## Summary

- replace the remaining workspace overview tenant-first copy with environment-first wording in the builder, Blade view, and focused feature assertions
- add the Spec 299 workspace overview browser smoke and the final cutover audit documenting fixed copy, clean runtime scans, and allowed internal/provider/regression-guard `Tenant` references
- add the Spec 299 spec package (`spec.md`, `plan.md`, `tasks.md`, checklist, audit) to close the managed-environment cutover with an explicit final seal decision

## Validation

- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewContentTest.php tests/Feature/Filament/AdminHomeRedirectsToChooseTenantWhenWorkspaceSelectedTest.php tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php tests/Feature/Guards/NoActiveTenantResourceRoutesTest.php tests/Feature/Guards/ManagedEnvironmentCanonicalRouteContractTest.php tests/Feature/Filament/PanelNavigationSegregationTest.php tests/Feature/Workspaces/WorkspaceIntendedUrlLegacyRejectionTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Workspaces`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/RequiredPermissions`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec299WorkspaceOverviewCutoverSealSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `git diff --check`

## Notes

- Filament remains on Livewire v4.
- Provider registration remains in `apps/platform/bootstrap/providers.php`.
- No new panel provider or asset-strategy changes are included.
- Remaining technical `Tenant` references are documented in `specs/299-managed-environment-cutover-final-seal/final-cutover-audit.md`.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #354
Final Cutover Audit: Managed Environment Cutover Final Seal & Regression Guard Pack
Feature: 299-managed-environment-cutover-final-seal
Created: 2026-05-13
Status: Final implementation complete. Decision: merge-ready with documented allowed internal Tenant references.
Categories
| Category | Meaning |
|---|---|
| clean-baseline | Prep-time scans found no active runtime legacy hit in the named surface. |
| fixed | The implementation replaced or removed the old cutover drift. |
| allowed-provider-term | The wording describes external Microsoft/Entra provider truth and may remain. |
| allowed-internal-model | The term is an internal model/class/table/column/resource name; structural rename is out of scope. |
| allowed-historical | The term appears in historical specs/docs/audit history that this spec does not rewrite. |
| allowed-regression-guard | The term is kept only as a forbidden legacy pattern or negative assertion inside a guard test. |
| needs-follow-up | The prep baseline found a real seam that 299 must classify or fix during implementation. |
| blocked-runtime-finding | The final implementation found an active runtime legacy seam that blocks merge. |
Preparation Baseline Evidence
These entries reflect the repo evidence gathered during Spec 299 preparation before application code was edited.
| Evidence | Result | Decision |
|---|---|---|
| Focused runtime legacy scan over apps/platform/{app,resources,routes}/** for TenantPanelProvider, retired tenant panel IDs, /admin/t, /admin/tenants, retired runtime URL generators, and setTenantPanelContext | No matches found in the runtime app/resources/routes tree. | Runtime baseline is clean; re-prove with route list and final scans during implementation. |
| File search for apps/platform/**/TenantPanelProvider.php | No file found. | Keep tenant panel provider absent. |
| Focused provider/copy scan for tenant scope, Microsoft tenant, Entra tenant, Accessible tenants, No accessible tenants, and affected tenants | 13 matches found across workspace overview, provider capability/identity wording, support diagnostics, onboarding technical details, and operations viewer copy. | Separate active product copy from allowed provider or support/raw wording. |
| Focused test scan for TenantResource::getUrl, TenantDashboard::getUrl, TenantRequiredPermissions::getUrl, setTenantPanelContext, /admin/t/, and /admin/tenants under apps/platform/tests/** | More than 100 matches found across auth, RBAC, workspaces, guards, provider-connections, and browser tests. | 299 must classify test references instead of trying to erase all technical legacy terms blindly. |
| Targeted file reads of canonical owners | ManagedEnvironmentLinks, WorkspaceIntendedUrl, WorkspaceRedirectResolver, AdminPanelProvider, PanelNavigationSegregationTest, and WorkspaceOverviewBuilder are the current repo-real owners. | Reuse these owners; do not invent a new cutover framework. |
Active Runtime Legacy Findings
| Pattern | File / Surface | Category | Decision | Reason |
|---|---|---|---|---|
| Retired tenant runtime patterns: TenantPanelProvider, retired panel IDs, /admin/t/..., /admin/tenants/..., retired runtime URL generators, setTenantPanelContext() | apps/platform/app/**, apps/platform/resources/**, apps/platform/routes/** | clean-baseline | keep clean and revalidate | The prep runtime scan found no direct matches in the runtime tree. |
| Retired tenant panel provider file | apps/platform/**/TenantPanelProvider.php | clean-baseline | keep absent | File search returned no TenantPanelProvider.php. |
| Canonical environment link ownership | apps/platform/app/Support/ManagedEnvironmentLinks.php | clean-baseline | re-prove | The repo already has a canonical environment link helper; 299 must ensure no live seam bypasses it. |
| Retired intended-URL rejection and workspace-operations normalization | apps/platform/app/Support/Workspaces/WorkspaceIntendedUrl.php, apps/platform/app/Support/Workspaces/WorkspaceRedirectResolver.php | clean-baseline | re-prove | Current code already rejects retired tenant paths and normalizes workspace operations; the final seal must keep that contract explicit. |
| Workspace-vs-environment navigation ownership | apps/platform/app/Providers/Filament/AdminPanelProvider.php, affected apps/platform/app/Filament/**, apps/platform/tests/Feature/Filament/PanelNavigationSegregationTest.php | clean-baseline | proved | PanelNavigationSegregationTest.php passed as part of the focused proof pack and the full Filament lane; no navigation leak was reproduced. |
Test Legacy Findings
| Pattern | File / Surface | Category | Decision | Reason |
|---|---|---|---|---|
| setTenantPanelContext forbidden-pattern literals | apps/platform/tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php | allowed-regression-guard | keep | These strings are allowed only as explicit guard literals preventing reintroduction of the retired helper. |
| Retired-path negative assertions such as /admin/t/... and /admin/tenants/... | apps/platform/tests/Feature/078/**, apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php, apps/platform/tests/Feature/Workspaces/WorkspaceIntendedUrlLegacyRejectionTest.php, apps/platform/tests/Browser/Spec282GovernanceArtifactRetargetingSmokeTest.php | allowed-regression-guard | keep | These assertions are part of the negative regression contract and must remain explicit. |
| Broad TenantDashboard::getUrl(...) usage | Representative files include apps/platform/tests/Feature/Auth/AdminLocalSmokeLoginTest.php, apps/platform/tests/Feature/Workspaces/ManagedTenantsWorkspaceRoutingTest.php, apps/platform/tests/Feature/Rbac/TenantDashboardArrivalContextVisibilityTest.php, apps/platform/tests/Feature/Filament/WorkspaceOverviewPermissionVisibilityTest.php | allowed-internal-model | keep | These remain test references to the current technical page owner for canonical environment routes. Focused route scans and guard tests prove they do not revive /admin/t... or /admin/tenants.... |
| Broad TenantResource::getUrl(...) usage | Representative files include apps/platform/tests/Feature/Rbac/TenantResourceAuthorizationTest.php, apps/platform/tests/Feature/RequiredPermissions/RequiredPermissionsLinksTest.php, apps/platform/tests/Feature/Filament/WorkspaceOnlySurfaceTenantIndependenceTest.php, apps/platform/tests/Browser/Spec192RecordPageHeaderDisciplineSmokeTest.php, apps/platform/tests/Feature/Guards/ManagedEnvironmentCanonicalRouteContractTest.php | allowed-internal-model | keep | These remain test references to the current technical resource owner and route-generation contract. ManagedEnvironmentCanonicalRouteContractTest.php and the runtime scan prove generated URLs stay canonical. |
Copy Findings
| Pattern | File | Category | Decision | Reason |
|---|---|---|---|---|
| Accessible tenants | apps/platform/app/Support/Workspaces/WorkspaceOverviewBuilder.php | fixed | replaced with Accessible environments | This active workspace-overview product copy is now environment-first and covered by Feature and Browser assertions. |
| No accessible tenants in this workspace | apps/platform/app/Support/Workspaces/WorkspaceOverviewBuilder.php | fixed | replaced with No accessible environments in this workspace | This active workspace empty-state title is now environment-first and covered by Feature and Browser assertions. |
| Governance risk counts affected tenants | apps/platform/resources/views/filament/pages/workspace-overview.blade.php | fixed | replaced with Governance risk counts affected environments | This active workspace-overview helper copy is now environment-first and covered by Feature and Browser assertions. |
| Other workspace-overview tenant-first helper copy (entitled tenants, visible tenants, tenant dashboard, for this tenant, working in a tenant) | apps/platform/app/Support/Workspaces/WorkspaceOverviewBuilder.php, apps/platform/resources/views/filament/pages/workspace-overview.blade.php | fixed | replaced with environment-first wording | These strings were in the same touched active workspace-overview surface, so they were fixed in scope rather than merely classified. |
| Provider connection is missing target tenant scope., Microsoft tenant ID, The selected provider connection points to a different Microsoft tenant than the current scope., provider-owned Microsoft tenant detail helper text | apps/platform/app/Services/Providers/PlatformProviderIdentityResolver.php, apps/platform/app/Support/Providers/TargetScope/ProviderIdentityContextMetadata.php, apps/platform/app/Support/Providers/ProviderReasonTranslator.php, apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php, apps/platform/app/Filament/Resources/ProviderConnectionResource.php | allowed-provider-term | keep | These strings describe external provider truth and are not generic workspace/environment product labels. |
| Provider capability could not be evaluated because the tenant scope is unavailable., Workspace and tenant scope resolved before support diagnostics were composed., The current workspace or tenant scope remains visible without behaving like a primary task action. | apps/platform/app/Support/Providers/Capabilities/ProviderCapabilityEvaluator.php, apps/platform/app/Support/SupportDiagnostics/SupportDiagnosticBundleBuilder.php, apps/platform/app/Filament/Pages/Operations/TenantlessOperationRunViewer.php | allowed-provider-term / allowed-internal-model | keep | These are provider capability, support diagnostics, or scope-debug explanatory strings, not primary workspace-overview product copy. |
| Scope (Entra tenant) | apps/platform/resources/views/filament/modals/onboarding-verification-technical-details.blade.php | allowed-provider-term | keep | This is provider-specific onboarding technical detail, not generic platform terminology. |
Allowed References
| Reference Family | Example Files | Category | Why Allowed |
|---|---|---|---|
| Microsoft/Entra tenant identity and target-scope wording | apps/platform/app/Support/Providers/TargetScope/ProviderIdentityContextMetadata.php, apps/platform/app/Filament/Resources/ProviderConnectionResource.php, apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php | allowed-provider-term | The external provider is the subject. |
| Technical Tenant* model/class/resource names and DB columns | apps/platform/app/**, apps/platform/tests/** where structural owners remain | allowed-internal-model | DB/model/resource rename is out of scope for Spec 299. |
| Historical spec names and archived decisions | specs/**, .specify/**, historical docs | allowed-historical | 299 is a final seal package, not a history rewrite. |
| Explicit forbidden-pattern literals and negative-path assertions | apps/platform/tests/Feature/Guards/**, apps/platform/tests/Feature/Workspaces/WorkspaceIntendedUrlLegacyRejectionTest.php, apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php, apps/platform/tests/Browser/Spec282GovernanceArtifactRetargetingSmokeTest.php | allowed-regression-guard | These references exist specifically to keep retired tenant behavior dead. |
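
The classification above can be enforced mechanically: a hit for a retired pattern is acceptable only where the audit allows it. The sketch below is an added example, not the project's guard code; it uses `grep` instead of `rg`, takes its pattern list and allowlisted paths from the tables above, and runs against a constructed fixture tree whose file names (`ExampleLinks.php`, `ExampleGuardTest.php`, `078-example`) are hypothetical. Treating every unclassified hit as `needs-follow-up` is an assumption of the example.

```shell
#!/bin/sh
# Added example. Patterns come from the audit; paths under the sample tree are constructed.
RETIRED_PATTERNS='TenantPanelProvider|setTenantPanelContext|/admin/t/|/admin/tenants'

# classify_hit PATH -> audit category for a file that contains a retired pattern.
classify_hit() {
  case "$1" in
    apps/platform/tests/Feature/Guards/*|\
    apps/platform/tests/Feature/Workspaces/WorkspaceIntendedUrlLegacyRejectionTest.php|\
    apps/platform/tests/Feature/ProviderConnections/LegacyRedirectTest.php)
      echo allowed-regression-guard ;;
    apps/platform/app/*|apps/platform/resources/*|apps/platform/routes/*)
      echo blocked-runtime-finding ;;
    specs/*)
      echo allowed-historical ;;
    *)
      # Assumption of this example: anything unclassified needs a human decision.
      echo needs-follow-up ;;
  esac
}

# scan_tree ROOT -> one "category<TAB>path" line per file with a hit, sorted by path.
scan_tree() {
  (
    cd "$1" || exit 2
    grep -rlE "$RETIRED_PATTERNS" apps specs 2>/dev/null | sort |
      while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify_hit "$f")" "$f"
      done
  )
}

# seal_gate ROOT -> succeeds only if no hit blocks the merge or is unclassified.
seal_gate() {
  ! scan_tree "$1" | grep -qE '^(blocked-runtime-finding|needs-follow-up)'
}

# make_sample_tree -> prints the root of a small constructed fixture tree.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/apps/platform/app/Support" \
           "$root/apps/platform/tests/Feature/Guards" "$root/specs/078-example"
  printf '%s\n' "return '/admin/workspaces';" \
    > "$root/apps/platform/app/Support/ExampleLinks.php"
  printf '%s\n' "expect(\$source)->not->toContain('setTenantPanelContext');" \
    > "$root/apps/platform/tests/Feature/Guards/ExampleGuardTest.php"
  printf '%s\n' 'Old route: /admin/tenants/{id}' > "$root/specs/078-example/spec.md"
  echo "$root"
}
```

Run `seal_gate "$(make_sample_tree)"` to see the gate pass on the fixture; writing a retired path into a file under `apps/platform/app/` makes it fail with a `blocked-runtime-finding` line from `scan_tree`.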
Final Route / Source Scan Results
Final implementation results must be recorded here before close-out.
| Command | Result | Decision |
|---|---|---|
| `cd apps/platform && ./vendor/bin/sail artisan route:list | rg "admin/t | admin/tenants |
| `cd apps/platform && rg "TenantPanelProvider | panel:\s*'tenant' | panel:\s*"tenant" |
| `cd apps/platform && rg "TenantResource::getUrl | TenantDashboard::getUrl | TenantRequiredPermissions::getUrl |
| `cd apps/platform && rg "tenant scope | Microsoft tenant | Entra tenant |
Actual Validation Results
| Command | Result |
|---|---|
| cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewContentTest.php tests/Feature/Filament/AdminHomeRedirectsToChooseTenantWhenWorkspaceSelectedTest.php tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php | passed: 9 tests, 59 assertions |
| cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php tests/Feature/Guards/NoActiveTenantResourceRoutesTest.php tests/Feature/Guards/ManagedEnvironmentCanonicalRouteContractTest.php tests/Feature/Filament/PanelNavigationSegregationTest.php tests/Feature/Workspaces/WorkspaceIntendedUrlLegacyRejectionTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php | passed: 72 tests, 232 assertions |
| cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards | passed: 265 tests, 4,705 assertions |
| cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Workspaces | passed: 96 tests, 276 assertions |
| cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections | passed: 78 tests, 588 assertions |
| cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/RequiredPermissions | passed: 21 tests, 82 assertions |
| cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament | passed: 773 tests, 5 skipped, 5,017 assertions |
| cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec299WorkspaceOverviewCutoverSealSmokeTest.php | passed: 1 browser smoke test, 9 assertions |
| cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent | passed |
| git diff --check | passed |
Planned Validation Commands
```bash
cd apps/platform

./vendor/bin/sail artisan test --compact \
  tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php \
  tests/Feature/Guards/ManagedEnvironmentCanonicalRouteContractTest.php \
  tests/Feature/Guards/NoActiveTenantResourceRoutesTest.php \
  tests/Feature/Filament/PanelNavigationSegregationTest.php \
  tests/Feature/Workspaces/WorkspaceIntendedUrlLegacyRejectionTest.php

./vendor/bin/sail artisan test --compact tests/Feature/Guards
./vendor/bin/sail artisan test --compact tests/Feature/Workspaces
./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections
./vendor/bin/sail artisan test --compact tests/Feature/RequiredPermissions
./vendor/bin/sail artisan test --compact tests/Feature/Filament

./vendor/bin/sail artisan test --compact \
  tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php \
  tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php \
  tests/Browser/Dashboard/TenantDashboardProductizationSmokeTest.php \
  tests/Browser/Spec192RecordPageHeaderDisciplineSmokeTest.php

./vendor/bin/sail bin pint --dirty --format agent
git diff --check
```
Final Decision
merge-ready with documented allowed internal Tenant references