TenantAtlas/specs/browser-productization-bug-audit/browser-bug-report.md
Ahmed Darrazi e80a1f87c3
feat: add restore readiness resolution adapter improvements
2026-06-20 14:49:48 +02:00


# Browser Productization Bug Audit
## Audit Metadata
* Branch: `390-restore-readiness-resolution-adapter-v1`
* Commit SHA: `920f726acefc1a3fa66fcc3bd326225e75f2b839`
* Date/time: 2026-06-20 09:30 Europe/Berlin
* Browser method used: Playwright
* Auth/session notes: Admin `/admin` session was authenticated as Ahmed Darrazi. `/system/*` redirected to `/system/login`; system panel was not authenticated.
* Test environment / workspace / environment names used: workspace `wp` (`id=3`), environment `YPTW2` (`id=4`, route key `b0091e5d-944f-4a34-bcd9-12cbfb7b75cf`).
* Whether repo was dirty before audit: No. Initial `git status --short` returned no entries before audit artifacts were written.
* Initial `git status --short`:
```text
```
* Final `git status --short`:
```text
M apps/platform/app/Filament/Resources/RestoreRunResource.php
M apps/platform/app/Filament/Resources/RestoreRunResource/Presenters/RestoreRunCreatePresenter.php
M apps/platform/app/Filament/Resources/RestoreRunResource/Presenters/RestoreRunDetailPresenter.php
M apps/platform/resources/views/filament/forms/components/restore-run-safety-decision.blade.php
M apps/platform/resources/views/filament/infolists/entries/restore-results.blade.php
M apps/platform/tests/Browser/Spec333RestoreCreateUxFinalProductizationSmokeTest.php
M apps/platform/tests/Browser/Spec335RestoreRunDetailProductizationSmokeTest.php
M docs/ui-ux-enterprise-audit/design-coverage-matrix.md
M docs/ui-ux-enterprise-audit/page-reports/ui-014-restore-runs.md
M docs/ui-ux-enterprise-audit/route-inventory.md
M docs/ui-ux-enterprise-audit/target-experience-briefs/restore-safety-workflow.md
M docs/ui-ux-enterprise-audit/unresolved-pages.md
?? apps/platform/app/Support/RestoreReadinessResolution/
?? apps/platform/tests/Feature/Filament/Spec390RestoreReadinessGuidanceTest.php
?? apps/platform/tests/Unit/Support/RestoreReadinessResolution/
?? specs/390-restore-readiness-resolution-adapter-v1/artifacts/
?? specs/390-restore-readiness-resolution-adapter-v1/contracts/
?? specs/browser-productization-bug-audit/
```
* Whether any files were modified: Yes. Audit screenshots/logs/report were written under `specs/browser-productization-bug-audit/`. The final worktree also contained non-audit RestoreRun/docs/spec changes that appeared during the audit and were not edited by this audit.
* Confirmation that only allowed report/screenshot/log files were modified: No. I only intentionally wrote allowed audit files, but the final worktree contains non-allowed modified/untracked files outside the audit directory.
* Tool/browser limitations: Integrated Browser connector failed during bootstrap with missing `sandboxPolicy` metadata, so Playwright was used per fallback rule. Playwright route-sweep output was truncated by tool output limits, so screenshots, console logs, network logs, DOM snapshots, and read-only DB/source checks are the evidence basis. Local config has `app.env=local`, `app.debug=true`, and `app.name=Laravel`, so Debugbar and debug error pages were visible in this audit environment.
## Executive Summary
* Total bugs found: 10
* P0/P1/P2/P3 counts: P0=0, P1=6, P2=3, P3=1
* Top 10 issues to fix first:
1. `Operations` workspace hub times out and exposes a Laravel debug page.
2. Primary `Open evidence basis` CTA points to superseded partial Evidence #30 while active complete Evidence #34 exists.
3. Customer Review Workspace also anchors to stale/superseded Evidence #30.
4. Download-with-limitations links are visible while output is PII-bearing, incomplete, and not customer-ready.
5. Required Permissions page shows `Present 0` / no configured permissions despite 15 granted permission rows.
6. Provider health is shown as `Healthy` while the same page says verification is stale and action required.
7. Environment dashboard `Open customer workspace` CTA opens a Review Pack detail page.
8. System login is branded `Laravel` and exposes Debugbar in local audit.
9. Debugbar/source links and Vite client failures pollute the browser/runtime signal.
10. Environment page title lacks a separator: `YPTW2Action needed - TenantPilot`.
* Merge/customer-readiness recommendation: Not customer-ready. The Operations 500, evidence-anchor drift, provider readiness contradictions, and download-with-limitations affordances should block productization until fixed and re-smoked in browser.
## Route Coverage
| Area | Route | Page name | Status | Screenshot path | Notes |
|---|---|---|---|---|---|
| Admin | `/admin` | Workspace overview | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-admin-dashboard.png` | Redirected to `/admin/workspaces/3/overview`. |
| Workspace | `/admin/workspaces/3/overview` | Workspace overview | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-workspace-overview.png` | Priority queue and recent ops visible. |
| Workspace | `/admin/choose-workspace?choose=1` | Choose workspace | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-choose-workspace.png` | Workspace switcher reachable. |
| Workspace | `/admin/choose-environment` | Choose environment | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-choose-environment.png` | Environment switcher reachable. |
| Environment | `/admin/workspaces/3/environments` | Managed environments | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-managed-environments.png` | Environment list captured. |
| Environment | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf` | Environment dashboard | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-environment-dashboard.png` | Multiple readiness contradictions. |
| Environment | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/required-permissions` | Required permissions | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-required-permissions.png` | Permission counts contradict DB rows. |
| Inventory | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/inventory` | Inventory items | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-inventory-items.png` | Route loaded. |
| Inventory | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/policies` | Policies | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-policies.png` | Route loaded. |
| Inventory | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/policy-versions` | Policy versions | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-policy-versions.png` | Route loaded. |
| Inventory | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/inventory/inventory-coverage` | Inventory coverage | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-inventory-coverage.png` | Route loaded. |
| Reporting | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/environment-reviews` | Environment reviews | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-environment-reviews.png` | Route loaded. |
| Reporting | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/stored-reports` | Stored reports | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-stored-reports.png` | Route loaded. |
| Reporting | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/review-packs` | Review packs | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-review-packs.png` | Route loaded. |
| Reporting | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/review-packs/32` | View Review Pack | checked | `specs/browser-productization-bug-audit/screenshots/BUG-003-internal-pack-download-enabled-while-not-usable.png` | Download action visible despite limitations. |
| Governance | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/findings` | Findings | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-findings.png` | First rows and first detail inspected. |
| Governance | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/findings/254` | View Findings | checked | not captured separately | Detail showed technical IDs as admin-only evidence. |
| Governance | `/admin/baseline-profiles` | Baseline profiles | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-baseline-profiles.png` | Route loaded. |
| Governance | `/admin/baseline-snapshots` | Baseline snapshots | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-baseline-snapshots.png` | Route loaded. |
| Governance | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/baseline-compare` | Baseline compare | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-baseline-compare.png` | Route loaded. |
| Governance | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/evidence` | Evidence snapshots | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-evidence-snapshots.png` | Route loaded. |
| Governance | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/evidence/30` | View Evidence Snapshot | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-evidence-snapshot-detail.png` | Superseded partial evidence. |
| Governance | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/finding-exceptions` | Risk exceptions | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-risk-exceptions.png` | Route loaded. |
| Backup/Restore | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/backup-schedules` | Backup schedules | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-backup-schedules.png` | Route loaded. |
| Backup/Restore | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/backup-sets` | Backup sets | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-backup-sets.png` | First three rows inspected; destructive actions verified read-only in source. |
| Backup/Restore | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/restore-runs` | Restore runs | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-restore-runs.png` | Preview row inspected. |
| Backup/Restore | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/restore-runs/create` | Create Restore Run | checked | not captured separately | Wizard inspected without submitting. |
| Directory | `/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/entra-groups` | Entra groups | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-entra-groups.png` | Route loaded. |
| Workspace-wide | `/admin/finding-exceptions/queue?environment_id=4` | Finding exceptions queue | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-finding-exceptions-queue.png` | Route loaded. |
| Workspace-wide | `/admin/reviews?environment_id=4` | Reviews | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-reviews-workspace-filtered.png` | Route loaded. |
| Workspace-wide | `/admin/governance/inbox?environment_id=4` | Governance inbox | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-governance-inbox.png` | Route loaded. |
| Workspace-wide | `/admin/governance/decisions?environment_id=4` | Decision register | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-decision-register.png` | Route loaded. |
| Workspace-wide | `/admin/workspaces/3/operations?environment_id=4` | Operations | blocked | `specs/browser-productization-bug-audit/screenshots/BUG-001-operations-500-debug-page.png` | 500 / timeout / debug page. |
| Workspace-wide | `/admin/alerts?environment_id=4` | Alerts | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-alerts.png` | Route loaded. |
| Workspace-wide | `/admin/evidence/overview?environment_id=4` | Evidence overview | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-evidence-overview.png` | Route loaded. |
| Workspace-wide | `/admin/audit-log?environment_id=4` | Audit log | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-audit-log.png` | Route loaded. |
| Workspace-wide | `/admin/reviews/workspace?environment_id=4` | Customer Review Workspace | checked | `specs/browser-productization-bug-audit/screenshots/BUG-006-customer-review-download-and-stale-evidence.png` | Stale evidence and download-with-limitations. |
| Workspace admin | `/admin/workspaces` | Workspaces | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-workspaces.png` | Route loaded. |
| Workspace admin | `/admin/provider-connections?environment_id=4` | Provider connections | checked | `specs/browser-productization-bug-audit/screenshots/BUG-007-provider-health-healthy-while-verification-stale.png` | Provider verification contradiction. |
| Workspace admin | `/admin/settings/workspace` | Workspace settings | checked | `specs/browser-productization-bug-audit/screenshots/ROUTE-workspace-settings.png` | Route loaded. |
| System | `/system` | System dashboard | blocked | `specs/browser-productization-bug-audit/screenshots/BUG-008-system-login-default-laravel-branding.png` | Redirected to `/system/login`. |
| System | `/system/directory/tenants` | System tenants | blocked | `specs/browser-productization-bug-audit/screenshots/ROUTE-system-tenants.png` | System auth required. |
| System | `/system/directory/workspaces` | System workspaces | blocked | `specs/browser-productization-bug-audit/screenshots/ROUTE-system-workspaces.png` | System auth required. |
| System | `/system/ops/runs` | System ops runs | blocked | `specs/browser-productization-bug-audit/screenshots/ROUTE-system-ops-runs.png` | System auth required. |
| System | `/system/ops/failures` | System ops failures | blocked | `specs/browser-productization-bug-audit/screenshots/ROUTE-system-ops-failures.png` | System auth required. |
| System | `/system/ops/stuck` | System ops stuck | blocked | `specs/browser-productization-bug-audit/screenshots/ROUTE-system-ops-stuck.png` | System auth required. |
| System | `/system/ops/controls` | System ops controls | blocked | `specs/browser-productization-bug-audit/screenshots/ROUTE-system-ops-controls.png` | System auth required. |
| System | `/system/ops/runbooks` | System ops runbooks | blocked | `specs/browser-productization-bug-audit/screenshots/ROUTE-system-ops-runbooks.png` | System auth required. |
| System | `/system/security/access-logs` | System access logs | blocked | `specs/browser-productization-bug-audit/screenshots/ROUTE-system-access-logs.png` | System auth required. |
## Bugs
### BUG-001 — Operations index times out and exposes debug page
Severity: P1
Area: Workspace-wide / Operations
Route: `http://localhost/admin/workspaces/3/operations?environment_id=4`
Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-001-operations-500-debug-page.png`
Console/network errors: yes. Network log includes `GET http://localhost/admin/workspaces/3/operations?environment_id=4 => [500] Internal Server Error`; console includes Filament/Alpine reference errors and Vite client failures.
Actual:
Opening the Operations route takes roughly 40 seconds and lands on a Laravel debug/error page. The browser reports 35 console errors and 33 warnings. Laravel Boost `last_error` shows `Maximum execution time of 30 seconds exceeded` at `Illuminate\Database\Eloquent\Concerns\HasAttributes.php:1577`.
Expected:
The Operations hub should render a bounded, paginated operations list or a controlled error state. Operators should never see a raw Laravel debug page or stack trace in a customer-ready environment.
Steps to reproduce:
1. Authenticate in `/admin`.
2. Open `http://localhost/admin/workspaces/3/operations?environment_id=4`.
3. Wait for the request to complete.
Evidence:
* Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-001-operations-500-debug-page.png`
* Console: `specs/browser-productization-bug-audit/logs/console-warnings-final.txt`
* Network: `specs/browser-productization-bug-audit/logs/network-requests-final.txt`
* Read-only log: local error at `2026-06-20 09:19:07`, max execution time exceeded.
Likely source:
* `apps/platform/app/Filament/Pages/Monitoring/Operations.php:610`
* `apps/platform/app/Filament/Resources/OperationRunResource.php:134`
Suggested fix:
Profile the Operations index render path with the environment filter applied. Bound expensive model attribute/accessor work in table columns/actions, avoid per-row heavy presenters, and replace local debug exposure with a controlled Filament error/empty state.
Product impact:
Operations is a core operator workflow and the main drilldown for dashboard follow-up. A 500 blocks incident triage and can expose implementation details if debug mode leaks outside local.
### BUG-002 — Primary evidence CTA points to superseded evidence
Severity: P1
Area: Environment dashboard / Evidence
Route: `http://localhost/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf`
Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-004-primary-evidence-cta-points-to-superseded-snapshot.png`
Console/network errors: no current route error.
Actual:
The hero recommendation says `Evidence basis is incomplete` and the primary CTA `Open evidence basis` links to Evidence Snapshot #30. Read-only DB shows Evidence #30 is `superseded` and `partial`, while Evidence #34 is `active` and `complete`. The same dashboard's readiness proof `Open evidence` action points to #34.
Expected:
A primary evidence CTA should either open the active/current evidence basis or explicitly explain that it is intentionally opening the anchored historical evidence that blocks the released review. It should not silently point to stale/superseded evidence while another proof section points to current evidence.
Steps to reproduce:
1. Open the YPTW2 environment dashboard.
2. Inspect the primary `Open evidence basis` CTA.
3. Compare it with the `Readiness proof -> Evidence coverage -> Open evidence` action.
Evidence:
* Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-004-primary-evidence-cta-points-to-superseded-snapshot.png`
* Read-only DB: Evidence #34 = `active/complete`, generated `2026-06-20 08:36:00`; Evidence #30 = `superseded/partial`, generated `2026-06-14 23:47:48`.
Likely source:
* `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php:327`
* `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php:1568`
* `apps/platform/app/Support/ReviewPacks/ReviewPackOutputResolutionGuidance.php:441`
Suggested fix:
Make the CTA source explicit: use latest active evidence for environment readiness, or label anchored released-review evidence as historical and show the current-evidence alternative next to it.
Product impact:
Operators are sent to the wrong evidence object for the primary decision. That can cause stale governance conclusions and unnecessary remediation work.
### BUG-003 — Customer Review Workspace anchors to stale evidence
Severity: P1
Area: Customer Review Workspace / Evidence
Route: `http://localhost/admin/reviews/workspace?environment_id=4`
Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-006-customer-review-download-and-stale-evidence.png`
Console/network errors: no current route error.
Actual:
Customer Review Workspace shows `Evidence snapshot Available Generated Jun 14, 2026 23:47` and links `View evidence snapshot` to Evidence #30. That evidence is superseded/partial, while the environment has active/complete Evidence #34 generated on Jun 20, 2026.
Expected:
Customer-facing review workspace should clearly distinguish released-review anchored evidence from current environment evidence. If it intentionally uses historical evidence, it should say "released-review evidence" and warn that newer complete evidence exists.
Steps to reproduce:
1. Open `http://localhost/admin/reviews/workspace?environment_id=4`.
2. Scroll to Supporting Reference.
3. Inspect Evidence path and `View evidence snapshot`.
Evidence:
* Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-006-customer-review-download-and-stale-evidence.png`
* Read-only DB evidence comparison from BUG-002.
Likely source:
* `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php:745`
* `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php:768`
Suggested fix:
Show both anchored release evidence and current evidence when they differ; update labels and warnings so customer review operators understand whether they are looking at historical or current proof.
Product impact:
Customer-facing review workflows can appear stale or misleading even after evidence has been regenerated successfully.
### BUG-004 — Download-with-limitations is enabled for PII-bearing, not-ready output
Severity: P1
Area: Customer Review / Review Packs
Route: `http://localhost/admin/reviews/workspace?environment_id=4` and `http://localhost/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/review-packs/32`
Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-003-internal-pack-download-enabled-while-not-usable.png`
Console/network errors: no current route error.
Actual:
Review Pack #32 says `Internal only`, `Result trust Not usable yet`, `Coverage Partially complete`, and `This package includes internal or PII-bearing detail`. Customer Review Workspace says `Requires review`, `PII Contains PII`, and `Customer sharing still depends on readiness blockers`, but still renders a direct `Download review pack with limitations` signed URL.
Expected:
When output is not customer-ready and contains PII, direct download should be gated behind an explicit confirmation or moved behind a review/detail action. The UI should avoid presenting a direct download as a normal supporting action.
Steps to reproduce:
1. Open Customer Review Workspace with `environment_id=4`.
2. Inspect `Supporting actions`.
3. Open Review Pack #32 and inspect header actions and output guidance.
Evidence:
* Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-003-internal-pack-download-enabled-while-not-usable.png`
* Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-006-customer-review-download-and-stale-evidence.png`
Likely source:
* `apps/platform/app/Support/ReviewPacks/ReviewPackOutputResolutionGuidance.php:400`
* `apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php:2659`
Suggested fix:
Require an explicit confirmation for download-with-limitations, make the primary path open review/redaction checks, and only enable direct customer-safe downloads when the output state is customer-safe ready.
Product impact:
An MSP/operator could download and share an internal or PII-bearing package despite on-page warnings that it is not ready. This is a customer disclosure risk.
### BUG-005 — Required permissions detail shows zero present despite granted rows
Severity: P1
Area: Provider permissions / Required permissions
Route: `http://localhost/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf/required-permissions`
Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-005-required-permissions-zero-present-despite-grants.png`
Console/network errors: no current route error.
Actual:
The page summary shows `Missing (app) 0`, `Missing (delegated) 0`, `Present 0`, `Errors 0`, says `No required permissions are configured yet`, and still recommends `Run provider verification` / `Open admin consent`. Read-only DB shows 15 `managed_environment_permissions` rows for environment 4, all `status=granted`, last checked `2026-05-14 20:42:51`.
Expected:
The detail page should show the 15 granted permissions as present but stale, and the next action should be refresh/verification, not imply no configured permissions or missing consent.
Steps to reproduce:
1. Open Required permissions for YPTW2.
2. Compare summary counts and issue text.
3. Query `managed_environment_permissions` for environment 4 read-only.
Evidence:
* Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-005-required-permissions-zero-present-despite-grants.png`
* DB: `SELECT status, COUNT(*) ...` returned 15 granted rows.
Likely source:
* `apps/platform/app/Services/Intune/ManagedEnvironmentRequiredPermissionsViewModelBuilder.php:249`
* `apps/platform/app/Filament/Pages/EnvironmentRequiredPermissions.php:125`
Suggested fix:
Ensure stored granted rows are included in the default view/counts when evidence is stale. Default filter can still focus on missing permissions, but the summary must not collapse present granted rows to zero or "not configured".
Product impact:
Operators cannot tell whether permissions are absent, stale, or complete. This can drive unnecessary admin-consent workflows and undermine trust in readiness gates.
### BUG-006 — Provider health is marked Healthy while verification is stale
Severity: P1
Area: Provider connections / Environment readiness
Route: `http://localhost/admin/provider-connections?environment_id=4`
Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-007-provider-health-healthy-while-verification-stale.png`
Console/network errors: no current route error.
Actual:
Provider Connections top guidance says `Action required / Provider verification required` because stored verification evidence is stale. The table row simultaneously shows `Verification Healthy` and `Provider capability Unknown`. The environment dashboard also shows `Provider permissions Needs attention` while `Provider Health Healthy` repeats that the verification snapshot is stale.
Expected:
Provider health should not be green/healthy when the verification basis is stale and capabilities are unknown. It should read `Needs attention`, `Stale`, or `Verification required` consistently across dashboard and list.
Steps to reproduce:
1. Open Provider Connections with `environment_id=4`.
2. Compare the top action-required banner with the table `Verification` and `Provider capability` columns.
3. Open the environment dashboard and compare `Provider permissions` with `Provider Health`.
Evidence:
* Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-007-provider-health-healthy-while-verification-stale.png`
* Screenshot: `specs/browser-productization-bug-audit/screenshots/ROUTE-environment-dashboard.png`
Likely source:
* `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php:1708`
* `apps/platform/app/Filament/Resources/ProviderConnectionResource.php` (not line-investigated)
Suggested fix:
Make provider health tone/status consume permission freshness and capability uncertainty. A stale verification snapshot should downgrade health even when the last stored grant set was complete.
Product impact:
Provider readiness gates can look green while write/read capability checks are unknown or stale, causing unsafe operational decisions.
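One way to keep the BUG-005 counts and the BUG-006 health label consistent is to derive both from the same stored rows plus their freshness. This is an added example, not TenantPilot code: the row shape, the 7-day freshness window, the `verified` capability value, the `Not configured` label and the sample rows are assumptions.

```javascript
// Added example (not the project's code). Stale grants stay counted as
// "present", but a stale basis or unknown capability can never yield "Healthy".

const FRESHNESS_WINDOW_MS = 7 * 24 * 60 * 60 * 1000; // assumed policy value

// rows: [{ status: 'granted' | 'missing' | other, lastCheckedAt: ISO string }]
// now:  epoch milliseconds, passed in so the result is deterministic
function summarizePermissions(rows, now) {
  const summary = {
    configured: rows.length > 0,
    present: 0,
    missing: 0,
    errors: 0,
    stale: false,
  };
  for (const row of rows) {
    if (row.status === 'granted') summary.present += 1;
    else if (row.status === 'missing') summary.missing += 1;
    else summary.errors += 1;

    // A missing or unparseable check time is treated as stale, not as fresh.
    const checkedAt = Date.parse(row.lastCheckedAt);
    if (Number.isNaN(checkedAt) || now - checkedAt > FRESHNESS_WINDOW_MS) {
      summary.stale = true;
    }
  }
  return summary;
}

// capability: 'verified' or anything else (for example 'unknown')
function providerHealth(summary, capability) {
  if (!summary.configured) {
    return { label: 'Not configured', nextAction: 'Open admin consent' };
  }
  if (summary.missing > 0 || summary.errors > 0) {
    return { label: 'Needs attention', nextAction: 'Open admin consent' };
  }
  if (summary.stale || capability !== 'verified') {
    return { label: 'Verification required', nextAction: 'Run provider verification' };
  }
  return { label: 'Healthy', nextAction: null };
}

// Constructed sample mirroring the audit: 15 granted rows last checked on
// 2026-05-14 20:42:51 (treated as UTC here), evaluated at the audit time.
const AUDIT_NOW = Date.parse('2026-06-20T09:30:00+02:00');
const STORED_ROWS = Array.from({ length: 15 }, (_, i) => ({
  permission: `Example.Permission.${i + 1}`, // placeholder names
  status: 'granted',
  lastCheckedAt: '2026-05-14T20:42:51Z',
}));

const auditSummary = summarizePermissions(STORED_ROWS, AUDIT_NOW);
console.log(auditSummary, providerHealth(auditSummary, 'unknown'));
```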
### BUG-007 — Open customer workspace CTA opens Review Pack detail
Severity: P2
Area: Environment dashboard / Review output
Route: `http://localhost/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf`
Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-002-customer-workspace-cta-opens-review-pack.png`
Console/network errors: no.
Actual:
The dashboard link labelled `Open customer workspace` navigates to `.../review-packs/32`, whose heading is `View Review Pack`. It does not open Customer Review Workspace.
Expected:
A link labelled `Open customer workspace` should open `Customer Review Workspace`, or the label should say `Open review pack`.
Steps to reproduce:
1. Open the YPTW2 environment dashboard.
2. Click `Open customer workspace`.
3. Observe the destination heading.
Evidence:
* Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-002-customer-workspace-cta-opens-review-pack.png`
Likely source:
* `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php:327`
* `apps/platform/app/Support/EnvironmentDashboard/EnvironmentDashboardSummaryBuilder.php:2038`
Suggested fix:
Align label and destination: use CustomerReviewWorkspace URL for this label, or change the CTA text when the action opens a review pack artifact.
Product impact:
Operators lose orientation between customer workspace, review detail, and review pack artifact. This increases the chance of sharing or reviewing the wrong surface.
### BUG-008 — System login uses default Laravel branding
Severity: P2
Area: System / Authentication
Route: `http://localhost/system`
Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-008-system-login-default-laravel-branding.png`
Console/network errors: no current route error.
Actual:
The system login page title is `Login - Laravel`, the card brand text is `Laravel`, and a Debugbar icon is visible in the lower-left corner. Read-only config shows `app.name=Laravel`.
Expected:
System login should be TenantPilot-branded and make it clear this is the system/admin panel. Debugbar should not be visible outside local development and should not be part of customer-ready screenshots.
Steps to reproduce:
1. Open `http://localhost/system`.
2. Observe redirect to `/system/login`.
3. Inspect title and login card branding.
Evidence:
* Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-008-system-login-default-laravel-branding.png`
* Config read-only: `app.name=Laravel`, `app.debug=true`, `app.env=local`.
Likely source:
* `config/app.php` / environment `APP_NAME` (not line-investigated)
* System panel login branding configuration (not line-investigated)
Suggested fix:
Set application/panel branding to TenantPilot and ensure Debugbar is disabled in staging/production validation environments.
Product impact:
Default framework branding looks unfinished and makes system/admin scope less clear for platform admins.
### BUG-009 — Debugbar and asset failures pollute browser runtime
Severity: P2
Area: Cross-cutting / Frontend runtime
Route: Multiple admin and system routes
Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-001-operations-500-debug-page.png`
Console/network errors: yes. Console logs include `filamentSchema is not defined`, `filamentSchemaComponent is not defined`, `filamentTable is not defined`, `selectFormComponent is not defined`, and network failures for `http://localhost:5173/@vite/client`.
Actual:
Debugbar links and `phpstorm://open?...` links appear in the DOM on admin/system pages. Network logs include repeated Debugbar requests and Vite client failures. The Operations route exposed a full debug error surface.
Expected:
Browser validation for productization should run with compiled/stable assets and no Debugbar/source-link leakage. If local debug remains enabled, it should be recorded as a tooling limitation and not confused with customer UX.
Steps to reproduce:
1. Open several admin routes.
2. Inspect console warnings and network requests.
3. Inspect DOM links for `phpstorm://` and `_debugbar`.
Evidence:
* Console: `specs/browser-productization-bug-audit/logs/console-warnings-final.txt`
* Network: `specs/browser-productization-bug-audit/logs/network-requests-final.txt`
* Screenshot: `specs/browser-productization-bug-audit/screenshots/BUG-001-operations-500-debug-page.png`
Likely source:
* Local environment config/assets; exact source not investigated.
Suggested fix:
Run audit/staging with `APP_DEBUG=false`, Debugbar disabled, and built Filament/Vite assets. Add a smoke check that fails on missing Filament JS globals or Vite client load failures.
Product impact:
JS runtime failures can make filters/actions unreliable and debug surfaces can obscure real customer UX issues.
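
The smoke check suggested for BUG-009 could take the following shape. This is an added example, not TenantAtlas code: the function names and input shape are assumptions, the sample data is constructed, and the match patterns come from the console, network and DOM evidence recorded for this bug.

```javascript
// Added example. Patterns come from the BUG-009 evidence; the input shape
// ({ route, consoleMessages, requests, hrefs }) is an assumption.
const MISSING_GLOBAL = /\b(filament[A-Za-z]*|selectFormComponent) is not defined\b/;
const VITE_DEV_CLIENT = /\/@vite\/client(\?|$)/;
const DEBUGBAR = /\/_debugbar(\/|\?|$)/;
const SOURCE_LINK = /^phpstorm:\/\//i;

function auditPage({ route, consoleMessages = [], requests = [], hrefs = [] }) {
  const findings = [];
  const add = (kind, detail) => findings.push({ route, kind, detail });
  for (const text of consoleMessages) {
    const m = MISSING_GLOBAL.exec(text);
    if (m) add('missing-js-global', m[1]);
  }
  for (const { url, failed } of requests) {
    // Any request for the Vite dev client means the page is not running on
    // built assets, whether or not the dev server answered.
    if (VITE_DEV_CLIENT.test(url)) add(failed ? 'vite-client-failed' : 'vite-client-loaded', url);
    else if (DEBUGBAR.test(url)) add('debugbar-request', url);
  }
  for (const href of hrefs) {
    if (SOURCE_LINK.test(href)) add('source-link', href);
    else if (DEBUGBAR.test(href)) add('debugbar-link', href);
  }
  return findings;
}

function smokeCheck(pages) {
  const findings = pages.flatMap((page) => auditPage(page));
  return { ok: findings.length === 0, findings };
}

// Constructed sample input, not taken from the audit logs.
const SAMPLE_PAGES = [
  {
    route: '/admin/constructed-dirty',
    consoleMessages: ['ReferenceError: filamentTable is not defined',
      'Alpine Expression Error: selectFormComponent is not defined', 'constructed benign message'],
    requests: [{ url: 'http://localhost:5173/@vite/client', failed: true },
      { url: 'http://localhost/_debugbar/constructed', failed: false },
      { url: 'http://localhost/build/assets/app-constructed.js', failed: false }],
    hrefs: ['phpstorm://open?file=/constructed/Example.php&line=1', 'http://localhost/admin'],
  },
  { route: '/admin/constructed-clean', consoleMessages: [], requests: [], hrefs: ['http://localhost/admin'] },
];

console.log(JSON.stringify(smokeCheck(SAMPLE_PAGES), null, 2));
```

In a Playwright run the three arrays would be filled from the page's `console` and `requestfailed` events and from the `href` values of the rendered links, and the suite would fail whenever `ok` is false.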
### BUG-010 — Environment page title has missing separator
Severity: P3
Area: Environment dashboard / Browser metadata
Route: `http://localhost/admin/workspaces/3/environments/b0091e5d-944f-4a34-bcd9-12cbfb7b75cf`
Screenshot: `specs/browser-productization-bug-audit/screenshots/ROUTE-environment-dashboard.png`
Console/network errors: no.
Actual:
The browser title is `YPTW2Action needed - TenantPilot` with no space or separator between the environment name and status.
Expected:
The page title should read something like `YPTW2 - Action needed - TenantPilot`.
Steps to reproduce:
1. Open the YPTW2 environment dashboard.
2. Inspect browser title.
Evidence:
* Screenshot: `specs/browser-productization-bug-audit/screenshots/ROUTE-environment-dashboard.png`
* Playwright page title: `YPTW2Action needed - TenantPilot`
Likely source:
* Environment dashboard page title composition, exact file not investigated.
Suggested fix:
Add a separator between environment name and status in title composition.
Product impact:
Minor polish issue, but it makes browser tabs/history look unprofessional.
## Cross-cutting Patterns
* Misleading readiness labels: Provider permissions, provider health, evidence basis, and customer output readiness use inconsistent states for the same underlying data.
* Stale data displayed as current: Superseded Evidence #30 remains the primary/customer evidence path even though active Evidence #34 exists.
* Workspace/environment scope confusion: Environment dashboard mixes Customer Workspace, Review Pack, Review Detail, and Evidence Detail labels without clearly naming the destination.
* Customer-facing report/disclosure problems: Direct download links are visible while the page says the package contains PII and requires review.
* Debugbar/stack trace leakage: Local debug settings exposed Debugbar, `phpstorm://` source links, and a Laravel error page during the audit.
* Broken redirects/back/navigation flows: Operations links from dashboard, backup sets, customer workspace, findings, and notifications route to a hub that currently 500s.
* Inconsistent badges/tones: `Healthy` appears next to stale/unknown provider capability states.
* Raw IDs/GUIDs in UI: Admin finding detail shows provider GUIDs and fingerprints in technical sections; acceptable for admin detail, but these must remain hidden from customer output.
## Suggested Follow-up Specs
* Proposed spec number placeholder: `SPEC-OPS-001`
Title: Stabilize operations hub rendering and frontend runtime.
Bugs covered: BUG-001, BUG-009.
Why this should be one spec: Operations is the common drilldown from many surfaces, and the JS/runtime/debug failure affects table actions and filters.
Acceptance criteria summary: Operations index renders under environment filters in under 3 seconds; no debug page; no Filament JS missing-global console errors; route has controlled empty/error states.
* Proposed spec number placeholder: `SPEC-EVIDENCE-001`
Title: Reconcile current vs anchored evidence across dashboards and customer review.
Bugs covered: BUG-002, BUG-003.
Why this should be one spec: Both bugs are evidence-anchor selection and labeling issues across environment and customer-review surfaces.
Acceptance criteria summary: Active evidence and released-review anchored evidence are separately labelled; primary CTAs point to the intended evidence; stale/superseded evidence is never silently presented as current.
* Proposed spec number placeholder: `SPEC-OUTPUT-001`
Title: Gate review-pack downloads by customer readiness and PII state.
Bugs covered: BUG-004, BUG-007.
Why this should be one spec: Download affordances and customer workspace/review-pack navigation are part of the same output handoff model.
Acceptance criteria summary: Direct download only for customer-safe-ready output; limitation downloads require confirmation and explicit internal-only language; labels match destinations.
* Proposed spec number placeholder: `SPEC-PROVIDER-001`
Title: Normalize provider permission and health freshness semantics.
Bugs covered: BUG-005, BUG-006.
Why this should be one spec: Permission counts, stale verification, provider connection health, and capability readiness must share one status taxonomy.
Acceptance criteria summary: Granted stale permissions count as present-but-stale; health tone downgrades on stale verification; list, detail, and dashboard states match.
* Proposed spec number placeholder: `SPEC-SYSTEM-001`
Title: Productize system panel login and debug configuration checks.
Bugs covered: BUG-008, BUG-009, BUG-010.
Why this should be one spec: Branding, debug settings, and metadata polish are cross-panel readiness concerns.
Acceptance criteria summary: TenantPilot branding on system login; no Debugbar/source links in staging/productization; browser titles are formatted consistently.
## Appendix
* Screenshot index:
  * 47 `ROUTE-*` screenshots under `specs/browser-productization-bug-audit/screenshots/`
  * Bug screenshots: `BUG-001-operations-500-debug-page.png`, `BUG-002-customer-workspace-cta-opens-review-pack.png`, `BUG-003-internal-pack-download-enabled-while-not-usable.png`, `BUG-004-primary-evidence-cta-points-to-superseded-snapshot.png`, `BUG-005-required-permissions-zero-present-despite-grants.png`, `BUG-006-customer-review-download-and-stale-evidence.png`, `BUG-007-provider-health-healthy-while-verification-stale.png`, `BUG-008-system-login-default-laravel-branding.png`
* Console error index:
  * `specs/browser-productization-bug-audit/logs/console-warnings.txt`
  * `specs/browser-productization-bug-audit/logs/console-warnings-final.txt`
  * Key entries: Filament/Alpine missing globals, Vite client failure, Operations debug-page stack traces.
* Network error index:
  * `specs/browser-productization-bug-audit/logs/network-requests.txt`
  * `specs/browser-productization-bug-audit/logs/network-requests-final.txt`
  * Key entries: Operations 500, Vite client connection reset, Debugbar aborted requests, old Microsoft login favicon/SSO probe noise.
* Blocked routes:
  * `/admin/workspaces/3/operations?environment_id=4` blocked by 500/timeout.
  * `/system/*` routes blocked by system auth; `/system/login` was inspected.
* Not reachable routes:
  * Authenticated system panel internals were not reachable without a system login session.
* Dangerous actions intentionally not executed:
  * Evidence: `Refresh evidence`, `Expire snapshot`.
  * Provider Connections: `Check connection`, `Inventory sync`, `Compliance snapshot`, `Enable dedicated override`, `Disable connection`.
  * Required Permissions: `Run provider verification`, external `Open admin consent`.
  * Review/customer output: `Download review pack with limitations`, `Download internal review pack`, `View internal report`, `Regenerate review pack`, `Acknowledge review`.
  * Findings: `Triage`, `Assign`, `Resolve`, `Close`, `Request exception`, all bulk variants.
  * Backup/Restore: archive/restore/force-delete and bulk archive actions, restore wizard submit/execute steps.
* Read-only code/db inspections performed:
  * `git status --short`, `git branch --show-current`, `git rev-parse HEAD`.
  * Laravel routes via Boost `list_routes`.
  * Laravel config via Boost `get_config` for `app.name`, `app.env`, `app.debug`, `debugbar.enabled`.
  * Laravel logs via Boost `last_error` and `read_log_entries`.
  * Read-only DB queries for `evidence_snapshots`, `managed_environment_permissions`, `operation_runs`, `backup_sets`, `restore_runs`.
  * Source reads for Operations, EnvironmentDashboardSummaryBuilder, ReviewPackOutputResolutionGuidance, CustomerReviewWorkspace, RequiredPermissions, BackupSetResource.
* Tool/browser limitations:
  * Integrated Browser control was unavailable due to missing `sandboxPolicy` metadata, so Playwright was used.
  * Full route-sweep tool output was truncated; screenshots/logs and targeted DOM evaluations were used for durable evidence.
  * Local debug mode and Debugbar were enabled, so debug artifacts are recorded as both observed risk and local-environment limitation.