# Tasks: Tenant Panel Dead-Code Retirement **Input**: Design documents from `/specs/304-tenant-panel-dead-code-retirement/` **Prerequisites**: `spec.md`, `plan.md`, `checklists/requirements.md` **Tests**: Tests are required. This is a runtime cleanup and guardrail change for provider registration, route collection, canonical links, and Filament navigation contracts. ## Test Governance Checklist - [x] Lane assignment is named and is the narrowest sufficient proof for the changed behavior. - [x] New or changed tests stay in the smallest honest family, and any browser smoke is explicit and justified. - [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default. - [x] Planned validation commands cover the change without pulling unrelated lane cost. - [x] The declared surface test profile is `global-context-shell` plus `standard-native-filament`. - [x] Any material budget, baseline, trend, or escalation note is recorded in the active spec or PR. ## Phase 1: Preparation and Runtime Truth Lock **Purpose**: Confirm repo truth before deleting or rewriting anything. - [x] T001 Review `specs/304-tenant-panel-dead-code-retirement/spec.md`, `specs/304-tenant-panel-dead-code-retirement/plan.md`, `specs/304-tenant-panel-dead-code-retirement/tasks.md`, and `specs/304-tenant-panel-dead-code-retirement/checklists/requirements.md`. - [x] T002 Review completed context in `specs/301-admin-inventory-navigation-cutover/`, `specs/302-tenant-owned-surface-route-audit/`, and `specs/303-admin-directory-groups-cutover/` without modifying those completed specs. - [x] T003 Inspect `apps/platform/bootstrap/providers.php` and confirm the active providers are admin/system only for Filament runtime. - [x] T004 Inspect `apps/platform/app/Providers/Filament/TenantPanelProvider.php` and `apps/platform/app/Filament/Providers/TenantPanelProvider.php`; if either active runtime file exists, record references before removal. - [x] T005 Inspect `apps/platform/routes/web.php` and the runtime route collection for `admin/t`, `admin/tenants`, tenant-panel route names, and compatibility redirects. - [x] T006 Search `apps/platform/app/`, `apps/platform/bootstrap/`, `apps/platform/routes/`, and `apps/platform/tests/` for `/admin/t`, `/admin/tenants`, `TenantPanelProvider`, `panel: 'tenant'`, `panel: "tenant"`, and `filament.admin.resources.tenants` and classify each hit as historical/removal-test, stale active test, runtime dependency, or link-emission risk. - [x] T007 Confirm no implementation task introduces migrations, models, provider adapters, assets, new product surfaces, destructive actions, route aliases, redirects, or compatibility shims. --- ## Phase 2: User Story 1 - Retired Tenant Panel runtime cannot boot (Priority: P1) **Goal**: Tenant Panel provider/runtime registration is absent and guarded. **Independent Test**: Provider bootstrap and Filament panel resolution assertions fail if the retired tenant panel returns. - [x] T008 [P] [US1] Update `apps/platform/tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php` to assert `apps/platform/bootstrap/providers.php` does not register any Tenant Panel provider class. - [x] T009 [P] [US1] Update `apps/platform/tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php` to assert no active Tenant Panel provider class exists at `app/Providers/Filament/TenantPanelProvider.php` or `app/Filament/Providers/TenantPanelProvider.php`. - [x] T010 [P] [US1] Update `apps/platform/tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php` to assert `Filament::getPanel('tenant')` remains null. - [x] T011 [US1] If an active Tenant Panel provider class exists and no runtime/test dependency remains, delete `apps/platform/app/Providers/Filament/TenantPanelProvider.php` or `apps/platform/app/Filament/Providers/TenantPanelProvider.php`. Repo truth: no active provider file existed, so no deletion was needed. - [x] T012 [US1] If a Tenant Panel provider cannot be deleted safely, document the narrow blocker in `specs/304-tenant-panel-dead-code-retirement/plan.md` and keep the class unregistered. Repo truth: no blocker existed because no active provider file remained. --- ## Phase 3: User Story 2 - Legacy route families are unavailable (Priority: P1) **Goal**: `/admin/t` and legacy `/admin/tenants` route families are not registered, not reachable, and not redirected. **Independent Test**: Route collection and HTTP request assertions prove retired route families are absent. - [x] T013 [P] [US2] Update `apps/platform/tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php` to assert no route URI begins with `admin/t`. - [x] T014 [P] [US2] Update `apps/platform/tests/Feature/Guards/NoActiveTenantResourceRoutesTest.php` to assert no active product route URI begins with `admin/tenants`. - [x] T015 [P] [US2] Update `apps/platform/tests/Feature/Guards/NoActiveTenantResourceRoutesTest.php` to assert route names do not include retired tenant-panel naming conventions such as `filament.tenant.` or `filament.admin.resources.tenants.`. - [x] T016 [US2] Update `apps/platform/tests/Feature/Guards/NoActiveTenantResourceRoutesTest.php` to assert `/admin/t/{environment}`, `/admin/t/{environment}/inventory-items`, `/admin/tenants`, and `/admin/tenants/{environment}` return not found for an authenticated workspace/environment user. - [x] T017 [US2] Inspect `apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php`; replace any stale expectation that `/admin/tenants/{environment}/provider-connections` redirects with an assertion matching current route truth, or document why it is current canonical behavior. - [x] T018 [US2] Inspect `apps/platform/tests/Feature/RequiredPermissions/RequiredPermissionsLegacyRouteTest.php`, `apps/platform/tests/Feature/Operations/LegacyRunRoutesNotFoundTest.php`, and `apps/platform/tests/Feature/078/LegacyRoutesReturnNotFoundTest.php` and keep only removal-focused legacy route assertions. - [x] T019 [US2] Remove active route definitions or redirects from `apps/platform/routes/web.php` only if T005 finds a confirmed legacy route. Repo truth: no active legacy route or redirect was found, so no route deletion was needed. --- ## Phase 4: User Story 3 - Workspace and environment navigation contracts remain precise (Priority: P2) **Goal**: Workspace home stays clean while eligible environment-bound surfaces remain visible and reachable. **Independent Test**: Workspace-home and canonical environment tests prove absence/presence independently. - [x] T020 [P] [US3] Update `apps/platform/tests/Feature/Filament/PanelNavigationSegregationTest.php` so workspace-home clean navigation and environment-bound visibility are separate assertions, not one blanket admin-hidden rule. - [x] T021 [P] [US3] Update `apps/platform/tests/Feature/Filament/AdminTenantSurfaceParityTest.php` to stop enforcing stale "admin can never see tenant-owned resources" semantics and instead assert canonical environment context where applicable. - [x] T022 [P] [US3] Update `apps/platform/tests/Feature/Filament/AdminSharedSurfacePanelParityTest.php` to preserve workspace-owned/admin-shared surfaces without referencing Tenant Panel compatibility. - [x] T023 [P] [US3] Update `apps/platform/tests/Feature/Filament/TenantOwnedResourceScopeParityTest.php` to preserve server-side environment scoping and cross-environment denial without depending on retired panel routes. - [x] T024 [P] [US3] Verify `apps/platform/tests/Feature/Filament/InventoryCoverageAdminTenantParityTest.php` still proves Inventory Coverage uses canonical workspace/environment routes and does not emit `/admin/t`. - [x] T025 [P] [US3] Verify `apps/platform/tests/Feature/Filament/EntraGroupAdminScopeTest.php` still proves Entra Groups are hidden on workspace home, visible in environment context, scoped to the active environment, and do not emit `/admin/t`. - [x] T026 [P] [US3] Verify `apps/platform/tests/Feature/Filament/PolicyResourceAdminSearchParityTest.php` and `apps/platform/tests/Feature/Filament/PolicyVersionAdminSearchParityTest.php` still prove policy search destinations remain canonical and route-safe. - [x] T027 [US3] If navigation runtime code must change, keep edits limited to existing shared helpers such as `apps/platform/app/Support/Navigation/NavigationScope.php`, `apps/platform/app/Support/OperateHub/OperateHubShell.php`, or resource `shouldRegisterNavigation()` methods. Runtime edit stayed limited to `InventoryCoverage::resolveAdminUrlTenant()` so it delegates to the existing panel tenant resolver instead of reading raw panel tenant state. --- ## Phase 5: User Story 4 - Links and search never emit retired routes (Priority: P3) **Goal**: High-signal link builders and global-search destinations never generate `/admin/t` or tenant-panel URLs. **Independent Test**: Generated URLs from known link builders and search destinations use canonical workspace/environment paths. - [x] T028 [P] [US4] Add or update assertions in `apps/platform/tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php` that global-search result URLs do not contain `/admin/t` and resolve to canonical View routes. - [x] T029 [P] [US4] Add or update assertions in `apps/platform/tests/Feature/Monitoring/OperationsDashboardDrillthroughTest.php` to prove `OperationRunLinks` and `OperationRunUrl` do not emit `/admin/t`. - [x] T030 [P] [US4] Add or update assertions covering `apps/platform/app/Support/ManagedEnvironmentLinks.php` through an existing workspace/environment routing test such as `apps/platform/tests/Feature/Guards/ManagedEnvironmentCanonicalRouteContractTest.php`. Existing assertions already covered canonical ManagedEnvironment links and were rerun. - [x] T031 [US4] Inspect `apps/platform/app/Support/OperationRunLinks.php`, `apps/platform/app/Support/OpsUx/OperationRunUrl.php`, and `apps/platform/app/Support/ManagedEnvironmentLinks.php`; fix only confirmed active legacy emissions. - [x] T032 [US4] Inspect resource URL helpers in `apps/platform/app/Filament/Resources/InventoryItemResource.php`, `apps/platform/app/Filament/Resources/EntraGroupResource.php`, `apps/platform/app/Filament/Resources/PolicyResource.php`, `apps/platform/app/Filament/Resources/PolicyVersionResource.php`, `apps/platform/app/Filament/Resources/BackupSetResource.php`, `apps/platform/app/Filament/Resources/RestoreRunResource.php`, `apps/platform/app/Filament/Resources/FindingResource.php`, `apps/platform/app/Filament/Resources/EvidenceSnapshotResource.php`, `apps/platform/app/Filament/Resources/EnvironmentReviewResource.php`, `apps/platform/app/Filament/Resources/ReviewPackResource.php`, and `apps/platform/app/Filament/Resources/StoredReportResource.php`; fix only confirmed active legacy emissions. Static search and focused URL tests found no active legacy emissions. - [x] T033 [US4] Keep historical `/admin/t` strings in old specs, docs, and explicit removal tests allowlisted rather than performing a broad docs purge. --- ## Phase 6: Minimal Product Docs **Purpose**: Update only current product truth if implementation changes it. - [x] T034 Inspect `docs/product/spec-candidates.md` and `docs/product/implementation-ledger.md` after runtime cleanup. - [x] T035 If Tenant Panel runtime is fully retired or already proven absent, add a minimal ledger or candidate note stating that active Tenant Panel runtime and `/admin/t` routes are unavailable and guarded. - [x] T036 Do not rewrite historical specs, historical docs, roadmap sections, or old implementation evidence. --- ## Phase 7: Validation and Close-Out **Purpose**: Prove the cleanup and record exact findings. - [x] T037 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php tests/Feature/Guards/NoActiveTenantResourceRoutesTest.php tests/Feature/Workspaces/WorkspaceIntendedUrlLegacyRejectionTest.php`. - [x] T038 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/PanelNavigationSegregationTest.php tests/Feature/Filament/AdminTenantSurfaceParityTest.php tests/Feature/Filament/AdminSharedSurfacePanelParityTest.php tests/Feature/Filament/TenantOwnedResourceScopeParityTest.php tests/Feature/Filament/InventoryCoverageAdminTenantParityTest.php tests/Feature/Filament/EntraGroupAdminScopeTest.php tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php tests/Feature/Filament/PolicyResourceAdminSearchParityTest.php tests/Feature/Filament/PolicyVersionAdminSearchParityTest.php`. - [x] T039 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Monitoring/OperationsDashboardDrillthroughTest.php tests/Feature/Operations/LegacyRunRoutesNotFoundTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/RequiredPermissions/RequiredPermissionsLegacyRouteTest.php`. - [x] T040 Run `git diff --check` from `/Users/ahmeddarrazi/Documents/projects/wt-plattform`. - [x] T041 Run browser smoke only if rendered navigation or route registration changes; otherwise document the feature-test substitute in close-out. - [x] T042 Update implementation close-out notes with files changed, provider status, route status, `/admin/tenants` status, route retirement test result, Inventory result, Entra Groups result, global-search/link result, browser smoke result or reason not run, `git diff --check` result, and deferred blockers. ## Implementation Close-Out Notes - Files changed: `apps/platform/app/Filament/Pages/InventoryCoverage.php`; focused guard, Filament, operations, and reference-link tests; `docs/product/implementation-ledger.md`; `docs/product/spec-candidates.md`; this spec task file. - Tenant Panel provider status: already absent before implementation. Guard coverage now checks both active app provider paths, provider bootstrap contents, and `Filament::getPanel('tenant')`. - `/admin/t` route status: already absent before implementation. Guard coverage now checks route collection absence and direct 404s for base and child retired URLs. - `/admin/tenants/{environment}` route status: no active legacy route or redirect was found. Guard and provider-connection tests assert not found with no `Location` header. - Route retirement test result: `NoLegacyTenantPanelRuntimeTest`, `NoActiveTenantResourceRoutesTest`, and `WorkspaceIntendedUrlLegacyRejectionTest` passed. - Inventory contract result: `InventoryCoverageAdminTenantParityTest` and the full focused Filament lane passed after `InventoryCoverage` was changed to use the shared resolver path. - Entra Groups contract result: `EntraGroupAdminScopeTest` and `EntraGroupGlobalSearchScopeTest` passed; generated global-search URLs use canonical workspace/environment View routes and do not contain `/admin/t` or `/admin/tenants`. - Global-search/link result: `ManagedEnvironmentCanonicalRouteContractTest`, `OperationsDashboardDrillthroughTest`, and `PolicyVersionResolvedReferenceLinksTest` passed; high-signal link builders do not emit retired routes. - Browser smoke result: not run. This implementation changed route/provider/link guardrails and one backend URL-context resolver but did not change rendered Filament navigation, forms, actions, assets, or route registration. Feature tests rendered and exercised the relevant workspace/environment navigation and resource pages as the substitute. - `git diff --check`: passed. - Deferred blockers: none. ## Dependencies - Phase 1 must complete before any runtime or test edits. - Phase 2 and Phase 3 can run in parallel after Phase 1 if different test files are owned. - Phase 4 depends on classifying stale tests in Phase 1 and should not weaken RBAC/context assertions. - Phase 5 can run in parallel with Phase 4 when link-builder tests are in separate files. - Phase 6 only runs after implementation findings are known. - Phase 7 runs after all in-scope edits are complete. ## Parallel Execution Examples - T008, T009, T010, T013, T014, and T015 can run in parallel if each worker owns separate assertions or coordinates within guard test files. - T020, T021, T022, and T023 can run in parallel if each worker owns the named test file. - T028, T029, and T030 can run in parallel because they target different link/search proof paths. - T024, T025, and T026 are verification tasks and can run independently after related test updates. ## Implementation Strategy 1. Treat current runtime truth as authoritative. 2. Preserve or strengthen removal-focused guard tests. 3. Replace stale compatibility or blanket-hidden assertions with precise workspace/environment contracts. 4. Fix only active runtime/link emissions found by tests or repo inspection. 5. Keep historical docs and completed specs intact. 6. Validate with focused tests and document browser-smoke decision. ## Explicit Non-Goals - [x] Do not add `/admin/t` or `/admin/tenants` compatibility aliases. - [x] Do not add redirects from retired route families to canonical workspace/environment routes. - [x] Do not introduce a new route-helper architecture. - [x] Do not migrate schema, models, `tenant_id`, or provider connection ownership. - [x] Do not add product surfaces, navigation features, destructive actions, Graph behavior, jobs, assets, or migrations. - [x] Do not purge historical docs or rewrite completed specs. - [x] Do not weaken RBAC, workspace isolation, environment scoping, or global-search scoping.