Added artifacts, screenshots, and documentation for the platform sellable smoke matrix. Fixed a bug in FindingRiskGovernanceResolver and updated related tests. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #426
Repo Truth Map: Spec 355 - Platform Sellable Smoke Matrix
Status: implementation complete / browser-verified
Branch: 355-platform-sellable-smoke-matrix
Date: 2026-06-05
Baseline commit before prep branch: a9c54205 (feat: finding exceptions accepted risk resolution guidance v1 (spec 354) (#425))
Branch And Working-Tree Safety
- Starting branch before prep: platform-dev
- Initial git status --short --branch: clean
- Initial git diff --stat: empty
- Spec Kit branch created via repo script: .specify/scripts/bash/create-new-feature.sh --json --short-name 'platform-sellable-smoke-matrix' --number 355 'Platform Sellable Smoke Matrix'
- Current branch after setup: 355-platform-sellable-smoke-matrix
- Current uncommitted change before writing prep artifacts: only specs/355-platform-sellable-smoke-matrix/
Why 355 Was Selected
- The user provided Spec 355 directly, so this is not an auto-selected backlog refresh.
- Specs 351-354 already productized the main operator-guidance lanes, but they did so one surface at a time.
- The next honest question is integrated sellability, not another isolated feature:
- Does the first blocker make sense?
- Does the next action stay dominant?
- Does scope continuity survive the click?
- Are customer-safe boundaries still truthful?
- Do evidence and proof surfaces support trust instead of pulling the operator into diagnostics-first detail?
Why Close Alternatives Were Deferred
- Spec 356 (Review Pack PDF/HTML Renderer v1) depends on the underlying operator/productization flow being coherent first.
- Spec 357 (Customer Portal Boundary Contract) should not be promoted before customer-safe boundary truth is proven inside the current operator surfaces.
- Spec 358 (Private AI Resolution Suggestion Foundation) is intentionally later than human-guided workflow stability.
- Spec 359 (Localization v1) is a likely follow-up if this matrix exposes mixed-language or dominant-copy gaps, but it should not hide workflow incoherence.
- Spec 360 (Portfolio / Cross-Tenant Action Readiness) is broader than the current single-platform sellable gate.
Completed-Spec Guardrail Result
| Related spec | Current repo signal | Guardrail handling for Spec 355 |
|---|---|---|
| Spec 351 - Review Output Resolve Actions v1 | commit d4e4d2d1, checked implementation tasks, residual P2 browser notes, spec header still Draft | runtime context only; do not normalize or silently erase historical findings |
| Spec 352 - Environment Dashboard Operator Guidance Consolidation | commit 9a564d6b, repo-truth says implemented | direct dependency; use as the dashboard baseline |
| Spec 353 - Provider Connections Resolution Guidance v1 | commit d2876af9, spec says implemented with close-out audit pending | runtime context only; use committed behavior, not checklist wording, as truth |
| Spec 354 - Finding Exceptions / Accepted Risk Resolution Guidance v1 | commit a9c54205, checked tasks, screenshots, browser smoke test file exists, spec header still Draft | direct dependency; verify named blocker conditions explicitly before final readiness verdict |
No completed spec package is being normalized back into preparation-only wording.
Dependency Gate Verification
Spec 355's own draft required:
- Specs 351-354 closed/committed
- Spec 354 patched, browser-verified, and free of specific open P1/P2 findings around:
- accepted-risk state priority
- approval queue scope continuity
- dominant guidance localization
- fake/inert recommended action semantics
The implementation-phase verification completed this gate:
- accepted-risk state priority: verified in browser on expired and expiring focused queue states
- approval queue scope continuity: verified from Governance Inbox into the focused accepted-risk lane with preserved back-link context
- dominant guidance localization: initially failed in the German focused queue lane because FindingRiskGovernanceResolver returned hardcoded English warning copy; fixed in-scope and re-verified
- fake or inert recommended action semantics: not observed in the tested flows
Result:
- implementation proceeded legitimately
- final readiness language is no longer blocked by the Spec 354 dependency gate
Primary Runtime Surfaces
| Surface | Repo truth | Why it matters to Spec 355 |
|---|---|---|
| EnvironmentDashboard | environment-owned command surface with implemented top guidance from Spec 352 | starting point for first-blocker coherence |
| ProviderConnectionResource | workspace provider hub with implemented guidance from Spec 353 | provider-owner destination for dashboard blocker routing |
| EnvironmentRequiredPermissions | environment-bound provider-readiness surface with implemented guidance from Spec 353 | verifies decision-first provider blocker explanation |
| CustomerReviewWorkspace | workspace review hub with implemented review-output guidance and action mapping from Spec 351 | owner surface for review-output blocker resolution |
| ViewEnvironmentReview | review-owner detail surface | verifies no duplicate CTA rails and customer-safe boundary discipline |
| FindingExceptionsQueue | workspace accepted-risk queue with implemented guidance from Spec 354 | owner surface for accepted-risk follow-up |
| ViewFindingException | accepted-risk lifecycle detail | verifies accepted-risk guidance continuity and action safety |
| GovernanceInbox | workspace-wide operator queue with existing productization and browser smoke history | cross-domain workbench continuity check |
| EvidenceOverview | workspace-wide evidence hub | verifies evidence path and calm/blocked evidence messaging |
| ViewEvidenceSnapshot | evidence basis detail | owner proof surface for evidence detail when review/provider flows deep-link into it |
| OperationRunResource / operation detail routes | workspace operation proof truth | verifies run proof and follow-up traceability |
Existing Proof And Browser Assets
| Asset | Current repo truth |
|---|---|
| Local/testing login helper | /admin/local/smoke-login exists in apps/platform/routes/web.php |
| Review ready-path fixture helper | tenantpilot:review-output:seed-browser-fixture exists |
| Browser smoke for Governance Inbox | apps/platform/tests/Browser/Spec346GovernanceInboxOperatorWorkflowSmokeTest.php exists |
| Browser smoke for review-output actions | apps/platform/tests/Browser/Spec351ReviewOutputResolveActionsSmokeTest.php exists |
| Browser smoke for dashboard guidance | apps/platform/tests/Browser/Spec352EnvironmentDashboardGuidanceSmokeTest.php exists |
| Browser smoke for provider readiness | apps/platform/tests/Browser/Spec353ProviderReadinessGuidanceSmokeTest.php exists |
| Browser smoke for accepted-risk guidance | apps/platform/tests/Browser/Spec354AcceptedRiskGuidanceSmokeTest.php exists |
| Existing screenshots for key flows | Spec packages 351-354 already contain screenshots for dashboard, provider, review, and accepted-risk surfaces |
Coverage Gaps That Spec 355 Should Not Hide
| Area | Repo truth | Implication |
|---|---|---|
| Evidence Overview (UI-044) | route-inventory entry exists, but no page report or screenshot is currently linked there | use Spec 355 artifacts first; do not claim strong durable audit history yet |
| Workspace operation detail (UI-017) | route-inventory entry exists, but no page report is linked there | use Spec 355 matrix/report to capture proof-path observations |
| Spec 351 close-out state | historical browser notes still mention residual P2 items | the sellable gate must verify whether those notes still reproduce |
| Spec 354 close-out shape | screenshots exist, but no spec-package browser-flow audit artifact is present | dependency gate must be runtime-verified, not assumed |
Existing Fixture And Context Signals
| Need | Current signal |
|---|---|
| Review-output blocked flow | Spec 351 smoke history plus current runtime surface and fixture command |
| Review-output ready flow | tenantpilot:review-output:seed-browser-fixture exists |
| Provider blocker flow | Spec 352/353 smoke history plus current provider-readiness surfaces |
| Accepted-risk expiring / expired flow | Spec 354 runtime, screenshots, and browser smoke test exist |
| Governance Inbox item flow | Governance Inbox page and existing browser smoke exist |
| Evidence path | Evidence Overview and evidence-detail surfaces exist, but fixture richness must still be inventoried |
| Operation proof path | operation hub/detail surfaces and proof-link helpers exist, but fixture richness must still be inventoried |
| No urgent action state | dashboard/provider/review surfaces already claim calm states in neighboring specs; Spec 355 must verify a calm case still exists in current data |
Fixture Inventory Actually Used
| Need | Verified local fixture used in Spec 355 |
|---|---|
| Dashboard provider blocker | workspace spec-352-guidance-browser-audit, environment spec-352-audit-provider-blocker, smoke-login user smoke-requester+352@tenantpilot.local |
| Dashboard review-output blocker | workspace spec-352-guidance-browser-audit, environment spec-352-audit-review-output, review #31 |
| Customer Review Workspace | environment_id=52, draft review #31 |
| Accepted-risk expiring / expired / incomplete | workspace wp, environment spec342-demo-accepted-risks, exceptions #7, #8, #9 after local-only fixture augmentation |
| Governance Inbox item | workspace wp, environment spec342-demo-accepted-risks |
| Evidence incomplete | workspace wp, environment spec342-demo-evidence-incomplete, operation #24 |
| Operation proof | workspace wp, environment spec342-demo-evidence-incomplete, operation #24 |
| Calm no-urgent-action state | workspace spec-352-guidance-browser-audit, environment spec-352-audit-no-urgent |
Browser Matrix Outcome
- 10 of 10 required flows were exercised in the browser
- 12 of 12 required screenshots were captured under specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/
- no browser console errors were observed in the Playwright session
- no failing network or server responses were observed in the verified flows
- one in-scope defect was found and fixed during the run:
  - apps/platform/app/Services/Findings/FindingRiskGovernanceResolver.php no longer emits hardcoded English accepted-risk warning messages in the German focused queue lane
Regression Outcome
- targeted affected Spec 354 regressions passed after the localization fix:
  - tests/Feature/Monitoring/Spec354FindingExceptionsQueueGuidanceTest.php
  - tests/Feature/Findings/Spec354FindingExceptionDetailGuidanceTest.php
  - tests/Unit/ResolutionGuidance/Spec354AcceptedRiskResolutionAdapterTest.php
- ./vendor/bin/sail php ./vendor/bin/pint --dirty passed
- git diff --check passed
- broader Spec351 through Spec354 family-filter runs were attempted in Sail but were killed with exit 137, so close-out rests on the narrower affected regressions plus browser proof
Draft-To-Repo Corrections That Must Stay Explicit
- Spec 355 is not a greenfield "sellable mode". It is a verification package over already-existing surfaces.
- Evidence Overview and operation detail are real surfaces, but their durable audit/report coverage is lighter than dashboard/provider/review/risk/governance.
- Browser proof already exists around many adjacent specs, but no current artifact ties them together into one integrated sellable-readiness call.
- Dependency truth for Specs 351-354 is strong but not cosmetically uniform; implementation must verify real blocker closure before claiming readiness.
Out Of Scope Confirmed By Repo Truth
- no new portal or customer-facing standalone product surface
- no PDF/HTML review-pack renderer
- no AI guidance or private AI runtime consumer
- no provider execution rewrite
- no Governance Inbox or dashboard rebuild
- no new persistence or new release-gate entity
Actual Narrow Implementation Shape
- browser-first verification across the current owner surfaces
- spec-local matrix, report, screenshot, and fixture artifacts
- one bounded runtime fix in a pre-existing accepted-risk warning resolver
- one targeted feature-test expansion to lock the localization boundary