TenantAtlas/specs/357-report-profiles-disclosure-policy-v1/tasks.md
ahmido b7907bd69d feat: add report profile and disclosure policy to rendered review reports (#428)
Implementing report profiles and disclosure policy as per spec 357.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #428
2026-06-06 09:41:19 +00:00

9.4 KiB

Tasks: Spec 357 - Report Profiles & Disclosure Policy v1

Input: /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/357-report-profiles-disclosure-policy-v1/spec.md
Prerequisites: /Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/357-report-profiles-disclosure-policy-v1/plan.md, checklists/requirements.md

Tests: Required. This is a runtime report/disclosure change on existing customer-facing strategic surfaces. Unit, Feature, and one bounded Browser smoke are required.

Test Governance Checklist

  • Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
  • New or changed tests stay in the smallest honest family, and the browser addition is explicit.
  • Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default.
  • Planned validation commands cover the change without pulling in unrelated lane cost.
  • The declared surface test profile (shared-detail-family) is explicit.
  • Any material budget, baseline, trend, or escalation note is recorded in the active spec or PR.

Phase 1: Repo Truth And Scope Gate

  • T001 Re-read spec.md, plan.md, and checklists/requirements.md before editing runtime code.
  • T002 Confirm branch/worktree intent with git status --short --branch and record the baseline commit with git log -1 --oneline.
  • T003 Inspect the existing rendered-report seams in:
    • apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php
    • apps/platform/app/Support/ReviewPacks/ReviewPackOutputReadiness.php
    • apps/platform/app/Support/ReviewPacks/ReviewPackOutputResolutionGuidance.php
    • apps/platform/resources/views/review-packs/rendered-report.blade.php
  • T004 Inspect current owner-surface handoff seams in:
    • apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php
    • apps/platform/app/Filament/Resources/EnvironmentReviewResource.php
    • apps/platform/app/Filament/Resources/ReviewPackResource.php
  • T005 Confirm no new persistence, new delivery workflow, public route family, PDF stack, portal route, AI runtime, or framework-report implementation is needed.

Phase 2: Tests First

  • T006 Add apps/platform/tests/Unit/Support/ReviewPacks/Spec357ReportProfileRegistryTest.php covering required implemented profiles, placeholder handling, and invalid-profile fail-closed behavior.
  • T007 Add apps/platform/tests/Unit/Support/ReviewPacks/Spec357ReportDisclosurePolicyTest.php covering mandatory disclosures, blocking reasons, and proof states (verified, assumed, not_applicable, missing, unknown).
  • T008 Add apps/platform/tests/Feature/ReviewPack/Spec357RenderedReportProfileTest.php covering effective profile selection, visible profile metadata, mandatory disclosure override, and customer/internal boundary behavior.
  • T009 Add apps/platform/tests/Browser/Spec357ReportProfilesSmokeTest.php covering internal MSP, customer executive limited, customer-safe ready, auditor appendix, and invalid/placeholder profile behavior.

Phase 3: Static Report Profile Registry

  • T010 Create apps/platform/app/Support/ReviewPacks/ReportProfileRegistry.php with static implemented profiles:
    • customer_executive
    • customer_technical
    • internal_msp_review
    • auditor_appendix
  • T011 Model framework_readiness as placeholder-only and not implemented by default.
  • T012 Keep the registry bounded to the current review-pack/report family; do not add CRUD, config writes, or generalized reporting infrastructure.
  • T013 Fail closed for unknown or unimplemented profile keys and keep the fallback behavior explicit and tested.

Phase 4: Disclosure Policy

  • T014 Create apps/platform/app/Support/ReviewPacks/ReportDisclosurePolicy.php to evaluate profile + readiness + evidence + internal-only/PII + available source/disclosure metadata.
  • T015 Ensure the policy emits mandatory disclosures, warnings, blocking reasons, and proof states without provider/Graph calls.
  • T016 Preserve the distinction between independently proven and assumed safety signals; do not silently treat current boolean assumptions as verified truth.
  • T017 Keep blocking and boundary behavior derived-only inside the current rendered-report flow; do not implement scheduling, approval, send, or future-consumer delivery semantics.
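The registry and policy shape described in Phases 3 and 4, written out as an added, self-contained example (not the project's own ReportProfileRegistry or ReportDisclosurePolicy). The profile keys and the five proof states come from this task list; the audience labels, the signal names, the disclosure/blocking reason strings and the sample input are assumptions made up for the example. The points it demonstrates are the ones T013 and T016 insist on: an unknown key is rejected outright rather than mapped to a default profile, the placeholder profile is blocked rather than rendered as if implemented, and a boolean that is only assumed true produces an "assumed, not verified" disclosure instead of being reported as proven.

```php
<?php
declare(strict_types=1);

// Added example, not project code. Profile keys and proof states follow spec 357;
// audiences, signal names and reason strings are assumptions for illustration.

enum ProofState: string
{
    case Verified = 'verified';
    case Assumed = 'assumed';
    case NotApplicable = 'not_applicable';
    case Missing = 'missing';
    case Unknown = 'unknown';
}

final class ReportProfileRegistry
{
    // Static, bounded registry: no persistence, no CRUD, no config writes.
    private const PROFILES = [
        'customer_executive'  => ['audience' => 'customer', 'implemented' => true],
        'customer_technical'  => ['audience' => 'customer', 'implemented' => true],
        'internal_msp_review' => ['audience' => 'internal', 'implemented' => true],
        'auditor_appendix'    => ['audience' => 'auditor',  'implemented' => true],
        'framework_readiness' => ['audience' => 'customer', 'implemented' => false], // placeholder only
    ];

    /** Returns the profile definition, or null for any key not in the registry (fail closed). */
    public static function find(string $key): ?array
    {
        $profile = self::PROFILES[$key] ?? null;

        return $profile === null ? null : $profile + ['key' => $key];
    }
}

final class ReportDisclosurePolicy
{
    // Disclosures that render for every profile, regardless of section filtering.
    private const MANDATORY = ['readiness_state', 'source_and_generation_metadata'];

    /**
     * $signals: name => ['value' => bool|null, 'proof' => ProofState]
     * Pure evaluation over already-available data: no provider or Graph calls here.
     */
    public static function evaluate(string $profileKey, string $readiness, array $signals, bool $containsInternalOnly): array
    {
        $result = ['profile' => $profileKey, 'blocking' => [], 'warnings' => [], 'disclosures' => self::MANDATORY, 'proof' => []];

        $profile = ReportProfileRegistry::find($profileKey);
        if ($profile === null) {
            $result['blocking'][] = 'unknown_profile';

            return $result; // nothing further is evaluated for an unknown key
        }
        if (!$profile['implemented']) {
            $result['blocking'][] = 'profile_not_implemented';
        }

        $external = $profile['audience'] !== 'internal';
        if ($external && $containsInternalOnly) {
            $result['blocking'][] = 'internal_only_content_in_external_profile';
        }
        if ($readiness !== 'ready') {
            $result['disclosures'][] = 'output_not_ready';
        }

        foreach ($signals as $name => $signal) {
            $proof = $signal['proof'];
            $result['proof'][$name] = $proof->value;
            // A true boolean that was only assumed is disclosed as such, never promoted to verified.
            if ($signal['value'] === true && $proof === ProofState::Assumed) {
                $result['disclosures'][] = "{$name}_assumed_not_verified";
            }
            if ($proof === ProofState::Missing || $proof === ProofState::Unknown) {
                $result['warnings'][] = "{$name}_evidence_{$proof->value}";
            }
        }
        if ($external) {
            $result['disclosures'][] = 'external_sharing_warning';
        }

        return $result;
    }
}

// Constructed sample input: one verified signal, one assumed-true signal, one with missing evidence.
$signals = [
    'pii_redacted'        => ['value' => true, 'proof' => ProofState::Verified],
    'mfa_enforced'        => ['value' => true, 'proof' => ProofState::Assumed],
    'legacy_auth_blocked' => ['value' => null, 'proof' => ProofState::Missing],
];

foreach (['customer_executive', 'framework_readiness', 'does_not_exist'] as $key) {
    echo json_encode(ReportDisclosurePolicy::evaluate($key, 'ready', $signals, false), JSON_PRETTY_PRINT), "\n";
}
```

For `customer_executive` the output carries no blocking reason but does carry `mfa_enforced_assumed_not_verified` and an `external_sharing_warning`; `framework_readiness` is blocked with `profile_not_implemented`; `does_not_exist` is blocked with `unknown_profile` and nothing else is computed. Passing `containsInternalOnly = true` blocks every non-internal profile, which is the customer/internal boundary T008 tests.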

Phase 5: Rendered Report Integration

  • T018 Update the existing signed rendered-report URL seams (ReviewPackService::generateRenderedReportUrl() callers/helpers and apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php) to resolve an effective profile on the existing authenticated report route without adding an unsigned ad hoc query contract.
  • T019 Keep the controller-local implementation bounded; do not introduce an extra cross-domain viewer framework.
  • T020 Apply profile-aware section and appendix filtering while guaranteeing that mandatory disclosures, readiness, evidence state, and source metadata still render.
  • T021 Show effective profile and audience metadata in the report payload and keep invalid or placeholder profile requests truthfully limited or blocked.
  • T022 Keep the current ReviewPack route, current-export guard, and existing ZIP/download contract intact.
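What T018 and T020 ask for, as an added stand-alone example rather than the project's controller or ReviewPackService code. In the real seam the framework's signed-route mechanism (Laravel's `URL::signedRoute()` and `hasValidSignature()`) does the signing; the hand-rolled HMAC below only makes the property visible: the `profile` parameter is part of the signed query, so a caller cannot swap or append a profile without invalidating the signature, and a profile that is not in the section map resolves to nothing rather than to a default. The section keys, the host, the signing key and the sample report are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not project code. Section keys, host and key material are assumptions.

// Sections a profile may see. Unknown profile keys have no entry and therefore fail closed.
const SECTIONS_BY_PROFILE = [
    'customer_executive'  => ['summary', 'key_risks'],
    'customer_technical'  => ['summary', 'key_risks', 'findings', 'remediation'],
    'internal_msp_review' => ['summary', 'key_risks', 'findings', 'remediation', 'internal_notes', 'raw_evidence'],
    'auditor_appendix'    => ['summary', 'findings', 'raw_evidence'],
];
// Always rendered, whatever the profile filters out (T020).
const MANDATORY_SECTIONS = ['readiness', 'disclosures', 'source_metadata'];

/** Builds an expiring URL whose signature covers every query parameter, profile included. */
function signReportUrl(string $baseUrl, array $params, string $key, int $expires): string
{
    $params['expires'] = $expires;
    ksort($params); // canonical order so signing and verification see the same string
    $url = $baseUrl . '?' . http_build_query($params);

    return $url . '&signature=' . hash_hmac('sha256', $url, $key);
}

/** Returns the effective profile from a valid signed URL, or null (fail closed) otherwise. */
function resolveSignedProfile(string $url, string $key, int $now): ?string
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query);
    $signature = $query['signature'] ?? null;
    unset($query['signature']);
    if (!is_string($signature)) {
        return null;
    }
    ksort($query);
    $canonical = $parts['scheme'] . '://' . $parts['host'] . $parts['path'] . '?' . http_build_query($query);
    if (!hash_equals(hash_hmac('sha256', $canonical, $key), $signature)) {
        return null; // any change to the signed query, including the profile, fails here
    }
    if ((int) ($query['expires'] ?? 0) < $now) {
        return null;
    }
    $profile = $query['profile'] ?? null;

    return is_string($profile) && isset(SECTIONS_BY_PROFILE[$profile]) ? $profile : null;
}

/** Keeps the sections the profile allows plus the mandatory ones; returns the keys to render. */
function visibleSections(string $profile, array $report): array
{
    $allowed = SECTIONS_BY_PROFILE[$profile];

    return array_values(array_filter(
        array_keys($report),
        fn (string $k): bool => in_array($k, MANDATORY_SECTIONS, true) || in_array($k, $allowed, true),
    ));
}

// Constructed sample: signing key, a report with internal-only material, and three URLs.
$key = 'example-signing-key-not-for-real-use';
$base = 'https://msp.example.test/review-packs/42/rendered-report';
$report = [
    'summary' => '...', 'key_risks' => '...', 'internal_notes' => 'MSP-only commentary',
    'raw_evidence' => '...', 'readiness' => 'ready', 'disclosures' => '...', 'source_metadata' => '...',
];
$now = 1_700_000_000;

$signed = signReportUrl($base, ['pack' => '42', 'profile' => 'customer_executive'], $key, $now + 3600);
$swapped = str_replace('profile=customer_executive', 'profile=internal_msp_review', $signed);
$appended = $signed . '&profile=internal_msp_review'; // unsigned ad hoc parameter, last value wins in parse_str

foreach (['signed' => $signed, 'swapped' => $swapped, 'appended' => $appended] as $label => $url) {
    $profile = resolveSignedProfile($url, $key, $now);
    $sections = $profile === null ? ['(blocked)'] : visibleSections($profile, $report);
    echo $label, ' => ', $profile ?? 'null', ' : ', implode(', ', $sections), "\n";
}
```

Only the untouched URL resolves, to `customer_executive`, and its visible section list is `summary, key_risks, readiness, disclosures, source_metadata`: `internal_notes` and `raw_evidence` are filtered out while the three mandatory sections survive. Both the swapped and the appended variants return null because the recomputed HMAC no longer matches, which is the behaviour T018 wants from the existing signed-URL seam instead of a separate unsigned query contract.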

Phase 6: UI Surfaces And Localization

  • T023 Update apps/platform/resources/views/review-packs/rendered-report.blade.php so the report visibly shows profile, audience, readiness, limitations, disclosure/proof-state information, and generated/source metadata.
  • T024 Update existing owner-surface report URL helpers/labels in EnvironmentReviewResource and ReviewPackResource so the profile-aware handoff stays clear without creating a management UI.
  • T025 Add EN and DE localization keys for profile names, audience labels, external-sharing warnings, proof-state labels, and mandatory disclosure copy in:
    • apps/platform/lang/en/localization.php
    • apps/platform/lang/de/localization.php
  • T026 Keep the report read-only; do not add destructive or state-mutating actions.

Phase 7: UI Audit Follow-Through

  • T027 Inspect docs/ui-ux-enterprise-audit/page-reports/ui-006-customer-review-workspace.md; no material hierarchy change required an update.
  • T028 Inspect docs/ui-ux-enterprise-audit/page-reports/ui-042-review-pack-detail.md; no rendered-report vs ZIP hierarchy change required an update.
  • T029 Update docs/ui-ux-enterprise-audit/page-reports/ui-099-rendered-review-report.md with profile metadata, disclosure-proof behavior, and bounded audience modes.
  • T030 Inspect docs/ui-ux-enterprise-audit/route-inventory.md and design-coverage-matrix.md; no material route-classification change required an update.

Phase 8: Validation And Close-Out

  • T031 Run:
    • cd apps/platform && ./vendor/bin/sail artisan test tests/Unit/Support/ReviewPacks/Spec357ReportProfileRegistryTest.php tests/Unit/Support/ReviewPacks/Spec357ReportDisclosurePolicyTest.php tests/Feature/ReviewPack/Spec357RenderedReportProfileTest.php --compact
  • T032 Run:
    • cd apps/platform && ./vendor/bin/sail php vendor/bin/pest tests/Browser/Spec357ReportProfilesSmokeTest.php --compact
  • T033 Run focused regressions (recorded outcome in parentheses):
    • cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec356 (returned "No tests found")
    • cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/ReviewPack/ReviewPackDownloadTest.php tests/Feature/ReviewPack/EnvironmentReviewDerivedReviewPackTest.php tests/Feature/EnvironmentReview/EnvironmentReviewExecutivePackTest.php --compact (passed)
    • cd apps/platform && ./vendor/bin/sail php vendor/bin/pest tests/Browser/Reviews/CustomerReviewWorkspaceSmokeTest.php --compact (passed)
    • Broader filters surfaced unrelated pre-existing failures in tests/Browser/Spec347ReviewPackOutputReadinessSmokeTest.php and tests/Feature/Filament/EnvironmentReviewHeaderDisciplineTest.php.
  • T034 Run formatting and patch checks:
    • cd apps/platform && ./vendor/bin/sail pint --dirty
    • cd apps/platform && ./vendor/bin/sail pint app/Support/ReviewPacks/ReportProfileRegistry.php app/Support/ReviewPacks/ReportDisclosurePolicy.php app/Support/ReviewPacks/ReviewPackOutputResolutionGuidance.php app/Http/Controllers/ReviewPackRenderedReportController.php app/Filament/Resources/EnvironmentReviewResource.php app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php lang/en/localization.php lang/de/localization.php tests/Unit/Support/ReviewPacks/Spec357ReportProfileRegistryTest.php tests/Unit/Support/ReviewPacks/Spec357ReportDisclosurePolicyTest.php tests/Feature/ReviewPack/Spec357RenderedReportProfileTest.php tests/Browser/Spec357ReportProfilesSmokeTest.php
    • git diff --check
  • T035 Save browser screenshots under specs/357-report-profiles-disclosure-policy-v1/artifacts/screenshots/.
  • T036 Report full-suite status honestly if not run.

Non-Goals

  • NT001 Do not add a report_profiles table, profile CRUD, or any profile persistence.
  • NT002 Do not add scheduled delivery, approval workflow, email sending, or any public link/share contract.
  • NT003 Do not add a second rendered artifact family or replace the existing ReviewPack ZIP family.
  • NT004 Do not add native PDF infrastructure, branding editor, or white-label theme management.
  • NT005 Do not add AI/HITL runtime behavior or framework-specific NIS2/CIS/BSI report implementation.
  • NT006 Do not widen provider, Graph, or authentication boundaries during report rendering.