ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: ahmido:233-stale-run-visibility
Branches Tags
ahmido:dev
ahmido:237-provider-boundary-hardening-session-1777061713
ahmido:236-canonical-control-catalog-foundation
ahmido:235-baseline-capture-truth
ahmido:234-dead-transitional-residue
ahmido:233-stale-run-visibility
ahmido:232-operation-run-link-contract
ahmido:231-finding-outcome-taxonomy
ahmido:chore/spec-kit-migration-20260422
ahmido:230-findings-notification-convergence
ahmido:225-assignment-hygiene
ahmido:226-astrodeck-inventory-planning
ahmido:223-astrodeck-website-rebuild
ahmido:224-findings-notifications-escalation
ahmido:222-findings-intake-team-queue
ahmido:217-homepage-hero-session-1776809852
ahmido:221-findings-operator-inbox
ahmido:220-governance-run-summaries
ahmido:219-finding-ownership-semantics
ahmido:216-provider-dispatch-gate
ahmido:216-homepage-structure
ahmido:214-governance-outcome-compression
ahmido:215-website-core-pages
ahmido:214-website-visual-foundation
ahmido:201-enforcement-review-guardrails
ahmido:213-website-foundation-v0
ahmido:200-filament-surface-rules
ahmido:199-global-context-shell-contract-session-1776515985
ahmido:212-test-authoring-guardrails
ahmido:211-runtime-trend-recalibration
ahmido:210-ci-matrix-budget-enforcement
ahmido:209-heavy-governance-cost
ahmido:208-heavy-suite-segmentation
ahmido:207-shared-test-fixture-slimming
ahmido:206-test-suite-governance
ahmido:198-monitoring-page-state
ahmido:197-shared-detail-contract
ahmido:feat/196-hard-filament-nativity-cleanup
ahmido:205-compare-job-cleanup
ahmido:204-platform-core-vocabulary-hardening
ahmido:203-baseline-compare-strategy
ahmido:202-governance-subject-taxonomy
ahmido:196-hard-filament-nativity-cleanup
ahmido:195-action-surface-closure
ahmido:194-governance-friction-hardening
ahmido:feat/decision-based-operating-foundations
ahmido:191-baseline-compare-operator-mode
ahmido:193-monitoring-action-hierarchy
ahmido:192-record-header-discipline
ahmido:190-baseline-compare-matrix
ahmido:189-portfolio-triage-review-state
ahmido:188-provider-connection-state-cleanup
ahmido:187-portfolio-triage-arrival-context
ahmido:186-tenant-registry-recovery-triage
ahmido:185-workspace-recovery-posture-visibility
ahmido:184-dashboard-recovery-honesty
ahmido:183-website-workspace-foundation
ahmido:182-platform-relocation
ahmido:180-tenant-backup-health
ahmido:176-backup-quality-truth
ahmido:181-restore-safety-integrity
ahmido:178-ops-truth-alignment
ahmido:feat/177-inventory-coverage-truth
ahmido:179-provider-truth-cleanup
ahmido:175-workspace-governance-attention
ahmido:174-evidence-freshness-publication-trust
ahmido:173-tenant-dashboard-truth-alignment
ahmido:172-deferred-operator-surfaces-retrofit
ahmido:171-operations-naming-consolidation
ahmido:170-system-operations-surface-alignment
ahmido:169-action-surface-v11-session-1774840370
ahmido:168-tenant-governance-aggregate-contract
ahmido:167-derived-state-memoization
ahmido:166-finding-governance-health
ahmido:165-baseline-summary-trust
ahmido:164-run-detail-hardening
ahmido:163-baseline-subject-resolution
ahmido:162-baseline-gap-details
ahmido:161-operator-explanation-layer
ahmido:160-operation-lifecycle-guarantees
ahmido:159-baseline-snapshot-truth
ahmido:158-artifact-truth-semantics-session-1774215243
ahmido:157-reason-code-translation
ahmido:156-operator-outcome-taxonomy
ahmido:155-tenant-review-layer
ahmido:154-finding-risk-acceptance
ahmido:153-evidence-domain-foundation
ahmido:152-livewire-context-locking
ahmido:151-findings-workflow-backstop
ahmido:150-tenant-owned-query-canon-and-wrong-tenant-guards
ahmido:149-queued-execution-reauthorization
ahmido:docs/domain-expansion-roadmap-candidates
ahmido:148-central-tenant-operability-policy
ahmido:147-tenant-selector-remembered-context-enforcement
ahmido:146-central-tenant-status-presentation
ahmido:145-tenant-action-taxonomy-lifecycle-safe-visibility
ahmido:144-canonical-operation-viewer-context-decoupling
ahmido:143-tenant-lifecycle-operability-context-semantics
ahmido:142-rbac-role-definition-diff-ux-upgrade
ahmido:141-shared-diff-presentation-foundation
ahmido:140-onboarding-lifecycle-operation-checkpoints-concurrency-mvp
ahmido:139-verify-access-permissions-assist
ahmido:feat/138-managed-tenant-onboarding-draft-identity
ahmido:137-platform-provider-identity
ahmido:136-admin-canonical-tenant
ahmido:135-canonical-tenant-context-resolution
ahmido:codex/134-audit-log-foundation-session-1773186754
ahmido:133-detail-page-template
ahmido:codex/132-guid-context-resolver-session-1773161839
ahmido:131-cross-resource-navigation
ahmido:ui-naming-constitution-session-1773152548
ahmido:131-cross-resource-navigation-session-1773152477
ahmido:130-structured-snapshot-rendering
ahmido:129-workspace-admin-home
ahmido:feat/128-rbac-baseline-compare
ahmido:127-rbac-inventory-backup
ahmido:126-filter-ux-standardization
ahmido:dev-session-1773011801
ahmido:125-table-ux-standardization
ahmido:124-inventory-coverage-table
ahmido:docs/remove-monitoring-hub-candidate
ahmido:123-operations-auto-refresh
ahmido:122-empty-state-consistency
ahmido:121-workspace-switch-fix
ahmido:120-secret-redaction-integrity
ahmido:feat/119-baseline-drift-engine
ahmido:118-baseline-drift-engine
ahmido:117-baseline-drift-engine
ahmido:116-baseline-drift-engine
ahmido:115-baseline-operability-alerts
ahmido:114-system-console-control-tower
ahmido:114-system-console-control-tower-session-1772188674
ahmido:113-platform-ops-runbooks
ahmido:112-list-expand-parity
ahmido:111-findings-workflow-sla
ahmido:feat/110-ops-ux-enforcement
ahmido:110-ops-ux-enforcement
ahmido:109-review-pack-export
ahmido:108-provider-access-hardening
ahmido:107-workspace-chooser
ahmido:fix/pest-makeassignment-collision
ahmido:106-required-permissions-sidebar-context
ahmido:105-entra-admin-roles-evidence-findings
ahmido:104-provider-permission-posture
ahmido:103-ia-scope-filter-semantics
ahmido:feat/700-bugfix
ahmido:feat/102-filament-5-2-1-upgrade
ahmido:101-golden-master-baseline-governance-v1
ahmido:101-golden-master-baseline-governance-v1-session-1771506612
ahmido:feat/100-alert-target-test-actions
ahmido:feat/099-alerts-v1-teams-email
ahmido:098-settings-slices-v1-backup-drift-ops
ahmido:097-settings-foundation
ahmido:fix/tenant-permissions-workspace-id
ahmido:fix/tenant-permissions-workspace-id-session-1771192503
ahmido:096-ops-polish-assignment-dedupe-system-tracking
ahmido:095-graph-contracts-registry-completeness
ahmido:094-assignment-ops-observability-hardening
ahmido:093-scope-001-workspace-id-isolation
ahmido:docs/constitution-scope-1.8.2
ahmido:092-legacy-purge-final
ahmido:091-backupschedule-retention-lifecycle
ahmido:090-action-surface-contract-compliance
ahmido:089-provider-connections-tenantless-ui
ahmido:087-legacy-runs-removal
ahmido:088-remove-tenant-graphoptions-legacy
ahmido:085-tenant-operate-hub
ahmido:084-verification-surfaces-unification
ahmido:083-required-permissions-hardening
ahmido:082-action-surface-contract
ahmido:chore/spec-kit-action-surface-contract
ahmido:081-provider-connection-cutover
ahmido:080-workspace-managed-tenant-admin
ahmido:079-inventory-links-non-uuid-ids
ahmido:078-operations-tenantless-canonical
ahmido:077-workspace-nav-monitoring-hub
ahmido:076-permissions-enterprise-ui
ahmido:075-verification-v1_5
ahmido:073-unified-managed-tenant-onboarding-wizard
ahmido:feat/072-managed-tenants-workspace-enforcement
ahmido:feat/999-merge-integration-session-1769990000
ahmido:069-tenant-onboarding-wizard-v2-session-1769905221
ahmido:069-managed-tenant-onboarding-wizard-session-1769903080
ahmido:068-workspaces-v2
ahmido:068-workspace-foundation-v1
ahmido:067-rbac-troubleshooting
ahmido:feat/066-rbac-ui-enforcement-helper-v2
ahmido:spec/066-rbac-ui-enforcement-helper-v2
ahmido:066-rbac-ui-enforcement-helper
ahmido:dev-session-1769637808
ahmido:065-tenant-rbac-v1
ahmido:dev-session-1769551498
ahmido:064-auth-structure
ahmido:063-entra-signin
ahmido:061-provider-foundation
ahmido:060-tag-badge-catalog
ahmido:059-unified-badges
ahmido:058-tenant-ui-polish
ahmido:feat/057-filament-v5-upgrade
ahmido:057-filament-v5-upgrade
ahmido:feat/053-unify-runs-monitoring
ahmido:feat/052-async-add-policies
ahmido:feat/044-drift-mvp
ahmido:051-entra-group-directory-cache
ahmido:feat/049-backup-restore-job-orchestration
ahmido:feat/048-backup-restore-ui-graph-safety
ahmido:feat/000-specify-deprecate
ahmido:feat/047-inventory-foundations-nodes
ahmido:feat/042-inventory-dependencies-graph
ahmido:046-inventory-sync-button
ahmido:feat/045-settingscatalog-classification
ahmido:fix/sail-node-modules-volume
ahmido:fix/pest-uses-cleanup
ahmido:feat/041-inventory-ui
ahmido:feat/040-inventory-core
ahmido:chore/docs-constitution-v1.1.0
ahmido:chore/solo-copilot-workflow
ahmido:feat/011-restore-run-wizard
ahmido:feat/011-restore-run-wizard-session-1767749508
ahmido:feat/011-restore-run-wizard-session-1767749319
ahmido:feat/032-backup-scheduling-mvp
ahmido:fix/032-manual-dispatch-unique-violation-session-1767604982
ahmido:feat/032-next-run-schedule-timezone-session-1767604322
ahmido:feat/032-backup-scheduling-mvp-session-1767583912
ahmido:feat/031-tenant-portfolio-context-switch
ahmido:feat/027-enrollment-config-subtypes
ahmido:feat/024-terms-and-conditions
ahmido:feat/026-custom-compliance-scripts
ahmido:spec/024-additional-intune-types
ahmido:feat/018-driver-updates-wufb
ahmido:feat/023-endpoint-security-restore-into-dev
ahmido:feat/023-endpoint-security-restore
ahmido:feat/017-policy-types-mam-endpoint-security-baselines
ahmido:016-backup-version-reuse
ahmido:015-policy-picker-ux
ahmido:014-enrollment-autopilot
ahmido:014-enrollment-autopilot-session-1767305003
ahmido:013-scripts-management
ahmido:feat/012-windows-update-rings
ahmido:feat/011-restore-run-wizard-session-1767185846
ahmido:feat/010-admin-templates
ahmido:feat/009-app-protection-policy
ahmido:feat/008-apps-app-management
ahmido:feat/007-device-config-compliance
ahmido:spec/007-008-workload-specs
ahmido:feat/005-bulk-operations
ahmido:feat/004-assignments-scope-tags
..
compare: ahmido:dev
Branches Tags
ahmido:dev
ahmido:237-provider-boundary-hardening-session-1777061713
ahmido:236-canonical-control-catalog-foundation
ahmido:235-baseline-capture-truth
ahmido:234-dead-transitional-residue
ahmido:233-stale-run-visibility
ahmido:232-operation-run-link-contract
ahmido:231-finding-outcome-taxonomy
ahmido:chore/spec-kit-migration-20260422
ahmido:230-findings-notification-convergence
ahmido:225-assignment-hygiene
ahmido:226-astrodeck-inventory-planning
ahmido:223-astrodeck-website-rebuild
ahmido:224-findings-notifications-escalation
ahmido:222-findings-intake-team-queue
ahmido:217-homepage-hero-session-1776809852
ahmido:221-findings-operator-inbox
ahmido:220-governance-run-summaries
ahmido:219-finding-ownership-semantics
ahmido:216-provider-dispatch-gate
ahmido:216-homepage-structure
ahmido:214-governance-outcome-compression
ahmido:215-website-core-pages
ahmido:214-website-visual-foundation
ahmido:201-enforcement-review-guardrails
ahmido:213-website-foundation-v0
ahmido:200-filament-surface-rules
ahmido:199-global-context-shell-contract-session-1776515985
ahmido:212-test-authoring-guardrails
ahmido:211-runtime-trend-recalibration
ahmido:210-ci-matrix-budget-enforcement
ahmido:209-heavy-governance-cost
ahmido:208-heavy-suite-segmentation
ahmido:207-shared-test-fixture-slimming
ahmido:206-test-suite-governance
ahmido:198-monitoring-page-state
ahmido:197-shared-detail-contract
ahmido:feat/196-hard-filament-nativity-cleanup
ahmido:205-compare-job-cleanup
ahmido:204-platform-core-vocabulary-hardening
ahmido:203-baseline-compare-strategy
ahmido:202-governance-subject-taxonomy
ahmido:196-hard-filament-nativity-cleanup
ahmido:195-action-surface-closure
ahmido:194-governance-friction-hardening
ahmido:feat/decision-based-operating-foundations
ahmido:191-baseline-compare-operator-mode
ahmido:193-monitoring-action-hierarchy
ahmido:192-record-header-discipline
ahmido:190-baseline-compare-matrix
ahmido:189-portfolio-triage-review-state
ahmido:188-provider-connection-state-cleanup
ahmido:187-portfolio-triage-arrival-context
ahmido:186-tenant-registry-recovery-triage
ahmido:185-workspace-recovery-posture-visibility
ahmido:184-dashboard-recovery-honesty
ahmido:183-website-workspace-foundation
ahmido:182-platform-relocation
ahmido:180-tenant-backup-health
ahmido:176-backup-quality-truth
ahmido:181-restore-safety-integrity
ahmido:178-ops-truth-alignment
ahmido:feat/177-inventory-coverage-truth
ahmido:179-provider-truth-cleanup
ahmido:175-workspace-governance-attention
ahmido:174-evidence-freshness-publication-trust
ahmido:173-tenant-dashboard-truth-alignment
ahmido:172-deferred-operator-surfaces-retrofit
ahmido:171-operations-naming-consolidation
ahmido:170-system-operations-surface-alignment
ahmido:169-action-surface-v11-session-1774840370
ahmido:168-tenant-governance-aggregate-contract
ahmido:167-derived-state-memoization
ahmido:166-finding-governance-health
ahmido:165-baseline-summary-trust
ahmido:164-run-detail-hardening
ahmido:163-baseline-subject-resolution
ahmido:162-baseline-gap-details
ahmido:161-operator-explanation-layer
ahmido:160-operation-lifecycle-guarantees
ahmido:159-baseline-snapshot-truth
ahmido:158-artifact-truth-semantics-session-1774215243
ahmido:157-reason-code-translation
ahmido:156-operator-outcome-taxonomy
ahmido:155-tenant-review-layer
ahmido:154-finding-risk-acceptance
ahmido:153-evidence-domain-foundation
ahmido:152-livewire-context-locking
ahmido:151-findings-workflow-backstop
ahmido:150-tenant-owned-query-canon-and-wrong-tenant-guards
ahmido:149-queued-execution-reauthorization
ahmido:docs/domain-expansion-roadmap-candidates
ahmido:148-central-tenant-operability-policy
ahmido:147-tenant-selector-remembered-context-enforcement
ahmido:146-central-tenant-status-presentation
ahmido:145-tenant-action-taxonomy-lifecycle-safe-visibility
ahmido:144-canonical-operation-viewer-context-decoupling
ahmido:143-tenant-lifecycle-operability-context-semantics
ahmido:142-rbac-role-definition-diff-ux-upgrade
ahmido:141-shared-diff-presentation-foundation
ahmido:140-onboarding-lifecycle-operation-checkpoints-concurrency-mvp
ahmido:139-verify-access-permissions-assist
ahmido:feat/138-managed-tenant-onboarding-draft-identity
ahmido:137-platform-provider-identity
ahmido:136-admin-canonical-tenant
ahmido:135-canonical-tenant-context-resolution
ahmido:codex/134-audit-log-foundation-session-1773186754
ahmido:133-detail-page-template
ahmido:codex/132-guid-context-resolver-session-1773161839
ahmido:131-cross-resource-navigation
ahmido:ui-naming-constitution-session-1773152548
ahmido:131-cross-resource-navigation-session-1773152477
ahmido:130-structured-snapshot-rendering
ahmido:129-workspace-admin-home
ahmido:feat/128-rbac-baseline-compare
ahmido:127-rbac-inventory-backup
ahmido:126-filter-ux-standardization
ahmido:dev-session-1773011801
ahmido:125-table-ux-standardization
ahmido:124-inventory-coverage-table
ahmido:docs/remove-monitoring-hub-candidate
ahmido:123-operations-auto-refresh
ahmido:122-empty-state-consistency
ahmido:121-workspace-switch-fix
ahmido:120-secret-redaction-integrity
ahmido:feat/119-baseline-drift-engine
ahmido:118-baseline-drift-engine
ahmido:117-baseline-drift-engine
ahmido:116-baseline-drift-engine
ahmido:115-baseline-operability-alerts
ahmido:114-system-console-control-tower
ahmido:114-system-console-control-tower-session-1772188674
ahmido:113-platform-ops-runbooks
ahmido:112-list-expand-parity
ahmido:111-findings-workflow-sla
ahmido:feat/110-ops-ux-enforcement
ahmido:110-ops-ux-enforcement
ahmido:109-review-pack-export
ahmido:108-provider-access-hardening
ahmido:107-workspace-chooser
ahmido:fix/pest-makeassignment-collision
ahmido:106-required-permissions-sidebar-context
ahmido:105-entra-admin-roles-evidence-findings
ahmido:104-provider-permission-posture
ahmido:103-ia-scope-filter-semantics
ahmido:feat/700-bugfix
ahmido:feat/102-filament-5-2-1-upgrade
ahmido:101-golden-master-baseline-governance-v1
ahmido:101-golden-master-baseline-governance-v1-session-1771506612
ahmido:feat/100-alert-target-test-actions
ahmido:feat/099-alerts-v1-teams-email
ahmido:098-settings-slices-v1-backup-drift-ops
ahmido:097-settings-foundation
ahmido:fix/tenant-permissions-workspace-id
ahmido:fix/tenant-permissions-workspace-id-session-1771192503
ahmido:096-ops-polish-assignment-dedupe-system-tracking
ahmido:095-graph-contracts-registry-completeness
ahmido:094-assignment-ops-observability-hardening
ahmido:093-scope-001-workspace-id-isolation
ahmido:docs/constitution-scope-1.8.2
ahmido:092-legacy-purge-final
ahmido:091-backupschedule-retention-lifecycle
ahmido:090-action-surface-contract-compliance
ahmido:089-provider-connections-tenantless-ui
ahmido:087-legacy-runs-removal
ahmido:088-remove-tenant-graphoptions-legacy
ahmido:085-tenant-operate-hub
ahmido:084-verification-surfaces-unification
ahmido:083-required-permissions-hardening
ahmido:082-action-surface-contract
ahmido:chore/spec-kit-action-surface-contract
ahmido:081-provider-connection-cutover
ahmido:080-workspace-managed-tenant-admin
ahmido:079-inventory-links-non-uuid-ids
ahmido:078-operations-tenantless-canonical
ahmido:077-workspace-nav-monitoring-hub
ahmido:076-permissions-enterprise-ui
ahmido:075-verification-v1_5
ahmido:073-unified-managed-tenant-onboarding-wizard
ahmido:feat/072-managed-tenants-workspace-enforcement
ahmido:feat/999-merge-integration-session-1769990000
ahmido:069-tenant-onboarding-wizard-v2-session-1769905221
ahmido:069-managed-tenant-onboarding-wizard-session-1769903080
ahmido:068-workspaces-v2
ahmido:068-workspace-foundation-v1
ahmido:067-rbac-troubleshooting
ahmido:feat/066-rbac-ui-enforcement-helper-v2
ahmido:spec/066-rbac-ui-enforcement-helper-v2
ahmido:066-rbac-ui-enforcement-helper
ahmido:dev-session-1769637808
ahmido:065-tenant-rbac-v1
ahmido:dev-session-1769551498
ahmido:064-auth-structure
ahmido:063-entra-signin
ahmido:061-provider-foundation
ahmido:060-tag-badge-catalog
ahmido:059-unified-badges
ahmido:058-tenant-ui-polish
ahmido:feat/057-filament-v5-upgrade
ahmido:057-filament-v5-upgrade
ahmido:feat/053-unify-runs-monitoring
ahmido:feat/052-async-add-policies
ahmido:feat/044-drift-mvp
ahmido:051-entra-group-directory-cache
ahmido:feat/049-backup-restore-job-orchestration
ahmido:feat/048-backup-restore-ui-graph-safety
ahmido:feat/000-specify-deprecate
ahmido:feat/047-inventory-foundations-nodes
ahmido:feat/042-inventory-dependencies-graph
ahmido:046-inventory-sync-button
ahmido:feat/045-settingscatalog-classification
ahmido:fix/sail-node-modules-volume
ahmido:fix/pest-uses-cleanup
ahmido:feat/041-inventory-ui
ahmido:feat/040-inventory-core
ahmido:chore/docs-constitution-v1.1.0
ahmido:chore/solo-copilot-workflow
ahmido:feat/011-restore-run-wizard
ahmido:feat/011-restore-run-wizard-session-1767749508
ahmido:feat/011-restore-run-wizard-session-1767749319
ahmido:feat/032-backup-scheduling-mvp
ahmido:fix/032-manual-dispatch-unique-violation-session-1767604982
ahmido:feat/032-next-run-schedule-timezone-session-1767604322
ahmido:feat/032-backup-scheduling-mvp-session-1767583912
ahmido:feat/031-tenant-portfolio-context-switch
ahmido:feat/027-enrollment-config-subtypes
ahmido:feat/024-terms-and-conditions
ahmido:feat/026-custom-compliance-scripts
ahmido:spec/024-additional-intune-types
ahmido:feat/018-driver-updates-wufb
ahmido:feat/023-endpoint-security-restore-into-dev
ahmido:feat/023-endpoint-security-restore
ahmido:feat/017-policy-types-mam-endpoint-security-baselines
ahmido:016-backup-version-reuse
ahmido:015-policy-picker-ux
ahmido:014-enrollment-autopilot
ahmido:014-enrollment-autopilot-session-1767305003
ahmido:013-scripts-management
ahmido:feat/012-windows-update-rings
ahmido:feat/011-restore-run-wizard-session-1767185846
ahmido:feat/010-admin-templates
ahmido:feat/009-app-protection-policy
ahmido:feat/008-apps-app-management
ahmido:feat/007-device-config-compliance
ahmido:spec/007-008-workload-specs
ahmido:feat/005-bulk-operations
ahmido:feat/004-assignments-scope-tags

5 Commits
233-stale- ... dev

Author SHA1 Message Date
ahmido
bd26e209de feat: harden provider boundaries (#273)
Some checks failed
Main Confidence / confidence (push) Failing after 57s
Details 
## Summary
- add the provider boundary catalog, boundary support types, and guardrails for platform-core versus provider-owned seams
- harden provider gateway, identity resolution, operation registry, and start-gate behavior to require explicit provider bindings
- add unit and feature coverage for boundary classification, runtime preservation, unsupported paths, and platform-core leakage guards
- add the full Spec Kit artifact set for spec 237 and update roadmap/spec-candidate tracking

## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Providers/ProviderBoundaryClassificationTest.php tests/Unit/Providers/ProviderBoundaryGuardrailTest.php tests/Feature/Providers/ProviderBoundaryHardeningTest.php tests/Feature/Providers/UnsupportedProviderBoundaryPathTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Providers/ProviderGatewayTest.php tests/Unit/Providers/ProviderIdentityResolverTest.php tests/Unit/Providers/ProviderOperationStartGateTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- browser smoke: `http://localhost/admin/provider-connections?tenant_id=18000000-0000-4000-8000-000000000180` loaded with the local smoke user, the empty-state CTA reached the canonical create route, and cancel returned to the scoped list

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #273
 2026-04-24 21:05:37 +00:00
ahmido
6a5b8a3a11 feat: canonical control catalog foundation (#272)
Some checks failed
Main Confidence / confidence (push) Failing after 50s
Details 
## Summary
- add a config-seeded canonical control catalog plus shared resolution primitives and Microsoft subject bindings
- propagate canonical control references into findings-derived evidence snapshots and tenant review composition
- add the feature spec artifacts and focused Pest coverage, plus the supporting workspace and Sail helper adjustments included in this branch

## Testing
- cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Governance/CanonicalControlCatalogTest.php tests/Unit/Governance/CanonicalControlResolverTest.php tests/Feature/Governance/CanonicalControlResolutionIntegrationTest.php tests/Feature/Evidence/EvidenceSnapshotCanonicalControlReferenceTest.php tests/Feature/TenantReview/TenantReviewCanonicalControlReferenceTest.php tests/Feature/PlatformRelocation/CommandModelSmokeTest.php
- cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #272
 2026-04-24 12:26:02 +00:00
ahmido
2752515da5 Spec 235: harden baseline truth and onboarding flows (#271)
Some checks failed
Main Confidence / confidence (push) Failing after 54s
Details 
## Summary
- harden baseline capture truth, compare readiness, and monitoring explanations around latest inventory eligibility, blocked prerequisites, and zero-subject outcomes
- improve onboarding verification and bootstrap recovery handling, including admin-consent callback invalidation and queued execution legitimacy/report behavior
- align workspace findings/workspace overview signals and refresh the related spec, roadmap, and spec-candidate artifacts

## Validation
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/BaselineDriftEngine/BaselineCaptureAuditEventsTest.php tests/Feature/BaselineDriftEngine/BaselineSnapshotNoTenantIdentifiersTest.php tests/Feature/BaselineDriftEngine/CaptureBaselineContentTest.php tests/Feature/BaselineDriftEngine/CaptureBaselineFullContentOnDemandTest.php tests/Feature/BaselineDriftEngine/CaptureBaselineMetaFallbackTest.php tests/Feature/Baselines/BaselineCaptureTest.php tests/Feature/Baselines/BaselineCompareFindingsTest.php tests/Feature/Baselines/BaselineSnapshotBackfillTest.php tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php tests/Feature/Monitoring/AuditCoverageGovernanceTest.php tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php tests/Feature/Notifications/OperationRunNotificationTest.php tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/AdminConsentCallbackTest.php tests/Feature/Filament/WorkspaceOverviewDbOnlyTest.php tests/Feature/Guards/Spec194GovernanceActionSemanticsGuardTest.php tests/Feature/ManagedTenantOnboardingWizardTest.php tests/Feature/Onboarding/OnboardingVerificationTest.php tests/Feature/Operations/QueuedExecutionAuditTrailTest.php tests/Unit/Operations/QueuedExecutionLegitimacyGateTest.php`

## Notes
- browser validation was not re-run in this pass

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #271
 2026-04-24 05:44:54 +00:00
ahmido
603d509b8f cleanup: retire dead transitional residue (#270)
Some checks failed
Main Confidence / confidence (push) Failing after 58s
Details
Heavy Governance Lane / heavy-governance (push) Has been skipped
Details
Browser Lane / browser (push) Has been skipped
Details 
## Summary
- remove deprecated baseline profile status alias constants and keep baseline lifecycle semantics on the canonical enum path
- retire the dead tenant app-status badge/default-fixture residue from the active runtime support path
- add the `234-dead-transitional-residue` spec, plan, research, data-model, quickstart, checklist, and task artifacts plus focused regression assertions

## Validation
- not rerun during this PR creation step

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #270
 2026-04-23 16:54:48 +00:00
ahmido
6fdd45fb02 feat: surface stale active operation runs (#269)
Some checks failed
Main Confidence / confidence (push) Failing after 53s
Details 
## Summary
- keep stale active operation runs visible in the tenant progress overlay and polling state
- align tenant and canonical operation surfaces around the shared stale-active presentation contract
- add Spec 233 artifacts and clean the promoted-candidate backlog entries

## Validation
- browser smoke: `/admin/t/18000000-0000-4000-8000-000000000180` -> stale dashboard CTA -> `/admin/operations?tenant_id=7&activeTab=active_stale_attention&problemClass=active_stale_attention` -> `/admin/operations/15`
- verified healthy vs likely-stale tenant cards, canonical stale list row, and canonical run detail consistency

## Notes
- local smoke fixture seeded with one fresh and one stale running `baseline_compare` operation for browser validation
- Pest suite was not re-run in this session before opening this PR

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #269
 2026-04-23 15:10:06 +00:00
150 changed files with 11268 additions and 335 deletions
Show Stats Expand all files Collapse all files

4
.codex/config.toml
View File

@ -1,4 +1,4 @@
[mcp_servers.laravel-boost]
command = "vendor/bin/sail"
command = "./scripts/platform-sail"
args = ["artisan", "boost:mcp"]
cwd = "/Users/ahmeddarrazi/Documents/projects/TenantAtlas"
cwd = "/Users/ahmeddarrazi/Documents/projects/wt-plattform"

14
.github/agents/copilot-instructions.md vendored
View File

@ -244,6 +244,14 @@ ## Active Technologies
- PostgreSQL-backed existing `operation_runs`, `tenants`, and `workspaces` records plus current session-backed canonical navigation state; no new persistence (232-operation-run-link-contract)
- PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + Filament widgets/resources/pages, Pest v4, `App\Models\OperationRun`, `App\Support\Operations\OperationRunFreshnessState`, `App\Services\Operations\OperationLifecycleReconciler`, `App\Support\OpsUx\OperationUxPresenter`, `App\Support\OpsUx\ActiveRuns`, `App\Support\Badges\BadgeCatalog` / `BadgeRenderer`, `App\Support\Workspaces\WorkspaceOverviewBuilder`, `App\Support\OperationRunLinks` (233-stale-run-visibility)
- Existing PostgreSQL `operation_runs` records and current session/query-backed monitoring navigation state; no new persistence (233-stale-run-visibility)
- PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + `App\Models\BaselineProfile`, `App\Support\Baselines\BaselineProfileStatus`, `App\Support\Badges\BadgeCatalog`, `App\Support\Badges\BadgeDomain`, `Database\Factories\TenantFactory`, `App\Console\Commands\SeedBackupHealthBrowserFixture`, existing tenant-truth and baseline-profile Pest tests (234-dead-transitional-residue)
- Existing PostgreSQL `baseline_profiles` and `tenants` tables; no new persistence and no schema migration in this slice (234-dead-transitional-residue)
- PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + `BaselineCaptureService`, `CaptureBaselineSnapshotJob`, `BaselineReasonCodes`, `BaselineCompareStats`, `ReasonTranslator`, `GovernanceRunDiagnosticSummaryBuilder`, `OperationRunService`, `BaselineProfile`, `BaselineSnapshot`, `OperationRunOutcome`, existing Filament capture/compare surfaces (235-baseline-capture-truth)
- Existing PostgreSQL tables only; no new table or schema migration is planned in the mainline slice (235-baseline-capture-truth)
- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing governance domain models and builders, existing Evidence Snapshot and Tenant Review infrastructure (236-canonical-control-catalog-foundation)
- PostgreSQL for existing downstream governance artifacts plus a product-seeded in-repo canonical control registry; no new DB-backed control authoring table in the first slice (236-canonical-control-catalog-foundation)
- PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + existing provider seams under `App\Services\Providers` and `App\Services\Graph`, especially `ProviderGateway`, `ProviderIdentityResolver`, `ProviderIdentityResolution`, `PlatformProviderIdentityResolver`, `ProviderConnectionResolver`, `ProviderConnectionResolution`, `MicrosoftGraphOptionsResolver`, `ProviderOperationRegistry`, `ProviderOperationStartGate`, `GraphClientInterface`, Pest v4 (237-provider-boundary-hardening)
- Existing PostgreSQL tables such as `provider_connections` and `operation_runs`; one new in-repo config catalog for provider-boundary ownership; no new database tables (237-provider-boundary-hardening)
- PHP 8.4.15 (feat/005-bulk-operations)
@ -278,9 +286,9 @@ ## Code Style
PHP 8.4.15: Follow standard conventions
## Recent Changes
- 233-stale-run-visibility: Added PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + Filament widgets/resources/pages, Pest v4, `App\Models\OperationRun`, `App\Support\Operations\OperationRunFreshnessState`, `App\Services\Operations\OperationLifecycleReconciler`, `App\Support\OpsUx\OperationUxPresenter`, `App\Support\OpsUx\ActiveRuns`, `App\Support\Badges\BadgeCatalog` / `BadgeRenderer`, `App\Support\Workspaces\WorkspaceOverviewBuilder`, `App\Support\OperationRunLinks`
- 232-operation-run-link-contract: Added PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + Filament Resources/Pages/Widgets, Pest v4, `App\Support\OperationRunLinks`, `App\Support\System\SystemOperationRunLinks`, `App\Support\Navigation\CanonicalNavigationContext`, `App\Support\Navigation\RelatedNavigationResolver`, existing workspace and tenant authorization helpers
- 231-finding-outcome-taxonomy: Added PHP 8.4.15, Laravel 12, Filament v5, Livewire v4, Blade + `App\Models\Finding`, `App\Filament\Resources\FindingResource`, `App\Services\Findings\FindingWorkflowService`, `App\Services\Baselines\BaselineAutoCloseService`, `App\Services\EntraAdminRoles\EntraAdminRolesFindingGenerator`, `App\Services\PermissionPosture\PermissionPostureFindingGenerator`, `App\Jobs\CompareBaselineToTenantJob`, `App\Filament\Pages\Reviews\ReviewRegister`, `App\Filament\Resources\TenantReviewResource`, `BadgeCatalog`, `BadgeRenderer`, `AuditLog` metadata via `AuditLogger`
- 237-provider-boundary-hardening: Added PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + existing provider seams under `App\Services\Providers` and `App\Services\Graph`, especially `ProviderGateway`, `ProviderIdentityResolver`, `ProviderIdentityResolution`, `PlatformProviderIdentityResolver`, `ProviderConnectionResolver`, `ProviderConnectionResolution`, `MicrosoftGraphOptionsResolver`, `ProviderOperationRegistry`, `ProviderOperationStartGate`, `GraphClientInterface`, Pest v4
- 236-canonical-control-catalog-foundation: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing governance domain models and builders, existing Evidence Snapshot and Tenant Review infrastructure
- 235-baseline-capture-truth: Added PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + `BaselineCaptureService`, `CaptureBaselineSnapshotJob`, `BaselineReasonCodes`, `BaselineCompareStats`, `ReasonTranslator`, `GovernanceRunDiagnosticSummaryBuilder`, `OperationRunService`, `BaselineProfile`, `BaselineSnapshot`, `OperationRunOutcome`, existing Filament capture/compare surfaces
<!-- MANUAL ADDITIONS START -->
### Pre-production compatibility check

104
.specify/memory/constitution.md
View File

@ -1,32 +1,30 @@
<!--
Sync Impact Report
- Version change: 2.7.0 -> 2.8.0
- Modified principles: None
- Version change: 2.9.0 -> 2.10.0
- Modified principles:
- Expanded Operations / Run Observability Standard so OperationRun
start UX is shared-contract-owned instead of surface-owned
- Expanded Governance review expectations for OperationRun-starting
features, explicit queued-notification policy, and bounded
exceptions
- Added sections:
- Pre-Production Lean Doctrine (LEAN-001): forbids legacy aliases,
migration shims, dual-write logic, and compatibility fixtures in a
pre-production codebase; includes AI-agent verification checklist,
review rule, and explicit exit condition at first production deploy
- Shared Pattern First For Cross-Cutting Interaction Classes
(XCUT-001): requires shared contracts/presenters/builders for
notifications, status messaging, action links, dashboard signals,
navigation, and similar interaction classes before any local
domain-specific variant is allowed
- OperationRun Start UX Contract (OPS-UX-START-001): centralizes
queued toast/link/event/message semantics, run/artifact deep links,
queued DB-notification policy, and tenant/workspace-safe operation
URL resolution behind one shared OperationRun UX layer
- Removed sections: None
- Templates requiring updates:
- .specify/templates/spec-template.md: added "Compatibility posture"
default block ✅
- .specify/templates/spec-template.md: add cross-cutting shared-pattern
reuse block ✅
- .specify/templates/plan-template.md: add shared pattern and system
fit section ✅
- .specify/templates/tasks-template.md: add cross-cutting reuse task
requirements ✅
- .specify/templates/checklist-template.md: add shared-pattern reuse
review checks ✅
- .github/agents/copilot-instructions.md: added "Pre-production
compatibility check" agent checklist ✅
- .specify/templates/spec-template.md: add OperationRun UX Impact
section + start-contract prompts ✅
- .specify/templates/plan-template.md: add OperationRun UX Impact
planning section + constitution checks ✅
- .specify/templates/tasks-template.md: add central start-UX reuse,
queued-notification policy, and exception tasks ✅
- .specify/templates/checklist-template.md: add OperationRun start
UX review checks ✅
- docs/product/standards/README.md: refresh constitution index for
the new ops-UX contract ✅
- Commands checked:
- N/A `.specify/templates/commands/*.md` directory is not present
- Follow-up TODOs: None
@ -66,6 +64,15 @@ ### No Premature Abstraction (ABSTR-001)
- Test convenience alone is not sufficient justification for a new abstraction.
- Narrow abstractions are allowed when required for security, tenant isolation, auditability, compliance evidence, or queue/job execution correctness.
### First Provider Is Not Platform Core (PROV-001)
- Microsoft is the current first provider, not the platform core.
- Shared platform-owned contracts, taxonomies, identifiers, compare semantics, and operator vocabulary MUST NOT silently become Microsoft-shaped truth just because Microsoft is the only provider today.
- Shared platform-owned boundaries SHOULD prefer neutral core terms such as `provider`, `connection`, `target scope`, `governed subject`, and `operation` unless the feature is intentionally provider-owned and explicitly bounded.
- Shared core terms at shared boundaries (PROV-002): if a boundary is reused across multiple domains, features, or workflows, the default is neutral platform language rather than provider-specific labels or semantics.
- No accidental deepening of provider coupling (PROV-003): a feature MAY retain provider-specific semantics at a provider-owned seam, but it MUST NOT spread those semantics deeper into platform-core contracts, shared persistence truth, shared taxonomies, or shared UI language without proving that the narrower current-release truth genuinely requires it.
- Shared-boundary review is mandatory (PROV-004): when a feature touches a shared provider/platform seam, the spec, plan, and review MUST state whether the seam is provider-owned or platform-core, what provider-specific semantics remain, and why that choice is the narrowest correct implementation now.
- Prefer bounded extraction over premature generalization (PROV-005): if an existing hotspot is too Microsoft-specific, the default remedy is a bounded normalization or extraction of that hotspot, not a speculative multi-provider framework with unused extension points.
### No New Persisted Truth Without Source-of-Truth Need (PERSIST-001)
- New tables, persisted entities, or stored artifacts MUST represent real product truth that survives independently of the originating request, run, or view.
- Persisted storage is justified only when at least one of these is true: it is a source of truth, has an independent lifecycle, must be audited independently, must outlive its originating run/request, is required for permissions/routing/compliance evidence, or is required for stable operator workflows over time.
@ -302,24 +309,57 @@ ### Operations / Run Observability Standard
even if implemented by multiple jobs/steps (“umbrella run”).
- “Single-row” runs MUST still use consistent counters (e.g., `total=1`, `processed=0|1`) and outcome derived from success/failure.
- Monitoring pages MUST be DB-only at render time (no external calls).
- Start surfaces MUST NOT perform remote work inline; they only: authorize, create/reuse run (dedupe), enqueue work,
confirm + “View run”.
- Start surfaces MUST NOT perform remote work inline and MUST NOT compose OperationRun start UX locally; they only:
authorize, create/reuse run (dedupe), enqueue work, and hand queued/start-state feedback to the shared
OperationRun Start UX Contract.
### OperationRun Start UX Contract (OPS-UX-START-001)
- OperationRun UX MUST be contract-driven, not surface-driven.
- Any feature that creates, queues, deduplicates, resumes, blocks, completes, or links to an `OperationRun` MUST use
the central OperationRun Start UX Contract.
- Filament Pages, Resources, Widgets, Livewire Components, Actions, and Services MUST NOT independently compose
OperationRun start UX from local pieces.
- The shared OperationRun UX layer MUST own:
- local start notification / toast
- `Open operation` / `View run` link
- artifact link such as `View snapshot`, `View pack`, or `View restore`
- run-enqueued browser event
- queued DB-notification decision
- dedupe / already-available / already-running messaging
- blocked / failed-to-start messaging
- tenant/workspace-safe operation URL resolution
- Feature surfaces MAY initiate `OperationRun`s, but they MUST NOT define their own OperationRun UX semantics.
- `OperationRun` lifecycle state remains the canonical execution truth.
- Queued DB notifications MUST remain explicit opt-in unless the active spec defines a different policy.
- Terminal `OperationRun` notifications MUST be emitted through the central OperationRun lifecycle mechanism.
- Any exception MUST include:
1. an explicit spec decision,
2. a documented architecture note,
3. a test or guard-test exception with rationale,
4. a follow-up migration decision if the exception is temporary.
- New OperationRun-starting features MUST include an `OperationRun UX Impact` section in the active spec or plan.
### Operations UX — 3-Surface Feedback (OPS-UX-055) (NON-NEGOTIABLE)
If a feature creates/reuses `OperationRun`, it MUST use exactly three feedback surfaces — no others:
If a feature creates/reuses `OperationRun`, its default feedback contract is exactly three surfaces.
Queued DB notifications are forbidden by default and MAY exist only when the active spec explicitly opts into them
through the OperationRun Start UX Contract:
1) Toast (intent only / queued-only)
- A toast MAY be shown only when the run is accepted/queued (intent feedback).
- The toast MUST use `OperationUxPresenter::queuedToast($operationType)->send()`.
- Feature code MUST NOT craft ad-hoc operation toasts.
- A dedicated dedupe message MUST use the presenter (e.g., `alreadyQueuedToast(...)`), not `Notification::make()`.
- Queued toast copy, action links, artifact links, start-state browser events, and dedupe/start-failure messaging MUST be
produced by the shared OperationRun Start UX Contract, not by local surface code.
2) Progress (active awareness only)
- Live progress MUST exist only in:
- the global active-ops widget, and
- Monitoring → Operation Run Detail.
- These surfaces MUST show only active runs (`queued|running`) and MUST never show terminal runs.
- Running DB notifications are forbidden.
- Determinate progress is allowed ONLY when `summary_counts.total` and `summary_counts.processed` are valid numeric values.
- Determinate progress MUST be clamped to 0100. Otherwise render indeterminate + elapsed time.
- The widget MUST NOT show percentage text (optional `processed/total` is allowed).
@ -360,6 +400,10 @@ ### Ops-UX regression guards are mandatory (OPS-UX-GUARD-001)
The repo MUST include automated guards (Pest) that fail CI if:
- any direct `OperationRun` status/outcome transition occurs outside `OperationRunService`,
- feature code bypasses the central OperationRun Start UX Contract for queued/start-state operation UX where the repo's
guardable patterns can detect it,
- feature code emits queued DB notifications for operations without explicit spec-driven opt-in through the shared
OperationRun UX layer,
- jobs emit DB notifications for operation completion/abort (`OperationRunCompleted` is the single terminal notification),
- deprecated legacy operation notification classes are referenced again.
@ -1608,6 +1652,12 @@ ### Scope, Compliance, and Review Expectations
- Specs and PRs that introduce new persisted truth, abstractions, states, DTO/presenter layers, or taxonomies MUST include the proportionality review required by BLOAT-001.
- Runtime-changing or test-affecting specs and PRs MUST include testing/lane/runtime impact covering actual test-purpose classification, affected lanes, fixture/helper/factory/seed/context cost changes, any heavy-family expansion, expected budget/baseline/trend effect, escalation decisions, and the minimal validation commands.
- Specs, plans, task lists, and review checklists MUST surface the test-governance questions needed to catch lane drift, hidden defaults, and runtime-cost escalation before merge.
- Specs and PRs that touch shared provider/platform seams MUST classify the touched boundary as provider-owned or platform-core, keep provider-specific semantics out of platform-core contracts and vocabulary unless explicitly justified, and record whether any remaining hotspot is resolved in-feature or escalated as a follow-up spec.
- Specs and PRs that create, queue, deduplicate, resume, block, complete, or deep-link to an `OperationRun` MUST reuse the
central OperationRun Start UX Contract, keep queued DB notifications explicit opt-in unless the active spec states a
different policy, route terminal notifications through the lifecycle mechanism, include an `OperationRun UX Impact`
section in the active spec or plan, and document any temporary exception with an architecture note, test rationale,
and migration decision.
- Specs and PRs that change operator-facing surfaces MUST classify each
affected surface under DECIDE-001 and justify any new Primary
Decision Surface or workflow-first navigation change.
@ -1625,4 +1675,4 @@ ### Versioning Policy (SemVer)
- **MINOR**: new principle/section or materially expanded guidance.
- **MAJOR**: removing/redefining principles in a backward-incompatible way.
**Version**: 2.7.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2025-07-19
**Version**: 2.10.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-04-24

8
.specify/scripts/bash/setup-plan.sh
View File

@ -40,9 +40,13 @@ mkdir -p "$FEATURE_DIR"
TEMPLATE="$REPO_ROOT/.specify/templates/plan-template.md"
if [[ -f "$TEMPLATE" ]]; then
cp "$TEMPLATE" "$IMPL_PLAN"
echo "Copied plan template to $IMPL_PLAN"
if ! $JSON_MODE; then
echo "Copied plan template to $IMPL_PLAN"
fi
else
echo "Warning: Plan template not found at $TEMPLATE"
if ! $JSON_MODE; then
echo "Warning: Plan template not found at $TEMPLATE"
fi
# Create a basic plan file if template doesn't exist
touch "$IMPL_PLAN"
fi

26
.specify/templates/checklist-template.md
View File

@ -32,18 +32,30 @@ ## Shared Pattern Reuse
- [ ] CHK008 The change extends the shared path where it is sufficient, or the deviation is explicitly documented with product reason, preserved consistency, ownership cost, and spread-control.
- [ ] CHK009 The change does not create a parallel operator-facing UX language for the same interaction class unless a bounded exception is recorded.
## OperationRun Start UX Contract
- [ ] CHK019 The change explicitly says whether it creates, queues, deduplicates, resumes, blocks, completes, or deep-links to an `OperationRun`, and the required `OperationRun UX Impact` section exists when applicable.
- [ ] CHK020 Queued toast/link/artifact-link/browser-event/dedupe-or-blocked messaging and tenant/workspace-safe operation URL resolution are delegated to the shared OperationRun UX contract instead of local surface code.
- [ ] CHK021 Any queued DB notification is explicit opt-in in the active spec or plan, running DB notifications remain absent, and terminal notifications still flow through the central lifecycle mechanism.
- [ ] CHK022 Any exception records the explicit spec decision, architecture note, test or guard-test rationale, and temporary migration follow-up decision.
## Provider Boundary And Vocabulary
- [ ] CHK010 The change states whether any touched shared seam is provider-owned, platform-core, or mixed, and provider-specific semantics do not silently spread into platform-core contracts, taxonomy, identifiers, compare semantics, or operator vocabulary.
- [ ] CHK011 Any retained provider-specific shared boundary is justified as a bounded current-release exception or an explicit follow-up-spec need instead of becoming permanent platform truth by default.
## Signals, Exceptions, And Test Depth
- [ ] CHK010 Any triggered repository signal is classified with one handling mode: `hard-stop-candidate`, `review-mandatory`, `exception-required`, or `report-only`.
- [ ] CHK011 Any deviation from default rules includes a bounded exception record naming the broken rule, product reason, standardized parts, spread-control rule, and the active feature PR close-out entry.
- [ ] CHK012 The required surface test profile is explicit: `shared-detail-family`, `monitoring-state-page`, `global-context-shell`, `exception-coded-surface`, or `standard-native-filament`.
- [ ] CHK013 The chosen test family/lane and any manual smoke are the narrowest honest proof for the declared surface class, and `standard-native-filament` relief is used when no special contract exists.
- [ ] CHK012 Any triggered repository signal is classified with one handling mode: `hard-stop-candidate`, `review-mandatory`, `exception-required`, or `report-only`.
- [ ] CHK013 Any deviation from default rules includes a bounded exception record naming the broken rule, product reason, standardized parts, spread-control rule, and the active feature PR close-out entry.
- [ ] CHK014 The required surface test profile is explicit: `shared-detail-family`, `monitoring-state-page`, `global-context-shell`, `exception-coded-surface`, or `standard-native-filament`.
- [ ] CHK015 The chosen test family/lane and any manual smoke are the narrowest honest proof for the declared surface class, and `standard-native-filament` relief is used when no special contract exists.
## Review Outcome
- [ ] CHK014 One review outcome class is chosen: `blocker`, `strong-warning`, `documentation-required-exception`, or `acceptable-special-case`.
- [ ] CHK015 One workflow outcome is chosen: `keep`, `split`, `document-in-feature`, `follow-up-spec`, or `reject-or-split`.
- [ ] CHK016 The final note location is explicit: the active feature PR close-out entry for guarded work, or a concise `N/A` note for low-impact changes.
- [ ] CHK016 One review outcome class is chosen: `blocker`, `strong-warning`, `documentation-required-exception`, or `acceptable-special-case`.
- [ ] CHK017 One workflow outcome is chosen: `keep`, `split`, `document-in-feature`, `follow-up-spec`, or `reject-or-split`.
- [ ] CHK018 The final note location is explicit: the active feature PR close-out entry for guarded work, or a concise `N/A` note for low-impact changes.
## Notes

27
.specify/templates/plan-template.md
View File

@ -54,6 +54,29 @@ ## Shared Pattern & System Fit
- **Why the existing abstraction was sufficient or insufficient**: [Short explanation tied to current-release truth]
- **Bounded deviation / spread control**: [none / describe the exception boundary and containment rule]
## OperationRun UX Impact
> **Fill when the feature creates, queues, deduplicates, resumes, blocks, completes, or deep-links to an `OperationRun`. Docs-only or template-only work may use concise `N/A`.**
- **Touches OperationRun start/completion/link UX?**: [yes / no / N/A]
- **Central contract reused**: [shared OperationRun UX layer / `N/A`]
- **Delegated UX behaviors**: [queued toast / run link / artifact link / run-enqueued browser event / queued DB-notification decision / dedupe-or-blocked messaging / tenant/workspace-safe URL resolution / `N/A`]
- **Surface-owned behavior kept local**: [initiation inputs only / none / short explanation]
- **Queued DB-notification policy**: [explicit opt-in / spec override / `N/A`]
- **Terminal notification path**: [central lifecycle mechanism / `N/A`]
- **Exception path**: [none / spec decision + architecture note + test rationale + temporary migration follow-up]
## Provider Boundary & Portability Fit
> **Fill when the feature touches shared provider/platform seams, identity scope, governed-subject taxonomy, compare strategy selection, provider connection descriptors, or operator vocabulary that may leak provider-specific semantics into platform-core truth. Docs-only or template-only work may use concise `N/A`.**
- **Shared provider/platform boundary touched?**: [yes / no / N/A]
- **Provider-owned seams**: [List or `N/A`]
- **Platform-core seams**: [List or `N/A`]
- **Neutral platform terms / contracts preserved**: [List or `N/A`]
- **Retained provider-specific semantics and why**: [none / short explanation]
- **Bounded extraction or follow-up path**: [none / document-in-feature / follow-up-spec / N/A]
## Constitution Check
*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
@ -68,7 +91,8 @@ ## Constitution Check
- RBAC-UX: global search is tenant-scoped; non-members get no hints; inaccessible results are treated as not found (404 semantics)
- Tenant isolation: all reads/writes tenant-scoped; cross-tenant views are explicit and access-checked
- Run observability: long-running/remote/queued work creates/reuses `OperationRun`; start surfaces enqueue-only; Monitoring is DB-only; DB-only <2s actions may skip runs but security-relevant ones still audit-log; auth handshake exception OPS-EX-AUTH-001 allows synchronous outbound HTTP on `/auth/*` without `OperationRun`
- Ops-UX 3-surface feedback: if `OperationRun` is used, feedback is exactly toast intent-only + progress surfaces + exactly-once terminal `OperationRunCompleted` (initiator-only); no queued/running DB notifications
- OperationRun start UX: any feature that creates, queues, deduplicates, resumes, blocks, completes, or links `OperationRun` reuses the central OperationRun Start UX Contract; no local composition of queued toast/link/event/start-state messaging; `OperationRun UX Impact` is present in the active spec or plan
- Ops-UX 3-surface feedback: if `OperationRun` is used, default feedback is toast intent-only + progress surfaces + exactly-once terminal `OperationRunCompleted` (initiator-only); queued DB notifications remain explicit opt-in through the shared start UX contract; running DB notifications stay disallowed
- Ops-UX lifecycle: `OperationRun.status` / `OperationRun.outcome` transitions are service-owned (only via `OperationRunService`); context-only updates allowed outside
- Ops-UX summary counts: `summary_counts` keys come from `OperationSummaryKeys::all()` and values are flat numeric-only
- Ops-UX guards: CI has regression guards that fail with actionable output (file + snippet) when these patterns regress
@ -82,6 +106,7 @@ ## Constitution Check
- Behavioral state (STATE-001): new states/statuses/reason codes change behavior, routing, permissions, lifecycle, audit, retention, or retry handling; presentation-only distinctions stay derived
- UI semantics (UI-SEM-001): avoid turning badges, explanation text, trust/confidence labels, or detail summaries into mandatory interpretation frameworks; prefer direct domain-to-UI mapping
- Shared pattern first (XCUT-001): cross-cutting interaction classes reuse existing shared contracts/presenters/builders/renderers first; any deviation is explicit, bounded, and justified against current-release truth
- Provider boundary (PROV-001): shared provider/platform seams are classified as provider-owned vs platform-core; provider-specific semantics stay out of platform-core contracts, taxonomy, identifiers, compare semantics, and operator vocabulary unless explicitly justified; bounded extraction beats speculative multi-provider frameworks
- V1 explicitness / few layers (V1-EXP-001, LAYER-001): prefer direct implementation, local mappings, and small helpers; any new layer replaces an old one or proves the old one cannot serve
- Spec discipline / bloat check (SPEC-DISC-001, BLOAT-001): related semantic changes are grouped coherently, and any new enum, DTO/presenter, persisted entity, interface/registry/resolver, or taxonomy includes a proportionality review covering operator problem, insufficiency, narrowness, ownership cost, rejected alternative, and whether it is current-release truth
- Badge semantics (BADGE-001): status-like badges use `BadgeCatalog` / `BadgeRenderer`; no ad-hoc mappings; new values include tests

38
.specify/templates/spec-template.md
View File

@ -47,6 +47,26 @@ ## Cross-Cutting / Shared Pattern Reuse *(mandatory when the feature touches not
- **Consistency impact**: [What must stay aligned across interaction structure, copy, status semantics, actions, and deep links]
- **Review focus**: [What reviewers must verify to prevent parallel local patterns]
## OperationRun UX Impact *(mandatory when the feature creates, queues, deduplicates, resumes, blocks, completes, or deep-links to an `OperationRun`; otherwise write `N/A - no OperationRun start or link semantics touched`)*
- **Touches OperationRun start/completion/link UX?**: [yes/no]
- **Shared OperationRun UX contract/layer reused**: [Name it or `N/A`]
- **Delegated start/completion UX behaviors**: [queued toast / `Open operation` or `View run` link / artifact link / run-enqueued browser event / queued DB-notification decision / dedupe-or-blocked messaging / tenant/workspace-safe URL resolution / `N/A`]
- **Local surface-owned behavior that remains**: [initiation inputs only / none / bounded explanation]
- **Queued DB-notification policy**: [explicit opt-in / spec override / `N/A`]
- **Terminal notification path**: [central lifecycle mechanism / `N/A`]
- **Exception required?**: [none / explicit spec decision + architecture note + test or guard-test rationale + temporary migration follow-up]
## Provider Boundary / Platform Core Check *(mandatory when the feature changes shared provider/platform seams, identity scope, governed-subject taxonomy, compare strategy selection, provider connection descriptors, or operator vocabulary that may leak provider-specific semantics into platform-core truth; otherwise write `N/A - no shared provider/platform boundary touched`)*
- **Shared provider/platform boundary touched?**: [yes/no]
- **Boundary classification**: [provider-owned / platform-core / mixed / N/A]
- **Seams affected**: [contracts, models, taxonomies, query keys, labels, filters, compare strategy, etc.]
- **Neutral platform terms preserved or introduced**: [List them or `N/A`]
- **Provider-specific semantics retained and why**: [none / bounded current-release necessity]
- **Why this does not deepen provider coupling accidentally**: [Short explanation]
- **Follow-up path**: [none / document-in-feature / follow-up-spec]
## UI / Surface Guardrail Impact *(mandatory when operator-facing surfaces are changed; otherwise write `N/A`)*
Use this section to classify UI and surface risk once. If the feature does
@ -234,6 +254,13 @@ ## Requirements *(mandatory)*
- record any allowed deviation, the consistency it must preserve, and its ownership/spread-control cost,
- and make the reviewer focus explicit so parallel local UX paths do not appear silently.
**Constitution alignment (PROV-001):** If this feature touches a shared provider/platform seam, the spec MUST:
- classify each touched seam as provider-owned or platform-core,
- keep provider-specific semantics out of platform-core contracts, taxonomies, identifiers, compare semantics, and operator vocabulary unless explicitly justified,
- name the neutral platform terms or shared contracts being preserved,
- explain why any retained provider-specific semantics are the narrowest current-release truth,
- and state whether the remaining hotspot is resolved in-feature or escalated as a follow-up spec.
**Constitution alignment (TEST-GOV-001):** If this feature changes runtime behavior or tests, the spec MUST describe:
- the actual test-purpose classification (`Unit`, `Feature`, `Heavy-Governance`, or `Browser`) and why that classification matches the real proving purpose,
- the affected validation lane(s) and why they are the narrowest sufficient proof,
@ -246,12 +273,21 @@ ## Requirements *(mandatory)*
- and the exact minimal validation commands reviewers should run.
**Constitution alignment (OPS-UX):** If this feature creates/reuses an `OperationRun`, the spec MUST:
- explicitly state compliance with the Ops-UX 3-surface feedback contract (toast intent-only, progress surfaces, terminal DB notification),
- explicitly state compliance with the default Ops-UX 3-surface feedback contract (toast intent-only, progress surfaces, terminal DB notification) and whether any queued DB notification is explicitly opted into,
- state that `OperationRun.status` / `OperationRun.outcome` transitions are service-owned (only via `OperationRunService`),
- describe how `summary_counts` keys/values comply with `OperationSummaryKeys::all()` and numeric-only rules,
- clarify scheduled/system-run behavior (initiator null → no terminal DB notification; audit is via Monitoring),
- list which regression guard tests are added/updated to keep these rules enforceable in CI.
**Constitution alignment (OPS-UX-START-001):** If this feature creates, queues, deduplicates, resumes, blocks, completes, or links to an `OperationRun`, the spec MUST:
- include the `OperationRun UX Impact` section,
- name the shared OperationRun UX contract/layer being reused,
- delegate queued toast/link/artifact-link/browser-event/queued-DB-notification/dedupe-or-blocked messaging/tenant-safe URL resolution to that shared path,
- keep local surface code limited to initiation inputs and operation-specific data capture,
- keep queued DB notifications explicit opt-in unless the spec intentionally defines a different policy,
- route terminal notifications through the central lifecycle mechanism,
- and document any exception with an explicit spec decision, architecture note, test or guard-test rationale, and temporary follow-up migration decision.
**Constitution alignment (RBAC-UX):** If this feature introduces or changes authorization behavior, the spec MUST:
- state which authorization plane(s) are involved (tenant/admin `/admin` + tenant-context `/admin/t/{tenant}/...` vs platform `/system`),
- ensure any cross-plane access is deny-as-not-found (404),

16
.specify/templates/tasks-template.md
View File

@ -18,17 +18,22 @@ # Tasks: [FEATURE NAME]
- record budget, baseline, or trend follow-up when runtime cost shifts materially,
- and document whether the change resolves as `document-in-feature`, `follow-up-spec`, or `reject-or-split`.
**Operations**: If this feature introduces long-running/remote/queued/scheduled work, include tasks to create/reuse and update a
canonical `OperationRun`, and ensure “View run” links route to the canonical Monitoring hub.
canonical `OperationRun`, and ensure “View run” links route to the canonical Monitoring hub through the shared OperationRun start UX path rather than local surface composition.
If security-relevant DB-only actions skip `OperationRun`, include tasks for `AuditLog` entries (before/after + actor + tenant).
Auth handshake exception (OPS-EX-AUTH-001): OIDC/SAML login handshakes may perform synchronous outbound HTTP on `/auth/*` endpoints
without an `OperationRun`.
If this feature creates/reuses an `OperationRun`, tasks MUST also include:
- reusing the central OperationRun Start UX Contract instead of composing local queued toast/link/event/dedupe/blocked/start-failure semantics,
- delegating `Open operation` / `View run`, artifact links, run-enqueued browser event, queued DB-notification policy, dedupe / already-available / already-running messaging, blocked / failed-to-start messaging, and tenant/workspace-safe URL resolution to the shared OperationRun UX layer,
- enforcing the Ops-UX 3-surface feedback contract (toast intent-only via `OperationUxPresenter`, progress only in widget + run detail, terminal notification is `OperationRunCompleted` exactly-once, initiator-only),
- ensuring no queued/running DB notifications exist anywhere for operations (no `sendToDatabase()` for queued/running/completion/abort in feature code),
- keeping queued DB notifications explicit opt-in in the active spec unless a different policy is intentionally approved, and ensuring running DB notifications do not exist,
- routing terminal notifications through the central lifecycle mechanism rather than feature-local notification code,
- ensuring `OperationRun.status` / `OperationRun.outcome` transitions happen only via `OperationRunService`,
- ensuring `summary_counts` keys come from `OperationSummaryKeys::all()` and values are flat numeric-only,
- adding/updating Ops-UX regression guards (Pest) that fail CI with actionable output (file + snippet) when these patterns regress,
- clarifying scheduled/system-run behavior (initiator null → no terminal DB notification; audit via Monitoring; tenant-wide alerting via Alerts system).
- clarifying scheduled/system-run behavior (initiator null → no terminal DB notification; audit via Monitoring; tenant-wide alerting via Alerts system),
- documenting any exception with an explicit spec decision, architecture note, test or guard-test rationale, and temporary migration follow-up decision,
- and ensuring the active spec or plan contains an `OperationRun UX Impact` section.
**RBAC**: If this feature introduces or changes authorization, tasks MUST include:
- explicit Gate/Policy enforcement for all mutation endpoints/actions,
- explicit 404 vs 403 semantics:
@ -51,6 +56,11 @@ # Tasks: [FEATURE NAME]
- extending the shared path when it is sufficient for current-release truth,
- or recording a bounded exception task that documents why the shared path is insufficient, what consistency must still be preserved, and how spread is controlled,
- and ensuring reviewer proof covers whether the feature converged on the shared path or knowingly introduced a bounded exception.
**Provider Boundary / Platform Core (PROV-001)**: If this feature touches shared provider/platform seams, tasks MUST include:
- classifying each touched seam as provider-owned or platform-core,
- preventing provider-specific semantics from spreading into platform-core contracts, persistence truth, taxonomies, compare semantics, or operator vocabulary unless explicitly justified,
- implementing bounded normalization or extraction where a current hotspot is too provider-shaped, rather than introducing speculative multi-provider frameworks,
- and recording `document-in-feature` or `follow-up-spec` when a bounded provider-specific hotspot remains.
**UI / Surface Guardrails**: If this feature adds or changes operator-facing surfaces or the workflow that governs them, tasks MUST include:
- carrying forward the spec's native/custom classification, shared-family relevance, state-layer ownership, and exception need into implementation work without renaming the same decision,
- classifying any triggered repository signals with one handling mode (`hard-stop-candidate`, `review-mandatory`, `exception-required`, or `report-only`),

2
apps/platform/.pnpm-store/v10/index/0b/ca168cf47717cd729635bda393b1716cdf87a6af915c030f6558770206a939-playwright@1.59.1.json
View File

File diff suppressed because one or more lines are too long

2
apps/platform/.pnpm-store/v10/index/1c/157f44983cd73e418a267dc8fcc888295857f40cb0308a532a20c07f69dcc0-playwright-core@1.59.1.json
View File

File diff suppressed because one or more lines are too long

2
apps/platform/.pnpm-store/v10/index/27/da99c96fbe40aff4f4dc8dff378ed1d1bfd467467f2a7d955f1a8c79d154b7-rollup@4.60.2.json
View File

File diff suppressed because one or more lines are too long

2
apps/platform/.pnpm-store/v10/index/74/ecbedc0b96ddadb035b64722e319a537208c6b8b53fb812ffb9b71917d3976-color-name@1.1.4.json
View File

@ -1 +1 @@
{"name":"color-name","version":"1.1.4","requiresBuild":false,"files":{"package.json":{"checkedAt":1776593337482,"integrity":"sha512-E5CrPeTNIaZAftwqMJpkT8PDNamUJUrubHLTZ6Rjn3l9RvJKSLw6MGXT6SAcRHV3ltLOSTOa1HvkQ7/GUOoaHw==","mode":438,"size":607},"index.js":{"checkedAt":1776593337489,"integrity":"sha512-nek+57RYqda5dmQCKQmtJafLicLP3Y7hmqLhJlZrenqTCyQUOip2+D2/8Z8aZ7CnHek+irJIcgwu4kM5boaUUQ==","mode":438,"size":4617},"LICENSE":{"checkedAt":1776593337495,"integrity":"sha512-/B1lNSwRTHWUyb7fW+QyujnUJv6vUL+PfFLTJ4EyPIS/yaaFMa77VYyX6+RucS4dNdhguh4aarSLSnm4lAklQA==","mode":438,"size":1085},"README.md":{"checkedAt":1776593337500,"integrity":"sha512-/hmGUPmp0gXgx/Ov5oGW6DAU3c4h4aLMa/bE1TkpZHPU7dCx5JFS9hoYM4/+919EWCaPtBhWzK+6pG/6xdx+Ng==","mode":438,"size":384}}}
{"name":"color-name","version":"1.1.4","requiresBuild":false,"files":{"package.json":{"checkedAt":1776976148151,"integrity":"sha512-E5CrPeTNIaZAftwqMJpkT8PDNamUJUrubHLTZ6Rjn3l9RvJKSLw6MGXT6SAcRHV3ltLOSTOa1HvkQ7/GUOoaHw==","mode":438,"size":607},"index.js":{"checkedAt":1776976148156,"integrity":"sha512-nek+57RYqda5dmQCKQmtJafLicLP3Y7hmqLhJlZrenqTCyQUOip2+D2/8Z8aZ7CnHek+irJIcgwu4kM5boaUUQ==","mode":438,"size":4617},"LICENSE":{"checkedAt":1776976148162,"integrity":"sha512-/B1lNSwRTHWUyb7fW+QyujnUJv6vUL+PfFLTJ4EyPIS/yaaFMa77VYyX6+RucS4dNdhguh4aarSLSnm4lAklQA==","mode":438,"size":1085},"README.md":{"checkedAt":1776976148168,"integrity":"sha512-/hmGUPmp0gXgx/Ov5oGW6DAU3c4h4aLMa/bE1TkpZHPU7dCx5JFS9hoYM4/+919EWCaPtBhWzK+6pG/6xdx+Ng==","mode":438,"size":384}}}

2
apps/platform/.pnpm-store/v10/index/75/61f31dad96a845c8fced44f4e8eba1c313289976992ac4a258752289abbfa5-@types+estree@1.0.8.json
View File

@ -1 +1 @@
{"name":"@types/estree","version":"1.0.8","requiresBuild":false,"files":{"LICENSE":{"checkedAt":1776593336106,"integrity":"sha512-HQaIQk9pwOcyKutyDk4o2a87WnotwYuLGYFW43emGm4FvIJFKPyg+OYaw5sTegKAKf+C5SKa1ACjzCLivbaHrQ==","mode":420,"size":1141},"README.md":{"checkedAt":1776593336125,"integrity":"sha512-alZQw4vOCWtDJlTmYSm+aEvD0weTLtGERCy5tNbpyvPI5F2j9hEWxHuUdwL+TZU2Nhdx7EGRhitAiv0xuSxaeg==","mode":420,"size":458},"flow.d.ts":{"checkedAt":1776593336132,"integrity":"sha512-f3OqA/2H/A62ZLT0qAZlUCUAiI89dMFcY+XrAU08dNgwHhXSQmFeMc7w/Ee7RE8tHU5RXFoQazarmCUsnCvXxg==","mode":420,"size":4801},"index.d.ts":{"checkedAt":1776593336138,"integrity":"sha512-YwR3YirWettZcjZgr7aNimg/ibEuP+6JMqAvL+cT6ubq2ctYKL9Xv+PgBssGCPES01PG5zKTHSvhShXCjXOrDg==","mode":420,"size":18944},"package.json":{"checkedAt":1776593336144,"integrity":"sha512-KaEBTHEFL2oVUvCrjSJR/H812XIaeRGbSZFP8DBb2Hon+IQwND0zz7oRvrXTm2AzzjneqH+pkB2Lusw29yJ/WA==","mode":420,"size":829}}}
{"name":"@types/estree","version":"1.0.8","requiresBuild":false,"files":{"LICENSE":{"checkedAt":1776976148127,"integrity":"sha512-HQaIQk9pwOcyKutyDk4o2a87WnotwYuLGYFW43emGm4FvIJFKPyg+OYaw5sTegKAKf+C5SKa1ACjzCLivbaHrQ==","mode":420,"size":1141},"README.md":{"checkedAt":1776976148139,"integrity":"sha512-alZQw4vOCWtDJlTmYSm+aEvD0weTLtGERCy5tNbpyvPI5F2j9hEWxHuUdwL+TZU2Nhdx7EGRhitAiv0xuSxaeg==","mode":420,"size":458},"flow.d.ts":{"checkedAt":1776976148143,"integrity":"sha512-f3OqA/2H/A62ZLT0qAZlUCUAiI89dMFcY+XrAU08dNgwHhXSQmFeMc7w/Ee7RE8tHU5RXFoQazarmCUsnCvXxg==","mode":420,"size":4801},"index.d.ts":{"checkedAt":1776976148144,"integrity":"sha512-YwR3YirWettZcjZgr7aNimg/ibEuP+6JMqAvL+cT6ubq2ctYKL9Xv+PgBssGCPES01PG5zKTHSvhShXCjXOrDg==","mode":420,"size":18944},"package.json":{"checkedAt":1776976148144,"integrity":"sha512-KaEBTHEFL2oVUvCrjSJR/H812XIaeRGbSZFP8DBb2Hon+IQwND0zz7oRvrXTm2AzzjneqH+pkB2Lusw29yJ/WA==","mode":420,"size":829}}}

2
apps/platform/.pnpm-store/v10/index/76/129ff74dd4fcf41963a6e834db4019d59b1bce5601b8d3ff5c58a19202ec50-rxjs@7.8.2.json
View File

File diff suppressed because one or more lines are too long

2
apps/platform/.pnpm-store/v10/index/a0/916ef781d06fe29576e49440bef09e99aa9df98bb0e03f9c087a6fa107d300-tslib@2.8.1.json
View File

@ -1 +1 @@
{"name":"tslib","version":"2.8.1","requiresBuild":false,"files":{"tslib.es6.html":{"checkedAt":1776593335180,"integrity":"sha512-aoAR2zaxE9UtcXO4kE9FbPBgIZEVk7u3Z+nEPmDo6rwcYth07KxrVZejVEdy2XmKvkkcb8O/XM9UK3bPc1iMPw==","mode":420,"size":36},"tslib.html":{"checkedAt":1776593335194,"integrity":"sha512-4dCvZ5WYJpcbIJY4RPUhOBbFud1156Rr7RphuR12/+mXKUeIpCxol2/uWL4WDFNNlSH909M2AY4fiLWJo8+fTw==","mode":420,"size":32},"modules/index.js":{"checkedAt":1776593335198,"integrity":"sha512-DqWTtBt/Q47Jm4z8VzCLSiG/2R+Mwqy8uB60ithBWyofDYamF5C4icYdqbq/NP2IE/TefCT/03uAwA5mujzR7A==","mode":420,"size":1416},"tslib.es6.js":{"checkedAt":1776593335206,"integrity":"sha512-FugydTgfIjlaQrbH9gaIh59iXw8keW2311ILz3FBWn1IHLwPcmWte+ZE8UeXXGTQRc2E8NhQSCzYA6/zX36+7w==","mode":420,"size":19215},"tslib.js":{"checkedAt":1776593335213,"integrity":"sha512-7Gj/3vlZdba9iZH2H2up34pBk5UfN1tWQl3/TjsHzw3Oipw/stl6nko8k4jk+MeDeLPJE3rKz3VoQG5XmgwSmg==","mode":420,"size":23382},"modules/package.json":{"checkedAt":1776593335219,"integrity":"sha512-vm8hQn5MuoMkjJYvBBHTAtsdrcuXmVrKZwL3FEq32oGiKFhY562FoUQTbXv24wk0rwJVpgribUCOIU98IaS9Mg==","mode":420,"size":26},"package.json":{"checkedAt":1776593335230,"integrity":"sha512-72peSY+xgEHIo+YSpUbUl6qsExQ5ZlgeiDVDAiy4QdVmmBkK7RAB/07CCX3gg0SyvvQVJiGgAD36ub3rgE4QCg==","mode":420,"size":1219},"README.md":{"checkedAt":1776593335236,"integrity":"sha512-kCH2ENYjhlxwI7ae89ymMIP2tZeNcJJOcqnfifnmHQiHeK4mWnGc4w8ygoiUIpG1qyaurZkRSrYtwHCEIMNhbA==","mode":420,"size":4033},"SECURITY.md":{"checkedAt":1776593335243,"integrity":"sha512-ix30VBNb4RQLa5M2jgfD6IJ9+1XKmeREKrOYv7rDoWGZCin0605vEx3tTAVb5kNvteCwZwBC+nEGfQ4jHLg9Fw==","mode":420,"size":2757},"tslib.es6.mjs":{"checkedAt":1776593335251,"integrity":"sha512-q8VhXPTjmn6KDh3j6Ewn0V3siY1zNdvXvIUNN36llJUtO5cDafldf1Y2zzToBAbgOdh2pjFks7lFDRzZ/LZnDw==","mode":420,"size":17648},"modules/index.d.ts":{"checkedAt":1776593335258,"integrity":"sha512-XcNprVMjDjhbWmH3OTNZV91Uh9sDaCs8oZa3J7g5wMUHsdMJRENmv4XQ/8yqMlTUxKopv8uiztELREI7cw8BDg==","mode":420,"size":801},"tslib.d.ts":{"checkedAt":1776593335264,"integrity":"sha512-kqzM5TLHelP5iJBElSYyBRocQd2XmWsGIzOG6+Mv+CB7KhoZ6BoFioWM3RR2OCm1p96bbSCGnfHo2rozV/WJYQ==","mode":420,"size":18317},"CopyrightNotice.txt":{"checkedAt":1776593335271,"integrity":"sha512-C0myUddnUhhpZ/UcD9yZyMWodQV4fT2wxcfqb/ToD0Z98nB9WfWBl6koNVWJ+8jzeGWP6wQjz9zdX7Unua0/SQ==","mode":420,"size":822},"LICENSE.txt":{"checkedAt":1776593335278,"integrity":"sha512-9cs1Im06/fLAPBpXOY8fHMD2LgUM3kREaKlOX7S6fLWwbG5G+UqlUrqdkTKloRPeDghECezxOiUfzvW6lnEjDg==","mode":420,"size":655}}}
{"name":"tslib","version":"2.8.1","requiresBuild":false,"files":{"tslib.es6.html":{"checkedAt":1776976148162,"integrity":"sha512-aoAR2zaxE9UtcXO4kE9FbPBgIZEVk7u3Z+nEPmDo6rwcYth07KxrVZejVEdy2XmKvkkcb8O/XM9UK3bPc1iMPw==","mode":420,"size":36},"tslib.html":{"checkedAt":1776976148164,"integrity":"sha512-4dCvZ5WYJpcbIJY4RPUhOBbFud1156Rr7RphuR12/+mXKUeIpCxol2/uWL4WDFNNlSH909M2AY4fiLWJo8+fTw==","mode":420,"size":32},"modules/index.js":{"checkedAt":1776976148166,"integrity":"sha512-DqWTtBt/Q47Jm4z8VzCLSiG/2R+Mwqy8uB60ithBWyofDYamF5C4icYdqbq/NP2IE/TefCT/03uAwA5mujzR7A==","mode":420,"size":1416},"tslib.es6.js":{"checkedAt":1776976148173,"integrity":"sha512-FugydTgfIjlaQrbH9gaIh59iXw8keW2311ILz3FBWn1IHLwPcmWte+ZE8UeXXGTQRc2E8NhQSCzYA6/zX36+7w==","mode":420,"size":19215},"tslib.js":{"checkedAt":1776976148180,"integrity":"sha512-7Gj/3vlZdba9iZH2H2up34pBk5UfN1tWQl3/TjsHzw3Oipw/stl6nko8k4jk+MeDeLPJE3rKz3VoQG5XmgwSmg==","mode":420,"size":23382},"modules/package.json":{"checkedAt":1776976148185,"integrity":"sha512-vm8hQn5MuoMkjJYvBBHTAtsdrcuXmVrKZwL3FEq32oGiKFhY562FoUQTbXv24wk0rwJVpgribUCOIU98IaS9Mg==","mode":420,"size":26},"package.json":{"checkedAt":1776976148187,"integrity":"sha512-72peSY+xgEHIo+YSpUbUl6qsExQ5ZlgeiDVDAiy4QdVmmBkK7RAB/07CCX3gg0SyvvQVJiGgAD36ub3rgE4QCg==","mode":420,"size":1219},"README.md":{"checkedAt":1776976148192,"integrity":"sha512-kCH2ENYjhlxwI7ae89ymMIP2tZeNcJJOcqnfifnmHQiHeK4mWnGc4w8ygoiUIpG1qyaurZkRSrYtwHCEIMNhbA==","mode":420,"size":4033},"SECURITY.md":{"checkedAt":1776976148195,"integrity":"sha512-ix30VBNb4RQLa5M2jgfD6IJ9+1XKmeREKrOYv7rDoWGZCin0605vEx3tTAVb5kNvteCwZwBC+nEGfQ4jHLg9Fw==","mode":420,"size":2757},"tslib.es6.mjs":{"checkedAt":1776976148199,"integrity":"sha512-q8VhXPTjmn6KDh3j6Ewn0V3siY1zNdvXvIUNN36llJUtO5cDafldf1Y2zzToBAbgOdh2pjFks7lFDRzZ/LZnDw==","mode":420,"size":17648},"modules/index.d.ts":{"checkedAt":1776976148200,"integrity":"sha512-XcNprVMjDjhbWmH3OTNZV91Uh9sDaCs8oZa3J7g5wMUHsdMJRENmv4XQ/8yqMlTUxKopv8uiztELREI7cw8BDg==","mode":420,"size":801},"tslib.d.ts":{"checkedAt":1776976148210,"integrity":"sha512-kqzM5TLHelP5iJBElSYyBRocQd2XmWsGIzOG6+Mv+CB7KhoZ6BoFioWM3RR2OCm1p96bbSCGnfHo2rozV/WJYQ==","mode":420,"size":18317},"CopyrightNotice.txt":{"checkedAt":1776976148214,"integrity":"sha512-C0myUddnUhhpZ/UcD9yZyMWodQV4fT2wxcfqb/ToD0Z98nB9WfWBl6koNVWJ+8jzeGWP6wQjz9zdX7Unua0/SQ==","mode":420,"size":822},"LICENSE.txt":{"checkedAt":1776976148225,"integrity":"sha512-9cs1Im06/fLAPBpXOY8fHMD2LgUM3kREaKlOX7S6fLWwbG5G+UqlUrqdkTKloRPeDghECezxOiUfzvW6lnEjDg==","mode":420,"size":655}}}

2
apps/platform/.pnpm-store/v10/index/c1/6c890e501ab71937d1925eafe19e0964b6d3db00e365fe3798d4da3cbaa074-axios@1.15.0.json
View File

File diff suppressed because one or more lines are too long

1
apps/platform/app/Console/Commands/SeedBackupHealthBrowserFixture.php
View File

@ -67,7 +67,6 @@ public function handle(): int
'name' => (string) ($scenarioConfig['tenant_name'] ?? 'Spec 180 Blocked Backup Tenant'),
'tenant_id' => $tenantRouteKey,
'app_certificate_thumbprint' => null,
'app_status' => 'ok',
'app_notes' => null,
'status' => Tenant::STATUS_ACTIVE,
'environment' => 'dev',

308
apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php
View File

@ -598,7 +598,9 @@ public function content(Schema $schema): Schema
->tooltip(fn (): ?string => $this->canStartAnyBootstrap()
? null
: 'You do not have permission to start bootstrap actions.')
->action(fn () => $this->startBootstrap((array) ($this->data['bootstrap_operation_types'] ?? []))),
->action(fn (Get $get) => $this->startBootstrap(
$this->normalizeBootstrapOperationTypes((array) ($get('bootstrap_operation_types') ?? [])),
)),
]),
Text::make(fn (): string => $this->bootstrapRunsLabel())
->hidden(fn (): bool => $this->bootstrapRunsLabel() === ''),
@ -606,9 +608,11 @@ public function content(Schema $schema): Schema
])
->afterValidation(function (): void {
$types = $this->data['bootstrap_operation_types'] ?? [];
$this->selectedBootstrapOperationTypes = is_array($types)
? array_values(array_filter($types, static fn ($v): bool => is_string($v) && $v !== ''))
: [];
$this->selectedBootstrapOperationTypes = $this->normalizeBootstrapOperationTypes(
is_array($types) ? $types : [],
);
$this->persistBootstrapSelection($this->selectedBootstrapOperationTypes);
$this->touchOnboardingSessionStep('bootstrap');
}),
@ -642,6 +646,10 @@ public function content(Schema $schema): Schema
->badge()
->color(fn (): string => $this->completionSummaryBootstrapColor()),
]),
Callout::make('Bootstrap needs attention')
->description(fn (): string => $this->completionSummaryBootstrapRecoveryMessage())
->warning()
->visible(fn (): bool => $this->showCompletionSummaryBootstrapRecovery()),
Callout::make('After completion')
->description('This action is recorded in the audit log and cannot be undone from this wizard.')
->info()
@ -733,10 +741,111 @@ private function loadOnboardingDraft(User $user, TenantOnboardingSession|int|str
$bootstrapTypes = $draft->state['bootstrap_operation_types'] ?? [];
$this->selectedBootstrapOperationTypes = is_array($bootstrapTypes)
? array_values(array_filter($bootstrapTypes, static fn ($v): bool => is_string($v) && $v !== ''))
? $this->normalizeBootstrapOperationTypes($bootstrapTypes)
: [];
}
/**
* @param array<int|string, mixed> $operationTypes
* @return array<int, string>
*/
private function normalizeBootstrapOperationTypes(array $operationTypes): array
{
$supportedTypes = array_keys($this->supportedBootstrapCapabilities());
$normalized = [];
foreach ($operationTypes as $key => $value) {
if (is_string($value)) {
$normalizedValue = trim($value);
if ($normalizedValue !== '' && in_array($normalizedValue, $supportedTypes, true)) {
$normalized[] = $normalizedValue;
}
continue;
}
if (! is_string($key) || trim($key) === '') {
continue;
}
$isSelected = match (true) {
is_bool($value) => $value,
is_int($value) => $value === 1,
is_string($value) => in_array(strtolower(trim($value)), ['1', 'true', 'on', 'yes'], true),
default => false,
};
$normalizedKey = trim($key);
if ($isSelected && in_array($normalizedKey, $supportedTypes, true)) {
$normalized[] = $normalizedKey;
}
}
return array_values(array_unique($normalized));
}
/**
* @return array<string, string>
*/
private function supportedBootstrapCapabilities(): array
{
return [
'inventory_sync' => Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
'compliance.snapshot' => Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
];
}
/**
* @param array<int, string> $operationTypes
*/
private function persistBootstrapSelection(array $operationTypes): void
{
$user = auth()->user();
if (! $user instanceof User) {
abort(403);
}
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
return;
}
$normalized = $this->normalizeBootstrapOperationTypes($operationTypes);
$existing = $this->onboardingSession->state['bootstrap_operation_types'] ?? null;
$existing = is_array($existing)
? $this->normalizeBootstrapOperationTypes($existing)
: [];
if ($normalized === $existing) {
return;
}
try {
$this->setOnboardingSession($this->mutationService()->mutate(
draft: $this->onboardingSession,
actor: $user,
expectedVersion: $this->expectedDraftVersion(),
incrementVersion: false,
mutator: function (TenantOnboardingSession $draft) use ($normalized): void {
$state = is_array($draft->state) ? $draft->state : [];
$state['bootstrap_operation_types'] = $normalized;
$draft->state = $state;
},
));
} catch (OnboardingDraftConflictException) {
$this->handleDraftConflict();
return;
} catch (OnboardingDraftImmutableException) {
$this->handleImmutableDraft();
return;
}
}
/**
* @return Collection<int, TenantOnboardingSession>
*/
@ -1464,6 +1573,7 @@ private function initializeWizardData(): void
// Ensure all entangled schema state paths exist at render time.
// Livewire v4 can throw when entangling to missing nested array keys.
$this->data['notes'] ??= '';
$this->data['bootstrap_operation_types'] ??= [];
$this->data['override_blocked'] ??= false;
$this->data['override_reason'] ??= '';
$this->data['new_connection'] ??= [];
@ -1534,7 +1644,7 @@ private function initializeWizardData(): void
$types = $draft->state['bootstrap_operation_types'] ?? null;
if (is_array($types)) {
$this->data['bootstrap_operation_types'] = array_values(array_filter($types, static fn ($v): bool => is_string($v) && $v !== ''));
$this->data['bootstrap_operation_types'] = $this->normalizeBootstrapOperationTypes($types);
}
}
@ -2966,7 +3076,7 @@ public function startBootstrap(array $operationTypes): void
}
$registry = app(ProviderOperationRegistry::class);
$types = array_values(array_unique(array_filter($operationTypes, static fn ($v): bool => is_string($v) && trim($v) !== '')));
$types = $this->normalizeBootstrapOperationTypes($operationTypes);
$types = array_values(array_filter(
$types,
@ -3236,18 +3346,18 @@ private function bootstrapOperationSucceeded(TenantOnboardingSession $draft, str
private function resolveBootstrapCapability(string $operationType): ?string
{
return match ($operationType) {
'inventory_sync' => Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
'compliance.snapshot' => Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
default => null,
};
return $this->supportedBootstrapCapabilities()[$operationType] ?? null;
}
private function canStartAnyBootstrap(): bool
{
return $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC)
|| $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC)
|| $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP);
foreach ($this->supportedBootstrapCapabilities() as $capability) {
if ($this->currentUserCan($capability)) {
return true;
}
}
return false;
}
private function currentUserCan(string $capability): bool
@ -3498,33 +3608,59 @@ private function completionSummaryVerificationDetail(): string
private function completionSummaryBootstrapLabel(): string
{
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
return 'Skipped';
return $this->completionSummarySelectedBootstrapTypes() === []
? 'Skipped'
: 'Selected';
}
if ($this->completionSummaryBootstrapActionRequiredDetail() !== null) {
return 'Action required';
}
$runs = $this->onboardingSession->state['bootstrap_operation_runs'] ?? null;
$runs = is_array($runs) ? $runs : [];
if ($runs === []) {
return 'Skipped';
if ($runs !== []) {
return 'Started';
}
return 'Started';
return $this->completionSummarySelectedBootstrapTypes() === []
? 'Skipped'
: 'Selected';
}
private function completionSummaryBootstrapDetail(): string
{
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
return 'No bootstrap actions selected';
$selectedTypes = $this->completionSummarySelectedBootstrapTypes();
return $selectedTypes === []
? 'No bootstrap actions selected'
: sprintf('%d action(s) selected', count($selectedTypes));
}
$runs = $this->onboardingSession->state['bootstrap_operation_runs'] ?? null;
$runs = is_array($runs) ? $runs : [];
$selectedTypes = $this->completionSummarySelectedBootstrapTypes();
$actionRequiredDetail = $this->completionSummaryBootstrapActionRequiredDetail();
if ($runs === []) {
if ($selectedTypes === []) {
return 'No bootstrap actions selected';
}
return sprintf('%d operation(s) started', count($runs));
if ($actionRequiredDetail !== null) {
return $actionRequiredDetail;
}
if ($runs === []) {
return sprintf('%d action(s) selected', count($selectedTypes));
}
if (count($runs) < count($selectedTypes)) {
return sprintf('%d of %d action(s) started', count($runs), count($selectedTypes));
}
return sprintf('%d action(s) started', count($runs));
}
private function completionSummaryBootstrapSummary(): string
@ -3536,11 +3672,130 @@ private function completionSummaryBootstrapSummary(): string
);
}
private function showCompletionSummaryBootstrapRecovery(): bool
{
return $this->completionSummaryBootstrapActionRequiredDetail() !== null;
}
private function completionSummaryBootstrapRecoveryMessage(): string
{
return 'Selected bootstrap actions must complete before activation. Return to Bootstrap to remove the selected actions and skip this optional step, or resolve the required permission and start the blocked action again.';
}
private function completionSummaryBootstrapColor(): string
{
return $this->completionSummaryBootstrapLabel() === 'Started'
? 'info'
: 'gray';
return match ($this->completionSummaryBootstrapLabel()) {
'Action required' => 'warning',
'Started' => 'info',
'Selected' => 'warning',
default => 'gray',
};
}
private function completionSummaryBootstrapActionRequiredDetail(): ?string
{
$reasonCode = $this->completionSummaryBootstrapReasonCode();
if (! in_array($reasonCode, ['bootstrap_failed', 'bootstrap_partial_failure'], true)) {
return null;
}
$run = $this->completionSummaryBootstrapFailedRun();
if (! $run instanceof OperationRun) {
return $reasonCode === 'bootstrap_partial_failure'
? 'A bootstrap action needs attention'
: 'A bootstrap action failed';
}
$context = is_array($run->context ?? null) ? $run->context : [];
$operatorLabel = data_get($context, 'reason_translation.operator_label');
if (is_string($operatorLabel) && trim($operatorLabel) !== '') {
return trim($operatorLabel);
}
return match ($run->outcome) {
OperationRunOutcome::PartiallySucceeded->value => 'A bootstrap action needs attention',
OperationRunOutcome::Blocked->value => 'A bootstrap action was blocked',
default => 'A bootstrap action failed',
};
}
private function completionSummaryBootstrapReasonCode(): ?string
{
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
return null;
}
$reasonCode = $this->lifecycleService()->snapshot($this->onboardingSession)['reason_code'] ?? null;
return is_string($reasonCode) ? $reasonCode : null;
}
private function completionSummaryBootstrapFailedRun(): ?OperationRun
{
return once(function (): ?OperationRun {
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
return null;
}
$runMap = $this->onboardingSession->state['bootstrap_operation_runs'] ?? null;
if (! is_array($runMap)) {
return null;
}
$runIds = array_values(array_filter(array_map(
static fn (mixed $value): ?int => is_numeric($value) ? (int) $value : null,
$runMap,
)));
if ($runIds === []) {
return null;
}
return OperationRun::query()
->whereIn('id', $runIds)
->where('status', OperationRunStatus::Completed->value)
->whereIn('outcome', [
OperationRunOutcome::Blocked->value,
OperationRunOutcome::Failed->value,
OperationRunOutcome::PartiallySucceeded->value,
])
->latest('id')
->first();
});
}
/**
* @return array<int, string>
*/
private function completionSummarySelectedBootstrapTypes(): array
{
$selectedTypes = $this->data['bootstrap_operation_types'] ?? null;
if (is_array($selectedTypes)) {
$normalized = $this->normalizeBootstrapOperationTypes($selectedTypes);
if ($normalized !== []) {
return $normalized;
}
}
if ($this->selectedBootstrapOperationTypes !== []) {
return $this->normalizeBootstrapOperationTypes($this->selectedBootstrapOperationTypes);
}
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
return [];
}
$persistedTypes = $this->onboardingSession->state['bootstrap_operation_types'] ?? null;
return is_array($persistedTypes)
? $this->normalizeBootstrapOperationTypes($persistedTypes)
: [];
}
public function completeOnboarding(): void
@ -4139,9 +4394,10 @@ public function updateSelectedProviderConnectionInline(int $providerConnectionId
private function bootstrapOperationOptions(): array
{
$registry = app(ProviderOperationRegistry::class);
$supportedTypes = array_keys($this->supportedBootstrapCapabilities());
return collect($registry->all())
->reject(fn (array $definition, string $type): bool => $type === 'provider.connection.check')
->filter(fn (array $definition, string $type): bool => in_array($type, $supportedTypes, true))
->mapWithKeys(fn (array $definition, string $type): array => [$type => (string) ($definition['label'] ?? $type)])
->all();
}

37
apps/platform/app/Filament/Resources/BaselineProfileResource.php
View File

@ -9,6 +9,7 @@
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineTenantAssignment;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Models\Workspace;
@ -840,7 +841,17 @@ private static function compareReadinessIcon(BaselineProfile $profile): ?string
private static function profileNextStep(BaselineProfile $profile): string
{
return match (self::compareAvailabilityReason($profile)) {
$compareAvailabilityReason = self::compareAvailabilityReason($profile);
if ($compareAvailabilityReason === null) {
$latestCaptureEnvelope = self::latestBaselineCaptureEnvelope($profile);
if ($latestCaptureEnvelope instanceof ReasonResolutionEnvelope && trim($latestCaptureEnvelope->shortExplanation) !== '') {
return $latestCaptureEnvelope->shortExplanation;
}
}
return match ($compareAvailabilityReason) {
BaselineReasonCodes::COMPARE_INVALID_SCOPE,
BaselineReasonCodes::COMPARE_MIXED_SCOPE,
BaselineReasonCodes::COMPARE_UNSUPPORTED_SCOPE => 'Review the governed subject selection before starting compare.',
@ -858,6 +869,30 @@ private static function latestAttemptedSnapshot(BaselineProfile $profile): ?Base
return app(BaselineSnapshotTruthResolver::class)->resolveLatestAttemptedSnapshot($profile);
}
private static function latestBaselineCaptureEnvelope(BaselineProfile $profile): ?ReasonResolutionEnvelope
{
$run = OperationRun::query()
->where('workspace_id', (int) $profile->workspace_id)
->where('type', 'baseline_capture')
->where('context->baseline_profile_id', (int) $profile->getKey())
->where('status', 'completed')
->orderByDesc('completed_at')
->orderByDesc('id')
->first();
if (! $run instanceof OperationRun) {
return null;
}
$reasonCode = data_get($run->context, 'reason_code');
if (! is_string($reasonCode) || trim($reasonCode) === '') {
return null;
}
return app(ReasonPresenter::class)->forOperationRun($run, 'artifact_truth');
}
private static function compareAvailabilityReason(BaselineProfile $profile): ?string
{
$status = $profile->status instanceof BaselineProfileStatus

14
apps/platform/app/Filament/Resources/BaselineProfileResource/Pages/ViewBaselineProfile.php
View File

@ -19,6 +19,7 @@
use App\Support\OperationRunLinks;
use App\Support\OpsUx\OperationUxPresenter;
use App\Support\OpsUx\OpsUxBrowserEvents;
use App\Support\ReasonTranslation\ReasonPresenter;
use App\Support\Rbac\WorkspaceUiEnforcement;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Actions\Action;
@ -105,15 +106,10 @@ private function captureAction(): Action
if (! $result['ok']) {
$reasonCode = is_string($result['reason_code'] ?? null) ? (string) $result['reason_code'] : 'unknown';
$message = match ($reasonCode) {
BaselineReasonCodes::CAPTURE_ROLLOUT_DISABLED => 'Full-content baseline capture is currently disabled for controlled rollout.',
BaselineReasonCodes::CAPTURE_PROFILE_NOT_ACTIVE => 'This baseline profile is not active.',
BaselineReasonCodes::CAPTURE_MISSING_SOURCE_TENANT => 'The selected tenant is not available for this baseline profile.',
BaselineReasonCodes::CAPTURE_INVALID_SCOPE => 'This baseline profile has an invalid governed-subject scope. Review the baseline definition before capturing.',
BaselineReasonCodes::CAPTURE_UNSUPPORTED_SCOPE => 'This baseline profile includes governed subjects that are not currently supported for capture.',
default => 'Reason: '.str_replace('.', ' ', $reasonCode),
};
$translation = app(ReasonPresenter::class)->forArtifactTruth($reasonCode, 'artifact_truth');
$message = is_string($translation?->shortExplanation) && trim($translation->shortExplanation) !== ''
? trim($translation->shortExplanation)
: 'Reason: '.str_replace('.', ' ', $reasonCode);
Notification::make()
->title('Cannot start capture')

48
apps/platform/app/Http/Controllers/AdminConsentCallbackController.php
View File

@ -4,6 +4,7 @@
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\TenantOnboardingSession;
use App\Services\Intune\AuditLogger;
use App\Support\Providers\ProviderConnectionType;
use App\Support\Providers\ProviderConsentStatus;
@ -54,6 +55,8 @@ public function __invoke(
error: $error,
);
$this->invalidateResumableOnboardingVerificationState($tenant, $connection);
$legacyStatus = $status === 'ok' ? 'success' : 'failed';
$auditMetadata = [
'source' => 'admin.consent.callback',
@ -98,6 +101,7 @@ public function __invoke(
'status' => $status,
'error' => $error,
'consentGranted' => $consentGranted,
'verificationStateLabel' => $this->verificationStateLabel($connection),
]);
}
@ -197,4 +201,48 @@ private function parseState(?string $state): ?string
return $state;
}
private function verificationStateLabel(ProviderConnection $connection): string
{
$verificationStatus = $connection->verification_status instanceof ProviderVerificationStatus
? $connection->verification_status
: ProviderVerificationStatus::tryFrom((string) $connection->verification_status);
if ($verificationStatus === ProviderVerificationStatus::Unknown) {
return $connection->consent_status === ProviderConsentStatus::Granted
? 'Needs verification'
: 'Not verified';
}
return ucfirst(str_replace('_', ' ', $verificationStatus?->value ?? 'unknown'));
}
private function invalidateResumableOnboardingVerificationState(Tenant $tenant, ProviderConnection $connection): void
{
TenantOnboardingSession::query()
->where('tenant_id', (int) $tenant->getKey())
->resumable()
->each(function (TenantOnboardingSession $draft) use ($connection): void {
$state = is_array($draft->state) ? $draft->state : [];
$providerConnectionId = $state['provider_connection_id'] ?? null;
$providerConnectionId = is_numeric($providerConnectionId) ? (int) $providerConnectionId : null;
if ($providerConnectionId !== null && $providerConnectionId !== (int) $connection->getKey()) {
return;
}
unset(
$state['verification_operation_run_id'],
$state['verification_run_id'],
$state['bootstrap_operation_runs'],
$state['bootstrap_operation_types'],
$state['bootstrap_run_ids'],
);
$state['connection_recently_updated'] = true;
$draft->state = $state;
$draft->save();
});
}
}

330
apps/platform/app/Jobs/CaptureBaselineSnapshotJob.php
View File

@ -11,6 +11,7 @@
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Services\Baselines\BaselineCaptureService;
use App\Services\Baselines\BaselineContentCapturePhase;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Baselines\BaselineSnapshotItemNormalizer;
@ -29,7 +30,6 @@
use App\Support\Inventory\InventoryPolicyTypeMeta;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\OperationRunType;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
@ -71,13 +71,24 @@ public function handle(
InventoryMetaContract $metaContract,
AuditLogger $auditLogger,
OperationRunService $operationRunService,
?CurrentStateHashResolver $hashResolver = null,
?BaselineContentCapturePhase $contentCapturePhase = null,
mixed $arg5 = null,
mixed $arg6 = null,
?BaselineSnapshotItemNormalizer $snapshotItemNormalizer = null,
?BaselineFullContentRolloutGate $rolloutGate = null,
): void {
$hashResolver ??= app(CurrentStateHashResolver::class);
$contentCapturePhase ??= app(BaselineContentCapturePhase::class);
$captureService = $arg5 instanceof BaselineCaptureService
? $arg5
: app(BaselineCaptureService::class);
$hashResolver = $arg5 instanceof CurrentStateHashResolver
? $arg5
: ($arg6 instanceof CurrentStateHashResolver
? $arg6
: app(CurrentStateHashResolver::class));
$contentCapturePhase = $arg5 instanceof BaselineContentCapturePhase
? $arg5
: ($arg6 instanceof BaselineContentCapturePhase
? $arg6
: app(BaselineContentCapturePhase::class));
$snapshotItemNormalizer ??= app(BaselineSnapshotItemNormalizer::class);
$rolloutGate ??= app(BaselineFullContentRolloutGate::class);
@ -118,10 +129,124 @@ public function handle(
$rolloutGate->assertEnabled();
}
$latestInventorySyncRun = $this->resolveLatestInventorySyncRun($sourceTenant);
$latestInventorySyncRunId = $latestInventorySyncRun instanceof OperationRun
? (int) $latestInventorySyncRun->getKey()
$previousCurrentSnapshot = $profile->resolveCurrentConsumableSnapshot();
$previousCurrentSnapshotId = $previousCurrentSnapshot instanceof BaselineSnapshot
? (int) $previousCurrentSnapshot->getKey()
: null;
$previousCurrentSnapshotExists = $previousCurrentSnapshotId !== null;
$preflightEligibility = is_array(data_get($context, 'baseline_capture.eligibility'))
? data_get($context, 'baseline_capture.eligibility')
: [];
$inventoryEligibility = $captureService->latestInventoryEligibilityDecision($sourceTenant, $effectiveScope, $truthfulTypes);
$latestInventorySyncRunId = is_numeric($inventoryEligibility['inventory_sync_run_id'] ?? null)
? (int) $inventoryEligibility['inventory_sync_run_id']
: null;
$eligibilityContext = $captureService->eligibilityContextPayload($inventoryEligibility, phase: 'runtime_recheck');
$eligibilityContext['changed_after_enqueue'] = ($preflightEligibility['ok'] ?? null) === true
&& ! ($inventoryEligibility['ok'] ?? false);
$eligibilityContext['preflight_inventory_sync_run_id'] = is_numeric($preflightEligibility['inventory_sync_run_id'] ?? null)
? (int) $preflightEligibility['inventory_sync_run_id']
: null;
$eligibilityContext['preflight_reason_code'] = is_string($preflightEligibility['reason_code'] ?? null)
? (string) $preflightEligibility['reason_code']
: null;
$context['baseline_capture'] = array_merge(
is_array($context['baseline_capture'] ?? null) ? $context['baseline_capture'] : [],
[
'inventory_sync_run_id' => $latestInventorySyncRunId,
'eligibility' => $eligibilityContext,
'previous_current_snapshot_id' => $previousCurrentSnapshotId,
'previous_current_snapshot_exists' => $previousCurrentSnapshotExists,
],
);
$this->operationRun->update(['context' => $context]);
$this->operationRun->refresh();
$context = is_array($this->operationRun->context) ? $this->operationRun->context : [];
if (! ($inventoryEligibility['ok'] ?? false)) {
$reasonCode = is_string($inventoryEligibility['reason_code'] ?? null)
? (string) $inventoryEligibility['reason_code']
: BaselineReasonCodes::CAPTURE_INVENTORY_MISSING;
$summaryCounts = [
'total' => 0,
'processed' => 0,
'succeeded' => 0,
'failed' => 0,
];
$blockedContext = $context;
$blockedContext['reason_code'] = $reasonCode;
$blockedContext['baseline_capture'] = array_merge(
is_array($blockedContext['baseline_capture'] ?? null) ? $blockedContext['baseline_capture'] : [],
[
'reason_code' => $reasonCode,
'subjects_total' => 0,
'current_baseline_changed' => false,
],
);
$blockedContext['result'] = array_merge(
is_array($blockedContext['result'] ?? null) ? $blockedContext['result'] : [],
[
'current_baseline_changed' => false,
],
);
$this->operationRun->update([
'context' => $blockedContext,
'summary_counts' => $summaryCounts,
]);
$this->operationRun->refresh();
$this->auditStarted(
auditLogger: $auditLogger,
tenant: $sourceTenant,
profile: $profile,
initiator: $initiator,
captureMode: $captureMode,
subjectsTotal: 0,
effectiveScope: $effectiveScope,
inventorySyncRunId: $latestInventorySyncRunId,
);
$operationRunService->finalizeBlockedRun(
run: $this->operationRun,
reasonCode: $reasonCode,
message: $this->blockedInventoryMessage(
$reasonCode,
(bool) ($eligibilityContext['changed_after_enqueue'] ?? false),
),
);
$this->operationRun->refresh();
$this->auditCompleted(
auditLogger: $auditLogger,
tenant: $sourceTenant,
profile: $profile,
snapshot: null,
initiator: $initiator,
captureMode: $captureMode,
subjectsTotal: 0,
inventorySyncRunId: $latestInventorySyncRunId,
wasNewSnapshot: false,
evidenceCaptureStats: [
'requested' => 0,
'succeeded' => 0,
'skipped' => 0,
'failed' => 0,
'throttled' => 0,
],
gaps: [
'count' => 0,
'by_reason' => [],
],
currentBaselineChanged: false,
reasonCode: $reasonCode,
);
return;
}
$inventoryResult = $this->collectInventorySubjects(
sourceTenant: $sourceTenant,
@ -154,6 +279,7 @@ public function handle(
'failed' => 0,
'throttled' => 0,
];
$phaseResult = [];
$phaseGaps = [];
$resumeToken = null;
@ -222,6 +348,91 @@ public function handle(
],
];
if ($subjectsTotal === 0) {
$snapshotResult = $this->captureNoDataSnapshotArtifact(
$profile,
$identityHash,
$snapshotSummary,
);
$snapshot = $snapshotResult['snapshot'];
$wasNewSnapshot = $snapshotResult['was_new_snapshot'];
$summaryCounts = [
'total' => 0,
'processed' => 0,
'succeeded' => 0,
'failed' => 0,
];
$updatedContext = is_array($this->operationRun->context) ? $this->operationRun->context : [];
$updatedContext['reason_code'] = BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS;
$updatedContext['baseline_capture'] = array_merge(
is_array($updatedContext['baseline_capture'] ?? null) ? $updatedContext['baseline_capture'] : [],
[
'reason_code' => BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
'subjects_total' => 0,
'inventory_sync_run_id' => $latestInventorySyncRunId,
'evidence_capture' => $phaseStats,
'gaps' => [
'count' => $gapsCount,
'by_reason' => $gapsByReason,
'subjects' => is_array($phaseResult['gap_subjects'] ?? null) && $phaseResult['gap_subjects'] !== []
? array_values($phaseResult['gap_subjects'])
: null,
],
'resume_token' => $resumeToken,
'current_baseline_changed' => false,
'previous_current_snapshot_id' => $previousCurrentSnapshotId,
'previous_current_snapshot_exists' => $previousCurrentSnapshotExists,
],
);
$updatedContext['result'] = array_merge(
is_array($updatedContext['result'] ?? null) ? $updatedContext['result'] : [],
[
'snapshot_id' => (int) $snapshot->getKey(),
'snapshot_identity_hash' => $identityHash,
'was_new_snapshot' => $wasNewSnapshot,
'items_captured' => 0,
'snapshot_lifecycle' => $snapshot->lifecycleState()->value,
'current_baseline_changed' => false,
],
);
$this->operationRun->update([
'context' => $updatedContext,
'summary_counts' => $summaryCounts,
]);
$this->operationRun->refresh();
$operationRunService->updateRun(
$this->operationRun,
status: OperationRunStatus::Completed->value,
outcome: OperationRunOutcome::PartiallySucceeded->value,
summaryCounts: $summaryCounts,
);
$this->operationRun->refresh();
$this->auditCompleted(
auditLogger: $auditLogger,
tenant: $sourceTenant,
profile: $profile,
snapshot: $snapshot,
initiator: $initiator,
captureMode: $captureMode,
subjectsTotal: 0,
inventorySyncRunId: $latestInventorySyncRunId,
wasNewSnapshot: $wasNewSnapshot,
evidenceCaptureStats: $phaseStats,
gaps: [
'count' => $gapsCount,
'by_reason' => $gapsByReason,
],
currentBaselineChanged: false,
reasonCode: BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
);
return;
}
$snapshotResult = $this->captureSnapshotArtifact(
$profile,
$identityHash,
@ -236,6 +447,9 @@ public function handle(
$profile->update(['active_snapshot_id' => $snapshot->getKey()]);
}
$profile->refresh();
$currentBaselineChanged = $this->currentBaselineChanged($profile, $previousCurrentSnapshotId);
$warningsRecorded = $gapsByReason !== [] || $resumeToken !== null;
$warningsRecorded = $warningsRecorded || ($captureMode === BaselineCaptureMode::FullContent && ($snapshotItems['fidelity_counts']['meta'] ?? 0) > 0);
$outcome = $warningsRecorded ? OperationRunOutcome::PartiallySucceeded->value : OperationRunOutcome::Succeeded->value;
@ -269,6 +483,9 @@ public function handle(
: null,
],
'resume_token' => $resumeToken,
'current_baseline_changed' => $currentBaselineChanged,
'previous_current_snapshot_id' => $previousCurrentSnapshotId,
'previous_current_snapshot_exists' => $previousCurrentSnapshotExists,
],
);
$updatedContext['result'] = [
@ -277,6 +494,7 @@ public function handle(
'was_new_snapshot' => $wasNewSnapshot,
'items_captured' => $snapshotItems['items_count'],
'snapshot_lifecycle' => $snapshot->lifecycleState()->value,
'current_baseline_changed' => $currentBaselineChanged,
];
$this->operationRun->update(['context' => $updatedContext]);
@ -295,6 +513,8 @@ public function handle(
'count' => $gapsCount,
'by_reason' => $gapsByReason,
],
currentBaselineChanged: $currentBaselineChanged,
reasonCode: null,
);
}
@ -651,6 +871,51 @@ private function captureSnapshotArtifact(
}
}
/**
* @param array<string, mixed> $summaryJsonb
* @return array{snapshot: BaselineSnapshot, was_new_snapshot: bool}
*/
private function captureNoDataSnapshotArtifact(
BaselineProfile $profile,
string $identityHash,
array $summaryJsonb,
): array {
$snapshot = $this->createBuildingSnapshot($profile, $identityHash, $summaryJsonb, 0);
$this->rememberSnapshotOnRun(
snapshot: $snapshot,
identityHash: $identityHash,
wasNewSnapshot: true,
expectedItems: 0,
persistedItems: 0,
reasonCode: BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
);
$snapshot->markIncomplete(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS, [
'expected_identity_hash' => $identityHash,
'expected_items' => 0,
'persisted_items' => 0,
'producer_run_id' => (int) $this->operationRun->getKey(),
'was_empty_capture' => true,
]);
$snapshot->refresh();
$this->rememberSnapshotOnRun(
snapshot: $snapshot,
identityHash: $identityHash,
wasNewSnapshot: true,
expectedItems: 0,
persistedItems: 0,
reasonCode: BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
);
return [
'snapshot' => $snapshot,
'was_new_snapshot' => true,
];
}
private function findExistingConsumableSnapshot(BaselineProfile $profile, string $identityHash): ?BaselineSnapshot
{
$existing = BaselineSnapshot::query()
@ -783,6 +1048,32 @@ private function countByPolicyType(array $items): array
return $counts;
}
private function currentBaselineChanged(BaselineProfile $profile, ?int $previousCurrentSnapshotId): bool
{
$currentSnapshot = $profile->resolveCurrentConsumableSnapshot();
$currentSnapshotId = $currentSnapshot instanceof BaselineSnapshot
? (int) $currentSnapshot->getKey()
: null;
return $currentSnapshotId !== null && $currentSnapshotId !== $previousCurrentSnapshotId;
}
private function blockedInventoryMessage(string $reasonCode, bool $changedAfterEnqueue): string
{
return match ($reasonCode) {
BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED => $changedAfterEnqueue
? 'Capture blocked because the latest inventory sync changed after the run was queued.'
: 'Capture blocked because the latest inventory sync was blocked.',
BaselineReasonCodes::CAPTURE_INVENTORY_FAILED => $changedAfterEnqueue
? 'Capture blocked because the latest inventory sync failed after the run was queued.'
: 'Capture blocked because the latest inventory sync failed.',
BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE => $changedAfterEnqueue
? 'Capture blocked because the latest inventory coverage became unusable after the run was queued.'
: 'Capture blocked because the latest inventory coverage was not usable for this baseline scope.',
default => 'Capture blocked because no credible inventory basis was available.',
};
}
private function auditStarted(
AuditLogger $auditLogger,
Tenant $tenant,
@ -820,7 +1111,7 @@ private function auditCompleted(
AuditLogger $auditLogger,
Tenant $tenant,
BaselineProfile $profile,
BaselineSnapshot $snapshot,
?BaselineSnapshot $snapshot,
?User $initiator,
BaselineCaptureMode $captureMode,
int $subjectsTotal,
@ -828,6 +1119,8 @@ private function auditCompleted(
bool $wasNewSnapshot,
array $evidenceCaptureStats,
array $gaps,
bool $currentBaselineChanged,
?string $reasonCode,
): void {
$auditLogger->log(
tenant: $tenant,
@ -841,8 +1134,10 @@ private function auditCompleted(
'capture_mode' => $captureMode->value,
'inventory_sync_run_id' => $inventorySyncRunId,
'subjects_total' => $subjectsTotal,
'snapshot_id' => (int) $snapshot->getKey(),
'snapshot_identity_hash' => (string) $snapshot->snapshot_identity_hash,
'snapshot_id' => $snapshot?->getKey(),
'snapshot_identity_hash' => $snapshot instanceof BaselineSnapshot ? (string) $snapshot->snapshot_identity_hash : null,
'reason_code' => $reasonCode,
'current_baseline_changed' => $currentBaselineChanged,
'was_new_snapshot' => $wasNewSnapshot,
'evidence_capture' => $evidenceCaptureStats,
'gaps' => $gaps,
@ -878,17 +1173,4 @@ private function mergeGapCounts(array ...$gaps): array
return $merged;
}
private function resolveLatestInventorySyncRun(Tenant $tenant): ?OperationRun
{
$run = OperationRun::query()
->where('tenant_id', (int) $tenant->getKey())
->where('type', OperationRunType::InventorySync->value)
->where('status', OperationRunStatus::Completed->value)
->orderByDesc('completed_at')
->orderByDesc('id')
->first();
return $run instanceof OperationRun ? $run : null;
}
}

3
apps/platform/app/Livewire/BulkOperationProgress.php
View File

@ -4,7 +4,6 @@
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Support\OpsUx\ActiveRuns;
use App\Support\OpsUx\OpsUxBrowserEvents;
use Filament\Facades\Filament;
use Illuminate\Support\Collection;
@ -92,7 +91,7 @@ public function refreshRuns(): void
$activeCount = (clone $query)->count();
$this->runs = (clone $query)->limit(6)->get();
$this->overflowCount = max(0, $activeCount - 5);
$this->hasActiveRuns = ActiveRuns::existForTenantId($tenantId);
$this->hasActiveRuns = $activeCount > 0;
}
public function render(): \Illuminate\Contracts\View\View

15
apps/platform/app/Models/BaselineProfile.php
View File

@ -20,21 +20,6 @@ class BaselineProfile extends Model
{
use HasFactory;
/**
* @deprecated Use BaselineProfileStatus::Draft instead.
*/
public const string STATUS_DRAFT = 'draft';
/**
* @deprecated Use BaselineProfileStatus::Active instead.
*/
public const string STATUS_ACTIVE = 'active';
/**
* @deprecated Use BaselineProfileStatus::Archived instead.
*/
public const string STATUS_ARCHIVED = 'archived';
/** @var list<string> */
protected $fillable = [
'workspace_id',

13
apps/platform/app/Models/EvidenceSnapshotItem.php
View File

@ -45,4 +45,17 @@ public function tenant(): BelongsTo
{
return $this->belongsTo(Tenant::class);
}
/**
* @return list<array<string, mixed>>
*/
public function canonicalControlReferences(): array
{
$payload = is_array($this->summary_payload) ? $this->summary_payload : [];
$references = $payload['canonical_controls'] ?? [];
return is_array($references)
? array_values(array_filter($references, static fn (mixed $reference): bool => is_array($reference)))
: [];
}
}

13
apps/platform/app/Models/TenantReview.php
View File

@ -192,4 +192,17 @@ public function publishBlockers(): array
return is_array($blockers) ? array_values(array_map('strval', $blockers)) : [];
}
/**
* @return list<array<string, mixed>>
*/
public function canonicalControlReferences(): array
{
$summary = is_array($this->summary) ? $this->summary : [];
$references = $summary['canonical_controls'] ?? [];
return is_array($references)
? array_values(array_filter($references, static fn (mixed $reference): bool => is_array($reference)))
: [];
}
}

5
apps/platform/app/Notifications/OperationRunCompleted.php
View File

@ -25,12 +25,17 @@ public function toDatabase(object $notifiable): array
{
$message = OperationUxPresenter::terminalDatabaseNotificationMessage($this->run, $notifiable);
$reasonEnvelope = app(ReasonPresenter::class)->forOperationRun($this->run, 'notification');
$baselineTruthChanged = data_get($this->run->context, 'baseline_capture.current_baseline_changed');
if ($reasonEnvelope !== null) {
$message['reason_translation'] = $reasonEnvelope->toArray();
$message['diagnostic_reason_code'] = $reasonEnvelope->diagnosticCode();
}
if (is_bool($baselineTruthChanged)) {
$message['baseline_truth_changed'] = $baselineTruthChanged;
}
return $message;
}
}

147
apps/platform/app/Services/Baselines/BaselineCaptureService.php
View File

@ -16,6 +16,9 @@
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\Baselines\BaselineScope;
use App\Support\Baselines\BaselineSupportCapabilityGuard;
use App\Support\Inventory\InventoryCoverage;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\OperationRunType;
use InvalidArgumentException;
@ -62,6 +65,16 @@ public function startCapture(
];
}
$truthfulTypes = $effectiveScope->toEffectiveScopeContext($this->capabilityGuard, 'capture')['truthful_types'] ?? null;
$inventoryEligibility = $this->latestInventoryEligibilityDecision($sourceTenant, $effectiveScope, is_array($truthfulTypes) ? $truthfulTypes : null);
if (! $inventoryEligibility['ok']) {
return [
'ok' => false,
'reason_code' => $inventoryEligibility['reason_code'],
];
}
$captureMode = $profile->capture_mode instanceof BaselineCaptureMode
? $profile->capture_mode
: BaselineCaptureMode::Opportunistic;
@ -75,6 +88,10 @@ public function startCapture(
'source_tenant_id' => (int) $sourceTenant->getKey(),
'effective_scope' => $effectiveScope->toEffectiveScopeContext($this->capabilityGuard, 'capture'),
'capture_mode' => $captureMode->value,
'baseline_capture' => [
'inventory_sync_run_id' => $inventoryEligibility['inventory_sync_run_id'],
'eligibility' => $this->eligibilityContextPayload($inventoryEligibility, phase: 'preflight'),
],
];
$run = $this->runs->ensureRunWithIdentity(
@ -114,4 +131,134 @@ private function validatePreconditions(BaselineProfile $profile, Tenant $sourceT
return null;
}
/**
* @param list<string>|null $truthfulTypes
* @return array{
* ok: bool,
* reason_code: ?string,
* inventory_sync_run_id: ?int,
* inventory_outcome: ?string,
* effective_types: list<string>,
* covered_types: list<string>,
* uncovered_types: list<string>
* }
*/
public function latestInventoryEligibilityDecision(
Tenant $sourceTenant,
BaselineScope $effectiveScope,
?array $truthfulTypes = null,
): array {
$effectiveTypes = is_array($truthfulTypes) && $truthfulTypes !== []
? array_values(array_unique(array_filter($truthfulTypes, 'is_string')))
: $effectiveScope->allTypes();
sort($effectiveTypes, SORT_STRING);
$run = OperationRun::query()
->where('tenant_id', (int) $sourceTenant->getKey())
->where('type', OperationRunType::InventorySync->value)
->where('status', OperationRunStatus::Completed->value)
->orderByDesc('completed_at')
->orderByDesc('id')
->first();
if (! $run instanceof OperationRun) {
return [
'ok' => false,
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_MISSING,
'inventory_sync_run_id' => null,
'inventory_outcome' => null,
'effective_types' => $effectiveTypes,
'covered_types' => [],
'uncovered_types' => $effectiveTypes,
];
}
$outcome = is_string($run->outcome) ? trim($run->outcome) : null;
if ($outcome === OperationRunOutcome::Blocked->value) {
return [
'ok' => false,
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED,
'inventory_sync_run_id' => (int) $run->getKey(),
'inventory_outcome' => $outcome,
'effective_types' => $effectiveTypes,
'covered_types' => [],
'uncovered_types' => $effectiveTypes,
];
}
if ($outcome === OperationRunOutcome::Failed->value) {
return [
'ok' => false,
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'inventory_sync_run_id' => (int) $run->getKey(),
'inventory_outcome' => $outcome,
'effective_types' => $effectiveTypes,
'covered_types' => [],
'uncovered_types' => $effectiveTypes,
];
}
$coverage = InventoryCoverage::fromContext($run->context);
$coveredTypes = $coverage instanceof InventoryCoverage
? array_values(array_intersect($effectiveTypes, $coverage->coveredTypes()))
: [];
sort($coveredTypes, SORT_STRING);
$uncoveredTypes = array_values(array_diff($effectiveTypes, $coveredTypes));
sort($uncoveredTypes, SORT_STRING);
if ($coveredTypes === []) {
return [
'ok' => false,
'reason_code' => BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE,
'inventory_sync_run_id' => (int) $run->getKey(),
'inventory_outcome' => $outcome,
'effective_types' => $effectiveTypes,
'covered_types' => [],
'uncovered_types' => $effectiveTypes,
];
}
return [
'ok' => true,
'reason_code' => null,
'inventory_sync_run_id' => (int) $run->getKey(),
'inventory_outcome' => $outcome,
'effective_types' => $effectiveTypes,
'covered_types' => $coveredTypes,
'uncovered_types' => $uncoveredTypes,
];
}
/**
* @param array{
* ok: bool,
* reason_code: ?string,
* inventory_sync_run_id: ?int,
* inventory_outcome: ?string,
* effective_types: list<string>,
* covered_types: list<string>,
* uncovered_types: list<string>
* } $decision
* @return array<string, mixed>
*/
public function eligibilityContextPayload(array $decision, string $phase): array
{
return [
'phase' => $phase,
'ok' => (bool) ($decision['ok'] ?? false),
'reason_code' => is_string($decision['reason_code'] ?? null) ? $decision['reason_code'] : null,
'inventory_sync_run_id' => is_numeric($decision['inventory_sync_run_id'] ?? null)
? (int) $decision['inventory_sync_run_id']
: null,
'inventory_outcome' => is_string($decision['inventory_outcome'] ?? null) ? $decision['inventory_outcome'] : null,
'effective_types' => array_values(array_filter((array) ($decision['effective_types'] ?? []), 'is_string')),
'covered_types' => array_values(array_filter((array) ($decision['covered_types'] ?? []), 'is_string')),
'uncovered_types' => array_values(array_filter((array) ($decision['uncovered_types'] ?? []), 'is_string')),
];
}
}

3
apps/platform/app/Services/Evidence/EvidenceSnapshotService.php
View File

@ -219,6 +219,9 @@ public function buildSnapshotPayload(Tenant $tenant): array
'finding_report_buckets' => is_array($findingsSummary['report_bucket_counts'] ?? null)
? $findingsSummary['report_bucket_counts']
: [],
'canonical_controls' => is_array($findingsSummary['canonical_controls'] ?? null)
? $findingsSummary['canonical_controls']
: [],
'risk_acceptance' => is_array($findingsSummary['risk_acceptance'] ?? null)
? $findingsSummary['risk_acceptance']
: [

76
apps/platform/app/Services/Evidence/Sources/FindingsSummarySource.php
View File

@ -10,12 +10,15 @@
use App\Services\Findings\FindingRiskGovernanceResolver;
use App\Support\Findings\FindingOutcomeSemantics;
use App\Support\Evidence\EvidenceCompletenessState;
use App\Support\Governance\Controls\CanonicalControlResolutionRequest;
use App\Support\Governance\Controls\CanonicalControlResolver;
final class FindingsSummarySource implements EvidenceSourceProvider
{
public function __construct(
private readonly FindingRiskGovernanceResolver $governanceResolver,
private readonly FindingOutcomeSemantics $findingOutcomeSemantics,
private readonly CanonicalControlResolver $canonicalControlResolver,
) {}
public function key(): string
@ -36,6 +39,7 @@ public function collect(Tenant $tenant): array
$governanceState = $this->governanceResolver->resolveFindingState($finding, $finding->findingException);
$governanceWarning = $this->governanceResolver->resolveWarningMessage($finding, $finding->findingException);
$outcome = $this->findingOutcomeSemantics->describe($finding);
$canonicalControlResolution = $this->canonicalControlResolutionFor($finding);
return [
'id' => (int) $finding->getKey(),
@ -57,6 +61,7 @@ public function collect(Tenant $tenant): array
'report_bucket' => $outcome['report_bucket'],
'governance_state' => $governanceState,
] : null,
'canonical_control_resolution' => $canonicalControlResolution,
'governance_state' => $governanceState,
'governance_warning' => $governanceWarning,
];
@ -81,6 +86,12 @@ public function collect(Tenant $tenant): array
$reportBucketCounts[$reportBucket]++;
}
}
$canonicalControls = $entries
->map(static fn (array $entry): mixed => data_get($entry, 'canonical_control_resolution.control'))
->filter(static fn (mixed $control): bool => is_array($control) && filled($control['control_key'] ?? null))
->unique(static fn (array $control): string => (string) $control['control_key'])
->values()
->all();
$riskAcceptedEntries = $entries->filter(
static fn (array $entry): bool => ($entry['status'] ?? null) === Finding::STATUS_RISK_ACCEPTED,
@ -115,6 +126,7 @@ public function collect(Tenant $tenant): array
],
'outcome_counts' => $outcomeCounts,
'report_bucket_counts' => $reportBucketCounts,
'canonical_controls' => $canonicalControls,
'entries' => $entries->all(),
];
@ -133,4 +145,68 @@ public function collect(Tenant $tenant): array
'sort_order' => 10,
];
}
/**
* @return array<string, mixed>
*/
private function canonicalControlResolutionFor(Finding $finding): array
{
return $this->canonicalControlResolver
->resolve($this->resolutionRequestFor($finding))
->toArray();
}
private function resolutionRequestFor(Finding $finding): CanonicalControlResolutionRequest
{
$evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];
$findingType = (string) $finding->finding_type;
if ($findingType === Finding::FINDING_TYPE_PERMISSION_POSTURE) {
return new CanonicalControlResolutionRequest(
provider: 'microsoft',
consumerContext: 'evidence',
subjectFamilyKey: 'permission_posture',
workload: 'entra',
signalKey: 'permission_posture.required_graph_permission',
);
}
if ($findingType === Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES) {
$roleTemplateId = (string) ($evidence['role_template_id'] ?? '');
return new CanonicalControlResolutionRequest(
provider: 'microsoft',
consumerContext: 'evidence',
subjectFamilyKey: 'entra_admin_roles',
workload: 'entra',
signalKey: $roleTemplateId === '62e90394-69f5-4237-9190-012177145e10'
? 'entra_admin_roles.global_admin_assignment'
: 'entra_admin_roles.privileged_role_assignment',
);
}
if ($findingType === Finding::FINDING_TYPE_DRIFT) {
$policyType = is_string($evidence['policy_type'] ?? null) && trim((string) $evidence['policy_type']) !== ''
? trim((string) $evidence['policy_type'])
: 'drift';
return new CanonicalControlResolutionRequest(
provider: 'microsoft',
consumerContext: 'evidence',
subjectFamilyKey: $policyType,
workload: 'intune',
signalKey: match ($policyType) {
'deviceCompliancePolicy' => 'intune.device_compliance_policy',
'drift' => 'finding.drift',
default => 'intune.device_configuration_drift',
},
);
}
return new CanonicalControlResolutionRequest(
provider: 'microsoft',
consumerContext: 'evidence',
subjectFamilyKey: $findingType,
);
}
}

53
apps/platform/app/Services/Findings/FindingAssignmentHygieneService.php
View File

@ -68,12 +68,27 @@ public function issueQuery(
string $reasonFilter = self::FILTER_ALL,
bool $applyOrdering = true,
): Builder {
$visibleTenants = $this->visibleTenants($workspace, $user);
$visibleTenantIds = array_map(
static fn (Tenant $tenant): int => (int) $tenant->getKey(),
$visibleTenants,
return $this->issueQueryForVisibleTenantIds(
$workspace,
$this->visibleTenantIds($workspace, $user),
$tenantId,
$reasonFilter,
$applyOrdering,
);
}
/**
* @param array<int, int> $visibleTenantIds
* @return Builder<Finding>
*/
private function issueQueryForVisibleTenantIds(
Workspace $workspace,
array $visibleTenantIds,
?int $tenantId = null,
string $reasonFilter = self::FILTER_ALL,
bool $applyOrdering = true,
): Builder {
if ($tenantId !== null && ! in_array($tenantId, $visibleTenantIds, true)) {
$visibleTenantIds = [];
} elseif ($tenantId !== null) {
@ -155,9 +170,22 @@ function ($join): void {
*/
public function summary(Workspace $workspace, User $user, ?int $tenantId = null): array
{
$allIssues = $this->issueQuery($workspace, $user, $tenantId, self::FILTER_ALL, applyOrdering: false);
$brokenAssignments = $this->issueQuery($workspace, $user, $tenantId, self::REASON_BROKEN_ASSIGNMENT, applyOrdering: false);
$staleInProgress = $this->issueQuery($workspace, $user, $tenantId, self::REASON_STALE_IN_PROGRESS, applyOrdering: false);
return $this->summaryForVisibleTenantIds(
$workspace,
$this->visibleTenantIds($workspace, $user),
$tenantId,
);
}
/**
* @param array<int, int> $visibleTenantIds
* @return array{unique_issue_count: int, broken_assignment_count: int, stale_in_progress_count: int}
*/
public function summaryForVisibleTenantIds(Workspace $workspace, array $visibleTenantIds, ?int $tenantId = null): array
{
$allIssues = $this->issueQueryForVisibleTenantIds($workspace, $visibleTenantIds, $tenantId, self::FILTER_ALL, applyOrdering: false);
$brokenAssignments = $this->issueQueryForVisibleTenantIds($workspace, $visibleTenantIds, $tenantId, self::REASON_BROKEN_ASSIGNMENT, applyOrdering: false);
$staleInProgress = $this->issueQueryForVisibleTenantIds($workspace, $visibleTenantIds, $tenantId, self::REASON_STALE_IN_PROGRESS, applyOrdering: false);
return [
'unique_issue_count' => (clone $allIssues)->count(),
@ -166,6 +194,17 @@ public function summary(Workspace $workspace, User $user, ?int $tenantId = null)
];
}
/**
* @return array<int, int>
*/
public function visibleTenantIds(Workspace $workspace, User $user): array
{
return array_map(
static fn (Tenant $tenant): int => (int) $tenant->getKey(),
$this->visibleTenants($workspace, $user),
);
}
/**
* @return array<string, string>
*/

16
apps/platform/app/Services/OperationRunService.php
View File

@ -29,6 +29,8 @@
use App\Support\ReasonTranslation\ReasonResolutionEnvelope;
use App\Support\ReasonTranslation\ReasonTranslator;
use App\Support\Tenants\TenantOperabilityReasonCode;
use App\Support\Verification\BlockedVerificationReportFactory;
use App\Support\Verification\VerificationReportWriter;
use Illuminate\Database\QueryException;
use Illuminate\Support\Facades\DB;
use InvalidArgumentException;
@ -942,11 +944,23 @@ public function finalizeExecutionLegitimacyBlockedRun(
'context' => $context,
]);
return $this->finalizeBlockedRun(
$run = $this->finalizeBlockedRun(
run: $run->fresh(),
reasonCode: $decision->reasonCode?->value ?? ExecutionDenialReasonCode::ExecutionPrerequisiteInvalid->value,
message: $decision->reasonCode?->message() ?? 'Operation blocked before queued execution could begin.',
);
if ($run->type === 'provider.connection.check') {
VerificationReportWriter::write(
run: $run,
checks: BlockedVerificationReportFactory::checks($run),
identity: BlockedVerificationReportFactory::identity($run),
);
$run->refresh();
}
return $run;
}
private function invokeDispatcher(callable $dispatcher, OperationRun $run): void

53
apps/platform/app/Services/Operations/QueuedExecutionLegitimacyGate.php
View File

@ -11,6 +11,7 @@
use App\Models\Tenant;
use App\Models\User;
use App\Services\Auth\CapabilityResolver;
use App\Services\Auth\WorkspaceCapabilityResolver;
use App\Services\Tenants\TenantOperabilityService;
use App\Support\Operations\ExecutionAuthorityMode;
use App\Support\Operations\ExecutionDenialReasonCode;
@ -34,6 +35,7 @@ class QueuedExecutionLegitimacyGate
public function __construct(
private readonly OperationRunCapabilityResolver $operationRunCapabilityResolver,
private readonly CapabilityResolver $capabilityResolver,
private readonly WorkspaceCapabilityResolver $workspaceCapabilityResolver,
private readonly TenantOperabilityService $tenantOperabilityService,
private readonly WriteGateInterface $writeGate,
) {}
@ -71,12 +73,8 @@ public function evaluate(OperationRun $run): QueuedExecutionLegitimacyDecision
return QueuedExecutionLegitimacyDecision::deny($context, $checks, ExecutionDenialReasonCode::InitiatorNotEntitled);
}
if ($context->requiredCapability !== null && $context->tenant instanceof Tenant) {
$checks['capability'] = $this->capabilityResolver->can(
$context->initiator,
$context->tenant,
$context->requiredCapability,
) ? 'passed' : 'failed';
if ($context->requiredCapability !== null) {
$checks['capability'] = $this->initiatorHasRequiredCapability($context) ? 'passed' : 'failed';
if ($checks['capability'] === 'failed') {
return QueuedExecutionLegitimacyDecision::deny(
@ -106,7 +104,7 @@ public function evaluate(OperationRun $run): QueuedExecutionLegitimacyDecision
tenant: $context->tenant,
question: $operabilityQuestion,
workspaceId: $context->workspaceId,
lane: TenantInteractionLane::AdministrativeManagement,
lane: $this->laneForContext($context),
);
$checks['tenant_operability'] = $operability->allowed ? 'passed' : 'failed';
@ -228,6 +226,35 @@ private function resolveProviderConnectionId(array $context): ?int
return is_numeric($providerConnectionId) ? (int) $providerConnectionId : null;
}
private function initiatorHasRequiredCapability(QueuedExecutionContext $context): bool
{
if (! $context->initiator instanceof User || ! is_string($context->requiredCapability) || $context->requiredCapability === '') {
return false;
}
if (str_starts_with($context->requiredCapability, 'workspace')) {
if ($context->workspaceId <= 0) {
return false;
}
return $this->workspaceCapabilityResolver->can(
$context->initiator,
$context->run->tenant?->workspace ?? $context->run->workspace()->firstOrFail(),
$context->requiredCapability,
);
}
if (! $context->tenant instanceof Tenant) {
return false;
}
return $this->capabilityResolver->can(
$context->initiator,
$context->tenant,
$context->requiredCapability,
);
}
/**
* @return list<string>
*/
@ -262,4 +289,16 @@ private function requiresWriteGate(QueuedExecutionContext $context): bool
{
return in_array('write_gate', $context->prerequisiteClasses, true);
}
private function laneForContext(QueuedExecutionContext $context): TenantInteractionLane
{
$runContext = is_array($context->run->context) ? $context->run->context : [];
$wizardFlow = data_get($runContext, 'wizard.flow');
if (is_string($wizardFlow) && trim($wizardFlow) === 'managed_tenant_onboarding') {
return TenantInteractionLane::OnboardingWorkflow;
}
return TenantInteractionLane::AdministrativeManagement;
}
}

15
apps/platform/app/Services/Providers/ProviderGateway.php
View File

@ -5,6 +5,8 @@
use App\Models\ProviderConnection;
use App\Services\Graph\GraphClientInterface;
use App\Services\Graph\GraphResponse;
use Illuminate\Support\Str;
use RuntimeException;
final class ProviderGateway
{
@ -53,6 +55,17 @@ public function request(ProviderConnection $connection, string $method, string $
*/
public function graphOptions(ProviderConnection $connection, array $overrides = []): array
{
return $this->identityResolver->resolve($connection)->graphOptions($overrides);
$resolution = $this->identityResolver->resolve($connection);
if (! $resolution->resolved || $resolution->effectiveClientId === null || $resolution->clientSecret === null) {
throw new RuntimeException($resolution->message ?? 'Provider identity could not be resolved.');
}
return array_merge([
'tenant' => $resolution->tenantContext,
'client_id' => $resolution->effectiveClientId,
'client_secret' => $resolution->clientSecret,
'client_request_id' => (string) Str::uuid(),
], $overrides);
}
}

20
apps/platform/app/Services/Providers/ProviderIdentityResolution.php
View File

@ -4,8 +4,6 @@
use App\Support\Providers\ProviderConnectionType;
use App\Support\Providers\ProviderReasonCodes;
use Illuminate\Support\Str;
use RuntimeException;
final class ProviderIdentityResolution
{
@ -66,24 +64,6 @@ public static function blocked(
);
}
/**
* @param array<string, mixed> $overrides
* @return array<string, mixed>
*/
public function graphOptions(array $overrides = []): array
{
if (! $this->resolved || $this->effectiveClientId === null || $this->clientSecret === null) {
throw new RuntimeException($this->message ?? 'Provider identity could not be resolved.');
}
return array_merge([
'tenant' => $this->tenantContext,
'client_id' => $this->effectiveClientId,
'client_secret' => $this->clientSecret,
'client_request_id' => (string) Str::uuid(),
], $overrides);
}
public function effectiveReasonCode(): string
{
return $this->reasonCode ?? ProviderReasonCodes::UnknownError;

168
apps/platform/app/Services/Providers/ProviderOperationRegistry.php
View File

@ -7,44 +7,48 @@
final class ProviderOperationRegistry
{
public const string BINDING_ACTIVE = 'active';
public const string BINDING_UNSUPPORTED = 'unsupported';
/**
* @return array<string, array{provider: string, module: string, label: string, required_capability: string}>
* @return array<string, array{operation_type: string, module: string, label: string, required_capability: string}>
*/
public function all(): array
public function definitions(): array
{
return [
'provider.connection.check' => [
'provider' => 'microsoft',
'operation_type' => 'provider.connection.check',
'module' => 'health_check',
'label' => 'Provider connection check',
'required_capability' => Capabilities::PROVIDER_RUN,
],
'inventory_sync' => [
'provider' => 'microsoft',
'operation_type' => 'inventory_sync',
'module' => 'inventory',
'label' => 'Inventory sync',
'required_capability' => Capabilities::PROVIDER_RUN,
],
'compliance.snapshot' => [
'provider' => 'microsoft',
'operation_type' => 'compliance.snapshot',
'module' => 'compliance',
'label' => 'Compliance snapshot',
'required_capability' => Capabilities::PROVIDER_RUN,
],
'restore.execute' => [
'provider' => 'microsoft',
'operation_type' => 'restore.execute',
'module' => 'restore',
'label' => 'Restore execution',
'required_capability' => Capabilities::TENANT_MANAGE,
],
'entra_group_sync' => [
'provider' => 'microsoft',
'operation_type' => 'entra_group_sync',
'module' => 'directory_groups',
'label' => 'Directory groups sync',
'required_capability' => Capabilities::TENANT_SYNC,
],
'directory_role_definitions.sync' => [
'provider' => 'microsoft',
'operation_type' => 'directory_role_definitions.sync',
'module' => 'directory_role_definitions',
'label' => 'Role definitions sync',
'required_capability' => Capabilities::TENANT_MANAGE,
@ -52,19 +56,78 @@ public function all(): array
];
}
public function isAllowed(string $operationType): bool
/**
* @return array<string, array{operation_type: string, module: string, label: string, required_capability: string}>
*/
public function all(): array
{
return array_key_exists($operationType, $this->all());
return $this->definitions();
}
/**
* @return array{provider: string, module: string, label: string, required_capability: string}
* @return array<string, array<string, array{operation_type: string, provider: string, binding_status: string, handler_notes: string, exception_notes: string}>>
*/
public function providerBindings(): array
{
return [
'provider.connection.check' => [
'microsoft' => $this->activeMicrosoftBinding(
operationType: 'provider.connection.check',
handlerNotes: 'Uses the current Microsoft Graph provider connection health-check workflow.',
exceptionNotes: 'Current-release provider binding remains Microsoft-only until a real second provider case exists.',
),
],
'inventory_sync' => [
'microsoft' => $this->activeMicrosoftBinding(
operationType: 'inventory_sync',
handlerNotes: 'Uses the current Microsoft Intune inventory sync workflow.',
exceptionNotes: 'Inventory collection is currently Microsoft Intune-specific provider behavior.',
),
],
'compliance.snapshot' => [
'microsoft' => $this->activeMicrosoftBinding(
operationType: 'compliance.snapshot',
handlerNotes: 'Uses the current Microsoft compliance snapshot workflow.',
exceptionNotes: 'Compliance snapshot runtime remains bounded to the Microsoft provider.',
),
],
'restore.execute' => [
'microsoft' => $this->activeMicrosoftBinding(
operationType: 'restore.execute',
handlerNotes: 'Uses the current Microsoft restore execution workflow.',
exceptionNotes: 'Restore execution remains Microsoft-only and must preserve dry-run and audit safeguards.',
),
],
'entra_group_sync' => [
'microsoft' => $this->activeMicrosoftBinding(
operationType: 'entra_group_sync',
handlerNotes: 'Uses the current Microsoft Entra group synchronization workflow.',
exceptionNotes: 'The operation type keeps current Entra vocabulary until the identity-neutrality follow-up.',
),
],
'directory_role_definitions.sync' => [
'microsoft' => $this->activeMicrosoftBinding(
operationType: 'directory_role_definitions.sync',
handlerNotes: 'Uses the current Microsoft directory role definition synchronization workflow.',
exceptionNotes: 'Directory role definitions are Microsoft-owned provider semantics.',
),
],
];
}
public function isAllowed(string $operationType): bool
{
return array_key_exists(trim($operationType), $this->definitions());
}
/**
* @return array{operation_type: string, module: string, label: string, required_capability: string}
*/
public function get(string $operationType): array
{
$operationType = trim($operationType);
$definition = $this->all()[$operationType] ?? null;
$definition = $this->definitions()[$operationType] ?? null;
if (! is_array($definition)) {
throw new InvalidArgumentException("Unknown provider operation type: {$operationType}");
@ -72,4 +135,85 @@ public function get(string $operationType): array
return $definition;
}
/**
* @return array{operation_type: string, provider: string, binding_status: string, handler_notes: string, exception_notes: string}|null
*/
public function bindingFor(string $operationType, string $provider): ?array
{
$operationType = trim($operationType);
$provider = trim($provider);
if ($operationType === '' || $provider === '') {
return null;
}
$bindings = $this->providerBindings()[$operationType] ?? [];
return $bindings[$provider] ?? null;
}
/**
* @return array{operation_type: string, provider: string, binding_status: string, handler_notes: string, exception_notes: string}|null
*/
public function activeBindingFor(string $operationType): ?array
{
$operationType = trim($operationType);
$bindings = $this->providerBindings()[$operationType] ?? [];
foreach ($bindings as $binding) {
if (($binding['binding_status'] ?? null) === self::BINDING_ACTIVE) {
return $binding;
}
}
return null;
}
/**
* @return array{
* definition: array{operation_type: string, module: string, label: string, required_capability: string},
* binding: array{operation_type: string, provider: string, binding_status: string, handler_notes: string, exception_notes: string}
* }
*/
public function boundaryOperation(string $operationType, ?string $provider = null): array
{
$definition = $this->get($operationType);
$binding = is_string($provider) && trim($provider) !== ''
? $this->bindingFor($operationType, $provider)
: $this->activeBindingFor($operationType);
return [
'definition' => $definition,
'binding' => $binding ?? $this->unsupportedBinding($operationType, $provider ?? 'unknown'),
];
}
/**
* @return array{operation_type: string, provider: string, binding_status: string, handler_notes: string, exception_notes: string}
*/
public function unsupportedBinding(string $operationType, string $provider): array
{
return [
'operation_type' => trim($operationType),
'provider' => trim($provider) !== '' ? trim($provider) : 'unknown',
'binding_status' => self::BINDING_UNSUPPORTED,
'handler_notes' => 'No explicit provider binding exists for this operation/provider combination.',
'exception_notes' => 'Unsupported combinations must block explicitly instead of inheriting Microsoft behavior.',
];
}
/**
* @return array{operation_type: string, provider: string, binding_status: string, handler_notes: string, exception_notes: string}
*/
private function activeMicrosoftBinding(string $operationType, string $handlerNotes, string $exceptionNotes): array
{
return [
'operation_type' => $operationType,
'provider' => 'microsoft',
'binding_status' => self::BINDING_ACTIVE,
'handler_notes' => $handlerNotes,
'exception_notes' => $exceptionNotes,
];
}
}

62
apps/platform/app/Services/Providers/ProviderOperationStartGate.php
View File

@ -42,26 +42,47 @@ public function start(
array $extraContext = [],
): ProviderOperationStartResult {
$definition = $this->registry->get($operationType);
$binding = $this->resolveProviderBinding($operationType, $connection);
if (($binding['binding_status'] ?? null) !== ProviderOperationRegistry::BINDING_ACTIVE) {
return $this->startBlocked(
tenant: $tenant,
operationType: $operationType,
provider: (string) ($binding['provider'] ?? 'unknown'),
module: (string) $definition['module'],
reasonCode: ProviderReasonCodes::ProviderBindingUnsupported,
extensionReasonCode: 'ext.provider_binding_missing',
reasonMessage: 'No explicit provider binding supports this operation/provider combination.',
connection: $connection,
initiator: $initiator,
extraContext: array_merge($extraContext, [
'provider_binding' => $this->bindingContext($binding),
]),
);
}
$resolution = $connection instanceof ProviderConnection
? $this->resolver->validateConnection($tenant, (string) $definition['provider'], $connection)
: $this->resolver->resolveDefault($tenant, (string) $definition['provider']);
? $this->resolver->validateConnection($tenant, (string) $binding['provider'], $connection)
: $this->resolver->resolveDefault($tenant, (string) $binding['provider']);
if (! $resolution->resolved || ! $resolution->connection instanceof ProviderConnection) {
return $this->startBlocked(
tenant: $tenant,
operationType: $operationType,
provider: (string) $definition['provider'],
provider: (string) $binding['provider'],
module: (string) $definition['module'],
reasonCode: $resolution->effectiveReasonCode(),
extensionReasonCode: $resolution->extensionReasonCode,
reasonMessage: $resolution->message,
connection: $resolution->connection ?? $connection,
initiator: $initiator,
extraContext: $extraContext,
extraContext: array_merge($extraContext, [
'provider_binding' => $this->bindingContext($binding),
]),
);
}
return DB::transaction(function () use ($tenant, $operationType, $dispatcher, $initiator, $extraContext, $definition, $resolution): ProviderOperationStartResult {
return DB::transaction(function () use ($tenant, $operationType, $dispatcher, $initiator, $extraContext, $definition, $binding, $resolution): ProviderOperationStartResult {
$connection = $resolution->connection;
if (! $connection instanceof ProviderConnection) {
@ -114,6 +135,7 @@ public function start(
'required_capability' => $this->resolveRequiredCapability($operationType, $extraContext),
'provider' => $lockedConnection->provider,
'module' => $definition['module'],
'provider_binding' => $this->bindingContext($binding),
'provider_connection_id' => (int) $lockedConnection->getKey(),
'target_scope' => [
'entra_tenant_id' => $lockedConnection->entra_tenant_id,
@ -235,6 +257,36 @@ private function invokeDispatcher(callable $dispatcher, OperationRun $run): void
$dispatcher();
}
/**
* @return array{operation_type: string, provider: string, binding_status: string, handler_notes: string, exception_notes: string}
*/
private function resolveProviderBinding(string $operationType, ?ProviderConnection $connection): array
{
if ($connection instanceof ProviderConnection) {
$provider = trim((string) $connection->provider);
return $this->registry->bindingFor($operationType, $provider)
?? $this->registry->unsupportedBinding($operationType, $provider);
}
return $this->registry->activeBindingFor($operationType)
?? $this->registry->unsupportedBinding($operationType, 'unknown');
}
/**
* @param array{operation_type: string, provider: string, binding_status: string, handler_notes: string, exception_notes: string} $binding
* @return array{provider: string, binding_status: string, handler_notes: string, exception_notes: string}
*/
private function bindingContext(array $binding): array
{
return [
'provider' => (string) $binding['provider'],
'binding_status' => (string) $binding['binding_status'],
'handler_notes' => (string) $binding['handler_notes'],
'exception_notes' => (string) $binding['exception_notes'],
];
}
/**
* @param array<string, mixed> $extraContext
*/

3
apps/platform/app/Services/TenantReviews/TenantReviewComposer.php
View File

@ -65,6 +65,9 @@ public function compose(EvidenceSnapshot $snapshot, ?TenantReview $review = null
'finding_report_buckets' => is_array(data_get($sections, '0.summary_payload.finding_report_buckets'))
? data_get($sections, '0.summary_payload.finding_report_buckets')
: [],
'canonical_controls' => is_array(data_get($sections, '0.summary_payload.canonical_controls'))
? data_get($sections, '0.summary_payload.canonical_controls')
: [],
'report_count' => 2,
'operation_count' => (int) data_get($sections, '5.summary_payload.operation_count', 0),
'highlights' => data_get($sections, '0.render_payload.highlights', []),

20
apps/platform/app/Services/TenantReviews/TenantReviewSectionFactory.php
View File

@ -55,6 +55,7 @@ private function executiveSummarySection(
$findingOutcomes = is_array($findingsSummary['outcome_counts'] ?? null) ? $findingsSummary['outcome_counts'] : [];
$findingReportBuckets = is_array($findingsSummary['report_bucket_counts'] ?? null) ? $findingsSummary['report_bucket_counts'] : [];
$riskAcceptance = is_array($findingsSummary['risk_acceptance'] ?? null) ? $findingsSummary['risk_acceptance'] : [];
$canonicalControls = is_array($findingsSummary['canonical_controls'] ?? null) ? $findingsSummary['canonical_controls'] : [];
$openCount = (int) ($findingsSummary['open_count'] ?? 0);
$findingCount = (int) ($findingsSummary['count'] ?? 0);
@ -70,6 +71,7 @@ private function executiveSummarySection(
$postureScore !== null ? sprintf('Permission posture score is %s.', $postureScore) : 'Permission posture report is unavailable.',
sprintf('%d baseline drift findings remain open.', $driftCount),
sprintf('%d recent operations failed and %d completed with warnings.', $operationFailures, $partialOperations),
$canonicalControls !== [] ? sprintf('%d canonical controls are referenced by the findings evidence.', count($canonicalControls)) : null,
sprintf('%d risk-accepted findings are currently governed.', (int) ($riskAcceptance['valid_governed_count'] ?? 0)),
sprintf('%d privileged Entra roles are captured in the evidence basis.', (int) ($rolesSummary['role_count'] ?? 0)),
]));
@ -96,6 +98,8 @@ private function executiveSummarySection(
'baseline_drift_count' => $driftCount,
'failed_operation_count' => $operationFailures,
'partial_operation_count' => $partialOperations,
'canonical_control_count' => count($canonicalControls),
'canonical_controls' => $canonicalControls,
'risk_acceptance' => $riskAcceptance,
],
'render_payload' => [
@ -145,6 +149,7 @@ private function openRisksSection(?EvidenceSnapshotItem $findingsItem): array
'summary_payload' => [
'open_count' => (int) ($summary['open_count'] ?? 0),
'severity_counts' => is_array($summary['severity_counts'] ?? null) ? $summary['severity_counts'] : [],
'canonical_controls' => $this->canonicalControlsFromEntries($entries),
],
'render_payload' => [
'entries' => $entries,
@ -178,6 +183,7 @@ private function acceptedRisksSection(?EvidenceSnapshotItem $findingsItem): arra
'expired_count' => (int) ($riskAcceptance['expired_count'] ?? 0),
'revoked_count' => (int) ($riskAcceptance['revoked_count'] ?? 0),
'missing_exception_count' => (int) ($riskAcceptance['missing_exception_count'] ?? 0),
'canonical_controls' => $this->canonicalControlsFromEntries($entries),
],
'render_payload' => [
'entries' => $entries,
@ -293,6 +299,20 @@ private function sourceFingerprint(?EvidenceSnapshotItem $item): ?string
return is_string($fingerprint) && $fingerprint !== '' ? $fingerprint : null;
}
/**
* @param list<array<string, mixed>> $entries
* @return list<array<string, mixed>>
*/
private function canonicalControlsFromEntries(array $entries): array
{
return collect($entries)
->map(static fn (array $entry): mixed => data_get($entry, 'canonical_control_resolution.control'))
->filter(static fn (mixed $control): bool => is_array($control) && filled($control['control_key'] ?? null))
->unique(static fn (array $control): string => (string) $control['control_key'])
->values()
->all();
}
/**
* @param array<int, TenantReviewCompletenessState> $states
*/

1
apps/platform/app/Support/Badges/BadgeCatalog.php
View File

@ -38,7 +38,6 @@ final class BadgeCatalog
BadgeDomain::BooleanEnabled->value => Domains\BooleanEnabledBadge::class,
BadgeDomain::BooleanHasErrors->value => Domains\BooleanHasErrorsBadge::class,
BadgeDomain::TenantStatus->value => Domains\TenantStatusBadge::class,
BadgeDomain::TenantAppStatus->value => Domains\TenantAppStatusBadge::class,
BadgeDomain::TenantRbacStatus->value => Domains\TenantRbacStatusBadge::class,
BadgeDomain::TenantPermissionStatus->value => Domains\TenantPermissionStatusBadge::class,
BadgeDomain::PolicySnapshotMode->value => Domains\PolicySnapshotModeBadge::class,

1
apps/platform/app/Support/Badges/BadgeDomain.php
View File

@ -29,7 +29,6 @@ enum BadgeDomain: string
case BooleanEnabled = 'boolean_enabled';
case BooleanHasErrors = 'boolean_has_errors';
case TenantStatus = 'tenant_status';
case TenantAppStatus = 'tenant_app_status';
case TenantRbacStatus = 'tenant_rbac_status';
case TenantPermissionStatus = 'tenant_permission_status';
case PolicySnapshotMode = 'policy_snapshot_mode';

24
apps/platform/app/Support/Badges/Domains/TenantAppStatusBadge.php
View File

@ -1,24 +0,0 @@
<?php
namespace App\Support\Badges\Domains;
use App\Support\Badges\BadgeCatalog;
use App\Support\Badges\BadgeMapper;
use App\Support\Badges\BadgeSpec;
final class TenantAppStatusBadge implements BadgeMapper
{
public function spec(mixed $value): BadgeSpec
{
$state = BadgeCatalog::normalizeState($value);
return match ($state) {
'ok' => new BadgeSpec('OK', 'success', 'heroicon-m-check-circle'),
'configured' => new BadgeSpec('Configured', 'success', 'heroicon-m-check-circle'),
'pending' => new BadgeSpec('Pending', 'warning', 'heroicon-m-clock'),
'requires_consent', 'consent_required' => new BadgeSpec('Consent required', 'warning', 'heroicon-m-exclamation-triangle'),
'error' => new BadgeSpec('Error', 'danger', 'heroicon-m-x-circle'),
default => BadgeSpec::unknown(),
};
}
}

33
apps/platform/app/Support/Baselines/BaselineCompareStats.php
View File

@ -14,6 +14,7 @@
use App\Services\Baselines\BaselineSnapshotTruthResolver;
use App\Support\OperationRunStatus;
use App\Support\OperationRunType;
use App\Support\ReasonTranslation\ReasonPresenter;
use App\Support\Ui\OperatorExplanation\CountDescriptor;
use App\Support\Ui\OperatorExplanation\OperatorExplanationPattern;
use Illuminate\Support\Facades\Cache;
@ -120,7 +121,8 @@ public static function forTenant(?Tenant $tenant): self
$effectiveSnapshot = $truthResolution['effective_snapshot'] ?? null;
$snapshotId = $effectiveSnapshot instanceof BaselineSnapshot ? (int) $effectiveSnapshot->getKey() : null;
$snapshotReasonCode = is_string($truthResolution['reason_code'] ?? null) ? (string) $truthResolution['reason_code'] : null;
$snapshotReasonMessage = self::missingSnapshotMessage($snapshotReasonCode);
$latestCaptureRun = self::latestBaselineCaptureRun($profile);
$snapshotReasonMessage = self::missingSnapshotMessage($snapshotReasonCode, $latestCaptureRun);
try {
$profileScope = $profile->normalizedScope();
@ -905,8 +907,35 @@ private static function empty(
);
}
private static function missingSnapshotMessage(?string $reasonCode): ?string
private static function latestBaselineCaptureRun(BaselineProfile $profile): ?OperationRun
{
return OperationRun::query()
->where('workspace_id', (int) $profile->workspace_id)
->where('type', OperationRunType::BaselineCapture->value)
->where('context->baseline_profile_id', (int) $profile->getKey())
->where('status', OperationRunStatus::Completed->value)
->orderByDesc('completed_at')
->orderByDesc('id')
->first();
}
private static function missingSnapshotMessage(?string $reasonCode, ?OperationRun $latestCaptureRun = null): ?string
{
$latestCaptureEnvelope = $latestCaptureRun instanceof OperationRun
? app(ReasonPresenter::class)->forOperationRun($latestCaptureRun, 'artifact_truth')
: null;
if ($latestCaptureEnvelope !== null
&& in_array($latestCaptureEnvelope->internalCode, [
BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED,
BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE,
BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
], true)
&& trim($latestCaptureEnvelope->shortExplanation) !== '') {
return $latestCaptureEnvelope->shortExplanation;
}
return match ($reasonCode) {
BaselineReasonCodes::COMPARE_SNAPSHOT_BUILDING => 'The latest baseline capture is still building. Compare becomes available after a complete snapshot is finalized.',
BaselineReasonCodes::COMPARE_SNAPSHOT_INCOMPLETE => 'The latest baseline capture is incomplete and there is no current complete snapshot to compare against.',

27
apps/platform/app/Support/Baselines/BaselineReasonCodes.php
View File

@ -22,6 +22,16 @@ final class BaselineReasonCodes
public const string CAPTURE_UNSUPPORTED_SCOPE = 'baseline.capture.unsupported_scope';
public const string CAPTURE_INVENTORY_MISSING = 'baseline.capture.inventory_missing';
public const string CAPTURE_INVENTORY_BLOCKED = 'baseline.capture.inventory_blocked';
public const string CAPTURE_INVENTORY_FAILED = 'baseline.capture.inventory_failed';
public const string CAPTURE_UNUSABLE_COVERAGE = 'baseline.capture.unusable_coverage';
public const string CAPTURE_ZERO_SUBJECTS = 'baseline.capture.zero_subjects';
public const string SNAPSHOT_BUILDING = 'baseline.snapshot.building';
public const string SNAPSHOT_INCOMPLETE = 'baseline.snapshot.incomplete';
@ -73,6 +83,11 @@ public static function all(): array
self::CAPTURE_ROLLOUT_DISABLED,
self::CAPTURE_INVALID_SCOPE,
self::CAPTURE_UNSUPPORTED_SCOPE,
self::CAPTURE_INVENTORY_MISSING,
self::CAPTURE_INVENTORY_BLOCKED,
self::CAPTURE_INVENTORY_FAILED,
self::CAPTURE_UNUSABLE_COVERAGE,
self::CAPTURE_ZERO_SUBJECTS,
self::SNAPSHOT_BUILDING,
self::SNAPSHOT_INCOMPLETE,
self::SNAPSHOT_SUPERSEDED,
@ -128,7 +143,12 @@ public static function trustImpact(?string $reasonCode): ?string
self::CAPTURE_MISSING_SOURCE_TENANT,
self::CAPTURE_PROFILE_NOT_ACTIVE,
self::CAPTURE_INVALID_SCOPE,
self::CAPTURE_UNSUPPORTED_SCOPE => 'unusable',
self::CAPTURE_UNSUPPORTED_SCOPE,
self::CAPTURE_INVENTORY_MISSING,
self::CAPTURE_INVENTORY_BLOCKED,
self::CAPTURE_INVENTORY_FAILED,
self::CAPTURE_UNUSABLE_COVERAGE,
self::CAPTURE_ZERO_SUBJECTS => 'unusable',
default => null,
};
}
@ -148,6 +168,10 @@ public static function absencePattern(?string $reasonCode): ?string
self::CAPTURE_MISSING_SOURCE_TENANT,
self::CAPTURE_PROFILE_NOT_ACTIVE,
self::CAPTURE_ROLLOUT_DISABLED,
self::CAPTURE_INVENTORY_MISSING,
self::CAPTURE_INVENTORY_BLOCKED,
self::CAPTURE_INVENTORY_FAILED,
self::CAPTURE_UNUSABLE_COVERAGE,
self::COMPARE_NO_ASSIGNMENT,
self::COMPARE_PROFILE_NOT_ACTIVE,
self::COMPARE_NO_ELIGIBLE_TARGET,
@ -159,6 +183,7 @@ public static function absencePattern(?string $reasonCode): ?string
self::SNAPSHOT_SUPERSEDED,
self::COMPARE_SNAPSHOT_SUPERSEDED => 'blocked_prerequisite',
self::SNAPSHOT_CAPTURE_FAILED => 'unavailable',
self::CAPTURE_ZERO_SUBJECTS => 'missing_input',
self::CAPTURE_INVALID_SCOPE,
self::CAPTURE_UNSUPPORTED_SCOPE => 'unavailable',
default => null,

66
apps/platform/app/Support/Governance/Controls/ArtifactSuitability.php Normal file
View File

@ -0,0 +1,66 @@
<?php
declare(strict_types=1);
namespace App\Support\Governance\Controls;
use InvalidArgumentException;
final readonly class ArtifactSuitability
{
public function __construct(
public bool $baseline,
public bool $drift,
public bool $finding,
public bool $exception,
public bool $evidence,
public bool $review,
public bool $report,
) {}
/**
* @param array<string, mixed> $data
*/
public static function fromArray(array $data): self
{
foreach (self::requiredKeys() as $key) {
if (! array_key_exists($key, $data)) {
throw new InvalidArgumentException(sprintf('Canonical control artifact suitability is missing [%s].', $key));
}
}
return new self(
baseline: (bool) $data['baseline'],
drift: (bool) $data['drift'],
finding: (bool) $data['finding'],
exception: (bool) $data['exception'],
evidence: (bool) $data['evidence'],
review: (bool) $data['review'],
report: (bool) $data['report'],
);
}
/**
* @return array{baseline: bool, drift: bool, finding: bool, exception: bool, evidence: bool, review: bool, report: bool}
*/
public function toArray(): array
{
return [
'baseline' => $this->baseline,
'drift' => $this->drift,
'finding' => $this->finding,
'exception' => $this->exception,
'evidence' => $this->evidence,
'review' => $this->review,
'report' => $this->report,
];
}
/**
* @return list<string>
*/
public static function requiredKeys(): array
{
return ['baseline', 'drift', 'finding', 'exception', 'evidence', 'review', 'report'];
}
}

126
apps/platform/app/Support/Governance/Controls/CanonicalControlCatalog.php Normal file
View File

@ -0,0 +1,126 @@
<?php
declare(strict_types=1);
namespace App\Support\Governance\Controls;
use InvalidArgumentException;
final class CanonicalControlCatalog
{
/**
* @var list<CanonicalControlDefinition>
*/
private array $definitions;
/**
* @var list<MicrosoftSubjectBinding>
*/
private array $microsoftBindings;
/**
* @param list<array<string, mixed>>|null $controls
*/
public function __construct(?array $controls = null)
{
$controls ??= config('canonical_controls.controls', []);
if (! is_array($controls)) {
throw new InvalidArgumentException('Canonical controls config must define a controls array.');
}
$this->definitions = [];
$this->microsoftBindings = [];
foreach ($controls as $control) {
if (! is_array($control)) {
throw new InvalidArgumentException('Canonical control entries must be arrays.');
}
$definition = CanonicalControlDefinition::fromArray($control);
if ($this->find($definition->controlKey) instanceof CanonicalControlDefinition) {
throw new InvalidArgumentException(sprintf('Duplicate canonical control key [%s].', $definition->controlKey));
}
$this->definitions[] = $definition;
$bindings = is_array($control['microsoft_bindings'] ?? null) ? $control['microsoft_bindings'] : [];
foreach ($bindings as $binding) {
if (! is_array($binding)) {
throw new InvalidArgumentException(sprintf('Microsoft bindings for [%s] must be arrays.', $definition->controlKey));
}
$this->microsoftBindings[] = MicrosoftSubjectBinding::fromArray($definition->controlKey, $binding);
}
}
usort(
$this->definitions,
static fn (CanonicalControlDefinition $left, CanonicalControlDefinition $right): int => $left->controlKey <=> $right->controlKey,
);
}
/**
* @return list<CanonicalControlDefinition>
*/
public function all(): array
{
return $this->definitions;
}
/**
* @return list<CanonicalControlDefinition>
*/
public function active(): array
{
return array_values(array_filter(
$this->definitions,
static fn (CanonicalControlDefinition $definition): bool => ! $definition->isRetired(),
));
}
public function find(string $controlKey): ?CanonicalControlDefinition
{
$controlKey = trim($controlKey);
foreach ($this->definitions as $definition) {
if ($definition->controlKey === $controlKey) {
return $definition;
}
}
return null;
}
/**
* @return list<MicrosoftSubjectBinding>
*/
public function microsoftBindings(): array
{
return $this->microsoftBindings;
}
/**
* @return list<MicrosoftSubjectBinding>
*/
public function microsoftBindingsForControl(string $controlKey): array
{
return array_values(array_filter(
$this->microsoftBindings,
static fn (MicrosoftSubjectBinding $binding): bool => $binding->controlKey === trim($controlKey),
));
}
/**
* @return list<array<string, mixed>>
*/
public function listPayload(): array
{
return array_map(
static fn (CanonicalControlDefinition $definition): array => $definition->toArray(),
$this->all(),
);
}
}

131
apps/platform/app/Support/Governance/Controls/CanonicalControlDefinition.php Normal file
View File

@ -0,0 +1,131 @@
<?php
declare(strict_types=1);
namespace App\Support\Governance\Controls;
use InvalidArgumentException;
final readonly class CanonicalControlDefinition
{
/**
* @param list<EvidenceArchetype> $evidenceArchetypes
*/
public function __construct(
public string $controlKey,
public string $name,
public string $domainKey,
public string $subdomainKey,
public string $controlClass,
public string $summary,
public string $operatorDescription,
public DetectabilityClass $detectabilityClass,
public EvaluationStrategy $evaluationStrategy,
public array $evidenceArchetypes,
public ArtifactSuitability $artifactSuitability,
public string $historicalStatus = 'active',
) {
foreach ([
'control key' => $this->controlKey,
'name' => $this->name,
'domain key' => $this->domainKey,
'subdomain key' => $this->subdomainKey,
'control class' => $this->controlClass,
'summary' => $this->summary,
'operator description' => $this->operatorDescription,
'historical status' => $this->historicalStatus,
] as $label => $value) {
if (trim($value) === '') {
throw new InvalidArgumentException(sprintf('Canonical control definitions require a non-empty %s.', $label));
}
}
if ($this->controlKey !== mb_strtolower($this->controlKey) || preg_match('/^[a-z][a-z0-9_]*$/', $this->controlKey) !== 1) {
throw new InvalidArgumentException(sprintf('Canonical control key [%s] must be a lowercase provider-neutral slug.', $this->controlKey));
}
if (! in_array($this->historicalStatus, ['active', 'retired'], true)) {
throw new InvalidArgumentException(sprintf('Canonical control [%s] has an unsupported historical status.', $this->controlKey));
}
if ($this->evidenceArchetypes === []) {
throw new InvalidArgumentException(sprintf('Canonical control [%s] must declare at least one evidence archetype.', $this->controlKey));
}
}
/**
* @param array<string, mixed> $data
*/
public static function fromArray(array $data): self
{
return new self(
controlKey: (string) ($data['control_key'] ?? ''),
name: (string) ($data['name'] ?? ''),
domainKey: (string) ($data['domain_key'] ?? ''),
subdomainKey: (string) ($data['subdomain_key'] ?? ''),
controlClass: (string) ($data['control_class'] ?? ''),
summary: (string) ($data['summary'] ?? ''),
operatorDescription: (string) ($data['operator_description'] ?? ''),
detectabilityClass: DetectabilityClass::from((string) ($data['detectability_class'] ?? '')),
evaluationStrategy: EvaluationStrategy::from((string) ($data['evaluation_strategy'] ?? '')),
evidenceArchetypes: self::evidenceArchetypes($data['evidence_archetypes'] ?? []),
artifactSuitability: ArtifactSuitability::fromArray(is_array($data['artifact_suitability'] ?? null) ? $data['artifact_suitability'] : []),
historicalStatus: (string) ($data['historical_status'] ?? 'active'),
);
}
/**
* @return array{
* control_key: string,
* name: string,
* domain_key: string,
* subdomain_key: string,
* control_class: string,
* summary: string,
* operator_description: string,
* detectability_class: string,
* evaluation_strategy: string,
* evidence_archetypes: list<string>,
* artifact_suitability: array{baseline: bool, drift: bool, finding: bool, exception: bool, evidence: bool, review: bool, report: bool},
* historical_status: string
* }
*/
public function toArray(): array
{
return [
'control_key' => $this->controlKey,
'name' => $this->name,
'domain_key' => $this->domainKey,
'subdomain_key' => $this->subdomainKey,
'control_class' => $this->controlClass,
'summary' => $this->summary,
'operator_description' => $this->operatorDescription,
'detectability_class' => $this->detectabilityClass->value,
'evaluation_strategy' => $this->evaluationStrategy->value,
'evidence_archetypes' => array_map(
static fn (EvidenceArchetype $archetype): string => $archetype->value,
$this->evidenceArchetypes,
),
'artifact_suitability' => $this->artifactSuitability->toArray(),
'historical_status' => $this->historicalStatus,
];
}
public function isRetired(): bool
{
return $this->historicalStatus === 'retired';
}
/**
* @param iterable<mixed> $values
* @return list<EvidenceArchetype>
*/
private static function evidenceArchetypes(iterable $values): array
{
return collect($values)
->filter(static fn (mixed $value): bool => is_string($value) && trim($value) !== '')
->map(static fn (string $value): EvidenceArchetype => EvidenceArchetype::from(trim($value)))
->values()
->all();
}
}

65
apps/platform/app/Support/Governance/Controls/CanonicalControlResolutionRequest.php Normal file
View File

@ -0,0 +1,65 @@
<?php
declare(strict_types=1);
namespace App\Support\Governance\Controls;
final readonly class CanonicalControlResolutionRequest
{
public function __construct(
public string $provider,
public string $consumerContext,
public ?string $subjectFamilyKey = null,
public ?string $workload = null,
public ?string $signalKey = null,
) {}
/**
* @param array<string, mixed> $data
*/
public static function fromArray(array $data): self
{
return new self(
provider: self::normalize((string) ($data['provider'] ?? '')),
consumerContext: self::normalize((string) ($data['consumer_context'] ?? '')),
subjectFamilyKey: self::optionalString($data['subject_family_key'] ?? null),
workload: self::optionalString($data['workload'] ?? null),
signalKey: self::optionalString($data['signal_key'] ?? null),
);
}
public function hasDiscriminator(): bool
{
return $this->subjectFamilyKey !== null || $this->workload !== null || $this->signalKey !== null;
}
/**
* @return array{provider: string, subject_family_key: ?string, workload: ?string, signal_key: ?string, consumer_context: string}
*/
public function bindingContext(): array
{
return [
'provider' => $this->provider,
'subject_family_key' => $this->subjectFamilyKey,
'workload' => $this->workload,
'signal_key' => $this->signalKey,
'consumer_context' => $this->consumerContext,
];
}
private static function optionalString(mixed $value): ?string
{
if (! is_string($value)) {
return null;
}
$normalized = self::normalize($value);
return $normalized === '' ? null : $normalized;
}
private static function normalize(string $value): string
{
return trim($value);
}
}

88
apps/platform/app/Support/Governance/Controls/CanonicalControlResolutionResult.php Normal file
View File

@ -0,0 +1,88 @@
<?php
declare(strict_types=1);
namespace App\Support\Governance\Controls;
final readonly class CanonicalControlResolutionResult
{
/**
* @param list<string> $candidateControlKeys
*/
private function __construct(
public string $status,
public ?CanonicalControlDefinition $control,
public ?string $reasonCode,
public array $bindingContext,
public array $candidateControlKeys = [],
) {}
public static function resolved(CanonicalControlDefinition $definition): self
{
return new self(
status: 'resolved',
control: $definition,
reasonCode: null,
bindingContext: [],
);
}
public static function unresolved(string $reasonCode, CanonicalControlResolutionRequest $request): self
{
return new self(
status: 'unresolved',
control: null,
reasonCode: $reasonCode,
bindingContext: $request->bindingContext(),
);
}
/**
* @param list<string> $candidateControlKeys
*/
public static function ambiguous(array $candidateControlKeys, CanonicalControlResolutionRequest $request): self
{
sort($candidateControlKeys, SORT_STRING);
return new self(
status: 'ambiguous',
control: null,
reasonCode: 'ambiguous_binding',
bindingContext: $request->bindingContext(),
candidateControlKeys: array_values(array_unique($candidateControlKeys)),
);
}
public function isResolved(): bool
{
return $this->status === 'resolved' && $this->control instanceof CanonicalControlDefinition;
}
/**
* @return array<string, mixed>
*/
public function toArray(): array
{
if ($this->isResolved()) {
return [
'status' => 'resolved',
'control' => $this->control?->toArray(),
];
}
if ($this->status === 'ambiguous') {
return [
'status' => 'ambiguous',
'reason_code' => $this->reasonCode,
'candidate_control_keys' => $this->candidateControlKeys,
'binding_context' => $this->bindingContext,
];
}
return [
'status' => 'unresolved',
'reason_code' => $this->reasonCode,
'binding_context' => $this->bindingContext,
];
}
}

69
apps/platform/app/Support/Governance/Controls/CanonicalControlResolver.php Normal file
View File

@ -0,0 +1,69 @@
<?php
declare(strict_types=1);
namespace App\Support\Governance\Controls;
final readonly class CanonicalControlResolver
{
/**
* @var list<string>
*/
private const SUPPORTED_CONTEXTS = ['baseline', 'drift', 'finding', 'evidence', 'exception', 'review', 'report'];
public function __construct(
private CanonicalControlCatalog $catalog,
) {}
public function resolve(CanonicalControlResolutionRequest $request): CanonicalControlResolutionResult
{
if ($request->provider !== 'microsoft') {
return CanonicalControlResolutionResult::unresolved('unsupported_provider', $request);
}
if (! in_array($request->consumerContext, self::SUPPORTED_CONTEXTS, true)) {
return CanonicalControlResolutionResult::unresolved('unsupported_consumer_context', $request);
}
if (! $request->hasDiscriminator()) {
return CanonicalControlResolutionResult::unresolved('insufficient_context', $request);
}
$bindings = array_values(array_filter(
$this->catalog->microsoftBindings(),
static fn (MicrosoftSubjectBinding $binding): bool => $binding->matches($request),
));
if ($bindings === []) {
return CanonicalControlResolutionResult::unresolved('missing_binding', $request);
}
$primaryBindings = array_values(array_filter(
$bindings,
static fn (MicrosoftSubjectBinding $binding): bool => $binding->primary,
));
if ($primaryBindings !== []) {
$bindings = $primaryBindings;
}
$candidateControlKeys = array_values(array_unique(array_map(
static fn (MicrosoftSubjectBinding $binding): string => $binding->controlKey,
$bindings,
)));
sort($candidateControlKeys, SORT_STRING);
if (count($candidateControlKeys) !== 1) {
return CanonicalControlResolutionResult::ambiguous($candidateControlKeys, $request);
}
$definition = $this->catalog->find($candidateControlKeys[0]);
if (! $definition instanceof CanonicalControlDefinition) {
return CanonicalControlResolutionResult::unresolved('missing_binding', $request);
}
return CanonicalControlResolutionResult::resolved($definition);
}
}

13
apps/platform/app/Support/Governance/Controls/DetectabilityClass.php Normal file
View File

@ -0,0 +1,13 @@
<?php
declare(strict_types=1);
namespace App\Support\Governance\Controls;
enum DetectabilityClass: string
{
case DirectTechnical = 'direct_technical';
case IndirectTechnical = 'indirect_technical';
case WorkflowAttested = 'workflow_attested';
case ExternalEvidenceOnly = 'external_evidence_only';
}

13
apps/platform/app/Support/Governance/Controls/EvaluationStrategy.php Normal file
View File

@ -0,0 +1,13 @@
<?php
declare(strict_types=1);
namespace App\Support\Governance\Controls;
enum EvaluationStrategy: string
{
case StateEvaluated = 'state_evaluated';
case SignalInferred = 'signal_inferred';
case WorkflowConfirmed = 'workflow_confirmed';
case ExternallyAttested = 'externally_attested';
}

14
apps/platform/app/Support/Governance/Controls/EvidenceArchetype.php Normal file
View File

@ -0,0 +1,14 @@
<?php
declare(strict_types=1);
namespace App\Support\Governance\Controls;
enum EvidenceArchetype: string
{
case ConfigurationSnapshot = 'configuration_snapshot';
case ExecutionResult = 'execution_result';
case PolicyOrAssignmentSummary = 'policy_or_assignment_summary';
case OperatorAttestation = 'operator_attestation';
case ExternalArtifactReference = 'external_artifact_reference';
}

132
apps/platform/app/Support/Governance/Controls/MicrosoftSubjectBinding.php Normal file
View File

@ -0,0 +1,132 @@
<?php
declare(strict_types=1);
namespace App\Support\Governance\Controls;
use InvalidArgumentException;
final readonly class MicrosoftSubjectBinding
{
/**
* @param list<string> $signalKeys
* @param list<string> $supportedContexts
*/
public function __construct(
public string $controlKey,
public ?string $subjectFamilyKey,
public ?string $workload,
public array $signalKeys,
public array $supportedContexts,
public bool $primary = false,
public ?string $notes = null,
) {
if (trim($this->controlKey) === '') {
throw new InvalidArgumentException('Microsoft subject bindings require a canonical control key.');
}
if ($this->subjectFamilyKey === null && $this->workload === null && $this->signalKeys === []) {
throw new InvalidArgumentException(sprintf('Microsoft subject binding for [%s] requires at least one discriminator.', $this->controlKey));
}
if ($this->supportedContexts === []) {
throw new InvalidArgumentException(sprintf('Microsoft subject binding for [%s] requires at least one supported context.', $this->controlKey));
}
}
/**
* @param array<string, mixed> $data
*/
public static function fromArray(string $controlKey, array $data): self
{
return new self(
controlKey: $controlKey,
subjectFamilyKey: self::optionalString($data['subject_family_key'] ?? null),
workload: self::optionalString($data['workload'] ?? null),
signalKeys: self::stringList($data['signal_keys'] ?? []),
supportedContexts: self::stringList($data['supported_contexts'] ?? []),
primary: (bool) ($data['primary'] ?? false),
notes: self::optionalString($data['notes'] ?? null),
);
}
public function supportsContext(string $consumerContext): bool
{
return in_array(trim($consumerContext), $this->supportedContexts, true);
}
public function matches(CanonicalControlResolutionRequest $request): bool
{
if ($request->provider !== 'microsoft') {
return false;
}
if (! $this->supportsContext($request->consumerContext)) {
return false;
}
if ($request->subjectFamilyKey !== null && $this->subjectFamilyKey !== $request->subjectFamilyKey) {
return false;
}
if ($request->workload !== null && $this->workload !== $request->workload) {
return false;
}
if ($request->signalKey !== null && ! in_array($request->signalKey, $this->signalKeys, true)) {
return false;
}
return true;
}
/**
* @return array{
* control_key: string,
* provider: string,
* subject_family_key: ?string,
* workload: ?string,
* signal_keys: list<string>,
* supported_contexts: list<string>,
* primary: bool,
* notes: ?string
* }
*/
public function toArray(): array
{
return [
'control_key' => $this->controlKey,
'provider' => 'microsoft',
'subject_family_key' => $this->subjectFamilyKey,
'workload' => $this->workload,
'signal_keys' => $this->signalKeys,
'supported_contexts' => $this->supportedContexts,
'primary' => $this->primary,
'notes' => $this->notes,
];
}
private static function optionalString(mixed $value): ?string
{
if (! is_string($value)) {
return null;
}
$trimmed = trim($value);
return $trimmed === '' ? null : $trimmed;
}
/**
* @param iterable<mixed> $values
* @return list<string>
*/
private static function stringList(iterable $values): array
{
return collect($values)
->filter(static fn (mixed $value): bool => is_string($value) && trim($value) !== '')
->map(static fn (string $value): string => trim($value))
->values()
->all();
}
}

2
apps/platform/app/Support/OpsUx/ActiveRuns.php
View File

@ -22,7 +22,7 @@ public static function existForTenantId(?int $tenantId): bool
return OperationRun::query()
->where('tenant_id', $tenantId)
->active()
->healthyActive()
->exists();
}

75
apps/platform/app/Support/OpsUx/GovernanceRunDiagnosticSummaryBuilder.php
View File

@ -8,6 +8,7 @@
use App\Support\Badges\BadgeCatalog;
use App\Support\Badges\BadgeDomain;
use App\Support\Baselines\BaselineCompareReasonCode;
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\OperationCatalog;
use App\Support\ReasonTranslation\ReasonPresenter;
use App\Support\ReasonTranslation\ReasonResolutionEnvelope;
@ -141,9 +142,37 @@ private function baselineCaptureHeadline(
array $counts,
?OperatorExplanationPattern $operatorExplanation,
): string {
$reasonCode = (string) data_get($context, 'baseline_capture.reason_code', data_get($context, 'reason_code', ''));
$subjectsTotal = $this->intValue(data_get($context, 'baseline_capture.subjects_total'));
$resumeToken = data_get($context, 'baseline_capture.resume_token');
$gapCount = $this->intValue(data_get($context, 'baseline_capture.gaps.count'));
$changedAfterEnqueue = data_get($context, 'baseline_capture.eligibility.changed_after_enqueue') === true;
if ($reasonCode === BaselineReasonCodes::CAPTURE_INVENTORY_MISSING) {
return 'The baseline capture could not continue because no current inventory basis was available.';
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED) {
return $changedAfterEnqueue
? 'The baseline capture stopped because the latest inventory sync changed after the run was queued.'
: 'The baseline capture was blocked because the latest inventory sync was blocked.';
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_INVENTORY_FAILED) {
return $changedAfterEnqueue
? 'The baseline capture stopped because the latest inventory sync failed after the run was queued.'
: 'The baseline capture was blocked because the latest inventory sync failed.';
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE) {
return $changedAfterEnqueue
? 'The baseline capture stopped because the latest inventory coverage became unusable after the run was queued.'
: 'The baseline capture could not produce a usable baseline because the latest inventory coverage was not credible.';
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS) {
return 'The baseline capture finished without a usable baseline because no governed subjects were in scope.';
}
if ($subjectsTotal === 0) {
return 'No baseline was captured because no governed subjects were ready.';
@ -629,9 +658,55 @@ private function pushCandidate(array &$candidates, ?string $code, ?string $label
*/
private function baselineCaptureCandidates(array &$candidates, array $context): void
{
$reasonCode = (string) data_get($context, 'baseline_capture.reason_code', data_get($context, 'reason_code', ''));
$subjectsTotal = $this->intValue(data_get($context, 'baseline_capture.subjects_total'));
$gapCount = $this->intValue(data_get($context, 'baseline_capture.gaps.count'));
$resumeToken = data_get($context, 'baseline_capture.resume_token');
$changedAfterEnqueue = data_get($context, 'baseline_capture.eligibility.changed_after_enqueue') === true;
if ($reasonCode === BaselineReasonCodes::CAPTURE_INVENTORY_MISSING) {
$this->pushCandidate($candidates, $reasonCode, 'Run tenant sync first', 'No current inventory basis was available for this baseline capture.', 95);
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED) {
$this->pushCandidate(
$candidates,
$reasonCode,
'Latest inventory sync was blocked',
$changedAfterEnqueue
? 'The latest inventory sync changed after the run was queued and blocked the capture.'
: 'The latest inventory sync was blocked before this capture could produce a trustworthy baseline.',
95,
);
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_INVENTORY_FAILED) {
$this->pushCandidate(
$candidates,
$reasonCode,
'Latest inventory sync failed',
$changedAfterEnqueue
? 'The latest inventory sync failed after the run was queued, so the capture stopped without refreshing baseline truth.'
: 'The latest inventory sync failed before this capture could produce a trustworthy baseline.',
95,
);
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE) {
$this->pushCandidate(
$candidates,
$reasonCode,
'Latest inventory coverage unusable',
$changedAfterEnqueue
? 'The latest inventory coverage became unusable after the run was queued, so the capture stopped without refreshing baseline truth.'
: 'The latest inventory sync did not produce usable governed-subject coverage for this baseline capture.',
95,
);
}
if ($reasonCode === BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS) {
$this->pushCandidate($candidates, $reasonCode, 'No subjects were in scope', 'No governed subjects were available for this baseline capture.', 95);
}
if ($subjectsTotal === 0) {
$this->pushCandidate($candidates, 'no_subjects_in_scope', 'No governed subjects captured', 'No governed subjects were available for this baseline capture.', 95);

24
apps/platform/app/Support/OpsUx/OperationUxPresenter.php
View File

@ -547,6 +547,11 @@ private static function terminalSupportingLines(OperationRun $run): array
$lines[] = $guidance;
}
$baselineTruthChange = self::baselineTruthChangeLine($run);
if ($baselineTruthChange !== null) {
$lines[] = $baselineTruthChange;
}
$summary = SummaryCountsNormalizer::renderSummaryLine(is_array($run->summary_counts) ? $run->summary_counts : []);
if ($summary !== null) {
$lines[] = $summary;
@ -560,6 +565,25 @@ private static function terminalSupportingLines(OperationRun $run): array
return array_values(array_filter($lines, static fn (string $line): bool => trim($line) !== ''));
}
private static function baselineTruthChangeLine(OperationRun $run): ?string
{
if ((string) $run->type !== 'baseline_capture') {
return null;
}
$changed = data_get($run->context, 'baseline_capture.current_baseline_changed');
if ($changed === true) {
return 'Current baseline truth was updated.';
}
if ($changed === false) {
return 'Current baseline truth was unchanged.';
}
return null;
}
/**
* @return array{label:string, url:?string, target:string}
*/

194
apps/platform/app/Support/Providers/Boundary/ProviderBoundaryCatalog.php Normal file
View File

@ -0,0 +1,194 @@
<?php
namespace App\Support\Providers\Boundary;
use InvalidArgumentException;
final class ProviderBoundaryCatalog
{
public const string STATUS_ALLOWED = 'allowed';
public const string STATUS_REVIEW_REQUIRED = 'review_required';
public const string STATUS_BLOCKED = 'blocked';
public const string VIOLATION_NONE = 'none';
public const string VIOLATION_PLATFORM_CORE_PROVIDER_LEAK = 'platform_core_provider_leak';
public const string VIOLATION_UNDECLARED_EXCEPTION = 'undeclared_exception';
public const string VIOLATION_MISSING_PROVIDER_BINDING = 'missing_provider_binding';
public const string VIOLATION_PROVIDER_BINDING_AS_PRIMARY_TRUTH = 'provider_binding_as_primary_truth';
/**
* @return array<string, ProviderBoundarySeam>
*/
public function all(): array
{
$seams = config('provider_boundaries.seams', []);
if (! is_array($seams)) {
throw new InvalidArgumentException('Provider boundary seam catalog must be an array.');
}
$catalog = [];
foreach ($seams as $key => $attributes) {
if (! is_string($key) || ! is_array($attributes)) {
throw new InvalidArgumentException('Provider boundary seam catalog entries must be keyed arrays.');
}
$catalog[$key] = ProviderBoundarySeam::fromConfig($key, $attributes);
}
ksort($catalog);
return $catalog;
}
public function get(string $key): ProviderBoundarySeam
{
$normalizedKey = trim($key);
$seam = $this->all()[$normalizedKey] ?? null;
if (! $seam instanceof ProviderBoundarySeam) {
throw new InvalidArgumentException("Unknown provider boundary seam: {$normalizedKey}");
}
return $seam;
}
public function has(string $key): bool
{
return array_key_exists(trim($key), $this->all());
}
/**
* @return array{
* status: string,
* seam_key: string,
* file_path: string,
* violation_code: string,
* message: string,
* suggested_follow_up: string
* }
*/
public function evaluateChange(
string $seamKey,
string $filePath,
ProviderBoundaryOwner|string $proposedOwner,
array $providerSpecificTerms = [],
bool $introducesNewBinding = false,
): array {
$seam = $this->get($seamKey);
$owner = is_string($proposedOwner)
? ProviderBoundaryOwner::tryFrom($proposedOwner)
: $proposedOwner;
if (! $owner instanceof ProviderBoundaryOwner) {
throw new InvalidArgumentException('Proposed provider boundary owner is invalid.');
}
$providerSpecificTerms = $this->normalizeTerms($providerSpecificTerms);
if ($introducesNewBinding && $seam->isPlatformCore() && $owner === ProviderBoundaryOwner::PlatformCore) {
return $this->result(
status: self::STATUS_BLOCKED,
seam: $seam,
filePath: $filePath,
violationCode: self::VIOLATION_PROVIDER_BINDING_AS_PRIMARY_TRUTH,
message: 'Provider binding metadata must stay explicit and secondary to the platform-core operation definition.',
suggestedFollowUp: ProviderBoundarySeam::FOLLOW_UP_DOCUMENT_IN_FEATURE,
);
}
if ($seam->isProviderOwned()) {
return $this->result(
status: self::STATUS_ALLOWED,
seam: $seam,
filePath: $filePath,
violationCode: self::VIOLATION_NONE,
message: 'Provider-specific semantics are allowed inside this provider-owned seam.',
suggestedFollowUp: ProviderBoundarySeam::FOLLOW_UP_NONE,
);
}
if ($providerSpecificTerms === []) {
return $this->result(
status: self::STATUS_ALLOWED,
seam: $seam,
filePath: $filePath,
violationCode: self::VIOLATION_NONE,
message: 'The platform-core seam does not introduce provider-specific terms.',
suggestedFollowUp: ProviderBoundarySeam::FOLLOW_UP_NONE,
);
}
$undocumentedTerms = array_values(array_filter(
$providerSpecificTerms,
static fn (string $term): bool => ! $seam->documentsProviderSemantic($term),
));
if ($undocumentedTerms !== []) {
return $this->result(
status: self::STATUS_BLOCKED,
seam: $seam,
filePath: $filePath,
violationCode: self::VIOLATION_PLATFORM_CORE_PROVIDER_LEAK,
message: 'Platform-core seam contains undocumented provider-specific terms: '.implode(', ', $undocumentedTerms).'.',
suggestedFollowUp: ProviderBoundarySeam::FOLLOW_UP_SPEC,
);
}
return $this->result(
status: self::STATUS_REVIEW_REQUIRED,
seam: $seam,
filePath: $filePath,
violationCode: self::VIOLATION_NONE,
message: 'Platform-core seam relies on documented current-release provider exception metadata.',
suggestedFollowUp: $seam->followUpAction,
);
}
/**
* @param array<mixed> $terms
* @return list<string>
*/
private function normalizeTerms(array $terms): array
{
return array_values(array_filter(
array_map(static fn (mixed $term): string => trim((string) $term), $terms),
static fn (string $term): bool => $term !== '',
));
}
/**
* @return array{
* status: string,
* seam_key: string,
* file_path: string,
* violation_code: string,
* message: string,
* suggested_follow_up: string
* }
*/
private function result(
string $status,
ProviderBoundarySeam $seam,
string $filePath,
string $violationCode,
string $message,
string $suggestedFollowUp,
): array {
return [
'status' => $status,
'seam_key' => $seam->key,
'file_path' => $filePath,
'violation_code' => $violationCode,
'message' => $message,
'suggested_follow_up' => $suggestedFollowUp,
];
}
}

17
apps/platform/app/Support/Providers/Boundary/ProviderBoundaryOwner.php Normal file
View File

@ -0,0 +1,17 @@
<?php
namespace App\Support\Providers\Boundary;
enum ProviderBoundaryOwner: string
{
case ProviderOwned = 'provider_owned';
case PlatformCore = 'platform_core';
/**
* @return list<string>
*/
public static function values(): array
{
return array_map(static fn (self $case): string => $case->value, self::cases());
}
}

149
apps/platform/app/Support/Providers/Boundary/ProviderBoundarySeam.php Normal file
View File

@ -0,0 +1,149 @@
<?php
namespace App\Support\Providers\Boundary;
use InvalidArgumentException;
final class ProviderBoundarySeam
{
public const string FOLLOW_UP_NONE = 'none';
public const string FOLLOW_UP_DOCUMENT_IN_FEATURE = 'document-in-feature';
public const string FOLLOW_UP_SPEC = 'follow-up-spec';
/**
* @param list<string> $implementationPaths
* @param list<string> $neutralTerms
* @param list<string> $retainedProviderSemantics
*/
public function __construct(
public readonly string $key,
public readonly ProviderBoundaryOwner $owner,
public readonly string $description,
public readonly array $implementationPaths,
public readonly array $neutralTerms,
public readonly array $retainedProviderSemantics,
public readonly string $followUpAction,
) {
$this->validate();
}
/**
* @param array{
* owner?: string,
* description?: string,
* implementation_paths?: list<string>,
* neutral_terms?: list<string>,
* retained_provider_semantics?: list<string>,
* follow_up_action?: string
* } $attributes
*/
public static function fromConfig(string $key, array $attributes): self
{
$owner = ProviderBoundaryOwner::tryFrom((string) ($attributes['owner'] ?? ''));
if (! $owner instanceof ProviderBoundaryOwner) {
throw new InvalidArgumentException("Provider boundary seam [{$key}] has an invalid owner.");
}
return new self(
key: $key,
owner: $owner,
description: (string) ($attributes['description'] ?? ''),
implementationPaths: self::stringList($attributes['implementation_paths'] ?? []),
neutralTerms: self::stringList($attributes['neutral_terms'] ?? []),
retainedProviderSemantics: self::stringList($attributes['retained_provider_semantics'] ?? []),
followUpAction: (string) ($attributes['follow_up_action'] ?? self::FOLLOW_UP_NONE),
);
}
public function isProviderOwned(): bool
{
return $this->owner === ProviderBoundaryOwner::ProviderOwned;
}
public function isPlatformCore(): bool
{
return $this->owner === ProviderBoundaryOwner::PlatformCore;
}
public function retainsProviderSemantics(): bool
{
return $this->retainedProviderSemantics !== [];
}
public function documentsProviderSemantic(string $term): bool
{
return in_array($term, $this->retainedProviderSemantics, true);
}
public function coversPath(string $path): bool
{
$normalizedPath = $this->normalizePath($path);
foreach ($this->implementationPaths as $implementationPath) {
if ($normalizedPath === $this->normalizePath($implementationPath)) {
return true;
}
}
return false;
}
/**
* @param array<mixed> $values
* @return list<string>
*/
private static function stringList(array $values): array
{
return array_values(array_filter(
array_map(static fn (mixed $value): string => trim((string) $value), $values),
static fn (string $value): bool => $value !== '',
));
}
private function validate(): void
{
if (trim($this->key) === '') {
throw new InvalidArgumentException('Provider boundary seam key cannot be empty.');
}
if (trim($this->description) === '') {
throw new InvalidArgumentException("Provider boundary seam [{$this->key}] must include a description.");
}
if ($this->implementationPaths === []) {
throw new InvalidArgumentException("Provider boundary seam [{$this->key}] must include implementation paths.");
}
if ($this->isPlatformCore() && $this->neutralTerms === []) {
throw new InvalidArgumentException("Platform-core provider boundary seam [{$this->key}] must include neutral terms.");
}
if ($this->retainsProviderSemantics() && $this->followUpAction === self::FOLLOW_UP_NONE) {
throw new InvalidArgumentException("Provider boundary seam [{$this->key}] retains provider semantics without a follow-up action.");
}
if (! in_array($this->followUpAction, $this->validFollowUpActions(), true)) {
throw new InvalidArgumentException("Provider boundary seam [{$this->key}] has an invalid follow-up action.");
}
}
/**
* @return list<string>
*/
private function validFollowUpActions(): array
{
return [
self::FOLLOW_UP_NONE,
self::FOLLOW_UP_DOCUMENT_IN_FEATURE,
self::FOLLOW_UP_SPEC,
];
}
private function normalizePath(string $path): string
{
return trim(str_replace('\\', '/', $path), '/');
}
}

4
apps/platform/app/Support/Providers/ProviderReasonCodes.php
View File

@ -34,6 +34,8 @@ final class ProviderReasonCodes
public const string ProviderConnectionReviewRequired = 'provider_connection_review_required';
public const string ProviderBindingUnsupported = 'provider_binding_unsupported';
public const string ProviderAuthFailed = 'provider_auth_failed';
public const string ProviderPermissionMissing = 'provider_permission_missing';
@ -77,6 +79,7 @@ public static function all(): array
self::ProviderConsentFailed,
self::ProviderConsentRevoked,
self::ProviderConnectionReviewRequired,
self::ProviderBindingUnsupported,
self::ProviderAuthFailed,
self::ProviderPermissionMissing,
self::ProviderPermissionDenied,
@ -139,6 +142,7 @@ public static function platformReasonFamily(string $reasonCode): PlatformReasonF
self::ProviderAuthFailed => PlatformReasonFamily::Availability,
self::ProviderConnectionTypeInvalid,
self::TenantTargetMismatch,
self::ProviderBindingUnsupported,
self::ProviderConnectionReviewRequired => PlatformReasonFamily::Compatibility,
default => PlatformReasonFamily::Prerequisite,
};

10
apps/platform/app/Support/Providers/ProviderReasonTranslator.php
View File

@ -141,6 +141,13 @@ public function translate(string $reasonCode, string $surface = 'detail', array
actionability: 'prerequisite_missing',
nextSteps: $nextSteps,
),
ProviderReasonCodes::ProviderBindingUnsupported => $this->envelope(
reasonCode: $normalizedCode,
operatorLabel: 'Provider binding unsupported',
shortExplanation: 'This operation does not have an explicit provider binding for the selected provider.',
actionability: 'permanent_configuration',
nextSteps: $nextSteps,
),
ProviderReasonCodes::ProviderAuthFailed => $this->envelope(
reasonCode: $normalizedCode,
operatorLabel: 'Provider authentication failed',
@ -284,7 +291,8 @@ private function nextStepsFor(
ProviderReasonCodes::TenantTargetMismatch,
ProviderReasonCodes::PlatformIdentityMissing,
ProviderReasonCodes::PlatformIdentityIncomplete,
ProviderReasonCodes::ProviderConnectionReviewRequired => [
ProviderReasonCodes::ProviderConnectionReviewRequired,
ProviderReasonCodes::ProviderBindingUnsupported => [
NextStepOption::link(
label: $connection instanceof ProviderConnection ? 'Review migration classification' : 'Manage Provider Connections',
destination: $connection instanceof ProviderConnection

1
apps/platform/app/Support/ReasonTranslation/ReasonPresenter.php
View File

@ -44,6 +44,7 @@ public function forOperationRun(OperationRun $run, string $surface = 'detail'):
$contextReasonCode = data_get($context, 'execution_legitimacy.reason_code')
?? data_get($context, 'reason_code')
?? data_get($context, 'baseline_capture.reason_code')
?? data_get($context, 'baseline_compare.reason_code');
if (is_string($contextReasonCode) && trim($contextReasonCode) !== '') {

77
apps/platform/app/Support/ReasonTranslation/ReasonTranslator.php
View File

@ -51,8 +51,8 @@ public function translate(
$artifactKey === null && $this->providerReasonTranslator->canTranslate($reasonCode) => $this->providerReasonTranslator->translate($reasonCode, $surface, $context),
$artifactKey === self::GOVERNANCE_ARTIFACT_TRUTH_ARTIFACT && BaselineCompareReasonCode::tryFrom($reasonCode) instanceof BaselineCompareReasonCode => $this->translateBaselineCompareReason($reasonCode),
$artifactKey === null && BaselineCompareReasonCode::tryFrom($reasonCode) instanceof BaselineCompareReasonCode => $this->translateBaselineCompareReason($reasonCode),
$artifactKey === self::GOVERNANCE_ARTIFACT_TRUTH_ARTIFACT && BaselineReasonCodes::isKnown($reasonCode) => $this->translateBaselineReason($reasonCode),
$artifactKey === null && BaselineReasonCodes::isKnown($reasonCode) => $this->translateBaselineReason($reasonCode),
$artifactKey === self::GOVERNANCE_ARTIFACT_TRUTH_ARTIFACT && BaselineReasonCodes::isKnown($reasonCode) => $this->translateBaselineReason($reasonCode, $context),
$artifactKey === null && BaselineReasonCodes::isKnown($reasonCode) => $this->translateBaselineReason($reasonCode, $context),
$artifactKey === self::EXECUTION_DENIAL_ARTIFACT,
$artifactKey === null && ExecutionDenialReasonCode::tryFrom($reasonCode) instanceof ExecutionDenialReasonCode => ExecutionDenialReasonCode::tryFrom($reasonCode)?->toReasonResolutionEnvelope($surface, $context),
$artifactKey === null && LifecycleReconciliationReason::tryFrom($reasonCode) instanceof LifecycleReconciliationReason => LifecycleReconciliationReason::tryFrom($reasonCode)?->toReasonResolutionEnvelope($surface, $context),
@ -116,7 +116,10 @@ private function fallbackTranslate(
return $this->fallbackReasonTranslator->translate($reasonCode, $surface, $context);
}
private function translateBaselineReason(string $reasonCode): ReasonResolutionEnvelope
/**
* @param array<string, mixed> $context
*/
private function translateBaselineReason(string $reasonCode, array $context = []): ReasonResolutionEnvelope
{
[$operatorLabel, $shortExplanation, $actionability, $nextStep] = match ($reasonCode) {
BaselineReasonCodes::CAPTURE_MISSING_SOURCE_TENANT => [
@ -138,6 +141,51 @@ private function translateBaselineReason(string $reasonCode): ReasonResolutionEn
'prerequisite_missing',
'Enable the rollout before retrying full-content baseline work.',
],
BaselineReasonCodes::CAPTURE_INVENTORY_MISSING => [
'Run tenant sync first',
$this->baselineCaptureTruthImpactExplanation(
'No current inventory basis was available for this baseline capture.',
$context,
),
'prerequisite_missing',
'Run inventory sync for this tenant, then capture the baseline again.',
],
BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED => [
'Latest inventory sync was blocked',
$this->baselineCaptureTruthImpactExplanation(
'The latest inventory sync was blocked, so this capture could not use a credible upstream basis.',
$context,
),
'prerequisite_missing',
'Review the blocked inventory sync, fix the prerequisite, and rerun sync before capturing again.',
],
BaselineReasonCodes::CAPTURE_INVENTORY_FAILED => [
'Latest inventory sync failed',
$this->baselineCaptureTruthImpactExplanation(
'The latest inventory sync failed, so this capture could not use a credible upstream basis.',
$context,
),
'prerequisite_missing',
'Review the failed inventory sync, fix the error, and rerun sync before capturing again.',
],
BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE => [
'Latest inventory coverage unusable',
$this->baselineCaptureTruthImpactExplanation(
'The latest inventory sync did not produce usable governed-subject coverage for this baseline capture.',
$context,
),
'prerequisite_missing',
'Run inventory sync until the governed subject types show current coverage, then capture again.',
],
BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS => [
'No subjects were in scope',
$this->baselineCaptureTruthImpactExplanation(
'The latest inventory basis was credible, but no governed subjects were in scope for this baseline capture.',
$context,
),
'prerequisite_missing',
'Review the baseline scope and tenant inventory, then capture again when governed subjects are available.',
],
BaselineReasonCodes::SNAPSHOT_BUILDING,
BaselineReasonCodes::COMPARE_SNAPSHOT_BUILDING => [
'Baseline still building',
@ -242,6 +290,29 @@ private function translateBaselineReason(string $reasonCode): ReasonResolutionEn
);
}
/**
* @param array<string, mixed> $context
*/
private function baselineCaptureTruthImpactExplanation(string $baseExplanation, array $context): string
{
$changed = data_get($context, 'baseline_capture.current_baseline_changed');
$previousSnapshotExists = data_get($context, 'baseline_capture.previous_current_snapshot_exists');
if ($changed === true) {
return $baseExplanation.' TenantPilot updated the current baseline truth with a new consumable snapshot.';
}
if ($previousSnapshotExists === true) {
return $baseExplanation.' TenantPilot kept the last trustworthy baseline in place.';
}
if ($previousSnapshotExists === false) {
return $baseExplanation.' No current trustworthy baseline is available yet.';
}
return $baseExplanation;
}
private function translateBaselineCompareReason(string $reasonCode): ReasonResolutionEnvelope
{
$enum = BaselineCompareReasonCode::tryFrom($reasonCode);

34
apps/platform/app/Support/Workspaces/WorkspaceOverviewBuilder.php
View File

@ -71,6 +71,7 @@ public function build(Workspace $workspace, User $user): array
->all();
$this->capabilityResolver->primeMemberships($user, $accessibleTenantIds);
$visibleFindingsTenantIds = $this->visibleFindingTenantIds($accessibleTenants, $user);
$canViewAlerts = $this->workspaceCapabilityResolver->can($user, $workspace, Capabilities::ALERTS_VIEW);
$navigationContext = $this->workspaceOverviewNavigationContext();
@ -136,8 +137,8 @@ public function build(Workspace $workspace, User $user): array
'action_url' => $calmness['next_action']['url'] ?? ChooseTenant::getUrl(panel: 'admin'),
];
$myFindingsSignal = $this->myFindingsSignal($workspaceId, $accessibleTenants, $user);
$findingsHygieneSignal = $this->findingsHygieneSignal($workspace, $user);
$myFindingsSignal = $this->myFindingsSignal($workspaceId, $visibleFindingsTenantIds, $user);
$findingsHygieneSignal = $this->findingsHygieneSignal($workspace, $visibleFindingsTenantIds);
$zeroTenantState = null;
@ -210,18 +211,11 @@ private function accessibleTenants(Workspace $workspace, User $user): Collection
}
/**
* @param Collection<int, Tenant> $accessibleTenants
* @param array<int, int> $visibleTenantIds
* @return array<string, mixed>
*/
private function myFindingsSignal(int $workspaceId, Collection $accessibleTenants, User $user): array
private function myFindingsSignal(int $workspaceId, array $visibleTenantIds, User $user): array
{
$visibleTenantIds = $accessibleTenants
->filter(fn (Tenant $tenant): bool => $this->capabilityResolver->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW))
->pluck('id')
->map(static fn (mixed $id): int => (int) $id)
->values()
->all();
$assignedCounts = $visibleTenantIds === []
? null
: $this->scopeToVisibleTenants(
@ -271,9 +265,9 @@ private function myFindingsSignal(int $workspaceId, Collection $accessibleTenant
/**
* @return array<string, mixed>
*/
private function findingsHygieneSignal(Workspace $workspace, User $user): array
private function findingsHygieneSignal(Workspace $workspace, array $visibleTenantIds): array
{
$summary = $this->findingAssignmentHygieneService->summary($workspace, $user);
$summary = $this->findingAssignmentHygieneService->summaryForVisibleTenantIds($workspace, $visibleTenantIds);
$uniqueIssueCount = $summary['unique_issue_count'];
$brokenAssignmentCount = $summary['broken_assignment_count'];
$staleInProgressCount = $summary['stale_in_progress_count'];
@ -297,6 +291,20 @@ private function findingsHygieneSignal(Workspace $workspace, User $user): array
];
}
/**
* @param Collection<int, Tenant> $accessibleTenants
* @return array<int, int>
*/
private function visibleFindingTenantIds(Collection $accessibleTenants, User $user): array
{
return $accessibleTenants
->filter(fn (Tenant $tenant): bool => $this->capabilityResolver->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW))
->pluck('id')
->map(static fn (mixed $id): int => (int) $id)
->values()
->all();
}
private function findingsHygieneDescription(int $brokenAssignmentCount, int $staleInProgressCount): string
{
if ($brokenAssignmentCount === 0 && $staleInProgressCount === 0) {

304
apps/platform/config/canonical_controls.php Normal file
View File

@ -0,0 +1,304 @@
<?php
declare(strict_types=1);
return [
'controls' => [
[
'control_key' => 'strong_authentication',
'name' => 'Strong authentication',
'domain_key' => 'identity_access',
'subdomain_key' => 'authentication_assurance',
'control_class' => 'preventive',
'summary' => 'Accounts and privileged actions require strong authentication before access is granted.',
'operator_description' => 'Use this control when the governance objective is proving that access depends on multi-factor or similarly strong authentication.',
'detectability_class' => 'indirect_technical',
'evaluation_strategy' => 'signal_inferred',
'evidence_archetypes' => [
'configuration_snapshot',
'policy_or_assignment_summary',
'execution_result',
],
'artifact_suitability' => [
'baseline' => true,
'drift' => true,
'finding' => true,
'exception' => true,
'evidence' => true,
'review' => true,
'report' => true,
],
'historical_status' => 'active',
'microsoft_bindings' => [
[
'subject_family_key' => 'conditional_access_policy',
'workload' => 'entra',
'signal_keys' => [
'conditional_access.require_mfa',
'conditional_access.authentication_strength',
],
'supported_contexts' => ['baseline', 'drift', 'finding', 'evidence', 'review', 'report'],
'primary' => true,
'notes' => 'Microsoft conditional access is provider-owned evidence for strong authentication, not the canonical control identity.',
],
[
'subject_family_key' => 'permission_posture',
'workload' => 'entra',
'signal_keys' => [
'permission_posture.required_graph_permission',
],
'supported_contexts' => ['finding', 'evidence', 'review', 'report'],
'primary' => false,
'notes' => 'Permission posture can support authentication governance when missing permissions block assessment evidence.',
],
],
],
[
'control_key' => 'conditional_access_enforcement',
'name' => 'Conditional access enforcement',
'domain_key' => 'identity_access',
'subdomain_key' => 'access_policy',
'control_class' => 'preventive',
'summary' => 'Access decisions are governed by explicit policy conditions and assignment boundaries.',
'operator_description' => 'Use this control when evaluating whether access is constrained by conditional policies rather than unmanaged default access.',
'detectability_class' => 'direct_technical',
'evaluation_strategy' => 'state_evaluated',
'evidence_archetypes' => [
'configuration_snapshot',
'policy_or_assignment_summary',
],
'artifact_suitability' => [
'baseline' => true,
'drift' => true,
'finding' => true,
'exception' => true,
'evidence' => true,
'review' => true,
'report' => true,
],
'historical_status' => 'active',
'microsoft_bindings' => [
[
'subject_family_key' => 'conditional_access_policy',
'workload' => 'entra',
'signal_keys' => [
'conditional_access.policy_state',
'conditional_access.assignment_scope',
],
'supported_contexts' => ['baseline', 'drift', 'finding', 'evidence', 'review', 'report'],
'primary' => true,
'notes' => 'Policy state and assignments are Microsoft-owned signals for the provider-neutral access enforcement objective.',
],
],
],
[
'control_key' => 'privileged_access_governance',
'name' => 'Privileged access governance',
'domain_key' => 'identity_access',
'subdomain_key' => 'privileged_access',
'control_class' => 'preventive',
'summary' => 'Privileged roles are assigned intentionally, reviewed, and limited to accountable identities.',
'operator_description' => 'Use this control when privileged role exposure, ownership, and reviewability are the core governance objective.',
'detectability_class' => 'indirect_technical',
'evaluation_strategy' => 'signal_inferred',
'evidence_archetypes' => [
'policy_or_assignment_summary',
'execution_result',
'operator_attestation',
],
'artifact_suitability' => [
'baseline' => false,
'drift' => false,
'finding' => true,
'exception' => true,
'evidence' => true,
'review' => true,
'report' => true,
],
'historical_status' => 'active',
'microsoft_bindings' => [
[
'subject_family_key' => 'entra_admin_roles',
'workload' => 'entra',
'signal_keys' => [
'entra_admin_roles.global_admin_assignment',
'entra_admin_roles.privileged_role_assignment',
],
'supported_contexts' => ['finding', 'evidence', 'review', 'report'],
'primary' => true,
'notes' => 'Directory role assignment data supports privileged access governance without becoming the control taxonomy.',
],
],
],
[
'control_key' => 'external_sharing_boundaries',
'name' => 'External sharing boundaries',
'domain_key' => 'collaboration_boundary',
'subdomain_key' => 'external_access',
'control_class' => 'preventive',
'summary' => 'External access and sharing are constrained by explicit tenant or workload boundaries.',
'operator_description' => 'Use this control when the product needs to explain whether cross-boundary collaboration is intentionally limited.',
'detectability_class' => 'workflow_attested',
'evaluation_strategy' => 'workflow_confirmed',
'evidence_archetypes' => [
'configuration_snapshot',
'operator_attestation',
'external_artifact_reference',
],
'artifact_suitability' => [
'baseline' => false,
'drift' => false,
'finding' => false,
'exception' => true,
'evidence' => true,
'review' => true,
'report' => true,
],
'historical_status' => 'active',
'microsoft_bindings' => [
[
'subject_family_key' => 'sharing_boundary',
'workload' => 'microsoft_365',
'signal_keys' => [
'sharing.external_boundary_attested',
],
'supported_contexts' => ['evidence', 'review', 'report'],
'primary' => true,
'notes' => 'Current release coverage depends on attested configuration evidence rather than direct universal evaluation.',
],
],
],
[
'control_key' => 'endpoint_hardening_compliance',
'name' => 'Endpoint hardening and compliance',
'domain_key' => 'endpoint_security',
'subdomain_key' => 'device_posture',
'control_class' => 'detective',
'summary' => 'Endpoint configuration and compliance policies express the expected device hardening posture.',
'operator_description' => 'Use this control when a finding or review references device configuration, compliance, or hardening drift.',
'detectability_class' => 'direct_technical',
'evaluation_strategy' => 'state_evaluated',
'evidence_archetypes' => [
'configuration_snapshot',
'policy_or_assignment_summary',
'execution_result',
],
'artifact_suitability' => [
'baseline' => true,
'drift' => true,
'finding' => true,
'exception' => true,
'evidence' => true,
'review' => true,
'report' => true,
],
'historical_status' => 'active',
'microsoft_bindings' => [
[
'subject_family_key' => 'deviceConfiguration',
'workload' => 'intune',
'signal_keys' => [
'intune.device_configuration_drift',
],
'supported_contexts' => ['baseline', 'drift', 'finding', 'evidence', 'review', 'report'],
'primary' => true,
'notes' => 'Intune device configuration drift is a provider signal for the endpoint hardening control.',
],
[
'subject_family_key' => 'deviceCompliancePolicy',
'workload' => 'intune',
'signal_keys' => [
'intune.device_compliance_policy',
],
'supported_contexts' => ['baseline', 'drift', 'finding', 'evidence', 'review', 'report'],
'primary' => true,
'notes' => 'Device compliance policy data supports the same endpoint hardening objective.',
],
[
'subject_family_key' => 'drift',
'workload' => 'intune',
'signal_keys' => [
'finding.drift',
],
'supported_contexts' => ['finding', 'evidence', 'review', 'report'],
'primary' => true,
'notes' => 'Legacy drift findings without a policy-family discriminator resolve to the broad endpoint hardening objective.',
],
],
],
[
'control_key' => 'audit_log_retention',
'name' => 'Audit log retention',
'domain_key' => 'auditability',
'subdomain_key' => 'retention',
'control_class' => 'detective',
'summary' => 'Administrative and security-relevant activity remains available for investigation for the required retention period.',
'operator_description' => 'Use this control when evidence depends on retained logs or exported audit artifacts rather than live configuration alone.',
'detectability_class' => 'external_evidence_only',
'evaluation_strategy' => 'externally_attested',
'evidence_archetypes' => [
'external_artifact_reference',
'operator_attestation',
],
'artifact_suitability' => [
'baseline' => false,
'drift' => false,
'finding' => false,
'exception' => true,
'evidence' => true,
'review' => true,
'report' => true,
],
'historical_status' => 'active',
'microsoft_bindings' => [
[
'subject_family_key' => 'audit_log_retention',
'workload' => 'microsoft_365',
'signal_keys' => [
'audit.retention_attested',
],
'supported_contexts' => ['evidence', 'review', 'report'],
'primary' => true,
'notes' => 'Current evidence is external or attested until a later slice adds direct provider evaluation.',
],
],
],
[
'control_key' => 'delegated_admin_boundaries',
'name' => 'Delegated admin boundaries',
'domain_key' => 'identity_access',
'subdomain_key' => 'delegated_administration',
'control_class' => 'preventive',
'summary' => 'Delegated administration is constrained by explicit role, tenant, and scope boundaries.',
'operator_description' => 'Use this control when evaluating whether delegated administrative access is bounded and reviewable.',
'detectability_class' => 'workflow_attested',
'evaluation_strategy' => 'workflow_confirmed',
'evidence_archetypes' => [
'policy_or_assignment_summary',
'operator_attestation',
],
'artifact_suitability' => [
'baseline' => false,
'drift' => false,
'finding' => true,
'exception' => true,
'evidence' => true,
'review' => true,
'report' => true,
],
'historical_status' => 'active',
'microsoft_bindings' => [
[
'subject_family_key' => 'delegated_admin_relationship',
'workload' => 'microsoft_365',
'signal_keys' => [
'delegated_admin.relationship_boundary',
],
'supported_contexts' => ['finding', 'evidence', 'review', 'report'],
'primary' => true,
'notes' => 'Delegated admin relationship metadata remains provider-owned and secondary to the platform control.',
],
],
],
],
];

115
apps/platform/config/provider_boundaries.php Normal file
View File

@ -0,0 +1,115 @@
<?php
use App\Support\Providers\Boundary\ProviderBoundaryOwner;
use App\Support\Providers\Boundary\ProviderBoundarySeam;
return [
'seams' => [
'provider.gateway_runtime' => [
'owner' => ProviderBoundaryOwner::ProviderOwned->value,
'description' => 'Provider-owned runtime boundary that translates provider connection identity into Microsoft Graph request options and executes Graph calls.',
'implementation_paths' => [
'app/Services/Providers/ProviderGateway.php',
'app/Services/Providers/MicrosoftGraphOptionsResolver.php',
],
'neutral_terms' => [
'provider',
'provider connection',
'target scope',
'runtime request context',
],
'retained_provider_semantics' => [
'Microsoft Graph option keys',
'client_request_id',
'tenant',
'client_id',
'client_secret',
],
'follow_up_action' => ProviderBoundarySeam::FOLLOW_UP_DOCUMENT_IN_FEATURE,
],
'provider.identity_resolution' => [
'owner' => ProviderBoundaryOwner::PlatformCore->value,
'description' => 'Platform-core identity resolution contract that resolves provider connection identity without owning provider transport option shaping.',
'implementation_paths' => [
'app/Services/Providers/ProviderIdentityResolution.php',
'app/Services/Providers/ProviderIdentityResolver.php',
'app/Services/Providers/PlatformProviderIdentityResolver.php',
],
'neutral_terms' => [
'provider connection',
'target scope',
'credential source',
'effective client identity',
],
'retained_provider_semantics' => [
'entra_tenant_id',
'platform_config',
'graph.tenant_id',
'admin.consent.callback',
],
'follow_up_action' => ProviderBoundarySeam::FOLLOW_UP_SPEC,
],
'provider.connection_resolution' => [
'owner' => ProviderBoundaryOwner::PlatformCore->value,
'description' => 'Platform-core provider connection selection and validation path that keeps current Microsoft connection details as bounded exception metadata.',
'implementation_paths' => [
'app/Services/Providers/ProviderConnectionResolver.php',
'app/Services/Providers/ProviderConnectionResolution.php',
],
'neutral_terms' => [
'provider',
'provider connection',
'tenant scope',
'default binding',
'unsupported combination',
],
'retained_provider_semantics' => [
'microsoft',
'entra_tenant_id',
'consent_status',
],
'follow_up_action' => ProviderBoundarySeam::FOLLOW_UP_SPEC,
],
'provider.operation_registry' => [
'owner' => ProviderBoundaryOwner::PlatformCore->value,
'description' => 'Platform-core operation definition catalog with provider binding metadata kept explicit and secondary.',
'implementation_paths' => [
'app/Services/Providers/ProviderOperationRegistry.php',
],
'neutral_terms' => [
'operation type',
'operation module',
'required capability',
'provider binding',
'unsupported binding',
],
'retained_provider_semantics' => [
'microsoft',
'active provider binding',
'binding_status',
'handler_notes',
'exception_notes',
],
'follow_up_action' => ProviderBoundarySeam::FOLLOW_UP_DOCUMENT_IN_FEATURE,
],
'provider.operation_start_gate' => [
'owner' => ProviderBoundaryOwner::PlatformCore->value,
'description' => 'Platform-core operation start orchestration that consumes explicit provider bindings and records current Microsoft target-scope exceptions.',
'implementation_paths' => [
'app/Services/Providers/ProviderOperationStartGate.php',
],
'neutral_terms' => [
'operation',
'provider binding',
'target scope',
'execution authority',
'required capability',
],
'retained_provider_semantics' => [
'microsoft',
'target_scope.entra_tenant_id',
],
'follow_up_action' => ProviderBoundarySeam::FOLLOW_UP_SPEC,
],
],
];

1
apps/platform/database/factories/TenantFactory.php
View File

@ -42,7 +42,6 @@ public function definition(): array
'app_client_id' => fake()->uuid(),
'app_client_secret' => null, // Skip encryption in tests
'app_certificate_thumbprint' => null,
'app_status' => 'ok',
'app_notes' => null,
'status' => 'active',
'environment' => 'other',

17
apps/platform/database/migrations/2026_03_23_000001_add_lifecycle_state_to_baseline_snapshots_table.php
View File

@ -156,7 +156,9 @@ private function classifyLegacySnapshot(object $row, array $summary, int $persis
'was_empty_capture' => ($expectedItems ?? $producerExpectedItems ?? $producerSubjectsTotal) === 0 && $persistedItems === 0,
];
if ($expectedItems !== null && $expectedItems === $persistedItems) {
if ($expectedItems !== null
&& $expectedItems === $persistedItems
&& ! ($expectedItems === 0 && $persistedItems === 0)) {
return [
'lifecycle_state' => BaselineSnapshotLifecycleState::Complete->value,
'completed_at' => $producerRun->completed_at ?? $row->captured_at ?? $row->created_at ?? $row->updated_at,
@ -167,7 +169,10 @@ private function classifyLegacySnapshot(object $row, array $summary, int $persis
];
}
if ($producerSucceeded && $producerExpectedItems !== null && $producerExpectedItems === $persistedItems) {
if ($producerSucceeded
&& $producerExpectedItems !== null
&& $producerExpectedItems === $persistedItems
&& ! ($producerExpectedItems === 0 && $persistedItems === 0)) {
return [
'lifecycle_state' => BaselineSnapshotLifecycleState::Complete->value,
'completed_at' => $producerRun->completed_at ?? $row->captured_at ?? $row->created_at ?? $row->updated_at,
@ -184,11 +189,11 @@ private function classifyLegacySnapshot(object $row, array $summary, int $persis
$producerSubjectsTotal,
], static fn (?int $value): bool => $value !== null), true)) {
return [
'lifecycle_state' => BaselineSnapshotLifecycleState::Complete->value,
'completed_at' => $producerRun->completed_at ?? $row->captured_at ?? $row->created_at ?? $row->updated_at,
'failed_at' => null,
'lifecycle_state' => BaselineSnapshotLifecycleState::Incomplete->value,
'completed_at' => null,
'failed_at' => $producerRun->completed_at ?? $row->updated_at ?? $row->captured_at ?? $row->created_at,
'completion_meta' => $completionMeta + [
'finalization_reason_code' => 'baseline.snapshot.legacy_empty_capture_proof',
'finalization_reason_code' => BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
],
];
}

2
apps/platform/resources/views/admin-consent-callback.blade.php
View File

@ -20,7 +20,7 @@
<p><strong>Tenant:</strong> {{ $tenant->name }} ({{ $tenant->graphTenantId() }})</p>
@isset($connection)
<p><strong>Connection:</strong> {{ $connection->connection_type->value === 'platform' ? 'Platform connection' : 'Dedicated connection' }}</p>
<p><strong>Verification state:</strong> {{ ucfirst($connection->verification_status->value) }}</p>
<p><strong>Verification state:</strong> {{ $verificationStateLabel ?? ucfirst($connection->verification_status->value) }}</p>
@endisset
<p>
<span class="status {{ $status === 'ok' ? 'ok' : ($status === 'consent_denied' ? 'warning' : 'error') }}">

2
apps/platform/tests/Browser/Spec172DeferredOperatorSurfacesSmokeTest.php
View File

@ -54,7 +54,7 @@
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
$operationsIndexUrl = route('admin.operations.index');
$operationsIndexUrl = OperationRunLinks::index($tenant);
$page = visit(TenantResource::getUrl('view', ['record' => $tenant->getRouteKey()], panel: 'admin'));

57
apps/platform/tests/Feature/AdminConsentCallbackTest.php
View File

@ -2,7 +2,9 @@
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\TenantOnboardingSession;
use App\Models\Workspace;
use App\Models\OperationRun;
use App\Support\Providers\ProviderReasonCodes;
use Illuminate\Foundation\Testing\RefreshDatabase;
@ -20,6 +22,8 @@
]));
$response->assertOk();
$response->assertSeeText('Verification state:');
$response->assertSeeText('Needs verification');
$response->assertSee(
route('filament.admin.resources.tenants.view', ['tenant' => $tenant->external_id, 'record' => $tenant]),
false,
@ -60,6 +64,57 @@
$response->assertSee(route('admin.onboarding'), false);
});
it('invalidates resumable onboarding verification state for the same platform connection after a successful callback', function () {
$tenant = Tenant::factory()->create([
'tenant_id' => 'tenant-verify-reset',
'name' => 'Reset Tenant',
'status' => Tenant::STATUS_ONBOARDING,
]);
$connection = ProviderConnection::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'provider' => 'microsoft',
'entra_tenant_id' => $tenant->graphTenantId(),
'is_default' => true,
]);
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'provider.connection.check',
]);
$draft = TenantOnboardingSession::query()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'entra_tenant_id' => (string) $tenant->tenant_id,
'current_step' => 'verify',
'state' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_operation_run_id' => (int) $run->getKey(),
'verification_run_id' => (int) $run->getKey(),
'bootstrap_operation_runs' => [123, 456],
'bootstrap_operation_types' => ['inventory_sync'],
'bootstrap_run_ids' => [123, 456],
],
]);
$this->get(route('admin.consent.callback', [
'tenant' => $tenant->tenant_id,
'admin_consent' => 'true',
]))->assertOk();
$draft->refresh();
expect($draft->state['verification_operation_run_id'] ?? null)->toBeNull()
->and($draft->state['verification_run_id'] ?? null)->toBeNull()
->and($draft->state['bootstrap_operation_runs'] ?? null)->toBeNull()
->and($draft->state['bootstrap_operation_types'] ?? null)->toBeNull()
->and($draft->state['bootstrap_run_ids'] ?? null)->toBeNull()
->and($draft->state['connection_recently_updated'] ?? null)->toBeTrue();
});
it('creates tenant and provider connection when callback tenant does not exist', function () {
$workspace = Workspace::factory()->create();
@ -101,6 +156,8 @@
]));
$response->assertOk();
$response->assertSeeText('Verification state:');
$response->assertSeeText('Not verified');
$connection = ProviderConnection::query()
->where('tenant_id', (int) $tenant->getKey())

30
apps/platform/tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php
View File

@ -15,6 +15,7 @@
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Services\Auth\WorkspaceCapabilityResolver;
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Livewire\Livewire;
@ -135,6 +136,35 @@
->assertSee('Ambiguous matches');
});
it('allows entitled viewers to open blocked baseline-capture run detail surfaces', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'baseline_capture',
'status' => 'completed',
'outcome' => 'blocked',
'context' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'baseline_capture' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'current_baseline_changed' => false,
],
],
'completed_at' => now(),
]);
Filament::setTenant(null, true);
$this->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id]);
session([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id]);
Livewire::actingAs($user)
->test(TenantlessOperationRunViewer::class, ['run' => $run])
->assertSee('Latest inventory sync failed');
});
it('keeps governance summary surfaces deny-as-not-found for workspace members without tenant entitlement', function (): void {
$workspace = Workspace::factory()->create();
$tenant = Tenant::factory()->create([

4
apps/platform/tests/Feature/BaselineDriftEngine/BaselineCaptureAuditEventsTest.php
View File

@ -18,6 +18,9 @@
'capture_mode' => BaselineCaptureMode::Opportunistic->value,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
]);
InventoryItem::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
@ -26,6 +29,7 @@
'policy_type' => 'deviceConfiguration',
'display_name' => 'Audit Policy A',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E_AUDIT'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$opService = app(OperationRunService::class);

9
apps/platform/tests/Feature/BaselineDriftEngine/BaselineSnapshotNoTenantIdentifiersTest.php
View File

@ -34,12 +34,9 @@
'display_name' => 'Isolated Policy',
]);
$lastSeenRun = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => OperationRunType::InventorySync->value,
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Succeeded->value,
$lastSeenRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
], attributes: [
'completed_at' => now(),
]);

4
apps/platform/tests/Feature/BaselineDriftEngine/CaptureBaselineContentTest.php
View File

@ -20,6 +20,9 @@
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$policy = Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
@ -41,6 +44,7 @@
'assignment_target_count' => 1,
],
'last_seen_at' => now()->subHour(),
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$snapshotPayload = [

4
apps/platform/tests/Feature/BaselineDriftEngine/CaptureBaselineFullContentOnDemandTest.php
View File

@ -29,6 +29,9 @@
'capture_mode' => BaselineCaptureMode::FullContent->value,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$policy = Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
@ -50,6 +53,7 @@
'assignment_target_count' => 1,
],
'last_seen_at' => now()->subHour(),
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
expect(PolicyVersion::query()->where('policy_id', (int) $policy->getKey())->count())->toBe(0);

9
apps/platform/tests/Feature/BaselineDriftEngine/CaptureBaselineMetaFallbackTest.php
View File

@ -34,12 +34,9 @@
'display_name' => 'Policy Capture Meta',
]);
$lastSeenRun = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => OperationRunType::InventorySync->value,
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Succeeded->value,
$lastSeenRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
], attributes: [
'completed_at' => now(),
]);

270
apps/platform/tests/Feature/Baselines/BaselineCaptureTest.php
View File

@ -6,6 +6,7 @@
use App\Models\BaselineSnapshotItem;
use App\Models\InventoryItem;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Services\Baselines\BaselineCaptureService;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Baselines\InventoryMetaContract;
@ -18,6 +19,28 @@
use App\Support\Baselines\BaselineSubjectKey;
use Illuminate\Support\Facades\Queue;
function createBaselineCaptureInventoryBasis(
Tenant $tenant,
array $statusByType,
array $attributes = [],
): OperationRun {
return createInventorySyncOperationRunWithCoverage($tenant, $statusByType, [], $attributes);
}
function runBaselineCaptureJob(
OperationRun $run,
?OperationRunService $operationRunService = null,
): void {
$operationRunService ??= app(OperationRunService::class);
(new CaptureBaselineSnapshotJob($run))->handle(
app(BaselineSnapshotIdentity::class),
app(InventoryMetaContract::class),
app(AuditLogger::class),
$operationRunService,
);
}
// --- T031: Capture enqueue + precondition tests ---
it('enqueues capture for an active profile and creates an operation run', function () {
@ -29,6 +52,9 @@
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
]);
/** @var BaselineCaptureService $service */
$service = app(BaselineCaptureService::class);
@ -53,10 +79,119 @@
expect($effectiveScope['foundation_types'])->toBe([]);
expect($effectiveScope['all_types'])->toBe(['deviceConfiguration']);
expect($effectiveScope['foundations_included'])->toBeFalse();
expect(data_get($context, 'baseline_capture.inventory_sync_run_id'))->toBe((int) $inventorySyncRun->getKey());
expect(data_get($context, 'baseline_capture.eligibility.phase'))->toBe('preflight');
expect(data_get($context, 'baseline_capture.eligibility.ok'))->toBeTrue();
expect(data_get($context, 'baseline_capture.eligibility.covered_types'))->toBe(['deviceConfiguration']);
expect(data_get($context, 'baseline_capture.eligibility.uncovered_types'))->toBe([]);
Queue::assertPushed(CaptureBaselineSnapshotJob::class);
});
it('rejects capture when no current inventory sync exists', function () {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$result = app(BaselineCaptureService::class)->startCapture($profile, $tenant, $user);
expect($result['ok'])->toBeFalse();
expect($result['reason_code'])->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_MISSING);
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
});
it('rejects capture when the latest inventory sync was blocked', function () {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
], [
'completed_at' => now()->subMinute(),
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'failed',
], [
'outcome' => 'blocked',
'completed_at' => now(),
]);
$result = app(BaselineCaptureService::class)->startCapture($profile, $tenant, $user);
expect($result['ok'])->toBeFalse();
expect($result['reason_code'])->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED);
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
});
it('rejects capture when the latest inventory sync failed without falling back to an older success', function () {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
], [
'completed_at' => now()->subMinute(),
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'failed',
], [
'outcome' => 'failed',
'completed_at' => now(),
]);
$result = app(BaselineCaptureService::class)->startCapture($profile, $tenant, $user);
expect($result['ok'])->toBeFalse();
expect($result['reason_code'])->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_FAILED);
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
});
it('rejects capture when the latest inventory coverage is unusable for the baseline scope', function () {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceCompliancePolicy' => 'succeeded',
]);
$result = app(BaselineCaptureService::class)->startCapture($profile, $tenant, $user);
expect($result['ok'])->toBeFalse();
expect($result['reason_code'])->toBe(BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE);
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
});
it('rejects capture for a draft profile with reason code', function () {
Queue::fake();
@ -126,6 +261,9 @@
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$service = app(BaselineCaptureService::class);
@ -148,6 +286,9 @@
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$inventoryA = InventoryItem::factory()->create([
'tenant_id' => $tenant->getKey(),
@ -156,6 +297,7 @@
'policy_type' => 'deviceConfiguration',
'display_name' => 'Policy A',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E1'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$inventoryB = InventoryItem::factory()->create([
'tenant_id' => $tenant->getKey(),
@ -164,6 +306,7 @@
'policy_type' => 'deviceConfiguration',
'display_name' => 'Policy B',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E2'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$inventoryC = InventoryItem::factory()->create([
'tenant_id' => $tenant->getKey(),
@ -172,6 +315,7 @@
'policy_type' => 'deviceConfiguration',
'display_name' => 'Policy C',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E3'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$opService = app(OperationRunService::class);
@ -187,13 +331,7 @@
initiator: $user,
);
$job = new CaptureBaselineSnapshotJob($run);
$job->handle(
app(BaselineSnapshotIdentity::class),
app(InventoryMetaContract::class),
app(AuditLogger::class),
$opService,
);
runBaselineCaptureJob($run, $opService);
$run->refresh();
expect($run->status)->toBe('completed');
@ -269,6 +407,14 @@
expect(data_get($meta, 'meta_contract'))->toBeNull();
}
expect(data_get($run->context, 'baseline_capture.inventory_sync_run_id'))->toBe((int) $inventorySyncRun->getKey());
expect(data_get($run->context, 'baseline_capture.eligibility.phase'))->toBe('runtime_recheck');
expect(data_get($run->context, 'baseline_capture.eligibility.ok'))->toBeTrue();
expect(data_get($run->context, 'baseline_capture.eligibility.changed_after_enqueue'))->toBeFalse();
expect(data_get($run->context, 'baseline_capture.current_baseline_changed'))->toBeTrue();
expect(data_get($run->context, 'baseline_capture.previous_current_snapshot_exists'))->toBeFalse();
expect(data_get($run->context, 'result.current_baseline_changed'))->toBeTrue();
$profile->refresh();
expect($profile->active_snapshot_id)->toBe((int) $snapshot->getKey());
});
@ -311,12 +457,16 @@
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
]);
InventoryItem::factory()->count(2)->create([
'tenant_id' => $tenant->getKey(),
'workspace_id' => $tenant->workspace_id,
'policy_type' => 'deviceConfiguration',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'stable_field' => 'value'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$opService = app(OperationRunService::class);
@ -336,8 +486,7 @@
initiator: $user,
);
$job1 = new CaptureBaselineSnapshotJob($run1);
$job1->handle($idService, $metaContract, $auditLogger, $opService);
(new CaptureBaselineSnapshotJob($run1))->handle($idService, $metaContract, $auditLogger, $opService);
$snapshotCountAfterFirst = BaselineSnapshot::query()
->where('baseline_profile_id', $profile->getKey())
@ -361,8 +510,7 @@
],
]);
$job2 = new CaptureBaselineSnapshotJob($run2);
$job2->handle($idService, $metaContract, $auditLogger, $opService);
(new CaptureBaselineSnapshotJob($run2))->handle($idService, $metaContract, $auditLogger, $opService);
$snapshotCountAfterSecond = BaselineSnapshot::query()
->where('baseline_profile_id', $profile->getKey())
@ -371,14 +519,68 @@
expect($snapshotCountAfterSecond)->toBe(1);
});
// --- EC-005: Empty scope produces empty snapshot without errors ---
it('captures an empty snapshot when no inventory items match the scope', function () {
it('blocks a queued capture when the latest inventory basis fails after enqueue and keeps the prior current baseline', function () {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['nonExistentPolicyType'], 'foundation_types' => []],
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$previousSnapshot = BaselineSnapshot::factory()->complete()->create([
'workspace_id' => $tenant->workspace_id,
'baseline_profile_id' => (int) $profile->getKey(),
]);
$profile->update(['active_snapshot_id' => (int) $previousSnapshot->getKey()]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
], [
'completed_at' => now()->subMinute(),
]);
Queue::fake();
$result = app(BaselineCaptureService::class)->startCapture($profile, $tenant, $user);
expect($result['ok'])->toBeTrue();
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'failed',
], [
'outcome' => 'failed',
'completed_at' => now(),
]);
/** @var OperationRun $run */
$run = $result['run'];
runBaselineCaptureJob($run);
$run->refresh();
$profile->refresh();
expect($run->status)->toBe('completed');
expect($run->outcome)->toBe('blocked');
expect($profile->active_snapshot_id)->toBe((int) $previousSnapshot->getKey());
expect(data_get($run->context, 'reason_code'))->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_FAILED);
expect(data_get($run->context, 'baseline_capture.reason_code'))->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_FAILED);
expect(data_get($run->context, 'baseline_capture.current_baseline_changed'))->toBeFalse();
expect(data_get($run->context, 'baseline_capture.previous_current_snapshot_exists'))->toBeTrue();
expect(data_get($run->context, 'baseline_capture.eligibility.changed_after_enqueue'))->toBeTrue();
expect(data_get($run->context, 'result.current_baseline_changed'))->toBeFalse();
});
// --- EC-005: Zero-subject captures stay visible but non-authoritative ---
it('records a zero-subject capture as partially succeeded with a non-consumable snapshot', function () {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
createBaselineCaptureInventoryBasis($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$opService = app(OperationRunService::class);
@ -389,22 +591,22 @@
context: [
'baseline_profile_id' => (int) $profile->getKey(),
'source_tenant_id' => (int) $tenant->getKey(),
'effective_scope' => ['policy_types' => ['nonExistentPolicyType'], 'foundation_types' => []],
'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
],
initiator: $user,
);
$job = new CaptureBaselineSnapshotJob($run);
$job->handle(
app(BaselineSnapshotIdentity::class),
app(InventoryMetaContract::class),
app(AuditLogger::class),
$opService,
);
runBaselineCaptureJob($run, $opService);
$run->refresh();
expect($run->status)->toBe('completed');
expect($run->outcome)->toBe('succeeded');
expect($run->outcome)->toBe('partially_succeeded');
expect(data_get($run->context, 'reason_code'))->toBe(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS);
expect(data_get($run->context, 'baseline_capture.reason_code'))->toBe(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS);
expect(data_get($run->context, 'baseline_capture.subjects_total'))->toBe(0);
expect(data_get($run->context, 'baseline_capture.current_baseline_changed'))->toBeFalse();
expect(data_get($run->context, 'result.current_baseline_changed'))->toBeFalse();
expect(data_get($run->context, 'result.snapshot_lifecycle'))->toBe(BaselineSnapshotLifecycleState::Incomplete->value);
$counts = is_array($run->summary_counts) ? $run->summary_counts : [];
expect((int) ($counts['total'] ?? 0))->toBe(0);
@ -415,7 +617,12 @@
->first();
expect($snapshot)->not->toBeNull();
expect($snapshot?->lifecycleState())->toBe(BaselineSnapshotLifecycleState::Incomplete);
expect(data_get($snapshot?->completion_meta_jsonb ?? [], 'finalization_reason_code'))->toBe(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS);
expect(BaselineSnapshotItem::query()->where('baseline_snapshot_id', $snapshot->getKey())->count())->toBe(0);
$profile->refresh();
expect($profile->active_snapshot_id)->toBeNull();
});
it('captures all inventory items when scope has empty policy_types (all types)', function () {
@ -425,17 +632,23 @@
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => [], 'foundation_types' => []],
]);
$inventorySyncRun = createBaselineCaptureInventoryBasis($tenant, [
'deviceCompliancePolicy' => 'succeeded',
'deviceConfiguration' => 'succeeded',
]);
InventoryItem::factory()->create([
'tenant_id' => $tenant->getKey(),
'workspace_id' => $tenant->workspace_id,
'policy_type' => 'deviceConfiguration',
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
InventoryItem::factory()->create([
'tenant_id' => $tenant->getKey(),
'workspace_id' => $tenant->workspace_id,
'policy_type' => 'deviceCompliancePolicy',
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
// Foundation types are excluded by default (unless foundation_types is selected).
@ -443,6 +656,7 @@
'tenant_id' => $tenant->getKey(),
'workspace_id' => $tenant->workspace_id,
'policy_type' => 'assignmentFilter',
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
]);
$opService = app(OperationRunService::class);
@ -458,13 +672,7 @@
initiator: $user,
);
$job = new CaptureBaselineSnapshotJob($run);
$job->handle(
app(BaselineSnapshotIdentity::class),
app(InventoryMetaContract::class),
app(AuditLogger::class),
$opService,
);
runBaselineCaptureJob($run, $opService);
$run->refresh();
expect($run->status)->toBe('completed');

19
apps/platform/tests/Feature/Baselines/BaselineCompareFindingsTest.php
View File

@ -1335,12 +1335,19 @@
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
tenant: $tenant,
statusByType: ['deviceConfiguration' => 'succeeded'],
);
InventoryItem::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'external_id' => 'policy-a',
'policy_type' => 'deviceConfiguration',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E1'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
'last_seen_at' => now(),
]);
$operationRuns = app(OperationRunService::class);
@ -1366,18 +1373,6 @@
$captureRun->refresh();
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
tenant: $tenant,
statusByType: ['deviceConfiguration' => 'succeeded'],
);
InventoryItem::query()
->where('tenant_id', (int) $tenant->getKey())
->update([
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
'last_seen_at' => now(),
]);
$snapshotId = (int) ($profile->fresh()?->active_snapshot_id ?? 0);
expect($snapshotId)->toBeGreaterThan(0);

4
apps/platform/tests/Feature/Baselines/BaselineProfileArchiveActionTest.php
View File

@ -43,6 +43,10 @@
it('archives baseline profiles for authorized workspace members', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
expect(defined(BaselineProfile::class.'::STATUS_DRAFT'))->toBeFalse()
->and(defined(BaselineProfile::class.'::STATUS_ACTIVE'))->toBeFalse()
->and(defined(BaselineProfile::class.'::STATUS_ARCHIVED'))->toBeFalse();
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
]);

10
apps/platform/tests/Feature/Baselines/BaselineProfileWorkspaceOwnershipTest.php
View File

@ -3,6 +3,8 @@
declare(strict_types=1);
use App\Filament\Resources\BaselineProfileResource;
use App\Models\BaselineProfile;
use App\Support\Baselines\BaselineProfileStatus;
use Filament\Facades\Filament;
it('keeps baseline profiles out of tenant panel registration and tenant navigation URLs', function (): void {
@ -23,6 +25,11 @@
it('keeps baseline profile urls workspace-owned even when a tenant context exists', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'status' => BaselineProfileStatus::Archived->value,
]);
$this->actingAs($user)
->withSession([\App\Support\Workspaces\WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id]);
@ -32,5 +39,8 @@
expect($workspaceUrl)->not->toContain("/admin/t/{$tenant->external_id}/baseline-profiles");
$this->get($workspaceUrl)->assertOk();
$this->get(BaselineProfileResource::getUrl('view', ['record' => $profile], panel: 'admin'))->assertOk();
$this->get("/admin/t/{$tenant->external_id}/baseline-profiles")->assertNotFound();
expect($profile->fresh()->status)->toBe(BaselineProfileStatus::Archived);
});

7
apps/platform/tests/Feature/Baselines/BaselineSnapshotBackfillTest.php
View File

@ -60,7 +60,7 @@ function classifyLegacySnapshotForTest(BaselineSnapshot $snapshot): array
->and(data_get($classification, 'completion_meta.persisted_items'))->toBe(2);
});
it('classifies proven empty legacy captures as complete when the producer run confirms zero subjects', function (): void {
it('classifies proven empty legacy captures as incomplete no-data snapshots when the producer run confirms zero subjects', function (): void {
$workspace = Workspace::factory()->create();
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $workspace->getKey(),
@ -86,8 +86,9 @@ function classifyLegacySnapshotForTest(BaselineSnapshot $snapshot): array
$classification = classifyLegacySnapshotForTest($snapshot);
expect($classification['lifecycle_state'])->toBe(BaselineSnapshotLifecycleState::Complete->value)
->and(data_get($classification, 'completion_meta.was_empty_capture'))->toBeTrue();
expect($classification['lifecycle_state'])->toBe(BaselineSnapshotLifecycleState::Incomplete->value)
->and(data_get($classification, 'completion_meta.was_empty_capture'))->toBeTrue()
->and(data_get($classification, 'completion_meta.finalization_reason_code'))->toBe(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS);
});
it('classifies ambiguous legacy snapshots as incomplete with a conservative reason code', function (): void {

67
apps/platform/tests/Feature/Evidence/EvidenceSnapshotCanonicalControlReferenceTest.php Normal file
View File

@ -0,0 +1,67 @@
<?php
declare(strict_types=1);
use App\Models\Finding;
use App\Services\Evidence\EvidenceSnapshotService;
use App\Services\Evidence\Sources\FindingsSummarySource;
it('adds shared canonical control references to findings-derived evidence summaries', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
Finding::factory()->permissionPosture()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
]);
Finding::factory()->entraAdminRoles()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
]);
Finding::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'finding_type' => Finding::FINDING_TYPE_DRIFT,
'evidence_jsonb' => [
'policy_type' => 'deviceConfiguration',
],
]);
$item = app(FindingsSummarySource::class)->collect($tenant);
$summary = $item['summary_payload'];
expect($summary['canonical_controls'])->toHaveCount(3)
->and(collect($summary['canonical_controls'])->pluck('control_key')->all())->toEqualCanonicalizing([
'endpoint_hardening_compliance',
'privileged_access_governance',
'strong_authentication',
]);
foreach ($summary['entries'] as $entry) {
expect($entry['canonical_control_resolution']['status'])->toBe('resolved')
->and($entry['canonical_control_resolution']['control'])->toHaveKey('control_key')
->and($entry)->not->toHaveKey('control_label');
}
$payload = app(EvidenceSnapshotService::class)->buildSnapshotPayload($tenant);
expect($payload['summary']['canonical_controls'])->toHaveCount(3);
});
it('keeps missing bindings explicit instead of inventing evidence fallback labels', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
Finding::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'finding_type' => 'unknown_provider_signal',
]);
$summary = app(FindingsSummarySource::class)->collect($tenant)['summary_payload'];
$entry = $summary['entries'][0];
expect($entry['canonical_control_resolution'])->toMatchArray([
'status' => 'unresolved',
'reason_code' => 'missing_binding',
])->and($entry['canonical_control_resolution'])->not->toHaveKey('control')
->and($entry)->not->toHaveKey('control_label');
});

28
apps/platform/tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php
View File

@ -42,3 +42,31 @@
->assertSee($explanation?->trustworthinessLabel() ?? '')
->assertSee($explanation?->nextActionText ?? '');
});
it('renders no-data baseline-capture result surfaces with the shared zero-subject explanation', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
]);
$snapshot = BaselineSnapshot::factory()->incomplete(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS)->create([
'workspace_id' => (int) $tenant->workspace_id,
'baseline_profile_id' => (int) $profile->getKey(),
]);
setAdminPanelContext();
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
$truth = app(ArtifactTruthPresenter::class)->forBaselineSnapshot($snapshot->fresh());
$explanation = $truth->operatorExplanation;
$this->actingAs($user)
->get(BaselineSnapshotResource::getUrl('view', ['record' => $snapshot], panel: 'admin'))
->assertOk()
->assertSee('Result meaning')
->assertSee($explanation?->evaluationResultLabel() ?? '')
->assertSee('Result trust')
->assertSee($explanation?->trustworthinessLabel() ?? '')
->assertSee($explanation?->nextActionText ?? '');
});

90
apps/platform/tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php
View File

@ -10,6 +10,7 @@
use App\Models\BaselineSnapshot;
use App\Models\BaselineTenantAssignment;
use App\Models\OperationRun;
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\Baselines\Compare\CompareStrategyRegistry;
use App\Support\Baselines\Compare\IntuneCompareStrategy;
use App\Support\Governance\GovernanceSubjectTaxonomyRegistry;
@ -407,3 +408,92 @@
->assertSet('uncoveredTypes', ['deviceCompliancePolicy'])
->assertSet('fidelity', 'meta');
});
it('shows the latest blocked capture explanation when no consumable baseline exists yet', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
BaselineTenantAssignment::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'baseline_profile_id' => (int) $profile->getKey(),
]);
OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => OperationRunType::BaselineCapture->value,
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Blocked->value,
'completed_at' => now(),
'context' => [
'baseline_profile_id' => (int) $profile->getKey(),
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'baseline_capture' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'current_baseline_changed' => false,
],
],
]);
Livewire::test(BaselineCompareLanding::class)
->assertSet('state', 'no_snapshot')
->assertSet('snapshotId', null)
->assertSet('message', 'The latest inventory sync failed, so this capture could not use a credible upstream basis.');
});
it('keeps compare available against the prior consumable snapshot after a zero-subject capture', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
]);
$snapshot = BaselineSnapshot::factory()->complete()->create([
'workspace_id' => (int) $tenant->workspace_id,
'baseline_profile_id' => (int) $profile->getKey(),
]);
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
BaselineTenantAssignment::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'baseline_profile_id' => (int) $profile->getKey(),
]);
OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => OperationRunType::BaselineCapture->value,
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::PartiallySucceeded->value,
'completed_at' => now(),
'context' => [
'baseline_profile_id' => (int) $profile->getKey(),
'reason_code' => BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
'baseline_capture' => [
'reason_code' => BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
'current_baseline_changed' => false,
'previous_current_snapshot_exists' => true,
],
],
]);
Livewire::test(BaselineCompareLanding::class)
->assertSet('state', 'idle')
->assertSet('snapshotId', (int) $snapshot->getKey())
->assertActionEnabled('compareNow');
});

28
apps/platform/tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php
View File

@ -93,6 +93,9 @@ function seedCaptureProfileForTenant(
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = seedCaptureProfileForTenant($tenant);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
@ -124,6 +127,31 @@ function seedCaptureProfileForTenant(
expect($run)->not->toBeNull();
expect($run?->status)->toBe('queued');
expect(data_get($run?->context, 'baseline_capture.inventory_sync_run_id'))->toBe((int) $inventorySyncRun->getKey());
});
it('shows the shared capture block on the start surface when no credible inventory basis exists', function (): void {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = seedCaptureProfileForTenant($tenant, BaselineCaptureMode::Opportunistic, [
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
Livewire::actingAs($user)
->test(ViewBaselineProfile::class, ['record' => $profile->getKey()])
->assertActionVisible('capture')
->assertActionHasLabel('capture', 'Capture baseline')
->assertActionEnabled('capture')
->callAction('capture', data: ['source_tenant_id' => (int) $tenant->getKey()])
->assertNotified('Cannot start capture')
->assertStatus(200);
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
});
it('does not start full-content capture when rollout is disabled', function (): void {

2
apps/platform/tests/Feature/Filament/BaselineProfileListFiltersTest.php
View File

@ -14,6 +14,8 @@
it('filters baseline profiles by status inside the current workspace', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
expect(defined(BaselineProfile::class.'::STATUS_ACTIVE'))->toBeFalse();
$active = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
]);

9
apps/platform/tests/Feature/Filament/BaselineProfileScopeV2PersistenceTest.php
View File

@ -7,6 +7,7 @@
use App\Filament\Resources\BaselineProfileResource\Pages\EditBaselineProfile;
use App\Filament\Resources\BaselineProfileResource\Pages\ViewBaselineProfile;
use App\Models\BaselineProfile;
use App\Support\Baselines\BaselineProfileStatus;
use App\Support\Governance\GovernanceSubjectTaxonomyRegistry;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Validation\ValidationException;
@ -45,7 +46,7 @@
expect($profile->scope_jsonb)->toBe([
'policy_types' => ['deviceConfiguration'],
'foundation_types' => ['assignmentFilter'],
]);
])->and($profile->status)->toBe(BaselineProfileStatus::Draft);
expect($profile->canonicalScopeJsonb())->toBe([
'version' => 2,
@ -83,7 +84,7 @@
'name' => 'Legacy baseline profile',
'description' => null,
'version_label' => null,
'status' => 'active',
'status' => BaselineProfileStatus::Active->value,
'capture_mode' => 'opportunistic',
'scope_jsonb' => json_encode([
'policy_types' => [],
@ -178,7 +179,7 @@
'name' => 'Legacy lineage profile',
'description' => null,
'version_label' => null,
'status' => 'active',
'status' => BaselineProfileStatus::Active->value,
'capture_mode' => 'opportunistic',
'scope_jsonb' => json_encode([
'policy_types' => ['deviceConfiguration'],
@ -224,4 +225,4 @@
]))->toThrow(ValidationException::class, 'Filters are not supported');
expect(BaselineProfile::query()->where('name', 'Invalid filtered baseline')->exists())->toBeFalse();
});
});

46
apps/platform/tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php
View File

@ -93,6 +93,44 @@ function visibleLivewireText(Testable $component): string
->and(mb_strpos($pageText, 'Decision'))->toBeLessThan(mb_strpos($pageText, 'Artifact truth details'));
});
it('shows the shared blocked-inventory explanation for baseline capture runs without a usable snapshot', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'baseline_capture',
'status' => 'completed',
'outcome' => 'blocked',
'context' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'baseline_capture' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'current_baseline_changed' => false,
],
],
'failure_summary' => [
['reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED, 'message' => 'Capture blocked because the latest inventory sync failed.'],
],
'completed_at' => now(),
]);
$truth = app(ArtifactTruthPresenter::class)->forOperationRun($run->fresh());
$explanation = $truth->operatorExplanation;
Filament::setTenant(null, true);
$this->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id]);
session([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id]);
Livewire::actingAs($user)
->test(TenantlessOperationRunViewer::class, ['run' => $run])
->assertSee('Blocked by prerequisite')
->assertSee($explanation?->evaluationResultLabel() ?? '')
->assertSee($explanation?->trustworthinessLabel() ?? '')
->assertSee('Latest inventory sync failed')
->assertSee($explanation?->nextActionText ?? '');
});
it('shows operator explanation facts for baseline compare runs with nested compare reason context', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
@ -328,6 +366,9 @@ function visibleLivewireText(Testable $component): string
'workspace_id' => (int) $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$result = app(BaselineCaptureService::class)->startCapture($profile, $tenant, $user);
@ -344,7 +385,10 @@ function visibleLivewireText(Testable $component): string
->and(data_get($effectiveScope, 'legacy_projection.foundation_types'))->toBe([])
->and(data_get($effectiveScope, 'selected_type_keys'))->toBe(['deviceConfiguration'])
->and(data_get($effectiveScope, 'allowed_type_keys'))->toBe(['deviceConfiguration'])
->and(data_get($effectiveScope, 'unsupported_type_keys'))->toBe([]);
->and(data_get($effectiveScope, 'unsupported_type_keys'))->toBe([])
->and(data_get($run->context, 'baseline_capture.inventory_sync_run_id'))->toBe((int) $inventorySyncRun->getKey())
->and(data_get($run->context, 'baseline_capture.eligibility.phase'))->toBe('preflight')
->and(data_get($run->context, 'baseline_capture.eligibility.ok'))->toBeTrue();
});
it('normalizes legacy compare assignment overrides into canonical effective scope without rewriting the override row', function (): void {

5
apps/platform/tests/Feature/Filament/TenantLifecycleStatusDomainSeparationTest.php
View File

@ -25,6 +25,8 @@
role: 'owner',
);
expect($tenant->fresh()->app_status)->toBe('consent_required');
$this->actingAs($user);
Filament::setTenant($tenant, true);
@ -33,11 +35,14 @@
->assertSee('Lifecycle summary')
->assertSee('This tenant is still onboarding. It remains visible on management and review surfaces, but it is not selectable as active context until onboarding completes.')
->assertDontSee('App status')
->assertDontSee('Consent required')
->assertSee('RBAC status')
->assertSee('Failed');
});
it('keeps referenced tenant lifecycle context separate from run status in the tenantless operations viewer', function (): void {
expect(array_key_exists('app_status', Tenant::factory()->onboarding()->raw()))->toBeFalse();
$tenant = Tenant::factory()->onboarding()->create([
'name' => 'Viewer Separation Tenant',
]);

16
apps/platform/tests/Feature/Filament/TenantTruthCleanupSpec179Test.php
View File

@ -38,6 +38,8 @@
'verification_status' => ProviderVerificationStatus::Unknown->value,
]);
expect($tenant->fresh()->app_status)->toBe('ok');
$this->actingAs($user);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
@ -61,6 +63,17 @@
->and($visibleColumnNames)->not->toContain('provider_connection_state');
});
it('keeps legacy app status as opt-in test setup instead of a factory default', function (): void {
expect(array_key_exists('app_status', Tenant::factory()->raw()))->toBeFalse();
$tenant = Tenant::factory()->create([
'name' => 'Explicit Historical App Status Tenant',
'app_status' => 'error',
]);
expect($tenant->fresh()->app_status)->toBe('error');
});
it('keeps lifecycle and rbac separate while leading the provider summary with consent and verification', function (): void {
$tenant = Tenant::factory()->create([
'status' => Tenant::STATUS_ONBOARDING,
@ -86,6 +99,8 @@
'verification_status' => ProviderVerificationStatus::Blocked->value,
]);
expect($tenant->fresh()->app_status)->toBe('consent_required');
$this->actingAs($user);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
@ -97,6 +112,7 @@
->assertSee('RBAC status')
->assertSee('Failed')
->assertDontSee('App status')
->assertDontSee('Consent required')
->assertSee('Truth Cleanup Connection')
->assertSee('Lifecycle')
->assertSee('Disabled')

2
apps/platform/tests/Feature/Filament/WorkspaceOverviewDbOnlyTest.php
View File

@ -71,5 +71,5 @@
->assertSee('Recent operations');
});
expect(count(DB::getQueryLog()))->toBeLessThan(80);
expect(count(DB::getQueryLog()))->toBeLessThanOrEqual(86);
});

75
apps/platform/tests/Feature/Governance/CanonicalControlResolutionIntegrationTest.php Normal file
View File

@ -0,0 +1,75 @@
<?php
declare(strict_types=1);
use App\Support\Governance\Controls\CanonicalControlCatalog;
use App\Support\Governance\Controls\CanonicalControlResolutionRequest;
use App\Support\Governance\Controls\CanonicalControlResolver;
it('lists seeded canonical controls in the logical contract shape', function (): void {
$payload = [
'controls' => app(CanonicalControlCatalog::class)->listPayload(),
];
expect($payload['controls'])->not->toBeEmpty();
foreach ($payload['controls'] as $control) {
expect($control)->toHaveKeys([
'control_key',
'name',
'domain_key',
'subdomain_key',
'control_class',
'summary',
'operator_description',
'detectability_class',
'evaluation_strategy',
'evidence_archetypes',
'artifact_suitability',
'historical_status',
])->and($control['artifact_suitability'])->toHaveKeys([
'baseline',
'drift',
'finding',
'exception',
'evidence',
'review',
'report',
]);
}
});
it('returns resolved, unresolved, and ambiguous resolution shapes without guessing', function (): void {
$resolver = app(CanonicalControlResolver::class);
$resolved = $resolver->resolve(new CanonicalControlResolutionRequest(
provider: 'microsoft',
consumerContext: 'review',
subjectFamilyKey: 'entra_admin_roles',
workload: 'entra',
signalKey: 'entra_admin_roles.global_admin_assignment',
))->toArray();
$unresolved = $resolver->resolve(new CanonicalControlResolutionRequest(
provider: 'microsoft',
consumerContext: 'review',
subjectFamilyKey: 'not_bound',
))->toArray();
$ambiguous = $resolver->resolve(new CanonicalControlResolutionRequest(
provider: 'microsoft',
consumerContext: 'review',
subjectFamilyKey: 'conditional_access_policy',
workload: 'entra',
))->toArray();
expect($resolved)->toHaveKeys(['status', 'control'])
->and($resolved['status'])->toBe('resolved')
->and($resolved['control']['control_key'])->toBe('privileged_access_governance')
->and($unresolved)->toHaveKeys(['status', 'reason_code', 'binding_context'])
->and($unresolved['reason_code'])->toBe('missing_binding')
->and($ambiguous)->toHaveKeys(['status', 'reason_code', 'candidate_control_keys', 'binding_context'])
->and($ambiguous['status'])->toBe('ambiguous')
->and($ambiguous['candidate_control_keys'])->toEqualCanonicalizing([
'conditional_access_enforcement',
'strong_authentication',
]);
});

47
apps/platform/tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php Normal file
View File

@ -0,0 +1,47 @@
<?php
use App\Services\Providers\ProviderOperationRegistry;
use App\Support\Providers\Boundary\ProviderBoundaryCatalog;
it('blocks graph request option helpers from platform-core identity resolution seams', function (): void {
$root = base_path();
$catalog = app(ProviderBoundaryCatalog::class);
$seam = $catalog->get('provider.identity_resolution');
$hits = [];
foreach ($seam->implementationPaths as $relativePath) {
if ($relativePath !== 'app/Services/Providers/ProviderIdentityResolution.php') {
continue;
}
$path = $root.'/'.$relativePath;
$contents = file_get_contents($path);
if (! is_string($contents)) {
continue;
}
foreach (['graphOptions', 'client_request_id'] as $forbiddenTerm) {
if (str_contains($contents, $forbiddenTerm)) {
$hits[] = $relativePath.' contains '.$forbiddenTerm;
}
}
}
expect($hits)->toBeEmpty('Platform-core identity resolution must not shape Microsoft Graph request options.');
});
it('keeps provider bindings out of platform-core operation definitions', function (): void {
$registry = app(ProviderOperationRegistry::class);
foreach ($registry->definitions() as $operationType => $definition) {
expect($definition)
->not->toHaveKey('provider')
->not->toHaveKey('binding_status')
->not->toHaveKey('handler_notes')
->not->toHaveKey('exception_notes');
expect($registry->bindingFor($operationType, 'microsoft'))->toBeArray();
}
});

2
apps/platform/tests/Feature/Guards/Spec194GovernanceActionSemanticsGuardTest.php
View File

@ -17,7 +17,7 @@
'finding_lifecycle',
'tenant_lifecycle',
])
->and(array_keys($rules))->toHaveCount(16)
->and(array_keys($rules))->toHaveCount(17)
->and($bindings)->not->toBeEmpty();
foreach ($bindings as $binding) {

384
apps/platform/tests/Feature/ManagedTenantOnboardingWizardTest.php
View File

@ -198,6 +198,197 @@
->assertSee('The provider connection will be used for all Graph API calls.');
});
it('renders selected bootstrap actions in the review summary before any bootstrap run starts', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$entraTenantId = 'cdcdcdcd-cdcd-cdcd-cdcd-cdcdcdcdcdcd';
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => $entraTenantId,
'status' => Tenant::STATUS_ONBOARDING,
'name' => 'Bootstrap Selected Tenant',
]);
$user->tenants()->syncWithoutDetaching([
$tenant->getKey() => ['role' => 'owner'],
]);
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => $entraTenantId,
'display_name' => 'Platform onboarding connection',
'is_default' => true,
'is_enabled' => true,
]);
$run = OperationRun::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'type' => 'provider.connection.check',
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Succeeded->value,
'context' => [
'provider_connection_id' => (int) $connection->getKey(),
'target_scope' => [
'entra_tenant_id' => $entraTenantId,
'entra_tenant_name' => 'Bootstrap Selected Tenant',
],
'verification_report' => VerificationReportWriter::build('provider.connection.check', [
[
'key' => 'consent',
'title' => 'Required application permissions',
'status' => 'pass',
'severity' => 'low',
'blocking' => false,
'reason_code' => 'ok',
'message' => 'Consent is ready.',
'evidence' => [],
'next_steps' => [],
],
]),
],
]);
$session = TenantOnboardingSession::query()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'entra_tenant_id' => $entraTenantId,
'current_step' => 'complete',
'state' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_operation_run_id' => (int) $run->getKey(),
'bootstrap_operation_types' => ['inventory_sync', 'compliance.snapshot'],
],
'started_by_user_id' => (int) $user->getKey(),
'updated_by_user_id' => (int) $user->getKey(),
]);
$component = Livewire::actingAs($user)
->test(ManagedTenantOnboardingWizard::class, ['onboardingDraft' => (int) $session->getKey()]);
$component
->assertDontSee('Bootstrap needs attention')
->assertDontSee('Selected bootstrap actions must complete before activation. Return to Bootstrap to remove the selected actions and skip this optional step, or resolve the required permission and start the blocked action again.');
$summaryMethod = new \ReflectionMethod($component->instance(), 'completionSummaryBootstrapSummary');
$summaryMethod->setAccessible(true);
expect($summaryMethod->invoke($component->instance()))->toBe('Selected - 2 action(s) selected');
});
it('renders blocked bootstrap runs as action required in the review summary', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$entraTenantId = 'efefefef-efef-efef-efef-efefefefefef';
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => $entraTenantId,
'status' => Tenant::STATUS_ONBOARDING,
'name' => 'Bootstrap Blocked Tenant',
]);
$user->tenants()->syncWithoutDetaching([
$tenant->getKey() => ['role' => 'owner'],
]);
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => $entraTenantId,
'display_name' => 'Platform onboarding connection',
'is_default' => true,
'is_enabled' => true,
]);
$verificationRun = OperationRun::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'type' => 'provider.connection.check',
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Succeeded->value,
'context' => [
'provider_connection_id' => (int) $connection->getKey(),
'target_scope' => [
'entra_tenant_id' => $entraTenantId,
'entra_tenant_name' => 'Bootstrap Blocked Tenant',
],
'verification_report' => VerificationReportWriter::build('provider.connection.check', [
[
'key' => 'consent',
'title' => 'Required application permissions',
'status' => 'pass',
'severity' => 'low',
'blocking' => false,
'reason_code' => 'ok',
'message' => 'Consent is ready.',
'evidence' => [],
'next_steps' => [],
],
]),
],
]);
$bootstrapRun = OperationRun::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'type' => 'inventory_sync',
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Blocked->value,
'context' => [
'provider_connection_id' => (int) $connection->getKey(),
'reason_translation' => [
'operator_label' => 'Permission required',
],
],
]);
$session = TenantOnboardingSession::query()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'entra_tenant_id' => $entraTenantId,
'current_step' => 'complete',
'state' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_operation_run_id' => (int) $verificationRun->getKey(),
'bootstrap_operation_types' => ['inventory_sync', 'compliance.snapshot'],
'bootstrap_operation_runs' => ['inventory_sync' => (int) $bootstrapRun->getKey()],
],
'started_by_user_id' => (int) $user->getKey(),
'updated_by_user_id' => (int) $user->getKey(),
]);
$component = Livewire::actingAs($user)
->test(ManagedTenantOnboardingWizard::class, ['onboardingDraft' => (int) $session->getKey()]);
$summaryMethod = new \ReflectionMethod($component->instance(), 'completionSummaryBootstrapSummary');
$summaryMethod->setAccessible(true);
expect($summaryMethod->invoke($component->instance()))->toBe('Action required - Permission required');
});
it('initializes entangled wizard state keys to avoid Livewire entangle errors', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
@ -213,10 +404,198 @@
Livewire::actingAs($user)
->test(ManagedTenantOnboardingWizard::class)
->assertSet('data.notes', '')
->assertSet('data.bootstrap_operation_types', [])
->assertSet('data.override_blocked', false)
->assertSet('data.override_reason', '');
});
it('persists selected bootstrap actions in the onboarding draft state', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$entraTenantId = 'dededede-dede-dede-dede-dededededede';
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => $entraTenantId,
'status' => Tenant::STATUS_ONBOARDING,
'name' => 'Persist Bootstrap Tenant',
]);
$user->tenants()->syncWithoutDetaching([
$tenant->getKey() => ['role' => 'owner'],
]);
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => $entraTenantId,
'display_name' => 'Platform onboarding connection',
'is_default' => true,
'is_enabled' => true,
]);
$run = OperationRun::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'type' => 'provider.connection.check',
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Succeeded->value,
'context' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_report' => VerificationReportWriter::build('provider.connection.check', [
[
'key' => 'consent',
'title' => 'Required application permissions',
'status' => 'pass',
'severity' => 'low',
'blocking' => false,
'reason_code' => 'ok',
'message' => 'Consent is ready.',
'evidence' => [],
'next_steps' => [],
],
]),
],
]);
$session = TenantOnboardingSession::query()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'entra_tenant_id' => $entraTenantId,
'current_step' => 'bootstrap',
'state' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_operation_run_id' => (int) $run->getKey(),
],
'started_by_user_id' => (int) $user->getKey(),
'updated_by_user_id' => (int) $user->getKey(),
]);
$component = Livewire::actingAs($user)
->test(ManagedTenantOnboardingWizard::class, ['onboardingDraft' => (int) $session->getKey()]);
$persistMethod = new \ReflectionMethod($component->instance(), 'persistBootstrapSelection');
$persistMethod->setAccessible(true);
$persistMethod->invoke($component->instance(), ['inventory_sync', 'compliance.snapshot']);
$session->refresh();
expect($session->state['bootstrap_operation_types'] ?? null)->toBe(['inventory_sync', 'compliance.snapshot']);
});
it('filters unsupported bootstrap selections from persisted onboarding drafts', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => $workspace->getKey(),
'user_id' => $user->getKey(),
'role' => 'owner',
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$tenantGuid = '12121212-1212-1212-1212-121212121212';
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => $tenantGuid,
'status' => Tenant::STATUS_ONBOARDING,
'name' => 'Acme',
]);
$user->tenants()->syncWithoutDetaching([
$tenant->getKey() => ['role' => 'owner'],
]);
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => $tenantGuid,
'display_name' => 'Platform onboarding connection',
'is_default' => true,
'is_enabled' => true,
]);
$run = OperationRun::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'type' => 'provider.connection.check',
'status' => OperationRunStatus::Completed->value,
'outcome' => OperationRunOutcome::Succeeded->value,
'context' => [
'provider_connection_id' => (int) $connection->getKey(),
'target_scope' => [
'entra_tenant_id' => $tenantGuid,
'entra_tenant_name' => 'Acme',
],
'verification_report' => VerificationReportWriter::build('provider.connection.check', [
[
'key' => 'consent',
'title' => 'Required application permissions',
'status' => 'pass',
'severity' => 'low',
'blocking' => false,
'reason_code' => 'ok',
'message' => 'Consent is ready.',
'evidence' => [],
'next_steps' => [],
],
]),
],
]);
$session = TenantOnboardingSession::query()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'entra_tenant_id' => $tenantGuid,
'current_step' => 'complete',
'state' => [
'provider_connection_id' => (int) $connection->getKey(),
'verification_operation_run_id' => (int) $run->getKey(),
'bootstrap_operation_types' => [
'inventory_sync',
'compliance.snapshot',
'restore.execute',
'entra_group_sync',
'directory_role_definitions.sync',
],
],
'started_by_user_id' => (int) $user->getKey(),
'updated_by_user_id' => (int) $user->getKey(),
]);
$component = Livewire::actingAs($user)
->test(ManagedTenantOnboardingWizard::class, ['onboardingDraft' => (int) $session->getKey()]);
$normalizeMethod = new \ReflectionMethod($component->instance(), 'normalizeBootstrapOperationTypes');
$normalizeMethod->setAccessible(true);
expect($normalizeMethod->invoke($component->instance(), [
'inventory_sync',
'compliance.snapshot',
'restore.execute',
'entra_group_sync',
'directory_role_definitions.sync',
]))->toBe(['inventory_sync', 'compliance.snapshot']);
$optionsMethod = new \ReflectionMethod($component->instance(), 'bootstrapOperationOptions');
$optionsMethod->setAccessible(true);
expect(array_keys($optionsMethod->invoke($component->instance())))->toBe(['inventory_sync', 'compliance.snapshot']);
});
it('returns resumable drafts with missing provider connections to the provider connection step', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
@ -1045,7 +1424,10 @@
]),
]);
$component->call('startBootstrap', ['inventory_sync', 'compliance.snapshot']);
$component->call('startBootstrap', [
'inventory_sync' => true,
'compliance.snapshot' => true,
]);
Bus::assertDispatchedTimes(\App\Jobs\ProviderInventorySyncJob::class, 1);
Bus::assertNotDispatched(\App\Jobs\ProviderComplianceSnapshotJob::class);

56
apps/platform/tests/Feature/Monitoring/AuditCoverageGovernanceTest.php
View File

@ -13,6 +13,7 @@
use App\Support\Audit\AuditActorType;
use App\Support\Audit\AuditOutcome;
use App\Support\Baselines\BaselineCaptureMode;
use App\Support\Baselines\BaselineReasonCodes;
it('derives summary-first audit semantics for baseline capture workflow events', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
@ -79,3 +80,58 @@
->and($completed?->targetDisplayLabel())->not->toBeNull()
->and((int) $completed?->operation_run_id)->toBe((int) $run->getKey());
});
it('records no-data baseline capture audit metadata without claiming baseline truth changed', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
'capture_mode' => BaselineCaptureMode::Opportunistic->value,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage($tenant, [
'deviceConfiguration' => 'succeeded',
]);
$operationRunService = app(OperationRunService::class);
$run = $operationRunService->ensureRunWithIdentity(
tenant: $tenant,
type: 'baseline_capture',
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
context: [
'baseline_profile_id' => (int) $profile->getKey(),
'source_tenant_id' => (int) $tenant->getKey(),
'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
'baseline_capture' => [
'inventory_sync_run_id' => (int) $inventorySyncRun->getKey(),
'eligibility' => [
'phase' => 'preflight',
'ok' => true,
'inventory_sync_run_id' => (int) $inventorySyncRun->getKey(),
'covered_types' => ['deviceConfiguration'],
'uncovered_types' => [],
],
],
],
initiator: $user,
);
(new CaptureBaselineSnapshotJob($run))->handle(
app(BaselineSnapshotIdentity::class),
app(InventoryMetaContract::class),
app(AuditLogger::class),
$operationRunService,
);
$completed = AuditLog::query()
->where('tenant_id', (int) $tenant->getKey())
->where('action', 'baseline.capture.completed')
->latest('id')
->first();
expect($completed)->not->toBeNull();
expect(data_get($completed?->metadata, 'reason_code'))->toBe(BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS);
expect(data_get($completed?->metadata, 'current_baseline_changed'))->toBeFalse();
expect(data_get($completed?->metadata, 'snapshot_id'))->not->toBeNull();
});

75
apps/platform/tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php
View File

@ -5,6 +5,7 @@
use App\Filament\Pages\Operations\TenantlessOperationRunViewer;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
@ -175,3 +176,77 @@ function governanceRunViewer(TestCase $testCase, $user, Tenant $tenant, Operatio
expect(mb_strpos($pageText, 'Missing sections'))->toBeLessThan(mb_strpos($pageText, 'Secondary causes'))
->and($pageText)->toContain('stale evidence');
});
it('shows failed-latest-inventory baseline capture summaries before diagnostics', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'baseline_capture',
'status' => 'completed',
'outcome' => 'blocked',
'context' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'baseline_capture' => [
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'subjects_total' => 0,
'current_baseline_changed' => false,
],
],
'failure_summary' => [[
'reason_code' => BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
'message' => 'Capture blocked because the latest inventory sync failed.',
]],
'completed_at' => now(),
]);
$component = governanceRunViewer($this, $user, $tenant, $run)
->assertSee('The baseline capture was blocked because the latest inventory sync failed.')
->assertSee('Latest inventory sync failed')
->assertSee('Artifact impact')
->assertSee('Dominant cause');
$pageText = governanceVisibleText($component);
expect(mb_strpos($pageText, 'The baseline capture was blocked because the latest inventory sync failed.'))
->toBeLessThan(mb_strpos($pageText, 'Artifact truth details'));
});
it('shows zero-subject baseline capture summaries before diagnostics', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'baseline_capture',
'status' => 'completed',
'outcome' => 'partially_succeeded',
'context' => [
'reason_code' => BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
'baseline_capture' => [
'reason_code' => BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
'subjects_total' => 0,
'current_baseline_changed' => false,
],
],
'summary_counts' => [
'total' => 0,
'processed' => 0,
'failed' => 0,
],
'completed_at' => now(),
]);
$component = governanceRunViewer($this, $user, $tenant, $run)
->assertSee('The baseline capture finished without a usable baseline because no governed subjects were in scope.')
->assertSee('No subjects were in scope')
->assertSee('Primary next step');
$pageText = governanceVisibleText($component);
expect(mb_strpos($pageText, 'The baseline capture finished without a usable baseline because no governed subjects were in scope.'))
->toBeLessThan(mb_strpos($pageText, 'Artifact truth details'));
});

70
apps/platform/tests/Feature/Notifications/OperationRunNotificationTest.php
View File

@ -5,6 +5,7 @@
use App\Notifications\OperationRunCompleted;
use App\Notifications\OperationRunQueued;
use App\Services\OperationRunService;
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\OperationRunLinks;
use App\Support\Auth\PlatformCapabilities;
use App\Support\System\SystemOperationRunLinks;
@ -232,6 +233,75 @@ function spec230ExpectedNotificationIcon(string $status): string
$this->get(data_get($notification?->data, 'actions.0.url'))->assertSuccessful();
});
it('includes baseline truth status in blocked baseline-capture terminal notifications', function () {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'user_id' => (int) $user->getKey(),
'initiator_name' => $user->name,
'type' => 'baseline_capture',
'status' => 'queued',
'outcome' => 'pending',
'context' => [
'baseline_capture' => [
'current_baseline_changed' => false,
'previous_current_snapshot_exists' => true,
],
],
]);
app(OperationRunService::class)->finalizeBlockedRun(
run: $run,
reasonCode: BaselineReasonCodes::CAPTURE_INVENTORY_FAILED,
message: 'Capture blocked because the latest inventory sync failed.',
);
$notification = $user->notifications()->latest('id')->first();
expect($notification)->not->toBeNull()
->and(data_get($notification?->data, 'baseline_truth_changed'))->toBeFalse()
->and(data_get($notification?->data, 'reason_translation.operator_label'))->toBe('Latest inventory sync failed')
->and(data_get($notification?->data, 'diagnostic_reason_code'))->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_FAILED)
->and(array_values(data_get($notification?->data, 'supporting_lines', [])))->toContain('Current baseline truth was unchanged.');
});
it('does not emit terminal notifications for initiator-null baseline-capture runs', function () {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'user_id' => null,
'initiator_name' => 'System',
'type' => 'baseline_capture',
'status' => 'queued',
'outcome' => 'pending',
'context' => [
'baseline_capture' => [
'current_baseline_changed' => false,
],
],
]);
app(OperationRunService::class)->finalizeBlockedRun(
run: $run,
reasonCode: BaselineReasonCodes::CAPTURE_ZERO_SUBJECTS,
message: 'Capture completed without governed subjects in scope.',
);
expect($user->notifications()->count())->toBe(0);
});
it('uses the system operation route for completed notifications delivered to platform users', function (): void {
$platformUser = PlatformUser::factory()->create([
'capabilities' => [

Some files were not shown because too many files have changed in this diff Show More