TenantAtlas/specs/379-management-report-pdf-runtime/artifacts/runtime-validation.md
ahmido dbff2a0a90 feat(report): implement management report pdf runtime (#450)
Added jobs, controllers, and PDF generation logic for management report runtime as defined in Spec 379. Includes artifact migrations, payload builders, and testing coverage.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #450
2026-06-15 11:36:29 +00:00


# Spec 379 Runtime Validation Evidence
Date: 2026-06-14
## Baseline
- Branch: `379-management-report-pdf-runtime`
- Starting HEAD: `d43ebcb4 feat(report): implement management report pdf v1 (#449)`
- Initial dirty state: only `specs/379-management-report-pdf-runtime/` was untracked.
- Spec 378 files verified:
  - `docker-compose.yml`
  - `apps/platform/config/tenantpilot.php`
  - `apps/platform/app/Services/Pdf/PdfRenderingGateway.php`
  - `apps/platform/tests/Unit/Pdf/Spec378PdfRenderingGatewayTest.php`
## Local Runtime Controls
- Gotenberg image remains pinned to `gotenberg/gotenberg:8.34.0-chromium`.
- No public Gotenberg port is exposed by the `gotenberg` service.
- Runtime safeguards remain configured:
  - `API_DISABLE_DOWNLOAD_FROM=true`
  - `WEBHOOK_DISABLE=true`
  - `CHROMIUM_ALLOW_FILE_ACCESS_FROM_FILES=true`
  - `CHROMIUM_ALLOW_LIST=^file:///tmp/.*$`
  - `CHROMIUM_DENY_PRIVATE_IPS=true`
  - `CHROMIUM_DENY_PUBLIC_IPS=true`
  - timeout, body-limit, queue, and concurrency env controls remain present.
- `docs/deployment-checklist.md` documents the pinned image, internal service URL, and renderer hardening controls.
- Local validation on 2026-06-15 confirmed that `CHROMIUM_ALLOW_LIST=^$` makes `/forms/chromium/convert/html` return `403 Forbidden` because Chromium must navigate to Gotenberg's temporary `file:///tmp/.../index.html`. The allow-list remains restricted to that internal file path and external fetches remain disabled.
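
The controls listed above can be checked mechanically before a deployment. The following is an added example, not code from the TenantAtlas repository: it audits one service's environment mapping against the values in this section and tests the allow-list regex against constructed URLs. The function names, the sample URLs, and the use of Python's `re` as a stand-in for Gotenberg's own regex matching are assumptions.

```python
import re

# Expected renderer controls, copied from the "Runtime safeguards" list on this page.
EXPECTED = {
    "API_DISABLE_DOWNLOAD_FROM": "true",
    "WEBHOOK_DISABLE": "true",
    "CHROMIUM_ALLOW_FILE_ACCESS_FROM_FILES": "true",
    "CHROMIUM_ALLOW_LIST": r"^file:///tmp/.*$",
    "CHROMIUM_DENY_PRIVATE_IPS": "true",
    "CHROMIUM_DENY_PUBLIC_IPS": "true",
}

# Constructed sample URLs; the temporary directory name is hypothetical.
TEMP_INDEX = "file:///tmp/example-request-dir/index.html"
MUST_BLOCK = [
    "https://example.com/tracker.png",
    "http://169.254.169.254/latest/meta-data/",
    "file:///etc/passwd",
]


def check_allow_list(pattern):
    """Test the allow-list regex against URLs the renderer must and must not load."""
    rx = re.compile(pattern)  # assumption: Python `re` approximates Gotenberg's matcher
    findings = []
    if not rx.search(TEMP_INDEX):
        # This is the `^$` case from the page: the convert route answers 403 Forbidden.
        findings.append("allow-list rejects the temporary index.html (403 on convert)")
    for url in MUST_BLOCK:
        if rx.search(url):
            findings.append(f"allow-list admits {url}")
    return findings


def audit_env(env):
    """Return findings for one service's environment mapping (empty list = compliant)."""
    findings = []
    for key, want in EXPECTED.items():
        got = env.get(key)
        if got is None:
            findings.append(f"{key} is missing")
        elif got != want:
            findings.append(f"{key}={got!r}, expected {want!r}")
    if env.get("CHROMIUM_ALLOW_LIST") is not None:
        findings += check_allow_list(env["CHROMIUM_ALLOW_LIST"])
    return findings
```

Pass `audit_env` the `environment` mapping of the `gotenberg` service after loading it from the compose file; an empty list means the service matches the documented controls.
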
## Staging/Dokploy Validation
Staging/Dokploy runtime validation was not executable from this local workspace. Generation therefore remains blocked by default through:
- `TENANTPILOT_PDF_RENDERER_RUNTIME_VALIDATED=false`
- `tenantpilot.pdf_renderer.runtime_validated`
- `ManagementReportPdfRuntimeGate`
To enable management PDF generation in Staging/Production, validate the deployed Gotenberg container/runtime path first, then set `TENANTPILOT_PDF_RENDERER_RUNTIME_VALIDATED=true` in the environment.
## Verification Commands
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec379`
  - Result: 7 passed, 81 assertions.
- `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest tests/Browser/Spec379ManagementReportPdfSmokeTest.php --compact`
  - Result: 1 passed, 12 assertions.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec378`
  - Result: 11 passed, 44 assertions.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec357`
  - Result: 13 passed, 108 assertions.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact --filter=Spec366`
  - Result: 9 passed, 181 assertions.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ReviewPack/ReviewPackDownloadTest.php tests/Feature/ReviewPack/ReviewPackResourceTest.php tests/Unit/Pdf/Spec378PdfRenderingGatewayTest.php`
  - Result: 49 passed, 268 assertions.
- `cd apps/platform && ./vendor/bin/sail pint ...`
  - Result: PASS on changed runtime/test files.
- `git diff --check`
  - Result: PASS.
## Guard Notes
The optional guard command below was run and produced two pre-existing failures unrelated to Spec 379:
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/OperationLifecycleOpsUxGuardTest.php tests/Feature/Guards/ActionSurfaceContractTest.php`
  - `ActionSurfaceContractTest`: operation registry URL assertion expects no navigation context, but current code returns an operations-index navigation context.
  - `ActionSurfaceContractTest`: required-permissions page assertion expects `Start verification`, which the current page no longer renders.
Both failures reproduce in isolation and no Spec379 code path is involved.