# Spec 365 Action Eligibility Matrix

This matrix is the product and test contract for `OperationRunActionEligibility`. It is derived from existing OperationRun truth and does not introduce new persisted status/outcome values.

## Global Rules

- At most one primary action is visible per run.
- If eligibility is uncertain, the action is unavailable.
- Direct action execution must enforce the same authorization/scope rules as UI visibility.
- Reconcile writes through `AdapterRunReconciler` and `OperationRunService`.
- Retry is unavailable unless a repo-verified safe non-high-risk retry/start seam exists.
- Restore, tenant mutation, destructive mutation, unknown operation, and high-risk operation are never retryable in this spec.
- Force Complete, Mark Succeeded, Delete, Purge, and Restore Re-execute are always forbidden.
- Related actions use canonical metadata and existing link/policy seams.
- Diagnostics are secondary and capability-gated.

## Matrix

| Family | Canonical example | Run state | Primary action | Reconcile | Retry | Related | Diagnostics | Disabled / attention reason | Required tests |
|---|---|---|---|---|---|---|---|---|---|
| Queue | any supported operation | fresh queued | View details | no | no | maybe | yes if capability | Operation is still within expected lifecycle window | unit, browser |
| Queue | any supported operation | stale queued | Reconcile when adapter/proof exists, otherwise View details | maybe | no by default | maybe | yes if capability | Waiting longer than expected; reconciliation may be safe only with adapter proof | unit, feature |
| Queue | any supported operation | stale running | Reconcile when adapter/proof exists, otherwise View details | maybe | no by default | maybe | yes if capability | Running longer than expected; fail closed without proof | unit, feature |
| Review compose | `environment.review.compose` | related review already available / reconciled | View review | no after reconciled | only if failed and safe seam verified | yes | yes if capability | Review result already exists | unit, feature, browser |
| Review compose | `environment.review.compose` | stale eligible with adapter proof | Reconcile | yes | no by default | maybe after reconcile | yes if capability | Existing review proof can reconcile this run | unit, feature |
| Review pack / report | `environment.review_pack.generate` | artifact already available / reconciled | View report | no after reconciled | only if safe seam verified | yes | yes if capability | Report artifact already exists | unit, feature, browser |
| Evidence | `tenant.evidence.snapshot.generate` | evidence snapshot already available / reconciled | View evidence | no after reconciled | only if safe seam verified | yes | yes if capability | Evidence snapshot already exists | unit, feature, browser |
| Sync | `inventory.sync` / `policy.sync` | partial | View affected families | no unless adapter proof says terminal reconciliation is safe | only if safe seam verified | maybe | yes if capability | Some resource families completed; others blocked or failed | unit, feature, browser |
| Sync | `inventory.sync` / `policy.sync` | blocked | View missing permissions/details | no unless adapter proof says terminal reconciliation is safe | only if safe seam verified | maybe | yes if capability | Provider access or precondition blocked capture | unit, feature |
| Backup | `backup.schedule.execute` | partial | View backup details | no unless adapter proof says terminal reconciliation is safe | only if safe seam verified and non-destructive | yes if backup set exists | yes if capability | Backup completed with partial results | unit, feature |
| Backup | `backup.schedule.execute` | blocked | View missing permissions/details | no unless adapter proof says terminal reconciliation is safe | only if safe seam verified and non-destructive | maybe | yes if capability | Backup blocked by access or precondition | unit, feature, browser |
| Restore | `restore.execute` | verification required | View restore details | maybe only if Spec364 verification proof is sufficient | no | yes | yes if capability | High-risk operation requires verification; retry unavailable | unit, feature, browser |
| Restore | `restore.execute` | partial | View restore details | maybe only if Spec364 proof is sufficient | no | yes | yes if capability | Restore completed only partially; retry unavailable | unit, feature |
| Restore | `restore.execute` | blocked | View restore details | no unless Spec364 proof allows safe blocked reconciliation | no | yes | yes if capability | Restore blocked; high-risk retry unavailable | unit, feature, browser |
| Restore | `restore.execute` | failed | View restore details | no unless Spec364 proof allows safe terminal reconciliation | no | maybe | yes if capability | Restore failed; retry/re-execute/force-success unavailable | unit, feature, browser |
| High-risk mutation | `promotion.execute` / tenant mutation | failed/blocked/unknown | View details | no unless explicit adapter proof exists | no | maybe | yes if capability | High-risk operation cannot be retried from this view | unit |
| Unknown | unmapped operation type | any terminal/active state | View details | no | no | no unless existing link resolves | yes if capability | Unsupported operation type | unit, feature |
| RBAC denied | any | otherwise eligible | none or disabled safe label | no direct execution | no direct execution | no direct execution | no if missing capability | User lacks required capability | feature, browser |
| Cross-scope denied | any | otherwise eligible | none | no direct execution | no direct execution | no direct execution | no | Operation is outside permitted workspace/environment | feature |

## Forbidden Action Assertions

Tests must assert these labels/actions do not exist for restore/high-risk runs:

- Retry restore
- Re-execute restore
- Force complete
- Mark succeeded
- Ignore error and complete
- Manually mark successful
- Delete run
- Purge run

## Retry Close-Out Template

Implementation must update this section before completion:

| Operation family | Safe retry seam found? | Implemented? | Disabled/deferred reason |
|---|---|---|---|
| Review compose | no generic retry seam verified; reconcile seam exists | no retry | Retry is deferred; stale runs use Reconcile only when adapter proof and RBAC allow it |
| Review pack/report | no generic retry seam verified | no retry | Retry is deferred; related artifact links are safe when canonical metadata resolves |
| Evidence snapshot | no generic retry seam verified | no retry | Retry is deferred; related evidence links are safe when canonical metadata resolves |
| Sync/capture | no generic retry seam verified | no retry | Retry is deferred; partial/blocked runs open affected-family/details surfaces |
| Backup capture | no generic retry seam verified | no retry | Retry is deferred; backup details are safe when backup truth resolves |
| Restore | no by spec | no | High-risk operations cannot be retried from this view |

## Acknowledge Close-Out Template

| Seam checked | Existing clean seam? | Implemented? | Deferral reason |
|---|---|---|---|
| OperationRun acknowledge/note/audit | no clean OperationRun-specific acknowledge/note seam verified | no | Acknowledge would create a local success-like state without existing domain truth; defer to a future explicit workflow spec |
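
The Global Rules and Forbidden Action Assertions above, sketched as a fail-closed resolver with a direct-execution guard. This is an added example, not the project's `OperationRunActionEligibility` code; Python is used for illustration, and the capability names, `Run`/`Actor` fields, state strings and action identifiers are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the matrix; every name below is hypothetical.
HIGH_RISK = {"restore.execute", "promotion.execute"}
KNOWN = HIGH_RISK | {
    "environment.review.compose", "environment.review_pack.generate",
    "tenant.evidence.snapshot.generate", "inventory.sync", "policy.sync",
    "backup.schedule.execute",
}
FORBIDDEN = {"force_complete", "mark_succeeded", "delete", "purge",
             "restore_re_execute"}
STALE = {"stale_queued", "stale_running"}

@dataclass(frozen=True)
class Run:
    operation: str
    state: str                     # e.g. "stale_queued", "partial", "failed"
    adapter_proof: bool = False    # reconciliation proof exists
    safe_retry_seam: bool = False  # verified safe retry seam; default "none found"

@dataclass(frozen=True)
class Actor:
    in_scope: bool                 # run is inside the permitted workspace/environment
    capabilities: frozenset = frozenset()   # hypothetical capability names

def eligibility(run: Run, actor: Actor) -> dict:
    """Return one primary action plus other executable actions, failing closed."""
    caps = actor.capabilities
    if not actor.in_scope or "operations.view" not in caps:
        return {"primary": None, "other": set()}   # cross-scope / RBAC denied
    other = {"diagnostics"} if "operations.diagnostics" in caps else set()
    primary, known = "view_details", run.operation in KNOWN
    # Simplification: reconcile is modelled for stale runs with proof, and
    # retry only for failed, non-high-risk runs with a verified seam.
    if known and run.state in STALE and run.adapter_proof \
            and "operations.reconcile" in caps:
        primary = "reconcile"
    elif known and run.operation not in HIGH_RISK and run.safe_retry_seam \
            and run.state == "failed" and "operations.retry" in caps:
        other.add("retry")
    return {"primary": primary, "other": other}

def execute(action: str, run: Run, actor: Actor) -> str:
    """Direct execution re-derives eligibility rather than trusting UI visibility."""
    allowed = eligibility(run, actor)
    if action in FORBIDDEN or action not in {allowed["primary"], *allowed["other"]}:
        raise PermissionError(f"{action} is not eligible for this run")
    return action
```
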