# Tasks: Spec 392 - Customer Output Gating & Review Pack Navigation v1 **Input**: `specs/392-customer-output-gating-review-pack-navigation/spec.md` and `plan.md` **Prerequisites**: Spec artifacts prepared; implementation must start from repo-truth verification and must not modify completed context specs. **Tests**: Required. This is a customer-output trust boundary and route-gating change with Unit, Feature/HTTP, Filament/Livewire, and bounded Browser proof. ## Test Governance Checklist - [x] Lane assignment is named and narrow: Unit for gate derivation, Feature/HTTP for direct routes, Filament/Livewire for action labels/state, Browser for final trust-path proof. - [x] New or changed tests stay in the smallest honest family; Browser coverage is one explicit Spec 392 smoke file. - [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default. - [x] Planned validation commands cover the change without pulling unrelated heavy-governance cost. - [x] The declared surface profile is customer-safe strategic review surface + artifact download route. - [x] Any unreachable safe/unsafe state is documented in the active spec package rather than faked. ## Phase 1: Repo Truth And Action Inventory **Purpose**: Confirm all output paths before changing behavior and prevent reopening completed specs. - [x] T001 Re-read `specs/392-customer-output-gating-review-pack-navigation/spec.md`, `plan.md`, `tasks.md`, and `checklists/requirements.md`. - [x] T002 Re-read completed context specs as read-only inputs only: `specs/342-customer-review-workspace-final-consumption-productization`, `specs/347-review-pack-output-contract-readiness-semantics`, `specs/351-review-output-resolve-actions-v1`, and `specs/372-customer-auditor-surface-safety-pass`. - [x] T003 Re-read `specs/browser-productization-bug-audit/browser-bug-report.md` and confirm BUG-007 remains in scope as a CTA truthfulness defect. - [x] T004 Confirm current branch and dirty state with `git status --short --branch` and `git log -1 --oneline`. - [x] T005 Inventory every customer-output open/download action or route in `apps/platform/app`, `apps/platform/routes`, `apps/platform/resources`, and `apps/platform/lang` using search terms from the spec. - [x] T006 Record the action inventory in the implementation notes or PR close-out: label, page/route, destination, current visibility condition, current authorization, customer-facing/internal classification, and whether it streams/renders/links output. - [x] T007 Inspect existing readiness/disclosure sources before adding a new helper: - `apps/platform/app/Support/ReviewPacks/ReviewPackOutputReadiness.php` - `apps/platform/app/Support/ReviewPacks/ReviewPackOutputResolutionGuidance.php` - `apps/platform/app/Support/ReviewPacks/ReportDisclosurePolicy.php` - [x] T008 Inspect current route/controller behavior: - `apps/platform/app/Http/Controllers/ReviewPackDownloadController.php` - `apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php` - `apps/platform/app/Http/Controllers/ManagementReportPdfDownloadController.php` - `apps/platform/routes/web.php` - [x] T009 Inspect current UI/action behavior: - `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php` - `apps/platform/resources/views/filament/pages/reviews/customer-review-workspace.blade.php` - `apps/platform/app/Filament/Resources/ReviewPackResource.php` - `apps/platform/app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php` - `apps/platform/app/Filament/Resources/EnvironmentReviewResource.php` - `apps/platform/app/Filament/Resources/EnvironmentReviewResource/Pages/ViewEnvironmentReview.php` - `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php` - `apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php` - [x] T010 Confirm no migration, package, env var, queue, scheduler, storage topology, Graph scope, panel-provider, route family, report renderer, or customer portal change is required; stop and update spec/plan if false. - [x] T011 Confirm Filament v5 / Livewire v4.0+ compliance and no Filament v3/v4 or Livewire v3 APIs. - [x] T012 Confirm panel provider registration remains `apps/platform/bootstrap/providers.php`. - [x] T013 Confirm no global-search participation is added or changed. ## Phase 2: Gate Contract And Unit Tests **Purpose**: Define customer-output safety once and prove its state mapping before route/UI changes. - [x] T014 Add or update focused Unit tests for the customer-output gate under `apps/platform/tests/Unit/Support/ReviewPacks/` or the narrowest existing support test family. - [x] T015 Test `Ready` when review output is published, customer-safe, current, artifact-backed, and authorized. - [x] T016 Test `Blocked` when PII/unredacted sensitive data or explicit internal-only output blocks customer-facing output. - [x] T017 Test `Needs attention` or `Blocked` for limitations-bearing, incomplete evidence, required-section gaps, disclosure missing, or publish-blocker states according to existing severity. - [x] T018 Test `Not configured` for missing output artifact or unavailable customer workspace. - [x] T019 Test `Expired` for expired, stale, revoked, superseded, or archived output where repo-backed fields exist. - [x] T020 Test `Unknown` when safety cannot be determined from current repo truth. - [x] T021 Test permission denial blocks customer output even if output is otherwise safe. - [x] T022 Test permission grant does not override unsafe customer output. - [x] T023 Implement the narrowest customer-output gate/result adapter only if existing helpers cannot serve route and UI needs directly. - [x] T024 Ensure any new gate/result adapter reuses existing readiness/disclosure helpers and remains non-persistent. - [x] T025 Ensure gate evaluation is DB/storage-backed only and performs no Graph or remote calls. ## Phase 3: Route Enforcement **Purpose**: Prevent direct-route bypass before relying on UI state. - [x] T026 Add Feature/HTTP tests under `apps/platform/tests/Feature/ReviewPack/` or the narrowest existing family proving safe `ReviewPackDownloadController` downloads succeed and audit. - [x] T027 Add Feature/HTTP tests proving PII, limitations, missing, failed, expired, superseded, archived, and unknown customer-output states do not stream a Review Pack file through direct URL access. - [x] T028 Update `apps/platform/app/Http/Controllers/ReviewPackDownloadController.php` to enforce the customer-output gate before file streaming. - [x] T029 Add or update Feature/HTTP tests for `ReviewPackRenderedReportController` proving blocked output does not render customer-facing download/open actions or customer-safe report claims. - [x] T030 Update `apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php` to consume the same gate for customer-facing rendered report output and action labels. - [x] T031 Inspect `apps/platform/app/Http/Controllers/ManagementReportPdfDownloadController.php`; classify it as customer-facing or internal-only using the spec/plan criteria, record the decision in implementation notes or PR close-out, and if customer-facing add equivalent gate tests and enforcement. - [x] T032 Add or update route regression tests proving wrong workspace/environment access remains 404 deny-as-not-found and entitled-member missing-capability access remains 403 for `ReviewPackDownloadController`, `ReviewPackRenderedReportController`, and `ManagementReportPdfDownloadController` if customer-facing. - [x] T033 Preserve existing workspace membership 404, managed-environment entitlement checks, capability 403, artifact status, expiry, file existence, and audit behavior while adding gate checks. - [x] T034 Ensure blocked direct access returns 403, 404 deny-as-not-found, or safe admin redirect without file content and without sensitive details. - [x] T035 Add or update audit assertions for successful customer-output downloads and internal-preview downloads if internal preview is implemented. ## Phase 4: Customer Workspace And Review Pack Action Labels **Purpose**: Make every customer-output CTA truthful by destination and safety state. - [x] T036 Add or update Filament/Livewire tests proving `Open customer workspace` opens only `CustomerReviewWorkspace` and never Review Pack detail. - [x] T037 Add or update Filament/Livewire tests proving Review Pack detail links are labelled `Open review pack`. - [x] T038 Update `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php` so customer-workspace CTA labels match actual destinations. - [x] T039 Update `apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php` only if current links can still label internal artifact/detail routes as customer workspace. - [x] T040 Update `apps/platform/app/Filament/Resources/EnvironmentReviewResource.php` and related view page only where customer workspace / review pack / report action labels are misleading. - [x] T041 Update `apps/platform/app/Filament/Resources/ReviewPackResource.php` and `apps/platform/app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php` so customer output, internal preview, rendered report, and review pack labels match destinations and gate state. - [x] T042 Update `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php` and `apps/platform/resources/views/filament/pages/reviews/customer-review-workspace.blade.php` so the primary customer-output action appears only when the gate permits it. - [x] T043 Ensure affected pages show one top-level customer output state by default: `Ready`, `Needs attention`, `Blocked`, `Not configured`, `Expired`, or `Unknown`. - [x] T044 Ensure blocked states show one concise reason and avoid implementation terms such as artifact payload, detector, source key, operation failure, fingerprint, or raw policy internals in default copy. ## Phase 5: Internal Preview Separation **Purpose**: Keep operator-only preview useful without presenting it as customer output. - [x] T045 Add or update tests proving deprecated limited-download copy is absent from customer-facing pages and reports. - [x] T046 If a limitations-bearing artifact remains accessible, relabel it as `Download internal preview` in `apps/platform/lang/en/localization.php` and `apps/platform/lang/de/localization.php`. - [x] T047 Gate internal preview behind internal/operator permission and ensure it is secondary, not the primary customer-facing action. - [x] T048 Add tests proving customer/read-only users cannot see or access internal preview. - [x] T049 Add tests proving internal preview direct route/action cannot be used as customer-output bypass. - [x] T050 Ensure customer-output labels are not used for limitations-bearing or internal-only artifacts. ## Phase 6: Customer-Safe Disclosure And Proof Demotion **Purpose**: Preserve audit depth while preventing default customer-facing proof leakage. - [x] T051 Add or update Feature/Browser assertions that customer-facing surfaces do not show raw IDs, source keys, fingerprints, raw payloads, OperationRun internals, baseline internals, detector names, or report-generation metadata by default. - [x] T052 Keep technical proof reachable only through existing internal/audit/detail actions where authorized. - [x] T053 Ensure proof/action labels use `View audit trail`, `View technical details`, or similar internal labels, not customer-output labels. - [x] T054 Remove duplicated visible readiness/status badges where they compete with the canonical customer-output state on affected surfaces. ## Phase 7: Localization, UI Coverage, And Regression Guards **Purpose**: Align copy and active feature artifacts without broad docs churn. - [x] T055 Update only required localization keys in `apps/platform/lang/en/localization.php` and `apps/platform/lang/de/localization.php`. - [x] T056 Update targeted tests that assert current copy so they assert semantics rather than stale unsafe labels. - [x] T057 Decide after runtime diff whether existing page reports under `docs/ui-ux-enterprise-audit/page-reports/` require updates; update only materially affected page reports. - [x] T058 Document no-count-change/no-archetype-change if `route-inventory.md` and `design-coverage-matrix.md` remain unchanged. - [x] T059 Do not create general documentation files outside required Spec Kit/UI coverage artifacts. ## Phase 8: Browser Smoke And Direct URL Proof **Purpose**: Prove the user-visible trust path after targeted tests pass. - [x] T060 Add `apps/platform/tests/Browser/Spec392CustomerOutputGatingSmokeTest.php` using existing review-output fixture helpers where practical. - [x] T061 Browser state: safe output; assert `Open customer workspace` opens actual Customer Review Workspace and `Download customer output` succeeds only in ready state. - [x] T062 Browser state: unsafe/limited output; assert customer output is blocked, reason is visible, and no customer-facing deprecated limited-download copy appears. - [x] T063 Browser state: internal preview if present; assert label is internal, secondary, and hidden from customer/read-only mode. - [x] T064 Browser state: dashboard CTA; assert a link labelled `Open customer workspace` does not land on Review Pack detail. - [x] T065 Direct URL proof: assert blocked output direct route returns no file content. - [x] T066 Browser harness did not capture Spec 392 screenshots; no screenshot artifacts were added. ## Phase 9: Validation And Close-Out **Purpose**: Prove the implementation and record deployment impact clearly. - [x] T067 Attempt Sail validation; Docker was not running, so run the equivalent local Pest Spec 392 gate/route/architecture validation. - [x] T068 Run targeted existing regressions based on touched surfaces, at minimum `CustomerReviewWorkspace`, `ReviewPack`, and `StoredReport` filters if those surfaces changed. - [x] T069 Run local Pest Browser validation for `tests/Browser/Spec392CustomerOutputGatingSmokeTest.php` because Docker/Sail was unavailable. - [x] T070 Run `cd apps/platform && php vendor/bin/pint --dirty`. - [x] T071 Run `git diff --check`. - [x] T072 Confirm no migrations, seeders, packages, env vars, queues, scheduler, storage topology, Graph contracts/calls, panel providers, new route family, customer portal, report renderer, or legacy compatibility path were added. - [x] T073 Confirm final Livewire v4 compliance, provider registration location, global-search posture, destructive/high-impact action status, asset strategy, tests, deployment impact, and Guardrail / Exception / Smoke Coverage in the implementation close-out response. ## Dependencies - Phase 1 must complete before runtime implementation. - Phase 2 gate tests should land before or alongside route enforcement. - Phase 3 route enforcement must complete before UI-only assumptions are considered safe. - Phase 4 and Phase 5 can proceed in parallel after the gate decision shape is stable. - Phase 8 runs after targeted tests and route enforcement are implemented. - Phase 9 closes the feature. ## Parallel Execution Examples - T007, T008, and T009 can be split by repo surface during inspection. - T026-T031 can be split by route/controller after the gate API is stable. - T038-T042 can be split by UI surface if no shared helper conflict exists. - T055-T058 can run after labels and UI diff are known. ## Non-Goals / Stop Conditions - Stop if implementation requires a new persisted readiness table, new customer portal, new report renderer, new review publication workflow, new route family, or broad Customer Review Workspace redesign. - Stop if management-report PDF production enablement becomes necessary; that belongs to Spec 379 follow-through. - Stop if internal preview requires a new capability model not expressible by current capabilities; update spec/plan first. - Stop if route gating cannot be implemented without changing artifact lifecycle/retention semantics; promote a separate lifecycle spec. - Do not rewrite, normalize, uncheck, or remove implementation history from completed Specs 342, 347, 351, 372, or browser audit artifacts. ## Required Final Report Content For Later Implementation When implementation later completes, report: - Changed behavior. - Customer-output gate states and blocking reasons. - Route enforcement results for safe and unsafe output. - CTA label/destination corrections. - Internal preview behavior, if present. - RBAC/context behavior. - Files changed. - Tests run and results. - Browser smoke and screenshot path. - Known gaps and follow-up specs. - Full suite run/not run. - Explicit no migrations/packages/env/queues/scheduler/storage/deployment assets/Graph/panel-provider/destructive-action/backcompat/new-customer-portal statement.