## Summary

- add Spec 288 no-legacy route/helper and provider-core/role-authority guard coverage
- extend the pinned Spec 281 and Spec 285 browser smokes plus lane/report classification wording for classification-only fallout handling
- add the Spec 288 artifact package and contributor-facing quality-gate guidance while keeping Package Execution deferred to Spec 289

## Validation

- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php)`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php)`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent)`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>

Reviewed-on: #347
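# Document header of the Spec 288 logical contract. The listing arrived flattened and
# interleaved with table-gutter residue; nesting is restored here per the OpenAPI 3.1 layout.
openapi: 3.1.0
info:
  title: Quality Gates / No-Legacy Enforcement Logical Contract
  version: 0.1.0
  summary: Logical enforcement contract for the cutover guardrails that follow Spec 287.
# Spec documents named as the authority for the validation commands.
# NOTE(review): whether this extension key sits at the document root or under `info`
# is not recoverable from the flattened listing — confirm against the repository file.
x-canonical-command-authority:
  - specs/288-quality-gates-no-legacy-enforcement/spec.md
  - specs/288-quality-gates-no-legacy-enforcement/plan.md
  - specs/288-quality-gates-no-legacy-enforcement/tasks.md
  - specs/288-quality-gates-no-legacy-enforcement/quickstart.md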
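# Eight logical guardrail contracts. Each path exposes a single GET whose 200 response
# references one schema under #/components/schemas.
# NOTE(review): the /__logical/ prefix and the document title suggest these describe
# enforcement rules rather than served endpoints — confirm that no runtime route is
# registered under this prefix, since the contracts enumerate internal file paths.
paths:
  /__logical/guardrails/legacy-route-paths:
    get:
      summary: Retired route/path enforcement contract
      operationId: getLegacyRoutePathGuardContract
      responses:
        '200':
          description: Exact retired route/path families and scan exclusions for cutover enforcement
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LegacyRoutePathGuardContract'
  /__logical/guardrails/route-emission:
    get:
      summary: Canonical emitted URL enforcement contract
      operationId: getRouteEmissionGuardContract
      responses:
        '200':
          description: Canonical launch-point URL rules for cutover-owned seams
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RouteEmissionGuardContract'
  /__logical/guardrails/tenant-panel-helper:
    get:
      summary: Retired tenant-panel helper enforcement contract
      operationId: getTenantPanelHelperGuardContract
      responses:
        '200':
          description: Forbidden bootstrapping helpers and panel-selection patterns on owned seams
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TenantPanelHelperGuardContract'
  /__logical/guardrails/provider-core-boundary:
    get:
      summary: Provider-core boundary enforcement contract
      operationId: getProviderCoreBoundaryGuardContract
      responses:
        '200':
          description: Shared provider-boundary seams and forbidden platform-core regressions
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProviderCoreBoundaryGuardContract'
  /__logical/guardrails/environment-scope-role-authority:
    get:
      summary: Workspace-role and environment-scope authority enforcement contract
      operationId: getEnvironmentScopeRoleAuthorityGuardContract
      responses:
        '200':
          description: Current authority invariants that must remain true
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EnvironmentScopeRoleAuthorityGuardContract'
  /__logical/guardrails/browser-smoke-gates:
    get:
      summary: Targeted browser smoke contract
      operationId: getBrowserSmokeGateContract
      responses:
        '200':
          description: Named browser smoke anchors and their visible continuity obligations
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BrowserSmokeGateContract'
  /__logical/guardrails/baseline-classification:
    get:
      summary: Classification-only broader baseline handling contract
      operationId: getBaselineClassificationContract
      responses:
        '200':
          description: Current lane/report seams used to classify broader baseline fallout without owning repair
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BaselineClassificationContract'
  /__logical/guardrails/targeted-validation:
    get:
      summary: Targeted validation contract
      operationId: getTargetedValidationContract
      responses:
        '200':
          description: Exact minimal proof commands and the out-of-scope repair boundary
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TargetedValidationContract'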
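# Schemas for the eight guardrail contracts. Every schema is an object with three
# required properties.
# NOTE(review): string properties are pinned with `const`, but the array properties
# carry their values in `default`, which JSON Schema treats as an annotation only.
# A validator accepts any array of strings for them, so the lists below document the
# rule without enforcing it; `const` or `enum` would be needed for schema-level
# enforcement. The guard tests, not this file, appear to be the enforcing layer.
components:
  schemas:
    LegacyRoutePathGuardContract:
      type: object
      required:
        - retiredPathFamilies
        - scanExclusions
        - enforcementBehavior
      properties:
        # Route families that must no longer appear; a trailing `...` marks a prefix family.
        retiredPathFamilies:
          type: array
          items:
            type: string
          default:
            - /admin/tenants/{tenant:slug}/provider-connections...
            - /admin/t/{tenant}/provider-connections
            - /admin/t/{tenant}/required-permissions
            - /admin/t/{tenant}/memberships
            # NOTE(review): doubled `/t/t/` segment — confirm it is an intentional guard
            # against a duplicated prefix and not a typo for `/admin/t/{tenant}/...`.
            - /admin/t/t/{tenant}/...
        # Trees the retired-path scan skips. A retired URL inside any of these will not
        # fail the guard, so each entry is a blind spot.
        # NOTE(review): keep the list minimal and confirm none of these trees holds code
        # that emits or handles routes at runtime.
        scanExclusions:
          type: array
          items:
            type: string
          default:
            - database/migrations/**
            - references/**
            - docs/**
            - specs/**
            - spechistory/**
            - vendor/**
            - storage/**
            - public/build/**
            - bootstrap/cache/**
        enforcementBehavior:
          type: string
          const: Exact retired route/path families fail targeted guards with path-specific messages.
    RouteEmissionGuardContract:
      type: object
      required:
        - canonicalFamilies
        - ownedLaunchPointSeams
        - forbiddenEmissions
      properties:
        # URL families that launch points are expected to emit.
        canonicalFamilies:
          type: array
          items:
            type: string
          default:
            - /admin/provider-connections...
            - /admin/workspaces/{workspace}/environments/{managed_environment}/...
        # Source files whose emitted URLs this contract covers.
        ownedLaunchPointSeams:
          type: array
          items:
            type: string
          default:
            - apps/platform/app/Providers/Filament/AdminPanelProvider.php
            - apps/platform/app/Filament/Resources/TenantResource.php
            - apps/platform/app/Support/OperationRunLinks.php
            - apps/platform/app/Support/Verification/VerificationLinkBehavior.php
        # Same five entries as retiredPathFamilies in LegacyRoutePathGuardContract; the
        # two lists are maintained by hand and can drift apart.
        forbiddenEmissions:
          type: array
          items:
            type: string
          default:
            - /admin/tenants/{tenant:slug}/provider-connections...
            - /admin/t/{tenant}/provider-connections
            - /admin/t/{tenant}/required-permissions
            - /admin/t/{tenant}/memberships
            - /admin/t/t/{tenant}/...
    TenantPanelHelperGuardContract:
      type: object
      required:
        - forbiddenPatterns
        - ownedSeams
        - exceptionRule
      properties:
        # Source fragments that must not appear on the owned seams. The first entry is
        # an open call prefix; the other two are complete calls with a single-quoted argument.
        # NOTE(review): if the guard matches these as literal strings, an equivalent call
        # written with double quotes or extra whitespace would not match — confirm how the
        # guard test compares them.
        forbiddenPatterns:
          type: array
          items:
            type: string
          default:
            - setTenantPanelContext(
            - getPanel('tenant')
            - setCurrentPanel('tenant')
        # Only test-side paths are listed here.
        ownedSeams:
          type: array
          items:
            type: string
          default:
            - apps/platform/tests/Pest.php
            - apps/platform/tests/Feature/Guards/**
            - apps/platform/tests/Browser/**
        exceptionRule:
          type: string
          const: Exceptions beyond pinned historical directories must be file-scoped and justified.
    ProviderCoreBoundaryGuardContract:
      type: object
      required:
        - seamInputs
        - forbiddenPlatformCoreSignals
        - allowedProviderOwnedDetail
      properties:
        # Files inspected for the provider/platform-core boundary.
        seamInputs:
          type: array
          items:
            type: string
          default:
            - apps/platform/app/Support/Providers/Boundary/ProviderBoundaryCatalog.php
            - apps/platform/app/Services/Providers/ProviderIdentityResolution.php
            - apps/platform/app/Services/Providers/ProviderOperationRegistry.php
        # The first two entries are identifiers; the third is a prose description and
        # cannot be checked by a token scan.
        forbiddenPlatformCoreSignals:
          type: array
          items:
            type: string
          default:
            - graphOptions
            - client_request_id
            - provider binding truth in operation definitions
        allowedProviderOwnedDetail:
          type: array
          items:
            type: string
          default:
            - provider-specific identifiers nested under provider-owned detail
            - provider-specific consent links nested under provider-owned detail
            - provider-specific diagnostics nested under provider-owned detail
    EnvironmentScopeRoleAuthorityGuardContract:
      type: object
      required:
        - authoritySource
        - invariants
        - forbiddenBehaviors
      properties:
        # Single source of role authority; pinned with `const`, so it is schema-enforced.
        authoritySource:
          type: string
          const: workspace_memberships
        # Status-code split between "not in your scope" (404) and "in scope but not
        # permitted" (403). Presumably the 404 keeps an out-of-scope caller from confirming
        # that a resource exists; a regression from 404 to 403 would disclose existence.
        invariants:
          type: array
          items:
            type: string
          default:
            - wrong-scope denials stay 404
            - in-scope capability denials stay 403
            - direct role edits on managed-environment scope remain rejected
        # Both entries describe a second, environment-level source of role truth, which
        # would compete with authoritySource above.
        forbiddenBehaviors:
          type: array
          items:
            type: string
          default:
            - managed-environment scope acting as a second role matrix
            - mirrored workspace role values becoming environment role truth
    BrowserSmokeGateContract:
      type: object
      required:
        - smokeAnchors
        - requiredAssertions
        - laneOwnership
      properties:
        # The two browser smoke tests this contract pins.
        smokeAnchors:
          type: array
          items:
            type: string
          default:
            - apps/platform/tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php
            - apps/platform/tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php
        requiredAssertions:
          type: array
          items:
            type: string
          default:
            - canonical route continuity
            - no JavaScript errors
            - no console errors
        laneOwnership:
          type: string
          const: browser
    BaselineClassificationContract:
      type: object
      required:
        - classificationSeams
        - reviewRule
        - forbiddenOwnershipClaim
      properties:
        # Files used to classify broader baseline failures.
        classificationSeams:
          type: array
          items:
            type: string
          default:
            - apps/platform/tests/Support/TestLaneManifest.php
            - apps/platform/tests/Support/TestLaneReport.php
            - apps/platform/tests/Feature/Guards/BrowserLaneIsolationTest.php
            - apps/platform/tests/Feature/Guards/CiLaneFailureClassificationContractTest.php
            - apps/platform/tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php
            - README.md
            - scripts/platform-test-report
        # Classification only: a failure labelled as baseline fallout is recorded, not
        # fixed, under this spec.
        # NOTE(review): confirm a failing authorization or guard test cannot be
        # reclassified as baseline fallout and left unrepaired.
        reviewRule:
          type: string
          const: Broader baseline fallout is classified only under Spec 288.
        forbiddenOwnershipClaim:
          type: string
          const: Spec 288 does not own unrelated full-suite repair.
    TargetedValidationContract:
      type: object
      required:
        - commandAuthorities
        - commandIds
        - outOfScopeProof
      properties:
        # Spec documents that define the validation commands.
        commandAuthorities:
          type: array
          items:
            type: string
          default:
            - specs/288-quality-gates-no-legacy-enforcement/spec.md
            - specs/288-quality-gates-no-legacy-enforcement/plan.md
            - specs/288-quality-gates-no-legacy-enforcement/tasks.md
            - specs/288-quality-gates-no-legacy-enforcement/quickstart.md
        # Identifiers only; the command lines themselves are not part of this schema.
        commandIds:
          type: array
          items:
            type: string
          default:
            - guard-proof-command
            - browser-proof-command
            - formatting-command
        # Work explicitly excluded from this spec.
        outOfScopeProof:
          type: array
          items:
            type: string
          default:
            - no runtime cutover repair
            - no provider-core rewrite
            - no RBAC rewrite
            - no Package Execution Contract work
            - no Guided Operations work
            - no full-suite repair program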