TenantAtlas/specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/tasks.md
Ahmed Darrazi 68ff50d460
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 3m45s
feat: finding exceptions accepted risk resolution guidance v1 (spec 354)
Implemented the accepted risk resolution guidance, including the AcceptedRiskResolutionAdapter, guidance cards, and updated related Filament views. Added unit, feature, and browser tests.
2026-06-05 04:18:59 +02:00

Tasks: Spec 354 - Finding Exceptions / Accepted Risk Resolution Guidance v1

Input: specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/spec.md, plan.md, repo-truth-map.md, contracts/accepted-risk-guidance-signal-map.md, and checklists/requirements.md

Tests: Required. This spec changes strategic accepted-risk operator guidance on existing queue and detail owner surfaces.

Test Governance Checklist

  • Lane assignment is explicit and narrow: Unit for guidance selection, Feature/Livewire for queue/detail integration, Browser for first-screen hierarchy.
  • New or changed tests stay in the smallest honest family, and the browser addition is explicit.
  • Shared helpers, factories, seeds, and context defaults stay cheap by default.
  • Planned validation commands cover the slice without pulling in unrelated lane cost.
  • The changed surfaces are explicit strategic/detail accepted-risk surfaces, not an infra-only refactor.
  • No new persisted accepted-risk truth, workflow engine, or provider/platform abstraction is planned.

Phase 1: Preparation And Repo Truth

Purpose: Keep the implementation bounded to the existing accepted-risk owner surfaces and recorded draft-to-repo deviations.

  • T001 Re-read spec.md, plan.md, tasks.md, repo-truth-map.md, contracts/accepted-risk-guidance-signal-map.md, and checklists/requirements.md.
  • T002 Re-verify the current runtime truth in apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php, apps/platform/resources/views/filament/pages/monitoring/finding-exceptions-queue.blade.php, apps/platform/app/Filament/Resources/FindingExceptionResource.php, apps/platform/app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php, apps/platform/app/Services/Findings/FindingRiskGovernanceResolver.php, and apps/platform/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php.
  • T003 Re-confirm the current repo constraints recorded in repo-truth-map.md: no new accepted-risk model, no new queue family, no global-search change, no standalone customer-facing risk page.
  • T004 Confirm no migration, package, env var, queue family, scheduler, storage, panel/provider, or filament:assets deployment change is required.
  • T005 Keep repo-truth-map.md and contracts/accepted-risk-guidance-signal-map.md current if runtime inspection proves a narrower or broader safe slice.

Phase 2: Tests First

Purpose: Lock decision hierarchy, scope, and no-fake-action behavior before runtime changes.

  • T006 Add apps/platform/tests/Unit/ResolutionGuidance/Spec354AcceptedRiskResolutionAdapterTest.php.
  • T007 Add unit assertions for accepted_risk.ready.
  • T008 Add unit assertions for accepted_risk.expiring.
  • T009 Add unit assertions for accepted_risk.expired.
  • T010 Add unit assertions for revoked and rejected support.
  • T011 Add unit assertions for pending and renewal-requested states.
  • T012 Add unit assertions for missing governance support on an existing exception record.
  • T013 Add unit assertions for incomplete governance support (missing owner/rationale/review support).
  • T014 Add unit assertions for the current fresh-decision-required signal and for conservative owner-surface wording reuse without mutating downstream review-output artifacts.
  • T015 Add a guard assertion proving accepted-risk guidance selection stays DB-local and does not require live provider or Graph calls.
  • T016 Add apps/platform/tests/Feature/Monitoring/Spec354FindingExceptionsQueueGuidanceTest.php.
  • T017 Add feature/Livewire assertions that FindingExceptionsQueue shows one dominant accepted-risk case with one dominant next-step affordance.
  • T018 Add feature/Livewire assertions that only existing repo-backed related context is rendered and unsupported auto-fix buttons are absent.
  • T019 Add feature/Livewire assertions that queue links remain workspace/environment scoped, preserve explicit environment_id behavior, and keep out-of-scope queue access as 404.
  • T020 Add feature/Livewire assertions that the queue keeps current approve/reject action safety intact.
  • T021 Add apps/platform/tests/Feature/Findings/Spec354FindingExceptionDetailGuidanceTest.php.
  • T022 Add feature/Livewire assertions that ViewFindingException and its infolist render one dominant accepted-risk guidance case before deeper diagnostics.
  • T023 Add feature/Livewire assertions that renew/revoke stay state- and capability-bound and keep existing confirmation behavior.
  • T024 Add feature/Livewire assertions that owner/rationale/expiry or review support gaps are visible before decision history and deeper evidence, and that member-but-missing-capability behavior stays aligned with current detail semantics.
  • T025 Add a continuity assertion in the narrowest honest family for Governance Inbox Review accepted risk routing into the owner surface.
  • T026 Add apps/platform/tests/Browser/Spec354AcceptedRiskGuidanceSmokeTest.php.
  • T027 Browser Flow A: expiring accepted-risk queue state shows one dominant blocker and one dominant next-step affordance.
  • T028 Browser Flow B: expired, revoked, or fresh-decision-required accepted-risk state shows a conservative operator affordance and only existing supporting context.
  • T029 Browser Flow C: incomplete governance support shows missing owner/rationale/review context before deep diagnostics.
  • T030 Browser Flow D: calm valid state stays calm and does not render a competing warning stack.

Phase 3: Derived Guidance Contract

Purpose: Build the narrowest derived accepted-risk payload over existing finding and exception truth.

  • T031 Choose the narrowest implementation shape: prefer one bounded accepted-risk adapter or selector under apps/platform/app/Support/ResolutionGuidance/.
  • T032 Consume existing signals from apps/platform/app/Services/Findings/FindingRiskGovernanceResolver.php, FindingException, FindingExceptionDecision, and linked Finding truth before adding any new helper.
  • T033 Derive one accepted-risk guidance payload with key, title, status, severity, reason, impact, primary_action, secondary_actions, and technical_details, while preserving the existing fresh-decision-required signal and avoiding any broader stale-governance invention.
  • T034 Keep blocker priority explicit: missing support -> fresh decision required -> expired/revoked/rejected -> expiring -> incomplete governance support -> pending/renewal -> ready.
  • T035 Keep the derived guidance DB-local and request-scoped only; no new persistence.
  • T036 Do not introduce a new accepted-risk enum family, workflow engine, or review-impact framework in this slice.
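The T033 payload shape and the T034 blocker order, as an added PHP illustration that is not the project's AcceptedRiskResolutionAdapter: a request-scoped, DB-local selector in which the first matching predicate wins, so queue and detail always receive exactly one dominant case. The input field names (status, expires_at, fresh_decision_required, governance.owner/rationale/review_support) and the action identifiers other than renew_exception and revoke_exception are assumptions made for this example.

```php
<?php
// Added example, not the project's adapter. The T034 order is a chain of
// predicates checked top to bottom; the first match is the dominant case.
// Field names on $exception and the action identifiers are assumptions.
function selectAcceptedRiskGuidance(array $exception, DateTimeImmutable $now, int $expiringDays = 14): array
{
    // Every action named here is an existing repo-backed target (T039); there is
    // no auto-fix, and the destructive revoke action only ever appears as secondary.
    $card = static fn (string $key, string $severity, string $primary, array $secondary = []): array => [
        'key' => $key,
        'severity' => $severity,
        'primary_action' => $primary,
        'secondary_actions' => $secondary,
    ];
    $governance = $exception['governance'] ?? null;
    $status = $exception['status'] ?? 'unknown';
    $expiresAt = isset($exception['expires_at']) ? new DateTimeImmutable($exception['expires_at']) : null;
    // 1. Missing governance support on an existing record: nothing to decide on yet.
    if ($governance === null) {
        return $card('accepted_risk.missing_support', 'blocker', 'inspect_accepted_risk', ['open_finding']);
    }
    // 2. The existing fresh-decision-required signal is preserved, not re-derived here.
    if (!empty($exception['fresh_decision_required'])) {
        return $card('accepted_risk.fresh_decision_required', 'blocker', 'inspect_accepted_risk', ['approve_current_request', 'reject_current_request']);
    }
    // 3. Terminal states: expired (by status or by date), revoked, rejected.
    if ($status === 'approved' && $expiresAt !== null && $expiresAt < $now) {
        $status = 'expired';
    }
    if (in_array($status, ['expired', 'revoked', 'rejected'], true)) {
        return $card('accepted_risk.' . $status, 'blocker', 'inspect_accepted_risk', ['open_finding']);
    }
    // 4. Expiring inside the window: renew is the one dominant next step.
    if ($status === 'approved' && $expiresAt !== null && $expiresAt <= $now->modify("+{$expiringDays} days")) {
        return $card('accepted_risk.expiring', 'warning', 'renew_exception', ['revoke_exception']);
    }
    // 5. Incomplete support outranks the calm states so the gap shows before diagnostics.
    $missing = array_values(array_filter(['owner', 'rationale', 'review_support'],
        static fn (string $f): bool => empty($governance[$f])));
    if ($missing !== []) {
        return $card('accepted_risk.incomplete_support', 'warning', 'inspect_accepted_risk') + ['missing' => $missing];
    }
    // 6. In-flight requests keep approve/reject bound to the current request only.
    if (in_array($status, ['pending', 'renewal_requested'], true)) {
        return $card('accepted_risk.' . $status, 'info', 'inspect_accepted_risk', ['approve_current_request', 'reject_current_request']);
    }
    // 7. Calm valid state: one affordance and no competing warning stack.
    return $card('accepted_risk.ready', 'info', 'open_finding');
}
```

Because the selector takes only the already-loaded record and a clock, a unit test can assert the T034 ordering directly (for example, a record that is both expiring and missing a rationale must yield accepted_risk.expiring) without any provider or Graph call, which is the guard T015 asks for.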

Phase 4: Queue Integration

Purpose: Make FindingExceptionsQueue read as an accepted-risk decision destination without removing current queue truth.

  • T037 Integrate the derived guidance into apps/platform/app/Filament/Pages/Monitoring/FindingExceptionsQueue.php while preserving explicit inspect/open behavior and current selected-record state.
  • T038 Update apps/platform/resources/views/filament/pages/monitoring/finding-exceptions-queue.blade.php and the focused-review partial so the dominant guidance case appears before secondary diagnostics and existing related context.
  • T039 Reuse existing repo-backed primary and secondary targets where appropriate: inspect accepted risk, approve/reject current request, open finding, and existing related context only.
  • T040 Preserve current destructive/high-impact actions exactly as confirmation-, authorization-, and audit-protected secondary actions.
  • T041 Do not let guidance visibility widen action authorization or scope.

Phase 5: Detail Integration

Purpose: Make ViewFindingException decision-first while keeping lifecycle ownership on the existing detail page.

  • T042 Integrate the derived guidance into apps/platform/app/Filament/Resources/FindingExceptionResource.php and apps/platform/app/Filament/Resources/FindingExceptionResource/Pages/ViewFindingException.php.
  • T043 Keep existing owner/rationale/expiry/review data visible before decision history or deep evidence.
  • T044 Reuse current repo-backed actions (renew_exception, revoke_exception) and keep them source-owned.
  • T045 Keep decision history, evidence references, and related context secondary.
  • T046 Preserve FindingExceptionResource global-search-disabled posture and current action-surface discipline.

Phase 6: Continuity And Conservative Wording

Purpose: Keep downstream accepted-risk continuity honest without turning other surfaces into second owner surfaces.

  • T047 Adjust apps/platform/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php only if accepted-risk label/target continuity is inconsistent after queue/detail guidance becomes decision-first.
  • T048 Reuse existing conservative accepted-risk wording as owner-surface reference only and do not mutate EnvironmentReviewComposer or current review-output consumers in this slice.
  • T049 Keep customer-safe wording reference conservative and avoid exposing raw internal rationale or low-level diagnostics as default-visible summary text.

Phase 7: Copy, Audit, And Artifacts

Purpose: Align user-facing wording and UI audit coverage with the new accepted-risk hierarchy.

  • T050 Update only the required copy in apps/platform/lang/en/localization.php.
  • T051 Update matching copy in apps/platform/lang/de/localization.php.
  • T052 Update docs/ui-ux-enterprise-audit/page-reports/ui-012-finding-exceptions-queue.md.
  • T053 Create or update docs/ui-ux-enterprise-audit/page-reports/ui-036-exception-detail.md.
  • T054 Update docs/ui-ux-enterprise-audit/route-inventory.md and docs/ui-ux-enterprise-audit/unresolved-pages.md for UI-036.
  • T055 Save queue and detail screenshots under specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/artifacts/screenshots/, or record the host-visible artifact blocker explicitly if copies cannot be persisted.

Phase 8: Validation

Purpose: Prove the guidance remains bounded, scope-safe, and render-local.

  • T056 Run cd apps/platform && ./vendor/bin/sail artisan test tests/Unit/ResolutionGuidance/Spec354AcceptedRiskResolutionAdapterTest.php --compact.
  • T057 Run cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Monitoring/Spec354FindingExceptionsQueueGuidanceTest.php --compact.
  • T058 Run cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Findings/Spec354FindingExceptionDetailGuidanceTest.php --compact.
  • T059 Run cd apps/platform && ./vendor/bin/sail php vendor/bin/pest tests/Browser/Spec354AcceptedRiskGuidanceSmokeTest.php --compact. Attempted twice; the Pest browser harness stalled without yielding output even after the auth/session fixes, so the browser acceptance path was re-verified in the integrated browser and artifact screenshots were saved manually.
  • T060 Re-run the narrowest current queue/detail guard and navigation tests that protect scope, state, action-surface discipline, and current fresh-decision signaling.
  • T061 Confirm final render paths remain DB-local and do not call GraphClientInterface or provider HTTP during page render.
  • T062 Run cd apps/platform && ./vendor/bin/sail pint --dirty.
  • T063 Run git diff --check.
  • T064 Report unrelated broader-suite or browser-harness issues honestly if they remain outside this slice.

Non-Goals Checklist

  • NT001 Do not add a new accepted-risk table, review-impact projection, or workflow engine.
  • NT002 Do not rebuild Governance Inbox, Customer Review Workspace, Environment Dashboard, or review-output architecture.
  • NT003 Do not add fake remediation or unsupported auto-fix actions.
  • NT004 Do not widen FindingExceptionResource global search, panel setup, or routing architecture.
  • NT005 Do not introduce live provider calls during render.
  • NT006 Do not mutate downstream review-output artifacts (EnvironmentReviewComposer, review-pack summaries, customer-review runtime) in this slice.

Required Final Report Content

When implementation later completes, report:

  • changed accepted-risk guidance behavior on queue and detail
  • dominant-case selection model
  • continuity behavior for Governance Inbox or review-output wording if changed
  • safe action set and any disabled or fallback cases
  • render-path result for no live provider calls
  • UI audit artifact updates and screenshot paths
  • files changed
  • tests run and results
  • explicit no migrations/packages/env/queues/scheduler/storage/panel/global-search change statement
  • known gaps or deferred findings