# Tasks: Browser No-Drift Regression Guard **Input**: Spec artifacts from `specs/322-browser-no-drift-regression-guard/` **Prerequisites**: `spec.md`, `plan.md`, `test-plan.md`, `coverage-manifest.md` **Runtime posture**: Test/guard-first. No new product behavior unless a narrow fix is required to satisfy existing Specs 314 through 321 contracts. ## Phase 1: Discovery Confirmation - [x] T001 Re-read `specs/322-browser-no-drift-regression-guard/spec.md`, `plan.md`, `test-plan.md`, and `coverage-manifest.md` before implementation starts. - [x] T002 Re-read Specs 314 through 321 as historical/context dependencies without editing their completed artifacts. - [x] T003 Inspect `apps/platform/app/Support/Navigation/WorkspaceHubRegistry.php` and confirm required workspace hubs and exclusions still match the manifest. - [x] T004 Inspect `apps/platform/app/Support/Navigation/AdminSurfaceScope.php` and confirm workspace-owned analysis surface classification still matches the manifest. - [x] T005 Inspect `apps/platform/app/Support/Navigation/WorkspaceHubEnvironmentFilter.php` and confirm canonical `environment_id` remains the only accepted filter query key. - [x] T006 Inspect `apps/platform/app/Support/Navigation/WorkspaceHubFilterStateResetter.php` and confirm legacy Environment-like query/table/session keys remain resettable. - [x] T007 Inspect route names and URLs for all required surfaces listed in `specs/322-browser-no-drift-regression-guard/coverage-manifest.md`. - [x] T008 Update `specs/322-browser-no-drift-regression-guard/coverage-manifest.md` if discovery proves a route, classification, or existing coverage status has changed. ## Phase 2: Feature / Static Guards - [x] T009 [P] Add `it('classifies_core_admin_surfaces_without_scope_drift')` in `apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php`. - [x] T010 [P] Add `it('workspace_hub_clean_urls_never_emit_environment_or_legacy_query_params')` in `apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php`. - [x] T011 [P] Add `it('clear_filter_results_match_clean_workspace_hub_entry_for_filterable_hubs')` in `apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php`. - [x] T012 [P] Add `it('environment_id_filters_reject_cross_workspace_environment_ids')` in `apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php`. - [x] T013 [P] Add `it('environment_cta_urls_use_the_correct_surface_contract')` in `apps/platform/tests/Feature/Navigation/Spec322EnvironmentCtaUrlContractTest.php`. - [x] T014 [P] Add `it('legacy_environment_query_aliases_do_not_create_filter_or_shell_state')` in `apps/platform/tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php`. - [x] T015 [P] Add `it('has_no_active_legacy_tenant_panel_routes')` coverage by extending or referencing `apps/platform/tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php`. - [x] T016 [P] Add `it('allows_tenant_terms_only_in_provider_boundary_contexts')` coverage by extending `apps/platform/tests/Feature/Guards/LegacyTenantPlatformContextCleanupTest.php` or adding a narrow Spec 322 guard. - [x] T017 Confirm Feature/static guards cover Operations, Governance Inbox, Decision Register, Finding Exceptions Queue, Provider Connections, Evidence Overview, Reviews, Customer Reviews, Alert Deliveries, Audit Log, Alerts, Alert Rules, Alert Destinations, Workspace Settings, Baseline Profiles, Baseline Snapshots, My Findings, Findings Intake, Findings Hygiene, Cross-environment Compare, and Baseline Compare. ## Phase 3: Browser Harness And Fixture Control - [x] T018 Inspect existing Pest Browser patterns in `apps/platform/tests/Browser/Spec314WorkspaceHubNavigationContextSmokeTest.php` and `apps/platform/tests/Browser/Spec316WorkspaceHubClearFilterSmokeTest.php`. - [x] T019 Decide whether a test-only helper such as `apps/platform/tests/Browser/Support/Spec322WorkspaceEnvironmentBrowserHarness.php` is necessary, or keep helpers local to the Spec 322 browser files. - [x] T020 If a harness is added, keep workspace, Environment, membership, and session setup explicit and opt-in in `apps/platform/tests/Browser/Support/Spec322WorkspaceEnvironmentBrowserHarness.php`. - [x] T021 If a harness is added, document its fixture-cost boundary in `specs/322-browser-no-drift-regression-guard/coverage-manifest.md`. - [x] T022 Avoid adding seeders; if deterministic browser fixtures cannot be built with factories, stop and update `spec.md` and `plan.md` before changing seeders. ## Phase 4: Workspace Hub Browser Guards - [x] T023 [P] Add `apps/platform/tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php` covering clean workspace hub entry from Environment origin. - [x] T024 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Operations. - [x] T025 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Governance Inbox. - [ ] T026 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Decision Register. - Covered by existing Spec314/316 browser anchors plus Spec322 Feature/static guards; not duplicated in the focused Spec322 browser smoke. - [ ] T027 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Finding Exceptions Queue. - Covered by existing Spec314/316 browser anchors plus Spec322 Feature/static guards; Spec322 browser includes this surface in the representative legacy alias guard. - [x] T028 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Provider Connections. - [x] T029 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Evidence Overview. - [ ] T030 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Reviews and Customer Reviews. - Covered by existing Spec314/316 browser anchors plus Spec322 Feature/static guards; not duplicated in the focused Spec322 browser smoke. - [ ] T031 [P] In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Alert Deliveries and Audit Log. - Covered in `Spec322AlertsAuditNoDriftSmokeTest.php`, with Audit Log clear/history retained as Feature fallback due browser click timing. - [ ] T032 In `Spec322WorkspaceHubNoDriftSmokeTest.php`, cover filtered entry, visible chip, clear, and reload for all filterable workspace hubs; include browser back/forward alignment for Provider Connections, Finding Exceptions Queue, Customer Reviews, Evidence Overview, Alert Deliveries, and Audit Log. - Spec322 browser covers Provider Connections, Evidence Overview, and Alert Deliveries; existing Spec316 browser and Spec322 Feature/static guards cover the remaining permutations. ## Phase 5: Environment-Owned Browser Guards - [x] T033 Add `apps/platform/tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php` covering Environment-owned route/shell contracts. - [ ] T034 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Environment Dashboard route, Workspace + Environment shell, reload, and back from a workspace hub. - Spec322 browser covers route/shell/reload; browser back is left to existing navigation anchors to keep this guard bounded. - [ ] T035 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Baseline Compare route, Workspace + Environment shell, no workspace-hub `environment_id` model, reload, and browser back. - Spec322 browser covers route/shell/reload and invalid old access; browser back is left to existing navigation anchors to keep this guard bounded. - [x] T036 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Baseline Compare old clean workspace-only invalid access using the existing `BaselineCompareEnvironmentRouteContractTest` behavior as the deterministic baseline. - [x] T037 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Required Permissions if route and fixture are browser-stable; otherwise document browser gap and Feature fallback in `coverage-manifest.md`. - [ ] T038 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Provider Readiness / Onboarding Readiness if route and fixture are browser-stable; otherwise document browser gap and Feature fallback in `coverage-manifest.md`. - No separate route was confirmed; coverage manifest documents Environment Dashboard browser coverage as the deterministic fallback. - [ ] T039 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Inventory or Inventory Coverage if route and fixture are browser-stable; otherwise document browser gap and Feature fallback in `coverage-manifest.md`. - Browser coverage intentionally excluded for runtime cost; Feature URL/scope guards cover the route contract. - [ ] T040 In `Spec322EnvironmentOwnedSurfaceSmokeTest.php`, cover Environment Diagnostics if route and fixture are browser-stable; otherwise document browser gap and Feature fallback in `coverage-manifest.md`. - Browser coverage intentionally excluded for runtime cost; Feature URL/scope guards cover the route contract. ## Phase 6: Workspace-Owned Analysis And Configuration Browser Guards - [x] T041 Add `apps/platform/tests/Browser/Spec322WorkspaceOwnedAnalysisSmokeTest.php` covering Workspace-only shell cutover from Environment origin. - [x] T042 [P] In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover Baseline Profiles clean URL, Workspace-only shell, no Environment chip, and reload. - [ ] T043 [P] In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover Baseline Snapshots clean URL, Workspace-only shell, no Environment chip, and reload. - Browser coverage intentionally excluded for runtime cost; Spec322 Feature/static guards cover the surface classification and URL contract. - [x] T044 [P] In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover My Findings clean URL, Workspace-only shell, no Environment chip, and reload. - [ ] T045 [P] In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover Findings Intake clean URL, Workspace-only shell, no Environment chip, and reload. - Browser coverage intentionally excluded for runtime cost; Spec322 Feature/static guards cover the surface classification and URL contract. - [ ] T046 [P] In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover Findings Hygiene clean URL, Workspace-only shell, no Environment chip, and reload. - Browser coverage intentionally excluded for runtime cost; Spec322 Feature/static guards cover the surface classification and URL contract. - [x] T047 [P] In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover Cross-environment Compare clean URL, Workspace-only shell, no Environment chip, and reload. - [ ] T048 In `Spec322WorkspaceOwnedAnalysisSmokeTest.php`, cover Alert Rules, Alert Destinations, and Workspace Settings as Workspace-only configuration surfaces from Environment origin. - Workspace Settings is covered here; Alert Rules and Alert Destinations are covered in `Spec322AlertsAuditNoDriftSmokeTest.php`. ## Phase 7: Alerts / Audit Log Browser Guards - [x] T049 Add `apps/platform/tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php`. - [ ] T050 In `Spec322AlertsAuditNoDriftSmokeTest.php`, cover Alerts Overview clean and filtered entry, visible chip, clear, reload, and links to Alert Deliveries/Audit Log. - Spec322 browser covers clean and filtered entry; clear/link permutations remain covered by Spec321/Spec322 Feature guards. - [x] T051 In `Spec322AlertsAuditNoDriftSmokeTest.php`, cover Alert Deliveries filtered entry, visible chip, clear, reload, and back/forward alignment. - [ ] T052 In `Spec322AlertsAuditNoDriftSmokeTest.php`, cover Audit Log filtered entry, visible chip, clear, reload, and back/forward alignment. - Spec322 browser covers filtered and clean/reload shell state; clear/back-forward remains covered by Spec321/Spec322 Feature guards because browser click timing was unstable on this page. - [x] T053 In `Spec322AlertsAuditNoDriftSmokeTest.php`, cover Alert Rules and Alert Destinations reject stray `environment_id` chip/shell behavior in the browser. - [x] T054 Ensure `Spec322AlertsAuditNoDriftSmokeTest.php` aligns with `apps/platform/tests/Feature/Navigation/Spec321AlertsAuditEnvironmentFilterContractTest.php` and does not change Spec 321 product decisions. ## Phase 8: Legacy Alias Browser Representative Guard - [x] T055 Add representative browser coverage for legacy aliases in `apps/platform/tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php` or `apps/platform/tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php`. - [x] T056 Keep exhaustive alias permutations in Feature tests rather than Browser tests. - [x] T057 Assert representative generated links do not preserve `tenant`, `tenant_id`, `managed_environment_id`, `environment`, `tenant_scope`, or `tableFilters`. ## Phase 9: Manifest, Screenshots, And Documentation Artifacts - [x] T058 Update `specs/322-browser-no-drift-regression-guard/coverage-manifest.md` with actual Browser and Feature coverage statuses after tests are implemented. - [x] T059 Mark any browser blocker or intentionally excluded optional surface in `specs/322-browser-no-drift-regression-guard/coverage-manifest.md`. - [x] T060 Save diagnostic screenshots under `specs/322-browser-no-drift-regression-guard/artifacts/screenshots/` only when useful for debugging or final review. - No final-review screenshots were needed; transient failed-run screenshots remained in the standard Pest Browser screenshot directory only. - [x] T061 Do not add implementation documentation outside `specs/322-browser-no-drift-regression-guard/` unless the user explicitly requests it. ## Phase 10: Validation - [x] T062 Run targeted Feature/static guards from `specs/322-browser-no-drift-regression-guard/test-plan.md`. - [x] T063 Run targeted Browser guards from `specs/322-browser-no-drift-regression-guard/test-plan.md`. - [ ] T064 Run existing related regression filter command from `specs/322-browser-no-drift-regression-guard/test-plan.md`. - The original combined command was attempted and then split for reviewability. The Unit/Feature slice completes with the Baseline Compare failures documented below. The Spec322 Browser slice completes green. The original combined command is not used as the merge gate because the mixed Feature/Browser run previously stalled behind a Playwright server after reporting Feature failures. - [x] T065 Run `cd apps/platform && ./vendor/bin/sail pint --dirty`. - [x] T066 Run `git diff --check` from the repository root. - [x] T067 Record exact commands, results, browser gaps, screenshots, full-suite status, and unrelated residual failures in the final implementation report. ### Broader Regression Note Scope check: - Branch: `322-browser-no-drift-regression-guard` - Diff scope: only Spec 322 spec artifacts, Spec 322 Feature tests, Spec 322 Browser tests, and `tests/Browser/Support/Spec322WorkspaceEnvironmentBrowserHarness.php`. - No 319/320/321 artifacts are included in the current diff. Targeted Spec 322 gates: - `./vendor/bin/sail artisan test tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php tests/Feature/Navigation/Spec322EnvironmentCtaUrlContractTest.php --compact` - Result: 8 passed, 400 assertions. - `./vendor/bin/sail artisan test tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php tests/Browser/Spec322WorkspaceOwnedAnalysisSmokeTest.php tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php --compact` - Result: 9 passed, 510 assertions. Broader regression split: - `./vendor/bin/sail artisan test tests/Unit tests/Feature --filter='WorkspaceHub|EnvironmentFilter|ClearFilter|LegacyTenant|BaselineCompare|WorkspaceOwnedAnalysis|AlertsAudit' --compact --stop-on-failure` - Result: failed at the first Baseline Compare explanation failure before any Browser tests were involved. - `./vendor/bin/sail artisan test tests/Unit tests/Feature --filter='WorkspaceHub|EnvironmentFilter|ClearFilter|LegacyTenant|BaselineCompare|WorkspaceOwnedAnalysis|AlertsAudit' --compact` - Result: 5 failed, 237 passed, 1884 assertions. Known remaining broader-regression failures: - `Tests\Feature\Baselines\BaselineCompareExplanationFallbackTest` - Test: `it shows an unavailable explanation before any baseline compare result exists` - Individual rerun: fails. - Failure: expected page output to contain `A current baseline compare result is not available yet.` - `Tests\Feature\Filament\BaselineCompareExplanationSurfaceTest` - Test: `it renders suppressed baseline-compare results as explanation-first guidance` - Individual rerun: fails. - Failure: expected page output to contain `The last compare finished, but normal result output was suppressed.` - `Tests\Feature\Filament\BaselineCompareSummaryConsistencyTest` - Test: `it keeps widget, landing, and banner equally cautious for the same limited-confidence result` - Individual rerun: fails. - Failure: expected page output to contain `Needs review`. - `Tests\Feature\Filament\BaselineCompareSummaryConsistencyTest` - Test: `it keeps widget, landing, and banner aligned when overdue workflow makes the state action-required` - Individual rerun: fails. - Failure: expected page output to contain `Action required`. - `Tests\Feature\Filament\BaselineCompareSummaryConsistencyTest` - Test: `it keeps widget, landing, and banner aligned while compare is still in progress` - Individual rerun: fails. - Failure: expected page output to contain `In progress`. Spec322-caused broader-regression issue found and fixed: - `Tests\Feature\Guards\LegacyTenantPlatformContextCleanupTest` initially failed because `Spec322LegacyQueryAliasGuardTest.php` contained the retired literal `ensure-filament-tenant-selected` inside its own search pattern list. - Fixed by splitting the literal in the pattern construction while preserving the generated regex. - Individual rerun result: `LegacyTenantPlatformContextCleanupTest` passes, 6 tests, 19 assertions. Out-of-scope assessment: - The remaining 5 failures are in untouched Baseline Compare test files and reproduce when run individually. - They are not Browser-harness failures and not Spec322 targeted guard failures. - They are not proven pre-existing against a clean `dev` checkout in this working tree, but they are independent of the Spec322 diff: Spec322 changed only tests/spec artifacts and no Baseline Compare product code. - Treat these as a separate Baseline Compare test-suite hygiene/runtime investigation, not as a Spec322 no-drift regression. ## Phase 11: Non-Goals / Stop Conditions - [x] NT001 Do not add migrations. - [x] NT002 Do not change seeders unless `spec.md` and `plan.md` are updated first with fixture justification. - [x] NT003 Do not add packages, env vars, queues, scheduler, storage, or deployment asset changes. - [x] NT004 Do not introduce Playwright MCP dependency or a broad visual-regression framework. - [x] NT005 Do not add backwards compatibility redirects, dual query contracts, or legacy query alias support. - [x] NT006 Do not rewrite completed Specs 314 through 321 or remove their close-out and validation history. - [x] NT007 Do not change Alerts/Audit Log decisions from Spec 321. - [x] NT008 Stop and update `spec.md` and `plan.md` before any product behavior change broader than a narrow contract fix. ## Dependencies 1. Phase 1 must complete before Feature/static or Browser implementation. 2. Feature/static guards in Phase 2 can run in parallel by file. 3. Browser harness decision in Phase 3 should happen before Phases 4 through 8. 4. Browser surface phases can run in parallel if they write separate files. 5. Manifest updates in Phase 9 depend on actual implementation results. 6. Validation in Phase 10 depends on all in-scope test files being in place. ## MVP Scope The minimum viable Spec 322 implementation is: 1. Feature/static guards for classification, clean URLs, CTA URLs, clear-state equivalence, cross-workspace rejection, legacy aliases, `/admin/t`, and provider Tenant allowlist. 2. Browser smoke for workspace hubs, Baseline Compare / Environment-owned route, workspace-owned analysis shell cutover, and Alerts/Audit Log. 3. Updated coverage manifest with any browser gaps. ## Parallel Work Examples ```text Agent A: Feature/static guards in apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php Agent B: Legacy alias and provider-boundary guards in apps/platform/tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php Agent C: Workspace hub browser smoke in apps/platform/tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php Agent D: Environment-owned browser smoke in apps/platform/tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php ``` Parallel workers must not edit the same test file at the same time.