TenantAtlas/specs/340-post-scope-contract-browser-verification-gate/tasks.md
ahmido a3b21c48d8 test: add post-scope contract browser verification gate (340) (#411)
## Summary
- add the Spec 340 browser verification gate package for the post-338/339 workspace and environment scope contract
- add a bounded Pest browser smoke that verifies clean workspace origin, environment origin, explicit `environment_id` hub filtering, remembered-environment non-authority, and Provider Connections create/view/edit authority signals
- record the verification inventory, matrix, findings, checklist, and audit report under `specs/340-post-scope-contract-browser-verification-gate/`
- document a `GO` recommendation with no confirmed P1/P2 drift and one backlog wording follow-up
- keep the change verification-only with no runtime behavior, schema, or route-family changes

## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec340PostScopeContractVerificationSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections --filter=ScopeHardening`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `git diff --check --no-index /dev/null apps/platform/tests/Browser/Spec340PostScopeContractVerificationSmokeTest.php`
- `git diff --check`

## Notes
- Livewire v4 compliance unchanged
- Filament provider registration remains in `apps/platform/bootstrap/providers.php`
- no globally searchable resource behavior changed
- no destructive action behavior changed or executed in this verification gate
- no new Filament assets; deploy `filament:assets` posture is unchanged

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #411
2026-05-31 14:37:30 +00:00


# Tasks: Spec 340 - Post-Scope Contract Browser Verification Gate
- Input: `specs/340-post-scope-contract-browser-verification-gate/spec.md`, `specs/340-post-scope-contract-browser-verification-gate/plan.md`
- Preparation status: implementation-ready.

**Tests**: Required during implementation. This spec is a browser/IA verification gate and may add a bounded Pest Browser smoke only when stable.
## Test Governance Checklist
- [x] Lane assignment is named and narrow: browser verification, optional fast-feedback Feature probes.
- [x] Any new Browser test stays representative and avoids broad full-app route sweep cost.
- [x] Existing browser helpers, factories, and smoke-login paths are reused before adding new fixture setup.
- [x] Blocked browser checks are reported as blocked, not passed.
- [x] Runtime fixes require an active artifact update or follow-up spec before code changes.
## Phase 1: Preflight And Guardrails
**Purpose**: Confirm safe branch/repo state and prevent completed-spec rewrites.
- [x] T001 Re-read `specs/340-post-scope-contract-browser-verification-gate/spec.md`, `specs/340-post-scope-contract-browser-verification-gate/plan.md`, and this `tasks.md`.
- [x] T002 Confirm branch and working tree intent with `git status --short --branch` and record the baseline commit in `specs/340-post-scope-contract-browser-verification-gate/audit-report.md`.
- [x] T003 Re-read `.specify/memory/constitution.md`, `docs/ai-coding-rules.md`, and relevant `docs/*-guidelines.md`; record no-runtime-change posture in `specs/340-post-scope-contract-browser-verification-gate/audit-report.md`.
- [x] T004 Confirm related completed specs are context only and do not modify `specs/313-workspace-environment-context-browser-verification/`, `specs/322-browser-no-drift-regression-guard/`, `specs/338-workspace-environment-resource-scope-contract/`, or `specs/339-provider-connection-scope-hardening/`.
- [x] T005 Create `specs/340-post-scope-contract-browser-verification-gate/artifacts/screenshots/` if screenshot evidence will be captured.
## Phase 2: Repo Discovery And Matrix Setup
**Purpose**: Build a repo-based checklist before opening the browser.
- [x] T006 Create `specs/340-post-scope-contract-browser-verification-gate/surface-inventory.md` with columns for surface, route, expected taxonomy, origin, filter support, code owner, and verification status.
- [x] T007 Create `specs/340-post-scope-contract-browser-verification-gate/scope-verification-matrix.md` with columns for page, origin, URL/query, shell, sidebar, breadcrumb/header, visible filter evidence, reload/back-forward result, screenshot, status, and finding ID.
- [x] T008 Create `specs/340-post-scope-contract-browser-verification-gate/findings.md` with P1/P2/P3/backlog definitions and empty finding sections.
- [x] T009 Initialize `specs/340-post-scope-contract-browser-verification-gate/audit-report.md` with command log, branch, baseline commit, verification scope, and go/no-go placeholder.
- [x] T010 Inspect `apps/platform/routes/web.php` and record the current admin workspace/environment route families in `surface-inventory.md`.
- [x] T011 Inspect `apps/platform/app/Providers/Filament/AdminPanelProvider.php` for registered pages/resources, render hooks, and navigation-relevant provider configuration.
- [x] T012 Inspect `apps/platform/app/Support/Navigation/AdminSurfaceScope.php`, `WorkspaceHubRegistry.php`, `WorkspaceHubEnvironmentFilter.php`, and `WorkspaceSidebarNavigation.php`; classify expected shell/sidebar ownership in `surface-inventory.md`.
- [x] T013 Inspect `apps/platform/app/Support/ManagedEnvironmentLinks.php`, `OperationRunLinks.php`, and `WorkspaceContext.php`; record link/filter/topbar/remembered-environment seams in `surface-inventory.md`.
- [x] T014 Inspect `apps/platform/app/Filament/Resources/ProviderConnectionResource.php` and `apps/platform/app/Policies/ProviderConnectionPolicy.php`; record Provider Connection authority expectations in `surface-inventory.md`.
- [x] T015 Inspect existing browser tests under `apps/platform/tests/Browser/Spec314*`, `Spec316*`, `Spec322*`, `Spec338*`, and `Spec281*`; record reusable setup patterns in `audit-report.md`.
## Phase 3: Browser Setup And Data Availability
**Purpose**: Make browser results reproducible and avoid false passes from missing data.
- [x] T016 Resolve the app URL through Laravel Boost `get_absolute_url` or documented Sail/local config and record it in `audit-report.md`.
- [x] T017 Identify the smoke-login actor and available workspace/environment fixture path from existing browser test conventions; record the source in `audit-report.md`.
- [x] T018 Verify at least one Workspace is selectable in the browser and record available Workspace evidence in `scope-verification-matrix.md`.
- [x] T019 Verify at least one Managed Environment is reachable from that Workspace and record whether a second environment exists for comparison in `scope-verification-matrix.md`.
- [x] T020 Record unavailable seed data, blocked routes, or authorization-limited surfaces in `findings.md` as `blocked`, not pass.
## Phase 4: Workspace-Origin Verification
**Purpose**: Prove clean Workspace mode does not imply hidden environment scope.
- [x] T021 From a clean Workspace origin, open Workspace Overview and record shell/sidebar/header evidence in `scope-verification-matrix.md`.
- [x] T022 From clean Workspace origin, open Operations and record URL/query, scope signals, local filter state, reload behavior, and screenshot path if captured.
- [x] T023 From clean Workspace origin, open Alerts and Audit Log and record whether they behave as Workspace Hubs with local environment filters where supported.
- [x] T024 From clean Workspace origin, open Evidence Overview and record whether it remains a Workspace Hub, not an environment-owned evidence route.
- [x] T025 From clean Workspace origin, open Provider Connections and record list context, visible filter state, create affordance, and absence of remembered-environment authority.
- [x] T026 From clean Workspace origin, open Review Register, Customer Review Workspace, Governance Inbox, Decision Register, and Finding Exceptions Queue where reachable; record pass/blocked/finding status per surface.
- [x] T027 From clean Workspace origin, open Baseline Profiles and Baseline Snapshots and record that they remain workspace-owned source-of-truth surfaces.
## Phase 5: Environment-Origin And Filtered Hub Verification
**Purpose**: Prove Environment mode and filtered Workspace Hub mode stay distinct.
- [x] T028 From Environment Dashboard, record route, shell, sidebar, breadcrumb/header, and environment identity evidence.
- [x] T029 From Environment Dashboard, open environment-owned detail surfaces that are present and record whether they remain environment-route-owned.
- [x] T030 From Environment Dashboard, open Operations through sidebar/global navigation and record whether it becomes clean Workspace Hub entry or explicit filtered hub entry.
- [x] T031 From Environment Dashboard, open Alerts, Audit Log, Evidence Overview, Provider Connections, Review Register, Customer Review Workspace, Governance Inbox, Decision Register, and Finding Exceptions Queue where reachable; record explicit `environment_id` behavior where intended.
- [x] T032 For at least three representative filtered Workspace Hubs, reload the page and record whether filter state remains truthful and visible.
- [x] T033 For at least three representative filtered Workspace Hubs, use browser back/forward and record whether shell/filter state remains truthful.
- [x] T034 Clear the environment filter where supported and record whether the resulting clean hub entry matches the expected Workspace Hub contract.
## Phase 6: Topbar Semantics Verification
**Purpose**: Prove topbar context does not silently become a page-local filter.
- [x] T035 Use the Workspace selector from a Workspace Hub and record whether it switches workspace context rather than local page filter state.
- [x] T036 Use the Environment selector from a Workspace Hub and record whether it navigates/opens environment context instead of silently filtering the current hub.
- [x] T037 With a remembered environment present, open a clean Workspace Hub URL and record whether the hub remains unfiltered unless explicit `environment_id` is present.
- [x] T038 Record any page copy that instructs users to use the topbar as a local filter in `findings.md`.
## Phase 7: Provider Connection Authority Verification
**Purpose**: Prove credential-adjacent browser behavior matches Spec 339.
- [x] T039 Open `/admin/provider-connections` clean and record list scope, filter state, and create affordance in `scope-verification-matrix.md`.
- [x] T040 Open `/admin/provider-connections?environment_id=<valid-environment>` and record visible filter evidence plus create affordance tied to that environment.
- [x] T041 Open `/admin/provider-connections/create` without `environment_id` and record whether create is blocked or safely guided without remembered-environment authority.
- [x] T042 Open `/admin/provider-connections/create?environment_id=<wrong-workspace-environment>` where safely reproducible and record 404/blocked behavior without leaking foreign workspace details.
- [x] T043 Open an existing Provider Connection view/edit route and record whether visible context derives from record ownership, not topbar/remembered environment.
- [x] T044 Inspect credential-adjacent visible actions without executing destructive or external-provider operations; record confirmation/authorization/audit affordance expectations in `findings.md`.
- [x] T045 If a suspected Provider Connection issue appears, run or reference targeted Feature coverage in `apps/platform/tests/Feature/ProviderConnections/` before classifying severity.
## Phase 8: Findings, Go/No-Go, And Follow-Up Control
**Purpose**: Convert browser evidence into a concrete decision.
- [x] T046 Classify every matrix row in `scope-verification-matrix.md` as `pass`, `P1`, `P2`, `P3`, `backlog`, `blocked`, or `not-applicable`.
- [x] T047 For each P1/P2 finding in `findings.md`, include surface, origin, URL, expected behavior, actual behavior, evidence, likely owner files, and smallest safe next action.
- [x] T048 For each blocked check in `findings.md`, include the missing route/data/tooling condition and whether it blocks go/no-go confidence.
- [x] T049 Write the final go/no-go recommendation in `audit-report.md`.
- [x] T050 If no P1/P2 drift exists, state that new feature work may resume and list deferred candidates without opening them automatically.
- [x] T051 If P1/P2 drift exists, recommend either a bounded in-scope fix path after artifact update or a follow-up spec; do not start unrelated feature work.
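
An added example, not part of the project's own tooling: a Python check that applies the T046 status vocabulary to a scope-verification matrix and derives the T050/T051 recommendation, keeping `blocked` rows out of the pass count. The table is constructed and abbreviated to five of the T007 columns; the finding IDs, the `INCOMPLETE` outcome, and the rule that P1/P2 rows need a finding ID are assumptions.

```python
import re

# Status vocabulary from T046.
ALLOWED = {"pass", "P1", "P2", "P3", "backlog", "blocked", "not-applicable"}

# Constructed sample, abbreviated to five of the T007 columns; IDs are made up.
SAMPLE_MATRIX = """\
| Page | Origin | URL/query | Status | Finding ID |
|------|--------|-----------|--------|------------|
| Provider Connections list | workspace | /admin/provider-connections | pass | |
| Provider Connections list | environment | /admin/provider-connections?environment_id=<valid-environment> | pass | |
| Provider Connections create | workspace | /admin/provider-connections/create | P3 | F-001 |
| Provider Connections create | workspace | /admin/provider-connections/create?environment_id=<wrong-workspace-environment> | blocked | B-001 |
"""


def parse_rows(markdown):
    """Return one dict per data row, keyed by lower-cased header name."""
    lines = [l.strip() for l in markdown.splitlines() if l.strip().startswith("|")]
    header = [c.strip().lower() for c in lines[0].strip("|").split("|")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.strip("|").split("|")]
        if all(re.fullmatch(r":?-+:?", c) for c in cells):
            continue  # header separator row
        rows.append(dict(zip(header, cells)))
    return rows


def evaluate(markdown):
    """Classify rows and derive GO / NO-GO / INCOMPLETE (assumed rule set)."""
    counts, blocked, problems = {}, [], []
    for n, row in enumerate(parse_rows(markdown), start=1):
        status = row.get("status", "")
        if status not in ALLOWED:
            problems.append(f"row {n}: unclassified status {status!r}")
            continue
        counts[status] = counts.get(status, 0) + 1
        if status in ("P1", "P2") and not row.get("finding id"):
            problems.append(f"row {n}: {status} without a finding ID")
        if status == "blocked":
            blocked.append(row.get("page", ""))  # reported separately, never as pass
    drift = counts.get("P1", 0) + counts.get("P2", 0)
    decision = "INCOMPLETE" if problems else ("NO-GO" if drift else "GO")
    return {"decision": decision, "counts": counts,
            "blocked": blocked, "problems": problems}


if __name__ == "__main__":
    print(evaluate(SAMPLE_MATRIX))
```

Whether a blocked row lowers go/no-go confidence is still a reviewer judgement under T048; the check only guarantees it is listed rather than counted as a pass.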
## Phase 9: Optional Automated Regression Coverage
**Purpose**: Add bounded automation only when it is stable enough to maintain.
- [x] T052 Decide in `audit-report.md` whether to add `apps/platform/tests/Browser/Spec340PostScopeContractVerificationSmokeTest.php` or keep Spec 340 as manual/in-app browser verification only.
- [x] T053 If automation is added, create `apps/platform/tests/Browser/Spec340PostScopeContractVerificationSmokeTest.php` using existing Pest 4 browser conventions and explicit workspace/environment fixtures.
- [x] T054 If automation is added, assert no JavaScript errors and cover representative clean Workspace origin, Environment origin, filtered hub entry, topbar remembered-environment behavior, and Provider Connections create authority.
- [x] T055 Keep exhaustive route/query permutations in Feature tests or artifact matrix, not the Browser test.
- [x] T056 Do not add or modify seeders unless `spec.md` and `plan.md` are updated with the fixture-cost decision first.
## Phase 10: Validation And Close-Out
**Purpose**: Prove the gate ran and preparation boundaries remained intact.
- [x] T057 Run focused Browser validation if automated coverage exists: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser --filter=Spec340`.
- [x] T058 Run targeted Provider Connections Feature validation if Provider Connection authority findings were suspected: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections --filter=ScopeHardening`.
- [x] T059 Run `git diff --check` from the repository root.
- [x] T060 Update `audit-report.md` with exact commands, results, screenshots, blocked checks, full-suite status, unrelated residual failures, and final go/no-go.
- [x] T061 Confirm no completed specs were modified and no application runtime code was changed unless explicitly authorized by updated Spec 340 artifacts.
## Explicit Non-Goals
- [x] NT001 Do not redesign sidebar, topbar, Provider Connections, Evidence, Baselines, or Review surfaces.
- [x] NT002 Do not create migrations, models, services, jobs, policies, routes, or runtime behavior changes during preparation.
- [x] NT003 Do not rewrite completed Spec 313/322/338/339 close-out, validation, or completed-task history.
- [x] NT004 Do not create follow-up specs automatically without P1/P2 browser evidence.
- [x] NT005 Do not execute destructive or external-provider actions during browser verification.