForSelection(
-            targetTenant: $record,
-            triageState: $triageState,
-        );
-    }
-
-    /**
-     * @param  array{
-     *     backup_posture?: list<string>,
-     *     recovery_evidence?: list<string>,
-     *     review_state?: list<string>,
-     *     triage_sort?: string|null
-     * }  $triageState
-     */
-    public static function crossTenantCompareOpenUrlForSelection(
-        Tenant $targetTenant,
-        array $triageState = [],
-        ?Tenant $sourceTenant = null,
-    ): string {
-        $normalizedState = static::portfolioReturnFilters(
-            static::sanitizeBackupPostures($triageState['backup_posture'] ?? []),
-            static::sanitizeRecoveryEvidenceStates($triageState['recovery_evidence'] ?? []),
-            static::sanitizeReviewStates($triageState['review_state'] ?? []),
-            static::sanitizeTriageSort($triageState['triage_sort'] ?? null),
-        );
-
-        return CrossTenantComparePage::launchUrl(
-            sourceTenant: $sourceTenant,
-            targetTenant: $targetTenant,
-            navigationContext: CanonicalNavigationContext::forTenantRegistry(
-                backLinkUrl: static::getUrl(panel: 'admin', parameters: $normalizedState),
-                tenantId: $sourceTenant instanceof Tenant ? null : (int) $targetTenant->getKey(),
-            ),
-        );
-    }
-
     /**
      * @param  array{
      *     backup_posture?: list<string>,
@@ -1348,168 +1248,6 @@ private static function portfolioReturnFiltersFromRequest(array $query): array
         );
     }
 
-    private static function crossTenantCompareActionVisible(Tenant $record): bool
-    {
-        if (! $record->isActive()) {
-            return false;
-        }
-
-        $user = auth()->user();
-
-        if (! $user instanceof User) {
-            return false;
-        }
-
-        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
-
-        if (! is_int($workspaceId) || $workspaceId !== (int) $record->workspace_id) {
-            return false;
-        }
-
-        $workspace = Workspace::query()->whereKey($workspaceId)->first();
-
-        if (! $workspace instanceof Workspace) {
-            return false;
-        }
-
-        /** @var WorkspaceCapabilityResolver $workspaceResolver */
-        $workspaceResolver = app(WorkspaceCapabilityResolver::class);
-
-        if (! $workspaceResolver->isMember($user, $workspace)
-            || ! $workspaceResolver->can($user, $workspace, Capabilities::WORKSPACE_BASELINES_VIEW)) {
-            return false;
-        }
-
-        /** @var CapabilityResolver $tenantResolver */
-        $tenantResolver = app(CapabilityResolver::class);
-
-        return $user->canAccessTenant($record)
-            && $tenantResolver->can($user, $record, Capabilities::TENANT_VIEW);
-    }
-
-    private static function crossTenantCompareBulkDisabledReason(Collection $records): ?string
-    {
-        $user = auth()->user();
-
-        if (! $user instanceof User) {
-            return UiTooltips::insufficientPermission();
-        }
-
-        $tenants = $records
-            ->filter(fn ($record): bool => $record instanceof Tenant)
-            ->values();
-
-        if ($records->count() !== 2 || $tenants->count() !== 2) {
-            return 'Select exactly two tenants to compare.';
-        }
-
-        if ($tenants->contains(fn (Tenant $tenant): bool => ! $tenant->isActive())) {
-            return 'Only active tenants can be compared.';
-        }
-
-        $workspaceIds = $tenants
-            ->map(fn (Tenant $tenant): int => (int) $tenant->workspace_id)
-            ->unique()
-            ->values();
-
-        if ($workspaceIds->count() !== 1) {
-            return UiTooltips::insufficientPermission();
-        }
-
-        $workspaceId = $workspaceIds->first();
-
-        $workspace = Workspace::query()->whereKey($workspaceId)->first();
-
-        if (! $workspace instanceof Workspace) {
-            return UiTooltips::insufficientPermission();
-        }
-
-        /** @var WorkspaceCapabilityResolver $workspaceResolver */
-        $workspaceResolver = app(WorkspaceCapabilityResolver::class);
-
-        if (! $workspaceResolver->isMember($user, $workspace)
-            || ! $workspaceResolver->can($user, $workspace, Capabilities::WORKSPACE_BASELINES_VIEW)) {
-            return UiTooltips::insufficientPermission();
-        }
-
-        /** @var CapabilityResolver $tenantResolver */
-        $tenantResolver = app(CapabilityResolver::class);
-
-        $isDenied = $tenants->contains(fn (Tenant $tenant): bool => ! $user->canAccessTenant($tenant)
-            || ! $tenantResolver->can($user, $tenant, Capabilities::TENANT_VIEW));
-
-        return $isDenied ? UiTooltips::insufficientPermission() : null;
-    }
-
-    private static function crossTenantCompareBulkClientDisabledExpression(mixed $livewire): string
-    {
-        $containsInactiveSelection = static::crossTenantCompareBulkContainsInactiveSelectionExpression($livewire);
-
-        return "getSelectedRecordsCount() !== 2 || {$containsInactiveSelection}";
-    }
-
-    private static function crossTenantCompareBulkClientTooltipExpression(mixed $livewire): string
-    {
-        $containsInactiveSelection = static::crossTenantCompareBulkContainsInactiveSelectionExpression($livewire);
-
-        return "getSelectedRecordsCount() !== 2 ? 'Select exactly two tenants to compare.' : ({$containsInactiveSelection} ? 'Only active tenants can be compared.' : null)";
-    }
-
-    private static function crossTenantCompareBulkContainsInactiveSelectionExpression(mixed $livewire): string
-    {
-        $inactiveRecordKeys = \Illuminate\Support\Js::from(static::crossTenantCompareInactiveSelectionRecordKeys($livewire));
-
-        return "[...selectedRecords].some((key) => {$inactiveRecordKeys}.includes(key))";
-    }
-
-    /**
-     * @return list<string>
-     */
-    private static function crossTenantCompareInactiveSelectionRecordKeys(mixed $livewire): array
-    {
-        if (! $livewire instanceof HasTable || ! method_exists($livewire, 'getTableRecordKey')) {
-            return [];
-        }
-
-        $tableRecords = $livewire->getTableRecords();
-
-        if (method_exists($tableRecords, 'getCollection')) {
-            $tableRecords = $tableRecords->getCollection();
-        }
-
-        return collect($tableRecords)
-            ->filter(fn ($record): bool => $record instanceof Tenant && ! $record->isActive())
-            ->map(fn (Tenant $tenant): string => (string) $livewire->getTableRecordKey($tenant))
-            ->values()
-            ->all();
-    }
-
-    private static function crossTenantCompareBulkOpenUrl(Collection $records, mixed $livewire): string
-    {
-        $triageState = $livewire instanceof Pages\ListTenants
-            ? static::currentPortfolioTriageState($livewire)
-            : [];
-
-        if (! static::hasActivePortfolioTriageState(
-            static::sanitizeBackupPostures($triageState['backup_posture'] ?? []),
-            static::sanitizeRecoveryEvidenceStates($triageState['recovery_evidence'] ?? []),
-            static::sanitizeReviewStates($triageState['review_state'] ?? []),
-            static::sanitizeTriageSort($triageState['triage_sort'] ?? null),
-        )) {
-            $triageState = static::portfolioReturnFiltersFromRequest(request()->query());
-        }
-
-        $tenants = $records
-            ->filter(fn ($record): bool => $record instanceof Tenant)
-            ->values();
-
-        return static::crossTenantCompareOpenUrlForSelection(
-            targetTenant: $tenants->get(1),
-            triageState: $triageState,
-            sourceTenant: $tenants->get(0),
-        );
-    }
-
     private static function hasActivePortfolioTriageState(
         array $backupPostures,
         array $recoveryEvidence,

apps/platform/app/Filament/Resources/TenantReviewResource.php

@@ -6,9 +6,7 @@
 
 use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
 use App\Filament\Concerns\ResolvesPanelTenantContext;
-use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
 use App\Filament\Resources\TenantReviewResource\Pages;
-use App\Exceptions\Entitlements\WorkspaceEntitlementBlockedException;
 use App\Models\EvidenceSnapshot;
 use App\Models\Tenant;
 use App\Models\TenantReview;
@@ -17,7 +15,6 @@
 use App\Services\ReviewPackService;
 use App\Services\TenantReviews\TenantReviewService;
 use App\Support\Auth\Capabilities;
-use App\Support\Auth\UiTooltips as AuthUiTooltips;
 use App\Support\Badges\BadgeCatalog;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
@@ -85,26 +82,6 @@ public static function shouldRegisterNavigation(): bool
         return Filament::getCurrentPanel()?->getId() === 'tenant';
     }
 
-    public static function getNavigationGroup(): string
-    {
-        return __('localization.review.reporting');
-    }
-
-    public static function getNavigationLabel(): string
-    {
-        return __('localization.review.reviews');
-    }
-
-    public static function getModelLabel(): string
-    {
-        return __('localization.review.review');
-    }
-
-    public static function getPluralModelLabel(): string
-    {
-        return __('localization.review.reviews');
-    }
-
     public static function canViewAny(): bool
     {
         $tenant = static::resolveTenantContextForCurrentPanel();
@@ -173,7 +150,7 @@ public static function form(Schema $schema): Schema
     public static function infolist(Schema $schema): Schema
     {
         return $schema->schema([
-            Section::make(__('localization.review.outcome_summary'))
+            Section::make('Outcome summary')
                 ->schema([
                     ViewEntry::make('artifact_truth')
                         ->hiddenLabel()
@@ -182,7 +159,7 @@ public static function infolist(Schema $schema): Schema
                         ->columnSpanFull(),
                 ])
                 ->columnSpanFull(),
-            Section::make(__('localization.review.review'))
+            Section::make('Review')
                 ->schema([
                     TextEntry::make('status')
                         ->badge()
@@ -191,23 +168,23 @@ public static function infolist(Schema $schema): Schema
                         ->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewStatus))
                         ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewStatus)),
                     TextEntry::make('completeness_state')
-                        ->label(__('localization.review.completeness'))
+                        ->label('Completeness')
                         ->badge()
                         ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewCompleteness))
                         ->color(BadgeRenderer::color(BadgeDomain::TenantReviewCompleteness))
                         ->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewCompleteness))
                         ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewCompleteness)),
-                    TextEntry::make('tenant.name')->label(__('localization.review.tenant')),
+                    TextEntry::make('tenant.name')->label('Tenant'),
                     TextEntry::make('generated_at')->dateTime()->placeholder('—'),
                     TextEntry::make('published_at')->dateTime()->placeholder('—'),
                     TextEntry::make('evidenceSnapshot.id')
-                        ->label(__('localization.review.evidence_snapshot'))
+                        ->label('Evidence snapshot')
                         ->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
                         ->url(fn (TenantReview $record): ?string => $record->evidenceSnapshot
                             ? EvidenceSnapshotResource::getUrl('view', ['record' => $record->evidenceSnapshot], tenant: $record->tenant)
                             : null),
                     TextEntry::make('currentExportReviewPack.id')
-                        ->label(__('localization.review.current_export'))
+                        ->label('Current export')
                         ->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
                         ->url(fn (TenantReview $record): ?string => $record->currentExportReviewPack
                             ? ReviewPackResource::getUrl('view', ['record' => $record->currentExportReviewPack], tenant: $record->tenant)
@@ -215,14 +192,13 @@ public static function infolist(Schema $schema): Schema
                     TextEntry::make('fingerprint')
                         ->copyable()
                         ->placeholder('—')
-                        ->hidden(fn (): bool => static::isCustomerWorkspaceMode())
                         ->columnSpanFull()
                         ->fontFamily('mono')
                         ->size(TextSize::ExtraSmall),
                 ])
                 ->columns(2)
                 ->columnSpanFull(),
-            Section::make(__('localization.review.executive_posture'))
+            Section::make('Executive posture')
                 ->schema([
                     ViewEntry::make('review_summary')
                         ->hiddenLabel()
@@ -231,21 +207,21 @@ public static function infolist(Schema $schema): Schema
                         ->columnSpanFull(),
                 ])
                 ->columnSpanFull(),
-            Section::make(__('localization.review.sections'))
+            Section::make('Sections')
                 ->schema([
                     RepeatableEntry::make('sections')
                         ->hiddenLabel()
                         ->schema([
                             TextEntry::make('title'),
                             TextEntry::make('completeness_state')
-                                ->label(__('localization.review.completeness'))
+                                ->label('Completeness')
                                 ->badge()
                                 ->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewCompleteness))
                                 ->color(BadgeRenderer::color(BadgeDomain::TenantReviewCompleteness))
                                 ->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewCompleteness))
                                 ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewCompleteness)),
                             TextEntry::make('measured_at')->dateTime()->placeholder('—'),
-                            Section::make(__('localization.review.details'))
+                            Section::make('Details')
                                 ->schema([
                                     ViewEntry::make('section_payload')
                                         ->hiddenLabel()
@@ -265,25 +241,6 @@ public static function infolist(Schema $schema): Schema
 
     public static function table(Table $table): Table
     {
-        $exportExecutivePackAction = UiEnforcement::forTableAction(
-            Actions\Action::make('export_executive_pack')
-                ->label(__('localization.review.export_executive_pack'))
-                ->icon('heroicon-o-arrow-down-tray')
-                ->visible(fn (TenantReview $record): bool => in_array($record->status, [
-                    TenantReviewStatus::Ready->value,
-                    TenantReviewStatus::Published->value,
-                ], true))
-                ->disabled(fn (TenantReview $record): bool => static::reviewPackGenerationBlocked($record->tenant))
-                ->action(fn (TenantReview $record): mixed => static::executeExport($record)),
-            fn (TenantReview $record): TenantReview => $record,
-        )
-            ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
-            ->preserveVisibility()
-            ->preserveDisabled()
-            ->apply();
-
-        $exportExecutivePackAction->tooltip(fn (TenantReview $record): ?string => static::reviewPackGenerationActionTooltip($record->tenant));
-
         return $table
             ->defaultSort('generated_at', 'desc')
             ->persistFiltersInSession()
@@ -299,7 +256,7 @@ public static function table(Table $table): Table
                     ->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewStatus))
                     ->sortable(),
                 Tables\Columns\TextColumn::make('outcome')
-                    ->label(__('localization.review.outcome'))
+                    ->label('Outcome')
                     ->badge()
                     ->getStateUsing(fn (TenantReview $record): string => static::compressedOutcome($record)->primaryLabel)
                     ->color(fn (TenantReview $record): string => static::compressedOutcome($record)->primaryBadge->color)
@@ -310,10 +267,10 @@ public static function table(Table $table): Table
                 Tables\Columns\TextColumn::make('generated_at')->dateTime()->placeholder('—')->sortable(),
                 Tables\Columns\TextColumn::make('published_at')->dateTime()->placeholder('—')->sortable(),
                 Tables\Columns\IconColumn::make('summary.has_ready_export')
-                    ->label(__('localization.review.export'))
+                    ->label('Export')
                     ->boolean(),
                 Tables\Columns\TextColumn::make('next_step')
-                    ->label(__('localization.review.next_step'))
+                    ->label('Next step')
                     ->getStateUsing(fn (TenantReview $record): string => static::compressedOutcome($record)->nextActionText)
                     ->wrap(),
                 Tables\Columns\TextColumn::make('fingerprint')
@@ -327,18 +284,31 @@ public static function table(Table $table): Table
                         ->all()),
                 Tables\Filters\SelectFilter::make('completeness_state')
                     ->options(BadgeCatalog::options(BadgeDomain::TenantReviewCompleteness, TenantReviewCompletenessState::values())),
-                \App\Support\Filament\FilterPresets::dateRange('review_date', __('localization.review.review_date'), 'generated_at'),
+                \App\Support\Filament\FilterPresets::dateRange('review_date', 'Review date', 'generated_at'),
             ])
             ->actions([
-                $exportExecutivePackAction,
+                UiEnforcement::forTableAction(
+                    Actions\Action::make('export_executive_pack')
+                        ->label('Export executive pack')
+                        ->icon('heroicon-o-arrow-down-tray')
+                        ->visible(fn (TenantReview $record): bool => in_array($record->status, [
+                            TenantReviewStatus::Ready->value,
+                            TenantReviewStatus::Published->value,
+                        ], true))
+                        ->action(fn (TenantReview $record): mixed => static::executeExport($record)),
+                    fn (TenantReview $record): TenantReview => $record,
+                )
+                    ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
+                    ->preserveVisibility()
+                    ->apply(),
             ])
             ->bulkActions([])
-            ->emptyStateHeading(__('localization.review.no_tenant_reviews_yet'))
-            ->emptyStateDescription(__('localization.review.create_first_review_description'))
+            ->emptyStateHeading('No tenant reviews yet')
+            ->emptyStateDescription('Create the first review from an anchored evidence snapshot to start the recurring review history for this tenant.')
             ->emptyStateActions([
                 static::makeCreateReviewAction(
                     name: 'create_first_review',
-                    label: __('localization.review.create_first_review'),
+                    label: 'Create first review',
                     icon: 'heroicon-o-plus',
                 ),
             ]);
@@ -357,23 +327,19 @@ public static function makeCreateReviewAction(
         string $label = 'Create review',
         string $icon = 'heroicon-o-plus',
     ): Actions\Action {
-        $label = $label === 'Create review'
-            ? __('localization.review.create_review')
-            : $label;
-
         return UiEnforcement::forAction(
             Actions\Action::make($name)
                 ->label($label)
                 ->icon($icon)
                 ->form([
-                    Section::make(__('localization.review.evidence_basis'))
+                    Section::make('Evidence basis')
                         ->schema([
                             Select::make('evidence_snapshot_id')
-                                ->label(__('localization.review.evidence_snapshot'))
+                                ->label('Evidence snapshot')
                                 ->required()
                                 ->options(fn (): array => static::evidenceSnapshotOptions())
                                 ->searchable()
-                                ->helperText(__('localization.review.evidence_basis_helper')),
+                                ->helperText('Choose the anchored evidence snapshot for this review.'),
                         ]),
                 ])
                 ->action(fn (array $data): mixed => static::executeCreateReview($data)),
@@ -391,7 +357,7 @@ public static function executeCreateReview(array $data): void
         $user = auth()->user();
 
         if (! $tenant instanceof Tenant || ! $user instanceof User) {
-            Notification::make()->danger()->title(__('localization.review.unable_create_missing_context'))->send();
+            Notification::make()->danger()->title('Unable to create review — missing context.')->send();
 
             return;
         }
@@ -413,7 +379,7 @@ public static function executeCreateReview(array $data): void
             : null;
 
         if (! $snapshot instanceof EvidenceSnapshot) {
-            Notification::make()->danger()->title(__('localization.review.select_valid_evidence_snapshot'))->send();
+            Notification::make()->danger()->title('Select a valid evidence snapshot.')->send();
 
             return;
         }
@@ -421,7 +387,7 @@ public static function executeCreateReview(array $data): void
         try {
             $review = app(TenantReviewService::class)->create($tenant, $snapshot, $user);
         } catch (\Throwable $throwable) {
-            Notification::make()->danger()->title(__('localization.review.unable_create_review'))->body($throwable->getMessage())->send();
+            Notification::make()->danger()->title('Unable to create review')->body($throwable->getMessage())->send();
 
             return;
         }
@@ -431,11 +397,11 @@ public static function executeCreateReview(array $data): void
         if (! $review->wasRecentlyCreated) {
             Notification::make()
                 ->success()
-                ->title(__('localization.review.review_already_available'))
-                ->body(__('localization.review.review_already_available_body'))
+                ->title('Review already available')
+                ->body('A matching mutable review already exists for this evidence basis.')
                 ->actions([
                     Actions\Action::make('view_review')
-                        ->label(__('localization.review.view_review'))
+                        ->label('View review')
                         ->url(static::tenantScopedUrl('view', ['record' => $review], $tenant)),
                 ])
                 ->send();
@@ -444,12 +410,12 @@ public static function executeCreateReview(array $data): void
         }
 
         $toast = OperationUxPresenter::queuedToast(OperationRunType::TenantReviewCompose->value)
-            ->body(__('localization.review.review_composing_background'));
+            ->body('The review is being composed in the background.');
 
         if ($review->operation_run_id) {
             $toast->actions([
                 Actions\Action::make('view_run')
-                    ->label(__('localization.review.open_operation'))
+                    ->label('Open operation')
                     ->url(OperationRunLinks::tenantlessView((int) $review->operation_run_id)),
             ]);
         }
@@ -457,71 +423,13 @@ public static function executeCreateReview(array $data): void
         $toast->send();
     }
 
-    /**
-     * @return array<string, mixed>
-     */
-    public static function reviewPackGenerationDecision(?Tenant $tenant = null): array
-    {
-        $tenant ??= Filament::getTenant();
-
-        if (! $tenant instanceof Tenant) {
-            return [];
-        }
-
-        return app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($tenant);
-    }
-
-    public static function reviewPackGenerationBlocked(?Tenant $tenant = null): bool
-    {
-        return (bool) (static::reviewPackGenerationDecision($tenant)['is_blocked'] ?? false);
-    }
-
-    public static function reviewPackGenerationBlockReason(?Tenant $tenant = null): ?string
-    {
-        $decision = static::reviewPackGenerationDecision($tenant);
-
-        if (! (bool) ($decision['is_blocked'] ?? false)) {
-            return null;
-        }
-
-        $reason = $decision['block_reason'] ?? null;
-
-        return is_string($reason) && $reason !== '' ? $reason : null;
-    }
-
-    public static function reviewPackGenerationWarningReason(?Tenant $tenant = null): ?string
-    {
-        $decision = static::reviewPackGenerationDecision($tenant);
-
-        if (! (bool) ($decision['is_warning'] ?? false)) {
-            return null;
-        }
-
-        $reason = $decision['warning_reason'] ?? null;
-
-        return is_string($reason) && $reason !== '' ? $reason : null;
-    }
-
-    public static function reviewPackGenerationActionTooltip(?Tenant $tenant = null): ?string
-    {
-        $tenant ??= static::panelTenantContext();
-        $user = auth()->user();
-
-        if ($tenant instanceof Tenant && $user instanceof User && ! $user->can(Capabilities::TENANT_REVIEW_MANAGE, $tenant)) {
-            return AuthUiTooltips::insufficientPermission();
-        }
-
-        return static::reviewPackGenerationBlockReason($tenant)
-            ?? static::reviewPackGenerationWarningReason($tenant);
-    }
-
     public static function executeExport(TenantReview $review): void
     {
         $review->loadMissing(['tenant', 'currentExportReviewPack']);
         $user = auth()->user();
 
         if (! $user instanceof User || ! $review->tenant instanceof Tenant) {
-            Notification::make()->danger()->title(__('localization.review.unable_export_missing_context'))->send();
+            Notification::make()->danger()->title('Unable to export review — missing context.')->send();
 
             return;
         }
@@ -538,7 +446,7 @@ public static function executeExport(TenantReview $review): void
 
         if ($service->checkActiveRunForReview($review)) {
             OperationUxPresenter::alreadyQueuedToast(OperationRunType::ReviewPackGenerate->value)
-                ->body(__('localization.review.export_already_queued_body'))
+                ->body('An executive pack export is already queued or running for this review.')
                 ->send();
 
             return;
@@ -549,12 +457,8 @@ public static function executeExport(TenantReview $review): void
                 'include_pii' => true,
                 'include_operations' => true,
             ]);
-        } catch (WorkspaceEntitlementBlockedException $exception) {
-            Notification::make()->warning()->title(__('localization.review.executive_pack_export_unavailable'))->body($exception->getMessage())->send();
-
-            return;
         } catch (\Throwable $throwable) {
-            Notification::make()->danger()->title(__('localization.review.unable_export_executive_pack'))->body($throwable->getMessage())->send();
+            Notification::make()->danger()->title('Unable to export executive pack')->body($throwable->getMessage())->send();
 
             return;
         }
@@ -565,11 +469,11 @@ public static function executeExport(TenantReview $review): void
         if (! $pack->wasRecentlyCreated) {
             Notification::make()
                 ->success()
-                ->title(__('localization.review.executive_pack_already_available'))
-                ->body(__('localization.review.executive_pack_already_available_body'))
+                ->title('Executive pack already available')
+                ->body('A matching executive pack already exists for this review.')
                 ->actions([
                     Actions\Action::make('view_pack')
-                        ->label(__('localization.review.view_pack'))
+                        ->label('View pack')
                         ->url(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $review->tenant)),
                 ])
                 ->send();
@@ -578,7 +482,7 @@ public static function executeExport(TenantReview $review): void
         }
 
         OperationUxPresenter::queuedToast(OperationRunType::ReviewPackGenerate->value)
-            ->body(__('localization.review.executive_pack_generating_background'))
+            ->body('The executive pack is being generated in the background.')
             ->send();
     }
 
@@ -618,7 +522,7 @@ private static function evidenceSnapshotOptions(): array
                     '#%d · %s · %s',
                     (int) $snapshot->getKey(),
                     BadgeCatalog::spec(BadgeDomain::EvidenceCompleteness, $snapshot->completeness_state)->label,
-                    $snapshot->generated_at?->format('Y-m-d H:i') ?? __('localization.review.pending')
+                    $snapshot->generated_at?->format('Y-m-d H:i') ?? 'Pending'
                 ),
             ])
             ->all();
@@ -642,89 +546,59 @@ private static function summaryPresentation(TenantReview $record): array
         $findingOutcomes = is_array($summary['finding_outcomes'] ?? null) ? $summary['finding_outcomes'] : [];
 
         if ($findingOutcomeSummary !== null) {
-            $highlights[] = __('localization.review.terminal_outcomes').': '.$findingOutcomeSummary.'.';
+            $highlights[] = 'Terminal outcomes: '.$findingOutcomeSummary.'.';
         }
 
         return [
             'operator_explanation' => $truthEnvelope->operatorExplanation?->toArray(),
             'compressed_outcome' => static::compressedOutcome($record)->toArray(),
-            'customer_workspace_mode' => static::isCustomerWorkspaceMode(),
-            'reason_semantics' => static::isCustomerWorkspaceMode()
-                ? []
-                : $reasonPresenter->semantics($truthEnvelope->reason?->toReasonResolutionEnvelope()),
+            'reason_semantics' => $reasonPresenter->semantics($truthEnvelope->reason?->toReasonResolutionEnvelope()),
             'highlights' => $highlights,
             'next_actions' => is_array($summary['recommended_next_actions'] ?? null) ? $summary['recommended_next_actions'] : [],
             'publish_blockers' => is_array($summary['publish_blockers'] ?? null) ? $summary['publish_blockers'] : [],
-            'context_links' => static::summaryContextLinks($record, static::isCustomerWorkspaceMode()),
-            'metrics' => static::isCustomerWorkspaceMode() ? [
-                ['label' => __('localization.review.findings'), 'value' => (string) ($summary['finding_count'] ?? 0)],
-                ['label' => __('localization.review.pending_verification'), 'value' => (string) ($findingOutcomes[FindingOutcomeSemantics::OUTCOME_RESOLVED_PENDING_VERIFICATION] ?? 0)],
-                ['label' => __('localization.review.verified_cleared'), 'value' => (string) ($findingOutcomes[FindingOutcomeSemantics::OUTCOME_VERIFIED_CLEARED] ?? 0)],
-            ] : [
-                ['label' => __('localization.review.findings'), 'value' => (string) ($summary['finding_count'] ?? 0)],
-                ['label' => __('localization.review.reports'), 'value' => (string) ($summary['report_count'] ?? 0)],
-                ['label' => __('localization.review.operations'), 'value' => (string) ($summary['operation_count'] ?? 0)],
-                ['label' => __('localization.review.sections'), 'value' => (string) ($summary['section_count'] ?? 0)],
-                ['label' => __('localization.review.pending_verification'), 'value' => (string) ($findingOutcomes[FindingOutcomeSemantics::OUTCOME_RESOLVED_PENDING_VERIFICATION] ?? 0)],
-                ['label' => __('localization.review.verified_cleared'), 'value' => (string) ($findingOutcomes[FindingOutcomeSemantics::OUTCOME_VERIFIED_CLEARED] ?? 0)],
+            'context_links' => static::summaryContextLinks($record),
+            'metrics' => [
+                ['label' => 'Findings', 'value' => (string) ($summary['finding_count'] ?? 0)],
+                ['label' => 'Reports', 'value' => (string) ($summary['report_count'] ?? 0)],
+                ['label' => 'Operations', 'value' => (string) ($summary['operation_count'] ?? 0)],
+                ['label' => 'Sections', 'value' => (string) ($summary['section_count'] ?? 0)],
+                ['label' => 'Pending verification', 'value' => (string) ($findingOutcomes[FindingOutcomeSemantics::OUTCOME_RESOLVED_PENDING_VERIFICATION] ?? 0)],
+                ['label' => 'Verified cleared', 'value' => (string) ($findingOutcomes[FindingOutcomeSemantics::OUTCOME_VERIFIED_CLEARED] ?? 0)],
             ],
         ];
     }
 
     /**
-     * @return array<int, array{title:string,label:string,url:?string,description:string}>
+     * @return array<int, array{title:string,label:string,url:string,description:string}>
      */
-    private static function summaryContextLinks(TenantReview $record, bool $customerWorkspaceMode = false): array
+    private static function summaryContextLinks(TenantReview $record): array
     {
         $links = [];
 
-        if (! $customerWorkspaceMode && is_numeric($record->operation_run_id)) {
+        if (is_numeric($record->operation_run_id)) {
             $links[] = [
-                'title' => __('localization.review.operation'),
-                'label' => __('localization.review.open_operation'),
+                'title' => 'Operation',
+                'label' => 'Open operation',
                 'url' => OperationRunLinks::tenantlessView((int) $record->operation_run_id),
-                'description' => __('localization.review.operation_description'),
+                'description' => 'Inspect the latest review composition or refresh run.',
             ];
         }
 
-        if (! $customerWorkspaceMode && $record->currentExportReviewPack && $record->tenant) {
+        if ($record->currentExportReviewPack && $record->tenant) {
             $links[] = [
-                'title' => __('localization.review.executive_pack'),
-                'label' => __('localization.review.view_executive_pack'),
+                'title' => 'Executive pack',
+                'label' => 'View executive pack',
                 'url' => ReviewPackResource::getUrl('view', ['record' => $record->currentExportReviewPack], tenant: $record->tenant),
-                'description' => __('localization.review.executive_pack_description'),
-            ];
-        }
-
-        if ($record->tenant) {
-            $links[] = [
-                'title' => __('localization.review.customer_workspace'),
-                'label' => __('localization.review.open_customer_workspace'),
-                'url' => CustomerReviewWorkspace::tenantPrefilterUrl($record->tenant),
-                'description' => __('localization.review.customer_workspace_description'),
+                'description' => 'Open the current export that belongs to this review.',
             ];
         }
 
         if ($record->evidenceSnapshot && $record->tenant) {
-            $user = auth()->user();
-            $canViewEvidence = $user instanceof User && $user->can(Capabilities::EVIDENCE_VIEW, $record->tenant);
-            $evidenceUrl = $canViewEvidence
-                ? EvidenceSnapshotResource::getUrl('view', ['record' => $record->evidenceSnapshot], tenant: $record->tenant)
-                : null;
-
-            if ($customerWorkspaceMode && $evidenceUrl !== null) {
-                $evidenceUrl = static::appendQuery($evidenceUrl, [
-                    'source_surface' => CustomerReviewWorkspace::SOURCE_SURFACE,
-                ]);
-            }
-
             $links[] = [
-                'title' => __('localization.review.evidence_snapshot'),
-                'label' => __('localization.review.view_evidence_snapshot'),
-                'url' => $evidenceUrl,
-                'description' => $canViewEvidence
-                    ? __('localization.review.evidence_snapshot_description')
-                    : __('localization.review.evidence_proof_access_unavailable'),
+                'title' => 'Evidence snapshot',
+                'label' => 'View evidence snapshot',
+                'url' => EvidenceSnapshotResource::getUrl('view', ['record' => $record->evidenceSnapshot], tenant: $record->tenant),
+                'description' => 'Return to the evidence basis behind this review.',
             ];
         }
 
@@ -805,21 +679,4 @@ private static function findingOutcomeSummary(array $summary): ?string
 
         return app(FindingOutcomeSemantics::class)->compactOutcomeSummary($outcomeCounts);
     }
-
-    private static function isCustomerWorkspaceMode(): bool
-    {
-        return request()->boolean(CustomerReviewWorkspace::DETAIL_CONTEXT_QUERY_KEY);
-    }
-
-    /**
-     * @param  array<string, mixed>  $query
-     */
-    private static function appendQuery(string $url, array $query): string
-    {
-        if ($query === []) {
-            return $url;
-        }
-
-        return $url.(str_contains($url, '?') ? '&' : '?').http_build_query($query);
-    }
 }

apps/platform/app/Filament/Resources/TenantReviewResource/Pages/ViewTenantReview.php

@@ -4,20 +4,14 @@
 
 namespace App\Filament\Resources\TenantReviewResource\Pages;
 
-use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
 use App\Filament\Resources\TenantReviewResource;
-use App\Models\ReviewPack;
 use App\Models\Tenant;
 use App\Models\TenantReview;
 use App\Models\User;
-use App\Services\ReviewPackService;
-use App\Services\Audit\WorkspaceAuditLogger;
 use App\Services\TenantReviews\TenantReviewLifecycleService;
 use App\Services\TenantReviews\TenantReviewService;
-use App\Support\Audit\AuditActionId;
 use App\Support\Auth\Capabilities;
 use App\Support\Rbac\UiEnforcement;
-use App\Support\ReviewPackStatus;
 use App\Support\TenantReviewStatus;
 use App\Support\Ui\GovernanceActions\GovernanceActionCatalog;
 use Filament\Actions;
@@ -30,13 +24,6 @@ class ViewTenantReview extends ViewRecord
 {
     protected static string $resource = TenantReviewResource::class;
 
-    public function mount(int|string $record): void
-    {
-        parent::mount($record);
-
-        $this->auditCustomerWorkspaceOpen();
-    }
-
     protected function resolveRecord(int|string $key): Model
     {
         return TenantReviewResource::resolveScopedRecordOrFail($key);
@@ -67,12 +54,6 @@ protected function authorizeAccess(): void
 
     protected function getHeaderActions(): array
     {
-        if ($this->isCustomerWorkspaceView()) {
-            return [
-                $this->downloadCurrentReviewPackAction(),
-            ];
-        }
-
         $secondaryActions = $this->secondaryLifecycleActions();
 
         return array_values(array_filter([
@@ -88,7 +69,7 @@ protected function getHeaderActions(): array
                 ->label('Danger')
                 ->icon('heroicon-o-archive-box')
                 ->color('danger')
-                ->visible(fn (): bool => ! $this->isCustomerWorkspaceView() && ! $this->record->statusEnum()->isTerminal()),
+                ->visible(fn (): bool => ! $this->record->statusEnum()->isTerminal()),
         ]));
     }
 
@@ -104,10 +85,6 @@ private function primaryLifecycleAction(): ?Actions\Action
 
     private function primaryLifecycleActionName(): ?string
     {
-        if ($this->isCustomerWorkspaceView()) {
-            return null;
-        }
-
         if ((string) $this->record->status === TenantReviewStatus::Published->value) {
             return 'export_executive_pack';
         }
@@ -145,10 +122,6 @@ private function secondaryLifecycleActions(): array
      */
     private function secondaryLifecycleActionNames(): array
     {
-        if ($this->isCustomerWorkspaceView()) {
-            return [];
-        }
-
         $names = [];
 
         if ($this->record->isMutable()) {
@@ -205,6 +178,7 @@ private function refreshReviewAction(): Actions\Action
                 }),
         )
             ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
+            ->preserveVisibility()
             ->apply();
     }
 
@@ -258,7 +232,7 @@ private function publishReviewAction(): Actions\Action
 
     private function exportExecutivePackAction(): Actions\Action
     {
-        $action = UiEnforcement::forAction(
+        return UiEnforcement::forAction(
             Actions\Action::make('export_executive_pack')
                 ->label('Export executive pack')
                 ->icon('heroicon-o-arrow-down-tray')
@@ -267,17 +241,11 @@ private function exportExecutivePackAction(): Actions\Action
                     TenantReviewStatus::Ready->value,
                     TenantReviewStatus::Published->value,
                 ], true))
-                ->disabled(fn (): bool => TenantReviewResource::reviewPackGenerationBlocked($this->record->tenant))
                 ->action(fn (): mixed => TenantReviewResource::executeExport($this->record)),
         )
             ->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
             ->preserveVisibility()
-            ->preserveDisabled()
             ->apply();
-
-        $action->tooltip(fn (): ?string => TenantReviewResource::reviewPackGenerationActionTooltip($this->record->tenant));
-
-        return $action;
     }
 
     private function createNextReviewAction(): Actions\Action
@@ -351,107 +319,4 @@ private function archiveReviewAction(): Actions\Action
             ->preserveVisibility()
             ->apply();
     }
-
-    private function downloadCurrentReviewPackAction(): Actions\Action
-    {
-        return Actions\Action::make('download_current_review_pack')
-            ->label(__('localization.review.download_current_review_pack'))
-            ->icon('heroicon-o-arrow-down-tray')
-            ->color('primary')
-            ->disabled(fn (): bool => $this->currentReviewPackDownloadUrl() === null)
-            ->tooltip(fn (): ?string => $this->currentReviewPackUnavailableReason())
-            ->url(fn (): ?string => $this->currentReviewPackDownloadUrl())
-            ->openUrlInNewTab();
-    }
-
-    private function currentReviewPackDownloadUrl(): ?string
-    {
-        $pack = $this->record->currentExportReviewPack;
-        $tenant = $this->record->tenant;
-        $user = auth()->user();
-
-        if (! $pack instanceof ReviewPack || ! $tenant instanceof Tenant || ! $user instanceof User) {
-            return null;
-        }
-
-        if (! $user->can(Capabilities::REVIEW_PACK_VIEW, $tenant)) {
-            return null;
-        }
-
-        if ($pack->status !== ReviewPackStatus::Ready->value) {
-            return null;
-        }
-
-        if ($pack->expires_at !== null && $pack->expires_at->isPast()) {
-            return null;
-        }
-
-        return app(ReviewPackService::class)->generateDownloadUrl($pack, [
-            'source_surface' => CustomerReviewWorkspace::SOURCE_SURFACE,
-        ]);
-    }
-
-    private function currentReviewPackUnavailableReason(): ?string
-    {
-        if ($this->currentReviewPackDownloadUrl() !== null) {
-            return null;
-        }
-
-        $pack = $this->record->currentExportReviewPack;
-        $tenant = $this->record->tenant;
-        $user = auth()->user();
-
-        if (! $pack instanceof ReviewPack) {
-            return __('localization.review.customer_review_pack_missing');
-        }
-
-        if (! $user instanceof User || ! $tenant instanceof Tenant || ! $user->can(Capabilities::REVIEW_PACK_VIEW, $tenant)) {
-            return __('localization.review.customer_review_pack_forbidden');
-        }
-
-        if ($pack->status !== ReviewPackStatus::Ready->value) {
-            return __('localization.review.customer_review_pack_not_ready');
-        }
-
-        if ($pack->expires_at !== null && $pack->expires_at->isPast()) {
-            return __('localization.review.customer_review_pack_expired');
-        }
-
-        return __('localization.review.customer_review_pack_unavailable');
-    }
-
-    private function isCustomerWorkspaceView(): bool
-    {
-        return request()->boolean(CustomerReviewWorkspace::DETAIL_CONTEXT_QUERY_KEY);
-    }
-
-    private function auditCustomerWorkspaceOpen(): void
-    {
-        if (! $this->isCustomerWorkspaceView()) {
-            return;
-        }
-
-        $user = auth()->user();
-        $tenant = $this->record->tenant;
-
-        if (! $user instanceof User || ! $tenant instanceof Tenant) {
-            return;
-        }
-
-        app(WorkspaceAuditLogger::class)->log(
-            workspace: $tenant->workspace,
-            action: AuditActionId::TenantReviewOpened,
-            context: [
-                'metadata' => [
-                    'review_id' => (int) $this->record->getKey(),
-                    'source_surface' => 'customer_review_workspace',
-                ],
-            ],
-            actor: $user,
-            resourceType: 'tenant_review',
-            resourceId: (string) $this->record->getKey(),
-            targetLabel: sprintf('Tenant review #%d', (int) $this->record->getKey()),
-            tenant: $tenant,
-        );
-    }
 }

apps/platform/app/Filament/System/Pages/Dashboard.php

@@ -28,11 +28,6 @@ class Dashboard extends BaseDashboard
 {
     public string $window = SystemConsoleWindow::LastDay;
 
-    public function getTitle(): string
-    {
-        return __('localization.dashboard.system_title');
-    }
-
     /**
      * @param  array<mixed>  $parameters
      */
@@ -114,12 +109,12 @@ protected function getHeaderActions(): array
 
         return [
             Action::make('set_window')
-                ->label(__('localization.dashboard.time_window'))
+                ->label('Time window')
                 ->icon('heroicon-o-clock')
                 ->color('gray')
                 ->form([
                     Select::make('window')
-                        ->label(__('localization.dashboard.window'))
+                        ->label('Window')
                         ->options(SystemConsoleWindow::options())
                         ->default($this->window)
                         ->required(),
@@ -135,7 +130,7 @@ protected function getHeaderActions(): array
                 }),
 
             Action::make('enter_break_glass')
-                ->label(__('localization.dashboard.enter_break_glass'))
+                ->label('Enter break-glass mode')
                 ->color('danger')
                 ->visible(fn (): bool => $canUseBreakGlass && ! $breakGlass->isActive())
                 ->requiresConfirmation()
@@ -163,13 +158,13 @@ protected function getHeaderActions(): array
                     $breakGlass->start($user, (string) ($data['reason'] ?? ''));
 
                     Notification::make()
-                        ->title(__('localization.dashboard.recovery_mode_enabled'))
+                        ->title('Recovery mode enabled')
                         ->success()
                         ->send();
                 }),
 
             Action::make('exit_break_glass')
-                ->label(__('localization.dashboard.exit_break_glass'))
+                ->label('Exit break-glass')
                 ->color('gray')
                 ->visible(fn (): bool => $canUseBreakGlass && $breakGlass->isActive())
                 ->requiresConfirmation()
@@ -185,7 +180,7 @@ protected function getHeaderActions(): array
                     $breakGlass->exit($user);
 
                     Notification::make()
-                        ->title(__('localization.dashboard.recovery_mode_ended'))
+                        ->title('Recovery mode ended')
                         ->success()
                         ->send();
                 }),

apps/platform/app/Filament/System/Pages/Directory/ViewWorkspace.php

@@ -9,19 +9,12 @@
 use App\Models\PlatformUser;
 use App\Models\Tenant;
 use App\Models\Workspace;
-use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
-use App\Services\Entitlements\WorkspaceEntitlementResolver;
-use App\Services\Settings\SettingsWriter;
 use App\Support\Auth\PlatformCapabilities;
 use App\Support\CustomerHealth\WorkspaceHealthSummaryQuery;
 use App\Support\OperationCatalog;
 use App\Support\System\SystemDirectoryLinks;
 use App\Support\System\SystemOperationRunLinks;
 use App\Support\SystemConsole\SystemConsoleWindow;
-use Filament\Actions\Action;
-use Filament\Forms\Components\Select;
-use Filament\Forms\Components\Textarea;
-use Filament\Notifications\Notification;
 use Filament\Pages\Page;
 use Illuminate\Support\Collection;
 
@@ -92,85 +85,6 @@ public function runsUrl(): string
         return SystemOperationRunLinks::index();
     }
 
-    /**
-     * @return array<string, mixed>
-     */
-    public function workspaceEntitlementSummary(): array
-    {
-        return app(WorkspaceEntitlementResolver::class)->summary($this->workspace);
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    public function workspaceCommercialLifecycleSummary(): array
-    {
-        return app(WorkspaceCommercialLifecycleResolver::class)->summary($this->workspace);
-    }
-
-    /**
-     * @return array<Action>
-     */
-    protected function getHeaderActions(): array
-    {
-        return [
-            Action::make('change_commercial_state')
-                ->label('Change commercial state')
-                ->icon('heroicon-o-adjustments-horizontal')
-                ->color('warning')
-                ->visible(fn (): bool => $this->canManageCommercialLifecycle())
-                ->requiresConfirmation()
-                ->modalHeading('Change commercial state')
-                ->modalDescription('This changes the workspace commercial lifecycle overlay. The rationale is audited and affects onboarding activation and review-pack starts.')
-                ->form([
-                    Select::make('state')
-                        ->label('Commercial state')
-                        ->options(WorkspaceCommercialLifecycleResolver::stateLabels())
-                        ->required()
-                        ->default(fn (): string => (string) ($this->workspaceCommercialLifecycleSummary()['state'] ?? WorkspaceCommercialLifecycleResolver::STATE_ACTIVE_PAID)),
-                    Textarea::make('reason')
-                        ->label('Rationale')
-                        ->required()
-                        ->minLength(5)
-                        ->maxLength(500)
-                        ->rows(4),
-                ])
-                ->action(function (array $data, SettingsWriter $settingsWriter): void {
-                    $actor = auth('platform')->user();
-
-                    if (! $actor instanceof PlatformUser) {
-                        abort(403);
-                    }
-
-                    if (! $actor->hasCapability(PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE)) {
-                        abort(403);
-                    }
-
-                    $settingsWriter->updateWorkspaceCommercialLifecycle(
-                        actor: $actor,
-                        workspace: $this->workspace,
-                        state: (string) ($data['state'] ?? ''),
-                        reason: (string) ($data['reason'] ?? ''),
-                    );
-
-                    $this->workspace->refresh();
-
-                    Notification::make()
-                        ->title('Commercial state updated')
-                        ->success()
-                        ->send();
-                }),
-        ];
-    }
-
-    private function canManageCommercialLifecycle(): bool
-    {
-        $user = auth('platform')->user();
-
-        return $user instanceof PlatformUser
-            && $user->hasCapability(PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE);
-    }
-
     /**
      * @return array{
      *     overall: array{label: string, color: string, icon: string|null},

apps/platform/app/Filament/System/Pages/Ops/Controls.php

@@ -57,6 +57,11 @@ public static function canAccess(): bool
             && $user->hasCapability(PlatformCapabilities::OPS_CONTROLS_MANAGE);
     }
 
+    public function mount(): void
+    {
+        abort_unless(static::canAccess(), 403);
+    }
+
     public function getHeader(): ?View
     {
         return view('filament.system.pages.ops.partials.controls-header', [
@@ -72,12 +77,12 @@ public function getHeader(): ?View
     protected function getHeaderActions(): array
     {
         return [
+            $this->pauseFindingsLifecycleBackfillAction(),
+            $this->resumeFindingsLifecycleBackfillAction(),
+            $this->viewHistoryFindingsLifecycleBackfillAction(),
             $this->pauseRestoreExecuteAction(),
             $this->resumeRestoreExecuteAction(),
             $this->viewHistoryRestoreExecuteAction(),
-            $this->pauseAiExecutionAction(),
-            $this->resumeAiExecutionAction(),
-            $this->viewHistoryAiExecutionAction(),
         ];
     }
 
@@ -182,6 +187,21 @@ public function scopeImpactPreview(string $controlKey, string $scopeType, ?int $
         ];
     }
 
+    public function pauseFindingsLifecycleBackfillAction(): Action
+    {
+        return $this->pauseActionFor('findings.lifecycle.backfill');
+    }
+
+    public function resumeFindingsLifecycleBackfillAction(): Action
+    {
+        return $this->resumeActionFor('findings.lifecycle.backfill');
+    }
+
+    public function viewHistoryFindingsLifecycleBackfillAction(): Action
+    {
+        return $this->historyActionFor('findings.lifecycle.backfill');
+    }
+
     public function pauseRestoreExecuteAction(): Action
     {
         return $this->pauseActionFor('restore.execute');
@@ -197,21 +217,6 @@ public function viewHistoryRestoreExecuteAction(): Action
         return $this->historyActionFor('restore.execute');
     }
 
-    public function pauseAiExecutionAction(): Action
-    {
-        return $this->pauseActionFor('ai.execution');
-    }
-
-    public function resumeAiExecutionAction(): Action
-    {
-        return $this->resumeActionFor('ai.execution');
-    }
-
-    public function viewHistoryAiExecutionAction(): Action
-    {
-        return $this->historyActionFor('ai.execution');
-    }
-
     private function pauseActionFor(string $controlKey): Action
     {
         $label = app(OperationalControlCatalog::class)->label($controlKey);
@@ -226,7 +231,7 @@ private function pauseActionFor(string $controlKey): Action
             ->form($this->pauseFormSchema($controlKey))
             ->action(function (array $data, AuditRecorder $auditRecorder, WorkspaceAuditLogger $workspaceAuditLogger) use ($controlKey, $label): void {
                 $actor = $this->controlsActor();
-                [$scopeType, $workspace, $reasonText, $expiresAt] = $this->normalizePauseInput($controlKey, $data);
+                [$scopeType, $workspace, $reasonText, $expiresAt] = $this->normalizePauseInput($data);
 
                 $scopeQuery = $this->activationScopeQuery($controlKey, $scopeType, $workspace);
 
@@ -286,7 +291,7 @@ private function resumeActionFor(string $controlKey): Action
             ->form($this->resumeFormSchema($controlKey))
             ->action(function (array $data, AuditRecorder $auditRecorder, WorkspaceAuditLogger $workspaceAuditLogger) use ($controlKey, $label): void {
                 $actor = $this->controlsActor();
-                [$scopeType, $workspace] = $this->normalizeResumeInput($controlKey, $data);
+                [$scopeType, $workspace] = $this->normalizeResumeInput($data);
 
                 $activation = $this->activationScopeQuery($controlKey, $scopeType, $workspace)
                     ->notExpired()
@@ -344,8 +349,11 @@ private function pauseFormSchema(string $controlKey): array
         return [
             Radio::make('scope_type')
                 ->label('Scope')
-                ->options($this->scopeOptions($controlKey))
-                ->default($this->defaultScopeFor($controlKey))
+                ->options([
+                    'global' => 'Global',
+                    'workspace' => 'One workspace',
+                ])
+                ->default('global')
                 ->live()
                 ->required(),
 
@@ -405,8 +413,11 @@ private function resumeFormSchema(string $controlKey): array
         return [
             Radio::make('scope_type')
                 ->label('Scope')
-                ->options($this->scopeOptions($controlKey))
-                ->default($this->defaultScopeFor($controlKey))
+                ->options([
+                    'global' => 'Global',
+                    'workspace' => 'One workspace',
+                ])
+                ->default('global')
                 ->live()
                 ->required(),
 
@@ -463,9 +474,9 @@ private function controlsActor(): PlatformUser
     /**
      * @return array{0: string, 1: ?Workspace, 2: string, 3: ?CarbonInterface}
      */
-    private function normalizePauseInput(string $controlKey, array $data): array
+    private function normalizePauseInput(array $data): array
     {
-        [$scopeType, $workspace] = $this->resolveScopeInput($controlKey, $data);
+        [$scopeType, $workspace] = $this->resolveScopeInput($data);
         $reasonText = trim((string) ($data['reason_text'] ?? ''));
 
         if ($reasonText === '') {
@@ -492,20 +503,19 @@ private function normalizePauseInput(string $controlKey, array $data): array
     /**
      * @return array{0: string, 1: ?Workspace}
      */
-    private function normalizeResumeInput(string $controlKey, array $data): array
+    private function normalizeResumeInput(array $data): array
     {
-        return $this->resolveScopeInput($controlKey, $data);
+        return $this->resolveScopeInput($data);
     }
 
     /**
      * @return array{0: string, 1: ?Workspace}
      */
-    private function resolveScopeInput(string $controlKey, array $data): array
+    private function resolveScopeInput(array $data): array
     {
         $scopeType = (string) ($data['scope_type'] ?? 'global');
-        $supportedScopes = app(OperationalControlCatalog::class)->definition($controlKey)['supported_scopes'] ?? ['global'];
 
-        if (! in_array($scopeType, $supportedScopes, true)) {
+        if (! in_array($scopeType, ['global', 'workspace'], true)) {
             throw ValidationException::withMessages([
                 'scope_type' => 'Invalid scope selected.',
             ]);
@@ -534,26 +544,6 @@ private function resolveScopeInput(string $controlKey, array $data): array
         return [$scopeType, $workspace];
     }
 
-    /**
-     * @return array<string, string>
-     */
-    private function scopeOptions(string $controlKey): array
-    {
-        $supportedScopes = app(OperationalControlCatalog::class)->definition($controlKey)['supported_scopes'];
-
-        return Arr::only([
-            'global' => 'Global',
-            'workspace' => 'One workspace',
-        ], $supportedScopes);
-    }
-
-    private function defaultScopeFor(string $controlKey): string
-    {
-        $supportedScopes = app(OperationalControlCatalog::class)->definition($controlKey)['supported_scopes'];
-
-        return $supportedScopes[0] ?? 'global';
-    }
-
     private function activationScopeQuery(string $controlKey, string $scopeType, ?Workspace $workspace): \Illuminate\Database\Eloquent\Builder
     {
         $query = OperationalControlActivation::query()

apps/platform/app/Filament/System/Pages/Ops/Runbooks.php

@@ -4,9 +4,26 @@
 
 namespace App\Filament\System\Pages\Ops;
 
+use App\Models\OperationRun;
 use App\Models\PlatformUser;
+use App\Models\Tenant;
+use App\Services\Auth\BreakGlassSession;
+use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
+use App\Services\Runbooks\FindingsLifecycleBackfillScope;
+use App\Services\Runbooks\RunbookReason;
+use App\Services\System\AllowedTenantUniverse;
 use App\Support\Auth\PlatformCapabilities;
+use App\Support\OpsUx\OperationUxPresenter;
+use App\Support\OperationalControls\OperationalControlBlockedException;
+use App\Support\System\SystemOperationRunLinks;
+use Filament\Actions\Action;
+use Filament\Forms\Components\Radio;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\Textarea;
+use Filament\Forms\Components\TextInput;
+use Filament\Notifications\Notification;
 use Filament\Pages\Page;
+use Illuminate\Validation\ValidationException;
 
 class Runbooks extends Page
 {
@@ -20,6 +37,53 @@ class Runbooks extends Page
 
     protected string $view = 'filament.system.pages.ops.runbooks';
 
+    public string $findingsScopeMode = FindingsLifecycleBackfillScope::MODE_ALL_TENANTS;
+
+    public ?int $findingsTenantId = null;
+
+    public string $scopeMode = FindingsLifecycleBackfillScope::MODE_ALL_TENANTS;
+
+    public ?int $tenantId = null;
+
+    /**
+     * @var array{affected_count: int, total_count: int, estimated_tenants?: int|null}|null
+     */
+    public ?array $findingsPreflight = null;
+
+    /**
+     * @var array{affected_count: int, total_count: int, estimated_tenants?: int|null}|null
+     */
+    public ?array $preflight = null;
+
+    public function findingsScopeLabel(): string
+    {
+        if ($this->findingsScopeMode === FindingsLifecycleBackfillScope::MODE_ALL_TENANTS) {
+            return 'All tenants';
+        }
+
+        $tenantName = $this->selectedTenantName($this->findingsTenantId);
+
+        if ($tenantName !== null) {
+            return "Single tenant ({$tenantName})";
+        }
+
+        return $this->findingsTenantId !== null ? "Single tenant (#{$this->findingsTenantId})" : 'Single tenant';
+    }
+
+    public function findingsLastRun(): ?OperationRun
+    {
+        return $this->lastRunForType(FindingsLifecycleBackfillRunbookService::RUNBOOK_KEY);
+    }
+
+    public function selectedTenantName(?int $tenantId): ?string
+    {
+        if ($tenantId === null) {
+            return null;
+        }
+
+        return Tenant::query()->whereKey($tenantId)->value('name');
+    }
+
     public static function canAccess(): bool
     {
         $user = auth('platform')->user();
@@ -31,4 +95,231 @@ public static function canAccess(): bool
         return $user->hasCapability(PlatformCapabilities::OPS_VIEW)
             && $user->hasCapability(PlatformCapabilities::RUNBOOKS_VIEW);
     }
+
+    /**
+     * @return array<Action>
+     */
+    protected function getHeaderActions(): array
+    {
+        return [
+            Action::make('preflight')
+                ->label('Preflight')
+                ->color('gray')
+                ->icon('heroicon-o-magnifying-glass')
+                ->form($this->findingsScopeForm())
+                ->action(function (array $data, FindingsLifecycleBackfillRunbookService $runbookService): void {
+                    $scope = $this->trustedFindingsScopeFromFormData($data, app(AllowedTenantUniverse::class));
+
+                    $this->findingsScopeMode = $scope->mode;
+                    $this->findingsTenantId = $scope->tenantId;
+                    $this->scopeMode = $scope->mode;
+                    $this->tenantId = $scope->tenantId;
+
+                    $this->findingsPreflight = $runbookService->preflight($scope);
+                    $this->preflight = $this->findingsPreflight;
+
+                    Notification::make()
+                        ->title('Preflight complete')
+                        ->success()
+                        ->send();
+                }),
+
+            Action::make('run')
+                ->label('Run…')
+                ->icon('heroicon-o-play')
+                ->color('danger')
+                ->requiresConfirmation()
+                ->modalHeading('Run: Rebuild Findings Lifecycle')
+                ->modalDescription('This operation may modify customer data. Review the preflight and confirm before running.')
+                ->form($this->findingsRunForm())
+                ->disabled(fn (): bool => ! is_array($this->findingsPreflight) || (int) ($this->findingsPreflight['affected_count'] ?? 0) <= 0)
+                ->action(function (array $data, FindingsLifecycleBackfillRunbookService $runbookService): void {
+                    if (! is_array($this->findingsPreflight) || (int) ($this->findingsPreflight['affected_count'] ?? 0) <= 0) {
+                        throw ValidationException::withMessages([
+                            'preflight' => 'Run preflight first.',
+                        ]);
+                    }
+
+                    $scope = $this->trustedFindingsScopeFromState(app(AllowedTenantUniverse::class));
+
+                    $user = auth('platform')->user();
+
+                    if (! $user instanceof PlatformUser) {
+                        abort(403);
+                    }
+
+                    if (! $user->hasCapability(PlatformCapabilities::RUNBOOKS_RUN)
+                        || ! $user->hasCapability(PlatformCapabilities::RUNBOOKS_FINDINGS_LIFECYCLE_BACKFILL)
+                    ) {
+                        abort(403);
+                    }
+
+                    if ($scope->isAllTenants()) {
+                        $typedConfirmation = (string) ($data['typed_confirmation'] ?? '');
+
+                        if ($typedConfirmation !== 'BACKFILL') {
+                            throw ValidationException::withMessages([
+                                'typed_confirmation' => 'Please type BACKFILL to confirm.',
+                            ]);
+                        }
+                    }
+
+                    $reason = RunbookReason::fromNullableArray([
+                        'reason_code' => $data['reason_code'] ?? null,
+                        'reason_text' => $data['reason_text'] ?? null,
+                    ]);
+
+                    try {
+                        $run = $runbookService->start(
+                            scope: $scope,
+                            initiator: $user,
+                            reason: $reason,
+                            source: 'system_ui',
+                        );
+                    } catch (OperationalControlBlockedException $exception) {
+                        Notification::make()
+                            ->title($exception->title())
+                            ->body($exception->getMessage())
+                            ->warning()
+                            ->send();
+
+                        throw new \Filament\Support\Exceptions\Halt;
+                    }
+
+                    $viewUrl = SystemOperationRunLinks::view($run);
+
+                    $toast = $run->wasRecentlyCreated
+                        ? OperationUxPresenter::queuedToast((string) $run->type)->body('The runbook will execute in the background.')
+                        : OperationUxPresenter::alreadyQueuedToast((string) $run->type);
+
+                    $toast
+                        ->actions([
+                            Action::make('view_run')
+                                ->label('View run')
+                                ->url($viewUrl),
+                        ])
+                        ->send();
+                }),
+        ];
+    }
+
+    /**
+     * @return array<int, \Filament\Schemas\Components\Component>
+     */
+    private function findingsScopeForm(): array
+    {
+        return [
+            Radio::make('scope_mode')
+                ->label('Scope')
+                ->options([
+                    FindingsLifecycleBackfillScope::MODE_ALL_TENANTS => 'All tenants',
+                    FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT => 'Single tenant',
+                ])
+                ->default($this->findingsScopeMode)
+                ->live()
+                ->required(),
+
+            Select::make('tenant_id')
+                ->label('Tenant')
+                ->searchable()
+                ->visible(fn (callable $get): bool => $get('scope_mode') === FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT)
+                ->required(fn (callable $get): bool => $get('scope_mode') === FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT)
+                ->getSearchResultsUsing(function (string $search, AllowedTenantUniverse $universe): array {
+                    return $universe
+                        ->query()
+                        ->where('name', 'like', "%{$search}%")
+                        ->orderBy('name')
+                        ->limit(25)
+                        ->pluck('name', 'id')
+                        ->all();
+                })
+                ->getOptionLabelUsing(function ($value, AllowedTenantUniverse $universe): ?string {
+                    if (! is_numeric($value)) {
+                        return null;
+                    }
+
+                    return $universe
+                        ->query()
+                        ->whereKey((int) $value)
+                        ->value('name');
+                }),
+        ];
+    }
+
+    /**
+     * @return array<int, \Filament\Schemas\Components\Component>
+     */
+    private function findingsRunForm(): array
+    {
+        return [
+            TextInput::make('typed_confirmation')
+                ->label('Type BACKFILL to confirm')
+                ->visible(fn (): bool => $this->findingsScopeMode === FindingsLifecycleBackfillScope::MODE_ALL_TENANTS)
+                ->required(fn (): bool => $this->findingsScopeMode === FindingsLifecycleBackfillScope::MODE_ALL_TENANTS)
+                ->in(['BACKFILL'])
+                ->validationMessages([
+                    'in' => 'Please type BACKFILL to confirm.',
+                ]),
+
+            Select::make('reason_code')
+                ->label('Reason code')
+                ->options(RunbookReason::options())
+                ->required(function (BreakGlassSession $breakGlass): bool {
+                    return $this->findingsScopeMode === FindingsLifecycleBackfillScope::MODE_ALL_TENANTS || $breakGlass->isActive();
+                }),
+
+            Textarea::make('reason_text')
+                ->label('Reason')
+                ->rows(4)
+                ->maxLength(500)
+                ->required(function (BreakGlassSession $breakGlass): bool {
+                    return $this->findingsScopeMode === FindingsLifecycleBackfillScope::MODE_ALL_TENANTS || $breakGlass->isActive();
+                }),
+        ];
+    }
+
+    private function lastRunForType(string $type): ?OperationRun
+    {
+        $platformTenant = Tenant::query()->where('external_id', 'platform')->first();
+
+        if (! $platformTenant instanceof Tenant) {
+            return null;
+        }
+
+        return OperationRun::query()
+            ->where('workspace_id', (int) $platformTenant->workspace_id)
+            ->where('type', $type)
+            ->latest('id')
+            ->first();
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    private function trustedFindingsScopeFromFormData(array $data, AllowedTenantUniverse $allowedTenantUniverse): FindingsLifecycleBackfillScope
+    {
+        $scope = FindingsLifecycleBackfillScope::fromArray([
+            'mode' => $data['scope_mode'] ?? null,
+            'tenant_id' => $data['tenant_id'] ?? null,
+        ]);
+
+        if (! $scope->isSingleTenant()) {
+            return $scope;
+        }
+
+        $tenant = $allowedTenantUniverse->resolveAllowedOrFail($scope->tenantId);
+
+        return FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey());
+    }
+
+    private function trustedFindingsScopeFromState(AllowedTenantUniverse $allowedTenantUniverse): FindingsLifecycleBackfillScope
+    {
+        if ($this->findingsScopeMode !== FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT) {
+            return FindingsLifecycleBackfillScope::allTenants();
+        }
+
+        $tenant = $allowedTenantUniverse->resolveAllowedOrFail($this->findingsTenantId);
+
+        return FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey());
+    }
 }

apps/platform/app/Filament/Widgets/Tenant/TenantReviewPackCard.php

@@ -4,8 +4,6 @@
 
 namespace App\Filament\Widgets\Tenant;
 
-use App\Exceptions\Entitlements\WorkspaceEntitlementBlockedException;
-use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
 use App\Models\OperationRun;
 use App\Models\ReviewPack;
 use App\Models\Tenant;
@@ -20,7 +18,6 @@
 use App\Support\ReviewPackStatus;
 use Filament\Actions\Action;
 use Filament\Facades\Filament;
-use Filament\Notifications\Notification;
 use Filament\Widgets\Widget;
 
 class TenantReviewPackCard extends Widget
@@ -69,26 +66,6 @@ public function generatePack(bool $includePii = true, bool $includeOperations =
         /** @var ReviewPackService $service */
         $service = app(ReviewPackService::class);
 
-        $decision = $service->reviewPackGenerationDecisionForTenant($tenant);
-
-        if ((bool) ($decision['is_blocked'] ?? false)) {
-            Notification::make()
-                ->title('Review pack generation unavailable')
-                ->body((string) ($decision['block_reason'] ?? 'Workspace entitlement currently blocks review pack generation.'))
-                ->warning()
-                ->send();
-
-            return;
-        }
-
-        if ((bool) ($decision['is_warning'] ?? false) && is_string($decision['warning_reason'] ?? null)) {
-            Notification::make()
-                ->title('Review pack generation allowed with warning')
-                ->body($decision['warning_reason'])
-                ->warning()
-                ->send();
-        }
-
         $activeRun = $service->checkActiveRun($tenant)
             ? OperationRun::query()
                 ->where('tenant_id', (int) $tenant->getKey())
@@ -113,20 +90,10 @@ public function generatePack(bool $includePii = true, bool $includeOperations =
             return;
         }
 
-        try {
-            $reviewPack = $service->generate($tenant, $user, [
-                'include_pii' => $includePii,
-                'include_operations' => $includeOperations,
-            ]);
-        } catch (WorkspaceEntitlementBlockedException $exception) {
-            Notification::make()
-                ->title('Review pack generation unavailable')
-                ->body($exception->getMessage())
-                ->warning()
-                ->send();
-
-            return;
-        }
+        $reviewPack = $service->generate($tenant, $user, [
+            'include_pii' => $includePii,
+            'include_operations' => $includeOperations,
+        ]);
 
         $runUrl = $reviewPack->operationRun
             ? OperationRunLinks::tenantlessView($reviewPack->operationRun)
@@ -163,17 +130,6 @@ protected function getViewData(): array
         $isTenantMember = $user instanceof User && $user->canAccessTenant($tenant);
         $canView = $isTenantMember && $user->can(Capabilities::REVIEW_PACK_VIEW, $tenant);
         $canManage = $isTenantMember && $user->can(Capabilities::REVIEW_PACK_MANAGE, $tenant);
-        $service = app(ReviewPackService::class);
-        $generationEntitlement = $canManage
-            ? $service->reviewPackGenerationDecisionForTenant($tenant)
-            : null;
-        $generationBlocked = (bool) ($generationEntitlement['is_blocked'] ?? false);
-        $generationBlockReason = is_string($generationEntitlement['block_reason'] ?? null)
-            ? $generationEntitlement['block_reason']
-            : null;
-        $generationWarningReason = is_string($generationEntitlement['warning_reason'] ?? null)
-            ? $generationEntitlement['warning_reason']
-            : null;
 
         $latestPack = ReviewPack::query()
             ->with(['tenantReview', 'operationRun'])
@@ -190,10 +146,6 @@ protected function getViewData(): array
                 'pollingInterval' => null,
                 'canView' => $canView,
                 'canManage' => $canManage,
-                'generationBlocked' => $generationBlocked,
-                'generationBlockReason' => $generationBlockReason,
-                'generationWarningReason' => $generationWarningReason,
-                'customerWorkspaceUrl' => $canView ? CustomerReviewWorkspace::tenantPrefilterUrl($tenant) : null,
                 'downloadUrl' => null,
                 'failedReason' => null,
                 'reviewUrl' => null,
@@ -242,10 +194,6 @@ protected function getViewData(): array
             'pollingInterval' => self::resolvePollingInterval($latestPack),
             'canView' => $canView,
             'canManage' => $canManage,
-            'generationBlocked' => $generationBlocked,
-            'generationBlockReason' => $generationBlockReason,
-            'generationWarningReason' => $generationWarningReason,
-            'customerWorkspaceUrl' => $canView ? CustomerReviewWorkspace::tenantPrefilterUrl($tenant) : null,
             'downloadUrl' => $downloadUrl,
             'failedReason' => $failedReason,
             'failedReasonDetail' => $failedReasonDetail,
@@ -276,10 +224,6 @@ private function emptyState(): array
             'pollingInterval' => null,
             'canView' => false,
             'canManage' => false,
-            'generationBlocked' => false,
-            'generationBlockReason' => null,
-            'generationWarningReason' => null,
-            'customerWorkspaceUrl' => null,
             'downloadUrl' => null,
             'failedReason' => null,
             'failedReasonDetail' => null,

apps/platform/app/Http/Controllers/LocalizationController.php

@@ -1,80 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Http\Controllers;
-
-use App\Models\User;
-use App\Services\Localization\LocaleResolver;
-use Illuminate\Http\RedirectResponse;
-use Illuminate\Http\JsonResponse;
-use Illuminate\Http\Request;
-use Illuminate\Http\Response;
-use Illuminate\Support\Facades\App;
-use Illuminate\Validation\ValidationException;
-
-class LocalizationController extends Controller
-{
-    public function context(Request $request, LocaleResolver $resolver): JsonResponse
-    {
-        $plane = $request->query('plane');
-        $context = $request->attributes->get(LocaleResolver::REQUEST_ATTRIBUTE);
-
-        if (is_string($plane) && $plane !== '') {
-            $context = $resolver->resolve($request, $plane);
-        }
-
-        return response()->json(is_array($context) ? $context : $resolver->resolve($request));
-    }
-
-    public function updateOverride(Request $request): RedirectResponse
-    {
-        $locale = LocaleResolver::normalize($request->input('locale'));
-
-        if ($locale === null) {
-            throw ValidationException::withMessages([
-                'locale' => [__('localization.validation.unsupported_locale')],
-            ]);
-        }
-
-        $request->session()->put(LocaleResolver::SESSION_OVERRIDE_KEY, $locale);
-        App::setLocale($locale);
-
-        return back()->with('status', __('localization.notifications.locale_override_saved'));
-    }
-
-    public function clearOverride(Request $request, LocaleResolver $resolver): RedirectResponse
-    {
-        $request->session()->forget(LocaleResolver::SESSION_OVERRIDE_KEY);
-        App::setLocale($resolver->resolve($request)['locale']);
-
-        return back()->with('status', __('localization.notifications.locale_override_cleared'));
-    }
-
-    public function updateUserPreference(Request $request, LocaleResolver $resolver): RedirectResponse
-    {
-        $user = $request->user();
-
-        abort_unless($user instanceof User, Response::HTTP_NOT_FOUND);
-
-        $rawLocale = $request->input('preferred_locale');
-        $locale = $rawLocale === null || $rawLocale === ''
-            ? null
-            : LocaleResolver::normalize($rawLocale);
-
-        if ($rawLocale !== null && $rawLocale !== '' && $locale === null) {
-            throw ValidationException::withMessages([
-                'preferred_locale' => [__('localization.validation.unsupported_locale')],
-            ]);
-        }
-
-        $user->forceFill(['preferred_locale' => $locale])->save();
-        $user->refresh();
-
-        App::setLocale($resolver->resolve($request)['locale']);
-
-        return back()->with('status', $locale === null
-            ? __('localization.notifications.user_preference_cleared')
-            : __('localization.notifications.user_preference_saved'));
-    }
-}

apps/platform/app/Http/Controllers/ReviewPackDownloadController.php

@@ -4,12 +4,7 @@
 
 namespace App\Http\Controllers;
 
-use App\Models\Tenant;
 use App\Models\ReviewPack;
-use App\Models\User;
-use App\Services\Audit\WorkspaceAuditLogger;
-use App\Support\Audit\AuditActionId;
-use App\Support\Auth\Capabilities;
 use App\Support\ReviewPackStatus;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Storage;
@@ -20,21 +15,6 @@ class ReviewPackDownloadController extends Controller
 {
     public function __invoke(Request $request, ReviewPack $reviewPack): StreamedResponse
     {
-        $user = $request->user();
-        $tenant = $reviewPack->tenant;
-
-        if (! $user instanceof User || ! $tenant instanceof Tenant) {
-            throw new NotFoundHttpException;
-        }
-
-        if (! $user->canAccessTenant($tenant)) {
-            throw new NotFoundHttpException;
-        }
-
-        if (! $user->can(Capabilities::REVIEW_PACK_VIEW, $tenant)) {
-            abort(403);
-        }
-
         if ($reviewPack->status !== ReviewPackStatus::Ready->value) {
             throw new NotFoundHttpException;
         }
@@ -49,26 +29,7 @@ public function __invoke(Request $request, ReviewPack $reviewPack): StreamedResp
             throw new NotFoundHttpException;
         }
 
-        app(WorkspaceAuditLogger::class)->log(
-            workspace: $tenant->workspace,
-            action: AuditActionId::ReviewPackDownloaded,
-            context: [
-                'metadata' => [
-                    'review_pack_id' => (int) $reviewPack->getKey(),
-                    'tenant_review_id' => $reviewPack->tenant_review_id !== null
-                        ? (int) $reviewPack->tenant_review_id
-                        : null,
-                    'source_surface' => (string) $request->query('source_surface', 'review_pack'),
-                ],
-            ],
-            actor: $user,
-            resourceType: 'review_pack',
-            resourceId: (string) $reviewPack->getKey(),
-            targetLabel: sprintf('Review pack #%d', (int) $reviewPack->getKey()),
-            tenant: $tenant,
-            operationRunId: $reviewPack->operation_run_id,
-        );
-
+        $tenant = $reviewPack->tenant;
         $filename = sprintf(
             'review-pack-%s-%s.zip',
             $tenant?->external_id ?? 'unknown',

apps/platform/app/Http/Middleware/ApplyResolvedLocale.php

@@ -1,29 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Http\Middleware;
-
-use App\Services\Localization\LocaleResolver;
-use Closure;
-use Illuminate\Http\Request;
-use Illuminate\Support\Carbon;
-use Illuminate\Support\Facades\App;
-use Symfony\Component\HttpFoundation\Response;
-
-class ApplyResolvedLocale
-{
-    public function __construct(private LocaleResolver $resolver) {}
-
-    public function handle(Request $request, Closure $next, ?string $plane = null): Response
-    {
-        $context = $this->resolver->resolve($request, $plane);
-
-        App::setLocale($context['locale']);
-        Carbon::setLocale($context['locale']);
-
-        $request->attributes->set(LocaleResolver::REQUEST_ATTRIBUTE, $context);
-
-        return $next($request);
-    }
-}

apps/platform/app/Jobs/BackfillFindingLifecycleJob.php

@@ -0,0 +1,398 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Jobs;
+
+use App\Models\Finding;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Services\Findings\FindingSlaPolicy;
+use App\Services\OperationRunService;
+use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
+use App\Support\OperationRunOutcome;
+use App\Support\OperationRunStatus;
+use App\Support\OpsUx\RunFailureSanitizer;
+use Carbon\CarbonImmutable;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Cache;
+use Throwable;
+
+class BackfillFindingLifecycleJob implements ShouldQueue
+{
+    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
+
+    public function __construct(
+        public readonly int $tenantId,
+        public readonly int $workspaceId,
+        public readonly ?int $initiatorUserId = null,
+    ) {}
+
+    public function handle(
+        OperationRunService $operationRuns,
+        FindingSlaPolicy $slaPolicy,
+        FindingsLifecycleBackfillRunbookService $runbookService,
+    ): void {
+        $tenant = Tenant::query()->find($this->tenantId);
+
+        if (! $tenant instanceof Tenant) {
+            return;
+        }
+
+        $initiator = $this->initiatorUserId !== null
+            ? User::query()->find($this->initiatorUserId)
+            : null;
+
+        $operationRun = $operationRuns->ensureRunWithIdentity(
+            tenant: $tenant,
+            type: 'findings.lifecycle.backfill',
+            identityInputs: [
+                'tenant_id' => $this->tenantId,
+                'trigger' => 'backfill',
+            ],
+            context: [
+                'workspace_id' => $this->workspaceId,
+                'initiator_user_id' => $this->initiatorUserId,
+            ],
+            initiator: $initiator instanceof User ? $initiator : null,
+        );
+
+        $lock = Cache::lock(sprintf('tenantpilot:findings:lifecycle_backfill:tenant:%d', $this->tenantId), 900);
+
+        if (! $lock->get()) {
+            if ($operationRun->status !== OperationRunStatus::Completed->value) {
+                $operationRuns->updateRun(
+                    $operationRun,
+                    status: OperationRunStatus::Completed->value,
+                    outcome: OperationRunOutcome::Blocked->value,
+                    failures: [
+                        [
+                            'code' => 'findings.lifecycle.backfill.lock_busy',
+                            'message' => 'Another findings lifecycle backfill is already running for this tenant.',
+                        ],
+                    ],
+                );
+            }
+
+            $runbookService->maybeFinalize($operationRun);
+
+            return;
+        }
+
+        try {
+            $total = (int) Finding::query()
+                ->where('tenant_id', $tenant->getKey())
+                ->count();
+
+            $operationRuns->updateRun(
+                $operationRun,
+                status: OperationRunStatus::Running->value,
+                outcome: OperationRunOutcome::Pending->value,
+                summaryCounts: [
+                    'total' => $total,
+                    'processed' => 0,
+                    'updated' => 0,
+                    'skipped' => 0,
+                    'failed' => 0,
+                ],
+            );
+
+            $operationRun->refresh();
+
+            $backfillStartedAt = $operationRun->started_at !== null
+                ? CarbonImmutable::instance($operationRun->started_at)
+                : CarbonImmutable::now('UTC');
+
+            Finding::query()
+                ->where('tenant_id', $tenant->getKey())
+                ->orderBy('id')
+                ->chunkById(200, function (Collection $findings) use ($tenant, $slaPolicy, $operationRuns, $operationRun, $backfillStartedAt): void {
+                    $processed = 0;
+                    $updated = 0;
+                    $skipped = 0;
+
+                    foreach ($findings as $finding) {
+                        if (! $finding instanceof Finding) {
+                            continue;
+                        }
+
+                        $processed++;
+
+                        $originalAttributes = $finding->getAttributes();
+
+                        $this->backfillLifecycleFields($finding, $backfillStartedAt);
+                        $this->backfillLegacyAcknowledgedStatus($finding);
+                        $this->backfillSlaFields($finding, $tenant, $slaPolicy, $backfillStartedAt);
+                        $this->backfillDriftRecurrenceKey($finding);
+
+                        if ($finding->isDirty()) {
+                            $finding->save();
+                            $updated++;
+                        } else {
+                            $finding->setRawAttributes($originalAttributes, sync: true);
+                            $skipped++;
+                        }
+                    }
+
+                    $operationRuns->incrementSummaryCounts($operationRun, [
+                        'processed' => $processed,
+                        'updated' => $updated,
+                        'skipped' => $skipped,
+                    ]);
+                });
+
+            $consolidatedDuplicates = $this->consolidateDriftDuplicates($tenant, $backfillStartedAt);
+
+            if ($consolidatedDuplicates > 0) {
+                $operationRuns->incrementSummaryCounts($operationRun, [
+                    'updated' => $consolidatedDuplicates,
+                ]);
+            }
+
+            $operationRuns->updateRun(
+                $operationRun,
+                status: OperationRunStatus::Completed->value,
+                outcome: OperationRunOutcome::Succeeded->value,
+            );
+
+            $runbookService->maybeFinalize($operationRun);
+        } catch (Throwable $e) {
+            $message = RunFailureSanitizer::sanitizeMessage($e->getMessage());
+            $reasonCode = RunFailureSanitizer::normalizeReasonCode($e->getMessage());
+
+            $operationRuns->updateRun(
+                $operationRun,
+                status: OperationRunStatus::Completed->value,
+                outcome: OperationRunOutcome::Failed->value,
+                failures: [[
+                    'code' => 'findings.lifecycle.backfill.failed',
+                    'reason_code' => $reasonCode,
+                    'message' => $message !== '' ? $message : 'Findings lifecycle backfill failed.',
+                ]],
+            );
+
+            $runbookService->maybeFinalize($operationRun);
+
+            throw $e;
+        } finally {
+            $lock->release();
+        }
+    }
+
+    private function backfillLifecycleFields(Finding $finding, CarbonImmutable $backfillStartedAt): void
+    {
+        $createdAt = $finding->created_at !== null ? CarbonImmutable::instance($finding->created_at) : $backfillStartedAt;
+
+        if ($finding->first_seen_at === null) {
+            $finding->first_seen_at = $createdAt;
+        }
+
+        if ($finding->last_seen_at === null) {
+            $finding->last_seen_at = $createdAt;
+        }
+
+        if ($finding->last_seen_at !== null && $finding->first_seen_at !== null) {
+            $lastSeen = CarbonImmutable::instance($finding->last_seen_at);
+            $firstSeen = CarbonImmutable::instance($finding->first_seen_at);
+
+            if ($lastSeen->lessThan($firstSeen)) {
+                $finding->last_seen_at = $firstSeen;
+            }
+        }
+
+        $timesSeen = is_numeric($finding->times_seen) ? (int) $finding->times_seen : 0;
+
+        if ($timesSeen < 1) {
+            $finding->times_seen = 1;
+        }
+    }
+
+    private function backfillLegacyAcknowledgedStatus(Finding $finding): void
+    {
+        if ($finding->status !== Finding::STATUS_ACKNOWLEDGED) {
+            return;
+        }
+
+        $finding->status = Finding::STATUS_TRIAGED;
+
+        if ($finding->triaged_at === null) {
+            if ($finding->acknowledged_at !== null) {
+                $finding->triaged_at = CarbonImmutable::instance($finding->acknowledged_at);
+            } elseif ($finding->created_at !== null) {
+                $finding->triaged_at = CarbonImmutable::instance($finding->created_at);
+            }
+        }
+    }
+
+    private function backfillSlaFields(
+        Finding $finding,
+        Tenant $tenant,
+        FindingSlaPolicy $slaPolicy,
+        CarbonImmutable $backfillStartedAt,
+    ): void {
+        if (! Finding::isOpenStatus((string) $finding->status)) {
+            return;
+        }
+
+        if ($finding->sla_days === null) {
+            $finding->sla_days = $slaPolicy->daysForSeverity((string) $finding->severity, $tenant);
+        }
+
+        if ($finding->due_at === null) {
+            $finding->due_at = $slaPolicy->dueAtForSeverity((string) $finding->severity, $tenant, $backfillStartedAt);
+        }
+    }
+
+    private function backfillDriftRecurrenceKey(Finding $finding): void
+    {
+        if ($finding->finding_type !== Finding::FINDING_TYPE_DRIFT) {
+            return;
+        }
+
+        if ($finding->recurrence_key !== null && trim((string) $finding->recurrence_key) !== '') {
+            return;
+        }
+
+        $tenantId = (int) ($finding->tenant_id ?? 0);
+        $scopeKey = (string) ($finding->scope_key ?? '');
+        $subjectType = (string) ($finding->subject_type ?? '');
+        $subjectExternalId = (string) ($finding->subject_external_id ?? '');
+
+        if ($tenantId <= 0 || $scopeKey === '' || $subjectType === '' || $subjectExternalId === '') {
+            return;
+        }
+
+        $evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];
+        $kind = Arr::get($evidence, 'summary.kind');
+        $changeType = Arr::get($evidence, 'change_type');
+
+        $kind = is_string($kind) ? $kind : '';
+        $changeType = is_string($changeType) ? $changeType : '';
+
+        if ($kind === '') {
+            return;
+        }
+
+        $dimension = $this->recurrenceDimension($kind, $changeType);
+
+        $finding->recurrence_key = hash('sha256', sprintf(
+            'drift:%d:%s:%s:%s:%s',
+            $tenantId,
+            $scopeKey,
+            $subjectType,
+            $subjectExternalId,
+            $dimension,
+        ));
+    }
+
+    private function recurrenceDimension(string $kind, string $changeType): string
+    {
+        $kind = strtolower(trim($kind));
+        $changeType = strtolower(trim($changeType));
+
+        return match ($kind) {
+            'policy_snapshot', 'baseline_compare' => sprintf('%s:%s', $kind, $changeType !== '' ? $changeType : 'modified'),
+            default => $kind,
+        };
+    }
+
+    private function consolidateDriftDuplicates(Tenant $tenant, CarbonImmutable $backfillStartedAt): int
+    {
+        $duplicateKeys = Finding::query()
+            ->where('tenant_id', $tenant->getKey())
+            ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
+            ->whereNotNull('recurrence_key')
+            ->select(['recurrence_key'])
+            ->groupBy('recurrence_key')
+            ->havingRaw('COUNT(*) > 1')
+            ->pluck('recurrence_key')
+            ->filter(static fn (mixed $value): bool => is_string($value) && trim($value) !== '')
+            ->values();
+
+        if ($duplicateKeys->isEmpty()) {
+            return 0;
+        }
+
+        $consolidated = 0;
+
+        foreach ($duplicateKeys as $recurrenceKey) {
+            if (! is_string($recurrenceKey) || $recurrenceKey === '') {
+                continue;
+            }
+
+            $findings = Finding::query()
+                ->where('tenant_id', $tenant->getKey())
+                ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
+                ->where('recurrence_key', $recurrenceKey)
+                ->orderBy('id')
+                ->get();
+
+            $canonical = $this->chooseCanonicalDriftFinding($findings, $recurrenceKey);
+
+            foreach ($findings as $finding) {
+                if (! $finding instanceof Finding) {
+                    continue;
+                }
+
+                if ($canonical instanceof Finding && (int) $finding->getKey() === (int) $canonical->getKey()) {
+                    continue;
+                }
+
+                $finding->forceFill([
+                    'status' => Finding::STATUS_CLOSED,
+                    'resolved_at' => null,
+                    'resolved_reason' => null,
+                    'closed_at' => $backfillStartedAt,
+                    'closed_reason' => Finding::CLOSE_REASON_DUPLICATE,
+                    'closed_by_user_id' => null,
+                    'recurrence_key' => null,
+                ])->save();
+
+                $consolidated++;
+            }
+        }
+
+        return $consolidated;
+    }
+
+    /**
+     * @param  Collection<int, Finding>  $findings
+     */
+    private function chooseCanonicalDriftFinding(Collection $findings, string $recurrenceKey): ?Finding
+    {
+        if ($findings->isEmpty()) {
+            return null;
+        }
+
+        $openCandidates = $findings->filter(static fn (Finding $finding): bool => Finding::isOpenStatus((string) $finding->status));
+
+        $candidates = $openCandidates->isNotEmpty() ? $openCandidates : $findings;
+
+        $alreadyCanonical = $candidates->first(static fn (Finding $finding): bool => (string) $finding->fingerprint === $recurrenceKey);
+
+        if ($alreadyCanonical instanceof Finding) {
+            return $alreadyCanonical;
+        }
+
+        /** @var Finding $sorted */
+        $sorted = $candidates
+            ->sortByDesc(function (Finding $finding): array {
+                $lastSeen = $finding->last_seen_at !== null ? CarbonImmutable::instance($finding->last_seen_at)->getTimestamp() : 0;
+                $createdAt = $finding->created_at !== null ? CarbonImmutable::instance($finding->created_at)->getTimestamp() : 0;
+
+                return [
+                    max($lastSeen, $createdAt),
+                    (int) $finding->getKey(),
+                ];
+            })
+            ->first();
+
+        return $sorted;
+    }
+}

apps/platform/app/Jobs/BackfillFindingLifecycleTenantIntoWorkspaceRunJob.php

@@ -0,0 +1,378 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Jobs;
+
+use App\Models\Finding;
+use App\Models\OperationRun;
+use App\Models\Tenant;
+use App\Services\Findings\FindingSlaPolicy;
+use App\Services\OperationRunService;
+use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
+use App\Support\OpsUx\RunFailureSanitizer;
+use Carbon\CarbonImmutable;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Cache;
+use Throwable;
+
+class BackfillFindingLifecycleTenantIntoWorkspaceRunJob implements ShouldQueue
+{
+    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
+
+    public function __construct(
+        public readonly int $operationRunId,
+        public readonly int $workspaceId,
+        public readonly int $tenantId,
+    ) {}
+
+    public function handle(
+        OperationRunService $operationRunService,
+        FindingSlaPolicy $slaPolicy,
+        FindingsLifecycleBackfillRunbookService $runbookService,
+    ): void {
+        $tenant = Tenant::query()->find($this->tenantId);
+
+        if (! $tenant instanceof Tenant) {
+            return;
+        }
+
+        if ((int) $tenant->workspace_id !== $this->workspaceId) {
+            return;
+        }
+
+        $run = OperationRun::query()->find($this->operationRunId);
+
+        if (! $run instanceof OperationRun) {
+            return;
+        }
+
+        if ((int) $run->workspace_id !== $this->workspaceId) {
+            return;
+        }
+
+        if ($run->tenant_id !== null) {
+            return;
+        }
+
+        if ($run->status === 'queued') {
+            $operationRunService->updateRun($run, status: 'running');
+        }
+
+        $lock = Cache::lock(sprintf('tenantpilot:findings:lifecycle_backfill:tenant:%d', $this->tenantId), 900);
+
+        if (! $lock->get()) {
+            $operationRunService->appendFailures($run, [
+                [
+                    'code' => 'findings.lifecycle.backfill.lock_busy',
+                    'message' => sprintf('Tenant %d is already running a findings lifecycle backfill.', $this->tenantId),
+                ],
+            ]);
+
+            $operationRunService->incrementSummaryCounts($run, [
+                'failed' => 1,
+                'processed' => 1,
+            ]);
+
+            $operationRunService->maybeCompleteBulkRun($run);
+            $runbookService->maybeFinalize($run);
+
+            return;
+        }
+
+        try {
+            $backfillStartedAt = $run->started_at !== null
+                ? CarbonImmutable::instance($run->started_at)
+                : CarbonImmutable::now('UTC');
+
+            Finding::query()
+                ->where('tenant_id', $tenant->getKey())
+                ->orderBy('id')
+                ->chunkById(200, function (Collection $findings) use ($tenant, $slaPolicy, $operationRunService, $run, $backfillStartedAt): void {
+                    $updated = 0;
+                    $skipped = 0;
+
+                    foreach ($findings as $finding) {
+                        if (! $finding instanceof Finding) {
+                            continue;
+                        }
+
+                        $originalAttributes = $finding->getAttributes();
+
+                        $this->backfillLifecycleFields($finding, $backfillStartedAt);
+                        $this->backfillLegacyAcknowledgedStatus($finding);
+                        $this->backfillSlaFields($finding, $tenant, $slaPolicy, $backfillStartedAt);
+                        $this->backfillDriftRecurrenceKey($finding);
+
+                        if ($finding->isDirty()) {
+                            $finding->save();
+                            $updated++;
+                        } else {
+                            $finding->setRawAttributes($originalAttributes, sync: true);
+                            $skipped++;
+                        }
+                    }
+
+                    if ($updated > 0 || $skipped > 0) {
+                        $operationRunService->incrementSummaryCounts($run, [
+                            'updated' => $updated,
+                            'skipped' => $skipped,
+                        ]);
+                    }
+                });
+
+            $consolidatedDuplicates = $this->consolidateDriftDuplicates($tenant, $backfillStartedAt);
+
+            if ($consolidatedDuplicates > 0) {
+                $operationRunService->incrementSummaryCounts($run, [
+                    'updated' => $consolidatedDuplicates,
+                ]);
+            }
+
+            $operationRunService->incrementSummaryCounts($run, [
+                'processed' => 1,
+            ]);
+
+            $operationRunService->maybeCompleteBulkRun($run);
+            $runbookService->maybeFinalize($run);
+        } catch (Throwable $e) {
+            $message = RunFailureSanitizer::sanitizeMessage($e->getMessage());
+            $reasonCode = RunFailureSanitizer::normalizeReasonCode($e->getMessage());
+
+            $operationRunService->appendFailures($run, [[
+                'code' => 'findings.lifecycle.backfill.failed',
+                'reason_code' => $reasonCode,
+                'message' => $message !== '' ? $message : sprintf('Tenant %d findings lifecycle backfill failed.', $this->tenantId),
+            ]]);
+
+            $operationRunService->incrementSummaryCounts($run, [
+                'failed' => 1,
+                'processed' => 1,
+            ]);
+
+            $operationRunService->maybeCompleteBulkRun($run);
+            $runbookService->maybeFinalize($run);
+
+            throw $e;
+        } finally {
+            $lock->release();
+        }
+    }
+
+    private function backfillLifecycleFields(Finding $finding, CarbonImmutable $backfillStartedAt): void
+    {
+        $createdAt = $finding->created_at !== null ? CarbonImmutable::instance($finding->created_at) : $backfillStartedAt;
+
+        if ($finding->first_seen_at === null) {
+            $finding->first_seen_at = $createdAt;
+        }
+
+        if ($finding->last_seen_at === null) {
+            $finding->last_seen_at = $createdAt;
+        }
+
+        if ($finding->last_seen_at !== null && $finding->first_seen_at !== null) {
+            $lastSeen = CarbonImmutable::instance($finding->last_seen_at);
+            $firstSeen = CarbonImmutable::instance($finding->first_seen_at);
+
+            if ($lastSeen->lessThan($firstSeen)) {
+                $finding->last_seen_at = $firstSeen;
+            }
+        }
+
+        $timesSeen = is_numeric($finding->times_seen) ? (int) $finding->times_seen : 0;
+
+        if ($timesSeen < 1) {
+            $finding->times_seen = 1;
+        }
+    }
+
+    private function backfillLegacyAcknowledgedStatus(Finding $finding): void
+    {
+        if ($finding->status !== Finding::STATUS_ACKNOWLEDGED) {
+            return;
+        }
+
+        $finding->status = Finding::STATUS_TRIAGED;
+
+        if ($finding->triaged_at === null) {
+            if ($finding->acknowledged_at !== null) {
+                $finding->triaged_at = CarbonImmutable::instance($finding->acknowledged_at);
+            } elseif ($finding->created_at !== null) {
+                $finding->triaged_at = CarbonImmutable::instance($finding->created_at);
+            }
+        }
+    }
+
+    private function backfillSlaFields(
+        Finding $finding,
+        Tenant $tenant,
+        FindingSlaPolicy $slaPolicy,
+        CarbonImmutable $backfillStartedAt,
+    ): void {
+        if (! Finding::isOpenStatus((string) $finding->status)) {
+            return;
+        }
+
+        if ($finding->sla_days === null) {
+            $finding->sla_days = $slaPolicy->daysForSeverity((string) $finding->severity, $tenant);
+        }
+
+        if ($finding->due_at === null) {
+            $finding->due_at = $slaPolicy->dueAtForSeverity((string) $finding->severity, $tenant, $backfillStartedAt);
+        }
+    }
+
+    private function backfillDriftRecurrenceKey(Finding $finding): void
+    {
+        if ($finding->finding_type !== Finding::FINDING_TYPE_DRIFT) {
+            return;
+        }
+
+        if ($finding->recurrence_key !== null && trim((string) $finding->recurrence_key) !== '') {
+            return;
+        }
+
+        $tenantId = (int) ($finding->tenant_id ?? 0);
+        $scopeKey = (string) ($finding->scope_key ?? '');
+        $subjectType = (string) ($finding->subject_type ?? '');
+        $subjectExternalId = (string) ($finding->subject_external_id ?? '');
+
+        if ($tenantId <= 0 || $scopeKey === '' || $subjectType === '' || $subjectExternalId === '') {
+            return;
+        }
+
+        $evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];
+        $kind = Arr::get($evidence, 'summary.kind');
+        $changeType = Arr::get($evidence, 'change_type');
+
+        $kind = is_string($kind) ? $kind : '';
+        $changeType = is_string($changeType) ? $changeType : '';
+
+        if ($kind === '') {
+            return;
+        }
+
+        $dimension = $this->recurrenceDimension($kind, $changeType);
+
+        $finding->recurrence_key = hash('sha256', sprintf(
+            'drift:%d:%s:%s:%s:%s',
+            $tenantId,
+            $scopeKey,
+            $subjectType,
+            $subjectExternalId,
+            $dimension,
+        ));
+    }
+
+    private function recurrenceDimension(string $kind, string $changeType): string
+    {
+        $kind = strtolower(trim($kind));
+        $changeType = strtolower(trim($changeType));
+
+        return match ($kind) {
+            'policy_snapshot', 'baseline_compare' => sprintf('%s:%s', $kind, $changeType !== '' ? $changeType : 'modified'),
+            default => $kind,
+        };
+    }
+
+    private function consolidateDriftDuplicates(Tenant $tenant, CarbonImmutable $backfillStartedAt): int
+    {
+        $duplicateKeys = Finding::query()
+            ->where('tenant_id', $tenant->getKey())
+            ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
+            ->whereNotNull('recurrence_key')
+            ->select(['recurrence_key'])
+            ->groupBy('recurrence_key')
+            ->havingRaw('COUNT(*) > 1')
+            ->pluck('recurrence_key')
+            ->filter(static fn (mixed $value): bool => is_string($value) && trim($value) !== '')
+            ->values();
+
+        if ($duplicateKeys->isEmpty()) {
+            return 0;
+        }
+
+        $consolidated = 0;
+
+        foreach ($duplicateKeys as $recurrenceKey) {
+            if (! is_string($recurrenceKey) || $recurrenceKey === '') {
+                continue;
+            }
+
+            $findings = Finding::query()
+                ->where('tenant_id', $tenant->getKey())
+                ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
+                ->where('recurrence_key', $recurrenceKey)
+                ->orderBy('id')
+                ->get();
+
+            $canonical = $this->chooseCanonicalDriftFinding($findings, $recurrenceKey);
+
+            foreach ($findings as $finding) {
+                if (! $finding instanceof Finding) {
+                    continue;
+                }
+
+                if ($canonical instanceof Finding && (int) $finding->getKey() === (int) $canonical->getKey()) {
+                    continue;
+                }
+
+                $finding->forceFill([
+                    'status' => Finding::STATUS_CLOSED,
+                    'resolved_at' => null,
+                    'resolved_reason' => null,
+                    'closed_at' => $backfillStartedAt,
+                    'closed_reason' => Finding::CLOSE_REASON_DUPLICATE,
+                    'closed_by_user_id' => null,
+                    'recurrence_key' => null,
+                ])->save();
+
+                $consolidated++;
+            }
+        }
+
+        return $consolidated;
+    }
+
+    /**
+     * @param  Collection<int, Finding>  $findings
+     */
+    private function chooseCanonicalDriftFinding(Collection $findings, string $recurrenceKey): ?Finding
+    {
+        if ($findings->isEmpty()) {
+            return null;
+        }
+
+        $openCandidates = $findings->filter(static fn (Finding $finding): bool => Finding::isOpenStatus((string) $finding->status));
+
+        $candidates = $openCandidates->isNotEmpty() ? $openCandidates : $findings;
+
+        $alreadyCanonical = $candidates->first(static fn (Finding $finding): bool => (string) $finding->fingerprint === $recurrenceKey);
+
+        if ($alreadyCanonical instanceof Finding) {
+            return $alreadyCanonical;
+        }
+
+        /** @var Finding $sorted */
+        $sorted = $candidates
+            ->sortByDesc(function (Finding $finding): array {
+                $lastSeen = $finding->last_seen_at !== null ? CarbonImmutable::instance($finding->last_seen_at)->getTimestamp() : 0;
+                $createdAt = $finding->created_at !== null ? CarbonImmutable::instance($finding->created_at)->getTimestamp() : 0;
+
+                return [
+                    max($lastSeen, $createdAt),
+                    (int) $finding->getKey(),
+                ];
+            })
+            ->first();
+
+        return $sorted;
+    }
+}

apps/platform/app/Jobs/BackfillFindingLifecycleWorkspaceJob.php

@@ -0,0 +1,95 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Jobs;
+
+use App\Models\OperationRun;
+use App\Services\OperationRunService;
+use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
+use App\Services\System\AllowedTenantUniverse;
+use App\Support\OperationRunOutcome;
+use App\Support\OperationRunStatus;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Queue\SerializesModels;
+
+class BackfillFindingLifecycleWorkspaceJob implements ShouldQueue
+{
+    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
+
+    public function __construct(
+        public readonly int $operationRunId,
+        public readonly int $workspaceId,
+    ) {}
+
+    public function handle(
+        OperationRunService $operationRunService,
+        AllowedTenantUniverse $allowedTenantUniverse,
+        FindingsLifecycleBackfillRunbookService $runbookService,
+    ): void {
+        $run = OperationRun::query()->find($this->operationRunId);
+
+        if (! $run instanceof OperationRun) {
+            return;
+        }
+
+        if ((int) $run->workspace_id !== $this->workspaceId) {
+            return;
+        }
+
+        if ($run->tenant_id !== null) {
+            return;
+        }
+
+        $tenantIds = $allowedTenantUniverse
+            ->query()
+            ->where('workspace_id', $this->workspaceId)
+            ->orderBy('id')
+            ->pluck('id')
+            ->map(static fn (mixed $id): int => (int) $id)
+            ->all();
+
+        $tenantCount = count($tenantIds);
+
+        $operationRunService->updateRun(
+            $run,
+            status: OperationRunStatus::Running->value,
+            outcome: OperationRunOutcome::Pending->value,
+            summaryCounts: [
+                'tenants' => $tenantCount,
+                'total' => $tenantCount,
+                'processed' => 0,
+                'updated' => 0,
+                'skipped' => 0,
+                'failed' => 0,
+            ],
+        );
+
+        if ($tenantCount === 0) {
+            $operationRunService->updateRun(
+                $run,
+                status: OperationRunStatus::Completed->value,
+                outcome: OperationRunOutcome::Succeeded->value,
+            );
+
+            $runbookService->maybeFinalize($run);
+
+            return;
+        }
+
+        foreach ($tenantIds as $tenantId) {
+            if ($tenantId <= 0) {
+                continue;
+            }
+
+            BackfillFindingLifecycleTenantIntoWorkspaceRunJob::dispatch(
+                operationRunId: (int) $run->getKey(),
+                workspaceId: $this->workspaceId,
+                tenantId: $tenantId,
+            );
+        }
+    }
+}

apps/platform/app/Jobs/CompareBaselineToTenantJob.php

@@ -1871,11 +1871,8 @@ private function upsertFindings(
             } else {
                 $this->observeFinding(
                     finding: $finding,
-                    tenant: $tenant,
                     observedAt: $observedAt,
                     currentOperationRunId: (int) $this->operationRun->getKey(),
-                    severity: (string) $driftItem['severity'],
-                    slaPolicy: $slaPolicy,
                 );
             }
 
@@ -1950,21 +1947,12 @@ private function upsertFindings(
         ];
     }
 
-    private function observeFinding(
-        Finding $finding,
-        Tenant $tenant,
-        CarbonImmutable $observedAt,
-        int $currentOperationRunId,
-        string $severity,
-        FindingSlaPolicy $slaPolicy,
-    ): void
+    private function observeFinding(Finding $finding, CarbonImmutable $observedAt, int $currentOperationRunId): void
     {
         if ($finding->first_seen_at === null) {
             $finding->first_seen_at = $observedAt;
         }
 
-        $firstSeenAt = CarbonImmutable::instance($finding->first_seen_at);
-
         if ($finding->last_seen_at === null || $observedAt->greaterThan(CarbonImmutable::instance($finding->last_seen_at))) {
             $finding->last_seen_at = $observedAt;
         }
@@ -1976,14 +1964,6 @@ private function observeFinding(
         } elseif ($timesSeen < 1) {
             $finding->times_seen = 1;
         }
-
-        if ($finding->sla_days === null) {
-            $finding->sla_days = $slaPolicy->daysForSeverity($severity, $tenant);
-        }
-
-        if ($finding->due_at === null) {
-            $finding->due_at = $slaPolicy->dueAtForSeverity($severity, $tenant, $firstSeenAt);
-        }
     }
 
     /**

apps/platform/app/Models/Finding.php

@@ -33,6 +33,8 @@ class Finding extends Model
 
     public const string STATUS_NEW = 'new';
 
+    public const string STATUS_ACKNOWLEDGED = 'acknowledged';
+
     public const string STATUS_TRIAGED = 'triaged';
 
     public const string STATUS_IN_PROGRESS = 'in_progress';
@@ -167,7 +169,10 @@ public static function terminalStatuses(): array
      */
     public static function openStatusesForQuery(): array
     {
-        return self::openStatuses();
+        return [
+            ...self::openStatuses(),
+            self::STATUS_ACKNOWLEDGED,
+        ];
     }
 
     /**
@@ -290,6 +295,10 @@ public static function isReopenReason(?string $reason): bool
 
     public static function canonicalizeStatus(?string $status): ?string
     {
+        if ($status === self::STATUS_ACKNOWLEDGED) {
+            return self::STATUS_TRIAGED;
+        }
+
         return $status;
     }
 
@@ -315,6 +324,23 @@ public function isRiskAccepted(): bool
         return (string) $this->status === self::STATUS_RISK_ACCEPTED;
     }
 
+    public function acknowledge(User $user): self
+    {
+        if ($this->status === self::STATUS_ACKNOWLEDGED) {
+            return $this;
+        }
+
+        $this->forceFill([
+            'status' => self::STATUS_ACKNOWLEDGED,
+            'acknowledged_at' => now(),
+            'acknowledged_by_user_id' => $user->getKey(),
+        ]);
+
+        $this->save();
+
+        return $this;
+    }
+
     public function resolve(string $reason): self
     {
         $this->forceFill([

apps/platform/app/Models/SupportRequest.php

@@ -1,182 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Models;
-
-use App\Support\Concerns\DerivesWorkspaceIdFromTenant;
-use Illuminate\Database\Eloquent\Factories\HasFactory;
-use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\Relations\BelongsTo;
-
-class SupportRequest extends Model
-{
-    use DerivesWorkspaceIdFromTenant;
-
-    /** @use HasFactory<\Database\Factories\SupportRequestFactory> */
-    use HasFactory;
-
-    public const string PRIMARY_CONTEXT_TENANT = 'tenant';
-
-    public const string PRIMARY_CONTEXT_OPERATION_RUN = 'operation_run';
-
-    public const string ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED = 'diagnostic_snapshot_attached';
-
-    public const string ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY = 'canonical_context_only';
-
-    public const string SEVERITY_LOW = 'low';
-
-    public const string SEVERITY_NORMAL = 'normal';
-
-    public const string SEVERITY_HIGH = 'high';
-
-    public const string SEVERITY_BLOCKING = 'blocking';
-
-    public const string EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY = 'internal_only';
-
-    public const string EXTERNAL_HANDOFF_MODE_CREATE_EXTERNAL_TICKET = 'create_external_ticket';
-
-    public const string EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET = 'link_existing_ticket';
-
-    public const string HANDOFF_OUTCOME_INTERNAL_ONLY = 'internal_only';
-
-    public const string HANDOFF_OUTCOME_EXTERNAL_TICKET_CREATED = 'external_ticket_created';
-
-    public const string HANDOFF_OUTCOME_EXTERNAL_TICKET_LINKED = 'external_ticket_linked';
-
-    public const string HANDOFF_OUTCOME_EXTERNAL_HANDOFF_FAILED = 'external_handoff_failed';
-
-    protected $guarded = [];
-
-    /**
-     * @return array<string, string>
-     */
-    protected function casts(): array
-    {
-        return [
-            'context_envelope' => 'array',
-        ];
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    public static function severityOptions(): array
-    {
-        return [
-            self::SEVERITY_LOW => 'Low',
-            self::SEVERITY_NORMAL => 'Normal',
-            self::SEVERITY_HIGH => 'High',
-            self::SEVERITY_BLOCKING => 'Blocking',
-        ];
-    }
-
-    /**
-     * @return list<string>
-     */
-    public static function severityValues(): array
-    {
-        return array_keys(self::severityOptions());
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    public static function externalHandoffModeOptions(): array
-    {
-        return [
-            self::EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY => 'TenantPilot only',
-            self::EXTERNAL_HANDOFF_MODE_CREATE_EXTERNAL_TICKET => 'Create external ticket',
-            self::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET => 'Link existing ticket',
-        ];
-    }
-
-    /**
-     * @return list<string>
-     */
-    public static function externalHandoffModeValues(): array
-    {
-        return array_keys(self::externalHandoffModeOptions());
-    }
-
-    public function hasExternalTicket(): bool
-    {
-        return is_string($this->external_ticket_reference) && trim($this->external_ticket_reference) !== '';
-    }
-
-    public function hasExternalHandoffFailure(): bool
-    {
-        return is_string($this->external_handoff_failure_summary) && trim($this->external_handoff_failure_summary) !== '';
-    }
-
-    public function externalHandoffOutcome(): string
-    {
-        if ($this->hasExternalHandoffFailure()) {
-            return self::HANDOFF_OUTCOME_EXTERNAL_HANDOFF_FAILED;
-        }
-
-        if (! $this->hasExternalTicket()) {
-            return self::HANDOFF_OUTCOME_INTERNAL_ONLY;
-        }
-
-        return match ($this->external_handoff_mode) {
-            self::EXTERNAL_HANDOFF_MODE_CREATE_EXTERNAL_TICKET => self::HANDOFF_OUTCOME_EXTERNAL_TICKET_CREATED,
-            self::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET => self::HANDOFF_OUTCOME_EXTERNAL_TICKET_LINKED,
-            default => self::HANDOFF_OUTCOME_INTERNAL_ONLY,
-        };
-    }
-
-    /**
-     * @return list<string>
-     */
-    public static function primaryContextTypes(): array
-    {
-        return [
-            self::PRIMARY_CONTEXT_TENANT,
-            self::PRIMARY_CONTEXT_OPERATION_RUN,
-        ];
-    }
-
-    /**
-     * @return list<string>
-     */
-    public static function attachmentModes(): array
-    {
-        return [
-            self::ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED,
-            self::ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY,
-        ];
-    }
-
-    /**
-     * @return BelongsTo<Workspace, $this>
-     */
-    public function workspace(): BelongsTo
-    {
-        return $this->belongsTo(Workspace::class);
-    }
-
-    /**
-     * @return BelongsTo<Tenant, $this>
-     */
-    public function tenant(): BelongsTo
-    {
-        return $this->belongsTo(Tenant::class);
-    }
-
-    /**
-     * @return BelongsTo<OperationRun, $this>
-     */
-    public function operationRun(): BelongsTo
-    {
-        return $this->belongsTo(OperationRun::class);
-    }
-
-    /**
-     * @return BelongsTo<User, $this>
-     */
-    public function initiator(): BelongsTo
-    {
-        return $this->belongsTo(User::class, 'initiated_by_user_id');
-    }
-}

apps/platform/app/Models/User.php

@@ -39,7 +39,6 @@ class User extends Authenticatable implements FilamentUser, HasDefaultTenant, Ha
         'password',
         'entra_tenant_id',
         'entra_object_id',
-        'preferred_locale',
     ];
 
     /**

apps/platform/app/Policies/FindingPolicy.php

@@ -49,7 +49,10 @@ public function update(User $user, Finding $finding): Response|bool
 
     public function triage(User $user, Finding $finding): Response|bool
     {
-        return $this->canMutateWithCapability($user, $finding, Capabilities::TENANT_FINDINGS_TRIAGE);
+        return $this->canMutateWithAnyCapability($user, $finding, [
+            Capabilities::TENANT_FINDINGS_TRIAGE,
+            Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
+        ]);
     }
 
     public function assign(User $user, Finding $finding): Response|bool

apps/platform/app/Providers/Filament/AdminPanelProvider.php

@@ -5,16 +5,13 @@
 use App\Filament\Pages\Auth\Login;
 use App\Filament\Pages\ChooseTenant;
 use App\Filament\Pages\ChooseWorkspace;
-use App\Filament\Pages\CrossTenantComparePage;
 use App\Filament\Pages\Findings\FindingsHygieneReport;
 use App\Filament\Pages\Findings\FindingsIntakeQueue;
-use App\Filament\Pages\Governance\GovernanceInbox;
 use App\Filament\Pages\Findings\MyFindingsInbox;
 use App\Filament\Pages\InventoryCoverage;
 use App\Filament\Pages\Monitoring\FindingExceptionsQueue;
 use App\Filament\Pages\NoAccess;
 use App\Filament\Pages\Reviews\ReviewRegister;
-use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
 use App\Filament\Pages\Settings\WorkspaceSettings;
 use App\Filament\Pages\TenantRequiredPermissions;
 use App\Filament\Pages\WorkspaceOverview;
@@ -80,16 +77,16 @@ public function panel(Panel $panel): Panel
             ])
             ->navigationItems([
                 WorkspaceOverview::navigationItem(),
-                NavigationItem::make(fn (): string => __('localization.navigation.integrations'))
+                NavigationItem::make('Integrations')
                     ->url(fn (): string => route('filament.admin.resources.provider-connections.index'))
                     ->icon('heroicon-o-link')
-                    ->group(fn (): string => __('localization.navigation.settings'))
+                    ->group('Settings')
                     ->sort(15)
                     ->visible(fn (): bool => ProviderConnectionResource::canViewAny()),
-                NavigationItem::make(fn (): string => __('localization.navigation.settings'))
+                NavigationItem::make('Settings')
                     ->url(fn (): string => WorkspaceSettings::getUrl(panel: 'admin'))
                     ->icon('heroicon-o-cog-6-tooth')
-                    ->group(fn (): string => __('localization.navigation.settings'))
+                    ->group('Settings')
                     ->sort(20)
                     ->visible(function (): bool {
                         $user = auth()->user();
@@ -116,12 +113,12 @@ public function panel(Panel $panel): Panel
                         return $resolver->isMember($user, $workspace)
                             && $resolver->can($user, $workspace, Capabilities::WORKSPACE_SETTINGS_VIEW);
                     }),
-                NavigationItem::make(fn (): string => __('localization.navigation.manage_workspaces'))
+                NavigationItem::make('Manage workspaces')
                     ->url(function (): string {
                         return route('filament.admin.resources.workspaces.index');
                     })
                     ->icon('heroicon-o-squares-2x2')
-                    ->group(fn (): string => __('localization.navigation.settings'))
+                    ->group('Settings')
                     ->sort(10)
                     ->visible(function (): bool {
                         $user = auth()->user();
@@ -137,15 +134,15 @@ public function panel(Panel $panel): Panel
                             ->whereIn('role', $roles)
                             ->exists();
                     }),
-                NavigationItem::make(fn (): string => __('localization.navigation.operations'))
+                NavigationItem::make('Operations')
                     ->url(fn (): string => route('admin.operations.index'))
                     ->icon('heroicon-o-queue-list')
-                    ->group(fn (): string => __('localization.navigation.monitoring'))
+                    ->group('Monitoring')
                     ->sort(10),
-                NavigationItem::make(fn (): string => __('localization.navigation.audit_log'))
+                NavigationItem::make('Audit Log')
                     ->url(fn (): string => route('admin.monitoring.audit-log'))
                     ->icon('heroicon-o-clipboard-document-list')
-                    ->group(fn (): string => __('localization.navigation.monitoring'))
+                    ->group('Monitoring')
                     ->sort(30),
             ])
             ->renderHook(
@@ -182,13 +179,10 @@ public function panel(Panel $panel): Panel
                 InventoryCoverage::class,
                 TenantRequiredPermissions::class,
                 WorkspaceSettings::class,
-                CrossTenantComparePage::class,
-                GovernanceInbox::class,
                 FindingsHygieneReport::class,
                 FindingsIntakeQueue::class,
                 MyFindingsInbox::class,
                 FindingExceptionsQueue::class,
-                CustomerReviewWorkspace::class,
                 ReviewRegister::class,
             ])
             ->widgets([
@@ -212,7 +206,6 @@ public function panel(Panel $panel): Panel
                 DisableBladeIconComponents::class,
                 DispatchServingFilamentEvent::class,
             ])
-            ->middleware(['apply-resolved-locale:admin'], isPersistent: true)
             ->authMiddleware([
                 Authenticate::class,
             ]);

apps/platform/app/Providers/Filament/SystemPanelProvider.php

@@ -42,14 +42,6 @@ public function panel(Panel $panel): Panel
                 PanelsRenderHook::BODY_START,
                 fn () => view('filament.system.components.break-glass-banner')->render(),
             )
-            ->renderHook(
-                PanelsRenderHook::TOPBAR_START,
-                fn () => view('filament.partials.locale-switcher', [
-                    'plane' => 'system',
-                    'showPreference' => false,
-                    'embedded' => false,
-                ])->render(),
-            )
             ->discoverPages(in: app_path('Filament/System/Pages'), for: 'App\\Filament\\System\\Pages')
             ->pages([
                 Dashboard::class,
@@ -67,7 +59,6 @@ public function panel(Panel $panel): Panel
                 DisableBladeIconComponents::class,
                 DispatchServingFilamentEvent::class,
             ])
-            ->middleware(['apply-resolved-locale:system'], isPersistent: true)
             ->authMiddleware([
                 Authenticate::class,
                 'ensure-platform-capability:'.PlatformCapabilities::ACCESS_SYSTEM_PANEL,

apps/platform/app/Providers/Filament/TenantPanelProvider.php

@@ -50,20 +50,20 @@ public function panel(Panel $panel): Panel
                 'primary' => Color::Indigo,
             ])
             ->navigationItems([
-                NavigationItem::make(fn (): string => __('localization.navigation.operations'))
+                NavigationItem::make(OperationRunLinks::collectionLabel())
                     ->url(fn (): string => route('admin.operations.index'))
                     ->icon('heroicon-o-queue-list')
-                    ->group(fn (): string => __('localization.navigation.monitoring'))
+                    ->group('Monitoring')
                     ->sort(10),
-                NavigationItem::make(fn (): string => __('localization.navigation.alerts'))
+                NavigationItem::make('Alerts')
                     ->url(fn (): string => url('/admin/alerts'))
                     ->icon('heroicon-o-bell-alert')
-                    ->group(fn (): string => __('localization.navigation.monitoring'))
+                    ->group('Monitoring')
                     ->sort(20),
-                NavigationItem::make(fn (): string => __('localization.navigation.audit_log'))
+                NavigationItem::make('Audit Log')
                     ->url(fn (): string => route('admin.monitoring.audit-log'))
                     ->icon('heroicon-o-clipboard-document-list')
-                    ->group(fn (): string => __('localization.navigation.monitoring'))
+                    ->group('Monitoring')
                     ->sort(30),
             ])
             ->renderHook(
@@ -111,7 +111,6 @@ public function panel(Panel $panel): Panel
                 DisableBladeIconComponents::class,
                 DispatchServingFilamentEvent::class,
             ])
-            ->middleware(['apply-resolved-locale:tenant'], isPersistent: true)
             ->authMiddleware([
                 Authenticate::class,
             ]);

apps/platform/app/Services/Audit/WorkspaceAuditLogger.php

@@ -4,10 +4,9 @@
 
 namespace App\Services\Audit;
 
+use App\Models\Tenant;
 use App\Models\OperationRun;
 use App\Models\PlatformUser;
-use App\Models\SupportRequest;
-use App\Models\Tenant;
 use App\Models\User;
 use App\Models\Workspace;
 use App\Support\Audit\AuditActionId;
@@ -15,7 +14,6 @@
 use App\Support\Audit\AuditActorType;
 use App\Support\Audit\AuditTargetSnapshot;
 use Carbon\CarbonImmutable;
-use InvalidArgumentException;
 
 class WorkspaceAuditLogger
 {
@@ -138,159 +136,4 @@ public function logSupportDiagnosticsOpened(
             tenant: $tenant,
         );
     }
-
-    /**
-     * @param  array<string, mixed>  $preflight
-     */
-    public function logCrossTenantPromotionPreflightGenerated(
-        Workspace $workspace,
-        Tenant $sourceTenant,
-        Tenant $targetTenant,
-        array $preflight,
-        User|PlatformUser|null $actor = null,
-    ): \App\Models\AuditLog {
-        $summary = is_array($preflight['summary'] ?? null) ? $preflight['summary'] : [];
-
-        return $this->log(
-            workspace: $workspace,
-            action: AuditActionId::CrossTenantPromotionPreflightGenerated,
-            context: [
-                'source_tenant_id' => (int) $sourceTenant->getKey(),
-                'source_tenant_name' => (string) $sourceTenant->name,
-                'target_tenant_id' => (int) $targetTenant->getKey(),
-                'target_tenant_name' => (string) $targetTenant->name,
-                'ready_count' => (int) ($summary['ready'] ?? 0),
-                'blocked_count' => (int) ($summary['blocked'] ?? 0),
-                'manual_mapping_required_count' => (int) ($summary['manual_mapping_required'] ?? 0),
-                'total_count' => (int) ($summary['total'] ?? 0),
-                'blocked_reason_counts' => is_array($preflight['blockedReasonCounts'] ?? null)
-                    ? $preflight['blockedReasonCounts']
-                    : [],
-            ],
-            actor: $actor,
-            status: 'success',
-            resourceType: 'cross_tenant_promotion_preflight',
-            resourceId: sprintf('%s:%s', $sourceTenant->getKey(), $targetTenant->getKey()),
-            targetLabel: $sourceTenant->name.' -> '.$targetTenant->name,
-            summary: 'Cross-tenant promotion preflight generated for '.$sourceTenant->name.' -> '.$targetTenant->name,
-        );
-    }
-
-    public function logSupportRequestCreated(
-        SupportRequest $supportRequest,
-        User|PlatformUser|null $actor = null,
-    ): \App\Models\AuditLog {
-        $supportRequest->loadMissing(['tenant.workspace']);
-
-        $tenant = $supportRequest->tenant;
-
-        if (! $tenant instanceof Tenant) {
-            throw new InvalidArgumentException('Support requests must belong to a tenant.');
-        }
-
-        return $this->log(
-            workspace: $tenant->workspace,
-            action: AuditActionId::SupportRequestCreated,
-            context: [
-                'internal_reference' => $supportRequest->internal_reference,
-                'primary_context_type' => $supportRequest->primary_context_type,
-                'primary_context_id' => $supportRequest->primary_context_type === SupportRequest::PRIMARY_CONTEXT_OPERATION_RUN
-                    ? (string) $supportRequest->operation_run_id
-                    : (string) $tenant->getKey(),
-                'attachment_mode' => $supportRequest->attachment_mode,
-                'redaction_mode' => (string) data_get($supportRequest->context_envelope, 'redaction_mode', 'default_redacted'),
-            ],
-            actor: $actor,
-            status: 'success',
-            resourceType: 'support_request',
-            resourceId: (string) $supportRequest->getKey(),
-            targetLabel: $supportRequest->internal_reference,
-            summary: 'Support request created for '.$supportRequest->internal_reference,
-            operationRunId: $supportRequest->operation_run_id !== null ? (int) $supportRequest->operation_run_id : null,
-            tenant: $tenant,
-        );
-    }
-
-    public function logSupportRequestExternalTicketCreated(
-        SupportRequest $supportRequest,
-        User|PlatformUser|null $actor = null,
-    ): \App\Models\AuditLog {
-        return $this->logSupportRequestExternalHandoff(
-            supportRequest: $supportRequest,
-            actor: $actor,
-            action: AuditActionId::SupportRequestExternalTicketCreated,
-            status: 'success',
-            summaryPrefix: 'External ticket created for support request ',
-        );
-    }
-
-    public function logSupportRequestExternalTicketLinked(
-        SupportRequest $supportRequest,
-        User|PlatformUser|null $actor = null,
-    ): \App\Models\AuditLog {
-        return $this->logSupportRequestExternalHandoff(
-            supportRequest: $supportRequest,
-            actor: $actor,
-            action: AuditActionId::SupportRequestExternalTicketLinked,
-            status: 'success',
-            summaryPrefix: 'External ticket linked for support request ',
-        );
-    }
-
-    public function logSupportRequestExternalHandoffFailed(
-        SupportRequest $supportRequest,
-        User|PlatformUser|null $actor = null,
-    ): \App\Models\AuditLog {
-        return $this->logSupportRequestExternalHandoff(
-            supportRequest: $supportRequest,
-            actor: $actor,
-            action: AuditActionId::SupportRequestExternalHandoffFailed,
-            status: 'failed',
-            summaryPrefix: 'External handoff failed for support request ',
-        );
-    }
-
-    private function logSupportRequestExternalHandoff(
-        SupportRequest $supportRequest,
-        User|PlatformUser|null $actor,
-        AuditActionId $action,
-        string $status,
-        string $summaryPrefix,
-    ): \App\Models\AuditLog {
-        $supportRequest->loadMissing(['tenant.workspace']);
-
-        $tenant = $supportRequest->tenant;
-
-        if (! $tenant instanceof Tenant) {
-            throw new InvalidArgumentException('Support requests must belong to a tenant.');
-        }
-
-        $metadata = [
-            'internal_reference' => $supportRequest->internal_reference,
-            'primary_context_type' => $supportRequest->primary_context_type,
-            'primary_context_id' => $supportRequest->primary_context_type === SupportRequest::PRIMARY_CONTEXT_OPERATION_RUN
-                ? (string) $supportRequest->operation_run_id
-                : (string) $tenant->getKey(),
-            'external_handoff_mode' => $supportRequest->external_handoff_mode,
-            'external_ticket_reference' => $supportRequest->external_ticket_reference,
-        ];
-
-        if ($supportRequest->external_handoff_failure_summary !== null) {
-            $metadata['external_handoff_failure_summary'] = $supportRequest->external_handoff_failure_summary;
-        }
-
-        return $this->log(
-            workspace: $tenant->workspace,
-            action: $action,
-            context: $metadata,
-            actor: $actor,
-            status: $status,
-            resourceType: 'support_request',
-            resourceId: (string) $supportRequest->getKey(),
-            targetLabel: $supportRequest->internal_reference,
-            summary: $summaryPrefix.$supportRequest->internal_reference,
-            operationRunId: $supportRequest->operation_run_id !== null ? (int) $supportRequest->operation_run_id : null,
-            tenant: $tenant,
-        );
-    }
 }

apps/platform/app/Services/Auth/RoleCapabilityMap.php

@@ -20,7 +20,6 @@ class RoleCapabilityMap
             Capabilities::TENANT_DELETE,
             Capabilities::TENANT_SYNC,
             Capabilities::SUPPORT_DIAGNOSTICS_VIEW,
-            Capabilities::SUPPORT_REQUESTS_CREATE,
             Capabilities::TENANT_INVENTORY_SYNC_RUN,
             Capabilities::TENANT_FINDINGS_VIEW,
             Capabilities::TENANT_FINDINGS_TRIAGE,
@@ -28,6 +27,7 @@ class RoleCapabilityMap
             Capabilities::TENANT_FINDINGS_RESOLVE,
             Capabilities::TENANT_FINDINGS_CLOSE,
             Capabilities::TENANT_FINDINGS_RISK_ACCEPT,
+            Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
             Capabilities::FINDING_EXCEPTION_VIEW,
             Capabilities::FINDING_EXCEPTION_MANAGE,
             Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE,
@@ -65,7 +65,6 @@ class RoleCapabilityMap
             Capabilities::TENANT_MANAGE,
             Capabilities::TENANT_SYNC,
             Capabilities::SUPPORT_DIAGNOSTICS_VIEW,
-            Capabilities::SUPPORT_REQUESTS_CREATE,
             Capabilities::TENANT_INVENTORY_SYNC_RUN,
             Capabilities::TENANT_FINDINGS_VIEW,
             Capabilities::TENANT_FINDINGS_TRIAGE,
@@ -73,6 +72,7 @@ class RoleCapabilityMap
             Capabilities::TENANT_FINDINGS_RESOLVE,
             Capabilities::TENANT_FINDINGS_CLOSE,
             Capabilities::TENANT_FINDINGS_RISK_ACCEPT,
+            Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
             Capabilities::FINDING_EXCEPTION_VIEW,
             Capabilities::FINDING_EXCEPTION_MANAGE,
             Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE,
@@ -106,10 +106,10 @@ class RoleCapabilityMap
             Capabilities::TENANT_VIEW,
             Capabilities::TENANT_SYNC,
             Capabilities::SUPPORT_DIAGNOSTICS_VIEW,
-            Capabilities::SUPPORT_REQUESTS_CREATE,
             Capabilities::TENANT_INVENTORY_SYNC_RUN,
             Capabilities::TENANT_FINDINGS_VIEW,
             Capabilities::TENANT_FINDINGS_TRIAGE,
+            Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
             Capabilities::FINDING_EXCEPTION_VIEW,
 
             Capabilities::TENANT_MEMBERSHIP_VIEW,

apps/platform/app/Services/Entitlements/WorkspaceCommercialLifecycleResolver.php

@@ -1,410 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Services\Entitlements;
-
-use App\Models\AuditLog;
-use App\Models\Tenant;
-use App\Models\Workspace;
-use App\Models\WorkspaceSetting;
-use App\Services\Settings\SettingsResolver;
-use App\Support\Audit\AuditActionId;
-use Carbon\CarbonInterface;
-
-final class WorkspaceCommercialLifecycleResolver
-{
-    public const SETTING_DOMAIN = WorkspaceEntitlementResolver::SETTING_DOMAIN;
-
-    public const SETTING_COMMERCIAL_LIFECYCLE_STATE = 'commercial_lifecycle_state';
-
-    public const SETTING_COMMERCIAL_LIFECYCLE_REASON = 'commercial_lifecycle_reason';
-
-    public const STATE_TRIAL = 'trial';
-
-    public const STATE_GRACE = 'grace';
-
-    public const STATE_ACTIVE_PAID = 'active_paid';
-
-    public const STATE_SUSPENDED_READ_ONLY = 'suspended_read_only';
-
-    public const SOURCE_DEFAULT_ACTIVE_PAID = 'default_active_paid';
-
-    public const SOURCE_WORKSPACE_SETTING = 'workspace_setting';
-
-    public const ACTION_MANAGED_TENANT_ACTIVATION = 'managed_tenant_activation';
-
-    public const ACTION_REVIEW_PACK_START = 'review_pack_start';
-
-    public const ACTION_REVIEW_HISTORY_READ = 'review_history_read';
-
-    public const ACTION_EVIDENCE_READ = 'evidence_read';
-
-    public const ACTION_GENERATED_PACK_READ = 'generated_pack_read';
-
-    public const OUTCOME_ALLOW = 'allow';
-
-    public const OUTCOME_WARN = 'warn';
-
-    public const OUTCOME_BLOCK = 'block';
-
-    public const OUTCOME_ALLOW_READ_ONLY = 'allow_read_only';
-
-    public const REASON_FAMILY_ENTITLEMENT_SUBSTRATE = 'entitlement_substrate';
-
-    public const REASON_FAMILY_COMMERCIAL_LIFECYCLE = 'commercial_lifecycle';
-
-    public function __construct(
-        private readonly SettingsResolver $settingsResolver,
-        private readonly WorkspaceEntitlementResolver $workspaceEntitlementResolver,
-    ) {}
-
-    /**
-     * @return list<string>
-     */
-    public static function stateIds(): array
-    {
-        return [
-            self::STATE_TRIAL,
-            self::STATE_GRACE,
-            self::STATE_ACTIVE_PAID,
-            self::STATE_SUSPENDED_READ_ONLY,
-        ];
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    public static function stateLabels(): array
-    {
-        return [
-            self::STATE_TRIAL => 'Trial',
-            self::STATE_GRACE => 'Grace',
-            self::STATE_ACTIVE_PAID => 'Active paid',
-            self::STATE_SUSPENDED_READ_ONLY => 'Suspended / read-only',
-        ];
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    public static function stateDescriptions(): array
-    {
-        return [
-            self::STATE_TRIAL => 'Expansion and review-pack starts are available while the workspace is in trial.',
-            self::STATE_GRACE => 'New managed-tenant activation is frozen, but review-pack starts remain available with a warning.',
-            self::STATE_ACTIVE_PAID => 'Expansion and review-pack starts are available for the active paid workspace.',
-            self::STATE_SUSPENDED_READ_ONLY => 'New activation and review-pack starts are blocked while existing review, evidence, and generated-pack access remains read-only.',
-        ];
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    public function summary(Workspace $workspace): array
-    {
-        $lifecycle = $this->resolve($workspace);
-
-        return $lifecycle + [
-            'entitlement_summary' => $this->workspaceEntitlementResolver->summary($workspace),
-            'action_decisions' => [
-                self::ACTION_MANAGED_TENANT_ACTIVATION => $this->actionDecision($workspace, self::ACTION_MANAGED_TENANT_ACTIVATION, $lifecycle),
-                self::ACTION_REVIEW_PACK_START => $this->actionDecision($workspace, self::ACTION_REVIEW_PACK_START, $lifecycle),
-                self::ACTION_REVIEW_HISTORY_READ => $this->actionDecision($workspace, self::ACTION_REVIEW_HISTORY_READ, $lifecycle),
-                self::ACTION_EVIDENCE_READ => $this->actionDecision($workspace, self::ACTION_EVIDENCE_READ, $lifecycle),
-                self::ACTION_GENERATED_PACK_READ => $this->actionDecision($workspace, self::ACTION_GENERATED_PACK_READ, $lifecycle),
-            ],
-        ];
-    }
-
-    /**
-     * @return array{
-     *     workspace_id: int,
-     *     state: string,
-     *     state_label: string,
-     *     source: string,
-     *     source_label: string,
-     *     rationale: string|null,
-     *     description: string,
-     *     last_changed_at: CarbonInterface|null,
-     *     last_changed_by: string|null
-     * }
-     */
-    public function resolve(Workspace $workspace): array
-    {
-        $stateSetting = $this->settingsResolver->resolveDetailed(
-            workspace: $workspace,
-            domain: self::SETTING_DOMAIN,
-            key: self::SETTING_COMMERCIAL_LIFECYCLE_STATE,
-        );
-
-        $rawState = is_string($stateSetting['value'] ?? null)
-            ? strtolower(trim((string) $stateSetting['value']))
-            : null;
-
-        $state = in_array($rawState, self::stateIds(), true)
-            ? $rawState
-            : self::STATE_ACTIVE_PAID;
-
-        $source = ($stateSetting['source'] ?? null) === 'workspace_override' && $rawState !== null
-            ? self::SOURCE_WORKSPACE_SETTING
-            : self::SOURCE_DEFAULT_ACTIVE_PAID;
-
-        $rationale = $this->settingsResolver->resolveValue(
-            workspace: $workspace,
-            domain: self::SETTING_DOMAIN,
-            key: self::SETTING_COMMERCIAL_LIFECYCLE_REASON,
-        );
-
-        $labels = self::stateLabels();
-        $descriptions = self::stateDescriptions();
-        $lastChanged = $this->lastChangedMetadata($workspace);
-
-        return [
-            'workspace_id' => (int) $workspace->getKey(),
-            'state' => $state,
-            'state_label' => $labels[$state],
-            'source' => $source,
-            'source_label' => $source === self::SOURCE_WORKSPACE_SETTING
-                ? 'workspace setting'
-                : 'default active paid',
-            'rationale' => is_string($rationale) && trim($rationale) !== '' ? trim($rationale) : null,
-            'description' => $descriptions[$state],
-            'last_changed_at' => $lastChanged['last_changed_at'],
-            'last_changed_by' => $lastChanged['last_changed_by'],
-        ];
-    }
-
-    /**
-     * @param  array<string, mixed>|null  $lifecycle
-     * @return array<string, mixed>
-     */
-    public function actionDecision(Workspace $workspace, string $actionKey, ?array $lifecycle = null): array
-    {
-        $lifecycle ??= $this->resolve($workspace);
-
-        return match ($actionKey) {
-            self::ACTION_MANAGED_TENANT_ACTIVATION => $this->managedTenantActivationDecision($workspace, $lifecycle),
-            self::ACTION_REVIEW_PACK_START => $this->reviewPackStartDecision($workspace, $lifecycle),
-            self::ACTION_REVIEW_HISTORY_READ,
-            self::ACTION_EVIDENCE_READ,
-            self::ACTION_GENERATED_PACK_READ => $this->readOnlyDecision($actionKey, $lifecycle),
-            default => throw new \InvalidArgumentException(sprintf('Unknown commercial lifecycle action key: %s', $actionKey)),
-        };
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    public function reviewPackStartDecisionForTenant(Tenant $tenant): array
-    {
-        $tenant->loadMissing('workspace');
-
-        return $this->actionDecision($tenant->workspace, self::ACTION_REVIEW_PACK_START);
-    }
-
-    /**
-     * @param  array<string, mixed>  $lifecycle
-     * @return array<string, mixed>
-     */
-    private function managedTenantActivationDecision(Workspace $workspace, array $lifecycle): array
-    {
-        $substrateDecision = $this->workspaceEntitlementResolver->resolve(
-            $workspace,
-            WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT,
-        );
-
-        if ((bool) ($substrateDecision['is_blocked'] ?? false)) {
-            return $this->decision(
-                lifecycle: $lifecycle,
-                actionKey: self::ACTION_MANAGED_TENANT_ACTIVATION,
-                outcome: self::OUTCOME_BLOCK,
-                reasonFamily: self::REASON_FAMILY_ENTITLEMENT_SUBSTRATE,
-                message: (string) ($substrateDecision['block_reason'] ?? 'Workspace entitlement currently blocks managed tenant activation.'),
-                substrateDecision: $substrateDecision,
-            );
-        }
-
-        return match ($lifecycle['state']) {
-            self::STATE_GRACE => $this->decision(
-                lifecycle: $lifecycle,
-                actionKey: self::ACTION_MANAGED_TENANT_ACTIVATION,
-                outcome: self::OUTCOME_BLOCK,
-                reasonFamily: self::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
-                message: 'New managed-tenant activation is frozen while this workspace is in grace.',
-                substrateDecision: $substrateDecision,
-            ),
-            self::STATE_SUSPENDED_READ_ONLY => $this->decision(
-                lifecycle: $lifecycle,
-                actionKey: self::ACTION_MANAGED_TENANT_ACTIVATION,
-                outcome: self::OUTCOME_BLOCK,
-                reasonFamily: self::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
-                message: 'This workspace is suspended / read-only. New managed-tenant activation is blocked, but existing review and evidence history remains available.',
-                substrateDecision: $substrateDecision,
-            ),
-            default => $this->decision(
-                lifecycle: $lifecycle,
-                actionKey: self::ACTION_MANAGED_TENANT_ACTIVATION,
-                outcome: self::OUTCOME_ALLOW,
-                reasonFamily: null,
-                message: 'Managed-tenant activation is available for this workspace commercial state.',
-                substrateDecision: $substrateDecision,
-            ),
-        };
-    }
-
-    /**
-     * @param  array<string, mixed>  $lifecycle
-     * @return array<string, mixed>
-     */
-    private function reviewPackStartDecision(Workspace $workspace, array $lifecycle): array
-    {
-        $substrateDecision = $this->workspaceEntitlementResolver->resolve(
-            $workspace,
-            WorkspaceEntitlementResolver::KEY_REVIEW_PACK_GENERATION_ENABLED,
-        );
-
-        if ((bool) ($substrateDecision['is_blocked'] ?? false)) {
-            return $this->decision(
-                lifecycle: $lifecycle,
-                actionKey: self::ACTION_REVIEW_PACK_START,
-                outcome: self::OUTCOME_BLOCK,
-                reasonFamily: self::REASON_FAMILY_ENTITLEMENT_SUBSTRATE,
-                message: (string) ($substrateDecision['block_reason'] ?? 'Workspace entitlement currently blocks review pack generation.'),
-                substrateDecision: $substrateDecision,
-            );
-        }
-
-        return match ($lifecycle['state']) {
-            self::STATE_GRACE => $this->decision(
-                lifecycle: $lifecycle,
-                actionKey: self::ACTION_REVIEW_PACK_START,
-                outcome: self::OUTCOME_WARN,
-                reasonFamily: self::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
-                message: 'Workspace is in grace. Review-pack starts remain available, but managed-tenant expansion is frozen.',
-                substrateDecision: $substrateDecision,
-            ),
-            self::STATE_SUSPENDED_READ_ONLY => $this->decision(
-                lifecycle: $lifecycle,
-                actionKey: self::ACTION_REVIEW_PACK_START,
-                outcome: self::OUTCOME_BLOCK,
-                reasonFamily: self::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
-                message: 'This workspace is suspended / read-only. New review-pack starts are blocked, but existing review packs, evidence, and review history remain available.',
-                substrateDecision: $substrateDecision,
-            ),
-            default => $this->decision(
-                lifecycle: $lifecycle,
-                actionKey: self::ACTION_REVIEW_PACK_START,
-                outcome: self::OUTCOME_ALLOW,
-                reasonFamily: null,
-                message: 'Review-pack starts are available for this workspace commercial state.',
-                substrateDecision: $substrateDecision,
-            ),
-        };
-    }
-
-    /**
-     * @param  array<string, mixed>  $lifecycle
-     * @return array<string, mixed>
-     */
-    private function readOnlyDecision(string $actionKey, array $lifecycle): array
-    {
-        if (($lifecycle['state'] ?? null) === self::STATE_SUSPENDED_READ_ONLY) {
-            return $this->decision(
-                lifecycle: $lifecycle,
-                actionKey: $actionKey,
-                outcome: self::OUTCOME_ALLOW_READ_ONLY,
-                reasonFamily: self::REASON_FAMILY_COMMERCIAL_LIFECYCLE,
-                message: 'Suspended / read-only workspaces keep existing review, evidence, and generated-pack consumption available under current RBAC.',
-                substrateDecision: null,
-            );
-        }
-
-        return $this->decision(
-            lifecycle: $lifecycle,
-            actionKey: $actionKey,
-            outcome: self::OUTCOME_ALLOW,
-            reasonFamily: null,
-            message: 'Read-only history remains available under current RBAC.',
-            substrateDecision: null,
-        );
-    }
-
-    /**
-     * @param  array<string, mixed>  $lifecycle
-     * @param  array<string, mixed>|null  $substrateDecision
-     * @return array<string, mixed>
-     */
-    private function decision(
-        array $lifecycle,
-        string $actionKey,
-        string $outcome,
-        ?string $reasonFamily,
-        string $message,
-        ?array $substrateDecision,
-    ): array {
-        return [
-            'workspace_id' => (int) ($lifecycle['workspace_id'] ?? 0),
-            'action_key' => $actionKey,
-            'outcome' => $outcome,
-            'is_blocked' => $outcome === self::OUTCOME_BLOCK,
-            'is_warning' => $outcome === self::OUTCOME_WARN,
-            'block_reason' => $outcome === self::OUTCOME_BLOCK ? $message : null,
-            'warning_reason' => $outcome === self::OUTCOME_WARN ? $message : null,
-            'message' => $message,
-            'reason_family' => $reasonFamily,
-            'state' => (string) $lifecycle['state'],
-            'state_label' => (string) $lifecycle['state_label'],
-            'source' => (string) $lifecycle['source'],
-            'source_label' => (string) $lifecycle['source_label'],
-            'rationale' => $lifecycle['rationale'] ?? null,
-            'entitlement_decision' => $substrateDecision,
-        ];
-    }
-
-    /**
-     * @return array{last_changed_at: CarbonInterface|null, last_changed_by: string|null}
-     */
-    private function lastChangedMetadata(Workspace $workspace): array
-    {
-        $audit = AuditLog::query()
-            ->where('workspace_id', (int) $workspace->getKey())
-            ->where('action', AuditActionId::WorkspaceSettingUpdated->value)
-            ->where('resource_type', 'workspace_setting')
-            ->where('resource_id', self::SETTING_DOMAIN.'.'.self::SETTING_COMMERCIAL_LIFECYCLE_STATE)
-            ->latest('recorded_at')
-            ->latest('id')
-            ->first();
-
-        if ($audit instanceof AuditLog) {
-            return [
-                'last_changed_at' => $audit->recorded_at,
-                'last_changed_by' => $audit->actorDisplayLabel(),
-            ];
-        }
-
-        $record = WorkspaceSetting::query()
-            ->where('workspace_id', (int) $workspace->getKey())
-            ->where('domain', self::SETTING_DOMAIN)
-            ->whereIn('key', [
-                self::SETTING_COMMERCIAL_LIFECYCLE_STATE,
-                self::SETTING_COMMERCIAL_LIFECYCLE_REASON,
-            ])
-            ->with('updatedByUser:id,name')
-            ->latest('updated_at')
-            ->latest('id')
-            ->first();
-
-        if (! $record instanceof WorkspaceSetting) {
-            return [
-                'last_changed_at' => null,
-                'last_changed_by' => null,
-            ];
-        }
-
-        return [
-            'last_changed_at' => $record->updated_at,
-            'last_changed_by' => $record->updatedByUser?->name,
-        ];
-    }
-}

apps/platform/app/Services/Entitlements/WorkspaceEntitlementResolver.php

@@ -1,327 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Services\Entitlements;
-
-use App\Models\Tenant;
-use App\Models\Workspace;
-use App\Models\WorkspaceSetting;
-use App\Services\Settings\SettingsResolver;
-use Carbon\CarbonInterface;
-
-final class WorkspaceEntitlementResolver
-{
-    public const SETTING_DOMAIN = 'entitlements';
-
-    public const SETTING_PLAN_PROFILE = 'plan_profile';
-
-    public const SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_VALUE = 'managed_tenant_limit_override_value';
-
-    public const SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_REASON = 'managed_tenant_limit_override_reason';
-
-    public const SETTING_REVIEW_PACK_GENERATION_OVERRIDE_VALUE = 'review_pack_generation_override_value';
-
-    public const SETTING_REVIEW_PACK_GENERATION_OVERRIDE_REASON = 'review_pack_generation_override_reason';
-
-    public const KEY_MANAGED_TENANT_ACTIVATION_LIMIT = 'managed_tenant_activation_limit';
-
-    public const KEY_REVIEW_PACK_GENERATION_ENABLED = 'review_pack_generation_enabled';
-
-    public function __construct(
-        private SettingsResolver $settingsResolver,
-        private WorkspacePlanProfileCatalog $planProfileCatalog,
-    ) {}
-
-    /**
-     * @return array{
-     *     plan_profile: array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool},
-     *     decisions: array<string, array{
-     *         workspace_id: int,
-     *         plan_profile_id: string,
-     *         plan_profile_label: string,
-     *         plan_profile_description: string,
-     *         key: string,
-     *         effective_value: int|bool,
-     *         source: 'plan_profile_default'|'workspace_override',
-     *         rationale: string|null,
-     *         current_usage: int|null,
-     *         remaining_capacity: int|null,
-     *         is_blocked: bool,
-     *         block_reason: string|null,
-     *         last_changed_at: CarbonInterface|null,
-     *         last_changed_by: string|null
-     *     }>
-     * }
-     */
-    public function summary(Workspace $workspace): array
-    {
-        $planProfile = $this->resolvePlanProfile($workspace);
-
-        return [
-            'plan_profile' => $planProfile,
-            'decisions' => [
-                self::KEY_MANAGED_TENANT_ACTIVATION_LIMIT => $this->resolve($workspace, self::KEY_MANAGED_TENANT_ACTIVATION_LIMIT, $planProfile),
-                self::KEY_REVIEW_PACK_GENERATION_ENABLED => $this->resolve($workspace, self::KEY_REVIEW_PACK_GENERATION_ENABLED, $planProfile),
-            ],
-        ];
-    }
-
-    /**
-     * @return array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}
-     */
-    public function resolvePlanProfile(Workspace $workspace): array
-    {
-        $planProfileId = $this->settingsResolver->resolveValue(
-            workspace: $workspace,
-            domain: self::SETTING_DOMAIN,
-            key: self::SETTING_PLAN_PROFILE,
-        );
-
-        return $this->planProfileCatalog->resolve(is_string($planProfileId) ? $planProfileId : null);
-    }
-
-    /**
-     * @param  array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}|null  $planProfile
-     * @return array{
-     *     workspace_id: int,
-     *     plan_profile_id: string,
-     *     plan_profile_label: string,
-     *     plan_profile_description: string,
-     *     key: string,
-     *     effective_value: int|bool,
-     *     source: 'plan_profile_default'|'workspace_override',
-     *     rationale: string|null,
-     *     current_usage: int|null,
-     *     remaining_capacity: int|null,
-     *     is_blocked: bool,
-     *     block_reason: string|null,
-     *     last_changed_at: CarbonInterface|null,
-     *     last_changed_by: string|null
-     * }
-     */
-    public function resolve(Workspace $workspace, string $key, ?array $planProfile = null): array
-    {
-        $planProfile ??= $this->resolvePlanProfile($workspace);
-        $lastChanged = $this->lastChangedMetadata($workspace);
-
-        return match ($key) {
-            self::KEY_MANAGED_TENANT_ACTIVATION_LIMIT => $this->resolveManagedTenantActivationLimitDecision($workspace, $planProfile, $lastChanged),
-            self::KEY_REVIEW_PACK_GENERATION_ENABLED => $this->resolveReviewPackGenerationDecision($workspace, $planProfile, $lastChanged),
-            default => throw new \InvalidArgumentException(sprintf('Unknown workspace entitlement key: %s', $key)),
-        };
-    }
-
-    /**
-     * @param  array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}  $planProfile
-     * @param  array{last_changed_at: CarbonInterface|null, last_changed_by: string|null}  $lastChanged
-     * @return array{
-     *     workspace_id: int,
-     *     plan_profile_id: string,
-     *     plan_profile_label: string,
-     *     plan_profile_description: string,
-     *     key: string,
-     *     effective_value: int,
-     *     source: 'plan_profile_default'|'workspace_override',
-     *     rationale: string|null,
-     *     current_usage: int,
-     *     remaining_capacity: int,
-     *     is_blocked: bool,
-     *     block_reason: string|null,
-     *     last_changed_at: CarbonInterface|null,
-     *     last_changed_by: string|null
-     * }
-     */
-    private function resolveManagedTenantActivationLimitDecision(Workspace $workspace, array $planProfile, array $lastChanged): array
-    {
-        $overrideValue = $this->settingsResolver->resolveDetailed(
-            workspace: $workspace,
-            domain: self::SETTING_DOMAIN,
-            key: self::SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_VALUE,
-        );
-
-        $overrideReason = $this->settingsResolver->resolveValue(
-            workspace: $workspace,
-            domain: self::SETTING_DOMAIN,
-            key: self::SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_REASON,
-        );
-
-        $effectiveValue = is_int($overrideValue['value'])
-            ? $overrideValue['value']
-            : (int) $planProfile['managed_tenant_limit_default'];
-
-        $source = $overrideValue['source'] === 'workspace_override'
-            ? 'workspace_override'
-            : 'plan_profile_default';
-
-        $currentUsage = Tenant::activeQuery()
-            ->where('workspace_id', (int) $workspace->getKey())
-            ->count();
-
-        $remainingCapacity = $effectiveValue - $currentUsage;
-        $isBlocked = $currentUsage >= $effectiveValue;
-        $rationale = $source === 'workspace_override'
-            ? (is_string($overrideReason) && $overrideReason !== '' ? $overrideReason : null)
-            : (string) $planProfile['description'];
-
-        return [
-            'workspace_id' => (int) $workspace->getKey(),
-            'plan_profile_id' => (string) $planProfile['id'],
-            'plan_profile_label' => (string) $planProfile['label'],
-            'plan_profile_description' => (string) $planProfile['description'],
-            'key' => self::KEY_MANAGED_TENANT_ACTIVATION_LIMIT,
-            'effective_value' => $effectiveValue,
-            'source' => $source,
-            'rationale' => $rationale,
-            'current_usage' => $currentUsage,
-            'remaining_capacity' => $remainingCapacity,
-            'is_blocked' => $isBlocked,
-            'block_reason' => $isBlocked
-                ? $this->managedTenantLimitBlockReason($currentUsage, $effectiveValue, $source, $planProfile, $rationale)
-                : null,
-            'last_changed_at' => $lastChanged['last_changed_at'],
-            'last_changed_by' => $lastChanged['last_changed_by'],
-        ];
-    }
-
-    /**
-     * @param  array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}  $planProfile
-     * @param  array{last_changed_at: CarbonInterface|null, last_changed_by: string|null}  $lastChanged
-     * @return array{
-     *     workspace_id: int,
-     *     plan_profile_id: string,
-     *     plan_profile_label: string,
-     *     plan_profile_description: string,
-     *     key: string,
-     *     effective_value: bool,
-     *     source: 'plan_profile_default'|'workspace_override',
-     *     rationale: string|null,
-     *     current_usage: null,
-     *     remaining_capacity: null,
-     *     is_blocked: bool,
-     *     block_reason: string|null,
-     *     last_changed_at: CarbonInterface|null,
-     *     last_changed_by: string|null
-     * }
-     */
-    private function resolveReviewPackGenerationDecision(Workspace $workspace, array $planProfile, array $lastChanged): array
-    {
-        $overrideValue = $this->settingsResolver->resolveDetailed(
-            workspace: $workspace,
-            domain: self::SETTING_DOMAIN,
-            key: self::SETTING_REVIEW_PACK_GENERATION_OVERRIDE_VALUE,
-        );
-
-        $overrideReason = $this->settingsResolver->resolveValue(
-            workspace: $workspace,
-            domain: self::SETTING_DOMAIN,
-            key: self::SETTING_REVIEW_PACK_GENERATION_OVERRIDE_REASON,
-        );
-
-        $effectiveValue = is_bool($overrideValue['value'])
-            ? $overrideValue['value']
-            : (bool) $planProfile['review_pack_generation_default'];
-
-        $source = $overrideValue['source'] === 'workspace_override'
-            ? 'workspace_override'
-            : 'plan_profile_default';
-
-        $rationale = $source === 'workspace_override'
-            ? (is_string($overrideReason) && $overrideReason !== '' ? $overrideReason : null)
-            : (string) $planProfile['description'];
-
-        return [
-            'workspace_id' => (int) $workspace->getKey(),
-            'plan_profile_id' => (string) $planProfile['id'],
-            'plan_profile_label' => (string) $planProfile['label'],
-            'plan_profile_description' => (string) $planProfile['description'],
-            'key' => self::KEY_REVIEW_PACK_GENERATION_ENABLED,
-            'effective_value' => $effectiveValue,
-            'source' => $source,
-            'rationale' => $rationale,
-            'current_usage' => null,
-            'remaining_capacity' => null,
-            'is_blocked' => ! $effectiveValue,
-            'block_reason' => $effectiveValue
-                ? null
-                : $this->reviewPackGenerationBlockReason($source, $planProfile, $rationale),
-            'last_changed_at' => $lastChanged['last_changed_at'],
-            'last_changed_by' => $lastChanged['last_changed_by'],
-        ];
-    }
-
-    /**
-     * @return array{last_changed_at: CarbonInterface|null, last_changed_by: string|null}
-     */
-    private function lastChangedMetadata(Workspace $workspace): array
-    {
-        $record = WorkspaceSetting::query()
-            ->where('workspace_id', (int) $workspace->getKey())
-            ->where('domain', self::SETTING_DOMAIN)
-            ->whereIn('key', [
-                self::SETTING_PLAN_PROFILE,
-                self::SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_VALUE,
-                self::SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_REASON,
-                self::SETTING_REVIEW_PACK_GENERATION_OVERRIDE_VALUE,
-                self::SETTING_REVIEW_PACK_GENERATION_OVERRIDE_REASON,
-            ])
-            ->whereNotNull('updated_by_user_id')
-            ->with('updatedByUser:id,name')
-            ->latest('updated_at')
-            ->latest('id')
-            ->first();
-
-        if (! $record instanceof WorkspaceSetting) {
-            return [
-                'last_changed_at' => null,
-                'last_changed_by' => null,
-            ];
-        }
-
-        return [
-            'last_changed_at' => $record->updated_at,
-            'last_changed_by' => $record->updatedByUser?->name,
-        ];
-    }
-
-    /**
-     * @param  array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}  $planProfile
-     */
-    private function managedTenantLimitBlockReason(int $currentUsage, int $effectiveValue, string $source, array $planProfile, ?string $rationale): string
-    {
-        $prefix = $source === 'workspace_override'
-            ? 'This workspace override currently allows'
-            : sprintf('The %s plan profile currently allows', $planProfile['label']);
-
-        $message = sprintf(
-            '%s %d active managed tenant%s, and this workspace already has %d active managed tenant%s.',
-            $prefix,
-            $effectiveValue,
-            $effectiveValue === 1 ? '' : 's',
-            $currentUsage,
-            $currentUsage === 1 ? '' : 's',
-        );
-
-        if ($source === 'workspace_override' && $rationale !== null) {
-            $message .= ' Reason: '.$rationale;
-        }
-
-        return $message;
-    }
-
-    /**
-     * @param  array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}  $planProfile
-     */
-    private function reviewPackGenerationBlockReason(string $source, array $planProfile, ?string $rationale): string
-    {
-        $message = $source === 'workspace_override'
-            ? 'Review pack generation is disabled by workspace override.'
-            : sprintf('Review pack generation is disabled by the %s plan profile.', $planProfile['label']);
-
-        if ($source === 'workspace_override' && $rationale !== null) {
-            $message .= ' Reason: '.$rationale;
-        }
-
-        return $message;
-    }
-}

apps/platform/app/Services/Entitlements/WorkspacePlanProfileCatalog.php

@@ -1,104 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Services\Entitlements;
-
-final class WorkspacePlanProfileCatalog
-{
-    /**
-     * @var array<string, array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}>
-     */
-    private const PROFILES = [
-        'starter' => [
-            'id' => 'starter',
-            'label' => 'Starter',
-            'description' => 'Minimal allowance for early workspace access and low-volume operations.',
-            'managed_tenant_limit_default' => 1,
-            'review_pack_generation_default' => false,
-            'is_default' => false,
-        ],
-        'standard' => [
-            'id' => 'standard',
-            'label' => 'Standard',
-            'description' => 'Balanced defaults for most managed workspaces.',
-            'managed_tenant_limit_default' => 25,
-            'review_pack_generation_default' => true,
-            'is_default' => true,
-        ],
-        'scale' => [
-            'id' => 'scale',
-            'label' => 'Scale',
-            'description' => 'Higher managed-tenant capacity for larger workspace portfolios.',
-            'managed_tenant_limit_default' => 100,
-            'review_pack_generation_default' => true,
-            'is_default' => false,
-        ],
-    ];
-
-    /**
-     * @return list<array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}>
-     */
-    public function all(): array
-    {
-        return array_values(self::PROFILES);
-    }
-
-    /**
-     * @return array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}
-     */
-    public function default(): array
-    {
-        return self::PROFILES[self::defaultProfileId()];
-    }
-
-    /**
-     * @return array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}|null
-     */
-    public function find(?string $id): ?array
-    {
-        if ($id === null) {
-            return null;
-        }
-
-        return self::PROFILES[$id] ?? null;
-    }
-
-    /**
-     * @return array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}
-     */
-    public function resolve(?string $id): array
-    {
-        return $this->find($id) ?? $this->default();
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    public function optionLabels(): array
-    {
-        return array_map(
-            static fn (array $profile): string => $profile['label'],
-            self::PROFILES,
-        );
-    }
-
-    /**
-     * @return list<string>
-     */
-    public static function profileIds(): array
-    {
-        return array_keys(self::PROFILES);
-    }
-
-    public static function defaultProfileId(): string
-    {
-        foreach (self::PROFILES as $id => $profile) {
-            if ($profile['is_default']) {
-                return $id;
-            }
-        }
-
-        throw new \RuntimeException('Workspace plan profile catalog is missing a default profile.');
-    }
-}

apps/platform/app/Services/EntraAdminRoles/EntraAdminRolesFindingGenerator.php

@@ -163,7 +163,7 @@ private function upsertFinding(
             ->first();
 
         if ($existing instanceof Finding) {
-            $this->observeFinding($existing, $tenant, $observedAt, $severity);
+            $this->observeFinding($existing, $observedAt);
 
             $existing->forceFill([
                 'severity' => $severity,
@@ -253,7 +253,7 @@ private function handleGaAggregate(
                 ->first();
 
             if ($existing instanceof Finding) {
-                $this->observeFinding($existing, $tenant, $observedAt, Finding::SEVERITY_HIGH);
+                $this->observeFinding($existing, $observedAt);
 
                 $existing->forceFill([
                     'severity' => Finding::SEVERITY_HIGH,
@@ -380,33 +380,25 @@ private function resolveSlaPolicy(): FindingSlaPolicy
         return $this->slaPolicy ?? app(FindingSlaPolicy::class);
     }
 
-    private function observeFinding(Finding $finding, Tenant $tenant, CarbonImmutable $observedAt, string $severity): void
+    private function observeFinding(Finding $finding, CarbonImmutable $observedAt): void
     {
         if ($finding->first_seen_at === null) {
             $finding->first_seen_at = $observedAt;
         }
 
-        $firstSeenAt = CarbonImmutable::instance($finding->first_seen_at);
-
         $lastSeenAt = $finding->last_seen_at;
         $timesSeen = is_numeric($finding->times_seen) ? (int) $finding->times_seen : 0;
 
         if ($lastSeenAt === null || $observedAt->greaterThan(CarbonImmutable::instance($lastSeenAt))) {
             $finding->last_seen_at = $observedAt;
             $finding->times_seen = max(0, $timesSeen) + 1;
-        } elseif ($timesSeen < 1) {
+
+            return;
+        }
+
+        if ($timesSeen < 1) {
             $finding->times_seen = 1;
         }
-
-        $slaPolicy = $this->resolveSlaPolicy();
-
-        if ($finding->sla_days === null) {
-            $finding->sla_days = $slaPolicy->daysForSeverity($severity, $tenant);
-        }
-
-        if ($finding->due_at === null) {
-            $finding->due_at = $slaPolicy->dueAtForSeverity($severity, $tenant, $firstSeenAt);
-        }
     }
 
     private function produceAlertEvent(Tenant $tenant, string $fingerprint, array $evidence): void

apps/platform/app/Services/Findings/FindingWorkflowService.php

@@ -46,13 +46,17 @@ public static function meaningfulActivityActionValues(): array
 
     public function triage(Finding $finding, Tenant $tenant, User $actor): Finding
     {
-        $this->authorize($finding, $tenant, $actor, [Capabilities::TENANT_FINDINGS_TRIAGE]);
+        $this->authorize($finding, $tenant, $actor, [
+            Capabilities::TENANT_FINDINGS_TRIAGE,
+            Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
+        ]);
 
         $currentStatus = (string) $finding->status;
 
         if (! in_array($currentStatus, [
             Finding::STATUS_NEW,
             Finding::STATUS_REOPENED,
+            Finding::STATUS_ACKNOWLEDGED,
         ], true)) {
             throw new InvalidArgumentException('Finding cannot be triaged from the current status.');
         }
@@ -78,9 +82,12 @@ public function triage(Finding $finding, Tenant $tenant, User $actor): Finding
 
     public function startProgress(Finding $finding, Tenant $tenant, User $actor): Finding
     {
-        $this->authorize($finding, $tenant, $actor, [Capabilities::TENANT_FINDINGS_TRIAGE]);
+        $this->authorize($finding, $tenant, $actor, [
+            Capabilities::TENANT_FINDINGS_TRIAGE,
+            Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
+        ]);
 
-        if ((string) $finding->status !== Finding::STATUS_TRIAGED) {
+        if (! in_array((string) $finding->status, [Finding::STATUS_TRIAGED, Finding::STATUS_ACKNOWLEDGED], true)) {
             throw new InvalidArgumentException('Finding cannot be moved to in-progress from the current status.');
         }
 
@@ -362,7 +369,10 @@ private function riskAcceptWithoutAuthorization(Finding $finding, Tenant $tenant
 
     public function reopen(Finding $finding, Tenant $tenant, User $actor, string $reason): Finding
     {
-        $this->authorize($finding, $tenant, $actor, [Capabilities::TENANT_FINDINGS_TRIAGE]);
+        $this->authorize($finding, $tenant, $actor, [
+            Capabilities::TENANT_FINDINGS_TRIAGE,
+            Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
+        ]);
 
         if (! in_array((string) $finding->status, Finding::terminalStatuses(), true)) {
             throw new InvalidArgumentException('Only terminal findings can be reopened.');

apps/platform/app/Services/Localization/LocaleResolver.php

@@ -1,215 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Services\Localization;
-
-use App\Models\User;
-use App\Models\Workspace;
-use App\Services\Settings\SettingsResolver;
-use App\Support\Workspaces\WorkspaceContext;
-use Illuminate\Http\Request;
-
-class LocaleResolver
-{
-    public const SESSION_OVERRIDE_KEY = 'tenantpilot.locale_override';
-
-    public const REQUEST_ATTRIBUTE = 'tenantpilot.resolved_locale';
-
-    public const SETTING_DOMAIN = 'localization';
-
-    public const SETTING_DEFAULT_LOCALE = 'default_locale';
-
-    public const SOURCE_EXPLICIT_OVERRIDE = 'explicit_override';
-
-    public const SOURCE_USER_PREFERENCE = 'user_preference';
-
-    public const SOURCE_WORKSPACE_DEFAULT = 'workspace_default';
-
-    public const SOURCE_SYSTEM_DEFAULT = 'system_default';
-
-    /**
-     * @var list<string>
-     */
-    private const SUPPORTED_LOCALES = ['en', 'de'];
-
-    public function __construct(
-        private SettingsResolver $settingsResolver,
-        private WorkspaceContext $workspaceContext,
-    ) {}
-
-    /**
-     * @return list<string>
-     */
-    public static function supportedLocales(): array
-    {
-        return self::SUPPORTED_LOCALES;
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    public static function localeOptions(): array
-    {
-        return [
-            'en' => __('localization.locales.en'),
-            'de' => __('localization.locales.de'),
-        ];
-    }
-
-    public static function isSupported(mixed $locale): bool
-    {
-        return self::normalize($locale) !== null;
-    }
-
-    public static function normalize(mixed $locale): ?string
-    {
-        if (! is_string($locale)) {
-            return null;
-        }
-
-        $normalized = strtolower(trim($locale));
-
-        return in_array($normalized, self::SUPPORTED_LOCALES, true) ? $normalized : null;
-    }
-
-    /**
-     * @return array{
-     *     locale: string,
-     *     source: string,
-     *     fallback_locale: string,
-     *     user_preference_locale: ?string,
-     *     workspace_default_locale: ?string,
-     *     machine_artifacts_invariant: true
-     * }
-     */
-    public function resolve(Request $request, ?string $plane = null): array
-    {
-        $plane = $this->normalizePlane($plane, $request);
-
-        $explicitOverride = $this->explicitOverride($request);
-        $systemDefault = (string) config('app.fallback_locale', 'en');
-
-        if ($plane === 'system') {
-            return $this->resolveFromSources(
-                explicitOverride: $explicitOverride,
-                userPreference: null,
-                workspaceDefault: null,
-                systemDefault: $systemDefault,
-                includeUserPreference: false,
-                includeWorkspaceDefault: false,
-            );
-        }
-
-        $user = $request->user();
-        $userPreference = $user instanceof User ? $user->preferred_locale : null;
-        $workspaceDefault = $this->workspaceDefault($request);
-
-        return $this->resolveFromSources(
-            explicitOverride: $explicitOverride,
-            userPreference: $userPreference,
-            workspaceDefault: $workspaceDefault,
-            systemDefault: $systemDefault,
-            includeUserPreference: true,
-            includeWorkspaceDefault: true,
-        );
-    }
-
-    /**
-     * @return array{
-     *     locale: string,
-     *     source: string,
-     *     fallback_locale: string,
-     *     user_preference_locale: ?string,
-     *     workspace_default_locale: ?string,
-     *     machine_artifacts_invariant: true
-     * }
-     */
-    public function resolveFromSources(
-        mixed $explicitOverride,
-        mixed $userPreference,
-        mixed $workspaceDefault,
-        mixed $systemDefault,
-        bool $includeUserPreference = true,
-        bool $includeWorkspaceDefault = true,
-    ): array {
-        $fallbackLocale = self::normalize(config('app.fallback_locale', 'en')) ?? 'en';
-
-        $candidates = [
-            self::SOURCE_EXPLICIT_OVERRIDE => self::normalize($explicitOverride),
-        ];
-
-        if ($includeUserPreference) {
-            $candidates[self::SOURCE_USER_PREFERENCE] = self::normalize($userPreference);
-        }
-
-        if ($includeWorkspaceDefault) {
-            $candidates[self::SOURCE_WORKSPACE_DEFAULT] = self::normalize($workspaceDefault);
-        }
-
-        $candidates[self::SOURCE_SYSTEM_DEFAULT] = self::normalize($systemDefault) ?? $fallbackLocale;
-
-        foreach ($candidates as $source => $locale) {
-            if ($locale !== null) {
-                return [
-                    'locale' => $locale,
-                    'source' => $source,
-                    'fallback_locale' => $fallbackLocale,
-                    'user_preference_locale' => $includeUserPreference ? self::normalize($userPreference) : null,
-                    'workspace_default_locale' => $includeWorkspaceDefault ? self::normalize($workspaceDefault) : null,
-                    'machine_artifacts_invariant' => true,
-                ];
-            }
-        }
-
-        return [
-            'locale' => $fallbackLocale,
-            'source' => self::SOURCE_SYSTEM_DEFAULT,
-            'fallback_locale' => $fallbackLocale,
-            'user_preference_locale' => $includeUserPreference ? self::normalize($userPreference) : null,
-            'workspace_default_locale' => $includeWorkspaceDefault ? self::normalize($workspaceDefault) : null,
-            'machine_artifacts_invariant' => true,
-        ];
-    }
-
-    private function explicitOverride(Request $request): ?string
-    {
-        $queryLocale = self::normalize($request->query('locale'));
-
-        if ($queryLocale !== null) {
-            return $queryLocale;
-        }
-
-        if (! $request->hasSession()) {
-            return null;
-        }
-
-        return self::normalize($request->session()->get(self::SESSION_OVERRIDE_KEY));
-    }
-
-    private function workspaceDefault(Request $request): ?string
-    {
-        $workspace = $this->workspaceContext->currentWorkspace($request);
-
-        if (! $workspace instanceof Workspace) {
-            return null;
-        }
-
-        return self::normalize($this->settingsResolver->resolveValue(
-            workspace: $workspace,
-            domain: self::SETTING_DOMAIN,
-            key: self::SETTING_DEFAULT_LOCALE,
-        ));
-    }
-
-    private function normalizePlane(?string $plane, Request $request): string
-    {
-        $plane = strtolower(trim((string) $plane));
-
-        if (in_array($plane, ['admin', 'tenant', 'system'], true)) {
-            return $plane;
-        }
-
-        return $request->is('system', 'system/*') ? 'system' : 'admin';
-    }
-}

apps/platform/app/Services/PermissionPosture/PermissionPostureFindingGenerator.php

@@ -140,7 +140,7 @@ private function handleMissingPermission(
             ->first();
 
         if ($finding instanceof Finding) {
-            $this->observeFinding($finding, $tenant, $observedAt, $severity);
+            $this->observeFinding($finding, $observedAt);
 
             $finding->forceFill([
                 'severity' => $severity,
@@ -216,7 +216,7 @@ private function handleErrorPermission(
             ->first();
 
         if ($existing instanceof Finding) {
-            $this->observeFinding($existing, $tenant, $observedAt, $severity);
+            $this->observeFinding($existing, $observedAt);
 
             $existing->forceFill([
                 'severity' => $severity,
@@ -349,31 +349,25 @@ private function resolveObservedAt(array $comparison, ?OperationRun $operationRu
         return CarbonImmutable::now();
     }
 
-    private function observeFinding(Finding $finding, Tenant $tenant, CarbonImmutable $observedAt, string $severity): void
+    private function observeFinding(Finding $finding, CarbonImmutable $observedAt): void
     {
         if ($finding->first_seen_at === null) {
             $finding->first_seen_at = $observedAt;
         }
 
-        $firstSeenAt = CarbonImmutable::instance($finding->first_seen_at);
-
         $lastSeenAt = $finding->last_seen_at;
         $timesSeen = is_numeric($finding->times_seen) ? (int) $finding->times_seen : 0;
 
         if ($lastSeenAt === null || $observedAt->greaterThan(CarbonImmutable::instance($lastSeenAt))) {
             $finding->last_seen_at = $observedAt;
             $finding->times_seen = max(0, $timesSeen) + 1;
-        } elseif ($timesSeen < 1) {
+
+            return;
+        }
+
+        if ($timesSeen < 1) {
             $finding->times_seen = 1;
         }
-
-        if ($finding->sla_days === null) {
-            $finding->sla_days = $this->slaPolicy->daysForSeverity($severity, $tenant);
-        }
-
-        if ($finding->due_at === null) {
-            $finding->due_at = $this->slaPolicy->dueAtForSeverity($severity, $tenant, $firstSeenAt);
-        }
     }
 
     /**

apps/platform/app/Services/ReviewPackService.php

@@ -4,7 +4,6 @@
 
 namespace App\Services;
 
-use App\Exceptions\Entitlements\WorkspaceEntitlementBlockedException;
 use App\Exceptions\ReviewPackEvidenceResolutionException;
 use App\Jobs\GenerateReviewPackJob;
 use App\Models\EvidenceSnapshot;
@@ -14,7 +13,6 @@
 use App\Models\TenantReview;
 use App\Models\User;
 use App\Services\Audit\WorkspaceAuditLogger;
-use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Services\Evidence\EvidenceResolutionRequest;
 use App\Services\Evidence\EvidenceSnapshotResolver;
 use App\Support\Audit\AuditActionId;
@@ -30,7 +28,6 @@ public function __construct(
         private OperationRunService $operationRunService,
         private EvidenceSnapshotResolver $snapshotResolver,
         private WorkspaceAuditLogger $auditLogger,
-        private WorkspaceCommercialLifecycleResolver $workspaceCommercialLifecycleResolver,
         private ProductTelemetryRecorder $productTelemetryRecorder,
     ) {}
 
@@ -52,8 +49,6 @@ public function __construct(
      */
     public function generate(Tenant $tenant, User $user, array $options = []): ReviewPack
     {
-        $this->assertReviewPackGenerationAllowed($tenant);
-
         $options = $this->normalizeOptions($options);
         $snapshot = $this->resolveSnapshot($tenant);
         $fingerprint = $this->computeFingerprintForSnapshot($snapshot, $options);
@@ -143,8 +138,6 @@ public function generateFromReview(TenantReview $review, User $user, array $opti
             throw new \InvalidArgumentException('Review exports require an anchored evidence snapshot.');
         }
 
-        $this->assertReviewPackGenerationAllowed($tenant);
-
         $options = $this->normalizeOptions($options);
         $fingerprint = $this->computeFingerprintForReview($review, $options);
         $existing = $this->findExistingPackForReview($review, $fingerprint);
@@ -234,43 +227,18 @@ public function computeFingerprint(Tenant $tenant, array $options): string
 
     /**
      * Generate a signed download URL for a review pack.
-     *
-     * @param  array<string, scalar|null>  $parameters
      */
-    public function generateDownloadUrl(ReviewPack $pack, array $parameters = []): string
+    public function generateDownloadUrl(ReviewPack $pack): string
     {
         $ttlMinutes = (int) config('tenantpilot.review_pack.download_url_ttl_minutes', 60);
 
         return URL::signedRoute(
             'admin.review-packs.download',
-            array_merge(['reviewPack' => $pack->getKey()], $parameters),
+            ['reviewPack' => $pack->getKey()],
             now()->addMinutes($ttlMinutes),
         );
     }
 
-    /**
-     * @return array<string, mixed>
-     */
-    public function reviewPackGenerationDecisionForTenant(Tenant $tenant): array
-    {
-        $tenant->loadMissing('workspace');
-        $decision = $this->workspaceCommercialLifecycleResolver->actionDecision(
-            $tenant->workspace,
-            WorkspaceCommercialLifecycleResolver::ACTION_REVIEW_PACK_START,
-        );
-
-        $entitlementDecision = is_array($decision['entitlement_decision'] ?? null)
-            ? $decision['entitlement_decision']
-            : [];
-
-        return $decision + [
-            'effective_value' => $entitlementDecision['effective_value'] ?? null,
-            'source' => $decision['source'] ?? null,
-            'current_usage' => $entitlementDecision['current_usage'] ?? null,
-            'remaining_capacity' => $entitlementDecision['remaining_capacity'] ?? null,
-        ];
-    }
-
     private function recordReviewPackRequestTelemetry(ReviewPack $reviewPack, User $user, string $sourceSurface): void
     {
         $this->productTelemetryRecorder->record(
@@ -346,17 +314,6 @@ private function normalizeOptions(array $options): array
         ];
     }
 
-    private function assertReviewPackGenerationAllowed(Tenant $tenant): void
-    {
-        $decision = $this->reviewPackGenerationDecisionForTenant($tenant);
-
-        if (! (bool) ($decision['is_blocked'] ?? false)) {
-            return;
-        }
-
-        throw new WorkspaceEntitlementBlockedException($decision);
-    }
-
     private function computeFingerprintForSnapshot(EvidenceSnapshot $snapshot, array $options): string
     {
         $data = [

apps/platform/app/Services/Runbooks/FindingsLifecycleBackfillRunbookService.php

@@ -0,0 +1,739 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Runbooks;
+
+use App\Jobs\BackfillFindingLifecycleJob;
+use App\Jobs\BackfillFindingLifecycleWorkspaceJob;
+use App\Models\Finding;
+use App\Models\OperationRun;
+use App\Models\PlatformUser;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Models\Workspace;
+use App\Notifications\OperationRunCompleted;
+use App\Services\Alerts\AlertDispatchService;
+use App\Services\Audit\AuditRecorder;
+use App\Services\Audit\WorkspaceAuditLogger;
+use App\Services\Auth\BreakGlassSession;
+use App\Services\Intune\AuditLogger;
+use App\Services\OperationRunService;
+use App\Services\System\AllowedTenantUniverse;
+use App\Support\Audit\AuditActionId;
+use App\Support\Audit\AuditActorSnapshot;
+use App\Support\Audit\AuditTargetSnapshot;
+use App\Support\OperationCatalog;
+use App\Support\OperationRunOutcome;
+use App\Support\OperationRunStatus;
+use App\Support\OperationalControls\OperationalControlBlockedException;
+use App\Support\OperationalControls\OperationalControlEvaluator;
+use App\Support\System\SystemOperationRunLinks;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Validation\ValidationException;
+use Throwable;
+
+class FindingsLifecycleBackfillRunbookService
+{
+    public const string RUNBOOK_KEY = 'findings.lifecycle.backfill';
+
+    public function __construct(
+        private readonly AllowedTenantUniverse $allowedTenantUniverse,
+        private readonly BreakGlassSession $breakGlassSession,
+        private readonly OperationRunService $operationRunService,
+        private readonly AuditLogger $auditLogger,
+        private readonly AlertDispatchService $alertDispatchService,
+        private readonly OperationalControlEvaluator $operationalControls,
+        private readonly AuditRecorder $auditRecorder,
+        private readonly WorkspaceAuditLogger $workspaceAuditLogger,
+    ) {}
+
+    /**
+     * @return array{affected_count: int, total_count: int, estimated_tenants?: int|null}
+     */
+    public function preflight(FindingsLifecycleBackfillScope $scope): array
+    {
+        $result = $this->computePreflight($scope);
+
+        $this->auditSafely(
+            action: 'platform.ops.runbooks.preflight',
+            scope: $scope,
+            operationRunId: null,
+            initiator: null,
+            context: [
+                'preflight' => $result,
+            ],
+        );
+
+        return $result;
+    }
+
+    public function start(
+        FindingsLifecycleBackfillScope $scope,
+        User|PlatformUser|null $initiator,
+        ?RunbookReason $reason,
+        string $source,
+    ): OperationRun {
+        $source = trim($source);
+
+        if ($source === '') {
+            throw ValidationException::withMessages([
+                'source' => 'A run source is required.',
+            ]);
+        }
+
+        $isBreakGlassActive = $this->breakGlassSession->isActive();
+
+        if ($scope->isAllTenants() || $isBreakGlassActive) {
+            if (! $reason instanceof RunbookReason) {
+                throw ValidationException::withMessages([
+                    'reason' => 'A reason is required for this run.',
+                ]);
+            }
+        }
+
+        $preflight = $this->computePreflight($scope);
+
+        if (($preflight['affected_count'] ?? 0) <= 0) {
+            throw ValidationException::withMessages([
+                'preflight.affected_count' => 'Nothing to do for this scope.',
+            ]);
+        }
+
+        $workspace = null;
+        $tenant = null;
+
+        if ($scope->isSingleTenant()) {
+            $tenant = Tenant::query()->whereKey((int) $scope->tenantId)->firstOrFail();
+            $this->allowedTenantUniverse->ensureAllowed($tenant);
+
+            $workspace = $tenant->workspace;
+        } else {
+            $platformTenant = $this->platformTenant();
+            $workspace = $platformTenant->workspace;
+        }
+
+        if (! $workspace instanceof Workspace) {
+            throw new \RuntimeException('Platform tenant is missing its workspace.');
+        }
+
+        $decision = $this->operationalControls->evaluate(self::RUNBOOK_KEY, $workspace);
+
+        if ($decision->isPaused()) {
+            $this->auditBlockedStart(
+                decision: $decision,
+                scope: $scope,
+                workspace: $workspace,
+                tenant: $tenant,
+                initiator: $initiator,
+                source: $source,
+            );
+
+            throw OperationalControlBlockedException::forDecision(
+                decision: $decision,
+                actionLabel: OperationCatalog::label(self::RUNBOOK_KEY),
+            );
+        }
+
+        if ($scope->isAllTenants()) {
+            $lockKey = sprintf('tenantpilot:runbooks:%s:workspace:%d', self::RUNBOOK_KEY, (int) $workspace->getKey());
+            $lock = Cache::lock($lockKey, 900);
+
+            if (! $lock->get()) {
+                throw ValidationException::withMessages([
+                    'scope' => 'Another run is already in progress for this scope.',
+                ]);
+            }
+
+            try {
+                return $this->startAllTenants(
+                    workspace: $workspace,
+                    initiator: $initiator,
+                    reason: $reason,
+                    preflight: $preflight,
+                    source: $source,
+                    isBreakGlassActive: $isBreakGlassActive,
+                );
+            } finally {
+                $lock->release();
+            }
+        }
+
+        return $this->startSingleTenant(
+            tenant: $tenant,
+            initiator: $initiator,
+            reason: $reason,
+            preflight: $preflight,
+            source: $source,
+            isBreakGlassActive: $isBreakGlassActive,
+        );
+    }
+
+    public function maybeFinalize(OperationRun $run): void
+    {
+        $run->refresh();
+
+        if ($run->status !== OperationRunStatus::Completed->value) {
+            return;
+        }
+
+        $context = is_array($run->context) ? $run->context : [];
+
+        if ((string) data_get($context, 'runbook.key') !== self::RUNBOOK_KEY) {
+            return;
+        }
+
+        $lockKey = sprintf('tenantpilot:runbooks:%s:finalize:%d', self::RUNBOOK_KEY, (int) $run->getKey());
+        $lock = Cache::lock($lockKey, 86400);
+
+        if (! $lock->get()) {
+            return;
+        }
+
+        try {
+            $this->auditSafely(
+                action: $run->outcome === OperationRunOutcome::Failed->value
+                    ? 'platform.ops.runbooks.failed'
+                    : 'platform.ops.runbooks.completed',
+                scope: $this->scopeFromRunContext($context),
+                operationRunId: (int) $run->getKey(),
+                context: [
+                    'status' => (string) $run->status,
+                    'outcome' => (string) $run->outcome,
+                    'is_break_glass' => (bool) data_get($context, 'platform_initiator.is_break_glass', false),
+                    'reason_code' => data_get($context, 'reason.reason_code'),
+                    'reason_text' => data_get($context, 'reason.reason_text'),
+                ],
+            );
+
+            $this->notifyInitiatorSafely($run);
+
+            if ($run->outcome === OperationRunOutcome::Failed->value) {
+                $this->dispatchFailureAlertSafely($run);
+            }
+        } finally {
+            $lock->release();
+        }
+    }
+
+    /**
+     * @return array{affected_count: int, total_count: int, estimated_tenants?: int|null}
+     */
+    private function computePreflight(FindingsLifecycleBackfillScope $scope): array
+    {
+        if ($scope->isSingleTenant()) {
+            $tenant = Tenant::query()->whereKey((int) $scope->tenantId)->firstOrFail();
+            $this->allowedTenantUniverse->ensureAllowed($tenant);
+
+            return $this->computeTenantPreflight($tenant);
+        }
+
+        $platformTenant = $this->platformTenant();
+        $workspaceId = (int) ($platformTenant->workspace_id ?? 0);
+
+        $tenants = $this->allowedTenantUniverse
+            ->query()
+            ->where('workspace_id', $workspaceId)
+            ->orderBy('id')
+            ->get();
+
+        $affected = 0;
+        $total = 0;
+
+        foreach ($tenants as $tenant) {
+            if (! $tenant instanceof Tenant) {
+                continue;
+            }
+
+            $counts = $this->computeTenantPreflight($tenant);
+
+            $affected += (int) ($counts['affected_count'] ?? 0);
+            $total += (int) ($counts['total_count'] ?? 0);
+        }
+
+        return [
+            'affected_count' => $affected,
+            'total_count' => $total,
+            'estimated_tenants' => $tenants->count(),
+        ];
+    }
+
+    /**
+     * @return array{affected_count: int, total_count: int}
+     */
+    private function computeTenantPreflight(Tenant $tenant): array
+    {
+        $query = Finding::query()->where('tenant_id', (int) $tenant->getKey());
+
+        $total = (int) (clone $query)->count();
+
+        $affected = 0;
+
+        (clone $query)
+            ->orderBy('id')
+            ->chunkById(500, function ($findings) use (&$affected): void {
+                foreach ($findings as $finding) {
+                    if (! $finding instanceof Finding) {
+                        continue;
+                    }
+
+                    if ($this->findingNeedsBackfill($finding)) {
+                        $affected++;
+                    }
+                }
+            });
+
+        $affected += $this->countDriftDuplicateConsolidations($tenant);
+
+        return [
+            'affected_count' => $affected,
+            'total_count' => $total,
+        ];
+    }
+
+    private function findingNeedsBackfill(Finding $finding): bool
+    {
+        if ($finding->first_seen_at === null || $finding->last_seen_at === null) {
+            return true;
+        }
+
+        if ($finding->last_seen_at !== null && $finding->first_seen_at !== null) {
+            if ($finding->last_seen_at->lt($finding->first_seen_at)) {
+                return true;
+            }
+        }
+
+        $timesSeen = is_numeric($finding->times_seen) ? (int) $finding->times_seen : 0;
+
+        if ($timesSeen < 1) {
+            return true;
+        }
+
+        if ($finding->status === Finding::STATUS_ACKNOWLEDGED) {
+            return true;
+        }
+
+        if (Finding::isOpenStatus((string) $finding->status)) {
+            if ($finding->sla_days === null || $finding->due_at === null) {
+                return true;
+            }
+        }
+
+        if ($finding->finding_type === Finding::FINDING_TYPE_DRIFT) {
+            $recurrenceKey = $finding->recurrence_key !== null ? trim((string) $finding->recurrence_key) : '';
+
+            if ($recurrenceKey === '') {
+                $scopeKey = trim((string) ($finding->scope_key ?? ''));
+                $subjectType = trim((string) ($finding->subject_type ?? ''));
+                $subjectExternalId = trim((string) ($finding->subject_external_id ?? ''));
+
+                if ($scopeKey !== '' && $subjectType !== '' && $subjectExternalId !== '') {
+                    $evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];
+                    $kind = data_get($evidence, 'summary.kind');
+
+                    if (is_string($kind) && trim($kind) !== '') {
+                        return true;
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
+    private function countDriftDuplicateConsolidations(Tenant $tenant): int
+    {
+        $rows = Finding::query()
+            ->where('tenant_id', (int) $tenant->getKey())
+            ->where('finding_type', Finding::FINDING_TYPE_DRIFT)
+            ->whereNotNull('recurrence_key')
+            ->select(['recurrence_key', DB::raw('COUNT(*) as count')])
+            ->groupBy('recurrence_key')
+            ->havingRaw('COUNT(*) > 1')
+            ->get();
+
+        $duplicates = 0;
+
+        foreach ($rows as $row) {
+            $count = is_numeric($row->count ?? null) ? (int) $row->count : 0;
+
+            if ($count > 1) {
+                $duplicates += ($count - 1);
+            }
+        }
+
+        return $duplicates;
+    }
+
+    private function startAllTenants(
+        Workspace $workspace,
+        User|PlatformUser|null $initiator,
+        ?RunbookReason $reason,
+        array $preflight,
+        string $source,
+        bool $isBreakGlassActive,
+    ): OperationRun {
+        $run = $this->operationRunService->ensureWorkspaceRunWithIdentity(
+            workspace: $workspace,
+            type: self::RUNBOOK_KEY,
+            identityInputs: [
+                'runbook' => self::RUNBOOK_KEY,
+                'scope' => FindingsLifecycleBackfillScope::MODE_ALL_TENANTS,
+            ],
+            context: $this->buildRunContext(
+                workspaceId: (int) $workspace->getKey(),
+                scope: FindingsLifecycleBackfillScope::allTenants(),
+                initiator: $initiator,
+                reason: $reason,
+                preflight: $preflight,
+                source: $source,
+                isBreakGlassActive: $isBreakGlassActive,
+            ),
+            initiator: $initiator instanceof User ? $initiator : null,
+        );
+
+        if ($initiator instanceof PlatformUser && $run->wasRecentlyCreated) {
+            $run->update(['initiator_name' => $initiator->name ?: $initiator->email]);
+            $run->refresh();
+        }
+
+        $this->auditSafely(
+            action: 'platform.ops.runbooks.start',
+            scope: FindingsLifecycleBackfillScope::allTenants(),
+            operationRunId: (int) $run->getKey(),
+            initiator: $initiator,
+            context: [
+                'preflight' => $preflight,
+                'is_break_glass' => $isBreakGlassActive,
+            ] + ($reason instanceof RunbookReason ? $reason->toArray() : []),
+        );
+
+        if (! $run->wasRecentlyCreated) {
+            return $run;
+        }
+
+        $this->operationRunService->dispatchOrFail($run, function () use ($run, $workspace): void {
+            BackfillFindingLifecycleWorkspaceJob::dispatch(
+                operationRunId: (int) $run->getKey(),
+                workspaceId: (int) $workspace->getKey(),
+            );
+        });
+
+        return $run;
+    }
+
+    private function startSingleTenant(
+        ?Tenant $tenant,
+        User|PlatformUser|null $initiator,
+        ?RunbookReason $reason,
+        array $preflight,
+        string $source,
+        bool $isBreakGlassActive,
+    ): OperationRun {
+        if (! $tenant instanceof Tenant) {
+            throw new \RuntimeException('Target tenant is required for single-tenant runs.');
+        }
+
+        $run = $this->operationRunService->ensureRunWithIdentity(
+            tenant: $tenant,
+            type: self::RUNBOOK_KEY,
+            identityInputs: [
+                'tenant_id' => (int) $tenant->getKey(),
+                'trigger' => 'backfill',
+            ],
+            context: $this->buildRunContext(
+                workspaceId: (int) $tenant->workspace_id,
+                scope: FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey()),
+                initiator: $initiator,
+                reason: $reason,
+                preflight: $preflight,
+                source: $source,
+                isBreakGlassActive: $isBreakGlassActive,
+            ),
+            initiator: $initiator instanceof User ? $initiator : null,
+        );
+
+        if ($initiator instanceof PlatformUser && $run->wasRecentlyCreated) {
+            $run->update(['initiator_name' => $initiator->name ?: $initiator->email]);
+            $run->refresh();
+        }
+
+        $this->auditSafely(
+            action: 'platform.ops.runbooks.start',
+            scope: FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey()),
+            operationRunId: (int) $run->getKey(),
+            initiator: $initiator,
+            context: [
+                'preflight' => $preflight,
+                'is_break_glass' => $isBreakGlassActive,
+            ] + ($reason instanceof RunbookReason ? $reason->toArray() : []),
+        );
+
+        if (! $run->wasRecentlyCreated) {
+            return $run;
+        }
+
+        $this->operationRunService->dispatchOrFail($run, function () use ($tenant): void {
+            BackfillFindingLifecycleJob::dispatch(
+                tenantId: (int) $tenant->getKey(),
+                workspaceId: (int) $tenant->workspace_id,
+                initiatorUserId: null,
+            );
+        });
+
+        return $run;
+    }
+
+    private function platformTenant(): Tenant
+    {
+        $tenant = Tenant::query()->where('external_id', 'platform')->first();
+
+        if (! $tenant instanceof Tenant) {
+            throw new \RuntimeException('Platform tenant is missing.');
+        }
+
+        return $tenant;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private function buildRunContext(
+        int $workspaceId,
+        FindingsLifecycleBackfillScope $scope,
+        User|PlatformUser|null $initiator,
+        ?RunbookReason $reason,
+        array $preflight,
+        string $source,
+        bool $isBreakGlassActive,
+    ): array {
+        $context = [
+            'workspace_id' => $workspaceId,
+            'runbook' => [
+                'key' => self::RUNBOOK_KEY,
+                'scope' => $scope->mode,
+                'target_tenant_id' => $scope->tenantId,
+                'source' => $source,
+            ],
+            'preflight' => [
+                'affected_count' => (int) ($preflight['affected_count'] ?? 0),
+                'total_count' => (int) ($preflight['total_count'] ?? 0),
+                'estimated_tenants' => $preflight['estimated_tenants'] ?? null,
+            ],
+        ];
+
+        if ($reason instanceof RunbookReason) {
+            $context['reason'] = $reason->toArray();
+        }
+
+        if ($initiator instanceof PlatformUser) {
+            $context['platform_initiator'] = [
+                'platform_user_id' => (int) $initiator->getKey(),
+                'email' => (string) $initiator->email,
+                'name' => (string) $initiator->name,
+                'is_break_glass' => $isBreakGlassActive,
+            ];
+        } elseif ($initiator instanceof User) {
+            $context['tenant_initiator'] = [
+                'user_id' => (int) $initiator->getKey(),
+                'email' => (string) $initiator->email,
+                'name' => (string) $initiator->name,
+            ];
+        }
+
+        return $context;
+    }
+
+    private function scopeFromRunContext(array $context): FindingsLifecycleBackfillScope
+    {
+        $scope = data_get($context, 'runbook.scope');
+        $tenantId = data_get($context, 'runbook.target_tenant_id');
+
+        if ($scope === FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT && is_numeric($tenantId)) {
+            return FindingsLifecycleBackfillScope::singleTenant((int) $tenantId);
+        }
+
+        return FindingsLifecycleBackfillScope::allTenants();
+    }
+
+    /**
+     * @param  array<string, mixed>  $context
+     */
+    private function auditSafely(
+        string $action,
+        FindingsLifecycleBackfillScope $scope,
+        ?int $operationRunId,
+        User|PlatformUser|null $initiator,
+        array $context = [],
+    ): void {
+        try {
+            $metadata = [
+                'runbook_key' => self::RUNBOOK_KEY,
+                'scope' => $scope->mode,
+                'target_tenant_id' => $scope->tenantId,
+                'operation_run_id' => $operationRunId,
+                'ip' => request()->ip(),
+                'user_agent' => request()->userAgent(),
+            ];
+
+            if ($initiator instanceof User && $scope->isSingleTenant()) {
+                $tenant = Tenant::query()->whereKey((int) $scope->tenantId)->first();
+
+                if ($tenant instanceof Tenant) {
+                    $this->auditLogger->log(
+                        tenant: $tenant,
+                        action: $action,
+                        context: [
+                            'metadata' => array_filter($metadata, static fn (mixed $value): bool => $value !== null),
+                        ] + $context,
+                        actorId: (int) $initiator->getKey(),
+                        actorEmail: (string) $initiator->email,
+                        actorName: (string) $initiator->name,
+                        status: 'success',
+                        resourceType: 'operation_run',
+                        resourceId: $operationRunId !== null ? (string) $operationRunId : null,
+                    );
+
+                    return;
+                }
+            }
+
+            $platformTenant = $this->platformTenant();
+            $platformActor = $initiator instanceof PlatformUser
+                ? $initiator
+                : auth('platform')->user();
+
+            $actorId = $platformActor instanceof PlatformUser ? (int) $platformActor->getKey() : null;
+            $actorEmail = $platformActor instanceof PlatformUser ? (string) $platformActor->email : null;
+            $actorName = $platformActor instanceof PlatformUser ? (string) $platformActor->name : null;
+
+            $this->auditLogger->log(
+                tenant: $platformTenant,
+                action: $action,
+                context: [
+                    'metadata' => array_filter($metadata, static fn (mixed $value): bool => $value !== null),
+                ] + $context,
+                actorId: $actorId,
+                actorEmail: $actorEmail,
+                actorName: $actorName,
+                status: 'success',
+                resourceType: 'operation_run',
+                resourceId: $operationRunId !== null ? (string) $operationRunId : null,
+            );
+        } catch (Throwable) {
+            // Audit is fail-safe (must not crash runbooks).
+        }
+    }
+
+    private function auditBlockedStart(
+        \App\Support\OperationalControls\OperationalControlDecision $decision,
+        FindingsLifecycleBackfillScope $scope,
+        Workspace $workspace,
+        ?Tenant $tenant,
+        User|PlatformUser|null $initiator,
+        string $source,
+    ): void {
+        try {
+            $metadata = array_filter([
+                'control_key' => $decision->controlKey,
+                'scope_type' => $decision->matchedScopeType,
+                'workspace_id' => (int) $workspace->getKey(),
+                'reason_text' => $decision->reasonText,
+                'expires_at' => $decision->expiresAt?->toIso8601String(),
+                'actor_id' => $initiator instanceof User || $initiator instanceof PlatformUser ? (int) $initiator->getKey() : null,
+                'requested_scope' => $scope->mode,
+                'target_tenant_id' => $scope->tenantId,
+                'source' => $source,
+                'runbook_key' => self::RUNBOOK_KEY,
+            ], static fn (mixed $value): bool => $value !== null && $value !== '');
+
+            $summary = sprintf('%s blocked by operational control', OperationCatalog::label(self::RUNBOOK_KEY));
+
+            if ($scope->isAllTenants()) {
+                $this->auditRecorder->record(
+                    action: AuditActionId::OperationalControlExecutionBlocked,
+                    context: ['metadata' => $metadata],
+                    actor: $initiator instanceof PlatformUser ? AuditActorSnapshot::platform($initiator) : null,
+                    target: new AuditTargetSnapshot(
+                        type: 'operational_control',
+                        id: $decision->sourceActivationId,
+                        label: OperationCatalog::label(self::RUNBOOK_KEY),
+                    ),
+                    outcome: 'blocked',
+                    summary: $summary,
+                );
+
+                return;
+            }
+
+            if (! $tenant instanceof Tenant) {
+                return;
+            }
+
+            $this->workspaceAuditLogger->log(
+                workspace: $workspace,
+                action: AuditActionId::OperationalControlExecutionBlocked,
+                context: ['metadata' => $metadata],
+                actor: $initiator,
+                status: 'blocked',
+                resourceType: 'operational_control',
+                resourceId: $decision->sourceActivationId !== null ? (string) $decision->sourceActivationId : null,
+                targetLabel: OperationCatalog::label(self::RUNBOOK_KEY),
+                summary: $summary,
+                tenant: $tenant,
+            );
+        } catch (Throwable) {
+            // Audit is fail-safe (must not crash runbooks).
+        }
+    }
+
+    private function notifyInitiatorSafely(OperationRun $run): void
+    {
+        try {
+            $platformUserId = data_get($run->context, 'platform_initiator.platform_user_id');
+
+            if (! is_numeric($platformUserId)) {
+                return;
+            }
+
+            $platformUser = PlatformUser::query()->whereKey((int) $platformUserId)->first();
+
+            if (! $platformUser instanceof PlatformUser) {
+                return;
+            }
+
+            $platformUser->notify(new OperationRunCompleted($run));
+        } catch (Throwable) {
+            // Notifications must not crash the runbook.
+        }
+    }
+
+    private function dispatchFailureAlertSafely(OperationRun $run): void
+    {
+        try {
+            $platformTenant = $this->platformTenant();
+            $workspace = $platformTenant->workspace;
+
+            if (! $workspace instanceof Workspace) {
+                return;
+            }
+
+            $this->alertDispatchService->dispatchEvent($workspace, [
+                'tenant_id' => (int) $platformTenant->getKey(),
+                'event_type' => 'operations.run.failed',
+                'severity' => 'high',
+                'title' => 'Operation failed: Findings lifecycle backfill',
+                'body' => 'A findings lifecycle backfill run failed.',
+                'metadata' => [
+                    'operation_run_id' => (int) $run->getKey(),
+                    'operation_type' => $run->canonicalOperationType(),
+                    'scope' => (string) data_get($run->context, 'runbook.scope', ''),
+                    'view_run_url' => SystemOperationRunLinks::view($run),
+                ],
+            ]);
+        } catch (Throwable) {
+            // Alerts must not crash the runbook.
+        }
+    }
+}

apps/platform/app/Services/Runbooks/FindingsLifecycleBackfillScope.php

@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Runbooks;
+
+use Illuminate\Validation\ValidationException;
+
+final readonly class FindingsLifecycleBackfillScope
+{
+    public const string MODE_ALL_TENANTS = 'all_tenants';
+
+    public const string MODE_SINGLE_TENANT = 'single_tenant';
+
+    private function __construct(
+        public string $mode,
+        public ?int $tenantId,
+    ) {}
+
+    public static function allTenants(): self
+    {
+        return new self(
+            mode: self::MODE_ALL_TENANTS,
+            tenantId: null,
+        );
+    }
+
+    public static function singleTenant(int $tenantId): self
+    {
+        $tenantId = (int) $tenantId;
+
+        if ($tenantId <= 0) {
+            throw ValidationException::withMessages([
+                'scope.tenant_id' => 'Select a valid tenant.',
+            ]);
+        }
+
+        return new self(
+            mode: self::MODE_SINGLE_TENANT,
+            tenantId: $tenantId,
+        );
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    public static function fromArray(array $data): self
+    {
+        $mode = trim((string) ($data['mode'] ?? ''));
+
+        if ($mode === '' || $mode === self::MODE_ALL_TENANTS) {
+            return self::allTenants();
+        }
+
+        if ($mode !== self::MODE_SINGLE_TENANT) {
+            throw ValidationException::withMessages([
+                'scope.mode' => 'Select a valid scope mode.',
+            ]);
+        }
+
+        $tenantId = $data['tenant_id'] ?? null;
+
+        if (! is_numeric($tenantId)) {
+            throw ValidationException::withMessages([
+                'scope.tenant_id' => 'Select a tenant.',
+            ]);
+        }
+
+        return self::singleTenant((int) $tenantId);
+    }
+
+    public function isAllTenants(): bool
+    {
+        return $this->mode === self::MODE_ALL_TENANTS;
+    }
+
+    public function isSingleTenant(): bool
+    {
+        return $this->mode === self::MODE_SINGLE_TENANT;
+    }
+}

apps/platform/app/Services/Settings/SettingsWriter.php

@@ -4,7 +4,6 @@
 
 namespace App\Services\Settings;
 
-use App\Models\PlatformUser;
 use App\Models\Tenant;
 use App\Models\TenantSetting;
 use App\Models\User;
@@ -12,14 +11,11 @@
 use App\Models\WorkspaceSetting;
 use App\Services\Audit\WorkspaceAuditLogger;
 use App\Services\Auth\WorkspaceCapabilityResolver;
-use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
 use App\Support\Audit\AuditActionId;
 use App\Support\Auth\Capabilities;
-use App\Support\Auth\PlatformCapabilities;
 use App\Support\Settings\SettingDefinition;
 use App\Support\Settings\SettingsRegistry;
 use Illuminate\Auth\Access\AuthorizationException;
-use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\ValidationException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -37,7 +33,27 @@ public function updateWorkspaceSetting(User $actor, Workspace $workspace, string
     {
         $this->authorizeManage($actor, $workspace);
 
-        $result = $this->persistWorkspaceSetting($workspace, $domain, $key, $value, (int) $actor->getKey());
+        $definition = $this->requireDefinition($domain, $key);
+        $normalizedValue = $this->validatedValue($definition, $value);
+
+        $existing = WorkspaceSetting::query()
+            ->where('workspace_id', (int) $workspace->getKey())
+            ->where('domain', $domain)
+            ->where('key', $key)
+            ->first();
+
+        $beforeValue = $existing instanceof WorkspaceSetting
+            ? $this->decodeStoredValue($existing->getAttribute('value'))
+            : null;
+
+        $setting = WorkspaceSetting::query()->updateOrCreate([
+            'workspace_id' => (int) $workspace->getKey(),
+            'domain' => $domain,
+            'key' => $key,
+        ], [
+            'value' => $normalizedValue,
+            'updated_by_user_id' => (int) $actor->getKey(),
+        ]);
 
         $this->resolver->clearCache();
 
@@ -51,7 +67,7 @@ public function updateWorkspaceSetting(User $actor, Workspace $workspace, string
                     'scope' => 'workspace',
                     'domain' => $domain,
                     'key' => $key,
-                    'before_value' => $result['before_value'],
+                    'before_value' => $beforeValue,
                     'after_value' => $afterValue,
                 ],
             ],
@@ -60,79 +76,7 @@ public function updateWorkspaceSetting(User $actor, Workspace $workspace, string
             resourceId: $domain.'.'.$key,
         );
 
-        return $result['setting'];
-    }
-
-    public function updateWorkspaceCommercialLifecycle(
-        PlatformUser $actor,
-        Workspace $workspace,
-        string $state,
-        string $reason,
-    ): void {
-        $state = strtolower(trim($state));
-        $reason = trim($reason);
-
-        if (! $actor->hasCapability(PlatformCapabilities::COMMERCIAL_LIFECYCLE_MANAGE)) {
-            throw new AuthorizationException('Missing commercial lifecycle manage capability.');
-        }
-
-        if ($reason === '') {
-            throw ValidationException::withMessages([
-                'reason' => ['A rationale is required when changing commercial lifecycle state.'],
-            ]);
-        }
-
-        DB::transaction(function () use ($actor, $workspace, $state, $reason): void {
-            $stateResult = $this->persistWorkspaceSetting(
-                workspace: $workspace,
-                domain: WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN,
-                key: WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_STATE,
-                value: $state,
-                updatedByUserId: null,
-            );
-
-            $reasonResult = $this->persistWorkspaceSetting(
-                workspace: $workspace,
-                domain: WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN,
-                key: WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_REASON,
-                value: $reason,
-                updatedByUserId: null,
-            );
-
-            $this->resolver->clearCache();
-
-            $afterState = $this->resolver->resolveValue(
-                $workspace,
-                WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN,
-                WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_STATE,
-            );
-
-            $afterReason = $this->resolver->resolveValue(
-                $workspace,
-                WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN,
-                WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_REASON,
-            );
-
-            $this->auditLogger->log(
-                workspace: $workspace,
-                action: AuditActionId::WorkspaceSettingUpdated->value,
-                context: [
-                    'metadata' => [
-                        'scope' => 'workspace',
-                        'domain' => WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN,
-                        'key' => WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_STATE,
-                        'before_state' => $stateResult['before_value'],
-                        'after_state' => $afterState,
-                        'before_reason' => $reasonResult['before_value'],
-                        'after_reason' => $afterReason,
-                    ],
-                ],
-                actor: $actor,
-                resourceType: 'workspace_setting',
-                resourceId: WorkspaceCommercialLifecycleResolver::SETTING_DOMAIN.'.'.WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_STATE,
-                targetLabel: 'Commercial lifecycle state',
-            );
-        });
+        return $setting;
     }
 
     public function resetWorkspaceSetting(User $actor, Workspace $workspace, string $domain, string $key): void
@@ -230,39 +174,6 @@ private function requireDefinition(string $domain, string $key): SettingDefiniti
         ]);
     }
 
-    /**
-     * @return array{setting: WorkspaceSetting, before_value: mixed}
-     */
-    private function persistWorkspaceSetting(Workspace $workspace, string $domain, string $key, mixed $value, ?int $updatedByUserId): array
-    {
-        $definition = $this->requireDefinition($domain, $key);
-        $normalizedValue = $this->validatedValue($definition, $value);
-
-        $existing = WorkspaceSetting::query()
-            ->where('workspace_id', (int) $workspace->getKey())
-            ->where('domain', $domain)
-            ->where('key', $key)
-            ->first();
-
-        $beforeValue = $existing instanceof WorkspaceSetting
-            ? $this->decodeStoredValue($existing->getAttribute('value'))
-            : null;
-
-        $setting = WorkspaceSetting::query()->updateOrCreate([
-            'workspace_id' => (int) $workspace->getKey(),
-            'domain' => $domain,
-            'key' => $key,
-        ], [
-            'value' => $normalizedValue,
-            'updated_by_user_id' => $updatedByUserId,
-        ]);
-
-        return [
-            'setting' => $setting,
-            'before_value' => $beforeValue,
-        ];
-    }
-
     private function validatedValue(SettingDefinition $definition, mixed $value): mixed
     {
         $validator = Validator::make(

apps/platform/app/Services/SystemConsole/OperationRunTriageService.php

@@ -17,6 +17,7 @@ final class OperationRunTriageService
         'inventory.sync',
         'policy.sync',
         'directory.groups.sync',
+        'findings.lifecycle.backfill',
         'rbac.health_check',
         'entra.admin_roles.scan',
         'tenant.review_pack.generate',
@@ -27,6 +28,7 @@ final class OperationRunTriageService
         'inventory.sync',
         'policy.sync',
         'directory.groups.sync',
+        'findings.lifecycle.backfill',
         'rbac.health_check',
         'entra.admin_roles.scan',
         'tenant.review_pack.generate',

apps/platform/app/Services/TenantReviews/TenantReviewRegisterService.php

@@ -12,7 +12,6 @@
 use App\Services\Auth\RoleCapabilityMap;
 use App\Support\Auth\Capabilities;
 use Illuminate\Database\Eloquent\Builder;
-use Illuminate\Support\Facades\DB;
 
 final class TenantReviewRegisterService
 {
@@ -44,55 +43,6 @@ public function query(User $user, Workspace $workspace): Builder
             ->latest('id');
     }
 
-    public function latestPublishedQuery(User $user, Workspace $workspace): Builder
-    {
-        $tenantIds = array_keys($this->authorizedTenants($user, $workspace));
-
-        $rankedReviews = TenantReview::query()
-            ->select([
-                'tenant_reviews.id',
-                'tenant_reviews.tenant_id',
-                'tenant_reviews.published_at',
-                'tenant_reviews.generated_at',
-            ])
-            ->selectRaw('ROW_NUMBER() OVER (PARTITION BY tenant_id ORDER BY published_at DESC, generated_at DESC, id DESC) as rn')
-            ->forWorkspace((int) $workspace->getKey())
-            ->whereIn('tenant_id', $tenantIds === [] ? [-1] : $tenantIds)
-            ->published();
-
-        $latestPublishedIds = DB::query()
-            ->fromSub($rankedReviews, 'ranked_tenant_reviews')
-            ->where('rn', 1)
-            ->select('id');
-
-        return TenantReview::query()
-            ->with(['tenant', 'evidenceSnapshot', 'currentExportReviewPack'])
-            ->forWorkspace((int) $workspace->getKey())
-            ->whereIn('tenant_reviews.id', $latestPublishedIds)
-            ->orderByDesc('published_at')
-            ->orderByDesc('generated_at')
-            ->orderByDesc('id');
-    }
-
-    public function customerWorkspaceTenantQuery(User $user, Workspace $workspace): Builder
-    {
-        $tenantIds = array_keys($this->authorizedTenants($user, $workspace));
-
-        return Tenant::query()
-            ->where('workspace_id', (int) $workspace->getKey())
-            ->whereIn('id', $tenantIds === [] ? [-1] : $tenantIds)
-            ->with([
-                'tenantReviews' => fn ($query) => $query
-                    ->with(['tenant', 'evidenceSnapshot', 'currentExportReviewPack'])
-                    ->published()
-                    ->orderByDesc('published_at')
-                    ->orderByDesc('generated_at')
-                    ->orderByDesc('id')
-                    ->limit(1),
-            ])
-            ->orderBy('name');
-    }
-
     public function canAccessWorkspace(User $user, Workspace $workspace): bool
     {
         return WorkspaceMembership::query()

apps/platform/app/Services/TenantReviews/TenantReviewSectionFactory.php

@@ -128,7 +128,7 @@ private function openRisksSection(?EvidenceSnapshotItem $findingsItem): array
     {
         $summary = $this->summary($findingsItem);
         $entries = collect(Arr::wrap($summary['entries'] ?? []))
-            ->filter(static fn (mixed $entry): bool => is_array($entry) && in_array((string) ($entry['status'] ?? ''), ['open', 'new', 'triaged', 'in_progress', 'reopened'], true))
+            ->filter(static fn (mixed $entry): bool => is_array($entry) && in_array((string) ($entry['status'] ?? ''), ['open', 'in_progress', 'acknowledged'], true))
             ->sortByDesc(static fn (array $entry): int => match ((string) ($entry['severity'] ?? 'low')) {
                 'critical' => 4,
                 'high' => 3,

apps/platform/app/Support/Ai/AiDataClassification.php

@@ -1,27 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Ai;
-
-enum AiDataClassification: string
-{
-    case ProductKnowledge = 'product_knowledge';
-    case OperationalMetadata = 'operational_metadata';
-    case RedactedSupportSummary = 'redacted_support_summary';
-    case PersonalData = 'personal_data';
-    case CustomerConfidential = 'customer_confidential';
-    case RawProviderPayload = 'raw_provider_payload';
-
-    public function label(): string
-    {
-        return match ($this) {
-            self::ProductKnowledge => 'Product knowledge',
-            self::OperationalMetadata => 'Operational metadata',
-            self::RedactedSupportSummary => 'Redacted support summary',
-            self::PersonalData => 'Personal data',
-            self::CustomerConfidential => 'Customer confidential',
-            self::RawProviderPayload => 'Raw provider payload',
-        };
-    }
-}

apps/platform/app/Support/Ai/AiDecisionAuditMetadataFactory.php

@@ -1,39 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Ai;
-
-final class AiDecisionAuditMetadataFactory
-{
-    /**
-     * @return array<string, mixed>
-     */
-    public function make(AiExecutionRequest $request, AiExecutionDecision $decision): array
-    {
-        return array_filter([
-            'use_case_key' => $decision->useCaseKey,
-            'decision_outcome' => $decision->outcome,
-            'decision_reason' => $decision->reasonCode->value,
-            'workspace_ai_policy_mode' => $decision->workspaceAiPolicyMode,
-            'requested_provider_class' => $decision->requestedProviderClass,
-            'data_classifications' => $decision->dataClassifications,
-            'source_family' => $decision->sourceFamily,
-            'workspace_id' => $request->workspace?->getKey(),
-            'tenant_id' => $request->tenant?->getKey(),
-            'context_fingerprint' => $this->normalizedFingerprint($request->contextFingerprint),
-            'matched_operational_control_scope' => $decision->matchedOperationalControlScope,
-        ], static fn (mixed $value): bool => $value !== null);
-    }
-
-    private function normalizedFingerprint(?string $contextFingerprint): ?string
-    {
-        if (! is_string($contextFingerprint)) {
-            return null;
-        }
-
-        $normalized = trim($contextFingerprint);
-
-        return $normalized === '' ? null : $normalized;
-    }
-}

apps/platform/app/Support/Ai/AiDecisionReasonCode.php

@@ -1,18 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Ai;
-
-enum AiDecisionReasonCode: string
-{
-    case Allowed = 'allowed';
-    case MissingWorkspaceContext = 'missing_workspace_context';
-    case TenantOutsideWorkspace = 'tenant_outside_workspace';
-    case OperationalControlPaused = 'operational_control_paused';
-    case WorkspacePolicyDisabled = 'workspace_policy_disabled';
-    case UnregisteredUseCase = 'unregistered_use_case';
-    case ProviderClassBlocked = 'provider_class_blocked';
-    case DataClassificationBlocked = 'data_classification_blocked';
-    case SourceFamilyMismatch = 'source_family_mismatch';
-}

apps/platform/app/Support/Ai/AiExecutionDecision.php

@@ -1,37 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Ai;
-
-use App\Support\Audit\AuditActionId;
-
-final readonly class AiExecutionDecision
-{
-    /**
-     * @param  list<string>  $dataClassifications
-     * @param  array<string, mixed>  $auditMetadata
-     */
-    public function __construct(
-        public string $outcome,
-        public AiDecisionReasonCode $reasonCode,
-        public string $workspaceAiPolicyMode,
-        public ?string $matchedOperationalControlScope,
-        public string $useCaseKey,
-        public string $requestedProviderClass,
-        public array $dataClassifications,
-        public string $sourceFamily,
-        public AuditActionId $auditAction,
-        public array $auditMetadata,
-    ) {}
-
-    public function isAllowed(): bool
-    {
-        return $this->outcome === 'allowed';
-    }
-
-    public function isBlocked(): bool
-    {
-        return $this->outcome === 'blocked';
-    }
-}

apps/platform/app/Support/Ai/AiExecutionRequest.php

@@ -1,28 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Ai;
-
-use App\Models\PlatformUser;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Models\Workspace;
-
-final readonly class AiExecutionRequest
-{
-    /**
-     * @param  list<string>  $dataClassifications
-     */
-    public function __construct(
-        public ?Workspace $workspace,
-        public ?Tenant $tenant,
-        public User|PlatformUser|null $actor,
-        public string $useCaseKey,
-        public string $requestedProviderClass,
-        public array $dataClassifications,
-        public string $sourceFamily,
-        public ?string $callerSurface = null,
-        public ?string $contextFingerprint = null,
-    ) {}
-}

apps/platform/app/Support/Ai/AiPolicyMode.php

@@ -1,43 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Ai;
-
-enum AiPolicyMode: string
-{
-    case Disabled = 'disabled';
-    case PrivateOnly = 'private_only';
-
-    public function label(): string
-    {
-        return match ($this) {
-            self::Disabled => 'Disabled',
-            self::PrivateOnly => 'Private only',
-        };
-    }
-
-    public function summary(): string
-    {
-        return match ($this) {
-            self::Disabled => 'No AI execution is allowed for this workspace.',
-            self::PrivateOnly => 'Only approved internal drafts may use private-only AI for approved use cases.',
-        };
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    public static function optionLabels(): array
-    {
-        return array_reduce(
-            self::cases(),
-            static function (array $labels, self $mode): array {
-                $labels[$mode->value] = $mode->label();
-
-                return $labels;
-            },
-            [],
-        );
-    }
-}

apps/platform/app/Support/Ai/AiProviderClass.php

@@ -1,19 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Ai;
-
-enum AiProviderClass: string
-{
-    case LocalPrivate = 'local_private';
-    case ExternalPublic = 'external_public';
-
-    public function label(): string
-    {
-        return match ($this) {
-            self::LocalPrivate => 'Local private',
-            self::ExternalPublic => 'External public',
-        };
-    }
-}

apps/platform/app/Support/Ai/AiUseCaseCatalog.php

@@ -1,126 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Ai;
-
-final class AiUseCaseCatalog
-{
-    /**
-     * @var array<string, array{
-     *     key: string,
-     *     label: string,
-     *     future_consumer: string,
-     *     visibility: string,
-     *     allowed_provider_classes: list<string>,
-     *     allowed_data_classifications: list<string>,
-     *     source_family: string,
-     *     tenant_context_permitted: bool
-     * }>
-     */
-    private const USE_CASES = [
-        'product_knowledge.answer_draft' => [
-            'key' => 'product_knowledge.answer_draft',
-            'label' => 'Product knowledge answer draft',
-            'future_consumer' => 'ContextualHelpResolver',
-            'visibility' => 'internal_only_draft',
-            'allowed_provider_classes' => [AiProviderClass::LocalPrivate->value],
-            'allowed_data_classifications' => [
-                AiDataClassification::ProductKnowledge->value,
-                AiDataClassification::OperationalMetadata->value,
-            ],
-            'source_family' => 'product_knowledge',
-            'tenant_context_permitted' => false,
-        ],
-        'support_diagnostics.summary_draft' => [
-            'key' => 'support_diagnostics.summary_draft',
-            'label' => 'Support diagnostics summary draft',
-            'future_consumer' => 'SupportDiagnosticBundleBuilder',
-            'visibility' => 'internal_only_draft',
-            'allowed_provider_classes' => [AiProviderClass::LocalPrivate->value],
-            'allowed_data_classifications' => [AiDataClassification::RedactedSupportSummary->value],
-            'source_family' => 'support_diagnostics',
-            'tenant_context_permitted' => true,
-        ],
-    ];
-
-    /**
-     * @return list<array{
-     *     key: string,
-     *     label: string,
-     *     future_consumer: string,
-     *     visibility: string,
-     *     allowed_provider_classes: list<string>,
-     *     allowed_data_classifications: list<string>,
-     *     source_family: string,
-     *     tenant_context_permitted: bool
-     * }>
-     */
-    public function all(): array
-    {
-        return array_values(self::USE_CASES);
-    }
-
-    /**
-     * @return array{
-     *     key: string,
-     *     label: string,
-     *     future_consumer: string,
-     *     visibility: string,
-     *     allowed_provider_classes: list<string>,
-     *     allowed_data_classifications: list<string>,
-     *     source_family: string,
-     *     tenant_context_permitted: bool
-     * }|null
-     */
-    public function find(string $key): ?array
-    {
-        return self::USE_CASES[$key] ?? null;
-    }
-
-    /**
-     * @return list<string>
-     */
-    public function labels(): array
-    {
-        return array_map(
-            static fn (array $definition): string => $definition['label'],
-            $this->all(),
-        );
-    }
-
-    /**
-     * @return list<string>
-     */
-    public function allowedProviderClassLabelsForMode(AiPolicyMode $mode): array
-    {
-        if ($mode === AiPolicyMode::Disabled) {
-            return [];
-        }
-
-        $labels = [];
-
-        foreach ($this->all() as $definition) {
-            foreach ($definition['allowed_provider_classes'] as $providerClass) {
-                $labels[$providerClass] = AiProviderClass::from($providerClass)->label();
-            }
-        }
-
-        return array_values($labels);
-    }
-
-    /**
-     * @return list<string>
-     */
-    public function blockedDataClassificationLabels(): array
-    {
-        return array_map(
-            static fn (AiDataClassification $classification): string => $classification->label(),
-            [
-                AiDataClassification::PersonalData,
-                AiDataClassification::CustomerConfidential,
-                AiDataClassification::RawProviderPayload,
-            ],
-        );
-    }
-}

apps/platform/app/Support/Ai/GovernedAiExecutionBoundary.php

@@ -1,181 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Ai;
-
-use App\Services\Audit\WorkspaceAuditLogger;
-use App\Services\Settings\SettingsResolver;
-use App\Support\Audit\AuditActionId;
-use App\Support\OperationalControls\OperationalControlEvaluator;
-
-final class GovernedAiExecutionBoundary
-{
-    public function __construct(
-        private readonly AiUseCaseCatalog $useCaseCatalog,
-        private readonly SettingsResolver $settingsResolver,
-        private readonly OperationalControlEvaluator $operationalControls,
-        private readonly AiDecisionAuditMetadataFactory $auditMetadataFactory,
-        private readonly WorkspaceAuditLogger $workspaceAuditLogger,
-    ) {}
-
-    public function evaluate(AiExecutionRequest $request): AiExecutionDecision
-    {
-        $decision = $this->decisionFor($request);
-        $metadata = $this->auditMetadataFactory->make($request, $decision);
-
-        $decision = new AiExecutionDecision(
-            outcome: $decision->outcome,
-            reasonCode: $decision->reasonCode,
-            workspaceAiPolicyMode: $decision->workspaceAiPolicyMode,
-            matchedOperationalControlScope: $decision->matchedOperationalControlScope,
-            useCaseKey: $decision->useCaseKey,
-            requestedProviderClass: $decision->requestedProviderClass,
-            dataClassifications: $decision->dataClassifications,
-            sourceFamily: $decision->sourceFamily,
-            auditAction: $decision->auditAction,
-            auditMetadata: $metadata,
-        );
-
-        if ($request->workspace !== null) {
-            $definition = $this->useCaseCatalog->find($request->useCaseKey);
-
-            $this->workspaceAuditLogger->log(
-                workspace: $request->workspace,
-                action: $decision->auditAction,
-                context: ['metadata' => $decision->auditMetadata],
-                actor: $request->actor,
-                status: $decision->isAllowed() ? 'success' : 'blocked',
-                resourceType: 'ai_use_case',
-                resourceId: $request->useCaseKey,
-                targetLabel: $definition['label'] ?? $request->useCaseKey,
-                summary: 'AI execution decision evaluated',
-                tenant: $request->tenant,
-            );
-        }
-
-        return $decision;
-    }
-
-    private function decisionFor(AiExecutionRequest $request): AiExecutionDecision
-    {
-        if ($request->workspace === null) {
-            return $this->blockedDecision(
-                request: $request,
-                reasonCode: AiDecisionReasonCode::MissingWorkspaceContext,
-                workspaceAiPolicyMode: AiPolicyMode::Disabled->value,
-            );
-        }
-
-        if ($request->tenant !== null && (int) $request->tenant->workspace_id !== (int) $request->workspace->getKey()) {
-            return $this->blockedDecision(
-                request: $request,
-                reasonCode: AiDecisionReasonCode::TenantOutsideWorkspace,
-                workspaceAiPolicyMode: AiPolicyMode::Disabled->value,
-            );
-        }
-
-        $controlDecision = $this->operationalControls->evaluate('ai.execution', $request->workspace);
-
-        if ($controlDecision->isPaused()) {
-            return $this->blockedDecision(
-                request: $request,
-                reasonCode: AiDecisionReasonCode::OperationalControlPaused,
-                workspaceAiPolicyMode: $this->resolvedPolicyMode($request),
-                matchedOperationalControlScope: $controlDecision->matchedScopeType,
-            );
-        }
-
-        $policyMode = $this->resolvedPolicyMode($request);
-
-        if ($policyMode === AiPolicyMode::Disabled->value) {
-            return $this->blockedDecision(
-                request: $request,
-                reasonCode: AiDecisionReasonCode::WorkspacePolicyDisabled,
-                workspaceAiPolicyMode: $policyMode,
-            );
-        }
-
-        $definition = $this->useCaseCatalog->find($request->useCaseKey);
-
-        if ($definition === null) {
-            return $this->blockedDecision(
-                request: $request,
-                reasonCode: AiDecisionReasonCode::UnregisteredUseCase,
-                workspaceAiPolicyMode: $policyMode,
-            );
-        }
-
-        if ($definition['source_family'] !== $request->sourceFamily) {
-            return $this->blockedDecision(
-                request: $request,
-                reasonCode: AiDecisionReasonCode::SourceFamilyMismatch,
-                workspaceAiPolicyMode: $policyMode,
-            );
-        }
-
-        if (! in_array($request->requestedProviderClass, $definition['allowed_provider_classes'], true)) {
-            return $this->blockedDecision(
-                request: $request,
-                reasonCode: AiDecisionReasonCode::ProviderClassBlocked,
-                workspaceAiPolicyMode: $policyMode,
-            );
-        }
-
-        foreach ($request->dataClassifications as $classification) {
-            if (! in_array($classification, $definition['allowed_data_classifications'], true)) {
-                return $this->blockedDecision(
-                    request: $request,
-                    reasonCode: AiDecisionReasonCode::DataClassificationBlocked,
-                    workspaceAiPolicyMode: $policyMode,
-                );
-            }
-        }
-
-        return new AiExecutionDecision(
-            outcome: 'allowed',
-            reasonCode: AiDecisionReasonCode::Allowed,
-            workspaceAiPolicyMode: $policyMode,
-            matchedOperationalControlScope: null,
-            useCaseKey: $request->useCaseKey,
-            requestedProviderClass: $request->requestedProviderClass,
-            dataClassifications: $request->dataClassifications,
-            sourceFamily: $request->sourceFamily,
-            auditAction: AuditActionId::AiExecutionDecisionEvaluated,
-            auditMetadata: [],
-        );
-    }
-
-    private function resolvedPolicyMode(AiExecutionRequest $request): string
-    {
-        if ($request->workspace === null) {
-            return AiPolicyMode::Disabled->value;
-        }
-
-        $resolved = $this->settingsResolver->resolveValue($request->workspace, 'ai', 'policy_mode');
-
-        return is_string($resolved) && $resolved !== ''
-            ? $resolved
-            : AiPolicyMode::Disabled->value;
-    }
-
-    private function blockedDecision(
-        AiExecutionRequest $request,
-        AiDecisionReasonCode $reasonCode,
-        string $workspaceAiPolicyMode,
-        ?string $matchedOperationalControlScope = null,
-    ): AiExecutionDecision {
-        return new AiExecutionDecision(
-            outcome: 'blocked',
-            reasonCode: $reasonCode,
-            workspaceAiPolicyMode: $workspaceAiPolicyMode,
-            matchedOperationalControlScope: $matchedOperationalControlScope,
-            useCaseKey: $request->useCaseKey,
-            requestedProviderClass: $request->requestedProviderClass,
-            dataClassifications: $request->dataClassifications,
-            sourceFamily: $request->sourceFamily,
-            auditAction: AuditActionId::AiExecutionDecisionEvaluated,
-            auditMetadata: [],
-        );
-    }
-}

apps/platform/app/Support/Audit/AuditActionId.php

@@ -69,7 +69,6 @@ enum AuditActionId: string
     case BaselineCompareStarted = 'baseline_compare.started';
     case BaselineCompareCompleted = 'baseline_compare.completed';
     case BaselineCompareFailed = 'baseline_compare.failed';
-    case CrossTenantPromotionPreflightGenerated = 'cross_tenant_promotion_preflight.generated';
     case BaselineAssignmentCreated = 'baseline_assignment.created';
     case BaselineAssignmentUpdated = 'baseline_assignment.updated';
     case BaselineAssignmentDeleted = 'baseline_assignment.deleted';
@@ -91,25 +90,16 @@ enum AuditActionId: string
     case EvidenceSnapshotCreated = 'evidence_snapshot.created';
     case EvidenceSnapshotRefreshed = 'evidence_snapshot.refreshed';
     case EvidenceSnapshotExpired = 'evidence_snapshot.expired';
-    case EvidenceSnapshotOpened = 'evidence_snapshot.opened';
     case TenantReviewCreated = 'tenant_review.created';
     case TenantReviewRefreshed = 'tenant_review.refreshed';
     case TenantReviewPublished = 'tenant_review.published';
     case TenantReviewArchived = 'tenant_review.archived';
-    case TenantReviewOpened = 'tenant_review.opened';
     case TenantReviewExported = 'tenant_review.exported';
     case TenantReviewSuccessorCreated = 'tenant_review.successor_created';
-    case CustomerReviewWorkspaceOpened = 'customer_review_workspace.opened';
-    case ReviewPackDownloaded = 'review_pack.downloaded';
     case TenantTriageReviewMarkedReviewed = 'tenant_triage_review.marked_reviewed';
     case TenantTriageReviewMarkedFollowUpNeeded = 'tenant_triage_review.marked_follow_up_needed';
 
     case SupportDiagnosticsOpened = 'support_diagnostics.opened';
-    case SupportRequestCreated = 'support_request.created';
-    case SupportRequestExternalTicketCreated = 'support_request.external_ticket_created';
-    case SupportRequestExternalTicketLinked = 'support_request.external_ticket_linked';
-    case SupportRequestExternalHandoffFailed = 'support_request.external_handoff_failed';
-    case AiExecutionDecisionEvaluated = 'ai_execution.decision_evaluated';
     case OperationalControlPaused = 'operational_control.paused';
     case OperationalControlUpdated = 'operational_control.updated';
     case OperationalControlResumed = 'operational_control.resumed';
@@ -221,7 +211,6 @@ private static function labels(): array
             self::BaselineCompareStarted->value => 'Baseline compare started',
             self::BaselineCompareCompleted->value => 'Baseline compare completed',
             self::BaselineCompareFailed->value => 'Baseline compare failed',
-            self::CrossTenantPromotionPreflightGenerated->value => 'Cross-tenant promotion preflight generated',
             self::BaselineAssignmentCreated->value => 'Baseline assignment created',
             self::BaselineAssignmentUpdated->value => 'Baseline assignment updated',
             self::BaselineAssignmentDeleted->value => 'Baseline assignment deleted',
@@ -243,24 +232,15 @@ private static function labels(): array
             self::EvidenceSnapshotCreated->value => 'Evidence snapshot created',
             self::EvidenceSnapshotRefreshed->value => 'Evidence snapshot refreshed',
             self::EvidenceSnapshotExpired->value => 'Evidence snapshot expired',
-            self::EvidenceSnapshotOpened->value => 'Evidence snapshot opened',
             self::TenantReviewCreated->value => 'Tenant review created',
             self::TenantReviewRefreshed->value => 'Tenant review refreshed',
             self::TenantReviewPublished->value => 'Tenant review published',
             self::TenantReviewArchived->value => 'Tenant review archived',
-            self::TenantReviewOpened->value => 'Tenant review opened',
             self::TenantReviewExported->value => 'Tenant review exported',
             self::TenantReviewSuccessorCreated->value => 'Tenant review next cycle created',
-            self::CustomerReviewWorkspaceOpened->value => 'Customer review workspace opened',
-            self::ReviewPackDownloaded->value => 'Review pack downloaded',
             self::TenantTriageReviewMarkedReviewed->value => 'Triage review marked reviewed',
             self::TenantTriageReviewMarkedFollowUpNeeded->value => 'Triage review marked follow-up needed',
             self::SupportDiagnosticsOpened->value => 'Support diagnostics opened',
-            self::SupportRequestCreated->value => 'Support request created',
-            self::SupportRequestExternalTicketCreated->value => 'Support request external ticket created',
-            self::SupportRequestExternalTicketLinked->value => 'Support request external ticket linked',
-            self::SupportRequestExternalHandoffFailed->value => 'Support request external handoff failed',
-            self::AiExecutionDecisionEvaluated->value => 'AI execution decision evaluated',
             self::OperationalControlPaused->value => 'Operational control paused',
             self::OperationalControlUpdated->value => 'Operational control updated',
             self::OperationalControlResumed->value => 'Operational control resumed',
@@ -318,7 +298,6 @@ private static function summaries(): array
             self::BaselineProfileUpdated->value => 'Baseline profile updated',
             self::BaselineProfileArchived->value => 'Baseline profile archived',
             self::BaselineProfileScopeBackfilled->value => 'Baseline profile scope backfilled',
-            self::CrossTenantPromotionPreflightGenerated->value => 'Cross-tenant promotion preflight generated',
             self::AlertDestinationCreated->value => 'Alert destination created',
             self::AlertDestinationUpdated->value => 'Alert destination updated',
             self::AlertDestinationDeleted->value => 'Alert destination deleted',
@@ -341,22 +320,13 @@ private static function summaries(): array
             self::EvidenceSnapshotCreated->value => 'Evidence snapshot created',
             self::EvidenceSnapshotRefreshed->value => 'Evidence snapshot refreshed',
             self::EvidenceSnapshotExpired->value => 'Evidence snapshot expired',
-            self::EvidenceSnapshotOpened->value => 'Evidence snapshot opened',
             self::TenantReviewCreated->value => 'Tenant review created',
             self::TenantReviewRefreshed->value => 'Tenant review refreshed',
             self::TenantReviewPublished->value => 'Tenant review published',
             self::TenantReviewArchived->value => 'Tenant review archived',
-            self::TenantReviewOpened->value => 'Tenant review opened',
             self::TenantReviewExported->value => 'Tenant review exported',
             self::TenantReviewSuccessorCreated->value => 'Tenant review next cycle created',
-            self::CustomerReviewWorkspaceOpened->value => 'Customer review workspace opened',
-            self::ReviewPackDownloaded->value => 'Review pack downloaded',
             self::SupportDiagnosticsOpened->value => 'Support diagnostics opened',
-            self::SupportRequestCreated->value => 'Support request created',
-            self::SupportRequestExternalTicketCreated->value => 'Support request external ticket created',
-            self::SupportRequestExternalTicketLinked->value => 'Support request external ticket linked',
-            self::SupportRequestExternalHandoffFailed->value => 'Support request external handoff failed',
-            self::AiExecutionDecisionEvaluated->value => 'AI execution decision evaluated',
             self::OperationalControlPaused->value => 'Operational control paused',
             self::OperationalControlUpdated->value => 'Operational control updated',
             self::OperationalControlResumed->value => 'Operational control resumed',

apps/platform/app/Support/Auth/Capabilities.php

@@ -72,9 +72,6 @@ class Capabilities
     // Support diagnostics
     public const SUPPORT_DIAGNOSTICS_VIEW = 'support_diagnostics.view';
 
-    // Support requests
-    public const SUPPORT_REQUESTS_CREATE = 'support_requests.create';
-
     // Inventory
     public const TENANT_INVENTORY_SYNC_RUN = 'tenant_inventory_sync.run';
 
@@ -91,6 +88,8 @@ class Capabilities
 
     public const TENANT_FINDINGS_RISK_ACCEPT = 'tenant_findings.risk_accept';
 
+    public const TENANT_FINDINGS_ACKNOWLEDGE = 'tenant_findings.acknowledge';
+
     public const FINDING_EXCEPTION_VIEW = 'finding_exception.view';
 
     public const FINDING_EXCEPTION_MANAGE = 'finding_exception.manage';

apps/platform/app/Support/Auth/PlatformCapabilities.php

@@ -18,8 +18,6 @@ class PlatformCapabilities
 
     public const DIRECTORY_VIEW = 'platform.directory.view';
 
-    public const COMMERCIAL_LIFECYCLE_MANAGE = 'platform.commercial_lifecycle.manage';
-
     public const OPERATIONS_VIEW = 'platform.operations.view';
 
     public const OPERATIONS_MANAGE = 'platform.operations.manage';
@@ -30,6 +28,8 @@ class PlatformCapabilities
 
     public const RUNBOOKS_RUN = 'platform.runbooks.run';
 
+    public const RUNBOOKS_FINDINGS_LIFECYCLE_BACKFILL = 'platform.runbooks.findings.lifecycle_backfill';
+
     public const OPS_CONTROLS_MANAGE = 'platform.ops.controls.manage';
 
     /**

apps/platform/app/Support/Badges/BadgeCatalog.php

@@ -57,7 +57,6 @@ final class BadgeCatalog
         BadgeDomain::BaselineProfileStatus->value => Domains\BaselineProfileStatusBadge::class,
         BadgeDomain::FindingType->value => Domains\FindingTypeBadge::class,
         BadgeDomain::ReviewPackStatus->value => Domains\ReviewPackStatusBadge::class,
-        BadgeDomain::CommercialLifecycleState->value => Domains\CommercialLifecycleStateBadge::class,
         BadgeDomain::EvidenceSnapshotStatus->value => Domains\EvidenceSnapshotStatusBadge::class,
         BadgeDomain::EvidenceCompleteness->value => Domains\EvidenceCompletenessBadge::class,
         BadgeDomain::TenantReviewStatus->value => Domains\TenantReviewStatusBadge::class,

apps/platform/app/Support/Badges/BadgeDomain.php

@@ -48,7 +48,6 @@ enum BadgeDomain: string
     case BaselineProfileStatus = 'baseline_profile_status';
     case FindingType = 'finding_type';
     case ReviewPackStatus = 'review_pack_status';
-    case CommercialLifecycleState = 'commercial_lifecycle_state';
     case EvidenceSnapshotStatus = 'evidence_snapshot_status';
     case EvidenceCompleteness = 'evidence_completeness';
     case TenantReviewStatus = 'tenant_review_status';

apps/platform/app/Support/Badges/Domains/CommercialLifecycleStateBadge.php

@@ -1,26 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\Badges\Domains;
-
-use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
-use App\Support\Badges\BadgeCatalog;
-use App\Support\Badges\BadgeMapper;
-use App\Support\Badges\BadgeSpec;
-
-final class CommercialLifecycleStateBadge implements BadgeMapper
-{
-    public function spec(mixed $value): BadgeSpec
-    {
-        $state = BadgeCatalog::normalizeState($value);
-
-        return match ($state) {
-            WorkspaceCommercialLifecycleResolver::STATE_TRIAL => new BadgeSpec('Trial', 'info', 'heroicon-m-clock'),
-            WorkspaceCommercialLifecycleResolver::STATE_GRACE => new BadgeSpec('Grace', 'warning', 'heroicon-m-exclamation-triangle'),
-            WorkspaceCommercialLifecycleResolver::STATE_ACTIVE_PAID => new BadgeSpec('Active paid', 'success', 'heroicon-m-check-circle'),
-            WorkspaceCommercialLifecycleResolver::STATE_SUSPENDED_READ_ONLY => new BadgeSpec('Suspended / read-only', 'danger', 'heroicon-m-lock-closed'),
-            default => BadgeSpec::unknown(),
-        };
-    }
-}

apps/platform/app/Support/Baselines/BaselineCompareStats.php

@@ -796,6 +796,7 @@ private static function findingAttentionCounts(Tenant $tenant): array
         $activeNonNewFindingsCount = Finding::query()
             ->where('tenant_id', $tenantId)
             ->whereIn('status', [
+                Finding::STATUS_ACKNOWLEDGED,
                 Finding::STATUS_TRIAGED,
                 Finding::STATUS_IN_PROGRESS,
                 Finding::STATUS_REOPENED,

apps/platform/app/Support/Concerns/DerivesWorkspaceIdFromTenant.php

@@ -99,7 +99,7 @@ private static function resolveTenantWorkspaceId(Model $model, int $tenantId): i
         $tenant = $model->relationLoaded('tenant') ? $model->getRelation('tenant') : null;
 
         if (! $tenant instanceof Tenant || (int) $tenant->getKey() !== $tenantId) {
-            $tenant = Tenant::query()->withTrashed()->find($tenantId);
+            $tenant = Tenant::query()->find($tenantId);
         }
 
         if (! $tenant instanceof Tenant) {

apps/platform/app/Support/Filament/FilterOptionCatalog.php

@@ -103,9 +103,9 @@ public static function baselineProfileStatuses(): array
     /**
      * @return array<string, string>
      */
-    public static function findingStatuses(): array
+    public static function findingStatuses(bool $includeLegacyAcknowledged = true): array
     {
-        return self::badgeOptions(BadgeDomain::FindingStatus, [
+        $options = self::badgeOptions(BadgeDomain::FindingStatus, [
             Finding::STATUS_NEW,
             Finding::STATUS_TRIAGED,
             Finding::STATUS_IN_PROGRESS,
@@ -114,6 +114,21 @@ public static function findingStatuses(): array
             Finding::STATUS_CLOSED,
             Finding::STATUS_RISK_ACCEPTED,
         ]);
+
+        if (! $includeLegacyAcknowledged) {
+            return $options;
+        }
+
+        return [
+            Finding::STATUS_NEW => $options[Finding::STATUS_NEW],
+            Finding::STATUS_TRIAGED => $options[Finding::STATUS_TRIAGED],
+            Finding::STATUS_ACKNOWLEDGED => self::legacyFindingAcknowledgedLabel(),
+            Finding::STATUS_IN_PROGRESS => $options[Finding::STATUS_IN_PROGRESS],
+            Finding::STATUS_REOPENED => $options[Finding::STATUS_REOPENED],
+            Finding::STATUS_RESOLVED => $options[Finding::STATUS_RESOLVED],
+            Finding::STATUS_CLOSED => $options[Finding::STATUS_CLOSED],
+            Finding::STATUS_RISK_ACCEPTED => $options[Finding::STATUS_RISK_ACCEPTED],
+        ];
     }
 
     /**
@@ -297,6 +312,11 @@ private static function badgeOptions(BadgeDomain $domain, array $values): array
             ->all();
     }
 
+    private static function legacyFindingAcknowledgedLabel(): string
+    {
+        return BadgeCatalog::spec(BadgeDomain::FindingStatus, Finding::STATUS_ACKNOWLEDGED)->label.' (legacy acknowledged)';
+    }
+
     private static function platformLabel(string $platform): string
     {
         return match (Str::of($platform)

apps/platform/app/Support/Livewire/TrustedState/TrustedStatePolicy.php

@@ -12,6 +12,8 @@ final class TrustedStatePolicy
 
     public const TENANT_REQUIRED_PERMISSIONS = 'tenant_required_permissions';
 
+    public const SYSTEM_RUNBOOKS = 'system_runbooks';
+
     /**
      * @return array{
      *     name: string,
@@ -327,6 +329,92 @@ public function firstSlice(): array
                     'scopedTenant',
                 ],
             ],
+            self::SYSTEM_RUNBOOKS => [
+                'component_name' => 'System runbooks',
+                'plane' => 'system_platform',
+                'route_anchor' => null,
+                'authority_sources' => [
+                    'allowed_tenant_universe',
+                    'explicit_scoped_query',
+                ],
+                'locked_identities' => [],
+                'locked_identity_fields' => [],
+                'mutable_selectors' => [
+                    'findingsTenantId',
+                    'tenantId',
+                    'findingsScopeMode',
+                    'scopeMode',
+                ],
+                'mutable_selector_fields' => [
+                    $this->field(
+                        name: 'findingsTenantId',
+                        stateClass: TrustedStateClass::Presentation,
+                        phpType: '?int',
+                        sourceOfTruth: 'allowed_tenant_universe',
+                        usedForProtectedAction: true,
+                        revalidationRequired: true,
+                        implementationMarkers: [
+                            'public ?int $findingsTenantId = null;',
+                            'resolveAllowedOrFail($this->findingsTenantId)',
+                        ],
+                        notes: 'Single-tenant runbook proposal only; it must be validated against the operator allowed-tenant universe.',
+                    ),
+                    $this->field(
+                        name: 'tenantId',
+                        stateClass: TrustedStateClass::Presentation,
+                        phpType: '?int',
+                        sourceOfTruth: 'allowed_tenant_universe',
+                        usedForProtectedAction: false,
+                        revalidationRequired: false,
+                        implementationMarkers: [
+                            'public ?int $tenantId = null;',
+                        ],
+                        notes: 'Mirrored display state for the last trusted preflight result.',
+                    ),
+                    $this->field(
+                        name: 'findingsScopeMode',
+                        stateClass: TrustedStateClass::Presentation,
+                        phpType: 'string',
+                        sourceOfTruth: 'presentation_only',
+                        usedForProtectedAction: true,
+                        revalidationRequired: true,
+                        implementationMarkers: [
+                            'public string $findingsScopeMode = FindingsLifecycleBackfillScope::MODE_ALL_TENANTS;',
+                            'trustedFindingsScopeFromState(',
+                        ],
+                        notes: 'Scope mode remains mutable UI state but protected actions re-normalize it into a trusted scope DTO.',
+                    ),
+                    $this->field(
+                        name: 'scopeMode',
+                        stateClass: TrustedStateClass::Presentation,
+                        phpType: 'string',
+                        sourceOfTruth: 'presentation_only',
+                        usedForProtectedAction: false,
+                        revalidationRequired: false,
+                        implementationMarkers: [
+                            'public string $scopeMode = FindingsLifecycleBackfillScope::MODE_ALL_TENANTS;',
+                        ],
+                        notes: 'Mirrored display state for the last trusted preflight result.',
+                    ),
+                ],
+                'server_derived_authority_fields' => [
+                    $this->field(
+                        name: 'findingsScope',
+                        stateClass: TrustedStateClass::ServerDerivedAuthority,
+                        phpType: 'FindingsLifecycleBackfillScope',
+                        sourceOfTruth: 'allowed_tenant_universe',
+                        usedForProtectedAction: true,
+                        revalidationRequired: true,
+                        implementationMarkers: [
+                            'trustedFindingsScopeFromFormData(',
+                            'trustedFindingsScopeFromState(',
+                            'resolveAllowedOrFail(',
+                        ],
+                        notes: 'Protected actions must convert mutable selector state into a trusted scope DTO via AllowedTenantUniverse.',
+                    ),
+                ],
+                'forbidden_public_authority_fields' => [],
+            ],
         ];
     }
 

apps/platform/app/Support/Navigation/CanonicalNavigationContext.php

@@ -5,10 +5,8 @@
 namespace App\Support\Navigation;
 
 use App\Filament\Pages\BaselineCompareMatrix;
-use App\Filament\Resources\TenantResource\Pages\ListTenants;
 use App\Models\BaselineProfile;
 use App\Models\Tenant;
-use Filament\Facades\Filament;
 use Illuminate\Http\Request;
 
 final readonly class CanonicalNavigationContext
@@ -20,7 +18,6 @@ public function __construct(
         public string $sourceSurface,
         public string $canonicalRouteName,
         public ?int $tenantId = null,
-        public ?string $familyKey = null,
         public ?string $backLinkLabel = null,
         public ?string $backLinkUrl = null,
         public array $filterPayload = [],
@@ -59,42 +56,12 @@ public static function fromRequest(Request $request): ?self
             sourceSurface: $sourceSurface,
             canonicalRouteName: $canonicalRouteName,
             tenantId: is_numeric($tenantId) ? (int) $tenantId : null,
-            familyKey: is_string($payload['family_key'] ?? null) && (string) $payload['family_key'] !== ''
-                ? (string) $payload['family_key']
-                : null,
             backLinkLabel: is_string($payload['back_label'] ?? null) ? (string) $payload['back_label'] : null,
             backLinkUrl: is_string($payload['back_url'] ?? null) ? (string) $payload['back_url'] : null,
             filterPayload: [],
         );
     }
 
-    public static function forGovernanceInbox(
-        string $canonicalRouteName,
-        ?int $tenantId,
-        ?string $familyKey,
-        string $backLinkUrl,
-    ): self {
-        return new self(
-            sourceSurface: 'governance.inbox',
-            canonicalRouteName: $canonicalRouteName,
-            tenantId: $tenantId,
-            familyKey: $familyKey,
-            backLinkLabel: 'Back to governance inbox',
-            backLinkUrl: $backLinkUrl,
-        );
-    }
-
-    public static function forTenantRegistry(string $backLinkUrl, ?int $tenantId = null): self
-    {
-        return new self(
-            sourceSurface: 'tenant_registry',
-            canonicalRouteName: ListTenants::getRouteName(Filament::getPanel('admin')),
-            tenantId: $tenantId,
-            backLinkLabel: 'Back to tenant registry',
-            backLinkUrl: $backLinkUrl,
-        );
-    }
-
     /**
      * @return array<string, mixed>
      */
@@ -150,7 +117,6 @@ private function navPayload(): array
             'source_surface' => $this->sourceSurface,
             'canonical_route_name' => $this->canonicalRouteName,
             'tenant_id' => $this->tenantId,
-            'family_key' => $this->familyKey,
             'back_label' => $this->backLinkLabel,
             'back_url' => $this->backLinkUrl,
         ], static fn (mixed $value): bool => $value !== null && $value !== '');

apps/platform/app/Support/OperationCatalog.php

@@ -278,6 +278,7 @@ private static function canonicalDefinitions(): array
             'tenant.review.compose' => new CanonicalOperationType('tenant.review.compose', 'platform_foundation', 'tenant_review', 'Review composition', true, 60),
             'tenant.evidence.snapshot.generate' => new CanonicalOperationType('tenant.evidence.snapshot.generate', 'platform_foundation', 'evidence_snapshot', 'Evidence snapshot generation', true, 120),
             'rbac.health_check' => new CanonicalOperationType('rbac.health_check', 'intune', null, 'RBAC health check', false, 30),
+            'findings.lifecycle.backfill' => new CanonicalOperationType('findings.lifecycle.backfill', 'platform_foundation', null, 'Findings lifecycle backfill', false, 300),
         ];
     }
 
@@ -289,36 +290,27 @@ private static function operationAliases(): array
         return [
             new OperationTypeAlias('policy.sync', 'policy.sync', 'canonical', true),
             new OperationTypeAlias('policy.sync_one', 'policy.sync', 'legacy_alias', false, 'Legacy single-policy sync values resolve to the canonical policy.sync operation.', 'Prefer policy.sync on platform-owned read paths.'),
-            new OperationTypeAlias('policy.snapshot', 'policy.snapshot', 'canonical', true),
             new OperationTypeAlias('policy.capture_snapshot', 'policy.snapshot', 'canonical', true),
             new OperationTypeAlias('policy.delete', 'policy.delete', 'canonical', true),
-            new OperationTypeAlias('policy.restore', 'policy.restore', 'canonical', true),
             new OperationTypeAlias('policy.unignore', 'policy.restore', 'legacy_alias', false, 'Legacy policy.unignore values resolve to policy.restore for operator-facing wording.', 'Prefer policy.restore on new platform-owned read models.'),
             new OperationTypeAlias('policy.export', 'policy.export', 'canonical', true),
             new OperationTypeAlias('provider.connection.check', 'provider.connection.check', 'canonical', true),
-            new OperationTypeAlias('inventory.sync', 'inventory.sync', 'canonical', true),
             new OperationTypeAlias('inventory_sync', 'inventory.sync', 'legacy_alias', false, 'Legacy inventory_sync storage values resolve to the canonical inventory.sync operation.', 'Preserve stored values during rollout while showing inventory.sync semantics on read paths.'),
             new OperationTypeAlias('provider.inventory.sync', 'inventory.sync', 'legacy_alias', false, 'Provider-prefixed historical inventory sync values share the same operator meaning as inventory sync.', 'Avoid emitting provider.inventory.sync on new platform-owned surfaces.'),
             new OperationTypeAlias('compliance.snapshot', 'compliance.snapshot', 'canonical', true),
             new OperationTypeAlias('provider.compliance.snapshot', 'compliance.snapshot', 'legacy_alias', false, 'Provider-prefixed compliance snapshot values resolve to the canonical compliance.snapshot operation.', 'Avoid emitting provider.compliance.snapshot on new platform-owned surfaces.'),
-            new OperationTypeAlias('directory.groups.sync', 'directory.groups.sync', 'canonical', true),
             new OperationTypeAlias('entra_group_sync', 'directory.groups.sync', 'legacy_alias', false, 'Historical entra_group_sync values resolve to directory.groups.sync.', 'Prefer directory.groups.sync on new platform-owned read models.'),
             new OperationTypeAlias('backup_set.update', 'backup_set.update', 'canonical', true),
-            new OperationTypeAlias('backup_set.archive', 'backup_set.archive', 'canonical', true),
             new OperationTypeAlias('backup_set.delete', 'backup_set.archive', 'canonical', true),
             new OperationTypeAlias('backup_set.restore', 'backup_set.restore', 'canonical', true),
             new OperationTypeAlias('backup_set.force_delete', 'backup_set.delete', 'legacy_alias', false, 'Force-delete wording is normalized to the canonical delete label.', 'Use backup_set.delete for new platform-owned summaries.'),
-            new OperationTypeAlias('backup.schedule.execute', 'backup.schedule.execute', 'canonical', true),
             new OperationTypeAlias('backup_schedule_run', 'backup.schedule.execute', 'legacy_alias', false, 'Historical backup_schedule_run values resolve to backup.schedule.execute.', 'Prefer backup.schedule.execute on canonical read paths.'),
-            new OperationTypeAlias('backup.schedule.retention', 'backup.schedule.retention', 'canonical', true),
             new OperationTypeAlias('backup_schedule_retention', 'backup.schedule.retention', 'legacy_alias', false, 'Legacy backup schedule retention values resolve to backup.schedule.retention.', 'Prefer dotted canonical backup schedule naming on new read paths.'),
-            new OperationTypeAlias('backup.schedule.purge', 'backup.schedule.purge', 'canonical', true),
             new OperationTypeAlias('backup_schedule_purge', 'backup.schedule.purge', 'legacy_alias', false, 'Legacy backup schedule purge values resolve to backup.schedule.purge.', 'Prefer dotted canonical backup schedule naming on new read paths.'),
             new OperationTypeAlias('restore.execute', 'restore.execute', 'canonical', true),
             new OperationTypeAlias('assignments.fetch', 'assignments.fetch', 'canonical', true),
             new OperationTypeAlias('assignments.restore', 'assignments.restore', 'canonical', true),
             new OperationTypeAlias('ops.reconcile_adapter_runs', 'ops.reconcile_adapter_runs', 'canonical', true),
-            new OperationTypeAlias('directory.role_definitions.sync', 'directory.role_definitions.sync', 'canonical', true),
             new OperationTypeAlias('directory_role_definitions.sync', 'directory.role_definitions.sync', 'legacy_alias', false, 'Legacy directory_role_definitions.sync values resolve to directory.role_definitions.sync.', 'Prefer dotted role-definition naming on new read paths.'),
             new OperationTypeAlias('restore_run.delete', 'restore_run.delete', 'canonical', true),
             new OperationTypeAlias('restore_run.restore', 'restore_run.restore', 'canonical', true),
@@ -333,13 +325,13 @@ private static function operationAliases(): array
             new OperationTypeAlias('baseline.compare', 'baseline.compare', 'canonical', true),
             new OperationTypeAlias('baseline_capture', 'baseline.capture', 'legacy_alias', false, 'Historical baseline_capture values resolve to baseline.capture.', 'Prefer baseline.capture on canonical read paths.'),
             new OperationTypeAlias('baseline_compare', 'baseline.compare', 'legacy_alias', false, 'Historical baseline_compare values resolve to baseline.compare.', 'Prefer baseline.compare on canonical read paths.'),
-            new OperationTypeAlias('permission.posture.check', 'permission.posture.check', 'canonical', true),
             new OperationTypeAlias('permission_posture_check', 'permission.posture.check', 'legacy_alias', false, 'Historical permission_posture_check values resolve to permission.posture.check.', 'Prefer dotted permission posture naming on new read paths.'),
             new OperationTypeAlias('entra.admin_roles.scan', 'entra.admin_roles.scan', 'canonical', true),
             new OperationTypeAlias('tenant.review_pack.generate', 'tenant.review_pack.generate', 'canonical', true),
             new OperationTypeAlias('tenant.review.compose', 'tenant.review.compose', 'canonical', true),
             new OperationTypeAlias('tenant.evidence.snapshot.generate', 'tenant.evidence.snapshot.generate', 'canonical', true),
             new OperationTypeAlias('rbac.health_check', 'rbac.health_check', 'canonical', true),
+            new OperationTypeAlias('findings.lifecycle.backfill', 'findings.lifecycle.backfill', 'canonical', true),
         ];
     }
 }

apps/platform/app/Support/OperationalControls/OperationalControlCatalog.php

@@ -10,6 +10,13 @@ final class OperationalControlCatalog
      * @var array<string, array{key: string, label: string, supported_scopes: array<int, string>, operation_types: array<int, string>, affected_surfaces: array<int, string>}>
      */
     private const DEFINITIONS = [
+        'findings.lifecycle.backfill' => [
+            'key' => 'findings.lifecycle.backfill',
+            'label' => 'Findings lifecycle backfill',
+            'supported_scopes' => ['global', 'workspace'],
+            'operation_types' => ['findings.lifecycle.backfill'],
+            'affected_surfaces' => ['system.ops.runbooks', 'tenant.findings.list'],
+        ],
         'restore.execute' => [
             'key' => 'restore.execute',
             'label' => 'Restore execution',
@@ -17,13 +24,6 @@ final class OperationalControlCatalog
             'operation_types' => ['restore.execute'],
             'affected_surfaces' => ['tenant.restore_runs.create'],
         ],
-        'ai.execution' => [
-            'key' => 'ai.execution',
-            'label' => 'AI execution',
-            'supported_scopes' => ['global'],
-            'operation_types' => ['ai.execution'],
-            'affected_surfaces' => ['governed_ai.execution'],
-        ],
     ];
 
     /**

apps/platform/app/Support/PortfolioCompare/CrossTenantComparePreviewBuilder.php

@@ -1,416 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\PortfolioCompare;
-
-use App\Models\InventoryItem;
-use App\Models\Tenant;
-use App\Services\Baselines\CurrentStateHashResolver;
-use App\Services\Baselines\Evidence\EvidenceProvenance;
-use App\Services\Baselines\Evidence\ResolvedEvidence;
-use App\Support\Baselines\BaselineSubjectKey;
-use Illuminate\Support\Collection;
-use Illuminate\Support\Str;
-
-final class CrossTenantComparePreviewBuilder
-{
-    public function __construct(
-        private readonly CurrentStateHashResolver $currentStateHashResolver,
-    ) {}
-
-    /**
-     * @return array{
-     *     selection: array{
-     *         workspaceId: int,
-     *         sourceTenantId: int,
-     *         sourceTenantName: string,
-     *         targetTenantId: int,
-     *         targetTenantName: string,
-     *         policyTypes: list<string>
-     *     },
-     *     summary: array{match: int, different: int, missing: int, ambiguous: int, blocked: int, total: int},
-     *     subjects: list<array<string, mixed>>
-     * }
-     */
-    public function build(CrossTenantCompareSelection $selection): array
-    {
-        $sourceIndex = $this->indexTenantSubjects($selection->sourceTenant, $selection->policyTypes);
-        $targetIndex = $this->indexTenantSubjects($selection->targetTenant, $selection->policyTypes);
-
-        $sourceEvidence = $this->resolvedEvidenceMap($selection->sourceTenant, $sourceIndex['evidence_subjects']);
-        $targetEvidence = $this->resolvedEvidenceMap($selection->targetTenant, $targetIndex['evidence_subjects']);
-
-        $subjects = [];
-        $summary = [
-            'match' => 0,
-            'different' => 0,
-            'missing' => 0,
-            'ambiguous' => 0,
-            'blocked' => 0,
-            'total' => 0,
-        ];
-
-        foreach ($sourceIndex['preview_subjects'] as $sourceSubject) {
-            $previewSubject = $this->buildPreviewSubject(
-                sourceSubject: $sourceSubject,
-                sourceTenant: $selection->sourceTenant,
-                targetTenant: $selection->targetTenant,
-                targetIndex: $targetIndex['subjects'],
-                sourceEvidence: $sourceEvidence,
-                targetEvidence: $targetEvidence,
-            );
-
-            $subjects[] = $previewSubject;
-            $summary[$previewSubject['state']]++;
-            $summary['total']++;
-        }
-
-        usort($subjects, function (array $left, array $right): int {
-            $policyTypeComparison = strcmp((string) ($left['policyType'] ?? ''), (string) ($right['policyType'] ?? ''));
-
-            if ($policyTypeComparison !== 0) {
-                return $policyTypeComparison;
-            }
-
-            $displayNameComparison = strcmp(
-                Str::lower((string) ($left['displayName'] ?? '')),
-                Str::lower((string) ($right['displayName'] ?? '')),
-            );
-
-            if ($displayNameComparison !== 0) {
-                return $displayNameComparison;
-            }
-
-            return strcmp((string) ($left['subjectKey'] ?? ''), (string) ($right['subjectKey'] ?? ''));
-        });
-
-        return [
-            'selection' => [
-                'workspaceId' => $selection->workspaceId(),
-                'sourceTenantId' => $selection->sourceTenantId(),
-                'sourceTenantName' => (string) $selection->sourceTenant->name,
-                'targetTenantId' => $selection->targetTenantId(),
-                'targetTenantName' => (string) $selection->targetTenant->name,
-                'policyTypes' => $selection->policyTypes,
-            ],
-            'summary' => $summary,
-            'subjects' => $subjects,
-        ];
-    }
-
-    /**
-     * @param  Tenant  $tenant
-     * @param  list<string>  $policyTypes
-     * @return array{
-     *     preview_subjects: list<array<string, mixed>>,
-     *     evidence_subjects: list<array{policy_type: string, subject_external_id: string}>,
-     *     subjects: array<string, array<string, mixed>>
-     * }
-     */
-    private function indexTenantSubjects(Tenant $tenant, array $policyTypes): array
-    {
-        $inventoryItems = InventoryItem::query()
-            ->where('tenant_id', (int) $tenant->getKey())
-            ->when(
-                $policyTypes !== [],
-                fn ($query) => $query->whereIn('policy_type', $policyTypes),
-            )
-            ->orderBy('policy_type')
-            ->orderBy('display_name')
-            ->orderBy('id')
-            ->get();
-
-        $subjects = [];
-        $previewSubjects = [];
-        $evidenceSubjects = [];
-
-        foreach ($inventoryItems as $inventoryItem) {
-            if (! $inventoryItem instanceof InventoryItem) {
-                continue;
-            }
-
-            $policyType = trim((string) $inventoryItem->policy_type);
-            $subjectKey = BaselineSubjectKey::forPolicy(
-                $policyType,
-                is_string($inventoryItem->display_name ?? null) ? (string) $inventoryItem->display_name : null,
-                is_string($inventoryItem->external_id ?? null) ? (string) $inventoryItem->external_id : null,
-            );
-
-            $subjectRecord = $this->inventorySubjectRecord($tenant, $inventoryItem, $policyType, $subjectKey);
-
-            if ($subjectKey === null) {
-                $previewSubjects[] = [
-                    ...$subjectRecord,
-                    'resolution' => 'identifier_missing',
-                    'duplicateCount' => 1,
-                ];
-
-                continue;
-            }
-
-            $indexKey = $this->subjectIndexKey($policyType, $subjectKey);
-
-            if (! array_key_exists($indexKey, $subjects)) {
-                $subjects[$indexKey] = [
-                    'policyType' => $policyType,
-                    'subjectKey' => $subjectKey,
-                    'displayName' => $subjectRecord['displayName'],
-                    'items' => [],
-                ];
-            }
-
-            $subjects[$indexKey]['items'][] = $subjectRecord;
-        }
-
-        foreach ($subjects as $indexKey => $subjectGroup) {
-            $items = is_array($subjectGroup['items'] ?? null) ? $subjectGroup['items'] : [];
-            $firstItem = $items[0] ?? null;
-
-            if (! is_array($firstItem)) {
-                continue;
-            }
-
-            $previewSubjects[] = [
-                ...$firstItem,
-                'resolution' => count($items) > 1 ? 'ambiguous_match' : 'resolved',
-                'duplicateCount' => count($items),
-            ];
-
-            if (count($items) === 1) {
-                $evidenceSubjects[] = [
-                    'policy_type' => (string) $firstItem['policyType'],
-                    'subject_external_id' => (string) $firstItem['subjectExternalId'],
-                ];
-            }
-
-            $subjects[$indexKey]['representative'] = $firstItem;
-            $subjects[$indexKey]['duplicateCount'] = count($items);
-        }
-
-        return [
-            'preview_subjects' => $previewSubjects,
-            'evidence_subjects' => $evidenceSubjects,
-            'subjects' => $subjects,
-        ];
-    }
-
-    /**
-     * @param  array<string, array<string, mixed>>  $targetIndex
-     * @param  array<string, ResolvedEvidence|null>  $sourceEvidence
-     * @param  array<string, ResolvedEvidence|null>  $targetEvidence
-     * @return array<string, mixed>
-     */
-    private function buildPreviewSubject(
-        array $sourceSubject,
-        Tenant $sourceTenant,
-        Tenant $targetTenant,
-        array $targetIndex,
-        array $sourceEvidence,
-        array $targetEvidence,
-    ): array {
-        $policyType = (string) ($sourceSubject['policyType'] ?? '');
-        $displayName = (string) ($sourceSubject['displayName'] ?? '');
-        $subjectKey = is_string($sourceSubject['subjectKey'] ?? null) ? (string) $sourceSubject['subjectKey'] : null;
-        $reasonCodes = [];
-        $state = 'blocked';
-        $trustLevel = 'unusable';
-
-        $sourceEvidenceRecord = $this->resolvedEvidenceForSubject($sourceEvidence, $sourceSubject);
-        $targetEvidenceRecord = null;
-        $targetSubject = null;
-
-        if (($sourceSubject['resolution'] ?? null) === 'identifier_missing') {
-            $reasonCodes[] = 'source_identifier_missing';
-        } elseif (($sourceSubject['resolution'] ?? null) === 'ambiguous_match') {
-            $state = 'ambiguous';
-            $trustLevel = 'diagnostic_only';
-            $reasonCodes[] = 'source_subject_ambiguous';
-        } elseif ($subjectKey !== null) {
-            $targetSubject = $targetIndex[$this->subjectIndexKey($policyType, $subjectKey)] ?? null;
-
-            if (! is_array($targetSubject)) {
-                $state = 'missing';
-                $trustLevel = $sourceEvidenceRecord instanceof ResolvedEvidence
-                    && $sourceEvidenceRecord->fidelity === EvidenceProvenance::FidelityContent
-                    ? 'trustworthy'
-                    : 'limited_confidence';
-                $reasonCodes[] = 'target_subject_missing';
-            } elseif ((int) ($targetSubject['duplicateCount'] ?? 0) > 1) {
-                $state = 'ambiguous';
-                $trustLevel = 'diagnostic_only';
-                $reasonCodes[] = 'target_subject_ambiguous';
-            } else {
-                $representative = $targetSubject['representative'] ?? null;
-
-                if (is_array($representative)) {
-                    $targetEvidenceRecord = $this->resolvedEvidenceForSubject($targetEvidence, $representative);
-                }
-
-                if (! $sourceEvidenceRecord instanceof ResolvedEvidence) {
-                    $reasonCodes[] = 'source_evidence_refresh_required';
-                }
-
-                if (! $targetEvidenceRecord instanceof ResolvedEvidence) {
-                    $reasonCodes[] = 'target_evidence_refresh_required';
-                }
-
-                if ($sourceEvidenceRecord instanceof ResolvedEvidence && $targetEvidenceRecord instanceof ResolvedEvidence) {
-                    $state = $sourceEvidenceRecord->hash === $targetEvidenceRecord->hash ? 'match' : 'different';
-                    $trustLevel = $sourceEvidenceRecord->fidelity === EvidenceProvenance::FidelityContent
-                        && $targetEvidenceRecord->fidelity === EvidenceProvenance::FidelityContent
-                        ? 'trustworthy'
-                        : 'limited_confidence';
-
-                    if ($sourceEvidenceRecord->fidelity !== EvidenceProvenance::FidelityContent) {
-                        $reasonCodes[] = 'source_evidence_refresh_required';
-                    }
-
-                    if ($targetEvidenceRecord->fidelity !== EvidenceProvenance::FidelityContent) {
-                        $reasonCodes[] = 'target_evidence_refresh_required';
-                    }
-                } else {
-                    $state = 'blocked';
-                    $trustLevel = 'unusable';
-                }
-            }
-        }
-
-        if ($state === 'missing' && ! $sourceEvidenceRecord instanceof ResolvedEvidence) {
-            $reasonCodes[] = 'source_evidence_refresh_required';
-        }
-
-        if ($state === 'blocked' && $reasonCodes === []) {
-            $reasonCodes[] = 'source_evidence_refresh_required';
-        }
-
-        $reasonCodes = array_values(array_unique($reasonCodes));
-
-        return [
-            'policyType' => $policyType,
-            'displayName' => $displayName,
-            'subjectKey' => $subjectKey,
-            'state' => $state,
-            'trustLevel' => $trustLevel,
-            'reasonCodes' => $reasonCodes,
-            'source' => $this->subjectSidePayload($sourceTenant, $sourceSubject, $sourceEvidenceRecord),
-            'target' => $this->subjectSidePayload(
-                $targetTenant,
-                is_array($targetSubject['representative'] ?? null) ? $targetSubject['representative'] : null,
-                $targetEvidenceRecord,
-            ),
-        ];
-    }
-
-    /**
-     * @param  list<array{policy_type: string, subject_external_id: string}>  $subjects
-     * @return array<string, ResolvedEvidence|null>
-     */
-    private function resolvedEvidenceMap(Tenant $tenant, array $subjects): array
-    {
-        return $this->currentStateHashResolver->resolveForSubjects($tenant, $subjects);
-    }
-
-    /**
-     * @param  array<string, mixed>|null  $subject
-     * @return array<string, mixed>
-     */
-    private function subjectSidePayload(Tenant $tenant, ?array $subject, ?ResolvedEvidence $evidence): array
-    {
-        return [
-            'tenantId' => (int) $tenant->getKey(),
-            'tenantName' => (string) $tenant->name,
-            'inventoryItemId' => is_numeric($subject['inventoryItemId'] ?? null) ? (int) $subject['inventoryItemId'] : null,
-            'subjectExternalId' => is_string($subject['subjectExternalId'] ?? null) ? (string) $subject['subjectExternalId'] : null,
-            'displayName' => is_string($subject['displayName'] ?? null) ? (string) $subject['displayName'] : null,
-            'subjectKey' => is_string($subject['subjectKey'] ?? null) ? (string) $subject['subjectKey'] : null,
-            'lastSeenAt' => is_string($subject['lastSeenAt'] ?? null) ? (string) $subject['lastSeenAt'] : null,
-            'evidence' => $this->evidencePayload($evidence),
-        ];
-    }
-
-    /**
-     * @return array{
-     *     policyType: string,
-     *     displayName: string,
-     *     subjectKey: ?string,
-     *     inventoryItemId: int,
-     *     subjectExternalId: string,
-     *     lastSeenAt: ?string
-     * }
-     */
-    private function inventorySubjectRecord(Tenant $tenant, InventoryItem $inventoryItem, string $policyType, ?string $subjectKey): array
-    {
-        $displayName = is_string($inventoryItem->display_name ?? null) ? trim((string) $inventoryItem->display_name) : '';
-        $displayName = $displayName !== ''
-            ? $displayName
-            : ($subjectKey !== null ? Str::headline($subjectKey) : Str::headline($policyType));
-
-        return [
-            'tenantId' => (int) $tenant->getKey(),
-            'policyType' => $policyType,
-            'displayName' => $displayName,
-            'subjectKey' => $subjectKey,
-            'inventoryItemId' => (int) $inventoryItem->getKey(),
-            'subjectExternalId' => (string) $inventoryItem->external_id,
-            'lastSeenAt' => $inventoryItem->last_seen_at?->toIso8601String(),
-        ];
-    }
-
-    /**
-     * @param  array<string, ResolvedEvidence|null>  $evidenceMap
-     */
-    private function resolvedEvidenceForSubject(array $evidenceMap, array $subject): ?ResolvedEvidence
-    {
-        $policyType = trim((string) ($subject['policyType'] ?? ''));
-        $subjectExternalId = trim((string) ($subject['subjectExternalId'] ?? ''));
-
-        if ($policyType === '' || $subjectExternalId === '') {
-            return null;
-        }
-
-        $key = $policyType.'|'.$subjectExternalId;
-        $evidence = $evidenceMap[$key] ?? null;
-
-        return $evidence instanceof ResolvedEvidence ? $evidence : null;
-    }
-
-    /**
-     * @return array{
-     *     hash: string,
-     *     fidelity: string,
-     *     source: string,
-     *     observedAt: ?string,
-     *     policyVersionId: ?int,
-     *     operationRunId: ?int,
-     *     capturePurpose: ?string
-     * }|null
-     */
-    private function evidencePayload(?ResolvedEvidence $evidence): ?array
-    {
-        if (! $evidence instanceof ResolvedEvidence) {
-            return null;
-        }
-
-        return [
-            'hash' => $evidence->hash,
-            'fidelity' => $evidence->fidelity,
-            'source' => $evidence->source,
-            'observedAt' => $evidence->observedAt?->toIso8601String(),
-            'policyVersionId' => is_numeric($evidence->meta['policy_version_id'] ?? null)
-                ? (int) $evidence->meta['policy_version_id']
-                : null,
-            'operationRunId' => is_numeric($evidence->meta['operation_run_id'] ?? null)
-                ? (int) $evidence->meta['operation_run_id']
-                : null,
-            'capturePurpose' => is_string($evidence->meta['capture_purpose'] ?? null)
-                ? (string) $evidence->meta['capture_purpose']
-                : null,
-        ];
-    }
-
-    private function subjectIndexKey(string $policyType, string $subjectKey): string
-    {
-        return $policyType.'|'.$subjectKey;
-    }
-}

apps/platform/app/Support/PortfolioCompare/CrossTenantCompareSelection.php

@@ -1,83 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\PortfolioCompare;
-
-use App\Models\Tenant;
-use InvalidArgumentException;
-
-final readonly class CrossTenantCompareSelection
-{
-    public Tenant $sourceTenant;
-
-    public Tenant $targetTenant;
-
-    /**
-     * @var list<string>
-     */
-    public array $policyTypes;
-
-    /**
-     * @param  list<string>  $policyTypes
-     */
-    public function __construct(
-        Tenant $sourceTenant,
-        Tenant $targetTenant,
-        array $policyTypes = [],
-    ) {
-        $this->sourceTenant = $sourceTenant;
-        $this->targetTenant = $targetTenant;
-
-        if ((int) $this->sourceTenant->getKey() === (int) $this->targetTenant->getKey()) {
-            throw new InvalidArgumentException('Source and target tenants must differ.');
-        }
-
-        if ((int) $this->sourceTenant->workspace_id !== (int) $this->targetTenant->workspace_id) {
-            throw new InvalidArgumentException('Source and target tenants must belong to the same workspace.');
-        }
-
-        $this->policyTypes = $this->normalizePolicyTypes($policyTypes);
-    }
-
-    public function workspaceId(): int
-    {
-        return (int) $this->sourceTenant->workspace_id;
-    }
-
-    public function sourceTenantId(): int
-    {
-        return (int) $this->sourceTenant->getKey();
-    }
-
-    public function targetTenantId(): int
-    {
-        return (int) $this->targetTenant->getKey();
-    }
-
-    public function hasPolicyTypeFilter(): bool
-    {
-        return $this->policyTypes !== [];
-    }
-
-    /**
-     * @param  list<string>  $policyTypes
-     * @return list<string>
-     */
-    private function normalizePolicyTypes(array $policyTypes): array
-    {
-        $normalized = array_values(array_unique(array_filter(array_map(static function (mixed $policyType): ?string {
-            if (! is_string($policyType)) {
-                return null;
-            }
-
-            $normalizedPolicyType = trim($policyType);
-
-            return $normalizedPolicyType !== '' ? $normalizedPolicyType : null;
-        }, $policyTypes))));
-
-        sort($normalized, SORT_STRING);
-
-        return $normalized;
-    }
-}

apps/platform/app/Support/PortfolioCompare/CrossTenantPromotionPreflight.php

@@ -1,143 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\PortfolioCompare;
-
-final class CrossTenantPromotionPreflight
-{
-    /**
-     * @param  array{
-     *     selection?: array<string, mixed>,
-     *     subjects?: list<array<string, mixed>>
-     * }  $preview
-     * @return array{
-     *     selection: array<string, mixed>,
-     *     summary: array{ready: int, blocked: int, manual_mapping_required: int, total: int},
-     *     blockedReasonCounts: array<string, int>,
-     *     buckets: array{
-     *         ready: list<array<string, mixed>>,
-     *         blocked: list<array<string, mixed>>,
-     *         manual_mapping_required: list<array<string, mixed>>
-     *     }
-     * }
-     */
-    public function build(array $preview): array
-    {
-        $subjects = is_array($preview['subjects'] ?? null) ? $preview['subjects'] : [];
-        $buckets = [
-            'ready' => [],
-            'blocked' => [],
-            'manual_mapping_required' => [],
-        ];
-        $blockedReasonCounts = [];
-
-        foreach ($subjects as $subject) {
-            if (! is_array($subject)) {
-                continue;
-            }
-
-            $decision = $this->classifySubject($subject);
-            $subject['preflight'] = $decision;
-            $buckets[$decision['bucket']][] = $subject;
-
-            if ($decision['bucket'] !== 'ready') {
-                foreach ($decision['reasonCodes'] as $reasonCode) {
-                    $blockedReasonCounts[$reasonCode] = ($blockedReasonCounts[$reasonCode] ?? 0) + 1;
-                }
-            }
-        }
-
-        return [
-            'selection' => is_array($preview['selection'] ?? null) ? $preview['selection'] : [],
-            'summary' => [
-                'ready' => count($buckets['ready']),
-                'blocked' => count($buckets['blocked']),
-                'manual_mapping_required' => count($buckets['manual_mapping_required']),
-                'total' => count($buckets['ready']) + count($buckets['blocked']) + count($buckets['manual_mapping_required']),
-            ],
-            'blockedReasonCounts' => $blockedReasonCounts,
-            'buckets' => $buckets,
-        ];
-    }
-
-    /**
-     * @param  array<string, mixed>  $subject
-     * @return array{bucket: 'ready'|'blocked'|'manual_mapping_required', reasonCodes: list<string>, reasonLabels: list<string>}
-     */
-    private function classifySubject(array $subject): array
-    {
-        $state = is_string($subject['state'] ?? null) ? (string) $subject['state'] : 'blocked';
-        $reasonCodes = is_array($subject['reasonCodes'] ?? null)
-            ? array_values(array_filter($subject['reasonCodes'], 'is_string'))
-            : [];
-
-        if (in_array('source_identifier_missing', $reasonCodes, true)) {
-            return $this->decision('blocked', ['source_identifier_missing']);
-        }
-
-        if (in_array('source_subject_ambiguous', $reasonCodes, true)) {
-            return $this->decision('blocked', ['source_subject_ambiguous']);
-        }
-
-        if (in_array('target_subject_ambiguous', $reasonCodes, true) || $state === 'ambiguous') {
-            return $this->decision('manual_mapping_required', ['target_subject_ambiguous']);
-        }
-
-        $sourceEvidence = is_array(data_get($subject, 'source.evidence')) ? data_get($subject, 'source.evidence') : null;
-        $targetEvidence = is_array(data_get($subject, 'target.evidence')) ? data_get($subject, 'target.evidence') : null;
-
-        if (! $this->evidenceSupportsPromotion($sourceEvidence)) {
-            return $this->decision('blocked', ['source_evidence_refresh_required']);
-        }
-
-        if ($state !== 'missing' && ! $this->evidenceSupportsPromotion($targetEvidence)) {
-            return $this->decision('blocked', ['target_evidence_refresh_required']);
-        }
-
-        return match ($state) {
-            'match' => $this->decision('ready', ['target_already_aligned']),
-            'different' => $this->decision('ready', ['target_subject_requires_update']),
-            'missing' => $this->decision('ready', ['target_subject_missing']),
-            default => $this->decision('blocked', ['source_evidence_refresh_required']),
-        };
-    }
-
-    /**
-     * @param  array<string, mixed>|null  $evidence
-     */
-    private function evidenceSupportsPromotion(?array $evidence): bool
-    {
-        return is_array($evidence)
-            && is_string($evidence['fidelity'] ?? null)
-            && (string) $evidence['fidelity'] === 'content';
-    }
-
-    /**
-     * @param  list<string>  $reasonCodes
-     * @return array{bucket: 'ready'|'blocked'|'manual_mapping_required', reasonCodes: list<string>, reasonLabels: list<string>}
-     */
-    private function decision(string $bucket, array $reasonCodes): array
-    {
-        return [
-            'bucket' => $bucket,
-            'reasonCodes' => $reasonCodes,
-            'reasonLabels' => array_map(fn (string $reasonCode): string => $this->reasonLabel($reasonCode), $reasonCodes),
-        ];
-    }
-
-    private function reasonLabel(string $reasonCode): string
-    {
-        return match ($reasonCode) {
-            'source_identifier_missing' => 'Source tenant subject is missing a stable compare identifier.',
-            'source_subject_ambiguous' => 'Source tenant subject resolves to multiple candidates and cannot drive promotion safely.',
-            'target_subject_ambiguous' => 'Target tenant has multiple matching subjects and needs manual mapping.',
-            'source_evidence_refresh_required' => 'Refresh source evidence before relying on this subject.',
-            'target_evidence_refresh_required' => 'Refresh target evidence before relying on this subject.',
-            'target_already_aligned' => 'Target tenant already matches the source for this subject.',
-            'target_subject_requires_update' => 'Target tenant differs from the source but has enough evidence for later promotion planning.',
-            'target_subject_missing' => 'Target tenant does not currently contain this subject and can be planned as a missing target item.',
-            default => 'This subject needs additional review before promotion planning can continue.',
-        };
-    }
-}

apps/platform/app/Support/ProductKnowledge/ContextualHelpResolver.php

@@ -6,7 +6,6 @@
 
 use App\Models\ProviderConnection;
 use App\Models\Tenant;
-use App\Support\Ai\AiDataClassification;
 use App\Support\Governance\PlatformVocabularyGlossary;
 use App\Support\Links\RequiredPermissionsLinks;
 use App\Support\ReasonTranslation\ReasonPresenter;
@@ -148,43 +147,6 @@ public function knowledgeSource(): array
         return $this->catalog->knowledgeSource();
     }
 
-    /**
-     * @return array{
-     *     use_case_key: string,
-     *     source_family: string,
-     *     data_classifications: list<string>,
-     *     operational_metadata: array{version: int, topic_count: int},
-     *     topics: list<array{
-     *         topic_key: string,
-     *         surface_families: list<string>,
-     *         headline: string,
-     *         short_explanation: string,
-     *         troubleshooting_steps: list<string>,
-     *         safe_next_action: string,
-     *         glossary_terms: list<string>,
-     *         docs_links: list<array{label: string, kind: string, url: ?string, resolver: ?string}>
-     *     }>
-     * }
-     */
-    public function aiProductKnowledgeAnswerDraftSource(): array
-    {
-        $source = $this->knowledgeSource();
-
-        return [
-            'use_case_key' => 'product_knowledge.answer_draft',
-            'source_family' => 'product_knowledge',
-            'data_classifications' => [
-                AiDataClassification::ProductKnowledge->value,
-                AiDataClassification::OperationalMetadata->value,
-            ],
-            'operational_metadata' => [
-                'version' => (int) $source['version'],
-                'topic_count' => (int) $source['topic_count'],
-            ],
-            'topics' => $source['topics'],
-        ];
-    }
-
     /**
      * @param  array<string, mixed>|null  $verificationReport
      */

apps/platform/app/Support/Settings/SettingsRegistry.php

@@ -5,10 +5,6 @@
 namespace App\Support\Settings;
 
 use App\Models\Finding;
-use App\Services\Localization\LocaleResolver;
-use App\Support\Ai\AiPolicyMode;
-use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
-use App\Services\Entitlements\WorkspacePlanProfileCatalog;
 
 final class SettingsRegistry
 {
@@ -21,34 +17,6 @@ public function __construct()
     {
         $this->definitions = [];
 
-        $this->register(new SettingDefinition(
-            domain: 'ai',
-            key: 'policy_mode',
-            type: 'string',
-            systemDefault: AiPolicyMode::Disabled->value,
-            rules: ['required', 'string', 'in:disabled,private_only'],
-            normalizer: static fn (mixed $value): string => strtolower(trim((string) $value)),
-        ));
-
-        $this->register(new SettingDefinition(
-            domain: LocaleResolver::SETTING_DOMAIN,
-            key: LocaleResolver::SETTING_DEFAULT_LOCALE,
-            type: 'string',
-            systemDefault: null,
-            rules: [
-                'nullable',
-                'string',
-                'in:'.implode(',', LocaleResolver::supportedLocales()),
-            ],
-            normalizer: static function (mixed $value): ?string {
-                if ($value === null) {
-                    return null;
-                }
-
-                return LocaleResolver::normalize($value);
-            },
-        ));
-
         $this->register(new SettingDefinition(
             domain: 'backup',
             key: 'retention_keep_last_default',
@@ -250,129 +218,6 @@ static function (string $attribute, mixed $value, \Closure $fail): void {
             rules: ['required', 'integer', 'min:0', 'max:10080'],
             normalizer: static fn (mixed $value): int => (int) $value,
         ));
-
-        $this->register(new SettingDefinition(
-            domain: 'entitlements',
-            key: 'plan_profile',
-            type: 'string',
-            systemDefault: WorkspacePlanProfileCatalog::defaultProfileId(),
-            rules: [
-                'nullable',
-                'string',
-                'in:'.implode(',', WorkspacePlanProfileCatalog::profileIds()),
-            ],
-            normalizer: static function (mixed $value): ?string {
-                if ($value === null) {
-                    return null;
-                }
-
-                $normalized = trim((string) $value);
-
-                return $normalized === '' ? null : $normalized;
-            },
-        ));
-
-        $this->register(new SettingDefinition(
-            domain: 'entitlements',
-            key: 'managed_tenant_limit_override_value',
-            type: 'int',
-            systemDefault: null,
-            rules: ['nullable', 'integer', 'min:0'],
-            normalizer: static function (mixed $value): ?int {
-                if ($value === null || $value === '') {
-                    return null;
-                }
-
-                return (int) $value;
-            },
-        ));
-
-        $this->register(new SettingDefinition(
-            domain: 'entitlements',
-            key: 'managed_tenant_limit_override_reason',
-            type: 'string',
-            systemDefault: null,
-            rules: ['nullable', 'string', 'max:500'],
-            normalizer: static function (mixed $value): ?string {
-                if ($value === null) {
-                    return null;
-                }
-
-                $normalized = trim((string) $value);
-
-                return $normalized === '' ? null : $normalized;
-            },
-        ));
-
-        $this->register(new SettingDefinition(
-            domain: 'entitlements',
-            key: 'review_pack_generation_override_value',
-            type: 'bool',
-            systemDefault: null,
-            rules: ['nullable', 'boolean'],
-            normalizer: static function (mixed $value): ?bool {
-                if ($value === null || $value === '') {
-                    return null;
-                }
-
-                return filter_var($value, FILTER_VALIDATE_BOOL);
-            },
-        ));
-
-        $this->register(new SettingDefinition(
-            domain: 'entitlements',
-            key: 'review_pack_generation_override_reason',
-            type: 'string',
-            systemDefault: null,
-            rules: ['nullable', 'string', 'max:500'],
-            normalizer: static function (mixed $value): ?string {
-                if ($value === null) {
-                    return null;
-                }
-
-                $normalized = trim((string) $value);
-
-                return $normalized === '' ? null : $normalized;
-            },
-        ));
-
-        $this->register(new SettingDefinition(
-            domain: 'entitlements',
-            key: WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_STATE,
-            type: 'string',
-            systemDefault: null,
-            rules: [
-                'nullable',
-                'string',
-                'in:'.implode(',', WorkspaceCommercialLifecycleResolver::stateIds()),
-            ],
-            normalizer: static function (mixed $value): ?string {
-                if ($value === null) {
-                    return null;
-                }
-
-                $normalized = strtolower(trim((string) $value));
-
-                return $normalized === '' ? null : $normalized;
-            },
-        ));
-
-        $this->register(new SettingDefinition(
-            domain: 'entitlements',
-            key: WorkspaceCommercialLifecycleResolver::SETTING_COMMERCIAL_LIFECYCLE_REASON,
-            type: 'string',
-            systemDefault: null,
-            rules: ['nullable', 'string', 'max:500'],
-            normalizer: static function (mixed $value): ?string {
-                if ($value === null) {
-                    return null;
-                }
-
-                $normalized = trim((string) $value);
-
-                return $normalized === '' ? null : $normalized;
-            },
-        ));
     }
 
     /**

apps/platform/app/Support/SupportDiagnostics/SupportDiagnosticBundleBuilder.php

@@ -19,7 +19,6 @@
 use App\Models\TenantReview;
 use App\Models\User;
 use App\Models\Workspace;
-use App\Support\Ai\AiDataClassification;
 use App\Support\Navigation\RelatedNavigationResolver;
 use App\Support\OperationRunLinks;
 use App\Support\OpsUx\GovernanceRunDiagnosticSummaryBuilder;
@@ -134,39 +133,6 @@ public function forOperationRun(OperationRun $run, ?User $actor = null): array
         );
     }
 
-    /**
-     * @return array{
-     *     use_case_key: string,
-     *     source_family: string,
-     *     data_classifications: list<string>,
-     *     summary: array{
-     *         headline: string,
-     *         dominant_issue: string,
-     *         freshness_state: string,
-     *         completeness_note: ?string,
-     *         redaction_note: string,
-     *         generated_from: string
-     *     },
-     *     redaction: array{mode: string, markers: list<string>},
-     *     notes: list<string>
-     * }
-     */
-    public function aiSupportDiagnosticsSummaryDraftSource(Tenant $tenant, ?User $actor = null): array
-    {
-        $bundle = $this->forTenant($tenant, $actor);
-
-        return [
-            'use_case_key' => 'support_diagnostics.summary_draft',
-            'source_family' => 'support_diagnostics',
-            'data_classifications' => [
-                AiDataClassification::RedactedSupportSummary->value,
-            ],
-            'summary' => $bundle['summary'],
-            'redaction' => $bundle['redaction'],
-            'notes' => $bundle['notes'],
-        ];
-    }
-
     /**
      * @param  list<array<string, mixed>>  $sections
      * @return array<string, mixed>

apps/platform/app/Support/SupportRequests/ExternalSupportDeskHandoffService.php

@@ -1,256 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\SupportRequests;
-
-use App\Models\SupportRequest;
-use Illuminate\Http\Client\ConnectionException;
-use Illuminate\Http\Client\RequestException;
-use Illuminate\Support\Facades\Http;
-use Illuminate\Validation\ValidationException;
-
-final class ExternalSupportDeskHandoffService
-{
-    private const int MAX_TIMEOUT_SECONDS = 5;
-
-    /**
-     * @return array{
-     *     successful: bool,
-     *     external_ticket_reference: ?string,
-     *     external_ticket_url: ?string,
-     *     failure_summary: ?string
-     * }
-     */
-    public function createTicket(SupportRequest $supportRequest): array
-    {
-        if (! $this->targetIsConfigured()) {
-            return $this->failed('External support desk target is not configured.');
-        }
-
-        try {
-            $response = Http::timeout($this->timeoutSeconds())
-                ->acceptJson()
-                ->asJson()
-                ->withHeaders($this->headers())
-                ->post($this->createUrl(), $this->payloadFor($supportRequest));
-        } catch (ConnectionException) {
-            return $this->failed('External support desk did not respond before the configured timeout.');
-        } catch (RequestException $exception) {
-            return $this->failed('External support desk rejected the ticket create request (HTTP '.$exception->response->status().').');
-        }
-
-        if (! $response->successful()) {
-            return $this->failed('External support desk rejected the ticket create request (HTTP '.$response->status().').');
-        }
-
-        $responsePayload = $response->json();
-        $responsePayload = is_array($responsePayload) ? $responsePayload : [];
-
-        $reference = $this->normalizeReference(
-            data_get($responsePayload, 'ticket_reference')
-                ?? data_get($responsePayload, 'external_ticket_reference')
-                ?? data_get($responsePayload, 'reference')
-                ?? data_get($responsePayload, 'key')
-                ?? data_get($responsePayload, 'id'),
-            throwOnInvalid: false,
-        );
-
-        if ($reference === null) {
-            return $this->failed('External support desk did not return a ticket reference.');
-        }
-
-        $url = $this->normalizeUrl(
-            data_get($responsePayload, 'ticket_url')
-                ?? data_get($responsePayload, 'external_ticket_url')
-                ?? data_get($responsePayload, 'url')
-                ?? data_get($responsePayload, 'web_url')
-                ?? data_get($responsePayload, 'html_url'),
-            throwOnInvalid: false,
-        ) ?? $this->urlFromTemplate($reference);
-
-        return [
-            'successful' => true,
-            'external_ticket_reference' => $reference,
-            'external_ticket_url' => $url,
-            'failure_summary' => null,
-        ];
-    }
-
-    /**
-     * @return array{external_ticket_reference: string, external_ticket_url: ?string}
-     */
-    public function normalizeLinkedTicket(mixed $reference, mixed $url): array
-    {
-        $normalizedReference = $this->normalizeReference($reference, throwOnInvalid: true);
-
-        if ($normalizedReference === null) {
-            throw ValidationException::withMessages([
-                'external_ticket_reference' => 'The external ticket reference field is required.',
-            ]);
-        }
-
-        return [
-            'external_ticket_reference' => $normalizedReference,
-            'external_ticket_url' => $this->normalizeUrl($url, throwOnInvalid: true) ?? $this->urlFromTemplate($normalizedReference),
-        ];
-    }
-
-    public function targetIsConfigured(): bool
-    {
-        return (bool) config('support_desk.target.enabled', false)
-            && $this->createUrl() !== null;
-    }
-
-    public function targetName(): string
-    {
-        $name = config('support_desk.target.name', 'External support desk');
-
-        return is_string($name) && trim($name) !== ''
-            ? trim($name)
-            : 'External support desk';
-    }
-
-    public function timeoutSeconds(): int
-    {
-        $configured = config('support_desk.target.timeout_seconds', self::MAX_TIMEOUT_SECONDS);
-
-        $seconds = is_numeric($configured) ? (int) $configured : self::MAX_TIMEOUT_SECONDS;
-
-        return max(1, min($seconds, self::MAX_TIMEOUT_SECONDS));
-    }
-
-    /**
-     * @return array{successful: false, external_ticket_reference: null, external_ticket_url: null, failure_summary: string}
-     */
-    private function failed(string $summary): array
-    {
-        return [
-            'successful' => false,
-            'external_ticket_reference' => null,
-            'external_ticket_url' => null,
-            'failure_summary' => $this->boundedFailureSummary($summary),
-        ];
-    }
-
-    private function createUrl(): ?string
-    {
-        return $this->normalizeUrl(config('support_desk.target.create_url'), throwOnInvalid: false);
-    }
-
-    /**
-     * @return array<string, string>
-     */
-    private function headers(): array
-    {
-        $headers = [];
-        $token = config('support_desk.target.api_token');
-
-        if (is_string($token) && trim($token) !== '') {
-            $headers['Authorization'] = 'Bearer '.trim($token);
-        }
-
-        return $headers;
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    private function payloadFor(SupportRequest $supportRequest): array
-    {
-        return [
-            'support_request' => [
-                'internal_reference' => $supportRequest->internal_reference,
-                'severity' => $supportRequest->severity,
-                'summary' => $supportRequest->summary,
-                'reproduction_notes' => $supportRequest->reproduction_notes,
-                'contact_name' => $supportRequest->contact_name,
-                'contact_email' => $supportRequest->contact_email,
-                'primary_context_type' => $supportRequest->primary_context_type,
-                'primary_context_id' => $supportRequest->primary_context_type === SupportRequest::PRIMARY_CONTEXT_OPERATION_RUN
-                    ? $supportRequest->operation_run_id
-                    : $supportRequest->tenant_id,
-                'workspace_id' => $supportRequest->workspace_id,
-                'tenant_id' => $supportRequest->tenant_id,
-                'operation_run_id' => $supportRequest->operation_run_id,
-            ],
-            'context_envelope' => $supportRequest->context_envelope,
-        ];
-    }
-
-    private function normalizeReference(mixed $value, bool $throwOnInvalid): ?string
-    {
-        if (! is_string($value) && ! is_numeric($value)) {
-            return null;
-        }
-
-        $reference = trim((string) $value);
-
-        if ($reference === '') {
-            return null;
-        }
-
-        if (mb_strlen($reference) > 128 || preg_match('/\A[A-Za-z0-9][A-Za-z0-9._:-]*\z/', $reference) !== 1) {
-            if ($throwOnInvalid) {
-                throw ValidationException::withMessages([
-                    'external_ticket_reference' => 'The external ticket reference format is invalid.',
-                ]);
-            }
-
-            return null;
-        }
-
-        return $reference;
-    }
-
-    private function normalizeUrl(mixed $value, bool $throwOnInvalid): ?string
-    {
-        if (! is_string($value)) {
-            return null;
-        }
-
-        $url = trim($value);
-
-        if ($url === '') {
-            return null;
-        }
-
-        $scheme = parse_url($url, PHP_URL_SCHEME);
-
-        if (! in_array($scheme, ['http', 'https'], true) || filter_var($url, FILTER_VALIDATE_URL) === false) {
-            if ($throwOnInvalid) {
-                throw ValidationException::withMessages([
-                    'external_ticket_url' => 'The external ticket URL must be a valid HTTP or HTTPS URL.',
-                ]);
-            }
-
-            return null;
-        }
-
-        return $url;
-    }
-
-    private function urlFromTemplate(string $reference): ?string
-    {
-        $template = config('support_desk.target.ticket_url_template');
-
-        if (! is_string($template) || trim($template) === '') {
-            return null;
-        }
-
-        $url = str_replace(
-            ['{reference}', '{ticket}'],
-            rawurlencode($reference),
-            trim($template),
-        );
-
-        return $this->normalizeUrl($url, throwOnInvalid: false);
-    }
-
-    private function boundedFailureSummary(string $summary): string
-    {
-        $summary = trim(preg_replace('/\s+/', ' ', $summary) ?? $summary);
-
-        return mb_substr($summary, 0, 500);
-    }
-}

apps/platform/app/Support/SupportRequests/SupportRequestContextBuilder.php

@@ -1,129 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\SupportRequests;
-
-use App\Models\OperationRun;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Support\SupportDiagnostics\SupportDiagnosticBundleBuilder;
-
-final class SupportRequestContextBuilder
-{
-    public const ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED = 'diagnostic_snapshot_attached';
-
-    public const ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY = 'canonical_context_only';
-
-    public function __construct(
-        private readonly SupportDiagnosticBundleBuilder $supportDiagnosticBundleBuilder,
-    ) {}
-
-    /**
-     * @return array<string, mixed>
-     */
-    public function forTenant(Tenant $tenant, User $actor, bool $attachDiagnosticSnapshot): array
-    {
-        return $this->buildEnvelope(
-            bundle: $this->supportDiagnosticBundleBuilder->forTenant($tenant, $actor),
-            attachDiagnosticSnapshot: $attachDiagnosticSnapshot,
-        );
-    }
-
-    /**
-     * @return array<string, mixed>
-     */
-    public function forOperationRun(OperationRun $run, User $actor, bool $attachDiagnosticSnapshot): array
-    {
-        return $this->buildEnvelope(
-            bundle: $this->supportDiagnosticBundleBuilder->forOperationRun($run, $actor),
-            attachDiagnosticSnapshot: $attachDiagnosticSnapshot,
-        );
-    }
-
-    /**
-     * @param  array<string, mixed>  $bundle
-     * @return array<string, mixed>
-     */
-    private function buildEnvelope(array $bundle, bool $attachDiagnosticSnapshot): array
-    {
-        $attachmentMode = $attachDiagnosticSnapshot
-            ? self::ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED
-            : self::ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY;
-
-        return [
-            'schema_version' => 1,
-            'generated_from' => 'support_diagnostics_bundle',
-            'attachment_mode' => $attachmentMode,
-            'redaction_mode' => (string) data_get($bundle, 'redaction.mode', 'default_redacted'),
-            'primary_context' => [
-                'type' => (string) data_get($bundle, 'context.type'),
-                'workspace_id' => data_get($bundle, 'context.workspace_id'),
-                'tenant_id' => data_get($bundle, 'context.tenant_id'),
-                'operation_run_id' => data_get($bundle, 'context.operation_run_id'),
-                'workspace_label' => data_get($bundle, 'context.workspace_label'),
-                'tenant_label' => data_get($bundle, 'context.tenant_label'),
-            ],
-            'canonical_context' => [
-                'headline' => (string) data_get($bundle, 'summary.headline', data_get($bundle, 'headline')),
-                'dominant_issue' => (string) data_get($bundle, 'summary.dominant_issue', data_get($bundle, 'dominant_issue')),
-                'freshness_state' => (string) data_get($bundle, 'freshness_state'),
-                'completeness_note' => data_get($bundle, 'summary.completeness_note'),
-                'redaction_note' => data_get($bundle, 'summary.redaction_note'),
-                'context' => data_get($bundle, 'context', []),
-                'tenant' => data_get($bundle, 'tenant'),
-                'operation_run' => data_get($bundle, 'operation_run'),
-                'sections' => $this->canonicalSections($bundle),
-                'notes' => is_array($bundle['notes'] ?? null)
-                    ? array_values($bundle['notes'])
-                    : [],
-            ],
-            'diagnostic_snapshot' => $attachDiagnosticSnapshot
-                ? [
-                    'contextual_help' => data_get($bundle, 'contextual_help'),
-                    'sections' => is_array($bundle['sections'] ?? null)
-                        ? array_values($bundle['sections'])
-                        : [],
-                    'redaction' => is_array($bundle['redaction'] ?? null)
-                        ? $bundle['redaction']
-                        : [],
-                    'notes' => is_array($bundle['notes'] ?? null)
-                        ? array_values($bundle['notes'])
-                        : [],
-                ]
-                : null,
-            'omissions' => $attachDiagnosticSnapshot
-                ? []
-                : [[
-                    'type' => 'diagnostic_snapshot',
-                    'reason' => 'omitted_without_support_diagnostics_view',
-                    'message' => 'Redacted diagnostic evidence was omitted because the creator could not view support diagnostics.',
-                ]],
-        ];
-    }
-
-    /**
-     * @param  array<string, mixed>  $bundle
-     * @return list<array<string, mixed>>
-     */
-    private function canonicalSections(array $bundle): array
-    {
-        if (! is_array($bundle['sections'] ?? null)) {
-            return [];
-        }
-
-        return array_values(array_map(
-            static fn (array $section): array => [
-                'key' => (string) ($section['key'] ?? ''),
-                'label' => (string) ($section['label'] ?? ''),
-                'availability' => (string) ($section['availability'] ?? 'missing'),
-                'summary' => (string) ($section['summary'] ?? ''),
-                'freshness_note' => $section['freshness_note'] ?? null,
-                'references' => is_array($section['references'] ?? null)
-                    ? array_values($section['references'])
-                    : [],
-            ],
-            $bundle['sections'],
-        ));
-    }
-}

apps/platform/app/Support/SupportRequests/SupportRequestReferenceGenerator.php

@@ -1,15 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\SupportRequests;
-
-use Illuminate\Support\Str;
-
-final class SupportRequestReferenceGenerator
-{
-    public function generate(): string
-    {
-        return 'SR-'.strtoupper((string) Str::ulid());
-    }
-}

apps/platform/app/Support/SupportRequests/SupportRequestSubmissionService.php

@@ -1,399 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace App\Support\SupportRequests;
-
-use App\Models\OperationRun;
-use App\Models\SupportRequest;
-use App\Models\Tenant;
-use App\Models\User;
-use App\Services\Audit\WorkspaceAuditLogger;
-use App\Services\Auth\CapabilityResolver;
-use App\Support\Auth\Capabilities;
-use Illuminate\Validation\Rule;
-use Illuminate\Validation\ValidationException;
-
-final class SupportRequestSubmissionService
-{
-    public function __construct(
-        private readonly CapabilityResolver $capabilityResolver,
-        private readonly SupportRequestContextBuilder $supportRequestContextBuilder,
-        private readonly SupportRequestReferenceGenerator $supportRequestReferenceGenerator,
-        private readonly ExternalSupportDeskHandoffService $externalSupportDeskHandoffService,
-        private readonly WorkspaceAuditLogger $workspaceAuditLogger,
-    ) {}
-
-    /**
-     * @param  array<string, mixed>  $data
-     */
-    public function submitForTenant(Tenant $tenant, User $actor, array $data): SupportRequest
-    {
-        $this->authorizeCreation($tenant, $actor);
-
-        return $this->submit(
-            tenant: $tenant,
-            actor: $actor,
-            data: $data,
-            primaryContextType: SupportRequest::PRIMARY_CONTEXT_TENANT,
-            operationRun: null,
-        );
-    }
-
-    /**
-     * @param  array<string, mixed>  $data
-     */
-    public function submitForOperationRun(OperationRun $run, User $actor, array $data): SupportRequest
-    {
-        $run->loadMissing('tenant.workspace');
-
-        $tenant = $run->tenant;
-
-        if (! $tenant instanceof Tenant) {
-            abort(404);
-        }
-
-        $this->authorizeCreation($tenant, $actor);
-
-        return $this->submit(
-            tenant: $tenant,
-            actor: $actor,
-            data: $data,
-            primaryContextType: SupportRequest::PRIMARY_CONTEXT_OPERATION_RUN,
-            operationRun: $run,
-        );
-    }
-
-    private function authorizeCreation(Tenant $tenant, User $actor): void
-    {
-        if (! $this->capabilityResolver->isMember($actor, $tenant)) {
-            abort(404);
-        }
-
-        if (! $this->capabilityResolver->can($actor, $tenant, Capabilities::SUPPORT_REQUESTS_CREATE)) {
-            abort(403);
-        }
-    }
-
-    /**
-     * @param  array<string, mixed>  $data
-     */
-    private function submit(
-        Tenant $tenant,
-        User $actor,
-        array $data,
-        string $primaryContextType,
-        ?OperationRun $operationRun,
-    ): SupportRequest {
-        $validated = $this->validate($data);
-        $attachDiagnosticSnapshot = $this->capabilityResolver->can($actor, $tenant, Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
-
-        $contextEnvelope = $operationRun instanceof OperationRun
-            ? $this->supportRequestContextBuilder->forOperationRun($operationRun, $actor, $attachDiagnosticSnapshot)
-            : $this->supportRequestContextBuilder->forTenant($tenant, $actor, $attachDiagnosticSnapshot);
-
-        $contactName = $validated['contact_name'] ?? $this->normalizeNullableString($actor->name) ?? $this->normalizeNullableString($actor->email);
-        $contactEmail = $validated['contact_email'] ?? $this->normalizeNullableString($actor->email);
-        $connection = SupportRequest::query()->getModel()->getConnection();
-
-        $supportRequest = $connection->transaction(function () use (
-            $actor,
-            $contactEmail,
-            $contactName,
-            $contextEnvelope,
-            $operationRun,
-            $primaryContextType,
-            $tenant,
-            $validated,
-        ): SupportRequest {
-            $supportRequest = SupportRequest::query()->create([
-                'workspace_id' => (int) $tenant->workspace_id,
-                'tenant_id' => (int) $tenant->getKey(),
-                'operation_run_id' => $operationRun instanceof OperationRun ? (int) $operationRun->getKey() : null,
-                'initiated_by_user_id' => (int) $actor->getKey(),
-                'internal_reference' => $this->supportRequestReferenceGenerator->generate(),
-                'primary_context_type' => $primaryContextType,
-                'attachment_mode' => (string) data_get($contextEnvelope, 'attachment_mode', SupportRequest::ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY),
-                'severity' => $validated['severity'],
-                'summary' => $validated['summary'],
-                'reproduction_notes' => $validated['reproduction_notes'],
-                'contact_name' => $contactName,
-                'contact_email' => $contactEmail,
-                'context_envelope' => $contextEnvelope,
-            ]);
-
-            $supportRequest->loadMissing(['tenant.workspace']);
-
-            $this->workspaceAuditLogger->logSupportRequestCreated($supportRequest, $actor);
-
-            return $supportRequest;
-        });
-
-        return $this->finalizeExternalHandoff($supportRequest, $actor, $validated);
-    }
-
-    /**
-     * @param  array{
-     *     external_handoff_mode: string,
-     *     external_ticket_reference: ?string,
-     *     external_ticket_url: ?string
-     * }  $validated
-     */
-    private function finalizeExternalHandoff(SupportRequest $supportRequest, User $actor, array $validated): SupportRequest
-    {
-        $mode = $validated['external_handoff_mode'];
-
-        if ($mode === SupportRequest::EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY) {
-            $supportRequest->forceFill([
-                'external_handoff_mode' => SupportRequest::EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY,
-                'external_ticket_reference' => null,
-                'external_ticket_url' => null,
-                'external_handoff_failure_summary' => null,
-            ])->save();
-
-            return $supportRequest->refresh();
-        }
-
-        if ($mode === SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET) {
-            $linkedTicket = $this->externalSupportDeskHandoffService->normalizeLinkedTicket(
-                $validated['external_ticket_reference'],
-                $validated['external_ticket_url'],
-            );
-
-            $supportRequest->forceFill([
-                'external_handoff_mode' => SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET,
-                'external_ticket_reference' => $linkedTicket['external_ticket_reference'],
-                'external_ticket_url' => $linkedTicket['external_ticket_url'],
-                'external_handoff_failure_summary' => null,
-            ])->save();
-
-            $supportRequest = $supportRequest->refresh();
-            $this->workspaceAuditLogger->logSupportRequestExternalTicketLinked($supportRequest, $actor);
-
-            return $supportRequest;
-        }
-
-        $createdTicket = $this->externalSupportDeskHandoffService->createTicket($supportRequest);
-
-        if ($createdTicket['successful']) {
-            $supportRequest->forceFill([
-                'external_handoff_mode' => SupportRequest::EXTERNAL_HANDOFF_MODE_CREATE_EXTERNAL_TICKET,
-                'external_ticket_reference' => $createdTicket['external_ticket_reference'],
-                'external_ticket_url' => $createdTicket['external_ticket_url'],
-                'external_handoff_failure_summary' => null,
-            ])->save();
-
-            $supportRequest = $supportRequest->refresh();
-            $this->workspaceAuditLogger->logSupportRequestExternalTicketCreated($supportRequest, $actor);
-
-            return $supportRequest;
-        }
-
-        $supportRequest->forceFill([
-            'external_handoff_mode' => SupportRequest::EXTERNAL_HANDOFF_MODE_CREATE_EXTERNAL_TICKET,
-            'external_ticket_reference' => null,
-            'external_ticket_url' => null,
-            'external_handoff_failure_summary' => $createdTicket['failure_summary'],
-        ])->save();
-
-        $supportRequest = $supportRequest->refresh();
-        $this->workspaceAuditLogger->logSupportRequestExternalHandoffFailed($supportRequest, $actor);
-
-        return $supportRequest;
-    }
-
-    /**
-     * @return array{
-     *     internal_reference: string,
-     *     primary_context_type: string,
-     *     primary_context_id: int|null,
-     *     submitted_at: ?string,
-     *     external_handoff_mode: string,
-     *     external_ticket_reference: ?string,
-     *     external_ticket_url: ?string,
-     *     external_handoff_failure_summary: ?string,
-     *     has_external_link: bool,
-     *     has_failure: bool
-     * }|null
-     */
-    public function latestTenantHandoffSummary(Tenant $tenant, User $actor): ?array
-    {
-        $this->authorizeCreation($tenant, $actor);
-
-        $supportRequest = SupportRequest::query()
-            ->where('workspace_id', (int) $tenant->workspace_id)
-            ->where('tenant_id', (int) $tenant->getKey())
-            ->where('primary_context_type', SupportRequest::PRIMARY_CONTEXT_TENANT)
-            ->latest('created_at')
-            ->latest('id')
-            ->first();
-
-        return $supportRequest instanceof SupportRequest
-            ? $this->summaryFor($supportRequest)
-            : null;
-    }
-
-    /**
-     * @return array{
-     *     internal_reference: string,
-     *     primary_context_type: string,
-     *     primary_context_id: int|null,
-     *     submitted_at: ?string,
-     *     external_handoff_mode: string,
-     *     external_ticket_reference: ?string,
-     *     external_ticket_url: ?string,
-     *     external_handoff_failure_summary: ?string,
-     *     has_external_link: bool,
-     *     has_failure: bool
-     * }|null
-     */
-    public function latestOperationRunHandoffSummary(OperationRun $run, User $actor): ?array
-    {
-        $run->loadMissing('tenant.workspace');
-
-        $tenant = $run->tenant;
-
-        if (! $tenant instanceof Tenant) {
-            abort(404);
-        }
-
-        $this->authorizeCreation($tenant, $actor);
-
-        $supportRequest = SupportRequest::query()
-            ->where('workspace_id', (int) $run->workspace_id)
-            ->where('tenant_id', (int) $tenant->getKey())
-            ->where('primary_context_type', SupportRequest::PRIMARY_CONTEXT_OPERATION_RUN)
-            ->where('operation_run_id', (int) $run->getKey())
-            ->latest('created_at')
-            ->latest('id')
-            ->first();
-
-        return $supportRequest instanceof SupportRequest
-            ? $this->summaryFor($supportRequest)
-            : null;
-    }
-
-    /**
-     * @return array{
-     *     internal_reference: string,
-     *     primary_context_type: string,
-     *     primary_context_id: int|null,
-     *     submitted_at: ?string,
-     *     external_handoff_mode: string,
-     *     external_ticket_reference: ?string,
-     *     external_ticket_url: ?string,
-     *     external_handoff_failure_summary: ?string,
-     *     has_external_link: bool,
-     *     has_failure: bool
-     * }
-     */
-    private function summaryFor(SupportRequest $supportRequest): array
-    {
-        return [
-            'internal_reference' => (string) $supportRequest->internal_reference,
-            'primary_context_type' => (string) $supportRequest->primary_context_type,
-            'primary_context_id' => $supportRequest->primary_context_type === SupportRequest::PRIMARY_CONTEXT_OPERATION_RUN
-                ? (is_numeric($supportRequest->operation_run_id) ? (int) $supportRequest->operation_run_id : null)
-                : (is_numeric($supportRequest->tenant_id) ? (int) $supportRequest->tenant_id : null),
-            'submitted_at' => $supportRequest->created_at?->toIso8601String(),
-            'external_handoff_mode' => (string) ($supportRequest->external_handoff_mode ?? SupportRequest::EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY),
-            'external_ticket_reference' => $this->normalizeNullableString($supportRequest->external_ticket_reference),
-            'external_ticket_url' => $this->normalizeNullableString($supportRequest->external_ticket_url),
-            'external_handoff_failure_summary' => $this->normalizeNullableString($supportRequest->external_handoff_failure_summary),
-            'has_external_link' => $supportRequest->hasExternalTicket(),
-            'has_failure' => $supportRequest->hasExternalHandoffFailure(),
-        ];
-    }
-
-    /**
-     * @param  array<string, mixed>  $data
-     * @return array{
-     *     severity: string,
-     *     summary: string,
-     *     reproduction_notes: ?string,
-     *     contact_name: ?string,
-     *     contact_email: ?string,
-     *     external_handoff_mode: string,
-     *     external_ticket_reference: ?string,
-     *     external_ticket_url: ?string,
-     * }
-     */
-    private function validate(array $data): array
-    {
-        $requestedHandoffMode = $this->normalizeNullableString($data['external_handoff_mode'] ?? null)
-            ?? SupportRequest::EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY;
-
-        if (! $this->externalSupportDeskHandoffService->targetIsConfigured()) {
-            $requestedHandoffMode = SupportRequest::EXTERNAL_HANDOFF_MODE_INTERNAL_ONLY;
-        }
-
-        $validated = validator(
-            [
-                'severity' => $data['severity'] ?? SupportRequest::SEVERITY_NORMAL,
-                'summary' => $data['summary'] ?? null,
-                'reproduction_notes' => $data['reproduction_notes'] ?? null,
-                'contact_name' => $data['contact_name'] ?? null,
-                'contact_email' => $data['contact_email'] ?? null,
-                'external_handoff_mode' => $requestedHandoffMode,
-                'external_ticket_reference' => $data['external_ticket_reference'] ?? null,
-                'external_ticket_url' => $data['external_ticket_url'] ?? null,
-            ],
-            [
-                'severity' => ['required', 'string', Rule::in(SupportRequest::severityValues())],
-                'summary' => ['required', 'string'],
-                'reproduction_notes' => ['nullable', 'string'],
-                'contact_name' => ['nullable', 'string'],
-                'contact_email' => ['nullable', 'email'],
-                'external_handoff_mode' => ['required', 'string', Rule::in(SupportRequest::externalHandoffModeValues())],
-                'external_ticket_reference' => ['nullable', 'string', 'max:255'],
-                'external_ticket_url' => ['nullable', 'url', 'max:2048'],
-            ],
-        )->validate();
-
-        $validated['summary'] = trim((string) $validated['summary']);
-
-        if ($validated['summary'] === '') {
-            throw ValidationException::withMessages([
-                'summary' => 'The summary field is required.',
-            ]);
-        }
-
-        $validated['reproduction_notes'] = $this->normalizeNullableString($validated['reproduction_notes'] ?? null);
-        $validated['contact_name'] = $this->normalizeNullableString($validated['contact_name'] ?? null);
-        $validated['contact_email'] = $this->normalizeNullableString($validated['contact_email'] ?? null);
-        $validated['external_ticket_reference'] = $this->normalizeNullableString($validated['external_ticket_reference'] ?? null);
-        $validated['external_ticket_url'] = $this->normalizeNullableString($validated['external_ticket_url'] ?? null);
-
-        if ($validated['external_handoff_mode'] === SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET
-            && $validated['external_ticket_reference'] === null) {
-            throw ValidationException::withMessages([
-                'external_ticket_reference' => 'The external ticket reference field is required.',
-            ]);
-        }
-
-        if ($validated['external_handoff_mode'] === SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET) {
-            $this->externalSupportDeskHandoffService->normalizeLinkedTicket(
-                $validated['external_ticket_reference'],
-                $validated['external_ticket_url'],
-            );
-        }
-
-        if ($validated['external_handoff_mode'] !== SupportRequest::EXTERNAL_HANDOFF_MODE_LINK_EXISTING_TICKET) {
-            $validated['external_ticket_reference'] = null;
-            $validated['external_ticket_url'] = null;
-        }
-
-        return $validated;
-    }
-
-    private function normalizeNullableString(mixed $value): ?string
-    {
-        if (! is_string($value)) {
-            return null;
-        }
-
-        $normalized = trim($value);
-
-        return $normalized === '' ? null : $normalized;
-    }
-}