# Tasks: Spec 413 - Focused Pilot Gate Recheck

**Input**: `specs/413-focused-pilot-gate-recheck/spec.md`, `plan.md`, `checklists/requirements.md`, user-provided Spec 413 draft, Spec 407/412 context, Spec 412 implementation report, roadmap/spec-candidate truth, and Product Surface Contract.

**Prerequisites**: Working tree is clean or contains only user-approved planning changes for this spec package. Future execution must stop if unrelated dirty state appears.

**Tests**: No test files are created or modified. Existing tests may be run only as validation commands and must be reported exactly.

**Organization**: Tasks are grouped by gate execution phase. This is a read-only gate, not application implementation.

## Execution Close-Out

- [x] Executed on 2026-06-24 as a read-only focused gate. Tasks below are checked when the required probe/report step was performed or when a missing live fixture/actor limitation was explicitly recorded with existing test proof.
- [x] No application code, tests, migrations, seeders, factories, routes, policies, config, views, generated assets, runtime data, docs outside this spec package, or completed specs were intentionally modified.
- [x] Gate result recorded in the assistant close-out report as `PASS WITH CONDITIONS`.

## Test Governance Checklist

- [x] Test purpose is classified as Browser/read-only audit evidence.
- [x] Affected validation lanes are recorded before execution.
- [x] No new test family, fixture family, seed, factory, helper, or browser harness is created.
- [x] Browser proof is required as gate output.
- [x] Human Product Sanity and Product Surface close-out are recorded in the final report.
- [x] Final report states Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, browser/test result, deployment impact, visible complexity outcome, and no application implementation.

## Phase 1: Baseline and Safety

**Goal**: Prove the gate starts from a known state and stays read-only.

- [x] T001 Read this spec package: `spec.md`, `plan.md`, `tasks.md`, and `checklists/requirements.md`.
- [x] T002 Confirm current branch, HEAD commit, dirty state, untracked files, and active environment.
- [x] T003 Run `git diff --check` before browser work and record result.
- [x] T004 Record base URL using repo/Laravel configuration or Laravel Boost URL tooling where available.
- [x] T005 Identify available actors/fixtures: workspace admin, customer reviewer, readonly/limited actor, unauthorized actor, cross-workspace actor, and system operator.
- [x] T006 Confirm no application code, tests, migrations, seeders, factories, routes, policies, config, views, generated assets, runtime data, docs outside this spec package, or completed specs will be edited.
- [x] T007 Stop if unrelated dirty state or unsafe environment conditions are present.

## Phase 2: Spec 412 Claim Inspection

**Goal**: Turn Spec 412 claims into focused recheck targets.

- [x] T008 Read `specs/407-full-browser-ux-runtime-audit/spec.md`, `plan.md`, and `tasks.md` as historical context only.
- [x] T009 Read `specs/412-pilot-readiness-remediation-pack/spec.md`, `plan.md`, `tasks.md`, and `implementation-report.md`.
- [x] T010 Extract the Spec 412 claimed remediation for management PDF surfacing.
- [x] T011 Extract the Spec 412 claimed remediation for OperationRun index/detail browser navigation.
- [x] T012 Extract the Spec 412 claimed remediation for finding hash demotion.
- [x] T013 Extract the Spec 412 claimed remediation for readonly provider no-access clarity.
- [x] T014 Record Spec 412 tests/browser proof claimed and any unrelated residual failures documented there.
- [x] T015 Confirm Specs 407 and 412 remain completed/historical context and are not modified.

## Phase 3: Route and Fixture Probe

**Goal**: Identify exact current routes, records, and actors for safe focused proof.

- [x] T016 List or inspect routes matching review, report, PDF, download, operation, finding, provider, connection, signed, and customer report paths.
- [x] T017 Identify a review pack with a ready stored management PDF, or record that no ready fixture exists.
- [x] T018 Identify stored report/report receipt state connected to the selected review pack, or record limitation.
- [x] T019 Identify authorized management PDF download/open route for the selected ready PDF, or record limitation.
- [x] T020 Identify unauthorized and cross-workspace report/PDF direct-route probes that do not expose private signed URLs in the final report.
- [x] T021 Identify valid signed report and unsigned/invalid report probes, or record limitation.
- [x] T022 Identify admin OperationRun index and at least one OperationRun detail route.
- [x] T023 Identify a finding detail route containing prior hash/fingerprint risk or equivalent technical identifiers.
- [x] T024 Identify readonly/limited provider-connection route and authorized comparison route.
- [x] T025 Identify customer review/report path connected to the PDF/report flow where available.

## Phase 4: Management PDF and Report/PDF Recheck

**Goal**: Verify report/PDF state agreement and authorization remain safe.

**Independent Test**: The Report/PDF State Matrix contains ready, missing/failed/unavailable, authorized, unauthorized, cross-workspace, signed, and unsigned outcomes or explicit limitations.

- [x] T026 Open review pack detail for a ready stored management PDF and record expected vs observed primary action.
- [x] T027 Confirm ready PDF state shows ready/download/open and does not show "Generate management PDF" as primary. Live fixture was customer-limited/internal-preview only; recorded as a condition rather than a clean customer-safe positive proof.
- [x] T028 Compare review-pack UI state to stored report/report receipt state.
- [x] T029 Open/download existing management PDF as authorized admin where safe and record outcome without exposing private URL details. Live customer-safe open was unavailable by gate state; existing browser proof was recorded.
- [x] T030 Probe unauthorized direct PDF/download access and record authorization result.
- [x] T031 Probe cross-workspace PDF/download access and record authorization result.
- [x] T032 Open valid signed report route and record customer-safe result. Live signed customer output returned 404 by design for the limited fixture; existing browser proof was recorded.
- [x] T033 Open unsigned/invalid report route and record blocked/invalid-signature result.
- [x] T034 Record customer-safe report output checks for internal proof, raw IDs, raw OperationRun details, raw provider payloads, file paths, stack traces, and private URLs.

## Phase 5: OperationRun Load Recheck

**Goal**: Verify operations pages complete usable browser navigation.

**Independent Test**: Browser proof table records operations index/detail load result, console/runtime state, and authorization outcome.

- [x] T035 Open admin operations index and record load completion, runtime status, console output, network failures, and any timeout distinction.
- [x] T036 Open OperationRun detail and record load completion, runtime status, console output, network failures, and any timeout distinction.
- [x] T037 Confirm no current OperationRun route 500 is observed.
- [x] T038 Confirm no fatal Livewire/Filament error appears.
- [x] T039 Check OperationRun proof links from related surfaces where available.
- [x] T040 Probe unauthorized or cross-workspace OperationRun access where safe and record authorization result.

## Phase 6: Finding Detail Hash Recheck

**Goal**: Verify raw internal hashes are not default product content.

**Independent Test**: Browser proof records finding detail default body and where technical identifiers appear, if present.

- [x] T041 Open selected finding detail as authorized operator.
- [x] T042 Confirm default body does not prominently expose fingerprint hash.
- [x] T043 Confirm default body does not prominently expose scope hash or source fingerprint.
- [x] T044 Confirm technical hashes, if still present, are demoted to collapsed/support/operator/technical detail.
- [x] T045 Confirm customer-facing/default review context does not expose internal hash fields where available.
- [x] T046 Confirm human-readable finding triage information remains available.

## Phase 7: Readonly Provider No-Access Recheck

**Goal**: Verify access remains denied and no-access is clearer/safe.

**Independent Test**: Browser proof records readonly route, authorized comparison, redirect/no-access behavior, and leak checks.

- [x] T047 Open provider-connection route as readonly/limited actor. No live same-workspace missing-capability actor existed; existing browser smoke proof and cross-workspace direct-route probe were recorded.
- [x] T048 Confirm actor remains blocked from unauthorized provider connection access.
- [x] T049 Confirm no confusing authenticated-user-to-login loop occurs.
- [x] T050 Confirm no provider, workspace, or record data leaks to non-entitled actors.
- [x] T051 Confirm no-access/missing permission/missing membership message is clearer and accurate where visible.
- [x] T052 Open authorized provider connection route for comparison where safe.

## Phase 8: Focused Regression Checks

**Goal**: Catch adjacent regressions without widening into a full audit.

- [x] T053 Check customer-safe report output regression.
- [x] T054 Check evidence/currentness labels in report/review path.
- [x] T055 Check report lifecycle state display.
- [x] T056 Check OperationRun authorization regression.
- [x] T057 Check workspace/environment scoping regression.
- [x] T058 Check signed/unsigned report boundary regression.
- [x] T059 Check finding evidence/proof link regression.
- [x] T060 Check provider authorization boundary regression.
- [x] T061 Fill the Focused Regression Matrix with expected, observed, severity, and follow-up.

## Phase 9: Gate Decision and Report

**Goal**: Produce the required gate report and stop before fixes.

- [x] T062 Fill the Spec 407/412 Recheck Matrix.
- [x] T063 Fill the Report/PDF State Matrix.
- [x] T064 Fill the Focused Regression Matrix.
- [x] T065 Fill Browser Proof table with surface, actor, workspace/environment, state, expected, result, and notes.
- [x] T066 Summarize runtime/backend logs, browser console, OperationRun route results, report route results, provider no-access route, and current 500/403/404 findings.
- [x] T067 Summarize authorization and customer-safe boundary results.
- [x] T068 List remaining findings by P0/P1/P2/P3 using the required finding fields.
- [x] T069 Set Focused Pilot Gate Result to `PASS`, `PASS WITH CONDITIONS`, or `FAIL` according to this spec.
- [x] T070 Fill Readiness Decision table for Spec 414, controlled pilot planning, customer-facing hardening, sales/demo scripted path, and broader customer claims.
- [x] T071 Record validation/audit commands run and exact results.
- [x] T072 Record dirty state after the gate, including tracked/untracked changes.
- [x] T073 Confirm no application implementation, code, tests, migrations, config, routes, views, policies, models, services, jobs, Filament resources/pages/widgets, Livewire components, Blade views, CSS, JavaScript, seeders, factories, lock files, generated assets, runtime data, docs outside this package, or completed specs were modified.
- [x] T074 State Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, browser/test result, deployment impact, visible complexity outcome, and no completed-spec rewrite assertion.
- [x] T075 Recommend next step: Spec 414 if gate passes, one bounded remediation spec if gate fails, or explicit exclusions if pass with conditions.

## Explicit Non-Goals

- [x] NT001 Do not perform a full browser/UX/runtime audit.
- [x] NT002 Do not implement fixes.
- [x] NT003 Do not add or modify tests.
- [x] NT004 Do not modify application runtime files.
- [x] NT005 Do not create or mutate fixtures, seed data, database schema, provider connections, memberships, workspaces, environments, reports, restore runs, or runtime data intentionally.
- [x] NT006 Do not execute destructive/high-impact actions.
- [x] NT007 Do not expose private signed URLs, secrets, credentials, raw provider payloads, stack traces, or sensitive customer data in the final report.
- [x] NT008 Do not rewrite completed Specs 407 or 412 or remove validation, task, smoke, browser, screenshot, close-out, or review history from completed specs.

## Dependencies and Execution Order

- Phase 1 blocks all later phases.
- Phase 2 must precede route/fixture probe.
- Phase 3 must precede browser recheck.
- Phases 4 through 8 may be executed in the safest practical order after route/fixture probe.
- Phase 9 must happen last and must stop before remediation.

## Recommended Future Execution Commands

Use Sail where possible and report exact outcomes:

```bash
git status --short --branch
git diff --name-only
git diff --check
git log -1 --oneline
cd apps/platform && ./vendor/bin/sail artisan route:list
cd apps/platform && ./vendor/bin/sail artisan test --filter=ReviewPack
cd apps/platform && ./vendor/bin/sail artisan test --filter=Report
cd apps/platform && ./vendor/bin/sail artisan test --filter=StoredReport
cd apps/platform && ./vendor/bin/sail artisan test --filter=ManagementReport
cd apps/platform && ./vendor/bin/sail artisan test --filter=Pdf
cd apps/platform && ./vendor/bin/sail artisan test --filter=OperationRun
cd apps/platform && ./vendor/bin/sail artisan test --filter=Finding
cd apps/platform && ./vendor/bin/sail artisan test --filter=ProviderConnection
cd apps/platform && ./vendor/bin/sail artisan test --filter=Authorization
```

Run only commands appropriate for the active local environment. Do not claim proof for commands not run.
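
The baseline steps (T002, T003) and the close-out steps (T072, T073) amount to a before/after comparison of repository state. The script below is an added example, not part of this spec package or the project's tooling, showing one way to make that comparison mechanical; the function names and snapshot format are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the spec package: read-only gate guard.
# Function names and the snapshot format are hypothetical.

# Snapshot repository state: HEAD, a hash of all tracked content changes,
# tracked status lines, and a content hash for every untracked file.
gate_snapshot() {
  local repo="$1" path
  printf 'HEAD %s\n' "$(git -C "$repo" rev-parse HEAD)"
  printf 'DIFF %s\n' "$(git -C "$repo" diff HEAD | git hash-object --stdin)"
  git -C "$repo" status --porcelain --untracked-files=no | LC_ALL=C sort
  git -C "$repo" ls-files --others --exclude-standard | LC_ALL=C sort |
    while IFS= read -r path; do
      printf 'UNTRACKED %s %s\n' \
        "$(git -C "$repo" hash-object -- "$path")" "$path"
    done
}

# Print snapshot lines that differ between two snapshot files.
# Empty output means nothing changed between baseline and close-out.
gate_drift() {
  diff "$1" "$2" | grep '^[<>]' || true
}

# Return 0 if the gate stayed read-only, 1 (with the drift listed) otherwise.
gate_verdict() {
  local drift
  drift="$(gate_drift "$1" "$2")"
  if [ -z "$drift" ]; then
    echo "READ-ONLY OK"
    return 0
  fi
  printf 'DRIFT DETECTED\n%s\n' "$drift"
  return 1
}

# Usage: script.sh snapshot [repo] > before.txt   (Phase 1)
#        script.sh snapshot [repo] > after.txt    (Phase 9)
#        script.sh verify before.txt after.txt
case "${1:-}" in
  snapshot) gate_snapshot "${2:-.}" ;;
  verify)   gate_verdict "$2" "$3" ;;
esac
```

Store the snapshot files outside the working tree, otherwise they appear as untracked files and register as drift. Because the `DIFF` line hashes content, a file that was already dirty at baseline and is edited again during the gate is still caught.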