TenantAtlas/specs/261-provider-missing-policy-visibility/quickstart.md

Quickstart: Provider-Missing Policy Visibility & Restore Continuity v1

Preconditions

1. Start the platform runtime if it is not already running:

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH"
cd apps/platform && ./vendor/bin/sail up -d

2. Keep verification inside the existing policy, backup, and restore seams. No browser smoke or heavy-governance lane is required for this slice.

Scenario 1: Provider-missing is distinct from local ignore

1. Create or reuse a tenant policy fixture that sync normally into the local policies table.
2. Mark a second policy as locally ignored through the existing ignore flow.
3. Run sync with a provider payload that omits the first policy but still returns the second policy.
4. Verify:
   • the omitted policy receives missing_from_provider_at and remains visible as provider-missing
   • the locally ignored policy keeps ignored_at
   • sync does not clear ignored_at for the ignored policy

Scenario 2: Current backup/export blocks provider-missing policies

1. Reuse a policy marked provider-missing from Scenario 1 and apply the existing local ignore flow so the policy reaches the combined ignored-plus-missing state.
2. Attempt the current backup/export path from the existing policy or backup selection surface.
3. Verify:
   • the combined-state policy remains visible but blocked from fresh capture
   • the combined ignored-plus-missing policy is discoverable from both the ignored and provider_missing filter views
   • the primary blocked reason is provider-missing
   • local ignore remains visible only as secondary context, not the dominant blocker
   • no new backup/export run is created for a blocked policy

Scenario 3: Historical restore continuity remains available

1. Create or reuse a BackupItem for a policy that is now provider-missing.
2. Open the existing restore-run creation flow for the owning backup set.
3. Verify:
   • the historical item remains selectable when otherwise eligible
   • the selection UI shows a provider-missing continuity note rather than filtering the item out

Scenario 4: Reappearance clears only provider-missing state

1. Re-run sync with the previously missing policy present again.
2. Verify:
   • missing_from_provider_at clears
   • ignored_at remains unchanged if the policy is locally ignored
   • an audit event records the reappearance transition

Focused Validation Commands

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Jobs/PolicySyncProviderMissingSemanticsTest.php tests/Feature/Jobs/PolicySyncIgnoredRevivalTest.php tests/Feature/Jobs/AppProtectionPolicySyncFilteringTest.php tests/Feature/PolicySyncServiceTest.php tests/Feature/PolicySyncEnrollmentConfigurationTypeCollisionTest.php tests/Feature/PolicySyncStartSurfaceTest.php

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/PolicyProviderMissingUiTest.php tests/Feature/PolicyGeneralViewTest.php tests/Feature/BulkDeletePoliciesTest.php tests/Feature/BulkUnignorePoliciesTest.php tests/Unit/Badges/PolicyBadgesTest.php

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/BulkExportToBackupTest.php tests/Feature/Filament/BackupCreationTest.php tests/Feature/Filament/BackupSetPolicyPickerTableTest.php tests/Feature/Filament/RestoreItemSelectionTest.php tests/Feature/RestoreUnknownPolicyTypeSafetyTest.php

Finish

1. Run Pint on touched PHP files:

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent

2. Confirm there are no remaining sync-driven ignored_at writes in policy-sync code paths and that the slice did not introduce SoftDeletes, a purge path, or a new lifecycle framework before closing the feature.