# Tasks: Spec 354 - Finding Exceptions / Accepted Risk Resolution Guidance v1

**Input**: `specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/spec.md`, `plan.md`, `repo-truth-map.md`, `contracts/accepted-risk-guidance-signal-map.md`, and `checklists/requirements.md`

**Tests**: Required. This spec changes strategic accepted-risk operator guidance on existing queue and detail owner surfaces.

## Test Governance Checklist

- [x] Lane assignment is explicit and narrow: Unit for guidance selection, Feature/Livewire for queue/detail integration, Browser for first-screen hierarchy.
- [x] New or changed tests stay in the smallest honest family, and the browser addition is explicit.
- [x] Shared helpers, factories, seeds, and context defaults stay cheap by default.
- [x] Planned validation commands cover the slice without pulling in unrelated lane cost.
- [x] The changed surfaces are explicit strategic/detail accepted-risk surfaces, not an infra-only refactor.
- [x] No new persisted accepted-risk truth, workflow engine, or provider/platform abstraction is planned.

## Phase 1: Preparation And Repo Truth

**Purpose**: Keep the implementation bounded to the existing accepted-risk owner surfaces and recorded draft-to-repo deviations.

- [x] T001 Re-read `spec.md`, `plan.md`, `tasks.md`, `repo-truth-map.md`, `contracts/accepted-risk-guidance-signal-map.md`, and `checklists/requirements.md`.
- [x] T002 Re-verify the current runtime truth in `apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php`, `apps/platform/resources/views/filament/pages/monitoring/finding-exceptions-queue.blade.php`, `apps/platform/app/Filament/Resources/FindingExceptionResource.php`, `apps/platform/app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php`, `apps/platform/app/Services/Findings/FindingRiskGovernanceResolver.php`, and `apps/platform/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php`.
- [x] T003 Re-confirm the current repo constraints recorded in `repo-truth-map.md`: no new accepted-risk model, no new queue family, no global-search change, no standalone customer-facing risk page.
- [x] T004 Confirm no migration, package, env var, queue family, scheduler, storage, panel/provider, or `filament:assets` deployment change is required.
- [x] T005 Keep `repo-truth-map.md` and `contracts/accepted-risk-guidance-signal-map.md` current if runtime inspection proves a narrower or broader safe slice.

## Phase 2: Tests First

**Purpose**: Lock decision hierarchy, scope, and no-fake-action behavior before runtime changes.

- [x] T006 Add `apps/platform/tests/Unit/ResolutionGuidance/Spec354AcceptedRiskResolutionAdapterTest.php`.
- [x] T007 Add unit assertions for `accepted_risk.ready`.
- [x] T008 Add unit assertions for `accepted_risk.expiring`.
- [x] T009 Add unit assertions for `accepted_risk.expired`.
- [x] T010 Add unit assertions for revoked and rejected support.
- [x] T011 Add unit assertions for pending and renewal-requested states.
- [x] T012 Add unit assertions for missing governance support on an existing exception record.
- [x] T013 Add unit assertions for incomplete governance support (missing owner/rationale/review support).
- [x] T014 Add unit assertions for the current fresh-decision-required signal and for conservative owner-surface wording reuse without mutating downstream review-output artifacts.
- [x] T015 Add a guard assertion proving accepted-risk guidance selection stays DB-local and does not require live provider or Graph calls.
- [x] T016 Add `apps/platform/tests/Feature/Monitoring/Spec354FindingExceptionsQueueGuidanceTest.php`.
- [x] T017 Add feature/Livewire assertions that `FindingExceptionsQueue` shows one dominant accepted-risk case with one dominant next-step affordance.
- [x] T018 Add feature/Livewire assertions that only existing repo-backed related context is rendered and unsupported auto-fix buttons are absent.
- [x] T019 Add feature/Livewire assertions that queue links remain workspace/environment scoped, preserve explicit `environment_id` behavior, and keep out-of-scope queue access as 404.
- [x] T020 Add feature/Livewire assertions that the queue keeps current approve/reject action safety intact.
- [x] T021 Add `apps/platform/tests/Feature/Findings/Spec354FindingExceptionDetailGuidanceTest.php`.
- [x] T022 Add feature/Livewire assertions that `ViewFindingException` and its infolist render one dominant accepted-risk guidance case before deeper diagnostics.
- [x] T023 Add feature/Livewire assertions that renew/revoke stay state- and capability-bound and keep existing confirmation behavior.
- [x] T024 Add feature/Livewire assertions that owner/rationale/expiry or review support gaps are visible before decision history and deeper evidence, and that member-but-missing-capability behavior stays aligned with current detail semantics.
- [x] T025 Add a continuity assertion in the narrowest honest family for Governance Inbox `Review accepted risk` routing into the owner surface.
- [x] T026 Add `apps/platform/tests/Browser/Spec354AcceptedRiskGuidanceSmokeTest.php`.
- [x] T027 Browser Flow A: expiring accepted-risk queue state shows one dominant blocker and one dominant next-step affordance.
- [x] T028 Browser Flow B: expired, revoked, or fresh-decision-required accepted-risk state shows a conservative operator affordance and only existing supporting context.
- [x] T029 Browser Flow C: incomplete governance support shows missing owner/rationale/review context before deep diagnostics.
- [x] T030 Browser Flow D: calm valid state stays calm and does not render a competing warning stack.

## Phase 3: Derived Guidance Contract

**Purpose**: Build the narrowest derived accepted-risk payload over existing finding and exception truth.
- [x] T031 Choose the narrowest implementation shape: prefer one bounded accepted-risk adapter or selector under `apps/platform/app/Support/ResolutionGuidance/`.
- [x] T032 Consume existing signals from `apps/platform/app/Services/Findings/FindingRiskGovernanceResolver.php`, `FindingException`, `FindingExceptionDecision`, and linked `Finding` truth before adding any new helper.
- [x] T033 Derive one accepted-risk guidance payload with `key`, `title`, `status`, `severity`, `reason`, `impact`, `primary_action`, `secondary_actions`, and `technical_details`, while preserving the existing fresh-decision-required signal and avoiding any broader stale-governance invention.
- [x] T034 Keep blocker priority explicit: missing support -> fresh decision required -> expired/revoked/rejected -> expiring -> incomplete governance support -> pending/renewal -> ready.
- [x] T035 Keep the derived guidance DB-local and request-scoped only; no new persistence.
- [x] T036 Do not introduce a new accepted-risk enum family, workflow engine, or review-impact framework in this slice.

## Phase 4: Queue Integration

**Purpose**: Make `FindingExceptionsQueue` read as an accepted-risk decision destination without removing current queue truth.

- [x] T037 Integrate the derived guidance into `apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php` while preserving explicit inspect/open behavior and current selected-record state.
- [x] T038 Update `apps/platform/resources/views/filament/pages/monitoring/finding-exceptions-queue.blade.php` and the focused-review partial so the dominant guidance case appears before secondary diagnostics and existing related context.
- [x] T039 Reuse existing repo-backed primary and secondary targets where appropriate: inspect accepted risk, approve/reject current request, open finding, and existing related context only.
- [x] T040 Preserve current destructive/high-impact actions exactly as confirmation-, authorization-, and audit-protected secondary actions.
- [x] T041 Do not let guidance visibility widen action authorization or scope.

## Phase 5: Detail Integration

**Purpose**: Make `ViewFindingException` decision-first while keeping lifecycle ownership on the existing detail page.

- [x] T042 Integrate the derived guidance into `apps/platform/app/Filament/Resources/FindingExceptionResource.php` and `apps/platform/app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php`.
- [x] T043 Keep existing owner/rationale/expiry/review data visible before decision history or deep evidence.
- [x] T044 Reuse current repo-backed actions (`renew_exception`, `revoke_exception`) and keep them source-owned.
- [x] T045 Keep decision history, evidence references, and related context secondary.
- [x] T046 Preserve `FindingExceptionResource` global-search-disabled posture and current action-surface discipline.

## Phase 6: Continuity And Conservative Wording

**Purpose**: Keep downstream accepted-risk continuity honest without turning other surfaces into second owner surfaces.

- [x] T047 Adjust `apps/platform/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php` only if accepted-risk label/target continuity is inconsistent after queue/detail guidance becomes decision-first.
- [x] T048 Reuse existing conservative accepted-risk wording as owner-surface reference only and do not mutate `EnvironmentReviewComposer` or current review-output consumers in this slice.
- [x] T049 Keep customer-safe wording reference conservative and avoid exposing raw internal rationale or low-level diagnostics as default-visible summary text.

## Phase 7: Copy, Audit, And Artifacts

**Purpose**: Align user-facing wording and UI audit coverage with the new accepted-risk hierarchy.

- [x] T050 Update only the required copy in `apps/platform/lang/en/localization.php`.
- [x] T051 Update matching copy in `apps/platform/lang/de/localization.php`.
- [x] T052 Update `docs/ui-ux-enterprise-audit/page-reports/ui-012-finding-exceptions-queue.md`.
- [x] T053 Create or update `docs/ui-ux-enterprise-audit/page-reports/ui-036-exception-detail.md`.
- [x] T054 Update `docs/ui-ux-enterprise-audit/route-inventory.md` and `docs/ui-ux-enterprise-audit/unresolved-pages.md` for `UI-036`.
- [x] T055 Save queue and detail screenshots under `specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/artifacts/screenshots/`, or record the host-visible artifact blocker explicitly if copies cannot be persisted.

## Phase 8: Validation

**Purpose**: Prove the guidance remains bounded, scope-safe, and render-local.

- [x] T056 Run `cd apps/platform && ./vendor/bin/sail artisan test tests/Unit/ResolutionGuidance/Spec354AcceptedRiskResolutionAdapterTest.php --compact`.
- [x] T057 Run `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Monitoring/Spec354FindingExceptionsQueueGuidanceTest.php --compact`.
- [x] T058 Run `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Findings/Spec354FindingExceptionDetailGuidanceTest.php --compact`.
- [ ] T059 Run `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest tests/Browser/Spec354AcceptedRiskGuidanceSmokeTest.php --compact`. Attempted twice; the Pest browser harness stalled without yielding output even after the auth/session fixes, so the browser acceptance path was re-verified in the integrated browser and artifact screenshots were saved manually.
- [x] T060 Re-run the narrowest current queue/detail guard and navigation tests that protect scope, state, action-surface discipline, and current fresh-decision signaling.
- [x] T061 Confirm final render paths remain DB-local and do not call `GraphClientInterface` or provider HTTP during page render.
- [x] T062 Run `cd apps/platform && ./vendor/bin/sail pint --dirty`.
- [x] T063 Run `git diff --check`.
- [x] T064 Report unrelated broader-suite or browser-harness issues honestly if they remain outside this slice.

## Non-Goals Checklist

- [x] NT001 Do not add a new accepted-risk table, review-impact projection, or workflow engine.
- [x] NT002 Do not rebuild Governance Inbox, Customer Review Workspace, Environment Dashboard, or review-output architecture.
- [x] NT003 Do not add fake remediation or unsupported auto-fix actions.
- [x] NT004 Do not widen `FindingExceptionResource` global search, panel setup, or routing architecture.
- [x] NT005 Do not introduce live provider calls during render.
- [x] NT006 Do not mutate downstream review-output artifacts (`EnvironmentReviewComposer`, review-pack summaries, customer-review runtime) in this slice.

## Required Final Report Content

When implementation later completes, report:

- changed accepted-risk guidance behavior on queue and detail
- dominant-case selection model
- continuity behavior for Governance Inbox or review-output wording if changed
- safe action set and any disabled or fallback cases
- render-path result for no live provider calls
- UI audit artifact updates and screenshot paths
- files changed
- tests run and results
- explicit no migrations/packages/env/queues/scheduler/storage/panel/global-search change statement
- known gaps or deferred findings
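
The blocker priority in T034 and the authorization rule in T041, sketched as an added PHP example; it is not the project's adapter code. The function name, the signal names, the `status` values, the `open_finding` capability and every guidance key other than `accepted_risk.ready`, `accepted_risk.expiring` and `accepted_risk.expired` are assumptions, and the T033 payload is trimmed to the fields that selection affects.

```php
<?php
declare(strict_types=1);

// Blocker priority from T034, highest first. Signal names and every key except
// accepted_risk.ready / .expiring / .expired are hypothetical.
const ACCEPTED_RISK_PRIORITY = [
    'missing_support'         => 'accepted_risk.missing_support',
    'fresh_decision_required' => 'accepted_risk.fresh_decision_required',
    'expired'                 => 'accepted_risk.expired',
    'revoked'                 => 'accepted_risk.revoked',
    'rejected'                => 'accepted_risk.rejected',
    'expiring'                => 'accepted_risk.expiring',
    'incomplete_support'      => 'accepted_risk.incomplete_support',
    'pending'                 => 'accepted_risk.pending',
    'renewal_requested'       => 'accepted_risk.renewal_requested',
];

/**
 * Select one dominant case from already-loaded, DB-local signals (T035).
 *
 * @param array<string,bool>   $signals   derived flags, e.g. ['expiring' => true]
 * @param list<string>         $granted   actions the viewer is already authorized for
 * @param array<string,string> $actionFor guidance key => existing action name
 */
function selectAcceptedRiskGuidance(array $signals, array $granted, array $actionFor): array
{
    // Keep only raised signals, preserving the priority order of the table.
    $active = array_values(array_intersect_key(ACCEPTED_RISK_PRIORITY, array_filter($signals)));
    $key = $active[0] ?? 'accepted_risk.ready';

    // T041: guidance must not widen authorization. Offer the action only when
    // the viewer already holds it; otherwise render no primary action.
    $action = $actionFor[$key] ?? null;
    $primary = in_array($action, $granted, true) ? $action : null;

    return [
        'key' => $key,
        'status' => $key === 'accepted_risk.ready' ? 'ready' : 'attention',
        'primary_action' => $primary,
        // Non-dominant signals stay available as secondary diagnostics.
        'technical_details' => ['other_signals' => array_slice($active, 1)],
    ];
}

// Constructed sample: an expired exception that also has incomplete support,
// viewed by someone who holds only the hypothetical open_finding capability.
$guidance = selectAcceptedRiskGuidance(
    ['expired' => true, 'incomplete_support' => true],
    ['open_finding'],
    ['accepted_risk.expired' => 'renew_exception'],
);
echo json_encode($guidance, JSON_PRETTY_PRINT), PHP_EOL;
```

Because the action is resolved against capabilities the viewer already holds, a member without the renew capability sees the expired case with no primary action instead of a button that the page would then have to reject.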