Research: Cutover Prerequisite Completion

Decision 1: Spec `287` now completes prerequisites; Spec `288` owns enforcement

Use this package to finish the remaining runtime and test-harness seams that still block quality-gates / no-legacy enforcement.
Do not add a guard suite, a full-suite baseline, or global quality gates here.
Keep the follow-up boundary explicit: Spec 288 starts after this runtime baseline exists.

The provider-connection legacy alias family in apps/platform/routes/web.php is a runtime seam, not an enforcement-only concern.
Remove it in this slice so later enforcement can guard the completed route truth instead of compensating for it.

Neutralize the shared provider-core contract where repo truth still depends on Microsoft-shaped identity or target-scope fields.
Keep Microsoft-specific tenant/profile, consent, and support detail nested under provider-owned seams only.
Do not add a new provider profile table, registry, or framework.

Treat workspace membership as the only role-bearing truth.
Finish the cleanup that keeps managed-environment scope narrowing-only.
Do not introduce a second role system, a compatibility shim, or a new role family.

apps/platform/tests/Pest.php still carries tenant-panel-era setup such as setTenantPanelContext() and related legacy profile alias helpers.
Replace the retired panel assumption on the shared helper path and the in-slice direct consumers tests/Feature/Reviews/CustomerReviewWorkspaceLaunchLinksTest.php plus tests/Feature/Rbac/TriageReviewStateAuthorizationTest.php.
Do not turn this into a broad test-suite rewrite; keep it to the helpers and direct consumers needed by this slice.

Use focused feature tests and targeted browser validation for the changed seams only.
Do not add a global guard family, broad source-scan package, or full-suite baseline under this spec.

That would force the later enforcement slice to compete with unfinished runtime work and would keep the package blocked for the wrong reason.

That would preserve the same ambiguity that Spec 288 is supposed to eliminate.

The existing seams are already sufficient; they need completion, not a second architectural layer.

The slice is bounded and should prove only the changed seams.

apps/platform/routes/web.php still contains /admin/tenants/{tenant:slug}/provider-connections redirect routes.
apps/platform/app/Support/Providers/TargetScope/ProviderConnectionTargetScopeNormalizer.php and related provider-core seams still participate in the shared target-scope contract that this slice completes.
apps/platform/app/Services/Auth/TenantMembershipManager.php still persists managed-environment membership records with copied workspace role values.
apps/platform/tests/Pest.php still contains setTenantPanelContext() and createUserWithTenantLegacyProfileAliases().
The in-slice direct consumer tests tests/Feature/Reviews/CustomerReviewWorkspaceLaunchLinksTest.php and tests/Feature/Rbac/TriageReviewStateAuthorizationTest.php still depend on the retired tenant-panel helper path.

The package is implementation-ready as a bounded prerequisite-completion slice.
It is no longer a blocked-by-prerequisites guard package.
If implementation starts adding guard suites, full-suite baselines, or adjacent feature work, stop and split that work out of 287.
The canonical executable command set lives only in spec.md, plan.md, tasks.md, and quickstart.md; this artifact intentionally references that command authority without restating a second command set.