--- description: "Task list for Filament Workspace Tenancy & Environment Routing Cutover" --- # Tasks: Filament Workspace Tenancy & Environment Routing Cutover **Input**: Design documents from `specs/280-workspace-tenancy-environment-routing/` **Prerequisites**: `specs/280-workspace-tenancy-environment-routing/spec.md`, `specs/280-workspace-tenancy-environment-routing/plan.md`, `specs/280-workspace-tenancy-environment-routing/checklists/requirements.md`, `specs/280-workspace-tenancy-environment-routing/research.md`, `specs/280-workspace-tenancy-environment-routing/data-model.md`, `specs/280-workspace-tenancy-environment-routing/quickstart.md`, `specs/280-workspace-tenancy-environment-routing/contracts/workspace-tenancy-environment-routing.logical.openapi.yaml` **Tests**: REQUIRED (Pest). The prep-era placeholder filenames drifted before implementation; final bounded proof used `apps/platform/tests/Feature/WorkspaceFoundation`, `apps/platform/tests/Feature/Workspaces`, `apps/platform/tests/Feature/ManagedEnvironment`, `apps/platform/tests/Feature/RequiredPermissions`, `apps/platform/tests/Feature/Operations`, `apps/platform/tests/Feature/MonitoringOperationsTest.php`, and `apps/platform/tests/Browser/Spec280WorkspaceTenancyEnvironmentRoutingSmokeTest.php`. **Operations**: No new `OperationRun` family. Reuse `apps/platform/app/Support/OperationRunLinks.php`, `apps/platform/app/Support/Navigation/RelatedNavigationResolver.php`, and `apps/platform/app/Filament/Pages/Monitoring/Operations.php` for workspace-first operations route ownership. **RBAC**: Workspace membership remains the first `404` boundary, managed-environment access remains the second `404` boundary, and in-scope capability denials stay `403`. **Shared Pattern Reuse**: Reuse `WorkspaceOverviewBuilder`, `TenantDashboardSummaryBuilder`, `ManagedTenantsLanding`, `ChooseTenant`, `WorkspaceRedirectResolver`, `OperationRunLinks`, and `RelatedNavigationResolver`. Do not add compatibility routes, dual-panel fallbacks, or replacement dashboards. **Filament / Panel Guardrails**: Filament remains v5 on Livewire v4. Provider registration remains in `apps/platform/bootstrap/providers.php`. `Workspace` becomes the only Filament tenant for operator routing. Any touched searchable resource must keep a valid view/edit destination or disable global search in the same slice. Any touched destructive action must preserve `->requiresConfirmation()` plus current server authorization. Asset strategy stays unchanged. **Compatibility Posture**: Reject `/admin/t` compatibility routes, `/admin/tenants/{environment}` aliases, redirect shims, dual-panel ownership, and hidden route fallbacks. Keep Specs `281` through `287` deferred. **Organization**: Tasks are grouped by user story so panel tenancy, workspace-first environment routing, workspace-first operations routing, dashboard/context rebinding, and search/legacy guardrails remain independently testable. **Review Outcome**: `implementation-ready` **Workflow Outcome**: `keep` **Test-governance Outcome**: `keep` **Implementation Status**: Completed on 2026-05-07. The prep package was executed afterward; the completed runtime, validation, and close-out are recorded below and in `checklists/requirements.md`. ## Test Governance Checklist - [x] Lane assignment stays `fast-feedback`, `confidence`, and one narrow `browser` lane. - [x] New or changed tests stay in the smallest honest families under `apps/platform/tests/Feature/` plus one browser smoke file only. - [x] Workspace and managed-environment fixtures remain explicit; no compatibility fixtures, dual-panel defaults, or hidden route fallbacks become shared setup. - [x] Planned validation commands match `spec.md`, `plan.md`, and `quickstart.md` exactly. - [x] `standard-native-filament`, `global-context-shell`, and `monitoring-state-page` expectations stay explicit for touched surfaces. - [x] Any attempt to absorb Specs `281` through `287` resolves as `split` or `reject-or-split`, not hidden scope. ## Implementation Close-out Note - [x] The runtime cutover shipped on 2026-05-07 using the surviving admin panel only. - [x] The prep-era test filenames below were satisfied by equivalent current coverage in the workspace, managed-environment, required-permissions, operations, and browser-smoke suites recorded in `checklists/requirements.md`. - [x] Final validation used `./vendor/bin/sail artisan test --compact tests/Feature/WorkspaceFoundation tests/Feature/Workspaces tests/Feature/ManagedEnvironment tests/Feature/RequiredPermissions tests/Feature/Operations tests/Feature/MonitoringOperationsTest.php`, `./vendor/bin/sail artisan test --compact tests/Browser/Spec280WorkspaceTenancyEnvironmentRoutingSmokeTest.php`, and `./vendor/bin/sail bin pint --dirty --format agent`. ## Phase 1: Setup (Shared Context) **Purpose**: Confirm the bounded cutover inventory, the proving files, and the explicit no-compatibility posture before runtime edits begin. - [x] T001 Review `specs/280-workspace-tenancy-environment-routing/spec.md`, `plan.md`, `checklists/requirements.md`, `research.md`, `data-model.md`, `quickstart.md`, and `contracts/workspace-tenancy-environment-routing.logical.openapi.yaml` together so implementation stays on Spec 280 only. - [x] T002 [P] Confirm the current panel-provider and registration seams in `apps/platform/app/Providers/Filament/AdminPanelProvider.php`, `apps/platform/app/Providers/Filament/TenantPanelProvider.php`, and `apps/platform/bootstrap/providers.php` before changing operator tenancy. - [x] T003 [P] Confirm the current entry, chooser, and route-language seams in `apps/platform/routes/web.php`, `apps/platform/app/Filament/Pages/ChooseWorkspace.php`, `apps/platform/app/Filament/Pages/ChooseTenant.php`, `apps/platform/app/Filament/Pages/Workspaces/ManagedTenantsLanding.php`, and `apps/platform/app/Support/Workspaces/WorkspaceRedirectResolver.php`. - [x] T004 [P] Confirm the current context-classification seams in `apps/platform/app/Http/Middleware/EnsureWorkspaceSelected.php`, `apps/platform/app/Support/Middleware/EnsureFilamentTenantSelected.php`, `apps/platform/app/Filament/Concerns/ResolvesPanelTenantContext.php`, and `apps/platform/app/Support/Tenants/TenantPageCategory.php`. - [x] T005 [P] Confirm the current dashboard and operations link owners in `apps/platform/app/Filament/Pages/WorkspaceOverview.php`, `apps/platform/app/Filament/Pages/TenantDashboard.php`, `apps/platform/app/Filament/Pages/TenantRequiredPermissions.php`, `apps/platform/app/Filament/Pages/Monitoring/Operations.php`, `apps/platform/app/Support/OperationRunLinks.php`, and `apps/platform/app/Support/Navigation/RelatedNavigationResolver.php`. - [x] T006 [P] Confirm the touched global-search and deferred-scope surfaces in `apps/platform/app/Filament/Resources/Workspaces/WorkspaceResource.php`, `apps/platform/app/Filament/Resources/TenantResource.php`, and `specs/280-workspace-tenancy-environment-routing/checklists/requirements.md` so Specs `281` through `287` remain explicitly out of scope. --- ## Phase 2: Foundational (Blocking Prerequisites) **Purpose**: Establish the proving suite and the shared workspace-first route skeleton that all stories depend on. **Critical**: No user-story work should begin until this phase is complete. - [x] T007 [P] Add failing coverage in `apps/platform/tests/Feature/Workspace/WorkspaceFilamentTenancyCutoverTest.php` for `Workspace` as the only Filament tenant, `/admin` entry ownership, `TenantPanelProvider` retirement from public operator routing, and provider registration expectations in `apps/platform/bootstrap/providers.php`. - [x] T008 [P] Add failing coverage in `apps/platform/tests/Feature/ManagedEnvironment/WorkspaceFirstEnvironmentRoutingTest.php` for `/admin/workspaces/{workspace}/environments`, `/admin/workspaces/{workspace}/environments/{environment}`, stale cross-workspace environment clearing, archived-environment exclusion, and wrong-workspace `404` behavior. - [x] T009 [P] Add failing coverage in `apps/platform/tests/Feature/Monitoring/WorkspaceOperationsEnvironmentContextTest.php` for `/admin/workspaces/{workspace}/operations`, `managed_environment_id` filtering, `Show all environments` widening, workspace-safe run detail routes, and hostile filter `404` behavior. - [x] T010 [P] Add failing coverage in `apps/platform/tests/Feature/Navigation/WorkspaceEnvironmentBreadcrumbsTest.php` for workspace-dashboard versus environment-dashboard signal ownership and `Workspace -> Managed Environment -> page` breadcrumb/context ordering. - [x] T011 [P] Add failing guard coverage in `apps/platform/tests/Feature/Guards/LegacyAdminTenantRouteRemovalGuardTest.php` for `/admin/t`, `/admin/tenants/{environment}/required-permissions`, `/admin/w/{workspace}/managed-tenants`, `/admin/operations`, `/admin/operations/{run}`, `panel: 'tenant'`, `TenantPanelProvider::class` registration in `apps/platform/bootstrap/providers.php`, compatibility redirects, aliases, dual-panel fallbacks, and the searchable-destination rule for touched resources. - [x] T012 [P] Add the narrow browser smoke in `apps/platform/tests/Browser/Spec280WorkspaceTenancyEnvironmentRoutingSmokeTest.php` for workspace selection, workspace-scoped environment choice, managed-environment dashboard entry, and workspace-operations drillthrough on the surviving admin panel. - [x] T013 Establish the one-panel workspace-first route skeleton in `apps/platform/app/Providers/Filament/AdminPanelProvider.php`, `apps/platform/app/Providers/Filament/TenantPanelProvider.php`, `apps/platform/bootstrap/providers.php`, and `apps/platform/routes/web.php` with no compatibility aliases, redirect shims, or dual-panel fallback. - [x] T014 Update `apps/platform/app/Filament/Pages/ChooseWorkspace.php` and `apps/platform/app/Support/Workspaces/WorkspaceRedirectResolver.php` so `/admin` resolves only to workspace selection or `/admin/workspaces/{workspace}` before story-specific environment routing work begins. **Checkpoint**: The proving files exist, `/admin` entry ownership is workspace-first, and the implementation has a single admin-panel route skeleton to extend. --- ## Phase 3: User Story 1 - Enter an environment without leaving the workspace admin panel (Priority: P1) **Goal**: Operators choose a workspace, then open one managed environment through the surviving admin panel and land on the canonical workspace-first environment dashboard. **Independent Test**: Select a workspace, open `/admin/workspaces/{workspace}/environments`, choose one managed environment, and confirm the destination is `/admin/workspaces/{workspace}/environments/{environment}` while `/admin/t/{environment}` stays not found. ### Tests for User Story 1 - [x] T015 [P] [US1] Extend `apps/platform/tests/Feature/Workspace/WorkspaceFilamentTenancyCutoverTest.php` after T013-T014 to prove the public chooser and environment entry stay on the `admin` panel and direct `/admin/t/{environment}` requests return `404`. - [x] T016 [P] [US1] Extend `apps/platform/tests/Feature/ManagedEnvironment/WorkspaceFirstEnvironmentRoutingTest.php` after T013-T014 to prove chooser submission, managed-environment dashboard resolution, and wrong-workspace route binding remain `404`. ### Implementation for User Story 1 - [x] T017 [US1] Rework `apps/platform/app/Filament/Pages/ChooseTenant.php` and `apps/platform/app/Filament/Pages/Workspaces/ManagedTenantsLanding.php` so `/admin/workspaces/{workspace}/environments` is the only public environment chooser and stale cross-workspace remembered environment context is cleared before resolution. - [x] T018 [US1] Move managed-environment dashboard and required-permissions route ownership in `apps/platform/app/Filament/Pages/TenantDashboard.php`, `apps/platform/app/Filament/Pages/TenantRequiredPermissions.php`, and `apps/platform/routes/web.php` to `/admin/workspaces/{workspace}/environments/{environment}` with no `/admin/tenants/{environment}` compatibility reader. - [x] T019 [US1] Update workspace-to-environment URL generation in `apps/platform/app/Filament/Pages/ChooseTenant.php`, `apps/platform/app/Support/Workspaces/WorkspaceRedirectResolver.php`, `apps/platform/app/Filament/Pages/TenantDashboard.php`, and any touched environment page classes under `apps/platform/app/Filament/Pages/` so no entry flow emits `panel: 'tenant'` or `/admin/t` destinations. **Checkpoint**: Workspace selection, environment chooser entry, and managed-environment dashboard routing all stay inside one workspace-first admin panel. --- ## Phase 4: User Story 2 - Move from environment work into workspace operations with explicit scope (Priority: P1) **Goal**: Environment dashboards and environment pages open the workspace operations hub through canonical workspace routes while preserving explicit environment context. **Independent Test**: From a managed-environment dashboard or touched environment page, open operations and confirm the destination is `/admin/workspaces/{workspace}/operations` with the correct `managed_environment_id` filter and workspace-safe back-navigation. ### Tests for User Story 2 - [x] T020 [P] [US2] Extend `apps/platform/tests/Feature/Monitoring/WorkspaceOperationsEnvironmentContextTest.php` to prove environment dashboards and touched environment pages open `/admin/workspaces/{workspace}/operations` with explicit `managed_environment_id`, preserve run-detail ownership under `/admin/workspaces/{workspace}/operations/{run}`, widen scope only through explicit user action, and keep `/admin/operations` plus `/admin/operations/{run}` unavailable. ### Implementation for User Story 2 - [x] T021 [US2] Retarget `apps/platform/app/Support/OperationRunLinks.php` and `apps/platform/app/Support/Navigation/RelatedNavigationResolver.php` so operations collection/detail links emit only workspace-first routes with explicit environment filter and return-context data. - [x] T022 [US2] Update `apps/platform/app/Filament/Pages/Monitoring/Operations.php` so workspace collection/detail ownership, `managed_environment_id` hydration, `Show all environments` behavior, and hostile filter handling match the new workspace-first route contract. - [x] T023 [US2] Update operations entry actions in `apps/platform/app/Filament/Pages/TenantDashboard.php`, `apps/platform/app/Filament/Pages/TenantRequiredPermissions.php`, and any touched environment-scoped page classes under `apps/platform/app/Filament/Pages/` so they delegate through the shared workspace operations builders instead of local tenant-panel URLs. **Checkpoint**: Operations links, run-detail links, and return context are all workspace-canonical while preserving explicit environment scope. --- ## Phase 5: User Story 3 - Read workspace-wide and environment-scoped signals on the correct surfaces (Priority: P2) **Goal**: Workspace-wide signals stay on the workspace dashboard, environment-scoped signals stay on the managed-environment dashboard, and breadcrumbs/context bars reflect the new route ownership. **Independent Test**: Open `/admin/workspaces/{workspace}` and `/admin/workspaces/{workspace}/environments/{environment}` for the same workspace and verify the workspace dashboard shows workspace-wide signals while the environment dashboard stays scoped to one environment with `Workspace -> Managed Environment -> page` context. ### Tests for User Story 3 - [x] T024 [P] [US3] Extend `apps/platform/tests/Feature/Navigation/WorkspaceEnvironmentBreadcrumbsTest.php` to prove workspace-wide dashboard signals remain on `WorkspaceOverview`, environment-scoped signals remain on `TenantDashboard`, and breadcrumb/context ordering becomes `Workspace -> Managed Environment -> page`. ### Implementation for User Story 3 - [x] T025 [US3] Rebind `apps/platform/app/Filament/Pages/WorkspaceOverview.php` and `apps/platform/app/Filament/Pages/TenantDashboard.php` to the canonical `/admin/workspaces/{workspace}` and `/admin/workspaces/{workspace}/environments/{environment}` routes while preserving `WorkspaceOverviewBuilder` and `TenantDashboardSummaryBuilder` ownership. - [x] T026 [US3] Update `apps/platform/app/Http/Middleware/EnsureWorkspaceSelected.php`, `apps/platform/app/Support/Middleware/EnsureFilamentTenantSelected.php`, `apps/platform/app/Filament/Concerns/ResolvesPanelTenantContext.php`, and `apps/platform/app/Support/Tenants/TenantPageCategory.php` so workspace-first environment routes are the only active environment-bound language and remembered cross-workspace environment context cannot leak. - [x] T027 [US3] Update context bars, breadcrumbs, and chooser/dashboard CTA links in `apps/platform/app/Filament/Pages/ChooseTenant.php`, `apps/platform/app/Filament/Pages/Workspaces/ManagedTenantsLanding.php`, `apps/platform/app/Filament/Pages/WorkspaceOverview.php`, and `apps/platform/app/Filament/Pages/TenantDashboard.php` so the new route ownership reads `Workspace -> Managed Environment -> domain page` everywhere this slice touches. **Checkpoint**: Workspace dashboard, managed-environment dashboard, and current-context shells all present the correct scope and breadcrumb truth. --- ## Phase 6: User Story 4 - Keep search and authorization truthful after the route cutover (Priority: P3) **Goal**: Searchable resources, direct URLs, and legacy-route guards stay truthful after the cutover, with no broken search results and no hidden compatibility routes. **Independent Test**: Open touched global-search results and direct workspace/environment URLs, confirm authorized destinations resolve under the workspace-first routes, and confirm `/admin/t/{environment}` plus `/admin/tenants/{environment}/required-permissions` remain `404`. ### Tests for User Story 4 - [x] T028 [P] [US4] Extend `apps/platform/tests/Feature/Guards/LegacyAdminTenantRouteRemovalGuardTest.php` to prove no compatibility routes, aliases, redirects, or dual-panel fallbacks survive for `/admin/t`, `/admin/tenants/{environment}/required-permissions`, `/admin/w/{workspace}/managed-tenants`, or `/admin/operations` plus `/admin/operations/{run}`. - [x] T029 [P] [US4] Extend `apps/platform/tests/Feature/Workspace/WorkspaceFilamentTenancyCutoverTest.php` and `apps/platform/tests/Feature/ManagedEnvironment/WorkspaceFirstEnvironmentRoutingTest.php` to cover `WorkspaceResource` and `TenantResource` global-search destinations plus `404` versus `403` behavior for direct workspace/environment URLs. ### Implementation for User Story 4 - [x] T030 [US4] Update `apps/platform/app/Filament/Resources/Workspaces/WorkspaceResource.php` and `apps/platform/app/Filament/Resources/TenantResource.php` so each touched resource keeps a valid view/edit destination under workspace-first routing or disables global search in the same slice. - [x] T031 [US4] Remove remaining legacy-route ownership and panel-language fallbacks from `apps/platform/app/Providers/Filament/AdminPanelProvider.php`, `apps/platform/app/Providers/Filament/TenantPanelProvider.php`, `apps/platform/bootstrap/providers.php`, `apps/platform/routes/web.php`, `apps/platform/app/Support/Workspaces/WorkspaceRedirectResolver.php`, `apps/platform/app/Support/OperationRunLinks.php`, and any touched helpers under `apps/platform/tests/` so Specs `281` through `287` remain deferred instead of absorbed. **Checkpoint**: Search, direct URLs, and no-legacy route guards all reflect the final workspace-first contract with no hidden fallback path. --- ## Phase 7: Polish & Cross-Cutting Validation **Purpose**: Run the exact bounded proof set, perform the final Filament review, and close the cutover without reopening deferred specs. - [x] T032 [P] Run `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/WorkspaceFoundation tests/Feature/Workspaces tests/Feature/ManagedEnvironment tests/Feature/RequiredPermissions tests/Feature/Operations tests/Feature/MonitoringOperationsTest.php)`. - [x] T033 [P] Run `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec280WorkspaceTenancyEnvironmentRoutingSmokeTest.php)`. - [x] T034 [P] Run `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)`. - [x] T035 [P] Run `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && rg -n --fixed-strings '/admin/t/' "$REPO_ROOT/apps/platform/app" "$REPO_ROOT/apps/platform/tests" "$REPO_ROOT/apps/platform/routes" "$REPO_ROOT/apps/platform/bootstrap"`, `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && rg -n --fixed-strings '/admin/tenants/' "$REPO_ROOT/apps/platform/app" "$REPO_ROOT/apps/platform/tests" "$REPO_ROOT/apps/platform/routes" "$REPO_ROOT/apps/platform/bootstrap"`, `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && rg -n --fixed-strings '/admin/w/' "$REPO_ROOT/apps/platform/app" "$REPO_ROOT/apps/platform/tests" "$REPO_ROOT/apps/platform/routes" "$REPO_ROOT/apps/platform/bootstrap"`, and `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && rg -n --fixed-strings '/admin/operations' "$REPO_ROOT/apps/platform/app" "$REPO_ROOT/apps/platform/tests" "$REPO_ROOT/apps/platform/routes" "$REPO_ROOT/apps/platform/bootstrap"` and confirm only intentional removal-guard output remains. - [x] T036 [P] Run `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && rg -n --fixed-strings "panel: 'tenant'" "$REPO_ROOT/apps/platform/app" "$REPO_ROOT/apps/platform/tests" "$REPO_ROOT/apps/platform/routes" "$REPO_ROOT/apps/platform/bootstrap"` and `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && rg -n --fixed-strings 'TenantPanelProvider::class' "$REPO_ROOT/apps/platform/bootstrap/providers.php"` and confirm only intentional removal-guard output remains. - [x] T037 [P] Review `apps/platform/app/Providers/Filament/AdminPanelProvider.php`, `apps/platform/app/Providers/Filament/TenantPanelProvider.php`, `apps/platform/bootstrap/providers.php`, `apps/platform/app/Filament/Resources/Workspaces/WorkspaceResource.php`, `apps/platform/app/Filament/Resources/TenantResource.php`, and touched Filament pages/actions to confirm Filament v5 / Livewire v4 compliance, provider registration stays in `apps/platform/bootstrap/providers.php`, the global-search destination rule is satisfied, touched destructive actions still preserve `->requiresConfirmation()` plus authorization, and no asset strategy or deploy-step change was introduced. - [x] T038 [P] Record the implementation close-out in `specs/280-workspace-tenancy-environment-routing/checklists/requirements.md` or the active PR notes confirming no compatibility routes, aliases, redirects, or dual-panel fallback shipped and Specs `281` through `287` remain explicitly deferred. --- ## Dependencies & Execution Order ### Phase Dependencies - **Phase 1 (Setup)**: no dependencies; start immediately. - **Phase 2 (Foundational)**: depends on Phase 1 and blocks all story work. - **Phase 3 (US1)**: depends on Phase 2 and establishes the canonical environment-entry contract. - **Phase 4 (US2)**: depends on Phase 2 and should follow US1 route ownership so operations links target the finished workspace-first environment family. - **Phase 5 (US3)**: depends on US1 and should land with or immediately after US2 so dashboards, breadcrumbs, and middleware all reflect the same route contract. - **Phase 6 (US4)**: depends on US1 through US3 so search, authorization, and no-legacy guards prove the final route language rather than an intermediate state. - **Phase 7 (Polish)**: depends on all desired user stories being complete. ### User Story Dependencies - **US1 (P1)**: independently testable after Phase 2 and is the first required implementation increment. - **US2 (P1)**: independently testable after Phase 2, but should ship after or with US1 because operations links rely on the canonical workspace-first environment family. - **US3 (P2)**: independently testable after US1 and should land before US4 so breadcrumb and context truth are final. - **US4 (P3)**: independently testable after US1 through US3 and closes search, authorization, and legacy-route honesty. ### Within Each User Story - Write or extend the listed Pest coverage first and make it fail for the intended gap. - Apply the smallest shared-seam changes needed to satisfy the story without reopening Specs `281` through `287`. - Re-run the narrowest relevant validation command for that story before moving to the next story. ## Parallel Execution Examples - **Setup**: T002 through T006 can run in parallel once T001 sets the bounded scope. - **Foundational**: T007 through T012 can run in parallel before T013 and T014 converge the route skeleton. - **US1**: T015 and T016 can run in parallel; T017 through T019 should merge serially around chooser and route-owner files. - **US2**: T020 can run alongside T021, then T022 and T023 should follow once shared operations builders are updated. - **US3**: T024 can run in parallel with T025, then T026 and T027 should merge serially around the shared middleware and page-context seams. - **US4**: T028 and T029 can run in parallel; T030 and T031 should follow once the final route contract is stable. - **Polish**: T032 through T037 can run in parallel after implementation is complete; T038 should close out last. ## Implementation Strategy ### Suggested MVP Scope - MVP = **US1**. Land the single surviving admin panel plus workspace-first environment entry before widening into operations, dashboard-context hardening, and search/no-legacy enforcement. ### Incremental Delivery 1. Complete Phase 1 and Phase 2. 2. Deliver US1 so environment entry no longer depends on `/admin/t`. 3. Deliver US2 so operations links become workspace-canonical with explicit environment scope. 4. Deliver US3 so dashboard ownership, breadcrumbs, and middleware all converge on the same workspace-first context. 5. Deliver US4 to lock search, authorization, and legacy-route honesty. 6. Finish with the exact validation commands and the final Filament review in Phase 7. ### Team Strategy 1. Parallelize the failing test work first. 2. Serialize merges around `apps/platform/app/Providers/Filament/`, `apps/platform/routes/web.php`, and the middleware/context helpers to avoid conflicting route-language edits. 3. Reject any implementation branch that introduces compatibility routes, dual-panel ownership, or hidden follow-up work from Specs `281` through `287`. ## Deferred Follow-Ups / Non-Goals - Spec `281` provider connection, provider scope, and Microsoft profile extraction - Spec `282` governance artifact retargeting to `ManagedEnvironment` - Spec `283` provider capability registry work - Spec `284` provider-neutral artifact source taxonomy work - Spec `285` workspace-first RBAC and environment access redesign - Spec `286` UI copy, IA, and localization neutralization beyond route/context truth - Spec `287` cutover quality gates and broader no-legacy enforcement beyond this feature-local proof