# Data Model: Cutover Prerequisite Completion

## Overview

`287` introduces no new persisted entity, table, lifecycle state, or runtime DTO. The "data model" for this package is a derived seam inventory that pins which runtime and test-harness seams must be completed, which canonical replacements are expected, and which validation commands stay aligned across the package.

## Canonical Completion Categories

| Completion Key | Meaning | Primary Targets | Canonical Replacement |
|---|---|---|---|
| `provider_connection_route_contract` | provider-connection runtime no longer accepts tenant-first legacy aliases | `apps/platform/routes/web.php`, `apps/platform/app/Providers/Filament/AdminPanelProvider.php`, `apps/platform/app/Filament/Resources/TenantResource.php`, `apps/platform/app/Filament/Pages/TenantRequiredPermissions.php`, `apps/platform/app/Support/OperationRunLinks.php`, `apps/platform/app/Support/Providers/ProviderReasonTranslator.php`, `apps/platform/app/Support/Verification/VerificationLinkBehavior.php` | canonical `/admin/provider-connections...` route family |
| `provider_target_scope_core_contract` | shared provider target-scope and identity outputs no longer require Microsoft-only core keys | shared provider target-scope and identity seams | neutral target-scope fields with provider-owned nested detail only |
| `workspace_role_authority_contract` | workspace membership remains the only role-bearing truth | access-scope persistence seams and directly affected policy or resolver paths | workspace membership role truth with narrowing-only environment scope |
| `test_harness_context_contract` | the shared test harness no longer boots the retired tenant panel for the changed seams | `apps/platform/tests/Pest.php`, `apps/platform/tests/Feature/Reviews/CustomerReviewWorkspaceLaunchLinksTest.php`, and `apps/platform/tests/Feature/Rbac/TriageReviewStateAuthorizationTest.php` | post-cutover admin or workspace context helper path |
| `targeted_validation_contract` | proof remains limited to the changed seams | targeted feature tests, targeted browser tests, formatting command | exact command set shared across the package |

## Pinned Canonical Replacements

| Completion Key | Retired Pattern | Canonical Replacement |
|---|---|---|
| `provider_connection_route_contract` | `/admin/tenants/{tenant:slug}/provider-connections...` | `/admin/provider-connections...` |
| `provider_target_scope_core_contract` | `entra_tenant_id`, `tenantContext`, `target_scope.entra_tenant_id` as shared primary truth | provider-neutral target-scope fields such as scope kind, scope identifier, and scope display name |
| `workspace_role_authority_contract` | copied role-bearing `ManagedEnvironmentMembership` persistence | workspace membership role truth plus narrowing-only environment scope |
| `test_harness_context_contract` | `setTenantPanelContext()` and related tenant-panel-era setup | admin or workspace context bootstrapping suitable for the completed runtime |
| `targeted_validation_contract` | guard-suite or full-suite proof expectation | targeted feature and browser validation only |

## Allowed Provider-Owned Detail

| Detail Class | Meaning | Examples |
|---|---|---|
| `provider_owned_profile_detail` | provider-specific detail is allowed where the provider is genuinely the subject | Microsoft tenant identifiers, consent URLs, Graph-specific diagnostics |
| `provider_owned_support_detail` | lower-level support or troubleshooting context remains nested provider detail | raw provider metadata, provider-specific error context |

## Invariants

- `287` adds no new runtime state and no new persistence.
- The same completion categories and the same Spec `288` follow-up boundary must appear across `spec.md`, `plan.md`, `tasks.md`, `quickstart.md`, `data-model.md`, and `checklists/requirements.md`.
- The literal proof commands live only in `spec.md`, `plan.md`, `tasks.md`, and `quickstart.md`; the remaining artifacts reference that canonical command set rather than restating another variant.
- Validation remains targeted to the changed seams only.
- Provider-owned Microsoft detail may remain nested, but it must not stay the shared platform-core contract.
- Environment scope must remain narrowing-only after the cleanup.

## Out of Scope Data Changes

- no database migrations
- no new provider profile table or registry
- no new role family or persisted access overlay
- no global no-legacy guard inventory
- no full-suite baseline or lane-wide enforcement artifact