TenantAtlas/specs/287-cutover-prerequisite-completion/research.md
Ahmed Darrazi a9f0ace9f4
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 9m28s
feat: complete spec 287 prerequisite cutover
2026-05-10 16:59:30 +02:00

68 lines
4.3 KiB
Markdown

# Research: Cutover Prerequisite Completion
## Decision 1: Spec `287` now completes prerequisites; Spec `288` owns enforcement
- Use this package to finish the remaining runtime and test-harness seams that still block quality-gates / no-legacy enforcement.
- Do not add a guard suite, a full-suite baseline, or global quality gates here.
- Keep the follow-up boundary explicit: Spec `288` starts after this runtime baseline exists.
## Decision 2: Retire the provider-connection legacy route family instead of guarding it
- The provider-connection legacy alias family in `apps/platform/routes/web.php` is a runtime seam, not an enforcement-only concern.
- Remove it in this slice so later enforcement can guard the completed route truth instead of compensating for it.
## Decision 3: Finish provider target-scope core neutralization on shared seams only
- Neutralize the shared provider-core contract where repo truth still depends on Microsoft-shaped identity or target-scope fields.
- Keep Microsoft-specific tenant/profile, consent, and support detail nested under provider-owned seams only.
- Do not add a new provider profile table, registry, or framework.
## Decision 4: Complete workspace-first access persistence instead of layering more RBAC logic
- Treat workspace membership as the only role-bearing truth.
- Finish the cleanup that keeps managed-environment scope narrowing-only.
- Do not introduce a second role system, a compatibility shim, or a new role family.
## Decision 5: Replace tenant-panel-era test helpers with post-cutover admin or workspace helpers
- `apps/platform/tests/Pest.php` still carries tenant-panel-era setup such as `setTenantPanelContext()` and related legacy profile alias helpers.
- Replace the retired panel assumption on the shared helper path and the in-slice direct consumers `tests/Feature/Reviews/CustomerReviewWorkspaceLaunchLinksTest.php` plus `tests/Feature/Rbac/TriageReviewStateAuthorizationTest.php`.
- Do not turn this into a broad test-suite rewrite; keep it to the helpers and direct consumers needed by this slice.
## Decision 6: Validation must stay targeted
- Use focused feature tests and targeted browser validation for the changed seams only.
- Do not add a global guard family, broad source-scan package, or full-suite baseline under this spec.
## Rejected Alternatives
### Rejected: keep `287` as a blocked no-legacy guard package
That would force the later enforcement slice to compete with unfinished runtime work and would keep the package blocked for the wrong reason.
### Rejected: solve the route and helper drift with compatibility aliases
That would preserve the same ambiguity that Spec `288` is supposed to eliminate.
### Rejected: introduce a new provider profile or access-scope framework
The existing seams are already sufficient; they need completion, not a second architectural layer.
### Rejected: use a full-suite baseline as the proof requirement
The slice is bounded and should prove only the changed seams.
## Evidence Anchors
- `apps/platform/routes/web.php` still contains `/admin/tenants/{tenant:slug}/provider-connections` redirect routes.
- `apps/platform/app/Support/Providers/TargetScope/ProviderConnectionTargetScopeNormalizer.php` and related provider-core seams still participate in the shared target-scope contract that this slice completes.
- `apps/platform/app/Services/Auth/TenantMembershipManager.php` still persists managed-environment membership records with copied workspace role values.
- `apps/platform/tests/Pest.php` still contains `setTenantPanelContext()` and `createUserWithTenantLegacyProfileAliases()`.
- The in-slice direct consumer tests `tests/Feature/Reviews/CustomerReviewWorkspaceLaunchLinksTest.php` and `tests/Feature/Rbac/TriageReviewStateAuthorizationTest.php` still depend on the retired tenant-panel helper path.
## Implementation Boundary Summary
- The package is implementation-ready as a bounded prerequisite-completion slice.
- It is no longer a blocked-by-prerequisites guard package.
- If implementation starts adding guard suites, full-suite baselines, or adjacent feature work, stop and split that work out of `287`.
- The canonical executable command set lives only in `spec.md`, `plan.md`, `tasks.md`, and `quickstart.md`; this artifact intentionally references that command authority without restating a second command set.