ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
c3d331a507
TenantAtlas/specs/413-focused-pilot-gate-recheck/tasks.md
Ahmed Darrazi c3d331a507
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 1m10s
Details
feat: add 413 focused pilot gate recheck spec
2026-06-25 00:56:21 +02:00

14 KiB
Raw Blame History

Tasks: Spec 413 - Focused Pilot Gate Recheck

Input: specs/413-focused-pilot-gate-recheck/spec.md, plan.md, checklists/requirements.md, user-provided Spec 413 draft, Spec 407/412 context, Spec 412 implementation report, roadmap/spec-candidate truth, and Product Surface Contract.

Prerequisites: Working tree is clean or contains only user-approved planning changes for this spec package. Future execution must stop if unrelated dirty state appears.

Tests: No test files are created or modified. Existing tests may be run only as validation commands and must be reported exactly.

Organization: Tasks are grouped by gate execution phase. This is a read-only gate, not application implementation.

Execution Close-Out

  • Executed on 2026-06-24 as a read-only focused gate. Tasks below are checked when the required probe/report step was performed or when a missing live fixture/actor limitation was explicitly recorded with existing test proof.
  • No application code, tests, migrations, seeders, factories, routes, policies, config, views, generated assets, runtime data, docs outside this spec package, or completed specs were intentionally modified.
  • Gate result recorded in the assistant close-out report as PASS WITH CONDITIONS.

Test Governance Checklist

  • Test purpose is classified as Browser/read-only audit evidence.
  • Affected validation lanes are recorded before execution.
  • No new test family, fixture family, seed, factory, helper, or browser harness is created.
  • Browser proof is required as gate output.
  • Human Product Sanity and Product Surface close-out are recorded in the final report.
  • Final report states Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, browser/test result, deployment impact, visible complexity outcome, and no application implementation.

Phase 1: Baseline and Safety

Goal: Prove the gate starts from a known state and stays read-only.

  • T001 Read this spec package: spec.md, plan.md, tasks.md, and checklists/requirements.md.
  • T002 Confirm current branch, HEAD commit, dirty state, untracked files, and active environment.
  • T003 Run git diff --check before browser work and record result.
  • T004 Record base URL using repo/Laravel configuration or Laravel Boost URL tooling where available.
  • T005 Identify available actors/fixtures: workspace admin, customer reviewer, readonly/limited actor, unauthorized actor, cross-workspace actor, and system operator.
  • T006 Confirm no application code, tests, migrations, seeders, factories, routes, policies, config, views, generated assets, runtime data, docs outside this spec package, or completed specs will be edited.
  • T007 Stop if unrelated dirty state or unsafe environment conditions are present.

Phase 2: Spec 412 Claim Inspection

Goal: Turn Spec 412 claims into focused recheck targets.

  • T008 Read specs/407-full-browser-ux-runtime-audit/spec.md, plan.md, and tasks.md as historical context only.
  • T009 Read specs/412-pilot-readiness-remediation-pack/spec.md, plan.md, tasks.md, and implementation-report.md.
  • T010 Extract the Spec 412 claimed remediation for management PDF surfacing.
  • T011 Extract the Spec 412 claimed remediation for OperationRun index/detail browser navigation.
  • T012 Extract the Spec 412 claimed remediation for finding hash demotion.
  • T013 Extract the Spec 412 claimed remediation for readonly provider no-access clarity.
  • T014 Record Spec 412 tests/browser proof claimed and any unrelated residual failures documented there.
  • T015 Confirm Specs 407 and 412 remain completed/historical context and are not modified.

Phase 3: Route and Fixture Probe

Goal: Identify exact current routes, records, and actors for safe focused proof.

  • T016 List or inspect routes matching review, report, PDF, download, operation, finding, provider, connection, signed, and customer report paths.
  • T017 Identify a review pack with a ready stored management PDF, or record that no ready fixture exists.
  • T018 Identify stored report/report receipt state connected to the selected review pack, or record limitation.
  • T019 Identify authorized management PDF download/open route for the selected ready PDF, or record limitation.
  • T020 Identify unauthorized and cross-workspace report/PDF direct-route probes that do not expose private signed URLs in the final report.
  • T021 Identify valid signed report and unsigned/invalid report probes, or record limitation.
  • T022 Identify admin OperationRun index and at least one OperationRun detail route.
  • T023 Identify a finding detail route containing prior hash/fingerprint risk or equivalent technical identifiers.
  • T024 Identify readonly/limited provider-connection route and authorized comparison route.
  • T025 Identify customer review/report path connected to the PDF/report flow where available.

Phase 4: Management PDF and Report/PDF Recheck

Goal: Verify report/PDF state agreement and authorization remain safe.

Independent Test: The Report/PDF State Matrix contains ready, missing/failed/unavailable, authorized, unauthorized, cross-workspace, signed, and unsigned outcomes or explicit limitations.

  • T026 Open review pack detail for a ready stored management PDF and record expected vs observed primary action.
  • T027 Confirm ready PDF state shows ready/download/open and does not show "Generate management PDF" as primary. Live fixture was customer-limited/internal-preview only; recorded as a condition rather than a clean customer-safe positive proof.
  • T028 Compare review-pack UI state to stored report/report receipt state.
  • T029 Open/download existing management PDF as authorized admin where safe and record outcome without exposing private URL details. Live customer-safe open was unavailable by gate state; existing browser proof was recorded.
  • T030 Probe unauthorized direct PDF/download access and record authorization result.
  • T031 Probe cross-workspace PDF/download access and record authorization result.
  • T032 Open valid signed report route and record customer-safe result. Live signed customer output returned 404 by design for the limited fixture; existing browser proof was recorded.
  • T033 Open unsigned/invalid report route and record blocked/invalid-signature result.
  • T034 Record customer-safe report output checks for internal proof, raw IDs, raw OperationRun details, raw provider payloads, file paths, stack traces, and private URLs.

Phase 5: OperationRun Load Recheck

Goal: Verify operations pages complete usable browser navigation.

Independent Test: Browser proof table records operations index/detail load result, console/runtime state, and authorization outcome.

  • T035 Open admin operations index and record load completion, runtime status, console output, network failures, and any timeout distinction.
  • T036 Open OperationRun detail and record load completion, runtime status, console output, network failures, and any timeout distinction.
  • T037 Confirm no current OperationRun route 500 is observed.
  • T038 Confirm no fatal Livewire/Filament error appears.
  • T039 Check OperationRun proof links from related surfaces where available.
  • T040 Probe unauthorized or cross-workspace OperationRun access where safe and record authorization result.

Phase 6: Finding Detail Hash Recheck

Goal: Verify raw internal hashes are not default product content.

Independent Test: Browser proof records finding detail default body and where technical identifiers appear, if present.

  • T041 Open selected finding detail as authorized operator.
  • T042 Confirm default body does not prominently expose fingerprint hash.
  • T043 Confirm default body does not prominently expose scope hash or source fingerprint.
  • T044 Confirm technical hashes, if still present, are demoted to collapsed/support/operator/technical detail.
  • T045 Confirm customer-facing/default review context does not expose internal hash fields where available.
  • T046 Confirm human-readable finding triage information remains available.

Phase 7: Readonly Provider No-Access Recheck

Goal: Verify access remains denied and no-access is clearer/safe.

Independent Test: Browser proof records readonly route, authorized comparison, redirect/no-access behavior, and leak checks.

  • T047 Open provider-connection route as readonly/limited actor. No live same-workspace missing-capability actor existed; existing browser smoke proof and cross-workspace direct-route probe were recorded.
  • T048 Confirm actor remains blocked from unauthorized provider connection access.
  • T049 Confirm no confusing authenticated-user-to-login loop occurs.
  • T050 Confirm no provider, workspace, or record data leaks to non-entitled actors.
  • T051 Confirm no-access/missing permission/missing membership message is clearer and accurate where visible.
  • T052 Open authorized provider connection route for comparison where safe.

Phase 8: Focused Regression Checks

Goal: Catch adjacent regressions without widening into a full audit.

  • T053 Check customer-safe report output regression.
  • T054 Check evidence/currentness labels in report/review path.
  • T055 Check report lifecycle state display.
  • T056 Check OperationRun authorization regression.
  • T057 Check workspace/environment scoping regression.
  • T058 Check signed/unsigned report boundary regression.
  • T059 Check finding evidence/proof link regression.
  • T060 Check provider authorization boundary regression.
  • T061 Fill the Focused Regression Matrix with expected, observed, severity, and follow-up.

Phase 9: Gate Decision and Report

Goal: Produce the required gate report and stop before fixes.

  • T062 Fill the Spec 407/412 Recheck Matrix.
  • T063 Fill the Report/PDF State Matrix.
  • T064 Fill the Focused Regression Matrix.
  • T065 Fill Browser Proof table with surface, actor, workspace/environment, state, expected, result, and notes.
  • T066 Summarize runtime/backend logs, browser console, OperationRun route results, report route results, provider no-access route, and current 500/403/404 findings.
  • T067 Summarize authorization and customer-safe boundary results.
  • T068 List remaining findings by P0/P1/P2/P3 using the required finding fields.
  • T069 Set Focused Pilot Gate Result to PASS, PASS WITH CONDITIONS, or FAIL according to this spec.
  • T070 Fill Readiness Decision table for Spec 414, controlled pilot planning, customer-facing hardening, sales/demo scripted path, and broader customer claims.
  • T071 Record validation/audit commands run and exact results.
  • T072 Record dirty state after the gate, including tracked/untracked changes.
  • T073 Confirm no application implementation, code, tests, migrations, config, routes, views, policies, models, services, jobs, Filament resources/pages/widgets, Livewire components, Blade views, CSS, JavaScript, seeders, factories, lock files, generated assets, runtime data, docs outside this package, or completed specs were modified.
  • T074 State Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, browser/test result, deployment impact, visible complexity outcome, and no completed-spec rewrite assertion.
  • T075 Recommend next step: Spec 414 if gate passes, one bounded remediation spec if gate fails, or explicit exclusions if pass with conditions.

Explicit Non-Goals

  • NT001 Do not perform a full browser/UX/runtime audit.
  • NT002 Do not implement fixes.
  • NT003 Do not add or modify tests.
  • NT004 Do not modify application runtime files.
  • NT005 Do not create or mutate fixtures, seed data, database schema, provider connections, memberships, workspaces, environments, reports, restore runs, or runtime data intentionally.
  • NT006 Do not execute destructive/high-impact actions.
  • NT007 Do not expose private signed URLs, secrets, credentials, raw provider payloads, stack traces, or sensitive customer data in the final report.
  • NT008 Do not rewrite completed Specs 407 or 412 or remove validation, task, smoke, browser, screenshot, close-out, or review history from completed specs.

Dependencies and Execution Order

  • Phase 1 blocks all later phases.
  • Phase 2 must precede route/fixture probe.
  • Phase 3 must precede browser recheck.
  • Phases 4 through 8 may be executed in the safest practical order after route/fixture probe.
  • Phase 9 must happen last and must stop before remediation.

Recommended Future Execution Commands

Use Sail where possible and report exact outcomes:

git status --short --branch
git diff --name-only
git diff --check
git log -1 --oneline
cd apps/platform && ./vendor/bin/sail artisan route:list
cd apps/platform && ./vendor/bin/sail artisan test --filter=ReviewPack
cd apps/platform && ./vendor/bin/sail artisan test --filter=Report
cd apps/platform && ./vendor/bin/sail artisan test --filter=StoredReport
cd apps/platform && ./vendor/bin/sail artisan test --filter=ManagementReport
cd apps/platform && ./vendor/bin/sail artisan test --filter=Pdf
cd apps/platform && ./vendor/bin/sail artisan test --filter=OperationRun
cd apps/platform && ./vendor/bin/sail artisan test --filter=Finding
cd apps/platform && ./vendor/bin/sail artisan test --filter=ProviderConnection
cd apps/platform && ./vendor/bin/sail artisan test --filter=Authorization

Run only commands appropriate for the active local environment. Do not claim proof for commands not run.