TenantAtlas/specs/337-evidence-review-pack-product-process-flow-alignment/tasks.md
ahmido b7c0dfe0e3 feat: align evidence review pack product process flow (Spec 337) (#407)
## Summary

Productizes the Evidence Overview review-pack process flow so the operator sees a clear, gated progression:

`evidence snapshot → stored report → review pack → customer-safe export`

with explicit gating, state-appropriate copy, collapsed diagnostics, and dark-mode coverage.

## Changes

- `EvidenceOverview` page + Blade view aligned to the review-pack state contract.
- New feature test: `Spec337EvidenceReviewPackProductFlowTest`.
- New browser smoke: `Spec337EvidenceReviewPackProductFlowSmokeTest`.
- Spec 337 artifacts: `spec.md`, `plan.md`, `tasks.md`, state contract, repo-truth map, checklist, and screenshot evidence.

## Spec Kit

Spec + code in one PR (Variante B). Gate satisfied: includes `specs/337-evidence-review-pack-product-process-flow-alignment/`.

## Notes

Filament v5 / Livewire v4 compliant. No destructive actions added. Tooling scratch (`.playwright-mcp/`) intentionally excluded from the commit.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #407
2026-05-30 13:41:19 +00:00


# Tasks: Spec 337 - Evidence Path / Review Pack Product Process Flow Alignment

- Input: `specs/337-evidence-review-pack-product-process-flow-alignment/spec.md`, `specs/337-evidence-review-pack-product-process-flow-alignment/plan.md`
- Prerequisites: `repo-truth-map.md`, `evidence-review-pack-state-contract.md`
- Preparation status: runtime implementation completed; checkboxes below reflect implementation and validation evidence.

**Tests**: Required. This changes strategic evidence/review surfaces and customer-safe package readiness presentation.

## Test Governance Checklist
- [x] Lane assignment remains explicit and narrowest sufficient (Feature + Browser).
- [x] Browser coverage stays single-file and scenario-scoped.
- [x] No new default-heavy helpers/factories/seeds are introduced; reuse existing fixture helpers.
- [x] Validation commands remain minimal and directly prove the changed contract.
- [x] Any unreachable state resolves as `document-in-feature` instead of fake screenshots or fake data.
## Phase 1: Preparation And Repo Truth
**Purpose**: Confirm repo truth and lock the state contract before runtime edits.
- [x] T001 Re-read `spec.md`, `plan.md`, this `tasks.md`, `repo-truth-map.md`, and `evidence-review-pack-state-contract.md`.
- [x] T002 Confirm working tree intent and record baseline commit (`git status`, `git log -1`).
- [x] T003 Re-verify related specs and guardrails:
  - `specs/332-product-process-flow-system-v1/`
  - `specs/326-customer-review-workspace-v1-productization/`
  - `specs/329-evidence-audit-log-disclosure-productization/`
  - `specs/336-baseline-compare-product-process-flow-alignment/`
  - `.specify/memory/constitution.md`
  - `docs/ai-coding-rules.md`
  - `docs/filament-guidelines.md`
  - `docs/security-guidelines.md`
  - `docs/testing-guidelines.md`
- [x] T004 Re-verify repo truth sources and step semantics:
  - `apps/platform/app/Models/EvidenceSnapshot.php`
  - `apps/platform/app/Models/StoredReport.php`
  - `apps/platform/app/Models/ReviewPack.php`
  - `apps/platform/app/Models/EnvironmentReview.php`
  - `apps/platform/app/Models/OperationRun.php`
  - `apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php`
  - `apps/platform/resources/views/filament/pages/monitoring/evidence-overview.blade.php`
  - `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`
  - `apps/platform/resources/views/filament/pages/reviews/customer-review-workspace.blade.php`
  - `apps/platform/app/Filament/Resources/ReviewPackResource.php`
  - `apps/platform/app/Filament/Resources/StoredReportResource.php`
  - `apps/platform/app/Filament/Resources/EvidenceSnapshotResource.php`
  - `apps/platform/app/Filament/Resources/EnvironmentReviewResource.php`
  - `apps/platform/app/Services/Evidence/EvidenceSnapshotService.php`
  - `apps/platform/app/Services/ReviewPackService.php`
  - `apps/platform/app/Http/Controllers/ReviewPackDownloadController.php`
- [x] T005 Update `repo-truth-map.md` and `evidence-review-pack-state-contract.md` if implementation-time code differs from the prepared truth. No update required; implementation stayed within the prepared derived-state contract.
- [x] T006 Confirm Product Process Flow rendering conventions from Spec 332 and decide reuse strategy before editing UI.
## Phase 2: Presenter / Flow Model
**Purpose**: Centralize "what exists, what is missing, what is customer-safe, and what can be exported" without adding persisted truth.
- [x] T007 Decide whether a small `EvidenceReviewPackPresenter` is needed or whether existing page payload builders can produce the flow model cleanly.
- [x] T008 Implement the narrowest derived-only mapping for:
  - decision card (`Status`, `Reason`, `Impact`, `Primary next action`)
  - six readiness flow steps
  - proof items
  - coverage/contents summary
  - customer-safe state
  - export/download state
  - diagnostics default state
- [x] T009 Ensure mapping uses existing models/statuses only and introduces no new enum/status/reason family.
- [x] T010 Ensure primary next action is exactly one per state and capability-aware.
- [x] T011 Ensure unsupported states render as unavailable/deferred with honest copy.
## Phase 3: Evidence Overview UI Alignment
**Purpose**: Make Evidence Overview the decision-first evidence readiness workbench.
- [x] T012 Add the decision question: `Is this evidence package ready for customer or auditor consumption?`
- [x] T013 Render `Status`, `Reason`, `Impact`, and `Primary next action` before raw artifact lists.
- [x] T014 Render `Evidence readiness flow` with Product Process Flow steps:
  - Source data selected
  - Evidence snapshot
  - Stored report
  - Review pack
  - Customer-safe output
  - Export / delivery
- [x] T015 Productize the Evidence Proof panel with rows for source data, snapshot, stored report, review pack, operation proof, export artifact, customer-safe state, and diagnostics.
- [x] T016 Keep raw artifact inventory secondary and diagnostics collapsed by default.
- [x] T017 Remove or avoid duplicated readiness/verdict blocks below the decision card.
- [x] T018 Ensure badges/status labels remain readable in light and dark mode.
## Phase 4: Review Pack / Customer Review Workspace / Export States
**Purpose**: Productize only repo-backed customer-safe and export states.
- [x] T019 Align Review Pack Resource list/detail copy or proof placement only where needed for state truth. No runtime change required; existing resource state/download semantics already matched the repo-truth contract.
- [x] T020 Align Customer Review Workspace evidence path only if current copy conflicts with the Spec 337 state contract. No runtime change required; existing customer-safe workspace tests remain the source of customer-safe readiness truth.
- [x] T021 Derive review-pack available/generating/failed/expired states from `ReviewPack.status`, `expires_at`, and file metadata.
- [x] T022 Derive export/download available only from ready, non-expired packs with `file_disk`, `file_path`, and authorized signed download.
- [x] T023 Render external delivery as unavailable unless a repo-backed delivery mechanism exists.
- [x] T024 Derive customer-safe output ready only from Customer Review Workspace / Environment Review readiness that is already repo-backed.
- [x] T025 Show coverage/contents metrics only if they exist in review/evidence/report summary data.
## Phase 5: OperationRun Proof / RBAC / Context / Diagnostics
**Purpose**: Preserve auditability and tenancy safety while hiding raw internals by default.
- [x] T026 Show OperationRun proof when linked and authorized:
  - status
  - started/completed timestamps
  - requested by / initiator
  - run type
  - result/outcome
  - operation detail link
- [x] T027 Show failed linked OperationRuns as failed proof, not as usable evidence output.
- [x] T028 Prevent cross-workspace/environment OperationRun and artifact links.
- [x] T029 Preserve workspace/environment/review query context in all secondary links.
- [x] T030 Keep diagnostics collapsed by default and hide raw JSON, raw payloads, stack traces, and internal exceptions on first render.
- [x] T031 Respect existing capabilities for generate evidence, generate report, generate review pack, export/download, open operation proof, open diagnostics, and open Customer Review Workspace.
- [x] T032 Do not add destructive actions; preserve confirmation and authorization on existing destructive/high-impact actions.
## Phase 6: Feature Tests (Pest)
- [x] T033 Add `apps/platform/tests/Feature/Filament/Spec337EvidenceReviewPackProductFlowTest.php`.
- [x] T034 Test missing evidence:
  - decision question renders
  - `Evidence snapshot required`
  - flow visible
  - evidence snapshot marked missing
  - review pack unavailable
  - customer-safe output not ready
  - diagnostics collapsed
  - no raw JSON visible
- [x] T035 Test evidence snapshot available / report missing when fixture-supported:
  - evidence snapshot available
  - stored report required
  - no fake review pack ready claim
- [x] T036 Test review pack required when fixture-supported:
  - stored report available
  - review pack required
  - generate review pack primary action only if authorized
- [x] T037 Test review pack available when fixture-supported:
  - review pack available
  - customer-safe state truthful
  - export state truthful
  - no false auditor-ready claim
- [x] T038 Test OperationRun proof:
  - generation OperationRun visible when linked
  - no cross-workspace OperationRun leak
  - failed OperationRun shown as failed proof
- [x] T039 Test RBAC/context:
  - unauthorized user cannot generate/export
  - cross-workspace evidence not visible
  - no legacy tenant alias
- [x] T040 Update existing Evidence/ReviewPack/CustomerReview tests only where assertions are strengthened.
## Phase 7: Browser Smoke + Screenshots
- [x] T041 Add `apps/platform/tests/Browser/Spec337EvidenceReviewPackProductFlowSmokeTest.php`.
- [x] T042 Cover browser states:
  - missing evidence snapshot
  - evidence generating if fixture-supported
  - stored report available / review pack missing
  - review pack available if fixture-supported
  - export unavailable
  - diagnostics collapsed
  - dark mode if practical
- [x] T043 Assert in browser:
  - Evidence readiness flow visible
  - decision card visible
  - proof panel visible
  - customer-safe state visible
  - raw payload hidden
  - primary next action visible
  - badges readable
- [x] T044 Capture screenshots into `specs/337-evidence-review-pack-product-process-flow-alignment/artifacts/screenshots/`:
  - `01-evidence-snapshot-required.png`
  - `02-evidence-generating.png`
  - `03-stored-report-required.png`
  - `04-review-pack-required.png`
  - `05-review-pack-available.png`
  - `06-customer-safe-output-state.png`
  - `07-export-unavailable.png`
  - `08-diagnostics-collapsed.png`
  - `09-dark-mode.png`
- [x] T045 If a state is unreachable, document the repo-truth reason in implementation close-out. All required screenshot states were reachable with repo-backed fixtures.
## Phase 8: Validation
- [x] T046 Run narrow Feature tests:
  ```bash
  cd apps/platform
  ./vendor/bin/sail artisan test tests/Feature/Filament/Spec337EvidenceReviewPackProductFlowTest.php --compact
  ```
- [x] T047 Run browser smoke:
  ```bash
  cd apps/platform
  ./vendor/bin/sail php vendor/bin/pest tests/Browser/Spec337EvidenceReviewPackProductFlowSmokeTest.php --compact
  ```
- [x] T048 Run overlapping guard filters. Command ran; unrelated dashboard/restore/customer-review failures reproduced individually and are documented in close-out:
  ```bash
  cd apps/platform
  ./vendor/bin/sail artisan test --filter='Evidence|ReviewPack|StoredReport|CustomerReview|ProductProcessFlow' --compact
  ```
- [x] T049 Run formatting and whitespace checks:
  ```bash
  cd apps/platform
  ./vendor/bin/sail pint --dirty
  git diff --check
  ```
- [x] T050 Report full-suite status honestly if not run.
## Final Report Template
When implementation completes, report:
```text
Spec 337 completed.
Changed behavior:
...
Evidence / Review Pack states:
- Evidence missing:
- Evidence generating:
- Stored report required:
- Review pack required:
- Review pack available:
- Customer-safe state:
- Export state:
Product Process Flow:
...
Files changed:
...
Tests:
- command:
- result:
Browser screenshots:
...
Known gaps:
...
Merge readiness:
...
No migrations were created.
No packages, env vars, queues, scheduler, storage, or deployment asset changes were made.
No destructive action behavior was changed.
No false customer-safe/evidence/export claims were introduced.
```