# Diagnostic Surface Contracts

Status: pre-runtime implementation contract.

## Environment Diagnostics

| Field | Contract |
|---|---|
| Route | `/admin/workspaces/{workspace}/environments/{environment}/diagnostics` |
| Source | `App\Filament\Pages\EnvironmentDiagnostics` and `filament.pages.environment-diagnostics` |
| Surface role | Tertiary Evidence / Diagnostics Surface |
| Primary question | What failed in this environment, why does it matter, and what should I check next? |
| Default-visible content | diagnostic outcome, failed condition(s), impact, recommended next check/action |
| Secondary content | individual blocker proof and repair context |
| Raw/support detail | not default-visible unless repo-backed and necessary |
| Actions | existing `Bootstrap owner` and `Merge duplicate access scopes` only when applicable |
| Safety | confirmation, `TENANT_MANAGE`, `UiEnforcement`, server-side service ownership, and audit ownership preserved |
| Scope | current Filament environment tenant and workspace context |

## Support Diagnostics Modal

| Field | Contract |
|---|---|
| Source | `filament.modals.support-diagnostic-bundle` rendered from existing action hosts |
| Builder | `App\Support\SupportDiagnostics\SupportDiagnosticBundleBuilder` |
| Surface role | Tertiary support diagnostics modal |
| Primary question | What should support check first, and what context is available? |
| Default-visible content | headline, dominant issue, recommended first check, freshness/completeness, redaction note |
| Secondary content | provider connection, operation context, findings, stored reports, environment review, review pack, audit history |
| Raw/support detail | redaction markers and raw-provider/support details stay lower-priority and redacted |
| Actions | repo-backed reference links only; unavailable references render as unavailable, not fake links |
| Safety | existing capability-gated support diagnostics actions, audit, telemetry, and redaction preserved |

## Provider Connections Context

- Completed by Spec 353.
- Treat as context/regression only.
- Do not reimplement provider-readiness guidance.

## Required Permissions Context

- Completed by Spec 353.
- Treat as context/regression only.
- Required Permissions browser reachability gaps from Spec 368 remain historical context unless a new shared regression is introduced.

## System Panel Deferred Status

- `/system` and `/system/ops/runs` browser reachability remain deferred.
- Spec 373 must not fix system-panel auth, fixtures, routes, or productization.