# Tasks: Environment CTA Explicit Filter Contract **Input**: [spec.md](/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/315-environment-cta-explicit-filter-contract/spec.md), [plan.md](/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/315-environment-cta-explicit-filter-contract/plan.md) **Prerequisites**: Spec 313 audit context and Spec 314 clean sidebar/global workspace hub contract are treated as completed baseline context. **Important**: These are implementation tasks for the next phase. This preparation pass does not implement runtime code. ## Phase 1: Guardrails and Baseline - [x] T001 Verify the work starts from branch `315-environment-cta-explicit-filter-contract` and the worktree has no unrelated user changes before runtime edits. - [x] T002 Re-read Spec 313 and Spec 314 summaries for the sidebar/global clean-entry baseline before changing workspace hub query behavior. - [x] T003 Confirm current Laravel/Filament/Livewire versions through Laravel Boost `application_info` before implementation. - [x] T004 Confirm no migration, seeder, package, env var, queue, scheduler, storage, or deployment asset change is required. - [x] T005 Identify the concrete Environment Dashboard and Environment-owned CTA/link call sites that target critical workspace hubs. ## Phase 2: Tests First - Canonical Contract - [x] T006 Add focused resolver tests for a valid `environment_id`, absent `environment_id`, malformed `environment_id`, and cross-workspace `environment_id`. - [x] T007 Add `it_environment_owned_ctas_use_environment_id_for_workspace_hub_filters` covering Operations, Governance Inbox, Decision Register, Finding Exceptions Queue, Provider Connections, Evidence, Reviews, and Customer Reviews. - [x] T008 Add `it_workspace_hubs_accept_environment_id_as_explicit_filter` for critical hubs with visible chip, filtered seeded data where available, and clean clear link assertions. - [x] T009 Add `it_workspace_hubs_do_not_apply_legacy_environment_filter_params` covering `tenant`, `tenant_id`, `managed_environment_id`, `tenant_scope`, `environment`, and `tableFilters`. - [x] T010 Add `it_environment_filter_must_belong_to_current_workspace` for at least one representative hub, then extend through shared resolver coverage. - [x] T011 Add `it_environment_filtered_workspace_hubs_keep_workspace_shell_context` for critical hubs where shell/context assertions are testable. - [x] T012 Add `it_environment_filtered_workspace_hubs_do_not_show_all_environments_as_primary_scope` covering Operations, Provider Connections, Customer Reviews, and Finding Exceptions Queue. - [x] T013 Add `it_environment_filter_chip_clear_link_points_to_clean_workspace_hub_url` for each critical hub. - [x] T014 Add `it_sidebar_workspace_hub_entry_remains_clean_after_environment_cta_filter_work` as a Spec 314 regression test. - [x] T015 Add `it_decision_register_supports_clean_and_environment_filtered_workspace_urls`. ## Phase 3: Shared Resolver and URL Contract - [x] T016 Create or reuse `apps/platform/app/Support/Navigation/WorkspaceHubEnvironmentFilter.php` as a narrow request-scoped resolver. - [x] T017 Make the resolver read only `environment_id` and ignore all legacy keys as filter inputs. - [x] T018 Make the resolver validate Managed Environment by primary key inside the current Workspace only. - [x] T019 Make invalid or cross-workspace `environment_id` return 404 or the existing safe no-access convention without leaking existence. - [x] T020 Add resolver helpers for `hasFilter()`, `environment()`, `environmentId()`, `displayName()`, `applyToQuery()`, and clean hub clear URL generation, adjusted to repo style. - [x] T021 Keep the resolver independent from `Filament::getTenant()`, remembered Environment state, provider external tenant IDs, slugs, and workspace switching. - [x] T022 Update `WorkspaceHubRegistry` only as needed to keep Spec 314 clean-entry behavior separate from valid explicit Environment CTA filter entry. ## Phase 4: Environment-Owned CTA URL Hard Cutover - [x] T023 Update `apps/platform/app/Support/ManagedEnvironmentLinks.php` so workspace hub Environment filters use `environment_id` with the Managed Environment database ID. - [x] T024 Update `apps/platform/app/Support/Operations/OperationRunLinks.php` where Environment-owned links target workspace hubs. - [x] T025 Update Environment Dashboard cards/header actions to emit `environment_id` for in-scope workspace hub CTAs. - [x] T026 Update Environment Governance Overview, provider readiness/onboarding, required permissions, permission posture, findings/drift, evidence, review, support, report, and provider connection link helpers where they target workspace hubs. - [x] T027 Remove CTA generation of `tenant`, `tenant_id`, `managed_environment_id`, `tenant_scope`, `environment`, and `tableFilters` for Environment CTA filter behavior. - [x] T028 Add or update tests proving no Environment-owned CTA to a workspace hub emits legacy Environment filter params. ## Phase 5: Shared Visible Filter Chip - [x] T029 Create or reuse a shared chip partial/primitive under `apps/platform/resources/views/filament/` for workspace hub Environment filters. - [x] T030 Ensure the chip renders only for a valid resolver result and displays `Environment filter: {display name}` or equivalent Environment wording. - [x] T031 Ensure the chip includes a `Clear filter` link to the clean workspace hub URL without `environment_id` or legacy params. - [x] T032 Ensure the chip does not use `Tenant`, `current tenant`, active Environment shell wording, ad-hoc status colors, or a new styling system. ## Phase 6: Critical Hub Runtime Changes - [x] T033 Update Operations to read the shared resolver, accept only `environment_id`, filter data to the selected Environment, render the shared chip, and avoid primary `All environments` wording while filtered. - [x] T034 Update Governance Inbox to hard-cut existing Environment filtering to `environment_id`, render the shared chip, filter data, and keep clean URL workspace-wide. - [x] T035 Update Decision Register to hard-cut existing Environment filtering to `environment_id`, support clean and filtered URLs, render the shared chip, and avoid 403 caused by absent filter. - [x] T036 Update Finding Exceptions Queue to replace legacy `tenant` CTA query behavior with `environment_id`, render the shared chip, filter data, and keep clean URL workspace-wide. - [x] T037 Update Provider Connections / Integrations to accept only `environment_id` for explicit Environment CTA filtering and avoid provider external tenant ID as the CTA filter key. - [x] T038 Update Evidence Overview to accept only `environment_id`, render the shared chip, filter rows/search/list data consistently, and document if filtering remains in-memory. - [x] T039 Update Reviews / Review Register to accept only `environment_id`, render the shared chip, filter review list data, and keep clean URL workspace-wide. - [x] T040 Update Customer Review Workspace to accept only `environment_id`, render the shared chip, filter customer-safe data, and remain workspace-scoped. ## Phase 7: Conditional Hubs and Exclusions - [x] T041 Classify Audit Log as Environment-filterable or not. If filterable, implement `environment_id` and visible chip; otherwise prevent Environment CTAs from passing filters and document exclusion. - [x] T042 Classify Alerts / Alert Deliveries / Rules / Destinations as Environment-filterable or not, then implement or exclude according to the spec. - [x] T043 Classify Reports / Stored Reports as workspace-owned Environment-filterable or environment-routed, then implement or exclude according to the spec. - [x] T044 Classify Support Requests as workspace-owned Environment-filterable or out of scope, then implement or exclude according to the spec. ## Phase 8: Legacy Alias Rejection and Clean Entry Regression - [x] T045 Search for workspace hub parsing of `tenant`, `tenant_id`, `managed_environment_id`, `tenant_scope`, `environment`, and `tableFilters`; remove or quarantine acceptance for the Spec 315 Environment CTA filter contract. - [x] T046 Preserve any unrelated legacy behavior only when outside Environment CTA filter scope, and document any intentionally deferred cleanup for Spec 317. - [x] T047 Re-run Spec 314 workspace hub navigation tests to confirm sidebar/global clean entry remains workspace-wide. - [x] T048 Verify clean hub URLs do not restore Environment filter state through remembered Environment or shell context. ## Phase 9: Browser Verification - [x] T049 Start the local platform stack using Sail or the repo's platform dev command. - [x] T050 Run Flow A from Environment Dashboard CTA for Operations, Governance Inbox, Decision Register, Finding Exceptions Queue, Provider Connections, Evidence, Reviews, and Customer Reviews. - [x] T051 Run Flow B clean sidebar/global regression for the same critical hubs. - [x] T052 Run Flow C clear-link smoke for the same critical hubs. - [x] T053 Save screenshots where useful under `specs/315-environment-cta-explicit-filter-contract/artifacts/screenshots/`. - [x] T054 Document any clear-filter limitations deferred to Spec 316. ## Phase 10: Final Validation - [x] T055 Run focused Pest tests for Spec 315 resolver, CTA URL, page contract, legacy param rejection, cross-workspace rejection, clear link, Decision Register, and sidebar regression coverage. - [x] T056 Run existing related Spec 314 tests to prove no clean-entry regression. - [x] T057 Run formatting/static checks expected by the touched files, including Pint if PHP files changed. - [x] T058 Run `git diff --check`. - [x] T059 Prepare final implementation report with changed behavior, canonical filter, files changed, tests, browser verification, remaining follow-ups, hubs supporting `environment_id`, CTAs updated, legacy params removed/ignored, intentional exclusions, and clear-filter limitations. - [x] T060 Confirm final report states no migrations, seeders, packages, env vars, queues, scheduler, storage changes, compatibility layer, or legacy alias support were introduced. ## Explicit Non-Tasks - [x] NT001 Do not implement full persisted/session/deferred clear-filter internals; leave to Spec 316 unless immediate clean URL correctness fails. - [x] NT002 Do not perform broad legacy Tenant / Environment naming cleanup; leave to Spec 317. - [x] NT003 Do not build durable browser regression guard infrastructure; leave to Spec 318. - [x] NT004 Do not make workspace hubs Environment-owned pages. - [x] NT005 Do not introduce dual-param support, compatibility middleware, or adapter layers.