ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
platform-dev
TenantAtlas/specs/326-customer-review-workspace-v1-productization/tasks.md
ahmido c8224843b3 Spec 326: productize customer review workspace (#386) 
## Summary
- productizes the Customer Review Workspace into a more decision-first, customer-safe review surface
- updates the page class, Blade view, and localized copy for the new workspace presentation
- expands feature and browser coverage for workspace behavior, localization, and access rules
- adds the Spec 326 artifact package for this implementation

## Testing
- not run in this session

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #386
2026-05-18 13:30:38 +00:00

14 KiB
Raw Permalink Blame History

Tasks: Spec 326 - Customer Review Workspace v1 Productization

Input: Design documents from /specs/326-customer-review-workspace-v1-productization/ Prerequisites: spec.md, plan.md, repo-truth-map.md

Tests: Required. This is a runtime UI/customer-safe Filament/Livewire page productization with browser smoke.

Test Governance Checklist

  • Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
  • New or changed tests stay in the smallest honest family, and the browser addition is explicit.
  • Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default.
  • Planned validation commands cover the change without pulling in unrelated lane cost.
  • The declared surface test profile (global-context-shell plus customer-safe disclosure) is explicit.
  • Any material budget, baseline, trend, or escalation note is recorded in the active spec or PR.

Phase 1: Preparation And Repo Truth

Purpose: Confirm runtime truth and prevent invented claims before page edits.

  • T001 Re-read specs/326-customer-review-workspace-v1-productization/spec.md, plan.md, and repo-truth-map.md.
  • T002 Re-read related completed context only: Specs 312 and 314-325. Do not modify their artifacts.
  • T003 Verify current CustomerReviewWorkspace route/class/view and existing tests before editing.
  • T004 Update repo-truth-map.md with any newly discovered source, capability, fallback, or classification before runtime changes.
  • T005 Confirm no migration/package/env/queue/storage/deployment asset change is required; if one appears necessary, stop and update spec/plan first.
  • T006 Confirm Filament v5 / Livewire v4.0+ compliance and no Livewire v3/Filament legacy API use.
  • T007 Confirm panel provider registration remains apps/platform/bootstrap/providers.php.
  • T008 Confirm related globally searchable resources stay disabled or have safe View/Edit pages; expected related resources remain protected static bool $isGloballySearchable = false.

Phase 2: Feature Tests First

Purpose: Lock customer-safe behavior, scope, RBAC, and no-false-green before the UI refactor.

  • T009 Add or update a feature test asserting repo-truth-map.md exists and lists required data areas.
  • T010 Add or update a Feature/Livewire test for the decision-first layout text: Customer Review Workspace, Is this review ready to share?, Readiness, Evidence, Accepted risk, Evidence path, Review pack, and Decision trail.
  • T011 Add or update a Feature/Livewire test that raw diagnostics are hidden by default: raw payload, stack trace, provider secret, debug metadata, and internal exception must not appear.
  • T012 Add or update review-pack readiness tests for available, unavailable, and stale/needs-refresh or explicit unsupported/unavailable state.
  • T013 Add or update evidence freshness tests proving evidence state is visible and no generic green/success state appears without repo-backed proof.
  • T014 Add or update accepted-risk summary tests for total/current state and expiring/expired/pending where repo-supported; assert internal approval/debug details are absent by default.
  • T015 Add or update customer-safe follow-up tests for title, priority/severity if available, owner/due if available, proof state, next action, and no raw diagnostics by default.
  • T016 Add or update RBAC tests covering view review, view evidence, export/open review pack, and diagnostics action visibility/unavailability.
  • T017 Add or update canonical environment filter tests for ?environment_id=, visible chip, workspace shell only, clear filter, and provable filtered data.
  • T018 Add or update legacy alias rejection tests for tenant, tenant_id, managed_environment_id, environment, tenant_scope, and tableFilters.
  • T019 Add or update cross-workspace environment filter guard test returning safe 404/no-access.

Phase 3: Page Skeleton Productization

Purpose: Refactor existing page layout without new backend foundation.

  • T020 Update apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php to expose a repo-truth-bounded payload for header/scope, main decision card, readiness dimensions, evidence path, review pack, accepted risks, follow-ups, and diagnostics disclosure.
  • T021 Update apps/platform/resources/views/filament/pages/reviews/customer-review-workspace.blade.php to render the decision-first structure before the table.
  • T022 Ensure the header/scope area shows workspace-wide vs environment-filtered context, visible environment chip when filtered, and customer-safe review mode.
  • T023 Ensure the main decision card shows status, reason, impact, and one primary next action.
  • T024 Ensure readiness summary cards show readiness, evidence, and accepted-risk dimensions or repo-verified equivalents.
  • T025 Ensure the evidence path panel shows evidence snapshot, review pack, decision trail, accepted-risk records, OperationRun proof, and export artifact as available/unavailable/stale/requires-refresh/not-applicable.
  • T026 Ensure the review-pack panel shows status, last generated where available, evidence snapshot where available, export/open availability, staleness/freshness where repo-supported, and operation proof where repo-supported.
  • T027 Ensure accepted-risk summary shows counts/states only where repo-supported and uses customer-safe language.
  • T028 Ensure customer-safe findings/follow-ups show supported fields and honest unavailable state where source truth is absent.
  • T029 Ensure diagnostics/internal details are collapsed or secondary by default and authorized before visibility.
  • T030 Keep the existing table as secondary context; it must not be the only default experience, must render from persisted data only, and must not make Graph calls during page render.

Phase 4: Actions, RBAC, And Safety

Purpose: Show only real, authorized actions and preserve read-only default behavior.

  • T031 Keep primary action repo-real and authorized: open/download review pack when ready and permitted, otherwise open latest review or show unavailable/follow-up state.
  • T032 Add/open evidence, accepted-risk, finding, operation-proof, or diagnostics links only when route and authorization are repo-real.
  • T033 Ensure unauthorized actions are hidden or unavailable without leaking sensitive details.
  • T034 Verify no customer-safe default action publishes, generates, refreshes, regenerates, expires, revokes, deletes, restores, or mutates tenant/provider state.
  • T035 If any high-impact action is unexpectedly required, implement it with Action::make(...)->action(...), ->requiresConfirmation(), server-side authorization, audit, notification, and tests after updating spec/plan first.
  • T036 Ensure existing page-open audit logging remains safe and does not include secrets/raw payloads.

Phase 5: Workspace / Environment Scope Contract

Purpose: Preserve Specs 314-322.

  • T037 Verify clean /admin/reviews/workspace does not read remembered environment shell state or persisted table filters.
  • T038 Verify /admin/reviews/workspace?environment_id={id} filters only page data, shows visible chip, and keeps Workspace shell ownership.
  • T039 Verify clear filter redirects to clean workspace URL and remains safe after reload.
  • T040 Verify legacy aliases are removed/neutralized and do not set filter state.
  • T041 Verify cross-workspace or unauthorized environment_id returns safe no-access/404.
  • T042 Verify back/forward/reload behavior does not resurrect cleared environment filter state.

Phase 6: Browser Smoke And Screenshots

Purpose: Prove the user-facing contract in the integrated browser lane.

  • T043 Create apps/platform/tests/Browser/Spec326CustomerReviewWorkspaceProductizationSmokeTest.php using existing Pest Browser conventions.
  • T044 Browser Flow A: clean workspace entry; assert Workspace shell only, no Environment chip, main decision card, evidence path, diagnostics collapsed, screenshot.
  • T045 Browser Flow B: filtered environment entry; assert Workspace shell only, visible chip, filter copy, clear filter, screenshot.
  • T046 Browser Flow C: clear filter and reload; assert clean URL, chip does not return, no active Environment shell.
  • T047 Browser Flow D: customer-safe disclosure; assert raw diagnostics absent by default, open diagnostics if available/authorized, verify secondary placement.
  • T048 Browser Flow E: light mode readability check if supported; capture optional screenshot.
  • T049 Save screenshots under specs/326-customer-review-workspace-v1-productization/artifacts/screenshots/ when generated and ensure they contain no secrets.

Phase 7: UI Coverage And Documentation Artifacts

Purpose: Satisfy UI-COV without unrelated docs churn.

  • T050 Decide after runtime diff whether docs/ui-ux-enterprise-audit/route-inventory.md or design-coverage-matrix.md needs an update.
  • T051 If coverage docs are not changed, add a close-out note explaining why existing UI-006 report plus Spec 325 target artifacts remain sufficient for the unchanged route.
  • T052 Update repo-truth-map.md final classifications for implemented/empty/deferred elements.
  • T053 Do not create general documentation files outside required Spec Kit/UI coverage artifacts.

Phase 8: Validation

Purpose: Run narrow proof and report honestly.

  • T054 Run cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Reviews tests/Feature/Navigation/WorkspaceHubEnvironmentFilterContractTest.php tests/Feature/Navigation/WorkspaceHubClearFilterContractTest.php --compact.
  • T055 Run cd apps/platform && ./vendor/bin/sail artisan test tests/Browser/Spec326CustomerReviewWorkspaceProductizationSmokeTest.php --compact.
  • T056 Run cd apps/platform && ./vendor/bin/sail artisan test --filter='CustomerReviewWorkspace|WorkspaceHub|EnvironmentFilter|ClearFilter|LegacyTenant|Spec322' --compact. Attempted after T054/T055; the process was killed with signal 9 after the feature/navigation portion completed, so this exact all-matching filtered command is not marked complete.
  • T057 Run cd apps/platform && ./vendor/bin/sail pint --dirty; artisan pint is not registered, so validation used ./vendor/bin/sail pint --dirty plus explicit touched PHP/localization paths.
  • T058 Run git diff --check.
  • T059 Report full-suite status honestly if not run.
  • T060 Confirm no migrations, seeders, packages, env vars, queues, scheduler, storage, deployment assets, backwards compatibility layer, or legacy tenant alias support were added.

Follow-up Phase: Premium Layout Alignment

Purpose: Continue Spec 326 without new numbering and align the Customer Review Workspace runtime UI more closely with the premium Spec 325 target direction.

  • T061 Compact the Customer Review Workspace intro and quiet the non-certification disclosure.
  • T062 Remove platform-context tenant wording from Customer Review Workspace runtime copy and tests.
  • T063 Recompose the Blade view into a dense main/aside layout with a decision-first main column and evidence/review-pack/disclosure aside.
  • T064 Keep the table as secondary Review package index context after the decision and evidence workbench.
  • T065 Extend Feature/Browser assertions for main question, evidence path, review-pack panel, accepted-risk panel, disclosure rule, collapsed diagnostics, hidden raw diagnostics, and no platform-context tenant copy.
  • T066 Capture artifacts/screenshots/customer-review-workspace-premium-layout.png.
  • T067 Re-run the requested Spec 326 validation commands and record results honestly. Feature/navigation tests passed, pint --dirty passed, and git diff --check passed. The requested Pest Browser smoke command was attempted twice in the follow-up and hung without output until manually stopped; manual browser smoke plus screenshot capture passed with no console warnings/errors.

Follow-up Phase: Accepted-Risk Readiness Alignment

Purpose: Keep the premium layout truthful when accepted-risk follow-up is required and avoid a false ready-to-share primary state.

  • T068 Align the main decision card with accepted-risk follow-up truth so it shows Shareable with follow-up or Review needed instead of Ready to share when follow-up is required.
  • T069 Keep the right-side Evidence / Review Pack / Accepted Risk / Disclosure aside visible and test-addressable at desktop width.
  • T070 Shorten the readiness, evidence, review-pack, and accepted-risk state-card copy.
  • T071 Add a regression test proving accepted-risk follow-up suppresses the Ready to share state.
  • T072 Re-run the requested final validation. Feature Reviews passed, Spec 326 Pest Browser smoke passed, pint --dirty passed, and git diff --check passed. Direct in-app browser verification passed at medium desktop width and the premium-layout screenshot artifact was refreshed.
  • T073 Demote Download review pack to a secondary action when the main state is Shareable with follow-up.
  • T074 Move the premium Evidence / Review Pack / Accepted Risk / Disclosure aside to the medium desktop breakpoint and compact the aside panels so it is visible earlier in the first viewport.

Non-Goals Checklist

  • NT001 Do not build an external customer portal.
  • NT002 Do not implement external authentication, invitation links, email delivery, or PSA handoff.
  • NT003 Do not implement a new review/evidence/review-pack backend.
  • NT004 Do not redesign Governance Inbox, Operations Hub, Evidence Overview, Environment Dashboard, Baseline Compare, or Restore Safety Workflow.
  • NT005 Do not add migrations unless spec/plan are updated first with proof.
  • NT006 Do not rewrite completed Specs 312 or 314-325.
  • NT007 Do not add legacy tenant query alias support.

Required Final Report Content

When implementation later completes, report:

  • Changed behavior.
  • Customer-safe review surface.
  • Evidence / Review Pack / Accepted Risk coverage.
  • Files changed.
  • Repo truth map status.
  • Tests run and results.
  • Browser verification and screenshots path.
  • Known gaps.
  • Remaining follow-ups.
  • Diagnostics default state.
  • RBAC-visible/hidden actions.
  • Repo-verified vs unavailable states.
  • Full suite run/not run.
  • Explicit no migrations/seeders/packages/env/queues/scheduler/storage/deployment assets/backcompat/legacy aliases statement.