Compare commits
No commits in common. "4ae4c2ee954fe8285a324db8b444dd190e49c972" and "9f5d3293c5924bf5a9ffa15d99595dd6b48f4770" have entirely different histories.
4ae4c2ee95
...
9f5d3293c5
4
.github/agents/copilot-instructions.md
vendored
4
.github/agents/copilot-instructions.md
vendored
@ -260,8 +260,6 @@ ## Active Technologies
|
||||
- PostgreSQL via existing `managed_tenant_onboarding_sessions`, `provider_connections`, `operation_runs`, and stored permission-posture data; no new persistence planned (240-tenant-onboarding-readiness)
|
||||
- PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `OperationRunLinks`, `GovernanceRunDiagnosticSummaryBuilder`, `ProviderReasonTranslator`, `RelatedNavigationResolver`, `RedactionIntegrity`, `WorkspaceAuditLogger` (241-support-diagnostic-pack)
|
||||
- PostgreSQL via existing `operation_runs`, `provider_connections`, `findings`, `stored_reports`, `tenant_reviews`, `review_packs`, and `audit_logs`; no new persistence planned (241-support-diagnostic-pack)
|
||||
- PHP 8.4, Laravel 12 + Filament v5, Livewire v4, Pest v4, existing review/evidence/review-pack/audit/RBAC support services (249-customer-review-workspace)
|
||||
- PostgreSQL via existing `tenant_reviews`, `review_packs`, `evidence_snapshots`, findings / finding-exception truth, workspace memberships, and `audit_logs`; no new persistence planned (249-customer-review-workspace)
|
||||
|
||||
- PHP 8.4.15 (feat/005-bulk-operations)
|
||||
|
||||
@ -296,9 +294,9 @@ ## Code Style
|
||||
PHP 8.4.15: Follow standard conventions
|
||||
|
||||
## Recent Changes
|
||||
- 249-customer-review-workspace: Added PHP 8.4, Laravel 12 + Filament v5, Livewire v4, Pest v4, existing review/evidence/review-pack/audit/RBAC support services
|
||||
- 241-support-diagnostic-pack: Added PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `OperationRunLinks`, `GovernanceRunDiagnosticSummaryBuilder`, `ProviderReasonTranslator`, `RelatedNavigationResolver`, `RedactionIntegrity`, `WorkspaceAuditLogger`
|
||||
- 240-tenant-onboarding-readiness: Added PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing onboarding services (`OnboardingLifecycleService`, `OnboardingDraftStageResolver`), provider connection summary, verification assist, and Ops-UX helpers
|
||||
- 239-canonical-operation-type-source-of-truth: Added PHP 8.4.15, Laravel 12, Filament v5, Livewire v4 + existing `App\Support\OperationCatalog`, `App\Support\OperationRunType`, `App\Services\OperationRunService`, `App\Services\Providers\ProviderOperationRegistry`, `App\Services\Providers\ProviderOperationStartGate`, `App\Filament\Resources\OperationRunResource`, `App\Filament\Pages\Workspaces\ManagedTenantOnboardingWizard`, `App\Support\Filament\FilterOptionCatalog`, `App\Support\OpsUx\OperationUxPresenter`, `App\Support\References\Resolvers\OperationRunReferenceResolver`, `App\Services\Audit\AuditEventBuilder`, Pest v4
|
||||
<!-- MANUAL ADDITIONS START -->
|
||||
|
||||
### Pre-production compatibility check
|
||||
|
||||
@ -1,34 +1,30 @@
|
||||
<!--
|
||||
Sync Impact Report
|
||||
|
||||
- Version change: 2.10.0 -> 2.11.0
|
||||
- Version change: 2.9.0 -> 2.10.0
|
||||
- Modified principles:
|
||||
- Expanded decision-first and operator-surface rules so operational,
|
||||
governance, evidence, onboarding, review, and support-facing
|
||||
detail/status surfaces separate decision content, operator
|
||||
diagnostics, and support/raw evidence
|
||||
- Expanded review and enforcement expectations so specs, plans,
|
||||
tasks, and checklists must make audience modes, raw/support
|
||||
gating, one dominant next action, and duplicate-truth prevention
|
||||
explicit
|
||||
- Expanded Operations / Run Observability Standard so OperationRun
|
||||
start UX is shared-contract-owned instead of surface-owned
|
||||
- Expanded Governance review expectations for OperationRun-starting
|
||||
features, explicit queued-notification policy, and bounded
|
||||
exceptions
|
||||
- Added sections:
|
||||
- Audience-Aware Decision Surfaces & Disclosure Ladder
|
||||
(DECIDE-AUD-001): requires customer-readable default paths,
|
||||
operator diagnostics as progressive disclosure, support/raw
|
||||
evidence gating, one dominant next action, and no duplicate truth
|
||||
across equal-priority cards
|
||||
- OperationRun Start UX Contract (OPS-UX-START-001): centralizes
|
||||
queued toast/link/event/message semantics, run/artifact deep links,
|
||||
queued DB-notification policy, and tenant/workspace-safe operation
|
||||
URL resolution behind one shared OperationRun UX layer
|
||||
- Removed sections: None
|
||||
- Templates requiring updates:
|
||||
- .specify/templates/spec-template.md: add audience-aware disclosure
|
||||
section + constitution prompts ✅
|
||||
- .specify/templates/plan-template.md: add audience/disclosure
|
||||
planning prompts + constitution checks ✅
|
||||
- .specify/templates/tasks-template.md: add decision/disclosure
|
||||
implementation + test tasks ✅
|
||||
- .specify/templates/checklist-template.md: add disclosure, raw-gating,
|
||||
one-primary-action, and duplicate-truth review checks ✅
|
||||
- .specify/templates/spec-template.md: add OperationRun UX Impact
|
||||
section + start-contract prompts ✅
|
||||
- .specify/templates/plan-template.md: add OperationRun UX Impact
|
||||
planning section + constitution checks ✅
|
||||
- .specify/templates/tasks-template.md: add central start-UX reuse,
|
||||
queued-notification policy, and exception tasks ✅
|
||||
- .specify/templates/checklist-template.md: add OperationRun start
|
||||
UX review checks ✅
|
||||
- docs/product/standards/README.md: refresh constitution index for
|
||||
the new audience-aware disclosure contract ✅
|
||||
the new ops-UX contract ✅
|
||||
- Commands checked:
|
||||
- N/A `.specify/templates/commands/*.md` directory is not present
|
||||
- Follow-up TODOs: None
|
||||
@ -598,109 +594,6 @@ ##### Review gate
|
||||
8. Does this reduce search, review, or click work?
|
||||
9. Does this make the product calmer and clearer instead of louder?
|
||||
|
||||
#### Audience-Aware Decision Surfaces & Disclosure Ladder (DECIDE-AUD-001)
|
||||
|
||||
Goal: every operational, governance, evidence, onboarding, review, and
|
||||
support-facing detail or status surface MUST keep customer-readable
|
||||
decision content, operator diagnostics, and support/raw evidence
|
||||
intentionally separated while preserving full depth through progressive
|
||||
disclosure.
|
||||
|
||||
##### Audience ladder is explicit
|
||||
|
||||
- In-scope detail and status surfaces MUST define their content using
|
||||
this three-tier hierarchy when applicable:
|
||||
- decision content
|
||||
- operator diagnostics
|
||||
- support / raw evidence
|
||||
- Surfaces that are reachable by more than one audience class MUST
|
||||
define their default-visible content for at least these layers when
|
||||
applicable:
|
||||
- customer / read-only default
|
||||
- operator / MSP diagnostics
|
||||
- platform / support raw evidence
|
||||
- The surface contract MUST state which capabilities unlock each deeper
|
||||
layer.
|
||||
- Support/raw evidence MUST NOT become the default first-read
|
||||
experience on customer-readable or ordinary operator-facing
|
||||
surfaces.
|
||||
|
||||
##### Customer-readable default path
|
||||
|
||||
- The default reading path for customer/read-only users MUST optimize
|
||||
for status, reason, impact, one dominant next action, and a short
|
||||
result or artifact summary.
|
||||
- Internal lifecycle wording, debug semantics, implementation field
|
||||
names, raw payload fragments, and support-oriented context MUST NOT
|
||||
appear in the default customer-readable path unless they are the only
|
||||
way to understand the first decision.
|
||||
- Default-visible customer/read-only content is responsible for status,
|
||||
reason, impact, the dominant next action, and a concise supporting
|
||||
summary only.
|
||||
|
||||
##### Diagnostics are secondary by default
|
||||
|
||||
- Diagnostics such as lifecycle, timings, verification detail, drift
|
||||
detail, permission detail, provider summaries, or related-operation
|
||||
context MUST be lower-priority than the decision surface and MUST be
|
||||
collapsed, tabbed, grouped, or otherwise progressively disclosed when
|
||||
the first decision does not require them.
|
||||
- Authorized operators MAY expand diagnostics, but diagnostics MUST NOT
|
||||
visually compete with the primary decision block.
|
||||
- Where no support/raw tier is exposed, diagnostics still remain below
|
||||
the decision tier and MUST NOT restate the same decision summary at
|
||||
equal weight.
|
||||
|
||||
##### Raw/support evidence is gated
|
||||
|
||||
- Raw/support evidence such as JSON, raw context payloads,
|
||||
fingerprints, internal reason ownership, platform reason families,
|
||||
monitoring detail, viewer context, or copy/show-raw actions MUST NOT
|
||||
appear in the default decision path.
|
||||
- These details MUST live behind explicit reveal affordances and MUST
|
||||
be capability-gated wherever the audience model distinguishes support
|
||||
or platform users from ordinary operators.
|
||||
- Capability-gated support/raw disclosure MUST fail closed when the
|
||||
actor lacks the required scope or capability.
|
||||
|
||||
##### One dominant next action
|
||||
|
||||
- A decision surface MUST expose exactly one dominant next action in
|
||||
the default-visible region.
|
||||
- Optional secondary actions MAY exist, but they MUST NOT compete with
|
||||
the primary remediation or decision action in prominence.
|
||||
- Contextual navigation such as opening a related run, tenant, report,
|
||||
or technical detail remains secondary.
|
||||
|
||||
##### No duplicate truth across equal-priority cards
|
||||
|
||||
- The same blocker, reason, or next action MUST NOT be repeated across
|
||||
multiple equal-priority cards, sections, or summary blocks on the
|
||||
same default-visible surface.
|
||||
- Supporting evidence MAY restate the underlying proof, but the
|
||||
dominant decision message appears once and diagnostics elaborate
|
||||
beneath it.
|
||||
|
||||
##### Required tests
|
||||
|
||||
- New or materially changed customer/operator-facing detail surfaces
|
||||
MUST include focused tests proving:
|
||||
- default-visible content shows status, reason, impact, and next
|
||||
action,
|
||||
- exactly one dominant next action is primary,
|
||||
- diagnostics are secondary or collapsed,
|
||||
- raw/support evidence is not default-visible,
|
||||
- support/raw sections are capability-gated where applicable,
|
||||
- and duplicate visible decision summaries are absent.
|
||||
|
||||
##### Stored evidence wins over fallback diagnostics
|
||||
|
||||
- When a stored verification or report artifact exists, fallback
|
||||
technical diagnostics SHOULD demote behind supporting evidence or
|
||||
technical details instead of remaining peer-level default content.
|
||||
- Fallback diagnostics MAY become temporarily prominent only when the
|
||||
higher-level artifact does not yet exist or is unavailable.
|
||||
|
||||
#### Surface Taxonomy (UI-SURF-001)
|
||||
|
||||
Every new admin surface MUST be assigned exactly one broad action-surface
|
||||
@ -1424,22 +1317,11 @@ #### Operator Surface Principles (OPSURF-001)
|
||||
- Diagnostic detail MAY exist, but it MUST be secondary and explicitly revealed.
|
||||
- JSON payloads, raw IDs, internal field names, provider error details, and low-level technical metadata belong in diagnostics surfaces rather than the primary content region.
|
||||
- Operators MUST NOT need to parse raw payloads to understand current state or next action.
|
||||
- Detail/status surfaces MUST satisfy DECIDE-AUD-001: decision content
|
||||
first, operator diagnostics second, support/raw evidence third.
|
||||
|
||||
Distinct truth dimensions
|
||||
- When the domain has execution outcome, data completeness, governance result, lifecycle or readiness state, operability truth, health truth, trust/confidence, or next action semantics, the surface MUST keep them explicit instead of collapsing them into one ambiguous status.
|
||||
- If multiple truth dimensions are summarized, the default-visible UI MUST label each dimension clearly.
|
||||
|
||||
Dominant next action and duplicate-truth control
|
||||
- Default-visible decision content MUST include status, reason,
|
||||
impact, and one dominant next action where those concepts exist.
|
||||
- Secondary navigation or debug helpers MUST remain lower-priority
|
||||
than the dominant decision action.
|
||||
- The same blocker, reason, impact, or next action MUST NOT be
|
||||
repeated across multiple default-visible cards, sections, tabs, or
|
||||
summaries.
|
||||
|
||||
Explicit mutation scope
|
||||
- Every state-changing action MUST communicate before execution whether it affects TenantPilot only, the Microsoft tenant, or simulation only.
|
||||
- Mutation scope MUST be understandable from nearby action copy, helper text, preview, or confirmation.
|
||||
@ -1460,13 +1342,6 @@ #### Operator Surface Principles (OPSURF-001)
|
||||
Page contract requirement
|
||||
- Every new or materially refactored operator-facing page MUST define the primary persona, surface type, primary operator question, default-visible information, diagnostics-only information, status dimensions used, mutation scope, primary actions, and dangerous actions.
|
||||
- The page contract MUST live in the governing spec and stay in sync with implementation.
|
||||
- Where multiple audience classes share the page, the contract MUST
|
||||
explicitly define the customer/read-only default path, operator
|
||||
diagnostics path, support/raw-evidence path, and the capabilities
|
||||
that unlock each layer.
|
||||
- The page contract MUST also make the dominant next action,
|
||||
duplicate-truth prevention, and raw/support gating explicit for
|
||||
changed detail/status surfaces.
|
||||
|
||||
#### Spec Scope Fields (SCOPE-002)
|
||||
|
||||
@ -1491,11 +1366,8 @@ #### Enforcement Model (UI-REVIEW-001)
|
||||
native, custom, or a shared detail family, what shared core vs host
|
||||
variation exists if relevant, which layer owns the relevant shell,
|
||||
page, and detail truth, which requested/active/draft/inspect/
|
||||
restorable roles exist, which audience ladder and disclosure
|
||||
boundaries exist, what the dominant next action is, how raw/support
|
||||
evidence is gated, how duplicate truth is prevented, whether any
|
||||
fake-native or host-drift risk is present, and whether an exception
|
||||
type is used.
|
||||
restorable roles exist, whether any fake-native or host-drift risk is
|
||||
present, and whether an exception type is used.
|
||||
- Missing any of those answers makes the spec incomplete.
|
||||
|
||||
PR review requirements
|
||||
@ -1510,12 +1382,7 @@ #### Enforcement Model (UI-REVIEW-001)
|
||||
promoted into primary navigation without justification, one case
|
||||
fragmented across multiple equal-rank pages, new automation that adds
|
||||
attention surfaces without reducing operator work, noisy default
|
||||
surfaces with no action/watch/reference hierarchy, duplicate visible
|
||||
blocker/reason/next-action summaries, customer/operator default paths
|
||||
that expose raw JSON, fingerprints, reason ownership, platform reason
|
||||
families, or monitoring detail, helper actions such as `Open
|
||||
operation`, `Technical details`, or `Show JSON` competing with the
|
||||
dominant decision action, `Filament Costume`,
|
||||
surfaces with no action/watch/reference hierarchy, `Filament Costume`,
|
||||
`Blade Request UI`, `Hand-Rolled Simple Overview`, `Hidden Exception`,
|
||||
`Host Drift`, `State Layer Collapse`, `Parallel Inspect Worlds`, or
|
||||
undocumented exceptions without dedicated tests.
|
||||
@ -1527,15 +1394,11 @@ #### Enforcement Model (UI-REVIEW-001)
|
||||
presence of explicit Inspect on Queue / Review and History / Audit
|
||||
surfaces, absence of empty `ActionGroup` or `BulkActionGroup`,
|
||||
correct placement of destructive actions, truthful scope signals,
|
||||
stable canonical nouns across shells, presence of a single dominant
|
||||
next action where surface metadata exposes one, absence of duplicate
|
||||
visible decision summaries, explicit raw/support gating or secondary
|
||||
placement where the surface serves multiple audience classes,
|
||||
absence of fake-native primary controls where metadata says the
|
||||
surface is native, bounded shared family contracts where metadata
|
||||
says a family is reused, explicit state ownership where specs or
|
||||
metadata expose it, and dedicated tests for every approved
|
||||
exception.
|
||||
stable canonical nouns across shells, absence of fake-native primary
|
||||
controls where metadata says the surface is native, bounded shared
|
||||
family contracts where metadata says a family is reused, explicit
|
||||
state ownership where specs or metadata expose it, and dedicated
|
||||
tests for every approved exception.
|
||||
|
||||
#### Immediate Retrofit Priorities
|
||||
|
||||
@ -1602,10 +1465,6 @@ #### Appendix A - One-page Condensed Constitution
|
||||
- Scope chips must be truthful.
|
||||
- Domain nouns are canonical and stable.
|
||||
- Critical operational truth is default-visible.
|
||||
- Multi-audience detail/status surfaces keep customer-readable decision
|
||||
content above operator diagnostics and support/raw evidence.
|
||||
- One dominant next action stays visually primary.
|
||||
- Duplicate visible decision truth is forbidden.
|
||||
- Semantic truth dimensions are not collapsed into a generic status.
|
||||
- Standard lists stay scanable.
|
||||
- Exceptions are catalogued, justified, and tested.
|
||||
@ -1618,8 +1477,6 @@ #### Appendix B - Feature Review Checklist
|
||||
- The human-in-the-loop moment is explicit.
|
||||
- Immediate-visible decision information is explicit.
|
||||
- On-demand evidence / diagnostics boundaries are explicit.
|
||||
- Audience-aware default visibility and raw-evidence boundaries are
|
||||
explicit where the page serves more than one audience class.
|
||||
- Any new primary surface is justified against an existing decision
|
||||
context.
|
||||
- Navigation reflects a workflow rather than storage structure.
|
||||
@ -1629,8 +1486,6 @@ #### Appendix B - Feature Review Checklist
|
||||
- Broad action-surface class is declared.
|
||||
- Detailed surface type is declared.
|
||||
- The one most likely next operator action is explicit.
|
||||
- One dominant next action stays primary.
|
||||
- Duplicate visible decision truth is absent.
|
||||
- The surface is classified correctly as native, custom, or shared
|
||||
family.
|
||||
- Primary inspect/open model is defined.
|
||||
@ -1712,10 +1567,6 @@ ### Filament Native First / No Ad-hoc Styling (UI-FIL-001)
|
||||
- Admin and operator-facing surfaces MUST use native Filament components, existing shared UI primitives, and centralized design patterns first.
|
||||
- If Filament already provides the required semantic element, feature code MUST use the Filament-native component instead of a locally assembled replacement.
|
||||
- Preferred native elements include `x-filament::badge`, `x-filament::button`, `x-filament::icon`, and Filament Forms, Infolists, Tables, Sections, Tabs, Grids, and Actions.
|
||||
- Local Blade/Tailwind cards are allowed only when they preserve dark
|
||||
mode correctness, spacing consistency, badge semantics, action
|
||||
hierarchy, progressive disclosure, accessibility, and overall
|
||||
Filament visual language.
|
||||
|
||||
Native-by-default classification
|
||||
- `Native Surface` means the primary interaction contract is built from
|
||||
@ -1747,8 +1598,6 @@ ### Filament Native First / No Ad-hoc Styling (UI-FIL-001)
|
||||
more than one host, it becomes a `Shared Detail Micro-UI` and MUST
|
||||
define shared core vs host variation before another host reassembles
|
||||
it locally.
|
||||
- Local one-off markup MUST NOT recreate decision/diagnostics/raw
|
||||
layering when an existing shared detail family is sufficient.
|
||||
|
||||
Upgrade-safe preference
|
||||
- Update-safe, framework-native implementations take priority over page-local styling shortcuts.
|
||||
@ -1762,9 +1611,7 @@ ### Filament Native First / No Ad-hoc Styling (UI-FIL-001)
|
||||
- and the deviation is justified briefly in code and in the governing spec or PR.
|
||||
- Approved exceptions MUST stay layout-neutral, use the minimum local
|
||||
classes necessary, MUST NOT invent a new page-local status language,
|
||||
MUST preserve dark mode correctness, spacing consistency,
|
||||
badge semantics, action hierarchy, progressive disclosure,
|
||||
accessibility, and MUST say what remains standardized.
|
||||
and MUST say what remains standardized.
|
||||
- `Hidden Exception` is forbidden. Historical accident or local
|
||||
implementation convenience is not a valid substitute for UI-EX-001.
|
||||
|
||||
@ -1773,8 +1620,6 @@ ### Filament Native First / No Ad-hoc Styling (UI-FIL-001)
|
||||
- which native Filament element or shared primitive was used,
|
||||
- why an existing component was insufficient if an exception was taken,
|
||||
- whether the surface is native, custom, or a shared detail family,
|
||||
- whether any local Blade/Tailwind card still preserves Filament
|
||||
visual language and disclosure semantics,
|
||||
- and whether any ad-hoc status, emphasis styling, or fake-native
|
||||
contract was introduced.
|
||||
- UI work is not Done if it introduces ad-hoc status styling or framework-foreign replacement components where a native Filament or shared UI solution was viable.
|
||||
@ -1813,11 +1658,6 @@ ### Scope, Compliance, and Review Expectations
|
||||
different policy, route terminal notifications through the lifecycle mechanism, include an `OperationRun UX Impact`
|
||||
section in the active spec or plan, and document any temporary exception with an architecture note, test rationale,
|
||||
and migration decision.
|
||||
- Specs and PRs that change detail or status surfaces MUST explicitly
|
||||
document how they satisfy customer-readable decision-first content,
|
||||
diagnostics-secondary disclosure, support/raw-evidence gating, one
|
||||
dominant next action, duplicate-truth prevention, and shared-pattern
|
||||
reuse.
|
||||
- Specs and PRs that change operator-facing surfaces MUST classify each
|
||||
affected surface under DECIDE-001 and justify any new Primary
|
||||
Decision Surface or workflow-first navigation change.
|
||||
@ -1835,4 +1675,4 @@ ### Versioning Policy (SemVer)
|
||||
- **MINOR**: new principle/section or materially expanded guidance.
|
||||
- **MAJOR**: removing/redefining principles in a backward-incompatible way.
|
||||
|
||||
**Version**: 2.11.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-04-27
|
||||
**Version**: 2.10.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-04-24
|
||||
|
||||
@ -51,14 +51,6 @@ ## Signals, Exceptions, And Test Depth
|
||||
- [ ] CHK014 The required surface test profile is explicit: `shared-detail-family`, `monitoring-state-page`, `global-context-shell`, `exception-coded-surface`, or `standard-native-filament`.
|
||||
- [ ] CHK015 The chosen test family/lane and any manual smoke are the narrowest honest proof for the declared surface class, and `standard-native-filament` relief is used when no special contract exists.
|
||||
|
||||
## Audience-Aware Disclosure And Decision Hierarchy
|
||||
|
||||
- [ ] CHK023 Default-visible content is decision-first and clearly separated from operator diagnostics and support/raw evidence.
|
||||
- [ ] CHK024 Customer/read-only default paths do not expose raw JSON, copied context payloads, fingerprints, internal reason ownership, platform reason families, monitoring detail, or other debug semantics by default.
|
||||
- [ ] CHK025 Exactly one dominant next action is primary; navigation or debug helpers such as `Open operation`, `Technical details`, or `Show JSON` do not compete at equal weight.
|
||||
- [ ] CHK026 Duplicate visible status, blocker, reason, impact, or next-action summaries are removed or explicitly justified as non-duplicative evidence.
|
||||
- [ ] CHK027 Support/raw sections are collapsed, lower-priority, or capability-gated where applicable, and any local Blade/Tailwind surface still preserves Filament visual language, dark mode correctness, progressive disclosure, and accessibility.
|
||||
|
||||
## Review Outcome
|
||||
|
||||
- [ ] CHK016 One review outcome class is chosen: `blocker`, `strong-warning`, `documentation-required-exception`, or `acceptable-special-case`.
|
||||
|
||||
@ -36,10 +36,6 @@ ## UI / Surface Guardrail Plan
|
||||
- **Native vs custom classification summary**: [native / custom / mixed / N/A]
|
||||
- **Shared-family relevance**: [none / list affected shared families]
|
||||
- **State layers in scope**: [shell / page / detail / URL-query / none]
|
||||
- **Audience modes in scope**: [customer/read-only / operator-MSP / support-platform / N/A]
|
||||
- **Decision/diagnostic/raw hierarchy plan**: [decision-first / diagnostics-second / support-raw-third / N/A]
|
||||
- **Raw/support gating plan**: [collapsed / capability-gated / role-gated / N/A]
|
||||
- **One-primary-action / duplicate-truth control**: [how one dominant next action is preserved and repeated blockers are removed]
|
||||
- **Handling modes by drift class or surface**: [hard-stop-candidate / review-mandatory / exception-required / report-only / N/A]
|
||||
- **Repository-signal treatment**: [report-only / review-mandatory / exception-required / future hard-stop candidate / N/A]
|
||||
- **Special surface test profiles**: [standard-native-filament / shared-detail-family / monitoring-state-page / global-context-shell / exception-coded-surface / N/A]
|
||||
@ -115,10 +111,6 @@ ## Constitution Check
|
||||
- Spec discipline / bloat check (SPEC-DISC-001, BLOAT-001): related semantic changes are grouped coherently, and any new enum, DTO/presenter, persisted entity, interface/registry/resolver, or taxonomy includes a proportionality review covering operator problem, insufficiency, narrowness, ownership cost, rejected alternative, and whether it is current-release truth
|
||||
- Badge semantics (BADGE-001): status-like badges use `BadgeCatalog` / `BadgeRenderer`; no ad-hoc mappings; new values include tests
|
||||
- Filament-native UI (UI-FIL-001): admin/operator surfaces use native Filament components or shared primitives first; no ad-hoc status UI, local semantic color/border decisions, or hand-built replacements when native/shared semantics exist; any exception is explicitly justified
|
||||
- Filament-native UI (UI-FIL-001): if local Blade/Tailwind cards are
|
||||
still necessary, they preserve dark mode correctness, spacing
|
||||
consistency, badge semantics, action hierarchy, progressive
|
||||
disclosure, accessibility, and Filament visual language
|
||||
- UI/UX surface taxonomy (UI-CONST-001 / UI-SURF-001): every changed operator-facing surface is classified as exactly one allowed surface type; ad-hoc interaction models are forbidden
|
||||
- Decision-first operating model (DECIDE-001): each changed
|
||||
operator-facing surface is classified as Primary Decision,
|
||||
@ -128,13 +120,6 @@ ## Constitution Check
|
||||
disclosed, one governance case stays decidable in one context where
|
||||
practical, navigation follows workflows not storage structures, and
|
||||
automation / alerts reduce attention load instead of adding noise
|
||||
- Audience-aware disclosure (DECIDE-AUD-001 / OPSURF-001): detail or
|
||||
status surfaces separate customer-readable decision content,
|
||||
operator diagnostics, and support/raw evidence; customer-readable
|
||||
default paths hide raw JSON, copied context, fingerprints, internal
|
||||
reason ownership, platform reason families, and debug semantics;
|
||||
one dominant next action is explicit; duplicate visible truth is
|
||||
removed
|
||||
- UI/UX inspect model (UI-HARD-001): each list surface has exactly one primary inspect/open model; redundant View beside row click or identifier click is forbidden; edit-as-inspect is limited to Config-lite resources
|
||||
- UI/UX action hierarchy (UI-HARD-001 / UI-EX-001): standard CRUD and Registry rows expose at most one inline safe shortcut; destructive actions are grouped or in the detail header; queue exceptions are catalogued, justified, and tested
|
||||
- UI/UX scope, truth, and naming (UI-HARD-001 / UI-NAMING-001 / OPSURF-001): scope signals are truthful, canonical nouns stay stable across shells, critical operational truth is default-visible, and standard lists remain scanable
|
||||
|
||||
@ -89,17 +89,6 @@ ## Decision-First Surface Role *(mandatory when operator-facing surfaces are cha
|
||||
|---|---|---|---|---|---|---|---|
|
||||
| e.g. Review inbox | Primary Decision Surface | Review and release queued governance work | Case summary, severity, recommendation, required action | Full evidence, raw payloads, audit trail, provider diagnostics | Primary because it is the queue where operators decide and clear work | Follows pending-decisions workflow, not storage objects | Removes search across runs, findings, and audit pages |
|
||||
|
||||
## Audience-Aware Disclosure *(mandatory when operator-facing surfaces are changed)*
|
||||
|
||||
If this feature adds or materially changes a detail or status surface,
|
||||
fill out one row per affected surface. Reuse the same surface names
|
||||
used above and make the disclosure hierarchy explicit instead of
|
||||
assuming it.
|
||||
|
||||
| Surface | Audience Modes In Scope | Decision-First Default-Visible Content | Operator Diagnostics | Support / Raw Evidence | One Dominant Next Action | Hidden / Gated By Default | Duplicate-Truth Prevention |
|
||||
|---|---|---|---|---|---|---|---|
|
||||
| e.g. Review inbox | customer-read-only, operator-MSP, support-platform | Current status, why it matters, impact, recommendation, next action | Review history, lifecycle, related evidence, related runs | Raw payloads, fingerprints, reason ownership, platform reason family | `Review evidence` | Raw/support detail hidden or capability-gated outside support mode | The top summary states the blocker once; later sections add evidence rather than restating it |
|
||||
|
||||
## UI/UX Surface Classification *(mandatory when operator-facing surfaces are changed)*
|
||||
|
||||
If this feature adds or materially changes an operator-facing list, detail, queue, audit, config, or report surface,
|
||||
@ -265,13 +254,6 @@ ## Requirements *(mandatory)*
|
||||
- record any allowed deviation, the consistency it must preserve, and its ownership/spread-control cost,
|
||||
- and make the reviewer focus explicit so parallel local UX paths do not appear silently.
|
||||
|
||||
**Constitution alignment (DECIDE-AUD-001 / OPSURF-001):** If this feature changes a detail or status surface, the spec MUST describe:
|
||||
- how the surface separates customer-readable decision content, operator diagnostics, and support/raw evidence,
|
||||
- which audience modes are in scope (`customer/read-only`, `operator/MSP`, `support/platform`),
|
||||
- which content is hidden, collapsed, or capability-gated by default,
|
||||
- how one dominant next action is preserved,
|
||||
- and how duplicate visible truth is prevented.
|
||||
|
||||
**Constitution alignment (PROV-001):** If this feature touches a shared provider/platform seam, the spec MUST:
|
||||
- classify each touched seam as provider-owned or platform-core,
|
||||
- keep provider-specific semantics out of platform-core contracts, taxonomies, identifiers, compare semantics, and operator vocabulary unless explicitly justified,
|
||||
@ -328,7 +310,6 @@ ## Requirements *(mandatory)*
|
||||
- which native Filament components or shared UI primitives are used,
|
||||
- whether any local replacement markup was avoided for badges, alerts, buttons, or status surfaces,
|
||||
- how semantic emphasis is expressed through Filament props or central primitives rather than page-local color/border classes,
|
||||
- how any required local Blade/Tailwind cards still preserve dark mode correctness, spacing consistency, badge semantics, action hierarchy, progressive disclosure, accessibility, and Filament visual language,
|
||||
- and any exception where Filament or a shared primitive was insufficient, including why the exception is necessary and how it avoids introducing a new local status language.
|
||||
|
||||
**Constitution alignment (UI-NAMING-001):** If this feature adds or changes operator-facing buttons, header actions, run titles,
|
||||
@ -386,7 +367,6 @@ ## Requirements *(mandatory)*
|
||||
**Constitution alignment (OPSURF-001):** If this feature adds or materially refactors an operator-facing surface, the spec MUST describe:
|
||||
- how the default-visible content stays operator-first on `/admin` and avoids raw implementation detail,
|
||||
- which diagnostics are secondary and how they are explicitly revealed,
|
||||
- how the dominant next action stays primary and how duplicate visible truth is avoided,
|
||||
- which status dimensions are shown separately (execution outcome, data completeness, governance result, lifecycle/readiness) and why,
|
||||
- how each mutating action communicates its mutation scope before execution (`TenantPilot only`, `Microsoft tenant`, or `simulation only`),
|
||||
- how dangerous actions follow the safe-execution pattern (configuration, safety checks/simulation, preview, hard confirmation where required, execute),
|
||||
|
||||
@ -78,21 +78,9 @@ # Tasks: [FEATURE NAME]
|
||||
- filling the spec’s Operator Surface Contract for every affected page,
|
||||
- keeping default-visible content limited to first-decision needs and
|
||||
moving proof, payloads, and diagnostics into progressive disclosure,
|
||||
- implementing the three-tier disclosure hierarchy where applicable:
|
||||
customer-readable decision content first, operator diagnostics
|
||||
second, support/raw evidence third,
|
||||
- making default-visible content operator-first and moving JSON payloads, raw IDs, internal field names, provider error details, and low-level metadata into explicitly revealed diagnostics surfaces,
|
||||
- ensuring customer/read-only default paths do not expose raw JSON,
|
||||
copied context payloads, fingerprints, internal reason ownership,
|
||||
platform reason families, or debug semantics,
|
||||
- keeping each governance case decidable in one focused context where
|
||||
practical instead of forcing cross-page reconstruction,
|
||||
- keeping exactly one dominant next action primary and demoting
|
||||
navigation/debug helpers such as `Open operation`, `Technical
|
||||
details`, or `Show JSON`,
|
||||
- removing duplicate visible status, blocker, reason, impact, or
|
||||
next-action summaries so later sections add evidence instead of
|
||||
restating the same decision truth,
|
||||
- modeling execution outcome, data completeness, governance result, and lifecycle/readiness as distinct status dimensions when applicable,
|
||||
- making mutation scope legible before execution for every state-changing action (`TenantPilot only`, `Microsoft tenant`, or `simulation only`),
|
||||
- implementing the safe-execution flow for dangerous actions (configuration, safety checks/simulation, preview, hard confirmation where required, execute) or documenting an approved exemption,
|
||||
@ -140,12 +128,6 @@ # Tasks: [FEATURE NAME]
|
||||
- documenting any catalogued UI exception in the spec/PR and adding dedicated test coverage,
|
||||
- documenting any UI-FIL-001 exception with rationale in the spec/PR,
|
||||
- adding/updated tests that enforce the contract and block merge on violations, OR documenting an explicit exemption with rationale.
|
||||
- For any new or modified customer/operator-facing detail surface,
|
||||
tests MUST prove default-visible status/reason/impact/next-action
|
||||
content, exactly one dominant next action, diagnostics-secondary
|
||||
ordering, hidden raw/support detail by default, capability-gated
|
||||
support/raw sections where applicable, and the absence of duplicate
|
||||
visible decision summaries.
|
||||
**Filament UI UX-001 (Layout & IA)**: If this feature adds/modifies any Filament screen, tasks MUST include:
|
||||
- ensuring Create/Edit pages use Main/Aside layout (3-col grid, Main=columnSpan(2), Aside=columnSpan(1)),
|
||||
- ensuring all form fields are inside Sections/Cards (no naked inputs at root schema level),
|
||||
|
||||
@ -1,24 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Exceptions\Entitlements;
|
||||
|
||||
final class WorkspaceEntitlementBlockedException extends \RuntimeException
|
||||
{
|
||||
/**
|
||||
* @param array<string, mixed> $decision
|
||||
*/
|
||||
public function __construct(private readonly array $decision)
|
||||
{
|
||||
parent::__construct((string) ($decision['block_reason'] ?? 'Workspace entitlement currently blocks this action.'));
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
public function decision(): array
|
||||
{
|
||||
return $this->decision;
|
||||
}
|
||||
}
|
||||
@ -6,7 +6,6 @@
|
||||
|
||||
use App\Filament\Resources\OperationRunResource;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\SupportRequest;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Services\Audit\WorkspaceAuditLogger;
|
||||
@ -31,7 +30,6 @@
|
||||
use App\Support\RestoreSafety\RestoreSafetyCopy;
|
||||
use App\Support\Rbac\UiEnforcement;
|
||||
use App\Support\SupportDiagnostics\SupportDiagnosticBundleBuilder;
|
||||
use App\Support\SupportRequests\SupportRequestSubmissionService;
|
||||
use App\Support\Tenants\ReferencedTenantLifecyclePresentation;
|
||||
use App\Support\Tenants\TenantInteractionLane;
|
||||
use App\Support\Tenants\TenantOperabilityQuestion;
|
||||
@ -42,10 +40,6 @@
|
||||
use App\Support\Ui\OperatorExplanation\OperatorExplanationPattern;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Actions\ActionGroup;
|
||||
use Filament\Forms\Components\Placeholder;
|
||||
use Filament\Forms\Components\Select;
|
||||
use Filament\Forms\Components\TextInput;
|
||||
use Filament\Forms\Components\Textarea;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Pages\Page;
|
||||
use Filament\Schemas\Components\EmbeddedSchema;
|
||||
@ -147,6 +141,10 @@ protected function getHeaderActions(): array
|
||||
? OperationRunLinks::tenantlessView($this->run, $navigationContext)
|
||||
: OperationRunLinks::index());
|
||||
|
||||
if (isset($this->run)) {
|
||||
$actions[] = $this->openSupportDiagnosticsAction();
|
||||
}
|
||||
|
||||
if (! isset($this->run)) {
|
||||
return $actions;
|
||||
}
|
||||
@ -169,14 +167,6 @@ protected function getHeaderActions(): array
|
||||
->color('gray');
|
||||
}
|
||||
|
||||
$actions[] = ActionGroup::make([
|
||||
$this->openSupportDiagnosticsAction(),
|
||||
$this->requestSupportAction(),
|
||||
])
|
||||
->label('More')
|
||||
->icon('heroicon-o-ellipsis-horizontal')
|
||||
->color('gray');
|
||||
|
||||
$actions[] = $this->resumeCaptureAction();
|
||||
|
||||
return $actions;
|
||||
@ -238,6 +228,8 @@ private function openSupportDiagnosticsAction(): Action
|
||||
$action = Action::make('openSupportDiagnostics')
|
||||
->label('Open support diagnostics')
|
||||
->icon('heroicon-o-lifebuoy')
|
||||
->iconButton()
|
||||
->tooltip('Open support diagnostics')
|
||||
->color('gray')
|
||||
->record($this->run)
|
||||
->modal()
|
||||
@ -259,85 +251,39 @@ private function openSupportDiagnosticsAction(): Action
|
||||
->apply();
|
||||
}
|
||||
|
||||
public function authorizeOperationRunSupportRequest(): void
|
||||
{
|
||||
$this->resolveRunTenantForCapability(Capabilities::SUPPORT_REQUESTS_CREATE);
|
||||
}
|
||||
|
||||
private function requestSupportAction(): Action
|
||||
{
|
||||
$action = Action::make('requestSupport')
|
||||
->label('Request support')
|
||||
->icon('heroicon-o-paper-airplane')
|
||||
->record($this->run)
|
||||
->slideOver()
|
||||
->stickyModalHeader()
|
||||
->modalHeading('Request support')
|
||||
->modalDescription('Share a concise summary and TenantAtlas will attach redacted context from the current run.')
|
||||
->modalSubmitActionLabel('Submit support request')
|
||||
->form([
|
||||
Placeholder::make('primary_context')
|
||||
->label('Primary context')
|
||||
->content(fn (): string => OperationRunLinks::identifier($this->run))
|
||||
->columnSpanFull(),
|
||||
Placeholder::make('included_context')
|
||||
->label('Included context')
|
||||
->content(fn (): string => $this->operationSupportRequestAttachmentSummary())
|
||||
->columnSpanFull(),
|
||||
Select::make('severity')
|
||||
->label('Severity')
|
||||
->options(SupportRequest::severityOptions())
|
||||
->default(SupportRequest::SEVERITY_NORMAL)
|
||||
->required()
|
||||
->native(false),
|
||||
TextInput::make('summary')
|
||||
->label('Summary')
|
||||
->required()
|
||||
->columnSpanFull(),
|
||||
Textarea::make('reproduction_notes')
|
||||
->label('Reproduction notes')
|
||||
->rows(4)
|
||||
->columnSpanFull(),
|
||||
TextInput::make('contact_name')
|
||||
->label('Contact name')
|
||||
->default(fn (): ?string => $this->resolveViewerActor()->name),
|
||||
TextInput::make('contact_email')
|
||||
->label('Contact email')
|
||||
->email()
|
||||
->default(fn (): ?string => $this->resolveViewerActor()->email),
|
||||
])
|
||||
->action(function (array $data): void {
|
||||
$actor = $this->resolveViewerActor();
|
||||
|
||||
$supportRequest = app(SupportRequestSubmissionService::class)->submitForOperationRun($this->run, $actor, $data);
|
||||
|
||||
Notification::make()
|
||||
->title('Support request submitted')
|
||||
->body('Reference '.$supportRequest->internal_reference)
|
||||
->success()
|
||||
->send();
|
||||
});
|
||||
|
||||
return UiEnforcement::forAction($action)
|
||||
->requireCapability(Capabilities::SUPPORT_REQUESTS_CREATE)
|
||||
->apply();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
public function operationRunSupportDiagnosticBundle(): array
|
||||
{
|
||||
$user = $this->resolveViewerActor();
|
||||
$tenant = $this->resolveRunTenantForCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
|
||||
$user = auth()->user();
|
||||
$tenant = $this->supportDiagnosticsTenant();
|
||||
|
||||
if (! $user instanceof User || ! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$resolver = app(CapabilityResolver::class);
|
||||
|
||||
if (! $resolver->isMember($user, $tenant)) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if (! $resolver->can($user, $tenant, Capabilities::SUPPORT_DIAGNOSTICS_VIEW)) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
return app(SupportDiagnosticBundleBuilder::class)->forOperationRun($this->run, $user);
|
||||
}
|
||||
|
||||
private function auditOperationSupportDiagnosticsOpen(): void
|
||||
{
|
||||
$user = $this->resolveViewerActor();
|
||||
$tenant = $this->resolveRunTenantForCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
|
||||
$user = auth()->user();
|
||||
$tenant = $this->supportDiagnosticsTenant();
|
||||
|
||||
if (! $user instanceof User || ! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$this->recordSupportDiagnosticsOpened(
|
||||
tenant: $tenant,
|
||||
@ -361,59 +307,6 @@ private function supportDiagnosticsTenant(): ?Tenant
|
||||
return $this->run->loadMissing('tenant')->tenant;
|
||||
}
|
||||
|
||||
private function resolveViewerActor(): User
|
||||
{
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
return $user;
|
||||
}
|
||||
|
||||
private function resolveRunTenantForCapability(string $capability): Tenant
|
||||
{
|
||||
$tenant = $this->supportDiagnosticsTenant();
|
||||
$user = $this->resolveViewerActor();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$resolver = app(CapabilityResolver::class);
|
||||
|
||||
if (! $resolver->isMember($user, $tenant)) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if (! $resolver->can($user, $tenant, $capability)) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
return $tenant;
|
||||
}
|
||||
|
||||
private function operationSupportRequestAttachmentSummary(): string
|
||||
{
|
||||
$tenant = $this->supportDiagnosticsTenant();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
return 'Only canonical redacted run context will be attached.';
|
||||
}
|
||||
|
||||
$resolver = app(CapabilityResolver::class);
|
||||
|
||||
if (! $resolver->isMember($user, $tenant)) {
|
||||
return 'Only canonical redacted run context will be attached.';
|
||||
}
|
||||
|
||||
return $resolver->can($user, $tenant, Capabilities::SUPPORT_DIAGNOSTICS_VIEW)
|
||||
? 'A redacted diagnostic snapshot and the canonical run context will be attached.'
|
||||
: 'Only the canonical redacted run context will be attached because you cannot view support diagnostics.';
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $bundle
|
||||
*/
|
||||
|
||||
@ -1,497 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Pages\Reviews;
|
||||
|
||||
use App\Filament\Resources\TenantReviewResource;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\TenantReview;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Services\ReviewPackService;
|
||||
use App\Services\TenantReviews\TenantReviewRegisterService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Findings\FindingOutcomeSemantics;
|
||||
use App\Support\Filament\TablePaginationProfiles;
|
||||
use App\Support\ReviewPackStatus;
|
||||
use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthEnvelope;
|
||||
use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthPresenter;
|
||||
use App\Support\Ui\GovernanceArtifactTruth\CompressedGovernanceOutcome;
|
||||
use App\Support\Ui\GovernanceArtifactTruth\SurfaceCompressionContext;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use BackedEnum;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Pages\Page;
|
||||
use Filament\Tables\Columns\TextColumn;
|
||||
use Filament\Tables\Concerns\InteractsWithTable;
|
||||
use Filament\Tables\Contracts\HasTable;
|
||||
use Filament\Tables\Filters\SelectFilter;
|
||||
use Filament\Tables\Table;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use UnitEnum;
|
||||
|
||||
class CustomerReviewWorkspace extends Page implements HasTable
|
||||
{
|
||||
use InteractsWithTable;
|
||||
|
||||
public const string DETAIL_CONTEXT_QUERY_KEY = 'customer_workspace';
|
||||
|
||||
private const string SOURCE_SURFACE = 'customer_review_workspace';
|
||||
|
||||
protected static bool $isDiscovered = false;
|
||||
|
||||
protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-document-text';
|
||||
|
||||
protected static string|UnitEnum|null $navigationGroup = 'Reporting';
|
||||
|
||||
protected static ?string $navigationLabel = 'Customer reviews';
|
||||
|
||||
protected static ?int $navigationSort = 44;
|
||||
|
||||
protected static ?string $title = 'Customer Review Workspace';
|
||||
|
||||
protected static ?string $slug = 'reviews/workspace';
|
||||
|
||||
protected string $view = 'filament.pages.reviews.customer-review-workspace';
|
||||
|
||||
public static function tenantPrefilterUrl(Tenant $tenant): string
|
||||
{
|
||||
$tenantIdentifier = filled($tenant->external_id)
|
||||
? (string) $tenant->external_id
|
||||
: (string) $tenant->getKey();
|
||||
|
||||
return static::getUrl(panel: 'admin').'?'.http_build_query([
|
||||
'tenant' => $tenantIdentifier,
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @var array<int, Tenant>|null
|
||||
*/
|
||||
private ?array $authorizedTenants = null;
|
||||
|
||||
public function mount(): void
|
||||
{
|
||||
$this->authorizePageAccess();
|
||||
$this->applyRequestedTenantPrefilter();
|
||||
$this->mountInteractsWithTable();
|
||||
}
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
Action::make('clear_filters')
|
||||
->label('Clear filters')
|
||||
->icon('heroicon-o-x-mark')
|
||||
->color('gray')
|
||||
->visible(fn (): bool => $this->hasActiveFilters())
|
||||
->action(function (): void {
|
||||
$this->clearWorkspaceFilters();
|
||||
}),
|
||||
];
|
||||
}
|
||||
|
||||
public function table(Table $table): Table
|
||||
{
|
||||
return $table
|
||||
->query(fn (): Builder => $this->workspaceQuery())
|
||||
->defaultSort('name')
|
||||
->paginated(TablePaginationProfiles::customPage())
|
||||
->persistFiltersInSession()
|
||||
->persistSearchInSession()
|
||||
->persistSortInSession()
|
||||
->recordUrl(fn (Tenant $record): ?string => $this->latestReviewUrl($record))
|
||||
->columns([
|
||||
TextColumn::make('name')->label('Tenant')->searchable()->sortable(),
|
||||
TextColumn::make('latest_review')
|
||||
->label('Latest review')
|
||||
->badge()
|
||||
->getStateUsing(fn (Tenant $record): string => $this->latestReviewStateLabel($record))
|
||||
->color(fn (Tenant $record): string => $this->latestReviewStateColor($record))
|
||||
->icon(fn (Tenant $record): ?string => $this->latestReviewStateIcon($record))
|
||||
->iconColor(fn (Tenant $record): ?string => $this->latestReviewStateIconColor($record))
|
||||
->description(fn (Tenant $record): ?string => $this->reviewOutcomeDescription($record))
|
||||
->wrap(),
|
||||
TextColumn::make('finding_summary')
|
||||
->label('Key findings')
|
||||
->getStateUsing(fn (Tenant $record): string => $this->findingSummary($record))
|
||||
->wrap(),
|
||||
TextColumn::make('accepted_risk_summary')
|
||||
->label('Accepted risks')
|
||||
->getStateUsing(fn (Tenant $record): string => $this->acceptedRiskSummary($record))
|
||||
->wrap(),
|
||||
TextColumn::make('published_at')
|
||||
->label('Published')
|
||||
->getStateUsing(fn (Tenant $record): ?string => $this->latestPublishedAt($record)?->toDateTimeString())
|
||||
->dateTime()
|
||||
->placeholder('—'),
|
||||
TextColumn::make('review_pack_state')
|
||||
->label('Review pack')
|
||||
->getStateUsing(fn (Tenant $record): string => $this->reviewPackAvailability($record)),
|
||||
])
|
||||
->filters([
|
||||
SelectFilter::make('tenant_id')
|
||||
->label('Tenant')
|
||||
->options(fn (): array => $this->tenantFilterOptions())
|
||||
->default(fn (): ?string => $this->defaultTenantFilter())
|
||||
->query(function (Builder $query, array $data): Builder {
|
||||
$tenantId = $data['value'] ?? null;
|
||||
|
||||
return is_numeric($tenantId)
|
||||
? $query->whereKey((int) $tenantId)
|
||||
: $query;
|
||||
})
|
||||
->searchable(),
|
||||
])
|
||||
->actions([
|
||||
Action::make('open_latest_review')
|
||||
->label('Open latest review')
|
||||
->icon('heroicon-o-arrow-top-right-on-square')
|
||||
->url(fn (Tenant $record): ?string => $this->latestReviewUrl($record))
|
||||
->visible(fn (Tenant $record): bool => $this->latestPublishedReview($record) instanceof TenantReview),
|
||||
Action::make('download_review_pack')
|
||||
->label('Download review pack')
|
||||
->icon('heroicon-o-arrow-down-tray')
|
||||
->url(fn (Tenant $record): ?string => $this->latestReviewPackDownloadUrl($record))
|
||||
->openUrlInNewTab()
|
||||
->visible(fn (Tenant $record): bool => is_string($this->latestReviewPackDownloadUrl($record))),
|
||||
])
|
||||
->bulkActions([])
|
||||
->emptyStateHeading('No entitled tenants match this view')
|
||||
->emptyStateDescription(fn (): string => $this->hasActiveFilters()
|
||||
? 'Clear the current filters to return to the full customer review workspace for your entitled tenants.'
|
||||
: 'Adjust filters to return to the full customer review workspace for your entitled tenants.')
|
||||
->emptyStateActions([
|
||||
Action::make('clear_filters_empty')
|
||||
->label('Clear filters')
|
||||
->icon('heroicon-o-x-mark')
|
||||
->color('gray')
|
||||
->visible(fn (): bool => $this->hasActiveFilters())
|
||||
->action(fn (): mixed => $this->clearWorkspaceFilters()),
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, Tenant>
|
||||
*/
|
||||
public function authorizedTenants(): array
|
||||
{
|
||||
if ($this->authorizedTenants !== null) {
|
||||
return $this->authorizedTenants;
|
||||
}
|
||||
|
||||
$user = auth()->user();
|
||||
$workspace = $this->workspace();
|
||||
|
||||
if (! $user instanceof User || ! $workspace instanceof Workspace) {
|
||||
return $this->authorizedTenants = [];
|
||||
}
|
||||
|
||||
return $this->authorizedTenants = app(TenantReviewRegisterService::class)->authorizedTenants($user, $workspace);
|
||||
}
|
||||
|
||||
private function authorizePageAccess(): void
|
||||
{
|
||||
$user = auth()->user();
|
||||
$workspace = $this->workspace();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
if (! $workspace instanceof Workspace) {
|
||||
throw new NotFoundHttpException;
|
||||
}
|
||||
|
||||
$service = app(TenantReviewRegisterService::class);
|
||||
|
||||
if (! $service->canAccessWorkspace($user, $workspace)) {
|
||||
throw new NotFoundHttpException;
|
||||
}
|
||||
|
||||
if ($this->authorizedTenants() === []) {
|
||||
throw new NotFoundHttpException;
|
||||
}
|
||||
}
|
||||
|
||||
private function workspaceQuery(): Builder
|
||||
{
|
||||
$user = auth()->user();
|
||||
$workspace = $this->workspace();
|
||||
|
||||
if (! $user instanceof User || ! $workspace instanceof Workspace) {
|
||||
return Tenant::query()->whereRaw('1 = 0');
|
||||
}
|
||||
|
||||
return app(TenantReviewRegisterService::class)->customerWorkspaceTenantQuery($user, $workspace);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
private function tenantFilterOptions(): array
|
||||
{
|
||||
return collect($this->authorizedTenants())
|
||||
->mapWithKeys(static fn (Tenant $tenant): array => [
|
||||
(string) $tenant->getKey() => $tenant->name,
|
||||
])
|
||||
->all();
|
||||
}
|
||||
|
||||
private function defaultTenantFilter(): ?string
|
||||
{
|
||||
$tenantId = app(WorkspaceContext::class)->lastTenantId(request());
|
||||
|
||||
return is_int($tenantId) && array_key_exists($tenantId, $this->authorizedTenants())
|
||||
? (string) $tenantId
|
||||
: null;
|
||||
}
|
||||
|
||||
private function applyRequestedTenantPrefilter(): void
|
||||
{
|
||||
$requestedTenant = request()->query('tenant', request()->query('tenant_id'));
|
||||
|
||||
if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
|
||||
return;
|
||||
}
|
||||
|
||||
foreach ($this->authorizedTenants() as $tenant) {
|
||||
if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$this->tableFilters['tenant_id']['value'] = (string) $tenant->getKey();
|
||||
$this->tableDeferredFilters['tenant_id']['value'] = (string) $tenant->getKey();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
throw new NotFoundHttpException;
|
||||
}
|
||||
|
||||
private function hasActiveFilters(): bool
|
||||
{
|
||||
return $this->currentTenantFilterId() !== null;
|
||||
}
|
||||
|
||||
private function clearWorkspaceFilters(): void
|
||||
{
|
||||
app(WorkspaceContext::class)->clearLastTenantId(request());
|
||||
$this->removeTableFilters();
|
||||
}
|
||||
|
||||
private function currentTenantFilterId(): ?int
|
||||
{
|
||||
$tenantFilter = data_get($this->tableFilters, 'tenant_id.value');
|
||||
|
||||
if (! is_numeric($tenantFilter)) {
|
||||
$tenantFilter = data_get(session()->get($this->getTableFiltersSessionKey(), []), 'tenant_id.value');
|
||||
}
|
||||
|
||||
return is_numeric($tenantFilter) ? (int) $tenantFilter : null;
|
||||
}
|
||||
|
||||
private function workspace(): ?Workspace
|
||||
{
|
||||
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
|
||||
|
||||
return is_numeric($workspaceId)
|
||||
? Workspace::query()->whereKey((int) $workspaceId)->first()
|
||||
: null;
|
||||
}
|
||||
|
||||
private function latestPublishedReview(Tenant $tenant): ?TenantReview
|
||||
{
|
||||
$review = $tenant->tenantReviews->first();
|
||||
|
||||
return $review instanceof TenantReview ? $review : null;
|
||||
}
|
||||
|
||||
private function latestReviewUrl(Tenant $tenant): ?string
|
||||
{
|
||||
$review = $this->latestPublishedReview($tenant);
|
||||
|
||||
if (! $review instanceof TenantReview) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return TenantReviewResource::tenantScopedUrl('view', ['record' => $review], $tenant, 'tenant').'?'.http_build_query([
|
||||
self::DETAIL_CONTEXT_QUERY_KEY => 1,
|
||||
]);
|
||||
}
|
||||
|
||||
private function latestReviewPack(Tenant $tenant): ?ReviewPack
|
||||
{
|
||||
$review = $this->latestPublishedReview($tenant);
|
||||
$pack = $review?->currentExportReviewPack;
|
||||
|
||||
return $pack instanceof ReviewPack ? $pack : null;
|
||||
}
|
||||
|
||||
private function latestReviewPackDownloadUrl(Tenant $tenant): ?string
|
||||
{
|
||||
$user = auth()->user();
|
||||
$pack = $this->latestReviewPack($tenant);
|
||||
|
||||
if (! $user instanceof User || ! $pack instanceof ReviewPack) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if (! $user->can(Capabilities::REVIEW_PACK_VIEW, $tenant)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if ($pack->status !== ReviewPackStatus::Ready->value) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if ($pack->expires_at !== null && $pack->expires_at->isPast()) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return app(ReviewPackService::class)->generateDownloadUrl($pack, [
|
||||
'source_surface' => self::SOURCE_SURFACE,
|
||||
]);
|
||||
}
|
||||
|
||||
private function latestPublishedAt(Tenant $tenant): ?\Illuminate\Support\Carbon
|
||||
{
|
||||
return $this->latestPublishedReview($tenant)?->published_at;
|
||||
}
|
||||
|
||||
private function reviewTruth(Tenant $tenant): ?ArtifactTruthEnvelope
|
||||
{
|
||||
$review = $this->latestPublishedReview($tenant);
|
||||
|
||||
return $review instanceof TenantReview
|
||||
? app(ArtifactTruthPresenter::class)->forTenantReview($review)
|
||||
: null;
|
||||
}
|
||||
|
||||
private function reviewOutcome(Tenant $tenant): ?CompressedGovernanceOutcome
|
||||
{
|
||||
$presenter = app(ArtifactTruthPresenter::class);
|
||||
$review = $this->latestPublishedReview($tenant);
|
||||
$truth = $this->reviewTruth($tenant);
|
||||
|
||||
if (! $review instanceof TenantReview || ! $truth instanceof ArtifactTruthEnvelope) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $presenter->compressedOutcomeFor($review, SurfaceCompressionContext::reviewRegister())
|
||||
?? $presenter->compressedOutcomeFromEnvelope($truth, SurfaceCompressionContext::reviewRegister());
|
||||
}
|
||||
|
||||
private function latestReviewStateLabel(Tenant $tenant): string
|
||||
{
|
||||
return $this->reviewOutcome($tenant)?->primaryLabel ?? 'No published review';
|
||||
}
|
||||
|
||||
private function latestReviewStateColor(Tenant $tenant): string
|
||||
{
|
||||
return $this->reviewOutcome($tenant)?->primaryBadge->color ?? 'gray';
|
||||
}
|
||||
|
||||
private function latestReviewStateIcon(Tenant $tenant): ?string
|
||||
{
|
||||
return $this->reviewOutcome($tenant)?->primaryBadge->icon;
|
||||
}
|
||||
|
||||
private function latestReviewStateIconColor(Tenant $tenant): ?string
|
||||
{
|
||||
return $this->reviewOutcome($tenant)?->primaryBadge->iconColor;
|
||||
}
|
||||
|
||||
private function reviewOutcomeDescription(Tenant $tenant): ?string
|
||||
{
|
||||
$review = $this->latestPublishedReview($tenant);
|
||||
|
||||
if (! $review instanceof TenantReview) {
|
||||
return 'No published review available yet';
|
||||
}
|
||||
|
||||
$primaryReason = $this->reviewOutcome($tenant)?->primaryReason;
|
||||
$summary = is_array($review->summary) ? $review->summary : [];
|
||||
$findingOutcomes = $summary['finding_outcomes'] ?? null;
|
||||
|
||||
if (! is_array($findingOutcomes)) {
|
||||
return $primaryReason;
|
||||
}
|
||||
|
||||
$findingOutcomeSummary = app(FindingOutcomeSemantics::class)->compactOutcomeSummary($findingOutcomes);
|
||||
|
||||
if ($findingOutcomeSummary === null) {
|
||||
return $primaryReason;
|
||||
}
|
||||
|
||||
return trim($primaryReason.' Terminal outcomes: '.$findingOutcomeSummary.'.');
|
||||
}
|
||||
|
||||
private function findingSummary(Tenant $tenant): string
|
||||
{
|
||||
$review = $this->latestPublishedReview($tenant);
|
||||
|
||||
if (! $review instanceof TenantReview) {
|
||||
return 'No published review available yet';
|
||||
}
|
||||
|
||||
$summary = is_array($review->summary) ? $review->summary : [];
|
||||
$findingCount = (int) ($summary['finding_count'] ?? 0);
|
||||
$findingOutcomes = is_array($summary['finding_outcomes'] ?? null) ? $summary['finding_outcomes'] : [];
|
||||
$terminalOutcomes = app(FindingOutcomeSemantics::class)->compactOutcomeSummary($findingOutcomes);
|
||||
|
||||
if ($findingCount === 0) {
|
||||
return 'No findings recorded in the published review.';
|
||||
}
|
||||
|
||||
if ($terminalOutcomes === null) {
|
||||
return sprintf('%d findings summarized in the published review.', $findingCount);
|
||||
}
|
||||
|
||||
return sprintf('%d findings. Terminal outcomes: %s.', $findingCount, $terminalOutcomes);
|
||||
}
|
||||
|
||||
private function acceptedRiskSummary(Tenant $tenant): string
|
||||
{
|
||||
$review = $this->latestPublishedReview($tenant);
|
||||
|
||||
if (! $review instanceof TenantReview) {
|
||||
return 'No published review available yet';
|
||||
}
|
||||
|
||||
$summary = is_array($review->summary) ? $review->summary : [];
|
||||
$riskAcceptance = is_array($summary['risk_acceptance'] ?? null) ? $summary['risk_acceptance'] : [];
|
||||
$statusMarkedCount = (int) ($riskAcceptance['status_marked_count'] ?? 0);
|
||||
$validGovernedCount = (int) ($riskAcceptance['valid_governed_count'] ?? 0);
|
||||
$warningCount = (int) ($riskAcceptance['warning_count'] ?? 0);
|
||||
|
||||
return match (true) {
|
||||
$statusMarkedCount === 0 => 'No accepted risks recorded.',
|
||||
$warningCount > 0 => sprintf('%d accepted risks need governance follow-up (%d total).', $warningCount, $statusMarkedCount),
|
||||
$validGovernedCount > 0 => sprintf('%d accepted risks are governed.', $validGovernedCount),
|
||||
default => sprintf('%d accepted risks are on record.', $statusMarkedCount),
|
||||
};
|
||||
}
|
||||
|
||||
private function reviewPackAvailability(Tenant $tenant): string
|
||||
{
|
||||
$pack = $this->latestReviewPack($tenant);
|
||||
|
||||
if (! $pack instanceof ReviewPack) {
|
||||
return 'Unavailable';
|
||||
}
|
||||
|
||||
if ($pack->status !== ReviewPackStatus::Ready->value) {
|
||||
return 'Unavailable';
|
||||
}
|
||||
|
||||
if ($pack->expires_at !== null && $pack->expires_at->isPast()) {
|
||||
return 'Unavailable';
|
||||
}
|
||||
|
||||
return 'Available';
|
||||
}
|
||||
}
|
||||
@ -9,7 +9,6 @@
|
||||
use App\Models\TenantReview;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Services\ReviewPackService;
|
||||
use App\Services\TenantReviews\TenantReviewRegisterService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Badges\BadgeCatalog;
|
||||
@ -177,10 +176,6 @@ public function table(Table $table): Table
|
||||
->visible(fn (TenantReview $record): bool => auth()->user() instanceof User
|
||||
&& auth()->user()->can(Capabilities::TENANT_REVIEW_MANAGE, $record->tenant)
|
||||
&& in_array($record->status, ['ready', 'published'], true))
|
||||
->disabled(fn (TenantReview $record): bool => (bool) (app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($record->tenant)['is_blocked'] ?? false))
|
||||
->tooltip(fn (TenantReview $record): ?string => (bool) (app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($record->tenant)['is_blocked'] ?? false)
|
||||
? (string) (app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($record->tenant)['block_reason'] ?? '')
|
||||
: null)
|
||||
->action(fn (TenantReview $record): mixed => TenantReviewResource::executeExport($record)),
|
||||
])
|
||||
->bulkActions([])
|
||||
|
||||
@ -7,11 +7,7 @@
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Models\WorkspaceSetting;
|
||||
use App\Support\Ai\AiPolicyMode;
|
||||
use App\Support\Ai\AiUseCaseCatalog;
|
||||
use App\Services\Auth\WorkspaceCapabilityResolver;
|
||||
use App\Services\Entitlements\WorkspaceEntitlementResolver;
|
||||
use App\Services\Entitlements\WorkspacePlanProfileCatalog;
|
||||
use App\Services\Settings\SettingsResolver;
|
||||
use App\Services\Settings\SettingsWriter;
|
||||
use App\Support\Auth\Capabilities;
|
||||
@ -24,9 +20,7 @@
|
||||
use BackedEnum;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Forms\Components\KeyValue;
|
||||
use Filament\Forms\Components\Placeholder;
|
||||
use Filament\Forms\Components\Select;
|
||||
use Filament\Forms\Components\Textarea;
|
||||
use Filament\Forms\Components\TextInput;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Pages\Page;
|
||||
@ -57,7 +51,6 @@ class WorkspaceSettings extends Page
|
||||
* @var array<string, array{domain: string, key: string, type: 'int'|'json'|'string'|'bool'}>
|
||||
*/
|
||||
private const SETTING_FIELDS = [
|
||||
'ai_policy_mode' => ['domain' => 'ai', 'key' => 'policy_mode', 'type' => 'string'],
|
||||
'backup_retention_keep_last_default' => ['domain' => 'backup', 'key' => 'retention_keep_last_default', 'type' => 'int'],
|
||||
'backup_retention_min_floor' => ['domain' => 'backup', 'key' => 'retention_min_floor', 'type' => 'int'],
|
||||
'drift_severity_mapping' => ['domain' => 'drift', 'key' => 'severity_mapping', 'type' => 'json'],
|
||||
@ -65,23 +58,10 @@ class WorkspaceSettings extends Page
|
||||
'baseline_alert_min_severity' => ['domain' => 'baseline', 'key' => 'alert_min_severity', 'type' => 'string'],
|
||||
'baseline_auto_close_enabled' => ['domain' => 'baseline', 'key' => 'auto_close_enabled', 'type' => 'bool'],
|
||||
'findings_sla_days' => ['domain' => 'findings', 'key' => 'sla_days', 'type' => 'json'],
|
||||
'entitlements_plan_profile' => ['domain' => 'entitlements', 'key' => 'plan_profile', 'type' => 'string'],
|
||||
'entitlements_managed_tenant_limit_override_value' => ['domain' => 'entitlements', 'key' => 'managed_tenant_limit_override_value', 'type' => 'int'],
|
||||
'entitlements_managed_tenant_limit_override_reason' => ['domain' => 'entitlements', 'key' => 'managed_tenant_limit_override_reason', 'type' => 'string'],
|
||||
'entitlements_review_pack_generation_override_value' => ['domain' => 'entitlements', 'key' => 'review_pack_generation_override_value', 'type' => 'bool'],
|
||||
'entitlements_review_pack_generation_override_reason' => ['domain' => 'entitlements', 'key' => 'review_pack_generation_override_reason', 'type' => 'string'],
|
||||
'operations_operation_run_retention_days' => ['domain' => 'operations', 'key' => 'operation_run_retention_days', 'type' => 'int'],
|
||||
'operations_stuck_run_threshold_minutes' => ['domain' => 'operations', 'key' => 'stuck_run_threshold_minutes', 'type' => 'int'],
|
||||
];
|
||||
|
||||
/**
|
||||
* @var array<string, string>
|
||||
*/
|
||||
private const ENTITLEMENT_OVERRIDE_REASON_FIELDS = [
|
||||
'entitlements_managed_tenant_limit_override_value' => 'entitlements_managed_tenant_limit_override_reason',
|
||||
'entitlements_review_pack_generation_override_value' => 'entitlements_review_pack_generation_override_reason',
|
||||
];
|
||||
|
||||
/**
|
||||
* Fields rendered as Filament KeyValue components (array state, not JSON string).
|
||||
*
|
||||
@ -131,14 +111,6 @@ class WorkspaceSettings extends Page
|
||||
*/
|
||||
public array $resolvedSettings = [];
|
||||
|
||||
/**
|
||||
* @var array{
|
||||
* plan_profile?: array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool},
|
||||
* decisions?: array<string, array<string, mixed>>
|
||||
* }
|
||||
*/
|
||||
public array $entitlementSummary = [];
|
||||
|
||||
/**
|
||||
* Per-domain "last modified" metadata: domain => {user_name, updated_at}.
|
||||
*
|
||||
@ -208,71 +180,6 @@ public function content(Schema $schema): Schema
|
||||
return $schema
|
||||
->statePath('data')
|
||||
->schema([
|
||||
Section::make('Workspace entitlements')
|
||||
->description($this->sectionDescription('entitlements', 'Select a plan profile and optional first-slice overrides for onboarding activation and review pack generation.'))
|
||||
->columns(2)
|
||||
->schema([
|
||||
Select::make('entitlements_plan_profile')
|
||||
->label('Plan profile')
|
||||
->options(app(WorkspacePlanProfileCatalog::class)->optionLabels())
|
||||
->placeholder(sprintf('Use default profile (%s)', app(WorkspacePlanProfileCatalog::class)->default()['label']))
|
||||
->native(false)
|
||||
->columnSpanFull()
|
||||
->disabled(fn (): bool => ! $this->currentUserCanManage())
|
||||
->helperText(fn (): string => $this->planProfileFieldHelperText()),
|
||||
TextInput::make('entitlements_managed_tenant_limit_override_value')
|
||||
->label('Managed tenant activation limit override')
|
||||
->placeholder('Unset (uses plan profile default)')
|
||||
->suffix('tenants')
|
||||
->hint('0 or greater')
|
||||
->numeric()
|
||||
->integer()
|
||||
->minValue(0)
|
||||
->disabled(fn (): bool => ! $this->currentUserCanManage())
|
||||
->helperText(fn (): string => $this->managedTenantLimitHelperText())
|
||||
->hintAction($this->makeResetAction('entitlements_managed_tenant_limit_override_value')),
|
||||
Textarea::make('entitlements_managed_tenant_limit_override_reason')
|
||||
->label('Managed tenant activation override reason')
|
||||
->rows(3)
|
||||
->maxLength(500)
|
||||
->disabled(fn (): bool => ! $this->currentUserCanManage())
|
||||
->helperText(fn (): string => $this->managedTenantLimitReasonHelperText()),
|
||||
Select::make('entitlements_review_pack_generation_override_value')
|
||||
->label('Review pack generation override')
|
||||
->options(self::booleanOptions())
|
||||
->placeholder('Unset (uses plan profile default)')
|
||||
->native(false)
|
||||
->disabled(fn (): bool => ! $this->currentUserCanManage())
|
||||
->helperText(fn (): string => $this->reviewPackGenerationHelperText())
|
||||
->hintAction($this->makeResetAction('entitlements_review_pack_generation_override_value')),
|
||||
Textarea::make('entitlements_review_pack_generation_override_reason')
|
||||
->label('Review pack generation override reason')
|
||||
->rows(3)
|
||||
->maxLength(500)
|
||||
->disabled(fn (): bool => ! $this->currentUserCanManage())
|
||||
->helperText(fn (): string => $this->reviewPackGenerationReasonHelperText()),
|
||||
]),
|
||||
Section::make('Workspace AI policy')
|
||||
->description($this->sectionDescription('ai', 'Control whether the workspace disables AI entirely or allows approved internal-only drafts on private-only infrastructure.'))
|
||||
->schema([
|
||||
Select::make('ai_policy_mode')
|
||||
->label('AI posture')
|
||||
->options(AiPolicyMode::optionLabels())
|
||||
->placeholder('Unset (uses default)')
|
||||
->native(false)
|
||||
->disabled(fn (): bool => ! $this->currentUserCanManage())
|
||||
->helperText(fn (): string => $this->aiPolicyModeHelperText())
|
||||
->hintAction($this->makeResetAction('ai_policy_mode')),
|
||||
Placeholder::make('ai_approved_use_cases')
|
||||
->label('Approved use cases')
|
||||
->content(fn (): string => $this->aiApprovedUseCasesText()),
|
||||
Placeholder::make('ai_allowed_provider_classes')
|
||||
->label('Allowed provider classes')
|
||||
->content(fn (): string => $this->aiAllowedProviderClassesText()),
|
||||
Placeholder::make('ai_blocked_data_classifications')
|
||||
->label('Blocked data classifications')
|
||||
->content(fn (): string => $this->aiBlockedDataClassificationsText()),
|
||||
]),
|
||||
Section::make('Backup settings')
|
||||
->description($this->sectionDescription('backup', 'Workspace defaults used when a schedule has no explicit value.'))
|
||||
->schema([
|
||||
@ -548,56 +455,6 @@ public function resetSetting(string $field): void
|
||||
->send();
|
||||
}
|
||||
|
||||
private function resetEntitlementOverridePair(string $field): void
|
||||
{
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
$this->authorizeWorkspaceManage($user);
|
||||
|
||||
if (! $this->hasEntitlementOverridePair($field)) {
|
||||
Notification::make()
|
||||
->title('Entitlement already uses plan profile default')
|
||||
->success()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$writer = app(SettingsWriter::class);
|
||||
$valueSetting = $this->settingForField($field);
|
||||
$reasonField = self::ENTITLEMENT_OVERRIDE_REASON_FIELDS[$field];
|
||||
$reasonSetting = $this->settingForField($reasonField);
|
||||
|
||||
if ($this->workspaceOverrideForField($field) !== null) {
|
||||
$writer->resetWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $this->workspace,
|
||||
domain: $valueSetting['domain'],
|
||||
key: $valueSetting['key'],
|
||||
);
|
||||
}
|
||||
|
||||
if ($this->workspaceOverrideForField($reasonField) !== null) {
|
||||
$writer->resetWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $this->workspace,
|
||||
domain: $reasonSetting['domain'],
|
||||
key: $reasonSetting['key'],
|
||||
);
|
||||
}
|
||||
|
||||
$this->loadFormState();
|
||||
|
||||
Notification::make()
|
||||
->title('Workspace entitlement override reset')
|
||||
->success()
|
||||
->send();
|
||||
}
|
||||
|
||||
private function loadFormState(): void
|
||||
{
|
||||
$resolver = app(SettingsResolver::class);
|
||||
@ -633,7 +490,6 @@ private function loadFormState(): void
|
||||
$this->data = $data;
|
||||
$this->workspaceOverrides = $workspaceOverrides;
|
||||
$this->resolvedSettings = $resolvedSettings;
|
||||
$this->entitlementSummary = app(WorkspaceEntitlementResolver::class)->summary($this->workspace);
|
||||
|
||||
$this->loadDomainLastModified();
|
||||
}
|
||||
@ -707,25 +563,15 @@ private function makeResetAction(string $field): Action
|
||||
->color('danger')
|
||||
->requiresConfirmation()
|
||||
->action(function () use ($field): void {
|
||||
if ($this->isEntitlementOverrideValueField($field)) {
|
||||
$this->resetEntitlementOverridePair($field);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$this->resetSetting($field);
|
||||
})
|
||||
->disabled(fn (): bool => ! $this->currentUserCanManage() || ! $this->canResetField($field))
|
||||
->disabled(fn (): bool => ! $this->currentUserCanManage() || ! $this->hasWorkspaceOverride($field))
|
||||
->tooltip(function () use ($field): ?string {
|
||||
if (! $this->currentUserCanManage()) {
|
||||
return 'You do not have permission to manage workspace settings.';
|
||||
}
|
||||
|
||||
if (! $this->canResetField($field)) {
|
||||
if ($this->isEntitlementOverrideValueField($field)) {
|
||||
return 'No workspace override to reset.';
|
||||
}
|
||||
|
||||
if (! $this->hasWorkspaceOverride($field)) {
|
||||
return 'No workspace override to reset.';
|
||||
}
|
||||
|
||||
@ -733,200 +579,6 @@ private function makeResetAction(string $field): Action
|
||||
});
|
||||
}
|
||||
|
||||
private function canResetField(string $field): bool
|
||||
{
|
||||
if ($this->isEntitlementOverrideValueField($field)) {
|
||||
return $this->hasEntitlementOverridePair($field);
|
||||
}
|
||||
|
||||
return $this->hasWorkspaceOverride($field);
|
||||
}
|
||||
|
||||
private function isEntitlementOverrideValueField(string $field): bool
|
||||
{
|
||||
return array_key_exists($field, self::ENTITLEMENT_OVERRIDE_REASON_FIELDS);
|
||||
}
|
||||
|
||||
private function hasEntitlementOverridePair(string $field): bool
|
||||
{
|
||||
if (! $this->isEntitlementOverrideValueField($field)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$reasonField = self::ENTITLEMENT_OVERRIDE_REASON_FIELDS[$field];
|
||||
|
||||
return $this->workspaceOverrideForField($field) !== null
|
||||
|| $this->workspaceOverrideForField($reasonField) !== null;
|
||||
}
|
||||
|
||||
private function planProfileFieldHelperText(): string
|
||||
{
|
||||
$profile = $this->resolvedPlanProfile();
|
||||
$selectedProfile = $this->workspaceOverrideForField('entitlements_plan_profile');
|
||||
|
||||
if (! is_string($selectedProfile) || $selectedProfile === '') {
|
||||
return sprintf('Default profile: %s. %s', $profile['label'], $profile['description']);
|
||||
}
|
||||
|
||||
return sprintf('Effective profile: %s. %s', $profile['label'], $profile['description']);
|
||||
}
|
||||
|
||||
private function managedTenantLimitHelperText(): string
|
||||
{
|
||||
$decision = $this->entitlementDecision(WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT);
|
||||
$effectiveValue = (int) ($decision['effective_value'] ?? 0);
|
||||
$currentUsage = (int) ($decision['current_usage'] ?? 0);
|
||||
$remainingCapacity = (int) ($decision['remaining_capacity'] ?? 0);
|
||||
|
||||
$capacityText = $remainingCapacity < 0
|
||||
? sprintf('Over limit by %d.', abs($remainingCapacity))
|
||||
: sprintf('%d remaining.', $remainingCapacity);
|
||||
|
||||
return sprintf(
|
||||
'Effective limit: %d active managed tenants. Current usage: %d. %s Source: %s.',
|
||||
$effectiveValue,
|
||||
$currentUsage,
|
||||
$capacityText,
|
||||
$this->entitlementSourceLabel($decision),
|
||||
);
|
||||
}
|
||||
|
||||
private function managedTenantLimitReasonHelperText(): string
|
||||
{
|
||||
return $this->entitlementReasonHelperText(
|
||||
valueField: 'entitlements_managed_tenant_limit_override_value',
|
||||
key: WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT,
|
||||
);
|
||||
}
|
||||
|
||||
private function reviewPackGenerationHelperText(): string
|
||||
{
|
||||
$decision = $this->entitlementDecision(WorkspaceEntitlementResolver::KEY_REVIEW_PACK_GENERATION_ENABLED);
|
||||
|
||||
return sprintf(
|
||||
'Effective state: %s. Source: %s.',
|
||||
(bool) ($decision['effective_value'] ?? false) ? 'enabled' : 'disabled',
|
||||
$this->entitlementSourceLabel($decision),
|
||||
);
|
||||
}
|
||||
|
||||
private function reviewPackGenerationReasonHelperText(): string
|
||||
{
|
||||
return $this->entitlementReasonHelperText(
|
||||
valueField: 'entitlements_review_pack_generation_override_value',
|
||||
key: WorkspaceEntitlementResolver::KEY_REVIEW_PACK_GENERATION_ENABLED,
|
||||
);
|
||||
}
|
||||
|
||||
private function aiPolicyModeHelperText(): string
|
||||
{
|
||||
$resolved = $this->resolvedSettings['ai_policy_mode'] ?? null;
|
||||
|
||||
if (! is_array($resolved)) {
|
||||
return '';
|
||||
}
|
||||
|
||||
$mode = AiPolicyMode::tryFrom((string) ($resolved['value'] ?? AiPolicyMode::Disabled->value))
|
||||
?? AiPolicyMode::Disabled;
|
||||
|
||||
$prefix = ! $this->hasWorkspaceOverride('ai_policy_mode')
|
||||
? sprintf('Effective posture: %s. Source: %s.', $mode->label(), $this->sourceLabel((string) ($resolved['source'] ?? 'system_default')))
|
||||
: sprintf('Effective posture: %s.', $mode->label());
|
||||
|
||||
return sprintf('%s %s', $prefix, $mode->summary());
|
||||
}
|
||||
|
||||
private function aiApprovedUseCasesText(): string
|
||||
{
|
||||
return implode('; ', app(AiUseCaseCatalog::class)->labels()).'.';
|
||||
}
|
||||
|
||||
private function aiAllowedProviderClassesText(): string
|
||||
{
|
||||
$labels = app(AiUseCaseCatalog::class)->allowedProviderClassLabelsForMode($this->effectiveAiPolicyMode());
|
||||
|
||||
if ($labels === []) {
|
||||
return 'No provider classes are allowed while AI is disabled.';
|
||||
}
|
||||
|
||||
return implode(', ', $labels).'.';
|
||||
}
|
||||
|
||||
private function aiBlockedDataClassificationsText(): string
|
||||
{
|
||||
return implode(', ', app(AiUseCaseCatalog::class)->blockedDataClassificationLabels()).'.';
|
||||
}
|
||||
|
||||
private function effectiveAiPolicyMode(): AiPolicyMode
|
||||
{
|
||||
$resolved = $this->resolvedSettings['ai_policy_mode'] ?? null;
|
||||
|
||||
if (! is_array($resolved)) {
|
||||
return AiPolicyMode::Disabled;
|
||||
}
|
||||
|
||||
return AiPolicyMode::tryFrom((string) ($resolved['value'] ?? AiPolicyMode::Disabled->value))
|
||||
?? AiPolicyMode::Disabled;
|
||||
}
|
||||
|
||||
private function entitlementReasonHelperText(string $valueField, string $key): string
|
||||
{
|
||||
$decision = $this->entitlementDecision($key);
|
||||
$rationale = is_string($decision['rationale'] ?? null) ? $decision['rationale'] : null;
|
||||
|
||||
if ($this->workspaceOverrideForField($valueField) === null) {
|
||||
return 'Required when an explicit override value is set.';
|
||||
}
|
||||
|
||||
if ($rationale === null || $rationale === '') {
|
||||
return 'Required when an explicit override value is set.';
|
||||
}
|
||||
|
||||
return sprintf('Current rationale: %s', $rationale);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}
|
||||
*/
|
||||
private function resolvedPlanProfile(): array
|
||||
{
|
||||
$profile = $this->entitlementSummary['plan_profile'] ?? null;
|
||||
|
||||
if (is_array($profile)) {
|
||||
return $profile;
|
||||
}
|
||||
|
||||
return app(WorkspacePlanProfileCatalog::class)->default();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
private function entitlementDecision(string $key): array
|
||||
{
|
||||
$decision = $this->entitlementSummary['decisions'][$key] ?? null;
|
||||
|
||||
return is_array($decision) ? $decision : [];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $decision
|
||||
*/
|
||||
private function entitlementSourceLabel(array $decision): string
|
||||
{
|
||||
if (($decision['source'] ?? null) === 'workspace_override') {
|
||||
return 'workspace override';
|
||||
}
|
||||
|
||||
$planProfileLabel = $decision['plan_profile_label'] ?? null;
|
||||
|
||||
if (is_string($planProfileLabel) && $planProfileLabel !== '') {
|
||||
return sprintf('%s plan profile', $planProfileLabel);
|
||||
}
|
||||
|
||||
return 'plan profile default';
|
||||
}
|
||||
|
||||
private function helperTextFor(string $field): string
|
||||
{
|
||||
$resolved = $this->resolvedSettings[$field] ?? null;
|
||||
@ -1069,27 +721,6 @@ private function normalizedInputValues(): array
|
||||
}
|
||||
}
|
||||
|
||||
foreach (self::ENTITLEMENT_OVERRIDE_REASON_FIELDS as $valueField => $reasonField) {
|
||||
if (($normalizedValues[$valueField] ?? null) === null) {
|
||||
$normalizedValues[$reasonField] = null;
|
||||
|
||||
continue;
|
||||
}
|
||||
|
||||
if (($normalizedValues[$reasonField] ?? null) !== null) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$message = match ($valueField) {
|
||||
'entitlements_managed_tenant_limit_override_value' => 'Override reason is required when a managed tenant activation limit override is set.',
|
||||
'entitlements_review_pack_generation_override_value' => 'Override reason is required when a review pack generation override is set.',
|
||||
default => 'Override reason is required when an explicit override is set.',
|
||||
};
|
||||
|
||||
$validationErrors['data.'.$reasonField] ??= [];
|
||||
$validationErrors['data.'.$reasonField][] = $message;
|
||||
}
|
||||
|
||||
return [$normalizedValues, $validationErrors];
|
||||
}
|
||||
|
||||
|
||||
@ -11,7 +11,6 @@
|
||||
use App\Filament\Widgets\Dashboard\RecentDriftFindings;
|
||||
use App\Filament\Widgets\Dashboard\RecentOperations;
|
||||
use App\Filament\Widgets\Dashboard\RecoveryReadiness;
|
||||
use App\Models\SupportRequest;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Services\Audit\WorkspaceAuditLogger;
|
||||
@ -21,14 +20,8 @@
|
||||
use App\Support\ProductTelemetry\ProductUsageEventCatalog;
|
||||
use App\Support\Rbac\UiEnforcement;
|
||||
use App\Support\SupportDiagnostics\SupportDiagnosticBundleBuilder;
|
||||
use App\Support\SupportRequests\SupportRequestSubmissionService;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Facades\Filament;
|
||||
use Filament\Forms\Components\Placeholder;
|
||||
use Filament\Forms\Components\Select;
|
||||
use Filament\Forms\Components\TextInput;
|
||||
use Filament\Forms\Components\Textarea;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Pages\Dashboard;
|
||||
use Filament\Widgets\Widget;
|
||||
use Filament\Widgets\WidgetConfiguration;
|
||||
@ -77,72 +70,10 @@ public function getColumns(): int|array
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
$this->requestSupportAction(),
|
||||
$this->openSupportDiagnosticsAction(),
|
||||
];
|
||||
}
|
||||
|
||||
public function authorizeTenantSupportRequest(): void
|
||||
{
|
||||
$this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_REQUESTS_CREATE);
|
||||
}
|
||||
|
||||
private function requestSupportAction(): Action
|
||||
{
|
||||
$action = Action::make('requestSupport')
|
||||
->label('Request support')
|
||||
->icon('heroicon-o-paper-airplane')
|
||||
->color('gray')
|
||||
->slideOver()
|
||||
->stickyModalHeader()
|
||||
->modalHeading('Request support')
|
||||
->modalDescription('Share a concise summary and TenantAtlas will attach redacted context from existing records.')
|
||||
->modalSubmitActionLabel('Submit request')
|
||||
->form([
|
||||
Placeholder::make('included_context')
|
||||
->label('Included context')
|
||||
->content(fn (): string => $this->tenantSupportRequestAttachmentSummary())
|
||||
->columnSpanFull(),
|
||||
Select::make('severity')
|
||||
->label('Severity')
|
||||
->options(SupportRequest::severityOptions())
|
||||
->default(SupportRequest::SEVERITY_NORMAL)
|
||||
->required()
|
||||
->native(false),
|
||||
TextInput::make('summary')
|
||||
->label('Summary')
|
||||
->required()
|
||||
->columnSpanFull(),
|
||||
Textarea::make('reproduction_notes')
|
||||
->label('Reproduction notes')
|
||||
->rows(4)
|
||||
->columnSpanFull(),
|
||||
TextInput::make('contact_name')
|
||||
->label('Contact name')
|
||||
->default(fn (): ?string => $this->resolveDashboardActor()->name),
|
||||
TextInput::make('contact_email')
|
||||
->label('Contact email')
|
||||
->email()
|
||||
->default(fn (): ?string => $this->resolveDashboardActor()->email),
|
||||
])
|
||||
->action(function (array $data): void {
|
||||
$actor = $this->resolveDashboardActor();
|
||||
$tenant = $this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_REQUESTS_CREATE);
|
||||
|
||||
$supportRequest = app(SupportRequestSubmissionService::class)->submitForTenant($tenant, $actor, $data);
|
||||
|
||||
Notification::make()
|
||||
->title('Support request submitted')
|
||||
->body('Reference '.$supportRequest->internal_reference)
|
||||
->success()
|
||||
->send();
|
||||
});
|
||||
|
||||
return UiEnforcement::forAction($action)
|
||||
->requireCapability(Capabilities::SUPPORT_REQUESTS_CREATE)
|
||||
->apply();
|
||||
}
|
||||
|
||||
private function openSupportDiagnosticsAction(): Action
|
||||
{
|
||||
$action = Action::make('openSupportDiagnostics')
|
||||
@ -173,16 +104,34 @@ private function openSupportDiagnosticsAction(): Action
|
||||
*/
|
||||
public function tenantSupportDiagnosticBundle(): array
|
||||
{
|
||||
$user = $this->resolveDashboardActor();
|
||||
$tenant = $this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
|
||||
$user = auth()->user();
|
||||
$tenant = Filament::getTenant();
|
||||
|
||||
if (! $user instanceof User || ! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$resolver = app(CapabilityResolver::class);
|
||||
|
||||
if (! $resolver->isMember($user, $tenant)) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if (! $resolver->can($user, $tenant, Capabilities::SUPPORT_DIAGNOSTICS_VIEW)) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
return app(SupportDiagnosticBundleBuilder::class)->forTenant($tenant, $user);
|
||||
}
|
||||
|
||||
private function auditTenantSupportDiagnosticsOpen(): void
|
||||
{
|
||||
$user = $this->resolveDashboardActor();
|
||||
$tenant = $this->resolveCurrentTenantForCapability(Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
|
||||
$user = auth()->user();
|
||||
$tenant = Filament::getTenant();
|
||||
|
||||
if (! $user instanceof User || ! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$this->recordSupportDiagnosticsOpened(
|
||||
tenant: $tenant,
|
||||
@ -223,57 +172,4 @@ private function recordSupportDiagnosticsOpened(Tenant $tenant, array $bundle, U
|
||||
|
||||
$this->supportDiagnosticsAuditKeys[] = $auditKey;
|
||||
}
|
||||
|
||||
private function resolveDashboardActor(): User
|
||||
{
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
return $user;
|
||||
}
|
||||
|
||||
private function resolveCurrentTenantForCapability(string $capability): Tenant
|
||||
{
|
||||
$user = $this->resolveDashboardActor();
|
||||
$tenant = Filament::getTenant();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$resolver = app(CapabilityResolver::class);
|
||||
|
||||
if (! $resolver->isMember($user, $tenant)) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if (! $resolver->can($user, $tenant, $capability)) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
return $tenant;
|
||||
}
|
||||
|
||||
private function tenantSupportRequestAttachmentSummary(): string
|
||||
{
|
||||
$tenant = Filament::getTenant();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
return 'Only canonical redacted tenant context will be attached.';
|
||||
}
|
||||
|
||||
$resolver = app(CapabilityResolver::class);
|
||||
|
||||
if (! $resolver->isMember($user, $tenant)) {
|
||||
return 'Only canonical redacted tenant context will be attached.';
|
||||
}
|
||||
|
||||
return $resolver->can($user, $tenant, Capabilities::SUPPORT_DIAGNOSTICS_VIEW)
|
||||
? 'A redacted diagnostic snapshot and the canonical tenant context will be attached.'
|
||||
: 'Only the canonical redacted tenant context will be attached because you cannot view support diagnostics.';
|
||||
}
|
||||
}
|
||||
|
||||
@ -4,7 +4,6 @@
|
||||
|
||||
namespace App\Filament\Pages\Workspaces;
|
||||
|
||||
use BackedEnum;
|
||||
use App\Exceptions\Onboarding\OnboardingDraftConflictException;
|
||||
use App\Exceptions\Onboarding\OnboardingDraftImmutableException;
|
||||
use App\Filament\Pages\TenantDashboard;
|
||||
@ -30,7 +29,6 @@
|
||||
use App\Services\Onboarding\OnboardingDraftResolver;
|
||||
use App\Services\Onboarding\OnboardingDraftStageResolver;
|
||||
use App\Services\Onboarding\OnboardingLifecycleService;
|
||||
use App\Services\Entitlements\WorkspaceEntitlementResolver;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Services\Providers\ProviderConnectionMutationService;
|
||||
use App\Services\Providers\ProviderOperationRegistry;
|
||||
@ -53,7 +51,6 @@
|
||||
use App\Support\OpsUx\OperationUxPresenter;
|
||||
use App\Support\OpsUx\ProviderOperationStartResultPresenter;
|
||||
use App\Support\OpsUx\OpsUxBrowserEvents;
|
||||
use App\Support\ProductKnowledge\ContextualHelpResolver;
|
||||
use App\Support\Providers\ProviderConnectionType;
|
||||
use App\Support\Providers\ProviderConsentStatus;
|
||||
use App\Support\Providers\ProviderReasonCodes;
|
||||
@ -663,16 +660,7 @@ public function content(Schema $schema): Schema
|
||||
Text::make(fn (): string => $this->completionSummaryBootstrapSummary())
|
||||
->badge()
|
||||
->color(fn (): string => $this->completionSummaryBootstrapColor()),
|
||||
Text::make('Activation entitlement')
|
||||
->color('gray'),
|
||||
Text::make(fn (): string => $this->completionSummaryEntitlementSummary())
|
||||
->badge()
|
||||
->color(fn (): string => $this->completionSummaryEntitlementColor()),
|
||||
]),
|
||||
Callout::make('Activation entitlement')
|
||||
->description(fn (): string => $this->completionSummaryEntitlementDetail())
|
||||
->warning()
|
||||
->visible(fn (): bool => $this->completionSummaryEntitlementBlocked()),
|
||||
Callout::make('Bootstrap needs attention')
|
||||
->description(fn (): string => $this->completionSummaryBootstrapRecoveryMessage())
|
||||
->warning()
|
||||
@ -710,7 +698,9 @@ public function content(Schema $schema): Schema
|
||||
->modalSubmitActionLabel('Yes, complete onboarding')
|
||||
->disabled(fn (): bool => ! $this->canCompleteOnboarding()
|
||||
|| ! $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_ACTIVATE))
|
||||
->tooltip(fn (): ?string => $this->completionActionTooltip())
|
||||
->tooltip(fn (): ?string => $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_ACTIVATE)
|
||||
? null
|
||||
: 'Owner required to complete onboarding.')
|
||||
->action(fn () => $this->completeOnboarding()),
|
||||
]),
|
||||
]),
|
||||
@ -1004,7 +994,6 @@ private function routeBoundReadinessSchema(): array
|
||||
}
|
||||
|
||||
$payload = $this->onboardingReadinessPayload($draft);
|
||||
$primaryNextAction = $this->readinessPrimaryNextActionComponent($payload, 'route_bound_readiness');
|
||||
|
||||
$schema = [
|
||||
Section::make('Onboarding readiness')
|
||||
@ -1012,7 +1001,7 @@ private function routeBoundReadinessSchema(): array
|
||||
->compact()
|
||||
->columns(2)
|
||||
->schema([
|
||||
Text::make('Step')
|
||||
Text::make('Current checkpoint')
|
||||
->color('gray'),
|
||||
Text::make($payload['checkpoint']['current_checkpoint_label'] ?? '—')
|
||||
->badge()
|
||||
@ -1032,7 +1021,9 @@ private function routeBoundReadinessSchema(): array
|
||||
Text::make($payload['freshness']['note']),
|
||||
Text::make('Primary next action')
|
||||
->color('gray'),
|
||||
$primaryNextAction,
|
||||
Text::make($payload['next_action']['label'])
|
||||
->badge()
|
||||
->color($this->readinessNextActionColor($payload['next_action']['kind'])),
|
||||
]),
|
||||
];
|
||||
|
||||
@ -1073,14 +1064,8 @@ private function draftCompactReadinessSchema(TenantOnboardingSession $draft): ar
|
||||
private function readinessSupportingEvidenceSchema(array $payload, string $keyPrefix): array
|
||||
{
|
||||
$links = is_array($payload['supporting_links'] ?? null) ? $payload['supporting_links'] : [];
|
||||
$assist = is_array($payload['verification_assist'] ?? null) ? $payload['verification_assist'] : [];
|
||||
$showAssist = (bool) ($assist['is_visible'] ?? false);
|
||||
$permissions = is_array($payload['permissions'] ?? null) ? $payload['permissions'] : [];
|
||||
$requiredPermissionsUrl = is_string($permissions['required_permissions_url'] ?? null)
|
||||
? $permissions['required_permissions_url']
|
||||
: null;
|
||||
|
||||
if ($links === [] && ! ($showAssist && $requiredPermissionsUrl !== null && $requiredPermissionsUrl !== '')) {
|
||||
if ($links === []) {
|
||||
return [];
|
||||
}
|
||||
|
||||
@ -1104,20 +1089,13 @@ private function readinessSupportingEvidenceSchema(array $payload, string $keyPr
|
||||
->url($url);
|
||||
}
|
||||
|
||||
if ($showAssist && $requiredPermissionsUrl !== null && $requiredPermissionsUrl !== '') {
|
||||
$actions[] = Action::make($keyPrefix.'_required_permissions_assist')
|
||||
->label('View required permissions')
|
||||
->color('gray')
|
||||
->url($requiredPermissionsUrl);
|
||||
}
|
||||
|
||||
if ($actions === []) {
|
||||
return [];
|
||||
}
|
||||
|
||||
return [
|
||||
Section::make('Supporting evidence')
|
||||
->description('Open canonical operation detail or secondary permission evidence when deeper diagnostics are needed.')
|
||||
->description('Open canonical operation detail when deeper diagnostics are needed.')
|
||||
->compact()
|
||||
->schema([
|
||||
SchemaActions::make($actions)->key($keyPrefix.'_supporting_evidence_actions'),
|
||||
@ -1137,16 +1115,14 @@ private function readinessPermissionDiagnosticsSchema(array $payload, string $ke
|
||||
return [];
|
||||
}
|
||||
|
||||
if ((bool) ($payload['verification']['has_report'] ?? false)) {
|
||||
return [];
|
||||
}
|
||||
|
||||
$counts = is_array($permissions['counts'] ?? null) ? $permissions['counts'] : [];
|
||||
$missingApplication = (int) ($counts['missing_application'] ?? 0);
|
||||
$missingDelegated = (int) ($counts['missing_delegated'] ?? 0);
|
||||
$errors = (int) ($counts['error'] ?? 0);
|
||||
$assist = is_array($payload['verification_assist'] ?? null) ? $payload['verification_assist'] : [];
|
||||
$isVisible = (bool) ($assist['is_visible'] ?? false);
|
||||
|
||||
if ($missingApplication + $missingDelegated + $errors === 0) {
|
||||
if ($missingApplication + $missingDelegated + $errors === 0 && ! $isVisible) {
|
||||
return [];
|
||||
}
|
||||
|
||||
@ -1201,7 +1177,7 @@ private function readinessPermissionDiagnosticsSchema(array $payload, string $ke
|
||||
* draft: array{id: int, tenant_name: string, stage_label: string, draft_status_label: string, started_by: string, updated_by: string, last_updated_human: string},
|
||||
* checkpoint: array{current_checkpoint: string|null, current_checkpoint_label: string|null, last_completed_checkpoint: string|null, lifecycle_state: string, lifecycle_label: string},
|
||||
* provider_summary: array<string, mixed>|null,
|
||||
* verification: array{status: string, status_label: string, run_id: int|null, run_url: string|null, is_active: bool, has_report: bool, matches_selected_connection: bool|null, overall: string|null},
|
||||
* verification: array{status: string, status_label: string, run_id: int|null, run_url: string|null, is_active: bool, matches_selected_connection: bool|null, overall: string|null},
|
||||
* verification_assist: array{is_visible: bool, reason: string},
|
||||
* permissions: array{overall: string|null, counts: array<string, int>, freshness: array{last_refreshed_at: string|null, is_stale: bool}, missing_permissions: array{application: list<string>, delegated: list<string>}, required_permissions_url: string|null}|null,
|
||||
* freshness: array{connection_recently_updated: bool, verification_mismatch: bool, permission_last_refreshed_at: string|null, permission_data_is_stale: bool, note: string},
|
||||
@ -1242,9 +1218,6 @@ private function onboardingReadinessPayload(TenantOnboardingSession $draft): arr
|
||||
$permissions = $tenant instanceof Tenant ? $this->readinessPermissionOverview($tenant) : null;
|
||||
$verificationReport = $verificationRun instanceof OperationRun ? VerificationReportViewer::report($verificationRun) : null;
|
||||
$verificationReport = is_array($verificationReport) ? $verificationReport : null;
|
||||
$verificationPrimaryReasonCode = $verificationReport !== null
|
||||
? app(ContextualHelpResolver::class)->primaryReasonCodeFromVerificationReport($verificationReport)
|
||||
: null;
|
||||
$permissionFreshness = is_array($permissions['freshness'] ?? null) ? $permissions['freshness'] : [
|
||||
'last_refreshed_at' => null,
|
||||
'is_stale' => true,
|
||||
@ -1264,9 +1237,6 @@ private function onboardingReadinessPayload(TenantOnboardingSession $draft): arr
|
||||
verificationMismatch: $verificationMismatch,
|
||||
);
|
||||
|
||||
$reasonCode = is_string($snapshot['reason_code'] ?? null) ? $snapshot['reason_code'] : null;
|
||||
$blockingReasonCode = is_string($snapshot['blocking_reason_code'] ?? null) ? $snapshot['blocking_reason_code'] : null;
|
||||
|
||||
return [
|
||||
'draft' => [
|
||||
'id' => (int) $draft->getKey(),
|
||||
@ -1293,7 +1263,6 @@ private function onboardingReadinessPayload(TenantOnboardingSession $draft): arr
|
||||
? OperationRunLinks::tenantlessView($verificationRun)
|
||||
: null,
|
||||
'is_active' => $verificationRun instanceof OperationRun && $verificationRun->status !== OperationRunStatus::Completed->value,
|
||||
'has_report' => $verificationReport !== null,
|
||||
'matches_selected_connection' => $verificationMatchesSelectedConnection,
|
||||
'overall' => $verificationRun instanceof OperationRun
|
||||
? $this->readinessVerificationOverall($verificationRun, $verificationReport)
|
||||
@ -1317,8 +1286,8 @@ private function onboardingReadinessPayload(TenantOnboardingSession $draft): arr
|
||||
),
|
||||
],
|
||||
'blocker' => [
|
||||
'reason_code' => $reasonCode,
|
||||
'blocking_reason_code' => $blockingReasonCode,
|
||||
'reason_code' => is_string($snapshot['reason_code'] ?? null) ? $snapshot['reason_code'] : null,
|
||||
'blocking_reason_code' => is_string($snapshot['blocking_reason_code'] ?? null) ? $snapshot['blocking_reason_code'] : null,
|
||||
'operator_summary' => $readinessSummary,
|
||||
],
|
||||
'next_action' => $this->readinessNextAction(
|
||||
@ -1328,7 +1297,6 @@ private function onboardingReadinessPayload(TenantOnboardingSession $draft): arr
|
||||
verificationRun: $verificationRun,
|
||||
verificationStatus: $verificationStatus,
|
||||
permissions: $permissions,
|
||||
blockerReasonCode: $verificationPrimaryReasonCode ?? $blockingReasonCode ?? $reasonCode,
|
||||
connectionRecentlyUpdated: $connectionRecentlyUpdated,
|
||||
verificationMismatch: $verificationMismatch,
|
||||
supportingLinks: $supportingLinks,
|
||||
@ -1406,35 +1374,6 @@ private function readinessNextActionColor(string $kind): string
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $payload
|
||||
*/
|
||||
private function readinessPrimaryNextActionComponent(array $payload, string $keyPrefix): \Filament\Schemas\Components\Component
|
||||
{
|
||||
$nextAction = is_array($payload['next_action'] ?? null) ? $payload['next_action'] : [];
|
||||
$label = is_string($nextAction['label'] ?? null) && trim((string) $nextAction['label']) !== ''
|
||||
? trim((string) $nextAction['label'])
|
||||
: 'Continue onboarding';
|
||||
$kind = is_string($nextAction['kind'] ?? null) ? $nextAction['kind'] : 'gray';
|
||||
$url = is_string($nextAction['url'] ?? null) && trim((string) $nextAction['url']) !== ''
|
||||
? trim((string) $nextAction['url'])
|
||||
: null;
|
||||
|
||||
if ($url !== null) {
|
||||
return SchemaActions::make([
|
||||
Action::make($keyPrefix.'_primary_next_action')
|
||||
->label($label)
|
||||
->color($this->readinessNextActionColor($kind))
|
||||
->url($url)
|
||||
->openUrlInNewTab(str_starts_with($url, 'http://') || str_starts_with($url, 'https://')),
|
||||
])->key($keyPrefix.'_primary_next_action');
|
||||
}
|
||||
|
||||
return Text::make($label)
|
||||
->badge()
|
||||
->color($this->readinessNextActionColor($kind));
|
||||
}
|
||||
|
||||
private function readinessProviderConnection(TenantOnboardingSession $draft): ?ProviderConnection
|
||||
{
|
||||
$state = is_array($draft->state) ? $draft->state : [];
|
||||
@ -1468,8 +1407,8 @@ private function readinessProviderSummary(?ProviderConnection $connection): ?arr
|
||||
return [
|
||||
'provider' => (string) $connection->provider,
|
||||
'target_scope' => [],
|
||||
'consent_state' => $this->stringValue($connection->consent_status),
|
||||
'verification_state' => $this->stringValue($connection->verification_status),
|
||||
'consent_state' => (string) $connection->consent_status,
|
||||
'verification_state' => (string) $connection->verification_status,
|
||||
'readiness_summary' => 'Target scope needs review',
|
||||
'target_scope_summary' => 'Target scope needs review',
|
||||
'contextual_identity_line' => null,
|
||||
@ -1675,7 +1614,6 @@ private function readinessNextAction(
|
||||
?OperationRun $verificationRun,
|
||||
string $verificationStatus,
|
||||
?array $permissions,
|
||||
?string $blockerReasonCode,
|
||||
bool $connectionRecentlyUpdated,
|
||||
bool $verificationMismatch,
|
||||
array $supportingLinks,
|
||||
@ -1701,7 +1639,7 @@ private function readinessNextAction(
|
||||
|
||||
if ($consentState !== ProviderConsentStatus::Granted->value) {
|
||||
return $this->readinessAction(
|
||||
label: 'Grant admin consent',
|
||||
label: 'Grant consent',
|
||||
kind: 'grant_consent',
|
||||
url: $draft->tenant instanceof Tenant ? RequiredPermissionsLinks::adminConsentPrimaryUrl($draft->tenant) : null,
|
||||
);
|
||||
@ -1709,18 +1647,6 @@ private function readinessNextAction(
|
||||
|
||||
$permissionOverall = is_string($permissions['overall'] ?? null) ? $permissions['overall'] : null;
|
||||
|
||||
if (in_array($blockerReasonCode, [
|
||||
ProviderReasonCodes::ProviderConsentMissing,
|
||||
ProviderReasonCodes::ProviderConsentFailed,
|
||||
ProviderReasonCodes::ProviderConsentRevoked,
|
||||
], true)) {
|
||||
return $this->readinessAction(
|
||||
label: 'Grant admin consent',
|
||||
kind: 'grant_consent',
|
||||
url: $draft->tenant instanceof Tenant ? RequiredPermissionsLinks::adminConsentPrimaryUrl($draft->tenant) : null,
|
||||
);
|
||||
}
|
||||
|
||||
if ($permissionOverall === VerificationReportOverall::Blocked->value) {
|
||||
return $this->readinessAction(
|
||||
label: 'Review permissions',
|
||||
@ -2851,7 +2777,6 @@ private function verificationReportViewData(): array
|
||||
'acknowledgements' => [],
|
||||
'surface' => [],
|
||||
'redactionNotes' => [],
|
||||
'contextualHelp' => null,
|
||||
'assistVisibility' => $assistVisibility,
|
||||
'assistActionName' => 'wizardVerificationRequiredPermissionsAssist',
|
||||
'technicalDetailsActionName' => 'wizardVerificationTechnicalDetails',
|
||||
@ -2861,7 +2786,6 @@ private function verificationReportViewData(): array
|
||||
|
||||
$report = VerificationReportViewer::report($run);
|
||||
$fingerprint = is_array($report) ? VerificationReportViewer::fingerprint($report) : null;
|
||||
$contextualHelp = is_array($report) ? $this->verificationContextualHelp($report, $run) : null;
|
||||
|
||||
$changeIndicator = VerificationReportChangeIndicator::forRun($run);
|
||||
$previousRunUrl = $this->verificationPreviousRunUrl($changeIndicator);
|
||||
@ -2948,7 +2872,6 @@ private function verificationReportViewData(): array
|
||||
'acknowledgements' => $acknowledgements,
|
||||
'surface' => $surface,
|
||||
'redactionNotes' => VerificationReportViewer::redactionNotes($report),
|
||||
'contextualHelp' => $contextualHelp,
|
||||
'assistVisibility' => $assistVisibility,
|
||||
'assistActionName' => 'wizardVerificationRequiredPermissionsAssist',
|
||||
'technicalDetailsActionName' => 'wizardVerificationTechnicalDetails',
|
||||
@ -2956,40 +2879,6 @@ private function verificationReportViewData(): array
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $verificationReport
|
||||
* @return array<string, mixed>|null
|
||||
*/
|
||||
private function verificationContextualHelp(array $verificationReport, OperationRun $run): ?array
|
||||
{
|
||||
$tenant = $this->managedTenant;
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$resolver = app(ContextualHelpResolver::class);
|
||||
$reasonCode = $resolver->primaryReasonCodeFromVerificationReport($verificationReport);
|
||||
$topicKey = $resolver->topicKeyForOnboardingVerification(
|
||||
reasonCode: $reasonCode,
|
||||
isVerificationStale: $this->verificationRunIsStaleForSelectedConnection(),
|
||||
verificationOverall: is_string(data_get($verificationReport, 'summary.overall'))
|
||||
? (string) data_get($verificationReport, 'summary.overall')
|
||||
: null,
|
||||
runOutcome: is_string($run->outcome) ? (string) $run->outcome : null,
|
||||
);
|
||||
|
||||
if ($topicKey === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $resolver->tryResolve($topicKey, [
|
||||
'tenant' => $tenant,
|
||||
'reason_code' => $reasonCode,
|
||||
'surface' => 'onboarding',
|
||||
]);
|
||||
}
|
||||
|
||||
public function wizardVerificationRequiredPermissionsAssistAction(): Action
|
||||
{
|
||||
return Action::make('wizardVerificationRequiredPermissionsAssist')
|
||||
@ -4506,10 +4395,6 @@ private function canCompleteOnboarding(): bool
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($this->completionSummaryEntitlementBlocked()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$user = $this->currentUser();
|
||||
|
||||
if (! app(TenantOperabilityService::class)->outcomeFor(
|
||||
@ -4542,111 +4427,6 @@ private function canCompleteOnboarding(): bool
|
||||
return trim((string) ($this->data['override_reason'] ?? '')) !== '';
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
private function completionSummaryEntitlementDecision(): array
|
||||
{
|
||||
if (! isset($this->workspace) || ! $this->workspace instanceof Workspace) {
|
||||
return [];
|
||||
}
|
||||
|
||||
return app(WorkspaceEntitlementResolver::class)->resolve(
|
||||
$this->workspace,
|
||||
WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT,
|
||||
);
|
||||
}
|
||||
|
||||
private function completionSummaryEntitlementBlocked(): bool
|
||||
{
|
||||
return (bool) ($this->completionSummaryEntitlementDecision()['is_blocked'] ?? false);
|
||||
}
|
||||
|
||||
private function completionSummaryEntitlementSummary(): string
|
||||
{
|
||||
$decision = $this->completionSummaryEntitlementDecision();
|
||||
$currentUsage = (int) ($decision['current_usage'] ?? 0);
|
||||
$effectiveValue = (int) ($decision['effective_value'] ?? 0);
|
||||
$sourceLabel = $this->completionSummaryEntitlementSourceLabel($decision);
|
||||
|
||||
return sprintf(
|
||||
'%s - %d active of %d allowed (%s)',
|
||||
$this->completionSummaryEntitlementBlocked() ? 'Blocked' : 'Allowed',
|
||||
$currentUsage,
|
||||
$effectiveValue,
|
||||
$sourceLabel,
|
||||
);
|
||||
}
|
||||
|
||||
private function completionSummaryEntitlementDetail(): string
|
||||
{
|
||||
$decision = $this->completionSummaryEntitlementDecision();
|
||||
$currentUsage = (int) ($decision['current_usage'] ?? 0);
|
||||
$effectiveValue = (int) ($decision['effective_value'] ?? 0);
|
||||
$remainingCapacity = (int) ($decision['remaining_capacity'] ?? 0);
|
||||
$sourceLabel = $this->completionSummaryEntitlementSourceLabel($decision);
|
||||
$rationale = is_string($decision['rationale'] ?? null) ? $decision['rationale'] : null;
|
||||
$message = sprintf(
|
||||
'Current usage is %d active managed tenant%s out of %d allowed. Source: %s.',
|
||||
$currentUsage,
|
||||
$currentUsage === 1 ? '' : 's',
|
||||
$effectiveValue,
|
||||
$sourceLabel,
|
||||
);
|
||||
|
||||
if ($remainingCapacity >= 0) {
|
||||
$message .= sprintf(' Remaining capacity: %d.', $remainingCapacity);
|
||||
}
|
||||
|
||||
if ($this->completionSummaryEntitlementBlocked()) {
|
||||
$blockReason = is_string($decision['block_reason'] ?? null) ? $decision['block_reason'] : null;
|
||||
|
||||
if ($blockReason !== null && $blockReason !== '') {
|
||||
$message = $blockReason;
|
||||
}
|
||||
}
|
||||
|
||||
if ($rationale !== null && $rationale !== '' && ($decision['source'] ?? null) === 'workspace_override') {
|
||||
$message .= ' Rationale: '.$rationale;
|
||||
}
|
||||
|
||||
return $message;
|
||||
}
|
||||
|
||||
private function completionSummaryEntitlementColor(): string
|
||||
{
|
||||
return $this->completionSummaryEntitlementBlocked() ? 'warning' : 'success';
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $decision
|
||||
*/
|
||||
private function completionSummaryEntitlementSourceLabel(array $decision): string
|
||||
{
|
||||
if (($decision['source'] ?? null) === 'workspace_override') {
|
||||
return 'workspace override';
|
||||
}
|
||||
|
||||
$label = $decision['plan_profile_label'] ?? null;
|
||||
|
||||
return is_string($label) && $label !== ''
|
||||
? sprintf('%s plan profile', $label)
|
||||
: 'plan profile default';
|
||||
}
|
||||
|
||||
private function completionActionTooltip(): ?string
|
||||
{
|
||||
if (! $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_ACTIVATE)) {
|
||||
return 'Owner required to complete onboarding.';
|
||||
}
|
||||
|
||||
if ($this->completionSummaryEntitlementBlocked()) {
|
||||
return $this->completionSummaryEntitlementDetail();
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
private function completionSummaryTenantLine(): string
|
||||
{
|
||||
$tenant = $this->currentManagedTenantRecord();
|
||||
@ -4727,19 +4507,6 @@ private function completionSummaryConnectionSummary(): string
|
||||
return sprintf('%s - %s', $label, $detail);
|
||||
}
|
||||
|
||||
private function stringValue(mixed $value): string
|
||||
{
|
||||
if ($value instanceof BackedEnum) {
|
||||
return (string) $value->value;
|
||||
}
|
||||
|
||||
if (is_string($value) || is_int($value) || is_float($value) || is_bool($value)) {
|
||||
return (string) $value;
|
||||
}
|
||||
|
||||
return '';
|
||||
}
|
||||
|
||||
private function completionSummaryVerificationDetail(): string
|
||||
{
|
||||
$counts = $this->verificationReportCounts();
|
||||
@ -4980,16 +4747,6 @@ public function completeOnboarding(): void
|
||||
return;
|
||||
}
|
||||
|
||||
if ($this->completionSummaryEntitlementBlocked()) {
|
||||
Notification::make()
|
||||
->title('Activation limit reached')
|
||||
->body($this->completionSummaryEntitlementDetail())
|
||||
->warning()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$run = $this->verificationRun();
|
||||
$verificationSucceeded = $this->verificationHasSucceeded();
|
||||
$verificationCanProceed = $this->verificationCanProceed();
|
||||
|
||||
@ -6,7 +6,6 @@
|
||||
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
|
||||
use App\Filament\Resources\EvidenceSnapshotResource\Pages;
|
||||
use App\Filament\Resources\ReviewPackResource;
|
||||
use App\Models\EvidenceSnapshot;
|
||||
@ -268,20 +267,6 @@ public static function relatedContextEntries(EvidenceSnapshot $record): array
|
||||
)->toArray();
|
||||
}
|
||||
|
||||
if ($record->tenant instanceof Tenant) {
|
||||
$entries[] = RelatedContextEntry::available(
|
||||
key: 'customer_review_workspace',
|
||||
label: 'Customer workspace',
|
||||
value: $record->tenant->name,
|
||||
secondaryValue: 'Open the customer-safe review workspace prefiltered to this tenant.',
|
||||
targetUrl: CustomerReviewWorkspace::tenantPrefilterUrl($record->tenant),
|
||||
targetKind: 'canonical_page',
|
||||
priority: 30,
|
||||
actionLabel: 'Open customer workspace',
|
||||
contextBadge: 'Reporting',
|
||||
)->toArray();
|
||||
}
|
||||
|
||||
return $entries;
|
||||
}
|
||||
|
||||
|
||||
@ -2,10 +2,7 @@
|
||||
|
||||
namespace App\Filament\Resources;
|
||||
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Exceptions\Entitlements\WorkspaceEntitlementBlockedException;
|
||||
use App\Exceptions\ReviewPackEvidenceResolutionException;
|
||||
use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
|
||||
use App\Filament\Resources\EvidenceSnapshotResource as TenantEvidenceSnapshotResource;
|
||||
use App\Filament\Resources\ReviewPackResource\Pages;
|
||||
use App\Models\ReviewPack;
|
||||
@ -13,7 +10,6 @@
|
||||
use App\Models\User;
|
||||
use App\Services\ReviewPackService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Auth\UiTooltips as AuthUiTooltips;
|
||||
use App\Support\Badges\BadgeCatalog;
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
use App\Support\Badges\BadgeRenderer;
|
||||
@ -49,8 +45,6 @@
|
||||
|
||||
class ReviewPackResource extends Resource
|
||||
{
|
||||
use ResolvesPanelTenantContext;
|
||||
|
||||
protected static ?string $model = ReviewPack::class;
|
||||
|
||||
protected static ?string $tenantOwnershipRelationshipName = 'tenant';
|
||||
@ -108,9 +102,9 @@ public static function canView(Model $record): bool
|
||||
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
|
||||
{
|
||||
return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView, ActionSurfaceType::ReadOnlyRegistryReport)
|
||||
->satisfy(ActionSurfaceSlot::ListHeader, 'Generate Pack action appears in the list header once review packs exist.')
|
||||
->satisfy(ActionSurfaceSlot::ListHeader, 'Generate Pack action available in list header.')
|
||||
->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
|
||||
->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state carries the single Generate CTA while the registry is empty.')
|
||||
->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state includes Generate CTA.')
|
||||
->satisfy(ActionSurfaceSlot::ListRowMoreMenu, 'Clickable-row inspection stays primary while Download remains the only direct row shortcut and Expire is grouped under More.')
|
||||
->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'No bulk operations are supported for review packs.')
|
||||
->satisfy(ActionSurfaceSlot::DetailHeader, 'Download and Regenerate actions in ViewReviewPack header.');
|
||||
@ -196,13 +190,6 @@ public static function infolist(Schema $schema): Schema
|
||||
? TenantReviewResource::tenantScopedUrl('view', ['record' => $record->tenantReview], $record->tenant)
|
||||
: null)
|
||||
->placeholder('—'),
|
||||
TextEntry::make('customer_workspace')
|
||||
->label('Customer workspace')
|
||||
->state(fn (): string => 'Open workspace')
|
||||
->url(fn (ReviewPack $record): ?string => $record->tenant instanceof Tenant
|
||||
? CustomerReviewWorkspace::tenantPrefilterUrl($record->tenant)
|
||||
: null)
|
||||
->placeholder('—'),
|
||||
TextEntry::make('summary.review_status')
|
||||
->label('Review status')
|
||||
->badge()
|
||||
@ -363,37 +350,14 @@ public static function table(Table $table): Table
|
||||
->emptyStateDescription('Generate a review pack to export tenant data for external review.')
|
||||
->emptyStateIcon('heroicon-o-document-arrow-down')
|
||||
->emptyStateActions([
|
||||
static::generatePackAction(name: 'generate_first', label: 'Generate first pack'),
|
||||
]);
|
||||
}
|
||||
|
||||
public static function generatePackAction(string $name = 'generate_pack', string $label = 'Generate Pack'): Actions\Action
|
||||
{
|
||||
$action = UiEnforcement::forAction(
|
||||
Actions\Action::make($name)
|
||||
->label($label)
|
||||
UiEnforcement::forAction(
|
||||
Actions\Action::make('generate_first')
|
||||
->label('Generate first pack')
|
||||
->icon('heroicon-o-plus')
|
||||
->disabled(fn (): bool => static::reviewPackGenerationBlocked())
|
||||
->action(function (array $data): void {
|
||||
static::executeGeneration($data);
|
||||
})
|
||||
->form(static::reviewPackGenerationFormSchema())
|
||||
)
|
||||
->requireCapability(Capabilities::REVIEW_PACK_MANAGE)
|
||||
->preserveDisabled()
|
||||
->apply();
|
||||
|
||||
$action->tooltip(fn (): ?string => static::reviewPackGenerationActionTooltip());
|
||||
|
||||
return $action;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, Section>
|
||||
*/
|
||||
public static function reviewPackGenerationFormSchema(): array
|
||||
{
|
||||
return [
|
||||
->form([
|
||||
Section::make('Pack options')
|
||||
->schema([
|
||||
Toggle::make('include_pii')
|
||||
@ -405,20 +369,22 @@ public static function reviewPackGenerationFormSchema(): array
|
||||
->helperText('Include recent operation history in the export.')
|
||||
->default(config('tenantpilot.review_pack.include_operations_default', true)),
|
||||
]),
|
||||
];
|
||||
])
|
||||
)
|
||||
->requireCapability(Capabilities::REVIEW_PACK_MANAGE)
|
||||
->apply(),
|
||||
]);
|
||||
}
|
||||
|
||||
public static function getEloquentQuery(): Builder
|
||||
{
|
||||
$tenant = Tenant::current() ?? static::resolveTenantContextForCurrentPanel() ?? Filament::getTenant();
|
||||
$tenant = Filament::getTenant();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return parent::getEloquentQuery()->whereRaw('1 = 0');
|
||||
}
|
||||
|
||||
return parent::getEloquentQuery()
|
||||
->with(['tenant', 'operationRun', 'evidenceSnapshot', 'tenantReview'])
|
||||
->where('tenant_id', (int) $tenant->getKey());
|
||||
return parent::getEloquentQuery()->where('tenant_id', (int) $tenant->getKey());
|
||||
}
|
||||
|
||||
public static function getPages(): array
|
||||
@ -492,14 +458,6 @@ public static function executeGeneration(array $data): void
|
||||
|
||||
try {
|
||||
$reviewPack = $service->generate($tenant, $user, $options);
|
||||
} catch (WorkspaceEntitlementBlockedException $exception) {
|
||||
Notification::make()
|
||||
->warning()
|
||||
->title('Review pack generation unavailable')
|
||||
->body($exception->getMessage())
|
||||
->send();
|
||||
|
||||
return;
|
||||
} catch (ReviewPackEvidenceResolutionException $exception) {
|
||||
$reasons = $exception->result->reasons;
|
||||
|
||||
@ -535,55 +493,4 @@ public static function executeGeneration(array $data): void
|
||||
|
||||
OperationUxPresenter::queuedToast('tenant.review_pack.generate')->send();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
public static function reviewPackGenerationDecision(?Tenant $tenant = null): array
|
||||
{
|
||||
$tenant ??= Tenant::current() ?? static::resolveTenantContextForCurrentPanel() ?? Filament::getTenant();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return [];
|
||||
}
|
||||
|
||||
return app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($tenant);
|
||||
}
|
||||
|
||||
public static function currentTenantContext(): ?Tenant
|
||||
{
|
||||
$tenant = Tenant::current() ?? static::resolveTenantContextForCurrentPanel() ?? Filament::getTenant();
|
||||
|
||||
return $tenant instanceof Tenant ? $tenant : null;
|
||||
}
|
||||
|
||||
public static function reviewPackGenerationBlocked(?Tenant $tenant = null): bool
|
||||
{
|
||||
return (bool) (static::reviewPackGenerationDecision($tenant)['is_blocked'] ?? false);
|
||||
}
|
||||
|
||||
public static function reviewPackGenerationBlockReason(?Tenant $tenant = null): ?string
|
||||
{
|
||||
$decision = static::reviewPackGenerationDecision($tenant);
|
||||
|
||||
if (! (bool) ($decision['is_blocked'] ?? false)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$reason = $decision['block_reason'] ?? null;
|
||||
|
||||
return is_string($reason) && $reason !== '' ? $reason : null;
|
||||
}
|
||||
|
||||
public static function reviewPackGenerationActionTooltip(?Tenant $tenant = null): ?string
|
||||
{
|
||||
$tenant ??= static::currentTenantContext();
|
||||
$user = auth()->user();
|
||||
|
||||
if ($tenant instanceof Tenant && $user instanceof User && ! $user->can(Capabilities::REVIEW_PACK_MANAGE, $tenant)) {
|
||||
return AuthUiTooltips::insufficientPermission();
|
||||
}
|
||||
|
||||
return static::reviewPackGenerationBlockReason($tenant);
|
||||
}
|
||||
}
|
||||
|
||||
@ -3,7 +3,12 @@
|
||||
namespace App\Filament\Resources\ReviewPackResource\Pages;
|
||||
|
||||
use App\Filament\Resources\ReviewPackResource;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Rbac\UiEnforcement;
|
||||
use Filament\Actions;
|
||||
use Filament\Forms\Components\Toggle;
|
||||
use Filament\Resources\Pages\ListRecords;
|
||||
use Filament\Schemas\Components\Section;
|
||||
|
||||
class ListReviewPacks extends ListRecords
|
||||
{
|
||||
@ -12,13 +17,29 @@ class ListReviewPacks extends ListRecords
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
ReviewPackResource::generatePackAction()
|
||||
->visible(fn (): bool => $this->tableHasRecords()),
|
||||
UiEnforcement::forAction(
|
||||
Actions\Action::make('generate_pack')
|
||||
->label('Generate Pack')
|
||||
->icon('heroicon-o-plus')
|
||||
->action(function (array $data): void {
|
||||
ReviewPackResource::executeGeneration($data);
|
||||
})
|
||||
->form([
|
||||
Section::make('Pack options')
|
||||
->schema([
|
||||
Toggle::make('include_pii')
|
||||
->label('Include PII')
|
||||
->helperText('Include personally identifiable information in the export.')
|
||||
->default(config('tenantpilot.review_pack.include_pii_default', true)),
|
||||
Toggle::make('include_operations')
|
||||
->label('Include operations')
|
||||
->helperText('Include recent operation history in the export.')
|
||||
->default(config('tenantpilot.review_pack.include_operations_default', true)),
|
||||
]),
|
||||
])
|
||||
)
|
||||
->requireCapability(Capabilities::REVIEW_PACK_MANAGE)
|
||||
->apply(),
|
||||
];
|
||||
}
|
||||
|
||||
private function tableHasRecords(): bool
|
||||
{
|
||||
return $this->getTableRecords()->count() > 0;
|
||||
}
|
||||
}
|
||||
|
||||
@ -19,12 +19,20 @@ class ViewReviewPack extends ViewRecord
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
$regenerateAction = UiEnforcement::forAction(
|
||||
return [
|
||||
Actions\Action::make('download')
|
||||
->label('Download')
|
||||
->icon('heroicon-o-arrow-down-tray')
|
||||
->color('success')
|
||||
->visible(fn (): bool => $this->record->status === ReviewPackStatus::Ready->value)
|
||||
->url(fn (): string => app(ReviewPackService::class)->generateDownloadUrl($this->record))
|
||||
->openUrlInNewTab(),
|
||||
|
||||
UiEnforcement::forAction(
|
||||
Actions\Action::make('regenerate')
|
||||
->label('Regenerate')
|
||||
->icon('heroicon-o-arrow-path')
|
||||
->color('primary')
|
||||
->disabled(fn (): bool => ReviewPackResource::reviewPackGenerationBlocked($this->record->tenant))
|
||||
->requiresConfirmation()
|
||||
->modalDescription('This will generate a new review pack with the same options. The current pack will remain available until it expires.')
|
||||
->action(function (array $data): void {
|
||||
@ -59,21 +67,7 @@ protected function getHeaderActions(): array
|
||||
})
|
||||
)
|
||||
->requireCapability(Capabilities::REVIEW_PACK_MANAGE)
|
||||
->preserveDisabled()
|
||||
->apply();
|
||||
|
||||
$regenerateAction->tooltip(fn (): ?string => ReviewPackResource::reviewPackGenerationActionTooltip($this->record->tenant));
|
||||
|
||||
return [
|
||||
Actions\Action::make('download')
|
||||
->label('Download')
|
||||
->icon('heroicon-o-arrow-down-tray')
|
||||
->color('success')
|
||||
->visible(fn (): bool => $this->record->status === ReviewPackStatus::Ready->value)
|
||||
->url(fn (): string => app(ReviewPackService::class)->generateDownloadUrl($this->record))
|
||||
->openUrlInNewTab(),
|
||||
|
||||
$regenerateAction,
|
||||
->apply(),
|
||||
];
|
||||
}
|
||||
}
|
||||
|
||||
@ -6,9 +6,7 @@
|
||||
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
|
||||
use App\Filament\Resources\TenantReviewResource\Pages;
|
||||
use App\Exceptions\Entitlements\WorkspaceEntitlementBlockedException;
|
||||
use App\Models\EvidenceSnapshot;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantReview;
|
||||
@ -17,7 +15,6 @@
|
||||
use App\Services\ReviewPackService;
|
||||
use App\Services\TenantReviews\TenantReviewService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Auth\UiTooltips as AuthUiTooltips;
|
||||
use App\Support\Badges\BadgeCatalog;
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
use App\Support\Badges\BadgeRenderer;
|
||||
@ -244,25 +241,6 @@ public static function infolist(Schema $schema): Schema
|
||||
|
||||
public static function table(Table $table): Table
|
||||
{
|
||||
$exportExecutivePackAction = UiEnforcement::forTableAction(
|
||||
Actions\Action::make('export_executive_pack')
|
||||
->label('Export executive pack')
|
||||
->icon('heroicon-o-arrow-down-tray')
|
||||
->visible(fn (TenantReview $record): bool => in_array($record->status, [
|
||||
TenantReviewStatus::Ready->value,
|
||||
TenantReviewStatus::Published->value,
|
||||
], true))
|
||||
->disabled(fn (TenantReview $record): bool => static::reviewPackGenerationBlocked($record->tenant))
|
||||
->action(fn (TenantReview $record): mixed => static::executeExport($record)),
|
||||
fn (TenantReview $record): TenantReview => $record,
|
||||
)
|
||||
->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
|
||||
->preserveVisibility()
|
||||
->preserveDisabled()
|
||||
->apply();
|
||||
|
||||
$exportExecutivePackAction->tooltip(fn (TenantReview $record): ?string => static::reviewPackGenerationActionTooltip($record->tenant));
|
||||
|
||||
return $table
|
||||
->defaultSort('generated_at', 'desc')
|
||||
->persistFiltersInSession()
|
||||
@ -309,7 +287,20 @@ public static function table(Table $table): Table
|
||||
\App\Support\Filament\FilterPresets::dateRange('review_date', 'Review date', 'generated_at'),
|
||||
])
|
||||
->actions([
|
||||
$exportExecutivePackAction,
|
||||
UiEnforcement::forTableAction(
|
||||
Actions\Action::make('export_executive_pack')
|
||||
->label('Export executive pack')
|
||||
->icon('heroicon-o-arrow-down-tray')
|
||||
->visible(fn (TenantReview $record): bool => in_array($record->status, [
|
||||
TenantReviewStatus::Ready->value,
|
||||
TenantReviewStatus::Published->value,
|
||||
], true))
|
||||
->action(fn (TenantReview $record): mixed => static::executeExport($record)),
|
||||
fn (TenantReview $record): TenantReview => $record,
|
||||
)
|
||||
->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
|
||||
->preserveVisibility()
|
||||
->apply(),
|
||||
])
|
||||
->bulkActions([])
|
||||
->emptyStateHeading('No tenant reviews yet')
|
||||
@ -432,50 +423,6 @@ public static function executeCreateReview(array $data): void
|
||||
$toast->send();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
public static function reviewPackGenerationDecision(?Tenant $tenant = null): array
|
||||
{
|
||||
$tenant ??= Filament::getTenant();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return [];
|
||||
}
|
||||
|
||||
return app(ReviewPackService::class)->reviewPackGenerationDecisionForTenant($tenant);
|
||||
}
|
||||
|
||||
public static function reviewPackGenerationBlocked(?Tenant $tenant = null): bool
|
||||
{
|
||||
return (bool) (static::reviewPackGenerationDecision($tenant)['is_blocked'] ?? false);
|
||||
}
|
||||
|
||||
public static function reviewPackGenerationBlockReason(?Tenant $tenant = null): ?string
|
||||
{
|
||||
$decision = static::reviewPackGenerationDecision($tenant);
|
||||
|
||||
if (! (bool) ($decision['is_blocked'] ?? false)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$reason = $decision['block_reason'] ?? null;
|
||||
|
||||
return is_string($reason) && $reason !== '' ? $reason : null;
|
||||
}
|
||||
|
||||
public static function reviewPackGenerationActionTooltip(?Tenant $tenant = null): ?string
|
||||
{
|
||||
$tenant ??= static::panelTenantContext();
|
||||
$user = auth()->user();
|
||||
|
||||
if ($tenant instanceof Tenant && $user instanceof User && ! $user->can(Capabilities::TENANT_REVIEW_MANAGE, $tenant)) {
|
||||
return AuthUiTooltips::insufficientPermission();
|
||||
}
|
||||
|
||||
return static::reviewPackGenerationBlockReason($tenant);
|
||||
}
|
||||
|
||||
public static function executeExport(TenantReview $review): void
|
||||
{
|
||||
$review->loadMissing(['tenant', 'currentExportReviewPack']);
|
||||
@ -510,10 +457,6 @@ public static function executeExport(TenantReview $review): void
|
||||
'include_pii' => true,
|
||||
'include_operations' => true,
|
||||
]);
|
||||
} catch (WorkspaceEntitlementBlockedException $exception) {
|
||||
Notification::make()->warning()->title('Executive pack export unavailable')->body($exception->getMessage())->send();
|
||||
|
||||
return;
|
||||
} catch (\Throwable $throwable) {
|
||||
Notification::make()->danger()->title('Unable to export executive pack')->body($throwable->getMessage())->send();
|
||||
|
||||
@ -650,15 +593,6 @@ private static function summaryContextLinks(TenantReview $record): array
|
||||
];
|
||||
}
|
||||
|
||||
if ($record->tenant) {
|
||||
$links[] = [
|
||||
'title' => 'Customer workspace',
|
||||
'label' => 'Open customer workspace',
|
||||
'url' => CustomerReviewWorkspace::tenantPrefilterUrl($record->tenant),
|
||||
'description' => 'Open the customer-safe review workspace prefiltered to this tenant.',
|
||||
];
|
||||
}
|
||||
|
||||
if ($record->evidenceSnapshot && $record->tenant) {
|
||||
$links[] = [
|
||||
'title' => 'Evidence snapshot',
|
||||
|
||||
@ -4,15 +4,12 @@
|
||||
|
||||
namespace App\Filament\Resources\TenantReviewResource\Pages;
|
||||
|
||||
use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
|
||||
use App\Filament\Resources\TenantReviewResource;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantReview;
|
||||
use App\Models\User;
|
||||
use App\Services\Audit\WorkspaceAuditLogger;
|
||||
use App\Services\TenantReviews\TenantReviewLifecycleService;
|
||||
use App\Services\TenantReviews\TenantReviewService;
|
||||
use App\Support\Audit\AuditActionId;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Rbac\UiEnforcement;
|
||||
use App\Support\TenantReviewStatus;
|
||||
@ -27,13 +24,6 @@ class ViewTenantReview extends ViewRecord
|
||||
{
|
||||
protected static string $resource = TenantReviewResource::class;
|
||||
|
||||
public function mount(int|string $record): void
|
||||
{
|
||||
parent::mount($record);
|
||||
|
||||
$this->auditCustomerWorkspaceOpen();
|
||||
}
|
||||
|
||||
protected function resolveRecord(int|string $key): Model
|
||||
{
|
||||
return TenantReviewResource::resolveScopedRecordOrFail($key);
|
||||
@ -79,7 +69,7 @@ protected function getHeaderActions(): array
|
||||
->label('Danger')
|
||||
->icon('heroicon-o-archive-box')
|
||||
->color('danger')
|
||||
->visible(fn (): bool => ! $this->isCustomerWorkspaceView() && ! $this->record->statusEnum()->isTerminal()),
|
||||
->visible(fn (): bool => ! $this->record->statusEnum()->isTerminal()),
|
||||
]));
|
||||
}
|
||||
|
||||
@ -95,10 +85,6 @@ private function primaryLifecycleAction(): ?Actions\Action
|
||||
|
||||
private function primaryLifecycleActionName(): ?string
|
||||
{
|
||||
if ($this->isCustomerWorkspaceView()) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if ((string) $this->record->status === TenantReviewStatus::Published->value) {
|
||||
return 'export_executive_pack';
|
||||
}
|
||||
@ -136,10 +122,6 @@ private function secondaryLifecycleActions(): array
|
||||
*/
|
||||
private function secondaryLifecycleActionNames(): array
|
||||
{
|
||||
if ($this->isCustomerWorkspaceView()) {
|
||||
return [];
|
||||
}
|
||||
|
||||
$names = [];
|
||||
|
||||
if ($this->record->isMutable()) {
|
||||
@ -196,6 +178,7 @@ private function refreshReviewAction(): Actions\Action
|
||||
}),
|
||||
)
|
||||
->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
|
||||
->preserveVisibility()
|
||||
->apply();
|
||||
}
|
||||
|
||||
@ -249,7 +232,7 @@ private function publishReviewAction(): Actions\Action
|
||||
|
||||
private function exportExecutivePackAction(): Actions\Action
|
||||
{
|
||||
$action = UiEnforcement::forAction(
|
||||
return UiEnforcement::forAction(
|
||||
Actions\Action::make('export_executive_pack')
|
||||
->label('Export executive pack')
|
||||
->icon('heroicon-o-arrow-down-tray')
|
||||
@ -258,17 +241,11 @@ private function exportExecutivePackAction(): Actions\Action
|
||||
TenantReviewStatus::Ready->value,
|
||||
TenantReviewStatus::Published->value,
|
||||
], true))
|
||||
->disabled(fn (): bool => TenantReviewResource::reviewPackGenerationBlocked($this->record->tenant))
|
||||
->action(fn (): mixed => TenantReviewResource::executeExport($this->record)),
|
||||
)
|
||||
->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
|
||||
->preserveVisibility()
|
||||
->preserveDisabled()
|
||||
->apply();
|
||||
|
||||
$action->tooltip(fn (): ?string => TenantReviewResource::reviewPackGenerationActionTooltip($this->record->tenant));
|
||||
|
||||
return $action;
|
||||
}
|
||||
|
||||
private function createNextReviewAction(): Actions\Action
|
||||
@ -342,39 +319,4 @@ private function archiveReviewAction(): Actions\Action
|
||||
->preserveVisibility()
|
||||
->apply();
|
||||
}
|
||||
|
||||
private function isCustomerWorkspaceView(): bool
|
||||
{
|
||||
return request()->boolean(CustomerReviewWorkspace::DETAIL_CONTEXT_QUERY_KEY);
|
||||
}
|
||||
|
||||
private function auditCustomerWorkspaceOpen(): void
|
||||
{
|
||||
if (! $this->isCustomerWorkspaceView()) {
|
||||
return;
|
||||
}
|
||||
|
||||
$user = auth()->user();
|
||||
$tenant = $this->record->tenant;
|
||||
|
||||
if (! $user instanceof User || ! $tenant instanceof Tenant) {
|
||||
return;
|
||||
}
|
||||
|
||||
app(WorkspaceAuditLogger::class)->log(
|
||||
workspace: $tenant->workspace,
|
||||
action: AuditActionId::TenantReviewOpened,
|
||||
context: [
|
||||
'metadata' => [
|
||||
'review_id' => (int) $this->record->getKey(),
|
||||
'source_surface' => 'customer_review_workspace',
|
||||
],
|
||||
],
|
||||
actor: $user,
|
||||
resourceType: 'tenant_review',
|
||||
resourceId: (string) $this->record->getKey(),
|
||||
targetLabel: sprintf('Tenant review #%d', (int) $this->record->getKey()),
|
||||
tenant: $tenant,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
@ -6,8 +6,6 @@
|
||||
|
||||
use App\Filament\System\Widgets\ControlTowerHealthIndicator;
|
||||
use App\Filament\System\Widgets\ControlTowerKpis;
|
||||
use App\Filament\System\Widgets\CustomerHealthKpis;
|
||||
use App\Filament\System\Widgets\CustomerHealthTopWorkspaces;
|
||||
use App\Filament\System\Widgets\ProductTelemetryKpis;
|
||||
use App\Filament\System\Widgets\ControlTowerRecentFailures;
|
||||
use App\Filament\System\Widgets\ControlTowerTopOffenders;
|
||||
@ -64,12 +62,6 @@ public function getWidgets(): array
|
||||
{
|
||||
return [
|
||||
ControlTowerHealthIndicator::class,
|
||||
new WidgetConfiguration(CustomerHealthKpis::class, [
|
||||
'window' => $this->window,
|
||||
]),
|
||||
new WidgetConfiguration(CustomerHealthTopWorkspaces::class, [
|
||||
'window' => $this->window,
|
||||
]),
|
||||
new WidgetConfiguration(ControlTowerKpis::class, [
|
||||
'window' => $this->window,
|
||||
]),
|
||||
|
||||
@ -1,144 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\System\Pages\Directory\Concerns;
|
||||
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
use App\Support\Badges\BadgeRenderer;
|
||||
use App\Support\CustomerHealth\CustomerHealthDimensionCatalog;
|
||||
use App\Support\SystemConsole\SystemConsoleWindow;
|
||||
|
||||
trait BuildsCustomerHealthDecisionData
|
||||
{
|
||||
/**
|
||||
* @param array{
|
||||
* overall_level: string,
|
||||
* dimensions: array<string, array{label: string, level: string, windowed: bool}>,
|
||||
* dominant_dimension_keys: list<string>
|
||||
* } $summary
|
||||
* @return array{
|
||||
* overall: array{label: string, color: string, icon: string|null},
|
||||
* reason: string,
|
||||
* impact: string,
|
||||
* recommended_action: string,
|
||||
* dominant_dimensions: list<array{label: string, color: string, icon: string|null}>,
|
||||
* window_label: string
|
||||
* }
|
||||
*/
|
||||
protected function buildCustomerHealthDecision(array $summary, SystemConsoleWindow $window, string $surface): array
|
||||
{
|
||||
$overallBadge = BadgeRenderer::spec(BadgeDomain::SystemHealth, $summary['overall_level']);
|
||||
|
||||
$dominantDimensions = collect($summary['dominant_dimension_keys'])
|
||||
->map(function (string $dimensionKey) use ($summary): ?array {
|
||||
$dimension = $summary['dimensions'][$dimensionKey] ?? null;
|
||||
|
||||
if (! is_array($dimension)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$badge = BadgeRenderer::spec(BadgeDomain::SystemHealth, $dimension['level']);
|
||||
|
||||
return [
|
||||
'label' => $dimension['label'],
|
||||
'color' => $badge->color,
|
||||
'icon' => $badge->icon,
|
||||
];
|
||||
})
|
||||
->filter()
|
||||
->take(2)
|
||||
->values()
|
||||
->all();
|
||||
|
||||
$dominantLabels = array_map(static fn (array $dimension): string => $dimension['label'], $dominantDimensions);
|
||||
$primaryDimension = $summary['dominant_dimension_keys'][0] ?? null;
|
||||
|
||||
return [
|
||||
'overall' => [
|
||||
'label' => $overallBadge->label,
|
||||
'color' => $overallBadge->color,
|
||||
'icon' => $overallBadge->icon,
|
||||
],
|
||||
'reason' => $this->customerHealthReason($dominantLabels),
|
||||
'impact' => $this->customerHealthImpact($summary['overall_level'], $primaryDimension),
|
||||
'recommended_action' => $this->customerHealthRecommendedAction($summary['overall_level'], $primaryDimension, $surface),
|
||||
'dominant_dimensions' => $dominantDimensions,
|
||||
'window_label' => SystemConsoleWindow::options()[$window->value] ?? 'Last 24 hours',
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param list<string> $dominantLabels
|
||||
*/
|
||||
protected function customerHealthReason(array $dominantLabels): string
|
||||
{
|
||||
if ($dominantLabels === []) {
|
||||
return 'No active health drivers are pressuring this workspace right now.';
|
||||
}
|
||||
|
||||
$labelPrefix = count($dominantLabels) === 1 ? 'Top driver' : 'Top drivers';
|
||||
|
||||
return $labelPrefix.': '.implode(', ', $dominantLabels);
|
||||
}
|
||||
|
||||
protected function customerHealthImpact(string $overallLevel, ?string $primaryDimension): string
|
||||
{
|
||||
if ($overallLevel === 'ok') {
|
||||
return 'Tracked onboarding, provider, operational, governance, review-pack, and engagement signals are currently stable.';
|
||||
}
|
||||
|
||||
if ($overallLevel === 'unknown') {
|
||||
return 'Some required health truth is missing or stale, so this workspace cannot be treated as healthy yet.';
|
||||
}
|
||||
|
||||
return match ($primaryDimension) {
|
||||
CustomerHealthDimensionCatalog::ONBOARDING_READINESS => $overallLevel === 'critical'
|
||||
? 'Onboarding readiness is blocked, so this workspace cannot be treated as operationally ready.'
|
||||
: 'Onboarding readiness still needs follow-up before this workspace can be treated as fully stable.',
|
||||
CustomerHealthDimensionCatalog::PROVIDER_CONNECTION_HEALTH => $overallLevel === 'critical'
|
||||
? 'Default provider consent or verification is blocking reliable tenant management.'
|
||||
: 'Provider connectivity has degraded and may impact reliable tenant management.',
|
||||
CustomerHealthDimensionCatalog::OPERATIONAL_STABILITY => $overallLevel === 'critical'
|
||||
? 'Failed or stuck operations are actively putting delivery at risk.'
|
||||
: 'Recent operational noise is starting to erode delivery confidence.',
|
||||
CustomerHealthDimensionCatalog::GOVERNANCE_PRESSURE => $overallLevel === 'critical'
|
||||
? 'High-severity or expired governance pressure needs immediate review.'
|
||||
: 'Governance pressure is active and should be reviewed before it escalates.',
|
||||
CustomerHealthDimensionCatalog::REVIEW_PACK_READINESS => $overallLevel === 'critical'
|
||||
? 'Recent review-pack work is unusable or expired, so review readiness is blocked.'
|
||||
: 'Review-pack readiness is incomplete, so recent review evidence may not be usable yet.',
|
||||
CustomerHealthDimensionCatalog::ENGAGEMENT_FRESHNESS => $overallLevel === 'critical'
|
||||
? 'Recent product activity is missing, which suggests active usage may be deteriorating.'
|
||||
: 'Recent product activity is thinning out and may indicate adoption drift.',
|
||||
default => $overallLevel === 'critical'
|
||||
? 'This workspace needs immediate operator follow-up.'
|
||||
: 'This workspace needs follow-up soon to prevent further drift.',
|
||||
};
|
||||
}
|
||||
|
||||
protected function customerHealthRecommendedAction(string $overallLevel, ?string $primaryDimension, string $surface): string
|
||||
{
|
||||
if ($overallLevel === 'ok') {
|
||||
return 'Continue normal monitoring from the system dashboard.';
|
||||
}
|
||||
|
||||
return match ($primaryDimension) {
|
||||
CustomerHealthDimensionCatalog::ONBOARDING_READINESS => $surface === 'tenant'
|
||||
? 'Confirm the tenant onboarding state with the responsible tenant admin and clear the blocking step.'
|
||||
: 'Open the affected tenant below and confirm which onboarding step is blocked.',
|
||||
CustomerHealthDimensionCatalog::PROVIDER_CONNECTION_HEALTH => $surface === 'tenant'
|
||||
? 'Review connectivity signals below and confirm the default provider consent and verification state.'
|
||||
: 'Open the affected tenant below and review the default provider connection state.',
|
||||
CustomerHealthDimensionCatalog::OPERATIONAL_STABILITY => 'Review recent operations below and triage failed or stuck runs first.',
|
||||
CustomerHealthDimensionCatalog::GOVERNANCE_PRESSURE => $surface === 'tenant'
|
||||
? 'Review governance findings or exception pressure for this tenant before proceeding.'
|
||||
: 'Open the affected tenant below and review governance findings or exceptions.',
|
||||
CustomerHealthDimensionCatalog::REVIEW_PACK_READINESS => 'Check recent review-pack activity and confirm that a usable pack exists for the current window.',
|
||||
CustomerHealthDimensionCatalog::ENGAGEMENT_FRESHNESS => $surface === 'tenant'
|
||||
? 'Confirm whether missing recent product activity is expected for this tenant.'
|
||||
: 'Confirm whether missing recent product activity is expected across this workspace.',
|
||||
default => 'Review the diagnostics below to confirm which source truth needs operator follow-up.',
|
||||
};
|
||||
}
|
||||
}
|
||||
@ -4,25 +4,20 @@
|
||||
|
||||
namespace App\Filament\System\Pages\Directory;
|
||||
|
||||
use App\Filament\System\Pages\Directory\Concerns\BuildsCustomerHealthDecisionData;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\PlatformUser;
|
||||
use App\Models\ProviderConnection;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantPermission;
|
||||
use App\Support\Auth\PlatformCapabilities;
|
||||
use App\Support\CustomerHealth\WorkspaceHealthSummaryQuery;
|
||||
use App\Support\OperationCatalog;
|
||||
use App\Support\System\SystemDirectoryLinks;
|
||||
use App\Support\System\SystemOperationRunLinks;
|
||||
use App\Support\SystemConsole\SystemConsoleWindow;
|
||||
use Filament\Pages\Page;
|
||||
use Illuminate\Support\Collection;
|
||||
|
||||
class ViewTenant extends Page
|
||||
{
|
||||
use BuildsCustomerHealthDecisionData;
|
||||
|
||||
protected static bool $shouldRegisterNavigation = false;
|
||||
|
||||
protected static ?string $slug = 'directory/tenants/{tenant}';
|
||||
@ -107,26 +102,4 @@ public function runsUrl(): string
|
||||
{
|
||||
return SystemOperationRunLinks::index();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* overall: array{label: string, color: string, icon: string|null},
|
||||
* reason: string,
|
||||
* impact: string,
|
||||
* recommended_action: string,
|
||||
* dominant_dimensions: list<array{label: string, color: string, icon: string|null}>,
|
||||
* window_label: string
|
||||
* }|null
|
||||
*/
|
||||
public function customerHealthDecision(): ?array
|
||||
{
|
||||
$window = SystemConsoleWindow::fromNullable(request()->query('window'));
|
||||
$summary = app(WorkspaceHealthSummaryQuery::class)->summaryForWorkspace((int) $this->tenant->workspace_id, $window);
|
||||
|
||||
if (! is_array($summary)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $this->buildCustomerHealthDecision($summary, $window, 'tenant');
|
||||
}
|
||||
}
|
||||
|
||||
@ -4,25 +4,19 @@
|
||||
|
||||
namespace App\Filament\System\Pages\Directory;
|
||||
|
||||
use App\Filament\System\Pages\Directory\Concerns\BuildsCustomerHealthDecisionData;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\PlatformUser;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\Workspace;
|
||||
use App\Services\Entitlements\WorkspaceEntitlementResolver;
|
||||
use App\Support\Auth\PlatformCapabilities;
|
||||
use App\Support\CustomerHealth\WorkspaceHealthSummaryQuery;
|
||||
use App\Support\OperationCatalog;
|
||||
use App\Support\System\SystemDirectoryLinks;
|
||||
use App\Support\System\SystemOperationRunLinks;
|
||||
use App\Support\SystemConsole\SystemConsoleWindow;
|
||||
use Filament\Pages\Page;
|
||||
use Illuminate\Support\Collection;
|
||||
|
||||
class ViewWorkspace extends Page
|
||||
{
|
||||
use BuildsCustomerHealthDecisionData;
|
||||
|
||||
protected static bool $shouldRegisterNavigation = false;
|
||||
|
||||
protected static ?string $slug = 'directory/workspaces/{workspace}';
|
||||
@ -85,34 +79,4 @@ public function runsUrl(): string
|
||||
{
|
||||
return SystemOperationRunLinks::index();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
public function workspaceEntitlementSummary(): array
|
||||
{
|
||||
return app(WorkspaceEntitlementResolver::class)->summary($this->workspace);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* overall: array{label: string, color: string, icon: string|null},
|
||||
* reason: string,
|
||||
* impact: string,
|
||||
* recommended_action: string,
|
||||
* dominant_dimensions: list<array{label: string, color: string, icon: string|null}>,
|
||||
* window_label: string
|
||||
* }|null
|
||||
*/
|
||||
public function customerHealthDecision(): ?array
|
||||
{
|
||||
$window = SystemConsoleWindow::fromNullable(request()->query('window'));
|
||||
$summary = app(WorkspaceHealthSummaryQuery::class)->summaryForWorkspace($this->workspace, $window);
|
||||
|
||||
if (! is_array($summary)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $this->buildCustomerHealthDecision($summary, $window, 'workspace');
|
||||
}
|
||||
}
|
||||
|
||||
@ -80,9 +80,6 @@ protected function getHeaderActions(): array
|
||||
$this->pauseRestoreExecuteAction(),
|
||||
$this->resumeRestoreExecuteAction(),
|
||||
$this->viewHistoryRestoreExecuteAction(),
|
||||
$this->pauseAiExecutionAction(),
|
||||
$this->resumeAiExecutionAction(),
|
||||
$this->viewHistoryAiExecutionAction(),
|
||||
];
|
||||
}
|
||||
|
||||
@ -202,21 +199,6 @@ public function viewHistoryRestoreExecuteAction(): Action
|
||||
return $this->historyActionFor('restore.execute');
|
||||
}
|
||||
|
||||
public function pauseAiExecutionAction(): Action
|
||||
{
|
||||
return $this->pauseActionFor('ai.execution');
|
||||
}
|
||||
|
||||
public function resumeAiExecutionAction(): Action
|
||||
{
|
||||
return $this->resumeActionFor('ai.execution');
|
||||
}
|
||||
|
||||
public function viewHistoryAiExecutionAction(): Action
|
||||
{
|
||||
return $this->historyActionFor('ai.execution');
|
||||
}
|
||||
|
||||
private function pauseActionFor(string $controlKey): Action
|
||||
{
|
||||
$label = app(OperationalControlCatalog::class)->label($controlKey);
|
||||
@ -231,7 +213,7 @@ private function pauseActionFor(string $controlKey): Action
|
||||
->form($this->pauseFormSchema($controlKey))
|
||||
->action(function (array $data, AuditRecorder $auditRecorder, WorkspaceAuditLogger $workspaceAuditLogger) use ($controlKey, $label): void {
|
||||
$actor = $this->controlsActor();
|
||||
[$scopeType, $workspace, $reasonText, $expiresAt] = $this->normalizePauseInput($controlKey, $data);
|
||||
[$scopeType, $workspace, $reasonText, $expiresAt] = $this->normalizePauseInput($data);
|
||||
|
||||
$scopeQuery = $this->activationScopeQuery($controlKey, $scopeType, $workspace);
|
||||
|
||||
@ -291,7 +273,7 @@ private function resumeActionFor(string $controlKey): Action
|
||||
->form($this->resumeFormSchema($controlKey))
|
||||
->action(function (array $data, AuditRecorder $auditRecorder, WorkspaceAuditLogger $workspaceAuditLogger) use ($controlKey, $label): void {
|
||||
$actor = $this->controlsActor();
|
||||
[$scopeType, $workspace] = $this->normalizeResumeInput($controlKey, $data);
|
||||
[$scopeType, $workspace] = $this->normalizeResumeInput($data);
|
||||
|
||||
$activation = $this->activationScopeQuery($controlKey, $scopeType, $workspace)
|
||||
->notExpired()
|
||||
@ -349,8 +331,11 @@ private function pauseFormSchema(string $controlKey): array
|
||||
return [
|
||||
Radio::make('scope_type')
|
||||
->label('Scope')
|
||||
->options($this->scopeOptions($controlKey))
|
||||
->default($this->defaultScopeFor($controlKey))
|
||||
->options([
|
||||
'global' => 'Global',
|
||||
'workspace' => 'One workspace',
|
||||
])
|
||||
->default('global')
|
||||
->live()
|
||||
->required(),
|
||||
|
||||
@ -410,8 +395,11 @@ private function resumeFormSchema(string $controlKey): array
|
||||
return [
|
||||
Radio::make('scope_type')
|
||||
->label('Scope')
|
||||
->options($this->scopeOptions($controlKey))
|
||||
->default($this->defaultScopeFor($controlKey))
|
||||
->options([
|
||||
'global' => 'Global',
|
||||
'workspace' => 'One workspace',
|
||||
])
|
||||
->default('global')
|
||||
->live()
|
||||
->required(),
|
||||
|
||||
@ -468,9 +456,9 @@ private function controlsActor(): PlatformUser
|
||||
/**
|
||||
* @return array{0: string, 1: ?Workspace, 2: string, 3: ?CarbonInterface}
|
||||
*/
|
||||
private function normalizePauseInput(string $controlKey, array $data): array
|
||||
private function normalizePauseInput(array $data): array
|
||||
{
|
||||
[$scopeType, $workspace] = $this->resolveScopeInput($controlKey, $data);
|
||||
[$scopeType, $workspace] = $this->resolveScopeInput($data);
|
||||
$reasonText = trim((string) ($data['reason_text'] ?? ''));
|
||||
|
||||
if ($reasonText === '') {
|
||||
@ -497,20 +485,19 @@ private function normalizePauseInput(string $controlKey, array $data): array
|
||||
/**
|
||||
* @return array{0: string, 1: ?Workspace}
|
||||
*/
|
||||
private function normalizeResumeInput(string $controlKey, array $data): array
|
||||
private function normalizeResumeInput(array $data): array
|
||||
{
|
||||
return $this->resolveScopeInput($controlKey, $data);
|
||||
return $this->resolveScopeInput($data);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{0: string, 1: ?Workspace}
|
||||
*/
|
||||
private function resolveScopeInput(string $controlKey, array $data): array
|
||||
private function resolveScopeInput(array $data): array
|
||||
{
|
||||
$scopeType = (string) ($data['scope_type'] ?? 'global');
|
||||
$supportedScopes = app(OperationalControlCatalog::class)->definition($controlKey)['supported_scopes'] ?? ['global'];
|
||||
|
||||
if (! in_array($scopeType, $supportedScopes, true)) {
|
||||
if (! in_array($scopeType, ['global', 'workspace'], true)) {
|
||||
throw ValidationException::withMessages([
|
||||
'scope_type' => 'Invalid scope selected.',
|
||||
]);
|
||||
@ -539,26 +526,6 @@ private function resolveScopeInput(string $controlKey, array $data): array
|
||||
return [$scopeType, $workspace];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
private function scopeOptions(string $controlKey): array
|
||||
{
|
||||
$supportedScopes = app(OperationalControlCatalog::class)->definition($controlKey)['supported_scopes'];
|
||||
|
||||
return Arr::only([
|
||||
'global' => 'Global',
|
||||
'workspace' => 'One workspace',
|
||||
], $supportedScopes);
|
||||
}
|
||||
|
||||
private function defaultScopeFor(string $controlKey): string
|
||||
{
|
||||
$supportedScopes = app(OperationalControlCatalog::class)->definition($controlKey)['supported_scopes'];
|
||||
|
||||
return $supportedScopes[0] ?? 'global';
|
||||
}
|
||||
|
||||
private function activationScopeQuery(string $controlKey, string $scopeType, ?Workspace $workspace): \Illuminate\Database\Eloquent\Builder
|
||||
{
|
||||
$query = OperationalControlActivation::query()
|
||||
|
||||
@ -1,46 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\System\Widgets;
|
||||
|
||||
use App\Support\CustomerHealth\WorkspaceHealthSummaryQuery;
|
||||
use App\Support\SystemConsole\SystemConsoleWindow;
|
||||
use Filament\Widgets\StatsOverviewWidget;
|
||||
use Filament\Widgets\StatsOverviewWidget\Stat;
|
||||
|
||||
class CustomerHealthKpis extends StatsOverviewWidget
|
||||
{
|
||||
protected static bool $isLazy = false;
|
||||
|
||||
protected ?string $heading = 'Customer health';
|
||||
|
||||
protected int|string|array $columnSpan = 'full';
|
||||
|
||||
public ?string $window = null;
|
||||
|
||||
/**
|
||||
* @return array<Stat>
|
||||
*/
|
||||
protected function getStats(): array
|
||||
{
|
||||
$window = SystemConsoleWindow::fromNullable($this->window ?? (string) request()->query('window'));
|
||||
$windowLabel = SystemConsoleWindow::options()[$window->value] ?? 'Last 24 hours';
|
||||
$counts = app(WorkspaceHealthSummaryQuery::class)->healthCounts($window);
|
||||
|
||||
return [
|
||||
Stat::make('Healthy', $counts['ok'])
|
||||
->description(sprintf('Operational stability, review-pack readiness, and engagement freshness honor %s.', $windowLabel))
|
||||
->color($counts['ok'] > 0 ? 'success' : 'gray'),
|
||||
Stat::make('Warning', $counts['warn'])
|
||||
->description('Onboarding readiness, provider health, and governance pressure stay point-in-time.')
|
||||
->color($counts['warn'] > 0 ? 'warning' : 'gray'),
|
||||
Stat::make('Critical', $counts['critical'])
|
||||
->description('Overall workspace health is derived from existing system truth only.')
|
||||
->color($counts['critical'] > 0 ? 'danger' : 'gray'),
|
||||
Stat::make('Unknown', $counts['unknown'])
|
||||
->description('Missing or stale inputs stay explicit instead of silently reading healthy.')
|
||||
->color('gray'),
|
||||
];
|
||||
}
|
||||
}
|
||||
@ -1,137 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\System\Widgets;
|
||||
|
||||
use App\Models\PlatformUser;
|
||||
use App\Support\Auth\PlatformCapabilities;
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
use App\Support\Badges\BadgeRenderer;
|
||||
use App\Support\CustomerHealth\WorkspaceHealthSummaryQuery;
|
||||
use App\Support\SystemConsole\SystemConsoleWindow;
|
||||
use App\Support\System\SystemOperationRunLinks;
|
||||
use Filament\Widgets\Widget;
|
||||
|
||||
class CustomerHealthTopWorkspaces extends Widget
|
||||
{
|
||||
protected static bool $isLazy = false;
|
||||
|
||||
protected int|string|array $columnSpan = 'full';
|
||||
|
||||
protected string $view = 'filament.system.widgets.customer-health-top-workspaces';
|
||||
|
||||
public ?string $window = null;
|
||||
|
||||
public static function canView(): bool
|
||||
{
|
||||
$user = auth('platform')->user();
|
||||
|
||||
if (! $user instanceof PlatformUser) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($user->hasCapability(PlatformCapabilities::DIRECTORY_VIEW)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (! static::canOpenRuns($user)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$window = SystemConsoleWindow::fromNullable((string) request()->query('window'));
|
||||
|
||||
return app(WorkspaceHealthSummaryQuery::class)
|
||||
->attentionNeeded($window, 10)
|
||||
->contains(fn (array $summary): bool => static::canAccessNextLink($summary['next_link'], $user));
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
protected function getViewData(): array
|
||||
{
|
||||
$window = SystemConsoleWindow::fromNullable($this->window ?? (string) request()->query('window'));
|
||||
$windowLabel = SystemConsoleWindow::options()[$window->value] ?? 'Last 24 hours';
|
||||
$user = auth('platform')->user();
|
||||
|
||||
return [
|
||||
'windowLabel' => $windowLabel,
|
||||
'rows' => app(WorkspaceHealthSummaryQuery::class)
|
||||
->attentionNeeded($window, 10)
|
||||
->filter(fn (array $summary): bool => $user instanceof PlatformUser && static::canAccessNextLink($summary['next_link'], $user))
|
||||
->map(fn (array $summary): array => $this->presentSummary($summary)),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array{label: string, url: string} $nextLink
|
||||
*/
|
||||
private static function canAccessNextLink(array $nextLink, PlatformUser $user): bool
|
||||
{
|
||||
if ($user->hasCapability(PlatformCapabilities::DIRECTORY_VIEW)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return static::canOpenRuns($user)
|
||||
&& $nextLink['url'] === SystemOperationRunLinks::index();
|
||||
}
|
||||
|
||||
private static function canOpenRuns(PlatformUser $user): bool
|
||||
{
|
||||
return $user->hasCapability(PlatformCapabilities::OPERATIONS_VIEW)
|
||||
|| ($user->hasCapability(PlatformCapabilities::OPS_VIEW) && $user->hasCapability(PlatformCapabilities::RUNBOOKS_VIEW));
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array{
|
||||
* workspace_id: int,
|
||||
* workspace_name: string,
|
||||
* overall_level: string,
|
||||
* dimensions: array<string, array{label: string, level: string, windowed: bool}>,
|
||||
* dominant_dimension_keys: list<string>,
|
||||
* non_ok_dimension_count: int,
|
||||
* next_link: array{label: string, url: string}
|
||||
* } $summary
|
||||
* @return array{
|
||||
* workspace_id: int,
|
||||
* workspace_label: string,
|
||||
* overall: array{label: string, color: string, icon: ?string},
|
||||
* dominant_copy: string,
|
||||
* dominant_dimensions: list<array{label: string, color: string, icon: ?string}>,
|
||||
* next_link: array{label: string, url: string}
|
||||
* }
|
||||
*/
|
||||
private function presentSummary(array $summary): array
|
||||
{
|
||||
$dominantDimensions = collect($summary['dominant_dimension_keys'])
|
||||
->take(2)
|
||||
->map(function (string $dimensionKey) use ($summary): array {
|
||||
$dimension = $summary['dimensions'][$dimensionKey];
|
||||
$badge = BadgeRenderer::spec(BadgeDomain::SystemHealth, $dimension['level']);
|
||||
|
||||
return [
|
||||
'label' => $dimension['label'],
|
||||
'color' => $badge->color,
|
||||
'icon' => $badge->icon,
|
||||
];
|
||||
})
|
||||
->values()
|
||||
->all();
|
||||
|
||||
$overallBadge = BadgeRenderer::spec(BadgeDomain::SystemHealth, $summary['overall_level']);
|
||||
|
||||
return [
|
||||
'workspace_id' => $summary['workspace_id'],
|
||||
'workspace_label' => $summary['workspace_name'],
|
||||
'overall' => [
|
||||
'label' => $overallBadge->label,
|
||||
'color' => $overallBadge->color,
|
||||
'icon' => $overallBadge->icon,
|
||||
],
|
||||
'dominant_copy' => implode(', ', array_column($dominantDimensions, 'label')),
|
||||
'dominant_dimensions' => $dominantDimensions,
|
||||
'next_link' => $summary['next_link'],
|
||||
];
|
||||
}
|
||||
}
|
||||
@ -4,8 +4,6 @@
|
||||
|
||||
namespace App\Filament\Widgets\Tenant;
|
||||
|
||||
use App\Exceptions\Entitlements\WorkspaceEntitlementBlockedException;
|
||||
use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\Tenant;
|
||||
@ -20,7 +18,6 @@
|
||||
use App\Support\ReviewPackStatus;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Facades\Filament;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Widgets\Widget;
|
||||
|
||||
class TenantReviewPackCard extends Widget
|
||||
@ -69,18 +66,6 @@ public function generatePack(bool $includePii = true, bool $includeOperations =
|
||||
/** @var ReviewPackService $service */
|
||||
$service = app(ReviewPackService::class);
|
||||
|
||||
$decision = $service->reviewPackGenerationDecisionForTenant($tenant);
|
||||
|
||||
if ((bool) ($decision['is_blocked'] ?? false)) {
|
||||
Notification::make()
|
||||
->title('Review pack generation unavailable')
|
||||
->body((string) ($decision['block_reason'] ?? 'Workspace entitlement currently blocks review pack generation.'))
|
||||
->warning()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$activeRun = $service->checkActiveRun($tenant)
|
||||
? OperationRun::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
@ -105,20 +90,10 @@ public function generatePack(bool $includePii = true, bool $includeOperations =
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
$reviewPack = $service->generate($tenant, $user, [
|
||||
'include_pii' => $includePii,
|
||||
'include_operations' => $includeOperations,
|
||||
]);
|
||||
} catch (WorkspaceEntitlementBlockedException $exception) {
|
||||
Notification::make()
|
||||
->title('Review pack generation unavailable')
|
||||
->body($exception->getMessage())
|
||||
->warning()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$runUrl = $reviewPack->operationRun
|
||||
? OperationRunLinks::tenantlessView($reviewPack->operationRun)
|
||||
@ -155,14 +130,6 @@ protected function getViewData(): array
|
||||
$isTenantMember = $user instanceof User && $user->canAccessTenant($tenant);
|
||||
$canView = $isTenantMember && $user->can(Capabilities::REVIEW_PACK_VIEW, $tenant);
|
||||
$canManage = $isTenantMember && $user->can(Capabilities::REVIEW_PACK_MANAGE, $tenant);
|
||||
$service = app(ReviewPackService::class);
|
||||
$generationEntitlement = $canManage
|
||||
? $service->reviewPackGenerationDecisionForTenant($tenant)
|
||||
: null;
|
||||
$generationBlocked = (bool) ($generationEntitlement['is_blocked'] ?? false);
|
||||
$generationBlockReason = is_string($generationEntitlement['block_reason'] ?? null)
|
||||
? $generationEntitlement['block_reason']
|
||||
: null;
|
||||
|
||||
$latestPack = ReviewPack::query()
|
||||
->with(['tenantReview', 'operationRun'])
|
||||
@ -179,9 +146,6 @@ protected function getViewData(): array
|
||||
'pollingInterval' => null,
|
||||
'canView' => $canView,
|
||||
'canManage' => $canManage,
|
||||
'generationBlocked' => $generationBlocked,
|
||||
'generationBlockReason' => $generationBlockReason,
|
||||
'customerWorkspaceUrl' => $canView ? CustomerReviewWorkspace::tenantPrefilterUrl($tenant) : null,
|
||||
'downloadUrl' => null,
|
||||
'failedReason' => null,
|
||||
'reviewUrl' => null,
|
||||
@ -230,9 +194,6 @@ protected function getViewData(): array
|
||||
'pollingInterval' => self::resolvePollingInterval($latestPack),
|
||||
'canView' => $canView,
|
||||
'canManage' => $canManage,
|
||||
'generationBlocked' => $generationBlocked,
|
||||
'generationBlockReason' => $generationBlockReason,
|
||||
'customerWorkspaceUrl' => $canView ? CustomerReviewWorkspace::tenantPrefilterUrl($tenant) : null,
|
||||
'downloadUrl' => $downloadUrl,
|
||||
'failedReason' => $failedReason,
|
||||
'failedReasonDetail' => $failedReasonDetail,
|
||||
@ -263,9 +224,6 @@ private function emptyState(): array
|
||||
'pollingInterval' => null,
|
||||
'canView' => false,
|
||||
'canManage' => false,
|
||||
'generationBlocked' => false,
|
||||
'generationBlockReason' => null,
|
||||
'customerWorkspaceUrl' => null,
|
||||
'downloadUrl' => null,
|
||||
'failedReason' => null,
|
||||
'failedReasonDetail' => null,
|
||||
|
||||
@ -4,12 +4,7 @@
|
||||
|
||||
namespace App\Http\Controllers;
|
||||
|
||||
use App\Models\Tenant;
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\User;
|
||||
use App\Services\Audit\WorkspaceAuditLogger;
|
||||
use App\Support\Audit\AuditActionId;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\ReviewPackStatus;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Facades\Storage;
|
||||
@ -20,21 +15,6 @@ class ReviewPackDownloadController extends Controller
|
||||
{
|
||||
public function __invoke(Request $request, ReviewPack $reviewPack): StreamedResponse
|
||||
{
|
||||
$user = $request->user();
|
||||
$tenant = $reviewPack->tenant;
|
||||
|
||||
if (! $user instanceof User || ! $tenant instanceof Tenant) {
|
||||
throw new NotFoundHttpException;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
throw new NotFoundHttpException;
|
||||
}
|
||||
|
||||
if (! $user->can(Capabilities::REVIEW_PACK_VIEW, $tenant)) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
if ($reviewPack->status !== ReviewPackStatus::Ready->value) {
|
||||
throw new NotFoundHttpException;
|
||||
}
|
||||
@ -49,26 +29,7 @@ public function __invoke(Request $request, ReviewPack $reviewPack): StreamedResp
|
||||
throw new NotFoundHttpException;
|
||||
}
|
||||
|
||||
app(WorkspaceAuditLogger::class)->log(
|
||||
workspace: $tenant->workspace,
|
||||
action: AuditActionId::ReviewPackDownloaded,
|
||||
context: [
|
||||
'metadata' => [
|
||||
'review_pack_id' => (int) $reviewPack->getKey(),
|
||||
'tenant_review_id' => $reviewPack->tenant_review_id !== null
|
||||
? (int) $reviewPack->tenant_review_id
|
||||
: null,
|
||||
'source_surface' => (string) $request->query('source_surface', 'review_pack'),
|
||||
],
|
||||
],
|
||||
actor: $user,
|
||||
resourceType: 'review_pack',
|
||||
resourceId: (string) $reviewPack->getKey(),
|
||||
targetLabel: sprintf('Review pack #%d', (int) $reviewPack->getKey()),
|
||||
tenant: $tenant,
|
||||
operationRunId: $reviewPack->operation_run_id,
|
||||
);
|
||||
|
||||
$tenant = $reviewPack->tenant;
|
||||
$filename = sprintf(
|
||||
'review-pack-%s-%s.zip',
|
||||
$tenant?->external_id ?? 'unknown',
|
||||
|
||||
@ -1,121 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Models;
|
||||
|
||||
use App\Support\Concerns\DerivesWorkspaceIdFromTenant;
|
||||
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
||||
|
||||
class SupportRequest extends Model
|
||||
{
|
||||
use DerivesWorkspaceIdFromTenant;
|
||||
|
||||
/** @use HasFactory<\Database\Factories\SupportRequestFactory> */
|
||||
use HasFactory;
|
||||
|
||||
public const string PRIMARY_CONTEXT_TENANT = 'tenant';
|
||||
|
||||
public const string PRIMARY_CONTEXT_OPERATION_RUN = 'operation_run';
|
||||
|
||||
public const string ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED = 'diagnostic_snapshot_attached';
|
||||
|
||||
public const string ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY = 'canonical_context_only';
|
||||
|
||||
public const string SEVERITY_LOW = 'low';
|
||||
|
||||
public const string SEVERITY_NORMAL = 'normal';
|
||||
|
||||
public const string SEVERITY_HIGH = 'high';
|
||||
|
||||
public const string SEVERITY_BLOCKING = 'blocking';
|
||||
|
||||
protected $guarded = [];
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
protected function casts(): array
|
||||
{
|
||||
return [
|
||||
'context_envelope' => 'array',
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
public static function severityOptions(): array
|
||||
{
|
||||
return [
|
||||
self::SEVERITY_LOW => 'Low',
|
||||
self::SEVERITY_NORMAL => 'Normal',
|
||||
self::SEVERITY_HIGH => 'High',
|
||||
self::SEVERITY_BLOCKING => 'Blocking',
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
public static function severityValues(): array
|
||||
{
|
||||
return array_keys(self::severityOptions());
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
public static function primaryContextTypes(): array
|
||||
{
|
||||
return [
|
||||
self::PRIMARY_CONTEXT_TENANT,
|
||||
self::PRIMARY_CONTEXT_OPERATION_RUN,
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
public static function attachmentModes(): array
|
||||
{
|
||||
return [
|
||||
self::ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED,
|
||||
self::ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY,
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Workspace, $this>
|
||||
*/
|
||||
public function workspace(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Workspace::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Tenant, $this>
|
||||
*/
|
||||
public function tenant(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Tenant::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<OperationRun, $this>
|
||||
*/
|
||||
public function operationRun(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(OperationRun::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<User, $this>
|
||||
*/
|
||||
public function initiator(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(User::class, 'initiated_by_user_id');
|
||||
}
|
||||
}
|
||||
@ -12,7 +12,6 @@
|
||||
use App\Filament\Pages\Monitoring\FindingExceptionsQueue;
|
||||
use App\Filament\Pages\NoAccess;
|
||||
use App\Filament\Pages\Reviews\ReviewRegister;
|
||||
use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
|
||||
use App\Filament\Pages\Settings\WorkspaceSettings;
|
||||
use App\Filament\Pages\TenantRequiredPermissions;
|
||||
use App\Filament\Pages\WorkspaceOverview;
|
||||
@ -184,7 +183,6 @@ public function panel(Panel $panel): Panel
|
||||
FindingsIntakeQueue::class,
|
||||
MyFindingsInbox::class,
|
||||
FindingExceptionsQueue::class,
|
||||
CustomerReviewWorkspace::class,
|
||||
ReviewRegister::class,
|
||||
])
|
||||
->widgets([
|
||||
|
||||
@ -4,10 +4,9 @@
|
||||
|
||||
namespace App\Services\Audit;
|
||||
|
||||
use App\Models\Tenant;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\PlatformUser;
|
||||
use App\Models\SupportRequest;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Support\Audit\AuditActionId;
|
||||
@ -15,7 +14,6 @@
|
||||
use App\Support\Audit\AuditActorType;
|
||||
use App\Support\Audit\AuditTargetSnapshot;
|
||||
use Carbon\CarbonImmutable;
|
||||
use InvalidArgumentException;
|
||||
|
||||
class WorkspaceAuditLogger
|
||||
{
|
||||
@ -138,39 +136,4 @@ public function logSupportDiagnosticsOpened(
|
||||
tenant: $tenant,
|
||||
);
|
||||
}
|
||||
|
||||
public function logSupportRequestCreated(
|
||||
SupportRequest $supportRequest,
|
||||
User|PlatformUser|null $actor = null,
|
||||
): \App\Models\AuditLog {
|
||||
$supportRequest->loadMissing(['tenant.workspace']);
|
||||
|
||||
$tenant = $supportRequest->tenant;
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
throw new InvalidArgumentException('Support requests must belong to a tenant.');
|
||||
}
|
||||
|
||||
return $this->log(
|
||||
workspace: $tenant->workspace,
|
||||
action: AuditActionId::SupportRequestCreated,
|
||||
context: [
|
||||
'internal_reference' => $supportRequest->internal_reference,
|
||||
'primary_context_type' => $supportRequest->primary_context_type,
|
||||
'primary_context_id' => $supportRequest->primary_context_type === SupportRequest::PRIMARY_CONTEXT_OPERATION_RUN
|
||||
? (string) $supportRequest->operation_run_id
|
||||
: (string) $tenant->getKey(),
|
||||
'attachment_mode' => $supportRequest->attachment_mode,
|
||||
'redaction_mode' => (string) data_get($supportRequest->context_envelope, 'redaction_mode', 'default_redacted'),
|
||||
],
|
||||
actor: $actor,
|
||||
status: 'success',
|
||||
resourceType: 'support_request',
|
||||
resourceId: (string) $supportRequest->getKey(),
|
||||
targetLabel: $supportRequest->internal_reference,
|
||||
summary: 'Support request created for '.$supportRequest->internal_reference,
|
||||
operationRunId: $supportRequest->operation_run_id !== null ? (int) $supportRequest->operation_run_id : null,
|
||||
tenant: $tenant,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
@ -20,7 +20,6 @@ class RoleCapabilityMap
|
||||
Capabilities::TENANT_DELETE,
|
||||
Capabilities::TENANT_SYNC,
|
||||
Capabilities::SUPPORT_DIAGNOSTICS_VIEW,
|
||||
Capabilities::SUPPORT_REQUESTS_CREATE,
|
||||
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
||||
Capabilities::TENANT_FINDINGS_VIEW,
|
||||
Capabilities::TENANT_FINDINGS_TRIAGE,
|
||||
@ -66,7 +65,6 @@ class RoleCapabilityMap
|
||||
Capabilities::TENANT_MANAGE,
|
||||
Capabilities::TENANT_SYNC,
|
||||
Capabilities::SUPPORT_DIAGNOSTICS_VIEW,
|
||||
Capabilities::SUPPORT_REQUESTS_CREATE,
|
||||
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
||||
Capabilities::TENANT_FINDINGS_VIEW,
|
||||
Capabilities::TENANT_FINDINGS_TRIAGE,
|
||||
@ -108,7 +106,6 @@ class RoleCapabilityMap
|
||||
Capabilities::TENANT_VIEW,
|
||||
Capabilities::TENANT_SYNC,
|
||||
Capabilities::SUPPORT_DIAGNOSTICS_VIEW,
|
||||
Capabilities::SUPPORT_REQUESTS_CREATE,
|
||||
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
||||
Capabilities::TENANT_FINDINGS_VIEW,
|
||||
Capabilities::TENANT_FINDINGS_TRIAGE,
|
||||
|
||||
@ -1,327 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Services\Entitlements;
|
||||
|
||||
use App\Models\Tenant;
|
||||
use App\Models\Workspace;
|
||||
use App\Models\WorkspaceSetting;
|
||||
use App\Services\Settings\SettingsResolver;
|
||||
use Carbon\CarbonInterface;
|
||||
|
||||
final class WorkspaceEntitlementResolver
|
||||
{
|
||||
public const SETTING_DOMAIN = 'entitlements';
|
||||
|
||||
public const SETTING_PLAN_PROFILE = 'plan_profile';
|
||||
|
||||
public const SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_VALUE = 'managed_tenant_limit_override_value';
|
||||
|
||||
public const SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_REASON = 'managed_tenant_limit_override_reason';
|
||||
|
||||
public const SETTING_REVIEW_PACK_GENERATION_OVERRIDE_VALUE = 'review_pack_generation_override_value';
|
||||
|
||||
public const SETTING_REVIEW_PACK_GENERATION_OVERRIDE_REASON = 'review_pack_generation_override_reason';
|
||||
|
||||
public const KEY_MANAGED_TENANT_ACTIVATION_LIMIT = 'managed_tenant_activation_limit';
|
||||
|
||||
public const KEY_REVIEW_PACK_GENERATION_ENABLED = 'review_pack_generation_enabled';
|
||||
|
||||
public function __construct(
|
||||
private SettingsResolver $settingsResolver,
|
||||
private WorkspacePlanProfileCatalog $planProfileCatalog,
|
||||
) {}
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* plan_profile: array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool},
|
||||
* decisions: array<string, array{
|
||||
* workspace_id: int,
|
||||
* plan_profile_id: string,
|
||||
* plan_profile_label: string,
|
||||
* plan_profile_description: string,
|
||||
* key: string,
|
||||
* effective_value: int|bool,
|
||||
* source: 'plan_profile_default'|'workspace_override',
|
||||
* rationale: string|null,
|
||||
* current_usage: int|null,
|
||||
* remaining_capacity: int|null,
|
||||
* is_blocked: bool,
|
||||
* block_reason: string|null,
|
||||
* last_changed_at: CarbonInterface|null,
|
||||
* last_changed_by: string|null
|
||||
* }>
|
||||
* }
|
||||
*/
|
||||
public function summary(Workspace $workspace): array
|
||||
{
|
||||
$planProfile = $this->resolvePlanProfile($workspace);
|
||||
|
||||
return [
|
||||
'plan_profile' => $planProfile,
|
||||
'decisions' => [
|
||||
self::KEY_MANAGED_TENANT_ACTIVATION_LIMIT => $this->resolve($workspace, self::KEY_MANAGED_TENANT_ACTIVATION_LIMIT, $planProfile),
|
||||
self::KEY_REVIEW_PACK_GENERATION_ENABLED => $this->resolve($workspace, self::KEY_REVIEW_PACK_GENERATION_ENABLED, $planProfile),
|
||||
],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}
|
||||
*/
|
||||
public function resolvePlanProfile(Workspace $workspace): array
|
||||
{
|
||||
$planProfileId = $this->settingsResolver->resolveValue(
|
||||
workspace: $workspace,
|
||||
domain: self::SETTING_DOMAIN,
|
||||
key: self::SETTING_PLAN_PROFILE,
|
||||
);
|
||||
|
||||
return $this->planProfileCatalog->resolve(is_string($planProfileId) ? $planProfileId : null);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}|null $planProfile
|
||||
* @return array{
|
||||
* workspace_id: int,
|
||||
* plan_profile_id: string,
|
||||
* plan_profile_label: string,
|
||||
* plan_profile_description: string,
|
||||
* key: string,
|
||||
* effective_value: int|bool,
|
||||
* source: 'plan_profile_default'|'workspace_override',
|
||||
* rationale: string|null,
|
||||
* current_usage: int|null,
|
||||
* remaining_capacity: int|null,
|
||||
* is_blocked: bool,
|
||||
* block_reason: string|null,
|
||||
* last_changed_at: CarbonInterface|null,
|
||||
* last_changed_by: string|null
|
||||
* }
|
||||
*/
|
||||
public function resolve(Workspace $workspace, string $key, ?array $planProfile = null): array
|
||||
{
|
||||
$planProfile ??= $this->resolvePlanProfile($workspace);
|
||||
$lastChanged = $this->lastChangedMetadata($workspace);
|
||||
|
||||
return match ($key) {
|
||||
self::KEY_MANAGED_TENANT_ACTIVATION_LIMIT => $this->resolveManagedTenantActivationLimitDecision($workspace, $planProfile, $lastChanged),
|
||||
self::KEY_REVIEW_PACK_GENERATION_ENABLED => $this->resolveReviewPackGenerationDecision($workspace, $planProfile, $lastChanged),
|
||||
default => throw new \InvalidArgumentException(sprintf('Unknown workspace entitlement key: %s', $key)),
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool} $planProfile
|
||||
* @param array{last_changed_at: CarbonInterface|null, last_changed_by: string|null} $lastChanged
|
||||
* @return array{
|
||||
* workspace_id: int,
|
||||
* plan_profile_id: string,
|
||||
* plan_profile_label: string,
|
||||
* plan_profile_description: string,
|
||||
* key: string,
|
||||
* effective_value: int,
|
||||
* source: 'plan_profile_default'|'workspace_override',
|
||||
* rationale: string|null,
|
||||
* current_usage: int,
|
||||
* remaining_capacity: int,
|
||||
* is_blocked: bool,
|
||||
* block_reason: string|null,
|
||||
* last_changed_at: CarbonInterface|null,
|
||||
* last_changed_by: string|null
|
||||
* }
|
||||
*/
|
||||
private function resolveManagedTenantActivationLimitDecision(Workspace $workspace, array $planProfile, array $lastChanged): array
|
||||
{
|
||||
$overrideValue = $this->settingsResolver->resolveDetailed(
|
||||
workspace: $workspace,
|
||||
domain: self::SETTING_DOMAIN,
|
||||
key: self::SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_VALUE,
|
||||
);
|
||||
|
||||
$overrideReason = $this->settingsResolver->resolveValue(
|
||||
workspace: $workspace,
|
||||
domain: self::SETTING_DOMAIN,
|
||||
key: self::SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_REASON,
|
||||
);
|
||||
|
||||
$effectiveValue = is_int($overrideValue['value'])
|
||||
? $overrideValue['value']
|
||||
: (int) $planProfile['managed_tenant_limit_default'];
|
||||
|
||||
$source = $overrideValue['source'] === 'workspace_override'
|
||||
? 'workspace_override'
|
||||
: 'plan_profile_default';
|
||||
|
||||
$currentUsage = Tenant::activeQuery()
|
||||
->where('workspace_id', (int) $workspace->getKey())
|
||||
->count();
|
||||
|
||||
$remainingCapacity = $effectiveValue - $currentUsage;
|
||||
$isBlocked = $currentUsage >= $effectiveValue;
|
||||
$rationale = $source === 'workspace_override'
|
||||
? (is_string($overrideReason) && $overrideReason !== '' ? $overrideReason : null)
|
||||
: (string) $planProfile['description'];
|
||||
|
||||
return [
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'plan_profile_id' => (string) $planProfile['id'],
|
||||
'plan_profile_label' => (string) $planProfile['label'],
|
||||
'plan_profile_description' => (string) $planProfile['description'],
|
||||
'key' => self::KEY_MANAGED_TENANT_ACTIVATION_LIMIT,
|
||||
'effective_value' => $effectiveValue,
|
||||
'source' => $source,
|
||||
'rationale' => $rationale,
|
||||
'current_usage' => $currentUsage,
|
||||
'remaining_capacity' => $remainingCapacity,
|
||||
'is_blocked' => $isBlocked,
|
||||
'block_reason' => $isBlocked
|
||||
? $this->managedTenantLimitBlockReason($currentUsage, $effectiveValue, $source, $planProfile, $rationale)
|
||||
: null,
|
||||
'last_changed_at' => $lastChanged['last_changed_at'],
|
||||
'last_changed_by' => $lastChanged['last_changed_by'],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool} $planProfile
|
||||
* @param array{last_changed_at: CarbonInterface|null, last_changed_by: string|null} $lastChanged
|
||||
* @return array{
|
||||
* workspace_id: int,
|
||||
* plan_profile_id: string,
|
||||
* plan_profile_label: string,
|
||||
* plan_profile_description: string,
|
||||
* key: string,
|
||||
* effective_value: bool,
|
||||
* source: 'plan_profile_default'|'workspace_override',
|
||||
* rationale: string|null,
|
||||
* current_usage: null,
|
||||
* remaining_capacity: null,
|
||||
* is_blocked: bool,
|
||||
* block_reason: string|null,
|
||||
* last_changed_at: CarbonInterface|null,
|
||||
* last_changed_by: string|null
|
||||
* }
|
||||
*/
|
||||
private function resolveReviewPackGenerationDecision(Workspace $workspace, array $planProfile, array $lastChanged): array
|
||||
{
|
||||
$overrideValue = $this->settingsResolver->resolveDetailed(
|
||||
workspace: $workspace,
|
||||
domain: self::SETTING_DOMAIN,
|
||||
key: self::SETTING_REVIEW_PACK_GENERATION_OVERRIDE_VALUE,
|
||||
);
|
||||
|
||||
$overrideReason = $this->settingsResolver->resolveValue(
|
||||
workspace: $workspace,
|
||||
domain: self::SETTING_DOMAIN,
|
||||
key: self::SETTING_REVIEW_PACK_GENERATION_OVERRIDE_REASON,
|
||||
);
|
||||
|
||||
$effectiveValue = is_bool($overrideValue['value'])
|
||||
? $overrideValue['value']
|
||||
: (bool) $planProfile['review_pack_generation_default'];
|
||||
|
||||
$source = $overrideValue['source'] === 'workspace_override'
|
||||
? 'workspace_override'
|
||||
: 'plan_profile_default';
|
||||
|
||||
$rationale = $source === 'workspace_override'
|
||||
? (is_string($overrideReason) && $overrideReason !== '' ? $overrideReason : null)
|
||||
: (string) $planProfile['description'];
|
||||
|
||||
return [
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'plan_profile_id' => (string) $planProfile['id'],
|
||||
'plan_profile_label' => (string) $planProfile['label'],
|
||||
'plan_profile_description' => (string) $planProfile['description'],
|
||||
'key' => self::KEY_REVIEW_PACK_GENERATION_ENABLED,
|
||||
'effective_value' => $effectiveValue,
|
||||
'source' => $source,
|
||||
'rationale' => $rationale,
|
||||
'current_usage' => null,
|
||||
'remaining_capacity' => null,
|
||||
'is_blocked' => ! $effectiveValue,
|
||||
'block_reason' => $effectiveValue
|
||||
? null
|
||||
: $this->reviewPackGenerationBlockReason($source, $planProfile, $rationale),
|
||||
'last_changed_at' => $lastChanged['last_changed_at'],
|
||||
'last_changed_by' => $lastChanged['last_changed_by'],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{last_changed_at: CarbonInterface|null, last_changed_by: string|null}
|
||||
*/
|
||||
private function lastChangedMetadata(Workspace $workspace): array
|
||||
{
|
||||
$record = WorkspaceSetting::query()
|
||||
->where('workspace_id', (int) $workspace->getKey())
|
||||
->where('domain', self::SETTING_DOMAIN)
|
||||
->whereIn('key', [
|
||||
self::SETTING_PLAN_PROFILE,
|
||||
self::SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_VALUE,
|
||||
self::SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_REASON,
|
||||
self::SETTING_REVIEW_PACK_GENERATION_OVERRIDE_VALUE,
|
||||
self::SETTING_REVIEW_PACK_GENERATION_OVERRIDE_REASON,
|
||||
])
|
||||
->whereNotNull('updated_by_user_id')
|
||||
->with('updatedByUser:id,name')
|
||||
->latest('updated_at')
|
||||
->latest('id')
|
||||
->first();
|
||||
|
||||
if (! $record instanceof WorkspaceSetting) {
|
||||
return [
|
||||
'last_changed_at' => null,
|
||||
'last_changed_by' => null,
|
||||
];
|
||||
}
|
||||
|
||||
return [
|
||||
'last_changed_at' => $record->updated_at,
|
||||
'last_changed_by' => $record->updatedByUser?->name,
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool} $planProfile
|
||||
*/
|
||||
private function managedTenantLimitBlockReason(int $currentUsage, int $effectiveValue, string $source, array $planProfile, ?string $rationale): string
|
||||
{
|
||||
$prefix = $source === 'workspace_override'
|
||||
? 'This workspace override currently allows'
|
||||
: sprintf('The %s plan profile currently allows', $planProfile['label']);
|
||||
|
||||
$message = sprintf(
|
||||
'%s %d active managed tenant%s, and this workspace already has %d active managed tenant%s.',
|
||||
$prefix,
|
||||
$effectiveValue,
|
||||
$effectiveValue === 1 ? '' : 's',
|
||||
$currentUsage,
|
||||
$currentUsage === 1 ? '' : 's',
|
||||
);
|
||||
|
||||
if ($source === 'workspace_override' && $rationale !== null) {
|
||||
$message .= ' Reason: '.$rationale;
|
||||
}
|
||||
|
||||
return $message;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool} $planProfile
|
||||
*/
|
||||
private function reviewPackGenerationBlockReason(string $source, array $planProfile, ?string $rationale): string
|
||||
{
|
||||
$message = $source === 'workspace_override'
|
||||
? 'Review pack generation is disabled by workspace override.'
|
||||
: sprintf('Review pack generation is disabled by the %s plan profile.', $planProfile['label']);
|
||||
|
||||
if ($source === 'workspace_override' && $rationale !== null) {
|
||||
$message .= ' Reason: '.$rationale;
|
||||
}
|
||||
|
||||
return $message;
|
||||
}
|
||||
}
|
||||
@ -1,104 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Services\Entitlements;
|
||||
|
||||
final class WorkspacePlanProfileCatalog
|
||||
{
|
||||
/**
|
||||
* @var array<string, array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}>
|
||||
*/
|
||||
private const PROFILES = [
|
||||
'starter' => [
|
||||
'id' => 'starter',
|
||||
'label' => 'Starter',
|
||||
'description' => 'Minimal allowance for early workspace access and low-volume operations.',
|
||||
'managed_tenant_limit_default' => 1,
|
||||
'review_pack_generation_default' => false,
|
||||
'is_default' => false,
|
||||
],
|
||||
'standard' => [
|
||||
'id' => 'standard',
|
||||
'label' => 'Standard',
|
||||
'description' => 'Balanced defaults for most managed workspaces.',
|
||||
'managed_tenant_limit_default' => 25,
|
||||
'review_pack_generation_default' => true,
|
||||
'is_default' => true,
|
||||
],
|
||||
'scale' => [
|
||||
'id' => 'scale',
|
||||
'label' => 'Scale',
|
||||
'description' => 'Higher managed-tenant capacity for larger workspace portfolios.',
|
||||
'managed_tenant_limit_default' => 100,
|
||||
'review_pack_generation_default' => true,
|
||||
'is_default' => false,
|
||||
],
|
||||
];
|
||||
|
||||
/**
|
||||
* @return list<array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}>
|
||||
*/
|
||||
public function all(): array
|
||||
{
|
||||
return array_values(self::PROFILES);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}
|
||||
*/
|
||||
public function default(): array
|
||||
{
|
||||
return self::PROFILES[self::defaultProfileId()];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}|null
|
||||
*/
|
||||
public function find(?string $id): ?array
|
||||
{
|
||||
if ($id === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return self::PROFILES[$id] ?? null;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{id: string, label: string, description: string, managed_tenant_limit_default: int, review_pack_generation_default: bool, is_default: bool}
|
||||
*/
|
||||
public function resolve(?string $id): array
|
||||
{
|
||||
return $this->find($id) ?? $this->default();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
public function optionLabels(): array
|
||||
{
|
||||
return array_map(
|
||||
static fn (array $profile): string => $profile['label'],
|
||||
self::PROFILES,
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
public static function profileIds(): array
|
||||
{
|
||||
return array_keys(self::PROFILES);
|
||||
}
|
||||
|
||||
public static function defaultProfileId(): string
|
||||
{
|
||||
foreach (self::PROFILES as $id => $profile) {
|
||||
if ($profile['is_default']) {
|
||||
return $id;
|
||||
}
|
||||
}
|
||||
|
||||
throw new \RuntimeException('Workspace plan profile catalog is missing a default profile.');
|
||||
}
|
||||
}
|
||||
@ -4,7 +4,6 @@
|
||||
|
||||
namespace App\Services;
|
||||
|
||||
use App\Exceptions\Entitlements\WorkspaceEntitlementBlockedException;
|
||||
use App\Exceptions\ReviewPackEvidenceResolutionException;
|
||||
use App\Jobs\GenerateReviewPackJob;
|
||||
use App\Models\EvidenceSnapshot;
|
||||
@ -14,7 +13,6 @@
|
||||
use App\Models\TenantReview;
|
||||
use App\Models\User;
|
||||
use App\Services\Audit\WorkspaceAuditLogger;
|
||||
use App\Services\Entitlements\WorkspaceEntitlementResolver;
|
||||
use App\Services\Evidence\EvidenceResolutionRequest;
|
||||
use App\Services\Evidence\EvidenceSnapshotResolver;
|
||||
use App\Support\Audit\AuditActionId;
|
||||
@ -30,7 +28,6 @@ public function __construct(
|
||||
private OperationRunService $operationRunService,
|
||||
private EvidenceSnapshotResolver $snapshotResolver,
|
||||
private WorkspaceAuditLogger $auditLogger,
|
||||
private WorkspaceEntitlementResolver $workspaceEntitlementResolver,
|
||||
private ProductTelemetryRecorder $productTelemetryRecorder,
|
||||
) {}
|
||||
|
||||
@ -52,8 +49,6 @@ public function __construct(
|
||||
*/
|
||||
public function generate(Tenant $tenant, User $user, array $options = []): ReviewPack
|
||||
{
|
||||
$this->assertReviewPackGenerationAllowed($tenant);
|
||||
|
||||
$options = $this->normalizeOptions($options);
|
||||
$snapshot = $this->resolveSnapshot($tenant);
|
||||
$fingerprint = $this->computeFingerprintForSnapshot($snapshot, $options);
|
||||
@ -143,8 +138,6 @@ public function generateFromReview(TenantReview $review, User $user, array $opti
|
||||
throw new \InvalidArgumentException('Review exports require an anchored evidence snapshot.');
|
||||
}
|
||||
|
||||
$this->assertReviewPackGenerationAllowed($tenant);
|
||||
|
||||
$options = $this->normalizeOptions($options);
|
||||
$fingerprint = $this->computeFingerprintForReview($review, $options);
|
||||
$existing = $this->findExistingPackForReview($review, $fingerprint);
|
||||
@ -234,31 +227,18 @@ public function computeFingerprint(Tenant $tenant, array $options): string
|
||||
|
||||
/**
|
||||
* Generate a signed download URL for a review pack.
|
||||
*
|
||||
* @param array<string, scalar|null> $parameters
|
||||
*/
|
||||
public function generateDownloadUrl(ReviewPack $pack, array $parameters = []): string
|
||||
public function generateDownloadUrl(ReviewPack $pack): string
|
||||
{
|
||||
$ttlMinutes = (int) config('tenantpilot.review_pack.download_url_ttl_minutes', 60);
|
||||
|
||||
return URL::signedRoute(
|
||||
'admin.review-packs.download',
|
||||
array_merge(['reviewPack' => $pack->getKey()], $parameters),
|
||||
['reviewPack' => $pack->getKey()],
|
||||
now()->addMinutes($ttlMinutes),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
public function reviewPackGenerationDecisionForTenant(Tenant $tenant): array
|
||||
{
|
||||
return $this->workspaceEntitlementResolver->resolve(
|
||||
$tenant->workspace,
|
||||
WorkspaceEntitlementResolver::KEY_REVIEW_PACK_GENERATION_ENABLED,
|
||||
);
|
||||
}
|
||||
|
||||
private function recordReviewPackRequestTelemetry(ReviewPack $reviewPack, User $user, string $sourceSurface): void
|
||||
{
|
||||
$this->productTelemetryRecorder->record(
|
||||
@ -334,17 +314,6 @@ private function normalizeOptions(array $options): array
|
||||
];
|
||||
}
|
||||
|
||||
private function assertReviewPackGenerationAllowed(Tenant $tenant): void
|
||||
{
|
||||
$decision = $this->reviewPackGenerationDecisionForTenant($tenant);
|
||||
|
||||
if (! (bool) ($decision['is_blocked'] ?? false)) {
|
||||
return;
|
||||
}
|
||||
|
||||
throw new WorkspaceEntitlementBlockedException($decision);
|
||||
}
|
||||
|
||||
private function computeFingerprintForSnapshot(EvidenceSnapshot $snapshot, array $options): string
|
||||
{
|
||||
$data = [
|
||||
|
||||
@ -12,7 +12,6 @@
|
||||
use App\Services\Auth\RoleCapabilityMap;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Support\Facades\DB;
|
||||
|
||||
final class TenantReviewRegisterService
|
||||
{
|
||||
@ -44,55 +43,6 @@ public function query(User $user, Workspace $workspace): Builder
|
||||
->latest('id');
|
||||
}
|
||||
|
||||
public function latestPublishedQuery(User $user, Workspace $workspace): Builder
|
||||
{
|
||||
$tenantIds = array_keys($this->authorizedTenants($user, $workspace));
|
||||
|
||||
$rankedReviews = TenantReview::query()
|
||||
->select([
|
||||
'tenant_reviews.id',
|
||||
'tenant_reviews.tenant_id',
|
||||
'tenant_reviews.published_at',
|
||||
'tenant_reviews.generated_at',
|
||||
])
|
||||
->selectRaw('ROW_NUMBER() OVER (PARTITION BY tenant_id ORDER BY published_at DESC, generated_at DESC, id DESC) as rn')
|
||||
->forWorkspace((int) $workspace->getKey())
|
||||
->whereIn('tenant_id', $tenantIds === [] ? [-1] : $tenantIds)
|
||||
->published();
|
||||
|
||||
$latestPublishedIds = DB::query()
|
||||
->fromSub($rankedReviews, 'ranked_tenant_reviews')
|
||||
->where('rn', 1)
|
||||
->select('id');
|
||||
|
||||
return TenantReview::query()
|
||||
->with(['tenant', 'evidenceSnapshot', 'currentExportReviewPack'])
|
||||
->forWorkspace((int) $workspace->getKey())
|
||||
->whereIn('tenant_reviews.id', $latestPublishedIds)
|
||||
->orderByDesc('published_at')
|
||||
->orderByDesc('generated_at')
|
||||
->orderByDesc('id');
|
||||
}
|
||||
|
||||
public function customerWorkspaceTenantQuery(User $user, Workspace $workspace): Builder
|
||||
{
|
||||
$tenantIds = array_keys($this->authorizedTenants($user, $workspace));
|
||||
|
||||
return Tenant::query()
|
||||
->where('workspace_id', (int) $workspace->getKey())
|
||||
->whereIn('id', $tenantIds === [] ? [-1] : $tenantIds)
|
||||
->with([
|
||||
'tenantReviews' => fn ($query) => $query
|
||||
->with(['tenant', 'evidenceSnapshot', 'currentExportReviewPack'])
|
||||
->published()
|
||||
->orderByDesc('published_at')
|
||||
->orderByDesc('generated_at')
|
||||
->orderByDesc('id')
|
||||
->limit(1),
|
||||
])
|
||||
->orderBy('name');
|
||||
}
|
||||
|
||||
public function canAccessWorkspace(User $user, Workspace $workspace): bool
|
||||
{
|
||||
return WorkspaceMembership::query()
|
||||
|
||||
@ -1,27 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\Ai;
|
||||
|
||||
enum AiDataClassification: string
|
||||
{
|
||||
case ProductKnowledge = 'product_knowledge';
|
||||
case OperationalMetadata = 'operational_metadata';
|
||||
case RedactedSupportSummary = 'redacted_support_summary';
|
||||
case PersonalData = 'personal_data';
|
||||
case CustomerConfidential = 'customer_confidential';
|
||||
case RawProviderPayload = 'raw_provider_payload';
|
||||
|
||||
public function label(): string
|
||||
{
|
||||
return match ($this) {
|
||||
self::ProductKnowledge => 'Product knowledge',
|
||||
self::OperationalMetadata => 'Operational metadata',
|
||||
self::RedactedSupportSummary => 'Redacted support summary',
|
||||
self::PersonalData => 'Personal data',
|
||||
self::CustomerConfidential => 'Customer confidential',
|
||||
self::RawProviderPayload => 'Raw provider payload',
|
||||
};
|
||||
}
|
||||
}
|
||||
@ -1,39 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\Ai;
|
||||
|
||||
final class AiDecisionAuditMetadataFactory
|
||||
{
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
public function make(AiExecutionRequest $request, AiExecutionDecision $decision): array
|
||||
{
|
||||
return array_filter([
|
||||
'use_case_key' => $decision->useCaseKey,
|
||||
'decision_outcome' => $decision->outcome,
|
||||
'decision_reason' => $decision->reasonCode->value,
|
||||
'workspace_ai_policy_mode' => $decision->workspaceAiPolicyMode,
|
||||
'requested_provider_class' => $decision->requestedProviderClass,
|
||||
'data_classifications' => $decision->dataClassifications,
|
||||
'source_family' => $decision->sourceFamily,
|
||||
'workspace_id' => $request->workspace?->getKey(),
|
||||
'tenant_id' => $request->tenant?->getKey(),
|
||||
'context_fingerprint' => $this->normalizedFingerprint($request->contextFingerprint),
|
||||
'matched_operational_control_scope' => $decision->matchedOperationalControlScope,
|
||||
], static fn (mixed $value): bool => $value !== null);
|
||||
}
|
||||
|
||||
private function normalizedFingerprint(?string $contextFingerprint): ?string
|
||||
{
|
||||
if (! is_string($contextFingerprint)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$normalized = trim($contextFingerprint);
|
||||
|
||||
return $normalized === '' ? null : $normalized;
|
||||
}
|
||||
}
|
||||
@ -1,18 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\Ai;
|
||||
|
||||
enum AiDecisionReasonCode: string
|
||||
{
|
||||
case Allowed = 'allowed';
|
||||
case MissingWorkspaceContext = 'missing_workspace_context';
|
||||
case TenantOutsideWorkspace = 'tenant_outside_workspace';
|
||||
case OperationalControlPaused = 'operational_control_paused';
|
||||
case WorkspacePolicyDisabled = 'workspace_policy_disabled';
|
||||
case UnregisteredUseCase = 'unregistered_use_case';
|
||||
case ProviderClassBlocked = 'provider_class_blocked';
|
||||
case DataClassificationBlocked = 'data_classification_blocked';
|
||||
case SourceFamilyMismatch = 'source_family_mismatch';
|
||||
}
|
||||
@ -1,37 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\Ai;
|
||||
|
||||
use App\Support\Audit\AuditActionId;
|
||||
|
||||
final readonly class AiExecutionDecision
|
||||
{
|
||||
/**
|
||||
* @param list<string> $dataClassifications
|
||||
* @param array<string, mixed> $auditMetadata
|
||||
*/
|
||||
public function __construct(
|
||||
public string $outcome,
|
||||
public AiDecisionReasonCode $reasonCode,
|
||||
public string $workspaceAiPolicyMode,
|
||||
public ?string $matchedOperationalControlScope,
|
||||
public string $useCaseKey,
|
||||
public string $requestedProviderClass,
|
||||
public array $dataClassifications,
|
||||
public string $sourceFamily,
|
||||
public AuditActionId $auditAction,
|
||||
public array $auditMetadata,
|
||||
) {}
|
||||
|
||||
public function isAllowed(): bool
|
||||
{
|
||||
return $this->outcome === 'allowed';
|
||||
}
|
||||
|
||||
public function isBlocked(): bool
|
||||
{
|
||||
return $this->outcome === 'blocked';
|
||||
}
|
||||
}
|
||||
@ -1,28 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\Ai;
|
||||
|
||||
use App\Models\PlatformUser;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
|
||||
final readonly class AiExecutionRequest
|
||||
{
|
||||
/**
|
||||
* @param list<string> $dataClassifications
|
||||
*/
|
||||
public function __construct(
|
||||
public ?Workspace $workspace,
|
||||
public ?Tenant $tenant,
|
||||
public User|PlatformUser|null $actor,
|
||||
public string $useCaseKey,
|
||||
public string $requestedProviderClass,
|
||||
public array $dataClassifications,
|
||||
public string $sourceFamily,
|
||||
public ?string $callerSurface = null,
|
||||
public ?string $contextFingerprint = null,
|
||||
) {}
|
||||
}
|
||||
@ -1,43 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\Ai;
|
||||
|
||||
enum AiPolicyMode: string
|
||||
{
|
||||
case Disabled = 'disabled';
|
||||
case PrivateOnly = 'private_only';
|
||||
|
||||
public function label(): string
|
||||
{
|
||||
return match ($this) {
|
||||
self::Disabled => 'Disabled',
|
||||
self::PrivateOnly => 'Private only',
|
||||
};
|
||||
}
|
||||
|
||||
public function summary(): string
|
||||
{
|
||||
return match ($this) {
|
||||
self::Disabled => 'No AI execution is allowed for this workspace.',
|
||||
self::PrivateOnly => 'Only approved internal drafts may use private-only AI for approved use cases.',
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
public static function optionLabels(): array
|
||||
{
|
||||
return array_reduce(
|
||||
self::cases(),
|
||||
static function (array $labels, self $mode): array {
|
||||
$labels[$mode->value] = $mode->label();
|
||||
|
||||
return $labels;
|
||||
},
|
||||
[],
|
||||
);
|
||||
}
|
||||
}
|
||||
@ -1,19 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\Ai;
|
||||
|
||||
enum AiProviderClass: string
|
||||
{
|
||||
case LocalPrivate = 'local_private';
|
||||
case ExternalPublic = 'external_public';
|
||||
|
||||
public function label(): string
|
||||
{
|
||||
return match ($this) {
|
||||
self::LocalPrivate => 'Local private',
|
||||
self::ExternalPublic => 'External public',
|
||||
};
|
||||
}
|
||||
}
|
||||
@ -1,126 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\Ai;
|
||||
|
||||
final class AiUseCaseCatalog
|
||||
{
|
||||
/**
|
||||
* @var array<string, array{
|
||||
* key: string,
|
||||
* label: string,
|
||||
* future_consumer: string,
|
||||
* visibility: string,
|
||||
* allowed_provider_classes: list<string>,
|
||||
* allowed_data_classifications: list<string>,
|
||||
* source_family: string,
|
||||
* tenant_context_permitted: bool
|
||||
* }>
|
||||
*/
|
||||
private const USE_CASES = [
|
||||
'product_knowledge.answer_draft' => [
|
||||
'key' => 'product_knowledge.answer_draft',
|
||||
'label' => 'Product knowledge answer draft',
|
||||
'future_consumer' => 'ContextualHelpResolver',
|
||||
'visibility' => 'internal_only_draft',
|
||||
'allowed_provider_classes' => [AiProviderClass::LocalPrivate->value],
|
||||
'allowed_data_classifications' => [
|
||||
AiDataClassification::ProductKnowledge->value,
|
||||
AiDataClassification::OperationalMetadata->value,
|
||||
],
|
||||
'source_family' => 'product_knowledge',
|
||||
'tenant_context_permitted' => false,
|
||||
],
|
||||
'support_diagnostics.summary_draft' => [
|
||||
'key' => 'support_diagnostics.summary_draft',
|
||||
'label' => 'Support diagnostics summary draft',
|
||||
'future_consumer' => 'SupportDiagnosticBundleBuilder',
|
||||
'visibility' => 'internal_only_draft',
|
||||
'allowed_provider_classes' => [AiProviderClass::LocalPrivate->value],
|
||||
'allowed_data_classifications' => [AiDataClassification::RedactedSupportSummary->value],
|
||||
'source_family' => 'support_diagnostics',
|
||||
'tenant_context_permitted' => true,
|
||||
],
|
||||
];
|
||||
|
||||
/**
|
||||
* @return list<array{
|
||||
* key: string,
|
||||
* label: string,
|
||||
* future_consumer: string,
|
||||
* visibility: string,
|
||||
* allowed_provider_classes: list<string>,
|
||||
* allowed_data_classifications: list<string>,
|
||||
* source_family: string,
|
||||
* tenant_context_permitted: bool
|
||||
* }>
|
||||
*/
|
||||
public function all(): array
|
||||
{
|
||||
return array_values(self::USE_CASES);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* key: string,
|
||||
* label: string,
|
||||
* future_consumer: string,
|
||||
* visibility: string,
|
||||
* allowed_provider_classes: list<string>,
|
||||
* allowed_data_classifications: list<string>,
|
||||
* source_family: string,
|
||||
* tenant_context_permitted: bool
|
||||
* }|null
|
||||
*/
|
||||
public function find(string $key): ?array
|
||||
{
|
||||
return self::USE_CASES[$key] ?? null;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
public function labels(): array
|
||||
{
|
||||
return array_map(
|
||||
static fn (array $definition): string => $definition['label'],
|
||||
$this->all(),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
public function allowedProviderClassLabelsForMode(AiPolicyMode $mode): array
|
||||
{
|
||||
if ($mode === AiPolicyMode::Disabled) {
|
||||
return [];
|
||||
}
|
||||
|
||||
$labels = [];
|
||||
|
||||
foreach ($this->all() as $definition) {
|
||||
foreach ($definition['allowed_provider_classes'] as $providerClass) {
|
||||
$labels[$providerClass] = AiProviderClass::from($providerClass)->label();
|
||||
}
|
||||
}
|
||||
|
||||
return array_values($labels);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
public function blockedDataClassificationLabels(): array
|
||||
{
|
||||
return array_map(
|
||||
static fn (AiDataClassification $classification): string => $classification->label(),
|
||||
[
|
||||
AiDataClassification::PersonalData,
|
||||
AiDataClassification::CustomerConfidential,
|
||||
AiDataClassification::RawProviderPayload,
|
||||
],
|
||||
);
|
||||
}
|
||||
}
|
||||
@ -1,181 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\Ai;
|
||||
|
||||
use App\Services\Audit\WorkspaceAuditLogger;
|
||||
use App\Services\Settings\SettingsResolver;
|
||||
use App\Support\Audit\AuditActionId;
|
||||
use App\Support\OperationalControls\OperationalControlEvaluator;
|
||||
|
||||
final class GovernedAiExecutionBoundary
|
||||
{
|
||||
public function __construct(
|
||||
private readonly AiUseCaseCatalog $useCaseCatalog,
|
||||
private readonly SettingsResolver $settingsResolver,
|
||||
private readonly OperationalControlEvaluator $operationalControls,
|
||||
private readonly AiDecisionAuditMetadataFactory $auditMetadataFactory,
|
||||
private readonly WorkspaceAuditLogger $workspaceAuditLogger,
|
||||
) {}
|
||||
|
||||
public function evaluate(AiExecutionRequest $request): AiExecutionDecision
|
||||
{
|
||||
$decision = $this->decisionFor($request);
|
||||
$metadata = $this->auditMetadataFactory->make($request, $decision);
|
||||
|
||||
$decision = new AiExecutionDecision(
|
||||
outcome: $decision->outcome,
|
||||
reasonCode: $decision->reasonCode,
|
||||
workspaceAiPolicyMode: $decision->workspaceAiPolicyMode,
|
||||
matchedOperationalControlScope: $decision->matchedOperationalControlScope,
|
||||
useCaseKey: $decision->useCaseKey,
|
||||
requestedProviderClass: $decision->requestedProviderClass,
|
||||
dataClassifications: $decision->dataClassifications,
|
||||
sourceFamily: $decision->sourceFamily,
|
||||
auditAction: $decision->auditAction,
|
||||
auditMetadata: $metadata,
|
||||
);
|
||||
|
||||
if ($request->workspace !== null) {
|
||||
$definition = $this->useCaseCatalog->find($request->useCaseKey);
|
||||
|
||||
$this->workspaceAuditLogger->log(
|
||||
workspace: $request->workspace,
|
||||
action: $decision->auditAction,
|
||||
context: ['metadata' => $decision->auditMetadata],
|
||||
actor: $request->actor,
|
||||
status: $decision->isAllowed() ? 'success' : 'blocked',
|
||||
resourceType: 'ai_use_case',
|
||||
resourceId: $request->useCaseKey,
|
||||
targetLabel: $definition['label'] ?? $request->useCaseKey,
|
||||
summary: 'AI execution decision evaluated',
|
||||
tenant: $request->tenant,
|
||||
);
|
||||
}
|
||||
|
||||
return $decision;
|
||||
}
|
||||
|
||||
private function decisionFor(AiExecutionRequest $request): AiExecutionDecision
|
||||
{
|
||||
if ($request->workspace === null) {
|
||||
return $this->blockedDecision(
|
||||
request: $request,
|
||||
reasonCode: AiDecisionReasonCode::MissingWorkspaceContext,
|
||||
workspaceAiPolicyMode: AiPolicyMode::Disabled->value,
|
||||
);
|
||||
}
|
||||
|
||||
if ($request->tenant !== null && (int) $request->tenant->workspace_id !== (int) $request->workspace->getKey()) {
|
||||
return $this->blockedDecision(
|
||||
request: $request,
|
||||
reasonCode: AiDecisionReasonCode::TenantOutsideWorkspace,
|
||||
workspaceAiPolicyMode: AiPolicyMode::Disabled->value,
|
||||
);
|
||||
}
|
||||
|
||||
$controlDecision = $this->operationalControls->evaluate('ai.execution', $request->workspace);
|
||||
|
||||
if ($controlDecision->isPaused()) {
|
||||
return $this->blockedDecision(
|
||||
request: $request,
|
||||
reasonCode: AiDecisionReasonCode::OperationalControlPaused,
|
||||
workspaceAiPolicyMode: $this->resolvedPolicyMode($request),
|
||||
matchedOperationalControlScope: $controlDecision->matchedScopeType,
|
||||
);
|
||||
}
|
||||
|
||||
$policyMode = $this->resolvedPolicyMode($request);
|
||||
|
||||
if ($policyMode === AiPolicyMode::Disabled->value) {
|
||||
return $this->blockedDecision(
|
||||
request: $request,
|
||||
reasonCode: AiDecisionReasonCode::WorkspacePolicyDisabled,
|
||||
workspaceAiPolicyMode: $policyMode,
|
||||
);
|
||||
}
|
||||
|
||||
$definition = $this->useCaseCatalog->find($request->useCaseKey);
|
||||
|
||||
if ($definition === null) {
|
||||
return $this->blockedDecision(
|
||||
request: $request,
|
||||
reasonCode: AiDecisionReasonCode::UnregisteredUseCase,
|
||||
workspaceAiPolicyMode: $policyMode,
|
||||
);
|
||||
}
|
||||
|
||||
if ($definition['source_family'] !== $request->sourceFamily) {
|
||||
return $this->blockedDecision(
|
||||
request: $request,
|
||||
reasonCode: AiDecisionReasonCode::SourceFamilyMismatch,
|
||||
workspaceAiPolicyMode: $policyMode,
|
||||
);
|
||||
}
|
||||
|
||||
if (! in_array($request->requestedProviderClass, $definition['allowed_provider_classes'], true)) {
|
||||
return $this->blockedDecision(
|
||||
request: $request,
|
||||
reasonCode: AiDecisionReasonCode::ProviderClassBlocked,
|
||||
workspaceAiPolicyMode: $policyMode,
|
||||
);
|
||||
}
|
||||
|
||||
foreach ($request->dataClassifications as $classification) {
|
||||
if (! in_array($classification, $definition['allowed_data_classifications'], true)) {
|
||||
return $this->blockedDecision(
|
||||
request: $request,
|
||||
reasonCode: AiDecisionReasonCode::DataClassificationBlocked,
|
||||
workspaceAiPolicyMode: $policyMode,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
return new AiExecutionDecision(
|
||||
outcome: 'allowed',
|
||||
reasonCode: AiDecisionReasonCode::Allowed,
|
||||
workspaceAiPolicyMode: $policyMode,
|
||||
matchedOperationalControlScope: null,
|
||||
useCaseKey: $request->useCaseKey,
|
||||
requestedProviderClass: $request->requestedProviderClass,
|
||||
dataClassifications: $request->dataClassifications,
|
||||
sourceFamily: $request->sourceFamily,
|
||||
auditAction: AuditActionId::AiExecutionDecisionEvaluated,
|
||||
auditMetadata: [],
|
||||
);
|
||||
}
|
||||
|
||||
private function resolvedPolicyMode(AiExecutionRequest $request): string
|
||||
{
|
||||
if ($request->workspace === null) {
|
||||
return AiPolicyMode::Disabled->value;
|
||||
}
|
||||
|
||||
$resolved = $this->settingsResolver->resolveValue($request->workspace, 'ai', 'policy_mode');
|
||||
|
||||
return is_string($resolved) && $resolved !== ''
|
||||
? $resolved
|
||||
: AiPolicyMode::Disabled->value;
|
||||
}
|
||||
|
||||
private function blockedDecision(
|
||||
AiExecutionRequest $request,
|
||||
AiDecisionReasonCode $reasonCode,
|
||||
string $workspaceAiPolicyMode,
|
||||
?string $matchedOperationalControlScope = null,
|
||||
): AiExecutionDecision {
|
||||
return new AiExecutionDecision(
|
||||
outcome: 'blocked',
|
||||
reasonCode: $reasonCode,
|
||||
workspaceAiPolicyMode: $workspaceAiPolicyMode,
|
||||
matchedOperationalControlScope: $matchedOperationalControlScope,
|
||||
useCaseKey: $request->useCaseKey,
|
||||
requestedProviderClass: $request->requestedProviderClass,
|
||||
dataClassifications: $request->dataClassifications,
|
||||
sourceFamily: $request->sourceFamily,
|
||||
auditAction: AuditActionId::AiExecutionDecisionEvaluated,
|
||||
auditMetadata: [],
|
||||
);
|
||||
}
|
||||
}
|
||||
@ -94,16 +94,12 @@ enum AuditActionId: string
|
||||
case TenantReviewRefreshed = 'tenant_review.refreshed';
|
||||
case TenantReviewPublished = 'tenant_review.published';
|
||||
case TenantReviewArchived = 'tenant_review.archived';
|
||||
case TenantReviewOpened = 'tenant_review.opened';
|
||||
case TenantReviewExported = 'tenant_review.exported';
|
||||
case TenantReviewSuccessorCreated = 'tenant_review.successor_created';
|
||||
case ReviewPackDownloaded = 'review_pack.downloaded';
|
||||
case TenantTriageReviewMarkedReviewed = 'tenant_triage_review.marked_reviewed';
|
||||
case TenantTriageReviewMarkedFollowUpNeeded = 'tenant_triage_review.marked_follow_up_needed';
|
||||
|
||||
case SupportDiagnosticsOpened = 'support_diagnostics.opened';
|
||||
case SupportRequestCreated = 'support_request.created';
|
||||
case AiExecutionDecisionEvaluated = 'ai_execution.decision_evaluated';
|
||||
case OperationalControlPaused = 'operational_control.paused';
|
||||
case OperationalControlUpdated = 'operational_control.updated';
|
||||
case OperationalControlResumed = 'operational_control.resumed';
|
||||
@ -240,15 +236,11 @@ private static function labels(): array
|
||||
self::TenantReviewRefreshed->value => 'Tenant review refreshed',
|
||||
self::TenantReviewPublished->value => 'Tenant review published',
|
||||
self::TenantReviewArchived->value => 'Tenant review archived',
|
||||
self::TenantReviewOpened->value => 'Tenant review opened',
|
||||
self::TenantReviewExported->value => 'Tenant review exported',
|
||||
self::TenantReviewSuccessorCreated->value => 'Tenant review next cycle created',
|
||||
self::ReviewPackDownloaded->value => 'Review pack downloaded',
|
||||
self::TenantTriageReviewMarkedReviewed->value => 'Triage review marked reviewed',
|
||||
self::TenantTriageReviewMarkedFollowUpNeeded->value => 'Triage review marked follow-up needed',
|
||||
self::SupportDiagnosticsOpened->value => 'Support diagnostics opened',
|
||||
self::SupportRequestCreated->value => 'Support request created',
|
||||
self::AiExecutionDecisionEvaluated->value => 'AI execution decision evaluated',
|
||||
self::OperationalControlPaused->value => 'Operational control paused',
|
||||
self::OperationalControlUpdated->value => 'Operational control updated',
|
||||
self::OperationalControlResumed->value => 'Operational control resumed',
|
||||
@ -332,13 +324,9 @@ private static function summaries(): array
|
||||
self::TenantReviewRefreshed->value => 'Tenant review refreshed',
|
||||
self::TenantReviewPublished->value => 'Tenant review published',
|
||||
self::TenantReviewArchived->value => 'Tenant review archived',
|
||||
self::TenantReviewOpened->value => 'Tenant review opened',
|
||||
self::TenantReviewExported->value => 'Tenant review exported',
|
||||
self::TenantReviewSuccessorCreated->value => 'Tenant review next cycle created',
|
||||
self::ReviewPackDownloaded->value => 'Review pack downloaded',
|
||||
self::SupportDiagnosticsOpened->value => 'Support diagnostics opened',
|
||||
self::SupportRequestCreated->value => 'Support request created',
|
||||
self::AiExecutionDecisionEvaluated->value => 'AI execution decision evaluated',
|
||||
self::OperationalControlPaused->value => 'Operational control paused',
|
||||
self::OperationalControlUpdated->value => 'Operational control updated',
|
||||
self::OperationalControlResumed->value => 'Operational control resumed',
|
||||
|
||||
@ -72,9 +72,6 @@ class Capabilities
|
||||
// Support diagnostics
|
||||
public const SUPPORT_DIAGNOSTICS_VIEW = 'support_diagnostics.view';
|
||||
|
||||
// Support requests
|
||||
public const SUPPORT_REQUESTS_CREATE = 'support_requests.create';
|
||||
|
||||
// Inventory
|
||||
public const TENANT_INVENTORY_SYNC_RUN = 'tenant_inventory_sync.run';
|
||||
|
||||
|
||||
@ -1,112 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\CustomerHealth;
|
||||
|
||||
use InvalidArgumentException;
|
||||
|
||||
final class CustomerHealthDimensionCatalog
|
||||
{
|
||||
public const string ONBOARDING_READINESS = 'onboarding_readiness';
|
||||
|
||||
public const string PROVIDER_CONNECTION_HEALTH = 'provider_connection_health';
|
||||
|
||||
public const string OPERATIONAL_STABILITY = 'operational_stability';
|
||||
|
||||
public const string GOVERNANCE_PRESSURE = 'governance_pressure';
|
||||
|
||||
public const string REVIEW_PACK_READINESS = 'review_pack_readiness';
|
||||
|
||||
public const string ENGAGEMENT_FRESHNESS = 'engagement_freshness';
|
||||
|
||||
/**
|
||||
* @var array<string, array{label: string, windowed: bool}>
|
||||
*/
|
||||
private const DEFINITIONS = [
|
||||
self::ONBOARDING_READINESS => [
|
||||
'label' => 'Onboarding readiness',
|
||||
'windowed' => false,
|
||||
],
|
||||
self::PROVIDER_CONNECTION_HEALTH => [
|
||||
'label' => 'Provider connection health',
|
||||
'windowed' => false,
|
||||
],
|
||||
self::OPERATIONAL_STABILITY => [
|
||||
'label' => 'Operational stability',
|
||||
'windowed' => true,
|
||||
],
|
||||
self::GOVERNANCE_PRESSURE => [
|
||||
'label' => 'Governance pressure',
|
||||
'windowed' => false,
|
||||
],
|
||||
self::REVIEW_PACK_READINESS => [
|
||||
'label' => 'Review-pack readiness',
|
||||
'windowed' => true,
|
||||
],
|
||||
self::ENGAGEMENT_FRESHNESS => [
|
||||
'label' => 'Engagement freshness',
|
||||
'windowed' => true,
|
||||
],
|
||||
];
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
public function names(): array
|
||||
{
|
||||
return array_keys(self::DEFINITIONS);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{label: string, windowed: bool}
|
||||
*/
|
||||
public function definition(string $dimension): array
|
||||
{
|
||||
$definition = self::DEFINITIONS[$dimension] ?? null;
|
||||
|
||||
if (! is_array($definition)) {
|
||||
throw new InvalidArgumentException("Unknown customer health dimension [{$dimension}].");
|
||||
}
|
||||
|
||||
return $definition;
|
||||
}
|
||||
|
||||
public function label(string $dimension): string
|
||||
{
|
||||
return $this->definition($dimension)['label'];
|
||||
}
|
||||
|
||||
public function isWindowed(string $dimension): bool
|
||||
{
|
||||
return $this->definition($dimension)['windowed'];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
public function visibleDimensions(): array
|
||||
{
|
||||
$dimensions = [];
|
||||
|
||||
foreach ($this->names() as $dimension) {
|
||||
$dimensions[$dimension] = $this->label($dimension);
|
||||
}
|
||||
|
||||
return $dimensions;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param list<string> $levels
|
||||
*/
|
||||
public function resolveOverallLevel(array $levels): string
|
||||
{
|
||||
foreach (['critical', 'warn', 'unknown'] as $level) {
|
||||
if (in_array($level, $levels, true)) {
|
||||
return $level;
|
||||
}
|
||||
}
|
||||
|
||||
return 'ok';
|
||||
}
|
||||
}
|
||||
@ -1,766 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\CustomerHealth;
|
||||
|
||||
use App\Models\Finding;
|
||||
use App\Models\FindingException;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\PlatformUser;
|
||||
use App\Models\ProductUsageEvent;
|
||||
use App\Models\ProviderConnection;
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantOnboardingSession;
|
||||
use App\Models\Workspace;
|
||||
use App\Support\Onboarding\OnboardingLifecycleState;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\Auth\PlatformCapabilities;
|
||||
use App\Support\ProductTelemetry\ProductUsageEventCatalog;
|
||||
use App\Support\Providers\ProviderConsentStatus;
|
||||
use App\Support\Providers\ProviderVerificationStatus;
|
||||
use App\Support\System\SystemDirectoryLinks;
|
||||
use App\Support\System\SystemOperationRunLinks;
|
||||
use App\Support\SystemConsole\StuckRunClassifier;
|
||||
use App\Support\SystemConsole\SystemConsoleWindow;
|
||||
use Carbon\CarbonImmutable;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Support\Collection;
|
||||
|
||||
final class WorkspaceHealthSummaryQuery
|
||||
{
|
||||
public function __construct(
|
||||
private readonly CustomerHealthDimensionCatalog $dimensionCatalog,
|
||||
private readonly StuckRunClassifier $stuckRunClassifier,
|
||||
) {}
|
||||
|
||||
/**
|
||||
* @return Collection<int, array{
|
||||
* workspace_id: int,
|
||||
* workspace_name: string,
|
||||
* overall_level: string,
|
||||
* dimensions: array<string, array{label: string, level: string, windowed: bool}>,
|
||||
* dominant_dimension_keys: list<string>,
|
||||
* non_ok_dimension_count: int,
|
||||
* next_link: array{label: string, url: string}
|
||||
* }>
|
||||
*/
|
||||
public function summaries(SystemConsoleWindow|string|null $window = null, ?CarbonImmutable $now = null): Collection
|
||||
{
|
||||
$resolvedWindow = $this->resolveWindow($window);
|
||||
$now ??= CarbonImmutable::now();
|
||||
$startAt = $resolvedWindow->startAt($now);
|
||||
|
||||
$workspaces = Workspace::query()
|
||||
->whereNull('archived_at')
|
||||
->orderBy('name')
|
||||
->orderBy('id')
|
||||
->get(['id', 'name']);
|
||||
|
||||
if ($workspaces->isEmpty()) {
|
||||
return collect();
|
||||
}
|
||||
|
||||
$workspaceIds = $workspaces
|
||||
->pluck('id')
|
||||
->map(static fn (mixed $workspaceId): int => (int) $workspaceId)
|
||||
->all();
|
||||
|
||||
$activeTenants = Tenant::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->whereNull('deleted_at')
|
||||
->where('status', '!=', Tenant::STATUS_ARCHIVED)
|
||||
->orderBy('name')
|
||||
->orderBy('id')
|
||||
->get(['id', 'workspace_id', 'external_id', 'name', 'status']);
|
||||
|
||||
$tenantsByWorkspace = $activeTenants->groupBy(static fn (Tenant $tenant): int => (int) $tenant->workspace_id);
|
||||
|
||||
$latestOnboardingSessions = TenantOnboardingSession::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
->orderByDesc('updated_at')
|
||||
->orderByDesc('id')
|
||||
->get(['id', 'workspace_id', 'tenant_id', 'lifecycle_state', 'updated_at', 'created_at'])
|
||||
->groupBy(static fn (TenantOnboardingSession $session): int => (int) $session->workspace_id)
|
||||
->map(static fn (Collection $sessions): ?TenantOnboardingSession => $sessions->first());
|
||||
|
||||
$providerConnectionsByWorkspace = ProviderConnection::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->where('is_default', true)
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
->orderByDesc('is_enabled')
|
||||
->orderBy('id')
|
||||
->get([
|
||||
'id',
|
||||
'workspace_id',
|
||||
'tenant_id',
|
||||
'is_enabled',
|
||||
'consent_status',
|
||||
'verification_status',
|
||||
])
|
||||
->groupBy(static fn (ProviderConnection $connection): int => (int) $connection->workspace_id);
|
||||
|
||||
$recentRunCounts = $this->groupedCounts(
|
||||
OperationRun::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->where('created_at', '>=', $startAt)
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
);
|
||||
|
||||
$recentFailedRunCounts = $this->groupedCounts(
|
||||
OperationRun::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->where('created_at', '>=', $startAt)
|
||||
->where('status', OperationRunStatus::Completed->value)
|
||||
->where('outcome', OperationRunOutcome::Failed->value)
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
);
|
||||
|
||||
$recentStuckRunCounts = $this->groupedCounts(
|
||||
$this->stuckRunClassifier->apply(
|
||||
OperationRun::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->where('created_at', '>=', $startAt)
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
}),
|
||||
$now,
|
||||
)
|
||||
);
|
||||
|
||||
$activeHighSeverityFindingCounts = $this->groupedCounts(
|
||||
Finding::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->whereIn('severity', Finding::highSeverityValues())
|
||||
->whereIn('status', Finding::openStatusesForQuery())
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
);
|
||||
|
||||
$anyGovernanceFindingCounts = $this->groupedCounts(
|
||||
Finding::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
);
|
||||
|
||||
$overdueHighSeverityFindingCounts = $this->groupedCounts(
|
||||
Finding::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->whereIn('severity', Finding::highSeverityValues())
|
||||
->whereIn('status', Finding::openStatusesForQuery())
|
||||
->whereNotNull('due_at')
|
||||
->where('due_at', '<', $now)
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
);
|
||||
|
||||
$warningExceptionCounts = $this->groupedCounts(
|
||||
FindingException::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->where(function (Builder $query): void {
|
||||
$query
|
||||
->whereIn('status', [
|
||||
FindingException::STATUS_PENDING,
|
||||
FindingException::STATUS_EXPIRING,
|
||||
])
|
||||
->orWhere('current_validity_state', FindingException::VALIDITY_EXPIRING);
|
||||
})
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
);
|
||||
|
||||
$criticalExceptionCounts = $this->groupedCounts(
|
||||
FindingException::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->where(function (Builder $query): void {
|
||||
$query
|
||||
->whereIn('status', [
|
||||
FindingException::STATUS_EXPIRED,
|
||||
FindingException::STATUS_REVOKED,
|
||||
])
|
||||
->orWhereIn('current_validity_state', [
|
||||
FindingException::VALIDITY_EXPIRED,
|
||||
FindingException::VALIDITY_REVOKED,
|
||||
FindingException::VALIDITY_REJECTED,
|
||||
FindingException::VALIDITY_MISSING_SUPPORT,
|
||||
]);
|
||||
})
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
);
|
||||
|
||||
$reviewPackRequestCounts = $this->groupedCounts(
|
||||
ProductUsageEvent::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->where('event_name', ProductUsageEventCatalog::REVIEW_PACK_REQUESTED)
|
||||
->where('occurred_at', '>=', $startAt)
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
);
|
||||
|
||||
$recentReviewPacks = ReviewPack::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->where('created_at', '>=', $startAt)
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
->orderByDesc('created_at')
|
||||
->orderByDesc('id')
|
||||
->get(['id', 'workspace_id', 'tenant_id', 'status', 'expires_at', 'created_at'])
|
||||
->groupBy(static fn (ReviewPack $reviewPack): int => (int) $reviewPack->workspace_id)
|
||||
->map(static fn (Collection $reviewPacks): ?ReviewPack => $reviewPacks->first());
|
||||
|
||||
$recentUsageEventCounts = $this->groupedCounts(
|
||||
ProductUsageEvent::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->where('occurred_at', '>=', $startAt)
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
);
|
||||
|
||||
$historicalUsageEventCounts = $this->groupedCounts(
|
||||
ProductUsageEvent::query()
|
||||
->whereIn('workspace_id', $workspaceIds)
|
||||
->where(function (Builder $query): void {
|
||||
$this->constrainToActiveTenantTruth($query);
|
||||
})
|
||||
);
|
||||
|
||||
return $workspaces
|
||||
->map(function (Workspace $workspace) use (
|
||||
$tenantsByWorkspace,
|
||||
$latestOnboardingSessions,
|
||||
$providerConnectionsByWorkspace,
|
||||
$recentRunCounts,
|
||||
$recentFailedRunCounts,
|
||||
$recentStuckRunCounts,
|
||||
$activeHighSeverityFindingCounts,
|
||||
$anyGovernanceFindingCounts,
|
||||
$overdueHighSeverityFindingCounts,
|
||||
$warningExceptionCounts,
|
||||
$criticalExceptionCounts,
|
||||
$reviewPackRequestCounts,
|
||||
$recentReviewPacks,
|
||||
$recentUsageEventCounts,
|
||||
$historicalUsageEventCounts,
|
||||
$resolvedWindow,
|
||||
$now,
|
||||
): array {
|
||||
$workspaceId = (int) $workspace->getKey();
|
||||
/** @var Collection<int, Tenant> $workspaceTenants */
|
||||
$workspaceTenants = $tenantsByWorkspace->get($workspaceId, collect());
|
||||
/** @var TenantOnboardingSession|null $latestOnboardingSession */
|
||||
$latestOnboardingSession = $latestOnboardingSessions->get($workspaceId);
|
||||
/** @var Collection<int, ProviderConnection> $providerConnections */
|
||||
$providerConnections = $providerConnectionsByWorkspace->get($workspaceId, collect());
|
||||
/** @var ReviewPack|null $latestReviewPack */
|
||||
$latestReviewPack = $recentReviewPacks->get($workspaceId);
|
||||
|
||||
$dimensions = $this->buildDimensions(
|
||||
tenants: $workspaceTenants,
|
||||
latestOnboardingSession: $latestOnboardingSession,
|
||||
providerConnections: $providerConnections,
|
||||
recentRunCount: $this->countForWorkspace($recentRunCounts, $workspaceId),
|
||||
recentFailedRunCount: $this->countForWorkspace($recentFailedRunCounts, $workspaceId),
|
||||
recentStuckRunCount: $this->countForWorkspace($recentStuckRunCounts, $workspaceId),
|
||||
activeHighSeverityFindingCount: $this->countForWorkspace($activeHighSeverityFindingCounts, $workspaceId),
|
||||
anyGovernanceFindingCount: $this->countForWorkspace($anyGovernanceFindingCounts, $workspaceId),
|
||||
overdueHighSeverityFindingCount: $this->countForWorkspace($overdueHighSeverityFindingCounts, $workspaceId),
|
||||
warningExceptionCount: $this->countForWorkspace($warningExceptionCounts, $workspaceId),
|
||||
criticalExceptionCount: $this->countForWorkspace($criticalExceptionCounts, $workspaceId),
|
||||
reviewPackRequestCount: $this->countForWorkspace($reviewPackRequestCounts, $workspaceId),
|
||||
latestReviewPack: $latestReviewPack,
|
||||
recentUsageEventCount: $this->countForWorkspace($recentUsageEventCounts, $workspaceId),
|
||||
historicalUsageEventCount: $this->countForWorkspace($historicalUsageEventCounts, $workspaceId),
|
||||
now: $now,
|
||||
);
|
||||
|
||||
$overallLevel = $this->dimensionCatalog->resolveOverallLevel(
|
||||
array_map(static fn (array $dimension): string => $dimension['level'], $dimensions),
|
||||
);
|
||||
|
||||
$dominantDimensionKeys = $this->dominantDimensionKeys($dimensions);
|
||||
|
||||
return [
|
||||
'workspace_id' => $workspaceId,
|
||||
'workspace_name' => (string) $workspace->name,
|
||||
'overall_level' => $overallLevel,
|
||||
'dimensions' => $dimensions,
|
||||
'dominant_dimension_keys' => $dominantDimensionKeys,
|
||||
'non_ok_dimension_count' => count(array_filter(
|
||||
$dimensions,
|
||||
static fn (array $dimension): bool => $dimension['level'] !== 'ok',
|
||||
)),
|
||||
'next_link' => $this->nextLink(
|
||||
workspace: $workspace,
|
||||
tenants: $workspaceTenants,
|
||||
dominantDimensionKeys: $dominantDimensionKeys,
|
||||
window: $resolvedWindow,
|
||||
),
|
||||
];
|
||||
})
|
||||
->values();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* workspace_id: int,
|
||||
* workspace_name: string,
|
||||
* overall_level: string,
|
||||
* dimensions: array<string, array{label: string, level: string, windowed: bool}>,
|
||||
* dominant_dimension_keys: list<string>,
|
||||
* non_ok_dimension_count: int,
|
||||
* next_link: array{label: string, url: string}
|
||||
* }|null
|
||||
*/
|
||||
public function summaryForWorkspace(Workspace|int $workspace, SystemConsoleWindow|string|null $window = null, ?CarbonImmutable $now = null): ?array
|
||||
{
|
||||
$workspaceId = $workspace instanceof Workspace ? (int) $workspace->getKey() : (int) $workspace;
|
||||
|
||||
/** @var array{
|
||||
* workspace_id: int,
|
||||
* workspace_name: string,
|
||||
* overall_level: string,
|
||||
* dimensions: array<string, array{label: string, level: string, windowed: bool}>,
|
||||
* dominant_dimension_keys: list<string>,
|
||||
* non_ok_dimension_count: int,
|
||||
* next_link: array{label: string, url: string}
|
||||
* }|null $summary
|
||||
*/
|
||||
$summary = $this->summaries($window, $now)->firstWhere('workspace_id', $workspaceId);
|
||||
|
||||
return $summary;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{ok: int, warn: int, critical: int, unknown: int}
|
||||
*/
|
||||
public function healthCounts(SystemConsoleWindow|string|null $window = null, ?CarbonImmutable $now = null): array
|
||||
{
|
||||
$counts = [
|
||||
'ok' => 0,
|
||||
'warn' => 0,
|
||||
'critical' => 0,
|
||||
'unknown' => 0,
|
||||
];
|
||||
|
||||
foreach ($this->summaries($window, $now) as $summary) {
|
||||
$counts[$summary['overall_level']]++;
|
||||
}
|
||||
|
||||
return $counts;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return Collection<int, array{
|
||||
* workspace_id: int,
|
||||
* workspace_name: string,
|
||||
* overall_level: string,
|
||||
* dimensions: array<string, array{label: string, level: string, windowed: bool}>,
|
||||
* dominant_dimension_keys: list<string>,
|
||||
* non_ok_dimension_count: int,
|
||||
* next_link: array{label: string, url: string}
|
||||
* }>
|
||||
*/
|
||||
public function attentionNeeded(SystemConsoleWindow|string|null $window = null, int $limit = 10, ?CarbonImmutable $now = null): Collection
|
||||
{
|
||||
return $this->summaries($window, $now)
|
||||
->filter(static fn (array $summary): bool => $summary['overall_level'] !== 'ok')
|
||||
->sort(function (array $left, array $right): int {
|
||||
$severityComparison = $this->levelRank($right['overall_level']) <=> $this->levelRank($left['overall_level']);
|
||||
|
||||
if ($severityComparison !== 0) {
|
||||
return $severityComparison;
|
||||
}
|
||||
|
||||
$nonOkComparison = $right['non_ok_dimension_count'] <=> $left['non_ok_dimension_count'];
|
||||
|
||||
if ($nonOkComparison !== 0) {
|
||||
return $nonOkComparison;
|
||||
}
|
||||
|
||||
$nameComparison = strcasecmp($left['workspace_name'], $right['workspace_name']);
|
||||
|
||||
if ($nameComparison !== 0) {
|
||||
return $nameComparison;
|
||||
}
|
||||
|
||||
return $left['workspace_id'] <=> $right['workspace_id'];
|
||||
})
|
||||
->values()
|
||||
->take(max(1, $limit));
|
||||
}
|
||||
|
||||
private function resolveWindow(SystemConsoleWindow|string|null $window): SystemConsoleWindow
|
||||
{
|
||||
if ($window instanceof SystemConsoleWindow) {
|
||||
return $window;
|
||||
}
|
||||
|
||||
return SystemConsoleWindow::fromNullable(is_string($window) ? $window : null);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Collection<int, Tenant> $tenants
|
||||
* @param Collection<int, ProviderConnection> $providerConnections
|
||||
* @return array<string, array{label: string, level: string, windowed: bool}>
|
||||
*/
|
||||
private function buildDimensions(
|
||||
Collection $tenants,
|
||||
?TenantOnboardingSession $latestOnboardingSession,
|
||||
Collection $providerConnections,
|
||||
int $recentRunCount,
|
||||
int $recentFailedRunCount,
|
||||
int $recentStuckRunCount,
|
||||
int $activeHighSeverityFindingCount,
|
||||
int $anyGovernanceFindingCount,
|
||||
int $overdueHighSeverityFindingCount,
|
||||
int $warningExceptionCount,
|
||||
int $criticalExceptionCount,
|
||||
int $reviewPackRequestCount,
|
||||
?ReviewPack $latestReviewPack,
|
||||
int $recentUsageEventCount,
|
||||
int $historicalUsageEventCount,
|
||||
CarbonImmutable $now,
|
||||
): array {
|
||||
$levels = [
|
||||
CustomerHealthDimensionCatalog::ONBOARDING_READINESS => $this->onboardingReadinessLevel($tenants, $latestOnboardingSession),
|
||||
CustomerHealthDimensionCatalog::PROVIDER_CONNECTION_HEALTH => $this->providerConnectionHealthLevel($providerConnections),
|
||||
CustomerHealthDimensionCatalog::OPERATIONAL_STABILITY => $this->operationalStabilityLevel($recentRunCount, $recentFailedRunCount, $recentStuckRunCount),
|
||||
CustomerHealthDimensionCatalog::GOVERNANCE_PRESSURE => $this->governancePressureLevel(
|
||||
activeHighSeverityFindingCount: $activeHighSeverityFindingCount,
|
||||
anyGovernanceFindingCount: $anyGovernanceFindingCount,
|
||||
overdueHighSeverityFindingCount: $overdueHighSeverityFindingCount,
|
||||
warningExceptionCount: $warningExceptionCount,
|
||||
criticalExceptionCount: $criticalExceptionCount,
|
||||
),
|
||||
CustomerHealthDimensionCatalog::REVIEW_PACK_READINESS => $this->reviewPackReadinessLevel($reviewPackRequestCount, $latestReviewPack, $now),
|
||||
CustomerHealthDimensionCatalog::ENGAGEMENT_FRESHNESS => $this->engagementFreshnessLevel($recentUsageEventCount, $historicalUsageEventCount),
|
||||
];
|
||||
|
||||
$dimensions = [];
|
||||
|
||||
foreach ($this->dimensionCatalog->visibleDimensions() as $dimensionKey => $label) {
|
||||
$dimensions[$dimensionKey] = [
|
||||
'label' => $label,
|
||||
'level' => $levels[$dimensionKey],
|
||||
'windowed' => $this->dimensionCatalog->isWindowed($dimensionKey),
|
||||
];
|
||||
}
|
||||
|
||||
return $dimensions;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Collection<int, Tenant> $tenants
|
||||
*/
|
||||
private function onboardingReadinessLevel(Collection $tenants, ?TenantOnboardingSession $latestOnboardingSession): string
|
||||
{
|
||||
if ($latestOnboardingSession instanceof TenantOnboardingSession) {
|
||||
return match ($latestOnboardingSession->lifecycleState()) {
|
||||
OnboardingLifecycleState::ReadyForActivation,
|
||||
OnboardingLifecycleState::Completed => 'ok',
|
||||
OnboardingLifecycleState::Cancelled => 'critical',
|
||||
OnboardingLifecycleState::Draft,
|
||||
OnboardingLifecycleState::Verifying,
|
||||
OnboardingLifecycleState::ActionRequired,
|
||||
OnboardingLifecycleState::Bootstrapping => 'warn',
|
||||
};
|
||||
}
|
||||
|
||||
if ($tenants->isEmpty()) {
|
||||
return 'unknown';
|
||||
}
|
||||
|
||||
if ($tenants->contains(static fn (Tenant $tenant): bool => (string) $tenant->status === Tenant::STATUS_ACTIVE)) {
|
||||
return 'ok';
|
||||
}
|
||||
|
||||
return 'warn';
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Collection<int, ProviderConnection> $providerConnections
|
||||
*/
|
||||
private function providerConnectionHealthLevel(Collection $providerConnections): string
|
||||
{
|
||||
if ($providerConnections->isEmpty()) {
|
||||
return 'unknown';
|
||||
}
|
||||
|
||||
if ($providerConnections->contains(function (ProviderConnection $connection): bool {
|
||||
if (! $connection->is_enabled) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$consentStatus = $this->normalizeBackedEnumValue($connection->consent_status);
|
||||
$verificationStatus = $this->normalizeBackedEnumValue($connection->verification_status);
|
||||
|
||||
return in_array($consentStatus, [
|
||||
ProviderConsentStatus::Required->value,
|
||||
ProviderConsentStatus::Failed->value,
|
||||
ProviderConsentStatus::Revoked->value,
|
||||
], true) || in_array($verificationStatus, [
|
||||
ProviderVerificationStatus::Blocked->value,
|
||||
ProviderVerificationStatus::Error->value,
|
||||
], true);
|
||||
})) {
|
||||
return 'critical';
|
||||
}
|
||||
|
||||
if ($providerConnections->contains(function (ProviderConnection $connection): bool {
|
||||
if (! $connection->is_enabled) {
|
||||
return true;
|
||||
}
|
||||
|
||||
$consentStatus = $this->normalizeBackedEnumValue($connection->consent_status);
|
||||
$verificationStatus = $this->normalizeBackedEnumValue($connection->verification_status);
|
||||
|
||||
return in_array($consentStatus, [
|
||||
ProviderConsentStatus::Unknown->value,
|
||||
], true) || in_array($verificationStatus, [
|
||||
ProviderVerificationStatus::Unknown->value,
|
||||
ProviderVerificationStatus::Pending->value,
|
||||
ProviderVerificationStatus::Degraded->value,
|
||||
], true);
|
||||
})) {
|
||||
return 'warn';
|
||||
}
|
||||
|
||||
if ($providerConnections->contains(function (ProviderConnection $connection): bool {
|
||||
return $connection->is_enabled
|
||||
&& $this->normalizeBackedEnumValue($connection->consent_status) === ProviderConsentStatus::Granted->value
|
||||
&& $this->normalizeBackedEnumValue($connection->verification_status) === ProviderVerificationStatus::Healthy->value;
|
||||
})) {
|
||||
return 'ok';
|
||||
}
|
||||
|
||||
return 'unknown';
|
||||
}
|
||||
|
||||
private function operationalStabilityLevel(int $recentRunCount, int $recentFailedRunCount, int $recentStuckRunCount): string
|
||||
{
|
||||
if ($recentFailedRunCount > 0 || $recentStuckRunCount > 0) {
|
||||
return 'critical';
|
||||
}
|
||||
|
||||
if ($recentRunCount > 0) {
|
||||
return 'ok';
|
||||
}
|
||||
|
||||
return 'unknown';
|
||||
}
|
||||
|
||||
private function governancePressureLevel(
|
||||
int $activeHighSeverityFindingCount,
|
||||
int $anyGovernanceFindingCount,
|
||||
int $overdueHighSeverityFindingCount,
|
||||
int $warningExceptionCount,
|
||||
int $criticalExceptionCount,
|
||||
): string {
|
||||
if ($overdueHighSeverityFindingCount > 0 || $criticalExceptionCount > 0) {
|
||||
return 'critical';
|
||||
}
|
||||
|
||||
if ($activeHighSeverityFindingCount > 0 || $warningExceptionCount > 0) {
|
||||
return 'warn';
|
||||
}
|
||||
|
||||
if ($anyGovernanceFindingCount === 0 && $warningExceptionCount === 0 && $criticalExceptionCount === 0) {
|
||||
return 'unknown';
|
||||
}
|
||||
|
||||
return 'ok';
|
||||
}
|
||||
|
||||
private function reviewPackReadinessLevel(int $reviewPackRequestCount, ?ReviewPack $latestReviewPack, CarbonImmutable $now): string
|
||||
{
|
||||
if ($reviewPackRequestCount === 0 && ! $latestReviewPack instanceof ReviewPack) {
|
||||
return 'unknown';
|
||||
}
|
||||
|
||||
if (! $latestReviewPack instanceof ReviewPack) {
|
||||
return 'warn';
|
||||
}
|
||||
|
||||
if (
|
||||
(string) $latestReviewPack->status === ReviewPack::STATUS_READY
|
||||
&& (! $latestReviewPack->expires_at instanceof CarbonImmutable || $latestReviewPack->expires_at->gt($now))
|
||||
) {
|
||||
return 'ok';
|
||||
}
|
||||
|
||||
if (
|
||||
in_array((string) $latestReviewPack->status, [
|
||||
ReviewPack::STATUS_FAILED,
|
||||
ReviewPack::STATUS_EXPIRED,
|
||||
], true)
|
||||
|| ($latestReviewPack->expires_at !== null && $latestReviewPack->expires_at->lte($now))
|
||||
) {
|
||||
return 'critical';
|
||||
}
|
||||
|
||||
return 'warn';
|
||||
}
|
||||
|
||||
private function engagementFreshnessLevel(int $recentUsageEventCount, int $historicalUsageEventCount): string
|
||||
{
|
||||
if ($recentUsageEventCount > 0) {
|
||||
return 'ok';
|
||||
}
|
||||
|
||||
if ($historicalUsageEventCount > 0) {
|
||||
return 'warn';
|
||||
}
|
||||
|
||||
return 'unknown';
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, array{label: string, level: string, windowed: bool}> $dimensions
|
||||
* @return list<string>
|
||||
*/
|
||||
private function dominantDimensionKeys(array $dimensions): array
|
||||
{
|
||||
$catalogOrder = array_flip($this->dimensionCatalog->names());
|
||||
|
||||
return collect($dimensions)
|
||||
->reject(static fn (array $dimension): bool => $dimension['level'] === 'ok')
|
||||
->keys()
|
||||
->sort(function (string $left, string $right) use ($dimensions, $catalogOrder): int {
|
||||
$severityComparison = $this->levelRank($dimensions[$right]['level']) <=> $this->levelRank($dimensions[$left]['level']);
|
||||
|
||||
if ($severityComparison !== 0) {
|
||||
return $severityComparison;
|
||||
}
|
||||
|
||||
return ($catalogOrder[$left] ?? PHP_INT_MAX) <=> ($catalogOrder[$right] ?? PHP_INT_MAX);
|
||||
})
|
||||
->values()
|
||||
->all();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Collection<int, Tenant> $tenants
|
||||
* @param list<string> $dominantDimensionKeys
|
||||
* @return array{label: string, url: string}
|
||||
*/
|
||||
private function nextLink(Workspace $workspace, Collection $tenants, array $dominantDimensionKeys, SystemConsoleWindow $window): array
|
||||
{
|
||||
$dominantDimension = $dominantDimensionKeys[0] ?? null;
|
||||
|
||||
if ($dominantDimension === CustomerHealthDimensionCatalog::OPERATIONAL_STABILITY && $this->canOpenRunsLink()) {
|
||||
return [
|
||||
'label' => 'Open runs',
|
||||
'url' => SystemOperationRunLinks::index(),
|
||||
];
|
||||
}
|
||||
|
||||
/** @var Tenant|null $tenant */
|
||||
$tenant = $tenants->first();
|
||||
|
||||
if ($tenant instanceof Tenant) {
|
||||
return [
|
||||
'label' => 'Review health details',
|
||||
'url' => $this->withWindowQuery(SystemDirectoryLinks::tenantDetail($tenant), $window),
|
||||
];
|
||||
}
|
||||
|
||||
return [
|
||||
'label' => 'Review health details',
|
||||
'url' => $this->withWindowQuery(SystemDirectoryLinks::workspaceDetail($workspace), $window),
|
||||
];
|
||||
}
|
||||
|
||||
private function withWindowQuery(string $url, SystemConsoleWindow $window): string
|
||||
{
|
||||
$separator = str_contains($url, '?') ? '&' : '?';
|
||||
|
||||
return $url.$separator.http_build_query(['window' => $window->value]);
|
||||
}
|
||||
|
||||
private function canOpenRunsLink(): bool
|
||||
{
|
||||
$user = auth('platform')->user();
|
||||
|
||||
if (! $user instanceof PlatformUser) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $user->hasCapability(PlatformCapabilities::OPERATIONS_VIEW)
|
||||
|| ($user->hasCapability(PlatformCapabilities::OPS_VIEW) && $user->hasCapability(PlatformCapabilities::RUNBOOKS_VIEW));
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<OperationRun>|Builder<ProductUsageEvent>|Builder<ReviewPack>|Builder<Finding>|Builder<FindingException> $query
|
||||
* @return array<int, int>
|
||||
*/
|
||||
private function groupedCounts(Builder $query): array
|
||||
{
|
||||
return $query
|
||||
->selectRaw('workspace_id, COUNT(*) as aggregate')
|
||||
->groupBy('workspace_id')
|
||||
->pluck('aggregate', 'workspace_id')
|
||||
->mapWithKeys(static fn (mixed $count, mixed $workspaceId): array => [
|
||||
(int) $workspaceId => (int) $count,
|
||||
])
|
||||
->all();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<int, int> $counts
|
||||
*/
|
||||
private function countForWorkspace(array $counts, int $workspaceId): int
|
||||
{
|
||||
return (int) ($counts[$workspaceId] ?? 0);
|
||||
}
|
||||
|
||||
private function levelRank(string $level): int
|
||||
{
|
||||
return match ($level) {
|
||||
'critical' => 4,
|
||||
'warn' => 3,
|
||||
'unknown' => 2,
|
||||
default => 1,
|
||||
};
|
||||
}
|
||||
|
||||
private function normalizeBackedEnumValue(mixed $value): string
|
||||
{
|
||||
if (is_object($value) && property_exists($value, 'value')) {
|
||||
return (string) $value->value;
|
||||
}
|
||||
|
||||
return (string) $value;
|
||||
}
|
||||
|
||||
private function constrainToActiveTenantTruth(Builder $query): void
|
||||
{
|
||||
$query
|
||||
->whereNull('tenant_id')
|
||||
->orWhereHas('tenant', function (Builder $tenantQuery): void {
|
||||
$tenantQuery
|
||||
->whereNull('deleted_at')
|
||||
->where('status', '!=', Tenant::STATUS_ARCHIVED);
|
||||
});
|
||||
}
|
||||
}
|
||||
@ -17,13 +17,6 @@ final class OperationalControlCatalog
|
||||
'operation_types' => ['restore.execute'],
|
||||
'affected_surfaces' => ['tenant.restore_runs.create'],
|
||||
],
|
||||
'ai.execution' => [
|
||||
'key' => 'ai.execution',
|
||||
'label' => 'AI execution',
|
||||
'supported_scopes' => ['global'],
|
||||
'operation_types' => ['ai.execution'],
|
||||
'affected_surfaces' => ['governed_ai.execution'],
|
||||
],
|
||||
];
|
||||
|
||||
/**
|
||||
|
||||
@ -1,263 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\ProductKnowledge;
|
||||
|
||||
use App\Support\Links\RequiredPermissionsLinks;
|
||||
use InvalidArgumentException;
|
||||
|
||||
final class ContextualHelpCatalog
|
||||
{
|
||||
public const string ADMIN_CONSENT_REQUIRED = 'admin-consent-required';
|
||||
|
||||
public const string REQUIRED_PERMISSIONS_MISSING = 'required-permissions-missing';
|
||||
|
||||
public const string CONNECTION_UNHEALTHY = 'connection-unhealthy';
|
||||
|
||||
public const string VERIFICATION_STALE = 'verification-stale';
|
||||
|
||||
public const string VERIFICATION_FAILED = 'verification-failed';
|
||||
|
||||
public const string DIAGNOSTIC_EVIDENCE_INCOMPLETE = 'diagnostic-evidence-incomplete';
|
||||
|
||||
public const string RETRYABLE_PROVIDER_FAILURE = 'retryable-provider-failure';
|
||||
|
||||
public const string MANUAL_HANDOFF_REQUIRED = 'manual-handoff-required';
|
||||
|
||||
public const string LINK_RESOLVER_ADMIN_CONSENT_PRIMARY = 'admin_consent_primary';
|
||||
|
||||
public const string LINK_RESOLVER_REQUIRED_PERMISSIONS = 'required_permissions';
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
public function keys(): array
|
||||
{
|
||||
return array_keys($this->definitions());
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, array{
|
||||
* topic_key: string,
|
||||
* surface_families: list<string>,
|
||||
* headline: string,
|
||||
* short_explanation: string,
|
||||
* troubleshooting_steps: list<string>,
|
||||
* safe_next_action: string,
|
||||
* glossary_terms: list<string>,
|
||||
* docs_links: list<array{
|
||||
* label: string,
|
||||
* kind: string,
|
||||
* url?: string,
|
||||
* resolver?: string
|
||||
* }>
|
||||
* }>
|
||||
*/
|
||||
public function definitions(): array
|
||||
{
|
||||
return [
|
||||
self::ADMIN_CONSENT_REQUIRED => [
|
||||
'topic_key' => self::ADMIN_CONSENT_REQUIRED,
|
||||
'surface_families' => ['onboarding', 'support_diagnostics'],
|
||||
'headline' => 'Admin consent required',
|
||||
'short_explanation' => 'This workflow is blocked until admin consent is granted for the current provider connection.',
|
||||
'troubleshooting_steps' => [
|
||||
'Grant admin consent for the current provider connection.',
|
||||
'Re-run verification or reopen support diagnostics after consent completes.',
|
||||
],
|
||||
'safe_next_action' => 'Grant admin consent and re-run verification.',
|
||||
'glossary_terms' => ['tenant', 'workspace', 'provider connection'],
|
||||
'docs_links' => [
|
||||
[
|
||||
'label' => 'Grant admin consent',
|
||||
'kind' => 'action',
|
||||
'resolver' => self::LINK_RESOLVER_ADMIN_CONSENT_PRIMARY,
|
||||
],
|
||||
[
|
||||
'label' => 'Admin consent guide',
|
||||
'kind' => 'docs',
|
||||
'url' => RequiredPermissionsLinks::adminConsentGuideUrl(),
|
||||
],
|
||||
],
|
||||
],
|
||||
self::REQUIRED_PERMISSIONS_MISSING => [
|
||||
'topic_key' => self::REQUIRED_PERMISSIONS_MISSING,
|
||||
'surface_families' => ['onboarding', 'support_diagnostics'],
|
||||
'headline' => 'Required permissions missing',
|
||||
'short_explanation' => 'The provider app is missing one or more required permissions for the current workflow.',
|
||||
'troubleshooting_steps' => [
|
||||
'Review the required permissions matrix for the current tenant.',
|
||||
'Refresh verification after the missing permissions are granted.',
|
||||
],
|
||||
'safe_next_action' => 'Open required permissions and confirm the missing grants.',
|
||||
'glossary_terms' => ['tenant', 'workspace', 'provider connection'],
|
||||
'docs_links' => [
|
||||
[
|
||||
'label' => 'Open required permissions',
|
||||
'kind' => 'action',
|
||||
'resolver' => self::LINK_RESOLVER_REQUIRED_PERMISSIONS,
|
||||
],
|
||||
],
|
||||
],
|
||||
self::CONNECTION_UNHEALTHY => [
|
||||
'topic_key' => self::CONNECTION_UNHEALTHY,
|
||||
'surface_families' => ['onboarding', 'support_diagnostics'],
|
||||
'headline' => 'Provider connection needs review',
|
||||
'short_explanation' => 'The provider connection is degraded or unavailable, so the current result cannot be treated as healthy.',
|
||||
'troubleshooting_steps' => [
|
||||
'Review the latest provider connection health signal.',
|
||||
'Retry the workflow after the provider connection is healthy again.',
|
||||
],
|
||||
'safe_next_action' => 'Review the provider connection before retrying.',
|
||||
'glossary_terms' => ['tenant', 'workspace', 'provider connection'],
|
||||
'docs_links' => [],
|
||||
],
|
||||
self::VERIFICATION_STALE => [
|
||||
'topic_key' => self::VERIFICATION_STALE,
|
||||
'surface_families' => ['onboarding'],
|
||||
'headline' => 'Verification result is stale',
|
||||
'short_explanation' => 'The most recent verification result is too old or mismatched to trust for the current onboarding decision.',
|
||||
'troubleshooting_steps' => [
|
||||
'Run verification again for the currently selected provider connection.',
|
||||
'Use the refreshed result before continuing onboarding.',
|
||||
],
|
||||
'safe_next_action' => 'Refresh verification before continuing onboarding.',
|
||||
'glossary_terms' => ['tenant', 'workspace', 'verification'],
|
||||
'docs_links' => [],
|
||||
],
|
||||
self::VERIFICATION_FAILED => [
|
||||
'topic_key' => self::VERIFICATION_FAILED,
|
||||
'surface_families' => ['onboarding', 'support_diagnostics'],
|
||||
'headline' => 'Verification failed',
|
||||
'short_explanation' => 'The latest verification run did not produce a decision-grade result for the current tenant context.',
|
||||
'troubleshooting_steps' => [
|
||||
'Review the blocking reason before retrying verification.',
|
||||
'Confirm the prerequisite is fixed, then run verification again.',
|
||||
],
|
||||
'safe_next_action' => 'Review the blocking reason and retry verification.',
|
||||
'glossary_terms' => ['tenant', 'workspace', 'verification'],
|
||||
'docs_links' => [],
|
||||
],
|
||||
self::DIAGNOSTIC_EVIDENCE_INCOMPLETE => [
|
||||
'topic_key' => self::DIAGNOSTIC_EVIDENCE_INCOMPLETE,
|
||||
'surface_families' => ['support_diagnostics'],
|
||||
'headline' => 'Diagnostic evidence is incomplete',
|
||||
'short_explanation' => 'Support diagnostics can summarize the issue, but the available evidence is not complete enough for a final conclusion.',
|
||||
'troubleshooting_steps' => [
|
||||
'Review the available evidence and supporting references in the current support context.',
|
||||
'Collect a fresh verification or operation result before making a final decision.',
|
||||
],
|
||||
'safe_next_action' => 'Collect a fresher or more complete diagnostic signal.',
|
||||
'glossary_terms' => ['support diagnostics', 'evidence', 'workspace'],
|
||||
'docs_links' => [],
|
||||
],
|
||||
self::RETRYABLE_PROVIDER_FAILURE => [
|
||||
'topic_key' => self::RETRYABLE_PROVIDER_FAILURE,
|
||||
'surface_families' => ['support_diagnostics'],
|
||||
'headline' => 'Provider failure looks retryable',
|
||||
'short_explanation' => 'The current provider issue appears temporary, so the next safe step is to retry once the dependency recovers.',
|
||||
'troubleshooting_steps' => [
|
||||
'Confirm the provider dependency has recovered.',
|
||||
'Retry the workflow after the provider-side issue clears.',
|
||||
],
|
||||
'safe_next_action' => 'Retry after the provider dependency recovers.',
|
||||
'glossary_terms' => ['support diagnostics', 'provider connection', 'workspace'],
|
||||
'docs_links' => [],
|
||||
],
|
||||
self::MANUAL_HANDOFF_REQUIRED => [
|
||||
'topic_key' => self::MANUAL_HANDOFF_REQUIRED,
|
||||
'surface_families' => ['support_diagnostics'],
|
||||
'headline' => 'Manual support handoff required',
|
||||
'short_explanation' => 'TenantPilot can summarize the current issue, but a human support handoff is still required for the next step.',
|
||||
'troubleshooting_steps' => [
|
||||
'Review the current references before handing off the case.',
|
||||
'Capture the safe next step and the supporting evidence for the receiving operator.',
|
||||
],
|
||||
'safe_next_action' => 'Hand off the case with the current diagnostic summary and supporting references.',
|
||||
'glossary_terms' => ['support diagnostics', 'tenant', 'workspace'],
|
||||
'docs_links' => [],
|
||||
],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* topic_key: string,
|
||||
* surface_families: list<string>,
|
||||
* headline: string,
|
||||
* short_explanation: string,
|
||||
* troubleshooting_steps: list<string>,
|
||||
* safe_next_action: string,
|
||||
* glossary_terms: list<string>,
|
||||
* docs_links: list<array{
|
||||
* label: string,
|
||||
* kind: string,
|
||||
* url?: string,
|
||||
* resolver?: string
|
||||
* }>
|
||||
* }
|
||||
*/
|
||||
public function definition(string $topicKey): array
|
||||
{
|
||||
$definition = $this->definitions()[trim($topicKey)] ?? null;
|
||||
|
||||
if (! is_array($definition)) {
|
||||
throw new InvalidArgumentException('Unknown contextual help topic');
|
||||
}
|
||||
|
||||
return $definition;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* version: int,
|
||||
* topic_count: int,
|
||||
* topics: list<array{
|
||||
* topic_key: string,
|
||||
* surface_families: list<string>,
|
||||
* headline: string,
|
||||
* short_explanation: string,
|
||||
* troubleshooting_steps: list<string>,
|
||||
* safe_next_action: string,
|
||||
* glossary_terms: list<string>,
|
||||
* docs_links: list<array{
|
||||
* label: string,
|
||||
* kind: string,
|
||||
* url: ?string,
|
||||
* resolver: ?string
|
||||
* }>
|
||||
* }>
|
||||
* }
|
||||
*/
|
||||
public function knowledgeSource(): array
|
||||
{
|
||||
$topics = array_values(array_map(
|
||||
fn (array $definition): array => [
|
||||
'topic_key' => $definition['topic_key'],
|
||||
'surface_families' => $definition['surface_families'],
|
||||
'headline' => $definition['headline'],
|
||||
'short_explanation' => $definition['short_explanation'],
|
||||
'troubleshooting_steps' => $definition['troubleshooting_steps'],
|
||||
'safe_next_action' => $definition['safe_next_action'],
|
||||
'glossary_terms' => $definition['glossary_terms'],
|
||||
'docs_links' => array_values(array_map(
|
||||
static fn (array $link): array => [
|
||||
'label' => (string) $link['label'],
|
||||
'kind' => (string) ($link['kind'] ?? 'url'),
|
||||
'url' => isset($link['url']) && is_string($link['url']) ? $link['url'] : null,
|
||||
'resolver' => isset($link['resolver']) && is_string($link['resolver']) ? $link['resolver'] : null,
|
||||
],
|
||||
$definition['docs_links'],
|
||||
)),
|
||||
],
|
||||
$this->definitions(),
|
||||
));
|
||||
|
||||
return [
|
||||
'version' => 1,
|
||||
'topic_count' => count($topics),
|
||||
'topics' => $topics,
|
||||
];
|
||||
}
|
||||
}
|
||||
@ -1,465 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\ProductKnowledge;
|
||||
|
||||
use App\Models\ProviderConnection;
|
||||
use App\Models\Tenant;
|
||||
use App\Support\Ai\AiDataClassification;
|
||||
use App\Support\Governance\PlatformVocabularyGlossary;
|
||||
use App\Support\Links\RequiredPermissionsLinks;
|
||||
use App\Support\ReasonTranslation\ReasonPresenter;
|
||||
use App\Support\ReasonTranslation\ReasonResolutionEnvelope;
|
||||
use App\Support\Providers\ProviderReasonCodes;
|
||||
use App\Support\Ui\GovernanceArtifactTruth\ArtifactTruthEnvelope;
|
||||
use App\Support\Ui\OperatorExplanation\OperatorExplanationBuilder;
|
||||
use InvalidArgumentException;
|
||||
|
||||
final class ContextualHelpResolver
|
||||
{
|
||||
public function __construct(
|
||||
private readonly ContextualHelpCatalog $catalog,
|
||||
private readonly PlatformVocabularyGlossary $glossary,
|
||||
private readonly ReasonPresenter $reasonPresenter,
|
||||
private readonly OperatorExplanationBuilder $operatorExplanationBuilder,
|
||||
) {}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $context
|
||||
* @return array{
|
||||
* topic_key: string,
|
||||
* surface_families: list<string>,
|
||||
* headline: string,
|
||||
* short_explanation: string,
|
||||
* troubleshooting_steps: list<string>,
|
||||
* safe_next_action: string,
|
||||
* docs_links: list<array{
|
||||
* label: string,
|
||||
* kind: string,
|
||||
* url: ?string,
|
||||
* resolver: ?string
|
||||
* }>,
|
||||
* canonical_terms: list<string>,
|
||||
* reason_label: ?string,
|
||||
* diagnostic_code: ?string,
|
||||
* operator_summary: ?array{
|
||||
* primaryReason: string,
|
||||
* nextActionText: string,
|
||||
* diagnosticsAvailable: bool,
|
||||
* diagnosticsSummary: ?string
|
||||
* }
|
||||
* }
|
||||
*/
|
||||
public function resolve(string $topicKey, array $context = []): array
|
||||
{
|
||||
$definition = $this->catalog->definition($topicKey);
|
||||
$reasonEnvelope = $this->providerReasonEnvelope($context);
|
||||
$operatorSummary = $this->operatorSummary($context);
|
||||
|
||||
return [
|
||||
'topic_key' => $definition['topic_key'],
|
||||
'surface_families' => $definition['surface_families'],
|
||||
'headline' => $this->firstNonEmpty(
|
||||
$this->stringOrNull($context['headline'] ?? null),
|
||||
$definition['headline'],
|
||||
),
|
||||
'short_explanation' => $this->firstNonEmpty(
|
||||
$this->stringOrNull($context['short_explanation'] ?? null),
|
||||
$this->reasonPresenter->shortExplanation($reasonEnvelope),
|
||||
$definition['short_explanation'],
|
||||
),
|
||||
'troubleshooting_steps' => $this->troubleshootingSteps($definition['troubleshooting_steps'], $context),
|
||||
'safe_next_action' => $this->firstNonEmpty(
|
||||
$this->stringOrNull($context['safe_next_action'] ?? null),
|
||||
$operatorSummary['nextActionText'] ?? null,
|
||||
$definition['safe_next_action'],
|
||||
),
|
||||
'docs_links' => $this->resolveLinks($definition['docs_links'], $context),
|
||||
'canonical_terms' => $this->canonicalTerms($definition['glossary_terms']),
|
||||
'reason_label' => $this->reasonPresenter->primaryLabel($reasonEnvelope),
|
||||
'diagnostic_code' => $this->reasonPresenter->diagnosticCode($reasonEnvelope),
|
||||
'operator_summary' => $operatorSummary,
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $context
|
||||
* @return array{
|
||||
* topic_key: string,
|
||||
* surface_families: list<string>,
|
||||
* headline: string,
|
||||
* short_explanation: string,
|
||||
* troubleshooting_steps: list<string>,
|
||||
* safe_next_action: string,
|
||||
* docs_links: list<array{
|
||||
* label: string,
|
||||
* kind: string,
|
||||
* url: ?string,
|
||||
* resolver: ?string
|
||||
* }>,
|
||||
* canonical_terms: list<string>,
|
||||
* reason_label: ?string,
|
||||
* diagnostic_code: ?string,
|
||||
* operator_summary: ?array{
|
||||
* primaryReason: string,
|
||||
* nextActionText: string,
|
||||
* diagnosticsAvailable: bool,
|
||||
* diagnosticsSummary: ?string
|
||||
* }
|
||||
* }|null
|
||||
*/
|
||||
public function tryResolve(?string $topicKey, array $context = []): ?array
|
||||
{
|
||||
if (! is_string($topicKey) || trim($topicKey) === '') {
|
||||
return null;
|
||||
}
|
||||
|
||||
try {
|
||||
return $this->resolve($topicKey, $context);
|
||||
} catch (InvalidArgumentException) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* version: int,
|
||||
* topic_count: int,
|
||||
* topics: list<array{
|
||||
* topic_key: string,
|
||||
* surface_families: list<string>,
|
||||
* headline: string,
|
||||
* short_explanation: string,
|
||||
* troubleshooting_steps: list<string>,
|
||||
* safe_next_action: string,
|
||||
* glossary_terms: list<string>,
|
||||
* docs_links: list<array{
|
||||
* label: string,
|
||||
* kind: string,
|
||||
* url: ?string,
|
||||
* resolver: ?string
|
||||
* }>
|
||||
* }>
|
||||
* }
|
||||
*/
|
||||
public function knowledgeSource(): array
|
||||
{
|
||||
return $this->catalog->knowledgeSource();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* use_case_key: string,
|
||||
* source_family: string,
|
||||
* data_classifications: list<string>,
|
||||
* operational_metadata: array{version: int, topic_count: int},
|
||||
* topics: list<array{
|
||||
* topic_key: string,
|
||||
* surface_families: list<string>,
|
||||
* headline: string,
|
||||
* short_explanation: string,
|
||||
* troubleshooting_steps: list<string>,
|
||||
* safe_next_action: string,
|
||||
* glossary_terms: list<string>,
|
||||
* docs_links: list<array{label: string, kind: string, url: ?string, resolver: ?string}>
|
||||
* }>
|
||||
* }
|
||||
*/
|
||||
public function aiProductKnowledgeAnswerDraftSource(): array
|
||||
{
|
||||
$source = $this->knowledgeSource();
|
||||
|
||||
return [
|
||||
'use_case_key' => 'product_knowledge.answer_draft',
|
||||
'source_family' => 'product_knowledge',
|
||||
'data_classifications' => [
|
||||
AiDataClassification::ProductKnowledge->value,
|
||||
AiDataClassification::OperationalMetadata->value,
|
||||
],
|
||||
'operational_metadata' => [
|
||||
'version' => (int) $source['version'],
|
||||
'topic_count' => (int) $source['topic_count'],
|
||||
],
|
||||
'topics' => $source['topics'],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed>|null $verificationReport
|
||||
*/
|
||||
public function primaryReasonCodeFromVerificationReport(?array $verificationReport): ?string
|
||||
{
|
||||
foreach ($this->relevantChecks($verificationReport) as $check) {
|
||||
$reasonCode = $check['reason_code'] ?? null;
|
||||
|
||||
if (is_string($reasonCode) && trim($reasonCode) !== '') {
|
||||
return trim($reasonCode);
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
public function topicKeyForOnboardingVerification(
|
||||
?string $reasonCode,
|
||||
bool $isVerificationStale,
|
||||
?string $verificationOverall,
|
||||
?string $runOutcome,
|
||||
): ?string {
|
||||
if ($isVerificationStale) {
|
||||
return ContextualHelpCatalog::VERIFICATION_STALE;
|
||||
}
|
||||
|
||||
$reasonTopicKey = $this->onboardingTopicKeyForReason($reasonCode);
|
||||
|
||||
if ($reasonTopicKey !== null) {
|
||||
return $reasonTopicKey;
|
||||
}
|
||||
|
||||
return $this->isVerificationFailure($verificationOverall, $runOutcome)
|
||||
? ContextualHelpCatalog::VERIFICATION_FAILED
|
||||
: null;
|
||||
}
|
||||
|
||||
public function topicKeyForSupportDiagnostics(
|
||||
?string $reasonCode,
|
||||
bool $hasIncompleteEvidence,
|
||||
?string $runOutcome,
|
||||
): ?string {
|
||||
$reasonTopicKey = $this->supportDiagnosticsTopicKeyForReason($reasonCode);
|
||||
|
||||
if ($reasonTopicKey !== null) {
|
||||
return $reasonTopicKey;
|
||||
}
|
||||
|
||||
if (is_string($reasonCode) && trim($reasonCode) !== '') {
|
||||
return $reasonCode === ProviderReasonCodes::UnknownError
|
||||
? ContextualHelpCatalog::MANUAL_HANDOFF_REQUIRED
|
||||
: null;
|
||||
}
|
||||
|
||||
if ($this->isVerificationFailure(null, $runOutcome)) {
|
||||
return ContextualHelpCatalog::VERIFICATION_FAILED;
|
||||
}
|
||||
|
||||
return $hasIncompleteEvidence
|
||||
? ContextualHelpCatalog::DIAGNOSTIC_EVIDENCE_INCOMPLETE
|
||||
: null;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $context
|
||||
*/
|
||||
private function providerReasonEnvelope(array $context): ?ReasonResolutionEnvelope
|
||||
{
|
||||
$tenant = $context['tenant'] ?? null;
|
||||
$reasonCode = $context['reason_code'] ?? null;
|
||||
$connection = $context['connection'] ?? null;
|
||||
$surface = $this->stringOrNull($context['surface'] ?? null) ?? 'detail';
|
||||
|
||||
if (! $tenant instanceof Tenant || ! is_string($reasonCode) || trim($reasonCode) === '') {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $this->reasonPresenter->forProviderReason(
|
||||
tenant: $tenant,
|
||||
reasonCode: trim($reasonCode),
|
||||
connection: $connection instanceof ProviderConnection ? $connection : null,
|
||||
surface: $surface,
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $context
|
||||
* @return array{
|
||||
* primaryReason: string,
|
||||
* nextActionText: string,
|
||||
* diagnosticsAvailable: bool,
|
||||
* diagnosticsSummary: ?string
|
||||
* }|null
|
||||
*/
|
||||
private function operatorSummary(array $context): ?array
|
||||
{
|
||||
$truth = $context['artifact_truth'] ?? null;
|
||||
|
||||
if (! $truth instanceof ArtifactTruthEnvelope) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $this->operatorExplanationBuilder->compressionSummaryInputs($truth);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed>|null $verificationReport
|
||||
* @return list<array<string, mixed>>
|
||||
*/
|
||||
private function relevantChecks(?array $verificationReport): array
|
||||
{
|
||||
$checks = is_array($verificationReport['checks'] ?? null)
|
||||
? $verificationReport['checks']
|
||||
: [];
|
||||
|
||||
return array_values(array_filter($checks, static function (mixed $check): bool {
|
||||
if (! is_array($check)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$status = $check['status'] ?? null;
|
||||
|
||||
return is_string($status)
|
||||
&& ! in_array($status, ['pass', 'skip', 'running'], true);
|
||||
}));
|
||||
}
|
||||
|
||||
private function onboardingTopicKeyForReason(?string $reasonCode): ?string
|
||||
{
|
||||
return match ($reasonCode) {
|
||||
ProviderReasonCodes::ProviderConsentMissing,
|
||||
ProviderReasonCodes::ProviderConsentFailed,
|
||||
ProviderReasonCodes::ProviderConsentRevoked => ContextualHelpCatalog::ADMIN_CONSENT_REQUIRED,
|
||||
ProviderReasonCodes::ProviderPermissionMissing,
|
||||
ProviderReasonCodes::ProviderPermissionDenied,
|
||||
ProviderReasonCodes::IntuneRbacPermissionMissing => ContextualHelpCatalog::REQUIRED_PERMISSIONS_MISSING,
|
||||
ProviderReasonCodes::ProviderConnectionMissing,
|
||||
ProviderReasonCodes::ProviderConnectionInvalid,
|
||||
ProviderReasonCodes::ProviderCredentialMissing,
|
||||
ProviderReasonCodes::ProviderCredentialInvalid,
|
||||
ProviderReasonCodes::ProviderConnectionTypeInvalid,
|
||||
ProviderReasonCodes::DedicatedCredentialMissing,
|
||||
ProviderReasonCodes::DedicatedCredentialInvalid,
|
||||
ProviderReasonCodes::ProviderAuthFailed,
|
||||
ProviderReasonCodes::ProviderConnectionReviewRequired,
|
||||
ProviderReasonCodes::ProviderBindingUnsupported,
|
||||
ProviderReasonCodes::TenantTargetMismatch,
|
||||
ProviderReasonCodes::PlatformIdentityMissing,
|
||||
ProviderReasonCodes::PlatformIdentityIncomplete,
|
||||
ProviderReasonCodes::IntuneRbacNotConfigured,
|
||||
ProviderReasonCodes::IntuneRbacUnhealthy,
|
||||
ProviderReasonCodes::IntuneRbacStale => ContextualHelpCatalog::CONNECTION_UNHEALTHY,
|
||||
default => null,
|
||||
};
|
||||
}
|
||||
|
||||
private function supportDiagnosticsTopicKeyForReason(?string $reasonCode): ?string
|
||||
{
|
||||
if ($reasonCode === ProviderReasonCodes::ProviderPermissionRefreshFailed
|
||||
|| $reasonCode === ProviderReasonCodes::NetworkUnreachable
|
||||
|| $reasonCode === ProviderReasonCodes::RateLimited) {
|
||||
return ContextualHelpCatalog::RETRYABLE_PROVIDER_FAILURE;
|
||||
}
|
||||
|
||||
return $this->onboardingTopicKeyForReason($reasonCode);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param list<string> $defaultSteps
|
||||
* @param array<string, mixed> $context
|
||||
* @return list<string>
|
||||
*/
|
||||
private function troubleshootingSteps(array $defaultSteps, array $context): array
|
||||
{
|
||||
$contextSteps = $context['troubleshooting_steps'] ?? [];
|
||||
|
||||
if (! is_array($contextSteps)) {
|
||||
return $defaultSteps;
|
||||
}
|
||||
|
||||
$normalizedContextSteps = array_values(array_filter(array_map(
|
||||
fn (mixed $step): ?string => $this->stringOrNull($step),
|
||||
$contextSteps,
|
||||
)));
|
||||
|
||||
if ($normalizedContextSteps === []) {
|
||||
return $defaultSteps;
|
||||
}
|
||||
|
||||
return array_values(array_unique([...$defaultSteps, ...$normalizedContextSteps]));
|
||||
}
|
||||
|
||||
/**
|
||||
* @param list<array{label: string, kind: string, url?: string, resolver?: string}> $links
|
||||
* @param array<string, mixed> $context
|
||||
* @return list<array{label: string, kind: string, url: ?string, resolver: ?string}>
|
||||
*/
|
||||
private function resolveLinks(array $links, array $context): array
|
||||
{
|
||||
return array_values(array_filter(array_map(
|
||||
fn (array $link): ?array => $this->resolveLink($link, $context['tenant'] ?? null),
|
||||
$links,
|
||||
)));
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array{label: string, kind: string, url?: string, resolver?: string} $link
|
||||
* @return array{label: string, kind: string, url: ?string, resolver: ?string}|null
|
||||
*/
|
||||
private function resolveLink(array $link, mixed $tenant): ?array
|
||||
{
|
||||
$label = $this->stringOrNull($link['label'] ?? null);
|
||||
|
||||
if ($label === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$resolved = [
|
||||
'label' => $label,
|
||||
'kind' => $this->stringOrNull($link['kind'] ?? null) ?? 'url',
|
||||
'url' => $this->stringOrNull($link['url'] ?? null),
|
||||
'resolver' => $this->stringOrNull($link['resolver'] ?? null),
|
||||
];
|
||||
|
||||
if (! $tenant instanceof Tenant || $resolved['resolver'] === null) {
|
||||
return $resolved;
|
||||
}
|
||||
|
||||
$resolved['url'] = match ($resolved['resolver']) {
|
||||
ContextualHelpCatalog::LINK_RESOLVER_ADMIN_CONSENT_PRIMARY => RequiredPermissionsLinks::adminConsentPrimaryUrl($tenant),
|
||||
ContextualHelpCatalog::LINK_RESOLVER_REQUIRED_PERMISSIONS => RequiredPermissionsLinks::requiredPermissions($tenant),
|
||||
default => $resolved['url'],
|
||||
};
|
||||
|
||||
return $resolved;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param list<string> $terms
|
||||
* @return list<string>
|
||||
*/
|
||||
private function canonicalTerms(array $terms): array
|
||||
{
|
||||
return array_values(array_unique(array_filter(array_map(function (string $term): ?string {
|
||||
$canonical = $this->glossary->canonicalName($term);
|
||||
|
||||
return $canonical !== null ? trim($canonical) : $this->stringOrNull($term);
|
||||
}, $terms))));
|
||||
}
|
||||
|
||||
private function isVerificationFailure(?string $verificationOverall, ?string $runOutcome): bool
|
||||
{
|
||||
return in_array($verificationOverall, ['blocked', 'needs_attention'], true)
|
||||
|| in_array($runOutcome, ['failed', 'blocked', 'partially_succeeded'], true);
|
||||
}
|
||||
|
||||
private function stringOrNull(mixed $value): ?string
|
||||
{
|
||||
if (! is_string($value)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$trimmed = trim($value);
|
||||
|
||||
return $trimmed === '' ? null : $trimmed;
|
||||
}
|
||||
|
||||
private function firstNonEmpty(?string ...$values): string
|
||||
{
|
||||
foreach ($values as $value) {
|
||||
if ($value !== null && trim($value) !== '') {
|
||||
return $value;
|
||||
}
|
||||
}
|
||||
|
||||
return '';
|
||||
}
|
||||
}
|
||||
@ -4,9 +4,7 @@
|
||||
|
||||
namespace App\Support\Settings;
|
||||
|
||||
use App\Support\Ai\AiPolicyMode;
|
||||
use App\Models\Finding;
|
||||
use App\Services\Entitlements\WorkspacePlanProfileCatalog;
|
||||
|
||||
final class SettingsRegistry
|
||||
{
|
||||
@ -19,15 +17,6 @@ public function __construct()
|
||||
{
|
||||
$this->definitions = [];
|
||||
|
||||
$this->register(new SettingDefinition(
|
||||
domain: 'ai',
|
||||
key: 'policy_mode',
|
||||
type: 'string',
|
||||
systemDefault: AiPolicyMode::Disabled->value,
|
||||
rules: ['required', 'string', 'in:disabled,private_only'],
|
||||
normalizer: static fn (mixed $value): string => strtolower(trim((string) $value)),
|
||||
));
|
||||
|
||||
$this->register(new SettingDefinition(
|
||||
domain: 'backup',
|
||||
key: 'retention_keep_last_default',
|
||||
@ -229,91 +218,6 @@ static function (string $attribute, mixed $value, \Closure $fail): void {
|
||||
rules: ['required', 'integer', 'min:0', 'max:10080'],
|
||||
normalizer: static fn (mixed $value): int => (int) $value,
|
||||
));
|
||||
|
||||
$this->register(new SettingDefinition(
|
||||
domain: 'entitlements',
|
||||
key: 'plan_profile',
|
||||
type: 'string',
|
||||
systemDefault: WorkspacePlanProfileCatalog::defaultProfileId(),
|
||||
rules: [
|
||||
'nullable',
|
||||
'string',
|
||||
'in:'.implode(',', WorkspacePlanProfileCatalog::profileIds()),
|
||||
],
|
||||
normalizer: static function (mixed $value): ?string {
|
||||
if ($value === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$normalized = trim((string) $value);
|
||||
|
||||
return $normalized === '' ? null : $normalized;
|
||||
},
|
||||
));
|
||||
|
||||
$this->register(new SettingDefinition(
|
||||
domain: 'entitlements',
|
||||
key: 'managed_tenant_limit_override_value',
|
||||
type: 'int',
|
||||
systemDefault: null,
|
||||
rules: ['nullable', 'integer', 'min:0'],
|
||||
normalizer: static function (mixed $value): ?int {
|
||||
if ($value === null || $value === '') {
|
||||
return null;
|
||||
}
|
||||
|
||||
return (int) $value;
|
||||
},
|
||||
));
|
||||
|
||||
$this->register(new SettingDefinition(
|
||||
domain: 'entitlements',
|
||||
key: 'managed_tenant_limit_override_reason',
|
||||
type: 'string',
|
||||
systemDefault: null,
|
||||
rules: ['nullable', 'string', 'max:500'],
|
||||
normalizer: static function (mixed $value): ?string {
|
||||
if ($value === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$normalized = trim((string) $value);
|
||||
|
||||
return $normalized === '' ? null : $normalized;
|
||||
},
|
||||
));
|
||||
|
||||
$this->register(new SettingDefinition(
|
||||
domain: 'entitlements',
|
||||
key: 'review_pack_generation_override_value',
|
||||
type: 'bool',
|
||||
systemDefault: null,
|
||||
rules: ['nullable', 'boolean'],
|
||||
normalizer: static function (mixed $value): ?bool {
|
||||
if ($value === null || $value === '') {
|
||||
return null;
|
||||
}
|
||||
|
||||
return filter_var($value, FILTER_VALIDATE_BOOL);
|
||||
},
|
||||
));
|
||||
|
||||
$this->register(new SettingDefinition(
|
||||
domain: 'entitlements',
|
||||
key: 'review_pack_generation_override_reason',
|
||||
type: 'string',
|
||||
systemDefault: null,
|
||||
rules: ['nullable', 'string', 'max:500'],
|
||||
normalizer: static function (mixed $value): ?string {
|
||||
if ($value === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$normalized = trim((string) $value);
|
||||
|
||||
return $normalized === '' ? null : $normalized;
|
||||
},
|
||||
));
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@ -19,11 +19,9 @@
|
||||
use App\Models\TenantReview;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Support\Ai\AiDataClassification;
|
||||
use App\Support\Navigation\RelatedNavigationResolver;
|
||||
use App\Support\OperationRunLinks;
|
||||
use App\Support\OpsUx\GovernanceRunDiagnosticSummaryBuilder;
|
||||
use App\Support\ProductKnowledge\ContextualHelpResolver;
|
||||
use App\Support\Providers\ProviderReasonTranslator;
|
||||
use App\Support\Providers\TargetScope\ProviderConnectionSurfaceSummary;
|
||||
use App\Support\RedactionIntegrity;
|
||||
@ -49,7 +47,6 @@ public function __construct(
|
||||
private readonly GovernanceRunDiagnosticSummaryBuilder $runSummaryBuilder,
|
||||
private readonly ProviderReasonTranslator $providerReasonTranslator,
|
||||
private readonly RelatedNavigationResolver $relatedNavigationResolver,
|
||||
private readonly ContextualHelpResolver $contextualHelpResolver,
|
||||
) {}
|
||||
|
||||
/**
|
||||
@ -72,7 +69,6 @@ public function forTenant(Tenant $tenant, ?User $actor = null): array
|
||||
contextType: 'tenant',
|
||||
workspace: $workspace,
|
||||
tenant: $tenant,
|
||||
providerConnection: $providerConnection,
|
||||
operationRun: $operationRun,
|
||||
headline: 'Support diagnostics for '.$tenant->name,
|
||||
dominantIssue: $this->tenantDominantIssue($providerConnection, $operationRun, $findings),
|
||||
@ -113,7 +109,6 @@ public function forOperationRun(OperationRun $run, ?User $actor = null): array
|
||||
contextType: 'operation_run',
|
||||
workspace: $workspace,
|
||||
tenant: $tenant,
|
||||
providerConnection: $providerConnection,
|
||||
operationRun: $run,
|
||||
headline: $runSummaryArray['headline'] ?? OperationRunLinks::identifier($run).' support diagnostics',
|
||||
dominantIssue: (string) data_get(
|
||||
@ -134,39 +129,6 @@ public function forOperationRun(OperationRun $run, ?User $actor = null): array
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{
|
||||
* use_case_key: string,
|
||||
* source_family: string,
|
||||
* data_classifications: list<string>,
|
||||
* summary: array{
|
||||
* headline: string,
|
||||
* dominant_issue: string,
|
||||
* freshness_state: string,
|
||||
* completeness_note: ?string,
|
||||
* redaction_note: string,
|
||||
* generated_from: string
|
||||
* },
|
||||
* redaction: array{mode: string, markers: list<string>},
|
||||
* notes: list<string>
|
||||
* }
|
||||
*/
|
||||
public function aiSupportDiagnosticsSummaryDraftSource(Tenant $tenant, ?User $actor = null): array
|
||||
{
|
||||
$bundle = $this->forTenant($tenant, $actor);
|
||||
|
||||
return [
|
||||
'use_case_key' => 'support_diagnostics.summary_draft',
|
||||
'source_family' => 'support_diagnostics',
|
||||
'data_classifications' => [
|
||||
AiDataClassification::RedactedSupportSummary->value,
|
||||
],
|
||||
'summary' => $bundle['summary'],
|
||||
'redaction' => $bundle['redaction'],
|
||||
'notes' => $bundle['notes'],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param list<array<string, mixed>> $sections
|
||||
* @return array<string, mixed>
|
||||
@ -175,7 +137,6 @@ private function bundle(
|
||||
string $contextType,
|
||||
?Workspace $workspace,
|
||||
?Tenant $tenant,
|
||||
?ProviderConnection $providerConnection,
|
||||
?OperationRun $operationRun,
|
||||
string $headline,
|
||||
string $dominantIssue,
|
||||
@ -183,7 +144,6 @@ private function bundle(
|
||||
): array {
|
||||
$sections = $this->sortSections($sections);
|
||||
$redactionMarkers = RedactionIntegrity::supportDiagnosticsMarkers();
|
||||
$contextualHelp = $this->contextualHelp($tenant, $providerConnection, $operationRun, $sections);
|
||||
|
||||
return [
|
||||
'context_type' => $contextType,
|
||||
@ -213,7 +173,6 @@ private function bundle(
|
||||
'redaction_note' => RedactionIntegrity::supportDiagnosticsNote(),
|
||||
'generated_from' => 'derived_existing_truth',
|
||||
],
|
||||
'contextual_help' => $contextualHelp,
|
||||
'sections' => $sections,
|
||||
'redaction' => [
|
||||
'mode' => 'default_redacted',
|
||||
@ -226,60 +185,6 @@ private function bundle(
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param list<array<string, mixed>> $sections
|
||||
* @return array<string, mixed>|null
|
||||
*/
|
||||
private function contextualHelp(
|
||||
?Tenant $tenant,
|
||||
?ProviderConnection $providerConnection,
|
||||
?OperationRun $operationRun,
|
||||
array $sections,
|
||||
): ?array {
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$reasonCode = $this->supportDiagnosticReasonCode($providerConnection, $operationRun);
|
||||
$topicKey = $this->contextualHelpResolver->topicKeyForSupportDiagnostics(
|
||||
reasonCode: $reasonCode,
|
||||
hasIncompleteEvidence: $this->completenessNote($sections) !== null,
|
||||
runOutcome: $operationRun instanceof OperationRun && is_string($operationRun->outcome)
|
||||
? (string) $operationRun->outcome
|
||||
: null,
|
||||
);
|
||||
|
||||
if ($topicKey === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $this->contextualHelpResolver->tryResolve($topicKey, [
|
||||
'tenant' => $tenant,
|
||||
'connection' => $providerConnection,
|
||||
'reason_code' => $reasonCode,
|
||||
'surface' => 'support_diagnostics',
|
||||
]);
|
||||
}
|
||||
|
||||
private function supportDiagnosticReasonCode(?ProviderConnection $providerConnection, ?OperationRun $operationRun): ?string
|
||||
{
|
||||
$providerReasonCode = is_string($providerConnection?->last_error_reason_code)
|
||||
? trim((string) $providerConnection->last_error_reason_code)
|
||||
: '';
|
||||
|
||||
if ($providerReasonCode !== '') {
|
||||
return $providerReasonCode;
|
||||
}
|
||||
|
||||
$failureReasonCode = data_get($operationRun?->failure_summary, '0.reason_code');
|
||||
|
||||
if (is_string($failureReasonCode) && trim($failureReasonCode) !== '') {
|
||||
return trim($failureReasonCode);
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
private function tenantProviderConnection(Tenant $tenant): ?ProviderConnection
|
||||
{
|
||||
return ProviderConnection::query()
|
||||
|
||||
@ -1,129 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\SupportRequests;
|
||||
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Support\SupportDiagnostics\SupportDiagnosticBundleBuilder;
|
||||
|
||||
final class SupportRequestContextBuilder
|
||||
{
|
||||
public const ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED = 'diagnostic_snapshot_attached';
|
||||
|
||||
public const ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY = 'canonical_context_only';
|
||||
|
||||
public function __construct(
|
||||
private readonly SupportDiagnosticBundleBuilder $supportDiagnosticBundleBuilder,
|
||||
) {}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
public function forTenant(Tenant $tenant, User $actor, bool $attachDiagnosticSnapshot): array
|
||||
{
|
||||
return $this->buildEnvelope(
|
||||
bundle: $this->supportDiagnosticBundleBuilder->forTenant($tenant, $actor),
|
||||
attachDiagnosticSnapshot: $attachDiagnosticSnapshot,
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
public function forOperationRun(OperationRun $run, User $actor, bool $attachDiagnosticSnapshot): array
|
||||
{
|
||||
return $this->buildEnvelope(
|
||||
bundle: $this->supportDiagnosticBundleBuilder->forOperationRun($run, $actor),
|
||||
attachDiagnosticSnapshot: $attachDiagnosticSnapshot,
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $bundle
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
private function buildEnvelope(array $bundle, bool $attachDiagnosticSnapshot): array
|
||||
{
|
||||
$attachmentMode = $attachDiagnosticSnapshot
|
||||
? self::ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED
|
||||
: self::ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY;
|
||||
|
||||
return [
|
||||
'schema_version' => 1,
|
||||
'generated_from' => 'support_diagnostics_bundle',
|
||||
'attachment_mode' => $attachmentMode,
|
||||
'redaction_mode' => (string) data_get($bundle, 'redaction.mode', 'default_redacted'),
|
||||
'primary_context' => [
|
||||
'type' => (string) data_get($bundle, 'context.type'),
|
||||
'workspace_id' => data_get($bundle, 'context.workspace_id'),
|
||||
'tenant_id' => data_get($bundle, 'context.tenant_id'),
|
||||
'operation_run_id' => data_get($bundle, 'context.operation_run_id'),
|
||||
'workspace_label' => data_get($bundle, 'context.workspace_label'),
|
||||
'tenant_label' => data_get($bundle, 'context.tenant_label'),
|
||||
],
|
||||
'canonical_context' => [
|
||||
'headline' => (string) data_get($bundle, 'summary.headline', data_get($bundle, 'headline')),
|
||||
'dominant_issue' => (string) data_get($bundle, 'summary.dominant_issue', data_get($bundle, 'dominant_issue')),
|
||||
'freshness_state' => (string) data_get($bundle, 'freshness_state'),
|
||||
'completeness_note' => data_get($bundle, 'summary.completeness_note'),
|
||||
'redaction_note' => data_get($bundle, 'summary.redaction_note'),
|
||||
'context' => data_get($bundle, 'context', []),
|
||||
'tenant' => data_get($bundle, 'tenant'),
|
||||
'operation_run' => data_get($bundle, 'operation_run'),
|
||||
'sections' => $this->canonicalSections($bundle),
|
||||
'notes' => is_array($bundle['notes'] ?? null)
|
||||
? array_values($bundle['notes'])
|
||||
: [],
|
||||
],
|
||||
'diagnostic_snapshot' => $attachDiagnosticSnapshot
|
||||
? [
|
||||
'contextual_help' => data_get($bundle, 'contextual_help'),
|
||||
'sections' => is_array($bundle['sections'] ?? null)
|
||||
? array_values($bundle['sections'])
|
||||
: [],
|
||||
'redaction' => is_array($bundle['redaction'] ?? null)
|
||||
? $bundle['redaction']
|
||||
: [],
|
||||
'notes' => is_array($bundle['notes'] ?? null)
|
||||
? array_values($bundle['notes'])
|
||||
: [],
|
||||
]
|
||||
: null,
|
||||
'omissions' => $attachDiagnosticSnapshot
|
||||
? []
|
||||
: [[
|
||||
'type' => 'diagnostic_snapshot',
|
||||
'reason' => 'omitted_without_support_diagnostics_view',
|
||||
'message' => 'Redacted diagnostic evidence was omitted because the creator could not view support diagnostics.',
|
||||
]],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $bundle
|
||||
* @return list<array<string, mixed>>
|
||||
*/
|
||||
private function canonicalSections(array $bundle): array
|
||||
{
|
||||
if (! is_array($bundle['sections'] ?? null)) {
|
||||
return [];
|
||||
}
|
||||
|
||||
return array_values(array_map(
|
||||
static fn (array $section): array => [
|
||||
'key' => (string) ($section['key'] ?? ''),
|
||||
'label' => (string) ($section['label'] ?? ''),
|
||||
'availability' => (string) ($section['availability'] ?? 'missing'),
|
||||
'summary' => (string) ($section['summary'] ?? ''),
|
||||
'freshness_note' => $section['freshness_note'] ?? null,
|
||||
'references' => is_array($section['references'] ?? null)
|
||||
? array_values($section['references'])
|
||||
: [],
|
||||
],
|
||||
$bundle['sections'],
|
||||
));
|
||||
}
|
||||
}
|
||||
@ -1,15 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\SupportRequests;
|
||||
|
||||
use Illuminate\Support\Str;
|
||||
|
||||
final class SupportRequestReferenceGenerator
|
||||
{
|
||||
public function generate(): string
|
||||
{
|
||||
return 'SR-'.strtoupper((string) Str::ulid());
|
||||
}
|
||||
}
|
||||
@ -1,186 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Support\SupportRequests;
|
||||
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\SupportRequest;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Services\Audit\WorkspaceAuditLogger;
|
||||
use App\Services\Auth\CapabilityResolver;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use Illuminate\Validation\Rule;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
|
||||
final class SupportRequestSubmissionService
|
||||
{
|
||||
public function __construct(
|
||||
private readonly CapabilityResolver $capabilityResolver,
|
||||
private readonly SupportRequestContextBuilder $supportRequestContextBuilder,
|
||||
private readonly SupportRequestReferenceGenerator $supportRequestReferenceGenerator,
|
||||
private readonly WorkspaceAuditLogger $workspaceAuditLogger,
|
||||
) {}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $data
|
||||
*/
|
||||
public function submitForTenant(Tenant $tenant, User $actor, array $data): SupportRequest
|
||||
{
|
||||
$this->authorizeCreation($tenant, $actor);
|
||||
|
||||
return $this->submit(
|
||||
tenant: $tenant,
|
||||
actor: $actor,
|
||||
data: $data,
|
||||
primaryContextType: SupportRequest::PRIMARY_CONTEXT_TENANT,
|
||||
operationRun: null,
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $data
|
||||
*/
|
||||
public function submitForOperationRun(OperationRun $run, User $actor, array $data): SupportRequest
|
||||
{
|
||||
$run->loadMissing('tenant.workspace');
|
||||
|
||||
$tenant = $run->tenant;
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$this->authorizeCreation($tenant, $actor);
|
||||
|
||||
return $this->submit(
|
||||
tenant: $tenant,
|
||||
actor: $actor,
|
||||
data: $data,
|
||||
primaryContextType: SupportRequest::PRIMARY_CONTEXT_OPERATION_RUN,
|
||||
operationRun: $run,
|
||||
);
|
||||
}
|
||||
|
||||
private function authorizeCreation(Tenant $tenant, User $actor): void
|
||||
{
|
||||
if (! $this->capabilityResolver->isMember($actor, $tenant)) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if (! $this->capabilityResolver->can($actor, $tenant, Capabilities::SUPPORT_REQUESTS_CREATE)) {
|
||||
abort(403);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $data
|
||||
*/
|
||||
private function submit(
|
||||
Tenant $tenant,
|
||||
User $actor,
|
||||
array $data,
|
||||
string $primaryContextType,
|
||||
?OperationRun $operationRun,
|
||||
): SupportRequest {
|
||||
$validated = $this->validate($data);
|
||||
$attachDiagnosticSnapshot = $this->capabilityResolver->can($actor, $tenant, Capabilities::SUPPORT_DIAGNOSTICS_VIEW);
|
||||
|
||||
$contextEnvelope = $operationRun instanceof OperationRun
|
||||
? $this->supportRequestContextBuilder->forOperationRun($operationRun, $actor, $attachDiagnosticSnapshot)
|
||||
: $this->supportRequestContextBuilder->forTenant($tenant, $actor, $attachDiagnosticSnapshot);
|
||||
|
||||
$contactName = $validated['contact_name'] ?? $this->normalizeNullableString($actor->name) ?? $this->normalizeNullableString($actor->email);
|
||||
$contactEmail = $validated['contact_email'] ?? $this->normalizeNullableString($actor->email);
|
||||
$connection = SupportRequest::query()->getModel()->getConnection();
|
||||
|
||||
return $connection->transaction(function () use (
|
||||
$actor,
|
||||
$contactEmail,
|
||||
$contactName,
|
||||
$contextEnvelope,
|
||||
$operationRun,
|
||||
$primaryContextType,
|
||||
$tenant,
|
||||
$validated,
|
||||
): SupportRequest {
|
||||
$supportRequest = SupportRequest::query()->create([
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'operation_run_id' => $operationRun instanceof OperationRun ? (int) $operationRun->getKey() : null,
|
||||
'initiated_by_user_id' => (int) $actor->getKey(),
|
||||
'internal_reference' => $this->supportRequestReferenceGenerator->generate(),
|
||||
'primary_context_type' => $primaryContextType,
|
||||
'attachment_mode' => (string) data_get($contextEnvelope, 'attachment_mode', SupportRequest::ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY),
|
||||
'severity' => $validated['severity'],
|
||||
'summary' => $validated['summary'],
|
||||
'reproduction_notes' => $validated['reproduction_notes'],
|
||||
'contact_name' => $contactName,
|
||||
'contact_email' => $contactEmail,
|
||||
'context_envelope' => $contextEnvelope,
|
||||
]);
|
||||
|
||||
$supportRequest->loadMissing(['tenant.workspace']);
|
||||
|
||||
$this->workspaceAuditLogger->logSupportRequestCreated($supportRequest, $actor);
|
||||
|
||||
return $supportRequest;
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $data
|
||||
* @return array{
|
||||
* severity: string,
|
||||
* summary: string,
|
||||
* reproduction_notes: ?string,
|
||||
* contact_name: ?string,
|
||||
* contact_email: ?string,
|
||||
* }
|
||||
*/
|
||||
private function validate(array $data): array
|
||||
{
|
||||
$validated = validator(
|
||||
[
|
||||
'severity' => $data['severity'] ?? SupportRequest::SEVERITY_NORMAL,
|
||||
'summary' => $data['summary'] ?? null,
|
||||
'reproduction_notes' => $data['reproduction_notes'] ?? null,
|
||||
'contact_name' => $data['contact_name'] ?? null,
|
||||
'contact_email' => $data['contact_email'] ?? null,
|
||||
],
|
||||
[
|
||||
'severity' => ['required', 'string', Rule::in(SupportRequest::severityValues())],
|
||||
'summary' => ['required', 'string'],
|
||||
'reproduction_notes' => ['nullable', 'string'],
|
||||
'contact_name' => ['nullable', 'string'],
|
||||
'contact_email' => ['nullable', 'email'],
|
||||
],
|
||||
)->validate();
|
||||
|
||||
$validated['summary'] = trim((string) $validated['summary']);
|
||||
|
||||
if ($validated['summary'] === '') {
|
||||
throw ValidationException::withMessages([
|
||||
'summary' => 'The summary field is required.',
|
||||
]);
|
||||
}
|
||||
|
||||
$validated['reproduction_notes'] = $this->normalizeNullableString($validated['reproduction_notes'] ?? null);
|
||||
$validated['contact_name'] = $this->normalizeNullableString($validated['contact_name'] ?? null);
|
||||
$validated['contact_email'] = $this->normalizeNullableString($validated['contact_email'] ?? null);
|
||||
|
||||
return $validated;
|
||||
}
|
||||
|
||||
private function normalizeNullableString(mixed $value): ?string
|
||||
{
|
||||
if (! is_string($value)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$normalized = trim($value);
|
||||
|
||||
return $normalized === '' ? null : $normalized;
|
||||
}
|
||||
}
|
||||
@ -39,7 +39,6 @@
|
||||
use App\Filament\System\Pages\Dashboard as SystemDashboard;
|
||||
use App\Filament\System\Pages\Directory\ViewTenant as SystemDirectoryViewTenant;
|
||||
use App\Filament\System\Pages\Directory\ViewWorkspace as SystemDirectoryViewWorkspace;
|
||||
use App\Filament\System\Pages\Ops\Controls;
|
||||
use App\Filament\System\Pages\Ops\Runbooks;
|
||||
use App\Filament\System\Pages\Ops\ViewRun;
|
||||
use App\Filament\System\Pages\RepairWorkspaceOwners;
|
||||
@ -662,32 +661,6 @@ public static function spec195ResidualSurfaceInventory(): array
|
||||
'mustRemainBaselineExempt' => false,
|
||||
'mustNotRemainBaselineExempt' => true,
|
||||
],
|
||||
Controls::class => [
|
||||
'surfaceKey' => 'system_ops_controls',
|
||||
'surfaceName' => 'System Ops Controls',
|
||||
'pageClass' => Controls::class,
|
||||
'panelPlane' => 'system',
|
||||
'surfaceKind' => 'system_utility',
|
||||
'discoveryState' => 'outside_primary_discovery',
|
||||
'closureDecision' => 'separately_governed',
|
||||
'reasonCategory' => 'workflow_specific_governance',
|
||||
'explicitReason' => 'Operational controls is a dedicated system control workbench with confirmation-backed pause, resume, and history actions plus restore-gate coupling, so it remains governed by focused workflow tests instead of the generic declaration-backed contract.',
|
||||
'evidence' => [
|
||||
[
|
||||
'kind' => 'feature_livewire_test',
|
||||
'reference' => 'tests/Feature/System/OpsControls/OperationalControlManagementTest.php',
|
||||
'proves' => 'The controls page keeps capability-gated operational-control actions, confirmation semantics, scope previews, and audited pause or resume behavior under dedicated coverage.',
|
||||
],
|
||||
[
|
||||
'kind' => 'feature_livewire_test',
|
||||
'reference' => 'tests/Feature/Restore/OperationalControlRestoreExecutionGateTest.php',
|
||||
'proves' => 'Restore execution stays coupled to the shared operational-control workflow, including blocked execution and non-retroactive pause behavior after acceptance.',
|
||||
],
|
||||
],
|
||||
'followUpAction' => 'add_guard_only',
|
||||
'mustRemainBaselineExempt' => false,
|
||||
'mustNotRemainBaselineExempt' => true,
|
||||
],
|
||||
RepairWorkspaceOwners::class => [
|
||||
'surfaceKey' => 'repair_workspace_owners',
|
||||
'surfaceName' => 'Repair Workspace Owners',
|
||||
|
||||
@ -1,98 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace Database\Factories;
|
||||
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\SupportRequest;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use Illuminate\Database\Eloquent\Factories\Factory;
|
||||
use Illuminate\Support\Str;
|
||||
|
||||
/**
|
||||
* @extends \Illuminate\Database\Eloquent\Factories\Factory<\App\Models\SupportRequest>
|
||||
*/
|
||||
class SupportRequestFactory extends Factory
|
||||
{
|
||||
protected $model = SupportRequest::class;
|
||||
|
||||
/**
|
||||
* Define the model's default state.
|
||||
*
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
public function definition(): array
|
||||
{
|
||||
return [
|
||||
'tenant_id' => Tenant::factory(),
|
||||
'initiated_by_user_id' => User::factory(),
|
||||
'internal_reference' => 'SR-'.strtoupper((string) Str::ulid()),
|
||||
'primary_context_type' => SupportRequest::PRIMARY_CONTEXT_TENANT,
|
||||
'attachment_mode' => SupportRequest::ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED,
|
||||
'severity' => SupportRequest::SEVERITY_NORMAL,
|
||||
'summary' => fake()->sentence(),
|
||||
'reproduction_notes' => fake()->optional()->paragraph(),
|
||||
'contact_name' => fake()->name(),
|
||||
'contact_email' => fake()->safeEmail(),
|
||||
'context_envelope' => [
|
||||
'schema_version' => 1,
|
||||
'generated_from' => 'factory',
|
||||
'attachment_mode' => SupportRequest::ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED,
|
||||
'primary_context' => [
|
||||
'type' => SupportRequest::PRIMARY_CONTEXT_TENANT,
|
||||
],
|
||||
'canonical_context' => [
|
||||
'sections' => [],
|
||||
],
|
||||
'diagnostic_snapshot' => [
|
||||
'sections' => [],
|
||||
],
|
||||
'omissions' => [],
|
||||
],
|
||||
];
|
||||
}
|
||||
|
||||
public function canonicalContextOnly(): static
|
||||
{
|
||||
return $this->state(fn (array $attributes): array => [
|
||||
'attachment_mode' => SupportRequest::ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY,
|
||||
'context_envelope' => array_replace_recursive($attributes['context_envelope'] ?? [], [
|
||||
'attachment_mode' => SupportRequest::ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY,
|
||||
'diagnostic_snapshot' => null,
|
||||
'omissions' => [[
|
||||
'type' => 'diagnostic_snapshot',
|
||||
'reason' => 'omitted_without_support_diagnostics_view',
|
||||
]],
|
||||
]),
|
||||
]);
|
||||
}
|
||||
|
||||
public function forOperationRun(OperationRun $operationRun): static
|
||||
{
|
||||
return $this->state(fn (): array => [
|
||||
'tenant_id' => (int) $operationRun->tenant_id,
|
||||
'workspace_id' => (int) $operationRun->workspace_id,
|
||||
'operation_run_id' => (int) $operationRun->getKey(),
|
||||
'primary_context_type' => SupportRequest::PRIMARY_CONTEXT_OPERATION_RUN,
|
||||
'context_envelope' => [
|
||||
'schema_version' => 1,
|
||||
'generated_from' => 'factory',
|
||||
'attachment_mode' => SupportRequest::ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED,
|
||||
'primary_context' => [
|
||||
'type' => SupportRequest::PRIMARY_CONTEXT_OPERATION_RUN,
|
||||
'tenant_id' => (int) $operationRun->tenant_id,
|
||||
'operation_run_id' => (int) $operationRun->getKey(),
|
||||
],
|
||||
'canonical_context' => [
|
||||
'sections' => [],
|
||||
],
|
||||
'diagnostic_snapshot' => [
|
||||
'sections' => [],
|
||||
],
|
||||
'omissions' => [],
|
||||
],
|
||||
]);
|
||||
}
|
||||
}
|
||||
@ -1,46 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use Illuminate\Database\Migrations\Migration;
|
||||
use Illuminate\Database\Schema\Blueprint;
|
||||
use Illuminate\Support\Facades\Schema;
|
||||
|
||||
return new class extends Migration
|
||||
{
|
||||
/**
|
||||
* Run the migrations.
|
||||
*/
|
||||
public function up(): void
|
||||
{
|
||||
Schema::create('support_requests', function (Blueprint $table): void {
|
||||
$table->id();
|
||||
$table->foreignId('workspace_id')->constrained('workspaces')->cascadeOnDelete();
|
||||
$table->foreignId('tenant_id')->constrained('tenants')->cascadeOnDelete();
|
||||
$table->foreignId('operation_run_id')->nullable()->constrained('operation_runs')->nullOnDelete();
|
||||
$table->foreignId('initiated_by_user_id')->nullable()->constrained('users')->nullOnDelete();
|
||||
$table->string('internal_reference')->unique();
|
||||
$table->string('primary_context_type');
|
||||
$table->string('attachment_mode');
|
||||
$table->string('severity');
|
||||
$table->text('summary');
|
||||
$table->text('reproduction_notes')->nullable();
|
||||
$table->string('contact_name')->nullable();
|
||||
$table->string('contact_email')->nullable();
|
||||
$table->jsonb('context_envelope')->default('{}');
|
||||
$table->timestamps();
|
||||
|
||||
$table->index(['workspace_id', 'tenant_id']);
|
||||
$table->index(['tenant_id', 'created_at']);
|
||||
$table->index(['operation_run_id', 'created_at']);
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Reverse the migrations.
|
||||
*/
|
||||
public function down(): void
|
||||
{
|
||||
Schema::dropIfExists('support_requests');
|
||||
}
|
||||
};
|
||||
@ -1,80 +0,0 @@
|
||||
@php
|
||||
$help = is_array($help ?? null) ? $help : [];
|
||||
$links = is_array($help['docs_links'] ?? null) ? $help['docs_links'] : [];
|
||||
$steps = is_array($help['troubleshooting_steps'] ?? null) ? $help['troubleshooting_steps'] : [];
|
||||
$headline = is_string($help['headline'] ?? null) && trim((string) ($help['headline'] ?? '')) !== ''
|
||||
? (string) ($help['headline'])
|
||||
: 'Contextual help';
|
||||
$reasonLabel = is_string($help['reason_label'] ?? null) && trim((string) ($help['reason_label'] ?? '')) !== ''
|
||||
? (string) $help['reason_label']
|
||||
: null;
|
||||
$showReasonLabel = $reasonLabel !== null && trim(mb_strtolower($reasonLabel)) !== trim(mb_strtolower($headline));
|
||||
@endphp
|
||||
|
||||
@if ($help !== [])
|
||||
<div class="rounded-lg border border-gray-200 bg-white p-4 shadow-sm dark:border-gray-700 dark:bg-gray-900/80" data-testid="contextual-help-block">
|
||||
<div class="space-y-3">
|
||||
<div class="flex flex-wrap items-center gap-2">
|
||||
<x-filament::badge color="info" size="sm">
|
||||
Contextual help
|
||||
</x-filament::badge>
|
||||
|
||||
@if ($showReasonLabel)
|
||||
<x-filament::badge color="gray" size="sm">
|
||||
{{ $reasonLabel }}
|
||||
</x-filament::badge>
|
||||
@endif
|
||||
</div>
|
||||
|
||||
<div class="space-y-1">
|
||||
<div class="text-sm font-semibold text-gray-950 dark:text-white">
|
||||
{{ $headline }}
|
||||
</div>
|
||||
<div class="text-sm text-gray-700 dark:text-gray-200">
|
||||
{{ (string) ($help['short_explanation'] ?? '') }}
|
||||
</div>
|
||||
</div>
|
||||
|
||||
@if (is_string($help['safe_next_action'] ?? null) && trim((string) ($help['safe_next_action'] ?? '')) !== '')
|
||||
<x-filament::callout
|
||||
color="info"
|
||||
heading="Safe next action"
|
||||
:description="(string) $help['safe_next_action']"
|
||||
/>
|
||||
@endif
|
||||
|
||||
@if ($steps !== [])
|
||||
<ul class="list-disc space-y-1 pl-5 text-sm text-gray-700 dark:text-gray-200">
|
||||
@foreach ($steps as $step)
|
||||
@if (is_string($step) && trim($step) !== '')
|
||||
<li>{{ $step }}</li>
|
||||
@endif
|
||||
@endforeach
|
||||
</ul>
|
||||
@endif
|
||||
|
||||
@if ($links !== [])
|
||||
<div class="flex flex-wrap gap-2">
|
||||
@foreach ($links as $link)
|
||||
@php
|
||||
$linkUrl = is_string($link['url'] ?? null) && trim((string) ($link['url'] ?? '')) !== ''
|
||||
? (string) $link['url']
|
||||
: null;
|
||||
@endphp
|
||||
|
||||
@if ($linkUrl)
|
||||
<x-filament::button
|
||||
tag="a"
|
||||
:href="$linkUrl"
|
||||
size="sm"
|
||||
color="primary"
|
||||
>
|
||||
{{ (string) ($link['label'] ?? 'Open') }}
|
||||
</x-filament::button>
|
||||
@endif
|
||||
@endforeach
|
||||
</div>
|
||||
@endif
|
||||
</div>
|
||||
</div>
|
||||
@endif
|
||||
@ -6,7 +6,6 @@
|
||||
$redactionNotes = is_array($redactionNotes ?? null)
|
||||
? array_values(array_filter($redactionNotes, 'is_string'))
|
||||
: [];
|
||||
$contextualHelp = is_array($contextualHelp ?? null) ? $contextualHelp : null;
|
||||
$assistVisibility = is_array($assistVisibility ?? null) ? $assistVisibility : [];
|
||||
$assistActionName = is_string($assistActionName ?? null) && trim((string) $assistActionName) !== ''
|
||||
? trim((string) $assistActionName)
|
||||
@ -15,6 +14,12 @@
|
||||
? trim((string) $technicalDetailsActionName)
|
||||
: 'wizardVerificationTechnicalDetails';
|
||||
$showAssist = (bool) ($assistVisibility['is_visible'] ?? false);
|
||||
$assistReason = is_string($assistVisibility['reason'] ?? null) ? (string) $assistVisibility['reason'] : 'hidden_irrelevant';
|
||||
$assistDescription = match ($assistReason) {
|
||||
'permission_blocked' => 'Stored permission diagnostics show blockers. Review them without leaving onboarding.',
|
||||
'permission_attention' => 'Stored permission diagnostics need attention before you rerun verification.',
|
||||
default => 'Review required permissions without leaving onboarding.',
|
||||
};
|
||||
$completedAt = is_string($run['completed_at'] ?? null) && trim((string) $run['completed_at']) !== '' ? (string) $run['completed_at'] : null;
|
||||
$completedAtLabel = null;
|
||||
|
||||
@ -47,7 +52,7 @@
|
||||
<x-dynamic-component :component="$fieldWrapperView" :field="$field">
|
||||
<div class="space-y-4">
|
||||
<x-filament::section
|
||||
heading="Stored verification details"
|
||||
heading="Verification report"
|
||||
:description="$completedAtLabel ? ('Completed: ' . $completedAtLabel) : 'Stored details for the latest verification operation.'"
|
||||
>
|
||||
@if ($runState === 'no_run')
|
||||
@ -108,8 +113,28 @@
|
||||
</x-filament::button>
|
||||
</div>
|
||||
|
||||
@if ($contextualHelp !== null)
|
||||
@include('filament.components.product-knowledge.contextual-help', ['help' => $contextualHelp])
|
||||
@if ($showAssist)
|
||||
<div class="rounded-lg border border-warning-300 bg-warning-50 p-4 shadow-sm dark:border-warning-700 dark:bg-warning-950/40">
|
||||
<div class="flex flex-wrap items-start justify-between gap-3">
|
||||
<div class="space-y-1">
|
||||
<div class="text-sm font-semibold text-warning-950 dark:text-warning-50">
|
||||
Required permissions assist
|
||||
</div>
|
||||
<div class="text-sm text-warning-900 dark:text-warning-100">
|
||||
{{ $assistDescription }}
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<x-filament::button
|
||||
size="sm"
|
||||
color="warning"
|
||||
data-testid="verification-assist-trigger"
|
||||
wire:click="mountAction('{{ $assistActionName }}')"
|
||||
>
|
||||
View required permissions
|
||||
</x-filament::button>
|
||||
</div>
|
||||
</div>
|
||||
@endif
|
||||
|
||||
@include('filament.components.verification-report-viewer', [
|
||||
|
||||
@ -66,10 +66,6 @@
|
||||
</dl>
|
||||
</x-filament::section>
|
||||
|
||||
@if (is_array($bundle['contextual_help'] ?? null))
|
||||
@include('filament.components.product-knowledge.contextual-help', ['help' => $bundle['contextual_help']])
|
||||
@endif
|
||||
|
||||
@if ($notes !== [])
|
||||
<x-filament::section
|
||||
heading="Support notes"
|
||||
@ -164,4 +160,3 @@
|
||||
@endforeach
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
@ -1,19 +0,0 @@
|
||||
<x-filament-panels::page>
|
||||
<x-filament::section>
|
||||
<div class="flex flex-col gap-3">
|
||||
<div class="text-lg font-semibold text-gray-900 dark:text-gray-100">
|
||||
Customer-safe review workspace
|
||||
</div>
|
||||
|
||||
<div class="text-sm text-gray-600 dark:text-gray-300">
|
||||
Review the latest published customer-safe posture for each entitled tenant without leaving the current workspace context.
|
||||
</div>
|
||||
|
||||
<div class="text-sm text-gray-600 dark:text-gray-300">
|
||||
Opening a row returns to the existing tenant review detail so evidence, review packs, and audit-aware proof remain on their canonical tenant-scoped surfaces.
|
||||
</div>
|
||||
</div>
|
||||
</x-filament::section>
|
||||
|
||||
{{ $this->table }}
|
||||
</x-filament-panels::page>
|
||||
@ -1,59 +0,0 @@
|
||||
@php
|
||||
/** @var array{
|
||||
* overall: array{label: string, color: string, icon: string|null},
|
||||
* reason: string,
|
||||
* impact: string,
|
||||
* recommended_action: string,
|
||||
* dominant_dimensions: list<array{label: string, color: string, icon: string|null}>,
|
||||
* window_label: string
|
||||
* } $decision */
|
||||
@endphp
|
||||
|
||||
<x-filament::section>
|
||||
<x-slot name="heading">
|
||||
Customer health decision
|
||||
</x-slot>
|
||||
|
||||
<x-slot name="description">
|
||||
Decision-first summary. Operational stability, review-pack readiness, and engagement freshness honor {{ $decision['window_label'] }}.
|
||||
</x-slot>
|
||||
|
||||
<div class="space-y-5">
|
||||
<div class="flex flex-wrap items-center gap-3">
|
||||
<div>
|
||||
<p class="text-sm font-medium text-gray-950 dark:text-white">Overall health</p>
|
||||
</div>
|
||||
|
||||
<x-filament::badge :color="$decision['overall']['color']" :icon="$decision['overall']['icon']">
|
||||
{{ $decision['overall']['label'] }}
|
||||
</x-filament::badge>
|
||||
</div>
|
||||
|
||||
<div class="space-y-2">
|
||||
<p class="text-sm font-medium text-gray-950 dark:text-white">Reason</p>
|
||||
<p class="text-sm leading-6 text-gray-600 dark:text-gray-300">{{ $decision['reason'] }}</p>
|
||||
|
||||
@if ($decision['dominant_dimensions'] !== [])
|
||||
<div class="flex flex-wrap gap-2">
|
||||
@foreach ($decision['dominant_dimensions'] as $dimension)
|
||||
<x-filament::badge :color="$dimension['color']" :icon="$dimension['icon']">
|
||||
{{ $dimension['label'] }}
|
||||
</x-filament::badge>
|
||||
@endforeach
|
||||
</div>
|
||||
@endif
|
||||
</div>
|
||||
|
||||
<div class="grid grid-cols-1 gap-5 lg:grid-cols-2">
|
||||
<div class="space-y-2">
|
||||
<p class="text-sm font-medium text-gray-950 dark:text-white">Impact</p>
|
||||
<p class="text-sm leading-6 text-gray-600 dark:text-gray-300">{{ $decision['impact'] }}</p>
|
||||
</div>
|
||||
|
||||
<div class="space-y-2">
|
||||
<p class="text-sm font-medium text-gray-950 dark:text-white">Recommended next action</p>
|
||||
<p class="text-sm leading-6 text-gray-600 dark:text-gray-300">{{ $decision['recommended_action'] }}</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</x-filament::section>
|
||||
@ -1,7 +1,6 @@
|
||||
@php
|
||||
/** @var \App\Models\Tenant $tenant */
|
||||
$tenant = $this->tenant;
|
||||
$customerHealthDecision = $this->customerHealthDecision();
|
||||
$providerConnections = $this->providerConnections();
|
||||
$permissions = $this->tenantPermissions();
|
||||
$runs = $this->recentRuns();
|
||||
@ -33,19 +32,11 @@
|
||||
|
||||
<div class="mt-4">
|
||||
<x-filament::link :href="$this->adminTenantUrl()" icon="heroicon-m-arrow-top-right-on-square">
|
||||
Open in tenant admin
|
||||
Open in /admin
|
||||
</x-filament::link>
|
||||
|
||||
<p class="mt-2 text-xs text-gray-500 dark:text-gray-400">
|
||||
Requires tenant admin membership.
|
||||
</p>
|
||||
</div>
|
||||
</x-filament::section>
|
||||
|
||||
@if ($customerHealthDecision)
|
||||
@include('filament.system.pages.directory.partials.customer-health-decision-card', ['decision' => $customerHealthDecision])
|
||||
@endif
|
||||
|
||||
<x-filament::section>
|
||||
<x-slot name="heading">
|
||||
Connectivity signals
|
||||
|
||||
@ -1,14 +1,8 @@
|
||||
@php
|
||||
/** @var \App\Models\Workspace $workspace */
|
||||
$workspace = $this->workspace;
|
||||
$customerHealthDecision = $this->customerHealthDecision();
|
||||
$tenants = $this->workspaceTenants();
|
||||
$runs = $this->recentRuns();
|
||||
$workspaceEntitlementSummary = $this->workspaceEntitlementSummary();
|
||||
$planProfile = $workspaceEntitlementSummary['plan_profile'] ?? null;
|
||||
$entitlementDecisions = $workspaceEntitlementSummary['decisions'] ?? [];
|
||||
$managedTenantDecision = $entitlementDecisions['managed_tenant_activation_limit'] ?? null;
|
||||
$reviewPackDecision = $entitlementDecisions['review_pack_generation_enabled'] ?? null;
|
||||
@endphp
|
||||
|
||||
<x-filament-panels::page>
|
||||
@ -36,62 +30,6 @@
|
||||
</div>
|
||||
</x-filament::section>
|
||||
|
||||
@if ($customerHealthDecision)
|
||||
@include('filament.system.pages.directory.partials.customer-health-decision-card', ['decision' => $customerHealthDecision])
|
||||
@endif
|
||||
|
||||
@if (is_array($planProfile) && is_array($managedTenantDecision) && is_array($reviewPackDecision))
|
||||
<x-filament::section>
|
||||
<x-slot name="heading">
|
||||
Workspace entitlements
|
||||
</x-slot>
|
||||
|
||||
<div class="grid grid-cols-1 gap-4 sm:grid-cols-2">
|
||||
<div class="rounded-lg bg-gray-50 px-4 py-3 dark:bg-white/5">
|
||||
<p class="text-xs font-semibold uppercase tracking-wider text-gray-500 dark:text-gray-400">Plan profile</p>
|
||||
<p class="mt-1 text-base font-semibold text-gray-950 dark:text-white">{{ $planProfile['label'] }}</p>
|
||||
<p class="mt-1 text-sm text-gray-500 dark:text-gray-400">{{ $planProfile['description'] }}</p>
|
||||
</div>
|
||||
|
||||
<div class="rounded-lg bg-gray-50 px-4 py-3 dark:bg-white/5">
|
||||
<p class="text-xs font-semibold uppercase tracking-wider text-gray-500 dark:text-gray-400">Last changed</p>
|
||||
<p class="mt-1 text-base font-semibold text-gray-950 dark:text-white">{{ $managedTenantDecision['last_changed_by'] ?? 'Not set' }}</p>
|
||||
<p class="mt-1 text-sm text-gray-500 dark:text-gray-400">{{ $managedTenantDecision['last_changed_at']?->diffForHumans() ?? 'No entitlement override recorded yet.' }}</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="mt-4 space-y-3">
|
||||
<div class="rounded-lg border border-gray-200 px-4 py-3 dark:border-white/10">
|
||||
<div class="flex items-center justify-between gap-4">
|
||||
<div>
|
||||
<p class="text-sm font-semibold text-gray-950 dark:text-white">Managed tenant activation limit</p>
|
||||
<p class="text-sm text-gray-500 dark:text-gray-400">{{ $managedTenantDecision['current_usage'] }} active of {{ $managedTenantDecision['effective_value'] }} allowed</p>
|
||||
</div>
|
||||
<x-filament::badge :color="$managedTenantDecision['source'] === 'workspace_override' ? 'warning' : 'gray'">
|
||||
{{ $managedTenantDecision['source'] === 'workspace_override' ? 'workspace override' : ($managedTenantDecision['plan_profile_label'].' plan profile') }}
|
||||
</x-filament::badge>
|
||||
</div>
|
||||
|
||||
<p class="mt-2 text-sm text-gray-500 dark:text-gray-400">{{ $managedTenantDecision['rationale'] }}</p>
|
||||
</div>
|
||||
|
||||
<div class="rounded-lg border border-gray-200 px-4 py-3 dark:border-white/10">
|
||||
<div class="flex items-center justify-between gap-4">
|
||||
<div>
|
||||
<p class="text-sm font-semibold text-gray-950 dark:text-white">Review pack generation</p>
|
||||
<p class="text-sm text-gray-500 dark:text-gray-400">{{ $reviewPackDecision['effective_value'] ? 'Enabled' : 'Disabled' }}</p>
|
||||
</div>
|
||||
<x-filament::badge :color="$reviewPackDecision['source'] === 'workspace_override' ? 'warning' : 'gray'">
|
||||
{{ $reviewPackDecision['source'] === 'workspace_override' ? 'workspace override' : ($reviewPackDecision['plan_profile_label'].' plan profile') }}
|
||||
</x-filament::badge>
|
||||
</div>
|
||||
|
||||
<p class="mt-2 text-sm text-gray-500 dark:text-gray-400">{{ $reviewPackDecision['rationale'] }}</p>
|
||||
</div>
|
||||
</div>
|
||||
</x-filament::section>
|
||||
@endif
|
||||
|
||||
<x-filament::section>
|
||||
<x-slot name="heading">
|
||||
Tenants summary
|
||||
|
||||
@ -1,53 +0,0 @@
|
||||
<x-filament-widgets::widget>
|
||||
<x-filament::section>
|
||||
<x-slot name="heading">
|
||||
Attention-needed workspaces
|
||||
</x-slot>
|
||||
|
||||
<x-slot name="description">
|
||||
Worst derived workspace health first. Operational stability, review-pack readiness, and engagement freshness honor {{ $windowLabel }}.
|
||||
</x-slot>
|
||||
|
||||
@if ($rows->isEmpty())
|
||||
<div class="rounded-lg border border-dashed border-gray-300 px-4 py-6 text-sm text-gray-500 dark:border-white/15 dark:text-gray-400">
|
||||
No workspaces need attention in the selected view.
|
||||
</div>
|
||||
@else
|
||||
<div class="space-y-3">
|
||||
@foreach ($rows as $row)
|
||||
<article class="rounded-xl border border-gray-200 bg-white/70 p-4 dark:border-white/10 dark:bg-white/5">
|
||||
<div class="flex flex-col gap-3 md:flex-row md:items-start md:justify-between">
|
||||
<div class="space-y-2">
|
||||
<div class="flex flex-wrap items-center gap-2">
|
||||
<h3 class="text-sm font-semibold text-gray-950 dark:text-white">{{ $row['workspace_label'] }}</h3>
|
||||
|
||||
<x-filament::badge :color="$row['overall']['color']" :icon="$row['overall']['icon']">
|
||||
{{ $row['overall']['label'] }}
|
||||
</x-filament::badge>
|
||||
</div>
|
||||
|
||||
<p class="text-sm text-gray-600 dark:text-gray-300">
|
||||
Top drivers: {{ $row['dominant_copy'] }}
|
||||
</p>
|
||||
|
||||
<div class="flex flex-wrap gap-2">
|
||||
@foreach ($row['dominant_dimensions'] as $dimension)
|
||||
<x-filament::badge :color="$dimension['color']" :icon="$dimension['icon']">
|
||||
{{ $dimension['label'] }}
|
||||
</x-filament::badge>
|
||||
@endforeach
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div>
|
||||
<x-filament::link :href="$row['next_link']['url']" icon="heroicon-m-arrow-top-right-on-square">
|
||||
{{ $row['next_link']['label'] }}
|
||||
</x-filament::link>
|
||||
</div>
|
||||
</div>
|
||||
</article>
|
||||
@endforeach
|
||||
</div>
|
||||
@endif
|
||||
</x-filament::section>
|
||||
</x-filament-widgets::widget>
|
||||
@ -9,9 +9,6 @@
|
||||
/** @var ?string $pollingInterval */
|
||||
/** @var bool $canView */
|
||||
/** @var bool $canManage */
|
||||
/** @var bool $generationBlocked */
|
||||
/** @var ?string $generationBlockReason */
|
||||
/** @var ?string $customerWorkspaceUrl */
|
||||
/** @var ?string $downloadUrl */
|
||||
/** @var ?string $failedReason */
|
||||
/** @var ?string $failedReasonDetail */
|
||||
@ -27,12 +24,6 @@
|
||||
@endif
|
||||
>
|
||||
<x-filament::section heading="Review Pack">
|
||||
@if ($canManage && $generationBlocked && $generationBlockReason)
|
||||
<div class="mb-3 rounded-lg border border-warning-200 bg-warning-50 px-3 py-2 text-sm text-warning-800 dark:border-warning-500/30 dark:bg-warning-500/10 dark:text-warning-200">
|
||||
{{ $generationBlockReason }}
|
||||
</div>
|
||||
@endif
|
||||
|
||||
@if (! $pack)
|
||||
{{-- State 1: No pack --}}
|
||||
<div class="flex flex-col items-center gap-3 py-4 text-center">
|
||||
@ -46,15 +37,12 @@
|
||||
size="sm"
|
||||
wire:click="generatePack"
|
||||
wire:loading.attr="disabled"
|
||||
:disabled="$generationBlocked"
|
||||
>
|
||||
Generate pack
|
||||
</x-filament::button>
|
||||
@endif
|
||||
</div>
|
||||
@endif
|
||||
|
||||
@if ($pack && ($statusEnum === ReviewPackStatus::Queued || $statusEnum === ReviewPackStatus::Generating))
|
||||
@elseif ($statusEnum === ReviewPackStatus::Queued || $statusEnum === ReviewPackStatus::Generating)
|
||||
{{-- State 2: Queued / Generating --}}
|
||||
<div class="flex flex-col gap-3">
|
||||
<div class="flex items-center gap-2">
|
||||
@ -75,9 +63,7 @@
|
||||
Started {{ $pack->created_at?->diffForHumans() ?? '—' }}
|
||||
</div>
|
||||
</div>
|
||||
@endif
|
||||
|
||||
@if ($pack && $statusEnum === ReviewPackStatus::Ready)
|
||||
@elseif ($statusEnum === ReviewPackStatus::Ready)
|
||||
{{-- State 3: Ready --}}
|
||||
<div class="flex flex-col gap-3">
|
||||
<div class="flex items-center gap-2">
|
||||
@ -130,16 +116,13 @@
|
||||
color="gray"
|
||||
wire:click="generatePack"
|
||||
wire:loading.attr="disabled"
|
||||
:disabled="$generationBlocked"
|
||||
>
|
||||
Generate new
|
||||
</x-filament::button>
|
||||
@endif
|
||||
</div>
|
||||
</div>
|
||||
@endif
|
||||
|
||||
@if ($pack && $statusEnum === ReviewPackStatus::Failed)
|
||||
@elseif ($statusEnum === ReviewPackStatus::Failed)
|
||||
{{-- State 4: Failed --}}
|
||||
<div class="flex flex-col gap-3">
|
||||
<div class="flex items-center gap-2">
|
||||
@ -180,15 +163,12 @@
|
||||
size="sm"
|
||||
wire:click="generatePack"
|
||||
wire:loading.attr="disabled"
|
||||
:disabled="$generationBlocked"
|
||||
>
|
||||
Retry
|
||||
</x-filament::button>
|
||||
@endif
|
||||
</div>
|
||||
@endif
|
||||
|
||||
@if ($pack && $statusEnum === ReviewPackStatus::Expired)
|
||||
@elseif ($statusEnum === ReviewPackStatus::Expired)
|
||||
{{-- State 5: Expired --}}
|
||||
<div class="flex flex-col gap-3">
|
||||
<div class="flex items-center gap-2">
|
||||
@ -209,25 +189,11 @@
|
||||
size="sm"
|
||||
wire:click="generatePack"
|
||||
wire:loading.attr="disabled"
|
||||
:disabled="$generationBlocked"
|
||||
>
|
||||
Generate new
|
||||
</x-filament::button>
|
||||
@endif
|
||||
</div>
|
||||
@endif
|
||||
|
||||
@if ($canView && $customerWorkspaceUrl)
|
||||
<div class="mt-3 flex items-center gap-2">
|
||||
<x-filament::button
|
||||
size="sm"
|
||||
color="gray"
|
||||
tag="a"
|
||||
:href="$customerWorkspaceUrl"
|
||||
>
|
||||
Customer workspace
|
||||
</x-filament::button>
|
||||
</div>
|
||||
@endif
|
||||
</x-filament::section>
|
||||
</div>
|
||||
|
||||
@ -1,100 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Resources\TenantReviewResource;
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\Tenant;
|
||||
use App\Support\TenantReviewStatus;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\Storage;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
pest()->browser()->timeout(20_000);
|
||||
|
||||
beforeEach(function (): void {
|
||||
Storage::fake('exports');
|
||||
});
|
||||
|
||||
it('smokes the customer review workspace handoff from tenant review detail', function (): void {
|
||||
$tenantPublished = Tenant::factory()->create(['name' => 'Published Tenant']);
|
||||
[$user, $tenantPublished] = createUserWithTenant(
|
||||
tenant: $tenantPublished,
|
||||
role: 'owner',
|
||||
workspaceRole: 'manager',
|
||||
);
|
||||
|
||||
$tenantWithoutPublished = Tenant::factory()->create([
|
||||
'workspace_id' => (int) $tenantPublished->workspace_id,
|
||||
'name' => 'No Published Tenant',
|
||||
]);
|
||||
|
||||
createUserWithTenant(
|
||||
tenant: $tenantWithoutPublished,
|
||||
user: $user,
|
||||
role: 'owner',
|
||||
workspaceRole: 'manager',
|
||||
);
|
||||
|
||||
$publishedSnapshot = seedTenantReviewEvidence($tenantPublished);
|
||||
$noPublishedSnapshot = seedTenantReviewEvidence($tenantWithoutPublished);
|
||||
|
||||
$publishedReview = composeTenantReviewForTest($tenantPublished, $user, $publishedSnapshot);
|
||||
$publishedReview->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'published_at' => now(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
$internalOnlyReview = composeTenantReviewForTest($tenantWithoutPublished, $user, $noPublishedSnapshot);
|
||||
$internalOnlyReview->forceFill([
|
||||
'status' => TenantReviewStatus::Ready->value,
|
||||
'published_at' => null,
|
||||
'published_by_user_id' => null,
|
||||
])->save();
|
||||
|
||||
Storage::disk('exports')->put('review-packs/customer-review-workspace-smoke.zip', 'PK-test');
|
||||
|
||||
ReviewPack::factory()->ready()->create([
|
||||
'tenant_id' => (int) $tenantPublished->getKey(),
|
||||
'workspace_id' => (int) $tenantPublished->workspace_id,
|
||||
'tenant_review_id' => (int) $publishedReview->getKey(),
|
||||
'evidence_snapshot_id' => (int) $publishedSnapshot->getKey(),
|
||||
'initiated_by_user_id' => (int) $user->getKey(),
|
||||
'file_path' => 'review-packs/customer-review-workspace-smoke.zip',
|
||||
'file_disk' => 'exports',
|
||||
]);
|
||||
|
||||
$this->actingAs($user)->withSession([
|
||||
WorkspaceContext::SESSION_KEY => (int) $tenantPublished->workspace_id,
|
||||
WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY => [
|
||||
(string) $tenantPublished->workspace_id => (int) $tenantPublished->getKey(),
|
||||
],
|
||||
]);
|
||||
|
||||
visit(TenantReviewResource::tenantScopedUrl('view', ['record' => $publishedReview], $tenantPublished))
|
||||
->waitForText('Related context')
|
||||
->assertSee('Open customer workspace')
|
||||
->assertNoJavaScriptErrors()
|
||||
->assertNoConsoleLogs()
|
||||
->click('Open customer workspace')
|
||||
->waitForText('Customer-safe review workspace')
|
||||
->assertSee('Clear filters')
|
||||
->assertSee('Open latest review')
|
||||
->assertDontSee('Publish review')
|
||||
->assertDontSee('Refresh review')
|
||||
->click('Clear filters')
|
||||
->waitForText('No published review available yet')
|
||||
->assertSee('No published review available yet')
|
||||
->click('Open latest review')
|
||||
->waitForText('Outcome summary')
|
||||
->assertDontSee('Publish review')
|
||||
->assertDontSee('Refresh review')
|
||||
->assertDontSee('Create next review')
|
||||
->assertDontSee('Export executive pack')
|
||||
->assertDontSee('Archive review')
|
||||
->assertNoJavaScriptErrors()
|
||||
->assertNoConsoleLogs();
|
||||
});
|
||||
@ -5,14 +5,12 @@
|
||||
use App\Filament\Resources\BackupScheduleResource\Pages\ListBackupSchedules;
|
||||
use App\Filament\Resources\BackupSetResource\Pages\ListBackupSets;
|
||||
use App\Filament\Resources\ProviderConnectionResource\Pages\ListProviderConnections;
|
||||
use App\Filament\Resources\ReviewPackResource\Pages\ListReviewPacks;
|
||||
use App\Filament\Resources\RestoreRunResource\Pages\ListRestoreRuns;
|
||||
use App\Filament\Resources\TenantResource\Pages\ListTenants;
|
||||
use App\Filament\Resources\Workspaces\Pages\ListWorkspaces;
|
||||
use App\Models\BackupSchedule;
|
||||
use App\Models\BackupSet;
|
||||
use App\Models\ProviderConnection;
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\RestoreRun;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
@ -242,47 +240,6 @@ function getPlacementEmptyStateAction(Testable $component, string $name): ?Actio
|
||||
expect($headerCreate?->isVisible())->toBeTrue();
|
||||
});
|
||||
|
||||
it('shows generate only in empty state when review packs table is empty', function (): void {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
|
||||
$this->actingAs($user);
|
||||
$tenant->makeCurrent();
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
$component = Livewire::test(ListReviewPacks::class)
|
||||
->assertTableEmptyStateActionsExistInOrder(['generate_first']);
|
||||
|
||||
$emptyStateGenerate = getPlacementEmptyStateAction($component, 'generate_first');
|
||||
expect($emptyStateGenerate)->not->toBeNull();
|
||||
expect($emptyStateGenerate?->getLabel())->toBe('Generate first pack');
|
||||
|
||||
$headerGenerate = getHeaderAction($component, 'generate_pack');
|
||||
expect($headerGenerate)->not->toBeNull();
|
||||
expect($headerGenerate?->isVisible())->toBeFalse();
|
||||
});
|
||||
|
||||
it('shows generate only in header when review packs table is not empty', function (): void {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
|
||||
$this->actingAs($user);
|
||||
$tenant->makeCurrent();
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
ReviewPack::factory()->ready()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'initiated_by_user_id' => (int) $user->getKey(),
|
||||
]);
|
||||
|
||||
$component = Livewire::test(ListReviewPacks::class)
|
||||
->assertCountTableRecords(1);
|
||||
|
||||
$headerGenerate = getHeaderAction($component, 'generate_pack');
|
||||
expect($headerGenerate)->not->toBeNull();
|
||||
expect($headerGenerate?->isVisible())->toBeTrue();
|
||||
expect($headerGenerate?->getLabel())->toBe('Generate Pack');
|
||||
});
|
||||
|
||||
it('shows create only in empty state when tenants table is empty', function (): void {
|
||||
$workspace = Workspace::factory()->create([
|
||||
'archived_at' => now(),
|
||||
|
||||
@ -1,111 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Settings\WorkspaceSettings;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Models\WorkspaceMembership;
|
||||
use App\Services\Entitlements\WorkspaceEntitlementResolver;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Livewire\Livewire;
|
||||
|
||||
/**
|
||||
* @return array{0: Workspace, 1: User}
|
||||
*/
|
||||
function entitlementSettingsManager(): array
|
||||
{
|
||||
$workspace = Workspace::factory()->create();
|
||||
$user = User::factory()->create();
|
||||
|
||||
WorkspaceMembership::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'user_id' => (int) $user->getKey(),
|
||||
'role' => 'manager',
|
||||
]);
|
||||
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
||||
|
||||
return [$workspace, $user];
|
||||
}
|
||||
|
||||
it('saves entitlement plan profile and override pairs through the workspace settings page', function (): void {
|
||||
[$workspace, $user] = entitlementSettingsManager();
|
||||
|
||||
$this->actingAs($user)
|
||||
->get(WorkspaceSettings::getUrl(panel: 'admin'))
|
||||
->assertSuccessful()
|
||||
->assertSee('Workspace entitlements');
|
||||
|
||||
$component = Livewire::actingAs($user)
|
||||
->test(WorkspaceSettings::class)
|
||||
->assertSet('data.entitlements_plan_profile', null)
|
||||
->assertSet('data.entitlements_managed_tenant_limit_override_value', null)
|
||||
->assertSet('data.entitlements_managed_tenant_limit_override_reason', null)
|
||||
->assertSet('data.entitlements_review_pack_generation_override_value', null)
|
||||
->assertSet('data.entitlements_review_pack_generation_override_reason', null)
|
||||
->set('data.entitlements_plan_profile', 'starter')
|
||||
->set('data.entitlements_managed_tenant_limit_override_value', 2)
|
||||
->set('data.entitlements_managed_tenant_limit_override_reason', 'Temporary support-approved exception')
|
||||
->set('data.entitlements_review_pack_generation_override_value', '0')
|
||||
->set('data.entitlements_review_pack_generation_override_reason', 'Workspace is temporarily limited to manual reporting only')
|
||||
->callAction('save')
|
||||
->assertHasNoErrors()
|
||||
->assertSet('data.entitlements_plan_profile', 'starter')
|
||||
->assertSet('data.entitlements_managed_tenant_limit_override_value', 2)
|
||||
->assertSet('data.entitlements_managed_tenant_limit_override_reason', 'Temporary support-approved exception')
|
||||
->assertSet('data.entitlements_review_pack_generation_override_value', '0')
|
||||
->assertSet('data.entitlements_review_pack_generation_override_reason', 'Workspace is temporarily limited to manual reporting only');
|
||||
|
||||
$summary = app(WorkspaceEntitlementResolver::class)->summary($workspace);
|
||||
|
||||
expect($summary['plan_profile']['id'])->toBe('starter')
|
||||
->and($summary['decisions'][WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT])
|
||||
->toMatchArray([
|
||||
'effective_value' => 2,
|
||||
'source' => 'workspace_override',
|
||||
'rationale' => 'Temporary support-approved exception',
|
||||
'last_changed_by' => $user->name,
|
||||
])
|
||||
->and($summary['decisions'][WorkspaceEntitlementResolver::KEY_REVIEW_PACK_GENERATION_ENABLED])
|
||||
->toMatchArray([
|
||||
'effective_value' => false,
|
||||
'source' => 'workspace_override',
|
||||
'rationale' => 'Workspace is temporarily limited to manual reporting only',
|
||||
'last_changed_by' => $user->name,
|
||||
]);
|
||||
|
||||
$component
|
||||
->mountFormComponentAction('entitlements_managed_tenant_limit_override_value', 'reset_entitlements_managed_tenant_limit_override_value', [], 'content')
|
||||
->callMountedFormComponentAction()
|
||||
->assertHasNoErrors()
|
||||
->assertSet('data.entitlements_managed_tenant_limit_override_value', null)
|
||||
->assertSet('data.entitlements_managed_tenant_limit_override_reason', null);
|
||||
|
||||
$summary = app(WorkspaceEntitlementResolver::class)->summary($workspace);
|
||||
|
||||
expect($summary['decisions'][WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT])
|
||||
->toMatchArray([
|
||||
'effective_value' => 1,
|
||||
'source' => 'plan_profile_default',
|
||||
'rationale' => 'Minimal allowance for early workspace access and low-volume operations.',
|
||||
]);
|
||||
});
|
||||
|
||||
it('requires an override reason when a workspace entitlement override value is set', function (): void {
|
||||
[, $user] = entitlementSettingsManager();
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(WorkspaceSettings::class)
|
||||
->set('data.entitlements_managed_tenant_limit_override_value', 3)
|
||||
->set('data.entitlements_managed_tenant_limit_override_reason', '')
|
||||
->callAction('save')
|
||||
->assertHasErrors(['data.entitlements_managed_tenant_limit_override_reason']);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(WorkspaceSettings::class)
|
||||
->set('data.entitlements_review_pack_generation_override_value', '0')
|
||||
->set('data.entitlements_review_pack_generation_override_reason', '')
|
||||
->callAction('save')
|
||||
->assertHasErrors(['data.entitlements_review_pack_generation_override_reason']);
|
||||
});
|
||||
@ -950,7 +950,6 @@ function actionSurfaceSystemPanelContext(array $capabilities): PlatformUser
|
||||
\App\Filament\System\Pages\Dashboard::class,
|
||||
\App\Filament\System\Pages\Ops\ViewRun::class,
|
||||
\App\Filament\System\Pages\Ops\Runbooks::class,
|
||||
\App\Filament\System\Pages\Ops\Controls::class,
|
||||
\App\Filament\System\Pages\RepairWorkspaceOwners::class,
|
||||
\App\Filament\System\Pages\Directory\ViewTenant::class,
|
||||
\App\Filament\System\Pages\Directory\ViewWorkspace::class,
|
||||
|
||||
@ -1,49 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use Illuminate\Support\Facades\File;
|
||||
|
||||
it('prevents ai governance surfaces from declaring direct outbound or vendor-specific provider runtime code', function (): void {
|
||||
$root = app_path();
|
||||
|
||||
$files = collect(File::allFiles($root))
|
||||
->map(fn (\SplFileInfo $file): string => str_replace($root.'/', '', $file->getPathname()))
|
||||
->filter(fn (string $relativePath): bool => str_starts_with($relativePath, 'Support/Ai/')
|
||||
|| $relativePath === 'Support/ProductKnowledge/ContextualHelpResolver.php'
|
||||
|| $relativePath === 'Support/SupportDiagnostics/SupportDiagnosticBundleBuilder.php')
|
||||
->values();
|
||||
|
||||
$patterns = [
|
||||
'outbound_http' => '/\bHttp::/',
|
||||
'guzzle_client' => '/\bnew\s+Client\b/',
|
||||
'curl_runtime' => '/\bcurl_/i',
|
||||
'openai_vendor' => '/\bOpenAI\b/i',
|
||||
'anthropic_vendor' => '/\bAnthropic\b/i',
|
||||
'gemini_vendor' => '/\bGemini\b/i',
|
||||
'openrouter_vendor' => '/\bOpenRouter\b/i',
|
||||
'chat_completions_runtime' => '/\bChatCompletion\b/i',
|
||||
];
|
||||
|
||||
$hits = [];
|
||||
|
||||
foreach ($files as $relativePath) {
|
||||
$contents = file_get_contents($root.'/'.$relativePath);
|
||||
|
||||
if (! is_string($contents) || $contents === '') {
|
||||
continue;
|
||||
}
|
||||
|
||||
$lines = preg_split('/\R/', $contents) ?: [];
|
||||
|
||||
foreach ($patterns as $label => $pattern) {
|
||||
foreach ($lines as $index => $line) {
|
||||
if (preg_match($pattern, $line) === 1) {
|
||||
$hits[] = $relativePath.':'.($index + 1).' ['.$label.'] '.trim($line);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
expect($hits)->toBeEmpty("AI governance surfaces must stay vendor-neutral and must not perform outbound provider runtime calls directly:\n".implode("\n", $hits));
|
||||
});
|
||||
@ -35,7 +35,6 @@ function spec195FormattedIssues(array $issues): string
|
||||
\App\Filament\System\Pages\Dashboard::class,
|
||||
\App\Filament\System\Pages\Ops\ViewRun::class,
|
||||
\App\Filament\System\Pages\Ops\Runbooks::class,
|
||||
\App\Filament\System\Pages\Ops\Controls::class,
|
||||
\App\Filament\System\Pages\RepairWorkspaceOwners::class,
|
||||
\App\Filament\System\Pages\Directory\ViewTenant::class,
|
||||
\App\Filament\System\Pages\Directory\ViewWorkspace::class,
|
||||
@ -68,7 +67,6 @@ function spec195FormattedIssues(array $issues): string
|
||||
|
||||
expect($inventory[\App\Filament\System\Pages\Ops\ViewRun::class]['closureDecision'] ?? null)->toBe('separately_governed')
|
||||
->and($inventory[\App\Filament\System\Pages\Ops\Runbooks::class]['closureDecision'] ?? null)->toBe('separately_governed')
|
||||
->and($inventory[\App\Filament\System\Pages\Ops\Controls::class]['closureDecision'] ?? null)->toBe('separately_governed')
|
||||
->and($inventory[\App\Filament\System\Pages\RepairWorkspaceOwners::class]['closureDecision'] ?? null)->toBe('separately_governed')
|
||||
->and($inventory[\App\Filament\System\Pages\Directory\ViewTenant::class]['closureDecision'] ?? null)->toBe('harmless_special_case')
|
||||
->and($inventory[\App\Filament\System\Pages\Directory\ViewWorkspace::class]['closureDecision'] ?? null)->toBe('harmless_special_case')
|
||||
@ -78,7 +76,6 @@ function spec195FormattedIssues(array $issues): string
|
||||
\App\Filament\System\Pages\Dashboard::class,
|
||||
\App\Filament\System\Pages\Ops\ViewRun::class,
|
||||
\App\Filament\System\Pages\Ops\Runbooks::class,
|
||||
\App\Filament\System\Pages\Ops\Controls::class,
|
||||
\App\Filament\System\Pages\RepairWorkspaceOwners::class,
|
||||
\App\Filament\System\Pages\Directory\ViewTenant::class,
|
||||
\App\Filament\System\Pages\Directory\ViewWorkspace::class,
|
||||
|
||||
@ -1063,8 +1063,7 @@ function createManagedReadinessBlockerDraft(string $state): array
|
||||
->get(route('admin.onboarding.draft', ['onboardingDraft' => $draft->getKey()]))
|
||||
->assertSuccessful()
|
||||
->assertSee('Onboarding readiness')
|
||||
->assertSee('Step')
|
||||
->assertDontSee('Current checkpoint')
|
||||
->assertSee('Current checkpoint')
|
||||
->assertSee('Verify access')
|
||||
->assertSee('Verification has not run yet')
|
||||
->assertSee('Provider connection')
|
||||
@ -1166,46 +1165,28 @@ function createManagedReadinessBlockerDraft(string $state): array
|
||||
->assertSee($summary)
|
||||
->assertSee($nextAction);
|
||||
})->with([
|
||||
'missing consent' => ['missing_consent', 'Provider consent required', 'Grant admin consent'],
|
||||
'revoked consent' => ['revoked_consent', 'Provider consent revoked', 'Grant admin consent'],
|
||||
'missing consent' => ['missing_consent', 'Provider consent required', 'Grant consent'],
|
||||
'revoked consent' => ['revoked_consent', 'Provider consent revoked', 'Grant consent'],
|
||||
'disabled connection' => ['disabled_connection', 'Provider connection disabled', 'Review provider connection'],
|
||||
'blocked verification' => ['blocked_verification', 'Permission or consent blocker needs attention', 'Review permissions'],
|
||||
]);
|
||||
|
||||
it('keeps permission gap detail out of the top-level page once a verification report is present', function (): void {
|
||||
it('keeps permission gap diagnostics provider-owned while top-level readiness stays neutral', function (): void {
|
||||
[$user, $draft, , , $missingKey] = createManagedReadinessBlockerDraft('permission_gap');
|
||||
|
||||
$response = $this->actingAs($user)
|
||||
->get(route('admin.onboarding.draft', ['onboardingDraft' => $draft->getKey()]))
|
||||
->assertSuccessful()
|
||||
->assertSee('Permission or consent blocker needs attention')
|
||||
->assertDontSee('Permission diagnostics')
|
||||
->assertSee('Supporting evidence')
|
||||
->assertSee('View required permissions')
|
||||
->assertSee('Review permissions');
|
||||
|
||||
if (is_string($missingKey) && $missingKey !== '') {
|
||||
$response->assertDontSee($missingKey);
|
||||
}
|
||||
|
||||
$response->assertDontSee('Microsoft Graph readiness');
|
||||
});
|
||||
|
||||
it('shows permission diagnostics as a fallback when no verification report is present', function (): void {
|
||||
[$user, $draft] = createManagedReadinessBlockerDraft('missing_consent');
|
||||
|
||||
$tenant = $draft->tenant()->firstOrFail();
|
||||
$missingKey = seedManagedReadinessPermissions($tenant);
|
||||
|
||||
$response = $this->actingAs($user)
|
||||
->get(route('admin.onboarding.draft', ['onboardingDraft' => $draft->getKey()]))
|
||||
->assertSuccessful()
|
||||
->assertSee('Permission diagnostics')
|
||||
->assertDontSee('Supporting evidence');
|
||||
->assertSee('Missing application permissions')
|
||||
->assertSee('Review permissions');
|
||||
|
||||
if (is_string($missingKey) && $missingKey !== '') {
|
||||
$response->assertSee($missingKey);
|
||||
}
|
||||
|
||||
$response->assertDontSee('Microsoft Graph readiness');
|
||||
});
|
||||
|
||||
it('downgrades route-bound readiness when permission evidence is stale and keeps the operation link canonical', function (): void {
|
||||
|
||||
@ -1,190 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Workspaces\ManagedTenantOnboardingWizard;
|
||||
use App\Models\AuditLog;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\ProviderConnection;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantOnboardingSession;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Services\Entitlements\WorkspaceEntitlementResolver;
|
||||
use App\Services\Settings\SettingsWriter;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Illuminate\Support\Facades\Queue;
|
||||
use Livewire\Livewire;
|
||||
|
||||
/**
|
||||
* @return array{workspace: Workspace, user: User, tenant: Tenant, draft: TenantOnboardingSession, component: \Livewire\Features\SupportTesting\Testable}
|
||||
*/
|
||||
function readyOnboardingEntitlementContext(int $activeTenantCount = 0, ?int $limitOverride = null, ?string $overrideReason = null): array
|
||||
{
|
||||
Queue::fake();
|
||||
|
||||
$workspace = Workspace::factory()->create();
|
||||
$user = User::factory()->create();
|
||||
|
||||
$tenant = Tenant::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'status' => Tenant::STATUS_ONBOARDING,
|
||||
]);
|
||||
|
||||
createUserWithTenant(
|
||||
tenant: $tenant,
|
||||
user: $user,
|
||||
role: 'owner',
|
||||
workspaceRole: 'owner',
|
||||
ensureDefaultMicrosoftProviderConnection: false,
|
||||
);
|
||||
|
||||
if ($activeTenantCount > 0) {
|
||||
Tenant::factory()->count($activeTenantCount)->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'status' => Tenant::STATUS_ACTIVE,
|
||||
]);
|
||||
}
|
||||
|
||||
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'provider' => 'microsoft',
|
||||
'entra_tenant_id' => (string) $tenant->tenant_id,
|
||||
'display_name' => 'Ready connection',
|
||||
'is_default' => true,
|
||||
'consent_status' => 'granted',
|
||||
]);
|
||||
|
||||
$run = OperationRun::factory()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'user_id' => (int) $user->getKey(),
|
||||
'type' => 'provider.connection.check',
|
||||
'status' => OperationRunStatus::Completed->value,
|
||||
'outcome' => OperationRunOutcome::Succeeded->value,
|
||||
'context' => [
|
||||
'provider' => 'microsoft',
|
||||
'module' => 'health_check',
|
||||
'provider_connection_id' => (int) $connection->getKey(),
|
||||
'target_scope' => [
|
||||
'entra_tenant_id' => (string) $tenant->tenant_id,
|
||||
],
|
||||
],
|
||||
]);
|
||||
|
||||
$draft = createOnboardingDraft([
|
||||
'workspace' => $workspace,
|
||||
'tenant' => $tenant,
|
||||
'started_by' => $user,
|
||||
'updated_by' => $user,
|
||||
'current_step' => 'bootstrap',
|
||||
'state' => [
|
||||
'entra_tenant_id' => (string) $tenant->tenant_id,
|
||||
'tenant_name' => (string) $tenant->name,
|
||||
'provider_connection_id' => (int) $connection->getKey(),
|
||||
'verification_operation_run_id' => (int) $run->getKey(),
|
||||
],
|
||||
]);
|
||||
|
||||
if ($limitOverride !== null) {
|
||||
$writer = app(SettingsWriter::class);
|
||||
$writer->updateWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $workspace,
|
||||
domain: WorkspaceEntitlementResolver::SETTING_DOMAIN,
|
||||
key: WorkspaceEntitlementResolver::SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_VALUE,
|
||||
value: $limitOverride,
|
||||
);
|
||||
|
||||
if ($overrideReason !== null) {
|
||||
$writer->updateWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $workspace,
|
||||
domain: WorkspaceEntitlementResolver::SETTING_DOMAIN,
|
||||
key: WorkspaceEntitlementResolver::SETTING_MANAGED_TENANT_LIMIT_OVERRIDE_REASON,
|
||||
value: $overrideReason,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
||||
|
||||
$component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class, [
|
||||
'onboardingDraft' => (int) $draft->getKey(),
|
||||
]);
|
||||
|
||||
return compact('workspace', 'user', 'tenant', 'draft', 'component');
|
||||
}
|
||||
|
||||
it('allows onboarding activation when the workspace is within its managed tenant limit', function (): void {
|
||||
$context = readyOnboardingEntitlementContext(activeTenantCount: 0);
|
||||
|
||||
$context['component']->call('completeOnboarding');
|
||||
|
||||
$context['tenant']->refresh();
|
||||
|
||||
expect($context['tenant']->status)->toBe(Tenant::STATUS_ACTIVE)
|
||||
->and(AuditLog::query()
|
||||
->where('workspace_id', (int) $context['workspace']->getKey())
|
||||
->where('action', 'managed_tenant_onboarding.activation')
|
||||
->exists())->toBeTrue();
|
||||
});
|
||||
|
||||
it('blocks onboarding activation with a business-state reason when the workspace is at limit', function (): void {
|
||||
$context = readyOnboardingEntitlementContext(
|
||||
activeTenantCount: 1,
|
||||
limitOverride: 1,
|
||||
overrideReason: 'Customer currently allows one active tenant',
|
||||
);
|
||||
|
||||
$decision = app(WorkspaceEntitlementResolver::class)->resolve(
|
||||
$context['workspace'],
|
||||
WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT,
|
||||
);
|
||||
|
||||
expect($decision['is_blocked'])->toBeTrue();
|
||||
|
||||
$context['component']
|
||||
->assertSee('Activation entitlement')
|
||||
->assertSee('Blocked')
|
||||
->call('completeOnboarding');
|
||||
|
||||
$context['tenant']->refresh();
|
||||
|
||||
expect($context['tenant']->status)->toBe(Tenant::STATUS_ONBOARDING)
|
||||
->and(AuditLog::query()
|
||||
->where('workspace_id', (int) $context['workspace']->getKey())
|
||||
->where('action', 'managed_tenant_onboarding.activation')
|
||||
->exists())->toBeFalse();
|
||||
});
|
||||
|
||||
it('allows onboarding activation when a workspace override raises the limit above current usage', function (): void {
|
||||
$context = readyOnboardingEntitlementContext(
|
||||
activeTenantCount: 1,
|
||||
limitOverride: 2,
|
||||
overrideReason: 'Temporary support-approved exception',
|
||||
);
|
||||
|
||||
$decision = app(WorkspaceEntitlementResolver::class)->resolve(
|
||||
$context['workspace'],
|
||||
WorkspaceEntitlementResolver::KEY_MANAGED_TENANT_ACTIVATION_LIMIT,
|
||||
);
|
||||
|
||||
expect($decision)
|
||||
->toMatchArray([
|
||||
'source' => 'workspace_override',
|
||||
'effective_value' => 2,
|
||||
'current_usage' => 1,
|
||||
'is_blocked' => false,
|
||||
'rationale' => 'Temporary support-approved exception',
|
||||
]);
|
||||
|
||||
$context['component']->call('completeOnboarding');
|
||||
|
||||
$context['tenant']->refresh();
|
||||
|
||||
expect($context['tenant']->status)->toBe(Tenant::STATUS_ACTIVE);
|
||||
});
|
||||
@ -1,265 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\ProviderConnection;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantOnboardingSession;
|
||||
use App\Models\User;
|
||||
use App\Models\WorkspaceMembership;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\ProductKnowledge\ContextualHelpCatalog;
|
||||
use App\Support\Providers\ProviderReasonCodes;
|
||||
use App\Support\Verification\VerificationReportWriter;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
/**
|
||||
* @return array{0: User, 1: Tenant, 2: TenantOnboardingSession}
|
||||
*/
|
||||
function createProductKnowledgeOnboardingDraft(string $state, string $workspaceRole = 'owner', string $tenantRole = 'owner'): array
|
||||
{
|
||||
$tenant = Tenant::factory()->onboarding()->create();
|
||||
|
||||
[$user, $tenant] = createUserWithTenant(
|
||||
tenant: $tenant,
|
||||
role: $tenantRole,
|
||||
workspaceRole: $workspaceRole,
|
||||
ensureDefaultMicrosoftProviderConnection: false,
|
||||
);
|
||||
|
||||
$workspace = $tenant->workspace()->firstOrFail();
|
||||
|
||||
$verificationConnection = ProviderConnection::factory()->platform()->consentGranted()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'provider' => 'microsoft',
|
||||
'entra_tenant_id' => (string) $tenant->tenant_id,
|
||||
'display_name' => 'Verification connection',
|
||||
'is_default' => true,
|
||||
'consent_status' => 'granted',
|
||||
]);
|
||||
|
||||
$selectedConnection = $verificationConnection;
|
||||
$checks = [];
|
||||
$outcome = OperationRunOutcome::Blocked->value;
|
||||
|
||||
if ($state === 'admin_consent') {
|
||||
$checks[] = [
|
||||
'key' => 'permissions.admin_consent',
|
||||
'title' => 'Admin consent',
|
||||
'status' => 'fail',
|
||||
'severity' => 'critical',
|
||||
'blocking' => true,
|
||||
'reason_code' => ProviderReasonCodes::ProviderConsentMissing,
|
||||
'message' => 'Admin consent is required before verification can proceed.',
|
||||
'evidence' => [],
|
||||
'next_steps' => [],
|
||||
];
|
||||
} elseif ($state === 'required_permissions') {
|
||||
$checks[] = [
|
||||
'key' => 'permissions.required',
|
||||
'title' => 'Required application permissions',
|
||||
'status' => 'fail',
|
||||
'severity' => 'critical',
|
||||
'blocking' => true,
|
||||
'reason_code' => ProviderReasonCodes::ProviderPermissionMissing,
|
||||
'message' => 'Missing required application permissions.',
|
||||
'evidence' => [],
|
||||
'next_steps' => [],
|
||||
];
|
||||
} elseif ($state === 'connection_unhealthy') {
|
||||
$checks[] = [
|
||||
'key' => 'provider.connection.check',
|
||||
'title' => 'Provider connection check',
|
||||
'status' => 'fail',
|
||||
'severity' => 'critical',
|
||||
'blocking' => true,
|
||||
'reason_code' => ProviderReasonCodes::ProviderAuthFailed,
|
||||
'message' => 'Stored provider credentials are no longer valid.',
|
||||
'evidence' => [],
|
||||
'next_steps' => [],
|
||||
];
|
||||
} elseif ($state === 'verification_stale') {
|
||||
$selectedConnection = ProviderConnection::factory()->platform()->consentGranted()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'provider' => 'dummy',
|
||||
'entra_tenant_id' => (string) $tenant->tenant_id,
|
||||
'display_name' => 'Currently selected connection',
|
||||
'is_default' => false,
|
||||
'consent_status' => 'granted',
|
||||
]);
|
||||
|
||||
$checks[] = [
|
||||
'key' => 'provider.connection.check',
|
||||
'title' => 'Provider connection check',
|
||||
'status' => 'pass',
|
||||
'severity' => 'info',
|
||||
'blocking' => false,
|
||||
'reason_code' => 'ok',
|
||||
'message' => 'Connection is healthy.',
|
||||
'evidence' => [],
|
||||
'next_steps' => [],
|
||||
];
|
||||
|
||||
$outcome = OperationRunOutcome::Succeeded->value;
|
||||
} elseif ($state === 'verification_failed') {
|
||||
$checks[] = [
|
||||
'key' => 'provider.connection.check',
|
||||
'title' => 'Provider connection check',
|
||||
'status' => 'fail',
|
||||
'severity' => 'critical',
|
||||
'blocking' => true,
|
||||
'reason_code' => '',
|
||||
'message' => 'Verification failed after the prerequisite checks ran.',
|
||||
'evidence' => [],
|
||||
'next_steps' => [],
|
||||
];
|
||||
|
||||
$outcome = OperationRunOutcome::Failed->value;
|
||||
}
|
||||
|
||||
$run = OperationRun::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'type' => 'provider.connection.check',
|
||||
'status' => OperationRunStatus::Completed->value,
|
||||
'outcome' => $outcome,
|
||||
'context' => [
|
||||
'provider_connection_id' => (int) $verificationConnection->getKey(),
|
||||
'target_scope' => [
|
||||
'entra_tenant_id' => (string) $tenant->tenant_id,
|
||||
'entra_tenant_name' => (string) $tenant->name,
|
||||
],
|
||||
'verification_report' => VerificationReportWriter::build('provider.connection.check', $checks),
|
||||
],
|
||||
]);
|
||||
|
||||
$draft = createOnboardingDraft([
|
||||
'workspace' => $workspace,
|
||||
'tenant' => $tenant,
|
||||
'started_by' => $user,
|
||||
'updated_by' => $user,
|
||||
'current_step' => 'verify',
|
||||
'entra_tenant_id' => (string) $tenant->tenant_id,
|
||||
'state' => [
|
||||
'entra_tenant_id' => (string) $tenant->tenant_id,
|
||||
'tenant_name' => (string) $tenant->name,
|
||||
'provider_connection_id' => (int) $selectedConnection->getKey(),
|
||||
'verification_operation_run_id' => (int) $run->getKey(),
|
||||
],
|
||||
]);
|
||||
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
||||
|
||||
return [$user, $tenant, $draft];
|
||||
}
|
||||
|
||||
it('renders onboarding contextual help for each in-scope verification topic', function (
|
||||
string $state,
|
||||
string $headline,
|
||||
string $safeNextAction,
|
||||
?string $linkLabel,
|
||||
): void {
|
||||
[$user, , $draft] = createProductKnowledgeOnboardingDraft($state);
|
||||
|
||||
$response = $this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $user->last_workspace_id])
|
||||
->followingRedirects()
|
||||
->get(route('admin.onboarding.draft', ['onboardingDraft' => (int) $draft->getKey()]));
|
||||
|
||||
$response->assertSuccessful()
|
||||
->assertSee('Verification report')
|
||||
->assertSee('Stored verification details')
|
||||
->assertSee($headline)
|
||||
->assertDontSee('Permission diagnostics')
|
||||
->assertSee($safeNextAction);
|
||||
|
||||
$dom = new \DOMDocument();
|
||||
@$dom->loadHTML($response->getContent());
|
||||
|
||||
$xpath = new \DOMXPath($dom);
|
||||
|
||||
$headlineNodes = $xpath->query(sprintf(
|
||||
'//*[@data-testid="contextual-help-block"]//*[normalize-space(text())="%s"]',
|
||||
$headline,
|
||||
));
|
||||
|
||||
$storedVerificationDetailsHeadings = $xpath->query(
|
||||
'//*[self::h1 or self::h2 or self::h3 or self::h4 or self::h5 or self::h6][normalize-space(text())="Stored verification details"]',
|
||||
);
|
||||
|
||||
$verificationReportHeadings = $xpath->query(
|
||||
'//*[self::h1 or self::h2 or self::h3 or self::h4 or self::h5 or self::h6][normalize-space(text())="Verification report"]',
|
||||
);
|
||||
|
||||
expect($headlineNodes?->length)->toBe(1);
|
||||
expect($storedVerificationDetailsHeadings?->length)->toBe(1);
|
||||
expect($verificationReportHeadings?->length)->toBeLessThanOrEqual(1);
|
||||
|
||||
if ($state === 'admin_consent') {
|
||||
$primaryNextActionNode = $xpath->query(
|
||||
'//*[normalize-space(text())="Primary next action"]/following::*[(self::a or self::button) and normalize-space(text())!=""][1]',
|
||||
);
|
||||
|
||||
expect(trim((string) $primaryNextActionNode?->item(0)?->textContent))->toContain('Grant admin consent');
|
||||
}
|
||||
|
||||
if ($linkLabel !== null) {
|
||||
$response->assertSee($linkLabel);
|
||||
}
|
||||
})->with([
|
||||
'admin consent required' => [
|
||||
'admin_consent',
|
||||
'Admin consent required',
|
||||
'Grant admin consent and re-run verification.',
|
||||
'Grant admin consent',
|
||||
],
|
||||
'required permissions missing' => [
|
||||
'required_permissions',
|
||||
'Required permissions missing',
|
||||
'Open required permissions and confirm the missing grants.',
|
||||
'Open required permissions',
|
||||
],
|
||||
'connection unhealthy' => [
|
||||
'connection_unhealthy',
|
||||
'Provider connection needs review',
|
||||
'Review the provider connection before retrying.',
|
||||
null,
|
||||
],
|
||||
'verification stale' => [
|
||||
'verification_stale',
|
||||
'Verification result is stale',
|
||||
'Refresh verification before continuing onboarding.',
|
||||
null,
|
||||
],
|
||||
'verification failed' => [
|
||||
'verification_failed',
|
||||
'Verification failed',
|
||||
'Review the blocking reason and retry verification.',
|
||||
null,
|
||||
],
|
||||
]);
|
||||
|
||||
it('keeps onboarding contextual help deny-as-not-found for workspace members outside the tenant scope', function (): void {
|
||||
[$authorizedUser, $tenant, $draft] = createProductKnowledgeOnboardingDraft('admin_consent');
|
||||
|
||||
$workspace = $tenant->workspace()->firstOrFail();
|
||||
$outOfScopeUser = User::factory()->create();
|
||||
|
||||
WorkspaceMembership::query()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'user_id' => (int) $outOfScopeUser->getKey(),
|
||||
'role' => 'owner',
|
||||
]);
|
||||
|
||||
$this->actingAs($outOfScopeUser)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
||||
->get(route('admin.onboarding.draft', ['onboardingDraft' => (int) $draft->getKey()]))
|
||||
->assertNotFound();
|
||||
});
|
||||
@ -2,17 +2,14 @@
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\System\Pages\Ops\Controls;
|
||||
use App\Filament\Resources\RestoreRunResource;
|
||||
use App\Filament\Resources\RestoreRunResource\Pages\CreateRestoreRun;
|
||||
use App\Models\BackupItem;
|
||||
use App\Models\BackupSet;
|
||||
use App\Models\OperationalControlActivation;
|
||||
use App\Models\PlatformUser;
|
||||
use App\Models\Policy;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Support\Auth\PlatformCapabilities;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Livewire\Livewire;
|
||||
@ -134,49 +131,3 @@ function seedRestoreAuthorizationContext(): array
|
||||
->call('create')
|
||||
->assertNotified('Restore execution paused');
|
||||
});
|
||||
|
||||
it('forbids ai execution controls for platform users missing system panel access', function (): void {
|
||||
$user = PlatformUser::factory()->create([
|
||||
'capabilities' => [
|
||||
PlatformCapabilities::OPS_CONTROLS_MANAGE,
|
||||
],
|
||||
'is_active' => true,
|
||||
]);
|
||||
|
||||
$this->actingAs($user, 'platform')
|
||||
->get(Controls::getUrl(panel: 'system'))
|
||||
->assertForbidden();
|
||||
});
|
||||
|
||||
it('forbids ai execution controls for platform users missing ops controls manage', function (): void {
|
||||
$user = PlatformUser::factory()->create([
|
||||
'capabilities' => [
|
||||
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
||||
],
|
||||
'is_active' => true,
|
||||
]);
|
||||
|
||||
$this->actingAs($user, 'platform')
|
||||
->get(Controls::getUrl(panel: 'system'))
|
||||
->assertForbidden();
|
||||
});
|
||||
|
||||
it('shows ai execution controls only to platform users with the existing system control capabilities', function (): void {
|
||||
$user = PlatformUser::factory()->create([
|
||||
'capabilities' => [
|
||||
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
||||
PlatformCapabilities::OPS_CONTROLS_MANAGE,
|
||||
],
|
||||
'is_active' => true,
|
||||
]);
|
||||
|
||||
$this->actingAs($user, 'platform')
|
||||
->get(Controls::getUrl(panel: 'system'))
|
||||
->assertSuccessful()
|
||||
->assertSee('AI execution');
|
||||
|
||||
Livewire::actingAs($user, 'platform')
|
||||
->test(Controls::class)
|
||||
->assertActionVisible('pause_ai_execution')
|
||||
->assertActionVisible('resume_ai_execution');
|
||||
});
|
||||
@ -3,9 +3,7 @@
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\AuditLog;
|
||||
use App\Services\ReviewPackService;
|
||||
use App\Support\Audit\AuditActionId;
|
||||
use App\Support\ReviewPackStatus;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\Storage;
|
||||
@ -43,25 +41,13 @@ function createReadyPackWithFile(?array $packOverrides = []): array
|
||||
it('downloads a ready pack via signed URL with correct headers', function (): void {
|
||||
[$user, $tenant, $pack] = createReadyPackWithFile();
|
||||
|
||||
$signedUrl = app(ReviewPackService::class)->generateDownloadUrl($pack, [
|
||||
'source_surface' => 'customer_review_workspace',
|
||||
]);
|
||||
$signedUrl = app(ReviewPackService::class)->generateDownloadUrl($pack);
|
||||
|
||||
$response = $this->actingAs($user)->get($signedUrl);
|
||||
|
||||
$response->assertOk();
|
||||
$response->assertHeader('X-Review-Pack-SHA256', $pack->sha256);
|
||||
$response->assertDownload();
|
||||
|
||||
$audit = AuditLog::query()
|
||||
->where('action', AuditActionId::ReviewPackDownloaded->value)
|
||||
->latest('id')
|
||||
->first();
|
||||
|
||||
expect($audit)->not->toBeNull()
|
||||
->and($audit?->resource_type)->toBe('review_pack')
|
||||
->and(data_get($audit?->metadata, 'review_pack_id'))->toBe((int) $pack->getKey())
|
||||
->and(data_get($audit?->metadata, 'source_surface'))->toBe('customer_review_workspace');
|
||||
});
|
||||
|
||||
// ─── Expired Signature → 403 ────────────────────────────────
|
||||
|
||||
@ -1,190 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Exceptions\Entitlements\WorkspaceEntitlementBlockedException;
|
||||
use App\Filament\Resources\ReviewPackResource;
|
||||
use App\Filament\Widgets\Tenant\TenantReviewPackCard;
|
||||
use App\Models\EvidenceSnapshot;
|
||||
use App\Models\Finding;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\StoredReport;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Services\Evidence\EvidenceSnapshotService;
|
||||
use App\Services\ReviewPackService;
|
||||
use App\Services\Settings\SettingsWriter;
|
||||
use App\Support\Evidence\EvidenceSnapshotStatus;
|
||||
use App\Support\OperationRunType;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Illuminate\Support\Facades\Storage;
|
||||
use Livewire\Livewire;
|
||||
|
||||
beforeEach(function (): void {
|
||||
Storage::fake('exports');
|
||||
});
|
||||
|
||||
function seedEntitlementReviewPackSnapshot(Tenant $tenant): EvidenceSnapshot
|
||||
{
|
||||
StoredReport::factory()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'report_type' => StoredReport::REPORT_TYPE_PERMISSION_POSTURE,
|
||||
'payload' => ['required_count' => 1, 'granted_count' => 1],
|
||||
]);
|
||||
|
||||
StoredReport::factory()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'report_type' => StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
|
||||
'payload' => ['roles' => [['displayName' => 'Global Administrator']]],
|
||||
]);
|
||||
|
||||
Finding::factory()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
]);
|
||||
|
||||
Finding::factory()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'finding_type' => Finding::FINDING_TYPE_DRIFT,
|
||||
]);
|
||||
|
||||
OperationRun::factory()->forTenant($tenant)->create();
|
||||
|
||||
/** @var EvidenceSnapshotService $service */
|
||||
$service = app(EvidenceSnapshotService::class);
|
||||
$payload = $service->buildSnapshotPayload($tenant);
|
||||
|
||||
$snapshot = EvidenceSnapshot::query()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'status' => EvidenceSnapshotStatus::Active->value,
|
||||
'fingerprint' => $payload['fingerprint'],
|
||||
'completeness_state' => $payload['completeness'],
|
||||
'summary' => $payload['summary'],
|
||||
'generated_at' => now(),
|
||||
]);
|
||||
|
||||
foreach ($payload['items'] as $item) {
|
||||
$snapshot->items()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'dimension_key' => $item['dimension_key'],
|
||||
'state' => $item['state'],
|
||||
'required' => $item['required'],
|
||||
'source_kind' => $item['source_kind'],
|
||||
'source_record_type' => $item['source_record_type'],
|
||||
'source_record_id' => $item['source_record_id'],
|
||||
'source_fingerprint' => $item['source_fingerprint'],
|
||||
'measured_at' => $item['measured_at'],
|
||||
'freshness_at' => $item['freshness_at'],
|
||||
'summary_payload' => $item['summary_payload'],
|
||||
'sort_order' => $item['sort_order'],
|
||||
]);
|
||||
}
|
||||
|
||||
return $snapshot;
|
||||
}
|
||||
|
||||
function disableReviewPackGenerationForWorkspace(Tenant $tenant, User $user, string $reason): void
|
||||
{
|
||||
$writer = app(SettingsWriter::class);
|
||||
|
||||
$writer->updateWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $tenant->workspace,
|
||||
domain: 'entitlements',
|
||||
key: 'review_pack_generation_override_value',
|
||||
value: false,
|
||||
);
|
||||
|
||||
$writer->updateWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $tenant->workspace,
|
||||
domain: 'entitlements',
|
||||
key: 'review_pack_generation_override_reason',
|
||||
value: $reason,
|
||||
);
|
||||
}
|
||||
|
||||
it('blocks new review pack generation before creating a review pack or operation run when the workspace is not entitled', function (): void {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
seedEntitlementReviewPackSnapshot($tenant);
|
||||
disableReviewPackGenerationForWorkspace($tenant, $user, 'Workspace is temporarily limited to manual reporting only');
|
||||
$initialRunCount = OperationRun::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->where('type', OperationRunType::ReviewPackGenerate->value)
|
||||
->count();
|
||||
|
||||
expect(fn (): ReviewPack => app(ReviewPackService::class)->generate($tenant, $user))
|
||||
->toThrow(WorkspaceEntitlementBlockedException::class, 'Workspace is temporarily limited to manual reporting only');
|
||||
|
||||
expect(ReviewPack::query()->count())->toBe(0)
|
||||
->and(OperationRun::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->where('type', OperationRunType::ReviewPackGenerate->value)
|
||||
->count())->toBe($initialRunCount);
|
||||
});
|
||||
|
||||
it('blocks executive pack export before creating a review pack or operation run when the workspace is not entitled', function (): void {
|
||||
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
||||
$snapshot = seedEntitlementReviewPackSnapshot($tenant);
|
||||
$review = composeTenantReviewForTest($tenant, $user, $snapshot);
|
||||
disableReviewPackGenerationForWorkspace($tenant, $user, 'Workspace is temporarily limited to manual reporting only');
|
||||
$initialRunCount = OperationRun::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->where('type', OperationRunType::ReviewPackGenerate->value)
|
||||
->count();
|
||||
|
||||
expect(fn (): ReviewPack => app(ReviewPackService::class)->generateFromReview($review, $user))
|
||||
->toThrow(WorkspaceEntitlementBlockedException::class, 'Workspace is temporarily limited to manual reporting only');
|
||||
|
||||
expect(ReviewPack::query()->count())->toBe(0)
|
||||
->and(OperationRun::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->where('type', OperationRunType::ReviewPackGenerate->value)
|
||||
->count())->toBe($initialRunCount);
|
||||
});
|
||||
|
||||
it('shows the blocked reason on the review pack card and keeps existing pack downloads accessible', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
||||
disableReviewPackGenerationForWorkspace($tenant, $user, 'Workspace is temporarily limited to manual reporting only');
|
||||
$initialRunCount = OperationRun::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->where('type', OperationRunType::ReviewPackGenerate->value)
|
||||
->count();
|
||||
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
||||
setTenantPanelContext($tenant);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(TenantReviewPackCard::class, ['record' => $tenant])
|
||||
->assertSee('Workspace is temporarily limited to manual reporting only')
|
||||
->assertSee('Generate pack')
|
||||
->call('generatePack', true, true)
|
||||
->assertHasNoErrors();
|
||||
|
||||
expect(ReviewPack::query()->count())->toBe(0)
|
||||
->and(OperationRun::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->where('type', OperationRunType::ReviewPackGenerate->value)
|
||||
->count())->toBe($initialRunCount);
|
||||
|
||||
$filePath = 'review-packs/entitlement-download-test.zip';
|
||||
Storage::disk('exports')->put($filePath, 'PK-test');
|
||||
|
||||
$pack = ReviewPack::factory()->ready()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'initiated_by_user_id' => (int) $user->getKey(),
|
||||
'file_path' => $filePath,
|
||||
'file_disk' => 'exports',
|
||||
]);
|
||||
|
||||
$this->actingAs($user)
|
||||
->get(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $tenant, panel: 'tenant'))
|
||||
->assertOk()
|
||||
->assertSee('Download');
|
||||
});
|
||||
@ -9,13 +9,11 @@
|
||||
use App\Services\ReviewPackService;
|
||||
use App\Support\Auth\UiTooltips;
|
||||
use App\Support\ReviewPackStatus;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\Storage;
|
||||
use Illuminate\Support\Facades\URL;
|
||||
use Livewire\Livewire;
|
||||
use Livewire\Features\SupportTesting\Testable;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
@ -23,17 +21,6 @@
|
||||
Storage::fake('exports');
|
||||
});
|
||||
|
||||
function getReviewPackRbacEmptyStateAction(Testable $component, string $name): ?Action
|
||||
{
|
||||
foreach ($component->instance()->getTable()->getEmptyStateActions() as $action) {
|
||||
if ($action instanceof Action && $action->getName() === $name) {
|
||||
return $action;
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
// ─── Non-Member Access ───────────────────────────────────────
|
||||
|
||||
it('returns 404 for non-member on list page', function (): void {
|
||||
@ -77,9 +64,11 @@ function getReviewPackRbacEmptyStateAction(Testable $component, string $name): ?
|
||||
'file_disk' => 'exports',
|
||||
]);
|
||||
|
||||
// Note: download route uses signed middleware, not tenant-scoped RBAC.
|
||||
// Any user with a valid signature can download. This is by design.
|
||||
$signedUrl = app(ReviewPackService::class)->generateDownloadUrl($pack);
|
||||
|
||||
$this->actingAs($user)->get($signedUrl)->assertNotFound();
|
||||
$this->actingAs($user)->get($signedUrl)->assertOk();
|
||||
});
|
||||
|
||||
// ─── REVIEW_PACK_VIEW Member ────────────────────────────────
|
||||
@ -135,15 +124,11 @@ function getReviewPackRbacEmptyStateAction(Testable $component, string $name): ?
|
||||
$tenant->makeCurrent();
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
$component = Livewire::actingAs($user)
|
||||
Livewire::actingAs($user)
|
||||
->test(ListReviewPacks::class)
|
||||
->assertTableEmptyStateActionsExistInOrder(['generate_first']);
|
||||
|
||||
$emptyStateAction = getReviewPackRbacEmptyStateAction($component, 'generate_first');
|
||||
|
||||
expect($emptyStateAction)->not->toBeNull()
|
||||
->and($emptyStateAction?->isDisabled())->toBeTrue()
|
||||
->and($emptyStateAction?->getTooltip())->toBe(UiTooltips::insufficientPermission());
|
||||
->assertActionVisible('generate_pack')
|
||||
->assertActionDisabled('generate_pack')
|
||||
->assertActionExists('generate_pack', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission());
|
||||
});
|
||||
|
||||
// ─── REVIEW_PACK_MANAGE Member ──────────────────────────────
|
||||
@ -152,12 +137,6 @@ function getReviewPackRbacEmptyStateAction(Testable $component, string $name): ?
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
||||
|
||||
ReviewPack::factory()->ready()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'initiated_by_user_id' => (int) $user->getKey(),
|
||||
]);
|
||||
|
||||
$tenant->makeCurrent();
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
|
||||
@ -13,19 +13,16 @@
|
||||
use App\Models\Tenant;
|
||||
use App\Services\Evidence\EvidenceSnapshotService;
|
||||
use App\Services\ReviewPackService;
|
||||
use App\Services\Settings\SettingsWriter;
|
||||
use App\Support\Auth\UiTooltips;
|
||||
use App\Support\Evidence\EvidenceSnapshotStatus;
|
||||
use App\Support\OperationRunLinks;
|
||||
use App\Support\ReviewPackStatus;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Actions\ActionGroup;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\Queue;
|
||||
use Illuminate\Support\Facades\Storage;
|
||||
use Livewire\Livewire;
|
||||
use Livewire\Features\SupportTesting\Testable;
|
||||
use Tests\Feature\Concerns\BuildsGovernanceArtifactTruthFixtures;
|
||||
|
||||
uses(RefreshDatabase::class, BuildsGovernanceArtifactTruthFixtures::class);
|
||||
@ -34,31 +31,6 @@
|
||||
Storage::fake('exports');
|
||||
});
|
||||
|
||||
function getReviewPackEmptyStateAction(Testable $component, string $name): ?Action
|
||||
{
|
||||
foreach ($component->instance()->getTable()->getEmptyStateActions() as $action) {
|
||||
if ($action instanceof Action && $action->getName() === $name) {
|
||||
return $action;
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
function getReviewPackHeaderAction(Testable $component, string $name): ?Action
|
||||
{
|
||||
$instance = $component->instance();
|
||||
$instance->cacheInteractsWithHeaderActions();
|
||||
|
||||
foreach ($instance->getCachedHeaderActions() as $action) {
|
||||
if ($action instanceof Action && $action->getName() === $name) {
|
||||
return $action;
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
function seedReviewPackEvidence(Tenant $tenant): EvidenceSnapshot
|
||||
{
|
||||
StoredReport::factory()->create([
|
||||
@ -158,7 +130,8 @@ function seedReviewPackEvidence(Tenant $tenant): EvidenceSnapshot
|
||||
'tenant_id' => (int) $otherTenant->getKey(),
|
||||
]);
|
||||
|
||||
setTenantPanelContext($tenant);
|
||||
$tenant->makeCurrent();
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(ListReviewPacks::class)
|
||||
@ -177,112 +150,32 @@ function seedReviewPackEvidence(Tenant $tenant): EvidenceSnapshot
|
||||
->assertSee('No review packs yet');
|
||||
});
|
||||
|
||||
// ─── List Page Start CTA Placement ───────────────────────────
|
||||
// ─── List Page Header Action ─────────────────────────────────
|
||||
|
||||
it('shows generate only in the empty state when no review packs exist', function (): void {
|
||||
it('shows the generate_pack header action for a MANAGE user', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
||||
|
||||
$tenant->makeCurrent();
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
$component = Livewire::actingAs($user)
|
||||
->test(ListReviewPacks::class)
|
||||
->assertTableEmptyStateActionsExistInOrder(['generate_first']);
|
||||
|
||||
$emptyStateAction = getReviewPackEmptyStateAction($component, 'generate_first');
|
||||
$headerAction = getReviewPackHeaderAction($component, 'generate_pack');
|
||||
|
||||
expect($emptyStateAction)->not->toBeNull()
|
||||
->and($emptyStateAction?->getLabel())->toBe('Generate first pack')
|
||||
->and($headerAction)->not->toBeNull()
|
||||
->and($headerAction?->isVisible())->toBeFalse();
|
||||
});
|
||||
|
||||
it('shows generate in the header once review packs exist', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
||||
|
||||
ReviewPack::factory()->ready()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'initiated_by_user_id' => (int) $user->getKey(),
|
||||
]);
|
||||
|
||||
$tenant->makeCurrent();
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(ListReviewPacks::class)
|
||||
->assertActionVisible('generate_pack');
|
||||
});
|
||||
|
||||
it('disables the generate_first action for a readonly user in the empty state', function (): void {
|
||||
it('disables the generate_pack action for a readonly user', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
||||
|
||||
$tenant->makeCurrent();
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
$component = Livewire::actingAs($user)
|
||||
->test(ListReviewPacks::class)
|
||||
->assertTableEmptyStateActionsExistInOrder(['generate_first']);
|
||||
|
||||
$emptyStateAction = getReviewPackEmptyStateAction($component, 'generate_first');
|
||||
|
||||
expect($emptyStateAction)->not->toBeNull()
|
||||
->and($emptyStateAction?->isDisabled())->toBeTrue()
|
||||
->and($emptyStateAction?->getTooltip())->toBe(UiTooltips::insufficientPermission());
|
||||
});
|
||||
|
||||
it('disables review pack generation actions when the workspace entitlement blocks them', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
||||
|
||||
app(SettingsWriter::class)->updateWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $tenant->workspace,
|
||||
domain: 'entitlements',
|
||||
key: 'review_pack_generation_override_value',
|
||||
value: false,
|
||||
);
|
||||
|
||||
app(SettingsWriter::class)->updateWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $tenant->workspace,
|
||||
domain: 'entitlements',
|
||||
key: 'review_pack_generation_override_reason',
|
||||
value: 'Workspace is temporarily limited to manual reporting only',
|
||||
);
|
||||
|
||||
$tenant->makeCurrent();
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
expect(ReviewPackResource::reviewPackGenerationActionTooltip($tenant))
|
||||
->toBe('Review pack generation is disabled by workspace override. Reason: Workspace is temporarily limited to manual reporting only');
|
||||
|
||||
$listPage = Livewire::actingAs($user)
|
||||
->test(ListReviewPacks::class)
|
||||
->assertTableEmptyStateActionsExistInOrder(['generate_first']);
|
||||
|
||||
$emptyStateAction = getReviewPackEmptyStateAction($listPage, 'generate_first');
|
||||
$headerAction = getReviewPackHeaderAction($listPage, 'generate_pack');
|
||||
|
||||
expect($emptyStateAction)->not->toBeNull()
|
||||
->and($emptyStateAction?->isDisabled())->toBeTrue()
|
||||
->and($headerAction)->not->toBeNull()
|
||||
->and($headerAction?->isVisible())->toBeFalse();
|
||||
|
||||
$pack = ReviewPack::factory()->ready()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'initiated_by_user_id' => (int) $user->getKey(),
|
||||
]);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(ViewReviewPack::class, ['record' => $pack->getKey()])
|
||||
->assertActionVisible('regenerate')
|
||||
->assertActionDisabled('regenerate');
|
||||
->test(ListReviewPacks::class)
|
||||
->assertActionVisible('generate_pack')
|
||||
->assertActionDisabled('generate_pack')
|
||||
->assertActionExists('generate_pack', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission());
|
||||
});
|
||||
|
||||
it('reuses an existing ready pack instead of starting a new run', function (): void {
|
||||
@ -332,12 +225,6 @@ function seedReviewPackEvidence(Tenant $tenant): EvidenceSnapshot
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
||||
|
||||
ReviewPack::factory()->failed()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'initiated_by_user_id' => (int) $user->getKey(),
|
||||
]);
|
||||
|
||||
$tenant->makeCurrent();
|
||||
Filament::setTenant($tenant, true);
|
||||
|
||||
@ -349,7 +236,7 @@ function seedReviewPackEvidence(Tenant $tenant): EvidenceSnapshot
|
||||
])
|
||||
->assertNotified();
|
||||
|
||||
expect(ReviewPack::query()->count())->toBe(1);
|
||||
expect(ReviewPack::query()->count())->toBe(0);
|
||||
Queue::assertNothingPushed();
|
||||
});
|
||||
|
||||
|
||||
@ -11,9 +11,6 @@
|
||||
use App\Models\Tenant;
|
||||
use App\Services\Evidence\EvidenceSnapshotService;
|
||||
use App\Support\Evidence\EvidenceSnapshotStatus;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\OperationRunType;
|
||||
use App\Support\Providers\ProviderReasonCodes;
|
||||
use App\Support\ReasonTranslation\ReasonPresenter;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
@ -51,13 +48,7 @@ function seedWidgetReviewPackSnapshot(Tenant $tenant): EvidenceSnapshot
|
||||
'finding_type' => Finding::FINDING_TYPE_DRIFT,
|
||||
]);
|
||||
|
||||
OperationRun::factory()->forTenant($tenant)->create([
|
||||
'type' => OperationRunType::TenantReviewCompose->value,
|
||||
'status' => OperationRunStatus::Completed->value,
|
||||
'outcome' => OperationRunOutcome::Succeeded->value,
|
||||
'started_at' => now()->subMinute(),
|
||||
'completed_at' => now(),
|
||||
]);
|
||||
OperationRun::factory()->forTenant($tenant)->create();
|
||||
|
||||
/** @var EvidenceSnapshotService $service */
|
||||
$service = app(EvidenceSnapshotService::class);
|
||||
|
||||
@ -1,66 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Models\WorkspaceMembership;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
it('returns 404 for users outside the active workspace on the customer review workspace', function (): void {
|
||||
$workspace = Workspace::factory()->create();
|
||||
$user = User::factory()->create();
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
||||
->get(CustomerReviewWorkspace::getUrl(panel: 'admin'))
|
||||
->assertNotFound();
|
||||
});
|
||||
|
||||
it('returns 404 for workspace members that have no tenant review visibility in the active workspace', function (): void {
|
||||
$workspace = Workspace::factory()->create();
|
||||
$user = User::factory()->create();
|
||||
|
||||
WorkspaceMembership::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'user_id' => (int) $user->getKey(),
|
||||
'role' => 'owner',
|
||||
]);
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
||||
->get(CustomerReviewWorkspace::getUrl(panel: 'admin'))
|
||||
->assertNotFound();
|
||||
});
|
||||
|
||||
it('allows entitled workspace members to access the customer review workspace', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
||||
->get(CustomerReviewWorkspace::getUrl(panel: 'admin'))
|
||||
->assertOk();
|
||||
});
|
||||
|
||||
it('returns 404 for explicit out-of-scope tenant targeting on the customer review workspace', function (): void {
|
||||
$tenantAllowed = Tenant::factory()->create(['name' => 'Allowed Tenant']);
|
||||
[$user, $tenantAllowed] = createUserWithTenant(tenant: $tenantAllowed, role: 'readonly');
|
||||
|
||||
$tenantDenied = Tenant::factory()->create([
|
||||
'workspace_id' => (int) $tenantAllowed->workspace_id,
|
||||
'name' => 'Denied Tenant',
|
||||
]);
|
||||
$otherOwner = User::factory()->create();
|
||||
createUserWithTenant(tenant: $tenantDenied, user: $otherOwner, role: 'owner');
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenantAllowed->workspace_id])
|
||||
->get(CustomerReviewWorkspace::getUrl(panel: 'admin').'?tenant='.(string) $tenantDenied->getKey())
|
||||
->assertNotFound();
|
||||
});
|
||||
@ -1,160 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
|
||||
use App\Filament\Resources\EvidenceSnapshotResource;
|
||||
use App\Filament\Resources\ReviewPackResource;
|
||||
use App\Filament\Resources\TenantReviewResource\Pages\ViewTenantReview;
|
||||
use App\Filament\Resources\TenantReviewResource;
|
||||
use App\Filament\Widgets\Tenant\TenantReviewPackCard;
|
||||
use App\Models\AuditLog;
|
||||
use App\Models\EvidenceSnapshot;
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantReview;
|
||||
use App\Support\Audit\AuditActionId;
|
||||
use App\Support\Evidence\EvidenceSnapshotStatus;
|
||||
use App\Support\TenantReviewStatus;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\Storage;
|
||||
use Livewire\Livewire;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
beforeEach(function (): void {
|
||||
Storage::fake('exports');
|
||||
});
|
||||
|
||||
it('renders a customer workspace link from tenant review detail context', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
||||
$snapshot = seedTenantReviewEvidence($tenant);
|
||||
|
||||
$review = composeTenantReviewForTest($tenant, $user, $snapshot);
|
||||
$review->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'published_at' => now(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
$this->actingAs($user)
|
||||
->get(TenantReviewResource::tenantScopedUrl('view', ['record' => $review], $tenant))
|
||||
->assertOk()
|
||||
->assertSee(CustomerReviewWorkspace::tenantPrefilterUrl($tenant), false);
|
||||
});
|
||||
|
||||
it('adds a customer workspace entry to evidence snapshot related context', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
|
||||
$snapshot = EvidenceSnapshot::query()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'status' => EvidenceSnapshotStatus::Active->value,
|
||||
'summary' => [],
|
||||
'generated_at' => now(),
|
||||
]);
|
||||
|
||||
$entry = collect(EvidenceSnapshotResource::relatedContextEntries($snapshot))
|
||||
->firstWhere('key', 'customer_review_workspace');
|
||||
|
||||
expect($entry)->not->toBeNull()
|
||||
->and($entry['targetUrl'] ?? null)->toBe(CustomerReviewWorkspace::tenantPrefilterUrl($tenant));
|
||||
});
|
||||
|
||||
it('renders a customer workspace link from review pack detail context', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
||||
$snapshot = seedTenantReviewEvidence($tenant);
|
||||
|
||||
$review = composeTenantReviewForTest($tenant, $user, $snapshot);
|
||||
$review->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'published_at' => now(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
Storage::disk('exports')->put('review-packs/customer-workspace-link.zip', 'PK-test');
|
||||
|
||||
$pack = ReviewPack::factory()->ready()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'tenant_review_id' => (int) $review->getKey(),
|
||||
'evidence_snapshot_id' => (int) $snapshot->getKey(),
|
||||
'initiated_by_user_id' => (int) $user->getKey(),
|
||||
'file_path' => 'review-packs/customer-workspace-link.zip',
|
||||
'file_disk' => 'exports',
|
||||
]);
|
||||
|
||||
$this->actingAs($user)
|
||||
->get(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $tenant, panel: 'tenant'))
|
||||
->assertOk()
|
||||
->assertSee(CustomerReviewWorkspace::tenantPrefilterUrl($tenant), false);
|
||||
});
|
||||
|
||||
it('renders a customer workspace launch button on the tenant review pack widget', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
||||
$snapshot = seedTenantReviewEvidence($tenant);
|
||||
|
||||
$review = composeTenantReviewForTest($tenant, $user, $snapshot);
|
||||
$review->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'published_at' => now(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
Storage::disk('exports')->put('review-packs/widget-customer-workspace.zip', 'PK-test');
|
||||
|
||||
ReviewPack::factory()->ready()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'tenant_review_id' => (int) $review->getKey(),
|
||||
'evidence_snapshot_id' => (int) $snapshot->getKey(),
|
||||
'initiated_by_user_id' => (int) $user->getKey(),
|
||||
'file_path' => 'review-packs/widget-customer-workspace.zip',
|
||||
'file_disk' => 'exports',
|
||||
]);
|
||||
|
||||
setTenantPanelContext($tenant);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(TenantReviewPackCard::class, ['record' => $tenant])
|
||||
->assertSee('Customer workspace')
|
||||
->assertSee(CustomerReviewWorkspace::tenantPrefilterUrl($tenant), false);
|
||||
});
|
||||
|
||||
it('keeps the linked tenant review detail read-only for a readonly-capable actor', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
||||
$snapshot = seedTenantReviewEvidence($tenant);
|
||||
|
||||
$review = composeTenantReviewForTest($tenant, $user, $snapshot);
|
||||
$review->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'published_at' => now(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
setTenantPanelContext($tenant);
|
||||
|
||||
Livewire::withQueryParams([CustomerReviewWorkspace::DETAIL_CONTEXT_QUERY_KEY => 1])
|
||||
->actingAs($user)
|
||||
->test(ViewTenantReview::class, ['record' => $review->getKey()])
|
||||
->assertSee('Outcome summary')
|
||||
->assertActionDoesNotExist('publish_review')
|
||||
->assertActionDoesNotExist('refresh_review')
|
||||
->assertActionDoesNotExist('create_next_review')
|
||||
->assertActionDoesNotExist('export_executive_pack')
|
||||
->assertActionHidden('archive_review');
|
||||
|
||||
$audit = AuditLog::query()
|
||||
->where('action', AuditActionId::TenantReviewOpened->value)
|
||||
->latest('id')
|
||||
->first();
|
||||
|
||||
expect($audit)->not->toBeNull()
|
||||
->and($audit?->resource_type)->toBe('tenant_review')
|
||||
->and(data_get($audit?->metadata, 'review_id'))->toBe((int) $review->getKey())
|
||||
->and(data_get($audit?->metadata, 'source_surface'))->toBe('customer_review_workspace');
|
||||
});
|
||||
@ -1,97 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\Tenant;
|
||||
use App\Support\TenantReviewStatus;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Livewire\Livewire;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
it('shows the ready review-pack action for the latest published review', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
||||
$snapshot = seedTenantReviewEvidence($tenant);
|
||||
|
||||
$review = composeTenantReviewForTest($tenant, $user, $snapshot);
|
||||
$review->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'published_at' => now(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
$pack = ReviewPack::factory()->ready()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'tenant_review_id' => (int) $review->getKey(),
|
||||
'evidence_snapshot_id' => (int) $snapshot->getKey(),
|
||||
'initiated_by_user_id' => (int) $user->getKey(),
|
||||
'expires_at' => now()->addDay(),
|
||||
]);
|
||||
|
||||
$review->forceFill([
|
||||
'current_export_review_pack_id' => (int) $pack->getKey(),
|
||||
])->save();
|
||||
|
||||
$this->actingAs($user);
|
||||
setAdminPanelContext();
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(CustomerReviewWorkspace::class)
|
||||
->assertTableActionVisible('open_latest_review', $tenant)
|
||||
->assertTableActionVisible('download_review_pack', $tenant)
|
||||
->assertSee('Available');
|
||||
});
|
||||
|
||||
it('shows an unavailable pack state and hides the download action when no current review pack exists', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
||||
$snapshot = seedTenantReviewEvidence($tenant);
|
||||
|
||||
$review = composeTenantReviewForTest($tenant, $user, $snapshot);
|
||||
$review->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'published_at' => now(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
'current_export_review_pack_id' => null,
|
||||
])->save();
|
||||
|
||||
$this->actingAs($user);
|
||||
setAdminPanelContext();
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(CustomerReviewWorkspace::class)
|
||||
->assertTableActionVisible('open_latest_review', $tenant)
|
||||
->assertTableActionHidden('download_review_pack', $tenant)
|
||||
->assertSee('Unavailable');
|
||||
});
|
||||
|
||||
it('hides review and pack actions for tenants without a published review', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
||||
$snapshot = seedTenantReviewEvidence($tenant);
|
||||
|
||||
$review = composeTenantReviewForTest($tenant, $user, $snapshot);
|
||||
$review->forceFill([
|
||||
'status' => TenantReviewStatus::Ready->value,
|
||||
'published_at' => null,
|
||||
'published_by_user_id' => null,
|
||||
'current_export_review_pack_id' => null,
|
||||
])->save();
|
||||
|
||||
$this->actingAs($user);
|
||||
setAdminPanelContext();
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(CustomerReviewWorkspace::class)
|
||||
->assertTableActionHidden('open_latest_review', $tenant)
|
||||
->assertTableActionHidden('download_review_pack', $tenant)
|
||||
->assertSee('No published review available yet');
|
||||
});
|
||||
@ -1,222 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Reviews\CustomerReviewWorkspace;
|
||||
use App\Filament\Resources\TenantReviewResource;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Support\TenantReviewStatus;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Livewire\Livewire;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
it('lists only the latest published review per entitled tenant on the customer review workspace', function (): void {
|
||||
$tenantA = Tenant::factory()->create(['name' => 'Alpha Tenant']);
|
||||
[$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'readonly');
|
||||
|
||||
$tenantB = Tenant::factory()->create([
|
||||
'workspace_id' => (int) $tenantA->workspace_id,
|
||||
'name' => 'Beta Tenant',
|
||||
]);
|
||||
createUserWithTenant(tenant: $tenantB, user: $user, role: 'readonly');
|
||||
|
||||
$tenantDenied = Tenant::factory()->create([
|
||||
'workspace_id' => (int) $tenantA->workspace_id,
|
||||
'name' => 'Denied Tenant',
|
||||
]);
|
||||
$otherOwner = User::factory()->create();
|
||||
createUserWithTenant(tenant: $tenantDenied, user: $otherOwner, role: 'owner');
|
||||
|
||||
$tenantASnapshot = seedTenantReviewEvidence($tenantA);
|
||||
$tenantBSnapshot = seedTenantReviewEvidence($tenantB);
|
||||
$tenantDeniedSnapshot = seedTenantReviewEvidence($tenantDenied);
|
||||
|
||||
$olderPublishedReview = composeTenantReviewForTest($tenantA, $user, $tenantASnapshot);
|
||||
$olderPublishedReview->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'generated_at' => now()->subDays(3),
|
||||
'published_at' => now()->subDays(3),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
$newerInternalReview = $olderPublishedReview->replicate();
|
||||
$newerInternalReview->forceFill([
|
||||
'tenant_id' => (int) $tenantA->getKey(),
|
||||
'workspace_id' => (int) $tenantA->workspace_id,
|
||||
'evidence_snapshot_id' => (int) $tenantASnapshot->getKey(),
|
||||
'status' => TenantReviewStatus::Ready->value,
|
||||
'generated_at' => now()->subDay(),
|
||||
'published_at' => null,
|
||||
'published_by_user_id' => null,
|
||||
])->save();
|
||||
|
||||
$latestPublishedReview = $olderPublishedReview->replicate();
|
||||
$latestPublishedReview->forceFill([
|
||||
'tenant_id' => (int) $tenantA->getKey(),
|
||||
'workspace_id' => (int) $tenantA->workspace_id,
|
||||
'evidence_snapshot_id' => (int) $tenantASnapshot->getKey(),
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'generated_at' => now(),
|
||||
'published_at' => now(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
$betaPublishedReview = composeTenantReviewForTest($tenantB, $user, $tenantBSnapshot);
|
||||
$betaPublishedReview->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'generated_at' => now()->subHours(2),
|
||||
'published_at' => now()->subHours(2),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
$deniedPublishedReview = composeTenantReviewForTest($tenantDenied, $otherOwner, $tenantDeniedSnapshot);
|
||||
$deniedPublishedReview->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'generated_at' => now()->subHours(3),
|
||||
'published_at' => now()->subHours(3),
|
||||
'published_by_user_id' => (int) $otherOwner->getKey(),
|
||||
])->save();
|
||||
|
||||
$this->actingAs($user);
|
||||
setAdminPanelContext();
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(CustomerReviewWorkspace::class)
|
||||
->assertCanSeeTableRecords([$tenantA->fresh(), $tenantB->fresh()])
|
||||
->assertCanNotSeeTableRecords([$tenantDenied->fresh()])
|
||||
->assertSee(TenantReviewResource::tenantScopedUrl('view', ['record' => $latestPublishedReview->fresh()], $tenantA), false)
|
||||
->assertSee(TenantReviewResource::tenantScopedUrl('view', ['record' => $betaPublishedReview->fresh()], $tenantB), false)
|
||||
->assertDontSee(TenantReviewResource::tenantScopedUrl('view', ['record' => $olderPublishedReview->fresh()], $tenantA), false)
|
||||
->assertDontSee(TenantReviewResource::tenantScopedUrl('view', ['record' => $newerInternalReview->fresh()], $tenantA), false)
|
||||
->assertDontSee('Publish review')
|
||||
->assertDontSee('Refresh review')
|
||||
->assertDontSee('Create next review')
|
||||
->assertDontSee('Regenerate')
|
||||
->assertDontSee('Expire snapshot')
|
||||
->assertDontSee(TenantReviewResource::tenantScopedUrl('view', ['record' => $deniedPublishedReview->fresh()], $tenantDenied), false);
|
||||
});
|
||||
|
||||
it('shows entitled tenants without a published review as calm absence rows', function (): void {
|
||||
$tenantPublished = Tenant::factory()->create(['name' => 'Published Tenant']);
|
||||
[$user, $tenantPublished] = createUserWithTenant(tenant: $tenantPublished, role: 'readonly');
|
||||
|
||||
$tenantWithoutPublished = Tenant::factory()->create([
|
||||
'workspace_id' => (int) $tenantPublished->workspace_id,
|
||||
'name' => 'No Published Tenant',
|
||||
]);
|
||||
createUserWithTenant(tenant: $tenantWithoutPublished, user: $user, role: 'readonly');
|
||||
|
||||
$publishedSnapshot = seedTenantReviewEvidence($tenantPublished);
|
||||
$noPublishedSnapshot = seedTenantReviewEvidence($tenantWithoutPublished);
|
||||
|
||||
$publishedReview = composeTenantReviewForTest($tenantPublished, $user, $publishedSnapshot);
|
||||
$publishedReview->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'published_at' => now()->subHour(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
$internalOnlyReview = composeTenantReviewForTest($tenantWithoutPublished, $user, $noPublishedSnapshot);
|
||||
$internalOnlyReview->forceFill([
|
||||
'status' => TenantReviewStatus::Ready->value,
|
||||
'published_at' => null,
|
||||
'published_by_user_id' => null,
|
||||
])->save();
|
||||
|
||||
$this->actingAs($user);
|
||||
setAdminPanelContext();
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantPublished->workspace_id);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(CustomerReviewWorkspace::class)
|
||||
->assertCanSeeTableRecords([$tenantPublished->fresh(), $tenantWithoutPublished->fresh()])
|
||||
->assertSee('No published review')
|
||||
->assertSee('No published review available yet')
|
||||
->assertDontSee(TenantReviewResource::tenantScopedUrl('view', ['record' => $internalOnlyReview->fresh()], $tenantWithoutPublished), false)
|
||||
->assertSee(TenantReviewResource::tenantScopedUrl('view', ['record' => $publishedReview->fresh()], $tenantPublished), false);
|
||||
});
|
||||
|
||||
it('defaults the customer review workspace to the remembered tenant when tenant context is available', function (): void {
|
||||
$tenantA = Tenant::factory()->create(['name' => 'Alpha Tenant']);
|
||||
[$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'readonly');
|
||||
|
||||
$tenantB = Tenant::factory()->create([
|
||||
'workspace_id' => (int) $tenantA->workspace_id,
|
||||
'name' => 'Beta Tenant',
|
||||
]);
|
||||
createUserWithTenant(tenant: $tenantB, user: $user, role: 'readonly');
|
||||
|
||||
$snapshotA = seedTenantReviewEvidence($tenantA);
|
||||
$snapshotB = seedTenantReviewEvidence($tenantB);
|
||||
|
||||
$reviewA = composeTenantReviewForTest($tenantA, $user, $snapshotA);
|
||||
$reviewA->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'published_at' => now()->subDay(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
$reviewB = composeTenantReviewForTest($tenantB, $user, $snapshotB);
|
||||
$reviewB->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'published_at' => now(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
$this->actingAs($user);
|
||||
setAdminPanelContext();
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id);
|
||||
session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, [
|
||||
(string) $tenantA->workspace_id => (int) $tenantB->getKey(),
|
||||
]);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(CustomerReviewWorkspace::class)
|
||||
->assertSet('tableFilters.tenant_id.value', (string) $tenantB->getKey())
|
||||
->filterTable('tenant_id', (string) $tenantB->getKey())
|
||||
->assertCanSeeTableRecords([$tenantB->fresh()])
|
||||
->assertCanNotSeeTableRecords([$tenantA->fresh()]);
|
||||
});
|
||||
|
||||
it('prefilters the customer review workspace from an explicit tenant query parameter and accepts external tenant identifiers', function (): void {
|
||||
$tenantA = Tenant::factory()->create(['name' => 'Alpha Tenant']);
|
||||
[$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'readonly');
|
||||
|
||||
$tenantB = Tenant::factory()->create([
|
||||
'workspace_id' => (int) $tenantA->workspace_id,
|
||||
'name' => 'Beta Tenant',
|
||||
]);
|
||||
createUserWithTenant(tenant: $tenantB, user: $user, role: 'readonly');
|
||||
|
||||
$snapshotA = seedTenantReviewEvidence($tenantA);
|
||||
$snapshotB = seedTenantReviewEvidence($tenantB);
|
||||
|
||||
$reviewA = composeTenantReviewForTest($tenantA, $user, $snapshotA);
|
||||
$reviewA->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'published_at' => now(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
$reviewB = composeTenantReviewForTest($tenantB, $user, $snapshotB);
|
||||
$reviewB->forceFill([
|
||||
'status' => TenantReviewStatus::Published->value,
|
||||
'published_at' => now()->subDay(),
|
||||
'published_by_user_id' => (int) $user->getKey(),
|
||||
])->save();
|
||||
|
||||
$this->actingAs($user);
|
||||
setAdminPanelContext();
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id);
|
||||
|
||||
Livewire::withQueryParams(['tenant' => (string) $tenantA->external_id])
|
||||
->test(CustomerReviewWorkspace::class)
|
||||
->assertSet('tableFilters.tenant_id.value', (string) $tenantA->getKey())
|
||||
->filterTable('tenant_id', (string) $tenantA->getKey())
|
||||
->assertCanSeeTableRecords([$tenantA->fresh()])
|
||||
->assertCanNotSeeTableRecords([$tenantB->fresh()]);
|
||||
});
|
||||
@ -1,66 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Settings\WorkspaceSettings;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Models\WorkspaceMembership;
|
||||
use App\Services\Settings\SettingsResolver;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Livewire\Livewire;
|
||||
|
||||
/**
|
||||
* @return array{0: Workspace, 1: User}
|
||||
*/
|
||||
function workspaceAiPolicyManager(): array
|
||||
{
|
||||
$workspace = Workspace::factory()->create();
|
||||
$user = User::factory()->create();
|
||||
|
||||
WorkspaceMembership::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'user_id' => (int) $user->getKey(),
|
||||
'role' => 'manager',
|
||||
]);
|
||||
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
||||
|
||||
return [$workspace, $user];
|
||||
}
|
||||
|
||||
it('renders the workspace ai policy section and lets managers save and reset the ai posture', function (): void {
|
||||
[$workspace, $user] = workspaceAiPolicyManager();
|
||||
|
||||
$this->actingAs($user)
|
||||
->get(WorkspaceSettings::getUrl(panel: 'admin'))
|
||||
->assertSuccessful()
|
||||
->assertSee('Workspace AI policy')
|
||||
->assertSee('Disabled')
|
||||
->assertSee('Private only')
|
||||
->assertSee('Approved use cases')
|
||||
->assertSee('Blocked data classifications');
|
||||
|
||||
expect(app(SettingsResolver::class)->resolveValue($workspace, 'ai', 'policy_mode'))
|
||||
->toBe('disabled');
|
||||
|
||||
$component = Livewire::actingAs($user)
|
||||
->test(WorkspaceSettings::class)
|
||||
->assertSet('data.ai_policy_mode', null)
|
||||
->set('data.ai_policy_mode', 'private_only')
|
||||
->callAction('save')
|
||||
->assertHasNoErrors()
|
||||
->assertSet('data.ai_policy_mode', 'private_only');
|
||||
|
||||
expect(app(SettingsResolver::class)->resolveValue($workspace, 'ai', 'policy_mode'))
|
||||
->toBe('private_only');
|
||||
|
||||
$component
|
||||
->mountFormComponentAction('ai_policy_mode', 'reset_ai_policy_mode', [], 'content')
|
||||
->callMountedFormComponentAction()
|
||||
->assertHasNoErrors()
|
||||
->assertSet('data.ai_policy_mode', null);
|
||||
|
||||
expect(app(SettingsResolver::class)->resolveValue($workspace, 'ai', 'policy_mode'))
|
||||
->toBe('disabled');
|
||||
});
|
||||
@ -79,76 +79,3 @@
|
||||
->and(data_get($audit?->metadata, 'before_value'))->toBe(48)
|
||||
->and(data_get($audit?->metadata, 'after_value'))->toBe(30);
|
||||
});
|
||||
|
||||
it('writes a workspace-scoped audit entry when ai policy mode is updated', function (): void {
|
||||
$workspace = Workspace::factory()->create();
|
||||
$user = User::factory()->create();
|
||||
|
||||
WorkspaceMembership::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'user_id' => (int) $user->getKey(),
|
||||
'role' => 'manager',
|
||||
]);
|
||||
|
||||
app(SettingsWriter::class)->updateWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $workspace,
|
||||
domain: 'ai',
|
||||
key: 'policy_mode',
|
||||
value: 'private_only',
|
||||
);
|
||||
|
||||
$audit = AuditLog::query()->latest('id')->first();
|
||||
|
||||
expect($audit)->not->toBeNull()
|
||||
->and($audit?->workspace_id)->toBe((int) $workspace->getKey())
|
||||
->and($audit?->tenant_id)->toBeNull()
|
||||
->and($audit?->action)->toBe(AuditActionId::WorkspaceSettingUpdated->value)
|
||||
->and(data_get($audit?->metadata, 'domain'))->toBe('ai')
|
||||
->and(data_get($audit?->metadata, 'key'))->toBe('policy_mode')
|
||||
->and(data_get($audit?->metadata, 'scope'))->toBe('workspace')
|
||||
->and(data_get($audit?->metadata, 'before_value'))->toBeNull()
|
||||
->and(data_get($audit?->metadata, 'after_value'))->toBe('private_only');
|
||||
});
|
||||
|
||||
it('writes a workspace-scoped audit entry when ai policy mode is reset', function (): void {
|
||||
$workspace = Workspace::factory()->create();
|
||||
$user = User::factory()->create();
|
||||
|
||||
WorkspaceMembership::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'user_id' => (int) $user->getKey(),
|
||||
'role' => 'manager',
|
||||
]);
|
||||
|
||||
$writer = app(SettingsWriter::class);
|
||||
|
||||
$writer->updateWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $workspace,
|
||||
domain: 'ai',
|
||||
key: 'policy_mode',
|
||||
value: 'private_only',
|
||||
);
|
||||
|
||||
$writer->resetWorkspaceSetting(
|
||||
actor: $user,
|
||||
workspace: $workspace,
|
||||
domain: 'ai',
|
||||
key: 'policy_mode',
|
||||
);
|
||||
|
||||
$audit = AuditLog::query()
|
||||
->where('action', AuditActionId::WorkspaceSettingReset->value)
|
||||
->latest('id')
|
||||
->first();
|
||||
|
||||
expect($audit)->not->toBeNull()
|
||||
->and($audit?->workspace_id)->toBe((int) $workspace->getKey())
|
||||
->and($audit?->tenant_id)->toBeNull()
|
||||
->and(data_get($audit?->metadata, 'domain'))->toBe('ai')
|
||||
->and(data_get($audit?->metadata, 'key'))->toBe('policy_mode')
|
||||
->and(data_get($audit?->metadata, 'scope'))->toBe('workspace')
|
||||
->and(data_get($audit?->metadata, 'before_value'))->toBe('private_only')
|
||||
->and(data_get($audit?->metadata, 'after_value'))->toBe('disabled');
|
||||
});
|
||||
|
||||
@ -44,7 +44,6 @@ function workspaceManagerUser(): array
|
||||
|
||||
$component = Livewire::actingAs($user)
|
||||
->test(WorkspaceSettings::class)
|
||||
->assertSet('data.ai_policy_mode', null)
|
||||
->assertSet('data.backup_retention_keep_last_default', null)
|
||||
->assertSet('data.backup_retention_min_floor', null)
|
||||
->assertSet('data.drift_severity_mapping', [])
|
||||
@ -59,7 +58,6 @@ function workspaceManagerUser(): array
|
||||
->assertSet('data.findings_sla_low', null)
|
||||
->assertSet('data.operations_operation_run_retention_days', null)
|
||||
->assertSet('data.operations_stuck_run_threshold_minutes', null)
|
||||
->set('data.ai_policy_mode', 'private_only')
|
||||
->set('data.backup_retention_keep_last_default', 55)
|
||||
->set('data.backup_retention_min_floor', 12)
|
||||
->set('data.drift_severity_mapping', ['drift' => 'critical'])
|
||||
@ -76,7 +74,6 @@ function workspaceManagerUser(): array
|
||||
->set('data.operations_stuck_run_threshold_minutes', 60)
|
||||
->callAction('save')
|
||||
->assertHasNoErrors()
|
||||
->assertSet('data.ai_policy_mode', 'private_only')
|
||||
->assertSet('data.backup_retention_keep_last_default', 55)
|
||||
->assertSet('data.backup_retention_min_floor', 12)
|
||||
->assertSet('data.baseline_severity_missing_policy', 'critical')
|
||||
@ -100,9 +97,6 @@ function workspaceManagerUser(): array
|
||||
expect(app(SettingsResolver::class)->resolveValue($workspace, 'backup', 'retention_keep_last_default'))
|
||||
->toBe(55);
|
||||
|
||||
expect(app(SettingsResolver::class)->resolveValue($workspace, 'ai', 'policy_mode'))
|
||||
->toBe('private_only');
|
||||
|
||||
expect(app(SettingsResolver::class)->resolveValue($workspace, 'backup', 'retention_min_floor'))
|
||||
->toBe(12);
|
||||
|
||||
@ -148,18 +142,6 @@ function workspaceManagerUser(): array
|
||||
->where('key', 'retention_keep_last_default')
|
||||
->exists())->toBeFalse();
|
||||
|
||||
$component
|
||||
->mountFormComponentAction('ai_policy_mode', 'reset_ai_policy_mode', [], 'content')
|
||||
->callMountedFormComponentAction()
|
||||
->assertHasNoErrors()
|
||||
->assertSet('data.ai_policy_mode', null);
|
||||
|
||||
expect(WorkspaceSetting::query()
|
||||
->where('workspace_id', (int) $workspace->getKey())
|
||||
->where('domain', 'ai')
|
||||
->where('key', 'policy_mode')
|
||||
->exists())->toBeFalse();
|
||||
|
||||
$component
|
||||
->mountFormComponentAction('operations_operation_run_retention_days', 'reset_operations_operation_run_retention_days', [], 'content')
|
||||
->callMountedFormComponentAction()
|
||||
|
||||
@ -5,7 +5,6 @@
|
||||
use App\Filament\Pages\Settings\WorkspaceSettings;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Models\WorkspaceSetting;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Livewire\Livewire;
|
||||
|
||||
@ -13,14 +12,6 @@
|
||||
$workspace = Workspace::factory()->create();
|
||||
$user = User::factory()->create();
|
||||
|
||||
WorkspaceSetting::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'domain' => 'ai',
|
||||
'key' => 'policy_mode',
|
||||
'value' => 'private_only',
|
||||
'updated_by_user_id' => null,
|
||||
]);
|
||||
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
||||
|
||||
$this->actingAs($user)
|
||||
|
||||
@ -30,14 +30,6 @@
|
||||
'updated_by_user_id' => null,
|
||||
]);
|
||||
|
||||
WorkspaceSetting::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'domain' => 'ai',
|
||||
'key' => 'policy_mode',
|
||||
'value' => 'private_only',
|
||||
'updated_by_user_id' => null,
|
||||
]);
|
||||
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
||||
|
||||
$this->actingAs($user)
|
||||
@ -46,7 +38,6 @@
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(WorkspaceSettings::class)
|
||||
->assertSet('data.ai_policy_mode', 'private_only')
|
||||
->assertSet('data.backup_retention_keep_last_default', 27)
|
||||
->assertSet('data.backup_retention_min_floor', null)
|
||||
->assertSet('data.drift_severity_mapping', [])
|
||||
@ -65,8 +56,6 @@
|
||||
->assertActionDisabled('save')
|
||||
->assertFormComponentActionVisible('backup_retention_keep_last_default', 'reset_backup_retention_keep_last_default', [], 'content')
|
||||
->assertFormComponentActionDisabled('backup_retention_keep_last_default', 'reset_backup_retention_keep_last_default', [], 'content')
|
||||
->assertFormComponentActionVisible('ai_policy_mode', 'reset_ai_policy_mode', [], 'content')
|
||||
->assertFormComponentActionDisabled('ai_policy_mode', 'reset_ai_policy_mode', [], 'content')
|
||||
->assertFormComponentActionVisible('backup_retention_min_floor', 'reset_backup_retention_min_floor', [], 'content')
|
||||
->assertFormComponentActionDisabled('backup_retention_min_floor', 'reset_backup_retention_min_floor', [], 'content')
|
||||
->assertFormComponentActionVisible('drift_severity_mapping', 'reset_drift_severity_mapping', [], 'content')
|
||||
@ -86,11 +75,6 @@
|
||||
->call('save')
|
||||
->assertStatus(403);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(WorkspaceSettings::class)
|
||||
->call('resetSetting', 'ai_policy_mode')
|
||||
->assertStatus(403);
|
||||
|
||||
Livewire::actingAs($user)
|
||||
->test(WorkspaceSettings::class)
|
||||
->call('resetSetting', 'backup_retention_keep_last_default')
|
||||
@ -104,12 +88,5 @@
|
||||
->where('key', 'retention_keep_last_default')
|
||||
->first();
|
||||
|
||||
$aiSetting = WorkspaceSetting::query()
|
||||
->where('workspace_id', (int) $workspace->getKey())
|
||||
->where('domain', 'ai')
|
||||
->where('key', 'policy_mode')
|
||||
->first();
|
||||
|
||||
expect($setting)->not->toBeNull()
|
||||
->and($aiSetting)->not->toBeNull();
|
||||
expect($setting)->not->toBeNull();
|
||||
});
|
||||
|
||||
@ -1,133 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Operations\TenantlessOperationRunViewer;
|
||||
use App\Filament\Pages\TenantDashboard;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\ProviderConnection;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Models\WorkspaceMembership;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\OperationRunType;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Facades\Filament;
|
||||
use Livewire\Livewire;
|
||||
|
||||
function productKnowledgeSupportDiagnosticsTenantAuthorizationComponent(User $user, Tenant $tenant): \Livewire\Features\SupportTesting\Testable
|
||||
{
|
||||
test()->actingAs($user);
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
||||
setTenantPanelContext($tenant);
|
||||
|
||||
return Livewire::actingAs($user)->test(TenantDashboard::class);
|
||||
}
|
||||
|
||||
function productKnowledgeSupportDiagnosticsOperationAuthorizationComponent(User $user, OperationRun $run): \Livewire\Features\SupportTesting\Testable
|
||||
{
|
||||
test()->actingAs($user);
|
||||
Filament::setTenant(null, true);
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $run->workspace_id);
|
||||
|
||||
return Livewire::actingAs($user)->test(TenantlessOperationRunViewer::class, ['run' => $run]);
|
||||
}
|
||||
|
||||
it('keeps tenant support diagnostics contextual help deny-as-not-found for workspace members without tenant entitlement', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
$user = User::factory()->create();
|
||||
|
||||
WorkspaceMembership::factory()->create([
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'user_id' => (int) $user->getKey(),
|
||||
'role' => 'operator',
|
||||
]);
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
||||
->get(TenantDashboard::getUrl(panel: 'tenant', tenant: $tenant))
|
||||
->assertNotFound();
|
||||
});
|
||||
|
||||
it('returns forbidden for entitled run viewers without support diagnostics capability when requesting the contextual-help bundle', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
||||
|
||||
$run = OperationRun::factory()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'type' => OperationRunType::BaselineCompare->value,
|
||||
'status' => OperationRunStatus::Completed->value,
|
||||
'outcome' => OperationRunOutcome::Succeeded->value,
|
||||
'completed_at' => now(),
|
||||
]);
|
||||
|
||||
productKnowledgeSupportDiagnosticsOperationAuthorizationComponent($user, $run)
|
||||
->assertActionVisible('openSupportDiagnostics')
|
||||
->assertActionDisabled('openSupportDiagnostics')
|
||||
->call('operationRunSupportDiagnosticBundle')
|
||||
->assertForbidden();
|
||||
});
|
||||
|
||||
it('omits support diagnostics contextual help when the dominant issue does not map to a catalog topic', function (): void {
|
||||
$tenant = Tenant::factory()->create(['name' => 'Fallback Support Tenant']);
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'operator');
|
||||
|
||||
$connection = ProviderConnection::factory()
|
||||
->withCredential()
|
||||
->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'display_name' => 'Fallback connection',
|
||||
'last_error_reason_code' => 'ext.support.manual_lookup_needed',
|
||||
'last_health_check_at' => now()->subMinutes(5),
|
||||
]);
|
||||
|
||||
$run = OperationRun::factory()
|
||||
->forTenant($tenant)
|
||||
->create([
|
||||
'type' => OperationRunType::BaselineCompare->value,
|
||||
'status' => OperationRunStatus::Completed->value,
|
||||
'outcome' => OperationRunOutcome::Succeeded->value,
|
||||
'context' => [
|
||||
'provider_connection_id' => (int) $connection->getKey(),
|
||||
],
|
||||
'completed_at' => now()->subMinutes(3),
|
||||
]);
|
||||
|
||||
productKnowledgeSupportDiagnosticsOperationAuthorizationComponent($user, $run)
|
||||
->mountAction('openSupportDiagnostics')
|
||||
->assertMountedActionModalDontSee('Contextual help')
|
||||
->assertMountedActionModalDontSee('ext.support.manual_lookup_needed');
|
||||
});
|
||||
|
||||
it('keeps operation-run support diagnostics deny-as-not-found for workspace members without tenant entitlement', function (): void {
|
||||
$workspace = Workspace::factory()->create();
|
||||
$tenant = Tenant::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
]);
|
||||
|
||||
$user = User::factory()->create();
|
||||
|
||||
WorkspaceMembership::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'user_id' => (int) $user->getKey(),
|
||||
'role' => 'owner',
|
||||
]);
|
||||
|
||||
$run = OperationRun::factory()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'type' => OperationRunType::BaselineCompare->value,
|
||||
'status' => OperationRunStatus::Completed->value,
|
||||
'outcome' => OperationRunOutcome::Succeeded->value,
|
||||
'completed_at' => now(),
|
||||
]);
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
||||
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
||||
->assertNotFound();
|
||||
});
|
||||
@ -1,162 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Operations\TenantlessOperationRunViewer;
|
||||
use App\Filament\Pages\TenantDashboard;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\ProviderConnection;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\OperationRunType;
|
||||
use App\Support\Providers\ProviderReasonCodes;
|
||||
use App\Support\Providers\ProviderVerificationStatus;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Facades\Filament;
|
||||
use Livewire\Livewire;
|
||||
|
||||
function productKnowledgeTenantSupportDiagnosticsComponent(User $user, Tenant $tenant): \Livewire\Features\SupportTesting\Testable
|
||||
{
|
||||
test()->actingAs($user);
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
||||
setTenantPanelContext($tenant);
|
||||
|
||||
return Livewire::actingAs($user)->test(TenantDashboard::class);
|
||||
}
|
||||
|
||||
function productKnowledgeOperationSupportDiagnosticsComponent(User $user, OperationRun $run): \Livewire\Features\SupportTesting\Testable
|
||||
{
|
||||
test()->actingAs($user);
|
||||
Filament::setTenant(null, true);
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $run->workspace_id);
|
||||
|
||||
return Livewire::actingAs($user)->test(TenantlessOperationRunViewer::class, ['run' => $run]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{0: User, 1: Tenant, 2: OperationRun}
|
||||
*/
|
||||
function createProductKnowledgeSupportDiagnosticScenario(string $state): array
|
||||
{
|
||||
$tenant = Tenant::factory()->create(['name' => 'Contoso Support Tenant']);
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'operator');
|
||||
|
||||
$reasonCode = match ($state) {
|
||||
'admin_consent' => ProviderReasonCodes::ProviderConsentMissing,
|
||||
'required_permissions' => ProviderReasonCodes::ProviderPermissionMissing,
|
||||
'connection_unhealthy' => ProviderReasonCodes::ProviderAuthFailed,
|
||||
'retryable_provider_failure' => ProviderReasonCodes::RateLimited,
|
||||
'manual_handoff_required' => ProviderReasonCodes::UnknownError,
|
||||
default => null,
|
||||
};
|
||||
|
||||
$connection = $reasonCode !== null
|
||||
? ProviderConnection::factory()->withCredential()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'display_name' => 'Contoso Microsoft connection',
|
||||
'verification_status' => $reasonCode === ProviderReasonCodes::UnknownError
|
||||
? ProviderVerificationStatus::Blocked->value
|
||||
: ProviderVerificationStatus::Healthy->value,
|
||||
'last_error_reason_code' => $reasonCode,
|
||||
'last_health_check_at' => now()->subMinutes(15),
|
||||
])
|
||||
: null;
|
||||
|
||||
$runOutcome = match ($state) {
|
||||
'verification_failed', 'manual_handoff_required' => OperationRunOutcome::Failed->value,
|
||||
default => OperationRunOutcome::Succeeded->value,
|
||||
};
|
||||
|
||||
$failureSummary = match ($state) {
|
||||
'verification_failed' => [[
|
||||
'message' => 'The operation failed and needs follow-up.',
|
||||
]],
|
||||
'manual_handoff_required' => [[
|
||||
'message' => 'A human support handoff is required for the next step.',
|
||||
'reason_code' => ProviderReasonCodes::UnknownError,
|
||||
]],
|
||||
default => [],
|
||||
};
|
||||
|
||||
$context = [];
|
||||
|
||||
if ($connection instanceof ProviderConnection) {
|
||||
$context['provider_connection_id'] = (int) $connection->getKey();
|
||||
}
|
||||
|
||||
$run = OperationRun::factory()
|
||||
->forTenant($tenant)
|
||||
->create([
|
||||
'type' => OperationRunType::BaselineCompare->value,
|
||||
'status' => OperationRunStatus::Completed->value,
|
||||
'outcome' => $runOutcome,
|
||||
'summary_counts' => [
|
||||
'total' => 0,
|
||||
'processed' => 0,
|
||||
],
|
||||
'context' => $context,
|
||||
'failure_summary' => $failureSummary,
|
||||
'completed_at' => now()->subMinutes(10),
|
||||
]);
|
||||
|
||||
return [$user, $tenant, $run];
|
||||
}
|
||||
|
||||
it('renders shared product knowledge in tenant support diagnostics', function (
|
||||
string $state,
|
||||
string $headline,
|
||||
string $safeNextAction,
|
||||
?string $linkLabel,
|
||||
): void {
|
||||
[$user, $tenant] = createProductKnowledgeSupportDiagnosticScenario($state);
|
||||
|
||||
$component = productKnowledgeTenantSupportDiagnosticsComponent($user, $tenant);
|
||||
|
||||
$component->mountAction('openSupportDiagnostics')
|
||||
->assertMountedActionModalSee('Contextual help')
|
||||
->assertMountedActionModalSee($headline)
|
||||
->assertMountedActionModalSee($safeNextAction);
|
||||
|
||||
if ($linkLabel !== null) {
|
||||
$component->assertMountedActionModalSee($linkLabel);
|
||||
}
|
||||
})->with([
|
||||
'tenant admin consent required' => ['admin_consent', 'Admin consent required', 'Grant admin consent and re-run verification.', 'Grant admin consent'],
|
||||
'tenant required permissions missing' => ['required_permissions', 'Required permissions missing', 'Open required permissions and confirm the missing grants.', 'Open required permissions'],
|
||||
'tenant connection unhealthy' => ['connection_unhealthy', 'Provider connection needs review', 'Review the provider connection before retrying.', null],
|
||||
'tenant verification failed' => ['verification_failed', 'Verification failed', 'Review the blocking reason and retry verification.', null],
|
||||
'tenant diagnostic evidence incomplete' => ['diagnostic_evidence_incomplete', 'Diagnostic evidence is incomplete', 'Collect a fresher or more complete diagnostic signal.', null],
|
||||
'tenant retryable provider failure' => ['retryable_provider_failure', 'Provider failure looks retryable', 'Retry after the provider dependency recovers.', null],
|
||||
'tenant manual handoff required' => ['manual_handoff_required', 'Manual support handoff required', 'Hand off the case with the current diagnostic summary and supporting references.', null],
|
||||
]);
|
||||
|
||||
it('renders shared product knowledge in operation support diagnostics', function (
|
||||
string $state,
|
||||
string $headline,
|
||||
string $safeNextAction,
|
||||
?string $linkLabel,
|
||||
): void {
|
||||
[$user, , $run] = createProductKnowledgeSupportDiagnosticScenario($state);
|
||||
|
||||
$component = productKnowledgeOperationSupportDiagnosticsComponent($user, $run);
|
||||
|
||||
$component->mountAction('openSupportDiagnostics')
|
||||
->assertMountedActionModalSee('Contextual help')
|
||||
->assertMountedActionModalSee($headline)
|
||||
->assertMountedActionModalSee($safeNextAction);
|
||||
|
||||
if ($linkLabel !== null) {
|
||||
$component->assertMountedActionModalSee($linkLabel);
|
||||
}
|
||||
})->with([
|
||||
'operation admin consent required' => ['admin_consent', 'Admin consent required', 'Grant admin consent and re-run verification.', 'Grant admin consent'],
|
||||
'operation required permissions missing' => ['required_permissions', 'Required permissions missing', 'Open required permissions and confirm the missing grants.', 'Open required permissions'],
|
||||
'operation connection unhealthy' => ['connection_unhealthy', 'Provider connection needs review', 'Review the provider connection before retrying.', null],
|
||||
'operation verification failed' => ['verification_failed', 'Verification failed', 'Review the blocking reason and retry verification.', null],
|
||||
'operation diagnostic evidence incomplete' => ['diagnostic_evidence_incomplete', 'Diagnostic evidence is incomplete', 'Collect a fresher or more complete diagnostic signal.', null],
|
||||
'operation retryable provider failure' => ['retryable_provider_failure', 'Provider failure looks retryable', 'Retry after the provider dependency recovers.', null],
|
||||
'operation manual handoff required' => ['manual_handoff_required', 'Manual support handoff required', 'Hand off the case with the current diagnostic summary and supporting references.', null],
|
||||
]);
|
||||
@ -1,166 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Operations\TenantlessOperationRunViewer;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\SupportRequest;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Models\WorkspaceMembership;
|
||||
use App\Support\OperationRunLinks;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\OperationRunType;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Actions\ActionGroup;
|
||||
use Filament\Facades\Filament;
|
||||
use Livewire\Livewire;
|
||||
|
||||
uses(\Illuminate\Foundation\Testing\RefreshDatabase::class);
|
||||
|
||||
function operationSupportRequestComponent(User $user, OperationRun $run): \Livewire\Features\SupportTesting\Testable
|
||||
{
|
||||
test()->actingAs($user);
|
||||
Filament::setTenant(null, true);
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $run->workspace_id);
|
||||
|
||||
return Livewire::actingAs($user)->test(TenantlessOperationRunViewer::class, ['run' => $run]);
|
||||
}
|
||||
|
||||
function operationSupportRequestHeaderActions(\Livewire\Features\SupportTesting\Testable $component): array
|
||||
{
|
||||
$instance = $component->instance();
|
||||
|
||||
if ($instance->getCachedHeaderActions() === []) {
|
||||
$instance->cacheInteractsWithHeaderActions();
|
||||
}
|
||||
|
||||
return $instance->getCachedHeaderActions();
|
||||
}
|
||||
|
||||
function operationSupportRequestHeaderPrimaryNames(\Livewire\Features\SupportTesting\Testable $component): array
|
||||
{
|
||||
return collect(operationSupportRequestHeaderActions($component))
|
||||
->reject(static fn ($action): bool => $action instanceof ActionGroup)
|
||||
->map(static fn ($action): ?string => $action instanceof Action ? $action->getName() : null)
|
||||
->filter()
|
||||
->values()
|
||||
->all();
|
||||
}
|
||||
|
||||
function operationSupportRequestHeaderMoreActionNames(\Livewire\Features\SupportTesting\Testable $component): array
|
||||
{
|
||||
$moreGroup = collect(operationSupportRequestHeaderActions($component))
|
||||
->first(static fn ($action): bool => $action instanceof ActionGroup && $action->getLabel() === 'More');
|
||||
|
||||
return collect($moreGroup?->getActions() ?? [])
|
||||
->map(static fn ($action): ?string => $action instanceof Action ? $action->getName() : null)
|
||||
->filter()
|
||||
->values()
|
||||
->all();
|
||||
}
|
||||
|
||||
function operationSupportRequestHeaderMoreAction(\Livewire\Features\SupportTesting\Testable $component, string $name): ?Action
|
||||
{
|
||||
$moreGroup = collect(operationSupportRequestHeaderActions($component))
|
||||
->first(static fn ($action): bool => $action instanceof ActionGroup && $action->getLabel() === 'More');
|
||||
|
||||
$action = collect($moreGroup?->getActions() ?? [])
|
||||
->first(static fn ($action): bool => $action instanceof Action && $action->getName() === $name);
|
||||
|
||||
return $action instanceof Action ? $action : null;
|
||||
}
|
||||
|
||||
it('creates a run-scoped support request from the tenantless operation viewer', function (): void {
|
||||
$tenant = Tenant::factory()->create(['name' => 'Contoso Support Tenant']);
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'operator');
|
||||
|
||||
$run = OperationRun::factory()
|
||||
->forTenant($tenant)
|
||||
->create([
|
||||
'type' => OperationRunType::BaselineCompare->value,
|
||||
'status' => OperationRunStatus::Completed->value,
|
||||
'outcome' => OperationRunOutcome::Failed->value,
|
||||
'summary_counts' => [
|
||||
'total' => 0,
|
||||
'processed' => 0,
|
||||
],
|
||||
'failure_summary' => [[
|
||||
'message' => 'Run failed after provider validation.',
|
||||
]],
|
||||
'completed_at' => now()->subMinutes(10),
|
||||
]);
|
||||
|
||||
$component = operationSupportRequestComponent($user, $run);
|
||||
|
||||
expect(operationSupportRequestHeaderPrimaryNames($component))
|
||||
->not->toContain('openSupportDiagnostics')
|
||||
->not->toContain('requestSupport')
|
||||
->and(operationSupportRequestHeaderMoreActionNames($component))
|
||||
->toEqualCanonicalizing(['openSupportDiagnostics', 'requestSupport'])
|
||||
->and(operationSupportRequestHeaderMoreAction($component, 'openSupportDiagnostics')?->isIconButton())
|
||||
->toBeFalse();
|
||||
|
||||
$component
|
||||
->assertActionVisible('openSupportDiagnostics')
|
||||
->assertActionEnabled('openSupportDiagnostics')
|
||||
->assertActionVisible('requestSupport')
|
||||
->assertActionEnabled('requestSupport')
|
||||
->assertActionExists('requestSupport', fn (Action $action): bool => $action->getLabel() === 'Request support')
|
||||
->mountAction('requestSupport')
|
||||
->setActionData([
|
||||
'severity' => SupportRequest::SEVERITY_BLOCKING,
|
||||
'summary' => 'This failed operation needs support escalation.',
|
||||
'reproduction_notes' => 'Open the canonical run detail and submit the request from the grouped secondary action.',
|
||||
])
|
||||
->callMountedAction()
|
||||
->assertHasNoActionErrors()
|
||||
->assertNotified('Support request submitted');
|
||||
|
||||
$supportRequest = SupportRequest::query()->sole();
|
||||
|
||||
expect($supportRequest->internal_reference)->toMatch('/^SR-[0-9A-HJKMNP-TV-Z]{26}$/')
|
||||
->and($supportRequest->workspace_id)->toBe((int) $tenant->workspace_id)
|
||||
->and($supportRequest->tenant_id)->toBe((int) $tenant->getKey())
|
||||
->and($supportRequest->initiated_by_user_id)->toBe((int) $user->getKey())
|
||||
->and($supportRequest->primary_context_type)->toBe(SupportRequest::PRIMARY_CONTEXT_OPERATION_RUN)
|
||||
->and($supportRequest->operation_run_id)->toBe((int) $run->getKey())
|
||||
->and($supportRequest->attachment_mode)->toBe(SupportRequest::ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED)
|
||||
->and($supportRequest->severity)->toBe(SupportRequest::SEVERITY_BLOCKING)
|
||||
->and($supportRequest->summary)->toBe('This failed operation needs support escalation.')
|
||||
->and(data_get($supportRequest->context_envelope, 'primary_context.type'))->toBe('operation_run')
|
||||
->and(data_get($supportRequest->context_envelope, 'primary_context.operation_run_id'))->toBe((int) $run->getKey())
|
||||
->and(data_get($supportRequest->context_envelope, 'diagnostic_snapshot'))->toBeArray();
|
||||
});
|
||||
|
||||
it('keeps tenantless operation detail deny-as-not-found for workspace members without tenant entitlement', function (): void {
|
||||
$workspace = Workspace::factory()->create();
|
||||
$tenant = Tenant::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
]);
|
||||
|
||||
$user = User::factory()->create();
|
||||
|
||||
WorkspaceMembership::factory()->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'user_id' => (int) $user->getKey(),
|
||||
'role' => 'owner',
|
||||
]);
|
||||
|
||||
$run = OperationRun::factory()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'type' => OperationRunType::BaselineCompare->value,
|
||||
'status' => OperationRunStatus::Completed->value,
|
||||
'outcome' => OperationRunOutcome::Succeeded->value,
|
||||
'completed_at' => now(),
|
||||
]);
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
||||
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
||||
->assertNotFound();
|
||||
});
|
||||
@ -1,204 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Operations\TenantlessOperationRunViewer;
|
||||
use App\Filament\Pages\TenantDashboard;
|
||||
use App\Models\AuditLog;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\ProviderConnection;
|
||||
use App\Models\SupportRequest;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Support\Audit\AuditActionId;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\OperationRunType;
|
||||
use App\Support\Providers\ProviderReasonCodes;
|
||||
use App\Support\Providers\ProviderVerificationStatus;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Facades\Filament;
|
||||
use Livewire\Livewire;
|
||||
|
||||
uses(\Illuminate\Foundation\Testing\RefreshDatabase::class);
|
||||
|
||||
function supportRequestAuditTenantComponent(User $user, Tenant $tenant): \Livewire\Features\SupportTesting\Testable
|
||||
{
|
||||
test()->actingAs($user);
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
||||
setTenantPanelContext($tenant);
|
||||
|
||||
return Livewire::actingAs($user)->test(TenantDashboard::class);
|
||||
}
|
||||
|
||||
function supportRequestAuditOperationComponent(User $user, OperationRun $run): \Livewire\Features\SupportTesting\Testable
|
||||
{
|
||||
test()->actingAs($user);
|
||||
Filament::setTenant(null, true);
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $run->workspace_id);
|
||||
|
||||
return Livewire::actingAs($user)->test(TenantlessOperationRunViewer::class, ['run' => $run]);
|
||||
}
|
||||
|
||||
it('records a redacted audit entry for tenant-scoped support requests', function (): void {
|
||||
$tenant = Tenant::factory()->create(['name' => 'Audit Support Tenant']);
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
||||
|
||||
ProviderConnection::factory()
|
||||
->withCredential()
|
||||
->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'display_name' => 'Audit Microsoft connection',
|
||||
'verification_status' => ProviderVerificationStatus::Blocked->value,
|
||||
'last_error_reason_code' => ProviderReasonCodes::ProviderPermissionMissing,
|
||||
'last_error_message' => 'tenant-provider-secret',
|
||||
]);
|
||||
|
||||
supportRequestAuditTenantComponent($user, $tenant)
|
||||
->mountAction('requestSupport')
|
||||
->setActionData([
|
||||
'severity' => SupportRequest::SEVERITY_HIGH,
|
||||
'summary' => 'Need tenant support audit proof.',
|
||||
])
|
||||
->callMountedAction()
|
||||
->assertHasNoActionErrors();
|
||||
|
||||
$supportRequest = SupportRequest::query()->sole();
|
||||
|
||||
$audit = AuditLog::query()
|
||||
->where('action', AuditActionId::SupportRequestCreated->value)
|
||||
->latest('id')
|
||||
->first();
|
||||
|
||||
expect($audit)->not->toBeNull()
|
||||
->and($audit?->workspace_id)->toBe((int) $tenant->workspace_id)
|
||||
->and($audit?->tenant_id)->toBe((int) $tenant->getKey())
|
||||
->and($audit?->resource_type)->toBe('support_request')
|
||||
->and($audit?->resource_id)->toBe((string) $supportRequest->getKey())
|
||||
->and($audit?->target_label)->toBe($supportRequest->internal_reference)
|
||||
->and($audit?->operation_run_id)->toBeNull()
|
||||
->and(data_get($audit?->metadata, 'internal_reference'))->toBe($supportRequest->internal_reference)
|
||||
->and(data_get($audit?->metadata, 'primary_context_type'))->toBe(SupportRequest::PRIMARY_CONTEXT_TENANT)
|
||||
->and(data_get($audit?->metadata, 'primary_context_id'))->toBe((string) $tenant->getKey())
|
||||
->and(data_get($audit?->metadata, 'attachment_mode'))->toBe(SupportRequest::ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED)
|
||||
->and(data_get($audit?->metadata, 'redaction_mode'))->toBe('default_redacted')
|
||||
->and((string) json_encode($audit?->metadata))->not->toContain('tenant-provider-secret');
|
||||
});
|
||||
|
||||
it('records a redacted audit entry for run-scoped support requests', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'operator');
|
||||
|
||||
$run = OperationRun::factory()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'type' => OperationRunType::BaselineCompare->value,
|
||||
'status' => OperationRunStatus::Completed->value,
|
||||
'outcome' => OperationRunOutcome::Failed->value,
|
||||
'summary_counts' => [
|
||||
'total' => 0,
|
||||
'processed' => 0,
|
||||
],
|
||||
'context' => [
|
||||
'raw_response_body' => 'run-provider-secret',
|
||||
],
|
||||
'failure_summary' => [[
|
||||
'message' => 'Run failed after provider validation.',
|
||||
]],
|
||||
'completed_at' => now(),
|
||||
]);
|
||||
|
||||
supportRequestAuditOperationComponent($user, $run)
|
||||
->mountAction('requestSupport')
|
||||
->setActionData([
|
||||
'severity' => SupportRequest::SEVERITY_BLOCKING,
|
||||
'summary' => 'Need run support audit proof.',
|
||||
])
|
||||
->callMountedAction()
|
||||
->assertHasNoActionErrors();
|
||||
|
||||
$supportRequest = SupportRequest::query()->sole();
|
||||
|
||||
$audit = AuditLog::query()
|
||||
->where('action', AuditActionId::SupportRequestCreated->value)
|
||||
->latest('id')
|
||||
->first();
|
||||
|
||||
expect($audit)->not->toBeNull()
|
||||
->and($audit?->workspace_id)->toBe((int) $tenant->workspace_id)
|
||||
->and($audit?->tenant_id)->toBe((int) $tenant->getKey())
|
||||
->and($audit?->resource_type)->toBe('support_request')
|
||||
->and($audit?->resource_id)->toBe((string) $supportRequest->getKey())
|
||||
->and($audit?->target_label)->toBe($supportRequest->internal_reference)
|
||||
->and($audit?->operation_run_id)->toBe((int) $run->getKey())
|
||||
->and(data_get($audit?->metadata, 'internal_reference'))->toBe($supportRequest->internal_reference)
|
||||
->and(data_get($audit?->metadata, 'primary_context_type'))->toBe(SupportRequest::PRIMARY_CONTEXT_OPERATION_RUN)
|
||||
->and(data_get($audit?->metadata, 'primary_context_id'))->toBe((string) $run->getKey())
|
||||
->and(data_get($audit?->metadata, 'attachment_mode'))->toBe(SupportRequest::ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED)
|
||||
->and(data_get($audit?->metadata, 'redaction_mode'))->toBe('default_redacted')
|
||||
->and((string) json_encode($audit?->metadata))->not->toContain('run-provider-secret');
|
||||
});
|
||||
|
||||
it('creates distinct support references for duplicate submissions without outbound http or operation-run side effects', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'operator');
|
||||
|
||||
$run = OperationRun::factory()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'type' => OperationRunType::BaselineCompare->value,
|
||||
'status' => OperationRunStatus::Completed->value,
|
||||
'outcome' => OperationRunOutcome::Failed->value,
|
||||
'summary_counts' => [
|
||||
'total' => 0,
|
||||
'processed' => 0,
|
||||
],
|
||||
'failure_summary' => [[
|
||||
'message' => 'Run failed after provider validation.',
|
||||
]],
|
||||
'completed_at' => now(),
|
||||
]);
|
||||
|
||||
$component = supportRequestAuditOperationComponent($user, $run);
|
||||
$existingRunCount = OperationRun::query()->count();
|
||||
|
||||
assertNoOutboundHttp(function () use ($component): void {
|
||||
$component
|
||||
->mountAction('requestSupport')
|
||||
->setActionData([
|
||||
'severity' => SupportRequest::SEVERITY_HIGH,
|
||||
'summary' => 'Duplicate run support request.',
|
||||
])
|
||||
->callMountedAction()
|
||||
->assertHasNoActionErrors()
|
||||
->mountAction('requestSupport')
|
||||
->setActionData([
|
||||
'severity' => SupportRequest::SEVERITY_HIGH,
|
||||
'summary' => 'Duplicate run support request.',
|
||||
])
|
||||
->callMountedAction()
|
||||
->assertHasNoActionErrors();
|
||||
});
|
||||
|
||||
$supportRequests = SupportRequest::query()
|
||||
->orderBy('id')
|
||||
->get();
|
||||
|
||||
$auditReferences = AuditLog::query()
|
||||
->where('action', AuditActionId::SupportRequestCreated->value)
|
||||
->orderBy('id')
|
||||
->pluck('target_label');
|
||||
|
||||
expect($supportRequests)->toHaveCount(2)
|
||||
->and($supportRequests->pluck('summary')->all())->toBe([
|
||||
'Duplicate run support request.',
|
||||
'Duplicate run support request.',
|
||||
])
|
||||
->and($supportRequests->pluck('internal_reference')->unique())->toHaveCount(2)
|
||||
->and($supportRequests->pluck('operation_run_id')->unique()->all())->toBe([(int) $run->getKey()])
|
||||
->and($auditReferences->all())->toBe($supportRequests->pluck('internal_reference')->all())
|
||||
->and(OperationRun::query()->count())->toBe($existingRunCount)
|
||||
->and($run->fresh()?->status)->toBe(OperationRunStatus::Completed->value)
|
||||
->and($run->fresh()?->outcome)->toBe(OperationRunOutcome::Failed->value);
|
||||
});
|
||||
@ -1,75 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\Operations\TenantlessOperationRunViewer;
|
||||
use App\Filament\Pages\TenantDashboard;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\SupportRequest;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\OperationRunType;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Facades\Filament;
|
||||
use Livewire\Livewire;
|
||||
|
||||
uses(\Illuminate\Foundation\Testing\RefreshDatabase::class);
|
||||
|
||||
function supportRequestAuthorizationTenantComponent(User $user, Tenant $tenant): \Livewire\Features\SupportTesting\Testable
|
||||
{
|
||||
test()->actingAs($user);
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
||||
setTenantPanelContext($tenant);
|
||||
|
||||
return Livewire::actingAs($user)->test(TenantDashboard::class);
|
||||
}
|
||||
|
||||
function supportRequestAuthorizationOperationComponent(User $user, OperationRun $run): \Livewire\Features\SupportTesting\Testable
|
||||
{
|
||||
test()->actingAs($user);
|
||||
Filament::setTenant(null, true);
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $run->workspace_id);
|
||||
|
||||
return Livewire::actingAs($user)->test(TenantlessOperationRunViewer::class, ['run' => $run]);
|
||||
}
|
||||
|
||||
it('returns forbidden for entitled tenant members without support request capability', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
||||
|
||||
supportRequestAuthorizationTenantComponent($user, $tenant)
|
||||
->assertActionVisible('requestSupport')
|
||||
->assertActionDisabled('requestSupport')
|
||||
->call('authorizeTenantSupportRequest')
|
||||
->assertForbidden();
|
||||
|
||||
expect(SupportRequest::query()->count())->toBe(0);
|
||||
});
|
||||
|
||||
it('returns forbidden for entitled run viewers without support request capability', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
||||
|
||||
$run = OperationRun::factory()->create([
|
||||
'tenant_id' => (int) $tenant->getKey(),
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'type' => OperationRunType::BaselineCompare->value,
|
||||
'status' => OperationRunStatus::Completed->value,
|
||||
'outcome' => OperationRunOutcome::Succeeded->value,
|
||||
'summary_counts' => [
|
||||
'total' => 0,
|
||||
'processed' => 0,
|
||||
],
|
||||
'completed_at' => now(),
|
||||
]);
|
||||
|
||||
supportRequestAuthorizationOperationComponent($user, $run)
|
||||
->assertActionVisible('requestSupport')
|
||||
->assertActionDisabled('requestSupport')
|
||||
->call('authorizeOperationRunSupportRequest')
|
||||
->assertForbidden();
|
||||
|
||||
expect(SupportRequest::query()->count())->toBe(0);
|
||||
});
|
||||
@ -1,137 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\Pages\TenantDashboard;
|
||||
use App\Models\SupportRequest;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Models\WorkspaceMembership;
|
||||
use App\Services\Auth\CapabilityResolver;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Actions\Action;
|
||||
use Livewire\Livewire;
|
||||
|
||||
use function Pest\Laravel\mock;
|
||||
|
||||
uses(\Illuminate\Foundation\Testing\RefreshDatabase::class);
|
||||
|
||||
function tenantSupportRequestComponent(User $user, Tenant $tenant): \Livewire\Features\SupportTesting\Testable
|
||||
{
|
||||
test()->actingAs($user);
|
||||
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
||||
setTenantPanelContext($tenant);
|
||||
|
||||
return Livewire::actingAs($user)->test(TenantDashboard::class);
|
||||
}
|
||||
|
||||
it('creates a tenant support request from the dashboard', function (): void {
|
||||
$tenant = Tenant::factory()->create(['name' => 'Contoso Support Tenant']);
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
||||
|
||||
tenantSupportRequestComponent($user, $tenant)
|
||||
->assertActionVisible('requestSupport')
|
||||
->assertActionEnabled('requestSupport')
|
||||
->assertActionExists('requestSupport', fn (Action $action): bool => $action->getLabel() === 'Request support')
|
||||
->mountAction('requestSupport')
|
||||
->setActionData([
|
||||
'severity' => SupportRequest::SEVERITY_HIGH,
|
||||
'summary' => 'Policy sync failed after the latest tenant refresh.',
|
||||
'reproduction_notes' => 'Open the tenant dashboard after a failed sync and request support from the header action.',
|
||||
'contact_name' => 'Ops On Call',
|
||||
'contact_email' => 'ops@example.test',
|
||||
])
|
||||
->callMountedAction()
|
||||
->assertHasNoActionErrors()
|
||||
->assertNotified('Support request submitted');
|
||||
|
||||
$supportRequest = SupportRequest::query()->sole();
|
||||
|
||||
expect($supportRequest->internal_reference)->toMatch('/^SR-[0-9A-HJKMNP-TV-Z]{26}$/')
|
||||
->and($supportRequest->workspace_id)->toBe((int) $tenant->workspace_id)
|
||||
->and($supportRequest->tenant_id)->toBe((int) $tenant->getKey())
|
||||
->and($supportRequest->initiated_by_user_id)->toBe((int) $user->getKey())
|
||||
->and($supportRequest->primary_context_type)->toBe(SupportRequest::PRIMARY_CONTEXT_TENANT)
|
||||
->and($supportRequest->operation_run_id)->toBeNull()
|
||||
->and($supportRequest->attachment_mode)->toBe(SupportRequest::ATTACHMENT_MODE_DIAGNOSTIC_SNAPSHOT_ATTACHED)
|
||||
->and($supportRequest->severity)->toBe(SupportRequest::SEVERITY_HIGH)
|
||||
->and($supportRequest->summary)->toBe('Policy sync failed after the latest tenant refresh.')
|
||||
->and($supportRequest->reproduction_notes)->toContain('failed sync')
|
||||
->and($supportRequest->contact_name)->toBe('Ops On Call')
|
||||
->and($supportRequest->contact_email)->toBe('ops@example.test')
|
||||
->and(data_get($supportRequest->context_envelope, 'primary_context.type'))->toBe('tenant')
|
||||
->and(data_get($supportRequest->context_envelope, 'primary_context.tenant_id'))->toBe((int) $tenant->getKey())
|
||||
->and(data_get($supportRequest->context_envelope, 'diagnostic_snapshot'))->toBeArray();
|
||||
});
|
||||
|
||||
it('stores canonical context only when the creator cannot view support diagnostics', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
||||
|
||||
mock(CapabilityResolver::class, function ($mock) use ($tenant): void {
|
||||
$mock->shouldReceive('primeMemberships')->andReturnNull();
|
||||
$mock->shouldReceive('isMember')
|
||||
->andReturnUsing(static fn ($user, Tenant $resolvedTenant): bool => (int) $resolvedTenant->getKey() === (int) $tenant->getKey());
|
||||
|
||||
$mock->shouldReceive('can')
|
||||
->andReturnUsing(static function ($user, Tenant $resolvedTenant, string $capability) use ($tenant): bool {
|
||||
expect((int) $resolvedTenant->getKey())->toBe((int) $tenant->getKey());
|
||||
|
||||
return match ($capability) {
|
||||
Capabilities::SUPPORT_REQUESTS_CREATE => true,
|
||||
Capabilities::SUPPORT_DIAGNOSTICS_VIEW => false,
|
||||
default => true,
|
||||
};
|
||||
});
|
||||
});
|
||||
|
||||
tenantSupportRequestComponent($user, $tenant)
|
||||
->assertActionVisible('requestSupport')
|
||||
->assertActionEnabled('requestSupport')
|
||||
->mountAction('requestSupport')
|
||||
->setActionData([
|
||||
'summary' => 'Need help reviewing the latest tenant support context.',
|
||||
])
|
||||
->callMountedAction()
|
||||
->assertHasNoActionErrors()
|
||||
->assertNotified('Support request submitted');
|
||||
|
||||
$supportRequest = SupportRequest::query()->sole();
|
||||
|
||||
expect($supportRequest->severity)->toBe(SupportRequest::SEVERITY_NORMAL)
|
||||
->and($supportRequest->contact_name)->toBe($user->name)
|
||||
->and($supportRequest->contact_email)->toBe($user->email)
|
||||
->and($supportRequest->attachment_mode)->toBe(SupportRequest::ATTACHMENT_MODE_CANONICAL_CONTEXT_ONLY)
|
||||
->and(data_get($supportRequest->context_envelope, 'diagnostic_snapshot'))->toBeNull()
|
||||
->and(data_get($supportRequest->context_envelope, 'omissions.0.reason'))->toBe('omitted_without_support_diagnostics_view');
|
||||
});
|
||||
|
||||
it('keeps tenant dashboard support requests deny-as-not-found for workspace members without tenant entitlement', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
$user = User::factory()->create();
|
||||
|
||||
WorkspaceMembership::factory()->create([
|
||||
'workspace_id' => (int) $tenant->workspace_id,
|
||||
'user_id' => (int) $user->getKey(),
|
||||
'role' => 'operator',
|
||||
]);
|
||||
|
||||
$this->actingAs($user)
|
||||
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
||||
->get(TenantDashboard::getUrl(panel: 'tenant', tenant: $tenant))
|
||||
->assertNotFound();
|
||||
});
|
||||
|
||||
it('returns forbidden for entitled tenant members without support request capability', function (): void {
|
||||
$tenant = Tenant::factory()->create();
|
||||
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
||||
|
||||
tenantSupportRequestComponent($user, $tenant)
|
||||
->assertActionVisible('requestSupport')
|
||||
->assertActionDisabled('requestSupport')
|
||||
->call('authorizeTenantSupportRequest')
|
||||
->assertForbidden();
|
||||
|
||||
expect(SupportRequest::query()->count())->toBe(0);
|
||||
});
|
||||
@ -1,171 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Filament\System\Pages\Dashboard;
|
||||
use App\Filament\System\Widgets\CustomerHealthKpis;
|
||||
use App\Filament\System\Widgets\CustomerHealthTopWorkspaces;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\PlatformUser;
|
||||
use App\Models\ProviderConnection;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\Workspace;
|
||||
use App\Support\Auth\PlatformCapabilities;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\Providers\ProviderConsentStatus;
|
||||
use App\Support\Providers\ProviderVerificationStatus;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
|
||||
uses(RefreshDatabase::class);
|
||||
|
||||
beforeEach(function (): void {
|
||||
Filament::setCurrentPanel('system');
|
||||
Filament::bootCurrentPanel();
|
||||
});
|
||||
|
||||
it('shows customer health widgets to authorized system users', function (): void {
|
||||
$user = PlatformUser::factory()->create([
|
||||
'capabilities' => [
|
||||
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
||||
PlatformCapabilities::CONSOLE_VIEW,
|
||||
PlatformCapabilities::DIRECTORY_VIEW,
|
||||
],
|
||||
'is_active' => true,
|
||||
]);
|
||||
|
||||
$this->actingAs($user, 'platform')
|
||||
->get(Dashboard::getUrl(panel: 'system'))
|
||||
->assertSuccessful()
|
||||
->assertSeeLivewire(CustomerHealthKpis::class)
|
||||
->assertSeeLivewire(CustomerHealthTopWorkspaces::class);
|
||||
});
|
||||
|
||||
it('keeps the attention-needed widget hidden when no linked system detail surface is accessible', function (): void {
|
||||
$user = PlatformUser::factory()->create([
|
||||
'capabilities' => [
|
||||
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
||||
PlatformCapabilities::CONSOLE_VIEW,
|
||||
],
|
||||
'is_active' => true,
|
||||
]);
|
||||
|
||||
$this->actingAs($user, 'platform')
|
||||
->get(Dashboard::getUrl(panel: 'system'))
|
||||
->assertSuccessful()
|
||||
->assertSeeLivewire(CustomerHealthKpis::class)
|
||||
->assertDontSeeLivewire(CustomerHealthTopWorkspaces::class);
|
||||
});
|
||||
|
||||
it('shows the attention-needed widget to operations-only users when operational rows are accessible', function (): void {
|
||||
seedOperationalAttentionWorkspace('Ops Only Workspace');
|
||||
|
||||
$user = PlatformUser::factory()->create([
|
||||
'capabilities' => [
|
||||
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
||||
PlatformCapabilities::CONSOLE_VIEW,
|
||||
PlatformCapabilities::OPERATIONS_VIEW,
|
||||
],
|
||||
'is_active' => true,
|
||||
]);
|
||||
|
||||
$this->actingAs($user, 'platform')
|
||||
->get(Dashboard::getUrl(panel: 'system'))
|
||||
->assertSuccessful()
|
||||
->assertSeeLivewire(CustomerHealthKpis::class)
|
||||
->assertSeeLivewire(CustomerHealthTopWorkspaces::class);
|
||||
});
|
||||
|
||||
it('shows the attention-needed widget to ops and runbooks users when operational rows are accessible', function (): void {
|
||||
seedOperationalAttentionWorkspace('Runbooks Ops Workspace');
|
||||
|
||||
$user = PlatformUser::factory()->create([
|
||||
'capabilities' => [
|
||||
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
||||
PlatformCapabilities::CONSOLE_VIEW,
|
||||
PlatformCapabilities::OPS_VIEW,
|
||||
PlatformCapabilities::RUNBOOKS_VIEW,
|
||||
],
|
||||
'is_active' => true,
|
||||
]);
|
||||
|
||||
$this->actingAs($user, 'platform')
|
||||
->get(Dashboard::getUrl(panel: 'system'))
|
||||
->assertSuccessful()
|
||||
->assertSeeLivewire(CustomerHealthKpis::class)
|
||||
->assertSeeLivewire(CustomerHealthTopWorkspaces::class);
|
||||
});
|
||||
|
||||
it('filters directory-only attention rows out for operations-only users', function (): void {
|
||||
seedOperationalAttentionWorkspace('Accessible Ops Workspace');
|
||||
seedProviderAttentionWorkspace('Directory Only Workspace');
|
||||
|
||||
$user = PlatformUser::factory()->create([
|
||||
'capabilities' => [
|
||||
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
||||
PlatformCapabilities::CONSOLE_VIEW,
|
||||
PlatformCapabilities::OPERATIONS_VIEW,
|
||||
],
|
||||
'is_active' => true,
|
||||
]);
|
||||
|
||||
$this->actingAs($user, 'platform')
|
||||
->get(Dashboard::getUrl(panel: 'system'))
|
||||
->assertSuccessful()
|
||||
->assertSeeLivewire(CustomerHealthKpis::class)
|
||||
->assertSeeLivewire(CustomerHealthTopWorkspaces::class)
|
||||
->assertSee('Accessible Ops Workspace')
|
||||
->assertDontSee('Directory Only Workspace');
|
||||
});
|
||||
|
||||
it('forbids customer health widgets when system dashboard access is denied', function (): void {
|
||||
$user = PlatformUser::factory()->create([
|
||||
'capabilities' => [
|
||||
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
||||
],
|
||||
'is_active' => true,
|
||||
]);
|
||||
|
||||
$this->actingAs($user, 'platform')
|
||||
->get(Dashboard::getUrl(panel: 'system'))
|
||||
->assertForbidden();
|
||||
});
|
||||
|
||||
function seedOperationalAttentionWorkspace(string $workspaceName): void
|
||||
{
|
||||
$workspace = Workspace::factory()->create(['name' => $workspaceName]);
|
||||
$tenant = Tenant::factory()->for($workspace)->create([
|
||||
'name' => $workspaceName.' Tenant',
|
||||
'status' => Tenant::STATUS_ACTIVE,
|
||||
]);
|
||||
|
||||
OperationRun::factory()
|
||||
->forTenant($tenant)
|
||||
->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'status' => OperationRunStatus::Queued->value,
|
||||
'outcome' => OperationRunOutcome::Pending->value,
|
||||
'created_at' => now()->subHours(2),
|
||||
'started_at' => null,
|
||||
]);
|
||||
}
|
||||
|
||||
function seedProviderAttentionWorkspace(string $workspaceName): void
|
||||
{
|
||||
$workspace = Workspace::factory()->create(['name' => $workspaceName]);
|
||||
$tenant = Tenant::factory()->for($workspace)->create([
|
||||
'name' => $workspaceName.' Tenant',
|
||||
'status' => Tenant::STATUS_ACTIVE,
|
||||
]);
|
||||
|
||||
ProviderConnection::factory()
|
||||
->for($tenant)
|
||||
->create([
|
||||
'workspace_id' => (int) $workspace->getKey(),
|
||||
'is_default' => true,
|
||||
'is_enabled' => true,
|
||||
'consent_status' => ProviderConsentStatus::Granted->value,
|
||||
'verification_status' => ProviderVerificationStatus::Blocked->value,
|
||||
]);
|
||||
}
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user