Implemented operations UI operator actions regression gate. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #436
# Spec 365 Action Eligibility Matrix
This matrix is the product and test contract for `OperationRunActionEligibility`. It is derived from existing `OperationRun` truth and does not introduce new persisted status/outcome values.
## Global Rules
- At most one primary action is visible per run.
- If eligibility is uncertain, the action is unavailable.
- Direct action execution must enforce the same authorization/scope rules as UI visibility.
- Reconcile writes through `AdapterRunReconciler` and `OperationRunService`.
- Retry is unavailable unless a repo-verified safe non-high-risk retry/start seam exists.
- Restore, tenant mutation, destructive mutation, unknown operation, and high-risk operation are never retryable in this spec.
- Force Complete, Mark Succeeded, Delete, Purge, and Restore Re-execute are always forbidden.
- Related actions use canonical metadata and existing link/policy seams.
- Diagnostics are secondary and capability-gated.
## Matrix
| Family | Canonical example | Run state | Primary action | Reconcile | Retry | Related | Diagnostics | Disabled / attention reason | Required tests |
|---|---|---|---|---|---|---|---|---|---|
| Queue | any supported operation | fresh queued | View details | no | no | maybe | yes if capability | Operation is still within expected lifecycle window | unit, browser |
| Queue | any supported operation | stale queued | Reconcile when adapter/proof exists, otherwise View details | maybe | no by default | maybe | yes if capability | Waiting longer than expected; reconciliation may be safe only with adapter proof | unit, feature |
| Queue | any supported operation | stale running | Reconcile when adapter/proof exists, otherwise View details | maybe | no by default | maybe | yes if capability | Running longer than expected; fail closed without proof | unit, feature |
| Review compose | environment.review.compose | related review already available / reconciled | View review | no after reconciled | only if failed and safe seam verified | yes | yes if capability | Review result already exists | unit, feature, browser |
| Review compose | environment.review.compose | stale eligible with adapter proof | Reconcile | yes | no by default | maybe after reconcile | yes if capability | Existing review proof can reconcile this run | unit, feature |
| Review pack / report | environment.review_pack.generate | artifact already available / reconciled | View report | no after reconciled | only if safe seam verified | yes | yes if capability | Report artifact already exists | unit, feature, browser |
| Evidence | tenant.evidence.snapshot.generate | evidence snapshot already available / reconciled | View evidence | no after reconciled | only if safe seam verified | yes | yes if capability | Evidence snapshot already exists | unit, feature, browser |
| Sync | inventory.sync / policy.sync | partial | View affected families | no unless adapter proof says terminal reconciliation is safe | only if safe seam verified | maybe | yes if capability | Some resource families completed; others blocked or failed | unit, feature, browser |
| Sync | inventory.sync / policy.sync | blocked | View missing permissions/details | no unless adapter proof says terminal reconciliation is safe | only if safe seam verified | maybe | yes if capability | Provider access or precondition blocked capture | unit, feature |
| Backup | backup.schedule.execute | partial | View backup details | no unless adapter proof says terminal reconciliation is safe | only if safe seam verified and non-destructive | yes if backup set exists | yes if capability | Backup completed with partial results | unit, feature |
| Backup | backup.schedule.execute | blocked | View missing permissions/details | no unless adapter proof says terminal reconciliation is safe | only if safe seam verified and non-destructive | maybe | yes if capability | Backup blocked by access or precondition | unit, feature, browser |
| Restore | restore.execute | verification required | View restore details | maybe, only if Spec 364 verification proof is sufficient | no | yes | yes if capability | High-risk operation requires verification; retry unavailable | unit, feature, browser |
| Restore | restore.execute | partial | View restore details | maybe, only if Spec 364 proof is sufficient | no | yes | yes if capability | Restore completed only partially; retry unavailable | unit, feature |
| Restore | restore.execute | blocked | View restore details | no unless Spec 364 proof allows safe blocked reconciliation | no | yes | yes if capability | Restore blocked; high-risk retry unavailable | unit, feature, browser |
| Restore | restore.execute | failed | View restore details | no unless Spec 364 proof allows safe terminal reconciliation | no | maybe | yes if capability | Restore failed; retry/re-execute/force-success unavailable | unit, feature, browser |
| High-risk mutation | promotion.execute / tenant mutation | failed/blocked/unknown | View details | no unless explicit adapter proof exists | no | maybe | yes if capability | High-risk operation cannot be retried from this view | unit |
| Unknown | unmapped operation type | any terminal/active state | View details | no | no | no unless existing link resolves | yes if capability | Unsupported operation type | unit, feature |
| RBAC denied | any | otherwise eligible | none, or a disabled safe label | no direct execution | no direct execution | no direct execution | no if missing capability | User lacks required capability | feature, browser |
| Cross-scope denied | any | otherwise eligible | none | no direct execution | no direct execution | no direct execution | no | Operation is outside permitted workspace/environment | feature |
## Forbidden Action Assertions
Tests must assert these labels/actions do not exist for restore/high-risk runs:
- Retry restore
- Re-execute restore
- Force complete
- Mark succeeded
- Ignore error and complete
- Manually mark successful
- Delete run
- Purge run
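As an added illustration of the contract above (the Global Rules, a subset of the matrix rows, and the Forbidden Action Assertions), and not code from this repository: a small Python resolver that derives eligibility from run truth, fails closed when proof or capability is missing, and routes direct execution through the same function that decides UI visibility. The names `Run`, `Actor`, `Eligibility`, `resolve`, `execute`, `labels` and the capability strings (`operations.view`, `operations.reconcile`, `diagnostics.view`) are assumptions of this example; `AdapterRunReconciler` and `OperationRunService` are the project's seam names from this spec and appear only in a returned message.

```python
from dataclasses import dataclass
from typing import Optional

# Families the matrix marks as never retryable from this view.
NEVER_RETRY = {"restore.execute", "promotion.execute"}

# Labels the spec forbids for every run; tests assert none is ever emitted.
FORBIDDEN_LABELS = {
    "Retry restore", "Re-execute restore", "Force complete", "Mark succeeded",
    "Ignore error and complete", "Manually mark successful", "Delete run", "Purge run",
}

# Primary action for a subset of matrix rows; an unmapped (family, state) falls back to View details.
PRIMARY = {
    ("environment.review.compose", "reconciled"): "View review",
    ("environment.review_pack.generate", "reconciled"): "View report",
    ("tenant.evidence.snapshot.generate", "reconciled"): "View evidence",
    ("inventory.sync", "partial"): "View affected families",
    ("inventory.sync", "blocked"): "View missing permissions/details",
    ("backup.schedule.execute", "partial"): "View backup details",
    ("restore.execute", "failed"): "View restore details",
}


@dataclass(frozen=True)
class Run:
    operation: str               # canonical operation type, e.g. "restore.execute"
    state: str                   # queued | running | partial | blocked | failed | reconciled
    scope: str                   # workspace/environment the run belongs to
    stale: bool = False          # past the expected lifecycle window
    adapter_proof: bool = False  # adapter proof (Spec 364 proof for restore) that reconciling is safe
    known_type: bool = True      # False for an unmapped operation type


@dataclass(frozen=True)
class Actor:
    scope: str
    capabilities: frozenset      # capability names are hypothetical, chosen for this example


@dataclass(frozen=True)
class Eligibility:
    primary: Optional[str]
    reconcile: bool
    retry: bool
    diagnostics: bool
    reason: str

    def executable(self) -> set:
        """Actions a direct call may perform: exactly the set the UI would show."""
        return ({"Reconcile"} if self.reconcile else set()) | ({"Retry"} if self.retry else set())


def resolve(run: Run, actor: Actor) -> Eligibility:
    """Apply the global rules: at most one primary action, fail closed on any uncertainty."""
    # Scope and RBAC denials come first and deny everything, diagnostics included.
    if run.scope != actor.scope:
        return Eligibility(None, False, False, False,
                           "Operation is outside permitted workspace/environment")
    if "operations.view" not in actor.capabilities:
        return Eligibility(None, False, False, False, "User lacks required capability")
    diagnostics = "diagnostics.view" in actor.capabilities
    if not run.known_type:
        return Eligibility("View details", False, False, diagnostics, "Unsupported operation type")

    # Reconcile needs proof AND the capability, and a reconciled run never reconciles again.
    reconcile = (run.adapter_proof and "operations.reconcile" in actor.capabilities
                 and run.state != "reconciled")
    # No family has a repo-verified safe retry seam in this spec, so retry is never offered;
    # restore and other high-risk families could never be retried regardless.
    retry = False

    if run.state in ("queued", "running"):
        if not run.stale:
            return Eligibility("View details", False, retry, diagnostics,
                               "Operation is still within expected lifecycle window")
        if reconcile:
            return Eligibility("Reconcile", True, retry, diagnostics,
                               "Existing adapter proof can reconcile this run")
        reason = ("Waiting longer than expected; reconciliation may be safe only with adapter proof"
                  if run.state == "queued" else "Running longer than expected; fail closed without proof")
        return Eligibility("View details", False, retry, diagnostics, reason)

    primary = PRIMARY.get((run.operation, run.state), "View details")
    reason = ("High-risk operation cannot be retried from this view"
              if run.operation in NEVER_RETRY else "Retry is deferred; no safe seam verified")
    return Eligibility(primary, reconcile, retry, diagnostics, reason)


def execute(action: str, run: Run, actor: Actor) -> str:
    """Direct execution re-derives eligibility, so it can never exceed what the UI shows."""
    if action not in resolve(run, actor).executable():
        raise PermissionError(f"{action!r} is not eligible for {run.operation}/{run.state}")
    return f"{action} dispatched through AdapterRunReconciler and OperationRunService"


def labels(elig: Eligibility) -> set:
    """Every label the UI would render for this result; must never meet FORBIDDEN_LABELS."""
    extras = {"Diagnostics"} if elig.diagnostics else set()
    return ({elig.primary} if elig.primary else set()) | elig.executable() | extras
```

The point of routing `execute` through `resolve` is the third global rule: a request that bypasses the button and calls the action endpoint directly must be refused by the same proof, capability and scope checks that hid the button, so the unit test for a row can assert both the visible label and the `PermissionError` from the direct path.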
## Retry Close-Out Template
Implementation must update this section before completion:
| Operation family | Safe retry seam found? | Implemented? | Disabled/deferred reason |
|---|---|---|---|
| Review compose | no generic retry seam verified; reconcile seam exists | no retry | Retry is deferred; stale runs use Reconcile only when adapter proof and RBAC allow it |
| Review pack/report | no generic retry seam verified | no retry | Retry is deferred; related artifact links are safe when canonical metadata resolves |
| Evidence snapshot | no generic retry seam verified | no retry | Retry is deferred; related evidence links are safe when canonical metadata resolves |
| Sync/capture | no generic retry seam verified | no retry | Retry is deferred; partial/blocked runs open affected-family/details surfaces |
| Backup capture | no generic retry seam verified | no retry | Retry is deferred; backup details are safe when backup truth resolves |
| Restore | no by spec | no | High-risk operations cannot be retried from this view |
## Acknowledge Close-Out Template
| Seam checked | Existing clean seam? | Implemented? | Deferral reason |
|---|---|---|---|
| OperationRun acknowledge/note/audit | no clean OperationRun-specific acknowledge/note seam verified | no | Acknowledge would create a local success-like state without existing domain truth; defer to a future explicit workflow spec |