ahmido
2f7a521d5f
## Summary - add the full workspace/environment context browser verification audit for Spec 313 - include the surface matrix, query and clear-filter inventories, ownership map, and audit report - attach browser evidence artifacts and screenshots for the current workspace/environment context contract ## Testing - no automated tests run; this is an analysis-only spec and artifact package with no runtime changes Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #368
18 KiB
18 KiB
Surface Inventory
Final statuses use only the allowed Spec 313 status vocabulary. "Browser verified" means the surface was opened in the local admin UI on 2026-05-16 against http://localhost/admin; "repo only" means classified from route/resource code and not deeply browser-tested because the surface is system, auth, modal-only, or not context-bearing.
| Surface | Type | Class/resource/component | Route | Sidebar visible? | Dashboard/card/action linked? | Workspace-scoped? | Environment-scoped? | System/platform scoped? | Ambiguous? | Browser verified? | Final status | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Workspace Overview | Filament page | App\Filament\Pages\WorkspaceOverview |
/admin, /admin/workspaces/{workspace}/overview |
Yes | Home | Yes | No | No | No | Yes | verified_workspace_scoped_hub |
Shell shows workspace and no environment after clear; screenshot workspace-origin--workspace-overview.png. |
| Operations | Filament page | App\Filament\Pages\Monitoring\Operations |
/admin/workspaces/{workspace}/operations |
Yes | Environment dashboard CTA | Yes | Explicit filter only | No | No | Yes | verified_workspace_scoped_hub |
Workspace origin shows 9 rows across 2 environments. CTA query managed_environment_id=4 was not visibly applied in shell/title and had no Clear filters action. |
| Operation detail | Filament page | App\Filament\Pages\Operations\TenantlessOperationRunViewer |
/admin/workspaces/{workspace}/operations/{run} |
Row/action only | Environment dashboard recent operation links | Yes | Record-owned tenant context | No | Yes | Repo only | verified_ambiguous_or_mixed |
Support request modal exists here; not deeply tested to avoid mutation flows. |
| Provider Connections / Integrations | Filament resource | App\Filament\Resources\ProviderConnectionResource |
/admin/provider-connections |
Yes | Link helper from operations/provider actions | Yes | Explicit filter query | No | Yes | Yes | verified_workspace_scoped_hub |
Workspace origin showed both provider rows. Query prefilter managed_environment_id=<slug> filters rows but no page-level clear exists; sidebar link can regain query from remembered environment. |
| Finding Exceptions Queue | Filament page | App\Filament\Pages\Monitoring\FindingExceptionsQueue |
/admin/finding-exceptions/queue |
Yes | Open queue helper | Yes | Explicit tenant prefilter |
No | Yes | Yes | blocked_missing_seed_data |
Shell/query behavior verified; no finding_exceptions rows in seed data, so row-scope correctness is unproven. |
| Alerts landing | Filament cluster page | App\Filament\Pages\Monitoring\Alerts |
/admin/alerts redirects to alert deliveries |
Yes | No | Yes | Table filters | No | No | Yes | blocked_missing_seed_data |
No alert delivery rows; shell and filter behavior verified only. |
| Alert Deliveries | Filament resource | App\Filament\Resources\AlertDeliveryResource |
/admin/alerts/alert-deliveries |
Child | No | Yes | Optional environment table filter | No | No | Yes | blocked_missing_seed_data |
No rows. |
| Alert Rules | Filament resource | App\Filament\Resources\AlertRuleResource |
/admin/alerts/alert-rules |
Child | No | Yes | No | No | No | Repo only | verified_workspace_scoped_hub |
Navigation child under Alerts; not high-risk for environment inheritance. |
| Alert Destinations | Filament resource | App\Filament\Resources\AlertDestinationResource |
/admin/alerts/alert-destinations |
Child | No | Yes | No | No | No | Repo only | verified_workspace_scoped_hub |
Navigation child under Alerts; not high-risk for environment inheritance. |
| Audit Log | Filament page | App\Filament\Pages\Monitoring\AuditLog |
/admin/audit-log |
Yes | No | Yes | Optional environment table filter | No | No | Yes | verified_workspace_scoped_hub |
Workspace origin shows 61 rows across 2 environments; shell clean from sidebar. |
| Evidence Overview | Filament page | App\Filament\Pages\Monitoring\EvidenceOverview |
/admin/evidence/overview |
No direct sidebar item | Environment/prefilter links | Yes | Explicit managed_environment_id prefilter |
No | Yes | Yes | blocked_missing_seed_data |
Clear filter worked for query prefilter, but no evidence rows exist. |
| Review Register | Filament page | App\Filament\Pages\Reviews\ReviewRegister |
/admin/reviews |
Yes | Prefilter URL/action | Yes | Explicit prefilter | No | Yes | Yes | blocked_missing_seed_data |
managed_environment_id=4 query remained after clicking Clear filters; no environment review rows exist. |
| Customer Review Workspace | Filament page | App\Filament\Pages\Reviews\CustomerReviewWorkspace |
/admin/reviews/workspace |
Yes | Environment dashboard export artifacts | Yes | Explicit tenant prefilter |
No | Yes | Yes | blocked_missing_seed_data |
Query remained after clear and reload reintroduced visible filter; no review-pack/review data exists. |
| Governance Inbox | Filament page | App\Filament\Pages\Governance\GovernanceInbox |
/admin/governance/inbox |
Yes | Environment sidebar/action links | Yes | Explicit tenant prefilter |
No | Yes | Yes | verified_workspace_scoped_hub |
Filtered URL shows ManagedEnvironment: YPTW2 with clear environment filter link; shell still says no environment selected. |
| Decision Register | Filament page | App\Filament\Pages\Governance\DecisionRegister |
/admin/governance/decisions |
Conditional | Prefilter URL | Yes | Explicit managed_environment_id prefilter |
No | Yes | Yes | verified_ambiguous_or_mixed |
Clean workspace URL returned 403 for this actor, while ?managed_environment_id=4 opened the page. Access is data/query dependent. |
| Workspace Settings | Filament page | App\Filament\Pages\Settings\WorkspaceSettings |
/admin/settings/workspace |
Yes | No | Yes | No | No | No | Yes | verified_workspace_scoped_hub |
Workspace admin surface; no environment query observed. |
| Manage Workspaces | Filament resource | App\Filament\Resources\Workspaces\WorkspaceResource |
/admin/workspaces |
Yes | Topbar/switcher | Yes | No | No | No | Yes | verified_workspace_scoped_hub |
Workspace management list opened cleanly. |
| Managed Environments Landing | Filament page/resource | ManagedEnvironmentResource, ManagedEnvironmentsLanding |
/admin/workspaces/{workspace}/environments |
Via environment clear/switch | Workspace overview/context bar | Workspace list of environments | No | No | No | Yes | verified_workspace_scoped_hub |
Environment catalog for current workspace; screenshot environment-page--managed-environments-landing.png. |
| Choose Workspace | Filament page | App\Filament\Pages\ChooseWorkspace |
/admin/choose-workspace |
Topbar | Topbar | Yes | No | No | No | Yes | verified_workspace_scoped_hub |
Selection surface, not data hub. |
| Choose Environment | Filament page | App\Filament\Pages\ChooseEnvironment |
/admin/choose-environment |
Topbar | Topbar | Yes | No | No | No | Yes | verified_workspace_scoped_hub |
Environment selection surface. |
| Environment Dashboard | Filament page | App\Filament\Pages\EnvironmentDashboard |
/admin/workspaces/{workspace}/environments/{environment} |
Environment nav | Environment entry point | No | Yes | No | No | Yes | verified_environment_scoped_page |
Shell shows YPTW2 (DEV); CTAs include Operations, required permissions, reviews, backup, evidence, risks. |
| Environment Onboarding | Filament page | ManagedEnvironmentOnboardingWizard |
/admin/onboarding, /admin/onboarding/{draft} |
No | Onboarding CTA | No | Yes | No | No | Yes | verified_environment_scoped_page |
Browser redirected /admin/onboarding to draft /admin/onboarding/1. |
| Required Permissions | Filament page | App\Filament\Pages\EnvironmentRequiredPermissions |
/admin/workspaces/{workspace}/environments/{environment}/required-permissions |
Environment nav/card | Dashboard card | No | Yes | No | No | Yes | verified_environment_scoped_page |
Shell/header environment aligned. |
| Environment Diagnostics | Filament page | App\Filament\Pages\EnvironmentDiagnostics |
/admin/workspaces/{workspace}/environments/{environment}/diagnostics |
Route/action | Dashboard/action | No | Yes | No | No | Yes | verified_environment_scoped_page |
Shell/header environment aligned. |
| Inventory Cluster | Filament cluster | App\Filament\Clusters\Inventory\InventoryCluster |
/admin/workspaces/{workspace}/environments/{environment}/inventory |
Environment nav | Dashboard/sidebar | No | Yes | No | No | Yes | verified_environment_scoped_page |
Redirected to inventory items with environment shell. |
| Inventory Items | Filament resource | App\Filament\Resources\InventoryItemResource |
/admin/workspaces/{workspace}/environments/{environment}/inventory-items |
Environment nav | Inventory cluster | No | Yes | No | No | Yes | blocked_missing_seed_data |
No inventory rows for audited environment. |
| Inventory Coverage | Filament page | App\Filament\Pages\InventoryCoverage |
/admin/workspaces/{workspace}/environments/{environment}/inventory/inventory-coverage |
Environment nav | Inventory cluster | No | Yes | No | No | Yes | verified_environment_scoped_page |
Shell/header environment aligned. |
| Policies | Filament resource | App\Filament\Resources\PolicyResource |
/admin/workspaces/{workspace}/environments/{environment}/policies |
Environment nav | Inventory cluster | No | Yes | No | No | Yes | blocked_missing_seed_data |
Policies rows exist only in workspace 1/env 1, not in audited workspace 3/env 4. |
| Policy Versions | Filament resource | App\Filament\Resources\PolicyVersionResource |
/admin/workspaces/{workspace}/environments/{environment}/policy-versions |
Environment nav | Inventory cluster | No | Yes | No | No | Yes | blocked_missing_seed_data |
No policy version rows. |
| Findings | Filament resource | App\Filament\Resources\FindingResource |
/admin/workspaces/{workspace}/environments/{environment}/findings |
Environment nav | Dashboard cards | No | Yes | No | No | Yes | blocked_missing_seed_data |
No finding rows. |
| Risk Exceptions | Filament resource | App\Filament\Resources\FindingExceptionResource |
/admin/workspaces/{workspace}/environments/{environment}/finding-exceptions |
Environment nav | Dashboard card | No | Yes | No | No | Yes | blocked_missing_seed_data |
No finding exception rows. |
| Evidence Snapshots | Filament resource | App\Filament\Resources\EvidenceSnapshotResource |
/admin/workspaces/{workspace}/environments/{environment}/evidence |
Environment nav | Dashboard card | No | Yes | No | No | Yes | blocked_missing_seed_data |
No evidence snapshot rows. |
| Environment Reviews | Filament resource | App\Filament\Resources\EnvironmentReviewResource |
/admin/workspaces/{workspace}/environments/{environment}/environment-reviews |
Environment nav | Dashboard cards | No | Yes | No | No | Yes | blocked_missing_seed_data |
No environment review rows. |
| Review Packs | Filament resource | App\Filament\Resources\ReviewPackResource |
/admin/workspaces/{workspace}/environments/{environment}/review-packs |
Environment nav | Dashboard/export card | No | Yes | No | No | Yes | blocked_missing_seed_data |
No review pack rows. |
| Stored Reports | Filament resource | App\Filament\Resources\StoredReportResource |
/admin/workspaces/{workspace}/environments/{environment}/stored-reports |
Environment nav | Evidence/reports links | No | Yes | No | No | Yes | verified_environment_scoped_page |
2 stored report rows exist for env 4. No workspace-wide reports hub discovered. |
| Backup Schedules | Filament resource | App\Filament\Resources\BackupScheduleResource |
/admin/workspaces/{workspace}/environments/{environment}/backup-schedules |
Environment nav | Dashboard backup card | No | Yes | No | No | Yes | blocked_missing_seed_data |
No backup schedules. |
| Backup Sets | Filament resource | App\Filament\Resources\BackupSetResource |
/admin/workspaces/{workspace}/environments/{environment}/backup-sets |
Environment nav | Dashboard backup card | No | Yes | No | No | Yes | blocked_missing_seed_data |
No backup sets. |
| Restore Runs | Filament resource | App\Filament\Resources\RestoreRunResource |
/admin/workspaces/{workspace}/environments/{environment}/restore-runs |
Environment nav | Backup flow | No | Yes | No | No | Yes | blocked_missing_seed_data |
No restore runs. |
| Entra Groups | Filament resource | App\Filament\Resources\EntraGroupResource |
/admin/workspaces/{workspace}/environments/{environment}/entra-groups |
Environment nav | Directory group | No | Yes | No | No | Yes | blocked_missing_seed_data |
No group rows. |
| Access Scopes | Filament resource page | ManagedEnvironmentResource\Pages\ManageEnvironmentAccessScopes |
/admin/workspaces/{workspace}/environments/{environment}/access-scopes |
Environment route | View/manage environment | No | Yes | No | No | Yes | verified_environment_scoped_page |
Environment ownership clear. |
| Baseline Compare Landing | Filament page | App\Filament\Pages\BaselineCompareLanding |
/admin/baseline-compare-landing?tenant=... |
Environment nav | Dashboard card | No | Yes | No | Yes | Yes | verified_ambiguous_or_mixed |
Environment query uses tenant, not route tenant; shell shows environment. |
| Baseline Compare Matrix | Filament page/resource child | App\Filament\Pages\BaselineCompareMatrix |
/admin/baseline-profiles/{record}/compare-matrix |
Row/action | Baseline profile action | No | Mixed | No | Yes | Repo only | verified_ambiguous_or_mixed |
Record-bound compare surface; not opened because no usable baseline assignment. |
| Baseline Profiles | Filament resource | App\Filament\Resources\BaselineProfileResource |
/admin/baseline-profiles?tenant=... |
Environment nav | Baseline card | Workspace-owned baseline library | Environment query filter | No | Yes | Yes | verified_ambiguous_or_mixed |
Global resource with environment query prefilter. |
| Baseline Snapshots | Filament resource | App\Filament\Resources\BaselineSnapshotResource |
/admin/baseline-snapshots?tenant=... |
Environment nav | Baseline card | Workspace-owned artifact library | Environment query filter | No | Yes | Yes | verified_ambiguous_or_mixed |
Global resource with environment query prefilter. |
| Cross Environment Compare | Filament page | App\Filament\Pages\CrossEnvironmentComparePage |
/admin/cross-environment-compare |
No | Compare workflows | Yes | Compares environments | No | Yes | Repo only | verified_ambiguous_or_mixed |
Not visible in sidebar during audited flow. |
| Support Request action | Modal/action surface | EnvironmentDashboard, TenantlessOperationRunViewer, support services |
No list route | Modal only | Header/action | No | Context-bound | No | Yes | Repo only | verified_unreachable |
No Support Requests index/resource/route discovered. Existing surfaces create support requests through modals only; not submitted in this audit. |
| Product Knowledge / Help | Not discovered | None | None | No | No | No | No | No | No | Repo only | verified_unreachable |
No admin route/resource/navigation entry found. |
| Operational Controls | System page | App\Filament\System\Pages\Ops\Controls |
System panel | No admin sidebar | No | No | No | Yes | No | Repo only | verified_system_or_platform_scoped_page |
System panel only. |
| Customer Health | System page/widgets | System\Pages\Directory\Tenants, customer health widgets |
System panel | No admin sidebar | No | No | No | Yes | No | Repo only | verified_system_or_platform_scoped_page |
System platform surface. |
| Provider Health | Workspace/provider rows | Provider connection health columns | /admin/provider-connections |
Integrated | Provider resource | Yes | Explicit filter | No | No | Yes | verified_workspace_scoped_hub |
No separate provider-health page discovered. |
| Permission Posture | Environment/report surface | Required permissions + StoredReportResource | Required permissions, stored reports | Environment nav | Dashboard card | No | Yes | No | No | Yes | verified_environment_scoped_page |
Environment-owned. |
| Entra Admin Roles | Environment/report surface | StoredReportResource, AdminRolesSummaryWidget | Stored reports/widget | Environment nav/card | Dashboard widget | No | Yes | No | No | Yes | verified_environment_scoped_page |
Stored report exists for env 4. |
| Auth Login | Auth page | App\Filament\Pages\Auth\Login |
/admin/login |
No | Auth only | No | No | No | No | Repo only | out_of_scope_with_reason |
Auth surface, not workspace/environment data scope. |
| No Access | Utility page | App\Filament\Pages\NoAccess |
/admin/no-access |
No | Error/guard | No | No | No | No | Repo only | out_of_scope_with_reason |
Guard/error surface. |
| Break Glass Recovery | Utility page | App\Filament\Pages\BreakGlassRecovery |
Not in admin route list | No | Emergency only | No | No | System-like | No | Repo only | verified_legacy_or_dead_surface_candidate |
Class exists but no admin route was listed. |
| Tenancy RegisterTenant | Utility page | App\Filament\Pages\Tenancy\RegisterTenant |
Not in admin route list | No | Legacy tenancy | No | No | No | Yes | Repo only | verified_legacy_or_dead_surface_candidate |
Legacy tenancy artifact in workspace-first app. |
| OperationRunResource | Resource shell | App\Filament\Resources\OperationRunResource |
No resource routes in route list | No | Replaced by Operations page | Yes | Record-owned | No | Yes | Repo only | verified_legacy_or_dead_surface_candidate |
Resource class exists without surfaced resource routes. |
| System Control Tower | System panel group | System\Pages\Dashboard, Ops\*, Security\AccessLogs, Directory\*, widgets |
System panel | No admin sidebar | No | No | No | Yes | No | Repo only | verified_system_or_platform_scoped_page |
Classified only; outside admin workspace/environment contract unless linked back into admin. |