TenantAtlas

ahmido/TenantAtlas

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ahmed Darrazi	1212412db6	refactor: finish post-wave-1 singleton page cleanup Enroll InventoryCoverage, Monitoring Operations, NoAccess, TenantlessOperationRunViewer, TenantDiagnostics, and TenantRequiredPermissions in the action surface contract. Keep Monitoring Alerts explicitly exempt because /admin/alerts resolves through the alerts cluster entry rather than the page-class route.	2026-03-29 11:30:45 +02:00
ahmido	a989ef1a23	feat: workspace context enforcement (specs 070–072) (#85 ) Implements specs 070–072 (workspace foundation, workspace-scoped tenant selection, managed-tenants workspace enforcement). Highlights - Adds Workspace + WorkspaceMembership models/migrations + middleware to persist/enforce current workspace context. - Scopes tenant selection to the current workspace. - Makes legacy `/admin/managed-tenants*` routes redirect into workspace-scoped URLs. - Enforces tenant routes under `/admin/t/{tenant}` to 404 when workspace context is missing or mismatched. - Fixes Filament page Blade wrappers so header actions render on choose-workspace / choose-tenant / no-access pages. Verification - Pint: `vendor/bin/sail bin pint --dirty` - Tests: `vendor/bin/sail artisan test --compact tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php tests/Feature/Workspaces tests/Feature/Filament/ChooseTenantIsWorkspaceScopedTest.php tests/Feature/Filament/ChooseTenantRequiresWorkspaceTest.php tests/Feature/Filament/TenantSwitcherUrlResolvesTenantTest.php tests/Feature/ManagedTenants tests/Feature/AdminNewRedirectTest.php` Notes - Filament v5 / Livewire v4 compatible. - Panel provider registration stays in `bootstrap/providers.php` (Laravel 11+ rule). - No new heavy frontend assets added. Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #85	2026-02-02 10:07:41 +00:00
ahmido	c5fbcaa692	063-entra-signin (#76 ) Key changes Adds Entra OIDC redirect + callback endpoints under /auth/entra/* (token exchange only there). Upserts tenant users keyed by (entra_tenant_id = tid, entra_object_id = oid); regenerates session; never stores tokens. Blocks disabled / soft-deleted users with a generic error and safe logging. Membership-based post-login routing: 0 memberships → /admin/no-access 1 membership → tenant dashboard (via Filament URL helpers) >1 memberships → /admin/choose-tenant Adds Filament pages: /admin/choose-tenant (tenant selection + redirect) /admin/no-access (tenantless-safe) Both use simple layout to avoid tenant-required UI. Guards / tests Adds DbOnlyPagesDoNotMakeHttpRequestsTest to enforce DB-only render/hydration for: /admin/login, /admin/no-access, /admin/choose-tenant with Http::preventStrayRequests() Adds session separation smoke coverage to ensure tenant session doesn’t access system and vice versa. Runs: vendor/bin/sail artisan test --compact tests/Feature/Auth Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #76	2026-01-27 16:38:53 +00:00

Author

SHA1

Message

Date

Ahmed Darrazi

1212412db6

refactor: finish post-wave-1 singleton page cleanup

Enroll InventoryCoverage, Monitoring Operations, NoAccess, TenantlessOperationRunViewer, TenantDiagnostics, and TenantRequiredPermissions in the action surface contract.

Keep Monitoring Alerts explicitly exempt because /admin/alerts resolves through the alerts cluster entry rather than the page-class route.

2026-03-29 11:30:45 +02:00

ahmido

a989ef1a23

feat: workspace context enforcement (specs 070–072) (#85 )

Implements specs 070–072 (workspace foundation, workspace-scoped tenant selection, managed-tenants workspace enforcement).

Highlights
- Adds Workspace + WorkspaceMembership models/migrations + middleware to persist/enforce current workspace context.
- Scopes tenant selection to the current workspace.
- Makes legacy `/admin/managed-tenants*` routes redirect into workspace-scoped URLs.
- Enforces tenant routes under `/admin/t/{tenant}` to 404 when workspace context is missing or mismatched.
- Fixes Filament page Blade wrappers so header actions render on choose-workspace / choose-tenant / no-access pages.

Verification
- Pint: `vendor/bin/sail bin pint --dirty`
- Tests: `vendor/bin/sail artisan test --compact tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php tests/Feature/Workspaces tests/Feature/Filament/ChooseTenantIsWorkspaceScopedTest.php tests/Feature/Filament/ChooseTenantRequiresWorkspaceTest.php tests/Feature/Filament/TenantSwitcherUrlResolvesTenantTest.php tests/Feature/ManagedTenants tests/Feature/AdminNewRedirectTest.php`

Notes
- Filament v5 / Livewire v4 compatible.
- Panel provider registration stays in `bootstrap/providers.php` (Laravel 11+ rule).
- No new heavy frontend assets added.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #85

2026-02-02 10:07:41 +00:00

ahmido

c5fbcaa692

063-entra-signin (#76 )

Key changes

Adds Entra OIDC redirect + callback endpoints under /auth/entra/* (token exchange only there).
Upserts tenant users keyed by (entra_tenant_id = tid, entra_object_id = oid); regenerates session; never stores tokens.
Blocks disabled / soft-deleted users with a generic error and safe logging.
Membership-based post-login routing:
0 memberships → /admin/no-access
1 membership → tenant dashboard (via Filament URL helpers)
>1 memberships → /admin/choose-tenant
Adds Filament pages:
/admin/choose-tenant (tenant selection + redirect)
/admin/no-access (tenantless-safe)
Both use simple layout to avoid tenant-required UI.
Guards / tests

Adds DbOnlyPagesDoNotMakeHttpRequestsTest to enforce DB-only render/hydration for:
/admin/login, /admin/no-access, /admin/choose-tenant
with Http::preventStrayRequests()
Adds session separation smoke coverage to ensure tenant session doesn’t access system and vice versa.
Runs: vendor/bin/sail artisan test --compact tests/Feature/Auth

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #76

2026-01-27 16:38:53 +00:00

3 Commits