TenantAtlas/specs/330-environment-dashboard-baseline-compare-productization/spec.md

Feature Specification: Spec 330 - Environment Dashboard / Baseline Compare Productization

Feature Branch: 330-environment-dashboard-baseline-compare-productization Created: 2026-05-19 Status: Draft Type: Runtime UI productization / environment readiness / baseline drift decision surface Runtime posture: Narrow runtime UI implementation. Repo-based. No invented backend foundation. Input: User-provided full Spec 330 draft.

Dependencies And Historical Context

Depends on:

• Spec 314 - Workspace Hub Navigation Context Contract.
• Spec 315 - Environment CTA Explicit Filter Contract.
• Spec 316 - Workspace Hub Clear Filter Contract.
• Spec 317 - Legacy Tenant / Environment Context Cleanup.
• Spec 318 - Admin Surface Scope & Shell Context Audit.
• Spec 319 - Environment-Owned Surface Routing & Shell Context Contract.
• Spec 320 - Workspace-Owned Analysis Surface Registration & Shell Cutover.
• Spec 321 - Alerts / Audit Log Environment Filter Contract Decision.
• Spec 322 - Browser No-Drift Regression Guard.
• Spec 325 - Screenshot-Anchored Strategic Target Images.
• Spec 326 - Customer Review Workspace v1 Productization.
• Spec 327 - Governance Inbox Decision-First Workbench Productization.
• Spec 328 - Operations Hub Decision-First Workbench Productization.
• Spec 329 - Evidence / Audit Log Disclosure Productization.

Repo truth adjustment: the user draft named likely files under resources/views/filament/pages/environment-dashboard.blade.php and app/Filament/Pages/Governance/BaselineCompare.php. Current repository truth is:

• Environment Dashboard page class: apps/platform/app/Filament/Pages/EnvironmentDashboard.php.
• Environment Dashboard layout widget: apps/platform/app/Filament/Widgets/Dashboard/EnvironmentDashboardOverview.php.
• Environment Dashboard main view: apps/platform/resources/views/filament/widgets/dashboard/environment-dashboard-overview.blade.php.
• Environment Dashboard context chips view: apps/platform/resources/views/filament/widgets/dashboard/environment-dashboard-context-chips.blade.php.
• Existing summary builder: apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php.
• Baseline Compare page class: apps/platform/app/Filament/Pages/BaselineCompareLanding.php.
• Baseline Compare view: apps/platform/resources/views/filament/pages/baseline-compare-landing.blade.php.
• Baseline Compare Matrix exists separately at apps/platform/app/Filament/Pages/BaselineCompareMatrix.php and is out of scope except as an existing downstream analysis/detail route.

Spec 325 target images and briefs are visual calibration only. They are not runtime truth for readiness, health, drift severity, evidence freshness, proof availability, certification, RBAC, or diagnostic access.

Spec Candidate Check (mandatory - SPEC-GATE-001)

• Problem: Environment Dashboard and Baseline Compare are repo-real, environment-owned surfaces, but the first read can still force operators to reconcile backup, recovery, provider, evidence, review, operation, assignment, compare, and drift signals instead of answering one decision question.
• Today's failure: Operators can misread technical status, raw compare/diagnostic state, OperationRun completion, or a zero-finding compare as broad environment readiness. Missing baseline, missing proof, stale recovery, or evidence gaps can be visible but not framed as the decision blocker and next action.
• User-visible improvement: Operators can immediately see status, reason, impact, proof path, and one primary next action for environment readiness and baseline drift before opening diagnostics or raw details.
• Smallest enterprise-capable version: Productize only the existing Environment Dashboard and Baseline Compare Landing using existing models, services, links, policies, capabilities, widgets, and Blade views. Existing tables/details remain secondary.
• Explicit non-goals: No new baseline engine, drift engine, backup engine, restore engine, evidence generator, provider readiness engine, AI summary, dashboard scoring system, migration, seed, package, env var, queue, scheduler, storage change, compatibility route, or legacy query alias support.
• Permanent complexity imported: Feature-local layout/payload helpers if needed, targeted Pest Feature/Livewire tests, one Pest Browser smoke file, screenshots, and repo-truth-map.md. No new persisted truth, public abstraction, enum/status family, taxonomy, or cross-domain UI framework.
• Why now: Specs 314-322 stabilized workspace/environment context and no-drift guards. Specs 326-329 established the decision-first productization pattern. Spec 325 identifies Environment Dashboard and Baseline Compare / Drift as P0 strategic surfaces that still need runtime productization.
• Why not local: Small copy or card tweaks would not make the first decision explicit across readiness, proof, action, and diagnostics. A new backend readiness engine would overbuild. The narrow correct slice is page-local productization over existing repo truth.
• Approval class: Core Enterprise.
• Red flags triggered: Strategic UI productization and presentation semantics across two surfaces. Defense: scope is limited to two existing pages, forbids new backend/state frameworks, and prevents false health/compliance/customer-safe claims.
• Score: Nutzen: 2 | Dringlichkeit: 2 | Scope: 2 | Komplexitaet: 2 | Produktnaehe: 2 | Wiederverwendung: 2 | Gesamt: 12/12
• Decision: approve.

Candidate Source And Completed-Spec Guardrail

• Candidate source: Direct user-provided manual promotion for Spec 330, aligned with docs/ui-ux-enterprise-audit/strategic-surfaces.md, grouped-follow-up-candidates.md, and follow-up-specs/325-strategic-target-image-implementation-candidates.md.
• Current package check: No specs/330-* package, local branch, or remote branch existed before this preparation run.
• Related completed-spec check: Specs 314-329 include historical/completed foundation and productization signals. They are dependency context only and must not be rewritten by Spec 330.
• Close alternatives deferred: Restore Safety Workflow Productization, Provider Readiness Productization, and Sidebar / Shell Native Filament Polish remain follow-up candidates 331-333.
• Smallest viable implementation slice: Existing Environment Dashboard and Baseline Compare Landing only: header/scope, decision card, summary cards, right-side proof/action/disclosure panel, ranked actions, secondary context, collapsed diagnostics, environment-owned route tests, RBAC-aware links/actions, and browser smoke.

Spec Scope Fields (mandatory)

• Scope: environment-owned runtime UI surfaces.
• Primary Routes:
  • Environment Dashboard route: /admin/workspaces/{workspace}/environments/{environment}.
  • Environment Dashboard route name: admin.workspace.environments.show.
  • Environment Dashboard page class: apps/platform/app/Filament/Pages/EnvironmentDashboard.php.
  • Environment Dashboard widget/view: apps/platform/app/Filament/Widgets/Dashboard/EnvironmentDashboardOverview.php, apps/platform/resources/views/filament/widgets/dashboard/environment-dashboard-overview.blade.php.
  • Baseline Compare route: /admin/workspaces/{workspace}/environments/{environment}/baseline-compare.
  • Baseline Compare route name: filament.admin.pages.workspaces.{workspace}.environments.{environment}.baseline-compare.
  • Baseline Compare page class: apps/platform/app/Filament/Pages/BaselineCompareLanding.php.
  • Baseline Compare view: apps/platform/resources/views/filament/pages/baseline-compare-landing.blade.php.
• Data Ownership:
  • Environment-owned records and observed state: ManagedEnvironment, ProviderConnection, ManagedEnvironmentPermission, BackupSet, BackupSchedule, RestoreRun, BaselineTenantAssignment, BaselineProfile, BaselineSnapshot, Finding, FindingException, EvidenceSnapshot, EnvironmentReview, ReviewPack, and OperationRun.
  • Workspace-owned standards/configuration: Workspace, BaselineProfile, report/review definitions where existing.
  • No new table or persisted state is introduced.
• RBAC:
  • Workspace membership and environment entitlement are required.
  • Environment Dashboard view uses existing TENANT_VIEW / member checks and existing capabilities for linked actions.
  • Baseline Compare view requires existing environment access and TENANT_VIEW; compare start uses existing TENANT_SYNC capability and UiEnforcement.
  • Provider readiness/permissions, backup posture, restore/recovery proof, baseline profiles/compare, findings, evidence, operations, reviews, review packs, support diagnostics, and raw diagnostics must use existing policies/capabilities.

For canonical-view specs: N/A. Both primary surfaces are environment-owned, not clean workspace-wide canonical views.

UI Surface Impact (mandatory - UI-COV-001)

Does this spec add, remove, rename, or materially change any reachable UI surface?

• No UI surface impact
• Existing page changed
• New page/route added
• Navigation changed
• Filament panel/provider surface changed
• New modal/drawer/wizard/action added
• New table/form/state added
• Customer-facing surface changed
• Dangerous action changed
• Status/evidence/review presentation changed
• Workspace/environment context presentation changed

UI/Productization Coverage

• Route/page/surface: Environment Dashboard, EnvironmentDashboardOverview widget/view, Baseline Compare Landing, and its Blade view.
• Current or new page archetype: Environment Dashboard = Overview / Dashboard, UI-002; Baseline Compare = Drift / Diff, UI-015 / strategic UI-061.
• Design depth: Strategic Surface.
• Repo-truth level: repo-verified routes/pages/model foundations; individual runtime elements are classified in repo-truth-map.md.
• Existing pattern reused: Filament Page/Dashboard/Widget, Filament Sections, Filament actions, badges, existing EnvironmentDashboardSummaryBuilder, TenantGovernanceAggregateResolver, BaselineCompareStats, OperationRunLinks, ManagedEnvironmentLinks, BadgeRenderer, UiEnforcement, existing policies/capabilities, and existing target images/briefs from Spec 325.
• New pattern required: no new runtime framework; page-local decision/proof panel composition only.
• Screenshot required: yes, Browser smoke screenshots under specs/330-environment-dashboard-baseline-compare-productization/artifacts/screenshots/.
• Page audit required: no new full audit unless implementation changes route/archetype/coverage classification. Existing UI-002 and UI-015 reports plus Spec 325 target artifacts remain the reference.
• Customer-safe review required: medium. These are operator pages, but readiness and drift copy may feed customer handoff. Do not claim customer-safe, healthy, compliant, protected, or complete unless exact repo proof supports it.
• Dangerous-action review required: no new dangerous action expected. Existing compare start remains high-impact and must keep Action::make(...)->action(...), ->requiresConfirmation(), capability enforcement, OperationRun, notifications, and tests.
• Coverage files updated or explicitly not needed:
  • docs/ui-ux-enterprise-audit/route-inventory.md
  • docs/ui-ux-enterprise-audit/design-coverage-matrix.md
  • docs/ui-ux-enterprise-audit/page-reports/...
  • docs/ui-ux-enterprise-audit/strategic-surfaces.md
  • docs/ui-ux-enterprise-audit/grouped-follow-up-candidates.md
  • docs/ui-ux-enterprise-audit/unresolved-pages.md
  • N/A - no reachable UI surface impact
  • Active spec package must carry repo-truth map, tests, browser screenshots, and close-out coverage decision. Registry updates are required only if runtime changes alter route/archetype/coverage classification.

Cross-Cutting / Shared Pattern Reuse

• Cross-cutting feature?: yes.
• Interaction class(es): dashboard signals/cards, status messaging, action links, header actions, evidence/proof links, OperationRun links, diagnostics disclosure, baseline compare state, empty states.
• Systems touched: Environment Dashboard page/widget/summary builder, Baseline Compare Landing page/view, baseline stats/aggregate helpers, backup/recovery support helpers, provider permission view models, OperationRun links, resource policies/capabilities, and browser fixtures/tests.
• Existing pattern(s) to extend: existing Environment Dashboard summary builder and widget, existing Baseline Compare stats/explanation pattern, existing OperationRun UX/link helpers, existing badge domains, existing UiEnforcement action gating, existing environment-owned routing helpers.
• Shared contract / presenter / builder / renderer to reuse: EnvironmentDashboardSummaryBuilder, BaselineCompareStats, TenantGovernanceAggregateResolver, OperationRunLinks, ManagedEnvironmentLinks, BadgeRenderer, UiEnforcement, and existing policies/capability resolvers.
• Why the existing shared path is sufficient or insufficient: Existing paths are sufficient for truth, links, RBAC, and baseline/backup/evidence calculations. They are insufficient only in first-read hierarchy and diagnostics disclosure ordering.
• Allowed deviation and why: bounded page-local payload/view helpers are allowed if needed to keep Blade and widgets reviewable. New readiness engines, proof engines, status families, or UI frameworks are not allowed.
• Consistency impact: Status, reason, impact, next action, proof, and diagnostics labels must align with related Operations, Evidence/Audit, Customer Review Workspace, and Governance Inbox language.
• Review focus: Verify no fake readiness/drift proof, no false green state, no raw diagnostics by default, no unauthorized links/actions, no shell-scope regression, no static platform tenant copy, and no duplicate local truth layer.

OperationRun UX Impact

• Touches OperationRun start/completion/link UX?: link/proof presentation plus existing Baseline Compare start action only. No new OperationRun type, lifecycle transition, summary count writer, queue notification policy, or terminal notification path.
• Shared OperationRun UX contract/layer reused: OperationRunLinks, OperationUxPresenter, OpsUxBrowserEvents, existing operation policies, existing operation detail pages, and existing BaselineCompareService::startCompare().
• Delegated start/completion UX behaviors: Baseline Compare start continues to delegate queued toast/browser event/run link to the existing Ops UX path. Environment Dashboard and proof panels only open existing operations.
• Local surface-owned behavior that remains: show Operation proof available, Operation proof missing, Latest operation proof, or equivalent based on existing linked runs.
• Queued DB-notification policy: unchanged / N/A.
• Terminal notification path: unchanged.
• Exception required?: none.

Provider Boundary / Platform Core Check

• Shared provider/platform boundary touched?: display-only provider readiness/permissions and copy boundaries.
• Boundary classification: mixed display seam. Environment/workspace/readiness/drift terms are platform-core; Microsoft/Entra/Intune terms may remain only where the source provider record or external identity uses them.
• Seams affected: provider connection descriptors, required permissions, verification/readiness copy, baseline compare copy, static tenant language guards.
• Neutral platform terms preserved or introduced: workspace, environment, provider, required permissions, readiness proof, operation proof, evidence, review, baseline, drift, diagnostics.
• Provider-specific semantics retained and why: Microsoft/Entra/Intune/provider tenant ID can appear only where existing provider-boundary truth requires it.
• Why this does not deepen provider coupling accidentally: no Graph calls, provider contracts, provider persistence, provider taxonomy, or provider-specific readiness model is added.
• Follow-up path: Provider Readiness Productization remains a separate follow-up spec.

UI / Surface Guardrail Impact

Surface / Change	Operator-facing surface change?	Native vs Custom	Shared-Family Relevance	State Layers Touched	Exception Needed?	Low-Impact / N/A Note
Environment Dashboard	yes	Filament Dashboard/Page plus existing widgets and Blade	dashboard signals, action links, proof/disclosure	shell, page, widget payload, route environment	no	Existing route only
EnvironmentDashboardOverview widget	yes	Existing Blade widget using Filament primitives	readiness cards, ranked actions, proof panel	widget payload	no	Refactor only
Baseline Compare Landing	yes	Filament Page plus existing Blade	compare state, OperationRun start/link, diagnostics	page, route environment, query launch context	no	Existing route only
Baseline Compare diagnostics/raw diff disclosure	yes	collapsed/progressive disclosure	support/raw detail	page payload/details	no	Collapsed by default
Existing compare/findings/details sections	yes	existing Filament/Blade sections	secondary context	page payload	no	Remain secondary

Decision-First Surface Role

Surface	Decision Role	Human-in-the-loop Moment	Immediately Visible for First Decision	On-Demand Detail / Evidence	Why This Is Primary or Why Not	Workflow Alignment	Attention-load Reduction
Environment Dashboard	Primary Decision Surface	Operator decides whether an environment is ready, blocked, stale, or requiring review	status, reason, impact, proof path, one next action, readiness dimensions	operations, evidence, review packs, provider checks, backup/restore details, diagnostics	Primary because it is the environment command/readiness surface	Follows environment governance readiness, not raw admin status	Prevents scanning many equal cards
Baseline Compare Landing	Primary Decision Surface	Operator decides whether baseline drift requires action or compare is unavailable	assigned baseline, compare trust, drift impact, reason, proof, one next action	findings, evidence gaps, operation run detail, raw diff/diagnostics	Primary because it answers baseline drift/action for one environment	Follows baseline governance decision before matrix/detail	Prevents raw diff or zero findings from reading as all-clear
Existing detail sections/tables	Secondary Context	Operator investigates after first decision	concise findings, latest run, evidence gaps, assignment data	full findings, matrix, run detail, raw diagnostics	Secondary because they support the decision	Keeps current drilldowns	Reduces first-read noise
Raw diagnostics/raw diff	Tertiary Evidence / Diagnostics	Support/operator inspects technical data after proof path	collapsed availability only	raw JSON/diff/payloads, provider diagnostics, debug metadata	Not primary	Preserves support depth	Prevents raw-console default

Audience-Aware Disclosure

Surface	Audience Modes In Scope	Decision-First Default-Visible Content	Operator Diagnostics	Support / Raw Evidence	One Dominant Next Action	Hidden / Gated By Default	Duplicate-Truth Prevention
Environment Dashboard	operator-MSP, manager, support reviewer	readiness question, status, reason, impact, proof path, ranked next actions, readiness dimensions	operations requiring attention, provider check details, evidence/review/backup details	raw provider payloads, support diagnostics bundle, raw run context	open the primary readiness blocker/action	raw payloads, provider secrets, stack traces, debug metadata, unsupported health claims	top card states readiness once; cards add proof not duplicate verdict
Baseline Compare Landing	governance operator, manager, support reviewer	drift question, assigned baseline, compare trust, drift impact, reason, proof, primary next action	findings breakdown, evidence gap buckets, operation proof	raw diff, raw diagnostics, raw OperationRun context, provider payloads	assign/open baseline, run compare, or review drift depending on state	raw diff/payloads/debug/provider detail	top card states drift decision once; sections add evidence/details

UI/UX Surface Classification

Surface	Action Surface Class	Surface Type	Likely Next Operator Action	Primary Inspect/Open Model	Row Click	Secondary Actions Placement	Destructive Actions Placement	Canonical Collection Route	Canonical Detail Route	Scope Signals	Canonical Noun	Critical Truth Visible by Default	Exception Type / Justification
Environment Dashboard	Workbench / Dashboard	Environment readiness command surface	Open the readiness blocker or proof path	explicit primary action plus existing linked cards	N/A	right-side panel / secondary cards	none introduced	/admin/workspaces/{workspace}/environments/{environment}	same route plus existing child routes	active workspace and route-bound environment	Environment Dashboard	readiness status, reason, impact, proof, next action	none
Baseline Compare Landing	Workbench / Drift	Environment baseline compare decision surface	Run compare, assign/open baseline, or review drift	explicit primary action plus existing findings/run/matrix links	N/A	proof panel and secondary detail sections	compare start remains confirmed action	/admin/workspaces/{workspace}/environments/{environment}/baseline-compare	same route plus existing matrix/findings/run routes	active workspace and route-bound environment	Baseline Compare	baseline assignment, compare trust, drift impact, evidence/proof	existing special compare action
Diagnostics disclosure	Diagnostics / Support Raw	Collapsed technical context	Expand/open diagnostics if authorized	disclosure/detail action	N/A	below proof panel	none	same pages	authorized detail/support surfaces	route-bound environment	Diagnostics	collapsed status only	none

Operator Surface Contract

Surface	Primary Persona	Decision / Operator Action Supported	Surface Type	Primary Operator Question	Default-visible Information	Diagnostics-only Information	Status Dimensions Used	Mutation Scope	Primary Actions	Dangerous Actions
Environment Dashboard	MSP operator / manager	Decide whether environment is ready, blocked, stale, or needs review	Environment readiness workbench	Is this environment ready, blocked, stale, or requiring review?	workspace/environment/provider, status, reason, impact, proof path, readiness dimensions, ranked next actions	raw provider payloads, support diagnostics, raw OperationRun context, debug metadata	provider readiness, permissions, backup posture, recovery proof, baseline/drift, evidence freshness, review freshness, accepted risk, operation attention	mostly navigation; support request remains TenantPilot/external handoff per existing action	open primary blocker/proof path	none introduced
Baseline Compare Landing	Governance operator	Decide whether drift requires action or compare cannot be trusted	Baseline drift workbench	Which baseline drift requires action?	assigned baseline, compare trust, drift impact, reason, evidence/proof, primary next action	raw diff, evidence gap diagnostics, raw run context, provider payloads	assignment, compare availability, execution outcome, result trust, drift impact, evidence gap, operation proof	compare start queues TenantPilot operation / simulation compare against current observed state	run compare, open baseline profiles/matrix/findings/run depending on state	compare start remains high-impact confirmed action

Proportionality Review

• New source of truth?: no.
• New persisted entity/table/artifact?: no. repo-truth-map.md is a Spec Kit preparation artifact, not runtime truth.
• New abstraction?: no public abstraction. Page-local private helpers are allowed only when they reduce Blade complexity and stay feature-local.
• New enum/state/reason family?: no domain state. Display states must derive from existing model/service truth.
• New cross-domain UI framework/taxonomy?: no.
• Current operator problem: Existing environment and compare pages must answer readiness/drift decisions without forcing raw technical reconstruction or implying false green states.
• Existing structure is insufficient because: Current pages already expose much of the truth but do not consistently enforce the status/reason/impact/proof/next-action hierarchy or diagnostics collapsed by default.
• Narrowest correct implementation: Refactor existing page/widget/view payloads and Blade layout, bind to existing sources, keep diagnostics collapsed, and add targeted tests/browser smoke.
• Ownership cost: Feature-local layout/payload tests, one Browser smoke, screenshots, and spec truth map. No durable backend model or new framework cost.
• Alternative intentionally rejected: new readiness scoring engine, baseline/drift backend rebuild, provider readiness foundation, recovery-proof engine, UI framework, AI summary, broad design system work, or route replacement.
• Release truth: current-release runtime UI productization over existing environment and baseline foundations.

Compatibility posture

This feature assumes pre-production runtime posture. Backward compatibility, historical aliases, migration shims, dual-read logic, legacy route redirects, and legacy query aliases are out of scope. Existing legacy query aliases (tenant, tenant_id, managed_environment_id, environment, tenant_scope, tableFilters) must not establish environment ownership or valid compare/dashboard context.

Testing / Lane / Runtime Impact (mandatory for runtime behavior changes)

• Test purpose / classification: Feature, Livewire, Browser.
• Validation lane(s): confidence and browser; targeted context guard filters for Specs 314-322.
• Why this classification and these lanes are sufficient: The change is page/view hierarchy, route ownership, RBAC-visible actions, and diagnostics disclosure. Feature/Livewire tests prove rendered contracts and authorization; Browser smoke proves end-to-end page framing and no context drift.
• New or expanded test families: one explicit Browser smoke file Spec330EnvironmentDashboardBaselineCompareSmokeTest.php; focused Feature/Livewire tests under existing Filament/Dashboard/Baseline families.
• Fixture / helper cost impact: use existing factories and baseline compare fixture helpers. Do not broaden default helpers or seeders.
• Heavy-family visibility / justification: Browser coverage is explicit because two strategic surfaces require visual/context smoke and screenshots.
• Special surface test profile: global-context-shell, monitoring-state-page, shared-detail-family.
• Standard-native relief or required special coverage: special coverage required because these are strategic environment-owned decision surfaces with diagnostics disclosure.
• Reviewer handoff: Review lane fit, hidden fixture cost, route ownership, RBAC gating, static tenant copy guard, false green guard, and raw diagnostics hidden by default.
• Budget / baseline / trend impact: none expected; browser file is explicit and scoped.
• Escalation needed: document-in-feature if implementation discovers an existing shared path is insufficient; follow-up-spec only for structural readiness/provider/restore gaps.
• Active feature PR close-out entry: Guardrail / Exception / Smoke Coverage.
• Planned validation commands:
  • cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Filament tests/Feature/Rbac tests/Feature/Navigation --filter='EnvironmentDashboard|TenantDashboard|BaselineCompare|EnvironmentOwned|LegacyTenant|Spec322' --compact
  • cd apps/platform && ./vendor/bin/sail artisan test tests/Browser/Spec330EnvironmentDashboardBaselineCompareSmokeTest.php --compact
  • cd apps/platform && ./vendor/bin/sail artisan test --filter='EnvironmentDashboard|BaselineCompare|AdminSurfaceScope|EnvironmentOwned|LegacyTenant|Spec322' --compact
  • cd apps/platform && ./vendor/bin/sail pint --dirty
  • git diff --check

User Scenarios & Testing (mandatory)

User Story 1 - Environment readiness is decidable (Priority: P1)

As an MSP operator, I want the Environment Dashboard to answer whether the environment is ready, blocked, stale, or needs review before I inspect technical details.

Why this priority: Environment Dashboard is the command surface for environment governance and customer handoff readiness.

Independent Test: Render an environment with missing proof/actions and assert the first-read shows the readiness question, status, reason, impact, proof path, next action, ranked actions, and collapsed diagnostics.

Acceptance Scenarios:

1. Given an authorized operator opens an explicit environment route, When the dashboard renders, Then it shows Is this environment ready, blocked, stale, or requiring review? before secondary details.
2. Given backup/evidence/baseline proof is missing or stale, When the dashboard renders, Then it shows an honest action-needed state and does not show false Healthy, Fully ready, Protected, Compliant, or Customer-safe claims.
3. Given a linked proof/action is not authorized, When the dashboard renders, Then the action is hidden or represented as unavailable without leaking protected details.

User Story 2 - Baseline drift is decidable (Priority: P1)

As a governance operator, I want Baseline Compare to answer which drift requires action or what prevents comparison before I inspect raw diff details.

Why this priority: Baseline Compare directly supports governance decisions and can otherwise be misread as raw technical output or implicit all-clear.

Independent Test: Render no-baseline, stale/missing compare, and drift states and assert the first-read shows assignment, compare trust, drift impact, evidence/proof, next action, and collapsed raw diff/diagnostics. For no-baseline, assert a compact visual Compare readiness stepper/pipeline and available-inputs section explain the missing compare chain without reintroducing duplicated summary cards.

Acceptance Scenarios:

1. Given an environment has no assigned baseline, When Baseline Compare renders, Then it shows Baseline not assigned, the reason, impact, a repo-real next action or unavailable state, a five-step Compare readiness flow rendered as an ordered visual pipeline, compact Available inputs, and no duplicated Assigned baseline / Compare trust / Drift impact lower summary blocks.
2. Given a compare result exists with findings or evidence gaps, When Baseline Compare renders, Then it shows drift impact and evidence state before raw details.
3. Given compare diagnostics exist, When the page initially renders, Then raw diff/diagnostics are collapsed or hidden by default.

User Story 3 - Environment ownership and legacy aliases stay sealed (Priority: P2)

As a platform owner, I want both pages to require explicit environment route ownership so workspace hub filters, remembered environment context, and legacy tenant aliases cannot create false scope.

Why this priority: Specs 314-322 are the safety foundation for these pages. Productization must not reopen context drift.

Independent Test: Exercise explicit environment route, clean workspace-style URL, remembered environment fallback, cross-workspace environment route, and legacy aliases for both pages.

Acceptance Scenarios:

1. Given an authorized user opens /admin/workspaces/{workspace}/environments/{environment}, When the route matches the environment workspace, Then the Environment Dashboard renders with active environment context.
2. Given an authorized user opens /admin/workspaces/{workspace}/environments/{environment}/baseline-compare, When the route matches the environment workspace, Then Baseline Compare renders with active environment context.
3. Given only a remembered environment or legacy query alias exists, When either page is requested without route-owned environment context, Then the request does not establish environment ownership.
4. Given workspace route and environment route disagree, When either page is requested, Then access is denied as not found.

Functional Requirements

• FR-330-001: Environment Dashboard MUST render a decision-first readiness question before technical detail.
• FR-330-002: Environment Dashboard MUST show default-visible Status, Reason, Impact, Proof, and Next action labels or final equivalent copy.
• FR-330-003: Environment Dashboard MUST derive readiness status from existing repo truth and MUST NOT create a persisted readiness status family.
• FR-330-004: Environment Dashboard MUST show compact readiness dimensions only where repo-supported or honestly unavailable.
• FR-330-005: Environment Dashboard MUST include a proof/action panel showing evidence, operation proof, review/review pack, provider check, backup/recovery proof, and diagnostics disclosure where repo-supported.
• FR-330-006: Environment Dashboard MUST show one primary next action and a ranked short list of additional repo-real actions.
• FR-330-007: Baseline Compare MUST render a decision-first drift/action question before raw compare details.
• FR-330-008: Baseline Compare MUST show assigned baseline, compare trust/availability, drift impact, evidence/proof, and primary next action when repo-supported.
• FR-330-009: Baseline Compare MUST render no-baseline and no-snapshot/no-compare states as actionable unavailable states, not empty technical states.
• FR-330-009a: Baseline Compare no-baseline state MUST render a compact visual Compare readiness flow stepper/pipeline with five ordered steps: Baseline assigned, Baseline snapshot, Environment snapshot, Compare run, and Decision output. It MUST show dependency/order indicators between steps, mark Baseline assigned as the current Missing blocker with a warning accent, mark Compare run as Unavailable, derive the environment snapshot state from repo truth where available, and avoid fake drift data.
• FR-330-009b: Baseline Compare no-baseline state MUST render compact Available inputs for environment snapshot, operation proof, and baseline snapshot, plus optional assignment-unlocks copy. It MUST NOT re-add duplicated lower summary blocks named Assigned baseline, Compare trust, Drift impact, or a duplicate Evidence path.
• FR-330-010: Baseline Compare MUST show drift findings/evidence gaps before raw diff or diagnostics when compare data exists.
• FR-330-011: Raw provider payloads, raw baseline diff JSON, raw OperationRun context, stack traces, debug metadata, provider secrets, and internal exception traces MUST NOT be default-visible.
• FR-330-012: Diagnostics/raw details MUST be collapsed, hidden, or capability-gated by default on both pages.
• FR-330-013: Existing useful detail sections, tables, links, widgets, and actions MUST remain available as secondary context where authorized.
• FR-330-014: Both pages MUST remain environment-owned and require explicit route-bound Environment context.
• FR-330-015: Clean workspace-wide URLs MUST NOT pretend to be environment-scoped pages for either surface.
• FR-330-016: Remembered Environment fallback MUST NOT establish ownership authority for either surface.
• FR-330-017: Legacy query aliases (tenant, tenant_id, managed_environment_id, environment, tenant_scope, tableFilters) MUST NOT establish valid context on either surface.
• FR-330-018: Cross-workspace environment route mismatches MUST be rejected as not found.
• FR-330-019: All actions and links MUST be real, route-backed, and authorization-aware.
• FR-330-020: Existing compare start MUST preserve confirmation, server-side authorization, OperationRun creation, notification, and tests.
• FR-330-021: Copy MUST avoid static platform-context tenant language while preserving dynamic display names and provider-bound terms such as Microsoft tenant/provider tenant ID.
• FR-330-022: The implementation MUST not show Healthy, Ready, Complete, Protected, Compliant, or Customer-safe unless the exact claim is repo-backed. Preferred labels include Ready for review, Action needed, Blocked, Evidence missing, Backup proof missing, Recovery proof stale, Baseline not assigned, Compare unavailable, Drift requires review, Provider readiness incomplete, Permissions complete, and Operation proof available.
• FR-330-023: repo-truth-map.md MUST exist before runtime implementation and MUST classify each visible element.

Non-Functional Requirements

• NFR-330-001: No Graph/provider API calls during page render.
• NFR-330-002: No migrations, seeders, packages, env vars, queues, scheduler, storage, or deployment asset changes are expected.
• NFR-330-003: Filament v5 and Livewire v4.0+ compliance MUST be preserved.
• NFR-330-004: Panel provider registration remains in apps/platform/bootstrap/providers.php; no provider registration changes are expected.
• NFR-330-005: No globally searchable resource is added or changed. If implementation touches resources, global search must remain disabled or backed by safe View/Edit pages and $recordTitleAttribute.
• NFR-330-006: Page render must stay DB-only and bounded to existing queries; no broad new query family or unbounded relationship loading.
• NFR-330-007: Browser smoke must capture required screenshots under the Spec 330 artifacts path when generated.

Repo Truth / Data Requirements

• Every visible runtime element MUST be classified in repo-truth-map.md as one of repo-verified, foundation-real, derived from existing model, empty/unavailable state, or deferred future capability.
• Source areas that MUST be considered:
  • ManagedEnvironment
  • provider connection/readiness
  • required permissions
  • backup sets and schedules
  • restore runs and recovery proof
  • baseline profile assignment
  • baseline snapshots
  • baseline compare result
  • drift findings
  • risk exceptions / accepted risks
  • evidence snapshots
  • review packs and environment reviews
  • OperationRuns
  • audit links if present
• If an element lacks a safe source, route, authorization path, or current-release truth, it MUST become unavailable/omitted/deferred instead of being invented.

Out Of Scope

• Rebuilding the Environment model.
• Rebuilding Baseline Compare backend logic.
• New drift detection logic.
• New baseline assignment workflow unless an existing action/link already exists.
• New evidence generation.
• New backup/restore checks.
• Operations Hub, Governance Inbox, Customer Review Workspace, Evidence/Audit, Restore Safety, and Provider Readiness redesign.
• Commercial entitlements.
• External portal.
• AI.
• New migrations, packages, env vars, queues, scheduler, storage, deployment assets, or compatibility layers.
• Legacy /admin/t routes or legacy query alias support.

Edge Cases

• Environment has no provider connection.
• Provider permissions are missing or stale.
• Backup proof exists but recovery proof is stale or unavailable.
• No baseline assignment exists.
• Baseline profile exists but no complete snapshot is consumable.
• Compare run is queued/running.
• Compare run failed or produced no usable result.
• Compare result has zero findings but coverage/evidence gaps exist.
• Compare result has drift findings but raw diff is unavailable or not authorized.
• Latest evidence snapshot or review pack is missing.
• OperationRun proof exists but the actor cannot view it.
• Dynamic environment/workspace display name contains Tenant; this is allowed.
• Static UI copy uses platform tenant wording; this is forbidden.

Acceptance Criteria

Environment Dashboard

• Environment Dashboard has decision-first readiness layout.
• Main readiness question is visible.
• Status/reason/impact/proof/next action are visible.
• Readiness dimensions are visible where repo-supported.
• Proof/action panel exists.
• Recommended next actions are ranked.
• Existing secondary context remains accessible.
• Diagnostics are collapsed by default.
• No false green readiness claim is introduced.

Baseline Compare

• Baseline Compare has decision-first layout.
• Main drift/action question is visible.
• Baseline assignment state is visible.
• Compare trust/state is visible.
• Drift/evidence state is visible where repo-supported.
• No-baseline state is actionable and honest.
• Raw diff/details are not first-read.
• Diagnostics/raw diff are collapsed by default.

Scope / Routing

• Both surfaces are environment-owned.
• Explicit Environment route is required.
• Remembered Environment is not used as ownership authority.
• Cross-workspace Environment is rejected.
• Legacy tenant aliases do not create valid context.
• No /admin/t route assumptions are reintroduced.

Safety / Copy

• Raw payloads hidden by default.
• Provider secrets not visible.
• Internal exception/debug text not visible.
• Static platform-copy does not use tenant.
• Dynamic names containing Tenant remain unchanged.
• No false health/compliance/customer-safe claims.

RBAC

• Unauthorized user cannot access protected environment/baseline data.
• Unauthorized actions are hidden/disabled or unavailable.
• Evidence access respects capability.
• Operation proof access respects capability.
• Diagnostics/raw details access respects capability.

Validation

• Repo truth map exists.
• Required Feature tests pass.
• Required Browser smoke passes.
• Relevant Spec 314-322 guards still pass.
• pint --dirty passes.
• git diff --check passes.
• No broad rebaseline.
• Full suite status is honestly reported if run/not run.

Success Criteria

• Environment operators can identify the primary readiness blocker and next action in the first viewport.
• Governance operators can identify baseline assignment/compare/drift posture before raw details.
• Missing proof and no-baseline states are explicit and action-oriented.
• Diagnostics/raw details stay secondary.
• Environment-owned route behavior remains sealed by tests and browser smoke.

Risks

• Existing Environment Dashboard already has several productized components; the implementation must improve decision hierarchy without broad redesign or duplicate truth.
• Existing Baseline Compare has mature explanation and stats logic; the implementation must not flatten matrix/launch semantics or imply all-clear from zero findings.
• Existing support diagnostics and raw metadata paths may tempt broader disclosure work; keep them collapsed/authorized and defer structural diagnostics productization.

Assumptions

• No schema change is required.
• Existing factories and browser fixture helpers can create enough environment, no-baseline, action-needed, and drift states for tests.
• Existing capabilities are sufficient for action visibility and raw diagnostics gating.
• Baseline Compare Matrix remains a separate secondary analysis surface.

Open Questions

None blocking preparation. Implementation must verify exact authorized action availability before rendering each action and must downgrade unsupported elements to unavailable/deferred states.

Follow-Up Spec Candidates

• Spec 331 - Restore Safety Workflow Productization.
• Spec 332 - Provider Readiness Productization.
• Spec 333 - Sidebar / Shell Native Filament Polish Pass.