ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
platform-dev
TenantAtlas/specs/333-restore-create-ux-final-productization/restore-create-state-contract.md
ahmido 1e45a29937 feat: finalize restore create ux productization (#403) 
## Summary
- finalize the restore create wizard productization across safety, validation, preview, and confirmation steps
- refine the restore presenter output and Blade component rendering for clearer proof, scope, resolver, and execution-readiness states
- add and update feature and browser coverage plus Spec 333 artifacts and screenshots

## Testing
- Not run as part of this commit/PR task

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #403
2026-05-28 22:04:32 +00:00

17 KiB
Raw Permalink Blame History

Restore Create State Contract - Spec 333

This contract describes the visible product-state matrix for the Restore Create wizard. It is a preparation artifact for implementation. Runtime truth must remain centralized in RestoreRunCreatePresenter; Blade components render this contract and must not invent independent status, proof, gate, or next-action truth.

Contract Columns

Column Meaning
State The product state represented in the current wizard step
Visible status The operator-facing state label
Reason Why the state is true
Impact What the state means for safe progression
Primary next action The one dominant action for the operator
Gate state Complete, required, blocked, warning, or unavailable
Can continue? Whether the wizard may advance from this state
Proof claims allowed? What the UI may claim without overclaiming
Diagnostics Default diagnostic visibility

Central Wizard Gate Contract

RestoreRunCreatePresenter must expose one wizard_gate section. Step views, compact safety evidence, button hooks, disabled states, and blocking notifications consume this section rather than recreating gate copy locally.

Required concepts:

  • current_gate / current_gate_label
  • next_gate / next_gate_label
  • blocking_prerequisite / blocking_prerequisite_label
  • required_action / required_action_label
  • can_continue
  • continue_label
  • continue_disabled_reason
  • execution_state / execution_label
  • can_execute
  • proof_state
  • preview_state
  • confirmation_state

If validation and preview evidence are current but real execution prerequisites are unavailable, Step 4 may still advance to confirmation review. In that state, next_gate_label is Confirmation required, can_continue is true, can_execute is false, and execution_label must state that execution is unavailable until prerequisites are resolved. Step 4 must not emit a generic Execution blocked notification while advertising confirmation as the next gate.

Step 1 - Select Backup Set

State Visible status Reason Impact Primary next action Gate state Can continue? Proof claims allowed? Diagnostics
No backup selected Source required Select a completed backup set before restore validation. Restore validation and preview cannot start without a source backup. Select backup set. required no Source backup pending; operation proof unavailable; post-run evidence unavailable. Collapsed
Backup selected with no captured/restorable items Source not usable Selected backup contains no captured restorable items. Restore validation cannot prove a usable restore source. Select another backup set. blocked no Source backup selected but unusable; no execution or recovery proof. Collapsed
Backup selected and usable with quality/dependency issues Source selected, review required Source backup is usable but contains quality or dependency issues. Validation and preview must resolve these issues before execution. Continue to scope and resolve required mappings. warning yes, to scope only Source backup usable; input quality caveat; no execution or recovery proof. Collapsed
Backup selected and clean Source selected A usable source backup is selected. Restore scope and validation can continue. Continue to scope. complete yes Source backup selected and input quality shown; no execution or recovery proof. Collapsed

Step 1 default layout:

  • Restore Safety decision card
  • Backup set selector
  • Backup quality summary
  • Full Restore Safety Gates flow
  • Restore Proof panel
  • Diagnostics collapsed

Step 1 must not show tenant-wide recoverability, technical startability, write-gate, hard-blocker, or claims that Graph works again.

Step 2 - Define Restore Scope

State Visible status Reason Impact Primary next action Gate state Can continue? Proof claims allowed? Diagnostics
Scope not defined Scope required Select all items or selected items before validation. Validation cannot prove an undefined restore draft. Define restore scope. required no Source proof may be available; scope proof pending. Collapsed
All items in scope, no mappings required Scope ready All restorable items remain in scope and no unresolved mappings are detected. Validation can run for the current draft. Run safety checks. complete yes Scope selected; dependency mapping not required; no execution/recovery proof. Collapsed
Selected items in scope, no mappings required Scope ready Selected restore items define the current draft and no unresolved mappings are detected. Validation can run for the selected scope. Run safety checks. complete yes Scope selected; no execution/recovery proof. Collapsed
Required mappings unresolved Dependency mappings required Target mappings are unresolved for the current draft. Validation cannot prove the current draft until required mappings are resolved or explicitly skipped where allowed. Resolve mappings. blocked no Source and scope may be selected; dependency proof pending. Collapsed
Mappings resolved Dependency mappings resolved Required target mappings are resolved or explicitly skipped where allowed. Validation can run for the current draft. Run safety checks. complete yes Mapping decision recorded for draft; no execution/recovery proof. Collapsed
Resolver expanded Resolve target mappings Operator explicitly opened mapping details. Row-level mapping decisions are visible for review. Select target group, enter manual object ID, or skip where supported. required or complete by row no while unresolved Source/target display names and IDs as metadata; no execution/recovery proof. Row details visible; raw payloads hidden
Group picker has current-environment results Target group selection available Cached directory groups exist for this environment. Operator can choose a target group from cache. Select target group. required returns to resolver Cache availability only; no proof of execution safety. Table visible
Group picker cache empty No directory group cache available TenantPilot needs cached directory groups before target mappings can be selected. Cached target selection cannot proceed until group sync runs, unless manual fallback is supported. Open group sync or enter object ID manually. blocked or fallback no cached selection Cache unavailable; manual fallback allowed only as explicit fallback. Empty state visible

Step 2 default layout:

  • Define restore scope card
  • Scope options
  • Scope impact summary
  • Restore dependency mapping summary
  • Resolve mappings action
  • Compact Restore Safety Status
  • Restore Proof panel
  • Diagnostics collapsed

Step 2 default hidden content:

  • full mapping details
  • 20+ raw mapping fields
  • full seven-gate safety flow
  • repeated GUID helper text
  • raw IDs as primary source labels

Mapping row identity:

  • Source group display name first
  • Source ID secondary
  • Target group display name first when cached target selected
  • Target ID secondary
  • Manual fallback badge if GUID entered manually
  • Skipped state if intentionally skipped

Allowed fallback:

  • Unknown source group
  • Source ID: {id}

Forbidden primary labels:

  • raw GUID only
  • Unresolved (...id)
  • state label as group name
  • SKIP as primary UX

Step 3 - Validate

State Visible status Reason Impact Primary next action Gate state Can continue? Proof claims allowed? Diagnostics
No checks run Validation required Run checks after scope and required mappings are complete. Preview and execution remain unavailable until validation runs. Run safety checks. required no Validation not recorded; no preview/execution proof. Collapsed
Provider credentials missing Validation blocked Provider credentials are not available for this environment. Restore checks cannot run until provider connection is repaired. Review provider connection. blocked no Provider readiness currently prevents checks; no raw provider exception. Collapsed
Checks finished with blockers Validation blocked Resolve blocking validation checks before preview. Preview or execution cannot be trusted while blockers remain. Review blockers. blocked no Validation ran and blockers exist; no execution/recovery proof. Blockers visible; raw details collapsed
Checks passed with warnings Validation ready with warnings Validation completed, but warnings require review before confirmation. Preview can continue; execution remains gated by confirmation. Review preview. warning yes Validation complete with warnings; no execution/recovery proof. Warnings visible; raw details collapsed
Checks passed cleanly Validation ready Required validation checks completed for the current scope. Preview can be reviewed before confirmation. Review preview. complete yes Validation complete; no execution/recovery proof. Safe checks compact

Step 3 must not show:

  • Safety checks completed when blockers exist
  • Graph works again
  • Technical startability
  • write-gate
  • hard-blocker
  • raw provider credential exception
  • raw Graph exception

Product-safe provider wording:

Provider readiness or restore prerequisites currently prevent real execution.

Step 4 - Preview

State Visible status Reason Impact Primary next action Gate state Can continue? Proof claims allowed? Diagnostics
Validation incomplete Preview unavailable Run validation before generating preview. Preview cannot be trusted without current validation. Run safety checks. blocked no No preview proof. Collapsed
Validation blockers exist Preview blocked Resolve blockers before preview can be generated. Preview cannot proceed while blockers remain. Review blockers. blocked no No trusted preview proof. Collapsed
Preview not generated Preview required Generate a normalized preview before confirmation. Confirmation remains unavailable until preview is current. Generate preview. required no Validation may be complete; preview proof unavailable. Collapsed
Preview generated with needs attention Preview ready with review items Preview is current and items require review. Operator must review needs attention before confirmation. Review preview and complete confirmation. warning yes if execution prerequisites allow Current preview proof exists; no execution/recovery proof. Needs attention visible; raw diff collapsed
Preview generated cleanly Preview ready Preview is current for the selected scope. Confirmation is the next gate before execution can be queued. Complete confirmation. complete yes if execution prerequisites allow Current preview proof exists; no execution/recovery proof. Details collapsed
Preview current but execution prerequisites unavailable Preview ready, confirmation reviewable Preview is current but real execution prerequisites are not available. Confirmation can be reviewed, but real execution remains unavailable until prerequisites are resolved. Review preview and continue to confirmation; resolve execution prerequisites before executing. warning yes, to confirmation only Preview proof exists; execution proof unavailable. Collapsed

Preview decision summary must show:

  • Total items reviewed
  • Items changed
  • Items unchanged
  • Items requiring review
  • Assignments changed
  • Scope tags changed
  • Blockers
  • Warnings
  • Next gate

Preview grouping order:

  1. Needs attention
  2. Changes detected
  3. No changes detected
  4. All reviewed items

Preview must not render by default:

  • every restore item as a large card
  • 100+ item cards
  • raw diff JSON
  • raw provider payload
  • repeated Policy change preview label for every item

Step 5 - Confirm & Execute

State Visible status Reason Impact Primary next action Gate state Can continue? Proof claims allowed? Diagnostics
Required gates incomplete Confirmation unavailable Required mappings, validation, preview, or prerequisites are incomplete. Execution cannot be queued. Complete required gate. blocked no Operation proof unavailable; post-run evidence unavailable. Collapsed
Preview-only/dry-run selected Preview-only ready Operator is creating a preview-only restore run. No real provider write will be queued from this state. Create preview-only restore run. complete for dry-run yes if form valid Preview-only intent; no execution/recovery proof. Collapsed
Execution prerequisites ready, acknowledgement missing Confirmation required Execution requires explicit acknowledgement and typed confirmation where supported. Real execution remains unavailable until confirmation is satisfied. Acknowledge impact and type confirmation. required no Operation proof unavailable; post-run evidence unavailable. Collapsed
Confirmation satisfied Ready to queue execution Required gates are complete and operator confirmation is satisfied. Real execution can be queued if RBAC/capability permits. Create restore run / queue execution. complete yes Execution intent may be queued; recovery still not verified until post-run evidence exists. Collapsed
Actor lacks capability Execution unavailable Current actor is not permitted to execute restore. Execution cannot be queued for this actor. Review permissions or keep preview-only. blocked no for execution No execution proof or recovery proof. Collapsed

Required safety copy before execution:

  • Operation proof unavailable before execution.
  • Post-run evidence unavailable before execution.
  • Recovery is not verified until post-run evidence exists.

Forbidden pre-execution claims:

  • Recovery verified
  • Execution proof complete
  • Post-run evidence available
  • Customer-safe
  • Healthy
  • Fully restored

Execution availability requires:

  • required mappings resolved or allowed skipped
  • validation not blocked
  • preview current
  • confirmation satisfied
  • RBAC/capability permits execution

Restore Proof Panel Contract

Restore Proof is not the process flow. It shows proof basis:

Proof item Allowed pre-execution state Allowed post-execution state only if repo-supported Forbidden claim
Source backup Selected / Available / Needs review / Blocked N/A source proves recovery
Target environment Selected / Available N/A target is healthy
Requested by Recorded / Unavailable N/A user approval beyond current action
Restore scope Selected / Needs review / Blocked N/A scope is safe to execute without validation
Operation proof Unavailable before execution Available only after existing execution proof exists execution proof complete before execution
Post-run evidence Unavailable before execution Available / Unavailable only after existing repo-supported result evidence exists recovery verified before evidence
Diagnostics Collapsed Collapsed / support-gated raw proof shown by default

Allowed states:

  • Available
  • Unavailable
  • Recorded
  • Selected
  • Needs review
  • Blocked
  • Collapsed

Restore Safety Status Contract

Step Default safety display Full gates visible by default? Expansion behavior
Step 1 Full Restore Safety Gates yes N/A
Step 2 Compact Restore Safety Status no Full gates only after explicit View safety gates
Step 3 Compact Restore Safety Status no Full gates only after explicit View safety gates
Step 4 Compact Restore Safety Status no Full gates only after explicit View safety gates
Step 5 Compact Restore Safety Status no Full gates only after explicit View safety gates

Compact status must show:

  • X of Y gates complete
  • Next gate
  • Execution state
  • View safety gates

The UI must not show compact and full gates by default at the same time for Step 2+.

Navigation / Context Contract

Actions that leave the wizard must preserve context or be clearly secondary:

Action Context rule Target behavior
Open group sync Use active workspace/environment; no hardcoded IDs Open new tab if leaving wizard
View group sync operations Use active workspace/environment and operation type filter if supported Open new tab
Open provider connection Use active environment provider connection route Open new tab
Open operation proof Use existing authorized OperationRun link Open new tab if leaving wizard
Open evidence Use existing authorized evidence link only if repo-supported Open new tab
Open backup detail Use existing authorized backup route only if repo-supported Open new tab

Rules:

  • No hardcoded numeric workspace IDs.
  • No 404 URLs.
  • Use active workspace/environment context.
  • Label actions task-specifically.
  • Avoid generic primary CTAs such as Operations.

Forbidden Default Copy

Default Restore Create UI must not show:

  • Graph works again
  • Technical startability
  • write-gate
  • hard-blocker
  • raw provider credential exception
  • raw Graph exception
  • tenant as platform context when environment is meant
  • recovery verified before post-run evidence
  • execution proof complete before execution
  • post-run evidence available before execution
  • customer-safe/healthy/fully restored before proof exists