TenantAtlas/specs/392-customer-output-gating-review-pack-navigation/tasks.md
ahmido dd7139ebe3 Spec392 customer output gating (#463)
Implements Spec392 customer output gating for review pack downloads, rendered reports, management PDFs, and customer workspace CTAs.

Validation:
- php vendor/bin/pest --filter=Spec392: 12 passed / 58 assertions
- php vendor/bin/pest --filter='ReviewPack|CustomerReviewWorkspace|StoredReport': 283 passed / 1 skipped / 2053 assertions
- affected browser matrix: 12 passed / 420 assertions
- php vendor/bin/pint --dirty: pass
- git diff --check: pass

Notes:
- Deprecated limited-download semantics remain removed.
- Unsafe customer-facing output returns 403/no output.
- Internal preview/report access is operator-only.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #463
2026-06-20 20:54:50 +00:00


Tasks: Spec 392 - Customer Output Gating & Review Pack Navigation v1

Input: specs/392-customer-output-gating-review-pack-navigation/spec.md and plan.md
Prerequisites: Spec artifacts prepared; implementation must start from repo-truth verification and must not modify completed context specs.
Tests: Required. This is a customer-output trust boundary and route-gating change with Unit, Feature/HTTP, Filament/Livewire, and bounded Browser proof.

Test Governance Checklist

  • Lane assignment is named and narrow: Unit for gate derivation, Feature/HTTP for direct routes, Filament/Livewire for action labels/state, Browser for final trust-path proof.
  • New or changed tests stay in the smallest honest family; Browser coverage is one explicit Spec 392 smoke file.
  • Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default.
  • Planned validation commands cover the change without pulling unrelated heavy-governance cost.
  • The declared surface profile is customer-safe strategic review surface + artifact download route.
  • Any unreachable safe/unsafe state is documented in the active spec package rather than faked.

Phase 1: Repo Truth And Action Inventory

Purpose: Confirm all output paths before changing behavior and prevent reopening completed specs.

  • T001 Re-read specs/392-customer-output-gating-review-pack-navigation/spec.md, plan.md, tasks.md, and checklists/requirements.md.
  • T002 Re-read completed context specs as read-only inputs only: specs/342-customer-review-workspace-final-consumption-productization, specs/347-review-pack-output-contract-readiness-semantics, specs/351-review-output-resolve-actions-v1, and specs/372-customer-auditor-surface-safety-pass.
  • T003 Re-read specs/browser-productization-bug-audit/browser-bug-report.md and confirm BUG-007 remains in scope as a CTA truthfulness defect.
  • T004 Confirm current branch and dirty state with git status --short --branch and git log -1 --oneline.
  • T005 Inventory every customer-output open/download action or route in apps/platform/app, apps/platform/routes, apps/platform/resources, and apps/platform/lang using search terms from the spec.
  • T006 Record the action inventory in the implementation notes or PR close-out: label, page/route, destination, current visibility condition, current authorization, customer-facing/internal classification, and whether it streams/renders/links output.
  • T007 Inspect existing readiness/disclosure sources before adding a new helper:
    • apps/platform/app/Support/ReviewPacks/ReviewPackOutputReadiness.php
    • apps/platform/app/Support/ReviewPacks/ReviewPackOutputResolutionGuidance.php
    • apps/platform/app/Support/ReviewPacks/ReportDisclosurePolicy.php
  • T008 Inspect current route/controller behavior:
    • apps/platform/app/Http/Controllers/ReviewPackDownloadController.php
    • apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php
    • apps/platform/app/Http/Controllers/ManagementReportPdfDownloadController.php
    • apps/platform/routes/web.php
  • T009 Inspect current UI/action behavior:
    • apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php
    • apps/platform/resources/views/filament/pages/reviews/customer-review-workspace.blade.php
    • apps/platform/app/Filament/Resources/ReviewPackResource.php
    • apps/platform/app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php
    • apps/platform/app/Filament/Resources/EnvironmentReviewResource.php
    • apps/platform/app/Filament/Resources/EnvironmentReviewResource/Pages/ViewEnvironmentReview.php
    • apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php
    • apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php
  • T010 Confirm no migration, package, env var, queue, scheduler, storage topology, Graph scope, panel-provider, route family, report renderer, or customer portal change is required; stop and update spec/plan if false.
  • T011 Confirm Filament v5 / Livewire v4.0+ compliance and no Filament v3/v4 or Livewire v3 APIs.
  • T012 Confirm panel provider registration remains apps/platform/bootstrap/providers.php.
  • T013 Confirm no global-search participation is added or changed.

Phase 2: Gate Contract And Unit Tests

Purpose: Define customer-output safety once and prove its state mapping before route/UI changes.

  • T014 Add or update focused Unit tests for the customer-output gate under apps/platform/tests/Unit/Support/ReviewPacks/ or the narrowest existing support test family.
  • T015 Test Ready when review output is published, customer-safe, current, artifact-backed, and authorized.
  • T016 Test Blocked when PII/unredacted sensitive data or explicit internal-only output blocks customer-facing output.
  • T017 Test Needs attention or Blocked for limitations-bearing, incomplete evidence, required-section gaps, disclosure missing, or publish-blocker states according to existing severity.
  • T018 Test Not configured for missing output artifact or unavailable customer workspace.
  • T019 Test Expired for expired, stale, revoked, superseded, or archived output where repo-backed fields exist.
  • T020 Test Unknown when safety cannot be determined from current repo truth.
  • T021 Test permission denial blocks customer output even if output is otherwise safe.
  • T022 Test permission grant does not override unsafe customer output.
  • T023 Implement the narrowest customer-output gate/result adapter only if existing helpers cannot serve route and UI needs directly.
  • T024 Ensure any new gate/result adapter reuses existing readiness/disclosure helpers and remains non-persistent.
  • T025 Ensure gate evaluation is DB/storage-backed only and performs no Graph or remote calls.

Phase 3: Route Enforcement

Purpose: Prevent direct-route bypass before relying on UI state.

  • T026 Add Feature/HTTP tests under apps/platform/tests/Feature/ReviewPack/ or the narrowest existing family proving safe ReviewPackDownloadController downloads succeed and audit.
  • T027 Add Feature/HTTP tests proving PII, limitations, missing, failed, expired, superseded, archived, and unknown customer-output states do not stream a Review Pack file through direct URL access.
  • T028 Update apps/platform/app/Http/Controllers/ReviewPackDownloadController.php to enforce the customer-output gate before file streaming.
  • T029 Add or update Feature/HTTP tests for ReviewPackRenderedReportController proving blocked output does not render customer-facing download/open actions or customer-safe report claims.
  • T030 Update apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php to consume the same gate for customer-facing rendered report output and action labels.
  • T031 Inspect apps/platform/app/Http/Controllers/ManagementReportPdfDownloadController.php; classify it as customer-facing or internal-only using the spec/plan criteria, record the decision in implementation notes or PR close-out, and if customer-facing add equivalent gate tests and enforcement.
  • T032 Add or update route regression tests proving wrong workspace/environment access remains 404 deny-as-not-found and entitled-member missing-capability access remains 403 for ReviewPackDownloadController, ReviewPackRenderedReportController, and ManagementReportPdfDownloadController if customer-facing.
  • T033 Preserve existing workspace membership 404, managed-environment entitlement checks, capability 403, artifact status, expiry, file existence, and audit behavior while adding gate checks.
  • T034 Ensure blocked direct access returns 403, 404 deny-as-not-found, or safe admin redirect without file content and without sensitive details.
  • T035 Add or update audit assertions for successful customer-output downloads and internal-preview downloads if internal preview is implemented.
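As an added illustration (not code from the TenantAtlas repository), a minimal non-persistent gate adapter in the shape Phase 2 and Phase 3 describe: the state is derived from facts the existing readiness/disclosure helpers would supply, permission denial blocks otherwise-safe output (T021), a grant never overrides unsafe output (T022), and the direct-route decision streams only in the Ready state (T028/T034). The class and enum names, fact keys and reason copy are assumptions; it targets PHP 8.1+ for enums and named arguments.

```php
<?php
// Hypothetical gate adapter (not TenantAtlas code): derives one customer-output state from
// facts the existing readiness/disclosure helpers already expose; nothing is persisted.
enum CustomerOutputState: string
{
    case Ready = 'ready'; case NeedsAttention = 'needs_attention'; case Blocked = 'blocked';
    case NotConfigured = 'not_configured'; case Expired = 'expired'; case Unknown = 'unknown';
}
final class CustomerOutputGate
{
    /** @return array{CustomerOutputState, ?string} state plus one customer-safe reason */
    public static function evaluate(array $facts, bool $canDownload): array
    {
        $f = static fn (string $key) => $facts[$key] ?? null; // absent fact => null
        if ($f('artifact_exists') === null || $f('published') === null) {
            return [CustomerOutputState::Unknown, 'Customer output status could not be determined.'];
        }
        if (!$f('artifact_exists') || !$f('workspace_available')) {
            return [CustomerOutputState::NotConfigured, 'Customer output has not been set up.'];
        }
        if ($f('expired') || $f('superseded') || $f('archived')) {
            return [CustomerOutputState::Expired, 'This customer output is no longer current.'];
        }
        // Safety is decided before permission, so a grant never upgrades unsafe output (T022).
        if ($f('contains_pii') || $f('internal_only') || !$f('published')) {
            return [CustomerOutputState::Blocked, 'Customer output is not cleared for release.'];
        }
        if ($f('has_limitations') || $f('disclosure_missing')) {
            return [CustomerOutputState::NeedsAttention, 'Customer output needs review before release.'];
        }
        // Permission denial blocks output even when it is otherwise safe (T021).
        if (!$canDownload) {
            return [CustomerOutputState::Blocked, 'You do not have access to customer output.'];
        }
        return [CustomerOutputState::Ready, null];
    }
    /** Direct-route decision (T028/T034): stream only when Ready, otherwise 403 and no file body. */
    public static function httpStatus(CustomerOutputState $state): int
    {
        return $state === CustomerOutputState::Ready ? 200 : 403;
    }
}
// Constructed sample: safe, published output requested by a member without the capability.
$facts = ['artifact_exists' => true, 'workspace_available' => true, 'published' => true, 'expired' => false,
    'superseded' => false, 'archived' => false, 'contains_pii' => false, 'internal_only' => false,
    'has_limitations' => false, 'disclosure_missing' => false];
[$state] = CustomerOutputGate::evaluate($facts, canDownload: false);
assert($state === CustomerOutputState::Blocked && CustomerOutputGate::httpStatus($state) === 403);
[$state] = CustomerOutputGate::evaluate(['contains_pii' => true] + $facts, canDownload: true);
assert($state === CustomerOutputState::Blocked); // grant does not override unsafe output (T022)
```

The reason strings deliberately stay free of implementation terms (T044), and the controller is expected to call `httpStatus()` before any streaming response is built so a 403 carries no file content.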

Phase 4: Customer Workspace And Review Pack Action Labels

Purpose: Make every customer-output CTA truthful by destination and safety state.

  • T036 Add or update Filament/Livewire tests proving Open customer workspace opens only CustomerReviewWorkspace and never Review Pack detail.
  • T037 Add or update Filament/Livewire tests proving Review Pack detail links are labelled Open review pack.
  • T038 Update apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php so customer-workspace CTA labels match actual destinations.
  • T039 Update apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php only if current links can still label internal artifact/detail routes as customer workspace.
  • T040 Update apps/platform/app/Filament/Resources/EnvironmentReviewResource.php and related view page only where customer workspace / review pack / report action labels are misleading.
  • T041 Update apps/platform/app/Filament/Resources/ReviewPackResource.php and apps/platform/app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php so customer output, internal preview, rendered report, and review pack labels match destinations and gate state.
  • T042 Update apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php and apps/platform/resources/views/filament/pages/reviews/customer-review-workspace.blade.php so the primary customer-output action appears only when the gate permits it.
  • T043 Ensure affected pages show one top-level customer output state by default: Ready, Needs attention, Blocked, Not configured, Expired, or Unknown.
  • T044 Ensure blocked states show one concise reason and avoid implementation terms such as artifact payload, detector, source key, operation failure, fingerprint, or raw policy internals in default copy.

Phase 5: Internal Preview Separation

Purpose: Keep operator-only preview useful without presenting it as customer output.

  • T045 Add or update tests proving deprecated limited-download copy is absent from customer-facing pages and reports.
  • T046 If a limitations-bearing artifact remains accessible, relabel it as Download internal preview in apps/platform/lang/en/localization.php and apps/platform/lang/de/localization.php.
  • T047 Gate internal preview behind internal/operator permission and ensure it is secondary, not the primary customer-facing action.
  • T048 Add tests proving customer/read-only users cannot see or access internal preview.
  • T049 Add tests proving internal preview direct route/action cannot be used as customer-output bypass.
  • T050 Ensure customer-output labels are not used for limitations-bearing or internal-only artifacts.

Phase 6: Customer-Safe Disclosure And Proof Demotion

Purpose: Preserve audit depth while preventing default customer-facing proof leakage.

  • T051 Add or update Feature/Browser assertions that customer-facing surfaces do not show raw IDs, source keys, fingerprints, raw payloads, OperationRun internals, baseline internals, detector names, or report-generation metadata by default.
  • T052 Keep technical proof reachable only through existing internal/audit/detail actions where authorized.
  • T053 Ensure proof/action labels use View audit trail, View technical details, or similar internal labels, not customer-output labels.
  • T054 Remove duplicated visible readiness/status badges where they compete with the canonical customer-output state on affected surfaces.

Phase 7: Localization, UI Coverage, And Regression Guards

Purpose: Align copy and active feature artifacts without broad docs churn.

  • T055 Update only required localization keys in apps/platform/lang/en/localization.php and apps/platform/lang/de/localization.php.
  • T056 Update targeted tests that assert current copy so they assert semantics rather than stale unsafe labels.
  • T057 Decide after runtime diff whether existing page reports under docs/ui-ux-enterprise-audit/page-reports/ require updates; update only materially affected page reports.
  • T058 Document no-count-change/no-archetype-change if route-inventory.md and design-coverage-matrix.md remain unchanged.
  • T059 Do not create general documentation files outside required Spec Kit/UI coverage artifacts.

Phase 8: Browser Smoke And Direct URL Proof

Purpose: Prove the user-visible trust path after targeted tests pass.

  • T060 Add apps/platform/tests/Browser/Spec392CustomerOutputGatingSmokeTest.php using existing review-output fixture helpers where practical.
  • T061 Browser state: safe output; assert Open customer workspace opens actual Customer Review Workspace and Download customer output succeeds only in ready state.
  • T062 Browser state: unsafe/limited output; assert customer output is blocked, reason is visible, and no customer-facing deprecated limited-download copy appears.
  • T063 Browser state: internal preview if present; assert label is internal, secondary, and hidden from customer/read-only mode.
  • T064 Browser state: dashboard CTA; assert a link labelled Open customer workspace does not land on Review Pack detail.
  • T065 Direct URL proof: assert blocked output direct route returns no file content.
  • T066 Browser harness did not capture Spec 392 screenshots; no screenshot artifacts were added.

Phase 9: Validation And Close-Out

Purpose: Prove the implementation and record deployment impact clearly.

  • T067 Attempt Sail validation; Docker was not running, so run the equivalent local Pest Spec 392 gate/route/architecture validation.
  • T068 Run targeted existing regressions based on touched surfaces, at minimum CustomerReviewWorkspace, ReviewPack, and StoredReport filters if those surfaces changed.
  • T069 Run local Pest Browser validation for tests/Browser/Spec392CustomerOutputGatingSmokeTest.php because Docker/Sail was unavailable.
  • T070 Run cd apps/platform && php vendor/bin/pint --dirty.
  • T071 Run git diff --check.
  • T072 Confirm no migrations, seeders, packages, env vars, queues, scheduler, storage topology, Graph contracts/calls, panel providers, new route family, customer portal, report renderer, or legacy compatibility path were added.
  • T073 Confirm final Livewire v4 compliance, provider registration location, global-search posture, destructive/high-impact action status, asset strategy, tests, deployment impact, and Guardrail / Exception / Smoke Coverage in the implementation close-out response.

Dependencies

  • Phase 1 must complete before runtime implementation.
  • Phase 2 gate tests should land before or alongside route enforcement.
  • Phase 3 route enforcement must complete before UI-only assumptions are considered safe.
  • Phase 4 and Phase 5 can proceed in parallel after the gate decision shape is stable.
  • Phase 8 runs after targeted tests and route enforcement are implemented.
  • Phase 9 closes the feature.

Parallel Execution Examples

  • T007, T008, and T009 can be split by repo surface during inspection.
  • T026-T031 can be split by route/controller after the gate API is stable.
  • T038-T042 can be split by UI surface if no shared helper conflict exists.
  • T055-T058 can run after labels and UI diff are known.

Non-Goals / Stop Conditions

  • Stop if implementation requires a new persisted readiness table, new customer portal, new report renderer, new review publication workflow, new route family, or broad Customer Review Workspace redesign.
  • Stop if management-report PDF production enablement becomes necessary; that belongs to Spec 379 follow-through.
  • Stop if internal preview requires a new capability model not expressible by current capabilities; update spec/plan first.
  • Stop if route gating cannot be implemented without changing artifact lifecycle/retention semantics; promote a separate lifecycle spec.
  • Do not rewrite, normalize, uncheck, or remove implementation history from completed Specs 342, 347, 351, 372, or browser audit artifacts.

Required Final Report Content For Later Implementation

When implementation later completes, report:

  • Changed behavior.
  • Customer-output gate states and blocking reasons.
  • Route enforcement results for safe and unsafe output.
  • CTA label/destination corrections.
  • Internal preview behavior, if present.
  • RBAC/context behavior.
  • Files changed.
  • Tests run and results.
  • Browser smoke and screenshot path.
  • Known gaps and follow-up specs.
  • Full suite run/not run.
  • Explicit no migrations/packages/env/queues/scheduler/storage/deployment assets/Graph/panel-provider/destructive-action/backcompat/new-customer-portal statement.