# Tasks: Workspace-Owned Analysis Surface Registration & Shell Cutover **Input**: Design documents from `/specs/320-workspace-owned-analysis-surface-registration-shell-cutover/` **Prerequisites**: `plan.md`, `spec.md` **Tests**: Required. This is a runtime route/shell/query/navigation contract change. ## Test Governance Checklist - [x] Lane assignment is named and is the narrowest sufficient proof for classifier, shell, query, reload/history, and regression behavior. - [x] New or changed tests stay in the smallest honest family; browser additions are explicit. - [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default. - [x] Planned validation commands cover the change without pulling in unrelated lane cost. - [x] The declared surface test profile `global-context-shell` is explicit. - [x] Any material budget, baseline, trend, or escalation note is recorded in the implementation close-out. ## Phase 1: Guardrails and Repo Verification **Purpose**: Confirm current repo truth before runtime edits. - [x] T001 Verify implementation starts from branch `320-workspace-owned-analysis-surface-registration-shell-cutover` and record any unrelated uncommitted files. - [x] T002 Re-read `specs/318-admin-surface-scope-shell-context-audit/audit-report.md`, `surface-inventory.md`, `page-matrix.md`, `mismatch-findings.md`, and `recommended-fixes.md`. - [x] T003 Re-read `specs/319-environment-owned-surface-routing-shell-context-contract/spec.md`, `plan.md`, and `tasks.md` as dependency context only. - [x] T004 Confirm Laravel/Filament/Livewire/Pest versions through Laravel Boost `application_info`. - [x] T005 Confirm no migration, seeder, package, env var, queue, scheduler, storage, or deployment asset change is required. - [x] T006 Inventory current classifier behavior in `apps/platform/app/Support/Navigation/AdminSurfaceScope.php`. - [x] T007 Inventory current workspace hub behavior in `apps/platform/app/Support/Navigation/WorkspaceHubRegistry.php` and `WorkspaceSidebarNavigation.php`. - [x] T008 Inventory shell resolution in `apps/platform/app/Support/OperateHub/OperateHubShell.php`, including remembered Environment and query hint behavior. - [x] T009 Inventory in-scope baseline routes/pages in `BaselineProfileResource`, `BaselineSnapshotResource`, and `BaselineCompareMatrix`. - [x] T010 Inventory in-scope workspace analysis routes/pages in `MyFindingsInbox`, `FindingsIntakeQueue`, `FindingsHygieneReport`, and `CrossEnvironmentComparePage`. - [x] T011 Search routes/navigation for any additional Spec 318 unregistered workspace analysis page still present and decide include/exclude with evidence. - [x] T012 Identify any existing tests asserting remembered Environment fallback on in-scope pages and mark them for replacement. ## Phase 2: Tests First / Contract Coverage **Purpose**: Add failing or alongside tests that define the new contract. - [x] T013 Add/update `apps/platform/tests/Unit/Tenants/AdminSurfaceScopeTest.php` proving Baselines/Baseline Profiles paths are workspace-owned analysis or environmentless shell paths. - [x] T014 Add/update `apps/platform/tests/Unit/Tenants/AdminSurfaceScopeTest.php` proving Baseline Snapshots paths are workspace-owned analysis or environmentless shell paths. - [x] T015 Add/update `apps/platform/tests/Unit/Tenants/AdminSurfaceScopeTest.php` proving Baseline Profile detail/edit/compare-matrix paths do not allow remembered Environment restore. - [x] T016 Add/update `apps/platform/tests/Unit/Tenants/AdminSurfaceScopeTest.php` proving My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare paths do not allow remembered Environment restore. - [x] T017 Add/update `apps/platform/tests/Unit/Support/OperateHub/OperateHubShellResolutionTest.php` proving workspace-owned analysis clean URLs show Workspace shell only when a remembered Environment exists. - [x] T018 Add/update `apps/platform/tests/Feature/Navigation/WorkspaceHubRegistryTest.php` proving in-scope pages are not accidentally treated as full workspace hubs unless implementation intentionally registers them with hub behavior. - [x] T019 Add/update tests proving clean Baselines and Baseline Snapshots URLs open without active Environment context. - [x] T020 Add/update tests proving Baseline Profile view/edit/compare-matrix URLs open with Workspace shell only. - [x] T021 Add/update tests proving My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare clean URLs open with Workspace shell only. - [x] T022 Add/update tests proving remembered Environment state alone does not set shell context on in-scope pages. - [x] T023 Add/update tests proving `tenant`, `tenant_id`, `managed_environment_id`, `tenant_scope`, and `tableFilters` do not create shell or filter state on in-scope pages. - [x] T024 For pages that support canonical `environment_id`, add/update tests proving shell remains Workspace only and a visible chip/clear affordance exists. - [x] T025 For pages that do not support canonical `environment_id`, add/update tests proving unsupported `environment_id` is ignored, stripped, or rejected without hidden shell/data mismatch. - [x] T026 Add/update tests proving Environment Dashboard or Environment-origin links to in-scope workspace-owned analysis pages do not carry active Environment shell ownership. - [x] T027 Keep/add Baseline Compare regression coverage proving its canonical route remains Environment-owned. - [x] T028 Keep/add Decision Register regression coverage proving clean and filtered workspace hub behavior remains green. - [x] T029 Keep/add Specs 314-317 regression coverage for clean workspace hub entry, Environment CTA `environment_id`, clear filter, and no legacy Tenant aliases. - [x] T030 Add/update existing high-impact baseline action tests only as needed to prove capture/compare actions still keep confirmation, authorization, audit, and OperationRun UX after shell classification changes. ## Phase 3: Classification and Shell Cutover **Purpose**: Implement the narrowest route/shell classification fix. - [x] T031 Update `apps/platform/app/Support/Navigation/AdminSurfaceScope.php` to classify in-scope workspace-owned analysis paths explicitly. - [x] T032 Ensure the chosen classification forces environmentless shell context for clean workspace-owned analysis URLs. - [x] T033 Ensure the chosen classification does not allow remembered Environment restore. - [x] T034 Ensure Livewire referer-based classification uses the same in-scope path behavior. - [x] T035 If adding a new `AdminSurfaceScope` enum case, complete the proportionality note in implementation close-out and avoid using it outside audited routes. - [x] T036 If registering any in-scope page in `WorkspaceHubRegistry`, verify it truly satisfies workspace hub/filter/clear semantics and add matching registry tests. - [x] T037 Keep `WorkspaceHubRegistry::forbiddenQueryKeys()` and related query-cleaning behavior aligned with no legacy aliases. - [x] T038 Do not add Baseline Compare to workspace hub or workspace-owned analysis classification. - [x] T039 Do not alter Environment-bound route classification for required permissions, inventory, backups, evidence, reviews, stored reports, review packs, or other Spec 319 out-of-scope Environment pages. ## Phase 4: Baseline Surfaces **Purpose**: Align baseline library/report pages with workspace-owned shell semantics. - [x] T040 Update `apps/platform/app/Filament/Resources/BaselineProfileResource.php` only if needed so list/view/edit/create URLs and navigation do not rely on active Environment shell. - [x] T041 Update Baseline Profile breadcrumbs/header/copy if any primary wording implies active Environment ownership. - [x] T042 Update Baseline Profile related navigation links if they carry hidden Environment shell ownership or legacy query aliases. - [x] T043 Update `apps/platform/app/Filament/Pages/BaselineCompareMatrix.php` only if needed so the page shell is Workspace only while source Environment drilldowns remain explicit page links. - [x] T044 Preserve Baseline Compare Matrix filter query keys such as `tenant_sort` only as page matrix state, not shell Environment ownership. - [x] T045 Update `apps/platform/app/Filament/Resources/BaselineSnapshotResource.php` only if needed so list/view URLs and copy remain workspace snapshot library/report semantics. - [x] T046 Preserve Baseline Profile and Baseline Snapshot global search disabled status unless implementation deliberately verifies and tests safe View/Edit pages. - [x] T047 Preserve existing baseline archive/capture/compare action confirmation, authorization, notifications, audit, and OperationRun behavior. ## Phase 5: Findings and Portfolio Analysis Surfaces **Purpose**: Align unregistered workspace analysis pages found by Spec 318. - [x] T048 Update `apps/platform/app/Filament/Pages/Findings/MyFindingsInbox.php` only if needed so clean URL shell is Workspace only. - [x] T049 Update `apps/platform/app/Filament/Pages/Findings/FindingsIntakeQueue.php` only if needed so clean URL shell is Workspace only. - [x] T050 Update `apps/platform/app/Filament/Pages/Findings/FindingsHygieneReport.php` only if needed so clean URL shell is Workspace only. - [x] T051 Replace `tenant` query prefilter handling on findings analysis pages with canonical `environment_id` if this is already intended product behavior and can show visible filter/clear affordance. - [x] T052 If findings analysis pages cannot safely migrate filter behavior in this slice, prevent shell inheritance and document filter-key follow-up rather than adding half-state support. - [x] T053 Update `apps/platform/app/Filament/Pages/CrossEnvironmentComparePage.php` only if needed so source/target Environment selectors remain page state and shell is Workspace only. - [x] T054 Ensure Cross-environment Compare direct URL, query-hydrated URL, and reload do not restore remembered Environment shell. - [x] T055 Preserve existing promotion/preflight authorization, confirmation, audit, OperationRun links, and provider-boundary behavior. ## Phase 6: Navigation, Links, Copy, and Legacy Aliases **Purpose**: Make visible navigation agree with page ownership. - [x] T056 Update `WorkspaceSidebarNavigation` or related navigation builders only if in-scope pages are present there and currently emit ambiguous URLs. - [x] T057 Update `ManagedEnvironmentLinks` only if Environment-origin cards/actions link to workspace-owned analysis pages with hidden shell ownership. - [x] T058 Ensure sidebar/global/workspace entry to Baselines, Baseline Snapshots, baseline matrix, findings analysis pages, and Cross-environment Compare uses clean workspace URLs unless canonical `environment_id` filter is intentionally supported. - [x] T059 Ensure Environment Dashboard links to in-scope workspace-owned analysis pages use clean workspace URLs or explicit `environment_id` filter URLs with visible chip/clear behavior. - [x] T060 Remove or replace user-facing copy that says `this environment`, `current environment`, or similar primary ownership wording on in-scope workspace-owned analysis pages. - [x] T061 Keep Environment columns, Environment badges, source/target selectors, and Environment filters where they are data/filter state rather than shell ownership. - [x] T062 Ensure no in-scope page starts accepting `tenant`, `tenant_id`, `managed_environment_id`, `tenant_scope`, or `tableFilters` as public Environment filter aliases. ## Phase 7: Browser Verification **Purpose**: Prove visible route/shell/copy behavior. - [x] T063 Start local platform stack using Sail or the repo platform dev command. - [x] T064 Browser Flow A: Workspace Overview -> Baselines; verify Workspace shell only, no active Environment, workspace/library wording. - [x] T065 Save Flow A screenshot to `specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/workspace-origin--baselines.png`. - [x] T066 Browser Flow B: Environment Dashboard -> Baselines through sidebar/global/navigation/card; verify shell cuts to Workspace only. - [x] T067 Save Flow B screenshot to `artifacts/screenshots/environment-origin--baselines.png`. - [x] T068 Browser Flow C: reload Baselines and verify active Environment shell does not return. - [x] T069 Save Flow C screenshot to `artifacts/screenshots/baselines--after-reload.png`. - [x] T070 Repeat workspace origin, environment origin, and reload flows for Baseline Snapshots. - [x] T071 Save Baseline Snapshots screenshots using `workspace-origin--baseline-snapshots.png`, `environment-origin--baseline-snapshots.png`, and `baseline-snapshots--after-reload.png`. - [x] T072 Browser verify Baseline Compare Matrix direct/reload/back-forward behavior if local fixture has a baseline profile. - [x] T073 Browser verify My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare clean URLs from remembered Environment context. - [x] T074 Browser verify Baseline Compare remains Environment-owned. - [x] T075 Save Baseline Compare regression screenshot to `artifacts/screenshots/baseline-compare--regression-environment-owned.png`. - [x] T076 Browser verify Decision Register clean and filtered workspace hub regressions. - [x] T077 Save Decision Register regression screenshot to `artifacts/screenshots/decision-register--regression-workspace-hub.png`. - [x] T078 If browser setup or fixture data blocks any flow, document the exact blocker and alternate proof in the implementation close-out. > Browser coverage note: Matrix and Baseline Compare browser flows were partially blocked by local Spec 180 fixture/capability state. The local fixture has no baseline profile for a matrix browser flow, and the environment-owned Baseline Compare browser route is intentionally capability-denied. The environment-owned Baseline Compare contract and matrix route behavior are covered by focused Pest route/RBAC tests. No runtime gap remains in Spec 320 scope. ## Phase 8: Final Validation and Close-Out **Purpose**: Complete implementation proof without broad rebaseline. - [x] T079 Run `git diff --check`. - [x] T080 Run the focused Pest commands listed in `plan.md`. - [x] T081 Run formatting with the repo-standard Pint command for touched PHP files. - [x] T082 Review `git diff --stat` and confirm only in-scope runtime/test/spec artifacts changed. - [x] T083 Confirm no migrations, seeders, package files, env files, queue/scheduler/storage config, or deployment asset files changed. - [x] T084 Confirm no backwards compatibility layer, redirect shim, dual route model, or legacy query alias support was introduced. - [x] T085 Prepare final implementation report with changed behavior, workspace-owned analysis surfaces classified, surfaces registered, files changed, tests, browser verification, screenshots path, follow-ups 321/322, and any unrelated residual failures. - [x] T086 Include the Filament v5 output contract in the final report: Livewire v4.0+ compliance, provider registration location, global search status, destructive/high-impact actions, asset strategy, and testing plan/results. ## Explicit Non-Tasks - [x] NT001 Do not implement Alerts/Audit Log filter behavior; leave it to Spec 321. - [x] NT002 Do not build durable browser no-drift infrastructure; leave it to Spec 322. - [x] NT003 Do not change Baseline Compare except regression coverage needed to prove Spec 319 remains intact. - [x] NT004 Do not add migrations, seeders, packages, env vars, queues, scheduler, storage, or deployment asset changes. - [x] NT005 Do not add legacy `tenant`, `tenant_id`, `managed_environment_id`, `tenant_scope`, or `tableFilters` aliases. - [x] NT006 Do not preserve remembered Environment fallback for workspace-owned analysis clean URLs.