ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects 1 Releases Wiki Activity
platform-dev
TenantAtlas/specs/288-quality-gates-no-legacy-enforcement/tasks.md
ahmido 0a1377c5f5 feat(spec-288): add no-legacy quality gates (#347) 
## Summary
- add Spec 288 no-legacy route/helper and provider-core/role-authority guard coverage
- extend the pinned Spec 281 and Spec 285 browser smokes plus lane/report classification wording for classification-only fallout handling
- add the Spec 288 artifact package and contributor-facing quality-gate guidance while keeping Package Execution deferred to Spec 289

## Validation
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php)`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php)`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #347
2026-05-10 21:24:14 +00:00

24 KiB
Raw Permalink Blame History

description
Task list for Quality Gates / No-Legacy Enforcement

Tasks: Quality Gates / No-Legacy Enforcement

Input: Design documents from /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/
Prerequisites: /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/plan.md (required), /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/spec.md (required), /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/checklists/requirements.md (required), /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/research.md, /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/data-model.md, /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/contracts/quality-gates-no-legacy-enforcement.logical.openapi.yaml, /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/quickstart.md

Review Artifact: /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/checklists/requirements.md is the outcome-of-record for the review outcome class, workflow outcome, and test-governance outcome. If implementation expands into runtime cutover repair, Package Execution Contract work, Guided Operations, Review Pack export changes, or full-suite repair, update that artifact before continuing and stop when the work no longer fits 288.

Tests: Required (Pest) for guard, browser, and classification-contract changes. Keep proof bounded to the named guard and browser files plus formatting. Broader baseline fallout may be classified but not repaired under this spec.
Operations: No new OperationRun, queue family, remote workflow, or notification policy is introduced. 288 only adds enforcement and contributor-facing quality-gate documentation.
RBAC: Reuse the workspace-first access contract from Spec 285; do not add a new role family, raw capability strings, or a second role matrix.
Shared Pattern Reuse: Reuse /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Unit/Auth/NoRoleStringChecksTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Pest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneManifest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneReport.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/README.md, and /Users/ahmeddarrazi/Documents/projects/wt-plattform/scripts/platform-test-report. Do not introduce a new lint framework, a second baseline-report system, or a full-suite repair wrapper under this spec.
Filament / Panel Guardrails: Filament remains v5 on Livewire v4. Provider registration remains unchanged in /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/bootstrap/providers.php. No new panel, no new globally-searchable resource, and no asset-strategy change are allowed in this slice.
Organization: Tasks are grouped by route/helper guardrails, provider-core and role-authority guardrails, browser-smoke and documentation obligations, and the classification-only broader-baseline boundary.
Review Outcome: acceptable-special-case
Workflow Outcome: keep
Test-governance Outcome: keep

Test Governance Checklist

  • Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
  • New source scans use explicit exclusions and avoid broad, ambiguous allowlists.
  • Targeted browser smoke gates are named explicitly and remain isolated to the browser lane.
  • Planned validation commands cover the changed seams without becoming a full-suite baseline or repair program.
  • Surface test profile stays explicit: standard-native-filament, global-context-shell, and browser-smoke.
  • The active package records that Spec 289 owns Package Execution Contract work after this slice lands.

Phase 1: Setup (Shared Context)

Purpose: Lock the bounded enforcement role, exact retired inventories, and targeted validation scope before test or documentation edits begin.

  • T001 Review /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/spec.md, /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/plan.md, and /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/checklists/requirements.md to confirm the package stays on enforcement only
  • T002 [P] Review /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/research.md, /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/data-model.md, and /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/contracts/quality-gates-no-legacy-enforcement.logical.openapi.yaml to confirm the same retired-route, helper, provider-boundary, role-authority, and classification-only inventories are pinned everywhere
  • T003 [P] Confirm the focused Sail/Pest validation commands in /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/quickstart.md and the current guard, browser, and classification surfaces in apps/platform/tests/Feature/Guards/, apps/platform/tests/Browser/, apps/platform/tests/Support/, and README.md

Phase 2: Foundational (Blocking Prerequisites)

Purpose: Fix the exact enforcement inventory before story work begins and keep runtime rewrites and broader repair explicitly out of scope.

Critical: No user-story work should begin until this phase is complete.

  • T004 Audit the exact retired route/path and emitted-URL inventories across /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/routes/web.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Providers/Filament/AdminPanelProvider.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Resources/TenantResource.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/OperationRunLinks.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Verification/VerificationLinkBehavior.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php, and /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php
  • T005 [P] Audit retired tenant-panel helper and panel-bootstrapping seams across /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Pest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/, and any directly affected support path named by this package
  • T006 [P] Audit provider-core and role-authority enforcement seams across /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Providers/Boundary/ProviderBoundaryCatalog.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/ProviderIdentityResolution.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/ProviderOperationRegistry.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php, and /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Unit/Auth/NoRoleStringChecksTest.php
  • T007 Confirm the classification-only broader-baseline boundary across /Users/ahmeddarrazi/Documents/projects/wt-plattform/README.md, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneManifest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneReport.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/BrowserLaneIsolationTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/CiLaneFailureClassificationContractTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php, and /Users/ahmeddarrazi/Documents/projects/wt-plattform/scripts/platform-test-report, and verify that Spec 289 remains the explicit follow-up

Checkpoint: the enforcement inventories and scope boundary are fixed before story work begins.

Phase 3: User Story 1 - Guard retired routes, paths, and helper bootstrapping (Priority: P1)

Goal: Fail fast when retired management route/path families or retired tenant-panel bootstrapping patterns re-enter cutover-owned seams.

Independent Test: run the targeted route/helper guard suite plus the existing legacy redirect and tenant-core runtime regression tests to prove the exact retired path families and helper patterns fail with actionable messages.

Tests for User Story 1

  • T008 [P] [US1] Add or extend route/path and helper enforcement coverage in /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php, and /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php

Implementation for User Story 1

  • T009 [US1] Implement the exact retired route/path inventory, emitted-URL assertions on the audited launch-point seams, and scan exclusions in /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php using the route and launch-point seams audited in Phase 2
  • T010 [US1] Implement forbidden tenant-panel helper and panel-bootstrapping checks in /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php and any minimal supporting seam references in /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Pest.php without widening into a repo-wide helper rewrite

Checkpoint: User Story 1 is independently functional when retired route/path and helper patterns fail targeted guards and the known runtime regressions still stay not found.

Phase 4: User Story 2 - Guard provider-core seams and role authority (Priority: P1)

Goal: Keep shared provider-core seams provider-neutral and keep workspace membership as the only role-bearing authority.

Independent Test: run the targeted provider-boundary and role-authority guard suite plus the current policy and scope-management regressions to prove platform-core neutrality and narrowing-only environment scope.

Tests for User Story 2

  • T011 [P] [US2] Add or extend provider-boundary and role-authority coverage in /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php, and /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Unit/Auth/NoRoleStringChecksTest.php

Implementation for User Story 2

  • T012 [US2] Implement the provider-core forbidden seam inventory in /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php using /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Providers/Boundary/ProviderBoundaryCatalog.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/ProviderIdentityResolution.php, and /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/ProviderOperationRegistry.php without rewriting provider-core runtime behavior
  • T013 [US2] Implement environment-scope role-authority guard coverage in /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php and any minimal supporting assertions in the named feature and unit tests without rewriting the RBAC model

Checkpoint: User Story 2 is independently functional when provider-core regressions fail targeted guards and role-authority semantics remain unchanged on the existing proof surfaces.

Phase 5: User Story 3 - Keep browser proof and quality-gate docs honest (Priority: P2)

Goal: Preserve visible canonical route continuity on the current cutover browser anchors and document the same proof boundary for contributors.

Independent Test: run the two targeted browser smoke tests and verify the contributor-facing quality-gate docs point to the same proof commands and the same classification-only baseline rule.

Tests for User Story 3

  • T014 [P] [US3] Extend /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php and /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php so they assert canonical admin/workspace route continuity and remain free of JavaScript or console errors after the guard pack lands

Implementation for User Story 3

  • T015 [US3] Update /Users/ahmeddarrazi/Documents/projects/wt-plattform/README.md with the cutover quality-gate guidance, exact targeted proof commands, pinned scan-exclusion rule, and the statement that broader baseline/full-suite fallout is classified only under Spec 288

Checkpoint: User Story 3 is independently functional when browser proof stays green and contributors can follow the same quality-gate contract from the docs.

Phase 6: User Story 4 - Classify broader baseline fallout without owning repair (Priority: P3)

Goal: Make broader baseline fallout reviewable through the current lane/report seams without turning 288 into a full-suite stabilization package.

Independent Test: run the classification-contract tests and verify that the manifest/report wording distinguishes cutover guard/browser ownership from unrelated broader failures.

Tests for User Story 4

  • T016 [P] [US4] Extend /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/BrowserLaneIsolationTest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/CiLaneFailureClassificationContractTest.php, and /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php to cover the new Spec 288 guard/browser ownership and classification semantics

Implementation for User Story 4

  • T017 [US4] Update /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneManifest.php, /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneReport.php, and any minimal wrapper wording in /Users/ahmeddarrazi/Documents/projects/wt-plattform/scripts/platform-test-report so Spec 288 guard/browser failures and broader baseline fallout are classified without implying full-suite repair ownership

Checkpoint: User Story 4 is independently functional when broader baseline fallout is reviewable but still explicitly outside the repair scope of this package.

Phase 7: Polish & Cross-Cutting Validation

Purpose: Run the canonical targeted proof commands, format touched files, and confirm Spec 289 remains the next package instead of leaking back into 288.

  • T018 Run export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php) exactly as recorded in spec.md, plan.md, and quickstart.md
  • T019 Run export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php) exactly as recorded in spec.md, plan.md, and quickstart.md
  • T020 Run export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)
  • T021 Review the touched guard, browser, documentation, and classification seams plus the review artifact to confirm Filament remains v5 on Livewire v4, provider registration still lives in /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/bootstrap/providers.php, no global-search or destructive-action contract drift was introduced, no asset registration or deployment-step drift was introduced, no runtime cutover repair, provider-core rewrite, RBAC rewrite, Package Execution work, Guided Operations work, Review Pack export work, UI copy cleanup, or full-suite repair was absorbed, and Spec 289 remains the explicit follow-up

Dependencies & Execution Order

Phase Dependencies

  • Phase 1 (Setup): no dependencies; start immediately.
  • Phase 2 (Foundational): depends on Phase 1 and blocks all user-story work until the enforcement inventories and classification boundary are settled.
  • Phase 3 (US1): depends on Phase 2 and delivers the first independent guardrail slice.
  • Phase 4 (US2): depends on Phase 2 and should follow US1 so route/helper truth is pinned before provider-core and role-authority guardrails reuse it.
  • Phase 5 (US3): depends on Phases 3 and 4 because browser proof and docs should reflect the final guard inventories.
  • Phase 6 (US4): depends on Phases 3 through 5 so classification wording reflects the final proof ownership rather than a moving target.
  • Phase 7 (Polish): depends on all implemented stories.

User Story Dependencies

  • US1 (P1): first independently testable increment once the enforcement inventory is settled.
  • US2 (P1): independently testable after Phase 2, but safer after US1 because route/helper truth should stabilize before provider-boundary and role-authority enforcement are judged.
  • US3 (P2): independently testable after US1 and US2 because browser smoke and docs should reflect final proof obligations.
  • US4 (P3): independently testable after Phases 3 through 5 because classification wording must describe the final guard/browser ownership.

Within Each User Story

  • Add or extend the targeted tests first and make the current drift visible.
  • Complete the minimum guard or documentation seam needed for that story.
  • Re-run the narrowest relevant validation command after each story checkpoint before moving on.

Parallel Execution Examples

Phase 1

  • T002 and T003 can run in parallel after T001 confirms the bounded package role.

Phase 2

  • T004, T005, and T006 can run in parallel because they inspect different seam families.

User Story 1

  • T008 can run while T009 and T010 are being prepared, but the route and helper guard inventory should land as one coherent slice.

User Story 2

  • T011 can run in parallel with the seam audit, but T012 and T013 should land together because they define one shared provider-core and role-authority enforcement slice.

User Story 4

  • T016 can run in parallel across the named classification-contract tests once T017's target classification wording is clear.

Implementation Strategy

Suggested MVP Scope

  • MVP = Phase 2 + US1 + US2. The package starts delivering value once the cutover can fail fast on retired routes/helpers and provider/role-authority regressions.

Incremental Delivery

  1. Complete Phase 1 and Phase 2.
  2. Deliver US1 and validate route/helper enforcement.
  3. Deliver US2 and validate provider-core and role-authority enforcement.
  4. Deliver US3 and validate browser proof plus contributor-facing docs.
  5. Deliver US4 and validate classification-only broader-baseline handling.
  6. Finish with Phase 7 targeted validation, formatting, and scope review.

Team Strategy

  1. Keep Spec 289 explicitly out of implementation commits for this slice.
  2. Land guard inventories before browser or documentation wording so the contributor-facing proof contract reflects final enforcement truth.
  3. Serialize merges around apps/platform/tests/Pest.php, apps/platform/tests/Support/TestLaneManifest.php, README.md, and the new Spec 288 guard files because those are likely conflict hotspots.

Explicit Follow-Ups / Out of Scope

  • Package Execution Contract, which moves to Spec 289
  • Guided Operations
  • Microsoft Starter Pack
  • runtime cutover work
  • provider-core rewrites
  • RBAC rewrites
  • UI copy cleanup from Spec 286
  • Review Pack export changes
  • any full-suite repair or stabilization program