# Tasks: Spec 357 - Report Profiles & Disclosure Policy v1

**Input**: `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/357-report-profiles-disclosure-policy-v1/spec.md`
**Prerequisites**: `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/357-report-profiles-disclosure-policy-v1/plan.md`, `checklists/requirements.md`

**Tests**: Required. This is a runtime report/disclosure change on existing customer-facing strategic surfaces. Unit, Feature, and one bounded Browser smoke are required.

## Test Governance Checklist

- [x] Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- [x] New or changed tests stay in the smallest honest family, and the browser addition is explicit.
- [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default.
- [x] Planned validation commands cover the change without pulling in unrelated lane cost.
- [x] The declared surface test profile (`shared-detail-family`) is explicit.
- [x] Any material budget, baseline, trend, or escalation note is recorded in the active spec or PR.

## Phase 1: Repo Truth And Scope Gate

- [x] T001 Re-read `spec.md`, `plan.md`, and `checklists/requirements.md` before editing runtime code.
- [x] T002 Confirm branch/worktree intent with `git status --short --branch` and record the baseline commit with `git log -1 --oneline`.
- [x] T003 Inspect the existing rendered-report seams in:
  - `apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php`
  - `apps/platform/app/Support/ReviewPacks/ReviewPackOutputReadiness.php`
  - `apps/platform/app/Support/ReviewPacks/ReviewPackOutputResolutionGuidance.php`
  - `apps/platform/resources/views/review-packs/rendered-report.blade.php`
- [x] T004 Inspect current owner-surface handoff seams in:
  - `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`
  - `apps/platform/app/Filament/Resources/EnvironmentReviewResource.php`
  - `apps/platform/app/Filament/Resources/ReviewPackResource.php`
- [x] T005 Confirm no new persistence, new delivery workflow, public route family, PDF stack, portal route, AI runtime, or framework-report implementation is needed.

## Phase 2: Tests First

- [x] T006 Add `apps/platform/tests/Unit/Support/ReviewPacks/Spec357ReportProfileRegistryTest.php` covering required implemented profiles, placeholder handling, and invalid-profile fail-closed behavior.
- [x] T007 Add `apps/platform/tests/Unit/Support/ReviewPacks/Spec357ReportDisclosurePolicyTest.php` covering mandatory disclosures, blocking reasons, and proof states (`verified`, `assumed`, `not_applicable`, `missing`, `unknown`).
- [x] T008 Add `apps/platform/tests/Feature/ReviewPack/Spec357RenderedReportProfileTest.php` covering effective profile selection, visible profile metadata, mandatory disclosure override, and customer/internal boundary behavior.
- [x] T009 Add `apps/platform/tests/Browser/Spec357ReportProfilesSmokeTest.php` covering internal MSP, customer executive limited, customer-safe ready, auditor appendix, and invalid/placeholder profile behavior.
## Phase 3: Static Report Profile Registry

- [x] T010 Create `apps/platform/app/Support/ReviewPacks/ReportProfileRegistry.php` with static implemented profiles:
  - `customer_executive`
  - `customer_technical`
  - `internal_msp_review`
  - `auditor_appendix`
- [x] T011 Model `framework_readiness` as placeholder-only and not implemented by default.
- [x] T012 Keep the registry bounded to the current review-pack/report family; do not add CRUD, config writes, or generalized reporting infrastructure.
- [x] T013 Fail closed for unknown or unimplemented profile keys and keep the fallback behavior explicit and tested.

## Phase 4: Disclosure Policy

- [x] T014 Create `apps/platform/app/Support/ReviewPacks/ReportDisclosurePolicy.php` to evaluate profile + readiness + evidence + internal-only/PII + available source/disclosure metadata.
- [x] T015 Ensure the policy emits mandatory disclosures, warnings, blocking reasons, and proof states without provider/Graph calls.
- [x] T016 Preserve the distinction between independently proven and assumed safety signals; do not silently treat current boolean assumptions as verified truth.
- [x] T017 Keep blocking and boundary behavior derived-only inside the current rendered-report flow; do not implement scheduling, approval, send, or future-consumer delivery semantics.

## Phase 5: Rendered Report Integration

- [x] T018 Update the existing signed rendered-report URL seams (`ReviewPackService::generateRenderedReportUrl()` callers/helpers and `apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php`) to resolve an effective profile on the existing authenticated report route without adding an unsigned ad hoc query contract.
- [x] T019 Keep the controller-local implementation bounded; no extra cross-domain viewer framework was introduced.
- [x] T020 Apply profile-aware section and appendix filtering while guaranteeing that mandatory disclosures, readiness, evidence state, and source metadata still render.
- [x] T021 Show effective profile and audience metadata in the report payload and keep invalid or placeholder profile requests truthfully limited or blocked.
- [x] T022 Keep the current `ReviewPack` route, current-export guard, and existing ZIP/download contract intact.

## Phase 6: UI Surfaces And Localization

- [x] T023 Update `apps/platform/resources/views/review-packs/rendered-report.blade.php` so the report visibly shows profile, audience, readiness, limitations, disclosure/proof-state information, and generated/source metadata.
- [x] T024 Update existing owner-surface report URL helpers/labels in `EnvironmentReviewResource` and `ReviewPackResource` so the profile-aware handoff stays clear without creating a management UI.
- [x] T025 Add EN and DE localization keys in:
  - `apps/platform/lang/en/localization.php`
  - `apps/platform/lang/de/localization.php`

  for profile names, audience labels, external-sharing warnings, proof-state labels, and mandatory disclosure copy.
- [x] T026 Keep the report read-only; do not add destructive or state-mutating actions.

## Phase 7: UI Audit Follow-Through

- [x] T027 Inspect `docs/ui-ux-enterprise-audit/page-reports/ui-006-customer-review-workspace.md`; no material hierarchy change required an update.
- [x] T028 Inspect `docs/ui-ux-enterprise-audit/page-reports/ui-042-review-pack-detail.md`; no rendered-report vs ZIP hierarchy change required an update.
- [x] T029 Update `docs/ui-ux-enterprise-audit/page-reports/ui-099-rendered-review-report.md` with profile metadata, disclosure-proof behavior, and bounded audience modes.
- [x] T030 Inspect `docs/ui-ux-enterprise-audit/route-inventory.md` and `design-coverage-matrix.md`; no material route-classification change required an update.
## Phase 8: Validation And Close-Out

- [x] T031 Run:
  - `cd apps/platform && ./vendor/bin/sail artisan test tests/Unit/Support/ReviewPacks/Spec357ReportProfileRegistryTest.php tests/Unit/Support/ReviewPacks/Spec357ReportDisclosurePolicyTest.php tests/Feature/ReviewPack/Spec357RenderedReportProfileTest.php --compact`
- [x] T032 Run:
  - `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest tests/Browser/Spec357ReportProfilesSmokeTest.php --compact`
- [x] T033 Run focused regressions:
  - `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec356` returned `No tests found`
  - `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/ReviewPack/ReviewPackDownloadTest.php tests/Feature/ReviewPack/EnvironmentReviewDerivedReviewPackTest.php tests/Feature/EnvironmentReview/EnvironmentReviewExecutivePackTest.php --compact` passed
  - `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest tests/Browser/Reviews/CustomerReviewWorkspaceSmokeTest.php --compact` passed
  - broader filters surfaced unrelated existing failures in `tests/Browser/Spec347ReviewPackOutputReadinessSmokeTest.php` and `tests/Feature/Filament/EnvironmentReviewHeaderDisciplineTest.php`
- [x] T034 Run formatting and patch checks:
  - `cd apps/platform && ./vendor/bin/sail pint --dirty`
  - `cd apps/platform && ./vendor/bin/sail pint app/Support/ReviewPacks/ReportProfileRegistry.php app/Support/ReviewPacks/ReportDisclosurePolicy.php app/Support/ReviewPacks/ReviewPackOutputResolutionGuidance.php app/Http/Controllers/ReviewPackRenderedReportController.php app/Filament/Resources/EnvironmentReviewResource.php app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php lang/en/localization.php lang/de/localization.php tests/Unit/Support/ReviewPacks/Spec357ReportProfileRegistryTest.php tests/Unit/Support/ReviewPacks/Spec357ReportDisclosurePolicyTest.php tests/Feature/ReviewPack/Spec357RenderedReportProfileTest.php tests/Browser/Spec357ReportProfilesSmokeTest.php`
  - `git diff --check`
- [x] T035 Save browser screenshots under `specs/357-report-profiles-disclosure-policy-v1/artifacts/screenshots/`.
- [x] T036 Report full-suite status honestly if not run.

## Non-Goals

- [x] NT001 Do not add a `report_profiles` table, profile CRUD, or any profile persistence.
- [x] NT002 Do not add scheduled delivery, approval workflow, email sending, or any public link/share contract.
- [x] NT003 Do not add a second rendered artifact family or replace the existing `ReviewPack` ZIP family.
- [x] NT004 Do not add native PDF infrastructure, branding editor, or white-label theme management.
- [x] NT005 Do not add AI/HITL runtime behavior or framework-specific NIS2/CIS/BSI report implementation.
- [x] NT006 Do not widen provider, Graph, or authentication boundaries during report rendering.
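
An added sketch, not the project's own code, of the fail-closed profile resolution in T010 to T013 combined with the proven-versus-assumed distinction in T016. The `external` flags, the signal names `pii_redacted` and `internal_notes_removed`, the input shapes, and the rule that `missing`/`unknown` block external profiles while `assumed` only adds a disclosure are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration only; not the project's ReportProfileRegistry or ReportDisclosurePolicy.
// Profile keys come from T010/T011; 'external' flags, signal names and shapes are assumptions.
const IMPLEMENTED_PROFILES = [
    'customer_executive'  => ['external' => true],
    'customer_technical'  => ['external' => true],
    'internal_msp_review' => ['external' => false],
    'auditor_appendix'    => ['external' => true],
];
const PLACEHOLDER_PROFILES = ['framework_readiness'];
const REQUIRED_SIGNALS = ['pii_redacted', 'internal_notes_removed']; // hypothetical names

/** Classify how a safety signal is backed; a bare boolean is never "verified". */
function proofState(array $signals, string $key): string
{
    if (!array_key_exists($key, $signals)) return 'missing';
    $signal = $signals[$key];
    if ($signal === 'not_applicable') return 'not_applicable';
    if ($signal === true) return 'assumed'; // legacy boolean: a claim without proof
    $proven = is_array($signal) && ($signal['value'] ?? null) === true && !empty($signal['proven_by']);
    return $proven ? 'verified' : 'unknown'; // false, null or malformed: not a safety claim
}

function evaluateReport(mixed $requested, array $signals): array
{
    $r = ['profile' => null, 'blocked' => true, 'blocking_reasons' => [], 'disclosures' => [], 'proof_states' => []];
    if (!is_string($requested) || !array_key_exists($requested, IMPLEMENTED_PROFILES)) {
        // Fail closed: no silent fallback to a default profile.
        $r['blocking_reasons'][] = in_array($requested, PLACEHOLDER_PROFILES, true) ? 'profile_not_implemented' : 'profile_unknown';
        return $r;
    }
    $r['profile'] = $requested;
    foreach (REQUIRED_SIGNALS as $key) {
        $state = $r['proof_states'][$key] = proofState($signals, $key);
        if (!IMPLEMENTED_PROFILES[$requested]['external']) continue; // internal: show states, block nothing
        if ($state === 'missing' || $state === 'unknown') {
            $r['blocking_reasons'][] = "{$key}:{$state}";
        } elseif ($state === 'assumed') {
            $r['disclosures'][] = "{$key} is assumed, not independently verified";
        }
    }
    $r['blocked'] = $r['blocking_reasons'] !== [];
    return $r;
}

// Constructed sample input: one proven signal, one legacy boolean.
$signals = ['pii_redacted' => ['value' => true, 'proven_by' => 'redaction-scan'], 'internal_notes_removed' => true];
foreach (['customer_executive', 'framework_readiness', 'no_such_profile'] as $p) echo json_encode(evaluateReport($p, $signals)), PHP_EOL;
```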