TenantAtlas/specs/403-evidence-anchor-currentness-runtime-closure/tasks.md
Ahmed Darrazi c737fd65a0
feat: add evidence anchor runtime closure contract proofs
2026-06-23 17:11:38 +02:00


# Tasks: Spec 403 - Evidence Anchor & Currentness Runtime Closure

**Input**: `specs/403-evidence-anchor-currentness-runtime-closure/spec.md`, `plan.md`, `checklists/requirements.md`, user-provided Spec 403 draft, Spec 400 context, Spec 402 implementation report, Product Surface Contract, and repo truth.

**Tests**: Required. This spec changes or verifies runtime evidence/currentness behavior and rendered product claims, so it must include focused Pest Unit/Feature/Filament tests plus focused browser proof for representative rendered paths.

**Completion note**: Tasks covering untouched downstream surfaces are closed by repo-truth inventory, the Evidence/Currentness Coverage Matrix, existing focused proof, and explicit P2 deferrals in `implementation-report.md`. Direct runtime edits were limited to Evidence Overview proof-state/currentness presentation, current-anchor missing/stale/empty-dimension guards, OperationRun default-link demotion, Customer Review Workspace canonical status and status-like decision-title presentation, canonical Evidence Inventory outcome mapping, and Evidence Snapshot artifact-truth classification for missing dimensions. Non-status action headings such as `Draft review exists` remain outside the canonical status-vocabulary claim.
## Test Governance Checklist
- [x] Lane assignment is named and is the narrowest sufficient proof for changed evidence/currentness behavior.
- [x] New or changed tests stay in focused Unit, Feature/Filament, and Browser families; heavy-governance additions are explicit if any.
- [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default; any widening is isolated or documented.
- [x] Planned validation commands cover evidence/currentness closure without pulling unrelated full-suite cost.
- [x] The declared surface test profile or `standard-native-filament` relief is explicit.
- [x] Browser proof covers representative rendered evidence/currentness behavior and does not claim full browser audit.
- [x] Human Product Sanity and Product Surface implementation-report close-out are completed.
- [x] Any material budget, baseline, trend, or escalation note is recorded in the implementation report.
## Phase 1: Preparation And Dirty-State Baseline
**Purpose**: Establish safe starting conditions and read all governing context before runtime edits.
- [x] T001 Read `specs/403-evidence-anchor-currentness-runtime-closure/spec.md`, `plan.md`, `tasks.md`, and `checklists/requirements.md`.
- [x] T002 Record current branch, HEAD, dirty state, tracked changed files, untracked files, and `git diff --check` in `specs/403-evidence-anchor-currentness-runtime-closure/implementation-report.md`.
- [x] T003 Re-read `AGENTS.md`, `.specify/memory/constitution.md`, `.specify/README.md`, `docs/ai-coding-rules.md`, `docs/security-guidelines.md`, `docs/testing-guidelines.md`, `docs/architecture-guidelines.md`, `docs/filament-guidelines.md`, and `docs/product/standards/product-surface-contract.md`.
- [x] T004 Re-read `specs/388-resolution-proof-currentness-contract-v1/`, `specs/393-evidence-anchor-reconciliation-v1/`, `specs/400-product-contract-spec-completeness-audit/`, `specs/401-high-risk-admin-action-proof-pack/implementation-report.md`, and `specs/402-resource-policy-authorization-proof-matrix/implementation-report.md` as read-only context; preserve completed-spec history.
- [x] T005 Confirm Spec 402 has no unresolved P0/P1 authorization blocker before making Spec 403 runtime changes; record any residual authorization proof debt that affects evidence links.
- [x] T006 Confirm no new product vocabulary, routes, navigation, customer output category, report/PDF runtime, evidence provider, migration, package, env var, queue/scheduler/storage change, asset registration, or broad browser audit will be included.
## Phase 2: Repo Truth Inventory
**Purpose**: Build the matrix from current code and tests before fixing labels or helpers.
- [x] T007 Inventory evidence anchor/currentness helpers in `apps/platform/app/Services/Evidence/EvidenceAnchorResolver.php`, `EvidenceAnchorResult.php`, `EvidenceSnapshotResolver.php`, `EvidenceSnapshotService.php`, `apps/platform/app/Support/Evidence/EvidenceSnapshotStatus.php`, and `EvidenceCompletenessState.php`.
- [x] T008 Inventory Evidence Overview behavior in `apps/platform/app/Filament/Pages/Monitoring/EvidenceOverview.php`, including current evidence link resolution, workspace-wide behavior, explicit environment filter behavior, empty states, and row URLs.
- [x] T009 Inventory Evidence Snapshot resource behavior in `apps/platform/app/Filament/Resources/EvidenceSnapshotResource.php` and nested pages, including stale/partial/failed/missing/expired display and authorization.
- [x] T010 Inventory Customer Review Workspace behavior in `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php`, especially customer-safe evidence summaries, package/download state, internal proof suppression, and environment filters.
- [x] T011 Inventory Environment Review and Review Publication Resolution behavior in `apps/platform/app/Filament/Resources/EnvironmentReviewResource.php`, nested pages, and `resolve-review-publication.blade.php`, including Spec 388 proof-currentness fields.
- [x] T012 Inventory Review Pack and Stored Report behavior in `apps/platform/app/Filament/Resources/ReviewPackResource.php` and `StoredReportResource.php`, including generated/released evidence basis, report receipt/output links, and OperationRun proof links.
- [x] T013 Inventory OperationRun proof links and access checks in `OperationRunLinks`, `OperationRunPolicy`, Monitoring/Operations pages, and any proof links emitted by review/report/restore/baseline/finding surfaces.
- [x] T014 Inventory restore readiness/proof behavior in `apps/platform/app/Filament/Resources/RestoreRunResource.php`, restore presenters, and restore proof Blade views.
- [x] T015 Inventory baseline compare/evidence behavior in `BaselineCompareMatrix`, baseline resources, baseline evidence providers, and related tests.
- [x] T016 Inventory finding/governance evidence references in finding resources, finding exception evidence references, governance inbox/register surfaces, and related tests.
- [x] T017 Inventory existing tests under `apps/platform/tests/` for evidence overview/resource, Spec 388, Spec 393, customer review workspace, review packs, stored reports, OperationRun access, restore readiness, baseline evidence, finding evidence, and browser proof.
- [x] T018 Inventory repo-real provider freshness or permission-limited state contracts that already affect evidence quality/currentness, and record whether each contract is provider-owned diagnostic detail or platform-core evidence semantics.
## Phase 3: Evidence/Currentness Coverage Matrix
**Purpose**: Create the proof matrix before runtime fixes.
- [x] T019 Create `specs/403-evidence-anchor-currentness-runtime-closure/implementation-report.md` with sections A through M from `spec.md`.
- [x] T020 Add the Evidence/Currentness Coverage Matrix with columns: Surface, Evidence Source, Currentness Source, Released Snapshot Source, Customer-safe Boundary, Internal-only Data Risk, Workspace/Environment Scope, Authorization Mechanism, Test Proof, Browser Proof, Status, Risk, Follow-up.
- [x] T021 Classify Evidence Overview rows and links for current, stale, missing, failed, partial, expired, superseded, wrong-workspace, wrong-environment, unauthorized, and workspace-wide no-environment states.
- [x] T022 Classify Evidence Snapshot detail/list surfaces for stale, failed, partial, missing, expired, source/detail disclosure, and technical proof demotion.
- [x] T023 Classify Review Pack, Environment Review, Customer Review Workspace, and Stored Report surfaces for current runtime evidence versus released/generated evidence.
- [x] T024 Classify customer-safe boundaries for review workspace, review pack output, report output, and any customer-facing labels or downloads.
- [x] T025 Classify OperationRun proof links for authorization, workspace/environment scope, failed/running/cancelled/blocked/succeeded distinction, and customer-safe visibility.
- [x] T026 Classify findings/governance references for current, released/historical, missing, failed, blocked, or needs-attention evidence.
- [x] T027 Classify baseline compare and restore readiness/proof surfaces for stale/missing/failed/partial/expired currentness claims.
- [x] T028 Mark each matrix row as `PASS`, `PASS WITH EXCEPTION`, `MISSING PROOF`, `DEFECT FOUND`, `PRODUCT DECISION REQUIRED`, or `DEFERRED`, with P0/P1/P2/P3/None risk.
- [x] T029 Add matrix rows for any provider freshness or permission-limited evidence-currentness contracts discovered in T018, including source, customer-safe boundary, authorization mechanism, and test proof or deferral.
## Phase 4: Gap Classification
**Purpose**: Decide whether each matrix issue needs a test, a runtime fix, a product decision, or a deferral.
- [x] T030 Classify P0 defects where customer-safe output leaks internal proof, false currentness is shown, released output claims live/current state, or unauthorized evidence/OperationRun proof is accessible.
- [x] T031 Classify P1 missing proof where behavior may be safe but lacks direct tests for critical current/released/customer-safe/OperationRun/scoping paths.
- [x] T032 Classify P2/P3 productization or cleanup debt separately from safety blockers.
- [x] T033 Classify missing product decisions using the categories from the spec draft: blocks customer-output claim, blocks currentness claim, blocks internal proof claim, blocks review-pack/release claim, or can defer.
- [x] T034 Confirm no matrix gap is solved by inventing a new product vocabulary, new status family, new route, or new evidence taxonomy.
- [x] T035 Stop and update spec/plan before implementing if a fix requires new persistence, migrations, a broad proof framework, new evidence provider, report/PDF runtime, provider integration, or lifecycle semantics.
## Phase 5: Tests First - Current Evidence And Anchors
**Purpose**: Prove current evidence behavior before changing runtime code.
- [x] T036 Add or update focused tests for `EvidenceAnchorResolver` proving current evidence is selected only when active, complete, with usable captured dimensions, without missing/stale dimensions, non-expired, scoped to workspace/environment, and authorized.
- [x] T037 Add or update tests proving stale, expired, failed, partial, queued, generating, superseded, wrong-workspace, wrong-environment, and missing evidence cannot produce a current evidence link.
- [x] T038 Add or update Feature/Filament tests for `EvidenceOverview` proving workspace-wide views do not choose arbitrary current evidence and environment-filtered views link only authorized scoped current evidence.
- [x] T039 Add or update Evidence Snapshot resource tests proving stale/partial/failed/missing/expired evidence labels do not imply current/complete/verified proof.
- [x] T040 Add or update cross-workspace and cross-environment denial tests for evidence anchor direct URLs and proof links.
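
The selection rule that T036 through T038 ask the tests to prove (and that T055 closes at runtime) can be sketched as a fail-closed function. This is an added illustration, not the project's `EvidenceAnchorResolver`; the `Snapshot` class, its field and state names, and the `$canView` callback (standing in for the policy check) are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration: class, field, and state names are assumptions, not the project's schema.
final class Snapshot
{
    public function __construct(
        public readonly int $id,
        public readonly int $workspaceId,
        public readonly int $environmentId,
        public readonly string $status,       // active | queued | generating | failed | superseded
        public readonly string $completeness, // complete | partial | missing
        public readonly array $dimensions,    // name => captured | missing | stale
        public readonly DateTimeImmutable $capturedAt,
        public readonly ?DateTimeImmutable $expiresAt,
    ) {}
}

// Returns why a snapshot cannot back a "current evidence" link, or null when it can.
function currentnessBlocker(Snapshot $s, int $workspaceId, int $environmentId, DateTimeImmutable $now): ?string
{
    // Scope is checked first so out-of-scope records never influence the result.
    if ($s->workspaceId !== $workspaceId) { return 'wrong-workspace'; }
    if ($s->environmentId !== $environmentId) { return 'wrong-environment'; }
    if ($s->status !== 'active') { return $s->status; }
    if ($s->completeness !== 'complete') { return $s->completeness; }
    if ($s->dimensions === []) { return 'empty-dimensions'; }
    foreach ($s->dimensions as $name => $state) {
        if ($state !== 'captured') { return "{$state}-dimension:{$name}"; }
    }
    if ($s->expiresAt !== null && $s->expiresAt <= $now) { return 'expired'; }
    return null;
}

// Fail-closed selection: null means "render no current-evidence link".
function resolveCurrentAnchor(array $snapshots, int $workspaceId, ?int $environmentId, callable $canView, DateTimeImmutable $now): ?Snapshot
{
    if ($environmentId === null) {
        return null; // workspace-wide view: never pick an arbitrary environment's evidence
    }
    $eligible = array_values(array_filter(
        $snapshots,
        fn (Snapshot $s): bool => currentnessBlocker($s, $workspaceId, $environmentId, $now) === null && $canView($s),
    ));
    // Newest eligible snapshot wins; there is no fallback to the newest ineligible one.
    usort($eligible, fn (Snapshot $a, Snapshot $b): int => $b->capturedAt <=> $a->capturedAt);
    return $eligible[0] ?? null;
}

// Constructed sample data.
$now = new DateTimeImmutable('2026-06-23T12:00:00Z');
$ok = ['policies' => 'captured', 'roles' => 'captured'];
$snapshots = [
    new Snapshot(1, 10, 100, 'active', 'complete', $ok, $now->modify('-2 days'), $now->modify('+5 days')),
    new Snapshot(2, 10, 100, 'active', 'complete', ['policies' => 'captured', 'roles' => 'stale'], $now->modify('-1 hour'), null),
    new Snapshot(3, 10, 100, 'failed', 'partial', $ok, $now->modify('-10 minutes'), null),
    new Snapshot(4, 10, 100, 'active', 'complete', $ok, $now->modify('-9 days'), $now->modify('-1 day')),
    new Snapshot(5, 99, 100, 'active', 'complete', $ok, $now->modify('-1 minute'), null),
];
$allow = fn (Snapshot $s): bool => true;
$deny = fn (Snapshot $s): bool => false;

foreach ($snapshots as $s) {
    printf("snapshot %d: %s\n", $s->id, currentnessBlocker($s, 10, 100, $now) ?? 'eligible');
}
var_dump(resolveCurrentAnchor($snapshots, 10, 100, $allow, $now)?->id);  // environment-filtered view
var_dump(resolveCurrentAnchor($snapshots, 10, null, $allow, $now)?->id); // workspace-wide view
var_dump(resolveCurrentAnchor($snapshots, 10, 100, $deny, $now)?->id);   // viewer not authorized
```
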
## Phase 6: Tests First - Released And Customer-Safe Proof
**Purpose**: Prove released/customer-safe behavior before runtime changes.
- [x] T041 Add or update tests proving released review-pack evidence stays bound to the released review/pack and does not query arbitrary latest current evidence.
- [x] T042 Add or update tests proving report receipts/output identify generated/released evidence and do not claim live/current runtime state unless an existing contract explicitly says so.
- [x] T043 Add or update Customer Review Workspace tests proving customer-safe output hides EvidenceSnapshot routes, evidence IDs, source keys, detectors, fingerprints, raw provider payloads, OperationRun URLs, internal reason families, and raw diagnostics by default.
- [x] T044 Add or update tests proving missing, failed, stale, expired, or partial released evidence is represented as `Not configured`, `Needs attention`, `Failed`, `Blocked`, or `Expired` rather than customer-safe ready.
- [x] T045 Add or update tests proving newer runtime evidence does not silently rewrite released review/report proof and does not invalidate released evidence without clear existing-contract labeling.
## Phase 7: Tests First - OperationRun, Restore, Baseline, Finding, And Report Proof
**Purpose**: Prove proof-link and downstream readiness claims are scoped and truthful.
- [x] T046 Add or update OperationRun proof tests proving failed, cancelled, blocked, running, stale, wrong-workspace, and wrong-environment runs cannot render as successful current proof.
- [x] T047 Add or update tests proving OperationRun proof links are demoted from the Evidence Overview default proof path and remain hidden or denied when `OperationRunPolicy` or environment entitlement does not allow access.
- [x] T048 Add or update restore readiness/proof tests proving stale/missing/failed/partial/expired preview/check/proof state is not presented as current executable readiness.
- [x] T049 Add or update baseline compare/evidence tests proving stale/missing/failed/partial baseline proof is not presented as current compare proof.
- [x] T050 Add or update finding/governance reference tests proving evidence references distinguish current, released/historical, missing, failed, blocked, or needs-attention proof where applicable.
- [x] T051 Add or update stored report/report output tests proving failed/missing/incomplete reports do not support customer-safe ready proof.
- [x] T052 Add or update tests proving provider freshness or permission-limited state affects evidence/currentness claims only where an existing repo contract connects that provider state to evidence quality, and is otherwise classified as product-decision or follow-up debt.
## Phase 8: Minimal Runtime Closure
**Purpose**: Fix only confirmed defects using existing architecture.
- [x] T053 Update existing evidence/currentness helpers or call sites only where tests prove a false, unsafe, or unscoped claim.
- [x] T054 Correct misleading labels that show stale, failed, partial, missing, expired, or released proof as current, complete, ready, verified, or live.
- [x] T055 Remove or replace arbitrary-latest evidence fallback selectors from product-facing current-evidence surfaces.
- [x] T056 Ensure customer-safe surfaces consume customer-safe summaries and never emit raw evidence/OperationRun technical links by default.
- [x] T057 Ensure released review/report surfaces use release-bound/generated evidence basis and label it separately from current runtime evidence.
- [x] T058 Ensure OperationRun proof is treated as execution/history proof, with default Evidence Overview links demoted and remaining technical OperationRun routes still using existing scoped URL helpers and policies.
- [x] T059 Ensure restore/baseline/finding/report proof labels consume existing readiness/evidence truth rather than inferring success from stale or partial data.
- [x] T060 Keep all Graph/provider calls out of render-time code paths.
- [x] T061 Do not add compatibility aliases, old labels, fallback readers, duplicate UI, or legacy fixtures that preserve wrong evidence/currentness behavior.
## Phase 9: Product Surface And Human Sanity
**Purpose**: Keep rendered behavior calm, customer-safe, and contract-compliant.
- [x] T062 Review and update `docs/ui-ux-enterprise-audit/route-inventory.md` and `docs/ui-ux-enterprise-audit/design-coverage-matrix.md` for touched existing surfaces if runtime UI files or reachable evidence/status semantics change; otherwise record that existing registry entries were reviewed and remain current.
- [x] T063 Confirm Product Surface Contract fields in `implementation-report.md`: no-legacy, UI impact, page archetype, surface budgets, Technical Annex demotion, canonical status vocabulary for proof/readiness and Evidence Inventory outcomes, Product Surface exceptions, visible complexity outcome, browser proof, Human Product Sanity, and UI coverage registry result.
- [x] T064 Confirm no Product Surface exception is required; if one is required, document page, violated rule/budget, reason, and follow-up.
- [x] T065 Run Human Product Sanity on touched customer-safe/readiness/evidence surfaces and record result.
- [x] T066 Confirm visible complexity is neutral or decreased; document any approved increase.
- [x] T067 Confirm no completed historical spec was rewritten, normalized, unchecked, or stripped of close-out/validation/browser history.
## Phase 10: Focused Browser Proof
**Purpose**: Verify representative rendered evidence/currentness behavior without claiming a full browser audit.
- [x] T068 Add or update focused browser smoke `apps/platform/tests/Browser/Spec403EvidenceCurrentnessRuntimeClosureSmokeTest.php` if browser support is available.
- [x] T069 Browser-proof admin Evidence Overview or Evidence Snapshot current/stale/missing/failed/partial behavior.
- [x] T070 Browser-proof Customer Review Workspace or review/report output customer-safe released proof behavior.
- [x] T071 Browser-proof released review/report evidence is not claimed as live current runtime state.
- [x] T072 Browser-proof stale/missing/failed evidence state path.
- [x] T073 Browser-proof unauthorized or cross-workspace/cross-environment evidence-anchor denial.
- [x] T074 Browser-proof OperationRun proof state and default-link demotion.
- [x] T075 Record route/surface, actor, workspace/environment, evidence state, expected result, observed result, console/runtime errors, and screenshot path if screenshots are captured.
- [x] T076 If browser tests are unavailable, record the exact blocker and do not claim browser proof.
## Phase 11: Implementation Report And Validation
**Purpose**: Close the proof loop with explicit result, residual severity, and next-step recommendation.
- [x] T077 Complete implementation report section A with Candidate Gate Result: PASS, PASS WITH CONDITIONS, or FAIL.
- [x] T078 Complete section B with included and explicitly not included scope.
- [x] T079 Complete section C with dirty state before/after, tracked files changed, and untracked files.
- [x] T080 Complete section D with the Evidence/Currentness Coverage Matrix.
- [x] T081 Complete section E with runtime changes made, why needed, and scope risk.
- [x] T082 Complete section F with tests added/updated, positive/negative classification, and result.
- [x] T083 Complete section G with focused browser proof or exact no-browser limitation.
- [x] T084 Complete section H with current vs released proof summary.
- [x] T085 Complete section I with customer-safe boundary proof summary.
- [x] T086 Complete section J with remaining findings by P0/P1/P2/P3.
- [x] T087 Complete section K with deferred items: management PDF staging validation, governance lifecycle/retention, JSONB migration, full browser audit, provider readiness productization, and other items.
- [x] T088 Complete the Filament v5 output contract close-out in `implementation-report.md`: Livewire v4 compliance, panel provider registration location, global-search posture for each touched resource, destructive/high-impact action confirmation and authorization posture, asset strategy, tests/browser result, and deployment impact.
- [x] T089 Complete section L with validation commands and exact results.
- [x] T090 Complete section M with recommended next action: Spec 404 only if Spec 403 passes or conditions are resolved.
- [x] T091 Run targeted Spec 403 tests and record result.
- [x] T092 Run targeted existing regressions for Evidence, Customer Review Workspace, Environment Review, Review Pack, Stored Report, OperationRun access, Restore, Baseline, and Finding surfaces changed by implementation.
- [x] T093 Run focused browser validation command if available and record result.
- [x] T094 Run formatter for changed PHP files and record result.
- [x] T095 Run `git diff --check` and record result.
- [x] T096 Verify changed reports, tests, logs, fixtures, screenshots, and implementation notes do not include secrets, tokens, raw credential payloads, or sensitive raw provider payloads.
- [x] T097 Run final dirty-state commands and confirm no unrelated dirty files were reset, deleted, or cleaned.
## Non-Goals Checklist
- [x] NT001 Do not add new product vocabulary, status family, evidence taxonomy, proof taxonomy, or currentness framework.
- [x] NT002 Do not add new admin, system, customer, navigation, report, PDF, evidence provider, restore, baseline, finding, or lifecycle surfaces.
- [x] NT003 Do not add migrations, JSON-to-JSONB changes, new persisted truth, packages, env vars, queues, scheduler changes, storage changes, or assets.
- [x] NT004 Do not perform broad service/model/Filament refactors.
- [x] NT005 Do not rewrite completed specs or remove historical close-out, validation, smoke, browser, or task history.
- [x] NT006 Do not claim full browser/UX/runtime audit completion.
- [x] NT007 Do not claim browser proof unless browser proof was actually run.
- [x] NT008 Do not proceed to Spec 404 recommendation if P0 remains or unresolved P1 evidence/currentness blockers are unsafe.
## Dependencies And Execution Order
- Phase 1 must complete before runtime edits.
- Phase 2 inventory must complete before Phase 3 matrix decisions.
- T018 must complete before T029 and before runtime fixes that rely on provider freshness or permission-limited evidence state.
- Phase 3 matrix must exist before Phase 4 gap classification.
- T029 must complete before provider-related P0/P1 gap classification is closed.
- Phase 4 must classify gaps before tests or runtime fixes.
- Phases 5-7 tests should precede Phase 8 fixes wherever feasible.
- T052 must precede any provider-freshness runtime correction.
- Phase 8 fixes must stay bounded to confirmed evidence/currentness gaps.
- T062 must complete before Product Surface close-out when runtime UI files or reachable evidence/status semantics change.
- Phase 10 browser proof follows focused hardening and tests.
- Phase 11 closes with report, validation, Filament v5 output contract close-out, dirty state, and next-step recommendation.
## Recommended Implementation Strategy
Treat implementation as a runtime truth-closure loop, not a framework pass. Build the matrix, add failing proof tests for confirmed P0/P1 risks, fix only the smallest currentness/evidence defects, and record exact proof. Preserve current repo helpers unless they demonstrably cannot express the required behavior.