ahmido
f35782a163
Added artifacts, screenshots, and documentation for the platform sellable smoke matrix. Fixed a bug in FindingRiskGovernanceResolver and updated related tests. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #426
457 lines
44 KiB
Markdown
457 lines
44 KiB
Markdown
# Feature Specification: Spec 355 - Platform Sellable Smoke Matrix
|
|
|
|
**Feature Branch**: `355-platform-sellable-smoke-matrix`
|
|
**Created**: 2026-06-05
|
|
**Status**: Draft
|
|
**Type**: Productization gate / browser smoke matrix / sellable readiness / operator-flow verification
|
|
**Depends on**: Specs 351, 352, 353, 354
|
|
**Runtime posture**: Verification-first. Browser/readiness gate with minimal fixes only when a verified P0/P1 issue is directly in scope. No new product surface, no new framework, no customer portal, no PDF renderer, no AI lane, and no broad navigation rewrite.
|
|
**Input**: Direct user-provided Spec 355 draft plus repo truth from current operator/productization surfaces, existing browser smoke tests, and adjacent Specs 351-354.
|
|
|
|
## Dependencies And Repo-Truth Adjustments
|
|
|
|
Spec 355 is a bounded readiness gate over already repo-real operator surfaces:
|
|
|
|
- `App\Filament\Pages\EnvironmentDashboard`
|
|
- `App\Filament\Resources\ProviderConnectionResource`
|
|
- `App\Filament\Pages\EnvironmentRequiredPermissions`
|
|
- `App\Filament\Pages\Reviews\CustomerReviewWorkspace`
|
|
- `App\Filament\Resources\EnvironmentReviewResource\Pages\ViewEnvironmentReview`
|
|
- `App\Filament\Pages\Monitoring\FindingExceptionsQueue`
|
|
- `App\Filament\Resources\FindingExceptionResource\Pages\ViewFindingException`
|
|
- `App\Filament\Pages\Governance\GovernanceInbox`
|
|
- `App\Filament\Pages\Monitoring\EvidenceOverview`
|
|
- `App\Filament\Resources\EvidenceSnapshotResource\Pages\ViewEvidenceSnapshot`
|
|
- `App\Filament\Resources\OperationRunResource`
|
|
|
|
Repo-truth adjustments against the user draft:
|
|
|
|
- Specs 351-354 are commit-backed on `platform-dev`, but the close-out metadata is not perfectly uniform across their spec packages. Spec 355 must treat dependency verification as an explicit first-phase gate instead of assuming all neighboring packages are perfectly normalized.
|
|
- Spec 351 has checked implementation tasks and a commit (`d4e4d2d1`), but its spec header still says `Draft` and its browser-flow audit records residual P2 observations. Spec 355 may depend on the implemented runtime truth, but must not silently treat historical P2 notes as already closed.
|
|
- Spec 352 is the cleanest dependency signal: repo-truth and page-report artifacts both describe the dashboard guidance slice as implemented.
|
|
- Spec 353 marks itself `Implemented (close-out audit pending)` and has a commit (`d2876af9`), but some checklist language still reflects prep wording. Spec 355 should rely on runtime truth plus committed tests/screenshots, not on any single metadata field alone.
|
|
- Spec 354 has a commit (`a9c54205`), checked implementation tasks, screenshots, and an existing browser smoke test file, but the spec header still says `Draft` and the spec package does not yet contain a dedicated browser-flow audit report. Spec 355 must verify whether the specific named dependency concerns are actually closed before issuing a sellable-readiness verdict.
|
|
- Existing browser smoke assets already exist for Governance Inbox, review-output guidance, provider-readiness guidance, accepted-risk guidance, and dashboard guidance. Spec 355 should reuse that repo history as context, but the sellable-readiness claim must come from a fresh cross-surface matrix rather than from neighboring spec assertions alone.
|
|
- `docs/ui-ux-enterprise-audit/route-inventory.md` already covers most in-scope surfaces. Evidence Overview (`UI-044`) and workspace operation detail (`UI-017`) still lack the same durable page-report depth as other strategic surfaces, so Spec 355 should use its own artifacts first and only expand the audit registry if a minimal P0/P1 fix materially changes those surfaces.
|
|
|
|
## Spec Candidate Check *(mandatory - SPEC-GATE-001)*
|
|
|
|
- **Problem**: TenantPilot now has several productized operator flows, but they were implemented across separate specs. The platform can still feel fragmented if the first blocker, next action, scope boundary, customer-safe boundary, and proof path do not line up across dashboard, provider, review, risk, evidence, governance, and operations surfaces.
|
|
- **Today's failure**: An MSP operator can still land in a troubleshooting maze where one page says "provider blocked", another says "review blocked", a detail page promotes the wrong CTA, accepted-risk wording drifts from review wording, or proof links and environment scope feel disconnected.
|
|
- **User-visible improvement**: A sellable smoke matrix proves whether the current platform feels like one governed MSP operating system: one dominant next action, correct scope continuity, conservative customer-safe boundaries, and coherent evidence/proof paths across the most important workflows.
|
|
- **Smallest enterprise-capable version**: Verify the existing surfaces end-to-end in a browser, capture screenshots, classify failures, and allow only direct P0/P1 fixes on the owning surfaces when absolutely necessary to make the platform coherent enough for operator demo/sellable-readiness use.
|
|
- **Explicit non-goals**: No customer portal, no PDF/HTML renderer, no AI guidance, no PSA/ITSM handoff, no new provider execution logic, no new resolution-adapter rollout, no dashboard rewrite, no Governance Inbox rewrite, no EvidenceSnapshot generation rewrite, no new database table, and no broad localization initiative.
|
|
- **Permanent complexity imported**: One spec-local smoke matrix, one readiness report, optional blocked-fixture notes, screenshots, and at most targeted regression tests for direct P0/P1 fixes. No new persisted product truth, no new enum family, no new framework, and no new workflow engine are intended.
|
|
- **Why now**: Specs 351-354 created a strong operator-guidance foundation, but the next sellability question is cross-surface coherence, not another isolated feature. This is the bounded gate before broader follow-up lanes such as renderers, customer portal contracts, or private AI assistance.
|
|
- **Why not local**: A page-local review on only dashboard, only provider readiness, or only accepted risk would miss the actual productization risk, which is cross-surface contradiction and broken continuity. The smallest honest slice is one integrated browser matrix across the existing owner surfaces.
|
|
- **Approval class**: Core Enterprise.
|
|
- **Red flags triggered**: Strategic operator surfaces, cross-surface workflow assertions, customer-safe boundary verification, and browser-heavy proof. Defense: the slice is verification-first, forbids broad runtime expansion, reuses existing product truth, and allows only minimal P0/P1 fixes.
|
|
- **Score**: Nutzen: 2 | Dringlichkeit: 2 | Scope: 2 | Komplexitaet: 1 | Produktnaehe: 2 | Wiederverwendung: 1 | **Gesamt: 10/12**
|
|
- **Decision**: approve with strict dependency-gate and no-new-surface guardrails.
|
|
|
|
## Candidate Source And Completed-Spec Guardrail
|
|
|
|
- **Candidate source**:
|
|
- direct user-provided Spec 355 draft
|
|
- immediate follow-through over Specs 351-354
|
|
- existing UI audit registry, route inventory, and browser smoke coverage across the affected operator surfaces
|
|
- **Completed-spec guardrail result**:
|
|
- no `specs/355-*` package existed before this preparation run
|
|
- Specs 351-354 are adjacent historical/runtime context only and must not be rewritten back into preparation-only wording
|
|
- no completed task markers, screenshots, or historical findings are being removed from any earlier spec package
|
|
- **Close alternatives deferred**:
|
|
- Spec 356 - Review Pack PDF/HTML Renderer v1
|
|
- Spec 357 - Customer Portal Boundary Contract
|
|
- Spec 358 - Private AI Resolution Suggestion Foundation
|
|
- Spec 359 - Localization v1
|
|
- Spec 360 - Portfolio / Cross-Tenant Action Readiness
|
|
- **Smallest viable implementation slice**: browser-verify the current productized operator surfaces, record a defensible pass/fail/blocked matrix, and only patch direct P0/P1 issues on the owning surfaces when the issue is clearly in scope and cheaply provable.
|
|
|
|
## Spec Scope Fields *(mandatory)*
|
|
|
|
- **Scope**: workspace-wide hubs plus environment-bound owner surfaces, verified as one integrated operator flow.
|
|
- **Primary Routes**:
|
|
- `/admin/workspaces/{workspace}/environments/{environment}`
|
|
- `/admin/provider-connections`
|
|
- `/admin/workspaces/{workspace}/environments/{environment}/required-permissions`
|
|
- `/admin/reviews/workspace`
|
|
- `/admin/workspaces/{workspace}/environments/{environment}/environment-reviews/{record}`
|
|
- `/admin/finding-exceptions/queue`
|
|
- `/admin/workspaces/{workspace}/environments/{environment}/finding-exceptions/{record}`
|
|
- `/admin/governance/inbox`
|
|
- `/admin/evidence/overview`
|
|
- `/admin/workspaces/{workspace}/operations`
|
|
- `/admin/workspaces/{workspace}/operations/{run}`
|
|
- **Data Ownership**:
|
|
- existing dashboard, provider, review, accepted-risk, evidence, and `OperationRun` truth remain authoritative
|
|
- smoke matrix, readiness report, blocked-fixture notes, and screenshots are spec-package artifacts only
|
|
- no new database persistence is introduced
|
|
- **RBAC**:
|
|
- existing workspace membership, environment entitlement, and capability checks remain authoritative
|
|
- no new authorization plane or capability family is introduced
|
|
- any minimal fix must preserve `404` for out-of-scope access and current capability-enforced mutation behavior
|
|
|
|
For mixed workspace-hub and environment-owner verification:
|
|
|
|
- **Default filter behavior when environment-context is active**: workspace hubs may use explicit `environment_id` filters where already repo-real, but they must not depend on hidden shell/session scope or stale `tenant` query behavior.
|
|
- **Explicit entitlement checks preventing cross-tenant leakage**: all deep links and proof routes must continue to resolve through the current workspace membership plus entitled environment scope only.
|
|
|
|
## UI Surface Impact *(mandatory - UI-COV-001)*
|
|
|
|
- [ ] No UI surface impact
|
|
- [x] Existing page changed
|
|
- [x] Navigation changed
|
|
- [ ] Filament panel/provider surface changed
|
|
- [ ] New modal/drawer/wizard/action added
|
|
- [ ] New table/form/state added
|
|
- [x] Customer-facing surface changed
|
|
- [x] Dangerous action changed
|
|
- [x] Status/evidence/review presentation changed
|
|
- [x] Workspace/environment context presentation changed
|
|
|
|
## UI/Productization Coverage *(mandatory when UI Surface Impact is not "No UI surface impact")*
|
|
|
|
- **Route/page/surface**:
|
|
- Environment Dashboard top guidance and CTA continuity
|
|
- Provider Connections and Required Permissions
|
|
- Customer Review Workspace and Environment Review detail
|
|
- Finding Exceptions Queue and Exception Detail
|
|
- Governance Inbox
|
|
- Evidence Overview and evidence-basis drill-through
|
|
- Operations hub / operation proof detail
|
|
- **Current or new page archetype**:
|
|
- existing strategic workspace or environment operator surfaces only
|
|
- no new page archetype is introduced
|
|
- **Design depth**:
|
|
- Environment Dashboard, Provider Connections, Governance Inbox, Customer Review Workspace, Evidence Overview, and Operations are Strategic Surfaces
|
|
- Environment Review detail, Exception Detail, and Required Permissions remain existing detail/domain surfaces with high productization sensitivity
|
|
- **Repo-truth level**: repo-verified runtime surfaces
|
|
- **Existing pattern reused**:
|
|
- Specs 351-354 operator-guidance patterns
|
|
- current page reports for dashboard, provider connections, required permissions, customer review workspace, environment review detail, governance inbox, operations, finding exceptions queue, and exception detail
|
|
- current route inventory for Evidence Overview and operation detail
|
|
- **New pattern required**: none in the product. The only new artifact pattern is the spec-local smoke matrix and readiness report.
|
|
- **Screenshot required**: yes, under `specs/355-platform-sellable-smoke-matrix/artifacts/screenshots/`
|
|
- **Page audit required**:
|
|
- no broad UI audit rewrite by default
|
|
- use existing page reports plus Spec 355 artifacts as the primary verification package
|
|
- if a minimal P0/P1 fix materially changes Evidence Overview or operation detail, record the audit follow-up explicitly during close-out
|
|
- **Customer-safe review required**: yes, because review-output, evidence, accepted-risk, and operation-proof flows may otherwise overclaim customer-ready or shareable output
|
|
- **Dangerous-action review required**: yes; publish, approve/reject, renew/revoke, and other state-changing actions must remain confirmation- and authorization-safe even when the smoke matrix evaluates prominence or disabled state
|
|
- **Coverage files updated or explicitly not needed**:
|
|
- [ ] `docs/ui-ux-enterprise-audit/route-inventory.md`
|
|
- [ ] `docs/ui-ux-enterprise-audit/design-coverage-matrix.md`
|
|
- [x] `docs/ui-ux-enterprise-audit/page-reports/...`
|
|
- [ ] `docs/ui-ux-enterprise-audit/strategic-surfaces.md`
|
|
- [ ] `docs/ui-ux-enterprise-audit/grouped-follow-up-candidates.md`
|
|
- [x] `docs/ui-ux-enterprise-audit/unresolved-pages.md`
|
|
- [ ] `N/A - no reachable UI surface impact`
|
|
- **No-impact rationale when applicable**: N/A
|
|
|
|
## Cross-Cutting / Shared Pattern Reuse *(mandatory)*
|
|
|
|
- **Cross-cutting feature?**: yes
|
|
- **Interaction class(es)**: dashboard signals, next-action guidance, status messaging, proof links, evidence/report viewers, governance queue routing, and customer-safe review messaging
|
|
- **Systems touched**:
|
|
- `App\Support\EnvironmentDashboard\EnvironmentDashboardSummaryBuilder`
|
|
- `App\Support\ResolutionGuidance\ResolutionCase`
|
|
- `App\Support\ResolutionGuidance\ResolutionAction`
|
|
- `App\Support\ReviewPacks\ReviewPackOutputResolutionGuidance`
|
|
- `App\Services\Findings\FindingRiskGovernanceResolver`
|
|
- `App\Support\GovernanceInbox\GovernanceInboxSectionBuilder`
|
|
- `App\Support\OperationRunLinks`
|
|
- `App\Support\OpsUx\OperationRunUrl`
|
|
- existing provider-readiness summary and required-permissions builders
|
|
- **Existing pattern(s) to extend**:
|
|
- Specs 351-354 guidance hierarchy and owner-surface continuity
|
|
- existing `OperationRun` proof-link helpers
|
|
- current page-report and route-inventory productization registry
|
|
- **Shared contract / presenter / builder / renderer to reuse**:
|
|
- `ResolutionCase` / `ResolutionAction`
|
|
- `GovernanceActionCatalog`
|
|
- `EnvironmentDashboardSummaryBuilder`
|
|
- `GovernanceInboxSectionBuilder`
|
|
- `OperationRunUrl` / `OperationRunLinks`
|
|
- **Why the existing shared path is sufficient or insufficient**: the repo already has the operator-guidance and proof-link paths needed for this gate. Spec 355 should verify and minimally align them, not invent a second integration framework.
|
|
- **Allowed deviation and why**: none inside product runtime. Spec-local matrix/report artifacts are allowed because the product itself has no current sellable-readiness artifact surface.
|
|
- **Consistency impact**: one dominant next action, conservative customer-safe claims, stable canonical nouns, consistent deep-link behavior, and diagnostics-secondary disclosure must stay aligned across all tested surfaces.
|
|
- **Review focus**: prevent duplicate local CTA rails, fake remediation actions, raw-first detail defaults, broken proof links, and cross-surface terminology drift.
|
|
|
|
## OperationRun UX Impact *(mandatory)*
|
|
|
|
- **Touches OperationRun start/completion/link UX?**: deep-link and proof continuity only
|
|
- **Shared OperationRun UX contract/layer reused**:
|
|
- existing `OperationRunUrl`
|
|
- existing `OperationRunLinks`
|
|
- existing workspace operation hub and operation detail resource routes
|
|
- **Delegated start/completion UX behaviors**:
|
|
- `Open operation` / `View run` link continuity
|
|
- tenant/workspace-safe URL resolution
|
|
- proof/deep-link behavior only
|
|
- **Local surface-owned behavior that remains**: deciding whether operation proof is the right secondary follow-up or whether it should remain tertiary diagnostics beneath a more important next action
|
|
- **Queued DB-notification policy**: unchanged
|
|
- **Terminal notification path**: unchanged
|
|
- **Exception required?**: none
|
|
|
|
## Provider Boundary / Platform Core Check *(mandatory)*
|
|
|
|
- **Shared provider/platform boundary touched?**: yes, as verification-only mixed context
|
|
- **Boundary classification**: mixed
|
|
- **Seams affected**:
|
|
- provider-owned readiness surfaces: Provider Connections, Required Permissions
|
|
- platform-core operator surfaces: Environment Dashboard, Customer Review Workspace, Governance Inbox, Evidence Overview, accepted-risk owner surfaces, Operations
|
|
- **Neutral platform terms preserved or introduced**:
|
|
- provider blocker
|
|
- review output blocker
|
|
- accepted risk
|
|
- evidence basis
|
|
- operation proof
|
|
- customer-safe boundary
|
|
- **Provider-specific semantics retained and why**: Microsoft/provider-specific permission and consent wording remains only on the provider-owned surfaces where current repo truth already requires it.
|
|
- **Why this does not deepen provider coupling accidentally**: Spec 355 does not add new shared taxonomy, persistence, or provider abstraction. It only verifies the current provider-owned and platform-core seams behave coherently.
|
|
- **Follow-up path**: `document-in-feature` if the smoke matrix uncovers a provider/platform drift that is out of scope for a minimal direct fix
|
|
|
|
## UI / Surface Guardrail Impact *(mandatory)*
|
|
|
|
| Surface / Change | Operator-facing surface change? | Native vs Custom | Shared-Family Relevance | State Layers Touched | Exception Needed? | Low-Impact / `N/A` Note |
|
|
|---|---|---|---|---|---|---|
|
|
| Environment Dashboard top guidance and CTA continuity | yes | Native Filament dashboard plus shared guidance payload | dashboard signals, proof links, next-action guidance | page, header, URL | no | existing route only |
|
|
| Provider Connections / Required Permissions | yes | Native Filament resource + page | provider-readiness guidance, blocker routing | page, table/filter, detail | no | existing routes only |
|
|
| Customer Review Workspace / Environment Review detail | yes | Native Filament page + resource detail | review-output guidance, customer-safe disclosure, action hierarchy | page, detail, URL | no | existing routes only |
|
|
| Finding Exceptions Queue / Exception Detail | yes | Native Filament page + resource detail | accepted-risk guidance, governance continuity | page, detail, URL | no | existing routes only |
|
|
| Governance Inbox | yes | Native Filament page | cross-domain queue routing, next-action labels | page, URL | no | existing route only |
|
|
| Evidence Overview / Evidence basis drill-through | yes | Native Filament page + resource detail | evidence/proof disclosure, customer-safe boundary | page, detail, table/filter | no | current page-report depth is lighter than other strategic surfaces |
|
|
| Operations hub / operation proof | yes | Native Filament route + resource detail | proof links, monitoring detail, diagnostics hierarchy | page, detail, URL | no | current route-inventory coverage exists; close-out may need extra note |
|
|
|
|
## Decision-First Surface Role *(mandatory)*
|
|
|
|
| Surface | Decision Role | Human-in-the-loop Moment | Immediately Visible for First Decision | On-Demand Detail / Evidence | Why This Is Primary or Why Not | Workflow Alignment | Attention-load Reduction |
|
|
|---|---|---|---|---|---|---|---|
|
|
| Environment Dashboard | Primary Decision Surface | Decide what blocks the environment first | blocker, reason, impact, one next action | proof rails, diagnostics, secondary links | primary because it is the environment command surface | environment-first operating flow | avoids opening multiple admin pages before understanding the blocker |
|
|
| Provider Connections / Required Permissions | Primary Decision Surface | Resolve provider readiness blocker safely | blocker category, why it matters, one next action | matrix, verification detail, technical disclosure | primary when provider readiness is the top blocker | provider-owner flow | avoids badge/count interpretation work |
|
|
| Customer Review Workspace | Primary Decision Surface | Decide what is needed before customer-safe output | output readiness, limitation boundary, one next action | deeper review/evidence context | primary when review output is the top blocker | review-owner flow | avoids review-detail reconstruction |
|
|
| Environment Review detail | Secondary Context | Validate the selected review and perform source-owned actions | readiness state, limitations, source-owned action hierarchy | evidence, history, proof | secondary because the workspace owns the overview decision | review-owner detail flow | avoids duplicate equal-weight decision homes |
|
|
| Finding Exceptions Queue | Primary Decision Surface | Decide which accepted risk needs governance action now | risk state, why it matters, one next action | deeper evidence/history | primary because it owns accepted-risk triage | accepted-risk owner flow | avoids status-badge translation |
|
|
| Governance Inbox | Primary Decision Surface | Clear cross-domain governance follow-up | queue summary, why it matters, one next action | deeper owner-surface context after click | primary as the cross-domain workbench, but not the owner for every domain action | daily operator queue | avoids hunting across many hubs |
|
|
| Evidence Overview | Secondary Context | Decide whether evidence is sufficient to trust or share an output | readiness/proof summary, stale/missing evidence state | raw evidence rows and detail | secondary because evidence supports other owner surfaces | evidence/proof support flow | avoids raw-report-first reading |
|
|
| Operations hub / operation proof | Tertiary Evidence / Diagnostics | Verify truth of a referenced operation or follow-up | run status, outcome, environment/source linkage | full operation context and technical detail | tertiary because proof should not compete with the primary workflow CTA | proof-verification flow | keeps monitoring detail out of first-decision space unless needed |
|
|
|
|
## Audience-Aware Disclosure *(mandatory)*
|
|
|
|
| Surface | Audience Modes In Scope | Decision-First Default-Visible Content | Operator Diagnostics | Support / Raw Evidence | One Dominant Next Action | Hidden / Gated By Default | Duplicate-Truth Prevention |
|
|
|---|---|---|---|---|---|---|---|
|
|
| Dashboard and provider/review/risk owner surfaces | operator-MSP, manager | blocker, impact, next action, scope | related proof, secondary links | raw payloads, technical diagnostics | yes | raw/support detail remains secondary | the blocker is stated once and not restated as a competing CTA rail |
|
|
| Customer Review Workspace and review detail | operator-MSP, customer-safe operator handoff | release/readiness state, customer-safe boundary, next action | evidence basis, accepted-risk summary | internal rationale, raw metadata, debug detail | yes | internal-only detail remains secondary | customer-ready claim is kept distinct from internal draft/proof detail |
|
|
| Governance Inbox | operator-MSP | queue summary, why it matters, one next step | lane-specific detail after inspection | raw/support data belongs on owner surfaces | yes | deep diagnostics stay off the first screen | inbox routes into owner surfaces rather than duplicating their truths |
|
|
| Evidence Overview | operator-MSP, support where authorized | missing/stale/ready evidence state and what it blocks | evidence source detail, row-level artifact state | raw payload detail, fingerprints, support-only data | yes, if blocked | raw/support detail remains secondary | evidence supports a blocker; it does not restate every owner-surface summary |
|
|
| Operations hub / operation proof | operator-MSP, support-platform | run status, outcome, environment/source association | full run context, summary counts, timestamps | raw support details and deep technical context | no new primary beyond proof verification | deep diagnostics remain tertiary | proof answers "did it happen?" without becoming the default action rail |
|
|
|
|
## UI/UX Surface Classification *(mandatory)*
|
|
|
|
| Surface | Action Surface Class | Surface Type | Likely Next Operator Action | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type / Justification |
|
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
| Environment Dashboard | Dashboard / Workbench | Command surface | Open the dominant owner surface | page-level CTA | N/A | compact subordinate links | none in this spec | environment dashboard route | owner surface route | workspace + environment | Environment Dashboard | top blocker and next action | none |
|
|
| Provider Connections | List / Table / Bulk | Strategic integration list | Open required permissions, grant consent, or run verification | table inspect/open | existing | More / supporting links | existing grouped actions only | `/admin/provider-connections` | current record/detail routes | workspace + optional environment filter | Provider Connections | blocker category and next action | none |
|
|
| Required Permissions | Detail / Guidance | Guidance-first diagnostic detail | Review missing permission category or verification blocker | page-level sections | N/A | supporting diagnostic sections | none introduced | required-permissions route | N/A | workspace + environment | Required Permissions | blocker and why it matters | none |
|
|
| Customer Review Workspace | Dashboard / Workbench | Customer-safe operator hub | Create/open/refresh/publish only when repo-backed and safe | page-level CTA | existing list/detail entry points | supporting actions below dominant CTA | source-owned destructive actions stay secondary | `/admin/reviews/workspace` | review detail route | workspace + explicit environment filter | Customer Review Workspace | output readiness and next action | none |
|
|
| Environment Review Detail | Detail / Record | Review-owner detail | Validate or execute the source-owned action | existing detail/open model | existing | contextual detail only | existing header actions only | environment review list | current detail route | workspace + environment + record | Environment Review | readiness, limitations, primary owner action | none |
|
|
| Finding Exceptions Queue / Detail | Queue + Record Detail | Accepted-risk owner surfaces | Review accepted risk or execute source-owned lifecycle action | queue inspect/open then detail | existing | supporting context | existing approve/reject/renew/revoke placement | queue route | current detail route | workspace or environment + record | Accepted Risk / Exception | governance state and next action | none |
|
|
| Governance Inbox | Queue | Cross-domain operator queue | Open the owning surface for the active case | queue inspect/open | existing | secondary context only | none introduced | `/admin/governance/inbox` | owner surface route | workspace + optional environment filter | Governance Inbox | why this item matters and what to open | none |
|
|
| Evidence Overview / Operation proof | List / Detail | Evidence / diagnostics support | Inspect evidence or verify operation proof | current list/detail model | existing where available | diagnostics and technical detail remain secondary | none introduced | `/admin/evidence/overview`, `/admin/workspaces/{workspace}/operations` | current detail routes | workspace + optional environment filter | Evidence / Operation | readiness or run truth needed for trust | none |
|
|
|
|
## Operator Surface Contract *(mandatory)*
|
|
|
|
| Surface | Primary Persona | Decision / Operator Action Supported | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
|
|
|---|---|---|---|---|---|---|---|---|---|---|
|
|
| Environment Dashboard | MSP operator / manager | Decide what to do first in this environment | command surface | What blocks this environment first? | top blocker, impact, one next step | proof and secondary diagnostics | provider, review, governance, evidence, operations | navigation-only in this spec | open owner surface | none introduced |
|
|
| Provider readiness owner surfaces | MSP operator / manager | Resolve provider blocker safely | strategic list/detail | What provider readiness issue matters now? | blocker category, effect on TenantPilot, one next action | permission matrix, technical verification detail | consent, permission, verification freshness | existing source-owned provider actions only | grant consent, run verification, open permissions | existing provider actions remain guarded |
|
|
| Review owner surfaces | MSP operator / manager | Resolve blocked output or confirm ready output | workspace hub + detail | What is preventing customer-safe output? | readiness, limitations, one next action | deeper evidence and lifecycle detail | publication, output readiness, evidence completeness | existing review actions only | create/open/refresh/publish when safe | existing publish/refresh/create actions stay source-owned |
|
|
| Accepted-risk owner surfaces | MSP operator / manager | Review accepted-risk governance coverage | queue + detail | Which accepted risk needs action and why? | governance state, impact, one next action | history, deeper evidence, related context | expiry, freshness, governance support | existing exception actions only | review accepted risk | approve/reject/renew/revoke remain guarded |
|
|
| Governance Inbox | MSP operator / manager | Route cross-domain work to the right owner surface | queue | What governance item should I clear next? | queue summary, reason, one next step | full owner-surface detail after open | queue state, severity, follow-up need | navigation-only in this spec | open owner surface | none introduced |
|
|
| Evidence / Operations proof | MSP operator / support | Verify proof and trust boundaries | evidence/monitoring support | Is the referenced evidence or run trustworthy and in scope? | readiness/proof summary, environment/source association | raw detail, technical context, timestamps | evidence completeness, run status, run outcome | none | inspect evidence or run | none introduced |
|
|
|
|
## Proportionality Review *(mandatory when structural complexity is introduced)*
|
|
|
|
- **New source of truth?**: no
|
|
- **New persisted entity/table/artifact?**: no product persistence; spec artifacts only
|
|
- **New abstraction?**: no
|
|
- **New enum/state/reason family?**: no
|
|
- **New cross-domain UI framework/taxonomy?**: no
|
|
- **Current operator problem**: the platform may still feel fragmented across already-productized flows even when each individual flow works in isolation.
|
|
- **Existing structure is insufficient because**: isolated specs and page-local tests do not prove the integrated sellable operator experience.
|
|
- **Narrowest correct implementation**: one browser smoke matrix, one readiness report, and only minimal direct P0/P1 fixes on current owner surfaces.
|
|
- **Ownership cost**: artifact upkeep, screenshots, and regression verification only.
|
|
- **Alternative intentionally rejected**: broad navigation or workflow redesign, new portal, or new guidance engine.
|
|
- **Release truth**: current-release truth.
|
|
|
|
### Compatibility posture
|
|
|
|
This feature assumes the repo's current pre-production posture.
|
|
|
|
Backward compatibility, migration shims, data-shape aliases, and legacy fixtures are out of scope unless a minimal direct fix explicitly proves they are needed, which is not expected for this verification gate.
|
|
|
|
## Testing / Lane / Runtime Impact *(mandatory for runtime behavior changes)*
|
|
|
|
- **Livewire version contract**: unchanged; current repo truth remains Livewire v4.x.
|
|
- **Filament panel/provider registration**: unchanged; `apps/platform/bootstrap/providers.php` remains authoritative and is not part of this slice.
|
|
- **Global search**: unchanged; no resource is made globally searchable by this spec.
|
|
- **Test purpose / classification**:
|
|
- Browser for the integrated sellable smoke matrix
|
|
- Feature/Livewire and/or Unit only if a direct P0/P1 fix needs targeted proof
|
|
- **Validation lane(s)**: browser + confidence + fast-feedback
|
|
- **Why this lane mix is the narrowest sufficient proof**: the primary question is cross-surface operator trust and workflow continuity. Browser verification must lead; code-level tests are only needed to guard a direct in-scope fix.
|
|
- **New or expanded test families**: none by default; one bounded `Spec355` browser smoke or targeted regression additions only if needed
|
|
- **Fixture / helper cost impact**: may reuse existing smoke-login and local/testing fixture commands; no new persisted product fixture truth is planned
|
|
- **Heavy-family visibility / justification**: browser coverage is explicit because this is a sellable-readiness gate over strategic operator surfaces
|
|
- **Special surface test profile**:
|
|
- `monitoring-state-page` for Operations proof
|
|
- `shared-detail-family` for review and exception detail
|
|
- `standard-native-filament` elsewhere
|
|
- **Reviewer handoff**: reviewers must confirm that blocked flows are not misclassified as pass, that dependency caveats are documented, and that any fix stayed direct and owner-surface-local.
|
|
- **Budget / baseline / trend impact**: none expected beyond one bounded browser verification/reporting slice
|
|
- **Escalation needed**: `document-in-feature` if dependency close-out or fixture blockers remain; `follow-up-spec` only if repeated structural drift appears
|
|
- **Active feature PR close-out entry**: Guardrail / Exception / Smoke Coverage
|
|
- **Planned validation commands**:
|
|
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec351`
|
|
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec352`
|
|
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec353`
|
|
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec354`
|
|
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=CustomerReviewWorkspace`
|
|
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=EnvironmentDashboard`
|
|
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=ProviderConnection`
|
|
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=FindingException`
|
|
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=ResolutionGuidance`
|
|
- `cd apps/platform && ./vendor/bin/sail pint --dirty`
|
|
- `git diff --check`
|
|
|
|
## Functional Requirements
|
|
|
|
- **FR-355-001**: Spec 355 must produce `artifacts/platform-sellable-smoke-matrix.md` with the required matrix columns and one row per required smoke flow.
|
|
- **FR-355-002**: Spec 355 must verify at least these flows when fixture truth exists: Environment Dashboard -> provider blocker, Environment Dashboard -> review-output blocker, Customer Review Workspace resolve loop, Environment Review detail in customer-workspace context, Provider Connections / Required Permissions, accepted-risk owner surfaces, Governance Inbox, Evidence Overview / evidence basis, operation proof, and calm no-urgent-action state.
|
|
- **FR-355-003**: Each tested surface must answer, within one first-screen decision view, what the state is, why it matters, and what the next action is.
|
|
- **FR-355-004**: Each tested flow must verify one dominant primary action and no competing duplicate CTA rails.
|
|
- **FR-355-005**: Each tested flow must verify workspace/environment/source-record scope continuity and document any stale query or hidden-context dependency.
|
|
- **FR-355-006**: Each tested flow must verify customer-safe boundaries and explicitly fail if blocked/internal/limited output is shown as customer-safe or shareable.
|
|
- **FR-355-007**: Each tested flow must record browser-visible errors, console errors, and network/server errors when present.
|
|
- **FR-355-008**: Required screenshots must be saved under `artifacts/screenshots/` or marked blocked with a concrete reason in the matrix.
|
|
- **FR-355-009**: The readiness report must classify the platform as `demo-ready`, `near-demo-ready`, `not demo-ready`, `sellable foundation-ready`, or `blocked`.
|
|
- **FR-355-010**: Blocked flows must remain `BLOCKED` and must not be re-labeled as pass because the operator guessed what the page should have done.
|
|
- **FR-355-011**: Only verified P0/P1 issues may be fixed in-spec, and only when the fix is direct, narrow, and covered by targeted proof.
|
|
- **FR-355-012**: If a direct P0/P1 fix is applied, the affected flow must be re-run and the matrix/report must reflect the post-fix result.
|
|
- **FR-355-013**: The final close-out for Spec 355 must state clearly whether full-suite validation was or was not run.
|
|
|
|
## Non-Functional Requirements
|
|
|
|
- **NFR-355-001**: Verification-first. The spec must prefer browser evidence and artifact honesty over optimistic product claims.
|
|
- **NFR-355-002**: No new runtime architecture, persistence, or workflow engine may be introduced.
|
|
- **NFR-355-003**: Existing RBAC, audit, confirmation, and `OperationRun` ownership must remain authoritative.
|
|
- **NFR-355-004**: No live provider or Graph call may be introduced during render as part of any minimal smoke-fix.
|
|
- **NFR-355-005**: The smoke package must stay reviewable and bounded: one spec directory, one matrix, one readiness report, targeted screenshots, and optional blocked-fixture notes only.
|
|
- **NFR-355-006**: The readiness verdict must remain conservative whenever dependencies or fixtures are incomplete.
|
|
- **NFR-355-007**: No claim of sellable readiness may be made without browser-backed evidence stored in the spec package.
|
|
|
|
## UX Requirements
|
|
|
|
- The first visible state on each tested surface must be decision-first, not diagnostics-first.
|
|
- Exactly one action may be visually primary per tested case.
|
|
- Raw diagnostics, matrices, JSON-like detail, and support-only context must remain secondary or collapsed by default.
|
|
- Calm/no-urgent-action states must not read as empty or broken.
|
|
- Navigation continuity must feel intentional: the operator should not wonder why the CTA landed on a different story than the source page suggested.
|
|
|
|
## RBAC / Security Requirements
|
|
|
|
- Existing workspace membership and environment entitlement remain authoritative and must be smoke-verified where relevant.
|
|
- Customer-safe output must not overclaim when evidence is incomplete, publication is blocked, accepted risk is expired/incomplete, or the export is limited/internal-only.
|
|
- Dangerous actions must keep current confirmation and authorization posture even if Spec 355 changes their prominence, disabled state, or label.
|
|
- The smoke matrix must classify wrong-scope, wrong-workspace, or unauthorized-link exposure as P0.
|
|
|
|
## Auditability / Observability Requirements
|
|
|
|
- Existing `OperationRun`, audit-log, and verification ownership remain authoritative.
|
|
- The smoke matrix and readiness report must explicitly state whether console, network, or server errors were observed.
|
|
- Any minimal fix must preserve existing audit and proof-link behavior; Spec 355 is not allowed to create a second proof path.
|
|
|
|
## Data / Truth-Source Requirements
|
|
|
|
- Existing surface truth remains derived from the current repo runtime only.
|
|
- Smoke artifacts under `specs/355-platform-sellable-smoke-matrix/artifacts/` are the only new durable artifacts.
|
|
- No database table, snapshot, or persisted readiness classifier may be introduced.
|
|
|
|
## Acceptance Criteria
|
|
|
|
- **AC1**: `artifacts/platform-sellable-smoke-matrix.md` exists and lists all required flows with result/status fields.
|
|
- **AC2**: Required screenshots exist or each missing screenshot is explicitly explained.
|
|
- **AC3**: No open P0/P1 remains at close unless the user explicitly chooses to defer it.
|
|
- **AC4**: Customer-safe boundary handling is browser-verified on the relevant review/evidence/risk flows.
|
|
- **AC5**: Workspace/environment continuity is browser-verified on the relevant dashboard/provider/review/governance/evidence/operations flows.
|
|
- **AC6**: Each key surface in the matrix shows one dominant next action or is explicitly failed for not doing so.
|
|
- **AC7**: No fake remediation or unsupported execution action is introduced as part of a smoke-driven fix.
|
|
- **AC8**: `artifacts/platform-sellable-readiness-report.md` exists and states a conservative readiness classification.
|
|
- **AC9**: The targeted regression commands named in this spec remain green after any direct in-scope fix.
|
|
- **AC10**: No migration, new package, new panel/provider change, new queue family, or new persisted truth is introduced by this spec.
|
|
|
|
## Success Criteria
|
|
|
|
- An MSP operator can move from first blocker to owning surface to proof/follow-up without hitting a contradictory or diagnostics-first product path.
|
|
- The platform no longer requires hidden context knowledge to understand which page owns the next step.
|
|
- Customer-safe output claims stay conservative and truthful across the tested flows.
|
|
- The readiness report gives a defensible close/fix/defer recommendation without hand-waving over blocked fixtures or open critical findings.
|
|
|
|
## User Scenarios & Testing *(mandatory)*
|
|
|
|
### User Story 1 - Follow the dominant blocker path (Priority: P1)
|
|
|
|
As an MSP operator, I can open an environment, understand the highest-priority blocker, and land on the owning surface that shows the same story and one safe next step.
|
|
|
|
**Independent Test**: Browser verification of dashboard -> provider blocker and dashboard -> review-output blocker continuity with matching blocker language, preserved scope, and one dominant CTA.
|
|
|
|
### User Story 2 - Resolve review and accepted-risk follow-up without CTA conflict (Priority: P1)
|
|
|
|
As an MSP operator, I can use the review-output and accepted-risk owner surfaces without competing action rails, fake buttons, or diagnostics overtaking the main next step.
|
|
|
|
**Independent Test**: Browser verification of Customer Review Workspace, Environment Review detail, Finding Exceptions Queue, and Exception Detail with one dominant next action and conservative secondary disclosure.
|
|
|
|
### User Story 3 - Verify evidence and proof before trusting customer-safe output (Priority: P1)
|
|
|
|
As an MSP operator, I can verify whether evidence and operation proof support the current claim before I treat the output as ready or shareable.
|
|
|
|
**Independent Test**: Browser verification of Evidence Overview/evidence-basis links and operation proof links, plus explicit checks that blocked or limited outputs do not present themselves as customer-ready.
|
|
|
|
### User Story 4 - See a calm no-urgent-action state and a defensible readiness verdict (Priority: P2)
|
|
|
|
As a product owner or demo operator, I can distinguish a calm ready state from a broken/empty page and get a final readiness classification that honestly reflects what was and was not proven.
|
|
|
|
**Independent Test**: Browser verification of at least one no-urgent-action state when fixture truth exists, plus a completed readiness report that counts pass/fail/blocked flows conservatively.
|
|
|
|
## Risks
|
|
|
|
- **Risk 1 - Dependency ambiguity**: neighboring spec packages do not all carry identical close-out metadata. Mitigation: explicit dependency gate in Phase 1 and conservative blocked/readiness language.
|
|
- **Risk 2 - Fixture incompleteness**: one or more target states may not exist in current local/demo data. Mitigation: inventory fixtures first, record blocked states explicitly, and avoid false pass claims.
|
|
- **Risk 3 - Scope creep into redesign**: productization pain across many surfaces can tempt a broad rewrite. Mitigation: allow only direct P0/P1 fixes on owner surfaces.
|
|
- **Risk 4 - Customer-safe overclaim**: a smoke flow may accidentally trust internal-only detail, stale evidence, or expired accepted risk. Mitigation: treat any such case as at least P1 and usually P0 when output safety is affected.
|
|
- **Risk 5 - Browser-only proof drift**: manual browser success without stored artifacts can become unreviewable. Mitigation: save screenshots and fill the matrix/report as the source of truth.
|
|
|
|
## Follow-Up Candidates
|
|
|
|
- Spec 356 - Review Pack PDF/HTML Renderer v1
|
|
- Spec 357 - Customer Portal Boundary Contract
|
|
- Spec 358 - Private AI Resolution Suggestion Foundation
|
|
- Spec 359 - Localization v1
|
|
- Spec 360 - Portfolio / Cross-Tenant Action Readiness
|
|
|
|
## Assumptions
|
|
|
|
- Existing dashboard/provider/review/risk/evidence/operations surfaces already contain enough repo-real behavior to make a meaningful integrated sellable-readiness call without inventing new flows.
|
|
- Existing smoke-login and local/testing fixture helpers are sufficient to exercise at least the core required flows, or blocked states can be documented honestly without widening scope.
|
|
- Any direct P0/P1 fix will be local to an existing owner surface and will not require new persistence or framework work.
|
|
- The user wants preparation artifacts only in this turn; no application implementation is performed as part of the prep.
|
|
|
|
## Open Questions
|
|
|
|
No blocking preparation questions remain.
|
|
|
|
Implementation should still verify two runtime gates before declaring the platform ready:
|
|
|
|
- whether Spec 354's specifically named dependency concerns are demonstrably closed on the current repo truth
|
|
- whether all required smoke states can be exercised with current local/testing fixtures or whether some flows must remain `BLOCKED`
|