ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
platform-dev
TenantAtlas/specs/359-operationrun-reconciliation-adapter-framework-review-compose-adapter/plan.md
ahmido 3a750726fd feat: implement review compose reconciliation adapter (spec 359) (#430) 
Spec 359: add a narrow review-compose reconciliation path, deterministic duplicate/superseded recovery, shared review truth resolution, and bounded unit/feature/browser coverage. PGSQL validation remains locally blocked because the pgsql host/Docker runtime was unavailable.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #430
2026-06-06 14:58:16 +00:00

274 lines
18 KiB
Markdown
Raw Permalink Blame History

# Implementation Plan: OperationRun Reconciliation Adapter Framework & Review Compose Adapter
**Branch**: `359-operationrun-reconciliation-adapter-framework-review-compose-adapter` | **Date**: 2026-06-06 | **Spec**: `specs/359-operationrun-reconciliation-adapter-framework-review-compose-adapter/spec.md`
**Input**: Feature specification from `specs/359-operationrun-reconciliation-adapter-framework-review-compose-adapter/spec.md`
## Summary
Implement a narrow business-truth reconciliation seam for `OperationRun` that reuses existing service-owned lifecycle writes and existing review-compose start/monitoring UX. The slice introduces one typed adapter contract plus one `environment.review.compose` adapter, proves same-scope `EnvironmentReview` truth, recovers duplicate fingerprint collisions deterministically, and keeps restore-specific reconciliation behavior intact as existing context rather than reopening it as a second feature.
This plan must stay smaller than a universal reconciliation engine. It extends current repo seams only where current review-compose truth cannot be proven safely by the existing scheduled stale-run reconciler or the hard-coded restore adapter.
## Technical Context
**Language/Version**: PHP 8.4.15, Laravel 12.52, Filament 5.2.1, Livewire 4.1.4
**Primary Dependencies**: existing `OperationRunService`, `OperationRun`, `OperationCatalog`, current restore adapter reconciler, current review-compose services/jobs/resources, Pest 4.3
**Storage**: PostgreSQL `operation_runs` and `environment_reviews`; no schema change planned
**Testing**: Pest Unit + Feature + one bounded Browser smoke; PGSQL lane required for duplicate-index/locking proof
**Validation Lanes**: fast-feedback, confidence, pgsql, browser
**Target Platform**: Laravel monolith in `apps/platform`
**Project Type**: web application
**Performance Goals**: reuse current DB-only monitoring posture, avoid new render-time Graph work, and keep adapter evaluation to scoped local DB reads only
**Constraints**: no new `OperationRun` status/outcome field, no new review status family, no new panel/provider/asset change, no provider-boundary widening, no destructive cleanup, and no broad restore/report/evidence adapter expansion
**Scale/Scope**: one new review-compose path on the existing adapter reconciliation seam plus the smallest local decision/result helper needed to make adapter reconciliation auditable and repeatable
## Likely Affected Repo Surfaces
- Existing reconciliation and lifecycle seams:
- `apps/platform/app/Services/OperationRunService.php`
- `apps/platform/app/Models/OperationRun.php`
- `apps/platform/app/Services/Operations/OperationLifecycleReconciler.php`
- `apps/platform/app/Services/AdapterRunReconciler.php`
- `apps/platform/app/Support/OperationCatalog.php`
- `apps/platform/app/Support/OperationRunType.php`
- `apps/platform/app/Support/OperationRunStatus.php`
- `apps/platform/app/Support/OperationRunOutcome.php`
- Existing review-compose runtime seams:
- `apps/platform/app/Services/EnvironmentReviews/EnvironmentReviewService.php`
- `apps/platform/app/Jobs/ComposeEnvironmentReviewJob.php`
- `apps/platform/app/Services/EnvironmentReviews/EnvironmentReviewComposer.php`
- `apps/platform/app/Services/EnvironmentReviews/EnvironmentReviewFingerprint.php`
- `apps/platform/app/Services/EnvironmentReviews/EnvironmentReviewLifecycleService.php`
- `apps/platform/app/Models/EnvironmentReview.php`
- Existing operator-facing surfaces likely to consume richer metadata:
- `apps/platform/app/Support/OpsUx/OperationUxPresenter.php`
- `apps/platform/app/Support/Ui/GovernanceArtifactTruth/ArtifactTruthPresenter.php`
- `apps/platform/app/Support/OperationRunLinks.php`
- `apps/platform/app/Filament/Pages/Monitoring/Operations.php`
- `apps/platform/app/Filament/Pages/Operations/TenantlessOperationRunViewer.php`
- `apps/platform/app/Filament/Resources/OperationRunResource.php`
- `apps/platform/app/Filament/Resources/EnvironmentReviewResource.php`
- `apps/platform/app/Filament/Widgets/Dashboard/RecentOperations.php`
- `apps/platform/app/Filament/System/Pages/Ops/Runs.php`
- `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php`
- `apps/platform/lang/en/localization.php`
- `apps/platform/lang/de/localization.php`
- Focused tests:
- `apps/platform/tests/Unit/Support/Operations/Reconciliation/`
- `apps/platform/tests/Feature/Operations/`
- `apps/platform/tests/Feature/EnvironmentReview/`
- `apps/platform/tests/Feature/Monitoring/`
- `apps/platform/tests/Browser/`
## Domain And Data Implications
- `operation_runs` remains the only persisted run-lifecycle truth. Reconciliation remains a context extension, not a new status model.
- `environment_reviews` remains the only domain-truth source for review availability. The adapter proves truth from existing review rows only.
- The partial unique index `environment_reviews_fingerprint_mutable_unique` remains the core duplicate-collision constraint. The feature must adapt to it, not replace it.
- Existing mutable/superseded semantics remain authoritative:
- mutable: `draft`, `ready`, `failed`
- historical/terminal lineage: `published`, `archived`, `superseded`
- No migration is planned. If implementation appears to need one, that is a scope alarm and should stop for review.
## UI / Surface Guardrail Plan
- **Guardrail scope**: existing operator-facing monitoring surfaces plus existing review-start feedback
- **Affected routes/pages/actions/states/navigation/panel/provider surfaces**:
- `/admin/workspaces/{workspace}/operations`
- `/admin/workspaces/{workspace}/operations/{run}`
- `EnvironmentReviewResource` create/refresh notifications and open-link feedback
- tenant dashboard recent-operations widget
- system operations list
- environment dashboard recent/attention summaries
- **No-impact class, if applicable**: non-material existing-surface wording/state handling only
- **Native vs custom classification summary**: native Filament surfaces plus existing action notifications
- **Shared-family relevance**: monitoring-state messaging, reconciliation diagnostics, run-start feedback
- **State layers in scope**: page, detail, action feedback
- **Audience modes in scope**: operator-MSP, support-platform
- **Decision/diagnostic/raw hierarchy plan**: decision-first reconciliation result, diagnostics second, raw evidence third
- **Raw/support gating plan**: existing detail/raw context remains secondary and must never become the primary explanation
- **One-primary-action / duplicate-truth control**: keep the existing open-run/open-review actions authoritative and avoid a second local “duplicate recovered” surface
- **Handling modes by drift class or surface**:
- review-compose succeeded from domain truth: `review-mandatory`
- blocked/attention without safe proof: `review-mandatory`
- any raw SQL/constraint leak: `hard-stop-candidate`
- **Repository-signal treatment**: review-mandatory
- **Special surface test profiles**: monitoring-state-page, shared-detail-family
- **Required tests or manual smoke**: Unit + Feature + PGSQL + one bounded Browser smoke
- **Exception path and spread control**: any move toward new operator-center UX, report/evidence adapter copy, or customer-facing surface changes is `reject-or-split`
- **Active feature PR close-out entry**: Guardrail / Smoke Coverage
- **UI/Productization coverage decision**: existing surface follow-through only
- **Coverage artifacts to update**: none by default; update existing page reports only if final visible hierarchy materially changes
- **No-impact rationale**: no route or page identity change
- **Navigation / Filament provider-panel handling**: unchanged; provider registration stays in `apps/platform/bootstrap/providers.php`
- **Screenshot or page-report need**: no new page-report identity; one bounded browser smoke screenshot is sufficient only if implementation materially changes visible wording hierarchy
## Shared Pattern & System Fit
- **Cross-cutting feature marker**: yes
- **Systems touched**:
- scheduled reconciliation path
- restore-specific adapter reconciliation precedent
- review-compose start/complete flow
- monitoring list/detail surfaces
- review-create notifications
- **Shared abstractions reused**:
- `OperationRunService::updateRunWithReconciliation()`
- `OperationRun::reconciliation()`
- `OperationUxPresenter`
- `OperationRunLinks`
- `ArtifactTruthPresenter`
- `EnvironmentReviewResource::executeCreateReview()`
- **New abstraction introduced? why?**: yes; one local review-compose decision/result helper is introduced because the current restore-only adapter path is too hard-coded to absorb review fingerprint/scope/supersession proof safely.
- **Why the existing abstraction was sufficient or insufficient**: current abstractions already own run lifecycle and generic stale truth, but `AdapterRunReconciler` currently only knows `restore.execute`; this slice extends that seam rather than adding a parallel registry.
- **Bounded deviation / spread control**: keep the new helper local to adapter reconciliation and explicitly bounded to review-compose plus existing restore context
## OperationRun UX Impact
- **Touches OperationRun start/completion/link UX?**: yes
- **Central contract reused**: current service-owned lifecycle plus current review-create queued-toast/open-run path
- **Delegated UX behaviors**:
- create/refresh keeps the current queued toast and `Open operation` link
- adapter completion writes terminal truth through `OperationRunService`
- operations list/detail continue to read one reconciliation metadata shape
- **Surface-owned behavior kept local**: only review-create body copy and any additional review-available/recovered wording
- **Queued DB-notification policy**: unchanged
- **Terminal notification path**: unchanged central lifecycle mechanism
- **Exception path**: none
## Provider Boundary & Portability Fit
- **Shared provider/platform boundary touched?**: no
- **Provider-owned seams**: N/A
- **Platform-core seams**: `OperationRun` lifecycle truth and `EnvironmentReview` artifact truth only
- **Neutral platform terms / contracts preserved**: `operation`, `reconciliation`, `review`, `workspace`, `managed environment`
- **Retained provider-specific semantics and why**: none
- **Bounded extraction or follow-up path**: none
## Authorization, Audit, And Observability
- Existing workspace-first and managed-environment entitlement checks remain unchanged.
- Adapter lookup must not widen who can see or use a review; it only determines which local record may prove the run.
- `OperationRunService` remains the owner of terminal audit emission.
- Reconciliation evidence must stay bounded to safe identifiers and state:
- allowed: workspace ID, managed environment ID, review ID, review status, fingerprint hash, considered review IDs, timestamps
- forbidden: raw Graph payloads, signed URLs, tokens, raw SQL errors, full snapshot blobs
- Optional operational logging may emit adapter name, run ID, type, decision, and related review ID only.
## Constitution Check
- Inventory-first: unchanged; `EnvironmentReview` remains the local artifact truth and still derives from anchored evidence snapshots.
- Read/write separation: adapter reconciliation mutates only `OperationRun`, not the provider or remote state.
- Graph contract path: unchanged; no Graph calls are introduced.
- Deterministic capabilities: unchanged; current capability checks remain authoritative.
- Workspace and tenant isolation: unchanged and still mandatory for both runs and reviews.
- Run observability: strengthened; late or duplicate review-compose work remains visible on `OperationRun` instead of being silently inferred elsewhere.
- Proportionality / anti-bloat: pass only if the adapter contract stays narrow and does not become a universal business-reconciliation engine.
- No premature abstraction: this is allowed only because queue correctness and auditability already justify a typed seam, and the repo already ships one restore-specific adapter precedent.
- Persisted truth: no new tables or persisted status families.
- Shared pattern first: reuse current run lifecycle, current monitoring/detail surfaces, and current review-start feedback.
- Filament v5 / Livewire v4 posture: unchanged; no panel/provider or asset work is allowed.
## Test Governance Check
- **Test purpose / classification by changed surface**:
- Unit: reconciliation decisions, supported-type handling, adapter same-scope proof
- Feature: service/job/idempotency/reconciliation metadata flow
- Browser: visible operations/review wording smoke
- **Affected validation lanes**: fast-feedback, confidence, pgsql, browser
- **Why this lane mix is the narrowest sufficient proof**: duplicate fingerprint recovery depends on a PGSQL partial unique index and scope-safe DB truth, while visible monitoring wording needs only one bounded browser smoke rather than a broad productization run.
- **Narrowest proving command(s)**:
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec359`
- `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml --filter=Spec359`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec358`
- `git diff --check`
- **Fixture / helper / factory / seed / context cost risks**: reuse existing review/evidence/run factories; do not widen default tenant/workspace setup
- **Expensive defaults or shared helper growth introduced?**: none planned
- **Heavy-family additions, promotions, or visibility changes**: none
- **Surface-class relief / special coverage rule**: monitoring-state-page plus shared-detail-family; one explicit browser smoke only
- **Closing validation and reviewer handoff**: reviewers should compare ready-review reuse, ambiguous duplicate collisions, repeated create/refresh triggers, and visible operations detail wording before merge
- **Budget / baseline / trend follow-up**: none expected beyond feature-local tests
- **Review-stop questions**:
- Did implementation add a second persisted status shape?
- Did implementation widen into report/evidence/restore business reconciliation?
- Can any duplicate/superseded case still remain queued/running forever?
- Does any visible copy leak SQL/constraint wording?
- **Escalation path**: `reject-or-split` for universal reconciliation scope growth
- **Active feature PR close-out entry**: Guardrail / Smoke Coverage
- **Why no dedicated follow-up spec is needed**: this slice is already the follow-through over Spec 358 and must remain bounded to review-compose truth only
## Implementation Phases
### Phase 1 — Lock repo truth and convergence boundaries
- Reconfirm the current scheduled reconciler, restore-specific adapter reconciler, and review-compose seams.
- Decide whether the existing restore adapter stays as-is or is bridged behind the new contract without behavioral change.
- Freeze the current visible operations/review feedback vocabulary that must remain consistent.
### Phase 2 — Add the narrow reconciliation contract
- Extend the existing adapter reconciliation seam with one local review-compose decision/result helper and explicit supported-type handling.
- Extend or wrap `OperationRunService::updateRunWithReconciliation()` so richer metadata can be merged idempotently.
- Keep all persistence shapes unchanged.
### Phase 3 — Implement review-compose proof and recovery
- Add a same-scope review-compose adapter that proves ready/published review truth and fails closed on ambiguity.
- Integrate duplicate recovery and pre/post compose checks into `ComposeEnvironmentReviewJob`.
- Tighten `EnvironmentReviewService` repeated-trigger behavior so active review truth or active run truth is reused rather than multiplied.
### Phase 4 — Retrofit existing operator surfaces
- Keep current monitoring list/detail surfaces authoritative for reconciled review-compose explanation.
- Reuse current review-start feedback and current `Open operation` / `View review` patterns.
- Add bounded EN/DE copy only where the existing language is too generic or too technical.
### Phase 5 — Validate and hand off
- Add Unit + Feature + PGSQL + Browser proof.
- Re-run Spec 358 plus the named review/report regressions.
- Record final guardrail, smoke, and bounded-scope notes in the feature close-out entry.
## Risks and Mitigations
- **Framework creep**: mitigate by forbidding new adapter families and by treating restore/report/evidence follow-through as out of scope.
- **Scope-safety mistakes**: mitigate with explicit cross-workspace, cross-environment, and wrong-fingerprint negative tests.
- **PGSQL-only blind spots**: mitigate with an explicit `phpunit.pgsql.xml` lane for duplicate-index and lock behavior.
- **Visible copy drift**: mitigate by keeping all user-facing wording on current operations/review paths and adding one bounded browser smoke.
## Project Structure
### Documentation
```text
specs/359-operationrun-reconciliation-adapter-framework-review-compose-adapter/
├── spec.md
├── plan.md
├── tasks.md
└── checklists/
└── requirements.md
```
### Likely Runtime Structure
```text
apps/platform/app/Services/
├── OperationRunService.php
├── AdapterRunReconciler.php
└── EnvironmentReviews/
├── EnvironmentReviewService.php
├── EnvironmentReviewComposer.php
├── EnvironmentReviewFingerprint.php
└── EnvironmentReviewLifecycleService.php
apps/platform/app/Jobs/
└── ComposeEnvironmentReviewJob.php
apps/platform/app/Filament/
├── Pages/Monitoring/Operations.php
├── Pages/Operations/TenantlessOperationRunViewer.php
└── Resources/
├── OperationRunResource.php
└── EnvironmentReviewResource.php
```
Reference in New Issue View Git Blame Copy Permalink