ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
platform-dev
TenantAtlas/specs/288-quality-gates-no-legacy-enforcement/tasks.md
ahmido 0a1377c5f5 feat(spec-288): add no-legacy quality gates (#347) 
## Summary
- add Spec 288 no-legacy route/helper and provider-core/role-authority guard coverage
- extend the pinned Spec 281 and Spec 285 browser smokes plus lane/report classification wording for classification-only fallout handling
- add the Spec 288 artifact package and contributor-facing quality-gate guidance while keeping Package Execution deferred to Spec 289

## Validation
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php)`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php)`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #347
2026-05-10 21:24:14 +00:00

225 lines
24 KiB
Markdown
Raw Permalink Blame History

---
description: "Task list for Quality Gates / No-Legacy Enforcement"
---
# Tasks: Quality Gates / No-Legacy Enforcement
**Input**: Design documents from `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/`
**Prerequisites**: `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/plan.md` (required), `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/spec.md` (required), `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/checklists/requirements.md` (required), `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/research.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/data-model.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/contracts/quality-gates-no-legacy-enforcement.logical.openapi.yaml`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/quickstart.md`
**Review Artifact**: `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/checklists/requirements.md` is the outcome-of-record for the review outcome class, workflow outcome, and test-governance outcome. If implementation expands into runtime cutover repair, Package Execution Contract work, Guided Operations, Review Pack export changes, or full-suite repair, update that artifact before continuing and stop when the work no longer fits `288`.
**Tests**: Required (Pest) for guard, browser, and classification-contract changes. Keep proof bounded to the named guard and browser files plus formatting. Broader baseline fallout may be classified but not repaired under this spec.
**Operations**: No new `OperationRun`, queue family, remote workflow, or notification policy is introduced. `288` only adds enforcement and contributor-facing quality-gate documentation.
**RBAC**: Reuse the workspace-first access contract from Spec `285`; do not add a new role family, raw capability strings, or a second role matrix.
**Shared Pattern Reuse**: Reuse `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Unit/Auth/NoRoleStringChecksTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Pest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneManifest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneReport.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/README.md`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/scripts/platform-test-report`. Do not introduce a new lint framework, a second baseline-report system, or a full-suite repair wrapper under this spec.
**Filament / Panel Guardrails**: Filament remains v5 on Livewire v4. Provider registration remains unchanged in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/bootstrap/providers.php`. No new panel, no new globally-searchable resource, and no asset-strategy change are allowed in this slice.
**Organization**: Tasks are grouped by route/helper guardrails, provider-core and role-authority guardrails, browser-smoke and documentation obligations, and the classification-only broader-baseline boundary.
**Review Outcome**: `acceptable-special-case`
**Workflow Outcome**: `keep`
**Test-governance Outcome**: `keep`
## Test Governance Checklist
- [x] Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- [x] New source scans use explicit exclusions and avoid broad, ambiguous allowlists.
- [x] Targeted browser smoke gates are named explicitly and remain isolated to the browser lane.
- [x] Planned validation commands cover the changed seams without becoming a full-suite baseline or repair program.
- [x] Surface test profile stays explicit: `standard-native-filament`, `global-context-shell`, and `browser-smoke`.
- [x] The active package records that Spec `289` owns Package Execution Contract work after this slice lands.
## Phase 1: Setup (Shared Context)
**Purpose**: Lock the bounded enforcement role, exact retired inventories, and targeted validation scope before test or documentation edits begin.
- [x] T001 Review `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/spec.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/plan.md`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/checklists/requirements.md` to confirm the package stays on enforcement only
- [x] T002 [P] Review `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/research.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/data-model.md`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/contracts/quality-gates-no-legacy-enforcement.logical.openapi.yaml` to confirm the same retired-route, helper, provider-boundary, role-authority, and classification-only inventories are pinned everywhere
- [x] T003 [P] Confirm the focused Sail/Pest validation commands in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/288-quality-gates-no-legacy-enforcement/quickstart.md` and the current guard, browser, and classification surfaces in `apps/platform/tests/Feature/Guards/`, `apps/platform/tests/Browser/`, `apps/platform/tests/Support/`, and `README.md`
---
## Phase 2: Foundational (Blocking Prerequisites)
**Purpose**: Fix the exact enforcement inventory before story work begins and keep runtime rewrites and broader repair explicitly out of scope.
**Critical**: No user-story work should begin until this phase is complete.
- [x] T004 Audit the exact retired route/path and emitted-URL inventories across `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/routes/web.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Providers/Filament/AdminPanelProvider.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Resources/TenantResource.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/OperationRunLinks.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Verification/VerificationLinkBehavior.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php`
- [x] T005 [P] Audit retired tenant-panel helper and panel-bootstrapping seams across `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Pest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/`, and any directly affected support path named by this package
- [x] T006 [P] Audit provider-core and role-authority enforcement seams across `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Providers/Boundary/ProviderBoundaryCatalog.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/ProviderIdentityResolution.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/ProviderOperationRegistry.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Unit/Auth/NoRoleStringChecksTest.php`
- [x] T007 Confirm the classification-only broader-baseline boundary across `/Users/ahmeddarrazi/Documents/projects/wt-plattform/README.md`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneManifest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneReport.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/BrowserLaneIsolationTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/CiLaneFailureClassificationContractTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/scripts/platform-test-report`, and verify that Spec `289` remains the explicit follow-up
**Checkpoint**: the enforcement inventories and scope boundary are fixed before story work begins.
---
## Phase 3: User Story 1 - Guard retired routes, paths, and helper bootstrapping (Priority: P1)
**Goal**: Fail fast when retired management route/path families or retired tenant-panel bootstrapping patterns re-enter cutover-owned seams.
**Independent Test**: run the targeted route/helper guard suite plus the existing legacy redirect and tenant-core runtime regression tests to prove the exact retired path families and helper patterns fail with actionable messages.
### Tests for User Story 1
- [x] T008 [P] [US1] Add or extend route/path and helper enforcement coverage in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php`
### Implementation for User Story 1
- [x] T009 [US1] Implement the exact retired route/path inventory, emitted-URL assertions on the audited launch-point seams, and scan exclusions in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php` using the route and launch-point seams audited in Phase 2
- [x] T010 [US1] Implement forbidden tenant-panel helper and panel-bootstrapping checks in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php` and any minimal supporting seam references in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Pest.php` without widening into a repo-wide helper rewrite
**Checkpoint**: User Story 1 is independently functional when retired route/path and helper patterns fail targeted guards and the known runtime regressions still stay not found.
---
## Phase 4: User Story 2 - Guard provider-core seams and role authority (Priority: P1)
**Goal**: Keep shared provider-core seams provider-neutral and keep workspace membership as the only role-bearing authority.
**Independent Test**: run the targeted provider-boundary and role-authority guard suite plus the current policy and scope-management regressions to prove platform-core neutrality and narrowing-only environment scope.
### Tests for User Story 2
- [x] T011 [P] [US2] Add or extend provider-boundary and role-authority coverage in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Unit/Auth/NoRoleStringChecksTest.php`
### Implementation for User Story 2
- [x] T012 [US2] Implement the provider-core forbidden seam inventory in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php` using `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Providers/Boundary/ProviderBoundaryCatalog.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/ProviderIdentityResolution.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/ProviderOperationRegistry.php` without rewriting provider-core runtime behavior
- [x] T013 [US2] Implement environment-scope role-authority guard coverage in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php` and any minimal supporting assertions in the named feature and unit tests without rewriting the RBAC model
**Checkpoint**: User Story 2 is independently functional when provider-core regressions fail targeted guards and role-authority semantics remain unchanged on the existing proof surfaces.
---
## Phase 5: User Story 3 - Keep browser proof and quality-gate docs honest (Priority: P2)
**Goal**: Preserve visible canonical route continuity on the current cutover browser anchors and document the same proof boundary for contributors.
**Independent Test**: run the two targeted browser smoke tests and verify the contributor-facing quality-gate docs point to the same proof commands and the same classification-only baseline rule.
### Tests for User Story 3
- [x] T014 [P] [US3] Extend `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php` so they assert canonical admin/workspace route continuity and remain free of JavaScript or console errors after the guard pack lands
### Implementation for User Story 3
- [x] T015 [US3] Update `/Users/ahmeddarrazi/Documents/projects/wt-plattform/README.md` with the cutover quality-gate guidance, exact targeted proof commands, pinned scan-exclusion rule, and the statement that broader baseline/full-suite fallout is classified only under Spec `288`
**Checkpoint**: User Story 3 is independently functional when browser proof stays green and contributors can follow the same quality-gate contract from the docs.
---
## Phase 6: User Story 4 - Classify broader baseline fallout without owning repair (Priority: P3)
**Goal**: Make broader baseline fallout reviewable through the current lane/report seams without turning `288` into a full-suite stabilization package.
**Independent Test**: run the classification-contract tests and verify that the manifest/report wording distinguishes cutover guard/browser ownership from unrelated broader failures.
### Tests for User Story 4
- [x] T016 [P] [US4] Extend `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/BrowserLaneIsolationTest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/CiLaneFailureClassificationContractTest.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php` to cover the new Spec `288` guard/browser ownership and classification semantics
### Implementation for User Story 4
- [x] T017 [US4] Update `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneManifest.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Support/TestLaneReport.php`, and any minimal wrapper wording in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/scripts/platform-test-report` so Spec `288` guard/browser failures and broader baseline fallout are classified without implying full-suite repair ownership
**Checkpoint**: User Story 4 is independently functional when broader baseline fallout is reviewable but still explicitly outside the repair scope of this package.
---
## Phase 7: Polish & Cross-Cutting Validation
**Purpose**: Run the canonical targeted proof commands, format touched files, and confirm Spec `289` remains the next package instead of leaking back into `288`.
- [x] T018 Run `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php)` exactly as recorded in `spec.md`, `plan.md`, and `quickstart.md`
- [x] T019 Run `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php)` exactly as recorded in `spec.md`, `plan.md`, and `quickstart.md`
- [x] T020 Run `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)`
- [x] T021 Review the touched guard, browser, documentation, and classification seams plus the review artifact to confirm Filament remains v5 on Livewire v4, provider registration still lives in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/bootstrap/providers.php`, no global-search or destructive-action contract drift was introduced, no asset registration or deployment-step drift was introduced, no runtime cutover repair, provider-core rewrite, RBAC rewrite, Package Execution work, Guided Operations work, Review Pack export work, UI copy cleanup, or full-suite repair was absorbed, and Spec `289` remains the explicit follow-up
---
## Dependencies & Execution Order
### Phase Dependencies
- **Phase 1 (Setup)**: no dependencies; start immediately.
- **Phase 2 (Foundational)**: depends on Phase 1 and blocks all user-story work until the enforcement inventories and classification boundary are settled.
- **Phase 3 (US1)**: depends on Phase 2 and delivers the first independent guardrail slice.
- **Phase 4 (US2)**: depends on Phase 2 and should follow US1 so route/helper truth is pinned before provider-core and role-authority guardrails reuse it.
- **Phase 5 (US3)**: depends on Phases 3 and 4 because browser proof and docs should reflect the final guard inventories.
- **Phase 6 (US4)**: depends on Phases 3 through 5 so classification wording reflects the final proof ownership rather than a moving target.
- **Phase 7 (Polish)**: depends on all implemented stories.
### User Story Dependencies
- **US1 (P1)**: first independently testable increment once the enforcement inventory is settled.
- **US2 (P1)**: independently testable after Phase 2, but safer after US1 because route/helper truth should stabilize before provider-boundary and role-authority enforcement are judged.
- **US3 (P2)**: independently testable after US1 and US2 because browser smoke and docs should reflect final proof obligations.
- **US4 (P3)**: independently testable after Phases 3 through 5 because classification wording must describe the final guard/browser ownership.
### Within Each User Story
- Add or extend the targeted tests first and make the current drift visible.
- Complete the minimum guard or documentation seam needed for that story.
- Re-run the narrowest relevant validation command after each story checkpoint before moving on.
---
## Parallel Execution Examples
### Phase 1
- T002 and T003 can run in parallel after T001 confirms the bounded package role.
### Phase 2
- T004, T005, and T006 can run in parallel because they inspect different seam families.
### User Story 1
- T008 can run while T009 and T010 are being prepared, but the route and helper guard inventory should land as one coherent slice.
### User Story 2
- T011 can run in parallel with the seam audit, but T012 and T013 should land together because they define one shared provider-core and role-authority enforcement slice.
### User Story 4
- T016 can run in parallel across the named classification-contract tests once T017's target classification wording is clear.
---
## Implementation Strategy
### Suggested MVP Scope
- MVP = **Phase 2 + US1 + US2**. The package starts delivering value once the cutover can fail fast on retired routes/helpers and provider/role-authority regressions.
### Incremental Delivery
1. Complete Phase 1 and Phase 2.
2. Deliver US1 and validate route/helper enforcement.
3. Deliver US2 and validate provider-core and role-authority enforcement.
4. Deliver US3 and validate browser proof plus contributor-facing docs.
5. Deliver US4 and validate classification-only broader-baseline handling.
6. Finish with Phase 7 targeted validation, formatting, and scope review.
### Team Strategy
1. Keep Spec `289` explicitly out of implementation commits for this slice.
2. Land guard inventories before browser or documentation wording so the contributor-facing proof contract reflects final enforcement truth.
3. Serialize merges around `apps/platform/tests/Pest.php`, `apps/platform/tests/Support/TestLaneManifest.php`, `README.md`, and the new Spec `288` guard files because those are likely conflict hotspots.
---
## Explicit Follow-Ups / Out of Scope
- Package Execution Contract, which moves to Spec `289`
- Guided Operations
- Microsoft Starter Pack
- runtime cutover work
- provider-core rewrites
- RBAC rewrites
- UI copy cleanup from Spec `286`
- Review Pack export changes
- any full-suite repair or stabilization program
Reference in New Issue View Git Blame Copy Permalink