spec: add workspace environment context browser audit #368

Merged
ahmido merged 1 commits from 313-workspace-environment-context-browser-verification into platform-dev 2026-05-16 08:51:22 +00:00
87 changed files with 9990 additions and 0 deletions


@ -0,0 +1,170 @@
app/Filament/Clusters/Inventory/InventoryCluster.php
app/Filament/Clusters/Monitoring/AlertsCluster.php
app/Filament/Concerns/InteractsWithTenantOwnedRecords.php
app/Filament/Concerns/ResolvesPanelTenantContext.php
app/Filament/Concerns/ScopesGlobalSearchToTenant.php
app/Filament/Concerns/WorkspaceScopedTenantRoutes.php
app/Filament/Pages/Auth/Login.php
app/Filament/Pages/BaselineCompareLanding.php
app/Filament/Pages/BaselineCompareMatrix.php
app/Filament/Pages/BreakGlassRecovery.php
app/Filament/Pages/ChooseEnvironment.php
app/Filament/Pages/ChooseWorkspace.php
app/Filament/Pages/CrossEnvironmentComparePage.php
app/Filament/Pages/EnvironmentDashboard.php
app/Filament/Pages/EnvironmentDiagnostics.php
app/Filament/Pages/EnvironmentRequiredPermissions.php
app/Filament/Pages/Findings/FindingsHygieneReport.php
app/Filament/Pages/Findings/FindingsIntakeQueue.php
app/Filament/Pages/Findings/MyFindingsInbox.php
app/Filament/Pages/Governance/DecisionRegister.php
app/Filament/Pages/Governance/GovernanceInbox.php
app/Filament/Pages/InventoryCoverage.php
app/Filament/Pages/Monitoring/Alerts.php
app/Filament/Pages/Monitoring/AuditLog.php
app/Filament/Pages/Monitoring/EvidenceOverview.php
app/Filament/Pages/Monitoring/FindingExceptionsQueue.php
app/Filament/Pages/Monitoring/Operations.php
app/Filament/Pages/NoAccess.php
app/Filament/Pages/Operations/TenantlessOperationRunViewer.php
app/Filament/Pages/Reviews/CustomerReviewWorkspace.php
app/Filament/Pages/Reviews/ReviewRegister.php
app/Filament/Pages/Settings/WorkspaceSettings.php
app/Filament/Pages/Tenancy/RegisterTenant.php
app/Filament/Pages/WorkspaceOverview.php
app/Filament/Pages/Workspaces/ManagedEnvironmentOnboardingWizard.php
app/Filament/Pages/Workspaces/ManagedEnvironmentsLanding.php
app/Filament/Resources/AlertDeliveryResource.php
app/Filament/Resources/AlertDeliveryResource/Pages/ListAlertDeliveries.php
app/Filament/Resources/AlertDeliveryResource/Pages/ViewAlertDelivery.php
app/Filament/Resources/AlertDestinationResource.php
app/Filament/Resources/AlertDestinationResource/Pages/CreateAlertDestination.php
app/Filament/Resources/AlertDestinationResource/Pages/EditAlertDestination.php
app/Filament/Resources/AlertDestinationResource/Pages/ListAlertDestinations.php
app/Filament/Resources/AlertDestinationResource/Pages/ViewAlertDestination.php
app/Filament/Resources/AlertRuleResource.php
app/Filament/Resources/AlertRuleResource/Pages/CreateAlertRule.php
app/Filament/Resources/AlertRuleResource/Pages/EditAlertRule.php
app/Filament/Resources/AlertRuleResource/Pages/ListAlertRules.php
app/Filament/Resources/BackupScheduleResource.php
app/Filament/Resources/BackupScheduleResource/Pages/CreateBackupSchedule.php
app/Filament/Resources/BackupScheduleResource/Pages/EditBackupSchedule.php
app/Filament/Resources/BackupScheduleResource/Pages/ListBackupSchedules.php
app/Filament/Resources/BackupScheduleResource/RelationManagers/BackupScheduleOperationRunsRelationManager.php
app/Filament/Resources/BackupSetResource.php
app/Filament/Resources/BackupSetResource/Pages/CreateBackupSet.php
app/Filament/Resources/BackupSetResource/Pages/ListBackupSets.php
app/Filament/Resources/BackupSetResource/Pages/ViewBackupSet.php
app/Filament/Resources/BackupSetResource/RelationManagers/BackupItemsRelationManager.php
app/Filament/Resources/BaselineProfileResource.php
app/Filament/Resources/BaselineProfileResource/Pages/CreateBaselineProfile.php
app/Filament/Resources/BaselineProfileResource/Pages/EditBaselineProfile.php
app/Filament/Resources/BaselineProfileResource/Pages/ListBaselineProfiles.php
app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php
app/Filament/Resources/BaselineProfileResource/RelationManagers/BaselineTenantAssignmentsRelationManager.php
app/Filament/Resources/BaselineSnapshotResource.php
app/Filament/Resources/BaselineSnapshotResource/Pages/ListBaselineSnapshots.php
app/Filament/Resources/BaselineSnapshotResource/Pages/ViewBaselineSnapshot.php
app/Filament/Resources/EntraGroupResource.php
app/Filament/Resources/EntraGroupResource/Pages/ListEntraGroups.php
app/Filament/Resources/EntraGroupResource/Pages/ViewEntraGroup.php
app/Filament/Resources/EnvironmentReviewResource.php
app/Filament/Resources/EnvironmentReviewResource/Pages/ListEnvironmentReviews.php
app/Filament/Resources/EnvironmentReviewResource/Pages/ViewEnvironmentReview.php
app/Filament/Resources/EvidenceSnapshotResource.php
app/Filament/Resources/EvidenceSnapshotResource/Pages/ListEvidenceSnapshots.php
app/Filament/Resources/EvidenceSnapshotResource/Pages/ViewEvidenceSnapshot.php
app/Filament/Resources/FindingExceptionResource.php
app/Filament/Resources/FindingExceptionResource/Pages/ListFindingExceptions.php
app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php
app/Filament/Resources/FindingResource.php
app/Filament/Resources/FindingResource/Pages/ListFindings.php
app/Filament/Resources/FindingResource/Pages/ViewFinding.php
app/Filament/Resources/InventoryItemResource.php
app/Filament/Resources/InventoryItemResource/Pages/ListInventoryItems.php
app/Filament/Resources/InventoryItemResource/Pages/ViewInventoryItem.php
app/Filament/Resources/ManagedEnvironmentResource.php
app/Filament/Resources/ManagedEnvironmentResource/Pages/EditManagedEnvironment.php
app/Filament/Resources/ManagedEnvironmentResource/Pages/ListManagedEnvironments.php
app/Filament/Resources/ManagedEnvironmentResource/Pages/ManageEnvironmentAccessScopes.php
app/Filament/Resources/ManagedEnvironmentResource/Pages/ViewManagedEnvironment.php
app/Filament/Resources/ManagedEnvironmentResource/RelationManagers/ManagedEnvironmentMembershipsRelationManager.php
app/Filament/Resources/OperationRunResource.php
app/Filament/Resources/PolicyResource.php
app/Filament/Resources/PolicyResource/Pages/ListPolicies.php
app/Filament/Resources/PolicyResource/Pages/ViewPolicy.php
app/Filament/Resources/PolicyResource/RelationManagers/VersionsRelationManager.php
app/Filament/Resources/PolicyVersionResource.php
app/Filament/Resources/PolicyVersionResource/Pages/ListPolicyVersions.php
app/Filament/Resources/PolicyVersionResource/Pages/ViewPolicyVersion.php
app/Filament/Resources/ProviderConnectionResource.php
app/Filament/Resources/ProviderConnectionResource/Pages/CreateProviderConnection.php
app/Filament/Resources/ProviderConnectionResource/Pages/EditProviderConnection.php
app/Filament/Resources/ProviderConnectionResource/Pages/ListProviderConnections.php
app/Filament/Resources/ProviderConnectionResource/Pages/ViewProviderConnection.php
app/Filament/Resources/RestoreRunResource.php
app/Filament/Resources/RestoreRunResource/Pages/CreateRestoreRun.php
app/Filament/Resources/RestoreRunResource/Pages/ListRestoreRuns.php
app/Filament/Resources/RestoreRunResource/Pages/ViewRestoreRun.php
app/Filament/Resources/ReviewPackResource.php
app/Filament/Resources/ReviewPackResource/Pages/ListReviewPacks.php
app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php
app/Filament/Resources/StoredReportResource.php
app/Filament/Resources/StoredReportResource/Pages/ListStoredReports.php
app/Filament/Resources/StoredReportResource/Pages/ViewStoredReport.php
app/Filament/Resources/Workspaces/Pages/CreateWorkspace.php
app/Filament/Resources/Workspaces/Pages/EditWorkspace.php
app/Filament/Resources/Workspaces/Pages/ListWorkspaces.php
app/Filament/Resources/Workspaces/Pages/ViewWorkspace.php
app/Filament/Resources/Workspaces/RelationManagers/WorkspaceMembershipsRelationManager.php
app/Filament/Resources/Workspaces/WorkspaceResource.php
app/Filament/Support/NormalizedDiffSurface.php
app/Filament/Support/NormalizedSettingsSurface.php
app/Filament/Support/VerificationReportChangeIndicator.php
app/Filament/Support/VerificationReportViewer.php
app/Filament/System/Pages/Auth/Login.php
app/Filament/System/Pages/Dashboard.php
app/Filament/System/Pages/Directory/Concerns/BuildsCustomerHealthDecisionData.php
app/Filament/System/Pages/Directory/Tenants.php
app/Filament/System/Pages/Directory/ViewTenant.php
app/Filament/System/Pages/Directory/ViewWorkspace.php
app/Filament/System/Pages/Directory/Workspaces.php
app/Filament/System/Pages/Ops/Controls.php
app/Filament/System/Pages/Ops/Failures.php
app/Filament/System/Pages/Ops/Runbooks.php
app/Filament/System/Pages/Ops/Runs.php
app/Filament/System/Pages/Ops/Stuck.php
app/Filament/System/Pages/Ops/ViewRun.php
app/Filament/System/Pages/RepairWorkspaceOwners.php
app/Filament/System/Pages/Security/AccessLogs.php
app/Filament/System/Widgets/ControlTowerHealthIndicator.php
app/Filament/System/Widgets/ControlTowerKpis.php
app/Filament/System/Widgets/ControlTowerRecentFailures.php
app/Filament/System/Widgets/ControlTowerTopOffenders.php
app/Filament/System/Widgets/CustomerHealthKpis.php
app/Filament/System/Widgets/CustomerHealthTopWorkspaces.php
app/Filament/System/Widgets/ProductTelemetryKpis.php
app/Filament/System/Widgets/RepairWorkspaceOwnersStats.php
app/Filament/Widgets/Alerts/AlertsKpiHeader.php
app/Filament/Widgets/Dashboard/BaselineCompareNow.php
app/Filament/Widgets/Dashboard/DashboardKpis.php
app/Filament/Widgets/Dashboard/EnvironmentDashboardContextChips.php
app/Filament/Widgets/Dashboard/EnvironmentDashboardOverview.php
app/Filament/Widgets/Dashboard/NeedsAttention.php
app/Filament/Widgets/Dashboard/RecentDriftFindings.php
app/Filament/Widgets/Dashboard/RecentOperations.php
app/Filament/Widgets/Dashboard/RecoveryReadiness.php
app/Filament/Widgets/Inventory/InventoryKpiHeader.php
app/Filament/Widgets/ManagedEnvironment/AdminRolesSummaryWidget.php
app/Filament/Widgets/ManagedEnvironment/BaselineCompareCoverageBanner.php
app/Filament/Widgets/ManagedEnvironment/FindingExceptionStatsOverview.php
app/Filament/Widgets/ManagedEnvironment/FindingStatsOverview.php
app/Filament/Widgets/ManagedEnvironment/ManagedEnvironmentArchivedBanner.php
app/Filament/Widgets/ManagedEnvironment/ManagedEnvironmentReviewPackCard.php
app/Filament/Widgets/ManagedEnvironment/ManagedEnvironmentTriageArrivalContinuity.php
app/Filament/Widgets/ManagedEnvironment/ManagedEnvironmentVerificationReport.php
app/Filament/Widgets/ManagedEnvironment/RecentOperationsSummary.php
app/Filament/Widgets/Operations/OperationsKpiHeader.php
app/Filament/Widgets/Workspace/WorkspaceNeedsAttention.php
app/Filament/Widgets/Workspace/WorkspaceRecentOperations.php
app/Filament/Widgets/Workspace/WorkspaceSummaryStats.php


@ -0,0 +1,100 @@
GET|HEAD admin ................................................ admin.home
GET|HEAD admin/alerts filament.admin.alerts App\Filament\Clusters\Monit…
GET|HEAD admin/alerts/alert-deliveries filament.admin.alerts.resources.al…
GET|HEAD admin/alerts/alert-deliveries/{record} filament.admin.alerts.res…
GET|HEAD admin/alerts/alert-destinations filament.admin.alerts.resources.…
GET|HEAD admin/alerts/alert-destinations/create filament.admin.alerts.res…
GET|HEAD admin/alerts/alert-destinations/{record} filament.admin.alerts.r…
GET|HEAD admin/alerts/alert-destinations/{record}/edit filament.admin.ale…
GET|HEAD admin/alerts/alert-rules filament.admin.alerts.resources.alert-r…
GET|HEAD admin/alerts/alert-rules/create filament.admin.alerts.resources.…
GET|HEAD admin/alerts/alert-rules/{record}/edit filament.admin.alerts.res…
GET|HEAD admin/audit-log admin.monitoring.audit-log App\Filament\Pages\…
GET|HEAD admin/baseline-compare-landing filament.admin.pages.baseline-com…
GET|HEAD admin/baseline-profiles filament.admin.resources.baseline-profil…
GET|HEAD admin/baseline-profiles/create filament.admin.resources.baseline…
GET|HEAD admin/baseline-profiles/{record} filament.admin.resources.baseli…
GET|HEAD admin/baseline-profiles/{record}/compare-matrix filament.admin.r…
GET|HEAD admin/baseline-profiles/{record}/edit filament.admin.resources.b…
GET|HEAD admin/baseline-snapshots filament.admin.resources.baseline-snaps…
GET|HEAD admin/baseline-snapshots/{record} filament.admin.resources.basel…
GET|HEAD admin/choose-environment filament.admin.pages.choose-environment…
GET|HEAD admin/choose-workspace filament.admin.pages.choose-workspace A…
POST admin/clear-environment-context admin.clear-environment-context …
GET|HEAD admin/consent/callback admin.consent.callback AdminConsentCall…
GET|HEAD admin/consent/start admin.consent.start ManagedEnvironmentOnbo…
GET|HEAD admin/cross-environment-compare filament.admin.pages.cross-envir…
GET|HEAD admin/evidence/overview admin.evidence.overview App\Filament\P…
GET|HEAD admin/finding-exceptions/open-queue/{environment} admin.finding-…
GET|HEAD admin/finding-exceptions/queue filament.admin.pages.finding-exce…
GET|HEAD admin/findings/hygiene filament.admin.pages.findings.hygiene A…
GET|HEAD admin/findings/intake filament.admin.pages.findings.intake App…
GET|HEAD admin/findings/my-work filament.admin.pages.findings.my-work A…
GET|HEAD admin/governance/decisions filament.admin.pages.governance.decis…
GET|HEAD admin/governance/inbox filament.admin.pages.governance.inbox A…
GET|HEAD admin/local/backup-health-browser-fixture-login admin.local.back…
GET|HEAD admin/local/smoke-login ................. admin.local.smoke-login
GET|HEAD admin/login filament.admin.auth.login App\Filament\Pages\Auth\…
POST admin/logout filament.admin.auth.logout Filament\Auth Logout…
GET|HEAD admin/no-access filament.admin.pages.no-access App\Filament\Pa…
GET|HEAD admin/onboarding admin.onboarding App\Filament\Pages\Workspace…
GET|HEAD admin/onboarding/{onboardingDraft} admin.onboarding.draft App\…
GET|HEAD admin/provider-connections filament.admin.resources.provider-con…
GET|HEAD admin/provider-connections/create filament.admin.resources.provi…
GET|HEAD admin/provider-connections/{record} filament.admin.resources.pro…
GET|HEAD admin/provider-connections/{record}/edit filament.admin.resource…
GET|HEAD admin/rbac/callback admin.rbac.callback RbacDelegatedAuthContr…
GET|HEAD admin/rbac/start admin.rbac.start RbacDelegatedAuthController@…
GET|HEAD admin/review-packs/{reviewPack}/download admin.review-packs.down…
GET|HEAD admin/reviews filament.admin.pages.reviews App\Filament\Pages\…
GET|HEAD admin/reviews/workspace filament.admin.pages.reviews.workspace …
POST admin/select-environment admin.select-environment SelectEnviro…
GET|HEAD admin/settings/workspace filament.admin.pages.settings.workspace…
POST admin/switch-workspace admin.switch-workspace SwitchWorkspaceC…
GET|HEAD admin/workspaces filament.admin.resources.workspaces.index App…
GET|HEAD admin/workspaces/create filament.admin.resources.workspaces.crea…
GET|HEAD admin/workspaces/{record} filament.admin.resources.workspaces.vi…
GET|HEAD admin/workspaces/{record}/edit filament.admin.resources.workspac…
GET|HEAD admin/workspaces/{workspace}/environments admin.workspace.manage…
GET|HEAD admin/workspaces/{workspace}/environments/{environment} admin.wo…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/access-scopes admin.workspace.environments.access-scopes App\Filament\Resources\ManagedEnvironmentResource\Pages\ManageEnvironmentAccess…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/backup-schedules filament.admin.resources.workspaces.{workspace}.environments.{environment}.backup-schedules.index App\Filament\Resources\BackupScheduleResource\Pages\ListBackup…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/backup-schedules/create filament.admin.resources.workspaces.{workspace}.environments.{environment}.backup-schedules.create App\Filament\Resources\BackupScheduleResource\Pages\Crea…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/backup-schedules/{record}/edit filament.admin.resources.workspaces.{workspace}.environments.{environment}.backup-schedules.edit App\Filament\Resources\BackupScheduleResource\P…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/backup-sets filament.admin.resources.workspaces.{workspace}.environments.{environment}.backup-sets.index App\Filament\Resources\BackupSetResource\Pages\ListBackup…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/backup-sets/create filament.admin.resources.workspaces.{workspace}.environments.{environment}.backup-sets.create App\Filament\Resources\BackupSetResource\Pages\Crea…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/backup-sets/{record} filament.admin.resources.workspaces.{workspace}.environments.{environment}.backup-sets.view App\Filament\Resources\BackupSetResource\Pages\…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/diagnostics admin.workspace.environments.diagnostics App\Filament\Pages\EnvironmentDiagnos…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/entra-groups filament.admin.resources.workspaces.{workspace}.environments.{environment}.entra-groups.index App\Filament\Resources\EntraGroupResource\Pages\ListEntraG…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/entra-groups/{record} filament.admin.resources.workspaces.{workspace}.environments.{environment}.entra-groups.view App\Filament\Resources\EntraGroupResource\Pages\…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/environment-reviews filament.admin.resources.workspaces.{workspace}.environments.{environment}.environment-reviews.index App\Filament\Resources\EnvironmentReviewResource\Pages\ListEnviro…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/environment-reviews/{record} filament.admin.resources.workspaces.{workspace}.environments.{environment}.environment-reviews.view App\Filament\Resources\EnvironmentReviewResource\Pages\…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/evidence filament.admin.resources.workspaces.{workspace}.environments.{environment}.evidence.index App\Filament\Resources\EvidenceSnapshotResource\Pages\ListEvidenceSnapshot…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/evidence/{record} filament.admin.resources.workspaces.{workspace}.environments.{environment}.evidence.view App\Filament\Resources\EvidenceSnapshotResource\Pages\ViewEviden…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/finding-exceptions filament.admin.resources.workspaces.{workspace}.environments.{environment}.finding-exceptions.index App\Filament\Resources\FindingExceptionResource\Pages\ListFindin…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/finding-exceptions/{record} filament.admin.resources.workspaces.{workspace}.environments.{environment}.finding-exceptions.view App\Filament\Resources\FindingExceptionResource\Pages\…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/findings filament.admin.resources.workspaces.{workspace}.environments.{environment}.findings.index App\Filament\Resources\FindingResource\Pages\ListFinding…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/findings/{record} filament.admin.resources.workspaces.{workspace}.environments.{environment}.findings.view App\Filament\Resources\FindingResource\Pages\V…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/inventory filament.admin.workspaces.{workspace}.environments.{environment}.inventory App\Filament\Clusters\Inventory\InventoryClust…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/inventory-items filament.admin.resources.workspaces.{workspace}.environments.{environment}.inventory-items.index App\Filament\Resources\InventoryItemResource\Pages\ListInvent…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/inventory-items/{record} filament.admin.resources.workspaces.{workspace}.environments.{environment}.inventory-items.view App\Filament\Resources\InventoryItemResource\Pages\…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/inventory/inventory-coverage filament.admin.workspaces.{workspace}.environments.{environment}.inventory.pages.inventory-coverage App\Filament\Pa…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/policies filament.admin.resources.workspaces.{workspace}.environments.{environment}.policies.index App\Filament\Resources\PolicyResource\Pages\ListPolicie…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/policies/{record} filament.admin.resources.workspaces.{workspace}.environments.{environment}.policies.view App\Filament\Resources\PolicyResource\Pages\…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/policy-versions filament.admin.resources.workspaces.{workspace}.environments.{environment}.policy-versions.index App\Filament\Resources\PolicyVersionResource\Pages\ListPolicy…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/policy-versions/{record} filament.admin.resources.workspaces.{workspace}.environments.{environment}.policy-versions.view App\Filament\Resources\PolicyVersionResource\Pages\…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/required-permissions filament.admin.pages.workspaces.{workspace}.environments.{environment}.required-permissions App\Filament\Pages\EnvironmentRequir…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/restore-runs filament.admin.resources.workspaces.{workspace}.environments.{environment}.restore-runs.index App\Filament\Resources\RestoreRunResource\Pages\ListRestor…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/restore-runs/create filament.admin.resources.workspaces.{workspace}.environments.{environment}.restore-runs.create App\Filament\Resources\RestoreRunResource\Pages\Crea…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/restore-runs/{record} filament.admin.resources.workspaces.{workspace}.environments.{environment}.restore-runs.view App\Filament\Resources\RestoreRunResource\Pages\…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/review-packs filament.admin.resources.workspaces.{workspace}.environments.{environment}.review-packs.index App\Filament\Resources\ReviewPackResource\Pages\ListReview…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/review-packs/{record} filament.admin.resources.workspaces.{workspace}.environments.{environment}.review-packs.view App\Filament\Resources\ReviewPackResource\Pages\…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/stored-reports filament.admin.resources.workspaces.{workspace}.environments.{environment}.stored-reports.index App\Filament\Resources\StoredReportResource\Pages\ListStored…
GET|HEAD admin/workspaces/{workspace}/environments/{environment}/stored-reports/{record} filament.admin.resources.workspaces.{workspace}.environments.{environment}.stored-reports.view App\Filament\Resources\StoredReportResource\Pages\…
GET|HEAD admin/workspaces/{workspace}/operations admin.operations.index …
GET|HEAD admin/workspaces/{workspace}/operations/{run} admin.operations.v…
GET|HEAD admin/workspaces/{workspace}/overview admin.workspace.home App…
GET|HEAD admin/workspaces/{workspace}/ping .......... admin.workspace.ping
Showing [97] routes
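Review bot: The captured list shows `admin/local/smoke-login` and `admin/local/backup-health-browser-fixture-login` as GET|HEAD routes alongside the regular admin routes, and the truncated output carries no middleware or environment condition for either. The capture presumably came from the local Sail stack, where these routes may be expected, but nothing in the artifact says so. Since the audit relies on the smoke-login route to establish sessions, I would record in the report's execution section that the list was taken with a local environment, for example `Route list captured with APP_ENV=local; admin/local/* login helpers are expected only there.` It is also worth confirming that both routes are not registered outside local/testing.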

Binary file not shown.


Width:  |  Height:  |  Size: 206 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 234 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 206 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 234 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 201 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 282 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 247 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 261 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 254 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 166 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 166 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 260 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 189 KiB

Binary file not shown.


Width:  |  Height:  |  Size: 201 KiB


@ -0,0 +1,216 @@
# Audit Report
## 1. Executive Summary
Spec 313 found systemic context contract drift, not an isolated page bug.
The drift is concentrated where workspace hubs accept environment-prefiltered entry points while shell context, query params, table filters, persisted state, and visible clear controls are not governed by one contract. Highest risk pages are Provider Connections, Operations, Customer Review Workspace, Finding Exceptions Queue, Review Register, Decision Register, and Governance Inbox.
No runtime files were modified. No tests were modified. No migrations were modified. No commits were created.
## 2. Verified Surface Inventory Summary
Discovered admin surfaces classified in `surface-inventory.md`: 58.
Counts by final status:
| Status group | Count |
|---|---:|
| Workspace hubs verified | 13 |
| Environment pages verified | 10 |
| System/platform pages verified | 3 |
| Ambiguous/mixed | 7 |
| Unreachable/dead candidates | 5 |
| Blocked by missing seed data | 18 |
| Unresolved | 0 |
| Out of scope with reason | 2 |
Important coverage notes:
- Browser screenshots generated: 74 PNGs under `artifacts/screenshots/`.
- Admin routes discovered: 97 routes in `artifacts/routes-admin.txt`.
- Filament files discovered: 170 entries in `artifacts/filament-files.txt`.
- Context/search hits captured: 8,234 lines in `artifacts/context-search.txt`.
## 3. Workspace Hub Behavior Matrix Summary
Workspace-origin with no active environment was browser verified for:
- Workspace Overview
- Operations
- Provider Connections
- Finding Exceptions Queue
- Evidence Overview
- Review Register
- Customer Review Workspace
- Governance Inbox
- Decision Register
- Audit Log
- Alerts
- Workspace Settings
- Manage Workspaces
Clean workspace-origin behavior was sound for Operations, Provider Connections, Audit Log, Governance Inbox, Workspace Settings, and Manage Workspaces. Data-scope proof was strongest where rows existed across two environments: Operations, Provider Connections, and Audit Log.
Workspace-origin data proof was blocked for Finding Exceptions, Evidence, Reviews, Customer Reviews, and Alerts because the local seed data contains no rows for those surfaces.
Decision Register is mixed: the clean workspace route returned 403 for the audited actor, while a filtered `managed_environment_id=4` URL opened the page.
## 4. Environment Page Behavior Matrix Summary
Environment-owned route pages aligned shell/header/route context:
- Environment Dashboard A and B
- Required Permissions
- Environment Diagnostics
- Inventory / Inventory Coverage
- Policies / Policy Versions
- Findings / Risk Exceptions
- Evidence Snapshots
- Environment Reviews / Review Packs
- Stored Reports
- Backup Schedules / Backup Sets / Restore Runs
- Entra Groups
- Access Scopes
Stored Reports had actual data for env 4. Required Permissions had permission data. Most other environment-owned pages were shell-verified only because local seed rows were absent.
Baseline Profiles, Baseline Snapshots, and Baseline Compare are mixed: they are global routes with `tenant=<slug>` query prefilters but render with environment shell context.
## 5. Mismatched Scope Findings
Critical:
- Provider Connections with `?managed_environment_id=<env slug>` shows shell `No environment selected`, no visible environment filter chip, and a filtered row set.
- Customer Review Workspace with `?tenant=<env slug>` shows shell `No environment selected`; clear temporarily hides the filter but reload restores it because the URL remains filtered.
- Operations CTA URL includes `managed_environment_id=4`, but the page still displays `All environments` and has no `Clear filters` action.
- Finding Exceptions Queue clear action does not remove `?tenant=<env slug>`; reload restores the environment scope.
- Provider Connections from environment-sidebar origin can expose an Integrations link containing `managed_environment_id=<env slug>` even while the page shell says no environment is selected.
High:
- Review Register `?managed_environment_id=4` remained after Clear filters and reload.
- Decision Register access differs between clean workspace route and filtered route.
- Governance Inbox does show `ManagedEnvironment: YPTW2` and a clean clear link, but shell remains `No environment selected`, which may still confuse operators.
## 6. Clear-Filter Findings
Clear behavior is inconsistent:
- Evidence Overview is the best current pattern: Clear filters redirected to clean `/admin/evidence/overview` and reload stayed clean.
- Finding Exceptions Queue clears visible/table state only partially; URL remains `tenant=<slug>` and reload restores filter.
- Customer Review Workspace clears visible/table state only partially; URL remains `tenant=<slug>` and reload restores filter.
- Review Register clears table state only; tested filtered URL remained.
- Operations and Provider Connections did not expose a page-level `Clear filters` action for environment query prefilters.
## 7. Query Parameter Findings
The environment prefilter contract is fragmented:
- `tenant` is used by Finding Exceptions Queue, Customer Review Workspace, Governance Inbox, Baseline pages.
- `managed_environment_id` is used by Operations, Provider Connections, Evidence Overview, Review Register, Decision Register, and Filament table state.
- The same `managed_environment_id` param carries different identifier types: DB id for Operations/Evidence/Reviews/Decision, slug/external id for Provider Connections.
- `tenant_scope=all` exists for Operations but is not consistently surfaced as the clear path from CTA-filtered states.
- `tableFilters` persists tenant-sensitive state in session on multiple pages.
## 8. Persisted Filter Findings
Filament table persistence is a material risk, not harmless state:
- Evidence Overview, Review Register, Customer Review Workspace, Decision Register, Audit Log, Operations, and Finding Exceptions Queue all have session/query/filter interplay.
- Several pages explicitly call `persistFiltersInSession()`.
- Code state contracts mark tenant-sensitive filters as restorable from session.
- Browser findings confirm query state can survive clear/reload on Reviews, Customer Reviews, and Finding Exceptions Queue.
## 9. Code Ownership Map Summary
The main seams are documented in `code-ownership-map.md`.
Primary owners:
- `WorkspaceSidebarNavigation` owns workspace sidebar URLs.
- `ManagedEnvironmentLinks` and `OperationRunLinks` own many environment CTA/link URL shapes.
- `WorkspaceContext` and `OperateHubShell` own remembered tenant and shell resolution.
- `ProviderConnectionResource`, `Operations`, `FindingExceptionsQueue`, `EvidenceOverview`, `ReviewRegister`, and `CustomerReviewWorkspace` each own divergent filter hydration/clear behavior.
- `ClearEnvironmentContextController` clears remembered shell context but does not normalize page-specific URL/table state.
## 10. Risk Ranking
Critical:
- Provider Connections hidden environment filtering without shell/filter agreement.
- Customer Review Workspace clear/reload restores stale environment filter.
- Finding Exceptions Queue clear/reload restores stale environment filter.
- Operations environment CTA query does not match visible "All environments" scope.
High:
- Review Register query remains after clear.
- Decision Register clean workspace route can be 403 while filtered route opens.
- Provider/Integrations sidebar href can regain remembered environment query after shell appears cleared.
Medium:
- Governance Inbox shell says no environment selected while visible filter says ManagedEnvironment.
- Audit Log and Alerts still need persisted-filter regression coverage.
- Baseline global pages use environment query prefilters and environment shell.
Low:
- Environment-owned route pages generally align route/shell/header.
- Workspace Settings, Manage Workspaces, and Workspace Overview are not environment data-scope risks.
## 11. Recommended Follow-Up Specs
Recommended order:
1. `314 - Workspace Hub Navigation Context Contract`
2. `315 - Environment CTA Explicit Filter Contract`
3. `316 - Workspace Hub Clear Filter Contract`
4. `317 - Legacy Tenant / Environment Context Cleanup`
5. `318 - Browser Regression Coverage / No-Drift Guard`
Rationale:
- 314 must first prevent workspace sidebar/global navigation from inheriting remembered environment state.
- 315 should standardize environment CTA query names, identifier types, filter chips, and target ownership.
- 316 should then implement one complete clear-filter contract across URL, Livewire, Filament table/session state, and reload/back behavior.
- 317 should remove or compatibility-wrap legacy `tenant`/`tenant_id`/external-id drift.
- 318 should lock the contract with browser regression coverage.
## 12. Open Questions and Blockers
- Missing seed data blocks row-scope proof for Finding Exceptions, Evidence, Reviews, Customer Reviews, Alerts, Findings, Review Packs, Backup/Restore, Groups, and several environment-owned resources.
- Decision Register clean-route behavior is data-dependent: the page may intentionally hide when there are no visible decisions, but the filtered URL opens. Product intent needs confirmation.
- Support Requests has active modal/action code but no list/index admin page. It is classified as action-only/unreachable as a page.
- Workspace 3 has no slug; the local smoke-login route with `workspace=3` hit a runtime bug (`orWhereKey()` in a query closure). The audit used tenant-based smoke login plus the existing clear-environment endpoint to establish workspace-origin state.
- The in-app Browser client loaded pages and DOM snapshots, but `tab.screenshot()` timed out. PNG artifacts were captured through the available Playwright browser fallback and this tooling limitation is recorded here.
## 13. Test / Browser Execution
Commands and tooling used:
| Command/tool | Result |
|---|---|
| `git status --short --branch` | Branch `313-workspace-environment-context-browser-verification`; only Spec 313 untracked files during audit. |
| `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` | Active feature dir and `tasks.md` found. |
| `cd apps/platform && ./vendor/bin/sail ps` | Sail stack already running; app reachable on `http://localhost`. |
| Laravel Boost `application_info` | Laravel 12.52.0, Filament 5.2.1, Livewire 4.1.4, PostgreSQL. |
| Laravel Boost `get_absolute_url('/admin')` | `http://localhost/admin`. |
| `find app/Filament -type f \| sort > artifacts/filament-files.txt` | 170 Filament entries captured. |
| Required `rg` context search > `artifacts/context-search.txt` | 8,234 context/search lines captured. |
| `./vendor/bin/sail artisan route:list --path=admin > artifacts/routes-admin.txt` | 97 admin routes captured. |
| Laravel Boost DB read queries | Confirmed 3 workspaces, 4 managed environments, and data coverage by table. |
| Browser client via Node REPL | Page navigation and DOM snapshots worked; screenshot CDP command timed out. |
| Playwright browser fallback | 74 screenshots generated under `artifacts/screenshots/`. |
Tests were not run. This spec was a read-only browser/code audit.
No runtime files were modified.
No tests were modified.
No migrations were modified.
No commits were created.
## 14. Acceptance Statement
The audit is complete for the discovered admin surfaces with explicit final statuses in `surface-inventory.md`. Some surfaces are complete only to the permitted blocked status because local seed data or page reachability prevented row-scope proof.
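Review bot: Sections 5 and 7 treat the environment query prefilters (`tenant`, `managed_environment_id`) purely as a display and clear-state problem, and the report never says whether the audit checked that a query-supplied environment identifier is authorized for the actor before rows are filtered. The Decision Register finding is the one place this surfaces as an access-control difference (clean route 403, `managed_environment_id=4` URL opens), yet section 12 leaves it as a product-intent question. I would add a line to section 7 such as `Not verified in this audit: whether each hub checks the query-supplied environment identifier against the actor's environment access before applying it.` and name that check in the scope of follow-up 315. Separately, the 74 committed screenshots are described as coming from local seed data; a sentence in section 13 confirming that they contain no real tenant identifiers would make that explicit.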


@ -0,0 +1,61 @@
# Requirements Checklist: Full Workspace / Environment Context Browser Verification Audit
**Purpose**: Preparation-readiness checklist for Spec 313.
**Scope**: Spec Kit artifacts only. The audit itself runs later.
## Candidate Selection Gate
- [x] CHK001 The selected candidate was directly supplied by the user as Spec 313.
- [x] CHK002 The candidate is not an existing completed spec package.
- [x] CHK003 Related Specs 311 and 312 are treated as completed historical context, not rewritten.
- [x] CHK004 The candidate aligns with post-Spec-311 scope-risk follow-up needs and the user-provided audit finding.
- [x] CHK005 The scope is narrowed to analysis-only audit artifacts and browser verification evidence.
- [x] CHK006 Runtime fixes, refactors, migrations, tests, seeders, routes, resources, pages, views, config, and follow-up specs are explicitly out of scope.
- [x] CHK006A The product-roadmap note that had recommended Spec 313 for Decision-Based Governance Inbox v1 is documented as a numbering deviation, not edited in this preparation-only package.
## Spec Readiness
- [x] CHK007 `spec.md` exists.
- [x] CHK008 `plan.md` exists.
- [x] CHK009 `tasks.md` exists.
- [x] CHK010 Spec Candidate Check is completed.
- [x] CHK011 Functional requirements are behavior-oriented and testable.
- [x] CHK012 Acceptance criteria include surface discovery, browser verification, completeness, evidence, reporting, and safety.
- [x] CHK013 Allowed final statuses are fixed and match the user-provided completion gate.
- [x] CHK014 The spec forbids "likely OK" as a final status.
- [x] CHK015 Reports / Stored Reports and Support Requests are called out as must-classify surfaces.
- [x] CHK016 High-risk pages are named explicitly.
## Repo Alignment
- [x] CHK017 The plan identifies `AdminPanelProvider`, `WorkspaceSidebarNavigation`, admin routes, Filament pages/resources/clusters, views, workspace/environment dashboard builders, and link/context helpers as discovery sources.
- [x] CHK018 The plan reflects current repo seams observed during preparation: `WorkspaceContext`, `OperateHubShell`, `ManagedEnvironmentLinks`, `OperationRunLinks`, `ProviderConnectionResource`, `FindingExceptionsQueue`, `EvidenceOverview`, `ReviewRegister`, `CustomerReviewWorkspace`, `GovernanceInbox`, and `DecisionRegister`.
- [x] CHK019 Filament v5 / Livewire v4 compliance is stated.
- [x] CHK020 Provider registration location remains `apps/platform/bootstrap/providers.php`; no provider changes planned.
- [x] CHK021 Global search behavior is not modified.
- [x] CHK022 Destructive actions are not added or changed.
- [x] CHK023 Asset strategy is unchanged; no new `filament:assets` requirement.
## Audit Output Readiness
- [x] CHK024 Required report files are listed.
- [x] CHK025 Required screenshot directory is listed.
- [x] CHK026 Matrix schemas are defined for surface inventory, page matrix, query-param inventory, clear-filter inventory, and code ownership map.
- [x] CHK027 Browser origins are defined: workspace origin, environment sidebar origin, environment CTA origin, manual filter origin, reload, and back/forward.
- [x] CHK028 Data-scope proof rules forbid guessing without seeded rows or visible UI evidence.
- [x] CHK029 Missing seed data and browser/tooling limitations are explicit blocker categories.
## Safety
- [x] CHK030 The preparation package does not require application implementation.
- [x] CHK031 The tasks include no-runtime-change validation.
- [x] CHK032 The tasks forbid test, migration, seeder, route, resource, page, view, config, and runtime edits.
- [x] CHK033 The tasks require `git diff --name-only` and `git diff --check`.
- [x] CHK034 No follow-up spec 314+ is started inside Spec 313.
## Review Outcome
- [x] CHK035 Review outcome class: `acceptable-special-case`.
- [x] CHK036 Workflow outcome: `keep`.
- [x] CHK037 Candidate Selection Gate passes.
- [x] CHK038 Spec Readiness Gate passes for preparation.


@ -0,0 +1,15 @@
# Clear Filter Inventory
| Page | Filter type | Clear action exists? | Clear action label | Clears visible chip? | Clears URL query? | Clears Livewire property? | Clears Filament table filter? | Clears deferred filters? | Clears persisted/session state? | Clears actual data scope? | Reload safe? | Sidebar revisit safe? | Risk | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Operations | `managed_environment_id`, `activeTab`, `problemClass`, table filter | Partial | `Show all environments` in code, not visible as `Clear filters` in tested CTA | No visible environment chip in CTA screenshot | Not through tested action | Code removes table filter only in show-all action | Code removes table filter | Unknown | Unknown | Browser CTA still showed All environments with URL filter | No, URL persisted after reload | Sidebar clean URL safe, remembered scope button still appeared | critical | Environment CTA URL retained query and row scope was not visibly narrowed despite env id query. |
| Provider Connections | `managed_environment_id` slug/external id | No page-level clear | Only generic table reset / clear environment scope | No explicit chip | No | Unknown | Generic reset opens filter UI only | Unknown | Unknown | Filtered row set proved by one provider row | No, URL persisted after reload | Sidebar can regain environment query from remembered context | critical | Query prefilter has no visible page clear; shell says no environment selected while row set is environment-filtered. |
| Finding Exceptions Queue | `tenant`, table filters | Partial | `Clear filters` | Partly | No | Yes for table state | Yes for table filters | Unknown | Unknown | Data scope unproven, no rows | No, URL and visible prefilter returned on reload | Clean sidebar URL safe | critical | Clicking clear removed visible filter text transiently but left `?tenant=...`; reload restored environment scope. |
| Evidence Overview | `managed_environment_id`, search/table filters | Yes | `Clear filters` | Yes | Yes | Yes | Yes | Yes | Yes | Data scope unproven, no rows | Yes | Sidebar clean URL safe | medium | Best reference behavior among high-risk pages: URL redirected to clean overview and remained clean after reload. |
| Review Register | `managed_environment_id`, status/completeness/published/date table filters | Partial | `Clear filters` | No reliable URL clear | No | Table-only | Yes | Unknown | Likely table/session only | Data scope unproven, no rows | No | Sidebar clean URL safe | high | Code calls `removeTableFilters()` only; browser retained `?managed_environment_id=4`. |
| Customer Review Workspace | `tenant` query converted to `managed_environment_id` table filter | Partial | `Clear filters` | Temporarily | No | Table-only | Yes | Unknown | Likely table/session only | Data scope unproven | No, reload restored filter | Sidebar clean URL safe | critical | Customer-facing workspace retained `?tenant=<slug>` after clear and reload restored YPTW2 filter. |
| Governance Inbox | `tenant` query | Yes | `Clear environment filter` | Yes | Yes by link | Page state | N/A | N/A | N/A | Yes for visible item count | Expected safe, not separately reloaded | Sidebar clean URL safe | medium | Reference candidate: visible filter text and clear link to clean URL. |
| Decision Register | `managed_environment_id`, `register_state`, table filters | Yes for URL filter | `Clear environment filter` | Yes | Yes by link | Page state | Table reset exists | Unknown | Unknown | Data scope limited by zero rows | Not deeply retested | Clean URL 403 for actor | high | Clean URL can be inaccessible while filtered URL works. |
| Audit Log | Table filter `managed_environment_id`, action/actor/resource filters | Generic | `Reset`, `Apply filters` | Not active in tested routes | N/A | Table-only | Yes | Unknown | Persisted filters in code contract | Workspace-wide data scope proven | Not manually filtered | Clean sidebar URL safe | medium | Needs future regression coverage for persisted table filters. |
| Alerts / Alert Deliveries | Table filter `managed_environment_id` | Generic | `Reset`, `Apply filters` | Not active in tested routes | N/A | Table-only | Yes | Unknown | Unknown | No rows | Not provable | Clean sidebar URL safe | medium | Missing seed data blocks actual row-scope proof. |
| Baseline Profiles/Snapshots | `tenant` query | Generic only | `Reset` | Shell shows environment | No clear environment filter observed | Unknown | Generic table filters | Unknown | Unknown | Data scope not material to workspace hubs | Not tested | Environment route only | medium | Uses global resources with environment query from environment nav. |


@ -0,0 +1,29 @@
# Code Ownership Map
| Behavior | File | Class/method/view | Pages affected | Risk | Notes |
|---|---|---|---|---|---|
| Workspace sidebar URLs | `apps/platform/app/Support/Navigation/WorkspaceSidebarNavigation.php` | `build()` | Operations, Provider Connections, Finding Exceptions, Reviews, Customer Reviews, Governance, Alerts, Audit | critical | Workspace builder emits clean URLs, but provider links can still regain query after page hydration/context resolution. |
| Admin panel navigation registration | `apps/platform/app/Providers/Filament/AdminPanelProvider.php` | panel registration/navigation closure | All admin resources/pages | high | Registers custom workspace sidebar, environment-aware render hooks, pages, resources, and middleware. |
| Environment dashboard CTA URLs | `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php` | card/link builders | Operations, reviews, evidence, required permissions, backup, risks | critical | Dashboard CTAs mix workspace hub URLs with explicit filters and environment-owned resource URLs. |
| Environment dashboard support actions | `apps/platform/app/Filament/Pages/EnvironmentDashboard.php` | support request actions | Support Requests, Environment Dashboard | medium | Support request is modal/action-only, not a list page. Not submitted in audit. |
| Context bar and clear environment scope | `apps/platform/resources/views/filament/partials/context-bar.blade.php` | clear environment forms | Shell/global navigation | critical | Browser showed "Clear environment scope" available on several workspace pages even while shell text said "No environment selected". |
| Clear environment session handler | `apps/platform/app/Http/Controllers/ClearEnvironmentContextController.php` | `__invoke()` | Shell context and route redirects | high | Clears remembered tenant and Filament tenant, then redirects based on previous path category. |
| Shell context resolver | `apps/platform/app/Support/OperateHub/OperateHubShell.php` | active tenant/scope/header actions | Operations, Finding Exceptions, Audit, evidence-like monitoring pages | critical | Combines route/query/page category/remembered tenant state. Mismatch observed when shell showed no environment but stale clear environment action remained. |
| Remembered tenant/session map | `apps/platform/app/Support/Workspaces/WorkspaceContext.php` | `rememberTenantContext()`, `lastTenantId()`, `clearRememberedTenantContext()` | All workspace hubs | critical | Session carrier can influence navigation/helper output after shell context appears cleared. |
| Provider connection filter behavior | `apps/platform/app/Filament/Resources/ProviderConnectionResource.php` | `resolveRequestedTenantExternalId()`, `resolveContextTenantExternalId()`, table query | Provider Connections | critical | `managed_environment_id` means slug/external id here. Context fallback can use remembered tenant. No browser-observed page clear. |
| Provider connection link helper | `apps/platform/app/Support/ManagedEnvironmentLinks.php` | `providerConnectionsUrl()` | Provider Connections | critical | Adds `managed_environment_id` as environment external id/slug. |
| Operations URL helper | `apps/platform/app/Support/OperationRunLinks.php` | `index()` | Operations and operation links | high | Adds database id `managed_environment_id`, `tenant_scope=all`, `activeTab`, `problemClass`, and nested `tableFilters`. |
| Operations filter hydration | `apps/platform/app/Filament/Pages/Monitoring/Operations.php` | `applyRequestedDashboardPrefilter()`, header actions | Operations | critical | Browser showed URL prefilter without visible environment narrowing; show-all action exists in code but was not exposed as `Clear filters` in tested CTA state. |
| Finding exceptions filter behavior | `apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php` | state contract, `mount()`, clear actions | Finding Exceptions Queue | critical | `tenant` query is tenant-sensitive and restorable. Clear did not remove query; reload restored filter. |
| Finding exceptions open controller | `apps/platform/app/Http/Controllers/OpenFindingExceptionsQueueController.php` | redirect with `tenant` | Finding Exceptions Queue | high | Environment-owned entry point to workspace queue. |
| Evidence filter behavior | `apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php` | `clearOverviewFilters()`, table records | Evidence Overview | medium | Best clear pattern: resets table/session/search and redirects to clean overview URL. |
| Review register filter behavior | `apps/platform/app/Filament/Pages/Reviews/ReviewRegister.php` | `applyRequestedTenantPrefilter()`, `clearRegisterFilters()` | Reviews | high | Code applies `tenant` query, but tested `managed_environment_id` URL remained after clear; clear only removes table filters. |
| Customer review workspace filter behavior | `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php` | `tenantPrefilterUrl()`, `applyRequestedTenantPrefilter()`, `clearWorkspaceFilters()` | Customer Reviews | critical | Query `tenant=<slug>` converted to table filter; clear removes table filters only and leaves query. Reload restores filter. |
| Governance inbox query behavior | `apps/platform/app/Filament/Pages/Governance/GovernanceInbox.php` | `pageUrl()`, clear environment link/view | Governance Inbox | medium | Browser showed visible `ManagedEnvironment: YPTW2` and clean clear link. |
| Decision register query/access behavior | `apps/platform/app/Filament/Pages/Governance/DecisionRegister.php` | `canAccess()`, `pageUrl()` | Decision Register | high | Clean workspace URL 403 when no visible decisions; filtered URL bypassed that path and opened. |
| Audit log filters | `apps/platform/app/Filament/Pages/Monitoring/AuditLog.php` | state contract/table filters | Audit Log | medium | Workspace-wide data proof exists; persisted filter edge still needs regression guard. |
| Canonical filter/session helper | `apps/platform/app/Support/Filament/CanonicalAdminTenantFilterState.php` | `sync()`, `currentFilterValue()` | Operations, Reviews, monitoring pages | high | Session table filters can survive beyond sidebar intent. |
| Required permissions links | `apps/platform/app/Support/Links/RequiredPermissionsLinks.php` | required permissions URL builder | Required Permissions | low | Environment-owned route; shell/header aligned. |
| Stored reports resource | `apps/platform/app/Filament/Resources/StoredReportResource.php` | route/table/query | Stored Reports | low | Environment-scoped resource; 2 env rows exist. No workspace reports hub found. |
| Support request services | `apps/platform/app/Support/SupportRequests/*`, `apps/platform/app/Models/SupportRequest.php` | create modal submission | Support Requests | medium | Action-only support surface. No admin index route/resource discovered. |
| System panel pages | `apps/platform/app/Filament/System/Pages/*` | platform panel | System/admin platform | low | Classified as system/platform scoped and not part of admin workspace context contract. |


@ -0,0 +1,51 @@
# Page Matrix
| Page | Origin | URL | Query params | Shell workspace | Shell environment | Breadcrumb | Header/title | Visible scope/filter chip | Table filter state | Data scope proven? | Clear filter exists? | Clear filter result | Reload result | Back/forward result | Screenshot | Status | Risk | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Workspace Overview | workspace_origin | `/admin/workspaces/3/overview` | none | `wp` | No environment selected | Overview | Overview | None | N/A | Shell only | N/A | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--workspace-overview.png` | `verified_workspace_scoped_hub` | low | Clear-environment POST was used to establish clean workspace origin. |
| Operations | workspace_origin | `/admin/workspaces/3/operations` | none | `wp` | No environment selected | Monitoring | Operations | All environments | No tenant filter | Yes: 9 rows across 2 envs | Generic reset/apply only | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--operations.png` | `verified_workspace_scoped_hub` | low | Workspace-wide row count matched DB coverage. |
| Operations | environment_sidebar_origin | `/admin/workspaces/3/operations` | none | `wp` | No environment selected | Monitoring | Operations | All environments | No tenant filter | Yes | No page clear needed | N/A | N/A | N/A | `artifacts/screenshots/environment-sidebar--operations.png` | `verified_workspace_scoped_hub` | medium | Sidebar from env A and env B opened workspace-wide operations. |
| Operations | environment_cta_origin | `/admin/workspaces/3/operations?managed_environment_id=4&activeTab=terminal_follow_up&problemClass=terminal_follow_up` | `managed_environment_id=4`, `activeTab`, `problemClass` | `wp` | No environment selected | Monitoring | Operations | All environments | URL prefilter did not produce clear visible env chip | Partly: rows visible but query effect unclear | No `Clear filters`; only `Clear environment scope`/Reset | No click target found for `Clear filters` | Query persisted | Back restores filtered URL; forward returns clean URL | `artifacts/screenshots/environment-cta--operations.png` | `verified_workspace_scoped_hub` | critical | URL says env 4 but UI says All environments. |
| Operations | reload | same as CTA | same | `wp` | No environment selected | Monitoring | Operations | All environments | Same as before | Partly | No | N/A | Query persisted | N/A | `artifacts/screenshots/environment-cta--operations--after-reload.png` | `verified_workspace_scoped_hub` | critical | Reload did not resolve mismatch. |
| Provider Connections | workspace_origin | `/admin/provider-connections` | none | `wp` | No environment selected | Settings | Provider Connections | None | No query filter | Yes: 2 provider rows across 2 envs | Generic reset only | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--provider-connections.png` | `verified_workspace_scoped_hub` | low | Clean origin is workspace-wide. |
| Provider Connections | environment_sidebar_origin | `/admin/provider-connections` | none | `wp` | No environment selected | Settings | Provider Connections | None | No query filter | Yes: 2 rows | No page clear; clear environment scope shown | N/A | N/A | N/A | `artifacts/screenshots/environment-sidebar--provider-connections.png` | `verified_workspace_scoped_hub` | critical | Sidebar page still exposed Integrations link with `managed_environment_id=<env slug>` from remembered context. |
| Provider Connections | environment_cta_origin | `/admin/provider-connections?managed_environment_id=<env slug>` | `managed_environment_id=b009...` | `wp` | No environment selected | Settings | Provider Connections | None | Query filter active | Yes: only env 4 provider row visible | No page clear | No `Clear filters` target; query stayed | Query stayed | Back restores filtered URL | `artifacts/screenshots/environment-cta--provider-connections.png` | `verified_workspace_scoped_hub` | critical | Data filtered while shell said no environment selected and no visible filter chip existed. |
| Finding Exceptions Queue | workspace_origin | `/admin/finding-exceptions/queue` | none | `wp` | No environment selected | Monitoring | Finding Exceptions Queue | All environments | No tenant filter | No, no rows | Yes | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--finding-exceptions-queue.png` | `blocked_missing_seed_data` | medium | Shell/filter behavior only. |
| Finding Exceptions Queue | environment_sidebar_origin | `/admin/finding-exceptions/queue?tenant=<env slug>` | `tenant=b009...` | `wp` | `YPTW2 (DEV)` | Monitoring | Finding Exceptions Queue | Environment scope: YPTW2 | Tenant query active | No, no rows | Yes | Not tested in this row | N/A | N/A | `artifacts/screenshots/environment-sidebar--finding-exceptions-queue.png` | `blocked_missing_seed_data` | high | Sidebar from environment context generated a filtered queue URL. |
| Finding Exceptions Queue | environment_cta_origin | `/admin/finding-exceptions/queue?tenant=<env slug>` | `tenant=b009...` | `wp` | `YPTW2 (DEV)` | Monitoring | Finding Exceptions Queue | Environment scope: YPTW2 | Tenant query active | No, no rows | Yes | Clicking Clear filters did not remove query | Reload restored visible filter | Back restores filtered URL | `artifacts/screenshots/environment-cta--finding-exceptions-queue.png` | `blocked_missing_seed_data` | critical | Clear is incomplete because URL remains tenant-prefiltered. |
| Evidence Overview | workspace_origin | `/admin/evidence/overview` | none | `wp` | No environment selected | Monitoring | Evidence Overview | None | No filter | No, no rows | Generic reset/apply only | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--evidence.png` | `blocked_missing_seed_data` | medium | No evidence rows in DB. |
| Evidence Overview | environment_cta_origin | `/admin/evidence/overview?managed_environment_id=4` | `managed_environment_id=4` | `wp` | No environment selected | Monitoring | Evidence Overview | Active filter ManagedEnvironment: YPTW2 | Table filter active | No, no rows | Yes | Clear redirected to `/admin/evidence/overview` | Clean after reload | Back restores filtered URL | `artifacts/screenshots/environment-cta--evidence.png` | `blocked_missing_seed_data` | medium | Best reference clear behavior among high-risk pages. |
| Evidence Overview | after_clear | `/admin/evidence/overview` | none | `wp` | No environment selected | Monitoring | Evidence Overview | No active filter | Cleared | No | Yes | URL clean | Reload remained clean | N/A | `artifacts/screenshots/environment-cta--evidence--after-clear.png` | `blocked_missing_seed_data` | low | Clear action synchronized visual state and URL. |
| Review Register | workspace_origin | `/admin/reviews` | none | `wp` | No environment selected | Reporting | Review Register | None | No filter | No, no rows | Yes | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--reviews.png` | `blocked_missing_seed_data` | medium | No environment review rows. |
| Review Register | environment_cta_origin | `/admin/reviews?managed_environment_id=4` | `managed_environment_id=4` | `wp` | No environment selected | Reporting | Review Register | Empty filtered view | Table/query mixed | No, no rows | Yes | Clicking Clear filters did not remove URL query | Query persisted after reload | N/A | `artifacts/screenshots/environment-cta--reviews.png` | `blocked_missing_seed_data` | high | Code applies `tenant`, but browser-tested `managed_environment_id` query still created an uncleared URL state. |
| Customer Review Workspace | workspace_origin | `/admin/reviews/workspace` | none | `wp` | No environment selected | Reporting | Customer Review Workspace | None | No filter | No, no review packs | Generic reset/apply only | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--customer-reviews.png` | `blocked_missing_seed_data` | medium | Customer package data absent. |
| Customer Review Workspace | environment_sidebar_origin | `/admin/reviews/workspace?tenant=<env slug>` | `tenant=b009...` | `wp` | No environment selected | Reporting | Customer Review Workspace | Clear filters visible | Tenant query converted to table filter | No, no reviews | Yes | Not tested in this row | N/A | N/A | `artifacts/screenshots/environment-sidebar--customer-reviews.png` | `blocked_missing_seed_data` | critical | Shell said no environment selected while query/filter was environment-specific. |
| Customer Review Workspace | environment_cta_origin | `/admin/reviews/workspace?tenant=<env slug>` | `tenant=b009...` | `wp` | No environment selected | Reporting | Customer Review Workspace | Filter to YPTW2 visible | Tenant query active | No | Yes | Clear removed visible filter temporarily but kept query | Reload restored visible filter | Back restores filtered URL | `artifacts/screenshots/environment-cta--customer-reviews.png` | `blocked_missing_seed_data` | critical | Customer-safe surface has stale filter reload risk. |
| Governance Inbox | workspace_origin | `/admin/governance/inbox` | none | `wp` | No environment selected | Governance | Governance inbox | Scope: All attention | No filter | Yes: operation follow-up count visible | N/A | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--governance-inbox.png` | `verified_workspace_scoped_hub` | low | Reference workspace hub. |
| Governance Inbox | environment_cta_origin | `/admin/governance/inbox?tenant=<env slug>` | `tenant=b009...` | `wp` | No environment selected | Governance | Governance inbox | ManagedEnvironment: YPTW2 | URL filter visible | Yes: visible count 3 | Yes, link | Clear link points clean URL | Not retested | N/A | `artifacts/screenshots/environment-cta--governance-inbox.png` | `verified_workspace_scoped_hub` | medium | Good visible filter, but shell still says no environment selected. |
| Decision Register | workspace_origin | `/admin/governance/decisions` | none | None | None | Error | 403 | None | N/A | N/A | N/A | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--decision-register.png` | `verified_ambiguous_or_mixed` | high | Clean workspace route blocked because no visible decisions for actor. |
| Decision Register | environment_cta_origin | `/admin/governance/decisions?managed_environment_id=4` | `managed_environment_id=4` | `wp` | No environment selected | Governance | Decision register | ManagedEnvironment: YPTW2 | URL filter active | No rows | Yes, link | Not clicked | N/A | N/A | `artifacts/screenshots/environment-cta--decision-register.png` | `verified_ambiguous_or_mixed` | high | Filtered route opens while clean route 403s. |
| Audit Log | workspace_origin | `/admin/audit-log` | none | `wp` | No environment selected | Monitoring | Audit Log | All environments | No filter | Yes: 61 logs, 2 envs | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--audit-log.png` | `verified_workspace_scoped_hub` | low | Workspace-wide data proof. |
| Audit Log | environment_sidebar_origin | `/admin/audit-log` | none | `wp` | No environment selected | Monitoring | Audit Log | All environments | No filter | Yes | N/A | N/A | N/A | N/A | `artifacts/screenshots/environment-sidebar--audit-log.png` | `verified_workspace_scoped_hub` | medium | Clear environment scope still visible from remembered state. |
| Alerts | workspace_origin | `/admin/alerts/alert-deliveries` | none | `wp` | No environment selected | Monitoring | Alert Deliveries | All environments | No filter | No, no rows | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--alerts.png` | `blocked_missing_seed_data` | medium | Route redirected from `/admin/alerts`. |
| Workspace Settings | workspace_origin | `/admin/settings/workspace` | none | `wp` | No environment selected | Settings | Workspace settings | None | N/A | N/A | N/A | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--workspace-settings.png` | `verified_workspace_scoped_hub` | low | Settings page only. |
| Manage Workspaces | workspace_origin | `/admin/workspaces` | none | `wp` | No environment selected | Settings | Workspaces | None | N/A | N/A | N/A | N/A | N/A | N/A | `artifacts/screenshots/workspace-origin--manage-workspaces.png` | `verified_workspace_scoped_hub` | low | Workspace management list. |
| Environment Dashboard A | environment_sidebar_origin | `/admin/workspaces/3/environments/b009...` | none | `wp` | `YPTW2 (DEV)` | Environment | YPTW2 Action needed | Environment shell | Route-owned environment | Yes | Clear environment scope | N/A | N/A | N/A | `artifacts/screenshots/environment-origin--dashboard-a.png` | `verified_environment_scoped_page` | low | Environment A active. |
| Environment Dashboard B | environment_sidebar_origin | `/admin/workspaces/3/environments/3625...` | none | `wp` | `YPTW2 (DEV)` | Environment | YPTW2 Blocked | Environment shell | Route-owned environment | Yes | Clear environment scope | N/A | N/A | N/A | `artifacts/screenshots/environment-origin--dashboard-b.png` | `verified_environment_scoped_page` | low | Environment B active; duplicate display label makes data comparison harder. |
| Required Permissions | environment_cta_origin | `/admin/workspaces/3/environments/b009.../required-permissions` | none | `wp` | `YPTW2 (DEV)` | Environment | Required permissions | Environment shell | Route-owned environment | Yes, permissions rows exist | N/A | N/A | N/A | N/A | `artifacts/screenshots/environment-cta--required-permissions.png` | `verified_environment_scoped_page` | low | Environment-owned page aligns shell and route. |
| Diagnostics | environment_cta_origin | `/admin/workspaces/3/environments/b009.../diagnostics` | none | `wp` | `YPTW2 (DEV)` | Environment | Environment Diagnostics | Environment shell | Route-owned environment | Shell only | N/A | N/A | N/A | N/A | `artifacts/screenshots/environment-cta--provider-readiness-or-diagnostics.png` | `verified_environment_scoped_page` | low | Environment-owned page aligns shell and route. |
| Inventory Items | environment_sidebar_origin | `/admin/workspaces/3/environments/b009.../inventory-items` | none | `wp` | `YPTW2 (DEV)` | Inventory | Inventory Items | Environment shell | Route-owned environment | No rows | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/environment-page--inventory.png` | `blocked_missing_seed_data` | medium | Inventory cluster redirects to item list. |
| Inventory Coverage | environment_sidebar_origin | `/admin/workspaces/3/environments/b009.../inventory/inventory-coverage` | none | `wp` | `YPTW2 (DEV)` | Inventory | Inventory Coverage | Environment shell | Route-owned environment | Shell only | N/A | N/A | N/A | N/A | `artifacts/screenshots/environment-page--inventory-coverage.png` | `verified_environment_scoped_page` | low | Route-owned environment. |
| Policies | environment_sidebar_origin | `/admin/workspaces/3/environments/b009.../policies` | none | `wp` | `YPTW2 (DEV)` | Inventory | Policies | Environment shell | Route-owned environment | No rows for env 4 | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/environment-page--policies.png` | `blocked_missing_seed_data` | medium | Policy data exists only in another workspace. |
| Findings | environment_sidebar_origin | `/admin/workspaces/3/environments/b009.../findings` | none | `wp` | `YPTW2 (DEV)` | Governance | Findings | Environment shell | Route-owned environment | No rows | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/environment-page--findings.png` | `blocked_missing_seed_data` | medium | Missing data. |
| Risk Exceptions | environment_sidebar_origin | `/admin/workspaces/3/environments/b009.../finding-exceptions` | none | `wp` | `YPTW2 (DEV)` | Governance | Finding Exceptions | Environment shell | Route-owned environment | No rows | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/environment-page--risk-exceptions.png` | `blocked_missing_seed_data` | medium | Missing data. |
| Evidence Snapshots | environment_sidebar_origin | `/admin/workspaces/3/environments/b009.../evidence` | none | `wp` | `YPTW2 (DEV)` | Governance | Evidence Snapshots | Environment shell | Route-owned environment | No rows | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/environment-sidebar--evidence.png` | `blocked_missing_seed_data` | medium | Environment-owned resource, distinct from Evidence Overview hub. |
| Environment Reviews | environment_sidebar_origin | `/admin/workspaces/3/environments/b009.../environment-reviews` | none | `wp` | `YPTW2 (DEV)` | Reporting | Reviews | Environment shell | Route-owned environment | No rows | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/environment-sidebar--reviews.png` | `blocked_missing_seed_data` | medium | Environment-owned resource, distinct from Review Register. |
| Stored Reports | environment_sidebar_origin | `/admin/workspaces/3/environments/b009.../stored-reports` | none | `wp` | `YPTW2 (DEV)` | Reporting | Stored Reports | Environment shell | Route-owned environment | Yes: 2 env 4 rows | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/environment-page--stored-reports.png` | `verified_environment_scoped_page` | low | Reports classified as environment-owned; no workspace report hub discovered. |
| Backup Schedules | environment_sidebar_origin | `/admin/workspaces/3/environments/b009.../backup-schedules` | none | `wp` | `YPTW2 (DEV)` | Backups | Backup Schedules | Environment shell | Route-owned environment | No rows | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/environment-page--backup-schedules.png` | `blocked_missing_seed_data` | medium | Missing data. |
| Backup Sets | environment_sidebar_origin | `/admin/workspaces/3/environments/b009.../backup-sets` | none | `wp` | `YPTW2 (DEV)` | Backups | Backup Sets | Environment shell | Route-owned environment | No rows | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/environment-page--backup-sets.png` | `blocked_missing_seed_data` | medium | Missing data. |
| Restore Runs | environment_sidebar_origin | `/admin/workspaces/3/environments/b009.../restore-runs` | none | `wp` | `YPTW2 (DEV)` | Backups | Restore Runs | Environment shell | Route-owned environment | No rows | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/environment-page--restore-runs.png` | `blocked_missing_seed_data` | medium | Missing data. |
| Entra Groups | environment_sidebar_origin | `/admin/workspaces/3/environments/b009.../entra-groups` | none | `wp` | `YPTW2 (DEV)` | Directory | Entra Groups | Environment shell | Route-owned environment | No rows | Generic reset/apply | N/A | N/A | N/A | `artifacts/screenshots/environment-page--groups.png` | `blocked_missing_seed_data` | medium | Missing data. |
| Baseline Compare | environment_sidebar_origin | `/admin/baseline-compare-landing?tenant=<env slug>` | `tenant=b009...` | `wp` | `YPTW2 (DEV)` | Governance | Baseline Compare | Environment shell | Query-owned environment | Shell only | N/A | N/A | N/A | N/A | `artifacts/screenshots/environment-page--baseline-compare.png` | `verified_ambiguous_or_mixed` | medium | Global page with environment query, not route-owned environment. |
| Back/Forward - Provider Connections | back_forward | filtered -> clean -> back -> forward | filtered URL restored on back | `wp` | No environment selected | Settings | Provider Connections | Hidden filter on filtered URL | Query filter | Yes | No | N/A | Back returned query; forward clean | `back-forward--provider-connections.png` | `verified_workspace_scoped_hub` | critical | Browser history can reintroduce hidden filtered provider rows. |
| Back/Forward - Customer Reviews | back_forward | filtered -> clean -> back -> forward | `tenant=<slug>` restored on back | `wp` | No environment selected | Reporting | Customer Review Workspace | Filter visible after back | Query/table filter | No data | Yes | Incomplete | Back returned query; forward clean | `back-forward--customer-reviews.png` | `blocked_missing_seed_data` | critical | Back navigation reintroduces customer review filter. |


@ -0,0 +1,425 @@
# Implementation Plan: Full Workspace / Environment Context Browser Verification Audit
**Branch**: `313-workspace-environment-context-browser-verification` | **Date**: 2026-05-16 | **Spec**: `specs/313-workspace-environment-context-browser-verification/spec.md`
**Input**: Feature specification from `specs/313-workspace-environment-context-browser-verification/spec.md`
## Summary
Prepare and execute an analysis-only audit that discovers every relevant TenantPilot admin surface from repo sources and browser-verifies Workspace / Managed Environment context behavior. The audit produces markdown matrices, screenshots, and a risk-ranked remediation sequence. It must not change runtime code, tests, migrations, routes, resources, views, config, seeders, or behavior.
## Technical Context
**Language/Version**: PHP 8.4.15, Laravel 12.52.0
**Primary Dependencies**: Filament 5.2.1, Livewire 4.1.4, Pest 4.3.1, PostgreSQL via Sail, Codex Browser / Playwright-style browser tooling where available
**Storage**: No database schema changes. Audit may read local seeded data only.
**Testing**: Browser/manual verification and repo-discovery checks; no Pest runtime changes in Spec 313.
**Validation Lanes**: docs/spec validation, browser verification, optional read-only route/db inspection.
**Target Platform**: TenantPilot admin panel under `apps/platform`.
**Project Type**: Laravel monolith in a repo with Spec Kit under `.specify/`.
**Performance Goals**: Discovery commands and browser flows should be bounded and evidence-focused; no broad test-suite expansion.
**Constraints**: No runtime edits. No test edits. No migrations. No seeders. No route/resource/page/view/config edits. No commits unless explicitly requested.
**Scale/Scope**: all discovered admin surfaces that interact with workspace/environment context, route/query/table/session state, navigation, dashboard CTAs, or link helpers.
## UI / Surface Guardrail Plan
- **Guardrail scope**: observed admin shell/context/filter/navigation behavior only.
- **Native vs custom classification summary**: existing Filament pages/resources/widgets/views; no new UI.
- **Shared-family relevance**: navigation, context bar, table filters, dashboard action cards, header actions, row actions, report/evidence/review links, support/help links.
- **State layers in scope**: route params, query params, shell context, breadcrumbs, visible filter chips, Filament table filters, deferred table filters, session-persisted table state, Livewire hydration, remembered environment state, browser reload, back, and forward.
- **Audience modes in scope**: MSP/admin operator and customer-safe review consumption surfaces where already present.
- **Decision/diagnostic/raw hierarchy plan**: N/A for runtime; audit report must separate executive findings from raw matrix evidence.
- **Raw/support gating plan**: do not bypass gated surfaces; classify blocked or system/support-scoped.
- **One-primary-action / duplicate-truth control**: N/A for runtime; clear-filter behavior is observed and documented.
- **Handling modes by drift class or surface**: critical/high/medium/low risk classification in `audit-report.md`.
- **Repository-signal treatment**: every source hit is inventory input, not final truth until classified.
- **Special surface test profiles**: `global-context-shell`, `monitoring-state-page`, `shared-detail-family`, `exception-coded-surface`, `environment-owned-resource`.
- **Required tests or manual smoke**: browser verification is required for in-scope reachable surfaces; missing data/tooling becomes explicit blocker.
- **Exception path and spread control**: no exceptions to no-runtime-change rule.
- **Active feature PR close-out entry**: `Spec 313 Audit Evidence / No Runtime Changes`.
## Shared Pattern & System Fit
- **Cross-cutting feature marker**: context contract audit across admin shell, route/query/filter state, and link helpers.
- **Systems touched by inspection**:
- `apps/platform/app/Providers/Filament/AdminPanelProvider.php`
- `apps/platform/app/Support/Navigation/WorkspaceSidebarNavigation.php`
- `apps/platform/routes/web.php`
- `apps/platform/app/Filament/Pages`
- `apps/platform/app/Filament/Resources`
- `apps/platform/app/Filament/Clusters`
- `apps/platform/resources/views`
- `apps/platform/app/Support/Operations`
- `apps/platform/app/Support/ManagedEnvironmentLinks.php`
- `apps/platform/app/Support/Filament`
- `apps/platform/app/Support/Tenants`
- `apps/platform/app/Support/Workspaces`
- dashboard summary builders, context bar, support/report/evidence/review helpers.
- **Shared abstractions reused**: none modified. Audit maps existing `WorkspaceContext`, `OperateHubShell`, `ResolvedShellContext`, `TenantPageCategory`, `NavigationScope`, `ManagedEnvironmentLinks`, `OperationRunLinks`, `CanonicalAdminTenantFilterState`, table persistence APIs, and page state contracts.
- **New abstraction introduced? why?**: none.
- **Why the existing abstraction was sufficient or insufficient**: unknown until audit completes. The plan is to prove which mechanisms currently compete.
- **Bounded deviation / spread control**: all findings stay under `specs/313-workspace-environment-context-browser-verification/`.
## OperationRun UX Impact
- **Touches OperationRun start/completion/link UX?**: no runtime touch. Operations page and `OperationRunLinks` are audited.
- **Central contract reused**: existing `OperationRunLinks::index()` and operation detail routes are observed.
- **Delegated UX behaviors**: unchanged.
- **Surface-owned behavior kept local**: unchanged.
- **Queued DB-notification policy**: unchanged.
- **Terminal notification path**: unchanged.
- **Exception path**: none.
## Provider Boundary & Portability Fit
- **Shared provider/platform boundary touched?**: audit observes provider connection and provider readiness/required permissions surfaces.
- **Provider-owned seams**: Microsoft/Entra/Intune semantics in provider readiness, required permissions, Graph callback/onboarding, and environment resources are not changed.
- **Platform-core seams**: workspace hub navigation, provider connection workspace view, environment filter semantics, operation/evidence/review reporting surfaces.
- **Neutral platform terms / contracts preserved**: workspace, managed environment, provider connection, environment filter, workspace-wide hub.
- **Retained provider-specific semantics and why**: observed only; no refactor.
- **Bounded extraction or follow-up path**: likely Spec 314/315/316/317 based on evidence.
## Constitution Check
- Inventory-first: PASS. No inventory or snapshot truth changes.
- Read/write separation: PASS. Audit-only, read-only verification.
- Graph contract path: PASS. No Graph calls are added or changed.
- Deterministic capabilities: PASS. Existing capabilities only gate visibility/access during verification.
- Workspace isolation: PASS. Audit must not bypass workspace access.
- Tenant/environment isolation: PASS. Audit must not bypass environment access.
- RBAC-UX: PASS. Blocked access is recorded as evidence.
- Run observability: N/A. No operations are started.
- Test governance: PASS. Browser verification is explicit audit scope, not hidden test-suite growth.
- Proportionality: PASS. No runtime complexity; temporary audit artifacts only.
- No premature abstraction: PASS. No abstraction introduced.
- Persisted truth: PASS. No new database or runtime truth.
- Shared pattern first: PASS. Existing shared paths are mapped before remediation.
- Provider boundary: PASS. No provider/platform seam changes.
- Filament-native UI: PASS. Existing UI observed only.
## Test Governance Check
- **Test purpose / classification by changed surface**: docs/spec prep now; browser audit during Spec 313 implementation.
- **Affected validation lanes**: docs/spec validation, browser/manual verification.
- **Why this lane mix is narrowest sufficient proof**: The audit question is browser behavior, not unit behavior. Filament persisted filters and Livewire hydration require browser observation.
- **Narrowest proving commands**: discovery commands, Browser screenshots, `git diff --name-only`, `git diff --check`.
- **Fixture / helper / factory / seed / context cost risks**: no fixture changes allowed; missing seeded data becomes blocker.
- **Expensive defaults or shared helper growth introduced?**: none.
- **Heavy-family additions, promotions, or visibility changes**: none in preparation. Browser evidence is the feature output.
- **Surface-class relief / special coverage rule**: no runtime UI change, so no visual regression requirement beyond screenshot evidence.
- **Closing validation and reviewer handoff**: verify all required files exist, screenshots are referenced, no runtime files changed, and every surface has final status.
- **Budget / baseline / trend follow-up**: none.
- **Review-stop questions**: any runtime file change, unclassified surface, "likely OK" status, unreferenced screenshot, claimed data-scope proof without rows, or missing command log.
- **Escalation path**: remediation follow-up spec, not in Spec 313.
- **Active feature PR close-out entry**: `Spec 313 Audit Evidence / No Runtime Changes`.
## Project Structure
### Preparation Artifacts Created Now
```text
specs/313-workspace-environment-context-browser-verification/
├── checklists/
│ └── requirements.md
├── spec.md
├── plan.md
└── tasks.md
```
### Audit Artifacts To Create During Spec 313 Execution
```text
specs/313-workspace-environment-context-browser-verification/
├── audit-report.md
├── surface-inventory.md
├── page-matrix.md
├── query-param-inventory.md
├── clear-filter-inventory.md
├── code-ownership-map.md
└── artifacts/
├── context-search.txt
├── filament-files.txt
├── routes-admin.txt
└── screenshots/
```
### Must Not Change
```text
apps/platform/app/
apps/platform/config/
apps/platform/database/
apps/platform/resources/
apps/platform/routes/
apps/platform/tests/
apps/platform/lang/
apps/platform/package.json
apps/platform/composer.json
```
## Current Repo Findings From Preparation
These findings guide the audit plan only. They are not final browser conclusions.
- `docs/product/roadmap.md` still recommends "Spec 313" for Decision-Based Governance Inbox v1. This is a numbering note, not a completed spec conflict: the user directly supplied Spec 313 as the workspace/environment context browser verification audit. Product roadmap docs are not edited in this preparation-only package.
- Admin panel provider registers workspace/global navigation and pages in `apps/platform/app/Providers/Filament/AdminPanelProvider.php`.
- Workspace sidebar builder exists at `apps/platform/app/Support/Navigation/WorkspaceSidebarNavigation.php` and includes Finding Exceptions Queue, Operations, Alerts, Audit Log, Reviews, Customer Reviews, Provider Connections/Integrations, Workspace Settings, Manage Workspaces, Governance Inbox, and Decision Register.
- Admin routes include workspace hubs such as `/admin/workspaces/{workspace}/operations`, `/admin/provider-connections`, `/admin/finding-exceptions/queue`, `/admin/evidence/overview`, `/admin/reviews`, `/admin/reviews/workspace`, `/admin/governance/inbox`, `/admin/governance/decisions`, `/admin/audit-log`, `/admin/alerts`, and environment-owned routes under `/admin/workspaces/{workspace}/environments/{environment}/...`.
- `WorkspaceContext` stores `current_workspace_id` and `workspace_last_tenant_ids`, so remembered environment behavior is a required audit target.
- `OperateHubShell` resolves route tenant, query hint tenant, Filament tenant, remembered tenant, and tenantless workspace state. Its precedence is a required code ownership seam.
- `ManagedEnvironmentLinks` passes `managed_environment_id` for provider connections and operations URLs when given an environment.
- `OperationRunLinks::index()` uses `managed_environment_id`, `tenant_scope=all`, `activeTab`, `problemClass`, and `tableFilters[type][value]`.
- `ProviderConnectionResource` is not tenant-scoped but contains request/context tenant resolution paths, including `managed_environment_id`, Livewire original URL/referer extraction, and remembered context fallback.
- `FindingExceptionsQueue` uses `tenant` as a contextual prefilter, persisted table state, clear-filter action, and selected exception query param.
- `EvidenceOverview`, `ReviewRegister`, and `CustomerReviewWorkspace` persist filters/search/sort in session and expose clear-filter behavior.
- `GovernanceInbox` and `DecisionRegister` use `managed_environment_id` query params and clearable URL construction, making them likely reference candidates for explicit filter behavior.
- Environment Dashboard CTAs and `EnvironmentDashboardSummaryBuilder` link to tenant-owned resources, operations, customer workspace, evidence, review packs, required permissions, and governance inbox paths.
- Reports / Stored Reports and Support Requests need explicit classification because route visibility and entry points are not obvious from sidebar alone.
## Required Markdown File Schemas
### `surface-inventory.md`
Columns:
```text
Surface | Type | Class/resource/component | Route | Sidebar visible? | Dashboard/card/action linked? | Workspace-scoped? | Environment-scoped? | System/platform scoped? | Ambiguous? | Browser verified? | Final status | Notes
```
### `page-matrix.md`
Columns:
```text
Page | Origin | URL | Query params | Shell workspace | Shell environment | Breadcrumb | Header/title | Visible scope/filter chip | Table filter state | Data scope proven? | Clear filter exists? | Clear filter result | Reload result | Back/forward result | Screenshot | Status | Risk | Notes
```
Allowed origins:
```text
workspace_origin
environment_sidebar_origin
environment_cta_origin
manual_filter_origin
reload
back_forward
```
### `query-param-inventory.md`
Columns:
```text
Query param | Pages using it | Identifier type | Allowed? | Visible to user? | Clearable? | Persisted? | Conflicts | Notes
```
Identifier type values:
```text
database_id
slug
external_id
mixed
unknown
not_applicable
```
Required params:
```text
tenant
tenant_id
managed_environment_id
environment_id
tenant_scope
tableFilters
```
### `clear-filter-inventory.md`
Columns:
```text
Page | Filter type | Clear action exists? | Clear action label | Clears visible chip? | Clears URL query? | Clears Livewire property? | Clears Filament table filter? | Clears deferred filters? | Clears persisted/session state? | Clears actual data scope? | Reload safe? | Sidebar revisit safe? | Risk | Notes
```
### `code-ownership-map.md`
Columns:
```text
Behavior | File | Class/method/view | Pages affected | Risk | Notes
```
Must include these seams:
```text
Sidebar navigation URLs
Page getUrl overrides
Route helpers
Environment Dashboard CTAs
Workspace Overview CTAs
Header actions
Table row actions
Context bar
Shell context resolver
WorkspaceContext remembered environment
Filament tenant resolver
Table filter definitions
QueryString definitions
Livewire mount/hydration
Clear-filter actions/controllers
Canonical filter state helpers
Provider connection filter behavior
Finding exceptions filter behavior
Evidence filter behavior
Reviews/customer reviews filter behavior
Operations filter behavior
```
## Browser Verification Methodology
1. Start from a clean workspace browser state or document existing state.
2. Use an authorized local user and at least one workspace with two managed environments if available.
3. Verify workspace-origin flows first, then environment-sidebar flows, then environment CTA/card flows.
4. Capture screenshots with stable filenames under `artifacts/screenshots/`.
5. Record URL, query params, shell workspace/environment, breadcrumbs, title, chips, filters, table state, data-scope proof, clear-filter behavior, reload behavior, and back/forward behavior.
6. Mark data scope proven only when rows from at least two environments or explicit UI row labels make scope testable.
7. If seed data is absent, record shell-only observation and classify with an allowed blocked or ambiguous final status.
8. Reconcile browser findings back to repo seams and risk levels.
## High-Risk Browser Flow Set
Minimum stable screenshots:
```text
workspace-origin--operations.png
environment-sidebar--operations.png
environment-cta--operations.png
environment-cta--operations--after-clear.png
environment-cta--operations--after-reload.png
workspace-origin--provider-connections.png
environment-sidebar--provider-connections.png
environment-cta--provider-connections.png
environment-cta--provider-connections--after-clear.png
environment-cta--provider-connections--after-reload.png
workspace-origin--finding-exceptions-queue.png
environment-sidebar--finding-exceptions-queue.png
environment-cta--finding-exceptions-queue.png
environment-cta--finding-exceptions-queue--after-clear.png
environment-cta--finding-exceptions-queue--after-reload.png
workspace-origin--evidence.png
environment-sidebar--evidence.png
environment-cta--evidence.png
environment-cta--evidence--after-clear.png
environment-cta--evidence--after-reload.png
workspace-origin--reviews.png
environment-sidebar--reviews.png
environment-cta--reviews.png
environment-cta--reviews--after-clear.png
workspace-origin--customer-reviews.png
environment-sidebar--customer-reviews.png
environment-cta--customer-reviews.png
environment-cta--customer-reviews--after-clear.png
workspace-origin--governance-inbox.png
environment-sidebar--governance-inbox.png
environment-cta--governance-inbox.png
workspace-origin--decision-register.png
environment-sidebar--decision-register.png
environment-cta--decision-register.png
```
Additional pages follow the same naming convention.
## Discovery Commands
Use repo-local commands and write audit artifacts during Spec 313 execution:
```bash
git status --short --branch
cd apps/platform
find app/Filament -type f | sort > ../../specs/313-workspace-environment-context-browser-verification/artifacts/filament-files.txt
rg "getNavigationUrl|getUrl\\(|route\\(|->url\\(|Action::make|HeaderActions|tableFilters|persistFiltersInSession|defaultTableFilters|queryString|managed_environment_id|environment_id|tenant_scope|tenant_id|request\\('tenant'|Filament::getTenant|getTenant\\(|lastTenantId|lastEnvironmentId|clearFilter|clearEnvironment|clearScope" app resources routes tests -n > ../../specs/313-workspace-environment-context-browser-verification/artifacts/context-search.txt
```
Recommended route discovery:
```bash
cd apps/platform
./vendor/bin/sail artisan route:list --path=admin > ../../specs/313-workspace-environment-context-browser-verification/artifacts/routes-admin.txt
```
If Sail is unavailable, document that and use the Laravel Boost route listing or non-Docker fallback only for read-only route inspection.
## Optional Read-Only Test Commands
Run only if useful for audit confidence. Do not edit tests.
```bash
cd apps/platform
./vendor/bin/sail artisan test --compact --filter=Navigation
./vendor/bin/sail artisan test --compact --filter=Workspace
./vendor/bin/sail artisan test --compact --filter=Environment
```
If no tests are run, `audit-report.md` must state:
```text
Tests were not run. This spec was a read-only browser/code audit.
```
## Complexity Tracking
| Violation | Why Needed | Simpler Alternative Rejected Because |
|---|---|---|
| Broad audit surface | Systemic context drift crosses many surfaces and state carriers | Starting localized fixes before classifying all surfaces risks another partial remediation |
| Browser screenshots as required evidence | Livewire, SPA-like navigation, reload, and persisted Filament state differ from code-only assumptions | Code-only audit already proved insufficient for safe remediation |
## Implementation Phases
1. **Setup and safety**: confirm branch, working tree, no runtime edits, create audit artifact directories.
2. **Repo discovery**: inventory pages/resources/clusters/routes/navigation/actions/link helpers/query params/filter methods.
3. **Static classification draft**: classify likely workspace/environment/system/ambiguous surfaces before browser runs.
4. **Browser data readiness**: identify local workspace, two managed environments, user, and seed row coverage.
5. **Workspace-origin browser flow**: verify all workspace hubs from clean workspace origin.
6. **Environment-sidebar browser flow**: verify workspace hubs after environment dashboard/sidebar origin.
7. **Environment CTA/card browser flow**: verify CTA-filtered workspace hub flows and environment-owned pages.
8. **Manual filter/reload/back-forward flow**: verify high-risk persisted filter behavior.
9. **Clear-filter flow**: verify clear actions and state carriers.
10. **Matrix reconciliation**: reconcile browser evidence against repo inventory and code ownership map.
11. **Risk ranking and follow-up specs**: produce final remediation sequence.
12. **Close-out validation**: verify required files/screenshots exist, no runtime files changed, and final report includes commands/results.
## Definition of Done For Spec 313 Execution
- All required output files exist.
- Every discovered surface has an allowed final status.
- High-risk pages have required screenshots or documented blocker.
- Reports / Stored Reports and Support Requests are classified.
- Query parameter inventory includes all required params.
- Clear-filter inventory documents all clear actions and gaps.
- Code ownership map points to likely repo seams for remediation.
- Audit report includes counts, highest-risk findings, remediation sequence, exact commands, browser/test results, and no-runtime-change statement.
- `git diff --name-only` shows only files under `specs/313-workspace-environment-context-browser-verification/`.
- `git diff --check` passes.
## No Runtime Change Contract
Spec 313 implementation must not modify application runtime code. If a browser issue is found, record it in the audit report and propose a follow-up spec. Do not fix it inside Spec 313.
## Preparation Analyze Notes
Preparation review criteria:
- `spec.md`, `plan.md`, `tasks.md`, and `checklists/requirements.md` must exist.
- No template placeholders should remain.
- The tasks must lead to the required audit files and screenshots.
- The scope must remain analysis-only.
- Related completed specs 311 and 312 must be context only.
- Follow-up specs 314+ must not be started.


@ -0,0 +1,17 @@
# Query Parameter Inventory
| Query param | Pages using it | Identifier type | Allowed? | Visible to user? | Clearable? | Persisted? | Conflicts | Notes |
|---|---|---|---|---|---|---|---|---|
| `tenant` | Finding Exceptions Queue, Customer Review Workspace, Governance Inbox, Baseline Compare, Baseline Profiles, Baseline Snapshots | slug/external id for most pages; sometimes accepted as database id | Conditional | Sometimes | Inconsistent | Sometimes converted into table/session filter | Conflicts with `managed_environment_id` naming and route tenant semantics | Browser: `tenant=<slug>` showed visible filter on Finding Exceptions and Customer Reviews; Customer Reviews clear did not remove URL and reload restored visible filter. |
| `tenant_id` | Legacy searches, compatibility code, tests | mixed | No for new context contract | Rarely | Unknown | Unknown | Conflicts with database key semantics | No high-risk browser route required `tenant_id`; keep as legacy cleanup target. |
| `managed_environment_id` | Operations, Provider Connections, Evidence Overview, Review Register, Decision Register, table filters | mixed: database id on Operations/Evidence/Reviews/Decision; slug/external id on Provider Connections | Conditional explicit filter only | Sometimes | Inconsistent | Yes through Livewire/Filament table filters on several pages | Same name carries different identifier types | Browser: Operations accepted DB id but showed "All environments"; Provider Connections accepted slug and filtered rows with no page-level clear. |
| `environment_id` | Search hits and compatibility code | unknown | No for new admin context contract | Not observed | Unknown | Unknown | Competes with `managed_environment_id` | Not observed in browser URLs during audited flows. |
| `tenant_scope` | Operations | enum/string (`all`) | Allowed for explicit all-environment view | Partly | Via Show all environments action | Query-backed | Interacts with `managed_environment_id` | Code sets `tenant_scope=all` when clearing operation environment context, but the environment CTA flow did not expose a direct `Clear filters` action. |
| `tableFilters` | Filament table state across list pages; route/query search hits | serialized Livewire/Filament state | Avoid for durable environment context | Usually hidden behind filter UI | Inconsistent | Yes | Can override sidebar intent after hydration | Code state contracts mark several `tableFilters` carriers as session-restorable and tenant-sensitive. |
| `activeTab` | Operations dashboard CTA | string enum | Allowed for operations lane | Visible as tabs | Via URL/tab navigation | Query-backed | Combines with `problemClass` and tenant filter | CTA used `activeTab=terminal_follow_up`. |
| `problemClass` | Operations dashboard CTA | string enum | Allowed for operations lane | Visible as tab/filters | Via URL/tab navigation | Query-backed | Can mask tenant filter impact | CTA used `problemClass=terminal_follow_up`. |
| `register_state` | Decision Register | string enum | Allowed for register lane | Visible as register tab/count | Link-based | Query-backed | Page access depends on current/filtered state | Workspace clean URL 403 for audited actor, but `managed_environment_id=4` opened the page. |
## Key Finding
The same logical environment prefilter is represented by at least `tenant`, `managed_environment_id`, `tenant_scope`, and hidden `tableFilters`. Identifier type also drifts: Provider Connections uses environment slug/external id under `managed_environment_id`, while Operations/Evidence/Reviews/Decision use database ids under the same param name.


@ -0,0 +1,419 @@
# Feature Specification: Full Workspace / Environment Context Browser Verification Audit
**Feature Branch**: `313-workspace-environment-context-browser-verification`
**Created**: 2026-05-16
**Status**: Draft
**Type**: Analysis-only / Browser verification / Context contract audit
**Runtime posture**: No fixes, no refactors, no runtime behavior changes
**Input**: User-provided Spec 313 completion-gate audit draft.
## Spec Candidate Check *(mandatory - SPEC-GATE-001)*
- **Problem**: TenantPilot admin workspace hubs, environment-owned pages, route/query state, Filament table state, remembered environment context, and browser navigation can disagree about the active Workspace / Managed Environment scope.
- **Today's failure**: After Spec 311 and Spec 312, repo-level tests and code review show foundation progress, but browser-observed behavior can still drift through Livewire hydration, persisted Filament table filters, environment dashboard CTAs, query parameter naming, back/forward behavior, and hidden remembered context. Operators can see "all environments" or "no environment selected" while data remains filtered, or see an environment filter without a clear route/filter ownership contract.
- **User-visible improvement**: Before any remediation spec starts, every relevant admin surface is classified with evidence as workspace-scoped, environment-scoped, system/platform scoped, ambiguous/mixed, unreachable/dead, blocked, or out of scope. Operators and implementers get a complete risk-ranked remediation map instead of another partial page-by-page fix.
- **Smallest enterprise-capable version**: One analysis-only audit package that discovers all relevant admin surfaces from repo sources, browser-verifies representative flows for every discovered in-scope surface, captures screenshots, records query/table/filter/shell behavior, and recommends the next remediation sequence. No runtime behavior changes.
- **Explicit non-goals**: No fixes, no refactors, no route/nav/resource/page/test/migration/config/view/runtime changes, no clear-filter implementation, no shared context system implementation, no compatibility layers, no product decisions made silently, and no start of follow-up specs 314+.
- **Permanent complexity imported**: Temporary audit markdown files, screenshot artifacts, and a surface matrix under this spec directory only. No new persisted truth, enum/status family, runtime abstraction, model, table, service, route, UI component, asset bundle, test helper, or framework.
- **Why now**: The user supplied a hard completion-gate audit for systemic context drift, and `docs/product/spec-candidates.md` already treats Spec 311 as completed foundation while listing provider connection scope and canonical query/link cleanup as post-311 gaps. Spec 313 prevents unsafe remediation ordering by proving the full blast radius first.
- **Why not local**: Provider Connections, Finding Exceptions Queue, Operations, Evidence, Reviews, Customer Reviews, Governance Inbox, Decision Register, Reports, Support Requests, and environment-owned resources all interact with different state carriers. A local fix would only hide the next mismatched surface.
- **Approval class**: Core Enterprise.
- **Red flags triggered**: Many surfaces and cross-cutting state carriers. Defense: this is analysis-only and imports no runtime abstraction or behavioral complexity; the broad discovery is the narrowest safe input for later scoped remediation.
- **Score**: Nutzen: 2 | Dringlichkeit: 2 | Scope: 1 | Komplexitaet: 2 | Produktnaehe: 2 | Wiederverwendung: 2 | **Gesamt: 11/12**
- **Decision**: approve.
## Spec Scope Fields *(mandatory)*
- **Scope**: canonical-view/admin workspace and environment context verification across the admin panel.
- **Primary Routes**:
- Workspace hubs: `/admin/workspaces/{workspace}/overview`, `/admin/workspaces/{workspace}/operations`, `/admin/provider-connections`, `/admin/finding-exceptions/queue`, `/admin/evidence/overview`, `/admin/reviews`, `/admin/reviews/workspace`, `/admin/governance/inbox`, `/admin/governance/decisions`, `/admin/audit-log`, `/admin/alerts`, `/admin/settings/workspace`, `/admin/workspaces`.
- Environment routes: `/admin/workspaces/{workspace}/environments/{environment}` plus child inventory, required permissions, diagnostics, findings, finding exceptions, evidence, environment reviews, review packs, backup, restore, policies, groups, reports, and access-scope routes.
- System routes: `/system` surfaces are classification-only unless they interact with workspace/environment state.
- **Data Ownership**: No data ownership changes. The audit must classify each observed surface against existing workspace-owned, environment-owned, tenant-owned legacy, system/platform, or ambiguous ownership.
- **RBAC**: Existing authorization remains authoritative. The audit must document when a surface is blocked by missing access, not bypass RBAC or infer behavior from hidden data.
For canonical-view specs:
- **Default filter behavior when tenant-context is active**: Workspace-scoped hubs opened through sidebar/global navigation should clear active environment shell context and should not inherit route/query/Filament tenant/remembered/persisted-table environment scope. Environment dashboard CTAs may pass environment only as an explicit visible page filter.
- **Explicit entitlement checks preventing cross-tenant leakage**: Data scope can be marked proven only when browser evidence and seeded rows show the visible rows are limited to authorized workspace/environment records. Missing rows or insufficient seed data must be marked blocked or shell-only, not guessed.
## Cross-Cutting / Shared Pattern Reuse *(mandatory)*
- **Cross-cutting feature?**: yes.
- **Interaction class(es)**: navigation entry points, sidebar/global navigation, environment dashboard cards/actions, workspace overview actions, header actions, table row actions, context bar, breadcrumbs, table filters, clear-filter actions, evidence/report viewers, operation/review/support links.
- **Systems touched**: audit reads only from `AdminPanelProvider`, `WorkspaceSidebarNavigation`, Filament pages/resources/clusters, route definitions, workspace/environment dashboard builders, link helpers, context resolvers, table filter definitions, query-string definitions, and browser-observed rendered admin pages.
- **Existing pattern(s) to extend**: none during Spec 313. The audit observes existing `OperateHubShell`, `WorkspaceContext`, `NavigationScope`, `TenantPageCategory`, `ManagedEnvironmentLinks`, `OperationRunLinks`, and table filter/session behavior.
- **Shared contract / presenter / builder / renderer to reuse**: N/A for implementation; this spec produces evidence for later contract specs.
- **Why the existing shared path is sufficient or insufficient**: Current shared paths exist but may compete. The audit must map exactly which path controls which behavior before any remediation changes them.
- **Allowed deviation and why**: No runtime deviation allowed. Browser/manual verification is allowed as analysis output.
- **Consistency impact**: Later remediation depends on this matrix to prevent parallel local context rules.
- **Review focus**: Confirm no discovered admin surface is omitted and every final row has an allowed final status.
## OperationRun UX Impact *(mandatory)*
- **Touches OperationRun start/completion/link UX?**: audit-only. It observes Operations links, OperationRun link helpers, and operation-related environment dashboard CTAs.
- **Shared OperationRun UX contract/layer reused**: existing `OperationRunLinks` and Operations pages are inspected only.
- **Delegated start/completion UX behaviors**: unchanged.
- **Local surface-owned behavior that remains**: all runtime behavior remains unchanged.
- **Queued DB-notification policy**: N/A.
- **Terminal notification path**: N/A.
- **Exception required?**: none.
## Provider Boundary / Platform Core Check *(mandatory)*
- **Shared provider/platform boundary touched?**: audit-only across provider connections, provider readiness, required permissions, and provider-related environment CTAs.
- **Boundary classification**: observed seams may be provider-owned, platform-core, or mixed; `code-ownership-map.md` must classify them.
- **Seams affected**: provider connection list/detail/create/edit routes, provider readiness, required permissions links, context query params, and target-scope semantics.
- **Neutral platform terms preserved or introduced**: workspace, managed environment, provider connection, environment filter, workspace hub, environment-owned page.
- **Provider-specific semantics retained and why**: existing Microsoft/Intune/Entra semantics are observed only and must not be generalized during audit.
- **Why this does not deepen provider coupling accidentally**: no code or runtime contract changes are made.
- **Follow-up path**: likely follow-up spec for Provider Connections scope hardening or canonical query cleanup if the audit proves drift.
## UI / Surface Guardrail Impact *(mandatory)*
| Surface / Change | Operator-facing surface change? | Native vs Custom | Shared-Family Relevance | State Layers Touched | Exception Needed? | Low-Impact / `N/A` Note |
|---|---:|---|---|---|---:|---|
| Browser verification screenshots | no runtime change | Existing UI only | navigation, shell, filters | observed shell/page/URL/session/browser | no | Audit artifact only |
| Audit report and matrices | no runtime change | N/A | navigation, filters, links, reports | repo-observed and browser-observed state | no | Spec-local markdown only |
| Admin surfaces under audit | observed only | Existing Filament pages/resources/views | all relevant shared interaction classes | route/query/Livewire/table/session/context/breadcrumb | no | Must not modify UI |
## Decision-First Surface Role *(mandatory when operator-facing surfaces are changed)*
N/A - Spec 313 changes no operator-facing runtime surface. It audits decision and context surfaces only.
## Audience-Aware Disclosure *(mandatory when operator-facing surfaces are changed)*
N/A - no runtime surface change. The audit must still record whether customer-safe surfaces such as Customer Review Workspace hide or expose environment scope truth.
## UI/UX Surface Classification *(mandatory when operator-facing surfaces are changed)*
N/A - no runtime UI changes. The audit output files classify existing surfaces for later specs.
## Operator Surface Contract *(mandatory when operator-facing surfaces are changed)*
N/A - no runtime operator surface contract is changed. Spec 313 verifies whether existing surfaces honor their apparent scope contract.
## Proportionality Review *(mandatory when structural complexity is introduced)*
- **New source of truth?**: no runtime source of truth. Audit files are temporary evidence artifacts for this spec.
- **New persisted entity/table/artifact?**: no database entity/table/artifact. Markdown reports and screenshots under `specs/313-.../` only.
- **New abstraction?**: no.
- **New enum/state/reason family?**: no runtime enum/state/reason family. The audit uses fixed final status labels for reporting only.
- **New cross-domain UI framework/taxonomy?**: no runtime framework. The audit classifies existing surfaces to prepare later specs.
- **Current operator problem**: hidden or conflicting workspace/environment context can mislead operators on critical governance, evidence, review, provider, and operations surfaces.
- **Existing structure is insufficient because**: code-level tests and previous audit findings did not fully prove browser behavior across sidebar, CTA, reload, persisted filter, and back/forward flows.
- **Narrowest correct implementation**: produce a complete evidence matrix and remediation sequence before changing runtime code.
- **Ownership cost**: temporary review burden for comprehensive audit artifacts and screenshots.
- **Alternative intentionally rejected**: start fixes immediately for high-risk pages without classifying the full surface inventory.
- **Release truth**: current-release safety audit before context remediation.
### Compatibility posture
Pre-production compatibility does not matter for Spec 313 because it changes no runtime state. Existing legacy tenant naming and route compatibility must be observed and documented, not changed.
## Summary
Spec 313 is a strict completion-gate audit for Workspace / Managed Environment context behavior in the TenantPilot admin panel.
It must produce a complete repo-discovered and browser-verified evidence package for:
- all Filament pages, resources, clusters, routes, sidebar entries, dashboard cards, header actions, table row actions, link helpers, and notification/support/report/help links that can affect workspace/environment context;
- workspace hub behavior when entered from workspace origin, environment dashboard/sidebar origin, explicit environment CTA origin, manual filter origin, reload, and browser back/forward;
- environment page behavior for shell/header/breadcrumb/filter/data-scope consistency;
- query parameter drift across `tenant`, `tenant_id`, `managed_environment_id`, `environment_id`, `tenant_scope`, and `tableFilters`;
- clear-filter completeness across visible chips, URL, Livewire state, Filament table filters, deferred filters, persisted/session state, rendered rows, and reload/sidebar revisit behavior;
- code ownership seams that later remediation specs must edit.
No page may be silently skipped. No page may finish as "likely OK".
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Complete workspace hub verification (Priority: P1)
As an MSP operator using a workspace hub, I want sidebar/global navigation to open a workspace-wide surface without hidden environment scope so I can trust that operations, evidence, reviews, provider connections, finding exceptions, governance, alerts, and audit data are not silently narrowed.
**Why this priority**: Silent environment filtering on a workspace hub is a critical governance correctness and operator-confusion risk.
**Independent Test**: For every workspace-scoped or potentially workspace-scoped hub, run workspace-origin and environment-sidebar-origin browser flows, capture screenshots, and record shell, URL, breadcrumbs, visible filters, table filters, persisted state, reload, and data-scope evidence in `page-matrix.md`.
**Acceptance Scenarios**:
1. **Given** a selected Workspace and no active Environment, **When** a workspace hub is opened from sidebar/global navigation, **Then** the report records URL, query params, shell context, breadcrumbs, visible filters, table state, data-scope proof status, and screenshot path.
2. **Given** Environment A is active through Environment Dashboard, **When** the same workspace hub is opened from sidebar/global navigation, **Then** the report records whether shell environment clears and whether hidden query/table/session filters still constrain data.
3. **Given** reload/back/forward are feasible on a high-risk hub, **When** those browser actions are performed, **Then** the report records whether stale environment scope returns.
### User Story 2 - Complete environment-owned entry-point verification (Priority: P1)
As an MSP operator drilling from an Environment Dashboard, I want explicit environment CTAs to carry visible and clearable filters when they land on workspace hubs, and I want environment-owned pages to show true environment context.
**Why this priority**: Environment CTAs are legitimate entry points, but they must not create hidden workspace-hub scope.
**Independent Test**: For each Environment Dashboard CTA/card/action and each environment-scoped route, perform browser verification, capture screenshots, record explicit filters/clear actions, and classify final status.
**Acceptance Scenarios**:
1. **Given** Environment A is open, **When** a CTA opens a workspace hub, **Then** the matrix records whether the environment filter is visible, URL/query/table state is understandable, data appears filtered, and clear-filter exists.
2. **Given** clear-filter exists, **When** it is used and the page is reloaded, **Then** the matrix records whether visible chip, URL, Livewire property, table filter, deferred filters, persisted/session state, rows, breadcrumb/header, and shell context are cleared.
3. **Given** an environment-owned route is opened, **When** the page renders, **Then** shell/header/breadcrumbs clearly show the Environment or the surface is blocked/unreachable with evidence.
### User Story 3 - Complete repo inventory and code ownership map (Priority: P1)
As an implementer preparing remediation specs 314+, I want a repo-derived inventory of every relevant surface and likely code seam so follow-up specs can edit the correct owners in the right order.
**Why this priority**: Without a complete inventory, remediation can fix only obvious pages while leaving hidden CTAs, row links, resources, or persisted table state broken.
**Independent Test**: Run repo discovery against the mandatory sources and search terms, populate `surface-inventory.md`, `query-param-inventory.md`, `clear-filter-inventory.md`, and `code-ownership-map.md`, then reconcile them against browser-observed pages.
**Acceptance Scenarios**:
1. **Given** a surface appears in Filament navigation, routes, pages, resources, clusters, dashboard builders, header actions, row actions, link helpers, notifications, support links, report links, or help links, **When** the audit completes, **Then** it appears in `surface-inventory.md` with an allowed final status.
2. **Given** a query parameter or persisted filter affects environment context, **When** it is discovered, **Then** `query-param-inventory.md` records identifier type, visibility, clearability, persistence, conflicts, and pages using it.
3. **Given** a likely owner seam controls observed behavior, **When** the audit maps it, **Then** `code-ownership-map.md` names the file/class/method/view, affected pages, risk, and notes.
### User Story 4 - Risk-ranked remediation sequence (Priority: P2)
As a technical lead planning fixes, I want the final audit report to rank risks and recommend follow-up specs so the next work starts with the highest-impact contract and avoids broad runtime changes.
**Why this priority**: The expected follow-up order is likely 314 to 318, but the order must be adjusted if browser evidence shows a different dependency.
**Independent Test**: Review `audit-report.md` and confirm it contains executive summary, counts, mismatch findings, clear-filter findings, query parameter findings, persisted filter findings, code ownership summary, risk ranking, open questions, exact commands, and recommended follow-up specs.
**Acceptance Scenarios**:
1. **Given** all matrices are populated, **When** the final report is written, **Then** it states whether the issue is isolated, page-specific drift, or systemic context contract drift.
2. **Given** high-risk pages are verified, **When** risk ranking is produced, **Then** Provider Connections, Finding Exceptions Queue, Operations, Evidence, Reviews, Customer Reviews, Governance Inbox, Decision Register, Audit Log, Reports, and Support Requests are each explicitly classified or blocked.
3. **Given** follow-up specs are recommended, **When** the report is complete, **Then** it names the next remediation spec and explains why.
## Functional Requirements
- **FR-001**: The audit MUST discover admin surfaces from repo sources, not only from the visible sidebar.
- **FR-002**: The audit MUST include every surface discovered from Filament navigation, `AdminPanelProvider`, Filament Page classes, Filament Resource classes, Filament Clusters, route definitions, workspace sidebar builder, workspace overview cards/actions, environment dashboard cards/actions, page header actions, table row actions, operation/review/evidence/support/report link helpers, contextual help/product knowledge links, notifications, and support/action links.
- **FR-003**: Every discovered surface MUST have exactly one final status from the allowed final status list.
- **FR-004**: The allowed final statuses are `verified_workspace_scoped_hub`, `verified_environment_scoped_page`, `verified_system_or_platform_scoped_page`, `verified_ambiguous_or_mixed`, `verified_unreachable`, `verified_legacy_or_dead_surface_candidate`, `blocked_missing_seed_data`, `blocked_browser_or_tooling_limitation`, and `out_of_scope_with_reason`.
- **FR-005**: The final report MUST NOT use "likely OK" as a final status.
- **FR-006**: Workspace hubs MUST be verified from workspace origin and environment-sidebar origin.
- **FR-007**: High-risk workspace hubs MUST be verified from environment CTA origin when such CTAs exist.
- **FR-008**: Environment-scoped pages MUST be verified for shell/header/breadcrumb correctness where browser access is possible.
- **FR-009**: Pages with environment-like filtering MUST be verified for URL query params, visible chips, Filament table filters, persisted/session state, reload behavior, and clear-filter behavior where applicable.
- **FR-010**: High-risk pages MUST be verified for browser back/forward behavior where feasible.
- **FR-011**: Data scope MUST be marked proven only when browser-visible seeded rows or equivalent UI evidence prove the scope.
- **FR-012**: Missing seed data MUST be documented as `blocked_missing_seed_data` or as a clearly marked shell-only browser observation that still maps to an allowed final status.
- **FR-013**: Browser/tooling limitations MUST be documented as `blocked_browser_or_tooling_limitation`, not inferred.
- **FR-014**: The audit MUST create the required report files under `specs/313-workspace-environment-context-browser-verification/`.
- **FR-015**: Screenshot filenames MUST use stable names and each screenshot referenced in `page-matrix.md` MUST exist.
- **FR-016**: The audit MUST record exact commands run, browser tooling used, tests run or not run, failures, and screenshot count.
- **FR-017**: The audit MUST make no application runtime changes and MUST not modify tests, migrations, routes, Filament pages/resources/components, config, seeders, or production code.
- **FR-018**: The audit MUST recommend a remediation sequence and the next spec to start.
## In Scope Surfaces
### Workspace-scoped or potentially workspace-scoped pages
Workspace Overview, Operations, Alerts, Audit Log, Governance Inbox, Decision Register, Finding Exceptions Queue, Risk Exceptions, Reviews, Customer Reviews / Customer Review Workspace, Evidence Overview, Reports, Stored Reports, Provider Connections, Integrations, Support Requests, Workspace Settings, Manage Workspaces, Product Knowledge / Help if visible, Operational Controls if visible, Customer Health if visible, Notification Routing if visible, Provider Health if workspace-level, Permission Posture if workspace-level, Entra Admin Roles if workspace-level, Review Packs / Exports if visible, and any other workspace-level hub discovered.
### Environment-scoped pages
Environment Dashboard / Environment Governance Overview, Environment Onboarding, Provider Readiness / Onboarding Readiness, Required Permissions, Permission Posture if environment-owned, Entra Admin Roles if environment-owned, Environment Diagnostics, Inventory, Inventory Coverage, Directory / Groups if environment-bound, Policies / Configurations, Backup Schedules, Backup Sets, Restore Runs, Restore Points, Baseline Profiles if environment-owned, Baseline Snapshots, Baseline Compare, Drift Findings, Findings, Evidence related to current Environment if exposed locally, Recent Operations card/links from Environment Dashboard, and any other environment-level page discovered.
### System / platform scoped pages
System panel pages, local platform user pages, platform settings, global app health, system-level audit/ops if present, billing/admin-only system pages if not workspace-bound. These are classification-only unless they interact with workspace/environment context.
## Required Output Files
The later Spec 313 audit implementation MUST create:
```text
specs/313-workspace-environment-context-browser-verification/audit-report.md
specs/313-workspace-environment-context-browser-verification/surface-inventory.md
specs/313-workspace-environment-context-browser-verification/page-matrix.md
specs/313-workspace-environment-context-browser-verification/query-param-inventory.md
specs/313-workspace-environment-context-browser-verification/clear-filter-inventory.md
specs/313-workspace-environment-context-browser-verification/code-ownership-map.md
specs/313-workspace-environment-context-browser-verification/artifacts/screenshots/
```
This preparation step creates only `spec.md`, `plan.md`, `tasks.md`, and the requirements checklist. It does not perform the audit.
## Required Report Structure
`audit-report.md` MUST include:
1. Executive Summary
2. Verified Surface Inventory Summary
3. Workspace Hub Behavior Matrix Summary
4. Environment Page Behavior Matrix Summary
5. Mismatched Scope Findings
6. Clear-Filter Findings
7. Query Parameter Findings
8. Persisted Filter Findings
9. Code Ownership Map Summary
10. Risk Ranking
11. Recommended Follow-Up Specs
12. Open Questions
13. Test / Browser Execution
`surface-inventory.md`, `page-matrix.md`, `query-param-inventory.md`, `clear-filter-inventory.md`, and `code-ownership-map.md` MUST use the columns described in `plan.md`.
## High-Risk Pages To Verify Thoroughly
- Provider Connections / Integrations
- Finding Exceptions Queue
- Operations
- Evidence Overview
- Reviews / Review Register
- Customer Reviews / Customer Review Workspace
- Governance Inbox
- Decision Register
- Reports / Stored Reports
- Support Requests
- Audit Log
- Alerts
## Non-Functional Requirements
- **NFR-001**: Runtime behavior must remain unchanged.
- **NFR-002**: Browser verification must be evidence-backed with screenshots and exact notes.
- **NFR-003**: The audit must distinguish repo-verified, browser-observed, inferred from code, blocked due to missing data, blocked due to tooling, unresolved/ambiguous, and out of scope.
- **NFR-004**: The audit must prefer Sail/local project conventions and use local smoke login or seeded/demo data only where already supported.
- **NFR-005**: The audit must not fabricate data-scope proof.
- **NFR-006**: Screenshots must be stable, reviewable artifacts under the spec folder.
- **NFR-007**: Browser verification must not bypass normal access control; blocked access is valid evidence.
## Testing / Lane / Runtime Impact *(mandatory for runtime behavior changes)*
- **Test purpose / classification**: Browser audit and repo documentation audit. No runtime tests are required by this preparation package.
- **Validation lane(s)**: browser/manual verification during audit implementation; preparation validation uses docs/spec checks only.
- **Why this classification and these lanes are sufficient**: Spec 313 is itself a browser verification audit, not a runtime feature. The actual value is screenshots, matrix rows, and code ownership evidence.
- **New or expanded test families**: none in preparation. Later Spec 318 may add browser regression coverage.
- **Fixture / helper cost impact**: no new fixtures in preparation. Audit implementation may be blocked by missing seeded data and must document that instead of changing seeders.
- **Heavy-family visibility / justification**: browser verification is explicit and central to the audit, not accidental test-suite expansion.
- **Special surface test profile**: global-context-shell, monitoring-state-page, shared-detail-family, and exception-coded-surface as observed profiles.
- **Standard-native relief or required special coverage**: no runtime UI change; browser coverage is required for evidence, not styling verification.
- **Reviewer handoff**: reviewers must confirm no runtime files changed and every discovered surface has one allowed final status.
- **Budget / baseline / trend impact**: none.
- **Escalation needed**: follow-up-spec for remediation; no runtime escalation inside Spec 313.
- **Active feature PR close-out entry**: `Spec 313 Audit Evidence / No Runtime Changes`.
- **Planned validation commands**:
- `git status --short --branch`
- `git diff --name-only`
- `git diff --check`
- repo discovery commands listed in `tasks.md`
- browser verification flows listed in `tasks.md`
## Acceptance Criteria
### Surface Discovery
- [ ] All Filament pages are discovered and listed.
- [ ] All Filament resources are discovered and listed.
- [ ] All Filament clusters are discovered and listed.
- [ ] All AdminPanelProvider navigation registrations are inspected.
- [ ] All workspace sidebar entries are listed.
- [ ] All relevant admin routes are listed.
- [ ] All Workspace Overview cards/actions are mapped.
- [ ] All Environment Dashboard cards/actions are mapped.
- [ ] All relevant header actions are mapped.
- [ ] All relevant table row actions are mapped.
- [ ] All operation/review/evidence/support/report link helpers are inspected.
- [ ] Every discovered surface has a final status.
### Browser Verification
- [ ] Every workspace-scoped hub is browser-verified from Workspace origin.
- [ ] Every workspace-scoped hub is browser-verified from Environment Dashboard via sidebar.
- [ ] Every high-risk workspace hub is browser-verified from Environment CTA origin where CTA exists.
- [ ] Every environment-scoped page is browser-verified for shell/header/breadcrumb correctness.
- [ ] Every page with environment-like filtering is verified for query params.
- [ ] Every page with environment-like filtering is verified for Filament table filters.
- [ ] Every page with environment-like filtering is verified for persisted filter behavior.
- [ ] Every page with clear-filter is verified for clear behavior.
- [ ] Every high-risk page is verified for reload behavior.
- [ ] Every high-risk page is verified for browser back/forward behavior where feasible.
### Completeness
- [ ] No page is silently skipped.
- [ ] No page remains "likely OK".
- [ ] Reports / Stored Reports are classified.
- [ ] Support Requests are classified.
- [ ] Workspace Settings are classified.
- [ ] Alerts are classified.
- [ ] Provider Connections are fully verified.
- [ ] Finding Exceptions Queue is fully verified.
- [ ] Evidence is fully verified.
- [ ] Reviews and Customer Reviews are fully verified.
- [ ] Operations are fully verified.
- [ ] Governance Inbox and Decision Register are verified as reference candidates or documented otherwise.
### Evidence
- [ ] Screenshots exist for every verified browser flow.
- [ ] Screenshot filenames are stable and referenced in the matrix.
- [ ] Missing seed data is documented as blocker, not guessed.
- [ ] Browser/tooling limitations are documented as blocker, not guessed.
- [ ] Data scope is only marked proven when seeded rows make it provable.
### Reporting
- [ ] `audit-report.md` exists.
- [ ] `surface-inventory.md` exists.
- [ ] `page-matrix.md` exists.
- [ ] `query-param-inventory.md` exists.
- [ ] `clear-filter-inventory.md` exists.
- [ ] `code-ownership-map.md` exists.
- [ ] Final remediation sequence is recommended.
- [ ] Tests/browser commands are reported exactly.
### Safety
- [ ] No runtime files changed.
- [ ] No tests changed.
- [ ] No migrations changed.
- [ ] No seeders changed.
- [ ] No commits created unless explicitly requested.
- [ ] No destructive git commands executed.
## Risks
- Browser verification may be blocked by missing local seed data for some surfaces.
- Browser SPA/Livewire behavior can vary from code assumptions; this is the reason for the audit and must be documented exactly.
- Some routes may be capability-gated or unreachable for the available local actor.
- Broad discovery can produce many low-risk pages; the final report must keep risk ranking clear and avoid burying critical findings.
- Existing terminology still mixes tenant and managed environment in code/query params. The audit must observe this without renaming anything.
## Assumptions
- Spec 311 and Spec 312 are completed context, not targets to rewrite.
- Local browser verification can use existing local smoke-login and seeded/demo data where available.
- If data is missing, the audit may still verify shell/URL/filter behavior but must not mark data scope proven.
- Follow-up specs 314+ will implement fixes separately.
- `docs/product/roadmap.md` still contains a historical recommendation that Decision-Based Governance Inbox v1 could become Spec 313. The user directly supplied this Spec 313 audit package, so this preparation keeps the explicit user-provided 313 target and does not edit product roadmap docs inside this preparation-only scope.
## Open Questions
- Which local fixture command or seed state provides the broadest two-environment workspace with rows for every high-risk page?
- Are Support Requests and Product Knowledge visible to the default local actor, or do they require system/support capabilities?
- Are Reports / Stored Reports reachable from sidebar, environment dashboard, review/evidence links, or only environment resource routes?
- Should shell-only browser observations map to `blocked_missing_seed_data` or `verified_ambiguous_or_mixed` when the surface is otherwise reachable but row scope cannot be proven? The audit must document the chosen mapping consistently.
## Expected Follow-Up Specs
The audit should recommend the exact order. The likely starting sequence is:
1. `314 - Workspace Hub Navigation Context Contract`
2. `315 - Environment CTA Explicit Filter Contract`
3. `316 - Workspace Hub Clear Filter Contract`
4. `317 - Legacy Tenant / Environment Context Cleanup`
5. `318 - Browser Regression Coverage / No-Drift Guard`
The final report may reorder these if browser evidence proves a different dependency.
## Filament v5 Output Contract
1. **Livewire v4.0+ compliance**: This app uses Livewire v4.1.4 with Filament v5.2.1. Spec 313 performs browser/Livewire behavior observation only and must not introduce Livewire v3 references.
2. **Provider registration**: No panel provider registration changes. Laravel 12 panel providers remain registered in `apps/platform/bootstrap/providers.php`.
3. **Global search**: No resource global search behavior changes. The audit must classify globally searchable resources if discovered, but no search settings are modified.
4. **Destructive actions**: No destructive actions are added or changed. Existing destructive actions are observed only where they affect page context or navigation.
5. **Assets**: No assets are added or changed. Existing Filament asset deployment posture remains unchanged; `cd apps/platform && php artisan filament:assets` is not newly required by Spec 313.
6. **Testing plan**: Spec 313 requires browser verification and repo-discovery validation, not Pest implementation tests. Future Spec 318 may add automated browser regression coverage.


@ -0,0 +1,64 @@
# Surface Inventory
Final statuses use only the allowed Spec 313 status vocabulary. "Browser verified" means the surface was opened in the local admin UI on 2026-05-16 against `http://localhost/admin`; "repo only" means classified from route/resource code and not deeply browser-tested because the surface is system, auth, modal-only, or not context-bearing.
| Surface | Type | Class/resource/component | Route | Sidebar visible? | Dashboard/card/action linked? | Workspace-scoped? | Environment-scoped? | System/platform scoped? | Ambiguous? | Browser verified? | Final status | Notes |
|---|---|---|---|---|---|---:|---:|---:|---:|---|---|---|
| Workspace Overview | Filament page | `App\Filament\Pages\WorkspaceOverview` | `/admin`, `/admin/workspaces/{workspace}/overview` | Yes | Home | Yes | No | No | No | Yes | `verified_workspace_scoped_hub` | Shell shows workspace and no environment after clear; screenshot `workspace-origin--workspace-overview.png`. |
| Operations | Filament page | `App\Filament\Pages\Monitoring\Operations` | `/admin/workspaces/{workspace}/operations` | Yes | Environment dashboard CTA | Yes | Explicit filter only | No | No | Yes | `verified_workspace_scoped_hub` | Workspace origin shows 9 rows across 2 environments. CTA query `managed_environment_id=4` was not visibly applied in shell/title and had no `Clear filters` action. |
| Operation detail | Filament page | `App\Filament\Pages\Operations\TenantlessOperationRunViewer` | `/admin/workspaces/{workspace}/operations/{run}` | Row/action only | Environment dashboard recent operation links | Yes | Record-owned tenant context | No | Yes | Repo only | `verified_ambiguous_or_mixed` | Support request modal exists here; not deeply tested to avoid mutation flows. |
| Provider Connections / Integrations | Filament resource | `App\Filament\Resources\ProviderConnectionResource` | `/admin/provider-connections` | Yes | Link helper from operations/provider actions | Yes | Explicit filter query | No | Yes | Yes | `verified_workspace_scoped_hub` | Workspace origin showed both provider rows. Query prefilter `managed_environment_id=<slug>` filters rows but no page-level clear exists; sidebar link can regain query from remembered environment. |
| Finding Exceptions Queue | Filament page | `App\Filament\Pages\Monitoring\FindingExceptionsQueue` | `/admin/finding-exceptions/queue` | Yes | Open queue helper | Yes | Explicit `tenant` prefilter | No | Yes | Yes | `blocked_missing_seed_data` | Shell/query behavior verified; no `finding_exceptions` rows in seed data, so row-scope correctness is unproven. |
| Alerts landing | Filament cluster page | `App\Filament\Pages\Monitoring\Alerts` | `/admin/alerts` redirects to alert deliveries | Yes | No | Yes | Table filters | No | No | Yes | `blocked_missing_seed_data` | No alert delivery rows; shell and filter behavior verified only. |
| Alert Deliveries | Filament resource | `App\Filament\Resources\AlertDeliveryResource` | `/admin/alerts/alert-deliveries` | Child | No | Yes | Optional environment table filter | No | No | Yes | `blocked_missing_seed_data` | No rows. |
| Alert Rules | Filament resource | `App\Filament\Resources\AlertRuleResource` | `/admin/alerts/alert-rules` | Child | No | Yes | No | No | No | Repo only | `verified_workspace_scoped_hub` | Navigation child under Alerts; not high-risk for environment inheritance. |
| Alert Destinations | Filament resource | `App\Filament\Resources\AlertDestinationResource` | `/admin/alerts/alert-destinations` | Child | No | Yes | No | No | No | Repo only | `verified_workspace_scoped_hub` | Navigation child under Alerts; not high-risk for environment inheritance. |
| Audit Log | Filament page | `App\Filament\Pages\Monitoring\AuditLog` | `/admin/audit-log` | Yes | No | Yes | Optional environment table filter | No | No | Yes | `verified_workspace_scoped_hub` | Workspace origin shows 61 rows across 2 environments; shell clean from sidebar. |
| Evidence Overview | Filament page | `App\Filament\Pages\Monitoring\EvidenceOverview` | `/admin/evidence/overview` | No direct sidebar item | Environment/prefilter links | Yes | Explicit `managed_environment_id` prefilter | No | Yes | Yes | `blocked_missing_seed_data` | Clear filter worked for query prefilter, but no evidence rows exist. |
| Review Register | Filament page | `App\Filament\Pages\Reviews\ReviewRegister` | `/admin/reviews` | Yes | Prefilter URL/action | Yes | Explicit prefilter | No | Yes | Yes | `blocked_missing_seed_data` | `managed_environment_id=4` query remained after clicking Clear filters; no environment review rows exist. |
| Customer Review Workspace | Filament page | `App\Filament\Pages\Reviews\CustomerReviewWorkspace` | `/admin/reviews/workspace` | Yes | Environment dashboard export artifacts | Yes | Explicit `tenant` prefilter | No | Yes | Yes | `blocked_missing_seed_data` | Query remained after clear and reload reintroduced visible filter; no review-pack/review data exists. |
| Governance Inbox | Filament page | `App\Filament\Pages\Governance\GovernanceInbox` | `/admin/governance/inbox` | Yes | Environment sidebar/action links | Yes | Explicit `tenant` prefilter | No | Yes | Yes | `verified_workspace_scoped_hub` | Filtered URL shows `ManagedEnvironment: YPTW2` with clear environment filter link; shell still says no environment selected. |
| Decision Register | Filament page | `App\Filament\Pages\Governance\DecisionRegister` | `/admin/governance/decisions` | Conditional | Prefilter URL | Yes | Explicit `managed_environment_id` prefilter | No | Yes | Yes | `verified_ambiguous_or_mixed` | Clean workspace URL returned 403 for this actor, while `?managed_environment_id=4` opened the page. Access is data/query dependent. |
| Workspace Settings | Filament page | `App\Filament\Pages\Settings\WorkspaceSettings` | `/admin/settings/workspace` | Yes | No | Yes | No | No | No | Yes | `verified_workspace_scoped_hub` | Workspace admin surface; no environment query observed. |
| Manage Workspaces | Filament resource | `App\Filament\Resources\Workspaces\WorkspaceResource` | `/admin/workspaces` | Yes | Topbar/switcher | Yes | No | No | No | Yes | `verified_workspace_scoped_hub` | Workspace management list opened cleanly. |
| Managed Environments Landing | Filament page/resource | `ManagedEnvironmentResource`, `ManagedEnvironmentsLanding` | `/admin/workspaces/{workspace}/environments` | Via environment clear/switch | Workspace overview/context bar | Workspace list of environments | No | No | No | Yes | `verified_workspace_scoped_hub` | Environment catalog for current workspace; screenshot `environment-page--managed-environments-landing.png`. |
| Choose Workspace | Filament page | `App\Filament\Pages\ChooseWorkspace` | `/admin/choose-workspace` | Topbar | Topbar | Yes | No | No | No | Yes | `verified_workspace_scoped_hub` | Selection surface, not data hub. |
| Choose Environment | Filament page | `App\Filament\Pages\ChooseEnvironment` | `/admin/choose-environment` | Topbar | Topbar | Yes | No | No | No | Yes | `verified_workspace_scoped_hub` | Environment selection surface. |
| Environment Dashboard | Filament page | `App\Filament\Pages\EnvironmentDashboard` | `/admin/workspaces/{workspace}/environments/{environment}` | Environment nav | Environment entry point | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Shell shows `YPTW2 (DEV)`; CTAs include Operations, required permissions, reviews, backup, evidence, risks. |
| Environment Onboarding | Filament page | `ManagedEnvironmentOnboardingWizard` | `/admin/onboarding`, `/admin/onboarding/{draft}` | No | Onboarding CTA | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Browser redirected `/admin/onboarding` to draft `/admin/onboarding/1`. |
| Required Permissions | Filament page | `App\Filament\Pages\EnvironmentRequiredPermissions` | `/admin/workspaces/{workspace}/environments/{environment}/required-permissions` | Environment nav/card | Dashboard card | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Shell/header environment aligned. |
| Environment Diagnostics | Filament page | `App\Filament\Pages\EnvironmentDiagnostics` | `/admin/workspaces/{workspace}/environments/{environment}/diagnostics` | Route/action | Dashboard/action | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Shell/header environment aligned. |
| Inventory Cluster | Filament cluster | `App\Filament\Clusters\Inventory\InventoryCluster` | `/admin/workspaces/{workspace}/environments/{environment}/inventory` | Environment nav | Dashboard/sidebar | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Redirected to inventory items with environment shell. |
| Inventory Items | Filament resource | `App\Filament\Resources\InventoryItemResource` | `/admin/workspaces/{workspace}/environments/{environment}/inventory-items` | Environment nav | Inventory cluster | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No inventory rows for audited environment. |
| Inventory Coverage | Filament page | `App\Filament\Pages\InventoryCoverage` | `/admin/workspaces/{workspace}/environments/{environment}/inventory/inventory-coverage` | Environment nav | Inventory cluster | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Shell/header environment aligned. |
| Policies | Filament resource | `App\Filament\Resources\PolicyResource` | `/admin/workspaces/{workspace}/environments/{environment}/policies` | Environment nav | Inventory cluster | No | Yes | No | No | Yes | `blocked_missing_seed_data` | Policies rows exist only in workspace 1/env 1, not in audited workspace 3/env 4. |
| Policy Versions | Filament resource | `App\Filament\Resources\PolicyVersionResource` | `/admin/workspaces/{workspace}/environments/{environment}/policy-versions` | Environment nav | Inventory cluster | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No policy version rows. |
| Findings | Filament resource | `App\Filament\Resources\FindingResource` | `/admin/workspaces/{workspace}/environments/{environment}/findings` | Environment nav | Dashboard cards | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No finding rows. |
| Risk Exceptions | Filament resource | `App\Filament\Resources\FindingExceptionResource` | `/admin/workspaces/{workspace}/environments/{environment}/finding-exceptions` | Environment nav | Dashboard card | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No finding exception rows. |
| Evidence Snapshots | Filament resource | `App\Filament\Resources\EvidenceSnapshotResource` | `/admin/workspaces/{workspace}/environments/{environment}/evidence` | Environment nav | Dashboard card | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No evidence snapshot rows. |
| Environment Reviews | Filament resource | `App\Filament\Resources\EnvironmentReviewResource` | `/admin/workspaces/{workspace}/environments/{environment}/environment-reviews` | Environment nav | Dashboard cards | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No environment review rows. |
| Review Packs | Filament resource | `App\Filament\Resources\ReviewPackResource` | `/admin/workspaces/{workspace}/environments/{environment}/review-packs` | Environment nav | Dashboard/export card | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No review pack rows. |
| Stored Reports | Filament resource | `App\Filament\Resources\StoredReportResource` | `/admin/workspaces/{workspace}/environments/{environment}/stored-reports` | Environment nav | Evidence/reports links | No | Yes | No | No | Yes | `verified_environment_scoped_page` | 2 stored report rows exist for env 4. No workspace-wide reports hub discovered. |
| Backup Schedules | Filament resource | `App\Filament\Resources\BackupScheduleResource` | `/admin/workspaces/{workspace}/environments/{environment}/backup-schedules` | Environment nav | Dashboard backup card | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No backup schedules. |
| Backup Sets | Filament resource | `App\Filament\Resources\BackupSetResource` | `/admin/workspaces/{workspace}/environments/{environment}/backup-sets` | Environment nav | Dashboard backup card | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No backup sets. |
| Restore Runs | Filament resource | `App\Filament\Resources\RestoreRunResource` | `/admin/workspaces/{workspace}/environments/{environment}/restore-runs` | Environment nav | Backup flow | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No restore runs. |
| Entra Groups | Filament resource | `App\Filament\Resources\EntraGroupResource` | `/admin/workspaces/{workspace}/environments/{environment}/entra-groups` | Environment nav | Directory group | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No group rows. |
| Access Scopes | Filament resource page | `ManagedEnvironmentResource\Pages\ManageEnvironmentAccessScopes` | `/admin/workspaces/{workspace}/environments/{environment}/access-scopes` | Environment route | View/manage environment | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Environment ownership clear. |
| Baseline Compare Landing | Filament page | `App\Filament\Pages\BaselineCompareLanding` | `/admin/baseline-compare-landing?tenant=...` | Environment nav | Dashboard card | No | Yes | No | Yes | Yes | `verified_ambiguous_or_mixed` | Environment query uses `tenant`, not route tenant; shell shows environment. |
| Baseline Compare Matrix | Filament page/resource child | `App\Filament\Pages\BaselineCompareMatrix` | `/admin/baseline-profiles/{record}/compare-matrix` | Row/action | Baseline profile action | No | Mixed | No | Yes | Repo only | `verified_ambiguous_or_mixed` | Record-bound compare surface; not opened because no usable baseline assignment. |
| Baseline Profiles | Filament resource | `App\Filament\Resources\BaselineProfileResource` | `/admin/baseline-profiles?tenant=...` | Environment nav | Baseline card | Workspace-owned baseline library | Environment query filter | No | Yes | Yes | `verified_ambiguous_or_mixed` | Global resource with environment query prefilter. |
| Baseline Snapshots | Filament resource | `App\Filament\Resources\BaselineSnapshotResource` | `/admin/baseline-snapshots?tenant=...` | Environment nav | Baseline card | Workspace-owned artifact library | Environment query filter | No | Yes | Yes | `verified_ambiguous_or_mixed` | Global resource with environment query prefilter. |
| Cross Environment Compare | Filament page | `App\Filament\Pages\CrossEnvironmentComparePage` | `/admin/cross-environment-compare` | No | Compare workflows | Yes | Compares environments | No | Yes | Repo only | `verified_ambiguous_or_mixed` | Not visible in sidebar during audited flow. |
| Support Request action | Modal/action surface | `EnvironmentDashboard`, `TenantlessOperationRunViewer`, support services | No list route | Modal only | Header/action | No | Context-bound | No | Yes | Repo only | `verified_unreachable` | No Support Requests index/resource/route discovered. Existing surfaces create support requests through modals only; not submitted in this audit. |
| Product Knowledge / Help | Not discovered | None | None | No | No | No | No | No | No | Repo only | `verified_unreachable` | No admin route/resource/navigation entry found. |
| Operational Controls | System page | `App\Filament\System\Pages\Ops\Controls` | System panel | No admin sidebar | No | No | No | Yes | No | Repo only | `verified_system_or_platform_scoped_page` | System panel only. |
| Customer Health | System page/widgets | `System\Pages\Directory\Tenants`, customer health widgets | System panel | No admin sidebar | No | No | No | Yes | No | Repo only | `verified_system_or_platform_scoped_page` | System platform surface. |
| Provider Health | Workspace/provider rows | Provider connection health columns | `/admin/provider-connections` | Integrated | Provider resource | Yes | Explicit filter | No | No | Yes | `verified_workspace_scoped_hub` | No separate provider-health page discovered. |
| Permission Posture | Environment/report surface | Required permissions + StoredReportResource | Required permissions, stored reports | Environment nav | Dashboard card | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Environment-owned. |
| Entra Admin Roles | Environment/report surface | StoredReportResource, AdminRolesSummaryWidget | Stored reports/widget | Environment nav/card | Dashboard widget | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Stored report exists for env 4. |
| Auth Login | Auth page | `App\Filament\Pages\Auth\Login` | `/admin/login` | No | Auth only | No | No | No | No | Repo only | `out_of_scope_with_reason` | Auth surface, not workspace/environment data scope. |
| No Access | Utility page | `App\Filament\Pages\NoAccess` | `/admin/no-access` | No | Error/guard | No | No | No | No | Repo only | `out_of_scope_with_reason` | Guard/error surface. |
| Break Glass Recovery | Utility page | `App\Filament\Pages\BreakGlassRecovery` | Not in admin route list | No | Emergency only | No | No | System-like | No | Repo only | `verified_legacy_or_dead_surface_candidate` | Class exists but no admin route was listed. |
| Tenancy RegisterTenant | Utility page | `App\Filament\Pages\Tenancy\RegisterTenant` | Not in admin route list | No | Legacy tenancy | No | No | No | Yes | Repo only | `verified_legacy_or_dead_surface_candidate` | Legacy tenancy artifact in workspace-first app. |
| OperationRunResource | Resource shell | `App\Filament\Resources\OperationRunResource` | No resource routes in route list | No | Replaced by Operations page | Yes | Record-owned | No | Yes | Repo only | `verified_legacy_or_dead_surface_candidate` | Resource class exists without surfaced resource routes. |
| System Control Tower | System panel group | `System\Pages\Dashboard`, `Ops\*`, `Security\AccessLogs`, `Directory\*`, widgets | System panel | No admin sidebar | No | No | No | Yes | No | Repo only | `verified_system_or_platform_scoped_page` | Classified only; outside admin workspace/environment contract unless linked back into admin. |


@ -0,0 +1,189 @@
# Tasks: Full Workspace / Environment Context Browser Verification Audit
**Input**: `spec.md` and `plan.md` in `specs/313-workspace-environment-context-browser-verification/`
**Prerequisites**: local admin app available through existing project conventions, browser tooling available, and an authorized workspace user.
**Scope**: analysis-only audit artifacts. No application implementation.
## Test Governance Checklist
- [x] Lane assignment is named: `browser audit + repo discovery`.
- [x] No runtime tests are added or changed in Spec 313.
- [x] No shared helpers, factories, seeds, fixtures, providers, session defaults, or browser defaults are widened.
- [x] Planned validation commands cover audit artifacts and no-runtime-change guardrails.
- [x] Browser evidence is explicit and not hidden inside fast feedback lanes.
- [x] Missing data/tooling is recorded as blocker instead of fixed by changing seeders or runtime code.
## Phase 1: Setup and Safety
- [x] T001 Confirm current branch is `313-workspace-environment-context-browser-verification` with `git status --short --branch`.
- [x] T002 Confirm the working tree contains only expected Spec 313 preparation/audit files before starting browser audit.
- [x] T003 Read `specs/313-workspace-environment-context-browser-verification/spec.md`.
- [x] T004 Read `specs/313-workspace-environment-context-browser-verification/plan.md`.
- [x] T005 Read `.specify/memory/constitution.md` and keep the audit analysis-only.
- [x] T006 Create `specs/313-workspace-environment-context-browser-verification/artifacts/screenshots/`.
- [x] T007 Create or initialize empty audit files: `audit-report.md`, `surface-inventory.md`, `page-matrix.md`, `query-param-inventory.md`, `clear-filter-inventory.md`, and `code-ownership-map.md`.
- [x] T008 Record initial command log and no-runtime-change posture in `audit-report.md`.
## Phase 2: Repo Discovery
- [x] T009 Run `find apps/platform/app/Filament -type f | sort` and save the output to `artifacts/filament-files.txt`.
- [x] T010 Run the required context/state `rg` search from `plan.md` against `apps/platform/app`, `apps/platform/resources`, `apps/platform/routes`, and `apps/platform/tests`, saving output to `artifacts/context-search.txt`.
- [x] T011 List admin routes with Sail route list, Laravel Boost route list, or a documented read-only fallback, saving output to `artifacts/routes-admin.txt`.
- [x] T012 Inspect `apps/platform/app/Providers/Filament/AdminPanelProvider.php` and list every navigation item, registered page, registered resource, discovered resource/cluster path, render hook, and middleware relevant to context.
- [x] T013 Inspect `apps/platform/app/Support/Navigation/WorkspaceSidebarNavigation.php` and list every sidebar item, child item, URL builder, visibility gate, and navigation group.
- [x] T014 Inspect `apps/platform/routes/web.php` and record admin workspace routes, environment routes, smoke-login routes, context selection/clear routes, review pack download routes, and queue open routes.
- [x] T015 Inspect all files under `apps/platform/app/Filament/Pages`, `apps/platform/app/Filament/Resources`, and `apps/platform/app/Filament/Clusters` for route slugs, `getUrl()` overrides, query params, table filters, clear-filter actions, persisted table state, and page state contracts.
- [x] T016 Inspect `apps/platform/resources/views` for context bar links, clear environment forms, dashboard/action links, visible chips, breadcrumbs, and page-specific filter/CTA rendering.
- [x] T017 Inspect workspace overview sources, including `apps/platform/app/Support/Workspaces/WorkspaceOverviewBuilder.php`, for cards/actions and URL targets.
- [x] T018 Inspect environment dashboard sources, including `apps/platform/app/Filament/Pages/EnvironmentDashboard.php` and `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php`, for cards/actions and URL targets.
- [x] T019 Inspect link helpers and context seams: `ManagedEnvironmentLinks`, `OperationRunLinks`, `WorkspaceContext`, `OperateHubShell`, `ResolvedShellContext`, `CanonicalAdminTenantFilterState`, `WorkspaceRedirectResolver`, `WorkspaceIntendedUrl`, and relevant support/report/evidence/review/support helpers.
- [x] T020 Populate the first pass of `surface-inventory.md` from repo discovery before browser verification.
- [x] T021 Populate the first pass of `query-param-inventory.md` with `tenant`, `tenant_id`, `managed_environment_id`, `environment_id`, `tenant_scope`, and `tableFilters`.
- [x] T022 Populate the first pass of `clear-filter-inventory.md` from code-discovered clear actions.
- [x] T023 Populate the first pass of `code-ownership-map.md` with all required seams from `plan.md`.
## Phase 3: Browser Data Readiness
- [x] T024 Start the local app using existing project conventions if needed, preferring Sail: `cd apps/platform && ./vendor/bin/sail up -d`.
- [x] T025 Resolve the absolute app URL using Laravel Boost `get_absolute_url` or document the local URL source.
- [x] T026 Identify the local smoke-login path and actor from existing local config or seeded data. Do not modify seeders.
- [x] T027 Verify at least one Workspace is selectable in the browser.
- [x] T028 Verify whether at least two Managed Environments exist in that Workspace.
- [x] T029 Record available row coverage for Operations, Alerts, Audit Log, Findings, Finding Exceptions, Governance Inbox, Decision Register, Reviews, Customer Reviews, Evidence, Provider Connections, Reports / Stored Reports, and Support Requests.
- [x] T030 In `audit-report.md`, record missing seed data as a blocker wherever data scope cannot be proven.
## Phase 4: Workspace-Origin Browser Verification
- [x] T031 From Workspace origin with no active Environment, open Workspace Overview and capture `workspace-origin--workspace-overview.png`.
- [x] T032 Open Operations from sidebar/global navigation and capture `workspace-origin--operations.png`.
- [x] T033 Open Provider Connections / Integrations from sidebar/global navigation and capture `workspace-origin--provider-connections.png`.
- [x] T034 Open Finding Exceptions Queue from sidebar/global navigation and capture `workspace-origin--finding-exceptions-queue.png`.
- [x] T035 Open Evidence Overview from sidebar/global navigation or direct route and capture `workspace-origin--evidence.png`.
- [x] T036 Open Reviews / Review Register and capture `workspace-origin--reviews.png`.
- [x] T037 Open Customer Reviews / Customer Review Workspace and capture `workspace-origin--customer-reviews.png`.
- [x] T038 Open Governance Inbox and capture `workspace-origin--governance-inbox.png`.
- [x] T039 Open Decision Register and capture `workspace-origin--decision-register.png`.
- [x] T040 Open Audit Log and capture `workspace-origin--audit-log.png`.
- [x] T041 Open Alerts and capture `workspace-origin--alerts.png`.
- [x] T042 Open Workspace Settings and capture `workspace-origin--workspace-settings.png`.
- [x] T043 Open Manage Workspaces and capture `workspace-origin--manage-workspaces.png` or classify as system/workspace settings if access is blocked.
- [x] T044 Open Reports / Stored Reports through every discovered route/link and capture `workspace-origin--reports.png` or document unreachable/blocker.
- [x] T045 Open Support Requests through every discovered route/link and capture `workspace-origin--support-requests.png` or document unreachable/blocker.
- [x] T046 For each page in T031-T045, record URL, query params, shell, breadcrumbs, title, visible chips, table filters, data-scope proof, screenshot, status, risk, and notes in `page-matrix.md`.
## Phase 5: Environment-Sidebar Browser Verification
- [x] T047 Open Environment Dashboard for Environment A and capture `environment-origin--dashboard-a.png`.
- [x] T048 Confirm shell shows Workspace + Environment A and record route/query state.
- [x] T049 From that state, click sidebar/global Operations and capture `environment-sidebar--operations.png`.
- [x] T050 Click sidebar/global Provider Connections and capture `environment-sidebar--provider-connections.png`.
- [x] T051 Click sidebar/global Finding Exceptions Queue and capture `environment-sidebar--finding-exceptions-queue.png`.
- [x] T052 Click sidebar/global Evidence Overview and capture `environment-sidebar--evidence.png`.
- [x] T053 Click sidebar/global Reviews and capture `environment-sidebar--reviews.png`.
- [x] T054 Click sidebar/global Customer Reviews and capture `environment-sidebar--customer-reviews.png`.
- [x] T055 Click sidebar/global Governance Inbox and capture `environment-sidebar--governance-inbox.png`.
- [x] T056 Click sidebar/global Decision Register and capture `environment-sidebar--decision-register.png`.
- [x] T057 Click sidebar/global Audit Log and capture `environment-sidebar--audit-log.png`.
- [x] T058 Click sidebar/global Alerts and capture `environment-sidebar--alerts.png`.
- [x] T059 Repeat high-risk sidebar checks from Environment B where seed data or visible environment labels make scope comparison useful.
- [x] T060 Record shell-clearing, URL params, visible filters, persisted filters, apparent data scope, reload result, screenshot, status, and risk in `page-matrix.md`.
## Phase 6: Environment CTA/Card Browser Verification
- [x] T061 From Environment A Dashboard, click the Operations CTA/card/action if present and capture `environment-cta--operations.png`.
- [x] T062 From Environment A Dashboard, click Provider Connections / Integrations CTA/card/action if present and capture `environment-cta--provider-connections.png`.
- [x] T063 From Environment A Dashboard, click Finding Exceptions / Risk Exceptions CTA/card/action if present and capture `environment-cta--finding-exceptions-queue.png`.
- [x] T064 From Environment A Dashboard, click Evidence CTA/card/action if present and capture `environment-cta--evidence.png`.
- [x] T065 From Environment A Dashboard, click Reviews CTA/card/action if present and capture `environment-cta--reviews.png`.
- [x] T066 From Environment A Dashboard, click Customer Reviews / Review Pack / Export Artifacts CTA/card/action if present and capture `environment-cta--customer-reviews.png`.
- [x] T067 From Environment A Dashboard, click Governance Inbox CTA/card/action if present and capture `environment-cta--governance-inbox.png`.
- [x] T068 From Environment A Dashboard, click Decision Register CTA/card/action if present and capture `environment-cta--decision-register.png` or document that no CTA exists.
- [x] T069 From Environment A Dashboard, click Required Permissions / Permission Posture and capture `environment-cta--required-permissions.png`.
- [x] T070 From Environment A Dashboard, click Provider Readiness / Diagnostics and capture `environment-cta--provider-readiness-or-diagnostics.png`.
- [x] T071 From Environment A Dashboard, click Reports / Stored Reports, Support Requests, Audit, or Alerts CTAs if present and capture stable screenshots.
- [x] T072 For each CTA, record target page, URL, query params, shell context, visible environment filter, table filter state, data-scope proof, clear-filter existence, and status in `page-matrix.md`.
## Phase 7: Environment-Owned Page Verification
- [x] T073 Verify Environment Dashboard shell/header/breadcrumb and final status.
- [x] T074 Verify Environment Onboarding / Managed Environment onboarding routes if reachable.
- [x] T075 Verify Required Permissions page.
- [x] T076 Verify Environment Diagnostics page.
- [x] T077 Verify Inventory cluster/list and Inventory Coverage.
- [x] T078 Verify Directory / Groups if reachable.
- [x] T079 Verify Policies / Configurations if reachable.
- [x] T080 Verify Backup Schedules and Backup Sets if reachable.
- [x] T081 Verify Restore Runs / Restore Points if reachable.
- [x] T082 Verify Baseline Profiles / Baseline Snapshots / Baseline Compare if reachable.
- [x] T083 Verify Findings and Finding Exceptions environment resources if reachable.
- [x] T084 Verify Evidence environment resource if reachable.
- [x] T085 Verify Environment Reviews and Review Packs environment resources if reachable.
- [x] T086 Verify Stored Reports environment resource if reachable.
- [x] T087 For each environment page, record final status, shell/header/breadcrumb correctness, data-scope proof status, screenshot, and blocker notes.
## Phase 8: Manual Filter, Clear-Filter, Reload, and Back/Forward
- [x] T088 On Operations, manually apply an Environment filter if possible, navigate away, revisit from sidebar, clear if possible, reload, and capture before/after/reload screenshots.
- [x] T089 Repeat T088 for Provider Connections.
- [x] T090 Repeat T088 for Finding Exceptions Queue.
- [x] T091 Repeat T088 for Evidence Overview.
- [x] T092 Repeat T088 for Reviews.
- [x] T093 Repeat T088 for Customer Reviews.
- [x] T094 Repeat T088 for Governance Inbox.
- [x] T095 Repeat T088 for Decision Register.
- [x] T096 Repeat T088 for Audit Log and Alerts if environment-like filters exist.
- [x] T097 For each clear-filter action, update `clear-filter-inventory.md` with every required state carrier.
- [x] T098 For high-risk pages, use browser back/forward after workspace-origin and environment-origin transitions and record whether stale environment filters or mismatched shell state return.
## Phase 9: Matrix Reconciliation and Final Status Assignment
- [x] T099 Reconcile browser pages against `surface-inventory.md` and add any missing surface discovered during browsing.
- [x] T100 Reconcile `page-matrix.md` against `surface-inventory.md` so every in-scope browser-verified page has row/origin coverage.
- [x] T101 Reconcile query params observed in browser against `query-param-inventory.md`.
- [x] T102 Reconcile clear-filter browser behavior against `clear-filter-inventory.md`.
- [x] T103 Reconcile observed behavior to likely repo owners in `code-ownership-map.md`.
- [x] T104 Assign one allowed final status to every discovered surface.
- [x] T105 Confirm no final status says "likely OK".
- [x] T106 Confirm Reports / Stored Reports are classified.
- [x] T107 Confirm Support Requests are classified.
- [x] T108 Confirm Workspace Settings, Alerts, Provider Connections, Finding Exceptions Queue, Evidence, Reviews, Customer Reviews, Operations, Governance Inbox, and Decision Register are all classified.
## Phase 10: Audit Report
- [x] T109 Write `audit-report.md` Executive Summary and classify the issue as isolated, page-specific drift, or systemic context contract drift.
- [x] T110 Add verified surface counts: workspace hubs, environment pages, system/platform pages, ambiguous/mixed, unreachable/dead candidates, blocked, and unresolved/ambiguous mapped to allowed statuses.
- [x] T111 Summarize workspace hub behavior matrix.
- [x] T112 Summarize environment page behavior matrix.
- [x] T113 List mismatched scope findings.
- [x] T114 Summarize clear-filter findings.
- [x] T115 Summarize query parameter findings.
- [x] T116 Summarize persisted filter findings.
- [x] T117 Summarize code ownership map.
- [x] T118 Rank risks as `critical`, `high`, `medium`, or `low` using the risk guidance from `spec.md`.
- [x] T119 Recommend follow-up specs and exact order, starting from 314 unless evidence proves another order.
- [x] T120 List open questions and blockers.
- [x] T121 Record exact commands run, browser tooling used, screenshots generated, tests run or not run, failures, and no-runtime-change statement.
## Phase 11: Validation and Close-Out
- [x] T122 Run `git diff --name-only` from repo root and confirm only files under `specs/313-workspace-environment-context-browser-verification/` changed.
- [x] T123 Run `git diff --check` from repo root.
- [x] T124 Confirm no files under `apps/platform/app`, `apps/platform/config`, `apps/platform/database`, `apps/platform/resources`, `apps/platform/routes`, `apps/platform/tests`, or `apps/platform/lang` changed.
- [x] T125 Confirm no commits were created unless explicitly requested.
- [x] T126 Confirm screenshots referenced in `page-matrix.md` exist on disk.
- [x] T127 Confirm every screenshot filename is stable and under `artifacts/screenshots/`.
- [x] T128 Confirm all required output files exist and are non-empty.
- [x] T129 Confirm every discovered surface has one allowed final status.
- [x] T130 Confirm final response includes summary, counts, highest-risk findings, generated file paths, screenshot path, recommended next spec, exact commands/results, and clear statement that no runtime fixes were made.
## Explicit Non-Goals Checklist
- [x] No runtime files changed.
- [x] No tests changed.
- [x] No migrations changed.
- [x] No seeders changed.
- [x] No route files changed.
- [x] No Filament pages/resources/components changed.
- [x] No config files changed.
- [x] No application behavior changed.
- [x] No follow-up spec 314+ implementation started.