# Source Audit Summary

## Scope

Spec 376 covers browser fixture reachability and evidence for these existing surfaces only:

| Surface | Current repo path | Spec 376 handling |
|---|---|---|
| Evidence Snapshot View | `EvidenceSnapshotResource::getUrl('view', ...)` under `/admin/workspaces/{workspace}/environments/{environment}/evidence/{record}` | Fresh browser-verified screenshot using existing admin smoke-login fixture. |
| Required Permissions | `/admin/workspaces/{workspace}/environments/{environment}/required-permissions` | Fresh browser-verified screenshot using existing admin smoke-login fixture and deterministic permission rows. |
| System Dashboard | `/system` | Fresh browser-verified screenshot using `PlatformUser` on the `platform` guard. |
| System Operations | `/system/ops/runs` | Fresh browser-verified screenshot using `PlatformUser` on the `platform` guard. |
| Provider Connection Detail | `/admin/provider-connections/{record}?environment_id={environment}` | Fresh browser-verified screenshot using scoped provider connection data and explicit environment authority. |

## Input Evidence

| Source | Relevant signal | Handling |
|---|---|---|
| Spec 368 `findings.md` | Evidence Snapshot detail redirected to `/admin/login`; System Dashboard/Ops redirected to `/system/login`. | Treated as the original blocker this spec closes. |
| Spec 368 `audit.md` | Required Permissions, Evidence Snapshot, and System pages were blocked by auth/fixture reachability. | Route/auth/data/browser truth is separated in Spec 376 reports. |
| Spec 353 | Required Permissions and Provider Connection browser screenshots exist under the Spec 353 package. | Used as completed context; not rewritten. |
| Spec 372 | Evidence Snapshot View browser pass exists with customer/auditor fixture. | Used as completed context; Spec 376 adds a consolidated fresh screenshot. |
| Spec 375 | Evidence/system browser fixture coverage remained a deferred follow-up. | Spec 376 implements that follow-up. |

## Related Completed Specs 370-375

| Spec | Relevant status | Handling |
|---|---|---|
| 370 | Source audit named Evidence Snapshot, Required Permissions, System Dashboard, and System Operations as `not available` source limitations. | Spec 376 adds browser fixture evidence for these limitations. |
| 371 | Backup Set browser verification passed and is outside the five-surface Spec 376 scope. | Read-only context. |
| 372 | Evidence Snapshot View browser verification passed in customer/auditor safety flow. | Read-only context plus fresh Spec 376 consolidated screenshot. |
| 373 | Diagnostic surfaces passed browser verification and explicitly did not recapture Provider Connections or Required Permissions. | Read-only context. |
| 374 | Diagnostic entrypoint browser verification passed and remained scoped to diagnostic/support handoff surfaces. | Read-only context. |
| 375 | Deferred evidence/system browser fixtures as a follow-up. | Implemented by this package. |

## Repo Truth

- Existing admin smoke-login route: `GET /admin/local/smoke-login`, local/testing-only, covered by `AdminLocalSmokeLoginTest`.
- Existing system auth route and panel: `SystemPanelProvider` uses `authGuard('platform')`, `UseSystemSessionCookie`, and `ensure-platform-capability:platform.access_system_panel`.
- Existing Pest Browser system proof: `Spec276SupportAccessGovernanceSmokeTest` authenticates with `$this->actingAs($platformUser, 'platform')`.
- `EvidenceSnapshotResource` has `protected static bool $isGloballySearchable = false`.
- `ProviderConnectionResource` has `protected static bool $isGloballySearchable = false`.
- Required Permissions and System surfaces are Filament pages, not globally searchable resources.

## Implementation Option Selected

Reuse existing fixtures and add one bounded browser smoke file:

- No new admin smoke route.
- No new system smoke route.
- No new Artisan fixture command.
- No production auth, policy, resource, panel, model, migration, Graph, or OperationRun behavior change.

## Fixture Gaps Closed

| Gap | Result |
|---|---|
| Evidence Snapshot auth fixture unclear | Closed by smoke-login redirect to environment-scoped evidence URL. |
| Required Permissions auth/data fixture unclear | Closed by smoke-login plus deterministic `ManagedEnvironmentPermission` rows. |
| System panel browser fixture absent | Closed by direct Pest Browser platform-guard `actingAs`. |
| Provider Connection detail timeout vs real defect unclear | Closed by scoped browser screenshot with explicit `environment_id`. |