# Fixture Design

## Design Decision

No new fixture route or command is needed. Existing repo-native patterns are sufficient:

- Admin-plane surfaces use `GET /admin/local/smoke-login` in `local`/`testing`.
- System-plane surfaces use Pest Browser `actingAs($platformUser, 'platform')`.
- Data is created with existing factories and test helpers.

## Per-Surface Fixture Contract

| Surface | Auth | Scope | Data source | Existing fixture source | New fixture source | Local/testing guarantee | Browser URL | Failure mode if regressed |
|---|---|---|---|---|---|---|---|---|
| Evidence Snapshot View | `web` guard through `admin.local.smoke-login` | workspace + environment | `seedEnvironmentReviewEvidence()` | Spec 372 smoke pattern | Spec 376 local test fixture | smoke-login route is local/testing-only | `EvidenceSnapshotResource::getUrl('view', ...)` | `auth-blocked`, `scope-blocked`, or `data-blocked` |
| Required Permissions | `web` guard through `admin.local.smoke-login` | workspace + environment | `ManagedEnvironmentPermission` rows from configured permission registry | Spec 353/283 patterns | Spec 376 local permission seed helper | smoke-login route is local/testing-only | `ManagedEnvironmentLinks::requiredPermissionsUrl()` | `auth-blocked`, `scope-blocked`, or `data-blocked` |
| System Dashboard | `platform` guard via Pest Browser `actingAs` | platform plane | `PlatformUser` capabilities | Spec 276 pattern | Spec 376 platform user fixture | no HTTP fixture route added | `/system` | `auth-blocked` or `capability-blocked` |
| System Operations | `platform` guard via Pest Browser `actingAs` | platform plane | same `PlatformUser`; empty-state data allowed | Spec 276 pattern | Spec 376 platform user fixture | no HTTP fixture route added | `/system/ops/runs` | `auth-blocked` or `capability-blocked` |
| Provider Connection Detail | `web` guard through existing admin session | workspace + record-derived environment authority | `ProviderConnection::factory()->platform()->verifiedHealthy()` plus explicit `environment_id` | Spec 353/281 patterns | Spec 376 local provider connection fixture | no new route added | `ManagedEnvironmentLinks::providerConnectionUrl(..., 'view', $environment)` | `scope-blocked`, `data-blocked`, or `timeout-blocked` |

## Route Safety

- No system smoke-login route was added.
- No admin smoke-login behavior was changed.
- No redirect validation behavior was changed.
- No production route or product UI route was added.

## Browser Screenshot Contract

Screenshots are saved under `artifacts/screenshots/`:

- `001-evidence-snapshot-view.png`
- `002-required-permissions.png`
- `003-system-dashboard.png`
- `004-system-operations.png`
- `005-provider-connection-detail.png`