openapi: 3.1.0
info:
  title: Quality Gates / No-Legacy Enforcement Logical Contract
  version: 0.1.0
  summary: Logical enforcement contract for the cutover guardrails that follow Spec 287.
x-canonical-command-authority:
  - specs/288-quality-gates-no-legacy-enforcement/spec.md
  - specs/288-quality-gates-no-legacy-enforcement/plan.md
  - specs/288-quality-gates-no-legacy-enforcement/tasks.md
  - specs/288-quality-gates-no-legacy-enforcement/quickstart.md
paths:
  /__logical/guardrails/legacy-route-paths:
    get:
      summary: Retired route/path enforcement contract
      operationId: getLegacyRoutePathGuardContract
      responses:
        '200':
          description: Exact retired route/path families and scan exclusions for cutover enforcement
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LegacyRoutePathGuardContract'
  /__logical/guardrails/route-emission:
    get:
      summary: Canonical emitted URL enforcement contract
      operationId: getRouteEmissionGuardContract
      responses:
        '200':
          description: Canonical launch-point URL rules for cutover-owned seams
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RouteEmissionGuardContract'
  /__logical/guardrails/tenant-panel-helper:
    get:
      summary: Retired tenant-panel helper enforcement contract
      operationId: getTenantPanelHelperGuardContract
      responses:
        '200':
          description: Forbidden bootstrapping helpers and panel-selection patterns on owned seams
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TenantPanelHelperGuardContract'
  /__logical/guardrails/provider-core-boundary:
    get:
      summary: Provider-core boundary enforcement contract
      operationId: getProviderCoreBoundaryGuardContract
      responses:
        '200':
          description: Shared provider-boundary seams and forbidden platform-core regressions
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProviderCoreBoundaryGuardContract'
  /__logical/guardrails/environment-scope-role-authority:
    get:
      summary: Workspace-role and environment-scope authority enforcement contract
      operationId: getEnvironmentScopeRoleAuthorityGuardContract
      responses:
        '200':
          description: Current authority invariants that must remain true
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EnvironmentScopeRoleAuthorityGuardContract'
  /__logical/guardrails/browser-smoke-gates:
    get:
      summary: Targeted browser smoke contract
      operationId: getBrowserSmokeGateContract
      responses:
        '200':
          description: Named browser smoke anchors and their visible continuity obligations
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BrowserSmokeGateContract'
  /__logical/guardrails/baseline-classification:
    get:
      summary: Classification-only broader baseline handling contract
      operationId: getBaselineClassificationContract
      responses:
        '200':
          description: Current lane/report seams used to classify broader baseline fallout without owning repair
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BaselineClassificationContract'
  /__logical/guardrails/targeted-validation:
    get:
      summary: Targeted validation contract
      operationId: getTargetedValidationContract
      responses:
        '200':
          description: Exact minimal proof commands and the out-of-scope repair boundary
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TargetedValidationContract'
components:
  schemas:
    LegacyRoutePathGuardContract:
      type: object
      required:
        - retiredPathFamilies
        - scanExclusions
        - enforcementBehavior
      properties:
        retiredPathFamilies:
          type: array
          items:
            type: string
          default:
            - /admin/tenants/{tenant:slug}/provider-connections...
            - /admin/t/{tenant}/provider-connections
            - /admin/t/{tenant}/required-permissions
            - /admin/t/{tenant}/memberships
            - /admin/t/t/{tenant}/...
        scanExclusions:
          type: array
          items:
            type: string
          default:
            - database/migrations/**
            - references/**
            - docs/**
            - specs/**
            - spechistory/**
            - vendor/**
            - storage/**
            - public/build/**
            - bootstrap/cache/**
        enforcementBehavior:
          type: string
          const: Exact retired route/path families fail targeted guards with path-specific messages.
    RouteEmissionGuardContract:
      type: object
      required:
        - canonicalFamilies
        - ownedLaunchPointSeams
        - forbiddenEmissions
      properties:
        canonicalFamilies:
          type: array
          items:
            type: string
          default:
            - /admin/provider-connections...
            - /admin/workspaces/{workspace}/environments/{managed_environment}/...
        ownedLaunchPointSeams:
          type: array
          items:
            type: string
          default:
            - apps/platform/app/Providers/Filament/AdminPanelProvider.php
            - apps/platform/app/Filament/Resources/TenantResource.php
            - apps/platform/app/Support/OperationRunLinks.php
            - apps/platform/app/Support/Verification/VerificationLinkBehavior.php
        forbiddenEmissions:
          type: array
          items:
            type: string
          default:
            - /admin/tenants/{tenant:slug}/provider-connections...
            - /admin/t/{tenant}/provider-connections
            - /admin/t/{tenant}/required-permissions
            - /admin/t/{tenant}/memberships
            - /admin/t/t/{tenant}/...
    TenantPanelHelperGuardContract:
      type: object
      required:
        - forbiddenPatterns
        - ownedSeams
        - exceptionRule
      properties:
        forbiddenPatterns:
          type: array
          items:
            type: string
          default:
            - setTenantPanelContext(
            - getPanel('tenant')
            - setCurrentPanel('tenant')
        ownedSeams:
          type: array
          items:
            type: string
          default:
            - apps/platform/tests/Pest.php
            - apps/platform/tests/Feature/Guards/**
            - apps/platform/tests/Browser/**
        exceptionRule:
          type: string
          const: Exceptions beyond pinned historical directories must be file-scoped and justified.
    ProviderCoreBoundaryGuardContract:
      type: object
      required:
        - seamInputs
        - forbiddenPlatformCoreSignals
        - allowedProviderOwnedDetail
      properties:
        seamInputs:
          type: array
          items:
            type: string
          default:
            - apps/platform/app/Support/Providers/Boundary/ProviderBoundaryCatalog.php
            - apps/platform/app/Services/Providers/ProviderIdentityResolution.php
            - apps/platform/app/Services/Providers/ProviderOperationRegistry.php
        forbiddenPlatformCoreSignals:
          type: array
          items:
            type: string
          default:
            - graphOptions
            - client_request_id
            - provider binding truth in operation definitions
        allowedProviderOwnedDetail:
          type: array
          items:
            type: string
          default:
            - provider-specific identifiers nested under provider-owned detail
            - provider-specific consent links nested under provider-owned detail
            - provider-specific diagnostics nested under provider-owned detail
    EnvironmentScopeRoleAuthorityGuardContract:
      type: object
      required:
        - authoritySource
        - invariants
        - forbiddenBehaviors
      properties:
        authoritySource:
          type: string
          const: workspace_memberships
        invariants:
          type: array
          items:
            type: string
          default:
            - wrong-scope denials stay 404
            - in-scope capability denials stay 403
            - direct role edits on managed-environment scope remain rejected
        forbiddenBehaviors:
          type: array
          items:
            type: string
          default:
            - managed-environment scope acting as a second role matrix
            - mirrored workspace role values becoming environment role truth
    BrowserSmokeGateContract:
      type: object
      required:
        - smokeAnchors
        - requiredAssertions
        - laneOwnership
      properties:
        smokeAnchors:
          type: array
          items:
            type: string
          default:
            - apps/platform/tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php
            - apps/platform/tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php
        requiredAssertions:
          type: array
          items:
            type: string
          default:
            - canonical route continuity
            - no JavaScript errors
            - no console errors
        laneOwnership:
          type: string
          const: browser
    BaselineClassificationContract:
      type: object
      required:
        - classificationSeams
        - reviewRule
        - forbiddenOwnershipClaim
      properties:
        classificationSeams:
          type: array
          items:
            type: string
          default:
            - apps/platform/tests/Support/TestLaneManifest.php
            - apps/platform/tests/Support/TestLaneReport.php
            - apps/platform/tests/Feature/Guards/BrowserLaneIsolationTest.php
            - apps/platform/tests/Feature/Guards/CiLaneFailureClassificationContractTest.php
            - apps/platform/tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php
            - README.md
            - scripts/platform-test-report
        reviewRule:
          type: string
          const: Broader baseline fallout is classified only under Spec 288.
        forbiddenOwnershipClaim:
          type: string
          const: Spec 288 does not own unrelated full-suite repair.
    TargetedValidationContract:
      type: object
      required:
        - commandAuthorities
        - commandIds
        - outOfScopeProof
      properties:
        commandAuthorities:
          type: array
          items:
            type: string
          default:
            - specs/288-quality-gates-no-legacy-enforcement/spec.md
            - specs/288-quality-gates-no-legacy-enforcement/plan.md
            - specs/288-quality-gates-no-legacy-enforcement/tasks.md
            - specs/288-quality-gates-no-legacy-enforcement/quickstart.md
        commandIds:
          type: array
          items:
            type: string
          default:
            - guard-proof-command
            - browser-proof-command
            - formatting-command
        outOfScopeProof:
          type: array
          items:
            type: string
          default:
            - no runtime cutover repair
            - no provider-core rewrite
            - no RBAC rewrite
            - no Package Execution Contract work
            - no Guided Operations work
            - no full-suite repair program