Compare commits
4 Commits
251-commer
...
dev
| Author | SHA1 | Date | |
|---|---|---|---|
| 54fb65a63a | |||
| 29ad8852ca | |||
| 7613e339c4 | |||
| 7ee4909212 |
4
.github/agents/copilot-instructions.md
vendored
4
.github/agents/copilot-instructions.md
vendored
@ -264,6 +264,8 @@ ## Active Technologies
|
||||
- PostgreSQL via existing `tenant_reviews`, `review_packs`, `evidence_snapshots`, findings / finding-exception truth, workspace memberships, and `audit_logs`; no new persistence planned (249-customer-review-workspace)
|
||||
- PHP 8.4 (Laravel 12) + Filament v5 + Livewire v4, existing workspace settings stack (`SettingsRegistry`, `SettingsResolver`, `SettingsWriter`), `WorkspaceEntitlementResolver`, `ReviewPackService`, system directory detail page (251-commercial-entitlements-billing-state)
|
||||
- PostgreSQL via existing `workspace_settings` rows plus existing audit log records; no new table or billing/account model (251-commercial-entitlements-billing-state)
|
||||
- PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `UiEnforcement`, `OperationUxPresenter`, `OperationRunService`, `OperationCatalog`, `SystemOperationRunLinks`, `OperationRunLinks`, `AuditRecorder`, `WorkspaceAuditLogger`, and `PlatformCapabilities` (253-remove-findings-backfill-runtime-surfaces)
|
||||
- PostgreSQL existing `findings`, `operation_runs`, `audit_logs`, and related runtime tables only; no new persistence, migration, or data backfill is planned (253-remove-findings-backfill-runtime-surfaces)
|
||||
|
||||
- PHP 8.4.15 (feat/005-bulk-operations)
|
||||
|
||||
@ -298,9 +300,9 @@ ## Code Style
|
||||
PHP 8.4.15: Follow standard conventions
|
||||
|
||||
## Recent Changes
|
||||
- 253-remove-findings-backfill-runtime-surfaces: Added PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `UiEnforcement`, `OperationUxPresenter`, `OperationRunService`, `OperationCatalog`, `SystemOperationRunLinks`, `OperationRunLinks`, `AuditRecorder`, `WorkspaceAuditLogger`, and `PlatformCapabilities`
|
||||
- 251-commercial-entitlements-billing-state: Added PHP 8.4 (Laravel 12) + Filament v5 + Livewire v4, existing workspace settings stack (`SettingsRegistry`, `SettingsResolver`, `SettingsWriter`), `WorkspaceEntitlementResolver`, `ReviewPackService`, system directory detail page
|
||||
- 249-customer-review-workspace: Added PHP 8.4, Laravel 12 + Filament v5, Livewire v4, Pest v4, existing review/evidence/review-pack/audit/RBAC support services
|
||||
- 241-support-diagnostic-pack: Added PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `OperationRunLinks`, `GovernanceRunDiagnosticSummaryBuilder`, `ProviderReasonTranslator`, `RelatedNavigationResolver`, `RedactionIntegrity`, `WorkspaceAuditLogger`
|
||||
<!-- MANUAL ADDITIONS START -->
|
||||
|
||||
### Pre-production compatibility check
|
||||
|
||||
@ -6,12 +6,14 @@
|
||||
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\Tenant;
|
||||
use App\Support\OperationCatalog;
|
||||
use App\Support\OperationRunType;
|
||||
use Illuminate\Console\Command;
|
||||
|
||||
class PurgeLegacyBaselineGapRuns extends Command
|
||||
{
|
||||
protected $signature = 'tenantpilot:baselines:purge-legacy-gap-runs
|
||||
{--type=* : Limit cleanup to baseline_compare and/or baseline_capture runs}
|
||||
{--type=* : Limit cleanup to baseline.compare and/or baseline.capture runs (legacy aliases also accepted)}
|
||||
{--tenant=* : Limit cleanup to tenant ids or tenant external ids}
|
||||
{--workspace=* : Limit cleanup to workspace ids}
|
||||
{--limit=500 : Maximum candidate runs to inspect}
|
||||
@ -99,21 +101,35 @@ public function handle(): int
|
||||
*/
|
||||
private function normalizedTypes(): array
|
||||
{
|
||||
$types = array_values(array_unique(array_filter(
|
||||
$requestedTypes = array_values(array_unique(array_filter(
|
||||
array_map(
|
||||
static fn (mixed $type): ?string => is_string($type) && trim($type) !== '' ? trim($type) : null,
|
||||
(array) $this->option('type'),
|
||||
),
|
||||
)));
|
||||
|
||||
if ($types === []) {
|
||||
return ['baseline_compare', 'baseline_capture'];
|
||||
$canonicalTypes = array_values(array_unique(array_filter(array_map(
|
||||
static fn (string $type): ?string => match ($type) {
|
||||
OperationRunType::BaselineCompare->value, 'baseline_compare' => OperationRunType::BaselineCompare->value,
|
||||
OperationRunType::BaselineCapture->value, 'baseline_capture' => OperationRunType::BaselineCapture->value,
|
||||
default => null,
|
||||
},
|
||||
$requestedTypes,
|
||||
))));
|
||||
|
||||
if ($canonicalTypes === []) {
|
||||
$canonicalTypes = [
|
||||
OperationRunType::BaselineCompare->value,
|
||||
OperationRunType::BaselineCapture->value,
|
||||
];
|
||||
}
|
||||
|
||||
return array_values(array_filter(
|
||||
$types,
|
||||
static fn (string $type): bool => in_array($type, ['baseline_compare', 'baseline_capture'], true),
|
||||
));
|
||||
return array_values(array_unique(array_merge(
|
||||
...array_map(
|
||||
static fn (string $type): array => OperationCatalog::rawValuesForCanonical($type),
|
||||
$canonicalTypes,
|
||||
),
|
||||
)));
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@ -1,129 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Console\Commands;
|
||||
|
||||
use App\Models\Tenant;
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillScope;
|
||||
use App\Support\OperationalControls\OperationalControlBlockedException;
|
||||
use Illuminate\Console\Command;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
|
||||
class TenantpilotBackfillFindingLifecycle extends Command
|
||||
{
|
||||
protected $signature = 'tenantpilot:findings:backfill-lifecycle
|
||||
{--tenant=* : Limit to tenant_id/external_id}';
|
||||
|
||||
protected $description = 'Queue tenant-scoped findings lifecycle backfill jobs idempotently.';
|
||||
|
||||
public function handle(FindingsLifecycleBackfillRunbookService $runbookService): int
|
||||
{
|
||||
$tenantIdentifiers = array_values(array_filter((array) $this->option('tenant')));
|
||||
|
||||
if ($tenantIdentifiers === []) {
|
||||
$this->error('Provide one or more tenants via --tenant={id|external_id}.');
|
||||
|
||||
return self::FAILURE;
|
||||
}
|
||||
|
||||
$tenants = $this->resolveTenants($tenantIdentifiers);
|
||||
|
||||
if ($tenants->isEmpty()) {
|
||||
$this->info('No tenants matched the provided identifiers.');
|
||||
|
||||
return self::SUCCESS;
|
||||
}
|
||||
|
||||
$queued = 0;
|
||||
$skipped = 0;
|
||||
$nothingToDo = 0;
|
||||
|
||||
foreach ($tenants as $tenant) {
|
||||
if (! $tenant instanceof Tenant) {
|
||||
continue;
|
||||
}
|
||||
|
||||
try {
|
||||
$run = $runbookService->start(
|
||||
scope: FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey()),
|
||||
initiator: null,
|
||||
reason: null,
|
||||
source: 'cli',
|
||||
);
|
||||
} catch (OperationalControlBlockedException $e) {
|
||||
$this->error(sprintf(
|
||||
'Backfill paused for tenant %d: %s',
|
||||
(int) $tenant->getKey(),
|
||||
$e->getMessage(),
|
||||
));
|
||||
|
||||
return self::FAILURE;
|
||||
} catch (ValidationException $e) {
|
||||
$errors = $e->errors();
|
||||
|
||||
if (isset($errors['preflight.affected_count'])) {
|
||||
$nothingToDo++;
|
||||
|
||||
continue;
|
||||
}
|
||||
|
||||
$this->error(sprintf(
|
||||
'Backfill blocked for tenant %d: %s',
|
||||
(int) $tenant->getKey(),
|
||||
$e->getMessage(),
|
||||
));
|
||||
|
||||
return self::FAILURE;
|
||||
}
|
||||
|
||||
if (! $run->wasRecentlyCreated) {
|
||||
$skipped++;
|
||||
|
||||
continue;
|
||||
}
|
||||
|
||||
$queued++;
|
||||
}
|
||||
|
||||
$this->info(sprintf(
|
||||
'Queued %d backfill run(s), skipped %d duplicate run(s), nothing to do %d.',
|
||||
$queued,
|
||||
$skipped,
|
||||
$nothingToDo,
|
||||
));
|
||||
|
||||
return self::SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<int, string> $tenantIdentifiers
|
||||
* @return \Illuminate\Support\Collection<int, Tenant>
|
||||
*/
|
||||
private function resolveTenants(array $tenantIdentifiers)
|
||||
{
|
||||
$tenantIds = [];
|
||||
|
||||
foreach ($tenantIdentifiers as $identifier) {
|
||||
$tenant = Tenant::query()
|
||||
->forTenant($identifier)
|
||||
->first();
|
||||
|
||||
if ($tenant instanceof Tenant) {
|
||||
$tenantIds[] = (int) $tenant->getKey();
|
||||
}
|
||||
}
|
||||
|
||||
$tenantIds = array_values(array_unique($tenantIds));
|
||||
|
||||
if ($tenantIds === []) {
|
||||
return collect();
|
||||
}
|
||||
|
||||
return Tenant::query()
|
||||
->whereIn('id', $tenantIds)
|
||||
->orderBy('id')
|
||||
->get();
|
||||
}
|
||||
}
|
||||
@ -1,56 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Console\Commands;
|
||||
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillScope;
|
||||
use App\Services\Runbooks\RunbookReason;
|
||||
use App\Support\OperationalControls\OperationalControlBlockedException;
|
||||
use Illuminate\Console\Command;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
|
||||
class TenantpilotRunDeployRunbooks extends Command
|
||||
{
|
||||
protected $signature = 'tenantpilot:run-deploy-runbooks';
|
||||
|
||||
protected $description = 'Run deploy-time runbooks idempotently.';
|
||||
|
||||
public function handle(FindingsLifecycleBackfillRunbookService $runbookService): int
|
||||
{
|
||||
try {
|
||||
$runbookService->start(
|
||||
scope: FindingsLifecycleBackfillScope::allTenants(),
|
||||
initiator: null,
|
||||
reason: new RunbookReason(
|
||||
reasonCode: RunbookReason::CODE_DATA_REPAIR,
|
||||
reasonText: 'Deploy hook automated runbooks',
|
||||
),
|
||||
source: 'deploy_hook',
|
||||
);
|
||||
|
||||
$this->info('Deploy runbooks started (if needed).');
|
||||
|
||||
return self::SUCCESS;
|
||||
} catch (OperationalControlBlockedException $e) {
|
||||
$this->info('Deploy runbooks paused: '.$e->getMessage());
|
||||
|
||||
return self::SUCCESS;
|
||||
} catch (ValidationException $e) {
|
||||
$errors = $e->errors();
|
||||
|
||||
$skippable = isset($errors['preflight.affected_count']) || isset($errors['scope']);
|
||||
|
||||
if ($skippable) {
|
||||
$this->info('Deploy runbooks skipped (nothing to do or already running).');
|
||||
|
||||
return self::SUCCESS;
|
||||
}
|
||||
|
||||
$this->error('Deploy runbooks blocked by validation errors.');
|
||||
|
||||
return self::FAILURE;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -9,4 +9,9 @@
|
||||
class Login extends BaseLogin
|
||||
{
|
||||
protected string $view = 'filament.pages.auth.login';
|
||||
|
||||
public function getTitle(): string
|
||||
{
|
||||
return __('localization.auth.sign_in_microsoft');
|
||||
}
|
||||
}
|
||||
|
||||
@ -16,6 +16,11 @@
|
||||
use App\Support\Findings\FindingOutcomeSemantics;
|
||||
use App\Support\Filament\TablePaginationProfiles;
|
||||
use App\Support\ReviewPackStatus;
|
||||
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceType;
|
||||
use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthEnvelope;
|
||||
use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthPresenter;
|
||||
use App\Support\Ui\GovernanceArtifactTruth\CompressedGovernanceOutcome;
|
||||
@ -57,6 +62,31 @@ class CustomerReviewWorkspace extends Page implements HasTable
|
||||
|
||||
protected string $view = 'filament.pages.reviews.customer-review-workspace';
|
||||
|
||||
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
|
||||
{
|
||||
return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog, ActionSurfaceType::ReadOnlyRegistryReport)
|
||||
->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions provide a single Clear filters action for the customer review workspace.')
|
||||
->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
|
||||
->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The customer review workspace remains scan-first and does not expose bulk actions.')
|
||||
->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state keeps exactly one Clear filters CTA when filters are active.')
|
||||
->exempt(ActionSurfaceSlot::DetailHeader, 'Row navigation opens the latest published review detail instead of an inline canonical detail panel.');
|
||||
}
|
||||
|
||||
public static function getNavigationGroup(): string
|
||||
{
|
||||
return __('localization.review.reporting');
|
||||
}
|
||||
|
||||
public static function getNavigationLabel(): string
|
||||
{
|
||||
return __('localization.review.customer_reviews');
|
||||
}
|
||||
|
||||
public function getTitle(): string
|
||||
{
|
||||
return __('localization.review.customer_review_workspace');
|
||||
}
|
||||
|
||||
public static function tenantPrefilterUrl(Tenant $tenant): string
|
||||
{
|
||||
$tenantIdentifier = filled($tenant->external_id)
|
||||
@ -84,7 +114,7 @@ protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
Action::make('clear_filters')
|
||||
->label('Clear filters')
|
||||
->label(__('localization.review.clear_filters'))
|
||||
->icon('heroicon-o-x-mark')
|
||||
->color('gray')
|
||||
->visible(fn (): bool => $this->hasActiveFilters())
|
||||
@ -105,9 +135,9 @@ public function table(Table $table): Table
|
||||
->persistSortInSession()
|
||||
->recordUrl(fn (Tenant $record): ?string => $this->latestReviewUrl($record))
|
||||
->columns([
|
||||
TextColumn::make('name')->label('Tenant')->searchable()->sortable(),
|
||||
TextColumn::make('name')->label(__('localization.review.tenant'))->searchable()->sortable(),
|
||||
TextColumn::make('latest_review')
|
||||
->label('Latest review')
|
||||
->label(__('localization.review.latest_review'))
|
||||
->badge()
|
||||
->getStateUsing(fn (Tenant $record): string => $this->latestReviewStateLabel($record))
|
||||
->color(fn (Tenant $record): string => $this->latestReviewStateColor($record))
|
||||
@ -116,25 +146,25 @@ public function table(Table $table): Table
|
||||
->description(fn (Tenant $record): ?string => $this->reviewOutcomeDescription($record))
|
||||
->wrap(),
|
||||
TextColumn::make('finding_summary')
|
||||
->label('Key findings')
|
||||
->label(__('localization.review.key_findings'))
|
||||
->getStateUsing(fn (Tenant $record): string => $this->findingSummary($record))
|
||||
->wrap(),
|
||||
TextColumn::make('accepted_risk_summary')
|
||||
->label('Accepted risks')
|
||||
->label(__('localization.review.accepted_risks'))
|
||||
->getStateUsing(fn (Tenant $record): string => $this->acceptedRiskSummary($record))
|
||||
->wrap(),
|
||||
TextColumn::make('published_at')
|
||||
->label('Published')
|
||||
->label(__('localization.review.published'))
|
||||
->getStateUsing(fn (Tenant $record): ?string => $this->latestPublishedAt($record)?->toDateTimeString())
|
||||
->dateTime()
|
||||
->placeholder('—'),
|
||||
TextColumn::make('review_pack_state')
|
||||
->label('Review pack')
|
||||
->label(__('localization.review.review_pack'))
|
||||
->getStateUsing(fn (Tenant $record): string => $this->reviewPackAvailability($record)),
|
||||
])
|
||||
->filters([
|
||||
SelectFilter::make('tenant_id')
|
||||
->label('Tenant')
|
||||
->label(__('localization.review.tenant'))
|
||||
->options(fn (): array => $this->tenantFilterOptions())
|
||||
->default(fn (): ?string => $this->defaultTenantFilter())
|
||||
->query(function (Builder $query, array $data): Builder {
|
||||
@ -148,25 +178,25 @@ public function table(Table $table): Table
|
||||
])
|
||||
->actions([
|
||||
Action::make('open_latest_review')
|
||||
->label('Open latest review')
|
||||
->label(__('localization.review.open_latest_review'))
|
||||
->icon('heroicon-o-arrow-top-right-on-square')
|
||||
->url(fn (Tenant $record): ?string => $this->latestReviewUrl($record))
|
||||
->visible(fn (Tenant $record): bool => $this->latestPublishedReview($record) instanceof TenantReview),
|
||||
Action::make('download_review_pack')
|
||||
->label('Download review pack')
|
||||
->label(__('localization.review.download_review_pack'))
|
||||
->icon('heroicon-o-arrow-down-tray')
|
||||
->url(fn (Tenant $record): ?string => $this->latestReviewPackDownloadUrl($record))
|
||||
->openUrlInNewTab()
|
||||
->visible(fn (Tenant $record): bool => is_string($this->latestReviewPackDownloadUrl($record))),
|
||||
])
|
||||
->bulkActions([])
|
||||
->emptyStateHeading('No entitled tenants match this view')
|
||||
->emptyStateHeading(__('localization.review.no_entitled_tenants'))
|
||||
->emptyStateDescription(fn (): string => $this->hasActiveFilters()
|
||||
? 'Clear the current filters to return to the full customer review workspace for your entitled tenants.'
|
||||
: 'Adjust filters to return to the full customer review workspace for your entitled tenants.')
|
||||
? __('localization.review.clear_filters_description')
|
||||
: __('localization.review.adjust_filters_description'))
|
||||
->emptyStateActions([
|
||||
Action::make('clear_filters_empty')
|
||||
->label('Clear filters')
|
||||
->label(__('localization.review.clear_filters'))
|
||||
->icon('heroicon-o-x-mark')
|
||||
->color('gray')
|
||||
->visible(fn (): bool => $this->hasActiveFilters())
|
||||
@ -387,7 +417,7 @@ private function reviewOutcome(Tenant $tenant): ?CompressedGovernanceOutcome
|
||||
|
||||
private function latestReviewStateLabel(Tenant $tenant): string
|
||||
{
|
||||
return $this->reviewOutcome($tenant)?->primaryLabel ?? 'No published review';
|
||||
return $this->reviewOutcome($tenant)?->primaryLabel ?? __('localization.review.no_published_review');
|
||||
}
|
||||
|
||||
private function latestReviewStateColor(Tenant $tenant): string
|
||||
@ -410,7 +440,7 @@ private function reviewOutcomeDescription(Tenant $tenant): ?string
|
||||
$review = $this->latestPublishedReview($tenant);
|
||||
|
||||
if (! $review instanceof TenantReview) {
|
||||
return 'No published review available yet';
|
||||
return __('localization.review.no_published_review_available');
|
||||
}
|
||||
|
||||
$primaryReason = $this->reviewOutcome($tenant)?->primaryReason;
|
||||
@ -427,7 +457,7 @@ private function reviewOutcomeDescription(Tenant $tenant): ?string
|
||||
return $primaryReason;
|
||||
}
|
||||
|
||||
return trim($primaryReason.' Terminal outcomes: '.$findingOutcomeSummary.'.');
|
||||
return trim($primaryReason.' '.__('localization.review.terminal_outcomes').': '.$findingOutcomeSummary.'.');
|
||||
}
|
||||
|
||||
private function findingSummary(Tenant $tenant): string
|
||||
@ -435,7 +465,7 @@ private function findingSummary(Tenant $tenant): string
|
||||
$review = $this->latestPublishedReview($tenant);
|
||||
|
||||
if (! $review instanceof TenantReview) {
|
||||
return 'No published review available yet';
|
||||
return __('localization.review.no_published_review_available');
|
||||
}
|
||||
|
||||
$summary = is_array($review->summary) ? $review->summary : [];
|
||||
@ -444,14 +474,17 @@ private function findingSummary(Tenant $tenant): string
|
||||
$terminalOutcomes = app(FindingOutcomeSemantics::class)->compactOutcomeSummary($findingOutcomes);
|
||||
|
||||
if ($findingCount === 0) {
|
||||
return 'No findings recorded in the published review.';
|
||||
return __('localization.review.no_findings_recorded');
|
||||
}
|
||||
|
||||
if ($terminalOutcomes === null) {
|
||||
return sprintf('%d findings summarized in the published review.', $findingCount);
|
||||
return __('localization.review.findings_count_summary', ['count' => $findingCount]);
|
||||
}
|
||||
|
||||
return sprintf('%d findings. Terminal outcomes: %s.', $findingCount, $terminalOutcomes);
|
||||
return __('localization.review.findings_count_with_outcomes', [
|
||||
'count' => $findingCount,
|
||||
'outcomes' => $terminalOutcomes,
|
||||
]);
|
||||
}
|
||||
|
||||
private function acceptedRiskSummary(Tenant $tenant): string
|
||||
@ -459,7 +492,7 @@ private function acceptedRiskSummary(Tenant $tenant): string
|
||||
$review = $this->latestPublishedReview($tenant);
|
||||
|
||||
if (! $review instanceof TenantReview) {
|
||||
return 'No published review available yet';
|
||||
return __('localization.review.no_published_review_available');
|
||||
}
|
||||
|
||||
$summary = is_array($review->summary) ? $review->summary : [];
|
||||
@ -469,10 +502,10 @@ private function acceptedRiskSummary(Tenant $tenant): string
|
||||
$warningCount = (int) ($riskAcceptance['warning_count'] ?? 0);
|
||||
|
||||
return match (true) {
|
||||
$statusMarkedCount === 0 => 'No accepted risks recorded.',
|
||||
$warningCount > 0 => sprintf('%d accepted risks need governance follow-up (%d total).', $warningCount, $statusMarkedCount),
|
||||
$validGovernedCount > 0 => sprintf('%d accepted risks are governed.', $validGovernedCount),
|
||||
default => sprintf('%d accepted risks are on record.', $statusMarkedCount),
|
||||
$statusMarkedCount === 0 => __('localization.review.no_accepted_risks_recorded'),
|
||||
$warningCount > 0 => __('localization.review.accepted_risks_need_follow_up', ['warnings' => $warningCount, 'total' => $statusMarkedCount]),
|
||||
$validGovernedCount > 0 => __('localization.review.accepted_risks_governed', ['count' => $validGovernedCount]),
|
||||
default => __('localization.review.accepted_risks_on_record', ['count' => $statusMarkedCount]),
|
||||
};
|
||||
}
|
||||
|
||||
@ -481,17 +514,17 @@ private function reviewPackAvailability(Tenant $tenant): string
|
||||
$pack = $this->latestReviewPack($tenant);
|
||||
|
||||
if (! $pack instanceof ReviewPack) {
|
||||
return 'Unavailable';
|
||||
return __('localization.review.unavailable');
|
||||
}
|
||||
|
||||
if ($pack->status !== ReviewPackStatus::Ready->value) {
|
||||
return 'Unavailable';
|
||||
return __('localization.review.unavailable');
|
||||
}
|
||||
|
||||
if ($pack->expires_at !== null && $pack->expires_at->isPast()) {
|
||||
return 'Unavailable';
|
||||
return __('localization.review.unavailable');
|
||||
}
|
||||
|
||||
return 'Available';
|
||||
return __('localization.review.available');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -12,6 +12,7 @@
|
||||
use App\Services\Auth\WorkspaceCapabilityResolver;
|
||||
use App\Services\Entitlements\WorkspaceEntitlementResolver;
|
||||
use App\Services\Entitlements\WorkspacePlanProfileCatalog;
|
||||
use App\Services\Localization\LocaleResolver;
|
||||
use App\Services\Settings\SettingsResolver;
|
||||
use App\Services\Settings\SettingsWriter;
|
||||
use App\Support\Auth\Capabilities;
|
||||
@ -58,6 +59,7 @@ class WorkspaceSettings extends Page
|
||||
*/
|
||||
private const SETTING_FIELDS = [
|
||||
'ai_policy_mode' => ['domain' => 'ai', 'key' => 'policy_mode', 'type' => 'string'],
|
||||
'localization_default_locale' => ['domain' => 'localization', 'key' => 'default_locale', 'type' => 'string'],
|
||||
'backup_retention_keep_last_default' => ['domain' => 'backup', 'key' => 'retention_keep_last_default', 'type' => 'int'],
|
||||
'backup_retention_min_floor' => ['domain' => 'backup', 'key' => 'retention_min_floor', 'type' => 'int'],
|
||||
'drift_severity_mapping' => ['domain' => 'drift', 'key' => 'severity_mapping', 'type' => 'json'],
|
||||
@ -153,17 +155,22 @@ protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
Action::make('save')
|
||||
->label('Save')
|
||||
->label(__('localization.workspace.save'))
|
||||
->action(function (): void {
|
||||
$this->save();
|
||||
})
|
||||
->disabled(fn (): bool => ! $this->currentUserCanManage())
|
||||
->tooltip(fn (): ?string => $this->currentUserCanManage()
|
||||
? null
|
||||
: 'You do not have permission to manage workspace settings.'),
|
||||
: __('localization.workspace.no_manage_permission')),
|
||||
];
|
||||
}
|
||||
|
||||
public function getTitle(): string
|
||||
{
|
||||
return __('localization.workspace.title');
|
||||
}
|
||||
|
||||
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
|
||||
{
|
||||
return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
|
||||
@ -208,6 +215,18 @@ public function content(Schema $schema): Schema
|
||||
return $schema
|
||||
->statePath('data')
|
||||
->schema([
|
||||
Section::make(__('localization.workspace.section'))
|
||||
->description($this->sectionDescription('localization', __('localization.workspace.section_description')))
|
||||
->schema([
|
||||
Select::make('localization_default_locale')
|
||||
->label(__('localization.workspace.default_locale_label'))
|
||||
->options(LocaleResolver::localeOptions())
|
||||
->placeholder(__('localization.workspace.default_locale_placeholder'))
|
||||
->native(false)
|
||||
->disabled(fn (): bool => ! $this->currentUserCanManage())
|
||||
->helperText(fn (): string => $this->localeDefaultHelperText())
|
||||
->hintAction($this->makeResetAction('localization_default_locale')),
|
||||
]),
|
||||
Section::make('Workspace entitlements')
|
||||
->description($this->sectionDescription('entitlements', 'Select a plan profile and optional first-slice overrides for onboarding activation and review pack generation.'))
|
||||
->columns(2)
|
||||
@ -507,7 +526,7 @@ public function save(): void
|
||||
$this->loadFormState();
|
||||
|
||||
Notification::make()
|
||||
->title($changedSettingsCount > 0 ? 'Workspace settings saved' : 'No settings changes to save')
|
||||
->title($changedSettingsCount > 0 ? __('localization.notifications.workspace_settings_saved') : __('localization.notifications.workspace_settings_unchanged'))
|
||||
->success()
|
||||
->send();
|
||||
}
|
||||
@ -526,7 +545,7 @@ public function resetSetting(string $field): void
|
||||
|
||||
if ($this->workspaceOverrideForField($field) === null) {
|
||||
Notification::make()
|
||||
->title('Setting already uses default')
|
||||
->title(__('localization.notifications.setting_already_default'))
|
||||
->success()
|
||||
->send();
|
||||
|
||||
@ -543,7 +562,7 @@ public function resetSetting(string $field): void
|
||||
$this->loadFormState();
|
||||
|
||||
Notification::make()
|
||||
->title('Workspace setting reset to default')
|
||||
->title(__('localization.notifications.workspace_setting_reset'))
|
||||
->success()
|
||||
->send();
|
||||
}
|
||||
@ -692,18 +711,17 @@ private function sectionDescription(string $domain, string $baseDescription): st
|
||||
/** @var Carbon $updatedAt */
|
||||
$updatedAt = $meta['updated_at'];
|
||||
|
||||
return sprintf(
|
||||
'%s — Last modified by %s, %s.',
|
||||
$baseDescription,
|
||||
$meta['user_name'],
|
||||
$updatedAt->diffForHumans(),
|
||||
);
|
||||
return __('localization.workspace.last_modified_by', [
|
||||
'description' => $baseDescription,
|
||||
'user' => $meta['user_name'],
|
||||
'time' => $updatedAt->diffForHumans(),
|
||||
]);
|
||||
}
|
||||
|
||||
private function makeResetAction(string $field): Action
|
||||
{
|
||||
return Action::make('reset_'.$field)
|
||||
->label('Reset')
|
||||
->label(__('localization.workspace.reset'))
|
||||
->color('danger')
|
||||
->requiresConfirmation()
|
||||
->action(function () use ($field): void {
|
||||
@ -718,15 +736,15 @@ private function makeResetAction(string $field): Action
|
||||
->disabled(fn (): bool => ! $this->currentUserCanManage() || ! $this->canResetField($field))
|
||||
->tooltip(function () use ($field): ?string {
|
||||
if (! $this->currentUserCanManage()) {
|
||||
return 'You do not have permission to manage workspace settings.';
|
||||
return __('localization.workspace.no_manage_permission');
|
||||
}
|
||||
|
||||
if (! $this->canResetField($field)) {
|
||||
if ($this->isEntitlementOverrideValueField($field)) {
|
||||
return 'No workspace override to reset.';
|
||||
return __('localization.workspace.no_workspace_override');
|
||||
}
|
||||
|
||||
return 'No workspace override to reset.';
|
||||
return __('localization.workspace.no_workspace_override');
|
||||
}
|
||||
|
||||
return null;
|
||||
@ -948,6 +966,29 @@ private function helperTextFor(string $field): string
|
||||
return sprintf('Effective value: %s.', $effectiveValue);
|
||||
}
|
||||
|
||||
private function localeDefaultHelperText(): string
|
||||
{
|
||||
$resolved = $this->resolvedSettings['localization_default_locale'] ?? null;
|
||||
|
||||
if (! is_array($resolved)) {
|
||||
return '';
|
||||
}
|
||||
|
||||
$effectiveLocale = LocaleResolver::normalize($resolved['value'] ?? null) ?? 'en';
|
||||
$localeLabel = LocaleResolver::localeOptions()[$effectiveLocale] ?? strtoupper($effectiveLocale);
|
||||
|
||||
if (! $this->hasWorkspaceOverride('localization_default_locale')) {
|
||||
return __('localization.workspace.default_locale_helper_unset', [
|
||||
'locale' => $localeLabel,
|
||||
'source' => $this->sourceLabel((string) ($resolved['source'] ?? 'system_default')),
|
||||
]);
|
||||
}
|
||||
|
||||
return __('localization.workspace.default_locale_helper_set', [
|
||||
'locale' => $localeLabel,
|
||||
]);
|
||||
}
|
||||
|
||||
private function slaFieldHelperText(string $severity): string
|
||||
{
|
||||
$resolved = $this->resolvedSettings['findings_sla_days'] ?? null;
|
||||
@ -1353,9 +1394,9 @@ private function formatValueForDisplay(string $field, mixed $value): string
|
||||
private function sourceLabel(string $source): string
|
||||
{
|
||||
return match ($source) {
|
||||
'workspace_override' => 'workspace override',
|
||||
'workspace_override' => __('localization.source.workspace_override'),
|
||||
'tenant_override' => 'tenant override',
|
||||
default => 'system default',
|
||||
default => __('localization.source.system_default'),
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
@ -42,6 +42,11 @@ class TenantDashboard extends Dashboard
|
||||
*/
|
||||
public array $supportDiagnosticsAuditKeys = [];
|
||||
|
||||
public function getTitle(): string
|
||||
{
|
||||
return __('localization.dashboard.tenant_title');
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<mixed> $parameters
|
||||
*/
|
||||
@ -90,38 +95,38 @@ public function authorizeTenantSupportRequest(): void
|
||||
private function requestSupportAction(): Action
|
||||
{
|
||||
$action = Action::make('requestSupport')
|
||||
->label('Request support')
|
||||
->label(__('localization.dashboard.request_support'))
|
||||
->icon('heroicon-o-paper-airplane')
|
||||
->color('gray')
|
||||
->slideOver()
|
||||
->stickyModalHeader()
|
||||
->modalHeading('Request support')
|
||||
->modalDescription('Share a concise summary and TenantAtlas will attach redacted context from existing records.')
|
||||
->modalSubmitActionLabel('Submit request')
|
||||
->modalHeading(__('localization.dashboard.support_request_heading'))
|
||||
->modalDescription(__('localization.dashboard.support_request_description'))
|
||||
->modalSubmitActionLabel(__('localization.dashboard.submit_request'))
|
||||
->form([
|
||||
Placeholder::make('included_context')
|
||||
->label('Included context')
|
||||
->label(__('localization.dashboard.included_context'))
|
||||
->content(fn (): string => $this->tenantSupportRequestAttachmentSummary())
|
||||
->columnSpanFull(),
|
||||
Select::make('severity')
|
||||
->label('Severity')
|
||||
->label(__('localization.dashboard.severity'))
|
||||
->options(SupportRequest::severityOptions())
|
||||
->default(SupportRequest::SEVERITY_NORMAL)
|
||||
->required()
|
||||
->native(false),
|
||||
TextInput::make('summary')
|
||||
->label('Summary')
|
||||
->label(__('localization.dashboard.summary'))
|
||||
->required()
|
||||
->columnSpanFull(),
|
||||
Textarea::make('reproduction_notes')
|
||||
->label('Reproduction notes')
|
||||
->label(__('localization.dashboard.reproduction_notes'))
|
||||
->rows(4)
|
||||
->columnSpanFull(),
|
||||
TextInput::make('contact_name')
|
||||
->label('Contact name')
|
||||
->label(__('localization.dashboard.contact_name'))
|
||||
->default(fn (): ?string => $this->resolveDashboardActor()->name),
|
||||
TextInput::make('contact_email')
|
||||
->label('Contact email')
|
||||
->label(__('localization.dashboard.contact_email'))
|
||||
->email()
|
||||
->default(fn (): ?string => $this->resolveDashboardActor()->email),
|
||||
])
|
||||
@ -132,7 +137,7 @@ private function requestSupportAction(): Action
|
||||
$supportRequest = app(SupportRequestSubmissionService::class)->submitForTenant($tenant, $actor, $data);
|
||||
|
||||
Notification::make()
|
||||
->title('Support request submitted')
|
||||
->title(__('localization.dashboard.support_request_submitted'))
|
||||
->body('Reference '.$supportRequest->internal_reference)
|
||||
->success()
|
||||
->send();
|
||||
@ -146,16 +151,16 @@ private function requestSupportAction(): Action
|
||||
private function openSupportDiagnosticsAction(): Action
|
||||
{
|
||||
$action = Action::make('openSupportDiagnostics')
|
||||
->label('Open support diagnostics')
|
||||
->label(__('localization.dashboard.open_support_diagnostics'))
|
||||
->icon('heroicon-o-lifebuoy')
|
||||
->color('gray')
|
||||
->modal()
|
||||
->slideOver()
|
||||
->stickyModalHeader()
|
||||
->modalHeading('Support diagnostics')
|
||||
->modalDescription('Redacted tenant context from existing records.')
|
||||
->modalHeading(__('localization.dashboard.support_diagnostics'))
|
||||
->modalDescription(__('localization.dashboard.support_diagnostics_description'))
|
||||
->modalSubmitAction(false)
|
||||
->modalCancelAction(fn (Action $action): Action => $action->label('Close'))
|
||||
->modalCancelAction(fn (Action $action): Action => $action->label(__('localization.dashboard.close')))
|
||||
->mountUsing(function (): void {
|
||||
$this->auditTenantSupportDiagnosticsOpen();
|
||||
})
|
||||
|
||||
@ -75,8 +75,6 @@ class FindingResource extends Resource
|
||||
|
||||
protected static string|UnitEnum|null $navigationGroup = 'Governance';
|
||||
|
||||
protected static ?string $navigationLabel = 'Findings';
|
||||
|
||||
public static function shouldRegisterNavigation(): bool
|
||||
{
|
||||
if (Filament::getCurrentPanel()?->getId() === 'admin') {
|
||||
@ -86,6 +84,26 @@ public static function shouldRegisterNavigation(): bool
|
||||
return parent::shouldRegisterNavigation();
|
||||
}
|
||||
|
||||
public static function getNavigationLabel(): string
|
||||
{
|
||||
return __('localization.navigation.findings');
|
||||
}
|
||||
|
||||
public static function getNavigationGroup(): string
|
||||
{
|
||||
return __('localization.navigation.governance');
|
||||
}
|
||||
|
||||
public static function getModelLabel(): string
|
||||
{
|
||||
return __('localization.navigation.findings');
|
||||
}
|
||||
|
||||
public static function getPluralModelLabel(): string
|
||||
{
|
||||
return __('localization.navigation.findings');
|
||||
}
|
||||
|
||||
public static function canViewAny(): bool
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
@ -290,8 +308,6 @@ public static function infolist(Schema $schema): Schema
|
||||
? OperationRunLinks::tenantlessView((int) $record->current_operation_run_id, static::findingRunNavigationContext($record))
|
||||
: null)
|
||||
->openUrlInNewTab(),
|
||||
TextEntry::make('acknowledged_at')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('acknowledged_by_user_id')->label('Acknowledged by')->placeholder('—'),
|
||||
TextEntry::make('first_seen_at')->label('First seen')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('last_seen_at')->label('Last seen')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('times_seen')->label('Times seen')->placeholder('—'),
|
||||
@ -982,7 +998,6 @@ public static function table(Table $table): Table
|
||||
if (! in_array((string) $record->status, [
|
||||
Finding::STATUS_NEW,
|
||||
Finding::STATUS_REOPENED,
|
||||
Finding::STATUS_ACKNOWLEDGED,
|
||||
], true)) {
|
||||
$skippedCount++;
|
||||
|
||||
@ -1398,7 +1413,6 @@ public static function triageAction(): Actions\Action
|
||||
->visible(fn (Finding $record): bool => in_array((string) $record->status, [
|
||||
Finding::STATUS_NEW,
|
||||
Finding::STATUS_REOPENED,
|
||||
Finding::STATUS_ACKNOWLEDGED,
|
||||
], true))
|
||||
->action(function (Finding $record, FindingWorkflowService $workflow): void {
|
||||
static::runWorkflowMutation(
|
||||
@ -1423,7 +1437,6 @@ public static function startProgressAction(): Actions\Action
|
||||
->color('info')
|
||||
->visible(fn (Finding $record): bool => in_array((string) $record->status, [
|
||||
Finding::STATUS_TRIAGED,
|
||||
Finding::STATUS_ACKNOWLEDGED,
|
||||
], true))
|
||||
->action(function (Finding $record, FindingWorkflowService $workflow): void {
|
||||
static::runWorkflowMutation(
|
||||
|
||||
@ -10,14 +10,8 @@
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Services\Findings\FindingWorkflowService;
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillScope;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Filament\CanonicalAdminTenantFilterState;
|
||||
use App\Support\OperationRunLinks;
|
||||
use App\Support\OpsUx\OperationUxPresenter;
|
||||
use App\Support\OpsUx\OpsUxBrowserEvents;
|
||||
use App\Support\OperationalControls\OperationalControlBlockedException;
|
||||
use App\Support\Rbac\UiEnforcement;
|
||||
use App\Support\Rbac\UiTooltips;
|
||||
use Filament\Actions;
|
||||
@ -77,15 +71,15 @@ public function getTabs(): array
|
||||
$stats = FindingResource::findingStatsForCurrentTenant();
|
||||
|
||||
return [
|
||||
'all' => Tab::make('All')
|
||||
'all' => Tab::make(__('localization.findings.all'))
|
||||
->icon('heroicon-m-list-bullet'),
|
||||
'needs_action' => Tab::make('Needs action')
|
||||
'needs_action' => Tab::make(__('localization.findings.needs_action'))
|
||||
->icon('heroicon-m-exclamation-triangle')
|
||||
->modifyQueryUsing(fn (Builder $query): Builder => $query
|
||||
->whereIn('status', Finding::openStatusesForQuery()))
|
||||
->badge($stats['open'] > 0 ? $stats['open'] : null)
|
||||
->badgeColor('warning'),
|
||||
'overdue' => Tab::make('Overdue')
|
||||
'overdue' => Tab::make(__('localization.findings.overdue'))
|
||||
->icon('heroicon-m-clock')
|
||||
->modifyQueryUsing(fn (Builder $query): Builder => $query
|
||||
->whereIn('status', Finding::openStatusesForQuery())
|
||||
@ -93,11 +87,11 @@ public function getTabs(): array
|
||||
->where('due_at', '<', now()))
|
||||
->badge($stats['overdue'] > 0 ? $stats['overdue'] : null)
|
||||
->badgeColor('danger'),
|
||||
'risk_accepted' => Tab::make('Risk accepted')
|
||||
'risk_accepted' => Tab::make(__('localization.findings.risk_accepted'))
|
||||
->icon('heroicon-m-shield-check')
|
||||
->modifyQueryUsing(fn (Builder $query): Builder => $query
|
||||
->where('status', Finding::STATUS_RISK_ACCEPTED)),
|
||||
'resolved' => Tab::make('Resolved')
|
||||
'resolved' => Tab::make(__('localization.findings.resolved'))
|
||||
->icon('heroicon-m-archive-box')
|
||||
->modifyQueryUsing(fn (Builder $query): Builder => $query
|
||||
->whereIn('status', [Finding::STATUS_RESOLVED, Finding::STATUS_CLOSED])),
|
||||
@ -108,77 +102,6 @@ protected function getHeaderActions(): array
|
||||
{
|
||||
$actions = [];
|
||||
|
||||
$actions[] = UiEnforcement::forAction(
|
||||
Actions\Action::make('backfill_lifecycle')
|
||||
->label('Backfill findings lifecycle')
|
||||
->icon('heroicon-o-wrench-screwdriver')
|
||||
->color('gray')
|
||||
->requiresConfirmation()
|
||||
->modalHeading('Backfill findings lifecycle')
|
||||
->modalDescription('This will backfill legacy Findings data (lifecycle fields, SLA due dates, and drift duplicate consolidation) for the current tenant. The operation runs in the background.')
|
||||
->action(function (FindingsLifecycleBackfillRunbookService $runbookService): void {
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
try {
|
||||
$opRun = $runbookService->start(
|
||||
scope: FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey()),
|
||||
initiator: $user,
|
||||
reason: null,
|
||||
source: 'tenant_ui',
|
||||
);
|
||||
} catch (OperationalControlBlockedException $exception) {
|
||||
Notification::make()
|
||||
->title($exception->title())
|
||||
->body($exception->getMessage())
|
||||
->warning()
|
||||
->send();
|
||||
|
||||
throw new \Filament\Support\Exceptions\Halt;
|
||||
}
|
||||
|
||||
$runUrl = OperationRunLinks::view($opRun, $tenant);
|
||||
|
||||
if ($opRun->wasRecentlyCreated === false) {
|
||||
OpsUxBrowserEvents::dispatchRunEnqueued($this);
|
||||
|
||||
OperationUxPresenter::alreadyQueuedToast((string) $opRun->type)
|
||||
->actions([
|
||||
Actions\Action::make('view_run')
|
||||
->label('Open operation')
|
||||
->url($runUrl),
|
||||
])
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
OpsUxBrowserEvents::dispatchRunEnqueued($this);
|
||||
|
||||
OperationUxPresenter::queuedToast((string) $opRun->type)
|
||||
->body('The backfill will run in the background. You can continue working while it completes.')
|
||||
->actions([
|
||||
Actions\Action::make('view_run')
|
||||
->label('Open operation')
|
||||
->url($runUrl),
|
||||
])
|
||||
->send();
|
||||
})
|
||||
)
|
||||
->preserveVisibility()
|
||||
->requireCapability(Capabilities::TENANT_MANAGE)
|
||||
->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
|
||||
->apply();
|
||||
|
||||
$actions[] = UiEnforcement::forAction(
|
||||
Actions\Action::make('triage_all_matching')
|
||||
->label('Triage all matching')
|
||||
@ -248,7 +171,6 @@ protected function getHeaderActions(): array
|
||||
if (! in_array((string) $finding->status, [
|
||||
Finding::STATUS_NEW,
|
||||
Finding::STATUS_REOPENED,
|
||||
Finding::STATUS_ACKNOWLEDGED,
|
||||
], true)) {
|
||||
$skippedCount++;
|
||||
|
||||
|
||||
@ -44,7 +44,7 @@ protected function getHeaderActions(): array
|
||||
->primaryListAction(CrossResourceNavigationMatrix::SOURCE_FINDING, $this->getRecord())?->isAvailable() ?? false))
|
||||
->color('gray'),
|
||||
Actions\Action::make('open_approval_queue')
|
||||
->label('Open approval queue')
|
||||
->label(__('localization.findings.open_approval_queue'))
|
||||
->icon('heroicon-o-arrow-top-right-on-square')
|
||||
->color('gray')
|
||||
->visible(function (): bool {
|
||||
@ -61,7 +61,7 @@ protected function getHeaderActions(): array
|
||||
: null;
|
||||
}),
|
||||
Actions\ActionGroup::make(FindingResource::workflowActions())
|
||||
->label('Actions')
|
||||
->label(__('localization.findings.actions'))
|
||||
->icon('heroicon-o-ellipsis-vertical')
|
||||
->color('gray'),
|
||||
]);
|
||||
|
||||
@ -85,6 +85,26 @@ public static function shouldRegisterNavigation(): bool
|
||||
return Filament::getCurrentPanel()?->getId() === 'tenant';
|
||||
}
|
||||
|
||||
public static function getNavigationGroup(): string
|
||||
{
|
||||
return __('localization.review.reporting');
|
||||
}
|
||||
|
||||
public static function getNavigationLabel(): string
|
||||
{
|
||||
return __('localization.review.reviews');
|
||||
}
|
||||
|
||||
public static function getModelLabel(): string
|
||||
{
|
||||
return __('localization.review.review');
|
||||
}
|
||||
|
||||
public static function getPluralModelLabel(): string
|
||||
{
|
||||
return __('localization.review.reviews');
|
||||
}
|
||||
|
||||
public static function canViewAny(): bool
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
@ -153,7 +173,7 @@ public static function form(Schema $schema): Schema
|
||||
public static function infolist(Schema $schema): Schema
|
||||
{
|
||||
return $schema->schema([
|
||||
Section::make('Outcome summary')
|
||||
Section::make(__('localization.review.outcome_summary'))
|
||||
->schema([
|
||||
ViewEntry::make('artifact_truth')
|
||||
->hiddenLabel()
|
||||
@ -162,7 +182,7 @@ public static function infolist(Schema $schema): Schema
|
||||
->columnSpanFull(),
|
||||
])
|
||||
->columnSpanFull(),
|
||||
Section::make('Review')
|
||||
Section::make(__('localization.review.review'))
|
||||
->schema([
|
||||
TextEntry::make('status')
|
||||
->badge()
|
||||
@ -171,23 +191,23 @@ public static function infolist(Schema $schema): Schema
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewStatus)),
|
||||
TextEntry::make('completeness_state')
|
||||
->label('Completeness')
|
||||
->label(__('localization.review.completeness'))
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewCompleteness))
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantReviewCompleteness))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewCompleteness))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewCompleteness)),
|
||||
TextEntry::make('tenant.name')->label('Tenant'),
|
||||
TextEntry::make('tenant.name')->label(__('localization.review.tenant')),
|
||||
TextEntry::make('generated_at')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('published_at')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('evidenceSnapshot.id')
|
||||
->label('Evidence snapshot')
|
||||
->label(__('localization.review.evidence_snapshot'))
|
||||
->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
|
||||
->url(fn (TenantReview $record): ?string => $record->evidenceSnapshot
|
||||
? EvidenceSnapshotResource::getUrl('view', ['record' => $record->evidenceSnapshot], tenant: $record->tenant)
|
||||
: null),
|
||||
TextEntry::make('currentExportReviewPack.id')
|
||||
->label('Current export')
|
||||
->label(__('localization.review.current_export'))
|
||||
->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
|
||||
->url(fn (TenantReview $record): ?string => $record->currentExportReviewPack
|
||||
? ReviewPackResource::getUrl('view', ['record' => $record->currentExportReviewPack], tenant: $record->tenant)
|
||||
@ -201,7 +221,7 @@ public static function infolist(Schema $schema): Schema
|
||||
])
|
||||
->columns(2)
|
||||
->columnSpanFull(),
|
||||
Section::make('Executive posture')
|
||||
Section::make(__('localization.review.executive_posture'))
|
||||
->schema([
|
||||
ViewEntry::make('review_summary')
|
||||
->hiddenLabel()
|
||||
@ -210,21 +230,21 @@ public static function infolist(Schema $schema): Schema
|
||||
->columnSpanFull(),
|
||||
])
|
||||
->columnSpanFull(),
|
||||
Section::make('Sections')
|
||||
Section::make(__('localization.review.sections'))
|
||||
->schema([
|
||||
RepeatableEntry::make('sections')
|
||||
->hiddenLabel()
|
||||
->schema([
|
||||
TextEntry::make('title'),
|
||||
TextEntry::make('completeness_state')
|
||||
->label('Completeness')
|
||||
->label(__('localization.review.completeness'))
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewCompleteness))
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantReviewCompleteness))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewCompleteness))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewCompleteness)),
|
||||
TextEntry::make('measured_at')->dateTime()->placeholder('—'),
|
||||
Section::make('Details')
|
||||
Section::make(__('localization.review.details'))
|
||||
->schema([
|
||||
ViewEntry::make('section_payload')
|
||||
->hiddenLabel()
|
||||
@ -246,7 +266,7 @@ public static function table(Table $table): Table
|
||||
{
|
||||
$exportExecutivePackAction = UiEnforcement::forTableAction(
|
||||
Actions\Action::make('export_executive_pack')
|
||||
->label('Export executive pack')
|
||||
->label(__('localization.review.export_executive_pack'))
|
||||
->icon('heroicon-o-arrow-down-tray')
|
||||
->visible(fn (TenantReview $record): bool => in_array($record->status, [
|
||||
TenantReviewStatus::Ready->value,
|
||||
@ -278,7 +298,7 @@ public static function table(Table $table): Table
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewStatus))
|
||||
->sortable(),
|
||||
Tables\Columns\TextColumn::make('outcome')
|
||||
->label('Outcome')
|
||||
->label(__('localization.review.outcome'))
|
||||
->badge()
|
||||
->getStateUsing(fn (TenantReview $record): string => static::compressedOutcome($record)->primaryLabel)
|
||||
->color(fn (TenantReview $record): string => static::compressedOutcome($record)->primaryBadge->color)
|
||||
@ -289,10 +309,10 @@ public static function table(Table $table): Table
|
||||
Tables\Columns\TextColumn::make('generated_at')->dateTime()->placeholder('—')->sortable(),
|
||||
Tables\Columns\TextColumn::make('published_at')->dateTime()->placeholder('—')->sortable(),
|
||||
Tables\Columns\IconColumn::make('summary.has_ready_export')
|
||||
->label('Export')
|
||||
->label(__('localization.review.export'))
|
||||
->boolean(),
|
||||
Tables\Columns\TextColumn::make('next_step')
|
||||
->label('Next step')
|
||||
->label(__('localization.review.next_step'))
|
||||
->getStateUsing(fn (TenantReview $record): string => static::compressedOutcome($record)->nextActionText)
|
||||
->wrap(),
|
||||
Tables\Columns\TextColumn::make('fingerprint')
|
||||
@ -306,18 +326,18 @@ public static function table(Table $table): Table
|
||||
->all()),
|
||||
Tables\Filters\SelectFilter::make('completeness_state')
|
||||
->options(BadgeCatalog::options(BadgeDomain::TenantReviewCompleteness, TenantReviewCompletenessState::values())),
|
||||
\App\Support\Filament\FilterPresets::dateRange('review_date', 'Review date', 'generated_at'),
|
||||
\App\Support\Filament\FilterPresets::dateRange('review_date', __('localization.review.review_date'), 'generated_at'),
|
||||
])
|
||||
->actions([
|
||||
$exportExecutivePackAction,
|
||||
])
|
||||
->bulkActions([])
|
||||
->emptyStateHeading('No tenant reviews yet')
|
||||
->emptyStateDescription('Create the first review from an anchored evidence snapshot to start the recurring review history for this tenant.')
|
||||
->emptyStateHeading(__('localization.review.no_tenant_reviews_yet'))
|
||||
->emptyStateDescription(__('localization.review.create_first_review_description'))
|
||||
->emptyStateActions([
|
||||
static::makeCreateReviewAction(
|
||||
name: 'create_first_review',
|
||||
label: 'Create first review',
|
||||
label: __('localization.review.create_first_review'),
|
||||
icon: 'heroicon-o-plus',
|
||||
),
|
||||
]);
|
||||
@ -336,19 +356,23 @@ public static function makeCreateReviewAction(
|
||||
string $label = 'Create review',
|
||||
string $icon = 'heroicon-o-plus',
|
||||
): Actions\Action {
|
||||
$label = $label === 'Create review'
|
||||
? __('localization.review.create_review')
|
||||
: $label;
|
||||
|
||||
return UiEnforcement::forAction(
|
||||
Actions\Action::make($name)
|
||||
->label($label)
|
||||
->icon($icon)
|
||||
->form([
|
||||
Section::make('Evidence basis')
|
||||
Section::make(__('localization.review.evidence_basis'))
|
||||
->schema([
|
||||
Select::make('evidence_snapshot_id')
|
||||
->label('Evidence snapshot')
|
||||
->label(__('localization.review.evidence_snapshot'))
|
||||
->required()
|
||||
->options(fn (): array => static::evidenceSnapshotOptions())
|
||||
->searchable()
|
||||
->helperText('Choose the anchored evidence snapshot for this review.'),
|
||||
->helperText(__('localization.review.evidence_basis_helper')),
|
||||
]),
|
||||
])
|
||||
->action(fn (array $data): mixed => static::executeCreateReview($data)),
|
||||
@ -366,7 +390,7 @@ public static function executeCreateReview(array $data): void
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
Notification::make()->danger()->title('Unable to create review — missing context.')->send();
|
||||
Notification::make()->danger()->title(__('localization.review.unable_create_missing_context'))->send();
|
||||
|
||||
return;
|
||||
}
|
||||
@ -388,7 +412,7 @@ public static function executeCreateReview(array $data): void
|
||||
: null;
|
||||
|
||||
if (! $snapshot instanceof EvidenceSnapshot) {
|
||||
Notification::make()->danger()->title('Select a valid evidence snapshot.')->send();
|
||||
Notification::make()->danger()->title(__('localization.review.select_valid_evidence_snapshot'))->send();
|
||||
|
||||
return;
|
||||
}
|
||||
@ -396,7 +420,7 @@ public static function executeCreateReview(array $data): void
|
||||
try {
|
||||
$review = app(TenantReviewService::class)->create($tenant, $snapshot, $user);
|
||||
} catch (\Throwable $throwable) {
|
||||
Notification::make()->danger()->title('Unable to create review')->body($throwable->getMessage())->send();
|
||||
Notification::make()->danger()->title(__('localization.review.unable_create_review'))->body($throwable->getMessage())->send();
|
||||
|
||||
return;
|
||||
}
|
||||
@ -406,11 +430,11 @@ public static function executeCreateReview(array $data): void
|
||||
if (! $review->wasRecentlyCreated) {
|
||||
Notification::make()
|
||||
->success()
|
||||
->title('Review already available')
|
||||
->body('A matching mutable review already exists for this evidence basis.')
|
||||
->title(__('localization.review.review_already_available'))
|
||||
->body(__('localization.review.review_already_available_body'))
|
||||
->actions([
|
||||
Actions\Action::make('view_review')
|
||||
->label('View review')
|
||||
->label(__('localization.review.view_review'))
|
||||
->url(static::tenantScopedUrl('view', ['record' => $review], $tenant)),
|
||||
])
|
||||
->send();
|
||||
@ -419,12 +443,12 @@ public static function executeCreateReview(array $data): void
|
||||
}
|
||||
|
||||
$toast = OperationUxPresenter::queuedToast(OperationRunType::TenantReviewCompose->value)
|
||||
->body('The review is being composed in the background.');
|
||||
->body(__('localization.review.review_composing_background'));
|
||||
|
||||
if ($review->operation_run_id) {
|
||||
$toast->actions([
|
||||
Actions\Action::make('view_run')
|
||||
->label('Open operation')
|
||||
->label(__('localization.review.open_operation'))
|
||||
->url(OperationRunLinks::tenantlessView((int) $review->operation_run_id)),
|
||||
]);
|
||||
}
|
||||
@ -496,7 +520,7 @@ public static function executeExport(TenantReview $review): void
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User || ! $review->tenant instanceof Tenant) {
|
||||
Notification::make()->danger()->title('Unable to export review — missing context.')->send();
|
||||
Notification::make()->danger()->title(__('localization.review.unable_export_missing_context'))->send();
|
||||
|
||||
return;
|
||||
}
|
||||
@ -513,7 +537,7 @@ public static function executeExport(TenantReview $review): void
|
||||
|
||||
if ($service->checkActiveRunForReview($review)) {
|
||||
OperationUxPresenter::alreadyQueuedToast(OperationRunType::ReviewPackGenerate->value)
|
||||
->body('An executive pack export is already queued or running for this review.')
|
||||
->body(__('localization.review.export_already_queued_body'))
|
||||
->send();
|
||||
|
||||
return;
|
||||
@ -525,11 +549,11 @@ public static function executeExport(TenantReview $review): void
|
||||
'include_operations' => true,
|
||||
]);
|
||||
} catch (WorkspaceEntitlementBlockedException $exception) {
|
||||
Notification::make()->warning()->title('Executive pack export unavailable')->body($exception->getMessage())->send();
|
||||
Notification::make()->warning()->title(__('localization.review.executive_pack_export_unavailable'))->body($exception->getMessage())->send();
|
||||
|
||||
return;
|
||||
} catch (\Throwable $throwable) {
|
||||
Notification::make()->danger()->title('Unable to export executive pack')->body($throwable->getMessage())->send();
|
||||
Notification::make()->danger()->title(__('localization.review.unable_export_executive_pack'))->body($throwable->getMessage())->send();
|
||||
|
||||
return;
|
||||
}
|
||||
@ -540,11 +564,11 @@ public static function executeExport(TenantReview $review): void
|
||||
if (! $pack->wasRecentlyCreated) {
|
||||
Notification::make()
|
||||
->success()
|
||||
->title('Executive pack already available')
|
||||
->body('A matching executive pack already exists for this review.')
|
||||
->title(__('localization.review.executive_pack_already_available'))
|
||||
->body(__('localization.review.executive_pack_already_available_body'))
|
||||
->actions([
|
||||
Actions\Action::make('view_pack')
|
||||
->label('View pack')
|
||||
->label(__('localization.review.view_pack'))
|
||||
->url(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $review->tenant)),
|
||||
])
|
||||
->send();
|
||||
@ -553,7 +577,7 @@ public static function executeExport(TenantReview $review): void
|
||||
}
|
||||
|
||||
OperationUxPresenter::queuedToast(OperationRunType::ReviewPackGenerate->value)
|
||||
->body('The executive pack is being generated in the background.')
|
||||
->body(__('localization.review.executive_pack_generating_background'))
|
||||
->send();
|
||||
}
|
||||
|
||||
@ -593,7 +617,7 @@ private static function evidenceSnapshotOptions(): array
|
||||
'#%d · %s · %s',
|
||||
(int) $snapshot->getKey(),
|
||||
BadgeCatalog::spec(BadgeDomain::EvidenceCompleteness, $snapshot->completeness_state)->label,
|
||||
$snapshot->generated_at?->format('Y-m-d H:i') ?? 'Pending'
|
||||
$snapshot->generated_at?->format('Y-m-d H:i') ?? __('localization.review.pending')
|
||||
),
|
||||
])
|
||||
->all();
|
||||
@ -617,7 +641,7 @@ private static function summaryPresentation(TenantReview $record): array
|
||||
$findingOutcomes = is_array($summary['finding_outcomes'] ?? null) ? $summary['finding_outcomes'] : [];
|
||||
|
||||
if ($findingOutcomeSummary !== null) {
|
||||
$highlights[] = 'Terminal outcomes: '.$findingOutcomeSummary.'.';
|
||||
$highlights[] = __('localization.review.terminal_outcomes').': '.$findingOutcomeSummary.'.';
|
||||
}
|
||||
|
||||
return [
|
||||
@ -629,12 +653,12 @@ private static function summaryPresentation(TenantReview $record): array
|
||||
'publish_blockers' => is_array($summary['publish_blockers'] ?? null) ? $summary['publish_blockers'] : [],
|
||||
'context_links' => static::summaryContextLinks($record),
|
||||
'metrics' => [
|
||||
['label' => 'Findings', 'value' => (string) ($summary['finding_count'] ?? 0)],
|
||||
['label' => 'Reports', 'value' => (string) ($summary['report_count'] ?? 0)],
|
||||
['label' => 'Operations', 'value' => (string) ($summary['operation_count'] ?? 0)],
|
||||
['label' => 'Sections', 'value' => (string) ($summary['section_count'] ?? 0)],
|
||||
['label' => 'Pending verification', 'value' => (string) ($findingOutcomes[FindingOutcomeSemantics::OUTCOME_RESOLVED_PENDING_VERIFICATION] ?? 0)],
|
||||
['label' => 'Verified cleared', 'value' => (string) ($findingOutcomes[FindingOutcomeSemantics::OUTCOME_VERIFIED_CLEARED] ?? 0)],
|
||||
['label' => __('localization.review.findings'), 'value' => (string) ($summary['finding_count'] ?? 0)],
|
||||
['label' => __('localization.review.reports'), 'value' => (string) ($summary['report_count'] ?? 0)],
|
||||
['label' => __('localization.review.operations'), 'value' => (string) ($summary['operation_count'] ?? 0)],
|
||||
['label' => __('localization.review.sections'), 'value' => (string) ($summary['section_count'] ?? 0)],
|
||||
['label' => __('localization.review.pending_verification'), 'value' => (string) ($findingOutcomes[FindingOutcomeSemantics::OUTCOME_RESOLVED_PENDING_VERIFICATION] ?? 0)],
|
||||
['label' => __('localization.review.verified_cleared'), 'value' => (string) ($findingOutcomes[FindingOutcomeSemantics::OUTCOME_VERIFIED_CLEARED] ?? 0)],
|
||||
],
|
||||
];
|
||||
}
|
||||
@ -648,37 +672,37 @@ private static function summaryContextLinks(TenantReview $record): array
|
||||
|
||||
if (is_numeric($record->operation_run_id)) {
|
||||
$links[] = [
|
||||
'title' => 'Operation',
|
||||
'label' => 'Open operation',
|
||||
'title' => __('localization.review.operation'),
|
||||
'label' => __('localization.review.open_operation'),
|
||||
'url' => OperationRunLinks::tenantlessView((int) $record->operation_run_id),
|
||||
'description' => 'Inspect the latest review composition or refresh run.',
|
||||
'description' => __('localization.review.operation_description'),
|
||||
];
|
||||
}
|
||||
|
||||
if ($record->currentExportReviewPack && $record->tenant) {
|
||||
$links[] = [
|
||||
'title' => 'Executive pack',
|
||||
'label' => 'View executive pack',
|
||||
'title' => __('localization.review.executive_pack'),
|
||||
'label' => __('localization.review.view_executive_pack'),
|
||||
'url' => ReviewPackResource::getUrl('view', ['record' => $record->currentExportReviewPack], tenant: $record->tenant),
|
||||
'description' => 'Open the current export that belongs to this review.',
|
||||
'description' => __('localization.review.executive_pack_description'),
|
||||
];
|
||||
}
|
||||
|
||||
if ($record->tenant) {
|
||||
$links[] = [
|
||||
'title' => 'Customer workspace',
|
||||
'label' => 'Open customer workspace',
|
||||
'title' => __('localization.review.customer_workspace'),
|
||||
'label' => __('localization.review.open_customer_workspace'),
|
||||
'url' => CustomerReviewWorkspace::tenantPrefilterUrl($record->tenant),
|
||||
'description' => 'Open the customer-safe review workspace prefiltered to this tenant.',
|
||||
'description' => __('localization.review.customer_workspace_description'),
|
||||
];
|
||||
}
|
||||
|
||||
if ($record->evidenceSnapshot && $record->tenant) {
|
||||
$links[] = [
|
||||
'title' => 'Evidence snapshot',
|
||||
'label' => 'View evidence snapshot',
|
||||
'title' => __('localization.review.evidence_snapshot'),
|
||||
'label' => __('localization.review.view_evidence_snapshot'),
|
||||
'url' => EvidenceSnapshotResource::getUrl('view', ['record' => $record->evidenceSnapshot], tenant: $record->tenant),
|
||||
'description' => 'Return to the evidence basis behind this review.',
|
||||
'description' => __('localization.review.evidence_snapshot_description'),
|
||||
];
|
||||
}
|
||||
|
||||
|
||||
@ -28,6 +28,11 @@ class Dashboard extends BaseDashboard
|
||||
{
|
||||
public string $window = SystemConsoleWindow::LastDay;
|
||||
|
||||
public function getTitle(): string
|
||||
{
|
||||
return __('localization.dashboard.system_title');
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<mixed> $parameters
|
||||
*/
|
||||
@ -109,12 +114,12 @@ protected function getHeaderActions(): array
|
||||
|
||||
return [
|
||||
Action::make('set_window')
|
||||
->label('Time window')
|
||||
->label(__('localization.dashboard.time_window'))
|
||||
->icon('heroicon-o-clock')
|
||||
->color('gray')
|
||||
->form([
|
||||
Select::make('window')
|
||||
->label('Window')
|
||||
->label(__('localization.dashboard.window'))
|
||||
->options(SystemConsoleWindow::options())
|
||||
->default($this->window)
|
||||
->required(),
|
||||
@ -130,7 +135,7 @@ protected function getHeaderActions(): array
|
||||
}),
|
||||
|
||||
Action::make('enter_break_glass')
|
||||
->label('Enter break-glass mode')
|
||||
->label(__('localization.dashboard.enter_break_glass'))
|
||||
->color('danger')
|
||||
->visible(fn (): bool => $canUseBreakGlass && ! $breakGlass->isActive())
|
||||
->requiresConfirmation()
|
||||
@ -158,13 +163,13 @@ protected function getHeaderActions(): array
|
||||
$breakGlass->start($user, (string) ($data['reason'] ?? ''));
|
||||
|
||||
Notification::make()
|
||||
->title('Recovery mode enabled')
|
||||
->title(__('localization.dashboard.recovery_mode_enabled'))
|
||||
->success()
|
||||
->send();
|
||||
}),
|
||||
|
||||
Action::make('exit_break_glass')
|
||||
->label('Exit break-glass')
|
||||
->label(__('localization.dashboard.exit_break_glass'))
|
||||
->color('gray')
|
||||
->visible(fn (): bool => $canUseBreakGlass && $breakGlass->isActive())
|
||||
->requiresConfirmation()
|
||||
@ -180,7 +185,7 @@ protected function getHeaderActions(): array
|
||||
$breakGlass->exit($user);
|
||||
|
||||
Notification::make()
|
||||
->title('Recovery mode ended')
|
||||
->title(__('localization.dashboard.recovery_mode_ended'))
|
||||
->success()
|
||||
->send();
|
||||
}),
|
||||
|
||||
@ -57,11 +57,6 @@ public static function canAccess(): bool
|
||||
&& $user->hasCapability(PlatformCapabilities::OPS_CONTROLS_MANAGE);
|
||||
}
|
||||
|
||||
public function mount(): void
|
||||
{
|
||||
abort_unless(static::canAccess(), 403);
|
||||
}
|
||||
|
||||
public function getHeader(): ?View
|
||||
{
|
||||
return view('filament.system.pages.ops.partials.controls-header', [
|
||||
|
||||
@ -4,26 +4,9 @@
|
||||
|
||||
namespace App\Filament\System\Pages\Ops;
|
||||
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\PlatformUser;
|
||||
use App\Models\Tenant;
|
||||
use App\Services\Auth\BreakGlassSession;
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillScope;
|
||||
use App\Services\Runbooks\RunbookReason;
|
||||
use App\Services\System\AllowedTenantUniverse;
|
||||
use App\Support\Auth\PlatformCapabilities;
|
||||
use App\Support\OpsUx\OperationUxPresenter;
|
||||
use App\Support\OperationalControls\OperationalControlBlockedException;
|
||||
use App\Support\System\SystemOperationRunLinks;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Forms\Components\Radio;
|
||||
use Filament\Forms\Components\Select;
|
||||
use Filament\Forms\Components\Textarea;
|
||||
use Filament\Forms\Components\TextInput;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Pages\Page;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
|
||||
class Runbooks extends Page
|
||||
{
|
||||
@ -37,53 +20,6 @@ class Runbooks extends Page
|
||||
|
||||
protected string $view = 'filament.system.pages.ops.runbooks';
|
||||
|
||||
public string $findingsScopeMode = FindingsLifecycleBackfillScope::MODE_ALL_TENANTS;
|
||||
|
||||
public ?int $findingsTenantId = null;
|
||||
|
||||
public string $scopeMode = FindingsLifecycleBackfillScope::MODE_ALL_TENANTS;
|
||||
|
||||
public ?int $tenantId = null;
|
||||
|
||||
/**
|
||||
* @var array{affected_count: int, total_count: int, estimated_tenants?: int|null}|null
|
||||
*/
|
||||
public ?array $findingsPreflight = null;
|
||||
|
||||
/**
|
||||
* @var array{affected_count: int, total_count: int, estimated_tenants?: int|null}|null
|
||||
*/
|
||||
public ?array $preflight = null;
|
||||
|
||||
public function findingsScopeLabel(): string
|
||||
{
|
||||
if ($this->findingsScopeMode === FindingsLifecycleBackfillScope::MODE_ALL_TENANTS) {
|
||||
return 'All tenants';
|
||||
}
|
||||
|
||||
$tenantName = $this->selectedTenantName($this->findingsTenantId);
|
||||
|
||||
if ($tenantName !== null) {
|
||||
return "Single tenant ({$tenantName})";
|
||||
}
|
||||
|
||||
return $this->findingsTenantId !== null ? "Single tenant (#{$this->findingsTenantId})" : 'Single tenant';
|
||||
}
|
||||
|
||||
public function findingsLastRun(): ?OperationRun
|
||||
{
|
||||
return $this->lastRunForType(FindingsLifecycleBackfillRunbookService::RUNBOOK_KEY);
|
||||
}
|
||||
|
||||
public function selectedTenantName(?int $tenantId): ?string
|
||||
{
|
||||
if ($tenantId === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return Tenant::query()->whereKey($tenantId)->value('name');
|
||||
}
|
||||
|
||||
public static function canAccess(): bool
|
||||
{
|
||||
$user = auth('platform')->user();
|
||||
@ -95,231 +31,4 @@ public static function canAccess(): bool
|
||||
return $user->hasCapability(PlatformCapabilities::OPS_VIEW)
|
||||
&& $user->hasCapability(PlatformCapabilities::RUNBOOKS_VIEW);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<Action>
|
||||
*/
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
Action::make('preflight')
|
||||
->label('Preflight')
|
||||
->color('gray')
|
||||
->icon('heroicon-o-magnifying-glass')
|
||||
->form($this->findingsScopeForm())
|
||||
->action(function (array $data, FindingsLifecycleBackfillRunbookService $runbookService): void {
|
||||
$scope = $this->trustedFindingsScopeFromFormData($data, app(AllowedTenantUniverse::class));
|
||||
|
||||
$this->findingsScopeMode = $scope->mode;
|
||||
$this->findingsTenantId = $scope->tenantId;
|
||||
$this->scopeMode = $scope->mode;
|
||||
$this->tenantId = $scope->tenantId;
|
||||
|
||||
$this->findingsPreflight = $runbookService->preflight($scope);
|
||||
$this->preflight = $this->findingsPreflight;
|
||||
|
||||
Notification::make()
|
||||
->title('Preflight complete')
|
||||
->success()
|
||||
->send();
|
||||
}),
|
||||
|
||||
Action::make('run')
|
||||
->label('Run…')
|
||||
->icon('heroicon-o-play')
|
||||
->color('danger')
|
||||
->requiresConfirmation()
|
||||
->modalHeading('Run: Rebuild Findings Lifecycle')
|
||||
->modalDescription('This operation may modify customer data. Review the preflight and confirm before running.')
|
||||
->form($this->findingsRunForm())
|
||||
->disabled(fn (): bool => ! is_array($this->findingsPreflight) || (int) ($this->findingsPreflight['affected_count'] ?? 0) <= 0)
|
||||
->action(function (array $data, FindingsLifecycleBackfillRunbookService $runbookService): void {
|
||||
if (! is_array($this->findingsPreflight) || (int) ($this->findingsPreflight['affected_count'] ?? 0) <= 0) {
|
||||
throw ValidationException::withMessages([
|
||||
'preflight' => 'Run preflight first.',
|
||||
]);
|
||||
}
|
||||
|
||||
$scope = $this->trustedFindingsScopeFromState(app(AllowedTenantUniverse::class));
|
||||
|
||||
$user = auth('platform')->user();
|
||||
|
||||
if (! $user instanceof PlatformUser) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
if (! $user->hasCapability(PlatformCapabilities::RUNBOOKS_RUN)
|
||||
|| ! $user->hasCapability(PlatformCapabilities::RUNBOOKS_FINDINGS_LIFECYCLE_BACKFILL)
|
||||
) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
if ($scope->isAllTenants()) {
|
||||
$typedConfirmation = (string) ($data['typed_confirmation'] ?? '');
|
||||
|
||||
if ($typedConfirmation !== 'BACKFILL') {
|
||||
throw ValidationException::withMessages([
|
||||
'typed_confirmation' => 'Please type BACKFILL to confirm.',
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
||||
$reason = RunbookReason::fromNullableArray([
|
||||
'reason_code' => $data['reason_code'] ?? null,
|
||||
'reason_text' => $data['reason_text'] ?? null,
|
||||
]);
|
||||
|
||||
try {
|
||||
$run = $runbookService->start(
|
||||
scope: $scope,
|
||||
initiator: $user,
|
||||
reason: $reason,
|
||||
source: 'system_ui',
|
||||
);
|
||||
} catch (OperationalControlBlockedException $exception) {
|
||||
Notification::make()
|
||||
->title($exception->title())
|
||||
->body($exception->getMessage())
|
||||
->warning()
|
||||
->send();
|
||||
|
||||
throw new \Filament\Support\Exceptions\Halt;
|
||||
}
|
||||
|
||||
$viewUrl = SystemOperationRunLinks::view($run);
|
||||
|
||||
$toast = $run->wasRecentlyCreated
|
||||
? OperationUxPresenter::queuedToast((string) $run->type)->body('The runbook will execute in the background.')
|
||||
: OperationUxPresenter::alreadyQueuedToast((string) $run->type);
|
||||
|
||||
$toast
|
||||
->actions([
|
||||
Action::make('view_run')
|
||||
->label('View run')
|
||||
->url($viewUrl),
|
||||
])
|
||||
->send();
|
||||
}),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, \Filament\Schemas\Components\Component>
|
||||
*/
|
||||
private function findingsScopeForm(): array
|
||||
{
|
||||
return [
|
||||
Radio::make('scope_mode')
|
||||
->label('Scope')
|
||||
->options([
|
||||
FindingsLifecycleBackfillScope::MODE_ALL_TENANTS => 'All tenants',
|
||||
FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT => 'Single tenant',
|
||||
])
|
||||
->default($this->findingsScopeMode)
|
||||
->live()
|
||||
->required(),
|
||||
|
||||
Select::make('tenant_id')
|
||||
->label('Tenant')
|
||||
->searchable()
|
||||
->visible(fn (callable $get): bool => $get('scope_mode') === FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT)
|
||||
->required(fn (callable $get): bool => $get('scope_mode') === FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT)
|
||||
->getSearchResultsUsing(function (string $search, AllowedTenantUniverse $universe): array {
|
||||
return $universe
|
||||
->query()
|
||||
->where('name', 'like', "%{$search}%")
|
||||
->orderBy('name')
|
||||
->limit(25)
|
||||
->pluck('name', 'id')
|
||||
->all();
|
||||
})
|
||||
->getOptionLabelUsing(function ($value, AllowedTenantUniverse $universe): ?string {
|
||||
if (! is_numeric($value)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $universe
|
||||
->query()
|
||||
->whereKey((int) $value)
|
||||
->value('name');
|
||||
}),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, \Filament\Schemas\Components\Component>
|
||||
*/
|
||||
private function findingsRunForm(): array
|
||||
{
|
||||
return [
|
||||
TextInput::make('typed_confirmation')
|
||||
->label('Type BACKFILL to confirm')
|
||||
->visible(fn (): bool => $this->findingsScopeMode === FindingsLifecycleBackfillScope::MODE_ALL_TENANTS)
|
||||
->required(fn (): bool => $this->findingsScopeMode === FindingsLifecycleBackfillScope::MODE_ALL_TENANTS)
|
||||
->in(['BACKFILL'])
|
||||
->validationMessages([
|
||||
'in' => 'Please type BACKFILL to confirm.',
|
||||
]),
|
||||
|
||||
Select::make('reason_code')
|
||||
->label('Reason code')
|
||||
->options(RunbookReason::options())
|
||||
->required(function (BreakGlassSession $breakGlass): bool {
|
||||
return $this->findingsScopeMode === FindingsLifecycleBackfillScope::MODE_ALL_TENANTS || $breakGlass->isActive();
|
||||
}),
|
||||
|
||||
Textarea::make('reason_text')
|
||||
->label('Reason')
|
||||
->rows(4)
|
||||
->maxLength(500)
|
||||
->required(function (BreakGlassSession $breakGlass): bool {
|
||||
return $this->findingsScopeMode === FindingsLifecycleBackfillScope::MODE_ALL_TENANTS || $breakGlass->isActive();
|
||||
}),
|
||||
];
|
||||
}
|
||||
|
||||
private function lastRunForType(string $type): ?OperationRun
|
||||
{
|
||||
$platformTenant = Tenant::query()->where('external_id', 'platform')->first();
|
||||
|
||||
if (! $platformTenant instanceof Tenant) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return OperationRun::query()
|
||||
->where('workspace_id', (int) $platformTenant->workspace_id)
|
||||
->where('type', $type)
|
||||
->latest('id')
|
||||
->first();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $data
|
||||
*/
|
||||
private function trustedFindingsScopeFromFormData(array $data, AllowedTenantUniverse $allowedTenantUniverse): FindingsLifecycleBackfillScope
|
||||
{
|
||||
$scope = FindingsLifecycleBackfillScope::fromArray([
|
||||
'mode' => $data['scope_mode'] ?? null,
|
||||
'tenant_id' => $data['tenant_id'] ?? null,
|
||||
]);
|
||||
|
||||
if (! $scope->isSingleTenant()) {
|
||||
return $scope;
|
||||
}
|
||||
|
||||
$tenant = $allowedTenantUniverse->resolveAllowedOrFail($scope->tenantId);
|
||||
|
||||
return FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey());
|
||||
}
|
||||
|
||||
private function trustedFindingsScopeFromState(AllowedTenantUniverse $allowedTenantUniverse): FindingsLifecycleBackfillScope
|
||||
{
|
||||
if ($this->findingsScopeMode !== FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT) {
|
||||
return FindingsLifecycleBackfillScope::allTenants();
|
||||
}
|
||||
|
||||
$tenant = $allowedTenantUniverse->resolveAllowedOrFail($this->findingsTenantId);
|
||||
|
||||
return FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey());
|
||||
}
|
||||
}
|
||||
|
||||
@ -0,0 +1,80 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Http\Controllers;
|
||||
|
||||
use App\Models\User;
|
||||
use App\Services\Localization\LocaleResolver;
|
||||
use Illuminate\Http\RedirectResponse;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Http\Response;
|
||||
use Illuminate\Support\Facades\App;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
|
||||
class LocalizationController extends Controller
|
||||
{
|
||||
public function context(Request $request, LocaleResolver $resolver): JsonResponse
|
||||
{
|
||||
$plane = $request->query('plane');
|
||||
$context = $request->attributes->get(LocaleResolver::REQUEST_ATTRIBUTE);
|
||||
|
||||
if (is_string($plane) && $plane !== '') {
|
||||
$context = $resolver->resolve($request, $plane);
|
||||
}
|
||||
|
||||
return response()->json(is_array($context) ? $context : $resolver->resolve($request));
|
||||
}
|
||||
|
||||
public function updateOverride(Request $request): RedirectResponse
|
||||
{
|
||||
$locale = LocaleResolver::normalize($request->input('locale'));
|
||||
|
||||
if ($locale === null) {
|
||||
throw ValidationException::withMessages([
|
||||
'locale' => [__('localization.validation.unsupported_locale')],
|
||||
]);
|
||||
}
|
||||
|
||||
$request->session()->put(LocaleResolver::SESSION_OVERRIDE_KEY, $locale);
|
||||
App::setLocale($locale);
|
||||
|
||||
return back()->with('status', __('localization.notifications.locale_override_saved'));
|
||||
}
|
||||
|
||||
public function clearOverride(Request $request, LocaleResolver $resolver): RedirectResponse
|
||||
{
|
||||
$request->session()->forget(LocaleResolver::SESSION_OVERRIDE_KEY);
|
||||
App::setLocale($resolver->resolve($request)['locale']);
|
||||
|
||||
return back()->with('status', __('localization.notifications.locale_override_cleared'));
|
||||
}
|
||||
|
||||
public function updateUserPreference(Request $request, LocaleResolver $resolver): RedirectResponse
|
||||
{
|
||||
$user = $request->user();
|
||||
|
||||
abort_unless($user instanceof User, Response::HTTP_NOT_FOUND);
|
||||
|
||||
$rawLocale = $request->input('preferred_locale');
|
||||
$locale = $rawLocale === null || $rawLocale === ''
|
||||
? null
|
||||
: LocaleResolver::normalize($rawLocale);
|
||||
|
||||
if ($rawLocale !== null && $rawLocale !== '' && $locale === null) {
|
||||
throw ValidationException::withMessages([
|
||||
'preferred_locale' => [__('localization.validation.unsupported_locale')],
|
||||
]);
|
||||
}
|
||||
|
||||
$user->forceFill(['preferred_locale' => $locale])->save();
|
||||
$user->refresh();
|
||||
|
||||
App::setLocale($resolver->resolve($request)['locale']);
|
||||
|
||||
return back()->with('status', $locale === null
|
||||
? __('localization.notifications.user_preference_cleared')
|
||||
: __('localization.notifications.user_preference_saved'));
|
||||
}
|
||||
}
|
||||
29
apps/platform/app/Http/Middleware/ApplyResolvedLocale.php
Normal file
29
apps/platform/app/Http/Middleware/ApplyResolvedLocale.php
Normal file
@ -0,0 +1,29 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use App\Services\Localization\LocaleResolver;
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Carbon;
|
||||
use Illuminate\Support\Facades\App;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class ApplyResolvedLocale
|
||||
{
|
||||
public function __construct(private LocaleResolver $resolver) {}
|
||||
|
||||
public function handle(Request $request, Closure $next, ?string $plane = null): Response
|
||||
{
|
||||
$context = $this->resolver->resolve($request, $plane);
|
||||
|
||||
App::setLocale($context['locale']);
|
||||
Carbon::setLocale($context['locale']);
|
||||
|
||||
$request->attributes->set(LocaleResolver::REQUEST_ATTRIBUTE, $context);
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
@ -1,398 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Models\Finding;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Services\Findings\FindingSlaPolicy;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\OpsUx\RunFailureSanitizer;
|
||||
use Carbon\CarbonImmutable;
|
||||
use Illuminate\Bus\Queueable;
|
||||
use Illuminate\Contracts\Queue\ShouldQueue;
|
||||
use Illuminate\Foundation\Bus\Dispatchable;
|
||||
use Illuminate\Queue\InteractsWithQueue;
|
||||
use Illuminate\Queue\SerializesModels;
|
||||
use Illuminate\Support\Arr;
|
||||
use Illuminate\Support\Collection;
|
||||
use Illuminate\Support\Facades\Cache;
|
||||
use Throwable;
|
||||
|
||||
class BackfillFindingLifecycleJob implements ShouldQueue
|
||||
{
|
||||
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
|
||||
|
||||
public function __construct(
|
||||
public readonly int $tenantId,
|
||||
public readonly int $workspaceId,
|
||||
public readonly ?int $initiatorUserId = null,
|
||||
) {}
|
||||
|
||||
public function handle(
|
||||
OperationRunService $operationRuns,
|
||||
FindingSlaPolicy $slaPolicy,
|
||||
FindingsLifecycleBackfillRunbookService $runbookService,
|
||||
): void {
|
||||
$tenant = Tenant::query()->find($this->tenantId);
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return;
|
||||
}
|
||||
|
||||
$initiator = $this->initiatorUserId !== null
|
||||
? User::query()->find($this->initiatorUserId)
|
||||
: null;
|
||||
|
||||
$operationRun = $operationRuns->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'findings.lifecycle.backfill',
|
||||
identityInputs: [
|
||||
'tenant_id' => $this->tenantId,
|
||||
'trigger' => 'backfill',
|
||||
],
|
||||
context: [
|
||||
'workspace_id' => $this->workspaceId,
|
||||
'initiator_user_id' => $this->initiatorUserId,
|
||||
],
|
||||
initiator: $initiator instanceof User ? $initiator : null,
|
||||
);
|
||||
|
||||
$lock = Cache::lock(sprintf('tenantpilot:findings:lifecycle_backfill:tenant:%d', $this->tenantId), 900);
|
||||
|
||||
if (! $lock->get()) {
|
||||
if ($operationRun->status !== OperationRunStatus::Completed->value) {
|
||||
$operationRuns->updateRun(
|
||||
$operationRun,
|
||||
status: OperationRunStatus::Completed->value,
|
||||
outcome: OperationRunOutcome::Blocked->value,
|
||||
failures: [
|
||||
[
|
||||
'code' => 'findings.lifecycle.backfill.lock_busy',
|
||||
'message' => 'Another findings lifecycle backfill is already running for this tenant.',
|
||||
],
|
||||
],
|
||||
);
|
||||
}
|
||||
|
||||
$runbookService->maybeFinalize($operationRun);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
$total = (int) Finding::query()
|
||||
->where('tenant_id', $tenant->getKey())
|
||||
->count();
|
||||
|
||||
$operationRuns->updateRun(
|
||||
$operationRun,
|
||||
status: OperationRunStatus::Running->value,
|
||||
outcome: OperationRunOutcome::Pending->value,
|
||||
summaryCounts: [
|
||||
'total' => $total,
|
||||
'processed' => 0,
|
||||
'updated' => 0,
|
||||
'skipped' => 0,
|
||||
'failed' => 0,
|
||||
],
|
||||
);
|
||||
|
||||
$operationRun->refresh();
|
||||
|
||||
$backfillStartedAt = $operationRun->started_at !== null
|
||||
? CarbonImmutable::instance($operationRun->started_at)
|
||||
: CarbonImmutable::now('UTC');
|
||||
|
||||
Finding::query()
|
||||
->where('tenant_id', $tenant->getKey())
|
||||
->orderBy('id')
|
||||
->chunkById(200, function (Collection $findings) use ($tenant, $slaPolicy, $operationRuns, $operationRun, $backfillStartedAt): void {
|
||||
$processed = 0;
|
||||
$updated = 0;
|
||||
$skipped = 0;
|
||||
|
||||
foreach ($findings as $finding) {
|
||||
if (! $finding instanceof Finding) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$processed++;
|
||||
|
||||
$originalAttributes = $finding->getAttributes();
|
||||
|
||||
$this->backfillLifecycleFields($finding, $backfillStartedAt);
|
||||
$this->backfillLegacyAcknowledgedStatus($finding);
|
||||
$this->backfillSlaFields($finding, $tenant, $slaPolicy, $backfillStartedAt);
|
||||
$this->backfillDriftRecurrenceKey($finding);
|
||||
|
||||
if ($finding->isDirty()) {
|
||||
$finding->save();
|
||||
$updated++;
|
||||
} else {
|
||||
$finding->setRawAttributes($originalAttributes, sync: true);
|
||||
$skipped++;
|
||||
}
|
||||
}
|
||||
|
||||
$operationRuns->incrementSummaryCounts($operationRun, [
|
||||
'processed' => $processed,
|
||||
'updated' => $updated,
|
||||
'skipped' => $skipped,
|
||||
]);
|
||||
});
|
||||
|
||||
$consolidatedDuplicates = $this->consolidateDriftDuplicates($tenant, $backfillStartedAt);
|
||||
|
||||
if ($consolidatedDuplicates > 0) {
|
||||
$operationRuns->incrementSummaryCounts($operationRun, [
|
||||
'updated' => $consolidatedDuplicates,
|
||||
]);
|
||||
}
|
||||
|
||||
$operationRuns->updateRun(
|
||||
$operationRun,
|
||||
status: OperationRunStatus::Completed->value,
|
||||
outcome: OperationRunOutcome::Succeeded->value,
|
||||
);
|
||||
|
||||
$runbookService->maybeFinalize($operationRun);
|
||||
} catch (Throwable $e) {
|
||||
$message = RunFailureSanitizer::sanitizeMessage($e->getMessage());
|
||||
$reasonCode = RunFailureSanitizer::normalizeReasonCode($e->getMessage());
|
||||
|
||||
$operationRuns->updateRun(
|
||||
$operationRun,
|
||||
status: OperationRunStatus::Completed->value,
|
||||
outcome: OperationRunOutcome::Failed->value,
|
||||
failures: [[
|
||||
'code' => 'findings.lifecycle.backfill.failed',
|
||||
'reason_code' => $reasonCode,
|
||||
'message' => $message !== '' ? $message : 'Findings lifecycle backfill failed.',
|
||||
]],
|
||||
);
|
||||
|
||||
$runbookService->maybeFinalize($operationRun);
|
||||
|
||||
throw $e;
|
||||
} finally {
|
||||
$lock->release();
|
||||
}
|
||||
}
|
||||
|
||||
private function backfillLifecycleFields(Finding $finding, CarbonImmutable $backfillStartedAt): void
|
||||
{
|
||||
$createdAt = $finding->created_at !== null ? CarbonImmutable::instance($finding->created_at) : $backfillStartedAt;
|
||||
|
||||
if ($finding->first_seen_at === null) {
|
||||
$finding->first_seen_at = $createdAt;
|
||||
}
|
||||
|
||||
if ($finding->last_seen_at === null) {
|
||||
$finding->last_seen_at = $createdAt;
|
||||
}
|
||||
|
||||
if ($finding->last_seen_at !== null && $finding->first_seen_at !== null) {
|
||||
$lastSeen = CarbonImmutable::instance($finding->last_seen_at);
|
||||
$firstSeen = CarbonImmutable::instance($finding->first_seen_at);
|
||||
|
||||
if ($lastSeen->lessThan($firstSeen)) {
|
||||
$finding->last_seen_at = $firstSeen;
|
||||
}
|
||||
}
|
||||
|
||||
$timesSeen = is_numeric($finding->times_seen) ? (int) $finding->times_seen : 0;
|
||||
|
||||
if ($timesSeen < 1) {
|
||||
$finding->times_seen = 1;
|
||||
}
|
||||
}
|
||||
|
||||
private function backfillLegacyAcknowledgedStatus(Finding $finding): void
|
||||
{
|
||||
if ($finding->status !== Finding::STATUS_ACKNOWLEDGED) {
|
||||
return;
|
||||
}
|
||||
|
||||
$finding->status = Finding::STATUS_TRIAGED;
|
||||
|
||||
if ($finding->triaged_at === null) {
|
||||
if ($finding->acknowledged_at !== null) {
|
||||
$finding->triaged_at = CarbonImmutable::instance($finding->acknowledged_at);
|
||||
} elseif ($finding->created_at !== null) {
|
||||
$finding->triaged_at = CarbonImmutable::instance($finding->created_at);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private function backfillSlaFields(
|
||||
Finding $finding,
|
||||
Tenant $tenant,
|
||||
FindingSlaPolicy $slaPolicy,
|
||||
CarbonImmutable $backfillStartedAt,
|
||||
): void {
|
||||
if (! Finding::isOpenStatus((string) $finding->status)) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ($finding->sla_days === null) {
|
||||
$finding->sla_days = $slaPolicy->daysForSeverity((string) $finding->severity, $tenant);
|
||||
}
|
||||
|
||||
if ($finding->due_at === null) {
|
||||
$finding->due_at = $slaPolicy->dueAtForSeverity((string) $finding->severity, $tenant, $backfillStartedAt);
|
||||
}
|
||||
}
|
||||
|
||||
private function backfillDriftRecurrenceKey(Finding $finding): void
|
||||
{
|
||||
if ($finding->finding_type !== Finding::FINDING_TYPE_DRIFT) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ($finding->recurrence_key !== null && trim((string) $finding->recurrence_key) !== '') {
|
||||
return;
|
||||
}
|
||||
|
||||
$tenantId = (int) ($finding->tenant_id ?? 0);
|
||||
$scopeKey = (string) ($finding->scope_key ?? '');
|
||||
$subjectType = (string) ($finding->subject_type ?? '');
|
||||
$subjectExternalId = (string) ($finding->subject_external_id ?? '');
|
||||
|
||||
if ($tenantId <= 0 || $scopeKey === '' || $subjectType === '' || $subjectExternalId === '') {
|
||||
return;
|
||||
}
|
||||
|
||||
$evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];
|
||||
$kind = Arr::get($evidence, 'summary.kind');
|
||||
$changeType = Arr::get($evidence, 'change_type');
|
||||
|
||||
$kind = is_string($kind) ? $kind : '';
|
||||
$changeType = is_string($changeType) ? $changeType : '';
|
||||
|
||||
if ($kind === '') {
|
||||
return;
|
||||
}
|
||||
|
||||
$dimension = $this->recurrenceDimension($kind, $changeType);
|
||||
|
||||
$finding->recurrence_key = hash('sha256', sprintf(
|
||||
'drift:%d:%s:%s:%s:%s',
|
||||
$tenantId,
|
||||
$scopeKey,
|
||||
$subjectType,
|
||||
$subjectExternalId,
|
||||
$dimension,
|
||||
));
|
||||
}
|
||||
|
||||
private function recurrenceDimension(string $kind, string $changeType): string
|
||||
{
|
||||
$kind = strtolower(trim($kind));
|
||||
$changeType = strtolower(trim($changeType));
|
||||
|
||||
return match ($kind) {
|
||||
'policy_snapshot', 'baseline_compare' => sprintf('%s:%s', $kind, $changeType !== '' ? $changeType : 'modified'),
|
||||
default => $kind,
|
||||
};
|
||||
}
|
||||
|
||||
private function consolidateDriftDuplicates(Tenant $tenant, CarbonImmutable $backfillStartedAt): int
|
||||
{
|
||||
$duplicateKeys = Finding::query()
|
||||
->where('tenant_id', $tenant->getKey())
|
||||
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
|
||||
->whereNotNull('recurrence_key')
|
||||
->select(['recurrence_key'])
|
||||
->groupBy('recurrence_key')
|
||||
->havingRaw('COUNT(*) > 1')
|
||||
->pluck('recurrence_key')
|
||||
->filter(static fn (mixed $value): bool => is_string($value) && trim($value) !== '')
|
||||
->values();
|
||||
|
||||
if ($duplicateKeys->isEmpty()) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
$consolidated = 0;
|
||||
|
||||
foreach ($duplicateKeys as $recurrenceKey) {
|
||||
if (! is_string($recurrenceKey) || $recurrenceKey === '') {
|
||||
continue;
|
||||
}
|
||||
|
||||
$findings = Finding::query()
|
||||
->where('tenant_id', $tenant->getKey())
|
||||
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
|
||||
->where('recurrence_key', $recurrenceKey)
|
||||
->orderBy('id')
|
||||
->get();
|
||||
|
||||
$canonical = $this->chooseCanonicalDriftFinding($findings, $recurrenceKey);
|
||||
|
||||
foreach ($findings as $finding) {
|
||||
if (! $finding instanceof Finding) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if ($canonical instanceof Finding && (int) $finding->getKey() === (int) $canonical->getKey()) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$finding->forceFill([
|
||||
'status' => Finding::STATUS_CLOSED,
|
||||
'resolved_at' => null,
|
||||
'resolved_reason' => null,
|
||||
'closed_at' => $backfillStartedAt,
|
||||
'closed_reason' => Finding::CLOSE_REASON_DUPLICATE,
|
||||
'closed_by_user_id' => null,
|
||||
'recurrence_key' => null,
|
||||
])->save();
|
||||
|
||||
$consolidated++;
|
||||
}
|
||||
}
|
||||
|
||||
return $consolidated;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Collection<int, Finding> $findings
|
||||
*/
|
||||
private function chooseCanonicalDriftFinding(Collection $findings, string $recurrenceKey): ?Finding
|
||||
{
|
||||
if ($findings->isEmpty()) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$openCandidates = $findings->filter(static fn (Finding $finding): bool => Finding::isOpenStatus((string) $finding->status));
|
||||
|
||||
$candidates = $openCandidates->isNotEmpty() ? $openCandidates : $findings;
|
||||
|
||||
$alreadyCanonical = $candidates->first(static fn (Finding $finding): bool => (string) $finding->fingerprint === $recurrenceKey);
|
||||
|
||||
if ($alreadyCanonical instanceof Finding) {
|
||||
return $alreadyCanonical;
|
||||
}
|
||||
|
||||
/** @var Finding $sorted */
|
||||
$sorted = $candidates
|
||||
->sortByDesc(function (Finding $finding): array {
|
||||
$lastSeen = $finding->last_seen_at !== null ? CarbonImmutable::instance($finding->last_seen_at)->getTimestamp() : 0;
|
||||
$createdAt = $finding->created_at !== null ? CarbonImmutable::instance($finding->created_at)->getTimestamp() : 0;
|
||||
|
||||
return [
|
||||
max($lastSeen, $createdAt),
|
||||
(int) $finding->getKey(),
|
||||
];
|
||||
})
|
||||
->first();
|
||||
|
||||
return $sorted;
|
||||
}
|
||||
}
|
||||
@ -1,378 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Models\Finding;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\Tenant;
|
||||
use App\Services\Findings\FindingSlaPolicy;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
|
||||
use App\Support\OpsUx\RunFailureSanitizer;
|
||||
use Carbon\CarbonImmutable;
|
||||
use Illuminate\Bus\Queueable;
|
||||
use Illuminate\Contracts\Queue\ShouldQueue;
|
||||
use Illuminate\Foundation\Bus\Dispatchable;
|
||||
use Illuminate\Queue\InteractsWithQueue;
|
||||
use Illuminate\Queue\SerializesModels;
|
||||
use Illuminate\Support\Arr;
|
||||
use Illuminate\Support\Collection;
|
||||
use Illuminate\Support\Facades\Cache;
|
||||
use Throwable;
|
||||
|
||||
class BackfillFindingLifecycleTenantIntoWorkspaceRunJob implements ShouldQueue
|
||||
{
|
||||
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
|
||||
|
||||
public function __construct(
|
||||
public readonly int $operationRunId,
|
||||
public readonly int $workspaceId,
|
||||
public readonly int $tenantId,
|
||||
) {}
|
||||
|
||||
public function handle(
|
||||
OperationRunService $operationRunService,
|
||||
FindingSlaPolicy $slaPolicy,
|
||||
FindingsLifecycleBackfillRunbookService $runbookService,
|
||||
): void {
|
||||
$tenant = Tenant::query()->find($this->tenantId);
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ((int) $tenant->workspace_id !== $this->workspaceId) {
|
||||
return;
|
||||
}
|
||||
|
||||
$run = OperationRun::query()->find($this->operationRunId);
|
||||
|
||||
if (! $run instanceof OperationRun) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ((int) $run->workspace_id !== $this->workspaceId) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ($run->tenant_id !== null) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ($run->status === 'queued') {
|
||||
$operationRunService->updateRun($run, status: 'running');
|
||||
}
|
||||
|
||||
$lock = Cache::lock(sprintf('tenantpilot:findings:lifecycle_backfill:tenant:%d', $this->tenantId), 900);
|
||||
|
||||
if (! $lock->get()) {
|
||||
$operationRunService->appendFailures($run, [
|
||||
[
|
||||
'code' => 'findings.lifecycle.backfill.lock_busy',
|
||||
'message' => sprintf('Tenant %d is already running a findings lifecycle backfill.', $this->tenantId),
|
||||
],
|
||||
]);
|
||||
|
||||
$operationRunService->incrementSummaryCounts($run, [
|
||||
'failed' => 1,
|
||||
'processed' => 1,
|
||||
]);
|
||||
|
||||
$operationRunService->maybeCompleteBulkRun($run);
|
||||
$runbookService->maybeFinalize($run);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
$backfillStartedAt = $run->started_at !== null
|
||||
? CarbonImmutable::instance($run->started_at)
|
||||
: CarbonImmutable::now('UTC');
|
||||
|
||||
Finding::query()
|
||||
->where('tenant_id', $tenant->getKey())
|
||||
->orderBy('id')
|
||||
->chunkById(200, function (Collection $findings) use ($tenant, $slaPolicy, $operationRunService, $run, $backfillStartedAt): void {
|
||||
$updated = 0;
|
||||
$skipped = 0;
|
||||
|
||||
foreach ($findings as $finding) {
|
||||
if (! $finding instanceof Finding) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$originalAttributes = $finding->getAttributes();
|
||||
|
||||
$this->backfillLifecycleFields($finding, $backfillStartedAt);
|
||||
$this->backfillLegacyAcknowledgedStatus($finding);
|
||||
$this->backfillSlaFields($finding, $tenant, $slaPolicy, $backfillStartedAt);
|
||||
$this->backfillDriftRecurrenceKey($finding);
|
||||
|
||||
if ($finding->isDirty()) {
|
||||
$finding->save();
|
||||
$updated++;
|
||||
} else {
|
||||
$finding->setRawAttributes($originalAttributes, sync: true);
|
||||
$skipped++;
|
||||
}
|
||||
}
|
||||
|
||||
if ($updated > 0 || $skipped > 0) {
|
||||
$operationRunService->incrementSummaryCounts($run, [
|
||||
'updated' => $updated,
|
||||
'skipped' => $skipped,
|
||||
]);
|
||||
}
|
||||
});
|
||||
|
||||
$consolidatedDuplicates = $this->consolidateDriftDuplicates($tenant, $backfillStartedAt);
|
||||
|
||||
if ($consolidatedDuplicates > 0) {
|
||||
$operationRunService->incrementSummaryCounts($run, [
|
||||
'updated' => $consolidatedDuplicates,
|
||||
]);
|
||||
}
|
||||
|
||||
$operationRunService->incrementSummaryCounts($run, [
|
||||
'processed' => 1,
|
||||
]);
|
||||
|
||||
$operationRunService->maybeCompleteBulkRun($run);
|
||||
$runbookService->maybeFinalize($run);
|
||||
} catch (Throwable $e) {
|
||||
$message = RunFailureSanitizer::sanitizeMessage($e->getMessage());
|
||||
$reasonCode = RunFailureSanitizer::normalizeReasonCode($e->getMessage());
|
||||
|
||||
$operationRunService->appendFailures($run, [[
|
||||
'code' => 'findings.lifecycle.backfill.failed',
|
||||
'reason_code' => $reasonCode,
|
||||
'message' => $message !== '' ? $message : sprintf('Tenant %d findings lifecycle backfill failed.', $this->tenantId),
|
||||
]]);
|
||||
|
||||
$operationRunService->incrementSummaryCounts($run, [
|
||||
'failed' => 1,
|
||||
'processed' => 1,
|
||||
]);
|
||||
|
||||
$operationRunService->maybeCompleteBulkRun($run);
|
||||
$runbookService->maybeFinalize($run);
|
||||
|
||||
throw $e;
|
||||
} finally {
|
||||
$lock->release();
|
||||
}
|
||||
}
|
||||
|
||||
private function backfillLifecycleFields(Finding $finding, CarbonImmutable $backfillStartedAt): void
|
||||
{
|
||||
$createdAt = $finding->created_at !== null ? CarbonImmutable::instance($finding->created_at) : $backfillStartedAt;
|
||||
|
||||
if ($finding->first_seen_at === null) {
|
||||
$finding->first_seen_at = $createdAt;
|
||||
}
|
||||
|
||||
if ($finding->last_seen_at === null) {
|
||||
$finding->last_seen_at = $createdAt;
|
||||
}
|
||||
|
||||
if ($finding->last_seen_at !== null && $finding->first_seen_at !== null) {
|
||||
$lastSeen = CarbonImmutable::instance($finding->last_seen_at);
|
||||
$firstSeen = CarbonImmutable::instance($finding->first_seen_at);
|
||||
|
||||
if ($lastSeen->lessThan($firstSeen)) {
|
||||
$finding->last_seen_at = $firstSeen;
|
||||
}
|
||||
}
|
||||
|
||||
$timesSeen = is_numeric($finding->times_seen) ? (int) $finding->times_seen : 0;
|
||||
|
||||
if ($timesSeen < 1) {
|
||||
$finding->times_seen = 1;
|
||||
}
|
||||
}
|
||||
|
||||
private function backfillLegacyAcknowledgedStatus(Finding $finding): void
|
||||
{
|
||||
if ($finding->status !== Finding::STATUS_ACKNOWLEDGED) {
|
||||
return;
|
||||
}
|
||||
|
||||
$finding->status = Finding::STATUS_TRIAGED;
|
||||
|
||||
if ($finding->triaged_at === null) {
|
||||
if ($finding->acknowledged_at !== null) {
|
||||
$finding->triaged_at = CarbonImmutable::instance($finding->acknowledged_at);
|
||||
} elseif ($finding->created_at !== null) {
|
||||
$finding->triaged_at = CarbonImmutable::instance($finding->created_at);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private function backfillSlaFields(
|
||||
Finding $finding,
|
||||
Tenant $tenant,
|
||||
FindingSlaPolicy $slaPolicy,
|
||||
CarbonImmutable $backfillStartedAt,
|
||||
): void {
|
||||
if (! Finding::isOpenStatus((string) $finding->status)) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ($finding->sla_days === null) {
|
||||
$finding->sla_days = $slaPolicy->daysForSeverity((string) $finding->severity, $tenant);
|
||||
}
|
||||
|
||||
if ($finding->due_at === null) {
|
||||
$finding->due_at = $slaPolicy->dueAtForSeverity((string) $finding->severity, $tenant, $backfillStartedAt);
|
||||
}
|
||||
}
|
||||
|
||||
private function backfillDriftRecurrenceKey(Finding $finding): void
|
||||
{
|
||||
if ($finding->finding_type !== Finding::FINDING_TYPE_DRIFT) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ($finding->recurrence_key !== null && trim((string) $finding->recurrence_key) !== '') {
|
||||
return;
|
||||
}
|
||||
|
||||
$tenantId = (int) ($finding->tenant_id ?? 0);
|
||||
$scopeKey = (string) ($finding->scope_key ?? '');
|
||||
$subjectType = (string) ($finding->subject_type ?? '');
|
||||
$subjectExternalId = (string) ($finding->subject_external_id ?? '');
|
||||
|
||||
if ($tenantId <= 0 || $scopeKey === '' || $subjectType === '' || $subjectExternalId === '') {
|
||||
return;
|
||||
}
|
||||
|
||||
$evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];
|
||||
$kind = Arr::get($evidence, 'summary.kind');
|
||||
$changeType = Arr::get($evidence, 'change_type');
|
||||
|
||||
$kind = is_string($kind) ? $kind : '';
|
||||
$changeType = is_string($changeType) ? $changeType : '';
|
||||
|
||||
if ($kind === '') {
|
||||
return;
|
||||
}
|
||||
|
||||
$dimension = $this->recurrenceDimension($kind, $changeType);
|
||||
|
||||
$finding->recurrence_key = hash('sha256', sprintf(
|
||||
'drift:%d:%s:%s:%s:%s',
|
||||
$tenantId,
|
||||
$scopeKey,
|
||||
$subjectType,
|
||||
$subjectExternalId,
|
||||
$dimension,
|
||||
));
|
||||
}
|
||||
|
||||
private function recurrenceDimension(string $kind, string $changeType): string
|
||||
{
|
||||
$kind = strtolower(trim($kind));
|
||||
$changeType = strtolower(trim($changeType));
|
||||
|
||||
return match ($kind) {
|
||||
'policy_snapshot', 'baseline_compare' => sprintf('%s:%s', $kind, $changeType !== '' ? $changeType : 'modified'),
|
||||
default => $kind,
|
||||
};
|
||||
}
|
||||
|
||||
private function consolidateDriftDuplicates(Tenant $tenant, CarbonImmutable $backfillStartedAt): int
|
||||
{
|
||||
$duplicateKeys = Finding::query()
|
||||
->where('tenant_id', $tenant->getKey())
|
||||
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
|
||||
->whereNotNull('recurrence_key')
|
||||
->select(['recurrence_key'])
|
||||
->groupBy('recurrence_key')
|
||||
->havingRaw('COUNT(*) > 1')
|
||||
->pluck('recurrence_key')
|
||||
->filter(static fn (mixed $value): bool => is_string($value) && trim($value) !== '')
|
||||
->values();
|
||||
|
||||
if ($duplicateKeys->isEmpty()) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
$consolidated = 0;
|
||||
|
||||
foreach ($duplicateKeys as $recurrenceKey) {
|
||||
if (! is_string($recurrenceKey) || $recurrenceKey === '') {
|
||||
continue;
|
||||
}
|
||||
|
||||
$findings = Finding::query()
|
||||
->where('tenant_id', $tenant->getKey())
|
||||
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
|
||||
->where('recurrence_key', $recurrenceKey)
|
||||
->orderBy('id')
|
||||
->get();
|
||||
|
||||
$canonical = $this->chooseCanonicalDriftFinding($findings, $recurrenceKey);
|
||||
|
||||
foreach ($findings as $finding) {
|
||||
if (! $finding instanceof Finding) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if ($canonical instanceof Finding && (int) $finding->getKey() === (int) $canonical->getKey()) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$finding->forceFill([
|
||||
'status' => Finding::STATUS_CLOSED,
|
||||
'resolved_at' => null,
|
||||
'resolved_reason' => null,
|
||||
'closed_at' => $backfillStartedAt,
|
||||
'closed_reason' => Finding::CLOSE_REASON_DUPLICATE,
|
||||
'closed_by_user_id' => null,
|
||||
'recurrence_key' => null,
|
||||
])->save();
|
||||
|
||||
$consolidated++;
|
||||
}
|
||||
}
|
||||
|
||||
return $consolidated;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Collection<int, Finding> $findings
|
||||
*/
|
||||
private function chooseCanonicalDriftFinding(Collection $findings, string $recurrenceKey): ?Finding
|
||||
{
|
||||
if ($findings->isEmpty()) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$openCandidates = $findings->filter(static fn (Finding $finding): bool => Finding::isOpenStatus((string) $finding->status));
|
||||
|
||||
$candidates = $openCandidates->isNotEmpty() ? $openCandidates : $findings;
|
||||
|
||||
$alreadyCanonical = $candidates->first(static fn (Finding $finding): bool => (string) $finding->fingerprint === $recurrenceKey);
|
||||
|
||||
if ($alreadyCanonical instanceof Finding) {
|
||||
return $alreadyCanonical;
|
||||
}
|
||||
|
||||
/** @var Finding $sorted */
|
||||
$sorted = $candidates
|
||||
->sortByDesc(function (Finding $finding): array {
|
||||
$lastSeen = $finding->last_seen_at !== null ? CarbonImmutable::instance($finding->last_seen_at)->getTimestamp() : 0;
|
||||
$createdAt = $finding->created_at !== null ? CarbonImmutable::instance($finding->created_at)->getTimestamp() : 0;
|
||||
|
||||
return [
|
||||
max($lastSeen, $createdAt),
|
||||
(int) $finding->getKey(),
|
||||
];
|
||||
})
|
||||
->first();
|
||||
|
||||
return $sorted;
|
||||
}
|
||||
}
|
||||
@ -1,95 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Models\OperationRun;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
|
||||
use App\Services\System\AllowedTenantUniverse;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use Illuminate\Bus\Queueable;
|
||||
use Illuminate\Contracts\Queue\ShouldQueue;
|
||||
use Illuminate\Foundation\Bus\Dispatchable;
|
||||
use Illuminate\Queue\InteractsWithQueue;
|
||||
use Illuminate\Queue\SerializesModels;
|
||||
|
||||
class BackfillFindingLifecycleWorkspaceJob implements ShouldQueue
|
||||
{
|
||||
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
|
||||
|
||||
public function __construct(
|
||||
public readonly int $operationRunId,
|
||||
public readonly int $workspaceId,
|
||||
) {}
|
||||
|
||||
public function handle(
|
||||
OperationRunService $operationRunService,
|
||||
AllowedTenantUniverse $allowedTenantUniverse,
|
||||
FindingsLifecycleBackfillRunbookService $runbookService,
|
||||
): void {
|
||||
$run = OperationRun::query()->find($this->operationRunId);
|
||||
|
||||
if (! $run instanceof OperationRun) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ((int) $run->workspace_id !== $this->workspaceId) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ($run->tenant_id !== null) {
|
||||
return;
|
||||
}
|
||||
|
||||
$tenantIds = $allowedTenantUniverse
|
||||
->query()
|
||||
->where('workspace_id', $this->workspaceId)
|
||||
->orderBy('id')
|
||||
->pluck('id')
|
||||
->map(static fn (mixed $id): int => (int) $id)
|
||||
->all();
|
||||
|
||||
$tenantCount = count($tenantIds);
|
||||
|
||||
$operationRunService->updateRun(
|
||||
$run,
|
||||
status: OperationRunStatus::Running->value,
|
||||
outcome: OperationRunOutcome::Pending->value,
|
||||
summaryCounts: [
|
||||
'tenants' => $tenantCount,
|
||||
'total' => $tenantCount,
|
||||
'processed' => 0,
|
||||
'updated' => 0,
|
||||
'skipped' => 0,
|
||||
'failed' => 0,
|
||||
],
|
||||
);
|
||||
|
||||
if ($tenantCount === 0) {
|
||||
$operationRunService->updateRun(
|
||||
$run,
|
||||
status: OperationRunStatus::Completed->value,
|
||||
outcome: OperationRunOutcome::Succeeded->value,
|
||||
);
|
||||
|
||||
$runbookService->maybeFinalize($run);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
foreach ($tenantIds as $tenantId) {
|
||||
if ($tenantId <= 0) {
|
||||
continue;
|
||||
}
|
||||
|
||||
BackfillFindingLifecycleTenantIntoWorkspaceRunJob::dispatch(
|
||||
operationRunId: (int) $run->getKey(),
|
||||
workspaceId: $this->workspaceId,
|
||||
tenantId: $tenantId,
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -33,8 +33,6 @@ class Finding extends Model
|
||||
|
||||
public const string STATUS_NEW = 'new';
|
||||
|
||||
public const string STATUS_ACKNOWLEDGED = 'acknowledged';
|
||||
|
||||
public const string STATUS_TRIAGED = 'triaged';
|
||||
|
||||
public const string STATUS_IN_PROGRESS = 'in_progress';
|
||||
@ -169,10 +167,7 @@ public static function terminalStatuses(): array
|
||||
*/
|
||||
public static function openStatusesForQuery(): array
|
||||
{
|
||||
return [
|
||||
...self::openStatuses(),
|
||||
self::STATUS_ACKNOWLEDGED,
|
||||
];
|
||||
return self::openStatuses();
|
||||
}
|
||||
|
||||
/**
|
||||
@ -295,10 +290,6 @@ public static function isReopenReason(?string $reason): bool
|
||||
|
||||
public static function canonicalizeStatus(?string $status): ?string
|
||||
{
|
||||
if ($status === self::STATUS_ACKNOWLEDGED) {
|
||||
return self::STATUS_TRIAGED;
|
||||
}
|
||||
|
||||
return $status;
|
||||
}
|
||||
|
||||
@ -324,23 +315,6 @@ public function isRiskAccepted(): bool
|
||||
return (string) $this->status === self::STATUS_RISK_ACCEPTED;
|
||||
}
|
||||
|
||||
public function acknowledge(User $user): self
|
||||
{
|
||||
if ($this->status === self::STATUS_ACKNOWLEDGED) {
|
||||
return $this;
|
||||
}
|
||||
|
||||
$this->forceFill([
|
||||
'status' => self::STATUS_ACKNOWLEDGED,
|
||||
'acknowledged_at' => now(),
|
||||
'acknowledged_by_user_id' => $user->getKey(),
|
||||
]);
|
||||
|
||||
$this->save();
|
||||
|
||||
return $this;
|
||||
}
|
||||
|
||||
public function resolve(string $reason): self
|
||||
{
|
||||
$this->forceFill([
|
||||
|
||||
@ -39,6 +39,7 @@ class User extends Authenticatable implements FilamentUser, HasDefaultTenant, Ha
|
||||
'password',
|
||||
'entra_tenant_id',
|
||||
'entra_object_id',
|
||||
'preferred_locale',
|
||||
];
|
||||
|
||||
/**
|
||||
|
||||
@ -49,10 +49,7 @@ public function update(User $user, Finding $finding): Response|bool
|
||||
|
||||
public function triage(User $user, Finding $finding): Response|bool
|
||||
{
|
||||
return $this->canMutateWithAnyCapability($user, $finding, [
|
||||
Capabilities::TENANT_FINDINGS_TRIAGE,
|
||||
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
||||
]);
|
||||
return $this->canMutateWithCapability($user, $finding, Capabilities::TENANT_FINDINGS_TRIAGE);
|
||||
}
|
||||
|
||||
public function assign(User $user, Finding $finding): Response|bool
|
||||
|
||||
@ -79,16 +79,16 @@ public function panel(Panel $panel): Panel
|
||||
])
|
||||
->navigationItems([
|
||||
WorkspaceOverview::navigationItem(),
|
||||
NavigationItem::make('Integrations')
|
||||
NavigationItem::make(fn (): string => __('localization.navigation.integrations'))
|
||||
->url(fn (): string => route('filament.admin.resources.provider-connections.index'))
|
||||
->icon('heroicon-o-link')
|
||||
->group('Settings')
|
||||
->group(fn (): string => __('localization.navigation.settings'))
|
||||
->sort(15)
|
||||
->visible(fn (): bool => ProviderConnectionResource::canViewAny()),
|
||||
NavigationItem::make('Settings')
|
||||
NavigationItem::make(fn (): string => __('localization.navigation.settings'))
|
||||
->url(fn (): string => WorkspaceSettings::getUrl(panel: 'admin'))
|
||||
->icon('heroicon-o-cog-6-tooth')
|
||||
->group('Settings')
|
||||
->group(fn (): string => __('localization.navigation.settings'))
|
||||
->sort(20)
|
||||
->visible(function (): bool {
|
||||
$user = auth()->user();
|
||||
@ -115,12 +115,12 @@ public function panel(Panel $panel): Panel
|
||||
return $resolver->isMember($user, $workspace)
|
||||
&& $resolver->can($user, $workspace, Capabilities::WORKSPACE_SETTINGS_VIEW);
|
||||
}),
|
||||
NavigationItem::make('Manage workspaces')
|
||||
NavigationItem::make(fn (): string => __('localization.navigation.manage_workspaces'))
|
||||
->url(function (): string {
|
||||
return route('filament.admin.resources.workspaces.index');
|
||||
})
|
||||
->icon('heroicon-o-squares-2x2')
|
||||
->group('Settings')
|
||||
->group(fn (): string => __('localization.navigation.settings'))
|
||||
->sort(10)
|
||||
->visible(function (): bool {
|
||||
$user = auth()->user();
|
||||
@ -136,15 +136,15 @@ public function panel(Panel $panel): Panel
|
||||
->whereIn('role', $roles)
|
||||
->exists();
|
||||
}),
|
||||
NavigationItem::make('Operations')
|
||||
NavigationItem::make(fn (): string => __('localization.navigation.operations'))
|
||||
->url(fn (): string => route('admin.operations.index'))
|
||||
->icon('heroicon-o-queue-list')
|
||||
->group('Monitoring')
|
||||
->group(fn (): string => __('localization.navigation.monitoring'))
|
||||
->sort(10),
|
||||
NavigationItem::make('Audit Log')
|
||||
NavigationItem::make(fn (): string => __('localization.navigation.audit_log'))
|
||||
->url(fn (): string => route('admin.monitoring.audit-log'))
|
||||
->icon('heroicon-o-clipboard-document-list')
|
||||
->group('Monitoring')
|
||||
->group(fn (): string => __('localization.navigation.monitoring'))
|
||||
->sort(30),
|
||||
])
|
||||
->renderHook(
|
||||
@ -210,6 +210,7 @@ public function panel(Panel $panel): Panel
|
||||
DisableBladeIconComponents::class,
|
||||
DispatchServingFilamentEvent::class,
|
||||
])
|
||||
->middleware(['apply-resolved-locale:admin'], isPersistent: true)
|
||||
->authMiddleware([
|
||||
Authenticate::class,
|
||||
]);
|
||||
|
||||
@ -42,6 +42,14 @@ public function panel(Panel $panel): Panel
|
||||
PanelsRenderHook::BODY_START,
|
||||
fn () => view('filament.system.components.break-glass-banner')->render(),
|
||||
)
|
||||
->renderHook(
|
||||
PanelsRenderHook::TOPBAR_START,
|
||||
fn () => view('filament.partials.locale-switcher', [
|
||||
'plane' => 'system',
|
||||
'showPreference' => false,
|
||||
'embedded' => false,
|
||||
])->render(),
|
||||
)
|
||||
->discoverPages(in: app_path('Filament/System/Pages'), for: 'App\\Filament\\System\\Pages')
|
||||
->pages([
|
||||
Dashboard::class,
|
||||
@ -59,6 +67,7 @@ public function panel(Panel $panel): Panel
|
||||
DisableBladeIconComponents::class,
|
||||
DispatchServingFilamentEvent::class,
|
||||
])
|
||||
->middleware(['apply-resolved-locale:system'], isPersistent: true)
|
||||
->authMiddleware([
|
||||
Authenticate::class,
|
||||
'ensure-platform-capability:'.PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
||||
|
||||
@ -50,20 +50,20 @@ public function panel(Panel $panel): Panel
|
||||
'primary' => Color::Indigo,
|
||||
])
|
||||
->navigationItems([
|
||||
NavigationItem::make(OperationRunLinks::collectionLabel())
|
||||
NavigationItem::make(fn (): string => __('localization.navigation.operations'))
|
||||
->url(fn (): string => route('admin.operations.index'))
|
||||
->icon('heroicon-o-queue-list')
|
||||
->group('Monitoring')
|
||||
->group(fn (): string => __('localization.navigation.monitoring'))
|
||||
->sort(10),
|
||||
NavigationItem::make('Alerts')
|
||||
NavigationItem::make(fn (): string => __('localization.navigation.alerts'))
|
||||
->url(fn (): string => url('/admin/alerts'))
|
||||
->icon('heroicon-o-bell-alert')
|
||||
->group('Monitoring')
|
||||
->group(fn (): string => __('localization.navigation.monitoring'))
|
||||
->sort(20),
|
||||
NavigationItem::make('Audit Log')
|
||||
NavigationItem::make(fn (): string => __('localization.navigation.audit_log'))
|
||||
->url(fn (): string => route('admin.monitoring.audit-log'))
|
||||
->icon('heroicon-o-clipboard-document-list')
|
||||
->group('Monitoring')
|
||||
->group(fn (): string => __('localization.navigation.monitoring'))
|
||||
->sort(30),
|
||||
])
|
||||
->renderHook(
|
||||
@ -111,6 +111,7 @@ public function panel(Panel $panel): Panel
|
||||
DisableBladeIconComponents::class,
|
||||
DispatchServingFilamentEvent::class,
|
||||
])
|
||||
->middleware(['apply-resolved-locale:tenant'], isPersistent: true)
|
||||
->authMiddleware([
|
||||
Authenticate::class,
|
||||
]);
|
||||
|
||||
@ -28,7 +28,6 @@ class RoleCapabilityMap
|
||||
Capabilities::TENANT_FINDINGS_RESOLVE,
|
||||
Capabilities::TENANT_FINDINGS_CLOSE,
|
||||
Capabilities::TENANT_FINDINGS_RISK_ACCEPT,
|
||||
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
||||
Capabilities::FINDING_EXCEPTION_VIEW,
|
||||
Capabilities::FINDING_EXCEPTION_MANAGE,
|
||||
Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE,
|
||||
@ -74,7 +73,6 @@ class RoleCapabilityMap
|
||||
Capabilities::TENANT_FINDINGS_RESOLVE,
|
||||
Capabilities::TENANT_FINDINGS_CLOSE,
|
||||
Capabilities::TENANT_FINDINGS_RISK_ACCEPT,
|
||||
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
||||
Capabilities::FINDING_EXCEPTION_VIEW,
|
||||
Capabilities::FINDING_EXCEPTION_MANAGE,
|
||||
Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE,
|
||||
@ -112,7 +110,6 @@ class RoleCapabilityMap
|
||||
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
||||
Capabilities::TENANT_FINDINGS_VIEW,
|
||||
Capabilities::TENANT_FINDINGS_TRIAGE,
|
||||
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
||||
Capabilities::FINDING_EXCEPTION_VIEW,
|
||||
|
||||
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
||||
|
||||
@ -46,17 +46,13 @@ public static function meaningfulActivityActionValues(): array
|
||||
|
||||
public function triage(Finding $finding, Tenant $tenant, User $actor): Finding
|
||||
{
|
||||
$this->authorize($finding, $tenant, $actor, [
|
||||
Capabilities::TENANT_FINDINGS_TRIAGE,
|
||||
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
||||
]);
|
||||
$this->authorize($finding, $tenant, $actor, [Capabilities::TENANT_FINDINGS_TRIAGE]);
|
||||
|
||||
$currentStatus = (string) $finding->status;
|
||||
|
||||
if (! in_array($currentStatus, [
|
||||
Finding::STATUS_NEW,
|
||||
Finding::STATUS_REOPENED,
|
||||
Finding::STATUS_ACKNOWLEDGED,
|
||||
], true)) {
|
||||
throw new InvalidArgumentException('Finding cannot be triaged from the current status.');
|
||||
}
|
||||
@ -82,12 +78,9 @@ public function triage(Finding $finding, Tenant $tenant, User $actor): Finding
|
||||
|
||||
public function startProgress(Finding $finding, Tenant $tenant, User $actor): Finding
|
||||
{
|
||||
$this->authorize($finding, $tenant, $actor, [
|
||||
Capabilities::TENANT_FINDINGS_TRIAGE,
|
||||
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
||||
]);
|
||||
$this->authorize($finding, $tenant, $actor, [Capabilities::TENANT_FINDINGS_TRIAGE]);
|
||||
|
||||
if (! in_array((string) $finding->status, [Finding::STATUS_TRIAGED, Finding::STATUS_ACKNOWLEDGED], true)) {
|
||||
if ((string) $finding->status !== Finding::STATUS_TRIAGED) {
|
||||
throw new InvalidArgumentException('Finding cannot be moved to in-progress from the current status.');
|
||||
}
|
||||
|
||||
@ -369,10 +362,7 @@ private function riskAcceptWithoutAuthorization(Finding $finding, Tenant $tenant
|
||||
|
||||
public function reopen(Finding $finding, Tenant $tenant, User $actor, string $reason): Finding
|
||||
{
|
||||
$this->authorize($finding, $tenant, $actor, [
|
||||
Capabilities::TENANT_FINDINGS_TRIAGE,
|
||||
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
||||
]);
|
||||
$this->authorize($finding, $tenant, $actor, [Capabilities::TENANT_FINDINGS_TRIAGE]);
|
||||
|
||||
if (! in_array((string) $finding->status, Finding::terminalStatuses(), true)) {
|
||||
throw new InvalidArgumentException('Only terminal findings can be reopened.');
|
||||
|
||||
215
apps/platform/app/Services/Localization/LocaleResolver.php
Normal file
215
apps/platform/app/Services/Localization/LocaleResolver.php
Normal file
@ -0,0 +1,215 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Services\Localization;
|
||||
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Services\Settings\SettingsResolver;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Illuminate\Http\Request;
|
||||
|
||||
class LocaleResolver
|
||||
{
|
||||
public const SESSION_OVERRIDE_KEY = 'tenantpilot.locale_override';
|
||||
|
||||
public const REQUEST_ATTRIBUTE = 'tenantpilot.resolved_locale';
|
||||
|
||||
public const SETTING_DOMAIN = 'localization';
|
||||
|
||||
public const SETTING_DEFAULT_LOCALE = 'default_locale';
|
||||
|
||||
public const SOURCE_EXPLICIT_OVERRIDE = 'explicit_override';
|
||||
|
||||
public const SOURCE_USER_PREFERENCE = 'user_preference';
|
||||
|
||||
public const SOURCE_WORKSPACE_DEFAULT = 'workspace_default';
|
||||
|
||||
public const SOURCE_SYSTEM_DEFAULT = 'system_default';
|
||||
|
||||
/**
|
||||
* @var list<string>
|
||||
*/
|
||||
private const SUPPORTED_LOCALES = ['en', 'de'];
|
||||
|
||||
public function __construct(
|
||||
private SettingsResolver $settingsResolver,
|
||||
private WorkspaceContext $workspaceContext,
|
||||
) {}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
public static function supportedLocales(): array
|
||||
{
|
||||
return self::SUPPORTED_LOCALES;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
public static function localeOptions(): array
|
||||
{
|
||||
return [
|
||||
'en' => __('localization.locales.en'),
|
||||
'de' => __('localization.locales.de'),
|
||||
];
|
||||
}
|
||||
|
||||
public static function isSupported(mixed $locale): bool
|
||||
{
|
||||
return self::normalize($locale) !== null;
|
||||
}
|
||||
|
||||
public static function normalize(mixed $locale): ?string
|
||||
{
|
||||
if (! is_string($locale)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$normalized = strtolower(trim($locale));
|
||||
|
||||
return in_array($normalized, self::SUPPORTED_LOCALES, true) ? $normalized : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* locale: string,
|
||||
* source: string,
|
||||
* fallback_locale: string,
|
||||
* user_preference_locale: ?string,
|
||||
* workspace_default_locale: ?string,
|
||||
* machine_artifacts_invariant: true
|
||||
* }
|
||||
*/
|
||||
public function resolve(Request $request, ?string $plane = null): array
|
||||
{
|
||||
$plane = $this->normalizePlane($plane, $request);
|
||||
|
||||
$explicitOverride = $this->explicitOverride($request);
|
||||
$systemDefault = (string) config('app.fallback_locale', 'en');
|
||||
|
||||
if ($plane === 'system') {
|
||||
return $this->resolveFromSources(
|
||||
explicitOverride: $explicitOverride,
|
||||
userPreference: null,
|
||||
workspaceDefault: null,
|
||||
systemDefault: $systemDefault,
|
||||
includeUserPreference: false,
|
||||
includeWorkspaceDefault: false,
|
||||
);
|
||||
}
|
||||
|
||||
$user = $request->user();
|
||||
$userPreference = $user instanceof User ? $user->preferred_locale : null;
|
||||
$workspaceDefault = $this->workspaceDefault($request);
|
||||
|
||||
return $this->resolveFromSources(
|
||||
explicitOverride: $explicitOverride,
|
||||
userPreference: $userPreference,
|
||||
workspaceDefault: $workspaceDefault,
|
||||
systemDefault: $systemDefault,
|
||||
includeUserPreference: true,
|
||||
includeWorkspaceDefault: true,
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* locale: string,
|
||||
* source: string,
|
||||
* fallback_locale: string,
|
||||
* user_preference_locale: ?string,
|
||||
* workspace_default_locale: ?string,
|
||||
* machine_artifacts_invariant: true
|
||||
* }
|
||||
*/
|
||||
public function resolveFromSources(
|
||||
mixed $explicitOverride,
|
||||
mixed $userPreference,
|
||||
mixed $workspaceDefault,
|
||||
mixed $systemDefault,
|
||||
bool $includeUserPreference = true,
|
||||
bool $includeWorkspaceDefault = true,
|
||||
): array {
|
||||
$fallbackLocale = self::normalize(config('app.fallback_locale', 'en')) ?? 'en';
|
||||
|
||||
$candidates = [
|
||||
self::SOURCE_EXPLICIT_OVERRIDE => self::normalize($explicitOverride),
|
||||
];
|
||||
|
||||
if ($includeUserPreference) {
|
||||
$candidates[self::SOURCE_USER_PREFERENCE] = self::normalize($userPreference);
|
||||
}
|
||||
|
||||
if ($includeWorkspaceDefault) {
|
||||
$candidates[self::SOURCE_WORKSPACE_DEFAULT] = self::normalize($workspaceDefault);
|
||||
}
|
||||
|
||||
$candidates[self::SOURCE_SYSTEM_DEFAULT] = self::normalize($systemDefault) ?? $fallbackLocale;
|
||||
|
||||
foreach ($candidates as $source => $locale) {
|
||||
if ($locale !== null) {
|
||||
return [
|
||||
'locale' => $locale,
|
||||
'source' => $source,
|
||||
'fallback_locale' => $fallbackLocale,
|
||||
'user_preference_locale' => $includeUserPreference ? self::normalize($userPreference) : null,
|
||||
'workspace_default_locale' => $includeWorkspaceDefault ? self::normalize($workspaceDefault) : null,
|
||||
'machine_artifacts_invariant' => true,
|
||||
];
|
||||
}
|
||||
}
|
||||
|
||||
return [
|
||||
'locale' => $fallbackLocale,
|
||||
'source' => self::SOURCE_SYSTEM_DEFAULT,
|
||||
'fallback_locale' => $fallbackLocale,
|
||||
'user_preference_locale' => $includeUserPreference ? self::normalize($userPreference) : null,
|
||||
'workspace_default_locale' => $includeWorkspaceDefault ? self::normalize($workspaceDefault) : null,
|
||||
'machine_artifacts_invariant' => true,
|
||||
];
|
||||
}
|
||||
|
||||
private function explicitOverride(Request $request): ?string
|
||||
{
|
||||
$queryLocale = self::normalize($request->query('locale'));
|
||||
|
||||
if ($queryLocale !== null) {
|
||||
return $queryLocale;
|
||||
}
|
||||
|
||||
if (! $request->hasSession()) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return self::normalize($request->session()->get(self::SESSION_OVERRIDE_KEY));
|
||||
}
|
||||
|
||||
private function workspaceDefault(Request $request): ?string
|
||||
{
|
||||
$workspace = $this->workspaceContext->currentWorkspace($request);
|
||||
|
||||
if (! $workspace instanceof Workspace) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return self::normalize($this->settingsResolver->resolveValue(
|
||||
workspace: $workspace,
|
||||
domain: self::SETTING_DOMAIN,
|
||||
key: self::SETTING_DEFAULT_LOCALE,
|
||||
));
|
||||
}
|
||||
|
||||
private function normalizePlane(?string $plane, Request $request): string
|
||||
{
|
||||
$plane = strtolower(trim((string) $plane));
|
||||
|
||||
if (in_array($plane, ['admin', 'tenant', 'system'], true)) {
|
||||
return $plane;
|
||||
}
|
||||
|
||||
return $request->is('system', 'system/*') ? 'system' : 'admin';
|
||||
}
|
||||
}
|
||||
@ -1,739 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Services\Runbooks;
|
||||
|
||||
use App\Jobs\BackfillFindingLifecycleJob;
|
||||
use App\Jobs\BackfillFindingLifecycleWorkspaceJob;
|
||||
use App\Models\Finding;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\PlatformUser;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Notifications\OperationRunCompleted;
|
||||
use App\Services\Alerts\AlertDispatchService;
|
||||
use App\Services\Audit\AuditRecorder;
|
||||
use App\Services\Audit\WorkspaceAuditLogger;
|
||||
use App\Services\Auth\BreakGlassSession;
|
||||
use App\Services\Intune\AuditLogger;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Services\System\AllowedTenantUniverse;
|
||||
use App\Support\Audit\AuditActionId;
|
||||
use App\Support\Audit\AuditActorSnapshot;
|
||||
use App\Support\Audit\AuditTargetSnapshot;
|
||||
use App\Support\OperationCatalog;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\OperationalControls\OperationalControlBlockedException;
|
||||
use App\Support\OperationalControls\OperationalControlEvaluator;
|
||||
use App\Support\System\SystemOperationRunLinks;
|
||||
use Illuminate\Support\Facades\Cache;
|
||||
use Illuminate\Support\Facades\DB;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
use Throwable;
|
||||
|
||||
class FindingsLifecycleBackfillRunbookService
|
||||
{
|
||||
public const string RUNBOOK_KEY = 'findings.lifecycle.backfill';
|
||||
|
||||
public function __construct(
|
||||
private readonly AllowedTenantUniverse $allowedTenantUniverse,
|
||||
private readonly BreakGlassSession $breakGlassSession,
|
||||
private readonly OperationRunService $operationRunService,
|
||||
private readonly AuditLogger $auditLogger,
|
||||
private readonly AlertDispatchService $alertDispatchService,
|
||||
private readonly OperationalControlEvaluator $operationalControls,
|
||||
private readonly AuditRecorder $auditRecorder,
|
||||
private readonly WorkspaceAuditLogger $workspaceAuditLogger,
|
||||
) {}
|
||||
|
||||
/**
|
||||
* @return array{affected_count: int, total_count: int, estimated_tenants?: int|null}
|
||||
*/
|
||||
public function preflight(FindingsLifecycleBackfillScope $scope): array
|
||||
{
|
||||
$result = $this->computePreflight($scope);
|
||||
|
||||
$this->auditSafely(
|
||||
action: 'platform.ops.runbooks.preflight',
|
||||
scope: $scope,
|
||||
operationRunId: null,
|
||||
initiator: null,
|
||||
context: [
|
||||
'preflight' => $result,
|
||||
],
|
||||
);
|
||||
|
||||
return $result;
|
||||
}
|
||||
|
||||
public function start(
|
||||
FindingsLifecycleBackfillScope $scope,
|
||||
User|PlatformUser|null $initiator,
|
||||
?RunbookReason $reason,
|
||||
string $source,
|
||||
): OperationRun {
|
||||
$source = trim($source);
|
||||
|
||||
if ($source === '') {
|
||||
throw ValidationException::withMessages([
|
||||
'source' => 'A run source is required.',
|
||||
]);
|
||||
}
|
||||
|
||||
$isBreakGlassActive = $this->breakGlassSession->isActive();
|
||||
|
||||
if ($scope->isAllTenants() || $isBreakGlassActive) {
|
||||
if (! $reason instanceof RunbookReason) {
|
||||
throw ValidationException::withMessages([
|
||||
'reason' => 'A reason is required for this run.',
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
||||
$preflight = $this->computePreflight($scope);
|
||||
|
||||
if (($preflight['affected_count'] ?? 0) <= 0) {
|
||||
throw ValidationException::withMessages([
|
||||
'preflight.affected_count' => 'Nothing to do for this scope.',
|
||||
]);
|
||||
}
|
||||
|
||||
$workspace = null;
|
||||
$tenant = null;
|
||||
|
||||
if ($scope->isSingleTenant()) {
|
||||
$tenant = Tenant::query()->whereKey((int) $scope->tenantId)->firstOrFail();
|
||||
$this->allowedTenantUniverse->ensureAllowed($tenant);
|
||||
|
||||
$workspace = $tenant->workspace;
|
||||
} else {
|
||||
$platformTenant = $this->platformTenant();
|
||||
$workspace = $platformTenant->workspace;
|
||||
}
|
||||
|
||||
if (! $workspace instanceof Workspace) {
|
||||
throw new \RuntimeException('Platform tenant is missing its workspace.');
|
||||
}
|
||||
|
||||
$decision = $this->operationalControls->evaluate(self::RUNBOOK_KEY, $workspace);
|
||||
|
||||
if ($decision->isPaused()) {
|
||||
$this->auditBlockedStart(
|
||||
decision: $decision,
|
||||
scope: $scope,
|
||||
workspace: $workspace,
|
||||
tenant: $tenant,
|
||||
initiator: $initiator,
|
||||
source: $source,
|
||||
);
|
||||
|
||||
throw OperationalControlBlockedException::forDecision(
|
||||
decision: $decision,
|
||||
actionLabel: OperationCatalog::label(self::RUNBOOK_KEY),
|
||||
);
|
||||
}
|
||||
|
||||
if ($scope->isAllTenants()) {
|
||||
$lockKey = sprintf('tenantpilot:runbooks:%s:workspace:%d', self::RUNBOOK_KEY, (int) $workspace->getKey());
|
||||
$lock = Cache::lock($lockKey, 900);
|
||||
|
||||
if (! $lock->get()) {
|
||||
throw ValidationException::withMessages([
|
||||
'scope' => 'Another run is already in progress for this scope.',
|
||||
]);
|
||||
}
|
||||
|
||||
try {
|
||||
return $this->startAllTenants(
|
||||
workspace: $workspace,
|
||||
initiator: $initiator,
|
||||
reason: $reason,
|
||||
preflight: $preflight,
|
||||
source: $source,
|
||||
isBreakGlassActive: $isBreakGlassActive,
|
||||
);
|
||||
} finally {
|
||||
$lock->release();
|
||||
}
|
||||
}
|
||||
|
||||
return $this->startSingleTenant(
|
||||
tenant: $tenant,
|
||||
initiator: $initiator,
|
||||
reason: $reason,
|
||||
preflight: $preflight,
|
||||
source: $source,
|
||||
isBreakGlassActive: $isBreakGlassActive,
|
||||
);
|
||||
}
|
||||
|
||||
public function maybeFinalize(OperationRun $run): void
|
||||
{
|
||||
$run->refresh();
|
||||
|
||||
if ($run->status !== OperationRunStatus::Completed->value) {
|
||||
return;
|
||||
}
|
||||
|
||||
$context = is_array($run->context) ? $run->context : [];
|
||||
|
||||
if ((string) data_get($context, 'runbook.key') !== self::RUNBOOK_KEY) {
|
||||
return;
|
||||
}
|
||||
|
||||
$lockKey = sprintf('tenantpilot:runbooks:%s:finalize:%d', self::RUNBOOK_KEY, (int) $run->getKey());
|
||||
$lock = Cache::lock($lockKey, 86400);
|
||||
|
||||
if (! $lock->get()) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
$this->auditSafely(
|
||||
action: $run->outcome === OperationRunOutcome::Failed->value
|
||||
? 'platform.ops.runbooks.failed'
|
||||
: 'platform.ops.runbooks.completed',
|
||||
scope: $this->scopeFromRunContext($context),
|
||||
operationRunId: (int) $run->getKey(),
|
||||
context: [
|
||||
'status' => (string) $run->status,
|
||||
'outcome' => (string) $run->outcome,
|
||||
'is_break_glass' => (bool) data_get($context, 'platform_initiator.is_break_glass', false),
|
||||
'reason_code' => data_get($context, 'reason.reason_code'),
|
||||
'reason_text' => data_get($context, 'reason.reason_text'),
|
||||
],
|
||||
);
|
||||
|
||||
$this->notifyInitiatorSafely($run);
|
||||
|
||||
if ($run->outcome === OperationRunOutcome::Failed->value) {
|
||||
$this->dispatchFailureAlertSafely($run);
|
||||
}
|
||||
} finally {
|
||||
$lock->release();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{affected_count: int, total_count: int, estimated_tenants?: int|null}
|
||||
*/
|
||||
private function computePreflight(FindingsLifecycleBackfillScope $scope): array
|
||||
{
|
||||
if ($scope->isSingleTenant()) {
|
||||
$tenant = Tenant::query()->whereKey((int) $scope->tenantId)->firstOrFail();
|
||||
$this->allowedTenantUniverse->ensureAllowed($tenant);
|
||||
|
||||
return $this->computeTenantPreflight($tenant);
|
||||
}
|
||||
|
||||
$platformTenant = $this->platformTenant();
|
||||
$workspaceId = (int) ($platformTenant->workspace_id ?? 0);
|
||||
|
||||
$tenants = $this->allowedTenantUniverse
|
||||
->query()
|
||||
->where('workspace_id', $workspaceId)
|
||||
->orderBy('id')
|
||||
->get();
|
||||
|
||||
$affected = 0;
|
||||
$total = 0;
|
||||
|
||||
foreach ($tenants as $tenant) {
|
||||
if (! $tenant instanceof Tenant) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$counts = $this->computeTenantPreflight($tenant);
|
||||
|
||||
$affected += (int) ($counts['affected_count'] ?? 0);
|
||||
$total += (int) ($counts['total_count'] ?? 0);
|
||||
}
|
||||
|
||||
return [
|
||||
'affected_count' => $affected,
|
||||
'total_count' => $total,
|
||||
'estimated_tenants' => $tenants->count(),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{affected_count: int, total_count: int}
|
||||
*/
|
||||
private function computeTenantPreflight(Tenant $tenant): array
|
||||
{
|
||||
$query = Finding::query()->where('tenant_id', (int) $tenant->getKey());
|
||||
|
||||
$total = (int) (clone $query)->count();
|
||||
|
||||
$affected = 0;
|
||||
|
||||
(clone $query)
|
||||
->orderBy('id')
|
||||
->chunkById(500, function ($findings) use (&$affected): void {
|
||||
foreach ($findings as $finding) {
|
||||
if (! $finding instanceof Finding) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if ($this->findingNeedsBackfill($finding)) {
|
||||
$affected++;
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
$affected += $this->countDriftDuplicateConsolidations($tenant);
|
||||
|
||||
return [
|
||||
'affected_count' => $affected,
|
||||
'total_count' => $total,
|
||||
];
|
||||
}
|
||||
|
||||
private function findingNeedsBackfill(Finding $finding): bool
|
||||
{
|
||||
if ($finding->first_seen_at === null || $finding->last_seen_at === null) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if ($finding->last_seen_at !== null && $finding->first_seen_at !== null) {
|
||||
if ($finding->last_seen_at->lt($finding->first_seen_at)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
$timesSeen = is_numeric($finding->times_seen) ? (int) $finding->times_seen : 0;
|
||||
|
||||
if ($timesSeen < 1) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if ($finding->status === Finding::STATUS_ACKNOWLEDGED) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (Finding::isOpenStatus((string) $finding->status)) {
|
||||
if ($finding->sla_days === null || $finding->due_at === null) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
if ($finding->finding_type === Finding::FINDING_TYPE_DRIFT) {
|
||||
$recurrenceKey = $finding->recurrence_key !== null ? trim((string) $finding->recurrence_key) : '';
|
||||
|
||||
if ($recurrenceKey === '') {
|
||||
$scopeKey = trim((string) ($finding->scope_key ?? ''));
|
||||
$subjectType = trim((string) ($finding->subject_type ?? ''));
|
||||
$subjectExternalId = trim((string) ($finding->subject_external_id ?? ''));
|
||||
|
||||
if ($scopeKey !== '' && $subjectType !== '' && $subjectExternalId !== '') {
|
||||
$evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];
|
||||
$kind = data_get($evidence, 'summary.kind');
|
||||
|
||||
if (is_string($kind) && trim($kind) !== '') {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
private function countDriftDuplicateConsolidations(Tenant $tenant): int
|
||||
{
|
||||
$rows = Finding::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
|
||||
->whereNotNull('recurrence_key')
|
||||
->select(['recurrence_key', DB::raw('COUNT(*) as count')])
|
||||
->groupBy('recurrence_key')
|
||||
->havingRaw('COUNT(*) > 1')
|
||||
->get();
|
||||
|
||||
$duplicates = 0;
|
||||
|
||||
foreach ($rows as $row) {
|
||||
$count = is_numeric($row->count ?? null) ? (int) $row->count : 0;
|
||||
|
||||
if ($count > 1) {
|
||||
$duplicates += ($count - 1);
|
||||
}
|
||||
}
|
||||
|
||||
return $duplicates;
|
||||
}
|
||||
|
||||
private function startAllTenants(
|
||||
Workspace $workspace,
|
||||
User|PlatformUser|null $initiator,
|
||||
?RunbookReason $reason,
|
||||
array $preflight,
|
||||
string $source,
|
||||
bool $isBreakGlassActive,
|
||||
): OperationRun {
|
||||
$run = $this->operationRunService->ensureWorkspaceRunWithIdentity(
|
||||
workspace: $workspace,
|
||||
type: self::RUNBOOK_KEY,
|
||||
identityInputs: [
|
||||
'runbook' => self::RUNBOOK_KEY,
|
||||
'scope' => FindingsLifecycleBackfillScope::MODE_ALL_TENANTS,
|
||||
],
|
||||
context: $this->buildRunContext(
|
||||
workspaceId: (int) $workspace->getKey(),
|
||||
scope: FindingsLifecycleBackfillScope::allTenants(),
|
||||
initiator: $initiator,
|
||||
reason: $reason,
|
||||
preflight: $preflight,
|
||||
source: $source,
|
||||
isBreakGlassActive: $isBreakGlassActive,
|
||||
),
|
||||
initiator: $initiator instanceof User ? $initiator : null,
|
||||
);
|
||||
|
||||
if ($initiator instanceof PlatformUser && $run->wasRecentlyCreated) {
|
||||
$run->update(['initiator_name' => $initiator->name ?: $initiator->email]);
|
||||
$run->refresh();
|
||||
}
|
||||
|
||||
$this->auditSafely(
|
||||
action: 'platform.ops.runbooks.start',
|
||||
scope: FindingsLifecycleBackfillScope::allTenants(),
|
||||
operationRunId: (int) $run->getKey(),
|
||||
initiator: $initiator,
|
||||
context: [
|
||||
'preflight' => $preflight,
|
||||
'is_break_glass' => $isBreakGlassActive,
|
||||
] + ($reason instanceof RunbookReason ? $reason->toArray() : []),
|
||||
);
|
||||
|
||||
if (! $run->wasRecentlyCreated) {
|
||||
return $run;
|
||||
}
|
||||
|
||||
$this->operationRunService->dispatchOrFail($run, function () use ($run, $workspace): void {
|
||||
BackfillFindingLifecycleWorkspaceJob::dispatch(
|
||||
operationRunId: (int) $run->getKey(),
|
||||
workspaceId: (int) $workspace->getKey(),
|
||||
);
|
||||
});
|
||||
|
||||
return $run;
|
||||
}
|
||||
|
||||
private function startSingleTenant(
|
||||
?Tenant $tenant,
|
||||
User|PlatformUser|null $initiator,
|
||||
?RunbookReason $reason,
|
||||
array $preflight,
|
||||
string $source,
|
||||
bool $isBreakGlassActive,
|
||||
): OperationRun {
|
||||
if (! $tenant instanceof Tenant) {
|
||||
throw new \RuntimeException('Target tenant is required for single-tenant runs.');
|
||||
}
|
||||
|
||||
$run = $this->operationRunService->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: self::RUNBOOK_KEY,
|
||||
identityInputs: [
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'trigger' => 'backfill',
|
||||
],
|
||||
context: $this->buildRunContext(
|
||||
workspaceId: (int) $tenant->workspace_id,
|
||||
scope: FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey()),
|
||||
initiator: $initiator,
|
||||
reason: $reason,
|
||||
preflight: $preflight,
|
||||
source: $source,
|
||||
isBreakGlassActive: $isBreakGlassActive,
|
||||
),
|
||||
initiator: $initiator instanceof User ? $initiator : null,
|
||||
);
|
||||
|
||||
if ($initiator instanceof PlatformUser && $run->wasRecentlyCreated) {
|
||||
$run->update(['initiator_name' => $initiator->name ?: $initiator->email]);
|
||||
$run->refresh();
|
||||
}
|
||||
|
||||
$this->auditSafely(
|
||||
action: 'platform.ops.runbooks.start',
|
||||
scope: FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey()),
|
||||
operationRunId: (int) $run->getKey(),
|
||||
initiator: $initiator,
|
||||
context: [
|
||||
'preflight' => $preflight,
|
||||
'is_break_glass' => $isBreakGlassActive,
|
||||
] + ($reason instanceof RunbookReason ? $reason->toArray() : []),
|
||||
);
|
||||
|
||||
if (! $run->wasRecentlyCreated) {
|
||||
return $run;
|
||||
}
|
||||
|
||||
$this->operationRunService->dispatchOrFail($run, function () use ($tenant): void {
|
||||
BackfillFindingLifecycleJob::dispatch(
|
||||
tenantId: (int) $tenant->getKey(),
|
||||
workspaceId: (int) $tenant->workspace_id,
|
||||
initiatorUserId: null,
|
||||
);
|
||||
});
|
||||
|
||||
return $run;
|
||||
}
|
||||
|
||||
private function platformTenant(): Tenant
|
||||
{
|
||||
$tenant = Tenant::query()->where('external_id', 'platform')->first();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
throw new \RuntimeException('Platform tenant is missing.');
|
||||
}
|
||||
|
||||
return $tenant;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
private function buildRunContext(
|
||||
int $workspaceId,
|
||||
FindingsLifecycleBackfillScope $scope,
|
||||
User|PlatformUser|null $initiator,
|
||||
?RunbookReason $reason,
|
||||
array $preflight,
|
||||
string $source,
|
||||
bool $isBreakGlassActive,
|
||||
): array {
|
||||
$context = [
|
||||
'workspace_id' => $workspaceId,
|
||||
'runbook' => [
|
||||
'key' => self::RUNBOOK_KEY,
|
||||
'scope' => $scope->mode,
|
||||
'target_tenant_id' => $scope->tenantId,
|
||||
'source' => $source,
|
||||
],
|
||||
'preflight' => [
|
||||
'affected_count' => (int) ($preflight['affected_count'] ?? 0),
|
||||
'total_count' => (int) ($preflight['total_count'] ?? 0),
|
||||
'estimated_tenants' => $preflight['estimated_tenants'] ?? null,
|
||||
],
|
||||
];
|
||||
|
||||
if ($reason instanceof RunbookReason) {
|
||||
$context['reason'] = $reason->toArray();
|
||||
}
|
||||
|
||||
if ($initiator instanceof PlatformUser) {
|
||||
$context['platform_initiator'] = [
|
||||
'platform_user_id' => (int) $initiator->getKey(),
|
||||
'email' => (string) $initiator->email,
|
||||
'name' => (string) $initiator->name,
|
||||
'is_break_glass' => $isBreakGlassActive,
|
||||
];
|
||||
} elseif ($initiator instanceof User) {
|
||||
$context['tenant_initiator'] = [
|
||||
'user_id' => (int) $initiator->getKey(),
|
||||
'email' => (string) $initiator->email,
|
||||
'name' => (string) $initiator->name,
|
||||
];
|
||||
}
|
||||
|
||||
return $context;
|
||||
}
|
||||
|
||||
private function scopeFromRunContext(array $context): FindingsLifecycleBackfillScope
|
||||
{
|
||||
$scope = data_get($context, 'runbook.scope');
|
||||
$tenantId = data_get($context, 'runbook.target_tenant_id');
|
||||
|
||||
if ($scope === FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT && is_numeric($tenantId)) {
|
||||
return FindingsLifecycleBackfillScope::singleTenant((int) $tenantId);
|
||||
}
|
||||
|
||||
return FindingsLifecycleBackfillScope::allTenants();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $context
|
||||
*/
|
||||
private function auditSafely(
|
||||
string $action,
|
||||
FindingsLifecycleBackfillScope $scope,
|
||||
?int $operationRunId,
|
||||
User|PlatformUser|null $initiator,
|
||||
array $context = [],
|
||||
): void {
|
||||
try {
|
||||
$metadata = [
|
||||
'runbook_key' => self::RUNBOOK_KEY,
|
||||
'scope' => $scope->mode,
|
||||
'target_tenant_id' => $scope->tenantId,
|
||||
'operation_run_id' => $operationRunId,
|
||||
'ip' => request()->ip(),
|
||||
'user_agent' => request()->userAgent(),
|
||||
];
|
||||
|
||||
if ($initiator instanceof User && $scope->isSingleTenant()) {
|
||||
$tenant = Tenant::query()->whereKey((int) $scope->tenantId)->first();
|
||||
|
||||
if ($tenant instanceof Tenant) {
|
||||
$this->auditLogger->log(
|
||||
tenant: $tenant,
|
||||
action: $action,
|
||||
context: [
|
||||
'metadata' => array_filter($metadata, static fn (mixed $value): bool => $value !== null),
|
||||
] + $context,
|
||||
actorId: (int) $initiator->getKey(),
|
||||
actorEmail: (string) $initiator->email,
|
||||
actorName: (string) $initiator->name,
|
||||
status: 'success',
|
||||
resourceType: 'operation_run',
|
||||
resourceId: $operationRunId !== null ? (string) $operationRunId : null,
|
||||
);
|
||||
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
$platformTenant = $this->platformTenant();
|
||||
$platformActor = $initiator instanceof PlatformUser
|
||||
? $initiator
|
||||
: auth('platform')->user();
|
||||
|
||||
$actorId = $platformActor instanceof PlatformUser ? (int) $platformActor->getKey() : null;
|
||||
$actorEmail = $platformActor instanceof PlatformUser ? (string) $platformActor->email : null;
|
||||
$actorName = $platformActor instanceof PlatformUser ? (string) $platformActor->name : null;
|
||||
|
||||
$this->auditLogger->log(
|
||||
tenant: $platformTenant,
|
||||
action: $action,
|
||||
context: [
|
||||
'metadata' => array_filter($metadata, static fn (mixed $value): bool => $value !== null),
|
||||
] + $context,
|
||||
actorId: $actorId,
|
||||
actorEmail: $actorEmail,
|
||||
actorName: $actorName,
|
||||
status: 'success',
|
||||
resourceType: 'operation_run',
|
||||
resourceId: $operationRunId !== null ? (string) $operationRunId : null,
|
||||
);
|
||||
} catch (Throwable) {
|
||||
// Audit is fail-safe (must not crash runbooks).
|
||||
}
|
||||
}
|
||||
|
||||
private function auditBlockedStart(
|
||||
\App\Support\OperationalControls\OperationalControlDecision $decision,
|
||||
FindingsLifecycleBackfillScope $scope,
|
||||
Workspace $workspace,
|
||||
?Tenant $tenant,
|
||||
User|PlatformUser|null $initiator,
|
||||
string $source,
|
||||
): void {
|
||||
try {
|
||||
$metadata = array_filter([
|
||||
'control_key' => $decision->controlKey,
|
||||
'scope_type' => $decision->matchedScopeType,
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'reason_text' => $decision->reasonText,
|
||||
'expires_at' => $decision->expiresAt?->toIso8601String(),
|
||||
'actor_id' => $initiator instanceof User || $initiator instanceof PlatformUser ? (int) $initiator->getKey() : null,
|
||||
'requested_scope' => $scope->mode,
|
||||
'target_tenant_id' => $scope->tenantId,
|
||||
'source' => $source,
|
||||
'runbook_key' => self::RUNBOOK_KEY,
|
||||
], static fn (mixed $value): bool => $value !== null && $value !== '');
|
||||
|
||||
$summary = sprintf('%s blocked by operational control', OperationCatalog::label(self::RUNBOOK_KEY));
|
||||
|
||||
if ($scope->isAllTenants()) {
|
||||
$this->auditRecorder->record(
|
||||
action: AuditActionId::OperationalControlExecutionBlocked,
|
||||
context: ['metadata' => $metadata],
|
||||
actor: $initiator instanceof PlatformUser ? AuditActorSnapshot::platform($initiator) : null,
|
||||
target: new AuditTargetSnapshot(
|
||||
type: 'operational_control',
|
||||
id: $decision->sourceActivationId,
|
||||
label: OperationCatalog::label(self::RUNBOOK_KEY),
|
||||
),
|
||||
outcome: 'blocked',
|
||||
summary: $summary,
|
||||
);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return;
|
||||
}
|
||||
|
||||
$this->workspaceAuditLogger->log(
|
||||
workspace: $workspace,
|
||||
action: AuditActionId::OperationalControlExecutionBlocked,
|
||||
context: ['metadata' => $metadata],
|
||||
actor: $initiator,
|
||||
status: 'blocked',
|
||||
resourceType: 'operational_control',
|
||||
resourceId: $decision->sourceActivationId !== null ? (string) $decision->sourceActivationId : null,
|
||||
targetLabel: OperationCatalog::label(self::RUNBOOK_KEY),
|
||||
summary: $summary,
|
||||
tenant: $tenant,
|
||||
);
|
||||
} catch (Throwable) {
|
||||
// Audit is fail-safe (must not crash runbooks).
|
||||
}
|
||||
}
|
||||
|
||||
private function notifyInitiatorSafely(OperationRun $run): void
|
||||
{
|
||||
try {
|
||||
$platformUserId = data_get($run->context, 'platform_initiator.platform_user_id');
|
||||
|
||||
if (! is_numeric($platformUserId)) {
|
||||
return;
|
||||
}
|
||||
|
||||
$platformUser = PlatformUser::query()->whereKey((int) $platformUserId)->first();
|
||||
|
||||
if (! $platformUser instanceof PlatformUser) {
|
||||
return;
|
||||
}
|
||||
|
||||
$platformUser->notify(new OperationRunCompleted($run));
|
||||
} catch (Throwable) {
|
||||
// Notifications must not crash the runbook.
|
||||
}
|
||||
}
|
||||
|
||||
private function dispatchFailureAlertSafely(OperationRun $run): void
|
||||
{
|
||||
try {
|
||||
$platformTenant = $this->platformTenant();
|
||||
$workspace = $platformTenant->workspace;
|
||||
|
||||
if (! $workspace instanceof Workspace) {
|
||||
return;
|
||||
}
|
||||
|
||||
$this->alertDispatchService->dispatchEvent($workspace, [
|
||||
'tenant_id' => (int) $platformTenant->getKey(),
|
||||
'event_type' => 'operations.run.failed',
|
||||
'severity' => 'high',
|
||||
'title' => 'Operation failed: Findings lifecycle backfill',
|
||||
'body' => 'A findings lifecycle backfill run failed.',
|
||||
'metadata' => [
|
||||
'operation_run_id' => (int) $run->getKey(),
|
||||
'operation_type' => $run->canonicalOperationType(),
|
||||
'scope' => (string) data_get($run->context, 'runbook.scope', ''),
|
||||
'view_run_url' => SystemOperationRunLinks::view($run),
|
||||
],
|
||||
]);
|
||||
} catch (Throwable) {
|
||||
// Alerts must not crash the runbook.
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1,81 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Services\Runbooks;
|
||||
|
||||
use Illuminate\Validation\ValidationException;
|
||||
|
||||
final readonly class FindingsLifecycleBackfillScope
|
||||
{
|
||||
public const string MODE_ALL_TENANTS = 'all_tenants';
|
||||
|
||||
public const string MODE_SINGLE_TENANT = 'single_tenant';
|
||||
|
||||
private function __construct(
|
||||
public string $mode,
|
||||
public ?int $tenantId,
|
||||
) {}
|
||||
|
||||
public static function allTenants(): self
|
||||
{
|
||||
return new self(
|
||||
mode: self::MODE_ALL_TENANTS,
|
||||
tenantId: null,
|
||||
);
|
||||
}
|
||||
|
||||
public static function singleTenant(int $tenantId): self
|
||||
{
|
||||
$tenantId = (int) $tenantId;
|
||||
|
||||
if ($tenantId <= 0) {
|
||||
throw ValidationException::withMessages([
|
||||
'scope.tenant_id' => 'Select a valid tenant.',
|
||||
]);
|
||||
}
|
||||
|
||||
return new self(
|
||||
mode: self::MODE_SINGLE_TENANT,
|
||||
tenantId: $tenantId,
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $data
|
||||
*/
|
||||
public static function fromArray(array $data): self
|
||||
{
|
||||
$mode = trim((string) ($data['mode'] ?? ''));
|
||||
|
||||
if ($mode === '' || $mode === self::MODE_ALL_TENANTS) {
|
||||
return self::allTenants();
|
||||
}
|
||||
|
||||
if ($mode !== self::MODE_SINGLE_TENANT) {
|
||||
throw ValidationException::withMessages([
|
||||
'scope.mode' => 'Select a valid scope mode.',
|
||||
]);
|
||||
}
|
||||
|
||||
$tenantId = $data['tenant_id'] ?? null;
|
||||
|
||||
if (! is_numeric($tenantId)) {
|
||||
throw ValidationException::withMessages([
|
||||
'scope.tenant_id' => 'Select a tenant.',
|
||||
]);
|
||||
}
|
||||
|
||||
return self::singleTenant((int) $tenantId);
|
||||
}
|
||||
|
||||
public function isAllTenants(): bool
|
||||
{
|
||||
return $this->mode === self::MODE_ALL_TENANTS;
|
||||
}
|
||||
|
||||
public function isSingleTenant(): bool
|
||||
{
|
||||
return $this->mode === self::MODE_SINGLE_TENANT;
|
||||
}
|
||||
}
|
||||
@ -17,7 +17,6 @@ final class OperationRunTriageService
|
||||
'inventory.sync',
|
||||
'policy.sync',
|
||||
'directory.groups.sync',
|
||||
'findings.lifecycle.backfill',
|
||||
'rbac.health_check',
|
||||
'entra.admin_roles.scan',
|
||||
'tenant.review_pack.generate',
|
||||
@ -28,7 +27,6 @@ final class OperationRunTriageService
|
||||
'inventory.sync',
|
||||
'policy.sync',
|
||||
'directory.groups.sync',
|
||||
'findings.lifecycle.backfill',
|
||||
'rbac.health_check',
|
||||
'entra.admin_roles.scan',
|
||||
'tenant.review_pack.generate',
|
||||
|
||||
@ -128,7 +128,7 @@ private function openRisksSection(?EvidenceSnapshotItem $findingsItem): array
|
||||
{
|
||||
$summary = $this->summary($findingsItem);
|
||||
$entries = collect(Arr::wrap($summary['entries'] ?? []))
|
||||
->filter(static fn (mixed $entry): bool => is_array($entry) && in_array((string) ($entry['status'] ?? ''), ['open', 'in_progress', 'acknowledged'], true))
|
||||
->filter(static fn (mixed $entry): bool => is_array($entry) && in_array((string) ($entry['status'] ?? ''), ['open', 'new', 'triaged', 'in_progress', 'reopened'], true))
|
||||
->sortByDesc(static fn (array $entry): int => match ((string) ($entry['severity'] ?? 'low')) {
|
||||
'critical' => 4,
|
||||
'high' => 3,
|
||||
|
||||
@ -91,8 +91,6 @@ class Capabilities
|
||||
|
||||
public const TENANT_FINDINGS_RISK_ACCEPT = 'tenant_findings.risk_accept';
|
||||
|
||||
public const TENANT_FINDINGS_ACKNOWLEDGE = 'tenant_findings.acknowledge';
|
||||
|
||||
public const FINDING_EXCEPTION_VIEW = 'finding_exception.view';
|
||||
|
||||
public const FINDING_EXCEPTION_MANAGE = 'finding_exception.manage';
|
||||
|
||||
@ -30,8 +30,6 @@ class PlatformCapabilities
|
||||
|
||||
public const RUNBOOKS_RUN = 'platform.runbooks.run';
|
||||
|
||||
public const RUNBOOKS_FINDINGS_LIFECYCLE_BACKFILL = 'platform.runbooks.findings.lifecycle_backfill';
|
||||
|
||||
public const OPS_CONTROLS_MANAGE = 'platform.ops.controls.manage';
|
||||
|
||||
/**
|
||||
|
||||
@ -796,7 +796,6 @@ private static function findingAttentionCounts(Tenant $tenant): array
|
||||
$activeNonNewFindingsCount = Finding::query()
|
||||
->where('tenant_id', $tenantId)
|
||||
->whereIn('status', [
|
||||
Finding::STATUS_ACKNOWLEDGED,
|
||||
Finding::STATUS_TRIAGED,
|
||||
Finding::STATUS_IN_PROGRESS,
|
||||
Finding::STATUS_REOPENED,
|
||||
|
||||
@ -99,7 +99,7 @@ private static function resolveTenantWorkspaceId(Model $model, int $tenantId): i
|
||||
$tenant = $model->relationLoaded('tenant') ? $model->getRelation('tenant') : null;
|
||||
|
||||
if (! $tenant instanceof Tenant || (int) $tenant->getKey() !== $tenantId) {
|
||||
$tenant = Tenant::query()->find($tenantId);
|
||||
$tenant = Tenant::query()->withTrashed()->find($tenantId);
|
||||
}
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
|
||||
@ -103,9 +103,9 @@ public static function baselineProfileStatuses(): array
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
public static function findingStatuses(bool $includeLegacyAcknowledged = true): array
|
||||
public static function findingStatuses(): array
|
||||
{
|
||||
$options = self::badgeOptions(BadgeDomain::FindingStatus, [
|
||||
return self::badgeOptions(BadgeDomain::FindingStatus, [
|
||||
Finding::STATUS_NEW,
|
||||
Finding::STATUS_TRIAGED,
|
||||
Finding::STATUS_IN_PROGRESS,
|
||||
@ -114,21 +114,6 @@ public static function findingStatuses(bool $includeLegacyAcknowledged = true):
|
||||
Finding::STATUS_CLOSED,
|
||||
Finding::STATUS_RISK_ACCEPTED,
|
||||
]);
|
||||
|
||||
if (! $includeLegacyAcknowledged) {
|
||||
return $options;
|
||||
}
|
||||
|
||||
return [
|
||||
Finding::STATUS_NEW => $options[Finding::STATUS_NEW],
|
||||
Finding::STATUS_TRIAGED => $options[Finding::STATUS_TRIAGED],
|
||||
Finding::STATUS_ACKNOWLEDGED => self::legacyFindingAcknowledgedLabel(),
|
||||
Finding::STATUS_IN_PROGRESS => $options[Finding::STATUS_IN_PROGRESS],
|
||||
Finding::STATUS_REOPENED => $options[Finding::STATUS_REOPENED],
|
||||
Finding::STATUS_RESOLVED => $options[Finding::STATUS_RESOLVED],
|
||||
Finding::STATUS_CLOSED => $options[Finding::STATUS_CLOSED],
|
||||
Finding::STATUS_RISK_ACCEPTED => $options[Finding::STATUS_RISK_ACCEPTED],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
@ -312,11 +297,6 @@ private static function badgeOptions(BadgeDomain $domain, array $values): array
|
||||
->all();
|
||||
}
|
||||
|
||||
private static function legacyFindingAcknowledgedLabel(): string
|
||||
{
|
||||
return BadgeCatalog::spec(BadgeDomain::FindingStatus, Finding::STATUS_ACKNOWLEDGED)->label.' (legacy acknowledged)';
|
||||
}
|
||||
|
||||
private static function platformLabel(string $platform): string
|
||||
{
|
||||
return match (Str::of($platform)
|
||||
|
||||
@ -12,8 +12,6 @@ final class TrustedStatePolicy
|
||||
|
||||
public const TENANT_REQUIRED_PERMISSIONS = 'tenant_required_permissions';
|
||||
|
||||
public const SYSTEM_RUNBOOKS = 'system_runbooks';
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* name: string,
|
||||
@ -329,92 +327,6 @@ public function firstSlice(): array
|
||||
'scopedTenant',
|
||||
],
|
||||
],
|
||||
self::SYSTEM_RUNBOOKS => [
|
||||
'component_name' => 'System runbooks',
|
||||
'plane' => 'system_platform',
|
||||
'route_anchor' => null,
|
||||
'authority_sources' => [
|
||||
'allowed_tenant_universe',
|
||||
'explicit_scoped_query',
|
||||
],
|
||||
'locked_identities' => [],
|
||||
'locked_identity_fields' => [],
|
||||
'mutable_selectors' => [
|
||||
'findingsTenantId',
|
||||
'tenantId',
|
||||
'findingsScopeMode',
|
||||
'scopeMode',
|
||||
],
|
||||
'mutable_selector_fields' => [
|
||||
$this->field(
|
||||
name: 'findingsTenantId',
|
||||
stateClass: TrustedStateClass::Presentation,
|
||||
phpType: '?int',
|
||||
sourceOfTruth: 'allowed_tenant_universe',
|
||||
usedForProtectedAction: true,
|
||||
revalidationRequired: true,
|
||||
implementationMarkers: [
|
||||
'public ?int $findingsTenantId = null;',
|
||||
'resolveAllowedOrFail($this->findingsTenantId)',
|
||||
],
|
||||
notes: 'Single-tenant runbook proposal only; it must be validated against the operator allowed-tenant universe.',
|
||||
),
|
||||
$this->field(
|
||||
name: 'tenantId',
|
||||
stateClass: TrustedStateClass::Presentation,
|
||||
phpType: '?int',
|
||||
sourceOfTruth: 'allowed_tenant_universe',
|
||||
usedForProtectedAction: false,
|
||||
revalidationRequired: false,
|
||||
implementationMarkers: [
|
||||
'public ?int $tenantId = null;',
|
||||
],
|
||||
notes: 'Mirrored display state for the last trusted preflight result.',
|
||||
),
|
||||
$this->field(
|
||||
name: 'findingsScopeMode',
|
||||
stateClass: TrustedStateClass::Presentation,
|
||||
phpType: 'string',
|
||||
sourceOfTruth: 'presentation_only',
|
||||
usedForProtectedAction: true,
|
||||
revalidationRequired: true,
|
||||
implementationMarkers: [
|
||||
'public string $findingsScopeMode = FindingsLifecycleBackfillScope::MODE_ALL_TENANTS;',
|
||||
'trustedFindingsScopeFromState(',
|
||||
],
|
||||
notes: 'Scope mode remains mutable UI state but protected actions re-normalize it into a trusted scope DTO.',
|
||||
),
|
||||
$this->field(
|
||||
name: 'scopeMode',
|
||||
stateClass: TrustedStateClass::Presentation,
|
||||
phpType: 'string',
|
||||
sourceOfTruth: 'presentation_only',
|
||||
usedForProtectedAction: false,
|
||||
revalidationRequired: false,
|
||||
implementationMarkers: [
|
||||
'public string $scopeMode = FindingsLifecycleBackfillScope::MODE_ALL_TENANTS;',
|
||||
],
|
||||
notes: 'Mirrored display state for the last trusted preflight result.',
|
||||
),
|
||||
],
|
||||
'server_derived_authority_fields' => [
|
||||
$this->field(
|
||||
name: 'findingsScope',
|
||||
stateClass: TrustedStateClass::ServerDerivedAuthority,
|
||||
phpType: 'FindingsLifecycleBackfillScope',
|
||||
sourceOfTruth: 'allowed_tenant_universe',
|
||||
usedForProtectedAction: true,
|
||||
revalidationRequired: true,
|
||||
implementationMarkers: [
|
||||
'trustedFindingsScopeFromFormData(',
|
||||
'trustedFindingsScopeFromState(',
|
||||
'resolveAllowedOrFail(',
|
||||
],
|
||||
notes: 'Protected actions must convert mutable selector state into a trusted scope DTO via AllowedTenantUniverse.',
|
||||
),
|
||||
],
|
||||
'forbidden_public_authority_fields' => [],
|
||||
],
|
||||
];
|
||||
}
|
||||
|
||||
|
||||
@ -278,7 +278,6 @@ private static function canonicalDefinitions(): array
|
||||
'tenant.review.compose' => new CanonicalOperationType('tenant.review.compose', 'platform_foundation', 'tenant_review', 'Review composition', true, 60),
|
||||
'tenant.evidence.snapshot.generate' => new CanonicalOperationType('tenant.evidence.snapshot.generate', 'platform_foundation', 'evidence_snapshot', 'Evidence snapshot generation', true, 120),
|
||||
'rbac.health_check' => new CanonicalOperationType('rbac.health_check', 'intune', null, 'RBAC health check', false, 30),
|
||||
'findings.lifecycle.backfill' => new CanonicalOperationType('findings.lifecycle.backfill', 'platform_foundation', null, 'Findings lifecycle backfill', false, 300),
|
||||
];
|
||||
}
|
||||
|
||||
@ -290,27 +289,36 @@ private static function operationAliases(): array
|
||||
return [
|
||||
new OperationTypeAlias('policy.sync', 'policy.sync', 'canonical', true),
|
||||
new OperationTypeAlias('policy.sync_one', 'policy.sync', 'legacy_alias', false, 'Legacy single-policy sync values resolve to the canonical policy.sync operation.', 'Prefer policy.sync on platform-owned read paths.'),
|
||||
new OperationTypeAlias('policy.snapshot', 'policy.snapshot', 'canonical', true),
|
||||
new OperationTypeAlias('policy.capture_snapshot', 'policy.snapshot', 'canonical', true),
|
||||
new OperationTypeAlias('policy.delete', 'policy.delete', 'canonical', true),
|
||||
new OperationTypeAlias('policy.restore', 'policy.restore', 'canonical', true),
|
||||
new OperationTypeAlias('policy.unignore', 'policy.restore', 'legacy_alias', false, 'Legacy policy.unignore values resolve to policy.restore for operator-facing wording.', 'Prefer policy.restore on new platform-owned read models.'),
|
||||
new OperationTypeAlias('policy.export', 'policy.export', 'canonical', true),
|
||||
new OperationTypeAlias('provider.connection.check', 'provider.connection.check', 'canonical', true),
|
||||
new OperationTypeAlias('inventory.sync', 'inventory.sync', 'canonical', true),
|
||||
new OperationTypeAlias('inventory_sync', 'inventory.sync', 'legacy_alias', false, 'Legacy inventory_sync storage values resolve to the canonical inventory.sync operation.', 'Preserve stored values during rollout while showing inventory.sync semantics on read paths.'),
|
||||
new OperationTypeAlias('provider.inventory.sync', 'inventory.sync', 'legacy_alias', false, 'Provider-prefixed historical inventory sync values share the same operator meaning as inventory sync.', 'Avoid emitting provider.inventory.sync on new platform-owned surfaces.'),
|
||||
new OperationTypeAlias('compliance.snapshot', 'compliance.snapshot', 'canonical', true),
|
||||
new OperationTypeAlias('provider.compliance.snapshot', 'compliance.snapshot', 'legacy_alias', false, 'Provider-prefixed compliance snapshot values resolve to the canonical compliance.snapshot operation.', 'Avoid emitting provider.compliance.snapshot on new platform-owned surfaces.'),
|
||||
new OperationTypeAlias('directory.groups.sync', 'directory.groups.sync', 'canonical', true),
|
||||
new OperationTypeAlias('entra_group_sync', 'directory.groups.sync', 'legacy_alias', false, 'Historical entra_group_sync values resolve to directory.groups.sync.', 'Prefer directory.groups.sync on new platform-owned read models.'),
|
||||
new OperationTypeAlias('backup_set.update', 'backup_set.update', 'canonical', true),
|
||||
new OperationTypeAlias('backup_set.archive', 'backup_set.archive', 'canonical', true),
|
||||
new OperationTypeAlias('backup_set.delete', 'backup_set.archive', 'canonical', true),
|
||||
new OperationTypeAlias('backup_set.restore', 'backup_set.restore', 'canonical', true),
|
||||
new OperationTypeAlias('backup_set.force_delete', 'backup_set.delete', 'legacy_alias', false, 'Force-delete wording is normalized to the canonical delete label.', 'Use backup_set.delete for new platform-owned summaries.'),
|
||||
new OperationTypeAlias('backup.schedule.execute', 'backup.schedule.execute', 'canonical', true),
|
||||
new OperationTypeAlias('backup_schedule_run', 'backup.schedule.execute', 'legacy_alias', false, 'Historical backup_schedule_run values resolve to backup.schedule.execute.', 'Prefer backup.schedule.execute on canonical read paths.'),
|
||||
new OperationTypeAlias('backup.schedule.retention', 'backup.schedule.retention', 'canonical', true),
|
||||
new OperationTypeAlias('backup_schedule_retention', 'backup.schedule.retention', 'legacy_alias', false, 'Legacy backup schedule retention values resolve to backup.schedule.retention.', 'Prefer dotted canonical backup schedule naming on new read paths.'),
|
||||
new OperationTypeAlias('backup.schedule.purge', 'backup.schedule.purge', 'canonical', true),
|
||||
new OperationTypeAlias('backup_schedule_purge', 'backup.schedule.purge', 'legacy_alias', false, 'Legacy backup schedule purge values resolve to backup.schedule.purge.', 'Prefer dotted canonical backup schedule naming on new read paths.'),
|
||||
new OperationTypeAlias('restore.execute', 'restore.execute', 'canonical', true),
|
||||
new OperationTypeAlias('assignments.fetch', 'assignments.fetch', 'canonical', true),
|
||||
new OperationTypeAlias('assignments.restore', 'assignments.restore', 'canonical', true),
|
||||
new OperationTypeAlias('ops.reconcile_adapter_runs', 'ops.reconcile_adapter_runs', 'canonical', true),
|
||||
new OperationTypeAlias('directory.role_definitions.sync', 'directory.role_definitions.sync', 'canonical', true),
|
||||
new OperationTypeAlias('directory_role_definitions.sync', 'directory.role_definitions.sync', 'legacy_alias', false, 'Legacy directory_role_definitions.sync values resolve to directory.role_definitions.sync.', 'Prefer dotted role-definition naming on new read paths.'),
|
||||
new OperationTypeAlias('restore_run.delete', 'restore_run.delete', 'canonical', true),
|
||||
new OperationTypeAlias('restore_run.restore', 'restore_run.restore', 'canonical', true),
|
||||
@ -325,13 +333,13 @@ private static function operationAliases(): array
|
||||
new OperationTypeAlias('baseline.compare', 'baseline.compare', 'canonical', true),
|
||||
new OperationTypeAlias('baseline_capture', 'baseline.capture', 'legacy_alias', false, 'Historical baseline_capture values resolve to baseline.capture.', 'Prefer baseline.capture on canonical read paths.'),
|
||||
new OperationTypeAlias('baseline_compare', 'baseline.compare', 'legacy_alias', false, 'Historical baseline_compare values resolve to baseline.compare.', 'Prefer baseline.compare on canonical read paths.'),
|
||||
new OperationTypeAlias('permission.posture.check', 'permission.posture.check', 'canonical', true),
|
||||
new OperationTypeAlias('permission_posture_check', 'permission.posture.check', 'legacy_alias', false, 'Historical permission_posture_check values resolve to permission.posture.check.', 'Prefer dotted permission posture naming on new read paths.'),
|
||||
new OperationTypeAlias('entra.admin_roles.scan', 'entra.admin_roles.scan', 'canonical', true),
|
||||
new OperationTypeAlias('tenant.review_pack.generate', 'tenant.review_pack.generate', 'canonical', true),
|
||||
new OperationTypeAlias('tenant.review.compose', 'tenant.review.compose', 'canonical', true),
|
||||
new OperationTypeAlias('tenant.evidence.snapshot.generate', 'tenant.evidence.snapshot.generate', 'canonical', true),
|
||||
new OperationTypeAlias('rbac.health_check', 'rbac.health_check', 'canonical', true),
|
||||
new OperationTypeAlias('findings.lifecycle.backfill', 'findings.lifecycle.backfill', 'canonical', true),
|
||||
];
|
||||
}
|
||||
}
|
||||
|
||||
@ -4,8 +4,9 @@
|
||||
|
||||
namespace App\Support\Settings;
|
||||
|
||||
use App\Support\Ai\AiPolicyMode;
|
||||
use App\Models\Finding;
|
||||
use App\Services\Localization\LocaleResolver;
|
||||
use App\Support\Ai\AiPolicyMode;
|
||||
use App\Services\Entitlements\WorkspaceCommercialLifecycleResolver;
|
||||
use App\Services\Entitlements\WorkspacePlanProfileCatalog;
|
||||
|
||||
@ -29,6 +30,25 @@ public function __construct()
|
||||
normalizer: static fn (mixed $value): string => strtolower(trim((string) $value)),
|
||||
));
|
||||
|
||||
$this->register(new SettingDefinition(
|
||||
domain: LocaleResolver::SETTING_DOMAIN,
|
||||
key: LocaleResolver::SETTING_DEFAULT_LOCALE,
|
||||
type: 'string',
|
||||
systemDefault: null,
|
||||
rules: [
|
||||
'nullable',
|
||||
'string',
|
||||
'in:'.implode(',', LocaleResolver::supportedLocales()),
|
||||
],
|
||||
normalizer: static function (mixed $value): ?string {
|
||||
if ($value === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return LocaleResolver::normalize($value);
|
||||
},
|
||||
));
|
||||
|
||||
$this->register(new SettingDefinition(
|
||||
domain: 'backup',
|
||||
key: 'retention_keep_last_default',
|
||||
|
||||
@ -640,23 +640,18 @@ public static function spec195ResidualSurfaceInventory(): array
|
||||
'discoveryState' => 'outside_primary_discovery',
|
||||
'closureDecision' => 'separately_governed',
|
||||
'reasonCategory' => 'workflow_specific_governance',
|
||||
'explicitReason' => 'Runbooks is a workflow utility hub with its own trusted-state, authorization, and confirmation semantics rather than a declaration-backed record or table surface.',
|
||||
'explicitReason' => 'Runbooks remains a system utility shell outside the declaration-backed record or table surface; it currently exposes no supported launch action after lifecycle-backfill removal.',
|
||||
'evidence' => [
|
||||
[
|
||||
'kind' => 'feature_livewire_test',
|
||||
'reference' => 'tests/Feature/System/OpsRunbooks/FindingsLifecycleBackfillStartTest.php',
|
||||
'proves' => 'The runbooks shell enforces preflight-first execution, typed confirmation, and capability-gated run behavior.',
|
||||
'reference' => 'tests/Feature/System/OpsRunbooks/RemoveFindingsLifecycleBackfillRunbookSurfaceTest.php',
|
||||
'proves' => 'The runbooks shell stays accessible to authorized platform operators while exposing no findings lifecycle backfill launch action.',
|
||||
],
|
||||
[
|
||||
'kind' => 'authorization_test',
|
||||
'reference' => 'tests/Feature/System/Spec113/AuthorizationSemanticsTest.php',
|
||||
'proves' => 'The system plane still returns 403 when runbook-view capabilities are missing.',
|
||||
],
|
||||
[
|
||||
'kind' => 'guard_test',
|
||||
'reference' => 'tests/Feature/Guards/LivewireTrustedStateGuardTest.php',
|
||||
'proves' => 'Runbooks keeps its trusted-state policy under explicit guard coverage.',
|
||||
],
|
||||
],
|
||||
'followUpAction' => 'add_guard_only',
|
||||
'mustRemainBaselineExempt' => false,
|
||||
|
||||
@ -4,6 +4,7 @@
|
||||
use Illuminate\Foundation\Configuration\Exceptions;
|
||||
use Illuminate\Foundation\Configuration\Middleware;
|
||||
|
||||
use App\Http\Middleware\ApplyResolvedLocale;
|
||||
use App\Http\Middleware\SuppressDebugbarForSmokeRequests;
|
||||
use App\Http\Middleware\UseSystemSessionCookieForLivewireRequests;
|
||||
|
||||
@ -24,7 +25,12 @@
|
||||
UseSystemSessionCookieForLivewireRequests::class,
|
||||
]);
|
||||
|
||||
$middleware->web(append: [
|
||||
ApplyResolvedLocale::class,
|
||||
]);
|
||||
|
||||
$middleware->alias([
|
||||
'apply-resolved-locale' => ApplyResolvedLocale::class,
|
||||
'ensure-correct-guard' => \App\Http\Middleware\EnsureCorrectGuard::class,
|
||||
'ensure-platform-capability' => \App\Http\Middleware\EnsurePlatformCapability::class,
|
||||
'ensure-workspace-member' => \App\Http\Middleware\EnsureWorkspaceMember::class,
|
||||
|
||||
@ -73,18 +73,6 @@ public function permissionPosture(): static
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* State for legacy acknowledged findings.
|
||||
*/
|
||||
public function acknowledged(): static
|
||||
{
|
||||
return $this->state(fn (array $attributes): array => [
|
||||
'status' => Finding::STATUS_ACKNOWLEDGED,
|
||||
'acknowledged_at' => now(),
|
||||
'acknowledged_by_user_id' => null,
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* State for triaged findings.
|
||||
*/
|
||||
|
||||
@ -0,0 +1,25 @@
|
||||
<?php
|
||||
|
||||
use Illuminate\Database\Migrations\Migration;
|
||||
use Illuminate\Database\Schema\Blueprint;
|
||||
use Illuminate\Support\Facades\Schema;
|
||||
|
||||
return new class extends Migration
|
||||
{
|
||||
public function up(): void
|
||||
{
|
||||
Schema::table('users', function (Blueprint $table): void {
|
||||
$table->string('preferred_locale', 8)
|
||||
->nullable()
|
||||
->after('last_workspace_id')
|
||||
->index();
|
||||
});
|
||||
}
|
||||
|
||||
public function down(): void
|
||||
{
|
||||
Schema::table('users', function (Blueprint $table): void {
|
||||
$table->dropColumn('preferred_locale');
|
||||
});
|
||||
}
|
||||
};
|
||||
@ -41,7 +41,6 @@ public function run(): void
|
||||
PlatformCapabilities::OPS_VIEW,
|
||||
PlatformCapabilities::RUNBOOKS_VIEW,
|
||||
PlatformCapabilities::RUNBOOKS_RUN,
|
||||
PlatformCapabilities::RUNBOOKS_FINDINGS_LIFECYCLE_BACKFILL,
|
||||
PlatformCapabilities::OPS_CONTROLS_MANAGE,
|
||||
],
|
||||
'is_active' => true,
|
||||
|
||||
88
apps/platform/lang/de/baseline-compare.php
Normal file
88
apps/platform/lang/de/baseline-compare.php
Normal file
@ -0,0 +1,88 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
return [
|
||||
'duplicate_warning_title' => 'Warnung',
|
||||
'duplicate_warning_body_plural' => ':count Policies in diesem Tenant verwenden generische Anzeigenamen, dadurch entstehen :ambiguous_count mehrdeutige Subjekte. :app kann sie nicht sicher mit der Baseline abgleichen.',
|
||||
'duplicate_warning_body_singular' => ':count Policy in diesem Tenant verwendet einen generischen Anzeigenamen, dadurch entsteht :ambiguous_count mehrdeutiges Subjekt. :app kann es nicht sicher mit der Baseline abgleichen.',
|
||||
'stat_assigned_baseline' => 'Zugewiesene Baseline',
|
||||
'stat_total_findings' => 'Findings gesamt',
|
||||
'stat_last_compared' => 'Zuletzt verglichen',
|
||||
'stat_last_compared_never' => 'Nie',
|
||||
'stat_error' => 'Fehler',
|
||||
'badge_snapshot' => 'Snapshot #:id',
|
||||
'badge_coverage_ok' => 'Abdeckung: OK',
|
||||
'badge_coverage_warnings' => 'Abdeckung: Warnungen',
|
||||
'badge_fidelity' => 'Fidelity: :level',
|
||||
'badge_evidence_gaps' => 'Evidence Gaps: :count',
|
||||
'evidence_gaps_tooltip' => 'Wichtigste Gaps: :summary',
|
||||
'evidence_gap_details_heading' => 'Evidence-Gap-Details',
|
||||
'evidence_gap_details_description' => 'Durchsuchen Sie aufgezeichnete Gap-Subjekte nach Grund, Governed Subject, Subjektklasse, Ergebnis, nächster Aktion oder Subject Key, bevor Sie Rohdiagnosen verwenden.',
|
||||
'evidence_gap_search_label' => 'Gap-Details suchen',
|
||||
'evidence_gap_search_placeholder' => 'Nach Grund, Typ, Klasse, Ergebnis, Aktion oder Subject Key suchen',
|
||||
'evidence_gap_search_help' => 'Filtert über Grund, Governed Subject, Subjektklasse, Ergebnis, nächste Aktion und Subject Key.',
|
||||
'evidence_gap_bucket_help_ambiguous_match' => 'Mehrere Inventory-Datensätze passten zum gleichen Policy-Subjekt. Prüfen Sie das Mapping.',
|
||||
'evidence_gap_bucket_help_policy_record_missing' => 'Der erwartete Policy-Datensatz wurde im Baseline-Snapshot nicht gefunden. Prüfen Sie, ob die Policy im Tenant noch existiert.',
|
||||
'evidence_gap_bucket_help_inventory_record_missing' => 'Für diese Subjekte konnte kein Inventory-Datensatz gefunden werden. Prüfen Sie, ob der Inventory Sync aktuell ist.',
|
||||
'evidence_gap_bucket_help_foundation_not_policy_backed' => 'Diese Subjekte existieren in der Foundation-Schicht, sind aber nicht durch eine verwaltete Policy abgedeckt. Prüfen Sie, ob eine Policy erstellt werden sollte.',
|
||||
'evidence_gap_bucket_help_capture_failed' => 'Evidence Capture ist für diese Subjekte fehlgeschlagen. Wiederholen Sie den Vergleich oder prüfen Sie die Graph-Konnektivität.',
|
||||
'evidence_gap_bucket_help_default' => 'Diese Subjekte wurden beim Vergleich markiert. Prüfen Sie die betroffenen Zeilen.',
|
||||
'evidence_gap_reason' => 'Grund',
|
||||
'evidence_gap_reason_affected' => ':count betroffen',
|
||||
'evidence_gap_reason_recorded' => ':count aufgezeichnet',
|
||||
'evidence_gap_reason_missing_detail' => ':count ohne Detail',
|
||||
'evidence_gap_structural' => 'Strukturell: :count',
|
||||
'evidence_gap_operational' => 'Operativ: :count',
|
||||
'evidence_gap_transient' => 'Temporär: :count',
|
||||
'evidence_gap_bucket_structural' => ':count strukturell',
|
||||
'evidence_gap_bucket_operational' => ':count operativ',
|
||||
'evidence_gap_bucket_transient' => ':count temporär',
|
||||
'evidence_gap_missing_details_title' => 'Für diesen Run wurden keine Detailzeilen aufgezeichnet',
|
||||
'evidence_gap_missing_details_body' => 'Evidence Gaps wurden für diesen Compare Run gezählt, aber Details auf Subjektebene wurden nicht gespeichert. Prüfen Sie Rohdiagnosen oder wiederholen Sie den Vergleich.',
|
||||
'evidence_gap_missing_reason_body' => ':count betroffene Subjekte wurden für diesen Grund gezählt, aber Detailzeilen wurden nicht aufgezeichnet.',
|
||||
'evidence_gap_legacy_title' => 'Legacy-Development-Gap-Payload erkannt',
|
||||
'evidence_gap_legacy_body' => 'Dieser Run verwendet noch die retired breite Grundform. Erzeugen Sie den Run neu oder bereinigen Sie alte lokale Development-Payloads.',
|
||||
'evidence_gap_diagnostics_heading' => 'Baseline-Compare-Evidence',
|
||||
'evidence_gap_diagnostics_description' => 'Rohdiagnosen bleiben für Support und tiefere Fehlersuche nach Operator-Zusammenfassung und Detailansicht verfügbar.',
|
||||
'evidence_gap_policy_type' => 'Governed Subject',
|
||||
'evidence_gap_subject_class' => 'Subjektklasse',
|
||||
'evidence_gap_outcome' => 'Ergebnis',
|
||||
'evidence_gap_next_action' => 'Nächste Aktion',
|
||||
'evidence_gap_subject_key' => 'Subject Key',
|
||||
'evidence_gap_table_empty_heading' => 'Keine aufgezeichneten Gap-Zeilen passen zu dieser Ansicht',
|
||||
'evidence_gap_table_empty_description' => 'Passen Sie Suche oder Filter an, um andere betroffene Subjekte zu prüfen.',
|
||||
'comparing_indicator' => 'Vergleich läuft...',
|
||||
'no_findings_all_clear' => 'Kein bestätigter Drift im letzten Vergleich',
|
||||
'no_findings_coverage_warnings' => 'Kein Drift angezeigt, aber Coverage limitiert diesen Vergleich',
|
||||
'no_findings_evidence_gaps' => 'Kein Drift angezeigt, aber Evidence Gaps müssen geprüft werden',
|
||||
'no_findings_default' => 'Aktuell sind keine Drift Findings sichtbar',
|
||||
'coverage_warning_title' => 'Vergleich mit Warnungen abgeschlossen',
|
||||
'coverage_unproven_body' => 'Coverage Proof fehlte oder war nicht lesbar. Findings wurden aus Sicherheitsgründen unterdrückt.',
|
||||
'coverage_incomplete_body' => 'Findings wurden für :count Policy :types wegen unvollständiger Coverage übersprungen.',
|
||||
'coverage_uncovered_label' => 'Nicht abgedeckt: :list',
|
||||
'failed_title' => 'Vergleich fehlgeschlagen',
|
||||
'failed_body_default' => 'Der letzte Baseline-Vergleich ist fehlgeschlagen. Prüfen Sie die Run-Details oder wiederholen Sie ihn.',
|
||||
'critical_drift_title' => 'Kritischer Drift erkannt',
|
||||
'critical_drift_body' => 'Der aktuelle Tenant-Zustand weicht von Baseline :profile ab. :count High-Severity :findings erfordern sofortige Aufmerksamkeit.',
|
||||
'empty_no_tenant' => 'Kein Tenant ausgewählt',
|
||||
'empty_no_assignment' => 'Keine Baseline zugewiesen',
|
||||
'empty_no_snapshot' => 'Kein Snapshot verfügbar',
|
||||
'findings_description' => 'Die Tenant-Konfiguration weicht vom Baseline-Profil ab.',
|
||||
'rbac_summary_title' => 'Intune-RBAC-Rollendefinitionen',
|
||||
'rbac_summary_description' => 'Rollenzuweisungen sind in diesem Baseline-Compare-Release nicht enthalten.',
|
||||
'rbac_summary_compared' => 'Verglichen',
|
||||
'rbac_summary_unchanged' => 'Unverändert',
|
||||
'rbac_summary_modified' => 'Geändert',
|
||||
'rbac_summary_missing' => 'Fehlend',
|
||||
'rbac_summary_unexpected' => 'Unerwartet',
|
||||
'no_drift_title' => 'Kein Drift erkannt',
|
||||
'no_drift_body' => 'Der letzte Vergleich hat keinen bestätigten Drift für das zugewiesene Baseline-Profil aufgezeichnet.',
|
||||
'coverage_warnings_title' => 'Coverage-Warnungen',
|
||||
'coverage_warnings_body' => 'Der letzte Vergleich wurde mit Warnungen abgeschlossen und erzeugte keine bestätigten Drift Findings. Aktualisieren Sie Evidence, bevor Sie dies als Entwarnung werten.',
|
||||
'idle_title' => 'Bereit zum Vergleich',
|
||||
'button_view_run' => 'Run anzeigen',
|
||||
'button_view_failed_run' => 'Fehlgeschlagenen Run anzeigen',
|
||||
'button_view_findings' => 'Alle Findings anzeigen',
|
||||
'button_review_last_run' => 'Letzten Run prüfen',
|
||||
];
|
||||
31
apps/platform/lang/de/findings.php
Normal file
31
apps/platform/lang/de/findings.php
Normal file
@ -0,0 +1,31 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
return [
|
||||
'drift' => [
|
||||
'rbac_role_definition' => 'Intune-RBAC-Rollendefinitions-Drift',
|
||||
],
|
||||
'subject_types' => [
|
||||
'policy' => 'Policy',
|
||||
'intuneRoleDefinition' => 'Intune-RBAC-Rollendefinition',
|
||||
],
|
||||
'rbac' => [
|
||||
'detail_heading' => 'Intune-RBAC-Rollendefinitions-Drift',
|
||||
'detail_subheading' => 'Rollenzuweisungen sind nicht enthalten. RBAC-Restore wird nicht unterstützt.',
|
||||
'metadata_only' => 'Nur Metadaten geändert',
|
||||
'permission_change' => 'Berechtigung geändert',
|
||||
'missing' => 'Im aktuellen Tenant fehlend',
|
||||
'unexpected' => 'Unerwartet im aktuellen Tenant',
|
||||
'changed_fields' => 'Geänderte Felder',
|
||||
'baseline' => 'Baseline',
|
||||
'current' => 'Aktuell',
|
||||
'absent' => 'Nicht vorhanden',
|
||||
'role_source' => 'Rollenquelle',
|
||||
'permission_blocks' => 'Berechtigungsblöcke',
|
||||
'built_in' => 'Integriert',
|
||||
'custom' => 'Benutzerdefiniert',
|
||||
'assignments_excluded' => 'Rollenzuweisungen sind in diesem Baseline-Compare-Release nicht enthalten.',
|
||||
'restore_unsupported' => 'RBAC-Restore wird in diesem Release nicht unterstützt.',
|
||||
],
|
||||
];
|
||||
230
apps/platform/lang/de/localization.php
Normal file
230
apps/platform/lang/de/localization.php
Normal file
@ -0,0 +1,230 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
return [
|
||||
'locales' => [
|
||||
'en' => 'Englisch',
|
||||
'de' => 'Deutsch',
|
||||
],
|
||||
'source' => [
|
||||
'explicit_override' => 'Sitzungsüberschreibung',
|
||||
'user_preference' => 'persönliche Einstellung',
|
||||
'workspace_default' => 'Workspace-Standard',
|
||||
'workspace_override' => 'Workspace-Überschreibung',
|
||||
'system_default' => 'Systemstandard',
|
||||
],
|
||||
'shell' => [
|
||||
'language' => 'Sprache',
|
||||
'current_language' => 'Aktuelle Sprache',
|
||||
'language_source' => 'Quelle: :source',
|
||||
'temporary_override' => 'Temporäre Überschreibung',
|
||||
'switch_language' => 'Sprache wechseln',
|
||||
'clear_override' => 'Geerbte Sprache verwenden',
|
||||
'personal_preference' => 'Persönliche Einstellung',
|
||||
'save_preference' => 'Einstellung speichern',
|
||||
'inherit_workspace' => 'Workspace-Standard verwenden',
|
||||
'workspace' => 'Workspace',
|
||||
'choose_workspace' => 'Workspace auswählen',
|
||||
'switch_workspace' => 'Workspace wechseln',
|
||||
'workspace_home' => 'Workspace-Start',
|
||||
'tenant_scope' => 'Tenant-Kontext',
|
||||
'select_tenant' => 'Tenant auswählen',
|
||||
'selected_tenant' => 'Ausgewählter Tenant',
|
||||
'no_tenant_selected' => 'Kein Tenant ausgewählt',
|
||||
'switch_tenant' => 'Tenant wechseln',
|
||||
'clear_tenant_scope' => 'Tenant-Kontext löschen',
|
||||
'context_unavailable' => 'Kontext nicht verfügbar',
|
||||
'context_unavailable_workspace' => 'Der angeforderte Kontext konnte nicht wiederhergestellt werden. Die Shell zeigt stattdessen einen gültigen Workspace-Kontext.',
|
||||
'context_unavailable_no_workspace' => 'Wählen Sie einen Workspace aus, um mit einem gültigen Admin-Kontext fortzufahren.',
|
||||
'no_active_tenants' => 'In diesem Workspace sind keine aktiven Tenants für den Standardbetrieb verfügbar.',
|
||||
'view_managed_tenants' => 'Managed Tenants anzeigen',
|
||||
'workspace_wide_available' => 'Kein Tenant ausgewählt. Workspace-weite Seiten bleiben verfügbar; ein Tenant setzt nur den normalen aktiven Betriebskontext.',
|
||||
'search_tenants' => 'Tenants suchen...',
|
||||
'choose_workspace_first' => 'Wählen Sie zuerst einen Workspace aus.',
|
||||
],
|
||||
'workspace' => [
|
||||
'title' => 'Workspace-Einstellungen',
|
||||
'save' => 'Speichern',
|
||||
'reset' => 'Zurücksetzen',
|
||||
'no_manage_permission' => 'Sie haben keine Berechtigung zum Verwalten der Workspace-Einstellungen.',
|
||||
'no_workspace_override' => 'Keine Workspace-Überschreibung zum Zurücksetzen vorhanden.',
|
||||
'last_modified_by' => ':description - Zuletzt geändert von :user, :time.',
|
||||
'section' => 'Lokalisierung',
|
||||
'section_description' => 'Workspace-Standard für Benutzer ohne persönliche Spracheinstellung.',
|
||||
'default_locale_label' => 'Standardsprache',
|
||||
'default_locale_placeholder' => 'Nicht gesetzt (verwendet Systemstandard)',
|
||||
'default_locale_helper_unset' => 'Nicht gesetzt. Effektive Sprache: :locale (:source).',
|
||||
'default_locale_helper_set' => 'Effektive Sprache: :locale.',
|
||||
],
|
||||
'auth' => [
|
||||
'microsoft_not_configured' => 'Microsoft-Anmeldung ist nicht konfiguriert.',
|
||||
'sign_in_microsoft' => 'Mit Microsoft anmelden',
|
||||
'tenant_admin_membership_required' => 'Tenant-Admin-Zugriff erfordert eine Tenant-Mitgliedschaft.',
|
||||
],
|
||||
'navigation' => [
|
||||
'findings' => 'Findings',
|
||||
'settings' => 'Einstellungen',
|
||||
'integrations' => 'Integrationen',
|
||||
'manage_workspaces' => 'Workspaces verwalten',
|
||||
'operations' => 'Operationen',
|
||||
'audit_log' => 'Audit-Log',
|
||||
'alerts' => 'Alerts',
|
||||
'governance' => 'Governance',
|
||||
'monitoring' => 'Monitoring',
|
||||
'dashboard' => 'Dashboard',
|
||||
],
|
||||
'dashboard' => [
|
||||
'tenant_title' => 'Tenant-Dashboard',
|
||||
'system_title' => 'System-Dashboard',
|
||||
'request_support' => 'Support anfragen',
|
||||
'support_request_heading' => 'Support anfragen',
|
||||
'support_request_description' => 'Teilen Sie eine kurze Zusammenfassung. TenantAtlas fügt redaktionell bereinigten Kontext aus bestehenden Datensätzen hinzu.',
|
||||
'submit_request' => 'Anfrage senden',
|
||||
'included_context' => 'Enthaltener Kontext',
|
||||
'severity' => 'Schweregrad',
|
||||
'summary' => 'Zusammenfassung',
|
||||
'reproduction_notes' => 'Reproduktionshinweise',
|
||||
'contact_name' => 'Kontaktname',
|
||||
'contact_email' => 'Kontakt-E-Mail',
|
||||
'support_request_submitted' => 'Supportanfrage gesendet',
|
||||
'open_support_diagnostics' => 'Supportdiagnosen öffnen',
|
||||
'support_diagnostics' => 'Supportdiagnosen',
|
||||
'support_diagnostics_description' => 'Redaktionell bereinigter Tenant-Kontext aus bestehenden Datensätzen.',
|
||||
'close' => 'Schließen',
|
||||
'time_window' => 'Zeitfenster',
|
||||
'window' => 'Fenster',
|
||||
'enter_break_glass' => 'Break-Glass-Modus aktivieren',
|
||||
'exit_break_glass' => 'Break-Glass beenden',
|
||||
'recovery_mode_enabled' => 'Wiederherstellungsmodus aktiviert',
|
||||
'recovery_mode_ended' => 'Wiederherstellungsmodus beendet',
|
||||
],
|
||||
'review' => [
|
||||
'reporting' => 'Berichte',
|
||||
'customer_reviews' => 'Kundenreviews',
|
||||
'customer_review_workspace' => 'Kundenreview-Workspace',
|
||||
'customer_safe_review_workspace' => 'Kundensicherer Review-Workspace',
|
||||
'customer_workspace_intro' => 'Prüfen Sie den zuletzt veröffentlichten kundensicheren Status für jeden berechtigten Tenant, ohne den aktuellen Workspace-Kontext zu verlassen.',
|
||||
'customer_workspace_canonical_note' => 'Eine Zeile öffnet die bestehende Tenant-Review-Detailseite, damit Evidence, Review-Packs und auditfähige Nachweise auf ihren kanonischen tenantbezogenen Oberflächen bleiben.',
|
||||
'reviews' => 'Reviews',
|
||||
'clear_filters' => 'Filter löschen',
|
||||
'tenant' => 'Tenant',
|
||||
'latest_review' => 'Letztes Review',
|
||||
'key_findings' => 'Wichtige Findings',
|
||||
'accepted_risks' => 'Akzeptierte Risiken',
|
||||
'published' => 'Veröffentlicht',
|
||||
'review_pack' => 'Review-Pack',
|
||||
'open_latest_review' => 'Letztes Review öffnen',
|
||||
'download_review_pack' => 'Review-Pack herunterladen',
|
||||
'no_entitled_tenants' => 'Keine berechtigten Tenants passen zu dieser Ansicht',
|
||||
'clear_filters_description' => 'Löschen Sie die aktuellen Filter, um zum vollständigen Kundenreview-Workspace für Ihre berechtigten Tenants zurückzukehren.',
|
||||
'adjust_filters_description' => 'Passen Sie die Filter an, um zum vollständigen Kundenreview-Workspace für Ihre berechtigten Tenants zurückzukehren.',
|
||||
'no_published_review' => 'Kein veröffentlichtes Review',
|
||||
'no_published_review_available' => 'Noch kein veröffentlichtes Review verfügbar',
|
||||
'no_findings_recorded' => 'Im veröffentlichten Review sind keine Findings erfasst.',
|
||||
'findings_count_summary' => ':count Findings im veröffentlichten Review zusammengefasst.',
|
||||
'findings_count_with_outcomes' => ':count Findings. Terminale Ergebnisse: :outcomes.',
|
||||
'no_accepted_risks_recorded' => 'Keine akzeptierten Risiken erfasst.',
|
||||
'accepted_risks_need_follow_up' => ':warnings akzeptierte Risiken benötigen Governance-Nacharbeit (:total gesamt).',
|
||||
'accepted_risks_governed' => ':count akzeptierte Risiken sind governed.',
|
||||
'accepted_risks_on_record' => ':count akzeptierte Risiken sind erfasst.',
|
||||
'unavailable' => 'Nicht verfügbar',
|
||||
'available' => 'Verfügbar',
|
||||
'outcome_summary' => 'Ergebniszusammenfassung',
|
||||
'review' => 'Review',
|
||||
'review_date' => 'Review-Datum',
|
||||
'completeness' => 'Vollständigkeit',
|
||||
'evidence_snapshot' => 'Evidence-Snapshot',
|
||||
'current_export' => 'Aktueller Export',
|
||||
'executive_posture' => 'Executive-Status',
|
||||
'sections' => 'Abschnitte',
|
||||
'details' => 'Details',
|
||||
'export_executive_pack' => 'Executive-Pack exportieren',
|
||||
'outcome' => 'Ergebnis',
|
||||
'export' => 'Export',
|
||||
'next_step' => 'Nächster Schritt',
|
||||
'no_tenant_reviews_yet' => 'Noch keine Tenant-Reviews',
|
||||
'create_first_review_description' => 'Erstellen Sie das erste Review aus einem verankerten Evidence-Snapshot, um die wiederkehrende Review-Historie für diesen Tenant zu starten.',
|
||||
'create_first_review' => 'Erstes Review erstellen',
|
||||
'create_review' => 'Review erstellen',
|
||||
'evidence_basis' => 'Evidence-Basis',
|
||||
'evidence_basis_helper' => 'Wählen Sie den verankerten Evidence-Snapshot für dieses Review.',
|
||||
'unable_create_missing_context' => 'Review kann nicht erstellt werden - Kontext fehlt.',
|
||||
'select_valid_evidence_snapshot' => 'Wählen Sie einen gültigen Evidence-Snapshot aus.',
|
||||
'unable_create_review' => 'Review kann nicht erstellt werden',
|
||||
'review_already_available' => 'Review bereits verfügbar',
|
||||
'review_already_available_body' => 'Ein passendes veränderbares Review ist für diese Evidence-Basis bereits vorhanden.',
|
||||
'view_review' => 'Review anzeigen',
|
||||
'open_operation' => 'Operation öffnen',
|
||||
'review_composing_background' => 'Das Review wird im Hintergrund zusammengestellt.',
|
||||
'unable_export_missing_context' => 'Review kann nicht exportiert werden - Kontext fehlt.',
|
||||
'export_already_queued_body' => 'Ein Executive-Pack-Export ist für dieses Review bereits eingereiht oder läuft.',
|
||||
'executive_pack_export_unavailable' => 'Executive-Pack-Export nicht verfügbar',
|
||||
'unable_export_executive_pack' => 'Executive-Pack kann nicht exportiert werden',
|
||||
'executive_pack_already_available' => 'Executive-Pack bereits verfügbar',
|
||||
'executive_pack_already_available_body' => 'Ein passendes Executive-Pack ist für dieses Review bereits vorhanden.',
|
||||
'view_pack' => 'Pack anzeigen',
|
||||
'executive_pack_generating_background' => 'Das Executive-Pack wird im Hintergrund erstellt.',
|
||||
'review_explanation' => 'Review-Erklärung',
|
||||
'reason_owner' => 'Reason Owner',
|
||||
'platform_core' => 'Platform Core',
|
||||
'platform_reason_family' => 'Platform-Reason-Familie',
|
||||
'compatibility' => 'Kompatibilität',
|
||||
'highlights' => 'Highlights',
|
||||
'next_actions' => 'Nächste Aktionen',
|
||||
'related_context' => 'Verwandter Kontext',
|
||||
'publication_readiness' => 'Veröffentlichungsreife',
|
||||
'ready_for_publication' => 'Dieses Review ist bereit für Veröffentlichung und Executive-Pack-Export.',
|
||||
'internal_only' => 'Dieses Review ist aktuell nur für interne Nutzung geeignet.',
|
||||
'needs_follow_up' => 'Dieses Review benötigt vor der Veröffentlichung noch Nacharbeit.',
|
||||
'key_entries' => 'Wichtige Einträge',
|
||||
'entry' => 'Eintrag',
|
||||
'follow_up' => 'Follow-up',
|
||||
'diagnostics' => 'Diagnosen',
|
||||
'result_meaning' => 'Ergebnisbedeutung',
|
||||
'result_trust' => 'Ergebnisvertrauen',
|
||||
'artifact_truth' => 'Artifact Truth',
|
||||
'no_action_needed' => 'Keine Aktion erforderlich',
|
||||
'count' => 'Anzahl',
|
||||
'guidance' => 'Orientierung',
|
||||
'findings' => 'Findings',
|
||||
'reports' => 'Berichte',
|
||||
'operations' => 'Operationen',
|
||||
'pending_verification' => 'Verifizierung ausstehend',
|
||||
'verified_cleared' => 'Verifiziert bereinigt',
|
||||
'terminal_outcomes' => 'Terminale Ergebnisse',
|
||||
'pending' => 'Ausstehend',
|
||||
'operation' => 'Operation',
|
||||
'operation_description' => 'Prüfen Sie die letzte Review-Zusammenstellung oder den Aktualisierungslauf.',
|
||||
'executive_pack' => 'Executive-Pack',
|
||||
'view_executive_pack' => 'Executive-Pack anzeigen',
|
||||
'executive_pack_description' => 'Öffnet den aktuellen Export, der zu diesem Review gehört.',
|
||||
'customer_workspace' => 'Kunden-Workspace',
|
||||
'open_customer_workspace' => 'Kunden-Workspace öffnen',
|
||||
'customer_workspace_description' => 'Öffnet den kundensicheren Review-Workspace mit Filter auf diesen Tenant.',
|
||||
'view_evidence_snapshot' => 'Evidence-Snapshot anzeigen',
|
||||
'evidence_snapshot_description' => 'Zur Evidence-Basis hinter diesem Review zurückkehren.',
|
||||
],
|
||||
'findings' => [
|
||||
'all' => 'Alle',
|
||||
'needs_action' => 'Handlungsbedarf',
|
||||
'overdue' => 'Überfällig',
|
||||
'risk_accepted' => 'Risiko akzeptiert',
|
||||
'resolved' => 'Gelöst',
|
||||
'actions' => 'Aktionen',
|
||||
'open_approval_queue' => 'Freigabewarteschlange öffnen',
|
||||
],
|
||||
'notifications' => [
|
||||
'locale_override_saved' => 'Sprachüberschreibung angewendet.',
|
||||
'locale_override_cleared' => 'Sprachüberschreibung gelöscht.',
|
||||
'user_preference_saved' => 'Spracheinstellung gespeichert.',
|
||||
'user_preference_cleared' => 'Spracheinstellung gelöscht.',
|
||||
'workspace_settings_saved' => 'Workspace-Einstellungen gespeichert',
|
||||
'workspace_settings_unchanged' => 'Keine Einstellungsänderungen zu speichern',
|
||||
'workspace_setting_reset' => 'Workspace-Einstellung auf Standard zurückgesetzt',
|
||||
'setting_already_default' => 'Einstellung verwendet bereits den Standard',
|
||||
],
|
||||
'validation' => [
|
||||
'unsupported_locale' => 'Wählen Sie eine unterstützte Sprache.',
|
||||
],
|
||||
];
|
||||
230
apps/platform/lang/en/localization.php
Normal file
230
apps/platform/lang/en/localization.php
Normal file
@ -0,0 +1,230 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
return [
|
||||
'locales' => [
|
||||
'en' => 'English',
|
||||
'de' => 'German',
|
||||
],
|
||||
'source' => [
|
||||
'explicit_override' => 'session override',
|
||||
'user_preference' => 'personal preference',
|
||||
'workspace_default' => 'workspace default',
|
||||
'workspace_override' => 'workspace override',
|
||||
'system_default' => 'system default',
|
||||
],
|
||||
'shell' => [
|
||||
'language' => 'Language',
|
||||
'current_language' => 'Current language',
|
||||
'language_source' => 'Source: :source',
|
||||
'temporary_override' => 'Temporary override',
|
||||
'switch_language' => 'Switch language',
|
||||
'clear_override' => 'Use inherited language',
|
||||
'personal_preference' => 'Personal preference',
|
||||
'save_preference' => 'Save preference',
|
||||
'inherit_workspace' => 'Use workspace default',
|
||||
'workspace' => 'Workspace',
|
||||
'choose_workspace' => 'Choose workspace',
|
||||
'switch_workspace' => 'Switch workspace',
|
||||
'workspace_home' => 'Workspace Home',
|
||||
'tenant_scope' => 'Tenant scope',
|
||||
'select_tenant' => 'Select tenant',
|
||||
'selected_tenant' => 'Selected tenant',
|
||||
'no_tenant_selected' => 'No tenant selected',
|
||||
'switch_tenant' => 'Switch tenant',
|
||||
'clear_tenant_scope' => 'Clear tenant scope',
|
||||
'context_unavailable' => 'Context unavailable',
|
||||
'context_unavailable_workspace' => 'The requested scope could not be restored. The shell is showing a valid workspace state instead.',
|
||||
'context_unavailable_no_workspace' => 'Choose a workspace to continue with a valid admin context.',
|
||||
'no_active_tenants' => 'No active tenants are available for the standard operating context in this workspace.',
|
||||
'view_managed_tenants' => 'View managed tenants',
|
||||
'workspace_wide_available' => 'No tenant selected. Workspace-wide pages remain available, and choosing a tenant only sets the normal active operating context.',
|
||||
'search_tenants' => 'Search tenants...',
|
||||
'choose_workspace_first' => 'Choose a workspace first.',
|
||||
],
|
||||
'workspace' => [
|
||||
'title' => 'Workspace settings',
|
||||
'save' => 'Save',
|
||||
'reset' => 'Reset',
|
||||
'no_manage_permission' => 'You do not have permission to manage workspace settings.',
|
||||
'no_workspace_override' => 'No workspace override to reset.',
|
||||
'last_modified_by' => ':description - Last modified by :user, :time.',
|
||||
'section' => 'Localization settings',
|
||||
'section_description' => 'Workspace default used by users without a personal language preference.',
|
||||
'default_locale_label' => 'Default language',
|
||||
'default_locale_placeholder' => 'Unset (uses system default)',
|
||||
'default_locale_helper_unset' => 'Unset. Effective language: :locale (:source).',
|
||||
'default_locale_helper_set' => 'Effective language: :locale.',
|
||||
],
|
||||
'auth' => [
|
||||
'microsoft_not_configured' => 'Microsoft sign-in is not configured.',
|
||||
'sign_in_microsoft' => 'Sign in with Microsoft',
|
||||
'tenant_admin_membership_required' => 'Tenant Admin access requires a tenant membership.',
|
||||
],
|
||||
'navigation' => [
|
||||
'findings' => 'Findings',
|
||||
'settings' => 'Settings',
|
||||
'integrations' => 'Integrations',
|
||||
'manage_workspaces' => 'Manage workspaces',
|
||||
'operations' => 'Operations',
|
||||
'audit_log' => 'Audit Log',
|
||||
'alerts' => 'Alerts',
|
||||
'governance' => 'Governance',
|
||||
'monitoring' => 'Monitoring',
|
||||
'dashboard' => 'Dashboard',
|
||||
],
|
||||
'dashboard' => [
|
||||
'tenant_title' => 'Tenant dashboard',
|
||||
'system_title' => 'System dashboard',
|
||||
'request_support' => 'Request support',
|
||||
'support_request_heading' => 'Request support',
|
||||
'support_request_description' => 'Share a concise summary and TenantAtlas will attach redacted context from existing records.',
|
||||
'submit_request' => 'Submit request',
|
||||
'included_context' => 'Included context',
|
||||
'severity' => 'Severity',
|
||||
'summary' => 'Summary',
|
||||
'reproduction_notes' => 'Reproduction notes',
|
||||
'contact_name' => 'Contact name',
|
||||
'contact_email' => 'Contact email',
|
||||
'support_request_submitted' => 'Support request submitted',
|
||||
'open_support_diagnostics' => 'Open support diagnostics',
|
||||
'support_diagnostics' => 'Support diagnostics',
|
||||
'support_diagnostics_description' => 'Redacted tenant context from existing records.',
|
||||
'close' => 'Close',
|
||||
'time_window' => 'Time window',
|
||||
'window' => 'Window',
|
||||
'enter_break_glass' => 'Enter break-glass mode',
|
||||
'exit_break_glass' => 'Exit break-glass',
|
||||
'recovery_mode_enabled' => 'Recovery mode enabled',
|
||||
'recovery_mode_ended' => 'Recovery mode ended',
|
||||
],
|
||||
'review' => [
|
||||
'reporting' => 'Reporting',
|
||||
'customer_reviews' => 'Customer reviews',
|
||||
'customer_review_workspace' => 'Customer Review Workspace',
|
||||
'customer_safe_review_workspace' => 'Customer-safe review workspace',
|
||||
'customer_workspace_intro' => 'Review the latest published customer-safe posture for each entitled tenant without leaving the current workspace context.',
|
||||
'customer_workspace_canonical_note' => 'Opening a row returns to the existing tenant review detail so evidence, review packs, and audit-aware proof remain on their canonical tenant-scoped surfaces.',
|
||||
'reviews' => 'Reviews',
|
||||
'clear_filters' => 'Clear filters',
|
||||
'tenant' => 'Tenant',
|
||||
'latest_review' => 'Latest review',
|
||||
'key_findings' => 'Key findings',
|
||||
'accepted_risks' => 'Accepted risks',
|
||||
'published' => 'Published',
|
||||
'review_pack' => 'Review pack',
|
||||
'open_latest_review' => 'Open latest review',
|
||||
'download_review_pack' => 'Download review pack',
|
||||
'no_entitled_tenants' => 'No entitled tenants match this view',
|
||||
'clear_filters_description' => 'Clear the current filters to return to the full customer review workspace for your entitled tenants.',
|
||||
'adjust_filters_description' => 'Adjust filters to return to the full customer review workspace for your entitled tenants.',
|
||||
'no_published_review' => 'No published review',
|
||||
'no_published_review_available' => 'No published review available yet',
|
||||
'no_findings_recorded' => 'No findings recorded in the published review.',
|
||||
'findings_count_summary' => ':count findings summarized in the published review.',
|
||||
'findings_count_with_outcomes' => ':count findings. Terminal outcomes: :outcomes.',
|
||||
'no_accepted_risks_recorded' => 'No accepted risks recorded.',
|
||||
'accepted_risks_need_follow_up' => ':warnings accepted risks need governance follow-up (:total total).',
|
||||
'accepted_risks_governed' => ':count accepted risks are governed.',
|
||||
'accepted_risks_on_record' => ':count accepted risks are on record.',
|
||||
'unavailable' => 'Unavailable',
|
||||
'available' => 'Available',
|
||||
'outcome_summary' => 'Outcome summary',
|
||||
'review' => 'Review',
|
||||
'review_date' => 'Review date',
|
||||
'completeness' => 'Completeness',
|
||||
'evidence_snapshot' => 'Evidence snapshot',
|
||||
'current_export' => 'Current export',
|
||||
'executive_posture' => 'Executive posture',
|
||||
'sections' => 'Sections',
|
||||
'details' => 'Details',
|
||||
'export_executive_pack' => 'Export executive pack',
|
||||
'outcome' => 'Outcome',
|
||||
'export' => 'Export',
|
||||
'next_step' => 'Next step',
|
||||
'no_tenant_reviews_yet' => 'No tenant reviews yet',
|
||||
'create_first_review_description' => 'Create the first review from an anchored evidence snapshot to start the recurring review history for this tenant.',
|
||||
'create_first_review' => 'Create first review',
|
||||
'create_review' => 'Create review',
|
||||
'evidence_basis' => 'Evidence basis',
|
||||
'evidence_basis_helper' => 'Choose the anchored evidence snapshot for this review.',
|
||||
'unable_create_missing_context' => 'Unable to create review - missing context.',
|
||||
'select_valid_evidence_snapshot' => 'Select a valid evidence snapshot.',
|
||||
'unable_create_review' => 'Unable to create review',
|
||||
'review_already_available' => 'Review already available',
|
||||
'review_already_available_body' => 'A matching mutable review already exists for this evidence basis.',
|
||||
'view_review' => 'View review',
|
||||
'open_operation' => 'Open operation',
|
||||
'review_composing_background' => 'The review is being composed in the background.',
|
||||
'unable_export_missing_context' => 'Unable to export review - missing context.',
|
||||
'export_already_queued_body' => 'An executive pack export is already queued or running for this review.',
|
||||
'executive_pack_export_unavailable' => 'Executive pack export unavailable',
|
||||
'unable_export_executive_pack' => 'Unable to export executive pack',
|
||||
'executive_pack_already_available' => 'Executive pack already available',
|
||||
'executive_pack_already_available_body' => 'A matching executive pack already exists for this review.',
|
||||
'view_pack' => 'View pack',
|
||||
'executive_pack_generating_background' => 'The executive pack is being generated in the background.',
|
||||
'review_explanation' => 'Review explanation',
|
||||
'reason_owner' => 'Reason owner',
|
||||
'platform_core' => 'Platform core',
|
||||
'platform_reason_family' => 'Platform reason family',
|
||||
'compatibility' => 'Compatibility',
|
||||
'highlights' => 'Highlights',
|
||||
'next_actions' => 'Next actions',
|
||||
'related_context' => 'Related context',
|
||||
'publication_readiness' => 'Publication readiness',
|
||||
'ready_for_publication' => 'This review is ready for publication and executive-pack export.',
|
||||
'internal_only' => 'This review is currently safe for internal use only.',
|
||||
'needs_follow_up' => 'This review still needs follow-up before publication.',
|
||||
'key_entries' => 'Key entries',
|
||||
'entry' => 'Entry',
|
||||
'follow_up' => 'Follow-up',
|
||||
'diagnostics' => 'Diagnostics',
|
||||
'result_meaning' => 'Result meaning',
|
||||
'result_trust' => 'Result trust',
|
||||
'artifact_truth' => 'Artifact truth',
|
||||
'no_action_needed' => 'No action needed',
|
||||
'count' => 'Count',
|
||||
'guidance' => 'Guidance',
|
||||
'findings' => 'Findings',
|
||||
'reports' => 'Reports',
|
||||
'operations' => 'Operations',
|
||||
'pending_verification' => 'Pending verification',
|
||||
'verified_cleared' => 'Verified cleared',
|
||||
'terminal_outcomes' => 'Terminal outcomes',
|
||||
'pending' => 'Pending',
|
||||
'operation' => 'Operation',
|
||||
'operation_description' => 'Inspect the latest review composition or refresh run.',
|
||||
'executive_pack' => 'Executive pack',
|
||||
'view_executive_pack' => 'View executive pack',
|
||||
'executive_pack_description' => 'Open the current export that belongs to this review.',
|
||||
'customer_workspace' => 'Customer workspace',
|
||||
'open_customer_workspace' => 'Open customer workspace',
|
||||
'customer_workspace_description' => 'Open the customer-safe review workspace prefiltered to this tenant.',
|
||||
'view_evidence_snapshot' => 'View evidence snapshot',
|
||||
'evidence_snapshot_description' => 'Return to the evidence basis behind this review.',
|
||||
],
|
||||
'findings' => [
|
||||
'all' => 'All',
|
||||
'needs_action' => 'Needs action',
|
||||
'overdue' => 'Overdue',
|
||||
'risk_accepted' => 'Risk accepted',
|
||||
'resolved' => 'Resolved',
|
||||
'actions' => 'Actions',
|
||||
'open_approval_queue' => 'Open approval queue',
|
||||
],
|
||||
'notifications' => [
|
||||
'locale_override_saved' => 'Language override applied.',
|
||||
'locale_override_cleared' => 'Language override cleared.',
|
||||
'user_preference_saved' => 'Language preference saved.',
|
||||
'user_preference_cleared' => 'Language preference cleared.',
|
||||
'workspace_settings_saved' => 'Workspace settings saved',
|
||||
'workspace_settings_unchanged' => 'No settings changes to save',
|
||||
'workspace_setting_reset' => 'Workspace setting reset to default',
|
||||
'setting_already_default' => 'Setting already uses default',
|
||||
],
|
||||
'validation' => [
|
||||
'unsupported_locale' => 'Choose a supported language.',
|
||||
],
|
||||
];
|
||||
@ -1,7 +1,10 @@
|
||||
@php
|
||||
use App\Support\Verification\VerificationLinkBehavior;
|
||||
|
||||
$help = is_array($help ?? null) ? $help : [];
|
||||
$links = is_array($help['docs_links'] ?? null) ? $help['docs_links'] : [];
|
||||
$steps = is_array($help['troubleshooting_steps'] ?? null) ? $help['troubleshooting_steps'] : [];
|
||||
$linkBehavior = app(VerificationLinkBehavior::class);
|
||||
$headline = is_string($help['headline'] ?? null) && trim((string) ($help['headline'] ?? '')) !== ''
|
||||
? (string) ($help['headline'])
|
||||
: 'Contextual help';
|
||||
@ -57,9 +60,16 @@
|
||||
<div class="flex flex-wrap gap-2">
|
||||
@foreach ($links as $link)
|
||||
@php
|
||||
$linkLabel = is_string($link['label'] ?? null) && trim((string) ($link['label'] ?? '')) !== ''
|
||||
? (string) $link['label']
|
||||
: 'Open';
|
||||
$linkUrl = is_string($link['url'] ?? null) && trim((string) ($link['url'] ?? '')) !== ''
|
||||
? (string) $link['url']
|
||||
: null;
|
||||
$behavior = $linkUrl !== null
|
||||
? $linkBehavior->describe($linkLabel, $linkUrl)
|
||||
: null;
|
||||
$testId = 'contextual-help-link-'.\Illuminate\Support\Str::slug($linkLabel);
|
||||
@endphp
|
||||
|
||||
@if ($linkUrl)
|
||||
@ -68,8 +78,11 @@
|
||||
:href="$linkUrl"
|
||||
size="sm"
|
||||
color="primary"
|
||||
:target="(bool) ($behavior['opens_in_new_tab'] ?? false) ? '_blank' : null"
|
||||
:rel="(bool) ($behavior['opens_in_new_tab'] ?? false) ? 'noopener noreferrer' : null"
|
||||
:data-testid="$testId"
|
||||
>
|
||||
{{ (string) ($link['label'] ?? 'Open') }}
|
||||
{{ $linkLabel }}
|
||||
</x-filament::button>
|
||||
@endif
|
||||
@endforeach
|
||||
|
||||
@ -37,7 +37,7 @@
|
||||
$compressedOutcome['primaryLabel'] ?? null,
|
||||
$state['primaryLabel'] ?? null,
|
||||
$operatorExplanation['headline'] ?? null,
|
||||
'Artifact truth',
|
||||
__('localization.review.artifact_truth'),
|
||||
]);
|
||||
$primaryReason = $firstArtifactTruthText([
|
||||
$compressedOutcome['primaryReason'] ?? null,
|
||||
@ -49,7 +49,7 @@
|
||||
$compressedOutcome['nextActionText'] ?? null,
|
||||
data_get($operatorExplanation, 'nextAction.text'),
|
||||
$state['nextActionLabel'] ?? null,
|
||||
'No action needed',
|
||||
__('localization.review.no_action_needed'),
|
||||
]);
|
||||
$diagnosticsSummary = $firstArtifactTruthText([
|
||||
$compressedOutcome['diagnosticsSummary'] ?? null,
|
||||
@ -81,7 +81,7 @@
|
||||
|
||||
if ($evaluationSpec && $evaluationSpec->label !== 'Unknown') {
|
||||
$summaryFacts->push([
|
||||
'label' => 'Result meaning',
|
||||
'label' => __('localization.review.result_meaning'),
|
||||
'value' => $evaluationSpec->label,
|
||||
'badge' => BadgeCatalog::summaryData($evaluationSpec),
|
||||
]);
|
||||
@ -89,7 +89,7 @@
|
||||
|
||||
if ($trustSpec && $trustSpec->label !== 'Unknown') {
|
||||
$summaryFacts->push([
|
||||
'label' => 'Result trust',
|
||||
'label' => __('localization.review.result_trust'),
|
||||
'value' => $trustSpec->label,
|
||||
'badge' => BadgeCatalog::summaryData($trustSpec),
|
||||
]);
|
||||
@ -133,7 +133,7 @@
|
||||
|
||||
<div class="rounded-xl border border-gray-200 bg-white p-4 shadow-sm dark:border-gray-800 dark:bg-gray-900">
|
||||
<div class="text-xs font-semibold uppercase tracking-[0.16em] text-gray-500 dark:text-gray-400">
|
||||
Diagnostics
|
||||
{{ __('localization.review.diagnostics') }}
|
||||
</div>
|
||||
|
||||
<div class="mt-3 space-y-2">
|
||||
@ -164,7 +164,7 @@
|
||||
|
||||
<div class="rounded-md border border-gray-100 bg-gray-50 px-3 py-2 dark:border-gray-800 dark:bg-gray-950/60">
|
||||
<div class="text-[11px] font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">
|
||||
{{ $count['label'] ?? 'Count' }}
|
||||
{{ $count['label'] ?? __('localization.review.count') }}
|
||||
</div>
|
||||
<div class="mt-1 text-lg font-semibold text-gray-900 dark:text-gray-100">
|
||||
{{ (int) ($count['value'] ?? 0) }}
|
||||
@ -211,7 +211,7 @@
|
||||
|
||||
<dl class="grid gap-3 sm:grid-cols-2 xl:grid-cols-4">
|
||||
<div class="rounded-md border border-gray-100 bg-gray-50 px-3 py-2 dark:border-gray-800 dark:bg-gray-950/60">
|
||||
<dt class="text-[11px] font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">Next step</dt>
|
||||
<dt class="text-[11px] font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">{{ __('localization.review.next_step') }}</dt>
|
||||
<dd class="mt-1 text-sm text-gray-900 dark:text-gray-100">
|
||||
{{ $nextActionText }}
|
||||
</dd>
|
||||
@ -237,7 +237,7 @@
|
||||
|
||||
@if ($nextSteps !== [])
|
||||
<div class="space-y-2">
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">Guidance</div>
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">{{ __('localization.review.guidance') }}</div>
|
||||
<ul class="space-y-1 text-sm text-gray-700 dark:text-gray-300">
|
||||
@foreach ($nextSteps as $step)
|
||||
@continue(! is_string($step) || trim($step) === '')
|
||||
|
||||
@ -42,14 +42,14 @@
|
||||
|
||||
@if ($entries !== [])
|
||||
<div class="space-y-2">
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">Key entries</div>
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">{{ __('localization.review.key_entries') }}</div>
|
||||
<div class="space-y-2">
|
||||
@foreach ($entries as $entry)
|
||||
@continue(! is_array($entry))
|
||||
|
||||
<div class="rounded-md border border-gray-100 bg-gray-50 px-3 py-3 text-sm dark:border-gray-800 dark:bg-gray-950/60">
|
||||
<div class="font-medium text-gray-900 dark:text-gray-100">
|
||||
{{ $entry['title'] ?? $entry['displayName'] ?? $entry['type'] ?? 'Entry' }}
|
||||
{{ $entry['title'] ?? $entry['displayName'] ?? $entry['type'] ?? __('localization.review.entry') }}
|
||||
</div>
|
||||
|
||||
@php
|
||||
@ -82,7 +82,7 @@
|
||||
|
||||
@if ($nextActions !== [])
|
||||
<div class="space-y-2">
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">Follow-up</div>
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">{{ __('localization.review.follow_up') }}</div>
|
||||
<ul class="space-y-1 text-sm text-gray-700 dark:text-gray-300">
|
||||
@foreach ($nextActions as $action)
|
||||
@continue(! is_string($action) || trim($action) === '')
|
||||
|
||||
@ -25,7 +25,7 @@
|
||||
@if ($operatorExplanation !== [])
|
||||
<div class="rounded-lg border border-gray-200 bg-white px-4 py-3 shadow-sm dark:border-gray-800 dark:bg-gray-900/70">
|
||||
<div class="text-sm font-semibold text-gray-950 dark:text-white">
|
||||
{{ $operatorExplanation['headline'] ?? 'Review explanation' }}
|
||||
{{ $operatorExplanation['headline'] ?? __('localization.review.review_explanation') }}
|
||||
</div>
|
||||
|
||||
@if (filled($operatorExplanation['reliabilityStatement'] ?? null))
|
||||
@ -45,13 +45,13 @@
|
||||
@if ($reasonSemantics !== [])
|
||||
<dl class="grid grid-cols-1 gap-3 md:grid-cols-2">
|
||||
<div class="rounded-md border border-gray-100 bg-gray-50 px-3 py-2 dark:border-gray-800 dark:bg-gray-950/60">
|
||||
<dt class="text-[11px] font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">Reason owner</dt>
|
||||
<dd class="mt-1 text-sm text-gray-900 dark:text-gray-100">{{ $reasonSemantics['owner_label'] ?? 'Platform core' }}</dd>
|
||||
<dt class="text-[11px] font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">{{ __('localization.review.reason_owner') }}</dt>
|
||||
<dd class="mt-1 text-sm text-gray-900 dark:text-gray-100">{{ $reasonSemantics['owner_label'] ?? __('localization.review.platform_core') }}</dd>
|
||||
</div>
|
||||
|
||||
<div class="rounded-md border border-gray-100 bg-gray-50 px-3 py-2 dark:border-gray-800 dark:bg-gray-950/60">
|
||||
<dt class="text-[11px] font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">Platform reason family</dt>
|
||||
<dd class="mt-1 text-sm text-gray-900 dark:text-gray-100">{{ $reasonSemantics['family_label'] ?? 'Compatibility' }}</dd>
|
||||
<dt class="text-[11px] font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">{{ __('localization.review.platform_reason_family') }}</dt>
|
||||
<dd class="mt-1 text-sm text-gray-900 dark:text-gray-100">{{ $reasonSemantics['family_label'] ?? __('localization.review.compatibility') }}</dd>
|
||||
</div>
|
||||
</dl>
|
||||
@endif
|
||||
@ -74,7 +74,7 @@
|
||||
|
||||
@if ($highlights !== [])
|
||||
<div class="space-y-2">
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">Highlights</div>
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">{{ __('localization.review.highlights') }}</div>
|
||||
<ul class="space-y-1 text-sm text-gray-700 dark:text-gray-300">
|
||||
@foreach ($highlights as $highlight)
|
||||
@continue(! is_string($highlight) || trim($highlight) === '')
|
||||
@ -87,7 +87,7 @@
|
||||
|
||||
@if ($nextActions !== [])
|
||||
<div class="space-y-2">
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">Next actions</div>
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">{{ __('localization.review.next_actions') }}</div>
|
||||
<ul class="space-y-1 text-sm text-gray-700 dark:text-gray-300">
|
||||
@foreach ($nextActions as $action)
|
||||
@continue(! is_string($action) || trim($action) === '')
|
||||
@ -100,7 +100,7 @@
|
||||
|
||||
@if ($contextLinks !== [])
|
||||
<div class="space-y-2">
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">Related context</div>
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">{{ __('localization.review.related_context') }}</div>
|
||||
<div class="grid gap-3 md:grid-cols-3">
|
||||
@foreach ($contextLinks as $link)
|
||||
@php
|
||||
@ -130,11 +130,11 @@
|
||||
@endif
|
||||
|
||||
<div class="space-y-2">
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">Publication readiness</div>
|
||||
<div class="text-xs font-semibold uppercase tracking-wide text-gray-500 dark:text-gray-400">{{ __('localization.review.publication_readiness') }}</div>
|
||||
|
||||
@if ($publishBlockers === [] && $decisionDirection === 'publishable')
|
||||
<div class="rounded-md border border-emerald-100 bg-emerald-50 px-3 py-2 text-sm text-emerald-800 dark:border-emerald-900/40 dark:bg-emerald-950/30 dark:text-emerald-200">
|
||||
This review is ready for publication and executive-pack export.
|
||||
{{ __('localization.review.ready_for_publication') }}
|
||||
</div>
|
||||
@elseif ($publishBlockers !== [])
|
||||
<ul class="space-y-1 text-sm text-amber-800 dark:text-amber-200">
|
||||
@ -146,7 +146,7 @@
|
||||
</ul>
|
||||
@elseif ($decisionDirection === 'internal_only')
|
||||
<div class="rounded-md border border-amber-100 bg-amber-50 px-3 py-2 text-sm text-amber-800 dark:border-amber-900/40 dark:bg-amber-950/30 dark:text-amber-200">
|
||||
<div>This review is currently safe for internal use only.</div>
|
||||
<div>{{ __('localization.review.internal_only') }}</div>
|
||||
|
||||
@if ($publicationNextAction !== null)
|
||||
<div class="mt-1">{{ $publicationNextAction }}</div>
|
||||
@ -154,7 +154,7 @@
|
||||
</div>
|
||||
@else
|
||||
<div class="rounded-md border border-amber-100 bg-amber-50 px-3 py-2 text-sm text-amber-800 dark:border-amber-900/40 dark:bg-amber-950/30 dark:text-amber-200">
|
||||
{{ $publicationNextAction ?? $publicationReason ?? 'This review still needs follow-up before publication.' }}
|
||||
{{ $publicationNextAction ?? $publicationReason ?? __('localization.review.needs_follow_up') }}
|
||||
</div>
|
||||
@endif
|
||||
</div>
|
||||
|
||||
@ -14,7 +14,7 @@
|
||||
|
||||
@if (! $isConfigured)
|
||||
<div class="rounded-md bg-amber-50 p-4 text-sm text-amber-900 dark:bg-amber-950/30 dark:text-amber-200">
|
||||
Microsoft sign-in is not configured.
|
||||
{{ __('localization.auth.microsoft_not_configured') }}
|
||||
</div>
|
||||
@endif
|
||||
|
||||
@ -25,11 +25,11 @@
|
||||
:disabled="! $isConfigured"
|
||||
color="primary"
|
||||
>
|
||||
Sign in with Microsoft
|
||||
{{ __('localization.auth.sign_in_microsoft') }}
|
||||
</x-filament::button>
|
||||
|
||||
<div class="text-center text-sm text-gray-500 dark:text-gray-400">
|
||||
Tenant Admin access requires a tenant membership.
|
||||
{{ __('localization.auth.tenant_admin_membership_required') }}
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
@ -2,18 +2,18 @@
|
||||
<x-filament::section>
|
||||
<div class="flex flex-col gap-3">
|
||||
<div class="text-lg font-semibold text-gray-900 dark:text-gray-100">
|
||||
Customer-safe review workspace
|
||||
{{ __('localization.review.customer_safe_review_workspace') }}
|
||||
</div>
|
||||
|
||||
<div class="text-sm text-gray-600 dark:text-gray-300">
|
||||
Review the latest published customer-safe posture for each entitled tenant without leaving the current workspace context.
|
||||
{{ __('localization.review.customer_workspace_intro') }}
|
||||
</div>
|
||||
|
||||
<div class="text-sm text-gray-600 dark:text-gray-300">
|
||||
Opening a row returns to the existing tenant review detail so evidence, review packs, and audit-aware proof remain on their canonical tenant-scoped surfaces.
|
||||
{{ __('localization.review.customer_workspace_canonical_note') }}
|
||||
</div>
|
||||
</div>
|
||||
</x-filament::section>
|
||||
|
||||
{{ $this->table }}
|
||||
</x-filament-panels::page>
|
||||
</x-filament-panels::page>
|
||||
|
||||
@ -31,8 +31,8 @@
|
||||
@endphp
|
||||
|
||||
@php
|
||||
$tenantLabel = $currentTenantName ?? 'No tenant selected';
|
||||
$workspaceLabel = $workspace?->name ?? 'Choose workspace';
|
||||
$tenantLabel = $currentTenantName ?? __('localization.shell.no_tenant_selected');
|
||||
$workspaceLabel = $workspace?->name ?? __('localization.shell.choose_workspace');
|
||||
$hasActiveTenant = $currentTenantName !== null;
|
||||
$managedTenantsUrl = $workspace
|
||||
? route('admin.workspace.managed-tenants.index', ['workspace' => $workspace])
|
||||
@ -40,7 +40,8 @@
|
||||
$workspaceUrl = $workspace
|
||||
? route('admin.home')
|
||||
: ChooseWorkspace::getUrl(panel: 'admin');
|
||||
$tenantTriggerLabel = $workspace ? $tenantLabel : 'Choose workspace';
|
||||
$tenantTriggerLabel = $workspace ? $tenantLabel : __('localization.shell.choose_workspace');
|
||||
$localePlane = Filament::getCurrentPanel()?->getId() === 'tenant' ? 'tenant' : 'admin';
|
||||
@endphp
|
||||
|
||||
<div class="inline-flex items-center gap-0 rounded-lg border border-gray-200 bg-white text-sm dark:border-white/10 dark:bg-white/5">
|
||||
@ -63,7 +64,7 @@ class="inline-flex items-center gap-1.5 rounded-l-lg px-2.5 py-1.5 font-medium t
|
||||
<x-slot name="trigger">
|
||||
<button
|
||||
type="button"
|
||||
aria-label="{{ $workspace ? 'Tenant scope' : 'Select tenant' }}"
|
||||
aria-label="{{ $workspace ? __('localization.shell.tenant_scope') : __('localization.shell.select_tenant') }}"
|
||||
class="inline-flex items-center gap-1.5 rounded-r-lg px-2 py-1.5 transition hover:bg-gray-50 dark:hover:bg-white/10"
|
||||
>
|
||||
<span class="{{ $workspace && $hasActiveTenant ? 'font-medium text-primary-600 dark:text-primary-400' : 'text-gray-500 dark:text-gray-400' }}">
|
||||
@ -78,12 +79,12 @@ class="inline-flex items-center gap-1.5 rounded-r-lg px-2 py-1.5 transition hove
|
||||
<div class="space-y-3 px-3 py-2" x-data="{ query: '' }">
|
||||
@if ($resolvedContext->showsRecoveryNotice())
|
||||
<div class="rounded-lg border border-amber-200 bg-amber-50 px-3 py-2 text-xs text-amber-800 dark:border-amber-500/30 dark:bg-amber-500/10 dark:text-amber-200">
|
||||
<div class="font-semibold">Context unavailable</div>
|
||||
<div class="font-semibold">{{ __('localization.shell.context_unavailable') }}</div>
|
||||
|
||||
@if ($workspace)
|
||||
<div>The requested scope could not be restored. The shell is showing a valid workspace state instead.</div>
|
||||
<div>{{ __('localization.shell.context_unavailable_workspace') }}</div>
|
||||
@else
|
||||
<div>Choose a workspace to continue with a valid admin context.</div>
|
||||
<div>{{ __('localization.shell.context_unavailable_no_workspace') }}</div>
|
||||
@endif
|
||||
</div>
|
||||
@endif
|
||||
@ -91,7 +92,7 @@ class="inline-flex items-center gap-1.5 rounded-r-lg px-2 py-1.5 transition hove
|
||||
{{-- Workspace section --}}
|
||||
<div class="space-y-1">
|
||||
<div class="text-xs font-semibold uppercase tracking-wider text-gray-400 dark:text-gray-500">
|
||||
Workspace
|
||||
{{ __('localization.shell.workspace') }}
|
||||
</div>
|
||||
|
||||
<div class="flex items-center justify-between rounded-lg bg-gray-50 px-3 py-2 dark:bg-white/5">
|
||||
@ -104,7 +105,7 @@ class="inline-flex items-center gap-1.5 rounded-r-lg px-2 py-1.5 transition hove
|
||||
href="{{ ChooseWorkspace::getUrl(panel: 'admin').'?choose=1' }}"
|
||||
class="text-xs font-medium text-primary-600 hover:text-primary-500 dark:text-primary-400 dark:hover:text-primary-300"
|
||||
>
|
||||
Switch workspace
|
||||
{{ __('localization.shell.switch_workspace') }}
|
||||
</a>
|
||||
</div>
|
||||
|
||||
@ -113,7 +114,7 @@ class="text-xs font-medium text-primary-600 hover:text-primary-500 dark:text-pri
|
||||
class="flex items-center gap-2 rounded-lg px-3 py-2 text-sm text-gray-700 transition hover:bg-gray-50 dark:text-gray-300 dark:hover:bg-white/5"
|
||||
>
|
||||
<x-filament::icon icon="heroicon-o-home" class="h-4 w-4 text-gray-400 dark:text-gray-500" />
|
||||
Workspace Home
|
||||
{{ __('localization.shell.workspace_home') }}
|
||||
</a>
|
||||
</div>
|
||||
|
||||
@ -124,7 +125,7 @@ class="flex items-center gap-2 rounded-lg px-3 py-2 text-sm text-gray-700 transi
|
||||
<div class="space-y-2">
|
||||
<div class="flex items-center justify-between">
|
||||
<div class="text-xs font-semibold uppercase tracking-wider text-gray-400 dark:text-gray-500">
|
||||
Selected tenant
|
||||
{{ __('localization.shell.selected_tenant') }}
|
||||
</div>
|
||||
</div>
|
||||
|
||||
@ -137,7 +138,7 @@ class="flex items-center gap-2 rounded-lg px-3 py-2 text-sm text-gray-700 transi
|
||||
href="{{ ChooseTenant::getUrl(panel: 'admin') }}"
|
||||
class="ml-auto text-xs font-medium text-primary-600 hover:text-primary-500 dark:text-primary-400 dark:hover:text-primary-300"
|
||||
>
|
||||
Switch tenant
|
||||
{{ __('localization.shell.switch_tenant') }}
|
||||
</a>
|
||||
</div>
|
||||
|
||||
@ -146,7 +147,7 @@ class="ml-auto text-xs font-medium text-primary-600 hover:text-primary-500 dark:
|
||||
@csrf
|
||||
|
||||
<button type="submit" class="w-full rounded-lg px-3 py-1.5 text-left text-xs font-medium text-gray-500 transition hover:bg-gray-50 hover:text-gray-700 dark:text-gray-400 dark:hover:bg-white/5 dark:hover:text-gray-200">
|
||||
Clear tenant scope
|
||||
{{ __('localization.shell.clear_tenant_scope') }}
|
||||
</button>
|
||||
</form>
|
||||
@endif
|
||||
@ -154,23 +155,23 @@ class="ml-auto text-xs font-medium text-primary-600 hover:text-primary-500 dark:
|
||||
@else
|
||||
@if ($tenants->isEmpty())
|
||||
<div class="space-y-2 rounded-lg border border-dashed border-gray-300 px-3 py-3 text-center text-xs text-gray-500 dark:border-gray-600 dark:text-gray-400">
|
||||
<div>No active tenants are available for the standard operating context in this workspace.</div>
|
||||
<div>{{ __('localization.shell.no_active_tenants') }}</div>
|
||||
<a href="{{ $managedTenantsUrl }}" class="inline-flex items-center gap-1 text-primary-600 hover:text-primary-500 dark:text-primary-400 dark:hover:text-primary-300">
|
||||
<x-filament::icon icon="heroicon-o-arrow-top-right-on-square" class="h-3.5 w-3.5" />
|
||||
View managed tenants
|
||||
{{ __('localization.shell.view_managed_tenants') }}
|
||||
</a>
|
||||
</div>
|
||||
@else
|
||||
@if (! $hasActiveTenant)
|
||||
<div class="rounded-lg bg-gray-50 px-3 py-2 text-xs text-gray-600 dark:bg-white/5 dark:text-gray-400">
|
||||
No tenant selected. Workspace-wide pages remain available, and choosing a tenant only sets the normal active operating context.
|
||||
{{ __('localization.shell.workspace_wide_available') }}
|
||||
</div>
|
||||
@endif
|
||||
|
||||
<input
|
||||
type="text"
|
||||
class="fi-input fi-text-input w-full"
|
||||
placeholder="Search tenants…"
|
||||
placeholder="{{ __('localization.shell.search_tenants') }}"
|
||||
x-model="query"
|
||||
/>
|
||||
|
||||
@ -207,7 +208,7 @@ class="flex w-full items-center gap-2 px-3 py-2 text-left text-sm transition {{
|
||||
@csrf
|
||||
|
||||
<button type="submit" class="w-full rounded-lg px-3 py-1.5 text-left text-xs font-medium text-gray-500 transition hover:bg-gray-50 hover:text-gray-700 dark:text-gray-400 dark:hover:bg-white/5 dark:hover:text-gray-200">
|
||||
Clear tenant scope
|
||||
{{ __('localization.shell.clear_tenant_scope') }}
|
||||
</button>
|
||||
</form>
|
||||
@endif
|
||||
@ -216,10 +217,12 @@ class="flex w-full items-center gap-2 px-3 py-2 text-left text-sm transition {{
|
||||
</div>
|
||||
@else
|
||||
<div class="rounded-lg border border-dashed border-gray-300 px-3 py-3 text-center text-xs text-gray-500 dark:border-gray-600 dark:text-gray-400">
|
||||
Choose a workspace first.
|
||||
{{ __('localization.shell.choose_workspace_first') }}
|
||||
</div>
|
||||
@endif
|
||||
</div>
|
||||
</x-filament::dropdown.list>
|
||||
</x-filament::dropdown>
|
||||
|
||||
@include('filament.partials.locale-switcher', ['plane' => $localePlane, 'showPreference' => true, 'embedded' => true])
|
||||
</div>
|
||||
|
||||
@ -0,0 +1,110 @@
|
||||
@php
|
||||
use App\Models\User;
|
||||
use App\Services\Localization\LocaleResolver;
|
||||
|
||||
$plane = $plane ?? 'admin';
|
||||
$showPreference = (bool) ($showPreference ?? true);
|
||||
$embedded = (bool) ($embedded ?? false);
|
||||
|
||||
/** @var LocaleResolver $localeResolver */
|
||||
$localeResolver = app(LocaleResolver::class);
|
||||
$localeContext = request()->attributes->get(LocaleResolver::REQUEST_ATTRIBUTE);
|
||||
$localeContext = is_array($localeContext) ? $localeContext : $localeResolver->resolve(request(), $plane);
|
||||
$localeOptions = LocaleResolver::localeOptions();
|
||||
$currentLocale = (string) ($localeContext['locale'] ?? 'en');
|
||||
$source = (string) ($localeContext['source'] ?? LocaleResolver::SOURCE_SYSTEM_DEFAULT);
|
||||
$sourceLabel = __('localization.source.'.$source);
|
||||
$user = auth()->user();
|
||||
$preferredLocale = $user instanceof User ? $user->preferred_locale : null;
|
||||
@endphp
|
||||
|
||||
<div class="{{ $embedded ? 'border-l border-gray-200 dark:border-white/10' : 'inline-flex rounded-lg border border-gray-200 bg-white text-sm dark:border-white/10 dark:bg-white/5' }}">
|
||||
<x-filament::dropdown placement="bottom-end" teleport width="sm">
|
||||
<x-slot name="trigger">
|
||||
<button
|
||||
type="button"
|
||||
aria-label="{{ __('localization.shell.language') }}"
|
||||
class="inline-flex items-center gap-1.5 rounded-r-lg px-2 py-1.5 text-sm transition hover:bg-gray-50 dark:hover:bg-white/10"
|
||||
>
|
||||
<x-filament::icon icon="heroicon-o-language" class="h-4 w-4 text-gray-400 dark:text-gray-500" />
|
||||
<span class="font-medium text-gray-700 dark:text-gray-200">{{ strtoupper($currentLocale) }}</span>
|
||||
<x-filament::icon icon="heroicon-m-chevron-down" class="h-3.5 w-3.5 text-gray-400 dark:text-gray-500" />
|
||||
</button>
|
||||
</x-slot>
|
||||
|
||||
<x-filament::dropdown.list>
|
||||
<div class="space-y-3 px-3 py-2">
|
||||
<div class="space-y-1">
|
||||
<div class="text-xs font-semibold uppercase tracking-wider text-gray-400 dark:text-gray-500">
|
||||
{{ __('localization.shell.current_language') }}
|
||||
</div>
|
||||
<div class="rounded-lg bg-gray-50 px-3 py-2 dark:bg-white/5">
|
||||
<div class="text-sm font-medium text-gray-950 dark:text-white">
|
||||
{{ $localeOptions[$currentLocale] ?? strtoupper($currentLocale) }}
|
||||
</div>
|
||||
<div class="text-xs text-gray-500 dark:text-gray-400">
|
||||
{{ __('localization.shell.language_source', ['source' => $sourceLabel]) }}
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="border-t border-gray-200 dark:border-white/10"></div>
|
||||
|
||||
<form method="POST" action="{{ route('localization.override.update') }}" class="space-y-2">
|
||||
@csrf
|
||||
<label class="text-xs font-semibold uppercase tracking-wider text-gray-400 dark:text-gray-500" for="tenantpilot-locale-override-{{ $plane }}">
|
||||
{{ __('localization.shell.temporary_override') }}
|
||||
</label>
|
||||
<x-filament::input.wrapper class="w-full">
|
||||
<x-filament::input.select
|
||||
id="tenantpilot-locale-override-{{ $plane }}"
|
||||
name="locale"
|
||||
>
|
||||
@foreach ($localeOptions as $locale => $label)
|
||||
<option value="{{ $locale }}" @selected($currentLocale === $locale)>{{ $label }}</option>
|
||||
@endforeach
|
||||
</x-filament::input.select>
|
||||
</x-filament::input.wrapper>
|
||||
<button type="submit" class="w-full rounded-lg bg-primary-600 px-3 py-1.5 text-sm font-medium text-white transition hover:bg-primary-500">
|
||||
{{ __('localization.shell.switch_language') }}
|
||||
</button>
|
||||
</form>
|
||||
|
||||
@if ($source === LocaleResolver::SOURCE_EXPLICIT_OVERRIDE)
|
||||
<form method="POST" action="{{ route('localization.override.clear') }}">
|
||||
@csrf
|
||||
@method('DELETE')
|
||||
<button type="submit" class="w-full rounded-lg px-3 py-1.5 text-left text-xs font-medium text-gray-500 transition hover:bg-gray-50 hover:text-gray-700 dark:text-gray-400 dark:hover:bg-white/5 dark:hover:text-gray-200">
|
||||
{{ __('localization.shell.clear_override') }}
|
||||
</button>
|
||||
</form>
|
||||
@endif
|
||||
|
||||
@if ($showPreference && $user instanceof User)
|
||||
<div class="border-t border-gray-200 dark:border-white/10"></div>
|
||||
|
||||
<form method="POST" action="{{ route('localization.preference.update') }}" class="space-y-2">
|
||||
@csrf
|
||||
<label class="text-xs font-semibold uppercase tracking-wider text-gray-400 dark:text-gray-500" for="tenantpilot-locale-preference-{{ $plane }}">
|
||||
{{ __('localization.shell.personal_preference') }}
|
||||
</label>
|
||||
<x-filament::input.wrapper class="w-full">
|
||||
<x-filament::input.select
|
||||
id="tenantpilot-locale-preference-{{ $plane }}"
|
||||
name="preferred_locale"
|
||||
>
|
||||
<option value="" @selected($preferredLocale === null)>{{ __('localization.shell.inherit_workspace') }}</option>
|
||||
@foreach ($localeOptions as $locale => $label)
|
||||
<option value="{{ $locale }}" @selected($preferredLocale === $locale)>{{ $label }}</option>
|
||||
@endforeach
|
||||
</x-filament::input.select>
|
||||
</x-filament::input.wrapper>
|
||||
<button type="submit" class="w-full rounded-lg px-3 py-1.5 text-sm font-medium text-primary-600 transition hover:bg-primary-50 hover:text-primary-500 dark:text-primary-400 dark:hover:bg-primary-500/10 dark:hover:text-primary-300">
|
||||
{{ __('localization.shell.save_preference') }}
|
||||
</button>
|
||||
</form>
|
||||
@endif
|
||||
</div>
|
||||
</x-filament::dropdown.list>
|
||||
</x-filament::dropdown>
|
||||
</div>
|
||||
@ -1,13 +1,3 @@
|
||||
@php
|
||||
$findingsLastRun = $this->findingsLastRun();
|
||||
$findingsLastRunStatusSpec = $findingsLastRun
|
||||
? \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::OperationRunStatus, (string) $findingsLastRun->status)
|
||||
: null;
|
||||
$findingsLastRunOutcomeSpec = $findingsLastRun && (string) $findingsLastRun->status === 'completed'
|
||||
? \App\Support\Badges\BadgeRenderer::spec(\App\Support\Badges\BadgeDomain::OperationRunOutcome, (string) $findingsLastRun->outcome)
|
||||
: null;
|
||||
@endphp
|
||||
|
||||
<x-filament-panels::page>
|
||||
<div class="space-y-6">
|
||||
<x-filament::section>
|
||||
@ -17,7 +7,7 @@
|
||||
<div>
|
||||
<p class="text-sm font-semibold text-amber-700 dark:text-amber-300">Operator warning</p>
|
||||
<p class="mt-1 text-sm text-gray-600 dark:text-gray-300">
|
||||
Runbooks can modify or assess customer data across tenants. Always run preflight first, and ensure you have the correct scope selected.
|
||||
Runbooks can modify or assess customer data across tenants. When supported runbooks are available, verify scope and confirmation requirements before execution.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
@ -25,100 +15,17 @@
|
||||
|
||||
<x-filament::section>
|
||||
<x-slot name="heading">
|
||||
Rebuild Findings Lifecycle
|
||||
No supported runbooks
|
||||
</x-slot>
|
||||
|
||||
<x-slot name="description">
|
||||
Backfills legacy findings lifecycle fields, SLA due dates, and consolidates drift duplicate findings.
|
||||
Supported platform runbooks will appear here when they are part of current product truth.
|
||||
</x-slot>
|
||||
|
||||
<x-slot name="afterHeader">
|
||||
<x-filament::badge color="info" size="sm">
|
||||
{{ $this->findingsScopeLabel() }}
|
||||
</x-filament::badge>
|
||||
</x-slot>
|
||||
|
||||
<div class="space-y-4">
|
||||
@if ($findingsLastRun)
|
||||
<div class="flex flex-wrap items-center gap-x-4 gap-y-2 rounded-lg bg-gray-50 px-4 py-3 dark:bg-white/5">
|
||||
<span class="text-xs font-semibold uppercase tracking-wider text-gray-500 dark:text-gray-400">Last run</span>
|
||||
|
||||
<span class="text-sm text-gray-700 dark:text-gray-300">
|
||||
{{ $findingsLastRun->created_at?->diffForHumans() ?? '—' }}
|
||||
</span>
|
||||
|
||||
@if ($findingsLastRunStatusSpec)
|
||||
<x-filament::badge
|
||||
:color="$findingsLastRunStatusSpec->color"
|
||||
:icon="$findingsLastRunStatusSpec->icon"
|
||||
size="sm"
|
||||
>
|
||||
{{ $findingsLastRunStatusSpec->label }}
|
||||
</x-filament::badge>
|
||||
@endif
|
||||
|
||||
@if ($findingsLastRunOutcomeSpec)
|
||||
<x-filament::badge
|
||||
:color="$findingsLastRunOutcomeSpec->color"
|
||||
:icon="$findingsLastRunOutcomeSpec->icon"
|
||||
size="sm"
|
||||
>
|
||||
{{ $findingsLastRunOutcomeSpec->label }}
|
||||
</x-filament::badge>
|
||||
@endif
|
||||
|
||||
@if ($findingsLastRun->initiator_name)
|
||||
<span class="text-xs text-gray-500 dark:text-gray-400">
|
||||
by {{ $findingsLastRun->initiator_name }}
|
||||
</span>
|
||||
@endif
|
||||
</div>
|
||||
@endif
|
||||
|
||||
@if (is_array($this->findingsPreflight))
|
||||
<div class="grid grid-cols-1 gap-4 sm:grid-cols-3">
|
||||
<x-filament::section>
|
||||
<div class="text-center">
|
||||
<p class="text-xs font-semibold uppercase tracking-wider text-gray-500 dark:text-gray-400">Affected</p>
|
||||
<p class="mt-2 text-3xl font-bold tabular-nums text-gray-950 dark:text-white">
|
||||
{{ number_format((int) ($this->findingsPreflight['affected_count'] ?? 0)) }}
|
||||
</p>
|
||||
</div>
|
||||
</x-filament::section>
|
||||
|
||||
<x-filament::section>
|
||||
<div class="text-center">
|
||||
<p class="text-xs font-semibold uppercase tracking-wider text-gray-500 dark:text-gray-400">Total scanned</p>
|
||||
<p class="mt-2 text-3xl font-bold tabular-nums text-gray-950 dark:text-white">
|
||||
{{ number_format((int) ($this->findingsPreflight['total_count'] ?? 0)) }}
|
||||
</p>
|
||||
</div>
|
||||
</x-filament::section>
|
||||
|
||||
<x-filament::section>
|
||||
<div class="text-center">
|
||||
<p class="text-xs font-semibold uppercase tracking-wider text-gray-500 dark:text-gray-400">Estimated tenants</p>
|
||||
<p class="mt-2 text-3xl font-bold tabular-nums text-gray-950 dark:text-white">
|
||||
{{ is_numeric($this->findingsPreflight['estimated_tenants'] ?? null) ? number_format((int) $this->findingsPreflight['estimated_tenants']) : '—' }}
|
||||
</p>
|
||||
</div>
|
||||
</x-filament::section>
|
||||
</div>
|
||||
|
||||
@if ((int) ($this->findingsPreflight['affected_count'] ?? 0) <= 0)
|
||||
<div class="flex items-center gap-2 text-sm text-gray-500 dark:text-gray-400">
|
||||
<x-heroicon-m-check-circle class="h-5 w-5 text-success-500" />
|
||||
Nothing to do for the current scope.
|
||||
</div>
|
||||
@endif
|
||||
@else
|
||||
<div class="flex items-center gap-2 text-sm text-gray-500 dark:text-gray-400">
|
||||
<x-heroicon-m-magnifying-glass class="h-5 w-5" />
|
||||
Run <span class="mx-1 font-semibold text-gray-700 dark:text-gray-200">Preflight</span> to see how many findings would change for the selected scope.
|
||||
</div>
|
||||
@endif
|
||||
<div class="flex items-center gap-2 text-sm text-gray-500 dark:text-gray-400">
|
||||
<x-heroicon-m-check-circle class="h-5 w-5 text-success-500" />
|
||||
There are no operator-run repair runbooks exposed on this surface.
|
||||
</div>
|
||||
</x-filament::section>
|
||||
|
||||
</div>
|
||||
</x-filament-panels::page>
|
||||
|
||||
@ -4,6 +4,7 @@
|
||||
use App\Http\Controllers\AdminConsentCallbackController;
|
||||
use App\Http\Controllers\Auth\EntraController;
|
||||
use App\Http\Controllers\ClearTenantContextController;
|
||||
use App\Http\Controllers\LocalizationController;
|
||||
use App\Http\Controllers\OpenFindingExceptionsQueueController;
|
||||
use App\Http\Controllers\RbacDelegatedAuthController;
|
||||
use App\Http\Controllers\ReviewPackDownloadController;
|
||||
@ -67,6 +68,21 @@
|
||||
->middleware('throttle:entra-callback')
|
||||
->name('auth.entra.callback');
|
||||
|
||||
Route::middleware(['web'])->group(function (): void {
|
||||
Route::get('/localization/context', [LocalizationController::class, 'context'])
|
||||
->name('localization.context');
|
||||
|
||||
Route::post('/localization/override', [LocalizationController::class, 'updateOverride'])
|
||||
->name('localization.override.update');
|
||||
|
||||
Route::delete('/localization/override', [LocalizationController::class, 'clearOverride'])
|
||||
->name('localization.override.clear');
|
||||
});
|
||||
|
||||
Route::middleware(['web', 'auth', 'ensure-correct-guard:web'])
|
||||
->post('/users/me/locale-preference', [LocalizationController::class, 'updateUserPreference'])
|
||||
->name('localization.preference.update');
|
||||
|
||||
$makeSmokeCookie = static fn () => cookie()->make(
|
||||
SuppressDebugbarForSmokeRequests::COOKIE_NAME,
|
||||
SuppressDebugbarForSmokeRequests::COOKIE_VALUE,
|
||||
|
||||
@ -61,18 +61,6 @@
|
||||
]);
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
||||
|
||||
$visibleSelectValue = <<<'JS'
|
||||
(() => {
|
||||
const select = [...document.querySelectorAll('select')].find((element) => {
|
||||
const style = window.getComputedStyle(element);
|
||||
|
||||
return style.display !== 'none' && style.visibility !== 'hidden';
|
||||
});
|
||||
|
||||
return select?.value ?? null;
|
||||
})()
|
||||
JS;
|
||||
|
||||
$page = visit(route('admin.onboarding.draft', ['onboardingDraft' => (int) $draft->getKey()]));
|
||||
|
||||
$page
|
||||
@ -87,8 +75,8 @@
|
||||
->assertRoute('admin.onboarding.draft', ['onboardingDraft' => (int) $draft->getKey()])
|
||||
->assertSee('Verify access')
|
||||
->assertSee('Status: Not started')
|
||||
->click('Provider connection')
|
||||
->assertScript($visibleSelectValue, (string) $connection->getKey())
|
||||
->click('Select an existing connection or create a new one.')
|
||||
->assertSee('Edit selected connection')
|
||||
->click('Create new connection')
|
||||
->check('internal:label="Dedicated override"s')
|
||||
->fill('[type="password"]', 'browser-only-secret')
|
||||
@ -97,8 +85,8 @@
|
||||
->waitForText('Status: Not started')
|
||||
->assertRoute('admin.onboarding.draft', ['onboardingDraft' => (int) $draft->getKey()])
|
||||
->assertSee('Verify access')
|
||||
->click('Provider connection')
|
||||
->assertScript($visibleSelectValue, (string) $connection->getKey())
|
||||
->click('Select an existing connection or create a new one.')
|
||||
->assertSee('Edit selected connection')
|
||||
->click('Create new connection')
|
||||
->check('internal:label="Dedicated override"s')
|
||||
->assertValue('[type="password"]', '');
|
||||
|
||||
@ -86,18 +86,6 @@
|
||||
]);
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
||||
|
||||
$visibleSelectValue = <<<'JS'
|
||||
(() => {
|
||||
const select = [...document.querySelectorAll('select')].find((element) => {
|
||||
const style = window.getComputedStyle(element);
|
||||
|
||||
return style.display !== 'none' && style.visibility !== 'hidden';
|
||||
});
|
||||
|
||||
return select?.value ?? null;
|
||||
})()
|
||||
JS;
|
||||
|
||||
$page = visit(route('admin.onboarding.draft', ['onboardingDraft' => (int) $draft->getKey()]));
|
||||
|
||||
$page
|
||||
@ -113,8 +101,8 @@
|
||||
->assertRoute('admin.onboarding.draft', ['onboardingDraft' => (int) $draft->getKey()])
|
||||
->assertSee('Status: Needs attention')
|
||||
->assertSee('Start verification')
|
||||
->click('Provider connection')
|
||||
->assertScript($visibleSelectValue, (string) $selectedConnection->getKey());
|
||||
->click('Select an existing connection or create a new one.')
|
||||
->assertSee('Edit selected connection');
|
||||
});
|
||||
|
||||
it('preserves bootstrap revisit state and blocked activation guards after refresh', function (): void {
|
||||
@ -328,32 +316,14 @@
|
||||
->assertNoJavaScriptErrors()
|
||||
->assertRoute('admin.onboarding.draft', ['onboardingDraft' => (int) $draft->getKey()])
|
||||
->wait(1)
|
||||
->assertScript("document.querySelector('[data-testid=\"verification-assist-trigger\"]') !== null", true)
|
||||
->click('[data-testid="verification-assist-trigger"]')
|
||||
->assertScript("document.querySelector('[data-testid=\"verification-assist-root\"]') !== null", true)
|
||||
->assertAttribute('[data-testid="verification-assist-full-page"]', 'target', '_blank');
|
||||
|
||||
$page->script(<<<'JS'
|
||||
Object.defineProperty(navigator, 'clipboard', {
|
||||
configurable: true,
|
||||
value: {
|
||||
writeText: async () => Promise.resolve(),
|
||||
},
|
||||
});
|
||||
|
||||
document.querySelector('[data-testid="verification-assist-copy-application"]')?.click();
|
||||
JS);
|
||||
|
||||
$page
|
||||
->waitForText('Copied')
|
||||
->assertAttribute('[data-testid="verification-assist-full-page"]', 'rel', 'noopener noreferrer')
|
||||
->click('[data-testid="verification-assist-full-page"]')
|
||||
->assertScript("document.querySelector('[data-testid=\"contextual-help-link-open-required-permissions\"]') !== null", true)
|
||||
->assertAttribute('[data-testid="contextual-help-link-open-required-permissions"]', 'target', '_blank')
|
||||
->assertAttribute('[data-testid="contextual-help-link-open-required-permissions"]', 'rel', 'noopener noreferrer')
|
||||
->click('[data-testid="contextual-help-link-open-required-permissions"]')
|
||||
->wait(1)
|
||||
->assertRoute('admin.onboarding.draft', ['onboardingDraft' => (int) $draft->getKey()])
|
||||
->assertScript("document.querySelector('[data-testid=\"verification-assist-root\"]') !== null", true)
|
||||
->click('Close')
|
||||
->click('Provider connection')
|
||||
->assertSee('Select an existing connection or create a new one.');
|
||||
->click('Select an existing connection or create a new one.')
|
||||
->assertSee('Edit selected connection');
|
||||
});
|
||||
|
||||
it('opens the permissions assist from report remediation steps without leaving onboarding', function (): void {
|
||||
|
||||
@ -0,0 +1,23 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Services\Auth\RoleCapabilityMap;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\TenantRole;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\Gate;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
it('removes the acknowledged findings capability alias from shared RBAC truth', function (): void {
|
||||
expect(Capabilities::isKnown('tenant_findings.acknowledge'))->toBeFalse();
|
||||
expect(RoleCapabilityMap::rolesWithCapability('tenant_findings.acknowledge'))->toBe([]);
|
||||
});
|
||||
|
||||
it('keeps the canonical findings triage capability available to operators', function (): void {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'operator');
|
||||
|
||||
expect(RoleCapabilityMap::hasCapability(TenantRole::Operator, Capabilities::TENANT_FINDINGS_TRIAGE))->toBeTrue();
|
||||
expect(Gate::forUser($user)->allows(Capabilities::TENANT_FINDINGS_TRIAGE, $tenant))->toBeTrue();
|
||||
});
|
||||
@ -9,6 +9,7 @@
|
||||
use App\Services\Intune\AuditLogger;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Support\Baselines\BaselineCaptureMode;
|
||||
use App\Support\OperationRunType;
|
||||
|
||||
it('writes audit events for baseline capture start and completion with scope + gap summary', function () {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
@ -35,7 +36,7 @@
|
||||
$opService = app(OperationRunService::class);
|
||||
$run = $opService->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'baseline_capture',
|
||||
type: OperationRunType::BaselineCapture->value,
|
||||
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
||||
context: [
|
||||
'baseline_profile_id' => (int) $profile->getKey(),
|
||||
|
||||
@ -58,7 +58,7 @@
|
||||
$opService = app(OperationRunService::class);
|
||||
$run = $opService->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'baseline_capture',
|
||||
type: OperationRunType::BaselineCapture->value,
|
||||
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
||||
context: [
|
||||
'baseline_profile_id' => (int) $profile->getKey(),
|
||||
|
||||
@ -12,6 +12,7 @@
|
||||
use App\Services\Intune\AuditLogger;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Support\Baselines\BaselineSubjectKey;
|
||||
use App\Support\OperationRunType;
|
||||
|
||||
it('Baseline capture stores content fidelity hash when PolicyVersion evidence exists', function () {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
@ -73,7 +74,7 @@
|
||||
$opService = app(OperationRunService::class);
|
||||
$run = $opService->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'baseline_capture',
|
||||
type: OperationRunType::BaselineCapture->value,
|
||||
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
||||
context: [
|
||||
'baseline_profile_id' => (int) $profile->getKey(),
|
||||
|
||||
@ -18,6 +18,7 @@
|
||||
use App\Support\Baselines\BaselineCaptureMode;
|
||||
use App\Support\Baselines\BaselineSubjectKey;
|
||||
use App\Support\Baselines\PolicyVersionCapturePurpose;
|
||||
use App\Support\OperationRunType;
|
||||
|
||||
it('Baseline capture (full content) captures evidence on demand when missing', function () {
|
||||
config()->set('tenantpilot.baselines.full_content_capture.enabled', true);
|
||||
@ -119,7 +120,7 @@ public function capture(
|
||||
$opService = app(OperationRunService::class);
|
||||
$run = $opService->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'baseline_capture',
|
||||
type: OperationRunType::BaselineCapture->value,
|
||||
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
||||
context: [
|
||||
'baseline_profile_id' => (int) $profile->getKey(),
|
||||
|
||||
@ -64,7 +64,7 @@
|
||||
$opService = app(OperationRunService::class);
|
||||
$run = $opService->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'baseline_capture',
|
||||
type: OperationRunType::BaselineCapture->value,
|
||||
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
||||
context: [
|
||||
'baseline_profile_id' => (int) $profile->getKey(),
|
||||
|
||||
@ -14,6 +14,7 @@
|
||||
use App\Services\Intune\AuditLogger;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Support\Baselines\BaselineSubjectKey;
|
||||
use App\Support\OperationRunType;
|
||||
|
||||
it('captures intune role definitions with identity metadata and excludes role assignments from the baseline snapshot', function (): void {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
@ -104,7 +105,7 @@
|
||||
$operationRuns = app(OperationRunService::class);
|
||||
$run = $operationRuns->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'baseline_capture',
|
||||
type: OperationRunType::BaselineCapture->value,
|
||||
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
||||
context: [
|
||||
'baseline_profile_id' => (int) $profile->getKey(),
|
||||
|
||||
@ -17,6 +17,7 @@
|
||||
use App\Support\Baselines\BaselineReasonCodes;
|
||||
use App\Support\Baselines\BaselineSnapshotLifecycleState;
|
||||
use App\Support\Baselines\BaselineSubjectKey;
|
||||
use App\Support\OperationRunType;
|
||||
use Illuminate\Support\Facades\Queue;
|
||||
|
||||
function createBaselineCaptureInventoryBasis(
|
||||
@ -65,7 +66,7 @@ function runBaselineCaptureJob(
|
||||
|
||||
/** @var OperationRun $run */
|
||||
$run = $result['run'];
|
||||
expect($run->type)->toBe('baseline_capture');
|
||||
expect($run->type)->toBe(OperationRunType::BaselineCapture->value);
|
||||
expect($run->status)->toBe('queued');
|
||||
expect($run->tenant_id)->toBe((int) $tenant->getKey());
|
||||
|
||||
@ -104,7 +105,7 @@ function runBaselineCaptureJob(
|
||||
expect($result['reason_code'])->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_MISSING);
|
||||
|
||||
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCapture->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('rejects capture when the latest inventory sync was blocked', function () {
|
||||
@ -135,7 +136,7 @@ function runBaselineCaptureJob(
|
||||
expect($result['reason_code'])->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_BLOCKED);
|
||||
|
||||
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCapture->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('rejects capture when the latest inventory sync failed without falling back to an older success', function () {
|
||||
@ -166,7 +167,7 @@ function runBaselineCaptureJob(
|
||||
expect($result['reason_code'])->toBe(BaselineReasonCodes::CAPTURE_INVENTORY_FAILED);
|
||||
|
||||
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCapture->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('rejects capture when the latest inventory coverage is unusable for the baseline scope', function () {
|
||||
@ -189,7 +190,7 @@ function runBaselineCaptureJob(
|
||||
expect($result['reason_code'])->toBe(BaselineReasonCodes::CAPTURE_UNUSABLE_COVERAGE);
|
||||
|
||||
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCapture->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('rejects capture for a draft profile with reason code', function () {
|
||||
@ -209,7 +210,7 @@ function runBaselineCaptureJob(
|
||||
expect($result['reason_code'])->toBe('baseline.capture.profile_not_active');
|
||||
|
||||
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCapture->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('rejects capture for an archived profile with reason code', function () {
|
||||
@ -228,7 +229,7 @@ function runBaselineCaptureJob(
|
||||
expect($result['reason_code'])->toBe('baseline.capture.profile_not_active');
|
||||
|
||||
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCapture->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('rejects capture for a tenant from a different workspace', function () {
|
||||
@ -274,7 +275,7 @@ function runBaselineCaptureJob(
|
||||
expect($result2['ok'])->toBeTrue();
|
||||
|
||||
expect($result1['run']->getKey())->toBe($result2['run']->getKey());
|
||||
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(1);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCapture->value)->count())->toBe(1);
|
||||
});
|
||||
|
||||
// --- Snapshot dedupe + capture job execution ---
|
||||
@ -321,7 +322,7 @@ function runBaselineCaptureJob(
|
||||
$opService = app(OperationRunService::class);
|
||||
$run = $opService->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'baseline_capture',
|
||||
type: OperationRunType::BaselineCapture->value,
|
||||
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
||||
context: [
|
||||
'baseline_profile_id' => (int) $profile->getKey(),
|
||||
@ -476,7 +477,7 @@ function runBaselineCaptureJob(
|
||||
|
||||
$run1 = $opService->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'baseline_capture',
|
||||
type: OperationRunType::BaselineCapture->value,
|
||||
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
||||
context: [
|
||||
'baseline_profile_id' => (int) $profile->getKey(),
|
||||
@ -499,7 +500,7 @@ function runBaselineCaptureJob(
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'user_id' => (int) $user->getKey(),
|
||||
'initiator_name' => $user->name,
|
||||
'type' => 'baseline_capture',
|
||||
'type' => OperationRunType::BaselineCapture->value,
|
||||
'status' => 'queued',
|
||||
'outcome' => 'pending',
|
||||
'run_identity_hash' => hash('sha256', 'second-run-'.now()->timestamp),
|
||||
@ -586,7 +587,7 @@ function runBaselineCaptureJob(
|
||||
$opService = app(OperationRunService::class);
|
||||
$run = $opService->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'baseline_capture',
|
||||
type: OperationRunType::BaselineCapture->value,
|
||||
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
||||
context: [
|
||||
'baseline_profile_id' => (int) $profile->getKey(),
|
||||
@ -662,7 +663,7 @@ function runBaselineCaptureJob(
|
||||
$opService = app(OperationRunService::class);
|
||||
$run = $opService->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'baseline_capture',
|
||||
type: OperationRunType::BaselineCapture->value,
|
||||
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
||||
context: [
|
||||
'baseline_profile_id' => (int) $profile->getKey(),
|
||||
|
||||
@ -15,6 +15,7 @@
|
||||
use App\Support\Governance\GovernanceSubjectTaxonomyRegistry;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\OperationRunType;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\Queue;
|
||||
use Livewire\Livewire;
|
||||
@ -69,14 +70,14 @@
|
||||
|
||||
$activeRuns = OperationRun::query()
|
||||
->where('workspace_id', (int) $fixture['workspace']->getKey())
|
||||
->where('type', 'baseline_compare')
|
||||
->where('type', OperationRunType::BaselineCompare->value)
|
||||
->get();
|
||||
|
||||
expect($activeRuns)->toHaveCount(2)
|
||||
->and($activeRuns->every(static fn (OperationRun $run): bool => $run->tenant_id !== null))->toBeTrue()
|
||||
->and($activeRuns->every(static fn (OperationRun $run): bool => (string) $run->status === OperationRunStatus::Queued->value))->toBeTrue()
|
||||
->and($activeRuns->every(static fn (OperationRun $run): bool => (string) $run->outcome === OperationRunOutcome::Pending->value))->toBeTrue()
|
||||
->and(OperationRun::query()->whereNull('tenant_id')->where('type', 'baseline_compare')->count())->toBe(0);
|
||||
->and(OperationRun::query()->whereNull('tenant_id')->where('type', OperationRunType::BaselineCompare->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('runs compare assigned tenants from the matrix page and keeps feedback on tenant-owned runs', function (): void {
|
||||
@ -97,7 +98,7 @@
|
||||
|
||||
expect(OperationRun::query()
|
||||
->where('workspace_id', (int) $fixture['workspace']->getKey())
|
||||
->where('type', 'baseline_compare')
|
||||
->where('type', OperationRunType::BaselineCompare->value)
|
||||
->whereNull('tenant_id')
|
||||
->count())->toBe(0);
|
||||
});
|
||||
|
||||
@ -0,0 +1,20 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\Artisan;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
it('does not register findings lifecycle backfill or deploy-runbook commands', function (): void {
|
||||
$commands = array_keys(Artisan::all());
|
||||
|
||||
expect($commands)
|
||||
->not->toContain('tenantpilot:findings:backfill-lifecycle')
|
||||
->not->toContain('tenantpilot:run-deploy-runbooks');
|
||||
|
||||
expect((string) file_get_contents(base_path('routes/console.php')))
|
||||
->not->toContain('tenantpilot:findings:backfill-lifecycle')
|
||||
->not->toContain('tenantpilot:run-deploy-runbooks');
|
||||
});
|
||||
@ -1,31 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Models\OperationRun;
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillRunbookService;
|
||||
use App\Services\Runbooks\FindingsLifecycleBackfillScope;
|
||||
use App\Services\Runbooks\RunbookReason;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
it('delegates deploy-time runbooks to the shared runbook service', function () {
|
||||
$run = OperationRun::factory()->create();
|
||||
|
||||
$this->mock(FindingsLifecycleBackfillRunbookService::class, function ($mock) use ($run): void {
|
||||
$mock->shouldReceive('start')
|
||||
->once()
|
||||
->withArgs(function ($scope, $initiator, $reason, $source): bool {
|
||||
return $scope instanceof FindingsLifecycleBackfillScope
|
||||
&& $scope->isAllTenants()
|
||||
&& $initiator === null
|
||||
&& $reason instanceof RunbookReason
|
||||
&& $source === 'deploy_hook';
|
||||
})
|
||||
->andReturn($run);
|
||||
});
|
||||
|
||||
$this->artisan('tenantpilot:run-deploy-runbooks')
|
||||
->assertExitCode(0);
|
||||
});
|
||||
@ -3,6 +3,7 @@
|
||||
use App\Jobs\EntraGroupSyncJob;
|
||||
use App\Services\Directory\EntraGroupSyncService;
|
||||
use App\Services\Providers\ProviderOperationStartResult;
|
||||
use App\Support\OperationRunType;
|
||||
use Illuminate\Support\Facades\Queue;
|
||||
|
||||
it('starts a manual group sync by creating a run and dispatching a job', function () {
|
||||
@ -21,7 +22,7 @@
|
||||
expect($run)
|
||||
->and($run->tenant_id)->toBe($tenant->getKey())
|
||||
->and($run->user_id)->toBe($user->getKey())
|
||||
->and($run->type)->toBe('entra_group_sync')
|
||||
->and($run->type)->toBe(OperationRunType::DirectoryGroupsSync->value)
|
||||
->and($run->status)->toBe('queued')
|
||||
->and($run->context['selection_key'] ?? null)->toBe('groups-v1:all')
|
||||
->and($run->context['provider_connection_id'] ?? null)->toBeInt();
|
||||
|
||||
@ -7,6 +7,7 @@
|
||||
use App\Services\Graph\GraphResponse;
|
||||
use App\Services\Intune\AuditLogger;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Support\OperationRunType;
|
||||
|
||||
it('sync job upserts groups and updates run counters', function () {
|
||||
|
||||
@ -54,7 +55,7 @@
|
||||
$opService = app(OperationRunService::class);
|
||||
$opRun = $opService->ensureRun(
|
||||
tenant: $tenant,
|
||||
type: 'entra_group_sync',
|
||||
type: OperationRunType::DirectoryGroupsSync->value,
|
||||
inputs: ['selection_key' => 'groups-v1:all'],
|
||||
initiator: $user,
|
||||
);
|
||||
|
||||
@ -7,6 +7,7 @@
|
||||
use App\Services\Graph\GraphResponse;
|
||||
use App\Services\Intune\AuditLogger;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Support\OperationRunType;
|
||||
use Illuminate\Support\Facades\Config;
|
||||
|
||||
it('purges cached groups older than the retention window', function () {
|
||||
@ -34,7 +35,7 @@
|
||||
$opService = app(OperationRunService::class);
|
||||
$opRun = $opService->ensureRun(
|
||||
tenant: $tenant,
|
||||
type: 'entra_group_sync',
|
||||
type: OperationRunType::DirectoryGroupsSync->value,
|
||||
inputs: ['selection_key' => 'groups-v1:all'],
|
||||
initiator: $user,
|
||||
);
|
||||
|
||||
@ -444,7 +444,7 @@ function makeGenerator(): EntraAdminRolesFindingGenerator
|
||||
->and($finding->subject_external_id)->toBe('user-1:def-ga');
|
||||
});
|
||||
|
||||
it('auto-resolve applies to acknowledged findings too', function (): void {
|
||||
it('auto-resolve applies to triaged findings too', function (): void {
|
||||
[$user, $tenant] = createMinimalUserWithTenant();
|
||||
|
||||
$generator = makeGenerator();
|
||||
@ -456,20 +456,19 @@ function makeGenerator(): EntraAdminRolesFindingGenerator
|
||||
);
|
||||
$generator->generate($tenant, $payload);
|
||||
|
||||
// Acknowledge the finding
|
||||
// Triage the finding
|
||||
$finding = Finding::query()
|
||||
->where('tenant_id', $tenant->getKey())
|
||||
->where('subject_external_id', 'user-1:def-ga')
|
||||
->first();
|
||||
$finding->forceFill([
|
||||
'status' => Finding::STATUS_ACKNOWLEDGED,
|
||||
'acknowledged_at' => now(),
|
||||
'acknowledged_by_user_id' => $user->getKey(),
|
||||
'status' => Finding::STATUS_TRIAGED,
|
||||
'triaged_at' => now(),
|
||||
])->save();
|
||||
|
||||
expect($finding->fresh()->status)->toBe(Finding::STATUS_ACKNOWLEDGED);
|
||||
expect($finding->fresh()->status)->toBe(Finding::STATUS_TRIAGED);
|
||||
|
||||
// Scan 2: remove → should auto-resolve even though acknowledged
|
||||
// Scan 2: remove -> should auto-resolve even though triaged
|
||||
$payload2 = buildPayload([gaRoleDef()], []);
|
||||
$result = $generator->generate($tenant, $payload2);
|
||||
|
||||
|
||||
@ -115,7 +115,7 @@
|
||||
|
||||
$run = OperationRun::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->where('type', 'baseline_compare')
|
||||
->where('type', OperationRunType::BaselineCompare->value)
|
||||
->latest('id')
|
||||
->first();
|
||||
|
||||
@ -192,7 +192,7 @@
|
||||
->assertStatus(200);
|
||||
|
||||
Queue::assertNotPushed(CompareBaselineToTenantJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_compare')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCompare->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('shows mixed-strategy compare rejection truth on the tenant landing surface', function (): void {
|
||||
@ -250,7 +250,7 @@
|
||||
->assertStatus(200);
|
||||
|
||||
Queue::assertNotPushed(CompareBaselineToTenantJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_compare')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCompare->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('can refresh stats without calling mount directly', function (): void {
|
||||
|
||||
@ -9,6 +9,7 @@
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\Tenant;
|
||||
use App\Support\Baselines\BaselineCaptureMode;
|
||||
use App\Support\OperationRunType;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Actions\ActionGroup;
|
||||
@ -121,7 +122,7 @@ function seedCaptureProfileForTenant(
|
||||
|
||||
$run = OperationRun::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->where('type', 'baseline_capture')
|
||||
->where('type', OperationRunType::BaselineCapture->value)
|
||||
->latest('id')
|
||||
->first();
|
||||
|
||||
@ -151,7 +152,7 @@ function seedCaptureProfileForTenant(
|
||||
->assertStatus(200);
|
||||
|
||||
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCapture->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('does not start full-content capture when rollout is disabled', function (): void {
|
||||
@ -174,7 +175,7 @@ function seedCaptureProfileForTenant(
|
||||
->assertStatus(200);
|
||||
|
||||
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCapture->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('shows readiness copy without exposing raw canonical scope json on the capture start surface', function (): void {
|
||||
@ -228,5 +229,5 @@ function seedCaptureProfileForTenant(
|
||||
->assertStatus(200);
|
||||
|
||||
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCapture->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
@ -14,6 +14,7 @@
|
||||
use App\Support\Baselines\Compare\CompareStrategyRegistry;
|
||||
use App\Support\Baselines\Compare\IntuneCompareStrategy;
|
||||
use App\Support\Governance\GovernanceSubjectTaxonomyRegistry;
|
||||
use App\Support\OperationRunType;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Actions\ActionGroup;
|
||||
@ -92,7 +93,7 @@ function seedComparableBaselineProfileForTenant(Tenant $tenant, BaselineCaptureM
|
||||
|
||||
$run = OperationRun::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->where('type', 'baseline_compare')
|
||||
->where('type', OperationRunType::BaselineCompare->value)
|
||||
->latest('id')
|
||||
->first();
|
||||
|
||||
@ -120,7 +121,7 @@ function seedComparableBaselineProfileForTenant(Tenant $tenant, BaselineCaptureM
|
||||
->assertStatus(200);
|
||||
|
||||
Queue::assertNotPushed(CompareBaselineToTenantJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_compare')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCompare->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('shows mixed-strategy compare rejection truth on the workspace start surface', function (): void {
|
||||
@ -167,7 +168,7 @@ function seedComparableBaselineProfileForTenant(Tenant $tenant, BaselineCaptureM
|
||||
->assertStatus(200);
|
||||
|
||||
Queue::assertNotPushed(CompareBaselineToTenantJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_compare')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCompare->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('moves compare-matrix navigation into related context while keeping compare-assigned-tenants secondary', function (): void {
|
||||
@ -275,5 +276,5 @@ function seedComparableBaselineProfileForTenant(Tenant $tenant, BaselineCaptureM
|
||||
->assertStatus(200);
|
||||
|
||||
Queue::assertNotPushed(CompareBaselineToTenantJob::class);
|
||||
expect(OperationRun::query()->where('type', 'baseline_compare')->count())->toBe(0);
|
||||
expect(OperationRun::query()->where('type', OperationRunType::BaselineCompare->value)->count())->toBe(0);
|
||||
});
|
||||
|
||||
@ -0,0 +1,16 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Resources\FindingResource;
|
||||
use Illuminate\Support\Facades\App;
|
||||
|
||||
it('resolves first-wave governance labels from the active locale', function (): void {
|
||||
App::setLocale('de');
|
||||
|
||||
expect(__('localization.dashboard.tenant_title'))->toBe('Tenant-Dashboard')
|
||||
->and(FindingResource::getNavigationGroup())->toBe('Governance')
|
||||
->and(__('localization.findings.needs_action'))->toBe('Handlungsbedarf')
|
||||
->and(__('baseline-compare.stat_total_findings'))->toBe('Findings gesamt')
|
||||
->and(__('findings.rbac.detail_heading'))->toBe('Intune-RBAC-Rollendefinitions-Drift');
|
||||
});
|
||||
@ -1,21 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Resources\FindingResource\Pages\ListFindings;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Livewire\Livewire;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
it('exposes the findings lifecycle backfill action for entitled tenant operators', function () {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
|
||||
$this->actingAs($user);
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
Livewire::test(ListFindings::class)
|
||||
->assertActionExists('backfill_lifecycle')
|
||||
->assertActionEnabled('backfill_lifecycle');
|
||||
});
|
||||
@ -34,7 +34,6 @@ protected function makeFindingForWorkflow(Tenant $tenant, string $status = Findi
|
||||
$factory = Finding::factory()->for($tenant);
|
||||
|
||||
$factory = match ($status) {
|
||||
Finding::STATUS_ACKNOWLEDGED => $factory->acknowledged(),
|
||||
Finding::STATUS_TRIAGED => $factory->triaged(),
|
||||
Finding::STATUS_IN_PROGRESS => $factory->inProgress(),
|
||||
Finding::STATUS_REOPENED => $factory->reopened(),
|
||||
|
||||
@ -1,136 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Jobs\BackfillFindingLifecycleJob;
|
||||
use App\Models\Finding;
|
||||
use Carbon\CarbonImmutable;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
it('backfills legacy findings (ack → triaged, lifecycle fields, due_at from backfill time)', function (): void {
|
||||
CarbonImmutable::setTestNow(CarbonImmutable::parse('2026-02-24T10:00:00Z'));
|
||||
|
||||
[$user, $tenant] = createUserWithTenant(role: 'manager');
|
||||
|
||||
$finding = Finding::factory()->for($tenant)->create([
|
||||
'severity' => Finding::SEVERITY_MEDIUM,
|
||||
'status' => Finding::STATUS_ACKNOWLEDGED,
|
||||
'acknowledged_at' => CarbonImmutable::parse('2026-02-20T00:00:00Z'),
|
||||
'acknowledged_by_user_id' => (int) $user->getKey(),
|
||||
'first_seen_at' => null,
|
||||
'last_seen_at' => null,
|
||||
'times_seen' => null,
|
||||
'sla_days' => null,
|
||||
'due_at' => null,
|
||||
'triaged_at' => null,
|
||||
'created_at' => CarbonImmutable::parse('2026-02-10T00:00:00Z'),
|
||||
'updated_at' => CarbonImmutable::parse('2026-02-10T00:00:00Z'),
|
||||
]);
|
||||
|
||||
BackfillFindingLifecycleJob::dispatchSync(
|
||||
tenantId: (int) $tenant->getKey(),
|
||||
workspaceId: (int) $tenant->workspace_id,
|
||||
initiatorUserId: (int) $user->getKey(),
|
||||
);
|
||||
|
||||
$finding->refresh();
|
||||
|
||||
expect($finding->status)->toBe(Finding::STATUS_TRIAGED)
|
||||
->and($finding->triaged_at?->toIso8601String())->toBe('2026-02-20T00:00:00+00:00')
|
||||
->and($finding->first_seen_at?->toIso8601String())->toBe('2026-02-10T00:00:00+00:00')
|
||||
->and($finding->last_seen_at?->toIso8601String())->toBe('2026-02-10T00:00:00+00:00')
|
||||
->and($finding->times_seen)->toBe(1)
|
||||
->and($finding->sla_days)->toBe(14)
|
||||
->and($finding->due_at?->toIso8601String())->toBe('2026-03-10T10:00:00+00:00')
|
||||
->and($finding->acknowledged_at?->toIso8601String())->toBe('2026-02-20T00:00:00+00:00')
|
||||
->and((int) $finding->acknowledged_by_user_id)->toBe((int) $user->getKey());
|
||||
|
||||
CarbonImmutable::setTestNow();
|
||||
});
|
||||
|
||||
it('computes drift recurrence keys and consolidates drift duplicates', function (): void {
|
||||
CarbonImmutable::setTestNow(CarbonImmutable::parse('2026-02-24T10:00:00Z'));
|
||||
|
||||
[$user, $tenant] = createUserWithTenant(role: 'manager');
|
||||
|
||||
$scopeKey = hash('sha256', 'scope-drift-backfill-duplicate');
|
||||
|
||||
$evidence = [
|
||||
'change_type' => 'modified',
|
||||
'summary' => [
|
||||
'kind' => 'policy_snapshot',
|
||||
'changed_fields' => ['snapshot_hash'],
|
||||
],
|
||||
'baseline' => ['policy_id' => 'policy-dupe'],
|
||||
'current' => ['policy_id' => 'policy-dupe'],
|
||||
];
|
||||
|
||||
$open = Finding::factory()->for($tenant)->create([
|
||||
'finding_type' => Finding::FINDING_TYPE_DRIFT,
|
||||
'scope_key' => $scopeKey,
|
||||
'subject_type' => 'policy',
|
||||
'subject_external_id' => 'policy-dupe',
|
||||
'status' => Finding::STATUS_NEW,
|
||||
'recurrence_key' => null,
|
||||
'evidence_jsonb' => $evidence,
|
||||
'first_seen_at' => null,
|
||||
'last_seen_at' => null,
|
||||
'times_seen' => null,
|
||||
'sla_days' => null,
|
||||
'due_at' => null,
|
||||
'created_at' => CarbonImmutable::parse('2026-02-20T00:00:00Z'),
|
||||
'updated_at' => CarbonImmutable::parse('2026-02-20T00:00:00Z'),
|
||||
]);
|
||||
|
||||
$duplicate = Finding::factory()->for($tenant)->create([
|
||||
'finding_type' => Finding::FINDING_TYPE_DRIFT,
|
||||
'scope_key' => $scopeKey,
|
||||
'subject_type' => 'policy',
|
||||
'subject_external_id' => 'policy-dupe',
|
||||
'status' => Finding::STATUS_RESOLVED,
|
||||
'resolved_at' => CarbonImmutable::parse('2026-02-21T00:00:00Z'),
|
||||
'resolved_reason' => Finding::RESOLVE_REASON_REMEDIATED,
|
||||
'recurrence_key' => null,
|
||||
'evidence_jsonb' => $evidence,
|
||||
'first_seen_at' => null,
|
||||
'last_seen_at' => null,
|
||||
'times_seen' => null,
|
||||
'created_at' => CarbonImmutable::parse('2026-02-18T00:00:00Z'),
|
||||
'updated_at' => CarbonImmutable::parse('2026-02-18T00:00:00Z'),
|
||||
]);
|
||||
|
||||
BackfillFindingLifecycleJob::dispatchSync(
|
||||
tenantId: (int) $tenant->getKey(),
|
||||
workspaceId: (int) $tenant->workspace_id,
|
||||
initiatorUserId: (int) $user->getKey(),
|
||||
);
|
||||
|
||||
$tenantId = (int) $tenant->getKey();
|
||||
$expectedRecurrenceKey = hash(
|
||||
'sha256',
|
||||
sprintf('drift:%d:%s:policy:%s:policy_snapshot:modified', $tenantId, $scopeKey, 'policy-dupe'),
|
||||
);
|
||||
|
||||
expect(Finding::query()
|
||||
->where('tenant_id', $tenantId)
|
||||
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
|
||||
->where('recurrence_key', $expectedRecurrenceKey)
|
||||
->count())->toBe(1);
|
||||
|
||||
$open->refresh();
|
||||
$duplicate->refresh();
|
||||
|
||||
expect($open->recurrence_key)->toBe($expectedRecurrenceKey)
|
||||
->and($open->status)->toBe(Finding::STATUS_NEW);
|
||||
|
||||
expect($duplicate->recurrence_key)->toBeNull()
|
||||
->and($duplicate->status)->toBe(Finding::STATUS_CLOSED)
|
||||
->and($duplicate->resolved_reason)->toBeNull()
|
||||
->and($duplicate->resolved_at)->toBeNull()
|
||||
->and($duplicate->closed_reason)->toBe(Finding::CLOSE_REASON_DUPLICATE)
|
||||
->and($duplicate->closed_at?->toIso8601String())->toBe('2026-02-24T10:00:00+00:00');
|
||||
|
||||
CarbonImmutable::setTestNow();
|
||||
});
|
||||
@ -22,9 +22,8 @@
|
||||
->toContain(AuditActionId::FindingReopened->value);
|
||||
});
|
||||
|
||||
it('keeps only legacy compatibility lifecycle helpers on the model', function (): void {
|
||||
expect(method_exists(Finding::class, 'acknowledge'))->toBeTrue()
|
||||
->and(method_exists(Finding::class, 'resolve'))->toBeTrue()
|
||||
it('keeps only the surviving model lifecycle helpers', function (): void {
|
||||
expect(method_exists(Finding::class, 'resolve'))->toBeTrue()
|
||||
->and(method_exists(Finding::class, 'reopen'))->toBeTrue()
|
||||
->and(method_exists(Finding::class, 'triage'))->toBeFalse()
|
||||
->and(method_exists(Finding::class, 'startProgress'))->toBeFalse()
|
||||
|
||||
@ -0,0 +1,61 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Models\Finding;
|
||||
use App\Models\User;
|
||||
use App\Services\Findings\FindingWorkflowService;
|
||||
use App\Support\Audit\AuditActionId;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
it('keeps canonical findings workflow behavior after removing the backfill runtime surfaces', function (): void {
|
||||
[$owner, $tenant] = createUserWithTenant(role: 'owner');
|
||||
$assignee = User::factory()->create();
|
||||
createUserWithTenant(tenant: $tenant, user: $assignee, role: 'operator');
|
||||
|
||||
$service = app(FindingWorkflowService::class);
|
||||
$finding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW, [
|
||||
'owner_user_id' => null,
|
||||
'assignee_user_id' => null,
|
||||
'sla_days' => 14,
|
||||
'due_at' => now()->addDays(14),
|
||||
]);
|
||||
|
||||
$triaged = $service->triage($finding, $tenant, $owner);
|
||||
$assigned = $service->assign(
|
||||
finding: $triaged,
|
||||
tenant: $tenant,
|
||||
actor: $owner,
|
||||
assigneeUserId: (int) $assignee->getKey(),
|
||||
ownerUserId: (int) $owner->getKey(),
|
||||
);
|
||||
$inProgress = $service->startProgress($assigned, $tenant, $owner);
|
||||
$resolved = $service->resolve($inProgress, $tenant, $owner, Finding::RESOLVE_REASON_REMEDIATED);
|
||||
$riskAccepted = $service->riskAccept(
|
||||
$this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW),
|
||||
$tenant,
|
||||
$owner,
|
||||
Finding::CLOSE_REASON_ACCEPTED_RISK,
|
||||
);
|
||||
|
||||
expect($triaged->status)->toBe(Finding::STATUS_TRIAGED)
|
||||
->and($triaged->triaged_at)->not->toBeNull()
|
||||
->and((int) $assigned->owner_user_id)->toBe((int) $owner->getKey())
|
||||
->and((int) $assigned->assignee_user_id)->toBe((int) $assignee->getKey())
|
||||
->and($assigned->sla_days)->toBe(14)
|
||||
->and($assigned->due_at)->not->toBeNull()
|
||||
->and($inProgress->status)->toBe(Finding::STATUS_IN_PROGRESS)
|
||||
->and($inProgress->in_progress_at)->not->toBeNull()
|
||||
->and($resolved->status)->toBe(Finding::STATUS_RESOLVED)
|
||||
->and($resolved->resolved_reason)->toBe(Finding::RESOLVE_REASON_REMEDIATED)
|
||||
->and($riskAccepted->status)->toBe(Finding::STATUS_RISK_ACCEPTED)
|
||||
->and($riskAccepted->closed_reason)->toBe(Finding::CLOSE_REASON_ACCEPTED_RISK);
|
||||
|
||||
expect($this->latestFindingAudit($triaged, AuditActionId::FindingTriaged))->not->toBeNull()
|
||||
->and($this->latestFindingAudit($assigned, AuditActionId::FindingAssigned))->not->toBeNull()
|
||||
->and($this->latestFindingAudit($inProgress, AuditActionId::FindingInProgress))->not->toBeNull()
|
||||
->and($this->latestFindingAudit($resolved, AuditActionId::FindingResolved))->not->toBeNull()
|
||||
->and($this->latestFindingAudit($riskAccepted, AuditActionId::FindingRiskAccepted))->not->toBeNull();
|
||||
});
|
||||
@ -101,8 +101,10 @@ function makeIntakeFinding(Tenant $tenant, array $attributes = []): Finding
|
||||
'assignee_user_id' => (int) $otherAssignee->getKey(),
|
||||
]);
|
||||
|
||||
$acknowledged = Finding::factory()->for($tenantA)->acknowledged()->create([
|
||||
$acknowledged = Finding::factory()->for($tenantA)->create([
|
||||
'workspace_id' => (int) $tenantA->workspace_id,
|
||||
'status' => 'acknowledged',
|
||||
'acknowledged_at' => now(),
|
||||
'assignee_user_id' => null,
|
||||
'subject_external_id' => 'acknowledged',
|
||||
]);
|
||||
|
||||
@ -1,101 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Resources\FindingResource\Pages\ListFindings;
|
||||
use App\Jobs\BackfillFindingLifecycleJob;
|
||||
use App\Models\AuditLog;
|
||||
use App\Models\Finding;
|
||||
use App\Models\OperationalControlActivation;
|
||||
use App\Models\OperationRun;
|
||||
use App\Support\Audit\AuditActionId;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\Queue;
|
||||
use Livewire\Livewire;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
it('keeps the findings backfill action visible but blocks execution when a control is active', function (): void {
|
||||
Queue::fake();
|
||||
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
|
||||
Finding::factory()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'due_at' => null,
|
||||
]);
|
||||
|
||||
OperationalControlActivation::factory()->workspaceScoped()->create([
|
||||
'control_key' => 'findings.lifecycle.backfill',
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'reason_text' => 'Workspace-specific pause.',
|
||||
]);
|
||||
|
||||
$this->actingAs($user);
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
Livewire::test(ListFindings::class)
|
||||
->assertActionExists('backfill_lifecycle')
|
||||
->assertActionEnabled('backfill_lifecycle')
|
||||
->callAction('backfill_lifecycle')
|
||||
->assertNotified('Findings lifecycle backfill paused');
|
||||
|
||||
expect(OperationRun::query()->where('type', 'findings.lifecycle.backfill')->count())->toBe(0);
|
||||
|
||||
$audit = AuditLog::query()
|
||||
->where('action', AuditActionId::OperationalControlExecutionBlocked->value)
|
||||
->latest('id')
|
||||
->first();
|
||||
|
||||
expect($audit)->not->toBeNull()
|
||||
->and($audit?->workspace_id)->toBe((int) $tenant->workspace_id)
|
||||
->and($audit?->tenant_id)->toBe((int) $tenant->getKey())
|
||||
->and($audit?->status)->toBe('blocked')
|
||||
->and($audit?->metadata['control_key'] ?? null)->toBe('findings.lifecycle.backfill')
|
||||
->and($audit?->metadata['workspace_id'] ?? null)->toBe((int) $tenant->workspace_id);
|
||||
});
|
||||
|
||||
it('does not block findings backfill for a different workspace when the pause is workspace-scoped', function (): void {
|
||||
Queue::fake();
|
||||
|
||||
[$blockedUser, $blockedTenant] = createUserWithTenant(role: 'owner');
|
||||
[$allowedUser, $allowedTenant] = createUserWithTenant(role: 'owner');
|
||||
|
||||
Finding::factory()->create([
|
||||
'tenant_id' => (int) $allowedTenant->getKey(),
|
||||
'due_at' => null,
|
||||
]);
|
||||
|
||||
OperationalControlActivation::factory()->workspaceScoped()->create([
|
||||
'control_key' => 'findings.lifecycle.backfill',
|
||||
'workspace_id' => (int) $blockedTenant->workspace_id,
|
||||
'reason_text' => 'Paused only for the blocked workspace.',
|
||||
]);
|
||||
|
||||
$this->actingAs($allowedUser);
|
||||
Filament::setTenant($allowedTenant, true);
|
||||
|
||||
Livewire::test(ListFindings::class)
|
||||
->assertActionExists('backfill_lifecycle')
|
||||
->assertActionEnabled('backfill_lifecycle')
|
||||
->callAction('backfill_lifecycle');
|
||||
|
||||
$run = OperationRun::query()
|
||||
->where('type', 'findings.lifecycle.backfill')
|
||||
->where('tenant_id', (int) $allowedTenant->getKey())
|
||||
->latest('id')
|
||||
->first();
|
||||
|
||||
expect($run)->not->toBeNull();
|
||||
|
||||
Queue::assertPushed(BackfillFindingLifecycleJob::class, function (BackfillFindingLifecycleJob $job) use ($allowedTenant): bool {
|
||||
return $job->tenantId === (int) $allowedTenant->getKey()
|
||||
&& $job->workspaceId === (int) $allowedTenant->workspace_id;
|
||||
});
|
||||
|
||||
expect(AuditLog::query()
|
||||
->where('action', AuditActionId::OperationalControlExecutionBlocked->value)
|
||||
->where('tenant_id', (int) $allowedTenant->getKey())
|
||||
->exists())->toBeFalse();
|
||||
});
|
||||
@ -0,0 +1,36 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Models\Finding;
|
||||
use App\Services\Findings\FindingWorkflowService;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
it('rejects triage from the removed acknowledged status', function (): void {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
|
||||
$finding = Finding::factory()->for($tenant)->create([
|
||||
'status' => 'acknowledged',
|
||||
'acknowledged_at' => now(),
|
||||
'acknowledged_by_user_id' => $user->getKey(),
|
||||
]);
|
||||
|
||||
expect(fn () => app(FindingWorkflowService::class)->triage($finding, $tenant, $user))
|
||||
->toThrow(\InvalidArgumentException::class, 'Finding cannot be triaged from the current status.');
|
||||
});
|
||||
|
||||
it('rejects start progress from the removed acknowledged status', function (): void {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
|
||||
$finding = Finding::factory()->for($tenant)->create([
|
||||
'status' => 'acknowledged',
|
||||
'triaged_at' => now()->subMinute(),
|
||||
'acknowledged_at' => now(),
|
||||
'acknowledged_by_user_id' => $user->getKey(),
|
||||
]);
|
||||
|
||||
expect(fn () => app(FindingWorkflowService::class)->startProgress($finding, $tenant, $user))
|
||||
->toThrow(\InvalidArgumentException::class, 'Finding cannot be moved to in-progress from the current status.');
|
||||
});
|
||||
@ -0,0 +1,33 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Resources\FindingResource\Pages\ListFindings;
|
||||
use App\Models\Finding;
|
||||
use App\Models\OperationRun;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Livewire\Livewire;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
it('removes the tenant findings lifecycle backfill header action without removing canonical workflow actions', function (): void {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
|
||||
$finding = Finding::factory()->for($tenant)->create([
|
||||
'status' => Finding::STATUS_NEW,
|
||||
]);
|
||||
|
||||
$this->actingAs($user);
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
Livewire::test(ListFindings::class)
|
||||
->assertActionDoesNotExist('backfill_lifecycle')
|
||||
->assertActionExists('triage_all_matching')
|
||||
->assertTableActionVisible('triage', $finding)
|
||||
->assertTableActionVisible('assign', $finding)
|
||||
->assertTableActionVisible('resolve', $finding)
|
||||
->assertTableActionVisible('request_exception', $finding);
|
||||
|
||||
expect(OperationRun::query()->where('type', 'findings.lifecycle.backfill')->exists())->toBeFalse();
|
||||
});
|
||||
@ -12,7 +12,6 @@ function livewireTrustedStateFirstSliceFixtures(): array
|
||||
return [
|
||||
TrustedStatePolicy::MANAGED_TENANT_ONBOARDING_WIZARD => 'app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php',
|
||||
TrustedStatePolicy::TENANT_REQUIRED_PERMISSIONS => 'app/Filament/Pages/TenantRequiredPermissions.php',
|
||||
TrustedStatePolicy::SYSTEM_RUNBOOKS => 'app/Filament/System/Pages/Ops/Runbooks.php',
|
||||
];
|
||||
}
|
||||
|
||||
|
||||
@ -0,0 +1,43 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Services\Localization\LocaleResolver;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
|
||||
it('renders the admin auth surface in the explicit locale override', function (): void {
|
||||
$this->withSession([LocaleResolver::SESSION_OVERRIDE_KEY => 'de'])
|
||||
->get('/admin/login')
|
||||
->assertSuccessful()
|
||||
->assertSee('Mit Microsoft anmelden')
|
||||
->assertSee('Tenant-Admin-Zugriff erfordert eine Tenant-Mitgliedschaft');
|
||||
});
|
||||
|
||||
it('keeps system plane resolution independent from user and workspace preferences', function (): void {
|
||||
[$workspace, $user] = localizationWorkspaceMember();
|
||||
|
||||
$user->forceFill(['preferred_locale' => 'de'])->save();
|
||||
session()->forget(LocaleResolver::SESSION_OVERRIDE_KEY);
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([
|
||||
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
|
||||
LocaleResolver::SESSION_OVERRIDE_KEY => null,
|
||||
])
|
||||
->getJson('/localization/context?plane=system')
|
||||
->assertSuccessful()
|
||||
->assertJsonPath('locale', 'en')
|
||||
->assertJsonPath('source', LocaleResolver::SOURCE_SYSTEM_DEFAULT)
|
||||
->assertJsonPath('user_preference_locale', null)
|
||||
->assertJsonPath('workspace_default_locale', null);
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([
|
||||
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
|
||||
LocaleResolver::SESSION_OVERRIDE_KEY => 'de',
|
||||
])
|
||||
->getJson('/localization/context?plane=system')
|
||||
->assertSuccessful()
|
||||
->assertJsonPath('locale', 'de')
|
||||
->assertJsonPath('source', LocaleResolver::SOURCE_EXPLICIT_OVERRIDE);
|
||||
});
|
||||
@ -0,0 +1,87 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Services\Localization\LocaleResolver;
|
||||
use App\Services\Settings\SettingsWriter;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
|
||||
it('allows users to save and clear a personal locale preference over workspace default', function (): void {
|
||||
[$workspace, $user] = localizationWorkspaceMember();
|
||||
|
||||
app(SettingsWriter::class)->updateWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $workspace,
|
||||
domain: LocaleResolver::SETTING_DOMAIN,
|
||||
key: LocaleResolver::SETTING_DEFAULT_LOCALE,
|
||||
value: 'de',
|
||||
);
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
||||
->getJson('/localization/context')
|
||||
->assertSuccessful()
|
||||
->assertJsonPath('locale', 'de')
|
||||
->assertJsonPath('source', LocaleResolver::SOURCE_WORKSPACE_DEFAULT);
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
||||
->post(route('localization.preference.update'), ['preferred_locale' => 'en'])
|
||||
->assertRedirect();
|
||||
|
||||
expect($user->refresh()->preferred_locale)->toBe('en');
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
||||
->getJson('/localization/context')
|
||||
->assertSuccessful()
|
||||
->assertJsonPath('locale', 'en')
|
||||
->assertJsonPath('source', LocaleResolver::SOURCE_USER_PREFERENCE);
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
||||
->post(route('localization.preference.update'), ['preferred_locale' => ''])
|
||||
->assertRedirect();
|
||||
|
||||
expect($user->refresh()->preferred_locale)->toBeNull();
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
||||
->getJson('/localization/context')
|
||||
->assertSuccessful()
|
||||
->assertJsonPath('locale', 'de')
|
||||
->assertJsonPath('source', LocaleResolver::SOURCE_WORKSPACE_DEFAULT);
|
||||
});
|
||||
|
||||
it('allows temporary overrides to win until cleared', function (): void {
|
||||
[$workspace, $user] = localizationWorkspaceMember();
|
||||
|
||||
$user->forceFill(['preferred_locale' => 'en'])->save();
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
||||
->post(route('localization.override.update'), ['locale' => 'de'])
|
||||
->assertRedirect();
|
||||
|
||||
expect(session(LocaleResolver::SESSION_OVERRIDE_KEY))->toBe('de');
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([
|
||||
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
|
||||
LocaleResolver::SESSION_OVERRIDE_KEY => 'de',
|
||||
])
|
||||
->getJson('/localization/context')
|
||||
->assertSuccessful()
|
||||
->assertJsonPath('locale', 'de')
|
||||
->assertJsonPath('source', LocaleResolver::SOURCE_EXPLICIT_OVERRIDE);
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([
|
||||
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
|
||||
LocaleResolver::SESSION_OVERRIDE_KEY => 'de',
|
||||
])
|
||||
->delete(route('localization.override.clear'))
|
||||
->assertRedirect();
|
||||
|
||||
expect(session(LocaleResolver::SESSION_OVERRIDE_KEY))->toBeNull();
|
||||
});
|
||||
@ -0,0 +1,47 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Services\Localization\LocaleResolver;
|
||||
use App\Services\Settings\SettingsWriter;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
|
||||
it('formats locale preference feedback in the resolved locale', function (): void {
|
||||
[$workspace, $user] = localizationWorkspaceMember();
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([
|
||||
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
|
||||
LocaleResolver::SESSION_OVERRIDE_KEY => 'de',
|
||||
])
|
||||
->post(route('localization.preference.update'), ['preferred_locale' => 'de'])
|
||||
->assertRedirect()
|
||||
->assertSessionHas('status', 'Spracheinstellung gespeichert.');
|
||||
});
|
||||
|
||||
it('formats override feedback in the newly effective locale', function (): void {
|
||||
[$workspace, $user] = localizationWorkspaceMember();
|
||||
|
||||
app(SettingsWriter::class)->updateWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $workspace,
|
||||
domain: LocaleResolver::SETTING_DOMAIN,
|
||||
key: LocaleResolver::SETTING_DEFAULT_LOCALE,
|
||||
value: 'de',
|
||||
);
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
||||
->post(route('localization.override.update'), ['locale' => 'de'])
|
||||
->assertRedirect()
|
||||
->assertSessionHas('status', 'Sprachüberschreibung angewendet.');
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([
|
||||
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
|
||||
LocaleResolver::SESSION_OVERRIDE_KEY => 'en',
|
||||
])
|
||||
->delete(route('localization.override.clear'))
|
||||
->assertRedirect()
|
||||
->assertSessionHas('status', 'Sprachüberschreibung gelöscht.');
|
||||
});
|
||||
@ -0,0 +1,31 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Models\AuditLog;
|
||||
use App\Services\Localization\LocaleResolver;
|
||||
use App\Services\Settings\SettingsWriter;
|
||||
use App\Support\Audit\AuditActionId;
|
||||
use Illuminate\Support\Facades\App;
|
||||
|
||||
it('keeps audit action identifiers and machine values invariant while UI locale is German', function (): void {
|
||||
[$workspace, $user] = localizationWorkspaceMember();
|
||||
|
||||
App::setLocale('de');
|
||||
|
||||
app(SettingsWriter::class)->updateWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $workspace,
|
||||
domain: LocaleResolver::SETTING_DOMAIN,
|
||||
key: LocaleResolver::SETTING_DEFAULT_LOCALE,
|
||||
value: 'de',
|
||||
);
|
||||
|
||||
$audit = AuditLog::query()->latest('id')->first();
|
||||
|
||||
expect($audit)->not->toBeNull()
|
||||
->and($audit->action)->toBe(AuditActionId::WorkspaceSettingUpdated->value)
|
||||
->and(data_get($audit->metadata, 'domain'))->toBe(LocaleResolver::SETTING_DOMAIN)
|
||||
->and(data_get($audit->metadata, 'key'))->toBe(LocaleResolver::SETTING_DEFAULT_LOCALE)
|
||||
->and(data_get($audit->metadata, 'after_value'))->toBe('de');
|
||||
});
|
||||
@ -0,0 +1,23 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use Illuminate\Support\Facades\App;
|
||||
use Illuminate\Support\Facades\Lang;
|
||||
|
||||
it('falls back to English for missing German translation lines', function (): void {
|
||||
Lang::addLines(['localization.fallback_probe' => 'English fallback probe'], 'en');
|
||||
|
||||
App::setFallbackLocale('en');
|
||||
App::setLocale('de');
|
||||
|
||||
expect(__('localization.fallback_probe'))->toBe('English fallback probe');
|
||||
});
|
||||
|
||||
it('does not expose raw translation keys for supported first-wave catalogs', function (): void {
|
||||
App::setLocale('de');
|
||||
|
||||
expect(__('localization.auth.sign_in_microsoft'))->not->toBe('localization.auth.sign_in_microsoft')
|
||||
->and(__('baseline-compare.button_view_findings'))->not->toBe('baseline-compare.button_view_findings')
|
||||
->and(__('findings.rbac.restore_unsupported'))->not->toBe('findings.rbac.restore_unsupported');
|
||||
});
|
||||
@ -0,0 +1,50 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Settings\WorkspaceSettings;
|
||||
use App\Models\WorkspaceSetting;
|
||||
use App\Services\Localization\LocaleResolver;
|
||||
use App\Services\Settings\SettingsResolver;
|
||||
use Livewire\Livewire;
|
||||
|
||||
it('persists workspace default locale through the existing workspace settings page', function (): void {
|
||||
[$workspace, $user] = localizationWorkspaceMember();
|
||||
|
||||
$this->actingAs($user)
|
||||
->get(WorkspaceSettings::getUrl(panel: 'admin'))
|
||||
->assertSuccessful();
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(WorkspaceSettings::class)
|
||||
->assertSet('data.localization_default_locale', null)
|
||||
->set('data.localization_default_locale', 'de')
|
||||
->callAction('save')
|
||||
->assertHasNoErrors()
|
||||
->assertSet('data.localization_default_locale', 'de');
|
||||
|
||||
expect(app(SettingsResolver::class)->resolveValue($workspace, LocaleResolver::SETTING_DOMAIN, LocaleResolver::SETTING_DEFAULT_LOCALE))
|
||||
->toBe('de');
|
||||
|
||||
expect(WorkspaceSetting::query()
|
||||
->where('workspace_id', (int) $workspace->getKey())
|
||||
->where('domain', LocaleResolver::SETTING_DOMAIN)
|
||||
->where('key', LocaleResolver::SETTING_DEFAULT_LOCALE)
|
||||
->exists())->toBeTrue();
|
||||
});
|
||||
|
||||
it('keeps workspace default locale authorization aligned to settings capabilities', function (): void {
|
||||
[$workspace, $user] = localizationWorkspaceMember('readonly');
|
||||
|
||||
$this->actingAs($user)
|
||||
->get(WorkspaceSettings::getUrl(panel: 'admin'))
|
||||
->assertSuccessful();
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(WorkspaceSettings::class)
|
||||
->assertSet('data.localization_default_locale', null)
|
||||
->assertActionVisible('save')
|
||||
->assertActionDisabled('save')
|
||||
->call('save')
|
||||
->assertStatus(403);
|
||||
});
|
||||
@ -59,15 +59,18 @@
|
||||
]);
|
||||
});
|
||||
|
||||
it('supports legacy model helper compatibility for acknowledge', function (): void {
|
||||
it('keeps stale acknowledged metadata as passive data only', function (): void {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
$finding = Finding::factory()->for($tenant)->permissionPosture()->create();
|
||||
$finding = Finding::factory()->for($tenant)->permissionPosture()->create([
|
||||
'status' => 'acknowledged',
|
||||
'acknowledged_at' => now(),
|
||||
'acknowledged_by_user_id' => $user->getKey(),
|
||||
]);
|
||||
|
||||
$finding->acknowledge($user);
|
||||
|
||||
expect($finding->status)->toBe(Finding::STATUS_ACKNOWLEDGED)
|
||||
expect($finding->status)->toBe('acknowledged')
|
||||
->and($finding->acknowledged_at)->not->toBeNull()
|
||||
->and($finding->acknowledged_by_user_id)->toBe($user->getKey());
|
||||
->and($finding->acknowledged_by_user_id)->toBe($user->getKey())
|
||||
->and($finding->hasOpenStatus())->toBeFalse();
|
||||
});
|
||||
|
||||
it('exposes v2 open and terminal status helpers', function (): void {
|
||||
@ -84,31 +87,26 @@
|
||||
Finding::STATUS_RISK_ACCEPTED,
|
||||
]);
|
||||
|
||||
expect(Finding::openStatusesForQuery())->toContain(Finding::STATUS_ACKNOWLEDGED);
|
||||
expect(Finding::openStatusesForQuery())->toBe(Finding::openStatuses());
|
||||
});
|
||||
|
||||
it('maps legacy acknowledged status to triaged in v2 helpers', function (): void {
|
||||
expect(Finding::canonicalizeStatus(Finding::STATUS_ACKNOWLEDGED))
|
||||
->toBe(Finding::STATUS_TRIAGED);
|
||||
it('does not treat acknowledged as canonical in v2 helpers', function (): void {
|
||||
expect(Finding::canonicalizeStatus('acknowledged'))->toBe('acknowledged');
|
||||
|
||||
expect(Finding::isOpenStatus(Finding::STATUS_ACKNOWLEDGED))->toBeTrue();
|
||||
expect(Finding::isTerminalStatus(Finding::STATUS_ACKNOWLEDGED))->toBeFalse();
|
||||
expect(Finding::isOpenStatus('acknowledged'))->toBeFalse();
|
||||
expect(Finding::isTerminalStatus('acknowledged'))->toBeFalse();
|
||||
});
|
||||
|
||||
it('preserves acknowledged metadata when resolving an acknowledged finding', function (): void {
|
||||
it('rejects resolving a stale acknowledged finding', function (): void {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
$finding = Finding::factory()->for($tenant)->permissionPosture()->acknowledged()->create([
|
||||
$finding = Finding::factory()->for($tenant)->permissionPosture()->create([
|
||||
'status' => 'acknowledged',
|
||||
'acknowledged_at' => now(),
|
||||
'acknowledged_by_user_id' => $user->getKey(),
|
||||
]);
|
||||
|
||||
expect($finding->status)->toBe(Finding::STATUS_ACKNOWLEDGED);
|
||||
|
||||
$finding = app(FindingWorkflowService::class)->resolve($finding, $tenant, $user, Finding::RESOLVE_REASON_REMEDIATED);
|
||||
|
||||
expect($finding->status)->toBe(Finding::STATUS_RESOLVED)
|
||||
->and($finding->acknowledged_at)->not->toBeNull()
|
||||
->and($finding->acknowledged_by_user_id)->toBe($user->getKey())
|
||||
->and($finding->resolved_at)->not->toBeNull();
|
||||
expect(fn () => app(FindingWorkflowService::class)->resolve($finding, $tenant, $user, Finding::RESOLVE_REASON_REMEDIATED))
|
||||
->toThrow(\InvalidArgumentException::class, 'Only open findings can be resolved.');
|
||||
});
|
||||
|
||||
it('has STATUS_RESOLVED constant', function (): void {
|
||||
|
||||
@ -14,6 +14,7 @@
|
||||
use App\Support\Audit\AuditOutcome;
|
||||
use App\Support\Baselines\BaselineCaptureMode;
|
||||
use App\Support\Baselines\BaselineReasonCodes;
|
||||
use App\Support\OperationRunType;
|
||||
|
||||
it('derives summary-first audit semantics for baseline capture workflow events', function (): void {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
@ -36,7 +37,7 @@
|
||||
$operationRunService = app(OperationRunService::class);
|
||||
$run = $operationRunService->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'baseline_capture',
|
||||
type: OperationRunType::BaselineCapture->value,
|
||||
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
||||
context: [
|
||||
'baseline_profile_id' => (int) $profile->getKey(),
|
||||
@ -97,7 +98,7 @@
|
||||
$operationRunService = app(OperationRunService::class);
|
||||
$run = $operationRunService->ensureRunWithIdentity(
|
||||
tenant: $tenant,
|
||||
type: 'baseline_capture',
|
||||
type: OperationRunType::BaselineCapture->value,
|
||||
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
||||
context: [
|
||||
'baseline_profile_id' => (int) $profile->getKey(),
|
||||
|
||||
@ -26,7 +26,7 @@
|
||||
->get('/admin/operations')
|
||||
->assertOk()
|
||||
->assertSee($workspaceName ?? 'Select workspace')
|
||||
->assertSee('Search tenants…')
|
||||
->assertSee(__('localization.shell.search_tenants'))
|
||||
->assertSee('Switch workspace')
|
||||
->assertSee('admin/select-tenant')
|
||||
->assertSee('Clear tenant scope')
|
||||
@ -66,7 +66,7 @@
|
||||
->get('/admin/workspaces')
|
||||
->assertOk()
|
||||
->assertSee('Choose a workspace first.')
|
||||
->assertDontSee('Search tenants…');
|
||||
->assertDontSee(__('localization.shell.search_tenants'));
|
||||
});
|
||||
|
||||
it('keeps tenant-scoped pages selector read-only while exposing the clear tenant scope action', function (): void {
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user