ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
platform-dev
TenantAtlas/specs/320-workspace-owned-analysis-surface-registration-shell-cutover/spec.md
ahmido ec9649897a feat: cut over workspace-owned analysis shell context (#375) 
## Summary
- cut over workspace-owned analysis and library surfaces to workspace shell ownership instead of inheriting remembered environment shell context
- update the affected findings pages, scope resolution, navigation helpers, and related Blade views to keep environment focus explicit instead of implicit
- add and update Spec 320 artifacts plus focused regression coverage for findings navigation context, workspace hub registration, and admin surface scope behavior

## Guardrails
- Filament remains on v5 with Livewire v4 compliance unchanged
- provider registration remains in apps/platform/bootstrap/providers.php
- no new globally searchable resources were introduced or changed
- no new destructive actions were introduced or changed
- no Filament assets were added or changed, so the deploy requirement for filament:assets is unchanged

## Testing
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Findings/FindingsAssignmentHygieneReportTest.php tests/Feature/Findings/FindingsIntakeQueueNavigationContextTest.php tests/Feature/Findings/FindingsIntakeQueueTest.php tests/Feature/Findings/MyFindingsInboxNavigationContextTest.php tests/Feature/Findings/MyWorkInboxTest.php tests/Feature/Navigation/WorkspaceHubRegistryTest.php tests/Unit/Support/OperateHub/OperateHubShellResolutionTest.php tests/Unit/Tenants/AdminSurfaceScopeTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #375
2026-05-16 23:16:53 +00:00

36 KiB
Raw Permalink Blame History

Feature Specification: Workspace-Owned Analysis Surface Registration & Shell Cutover

Feature Branch: 320-workspace-owned-analysis-surface-registration-shell-cutover Created: 2026-05-16 Status: Completed Input: User supplied Spec 320 draft: workspace-owned analysis and library pages must be classified centrally, open with Workspace shell only, and stop inheriting remembered Environment shell context.

Spec Candidate Check (mandatory - SPEC-GATE-001)

  • Problem: Workspace-owned analysis and library surfaces such as Baselines, Baseline Snapshots, baseline detail/matrix pages, and several unregistered analysis pages can show an active Environment shell when opened from Environment navigation or remembered context.
  • Today's failure: Operators can see Workspace > Environment shell on pages whose route and data model are workspace-owned, with no visible Environment filter chip and no route-level Environment ownership.
  • User-visible improvement: Opening a workspace-owned analysis page from sidebar, global navigation, direct URL, reload, or browser history shows Workspace shell only. If an Environment focus is supported, it is explicit through canonical environment_id plus a visible chip.
  • Smallest enterprise-capable version: Classify the exact workspace-owned analysis/library surfaces found by Spec 318, prevent remembered Environment shell fallback for them, update links/copy where needed, and add focused regression coverage.
  • Explicit non-goals: No Baseline Compare changes except regression checks, no Alerts/Audit Log filter decision, no durable browser no-drift framework, no redesign, no new product feature, no baseline assignment semantic change, no migrations, no compatibility redirects, no legacy query aliases.
  • Permanent complexity imported: Possible narrow classifier entries or a new AdminSurfaceScope value for workspace-owned analysis surfaces, plus targeted tests. No persisted entities, tables, enum/status families, broad registries, or cross-domain UI framework.
  • Why now: Spec 318 identified workspace-owned baseline/analysis surfaces as the remaining opposite-side mismatch after Specs 314-317 stabilized workspace hubs and Spec 319 handles Environment-owned Baseline Compare.
  • Why not local: Page-local copy or sidebar-only fixes would leave direct URLs, Livewire requests, reload/back-forward, and remembered-context shell restoration inconsistent.
  • Approval class: Cleanup / Consolidation.
  • Red flags triggered: New classifier semantics are possible, but the scope is bounded by existing audit evidence and does not create a new product taxonomy beyond shell-context ownership.
  • Score: Nutzen: 2 | Dringlichkeit: 2 | Scope: 2 | Komplexitaet: 2 | Produktnaehe: 2 | Wiederverwendung: 2 | Gesamt: 12/12
  • Decision: approve.

Spec Scope Fields (mandatory)

  • Scope: workspace.
  • Primary Routes:
    • /admin/baseline-profiles
    • /admin/baseline-profiles/{record}
    • /admin/baseline-profiles/{record}/edit
    • /admin/baseline-profiles/{record}/compare-matrix
    • /admin/baseline-snapshots
    • /admin/baseline-snapshots/{record}
    • /admin/findings/my-work
    • /admin/findings/intake
    • /admin/findings/hygiene
    • /admin/cross-environment-compare
    • any additional unregistered workspace analysis surface confirmed from Spec 318 or repo inspection.
  • Data Ownership: Existing workspace-owned Baseline Profile and Baseline Snapshot records, workspace analysis pages that aggregate across accessible Environments, and optional Environment filter state. No schema ownership change.
  • RBAC: Workspace membership and existing workspace capabilities remain required. Environment entitlements still constrain row/data visibility where the existing page aggregates Environment-owned rows. UI visibility is not authorization.

For canonical-view specs:

  • Default filter behavior when tenant-context is active: Clean workspace-owned analysis URLs must ignore active/remembered Environment shell context. They may retain data filters only when the page explicitly supports canonical environment_id and shows a visible filter chip.
  • Explicit entitlement checks preventing cross-tenant leakage: Any environment_id filter must resolve only inside the current Workspace and only to an Environment visible to the actor. Cross-workspace or unauthorized IDs must not create shell context or leak Environment identity.

Cross-Cutting / Shared Pattern Reuse (mandatory)

  • Cross-cutting feature?: yes.
  • Interaction class(es): navigation, shell/context bar, breadcrumbs, URL/query state, Filament resource/page routing, filter chips, clear-filter actions, browser reload/history behavior.
  • Systems touched: AdminSurfaceScope, WorkspaceHubRegistry, WorkspaceSidebarNavigation, WorkspaceScopedEnvironmentRoutes, ManagedEnvironmentLinks, OperateHubShell, WorkspaceHubEnvironmentFilter, WorkspaceHubFilterStateResetter, baseline resources/pages, findings analysis pages, cross-environment compare page, tests, and browser smoke artifacts.
  • Existing pattern(s) to extend: Workspace hub environmentless shell contract from Specs 314-316 and hard-cut no-legacy policy from Spec 317.
  • Shared contract / presenter / builder / renderer to reuse: Prefer existing AdminSurfaceScope, WorkspaceHubRegistry query cleaning, WorkspaceHubEnvironmentFilter/clear-filter behavior, and OperateHubShell shell resolution over page-local shell hacks.
  • Why the existing shared path is sufficient or insufficient: Registered workspace hubs already force environmentless shell. The gap is that unregistered workspace analysis pages currently fall into generic WorkspaceScoped, which still allows remembered Environment restore.
  • Allowed deviation and why: A distinct workspace_owned_analysis_surface classification is allowed only if adding these pages to WorkspaceHubRegistry would falsely make them first-class workspace hubs or filtered hub participants.
  • Consistency impact: Sidebar, URL, shell, breadcrumb, page header, copy, filter chip, and data scope must agree on Workspace ownership.
  • Review focus: Verify no remembered Environment, Filament tenant fallback, legacy Tenant query key, or tableFilters state creates active Environment shell on in-scope clean URLs.

OperationRun UX Impact

  • Touches OperationRun start/completion/link UX?: yes, only because existing Baseline Profile/Baseline Compare Matrix actions can start baseline capture/compare work or link to existing runs.
  • Shared OperationRun UX contract/layer reused: Existing OperationUxPresenter, OpsUxBrowserEvents, OperationRunLinks, services, jobs, and audit behavior must remain in place.
  • Delegated start/completion UX behaviors: Existing queued toast, run link, browser event, tenant/workspace-safe URL resolution, authorization, and audit behavior remain delegated to current helpers/services.
  • Local surface-owned behavior that remains: The pages keep their current initiation controls and filtering UI; this spec changes shell/scope classification, not operation semantics.
  • Queued DB-notification policy: N/A - no new DB notification behavior.
  • Terminal notification path: Existing central lifecycle behavior only.
  • Exception required?: none.

Provider Boundary / Platform Core Check

  • Shared provider/platform boundary touched?: yes.
  • Boundary classification: platform-core route/shell/scope contract; provider-specific Microsoft tenant identity remains provider-owned.
  • Seams affected: shell resolution, navigation scope, route classification, query key handling, operator vocabulary (Workspace, Environment, ManagedEnvironment), and baseline analysis links.
  • Neutral platform terms preserved or introduced: Workspace, Environment, workspace-owned analysis surface, workspace hub, filtered workspace hub, Environment-owned page.
  • Provider-specific semantics retained and why: Existing Intune baseline details, compare strategy, and Graph-backed snapshot content remain provider-specific because they are current product implementation truth.
  • Why this does not deepen provider coupling accidentally: The fix removes hidden Environment/provider tenant fallback from workspace-owned pages instead of adding provider ID routes or alias query support.
  • Follow-up path: Spec 321 decides Alerts/Audit Log environment_id behavior. Spec 322 adds durable browser no-drift regression infrastructure.

UI / Surface Guardrail Impact

Surface / Change Operator-facing surface change? Native vs Custom Shared-Family Relevance State Layers Touched Exception Needed? Low-Impact / N/A Note
Baselines / Baseline Profiles yes Existing Filament Resource navigation, shell, breadcrumbs, actions route, shell, page, copy no Workspace-owned baseline library.
Baseline Profile detail/edit yes Existing Filament Resource pages breadcrumbs, header actions, related links route, shell, record page no Workspace-owned record pages.
Baseline Compare Matrix yes Existing Filament Page + Blade view analysis page, action links, OperationRun links route, shell, query state no Workspace-owned analysis matrix, not Baseline Compare landing.
Baseline Snapshots yes Existing Filament Resource navigation, shell, filters route, shell, page, copy no Workspace-owned snapshot library/report.
My Findings / Intake / Hygiene yes Existing Filament Pages + tables analysis queues, filters, clear actions route, shell, URL query, table filters no Workspace-owned analysis pages with optional Environment filtering.
Cross-environment Compare yes Existing Filament Page + form analysis page and environment selectors route, shell, query state no Workspace-owned portfolio analysis.
Baseline Compare yes Existing Environment-owned page regression only route, shell no Must remain Environment-owned from Spec 319.

Decision-First Surface Role

Surface Decision Role Human-in-the-loop Moment Immediately Visible for First Decision On-Demand Detail / Evidence Why This Is Primary or Why Not Workflow Alignment Attention-load Reduction
Baselines / Baseline Profiles Secondary Context Operator manages reusable baseline definitions profile name, status, capture mode, snapshot truth, next step assignments, compare matrix, capture run detail Library/register, not Environment posture page Workspace governance library Removes false selected-Environment ownership.
Baseline Snapshots Tertiary Evidence / Diagnostics Operator inspects immutable snapshot evidence baseline, captured time, outcome, coverage, next step snapshot detail and related context Evidence library, not active Environment dashboard Workspace baseline evidence review Keeps evidence scan workspace-owned.
Baseline Compare Matrix Secondary Context Operator reviews assigned-environment compare matrix for one baseline matrix state, filters, visible assignments, compare readiness run/finding/environment drilldowns Workspace-owned analysis across assigned environments Baseline profile detail to analysis Clarifies that selected Environment shell is not the page owner.
My Findings / Intake / Hygiene Primary/Secondary Decision Surfaces Operator reviews assigned, intake, or hygiene finding work across visible environments queue counts, finding state, Environment column/filter finding detail Workspace work queues with optional Environment filter Governance inbox/workspace overview to queue Environment becomes a filter, not shell owner.
Cross-environment Compare Secondary Context Operator selects source/target environments for portfolio comparison source, target, policy type selection, preview/preflight state environment detail links and operation links Workspace portfolio analysis Workspace portfolio flow Avoids hidden current Environment changing a two-environment workflow.

Audience-Aware Disclosure

Surface Audience Modes In Scope Decision-First Default-Visible Content Operator Diagnostics Support / Raw Evidence One Dominant Next Action Hidden / Gated By Default Duplicate-Truth Prevention
Workspace-owned baseline library/snapshots operator-MSP, support-platform Workspace library/snapshot status and next step snapshot fidelity, compare readiness, related runs raw Graph payloads remain out of scope/default-hidden Open profile/snapshot or capture/compare where already allowed raw payload/debug detail Shell states Workspace once; Environment appears only as data column/filter.
Findings analysis queues operator-MSP, support-platform queue state, finding severity/status, Environment column/filter hygiene/intake reason, owner/assignee context raw provider evidence remains on detail/evidence surfaces Open finding, claim finding, or clear filter where allowed support/raw evidence Active filter chip and shell do not duplicate ownership.
Cross-environment Compare operator-MSP, support-platform source/target selection and preview readiness preflight detail, operation/run links raw policy payloads remain out of scope/default-hidden Generate preflight where allowed support/raw evidence Source/target controls are page state, not shell context.

UI/UX Surface Classification

Surface Action Surface Class Surface Type Likely Next Operator Action Primary Inspect/Open Model Row Click Secondary Actions Placement Destructive Actions Placement Canonical Collection Route Canonical Detail Route Scope Signals Canonical Noun Critical Truth Visible by Default Exception Type / Justification
Baselines List / Table / Bulk Workspace-owned library resource Open or create baseline profile Existing clickable row existing Existing More/detail header Existing archive/capture/compare confirmations stay as implemented /admin/baseline-profiles /admin/baseline-profiles/{record} Workspace shell, no active Environment Baselines profile status, capture mode, snapshot truth none
Baseline Snapshots List / Table Workspace-owned evidence report Open snapshot Existing clickable row existing Existing related action N/A /admin/baseline-snapshots /admin/baseline-snapshots/{record} Workspace shell, no active Environment Baseline Snapshots outcome, coverage, next step none
Baseline Compare Matrix Workflow / Page Workspace-owned analysis page Compare assigned environments or inspect matrix Explicit controls/links N/A Existing header/actions Existing high-impact compare action keeps confirmation /admin/baseline-profiles/{record}/compare-matrix N/A Workspace shell, explicit source data in page Compare matrix baseline and matrix scope none
Findings analysis queues List / Table Workspace-owned work queues/reports Open or claim finding Existing clickable row/action existing Existing header/table actions Existing claim behavior remains authorized /admin/findings/my-work, /admin/findings/intake, /admin/findings/hygiene existing finding detail route Workspace shell, optional Environment filter chip Findings queue scope, severity, status, Environment column none
Cross-environment Compare Workflow / Page Workspace-owned portfolio analysis Select source/target, generate preflight Explicit form/actions N/A Header actions Existing promotion preflight/execution confirmations remain /admin/cross-environment-compare N/A Workspace shell, explicit source/target selectors Cross-environment compare selected environments and preview readiness none
Baseline Compare Workflow / Page Environment-owned posture page Regression only Environment route N/A Existing Existing Compare Now remains confirmed N/A /admin/workspaces/{workspace}/environments/{environment}/baseline-compare Workspace + Environment shell Baseline Compare selected Environment posture regression only

Operator Surface Contract

Surface Primary Persona Decision / Operator Action Supported Surface Type Primary Operator Question Default-visible Information Diagnostics-only Information Status Dimensions Used Mutation Scope Primary Actions Dangerous Actions
Baselines Workspace operator / manager Manage reusable governance baseline definitions Workspace-owned library Which baseline should govern environments? status, capture mode, snapshot truth, assignments count, next step capture details, compare matrix, runs lifecycle, data completeness, governance result TenantPilot baseline library plus existing queued capture/compare create/open/edit/capture/compare per current capability archive/capture/compare remain confirmation/authorization governed
Baseline Snapshots Workspace operator / support Inspect immutable baseline evidence Workspace-owned evidence report Which baseline snapshots are usable? captured time, outcome, coverage, next step fidelity detail, related context lifecycle, evidence completeness TenantPilot immutable snapshot evidence open snapshot/related record none
Findings analysis queues Workspace operator Review assigned/intake/hygiene work across visible environments Workspace-owned queues What governance work needs attention? finding, severity, status, Environment, queue reason owner/assignee/hygiene diagnostics workflow state, severity, SLA Existing finding workflow only open finding, claim finding, clear filter existing mutations remain authorized
Cross-environment Compare Workspace operator / manager Compare/promote configuration across environments Workspace-owned portfolio analysis Which source/target comparison is valid? selected source/target, preview/preflight readiness preflight detail, run links selection validity, execution readiness Existing queued operation / Microsoft read-write behavior generate preflight / execute if already implemented existing execution action remains guarded

Proportionality Review (mandatory when structural complexity is introduced)

  • New source of truth?: no. The classification expresses existing product ownership; it does not create new domain truth.
  • New persisted entity/table/artifact?: no.
  • New abstraction?: possibly a narrow enum case or registry section if existing WorkspaceHubRegistry cannot represent workspace-owned analysis surfaces without falsely making them workspace hubs.
  • New enum/state/reason family?: no business state. A technical surface-scope enum case is allowed only if it replaces ambiguous generic WorkspaceScoped behavior.
  • New cross-domain UI framework/taxonomy?: no. This uses the existing shell/surface classification vocabulary.
  • Current operator problem: Clean workspace-owned analysis URLs can show selected Environment shell, making page ownership and data scope misleading.
  • Existing structure is insufficient because: Generic AdminSurfaceScope::WorkspaceScoped allows remembered Environment restore, while WorkspaceHubRegistry only covers first-class hubs and filtered hub behavior.
  • Narrowest correct implementation: Add explicit classifier coverage for the audited workspace-owned analysis paths and make those paths force environmentless shell; use environment_id only where the page already supports a visible filter.
  • Ownership cost: A small set of classifier/link/copy tests plus focused browser smoke. No schema, package, or product workflow cost.
  • Alternative intentionally rejected: Add the pages blindly to WorkspaceHubRegistry if that would imply hub/filter contracts they do not support, or keep remembered fallback because it is convenient.
  • Release truth: Current-release cleanup before production.

Compatibility posture

This feature assumes pre-production hard cutover.

Backward compatibility, legacy aliases, remembered Environment fallback, redirect shims, migration shims, dual route models, and compatibility-specific tests are out of scope.

Testing / Lane / Runtime Impact (mandatory for runtime behavior changes)

  • Test purpose / classification: Unit for classifier/registry behavior; Feature/Livewire for page access, shell state, URL/query/filter behavior, and existing action regression; Browser for integrated shell/sidebar/reload/back-forward verification.
  • Validation lane(s): fast-feedback, confidence, browser.
  • Why this classification and these lanes are sufficient: The defect is visible shell/context drift caused by classifier and navigation behavior; unit/feature tests prove the contract and browser smoke proves integrated UI state.
  • New or expanded test families: Focused global-context-shell coverage for workspace-owned analysis pages. Browser additions remain explicit and bounded to Spec 320 flows.
  • Fixture / helper cost impact: Reuse existing workspace/environment/member/baseline/finding fixtures. Do not introduce global expensive setup defaults.
  • Heavy-family visibility / justification: Browser coverage is required because reload/back-forward/sidebar shell mismatch was found by browser audit. It must be named as Spec 320 browser smoke, not hidden inside fast lanes.
  • Special surface test profile: global-context-shell.
  • Standard-native relief or required special coverage: Existing native Filament pages keep normal UI shape; special coverage is shell/context and filter visibility only.
  • Reviewer handoff: Verify in-scope clean URLs show Workspace shell only, explicit filtered URLs show visible chip where supported, legacy aliases do not create shell/filter state, and Baseline Compare remains Environment-owned.
  • Budget / baseline / trend impact: none expected; if browser runtime grows materially, record in the active PR close-out.
  • Escalation needed: document-in-feature.
  • Active feature PR close-out entry: Guardrail / Exception / Smoke Coverage.
  • Planned validation commands:
    • cd apps/platform && ./vendor/bin/sail artisan test --filter=AdminSurfaceScope
    • cd apps/platform && ./vendor/bin/sail artisan test --filter=WorkspaceHubRegistry
    • cd apps/platform && ./vendor/bin/sail artisan test --filter=WorkspaceOwnedAnalysis
    • cd apps/platform && ./vendor/bin/sail artisan test --filter=BaselineCompareEnvironmentRouteContract
    • cd apps/platform && ./vendor/bin/sail artisan test --filter=WorkspaceHubEnvironmentFilterContract
    • focused Spec 320 browser smoke for Baselines, Baseline Snapshots, Baseline Compare Matrix, My Findings/Intake/Hygiene, Cross-environment Compare, Baseline Compare regression, and Decision Register regression.

User Scenarios & Testing (mandatory)

User Story 1 - Open Baseline Library Without Environment Shell (Priority: P1)

As a workspace operator, I can open Baselines and Baseline Snapshots from workspace or environment navigation and see Workspace shell only, so reusable baseline libraries do not appear owned by the last Environment I visited.

Why this priority: Baseline library ownership is the main known mismatch and directly affects governance trust.

Independent Test: Start from an active Environment context, open clean Baselines and Baseline Snapshots URLs, and assert the shell has Workspace only with no active Environment.

Acceptance Scenarios:

  1. Given a remembered Environment exists, When the operator opens /admin/baseline-profiles, Then the shell shows Workspace only and no visible active Environment.
  2. Given the operator navigates from Environment Dashboard sidebar to Baseline Snapshots, When /admin/baseline-snapshots opens, Then it is a clean workspace-owned page with no hidden Environment shell.
  3. Given a valid baseline profile record, When view/edit/compare-matrix pages open by clean workspace URL, Then remembered Environment state does not become shell context.

User Story 2 - Workspace Analysis Pages Do Not Inherit Environment Context (Priority: P1)

As a workspace operator, I can open My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare without the previous Environment owning the shell, so workspace analysis/work queues stay scope-honest.

Why this priority: Spec 318 found these unregistered workspace analysis pages inherit remembered Environment shell because they are not registered or classified.

Independent Test: With remembered Environment state present, open each clean URL and assert Workspace shell only; if environment_id is supported, assert it is a visible filter, not shell ownership.

Acceptance Scenarios:

  1. Given an active Environment context, When the operator opens /admin/findings/my-work, /admin/findings/intake, or /admin/findings/hygiene, Then shell context remains Workspace only.
  2. Given a valid environment_id filter is supported for a findings analysis page, When the page opens with ?environment_id=..., Then shell remains Workspace only and a visible Environment filter chip/clear action exists.
  3. Given the operator opens /admin/cross-environment-compare, When source/target selectors are empty or query-hydrated, Then shell is Workspace only and selected source/target environments are page state.

User Story 3 - Legacy Query Aliases Cannot Recreate Hidden Environment Shell (Priority: P1)

As a security reviewer, I need legacy query aliases and Filament table filter query payloads to be ignored or stripped on workspace-owned analysis surfaces, so old Tenant/Environment parameters cannot silently resurrect shell context.

Why this priority: Specs 314-317 intentionally removed legacy Tenant context and hidden filter state.

Independent Test: Open each in-scope page with tenant, tenant_id, managed_environment_id, tenant_scope, and tableFilters payloads and assert no active Environment shell or hidden filter appears.

Acceptance Scenarios:

  1. Given a clean workspace-owned analysis page, When the URL includes tenant, tenant_id, managed_environment_id, tenant_scope, or tableFilters, Then those aliases do not set shell Environment or filter state.
  2. Given the page supports canonical environment_id, When invalid or cross-workspace environment_id is supplied, Then it is rejected/ignored without shell context or leakage.

User Story 4 - Environment-Owned and Workspace Hub Regressions Remain Green (Priority: P2)

As a reviewer, I can verify Baseline Compare remains Environment-owned and Decision Register remains a filtered workspace hub, so Spec 320 does not undo Specs 314-319.

Why this priority: The fix targets the opposite side of Spec 319 and must not flatten Environment-owned pages into workspace pages.

Independent Test: Assert canonical Baseline Compare route shows Workspace + Environment shell, old workspace-style Baseline Compare URLs still do not render, and Decision Register clean/filtered contracts remain green.

Acceptance Scenarios:

  1. Given a canonical Baseline Compare Environment route, When the page opens, Then Workspace + active Environment shell remains present.
  2. Given /admin/governance/decisions, When opened clean or with ?environment_id=..., Then it behaves exactly as Specs 314-316 require.

Edge Cases

  • A workspace-owned analysis page has no Environment selected or remembered.
  • A remembered Environment belongs to the current Workspace.
  • A remembered Environment belongs to a different Workspace.
  • A valid environment_id is supplied on a page that supports explicit filtering.
  • A valid environment_id is supplied on a page that does not support explicit filtering.
  • Legacy query aliases are supplied individually and together.
  • Browser reload/back/forward crosses Environment Dashboard, workspace-owned analysis pages, Baseline Compare, and Decision Register.
  • Livewire update requests use referer-based surface classification and must not reintroduce remembered Environment shell.

Functional Requirements

  • FR-001: Baselines/Baseline Profiles MUST be explicitly classified as workspace-owned analysis/library surfaces unless implementation evidence proves a narrower Environment-owned split is required.
  • FR-002: Baseline Snapshots MUST be explicitly classified as workspace-owned analysis/library surfaces unless implementation evidence proves a narrower Environment-owned split is required.
  • FR-003: Baseline Profile view/edit pages and Baseline Compare Matrix MUST be classified so clean URLs force Workspace shell only.
  • FR-004: My Findings, Findings Intake, Findings Hygiene, Cross-environment Compare, and any other Spec 318 unregistered workspace analysis pages confirmed in repo inspection MUST be registered/classified or explicitly excluded with evidence.
  • FR-005: In-scope clean workspace-owned analysis URLs MUST NOT restore remembered Environment shell context.
  • FR-006: In-scope clean URLs MUST open without requiring an active Environment context.
  • FR-007: Workspace context MUST remain selected and valid; the fix MUST NOT clear Workspace state.
  • FR-008: If a page supports Environment filtering, the only public filter key MUST be environment_id.
  • FR-009: environment_id filtering MUST keep Workspace shell only and show a visible Environment filter chip or equivalent clear affordance.
  • FR-010: tenant, tenant_id, managed_environment_id, tenant_scope, and tableFilters MUST NOT create active Environment shell or hidden Environment filter state on in-scope pages.
  • FR-011: Cross-workspace or unauthorized environment_id MUST NOT leak Environment identity or become shell context.
  • FR-012: Sidebar/global/workspace navigation entries for in-scope pages MUST emit clean workspace URLs unless they intentionally emit canonical environment_id filter URLs with visible chips.
  • FR-013: Environment Dashboard links to workspace-owned analysis pages MUST use clean workspace URLs or explicit environment_id filter URLs; they MUST NOT carry active Environment shell ownership.
  • FR-014: Breadcrumb/header/copy for workspace-owned analysis pages MUST not imply active Environment ownership as the primary scope.
  • FR-015: Workspace-owned analysis pages MAY show Environment columns, badges, selectors, and filter labels as data/filter state.
  • FR-016: Baseline Compare MUST remain Environment-owned according to Spec 319.
  • FR-017: Decision Register, Governance Inbox, Operations, Finding Exceptions Queue, Provider Connections, Evidence Overview, Review Register, Customer Review Workspace, Workspace Settings, Manage Workspaces, and Managed Environments MUST retain their existing workspace hub contracts.
  • FR-018: Alerts/Audit Log environment_id behavior MUST NOT be decided or changed except as regression context; that belongs to Spec 321.
  • FR-019: No compatibility route, redirect shim, legacy alias support, migration, seeder, package, env var, queue, scheduler, storage, or deployment asset change may be introduced for this spec.
  • FR-020: Browser verification screenshots SHOULD be saved under specs/320-workspace-owned-analysis-surface-registration-shell-cutover/artifacts/screenshots/ when generated.

Acceptance Criteria

Surface Classification

  • Baselines/Baseline Profiles classified as workspace-owned or explicitly reclassified with evidence.
  • Baseline Snapshots classified as workspace-owned or explicitly reclassified with evidence.
  • Baseline Profile detail/edit/compare-matrix classified as workspace-owned analysis surfaces.
  • My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare classified or explicitly excluded with evidence.
  • No in-scope workspace-owned analysis page remains generic ambiguous WorkspaceScoped if that permits remembered Environment shell fallback.
  • Baseline Compare remains Environment-owned.

Shell Context

  • Baselines clean URL shows Workspace shell only.
  • Baseline Snapshots clean URL shows Workspace shell only.
  • Baseline Profile detail/edit/compare-matrix clean URLs show Workspace shell only.
  • Findings analysis and Cross-environment Compare clean URLs show Workspace shell only.
  • Opening in-scope pages from Environment context cuts to Workspace shell only.
  • Reload and browser back/forward do not restore active Environment shell.

URL / Query Contract

  • In-scope clean URLs do not require Environment context.
  • Legacy query aliases do not create shell/filter state.
  • Supported Environment filters use only environment_id.
  • Visible filter chip/clear behavior exists for pages that support environment_id.
  • Unsupported environment_id is ignored/stripped/rejected without hidden shell/data mismatch; chosen behavior is documented in implementation close-out.

Regression

  • Spec 314 clean workspace hub entry remains green.
  • Spec 315 Environment CTA environment_id contract remains green.
  • Spec 316 clear filter contract remains green.
  • Spec 317 legacy Tenant cleanup remains green.
  • Spec 319 Baseline Compare Environment-owned route remains green.
  • Spec 318 workspace-owned analysis mismatch is resolved for in-scope surfaces.

Out of Scope

  • Baseline Compare implementation changes beyond regression checks.
  • Alerts/Audit Log filter decision from Spec 321.
  • Durable browser no-drift automation from Spec 322.
  • New product features, new baseline assignment semantics, or baseline data model redesign.
  • Migrations, seeders, data backfills, package changes, env vars, queues, scheduler, storage, or deployment asset changes.
  • Legacy alias support, backwards compatibility, redirects, dual shell models, or remembered Environment fallback preservation.

Source Evidence

  • specs/318-admin-surface-scope-shell-context-audit/audit-report.md identifies the classifier gap and workspace-owned baseline/analysis mismatches.
  • specs/318-admin-surface-scope-shell-context-audit/surface-inventory.md lists Baselines/Baseline Profiles, Baseline Snapshots, Baseline Compare Matrix, My Findings, Findings Intake, Findings Hygiene, and Cross-environment Compare as mismatches or unregistered workspace analysis pages.
  • specs/318-admin-surface-scope-shell-context-audit/mismatch-findings.md records M2 and M4 as the direct targets.
  • specs/318-admin-surface-scope-shell-context-audit/recommended-fixes.md recommends a Workspace-Owned Baseline Registry Contract and broader classifier coverage.
  • specs/319-environment-owned-surface-routing-shell-context-contract/spec.md leaves workspace-owned baseline analysis surfaces explicitly to Spec 320.

Assumptions

  • Baseline Profiles and Baseline Snapshots are workspace-owned based on current workspace_id queries and Spec 318 evidence.
  • Baseline Compare Matrix is workspace-owned analysis over assigned Environments, while Baseline Compare landing remains Environment-owned.
  • Findings analysis pages are workspace-owned queues/reports with optional Environment filters, not Environment-owned pages.
  • Cross-environment Compare is workspace-owned portfolio analysis because it explicitly selects source/target Environments.
  • Current product is pre-production; hard cutover is correct.

Risks

  • Adding all in-scope pages to WorkspaceHubRegistry could accidentally imply filtered-hub behavior for pages that do not support chips/clear state.
  • A new classifier enum case could become a broader taxonomy if not constrained to the audited route list.
  • Existing tests may assert remembered Environment fallback and must be replaced, not preserved.
  • Browser smoke can become too broad; keep it focused to Spec 318 evidence and required regressions.

Open Questions

  • Exact unsupported environment_id behavior for pages without filter support: ignore, strip, or reject. Implementation must choose per page and document the result.
  • Whether Baseline Profile create page should be included in workspace-owned analysis classification if implementation finds it inherits Environment shell.
  • Whether findings analysis pages should converge on canonical environment_id visible chip behavior in this spec or only prevent shell inheritance; if current filter UI is not chip-compatible, keep the fix narrow and document follow-up rather than adding feature scope.

Follow-up Spec Candidates

  • 321 - Alerts / Audit Log Environment Filter Contract Decision: decide support vs rejection of environment_id with no half-state.
  • 322 - Browser No-Drift Regression Guard: durable browser coverage for shell/context/filter/reload/back-forward drift.