TenantAtlas/specs/357-report-profiles-disclosure-policy-v1/tasks.md
ahmido b7907bd69d feat: add report profile and disclosure policy to rendered review reports (#428)
Implementing report profiles and disclosure policy as per spec 357.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #428
2026-06-06 09:41:19 +00:00


# Tasks: Spec 357 - Report Profiles & Disclosure Policy v1
**Input**: `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/357-report-profiles-disclosure-policy-v1/spec.md`
**Prerequisites**: `/Users/ahmeddarrazi/Documents/projects/wt-plattform/specs/357-report-profiles-disclosure-policy-v1/plan.md`, `checklists/requirements.md`
**Tests**: Required. This is a runtime report/disclosure change on existing customer-facing strategic surfaces. Unit, Feature, and one bounded Browser smoke are required.
## Test Governance Checklist
- [x] Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- [x] New or changed tests stay in the smallest honest family, and the browser addition is explicit.
- [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default.
- [x] Planned validation commands cover the change without pulling in unrelated lane cost.
- [x] The declared surface test profile (`shared-detail-family`) is explicit.
- [x] Any material budget, baseline, trend, or escalation note is recorded in the active spec or PR.
## Phase 1: Repo Truth And Scope Gate
- [x] T001 Re-read `spec.md`, `plan.md`, and `checklists/requirements.md` before editing runtime code.
- [x] T002 Confirm branch/worktree intent with `git status --short --branch` and record the baseline commit with `git log -1 --oneline`.
- [x] T003 Inspect the existing rendered-report seams in:
- `apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php`
- `apps/platform/app/Support/ReviewPacks/ReviewPackOutputReadiness.php`
- `apps/platform/app/Support/ReviewPacks/ReviewPackOutputResolutionGuidance.php`
- `apps/platform/resources/views/review-packs/rendered-report.blade.php`
- [x] T004 Inspect current owner-surface handoff seams in:
- `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`
- `apps/platform/app/Filament/Resources/EnvironmentReviewResource.php`
- `apps/platform/app/Filament/Resources/ReviewPackResource.php`
- [x] T005 Confirm no new persistence, new delivery workflow, public route family, PDF stack, portal route, AI runtime, or framework-report implementation is needed.
## Phase 2: Tests First
- [x] T006 Add `apps/platform/tests/Unit/Support/ReviewPacks/Spec357ReportProfileRegistryTest.php` covering required implemented profiles, placeholder handling, and invalid-profile fail-closed behavior.
- [x] T007 Add `apps/platform/tests/Unit/Support/ReviewPacks/Spec357ReportDisclosurePolicyTest.php` covering mandatory disclosures, blocking reasons, and proof states (`verified`, `assumed`, `not_applicable`, `missing`, `unknown`).
- [x] T008 Add `apps/platform/tests/Feature/ReviewPack/Spec357RenderedReportProfileTest.php` covering effective profile selection, visible profile metadata, mandatory disclosure override, and customer/internal boundary behavior.
- [x] T009 Add `apps/platform/tests/Browser/Spec357ReportProfilesSmokeTest.php` covering internal MSP, customer executive limited, customer-safe ready, auditor appendix, and invalid/placeholder profile behavior.
## Phase 3: Static Report Profile Registry
- [x] T010 Create `apps/platform/app/Support/ReviewPacks/ReportProfileRegistry.php` with static implemented profiles:
- `customer_executive`
- `customer_technical`
- `internal_msp_review`
- `auditor_appendix`
- [x] T011 Model `framework_readiness` as placeholder-only and not implemented by default.
- [x] T012 Keep the registry bounded to the current review-pack/report family; do not add CRUD, config writes, or generalized reporting infrastructure.
- [x] T013 Fail closed for unknown or unimplemented profile keys and keep the fallback behavior explicit and tested.
## Phase 4: Disclosure Policy
- [x] T014 Create `apps/platform/app/Support/ReviewPacks/ReportDisclosurePolicy.php` to evaluate profile + readiness + evidence + internal-only/PII + available source/disclosure metadata.
- [x] T015 Ensure the policy emits mandatory disclosures, warnings, blocking reasons, and proof states without provider/Graph calls.
- [x] T016 Preserve the distinction between independently proven and assumed safety signals; do not silently treat current boolean assumptions as verified truth.
- [x] T017 Keep blocking and boundary behavior derived-only inside the current rendered-report flow; do not implement scheduling, approval, send, or future-consumer delivery semantics.
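As an added illustration of the Phase 3 fail-closed registry and the Phase 4 verified/assumed split (this is not TenantAtlas code): class and method names, the signal array shape and the external-audience blocking rule are assumptions about what the spec asks for, not the project's implementation.

```php
<?php
// Added illustration for Phases 3 and 4, not TenantAtlas code: class/method names,
// the signal shape and the external-audience blocking rule are assumptions.
final class ReportProfileRegistry
{
    // Profiles that actually render; framework_readiness is placeholder-only.
    private const IMPLEMENTED = [
        'customer_executive', 'customer_technical', 'internal_msp_review', 'auditor_appendix',
    ];
    private const PLACEHOLDER = ['framework_readiness'];
    /** Returns [effectiveProfile, state]; unknown keys never pass through (fail closed). */
    public static function resolve(string $requested, string $fallback = 'customer_executive'): array
    {
        if (in_array($requested, self::IMPLEMENTED, true)) {
            return [$requested, 'implemented'];
        }
        $state = in_array($requested, self::PLACEHOLDER, true) ? 'placeholder_blocked' : 'invalid_blocked';
        return [$fallback, $state];
    }
}
final class ReportDisclosurePolicy
{
    /** $signals: name => ['value' => bool|null, 'proof' => verified|assumed|not_applicable]. */
    public static function evaluate(string $profile, array $signals): array
    {
        $out = ['profile' => $profile, 'proof_states' => [], 'warnings' => [], 'blocking' => [],
            'mandatory_disclosures' => ['readiness', 'evidence_state', 'source_metadata']];
        foreach ($signals as $name => $s) {
            // A true boolean is "verified" only when independently proven; else "assumed".
            $state = match (true) {
                $s['proof'] === 'not_applicable' => 'not_applicable',
                $s['value'] === null => 'unknown',
                $s['value'] === false => 'missing',
                $s['proof'] === 'verified' => 'verified',
                default => 'assumed',
            };
            $out['proof_states'][$name] = $state;
            if ($state === 'assumed') {
                $out['warnings'][] = "$name is assumed, not independently verified";
            }
        }
        // External audiences (customer_*, auditor) block unless internal-only/PII screen is verified.
        $external = $profile !== 'internal_msp_review';
        if ($external && ($out['proof_states']['no_internal_only_content'] ?? 'unknown') !== 'verified') {
            $out['blocking'][] = 'internal-only/PII screening not independently verified for external audience';
        }
        return $out;
    }
}
```

With these assumptions, `ReportProfileRegistry::resolve('framework_readiness')` returns the fallback with `placeholder_blocked`, and a signal passed as `['value' => true, 'proof' => 'assumed']` lands in `warnings` rather than counting as verified.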
## Phase 5: Rendered Report Integration
- [x] T018 Update the existing signed rendered-report URL seams (`ReviewPackService::generateRenderedReportUrl()` callers/helpers and `apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php`) to resolve an effective profile on the existing authenticated report route without adding an unsigned ad hoc query contract.
- [x] T019 Keep the controller-local implementation bounded; no extra cross-domain viewer framework is introduced.
- [x] T020 Apply profile-aware section and appendix filtering while guaranteeing that mandatory disclosures, readiness, evidence state, and source metadata still render.
- [x] T021 Show effective profile and audience metadata in the report payload and keep invalid or placeholder profile requests truthfully limited or blocked.
- [x] T022 Keep the current `ReviewPack` route, current-export guard, and existing ZIP/download contract intact.
## Phase 6: UI Surfaces And Localization
- [x] T023 Update `apps/platform/resources/views/review-packs/rendered-report.blade.php` so the report visibly shows profile, audience, readiness, limitations, disclosure/proof-state information, and generated/source metadata.
- [x] T024 Update existing owner-surface report URL helpers/labels in `EnvironmentReviewResource` and `ReviewPackResource` so the profile-aware handoff stays clear without creating a management UI.
- [x] T025 Add EN and DE localization keys for profile names, audience labels, external-sharing warnings, proof-state labels, and mandatory disclosure copy in:
- `apps/platform/lang/en/localization.php`
- `apps/platform/lang/de/localization.php`
- [x] T026 Keep the report read-only; do not add destructive or state-mutating actions.
## Phase 7: UI Audit Follow-Through
- [x] T027 Inspect `docs/ui-ux-enterprise-audit/page-reports/ui-006-customer-review-workspace.md`; no material hierarchy change required an update.
- [x] T028 Inspect `docs/ui-ux-enterprise-audit/page-reports/ui-042-review-pack-detail.md`; no rendered-report vs ZIP hierarchy change required an update.
- [x] T029 Update `docs/ui-ux-enterprise-audit/page-reports/ui-099-rendered-review-report.md` with profile metadata, disclosure-proof behavior, and bounded audience modes.
- [x] T030 Inspect `docs/ui-ux-enterprise-audit/route-inventory.md` and `design-coverage-matrix.md`; no material route-classification change required an update.
## Phase 8: Validation And Close-Out
- [x] T031 Run:
- `cd apps/platform && ./vendor/bin/sail artisan test tests/Unit/Support/ReviewPacks/Spec357ReportProfileRegistryTest.php tests/Unit/Support/ReviewPacks/Spec357ReportDisclosurePolicyTest.php tests/Feature/ReviewPack/Spec357RenderedReportProfileTest.php --compact`
- [x] T032 Run:
- `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest tests/Browser/Spec357ReportProfilesSmokeTest.php --compact`
- [x] T033 Run focused regressions:
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec356` returned `No tests found`
- `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/ReviewPack/ReviewPackDownloadTest.php tests/Feature/ReviewPack/EnvironmentReviewDerivedReviewPackTest.php tests/Feature/EnvironmentReview/EnvironmentReviewExecutivePackTest.php --compact` passed
- `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest tests/Browser/Reviews/CustomerReviewWorkspaceSmokeTest.php --compact` passed
- broader filters surfaced unrelated existing failures in `tests/Browser/Spec347ReviewPackOutputReadinessSmokeTest.php` and `tests/Feature/Filament/EnvironmentReviewHeaderDisciplineTest.php`
- [x] T034 Run formatting and patch checks:
- `cd apps/platform && ./vendor/bin/sail pint --dirty`
- `cd apps/platform && ./vendor/bin/sail pint app/Support/ReviewPacks/ReportProfileRegistry.php app/Support/ReviewPacks/ReportDisclosurePolicy.php app/Support/ReviewPacks/ReviewPackOutputResolutionGuidance.php app/Http/Controllers/ReviewPackRenderedReportController.php app/Filament/Resources/EnvironmentReviewResource.php app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php lang/en/localization.php lang/de/localization.php tests/Unit/Support/ReviewPacks/Spec357ReportProfileRegistryTest.php tests/Unit/Support/ReviewPacks/Spec357ReportDisclosurePolicyTest.php tests/Feature/ReviewPack/Spec357RenderedReportProfileTest.php tests/Browser/Spec357ReportProfilesSmokeTest.php`
- `git diff --check`
- [x] T035 Save browser screenshots under `specs/357-report-profiles-disclosure-policy-v1/artifacts/screenshots/`.
- [x] T036 Report full-suite status honestly if not run.
## Non-Goals
- [x] NT001 Do not add a `report_profiles` table, profile CRUD, or any profile persistence.
- [x] NT002 Do not add scheduled delivery, approval workflow, email sending, or any public link/share contract.
- [x] NT003 Do not add a second rendered artifact family or replace the existing `ReviewPack` ZIP family.
- [x] NT004 Do not add native PDF infrastructure, branding editor, or white-label theme management.
- [x] NT005 Do not add AI/HITL runtime behavior or framework-specific NIS2/CIS/BSI report implementation.
- [x] NT006 Do not widen provider, Graph, or authentication boundaries during report rendering.