ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
platform-dev
TenantAtlas/specs/288-quality-gates-no-legacy-enforcement/quickstart.md
ahmido 0a1377c5f5 feat(spec-288): add no-legacy quality gates (#347) 
## Summary
- add Spec 288 no-legacy route/helper and provider-core/role-authority guard coverage
- extend the pinned Spec 281 and Spec 285 browser smokes plus lane/report classification wording for classification-only fallout handling
- add the Spec 288 artifact package and contributor-facing quality-gate guidance while keeping Package Execution deferred to Spec 289

## Validation
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php)`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php)`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #347
2026-05-10 21:24:14 +00:00

4.7 KiB
Raw Permalink Blame History

Quickstart: Quality Gates / No-Legacy Enforcement

Purpose

Use this guide to review or implement Feature 288 as the bounded enforcement layer that follows Spec 287.

Preconditions

  • The package stays limited to:
    • no-legacy guard tests
    • route emission guards
    • forbidden legacy route/path checks
    • forbidden tenant-panel helper checks
    • provider-core forbidden seam checks
    • environment-scope role-authority guard checks
    • quality-gate documentation
    • targeted browser smoke gates
    • full-suite baseline classification only, not full-suite repair
  • Package Execution Contract remains deferred to Spec 289.
  • The implementation does not reopen runtime cutover, provider-core rewrites, RBAC rewrites, Guided Operations, UI copy cleanup, Review Pack export work, or a full-suite repair program.
  • Filament remains v5 on Livewire v4 and provider registration remains in apps/platform/bootstrap/providers.php.

Read Order

  1. spec.md
  2. plan.md
  3. research.md
  4. data-model.md
  5. contracts/quality-gates-no-legacy-enforcement.logical.openapi.yaml
  6. tasks.md
  7. checklists/requirements.md

Implementation Intent

  • add bounded no-legacy and route-emission guards instead of reopening route migration work
  • add bounded provider-core and role-authority guards instead of rewriting provider-core or RBAC
  • keep browser proof on the existing Spec 281 and Spec 285 smoke anchors
  • document the quality-gate contract and the rule that broader baseline fallout is classified only under this spec
  • keep Spec 289 as the explicit follow-up for Package Execution Contract work

Review Scenarios

Scenario 1: Retired management routes and helper patterns fail fast

  • introduce or simulate a retired route/path or helper token on an owned seam
  • run the targeted guard suite
  • confirm the failure message names the offending path or helper pattern explicitly

Scenario 2: Provider-core seams stay provider-neutral and role authority stays workspace-owned

  • run the targeted provider-boundary and role-authority proof set
  • confirm platform-core seams do not reintroduce provider-specific request shaping or binding truth
  • confirm wrong-scope 404, in-scope 403, and direct role-edit rejection semantics remain intact

Scenario 3: Browser proof still reflects canonical visible continuity

  • run the two targeted browser smoke tests
  • confirm the provider-connection and workspace/environment drill-down flows render their canonical route continuity
  • confirm the browser suite reports no JavaScript or console errors

Scenario 4: Broader baseline fallout stays classification-only

  • review the contributor-facing quality-gate docs and any changed report/manifest wording
  • confirm the package classifies wider baseline fallout without taking ownership of unrelated repair work

Planned Validation Commands

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php)

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php)

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)

Explicit Stop Conditions

  • If implementation starts repairing unrelated full-suite failures, stop and split that work out of 288.
  • If implementation starts reopening runtime cutover, provider-core rewrite, RBAC rewrite, or product-surface cleanup, stop and split the extra work out of 288.
  • If implementation starts absorbing Package Execution Contract work, stop and move that work to Spec 289.