## Summary

- add the Spec 340 browser verification gate package for the post-338/339 workspace and environment scope contract
- add a bounded Pest browser smoke that verifies clean workspace origin, environment origin, explicit `environment_id` hub filtering, remembered-environment non-authority, and Provider Connections create/view/edit authority signals
- record the verification inventory, matrix, findings, checklist, and audit report under `specs/340-post-scope-contract-browser-verification-gate/`
- document a `GO` recommendation with no confirmed P1/P2 drift and one backlog wording follow-up
- keep the change verification-only with no runtime behavior, schema, or route-family changes

## Validation

- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec340PostScopeContractVerificationSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections --filter=ScopeHardening`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `git diff --check --no-index /dev/null apps/platform/tests/Browser/Spec340PostScopeContractVerificationSmokeTest.php`
- `git diff --check`

## Notes

- Livewire v4 compliance unchanged
- Filament provider registration remains in `apps/platform/bootstrap/providers.php`
- no globally searchable resource behavior changed
- no destructive action behavior changed or executed in this verification gate
- no new Filament assets; deploy `filament:assets` posture is unchanged

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #411
37 lines
6.6 KiB
Markdown
# Spec 340 Surface Inventory
| Surface | Route / Entry Point | Expected Taxonomy | Origin(s) | Filter Support | Code Owner / Evidence | Verification Status |
|---|---|---|---|---|---|---|
| Workspace Overview | `/admin`, `/admin/workspaces/{workspace}/overview` | Workspace-owned source of truth | Clean Workspace origin | No environment filter | `routes/web.php`, `WorkspaceOverview`, `WorkspaceSidebarNavigation` | pass - Spec340 Browser smoke |
| Environment Dashboard | `/admin/workspaces/{workspace}/environments/{environment}` | Environment-owned detail surface | Environment origin | Route-owned environment, no `environment_id` query | `EnvironmentDashboard`, `ManagedEnvironmentLinks::viewUrl()` | pass - Spec340 Browser smoke |
| Environment Diagnostics | `/admin/workspaces/{workspace}/environments/{environment}/diagnostics` | Environment-owned detail surface | Environment origin | Route-owned environment, no hub filter | `routes/web.php`, `AdminSurfaceScope::EnvironmentBound` | pass - repo-classified; no runtime change |
| Environment Access Scopes | `/admin/workspaces/{workspace}/environments/{environment}/access-scopes` | Environment-owned detail surface | Environment origin | Route-owned environment, no hub filter | `routes/web.php`, `AdminSurfaceScope::EnvironmentBound` | pass - repo-classified; no runtime change |
| Operations | `/admin/workspaces/{workspace}/operations` | Workspace Hub with local environment filter | Workspace origin, Environment origin, filtered hub | Explicit `environment_id` only | `OperationRunLinks`, `Operations`, `WorkspaceHubEnvironmentFilter` | pass - Spec340 Browser smoke |
| Operation Run Detail | `/admin/workspaces/{workspace}/operations/{run}` | Canonical workspace record viewer | Operation drilldown | Record-derived workspace/tenant entitlement | `OperationRunLinks::tenantlessView()`, `TenantlessOperationRunViewer` | pass - repo-classified; no runtime change |
| Alerts Hub | `/admin/alerts` | Workspace Hub with local environment filter | Workspace origin, filtered hub where supported | Explicit `environment_id` only | `WorkspaceHubRegistry`, `Alerts` page | pass - Spec340 Browser smoke |
| Alert Deliveries | `/admin/alerts/alert-deliveries` | Workspace Hub child with local environment filter | Workspace origin, filtered hub where supported | Explicit `environment_id` chip via page hook | `AlertDeliveryResource`, `WorkspaceHubRegistry` | pass - repo-classified; related Spec322 harness data |
| Audit Log | `/admin/audit-log` | Workspace Hub with local environment filter | Workspace origin, filtered hub where supported | Explicit `environment_id` only | `AuditLog` page, `WorkspaceHubRegistry` | pass - Spec340 Browser smoke |
| Evidence Overview | `/admin/evidence/overview` | Workspace Hub with local environment filter | Workspace origin, Environment origin, filtered hub | Explicit `environment_id` only | `EvidenceOverview`, `WorkspaceHubEnvironmentFilter` | pass - Spec340 Browser smoke |
| Provider Connections List | `/admin/provider-connections` | Credential-adjacent Workspace Hub | Clean, remembered, filtered origins | Explicit `environment_id` only; create disabled/guided without it | `ProviderConnectionResource`, `ProviderConnectionPolicy` | pass - Spec340 Browser smoke |
| Provider Connections Create | `/admin/provider-connections/create` | Credential-adjacent provider surface | Clean or filtered origin | Requires explicit valid `environment_id` | `CreateProviderConnection`, `ProviderConnectionPolicy::create()` | pass - Spec340 Browser smoke |
| Provider Connection View/Edit | `/admin/provider-connections/{record}`, `/edit` | Credential-adjacent provider record surface | Record route, optional filtered query | Record-derived ownership and capability | `ProviderConnectionPolicy::view/update/delete()` | pass - Spec340 Browser smoke |
| Review Register | `/admin/reviews` | Workspace Hub with local environment filter | Workspace origin, filtered hub where supported | Explicit `environment_id` only | `ReviewRegister`, `WorkspaceHubRegistry` | pass - Spec340 Browser smoke |
| Customer Review Workspace | `/admin/reviews/workspace` | Workspace Hub with local environment filter | Workspace origin, filtered hub where supported | Explicit `environment_id` only | `CustomerReviewWorkspace`, `WorkspaceHubRegistry` | pass - Spec340 Browser smoke |
| Governance Inbox | `/admin/governance/inbox` | Workspace Hub with local environment filter | Workspace origin, filtered hub where supported | Explicit `environment_id` only | `GovernanceInbox`, `WorkspaceHubRegistry` | pass - Spec340 Browser smoke |
| Decision Register | `/admin/governance/decisions` | Workspace Hub with local environment filter | Workspace origin, filtered hub where supported | Explicit `environment_id` only | `DecisionRegister`, `WorkspaceHubRegistry` | pass - Spec340 Browser smoke |
| Finding Exceptions Queue | `/admin/finding-exceptions/queue` | Workspace Hub with local environment filter | Workspace origin, filtered hub where supported | Explicit `environment_id` only | `FindingExceptionsQueue`, `OpenFindingExceptionsQueueController` | pass - Spec340 Browser smoke |
| Baseline Profiles | `/admin/baseline-profiles` | Workspace-owned analysis/source-of-truth surface | Clean Workspace origin | No hidden environment filter | `BaselineProfileResource`, `AdminSurfaceScope::WorkspaceOwnedAnalysisSurface` | pass - Spec340 Browser smoke |
| Baseline Snapshots | `/admin/baseline-snapshots` | Workspace-owned analysis/source-of-truth surface | Clean Workspace origin | No hidden environment filter | `BaselineSnapshotResource`, `AdminSurfaceScope::WorkspaceOwnedAnalysisSurface` | pass - Spec340 Browser smoke |
| Managed Environments Registry | `/admin/workspaces/{workspace}/environments` | Workspace-owned source-of-truth surface | Workspace origin | No hidden environment filter | `ManagedEnvironmentsLanding`, `ManagedEnvironmentLinks::indexUrl()` | pass - repo-classified; no runtime change |
| Workspace Settings | `/admin/settings/workspace` | Workspace-owned configuration surface | Workspace origin | No hidden environment filter | `WorkspaceSettings`, `WorkspaceSidebarNavigation` | pass - repo-classified; no runtime change |
| Workspace Management | `/admin/workspaces` | Workspace-owned admin surface | Workspace origin | No hidden environment filter | `WorkspaceResource`, `WorkspaceSidebarNavigation` | pass - repo-classified; no runtime change |
## Completed-Spec Guardrail
The following packages were read as context only and were not modified:
- `specs/313-workspace-environment-context-browser-verification/`
- `specs/322-browser-no-drift-regression-guard/`
- `specs/338-workspace-environment-resource-scope-contract/`
- `specs/339-provider-connection-scope-hardening/`