Implemented the final operator workflow for the Governance Inbox. This includes refactoring the inbox page, updating finding resources, adding UI enforcement policies, updating related blade views, and adding comprehensive tests for operator workflow and scope contracts. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #418
91 lines
4.9 KiB
Markdown
# Spec 346 Repo Truth Map

Status: implemented
Created: 2026-06-02
Purpose: record the repo-backed inputs, scope contracts, and current gaps that shaped the final Governance Inbox operator workflow.

## Runtime Surfaces

| Area | Repo source | Current truth |
| --- | --- | --- |
| Governance Inbox page | `apps/platform/app/Filament/Pages/Governance/GovernanceInbox.php` | Workspace-owned Filament page at `/admin/governance/inbox` with visible optional `environment_id` filter. |
| Governance Inbox view | `apps/platform/resources/views/filament/pages/governance/governance-inbox.blade.php` | Operator summary first, lane groups second, source-family context and diagnostics secondary. |
| Derived source families | `apps/platform/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php` | Existing read-only source families remain: assigned findings, intake findings, finding exceptions, stale operations, alert delivery failures, review follow-up. |
| Decision history / proof | `apps/platform/app/Filament/Pages/Governance/DecisionRegister.php`, `apps/platform/app/Support/GovernanceDecisions/GovernanceDecisionRegisterBuilder.php` | Existing read-only decision ledger with `open` and `recently_closed` states. Reused, not rebuilt. |

## Repo-Backed Inputs

| Signal | Repo-backed source | Inbox use |
| --- | --- | --- |
| Assigned findings | `Finding`, `FindingResource`, section builder assigned query | `Requires decision` or `Evidence required` depending on linked evidence state. |
| Intake findings | `Finding`, intake query | `Needs triage`. |
| Accepted-risk / exception records | `FindingException`, `FindingExceptionDecision`, `FindingExceptionsQueue` | `Risk / exception review`. |
| Failed / stale operations | `OperationRun`, `OperationRunLinks` | `Blocked`. |
| Failed alert deliveries | `AlertDelivery`, `AlertDeliveryResource` | `Blocked`. |
| Review follow-up | `ManagedEnvironmentTriageReview`, `EnvironmentReviewRegisterService`, `CustomerReviewWorkspace` | `Requires decision` with customer-review linkage. |
| Recently closed governance decisions | `GovernanceDecisionRegisterBuilder` | Secondary `Recently resolved` disclosure only. |

## Current Item Fields

Current source entries already expose the fields needed for a derived operator card without new persistence:

- `headline`
- `status_label`
- `reason_label`
- `impact_label`
- `tenant_label`
- `owner_label`
- `due_label`
- `evidence_label`
- `exception_label`
- `primary_action_label`
- `primary_action_url`
- `destination_url`
- `evidence_path_url`
- `urgency_rank`

Spec 346 keeps these fields derived and page-local.

## Link Targets

| Link type | Current truth |
| --- | --- |
| Finding detail | Existing tenant-owned `FindingResource` view route. |
| Finding exceptions queue | Existing workspace hub route with canonical `environment_id` and `exception`. |
| Decision Register | Existing workspace hub route with optional `environment_id` and `register_state`. |
| Evidence overview | Existing workspace hub route `route('admin.evidence.overview', ['environment_id' => ...])`. |
| Customer Review Workspace | Existing workspace hub route `CustomerReviewWorkspace::environmentFilterUrl($environment)`. |
| Operation proof | Existing `OperationRunLinks::tenantlessView(...)`. |
| Environment detail | Existing `ManagedEnvironmentLinks::viewUrl(...)`. |

## Scope Contract

- Governance Inbox remains workspace-owned.
- The only visible local environment scope contract is `?environment_id={id}`.
- Clean entry must stay tenantless/workspace-wide even when the shell remembers an environment.
- No Governance Inbox first-party link may emit retired public query aliases:
  - `tenant`
  - `tenant_id`
  - `managed_environment_id`
  - `environment`
  - `tenant_scope`
  - `tableFilters`

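One way to check the retired-alias rule against rendered markup, as an added example that is not code from this repository. The helper names `retiredAliasesIn` and `offendingLinks` and the sample HTML are assumptions constructed for illustration; only the alias list and the `/admin/governance/inbox` path come from this document.

```php
<?php

declare(strict_types=1);

// Retired public query aliases, copied from the scope contract above.
const RETIRED_QUERY_ALIASES = [
    'tenant', 'tenant_id', 'managed_environment_id',
    'environment', 'tenant_scope', 'tableFilters',
];

/** Hypothetical helper: retired aliases used as top-level query keys in $url. */
function retiredAliasesIn(string $url): array
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return []; // no query string: clean, workspace-wide entry
    }
    // parse_str() URL-decodes keys and folds bracketed keys such as
    // tableFilters%5Benvironment%5D%5Bvalue%5D under their top-level name.
    parse_str($query, $params);

    return array_values(array_intersect(RETIRED_QUERY_ALIASES, array_map('strval', array_keys($params))));
}

/** Hypothetical helper: map of href => retired aliases for each offending <a> in $html. */
function offendingLinks(string $html): array
{
    if (trim($html) === '') {
        return [];
    }
    $dom = new DOMDocument();
    $dom->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING); // decodes &amp; in hrefs
    $offending = [];
    foreach ($dom->getElementsByTagName('a') as $anchor) {
        $href = $anchor->getAttribute('href');
        $hits = retiredAliasesIn($href);
        if ($hits !== []) {
            $offending[$href] = $hits;
        }
    }
    return $offending;
}

// Constructed sample markup (not taken from the real Blade view).
$html = <<<'HTML'
<a href="/admin/governance/inbox?environment_id=12">Scoped inbox</a>
<a href="/admin/governance/inbox">Clean entry</a>
<a href="/admin/governance/inbox?tenant_id=12">Retired alias</a>
<a href="/admin/governance/inbox?environment_id=12&amp;tableFilters%5Benvironment%5D%5Bvalue%5D=12">Table filter</a>
HTML;

print_r(offendingLinks($html));
```

Matching is exact and case-sensitive on the top-level key, so `environment_id` passes while `environment` and bracketed `tableFilters[...]` keys are reported.
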
## Gaps And Conservative Decisions

| Topic | Repo truth | Spec 346 decision |
| --- | --- | --- |
| Review-ready lane | No bounded repo-backed governance-inbox-ready state exists on this page today. | Omitted instead of invented. |
| Persisted inbox items | No new truth table or workflow engine exists. | Not added. |
| New mutating actions | Existing page is read-first and current source surfaces own mutations. | Not added. |
| Recently resolved lane | Repo truth exists only in the Decision Register, not in current inbox source-family entries. | Shown as a secondary disclosure backed by the existing register builder. |
| Provider-readiness blocker classification | Repo truth exists on adjacent readiness/required-permissions surfaces, but not as a generalized inbox state. | Existing operation / alert / environment links reused; no new readiness engine introduced. |

## Filament / Runtime Guardrails

- Livewire v4-only patterns retained.
- No panel registration changes; Laravel 12 panel providers remain in `apps/platform/bootstrap/providers.php`.
- No global-search posture changed.
- No new assets registered.
- No migration, queue, scheduler, env-var, or deployment contract change was required.