## Summary

- add Spec 288 no-legacy route/helper and provider-core/role-authority guard coverage
- extend the pinned Spec 281 and Spec 285 browser smokes plus lane/report classification wording for classification-only fallout handling
- add the Spec 288 artifact package and contributor-facing quality-gate guidance while keeping Package Execution deferred to Spec 289

## Validation

- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php)`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php)`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #347
Feature Specification: Quality Gates / No-Legacy Enforcement
Feature Branch: 288-quality-gates-no-legacy-enforcement
Created: 2026-05-10
Status: Ready
Input: User description: "Introduce the no-legacy and quality-gate enforcement layer now that Spec 287 completed the prerequisites. In scope: no-legacy guard tests, route emission guards, forbidden legacy route/path checks, forbidden tenant-panel helper checks, provider-core forbidden seam checks, environment-scope role-authority guard checks, quality gate documentation, targeted browser smoke gates, and full-suite baseline classification only, not full-suite repair. Package Execution Contract must move to Spec 289."
Spec Candidate Check (mandatory - SPEC-GATE-001)
- Problem: Specs `279` through `287` established or completed the workspace-first, provider-neutral, and role-authority runtime baseline, but the repo still lacks one bounded enforcement layer that keeps those truths from drifting back through emitted route strings, retired helper patterns, provider-core seams, or role-authority regressions.
- Today's failure: repo truth already contains fragmented protection in `apps/platform/tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php`, `apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php`, `apps/platform/tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php`, `apps/platform/tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php`, `apps/platform/tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php`, `apps/platform/tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php`, and `apps/platform/tests/Unit/Auth/NoRoleStringChecksTest.php`, but there is still no single cutover guard package that pins the exact retired route/path inventory, forbids retired tenant-panel helper bootstrapping on owned seams, classifies broader baseline fallout without taking repair ownership, and names the targeted browser smoke obligations in contributor-facing docs.
- User-visible improvement: operators keep the existing canonical admin/workspace managed-environment flows without legacy route drift, while maintainers get fast, actionable failures before tenant- or Microsoft-centric seams silently re-enter the product.
- Smallest enterprise-capable version: add one bounded enforcement layer that (1) fails on reintroduced retired management route/path families and bad emitted URLs, (2) blocks retired tenant-panel helper or panel-bootstrapping patterns on owned seams, (3) blocks provider-core forbidden seam regressions on shared identity and operation-definition paths, (4) proves workspace membership remains the only role-bearing authority while environment scope stays narrowing-only, (5) adds targeted browser smoke gates on the existing provider and RBAC environment surfaces, and (6) documents that broader baseline fallout is classified only, not repaired, under this spec.
- Explicit non-goals: no Package Execution Contract work, no Guided Operations work, no Microsoft Starter Pack work, no runtime cutover work, no provider-core rewrite, no RBAC rewrite, no UI copy cleanup, no Review Pack export change, no global compatibility layer, and no full-suite repair program.
- Permanent complexity imported: two bounded guard-test inventories, targeted browser smoke obligations on existing browser tests, one contributor-facing quality-gate documentation update, and one classification-only baseline-report rule using the existing lane manifest/report seams. No new panel, no new persisted truth, and no new guard subsystem are introduced.
- Why now: Spec `287` explicitly moved runtime and helper prerequisites out of the way. Without `288`, the cutover remains vulnerable to silent regressions, and future work such as Spec `289` would start from an unguarded baseline.
- Why not local: the enforcement work spans route emission, provider boundaries, test helpers, role-authority semantics, browser proof, and lane/report classification. A local test patch on one surface would leave the rest of the cutover unprotected.
- Approval class: Cleanup
- Red flags triggered: source-scan guard breadth, browser-gate ownership, and contributor-workflow classification changes. Defense: the package reuses existing guard families, existing browser-smoke anchors, and the current `TestLaneManifest` / `TestLaneReport` seams; it explicitly forbids runtime rewrites and full-suite repair.
- Score: Benefit: 2 | Urgency: 2 | Scope: 2 | Complexity: 1 | Product proximity: 2 | Reuse: 2 | Total: 11/12
- Decision: approve
Review Outcome
- Outcome class: acceptable-special-case
- Workflow outcome: keep
- Test-governance outcome: keep
- Reason: the package is cross-cutting but still implementation-ready because it hardens an already-finished runtime baseline through bounded guard tests, targeted browser proof, and classification-only documentation updates.
- Workflow result: Ready for implementation as the quality-gates and no-legacy enforcement layer that follows Spec `287`.
Spec Scope Fields (mandatory)
- Scope: repository
- Primary Routes:
  - canonical admin provider-connection routes such as `/admin/provider-connections...`
  - canonical workspace/environment drill-down routes such as `/admin/workspaces/{workspace}/environments/{managed_environment}/...`
  - exact retired management-only route/path families that now must stay forbidden, including `/admin/tenants/{tenant:slug}/provider-connections...`, `/admin/t/{tenant}/provider-connections`, `/admin/t/{tenant}/required-permissions`, `/admin/t/{tenant}/memberships`, and duplicate-prefix emissions such as `/admin/t/t/{tenant}/...`
- Data Ownership:
  - no new persisted entity, table, or artifact is introduced
  - guard inventories remain derived enforcement truth backed by tests and existing documentation
  - `workspace_memberships` remain the only role-bearing authority
  - `managed_environment_memberships` remain a narrowing-only scope overlay and must not become a second role-bearing matrix
  - existing lane report artifacts remain observational outputs only; this package does not establish a new baseline ledger
- RBAC:
  - workspace membership remains the first entitlement boundary and the only role-bearing authority
  - managed-environment scope may narrow access only
  - wrong-workspace or wrong-environment access remains `404`
  - in-scope actors missing capability remain `403`
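The decision order these RBAC rules imply, as an added PHP example that is not the project's policy code. The role names, capability strings, ids, and the rule that a user with no scope rows sees every environment in the workspace are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; role names, capabilities, and ids are constructed.
// Roles live only on workspace memberships.
const ROLE_CAPABILITIES = [
    'manager' => ['provider_connection.view', 'provider_connection.manage'],
    'readonly' => ['provider_connection.view'],
];

// Constructed rows. Scope rows carry no role: they can only narrow access.
$workspaceMemberships = [
    ['user' => 1, 'workspace' => 10, 'role' => 'manager'],
    ['user' => 2, 'workspace' => 10, 'role' => 'readonly'],
];
$environmentScopes = [
    ['user' => 2, 'workspace' => 10, 'environment' => 100],
];
$environments = [100 => 10, 101 => 10, 200 => 20]; // environment id => owning workspace id

/** Rejects any attempt to store a role on a managed-environment scope row. */
function assertNarrowingOnly(array $scopeRow): void
{
    if (array_key_exists('role', $scopeRow)) {
        throw new InvalidArgumentException('environment scope rows must not carry a role');
    }
}

/** Returns the HTTP status the request should receive: 404, 403, or 200. */
function decide(array $memberships, array $scopes, array $environments,
    int $user, int $workspace, int $environment, string $capability): int
{
    // 1. Entitlement boundary: wrong workspace or wrong environment is "not found".
    $role = null;
    foreach ($memberships as $row) {
        if ($row['user'] === $user && $row['workspace'] === $workspace) {
            $role = $row['role'];
        }
    }
    if ($role === null || ($environments[$environment] ?? null) !== $workspace) {
        return 404;
    }

    // 2. Narrowing overlay. Assumption: no scope rows means every environment
    //    in the workspace stays visible; scope rows can only shrink that set.
    $allowed = [];
    foreach ($scopes as $row) {
        assertNarrowingOnly($row);
        if ($row['user'] === $user && $row['workspace'] === $workspace) {
            $allowed[] = $row['environment'];
        }
    }
    if ($allowed !== [] && !in_array($environment, $allowed, true)) {
        return 404;
    }

    // 3. Capability comes from the workspace role only; in-scope but missing is 403.
    return in_array($capability, ROLE_CAPABILITIES[$role] ?? [], true) ? 200 : 403;
}

// Constructed requests: [user, workspace, environment, capability].
$cases = [
    'manager manages an environment' => [1, 10, 101, 'provider_connection.manage'],
    'readonly views scoped environment' => [2, 10, 100, 'provider_connection.view'],
    'readonly manages scoped environment' => [2, 10, 100, 'provider_connection.manage'],
    'readonly outside narrowed scope' => [2, 10, 101, 'provider_connection.view'],
    'manager in a foreign workspace' => [1, 20, 200, 'provider_connection.view'],
    'environment from another workspace' => [1, 10, 200, 'provider_connection.view'],
];
foreach ($cases as $label => [$u, $w, $env, $cap]) {
    printf("%-38s %d\n", $label,
        decide($workspaceMemberships, $environmentScopes, $environments, $u, $w, $env, $cap));
}

// A direct role edit on a scope record is refused rather than silently stored.
try {
    assertNarrowingOnly(['user' => 2, 'workspace' => 10, 'environment' => 100, 'role' => 'manager']);
} catch (InvalidArgumentException $error) {
    echo 'rejected: ', $error->getMessage(), PHP_EOL;
}
```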
Cross-Cutting / Shared Pattern Reuse (mandatory when the feature touches notifications, status messaging, action links, header actions, dashboard signals/cards, navigation entry points, alerts, evidence/report viewers, or any other existing shared operator interaction family; otherwise write N/A - no shared interaction family touched)
- Cross-cutting feature?: yes
- Interaction class(es): no-legacy guard tests, route emission guardrails, shared provider-boundary enforcement, targeted browser-smoke gates, and baseline classification documentation
- Systems touched:
  - `apps/platform/tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php`
  - `apps/platform/tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php`
  - `apps/platform/tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php`
  - `apps/platform/tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php`
  - `apps/platform/tests/Feature/Guards/BrowserLaneIsolationTest.php`
  - `apps/platform/tests/Feature/Guards/CiLaneFailureClassificationContractTest.php`
  - `apps/platform/tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php`
  - `apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php`
  - `apps/platform/tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php`
  - `apps/platform/tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php`
  - `apps/platform/tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php`
  - `apps/platform/tests/Unit/Auth/NoRoleStringChecksTest.php`
  - `apps/platform/tests/Pest.php`
  - `apps/platform/tests/Support/TestLaneManifest.php`
  - `apps/platform/tests/Support/TestLaneReport.php`
  - `apps/platform/tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php`
  - `apps/platform/tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php`
  - `README.md`
  - `scripts/platform-test-report`
- Existing pattern(s) to extend: current no-legacy source-scan guard style, current provider-boundary guard style, current role-authority feature assertions, existing browser-smoke route assertions, and the current test-lane manifest/report contract style
- Shared contract / presenter / builder / renderer to reuse: `ProviderBoundaryCatalog`, `ProviderOperationRegistry`, existing workspace-first policy tests, existing browser smoke tests, `TestLaneManifest`, `TestLaneReport`, and the existing lane wrapper scripts
- Why the existing shared path is sufficient or insufficient: the repo already has the right guard and reporting seams, but they are fragmented. Extending them is sufficient; creating a new lint framework or a second baseline-report system would be wider than necessary.
- Allowed deviation and why: scan exclusions are allowed only for immutable or historical material such as `database/migrations/**`, `references/**`, `docs/**`, `specs/**`, `spechistory/**`, `vendor/**`, and generated build or storage outputs. Any additional exception must be file-specific and justified.
- Consistency impact: route/path truth, helper truth, provider-boundary truth, role-authority truth, browser proof, and classification wording must all describe the same post-`287` cutover baseline.
- Review focus: reviewers must verify that the package adds enforcement only, keeps runtime/product rewrites out of scope, and leaves Spec `289` as the Package Execution Contract follow-up.
OperationRun UX Impact (mandatory when the feature creates, queues, deduplicates, resumes, blocks, completes, or deep-links to an OperationRun; otherwise write N/A - no OperationRun start or link semantics touched)
N/A - no OperationRun start or link semantics touched.
Provider Boundary / Platform Core Check (mandatory when the feature changes shared provider/platform seams, identity scope, governed-subject taxonomy, compare strategy selection, provider connection descriptors, or operator vocabulary that may leak provider-specific semantics into platform-core truth; otherwise write N/A - no shared provider/platform boundary touched)
- Shared provider/platform boundary touched?: yes
- Boundary classification: mixed
- Seams affected: shared provider identity resolution, shared provider operation definitions, and provider-boundary enforcement on platform-core seams
- Neutral platform terms preserved or introduced: `provider connection`, `target scope`, `scope kind`, `scope identifier`, `scope display name`, `workspace`, and `managed environment`
- Provider-specific semantics retained and why: provider-owned nested detail such as Microsoft tenant identifiers, consent links, or diagnostics may remain where the provider itself is the subject, but they must not re-enter platform-core identity or operation-definition truth.
- Why this does not deepen provider coupling accidentally: the package forbids Microsoft-shaped request option helpers and provider binding status keys on platform-core seams and reuses the current provider-boundary catalogs instead of inventing a second provider-core layer.
- Follow-up path: Spec `289` owns Package Execution Contract work once the cutover enforcement baseline is in place.
UI / Surface Guardrail Impact (mandatory when operator-facing surfaces are changed; otherwise write N/A)
| Surface / Change | Operator-facing surface change? | Native vs Custom | Shared-Family Relevance | State Layers Touched | Exception Needed? | Low-Impact / N/A Note |
|---|---|---|---|---|---|---|
| Provider-connection detail and managed-environment launch-point smoke gate | no direct runtime change | Native Filament resources | route emission truth and browser continuity | URL, query, detail, browser proof | no | smoke gate only |
| Workspace/environment drill-down smoke gate | no direct runtime change | Native Filament resources | role-authority proof and browser continuity | route, page, detail, browser proof | no | smoke gate only |
| Quality gate docs and lane classification wording | no operator surface change | N/A | contributor workflow only | docs, report classification, wrapper wording | no | repository workflow only |
Decision-First Surface Role (mandatory when operator-facing surfaces are changed)
N/A - the package does not change the decision contract of an operator-facing surface; it only proves the existing decision surfaces through targeted browser smoke.
Audience-Aware Disclosure (mandatory when operator-facing surfaces are changed)
N/A - browser smoke gates observe existing audience-aware disclosure but do not change it.
UI/UX Surface Classification (mandatory when operator-facing surfaces are changed)
N/A - no new runtime surface or action model is introduced.
Operator Surface Contract (mandatory when operator-facing surfaces are changed)
N/A - existing operator surface contracts remain unchanged.
Proportionality Review (mandatory when structural complexity is introduced)
- New source of truth?: no
- New persisted entity/table/artifact?: no
- New abstraction?: no
- New enum/state/reason family?: no independent family; reuse the existing test-lane classification and failure-class framework if a new cutover label is needed there
- New cross-domain UI framework/taxonomy?: no
- Current operator problem: a completed cutover can still regress silently if emitted URLs, helper patterns, provider-core seams, or role-authority boundaries are not enforced.
- Existing structure is insufficient because: isolated runtime tests exist, but they do not yet form one explicit enforcement layer with targeted browser proof and a documented classification-only boundary for broader baseline fallout.
- Narrowest correct implementation: add bounded guard tests, targeted browser smoke assertions, and classification-only documentation updates on the existing lane/report seams.
- Ownership cost: one guard inventory for routes/helpers, one guard inventory for provider-core/role-authority, small browser smoke updates, and bounded docs/report wording updates.
- Alternative intentionally rejected: reopening runtime cutover work or taking ownership of full-suite repair. That would widen the package beyond enforcement.
- Release truth: current-release truth
Compatibility posture
This feature assumes a pre-production environment.
Canonical cutover truth is preferred over legacy compatibility shims.
Historical and immutable references may remain in excluded documentation or migration paths only.
Testing / Lane / Runtime Impact (mandatory for runtime behavior changes)
- Test purpose / classification: Feature, Browser
- Validation lane(s): heavy-governance, browser
- Why this classification and these lanes are sufficient: the source-scan and contract checks are intentionally broad guard work and belong to the existing heavy-governance-style guard family, while the visible continuity proof belongs to the isolated browser lane. No full-suite run or repair is required.
- New or expanded test families: cutover route/helper no-legacy guards, provider-core and role-authority guard coverage, targeted browser smoke assertions on existing Spec `281` and Spec `285` smoke anchors, and classification-contract coverage for the new guard/browser ownership
- Fixture / helper cost impact: low to moderate. The broadest cost comes from explicit scan inventories and existing browser fixtures; no new expensive default helper or full-suite harness is introduced.
- Heavy-family visibility / justification: yes. The enforcement pack is intentionally cross-cutting and belongs in the existing guard-heavy validation posture, but it must stay bounded to cutover-owned seams.
- Special surface test profile: standard-native-filament, global-context-shell, browser-smoke
- Standard-native relief or required special coverage: ordinary feature and unit coverage remains sufficient for role-authority semantics; browser smoke is required only for the two named user-visible path-continuity surfaces.
- Reviewer handoff: reviewers must verify that Filament remains v5 on Livewire v4, provider registration remains in `apps/platform/bootstrap/providers.php`, no global-search contract changes are introduced, no new destructive action semantics are added, no asset registration or deployment step changes are introduced, the proof commands remain targeted, and Package Execution stays deferred to Spec `289`.
- Budget / baseline / trend impact: classification-only documentation and failure-contract updates are allowed; no full-suite baseline refresh or repair is owned by this package.
- Escalation needed: document-in-feature
- Active feature PR close-out entry: NoLegacyGuardrail
- Planned validation commands:
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php)`
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php)`
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)`
User Scenarios & Testing (mandatory)
User Story 1 - Guard retired routes, paths, and helper bootstrapping (Priority: P1)
As a maintainer, I want explicit no-legacy guards for retired management route families, emitted URL shapes, and retired tenant-panel helper bootstrapping so the cutover cannot silently regress through small convenience changes.
Why this priority: if route/path or helper drift returns, the cutover fails at its edges before broader provider or RBAC guarantees matter.
Independent Test: Can be fully tested by running the targeted route/helper guard suite plus the existing runtime regression tests that already assert legacy provider and tenant-core paths stay not found.
Acceptance Scenarios:
- Given a change reintroduces a retired provider-management route or emitted URL shape, When the targeted guard suite runs, Then it fails with an actionable path-specific message.
- Given a shared test helper or owned seam attempts to boot the retired tenant panel again, When the targeted guard suite runs, Then it fails before that pattern spreads.
User Story 2 - Guard provider-core seams and role authority (Priority: P1)
As a maintainer or reviewer, I want shared provider-core and role-authority guard checks so platform-core seams stay provider-neutral and environment scope stays narrowing-only.
Why this priority: provider-core leakage and role-authority drift would reintroduce exactly the cross-cutting coupling that the cutover removed.
Independent Test: Can be fully tested by running the provider-core and role-authority guard suite alongside the existing policy and membership regression tests.
Acceptance Scenarios:
- Given a shared provider identity or operation-definition seam reintroduces provider-specific request shaping or provider binding truth, When the guard suite runs, Then it fails with a seam-specific message.
- Given a change lets managed-environment scope act like a second role-bearing matrix, When the role-authority tests run, Then the regression is caught as either wrong-scope `404` drift, in-scope `403` drift, or illegal direct role-edit behavior.
User Story 3 - Keep browser proof and quality-gate docs honest (Priority: P2)
As a maintainer, I want the guard package to name and run the existing high-signal browser smoke gates and document the quality-gate boundary so contributors know what proof is mandatory and what repair work is intentionally excluded.
Why this priority: browser proof and docs make the guard package actionable rather than purely theoretical.
Independent Test: Can be fully tested by running the two targeted browser smoke tests and verifying the contributor-facing quality-gate documentation points at the same proof set and the same classification-only boundary.
Acceptance Scenarios:
- Given a change affects canonical provider-connection or workspace/environment drill-down continuity, When the targeted browser smoke tests run, Then they prove the visible canonical route shapes and stay free of JavaScript or console errors.
- Given a maintainer reads the quality-gate docs for this pack, When they follow the guidance, Then they see the targeted proof commands and the rule that broader baseline fallout is classified only under Spec `288`.
User Story 4 - Classify broader baseline fallout without owning repair (Priority: P3)
As a maintainer or reviewer, I want broader baseline fallout to be classified through the existing lane/report contracts so cutover-specific failures are visible without turning this package into a full-suite stabilization effort.
Why this priority: the repo needs reviewable signal, but this package must stay on enforcement rather than becoming a general test-repair lane.
Independent Test: Can be fully tested by extending the current classification-contract tests and verifying that the updated manifest/report wording distinguishes guard/browser ownership from unrelated broader failures.
Acceptance Scenarios:
- Given a wider baseline or report includes cutover guard failures, When classification contracts render the result, Then they identify the guard/browser ownership without implying that Spec `288` repairs unrelated failures.
- Given unrelated full-suite failures already exist, When this package is implemented, Then the package records or classifies them as external to `288` instead of silently absorbing repair work.
Edge Cases
- What happens when a canonical `/admin/t/{tenant}` operational path remains valid while adjacent management-only `/admin/t/{tenant}/provider-connections` or duplicate `/admin/t/t/{tenant}` paths must stay forbidden?
- How do source scans avoid flagging immutable historical references inside `database/migrations/**`, `references/**`, `docs/**`, `specs/**`, or `spechistory/**` while still failing on live code drift?
- What happens when a helper still carries legacy naming but no longer boots the retired panel? Any allowed exception must be explicit and path-specific rather than global.
- How does the package distinguish wrong-scope `404` behavior from in-scope capability `403` behavior when role-authority drift is introduced?
- How is a broader baseline or lane report handled when the package surfaces a cutover regression but unrelated failures are already present?
Requirements (mandatory)
Constitution alignment (required): This package introduces no new Graph integration surface, no new queue workflow, no new persisted entity, and no new operator product flow. It hardens the completed cutover through bounded tests, browser proof, and documentation only.
Constitution alignment (PROP-001 / ABSTR-001 / PERSIST-001 / STATE-001 / BLOAT-001): The feature must reuse existing guard-test, browser-smoke, and lane/report structures. It may pin new inventories inside those seams, but it must not create a second enforcement framework or a new baseline data store.
Constitution alignment (XCUT-001 / PROV-001): The package must enforce shared provider/platform boundaries through existing catalogs and tests. It may extend those guardrails, but it must not rewrite provider-core runtime behavior under the banner of enforcement.
Functional Requirements
- FR-001: The package MUST add targeted no-legacy guard tests that fail when exact retired management route/path families or duplicate route emissions reappear on cutover-owned seams.
- FR-002: Route emission guards MUST verify that cutover-owned launch points and shared URL builders emit canonical admin/workspace managed-environment URLs instead of retired provider-management or duplicate-prefix route shapes.
- FR-003: Forbidden route/path scans MUST use explicit exclusions for immutable or historical material such as `database/migrations/**`, `references/**`, `docs/**`, `specs/**`, `spechistory/**`, generated build output, vendor code, and storage artifacts.
- FR-004: The package MUST add forbidden tenant-panel helper checks that fail when retired tenant-panel bootstrapping patterns such as `setTenantPanelContext()` or direct `tenant` panel selection re-enter the shared test harness or other owned seams outside explicit, file-scoped exceptions.
- FR-005: Provider-core forbidden seam checks MUST fail when shared provider identity or operation-definition seams reintroduce request-option shaping or provider binding truth that belongs only in provider-owned seams.
- FR-006: Environment-scope role-authority guard checks MUST prove that workspace membership remains the only role-bearing authority, wrong-scope denials remain `404`, in-scope capability denials remain `403`, and direct role edits on managed-environment scope records remain rejected.
- FR-007: Targeted browser smoke gates MUST keep the existing provider-connection and workspace/environment drill-down surfaces green while asserting canonical route continuity and absence of browser-console or JavaScript errors.
- FR-008: Quality-gate documentation MUST name the exact targeted proof set, the browser-smoke obligations, the scan-exclusion rules, and the classification-only rule for broader baseline fallout.
- FR-009: Existing lane/report classification contracts MUST be updated only enough to classify cutover guard/browser ownership and broader baseline fallout; this package MUST NOT take ownership of unrelated full-suite repair.
- FR-010: The package MUST NOT reopen runtime cutover work, provider-core rewrites, RBAC rewrites, UI copy cleanup, Review Pack export work, or Guided Operations work in order to make the guard suite pass.
- FR-011: Spec `289` MUST remain the explicit follow-up for Package Execution Contract work; `288` must not absorb it.
Non-Functional Requirements
- NFR-001: Filament remains v5 on Livewire v4, and provider registration remains in `apps/platform/bootstrap/providers.php`.
- NFR-002: The package introduces no new panel, no new globally-searchable resource, and no change to destructive-action semantics.
- NFR-003: The package introduces no new asset registration and no new deployment step. Existing deployment expectations such as `php artisan filament:assets` remain unchanged because this spec adds no assets.
- NFR-004: Validation remains bounded to the targeted guard tests, the two named browser smoke tests, and formatting. No full-suite baseline rerun or repair is required.
- NFR-005: Any exception added to a route/path, helper, or source-scan guard must be explicit, file-scoped, and justified; broad namespace or directory allowlists outside the pinned historical exclusions are forbidden.
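A sketch of the source-scan guard described by FR-001, FR-003, FR-004 and NFR-005, added here as an example and not taken from the repository's Spec 288 guard tests. The regular expressions, the prefix-based exclusion matching, and every sample path and file body are assumptions constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not the repository's Spec288 guard tests.

// Pinned inventory built from the retired route/path families and helper name in the spec.
// A {tenant} placeholder is matched as one path segment. The bare /admin/t/{tenant}
// operational path is deliberately absent from the inventory, so it stays allowed.
const FORBIDDEN_PATTERNS = [
    'retired /admin/tenants/{tenant}/provider-connections' =>
        '#/admin/tenants/[^/\s\'"]+/provider-connections#',
    'retired /admin/t/{tenant} management path' =>
        '#/admin/t/[^/\s\'"]+/(?:provider-connections|required-permissions|memberships)\b#',
    'duplicate-prefix /admin/t/t/ emission' => '#/admin/t/t/#',
    'retired tenant-panel helper' => '#\bsetTenantPanelContext\s*\(#',
];

// Historical or immutable material excluded from scans, treated here as
// prefixes relative to the scan root (an assumption of this example).
const HISTORICAL_PREFIXES = [
    'database/migrations/', 'references/', 'docs/', 'specs/', 'spechistory/', 'vendor/',
];

function isHistoricalPath(string $path): bool
{
    foreach (HISTORICAL_PREFIXES as $prefix) {
        if (str_starts_with($path, $prefix)) {
            return true;
        }
    }
    return false;
}

/**
 * @param array<string, string> $files                      relative path => file contents
 * @param array<string, array<string, string>> $exceptions  path => [rule => justification]
 * @return list<string> path-specific violation messages
 */
function scanForLegacyDrift(array $files, array $exceptions = []): array
{
    $violations = [];
    foreach ($files as $path => $source) {
        if (isHistoricalPath($path)) {
            continue;
        }
        foreach (explode("\n", $source) as $index => $line) {
            foreach (FORBIDDEN_PATTERNS as $rule => $regex) {
                // An exception counts only for one file and one rule, and only with a reason.
                if (($exceptions[$path][$rule] ?? '') !== '') {
                    continue;
                }
                if (preg_match($regex, $line) === 1) {
                    $violations[] = sprintf('%s:%d [%s] %s', $path, $index + 1, $rule, trim($line));
                }
            }
        }
    }
    return $violations;
}

// Constructed sample sources (paths and contents are made up for this example).
$files = [
    'app/Support/ExampleLinks.php' => implode("\n", [
        'return url("/admin/t/{$tenant}");',                       // canonical operational path
        'return url("/admin/t/{$tenant}/provider-connections");',  // retired management path
        'return url("/admin/t/t/{$tenant}/inventory");',           // duplicate prefix
    ]),
    'tests/Support/ExampleHarness.php' => 'setTenantPanelContext($tenant);',
    'tests/Support/ExampleLegacyNamedHelper.php' => '// setTenantPanelContext() was removed here',
    'database/migrations/0000_00_00_000000_example.php' => '// /admin/t/{tenant}/memberships',
];
$exceptions = [
    'tests/Support/ExampleLegacyNamedHelper.php' => [
        'retired tenant-panel helper' => 'comment only; the helper no longer boots the panel',
    ],
];

$violations = scanForLegacyDrift($files, $exceptions);
foreach ($violations as $message) {
    echo $message, PHP_EOL;
}
echo count($violations), ' violation(s)', PHP_EOL;
```

Because the exception map is keyed by file and rule, a directory-wide or namespace-wide allowlist cannot be expressed in it, which is the constraint NFR-005 asks for.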
Success Criteria (mandatory)
Measurable Outcomes
- SC-001: Reintroducing any pinned retired route/path family or retired tenant-panel helper pattern on a live owned seam causes the targeted guard suite to fail with an actionable, path-specific message.
- SC-002: The targeted browser smoke tests for Spec `281` and Spec `285` pass while still asserting canonical route continuity and no JavaScript or console drift.
- SC-003: Contributor-facing quality-gate documentation points to the same proof commands and explicitly states that broader baseline fallout is classified only, not repaired, under Spec `288`.
- SC-004: Package Execution Contract remains deferred to Spec `289`, and no runtime cutover, provider-core rewrite, RBAC rewrite, or full-suite repair work is absorbed into the implementation.