TenantAtlas/specs/279-workspace-managed-environment-core/spec.md

# Feature Specification: Workspace-first Managed Environment Core Cutover

**Feature Branch**: `279-workspace-managed-environment-core`  
**Created**: 2026-05-06  
**Status**: Ready with approved feature-local exception  
**Input**: User description: "Use the next unspecced reserved cutover slot from the roadmap/spec-candidate pack and prepare the `Workspace-first Managed Environment Core Cutover` package as the next bounded implementation-ready spec."

## Spec Candidate Check

- **Problem**: TenantPilot still treats `Tenant` as the active managed-target core across models, route binding, Filament tenancy, memberships, query helpers, and operator context. That blocks the planned workspace-first / provider-neutral evolution because the platform core still assumes the managed target is a Microsoft-shaped tenant instead of a generic managed environment inside a workspace.
- **Today's failure**: Current repo seams such as `TenantPanelProvider`, `Tenant`, `ProviderConnection::tenant()`, tenant-owned query helpers, `Filament::getTenant()` usage, and many `tenant_id` foreign keys force every new workspace-first or provider-neutral change to either deepen `Tenant` coupling or add compatibility shims the constitution explicitly rejects.
- **User-visible improvement**: Operators and future features get one consistent managed-target identity inside a workspace. Context selection, authorization boundaries, route binding, and current environment-scoped surfaces stop depending on `Tenant` as platform-core truth.
- **Smallest enterprise-capable version**: Replace `Tenant` as the active managed-target core with `ManagedEnvironment`, retarget current core foreign-key anchors and context helpers to `managed_environment_id`, keep the existing panel bootable by temporarily rebinding the current `/admin/t/{environment}` path family to `ManagedEnvironment`, and defer the public workspace-first route/IA rewrite, provider-profile extraction, artifact retargeting refinements, and RBAC scope redesign to follow-up specs `280`-`287`.
- **Explicit non-goals**: No dual-read or dual-write compatibility layer, no legacy `Tenant` alias model, no production-data backfill strategy, no full workspace-first public route-family rewrite, no provider-profile extraction, no artifact-language rewrite, no package engine, no guided-operations layer, and no speculative multi-provider framework.
- **Permanent complexity imported**: One new managed-target root entity, one breaking schema cutover from `tenant_id` to `managed_environment_id`, one renamed environment-membership seam, existing context-helper replacement, and focused unit/feature/browser plus guard-test coverage.
- **Why now**: `279` is the first unspecced reserved slot in the roadmap-backed cutover pack, and every later cutover spec (`280`-`287`) depends on this core replacement. Waiting adds more `Tenant`- and Microsoft-specific coupling to the platform core.
- **Why not local**: The problem spans schema, Eloquent relations, route binding, Filament tenancy, current-context resolution, authorization helpers, commands, and tests. A local rename or adapter would immediately drift.
- **Approval class**: Core Enterprise
- **Red flags triggered**: New persisted truth, new state family, many touched seams, and a foundation-sounding cutover. Defense: this is current-release architecture truth, not speculative extensibility; it explicitly forbids compatibility shims and defers broader route, copy, provider, and artifact follow-through to the next reserved specs.
- **Score**: Nutzen: 2 | Dringlichkeit: 2 | Scope: 1 | Komplexitaet: 1 | Produktnaehe: 1 | Wiederverwendung: 2 | **Gesamt: 9/12**
- **Decision**: approve

## Spec Scope Fields

- **Scope**: workspace
- **Primary Routes**:
  - existing workspace chooser route under `/admin`
  - existing tenant chooser surface, retargeted to managed-environment selection
  - current environment-scoped panel routes under `/admin/t/{environment}` as a temporary bounded exception until Spec `280` replaces the public path family
  - current admin resource/detail routes that bind the managed target model directly or derive environment context from it
- **Data Ownership**:
  - `Workspace` remains the primary SaaS and organization context
  - `ManagedEnvironment` becomes the new managed-target root record inside a workspace
  - current core-owned managed-target anchors and context-owned relations retarget from `tenant_id` to `managed_environment_id`; provider-connection extraction and broader governance-artifact retargeting remain follow-up work for Specs `281` and `282`
- **RBAC**:
  - workspace membership remains the first isolation boundary
  - current tenant-membership semantics are retargeted to managed-environment membership semantics without widening role scope in this spec
  - wrong-workspace and non-member access remain `404`
  - in-scope actors missing a capability remain `403`

Canonical-view handling for current admin surfaces:

- **Default filter behavior when tenant-context is active**: current canonical admin views continue to prefilter to the active managed environment whenever they currently prefilter to the active tenant; broader workspace-first canonical-view semantics remain Spec `280` follow-up work
- **Explicit entitlement checks preventing cross-tenant leakage**: any route, query helper, or global-search path that currently resolves tenant scope must resolve the active managed environment plus current workspace membership before revealing environment-bound records

## Cross-Cutting / Shared Pattern Reuse

- **Cross-cutting feature?**: yes
- **Interaction class(es)**: context selection, route links, global-search scoping, current-target chips, resource query helpers, and environment-bound deep links
- **Systems touched**: `TenantPanelProvider`, `WorkspaceContext`, `ChooseTenant`, `ResolvesPanelTenantContext`, `InteractsWithTenantOwnedRecords`, `ScopesGlobalSearchToTenant`, `TenantOwnedModelFamilies`, `OperationRunLinks`, current tenant widgets, and tenant-scoped resources/pages
- **Existing pattern(s) to extend**: workspace-first context storage, current Filament panel-provider seams, current deny-as-not-found membership enforcement, and existing environment-bound route builders
- **Shared contract / presenter / builder / renderer to reuse**: existing `WorkspaceContext`, panel-provider registration, current resource query scoping helpers, `OperationRunLinks`, and the existing workspace capability resolver
- **Why the existing shared path is sufficient or insufficient**: those seams are sufficient as cutover points, but insufficient because they still encode `Tenant` as the platform-core managed target
- **Exception type**: `Cross-panel Canonical Route Exception`
- **Allowed deviation and why**: one bounded deviation is allowed: the current `/admin/t/{environment}` shell may remain temporarily while binding `ManagedEnvironment` instead of `Tenant`, even though the source-pack end state moves Filament tenancy to `Workspace` in Spec `280`. This temporary bridge exists only to keep the runtime operable while `Tenant` is removed from the core. No second compatibility route family is allowed.
- **Reason block**: only one canonical surface makes sense during the cutover. Keeping the existing shell avoids a second public route family, keeps shell transition explicit, preserves truthful scope signals, and leaves final canonical Workspace tenancy to Spec `280`.
- **Dedicated proof**: `apps/platform/tests/Feature/ManagedEnvironment/ManagedEnvironmentPanelContextTest.php`, `apps/platform/tests/Browser/Spec279ManagedEnvironmentCoreCutoverSmokeTest.php`, and `specs/279-workspace-managed-environment-core/checklists/constitution-scope-001-exception.md`
- **Consistency impact**: route keys, chooser labels, context bars, global-search scope resolution, tenant-owned query helpers, and deep-link builders must all agree on `ManagedEnvironment` as the active managed target
- **Review focus**: reviewers must verify that the cutover replaces current shared seams in place, that the temporary `/admin/t` path is the only documented exception, and that no alias model or second context stack appears

## OperationRun UX Impact

- **Touches OperationRun start/completion/link UX?**: yes, link semantics only
- **Shared OperationRun UX contract/layer reused**: `OperationRunLinks` and the existing OperationRun URL-resolution helpers
- **Delegated start/completion UX behaviors**: tenant/workspace-safe environment link resolution only; no new queued toasts, start events, completion notifications, or dedupe messaging are added in this slice
- **Local surface-owned behavior that remains**: none; existing surfaces continue to use the central OperationRun link helpers after their context model is retargeted
- **Queued DB-notification policy**: `N/A`
- **Terminal notification path**: `N/A`
- **Exception required?**: yes - the temporary `/admin/t/{environment}` path retention described above. This is a bounded route exception only and does not permit a second compatibility family.

## Provider Boundary / Platform Core Check

- **Shared provider/platform boundary touched?**: yes
- **Boundary classification**: mixed
- **Seams affected**: managed-target identity, provider-connection foreign-key anchors, current context model, operator vocabulary, route binding, and current target selection
- **Neutral platform terms preserved or introduced**: `workspace`, `managed environment`, `provider connection`, `target scope`, `operation`, `finding`, `review`, and `governance artifact`
- **Provider-specific semantics retained and why**: Microsoft-specific identifiers such as `entra_tenant_id`, Graph consent details, and portal metadata may remain in provider-owned tables or provider metadata until Spec `281` extracts and normalizes them. They must not live on `ManagedEnvironment`.
- **Why this does not deepen provider coupling accidentally**: the core cutover explicitly forbids Microsoft-specific identity, Graph, or Intune fields on `ManagedEnvironment` and replaces `Tenant` as the shared core noun
- **Follow-up path**: Spec `281` for provider-profile extraction, Spec `284` for provider-neutral artifact-source taxonomy, and Spec `286` for copy/localization cleanup

## UI / Surface Guardrail Impact

| Surface / Change | Operator-facing surface change? | Native vs Custom | Shared-Family Relevance | State Layers Touched | Exception Needed? | Low-Impact / `N/A` Note |
|---|---|---|---|---|---|---|
| Managed-environment chooser replacing current tenant chooser | yes | Native Filament page | context selection, navigation entry point | page, URL/query | no | Keeps the existing chooser family and retargets it to managed environments |
| Current environment-scoped panel routes under `/admin/t/{environment}` | yes | Native Filament panel shell | route links, context bar, global search, resource scope | shell, page, detail, URL/query | yes | Temporary path retention only until Spec `280` owns the public route-family rewrite |
| Admin directory/resource surfaces that currently list `Tenant` records | yes | Native Filament resources/pages | detail links, current-target summaries | page, detail | no | Core noun and route binding change here; broader IA and copy polish remain deferred |

## Decision-First Surface Role

| Surface | Decision Role | Human-in-the-loop Moment | Immediately Visible for First Decision | On-Demand Detail / Evidence | Why This Is Primary or Why Not | Workflow Alignment | Attention-load Reduction |
|---|---|---|---|---|---|---|---|
| Managed-environment chooser | Primary Decision Surface | Operator selects the current managed target inside the active workspace | environment name, display name, lifecycle posture, and current workspace | provider-specific diagnostics stay secondary and remain follow-up work | Primary because current environment selection is the first explicit decision before any environment-scoped workflow begins | Keeps the existing current-target selection workflow intact | Removes ambiguity between workspace scope and managed-target scope |
| Current environment-scoped panel shell | Secondary Context Surface | Operator verifies they are acting in the correct managed environment while using existing pages | active workspace plus active managed-environment identity | deeper provider or governance detail remains on the current pages | Not primary because it carries context while work happens elsewhere | Aligns with existing panel-shell behavior instead of inventing a new workbench | Reduces wrong-target actions during the cutover |

## Audience-Aware Disclosure

| Surface | Audience Modes In Scope | Decision-First Default-Visible Content | Operator Diagnostics | Support / Raw Evidence | One Dominant Next Action | Hidden / Gated By Default | Duplicate-Truth Prevention |
|---|---|---|---|---|---|---|---|
| Managed-environment chooser | operator-MSP, support-platform | environment identity, display name, lifecycle posture, and workspace context | provider-health detail and migration notes remain secondary | raw provider metadata stays hidden | `Enter environment` | provider-specific raw metadata | chooser cards show selection truth once and defer diagnostics |
| Current environment-scoped panel shell | operator-MSP, support-platform | active workspace and active managed-environment context | deeper per-page diagnostics remain where they already live | raw payloads remain page-local and secondary | existing page action | any migration/debug hints stay lower-priority | shell surfaces should not repeat full page-level summaries |

## UI/UX Surface Classification

| Surface | Action Surface Class | Surface Type | Likely Next Operator Action | Primary Inspect/Open Model | Row Click | Secondary Actions Placement | Destructive Actions Placement | Canonical Collection Route | Canonical Detail Route | Scope Signals | Canonical Noun | Critical Truth Visible by Default | Exception Type / Justification |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Managed-environment chooser | Selector / Context / Entry | Context-selection page | Enter the intended managed environment | card/list selection | optional current pattern | workspace switch remains secondary | none | `/admin/choose-environment` (logical) | environment entry path | active workspace plus environment identity | Managed environment | selected target identity and lifecycle posture | none |
| Current environment-scoped panel shell | Shell / Context / Navigation | Filament panel shell | Continue into the current environment page | current shell context | forbidden | page-local links stay secondary | none | `/admin/t/{environment}` (temporary) | existing page routes under the shell | active workspace plus active managed environment | Managed environment | current environment identity | temporary route retention until Spec `280` |

## Operator Surface Contract

| Surface | Primary Persona | Decision / Operator Action Supported | Surface Type | Primary Operator Question | Default-visible Information | Diagnostics-only Information | Status Dimensions Used | Mutation Scope | Primary Actions | Dangerous Actions |
|---|---|---|---|---|---|---|---|---|---|---|
| Managed-environment chooser | TenantPilot operator | Decide which managed environment inside the current workspace should become active | Context-selection page | Which managed environment am I about to act in? | environment identity, workspace context, lifecycle posture | provider-specific diagnostics and migration detail | lifecycle, access posture | none | Enter environment | none |
| Current environment-scoped panel shell | TenantPilot operator | Confirm that all current environment-bound pages resolve the right managed target | Panel shell | Am I in the correct workspace and managed environment? | active workspace and active managed-environment identity | page-local diagnostics only | access posture, lifecycle | none | existing page action | none |

## Proportionality Review

- **New source of truth?**: yes
- **New persisted entity/table/artifact?**: yes
- **New abstraction?**: no new generic abstraction; existing tenant-context seams are replaced or neutralized in place
- **New enum/state/reason family?**: yes, bounded managed-environment kind and lifecycle posture fields
- **New cross-domain UI framework/taxonomy?**: no
- **Current operator problem**: the product cannot become workspace-first or provider-neutral while the core managed target, current context, and route binding still assume `Tenant`
- **Existing structure is insufficient because**: the current `Tenant` model mixes managed-target identity, provider-specific metadata, current-context behavior, and Filament tenant binding across the app
- **Narrowest correct implementation**: a single breaking core cutover to `ManagedEnvironment` with one documented temporary route-path exception and no compatibility aliases
- **Ownership cost**: broad schema and relation retargeting, command and test updates, temporary exception tracking for `/admin/t/{environment}`, and explicit follow-up ownership for Specs `280`-`287`
- **Alternative intentionally rejected**: dual-read/dual-write aliases, a `Tenant` wrapper around `ManagedEnvironment`, or one giant combined route/IA/provider/artifact rewrite. Those options either violate the constitution or make the first cutover slice too broad to review safely.
- **Release truth**: current-release truth with explicit follow-up slices for the remaining cutover pack

### Compatibility posture

This feature assumes a pre-production environment.

Backward compatibility, legacy aliases, dual-read/dual-write shims, historical fixtures, and compatibility-specific tests are out of scope unless explicitly required by this spec.

Canonical replacement is preferred over preservation.

## Testing / Lane / Runtime Impact

- **Test purpose / classification**: Unit, Feature, Browser
- **Validation lane(s)**: fast-feedback, confidence, browser
- **Why this classification and these lanes are sufficient**: the cutover changes core model truth, route/model binding, and Filament context selection. Unit tests prove model and context rules, feature tests prove scope and routing semantics, and one browser smoke proves the workspace-to-environment selection flow stays operable after the cutover.
- **New or expanded test families**: one managed-environment unit family, one managed-environment feature family, and one narrow browser smoke
- **Fixture / helper cost impact**: moderate; existing tenant fixtures and helper families must be replaced with managed-environment equivalents rather than layered adapters
- **Heavy-family visibility / justification**: none
- **Special surface test profile**: standard-native-filament, global-context-shell, exception-coded-surface
- **Standard-native relief or required special coverage**: standard Filament feature coverage is sufficient for chooser and panel-context semantics; one browser smoke is required because the cutover changes end-to-end context selection and panel bootstrapping
- **Reviewer handoff**: reviewers must verify that `ManagedEnvironment` replaces `Tenant` in core-owned paths, the temporary `/admin/t` exception is the only path deviation, the legacy-core guard proves `tenant_id` removal inside the declared core-owned cutover inventory while keeping Specs `281` and `282` exclusions explicit, `ManagedEnvironment` carries no Microsoft-specific identity fields, any touched globally searchable resource still satisfies Filament’s edit/view eligibility rule or remains out of global search, no new asset registration or deployment-step change appears, and provider registration remains in `apps/platform/bootstrap/providers.php`
- **Budget / baseline / trend impact**: moderate feature-local increase only
- **Escalation needed**: `document-in-feature` for the temporary `/admin/t` path exception; `follow-up-spec` already assigned for the remaining cutover pack
- **Active feature PR close-out entry**: Guardrail
- **Planned validation commands**:
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Unit/ManagedEnvironment/ManagedEnvironmentModelTest.php tests/Unit/ManagedEnvironment/ManagedEnvironmentContextResolverTest.php)`
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/ManagedEnvironment/ManagedEnvironmentRouteBindingTest.php tests/Feature/ManagedEnvironment/ManagedEnvironmentAuthorizationTest.php tests/Feature/ManagedEnvironment/ManagedEnvironmentPanelContextTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php)`
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec279ManagedEnvironmentCoreCutoverSmokeTest.php)`
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)`
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && rg -n --fixed-strings 'App\Models\Tenant' "$REPO_ROOT/apps/platform/app" "$REPO_ROOT/apps/platform/tests" "$REPO_ROOT/apps/platform/database"`
  - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && rg -n -- '->tenant\(Tenant::class' "$REPO_ROOT/apps/platform/app" "$REPO_ROOT/apps/platform/tests" "$REPO_ROOT/apps/platform/database"`

## Scope Boundaries *(required for this slice)*

### In Scope

- introduce `ManagedEnvironment` as the active managed-target root inside a workspace
- introduce the breaking schema/model cutover away from `Tenant` and `tenant_id` in core-owned paths
- retarget current context selection, route binding, query helpers, memberships, and the current tenant-panel shell bridge to `ManagedEnvironment` while keeping the final `Workspace` Filament-tenancy switch deferred to Spec `280`
- keep the current environment-scoped panel operable through the documented temporary `/admin/t/{environment}` exception until Spec `280`
- update factories, seeders, policies, guards, route binding, and tests so core-owned paths no longer rely on `App\Models\Tenant`
- ensure `ManagedEnvironment` carries no Microsoft-specific identity, Graph, or Intune fields

### Non-Goals

- final workspace-first public route family and navigation IA rewrite
- provider-profile extraction and provider-scope normalization
- governance artifact naming and route retargeting polish
- RBAC scope redesign or new capability families
- copy/localization neutralization beyond the minimum core cutover terms
- quality-gate automation beyond the feature-local guard tests needed for this slice
- package execution, guided operations, virtual consultant, or any new provider implementation

## Assumptions

- the repo remains pre-production, so destructive in-place replacement is acceptable and compatibility shims are not
- the temporary `/admin/t/{environment}` path retention is the only allowed path exception for this slice
- broader workspace-first IA, provider extraction, artifact retargeting, and RBAC scoping remain explicitly deferred to Specs `280`-`287`
- current workspace membership and capability semantics stay materially unchanged in this slice; only the managed-target noun and foreign-key anchors move

## Risks

- the implementation could accidentally combine the core cutover with the public route/IA rewrite, which would make review and rollback reasoning too broad
- lingering `Tenant` references in commands, tests, or helper traits could hide cutover drift and produce mixed context behavior
- provider-specific identity could accidentally land on `ManagedEnvironment` if current `Tenant` fields are copied forward without discipline
- the temporary `/admin/t` exception could become permanent if Spec `280` is not treated as mandatory follow-up

## Candidate Selection Gate Summary

- **Selected candidate**: `279 - Workspace-first Managed Environment Core Cutover`
- **Source locations**:
  - `docs/product/spec-candidates.md` under the `Workspace-first / ManagedEnvironment Core Cutover candidate pack`
  - `docs/product/roadmap.md` under the planned cutover pack ordering
- **Why selected now**: `279` is the first unspecced reserved slot in the cutover pack and is the prerequisite for the remaining reserved follow-ups
- **Why close alternatives were deferred**:
  - `280` depends on the core entity and context replacement from `279`
  - `281` depends on the new managed-target root before provider-profile extraction makes sense
  - `282` depends on `managed_environment_id` becoming the core anchor first
  - `283`-`287` are later normalization and guardrail layers, not the initial breaking cutover
- **Smallest viable implementation slice**: core entity replacement, foreign-key retargeting, current-context replacement, and one bounded path exception only
- **Documented deviation from raw candidate wording**: this package defers the public workspace-first route-family rewrite and final `Workspace` Filament-tenancy end state to Spec `280`. To keep the implementation bounded and the runtime operable, `279` allows the current `/admin/t/{environment}` shell to remain temporarily while rebinding it to `ManagedEnvironment`.

## Completed-Spec Guardrail Result

- `specs/276-support-access-governance/` already exists and remains a separate prepared package
- `specs/277-stored-reports-surface/` already exists and remains a separate prepared package
- `specs/278-cross-domain-indicator-audit/` already exists and carries completed docs-only close-out history
- `specs/247-plans-entitlements-billing-readiness/`, `specs/251-commercial-entitlements-billing-state/`, `specs/252-platform-localization-v1/`, `specs/262-lifecycle-governance-taxonomy/`, and `specs/264-cross-tenant-promotion-execution/` remain context only and are not rewritten by this package

## Deferred Adjacent Candidates

- `280 - Filament Workspace Tenancy & Environment Routing Cutover`
- `281 - Provider Connection, Provider Scope & Microsoft Profile Extraction`
- `282 - Governance Artifact Retargeting to ManagedEnvironment`
- `283 - Provider Capability Registry v1`
- `284 - Provider-neutral Artifact Source Taxonomy v1`
- `285 - Workspace-first RBAC & Environment Access Scoping`
- `286 - UI Copy, IA & Localization Neutralization`
- `287 - Cutover Quality Gates & No-Legacy Enforcement`

## User Scenarios & Testing

### User Story 1 - Resolve managed environments as the active target inside a workspace (Priority: P1)

As a platform operator, I want the active managed target to be a `ManagedEnvironment` inside my current workspace so the platform core stops depending on `Tenant` as its primary identity model.

**Why this priority**: every later cutover slice depends on the managed-target root being replaced first.

**Independent Test**: Seed a workspace plus one managed environment, resolve the record through route binding and current-context helpers, and confirm the core paths no longer require `App\Models\Tenant`.

**Acceptance Scenarios**:

1. **Given** a workspace has a managed environment, **When** the current environment is resolved by route key, **Then** the app returns the `ManagedEnvironment` record and current workspace context instead of a `Tenant` model.
2. **Given** a wrong-workspace or non-member actor, **When** they try to resolve the same managed environment, **Then** the app responds with `404` and leaks no environment-bound data.

---

### User Story 2 - Keep current environment-scoped surfaces operable through the cutover (Priority: P1)

As an operator using the current admin panel, I want the existing environment-scoped shell to keep working while the core noun changes so the cutover is reviewable without bundling the full route/IA rewrite.

**Why this priority**: the cutover is not implementation-ready unless the current panel still boots on the new core entity.

**Independent Test**: Select a workspace, enter a managed environment from the retargeted chooser, and open the current environment dashboard through the temporary `/admin/t/{environment}` shell.

**Acceptance Scenarios**:

1. **Given** an operator selected a workspace, **When** they choose a managed environment, **Then** the current panel shell loads with that managed environment as the active bound model.
2. **Given** the same environment-scoped shell, **When** a page or deep link resolves the active target, **Then** route builders, query helpers, and current-target chips use `ManagedEnvironment` consistently.

---

### User Story 3 - Remove active tenant-core drift from schema, policies, and tests (Priority: P2)

As a maintainer, I want core-owned schema, policies, factories, and guard tests to use `ManagedEnvironment` and `managed_environment_id` so later specs do not inherit mixed core nouns.

**Why this priority**: lingering tenant-core drift would make the follow-up cutover pack unstable and ambiguous.

**Independent Test**: Run the managed-environment unit/feature suite and the legacy-core guard checks, then confirm no active `App\Models\Tenant` or `->tenant(Tenant::class)` binding remains in core-owned paths.

**Acceptance Scenarios**:

1. **Given** the cutover implementation is complete, **When** factories, policies, and tests create the managed target, **Then** they use `ManagedEnvironment` and managed-environment memberships rather than `Tenant`.
2. **Given** the final core-owned paths are searched or guard-tested, **When** forbidden legacy core patterns are checked, **Then** no active `Tenant` core model or Filament tenant binding remains.

### Edge Cases

- The current public `/admin/t/{environment}` path may remain temporarily, but it must bind `ManagedEnvironment` and must not coexist with a second compatibility route family.
- Microsoft-specific external terms such as `Microsoft Entra Tenant ID` may remain only in provider-owned metadata or provider profiles, not on `ManagedEnvironment`.
- Archived or inactive managed environments must not become selectable current context by default.
- Old tenant-specific factories, seeders, and fixtures must be removed or replaced in the same cutover PR rather than kept for convenience.

## Requirements *(mandatory)*

**Constitution alignment (required):** This feature changes core data ownership, route binding, context selection, and existing operator-facing shell behavior. It adds no Microsoft Graph calls and no new `OperationRun` family. Any security-relevant mutation that is not represented by `OperationRun` still uses existing audit behavior where applicable.

**Constitution alignment (PROP-001 / ABSTR-001 / PERSIST-001 / STATE-001 / BLOAT-001):** The feature introduces a new persisted root entity because the current product truth needs a provider-neutral managed-target core now. A narrower alias or adapter would preserve the wrong truth and would violate the repo’s pre-production lean doctrine.

**Constitution alignment (XCUT-001):** Current context-selection, route-building, query-scoping, and shell-context seams must be replaced in place. No second local environment-context language is allowed.

**Constitution alignment (PROV-001):** `ManagedEnvironment` must remain provider-neutral. Provider-specific identity stays in provider-owned seams and follow-up Spec `281`.

**Constitution alignment (SCOPE-001 exception/update prerequisite):** The current constitution still requires tenant-owned tables to use `workspace_id` plus `tenant_id` as `NOT NULL`. This package intentionally replaces active core-owned managed-target keys with `managed_environment_id`. Implementation is gated by the explicit exception record in `specs/279-workspace-managed-environment-core/checklists/constitution-scope-001-exception.md` until the constitution itself is amended.

### Functional Requirements

- **FR-001**: The package MUST introduce `ManagedEnvironment` as the active managed-target root record inside a workspace.
- **FR-002**: The package MUST remove active core dependence on `App\Models\Tenant` and retarget core-owned foreign keys from `tenant_id` to `managed_environment_id`.
- **FR-003**: `ManagedEnvironment` MUST NOT contain Microsoft-specific identity, Graph, or Intune fields.
- **FR-004**: Current workspace-plus-target context resolution MUST bind `ManagedEnvironment` instead of `Tenant`.
- **FR-005**: Current environment membership and capability checks MUST continue to enforce `404` for non-members and `403` for in-scope capability denials.
- **FR-006**: The current environment-scoped panel shell may retain the `/admin/t/{environment}` path temporarily, but it MUST bind `ManagedEnvironment` and MUST remain the only documented path exception in this slice.
- **FR-007**: Current tenant-scoped query helpers, global-search scoping, route builders, and current-target UI seams MUST resolve `ManagedEnvironment` consistently.
- **FR-008**: Tests, factories, policies, and seeders in core-owned paths MUST use `ManagedEnvironment` naming and IDs after the cutover.
- **FR-009**: The package MUST not introduce dual columns, alias models, dual-write logic, or compatibility routes.
- **FR-010**: The package MUST explicitly defer the remaining workspace-first route-family rewrite, provider extraction, artifact retargeting, RBAC scope redesign, copy neutralization, and long-lived cutover quality gates to Specs `280`-`287`.

### Authorization and Safety Requirements

- **AR-001**: Workspace membership remains the first access boundary and must still deny non-members as `404`.
- **AR-002**: Managed-environment membership remains the second access boundary and must still deny wrong-environment access as `404`.
- **AR-003**: No new destructive action semantics are introduced. Any touched existing destructive actions must preserve `->requiresConfirmation()` and current authorization checks.

### Non-Functional Requirements

- **NFR-001**: Filament remains v5 on Livewire v4.
- **NFR-002**: Provider registration stays in `apps/platform/bootstrap/providers.php`; no new panel provider registration location is introduced.
- **NFR-003**: Any existing globally searchable resource touched by the cutover must continue to satisfy Filament’s edit/view-page requirement or remain out of global search.
- **NFR-004**: No new asset registration or `filament:assets` deployment change is introduced in this slice.
- **NFR-005**: The cutover must remain reviewable as one bounded implementation loop and must not silently absorb the broader Spec `280`-`287` work.