TenantAtlas/specs/249-customer-review-workspace/checklists/requirements.md
ahmido aacd82849a
Some checks failed
Main Confidence / confidence (push) Failing after 54s
feat(reviews): add CustomerReviewWorkspace with audit logging and RBAC enforcement (#289)
Add `CustomerReviewWorkspace` page for tenant pre-filtered reviews
Add customer workspace links to `EvidenceSnapshotResource`, `ReviewPackResource`, and `TenantReviewResource`
Implement audit logging for `TenantReviewOpened` and `ReviewPackDownloaded` actions
Update ReviewPack download controller to enforce tenant-scoped RBAC
Add tests for ReviewPack download authorization and audit logging

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #289
2026-04-28 07:15:41 +00:00

Preparation Review Checklist: Customer Review Workspace v1

Purpose: Validate the customer-safe review-consumption package against the repo's guardrail, disclosure, shared-family, and close-out workflow before implementation
Created: 2026-04-27
Feature: spec.md

Applicability And Low-Impact Gate

  • CHK001 The package explicitly treats this as an operator-facing and read-only/customer-safe surface change, so the low-impact N/A path is not used.
  • CHK002 The spec, plan, and tasks carry the same native/shared-primitives-first classification, shared-family relevance, state ownership, and close-out targeting, with no second, divergent wording introduced.

Native, Shared-Family, And State Ownership

  • CHK003 The primary surface remains a native Filament page that composes existing review, pack, and evidence viewers instead of introducing a fake-native shell or standalone customer portal.
  • CHK004 Shared detail families remain shared: tenant review, review pack, and evidence detail stay on their existing resource routes, while the new page stays a calm entry point rather than a parallel viewer family.
  • CHK005 Shell, page, and URL/query state owners are named once, and the package does not collapse them into new persisted customer-review state.
  • CHK006 The likely next operator action and primary inspect/open model stay coherent: Open latest review is primary, Download review pack is the only safe inline shortcut, and deeper proof stays secondary.

Shared Pattern Reuse

  • CHK007 Cross-cutting interaction classes are explicit, and the shared reuse path is named once through TenantReviewRegisterService, existing resource URL helpers, ArtifactTruthPresenter, ReviewPackService, RedactionIntegrity, and the audit pipeline.
  • CHK008 The package extends existing shared paths where they are sufficient, and any fallback to a bounded page-local read helper or additive audit action is explicitly constrained as a last resort rather than a new default abstraction.
  • CHK009 The package does not create a parallel customer-review UX language; it reuses current artifact-truth, publication-readiness, review-pack, and redaction vocabulary.

OperationRun Start UX Contract

  • CHK019 The package explicitly states that the new page does not create, queue, deduplicate, resume, block, complete, or deep-link to an OperationRun as a primary workflow.
  • CHK020 Any existing OperationRun links remain on reused detail surfaces, so queued toast/link/browser-event/dedupe behavior is not reimplemented on the customer workspace page.
  • CHK021 No queued DB notification behavior or terminal notification path is added because the slice stays read-only and never starts a run.
  • CHK022 No OperationRun exception is required; if implementation later promotes run-oriented behavior onto the page, that deviation must be recorded in the active close-out entry before merge.

Provider Boundary And Vocabulary

  • CHK010 The package keeps provider-specific semantics behind existing normalized review, evidence, and artifact-truth seams and does not spread provider language into a new platform-core contract.
  • CHK011 No retained provider-specific shared boundary is introduced; the slice stays within current workspace, tenant, review, evidence, review-pack, accepted-risk, and audit vocabulary.

Signals, Exceptions, And Test Depth

  • CHK012 The triggered repository signal is explicitly handled as review-mandatory, with no hidden hard-stop drift accepted into the package.
  • CHK013 No bounded exception is required in the preparation package; if implementation discovers a local read helper or additive audit action is unavoidable, that exception must be documented in the active feature close-out entry instead of becoming silent spread.
  • CHK014 The required surface test profile is explicit: standard-native-filament for the page plus shared-detail-family for navigation into existing review, pack, and evidence detail surfaces.
  • CHK015 The chosen lane mix is the narrowest honest proof for this disclosure-heavy slice: focused Feature coverage plus one bounded Browser smoke, with optional Unit coverage only if a small read helper is extracted.

Audience-Aware Disclosure And Decision Hierarchy

  • CHK023 Default-visible content stays decision-first and clearly separated from deeper diagnostics and support/raw evidence.
  • CHK024 The read-only/customer-safe default path does not expose raw JSON, copied payloads, fingerprints, internal reason ownership, platform-debug semantics, or unrestricted audit detail by default.
  • CHK025 Exactly one dominant next action is primary: Open latest review; safe artifact download remains secondary and does not compete at equal weight.
  • CHK026 Duplicate visible blocker, status, or next-action summaries are avoided by reusing one artifact-truth summary per row and leaving detailed proof to the existing detail surfaces.
  • CHK027 Support/raw sections remain hidden or capability-gated through reused detail routes only, and the page keeps Filament visual language, progressive disclosure, and calm read-only presentation.

Review Outcome

  • CHK016 Review outcome class: acceptable-special-case
  • CHK017 Workflow outcome: keep
  • CHK018 The final note location is explicit: the active feature PR close-out entry Guardrail / Exception / Smoke Coverage records the guardrail result, smoke outcome, and any bounded implementation exception.

Notes

  • This checklist validates the preparation package only: spec.md, plan.md, tasks.md, and the supporting design artifacts. It does not claim application code already exists.
  • The slice remains bounded to one read-only customer-safe workspace surface in the current admin plane. No new identity plane, persistence layer, review-generation workflow, remediation path, or raw-diagnostic default path is approved by this package.
  • If implementation later proves TenantReviewRegisterService reuse insufficient or shows that explicit artifact access requires a new stable AuditActionId, that must be recorded as a bounded note in Guardrail / Exception / Smoke Coverage rather than silently widening the architecture.

Implementation Close-out Addendum

  • Implemented surface: native CustomerReviewWorkspace page and Blade view in the existing admin-plane reviews family, still reusing current tenant review, review-pack, evidence, artifact-truth, RBAC, and audit seams.
  • T010 outcome: direct workspace links landed on tenant review detail, review-pack detail, evidence related context, and the tenant review-pack widget. ReviewRegister and EvidenceOverview remained acceptable reuse via existing row/detail navigation.
  • T020 outcome: pack-download plumbing changed. Request-time membership plus REVIEW_PACK_VIEW enforcement was added to the signed download route, and ReviewPackDownloadTest.php and ReviewPackRbacTest.php were updated and passed afterwards.
  • T023 outcome: the current audit infrastructure was reused with additive tenant_review.opened and review_pack.downloaded action IDs. No new audit store was introduced.
  • Smoke evidence outcome: the implementation close-out used the bounded Pest browser smoke plus the focused feature lane as executed smoke proof. No separate manual integrated-browser run was completed.
  • Final review outcome class: acceptable-special-case.
  • Final workflow outcome: keep.