45a804970e
feat: complete admin canonical tenant rollout ( #165 )
...
## Summary
- complete Spec 136 canonical admin tenant rollout across admin-visible and shared Filament surfaces
- add the shared panel-aware tenant resolver helper, persisted filter-state synchronization, and admin navigation segregation for tenant-sensitive resources
- expand regression, guard, and parity coverage for admin-path tenant resolution, stale filters, workspace-wide tenant-default surfaces, and panel split behavior
## Validation
- `vendor/bin/sail artisan test --compact tests/Feature/Guards/AdminTenantResolverGuardTest.php`
- `vendor/bin/sail artisan test --compact tests/Feature/Filament/TableStatePersistenceTest.php`
- `vendor/bin/sail artisan test --compact --filter='CanonicalAdminTenantFilterState|PolicyResource|BackupSchedule|BackupSet|FindingResource|BaselineCompareLanding|RestoreRunResource|InventoryItemResource|PolicyVersionResource|ProviderConnectionResource|TenantDiagnostics|InventoryCoverage|InventoryKpiHeader|AuditLog|EntraGroup'`
- `vendor/bin/sail bin pint --dirty --format agent`
## Notes
- Livewire v4.0+ compliance is preserved with Filament v5.
- Provider registration remains unchanged in `bootstrap/providers.php`.
- `PolicyResource` and `PolicyVersionResource` have admin global search disabled explicitly; `EntraGroupResource` keeps admin-aware scoped search with a View page.
- Destructive and governance-sensitive actions retain existing confirmation and authorization behavior while using canonical tenant parity.
- No new assets were introduced, so deployment asset strategy is unchanged and does not add new `filament:assets` work.
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #165
2026-03-13 08:09:20 +00:00
cd811cff4f
Spec 120: harden secret redaction integrity ( #146 )
...
## Summary
- replace broad substring-based masking with a shared exact/path-based secret classifier and workspace-scoped fingerprint hashing
- persist protected snapshot metadata on `policy_versions` and keep secret-only changes visible in compare, drift, restore, review, verification, and ops surfaces
- add Spec 120 artifacts, audit documentation, and focused Pest regression coverage for snapshot, audit, verification, review-pack, and notification behavior
## Validation
- `vendor/bin/sail artisan test --compact tests/Feature/Intune/PolicySnapshotRedactionTest.php tests/Feature/Intune/PolicySnapshotFingerprintIsolationTest.php tests/Feature/ReviewPack/ReviewPackRedactionIntegrityTest.php tests/Feature/OpsUx/OperationRunNotificationRedactionTest.php tests/Feature/Verification/VerificationReportViewerDbOnlyTest.php`
- `vendor/bin/sail bin pint --dirty --format agent`
## Spec / checklist status
| Checklist | Total | Completed | Incomplete | Status |
|-----------|-------|-----------|------------|--------|
| requirements.md | 16 | 16 | 0 | ✓ PASS |
- `tasks.md`: T001-T032 complete
- `tasks.md`: T033 manual quickstart validation is still open and noted for follow-up
## Filament / platform notes
- Livewire v4 compliance is unchanged
- no panel provider changes; `bootstrap/providers.php` remains the registration location
- no new globally searchable resources were introduced, so global search requirements are unchanged
- no new destructive Filament actions were added
- no new Filament assets were added; no `filament:assets` deployment change is required
## Testing coverage touched
- snapshot persistence and fingerprint isolation
- compare/drift protected-change evidence
- audit, verification, review-pack, ops-failure, and notification sanitization
- viewer/read-only Filament presentation updates
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #146
2026-03-07 16:43:01 +00:00
53dc89e6ef
Spec 075: Verification Checklist Framework V1.5 (fingerprint + acknowledgements) ( #93 )
...
Implements Spec 075 (V1.5) on top of Spec 074.
Highlights
- Deterministic report fingerprint (sha256) + previous_report_id linkage
- Viewer change indicator: "No changes" vs "Changed" when previous exists
- Check acknowledgements (fail|warn|block) with capability-first auth, confirmation, and audit event
- Verify-step UX polish (issues-first, primary CTA)
Testing
- Focused Pest coverage for fingerprint, previous resolver, change indicator, acknowledgements, badge semantics, DB-only viewer guard.
Notes
- Viewing remains DB-only (no external calls while rendering).
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #93
2026-02-05 21:44:19 +00:00
439248ba15
feat: verification report framework (074) ( #89 )
...
Implements the 074 verification checklist framework.
Highlights:
- Versioned verification report contract stored in operation_runs.context.verification_report (DB-only viewer).
- Strict sanitizer/redaction (evidence pointers only; no tokens/headers/payloads) + schema validation.
- Centralized BADGE-001 semantics for check status, severity, and overall report outcome.
- Deterministic start (dedupe while active) via shared StartVerification service; capability-first authorization (non-member 404, member missing capability 403).
- Completion audit event (verification.completed) with redacted metadata.
- Integrations: OperationRun detail viewer, onboarding wizard verification step, provider connection start surfaces.
Tests:
- vendor/bin/sail artisan test --compact tests/Feature/Verification tests/Unit/Badges/VerificationBadgesTest.php
- vendor/bin/sail bin pint --dirty
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #89
2026-02-03 23:58:17 +00:00
da18d3cb14
feat/042-inventory-dependencies-graph ( #50 )
...
Dieses PR liefert den Inventory Dependencies Graph end-to-end: Abhängigkeiten (Edges) werden aus Inventory-Sync-Daten extrahiert, tenant-sicher gespeichert und in der Inventory Item Detailansicht angezeigt.
Ziel: Admins können Prerequisites + Blast Radius (direct) schnell erkennen, ohne Snapshot/Restore anzufassen.
⸻
Was ist drin?
Dependency Graph (Edges)
• inventory_links Schema + Indizes + idempotentes Upsert (Unique Key)
• Relationship Types (u.a.):
• assigned_to_include, assigned_to_exclude
• uses_assignment_filter
• scoped_by_scope_tag
• UI: Inventory Item → Dependencies Section
• Direction Filter: All / Inbound / Outbound
• Relationship Filter: All + spezifische Relationship Types
• Missing-Badge + sicheres Tooltip (safe subset)
Safety / Observability
• Unknown/unsupported Shapes erzeugen keine Edges, sondern:
• Warning in InventorySyncRun.error_context.warnings[]
• optional info-log (ohne Secrets)
• Limit-only Semantik (MVP): bis zu 50 Edges pro Richtung (max 100 bei “All”)
• Blast Radius in MVP = direct only (kein depth>1 traversal)
Name Resolution (lokal, ohne Entra Calls)
• Resolver/DTO Layer für deterministische Labels (kein “Unknown” mehr)
• Auflösung aus lokaler DB nur für Foundations, wenn vorhanden:
• scope_tag → roleScopeTag
• assignment_filter → assignmentFilter
• aad_group bleibt bewusst external ref: “Group (external): …” (keine Graph/Entra Lookups im UI)
• Zentraler FoundationTypeMap als Source-of-Truth (keine Hardcodings)
⸻
Out of Scope / Follow-up
• Entra Group Name Resolution (braucht eigenes “Group Inventory” Modul + Permissions)
• Foundations als Inventory Items / Coverage Tab (Scope Tags / Assignment Filters sichtbar & syncbar)
→ folgt als separater PR (Inventory Core/UI), damit 042 sauber “Edges-only” bleibt.
⸻
Tests / Verifikation
• Targeted Pest Tests (Unit + Feature + UI smoke) für:
• deterministische Edge-Erzeugung + idempotent upsert
• tenant isolation (UI/Query)
• warnings auf Run Record
• resolver/name rendering + links (wo möglich)
• pint --dirty ausgeführt
⸻
Manual QA (UI)
1. Inventory Sync Run mit include_dependencies=true starten
2. Inventory Item öffnen → Dependencies prüfen:
• include/exclude + filter + scoped_by sichtbar (wenn vorhanden)
• Relationship/Direction Filter funktionieren
• keine “Unknown” Labels mehr, sondern deterministische Labels
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #50
2026-01-10 12:50:08 +00:00
361e301f67
feat/042-inventory-dependencies-graph ( #49 )
...
Ordering + limit-only Test für created_at DESC in DependencyExtractionFeatureTest.php
UI Test für masked Identifier (ID: 123456…) + Guest-Access blocked in InventoryItemDependenciesTest.php
Quickstart ergänzt um manuellen <2s Check in quickstart.md
pr-gate Checkbox-Format normalisiert (kein leading space) in pr-gate.md
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #49
2026-01-10 00:20:14 +00:00
