--- description: "Task list for Quality Gates / No-Legacy Enforcement" --- # Tasks: Quality Gates / No-Legacy Enforcement **Input**: Design documents from `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/` **Prerequisites**: `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/plan.md` (required), `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/spec.md` (required), `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/checklists/requirements.md` (required), `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/research.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/data-model.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/contracts/quality-gates-no-legacy-enforcement.logical.openapi.yaml`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/quickstart.md` **Review Artifact**: `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/checklists/requirements.md` is the outcome-of-record for the review outcome class, workflow outcome, and test-governance outcome. If implementation expands into runtime cutover repair, Package Execution Contract work, Guided Operations, Review Pack export changes, or full-suite repair, update that artifact before continuing and stop when the work no longer fits `288`. **Tests**: Required (Pest) for guard, browser, and classification-contract changes. Keep proof bounded to the named guard and browser files plus formatting. Broader baseline fallout may be classified but not repaired under this spec. **Operations**: No new `OperationRun`, queue family, remote workflow, or notification policy is introduced. `288` only adds enforcement and contributor-facing quality-gate documentation. **RBAC**: Reuse the workspace-first access contract from Spec `285`; do not add a new role family, raw capability strings, or a second role matrix. **Shared Pattern Reuse**: Reuse `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Unit/Auth/NoRoleStringChecksTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Pest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneManifest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneReport.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/README.md`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/scripts/platform-test-report`. Do not introduce a new lint framework, a second baseline-report system, or a full-suite repair wrapper under this spec. **Filament / Panel Guardrails**: Filament remains v5 on Livewire v4. Provider registration remains unchanged in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/bootstrap/providers.php`. No new panel, no new globally-searchable resource, and no asset-strategy change are allowed in this slice. **Organization**: Tasks are grouped by route/helper guardrails, provider-core and role-authority guardrails, browser-smoke and documentation obligations, and the classification-only broader-baseline boundary. **Review Outcome**: `acceptable-special-case` **Workflow Outcome**: `keep` **Test-governance Outcome**: `keep` ## Test Governance Checklist - [x] Lane assignment is named and is the narrowest sufficient proof for the changed behavior. - [x] New source scans use explicit exclusions and avoid broad, ambiguous allowlists. - [x] Targeted browser smoke gates are named explicitly and remain isolated to the browser lane. - [x] Planned validation commands cover the changed seams without becoming a full-suite baseline or repair program. - [x] Surface test profile stays explicit: `standard-native-filament`, `global-context-shell`, and `browser-smoke`. - [x] The active package records that Spec `289` owns Package Execution Contract work after this slice lands. ## Phase 1: Setup (Shared Context) **Purpose**: Lock the bounded enforcement role, exact retired inventories, and targeted validation scope before test or documentation edits begin. - [x] T001 Review `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/spec.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/plan.md`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/checklists/requirements.md` to confirm the package stays on enforcement only - [x] T002 [P] Review `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/research.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/data-model.md`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/contracts/quality-gates-no-legacy-enforcement.logical.openapi.yaml` to confirm the same retired-route, helper, provider-boundary, role-authority, and classification-only inventories are pinned everywhere - [x] T003 [P] Confirm the focused Sail/Pest validation commands in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/quickstart.md` and the current guard, browser, and classification surfaces in `apps/platform/tests/Feature/Guards/`, `apps/platform/tests/Browser/`, `apps/platform/tests/Support/`, and `README.md` --- ## Phase 2: Foundational (Blocking Prerequisites) **Purpose**: Fix the exact enforcement inventory before story work begins and keep runtime rewrites and broader repair explicitly out of scope. **Critical**: No user-story work should begin until this phase is complete. - [x] T004 Audit the exact retired route/path and emitted-URL inventories across `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/routes/web.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Providers/Filament/AdminPanelProvider.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Resources/TenantResource.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/OperationRunLinks.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Verification/VerificationLinkBehavior.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php` - [x] T005 [P] Audit retired tenant-panel helper and panel-bootstrapping seams across `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Pest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/`, and any directly affected support path named by this package - [x] T006 [P] Audit provider-core and role-authority enforcement seams across `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Providers/Boundary/ProviderBoundaryCatalog.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/ProviderIdentityResolution.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/ProviderOperationRegistry.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Unit/Auth/NoRoleStringChecksTest.php` - [x] T007 Confirm the classification-only broader-baseline boundary across `/Users/ahmeddarrazi/Documents/projects/wt-plattform/README.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneManifest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneReport.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/BrowserLaneIsolationTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/CiLaneFailureClassificationContractTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/scripts/platform-test-report`, and verify that Spec `289` remains the explicit follow-up **Checkpoint**: the enforcement inventories and scope boundary are fixed before story work begins. --- ## Phase 3: User Story 1 - Guard retired routes, paths, and helper bootstrapping (Priority: P1) **Goal**: Fail fast when retired management route/path families or retired tenant-panel bootstrapping patterns re-enter cutover-owned seams. **Independent Test**: run the targeted route/helper guard suite plus the existing legacy redirect and tenant-core runtime regression tests to prove the exact retired path families and helper patterns fail with actionable messages. ### Tests for User Story 1 - [x] T008 [P] [US1] Add or extend route/path and helper enforcement coverage in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php` ### Implementation for User Story 1 - [x] T009 [US1] Implement the exact retired route/path inventory, emitted-URL assertions on the audited launch-point seams, and scan exclusions in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php` using the route and launch-point seams audited in Phase 2 - [x] T010 [US1] Implement forbidden tenant-panel helper and panel-bootstrapping checks in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php` and any minimal supporting seam references in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Pest.php` without widening into a repo-wide helper rewrite **Checkpoint**: User Story 1 is independently functional when retired route/path and helper patterns fail targeted guards and the known runtime regressions still stay not found. --- ## Phase 4: User Story 2 - Guard provider-core seams and role authority (Priority: P1) **Goal**: Keep shared provider-core seams provider-neutral and keep workspace membership as the only role-bearing authority. **Independent Test**: run the targeted provider-boundary and role-authority guard suite plus the current policy and scope-management regressions to prove platform-core neutrality and narrowing-only environment scope. ### Tests for User Story 2 - [x] T011 [P] [US2] Add or extend provider-boundary and role-authority coverage in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Unit/Auth/NoRoleStringChecksTest.php` ### Implementation for User Story 2 - [x] T012 [US2] Implement the provider-core forbidden seam inventory in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php` using `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Providers/Boundary/ProviderBoundaryCatalog.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/ProviderIdentityResolution.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/ProviderOperationRegistry.php` without rewriting provider-core runtime behavior - [x] T013 [US2] Implement environment-scope role-authority guard coverage in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php` and any minimal supporting assertions in the named feature and unit tests without rewriting the RBAC model **Checkpoint**: User Story 2 is independently functional when provider-core regressions fail targeted guards and role-authority semantics remain unchanged on the existing proof surfaces. --- ## Phase 5: User Story 3 - Keep browser proof and quality-gate docs honest (Priority: P2) **Goal**: Preserve visible canonical route continuity on the current cutover browser anchors and document the same proof boundary for contributors. **Independent Test**: run the two targeted browser smoke tests and verify the contributor-facing quality-gate docs point to the same proof commands and the same classification-only baseline rule. ### Tests for User Story 3 - [x] T014 [P] [US3] Extend `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php` so they assert canonical admin/workspace route continuity and remain free of JavaScript or console errors after the guard pack lands ### Implementation for User Story 3 - [x] T015 [US3] Update `/Users/ahmeddarrazi/Documents/projects/wt-plattform/README.md` with the cutover quality-gate guidance, exact targeted proof commands, pinned scan-exclusion rule, and the statement that broader baseline/full-suite fallout is classified only under Spec `288` **Checkpoint**: User Story 3 is independently functional when browser proof stays green and contributors can follow the same quality-gate contract from the docs. --- ## Phase 6: User Story 4 - Classify broader baseline fallout without owning repair (Priority: P3) **Goal**: Make broader baseline fallout reviewable through the current lane/report seams without turning `288` into a full-suite stabilization package. **Independent Test**: run the classification-contract tests and verify that the manifest/report wording distinguishes cutover guard/browser ownership from unrelated broader failures. ### Tests for User Story 4 - [x] T016 [P] [US4] Extend `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/BrowserLaneIsolationTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/CiLaneFailureClassificationContractTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php` to cover the new Spec `288` guard/browser ownership and classification semantics ### Implementation for User Story 4 - [x] T017 [US4] Update `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneManifest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneReport.php`, and any minimal wrapper wording in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/scripts/platform-test-report` so Spec `288` guard/browser failures and broader baseline fallout are classified without implying full-suite repair ownership **Checkpoint**: User Story 4 is independently functional when broader baseline fallout is reviewable but still explicitly outside the repair scope of this package. --- ## Phase 7: Polish & Cross-Cutting Validation **Purpose**: Run the canonical targeted proof commands, format touched files, and confirm Spec `289` remains the next package instead of leaking back into `288`. - [x] T018 Run `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php)` exactly as recorded in `spec.md`, `plan.md`, and `quickstart.md` - [x] T019 Run `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php)` exactly as recorded in `spec.md`, `plan.md`, and `quickstart.md` - [x] T020 Run `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)` - [x] T021 Review the touched guard, browser, documentation, and classification seams plus the review artifact to confirm Filament remains v5 on Livewire v4, provider registration still lives in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/bootstrap/providers.php`, no global-search or destructive-action contract drift was introduced, no asset registration or deployment-step drift was introduced, no runtime cutover repair, provider-core rewrite, RBAC rewrite, Package Execution work, Guided Operations work, Review Pack export work, UI copy cleanup, or full-suite repair was absorbed, and Spec `289` remains the explicit follow-up --- ## Dependencies & Execution Order ### Phase Dependencies - **Phase 1 (Setup)**: no dependencies; start immediately. - **Phase 2 (Foundational)**: depends on Phase 1 and blocks all user-story work until the enforcement inventories and classification boundary are settled. - **Phase 3 (US1)**: depends on Phase 2 and delivers the first independent guardrail slice. - **Phase 4 (US2)**: depends on Phase 2 and should follow US1 so route/helper truth is pinned before provider-core and role-authority guardrails reuse it. - **Phase 5 (US3)**: depends on Phases 3 and 4 because browser proof and docs should reflect the final guard inventories. - **Phase 6 (US4)**: depends on Phases 3 through 5 so classification wording reflects the final proof ownership rather than a moving target. - **Phase 7 (Polish)**: depends on all implemented stories. ### User Story Dependencies - **US1 (P1)**: first independently testable increment once the enforcement inventory is settled. - **US2 (P1)**: independently testable after Phase 2, but safer after US1 because route/helper truth should stabilize before provider-boundary and role-authority enforcement are judged. - **US3 (P2)**: independently testable after US1 and US2 because browser smoke and docs should reflect final proof obligations. - **US4 (P3)**: independently testable after Phases 3 through 5 because classification wording must describe the final guard/browser ownership. ### Within Each User Story - Add or extend the targeted tests first and make the current drift visible. - Complete the minimum guard or documentation seam needed for that story. - Re-run the narrowest relevant validation command after each story checkpoint before moving on. --- ## Parallel Execution Examples ### Phase 1 - T002 and T003 can run in parallel after T001 confirms the bounded package role. ### Phase 2 - T004, T005, and T006 can run in parallel because they inspect different seam families. ### User Story 1 - T008 can run while T009 and T010 are being prepared, but the route and helper guard inventory should land as one coherent slice. ### User Story 2 - T011 can run in parallel with the seam audit, but T012 and T013 should land together because they define one shared provider-core and role-authority enforcement slice. ### User Story 4 - T016 can run in parallel across the named classification-contract tests once T017's target classification wording is clear. --- ## Implementation Strategy ### Suggested MVP Scope - MVP = **Phase 2 + US1 + US2**. The package starts delivering value once the cutover can fail fast on retired routes/helpers and provider/role-authority regressions. ### Incremental Delivery 1. Complete Phase 1 and Phase 2. 2. Deliver US1 and validate route/helper enforcement. 3. Deliver US2 and validate provider-core and role-authority enforcement. 4. Deliver US3 and validate browser proof plus contributor-facing docs. 5. Deliver US4 and validate classification-only broader-baseline handling. 6. Finish with Phase 7 targeted validation, formatting, and scope review. ### Team Strategy 1. Keep Spec `289` explicitly out of implementation commits for this slice. 2. Land guard inventories before browser or documentation wording so the contributor-facing proof contract reflects final enforcement truth. 3. Serialize merges around `apps/platform/tests/Pest.php`, `apps/platform/tests/Support/TestLaneManifest.php`, `README.md`, and the new Spec `288` guard files because those are likely conflict hotspots. --- ## Explicit Follow-Ups / Out of Scope - Package Execution Contract, which moves to Spec `289` - Guided Operations - Microsoft Starter Pack - runtime cutover work - provider-core rewrites - RBAC rewrites - UI copy cleanup from Spec `286` - Review Pack export changes - any full-suite repair or stabilization program