ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
platform-dev
TenantAtlas/specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/tasks.md
ahmido a9c54205bf feat: finding exceptions accepted risk resolution guidance v1 (spec 354) (#425) 
Implemented the accepted risk resolution guidance, including the AcceptedRiskResolutionAdapter, guidance cards, and updated related Filament views. Added unit, feature, and browser tests.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #425
2026-06-05 02:20:46 +00:00

13 KiB
Raw Permalink Blame History

Tasks: Spec 354 - Finding Exceptions / Accepted Risk Resolution Guidance v1

Input: specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/spec.md, plan.md, repo-truth-map.md, contracts/accepted-risk-guidance-signal-map.md, and checklists/requirements.md

Tests: Required. This spec changes strategic accepted-risk operator guidance on existing queue and detail owner surfaces.

Test Governance Checklist

  • Lane assignment is explicit and narrow: Unit for guidance selection, Feature/Livewire for queue/detail integration, Browser for first-screen hierarchy.
  • New or changed tests stay in the smallest honest family, and the browser addition is explicit.
  • Shared helpers, factories, seeds, and context defaults stay cheap by default.
  • Planned validation commands cover the slice without pulling in unrelated lane cost.
  • The changed surfaces are explicit strategic/detail accepted-risk surfaces, not an infra-only refactor.
  • No new persisted accepted-risk truth, workflow engine, or provider/platform abstraction is planned.

Phase 1: Preparation And Repo Truth

Purpose: Keep the implementation bounded to the existing accepted-risk owner surfaces and recorded draft-to-repo deviations.

  • T001 Re-read spec.md, plan.md, tasks.md, repo-truth-map.md, contracts/accepted-risk-guidance-signal-map.md, and checklists/requirements.md.
  • T002 Re-verify the current runtime truth in apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php, apps/platform/resources/views/filament/pages/monitoring/finding-exceptions-queue.blade.php, apps/platform/app/Filament/Resources/FindingExceptionResource.php, apps/platform/app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php, apps/platform/app/Services/Findings/FindingRiskGovernanceResolver.php, and apps/platform/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php.
  • T003 Re-confirm the current repo constraints recorded in repo-truth-map.md: no new accepted-risk model, no new queue family, no global-search change, no standalone customer-facing risk page.
  • T004 Confirm no migration, package, env var, queue family, scheduler, storage, panel/provider, or filament:assets deployment change is required.
  • T005 Keep repo-truth-map.md and contracts/accepted-risk-guidance-signal-map.md current if runtime inspection proves a narrower or broader safe slice.

Phase 2: Tests First

Purpose: Lock decision hierarchy, scope, and no-fake-action behavior before runtime changes.

  • T006 Add apps/platform/tests/Unit/ResolutionGuidance/Spec354AcceptedRiskResolutionAdapterTest.php.
  • T007 Add unit assertions for accepted_risk.ready.
  • T008 Add unit assertions for accepted_risk.expiring.
  • T009 Add unit assertions for accepted_risk.expired.
  • T010 Add unit assertions for revoked and rejected support.
  • T011 Add unit assertions for pending and renewal-requested states.
  • T012 Add unit assertions for missing governance support on an existing exception record.
  • T013 Add unit assertions for incomplete governance support (missing owner/rationale/review support).
  • T014 Add unit assertions for the current fresh-decision-required signal and for conservative owner-surface wording reuse without mutating downstream review-output artifacts.
  • T015 Add a guard assertion proving accepted-risk guidance selection stays DB-local and does not require live provider or Graph calls.
  • T016 Add apps/platform/tests/Feature/Monitoring/Spec354FindingExceptionsQueueGuidanceTest.php.
  • T017 Add feature/Livewire assertions that FindingExceptionsQueue shows one dominant accepted-risk case with one dominant next-step affordance.
  • T018 Add feature/Livewire assertions that only existing repo-backed related context is rendered and unsupported auto-fix buttons are absent.
  • T019 Add feature/Livewire assertions that queue links remain workspace/environment scoped, preserve explicit environment_id behavior, and keep out-of-scope queue access as 404.
  • T020 Add feature/Livewire assertions that the queue keeps current approve/reject action safety intact.
  • T021 Add apps/platform/tests/Feature/Findings/Spec354FindingExceptionDetailGuidanceTest.php.
  • T022 Add feature/Livewire assertions that ViewFindingException and its infolist render one dominant accepted-risk guidance case before deeper diagnostics.
  • T023 Add feature/Livewire assertions that renew/revoke stay state- and capability-bound and keep existing confirmation behavior.
  • T024 Add feature/Livewire assertions that owner/rationale/expiry or review support gaps are visible before decision history and deeper evidence, and that member-but-missing-capability behavior stays aligned with current detail semantics.
  • T025 Add a continuity assertion in the narrowest honest family for Governance Inbox Review accepted risk routing into the owner surface.
  • T026 Add apps/platform/tests/Browser/Spec354AcceptedRiskGuidanceSmokeTest.php.
  • T027 Browser Flow A: expiring accepted-risk queue state shows one dominant blocker and one dominant next-step affordance.
  • T028 Browser Flow B: expired, revoked, or fresh-decision-required accepted-risk state shows a conservative operator affordance and only existing supporting context.
  • T029 Browser Flow C: incomplete governance support shows missing owner/rationale/review context before deep diagnostics.
  • T030 Browser Flow D: calm valid state stays calm and does not render a competing warning stack.

Phase 3: Derived Guidance Contract

Purpose: Build the narrowest derived accepted-risk payload over existing finding and exception truth.

  • T031 Choose the narrowest implementation shape: prefer one bounded accepted-risk adapter or selector under apps/platform/app/Support/ResolutionGuidance/.
  • T032 Consume existing signals from apps/platform/app/Services/Findings/FindingRiskGovernanceResolver.php, FindingException, FindingExceptionDecision, and linked Finding truth before adding any new helper.
  • T033 Derive one accepted-risk guidance payload with key, title, status, severity, reason, impact, primary_action, secondary_actions, and technical_details, while preserving the existing fresh-decision-required signal and avoiding any broader stale-governance invention.
  • T034 Keep blocker priority explicit: missing support -> fresh decision required -> expired/revoked/rejected -> expiring -> incomplete governance support -> pending/renewal -> ready.
  • T035 Keep the derived guidance DB-local and request-scoped only; no new persistence.
  • T036 Do not introduce a new accepted-risk enum family, workflow engine, or review-impact framework in this slice.

Phase 4: Queue Integration

Purpose: Make FindingExceptionsQueue read as an accepted-risk decision destination without removing current queue truth.

  • T037 Integrate the derived guidance into apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php while preserving explicit inspect/open behavior and current selected-record state.
  • T038 Update apps/platform/resources/views/filament/pages/monitoring/finding-exceptions-queue.blade.php and the focused-review partial so the dominant guidance case appears before secondary diagnostics and existing related context.
  • T039 Reuse existing repo-backed primary and secondary targets where appropriate: inspect accepted risk, approve/reject current request, open finding, and existing related context only.
  • T040 Preserve current destructive/high-impact actions exactly as confirmation-, authorization-, and audit-protected secondary actions.
  • T041 Do not let guidance visibility widen action authorization or scope.

Phase 5: Detail Integration

Purpose: Make ViewFindingException decision-first while keeping lifecycle ownership on the existing detail page.

  • T042 Integrate the derived guidance into apps/platform/app/Filament/Resources/FindingExceptionResource.php and apps/platform/app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php.
  • T043 Keep existing owner/rationale/expiry/review data visible before decision history or deep evidence.
  • T044 Reuse current repo-backed actions (renew_exception, revoke_exception) and keep them source-owned.
  • T045 Keep decision history, evidence references, and related context secondary.
  • T046 Preserve FindingExceptionResource global-search-disabled posture and current action-surface discipline.

Phase 6: Continuity And Conservative Wording

Purpose: Keep downstream accepted-risk continuity honest without turning other surfaces into second owner surfaces.

  • T047 Adjust apps/platform/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php only if accepted-risk label/target continuity is inconsistent after queue/detail guidance becomes decision-first.
  • T048 Reuse existing conservative accepted-risk wording as owner-surface reference only and do not mutate EnvironmentReviewComposer or current review-output consumers in this slice.
  • T049 Keep customer-safe wording reference conservative and avoid exposing raw internal rationale or low-level diagnostics as default-visible summary text.

Phase 7: Copy, Audit, And Artifacts

Purpose: Align user-facing wording and UI audit coverage with the new accepted-risk hierarchy.

  • T050 Update only the required copy in apps/platform/lang/en/localization.php.
  • T051 Update matching copy in apps/platform/lang/de/localization.php.
  • T052 Update docs/ui-ux-enterprise-audit/page-reports/ui-012-finding-exceptions-queue.md.
  • T053 Create or update docs/ui-ux-enterprise-audit/page-reports/ui-036-exception-detail.md.
  • T054 Update docs/ui-ux-enterprise-audit/route-inventory.md and docs/ui-ux-enterprise-audit/unresolved-pages.md for UI-036.
  • T055 Save queue and detail screenshots under specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/artifacts/screenshots/, or record the host-visible artifact blocker explicitly if copies cannot be persisted.

Phase 8: Validation

Purpose: Prove the guidance remains bounded, scope-safe, and render-local.

  • T056 Run cd apps/platform && ./vendor/bin/sail artisan test tests/Unit/ResolutionGuidance/Spec354AcceptedRiskResolutionAdapterTest.php --compact.
  • T057 Run cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Monitoring/Spec354FindingExceptionsQueueGuidanceTest.php --compact.
  • T058 Run cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Findings/Spec354FindingExceptionDetailGuidanceTest.php --compact.
  • T059 Run cd apps/platform && ./vendor/bin/sail php vendor/bin/pest tests/Browser/Spec354AcceptedRiskGuidanceSmokeTest.php --compact. Attempted twice; the Pest browser harness stalled without yielding output even after the auth/session fixes, so the browser acceptance path was re-verified in the integrated browser and artifact screenshots were saved manually.
  • T060 Re-run the narrowest current queue/detail guard and navigation tests that protect scope, state, action-surface discipline, and current fresh-decision signaling.
  • T061 Confirm final render paths remain DB-local and do not call GraphClientInterface or provider HTTP during page render.
  • T062 Run cd apps/platform && ./vendor/bin/sail pint --dirty.
  • T063 Run git diff --check.
  • T064 Report unrelated broader-suite or browser-harness issues honestly if they remain outside this slice.

Non-Goals Checklist

  • NT001 Do not add a new accepted-risk table, review-impact projection, or workflow engine.
  • NT002 Do not rebuild Governance Inbox, Customer Review Workspace, Environment Dashboard, or review-output architecture.
  • NT003 Do not add fake remediation or unsupported auto-fix actions.
  • NT004 Do not widen FindingExceptionResource global search, panel setup, or routing architecture.
  • NT005 Do not introduce live provider calls during render.
  • NT006 Do not mutate downstream review-output artifacts (EnvironmentReviewComposer, review-pack summaries, customer-review runtime) in this slice.

Required Final Report Content

When implementation later completes, report:

  • changed accepted-risk guidance behavior on queue and detail
  • dominant-case selection model
  • continuity behavior for Governance Inbox or review-output wording if changed
  • safe action set and any disabled or fallback cases
  • render-path result for no live provider calls
  • UI audit artifact updates and screenshot paths
  • files changed
  • tests run and results
  • explicit no migrations/packages/env/queues/scheduler/storage/panel/global-search change statement
  • known gaps or deferred findings