TenantAtlas

ahmido/TenantAtlas

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ahmed Darrazi	051db1842d	feat(107): implement Workspace Chooser v1 — all 40 tasks complete Spec 107: Workspace Chooser v1 (Enterprise) + In-App Switch Entry Point ## Core changes - Refactor EnsureWorkspaceSelected middleware: 7-step algorithm with auto-resume (single membership + last_workspace_id), stale session detection, ?choose=1 forced chooser, workspace-optional path bypass - Create WorkspaceRedirectResolver for DRY tenant-count branching (0→managed-tenants, 1→tenant-dashboard, >1→choose-tenant) - Add WorkspaceAutoSelected + WorkspaceSelected audit enum cases - Rewrite ChooseWorkspace page: role badges, tenant counts, wire:click selection, audit logging, WorkspaceRedirectResolver - Add 'Switch workspace' user menu item in AdminPanelProvider - Rewrite SwitchWorkspaceController with audit + resolver - Replace inline tenant branching in routes/web.php with resolver ## New test files (6) - WorkspaceRedirectResolverTest (5 tests Spec 107: Workspace Chooser v1 (Enterprise) + In-App Switch Entry Point ## Core changes - Refactor EnsureWorkspaceSelected middleware: 7-step algorithmst ## Core changes - Refactor EnsureWorkspaceSelected middleware: 7-stepes - Refactor Ensng auto-resume (single membership + last_workspace_id), stale sessioid detection, ?choose=1 forced chooser, w (security invariant preserve- Create WorkspaceRedirectResolver for DRY tenant-count branching (0→managed-tenants, 1→tenant-dashboapped (8163 assertions)	2026-02-22 17:19:19 +01:00
ahmido	6a15fe978a	feat: Spec 105 — Entra Admin Roles Evidence + Findings (#128 ) ## Summary Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support. ## What's included ### Core Services - EntraAdminRolesReportService — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication - EntraAdminRolesFindingGenerator — Creates/resolves/reopens findings based on high-privilege role catalog - HighPrivilegeRoleCatalog — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.) - ScanEntraAdminRolesJob — Queued job orchestrating scan → report → findings → alerts pipeline ### UI - AdminRolesSummaryWidget — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button - RBAC-gated: `ENTRA_ROLES_VIEW` for viewing, `ENTRA_ROLES_MANAGE` for scan trigger ### Infrastructure - Graph contracts for `entraRoleDefinitions` + `entraRoleAssignments` - `config/entra_permissions.php` — Entra permission registry - `StoredReport.fingerprint` migration (deduplication support) - `OperationCatalog` label + duration for `entra.admin_roles.scan` - Artisan command `entra:scan-admin-roles` for CLI/scheduled use ### Global UX improvement - SummaryCountsNormalizer: Zero values filtered, snake_case keys humanized (e.g. `report_deduped: 1` → `Report deduped: 1`). Affects all operation notifications. ## Test Coverage - 12 test files, 79+ tests, 307+ assertions - Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping ## Spec artifacts - `specs/105-entra-admin-roles-evidence-findings/tasks.md` — Full task breakdown (38 tasks, all complete) - `specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md` — All items checked ## Files changed 46 files changed, 3641 insertions(+), 15 deletions(-) Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #128	2026-02-22 02:37:36 +00:00

Author

SHA1

Message

Date

Ahmed Darrazi

051db1842d

feat(107): implement Workspace Chooser v1 — all 40 tasks complete

Spec 107: Workspace Chooser v1 (Enterprise) + In-App Switch Entry Point

## Core changes
- Refactor EnsureWorkspaceSelected middleware: 7-step algorithm with
  auto-resume (single membership + last_workspace_id), stale session
  detection, ?choose=1 forced chooser, workspace-optional path bypass
- Create WorkspaceRedirectResolver for DRY tenant-count branching
  (0→managed-tenants, 1→tenant-dashboard, >1→choose-tenant)
- Add WorkspaceAutoSelected + WorkspaceSelected audit enum cases
- Rewrite ChooseWorkspace page: role badges, tenant counts,
  wire:click selection, audit logging, WorkspaceRedirectResolver
- Add 'Switch workspace' user menu item in AdminPanelProvider
- Rewrite SwitchWorkspaceController with audit + resolver
- Replace inline tenant branching in routes/web.php with resolver

## New test files (6)
- WorkspaceRedirectResolverTest (5 tests
Spec 107: Workspace Chooser v1 (Enterprise) + In-App Switch Entry Point

## Core changes
- Refactor EnsureWorkspaceSelected middleware: 7-step algorithmst
## Core changes
- Refactor EnsureWorkspaceSelected middleware: 7-stepes - Refactor Ensng  auto-resume (single membership + last_workspace_id), stale sessioid  detection, ?choose=1 forced chooser, w (security invariant preserve- Create WorkspaceRedirectResolver for DRY tenant-count branching

  (0→managed-tenants, 1→tenant-dashboapped (8163 assertions)

2026-02-22 17:19:19 +01:00

ahmido

6a15fe978a

feat: Spec 105 — Entra Admin Roles Evidence + Findings (#128 )

## Summary

Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support.

## What's included

### Core Services
- **EntraAdminRolesReportService** — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication
- **EntraAdminRolesFindingGenerator** — Creates/resolves/reopens findings based on high-privilege role catalog
- **HighPrivilegeRoleCatalog** — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.)
- **ScanEntraAdminRolesJob** — Queued job orchestrating scan → report → findings → alerts pipeline

### UI
- **AdminRolesSummaryWidget** — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button
- RBAC-gated: `ENTRA_ROLES_VIEW` for viewing, `ENTRA_ROLES_MANAGE` for scan trigger

### Infrastructure
- Graph contracts for `entraRoleDefinitions` + `entraRoleAssignments`
- `config/entra_permissions.php` — Entra permission registry
- `StoredReport.fingerprint` migration (deduplication support)
- `OperationCatalog` label + duration for `entra.admin_roles.scan`
- Artisan command `entra:scan-admin-roles` for CLI/scheduled use

### Global UX improvement
- **SummaryCountsNormalizer**: Zero values filtered, snake_case keys humanized (e.g. `report_deduped: 1` → `Report deduped: 1`). Affects all operation notifications.

## Test Coverage
- **12 test files**, **79+ tests**, **307+ assertions**
- Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping

## Spec artifacts
- `specs/105-entra-admin-roles-evidence-findings/tasks.md` — Full task breakdown (38 tasks, all complete)
- `specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md` — All items checked

## Files changed
46 files changed, 3641 insertions(+), 15 deletions(-)

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #128

2026-02-22 02:37:36 +00:00

2 Commits