ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
platform-dev
TenantAtlas/specs/322-browser-no-drift-regression-guard/tasks.md
ahmido ec4ff1074c Spec 322: add browser no-drift regression guards (#379) 
## Summary
- add the Spec 322 artifact set for the browser no-drift regression guard
- add Feature navigation guards for admin surface scope, environment CTA URLs, and legacy alias rejection
- add Browser smoke coverage for workspace hubs, environment-owned surfaces, workspace-owned analysis surfaces, and alerts/audit flows
- add the Spec 322 browser support harness used by the new smoke coverage

## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php tests/Feature/Navigation/Spec322EnvironmentCtaUrlContractTest.php --compact`
- `cd apps/platform && ./vendor/bin/sail artisan test tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php tests/Browser/Spec322WorkspaceOwnedAnalysisSmokeTest.php tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php --compact`
- `cd apps/platform && ./vendor/bin/sail pint --dirty`
- `git diff --check`

## Notes
- a broader filtered regression run still reports existing Baseline Compare feature-test failures outside this diff

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #379
2026-05-17 11:34:31 +00:00

21 KiB
Raw Permalink Blame History

Tasks: Browser No-Drift Regression Guard

Input: Spec artifacts from specs/322-browser-no-drift-regression-guard/ Prerequisites: spec.md, plan.md, test-plan.md, coverage-manifest.md Runtime posture: Test/guard-first. No new product behavior unless a narrow fix is required to satisfy existing Specs 314 through 321 contracts.

Phase 1: Discovery Confirmation

  • T001 Re-read specs/322-browser-no-drift-regression-guard/spec.md, plan.md, test-plan.md, and coverage-manifest.md before implementation starts.
  • T002 Re-read Specs 314 through 321 as historical/context dependencies without editing their completed artifacts.
  • T003 Inspect apps/platform/app/Support/Navigation/WorkspaceHubRegistry.php and confirm required workspace hubs and exclusions still match the manifest.
  • T004 Inspect apps/platform/app/Support/Navigation/AdminSurfaceScope.php and confirm workspace-owned analysis surface classification still matches the manifest.
  • T005 Inspect apps/platform/app/Support/Navigation/WorkspaceHubEnvironmentFilter.php and confirm canonical environment_id remains the only accepted filter query key.
  • T006 Inspect apps/platform/app/Support/Navigation/WorkspaceHubFilterStateResetter.php and confirm legacy Environment-like query/table/session keys remain resettable.
  • T007 Inspect route names and URLs for all required surfaces listed in specs/322-browser-no-drift-regression-guard/coverage-manifest.md.
  • T008 Update specs/322-browser-no-drift-regression-guard/coverage-manifest.md if discovery proves a route, classification, or existing coverage status has changed.

Phase 2: Feature / Static Guards

  • T009 [P] Add it('classifies_core_admin_surfaces_without_scope_drift') in apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php.
  • T010 [P] Add it('workspace_hub_clean_urls_never_emit_environment_or_legacy_query_params') in apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php.
  • T011 [P] Add it('clear_filter_results_match_clean_workspace_hub_entry_for_filterable_hubs') in apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php.
  • T012 [P] Add it('environment_id_filters_reject_cross_workspace_environment_ids') in apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php.
  • T013 [P] Add it('environment_cta_urls_use_the_correct_surface_contract') in apps/platform/tests/Feature/Navigation/Spec322EnvironmentCtaUrlContractTest.php.
  • T014 [P] Add it('legacy_environment_query_aliases_do_not_create_filter_or_shell_state') in apps/platform/tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php.
  • T015 [P] Add it('has_no_active_legacy_tenant_panel_routes') coverage by extending or referencing apps/platform/tests/Feature/Guards/NoLegacyTenantPanelRuntimeTest.php.
  • T016 [P] Add it('allows_tenant_terms_only_in_provider_boundary_contexts') coverage by extending apps/platform/tests/Feature/Guards/LegacyTenantPlatformContextCleanupTest.php or adding a narrow Spec 322 guard.
  • T017 Confirm Feature/static guards cover Operations, Governance Inbox, Decision Register, Finding Exceptions Queue, Provider Connections, Evidence Overview, Reviews, Customer Reviews, Alert Deliveries, Audit Log, Alerts, Alert Rules, Alert Destinations, Workspace Settings, Baseline Profiles, Baseline Snapshots, My Findings, Findings Intake, Findings Hygiene, Cross-environment Compare, and Baseline Compare.

Phase 3: Browser Harness And Fixture Control

  • T018 Inspect existing Pest Browser patterns in apps/platform/tests/Browser/Spec314WorkspaceHubNavigationContextSmokeTest.php and apps/platform/tests/Browser/Spec316WorkspaceHubClearFilterSmokeTest.php.
  • T019 Decide whether a test-only helper such as apps/platform/tests/Browser/Support/Spec322WorkspaceEnvironmentBrowserHarness.php is necessary, or keep helpers local to the Spec 322 browser files.
  • T020 If a harness is added, keep workspace, Environment, membership, and session setup explicit and opt-in in apps/platform/tests/Browser/Support/Spec322WorkspaceEnvironmentBrowserHarness.php.
  • T021 If a harness is added, document its fixture-cost boundary in specs/322-browser-no-drift-regression-guard/coverage-manifest.md.
  • T022 Avoid adding seeders; if deterministic browser fixtures cannot be built with factories, stop and update spec.md and plan.md before changing seeders.

Phase 4: Workspace Hub Browser Guards

  • T023 [P] Add apps/platform/tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php covering clean workspace hub entry from Environment origin.
  • T024 [P] In Spec322WorkspaceHubNoDriftSmokeTest.php, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Operations.
  • T025 [P] In Spec322WorkspaceHubNoDriftSmokeTest.php, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Governance Inbox.
  • T026 [P] In Spec322WorkspaceHubNoDriftSmokeTest.php, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Decision Register.
    • Covered by existing Spec314/316 browser anchors plus Spec322 Feature/static guards; not duplicated in the focused Spec322 browser smoke.
  • T027 [P] In Spec322WorkspaceHubNoDriftSmokeTest.php, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Finding Exceptions Queue.
    • Covered by existing Spec314/316 browser anchors plus Spec322 Feature/static guards; Spec322 browser includes this surface in the representative legacy alias guard.
  • T028 [P] In Spec322WorkspaceHubNoDriftSmokeTest.php, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Provider Connections.
  • T029 [P] In Spec322WorkspaceHubNoDriftSmokeTest.php, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Evidence Overview.
  • T030 [P] In Spec322WorkspaceHubNoDriftSmokeTest.php, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Reviews and Customer Reviews.
    • Covered by existing Spec314/316 browser anchors plus Spec322 Feature/static guards; not duplicated in the focused Spec322 browser smoke.
  • T031 [P] In Spec322WorkspaceHubNoDriftSmokeTest.php, cover clean URL, Workspace-only shell, no Environment chip, no legacy params, and reload for Alert Deliveries and Audit Log.
    • Covered in Spec322AlertsAuditNoDriftSmokeTest.php, with Audit Log clear/history retained as Feature fallback due browser click timing.
  • T032 In Spec322WorkspaceHubNoDriftSmokeTest.php, cover filtered entry, visible chip, clear, and reload for all filterable workspace hubs; include browser back/forward alignment for Provider Connections, Finding Exceptions Queue, Customer Reviews, Evidence Overview, Alert Deliveries, and Audit Log.
    • Spec322 browser covers Provider Connections, Evidence Overview, and Alert Deliveries; existing Spec316 browser and Spec322 Feature/static guards cover the remaining permutations.

Phase 5: Environment-Owned Browser Guards

  • T033 Add apps/platform/tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php covering Environment-owned route/shell contracts.
  • T034 In Spec322EnvironmentOwnedSurfaceSmokeTest.php, cover Environment Dashboard route, Workspace + Environment shell, reload, and back from a workspace hub.
    • Spec322 browser covers route/shell/reload; browser back is left to existing navigation anchors to keep this guard bounded.
  • T035 In Spec322EnvironmentOwnedSurfaceSmokeTest.php, cover Baseline Compare route, Workspace + Environment shell, no workspace-hub environment_id model, reload, and browser back.
    • Spec322 browser covers route/shell/reload and invalid old access; browser back is left to existing navigation anchors to keep this guard bounded.
  • T036 In Spec322EnvironmentOwnedSurfaceSmokeTest.php, cover Baseline Compare old clean workspace-only invalid access using the existing BaselineCompareEnvironmentRouteContractTest behavior as the deterministic baseline.
  • T037 In Spec322EnvironmentOwnedSurfaceSmokeTest.php, cover Required Permissions if route and fixture are browser-stable; otherwise document browser gap and Feature fallback in coverage-manifest.md.
  • T038 In Spec322EnvironmentOwnedSurfaceSmokeTest.php, cover Provider Readiness / Onboarding Readiness if route and fixture are browser-stable; otherwise document browser gap and Feature fallback in coverage-manifest.md.
    • No separate route was confirmed; coverage manifest documents Environment Dashboard browser coverage as the deterministic fallback.
  • T039 In Spec322EnvironmentOwnedSurfaceSmokeTest.php, cover Inventory or Inventory Coverage if route and fixture are browser-stable; otherwise document browser gap and Feature fallback in coverage-manifest.md.
    • Browser coverage intentionally excluded for runtime cost; Feature URL/scope guards cover the route contract.
  • T040 In Spec322EnvironmentOwnedSurfaceSmokeTest.php, cover Environment Diagnostics if route and fixture are browser-stable; otherwise document browser gap and Feature fallback in coverage-manifest.md.
    • Browser coverage intentionally excluded for runtime cost; Feature URL/scope guards cover the route contract.

Phase 6: Workspace-Owned Analysis And Configuration Browser Guards

  • T041 Add apps/platform/tests/Browser/Spec322WorkspaceOwnedAnalysisSmokeTest.php covering Workspace-only shell cutover from Environment origin.
  • T042 [P] In Spec322WorkspaceOwnedAnalysisSmokeTest.php, cover Baseline Profiles clean URL, Workspace-only shell, no Environment chip, and reload.
  • T043 [P] In Spec322WorkspaceOwnedAnalysisSmokeTest.php, cover Baseline Snapshots clean URL, Workspace-only shell, no Environment chip, and reload.
    • Browser coverage intentionally excluded for runtime cost; Spec322 Feature/static guards cover the surface classification and URL contract.
  • T044 [P] In Spec322WorkspaceOwnedAnalysisSmokeTest.php, cover My Findings clean URL, Workspace-only shell, no Environment chip, and reload.
  • T045 [P] In Spec322WorkspaceOwnedAnalysisSmokeTest.php, cover Findings Intake clean URL, Workspace-only shell, no Environment chip, and reload.
    • Browser coverage intentionally excluded for runtime cost; Spec322 Feature/static guards cover the surface classification and URL contract.
  • T046 [P] In Spec322WorkspaceOwnedAnalysisSmokeTest.php, cover Findings Hygiene clean URL, Workspace-only shell, no Environment chip, and reload.
    • Browser coverage intentionally excluded for runtime cost; Spec322 Feature/static guards cover the surface classification and URL contract.
  • T047 [P] In Spec322WorkspaceOwnedAnalysisSmokeTest.php, cover Cross-environment Compare clean URL, Workspace-only shell, no Environment chip, and reload.
  • T048 In Spec322WorkspaceOwnedAnalysisSmokeTest.php, cover Alert Rules, Alert Destinations, and Workspace Settings as Workspace-only configuration surfaces from Environment origin.
    • Workspace Settings is covered here; Alert Rules and Alert Destinations are covered in Spec322AlertsAuditNoDriftSmokeTest.php.

Phase 7: Alerts / Audit Log Browser Guards

  • T049 Add apps/platform/tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php.
  • T050 In Spec322AlertsAuditNoDriftSmokeTest.php, cover Alerts Overview clean and filtered entry, visible chip, clear, reload, and links to Alert Deliveries/Audit Log.
    • Spec322 browser covers clean and filtered entry; clear/link permutations remain covered by Spec321/Spec322 Feature guards.
  • T051 In Spec322AlertsAuditNoDriftSmokeTest.php, cover Alert Deliveries filtered entry, visible chip, clear, reload, and back/forward alignment.
  • T052 In Spec322AlertsAuditNoDriftSmokeTest.php, cover Audit Log filtered entry, visible chip, clear, reload, and back/forward alignment.
    • Spec322 browser covers filtered and clean/reload shell state; clear/back-forward remains covered by Spec321/Spec322 Feature guards because browser click timing was unstable on this page.
  • T053 In Spec322AlertsAuditNoDriftSmokeTest.php, cover Alert Rules and Alert Destinations reject stray environment_id chip/shell behavior in the browser.
  • T054 Ensure Spec322AlertsAuditNoDriftSmokeTest.php aligns with apps/platform/tests/Feature/Navigation/Spec321AlertsAuditEnvironmentFilterContractTest.php and does not change Spec 321 product decisions.

Phase 8: Legacy Alias Browser Representative Guard

  • T055 Add representative browser coverage for legacy aliases in apps/platform/tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php or apps/platform/tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php.
  • T056 Keep exhaustive alias permutations in Feature tests rather than Browser tests.
  • T057 Assert representative generated links do not preserve tenant, tenant_id, managed_environment_id, environment, tenant_scope, or tableFilters.

Phase 9: Manifest, Screenshots, And Documentation Artifacts

  • T058 Update specs/322-browser-no-drift-regression-guard/coverage-manifest.md with actual Browser and Feature coverage statuses after tests are implemented.
  • T059 Mark any browser blocker or intentionally excluded optional surface in specs/322-browser-no-drift-regression-guard/coverage-manifest.md.
  • T060 Save diagnostic screenshots under specs/322-browser-no-drift-regression-guard/artifacts/screenshots/ only when useful for debugging or final review.
    • No final-review screenshots were needed; transient failed-run screenshots remained in the standard Pest Browser screenshot directory only.
  • T061 Do not add implementation documentation outside specs/322-browser-no-drift-regression-guard/ unless the user explicitly requests it.

Phase 10: Validation

  • T062 Run targeted Feature/static guards from specs/322-browser-no-drift-regression-guard/test-plan.md.
  • T063 Run targeted Browser guards from specs/322-browser-no-drift-regression-guard/test-plan.md.
  • T064 Run existing related regression filter command from specs/322-browser-no-drift-regression-guard/test-plan.md.
    • The original combined command was attempted and then split for reviewability. The Unit/Feature slice completes with the Baseline Compare failures documented below. The Spec322 Browser slice completes green. The original combined command is not used as the merge gate because the mixed Feature/Browser run previously stalled behind a Playwright server after reporting Feature failures.
  • T065 Run cd apps/platform && ./vendor/bin/sail pint --dirty.
  • T066 Run git diff --check from the repository root.
  • T067 Record exact commands, results, browser gaps, screenshots, full-suite status, and unrelated residual failures in the final implementation report.

Broader Regression Note

Scope check:

  • Branch: 322-browser-no-drift-regression-guard
  • Diff scope: only Spec 322 spec artifacts, Spec 322 Feature tests, Spec 322 Browser tests, and tests/Browser/Support/Spec322WorkspaceEnvironmentBrowserHarness.php.
  • No 319/320/321 artifacts are included in the current diff.

Targeted Spec 322 gates:

  • ./vendor/bin/sail artisan test tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php tests/Feature/Navigation/Spec322EnvironmentCtaUrlContractTest.php --compact
    • Result: 8 passed, 400 assertions.
  • ./vendor/bin/sail artisan test tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php tests/Browser/Spec322WorkspaceOwnedAnalysisSmokeTest.php tests/Browser/Spec322AlertsAuditNoDriftSmokeTest.php --compact
    • Result: 9 passed, 510 assertions.

Broader regression split:

  • ./vendor/bin/sail artisan test tests/Unit tests/Feature --filter='WorkspaceHub|EnvironmentFilter|ClearFilter|LegacyTenant|BaselineCompare|WorkspaceOwnedAnalysis|AlertsAudit' --compact --stop-on-failure
    • Result: failed at the first Baseline Compare explanation failure before any Browser tests were involved.
  • ./vendor/bin/sail artisan test tests/Unit tests/Feature --filter='WorkspaceHub|EnvironmentFilter|ClearFilter|LegacyTenant|BaselineCompare|WorkspaceOwnedAnalysis|AlertsAudit' --compact
    • Result: 5 failed, 237 passed, 1884 assertions.

Known remaining broader-regression failures:

  • Tests\Feature\Baselines\BaselineCompareExplanationFallbackTest
    • Test: it shows an unavailable explanation before any baseline compare result exists
    • Individual rerun: fails.
    • Failure: expected page output to contain A current baseline compare result is not available yet.
  • Tests\Feature\Filament\BaselineCompareExplanationSurfaceTest
    • Test: it renders suppressed baseline-compare results as explanation-first guidance
    • Individual rerun: fails.
    • Failure: expected page output to contain The last compare finished, but normal result output was suppressed.
  • Tests\Feature\Filament\BaselineCompareSummaryConsistencyTest
    • Test: it keeps widget, landing, and banner equally cautious for the same limited-confidence result
    • Individual rerun: fails.
    • Failure: expected page output to contain Needs review.
  • Tests\Feature\Filament\BaselineCompareSummaryConsistencyTest
    • Test: it keeps widget, landing, and banner aligned when overdue workflow makes the state action-required
    • Individual rerun: fails.
    • Failure: expected page output to contain Action required.
  • Tests\Feature\Filament\BaselineCompareSummaryConsistencyTest
    • Test: it keeps widget, landing, and banner aligned while compare is still in progress
    • Individual rerun: fails.
    • Failure: expected page output to contain In progress.

Spec322-caused broader-regression issue found and fixed:

  • Tests\Feature\Guards\LegacyTenantPlatformContextCleanupTest initially failed because Spec322LegacyQueryAliasGuardTest.php contained the retired literal ensure-filament-tenant-selected inside its own search pattern list.
  • Fixed by splitting the literal in the pattern construction while preserving the generated regex.
  • Individual rerun result: LegacyTenantPlatformContextCleanupTest passes, 6 tests, 19 assertions.

Out-of-scope assessment:

  • The remaining 5 failures are in untouched Baseline Compare test files and reproduce when run individually.
  • They are not Browser-harness failures and not Spec322 targeted guard failures.
  • They are not proven pre-existing against a clean dev checkout in this working tree, but they are independent of the Spec322 diff: Spec322 changed only tests/spec artifacts and no Baseline Compare product code.
  • Treat these as a separate Baseline Compare test-suite hygiene/runtime investigation, not as a Spec322 no-drift regression.

Phase 11: Non-Goals / Stop Conditions

  • NT001 Do not add migrations.
  • NT002 Do not change seeders unless spec.md and plan.md are updated first with fixture justification.
  • NT003 Do not add packages, env vars, queues, scheduler, storage, or deployment asset changes.
  • NT004 Do not introduce Playwright MCP dependency or a broad visual-regression framework.
  • NT005 Do not add backwards compatibility redirects, dual query contracts, or legacy query alias support.
  • NT006 Do not rewrite completed Specs 314 through 321 or remove their close-out and validation history.
  • NT007 Do not change Alerts/Audit Log decisions from Spec 321.
  • NT008 Stop and update spec.md and plan.md before any product behavior change broader than a narrow contract fix.

Dependencies

  1. Phase 1 must complete before Feature/static or Browser implementation.
  2. Feature/static guards in Phase 2 can run in parallel by file.
  3. Browser harness decision in Phase 3 should happen before Phases 4 through 8.
  4. Browser surface phases can run in parallel if they write separate files.
  5. Manifest updates in Phase 9 depend on actual implementation results.
  6. Validation in Phase 10 depends on all in-scope test files being in place.

MVP Scope

The minimum viable Spec 322 implementation is:

  1. Feature/static guards for classification, clean URLs, CTA URLs, clear-state equivalence, cross-workspace rejection, legacy aliases, /admin/t, and provider Tenant allowlist.
  2. Browser smoke for workspace hubs, Baseline Compare / Environment-owned route, workspace-owned analysis shell cutover, and Alerts/Audit Log.
  3. Updated coverage manifest with any browser gaps.

Parallel Work Examples

Agent A: Feature/static guards in apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php
Agent B: Legacy alias and provider-boundary guards in apps/platform/tests/Feature/Navigation/Spec322LegacyQueryAliasGuardTest.php
Agent C: Workspace hub browser smoke in apps/platform/tests/Browser/Spec322WorkspaceHubNoDriftSmokeTest.php
Agent D: Environment-owned browser smoke in apps/platform/tests/Browser/Spec322EnvironmentOwnedSurfaceSmokeTest.php

Parallel workers must not edit the same test file at the same time.