ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
codex/322-post-319-validation-note
TenantAtlas/specs/293-post-cutover-suite-stabilization/quickstart.md
ahmido 83ab4690d5 fix: stabilize post-cutover suite baseline (#348) 
## Summary
- stabilize the active spec 293 post-cutover suite baseline around the current admin-panel and workspace-first runtime
- align operations, provider, required-permissions, and action-surface expectations to canonical workspace-aware routes
- add the monitoring operations workspace-membership guard and update the spec 293 classification artifacts
- include the browser smoke screenshots captured during verification

## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/PanelNavigationSegregationTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/OpsUx/CanonicalViewRunLinksTest.php tests/Feature/OpsUx/OperateHubShellTest.php tests/Feature/OpsUx/FailureSanitizationTest.php tests/Feature/OpsUx/NonLeakageWorkspaceOperationsTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/ActionSurfaceContractTest.php tests/Feature/ProviderConnections/NavigationPlacementTest.php tests/Feature/ProviderConnections/ProviderConnectionListAuthorizationTest.php tests/Feature/Verification/VerificationAuthorizationTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`

## Notes
- remaining provider/verification failures are classified in `specs/293-post-cutover-suite-stabilization/failure-classification.md` as unrelated existing debt and are not folded into this slice

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #348
2026-05-11 06:41:47 +00:00

6.5 KiB
Raw Permalink Blame History

Quickstart: Post-Cutover Suite Stabilization & Baseline Reconciliation

Purpose

Use this guide to review or later implement Feature 293 as the bounded stabilization package that follows Specs 287 and 288.

Preconditions

  • The package stays limited to cutover-driven suite stabilization.
  • The pinned failure categories are:
    • cutover-baseline-debt
    • cutover-runtime-regression
    • unrelated-existing-debt
    • flaky-or-environment
    • resolved-or-not-needed
  • The pinned stabilization seams are:
    • tenant_panel_baseline
    • legacy_admin_t_routes
    • workspace_aware_operations_routes
    • legacy_required_permissions_provider_connections
    • action_surface_rebaseline
  • 289 remains untouched.
  • 292 remains untouched.
  • TenantPanel, /admin/t/..., tenant-scoped provider fallbacks, and tenant-scoped required-permissions fallbacks remain retired.
  • managed_environment_memberships remain narrowing-only access scope and must not regain independent role authority.

Read Order

  1. spec.md
  2. plan.md
  3. research.md
  4. data-model.md
  5. failure-classification.md
  6. tasks.md
  7. checklists/requirements.md

Implementation Intent

  • classify failures before fixing anything
  • stabilize stale TenantPanel and /admin/t/... assumptions without restoring compatibility behavior
  • make in-scope operations routes workspace-aware through existing canonical helpers or explicit workspace parameters
  • remove tenant-scoped required-permissions and provider-connection legacy assumptions from the suite baseline
  • keep action-surface rebaseline bounded to cutover drift
  • keep the Spec 288 proof pack and browser anchors green
  • document remaining unrelated or flaky debt explicitly

Review Scenarios

Scenario 1: Initial baseline and classification

  • run the initial full suite or fallback lane split
  • record the observed groups in failure-classification.md
  • confirm every relevant group is classified before fixes begin

Scenario 2: Retired panel and route assumptions are gone

  • re-run the targeted panel navigation and legacy tenant-core tests
  • confirm they no longer treat TenantPanel or /admin/t/... management routes as current runtime truth

Scenario 3: Operations and legacy provider or permissions routes are canonical

  • re-run the targeted OpsUx, ProviderConnections, and Verification proof sets
  • confirm those tests use current workspace-aware or tenantless canonical paths instead of retired fallbacks

Scenario 4: Action-surface rebaseline stays bounded

  • re-run the action-surface and adjacent RBAC or Filament tests
  • confirm only cutover-stale expectations changed and no new product actions were introduced just to satisfy tests
  • confirm managed-environment memberships are still treated as narrowing-only access scope and not as an independent role authority source

Scenario 5: Enforcement and visible anchors remain green

  • re-run the Spec 288 proof pack
  • re-run the two browser anchors
  • confirm the stabilization work did not regress the enforcement baseline or visible canonical flows

Planned Validation Commands

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && git status --short --branch

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && git diff --stat

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && (cd apps/platform && ./vendor/bin/sail artisan test --compact)

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && ./scripts/platform-test-lane heavy-governance

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && ./scripts/platform-test-lane confidence

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && (cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/PanelNavigationSegregationTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php)

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && (cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/OpsUx/CanonicalViewRunLinksTest.php tests/Feature/OpsUx/OperateHubShellTest.php tests/Feature/OpsUx/FailureSanitizationTest.php tests/Feature/OpsUx/NonLeakageWorkspaceOperationsTest.php)

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && (cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections tests/Feature/Verification)

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && (cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/ActionSurfaceContractTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Rbac/BackupItemsRelationManagerUiEnforcementTest.php)

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php)

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php)

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && (cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent)

Explicit Stop Conditions

  • If implementation starts restoring TenantPanel or /admin/t/... compatibility behavior, stop.
  • If implementation starts absorbing Package Execution, Guided Operations, or new product features, stop.
  • If a failing group cannot be tied to one of the pinned failure categories, stop and classify it first.
  • If the Spec 288 proof pack or browser anchors regress, stop and restore them before proceeding.