TenantAtlas/specs/313-workspace-environment-context-browser-verification/tasks.md
ahmido 2f7a521d5f spec: add workspace environment context browser audit (#368)
## Summary
- add the full workspace/environment context browser verification audit for Spec 313
- include the surface matrix, query and clear-filter inventories, ownership map, and audit report
- attach browser evidence artifacts and screenshots for the current workspace/environment context contract

## Testing
- no automated tests run; this is an analysis-only spec and artifact package with no runtime changes

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #368
2026-05-16 08:51:19 +00:00


Tasks: Full Workspace / Environment Context Browser Verification Audit

Input: spec.md and plan.md in specs/313-workspace-environment-context-browser-verification/

Prerequisites: local admin app available through existing project conventions, browser tooling available, and an authorized workspace user.

Scope: analysis-only audit artifacts. No application implementation.

Test Governance Checklist

  • Lane assignment is named: browser audit + repo discovery.
  • No runtime tests are added or changed in Spec 313.
  • No shared helpers, factories, seeds, fixtures, providers, session defaults, or browser defaults are widened.
  • Planned validation commands cover audit artifacts and no-runtime-change guardrails.
  • Browser evidence is explicit and not hidden inside fast feedback lanes.
  • Missing data/tooling is recorded as blocker instead of fixed by changing seeders or runtime code.

Phase 1: Setup and Safety

  • T001 Confirm current branch is 313-workspace-environment-context-browser-verification with git status --short --branch.
  • T002 Confirm the working tree contains only expected Spec 313 preparation/audit files before starting browser audit.
  • T003 Read specs/313-workspace-environment-context-browser-verification/spec.md.
  • T004 Read specs/313-workspace-environment-context-browser-verification/plan.md.
  • T005 Read .specify/memory/constitution.md and keep the audit analysis-only.
  • T006 Create specs/313-workspace-environment-context-browser-verification/artifacts/screenshots/.
  • T007 Create or initialize empty audit files: audit-report.md, surface-inventory.md, page-matrix.md, query-param-inventory.md, clear-filter-inventory.md, and code-ownership-map.md.
  • T008 Record initial command log and no-runtime-change posture in audit-report.md.

Phase 2: Repo Discovery

  • T009 Run find apps/platform/app/Filament -type f | sort and save the output to artifacts/filament-files.txt.
  • T010 Run the required context/state rg search from plan.md against apps/platform/app, apps/platform/resources, apps/platform/routes, and apps/platform/tests, saving output to artifacts/context-search.txt.
  • T011 List admin routes with Sail route list, Laravel Boost route list, or a documented read-only fallback, saving output to artifacts/routes-admin.txt.
  • T012 Inspect apps/platform/app/Providers/Filament/AdminPanelProvider.php and list every navigation item, registered page, registered resource, discovered resource/cluster path, render hook, and middleware relevant to context.
  • T013 Inspect apps/platform/app/Support/Navigation/WorkspaceSidebarNavigation.php and list every sidebar item, child item, URL builder, visibility gate, and navigation group.
  • T014 Inspect apps/platform/routes/web.php and record admin workspace routes, environment routes, smoke-login routes, context selection/clear routes, review pack download routes, and queue open routes.
  • T015 Inspect all files under apps/platform/app/Filament/Pages, apps/platform/app/Filament/Resources, and apps/platform/app/Filament/Clusters for route slugs, getUrl() overrides, query params, table filters, clear-filter actions, persisted table state, and page state contracts.
  • T016 Inspect apps/platform/resources/views for context bar links, clear environment forms, dashboard/action links, visible chips, breadcrumbs, and page-specific filter/CTA rendering.
  • T017 Inspect workspace overview sources, including apps/platform/app/Support/Workspaces/WorkspaceOverviewBuilder.php, for cards/actions and URL targets.
  • T018 Inspect environment dashboard sources, including apps/platform/app/Filament/Pages/EnvironmentDashboard.php and apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php, for cards/actions and URL targets.
  • T019 Inspect link helpers and context seams: ManagedEnvironmentLinks, OperationRunLinks, WorkspaceContext, OperateHubShell, ResolvedShellContext, CanonicalAdminTenantFilterState, WorkspaceRedirectResolver, WorkspaceIntendedUrl, and relevant support/report/evidence/review/support helpers.
  • T020 Populate the first pass of surface-inventory.md from repo discovery before browser verification.
  • T021 Populate the first pass of query-param-inventory.md with tenant, tenant_id, managed_environment_id, environment_id, tenant_scope, and tableFilters.
  • T022 Populate the first pass of clear-filter-inventory.md from code-discovered clear actions.
  • T023 Populate the first pass of code-ownership-map.md with all required seams from plan.md.

Phase 3: Browser Data Readiness

  • T024 Start the local app using existing project conventions if needed, preferring Sail: cd apps/platform && ./vendor/bin/sail up -d.
  • T025 Resolve the absolute app URL using Laravel Boost get_absolute_url or document the local URL source.
  • T026 Identify the local smoke-login path and actor from existing local config or seeded data. Do not modify seeders.
  • T027 Verify at least one Workspace is selectable in the browser.
  • T028 Verify whether at least two Managed Environments exist in that Workspace.
  • T029 Record available row coverage for Operations, Alerts, Audit Log, Findings, Finding Exceptions, Governance Inbox, Decision Register, Reviews, Customer Reviews, Evidence, Provider Connections, Reports / Stored Reports, and Support Requests.
  • T030 In audit-report.md, record missing seed data as a blocker wherever data scope cannot be proven.

Phase 4: Workspace-Origin Browser Verification

  • T031 From Workspace origin with no active Environment, open Workspace Overview and capture workspace-origin--workspace-overview.png.
  • T032 Open Operations from sidebar/global navigation and capture workspace-origin--operations.png.
  • T033 Open Provider Connections / Integrations from sidebar/global navigation and capture workspace-origin--provider-connections.png.
  • T034 Open Finding Exceptions Queue from sidebar/global navigation and capture workspace-origin--finding-exceptions-queue.png.
  • T035 Open Evidence Overview from sidebar/global navigation or direct route and capture workspace-origin--evidence.png.
  • T036 Open Reviews / Review Register and capture workspace-origin--reviews.png.
  • T037 Open Customer Reviews / Customer Review Workspace and capture workspace-origin--customer-reviews.png.
  • T038 Open Governance Inbox and capture workspace-origin--governance-inbox.png.
  • T039 Open Decision Register and capture workspace-origin--decision-register.png.
  • T040 Open Audit Log and capture workspace-origin--audit-log.png.
  • T041 Open Alerts and capture workspace-origin--alerts.png.
  • T042 Open Workspace Settings and capture workspace-origin--workspace-settings.png.
  • T043 Open Manage Workspaces and capture workspace-origin--manage-workspaces.png or classify as system/workspace settings if access is blocked.
  • T044 Open Reports / Stored Reports through every discovered route/link and capture workspace-origin--reports.png or document unreachable/blocker.
  • T045 Open Support Requests through every discovered route/link and capture workspace-origin--support-requests.png or document unreachable/blocker.
  • T046 For each page in T031-T045, record URL, query params, shell, breadcrumbs, title, visible chips, table filters, data-scope proof, screenshot, status, risk, and notes in page-matrix.md.

Phase 5: Environment-Sidebar Browser Verification

  • T047 Open Environment Dashboard for Environment A and capture environment-origin--dashboard-a.png.
  • T048 Confirm shell shows Workspace + Environment A and record route/query state.
  • T049 From that state, click sidebar/global Operations and capture environment-sidebar--operations.png.
  • T050 Click sidebar/global Provider Connections and capture environment-sidebar--provider-connections.png.
  • T051 Click sidebar/global Finding Exceptions Queue and capture environment-sidebar--finding-exceptions-queue.png.
  • T052 Click sidebar/global Evidence Overview and capture environment-sidebar--evidence.png.
  • T053 Click sidebar/global Reviews and capture environment-sidebar--reviews.png.
  • T054 Click sidebar/global Customer Reviews and capture environment-sidebar--customer-reviews.png.
  • T055 Click sidebar/global Governance Inbox and capture environment-sidebar--governance-inbox.png.
  • T056 Click sidebar/global Decision Register and capture environment-sidebar--decision-register.png.
  • T057 Click sidebar/global Audit Log and capture environment-sidebar--audit-log.png.
  • T058 Click sidebar/global Alerts and capture environment-sidebar--alerts.png.
  • T059 Repeat high-risk sidebar checks from Environment B where seed data or visible environment labels make scope comparison useful.
  • T060 Record shell-clearing, URL params, visible filters, persisted filters, apparent data scope, reload result, screenshot, status, and risk in page-matrix.md.

Phase 6: Environment CTA/Card Browser Verification

  • T061 From Environment A Dashboard, click the Operations CTA/card/action if present and capture environment-cta--operations.png.
  • T062 From Environment A Dashboard, click Provider Connections / Integrations CTA/card/action if present and capture environment-cta--provider-connections.png.
  • T063 From Environment A Dashboard, click Finding Exceptions / Risk Exceptions CTA/card/action if present and capture environment-cta--finding-exceptions-queue.png.
  • T064 From Environment A Dashboard, click Evidence CTA/card/action if present and capture environment-cta--evidence.png.
  • T065 From Environment A Dashboard, click Reviews CTA/card/action if present and capture environment-cta--reviews.png.
  • T066 From Environment A Dashboard, click Customer Reviews / Review Pack / Export Artifacts CTA/card/action if present and capture environment-cta--customer-reviews.png.
  • T067 From Environment A Dashboard, click Governance Inbox CTA/card/action if present and capture environment-cta--governance-inbox.png.
  • T068 From Environment A Dashboard, click Decision Register CTA/card/action if present and capture environment-cta--decision-register.png or document that no CTA exists.
  • T069 From Environment A Dashboard, click Required Permissions / Permission Posture and capture environment-cta--required-permissions.png.
  • T070 From Environment A Dashboard, click Provider Readiness / Diagnostics and capture environment-cta--provider-readiness-or-diagnostics.png.
  • T071 From Environment A Dashboard, click Reports / Stored Reports, Support Requests, Audit, or Alerts CTAs if present and capture stable screenshots.
  • T072 For each CTA, record target page, URL, query params, shell context, visible environment filter, table filter state, data-scope proof, clear-filter existence, and status in page-matrix.md.

Phase 7: Environment-Owned Page Verification

  • T073 Verify Environment Dashboard shell/header/breadcrumb and final status.
  • T074 Verify Environment Onboarding / Managed Environment onboarding routes if reachable.
  • T075 Verify Required Permissions page.
  • T076 Verify Environment Diagnostics page.
  • T077 Verify Inventory cluster/list and Inventory Coverage.
  • T078 Verify Directory / Groups if reachable.
  • T079 Verify Policies / Configurations if reachable.
  • T080 Verify Backup Schedules and Backup Sets if reachable.
  • T081 Verify Restore Runs / Restore Points if reachable.
  • T082 Verify Baseline Profiles / Baseline Snapshots / Baseline Compare if reachable.
  • T083 Verify Findings and Finding Exceptions environment resources if reachable.
  • T084 Verify Evidence environment resource if reachable.
  • T085 Verify Environment Reviews and Review Packs environment resources if reachable.
  • T086 Verify Stored Reports environment resource if reachable.
  • T087 For each environment page, record final status, shell/header/breadcrumb correctness, data-scope proof status, screenshot, and blocker notes.

Phase 8: Manual Filter, Clear-Filter, Reload, and Back/Forward

  • T088 On Operations, manually apply an Environment filter if possible, navigate away, revisit from sidebar, clear if possible, reload, and capture before/after/reload screenshots.
  • T089 Repeat T088 for Provider Connections.
  • T090 Repeat T088 for Finding Exceptions Queue.
  • T091 Repeat T088 for Evidence Overview.
  • T092 Repeat T088 for Reviews.
  • T093 Repeat T088 for Customer Reviews.
  • T094 Repeat T088 for Governance Inbox.
  • T095 Repeat T088 for Decision Register.
  • T096 Repeat T088 for Audit Log and Alerts if environment-like filters exist.
  • T097 For each clear-filter action, update clear-filter-inventory.md with every required state carrier.
  • T098 For high-risk pages, use browser back/forward after workspace-origin and environment-origin transitions and record whether stale environment filters or mismatched shell state return.

Phase 9: Matrix Reconciliation and Final Status Assignment

  • T099 Reconcile browser pages against surface-inventory.md and add any missing surface discovered during browsing.
  • T100 Reconcile page-matrix.md against surface-inventory.md so every in-scope browser-verified page has row/origin coverage.
  • T101 Reconcile query params observed in browser against query-param-inventory.md.
  • T102 Reconcile clear-filter browser behavior against clear-filter-inventory.md.
  • T103 Reconcile observed behavior to likely repo owners in code-ownership-map.md.
  • T104 Assign one allowed final status to every discovered surface.
  • T105 Confirm no final status says "likely OK".
  • T106 Confirm Reports / Stored Reports are classified.
  • T107 Confirm Support Requests are classified.
  • T108 Confirm Workspace Settings, Alerts, Provider Connections, Finding Exceptions Queue, Evidence, Reviews, Customer Reviews, Operations, Governance Inbox, and Decision Register are all classified.

Phase 10: Audit Report

  • T109 Write audit-report.md Executive Summary and classify the issue as isolated, page-specific drift, or systemic context contract drift.
  • T110 Add verified surface counts: workspace hubs, environment pages, system/platform pages, ambiguous/mixed, unreachable/dead candidates, blocked, and unresolved/ambiguous mapped to allowed statuses.
  • T111 Summarize workspace hub behavior matrix.
  • T112 Summarize environment page behavior matrix.
  • T113 List mismatched scope findings.
  • T114 Summarize clear-filter findings.
  • T115 Summarize query parameter findings.
  • T116 Summarize persisted filter findings.
  • T117 Summarize code ownership map.
  • T118 Rank risks as critical, high, medium, or low using the risk guidance from spec.md.
  • T119 Recommend follow-up specs and exact order, starting from 314 unless evidence proves another order.
  • T120 List open questions and blockers.
  • T121 Record exact commands run, browser tooling used, screenshots generated, tests run or not run, failures, and no-runtime-change statement.

Phase 11: Validation and Close-Out

  • T122 Run git diff --name-only from repo root and confirm only files under specs/313-workspace-environment-context-browser-verification/ changed.
  • T123 Run git diff --check from repo root.
  • T124 Confirm no files under apps/platform/app, apps/platform/config, apps/platform/database, apps/platform/resources, apps/platform/routes, apps/platform/tests, or apps/platform/lang changed.
  • T125 Confirm no commits were created unless explicitly requested.
  • T126 Confirm screenshots referenced in page-matrix.md exist on disk.
  • T127 Confirm every screenshot filename is stable and under artifacts/screenshots/.
  • T128 Confirm all required output files exist and are non-empty.
  • T129 Confirm every discovered surface has one allowed final status.
  • T130 Confirm final response includes summary, counts, highest-risk findings, generated file paths, screenshot path, recommended next spec, exact commands/results, and clear statement that no runtime fixes were made.
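
The close-out checks T122-T124 and T126-T128 can be scripted so the no-runtime-change guardrail does not rely on reading diff output by eye. This is an added example, not part of the spec or the project's tooling; the function names are hypothetical, and it assumes page-matrix.md cites screenshots by filename and that a "stable" filename follows the lowercase origin--page.png pattern used in the tasks above.

```bash
# Added example (not project code): Phase 11 close-out checks as functions.
export LC_ALL=C
SPEC_DIR="specs/313-workspace-environment-context-browser-verification"
REQUIRED="audit-report.md surface-inventory.md page-matrix.md
query-param-inventory.md clear-filter-inventory.md code-ownership-map.md"

# T122/T124: read changed paths on stdin; print any outside SPEC_DIR, return 1.
out_of_scope_paths() {
  local path rc=0
  while IFS= read -r path; do
    case "$path" in
      ""|"$SPEC_DIR"/*) ;;
      *) printf '%s\n' "$path"; rc=1 ;;
    esac
  done
  return "$rc"
}

# T128: print required audit files that are missing or empty under $1.
missing_outputs() {
  local dir="$1" f rc=0
  for f in $REQUIRED; do
    [ -s "$dir/$f" ] || { printf '%s\n' "$f"; rc=1; }
  done
  return "$rc"
}

# T126/T127: each *.png named in page-matrix.md must exist under
# artifacts/screenshots/ and match the assumed <origin>--<page>.png pattern.
bad_screenshots() {
  local dir="$1" ref name rc=0
  for ref in $(grep -oE '[A-Za-z0-9_./-]+\.png' "$dir/page-matrix.md" | sort -u); do
    name="${ref##*/}"
    case "$name" in
      *[!a-z0-9.-]*) printf 'unstable: %s\n' "$name"; rc=1 ;;
      ?*--?*.png) [ -s "$dir/artifacts/screenshots/$name" ] ||
                    { printf 'missing: %s\n' "$name"; rc=1; } ;;
      *) printf 'unstable: %s\n' "$name"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Run from the repo root (T122-T123, T126-T128); the first failure stops it.
closeout() {
  git diff --name-only | out_of_scope_paths || return 1
  git diff --check || return 1
  missing_outputs "$SPEC_DIR" || return 1
  bad_screenshots "$SPEC_DIR"
}
if [ "${1:-}" = "--run" ]; then closeout; fi
```

git diff --name-only lists only tracked changes, so the git status --short --branch check from T001 is still what surfaces untracked files outside the spec directory.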

Explicit Non-Goals Checklist

  • No runtime files changed.
  • No tests changed.
  • No migrations changed.
  • No seeders changed.
  • No route files changed.
  • No Filament pages/resources/components changed.
  • No config files changed.
  • No application behavior changed.
  • No follow-up spec 314+ implementation started.