TenantAtlas/specs/288-quality-gates-no-legacy-enforcement/contracts/quality-gates-no-legacy-enforcement.logical.openapi.yaml
ahmido 0a1377c5f5 feat(spec-288): add no-legacy quality gates (#347)
## Summary
- add Spec 288 no-legacy route/helper and provider-core/role-authority guard coverage
- extend the pinned Spec 281 and Spec 285 browser smokes plus lane/report classification wording for classification-only fallout handling
- add the Spec 288 artifact package and contributor-facing quality-gate guidance while keeping Package Execution deferred to Spec 289

## Validation
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php)`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php)`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #347
2026-05-10 21:24:14 +00:00


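# Logical (descriptive) OpenAPI 3.1 contract for the Spec 288 no-legacy quality gates.
# NOTE(review): nesting below is reconstructed; the rendered page had lost all indentation.
openapi: 3.1.0
info:
  title: Quality Gates / No-Legacy Enforcement Logical Contract
  version: 0.1.0
  summary: Logical enforcement contract for the cutover guardrails that follow Spec 287.
# Files treated as the authority for the proof commands this contract refers to.
# NOTE(review): placed at the top level; the flattened page does not show whether this
# extension sits under `info` instead. Confirm against the repository copy.
x-canonical-command-authority:
  - specs/288-quality-gates-no-legacy-enforcement/spec.md
  - specs/288-quality-gates-no-legacy-enforcement/plan.md
  - specs/288-quality-gates-no-legacy-enforcement/tasks.md
  - specs/288-quality-gates-no-legacy-enforcement/quickstart.md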
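# One GET operation per guardrail family; each returns the schema that describes that guard.
# The `__logical` prefix and the document title mark these as contract descriptions.
# NOTE(review): confirm none of these paths is registered as a runtime route, so the contract
# cannot be mistaken for an exposed endpoint.
paths:
  # Retired URL families that must no longer appear in scanned code.
  /__logical/guardrails/legacy-route-paths:
    get:
      summary: Retired route/path enforcement contract
      operationId: getLegacyRoutePathGuardContract
      responses:
        '200':
          description: Exact retired route/path families and scan exclusions for cutover enforcement
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LegacyRoutePathGuardContract'
  # URL families that owned launch points are allowed to emit.
  /__logical/guardrails/route-emission:
    get:
      summary: Canonical emitted URL enforcement contract
      operationId: getRouteEmissionGuardContract
      responses:
        '200':
          description: Canonical launch-point URL rules for cutover-owned seams
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RouteEmissionGuardContract'
  # Retired tenant-panel bootstrapping helpers.
  /__logical/guardrails/tenant-panel-helper:
    get:
      summary: Retired tenant-panel helper enforcement contract
      operationId: getTenantPanelHelperGuardContract
      responses:
        '200':
          description: Forbidden bootstrapping helpers and panel-selection patterns on owned seams
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TenantPanelHelperGuardContract'
  # Separation between provider-owned detail and platform core.
  /__logical/guardrails/provider-core-boundary:
    get:
      summary: Provider-core boundary enforcement contract
      operationId: getProviderCoreBoundaryGuardContract
      responses:
        '200':
          description: Shared provider-boundary seams and forbidden platform-core regressions
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProviderCoreBoundaryGuardContract'
  # Authorization invariants: where role authority lives and which denial code each case returns.
  /__logical/guardrails/environment-scope-role-authority:
    get:
      summary: Workspace-role and environment-scope authority enforcement contract
      operationId: getEnvironmentScopeRoleAuthorityGuardContract
      responses:
        '200':
          description: Current authority invariants that must remain true
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EnvironmentScopeRoleAuthorityGuardContract'
  # Browser smoke tests pinned as gates.
  /__logical/guardrails/browser-smoke-gates:
    get:
      summary: Targeted browser smoke contract
      operationId: getBrowserSmokeGateContract
      responses:
        '200':
          description: Named browser smoke anchors and their visible continuity obligations
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BrowserSmokeGateContract'
  # Classification (not repair) of failures outside this spec's scope.
  /__logical/guardrails/baseline-classification:
    get:
      summary: Classification-only broader baseline handling contract
      operationId: getBaselineClassificationContract
      responses:
        '200':
          description: Current lane/report seams used to classify broader baseline fallout without owning repair
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BaselineClassificationContract'
  # Minimal proof commands and the explicit out-of-scope list.
  /__logical/guardrails/targeted-validation:
    get:
      summary: Targeted validation contract
      operationId: getTargetedValidationContract
      responses:
        '200':
          description: Exact minimal proof commands and the out-of-scope repair boundary
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TargetedValidationContract'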
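# Schemas for the eight guardrail contracts.
# NOTE(review): nesting below is reconstructed; the rendered page had lost all indentation.
# In JSON Schema, `default` is an annotation and does not constrain an instance. Schema validation
# therefore enforces only the `required` keys, the types and the `const` strings here. The
# listed paths, patterns and files are binding only as far as the guard tests assert them.
components:
  schemas:
    LegacyRoutePathGuardContract:
      type: object
      required:
        - retiredPathFamilies
        - scanExclusions
        - enforcementBehavior
      properties:
        # URL families that were retired by the cutover and must not reappear.
        retiredPathFamilies:
          type: array
          items:
            type: string
          default:
            - /admin/tenants/{tenant:slug}/provider-connections...
            - /admin/t/{tenant}/provider-connections
            - /admin/t/{tenant}/required-permissions
            - /admin/t/{tenant}/memberships
            - /admin/t/t/{tenant}/...
        # Globs the guard does not scan. Anything placed under them is invisible to the
        # retired-path check, so an addition to this list deserves the same review as a
        # guard waiver. Several entries (vendor, public/build, bootstrap/cache) hold code.
        scanExclusions:
          type: array
          items:
            type: string
          default:
            - database/migrations/**
            - references/**
            - docs/**
            - specs/**
            - spechistory/**
            - vendor/**
            - storage/**
            - public/build/**
            - bootstrap/cache/**
        enforcementBehavior:
          type: string
          const: Exact retired route/path families fail targeted guards with path-specific messages.
    RouteEmissionGuardContract:
      type: object
      required:
        - canonicalFamilies
        - ownedLaunchPointSeams
        - forbiddenEmissions
      properties:
        # URL families that launch points are expected to emit after the cutover.
        canonicalFamilies:
          type: array
          items:
            type: string
          default:
            - /admin/provider-connections...
            - /admin/workspaces/{workspace}/environments/{managed_environment}/...
        # Files whose emitted URLs this guard covers. Link-building code elsewhere is not
        # listed here; NOTE(review): confirm whether another guard covers it.
        ownedLaunchPointSeams:
          type: array
          items:
            type: string
          default:
            - apps/platform/app/Providers/Filament/AdminPanelProvider.php
            - apps/platform/app/Filament/Resources/TenantResource.php
            - apps/platform/app/Support/OperationRunLinks.php
            - apps/platform/app/Support/Verification/VerificationLinkBehavior.php
        # Same five entries as LegacyRoutePathGuardContract.retiredPathFamilies. The two lists
        # are kept separately, so a change to one has to be mirrored in the other.
        forbiddenEmissions:
          type: array
          items:
            type: string
          default:
            - /admin/tenants/{tenant:slug}/provider-connections...
            - /admin/t/{tenant}/provider-connections
            - /admin/t/{tenant}/required-permissions
            - /admin/t/{tenant}/memberships
            - /admin/t/t/{tenant}/...
    TenantPanelHelperGuardContract:
      type: object
      required:
        - forbiddenPatterns
        - ownedSeams
        - exceptionRule
      properties:
        # Presumably matched as literal text; a literal match would not catch a different
        # quoting or spacing of the same call. NOTE(review): confirm how the guard test matches.
        forbiddenPatterns:
          type: array
          items:
            type: string
          default:
            - setTenantPanelContext(
            - getPanel('tenant')
            - setCurrentPanel('tenant')
        # Only test code is listed as an owned seam for this guard.
        ownedSeams:
          type: array
          items:
            type: string
          default:
            - apps/platform/tests/Pest.php
            - apps/platform/tests/Feature/Guards/**
            - apps/platform/tests/Browser/**
        exceptionRule:
          type: string
          const: Exceptions beyond pinned historical directories must be file-scoped and justified.
    ProviderCoreBoundaryGuardContract:
      type: object
      required:
        - seamInputs
        - forbiddenPlatformCoreSignals
        - allowedProviderOwnedDetail
      properties:
        # Files the boundary guard reads as its inputs.
        seamInputs:
          type: array
          items:
            type: string
          default:
            - apps/platform/app/Support/Providers/Boundary/ProviderBoundaryCatalog.php
            - apps/platform/app/Services/Providers/ProviderIdentityResolution.php
            - apps/platform/app/Services/Providers/ProviderOperationRegistry.php
        # Signals that count as a regression when they show up in platform core.
        # The third entry is prose rather than a matchable token, so it depends on the
        # guard test's own interpretation.
        forbiddenPlatformCoreSignals:
          type: array
          items:
            type: string
          default:
            - graphOptions
            - client_request_id
            - provider binding truth in operation definitions
        # Provider-specific data stays permitted when nested under provider-owned detail.
        allowedProviderOwnedDetail:
          type: array
          items:
            type: string
          default:
            - provider-specific identifiers nested under provider-owned detail
            - provider-specific consent links nested under provider-owned detail
            - provider-specific diagnostics nested under provider-owned detail
    EnvironmentScopeRoleAuthorityGuardContract:
      type: object
      required:
        - authoritySource
        - invariants
        - forbiddenBehaviors
      properties:
        # Single source of role authority; enforced by schema validation because it is a const.
        authoritySource:
          type: string
          const: workspace_memberships
        # Denial codes are part of the contract. Presumably 404 for wrong scope keeps the
        # response from confirming that a resource exists outside the caller's scope, while
        # 403 is reserved for callers already in scope. NOTE(review): confirm intent with the spec.
        invariants:
          type: array
          items:
            type: string
          default:
            - wrong-scope denials stay 404
            - in-scope capability denials stay 403
            - direct role edits on managed-environment scope remain rejected
        # Both entries guard against a second, divergent place where roles are decided.
        forbiddenBehaviors:
          type: array
          items:
            type: string
          default:
            - managed-environment scope acting as a second role matrix
            - mirrored workspace role values becoming environment role truth
    BrowserSmokeGateContract:
      type: object
      required:
        - smokeAnchors
        - requiredAssertions
        - laneOwnership
      properties:
        # The two browser smoke tests pinned as gates.
        smokeAnchors:
          type: array
          items:
            type: string
          default:
            - apps/platform/tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php
            - apps/platform/tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php
        requiredAssertions:
          type: array
          items:
            type: string
          default:
            - canonical route continuity
            - no JavaScript errors
            - no console errors
        laneOwnership:
          type: string
          const: browser
    BaselineClassificationContract:
      type: object
      required:
        - classificationSeams
        - reviewRule
        - forbiddenOwnershipClaim
      properties:
        # Files used to classify failures that fall outside this spec's scope.
        classificationSeams:
          type: array
          items:
            type: string
          default:
            - apps/platform/tests/Support/TestLaneManifest.php
            - apps/platform/tests/Support/TestLaneReport.php
            - apps/platform/tests/Feature/Guards/BrowserLaneIsolationTest.php
            - apps/platform/tests/Feature/Guards/CiLaneFailureClassificationContractTest.php
            - apps/platform/tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php
            - README.md
            - scripts/platform-test-report
        reviewRule:
          type: string
          const: Broader baseline fallout is classified only under Spec 288.
        forbiddenOwnershipClaim:
          type: string
          const: Spec 288 does not own unrelated full-suite repair.
    TargetedValidationContract:
      type: object
      required:
        - commandAuthorities
        - commandIds
        - outOfScopeProof
      properties:
        # Same four files as the x-canonical-command-authority extension earlier in this document.
        commandAuthorities:
          type: array
          items:
            type: string
          default:
            - specs/288-quality-gates-no-legacy-enforcement/spec.md
            - specs/288-quality-gates-no-legacy-enforcement/plan.md
            - specs/288-quality-gates-no-legacy-enforcement/tasks.md
            - specs/288-quality-gates-no-legacy-enforcement/quickstart.md
        # Identifiers only; the command text itself is not part of this contract.
        commandIds:
          type: array
          items:
            type: string
          default:
            - guard-proof-command
            - browser-proof-command
            - formatting-command
        # Work that a passing run of these gates does not demonstrate.
        outOfScopeProof:
          type: array
          items:
            type: string
          default:
            - no runtime cutover repair
            - no provider-core rewrite
            - no RBAC rewrite
            - no Package Execution Contract work
            - no Guided Operations work
            - no full-suite repair program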