# Final Tenant Reference Audit

**Feature**: Spec 300 Internal Tenant Model Naming Consolidation  
**Audit date**: 2026-05-14  
**Status**: Passing with one documented, isolated-passing browser timeout in the raw full suite.

This audit does not require every `tenant` string to disappear. It requires every remaining `Tenant` / `tenant` / `tenants` hit in active platform code, resources, routes, database artifacts, and tests to be classified as either renamed away or intentionally allowed.

## Final Spec 300 Proof

### Runtime Legacy Scan

| Check | Result | Allowed? | Reason |
|---|---:|---:|---|
| `/admin/t` active route | no active route | yes | Retired tenant-panel route remains absent from `route:list`. |
| `/admin/tenants` active route | no active route | yes | Retired tenant resource route remains absent from `route:list`. |
| `TenantPanelProvider` runtime file/provider registration | no runtime hit | yes | Remaining hits are negative regression guards only. |
| `setTenantPanelContext` runtime helper | no runtime hit | yes | Remaining hits are negative regression guards only. |
| `panel: 'tenant'` / `panel: "tenant"` runtime bootstrap | no runtime hit | yes | No active tenant-panel bootstrap remains. |
| `TenantResource::getUrl` | 0 hits | yes | Retired helper dependency removed. |
| `TenantDashboard::getUrl` | 0 hits | yes | Retired helper dependency removed. |
| `TenantRequiredPermissions::getUrl` | 0 hits | yes | Retired helper dependency removed. |
| Priority old-family scan | 0 hits | yes | `TenantReview`, `TenantPermission`, `TenantTriageReview`, `TenantOnboardingSession`, managed-tenant onboarding names, old context routes, cross-tenant compare/promotion names, and `source_tenant_id` / `target_tenant_id` are removed from active scan scope. |

Commands:

```bash
cd apps/platform

rg "TenantPanelProvider|setTenantPanelContext|panel:\s*'tenant'|panel:\s*\"tenant\"" app resources routes tests --glob '!vendor' --glob '!node_modules'
rg "/admin/t/|/admin/tenants|filament\.admin\.resources\.tenants" app resources routes tests --glob '!vendor' --glob '!node_modules'
rg "TenantResource::getUrl|TenantDashboard::getUrl|TenantRequiredPermissions::getUrl" app resources routes tests --glob '!vendor' --glob '!node_modules'
rg "TenantReview|tenant_reviews|tenant_review_sections|tenant-reviews|TenantPermission|tenant_permissions|TenantTriageReview|tenant_triage_reviews|TenantOnboardingSession|ManagedTenantOnboarding|managed_tenant_onboarding|managed_tenant_onboarding_sessions|choose-tenant|select-tenant|clear-tenant-context|cross-tenant-compare|CrossTenantCompare|CrossTenantPromotion|source_tenant_id|target_tenant_id|sourceTenantId|targetTenantId" app database resources routes tests --glob '!vendor' --glob '!node_modules'
```

Results:

| Scan | Count | Classification |
|---|---:|---|
| Legacy panel literals | 10 | Allowed regression guards in `tests/Feature/WorkspaceFoundation/PlatformBootSmokeTest.php`, `tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php`, and `tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php`. |
| Legacy route/name literals | 123 | Allowed negative route assertions, historical redirect/not-found tests, and Spec 300 browser guard assertions. No runtime route is present. |
| Retired URL helpers | 0 | Clean. |
| Priority old families | 0 | Clean. |

### Remaining Tenant References

Broad scan:

```bash
cd apps/platform
rg "\bTenant\b|\btenant\b|tenants" app database resources routes tests --glob '!vendor' --glob '!node_modules'
```

Result: **22,571 matches across 1,561 files**.

| Scope | Files | Allowed? | Classification |
|---|---:|---:|---|
| `tests` | 1076 | yes | Provider fixtures, framework tenancy API assertions, security/isolation tests, negative legacy route guards, historical compatibility tests, and renamed managed-environment regression coverage. |
| `app` | 433 | yes | Provider/Entra terminology, Filament tenancy APIs, system directory tenant terminology, tenant-isolation support domain, residual allowed schema families, product-brand namespaces, and operation/workload identifiers. |
| `resources` | 38 | yes | Filament/UI views using provider/system-directory terminology, framework tenant context terms, and allowed tenant-isolation copy where the domain still intentionally uses tenant as a security boundary. |
| `database` | 12 | yes | Historical migration filenames, provider columns, and residual schema families listed below; priority old tables were renamed. |
| `routes` | 2 | yes | System directory tenant routes only; no retired admin tenant routes. |

Allowed categories:

| Category | Representative references | Representative files / scopes | Allowed? | Reason |
|---|---|---|---:|---|
| Provider term | `Microsoft tenant ID`, `Entra tenant ID`, `tenantId`, `entra_tenant_id`, `microsoft_tenant_id`, provider tenant scope payloads | provider connections, onboarding provider identity, Graph/provider services, verification/report tests | yes | These describe external Microsoft/Entra/provider identity or raw API payload contracts. |
| Filament/framework-required | `Filament::getTenant()`, `Filament::setTenant()`, `canAccessTenant()`, tenant ownership relationship names, tenancy middleware | Filament resources/pages/widgets, test helpers, RBAC tests | yes | Filament v5 and related package APIs use tenant terminology; renaming local calls would break framework integration. |
| Regression guard | `/admin/t`, `/admin/tenants`, `filament.admin.resources.tenants`, `TenantPanelProvider`, `setTenantPanelContext`, `panel: 'tenant'` | guard tests, legacy route not-found tests, Spec 300 smoke guard | yes | These literals prove retired routes, panels, and helpers do not return. |
| System directory | `system/directory/tenants`, `ViewTenant`, `{tenant}` system route parameter | `app/Filament/System/Pages/Directory/ViewTenant.php`, `routes/web.php`, system directory tests | yes | System panel directory intentionally models external/customer tenants, not the admin managed-environment product route. |
| Tenant-isolation domain | `App\Support\Tenants\*`, `TenantAction*`, `TenantOperability*`, tenant-owned tables/model families, tenant lifecycle/security terminology | RBAC, middleware, workspace isolation, operability, action-surface, support-diagnostics code/tests | yes | These references denote the isolation/security boundary and compatibility contracts; the primary product model is now `ManagedEnvironment`. |
| Residual schema family | `tenant_settings`, `tenant_role_mappings`, `baseline_tenant_assignments`, `UserTenantPreference`, `user_managed_environment_preferences` | models, migrations, factories, workspace isolation tests, baseline assignment tests | yes | These are retained schema/compatibility families. Where they point at the product environment, columns/relations use `managed_environment_id`; no old Tenant resource or route is generated from them. |
| Historical migration filename | old `*_tenants*` migration filenames that create or alter current `managed_environments`-based schema | `database/migrations` | yes | Migration filenames are historical ledger entries. Runtime table/constraint names were renamed where they were part of the priority families or active route/resource proof. |
| Product brand / namespace | `tenantpilot`, `TenantPilot`, env/config namespaces | config, console, docs/tests | yes | Product naming remains intentionally separate from the internal model rename. |
| Operation/workload identifier | provider or workload operation strings that still include tenant as domain language, for example tenant evidence snapshot generation | operation catalog, operation tests, telemetry/support diagnostics | yes | Operation IDs are compatibility/workload identifiers. Spec 300 changed active managed-environment surfaces without rewriting unrelated historical operation keys. |

No unclassified active platform-owned priority family remains in `app`, `database`, `resources`, `routes`, or `tests`.

### Route Proof

| Command | Result |
|---|---|
| `cd apps/platform && ./vendor/bin/sail artisan route:list \| rg "admin/t\|admin/tenants\|filament\.admin\.resources\.tenants"` | No output. |
| `cd apps/platform && ./vendor/bin/sail artisan route:list \| rg "tenant\|choose-environment\|select-environment\|clear-environment-context\|cross-environment-compare\|managed-environments\|environment-reviews"` | Shows `admin/choose-environment`, `admin/clear-environment-context`, `admin/cross-environment-compare`, `admin/select-environment`, environment review routes under `/admin/workspaces/{workspace}/environments/{environment}/environment-reviews`, and system directory routes `/system/directory/tenants`. |

Active route classification:

| Route family | Allowed? | Reason |
|---|---:|---|
| `/admin/choose-environment`, `/admin/select-environment`, `/admin/clear-environment-context`, `/admin/cross-environment-compare` | yes | Renamed replacements for old choose/select/clear/cross tenant routes. |
| `/admin/workspaces/{workspace}/environments/{environment}/environment-reviews` | yes | Renamed replacement for old `tenant-reviews` route. |
| `/system/directory/tenants` and `/system/directory/tenants/{tenant}` | yes | System directory route for external/customer tenant directory, not retired admin TenantResource route. |

### DB Proof

| Command | Result |
|---|---|
| `cd apps/platform && ./vendor/bin/sail artisan migrate:fresh --seed` | Passed on 2026-05-14 after the priority schema renames. No DB-affecting changes were made after this pass. |
| Boost read-only table check for old/new priority tables | Old tables absent; new tables present: `environment_review_sections`, `environment_reviews`, `managed_environment_onboarding_sessions`, `managed_environment_permissions`, `managed_environment_triage_reviews`. |
| Boost read-only constraint check `pg_constraint where conname ilike '%tenant%'` | Residual tenant-named constraints are classified as provider (`users_entra_tenant_id_entra_object_id_unique`), residual schema (`baseline_tenant_assignments_*`, `tenant_role_mappings_*`, `tenant_settings_*`), or audit/isolation (`audit_logs_tenant_workspace_scope_check`). |

Read-only table proof result:

| Table | Classification |
|---|---|
| `environment_reviews` | renamed priority family |
| `environment_review_sections` | renamed priority family |
| `managed_environment_permissions` | renamed priority family |
| `managed_environment_triage_reviews` | renamed priority family |
| `managed_environment_onboarding_sessions` | renamed priority family |

### Test Proof

| Lane | Result |
|---|---|
| TenantReview -> EnvironmentReview focused lane | Passed: 54 tests, 445 assertions. |
| TenantPermission -> ManagedEnvironmentPermission focused lane | Passed: 95 tests, 491 assertions. |
| TenantTriageReview -> ManagedEnvironmentTriageReview focused lane | Passed: 35 tests, 246 assertions. |
| TenantOnboardingSession -> ManagedEnvironmentOnboardingSession focused lane | Passed: 135 tests, 641 assertions. |
| choose/select/clear/cross environment route/context lane | Passed: 80 tests, 467 assertions. |
| Baseline source/target environment lane | Passed: 34 tests, 299 assertions. |
| Finding exception open-queue environment route lane | Passed: 10 tests, 56 assertions. |
| `tests/Feature/Guards` | Passed: 266 tests, 4,708 assertions. |
| `tests/Feature/Workspaces` | Passed: 96 tests, 276 assertions. |
| `tests/Feature/Filament` | Passed: 773 tests, 5,017 assertions, 5 skipped. |
| `tests/Feature/ProviderConnections` | Passed: 78 tests, 588 assertions. |
| `tests/Feature/RequiredPermissions` | Passed: 21 tests, 82 assertions. |
| `tests/Feature/Rbac` | Passed: 156 tests, 744 assertions. |
| Focused GovernanceArtifacts context test after review-pack flake fix | Passed: 5 tests, 12 assertions. |
| Focused ReviewPack regression group after deterministic operation fixture fix | Passed: 54 tests, 255 assertions. |
| `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` | Passed. |
| `git diff --check` | Passed. |

Raw full suite:

| Command | Result |
|---|---|
| `cd apps/platform && ./vendor/bin/sail artisan test --compact` | Failed only on `tests/Browser/Reviews/CustomerReviewWorkspaceSmokeTest.php` with a 15s browser click timeout at line 110. Summary: 1 failed, 8 skipped, 4,680 passed, 31,620 assertions, 4,489.12s. |
| Isolated rerun: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Reviews/CustomerReviewWorkspaceSmokeTest.php` | Passed: 1 test, 46 assertions, 7.36s. |

The raw full suite failure is classified as an isolated browser timeout flake because the same test passed immediately in isolation without code changes.

### Browser Proof

| Test | Result |
|---|---|
| `tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php` | Passed in browser smoke lane. |
| `tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php` | Passed in browser smoke lane. |
| `tests/Browser/Dashboard/TenantDashboardProductizationSmokeTest.php` | Passed in browser smoke lane. |
| `tests/Browser/Spec299WorkspaceOverviewCutoverSealSmokeTest.php` | Passed in browser smoke lane. |
| `tests/Browser/Spec300ManagedEnvironmentNamingConsolidationSmokeTest.php` | Passed in browser smoke lane. |
| Combined required browser smoke lane | Passed: 5 tests, 138 assertions. |
| Additional stale route/detail browser group (`Spec172`, `Spec192`, `Spec194`, `Spec202`, `Spec265`) | Passed: 13 tests, 211 assertions. |
| `tests/Browser/Reviews/CustomerReviewWorkspaceSmokeTest.php` isolated after full-suite timeout | Passed: 1 test, 46 assertions. |

### Decision

**merge-ready with documented isolated browser flake**

The conditions for Spec 300 close-out are met:

- Old `/admin/t` and `/admin/tenants` routes are absent.
- Old URL helpers and old TenantPanel provider/helper references have no runtime usage.
- Priority platform-owned families were renamed or classified.
- Remaining `Tenant` / `tenant` / `tenants` hits are classified by provider, framework, regression-guard, system-directory, tenant-isolation, residual-schema, historical-migration, product-brand, or operation-workload category.
- Migration/seed proof passed after schema renames.
- Feature, Filament, Workspace, Provider, RequiredPermissions, RBAC, focused ReviewPack, and browser smoke lanes passed.
- Raw full suite had one browser timeout that passed immediately in isolation and is documented above.