# Quickstart: Post-Cutover Suite Stabilization & Baseline Reconciliation

## Purpose

Use this guide to review or later implement Feature `293` as the bounded stabilization package that follows Specs `287` and `288`.

## Preconditions

- The package stays limited to cutover-driven suite stabilization.
- The pinned failure categories are:
  - `cutover-baseline-debt`
  - `cutover-runtime-regression`
  - `unrelated-existing-debt`
  - `flaky-or-environment`
  - `resolved-or-not-needed`
- The pinned stabilization seams are:
  - `tenant_panel_baseline`
  - `legacy_admin_t_routes`
  - `workspace_aware_operations_routes`
  - `legacy_required_permissions_provider_connections`
  - `action_surface_rebaseline`
- `289` remains untouched.
- `292` remains untouched.
- TenantPanel, `/admin/t/...`, tenant-scoped provider fallbacks, and tenant-scoped required-permissions fallbacks remain retired.
- `managed_environment_memberships` remain narrowing-only access scope and must not regain independent role authority.

## Read Order

1. `spec.md`
2. `plan.md`
3. `research.md`
4. `data-model.md`
5. `failure-classification.md`
6. `tasks.md`
7. `checklists/requirements.md`

## Implementation Intent

- classify failures before fixing anything
- stabilize stale TenantPanel and `/admin/t/...` assumptions without restoring compatibility behavior
- make in-scope operations routes workspace-aware through existing canonical helpers or explicit workspace parameters
- remove tenant-scoped required-permissions and provider-connection legacy assumptions from the suite baseline
- keep action-surface rebaseline bounded to cutover drift
- keep the Spec `288` proof pack and browser anchors green
- document remaining unrelated or flaky debt explicitly

## Review Scenarios

### Scenario 1: Initial baseline and classification

- run the initial full suite or fallback lane split
- record the observed groups in `failure-classification.md`
- confirm every relevant group is classified before fixes begin

### Scenario 2: Retired panel and route assumptions are gone

- re-run the targeted panel navigation and legacy tenant-core tests
- confirm they no longer treat TenantPanel or `/admin/t/...` management routes as current runtime truth

### Scenario 3: Operations and legacy provider or permissions routes are canonical

- re-run the targeted OpsUx, ProviderConnections, and Verification proof sets
- confirm those tests use current workspace-aware or tenantless canonical paths instead of retired fallbacks

### Scenario 4: Action-surface rebaseline stays bounded

- re-run the action-surface and adjacent RBAC or Filament tests
- confirm only cutover-stale expectations changed and no new product actions were introduced just to satisfy tests
- confirm managed-environment memberships are still treated as narrowing-only access scope and not as an independent role authority source

### Scenario 5: Enforcement and visible anchors remain green

- re-run the Spec `288` proof pack
- re-run the two browser anchors
- confirm the stabilization work did not regress the enforcement baseline or visible canonical flows

## Planned Validation Commands

```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && git status --short --branch
```

```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && git diff --stat
```

```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && (cd apps/platform && ./vendor/bin/sail artisan test --compact)
```

```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && ./scripts/platform-test-lane heavy-governance
```

```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && ./scripts/platform-test-lane confidence
```

```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && (cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/PanelNavigationSegregationTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php)
```

```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && (cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/OpsUx/CanonicalViewRunLinksTest.php tests/Feature/OpsUx/OperateHubShellTest.php tests/Feature/OpsUx/FailureSanitizationTest.php tests/Feature/OpsUx/NonLeakageWorkspaceOperationsTest.php)
```

```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && (cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections tests/Feature/Verification)
```

```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && (cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/ActionSurfaceContractTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Rbac/BackupItemsRelationManagerUiEnforcementTest.php)
```

```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php)
```

```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php)
```

```bash
export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && (cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent)
```

## Explicit Stop Conditions

- If implementation starts restoring TenantPanel or `/admin/t/...` compatibility behavior, stop.
- If implementation starts absorbing Package Execution, Guided Operations, or new product features, stop.
- If a failing group cannot be tied to one of the pinned failure categories, stop and classify it first.
- If the Spec `288` proof pack or browser anchors regress, stop and restore them before proceeding.