TenantAtlas/specs/401-high-risk-admin-action-proof-pack/tasks.md
Ahmed Darrazi ea623679dd
chore: finalize high risk admin action proof pack
2026-06-23 02:13:06 +02:00

Tasks: Spec 401 - High-risk Admin Action Proof Pack

Input: specs/401-high-risk-admin-action-proof-pack/spec.md, plan.md, checklists/requirements.md, user-provided Spec 401 draft, Product Surface Contract, related restore/backup/provider specs, and repo truth.

Tests: Required. This spec changes or verifies high-risk rendered/admin action behavior and must include focused Pest Feature/Filament tests plus focused Pest Browser smoke. Tests should be added before runtime hardening wherever feasible.

Test Governance Checklist

  • Lane assignment is confidence + browser, with fast-feedback only for pure Unit helper tests.
  • New or changed tests stay in the smallest honest family; the single browser addition is explicitly named Spec 401.
  • Shared helpers, factories, seeds, fixtures, and workspace/provider/browser context setup stay cheap by default and opt-in.
  • Planned validation commands cover the selected high-risk action proof without pulling in a broad browser/runtime audit.
  • Surface test profiles are dangerous-workflow wizard, shared-detail-family, monitoring-state-page where needed, and standard-native-filament where enough.
  • Browser proof is required for rendered restore, backup, provider, and one unauthorized/blocked path.
  • Human Product Sanity and Product Surface implementation-report close-out are completed before implementation close-out.
  • Any material budget, fixture, or browser-lane escalation is recorded in implementation-report.md.

Phase 1: Safety, Inventory, And Proof Map

Purpose: Establish current repo truth and map missing proof before runtime edits.

  • T001 Read specs/401-high-risk-admin-action-proof-pack/spec.md, plan.md, tasks.md, and checklists/requirements.md.
  • T002 Record current branch, HEAD, dirty state, and tracked/untracked files before implementation in specs/401-high-risk-admin-action-proof-pack/implementation-report.md.
  • T003 Inspect related historical/context specs 333, 335, 364, 390, 394, and 395-400 without modifying them.
  • T004 Inspect current restore, backup, provider, OperationRun, audit, evidence, RBAC, and browser test files named in plan.md.
  • T005 Confirm exact routes/actions/resources involved by reading Filament resources/pages and route definitions; do not invent route names from the draft.
  • T006 Create the Spec 401 proof map in specs/401-high-risk-admin-action-proof-pack/implementation-report.md or proof-map.md if the table is too large.
  • T007 Classify each target flow/state as Fully proven, Proven except explicitly deferred state, Product contract missing, Implementation defect found and fixed, or Implementation defect found but out of scope.
  • T008 Identify existing tests that already prove required states and cite them in the proof map before adding new tests.
  • T009 Confirm no new surface, navigation, panel, persisted truth, status family, provider family, or broad framework is required; stop and update spec/plan if this is false.

Phase 2: Foundational Cross-domain Tests

Purpose: Add reusable proof structure without widening runtime architecture.

  • T010 [P] Add or update explicit test fixtures only where needed for Spec 401 states in existing factories/helpers; keep setup opt-in and record fixture cost in implementation-report.md.
  • T011 [P] Confirm shared OperationRun/evidence/audit link authorization coverage through existing OperationRun link helpers and related smoke/tests cited in implementation-report.md; no apps/platform/tests/Feature/Operations/Spec401HighRiskAdminActionProofPackTest.php file was created for this BackupSchedule-only hardening slice.
  • T012 [P] No-op after inventory: no shared Spec 401 assertion helpers were needed because the selected new tests stayed local to BackupSchedule confirmation/cancel proof.
  • T013 Verify touched globally searchable resources have safe View/Edit pages plus $recordTitleAttribute or disabled global search, and verify touched table/list surfaces keep meaningful empty states and action hierarchy; record result in implementation-report.md.
  • T014 Verify touched destructive/high-impact Filament actions are action-backed and not URL-only; record any defect before hardening.

Phase 3: Restore Proof (P1)

Goal: Prove restore preview/readiness/execution safety across authorization, stale/blocked/partial/failed states, confirmation, cancellation, and audit/evidence behavior.

Independent Test: Run the existing focused restore Feature/Filament tests cited in the proof map plus the restore path in the Spec 401 browser smoke.

Tests

  • T015 [P] [US1] Confirm missing-input and stale/expired restore preview execution-blocking proof through existing restore hardening tests cited in implementation-report.md; no new restore Spec 401 feature test file was created.
  • T016 [P] [US1] Confirm restore direct unauthorized invocation proof through existing RestoreRunUiEnforcementTest and execution reauthorization coverage cited in implementation-report.md.
  • T017 [P] [US1] Confirm restore confirmation/action behavior through existing restore action definitions and action tests cited in the proof map; no restore runtime hardening was needed in this slice.
  • T018 [P] [US1] Confirm restore audit/evidence negative proof through existing restore hardening and execution gate coverage where applicable; no new successful OperationRun/audit/evidence path was introduced.
  • T019 [P] [US1] Confirm restore partial/failed/conflict display proof through existing restore result/detail tests cited in the proof map; no restore display runtime change was made.

Implementation

  • T020 [US1] No-op after inventory: no RestoreRunResource or restore page/action hardening was applied because no in-scope restore runtime defect was found.
  • T021 [US1] No-op after inventory: no restore presenter/view fragment hardening was applied because no misleading blocked/stale/partial/failed state was found in this slice.
  • T022 [US1] No-op after inventory: no restore OperationRun/evidence link hardening was applied because no unauthorized or wrong-scope link defect was found in this slice.
  • T023 [US1] Update the proof map with restore states proven, fixed, deferred, and out-of-scope.

Phase 4: Backup Proof (P1)

Goal: Prove backup schedule/set/run actions across authorization, confirmation where applicable, provider/environment blockers, partial/failed states, and audit/proof side effects.

Independent Test: Run the focused backup Spec 401 Feature/Filament tests plus the backup path in the Spec 401 browser smoke.

Tests

  • T024 [P] [US2] Confirm backup schedule run/retry direct authorization proof through existing apps/platform/tests/Feature/BackupScheduling/RunNowRetryActionsTest.php, apps/platform/tests/Feature/RunStartAuthorizationTest.php, and the Spec 401 proof map.
  • T025 [P] [US2] Add backup schedule action confirmation/cancel proof for runNow, retry, restore, bulk_run_now, and bulk_retry in apps/platform/tests/Feature/BackupScheduling/Spec401HighRiskAdminActionProofPackTest.php.
  • T026 [P] [US2] Confirm cancelled/forbidden side-effect proof for the selected BackupSchedule slice through apps/platform/tests/Feature/BackupScheduling/Spec401HighRiskAdminActionProofPackTest.php, RunNowRetryActionsTest.php, BackupScheduleLifecycleTest.php, and BackupScheduleLifecycleAuthorizationTest.php; backup item/evidence artifacts are N/A for the selected BackupSchedule-only runtime hardening.
  • T027 [P] [US2] Confirm environment-scope blocker proof for the selected BackupSchedule slice through existing lifecycle authorization tests and the Spec 401 browser cross-tenant denied path; broader provider-readiness blocker proof remains provider-domain evidence, not new BackupSchedule runtime work.
  • T028 [P] [US2] Confirm failed/partial backup state display remained existing evidence-backed behavior in the proof map; no BackupSchedule runtime display change was made in this slice.
  • T029 [P] [US2] Confirm BackupSet/items high-impact action proof was satisfied by existing Spec371BackupSetProductizationTest, Spec371BackupSetProductizationSmokeTest, and relation-manager RBAC tests; no new apps/platform/tests/Feature/Filament/Spec401HighRiskAdminActionProofPackTest.php file was created for this BackupSchedule-only hardening slice.

Implementation

  • T030 [US2] Harden apps/platform/app/Filament/Resources/BackupScheduleResource.php and page/action classes only if tests reveal missing confirmation, authorization, or wrong side effects.
  • T031 [US2] No-op after inventory: no BackupSetResource or BackupItemsRelationManager hardening was applied because no high-impact action proof gap was found in the selected slice.
  • T032 [US2] No-op after inventory: no backup job/service hardening was applied because no misleading OperationRun/audit/proof state was found for this BackupSchedule confirmation slice.
  • T033 [US2] Update the proof map with backup states proven, fixed, deferred, and out-of-scope.

Phase 5: Provider Setup / Detail Proof (P1)

Goal: Prove provider setup/detail/readiness actions across authorization, stale/missing permission/failed/partial states, raw-detail demotion, and audit/evidence/OperationRun scope safety.

Independent Test: Run existing provider Feature/Filament evidence cited in the proof map plus the provider path in the Spec 401 browser smoke; direct provider Spec 401 follow-up tests are deferred where listed below.

Tests

  • T034 [P] [US3] Deferred: provider create/edit/verify/readiness/disable direct invocation authorization needs a dedicated provider follow-up test file if this proof pack expands beyond the BackupSchedule hardening slice.
  • T035 [P] [US3] Confirm provider missing-permission/stale/failed/partial state display through existing Spec 394 provider freshness/permission smoke evidence and the Spec 401 browser stale-provider path; no ProviderConnections/Spec401HighRiskAdminActionProofPackTest.php file was created.
  • T036 [P] [US3] Confirm provider raw-detail demotion through existing provider/resource evidence cited in implementation-report.md; no new provider runtime or provider Spec 401 feature test was added in this slice.
  • T037 [P] [US3] Deferred: provider audit/evidence negative tests for cancelled/forbidden actions remain follow-up because provider runtime was not changed and ProviderConnectionsUiEnforcementTest.php has an independent readonly visibility residual.
  • T038 [P] [US3] Deferred: provider OperationRun/evidence/audit link scope tests remain follow-up for the same provider residual; this BackupSchedule hardening did not expose or alter provider proof links.

Implementation

  • T039 [US3] No-op after inventory: no provider resource/page hardening was applied in this BackupSchedule slice; provider residual is recorded for follow-up.
  • T040 [US3] No-op after inventory: no required-permissions/readiness runtime hardening was applied in this BackupSchedule slice.
  • T041 [US3] No-op after inventory: no provider jobs/services/audit paths were changed in this BackupSchedule slice.
  • T042 [US3] Update the proof map with provider states proven, fixed, deferred, and out-of-scope.

Phase 6: Browser Proof And Product Surface Close-out (P2)

Goal: Prove focused rendered behavior and complete review evidence without broad browser audit.

Independent Test: apps/platform/tests/Browser/Spec401HighRiskAdminActionProofPackSmokeTest.php passes and the report records exact paths, states, and limitations.

  • T043 [P] [US4] Add focused browser smoke in apps/platform/tests/Browser/Spec401HighRiskAdminActionProofPackSmokeTest.php using existing authenticated workspace/environment browser harness patterns.
  • T044 [US4] Browser smoke covers restore preview/readiness critical state and confirmation/cancel or equivalent high-impact guard.
  • T045 [US4] Browser smoke covers backup create/view/detail or equivalent high-impact backup path.
  • T046 [US4] Browser smoke covers provider setup/detail readiness/freshness/permission state.
  • T047 [US4] Browser smoke covers one unauthorized, disabled, or blocked high-impact path.
  • T048 [US4] Browser smoke checks console/runtime/network/Livewire/Filament/500-error result and records unrelated full-suite failures only when focused proof is green.
  • T049 [US4] Complete Human Product Sanity result in specs/401-high-risk-admin-action-proof-pack/implementation-report.md.
  • T050 [US4] Record Product Surface close-out fields in specs/401-high-risk-admin-action-proof-pack/implementation-report.md.

Phase 7: Final Validation And Report

Purpose: Prove the implementation is bounded, tested, and ready for review.

  • T051 Run focused Feature/Filament Spec 401 tests and record command/output summary in implementation-report.md.
  • T052 Run focused Spec 401 browser smoke and record command/output summary in implementation-report.md.
  • T053 Run affected existing restore, backup, provider, OperationRun, audit, or evidence tests identified by implementation and record command/output summary.
  • T054 Run cd apps/platform && ./vendor/bin/sail pint --dirty or justified equivalent formatting check.
  • T055 Run git diff --check.
  • T056 Record dirty state after implementation, tracked files changed, untracked files, and the assertion that no completed spec was rewritten.
  • T057 Record Livewire v4 compliance, provider registration location, global search posture, destructive/high-impact action posture, asset strategy, deployment impact, tests, browser/no-browser, visible complexity outcome, and follow-up candidates.
  • T058 Confirm no migrations, env vars, queue/scheduler/storage/assets/panel provider changes, new routes/pages/navigation, new status vocabulary, new provider families, or broad runtime framework were introduced unless spec/plan were updated first.

Dependencies And Execution Order

  • Phase 1 must complete before any runtime edits.
  • Phase 2 can run after the proof map identifies shared gaps.
  • Restore, Backup, and Provider phases may run in parallel after Phase 2 if they touch separate files.
  • Browser proof waits for selected domain hardening and fixtures to stabilize.
  • Final validation waits for all in-scope domain phases and browser proof.

Parallel Execution Examples

After Phase 2:

Agent A: T015-T023 restore proof and hardening.
Agent B: T024-T033 backup proof and hardening.
Agent C: T034-T042 provider proof and hardening.

Before merge:

Run T043-T050 browser/product-surface close-out after domain changes settle.
Run T051-T058 final validation after all in-scope fixes are complete.

Non-Goals Checklist

  • NT001 Do not add new admin/customer surfaces, routes, pages, panels, navigation, or widgets.
  • NT002 Do not introduce new persisted truth, migrations, status families, provider integrations, product concepts, or runtime frameworks.
  • NT003 Do not rewrite completed specs, remove validation evidence, normalize completed task markers, or strip close-out/browser/smoke history.
  • NT004 Do not perform a broad browser/UX/runtime audit.
  • NT005 Do not solve management-report PDF staging validation, governance artifact lifecycle, JSON-to-JSONB hardening, resource-policy matrix, or full provider onboarding productization.
  • NT006 Do not invent behavior where product contracts are silent; record product-decision debt.
  • NT007 Do not include secrets, raw provider payloads, raw tenant data, credentials, or sensitive IDs in screenshots, logs, audit metadata, or reports.

Start with proof, not fixes. Reuse existing tests and shared paths wherever possible. Make failing or missing proof explicit, harden only the exact defect, then record the proof evidence. Treat missing product decisions as reportable gaps instead of expanding this proof pack.