TenantAtlas/specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/tasks.md
ahmido a9c54205bf feat: finding exceptions accepted risk resolution guidance v1 (spec 354) (#425)
Implemented the accepted risk resolution guidance, including the AcceptedRiskResolutionAdapter, guidance cards, and updated related Filament views. Added unit, feature, and browser tests.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #425
2026-06-05 02:20:46 +00:00


# Tasks: Spec 354 - Finding Exceptions / Accepted Risk Resolution Guidance v1
**Input**: `specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/spec.md`, `plan.md`, `repo-truth-map.md`, `contracts/accepted-risk-guidance-signal-map.md`, and `checklists/requirements.md`
**Tests**: Required. This spec changes strategic accepted-risk operator guidance on existing queue and detail owner surfaces.
## Test Governance Checklist
- [x] Lane assignment is explicit and narrow: Unit for guidance selection, Feature/Livewire for queue/detail integration, Browser for first-screen hierarchy.
- [x] New or changed tests stay in the smallest honest family, and the browser addition is explicit.
- [x] Shared helpers, factories, seeds, and context defaults stay cheap by default.
- [x] Planned validation commands cover the slice without pulling in unrelated lane cost.
- [x] The changed surfaces are explicit strategic/detail accepted-risk surfaces, not an infra-only refactor.
- [x] No new persisted accepted-risk truth, workflow engine, or provider/platform abstraction is planned.
## Phase 1: Preparation And Repo Truth
**Purpose**: Keep the implementation bounded to the existing accepted-risk owner surfaces and recorded draft-to-repo deviations.
- [x] T001 Re-read `spec.md`, `plan.md`, `tasks.md`, `repo-truth-map.md`, `contracts/accepted-risk-guidance-signal-map.md`, and `checklists/requirements.md`.
- [x] T002 Re-verify the current runtime truth in `apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php`, `apps/platform/resources/views/filament/pages/monitoring/finding-exceptions-queue.blade.php`, `apps/platform/app/Filament/Resources/FindingExceptionResource.php`, `apps/platform/app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php`, `apps/platform/app/Services/Findings/FindingRiskGovernanceResolver.php`, and `apps/platform/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php`.
- [x] T003 Re-confirm the current repo constraints recorded in `repo-truth-map.md`: no new accepted-risk model, no new queue family, no global-search change, no standalone customer-facing risk page.
- [x] T004 Confirm no migration, package, env var, queue family, scheduler, storage, panel/provider, or `filament:assets` deployment change is required.
- [x] T005 Keep `repo-truth-map.md` and `contracts/accepted-risk-guidance-signal-map.md` current if runtime inspection proves a narrower or broader safe slice.
## Phase 2: Tests First
**Purpose**: Lock decision hierarchy, scope, and no-fake-action behavior before runtime changes.
- [x] T006 Add `apps/platform/tests/Unit/ResolutionGuidance/Spec354AcceptedRiskResolutionAdapterTest.php`.
- [x] T007 Add unit assertions for `accepted_risk.ready`.
- [x] T008 Add unit assertions for `accepted_risk.expiring`.
- [x] T009 Add unit assertions for `accepted_risk.expired`.
- [x] T010 Add unit assertions for revoked and rejected support.
- [x] T011 Add unit assertions for pending and renewal-requested states.
- [x] T012 Add unit assertions for missing governance support on an existing exception record.
- [x] T013 Add unit assertions for incomplete governance support (missing owner/rationale/review support).
- [x] T014 Add unit assertions for the current fresh-decision-required signal and for conservative owner-surface wording reuse without mutating downstream review-output artifacts.
- [x] T015 Add a guard assertion proving accepted-risk guidance selection stays DB-local and does not require live provider or Graph calls.
- [x] T016 Add `apps/platform/tests/Feature/Monitoring/Spec354FindingExceptionsQueueGuidanceTest.php`.
- [x] T017 Add feature/Livewire assertions that `FindingExceptionsQueue` shows one dominant accepted-risk case with one dominant next-step affordance.
- [x] T018 Add feature/Livewire assertions that only existing repo-backed related context is rendered and unsupported auto-fix buttons are absent.
- [x] T019 Add feature/Livewire assertions that queue links remain workspace/environment scoped, preserve explicit `environment_id` behavior, and keep out-of-scope queue access as 404.
- [x] T020 Add feature/Livewire assertions that the queue keeps current approve/reject action safety intact.
- [x] T021 Add `apps/platform/tests/Feature/Findings/Spec354FindingExceptionDetailGuidanceTest.php`.
- [x] T022 Add feature/Livewire assertions that `ViewFindingException` and its infolist render one dominant accepted-risk guidance case before deeper diagnostics.
- [x] T023 Add feature/Livewire assertions that renew/revoke stay state- and capability-bound and keep existing confirmation behavior.
- [x] T024 Add feature/Livewire assertions that owner/rationale/expiry or review support gaps are visible before decision history and deeper evidence, and that member-but-missing-capability behavior stays aligned with current detail semantics.
- [x] T025 Add a continuity assertion in the narrowest honest family for Governance Inbox `Review accepted risk` routing into the owner surface.
- [x] T026 Add `apps/platform/tests/Browser/Spec354AcceptedRiskGuidanceSmokeTest.php`.
- [x] T027 Browser Flow A: expiring accepted-risk queue state shows one dominant blocker and one dominant next-step affordance.
- [x] T028 Browser Flow B: expired, revoked, or fresh-decision-required accepted-risk state shows a conservative operator affordance and only existing supporting context.
- [x] T029 Browser Flow C: incomplete governance support shows missing owner/rationale/review context before deep diagnostics.
- [x] T030 Browser Flow D: calm valid state stays calm and does not render a competing warning stack.
## Phase 3: Derived Guidance Contract
**Purpose**: Build the narrowest derived accepted-risk payload over existing finding and exception truth.
- [x] T031 Choose the narrowest implementation shape: prefer one bounded accepted-risk adapter or selector under `apps/platform/app/Support/ResolutionGuidance/`.
- [x] T032 Consume existing signals from `apps/platform/app/Services/Findings/FindingRiskGovernanceResolver.php`, `FindingException`, `FindingExceptionDecision`, and linked `Finding` truth before adding any new helper.
- [x] T033 Derive one accepted-risk guidance payload with `key`, `title`, `status`, `severity`, `reason`, `impact`, `primary_action`, `secondary_actions`, and `technical_details`, while preserving the existing fresh-decision-required signal and avoiding any broader stale-governance invention.
- [x] T034 Keep blocker priority explicit: missing support -> fresh decision required -> expired/revoked/rejected -> expiring -> incomplete governance support -> pending/renewal -> ready.
- [x] T035 Keep the derived guidance DB-local and request-scoped only; no new persistence.
- [x] T036 Do not introduce a new accepted-risk enum family, workflow engine, or review-impact framework in this slice.
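The first-match-wins selection that T033 and T034 describe, as an added PHP illustration that is not the project's `AcceptedRiskResolutionAdapter`: it runs over signals that are already loaded (the `$signals` keys, the action names, the severity labels and the 14-day expiring threshold are assumptions, not repo API) and returns the T033 payload shape without touching persistence or any provider.

```php
<?php
// Added illustration of the T033 payload shape and the T034 blocker priority.
// Hypothetical: the $signals keys, action names and severity labels are assumptions,
// not the project's AcceptedRiskResolutionAdapter or FindingRiskGovernanceResolver API.

function selectAcceptedRiskGuidance(array $signals, DateTimeImmutable $now, int $expiringDays = 14): array
{
    $status    = $signals['status']; // pending|renewal_requested|approved|expired|revoked|rejected
    $expiresAt = $signals['expires_at'] !== null ? new DateTimeImmutable($signals['expires_at']) : null;
    $expired   = $expiresAt !== null && $expiresAt <= $now;
    $expiring  = $expiresAt !== null && !$expired && $expiresAt <= $now->modify("+{$expiringDays} days");
    $gaps      = array_keys(array_filter(
        ['owner' => $signals['owner'], 'rationale' => $signals['rationale'], 'review_at' => $signals['review_at']],
        fn ($value) => $value === null || $value === ''
    ));
    $closed    = in_array($status, ['expired', 'revoked', 'rejected'], true);

    // Ordered exactly as T034; the first match wins, so exactly one dominant case is selected.
    $ordered = [
        [!$signals['has_governance'],         'missing_support',         'blocker', 'inspect_accepted_risk'],
        [$signals['fresh_decision_required'], 'fresh_decision_required', 'blocker', 'inspect_accepted_risk'],
        [$closed || $expired,                 $closed ? $status : 'expired', 'blocker', 'inspect_accepted_risk'],
        [$expiring,                           'expiring',                'warning', 'renew_exception'],
        [$gaps !== [],                        'incomplete_support',      'warning', 'inspect_accepted_risk'],
        [in_array($status, ['pending', 'renewal_requested'], true), $status, 'info', 'approve_or_reject_request'],
        [true,                                'ready',                   'calm',    'open_finding'],
    ];
    foreach ($ordered as [$matches, $case, $severity, $primary]) {
        if ($matches) {
            break;
        }
    }

    return [
        'key'               => "accepted_risk.{$case}",
        'title'             => ucwords(str_replace('_', ' ', $case)),
        'status'            => $status,
        'severity'          => $severity,
        'reason'            => $case === 'incomplete_support' ? 'Missing: '.implode(', ', $gaps) : "Placeholder reason for {$case}.",
        'impact'            => "Placeholder impact copy for {$case}; real wording belongs in localization.php.",
        'primary_action'    => $primary,
        // Destructive targets stay secondary; confirmation and authorization remain on the existing actions (T040/T041).
        'secondary_actions' => array_values(array_diff(['open_finding', 'renew_exception', 'revoke_exception'], [$primary])),
        'technical_details' => ['expires_at' => $signals['expires_at'], 'governance_gaps' => $gaps],
    ];
}

// Constructed sample: an approved exception with full support that expires in three days.
$guidance = selectAcceptedRiskGuidance(['status' => 'approved', 'has_governance' => true, 'fresh_decision_required' => false,
    'owner' => 'ops', 'rationale' => 'compensating control', 'review_at' => '2026-09-01', 'expires_at' => '2026-06-08'],
    new DateTimeImmutable('2026-06-05'));
```

With the constructed sample the selected key is `accepted_risk.expiring` and `renew_exception` is the single primary action, while `revoke_exception` is demoted to the secondary list; a record with no governance support would win the `missing_support` slot regardless of its expiry.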
## Phase 4: Queue Integration
**Purpose**: Make `FindingExceptionsQueue` read as an accepted-risk decision destination without removing current queue truth.
- [x] T037 Integrate the derived guidance into `apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php` while preserving explicit inspect/open behavior and current selected-record state.
- [x] T038 Update `apps/platform/resources/views/filament/pages/monitoring/finding-exceptions-queue.blade.php` and the focused-review partial so the dominant guidance case appears before secondary diagnostics and existing related context.
- [x] T039 Reuse existing repo-backed primary and secondary targets where appropriate: inspect accepted risk, approve/reject current request, open finding, and existing related context only.
- [x] T040 Preserve current destructive/high-impact actions exactly as confirmation-, authorization-, and audit-protected secondary actions.
- [x] T041 Do not let guidance visibility widen action authorization or scope.
## Phase 5: Detail Integration
**Purpose**: Make `ViewFindingException` decision-first while keeping lifecycle ownership on the existing detail page.
- [x] T042 Integrate the derived guidance into `apps/platform/app/Filament/Resources/FindingExceptionResource.php` and `apps/platform/app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php`.
- [x] T043 Keep existing owner/rationale/expiry/review data visible before decision history or deep evidence.
- [x] T044 Reuse current repo-backed actions (`renew_exception`, `revoke_exception`) and keep them source-owned.
- [x] T045 Keep decision history, evidence references, and related context secondary.
- [x] T046 Preserve `FindingExceptionResource` global-search-disabled posture and current action-surface discipline.
## Phase 6: Continuity And Conservative Wording
**Purpose**: Keep downstream accepted-risk continuity honest without turning other surfaces into second owner surfaces.
- [x] T047 Adjust `apps/platform/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php` only if accepted-risk label/target continuity is inconsistent after queue/detail guidance becomes decision-first.
- [x] T048 Reuse existing conservative accepted-risk wording as owner-surface reference only and do not mutate `EnvironmentReviewComposer` or current review-output consumers in this slice.
- [x] T049 Keep customer-safe wording reference conservative and avoid exposing raw internal rationale or low-level diagnostics as default-visible summary text.
## Phase 7: Copy, Audit, And Artifacts
**Purpose**: Align user-facing wording and UI audit coverage with the new accepted-risk hierarchy.
- [x] T050 Update only the required copy in `apps/platform/lang/en/localization.php`.
- [x] T051 Update matching copy in `apps/platform/lang/de/localization.php`.
- [x] T052 Update `docs/ui-ux-enterprise-audit/page-reports/ui-012-finding-exceptions-queue.md`.
- [x] T053 Create or update `docs/ui-ux-enterprise-audit/page-reports/ui-036-exception-detail.md`.
- [x] T054 Update `docs/ui-ux-enterprise-audit/route-inventory.md` and `docs/ui-ux-enterprise-audit/unresolved-pages.md` for `UI-036`.
- [x] T055 Save queue and detail screenshots under `specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/artifacts/screenshots/`, or record the host-visible artifact blocker explicitly if copies cannot be persisted.
## Phase 8: Validation
**Purpose**: Prove the guidance remains bounded, scope-safe, and render-local.
- [x] T056 Run `cd apps/platform && ./vendor/bin/sail artisan test tests/Unit/ResolutionGuidance/Spec354AcceptedRiskResolutionAdapterTest.php --compact`.
- [x] T057 Run `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Monitoring/Spec354FindingExceptionsQueueGuidanceTest.php --compact`.
- [x] T058 Run `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Findings/Spec354FindingExceptionDetailGuidanceTest.php --compact`.
- [ ] T059 Run `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest tests/Browser/Spec354AcceptedRiskGuidanceSmokeTest.php --compact`.
  Attempted twice; the Pest browser harness stalled without yielding output even after the auth/session fixes, so the browser acceptance path was re-verified in the integrated browser and artifact screenshots were saved manually.
- [x] T060 Re-run the narrowest current queue/detail guard and navigation tests that protect scope, state, action-surface discipline, and current fresh-decision signaling.
- [x] T061 Confirm final render paths remain DB-local and do not call `GraphClientInterface` or provider HTTP during page render.
- [x] T062 Run `cd apps/platform && ./vendor/bin/sail pint --dirty`.
- [x] T063 Run `git diff --check`.
- [x] T064 Report unrelated broader-suite or browser-harness issues honestly if they remain outside this slice.
## Non-Goals Checklist
- [x] NT001 Do not add a new accepted-risk table, review-impact projection, or workflow engine.
- [x] NT002 Do not rebuild Governance Inbox, Customer Review Workspace, Environment Dashboard, or review-output architecture.
- [x] NT003 Do not add fake remediation or unsupported auto-fix actions.
- [x] NT004 Do not widen `FindingExceptionResource` global search, panel setup, or routing architecture.
- [x] NT005 Do not introduce live provider calls during render.
- [x] NT006 Do not mutate downstream review-output artifacts (`EnvironmentReviewComposer`, review-pack summaries, customer-review runtime) in this slice.
## Required Final Report Content
When implementation later completes, report:
- changed accepted-risk guidance behavior on queue and detail
- dominant-case selection model
- continuity behavior for Governance Inbox or review-output wording if changed
- safe action set and any disabled or fallback cases
- render-path result for no live provider calls
- UI audit artifact updates and screenshot paths
- files changed
- tests run and results
- explicit no migrations/packages/env/queues/scheduler/storage/panel/global-search change statement
- known gaps or deferred findings