TenantAtlas/specs/389-governance-inbox-resolution-intake-v1/contracts/review-publication-resolution-inbox-item.md
ahmido 9912d94563 feat: add governance inbox resolution intake (#460)
Automated PR created by Codex via Gitea API.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #460
2026-06-20 07:46:12 +00:00

231 lines
9.3 KiB
Markdown

# Review Publication Resolution Inbox Item Contract
**Feature**: 389 - Governance Inbox Resolution Intake v1
**Status**: Contract for later implementation
**Scope**: One concrete Governance Inbox item type for Review Publication Resolution Cases
## Purpose
This contract maps existing `ReviewPublicationResolutionCase` records into operator-facing Governance Inbox items. It is a read-only intake contract. It must not become a generic workflow, task, adapter, or proof/currentness abstraction.
## Allowed Item Type
Only this item type is allowed in Spec 389:
```text
review_publication_resolution
```
Do not introduce generic item types such as `resolution_case`, `workflow_task`, `action_case`, `generic_readiness_item`, or `generic_resolution_item`.
## Source Truth
The item may consume:
- `ReviewPublicationResolutionCase` fields and relationships that are already scoped to the current workspace.
- The current `ReviewPublicationResolutionStep`, loaded through the case relationship.
- Existing safe summaries from Review Publication Resolution and Spec 388 proof/currentness logic.
- Existing policy/authorizer answers for the current viewer.
- Existing validated links to Resolution, Review, and OperationRun pages.
The item must not independently infer readiness or proof currentness from raw:
- OperationRun metadata.
- StoredReport metadata.
- EvidenceSnapshot metadata.
- ReviewOutput metadata.
- ReviewPack metadata.
- persisted `proof_summary`.
- persisted `operation_run_id`.
- `readiness_fingerprint`.
- internal step keys.
If safe classification cannot be completed cheaply in list rendering, the item status must be `needs_recheck` and the primary action must navigate to the Resolution Page.
## Existing Governance Inbox Entry Shape
The existing Governance Inbox renderer consumes section entries and normalizes them into operator items. A Review Publication Resolution entry should follow this shape unless implementation introduces a small source-specific DTO that is immediately normalized into the same fields:
| Existing entry key | Required | Contract |
| --- | --- | --- |
| `family_key` | Yes | `review_publication_resolution` |
| `source_model` | Yes | `App\Models\ReviewPublicationResolutionCase` |
| `source_key` | Yes | Case key as an internal source reference, not rendered as the item title. |
| `managed_environment_id` | Yes | Environment ID for environment-scoped cases. |
| `tenant_label` | Yes | Safe environment label visible to the viewer. |
| `headline` | Yes | Operator-facing title, for example `Review can't be published yet`. |
| `subline` | Optional | Safe review label, owner, or last-update context. No raw IDs unless already safe and useful. |
| `urgency_rank` | Yes | Sort rank derived from inbox status. |
| `status_label` | Yes | Human label for mapped inbox status. |
| `destination_url` | Yes when inspectable | Resolution Page URL or, only if primary operation action is safer and validated, OperationRun URL. |
| `decision_label` | Yes | Human decision label such as `Continue review publication preparation`. |
| `reason_label` | Yes | Human reason summary. No internal step/proof reason keys. |
| `impact_label` | Yes | Human impact summary, for example `Review publication remains blocked`. |
| `owner_label` | Optional | Assignee/creator/current owner if available and safe. |
| `due_label` | Optional | `Updated <relative time>` or existing due label pattern. |
| `evidence_label` | Optional | Safe proof availability summary. |
| `evidence_state` | Optional | Display state only, for example `available`, `missing`, `needs_recheck`. |
| `evidence_path_label` | Optional | Safe link label only. |
| `evidence_path_url` | Optional | Validated Review/Resolution/Operation URL only. |
| `exception_label` | Optional | Usually `No accepted-risk state`. |
| `primary_action_label` | Yes | `Continue preparation`, `Inspect preparation`, or validated `Open operation`. |
| `primary_action_url` | Yes when inspectable | URL to the allowed page. |
| `back_label` | Optional | Existing navigation context label. |
## Conceptual Item Fields
If a DTO is used, it must still represent only display-safe fields:
```php
final readonly class GovernanceInboxItem
{
public function __construct(
public string $type,
public string $key,
public string $status,
public string $severity,
public string $title,
public string $summary,
public string $nextActionLabel,
public ?string $nextActionUrl,
public ?string $environmentLabel,
public ?string $subjectLabel,
public ?CarbonImmutable $updatedAt,
public ?CarbonImmutable $createdAt,
public ?int $ownerId = null,
public array $badges = [],
public array $safeMetadata = [],
) {}
}
```
The DTO is optional. If added, it must be concrete to this source family or broadly display-only without creating a generic intake registry.
## Required Display Semantics
Each item must answer:
- What needs attention?
- Why?
- Which review/environment is affected?
- What is the next safe action?
- Is there current proof?
- Who owns it, if known?
- Where does the operator continue?
Default examples:
| Status | Title | Reason | Primary action |
| --- | --- | --- | --- |
| `needs_attention` | Review can't be published yet | Required reports are missing | Continue preparation |
| `waiting` | Review preparation running | Waiting for operation to finish | Continue preparation or validated Open operation |
| `failed` | Review preparation needs attention | Operation failed while preparing the review | Continue preparation |
| `ready_to_continue` | Review preparation can continue | Publication preparation can continue | Continue preparation |
| `needs_recheck` | Review preparation needs re-check | Preparation status needs to be refreshed | Continue preparation |
| `blocked` | Review preparation needs operator access | You can inspect this preparation, but cannot execute the next action | Inspect preparation |
## Safe Metadata Rules
`safe_metadata`, entry context, linked records, and secondary actions may include:
- display status.
- display severity.
- display step label.
- display proof label.
- environment label.
- review label.
- validated action labels and URLs.
- owner display label.
- last updated timestamp.
They must not include:
- raw provider payloads.
- raw Graph responses.
- raw evidence, report, review output, or review pack payloads.
- raw exception messages.
- secrets or tokens.
- `readiness_fingerprint`.
- internal proof reason codes by default.
- internal step keys by default.
- raw `operation_run_id` unless the operation link is fully validated and the ID is needed for an authorized link label.
- StoredReport IDs unless scope-safe and explicitly needed.
- EvidenceSnapshot IDs unless scope-safe and explicitly needed.
- OperationRun metadata.
## Link Contract
### Resolution Page
Use the existing Review Publication Resolution Page as the default destination:
```text
EnvironmentReviewResource::environmentScopedUrl('resolve-publication', ['record' => $review], $tenant)
```
The link is allowed only when the viewer may inspect the case. If the viewer can inspect but not execute, the label should be `Inspect preparation` or `Continue preparation` and the Resolution Page must remain inspection-only.
### Review Detail
`Open review` is secondary and allowed only when the viewer can view the Review in the same workspace/environment context.
### OperationRun Detail
`Open operation` is allowed only when all checks pass:
- same workspace.
- same environment where applicable.
- same EnvironmentReview context where applicable.
- same Review Publication Resolution Case context where available.
- operation belongs to the current step or current safe proof summary.
- operation/action type is expected for the current step.
- Spec 388 currentness/usability/visibility is acceptable for disclosure.
- current user can view the OperationRun.
Permission alone is not sufficient. Do not build operation URLs directly from persisted step metadata. `Open operation` may be the primary action only for a validated `waiting` item where opening the operation is the safest next action; otherwise it must be secondary or hidden. If any check fails, render a non-linked safe label such as `Operation is running` or fallback to `Needs re-check`.
## RBAC and Scope
The provider/query must hide items that the viewer cannot access. It must not reveal inaccessible counts.
Required visibility checks:
- workspace membership.
- environment entitlement.
- subject Review visibility.
- `ReviewPublicationResolutionCasePolicy::view`.
- safe summary visibility.
- customer-facing users and customer workspace surfaces receive no internal item.
Viewer-relative status must not be persisted back to the case.
## Sorting Contract
Default active sorting:
1. `failed`
2. `blocked`
3. `needs_attention`
4. `needs_recheck`
5. `ready_to_continue`
6. `waiting`
7. newest `updated_at` inside each group
If the existing Governance Inbox lane sorter is reused, map urgency ranks to preserve that order inside the new source family.
## Negative Contract
Spec 389 does not allow:
- inline provider checks.
- inline Entra scans.
- inline evidence collection.
- inline review refresh.
- inline export preparation.
- inline cancel resolution.
- inline publish.
- new top-level navigation.
- new global search Resource.
- generic workflow or task model.
- generic adapter registry.