ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
b3e6dfdb7c
TenantAtlas/specs/392-customer-output-gating-review-pack-navigation/tasks.md
ahmido dd7139ebe3 Spec392 customer output gating (#463) 
Implements Spec392 customer output gating for review pack downloads, rendered reports, management PDFs, and customer workspace CTAs.

Validation:
- php vendor/bin/pest --filter=Spec392: 12 passed / 58 assertions
- php vendor/bin/pest --filter='ReviewPack|CustomerReviewWorkspace|StoredReport': 283 passed / 1 skipped / 2053 assertions
- affected browser matrix: 12 passed / 420 assertions
- php vendor/bin/pint --dirty: pass
- git diff --check: pass

Notes:
- Deprecated limited-download semantics remain removed.
- Unsafe customer-facing output returns 403/no output.
- Internal preview/report access is operator-only.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #463
2026-06-20 20:54:50 +00:00

189 lines
16 KiB
Markdown
Raw Blame History

# Tasks: Spec 392 - Customer Output Gating & Review Pack Navigation v1
**Input**: `specs/392-customer-output-gating-review-pack-navigation/spec.md` and `plan.md`
**Prerequisites**: Spec artifacts prepared; implementation must start from repo-truth verification and must not modify completed context specs.
**Tests**: Required. This is a customer-output trust boundary and route-gating change with Unit, Feature/HTTP, Filament/Livewire, and bounded Browser proof.
## Test Governance Checklist
- [x] Lane assignment is named and narrow: Unit for gate derivation, Feature/HTTP for direct routes, Filament/Livewire for action labels/state, Browser for final trust-path proof.
- [x] New or changed tests stay in the smallest honest family; Browser coverage is one explicit Spec 392 smoke file.
- [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default.
- [x] Planned validation commands cover the change without pulling unrelated heavy-governance cost.
- [x] The declared surface profile is customer-safe strategic review surface + artifact download route.
- [x] Any unreachable safe/unsafe state is documented in the active spec package rather than faked.
## Phase 1: Repo Truth And Action Inventory
**Purpose**: Confirm all output paths before changing behavior and prevent reopening completed specs.
- [x] T001 Re-read `specs/392-customer-output-gating-review-pack-navigation/spec.md`, `plan.md`, `tasks.md`, and `checklists/requirements.md`.
- [x] T002 Re-read completed context specs as read-only inputs only: `specs/342-customer-review-workspace-final-consumption-productization`, `specs/347-review-pack-output-contract-readiness-semantics`, `specs/351-review-output-resolve-actions-v1`, and `specs/372-customer-auditor-surface-safety-pass`.
- [x] T003 Re-read `specs/browser-productization-bug-audit/browser-bug-report.md` and confirm BUG-007 remains in scope as a CTA truthfulness defect.
- [x] T004 Confirm current branch and dirty state with `git status --short --branch` and `git log -1 --oneline`.
- [x] T005 Inventory every customer-output open/download action or route in `apps/platform/app`, `apps/platform/routes`, `apps/platform/resources`, and `apps/platform/lang` using search terms from the spec.
- [x] T006 Record the action inventory in the implementation notes or PR close-out: label, page/route, destination, current visibility condition, current authorization, customer-facing/internal classification, and whether it streams/renders/links output.
- [x] T007 Inspect existing readiness/disclosure sources before adding a new helper:
- `apps/platform/app/Support/ReviewPacks/ReviewPackOutputReadiness.php`
- `apps/platform/app/Support/ReviewPacks/ReviewPackOutputResolutionGuidance.php`
- `apps/platform/app/Support/ReviewPacks/ReportDisclosurePolicy.php`
- [x] T008 Inspect current route/controller behavior:
- `apps/platform/app/Http/Controllers/ReviewPackDownloadController.php`
- `apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php`
- `apps/platform/app/Http/Controllers/ManagementReportPdfDownloadController.php`
- `apps/platform/routes/web.php`
- [x] T009 Inspect current UI/action behavior:
- `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`
- `apps/platform/resources/views/filament/pages/reviews/customer-review-workspace.blade.php`
- `apps/platform/app/Filament/Resources/ReviewPackResource.php`
- `apps/platform/app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php`
- `apps/platform/app/Filament/Resources/EnvironmentReviewResource.php`
- `apps/platform/app/Filament/Resources/EnvironmentReviewResource/Pages/ViewEnvironmentReview.php`
- `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php`
- `apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php`
- [x] T010 Confirm no migration, package, env var, queue, scheduler, storage topology, Graph scope, panel-provider, route family, report renderer, or customer portal change is required; stop and update spec/plan if false.
- [x] T011 Confirm Filament v5 / Livewire v4.0+ compliance and no Filament v3/v4 or Livewire v3 APIs.
- [x] T012 Confirm panel provider registration remains `apps/platform/bootstrap/providers.php`.
- [x] T013 Confirm no global-search participation is added or changed.
## Phase 2: Gate Contract And Unit Tests
**Purpose**: Define customer-output safety once and prove its state mapping before route/UI changes.
- [x] T014 Add or update focused Unit tests for the customer-output gate under `apps/platform/tests/Unit/Support/ReviewPacks/` or the narrowest existing support test family.
- [x] T015 Test `Ready` when review output is published, customer-safe, current, artifact-backed, and authorized.
- [x] T016 Test `Blocked` when PII/unredacted sensitive data or explicit internal-only output blocks customer-facing output.
- [x] T017 Test `Needs attention` or `Blocked` for limitations-bearing, incomplete evidence, required-section gaps, disclosure missing, or publish-blocker states according to existing severity.
- [x] T018 Test `Not configured` for missing output artifact or unavailable customer workspace.
- [x] T019 Test `Expired` for expired, stale, revoked, superseded, or archived output where repo-backed fields exist.
- [x] T020 Test `Unknown` when safety cannot be determined from current repo truth.
- [x] T021 Test permission denial blocks customer output even if output is otherwise safe.
- [x] T022 Test permission grant does not override unsafe customer output.
- [x] T023 Implement the narrowest customer-output gate/result adapter only if existing helpers cannot serve route and UI needs directly.
- [x] T024 Ensure any new gate/result adapter reuses existing readiness/disclosure helpers and remains non-persistent.
- [x] T025 Ensure gate evaluation is DB/storage-backed only and performs no Graph or remote calls.
## Phase 3: Route Enforcement
**Purpose**: Prevent direct-route bypass before relying on UI state.
- [x] T026 Add Feature/HTTP tests under `apps/platform/tests/Feature/ReviewPack/` or the narrowest existing family proving safe `ReviewPackDownloadController` downloads succeed and audit.
- [x] T027 Add Feature/HTTP tests proving PII, limitations, missing, failed, expired, superseded, archived, and unknown customer-output states do not stream a Review Pack file through direct URL access.
- [x] T028 Update `apps/platform/app/Http/Controllers/ReviewPackDownloadController.php` to enforce the customer-output gate before file streaming.
- [x] T029 Add or update Feature/HTTP tests for `ReviewPackRenderedReportController` proving blocked output does not render customer-facing download/open actions or customer-safe report claims.
- [x] T030 Update `apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php` to consume the same gate for customer-facing rendered report output and action labels.
- [x] T031 Inspect `apps/platform/app/Http/Controllers/ManagementReportPdfDownloadController.php`; classify it as customer-facing or internal-only using the spec/plan criteria, record the decision in implementation notes or PR close-out, and if customer-facing add equivalent gate tests and enforcement.
- [x] T032 Add or update route regression tests proving wrong workspace/environment access remains 404 deny-as-not-found and entitled-member missing-capability access remains 403 for `ReviewPackDownloadController`, `ReviewPackRenderedReportController`, and `ManagementReportPdfDownloadController` if customer-facing.
- [x] T033 Preserve existing workspace membership 404, managed-environment entitlement checks, capability 403, artifact status, expiry, file existence, and audit behavior while adding gate checks.
- [x] T034 Ensure blocked direct access returns 403, 404 deny-as-not-found, or safe admin redirect without file content and without sensitive details.
- [x] T035 Add or update audit assertions for successful customer-output downloads and internal-preview downloads if internal preview is implemented.
## Phase 4: Customer Workspace And Review Pack Action Labels
**Purpose**: Make every customer-output CTA truthful by destination and safety state.
- [x] T036 Add or update Filament/Livewire tests proving `Open customer workspace` opens only `CustomerReviewWorkspace` and never Review Pack detail.
- [x] T037 Add or update Filament/Livewire tests proving Review Pack detail links are labelled `Open review pack`.
- [x] T038 Update `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php` so customer-workspace CTA labels match actual destinations.
- [x] T039 Update `apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php` only if current links can still label internal artifact/detail routes as customer workspace.
- [x] T040 Update `apps/platform/app/Filament/Resources/EnvironmentReviewResource.php` and related view page only where customer workspace / review pack / report action labels are misleading.
- [x] T041 Update `apps/platform/app/Filament/Resources/ReviewPackResource.php` and `apps/platform/app/Filament/Resources/ReviewPackResource/Pages/ViewReviewPack.php` so customer output, internal preview, rendered report, and review pack labels match destinations and gate state.
- [x] T042 Update `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php` and `apps/platform/resources/views/filament/pages/reviews/customer-review-workspace.blade.php` so the primary customer-output action appears only when the gate permits it.
- [x] T043 Ensure affected pages show one top-level customer output state by default: `Ready`, `Needs attention`, `Blocked`, `Not configured`, `Expired`, or `Unknown`.
- [x] T044 Ensure blocked states show one concise reason and avoid implementation terms such as artifact payload, detector, source key, operation failure, fingerprint, or raw policy internals in default copy.
## Phase 5: Internal Preview Separation
**Purpose**: Keep operator-only preview useful without presenting it as customer output.
- [x] T045 Add or update tests proving deprecated limited-download copy is absent from customer-facing pages and reports.
- [x] T046 If a limitations-bearing artifact remains accessible, relabel it as `Download internal preview` in `apps/platform/lang/en/localization.php` and `apps/platform/lang/de/localization.php`.
- [x] T047 Gate internal preview behind internal/operator permission and ensure it is secondary, not the primary customer-facing action.
- [x] T048 Add tests proving customer/read-only users cannot see or access internal preview.
- [x] T049 Add tests proving internal preview direct route/action cannot be used as customer-output bypass.
- [x] T050 Ensure customer-output labels are not used for limitations-bearing or internal-only artifacts.
## Phase 6: Customer-Safe Disclosure And Proof Demotion
**Purpose**: Preserve audit depth while preventing default customer-facing proof leakage.
- [x] T051 Add or update Feature/Browser assertions that customer-facing surfaces do not show raw IDs, source keys, fingerprints, raw payloads, OperationRun internals, baseline internals, detector names, or report-generation metadata by default.
- [x] T052 Keep technical proof reachable only through existing internal/audit/detail actions where authorized.
- [x] T053 Ensure proof/action labels use `View audit trail`, `View technical details`, or similar internal labels, not customer-output labels.
- [x] T054 Remove duplicated visible readiness/status badges where they compete with the canonical customer-output state on affected surfaces.
## Phase 7: Localization, UI Coverage, And Regression Guards
**Purpose**: Align copy and active feature artifacts without broad docs churn.
- [x] T055 Update only required localization keys in `apps/platform/lang/en/localization.php` and `apps/platform/lang/de/localization.php`.
- [x] T056 Update targeted tests that assert current copy so they assert semantics rather than stale unsafe labels.
- [x] T057 Decide after runtime diff whether existing page reports under `docs/ui-ux-enterprise-audit/page-reports/` require updates; update only materially affected page reports.
- [x] T058 Document no-count-change/no-archetype-change if `route-inventory.md` and `design-coverage-matrix.md` remain unchanged.
- [x] T059 Do not create general documentation files outside required Spec Kit/UI coverage artifacts.
## Phase 8: Browser Smoke And Direct URL Proof
**Purpose**: Prove the user-visible trust path after targeted tests pass.
- [x] T060 Add `apps/platform/tests/Browser/Spec392CustomerOutputGatingSmokeTest.php` using existing review-output fixture helpers where practical.
- [x] T061 Browser state: safe output; assert `Open customer workspace` opens actual Customer Review Workspace and `Download customer output` succeeds only in ready state.
- [x] T062 Browser state: unsafe/limited output; assert customer output is blocked, reason is visible, and no customer-facing deprecated limited-download copy appears.
- [x] T063 Browser state: internal preview if present; assert label is internal, secondary, and hidden from customer/read-only mode.
- [x] T064 Browser state: dashboard CTA; assert a link labelled `Open customer workspace` does not land on Review Pack detail.
- [x] T065 Direct URL proof: assert blocked output direct route returns no file content.
- [x] T066 Browser harness did not capture Spec 392 screenshots; no screenshot artifacts were added.
## Phase 9: Validation And Close-Out
**Purpose**: Prove the implementation and record deployment impact clearly.
- [x] T067 Attempt Sail validation; Docker was not running, so run the equivalent local Pest Spec 392 gate/route/architecture validation.
- [x] T068 Run targeted existing regressions based on touched surfaces, at minimum `CustomerReviewWorkspace`, `ReviewPack`, and `StoredReport` filters if those surfaces changed.
- [x] T069 Run local Pest Browser validation for `tests/Browser/Spec392CustomerOutputGatingSmokeTest.php` because Docker/Sail was unavailable.
- [x] T070 Run `cd apps/platform && php vendor/bin/pint --dirty`.
- [x] T071 Run `git diff --check`.
- [x] T072 Confirm no migrations, seeders, packages, env vars, queues, scheduler, storage topology, Graph contracts/calls, panel providers, new route family, customer portal, report renderer, or legacy compatibility path were added.
- [x] T073 Confirm final Livewire v4 compliance, provider registration location, global-search posture, destructive/high-impact action status, asset strategy, tests, deployment impact, and Guardrail / Exception / Smoke Coverage in the implementation close-out response.
## Dependencies
- Phase 1 must complete before runtime implementation.
- Phase 2 gate tests should land before or alongside route enforcement.
- Phase 3 route enforcement must complete before UI-only assumptions are considered safe.
- Phase 4 and Phase 5 can proceed in parallel after the gate decision shape is stable.
- Phase 8 runs after targeted tests and route enforcement are implemented.
- Phase 9 closes the feature.
## Parallel Execution Examples
- T007, T008, and T009 can be split by repo surface during inspection.
- T026-T031 can be split by route/controller after the gate API is stable.
- T038-T042 can be split by UI surface if no shared helper conflict exists.
- T055-T058 can run after labels and UI diff are known.
## Non-Goals / Stop Conditions
- Stop if implementation requires a new persisted readiness table, new customer portal, new report renderer, new review publication workflow, new route family, or broad Customer Review Workspace redesign.
- Stop if management-report PDF production enablement becomes necessary; that belongs to Spec 379 follow-through.
- Stop if internal preview requires a new capability model not expressible by current capabilities; update spec/plan first.
- Stop if route gating cannot be implemented without changing artifact lifecycle/retention semantics; promote a separate lifecycle spec.
- Do not rewrite, normalize, uncheck, or remove implementation history from completed Specs 342, 347, 351, 372, or browser audit artifacts.
## Required Final Report Content For Later Implementation
When implementation later completes, report:
- Changed behavior.
- Customer-output gate states and blocking reasons.
- Route enforcement results for safe and unsafe output.
- CTA label/destination corrections.
- Internal preview behavior, if present.
- RBAC/context behavior.
- Files changed.
- Tests run and results.
- Browser smoke and screenshot path.
- Known gaps and follow-up specs.
- Full suite run/not run.
- Explicit no migrations/packages/env/queues/scheduler/storage/deployment assets/Graph/panel-provider/destructive-action/backcompat/new-customer-portal statement.
Reference in New Issue View Git Blame Copy Permalink