TenantAtlas/specs/299-managed-environment-cutover-final-seal/tasks.md
ahmido b98bafcf86 feat: finalize managed environment cutover seal (#354)
## Summary
- replace the remaining workspace overview tenant-first copy with environment-first wording in the builder, Blade view, and focused feature assertions
- add the Spec 299 workspace overview browser smoke and the final cutover audit documenting fixed copy, clean runtime scans, and allowed internal/provider/regression-guard `Tenant` references
- add the Spec 299 spec package (`spec.md`, `plan.md`, `tasks.md`, checklist, audit) to close the managed-environment cutover with an explicit final seal decision

## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/WorkspaceOverviewContentTest.php tests/Feature/Filament/AdminHomeRedirectsToChooseTenantWhenWorkspaceSelectedTest.php tests/Feature/Filament/WorkspaceOverviewEmptyStatesTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php tests/Feature/Guards/NoActiveTenantResourceRoutesTest.php tests/Feature/Guards/ManagedEnvironmentCanonicalRouteContractTest.php tests/Feature/Filament/PanelNavigationSegregationTest.php tests/Feature/Workspaces/WorkspaceIntendedUrlLegacyRejectionTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Workspaces`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/RequiredPermissions`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec299WorkspaceOverviewCutoverSealSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `git diff --check`

## Notes
- Filament remains on Livewire v4.
- Provider registration remains in `apps/platform/bootstrap/providers.php`.
- No new panel provider or asset-strategy changes are included.
- Remaining technical `Tenant` references are documented in `specs/299-managed-environment-cutover-final-seal/final-cutover-audit.md`.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #354
2026-05-13 20:33:30 +00:00

---
description: "Task list for Managed Environment Cutover Final Seal & Regression Guard Pack"
---
# Tasks: Managed Environment Cutover Final Seal & Regression Guard Pack
**Input**: Design documents from `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/299-managed-environment-cutover-final-seal/`
**Prerequisites**: `spec.md`, `plan.md`, `final-cutover-audit.md`, `checklists/requirements.md`
**Tests**: Required (Pest) for route/helper/navigation/copy guard changes. Browser smoke is required only if touched visible browser anchors or selectors change.
**Operations**: No new `OperationRun` lifecycle behavior. Existing workspace operations links and intended URL handling must keep the shared canonical contracts if touched.
**RBAC**: No authorization model change. Existing 404/403 semantics, capability checks, and destructive action authorization must remain intact.
**Filament / Panel Guardrails**: Filament remains v5 on Livewire v4. Provider registration remains in `apps/platform/bootstrap/providers.php`. No new panel. No asset-strategy change unless explicitly documented.
**Review Outcome**: documentation-required-exception
**Workflow Outcome**: keep
**Test-governance Outcome**: keep
## Test Governance Checklist
- [x] Lane assignment is named and is the narrowest sufficient proof for each changed behavior.
- [x] New or changed tests stay in the smallest honest family; browser additions are explicit and anchor-only.
- [x] Shared helpers, factories, seeds, fixtures, provider setup, workspace context, session state, and capability defaults stay cheap by default.
- [x] Planned validation commands cover route, helper, navigation, copy, and allowlist changes without pulling in unrelated suite cost.
- [x] The declared surface test profiles or `standard-native-filament` relief are explicit.
- [x] Any material runtime, budget, baseline, trend, or escalation note is recorded in the active spec close-out.
## Phase 1: Safety Gate And Baseline Audit
**Purpose**: Start from a clean, dependency-safe implementation base and capture repo truth before runtime edits.
- [x] T001 Run `git status --short --branch`, `git diff --stat`, and `git log -1 --oneline` in `/Users/ahmeddarrazi/Documents/projects/wt-plattform`; stop if unrelated uncommitted changes are present.
- [x] T002 Confirm the implementation branch is `299-managed-environment-cutover-final-seal` or an isolated session branch derived from it.
- [x] T003 Confirm Spec 298 changes are already committed/merged into the implementation base or intentionally isolated in a separate clean worktree/session branch before any runtime edit.
- [x] T004 Review `/Users/ahmeddarrazi/Documents/projects/wt-plattform/.specify/memory/constitution.md`, this spec package, and Specs 297 and 298 as context only.
- [x] T005 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && ./vendor/bin/sail artisan route:list | rg "admin/t|admin/tenants|workspaces/.*/environments|operations|provider-connections|required-permissions"`.
- [x] T006 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && rg "TenantPanelProvider|panel:\s*'tenant'|panel:\s*\"tenant\"|/admin/t/|/admin/tenants|filament\.admin\.resources\.tenants|TenantResource::getUrl|TenantDashboard::getUrl|TenantRequiredPermissions::getUrl|setTenantPanelContext" app resources routes --glob '!vendor' --glob '!node_modules'`.
- [x] T007 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && rg "TenantResource::getUrl|TenantDashboard::getUrl|TenantRequiredPermissions::getUrl|setTenantPanelContext|/admin/t/|/admin/tenants" tests --glob '!vendor' --glob '!node_modules'`.
- [x] T008 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && rg "tenant scope|Microsoft tenant|Entra tenant|Accessible tenants|No accessible tenants|affected tenants" app resources lang tests --glob '!vendor' --glob '!node_modules'`.
- [x] T009 Update `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/299-managed-environment-cutover-final-seal/final-cutover-audit.md` with baseline findings before editing application code.
- [x] T010 Confirm the scope boundary remains explicit: no DB/model rename, no migration rewrite, no compatibility route or helper alias, no provider architecture rewrite, and no raw full-suite repair loop.
## Phase 2: Runtime Final Seal
**Goal**: Keep the runtime tree clean and fix only live cutover seams.
- [x] T011 [P] Inspect `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/ManagedEnvironmentLinks.php` and confirm it remains the canonical environment-link owner.
- [x] T012 [P] Inspect `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Workspaces/WorkspaceIntendedUrl.php` and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Workspaces/WorkspaceRedirectResolver.php` for retired tenant-path rejection and workspace-operations normalization.
- [x] T013 [P] Inspect `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Providers/Filament/AdminPanelProvider.php` and affected `apps/platform/app/Filament/**` navigation owners for route-scope-first navigation behavior.
- [x] T014 Confirm `TenantPanelProvider` is absent from the runtime app tree and not registered in `apps/platform/bootstrap/providers.php`.
- [x] T015 Confirm any remaining `TenantResource`, `TenantDashboard`, or `TenantRequiredPermissions` runtime usage is technical-only or already routed through canonical owners.
- [x] T016 If a direct runtime legacy route/helper seam still exists, replace it with the current canonical owner and do not add a compatibility path.
- [x] T017 Re-run the focused runtime source scan from T006 and update `final-cutover-audit.md`.
## Phase 3: Navigation Seal
**Goal**: Keep workspace surfaces workspace-scoped and environment surfaces environment-scoped.
- [x] T018 [P] Inspect `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Feature/Filament/PanelNavigationSegregationTest.php` as the current proof owner.
- [x] T019 Reproduce the workspace overview navigation state with a remembered environment and stale `Filament::getTenant()` context.
- [x] T020 Reproduce the canonical environment route navigation state and confirm environment-owned navigation reappears there.
- [x] T021 Keep workspace surfaces limited to workspace-owned navigation: Overview, Operations, Alerts, Audit Log, Governance inbox, Customer reviews, Manage workspaces, Integrations, and Settings where authorized.
- [x] T022 Keep environment-owned entries off workspace surfaces and visible again only on canonical environment routes.
- [x] T023 Update route-scope helpers or `shouldRegisterNavigation()` owners only if the current proof surfaces a live leak.
- [x] T024 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/PanelNavigationSegregationTest.php tests/Feature/Filament/WorkspaceOverviewNavigationTest.php tests/Feature/Filament/WorkspaceOverviewArrivalContextTest.php tests/Feature/Filament/WorkspaceContextTopbarAndTenantSelectionTest.php`.
## Phase 4: Intended URL And Helper Retirement Proof
**Goal**: Prevent stale session context or helper aliases from reviving retired tenant behavior.
- [x] T025 Confirm `WorkspaceIntendedUrl` rejects `/admin/t...` and `/admin/tenants...` inputs.
- [x] T026 Confirm `WorkspaceRedirectResolver` rejects retired tenant paths and only normalizes `/admin/operations` to the canonical workspace operations route.
- [x] T027 Confirm `setAdminEnvironmentContext()` remains the active test helper in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/tests/Pest.php`.
- [x] T028 Ensure no callable compatibility alias named `setTenantPanelContext()` is introduced.
- [x] T029 Allow `setTenantPanelContext` only as an explicit forbidden-pattern literal inside guard tests.
- [x] T030 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Workspaces/WorkspaceIntendedUrlLegacyRejectionTest.php tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/ManagedEnvironmentCanonicalRouteContractTest.php tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php`.
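The T006 runtime scan and the T028/T029 helper-retirement rule can be combined into one pass/fail guard. The script below is an added example, not code from this repository: the function names and the fixture tree are hypothetical, `grep -E` stands in for `rg`, and the only allowlisted location is `tests/Feature/Guards`.

```bash
#!/usr/bin/env bash
# Added example (not project code): regression guard for the retired tenant-panel surface.
# Patterns follow T006; grep -E stands in for rg so no extra tool is needed.

Q="[\"']"  # either quote style, for panel: 'tenant' / panel: "tenant"
LEGACY_PATTERN="TenantPanelProvider|panel:[[:space:]]*${Q}tenant${Q}|/admin/t/|/admin/tenants|filament\.admin\.resources\.tenants|TenantResource::getUrl|TenantDashboard::getUrl|TenantRequiredPermissions::getUrl|setTenantPanelContext"

# scan_runtime ROOT: every legacy hit under app/, resources/, routes/. No allowlist applies here.
scan_runtime() (
  cd "$1" || exit 2
  for dir in app resources routes; do
    [ -d "$dir" ] || continue
    grep -rnE "$LEGACY_PATTERN" "$dir" || true
  done
)

# scan_helper_alias ROOT: T028/T029. The retired helper name may appear only
# under tests/Feature/Guards, and never as a callable definition.
scan_helper_alias() (
  cd "$1" || exit 2
  [ -d tests ] || exit 0
  { grep -rn 'setTenantPanelContext' tests | grep -v '^tests/Feature/Guards/' || true
    grep -rnE 'function[[:space:]]+setTenantPanelContext[[:space:]]*\(' tests || true
  } | sort -u
)

# seal_check ROOT: returns 0 when sealed; otherwise prints findings to stderr and returns 1.
seal_check() {
  findings=$(scan_runtime "$1"; scan_helper_alias "$1")
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings" >&2
    return 1
  fi
}

# make_fixture: constructed sample tree (not the project's files); prints its path.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/app/Support" "$root/tests/Feature/Guards" "$root/tests/Feature/Filament"
  printf '%s\n' '<?php' "return '/admin/t/' . \$id;" > "$root/app/Support/OldLink.php"
  printf '%s\n' '<?php' "\$forbidden = ['setTenantPanelContext'];" > "$root/tests/Feature/Guards/GuardTest.php"
  printf '%s\n' '<?php' 'setTenantPanelContext($tenant);' > "$root/tests/Feature/Filament/StaleTest.php"
  printf '%s\n' "$root"
}

# Stand-alone use: pass the application root as the first argument.
if [ "$#" -gt 0 ]; then seal_check "$1" || exit 1; fi
```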
## Phase 5: Product Copy Boundary And Allowlist
**Goal**: Remove tenant-first wording from active product surfaces and classify everything else.
- [x] T031 [P] Audit `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Workspaces/WorkspaceOverviewBuilder.php` for `Accessible tenants` and `No accessible tenants in this workspace`.
- [x] T032 [P] Audit `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/resources/views/filament/pages/workspace-overview.blade.php` for `Governance risk counts affected tenants`.
- [x] T033 [P] Audit provider-facing or support/raw wording in `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Services/Providers/PlatformProviderIdentityResolver.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Providers/Capabilities/ProviderCapabilityEvaluator.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/Providers/ProviderReasonTranslator.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php`, `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Filament/Pages/Operations/TenantlessOperationRunViewer.php`, and `/Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform/app/Support/SupportDiagnostics/SupportDiagnosticBundleBuilder.php`.
- [x] T034 Replace active product-facing tenant-first wording with environment-first wording where the subject is a managed environment.
- [x] T035 Preserve provider-specific Microsoft/Entra tenant wording only when the external provider is the subject.
- [x] T036 Classify remaining `Tenant` references in `final-cutover-audit.md` as `fixed`, `allowed-provider-term`, `allowed-internal-model`, `allowed-historical`, `allowed-regression-guard`, `needs-follow-up`, or `blocked-runtime-finding`.
- [x] T037 Update focused copy/guard/browser assertions if touched visible labels or selectors change.
## Phase 6: Proof Pack And Formatting
**Goal**: Prove the final cutover seal in the narrowest honest lanes.
- [x] T038 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php tests/Feature/Guards/ManagedEnvironmentCanonicalRouteContractTest.php tests/Feature/Guards/NoActiveTenantResourceRoutesTest.php tests/Feature/Filament/PanelNavigationSegregationTest.php tests/Feature/Workspaces/WorkspaceIntendedUrlLegacyRejectionTest.php`.
- [x] T039 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards`.
- [x] T040 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Workspaces`.
- [x] T041 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections`.
- [x] T042 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/RequiredPermissions`.
- [x] T043 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament`.
- [x] T044 If visible browser anchors changed, run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php tests/Browser/Dashboard/TenantDashboardProductizationSmokeTest.php tests/Browser/Spec192RecordPageHeaderDisciplineSmokeTest.php`. Existing browser anchors/selectors did not change; Spec 299 instead added and ran `tests/Browser/Spec299WorkspaceOverviewCutoverSealSmokeTest.php` for the touched workspace-overview copy.
- [x] T045 Re-run the final route/source/test/copy scans from Phase 1 and update `final-cutover-audit.md` with final results.
- [x] T046 Run `cd /Users/ahmeddarrazi/Documents/projects/wt-plattform/apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`.
- [x] T047 Run `git diff --check` from `/Users/ahmeddarrazi/Documents/projects/wt-plattform`.
## Phase 7: Close-Out Summary
**Goal**: Finish with one reviewer-ready final seal decision.
- [x] T048 Confirm the Filament v5 output contract in the final implementation summary: Livewire v4.0+ compliance, provider registration in `bootstrap/providers.php`, global-search handling, destructive action confirmation/authorization, asset strategy, and testing plan.
- [x] T049 Record commands run and results in the final implementation summary.
- [x] T050 Record final runtime findings, final allowlisted references, and any residual risk from `final-cutover-audit.md`.
- [x] T051 Choose one final decision string: `merge-ready; managed environment cutover sealed`, `merge-ready with documented allowed internal Tenant references`, `blocked by active legacy runtime finding`, or `blocked by navigation context leak`.
## Dependencies & Execution Order
- Phase 1 blocks all runtime edits.
- Phase 2, Phase 3, and Phase 4 may proceed in parallel after Phase 1 if file ownership stays clear.
- Phase 5 depends on the baseline classification from Phase 1 and can overlap with Phase 2/3 only if copy and route ownership do not collide.
- Phase 6 must run after all runtime/copy updates.
- Phase 7 closes the proof loop.
## Parallel Execution Examples
- T011, T012, and T013 can run in parallel because they inspect different canonical owners.
- T031, T032, and T033 can run in parallel because they audit separate copy families.
- T039, T040, and T041 can run in parallel in CI if the lane runner supports it.
## Explicit Follow-Ups / Out Of Scope
- Database/model/table rename from `Tenant` to `ManagedEnvironment`
- Broad historical-doc rewrite or archived-spec cleanup
- Provider architecture rewrite
- New RBAC model or new product navigation framework
- Full-suite determinism work unrelated to cutover sealing
- Reactivation of `/admin/t...`, `/admin/tenants...`, `TenantPanelProvider`, or `setTenantPanelContext()`