# Tasks: Spec 403 - Evidence Anchor & Currentness Runtime Closure

**Input**: `specs/403-evidence-anchor-currentness-runtime-closure/spec.md`, `plan.md`, `checklists/requirements.md`, user-provided Spec 403 draft, Spec 400 context, Spec 402 implementation report, Product Surface Contract, and repo truth.

**Tests**: Required. This spec changes or verifies runtime evidence/currentness behavior and rendered product claims, so it must include focused Pest Unit/Feature/Filament tests plus focused browser proof for representative rendered paths.

**Completion note**: Tasks covering untouched downstream surfaces are closed by repo-truth inventory, the Evidence/Currentness Coverage Matrix, existing focused proof, and explicit P2 deferrals in `implementation-report.md`. Direct runtime edits were limited to Evidence Overview proof-state/currentness presentation, current-anchor missing/stale/empty-dimension guards, OperationRun default-link demotion, Customer Review Workspace canonical status and status-like decision-title presentation, canonical Evidence Inventory outcome mapping, and Evidence Snapshot artifact-truth classification for missing dimensions. Non-status action headings such as `Draft review exists` remain outside the canonical status-vocabulary claim.

## Test Governance Checklist

- [x] Lane assignment is named and is the narrowest sufficient proof for changed evidence/currentness behavior.
- [x] New or changed tests stay in focused Unit, Feature/Filament, and Browser families; heavy-governance additions are explicit if any.
- [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; any widening is isolated or documented.
- [x] Planned validation commands cover evidence/currentness closure without pulling unrelated full-suite cost.
- [x] The declared surface test profile or `standard-native-filament` relief is explicit.
- [x] Browser proof covers representative rendered evidence/currentness behavior and does not claim full browser audit.
- [x] Human Product Sanity and Product Surface implementation-report close-out are completed.
- [x] Any material budget, baseline, trend, or escalation note is recorded in the implementation report.

## Phase 1: Preparation And Dirty-State Baseline

**Purpose**: Establish safe starting conditions and read all governing context before runtime edits.

- [x] T001 Read `specs/403-evidence-anchor-currentness-runtime-closure/spec.md`, `plan.md`, `tasks.md`, and `checklists/requirements.md`.
- [x] T002 Record current branch, HEAD, dirty state, tracked changed files, untracked files, and `git diff --check` in `specs/403-evidence-anchor-currentness-runtime-closure/implementation-report.md`.
- [x] T003 Re-read `AGENTS.md`, `.specify/memory/constitution.md`, `.specify/README.md`, `docs/ai-coding-rules.md`, `docs/security-guidelines.md`, `docs/testing-guidelines.md`, `docs/architecture-guidelines.md`, `docs/filament-guidelines.md`, and `docs/product/standards/product-surface-contract.md`.
- [x] T004 Re-read `specs/388-resolution-proof-currentness-contract-v1/`, `specs/393-evidence-anchor-reconciliation-v1/`, `specs/400-product-contract-spec-completeness-audit/`, `specs/401-high-risk-admin-action-proof-pack/implementation-report.md`, and `specs/402-resource-policy-authorization-proof-matrix/implementation-report.md` as read-only context; preserve completed-spec history.
- [x] T005 Confirm Spec 402 has no unresolved P0/P1 authorization blocker before making Spec 403 runtime changes; record any residual authorization proof debt that affects evidence links.
- [x] T006 Confirm no new product vocabulary, routes, navigation, customer output category, report/PDF runtime, evidence provider, migration, package, env var, queue/scheduler/storage change, asset registration, or broad browser audit will be included.

## Phase 2: Repo Truth Inventory

**Purpose**: Build the matrix from current code and tests before fixing labels or helpers.

- [x] T007 Inventory evidence anchor/currentness helpers in `apps/platform/app/Services/Evidence/EvidenceAnchorResolver.php`, `EvidenceAnchorResult.php`, `EvidenceSnapshotResolver.php`, `EvidenceSnapshotService.php`, `apps/platform/app/Support/Evidence/EvidenceSnapshotStatus.php`, and `EvidenceCompletenessState.php`.
- [x] T008 Inventory Evidence Overview behavior in `apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php`, including current evidence link resolution, workspace-wide behavior, explicit environment filter behavior, empty states, and row URLs.
- [x] T009 Inventory Evidence Snapshot resource behavior in `apps/platform/app/Filament/Resources/EvidenceSnapshotResource.php` and nested pages, including stale/partial/failed/missing/expired display and authorization.
- [x] T010 Inventory Customer Review Workspace behavior in `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`, especially customer-safe evidence summaries, package/download state, internal proof suppression, and environment filters.
- [x] T011 Inventory Environment Review and Review Publication Resolution behavior in `apps/platform/app/Filament/Resources/EnvironmentReviewResource.php`, nested pages, and `resolve-review-publication.blade.php`, including Spec 388 proof-currentness fields.
- [x] T012 Inventory Review Pack and Stored Report behavior in `apps/platform/app/Filament/Resources/ReviewPackResource.php` and `StoredReportResource.php`, including generated/released evidence basis, report receipt/output links, and OperationRun proof links.
- [x] T013 Inventory OperationRun proof links and access checks in `OperationRunLinks`, `OperationRunPolicy`, Monitoring/Operations pages, and any proof links emitted by review/report/restore/baseline/finding surfaces.
- [x] T014 Inventory restore readiness/proof behavior in `apps/platform/app/Filament/Resources/RestoreRunResource.php`, restore presenters, and restore proof Blade views.
- [x] T015 Inventory baseline compare/evidence behavior in `BaselineCompareMatrix`, baseline resources, baseline evidence providers, and related tests.
- [x] T016 Inventory finding/governance evidence references in finding resources, finding exception evidence references, governance inbox/register surfaces, and related tests.
- [x] T017 Inventory existing tests under `apps/platform/tests/` for evidence overview/resource, Spec 388, Spec 393, customer review workspace, review packs, stored reports, OperationRun access, restore readiness, baseline evidence, finding evidence, and browser proof.
- [x] T018 Inventory repo-real provider freshness or permission-limited state contracts that already affect evidence quality/currentness, and record whether each contract is provider-owned diagnostic detail or platform-core evidence semantics.

## Phase 3: Evidence/Currentness Coverage Matrix

**Purpose**: Create the proof matrix before runtime fixes.

- [x] T019 Create `specs/403-evidence-anchor-currentness-runtime-closure/implementation-report.md` with sections A through M from `spec.md`.
- [x] T020 Add the Evidence/Currentness Coverage Matrix with columns: Surface, Evidence Source, Currentness Source, Released Snapshot Source, Customer-safe Boundary, Internal-only Data Risk, Workspace/Environment Scope, Authorization Mechanism, Test Proof, Browser Proof, Status, Risk, Follow-up.
- [x] T021 Classify Evidence Overview rows and links for current, stale, missing, failed, partial, expired, superseded, wrong-workspace, wrong-environment, unauthorized, and workspace-wide no-environment states.
- [x] T022 Classify Evidence Snapshot detail/list surfaces for stale, failed, partial, missing, expired, source/detail disclosure, and technical proof demotion.
- [x] T023 Classify Review Pack, Environment Review, Customer Review Workspace, and Stored Report surfaces for current runtime evidence versus released/generated evidence.
- [x] T024 Classify customer-safe boundaries for review workspace, review pack output, report output, and any customer-facing labels or downloads.
- [x] T025 Classify OperationRun proof links for authorization, workspace/environment scope, failed/running/cancelled/blocked/succeeded distinction, and customer-safe visibility.
- [x] T026 Classify findings/governance references for current, released/historical, missing, failed, blocked, or needs-attention evidence.
- [x] T027 Classify baseline compare and restore readiness/proof surfaces for stale/missing/failed/partial/expired currentness claims.
- [x] T028 Mark each matrix row as `PASS`, `PASS WITH EXCEPTION`, `MISSING PROOF`, `DEFECT FOUND`, `PRODUCT DECISION REQUIRED`, or `DEFERRED`, with P0/P1/P2/P3/None risk.
- [x] T029 Add matrix rows for any provider freshness or permission-limited evidence-currentness contracts discovered in T018, including source, customer-safe boundary, authorization mechanism, and test proof or deferral.

## Phase 4: Gap Classification

**Purpose**: Decide whether each matrix issue needs a test, a runtime fix, a product decision, or a deferral.

- [x] T030 Classify P0 defects where customer-safe output leaks internal proof, false currentness is shown, released output claims live/current state, or unauthorized evidence/OperationRun proof is accessible.
- [x] T031 Classify P1 missing proof where behavior may be safe but lacks direct tests for critical current/released/customer-safe/OperationRun/scoping paths.
- [x] T032 Classify P2/P3 productization or cleanup debt separately from safety blockers.
- [x] T033 Classify missing product decisions using the categories from the spec draft: blocks customer-output claim, blocks currentness claim, blocks internal proof claim, blocks review-pack/release claim, or can defer.
- [x] T034 Confirm no matrix gap is solved by inventing a new product vocabulary, new status family, new route, or new evidence taxonomy.
- [x] T035 Stop and update spec/plan before implementing if a fix requires new persistence, migrations, a broad proof framework, new evidence provider, report/PDF runtime, provider integration, or lifecycle semantics.

## Phase 5: Tests First - Current Evidence And Anchors

**Purpose**: Prove current evidence behavior before changing runtime code.

- [x] T036 Add or update focused tests for `EvidenceAnchorResolver` proving current evidence is selected only when active, complete, with usable captured dimensions, without missing/stale dimensions, non-expired, scoped to workspace/environment, and authorized.
- [x] T037 Add or update tests proving stale, expired, failed, partial, queued, generating, superseded, wrong-workspace, wrong-environment, and missing evidence cannot produce a current evidence link.
- [x] T038 Add or update Feature/Filament tests for `EvidenceOverview` proving workspace-wide views do not choose arbitrary current evidence and environment-filtered views link only authorized scoped current evidence.
- [x] T039 Add or update Evidence Snapshot resource tests proving stale/partial/failed/missing/expired evidence labels do not imply current/complete/verified proof.
- [x] T040 Add or update cross-workspace and cross-environment denial tests for evidence anchor direct URLs and proof links.

## Phase 6: Tests First - Released And Customer-Safe Proof

**Purpose**: Prove released/customer-safe behavior before runtime changes.

- [x] T041 Add or update tests proving released review-pack evidence stays bound to the released review/pack and does not query arbitrary latest current evidence.
- [x] T042 Add or update tests proving report receipts/output identify generated/released evidence and do not claim live/current runtime state unless an existing contract explicitly says so.
- [x] T043 Add or update Customer Review Workspace tests proving customer-safe output hides EvidenceSnapshot routes, evidence IDs, source keys, detectors, fingerprints, raw provider payloads, OperationRun URLs, internal reason families, and raw diagnostics by default.
- [x] T044 Add or update tests proving missing, failed, stale, expired, or partial released evidence is represented as `Not configured`, `Needs attention`, `Failed`, `Blocked`, or `Expired` rather than customer-safe ready.
- [x] T045 Add or update tests proving newer runtime evidence does not silently rewrite released review/report proof and does not invalidate released evidence without clear existing-contract labeling.

## Phase 7: Tests First - OperationRun, Restore, Baseline, Finding, And Report Proof

**Purpose**: Prove proof-link and downstream readiness claims are scoped and truthful.

- [x] T046 Add or update OperationRun proof tests proving failed, cancelled, blocked, running, stale, wrong-workspace, and wrong-environment runs cannot render as successful current proof.
- [x] T047 Add or update tests proving OperationRun proof links are demoted from the Evidence Overview default proof path and remain hidden or denied when `OperationRunPolicy` or environment entitlement does not allow access.
- [x] T048 Add or update restore readiness/proof tests proving stale/missing/failed/partial/expired preview/check/proof state is not presented as current executable readiness.
- [x] T049 Add or update baseline compare/evidence tests proving stale/missing/failed/partial baseline proof is not presented as current compare proof.
- [x] T050 Add or update finding/governance reference tests proving evidence references distinguish current, released/historical, missing, failed, blocked, or needs-attention proof where applicable.
- [x] T051 Add or update stored report/report output tests proving failed/missing/incomplete reports do not support customer-safe ready proof.
- [x] T052 Add or update tests proving provider freshness or permission-limited state affects evidence/currentness claims only where an existing repo contract connects that provider state to evidence quality, and is otherwise classified as product-decision or follow-up debt.

## Phase 8: Minimal Runtime Closure

**Purpose**: Fix only confirmed defects using existing architecture.

- [x] T053 Update existing evidence/currentness helpers or call sites only where tests prove a false, unsafe, or unscoped claim.
- [x] T054 Correct misleading labels that show stale, failed, partial, missing, expired, or released proof as current, complete, ready, verified, or live.
- [x] T055 Remove or replace arbitrary-latest evidence fallback selectors from product-facing current-evidence surfaces.
- [x] T056 Ensure customer-safe surfaces consume customer-safe summaries and never emit raw evidence/OperationRun technical links by default.
- [x] T057 Ensure released review/report surfaces use release-bound/generated evidence basis and label it separately from current runtime evidence.
- [x] T058 Ensure OperationRun proof is treated as execution/history proof, with default Evidence Overview links demoted and remaining technical OperationRun routes still using existing scoped URL helpers and policies.
- [x] T059 Ensure restore/baseline/finding/report proof labels consume existing readiness/evidence truth rather than inferring success from stale or partial data.
- [x] T060 Keep all Graph/provider calls out of render-time code paths.
- [x] T061 Do not add compatibility aliases, old labels, fallback readers, duplicate UI, or legacy fixtures that preserve wrong evidence/currentness behavior.

## Phase 9: Product Surface And Human Sanity

**Purpose**: Keep rendered behavior calm, customer-safe, and contract-compliant.
- [x] T062 Review and update `docs/ui-ux-enterprise-audit/route-inventory.md` and `docs/ui-ux-enterprise-audit/design-coverage-matrix.md` for touched existing surfaces if runtime UI files or reachable evidence/status semantics change; otherwise record that existing registry entries were reviewed and remain current.
- [x] T063 Confirm Product Surface Contract fields in `implementation-report.md`: no-legacy, UI impact, page archetype, surface budgets, Technical Annex demotion, canonical status vocabulary for proof/readiness and Evidence Inventory outcomes, Product Surface exceptions, visible complexity outcome, browser proof, Human Product Sanity, and UI coverage registry result.
- [x] T064 Confirm no Product Surface exception is required; if one is required, document page, violated rule/budget, reason, and follow-up.
- [x] T065 Run Human Product Sanity on touched customer-safe/readiness/evidence surfaces and record result.
- [x] T066 Confirm visible complexity is neutral or decreased; document any approved increase.
- [x] T067 Confirm no completed historical spec was rewritten, normalized, unchecked, or stripped of close-out/validation/browser history.

## Phase 10: Focused Browser Proof

**Purpose**: Verify representative rendered evidence/currentness behavior without claiming a full browser audit.

- [x] T068 Add or update focused browser smoke `apps/platform/tests/Browser/Spec403EvidenceCurrentnessRuntimeClosureSmokeTest.php` if browser support is available.
- [x] T069 Browser-proof admin Evidence Overview or Evidence Snapshot current/stale/missing/failed/partial behavior.
- [x] T070 Browser-proof Customer Review Workspace or review/report output customer-safe released proof behavior.
- [x] T071 Browser-proof released review/report evidence is not claimed as live current runtime state.
- [x] T072 Browser-proof stale/missing/failed evidence state path.
- [x] T073 Browser-proof unauthorized or cross-workspace/cross-environment evidence-anchor denial.
- [x] T074 Browser-proof OperationRun proof state and default-link demotion.
- [x] T075 Record route/surface, actor, workspace/environment, evidence state, expected result, observed result, console/runtime errors, and screenshot path if screenshots are captured.
- [x] T076 If browser tests are unavailable, record the exact blocker and do not claim browser proof.

## Phase 11: Implementation Report And Validation

**Purpose**: Close the proof loop with explicit result, residual severity, and next-step recommendation.

- [x] T077 Complete implementation report section A with Candidate Gate Result: PASS, PASS WITH CONDITIONS, or FAIL.
- [x] T078 Complete section B with included and explicitly not included scope.
- [x] T079 Complete section C with dirty state before/after, tracked files changed, and untracked files.
- [x] T080 Complete section D with the Evidence/Currentness Coverage Matrix.
- [x] T081 Complete section E with runtime changes made, why needed, and scope risk.
- [x] T082 Complete section F with tests added/updated, positive/negative classification, and result.
- [x] T083 Complete section G with focused browser proof or exact no-browser limitation.
- [x] T084 Complete section H with current vs released proof summary.
- [x] T085 Complete section I with customer-safe boundary proof summary.
- [x] T086 Complete section J with remaining findings by P0/P1/P2/P3.
- [x] T087 Complete section K with deferred items: management PDF staging validation, governance lifecycle/retention, JSONB migration, full browser audit, provider readiness productization, and other items.
- [x] T088 Complete the Filament v5 output contract close-out in `implementation-report.md`: Livewire v4 compliance, panel provider registration location, global-search posture for each touched resource, destructive/high-impact action confirmation and authorization posture, asset strategy, tests/browser result, and deployment impact.
- [x] T089 Complete section L with validation commands and exact results.
- [x] T090 Complete section M with recommended next action: Spec 404 only if Spec 403 passes or conditions are resolved.
- [x] T091 Run targeted Spec 403 tests and record result.
- [x] T092 Run targeted existing regressions for Evidence, Customer Review Workspace, Environment Review, Review Pack, Stored Report, OperationRun access, Restore, Baseline, and Finding surfaces changed by implementation.
- [x] T093 Run focused browser validation command if available and record result.
- [x] T094 Run formatter for changed PHP files and record result.
- [x] T095 Run `git diff --check` and record result.
- [x] T096 Verify changed reports, tests, logs, fixtures, screenshots, and implementation notes do not include secrets, tokens, raw credential payloads, or sensitive raw provider payloads.
- [x] T097 Run final dirty-state commands and confirm no unrelated dirty files were reset, deleted, or cleaned.

## Non-Goals Checklist

- [x] NT001 Do not add new product vocabulary, status family, evidence taxonomy, proof taxonomy, or currentness framework.
- [x] NT002 Do not add new admin, system, customer, navigation, report, PDF, evidence provider, restore, baseline, finding, or lifecycle surfaces.
- [x] NT003 Do not add migrations, JSON-to-JSONB changes, new persisted truth, packages, env vars, queues, scheduler changes, storage changes, or assets.
- [x] NT004 Do not perform broad service/model/Filament refactors.
- [x] NT005 Do not rewrite completed specs or remove historical close-out, validation, smoke, browser, or task history.
- [x] NT006 Do not claim full browser/UX/runtime audit completion.
- [x] NT007 Do not claim browser proof unless browser proof was actually run.
- [x] NT008 Do not proceed to Spec 404 recommendation if P0 remains or unresolved P1 evidence/currentness blockers are unsafe.

## Dependencies And Execution Order

- Phase 1 must complete before runtime edits.
- Phase 2 inventory must complete before Phase 3 matrix decisions.
- T018 must complete before T029 and before runtime fixes that rely on provider freshness or permission-limited evidence state.
- Phase 3 matrix must exist before Phase 4 gap classification.
- T029 must complete before provider-related P0/P1 gap classification is closed.
- Phase 4 must classify gaps before tests or runtime fixes.
- Phases 5-7 tests should precede Phase 8 fixes wherever feasible.
- T052 must precede any provider-freshness runtime correction.
- Phase 8 fixes must stay bounded to confirmed evidence/currentness gaps.
- T062 must complete before Product Surface close-out when runtime UI files or reachable evidence/status semantics change.
- Phase 10 browser proof follows focused hardening and tests.
- Phase 11 closes with report, validation, Filament v5 output contract close-out, dirty state, and next-step recommendation.

## Recommended Implementation Strategy

Treat implementation as a runtime truth-closure loop, not a framework pass. Build the matrix, add failing proof tests for confirmed P0/P1 risks, fix only the smallest currentness/evidence defects, and record exact proof. Preserve current repo helpers unless they demonstrably cannot express the required behavior.