TenantAtlas/specs/389-governance-inbox-resolution-intake-v1/tasks.md
ahmido 9912d94563 feat: add governance inbox resolution intake (#460)
Automated PR created by Codex via Gitea API.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #460
2026-06-20 07:46:12 +00:00

Tasks: Governance Inbox Resolution Intake v1

Input: Design documents from specs/389-governance-inbox-resolution-intake-v1/

Prerequisites: spec.md, plan.md, contracts/, artifacts/current-governance-inbox-inventory.md

Execution Notes

  • Work on this feature must start from the current feature branch and follow the repo's session-branch workflow.
  • Do not implement a generic workflow engine, task model, adapter registry, or global-search Resource.
  • Do not add a migration unless implementation proves the existing Spec 386 indexes are insufficient and spec.md/plan.md are updated first.
  • Keep Governance Inbox read-only. All mutating actions remain on existing source-owned pages.
  • Use Laravel Sail for local validation unless explicitly blocked.
  • Implementation branch: 389-governance-inbox-resolution-intake-v1; baseline commit observed before implementation: 83c679cf feat: add review publication proof currentness contract (#459).
  • Initial dirty state was limited to the untracked Spec 389 artifact directory. No migration, panel provider registration, global-search Resource, top-level navigation, Filament asset registration, or customer workspace runtime change was added.
  • Implemented tests live under apps/platform/tests/Feature/Governance/Spec389GovernanceInboxResolutionIntakeTest.php and apps/platform/tests/Browser/Spec389GovernanceInboxResolutionIntakeSmokeTest.php.

Phase 1: Safety and Inventory

  • T001 Run repo safety commands from the repo root and record branch, dirty files, baseline commit, and Spec 386/387/388 baseline status in the implementation notes.
  • T002 Re-read specs/389-governance-inbox-resolution-intake-v1/spec.md, plan.md, contracts/review-publication-resolution-inbox-item.md, contracts/status-mapping.md, and artifacts/current-governance-inbox-inventory.md.
  • T003 Re-check existing Governance Inbox implementation in apps/platform/app/Filament/Pages/Governance/GovernanceInbox.php, apps/platform/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php, and apps/platform/resources/views/filament/pages/governance/governance-inbox.blade.php.
  • T004 Re-check Review Publication Resolution foundations in apps/platform/app/Models/ReviewPublicationResolutionCase.php, apps/platform/app/Models/ReviewPublicationResolutionStep.php, and apps/platform/app/Support/ReviewPublicationResolution/.
  • T005 Re-check authorization/link foundations in apps/platform/app/Policies/ReviewPublicationResolutionCasePolicy.php, apps/platform/app/Policies/OperationRunPolicy.php, and apps/platform/app/Support/OperationRunLinks.php.
  • T006 Confirm no implementation task requires panel provider registration, new top-level navigation, new global-search Resource, new Filament assets, or customer workspace changes.

Phase 2: Tests First

  • T007 [P] Create apps/platform/tests/Feature/Governance/Spec389GovernanceInboxResolutionIntakeTest.php with factories/helpers for visible workspace, environment, review, resolution case, current step, and viewer.
  • T008 [P] Add a test proving an active Review Publication Resolution Case appears in the Governance Inbox with operator-facing title, reason, environment, review context, and Continue preparation.
  • T009 [P] Add tests proving completed, cancelled, and superseded cases are hidden by default.
  • T010 [P] Add tests proving failed/blocked cases sort above needs-attention, needs-recheck, ready, and waiting cases.
  • T011 [P] Add tests proving needs_recheck appears for stale, unknown, hidden, unsafe, or too-expensive-to-classify state instead of false waiting/failed/ready precision.
  • T012 [P] Add RBAC/scope tests proving foreign workspace, foreign environment, inaccessible review, and customer-facing user cases are hidden with no leaked counts.
  • T013 [P] Add operation-link tests proving current/scope-valid/context-valid/RBAC-authorized operations can be linked and stale/cross-scope/cross-case/cross-review operations are not linked or disclosed.
  • T014 [P] Add action-safety and audit-neutrality tests proving the Inbox renders no publish, cancel, update reports, collect evidence, refresh review, prepare export, provider check, or Entra scan action and that list rendering emits no new audit event by default.

Phase 3: Provider and Mapping Core

  • T015 Implement a concrete ReviewPublicationResolutionInboxProvider in apps/platform/app/Support/GovernanceInbox/ or a tightly scoped builder method if that better fits the existing class.
  • T016 Query ReviewPublicationResolutionCase through workspace-first and environment-filtered constraints, using active case statuses by default.
  • T017 Eager-load only display-safe relationships needed for list rendering: tenant, environment review, assignee/creator if used, current steps, and candidate operation relation when necessary.
  • T018 Enforce ReviewPublicationResolutionCasePolicy::view or equivalent batch-safe visibility before mapping each item.
  • T019 Map each visible case to existing Governance Inbox source-entry fields using family_key=review_publication_resolution.
  • T020 Ensure safe metadata excludes raw provider, Graph, evidence/report/review payloads, exception messages, secrets, tokens, readiness fingerprints, proof reason codes by default, internal step keys by default, and unvalidated operation IDs.
  • T021 Ensure provider returns no customer-facing items and is never called from customer workspace surfaces.
  • T022 Implement the status mapping in contracts/status-mapping.md with allowed statuses only.
  • T023 Use Spec 388 proof/currentness summaries or resolver output where available; do not infer readiness from raw persisted metadata.
  • T024 Fall back to needs_recheck when currentness cannot be safely and cheaply classified.
  • T025 Compute viewer-relative ready_to_continue versus blocked using existing capability/policy/step-authorizer behavior without persisting inbox status.
  • T026 Hide completed/cancelled/superseded cases from the default active list.
  • T027 Revalidate OperationRun links with workspace, environment, review, case, current step, expected type, Spec 388 currentness/visibility/usability, and OperationRunPolicy::view.
  • T028 Ensure failed and waiting statuses are shown only when current/scope-valid/context-valid; otherwise show needs_recheck.
  • T029 Ensure OperationRun ID, label, URL, and Open operation are absent whenever validation fails.
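
A sketch of the fail-closed behaviour T024 and T027-T029 ask for, added here as an illustration and not taken from the TenantAtlas code base. Plain arrays stand in for the case and OperationRun models; the field names, the expected_type key, the outcome values, and the operationIsLinkable/operationState helpers are all assumptions, and only the operation-derived part of an item is covered.

```php
<?php
declare(strict_types=1);

// Added illustration: plain arrays stand in for the case and OperationRun models.
// All field names and the 'outcome' values are assumptions, not TenantAtlas attributes.

/** True only when every scope, context, currentness and RBAC check passes. */
function operationIsLinkable(array $case, array $op, callable $viewerCanView): bool
{
    foreach (['workspace_id', 'environment_id', 'review_id', 'case_id', 'step_id'] as $key) {
        // Strict comparison; a key missing on either side fails closed.
        if (!isset($case[$key], $op[$key]) || $case[$key] !== $op[$key]) {
            return false;
        }
    }

    return isset($op['id'], $op['type'], $case['expected_type'])
        && $op['type'] === $case['expected_type']
        && ($op['is_current'] ?? false) === true
        && $viewerCanView($op) === true;
}

/** Operation-derived part of an inbox item; operation fields exist only after validation. */
function operationState(array $case, array $op, callable $viewerCanView): array
{
    if (!operationIsLinkable($case, $op, $viewerCanView)) {
        return ['status' => 'needs_recheck']; // no operation ID, label or URL
    }

    $status = match ($op['outcome'] ?? null) {
        'failed' => 'failed',
        'running' => 'waiting',
        default => 'needs_recheck',
    };

    return ['status' => $status, 'operation' => ['id' => $op['id'], 'label' => 'Open operation']];
}

// Constructed sample data.
$case = ['workspace_id' => 1, 'environment_id' => 7, 'review_id' => 40, 'case_id' => 12,
    'step_id' => 3, 'expected_type' => 'evidence_collection'];
$current = ['id' => 900, 'type' => 'evidence_collection', 'is_current' => true, 'outcome' => 'failed']
    + $case;
$crossReview = ['review_id' => 41] + $current; // same workspace, different review
$allow = fn (array $op): bool => true;  // stands in for OperationRunPolicy::view
$deny = fn (array $op): bool => false;

echo json_encode(operationState($case, $current, $allow)), PHP_EOL;
echo json_encode(operationState($case, $crossReview, $allow)), PHP_EOL;
echo json_encode(operationState($case, $current, $deny)), PHP_EOL;
```

Only the first call yields a failed status with an operation entry; the cross-review and policy-denied calls return needs_recheck alone, so the rendered item cannot disclose that an operation exists.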

Phase 5: Governance Inbox UI Integration

  • T030 Add review_publication_resolution to the existing Governance Inbox source-family ordering and available family filter only when visible.
  • T031 Add bounded status and updated-date filtering for Review Publication Resolution items, reusing existing page query-string/filter conventions and without a generic resolution-type registry. Updated-date presets are Any time, Last 24 hours, Last 7 days, and Last 30 days.
  • T032 Add lane classification for the new family while preserving existing lane semantics and sorting.
  • T033 Render decision-first copy: title, status badge, environment, review reference, reason summary, next safe action, owner if available, and last update.
  • T034 Add the primary action label rules: Continue preparation, Inspect preparation, and narrowly validated Open operation.
  • T035 Add secondary Open review and optional Open operation links only when RBAC/scope/currentness validation permits them.
  • T036 Keep technical details collapsed or absent by default; do not render internal step keys, proof reason codes, readiness fingerprints, raw operation metadata, or raw payloads.
  • T037 Add or verify empty states for no active review publication work, no accessible review publication work, and no filter results.

Phase 6: Browser and UI Smoke

  • T038 [P] Add apps/platform/tests/Browser/Spec389GovernanceInboxResolutionIntakeSmokeTest.php if the browser harness is available for this feature.
  • T039 [P] Cover a visible review publication item with friendly title, reason, status, environment, and primary action.
  • T040 [P] Cover Continue preparation opening the existing Resolution Page.
  • T041 [P] Cover absence of publish and inline mutation buttons in the Inbox item.
  • T042 [P] Cover mobile viewport readability for the item.
  • T043 [P] Cover customer workspace or customer-facing route showing no internal resolution item.
  • T044 Capture screenshots under specs/389-governance-inbox-resolution-intake-v1/artifacts/screenshots/ when browser smoke is run.

Phase 7: Validation

  • T045 Run focused Governance Inbox feature tests: cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Governance/GovernanceInboxPageTest.php tests/Feature/Governance/Spec346GovernanceInboxOperatorWorkflowTest.php tests/Feature/Governance/Spec389GovernanceInboxResolutionIntakeTest.php.
  • T046 Run focused regression tests: cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/EnvironmentReview/Spec386ReviewPublicationResolutionWorkflowTest.php; cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/EnvironmentReview/Spec387ReviewPublicationResolutionDecisionUxTest.php tests/Feature/EnvironmentReview/Spec388ReviewPublicationProofCurrentnessTest.php.
  • T047 Run browser test if created: cd apps/platform && ./vendor/bin/sail artisan test tests/Browser/Spec389GovernanceInboxResolutionIntakeSmokeTest.php.
  • T048 Run formatting: cd apps/platform && ./vendor/bin/sail pint app/Support/GovernanceInbox/ReviewPublicationResolutionInboxProvider.php app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php app/Filament/Pages/Governance/GovernanceInbox.php tests/Feature/Governance/Spec389GovernanceInboxResolutionIntakeTest.php tests/Browser/Spec389GovernanceInboxResolutionIntakeSmokeTest.php.
  • T049 Run git diff --check from the repo root.
  • T050 Review the final diff for forbidden patterns: generic engine/registry, top-level nav, global-search Resource, inline mutation, publish action, customer leakage, raw payload leakage, operation ID disclosure, and unplanned migrations/schema changes.
  • T051 Confirm no migration/schema file was added, or verify spec.md and plan.md were updated with explicit index justification before the migration/schema change.
  • T052 Document validation commands actually run and any skipped browser/full-suite coverage in the PR close-out.

Dependencies

  • T001-T006 must complete before code edits.
  • T007-T014 should be written before implementation when practical.
  • T015-T021 provide the mapping core required by UI tasks.
  • T022-T029 must complete before operation links are rendered.
  • T030-T037 depend on provider/mapping output.
  • T038-T044 depend on UI integration.
  • T045-T052 close the implementation.

Parallel Work

  • T007-T014 can be split across test scenarios after fixtures are agreed.
  • T022-T029 can be reviewed independently from UI rendering after provider output exists.
  • T038-T043 can be added in parallel with final UI copy tuning once stable routes exist.

Definition of Done

  • Active Review Publication Resolution Cases appear in the existing Governance Inbox.
  • Completed/cancelled/superseded cases are hidden by default.
  • Failed/blocked items sort ahead of waiting/ready items.
  • Unknown, stale, hidden, unsafe, or expensive-to-classify state shows Needs re-check.
  • Items use decision-first labels.
  • Primary actions navigate only to existing authorized pages.
  • Operation links are scope/currentness/context/RBAC revalidated.
  • No inline mutation, cancel, or publish action exists.
  • Customer-facing users and surfaces see no internal resolution items.
  • Focused tests pass.
  • Browser smoke and screenshots are produced if the harness is available.
  • Final diff contains only Spec 389-related runtime and test changes.