TenantAtlas/specs/340-post-scope-contract-browser-verification-gate/tasks.md

Tasks: Spec 340 - Post-Scope Contract Browser Verification Gate

• Input: specs/340-post-scope-contract-browser-verification-gate/spec.md, specs/340-post-scope-contract-browser-verification-gate/plan.md
• Preparation status: implementation-ready.

Tests: Required during implementation. This spec is a browser/IA verification gate and may add a bounded Pest Browser smoke only when stable.

Test Governance Checklist

• Lane assignment is named and narrow: browser verification, optional fast-feedback Feature probes.
• Any new Browser test stays representative and avoids broad full-app route sweep cost.
• Existing browser helpers, factories, and smoke-login paths are reused before adding new fixture setup.
• Blocked browser checks are reported as blocked, not passed.
• Runtime fixes require an active artifact update or follow-up spec before code changes.

Phase 1: Preflight And Guardrails

Purpose: Confirm safe branch/repo state and prevent completed-spec rewrites.

• T001 Re-read specs/340-post-scope-contract-browser-verification-gate/spec.md, specs/340-post-scope-contract-browser-verification-gate/plan.md, and this tasks.md.
• T002 Confirm branch and working tree intent with git status --short --branch and record the baseline commit in specs/340-post-scope-contract-browser-verification-gate/audit-report.md.
• T003 Re-read .specify/memory/constitution.md, docs/ai-coding-rules.md, and relevant docs/*-guidelines.md; record no-runtime-change posture in specs/340-post-scope-contract-browser-verification-gate/audit-report.md.
• T004 Confirm related completed specs are context only and do not modify specs/313-workspace-environment-context-browser-verification/, specs/322-browser-no-drift-regression-guard/, specs/338-workspace-environment-resource-scope-contract/, or specs/339-provider-connection-scope-hardening/.
• T005 Create specs/340-post-scope-contract-browser-verification-gate/artifacts/screenshots/ if screenshot evidence will be captured.

Phase 2: Repo Discovery And Matrix Setup

Purpose: Build a repo-based checklist before opening the browser.

• T006 Create specs/340-post-scope-contract-browser-verification-gate/surface-inventory.md with columns for surface, route, expected taxonomy, origin, filter support, code owner, and verification status.
• T007 Create specs/340-post-scope-contract-browser-verification-gate/scope-verification-matrix.md with columns for page, origin, URL/query, shell, sidebar, breadcrumb/header, visible filter evidence, reload/back-forward result, screenshot, status, and finding ID.
• T008 Create specs/340-post-scope-contract-browser-verification-gate/findings.md with P1/P2/P3/backlog definitions and empty finding sections.
• T009 Initialize specs/340-post-scope-contract-browser-verification-gate/audit-report.md with command log, branch, baseline commit, verification scope, and go/no-go placeholder.
• T010 Inspect apps/platform/routes/web.php and record the current admin workspace/environment route families in surface-inventory.md.
• T011 Inspect apps/platform/app/Providers/Filament/AdminPanelProvider.php for registered pages/resources, render hooks, and navigation-relevant provider configuration.
• T012 Inspect apps/platform/app/Support/Navigation/AdminSurfaceScope.php, WorkspaceHubRegistry.php, WorkspaceHubEnvironmentFilter.php, and WorkspaceSidebarNavigation.php; classify expected shell/sidebar ownership in surface-inventory.md.
• T013 Inspect apps/platform/app/Support/ManagedEnvironmentLinks.php, OperationRunLinks.php, and WorkspaceContext.php; record link/filter/topbar/remembered-environment seams in surface-inventory.md.
• T014 Inspect apps/platform/app/Filament/Resources/ProviderConnectionResource.php and apps/platform/app/Policies/ProviderConnectionPolicy.php; record Provider Connection authority expectations in surface-inventory.md.
• T015 Inspect existing browser tests under apps/platform/tests/Browser/Spec314*, Spec316*, Spec322*, Spec338*, and Spec281*; record reusable setup patterns in audit-report.md.

Phase 3: Browser Setup And Data Availability

Purpose: Make browser results reproducible and avoid false passes from missing data.

• T016 Resolve the app URL through Laravel Boost get_absolute_url or documented Sail/local config and record it in audit-report.md.
• T017 Identify the smoke-login actor and available workspace/environment fixture path from existing browser test conventions; record the source in audit-report.md.
• T018 Verify at least one Workspace is selectable in the browser and record available Workspace evidence in scope-verification-matrix.md.
• T019 Verify at least one Managed Environment is reachable from that Workspace and record whether a second environment exists for comparison in scope-verification-matrix.md.
• T020 Record unavailable seed data, blocked routes, or authorization-limited surfaces in findings.md as blocked, not pass.

Phase 4: Workspace-Origin Verification

Purpose: Prove clean Workspace mode does not imply hidden environment scope.

• T021 From a clean Workspace origin, open Workspace Overview and record shell/sidebar/header evidence in scope-verification-matrix.md.
• T022 From clean Workspace origin, open Operations and record URL/query, scope signals, local filter state, reload behavior, and screenshot path if captured.
• T023 From clean Workspace origin, open Alerts and Audit Log and record whether they behave as Workspace Hubs with local environment filters where supported.
• T024 From clean Workspace origin, open Evidence Overview and record whether it remains a Workspace Hub, not an environment-owned evidence route.
• T025 From clean Workspace origin, open Provider Connections and record list context, visible filter state, create affordance, and absence of remembered-environment authority.
• T026 From clean Workspace origin, open Review Register, Customer Review Workspace, Governance Inbox, Decision Register, and Finding Exceptions Queue where reachable; record pass/blocked/finding status per surface.
• T027 From clean Workspace origin, open Baseline Profiles and Baseline Snapshots and record that they remain workspace-owned source-of-truth surfaces.

Phase 5: Environment-Origin And Filtered Hub Verification

Purpose: Prove Environment mode and filtered Workspace Hub mode stay distinct.

• T028 From Environment Dashboard, record route, shell, sidebar, breadcrumb/header, and environment identity evidence.
• T029 From Environment Dashboard, open environment-owned detail surfaces that are present and record whether they remain environment-route-owned.
• T030 From Environment Dashboard, open Operations through sidebar/global navigation and record whether it becomes clean Workspace Hub entry or explicit filtered hub entry.
• T031 From Environment Dashboard, open Alerts, Audit Log, Evidence Overview, Provider Connections, Review Register, Customer Review Workspace, Governance Inbox, Decision Register, and Finding Exceptions Queue where reachable; record explicit environment_id behavior where intended.
• T032 For at least three representative filtered Workspace Hubs, reload the page and record whether filter state remains truthful and visible.
• T033 For at least three representative filtered Workspace Hubs, use browser back/forward and record whether shell/filter state remains truthful.
• T034 Clear the environment filter where supported and record whether the resulting clean hub entry matches the expected Workspace Hub contract.

Phase 6: Topbar Semantics Verification

Purpose: Prove topbar context does not silently become a page-local filter.

• T035 Use the Workspace selector from a Workspace Hub and record whether it switches workspace context rather than local page filter state.
• T036 Use the Environment selector from a Workspace Hub and record whether it navigates/opens environment context instead of silently filtering the current hub.
• T037 With a remembered environment present, open a clean Workspace Hub URL and record whether the hub remains unfiltered unless explicit environment_id is present.
• T038 Record any page copy that instructs users to use the topbar as a local filter in findings.md.

Phase 7: Provider Connection Authority Verification

Purpose: Prove credential-adjacent browser behavior matches Spec 339.

• T039 Open /admin/provider-connections clean and record list scope, filter state, and create affordance in scope-verification-matrix.md.
• T040 Open /admin/provider-connections?environment_id=<valid-environment> and record visible filter evidence plus create affordance tied to that environment.
• T041 Open /admin/provider-connections/create without environment_id and record whether create is blocked or safely guided without remembered-environment authority.
• T042 Open /admin/provider-connections/create?environment_id=<wrong-workspace-environment> where safely reproducible and record 404/blocked behavior without leaking foreign workspace details.
• T043 Open an existing Provider Connection view/edit route and record whether visible context derives from record ownership, not topbar/remembered environment.
• T044 Inspect credential-adjacent visible actions without executing destructive or external-provider operations; record confirmation/authorization/audit affordance expectations in findings.md.
• T045 If a suspected Provider Connection issue appears, run or reference targeted Feature coverage in apps/platform/tests/Feature/ProviderConnections/ before classifying severity.

Phase 8: Findings, Go/No-Go, And Follow-Up Control

Purpose: Convert browser evidence into a concrete decision.

• T046 Classify every matrix row in scope-verification-matrix.md as pass, P1, P2, P3, backlog, blocked, or not-applicable.
• T047 For each P1/P2 finding in findings.md, include surface, origin, URL, expected behavior, actual behavior, evidence, likely owner files, and smallest safe next action.
• T048 For each blocked check in findings.md, include the missing route/data/tooling condition and whether it blocks go/no-go confidence.
• T049 Write the final go/no-go recommendation in audit-report.md.
• T050 If no P1/P2 drift exists, state that new feature work may resume and list deferred candidates without opening them automatically.
• T051 If P1/P2 drift exists, recommend either a bounded in-scope fix path after artifact update or a follow-up spec; do not start unrelated feature work.

Phase 9: Optional Automated Regression Coverage

Purpose: Add bounded automation only when it is stable enough to maintain.

• T052 Decide in audit-report.md whether to add apps/platform/tests/Browser/Spec340PostScopeContractVerificationSmokeTest.php or keep Spec 340 as manual/in-app browser verification only.
• T053 If automation is added, create apps/platform/tests/Browser/Spec340PostScopeContractVerificationSmokeTest.php using existing Pest 4 browser conventions and explicit workspace/environment fixtures.
• T054 If automation is added, assert no JavaScript errors and cover representative clean Workspace origin, Environment origin, filtered hub entry, topbar remembered-environment behavior, and Provider Connections create authority.
• T055 Keep exhaustive route/query permutations in Feature tests or artifact matrix, not the Browser test.
• T056 Do not add or modify seeders unless spec.md and plan.md are updated with the fixture-cost decision first.

Phase 10: Validation And Close-Out

Purpose: Prove the gate ran and preparation boundaries remained intact.

• T057 Run focused Browser validation if automated coverage exists: cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser --filter=Spec340.
• T058 Run targeted Provider Connections Feature validation if Provider Connection authority findings were suspected: cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections --filter=ScopeHardening.
• T059 Run git diff --check from the repository root.
• T060 Update audit-report.md with exact commands, results, screenshots, blocked checks, full-suite status, unrelated residual failures, and final go/no-go.
• T061 Confirm no completed specs were modified and no application runtime code was changed unless explicitly authorized by updated Spec 340 artifacts.

Explicit Non-Goals

• NT001 Do not redesign sidebar, topbar, Provider Connections, Evidence, Baselines, or Review surfaces.
• NT002 Do not create migrations, models, services, jobs, policies, routes, or runtime behavior changes during preparation.
• NT003 Do not rewrite completed Spec 313/322/338/339 close-out, validation, or completed-task history.
• NT004 Do not create follow-up specs automatically without P1/P2 browser evidence.
• NT005 Do not execute destructive or external-provider actions during browser verification.