Ahmed Darrazi
bd19864a42
fix(spec-085-086): stabilize ops UX + provider connection fixtures
2026-02-11 13:50:44 +01:00
Ahmed Darrazi
b870c0c8d4
feat(spec-086): retire legacy runs into operation runs
2026-02-11 01:03:00 +01:00
4db8030f2a
Spec 081: Provider connection cutover ( #98 )
...
Implements Spec 081 provider-connection cutover.
Highlights:
- Adds provider connection resolution + gating for operations/verification.
- Adds provider credential observer wiring.
- Updates Filament tenant verify flow to block with next-steps when provider connection isn’t ready.
- Adds spec docs under specs/081-provider-connection-cutover/ and extensive Spec081 test coverage.
Tests:
- vendor/bin/sail artisan test --compact tests/Feature/Filament/TenantSetupTest.php
- Focused suites for ProviderConnections/Verification ran during implementation (see local logs).
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #98
2026-02-08 11:28:51 +00:00
9c56a2349a
feat/047-inventory-foundations-nodes ( #51 )
...
Adds Inventory Sync toggle include_foundations (default true) + persistence tests
Adds Coverage “Dependencies” column (✅ /—) derived deterministically from graph_contracts (no Graph calls)
Spec/tasks/checklists updated + tasks ticked off
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #51
2026-01-10 20:47:29 +00:00
da18d3cb14
feat/042-inventory-dependencies-graph ( #50 )
...
This PR delivers the Inventory Dependencies Graph end-to-end: dependencies (edges) are extracted from Inventory Sync data, stored tenant-safely, and displayed in the Inventory Item detail view.
Goal: Admins can quickly identify prerequisites + blast radius (direct) without touching snapshot/restore.
⸻
What's included?
Dependency Graph (Edges)
• inventory_links schema + indexes + idempotent upsert (unique key)
• Relationship types (among others):
• assigned_to_include, assigned_to_exclude
• uses_assignment_filter
• scoped_by_scope_tag
• UI: Inventory Item → Dependencies Section
• Direction Filter: All / Inbound / Outbound
• Relationship Filter: All + specific relationship types
• Missing badge + safe tooltip (safe subset)
Safety / Observability
• Unknown/unsupported shapes produce no edges, but instead:
• Warning in InventorySyncRun.error_context.warnings[]
• optional info log (without secrets)
• Limit-only semantics (MVP): up to 50 edges per direction (max 100 for “All”)
• Blast radius in MVP = direct only (no depth>1 traversal)
Name Resolution (local, without Entra calls)
• Resolver/DTO layer for deterministic labels (no more “Unknown”)
• Resolution from the local DB only for foundations, when present:
• scope_tag → roleScopeTag
• assignment_filter → assignmentFilter
• aad_group deliberately remains an external ref: “Group (external): …” (no Graph/Entra lookups in the UI)
• Central FoundationTypeMap as source of truth (no hardcoding)
⸻
Out of Scope / Follow-up
• Entra group name resolution (needs its own “Group Inventory” module + permissions)
• Foundations as inventory items / Coverage tab (scope tags / assignment filters visible & syncable)
→ follows as a separate PR (Inventory Core/UI), so that 042 stays cleanly “edges-only”.
⸻
Tests / Verification
• Targeted Pest tests (unit + feature + UI smoke) for:
• deterministic edge creation + idempotent upsert
• tenant isolation (UI/Query)
• warnings on the run record
• resolver/name rendering + links (where possible)
• pint --dirty was run
⸻
Manual QA (UI)
1. Start an Inventory Sync Run with include_dependencies=true
2. Open an Inventory Item → check Dependencies:
• include/exclude + filter + scoped_by visible (when present)
• Relationship/Direction filters work
• no more “Unknown” labels, but deterministic labels instead
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #50
2026-01-10 12:50:08 +00:00
361e301f67
feat/042-inventory-dependencies-graph ( #49 )
...
Ordering + limit-only test for created_at DESC in DependencyExtractionFeatureTest.php
UI test for masked identifier (ID: 123456…) + guest access blocked in InventoryItemDependenciesTest.php
Quickstart extended with a manual <2s check in quickstart.md
pr-gate checkbox format normalized (no leading space) in pr-gate.md
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #49
2026-01-10 00:20:14 +00:00
cf5b0027e3
046-inventory-sync-button ( #47 )
...
Summary: Adds an include_dependencies toggle to the “Run Inventory Sync” modal and persists the selection in InventorySyncRun.selection_payload. Tests, quickstart and tasks were updated accordingly.
Files: InventoryLanding.php, InventorySyncButtonTest.php, quickstart.md, tasks.md
Motivation: Enables explicitly switching dependency extraction on/off per sync run (e.g. assignments/scope tags/foundations) instead of rigid defaults. Fits the existing selection_hash logic (InventorySelectionHasher) and the deterministic selection persistence.
Behavior: include_dependencies defaults to true in the modal. When the option is set, the value lands as a bool in selection_payload and influences selection_hash via normalization.
Tests: New/adjusted Pest test ensures that include_dependencies is persisted in selection_payload. Local test run:
./vendor/bin/sail artisan test tests/Feature/Inventory/InventorySyncButtonTest.php → all tests for this file passed.
./vendor/bin/pint --dirty was run (formatting ok).
How to test (quick):
Start Sail + Queue:
In Admin → Inventory: open “Run Inventory Sync”, toggle Include dependencies, run.
Check: the newly created InventorySyncRun.selection_payload.include_dependencies matches the chosen selection. Or run:
Notes / Next steps:
This change paves the way to later integrate dependency extraction (042-inventory-dependencies-graph) more deeply as an option.
Working tree is clean; there is an untracked directory 0800-future-features (unrelated).
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #47
2026-01-09 22:15:04 +00:00
8ae7a7234e
feat/040-inventory-core ( #43 )
...
Summary
Implements Inventory Core (Spec 040): a tenant-scoped, mutable “last observed” inventory catalog + sync run logging, with deterministic selection hashing and safe derived “missing” semantics.
This establishes the foundation for Inventory UI (041), Dependencies Graph (042), Compare/Promotion (043), and Drift (044).
What’s included
• DB schema
• inventory_items (unique: tenant_id + policy_type + external_id; indexes; last_seen_at, last_seen_run_id)
• inventory_sync_runs (tenant_id, selection_hash/payload, status, started/finished, counts, error_codes, correlation_id)
• Selection hashing
• Deterministic selection_hash via canonical JSON (sorted keys + sorted arrays) + sha256
• Sync semantics
• Idempotent upsert (no duplicates)
• Updates last_seen_* when observed
• Enforces tenant scoping for all reads/writes
• Guardrail: inventory sync does not create snapshots/backups
• Missing semantics (derived)
• “missing” computed relative to latest completed run for same (tenant_id, selection_hash)
• Low confidence when latest run is partial/failed or had_errors=true
• Selection isolation (runs for other selections don’t affect missing)
• deleted is reserved (not produced here)
• Safety
• meta_jsonb whitelist enforced (unknown keys dropped; never fail sync)
• Safe error persistence (no bearer tokens / secrets)
• Locking to prevent overlapping runs for same tenant+selection
• Concurrency limiter (global + per-tenant) and throttling resilience (429/503 backoff + jitter)
Tests
Added Pest coverage for:
• selection_hash determinism (array order invariant)
• upsert idempotency + last_seen updates
• missing derived semantics + selection isolation
• low confidence missing on partial/had_errors
• meta whitelist drop (no exception)
• lock prevents overlapping runs
• no snapshots/backups side effects
• safe error persistence (no bearer tokens)
Non-goals
• Inventory UI pages/resources (Spec 041)
• Dependency graph hydration (Spec 042)
• Cross-tenant compare/promotion flows (Spec 043)
• Drift analysis dashboards (Spec 044)
Review focus
• Data model correctness + indexes/constraints
• Selection hash canonicalization (determinism)
• Missing semantics (latest completed run + confidence rule)
• Guardrails (no snapshot/backups side effects)
• Safety: error_code taxonomy + safe persistence/logging
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #43
2026-01-07 14:54:24 +00:00
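The selection hashing described in the feat/040-inventory-core message above (canonical JSON with sorted keys and sorted arrays, then sha256), sketched as an added example; it is not the project's InventorySelectionHasher. The function names, the `policy_types` key and the sample payloads are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative sketch only: names below are hypothetical, not the project's API.

/** Serialize with fixed flags so equal structures always yield equal bytes. */
function encode(mixed $value): string
{
    return json_encode(
        $value,
        JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

/** Recursively sort map keys and list elements so input order is irrelevant. */
function canonicalize(mixed $value): mixed
{
    if (!is_array($value)) {
        return $value; // scalars keep their type: true and "true" hash differently
    }
    $value = array_map('canonicalize', $value); // single-array array_map keeps keys
    if (array_is_list($value)) {
        // Lists are ordered by each element's canonical JSON form.
        usort($value, fn (mixed $a, mixed $b): int => strcmp(encode($a), encode($b)));
        return $value;
    }
    ksort($value, SORT_STRING);
    return $value;
}

function selectionHash(array $payload): string
{
    return hash('sha256', encode(canonicalize($payload)));
}

// Constructed sample payloads (not taken from the repository).
$a = ['policy_types' => ['deviceConfiguration', 'compliancePolicy'],
      'include_dependencies' => true, 'include_foundations' => true];
// Same selection as $a, with different key order and list order.
$b = ['include_foundations' => true, 'include_dependencies' => true,
      'policy_types' => ['compliancePolicy', 'deviceConfiguration']];
// Differs from $a only in the include_dependencies toggle.
$c = [...$a, 'include_dependencies' => false];

var_dump(selectionHash($a) === selectionHash($b)); // reordered input
var_dump(selectionHash($a) === selectionHash($c)); // changed toggle
```

Because the lock and the derived “missing” state are both keyed on (tenant_id, selection_hash), any nondeterminism in this step would let equal selections run concurrently or be compared against the wrong run.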