# Tasks: Spec 412 - Pilot Readiness Remediation Pack **Input**: `specs/412-pilot-readiness-remediation-pack/spec.md`, `plan.md`, `checklists/requirements.md`, user-provided Spec 408 draft, Spec 407 findings, Product Surface Contract, roadmap/spec-candidate truth, and repo inventory. **Prerequisites**: Review `AGENTS.md`, `.specify/memory/constitution.md`, `docs/ai-coding-rules.md`, `docs/product/standards/product-surface-contract.md`, `docs/filament-guidelines.md`, `docs/security-guidelines.md`, `docs/testing-guidelines.md`, and this spec package before runtime edits. **Tests**: Required. Runtime behavior changes need focused Pest feature/Filament/Livewire tests plus focused browser proof. No full browser audit claim. ## Test Governance Checklist - [x] Lane assignment is named and is the narrowest sufficient proof for each changed behavior. - [x] New or changed tests stay in the smallest honest family, and browser proof is explicit and focused. - [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default. - [x] Planned validation commands cover the four included findings without pulling in unrelated lane cost. - [x] The declared surface test profiles are explicit: shared-detail-family, monitoring-state-page, exception-coded-surface. - [x] Browser proof is completed for rendered UI changes. - [x] Human Product Sanity and Product Surface implementation-report close-out are completed. - [x] Any material budget, baseline, trend, or escalation note is recorded in the implementation report. ## Phase 1: Safety, Inventory, And Reproduction **Purpose**: Confirm repo state, locate exact runtime ownership, and reproduce/validate each Spec 407 finding before fixing. - [x] T001 Record `git status --short --branch`, `git diff --name-only`, and `git diff --check` before implementation. - [x] T002 Read `specs/412-pilot-readiness-remediation-pack/spec.md`, `plan.md`, `tasks.md`, and `checklists/requirements.md`. - [x] T003 Confirm no completed Specs 400-407 are edited or normalized. - [x] T004 Inventory review/report/PDF routes, resources, controllers, services, and tests related to ReviewPack, StoredReport, ManagementReportPdf, signed downloads, and customer reports. - [x] T005 Inventory operations index/detail routes, `Operations` page, `TenantlessOperationRunViewer`, views, OperationRun link helpers, polling/readiness behavior, and existing tests. - [x] T006 Inventory finding detail rendering, fingerprint/source hash fields, technical detail sections, customer-safe report/finding surfaces, and existing finding tests. - [x] T007 Inventory provider-connection route, resource, middleware/policy, readonly/no-access behavior, and existing ProviderConnections tests. - [x] T008 Reproduce or validate the ready-management-PDF-not-surfaced finding with existing or minimally created local fixtures. - [x] T009 Reproduce or validate operations route browser timeout/no-current-500 behavior with focused browser navigation. - [x] T010 Reproduce or validate finding fingerprint/scope hash default-body exposure. - [x] T011 Reproduce or validate readonly provider-connection no-access copy/redirect behavior. - [x] T012 Document any non-reproducible finding and the proof that makes it non-reproducible without marking it fixed prematurely. ## Phase 2: Review Pack / Management PDF Surfacing (P1) **Goal**: Ready stored management PDFs surface as ready/downloadable, not primarily as generate. **Independent Test**: A ready ReviewPack with a ready management-report StoredReport renders a ready/download action for authorized users and keeps unauthorized/cross-workspace direct download blocked. ### Tests First - [x] T013 Add or update a ReviewPack/Filament test proving a ready management PDF renders ready/download/open state on review pack detail. - [x] T014 Add or update a test proving `Generate management PDF` is not the primary action when a valid ready management PDF exists. - [x] T015 Add or update tests for missing, failed, unavailable, expired, or inconsistent PDF/file states so they are not shown or served as ready. - [x] T016 Add or update signed download authorization tests proving authorized download works and unauthorized/cross-workspace direct download remains blocked. - [x] T017 Add or update signed vs unsigned report route tests proving customer report behavior does not regress. ### Implementation - [x] T018 Verify and harden `ManagementReportPdfService::findReadyReport()` and related decision methods so they use the correct same-scope ReviewPack/StoredReport source truth. - [x] T019 Update `apps/platform/app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php` only as needed so ready PDF state wins over generate as the primary state. Existing implementation already satisfied this and was verified by Spec379 tests/browser proof. - [x] T020 Update `ManagementReportPdfService` only if tests prove the UI is reading an incomplete or inconsistent state source. Repeat final review proved incomplete service-level scope checks, so ready/active/retry/run-bound management PDF lookups were hardened. - [x] T021 Preserve existing management PDF generation confirmation, authorization, audit/OperationRun behavior, `OperationUxPresenter` use, and signed download behavior. - [x] T022 Ensure failed/missing/inconsistent PDF states use safe product copy and canonical status vocabulary without adding a new status family. - [x] T023 Confirm customer-safe report boundaries remain intact: no raw OperationRun internals, raw provider payloads, file paths, or stack traces. ## Phase 3: OperationRun Route Load Completion (P2) **Goal**: Operations index/detail complete browser navigation without current 500s, fatal Livewire/Filament errors, or indefinite readiness blockers. **Independent Test**: Operations index and detail render DB-only for an entitled workspace actor, hide unauthorized/cross-workspace runs, and complete focused browser navigation. ### Tests First - [x] T024 Add or update operations HTTP/Filament tests proving `/admin/workspaces/{workspace}/operations` renders for an entitled actor. - [x] T025 Add or update operations detail tests proving `/admin/workspaces/{workspace}/operations/{run}` renders for an entitled actor. - [x] T026 Add or update DB-only/no-outbound-HTTP assertions for operations index/detail render paths. - [x] T027 Add or update authorization/isolation tests for workspace, managed environment, tenantless, and cross-workspace OperationRun access. - [x] T028 Add or update tests for bounded query/loading behavior if reproduction points to heavy payloads or unbounded relationships. ### Implementation - [x] T029 Inspect operations page polling, Livewire hydration, table filters/search/pagination, eager loading, and view payloads for browser-readiness blockers. - [x] T030 Fix only the smallest operations page/view/query/readiness issue proven by reproduction. No operations page fix was required; focused proof passed. - [x] T031 Ensure operations pages keep raw payloads, stack traces, debug metadata, and technical internals out of default content. - [x] T032 Ensure any intentional polling or pending request does not prevent browser readiness detection in focused proof. - [x] T033 Preserve canonical `OperationRunLinks` and tenant/workspace-safe URL resolution. - [x] T034 Preserve OperationRun lifecycle truth and avoid direct status/outcome transitions outside `OperationRunService`. ## Phase 4: Finding Detail Internal Hash Demotion (P2) **Goal**: Finding detail default body presents human-readable triage context and demotes raw hashes to technical/support detail if retained. **Independent Test**: A finding with fingerprint/source hash values renders default detail without prominent raw hash labels/values while authorized technical detail can still expose needed diagnostics. ### Tests First - [x] T035 Add or update a finding detail render test proving `Fingerprint`, `scope hash`, `source_fingerprint`, and equivalent hash values are not prominent default body content. - [x] T036 Add or update customer/read-only/default-output tests proving raw hashes do not leak into customer-safe/default finding content. - [x] T037 Add or update a support/operator technical detail test only if the implementation retains hashes behind a collapsed or gated section. ### Implementation - [x] T038 Update `apps/platform/app/Filament/Resources/FindingResource.php` only as needed to move `fingerprint` and related hash fields out of the default detail body. - [x] T039 Preserve human-readable finding title, severity, affected scope, evidence/proof link where authorized, recommendation, owner/status, and next action. - [x] T040 If hashes remain accessible, place them in collapsed/support/operator technical detail and gate or demote them according to existing patterns. - [x] T041 Do not remove support diagnostics entirely if an existing workflow depends on them. - [x] T042 Do not create a new finding taxonomy, status family, or diagnostic framework. ## Phase 5: Readonly Provider-Connection No-Access Clarity (P3) **Goal**: Authenticated readonly/limited actors remain blocked from unauthorized provider-connection routes but receive a clearer no-access outcome. **Independent Test**: Readonly access remains denied, non-member/cross-workspace access remains non-leaky, and the result no longer misleadingly implies unauthenticated login when the actor is authenticated. ### Tests First - [x] T043 Add or update ProviderConnections tests for readonly provider-connection route no-access behavior. - [x] T044 Add or update tests proving non-member/cross-workspace direct provider-connection access does not leak record existence. - [x] T045 Add or update tests proving member-but-missing-capability receives a 403 or safe denied outcome according to existing policy semantics. - [x] T046 Add or update tests proving no redirect loop and no provider detail leak. - [x] T047 Add or update tests proving an authenticated unauthorized provider actor is not redirected to a login prompt unless actually unauthenticated. ### Implementation - [x] T048 Identify whether the confusing outcome is owned by provider resource authorization, workspace/environment middleware, panel authentication, or copy/flash handling. - [x] T049 Improve only the owning route/resource/middleware/copy path needed for authenticated readonly clarity. - [x] T050 Preserve provider view/manage capability checks and workspace/environment membership rules. - [x] T051 Preserve deny-as-not-found semantics for non-members and cross-workspace actors. - [x] T052 Do not expand provider access, provider onboarding, or provider readiness productization. ## Phase 6: Product Surface, Browser Proof, And Close-Out **Goal**: Prove the four remediations without claiming a new full browser audit. - [x] T053 Run focused browser proof for a ready management PDF review pack detail state. - [x] T054 Run focused browser proof for missing/failed/unavailable PDF state where fixture support exists. - [x] T055 Run focused browser proof for authorized management PDF download/open. Browser proof verifies the rendered download action; feature tests verify the signed binary route. - [x] T056 Run focused browser proof for unauthorized or unsigned report/PDF path blocked. Server-side signed/unsigned and cross-workspace route blocking is covered by focused feature tests; browser proof covers rendered action state. - [x] T057 Run focused browser proof for operations index navigation completion. - [x] T058 Run focused browser proof for operations detail navigation completion. - [x] T059 Run focused browser proof for finding detail default view without prominent raw hashes. - [x] T060 Run focused browser proof for readonly provider-connection no-access behavior. Browser proof covers the rendered provider no-access outcome; feature tests cover the member-missing-capability redirect branch. - [x] T061 Capture browser console, Livewire/Filament errors, network failures, 500s, and redirect-loop evidence for every focused proof path. - [x] T062 Complete Human Product Sanity for affected review/report, operations, finding, and provider no-access surfaces. - [x] T063 Create `specs/412-pilot-readiness-remediation-pack/implementation-report.md` with the exact report sections required by the source draft. - [x] T064 Complete the Spec 407 Finding Remediation Matrix in the implementation report. - [x] T065 Complete the Report/PDF State Matrix in the implementation report. - [x] T066 Record Product Surface exceptions as `none` or document a bounded exception with follow-up before merge. - [x] T067 Record UI Action Matrix confirmation, Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, tests/browser result, deployment impact, visible complexity outcome, and no completed-spec rewrite assertion. ## Phase 7: Validation - [x] T068 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter=ReviewPack`. Ran; broad lane has unrelated residual failures recorded in the implementation report while in-scope ReviewPack/PDF tests passed. - [x] T069 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter=ManagementReport`. Ran; Spec379/404 management PDF tests passed, older Spec366 rendered-report browser test failed and is recorded in the implementation report. - [x] T070 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter=OperationRun`. Ran; an in-scope `report.management.generate` actionability registry gap was fixed, final manual review added ready management PDF artifact-resolution proof, repeat final review hardened the underlying management PDF service lookups, and focused operation tests passed; remaining broad residuals are recorded in the implementation report. - [x] T071 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter=Operations`. Ran; focused operations route/readiness tests passed and broad residual failures are recorded in the implementation report. - [x] T072 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter=Finding`. Ran; focused finding demotion tests passed and broad residual failures are recorded in the implementation report. - [x] T073 Run `cd apps/platform && ./vendor/bin/sail artisan test --filter=ProviderConnection`. Ran; focused provider no-access tests passed and broad residual failures are recorded in the implementation report. - [x] T074 Run the smallest broader relevant suite after targeted tests pass, normally `cd apps/platform && ./vendor/bin/sail artisan test`. Full suite not run because the broader validation filters already expose unrelated residual failures; final expanded focused suite passed with 131 tests and 871 assertions. - [x] T075 Run `git diff --check`. - [x] T076 Record final `git status --short --branch` in the implementation report. ## Non-Goals / Stop Conditions - [x] NT001 Do not create new report templates, PDF renderer architecture, report workflow architecture, review-pack product concepts, or customer review surfaces. - [x] NT002 Do not create a new operations dashboard, OperationRun state model, finding taxonomy, provider onboarding flow, or provider access model. - [x] NT003 Do not implement legal hold, purge, export-before-delete governance, staging/Dokploy validation, JSONB migration, commercial lifecycle, support desk integration, or full browser audit. - [x] NT004 Do not add top-level navigation or major pages. - [x] NT005 Do not introduce new persisted entities, status families, enums, source-of-truth objects, provider registries, or cross-domain UI frameworks. - [x] NT006 Do not rewrite completed Specs 400-407 or remove validation, task, smoke, browser, screenshot, close-out, or review history from completed specs. - [x] NT007 Stop and update spec/plan before continuing if a fix requires broader architecture or product decisions beyond the four included findings.