ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: ahmido:dev
Branches Tags
ahmido:dev
ahmido:084-verification-surfaces-unification
ahmido:083-required-permissions-hardening
ahmido:082-action-surface-contract
ahmido:chore/spec-kit-action-surface-contract
ahmido:081-provider-connection-cutover
ahmido:080-workspace-managed-tenant-admin
ahmido:079-inventory-links-non-uuid-ids
ahmido:078-operations-tenantless-canonical
ahmido:077-workspace-nav-monitoring-hub
ahmido:076-permissions-enterprise-ui
ahmido:075-verification-v1_5
ahmido:073-unified-managed-tenant-onboarding-wizard
ahmido:feat/072-managed-tenants-workspace-enforcement
ahmido:feat/999-merge-integration-session-1769990000
ahmido:069-tenant-onboarding-wizard-v2-session-1769905221
ahmido:069-managed-tenant-onboarding-wizard-session-1769903080
ahmido:068-workspaces-v2
ahmido:068-workspace-foundation-v1
ahmido:067-rbac-troubleshooting
ahmido:feat/066-rbac-ui-enforcement-helper-v2
ahmido:spec/066-rbac-ui-enforcement-helper-v2
ahmido:066-rbac-ui-enforcement-helper
ahmido:dev-session-1769637808
ahmido:065-tenant-rbac-v1
ahmido:dev-session-1769551498
ahmido:064-auth-structure
ahmido:063-entra-signin
ahmido:061-provider-foundation
ahmido:060-tag-badge-catalog
ahmido:059-unified-badges
ahmido:058-tenant-ui-polish
ahmido:feat/057-filament-v5-upgrade
ahmido:057-filament-v5-upgrade
ahmido:feat/053-unify-runs-monitoring
ahmido:feat/052-async-add-policies
ahmido:feat/044-drift-mvp
ahmido:051-entra-group-directory-cache
ahmido:feat/049-backup-restore-job-orchestration
ahmido:feat/048-backup-restore-ui-graph-safety
ahmido:feat/000-specify-deprecate
ahmido:feat/047-inventory-foundations-nodes
ahmido:feat/042-inventory-dependencies-graph
ahmido:046-inventory-sync-button
ahmido:feat/045-settingscatalog-classification
ahmido:fix/sail-node-modules-volume
ahmido:fix/pest-uses-cleanup
ahmido:feat/041-inventory-ui
ahmido:feat/040-inventory-core
ahmido:chore/docs-constitution-v1.1.0
ahmido:chore/solo-copilot-workflow
ahmido:feat/011-restore-run-wizard
ahmido:feat/011-restore-run-wizard-session-1767749508
ahmido:feat/011-restore-run-wizard-session-1767749319
ahmido:feat/032-backup-scheduling-mvp
ahmido:fix/032-manual-dispatch-unique-violation-session-1767604982
ahmido:feat/032-next-run-schedule-timezone-session-1767604322
ahmido:feat/032-backup-scheduling-mvp-session-1767583912
ahmido:feat/031-tenant-portfolio-context-switch
ahmido:feat/027-enrollment-config-subtypes
ahmido:feat/024-terms-and-conditions
ahmido:feat/026-custom-compliance-scripts
ahmido:spec/024-additional-intune-types
ahmido:feat/018-driver-updates-wufb
ahmido:feat/023-endpoint-security-restore-into-dev
ahmido:feat/023-endpoint-security-restore
ahmido:feat/017-policy-types-mam-endpoint-security-baselines
ahmido:016-backup-version-reuse
ahmido:015-policy-picker-ux
ahmido:014-enrollment-autopilot
ahmido:014-enrollment-autopilot-session-1767305003
ahmido:013-scripts-management
ahmido:feat/012-windows-update-rings
ahmido:feat/011-restore-run-wizard-session-1767185846
ahmido:feat/010-admin-templates
ahmido:feat/009-app-protection-policy
ahmido:feat/008-apps-app-management
ahmido:feat/007-device-config-compliance
ahmido:spec/007-008-workload-specs
ahmido:feat/005-bulk-operations
ahmido:feat/004-assignments-scope-tags
..
compare: ahmido:083-required-permissions-hardening
Branches Tags
ahmido:dev
ahmido:084-verification-surfaces-unification
ahmido:083-required-permissions-hardening
ahmido:082-action-surface-contract
ahmido:chore/spec-kit-action-surface-contract
ahmido:081-provider-connection-cutover
ahmido:080-workspace-managed-tenant-admin
ahmido:079-inventory-links-non-uuid-ids
ahmido:078-operations-tenantless-canonical
ahmido:077-workspace-nav-monitoring-hub
ahmido:076-permissions-enterprise-ui
ahmido:075-verification-v1_5
ahmido:073-unified-managed-tenant-onboarding-wizard
ahmido:feat/072-managed-tenants-workspace-enforcement
ahmido:feat/999-merge-integration-session-1769990000
ahmido:069-tenant-onboarding-wizard-v2-session-1769905221
ahmido:069-managed-tenant-onboarding-wizard-session-1769903080
ahmido:068-workspaces-v2
ahmido:068-workspace-foundation-v1
ahmido:067-rbac-troubleshooting
ahmido:feat/066-rbac-ui-enforcement-helper-v2
ahmido:spec/066-rbac-ui-enforcement-helper-v2
ahmido:066-rbac-ui-enforcement-helper
ahmido:dev-session-1769637808
ahmido:065-tenant-rbac-v1
ahmido:dev-session-1769551498
ahmido:064-auth-structure
ahmido:063-entra-signin
ahmido:061-provider-foundation
ahmido:060-tag-badge-catalog
ahmido:059-unified-badges
ahmido:058-tenant-ui-polish
ahmido:feat/057-filament-v5-upgrade
ahmido:057-filament-v5-upgrade
ahmido:feat/053-unify-runs-monitoring
ahmido:feat/052-async-add-policies
ahmido:feat/044-drift-mvp
ahmido:051-entra-group-directory-cache
ahmido:feat/049-backup-restore-job-orchestration
ahmido:feat/048-backup-restore-ui-graph-safety
ahmido:feat/000-specify-deprecate
ahmido:feat/047-inventory-foundations-nodes
ahmido:feat/042-inventory-dependencies-graph
ahmido:046-inventory-sync-button
ahmido:feat/045-settingscatalog-classification
ahmido:fix/sail-node-modules-volume
ahmido:fix/pest-uses-cleanup
ahmido:feat/041-inventory-ui
ahmido:feat/040-inventory-core
ahmido:chore/docs-constitution-v1.1.0
ahmido:chore/solo-copilot-workflow
ahmido:feat/011-restore-run-wizard
ahmido:feat/011-restore-run-wizard-session-1767749508
ahmido:feat/011-restore-run-wizard-session-1767749319
ahmido:feat/032-backup-scheduling-mvp
ahmido:fix/032-manual-dispatch-unique-violation-session-1767604982
ahmido:feat/032-next-run-schedule-timezone-session-1767604322
ahmido:feat/032-backup-scheduling-mvp-session-1767583912
ahmido:feat/031-tenant-portfolio-context-switch
ahmido:feat/027-enrollment-config-subtypes
ahmido:feat/024-terms-and-conditions
ahmido:feat/026-custom-compliance-scripts
ahmido:spec/024-additional-intune-types
ahmido:feat/018-driver-updates-wufb
ahmido:feat/023-endpoint-security-restore-into-dev
ahmido:feat/023-endpoint-security-restore
ahmido:feat/017-policy-types-mam-endpoint-security-baselines
ahmido:016-backup-version-reuse
ahmido:015-policy-picker-ux
ahmido:014-enrollment-autopilot
ahmido:014-enrollment-autopilot-session-1767305003
ahmido:013-scripts-management
ahmido:feat/012-windows-update-rings
ahmido:feat/011-restore-run-wizard-session-1767185846
ahmido:feat/010-admin-templates
ahmido:feat/009-app-protection-policy
ahmido:feat/008-apps-app-management
ahmido:feat/007-device-config-compliance
ahmido:spec/007-008-workload-specs
ahmido:feat/005-bulk-operations
ahmido:feat/004-assignments-scope-tags

4 Commits
dev ... 083-requir

Author SHA1 Message Date
Ahmed Darrazi
3c8f633c4c merge: agent session work 2026-02-08 23:16:38 +01:00
Ahmed Darrazi
b990181bab test: cover required permissions hardening routes and freshness 2026-02-08 23:16:14 +01:00
Ahmed Darrazi
43dff0f2f4 feat: harden canonical required permissions surface and issues-first UX 2026-02-08 23:16:06 +01:00
Ahmed Darrazi
96760c65e6 spec: resolve consistency and acceptance gaps for spec 083 2026-02-08 23:16:01 +01:00
35 changed files with 313 additions and 2258 deletions
Show Stats Expand all files Collapse all files

5
.github/agents/copilot-instructions.md vendored
View File

@ -22,8 +22,6 @@ ## Active Technologies
- PostgreSQL (via Sail) (080-workspace-managed-tenant-admin)
- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Socialite v5 (081-provider-connection-cutover)
- PHP 8.4.x + Laravel 12, Filament v5, Livewire v4 (082-action-surface-contract)
- PHP 8.4 (Laravel 12) + Filament v5 (Livewire v4), Queue/Jobs (Laravel), Microsoft Graph via `GraphClientInterface` (084-verification-surfaces-unification)
- PostgreSQL (JSONB-backed `OperationRun.context`) (084-verification-surfaces-unification)
- PHP 8.4.15 (feat/005-bulk-operations)
@ -43,8 +41,9 @@ ## Code Style
PHP 8.4.15: Follow standard conventions
## Recent Changes
- 084-verification-surfaces-unification: Added PHP 8.4 (Laravel 12) + Filament v5 (Livewire v4), Queue/Jobs (Laravel), Microsoft Graph via `GraphClientInterface`
- 082-action-surface-contract: Added PHP 8.4.x + Laravel 12, Filament v5, Livewire v4
- 081-provider-connection-cutover: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Socialite v5
- 080-workspace-managed-tenant-admin: Added PHP 8.4.15 (Laravel 12) + Filament v5, Livewire v4, Tailwind v4
<!-- MANUAL ADDITIONS START -->

35
.specify/memory/constitution.md
View File

@ -1,14 +1,10 @@
<!--
Sync Impact Report
- Version change: 1.8.0 → 1.8.1
- Version change: 1.7.0 → 1.8.0
- Modified principles:
- Workspace Isolation is Non-negotiable (new core principle)
- Tenant Isolation is Non-negotiable (clarified tenant-plane scope + canonical tenantless views)
- RBAC-UX-002 / RBAC-UX-003 (clarified workspace + tenant membership semantics)
- Filament UI — Action Surface Contract (NON-NEGOTIABLE) (added micro-rules + clarified CI enforcement phrasing)
- Added sections:
- Workspace Isolation is Non-negotiable
- Filament UI — Action Surface Contract (NON-NEGOTIABLE) (added List/Table inspection affordance rule)
- Added sections: None
- Removed sections: None
- Templates requiring updates:
- ✅ .specify/templates/plan-template.md
@ -42,16 +38,9 @@ ### Deterministic Capabilities
- Backup/restore/risk/support flags MUST be derived deterministically from config/contracts via a Capabilities Resolver.
- The resolver output MUST be programmatically testable (snapshot/golden tests) so config changes cannot silently break behavior.
### Workspace Isolation is Non-negotiable
- Workspace membership is an isolation boundary. If the actor is not entitled to the workspace scope, the system MUST respond as
deny-as-not-found (404).
- Workspace is the primary session context. Tenant-scoped routes/resources MUST require an established workspace context.
- Workspace context switching is separate from Filament Tenancy (Managed Tenant switching).
### Tenant Isolation is Non-negotiable
- Every tenant-plane read/write MUST be tenant-scoped.
- Every read/write MUST be tenant-scoped.
- Cross-tenant views (MSP/Platform) MUST be explicit, access-checked, and aggregation-based (no ID-based shortcuts).
- Tenantless canonical views (e.g., Monitoring/Operations) MUST enforce tenant entitlement before revealing records.
- Prefer least-privilege roles/scopes; surface warnings when higher privileges are selected.
- Tenant membership is an isolation boundary. If the actor is not entitled to the tenant scope, the system MUST respond as
deny-as-not-found (404).
@ -78,15 +67,15 @@ ### RBAC & UI Enforcement Standards (RBAC-UX)
- Any missing server-side authorization is a P0 security bug.
RBAC-UX-002 — Deny-as-not-found for non-members
- Tenant and workspace membership (and plane membership) are isolation boundaries.
- If the current actor is not a member of the current workspace OR the current tenant (or otherwise not entitled to the
workspace/tenant scope), the system MUST respond as 404 (deny-as-not-found) for tenant-scoped routes/actions/resources.
- Tenant membership (and plane membership) is an isolation boundary.
- If the current actor is not a member of the current tenant (or otherwise not entitled to the tenant scope), the system MUST
respond as 404 (deny-as-not-found) for tenant-scoped routes/actions/resources.
- This applies to Filament resources/pages under tenant routing (`/admin/t/{tenant}/...`), Global Search results, and all
action endpoints (Livewire calls included).
RBAC-UX-003 — Capability denial is 403 (after membership is established)
- Within an established workspace + tenant scope, missing permissions are authorization failures.
- If the actor is a workspace + tenant member, but lacks the required capability for an action, the server MUST fail with 403.
- Within an established tenant scope, missing permissions are authorization failures.
- If the actor is a tenant member, but lacks the required capability for an action, the server MUST fail with 403.
- The UI may render disabled actions, but the server MUST still enforce 403 on execution.
RBAC-UX-004 — Visible vs disabled UX rule
@ -158,13 +147,11 @@ ### Filament UI — Action Surface Contract (NON-NEGOTIABLE)
- Accepted forms: clickable rows via `recordUrl()` (preferred), a dedicated row “View” action, or a primary linked column.
- Rule: Do NOT render a lone “View” row action button. If View is the only row action, prefer clickable rows.
- View/Detail MUST define Header Actions (Edit + “More” group when applicable).
- View/Detail SHOULD be sectioned (e.g., Infolist Sections / Cards); avoid long ungrouped field lists.
- Create/Edit MUST provide consistent Save/Cancel UX.
Grouping & safety
- Max 2 visible Row Actions (typically View/Edit). Everything else MUST be in an ActionGroup “More”.
- Bulk actions MUST be grouped via BulkActionGroup.
- RelationManagers MUST follow the same action surface rules (grouped row actions, bulk actions where applicable, inspection affordance).
- Destructive actions MUST NOT be primary and MUST require confirmation; typed confirmation MAY be required for large/bulk changes.
- Relevant mutations MUST write an audit log entry.
@ -176,7 +163,7 @@ ### Filament UI — Action Surface Contract (NON-NEGOTIABLE)
Spec / DoD gates
- Every spec MUST include a “UI Action Matrix”.
- A change is not “Done” unless the Action Surface Contract is met OR an explicit exemption exists with documented reason.
- CI MUST run an automated Action Surface Contract check (test suite and/or command) that fails when required surfaces are missing.
- CI MUST enforce the contract (test/command) and block merges on violations.
### Data Minimization & Safe Logging
- Inventory MUST store only metadata + whitelisted `meta_jsonb`.
@ -213,4 +200,4 @@ ### Versioning Policy (SemVer)
- **MINOR**: new principle/section or materially expanded guidance.
- **MAJOR**: removing/redefining principles in a backward-incompatible way.
**Version**: 1.8.1 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-02-09
**Version**: 1.8.0 | **Ratified**: 2026-01-03 | **Last Amended**: 2026-02-08

1
.specify/templates/plan-template.md
View File

@ -36,7 +36,6 @@ ## Constitution Check
- Graph contract path: Graph calls only via `GraphClientInterface` + `config/graph_contracts.php`
- Deterministic capabilities: capability derivation is testable (snapshot/golden tests)
- RBAC-UX: two planes (/admin vs /system) remain separated; cross-plane is 404; non-member tenant access is 404; member-but-missing-capability is 403; authorization checks use Gates/Policies + capability registries (no raw strings, no role-string checks)
- Workspace isolation: non-member workspace access is 404; tenant-plane routes require an established workspace context; workspace context switching is separate from Filament Tenancy
- RBAC-UX: destructive-like actions require `->requiresConfirmation()` and clear warning text
- RBAC-UX: global search is tenant-scoped; non-members get no hints; inaccessible results are treated as not found (404 semantics)
- Tenant isolation: all reads/writes tenant-scoped; cross-tenant views are explicit and access-checked

2
.specify/templates/spec-template.md
View File

@ -86,7 +86,7 @@ ## Requirements *(mandatory)*
- state which authorization plane(s) are involved (tenant `/admin/t/{tenant}` vs platform `/system`),
- ensure any cross-plane access is deny-as-not-found (404),
- explicitly define 404 vs 403 semantics:
- non-member / not entitled to workspace scope OR tenant scope → 404 (deny-as-not-found)
- non-member / not entitled to tenant scope → 404 (deny-as-not-found)
- member but missing capability → 403
- describe how authorization is enforced server-side (Gates/Policies) for every mutation/operation-start/credential change,
- reference the canonical capability registry (no raw capability strings; no role-string checks in feature code),

2
.specify/templates/tasks-template.md
View File

@ -17,7 +17,7 @@ # Tasks: [FEATURE NAME]
**RBAC**: If this feature introduces or changes authorization, tasks MUST include:
- explicit Gate/Policy enforcement for all mutation endpoints/actions,
- explicit 404 vs 403 semantics:
- non-member / not entitled to workspace scope OR tenant scope → 404 (deny-as-not-found)
- non-member / not entitled to tenant scope → 404 (deny-as-not-found)
- member but missing capability → 403,
- capability registry usage (no raw capability strings; no role-string checks in feature code),
- tenant-safe global search scoping (no hints; inaccessible results treated as 404 semantics),

17
app/Filament/Pages/Operations/TenantlessOperationRunViewer.php
View File

@ -8,6 +8,7 @@
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Models\WorkspaceMembership;
use App\Services\Auth\CapabilityResolver;
use App\Support\OperationRunLinks;
use Filament\Actions\Action;
@ -15,7 +16,6 @@
use Filament\Pages\Page;
use Filament\Schemas\Components\EmbeddedSchema;
use Filament\Schemas\Schema;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Str;
class TenantlessOperationRunViewer extends Page
@ -87,7 +87,20 @@ public function mount(OperationRun $run): void
abort(403);
}
Gate::forUser($user)->authorize('view', $run);
$workspaceId = (int) ($run->workspace_id ?? 0);
if ($workspaceId <= 0) {
abort(404);
}
$isMember = WorkspaceMembership::query()
->where('workspace_id', $workspaceId)
->where('user_id', (int) $user->getKey())
->exists();
if (! $isMember) {
abort(404);
}
$this->run = $run->loadMissing(['workspace', 'tenant', 'user']);
}

57
app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php
View File

@ -1436,66 +1436,15 @@ public function startVerification(): void
return;
}
if ($result->status === 'blocked') {
$reasonCode = is_string($result->run->context['reason_code'] ?? null)
? (string) $result->run->context['reason_code']
: 'unknown_error';
$actions = [
Action::make('view_run')
->label('View run')
->url($this->tenantlessOperationRunUrl((int) $result->run->getKey())),
];
$nextSteps = $result->run->context['next_steps'] ?? [];
$nextSteps = is_array($nextSteps) ? $nextSteps : [];
foreach ($nextSteps as $index => $step) {
if (! is_array($step)) {
continue;
}
$label = is_string($step['label'] ?? null) ? trim((string) $step['label']) : '';
$url = is_string($step['url'] ?? null) ? trim((string) $step['url']) : '';
if ($label === '' || $url === '') {
continue;
}
$actions[] = Action::make('next_step_'.$index)
->label($label)
->url($url);
break;
}
Notification::make()
->title('Verification blocked')
->body("Blocked by provider configuration ({$reasonCode}).")
->warning()
->actions($actions)
->send();
return;
}
$notification = Notification::make()
->title($result->status === 'deduped' ? 'Verification already running' : 'Verification started')
->success()
->actions([
Action::make('view_run')
->label('View run')
->url($this->tenantlessOperationRunUrl((int) $result->run->getKey())),
]);
if ($result->status === 'deduped') {
$notification
->body('A verification run is already queued or running.')
->warning();
} else {
$notification->success();
}
$notification->send();
])
->send();
}
public function refreshVerificationStatus(): void

204
app/Filament/Resources/TenantResource.php
View File

@ -15,10 +15,12 @@
use App\Services\Directory\EntraGroupLabelResolver;
use App\Services\Graph\GraphClientInterface;
use App\Services\Intune\AuditLogger;
use App\Services\Intune\RbacHealthService;
use App\Services\Intune\RbacOnboardingService;
use App\Services\Intune\TenantConfigService;
use App\Services\Intune\TenantPermissionService;
use App\Services\OperationRunService;
use App\Services\Operations\BulkSelectionIdentity;
use App\Services\Verification\StartVerification;
use App\Support\Auth\Capabilities;
use App\Support\Auth\UiTooltips;
use App\Support\Badges\BadgeDomain;
@ -469,7 +471,10 @@ public static function table(Table $table): Table
->visible(fn (Tenant $record): bool => $record->isActive())
->action(function (
Tenant $record,
StartVerification $verification,
TenantConfigService $configService,
TenantPermissionService $permissionService,
RbacHealthService $rbacHealthService,
AuditLogger $auditLogger
): void {
$user = auth()->user();
@ -477,108 +482,18 @@ public static function table(Table $table): Table
abort(403);
}
if (! $user->canAccessTenant($record)) {
abort(404);
/** @var CapabilityResolver $resolver */
$resolver = app(CapabilityResolver::class);
if (! $resolver->can($user, $record, Capabilities::TENANT_MANAGE)) {
abort(403);
}
$result = $verification->providerConnectionCheckForTenant(
tenant: $record,
initiator: $user,
extraContext: [
'surface' => [
'kind' => 'tenant_list_row',
],
],
);
$runUrl = OperationRunLinks::tenantlessView($result->run);
if ($result->status === 'scope_busy') {
Notification::make()
->title('Another operation is already running')
->body('Please wait for the active run to finish.')
->warning()
->actions([
Actions\Action::make('view_run')
->label('View run')
->url($runUrl),
])
->send();
return;
}
if ($result->status === 'deduped') {
Notification::make()
->title('Verification already running')
->body('A verification run is already queued or running.')
->warning()
->actions([
Actions\Action::make('view_run')
->label('View run')
->url($runUrl),
])
->send();
return;
}
if ($result->status === 'blocked') {
$reasonCode = is_string($result->run->context['reason_code'] ?? null)
? (string) $result->run->context['reason_code']
: 'unknown_error';
$actions = [
Actions\Action::make('view_run')
->label('View run')
->url($runUrl),
];
$nextSteps = $result->run->context['next_steps'] ?? [];
$nextSteps = is_array($nextSteps) ? $nextSteps : [];
foreach ($nextSteps as $index => $step) {
if (! is_array($step)) {
continue;
}
$label = is_string($step['label'] ?? null) ? trim((string) $step['label']) : '';
$url = is_string($step['url'] ?? null) ? trim((string) $step['url']) : '';
if ($label === '' || $url === '') {
continue;
}
$actions[] = Actions\Action::make('next_step_'.$index)
->label($label)
->url($url);
break;
}
Notification::make()
->title('Verification blocked')
->body("Blocked by provider configuration ({$reasonCode}).")
->warning()
->actions($actions)
->send();
return;
}
Notification::make()
->title('Verification started')
->success()
->actions([
Actions\Action::make('view_run')
->label('View run')
->url($runUrl),
])
->send();
static::verifyTenant($record, $configService, $permissionService, $rbacHealthService, $auditLogger);
}),
)
->preserveVisibility()
->requireCapability(Capabilities::PROVIDER_RUN)
->requireCapability(Capabilities::TENANT_MANAGE)
->apply(),
static::rbacAction(),
UiEnforcement::forAction(
@ -1490,4 +1405,95 @@ private static function resolveGroupLabel(?Tenant $tenant, ?string $groupId): ?s
$response->data['id'] ?? $groupId
);
}
public static function verifyTenant(
Tenant $tenant,
TenantConfigService $configService,
TenantPermissionService $permissionService,
RbacHealthService $rbacHealthService,
AuditLogger $auditLogger
): void {
$configResult = $configService->testConnectivity($tenant);
// Fetch actual permissions from Graph API with liveCheck=true
$permissions = $permissionService->compare($tenant, null, true, true);
$rbac = $rbacHealthService->check($tenant);
$appStatus = $configResult['success']
? 'ok'
: ($configResult['requires_consent'] ? 'consent_required' : 'error');
$tenant->update([
'app_status' => $appStatus,
'app_notes' => $configResult['error_message'],
]);
$user = auth()->user();
$auditLogger->log(
tenant: $tenant,
action: 'tenant.config.verified',
context: [
'metadata' => [
'app_status' => $appStatus,
'error' => $configResult['error_message'],
],
],
actorId: $user?->id,
actorEmail: $user?->email,
actorName: $user?->name,
status: $appStatus === 'ok' ? 'success' : 'error',
resourceType: 'tenant',
resourceId: (string) $tenant->id,
);
$auditLogger->log(
tenant: $tenant,
action: 'tenant.permissions.checked',
context: [
'metadata' => [
'overall_status' => $permissions['overall_status'],
],
],
actorId: $user?->id,
actorEmail: $user?->email,
actorName: $user?->name,
status: match ($permissions['overall_status']) {
'granted' => 'success',
'error' => 'error',
default => 'partial',
},
resourceType: 'tenant',
resourceId: (string) $tenant->id,
);
$auditLogger->log(
tenant: $tenant,
action: 'tenant.rbac.checked',
context: [
'metadata' => [
'status' => $rbac['status'],
'reason' => $rbac['reason'] ?? null,
],
],
status: $rbac['status'] === 'ok' ? 'success' : 'error',
resourceType: 'tenant',
resourceId: (string) $tenant->id,
);
$notification = Notification::make()
->title($configResult['success'] ? 'Configuration verified' : 'Verification failed')
->body($configResult['success']
? 'Graph connectivity confirmed. Permission status: '.$permissions['overall_status']
: ($configResult['error_message'] ?? 'Graph connectivity failed'));
if ($configResult['success']) {
$notification->success();
} elseif ($configResult['requires_consent']) {
$notification->warning();
} else {
$notification->danger();
}
$notification->send();
}
}

125
app/Filament/Resources/TenantResource/Pages/ViewTenant.php
View File

@ -6,13 +6,14 @@
use App\Filament\Resources\TenantResource;
use App\Filament\Widgets\Tenant\RecentOperationsSummary;
use App\Filament\Widgets\Tenant\TenantArchivedBanner;
use App\Filament\Widgets\Tenant\TenantVerificationReport;
use App\Models\Tenant;
use App\Models\User;
use App\Services\Intune\AuditLogger;
use App\Services\Verification\StartVerification;
use App\Services\Intune\RbacHealthService;
use App\Services\Intune\TenantConfigService;
use App\Services\Intune\TenantPermissionService;
use App\Services\Providers\ProviderConnectionResolver;
use App\Support\Auth\Capabilities;
use App\Support\OperationRunLinks;
use App\Support\Providers\ProviderNextStepsRegistry;
use App\Support\Rbac\UiEnforcement;
use Filament\Actions;
use Filament\Notifications\Notification;
@ -27,7 +28,6 @@ protected function getHeaderWidgets(): array
return [
TenantArchivedBanner::class,
RecentOperationsSummary::class,
TenantVerificationReport::class,
];
}
@ -63,126 +63,59 @@ protected function getHeaderActions(): array
->url(fn (Tenant $record) => TenantResource::entraUrl($record))
->visible(fn (Tenant $record) => TenantResource::entraUrl($record) !== null)
->openUrlInNewTab(),
UiEnforcement::forAction(
Actions\Action::make('verify')
->label('Verify configuration')
->icon('heroicon-o-check-badge')
->color('primary')
->requiresConfirmation()
->visible(fn (Tenant $record): bool => $record->isActive())
->action(function (
Tenant $record,
StartVerification $verification,
): void {
$user = auth()->user();
TenantConfigService $configService,
TenantPermissionService $permissionService,
RbacHealthService $rbacHealthService,
AuditLogger $auditLogger,
ProviderConnectionResolver $connectionResolver,
ProviderNextStepsRegistry $nextStepsRegistry,
) {
$resolution = $connectionResolver->resolveDefault($record, 'microsoft');
if (! $user instanceof User) {
abort(403);
}
if (! $resolution->resolved) {
$reasonCode = $resolution->effectiveReasonCode();
$nextSteps = $nextStepsRegistry->forReason($record, $reasonCode, $resolution->connection);
if (! $user->canAccessTenant($record)) {
abort(404);
}
$result = $verification->providerConnectionCheckForTenant(
tenant: $record,
initiator: $user,
extraContext: [
'surface' => [
'kind' => 'tenant_view_header',
],
],
);
$runUrl = OperationRunLinks::tenantlessView($result->run);
if ($result->status === 'scope_busy') {
Notification::make()
->title('Another operation is already running')
->body('Please wait for the active run to finish.')
->warning()
->actions([
Actions\Action::make('view_run')
->label('View run')
->url($runUrl),
])
->send();
return;
}
if ($result->status === 'deduped') {
Notification::make()
->title('Verification already running')
->body('A verification run is already queued or running.')
->warning()
->actions([
Actions\Action::make('view_run')
->label('View run')
->url($runUrl),
])
->send();
return;
}
if ($result->status === 'blocked') {
$reasonCode = is_string($result->run->context['reason_code'] ?? null)
? (string) $result->run->context['reason_code']
: 'unknown_error';
$actions = [
Actions\Action::make('view_run')
->label('View run')
->url($runUrl),
];
$nextSteps = $result->run->context['next_steps'] ?? [];
$nextSteps = is_array($nextSteps) ? $nextSteps : [];
$notification = Notification::make()
->title('Verification blocked')
->body("Blocked by provider configuration ({$reasonCode}).")
->warning();
foreach ($nextSteps as $index => $step) {
if (! is_array($step)) {
continue;
}
$label = is_string($step['label'] ?? null) ? trim((string) $step['label']) : '';
$url = is_string($step['url'] ?? null) ? trim((string) $step['url']) : '';
$label = is_string($step['label'] ?? null) ? $step['label'] : null;
$url = is_string($step['url'] ?? null) ? $step['url'] : null;
if ($label === '' || $url === '') {
if ($label === null || $url === null) {
continue;
}
$actions[] = Actions\Action::make('next_step_'.$index)
$notification->actions([
Actions\Action::make('next_step_'.$index)
->label($label)
->url($url);
->url($url),
]);
break;
}
Notification::make()
->title('Verification blocked')
->body("Blocked by provider configuration ({$reasonCode}).")
->warning()
->actions($actions)
->send();
$notification->send();
return;
}
Notification::make()
->title('Verification started')
->success()
->actions([
Actions\Action::make('view_run')
->label('View run')
->url($runUrl),
])
->send();
TenantResource::verifyTenant($record, $configService, $permissionService, $rbacHealthService, $auditLogger);
}),
)
->preserveVisibility()
->requireCapability(Capabilities::PROVIDER_RUN)
->apply(),
TenantResource::rbacAction(),
UiEnforcement::forAction(
Actions\Action::make('archive')

15
app/Filament/Widgets/Tenant/RecentOperationsSummary.php
View File

@ -16,25 +16,12 @@ class RecentOperationsSummary extends Widget
protected string $view = 'filament.widgets.tenant.recent-operations-summary';
public ?Tenant $record = null;
private function resolveTenant(): ?Tenant
{
$tenant = Filament::getTenant();
if ($tenant instanceof Tenant) {
return $tenant;
}
return $this->record instanceof Tenant ? $this->record : null;
}
/**
* @return array<string, mixed>
*/
protected function getViewData(): array
{
$tenant = $this->resolveTenant();
$tenant = Filament::getTenant();
if (! $tenant instanceof Tenant) {
return [

223
app/Filament/Widgets/Tenant/TenantVerificationReport.php
View File

@ -1,223 +0,0 @@
<?php
declare(strict_types=1);
namespace App\Filament\Widgets\Tenant;
use App\Filament\Support\VerificationReportViewer;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Services\Verification\StartVerification;
use App\Support\Auth\Capabilities;
use App\Support\Auth\UiTooltips;
use App\Support\OperationRunLinks;
use App\Support\OperationRunStatus;
use Filament\Actions\Action;
use Filament\Facades\Filament;
use Filament\Notifications\Notification;
use Filament\Widgets\Widget;
class TenantVerificationReport extends Widget
{
protected static bool $isLazy = false;
protected string $view = 'filament.widgets.tenant.tenant-verification-report';
public ?Tenant $record = null;
private function resolveTenant(): ?Tenant
{
$tenant = Filament::getTenant();
if ($tenant instanceof Tenant) {
return $tenant;
}
return $this->record instanceof Tenant ? $this->record : null;
}
public function startVerification(StartVerification $verification): void
{
$user = auth()->user();
if (! $user instanceof User) {
abort(403);
}
$tenant = $this->resolveTenant();
if (! $tenant instanceof Tenant) {
abort(404);
}
if (! $user->canAccessTenant($tenant)) {
abort(404);
}
$result = $verification->providerConnectionCheckForTenant(
tenant: $tenant,
initiator: $user,
extraContext: [
'surface' => [
'kind' => 'tenant_verification_widget',
],
],
);
$runUrl = OperationRunLinks::tenantlessView($result->run);
if ($result->status === 'scope_busy') {
Notification::make()
->title('Another operation is already running')
->body('Please wait for the active run to finish.')
->warning()
->actions([
Action::make('view_run')
->label('View run')
->url($runUrl),
])
->send();
return;
}
if ($result->status === 'deduped') {
Notification::make()
->title('Verification already running')
->body('A verification run is already queued or running.')
->warning()
->actions([
Action::make('view_run')
->label('View run')
->url($runUrl),
])
->send();
return;
}
if ($result->status === 'blocked') {
$reasonCode = is_string($result->run->context['reason_code'] ?? null)
? (string) $result->run->context['reason_code']
: 'unknown_error';
$actions = [
Action::make('view_run')
->label('View run')
->url($runUrl),
];
$nextSteps = $result->run->context['next_steps'] ?? [];
$nextSteps = is_array($nextSteps) ? $nextSteps : [];
foreach ($nextSteps as $index => $step) {
if (! is_array($step)) {
continue;
}
$label = is_string($step['label'] ?? null) ? trim((string) $step['label']) : '';
$url = is_string($step['url'] ?? null) ? trim((string) $step['url']) : '';
if ($label === '' || $url === '') {
continue;
}
$actions[] = Action::make('next_step_'.$index)
->label($label)
->url($url);
break;
}
Notification::make()
->title('Verification blocked')
->body("Blocked by provider configuration ({$reasonCode}).")
->warning()
->actions($actions)
->send();
return;
}
Notification::make()
->title('Verification started')
->success()
->actions([
Action::make('view_run')
->label('View run')
->url($runUrl),
])
->send();
}
/**
* @return array<string, mixed>
*/
protected function getViewData(): array
{
$tenant = $this->resolveTenant();
if (! $tenant instanceof Tenant) {
return [
'tenant' => null,
'run' => null,
'runData' => null,
'runUrl' => null,
'report' => null,
'isInProgress' => false,
'canStart' => false,
'startTooltip' => null,
];
}
$run = OperationRun::query()
->where('tenant_id', (int) $tenant->getKey())
->where('type', 'provider.connection.check')
->orderByDesc('id')
->first();
$report = $run instanceof OperationRun
? VerificationReportViewer::report($run)
: null;
$isInProgress = $run instanceof OperationRun
&& (string) $run->status !== OperationRunStatus::Completed->value;
$user = auth()->user();
$isTenantMember = $user instanceof User && $user->canAccessTenant($tenant);
$canStart = $isTenantMember
&& $user->can(Capabilities::PROVIDER_RUN, $tenant);
$runData = null;
if ($run instanceof OperationRun) {
$context = is_array($run->context ?? null) ? $run->context : [];
$targetScope = $context['target_scope'] ?? [];
$targetScope = is_array($targetScope) ? $targetScope : [];
$runData = [
'id' => (int) $run->getKey(),
'type' => (string) $run->type,
'status' => (string) $run->status,
'outcome' => (string) $run->outcome,
'initiator_name' => (string) $run->initiator_name,
'started_at' => $run->started_at?->toJSON(),
'completed_at' => $run->completed_at?->toJSON(),
'target_scope' => $targetScope,
'failures' => is_array($run->failure_summary ?? null) ? $run->failure_summary : [],
];
}
return [
'tenant' => $tenant,
'run' => $run,
'runData' => $runData,
'runUrl' => $run instanceof OperationRun ? OperationRunLinks::tenantlessView($run) : null,
'report' => $report,
'isInProgress' => $isInProgress,
'canStart' => $canStart,
'startTooltip' => $isTenantMember && ! $canStart ? UiTooltips::insufficientPermission() : null,
];
}
}

18
app/Policies/OperationRunPolicy.php
View File

@ -40,22 +40,6 @@ public function view(User $user, OperationRun $run): Response|bool
->where('user_id', (int) $user->getKey())
->exists();
if (! $isMember) {
return Response::denyAsNotFound();
}
$tenantId = (int) ($run->tenant_id ?? 0);
if ($tenantId > 0) {
$hasTenantEntitlement = $user->tenantMemberships()
->where('tenant_id', $tenantId)
->exists();
if (! $hasTenantEntitlement) {
return Response::denyAsNotFound();
}
}
return true;
return $isMember ? true : Response::denyAsNotFound();
}
}

12
app/Services/Providers/ProviderOperationStartGate.php
View File

@ -9,8 +9,6 @@
use App\Services\OperationRunService;
use App\Support\Providers\ProviderNextStepsRegistry;
use App\Support\Providers\ProviderReasonCodes;
use App\Support\Verification\BlockedVerificationReportFactory;
use App\Support\Verification\VerificationReportWriter;
use Illuminate\Support\Facades\DB;
use InvalidArgumentException;
use ReflectionFunction;
@ -166,16 +164,6 @@ private function startBlocked(
message: $reasonMessage,
);
if ($operationType === 'provider.connection.check') {
VerificationReportWriter::write(
run: $run,
checks: BlockedVerificationReportFactory::checks($run),
identity: BlockedVerificationReportFactory::identity($run),
);
$run->refresh();
}
return ProviderOperationStartResult::blocked($run);
}

70
app/Services/Verification/StartVerification.php
View File

@ -13,7 +13,6 @@
use App\Services\Providers\ProviderOperationStartResult;
use App\Support\Auth\Capabilities;
use Illuminate\Support\Facades\Gate;
use InvalidArgumentException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
final class StartVerification
@ -32,51 +31,6 @@ public function providerConnectionCheck(
ProviderConnection $connection,
User $initiator,
array $extraContext = [],
): ProviderOperationStartResult {
return $this->providerConnectionCheckUsingConnection(
tenant: $tenant,
connection: $connection,
initiator: $initiator,
extraContext: $extraContext,
);
}
/**
* Start (or dedupe) a provider-connection verification run for the tenant default connection.
*
* @param array<string, mixed> $extraContext
*/
public function providerConnectionCheckForTenant(
Tenant $tenant,
User $initiator,
array $extraContext = [],
): ProviderOperationStartResult {
if (! $initiator->canAccessTenant($tenant)) {
throw new NotFoundHttpException;
}
Gate::forUser($initiator)->authorize(Capabilities::PROVIDER_RUN, $tenant);
return $this->providers->start(
tenant: $tenant,
connection: null,
operationType: 'provider.connection.check',
dispatcher: fn (OperationRun $run): mixed => $this->dispatchConnectionHealthCheck($run, $tenant, $initiator),
initiator: $initiator,
extraContext: $extraContext,
);
}
/**
* Start (or dedupe) a provider-connection verification run for an explicit connection.
*
* @param array<string, mixed> $extraContext
*/
public function providerConnectionCheckUsingConnection(
Tenant $tenant,
ProviderConnection $connection,
User $initiator,
array $extraContext = [],
): ProviderOperationStartResult {
if (! $initiator->canAccessTenant($tenant)) {
throw new NotFoundHttpException;
@ -88,26 +42,16 @@ public function providerConnectionCheckUsingConnection(
tenant: $tenant,
connection: $connection,
operationType: 'provider.connection.check',
dispatcher: fn (OperationRun $run): mixed => $this->dispatchConnectionHealthCheck($run, $tenant, $initiator),
initiator: $initiator,
extraContext: $extraContext,
);
}
private function dispatchConnectionHealthCheck(OperationRun $run, Tenant $tenant, User $initiator): mixed
{
$context = is_array($run->context ?? null) ? $run->context : [];
$providerConnectionId = $context['provider_connection_id'] ?? null;
if (! is_numeric($providerConnectionId)) {
throw new InvalidArgumentException('Provider connection id is missing from run context.');
}
return ProviderConnectionHealthCheckJob::dispatch(
dispatcher: function (OperationRun $run) use ($tenant, $initiator, $connection): void {
ProviderConnectionHealthCheckJob::dispatch(
tenantId: (int) $tenant->getKey(),
userId: (int) $initiator->getKey(),
providerConnectionId: (int) $providerConnectionId,
providerConnectionId: (int) $connection->getKey(),
operationRun: $run,
);
},
initiator: $initiator,
extraContext: $extraContext,
);
}
}

119
app/Support/Verification/BlockedVerificationReportFactory.php
View File

@ -1,119 +0,0 @@
<?php
declare(strict_types=1);
namespace App\Support\Verification;
use App\Models\OperationRun;
use App\Support\OpsUx\RunFailureSanitizer;
use App\Support\Providers\ProviderReasonCodes;
final class BlockedVerificationReportFactory
{
/**
* @return array<int, array<string, mixed>>
*/
public static function checks(OperationRun $run): array
{
$context = is_array($run->context ?? null) ? $run->context : [];
$reasonCode = self::normalizedReasonCode($context['reason_code'] ?? null);
$message = self::blockedMessage($run);
$nextSteps = $context['next_steps'] ?? [];
$nextSteps = VerificationReportSanitizer::sanitizeNextStepsPayload($nextSteps);
return [[
'key' => 'provider.connection.check',
'title' => 'Provider connection preflight',
'status' => 'fail',
'severity' => 'critical',
'blocking' => true,
'reason_code' => $reasonCode,
'message' => $message,
'evidence' => self::evidence($run, $context),
'next_steps' => $nextSteps,
]];
}
/**
* @return array<string, mixed>
*/
public static function identity(OperationRun $run): array
{
$context = is_array($run->context ?? null) ? $run->context : [];
$identity = [];
$providerConnectionId = $context['provider_connection_id'] ?? null;
if (is_numeric($providerConnectionId)) {
$identity['provider_connection_id'] = (int) $providerConnectionId;
}
$targetScope = $context['target_scope'] ?? [];
$targetScope = is_array($targetScope) ? $targetScope : [];
$entraTenantId = $targetScope['entra_tenant_id'] ?? null;
if (is_string($entraTenantId) && trim($entraTenantId) !== '') {
$identity['entra_tenant_id'] = trim($entraTenantId);
}
return $identity;
}
private static function normalizedReasonCode(mixed $reasonCode): string
{
if (! is_string($reasonCode)) {
return ProviderReasonCodes::UnknownError;
}
return RunFailureSanitizer::normalizeReasonCode($reasonCode);
}
private static function blockedMessage(OperationRun $run): string
{
$failures = is_array($run->failure_summary ?? null) ? $run->failure_summary : [];
$firstFailure = $failures[0] ?? null;
if (is_array($firstFailure) && is_string($firstFailure['message'] ?? null) && trim((string) $firstFailure['message']) !== '') {
return trim((string) $firstFailure['message']);
}
return 'Operation blocked due to provider configuration.';
}
/**
* @param array<string, mixed> $context
* @return array<int, array{kind: string, value: int|string}>
*/
private static function evidence(OperationRun $run, array $context): array
{
$evidence = [];
$providerConnectionId = $context['provider_connection_id'] ?? null;
if (is_numeric($providerConnectionId)) {
$evidence[] = [
'kind' => 'provider_connection_id',
'value' => (int) $providerConnectionId,
];
}
$targetScope = $context['target_scope'] ?? [];
$targetScope = is_array($targetScope) ? $targetScope : [];
$entraTenantId = $targetScope['entra_tenant_id'] ?? null;
if (is_string($entraTenantId) && trim($entraTenantId) !== '') {
$evidence[] = [
'kind' => 'entra_tenant_id',
'value' => trim($entraTenantId),
];
}
$evidence[] = [
'kind' => 'operation_run_id',
'value' => (int) $run->getKey(),
];
return $evidence;
}
}

150
resources/views/filament/widgets/tenant/tenant-verification-report.blade.php
View File

@ -1,150 +0,0 @@
@php
$run = $run ?? null;
$run = $run instanceof \App\Models\OperationRun ? $run : null;
$runData = $runData ?? null;
$runData = is_array($runData) ? $runData : null;
$runUrl = $runUrl ?? null;
$runUrl = is_string($runUrl) && trim($runUrl) !== '' ? trim($runUrl) : null;
$report = $report ?? null;
$report = is_array($report) ? $report : null;
$isInProgress = (bool) ($isInProgress ?? false);
$canStart = (bool) ($canStart ?? false);
$startTooltip = $startTooltip ?? null;
$startTooltip = is_string($startTooltip) && trim($startTooltip) !== '' ? trim($startTooltip) : null;
@endphp
<x-filament::section
heading="Verification report"
description="Latest verification state for this tenant (DB-only rendering)."
>
<div class="space-y-4">
@if ($run === null)
<div class="rounded-lg border border-gray-200 bg-white p-4 text-sm text-gray-600 shadow-sm dark:border-gray-800 dark:bg-gray-900 dark:text-gray-300">
No verification run has been started yet.
</div>
<div class="flex items-center gap-2">
@if ($canStart)
<x-filament::button
color="primary"
size="sm"
wire:click="startVerification"
>
Start verification
</x-filament::button>
@else
<div class="flex flex-col gap-1">
<x-filament::button
color="gray"
size="sm"
disabled
:title="$startTooltip"
>
Start verification
</x-filament::button>
@if ($startTooltip)
<div class="text-xs text-gray-500 dark:text-gray-400">
{{ $startTooltip }}
</div>
@endif
</div>
@endif
</div>
@elseif ($isInProgress)
<div class="rounded-lg border border-gray-200 bg-white p-4 text-sm text-gray-600 shadow-sm dark:border-gray-800 dark:bg-gray-900 dark:text-gray-300">
Verification is currently in progress. This section reads only stored run state and does not call external services.
</div>
<div class="flex flex-wrap items-center gap-2">
@if ($runUrl)
<x-filament::button
tag="a"
:href="$runUrl"
color="gray"
size="sm"
>
View run
</x-filament::button>
@endif
@if ($canStart)
<x-filament::button
color="primary"
size="sm"
wire:click="startVerification"
>
Start verification
</x-filament::button>
@else
<div class="flex flex-col gap-1">
<x-filament::button
color="gray"
size="sm"
disabled
:title="$startTooltip"
>
Start verification
</x-filament::button>
@if ($startTooltip)
<div class="text-xs text-gray-500 dark:text-gray-400">
{{ $startTooltip }}
</div>
@endif
</div>
@endif
</div>
@else
@include('filament.components.verification-report-viewer', [
'run' => $runData,
'report' => $report,
])
<div class="flex flex-wrap items-center gap-2">
@if ($runUrl)
<x-filament::button
tag="a"
:href="$runUrl"
color="gray"
size="sm"
>
View run
</x-filament::button>
@endif
@if ($canStart)
<x-filament::button
color="primary"
size="sm"
wire:click="startVerification"
>
Start verification
</x-filament::button>
@else
<div class="flex flex-col gap-1">
<x-filament::button
color="gray"
size="sm"
disabled
:title="$startTooltip"
>
Start verification
</x-filament::button>
@if ($startTooltip)
<div class="text-xs text-gray-500 dark:text-gray-400">
{{ $startTooltip }}
</div>
@endif
</div>
@endif
</div>
@endif
</div>
</x-filament::section>

35
specs/084-verification-surfaces-unification/checklists/requirements.md
View File

@ -1,35 +0,0 @@
# Specification Quality Checklist: Verification Surfaces Unification
**Purpose**: Validate specification completeness and quality before proceeding to planning
**Created**: 2026-02-09
**Feature**: [specs/084-verification-surfaces-unification/spec.md](../spec.md)
## Content Quality
- [x] No implementation details (languages, frameworks, APIs)
- [x] Focused on user value and business needs
- [x] Written for non-technical stakeholders
- [x] All mandatory sections completed
## Requirement Completeness
- [x] No [NEEDS CLARIFICATION] markers remain
- [x] Requirements are testable and unambiguous
- [x] Success criteria are measurable
- [x] Success criteria are technology-agnostic (no implementation details)
- [x] All acceptance scenarios are defined
- [x] Edge cases are identified
- [x] Scope is clearly bounded
- [x] Dependencies and assumptions identified
## Feature Readiness
- [x] All functional requirements have clear acceptance criteria
- [x] User scenarios cover primary flows
- [x] Feature meets measurable outcomes defined in Success Criteria
- [x] No implementation details leak into specification
## Notes
- The spec references “Filament” only to satisfy the required UI Action Matrix section; it does not prescribe implementation details beyond user-visible actions and authorization semantics.
- Items marked incomplete require spec updates before `/speckit.clarify` or `/speckit.plan`

40
specs/084-verification-surfaces-unification/contracts/operation-run-context.provider-connection-check.schema.json
View File

@ -1,40 +0,0 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "operation-run-context.provider-connection-check.schema.json",
"title": "OperationRun Context — provider.connection.check",
"type": "object",
"additionalProperties": true,
"properties": {
"provider": { "type": "string", "minLength": 1 },
"module": { "type": "string", "minLength": 1 },
"provider_connection_id": { "type": "integer", "minimum": 1 },
"target_scope": {
"type": "object",
"additionalProperties": true,
"properties": {
"entra_tenant_id": { "type": "string", "minLength": 1 },
"entra_tenant_name": { "type": "string", "minLength": 1 }
},
"required": ["entra_tenant_id"]
},
"reason_code": { "type": "string", "minLength": 1 },
"next_steps": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"required": ["label", "url"],
"properties": {
"label": { "type": "string", "minLength": 1 },
"url": { "type": "string", "minLength": 1 }
}
}
},
"verification_report": {
"description": "Stored verification report document. For completed blocked runs, this MUST be present and schema-valid per verification-report.v1_5 schema.",
"type": "object",
"additionalProperties": true
}
},
"required": ["provider", "module", "target_scope"]
}

57
specs/084-verification-surfaces-unification/contracts/verification-surfaces.routes.md
View File

@ -1,57 +0,0 @@
# Contracts — Verification Surfaces Unification (Spec 084)
This document describes the user action surfaces and canonical linking rules.
## Canonical run link
- Canonical run viewer route: `/admin/operations/{runId}`
- Helper: `OperationRunLinks::tenantlessView($runId)`
Rule:
- All verification surfaces MUST link to the canonical tenantless viewer.
- Tenantless run viewing MUST still enforce:
- workspace membership AND
- tenant entitlement (when the run is tenant-associated)
Missing either MUST be deny-as-not-found (404).
## Start surfaces
### Tenant detail — “Verify configuration”
- Trigger: Filament action on tenant view page.
- Behavior:
- Authorize capability.
- Start/dedupe `OperationRun` with `type = provider.connection.check`.
- Dispatch `ProviderConnectionHealthCheckJob` when newly created.
- Notify with “View run” (canonical URL).
### Onboarding — “Verify access”
- Trigger: Filament wizard action.
- Behavior:
- Authorize onboarding capability.
- Start/dedupe the same run type.
- Notify with “View run” (canonical URL).
## Viewer surfaces (DB-only)
### Tenant embedded viewer
- Select latest `provider.connection.check` run attempt for the tenant.
- States:
- Empty (no run yet): shows “Start verification” CTA.
- In progress (active run; no report yet): shows DB-only in-progress UI.
- Completed: shows stored `verification_report`.
### Operations run viewer
- Uses `OperationRun` as the source of truth.
- Verification report rendered from `context.verification_report` only.
## Blocked completion invariant
For `provider.connection.check` runs:
- If the run is completed with outcome `blocked`, `context.verification_report` MUST exist and be schema-valid.
- Viewers MUST NOT fabricate a report at render time.

82
specs/084-verification-surfaces-unification/data-model.md
View File

@ -1,82 +0,0 @@
# Data Model — Verification Surfaces Unification (Spec 084)
This feature reuses existing persisted entities. The main change is a stronger invariant about `OperationRun.context.verification_report` for blocked verification completions.
## Entities
### OperationRun
Source of truth for observability and verification report storage.
- Table: `operation_runs`
- Key fields (existing):
- `id` (int)
- `workspace_id` (int)
- `tenant_id` (int, nullable for some platform runs; verification is tenant-associated)
- `type` (string) — verification uses `provider.connection.check`
- `status` (string) — includes active vs completed
- `outcome` (string) — includes `succeeded`, `failed`, `blocked`
- `context` (json/jsonb) — stores `verification_report` and run metadata
- `failure_summary` (array/json)
- timestamps: `created_at`, `started_at`, `completed_at`
#### Verification context (provider connection check)
For `OperationRun.type = provider.connection.check`, the context is expected to include:
- `provider` (string)
- `module` (string)
- `provider_connection_id` (int)
- `target_scope` (object):
- `entra_tenant_id` (string)
- optionally `entra_tenant_name` (string)
- `verification_report` (object) — see “VerificationReport” below
Additionally, for blocked starts (preflight):
- `reason_code` (string)
- `next_steps` (array of `{label, url}`)
- `verification_report` MUST exist once the run is completed as `blocked`.
### VerificationReport (stored document)
A stored document under `operation_runs.context.verification_report`.
- Schema: `specs/075-verification-v1-5/contracts/verification-report.v1_5.schema.json`
- Key properties:
- `schema_version`
- `flow` (aligns with `OperationRun.type`)
- `generated_at`
- `fingerprint`
- `previous_report_id`
- `summary.overall`, `summary.counts`
- `checks[]`
#### Invariant introduced by this feature
- If a verification run completes with outcome `blocked`, `verification_report` MUST be present and schema-valid.
- For in-progress runs, `verification_report` may be absent until the job writes it.
### TenantOnboardingSession (existing)
Onboarding stores pointers to the current verification run.
- `state.verification_operation_run_id` (int)
- `state.provider_connection_id` (int)
## Relationships
- `OperationRun` belongs to `Tenant` (tenant-scoped verification)
- `VerificationCheckAcknowledgement` belongs to `OperationRun` (acknowledgements enrich viewer; unchanged)
## State transitions
For `provider.connection.check`:
- `queued/running``completed`
- Outcomes:
- `succeeded` when provider connection is healthy and permission inventory refresh succeeds
- `failed` when provider check fails (with `failure_summary`)
- `blocked` when prerequisites prevent starting (preflight), still with a stub report
No database schema migrations are expected for this feature.

131
specs/084-verification-surfaces-unification/plan.md
View File

@ -1,131 +0,0 @@
# Implementation Plan: Verification Surfaces Unification
**Branch**: `084-verification-surfaces-unification` | **Date**: 2026-02-09 | **Spec**: `specs/084-verification-surfaces-unification/spec.md`
**Input**: Feature specification from `specs/084-verification-surfaces-unification/spec.md`
## Summary
Unify tenant “Verify configuration” and onboarding “Verify access” to the same `OperationRun`-based flow (`provider.connection.check`), with DB-only viewing and canonical tenantless run links. Ensure any **completed blocked** verification run persists a **schema-valid** `context.verification_report` stub so viewers never show “report unavailable” for blocked completions.
## Technical Context
**Language/Version**: PHP 8.4 (Laravel 12)
**Primary Dependencies**: Filament v5 (Livewire v4), Queue/Jobs (Laravel), Microsoft Graph via `GraphClientInterface`
**Storage**: PostgreSQL (JSONB-backed `OperationRun.context`)
**Testing**: Pest v4 (Feature tests), Filament/Livewire component testing where applicable
**Target Platform**: Web application (Sail-first local dev)
**Performance Goals**:
- Tenant detail + onboarding verification surfaces render DB-only with no external provider/Graph calls.
- Start action returns quickly (authorize → create/dedupe run → enqueue job → notify + “View run”).
**Constraints**:
- RBAC isolation: non-members are deny-as-not-found (404); members missing capability are 403 on execution.
- `OperationRun` active dedupe enforced (already handled via `OperationRunService::ensureRunWithIdentity()` + active-run checks).
**Scale/Scope**: Tenant-scoped verification for provider connection health + permission inventory refresh (existing behavior).
## Constitution Check
*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
- Inventory-first / Read-write separation: PASS (verification is an explicit user-triggered operation; viewing is read-only).
- Graph contract path: PASS (provider verification uses `ProviderGateway` + `GraphClientInterface`; no render-time Graph calls).
- Workspace/Tenant isolation: PASS (tenantless canonical views must still enforce workspace + tenant entitlement; missing either is 404).
- RBAC-UX 404/403 split: PASS (start is 403 for members missing capability; non-members 404; Livewire calls included).
- Run observability: PASS (verification is queued and tracked as `OperationRun`; start surfaces enqueue-only; Monitoring is DB-only).
- Data minimization/safe logging: PASS (verification report stored in `OperationRun.context`; no secrets; next steps are link-only).
- Filament action safety: PASS (verification start uses `->action(...)`; any destructive action confirmations remain required).
No constitution violations are required for this feature.
## Project Structure
### Documentation (this feature)
```text
specs/084-verification-surfaces-unification/
├── plan.md
├── research.md
├── data-model.md
├── quickstart.md
└── contracts/
├── operation-run-context.provider-connection-check.schema.json
└── verification-surfaces.routes.md
```
### Source Code (existing, relevant)
```text
app/
├── Filament/
│ ├── Resources/
│ │ ├── TenantResource.php
│ │ └── TenantResource/Pages/ViewTenant.php
│ ├── Pages/Workspaces/ManagedTenantOnboardingWizard.php
│ └── Support/VerificationReportViewer.php
├── Jobs/ProviderConnectionHealthCheckJob.php
├── Services/
│ ├── Providers/ProviderOperationStartGate.php
│ ├── OperationRunService.php
│ └── Verification/StartVerification.php
└── Support/
├── OperationRunLinks.php
└── Verification/VerificationReportWriter.php
resources/views/filament/components/verification-report-viewer.blade.php
resources/views/filament/forms/components/managed-tenant-onboarding-verification-report.blade.php
```
## Phase 0 — Outline & Research
### Key decisions (grounded in current code)
- Use `provider.connection.check` as the unified verification run type.
- Already used by onboarding (`ManagedTenantOnboardingWizard::startVerification()`) and by `StartVerification::providerConnectionCheck()`.
- Tenant verification start surfaces (tenant detail and tenant list actions) will be refactored to start/dedupe `provider.connection.check` via `StartVerification`, always resolve the tenant's default provider connection, and always offer a canonical “View run” link.
- `StartVerification` API changes remain non-breaking in this feature (keep existing explicit-connection method; add a tenant-default start helper rather than replacing signatures).
- Blocked runs must write a schema-valid stub report:
- Implement stub generation immediately after `OperationRunService::finalizeBlockedRun()` for the `provider.connection.check` operation type, using `VerificationReportWriter::write(...)`.
- Tenantless canonical run viewing for tenant-associated runs is a foundational blocker and must enforce workspace membership + tenant entitlement with deny-as-not-found semantics before user-story completion.
### Outputs
- `research.md` records decisions + rationale + alternatives.
## Phase 1 — Design & Contracts
### Data model (no DB migration expected)
- Store verification report exclusively in `operation_runs.context.verification_report` (existing pattern).
- Enforce: when a `provider.connection.check` run completes with outcome `blocked`, `context.verification_report` is present and schema-valid.
### Contracts
- `contracts/operation-run-context.provider-connection-check.schema.json`
- Documents expected `OperationRun.context` keys for the verification run type.
- `contracts/verification-surfaces.routes.md`
- Documents user actions → routes/surfaces and the canonical run viewer URL.
### Outputs
- `data-model.md`, `contracts/*`, `quickstart.md`.
## Phase 2 — Implementation Planning (for `/speckit.tasks`)
Planned work items to convert into `tasks.md`:
1. Refactor tenant verification actions (tenant detail + tenant list) to use the unified start path (`provider.connection.check`) with default connection resolution, returning started/deduped/busy outcomes with a canonical run URL.
2. Add tenant embedded verification viewer:
- Select latest `provider.connection.check` run attempt for the tenant.
- Show DB-only empty state when none exists.
- Show DB-only “in progress” state when active with no report yet.
3. Ensure blocked verification runs always store a schema-valid stub report:
- Post-`finalizeBlockedRun()` write via `VerificationReportWriter` for `provider.connection.check`.
4. Authorization + isolation (blocking):
- Non-members: 404 for tenant routes and tenantless operations viewer of tenant-associated runs.
- Members missing capability: UI visible-but-disabled; server returns 403.
5. Tests (Pest):
- Blocked start produces a completed blocked run with a schema-valid `verification_report`.
- Tenant page and onboarding viewer render from stored report only (no external calls during render).
- Tenant render path never persists permission inventory updates and never uses synchronous verification paths.
- Canonical run links point to `admin.operations.view` (tenantless).

57
specs/084-verification-surfaces-unification/quickstart.md
View File

@ -1,57 +0,0 @@
# Quickstart — Verification Surfaces Unification (Spec 084)
## Local setup
- Start containers: `vendor/bin/sail up -d`
- Run tests (targeted): `vendor/bin/sail artisan test --compact`
## Manual verification (UI)
### 1) Tenant detail: start verification
1. Open a tenant record in the admin panel.
2. Use the header action: “Verify configuration”.
3. Confirm the action.
Expected:
- A queued `OperationRun` of type `provider.connection.check` is created or deduped.
- A notification includes “View run”, linking to the canonical tenantless route `/admin/operations/{run}`.
### 1b) Tenant list: row action verify
1. Open the tenant list in the admin panel.
2. On any active tenant row, choose “Verify configuration”.
Expected:
- Uses the same `provider.connection.check` start/dedupe semantics as tenant detail.
- Notification “View run” links to `/admin/operations/{run}`.
### 2) Tenant detail: embedded viewer
Expected:
- The tenant page shows the latest verification run attempt.
- If no run exists yet, it shows an empty state with “Start verification”.
- If a run is active and no report exists yet, it shows a DB-only “in progress” state.
- When completed, the viewer shows the stored report.
### 3) Blocked run report stub
Create a situation where verification is blocked (e.g., missing provider connection / consent).
Expected:
- A completed blocked `OperationRun` exists.
- The embedded viewer (and the operations run viewer) renders a stub report (no “report unavailable” state for completed blocked runs).
### 4) Onboarding: verify access
1. Go to managed tenant onboarding.
2. In the “Verify access” step, click “Start verification”.
Expected:
- Same semantics: run started/deduped/busy and “View run” links to `/admin/operations/{run}`.
## Authorization checks
Expected:
- Missing workspace membership or tenant entitlement: 404 (deny-as-not-found) for tenant routes and canonical run viewer of tenant-associated runs.
- Member without capability: action visible-but-disabled with helper text; server enforces 403 if invoked.

70
specs/084-verification-surfaces-unification/research.md
View File

@ -1,70 +0,0 @@
# Research — Verification Surfaces Unification (Spec 084)
Date: 2026-02-09
## Decision 1: Unify on `provider.connection.check` OperationRun type
- Decision: Use the existing `OperationRun.type = provider.connection.check` as the single verification run type for both:
- Tenant detail “Verify configuration”
- Onboarding “Verify access”
- Rationale:
- This run type already exists and is used by onboarding (`ManagedTenantOnboardingWizard::startVerification()`).
- The job (`ProviderConnectionHealthCheckJob`) already produces a schema-valid verification report via `VerificationReportWriter::write(...)`.
- Dedupe and “scope busy” semantics are already implemented in `ProviderOperationStartGate`.
- Alternatives considered:
- Create a new run type (e.g., `tenant.verification`). Rejected because it would duplicate existing job logic and complicate dedupe and viewer behavior.
## Decision 2: Tenant verification start uses `StartVerification` / `ProviderOperationStartGate` (enqueue-only)
- Decision: Replace the tenant detail synchronous verification (`TenantResource::verifyTenant()`) with an enqueue-only start that:
1) authorizes,
2) creates/dedupes an `OperationRun`,
3) dispatches `ProviderConnectionHealthCheckJob`,
4) returns a canonical “View run” link.
- Rationale:
- Constitution requires external calls be observable and performed asynchronously via `OperationRun`.
- The current tenant action performs Graph calls inline; onboarding already uses the queued run model.
- Unifies UX and operational auditability.
- Alternatives considered:
- Keep tenant verification synchronous and only add a “view last run” viewer. Rejected because it preserves inconsistency and violates run observability for remote calls.
## Decision 3: Completed blocked verification runs MUST always have a schema-valid stub report
- Decision: When a verification run is finalized as blocked (outcome `blocked`) for `provider.connection.check`, immediately write a stub `context.verification_report` using `VerificationReportWriter`.
- Rationale:
- Both verification viewers render DB-only and expect a report for completed runs.
- `OperationRunService::finalizeBlockedRun()` currently sets `context.reason_code` and `context.next_steps` but does not write a report, which produces a “report unavailable” state.
- A stub report can encode the reason code and next steps in a consistent, schema-valid format.
- Alternatives considered:
- Modify `VerificationReportViewer` to fabricate a report at render time if blocked. Rejected because rendering must be DB-only and deterministic, and should not create derived data in the UI layer.
- Add report writing inside `OperationRunService::finalizeBlockedRun()` for all operations. Rejected because not all blocked operations are “verification” and we should not inject verification reports into unrelated runs.
## Decision 4: Embedded tenant viewer selects latest run attempt for tenant + type
- Decision: In the tenant view, select the latest `OperationRun` attempt by:
- `tenant_id = current tenant`,
- `type = provider.connection.check`,
- ordered by `id desc`.
- Rationale:
- Matches the clarified spec requirement: latest attempt even if queued/running.
- Avoids coupling selection to provider connection id.
- Alternatives considered:
- Select by `context.provider_connection_id` and only show the default connections run. Rejected because it can hide recent verification attempts started against a different (now selected) connection.
## Decision 5: Canonical tenantless run links are mandatory
- Decision: All “View run” CTAs use `OperationRunLinks::tenantlessView($runId)` (route `admin.operations.view`).
- Rationale:
- Canonical URL improves supportability and reduces ambiguity.
- Tenantless views must still enforce workspace + tenant entitlement (404 if missing).
- Alternatives considered:
- Use tenant-scoped run URLs for tenant pages. Rejected because canonical linking is a core requirement.
## Decision 6: Authorization semantics follow RBAC-UX 404/403 split
- Decision:
- Non-members (missing workspace membership or tenant entitlement): deny-as-not-found (404) for tenant routes and tenantless operation views of tenant-associated runs.
- Members without capability: show action visible-but-disabled (UX), but server enforces 403 on attempt.
- Rationale:
- Matches constitution RBAC-UX-002 and RBAC-UX-003.

173
specs/084-verification-surfaces-unification/spec.md
View File

@ -1,173 +0,0 @@
# Feature Specification: Verification Surfaces Unification
**Feature Branch**: `084-verification-surfaces-unification`
**Created**: 2026-02-09
**Status**: Draft
**Input**: User description: "Unify tenant + onboarding verification so all verification uses the same run-based mechanism with DB-only viewing and always-available reports (including blocked)."
## Clarifications
### Session 2026-02-09
- Q: For tenant members who are in-scope but lack the capability to start verification, how should the “Verify configuration” action behave in the UI? → A: Visible but disabled, with helper text explaining the missing capability (server still enforces 403 if invoked).
- Q: When rendering the embedded verification viewer on the tenant detail page, which run should be selected as “the last relevant run”? → A: Latest run attempt for that tenant+type (even if queued/running); if active and no report yet, show a DB-only “in progress” state.
- Q: On the tenant detail page, when no verification run exists yet, what should the embedded verification section do? → A: Show a DB-only empty state with a “Start verification” CTA.
- Q: For the canonical tenantless run viewer (/admin/operations/{run}), what should be required to view a run that is associated with a tenant? → A: Require both workspace membership AND tenant entitlement; missing either is deny-as-not-found (404).
## User Scenarios & Testing *(mandatory)*
<!--
IMPORTANT: User stories should be PRIORITIZED as user journeys ordered by importance.
Each user story/journey must be INDEPENDENTLY TESTABLE - meaning if you implement just ONE of them,
you should still have a viable MVP (Minimum Viable Product) that delivers value.
Assign priorities (P1, P2, P3, etc.) to each story, where P1 is the most critical.
Think of each story as a standalone slice of functionality that can be:
- Developed independently
- Tested independently
- Deployed independently
- Demonstrated to users independently
-->
### User Story 1 - Verify tenant configuration consistently (Priority: P1)
As a workspace member with the appropriate permission, I can start a tenant verification from the tenant detail view and immediately see the latest stored verification results, without the page performing external provider calls during rendering.
**Why this priority**: This is the primary operational entry-point and must be fast, safe, and predictable.
**Independent Test**: Can be fully tested by starting verification from the tenant detail view, asserting a run record exists, and asserting the embedded viewer renders using stored data.
**Acceptance Scenarios**:
1. **Given** a tenant with an eligible provider connection, **When** I click “Verify configuration”, **Then** a verification run is started or deduped, and the tenant page renders the report viewer using stored data only.
2. **Given** a tenant where verification cannot proceed (e.g., missing consent/credentials), **When** I click “Verify configuration”, **Then** a completed “blocked” run exists and the embedded viewer shows a stub/preflight report (not an “unavailable” state).
### User Story 2 - Onboarding verify access behaves identically (Priority: P2)
As a workspace member with onboarding verification capability, I can start onboarding verification and receive the same run, dedupe/busy, blocked-report, and canonical link behavior as the tenant verification surfaces.
**Why this priority**: Removes confusion and reduces operational variance between onboarding and day-2 operations.
**Independent Test**: Can be tested by starting verification in onboarding and asserting identical run outcomes and viewer behavior to the tenant surface.
**Acceptance Scenarios**:
1. **Given** onboarding verification is started while another verification run is already active for the same target, **When** I start verification again, **Then** I receive a busy/deduped result that points to the existing active run.
---
### User Story 3 - Use canonical run links everywhere (Priority: P3)
As a workspace member, I can open the canonical run viewer link from any verification surface and it consistently resolves to the same “tenantless” run route.
**Why this priority**: Improves supportability and prevents broken/ambiguous deep links.
**Independent Test**: Can be tested by starting verification, then asserting all “View run” links point to the canonical run route and the page is accessible only to authorized members.
**Acceptance Scenarios**:
1. **Given** a verification run exists, **When** I click “View run”, **Then** I am taken to the canonical run viewer route for that run.
---
### Edge Cases
- Verification is started while an existing run is queued/running for the same target (dedupe/busy behavior must be consistent across surfaces).
- Verification cannot proceed due to missing consent/credentials (a completed blocked run must still have a schema-valid report).
- Viewer is opened by a non-member (deny-as-not-found behavior).
- Stored report data is present but incomplete/invalid (viewer must fail safe with a clear non-leaky message and no external calls).
## Non-Functional Requirements
- **NFR-001 (DB-only render)**: Tenant detail, onboarding verification display, and canonical run viewer rendering MUST be DB-only, with no external provider or Graph calls during mount/render/poll/refresh interactions.
- **NFR-002 (start path latency)**: Verification start interactions (`started`, `deduped`, `scope_busy`, `blocked`) SHOULD complete request handling in under 1 second under normal local/staging conditions because they only authorize, create/dedupe run state, enqueue, and notify.
- **NFR-003 (refresh/polling discipline)**: Verification UI refresh behavior MUST read persisted `OperationRun` state only and MUST NOT trigger inventory refresh or Graph permission reconciliation during display refresh.
## Requirements *(mandatory)*
**Constitution alignment (required):** If this feature introduces any Microsoft Graph calls, any write/change behavior,
or any long-running/queued/scheduled work, the spec MUST describe contract registry updates, safety gates
(preview/confirmation/audit), tenant isolation, run observability (`OperationRun` type/identity/visibility), and tests.
If security-relevant DB-only actions intentionally skip `OperationRun`, the spec MUST describe `AuditLog` entries.
**Constitution alignment (RBAC-UX):** If this feature introduces or changes authorization behavior, the spec MUST:
- state which authorization plane(s) are involved (tenant `/admin/t/{tenant}` vs platform `/system`),
- ensure any cross-plane access is deny-as-not-found (404),
- explicitly define 404 vs 403 semantics:
- non-member / not entitled to tenant scope → 404 (deny-as-not-found)
- member but missing capability → 403
- describe how authorization is enforced server-side (Gates/Policies) for every mutation/operation-start/credential change,
- reference the canonical capability registry (no raw capability strings; no role-string checks in feature code),
- ensure global search is tenant-scoped and non-member-safe (no hints; inaccessible results treated as 404 semantics),
- ensure destructive-like actions require confirmation (`->requiresConfirmation()`),
- include at least one positive and one negative authorization test, and note any RBAC regression tests added/updated.
**Constitution alignment (OPS-EX-AUTH-001):** OIDC/SAML login handshakes may perform synchronous outbound HTTP (e.g., token exchange)
on `/auth/*` endpoints without an `OperationRun`. This MUST NOT be used for Monitoring/Operations pages.
**Constitution alignment (BADGE-001):** If this feature changes status-like badges (status/outcome/severity/risk/availability/boolean),
the spec MUST describe how badge semantics stay centralized (no ad-hoc mappings) and which tests cover any new/changed values.
**Constitution alignment (Filament Action Surfaces):** If this feature adds or modifies any Filament Resource / RelationManager / Page,
the spec MUST include a “UI Action Matrix” (see below) and explicitly state whether the Action Surface Contract is satisfied.
If the contract is not satisfied, the spec MUST include an explicit exemption with rationale.
<!--
ACTION REQUIRED: The content in this section represents placeholders.
Fill them out with the right functional requirements.
-->
### Functional Requirements
- **FR-001**: System MUST provide a single, unified verification start mechanism used by both the tenant detail “Verify configuration” and onboarding “Verify access” surfaces.
- **FR-002**: Starting verification MUST create (or dedupe to) a single “verification run” record for the target, and surface a stable link to view that run.
- **FR-003**: When a verification run cannot proceed due to missing prerequisites, the system MUST finalize the run as completed “blocked” and persist a schema-valid stub/preflight verification report.
- **DB-only render invariant**: Verification viewers are read-only projections of persisted run/report data; they MUST NOT perform provider/Graph calls and MUST NOT persist permission inventory updates.
- **FR-004**: For any verification run that is completed (including blocked), the embedded/onboarding viewers MUST render the verification report using stored data only.
- **FR-004a**: The tenant detail embedded viewer MUST select the latest verification run attempt for the tenant and verification type; if that run is active (queued/running) and no report is yet available, the UI MUST render a DB-only “in progress” state.
- **FR-004b**: If no verification run exists yet for the tenant and verification type, the tenant detail embedded section MUST show a DB-only empty state with a “Start verification” CTA.
- **FR-005**: UI page rendering (including mount/load/summary components) MUST NOT trigger external provider calls directly or indirectly.
- **FR-006**: Dedupe rules MUST ensure at most one active run (queued/running) exists per target and verification type; repeated starts during an active run MUST return a busy/deduped outcome.
- **FR-007**: The system MUST persist any permissions inventory updates only as part of the verification jobs execution, and MUST NOT persist these updates during page rendering.
- **FR-008**: All “View run” links exposed by verification surfaces MUST use the canonical tenantless run viewer route.
- **FR-009**: Authorization MUST be enforced server-side:
- missing workspace membership OR missing tenant entitlement MUST be deny-as-not-found (404) for tenant-scoped routes/actions and tenantless canonical views of tenant-associated records,
- members lacking the required capability to start verification MUST see the action visible-but-disabled with helper text, and MUST receive a forbidden response (403) if invoked.
- **FR-010**: The system MUST emit run observability sufficient for operations (run type, outcome, timestamps, target scope) and MUST be test-covered.
### Assumptions & Dependencies
- This change unifies surfaces and report availability; it does not expand the set of verification checks beyond what is already produced today.
- For tenant verification surfaces (`ViewTenant` header action, tenant embedded CTA, and tenant list verify action), “eligible provider connection” means the resolved **default** provider connection for provider `microsoft`.
- Onboarding verification continues to use the session-selected provider connection, and still runs through the same unified operation type and run orchestration.
- Verification reports are stored with the verification run record and are treated as the sole source for UI rendering.
- External provider calls are permitted only as part of explicit user-triggered verification runs and their execution (never during page rendering).
- Existing authorization capabilities and membership rules remain the source of truth; this feature standardizes how they apply across surfaces.
## UI Action Matrix *(mandatory when Filament is changed)*
If this feature adds/modifies any Filament Resource / RelationManager / Page, fill out the matrix below.
For each surface, list the exact action labels, whether they are destructive (confirmation? typed confirmation?),
RBAC gating (capability + enforcement helper), and whether the mutation writes an audit log.
| Surface | Location | Header Actions | Inspect Affordance (List/Table) | Row Actions (max 2 visible) | Bulk Actions (grouped) | Empty-State CTA(s) | View Header Actions | Create/Edit Save+Cancel | Audit log? | Notes / Exemptions |
|---|---|---|---|---|---|---|---|---|---|---|
| Tenant detail view | Tenant admin area | Verify configuration | Embedded viewer + View run link | n/a | n/a | Start verification (empty state) | n/a | n/a | Yes | DB-only render; starts/dupes run; if missing capability: visible but disabled with helper |
| Tenant list (Tenants table) | Tenant admin area | n/a | Clickable row + View action | Verify configuration (grouped action) | grouped | n/a | n/a | n/a | Yes | Uses same unified start path and canonical run links as tenant detail |
| Onboarding verification step | Onboarding wizard | Start verification | Embedded viewer + View run link | n/a | n/a | n/a | n/a | n/a | Yes | Same semantics as tenant surface |
| Tenantless run viewer | Operations area | n/a | n/a | n/a | n/a | n/a | n/a | n/a | Yes | Requires workspace membership + tenant entitlement; otherwise 404 |
### Key Entities *(include if feature involves data)*
- **Verification Run**: An immutable operational record representing one attempt to verify access/configuration for a target scope. It captures status/outcome and a canonical link for viewing.
- **Verification Report**: A schema-valid, stored report attached to a verification run. It is always present for completed runs, including blocked runs (stub/preflight).
## Success Criteria *(mandatory)*
### Measurable Outcomes
- **SC-001**: 100% of completed blocked verification runs display a usable stub report (no "report unavailable" state for completed blocked runs).
- **SC-002**: Tenant detail pages render without any external provider calls; verification-related external calls occur only after an explicit start action.
- **SC-003**: When a verification run is already active for the same target and type, repeated starts return a busy/deduped response in under 1 second.
- **SC-004**: All verification surfaces provide a canonical "View run" link, and support can use that single URL to review outcomes.

160
specs/084-verification-surfaces-unification/tasks.md
View File

@ -1,160 +0,0 @@
---
description: "Task list for Spec 084 implementation"
---
# Tasks: Verification Surfaces Unification
**Input**: Design documents from `/specs/084-verification-surfaces-unification/`
**Tests**: REQUIRED (Pest) — this feature changes runtime behavior.
## Phase 1: Setup (Shared Infrastructure)
**Purpose**: Establish a safe baseline and align on touched surfaces.
- [X] T001 Capture baseline behavior by running existing verification tests in tests/Feature/Verification/VerificationStartDedupeTest.php and tests/Feature/ProviderConnections/ProviderOperationBlockedGuidanceSpec081Test.php
- [X] T002 Identify current tenant “Verify configuration” surface implementation in app/Filament/Resources/TenantResource/Pages/ViewTenant.php and document expected deltas in specs/084-verification-surfaces-unification/quickstart.md
---
## Phase 2: Foundational (Blocking Prerequisites)
**Purpose**: Shared primitives required by ALL user stories.
**⚠️ CRITICAL**: No user story work should begin until this phase is complete.
- [X] T003 Add schema-valid stub verification report for blocked provider.connection.check runs in app/Services/Providers/ProviderOperationStartGate.php (write context.verification_report after finalizeBlockedRun)
- [X] T004 [P] Add helper to build blocked/preflight verification checks payload in app/Support/Verification/ (e.g., new BlockedVerificationReportFactory.php used by ProviderOperationStartGate)
- [X] T005 Add a non-breaking tenant-default start helper in app/Services/Verification/StartVerification.php (keep existing explicit-connection API; delegate default-connection resolution to ProviderOperationStartGate)
- [X] T006 Ensure blocked stub report includes next steps links from context.next_steps and normalized reason_code from context.reason_code in app/Support/Verification/BlockedVerificationReportFactory.php
- [X] T007 Add Pest coverage for blocked stub report invariant in tests/Feature/Verification/ (new test file asserting completed blocked provider.connection.check has context.verification_report and it validates via VerificationReportSchema)
- [X] T027 Enforce tenant entitlement for tenant-associated runs in app/Policies/OperationRunPolicy.php and app/Filament/Pages/Operations/TenantlessOperationRunViewer.php (deny-as-not-found when workspace membership or tenant entitlement is missing)
**Checkpoint**: A blocked provider.connection.check run always has a schema-valid stored report.
---
## Phase 3: User Story 1 — Verify tenant configuration consistently (Priority: P1) 🎯 MVP
**Goal**: Start verification from tenant detail view and render the latest stored report DB-only.
**Independent Test**: Trigger the tenant verify action and confirm it creates/dedupes an OperationRun and the tenant embedded viewer renders from stored run context only.
### Tests (write first)
- [X] T008 [P] [US1] Update tests/Feature/ProviderConnections/ProviderOperationBlockedGuidanceSpec081Test.php to assert tenant verify start now creates a blocked OperationRun and includes a schema-valid verification_report stub
- [X] T009 [P] [US1] Add tenant verify happy-path test in tests/Feature/Filament/ (new test file calling ViewTenant action and asserting ProviderConnectionHealthCheckJob dispatch + canonical view-run link)
- [X] T010 [P] [US1] Add tenant embedded viewer DB-only test in tests/Feature/Filament/ (new test asserting the widget/view reads OperationRun.context only; no provider calls during render)
- [X] T032 [P] [US1] Add FR-007 regression test in tests/Feature/Filament/ asserting tenant view render path never triggers synchronous verification or permission inventory persistence
### Implementation
- [X] T011 [US1] Refactor “Verify configuration” action in app/Filament/Resources/TenantResource/Pages/ViewTenant.php to start/dedupe provider.connection.check via app/Services/Verification/StartVerification.php (no synchronous Graph work)
- [X] T012 [US1] Apply UI enforcement to the tenant verify action in app/Filament/Resources/TenantResource/Pages/ViewTenant.php using App\Support\Rbac\UiEnforcement with Capabilities::PROVIDER_RUN (visible-but-disabled; server still 403)
- [X] T013 [US1] Ensure tenant verify notifications include a canonical tenantless “View run” link using App\Support\OperationRunLinks::tenantlessView in app/Filament/Resources/TenantResource/Pages/ViewTenant.php
- [X] T033 [US1] Refactor tenant list “Verify configuration” action in app/Filament/Resources/TenantResource.php to the same unified provider.connection.check start path + canonical tenantless run links
- [X] T014 [P] [US1] Create a tenant verification viewer widget class in app/Filament/Widgets/Tenant/TenantVerificationReport.php (select latest provider.connection.check run for the current tenant)
- [X] T015 [P] [US1] Create widget view resources/views/filament/widgets/tenant/tenant-verification-report.blade.php with states: empty (Start verification CTA), in-progress, completed (render filament.components.verification-report-viewer)
- [X] T016 [US1] Register the tenant verification viewer widget on the tenant view page by updating app/Filament/Resources/TenantResource/Pages/ViewTenant.php getHeaderWidgets() to include TenantVerificationReport
- [X] T017 [US1] Implement the embedded viewer “Start verification” CTA to invoke the same unified start path (StartVerification) in app/Filament/Widgets/Tenant/TenantVerificationReport.php
- [X] T018 [US1] Ensure the embedded viewer “View run” link uses OperationRunLinks::tenantlessView in app/Filament/Widgets/Tenant/TenantVerificationReport.php and resources/views/filament/widgets/tenant/tenant-verification-report.blade.php
**Checkpoint**: US1 works end-to-end using queued OperationRun and DB-only rendering.
---
## Phase 4: User Story 2 — Onboarding verify access behaves identically (Priority: P2)
**Goal**: Onboarding verification uses the same run type, dedupe/busy semantics, and viewer behavior.
**Independent Test**: Start verification in onboarding twice and assert dedupe/busy behavior and canonical links match tenant surface.
### Tests
- [X] T019 [P] [US2] Update tests/Feature/Onboarding/OnboardingVerificationTest.php to assert busy/deduped notifications link to the canonical tenantless operations viewer route
- [X] T020 [P] [US2] Add regression test ensuring onboarding verification uses provider.connection.check and stores verification_report in tests/Feature/Onboarding/OnboardingVerificationTest.php
### Implementation
- [X] T021 [US2] Ensure app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php startVerification() uses the same unified provider.connection.check start mechanism (ProviderOperationStartGate) and remains enqueue-only
- [X] T022 [US2] Ensure onboarding “View run” links remain canonical via OperationRunLinks::tenantlessView (or equivalent tenantlessOperationRunUrl) in app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php
- [X] T023 [US2] Confirm onboarding verification report rendering uses App\Filament\Support\VerificationReportViewer only (no external calls) in app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php
---
## Phase 5: User Story 3 — Use canonical run links everywhere (Priority: P3)
**Goal**: Every verification surface links to the same tenantless run viewer route, and tenantless viewing enforces workspace + tenant entitlement (404 when missing).
**Independent Test**: From both tenant and onboarding surfaces, follow “View run” and confirm it resolves to the same canonical route and is deny-as-not-found for non-entitled actors.
### Tests
- [X] T024 [P] [US3] Add canonical link assertions for tenant verify notifications in tests/Feature/Filament/ (update test from T009 to assert route name admin.operations.view)
- [X] T025 [P] [US3] Add canonical link assertions for onboarding notifications in tests/Feature/Onboarding/OnboardingVerificationTest.php
- [X] T026 [P] [US3] Add authorization test for tenantless run viewer requiring workspace membership + tenant entitlement (404 semantics) in tests/Feature/RunAuthorizationTenantIsolationTest.php
### Implementation
- [X] T028 [US3] Ensure all verification surfaces use OperationRunLinks::tenantlessView (or identical canonical route helper) in app/Filament/Resources/TenantResource/Pages/ViewTenant.php and app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php
---
## Phase 6: Polish & Cross-Cutting Concerns
**Purpose**: Formatting, stability, and quickstart validation.
- [X] T034 Fix tenant page widgets to resolve tenant from record context (Admin panel) and add regression coverage for Recent operations + Start verification disabled state
- [X] T029 Run formatting on changed files using vendor/bin/sail bin pint --dirty (e.g., app/Filament/Resources/TenantResource/Pages/ViewTenant.php, app/Services/Providers/ProviderOperationStartGate.php, tests/Feature/Verification/*)
- [X] T030 Run targeted Pest suite for this feature using vendor/bin/sail artisan test --compact tests/Feature/Verification/ tests/Feature/ProviderConnections/ProviderOperationBlockedGuidanceSpec081Test.php tests/Feature/Onboarding/OnboardingVerificationTest.php tests/Feature/RunAuthorizationTenantIsolationTest.php
- [X] T031 Validate manual flows in specs/084-verification-surfaces-unification/quickstart.md and update it if any step text is now inaccurate
---
## Dependencies & Execution Order
- Phase 1 (Setup) → Phase 2 (Foundational) → user stories.
- User stories after Phase 2:
- **US1 (P1)** can proceed immediately after Phase 2.
- **US2 (P2)** can proceed after Phase 2 (independent of US1).
- **US3 (P3)** should run after US1 + US2 (to validate “every surface”).
### Dependency Graph (stories)
- Foundation → US1
- Foundation → US2
- US1 + US2 → US3
---
## Parallel Execution Examples
### US1 parallelizable tasks
- T008, T009, T010, and T032 can be developed in parallel (separate test files).
- T014 and T015 can be developed in parallel (widget class vs Blade view).
### US2 parallelizable tasks
- T019 and T020 can be developed in parallel within tests/Feature/Onboarding/.
### US3 parallelizable tasks
- T024, T025, T026 can be developed in parallel (different test targets).
---
## Implementation Strategy
### MVP First (US1)
1. Complete Phase 12.
2. Implement US1 tests (T008T010, T032) → ensure they fail.
3. Implement US1 code (T011T018, T033) → ensure tests pass.
4. Run Phase 6 tasks to format + verify.
### Incremental Delivery
- Add US2 next to remove onboarding/tenant variance.
- Finish with US3 to unify canonical links + tenantless authorization guarantees across all surfaces.

27
tests/Feature/Filament/RecentOperationsSummaryWidgetTest.php
View File

@ -1,27 +0,0 @@
<?php
declare(strict_types=1);
use App\Filament\Widgets\Tenant\RecentOperationsSummary;
use App\Models\OperationRun;
use Livewire\Livewire;
it('renders recent operations from the record tenant in admin panel context', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$this->actingAs($user);
OperationRun::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'type' => 'provider.connection.check',
'status' => 'completed',
'outcome' => 'success',
]);
Livewire::actingAs($user)
->test(RecentOperationsSummary::class, ['record' => $tenant])
->assertSee('Recent operations')
->assertSee('Provider connection check')
->assertDontSee('No operations yet.');
});

149
tests/Feature/Filament/TenantSetupTest.php
View File

@ -2,25 +2,57 @@
use App\Filament\Resources\TenantResource\Pages\CreateTenant;
use App\Filament\Resources\TenantResource\Pages\ViewTenant;
use App\Models\OperationRun;
use App\Models\ProviderConnection;
use App\Models\ProviderCredential;
use App\Models\Tenant;
use App\Models\TenantPermission;
use App\Models\User;
use App\Support\OperationRunLinks;
use App\Support\Providers\ProviderReasonCodes;
use App\Support\Verification\VerificationReportSchema;
use App\Services\Graph\GraphClientInterface;
use App\Services\Graph\GraphResponse;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Queue;
use Livewire\Livewire;
uses(RefreshDatabase::class);
test('tenant can be created via filament and verification start enqueues an operation run', function () {
Queue::fake();
bindFailHardGraphClient();
test('tenant can be created via filament and verified successfully', function () {
app()->bind(GraphClientInterface::class, fn () => new class implements GraphClientInterface
{
public function listPolicies(string $policyType, array $options = []): GraphResponse
{
return new GraphResponse(true, []);
}
public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse
{
return new GraphResponse(true, []);
}
public function getOrganization(array $options = []): GraphResponse
{
return new GraphResponse(true, ['value' => [['id' => $options['tenant'] ?? 'tenant']]], 200);
}
public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse
{
return new GraphResponse(true, []);
}
public function getServicePrincipalPermissions(array $options = []): GraphResponse
{
// Return all required permissions as granted
return new GraphResponse(true, [
'permissions' => collect(config('intune_permissions.permissions', []))
->pluck('key')
->toArray(),
]);
}
public function request(string $method, string $path, array $options = []): GraphResponse
{
return new GraphResponse(true, []);
}
});
$user = User::factory()->create();
$this->actingAs($user);
@ -67,38 +99,56 @@
Livewire::test(ViewTenant::class, ['record' => $tenant->getRouteKey()])
->callAction('verify');
$run = OperationRun::query()
->where('tenant_id', (int) $tenant->getKey())
->where('type', 'provider.connection.check')
->latest('id')
->first();
$tenant->refresh();
expect($run)->not->toBeNull()
->and($run?->status)->toBe('queued')
->and($run?->outcome)->toBe('pending')
->and($run?->context['provider_connection_id'] ?? null)->toBe((int) $connection->getKey());
expect($tenant->app_status)->toBe('ok');
$notificationActionUrls = collect(session('filament.notifications', []))
->flatMap(static fn (array $notification): array => is_array($notification['actions'] ?? null)
? $notification['actions']
: [])
->pluck('url')
->filter(static fn (mixed $url): bool => is_string($url) && trim($url) !== '')
->values()
->all();
expect($notificationActionUrls)->toContain(OperationRunLinks::tenantlessView($run));
Queue::assertPushed(\App\Jobs\ProviderConnectionHealthCheckJob::class, 1);
$this->assertDatabaseMissing('audit_logs', [
$this->assertDatabaseHas('audit_logs', [
'tenant_id' => $tenant->id,
'action' => 'tenant.config.verified',
'status' => 'success',
]);
$this->assertDatabaseHas('tenant_permissions', [
'tenant_id' => $tenant->id,
'status' => 'granted',
]);
});
test('verify configuration creates a blocked run when default connection credentials are missing', function () {
Queue::fake();
test('verify configuration records error when graph fails', function () {
app()->bind(GraphClientInterface::class, fn () => new class implements GraphClientInterface
{
public function listPolicies(string $policyType, array $options = []): GraphResponse
{
return new GraphResponse(true, []);
}
public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse
{
return new GraphResponse(true, []);
}
public function getOrganization(array $options = []): GraphResponse
{
return new GraphResponse(false, [], 401, ['auth failed']);
}
public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse
{
return new GraphResponse(true, []);
}
public function getServicePrincipalPermissions(array $options = []): GraphResponse
{
// Return error for permissions check
return new GraphResponse(false, [], 403, ['Permission denied']);
}
public function request(string $method, string $path, array $options = []): GraphResponse
{
return new GraphResponse(true, []);
}
});
$user = User::factory()->create();
@ -118,26 +168,35 @@
'provider' => 'microsoft',
'entra_tenant_id' => (string) $tenant->tenant_id,
'is_default' => true,
'status' => 'connected',
'status' => 'enabled',
]);
ProviderCredential::factory()->create([
'provider_connection_id' => (int) $connection->getKey(),
'type' => 'client_secret',
'payload' => [
'client_id' => 'client-id',
'client_secret' => 'client-secret',
],
]);
Livewire::test(ViewTenant::class, ['record' => $tenant->getRouteKey()])
->callAction('verify');
$run = OperationRun::query()
->where('tenant_id', (int) $tenant->getKey())
->where('type', 'provider.connection.check')
->latest('id')
->first();
$tenant->refresh();
expect($run)->not->toBeNull()
->and($run?->outcome)->toBe('blocked')
->and($run?->context['provider_connection_id'] ?? null)->toBe((int) $connection->getKey())
->and($run?->context['reason_code'] ?? null)->toBe(ProviderReasonCodes::ProviderCredentialMissing);
expect($tenant->app_status)->toBe('error');
expect(VerificationReportSchema::isValidReport($run?->context['verification_report'] ?? []))->toBeTrue();
$this->assertDatabaseHas('audit_logs', [
'tenant_id' => $tenant->id,
'action' => 'tenant.config.verified',
'status' => 'error',
]);
Queue::assertNothingPushed();
$this->assertDatabaseHas('tenant_permissions', [
'tenant_id' => $tenant->id,
'status' => 'error',
]);
});
test('tenant detail shows required permissions with statuses', function () {

244
tests/Feature/Filament/TenantVerificationReportWidgetTest.php
View File

@ -1,244 +0,0 @@
<?php
declare(strict_types=1);
use App\Filament\Resources\TenantResource\Pages\ListTenants;
use App\Filament\Resources\TenantResource\Pages\ViewTenant;
use App\Filament\Widgets\Tenant\TenantVerificationReport;
use App\Jobs\ProviderConnectionHealthCheckJob;
use App\Models\OperationRun;
use App\Models\ProviderConnection;
use App\Models\ProviderCredential;
use App\Services\Intune\RbacHealthService;
use App\Services\Intune\TenantConfigService;
use App\Services\Intune\TenantPermissionService;
use App\Support\OperationRunLinks;
use App\Support\Verification\VerificationReportWriter;
use Filament\Facades\Filament;
use Illuminate\Support\Facades\Queue;
use Livewire\Livewire;
it('starts tenant verification from header action and links to the canonical run viewer', function (): void {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'operator');
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
$connection = ProviderConnection::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'provider' => 'microsoft',
'entra_tenant_id' => (string) $tenant->tenant_id,
'is_default' => true,
'status' => 'connected',
]);
ProviderCredential::factory()->create([
'provider_connection_id' => (int) $connection->getKey(),
'type' => 'client_secret',
'payload' => [
'client_id' => 'client-id',
'client_secret' => 'client-secret',
],
]);
Livewire::test(ViewTenant::class, ['record' => $tenant->getRouteKey()])
->callAction('verify');
$run = OperationRun::query()
->where('tenant_id', (int) $tenant->getKey())
->where('type', 'provider.connection.check')
->latest('id')
->first();
expect($run)->not->toBeNull();
$notifications = collect(session('filament.notifications', []));
expect($notifications)->not->toBeEmpty();
$last = $notifications->last();
$actionUrls = collect($last['actions'] ?? [])->pluck('url')->filter()->values()->all();
expect($actionUrls)->toContain(OperationRunLinks::tenantlessView($run));
Queue::assertPushed(ProviderConnectionHealthCheckJob::class, function (ProviderConnectionHealthCheckJob $job) use ($run, $connection): bool {
return (int) $job->providerConnectionId === (int) $connection->getKey()
&& (int) ($job->operationRun?->getKey() ?? 0) === (int) ($run?->getKey() ?? 0);
});
});
it('renders the tenant verification widget from stored run context only', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
Filament::setTenant($tenant, true);
$report = VerificationReportWriter::build('provider.connection.check', [
[
'key' => 'provider.connection.check',
'title' => 'Provider connection preflight',
'status' => 'fail',
'severity' => 'critical',
'blocking' => true,
'reason_code' => 'provider_connection_missing',
'message' => 'No provider connection configured.',
'evidence' => [],
'next_steps' => [],
],
]);
OperationRun::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'type' => 'provider.connection.check',
'status' => 'completed',
'outcome' => 'blocked',
'context' => [
'target_scope' => [
'entra_tenant_id' => (string) $tenant->tenant_id,
],
'verification_report' => $report,
],
]);
bindFailHardGraphClient();
assertNoOutboundHttp(function () use ($user): void {
Livewire::actingAs($user)
->test(TenantVerificationReport::class)
->assertSee('Provider connection preflight')
->assertSee('Read-only:')
->assertSee('Insufficient permission — ask a tenant Owner.');
});
});
it('renders tenant detail without invoking synchronous verification or permission persistence services', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
Filament::setTenant($tenant, true);
$this->mock(TenantConfigService::class, function ($mock): void {
$mock->shouldReceive('testConnectivity')->never();
});
$this->mock(TenantPermissionService::class, function ($mock): void {
$mock->shouldReceive('compare')->never();
});
$this->mock(RbacHealthService::class, function ($mock): void {
$mock->shouldReceive('check')->never();
});
bindFailHardGraphClient();
assertNoOutboundHttp(function () use ($user, $tenant): void {
$this->actingAs($user)
->get(route('filament.admin.resources.tenants.view', array_merge(
filamentTenantRouteParams($tenant),
['record' => $tenant]
)))
->assertOk()
->assertSee('Verification report');
});
});
it('starts verification from the embedded widget CTA and uses canonical view-run links', function (): void {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'operator');
$this->actingAs($user);
$connection = ProviderConnection::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'provider' => 'microsoft',
'entra_tenant_id' => (string) $tenant->tenant_id,
'is_default' => true,
'status' => 'connected',
]);
ProviderCredential::factory()->create([
'provider_connection_id' => (int) $connection->getKey(),
'type' => 'client_secret',
'payload' => [
'client_id' => 'client-id',
'client_secret' => 'client-secret',
],
]);
Livewire::test(TenantVerificationReport::class, ['record' => $tenant])
->assertSee('No verification run has been started yet.')
->call('startVerification');
$run = OperationRun::query()
->where('tenant_id', (int) $tenant->getKey())
->where('type', 'provider.connection.check')
->latest('id')
->first();
expect($run)->not->toBeNull();
$notifications = collect(session('filament.notifications', []));
expect($notifications)->not->toBeEmpty();
$last = $notifications->last();
$actionUrls = collect($last['actions'] ?? [])->pluck('url')->filter()->values()->all();
expect($actionUrls)->toContain(OperationRunLinks::tenantlessView($run));
Queue::assertPushed(ProviderConnectionHealthCheckJob::class, 1);
});
it('starts tenant verification from the tenant list row action via the unified run path', function (): void {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'operator');
$this->actingAs($user);
Filament::setTenant($tenant, true);
$connection = ProviderConnection::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'provider' => 'microsoft',
'entra_tenant_id' => (string) $tenant->tenant_id,
'is_default' => true,
'status' => 'connected',
]);
ProviderCredential::factory()->create([
'provider_connection_id' => (int) $connection->getKey(),
'type' => 'client_secret',
'payload' => [
'client_id' => 'client-id',
'client_secret' => 'client-secret',
],
]);
Livewire::test(ListTenants::class)
->callTableAction('verify', $tenant);
$run = OperationRun::query()
->where('tenant_id', (int) $tenant->getKey())
->where('type', 'provider.connection.check')
->latest('id')
->first();
expect($run)->not->toBeNull()
->and($run?->context['surface']['kind'] ?? null)->toBe('tenant_list_row');
$notificationActionUrls = collect(session('filament.notifications', []))
->flatMap(static fn (array $notification): array => is_array($notification['actions'] ?? null)
? $notification['actions']
: [])
->pluck('url')
->filter(static fn (mixed $url): bool => is_string($url) && trim($url) !== '')
->values()
->all();
expect($notificationActionUrls)->toContain(OperationRunLinks::tenantlessView($run));
Queue::assertPushed(ProviderConnectionHealthCheckJob::class, 1);
});

95
tests/Feature/Onboarding/OnboardingVerificationTest.php
View File

@ -3,15 +3,14 @@
declare(strict_types=1);
use App\Filament\Pages\Workspaces\ManagedTenantOnboardingWizard;
use App\Jobs\ProviderConnectionHealthCheckJob;
use App\Models\OperationRun;
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\TenantOnboardingSession;
use App\Models\User;
use App\Models\ProviderConnection;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Support\OperationRunLinks;
use App\Support\Verification\VerificationReportSchema;
use App\Support\Verification\VerificationReportWriter;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Support\Facades\Queue;
@ -48,15 +47,13 @@
'is_default' => true,
]);
$component->call('startVerification');
$component->call('startVerification');
Queue::assertPushed(ProviderConnectionHealthCheckJob::class, 1);
$tenant = Tenant::query()->where('tenant_id', $entraTenantId)->firstOrFail();
ProviderConnection::query()
->where('tenant_id', (int) $tenant->getKey())
->update(['status' => 'connected']);
$component->call('startVerification');
$component->call('startVerification');
expect(OperationRun::query()
->where('tenant_id', (int) $tenant->getKey())
->where('type', 'provider.connection.check')
@ -67,17 +64,6 @@
->where('type', 'provider.connection.check')
->value('id');
$notificationActionUrls = collect(session('filament.notifications', []))
->flatMap(static fn (array $notification): array => is_array($notification['actions'] ?? null)
? $notification['actions']
: [])
->pluck('url')
->filter(static fn (mixed $url): bool => is_string($url) && trim($url) !== '')
->values()
->all();
expect($notificationActionUrls)->toContain(OperationRunLinks::tenantlessView($runId));
$session = TenantOnboardingSession::query()
->where('workspace_id', (int) $workspace->getKey())
->where('entra_tenant_id', $entraTenantId)
@ -87,73 +73,6 @@
expect($session->state['verification_operation_run_id'] ?? null)->toBe($runId);
});
it('stores a blocked verification report and canonical link when onboarding verification cannot proceed', function (): void {
Queue::fake();
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$entraTenantId = '72727272-7272-7272-7272-727272727272';
$component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class);
$component->call('identifyManagedTenant', [
'entra_tenant_id' => $entraTenantId,
'environment' => 'prod',
'name' => 'Blocked Tenant',
]);
$tenant = Tenant::query()->where('tenant_id', $entraTenantId)->firstOrFail();
$connection = ProviderConnection::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => $entraTenantId,
'display_name' => 'Blocked connection',
'is_default' => true,
'status' => 'connected',
]);
$component->call('selectProviderConnection', (int) $connection->getKey());
$component->call('startVerification');
$run = OperationRun::query()
->where('tenant_id', (int) $tenant->getKey())
->where('type', 'provider.connection.check')
->latest('id')
->first();
expect($run)->not->toBeNull()
->and($run?->outcome)->toBe('blocked');
$report = $run?->context['verification_report'] ?? null;
expect($report)->toBeArray();
expect(VerificationReportSchema::isValidReport($report))->toBeTrue();
$notificationActionUrls = collect(session('filament.notifications', []))
->flatMap(static fn (array $notification): array => is_array($notification['actions'] ?? null)
? $notification['actions']
: [])
->pluck('url')
->filter(static fn (mixed $url): bool => is_string($url) && trim($url) !== '')
->values()
->all();
expect($notificationActionUrls)->toContain(OperationRunLinks::tenantlessView((int) $run?->getKey()));
Queue::assertNothingPushed();
});
it('renders stored verification findings in the wizard report section', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();

10
tests/Feature/ProviderConnections/ProviderConnectionCutoverSpec081Test.php
View File

@ -9,7 +9,6 @@
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\Providers\ProviderReasonCodes;
use App\Support\Verification\VerificationReportSchema;
use Illuminate\Support\Facades\DB;
it('Spec081 blocks provider operation starts when default connection is missing', function (): void {
@ -30,8 +29,7 @@
->and($result->run->status)->toBe(OperationRunStatus::Completed->value)
->and($result->run->outcome)->toBe(OperationRunOutcome::Blocked->value)
->and($result->run->context['reason_code'] ?? null)->toBe(ProviderReasonCodes::ProviderConnectionMissing)
->and($result->run->context['next_steps'] ?? [])->not->toBeEmpty()
->and(VerificationReportSchema::isValidReport($result->run->context['verification_report'] ?? []))->toBeTrue();
->and($result->run->context['next_steps'] ?? [])->not->toBeEmpty();
});
it('Spec081 blocks provider operation starts when default connection has no credential', function (): void {
@ -54,8 +52,7 @@
expect($result->status)->toBe('blocked')
->and($result->run->context['provider_connection_id'] ?? null)->toBe((int) $connection->getKey())
->and($result->run->context['reason_code'] ?? null)->toBe(ProviderReasonCodes::ProviderCredentialMissing)
->and($result->run->outcome)->toBe(OperationRunOutcome::Blocked->value)
->and(VerificationReportSchema::isValidReport($result->run->context['verification_report'] ?? []))->toBeTrue();
->and($result->run->outcome)->toBe(OperationRunOutcome::Blocked->value);
});
it('Spec081 returns deterministic invalid reason when data corruption creates multiple defaults', function (): void {
@ -93,6 +90,5 @@
expect($result->status)->toBe('blocked')
->and($result->run->context['reason_code'] ?? null)->toBe(ProviderReasonCodes::ProviderConnectionInvalid)
->and($result->run->context['reason_code_extension'] ?? null)->toBe('ext.multiple_defaults_detected')
->and($result->run->outcome)->toBe(OperationRunOutcome::Blocked->value)
->and(VerificationReportSchema::isValidReport($result->run->context['verification_report'] ?? []))->toBeTrue();
->and($result->run->outcome)->toBe(OperationRunOutcome::Blocked->value);
});

19
tests/Feature/ProviderConnections/ProviderOperationBlockedGuidanceSpec081Test.php
View File

@ -8,7 +8,6 @@
use App\Models\OperationRun;
use App\Models\ProviderConnection;
use App\Support\Providers\ProviderReasonCodes;
use App\Support\Verification\VerificationReportSchema;
use Filament\Facades\Filament;
use Illuminate\Support\Facades\Queue;
use Livewire\Livewire;
@ -42,10 +41,6 @@
->and($run?->outcome)->toBe('blocked')
->and($run?->context['reason_code'] ?? null)->toBe(ProviderReasonCodes::ProviderCredentialMissing);
$report = $run?->context['verification_report'] ?? null;
expect($report)->toBeArray();
expect(VerificationReportSchema::isValidReport($report))->toBeTrue();
$notifications = collect(session('filament.notifications', []));
expect($notifications)->not->toBeEmpty();
@ -69,20 +64,6 @@
Livewire::test(ViewTenant::class, ['record' => $tenant->getRouteKey()])
->callAction('verify');
$run = OperationRun::query()
->where('tenant_id', (int) $tenant->getKey())
->where('type', 'provider.connection.check')
->latest('id')
->first();
expect($run)->not->toBeNull()
->and($run?->outcome)->toBe('blocked')
->and($run?->context['reason_code'] ?? null)->toBe(ProviderReasonCodes::ProviderConnectionMissing);
$report = $run?->context['verification_report'] ?? null;
expect($report)->toBeArray();
expect(VerificationReportSchema::isValidReport($report))->toBeTrue();
$notifications = collect(session('filament.notifications', []));
expect($notifications)->not->toBeEmpty();

29
tests/Feature/RunAuthorizationTenantIsolationTest.php
View File

@ -109,32 +109,3 @@
->assertOk()
->assertSee('Operation run');
});
test('tenant-associated run viewer requires tenant entitlement even for workspace members', function (): void {
$workspace = Workspace::factory()->create();
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'status' => 'active',
]);
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $workspace->getKey(),
'type' => 'provider.connection.check',
'status' => 'queued',
'outcome' => 'pending',
]);
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
]);
$this->actingAs($user)
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
->assertNotFound();
});

43
tests/Feature/Verification/BlockedVerificationReportStubTest.php
View File

@ -1,43 +0,0 @@
<?php
declare(strict_types=1);
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Services\Providers\ProviderOperationStartGate;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\Verification\VerificationReportSchema;
it('stores a schema-valid blocked verification report stub for blocked provider connection checks', function (): void {
$tenant = Tenant::factory()->create();
$result = app(ProviderOperationStartGate::class)->start(
tenant: $tenant,
connection: null,
operationType: 'provider.connection.check',
dispatcher: static function (): void {},
);
/** @var OperationRun $run */
$run = $result->run->refresh();
$context = is_array($run->context ?? null) ? $run->context : [];
$report = $context['verification_report'] ?? null;
expect($result->status)->toBe('blocked')
->and($run->status)->toBe(OperationRunStatus::Completed->value)
->and($run->outcome)->toBe(OperationRunOutcome::Blocked->value)
->and($report)->toBeArray();
/** @var array<string, mixed> $report */
expect(VerificationReportSchema::isValidReport($report))->toBeTrue();
$checks = $report['checks'] ?? null;
$checks = is_array($checks) ? $checks : [];
expect($checks)->toHaveCount(1)
->and($checks[0]['key'] ?? null)->toBe('provider.connection.check')
->and($checks[0]['reason_code'] ?? null)->toBe($context['reason_code'] ?? null)
->and($checks[0]['next_steps'] ?? null)->toBe($context['next_steps'] ?? null);
});

46
tests/Feature/Verification/VerificationStartDedupeTest.php
View File

@ -56,49 +56,3 @@
Queue::assertPushed(ProviderConnectionHealthCheckJob::class, 1);
});
it('dedupes tenant-default verification starts while a run is active', function (): void {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'operator');
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
$connection = ProviderConnection::factory()->create([
'tenant_id' => $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => fake()->uuid(),
'status' => 'connected',
'is_default' => true,
]);
ProviderCredential::factory()->create([
'provider_connection_id' => (int) $connection->getKey(),
]);
$starter = app(StartVerification::class);
$first = $starter->providerConnectionCheckForTenant(
tenant: $tenant,
initiator: $user,
extraContext: ['surface' => ['kind' => 'tenant_view_header']],
);
$second = $starter->providerConnectionCheckForTenant(
tenant: $tenant,
initiator: $user,
extraContext: ['surface' => ['kind' => 'tenant_view_header']],
);
expect($first->run->getKey())->toBe($second->run->getKey());
expect($first->status)->toBe('started');
expect($second->status)->toBe('deduped');
expect(OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', 'provider.connection.check')
->count())->toBe(1);
Queue::assertPushed(ProviderConnectionHealthCheckJob::class, 1);
});

3
tests/Unit/Providers/ProviderOperationStartGateTest.php
View File

@ -8,7 +8,6 @@
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\Providers\ProviderReasonCodes;
use App\Support\Verification\VerificationReportSchema;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
@ -154,6 +153,4 @@
expect($result->run->outcome)->toBe(OperationRunOutcome::Blocked->value);
expect($result->run->context['reason_code'] ?? null)->toBe(ProviderReasonCodes::ProviderConnectionMissing);
expect($result->run->context['next_steps'] ?? [])->not->toBeEmpty();
expect($result->run->context['verification_report'] ?? null)->toBeArray();
expect(VerificationReportSchema::isValidReport($result->run->context['verification_report'] ?? []))->toBeTrue();
});