Spec 076: Tenant Required Permissions (enterprise remediation UX) (#92)

Implements Spec 076 enterprise remediation UX for tenant required permissions.

Highlights
- Above-the-fold overview (impact + counts) with missing-first experience
- Feature-based grouping, filters/search, copy-to-clipboard for missing app/delegated permissions
- Tenant-scoped deny-as-not-found semantics; DB-only viewing
- Centralized badge semantics (no ad-hoc status mapping)

Testing
- Feature tests for default filters, grouping, copy output, and non-member 404 behavior.

Integration
- Adds deep links from verification checks to the Required permissions page.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #92

.dockerignore

@@ -1,5 +1,6 @@
 node_modules/
 vendor/
+coverage/
 .git/
 .DS_Store
 Thumbs.db

.github/agents/copilot-instructions.md

@@ -12,6 +12,10 @@ ## Active Technologies
 - PostgreSQL (JSONB for `InventoryItem.meta_jsonb`) (feat/047-inventory-foundations-nodes)
 - PostgreSQL (JSONB in `operation_runs.context`, `operation_runs.summary_counts`) (056-remove-legacy-bulkops)
 - PHP 8.4.15 (Laravel 12.47.0) + Filament v5.0.0, Livewire v4.0.1 (058-tenant-ui-polish)
+- PHP 8.4 (per repo guidelines) + Laravel 12, Filament v5, Livewire v4 (067-rbac-troubleshooting)
+- PostgreSQL (via Laravel Sail) (067-rbac-troubleshooting)
+- PHP 8.4.x (Composer constraint: `^8.2`) + Laravel 12, Filament 5, Livewire 4+, Pest 4, Sail 1.x (073-unified-managed-tenant-onboarding-wizard)
+- PostgreSQL (Sail) + SQLite in tests where applicable (073-unified-managed-tenant-onboarding-wizard)
 
 - PHP 8.4.15 (feat/005-bulk-operations)
 
@@ -31,9 +35,9 @@ ## Code Style
 PHP 8.4.15: Follow standard conventions
 
 ## Recent Changes
+- 073-unified-managed-tenant-onboarding-wizard: Added PHP 8.4.x (Composer constraint: `^8.2`) + Laravel 12, Filament 5, Livewire 4+, Pest 4, Sail 1.x
+- 067-rbac-troubleshooting: Added PHP 8.4 (per repo guidelines) + Laravel 12, Filament v5, Livewire v4
 - 058-tenant-ui-polish: Added PHP 8.4.15 (Laravel 12.47.0) + Filament v5.0.0, Livewire v4.0.1
-- 058-tenant-ui-polish: Added [if applicable, e.g., PostgreSQL, CoreData, files or N/A]
-- 056-remove-legacy-bulkops: Added PHP 8.4.x + Laravel 12, Filament v4, Livewire v3
 
 
 <!-- MANUAL ADDITIONS START -->

app/Console/Commands/SyncPolicies.php

@@ -34,6 +34,6 @@ private function resolveTenant(): Tenant
                 ->firstOrFail();
         }
 
-        return Tenant::current();
+        return Tenant::currentOrFail();
     }
 }

app/Console/Commands/TenantpilotPurgeNonPersistentData.php

@@ -138,7 +138,7 @@ private function resolveTenants()
         }
 
         try {
-            return collect([Tenant::current()]);
+            return collect([Tenant::currentOrFail()]);
         } catch (RuntimeException) {
             return collect();
         }

app/Filament/Pages/ChooseWorkspace.php

@@ -0,0 +1,172 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Pages;
+
+use App\Models\User;
+use App\Models\Workspace;
+use App\Models\WorkspaceMembership;
+use App\Support\Workspaces\WorkspaceContext;
+use Filament\Actions\Action;
+use Filament\Forms\Components\TextInput;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Illuminate\Database\Eloquent\Collection;
+
+class ChooseWorkspace extends Page
+{
+    protected static string $layout = 'filament-panels::components.layout.simple';
+
+    protected static bool $shouldRegisterNavigation = false;
+
+    protected static bool $isDiscovered = false;
+
+    protected static ?string $slug = 'choose-workspace';
+
+    protected static ?string $title = 'Choose workspace';
+
+    protected string $view = 'filament.pages.choose-workspace';
+
+    /**
+     * @return array<Action>
+     */
+    protected function getHeaderActions(): array
+    {
+        return [
+            Action::make('createWorkspace')
+                ->label('Create workspace')
+                ->modalHeading('Create workspace')
+                ->form([
+                    TextInput::make('name')
+                        ->required()
+                        ->maxLength(255),
+                    TextInput::make('slug')
+                        ->helperText('Optional. Used in URLs if set.')
+                        ->maxLength(255)
+                        ->rules(['nullable', 'string', 'max:255', 'alpha_dash', 'unique:workspaces,slug'])
+                        ->dehydrateStateUsing(fn ($state) => filled($state) ? $state : null)
+                        ->dehydrated(fn ($state) => filled($state)),
+                ])
+                ->action(fn (array $data) => $this->createWorkspace($data)),
+        ];
+    }
+
+    /**
+     * @return Collection<int, Workspace>
+     */
+    public function getWorkspaces(): Collection
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            return Workspace::query()->whereRaw('1 = 0')->get();
+        }
+
+        return Workspace::query()
+            ->whereIn('id', function ($query) use ($user): void {
+                $query->from('workspace_memberships')
+                    ->select('workspace_id')
+                    ->where('user_id', $user->getKey());
+            })
+            ->whereNull('archived_at')
+            ->orderBy('name')
+            ->get();
+    }
+
+    public function selectWorkspace(int $workspaceId): void
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            abort(403);
+        }
+
+        $workspace = Workspace::query()->whereKey($workspaceId)->first();
+
+        if (! $workspace instanceof Workspace) {
+            abort(404);
+        }
+
+        if (! empty($workspace->archived_at)) {
+            abort(404);
+        }
+
+        $context = app(WorkspaceContext::class);
+
+        if (! $context->isMember($user, $workspace)) {
+            abort(404);
+        }
+
+        $context->setCurrentWorkspace($workspace, $user, request());
+
+        $this->redirect($this->redirectAfterWorkspaceSelected($user));
+    }
+
+    /**
+     * @param  array{name: string, slug?: string|null}  $data
+     */
+    public function createWorkspace(array $data): void
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            abort(403);
+        }
+
+        $workspace = Workspace::query()->create([
+            'name' => $data['name'],
+            'slug' => $data['slug'] ?? null,
+        ]);
+
+        WorkspaceMembership::query()->create([
+            'workspace_id' => $workspace->getKey(),
+            'user_id' => $user->getKey(),
+            'role' => 'owner',
+        ]);
+
+        app(WorkspaceContext::class)->setCurrentWorkspace($workspace, $user, request());
+
+        Notification::make()
+            ->title('Workspace created')
+            ->success()
+            ->send();
+
+        $this->redirect($this->redirectAfterWorkspaceSelected($user));
+    }
+
+    private function redirectAfterWorkspaceSelected(User $user): string
+    {
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
+
+        if ($workspaceId === null) {
+            return self::getUrl();
+        }
+
+        $workspace = Workspace::query()->whereKey($workspaceId)->first();
+
+        if (! $workspace instanceof Workspace) {
+            return self::getUrl();
+        }
+
+        $tenantsQuery = $user->tenants()
+            ->where('workspace_id', $workspace->getKey())
+            ->where('status', 'active');
+
+        $tenantCount = (int) $tenantsQuery->count();
+
+        if ($tenantCount === 0) {
+            return route('admin.workspace.managed-tenants.index', ['workspace' => $workspace->slug ?? $workspace->getKey()]);
+        }
+
+        if ($tenantCount === 1) {
+            $tenant = $tenantsQuery->first();
+
+            if ($tenant !== null) {
+                return TenantDashboard::getUrl(tenant: $tenant);
+            }
+        }
+
+        return ChooseTenant::getUrl();
+    }
+}

app/Filament/Pages/NoAccess.php

@@ -4,6 +4,13 @@
 
 namespace App\Filament\Pages;
 
+use App\Models\User;
+use App\Models\Workspace;
+use App\Models\WorkspaceMembership;
+use App\Support\Workspaces\WorkspaceContext;
+use Filament\Actions\Action;
+use Filament\Forms\Components\TextInput;
+use Filament\Notifications\Notification;
 use Filament\Pages\Page;
 
 class NoAccess extends Page
@@ -19,4 +26,60 @@ class NoAccess extends Page
     protected static ?string $title = 'No access';
 
     protected string $view = 'filament.pages.no-access';
+
+    /**
+     * @return array<Action>
+     */
+    protected function getHeaderActions(): array
+    {
+        return [
+            Action::make('createWorkspace')
+                ->label('Create workspace')
+                ->modalHeading('Create workspace')
+                ->form([
+                    TextInput::make('name')
+                        ->required()
+                        ->maxLength(255),
+                    TextInput::make('slug')
+                        ->helperText('Optional. Used in URLs if set.')
+                        ->maxLength(255)
+                        ->rules(['nullable', 'string', 'max:255', 'alpha_dash', 'unique:workspaces,slug'])
+                        ->dehydrateStateUsing(fn ($state) => filled($state) ? $state : null)
+                        ->dehydrated(fn ($state) => filled($state)),
+                ])
+                ->action(fn (array $data) => $this->createWorkspace($data)),
+        ];
+    }
+
+    /**
+     * @param  array{name: string, slug?: string|null}  $data
+     */
+    public function createWorkspace(array $data): void
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            abort(403);
+        }
+
+        $workspace = Workspace::query()->create([
+            'name' => $data['name'],
+            'slug' => $data['slug'] ?? null,
+        ]);
+
+        WorkspaceMembership::query()->create([
+            'workspace_id' => $workspace->getKey(),
+            'user_id' => $user->getKey(),
+            'role' => 'owner',
+        ]);
+
+        app(WorkspaceContext::class)->setCurrentWorkspace($workspace, $user, request());
+
+        Notification::make()
+            ->title('Workspace created')
+            ->success()
+            ->send();
+
+        $this->redirect(ChooseTenant::getUrl());
+    }
 }

app/Filament/Pages/Operations/TenantlessOperationRunViewer.php

@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Pages\Operations;
+
+use App\Models\OperationRun;
+use App\Models\User;
+use App\Models\WorkspaceMembership;
+use Filament\Actions\Action;
+use Filament\Pages\Page;
+
+class TenantlessOperationRunViewer extends Page
+{
+    protected static string $layout = 'filament-panels::components.layout.simple';
+
+    protected static bool $shouldRegisterNavigation = false;
+
+    protected static bool $isDiscovered = false;
+
+    protected static ?string $title = 'Operation run';
+
+    protected string $view = 'filament.pages.operations.tenantless-operation-run-viewer';
+
+    public OperationRun $run;
+
+    /**
+     * @return array<Action>
+     */
+    protected function getHeaderActions(): array
+    {
+        return [
+            Action::make('refresh')
+                ->label('Refresh')
+                ->icon('heroicon-o-arrow-path')
+                ->color('gray')
+                ->url(fn (): string => url()->current()),
+        ];
+    }
+
+    public function mount(OperationRun $run): void
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            abort(403);
+        }
+
+        $workspaceId = (int) ($run->workspace_id ?? 0);
+
+        if ($workspaceId <= 0) {
+            abort(404);
+        }
+
+        $isMember = WorkspaceMembership::query()
+            ->where('workspace_id', $workspaceId)
+            ->where('user_id', (int) $user->getKey())
+            ->exists();
+
+        if (! $isMember) {
+            abort(404);
+        }
+
+        $this->run = $run->loadMissing(['workspace', 'tenant', 'user']);
+    }
+}

app/Filament/Pages/Tenancy/RegisterTenant.php

@@ -4,9 +4,11 @@
 
 use App\Models\Tenant;
 use App\Models\User;
+use App\Models\WorkspaceMembership;
 use App\Services\Auth\CapabilityResolver;
 use App\Services\Intune\AuditLogger;
 use App\Support\Auth\Capabilities;
+use App\Support\Workspaces\WorkspaceContext;
 use Filament\Forms;
 use Filament\Pages\Tenancy\RegisterTenant as BaseRegisterTenant;
 use Filament\Schemas\Schema;
@@ -27,6 +29,20 @@ public static function canView(): bool
             return false;
         }
 
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
+
+        if ($workspaceId !== null) {
+            $canRegisterInWorkspace = WorkspaceMembership::query()
+                ->where('workspace_id', $workspaceId)
+                ->where('user_id', $user->getKey())
+                ->whereIn('role', ['owner', 'manager'])
+                ->exists();
+
+            if ($canRegisterInWorkspace) {
+                return true;
+            }
+        }
+
         $tenantIds = $user->tenants()->withTrashed()->pluck('tenants.id');
 
         if ($tenantIds->isEmpty()) {
@@ -95,6 +111,12 @@ protected function handleRegistration(array $data): Model
             abort(403);
         }
 
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
+
+        if ($workspaceId !== null) {
+            $data['workspace_id'] = $workspaceId;
+        }
+
         $tenant = Tenant::create($data);
 
         $user = auth()->user();

app/Filament/Pages/TenantDiagnostics.php

@@ -0,0 +1,108 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Pages;
+
+use App\Models\Tenant;
+use App\Models\TenantMembership;
+use App\Models\User;
+use App\Services\Auth\TenantDiagnosticsService;
+use App\Services\Auth\TenantMembershipManager;
+use App\Support\Auth\Capabilities;
+use App\Support\Rbac\UiEnforcement;
+use App\Support\Rbac\UiTooltips;
+use Filament\Actions\Action;
+use Filament\Pages\Page;
+
+class TenantDiagnostics extends Page
+{
+    protected static bool $shouldRegisterNavigation = false;
+
+    protected static ?string $slug = 'diagnostics';
+
+    protected string $view = 'filament.pages.tenant-diagnostics';
+
+    public bool $missingOwner = false;
+
+    public bool $hasDuplicateMembershipsForCurrentUser = false;
+
+    public function mount(): void
+    {
+        $tenant = Tenant::current();
+        $tenantId = (int) $tenant->getKey();
+
+        $this->missingOwner = ! TenantMembership::query()
+            ->where('tenant_id', $tenantId)
+            ->where('role', 'owner')
+            ->exists();
+
+        $user = auth()->user();
+        if (! $user instanceof User) {
+            abort(403, 'Not allowed');
+        }
+
+        $this->hasDuplicateMembershipsForCurrentUser = app(TenantDiagnosticsService::class)
+            ->userHasDuplicateMemberships($tenant, $user);
+    }
+
+    /**
+     * @return array<Action>
+     */
+    protected function getHeaderActions(): array
+    {
+        return [
+            UiEnforcement::forAction(
+                Action::make('bootstrapOwner')
+                    ->label('Bootstrap owner')
+                    ->requiresConfirmation()
+                    ->action(fn () => $this->bootstrapOwner()),
+            )
+                ->requireCapability(Capabilities::TENANT_MANAGE)
+                ->destructive()
+                ->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
+                ->apply()
+                ->visible(fn (): bool => $this->missingOwner),
+
+            UiEnforcement::forAction(
+                Action::make('mergeDuplicateMemberships')
+                    ->label('Merge duplicate memberships')
+                    ->requiresConfirmation()
+                    ->action(fn () => $this->mergeDuplicateMemberships()),
+            )
+                ->requireCapability(Capabilities::TENANT_MANAGE)
+                ->destructive()
+                ->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
+                ->apply()
+                ->visible(fn (): bool => $this->hasDuplicateMembershipsForCurrentUser),
+        ];
+    }
+
+    public function bootstrapOwner(): void
+    {
+        $tenant = Tenant::current();
+
+        $user = auth()->user();
+        if (! $user instanceof User) {
+            abort(403, 'Not allowed');
+        }
+
+        app(TenantMembershipManager::class)->bootstrapRecover($tenant, $user, $user);
+
+        $this->mount();
+    }
+
+    public function mergeDuplicateMemberships(): void
+    {
+        $tenant = Tenant::current();
+
+        $user = auth()->user();
+        if (! $user instanceof User) {
+            abort(403, 'Not allowed');
+        }
+
+        app(TenantDiagnosticsService::class)->mergeDuplicateMembershipsForUser($tenant, $user, $user);
+
+        $this->mount();
+    }
+}

app/Filament/Pages/TenantRequiredPermissions.php

@@ -0,0 +1,184 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Pages;
+
+use App\Filament\Resources\ProviderConnectionResource;
+use App\Models\ProviderConnection;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Services\Auth\CapabilityResolver;
+use App\Services\Intune\TenantRequiredPermissionsViewModelBuilder;
+use App\Support\Auth\Capabilities;
+use Filament\Pages\Page;
+
+class TenantRequiredPermissions extends Page
+{
+    protected static bool $shouldRegisterNavigation = false;
+
+    protected static ?string $slug = 'required-permissions';
+
+    protected static ?string $title = 'Required permissions';
+
+    protected string $view = 'filament.pages.tenant-required-permissions';
+
+    public string $status = 'missing';
+
+    public string $type = 'all';
+
+    /**
+     * @var array<int, string>
+     */
+    public array $features = [];
+
+    public string $search = '';
+
+    /**
+     * @var array<string, mixed>
+     */
+    public array $viewModel = [];
+
+    public static function canAccess(): bool
+    {
+        $tenant = Tenant::current();
+        $user = auth()->user();
+
+        if (! $tenant instanceof Tenant || ! $user instanceof User) {
+            return false;
+        }
+
+        /** @var CapabilityResolver $resolver */
+        $resolver = app(CapabilityResolver::class);
+
+        return $resolver->can($user, $tenant, Capabilities::TENANT_VIEW);
+    }
+
+    public function mount(): void
+    {
+        $queryFeatures = request()->query('features', $this->features);
+
+        $state = TenantRequiredPermissionsViewModelBuilder::normalizeFilterState([
+            'status' => request()->query('status', $this->status),
+            'type' => request()->query('type', $this->type),
+            'features' => is_array($queryFeatures) ? $queryFeatures : [],
+            'search' => request()->query('search', $this->search),
+        ]);
+
+        $this->status = $state['status'];
+        $this->type = $state['type'];
+        $this->features = $state['features'];
+        $this->search = $state['search'];
+
+        $this->refreshViewModel();
+    }
+
+    public function updatedStatus(): void
+    {
+        $this->refreshViewModel();
+    }
+
+    public function updatedType(): void
+    {
+        $this->refreshViewModel();
+    }
+
+    public function updatedFeatures(): void
+    {
+        $this->refreshViewModel();
+    }
+
+    public function updatedSearch(): void
+    {
+        $this->refreshViewModel();
+    }
+
+    public function applyFeatureFilter(string $feature): void
+    {
+        $feature = trim($feature);
+
+        if ($feature === '') {
+            return;
+        }
+
+        if (in_array($feature, $this->features, true)) {
+            $this->features = array_values(array_filter(
+                $this->features,
+                static fn (string $value): bool => $value !== $feature,
+            ));
+        } else {
+            $this->features[] = $feature;
+        }
+
+        $this->features = array_values(array_unique($this->features));
+
+        $this->refreshViewModel();
+    }
+
+    public function clearFeatureFilter(): void
+    {
+        $this->features = [];
+
+        $this->refreshViewModel();
+    }
+
+    public function resetFilters(): void
+    {
+        $this->status = 'missing';
+        $this->type = 'all';
+        $this->features = [];
+        $this->search = '';
+
+        $this->refreshViewModel();
+    }
+
+    private function refreshViewModel(): void
+    {
+        $tenant = Tenant::current();
+
+        if (! $tenant instanceof Tenant) {
+            $this->viewModel = [];
+
+            return;
+        }
+
+        $builder = app(TenantRequiredPermissionsViewModelBuilder::class);
+
+        $this->viewModel = $builder->build($tenant, [
+            'status' => $this->status,
+            'type' => $this->type,
+            'features' => $this->features,
+            'search' => $this->search,
+        ]);
+
+        $filters = $this->viewModel['filters'] ?? null;
+
+        if (is_array($filters)) {
+            $this->status = (string) ($filters['status'] ?? $this->status);
+            $this->type = (string) ($filters['type'] ?? $this->type);
+            $this->features = is_array($filters['features'] ?? null) ? $filters['features'] : $this->features;
+            $this->search = (string) ($filters['search'] ?? $this->search);
+        }
+    }
+
+    public function reRunVerificationUrl(): ?string
+    {
+        $tenant = Tenant::current();
+
+        if (! $tenant instanceof Tenant) {
+            return null;
+        }
+
+        $connectionId = ProviderConnection::query()
+            ->where('tenant_id', (int) $tenant->getKey())
+            ->orderByDesc('is_default')
+            ->orderByDesc('id')
+            ->value('id');
+
+        if (! is_int($connectionId)) {
+            return ProviderConnectionResource::getUrl('index', tenant: $tenant);
+        }
+
+        return ProviderConnectionResource::getUrl('edit', ['record' => $connectionId], tenant: $tenant);
+    }
+}

app/Filament/Pages/Workspaces/ManagedTenantsLanding.php

@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Pages\Workspaces;
+
+use App\Filament\Pages\ChooseTenant;
+use App\Filament\Pages\TenantDashboard;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Models\Workspace;
+use Filament\Pages\Page;
+use Illuminate\Database\Eloquent\Collection;
+
+class ManagedTenantsLanding extends Page
+{
+    protected static bool $shouldRegisterNavigation = false;
+
+    protected static bool $isDiscovered = false;
+
+    protected static ?string $title = 'Managed tenants';
+
+    protected string $view = 'filament.pages.workspaces.managed-tenants-landing';
+
+    public Workspace $workspace;
+
+    public function mount(Workspace $workspace): void
+    {
+        $this->workspace = $workspace;
+    }
+
+    /**
+     * @return Collection<int, Tenant>
+     */
+    public function getTenants(): Collection
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            return Tenant::query()->whereRaw('1 = 0')->get();
+        }
+
+        return $user->tenants()
+            ->where('workspace_id', $this->workspace->getKey())
+            ->where('status', 'active')
+            ->orderBy('name')
+            ->get();
+    }
+
+    public function goToChooseTenant(): void
+    {
+        $this->redirect(ChooseTenant::getUrl());
+    }
+
+    public function openTenant(int $tenantId): void
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            abort(403);
+        }
+
+        $tenant = Tenant::query()
+            ->where('status', 'active')
+            ->where('workspace_id', $this->workspace->getKey())
+            ->whereKey($tenantId)
+            ->first();
+
+        if (! $tenant instanceof Tenant) {
+            abort(404);
+        }
+
+        if (! $user->canAccessTenant($tenant)) {
+            abort(404);
+        }
+
+        $this->redirect(TenantDashboard::getUrl(tenant: $tenant));
+    }
+}

app/Filament/Resources/BackupScheduleResource.php

@@ -938,7 +938,7 @@ public static function table(Table $table): Table
 
     public static function getEloquentQuery(): Builder
     {
-        $tenantId = Tenant::current()->getKey();
+        $tenantId = Tenant::currentOrFail()->getKey();
 
         return parent::getEloquentQuery()
             ->where('tenant_id', $tenantId)
@@ -1054,7 +1054,7 @@ public static function ensurePolicyTypes(array $data): array
 
     public static function assignTenant(array $data): array
     {
-        $data['tenant_id'] = Tenant::current()->getKey();
+        $data['tenant_id'] = Tenant::currentOrFail()->getKey();
 
         return $data;
     }

app/Filament/Resources/BackupScheduleResource/RelationManagers/BackupScheduleRunsRelationManager.php

@@ -21,7 +21,7 @@ class BackupScheduleRunsRelationManager extends RelationManager
     public function table(Table $table): Table
     {
         return $table
-            ->modifyQueryUsing(fn (Builder $query) => $query->where('tenant_id', Tenant::current()->getKey())->with('backupSet'))
+            ->modifyQueryUsing(fn (Builder $query) => $query->where('tenant_id', Tenant::currentOrFail()->getKey())->with('backupSet'))
             ->defaultSort('scheduled_for', 'desc')
             ->columns([
                 Tables\Columns\TextColumn::make('scheduled_for')

app/Filament/Resources/OperationRunResource.php

@@ -3,11 +3,16 @@
 namespace App\Filament\Resources;
 
 use App\Filament\Resources\OperationRunResource\Pages;
+use App\Filament\Support\VerificationReportChangeIndicator;
+use App\Filament\Support\VerificationReportViewer;
 use App\Models\OperationRun;
 use App\Models\Tenant;
+use App\Models\User;
+use App\Models\VerificationCheckAcknowledgement;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
 use App\Support\OperationCatalog;
+use App\Support\OperationRunLinks;
 use App\Support\OperationRunOutcome;
 use App\Support\OperationRunStatus;
 use App\Support\OpsUx\RunDetailPolling;
@@ -136,12 +141,92 @@ public static function infolist(Schema $schema): Schema
                     ->visible(fn (OperationRun $record): bool => ! empty($record->failure_summary))
                     ->columnSpanFull(),
 
+                Section::make('Verification report')
+                    ->schema([
+                        ViewEntry::make('verification_report')
+                            ->label('')
+                            ->view('filament.components.verification-report-viewer')
+                            ->state(fn (OperationRun $record): ?array => VerificationReportViewer::report($record))
+                            ->viewData(function (OperationRun $record): array {
+                                $report = VerificationReportViewer::report($record);
+                                $fingerprint = is_array($report) ? VerificationReportViewer::fingerprint($report) : null;
+
+                                $changeIndicator = VerificationReportChangeIndicator::forRun($record);
+
+                                $previousRunUrl = null;
+
+                                if ($changeIndicator !== null) {
+                                    $tenant = Tenant::current();
+
+                                    $previousRunUrl = $tenant instanceof Tenant
+                                        ? OperationRunLinks::view($changeIndicator['previous_report_id'], $tenant)
+                                        : OperationRunLinks::tenantlessView($changeIndicator['previous_report_id']);
+                                }
+
+                                $acknowledgements = VerificationCheckAcknowledgement::query()
+                                    ->where('tenant_id', (int) ($record->tenant_id ?? 0))
+                                    ->where('workspace_id', (int) ($record->workspace_id ?? 0))
+                                    ->where('operation_run_id', (int) $record->getKey())
+                                    ->with('acknowledgedByUser')
+                                    ->get()
+                                    ->mapWithKeys(static function (VerificationCheckAcknowledgement $ack): array {
+                                        $user = $ack->acknowledgedByUser;
+
+                                        return [
+                                            (string) $ack->check_key => [
+                                                'check_key' => (string) $ack->check_key,
+                                                'ack_reason' => (string) $ack->ack_reason,
+                                                'acknowledged_at' => $ack->acknowledged_at?->toJSON(),
+                                                'expires_at' => $ack->expires_at?->toJSON(),
+                                                'acknowledged_by' => $user instanceof User
+                                                    ? [
+                                                        'id' => (int) $user->getKey(),
+                                                        'name' => (string) $user->name,
+                                                    ]
+                                                    : null,
+                                            ],
+                                        ];
+                                    })
+                                    ->all();
+
+                                return [
+                                    'run' => [
+                                        'id' => (int) $record->getKey(),
+                                        'type' => (string) $record->type,
+                                        'status' => (string) $record->status,
+                                        'outcome' => (string) $record->outcome,
+                                        'started_at' => $record->started_at?->toJSON(),
+                                        'completed_at' => $record->completed_at?->toJSON(),
+                                    ],
+                                    'fingerprint' => $fingerprint,
+                                    'changeIndicator' => $changeIndicator,
+                                    'previousRunUrl' => $previousRunUrl,
+                                    'acknowledgements' => $acknowledgements,
+                                ];
+                            })
+                            ->columnSpanFull(),
+                    ])
+                    ->visible(fn (OperationRun $record): bool => VerificationReportViewer::shouldRenderForRun($record))
+                    ->columnSpanFull(),
+
                 Section::make('Context')
                     ->schema([
                         ViewEntry::make('context')
                             ->label('')
                             ->view('filament.infolists.entries.snapshot-json')
-                            ->state(fn (OperationRun $record): array => $record->context ?? [])
+                            ->state(function (OperationRun $record): array {
+                                $context = $record->context ?? [];
+                                $context = is_array($context) ? $context : [];
+
+                                if (array_key_exists('verification_report', $context)) {
+                                    $context['verification_report'] = [
+                                        'redacted' => true,
+                                        'note' => 'Rendered in the Verification report section.',
+                                    ];
+                                }
+
+                                return $context;
+                            })
                             ->columnSpanFull(),
                     ])
                     ->columnSpanFull(),

app/Filament/Resources/PolicyResource.php

@@ -894,7 +894,7 @@ public static function table(Table $table): Table
 
     public static function getEloquentQuery(): Builder
     {
-        $tenantId = Tenant::current()->getKey();
+        $tenantId = Tenant::currentOrFail()->getKey();
 
         return parent::getEloquentQuery()
             ->when($tenantId, fn (Builder $query) => $query->where('tenant_id', $tenantId))

app/Filament/Resources/PolicyVersionResource.php

@@ -815,7 +815,7 @@ public static function table(Table $table): Table
 
     public static function getEloquentQuery(): Builder
     {
-        $tenantId = Tenant::current()->getKey();
+        $tenantId = Tenant::currentOrFail()->getKey();
 
         return parent::getEloquentQuery()
             ->when($tenantId, fn (Builder $query) => $query->where('tenant_id', $tenantId))

app/Filament/Resources/ProviderConnectionResource.php

@@ -5,7 +5,6 @@
 use App\Filament\Concerns\ScopesGlobalSearchToTenant;
 use App\Filament\Resources\ProviderConnectionResource\Pages;
 use App\Jobs\ProviderComplianceSnapshotJob;
-use App\Jobs\ProviderConnectionHealthCheckJob;
 use App\Jobs\ProviderInventorySyncJob;
 use App\Models\OperationRun;
 use App\Models\ProviderConnection;
@@ -15,11 +14,13 @@
 use App\Services\Intune\AuditLogger;
 use App\Services\Providers\CredentialManager;
 use App\Services\Providers\ProviderOperationStartGate;
+use App\Services\Verification\StartVerification;
 use App\Support\Auth\Capabilities;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
 use App\Support\OperationRunLinks;
 use App\Support\Rbac\UiEnforcement;
+use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions;
 use Filament\Forms\Components\TextInput;
@@ -99,9 +100,16 @@ public static function table(Table $table): Table
     {
         return $table
             ->modifyQueryUsing(function (Builder $query): Builder {
+                $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
                 $tenantId = Tenant::current()?->getKey();
 
-                return $query->when($tenantId, fn (Builder $q) => $q->where('tenant_id', $tenantId));
+                if ($workspaceId === null) {
+                    return $query->whereRaw('1 = 0');
+                }
+
+                return $query
+                    ->where('workspace_id', (int) $workspaceId)
+                    ->when($tenantId, fn (Builder $q) => $q->where('tenant_id', $tenantId));
             })
             ->defaultSort('display_name')
             ->columns([
@@ -175,29 +183,22 @@ public static function table(Table $table): Table
                             ->icon('heroicon-o-check-badge')
                             ->color('success')
                             ->visible(fn (ProviderConnection $record): bool => $record->status !== 'disabled')
-                            ->action(function (ProviderConnection $record, ProviderOperationStartGate $gate): void {
+                            ->action(function (ProviderConnection $record, StartVerification $verification): void {
                                 $tenant = Tenant::current();
                                 $user = auth()->user();
 
-                                if (! $tenant instanceof Tenant || ! $user instanceof User) {
+                                if (! $tenant instanceof Tenant) {
-                                    return;
+                                    abort(404);
                                 }
 
-                                $initiator = $user;
+                                if (! $user instanceof User) {
+                                    abort(403);
+                                }
 
-                                $result = $gate->start(
+                                $result = $verification->providerConnectionCheck(
                                     tenant: $tenant,
                                     connection: $record,
-                                    operationType: 'provider.connection.check',
+                                    initiator: $user,
-                                    dispatcher: function (OperationRun $operationRun) use ($tenant, $initiator, $record): void {
-                                        ProviderConnectionHealthCheckJob::dispatch(
-                                            tenantId: (int) $tenant->getKey(),
-                                            userId: (int) $initiator->getKey(),
-                                            providerConnectionId: (int) $record->getKey(),
-                                            operationRun: $operationRun,
-                                        );
-                                    },
-                                    initiator: $initiator,
                                 );
 
                                 if ($result->status === 'scope_busy') {
@@ -640,9 +641,17 @@ public static function table(Table $table): Table
 
     public static function getEloquentQuery(): Builder
     {
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
         $tenantId = Tenant::current()?->getKey();
 
-        return parent::getEloquentQuery()
+        $query = parent::getEloquentQuery();
+
+        if ($workspaceId === null) {
+            return $query->whereRaw('1 = 0');
+        }
+
+        return $query
+            ->where('workspace_id', (int) $workspaceId)
             ->when($tenantId, fn (Builder $query) => $query->where('tenant_id', $tenantId))
             ->latest('id');
     }

app/Filament/Resources/ProviderConnectionResource/Pages/CreateProviderConnection.php

@@ -22,6 +22,7 @@ protected function mutateFormDataBeforeCreate(array $data): array
         $this->shouldMakeDefault = (bool) ($data['is_default'] ?? false);
 
         return [
+            'workspace_id' => (int) $tenant->workspace_id,
             'tenant_id' => $tenant->getKey(),
             'provider' => 'microsoft',
             'entra_tenant_id' => $data['entra_tenant_id'],

app/Filament/Resources/ProviderConnectionResource/Pages/EditProviderConnection.php

@@ -4,7 +4,6 @@
 
 use App\Filament\Resources\ProviderConnectionResource;
 use App\Jobs\ProviderComplianceSnapshotJob;
-use App\Jobs\ProviderConnectionHealthCheckJob;
 use App\Jobs\ProviderInventorySyncJob;
 use App\Models\OperationRun;
 use App\Models\ProviderConnection;
@@ -14,6 +13,7 @@
 use App\Services\Intune\AuditLogger;
 use App\Services\Providers\CredentialManager;
 use App\Services\Providers\ProviderOperationStartGate;
+use App\Services\Verification\StartVerification;
 use App\Support\Auth\Capabilities;
 use App\Support\OperationRunLinks;
 use App\Support\Rbac\UiEnforcement;
@@ -167,7 +167,7 @@ protected function getHeaderActions(): array
                                 && $user->canAccessTenant($tenant)
                                 && $record->status !== 'disabled';
                         })
-                        ->action(function (ProviderConnection $record, ProviderOperationStartGate $gate): void {
+                        ->action(function (ProviderConnection $record, StartVerification $verification): void {
                             $tenant = Tenant::current();
                             $user = auth()->user();
 
@@ -185,18 +185,9 @@ protected function getHeaderActions(): array
 
                             $initiator = $user;
 
-                            $result = $gate->start(
+                            $result = $verification->providerConnectionCheck(
                                 tenant: $tenant,
                                 connection: $record,
-                                operationType: 'provider.connection.check',
-                                dispatcher: function (OperationRun $operationRun) use ($tenant, $initiator, $record): void {
-                                    ProviderConnectionHealthCheckJob::dispatch(
-                                        tenantId: (int) $tenant->getKey(),
-                                        userId: (int) $initiator->getKey(),
-                                        providerConnectionId: (int) $record->getKey(),
-                                        operationRun: $operationRun,
-                                    );
-                                },
                                 initiator: $initiator,
                             );
 
@@ -242,9 +233,8 @@ protected function getHeaderActions(): array
                                 ->send();
                         })
                 )
-                    ->requireCapability(Capabilities::PROVIDER_RUN)
-                    ->tooltip('You do not have permission to run provider operations.')
                     ->preserveVisibility()
+                    ->requireCapability(Capabilities::PROVIDER_RUN)
                     ->apply(),
 
                 UiEnforcement::forAction(

app/Filament/Resources/RestoreRunResource.php

@@ -87,7 +87,7 @@ public static function form(Schema $schema): Schema
                 Forms\Components\Select::make('backup_set_id')
                     ->label('Backup set')
                     ->options(function () {
-                        $tenantId = Tenant::current()->getKey();
+                        $tenantId = Tenant::currentOrFail()->getKey();
 
                         return BackupSet::query()
                             ->when($tenantId, fn ($query) => $query->where('tenant_id', $tenantId))
@@ -219,7 +219,7 @@ public static function getWizardSteps(): array
                     Forms\Components\Select::make('backup_set_id')
                         ->label('Backup set')
                         ->options(function () {
-                            $tenantId = Tenant::current()->getKey();
+                            $tenantId = Tenant::currentOrFail()->getKey();
 
                             return BackupSet::query()
                                 ->when($tenantId, fn ($query) => $query->where('tenant_id', $tenantId))

app/Filament/Resources/TenantResource.php

@@ -9,6 +9,7 @@
 use App\Jobs\SyncPoliciesJob;
 use App\Models\Tenant;
 use App\Models\User;
+use App\Models\WorkspaceMembership;
 use App\Services\Auth\CapabilityResolver;
 use App\Services\Auth\RoleCapabilityMap;
 use App\Services\Directory\EntraGroupLabelResolver;
@@ -21,6 +22,7 @@
 use App\Services\OperationRunService;
 use App\Services\Operations\BulkSelectionIdentity;
 use App\Support\Auth\Capabilities;
+use App\Support\Auth\UiTooltips;
 use App\Support\Badges\BadgeDomain;
 use App\Support\Badges\BadgeRenderer;
 use App\Support\Badges\TagBadgeDomain;
@@ -28,6 +30,8 @@
 use App\Support\OperationRunLinks;
 use App\Support\OpsUx\OperationUxPresenter;
 use App\Support\OpsUx\OpsUxBrowserEvents;
+use App\Support\Rbac\UiEnforcement;
+use App\Support\Workspaces\WorkspaceContext;
 use BackedEnum;
 use Filament\Actions;
 use Filament\Actions\ActionGroup;
@@ -68,7 +72,21 @@ public static function canCreate(): bool
             return false;
         }
 
-        return static::userCanManageAnyTenant($user);
+        if (static::userCanManageAnyTenant($user)) {
+            return true;
+        }
+
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
+
+        if ($workspaceId === null) {
+            return false;
+        }
+
+        return WorkspaceMembership::query()
+            ->where('workspace_id', $workspaceId)
+            ->where('user_id', $user->getKey())
+            ->whereIn('role', ['owner', 'manager'])
+            ->exists();
     }
 
     public static function canEdit(Model $record): bool
@@ -177,8 +195,15 @@ public static function getEloquentQuery(): Builder
             return parent::getEloquentQuery()->whereRaw('1 = 0');
         }
 
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
+
+        if ($workspaceId === null) {
+            return parent::getEloquentQuery()->whereRaw('1 = 0');
+        }
+
         $tenantIds = $user->tenants()
             ->withTrashed()
+            ->where('workspace_id', $workspaceId)
             ->pluck('tenants.id');
 
         return parent::getEloquentQuery()
@@ -262,6 +287,7 @@ public static function table(Table $table): Table
                         ->label('View')
                         ->icon('heroicon-o-eye')
                         ->url(fn (Tenant $record) => static::getUrl('view', ['record' => $record], tenant: $record)),
+                    UiEnforcement::forAction(
                         Actions\Action::make('syncTenant')
                             ->label('Sync')
                             ->icon('heroicon-o-arrow-path')
@@ -280,32 +306,6 @@ public static function table(Table $table): Table
 
                                 return $user->canAccessTenant($record);
                             })
-                        ->disabled(function (Tenant $record): bool {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                return true;
-                            }
-
-                            /** @var CapabilityResolver $resolver */
-                            $resolver = app(CapabilityResolver::class);
-
-                            return ! $resolver->can($user, $record, Capabilities::TENANT_SYNC);
-                        })
-                        ->tooltip(function (Tenant $record): ?string {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                return null;
-                            }
-
-                            /** @var CapabilityResolver $resolver */
-                            $resolver = app(CapabilityResolver::class);
-
-                            return $resolver->can($user, $record, Capabilities::TENANT_SYNC)
-                                ? null
-                                : 'You do not have permission to sync this tenant.';
-                        })
                             ->action(function (Tenant $record, AuditLogger $auditLogger, \Filament\Tables\Contracts\HasTable $livewire): void {
                                 $user = auth()->user();
 
@@ -396,37 +396,33 @@ public static function table(Table $table): Table
                                             ->url(OperationRunLinks::view($opRun, $record)),
                                     ])
                                     ->send();
-                        }),
+                            })
+                    )
+                        ->preserveVisibility()
+                        ->requireCapability(Capabilities::TENANT_SYNC)
+                        ->apply(),
                     Actions\Action::make('openTenant')
                         ->label('Open')
                         ->icon('heroicon-o-arrow-right')
                         ->color('primary')
                         ->url(fn (Tenant $record) => \App\Filament\Resources\PolicyResource::getUrl('index', tenant: $record))
                         ->visible(fn (Tenant $record) => $record->isActive()),
+                    UiEnforcement::forAction(
                         Actions\Action::make('edit')
                             ->label('Edit')
                             ->icon('heroicon-o-pencil-square')
                             ->url(fn (Tenant $record) => static::getUrl('edit', ['record' => $record], tenant: $record))
-                        ->disabled(fn (Tenant $record): bool => ! static::canEdit($record))
+                    )
-                        ->tooltip(fn (Tenant $record): ?string => static::canEdit($record) ? null : 'You do not have permission to edit this tenant.'),
+                        ->requireCapability(Capabilities::TENANT_MANAGE)
+                        ->apply(),
+                    UiEnforcement::forAction(
                         Actions\Action::make('restore')
                             ->label('Restore')
                             ->color('success')
+                            ->icon('heroicon-o-arrow-uturn-left')
                             ->successNotificationTitle('Tenant reactivated')
                             ->requiresConfirmation()
                             ->visible(fn (Tenant $record): bool => $record->trashed())
-                        ->disabled(function (Tenant $record): bool {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                return true;
-                            }
-
-                            /** @var CapabilityResolver $resolver */
-                            $resolver = app(CapabilityResolver::class);
-
-                            return ! $resolver->can($user, $record, Capabilities::TENANT_DELETE);
-                        })
                             ->action(function (Tenant $record, AuditLogger $auditLogger): void {
                                 $user = auth()->user();
 
@@ -451,70 +447,42 @@ public static function table(Table $table): Table
                                     status: 'success',
                                     context: ['metadata' => ['tenant_id' => $record->tenant_id]]
                                 );
-                        }),
+                            })
+                    )
+                        ->preserveVisibility()
+                        ->requireCapability(Capabilities::TENANT_DELETE)
+                        ->apply(),
+                    UiEnforcement::forAction(
                         Actions\Action::make('admin_consent')
                             ->label('Admin consent')
                             ->icon('heroicon-o-clipboard-document')
                             ->url(fn (Tenant $record) => static::adminConsentUrl($record))
                             ->visible(fn (Tenant $record) => static::adminConsentUrl($record) !== null)
-                        ->disabled(function (Tenant $record): bool {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                return true;
-                            }
-
-                            /** @var CapabilityResolver $resolver */
-                            $resolver = app(CapabilityResolver::class);
-
-                            return ! $resolver->can($user, $record, Capabilities::TENANT_MANAGE);
-                        })
-                        ->tooltip(function (Tenant $record): ?string {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                return null;
-                            }
-
-                            /** @var CapabilityResolver $resolver */
-                            $resolver = app(CapabilityResolver::class);
-
-                            return $resolver->can($user, $record, Capabilities::TENANT_MANAGE)
-                                ? null
-                                : 'You do not have permission to manage tenant consent.';
-                        })
                             ->openUrlInNewTab(),
+                    )
+                        ->preserveVisibility()
+                        ->requireCapability(Capabilities::TENANT_MANAGE)
+                        ->apply(),
                     Actions\Action::make('open_in_entra')
                         ->label('Open in Entra')
                         ->icon('heroicon-o-arrow-top-right-on-square')
                         ->url(fn (Tenant $record) => static::entraUrl($record))
                         ->visible(fn (Tenant $record) => static::entraUrl($record) !== null)
                         ->openUrlInNewTab(),
+                    UiEnforcement::forAction(
                         Actions\Action::make('verify')
                             ->label('Verify configuration')
                             ->icon('heroicon-o-check-badge')
                             ->color('primary')
                             ->requiresConfirmation()
                             ->visible(fn (Tenant $record): bool => $record->isActive())
-                        ->disabled(function (Tenant $record): bool {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                return true;
-                            }
-
-                            /** @var CapabilityResolver $resolver */
-                            $resolver = app(CapabilityResolver::class);
-
-                            return ! $resolver->can($user, $record, Capabilities::TENANT_MANAGE);
-                        })
                             ->action(function (
                                 Tenant $record,
                                 TenantConfigService $configService,
                                 TenantPermissionService $permissionService,
                                 RbacHealthService $rbacHealthService,
                                 AuditLogger $auditLogger
-                        ) {
+                            ): void {
                                 $user = auth()->user();
 
                                 if (! $user instanceof User) {
@@ -530,26 +498,19 @@ public static function table(Table $table): Table
 
                                 static::verifyTenant($record, $configService, $permissionService, $rbacHealthService, $auditLogger);
                             }),
+                    )
+                        ->preserveVisibility()
+                        ->requireCapability(Capabilities::TENANT_MANAGE)
+                        ->apply(),
                     static::rbacAction(),
+                    UiEnforcement::forAction(
                         Actions\Action::make('archive')
                             ->label('Deactivate')
                             ->color('danger')
                             ->icon('heroicon-o-archive-box-x-mark')
                             ->requiresConfirmation()
                             ->visible(fn (Tenant $record): bool => ! $record->trashed())
-                        ->disabled(function (Tenant $record): bool {
+                            ->action(function (Tenant $record, AuditLogger $auditLogger): void {
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                return true;
-                            }
-
-                            /** @var CapabilityResolver $resolver */
-                            $resolver = app(CapabilityResolver::class);
-
-                            return ! $resolver->can($user, $record, Capabilities::TENANT_DELETE);
-                        })
-                        ->action(function (Tenant $record, AuditLogger $auditLogger) {
                                 $user = auth()->user();
 
                                 if (! $user instanceof User) {
@@ -580,29 +541,18 @@ public static function table(Table $table): Table
                                     ->success()
                                     ->send();
                             }),
+                    )
+                        ->preserveVisibility()
+                        ->requireCapability(Capabilities::TENANT_DELETE)
+                        ->apply(),
+                    UiEnforcement::forAction(
                         Actions\Action::make('forceDelete')
                             ->label('Force delete')
                             ->color('danger')
                             ->icon('heroicon-o-trash')
                             ->requiresConfirmation()
                             ->visible(fn (?Tenant $record): bool => (bool) $record?->trashed())
-                        ->disabled(function (?Tenant $record): bool {
+                            ->action(function (?Tenant $record, AuditLogger $auditLogger): void {
-                            if (! $record instanceof Tenant) {
-                                return true;
-                            }
-
-                            $user = auth()->user();
-
-                            if (! $user instanceof User) {
-                                return true;
-                            }
-
-                            /** @var CapabilityResolver $resolver */
-                            $resolver = app(CapabilityResolver::class);
-
-                            return ! $resolver->can($user, $record, Capabilities::TENANT_DELETE);
-                        })
-                        ->action(function (?Tenant $record, AuditLogger $auditLogger) {
                                 if ($record === null) {
                                     return;
                                 }
@@ -647,6 +597,10 @@ public static function table(Table $table): Table
                                     ->success()
                                     ->send();
                             }),
+                    )
+                        ->preserveVisibility()
+                        ->requireCapability(Capabilities::TENANT_DELETE)
+                        ->apply(),
                 ]),
             ])
             ->bulkActions([
@@ -655,27 +609,45 @@ public static function table(Table $table): Table
                     ->icon('heroicon-o-arrow-path')
                     ->color('warning')
                     ->requiresConfirmation()
-                    ->visible(function (): bool {
+                    ->visible(fn (): bool => auth()->user() instanceof User)
+                    ->authorize(fn (): bool => auth()->user() instanceof User)
+                    ->disabled(function (Collection $records): bool {
                         $user = auth()->user();
 
                         if (! $user instanceof User) {
-                            return false;
+                            return true;
                         }
 
-                        return $user->tenants()
+                        if ($records->isEmpty()) {
-                            ->whereIn('role', RoleCapabilityMap::rolesWithCapability(Capabilities::TENANT_SYNC))
+                            return true;
-                            ->exists();
+                        }
+
+                        /** @var CapabilityResolver $resolver */
+                        $resolver = app(CapabilityResolver::class);
+
+                        return $records
+                            ->filter(fn ($record) => $record instanceof Tenant)
+                            ->contains(fn (Tenant $tenant): bool => ! $resolver->can($user, $tenant, Capabilities::TENANT_SYNC));
                     })
-                    ->authorize(function (): bool {
+                    ->tooltip(function (Collection $records): ?string {
                         $user = auth()->user();
 
                         if (! $user instanceof User) {
-                            return false;
+                            return UiTooltips::insufficientPermission();
                         }
 
-                        return $user->tenants()
+                        if ($records->isEmpty()) {
-                            ->whereIn('role', RoleCapabilityMap::rolesWithCapability(Capabilities::TENANT_SYNC))
+                            return null;
-                            ->exists();
+                        }
+
+                        /** @var CapabilityResolver $resolver */
+                        $resolver = app(CapabilityResolver::class);
+
+                        $isDenied = $records
+                            ->filter(fn ($record) => $record instanceof Tenant)
+                            ->contains(fn (Tenant $tenant): bool => ! $resolver->can($user, $tenant, Capabilities::TENANT_SYNC));
+
+                        return $isDenied ? UiTooltips::insufficientPermission() : null;
                     })
                     ->action(function (Collection $records, AuditLogger $auditLogger): void {
                         $user = auth()->user();
@@ -982,9 +954,7 @@ public static function rbacAction(): Actions\Action
                     return;
                 }
 
-                $actor = auth()->user();
+                $result = $service->run($record, $data, $user, $token);
-
-                $result = $service->run($record, $data, $actor, $token);
 
                 Cache::forget($cacheKey);
 

app/Filament/Resources/TenantResource/Pages/CreateTenant.php

@@ -4,12 +4,28 @@
 
 use App\Filament\Resources\TenantResource;
 use App\Models\User;
+use App\Support\Workspaces\WorkspaceContext;
 use Filament\Resources\Pages\CreateRecord;
 
 class CreateTenant extends CreateRecord
 {
     protected static string $resource = TenantResource::class;
 
+    /**
+     * @param  array<string, mixed>  $data
+     * @return array<string, mixed>
+     */
+    protected function mutateFormDataBeforeCreate(array $data): array
+    {
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
+
+        if ($workspaceId !== null) {
+            $data['workspace_id'] = $workspaceId;
+        }
+
+        return $data;
+    }
+
     protected function afterCreate(): void
     {
         $user = auth()->user();

app/Filament/Resources/TenantResource/Pages/ViewTenant.php

@@ -3,11 +3,14 @@
 namespace App\Filament\Resources\TenantResource\Pages;
 
 use App\Filament\Resources\TenantResource;
+use App\Filament\Widgets\Tenant\TenantArchivedBanner;
 use App\Models\Tenant;
 use App\Services\Intune\AuditLogger;
 use App\Services\Intune\RbacHealthService;
 use App\Services\Intune\TenantConfigService;
 use App\Services\Intune\TenantPermissionService;
+use App\Support\Auth\Capabilities;
+use App\Support\Rbac\UiEnforcement;
 use Filament\Actions;
 use Filament\Notifications\Notification;
 use Filament\Resources\Pages\ViewRecord;
@@ -16,11 +19,25 @@ class ViewTenant extends ViewRecord
 {
     protected static string $resource = TenantResource::class;
 
+    protected function getHeaderWidgets(): array
+    {
+        return [
+            TenantArchivedBanner::class,
+        ];
+    }
+
     protected function getHeaderActions(): array
     {
         return [
             Actions\ActionGroup::make([
-                Actions\EditAction::make(),
+                UiEnforcement::forAction(
+                    Actions\Action::make('edit')
+                        ->label('Edit')
+                        ->icon('heroicon-o-pencil-square')
+                        ->url(fn (Tenant $record): string => TenantResource::getUrl('edit', ['record' => $record]))
+                )
+                    ->requireCapability(Capabilities::TENANT_MANAGE)
+                    ->apply(),
                 Actions\Action::make('admin_consent')
                     ->label('Admin consent')
                     ->icon('heroicon-o-clipboard-document')
@@ -48,22 +65,27 @@ protected function getHeaderActions(): array
                         TenantResource::verifyTenant($record, $configService, $permissionService, $rbacHealthService, $auditLogger);
                     }),
                 TenantResource::rbacAction(),
+                UiEnforcement::forAction(
                     Actions\Action::make('archive')
                         ->label('Deactivate')
                         ->color('danger')
                         ->icon('heroicon-o-archive-box-x-mark')
-                    ->requiresConfirmation()
+                        ->visible(fn (Tenant $record): bool => ! $record->trashed())
-                    ->visible(fn (Tenant $record) => ! $record->trashed())
+                        ->action(function (Tenant $record, AuditLogger $auditLogger): void {
-                    ->action(function (Tenant $record, AuditLogger $auditLogger) {
                             $record->delete();
 
                             $auditLogger->log(
                                 tenant: $record,
                                 action: 'tenant.archived',
                                 resourceType: 'tenant',
-                            resourceId: (string) $record->id,
+                                resourceId: (string) $record->getKey(),
                                 status: 'success',
-                            context: ['metadata' => ['tenant_id' => $record->tenant_id]]
+                                context: [
+                                    'metadata' => [
+                                        'internal_tenant_id' => (int) $record->getKey(),
+                                        'tenant_guid' => (string) $record->tenant_id,
+                                    ],
+                                ]
                             );
 
                             Notification::make()
@@ -71,7 +93,12 @@ protected function getHeaderActions(): array
                                 ->body('The tenant has been archived and hidden from lists.')
                                 ->success()
                                 ->send();
-                    }),
+                        })
+                )
+                    ->preserveVisibility()
+                    ->requireCapability(Capabilities::TENANT_DELETE)
+                    ->destructive()
+                    ->apply(),
             ])
                 ->label('Actions')
                 ->icon('heroicon-o-ellipsis-vertical')

app/Filament/Resources/TenantResource/RelationManagers/TenantMembershipsRelationManager.php

@@ -25,11 +25,22 @@ public function table(Table $table): Table
         return $table
             ->modifyQueryUsing(fn (Builder $query) => $query->with('user'))
             ->columns([
-                Tables\Columns\TextColumn::make('user.name')
+                Tables\Columns\TextColumn::make('user.email')
                     ->label(__('User'))
                     ->searchable(),
-                Tables\Columns\TextColumn::make('user.email')
+                Tables\Columns\TextColumn::make('user_domain')
-                    ->label(__('Email'))
+                    ->label(__('Domain'))
+                    ->getStateUsing(function (TenantMembership $record): ?string {
+                        $email = $record->user?->email;
+
+                        if (! is_string($email) || $email === '' || ! str_contains($email, '@')) {
+                            return null;
+                        }
+
+                        return (string) str($email)->after('@')->lower();
+                    }),
+                Tables\Columns\TextColumn::make('user.name')
+                    ->label(__('Name'))
                     ->toggleable(isToggledHiddenByDefault: true),
                 Tables\Columns\TextColumn::make('role')
                     ->badge()
@@ -49,7 +60,13 @@ public function table(Table $table): Table
                                 ->label(__('User'))
                                 ->required()
                                 ->searchable()
-                                ->options(fn () => User::query()->orderBy('name')->pluck('name', 'id')->all()),
+                                ->options(fn () => User::query()
+                                    ->orderBy('email')
+                                    ->get(['id', 'name', 'email'])
+                                    ->mapWithKeys(fn (User $user): array => [
+                                        (string) $user->id => trim((string) ($user->name ? "{$user->name} ({$user->email})" : $user->email)),
+                                    ])
+                                    ->all()),
                             Forms\Components\Select::make('role')
                                 ->label(__('Role'))
                                 ->required()

app/Filament/Resources/Workspaces/Pages/CreateWorkspace.php

@@ -0,0 +1,35 @@
+<?php
+
+namespace App\Filament\Resources\Workspaces\Pages;
+
+use App\Filament\Resources\Workspaces\WorkspaceResource;
+use App\Models\User;
+use App\Models\WorkspaceMembership;
+use App\Support\Workspaces\WorkspaceContext;
+use Filament\Resources\Pages\CreateRecord;
+
+class CreateWorkspace extends CreateRecord
+{
+    protected static string $resource = WorkspaceResource::class;
+
+    protected function afterCreate(): void
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            return;
+        }
+
+        WorkspaceMembership::query()->firstOrCreate(
+            [
+                'workspace_id' => $this->record->getKey(),
+                'user_id' => $user->getKey(),
+            ],
+            [
+                'role' => 'owner',
+            ],
+        );
+
+        app(WorkspaceContext::class)->setCurrentWorkspace($this->record, $user, request());
+    }
+}

app/Filament/Resources/Workspaces/Pages/EditWorkspace.php

@@ -0,0 +1,11 @@
+<?php
+
+namespace App\Filament\Resources\Workspaces\Pages;
+
+use App\Filament\Resources\Workspaces\WorkspaceResource;
+use Filament\Resources\Pages\EditRecord;
+
+class EditWorkspace extends EditRecord
+{
+    protected static string $resource = WorkspaceResource::class;
+}

app/Filament/Resources/Workspaces/Pages/ListWorkspaces.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Filament\Resources\Workspaces\Pages;
+
+use App\Filament\Resources\Workspaces\WorkspaceResource;
+use Filament\Actions;
+use Filament\Resources\Pages\ListRecords;
+
+class ListWorkspaces extends ListRecords
+{
+    protected static string $resource = WorkspaceResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            Actions\CreateAction::make(),
+        ];
+    }
+}

app/Filament/Resources/Workspaces/Pages/ViewWorkspace.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Filament\Resources\Workspaces\Pages;
+
+use App\Filament\Resources\Workspaces\WorkspaceResource;
+use Filament\Actions;
+use Filament\Resources\Pages\ViewRecord;
+
+class ViewWorkspace extends ViewRecord
+{
+    protected static string $resource = WorkspaceResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            Actions\EditAction::make(),
+        ];
+    }
+}

app/Filament/Resources/Workspaces/RelationManagers/WorkspaceMembershipsRelationManager.php

@@ -0,0 +1,221 @@
+<?php
+
+namespace App\Filament\Resources\Workspaces\RelationManagers;
+
+use App\Models\User;
+use App\Models\Workspace;
+use App\Models\WorkspaceMembership;
+use App\Services\Auth\WorkspaceMembershipManager;
+use App\Support\Auth\Capabilities;
+use App\Support\Auth\WorkspaceRole;
+use App\Support\Rbac\WorkspaceUiEnforcement;
+use Filament\Actions\Action;
+use Filament\Forms;
+use Filament\Notifications\Notification;
+use Filament\Resources\RelationManagers\RelationManager;
+use Filament\Tables;
+use Filament\Tables\Table;
+use Illuminate\Database\Eloquent\Builder;
+
+class WorkspaceMembershipsRelationManager extends RelationManager
+{
+    protected static string $relationship = 'memberships';
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->modifyQueryUsing(fn (Builder $query) => $query->with('user'))
+            ->columns([
+                Tables\Columns\TextColumn::make('user.email')
+                    ->label(__('User'))
+                    ->searchable(),
+                Tables\Columns\TextColumn::make('user_domain')
+                    ->label(__('Domain'))
+                    ->getStateUsing(function (WorkspaceMembership $record): ?string {
+                        $email = $record->user?->email;
+
+                        if (! is_string($email) || $email === '' || ! str_contains($email, '@')) {
+                            return null;
+                        }
+
+                        return (string) str($email)->after('@')->lower();
+                    }),
+                Tables\Columns\TextColumn::make('user.name')
+                    ->label(__('Name'))
+                    ->toggleable(isToggledHiddenByDefault: true),
+                Tables\Columns\TextColumn::make('role')
+                    ->badge()
+                    ->sortable(),
+                Tables\Columns\TextColumn::make('created_at')->since(),
+            ])
+            ->headerActions([
+                WorkspaceUiEnforcement::forTableAction(
+                    Action::make('add_member')
+                        ->label(__('Add member'))
+                        ->icon('heroicon-o-plus')
+                        ->form([
+                            Forms\Components\Select::make('user_id')
+                                ->label(__('User'))
+                                ->required()
+                                ->searchable()
+                                ->options(fn () => User::query()
+                                    ->orderBy('email')
+                                    ->get(['id', 'name', 'email'])
+                                    ->mapWithKeys(fn (User $user): array => [
+                                        (string) $user->id => trim((string) ($user->name ? "{$user->name} ({$user->email})" : $user->email)),
+                                    ])
+                                    ->all()),
+                            Forms\Components\Select::make('role')
+                                ->label(__('Role'))
+                                ->required()
+                                ->options([
+                                    WorkspaceRole::Owner->value => __('Owner'),
+                                    WorkspaceRole::Manager->value => __('Manager'),
+                                    WorkspaceRole::Operator->value => __('Operator'),
+                                    WorkspaceRole::Readonly->value => __('Readonly'),
+                                ]),
+                        ])
+                        ->action(function (array $data, WorkspaceMembershipManager $manager): void {
+                            $workspace = $this->getOwnerRecord();
+
+                            if (! $workspace instanceof Workspace) {
+                                abort(404);
+                            }
+
+                            $actor = auth()->user();
+                            if (! $actor instanceof User) {
+                                abort(403);
+                            }
+
+                            $member = User::query()->find((int) $data['user_id']);
+                            if (! $member) {
+                                Notification::make()->title(__('User not found'))->danger()->send();
+
+                                return;
+                            }
+
+                            try {
+                                $manager->addMember(
+                                    workspace: $workspace,
+                                    actor: $actor,
+                                    member: $member,
+                                    role: (string) $data['role'],
+                                    source: 'manual',
+                                );
+                            } catch (\Throwable $throwable) {
+                                Notification::make()
+                                    ->title(__('Failed to add member'))
+                                    ->body($throwable->getMessage())
+                                    ->danger()
+                                    ->send();
+
+                                return;
+                            }
+
+                            Notification::make()->title(__('Member added'))->success()->send();
+                            $this->resetTable();
+                        }),
+                    fn () => $this->getOwnerRecord(),
+                )
+                    ->requireCapability(Capabilities::WORKSPACE_MEMBERSHIP_MANAGE)
+                    ->tooltip('You do not have permission to manage workspace memberships.')
+                    ->apply(),
+            ])
+            ->actions([
+                WorkspaceUiEnforcement::forTableAction(
+                    Action::make('change_role')
+                        ->label(__('Change role'))
+                        ->icon('heroicon-o-pencil')
+                        ->requiresConfirmation()
+                        ->form([
+                            Forms\Components\Select::make('role')
+                                ->label(__('Role'))
+                                ->required()
+                                ->options([
+                                    WorkspaceRole::Owner->value => __('Owner'),
+                                    WorkspaceRole::Manager->value => __('Manager'),
+                                    WorkspaceRole::Operator->value => __('Operator'),
+                                    WorkspaceRole::Readonly->value => __('Readonly'),
+                                ]),
+                        ])
+                        ->action(function (WorkspaceMembership $record, array $data, WorkspaceMembershipManager $manager): void {
+                            $workspace = $this->getOwnerRecord();
+
+                            if (! $workspace instanceof Workspace) {
+                                abort(404);
+                            }
+
+                            $actor = auth()->user();
+                            if (! $actor instanceof User) {
+                                abort(403);
+                            }
+
+                            try {
+                                $manager->changeRole(
+                                    workspace: $workspace,
+                                    actor: $actor,
+                                    membership: $record,
+                                    newRole: (string) $data['role'],
+                                );
+                            } catch (\Throwable $throwable) {
+                                Notification::make()
+                                    ->title(__('Failed to change role'))
+                                    ->body($throwable->getMessage())
+                                    ->danger()
+                                    ->send();
+
+                                return;
+                            }
+
+                            Notification::make()->title(__('Role updated'))->success()->send();
+                            $this->resetTable();
+                        }),
+                    fn () => $this->getOwnerRecord(),
+                )
+                    ->requireCapability(Capabilities::WORKSPACE_MEMBERSHIP_MANAGE)
+                    ->tooltip('You do not have permission to manage workspace memberships.')
+                    ->apply(),
+
+                WorkspaceUiEnforcement::forTableAction(
+                    Action::make('remove')
+                        ->label(__('Remove'))
+                        ->color('danger')
+                        ->icon('heroicon-o-x-mark')
+                        ->requiresConfirmation()
+                        ->action(function (WorkspaceMembership $record, WorkspaceMembershipManager $manager): void {
+                            $workspace = $this->getOwnerRecord();
+
+                            if (! $workspace instanceof Workspace) {
+                                abort(404);
+                            }
+
+                            $actor = auth()->user();
+                            if (! $actor instanceof User) {
+                                abort(403);
+                            }
+
+                            try {
+                                $manager->removeMember(workspace: $workspace, actor: $actor, membership: $record);
+                            } catch (\Throwable $throwable) {
+                                Notification::make()
+                                    ->title(__('Failed to remove member'))
+                                    ->body($throwable->getMessage())
+                                    ->danger()
+                                    ->send();
+
+                                return;
+                            }
+
+                            Notification::make()->title(__('Member removed'))->success()->send();
+                            $this->resetTable();
+                        }),
+                    fn () => $this->getOwnerRecord(),
+                )
+                    ->requireCapability(Capabilities::WORKSPACE_MEMBERSHIP_MANAGE)
+                    ->tooltip('You do not have permission to manage workspace memberships.')
+                    ->destructive()
+                    ->apply(),
+            ])
+            ->bulkActions([]);
+    }
+}

app/Filament/Resources/Workspaces/WorkspaceResource.php

@@ -0,0 +1,79 @@
+<?php
+
+namespace App\Filament\Resources\Workspaces;
+
+use App\Filament\Resources\Workspaces\RelationManagers\WorkspaceMembershipsRelationManager;
+use App\Models\Workspace;
+use BackedEnum;
+use Filament\Actions;
+use Filament\Forms;
+use Filament\Resources\Resource;
+use Filament\Schemas\Schema;
+use Filament\Tables;
+use Filament\Tables\Table;
+use UnitEnum;
+
+class WorkspaceResource extends Resource
+{
+    protected static ?string $model = Workspace::class;
+
+    protected static bool $isDiscovered = false;
+
+    protected static bool $isScopedToTenant = false;
+
+    protected static ?string $recordTitleAttribute = 'name';
+
+    protected static bool $shouldRegisterNavigation = false;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-squares-2x2';
+
+    protected static string|UnitEnum|null $navigationGroup = 'Settings';
+
+    public static function form(Schema $schema): Schema
+    {
+        return $schema
+            ->schema([
+                Forms\Components\TextInput::make('name')
+                    ->required()
+                    ->maxLength(255),
+                Forms\Components\TextInput::make('slug')
+                    ->required()
+                    ->maxLength(255)
+                    ->unique(ignoreRecord: true),
+            ]);
+    }
+
+    public static function table(Table $table): Table
+    {
+        return $table
+            ->columns([
+                Tables\Columns\TextColumn::make('name')
+                    ->searchable()
+                    ->sortable(),
+                Tables\Columns\TextColumn::make('slug')
+                    ->searchable()
+                    ->sortable(),
+            ])
+            ->actions([
+                Actions\ViewAction::make(),
+                Actions\EditAction::make(),
+            ]);
+    }
+
+    public static function getPages(): array
+    {
+        return [
+            'index' => Pages\ListWorkspaces::route('/'),
+            'create' => Pages\CreateWorkspace::route('/create'),
+            'view' => Pages\ViewWorkspace::route('/{record}'),
+            'edit' => Pages\EditWorkspace::route('/{record}/edit'),
+        ];
+    }
+
+    public static function getRelations(): array
+    {
+        return [
+            WorkspaceMembershipsRelationManager::class,
+        ];
+    }
+}

app/Filament/Support/VerificationReportChangeIndicator.php

@@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Support;
+
+use App\Models\OperationRun;
+
+final class VerificationReportChangeIndicator
+{
+    /**
+     * @return array{state: 'no_changes'|'changed', previous_report_id: int}|null
+     */
+    public static function forRun(OperationRun $run): ?array
+    {
+        $report = VerificationReportViewer::report($run);
+
+        if ($report === null) {
+            return null;
+        }
+
+        $previousRun = VerificationReportViewer::previousRun($run, $report);
+
+        if ($previousRun === null) {
+            return null;
+        }
+
+        $previousReport = VerificationReportViewer::report($previousRun);
+
+        if ($previousReport === null) {
+            return null;
+        }
+
+        $currentFingerprint = VerificationReportViewer::fingerprint($report);
+        $previousFingerprint = VerificationReportViewer::fingerprint($previousReport);
+
+        if ($currentFingerprint === null || $previousFingerprint === null) {
+            return null;
+        }
+
+        return [
+            'state' => $currentFingerprint === $previousFingerprint ? 'no_changes' : 'changed',
+            'previous_report_id' => (int) $previousRun->getKey(),
+        ];
+    }
+}
+

app/Filament/Support/VerificationReportViewer.php

@@ -0,0 +1,92 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Support;
+
+use App\Models\OperationRun;
+use App\Support\Verification\VerificationReportFingerprint;
+use App\Support\Verification\VerificationReportSanitizer;
+use App\Support\Verification\VerificationReportSchema;
+
+final class VerificationReportViewer
+{
+    /**
+     * @return array<string, mixed>|null
+     */
+    public static function report(OperationRun $run): ?array
+    {
+        $context = is_array($run->context) ? $run->context : [];
+        $report = $context['verification_report'] ?? null;
+
+        if (! is_array($report)) {
+            return null;
+        }
+
+        $report = VerificationReportSanitizer::sanitizeReport($report);
+
+        if (! VerificationReportSchema::isValidReport($report)) {
+            return null;
+        }
+
+        return $report;
+    }
+
+    public static function previousReportId(array $report): ?int
+    {
+        $previousReportId = $report['previous_report_id'] ?? null;
+
+        if (is_int($previousReportId) && $previousReportId > 0) {
+            return $previousReportId;
+        }
+
+        if (is_string($previousReportId) && ctype_digit(trim($previousReportId))) {
+            return (int) trim($previousReportId);
+        }
+
+        return null;
+    }
+
+    public static function fingerprint(array $report): ?string
+    {
+        $fingerprint = $report['fingerprint'] ?? null;
+
+        if (is_string($fingerprint)) {
+            $fingerprint = strtolower(trim($fingerprint));
+
+            if (preg_match('/^[a-f0-9]{64}$/', $fingerprint)) {
+                return $fingerprint;
+            }
+        }
+
+        return VerificationReportFingerprint::forReport($report);
+    }
+
+    public static function previousRun(OperationRun $run, array $report): ?OperationRun
+    {
+        $previousReportId = self::previousReportId($report);
+
+        if ($previousReportId === null) {
+            return null;
+        }
+
+        $previous = OperationRun::query()
+            ->whereKey($previousReportId)
+            ->where('tenant_id', (int) $run->tenant_id)
+            ->where('workspace_id', (int) $run->workspace_id)
+            ->first();
+
+        return $previous instanceof OperationRun ? $previous : null;
+    }
+
+    public static function shouldRenderForRun(OperationRun $run): bool
+    {
+        $context = is_array($run->context) ? $run->context : [];
+
+        if (array_key_exists('verification_report', $context)) {
+            return true;
+        }
+
+        return in_array((string) $run->type, ['provider.connection.check'], true);
+    }
+}

app/Filament/System/Pages/RepairWorkspaceOwners.php

@@ -0,0 +1,169 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\System\Pages;
+
+use App\Models\PlatformUser;
+use App\Models\User;
+use App\Models\Workspace;
+use App\Models\WorkspaceMembership;
+use App\Services\Audit\WorkspaceAuditLogger;
+use App\Services\Auth\BreakGlassSession;
+use App\Support\Audit\AuditActionId;
+use App\Support\Auth\PlatformCapabilities;
+use App\Support\Auth\WorkspaceRole;
+use Filament\Actions\Action;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\Textarea;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+
+class RepairWorkspaceOwners extends Page
+{
+    protected static string|\BackedEnum|null $navigationIcon = 'heroicon-o-wrench-screwdriver';
+
+    protected static ?string $navigationLabel = 'Repair workspace owners';
+
+    protected static string|\UnitEnum|null $navigationGroup = 'Recovery';
+
+    protected string $view = 'filament.system.pages.repair-workspace-owners';
+
+    public static function canAccess(): bool
+    {
+        $user = auth('platform')->user();
+
+        if (! $user instanceof PlatformUser) {
+            return false;
+        }
+
+        return $user->hasCapability(PlatformCapabilities::USE_BREAK_GLASS);
+    }
+
+    /**
+     * @return array<Action>
+     */
+    protected function getHeaderActions(): array
+    {
+        $breakGlass = app(BreakGlassSession::class);
+
+        return [
+            Action::make('assign_owner')
+                ->label('Assign owner (break-glass)')
+                ->color('danger')
+                ->requiresConfirmation()
+                ->modalHeading('Assign workspace owner')
+                ->modalDescription('This is a recovery action. It is audited and should only be used when the workspace owner set is broken.')
+                ->form([
+                    Select::make('workspace_id')
+                        ->label('Workspace')
+                        ->required()
+                        ->searchable()
+                        ->getSearchResultsUsing(function (string $search): array {
+                            return Workspace::query()
+                                ->where('name', 'like', "%{$search}%")
+                                ->orderBy('name')
+                                ->limit(25)
+                                ->pluck('name', 'id')
+                                ->all();
+                        })
+                        ->getOptionLabelUsing(function ($value): ?string {
+                            if (! is_numeric($value)) {
+                                return null;
+                            }
+
+                            return Workspace::query()->whereKey((int) $value)->value('name');
+                        }),
+
+                    Select::make('target_user_id')
+                        ->label('User')
+                        ->required()
+                        ->searchable()
+                        ->getSearchResultsUsing(function (string $search): array {
+                            return User::query()
+                                ->where('email', 'like', "%{$search}%")
+                                ->orderBy('email')
+                                ->limit(25)
+                                ->pluck('email', 'id')
+                                ->all();
+                        })
+                        ->getOptionLabelUsing(function ($value): ?string {
+                            if (! is_numeric($value)) {
+                                return null;
+                            }
+
+                            return User::query()->whereKey((int) $value)->value('email');
+                        }),
+
+                    Textarea::make('reason')
+                        ->label('Reason')
+                        ->required()
+                        ->minLength(5)
+                        ->maxLength(500)
+                        ->rows(4),
+                ])
+                ->action(function (array $data, BreakGlassSession $breakGlass, WorkspaceAuditLogger $auditLogger): void {
+                    $platformUser = auth('platform')->user();
+
+                    if (! $platformUser instanceof PlatformUser) {
+                        abort(403);
+                    }
+
+                    if (! $platformUser->hasCapability(PlatformCapabilities::USE_BREAK_GLASS)) {
+                        abort(403);
+                    }
+
+                    if (! $breakGlass->isActive()) {
+                        abort(403);
+                    }
+
+                    $workspaceId = (int) ($data['workspace_id'] ?? 0);
+                    $targetUserId = (int) ($data['target_user_id'] ?? 0);
+                    $reason = (string) ($data['reason'] ?? '');
+
+                    $workspace = Workspace::query()->whereKey($workspaceId)->firstOrFail();
+                    $targetUser = User::query()->whereKey($targetUserId)->firstOrFail();
+
+                    $membership = WorkspaceMembership::query()->firstOrNew([
+                        'workspace_id' => (int) $workspace->getKey(),
+                        'user_id' => (int) $targetUser->getKey(),
+                    ]);
+
+                    $fromRole = $membership->exists ? (string) $membership->role : null;
+
+                    $membership->forceFill([
+                        'role' => WorkspaceRole::Owner->value,
+                    ])->save();
+
+                    $auditLogger->log(
+                        workspace: $workspace,
+                        action: AuditActionId::WorkspaceMembershipBreakGlassAssignOwner->value,
+                        context: [
+                            'metadata' => [
+                                'workspace_id' => (int) $workspace->getKey(),
+                                'actor_user_id' => (int) $platformUser->getKey(),
+                                'target_user_id' => (int) $targetUser->getKey(),
+                                'attempted_role' => WorkspaceRole::Owner->value,
+                                'from_role' => $fromRole,
+                                'reason' => trim($reason),
+                                'source' => 'break_glass',
+                            ],
+                        ],
+                        actor: null,
+                        status: 'success',
+                        resourceType: 'workspace',
+                        resourceId: (string) $workspace->getKey(),
+                        actorId: (int) $platformUser->getKey(),
+                        actorEmail: $platformUser->email,
+                        actorName: $platformUser->name,
+                    );
+
+                    Notification::make()
+                        ->title('Owner assigned')
+                        ->success()
+                        ->send();
+                })
+                ->disabled(fn (): bool => ! $breakGlass->isActive()),
+        ];
+    }
+}

app/Filament/Widgets/Tenant/TenantArchivedBanner.php

@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Widgets\Tenant;
+
+use App\Models\Tenant;
+use Filament\Facades\Filament;
+use Filament\Widgets\Widget;
+
+class TenantArchivedBanner extends Widget
+{
+    protected static bool $isLazy = false;
+
+    protected string $view = 'filament.widgets.tenant.tenant-archived-banner';
+
+    /**
+     * @return array<string, mixed>
+     */
+    protected function getViewData(): array
+    {
+        $tenant = Filament::getTenant();
+
+        return [
+            'tenant' => $tenant instanceof Tenant ? $tenant : null,
+        ];
+    }
+}

app/Http/Controllers/SelectTenantController.php

@@ -0,0 +1,72 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers;
+
+use App\Filament\Pages\TenantDashboard;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Models\UserTenantPreference;
+use App\Support\Workspaces\WorkspaceContext;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Schema;
+
+final class SelectTenantController
+{
+    public function __invoke(Request $request): RedirectResponse
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            abort(403);
+        }
+
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId($request);
+
+        if ($workspaceId === null) {
+            return redirect()->to('/admin/choose-workspace');
+        }
+
+        $validated = $request->validate([
+            'tenant_id' => ['required', 'integer'],
+        ]);
+
+        $tenant = Tenant::query()
+            ->where('status', 'active')
+            ->where('workspace_id', $workspaceId)
+            ->whereKey($validated['tenant_id'])
+            ->first();
+
+        if (! $tenant instanceof Tenant) {
+            abort(404);
+        }
+
+        if (! $user->canAccessTenant($tenant)) {
+            abort(404);
+        }
+
+        $this->persistLastTenant($user, $tenant);
+
+        return redirect()->to(TenantDashboard::getUrl(tenant: $tenant));
+    }
+
+    private function persistLastTenant(User $user, Tenant $tenant): void
+    {
+        if (Schema::hasColumn('users', 'last_tenant_id')) {
+            $user->forceFill(['last_tenant_id' => $tenant->getKey()])->save();
+
+            return;
+        }
+
+        if (! Schema::hasTable('user_tenant_preferences')) {
+            return;
+        }
+
+        UserTenantPreference::query()->updateOrCreate(
+            ['user_id' => $user->getKey(), 'tenant_id' => $tenant->getKey()],
+            ['last_used_at' => now()]
+        );
+    }
+}

app/Http/Controllers/SwitchWorkspaceController.php

@@ -0,0 +1,67 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers;
+
+use App\Filament\Pages\ChooseTenant;
+use App\Filament\Pages\TenantDashboard;
+use App\Models\User;
+use App\Models\Workspace;
+use App\Support\Workspaces\WorkspaceContext;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+
+final class SwitchWorkspaceController
+{
+    public function __invoke(Request $request): RedirectResponse
+    {
+        $user = auth()->user();
+
+        if (! $user instanceof User) {
+            abort(403);
+        }
+
+        $validated = $request->validate([
+            'workspace_id' => ['required', 'integer'],
+        ]);
+
+        $workspace = Workspace::query()->whereKey($validated['workspace_id'])->first();
+
+        if (! $workspace instanceof Workspace) {
+            abort(404);
+        }
+
+        if (! empty($workspace->archived_at)) {
+            abort(404);
+        }
+
+        $context = app(WorkspaceContext::class);
+
+        if (! $context->isMember($user, $workspace)) {
+            abort(404);
+        }
+
+        $context->setCurrentWorkspace($workspace, $user, $request);
+
+        $tenantsQuery = $user->tenants()
+            ->where('workspace_id', $workspace->getKey())
+            ->where('status', 'active');
+
+        $tenantCount = (int) $tenantsQuery->count();
+
+        if ($tenantCount === 0) {
+            return redirect()->route('admin.onboarding');
+        }
+
+        if ($tenantCount === 1) {
+            $tenant = $tenantsQuery->first();
+
+            if ($tenant !== null) {
+                return redirect()->to(TenantDashboard::getUrl(tenant: $tenant));
+            }
+        }
+
+        return redirect()->to(ChooseTenant::getUrl());
+    }
+}

app/Http/Middleware/EnsureWorkspaceMember.php

@@ -0,0 +1,51 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Models\User;
+use App\Models\Workspace;
+use App\Support\Workspaces\WorkspaceContext;
+use App\Support\Workspaces\WorkspaceResolver;
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureWorkspaceMember
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        $user = $request->user();
+
+        if (! $user instanceof User) {
+            return $next($request);
+        }
+
+        $workspaceParam = $request->route()?->parameter('workspace');
+
+        $workspace = $workspaceParam instanceof Workspace
+            ? $workspaceParam
+            : (is_scalar($workspaceParam)
+                ? app(WorkspaceResolver::class)->resolve((string) $workspaceParam)
+                : null);
+
+        if (! $workspace instanceof Workspace) {
+            abort(404);
+        }
+
+        /** @var WorkspaceContext $context */
+        $context = app(WorkspaceContext::class);
+
+        if (! $context->isMember($user, $workspace)) {
+            abort(404);
+        }
+
+        $context->setCurrentWorkspace($workspace, $user, $request);
+
+        return $next($request);
+    }
+}

app/Http/Middleware/EnsureWorkspaceSelected.php

@@ -0,0 +1,80 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Models\User;
+use App\Models\WorkspaceMembership;
+use App\Support\Workspaces\WorkspaceContext;
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response as HttpResponse;
+use Illuminate\Support\Facades\Schema;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureWorkspaceSelected
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        $routeName = $request->route()?->getName();
+
+        if (is_string($routeName) && str_contains($routeName, '.auth.')) {
+            return $next($request);
+        }
+
+        $path = '/'.ltrim($request->path(), '/');
+
+        if (str_starts_with($path, '/admin/t/')) {
+            return $next($request);
+        }
+
+        if ($path === '/livewire/update') {
+            $refererPath = parse_url((string) $request->headers->get('referer', ''), PHP_URL_PATH) ?? '';
+            $refererPath = '/'.ltrim((string) $refererPath, '/');
+
+            if (preg_match('#^/admin/operations/[^/]+$#', $refererPath) === 1) {
+                return $next($request);
+            }
+        }
+
+        if (preg_match('#^/admin/operations/[^/]+$#', $path) === 1) {
+            return $next($request);
+        }
+
+        if (in_array($path, ['/admin/no-access', '/admin/choose-workspace'], true)) {
+            return $next($request);
+        }
+
+        $user = $request->user();
+
+        if (! $user instanceof User) {
+            return $next($request);
+        }
+
+        /** @var WorkspaceContext $context */
+        $context = app(WorkspaceContext::class);
+
+        $workspace = $context->resolveInitialWorkspaceFor($user, $request);
+
+        if ($workspace !== null) {
+            return $next($request);
+        }
+
+        $membershipQuery = WorkspaceMembership::query()->where('user_id', $user->getKey());
+
+        $hasAnyActiveMembership = Schema::hasColumn('workspaces', 'archived_at')
+            ? $membershipQuery
+                ->join('workspaces', 'workspace_memberships.workspace_id', '=', 'workspaces.id')
+                ->whereNull('workspaces.archived_at')
+                ->exists()
+            : $membershipQuery->exists();
+
+        $target = $hasAnyActiveMembership ? '/admin/choose-workspace' : '/admin/no-access';
+
+        return new HttpResponse('', 302, ['Location' => $target]);
+    }
+}

app/Jobs/ProviderConnectionHealthCheckJob.php

@@ -7,11 +7,17 @@
 use App\Models\ProviderConnection;
 use App\Models\Tenant;
 use App\Models\User;
+use App\Services\Audit\WorkspaceAuditLogger;
+use App\Services\Intune\TenantPermissionService;
 use App\Services\OperationRunService;
+use App\Services\Providers\ProviderGateway;
 use App\Services\Providers\Contracts\HealthResult;
 use App\Services\Providers\MicrosoftProviderHealthCheck;
+use App\Support\Audit\AuditActionId;
 use App\Support\OperationRunOutcome;
 use App\Support\OperationRunStatus;
+use App\Support\Verification\TenantPermissionCheckClusters;
+use App\Support\Verification\VerificationReportWriter;
 use Illuminate\Bus\Queueable;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Bus\Dispatchable;
@@ -83,17 +89,146 @@ public function handle(
 
         $this->updateRunTargetScope($this->operationRun, $connection, $entraTenantName);
 
+        $permissionService = app(TenantPermissionService::class);
+
+            $graphOptions = null;
+
             if ($result->healthy) {
-            $runs->updateRun(
+                try {
+                    $graphOptions = app(ProviderGateway::class)->graphOptions($connection);
+                } catch (\Throwable) {
+                    $graphOptions = null;
+                }
+            }
+
+        $permissionComparison = $result->healthy
+                ? ($graphOptions === null
+                    ? $permissionService->compare(
+                        $tenant,
+                        persist: false,
+                        liveCheck: false,
+                        useConfiguredStub: false,
+                    )
+                    : $permissionService->compare(
+                        $tenant,
+                        persist: true,
+                        liveCheck: true,
+                        useConfiguredStub: false,
+                        graphOptions: $graphOptions,
+                    ))
+                : $permissionService->compare(
+                    $tenant,
+                    persist: false,
+                    liveCheck: false,
+                    useConfiguredStub: false,
+                );
+
+        $permissionRows = $permissionComparison['permissions'] ?? [];
+        $permissionRows = is_array($permissionRows) ? $permissionRows : [];
+
+        $inventory = null;
+
+        if (! $result->healthy) {
+            $inventory = [
+                'fresh' => false,
+                'reason_code' => $result->reasonCode ?? 'dependency_unreachable',
+                'message' => 'Provider connection check failed; permissions were not refreshed during this run.',
+            ];
+        } elseif ($graphOptions === null) {
+            $inventory = [
+                'fresh' => false,
+                'reason_code' => 'provider_credential_missing',
+                'message' => 'Provider credentials were unavailable; observed permissions inventory was not refreshed during this run.',
+            ];
+        } else {
+            $liveCheck = $permissionComparison['live_check'] ?? null;
+            $liveCheck = is_array($liveCheck) ? $liveCheck : [];
+
+            $reasonCode = is_string($liveCheck['reason_code'] ?? null) ? (string) $liveCheck['reason_code'] : 'dependency_unreachable';
+            $appId = is_string($liveCheck['app_id'] ?? null) && $liveCheck['app_id'] !== '' ? (string) $liveCheck['app_id'] : null;
+            $observedCount = is_numeric($liveCheck['observed_permissions_count'] ?? null)
+                ? (int) $liveCheck['observed_permissions_count']
+                : null;
+
+            $message = ($liveCheck['succeeded'] ?? false) === true
+                ? 'Observed permissions inventory refreshed successfully.'
+                : match ($reasonCode) {
+                    'permissions_inventory_empty' => $appId !== null
+                        ? sprintf('No application permissions were detected for app id %s. Verify admin consent was granted for this exact app registration, then retry verification.', $appId)
+                        : 'No application permissions were detected. Verify admin consent was granted for the configured app registration, then retry verification.',
+                    default => 'Unable to refresh observed permissions inventory during this run. Retry verification.',
+                };
+
+            $inventory = [
+                'fresh' => ($liveCheck['succeeded'] ?? false) === true,
+                'reason_code' => $reasonCode,
+                'message' => $message,
+                'app_id' => $appId,
+                'observed_permissions_count' => $observedCount,
+            ];
+        }
+
+        $permissionChecks = TenantPermissionCheckClusters::buildChecks($tenant, $permissionRows, $inventory);
+
+        $report = VerificationReportWriter::write(
+            run: $this->operationRun,
+            checks: [
+                [
+                    'key' => 'provider.connection.check',
+                    'title' => 'Provider connection check',
+                    'status' => $result->healthy ? 'pass' : 'fail',
+                    'severity' => $result->healthy ? 'info' : 'critical',
+                    'blocking' => ! $result->healthy,
+                    'reason_code' => $result->healthy ? 'ok' : ($result->reasonCode ?? 'unknown_error'),
+                    'message' => $result->healthy ? 'Connection is healthy.' : ($result->message ?? 'Health check failed.'),
+                    'evidence' => array_values(array_filter([
+                        [
+                            'kind' => 'provider_connection_id',
+                            'value' => (int) $connection->getKey(),
+                        ],
+                        [
+                            'kind' => 'entra_tenant_id',
+                            'value' => (string) $connection->entra_tenant_id,
+                        ],
+                        is_numeric($result->meta['http_status'] ?? null) ? [
+                            'kind' => 'http_status',
+                            'value' => (int) $result->meta['http_status'],
+                        ] : null,
+                        is_string($result->meta['organization_id'] ?? null) ? [
+                            'kind' => 'organization_id',
+                            'value' => (string) $result->meta['organization_id'],
+                        ] : null,
+                    ])),
+                    'next_steps' => $result->healthy
+                        ? []
+                        : [[
+                            'label' => 'Review provider connection',
+                            'url' => \App\Filament\Resources\ProviderConnectionResource::getUrl('edit', [
+                                'record' => (int) $connection->getKey(),
+                            ], tenant: $tenant),
+                        ]],
+                ],
+                ...$permissionChecks,
+            ],
+            identity: [
+                'provider_connection_id' => (int) $connection->getKey(),
+                'entra_tenant_id' => (string) $connection->entra_tenant_id,
+            ],
+        );
+
+        if ($result->healthy) {
+            $run = $runs->updateRun(
                 $this->operationRun,
                 status: OperationRunStatus::Completed->value,
                 outcome: OperationRunOutcome::Succeeded->value,
             );
 
+            $this->logVerificationCompletion($tenant, $user, $run, $report);
+
             return;
         }
 
-        $runs->updateRun(
+        $run = $runs->updateRun(
             $this->operationRun,
             status: OperationRunStatus::Completed->value,
             outcome: OperationRunOutcome::Failed->value,
@@ -103,6 +238,8 @@ public function handle(
                 'message' => $result->message ?? 'Health check failed.',
             ]],
         );
+
+        $this->logVerificationCompletion($tenant, $user, $run, $report);
     }
 
     private function resolveEntraTenantName(ProviderConnection $connection, HealthResult $result): ?string
@@ -145,4 +282,34 @@ private function applyHealthResult(ProviderConnection $connection, HealthResult
             'last_error_message' => $result->healthy ? null : $result->message,
         ]);
     }
+
+    /**
+     * @param  array<string, mixed>  $report
+     */
+    private function logVerificationCompletion(Tenant $tenant, User $actor, OperationRun $run, array $report): void
+    {
+        $workspace = $tenant->workspace;
+
+        if (! $workspace) {
+            return;
+        }
+
+        $counts = $report['summary']['counts'] ?? [];
+        $counts = is_array($counts) ? $counts : [];
+
+        app(WorkspaceAuditLogger::class)->log(
+            workspace: $workspace,
+            action: AuditActionId::VerificationCompleted->value,
+            context: [
+                'metadata' => [
+                    'operation_run_id' => (int) $run->getKey(),
+                    'counts' => $counts,
+                ],
+            ],
+            actor: $actor,
+            status: $run->outcome === OperationRunOutcome::Succeeded->value ? 'success' : 'failed',
+            resourceType: 'operation_run',
+            resourceId: (string) $run->getKey(),
+        );
+    }
 }

app/Livewire/BackupSetPolicyPickerTable.php

@@ -61,7 +61,7 @@ public static function externalIdShort(?string $externalId): string
     public function table(Table $table): Table
     {
         $backupSet = BackupSet::query()->find($this->backupSetId);
-        $tenantId = $backupSet?->tenant_id ?? Tenant::current()->getKey();
+        $tenantId = $backupSet?->tenant_id ?? Tenant::currentOrFail()->getKey();
         $existingPolicyIds = $backupSet
             ? $backupSet->items()->pluck('policy_id')->filter()->all()
             : [];

app/Models/OperationRun.php

@@ -21,11 +21,41 @@ class OperationRun extends Model
         'completed_at' => 'datetime',
     ];
 
+    protected static function booted(): void
+    {
+        static::creating(function (self $operationRun): void {
+            if ($operationRun->workspace_id !== null) {
+                return;
+            }
+
+            if ($operationRun->tenant_id === null) {
+                return;
+            }
+
+            $tenant = Tenant::query()->whereKey((int) $operationRun->tenant_id)->first();
+
+            if (! $tenant instanceof Tenant) {
+                return;
+            }
+
+            if ($tenant->workspace_id === null) {
+                return;
+            }
+
+            $operationRun->workspace_id = (int) $tenant->workspace_id;
+        });
+    }
+
     public function tenant(): BelongsTo
     {
         return $this->belongsTo(Tenant::class);
     }
 
+    public function workspace(): BelongsTo
+    {
+        return $this->belongsTo(Workspace::class);
+    }
+
     public function user(): BelongsTo
     {
         return $this->belongsTo(User::class);

app/Models/ProviderConnection.php

@@ -26,6 +26,11 @@ public function tenant(): BelongsTo
         return $this->belongsTo(Tenant::class);
     }
 
+    public function workspace(): BelongsTo
+    {
+        return $this->belongsTo(Workspace::class);
+    }
+
     public function credential(): HasOne
     {
         return $this->hasOne(ProviderCredential::class, 'provider_connection_id');

app/Models/Tenant.php

@@ -7,6 +7,7 @@
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Database\Eloquent\Relations\BelongsToMany;
 use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Database\Eloquent\Relations\HasManyThrough;
@@ -20,6 +21,14 @@ class Tenant extends Model implements HasName
     use HasFactory;
     use SoftDeletes;
 
+    public const STATUS_DRAFT = 'draft';
+
+    public const STATUS_ONBOARDING = 'onboarding';
+
+    public const STATUS_ACTIVE = 'active';
+
+    public const STATUS_ARCHIVED = 'archived';
+
     protected $guarded = [];
 
     protected $casts = [
@@ -68,7 +77,16 @@ protected static function booted(): void
             }
 
             if (empty($tenant->status)) {
-                $tenant->status = 'active';
+                $tenant->status = self::STATUS_ACTIVE;
+            }
+
+            if ($tenant->workspace_id === null && app()->runningUnitTests()) {
+                $workspace = Workspace::query()->create([
+                    'name' => 'Test Workspace',
+                    'slug' => 'test-'.Str::lower(Str::random(10)),
+                ]);
+
+                $tenant->workspace_id = (int) $workspace->getKey();
             }
         });
 
@@ -83,12 +101,12 @@ protected static function booted(): void
                 return;
             }
 
-            $tenant->status = 'archived';
+            $tenant->status = self::STATUS_ARCHIVED;
             $tenant->saveQuietly();
         });
 
         static::restored(function (Tenant $tenant) {
-            $tenant->forceFill(['status' => 'active'])->saveQuietly();
+            $tenant->forceFill(['status' => self::STATUS_ACTIVE])->saveQuietly();
         });
     }
 
@@ -96,12 +114,12 @@ public static function activeQuery(): Builder
     {
         return static::query()
             ->whereNull('deleted_at')
-            ->where('status', 'active');
+            ->where('status', self::STATUS_ACTIVE);
     }
 
     public function makeCurrent(): void
     {
-        if ($this->trashed() || $this->status !== 'active') {
+        if ($this->trashed() || $this->status !== self::STATUS_ACTIVE) {
             throw new RuntimeException('Only active tenants can be made current.');
         }
 
@@ -116,7 +134,7 @@ public function makeCurrent(): void
         $this->forceFill(['is_current' => true]);
     }
 
-    public static function current(): self
+    public static function current(): ?self
     {
         $filamentTenant = Filament::getTenant();
 
@@ -145,6 +163,13 @@ public static function current(): self
             ->where('is_current', true)
             ->first();
 
+        return $tenant;
+    }
+
+    public static function currentOrFail(): self
+    {
+        $tenant = static::current();
+
         if (! $tenant) {
             throw new RuntimeException('No current tenant selected.');
         }
@@ -152,11 +177,29 @@ public static function current(): self
         return $tenant;
     }
 
+    public function resolveRouteBinding($value, $field = null): ?Model
+    {
+        $field ??= $this->getRouteKeyName();
+
+        $query = static::query();
+
+        if ($field === 'external_id') {
+            $query = $query->withTrashed();
+        }
+
+        return $query->where($field, $value)->first();
+    }
+
     public function memberships(): HasMany
     {
         return $this->hasMany(TenantMembership::class);
     }
 
+    public function workspace(): BelongsTo
+    {
+        return $this->belongsTo(Workspace::class);
+    }
+
     public function roleMappings(): HasMany
     {
         return $this->hasMany(TenantRoleMapping::class);

app/Models/TenantOnboardingSession.php

@@ -0,0 +1,92 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+class TenantOnboardingSession extends Model
+{
+    /** @use HasFactory<\Database\Factories\TenantOnboardingSessionFactory> */
+    use HasFactory;
+
+    protected $table = 'managed_tenant_onboarding_sessions';
+
+    /**
+     * @var array<int, string>
+     */
+    public const STATE_ALLOWED_KEYS = [
+        'entra_tenant_id',
+        'tenant_id',
+        'tenant_name',
+        'environment',
+        'primary_domain',
+        'notes',
+        'provider_connection_id',
+        'selected_provider_connection_id',
+        'verification_operation_run_id',
+        'verification_run_id',
+        'bootstrap_operation_types',
+        'bootstrap_operation_runs',
+        'bootstrap_run_ids',
+        'connection_recently_updated',
+    ];
+
+    protected $guarded = [];
+
+    protected $casts = [
+        'state' => 'array',
+        'completed_at' => 'datetime',
+    ];
+
+    /**
+     * @param  array<string, mixed>|null  $value
+     */
+    public function setStateAttribute(?array $value): void
+    {
+        if ($value === null) {
+            $this->attributes['state'] = null;
+
+            return;
+        }
+
+        $allowed = array_intersect_key($value, array_flip(self::STATE_ALLOWED_KEYS));
+
+        $encoded = json_encode($allowed, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
+
+        $this->attributes['state'] = $encoded !== false ? $encoded : json_encode([], JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
+    }
+
+    /**
+     * @return BelongsTo<Workspace, $this>
+     */
+    public function workspace(): BelongsTo
+    {
+        return $this->belongsTo(Workspace::class);
+    }
+
+    /**
+     * @return BelongsTo<Tenant, $this>
+     */
+    public function tenant(): BelongsTo
+    {
+        return $this->belongsTo(Tenant::class);
+    }
+
+    /**
+     * @return BelongsTo<User, $this>
+     */
+    public function startedByUser(): BelongsTo
+    {
+        return $this->belongsTo(User::class, 'started_by_user_id');
+    }
+
+    /**
+     * @return BelongsTo<User, $this>
+     */
+    public function updatedByUser(): BelongsTo
+    {
+        return $this->belongsTo(User::class, 'updated_by_user_id');
+    }
+}

app/Models/User.php

@@ -3,6 +3,7 @@
 namespace App\Models;
 
 use App\Support\Auth\Capabilities;
+use App\Support\Workspaces\WorkspaceContext;
 use Filament\Models\Contracts\FilamentUser;
 use Filament\Models\Contracts\HasDefaultTenant;
 use Filament\Models\Contracts\HasTenants;
@@ -130,8 +131,8 @@ public function canAccessTenant(Model $tenant): bool
             return false;
         }
 
-        return $this->tenants()
+        return $this->tenantMemberships()
-            ->whereKey($tenant->getKey())
+            ->where('tenant_id', $tenant->getKey())
             ->exists();
     }
 
@@ -141,7 +142,10 @@ public function getTenants(Panel $panel): array|Collection
             return collect();
         }
 
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
+
         return $this->tenants()
+            ->when($workspaceId !== null, fn ($query) => $query->where('tenants.workspace_id', $workspaceId))
             ->where('status', 'active')
             ->orderBy('name')
             ->get();
@@ -153,6 +157,8 @@ public function getDefaultTenant(Panel $panel): ?Model
             return null;
         }
 
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
+
         $tenantId = null;
 
         if ($this->tenantPreferencesTableExists()) {
@@ -164,6 +170,7 @@ public function getDefaultTenant(Panel $panel): ?Model
 
         if ($tenantId !== null) {
             $tenant = $this->tenants()
+                ->when($workspaceId !== null, fn ($query) => $query->where('tenants.workspace_id', $workspaceId))
                 ->where('status', 'active')
                 ->whereKey($tenantId)
                 ->first();
@@ -174,6 +181,7 @@ public function getDefaultTenant(Panel $panel): ?Model
         }
 
         return $this->tenants()
+            ->when($workspaceId !== null, fn ($query) => $query->where('tenants.workspace_id', $workspaceId))
             ->where('status', 'active')
             ->orderBy('name')
             ->first();

app/Models/VerificationCheckAcknowledgement.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+class VerificationCheckAcknowledgement extends Model
+{
+    /** @use HasFactory<\Database\Factories\VerificationCheckAcknowledgementFactory> */
+    use HasFactory;
+
+    protected $guarded = [];
+
+    protected $casts = [
+        'expires_at' => 'datetime',
+        'acknowledged_at' => 'datetime',
+    ];
+
+    public function tenant(): BelongsTo
+    {
+        return $this->belongsTo(Tenant::class);
+    }
+
+    public function workspace(): BelongsTo
+    {
+        return $this->belongsTo(Workspace::class);
+    }
+
+    public function operationRun(): BelongsTo
+    {
+        return $this->belongsTo(OperationRun::class);
+    }
+
+    public function acknowledgedByUser(): BelongsTo
+    {
+        return $this->belongsTo(User::class, 'acknowledged_by_user_id');
+    }
+}
+

app/Models/Workspace.php

@@ -0,0 +1,43 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsToMany;
+use Illuminate\Database\Eloquent\Relations\HasMany;
+
+class Workspace extends Model
+{
+    /** @use HasFactory<\Database\Factories\WorkspaceFactory> */
+    use HasFactory;
+
+    protected $guarded = [];
+
+    /**
+     * @return HasMany<WorkspaceMembership, $this>
+     */
+    public function memberships(): HasMany
+    {
+        return $this->hasMany(WorkspaceMembership::class);
+    }
+
+    /**
+     * @return BelongsToMany<User, $this>
+     */
+    public function users(): BelongsToMany
+    {
+        return $this->belongsToMany(User::class, 'workspace_memberships')
+            ->using(WorkspaceMembership::class)
+            ->withPivot(['id', 'role'])
+            ->withTimestamps();
+    }
+
+    /**
+     * @return HasMany<Tenant, $this>
+     */
+    public function tenants(): HasMany
+    {
+        return $this->hasMany(Tenant::class);
+    }
+}

app/Models/WorkspaceMembership.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+class WorkspaceMembership extends Model
+{
+    /** @use HasFactory<\Database\Factories\WorkspaceMembershipFactory> */
+    use HasFactory;
+
+    protected $guarded = [];
+
+    /**
+     * @return BelongsTo<Workspace, $this>
+     */
+    public function workspace(): BelongsTo
+    {
+        return $this->belongsTo(Workspace::class);
+    }
+
+    /**
+     * @return BelongsTo<User, $this>
+     */
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+}

app/Notifications/OperationRunQueued.php

@@ -33,8 +33,20 @@ public function toDatabase(object $notifiable): array
     {
         $tenant = $this->run->tenant;
 
+        $context = is_array($this->run->context) ? $this->run->context : [];
+        $wizard = $context['wizard'] ?? null;
+
+        $isManagedTenantOnboardingWizardRun = is_array($wizard)
+            && ($wizard['flow'] ?? null) === 'managed_tenant_onboarding';
+
         $operationLabel = OperationCatalog::label((string) $this->run->type);
 
+        $runUrl = match (true) {
+            $isManagedTenantOnboardingWizardRun => OperationRunLinks::tenantlessView($this->run),
+            $tenant instanceof Tenant => OperationRunLinks::view($this->run, $tenant),
+            default => null,
+        };
+
         return FilamentNotification::make()
             ->title("{$operationLabel} queued")
             ->body('Queued. Monitor progress in Monitoring → Operations.')
@@ -42,7 +54,7 @@ public function toDatabase(object $notifiable): array
             ->actions([
                 \Filament\Actions\Action::make('view_run')
                     ->label('View run')
-                    ->url($tenant instanceof Tenant ? OperationRunLinks::view($this->run, $tenant) : null),
+                    ->url($runUrl),
             ])
             ->getDatabaseMessage();
     }

app/Policies/OperationRunPolicy.php

@@ -3,8 +3,9 @@
 namespace App\Policies;
 
 use App\Models\OperationRun;
-use App\Models\Tenant;
 use App\Models\User;
+use App\Models\WorkspaceMembership;
+use App\Support\Workspaces\WorkspaceContext;
 use Illuminate\Auth\Access\HandlesAuthorization;
 use Illuminate\Auth\Access\Response;
 
@@ -14,31 +15,31 @@ class OperationRunPolicy
 
     public function viewAny(User $user): bool
     {
-        $tenant = Tenant::current();
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
 
-        if (! $tenant) {
+        if ($workspaceId === null) {
             return false;
         }
 
-        return $user->canAccessTenant($tenant);
+        return WorkspaceMembership::query()
+            ->where('workspace_id', (int) $workspaceId)
+            ->where('user_id', (int) $user->getKey())
+            ->exists();
     }
 
     public function view(User $user, OperationRun $run): Response|bool
     {
-        $tenant = Tenant::current();
+        $workspaceId = (int) ($run->workspace_id ?? 0);
 
-        if (! $tenant) {
+        if ($workspaceId <= 0) {
-            return false;
-        }
-
-        if (! $user->canAccessTenant($tenant)) {
-            return false;
-        }
-
-        if ((int) $run->tenant_id !== (int) $tenant->getKey()) {
             return Response::denyAsNotFound();
         }
 
-        return true;
+        $isMember = WorkspaceMembership::query()
+            ->where('workspace_id', $workspaceId)
+            ->where('user_id', (int) $user->getKey())
+            ->exists();
+
+        return $isMember ? true : Response::denyAsNotFound();
     }
 }

app/Policies/ProviderConnectionPolicy.php

@@ -5,6 +5,8 @@
 use App\Models\ProviderConnection;
 use App\Models\Tenant;
 use App\Models\User;
+use App\Models\Workspace;
+use App\Support\Workspaces\WorkspaceContext;
 use Illuminate\Auth\Access\HandlesAuthorization;
 use Illuminate\Auth\Access\Response;
 use Illuminate\Support\Facades\Gate;
@@ -15,15 +17,31 @@ class ProviderConnectionPolicy
 
     public function viewAny(User $user): bool
     {
+        $workspace = $this->currentWorkspace();
+        if (! $workspace instanceof Workspace) {
+            return false;
+        }
+
         $tenant = Tenant::current();
 
-        return Gate::forUser($user)->allows('provider.view', $tenant);
+        return $tenant instanceof Tenant
+            && (int) $tenant->workspace_id === (int) $workspace->getKey()
+            && Gate::forUser($user)->allows('provider.view', $tenant);
     }
 
     public function view(User $user, ProviderConnection $connection): Response|bool
     {
+        $workspace = $this->currentWorkspace();
+        if (! $workspace instanceof Workspace) {
+            return Response::denyAsNotFound();
+        }
+
         $tenant = Tenant::current();
 
+        if (! $tenant instanceof Tenant || (int) $tenant->workspace_id !== (int) $workspace->getKey()) {
+            return Response::denyAsNotFound();
+        }
+
         if (! Gate::forUser($user)->allows('provider.view', $tenant)) {
             return false;
         }
@@ -32,20 +50,40 @@ public function view(User $user, ProviderConnection $connection): Response|bool
             return Response::denyAsNotFound();
         }
 
+        if ((int) $connection->workspace_id !== (int) $workspace->getKey()) {
+            return Response::denyAsNotFound();
+        }
+
         return true;
     }
 
     public function create(User $user): bool
     {
+        $workspace = $this->currentWorkspace();
+        if (! $workspace instanceof Workspace) {
+            return false;
+        }
+
         $tenant = Tenant::current();
 
-        return Gate::forUser($user)->allows('provider.manage', $tenant);
+        return $tenant instanceof Tenant
+            && (int) $tenant->workspace_id === (int) $workspace->getKey()
+            && Gate::forUser($user)->allows('provider.manage', $tenant);
     }
 
     public function update(User $user, ProviderConnection $connection): Response|bool
     {
+        $workspace = $this->currentWorkspace();
+        if (! $workspace instanceof Workspace) {
+            return Response::denyAsNotFound();
+        }
+
         $tenant = Tenant::current();
 
+        if (! $tenant instanceof Tenant || (int) $tenant->workspace_id !== (int) $workspace->getKey()) {
+            return Response::denyAsNotFound();
+        }
+
         if (! Gate::forUser($user)->allows('provider.view', $tenant)) {
             return false;
         }
@@ -54,13 +92,26 @@ public function update(User $user, ProviderConnection $connection): Response|boo
             return Response::denyAsNotFound();
         }
 
+        if ((int) $connection->workspace_id !== (int) $workspace->getKey()) {
+            return Response::denyAsNotFound();
+        }
+
         return true;
     }
 
     public function delete(User $user, ProviderConnection $connection): Response|bool
     {
+        $workspace = $this->currentWorkspace();
+        if (! $workspace instanceof Workspace) {
+            return Response::denyAsNotFound();
+        }
+
         $tenant = Tenant::current();
 
+        if (! $tenant instanceof Tenant || (int) $tenant->workspace_id !== (int) $workspace->getKey()) {
+            return Response::denyAsNotFound();
+        }
+
         if (! Gate::forUser($user)->allows('provider.manage', $tenant)) {
             return false;
         }
@@ -69,6 +120,19 @@ public function delete(User $user, ProviderConnection $connection): Response|boo
             return Response::denyAsNotFound();
         }
 
+        if ((int) $connection->workspace_id !== (int) $workspace->getKey()) {
+            return Response::denyAsNotFound();
+        }
+
         return false;
     }
+
+    private function currentWorkspace(): ?Workspace
+    {
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
+
+        return is_int($workspaceId)
+            ? Workspace::query()->whereKey($workspaceId)->first()
+            : null;
+    }
 }

app/Policies/WorkspaceMembershipPolicy.php

@@ -0,0 +1,108 @@
+<?php
+
+namespace App\Policies;
+
+use App\Models\User;
+use App\Models\Workspace;
+use App\Models\WorkspaceMembership;
+use App\Services\Auth\WorkspaceCapabilityResolver;
+use App\Support\Auth\Capabilities;
+use App\Support\Auth\WorkspaceRole;
+
+class WorkspaceMembershipPolicy
+{
+    /**
+     * Determine whether the user can view any models.
+     */
+    public function viewAny(User $user): bool
+    {
+        return true;
+    }
+
+    /**
+     * Determine whether the user can view the model.
+     */
+    public function view(User $user, WorkspaceMembership $workspaceMembership): bool
+    {
+        /** @var WorkspaceCapabilityResolver $resolver */
+        $resolver = app(WorkspaceCapabilityResolver::class);
+
+        return $resolver->can($user, $workspaceMembership->workspace, Capabilities::WORKSPACE_MEMBERSHIP_VIEW);
+    }
+
+    /**
+     * Determine whether the user can create models.
+     */
+    public function create(User $user): bool
+    {
+        return true;
+    }
+
+    /**
+     * Determine whether the user can update the model.
+     */
+    public function update(User $user, WorkspaceMembership $workspaceMembership): bool
+    {
+        if ($this->isLastOwner($workspaceMembership)) {
+            return false;
+        }
+
+        /** @var WorkspaceCapabilityResolver $resolver */
+        $resolver = app(WorkspaceCapabilityResolver::class);
+
+        return $resolver->can($user, $workspaceMembership->workspace, Capabilities::WORKSPACE_MEMBERSHIP_MANAGE);
+    }
+
+    /**
+     * Determine whether the user can delete the model.
+     */
+    public function delete(User $user, WorkspaceMembership $workspaceMembership): bool
+    {
+        if ($this->isLastOwner($workspaceMembership)) {
+            return false;
+        }
+
+        /** @var WorkspaceCapabilityResolver $resolver */
+        $resolver = app(WorkspaceCapabilityResolver::class);
+
+        return $resolver->can($user, $workspaceMembership->workspace, Capabilities::WORKSPACE_MEMBERSHIP_MANAGE);
+    }
+
+    /**
+     * Determine whether the user can restore the model.
+     */
+    public function restore(User $user, WorkspaceMembership $workspaceMembership): bool
+    {
+        return false;
+    }
+
+    /**
+     * Determine whether the user can permanently delete the model.
+     */
+    public function forceDelete(User $user, WorkspaceMembership $workspaceMembership): bool
+    {
+        return false;
+    }
+
+    public function manageForWorkspace(User $user, Workspace $workspace): bool
+    {
+        /** @var WorkspaceCapabilityResolver $resolver */
+        $resolver = app(WorkspaceCapabilityResolver::class);
+
+        return $resolver->can($user, $workspace, Capabilities::WORKSPACE_MEMBERSHIP_MANAGE);
+    }
+
+    private function isLastOwner(WorkspaceMembership $membership): bool
+    {
+        if ($membership->role !== WorkspaceRole::Owner->value) {
+            return false;
+        }
+
+        $ownerCount = WorkspaceMembership::query()
+            ->where('workspace_id', $membership->workspace_id)
+            ->where('role', WorkspaceRole::Owner->value)
+            ->count();
+
+        return $ownerCount <= 1;
+    }
+}

app/Policies/WorkspacePolicy.php

@@ -0,0 +1,74 @@
+<?php
+
+namespace App\Policies;
+
+use App\Models\User;
+use App\Models\Workspace;
+use App\Models\WorkspaceMembership;
+use App\Services\Auth\WorkspaceCapabilityResolver;
+use App\Support\Auth\Capabilities;
+
+class WorkspacePolicy
+{
+    /**
+     * Determine whether the user can view any models.
+     */
+    public function viewAny(User $user): bool
+    {
+        return true;
+    }
+
+    /**
+     * Determine whether the user can view the model.
+     */
+    public function view(User $user, Workspace $workspace): bool
+    {
+        return WorkspaceMembership::query()
+            ->where('user_id', $user->getKey())
+            ->where('workspace_id', $workspace->getKey())
+            ->exists();
+    }
+
+    /**
+     * Determine whether the user can create models.
+     */
+    public function create(User $user): bool
+    {
+        return true;
+    }
+
+    /**
+     * Determine whether the user can update the model.
+     */
+    public function update(User $user, Workspace $workspace): bool
+    {
+        /** @var WorkspaceCapabilityResolver $resolver */
+        $resolver = app(WorkspaceCapabilityResolver::class);
+
+        return $resolver->can($user, $workspace, Capabilities::WORKSPACE_MANAGE);
+    }
+
+    /**
+     * Determine whether the user can delete the model.
+     */
+    public function delete(User $user, Workspace $workspace): bool
+    {
+        return false;
+    }
+
+    /**
+     * Determine whether the user can restore the model.
+     */
+    public function restore(User $user, Workspace $workspace): bool
+    {
+        return false;
+    }
+
+    /**
+     * Determine whether the user can permanently delete the model.
+     */
+    public function forceDelete(User $user, Workspace $workspace): bool
+    {
+        return false;
+    }
+}

app/Providers/AuthServiceProvider.php

@@ -6,8 +6,10 @@
 use App\Models\ProviderConnection;
 use App\Models\Tenant;
 use App\Models\User;
+use App\Models\Workspace;
 use App\Policies\ProviderConnectionPolicy;
 use App\Services\Auth\CapabilityResolver;
+use App\Services\Auth\WorkspaceCapabilityResolver;
 use App\Support\Auth\Capabilities;
 use App\Support\Auth\PlatformCapabilities;
 use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
@@ -23,15 +25,36 @@ public function boot(): void
     {
         $this->registerPolicies();
 
-        $resolver = app(CapabilityResolver::class);
+        $tenantResolver = app(CapabilityResolver::class);
+        $workspaceResolver = app(WorkspaceCapabilityResolver::class);
 
-        $defineTenantCapability = function (string $capability) use ($resolver): void {
+        $defineTenantCapability = function (string $capability) use ($tenantResolver): void {
-            Gate::define($capability, function (User $user, Tenant $tenant) use ($resolver, $capability): bool {
+            Gate::define($capability, function (User $user, ?Tenant $tenant = null) use ($tenantResolver, $capability): bool {
-                return $resolver->can($user, $tenant, $capability);
+                if (! $tenant instanceof Tenant) {
+                    return false;
+                }
+
+                return $tenantResolver->can($user, $tenant, $capability);
+            });
+        };
+
+        $defineWorkspaceCapability = function (string $capability) use ($workspaceResolver): void {
+            Gate::define($capability, function (User $user, ?Workspace $workspace = null) use ($workspaceResolver, $capability): bool {
+                if (! $workspace instanceof Workspace) {
+                    return false;
+                }
+
+                return $workspaceResolver->can($user, $workspace, $capability);
             });
         };
 
         foreach (Capabilities::all() as $capability) {
+            if (str_starts_with($capability, 'workspace')) {
+                $defineWorkspaceCapability($capability);
+
+                continue;
+            }
+
             $defineTenantCapability($capability);
         }
 

app/Providers/Filament/AdminPanelProvider.php

@@ -4,9 +4,10 @@
 
 use App\Filament\Pages\Auth\Login;
 use App\Filament\Pages\ChooseTenant;
+use App\Filament\Pages\ChooseWorkspace;
 use App\Filament\Pages\NoAccess;
-use App\Filament\Pages\Tenancy\RegisterTenant;
 use App\Filament\Pages\TenantDashboard;
+use App\Filament\Resources\Workspaces\WorkspaceResource;
 use App\Models\Tenant;
 use App\Support\Middleware\DenyNonMemberTenantAccess;
 use Filament\Facades\Filament;
@@ -14,6 +15,7 @@
 use Filament\Http\Middleware\AuthenticateSession;
 use Filament\Http\Middleware\DisableBladeIconComponents;
 use Filament\Http\Middleware\DispatchServingFilamentEvent;
+use Filament\Navigation\NavigationItem;
 use Filament\Panel;
 use Filament\PanelProvider;
 use Filament\Support\Colors\Color;
@@ -37,21 +39,36 @@ public function panel(Panel $panel): Panel
             ->path('admin')
             ->login(Login::class)
             ->authenticatedRoutes(function (Panel $panel): void {
+                ChooseWorkspace::registerRoutes($panel);
                 ChooseTenant::registerRoutes($panel);
                 NoAccess::registerRoutes($panel);
+
+                WorkspaceResource::registerRoutes($panel);
             })
             ->tenant(Tenant::class, slugAttribute: 'external_id')
             ->tenantRoutePrefix('t')
             ->tenantMenu(fn (): bool => filled(Filament::getTenant()))
             ->searchableTenantMenu()
-            ->tenantRegistration(RegisterTenant::class)
             ->colors([
                 'primary' => Color::Amber,
             ])
+            ->navigationItems([
+                NavigationItem::make('Workspaces')
+                    ->url(function (): string {
+                        return route('filament.admin.resources.workspaces.index');
+                    })
+                    ->icon('heroicon-o-squares-2x2')
+                    ->group('Settings')
+                    ->sort(10),
+            ])
             ->renderHook(
                 PanelsRenderHook::HEAD_END,
                 fn () => view('filament.partials.livewire-intercept-shim')->render()
             )
+            ->renderHook(
+                PanelsRenderHook::USER_MENU_PROFILE_AFTER,
+                fn () => view('filament.partials.workspace-switcher')->render()
+            )
             ->renderHook(
                 PanelsRenderHook::BODY_END,
                 fn () => (bool) config('tenantpilot.bulk_operations.progress_widget_enabled', true)
@@ -79,6 +96,8 @@ public function panel(Panel $panel): Panel
                 VerifyCsrfToken::class,
                 SubstituteBindings::class,
                 'ensure-correct-guard:web',
+                'ensure-workspace-selected',
+                'ensure-filament-tenant-selected',
                 DenyNonMemberTenantAccess::class,
                 DisableBladeIconComponents::class,
                 DispatchServingFilamentEvent::class,

app/Services/Audit/WorkspaceAuditLogger.php

@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Audit;
+
+use App\Models\AuditLog;
+use App\Models\User;
+use App\Models\Workspace;
+use App\Support\Audit\AuditContextSanitizer;
+use Carbon\CarbonImmutable;
+
+class WorkspaceAuditLogger
+{
+    public function log(
+        Workspace $workspace,
+        string $action,
+        array $context = [],
+        ?User $actor = null,
+        string $status = 'success',
+        ?string $resourceType = null,
+        ?string $resourceId = null,
+        ?int $actorId = null,
+        ?string $actorEmail = null,
+        ?string $actorName = null,
+    ): AuditLog {
+        $metadata = $context['metadata'] ?? [];
+        unset($context['metadata']);
+
+        $metadata = is_array($metadata) ? $metadata : [];
+
+        $sanitizedMetadata = AuditContextSanitizer::sanitize($metadata + $context);
+
+        return AuditLog::create([
+            'tenant_id' => null,
+            'workspace_id' => (int) $workspace->getKey(),
+            'actor_id' => $actor?->getKey() ?? $actorId,
+            'actor_email' => $actor?->email ?? $actorEmail,
+            'actor_name' => $actor?->name ?? $actorName,
+            'action' => $action,
+            'resource_type' => $resourceType,
+            'resource_id' => $resourceId,
+            'status' => $status,
+            'metadata' => $sanitizedMetadata,
+            'recorded_at' => CarbonImmutable::now(),
+        ]);
+    }
+}

app/Services/Auth/PostLoginRedirectResolver.php

@@ -4,39 +4,27 @@
 
 namespace App\Services\Auth;
 
-use App\Filament\Pages\TenantDashboard;
-use App\Models\Tenant;
 use App\Models\User;
-use Illuminate\Support\Collection;
+use App\Models\WorkspaceMembership;
+use Illuminate\Support\Facades\Schema;
 
 class PostLoginRedirectResolver
 {
     public function resolve(User $user): string
     {
-        $tenants = $this->getActiveTenants($user);
+        $membershipQuery = WorkspaceMembership::query()->where('user_id', $user->getKey());
 
-        if ($tenants->isEmpty()) {
+        $hasAnyActiveMembership = Schema::hasColumn('workspaces', 'archived_at')
+            ? $membershipQuery
+                ->join('workspaces', 'workspace_memberships.workspace_id', '=', 'workspaces.id')
+                ->whereNull('workspaces.archived_at')
+                ->exists()
+            : $membershipQuery->exists();
+
+        if (! $hasAnyActiveMembership) {
             return '/admin/no-access';
         }
 
-        if ($tenants->count() === 1) {
+        return '/admin';
-            /** @var Tenant $tenant */
-            $tenant = $tenants->first();
-
-            return TenantDashboard::getUrl(tenant: $tenant);
-        }
-
-        return '/admin/choose-tenant';
-    }
-
-    /**
-     * @return Collection<int, Tenant>
-     */
-    private function getActiveTenants(User $user): Collection
-    {
-        return $user->tenants()
-            ->where('status', 'active')
-            ->orderBy('name')
-            ->get();
     }
 }

app/Services/Auth/RoleCapabilityMap.php

@@ -21,6 +21,7 @@ class RoleCapabilityMap
             Capabilities::TENANT_SYNC,
             Capabilities::TENANT_INVENTORY_SYNC_RUN,
             Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
+            Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE,
 
             Capabilities::TENANT_MEMBERSHIP_VIEW,
             Capabilities::TENANT_MEMBERSHIP_MANAGE,
@@ -44,6 +45,7 @@ class RoleCapabilityMap
             Capabilities::TENANT_SYNC,
             Capabilities::TENANT_INVENTORY_SYNC_RUN,
             Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
+            Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE,
 
             Capabilities::TENANT_MEMBERSHIP_VIEW,
 

app/Services/Auth/TenantDiagnosticsService.php

@@ -0,0 +1,114 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Auth;
+
+use App\Models\Tenant;
+use App\Models\TenantMembership;
+use App\Models\User;
+use App\Services\Intune\AuditLogger;
+use App\Support\Audit\AuditActionId;
+use Illuminate\Support\Facades\DB;
+
+class TenantDiagnosticsService
+{
+    public function __construct(public AuditLogger $auditLogger) {}
+
+    public function tenantHasNoOwners(Tenant $tenant): bool
+    {
+        return ! TenantMembership::query()
+            ->where('tenant_id', (int) $tenant->getKey())
+            ->where('role', 'owner')
+            ->exists();
+    }
+
+    public function userHasDuplicateMemberships(Tenant $tenant, User $user): bool
+    {
+        return TenantMembership::query()
+            ->where('tenant_id', (int) $tenant->getKey())
+            ->where('user_id', (int) $user->getKey())
+            ->count() > 1;
+    }
+
+    public function mergeDuplicateMembershipsForUser(Tenant $tenant, User $actor, User $member): void
+    {
+        DB::transaction(function () use ($tenant, $actor, $member): void {
+            $memberships = TenantMembership::query()
+                ->where('tenant_id', (int) $tenant->getKey())
+                ->where('user_id', (int) $member->getKey())
+                ->orderBy('created_at')
+                ->get();
+
+            if ($memberships->count() <= 1) {
+                return;
+            }
+
+            $roles = $memberships->pluck('role')->all();
+            $roleToKeep = $this->highestRole($roles);
+
+            $membershipToKeep = $memberships->firstWhere('role', $roleToKeep) ?? $memberships->first();
+            if (! $membershipToKeep instanceof TenantMembership) {
+                return;
+            }
+
+            $idsToDelete = $memberships
+                ->reject(fn (TenantMembership $m): bool => $m->getKey() === $membershipToKeep->getKey())
+                ->pluck($membershipToKeep->getKeyName())
+                ->all();
+
+            $membershipToKeep->forceFill([
+                'role' => $roleToKeep,
+            ])->save();
+
+            TenantMembership::query()
+                ->whereIn($membershipToKeep->getKeyName(), $idsToDelete)
+                ->delete();
+
+            $this->auditLogger->log(
+                tenant: $tenant,
+                action: AuditActionId::TenantMembershipDuplicatesMerged->value,
+                context: [
+                    'metadata' => [
+                        'member_user_id' => (int) $member->getKey(),
+                        'kept_membership_id' => (string) $membershipToKeep->getKey(),
+                        'deleted_membership_ids' => array_values(array_map('strval', $idsToDelete)),
+                        'result_role' => $roleToKeep,
+                        'source_roles' => $roles,
+                    ],
+                ],
+                actorId: (int) $actor->getKey(),
+                actorEmail: $actor->email,
+                actorName: $actor->name,
+                status: 'success',
+                resourceType: 'tenant',
+                resourceId: (string) $tenant->getKey(),
+            );
+        });
+    }
+
+    /**
+     * @param  array<int, string|null>  $roles
+     */
+    private function highestRole(array $roles): string
+    {
+        $priority = [
+            'owner' => 3,
+            'manager' => 2,
+            'readonly' => 1,
+        ];
+
+        $bestRole = 'readonly';
+        $bestScore = 0;
+
+        foreach ($roles as $role) {
+            $score = $priority[$role] ?? 0;
+            if ($score > $bestScore) {
+                $bestScore = $score;
+                $bestRole = (string) $role;
+            }
+        }
+
+        return $bestRole;
+    }
+}

app/Services/Auth/WorkspaceCapabilityResolver.php

@@ -0,0 +1,100 @@
+<?php
+
+namespace App\Services\Auth;
+
+use App\Models\User;
+use App\Models\Workspace;
+use App\Models\WorkspaceMembership;
+use App\Support\Auth\Capabilities;
+use App\Support\Auth\WorkspaceRole;
+use Illuminate\Support\Facades\Log;
+
+/**
+ * Workspace Capability Resolver
+ *
+ * Resolves user memberships and capabilities for a given workspace.
+ * Caches results per request to avoid N+1 queries.
+ */
+class WorkspaceCapabilityResolver
+{
+    private array $resolvedMemberships = [];
+
+    private array $loggedDenials = [];
+
+    public function getRole(User $user, Workspace $workspace): ?WorkspaceRole
+    {
+        $membership = $this->getMembership($user, $workspace);
+
+        if ($membership === null) {
+            return null;
+        }
+
+        return WorkspaceRole::tryFrom($membership['role']);
+    }
+
+    public function can(User $user, Workspace $workspace, string $capability): bool
+    {
+        if (! Capabilities::isKnown($capability)) {
+            throw new \InvalidArgumentException("Unknown capability: {$capability}");
+        }
+
+        $role = $this->getRole($user, $workspace);
+
+        if ($role === null) {
+            $this->logDenial($user, $workspace, $capability);
+
+            return false;
+        }
+
+        $allowed = WorkspaceRoleCapabilityMap::hasCapability($role, $capability);
+
+        if (! $allowed) {
+            $this->logDenial($user, $workspace, $capability);
+        }
+
+        return $allowed;
+    }
+
+    public function isMember(User $user, Workspace $workspace): bool
+    {
+        return $this->getMembership($user, $workspace) !== null;
+    }
+
+    public function clearCache(): void
+    {
+        $this->resolvedMemberships = [];
+    }
+
+    private function logDenial(User $user, Workspace $workspace, string $capability): void
+    {
+        $key = implode(':', [(string) $user->getKey(), (string) $workspace->getKey(), $capability]);
+
+        if (isset($this->loggedDenials[$key])) {
+            return;
+        }
+
+        $this->loggedDenials[$key] = true;
+
+        Log::warning('rbac.workspace.denied', [
+            'capability' => $capability,
+            'workspace_id' => (int) $workspace->getKey(),
+            'actor_user_id' => (int) $user->getKey(),
+        ]);
+    }
+
+    private function getMembership(User $user, Workspace $workspace): ?array
+    {
+        $cacheKey = "workspace_membership_{$user->id}_{$workspace->id}";
+
+        if (! isset($this->resolvedMemberships[$cacheKey])) {
+            $membership = WorkspaceMembership::query()
+                ->where('user_id', $user->id)
+                ->where('workspace_id', $workspace->id)
+                ->first(['role']);
+
+            $this->resolvedMemberships[$cacheKey] = $membership?->toArray();
+        }
+
+        return $this->resolvedMemberships[$cacheKey];
+    }
+}

app/Services/Auth/WorkspaceMembershipManager.php

@@ -0,0 +1,303 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Auth;
+
+use App\Models\User;
+use App\Models\Workspace;
+use App\Models\WorkspaceMembership;
+use App\Services\Audit\WorkspaceAuditLogger;
+use App\Support\Audit\AuditActionId;
+use App\Support\Auth\Capabilities;
+use App\Support\Auth\WorkspaceRole;
+use DomainException;
+use Illuminate\Support\Facades\DB;
+
+class WorkspaceMembershipManager
+{
+    public function __construct(public WorkspaceAuditLogger $auditLogger) {}
+
+    public function addMember(
+        Workspace $workspace,
+        User $actor,
+        User $member,
+        string $role,
+        string $source = 'manual',
+    ): WorkspaceMembership {
+        $this->assertValidRole($role);
+        $this->assertActorCanManage($actor, $workspace);
+
+        try {
+            return DB::transaction(function () use ($workspace, $actor, $member, $role, $source): WorkspaceMembership {
+                $existing = WorkspaceMembership::query()
+                    ->where('workspace_id', (int) $workspace->getKey())
+                    ->where('user_id', (int) $member->getKey())
+                    ->first();
+
+                if ($existing) {
+                    if ($existing->role !== $role) {
+                        $fromRole = (string) $existing->role;
+
+                        $this->guardLastOwnerDemotion($workspace, $existing, $role);
+
+                        $existing->forceFill([
+                            'role' => $role,
+                        ])->save();
+
+                        $this->auditLogger->log(
+                            workspace: $workspace,
+                            action: AuditActionId::WorkspaceMembershipRoleChange->value,
+                            context: [
+                                'metadata' => [
+                                    'member_user_id' => (int) $member->getKey(),
+                                    'from_role' => $fromRole,
+                                    'to_role' => $role,
+                                    'source' => $source,
+                                ],
+                            ],
+                            actor: $actor,
+                            status: 'success',
+                            resourceType: 'workspace',
+                            resourceId: (string) $workspace->getKey(),
+                        );
+                    }
+
+                    return $existing->refresh();
+                }
+
+                $membership = WorkspaceMembership::query()->create([
+                    'workspace_id' => (int) $workspace->getKey(),
+                    'user_id' => (int) $member->getKey(),
+                    'role' => $role,
+                ]);
+
+                $this->auditLogger->log(
+                    workspace: $workspace,
+                    action: AuditActionId::WorkspaceMembershipAdd->value,
+                    context: [
+                        'metadata' => [
+                            'member_user_id' => (int) $member->getKey(),
+                            'role' => $role,
+                            'source' => $source,
+                        ],
+                    ],
+                    actor: $actor,
+                    status: 'success',
+                    resourceType: 'workspace',
+                    resourceId: (string) $workspace->getKey(),
+                );
+
+                return $membership;
+            });
+        } catch (DomainException $exception) {
+            if ($exception->getMessage() === 'You cannot demote the last remaining owner.') {
+                $this->auditLastOwnerBlocked(
+                    workspace: $workspace,
+                    actor: $actor,
+                    targetUserId: (int) $member->getKey(),
+                    attemptedRole: $role,
+                    currentRole: WorkspaceRole::Owner->value,
+                    attemptedAction: 'role_change',
+                );
+            }
+
+            throw $exception;
+        }
+    }
+
+    public function changeRole(Workspace $workspace, User $actor, WorkspaceMembership $membership, string $newRole): WorkspaceMembership
+    {
+        $this->assertValidRole($newRole);
+        $this->assertActorCanManage($actor, $workspace);
+
+        try {
+            return DB::transaction(function () use ($workspace, $actor, $membership, $newRole): WorkspaceMembership {
+                $membership->refresh();
+
+                if ($membership->workspace_id !== (int) $workspace->getKey()) {
+                    throw new DomainException('Membership belongs to a different workspace.');
+                }
+
+                $oldRole = (string) $membership->role;
+
+                if ($oldRole === $newRole) {
+                    return $membership;
+                }
+
+                $this->guardLastOwnerDemotion($workspace, $membership, $newRole);
+
+                $membership->forceFill([
+                    'role' => $newRole,
+                ])->save();
+
+                $this->auditLogger->log(
+                    workspace: $workspace,
+                    action: AuditActionId::WorkspaceMembershipRoleChange->value,
+                    context: [
+                        'metadata' => [
+                            'member_user_id' => (int) $membership->user_id,
+                            'from_role' => $oldRole,
+                            'to_role' => $newRole,
+                        ],
+                    ],
+                    actor: $actor,
+                    status: 'success',
+                    resourceType: 'workspace',
+                    resourceId: (string) $workspace->getKey(),
+                );
+
+                return $membership->refresh();
+            });
+        } catch (DomainException $exception) {
+            if ($exception->getMessage() === 'You cannot demote the last remaining owner.') {
+                $this->auditLastOwnerBlocked(
+                    workspace: $workspace,
+                    actor: $actor,
+                    targetUserId: (int) $membership->user_id,
+                    attemptedRole: $newRole,
+                    currentRole: (string) $membership->role,
+                    attemptedAction: 'role_change',
+                );
+            }
+
+            throw $exception;
+        }
+    }
+
+    public function removeMember(Workspace $workspace, User $actor, WorkspaceMembership $membership): void
+    {
+        $this->assertActorCanManage($actor, $workspace);
+
+        try {
+            DB::transaction(function () use ($workspace, $actor, $membership): void {
+                $membership->refresh();
+
+                if ($membership->workspace_id !== (int) $workspace->getKey()) {
+                    throw new DomainException('Membership belongs to a different workspace.');
+                }
+
+                $this->guardLastOwnerRemoval($workspace, $membership);
+
+                $memberUserId = (int) $membership->user_id;
+                $oldRole = (string) $membership->role;
+
+                $membership->delete();
+
+                $this->auditLogger->log(
+                    workspace: $workspace,
+                    action: AuditActionId::WorkspaceMembershipRemove->value,
+                    context: [
+                        'metadata' => [
+                            'member_user_id' => $memberUserId,
+                            'role' => $oldRole,
+                        ],
+                    ],
+                    actor: $actor,
+                    status: 'success',
+                    resourceType: 'workspace',
+                    resourceId: (string) $workspace->getKey(),
+                );
+            });
+        } catch (DomainException $exception) {
+            if ($exception->getMessage() === 'You cannot remove the last remaining owner.') {
+                $this->auditLastOwnerBlocked(
+                    workspace: $workspace,
+                    actor: $actor,
+                    targetUserId: (int) $membership->user_id,
+                    attemptedRole: (string) $membership->role,
+                    currentRole: (string) $membership->role,
+                    attemptedAction: 'remove',
+                );
+            }
+
+            throw $exception;
+        }
+    }
+
+    private function assertActorCanManage(User $actor, Workspace $workspace): void
+    {
+        /** @var WorkspaceCapabilityResolver $resolver */
+        $resolver = app(WorkspaceCapabilityResolver::class);
+
+        if (! $resolver->can($actor, $workspace, Capabilities::WORKSPACE_MEMBERSHIP_MANAGE)) {
+            throw new DomainException('Forbidden.');
+        }
+    }
+
+    private function assertValidRole(string $role): void
+    {
+        $valid = array_map(
+            static fn (WorkspaceRole $workspaceRole): string => $workspaceRole->value,
+            WorkspaceRole::cases(),
+        );
+
+        if (! in_array($role, $valid, true)) {
+            throw new DomainException('Invalid role.');
+        }
+    }
+
+    private function guardLastOwnerDemotion(Workspace $workspace, WorkspaceMembership $membership, string $newRole): void
+    {
+        if ($membership->role !== WorkspaceRole::Owner->value) {
+            return;
+        }
+
+        if ($newRole === WorkspaceRole::Owner->value) {
+            return;
+        }
+
+        $owners = WorkspaceMembership::query()
+            ->where('workspace_id', (int) $workspace->getKey())
+            ->where('role', WorkspaceRole::Owner->value)
+            ->count();
+
+        if ($owners <= 1) {
+            throw new DomainException('You cannot demote the last remaining owner.');
+        }
+    }
+
+    private function guardLastOwnerRemoval(Workspace $workspace, WorkspaceMembership $membership): void
+    {
+        if ($membership->role !== WorkspaceRole::Owner->value) {
+            return;
+        }
+
+        $owners = WorkspaceMembership::query()
+            ->where('workspace_id', (int) $workspace->getKey())
+            ->where('role', WorkspaceRole::Owner->value)
+            ->count();
+
+        if ($owners <= 1) {
+            throw new DomainException('You cannot remove the last remaining owner.');
+        }
+    }
+
+    private function auditLastOwnerBlocked(
+        Workspace $workspace,
+        User $actor,
+        int $targetUserId,
+        string $attemptedRole,
+        string $currentRole,
+        string $attemptedAction,
+    ): void {
+        $this->auditLogger->log(
+            workspace: $workspace,
+            action: AuditActionId::WorkspaceMembershipLastOwnerBlocked->value,
+            context: [
+                'metadata' => [
+                    'workspace_id' => (int) $workspace->getKey(),
+                    'actor_user_id' => (int) $actor->getKey(),
+                    'target_user_id' => $targetUserId,
+                    'attempted_role' => $attemptedRole,
+                    'current_role' => $currentRole,
+                    'attempted_action' => $attemptedAction,
+                ],
+            ],
+            actor: $actor,
+            status: 'blocked',
+            resourceType: 'workspace',
+            resourceId: (string) $workspace->getKey(),
+        );
+    }
+}

app/Services/Auth/WorkspaceRoleCapabilityMap.php

@@ -0,0 +1,96 @@
+<?php
+
+namespace App\Services\Auth;
+
+use App\Support\Auth\Capabilities;
+use App\Support\Auth\WorkspaceRole;
+
+/**
+ * Workspace Role to Capability Mapping (Single Source of Truth)
+ *
+ * This class defines which capabilities each workspace role has.
+ * All capability strings MUST be references from the Capabilities registry.
+ */
+class WorkspaceRoleCapabilityMap
+{
+    /**
+     * @var array<string, array<int, string>>
+     */
+    private static array $roleCapabilities = [
+        WorkspaceRole::Owner->value => [
+            Capabilities::WORKSPACE_VIEW,
+            Capabilities::WORKSPACE_MANAGE,
+            Capabilities::WORKSPACE_ARCHIVE,
+            Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
+            Capabilities::WORKSPACE_MEMBERSHIP_MANAGE,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_IDENTIFY,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_MANAGE,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_ACTIVATE,
+        ],
+
+        WorkspaceRole::Manager->value => [
+            Capabilities::WORKSPACE_VIEW,
+            Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
+            Capabilities::WORKSPACE_MEMBERSHIP_MANAGE,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_IDENTIFY,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_MANAGE,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
+        ],
+
+        WorkspaceRole::Operator->value => [
+            Capabilities::WORKSPACE_VIEW,
+            Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
+            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
+        ],
+
+        WorkspaceRole::Readonly->value => [
+            Capabilities::WORKSPACE_VIEW,
+        ],
+    ];
+
+    /**
+     * @return array<string>
+     */
+    public static function getCapabilities(WorkspaceRole|string $role): array
+    {
+        $roleValue = $role instanceof WorkspaceRole ? $role->value : $role;
+
+        return self::$roleCapabilities[$roleValue] ?? [];
+    }
+
+    /**
+     * @return array<string>
+     */
+    public static function rolesWithCapability(string $capability): array
+    {
+        $roles = [];
+
+        foreach (self::$roleCapabilities as $role => $capabilities) {
+            if (in_array($capability, $capabilities, true)) {
+                $roles[] = $role;
+            }
+        }
+
+        return $roles;
+    }
+
+    public static function hasCapability(WorkspaceRole|string $role, string $capability): bool
+    {
+        return in_array($capability, self::getCapabilities($role), true);
+    }
+}

app/Services/Graph/GraphContractRegistry.php

@@ -6,6 +6,25 @@
 
 class GraphContractRegistry
 {
+    public function probePath(string $key, array $replacements = []): ?string
+    {
+        $path = config("graph_contracts.probes.$key.path");
+
+        if (! is_string($path) || $path === '') {
+            return null;
+        }
+
+        foreach ($replacements as $placeholder => $value) {
+            if (! is_string($placeholder) || $placeholder === '') {
+                continue;
+            }
+
+            $path = str_replace($placeholder, urlencode((string) $value), $path);
+        }
+
+        return '/'.ltrim($path, '/');
+    }
+
     public function directoryGroupsPolicyType(): string
     {
         return 'directoryGroups';

app/Services/Graph/MicrosoftGraphClient.php

@@ -409,7 +409,20 @@ private function shouldApplySelectFallback(GraphResponse $graphResponse, array $
     public function getOrganization(array $options = []): GraphResponse
     {
         $context = $this->resolveContext($options);
-        $endpoint = 'organization';
+        $endpoint = $this->contracts->probePath('organization');
+
+        if (! is_string($endpoint) || $endpoint === '') {
+            return new GraphResponse(
+                success: false,
+                data: [],
+                status: 500,
+                errors: [[
+                    'message' => 'Graph contract missing for probe: organization',
+                ]],
+            );
+        }
+
+        $endpoint = ltrim($endpoint, '/');
         $clientRequestId = $options['client_request_id'] ?? (string) Str::uuid();
         $fullPath = $this->buildFullPath($endpoint);
 
@@ -479,14 +492,27 @@ public function getServicePrincipalPermissions(array $options = []): GraphRespon
         $clientRequestId = $options['client_request_id'] ?? (string) Str::uuid();
 
         // First, get the service principal object by clientId (appId)
-        $endpoint = "servicePrincipals?\$filter=appId eq '{$clientId}'";
+        $endpoint = $this->contracts->probePath('service_principal_by_app_id', ['{appId}' => $clientId]);
+
+        if (! is_string($endpoint) || $endpoint === '') {
+            return new GraphResponse(
+                success: false,
+                data: [],
+                status: 500,
+                errors: [[
+                    'message' => 'Graph contract missing for probe: service_principal_by_app_id',
+                ]],
+            );
+        }
+
+        $endpoint = ltrim($endpoint, '/');
 
         $this->logger->logRequest('get_service_principal', [
             'endpoint' => $endpoint,
             'client_id' => $clientId,
             'tenant' => $context['tenant'],
             'method' => 'GET',
-            'full_path' => $endpoint,
+            'full_path' => $this->buildFullPath($endpoint),
             'client_request_id' => $clientRequestId,
         ]);
 
@@ -528,14 +554,30 @@ public function getServicePrincipalPermissions(array $options = []): GraphRespon
         }
 
         // Now get the app role assignments (application permissions)
-        $assignmentsEndpoint = "servicePrincipals/{$servicePrincipalId}/appRoleAssignments";
+        $assignmentsEndpoint = $this->contracts->probePath(
+            'service_principal_app_role_assignments',
+            ['{servicePrincipalId}' => $servicePrincipalId],
+        );
+
+        if (! is_string($assignmentsEndpoint) || $assignmentsEndpoint === '') {
+            return new GraphResponse(
+                success: false,
+                data: [],
+                status: 500,
+                errors: [[
+                    'message' => 'Graph contract missing for probe: service_principal_app_role_assignments',
+                ]],
+            );
+        }
+
+        $assignmentsEndpoint = ltrim($assignmentsEndpoint, '/');
 
         $this->logger->logRequest('get_app_role_assignments', [
             'endpoint' => $assignmentsEndpoint,
             'service_principal_id' => $servicePrincipalId,
             'tenant' => $context['tenant'],
             'method' => 'GET',
-            'full_path' => $assignmentsEndpoint,
+            'full_path' => $this->buildFullPath($assignmentsEndpoint),
             'client_request_id' => $clientRequestId,
         ]);
 
@@ -545,29 +587,68 @@ public function getServicePrincipalPermissions(array $options = []): GraphRespon
             action: 'get_service_principal_permissions',
             response: $assignmentsResponse,
             transform: function (array $json) use ($context) {
-                $assignments = $json['value'] ?? [];
+                $assignments = is_array($json['value'] ?? null) ? $json['value'] : [];
+                $assignmentsTotal = count($assignments);
                 $permissions = [];
 
                 // Get Microsoft Graph service principal to map role IDs to permission names
-                $graphSpEndpoint = "servicePrincipals?\$filter=appId eq '00000003-0000-0000-c000-000000000000'";
+                $graphSpEndpoint = $this->contracts->probePath(
-                $graphSpResponse = $this->send('GET', $graphSpEndpoint, [], $context);
+                    'service_principal_by_app_id',
-                $graphSps = $graphSpResponse->json('value', []);
+                    ['{appId}' => '00000003-0000-0000-c000-000000000000'],
-                $appRoles = $graphSps[0]['appRoles'] ?? [];
+                );
+
+                $graphSpResponse = null;
+
+                if (is_string($graphSpEndpoint) && $graphSpEndpoint !== '') {
+                    $graphSpResponse = $this->send('GET', ltrim($graphSpEndpoint, '/'), [], $context);
+                }
+
+                $graphSps = $graphSpResponse instanceof Response
+                    ? $graphSpResponse->json('value', [])
+                    : [];
+                $appRoles = is_array($graphSps[0]['appRoles'] ?? null) ? $graphSps[0]['appRoles'] : [];
 
                 // Map role IDs to permission names
                 $roleMap = [];
                 foreach ($appRoles as $role) {
-                    $roleMap[$role['id']] = $role['value'];
+                    $roleId = $role['id'] ?? null;
+                    $value = $role['value'] ?? null;
+
+                    if (! is_string($roleId) || $roleId === '') {
+                        continue;
+                    }
+
+                    if (! is_string($value) || $value === '') {
+                        continue;
+                    }
+
+                    $roleMap[strtolower($roleId)] = $value;
                 }
 
                 foreach ($assignments as $assignment) {
                     $roleId = $assignment['appRoleId'] ?? null;
-                    if ($roleId && isset($roleMap[$roleId])) {
+
-                        $permissions[] = $roleMap[$roleId];
+                    if (! is_string($roleId) || $roleId === '') {
+                        continue;
+                    }
+
+                    $normalizedRoleId = strtolower($roleId);
+
+                    if (isset($roleMap[$normalizedRoleId])) {
+                        $permissions[] = $roleMap[$normalizedRoleId];
                     }
                 }
 
-                return ['permissions' => $permissions];
+                $permissions = array_values(array_unique($permissions));
+
+                return [
+                    'permissions' => $permissions,
+                    'diagnostics' => [
+                        'assignments_total' => $assignmentsTotal,
+                        'mapped_total' => count($permissions),
+                        'graph_roles_total' => count($roleMap),
+                    ],
+                ];
             },
             meta: [
                 'tenant' => $context['tenant'] ?? null,

app/Services/Intune/AuditLogger.php

@@ -4,6 +4,7 @@
 
 use App\Models\AuditLog;
 use App\Models\Tenant;
+use App\Support\Audit\AuditContextSanitizer;
 use Carbon\CarbonImmutable;
 
 class AuditLogger
@@ -22,6 +23,10 @@ public function log(
         $metadata = $context['metadata'] ?? [];
         unset($context['metadata']);
 
+        $metadata = is_array($metadata) ? $metadata : [];
+
+        $sanitizedMetadata = AuditContextSanitizer::sanitize($metadata + $context);
+
         return AuditLog::create([
             'tenant_id' => $tenant->id,
             'actor_id' => $actorId,
@@ -31,7 +36,7 @@ public function log(
             'resource_type' => $resourceType,
             'resource_id' => $resourceId,
             'status' => $status,
-            'metadata' => $metadata + $context,
+            'metadata' => $sanitizedMetadata,
             'recorded_at' => CarbonImmutable::now(),
         ]);
     }

app/Services/Intune/TenantPermissionService.php

@@ -40,27 +40,79 @@ public function getGrantedPermissions(Tenant $tenant): array
      * @param  bool  $persist  Persist comparison results to tenant_permissions
      * @param  bool  $liveCheck  If true, fetch actual permissions from Graph API
      * @param  bool  $useConfiguredStub  Include configured stub permissions when no live check is used
-     * @return array{overall_status:string,permissions:array<int,array{key:string,type:string,description:?string,features:array<int,string>,status:string,details:array<string,mixed>|null}>}
+     * @param  array{tenant?:string|null,client_id?:string|null,client_secret?:string|null,client_request_id?:string|null}|null  $graphOptions
+     * @return array{
+     *   overall_status:string,
+     *   permissions:array<int,array{key:string,type:string,description:?string,features:array<int,string>,status:string,details:array<string,mixed>|null}>,
+     *   live_check?: array{attempted:bool,succeeded:bool,http_status:?int,reason_code:?string}
+     * }
      */
     public function compare(
         Tenant $tenant,
         ?array $grantedStatuses = null,
         bool $persist = true,
         bool $liveCheck = false,
-        bool $useConfiguredStub = true
+        bool $useConfiguredStub = true,
+        ?array $graphOptions = null,
     ): array {
         $required = $this->getRequiredPermissions();
+        $liveCheckMeta = [
+            'attempted' => false,
+            'succeeded' => false,
+            'http_status' => null,
+            'reason_code' => null,
+        ];
+
         $liveCheckFailed = false;
         $liveCheckDetails = null;
 
         // If liveCheck is requested, fetch actual permissions from Graph
         if ($liveCheck && $grantedStatuses === null) {
-            $grantedStatuses = $this->fetchLivePermissions($tenant);
+            $liveCheckMeta['attempted'] = true;
+
+            $appId = null;
+            if (is_array($graphOptions) && is_string($graphOptions['client_id'] ?? null) && $graphOptions['client_id'] !== '') {
+                $appId = (string) $graphOptions['client_id'];
+            } elseif (is_string($tenant->graphOptions()['client_id'] ?? null) && $tenant->graphOptions()['client_id'] !== '') {
+                $appId = (string) $tenant->graphOptions()['client_id'];
+            }
+
+            if ($appId !== null) {
+                $liveCheckMeta['app_id'] = $appId;
+            }
+
+            $grantedStatuses = $this->fetchLivePermissions($tenant, $graphOptions);
 
             if (isset($grantedStatuses['__error'])) {
                 $liveCheckFailed = true;
-                $liveCheckDetails = $grantedStatuses['__error']['details'] ?? null;
+                $liveCheckError = is_array($grantedStatuses['__error'] ?? null) ? $grantedStatuses['__error'] : null;
+                $liveCheckDetails = is_array($liveCheckError['details'] ?? null)
+                    ? $liveCheckError['details']
+                    : (is_array($liveCheckError) ? $liveCheckError : null);
+
+                $httpStatus = $liveCheckDetails['status'] ?? null;
+                $liveCheckMeta['http_status'] = is_int($httpStatus) ? $httpStatus : null;
+                $liveCheckMeta['reason_code'] = $this->deriveLiveCheckReasonCode(
+                    $liveCheckMeta['http_status'],
+                    is_array($liveCheckDetails) ? $liveCheckDetails : null,
+                );
+
                 unset($grantedStatuses['__error']);
+                $grantedStatuses = null;
+            } else {
+                $observedCount = is_array($grantedStatuses) ? count($grantedStatuses) : 0;
+                $liveCheckMeta['observed_permissions_count'] = $observedCount;
+
+                if ($observedCount === 0) {
+                    // Enterprise-safe: if the live refresh produced an empty inventory, treat it as non-fresh.
+                    // This prevents false "missing" findings due to partial/misconfigured verification context.
+                    $liveCheckMeta['succeeded'] = false;
+                    $liveCheckMeta['reason_code'] = 'permissions_inventory_empty';
+                    $grantedStatuses = null;
+                } else {
+                    $liveCheckMeta['succeeded'] = true;
+                    $liveCheckMeta['reason_code'] = 'ok';
+                }
             }
         }
 
@@ -81,16 +133,29 @@ public function compare(
         $hasErrors = false;
         $checkedAt = now();
 
+        $canPersist = $persist;
+
+        if ($liveCheckMeta['attempted'] === true && $liveCheckMeta['succeeded'] === false) {
+            // Enterprise-safe: never overwrite stored inventory when we could not refresh it.
+            $canPersist = false;
+        }
+
         foreach ($required as $permission) {
             $key = $permission['key'];
             $status = $liveCheckFailed
                 ? 'error'
                 : ($granted[$key]['status'] ?? 'missing');
+
             $details = $liveCheckFailed
-                ? ($liveCheckDetails ?? ['source' => 'graph_api'])
+                ? array_filter([
+                    'source' => 'graph_api',
+                    'status' => $liveCheckMeta['http_status'],
+                    'reason_code' => $liveCheckMeta['reason_code'],
+                    'message' => is_array($liveCheckDetails) ? ($liveCheckDetails['message'] ?? null) : null,
+                ], fn (mixed $value): bool => $value !== null)
                 : ($granted[$key]['details'] ?? null);
 
-            if ($persist) {
+            if ($canPersist) {
                 TenantPermission::updateOrCreate(
                     [
                         'tenant_id' => $tenant->id,
@@ -123,10 +188,36 @@ public function compare(
             default => 'granted',
         };
 
-        return [
+        $payload = [
             'overall_status' => $overall,
             'permissions' => $results,
         ];
+
+        if ($liveCheckMeta['attempted'] === true) {
+            $payload['live_check'] = $liveCheckMeta;
+        }
+
+        return $payload;
+    }
+
+    /**
+     * @param  array<string, mixed>|null  $details
+     */
+    private function deriveLiveCheckReasonCode(?int $httpStatus, ?array $details = null): string
+    {
+        if (is_array($details) && is_string($details['reason_code'] ?? null)) {
+            return (string) $details['reason_code'];
+        }
+
+        return match (true) {
+            $httpStatus === 401 => 'authentication_failed',
+            $httpStatus === 403 => 'permission_denied',
+            $httpStatus === 408 => 'dependency_unreachable',
+            $httpStatus === 429 => 'throttled',
+            is_int($httpStatus) && $httpStatus >= 500 => 'dependency_unreachable',
+            is_int($httpStatus) && $httpStatus >= 400 => 'unknown_error',
+            default => is_array($details) && is_string($details['message'] ?? null) ? 'dependency_unreachable' : 'unknown_error',
+        };
     }
 
     /**
@@ -211,11 +302,11 @@ private function configuredGrantedKeys(): array
      *
      * @return array<string, array{status:string,details:array<string,mixed>|null}>
      */
-    private function fetchLivePermissions(Tenant $tenant): array
+    private function fetchLivePermissions(Tenant $tenant, ?array $graphOptions = null): array
     {
         try {
             $response = $this->graphClient->getServicePrincipalPermissions(
-                $tenant->graphOptions()
+                $graphOptions ?? $tenant->graphOptions()
             );
 
             if (! $response->success) {
@@ -232,6 +323,25 @@ private function fetchLivePermissions(Tenant $tenant): array
             }
 
             $grantedPermissions = $response->data['permissions'] ?? [];
+            $diagnostics = is_array($response->data['diagnostics'] ?? null) ? $response->data['diagnostics'] : null;
+            $assignmentsTotal = is_array($diagnostics) ? (int) ($diagnostics['assignments_total'] ?? 0) : 0;
+            $mappedTotal = is_array($diagnostics) ? (int) ($diagnostics['mapped_total'] ?? 0) : null;
+
+            if ($assignmentsTotal > 0 && $mappedTotal === 0) {
+                return [
+                    '__error' => [
+                        'status' => 'error',
+                        'details' => [
+                            'source' => 'graph_api',
+                            'status' => $response->status,
+                            'reason_code' => 'permission_mapping_failed',
+                            'message' => 'Graph returned app role assignments, but the system could not map them to permission values.',
+                            'diagnostics' => $diagnostics,
+                        ],
+                    ],
+                ];
+            }
+
             $normalized = [];
 
             foreach ($grantedPermissions as $permission) {

app/Services/Intune/TenantRequiredPermissionsViewModelBuilder.php

@@ -0,0 +1,389 @@
+<?php
+
+namespace App\Services\Intune;
+
+use App\Models\Tenant;
+use App\Support\Verification\VerificationReportOverall;
+
+class TenantRequiredPermissionsViewModelBuilder
+{
+    /**
+     * @phpstan-type TenantPermissionRow array{key:string,type:'application'|'delegated',description:?string,features:array<int,string>,status:'granted'|'missing'|'error',details:array<string,mixed>|null}
+     * @phpstan-type FeatureImpact array{feature:string,missing:int,required_application:int,required_delegated:int,blocked:bool}
+     * @phpstan-type FilterState array{status:'missing'|'present'|'all',type:'application'|'delegated'|'all',features:array<int,string>,search:string}
+     * @phpstan-type ViewModel array{
+     *   tenant: array{id:int,external_id:string,name:string},
+     *   overview: array{
+     *     overall: string,
+     *     counts: array{missing_application:int,missing_delegated:int,present:int,error:int},
+     *     feature_impacts: array<int, FeatureImpact>
+     *   },
+     *   permissions: array<int, TenantPermissionRow>,
+     *   filters: FilterState,
+     *   copy: array{application:string,delegated:string}
+     * }
+     */
+    public function __construct(private readonly TenantPermissionService $permissionService) {}
+
+    /**
+     * @param  array<string, mixed>  $filters
+     * @return ViewModel
+     */
+    public function build(Tenant $tenant, array $filters = []): array
+    {
+        $comparison = $this->permissionService->compare(
+            $tenant,
+            persist: false,
+            liveCheck: false,
+            useConfiguredStub: false,
+        );
+
+        /** @var array<int, TenantPermissionRow> $allPermissions */
+        $allPermissions = collect($comparison['permissions'] ?? [])
+            ->filter(fn (mixed $row): bool => is_array($row))
+            ->map(fn (array $row): array => self::normalizePermissionRow($row))
+            ->values()
+            ->all();
+
+        $state = self::normalizeFilterState($filters);
+
+        $filteredPermissions = self::applyFilterState($allPermissions, $state);
+
+        return [
+            'tenant' => [
+                'id' => (int) $tenant->getKey(),
+                'external_id' => (string) $tenant->external_id,
+                'name' => (string) $tenant->name,
+            ],
+            'overview' => [
+                'overall' => self::deriveOverallStatus($allPermissions),
+                'counts' => self::deriveCounts($allPermissions),
+                'feature_impacts' => self::deriveFeatureImpacts($allPermissions),
+            ],
+            'permissions' => $filteredPermissions,
+            'filters' => $state,
+            'copy' => [
+                'application' => self::deriveCopyPayload($allPermissions, 'application', $state['features']),
+                'delegated' => self::deriveCopyPayload($allPermissions, 'delegated', $state['features']),
+            ],
+        ];
+    }
+
+    /**
+     * @param  array<int, TenantPermissionRow>  $permissions
+     */
+    public static function deriveOverallStatus(array $permissions): string
+    {
+        $hasMissingApplication = collect($permissions)->contains(
+            fn (array $row): bool => $row['status'] === 'missing' && $row['type'] === 'application',
+        );
+
+        if ($hasMissingApplication) {
+            return VerificationReportOverall::Blocked->value;
+        }
+
+        $hasErrors = collect($permissions)->contains(
+            fn (array $row): bool => $row['status'] === 'error',
+        );
+
+        $hasMissingDelegated = collect($permissions)->contains(
+            fn (array $row): bool => $row['status'] === 'missing' && $row['type'] === 'delegated',
+        );
+
+        if ($hasErrors || $hasMissingDelegated) {
+            return VerificationReportOverall::NeedsAttention->value;
+        }
+
+        return VerificationReportOverall::Ready->value;
+    }
+
+    /**
+     * @param  array<int, TenantPermissionRow>  $permissions
+     * @return array{missing_application:int,missing_delegated:int,present:int,error:int}
+     */
+    public static function deriveCounts(array $permissions): array
+    {
+        $counts = [
+            'missing_application' => 0,
+            'missing_delegated' => 0,
+            'present' => 0,
+            'error' => 0,
+        ];
+
+        foreach ($permissions as $row) {
+            if (($row['status'] ?? null) === 'missing') {
+                if (($row['type'] ?? null) === 'delegated') {
+                    $counts['missing_delegated'] += 1;
+                } else {
+                    $counts['missing_application'] += 1;
+                }
+
+                continue;
+            }
+
+            if (($row['status'] ?? null) === 'granted') {
+                $counts['present'] += 1;
+
+                continue;
+            }
+
+            if (($row['status'] ?? null) === 'error') {
+                $counts['error'] += 1;
+            }
+        }
+
+        return $counts;
+    }
+
+    /**
+     * @param  array<int, TenantPermissionRow>  $permissions
+     * @return array<int, FeatureImpact>
+     */
+    public static function deriveFeatureImpacts(array $permissions): array
+    {
+        /** @var array<string, FeatureImpact> $impacts */
+        $impacts = [];
+
+        foreach ($permissions as $row) {
+            $features = array_values(array_unique($row['features'] ?? []));
+
+            foreach ($features as $feature) {
+                if (! isset($impacts[$feature])) {
+                    $impacts[$feature] = [
+                        'feature' => $feature,
+                        'missing' => 0,
+                        'required_application' => 0,
+                        'required_delegated' => 0,
+                        'blocked' => false,
+                    ];
+                }
+
+                if (($row['type'] ?? null) === 'delegated') {
+                    $impacts[$feature]['required_delegated'] += 1;
+                } else {
+                    $impacts[$feature]['required_application'] += 1;
+                }
+
+                if (($row['status'] ?? null) === 'missing') {
+                    $impacts[$feature]['missing'] += 1;
+
+                    if (($row['type'] ?? null) === 'application') {
+                        $impacts[$feature]['blocked'] = true;
+                    }
+                }
+            }
+        }
+
+        $values = array_values($impacts);
+
+        usort($values, static function (array $a, array $b): int {
+            $blocked = (int) ($b['blocked'] <=> $a['blocked']);
+            if ($blocked !== 0) {
+                return $blocked;
+            }
+
+            $missing = (int) (($b['missing'] ?? 0) <=> ($a['missing'] ?? 0));
+            if ($missing !== 0) {
+                return $missing;
+            }
+
+            return strcmp((string) ($a['feature'] ?? ''), (string) ($b['feature'] ?? ''));
+        });
+
+        return $values;
+    }
+
+    /**
+     * Copy payload semantics:
+     * - Always Missing-only
+     * - Always Type fixed by button (application vs delegated)
+     * - Respects Feature filter only
+     * - Ignores Search
+     *
+     * @param  array<int, TenantPermissionRow>  $permissions
+     * @param  'application'|'delegated'  $type
+     * @param  array<int, string>  $featureFilter
+     */
+    public static function deriveCopyPayload(array $permissions, string $type, array $featureFilter = []): string
+    {
+        $featureFilter = array_values(array_unique(array_filter(array_map('strval', $featureFilter))));
+
+        $payload = collect($permissions)
+            ->filter(function (array $row) use ($type, $featureFilter): bool {
+                if (($row['status'] ?? null) !== 'missing') {
+                    return false;
+                }
+
+                if (($row['type'] ?? null) !== $type) {
+                    return false;
+                }
+
+                if ($featureFilter === []) {
+                    return true;
+                }
+
+                $rowFeatures = $row['features'] ?? [];
+
+                return count(array_intersect($featureFilter, $rowFeatures)) > 0;
+            })
+            ->pluck('key')
+            ->map(fn (mixed $key): string => (string) $key)
+            ->filter()
+            ->unique()
+            ->sort()
+            ->values()
+            ->all();
+
+        return implode("\n", $payload);
+    }
+
+    /**
+     * @param  array<int, TenantPermissionRow>  $permissions
+     * @return array<int, TenantPermissionRow>
+     */
+    public static function applyFilterState(array $permissions, array $state): array
+    {
+        $status = $state['status'] ?? 'missing';
+        $type = $state['type'] ?? 'all';
+        $features = $state['features'] ?? [];
+        $search = $state['search'] ?? '';
+
+        $search = is_string($search) ? trim($search) : '';
+        $searchLower = strtolower($search);
+
+        $features = array_values(array_unique(array_filter(array_map('strval', $features))));
+
+        $filtered = collect($permissions)
+            ->filter(function (array $row) use ($status, $type, $features): bool {
+                $rowStatus = $row['status'] ?? null;
+                $rowType = $row['type'] ?? null;
+
+                if ($status === 'missing' && ! in_array($rowStatus, ['missing', 'error'], true)) {
+                    return false;
+                }
+
+                if ($status === 'present' && $rowStatus !== 'granted') {
+                    return false;
+                }
+
+                if ($type !== 'all' && $rowType !== $type) {
+                    return false;
+                }
+
+                if ($features === []) {
+                    return true;
+                }
+
+                $rowFeatures = $row['features'] ?? [];
+
+                return count(array_intersect($features, $rowFeatures)) > 0;
+            })
+            ->when($searchLower !== '', function ($collection) use ($searchLower) {
+                return $collection->filter(function (array $row) use ($searchLower): bool {
+                    $key = strtolower((string) ($row['key'] ?? ''));
+                    $description = strtolower((string) ($row['description'] ?? ''));
+
+                    return str_contains($key, $searchLower) || ($description !== '' && str_contains($description, $searchLower));
+                });
+            })
+            ->values()
+            ->all();
+
+        usort($filtered, static function (array $a, array $b): int {
+            $weight = static function (array $row): int {
+                return match ($row['status'] ?? null) {
+                    'missing' => 0,
+                    'error' => 1,
+                    default => 2,
+                };
+            };
+
+            $cmp = $weight($a) <=> $weight($b);
+            if ($cmp !== 0) {
+                return $cmp;
+            }
+
+            return strcmp((string) ($a['key'] ?? ''), (string) ($b['key'] ?? ''));
+        });
+
+        return $filtered;
+    }
+
+    /**
+     * @param  array<string, mixed>  $filters
+     * @return FilterState
+     */
+    public static function normalizeFilterState(array $filters): array
+    {
+        $status = (string) ($filters['status'] ?? 'missing');
+        $type = (string) ($filters['type'] ?? 'all');
+        $features = $filters['features'] ?? [];
+        $search = (string) ($filters['search'] ?? '');
+
+        if (! in_array($status, ['missing', 'present', 'all'], true)) {
+            $status = 'missing';
+        }
+
+        if (! in_array($type, ['application', 'delegated', 'all'], true)) {
+            $type = 'all';
+        }
+
+        if (! is_array($features)) {
+            $features = [];
+        }
+
+        $features = array_values(array_unique(array_filter(array_map('strval', $features))));
+
+        return [
+            'status' => $status,
+            'type' => $type,
+            'features' => $features,
+            'search' => $search,
+        ];
+    }
+
+    /**
+     * @param  array<string, mixed>  $row
+     * @return TenantPermissionRow
+     */
+    private static function normalizePermissionRow(array $row): array
+    {
+        $key = (string) ($row['key'] ?? '');
+        $type = (string) ($row['type'] ?? 'application');
+        $description = $row['description'] ?? null;
+        $features = $row['features'] ?? [];
+        $status = (string) ($row['status'] ?? 'missing');
+        $details = $row['details'] ?? null;
+
+        if (! in_array($type, ['application', 'delegated'], true)) {
+            $type = 'application';
+        }
+
+        if (! is_string($description) || $description === '') {
+            $description = null;
+        }
+
+        if (! is_array($features)) {
+            $features = [];
+        }
+
+        $features = array_values(array_unique(array_filter(array_map('strval', $features))));
+
+        if (! in_array($status, ['granted', 'missing', 'error'], true)) {
+            $status = 'missing';
+        }
+
+        if (! is_array($details)) {
+            $details = null;
+        }
+
+        return [
+            'key' => $key,
+            'type' => $type,
+            'description' => $description,
+            'features' => $features,
+            'status' => $status,
+            'details' => $details,
+        ];
+    }
+}

app/Services/OperationRunService.php

@@ -5,6 +5,7 @@
 use App\Models\OperationRun;
 use App\Models\Tenant;
 use App\Models\User;
+use App\Models\Workspace;
 use App\Notifications\OperationRunCompleted as OperationRunCompletedNotification;
 use App\Notifications\OperationRunQueued as OperationRunQueuedNotification;
 use App\Services\Operations\BulkIdempotencyFingerprint;
@@ -60,12 +61,19 @@ public function ensureRun(
         array $inputs,
         ?User $initiator = null
     ): OperationRun {
+        $workspaceId = (int) ($tenant->workspace_id ?? 0);
+
+        if ($workspaceId <= 0) {
+            throw new InvalidArgumentException('Tenant must belong to a workspace to start an operation run.');
+        }
+
         $hash = $this->calculateHash($tenant->id, $type, $inputs);
 
         // Idempotency Check (Fast Path)
         // We check specific status to match the partial unique index
         $existing = OperationRun::query()
             ->where('tenant_id', $tenant->id)
+            ->where('workspace_id', $workspaceId)
             ->where('run_identity_hash', $hash)
             ->whereIn('status', OperationRunStatus::values())
             ->where('status', '!=', OperationRunStatus::Completed->value)
@@ -78,6 +86,7 @@ public function ensureRun(
         // Create new run (race-safe via partial unique index)
         try {
             return OperationRun::create([
+                'workspace_id' => $workspaceId,
                 'tenant_id' => $tenant->id,
                 'user_id' => $initiator?->id,
                 'initiator_name' => $initiator?->name ?? 'System',
@@ -97,6 +106,7 @@ public function ensureRun(
 
             $existing = OperationRun::query()
                 ->where('tenant_id', $tenant->id)
+                ->where('workspace_id', $workspaceId)
                 ->where('run_identity_hash', $hash)
                 ->whereIn('status', [OperationRunStatus::Queued->value, OperationRunStatus::Running->value])
                 ->first();
@@ -116,12 +126,19 @@ public function ensureRunWithIdentity(
         array $context,
         ?User $initiator = null
     ): OperationRun {
+        $workspaceId = (int) ($tenant->workspace_id ?? 0);
+
+        if ($workspaceId <= 0) {
+            throw new InvalidArgumentException('Tenant must belong to a workspace to start an operation run.');
+        }
+
         $hash = $this->calculateHash($tenant->id, $type, $identityInputs);
 
         // Idempotency Check (Fast Path)
         // We check specific status to match the partial unique index
         $existing = OperationRun::query()
             ->where('tenant_id', $tenant->id)
+            ->where('workspace_id', $workspaceId)
             ->where('run_identity_hash', $hash)
             ->whereIn('status', OperationRunStatus::values())
             ->where('status', '!=', OperationRunStatus::Completed->value)
@@ -134,6 +151,7 @@ public function ensureRunWithIdentity(
         // Create new run (race-safe via partial unique index)
         try {
             return OperationRun::create([
+                'workspace_id' => $workspaceId,
                 'tenant_id' => $tenant->id,
                 'user_id' => $initiator?->id,
                 'initiator_name' => $initiator?->name ?? 'System',
@@ -153,6 +171,7 @@ public function ensureRunWithIdentity(
 
             $existing = OperationRun::query()
                 ->where('tenant_id', $tenant->id)
+                ->where('workspace_id', $workspaceId)
                 ->where('run_identity_hash', $hash)
                 ->whereIn('status', [OperationRunStatus::Queued->value, OperationRunStatus::Running->value])
                 ->first();
@@ -227,6 +246,59 @@ public function enqueueBulkOperation(
         return $run;
     }
 
+    public function ensureWorkspaceRunWithIdentity(
+        Workspace $workspace,
+        string $type,
+        array $identityInputs,
+        array $context,
+        ?User $initiator = null,
+    ): OperationRun {
+        $hash = $this->calculateWorkspaceHash((int) $workspace->getKey(), $type, $identityInputs);
+
+        $existing = OperationRun::query()
+            ->where('workspace_id', (int) $workspace->getKey())
+            ->whereNull('tenant_id')
+            ->where('run_identity_hash', $hash)
+            ->whereIn('status', OperationRunStatus::values())
+            ->where('status', '!=', OperationRunStatus::Completed->value)
+            ->first();
+
+        if ($existing) {
+            return $existing;
+        }
+
+        try {
+            return OperationRun::create([
+                'workspace_id' => (int) $workspace->getKey(),
+                'tenant_id' => null,
+                'user_id' => $initiator?->id,
+                'initiator_name' => $initiator?->name ?? 'System',
+                'type' => $type,
+                'status' => OperationRunStatus::Queued->value,
+                'outcome' => OperationRunOutcome::Pending->value,
+                'run_identity_hash' => $hash,
+                'context' => $context,
+            ]);
+        } catch (QueryException $e) {
+            if (! in_array(($e->errorInfo[0] ?? null), ['23505', '23000'], true)) {
+                throw $e;
+            }
+
+            $existing = OperationRun::query()
+                ->where('workspace_id', (int) $workspace->getKey())
+                ->whereNull('tenant_id')
+                ->where('run_identity_hash', $hash)
+                ->whereIn('status', [OperationRunStatus::Queued->value, OperationRunStatus::Running->value])
+                ->first();
+
+            if ($existing) {
+                return $existing;
+            }
+
+            throw $e;
+        }
+    }
+
     public function updateRun(
         OperationRun $run,
         string $status,
@@ -518,6 +590,15 @@ protected function calculateHash(int $tenantId, string $type, array $inputs): st
         return hash('sha256', $tenantId.'|'.$type.'|'.$json);
     }
 
+    protected function calculateWorkspaceHash(int $workspaceId, string $type, array $inputs): string
+    {
+        $normalizedInputs = $this->normalizeInputs($inputs);
+
+        $json = json_encode($normalizedInputs, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
+
+        return hash('sha256', 'workspace|'.$workspaceId.'|'.$type.'|'.$json);
+    }
+
     /**
      * Normalize inputs for stable identity hashing.
      *

app/Services/Providers/CredentialManager.php

@@ -74,4 +74,21 @@ public function upsertClientSecretCredential(
             ],
         );
     }
+
+    public function updateClientIdPreservingSecret(ProviderConnection $connection, string $clientId): ProviderCredential
+    {
+        $clientId = trim($clientId);
+
+        if ($clientId === '') {
+            throw new InvalidArgumentException('client_id is required.');
+        }
+
+        $existing = $this->getClientCredentials($connection);
+
+        return $this->upsertClientSecretCredential(
+            connection: $connection,
+            clientId: $clientId,
+            clientSecret: (string) $existing['client_secret'],
+        );
+    }
 }

app/Services/Verification/StartVerification.php

@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Verification;
+
+use App\Jobs\ProviderConnectionHealthCheckJob;
+use App\Models\OperationRun;
+use App\Models\ProviderConnection;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Services\Providers\ProviderOperationStartGate;
+use App\Services\Providers\ProviderOperationStartResult;
+use App\Support\Auth\Capabilities;
+use Illuminate\Support\Facades\Gate;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+
+final class StartVerification
+{
+    public function __construct(
+        private readonly ProviderOperationStartGate $providers,
+    ) {}
+
+    /**
+     * Start (or dedupe) a provider-connection verification run.
+     *
+     * @param  array<string, mixed>  $extraContext
+     */
+    public function providerConnectionCheck(
+        Tenant $tenant,
+        ProviderConnection $connection,
+        User $initiator,
+        array $extraContext = [],
+    ): ProviderOperationStartResult {
+        if (! $initiator->canAccessTenant($tenant)) {
+            throw new NotFoundHttpException;
+        }
+
+        Gate::forUser($initiator)->authorize(Capabilities::PROVIDER_RUN, $tenant);
+
+        return $this->providers->start(
+            tenant: $tenant,
+            connection: $connection,
+            operationType: 'provider.connection.check',
+            dispatcher: function (OperationRun $run) use ($tenant, $initiator, $connection): void {
+                ProviderConnectionHealthCheckJob::dispatch(
+                    tenantId: (int) $tenant->getKey(),
+                    userId: (int) $initiator->getKey(),
+                    providerConnectionId: (int) $connection->getKey(),
+                    operationRun: $run,
+                );
+            },
+            initiator: $initiator,
+            extraContext: $extraContext,
+        );
+    }
+}

app/Services/Verification/VerificationCheckAcknowledgementService.php

@@ -0,0 +1,187 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\Verification;
+
+use App\Models\OperationRun;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Models\VerificationCheckAcknowledgement;
+use App\Services\Audit\WorkspaceAuditLogger;
+use App\Support\Audit\AuditActionId;
+use App\Support\Auth\Capabilities;
+use App\Support\Verification\VerificationReportSanitizer;
+use App\Support\Verification\VerificationReportSchema;
+use App\Support\Verification\VerificationCheckStatus;
+use Carbon\CarbonImmutable;
+use Illuminate\Database\QueryException;
+use Illuminate\Support\Facades\Gate;
+use InvalidArgumentException;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+
+final class VerificationCheckAcknowledgementService
+{
+    public function __construct(
+        private readonly WorkspaceAuditLogger $audit,
+    ) {}
+
+    public function acknowledge(
+        Tenant $tenant,
+        OperationRun $run,
+        string $checkKey,
+        string $ackReason,
+        ?string $expiresAt,
+        User $actor,
+    ): VerificationCheckAcknowledgement {
+        if (! $actor->canAccessTenant($tenant)) {
+            throw new NotFoundHttpException;
+        }
+
+        Gate::forUser($actor)->authorize(Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE, $tenant);
+
+        if ((int) $run->tenant_id !== (int) $tenant->getKey()) {
+            throw new NotFoundHttpException;
+        }
+
+        if ((int) $run->workspace_id !== (int) $tenant->workspace_id) {
+            throw new NotFoundHttpException;
+        }
+
+        $checkKey = trim($checkKey);
+        if ($checkKey === '') {
+            throw new InvalidArgumentException('check_key is required.');
+        }
+
+        $ackReason = trim($ackReason);
+        if ($ackReason === '') {
+            throw new InvalidArgumentException('ack_reason is required.');
+        }
+
+        if (mb_strlen($ackReason) > 160) {
+            throw new InvalidArgumentException('ack_reason must be at most 160 characters.');
+        }
+
+        $report = $this->reportForRun($run);
+        $check = $this->findCheckByKey($report, $checkKey);
+
+        $status = $check['status'] ?? null;
+
+        if (! is_string($status) || ! in_array($status, [VerificationCheckStatus::Fail->value, VerificationCheckStatus::Warn->value], true)) {
+            throw new InvalidArgumentException('Only failing or warning checks can be acknowledged.');
+        }
+
+        $reasonCode = $check['reason_code'] ?? null;
+        if (! is_string($reasonCode) || trim($reasonCode) === '') {
+            throw new InvalidArgumentException('Check reason_code is required.');
+        }
+
+        $expiresAtParsed = null;
+
+        if ($expiresAt !== null && trim($expiresAt) !== '') {
+            try {
+                $expiresAtParsed = CarbonImmutable::parse($expiresAt);
+            } catch (\Throwable) {
+                throw new InvalidArgumentException('expires_at must be a valid date-time.');
+            }
+
+            if ($expiresAtParsed->isBefore(CarbonImmutable::now())) {
+                throw new InvalidArgumentException('expires_at must be in the future.');
+            }
+        }
+
+        $acknowledgedAt = CarbonImmutable::now();
+
+        try {
+            $ack = VerificationCheckAcknowledgement::create([
+                'tenant_id' => (int) $tenant->getKey(),
+                'workspace_id' => (int) $tenant->workspace_id,
+                'operation_run_id' => (int) $run->getKey(),
+                'check_key' => $checkKey,
+                'ack_reason' => $ackReason,
+                'expires_at' => $expiresAtParsed,
+                'acknowledged_at' => $acknowledgedAt,
+                'acknowledged_by_user_id' => (int) $actor->getKey(),
+            ]);
+        } catch (QueryException $e) {
+            $ack = VerificationCheckAcknowledgement::query()
+                ->where('operation_run_id', (int) $run->getKey())
+                ->where('check_key', $checkKey)
+                ->first();
+
+            if (! $ack instanceof VerificationCheckAcknowledgement) {
+                throw $e;
+            }
+
+            return $ack;
+        }
+
+        if ($ack->wasRecentlyCreated) {
+            $workspace = $tenant->workspace;
+
+            if ($workspace !== null) {
+                $this->audit->log(
+                    workspace: $workspace,
+                    action: AuditActionId::VerificationCheckAcknowledged->value,
+                    context: [
+                        'tenant_id' => (int) $tenant->getKey(),
+                        'operation_run_id' => (int) $run->getKey(),
+                        'report_id' => (int) $run->getKey(),
+                        'flow' => (string) $run->type,
+                        'check_key' => $checkKey,
+                        'reason_code' => $reasonCode,
+                    ],
+                    actor: $actor,
+                    resourceType: 'operation_run',
+                    resourceId: (string) $run->getKey(),
+                );
+            }
+        }
+
+        return $ack;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private function reportForRun(OperationRun $run): array
+    {
+        $context = is_array($run->context) ? $run->context : [];
+        $report = $context['verification_report'] ?? null;
+
+        if (! is_array($report)) {
+            throw new InvalidArgumentException('Verification report is missing.');
+        }
+
+        $report = VerificationReportSanitizer::sanitizeReport($report);
+
+        if (! VerificationReportSchema::isValidReport($report)) {
+            throw new InvalidArgumentException('Verification report is invalid.');
+        }
+
+        return $report;
+    }
+
+    /**
+     * @param  array<string, mixed>  $report
+     * @return array<string, mixed>
+     */
+    private function findCheckByKey(array $report, string $checkKey): array
+    {
+        $checks = $report['checks'] ?? null;
+        $checks = is_array($checks) ? $checks : [];
+
+        foreach ($checks as $check) {
+            if (! is_array($check)) {
+                continue;
+            }
+
+            if (($check['key'] ?? null) === $checkKey) {
+                return $check;
+            }
+        }
+
+        throw new InvalidArgumentException('Check not found in verification report.');
+    }
+}
+

app/Support/Audit/AuditActionId.php

@@ -6,6 +6,12 @@
 
 enum AuditActionId: string
 {
+    case WorkspaceMembershipAdd = 'workspace_membership.add';
+    case WorkspaceMembershipRoleChange = 'workspace_membership.role_change';
+    case WorkspaceMembershipRemove = 'workspace_membership.remove';
+    case WorkspaceMembershipLastOwnerBlocked = 'workspace_membership.last_owner_blocked';
+    case WorkspaceMembershipBreakGlassAssignOwner = 'workspace_membership.break_glass.assign_owner';
+
     case TenantMembershipAdd = 'tenant_membership.add';
     case TenantMembershipRoleChange = 'tenant_membership.role_change';
     case TenantMembershipRemove = 'tenant_membership.remove';
@@ -13,4 +19,15 @@ enum AuditActionId: string
 
     // Not part of the v1 contract, but used in codebase.
     case TenantMembershipBootstrapRecover = 'tenant_membership.bootstrap_recover';
+
+    // Diagnostics / repair actions.
+    case TenantMembershipDuplicatesMerged = 'tenant_membership.duplicates_merged';
+
+    // Managed tenant onboarding wizard.
+    case ManagedTenantOnboardingStart = 'managed_tenant_onboarding.start';
+    case ManagedTenantOnboardingResume = 'managed_tenant_onboarding.resume';
+    case ManagedTenantOnboardingVerificationStart = 'managed_tenant_onboarding.verification_start';
+    case ManagedTenantOnboardingActivation = 'managed_tenant_onboarding.activation';
+    case VerificationCompleted = 'verification.completed';
+    case VerificationCheckAcknowledged = 'verification.check_acknowledged';
 }

app/Support/Audit/AuditContextSanitizer.php

@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\Audit;
+
+final class AuditContextSanitizer
+{
+    private const REDACTED = '[REDACTED]';
+
+    public static function sanitize(mixed $value): mixed
+    {
+        if (is_array($value)) {
+            $sanitized = [];
+
+            foreach ($value as $key => $item) {
+                if (is_string($key) && self::shouldRedactKey($key)) {
+                    $sanitized[$key] = self::REDACTED;
+
+                    continue;
+                }
+
+                $sanitized[$key] = self::sanitize($item);
+            }
+
+            return $sanitized;
+        }
+
+        if (is_string($value)) {
+            return self::sanitizeString($value);
+        }
+
+        return $value;
+    }
+
+    private static function shouldRedactKey(string $key): bool
+    {
+        $key = strtolower(trim($key));
+
+        return str_contains($key, 'token')
+            || str_contains($key, 'secret')
+            || str_contains($key, 'password')
+            || str_contains($key, 'authorization')
+            || str_contains($key, 'private_key')
+            || str_contains($key, 'client_secret');
+    }
+
+    private static function sanitizeString(string $value): string
+    {
+        $candidate = trim($value);
+
+        if ($candidate === '') {
+            return $value;
+        }
+
+        if (preg_match('/\bBearer\s+[A-Za-z0-9\-\._~\+\/]+=*\b/i', $candidate)) {
+            return self::REDACTED;
+        }
+
+        if (preg_match('/\b[A-Za-z0-9\-_]{20,}\.[A-Za-z0-9\-_]{20,}\.[A-Za-z0-9\-_]{20,}\b/', $candidate)) {
+            return self::REDACTED;
+        }
+
+        return $value;
+    }
+}

app/Support/Auth/Capabilities.php

@@ -15,6 +15,37 @@ class Capabilities
      */
     private static ?array $all = null;
 
+    // Workspaces
+    public const WORKSPACE_VIEW = 'workspace.view';
+
+    public const WORKSPACE_MANAGE = 'workspace.manage';
+
+    public const WORKSPACE_ARCHIVE = 'workspace.archive';
+
+    // Workspace memberships
+    public const WORKSPACE_MEMBERSHIP_VIEW = 'workspace_membership.view';
+
+    public const WORKSPACE_MEMBERSHIP_MANAGE = 'workspace_membership.manage';
+
+    // Managed tenant onboarding
+    public const WORKSPACE_MANAGED_TENANT_ONBOARD = 'workspace_managed_tenant.onboard';
+
+    public const WORKSPACE_MANAGED_TENANT_ONBOARD_IDENTIFY = 'workspace_managed_tenant.onboard.identify';
+
+    public const WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW = 'workspace_managed_tenant.onboard.connection.view';
+
+    public const WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_MANAGE = 'workspace_managed_tenant.onboard.connection.manage';
+
+    public const WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START = 'workspace_managed_tenant.onboard.verification.start';
+
+    public const WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC = 'workspace_managed_tenant.onboard.bootstrap.inventory_sync';
+
+    public const WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC = 'workspace_managed_tenant.onboard.bootstrap.policy_sync';
+
+    public const WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP = 'workspace_managed_tenant.onboard.bootstrap.backup_bootstrap';
+
+    public const WORKSPACE_MANAGED_TENANT_ONBOARD_ACTIVATE = 'workspace_managed_tenant.onboard.activate';
+
     // Tenants
     public const TENANT_VIEW = 'tenant.view';
 
@@ -30,6 +61,9 @@ class Capabilities
     // Findings
     public const TENANT_FINDINGS_ACKNOWLEDGE = 'tenant_findings.acknowledge';
 
+    // Verification
+    public const TENANT_VERIFICATION_ACKNOWLEDGE = 'tenant_verification.acknowledge';
+
     // Tenant memberships
     public const TENANT_MEMBERSHIP_VIEW = 'tenant_membership.view';
 

app/Support/Auth/WorkspaceRole.php

@@ -0,0 +1,11 @@
+<?php
+
+namespace App\Support\Auth;
+
+enum WorkspaceRole: string
+{
+    case Owner = 'owner';
+    case Manager = 'manager';
+    case Operator = 'operator';
+    case Readonly = 'readonly';
+}

app/Support/Badges/BadgeCatalog.php

@@ -36,6 +36,10 @@ final class BadgeCatalog
         BadgeDomain::RestoreResultStatus->value => Domains\RestoreResultStatusBadge::class,
         BadgeDomain::ProviderConnectionStatus->value => Domains\ProviderConnectionStatusBadge::class,
         BadgeDomain::ProviderConnectionHealth->value => Domains\ProviderConnectionHealthBadge::class,
+        BadgeDomain::ManagedTenantOnboardingVerificationStatus->value => Domains\ManagedTenantOnboardingVerificationStatusBadge::class,
+        BadgeDomain::VerificationCheckStatus->value => Domains\VerificationCheckStatusBadge::class,
+        BadgeDomain::VerificationCheckSeverity->value => Domains\VerificationCheckSeverityBadge::class,
+        BadgeDomain::VerificationReportOverall->value => Domains\VerificationReportOverallBadge::class,
     ];
 
     /**

app/Support/Badges/BadgeDomain.php

@@ -28,4 +28,8 @@ enum BadgeDomain: string
     case RestoreResultStatus = 'restore_result_status';
     case ProviderConnectionStatus = 'provider_connection.status';
     case ProviderConnectionHealth = 'provider_connection.health';
+    case ManagedTenantOnboardingVerificationStatus = 'managed_tenant_onboarding.verification_status';
+    case VerificationCheckStatus = 'verification_check_status';
+    case VerificationCheckSeverity = 'verification_check_severity';
+    case VerificationReportOverall = 'verification_report_overall';
 }

app/Support/Badges/Domains/ManagedTenantOnboardingVerificationStatusBadge.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace App\Support\Badges\Domains;
+
+use App\Support\Badges\BadgeCatalog;
+use App\Support\Badges\BadgeMapper;
+use App\Support\Badges\BadgeSpec;
+
+final class ManagedTenantOnboardingVerificationStatusBadge implements BadgeMapper
+{
+    public function spec(mixed $value): BadgeSpec
+    {
+        $state = BadgeCatalog::normalizeState($value);
+
+        return match ($state) {
+            'not_started' => new BadgeSpec('Not started', 'gray', 'heroicon-m-minus-circle'),
+            'in_progress' => new BadgeSpec('In progress', 'info', 'heroicon-m-arrow-path'),
+            'needs_attention' => new BadgeSpec('Needs attention', 'warning', 'heroicon-m-exclamation-triangle'),
+            'blocked' => new BadgeSpec('Blocked', 'danger', 'heroicon-m-x-circle'),
+            'ready' => new BadgeSpec('Ready', 'success', 'heroicon-m-check-circle'),
+            default => BadgeSpec::unknown(),
+        };
+    }
+}

app/Support/Badges/Domains/TenantStatusBadge.php

@@ -13,6 +13,7 @@ public function spec(mixed $value): BadgeSpec
         $state = BadgeCatalog::normalizeState($value);
 
         return match ($state) {
+            'pending' => new BadgeSpec('Pending', 'warning', 'heroicon-m-clock'),
             'active' => new BadgeSpec('Active', 'success', 'heroicon-m-check-circle'),
             'inactive' => new BadgeSpec('Inactive', 'gray', 'heroicon-m-minus-circle'),
             'archived' => new BadgeSpec('Archived', 'gray', 'heroicon-m-minus-circle'),

app/Support/Badges/Domains/VerificationCheckSeverityBadge.php

@@ -0,0 +1,25 @@
+<?php
+
+namespace App\Support\Badges\Domains;
+
+use App\Support\Badges\BadgeCatalog;
+use App\Support\Badges\BadgeMapper;
+use App\Support\Badges\BadgeSpec;
+use App\Support\Verification\VerificationCheckSeverity;
+
+final class VerificationCheckSeverityBadge implements BadgeMapper
+{
+    public function spec(mixed $value): BadgeSpec
+    {
+        $state = BadgeCatalog::normalizeState($value);
+
+        return match ($state) {
+            VerificationCheckSeverity::Info->value => new BadgeSpec('Info', 'gray', 'heroicon-m-information-circle'),
+            VerificationCheckSeverity::Low->value => new BadgeSpec('Low', 'info', 'heroicon-m-arrow-down'),
+            VerificationCheckSeverity::Medium->value => new BadgeSpec('Medium', 'warning', 'heroicon-m-exclamation-triangle'),
+            VerificationCheckSeverity::High->value => new BadgeSpec('High', 'danger', 'heroicon-m-exclamation-triangle'),
+            VerificationCheckSeverity::Critical->value => new BadgeSpec('Critical', 'danger', 'heroicon-m-x-circle'),
+            default => BadgeSpec::unknown(),
+        };
+    }
+}

app/Support/Badges/Domains/VerificationCheckStatusBadge.php

@@ -0,0 +1,25 @@
+<?php
+
+namespace App\Support\Badges\Domains;
+
+use App\Support\Badges\BadgeCatalog;
+use App\Support\Badges\BadgeMapper;
+use App\Support\Badges\BadgeSpec;
+use App\Support\Verification\VerificationCheckStatus;
+
+final class VerificationCheckStatusBadge implements BadgeMapper
+{
+    public function spec(mixed $value): BadgeSpec
+    {
+        $state = BadgeCatalog::normalizeState($value);
+
+        return match ($state) {
+            VerificationCheckStatus::Pass->value => new BadgeSpec('Pass', 'success', 'heroicon-m-check-circle'),
+            VerificationCheckStatus::Fail->value => new BadgeSpec('Fail', 'danger', 'heroicon-m-x-circle'),
+            VerificationCheckStatus::Warn->value => new BadgeSpec('Warn', 'warning', 'heroicon-m-exclamation-triangle'),
+            VerificationCheckStatus::Skip->value => new BadgeSpec('Skipped', 'gray', 'heroicon-m-minus-circle'),
+            VerificationCheckStatus::Running->value => new BadgeSpec('Running', 'info', 'heroicon-m-arrow-path'),
+            default => BadgeSpec::unknown(),
+        };
+    }
+}

app/Support/Badges/Domains/VerificationReportOverallBadge.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace App\Support\Badges\Domains;
+
+use App\Support\Badges\BadgeCatalog;
+use App\Support\Badges\BadgeMapper;
+use App\Support\Badges\BadgeSpec;
+use App\Support\Verification\VerificationReportOverall;
+
+final class VerificationReportOverallBadge implements BadgeMapper
+{
+    public function spec(mixed $value): BadgeSpec
+    {
+        $state = BadgeCatalog::normalizeState($value);
+
+        return match ($state) {
+            VerificationReportOverall::Ready->value => new BadgeSpec('Ready', 'success', 'heroicon-m-check-circle'),
+            VerificationReportOverall::NeedsAttention->value => new BadgeSpec('Needs attention', 'warning', 'heroicon-m-exclamation-triangle'),
+            VerificationReportOverall::Blocked->value => new BadgeSpec('Blocked', 'danger', 'heroicon-m-x-circle'),
+            VerificationReportOverall::Running->value => new BadgeSpec('Running', 'info', 'heroicon-m-arrow-path'),
+            default => BadgeSpec::unknown(),
+        };
+    }
+}

app/Support/Links/RequiredPermissionsLinks.php

@@ -0,0 +1,42 @@
+<?php
+
+namespace App\Support\Links;
+
+use App\Filament\Resources\TenantResource;
+use App\Models\Tenant;
+
+final class RequiredPermissionsLinks
+{
+    private const ADMIN_CONSENT_GUIDE_URL = 'https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent';
+
+    /**
+     * @param  array<string, mixed>  $filters
+     */
+    public static function requiredPermissions(Tenant $tenant, array $filters = []): string
+    {
+        $base = sprintf('/admin/t/%s/required-permissions', urlencode((string) $tenant->external_id));
+
+        if ($filters === []) {
+            return $base;
+        }
+
+        $query = http_build_query($filters);
+
+        return $query !== '' ? "{$base}?{$query}" : $base;
+    }
+
+    public static function adminConsentUrl(Tenant $tenant): ?string
+    {
+        return TenantResource::adminConsentUrl($tenant);
+    }
+
+    public static function adminConsentGuideUrl(): string
+    {
+        return self::ADMIN_CONSENT_GUIDE_URL;
+    }
+
+    public static function adminConsentPrimaryUrl(Tenant $tenant): string
+    {
+        return self::adminConsentUrl($tenant) ?? self::adminConsentGuideUrl();
+    }
+}

app/Support/Middleware/EnsureFilamentTenantSelected.php

@@ -0,0 +1,206 @@
+<?php
+
+namespace App\Support\Middleware;
+
+use App\Filament\Pages\ChooseWorkspace;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Models\Workspace;
+use App\Services\Auth\CapabilityResolver;
+use App\Support\Workspaces\WorkspaceContext;
+use Closure;
+use Filament\Facades\Filament;
+use Filament\Models\Contracts\HasTenants;
+use Filament\Navigation\NavigationBuilder;
+use Filament\Navigation\NavigationItem;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureFilamentTenantSelected
+{
+    /**
+     * @param  Closure(Request): Response  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        $panel = Filament::getCurrentOrDefaultPanel();
+
+        $path = '/'.ltrim($request->path(), '/');
+
+        if ($path === '/livewire/update') {
+            $refererPath = parse_url((string) $request->headers->get('referer', ''), PHP_URL_PATH) ?? '';
+            $refererPath = '/'.ltrim((string) $refererPath, '/');
+
+            if (preg_match('#^/admin/operations/[^/]+$#', $refererPath) === 1) {
+                $this->configureNavigationForRequest($panel);
+
+                return $next($request);
+            }
+        }
+
+        if (preg_match('#^/admin/operations/[^/]+$#', $path) === 1) {
+            $this->configureNavigationForRequest($panel);
+
+            return $next($request);
+        }
+
+        if ($request->route()?->hasParameter('tenant')) {
+            $user = $request->user();
+
+            if ($user === null) {
+                return $next($request);
+            }
+
+            if (! $user instanceof HasTenants) {
+                abort(404);
+            }
+
+            if (! $panel->hasTenancy()) {
+                return $next($request);
+            }
+
+            $tenantParameter = $request->route()->parameter('tenant');
+            $tenant = $panel->getTenant($tenantParameter);
+
+            if (! $tenant instanceof Tenant) {
+                abort(404);
+            }
+
+            $workspaceContext = app(WorkspaceContext::class);
+            $workspaceId = $workspaceContext->currentWorkspaceId($request);
+
+            if ($workspaceId === null) {
+                abort(404);
+            }
+
+            if ((int) $tenant->workspace_id !== (int) $workspaceId) {
+                abort(404);
+            }
+
+            $workspace = Workspace::query()->whereKey($workspaceId)->first();
+
+            if (! $workspace instanceof Workspace) {
+                abort(404);
+            }
+
+            if (! $user instanceof User || ! $workspaceContext->isMember($user, $workspace)) {
+                abort(404);
+            }
+
+            if (! $user->canAccessTenant($tenant)) {
+                abort(404);
+            }
+
+            Filament::setTenant($tenant, true);
+            $this->configureNavigationForRequest($panel);
+
+            return $next($request);
+        }
+
+        if (
+            str_starts_with($path, '/admin/w/')
+            || str_starts_with($path, '/admin/workspaces')
+            || in_array($path, ['/admin/choose-workspace', '/admin/choose-tenant', '/admin/no-access'], true)
+        ) {
+            $this->configureNavigationForRequest($panel);
+
+            return $next($request);
+        }
+
+        if (filled(Filament::getTenant())) {
+            $this->configureNavigationForRequest($panel);
+
+            return $next($request);
+        }
+
+        $user = $request->user();
+
+        if (! $user instanceof User) {
+            $this->configureNavigationForRequest($panel);
+
+            return $next($request);
+        }
+
+        $tenant = null;
+
+        $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId($request);
+
+        if ($workspaceId !== null) {
+            $tenant = $user->tenants()
+                ->where('workspace_id', $workspaceId)
+                ->where('status', 'active')
+                ->first();
+
+            if (! $tenant) {
+                $tenant = $user->tenants()
+                    ->where('workspace_id', $workspaceId)
+                    ->first();
+            }
+
+            if (! $tenant) {
+                $tenant = $user->tenants()
+                    ->withTrashed()
+                    ->where('workspace_id', $workspaceId)
+                    ->first();
+            }
+        }
+
+        if (! $tenant) {
+            try {
+                $tenant = Tenant::current();
+            } catch (\RuntimeException) {
+                $tenant = null;
+            }
+
+            if ($tenant instanceof Tenant && ! app(CapabilityResolver::class)->isMember($user, $tenant)) {
+                $tenant = null;
+            }
+        }
+
+        if (! $tenant) {
+            $tenant = $user->tenants()
+                ->where('status', 'active')
+                ->first();
+        }
+
+        if (! $tenant) {
+            $tenant = $user->tenants()->first();
+        }
+
+        if (! $tenant) {
+            $tenant = $user->tenants()->withTrashed()->first();
+        }
+
+        if ($tenant) {
+            Filament::setTenant($tenant, true);
+        }
+
+        $this->configureNavigationForRequest($panel);
+
+        return $next($request);
+    }
+
+    private function configureNavigationForRequest(\Filament\Panel $panel): void
+    {
+        if (! $panel->hasTenancy()) {
+            return;
+        }
+
+        if (filled(Filament::getTenant())) {
+            $panel->navigation(true);
+
+            return;
+        }
+
+        $panel->navigation(function (): NavigationBuilder {
+            return app(NavigationBuilder::class)
+                ->item(
+                    NavigationItem::make('Workspaces')
+                        ->url(fn (): string => ChooseWorkspace::getUrl())
+                        ->icon('heroicon-o-squares-2x2')
+                        ->group('Settings')
+                        ->sort(10),
+                );
+        });
+    }
+}

app/Support/OperationRunLinks.php

@@ -21,6 +21,13 @@ public static function index(Tenant $tenant): string
         return OperationRunResource::getUrl('index', tenant: $tenant);
     }
 
+    public static function tenantlessView(OperationRun|int $run): string
+    {
+        $runId = $run instanceof OperationRun ? (int) $run->getKey() : (int) $run;
+
+        return route('admin.operations.view', ['run' => $runId]);
+    }
+
     public static function view(OperationRun|int $run, Tenant $tenant): string
     {
         return OperationRunResource::getUrl('view', ['record' => $run], tenant: $tenant);

app/Support/Rbac/UiEnforcement.php

@@ -8,6 +8,7 @@
 use App\Models\User;
 use App\Services\Auth\CapabilityResolver;
 use App\Support\Auth\Capabilities;
+use App\Support\Auth\UiTooltips as AuthUiTooltips;
 use Closure;
 use Filament\Actions\Action;
 use Filament\Actions\BulkAction;
@@ -282,7 +283,7 @@ private function applyDisabledState(): void
             return;
         }
 
-        $tooltip = $this->customTooltip ?? UiTooltips::INSUFFICIENT_PERMISSION;
+        $tooltip = $this->customTooltip ?? AuthUiTooltips::insufficientPermission();
 
         $this->action->disabled(function (?Model $record = null) {
             $context = $this->resolveContextWithRecord($record);

app/Support/Rbac/UiTooltips.php

@@ -30,4 +30,14 @@ final class UiTooltips
      * Modal description for destructive action confirmation.
      */
     public const DESTRUCTIVE_CONFIRM_DESCRIPTION = 'This action cannot be undone.';
+
+    /**
+     * Tooltip for actions that are unavailable because the tenant is archived.
+     */
+    public const TENANT_ARCHIVED = 'This tenant is archived.';
+
+    /**
+     * Tooltip for actions that are unavailable because a tenant must always have an owner.
+     */
+    public const TENANT_OWNER_REQUIRED = 'This tenant must have at least one Owner.';
 }

app/Support/Rbac/WorkspaceAccessContext.php

@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\Rbac;
+
+use App\Models\User;
+use App\Models\Workspace;
+
+/**
+ * DTO representing the access context for a workspace-scoped UI action.
+ */
+final readonly class WorkspaceAccessContext
+{
+    public function __construct(
+        public ?User $user,
+        public ?Workspace $workspace,
+        public bool $isMember,
+        public bool $hasCapability,
+    ) {}
+
+    /**
+     * Non-members should receive 404 (deny-as-not-found).
+     */
+    public function shouldDenyAsNotFound(): bool
+    {
+        return ! $this->isMember;
+    }
+
+    /**
+     * Members without capability should receive 403 (forbidden).
+     */
+    public function shouldDenyAsForbidden(): bool
+    {
+        return $this->isMember && ! $this->hasCapability;
+    }
+
+    /**
+     * User is authorized to perform the action.
+     */
+    public function isAuthorized(): bool
+    {
+        return $this->isMember && $this->hasCapability;
+    }
+}

app/Support/Rbac/WorkspaceUiEnforcement.php

@@ -0,0 +1,230 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\Rbac;
+
+use App\Models\User;
+use App\Models\Workspace;
+use App\Services\Auth\WorkspaceCapabilityResolver;
+use App\Support\Auth\Capabilities;
+use App\Support\Auth\UiTooltips as AuthUiTooltips;
+use Closure;
+use Filament\Actions\Action;
+use Illuminate\Database\Eloquent\Model;
+use Throwable;
+
+/**
+ * Central workspace-scoped RBAC UI Enforcement Helper for Filament Actions.
+ *
+ * Mirrors the tenant-scoped UiEnforcement semantics, but uses WorkspaceMembership
+ * + WorkspaceCapabilityResolver.
+ *
+ * Rules:
+ * - Non-member → hidden UI + 404 server-side
+ * - Member without capability → visible-but-disabled + tooltip + 403 server-side
+ * - Member with capability → enabled
+ */
+final class WorkspaceUiEnforcement
+{
+    private Action $action;
+
+    private bool $requireMembership = true;
+
+    private ?string $capability = null;
+
+    private bool $isDestructive = false;
+
+    private ?string $customTooltip = null;
+
+    private Model|Closure|null $record = null;
+
+    private function __construct(Action $action)
+    {
+        $this->action = $action;
+    }
+
+    /**
+     * Create enforcement for a table action.
+     *
+     * @param  Action  $action  The Filament action to wrap
+     * @param  Model|Closure  $record  The owner record or a closure that returns it
+     */
+    public static function forTableAction(Action $action, Model|Closure $record): self
+    {
+        $instance = new self($action);
+        $instance->record = $record;
+
+        return $instance;
+    }
+
+    public function requireMembership(bool $require = true): self
+    {
+        $this->requireMembership = $require;
+
+        return $this;
+    }
+
+    /**
+     * @throws \InvalidArgumentException If capability is not in the canonical registry
+     */
+    public function requireCapability(string $capability): self
+    {
+        if (! Capabilities::isKnown($capability)) {
+            throw new \InvalidArgumentException(
+                "Unknown capability: {$capability}. Use constants from ".Capabilities::class
+            );
+        }
+
+        $this->capability = $capability;
+
+        return $this;
+    }
+
+    public function destructive(): self
+    {
+        $this->isDestructive = true;
+
+        return $this;
+    }
+
+    public function tooltip(string $message): self
+    {
+        $this->customTooltip = $message;
+
+        return $this;
+    }
+
+    public function apply(): Action
+    {
+        $this->applyVisibility();
+        $this->applyDisabledState();
+        $this->applyDestructiveConfirmation();
+        $this->applyServerSideGuard();
+
+        return $this->action;
+    }
+
+    private function applyVisibility(): void
+    {
+        if (! $this->requireMembership) {
+            return;
+        }
+
+        $this->action->visible(function (?Model $record = null): bool {
+            $context = $this->resolveContextWithRecord($record);
+
+            return $context->isMember;
+        });
+    }
+
+    private function applyDisabledState(): void
+    {
+        if ($this->capability === null) {
+            return;
+        }
+
+        $tooltip = $this->customTooltip ?? AuthUiTooltips::insufficientPermission();
+
+        $this->action->disabled(function (?Model $record = null): bool {
+            $context = $this->resolveContextWithRecord($record);
+
+            if (! $context->isMember) {
+                return true;
+            }
+
+            return ! $context->hasCapability;
+        });
+
+        $this->action->tooltip(function (?Model $record = null) use ($tooltip): ?string {
+            $context = $this->resolveContextWithRecord($record);
+
+            if ($context->isMember && ! $context->hasCapability) {
+                return $tooltip;
+            }
+
+            return null;
+        });
+    }
+
+    private function applyDestructiveConfirmation(): void
+    {
+        if (! $this->isDestructive) {
+            return;
+        }
+
+        $this->action->requiresConfirmation();
+        $this->action->modalHeading(UiTooltips::DESTRUCTIVE_CONFIRM_TITLE);
+        $this->action->modalDescription(UiTooltips::DESTRUCTIVE_CONFIRM_DESCRIPTION);
+    }
+
+    private function applyServerSideGuard(): void
+    {
+        $this->action->before(function (?Model $record = null): void {
+            $context = $this->resolveContextWithRecord($record);
+
+            if ($context->shouldDenyAsNotFound()) {
+                abort(404);
+            }
+
+            if ($context->shouldDenyAsForbidden()) {
+                abort(403);
+            }
+        });
+    }
+
+    private function resolveContextWithRecord(?Model $record = null): WorkspaceAccessContext
+    {
+        $user = auth()->user();
+        $workspace = $this->resolveWorkspaceWithRecord($record);
+
+        if (! $user instanceof User || ! $workspace instanceof Workspace) {
+            return new WorkspaceAccessContext(
+                user: null,
+                workspace: null,
+                isMember: false,
+                hasCapability: false,
+            );
+        }
+
+        /** @var WorkspaceCapabilityResolver $resolver */
+        $resolver = app(WorkspaceCapabilityResolver::class);
+
+        $isMember = $resolver->isMember($user, $workspace);
+
+        $hasCapability = true;
+        if ($this->capability !== null && $isMember) {
+            $hasCapability = $resolver->can($user, $workspace, $this->capability);
+        }
+
+        return new WorkspaceAccessContext(
+            user: $user,
+            workspace: $workspace,
+            isMember: $isMember,
+            hasCapability: $hasCapability,
+        );
+    }
+
+    private function resolveWorkspaceWithRecord(?Model $record = null): ?Workspace
+    {
+        if ($record instanceof Workspace) {
+            return $record;
+        }
+
+        if ($this->record !== null) {
+            try {
+                $resolved = $this->record instanceof Closure
+                    ? ($this->record)()
+                    : $this->record;
+
+                if ($resolved instanceof Workspace) {
+                    return $resolved;
+                }
+            } catch (Throwable) {
+                return null;
+            }
+        }
+
+        return null;
+    }
+}

app/Support/Verification/PreviousVerificationReportResolver.php

@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\Verification;
+
+use App\Models\OperationRun;
+use App\Support\OperationRunStatus;
+
+final class PreviousVerificationReportResolver
+{
+    public static function resolvePreviousReportId(OperationRun $run): ?int
+    {
+        $runId = $run->getKey();
+
+        if (! is_int($runId) || $runId <= 0) {
+            return null;
+        }
+
+        $providerConnectionId = self::providerConnectionId($run);
+
+        $query = OperationRun::query()
+            ->where('tenant_id', (int) $run->tenant_id)
+            ->where('workspace_id', (int) $run->workspace_id)
+            ->where('type', (string) $run->type)
+            ->where('run_identity_hash', (string) $run->run_identity_hash)
+            ->where('status', OperationRunStatus::Completed->value)
+            ->where('id', '<', $runId)
+            ->orderByDesc('id');
+
+        if ($providerConnectionId !== null) {
+            $query->where('context->provider_connection_id', $providerConnectionId);
+        } else {
+            $query->whereNull('context->provider_connection_id');
+        }
+
+        $previousId = $query->value('id');
+
+        return is_int($previousId) ? $previousId : null;
+    }
+
+    private static function providerConnectionId(OperationRun $run): ?int
+    {
+        $context = $run->context;
+
+        if (! is_array($context)) {
+            return null;
+        }
+
+        $providerConnectionId = $context['provider_connection_id'] ?? null;
+
+        if (is_int($providerConnectionId)) {
+            return $providerConnectionId;
+        }
+
+        if (is_string($providerConnectionId) && ctype_digit(trim($providerConnectionId))) {
+            return (int) trim($providerConnectionId);
+        }
+
+        return null;
+    }
+}
+

app/Support/Verification/TenantPermissionCheckClusters.php

@@ -0,0 +1,415 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\Verification;
+
+use App\Models\Tenant;
+use App\Support\Links\RequiredPermissionsLinks;
+
+final class TenantPermissionCheckClusters
+{
+    /**
+     * @phpstan-type TenantPermissionRow array{
+     *   key:string,
+     *   type:'application'|'delegated',
+     *   description:?string,
+     *   features:array<int,string>,
+     *   status:'granted'|'missing'|'error',
+     *   details:array<string,mixed>|null
+     * }
+     *
+     * @param  array<int, array<string, mixed>>  $permissions
+     * @param  array{fresh?:bool,reason_code?:string,message?:string}|null  $inventory
+     * @return array<int, array<string, mixed>>
+     */
+    public static function buildChecks(Tenant $tenant, array $permissions, ?array $inventory = null): array
+    {
+        $inventory = is_array($inventory) ? $inventory : [];
+
+        $inventoryFresh = $inventory['fresh'] ?? true;
+        $inventoryFresh = is_bool($inventoryFresh) ? $inventoryFresh : true;
+
+        $inventoryReasonCode = $inventory['reason_code'] ?? null;
+        $inventoryReasonCode = is_string($inventoryReasonCode) && $inventoryReasonCode !== ''
+            ? $inventoryReasonCode
+            : 'dependency_unreachable';
+
+        $inventoryMessage = $inventory['message'] ?? null;
+        $inventoryMessage = is_string($inventoryMessage) && trim($inventoryMessage) !== ''
+            ? trim($inventoryMessage)
+            : 'Unable to refresh observed permissions inventory during this run. Retry verification.';
+
+        $inventoryEvidence = self::inventoryEvidence($inventory);
+
+        /** @var array<int, TenantPermissionRow> $rows */
+        $rows = collect($permissions)
+            ->filter(fn (mixed $row): bool => is_array($row))
+            ->map(fn (array $row): array => self::normalizePermissionRow($row))
+            ->values()
+            ->all();
+
+        $checks = [];
+
+        foreach (self::definitions() as $definition) {
+            $key = (string) ($definition['key'] ?? 'unknown');
+            $title = (string) ($definition['title'] ?? 'Check');
+
+            $clusterRows = array_values(array_filter($rows, fn (array $row): bool => self::matches($definition, $row)));
+
+            $checks[] = self::buildCheck(
+                tenant: $tenant,
+                key: $key,
+                title: $title,
+                clusterRows: $clusterRows,
+                inventoryFresh: $inventoryFresh,
+                inventoryReasonCode: $inventoryReasonCode,
+                inventoryMessage: $inventoryMessage,
+                inventoryEvidence: $inventoryEvidence,
+            );
+        }
+
+        return $checks;
+    }
+
+    /**
+     * @return array<int, array{key:string,title:string,mode:string,prefixes?:array<int,string>,keys?:array<int,string>}>
+     */
+    private static function definitions(): array
+    {
+        return [
+            [
+                'key' => 'permissions.admin_consent',
+                'title' => 'Admin consent granted',
+                'mode' => 'type',
+                'type' => 'application',
+            ],
+            [
+                'key' => 'permissions.directory_groups',
+                'title' => 'Directory & group read access',
+                'mode' => 'keys',
+                'keys' => [
+                    'Directory.Read.All',
+                    'Group.Read.All',
+                ],
+            ],
+            [
+                'key' => 'permissions.intune_configuration',
+                'title' => 'Intune configuration access',
+                'mode' => 'prefixes',
+                'prefixes' => [
+                    'DeviceManagementConfiguration.',
+                    'DeviceManagementServiceConfig.',
+                ],
+            ],
+            [
+                'key' => 'permissions.intune_apps',
+                'title' => 'Intune apps access',
+                'mode' => 'prefixes',
+                'prefixes' => [
+                    'DeviceManagementApps.',
+                ],
+            ],
+            [
+                'key' => 'permissions.intune_rbac_assignments',
+                'title' => 'Intune RBAC & assignments prerequisites',
+                'mode' => 'prefixes',
+                'prefixes' => [
+                    'DeviceManagementRBAC.',
+                ],
+            ],
+            [
+                'key' => 'permissions.scripts_remediations',
+                'title' => 'Scripts/remediations access',
+                'mode' => 'prefixes',
+                'prefixes' => [
+                    'DeviceManagementScripts.',
+                ],
+            ],
+        ];
+    }
+
+    /**
+     * @param  array{mode:string,prefixes?:array<int,string>,keys?:array<int,string>,type?:string}  $definition
+     * @param  TenantPermissionRow  $row
+     */
+    private static function matches(array $definition, array $row): bool
+    {
+        $mode = (string) ($definition['mode'] ?? '');
+        $key = (string) ($row['key'] ?? '');
+
+        if ($mode === 'type') {
+            return ($row['type'] ?? null) === ($definition['type'] ?? null);
+        }
+
+        if ($mode === 'keys') {
+            $keys = $definition['keys'] ?? [];
+
+            return is_array($keys) && in_array($key, $keys, true);
+        }
+
+        if ($mode === 'prefixes') {
+            $prefixes = $definition['prefixes'] ?? [];
+
+            if (! is_array($prefixes)) {
+                return false;
+            }
+
+            foreach ($prefixes as $prefix) {
+                if (is_string($prefix) && $prefix !== '' && str_starts_with($key, $prefix)) {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+
+        return false;
+    }
+
+    /**
+     * @param  array<int, TenantPermissionRow>  $clusterRows
+     * @return array<string, mixed>
+     */
+    private static function buildCheck(
+        Tenant $tenant,
+        string $key,
+        string $title,
+        array $clusterRows,
+        bool $inventoryFresh,
+        string $inventoryReasonCode,
+        string $inventoryMessage,
+        array $inventoryEvidence,
+    ): array
+    {
+        if (! $inventoryFresh) {
+            return [
+                'key' => $key,
+                'title' => $title,
+                'status' => VerificationCheckStatus::Warn->value,
+                'severity' => VerificationCheckSeverity::Medium->value,
+                'blocking' => false,
+                'reason_code' => $inventoryReasonCode,
+                'message' => $inventoryMessage,
+                'evidence' => $inventoryEvidence,
+                'next_steps' => [
+                    [
+                        'label' => 'Open required permissions',
+                        'url' => RequiredPermissionsLinks::requiredPermissions($tenant),
+                    ],
+                ],
+            ];
+        }
+
+        if ($clusterRows === []) {
+            return [
+                'key' => $key,
+                'title' => $title,
+                'status' => VerificationCheckStatus::Skip->value,
+                'severity' => VerificationCheckSeverity::Info->value,
+                'blocking' => false,
+                'reason_code' => 'not_applicable',
+                'message' => 'Not applicable for this tenant.',
+                'evidence' => [],
+                'next_steps' => [],
+            ];
+        }
+
+        $missingApplication = array_values(array_filter(
+            $clusterRows,
+            static fn (array $row): bool => $row['status'] === 'missing' && $row['type'] === 'application',
+        ));
+
+        $missingDelegated = array_values(array_filter(
+            $clusterRows,
+            static fn (array $row): bool => $row['status'] === 'missing' && $row['type'] === 'delegated',
+        ));
+
+        $errored = array_values(array_filter(
+            $clusterRows,
+            static fn (array $row): bool => $row['status'] === 'error',
+        ));
+
+        $evidence = array_values(array_unique(array_merge(
+            self::evidence($missingApplication, $missingDelegated, $errored),
+            $inventoryEvidence,
+        ), SORT_REGULAR));
+
+        if ($missingApplication !== [] || $errored !== []) {
+            $missingKeys = array_values(array_unique(array_merge(
+                array_map(static fn (array $row): string => $row['key'], $missingApplication),
+                array_map(static fn (array $row): string => $row['key'], $errored),
+            )));
+
+            $message = $missingKeys !== []
+                ? sprintf('Missing required application permission(s): %s', implode(', ', array_slice($missingKeys, 0, 6)))
+                : 'Missing required permissions.';
+
+            return [
+                'key' => $key,
+                'title' => $title,
+                'status' => VerificationCheckStatus::Fail->value,
+                'severity' => VerificationCheckSeverity::Critical->value,
+                'blocking' => true,
+                'reason_code' => 'ext.missing_permission',
+                'message' => $message,
+                'evidence' => $evidence,
+                'next_steps' => [
+                    [
+                        'label' => 'Open required permissions',
+                        'url' => RequiredPermissionsLinks::requiredPermissions($tenant),
+                    ],
+                ],
+            ];
+        }
+
+        if ($missingDelegated !== []) {
+            $missingKeys = array_values(array_unique(array_map(static fn (array $row): string => $row['key'], $missingDelegated)));
+            $message = sprintf('Missing delegated permission(s): %s', implode(', ', array_slice($missingKeys, 0, 6)));
+
+            return [
+                'key' => $key,
+                'title' => $title,
+                'status' => VerificationCheckStatus::Warn->value,
+                'severity' => VerificationCheckSeverity::Medium->value,
+                'blocking' => false,
+                'reason_code' => 'ext.missing_delegated_permission',
+                'message' => $message,
+                'evidence' => $evidence,
+                'next_steps' => [
+                    [
+                        'label' => 'Open required permissions',
+                        'url' => RequiredPermissionsLinks::requiredPermissions($tenant),
+                    ],
+                ],
+            ];
+        }
+
+        return [
+            'key' => $key,
+            'title' => $title,
+            'status' => VerificationCheckStatus::Pass->value,
+            'severity' => VerificationCheckSeverity::Info->value,
+            'blocking' => false,
+            'reason_code' => 'ok',
+            'message' => 'All required permissions are granted.',
+            'evidence' => [],
+            'next_steps' => [],
+        ];
+    }
+
+    /**
+     * @param  array<int, TenantPermissionRow>  $missingApplication
+     * @param  array<int, TenantPermissionRow>  $missingDelegated
+     * @param  array<int, TenantPermissionRow>  $errored
+     * @return array<int, array{kind:string,value:int|string}>
+     */
+    private static function evidence(array $missingApplication, array $missingDelegated, array $errored): array
+    {
+        $pointers = [];
+
+        foreach (array_merge($missingApplication, $missingDelegated, $errored) as $row) {
+            $pointers[] = [
+                'kind' => 'missing_permission',
+                'value' => (string) ($row['key'] ?? ''),
+            ];
+
+            $pointers[] = [
+                'kind' => 'permission_type',
+                'value' => (string) ($row['type'] ?? 'application'),
+            ];
+
+            foreach (($row['features'] ?? []) as $feature) {
+                if (! is_string($feature) || $feature === '') {
+                    continue;
+                }
+
+                $pointers[] = [
+                    'kind' => 'feature',
+                    'value' => $feature,
+                ];
+            }
+        }
+
+        $unique = [];
+
+        foreach ($pointers as $pointer) {
+            $key = $pointer['kind'].':'.(string) $pointer['value'];
+            $unique[$key] = $pointer;
+        }
+
+        return array_values($unique);
+    }
+
+    /**
+     * @param  array<string, mixed>  $inventory
+     * @return array<int, array{kind:string,value:int|string}>
+     */
+    private static function inventoryEvidence(array $inventory): array
+    {
+        $pointers = [];
+
+        $appId = $inventory['app_id'] ?? null;
+        if (is_string($appId) && $appId !== '') {
+            $pointers[] = [
+                'kind' => 'app_id',
+                'value' => $appId,
+            ];
+        }
+
+        $observedCount = $inventory['observed_permissions_count'] ?? null;
+        if (is_int($observedCount) || (is_numeric($observedCount) && (string) (int) $observedCount === (string) $observedCount)) {
+            $pointers[] = [
+                'kind' => 'observed_permissions_count',
+                'value' => (int) $observedCount,
+            ];
+        }
+
+        return $pointers;
+    }
+
+    /**
+     * @param  array<string, mixed>  $row
+     * @return TenantPermissionRow
+     */
+    private static function normalizePermissionRow(array $row): array
+    {
+        $key = (string) ($row['key'] ?? '');
+        $type = (string) ($row['type'] ?? 'application');
+        $status = (string) ($row['status'] ?? 'missing');
+        $description = $row['description'] ?? null;
+        $features = $row['features'] ?? [];
+        $details = $row['details'] ?? null;
+
+        if (! in_array($type, ['application', 'delegated'], true)) {
+            $type = 'application';
+        }
+
+        if (! in_array($status, ['granted', 'missing', 'error'], true)) {
+            $status = 'missing';
+        }
+
+        if (! is_string($description) || $description === '') {
+            $description = null;
+        }
+
+        if (! is_array($features)) {
+            $features = [];
+        }
+
+        $features = array_values(array_unique(array_filter(array_map('strval', $features))));
+
+        if (! is_array($details)) {
+            $details = null;
+        }
+
+        return [
+            'key' => $key,
+            'type' => $type,
+            'description' => $description,
+            'features' => $features,
+            'status' => $status,
+            'details' => $details,
+        ];
+    }
+}

app/Support/Verification/VerificationCheckSeverity.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace App\Support\Verification;
+
+enum VerificationCheckSeverity: string
+{
+    case Info = 'info';
+    case Low = 'low';
+    case Medium = 'medium';
+    case High = 'high';
+    case Critical = 'critical';
+
+    /**
+     * @return array<int, string>
+     */
+    public static function values(): array
+    {
+        return array_map(static fn (self $case): string => $case->value, self::cases());
+    }
+}

app/Support/Verification/VerificationCheckStatus.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace App\Support\Verification;
+
+enum VerificationCheckStatus: string
+{
+    case Pass = 'pass';
+    case Fail = 'fail';
+    case Warn = 'warn';
+    case Skip = 'skip';
+    case Running = 'running';
+
+    /**
+     * @return array<int, string>
+     */
+    public static function values(): array
+    {
+        return array_map(static fn (self $case): string => $case->value, self::cases());
+    }
+}

app/Support/Verification/VerificationReportFingerprint.php

@@ -0,0 +1,96 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\Verification;
+
+final class VerificationReportFingerprint
+{
+    /**
+     * @param  array<int, array<string, mixed>>  $checks
+     */
+    public static function forChecks(array $checks): string
+    {
+        $tuples = [];
+
+        foreach ($checks as $check) {
+            if (! is_array($check)) {
+                continue;
+            }
+
+            $key = self::normalizeKey($check['key'] ?? null);
+            $status = self::normalizeEnumString($check['status'] ?? null);
+            $reasonCode = self::normalizeEnumString($check['reason_code'] ?? null);
+
+            $blocking = is_bool($check['blocking'] ?? null) ? (bool) $check['blocking'] : false;
+
+            $severity = $check['severity'] ?? null;
+            $severity = is_string($severity) ? trim($severity) : '';
+
+            if ($severity === '') {
+                $severity = '';
+            } else {
+                $severity = strtolower($severity);
+            }
+
+            $tuples[] = [
+                'key' => $key,
+                'tuple' => implode('|', [
+                    $key,
+                    $status,
+                    $blocking ? '1' : '0',
+                    $reasonCode,
+                    $severity,
+                ]),
+            ];
+        }
+
+        usort($tuples, static function (array $a, array $b): int {
+            $keyComparison = $a['key'] <=> $b['key'];
+
+            if ($keyComparison !== 0) {
+                return $keyComparison;
+            }
+
+            return $a['tuple'] <=> $b['tuple'];
+        });
+
+        $payload = implode("\n", array_map(static fn (array $item): string => (string) $item['tuple'], $tuples));
+
+        return hash('sha256', $payload);
+    }
+
+    /**
+     * @param  array<string, mixed>  $report
+     */
+    public static function forReport(array $report): string
+    {
+        $checks = $report['checks'] ?? null;
+        $checks = is_array($checks) ? $checks : [];
+
+        /** @var array<int, array<string, mixed>> $checks */
+        return self::forChecks($checks);
+    }
+
+    private static function normalizeKey(mixed $value): string
+    {
+        if (! is_string($value)) {
+            return '';
+        }
+
+        $value = trim($value);
+
+        return $value === '' ? '' : $value;
+    }
+
+    private static function normalizeEnumString(mixed $value): string
+    {
+        if (! is_string($value)) {
+            return '';
+        }
+
+        $value = trim($value);
+
+        return $value === '' ? '' : strtolower($value);
+    }
+}

app/Support/Verification/VerificationReportOverall.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Support\Verification;
+
+enum VerificationReportOverall: string
+{
+    case Ready = 'ready';
+    case NeedsAttention = 'needs_attention';
+    case Blocked = 'blocked';
+    case Running = 'running';
+
+    /**
+     * @return array<int, string>
+     */
+    public static function values(): array
+    {
+        return array_map(static fn (self $case): string => $case->value, self::cases());
+    }
+}

app/Support/Verification/VerificationReportSanitizer.php

@@ -0,0 +1,421 @@
+<?php
+
+namespace App\Support\Verification;
+
+final class VerificationReportSanitizer
+{
+    /**
+     * @var array<int, string>
+     */
+    private const FORBIDDEN_KEY_SUBSTRINGS = [
+        'access_token',
+        'refresh_token',
+        'client_secret',
+        'authorization',
+        'password',
+        'cookie',
+        'set-cookie',
+    ];
+
+    /**
+     * Evidence pointers must remain pointer-only. This allowlist is intentionally strict.
+     *
+     * @var array<int, string>
+     */
+    private const ALLOWED_EVIDENCE_KINDS = [
+        'provider_connection_id',
+        'entra_tenant_id',
+        'organization_id',
+        'http_status',
+        'app_id',
+        'observed_permissions_count',
+        'missing_permission',
+        'permission_type',
+        'feature',
+    ];
+
+    /**
+     * @return array<string, mixed>
+     */
+    public static function sanitizeReport(array $report): array
+    {
+        $sanitized = [];
+
+        $schemaVersion = self::sanitizeShortString($report['schema_version'] ?? null, fallback: null);
+        if ($schemaVersion !== null) {
+            $sanitized['schema_version'] = $schemaVersion;
+        }
+
+        $flow = self::sanitizeShortString($report['flow'] ?? null, fallback: null);
+        if ($flow !== null) {
+            $sanitized['flow'] = $flow;
+        }
+
+        $generatedAt = self::sanitizeShortString($report['generated_at'] ?? null, fallback: null);
+        if ($generatedAt !== null) {
+            $sanitized['generated_at'] = $generatedAt;
+        }
+
+        if (array_key_exists('fingerprint', $report)) {
+            $fingerprint = $report['fingerprint'];
+
+            if (is_string($fingerprint)) {
+                $fingerprint = strtolower(trim($fingerprint));
+
+                if (preg_match('/^[a-f0-9]{64}$/', $fingerprint)) {
+                    $sanitized['fingerprint'] = $fingerprint;
+                }
+            }
+        }
+
+        if (array_key_exists('previous_report_id', $report)) {
+            $previousReportId = $report['previous_report_id'];
+
+            if ($previousReportId === null || is_int($previousReportId)) {
+                $sanitized['previous_report_id'] = $previousReportId;
+            } elseif (is_string($previousReportId)) {
+                $previousReportId = trim($previousReportId);
+
+                if ($previousReportId === '') {
+                    $sanitized['previous_report_id'] = null;
+                } elseif (ctype_digit($previousReportId)) {
+                    $sanitized['previous_report_id'] = (int) $previousReportId;
+                } else {
+                    $previousReportId = self::sanitizeShortString($previousReportId, fallback: null);
+
+                    if ($previousReportId !== null) {
+                        $sanitized['previous_report_id'] = $previousReportId;
+                    }
+                }
+            }
+        }
+
+        if (is_array($report['identity'] ?? null)) {
+            $identity = self::sanitizeIdentity((array) $report['identity']);
+
+            if ($identity !== []) {
+                $sanitized['identity'] = $identity;
+            }
+        }
+
+        $summary = is_array($report['summary'] ?? null) ? (array) $report['summary'] : [];
+        $summary = self::sanitizeSummary($summary);
+
+        if ($summary !== null) {
+            $sanitized['summary'] = $summary;
+        }
+
+        $checks = is_array($report['checks'] ?? null) ? (array) $report['checks'] : [];
+        $checks = self::sanitizeChecks($checks);
+
+        if ($checks !== null) {
+            $sanitized['checks'] = $checks;
+        }
+
+        return $sanitized;
+    }
+
+    /**
+     * @param  array<string, mixed>  $identity
+     * @return array<string, int|string>
+     */
+    private static function sanitizeIdentity(array $identity): array
+    {
+        $sanitized = [];
+
+        foreach ($identity as $key => $value) {
+            if (! is_string($key) || trim($key) === '') {
+                continue;
+            }
+
+            if (self::containsForbiddenKeySubstring($key)) {
+                continue;
+            }
+
+            if (is_int($value)) {
+                $sanitized[$key] = $value;
+
+                continue;
+            }
+
+            if (! is_string($value)) {
+                continue;
+            }
+
+            $value = self::sanitizeValueString($value);
+
+            if ($value !== null) {
+                $sanitized[$key] = $value;
+            }
+        }
+
+        return $sanitized;
+    }
+
+    /**
+     * @param  array<string, mixed>  $summary
+     * @return array{overall: string, counts: array{total: int, pass: int, fail: int, warn: int, skip: int, running: int}}|null
+     */
+    private static function sanitizeSummary(array $summary): ?array
+    {
+        $overall = $summary['overall'] ?? null;
+
+        if (! is_string($overall) || ! in_array($overall, VerificationReportOverall::values(), true)) {
+            return null;
+        }
+
+        $counts = is_array($summary['counts'] ?? null) ? (array) $summary['counts'] : [];
+
+        foreach (['total', 'pass', 'fail', 'warn', 'skip', 'running'] as $key) {
+            if (! is_int($counts[$key] ?? null) || $counts[$key] < 0) {
+                return null;
+            }
+        }
+
+        return [
+            'overall' => $overall,
+            'counts' => [
+                'total' => $counts['total'],
+                'pass' => $counts['pass'],
+                'fail' => $counts['fail'],
+                'warn' => $counts['warn'],
+                'skip' => $counts['skip'],
+                'running' => $counts['running'],
+            ],
+        ];
+    }
+
+    /**
+     * @param  array<int, mixed>  $checks
+     * @return array<int, array<string, mixed>>|null
+     */
+    private static function sanitizeChecks(array $checks): ?array
+    {
+        if ($checks === []) {
+            return [];
+        }
+
+        $sanitized = [];
+
+        foreach ($checks as $check) {
+            if (! is_array($check)) {
+                continue;
+            }
+
+            $key = self::sanitizeShortString($check['key'] ?? null, fallback: null);
+            $title = self::sanitizeShortString($check['title'] ?? null, fallback: null);
+            $reasonCode = self::sanitizeShortString($check['reason_code'] ?? null, fallback: null);
+
+            if ($key === null || $title === null || $reasonCode === null) {
+                continue;
+            }
+
+            $status = $check['status'] ?? null;
+            if (! is_string($status) || ! in_array($status, VerificationCheckStatus::values(), true)) {
+                continue;
+            }
+
+            $severityRaw = $check['severity'] ?? null;
+            if (! is_string($severityRaw)) {
+                continue;
+            }
+
+            $severity = strtolower(trim($severityRaw));
+
+            if ($severity !== '' && ! in_array($severity, VerificationCheckSeverity::values(), true)) {
+                continue;
+            }
+
+            $messageRaw = $check['message'] ?? null;
+            if (! is_string($messageRaw) || trim($messageRaw) === '') {
+                continue;
+            }
+
+            $blocking = is_bool($check['blocking'] ?? null) ? (bool) $check['blocking'] : false;
+
+            $sanitized[] = [
+                'key' => $key,
+                'title' => $title,
+                'status' => $status,
+                'severity' => $severity,
+                'blocking' => $blocking,
+                'reason_code' => $reasonCode,
+                'message' => self::sanitizeMessage($messageRaw),
+                'evidence' => self::sanitizeEvidence(is_array($check['evidence'] ?? null) ? (array) $check['evidence'] : []),
+                'next_steps' => self::sanitizeNextSteps(is_array($check['next_steps'] ?? null) ? (array) $check['next_steps'] : []),
+            ];
+        }
+
+        return $sanitized;
+    }
+
+    /**
+     * @param  array<int, mixed>  $evidence
+     * @return array<int, array{kind: string, value: int|string}>
+     */
+    private static function sanitizeEvidence(array $evidence): array
+    {
+        $sanitized = [];
+
+        foreach ($evidence as $pointer) {
+            if (! is_array($pointer)) {
+                continue;
+            }
+
+            $kind = $pointer['kind'] ?? null;
+            if (! is_string($kind) || trim($kind) === '') {
+                continue;
+            }
+
+            $kind = trim($kind);
+
+            if (! in_array($kind, self::ALLOWED_EVIDENCE_KINDS, true)) {
+                continue;
+            }
+
+            if (self::containsForbiddenKeySubstring($kind)) {
+                continue;
+            }
+
+            $value = $pointer['value'] ?? null;
+
+            if (is_int($value)) {
+                $sanitized[] = ['kind' => $kind, 'value' => $value];
+
+                continue;
+            }
+
+            if (! is_string($value)) {
+                continue;
+            }
+
+            $sanitizedValue = self::sanitizeValueString($value);
+
+            if ($sanitizedValue === null) {
+                continue;
+            }
+
+            $sanitized[] = ['kind' => $kind, 'value' => $sanitizedValue];
+        }
+
+        return $sanitized;
+    }
+
+    /**
+     * @param  array<int, mixed>  $nextSteps
+     * @return array<int, array{label: string, url: string}>
+     */
+    private static function sanitizeNextSteps(array $nextSteps): array
+    {
+        $sanitized = [];
+
+        foreach ($nextSteps as $step) {
+            if (! is_array($step)) {
+                continue;
+            }
+
+            $label = self::sanitizeShortString($step['label'] ?? null, fallback: null);
+            $url = self::sanitizeShortString($step['url'] ?? null, fallback: null);
+
+            if ($label === null || $url === null) {
+                continue;
+            }
+
+            $sanitized[] = [
+                'label' => $label,
+                'url' => $url,
+            ];
+        }
+
+        return $sanitized;
+    }
+
+    private static function sanitizeMessage(mixed $message): string
+    {
+        if (! is_string($message)) {
+            return '—';
+        }
+
+        $message = trim(str_replace(["\r", "\n"], ' ', $message));
+
+        $message = preg_replace('/\bAuthorization\s*:\s*[^\s]+(?:\s+[^\s]+)?/i', '[REDACTED_AUTH]', $message) ?? $message;
+        $message = preg_replace('/\bBearer\s+[A-Za-z0-9\-\._~\+\/]+=*\b/i', '[REDACTED_AUTH]', $message) ?? $message;
+
+        $message = preg_replace('/\b(access_token|refresh_token|client_secret|password)\b\s*[:=]\s*[^\s,;]+/i', '[REDACTED_SECRET]', $message) ?? $message;
+        $message = preg_replace('/"(access_token|refresh_token|client_secret|password)"\s*:\s*"[^"]*"/i', '"[REDACTED]":"[REDACTED]"', $message) ?? $message;
+
+        $message = preg_replace('/\b[A-Za-z0-9\-\._~\+\/]{64,}\b/', '[REDACTED]', $message) ?? $message;
+
+        $message = str_ireplace(
+            ['client_secret', 'access_token', 'refresh_token', 'authorization', 'bearer '],
+            '[REDACTED]',
+            $message,
+        );
+
+        $message = trim($message);
+
+        return $message === '' ? '—' : substr($message, 0, 240);
+    }
+
+    private static function sanitizeShortString(mixed $value, ?string $fallback): ?string
+    {
+        if (! is_string($value)) {
+            return $fallback;
+        }
+
+        $value = trim($value);
+
+        if ($value === '') {
+            return $fallback;
+        }
+
+        if (self::containsForbiddenKeySubstring($value)) {
+            return $fallback;
+        }
+
+        return substr($value, 0, 200);
+    }
+
+    private static function sanitizeValueString(string $value): ?string
+    {
+        $value = trim($value);
+
+        if ($value === '') {
+            return null;
+        }
+
+        if (preg_match('/\bBearer\s+[A-Za-z0-9\-\._~\+\/]+=*\b/i', $value)) {
+            return null;
+        }
+
+        if (strlen($value) > 512) {
+            return null;
+        }
+
+        if (preg_match('/\b[A-Za-z0-9\-\._~\+\/]{128,}\b/', $value)) {
+            return null;
+        }
+
+        $lower = strtolower($value);
+        foreach (self::FORBIDDEN_KEY_SUBSTRINGS as $needle) {
+            if (str_contains($lower, $needle)) {
+                return null;
+            }
+        }
+
+        return $value;
+    }
+
+    private static function containsForbiddenKeySubstring(string $value): bool
+    {
+        $lower = strtolower($value);
+
+        foreach (self::FORBIDDEN_KEY_SUBSTRINGS as $needle) {
+            if (str_contains($lower, $needle)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}

app/Support/Verification/VerificationReportSchema.php

@@ -0,0 +1,257 @@
+<?php
+
+namespace App\Support\Verification;
+
+use DateTimeImmutable;
+
+final class VerificationReportSchema
+{
+    public const string CURRENT_SCHEMA_VERSION = '1.5.0';
+
+    /**
+     * @return array<string, mixed>|null
+     */
+    public static function normalizeReport(mixed $report): ?array
+    {
+        if (! is_array($report)) {
+            return null;
+        }
+
+        if (! self::isValidReport($report)) {
+            return null;
+        }
+
+        return $report;
+    }
+
+    /**
+     * @param  array<string, mixed>  $report
+     */
+    public static function isValidReport(array $report): bool
+    {
+        $schemaVersion = self::schemaVersion($report);
+        if ($schemaVersion === null || ! self::isSupportedSchemaVersion($schemaVersion)) {
+            return false;
+        }
+
+        if (! self::isNonEmptyString($report['flow'] ?? null)) {
+            return false;
+        }
+
+        if (! self::isIsoDateTimeString($report['generated_at'] ?? null)) {
+            return false;
+        }
+
+        if (array_key_exists('identity', $report) && ! is_array($report['identity'])) {
+            return false;
+        }
+
+        $summary = $report['summary'] ?? null;
+        if (! is_array($summary)) {
+            return false;
+        }
+
+        $overall = $summary['overall'] ?? null;
+        if (! is_string($overall) || ! in_array($overall, VerificationReportOverall::values(), true)) {
+            return false;
+        }
+
+        $counts = $summary['counts'] ?? null;
+        if (! is_array($counts)) {
+            return false;
+        }
+
+        foreach (['total', 'pass', 'fail', 'warn', 'skip', 'running'] as $key) {
+            if (! self::isNonNegativeInt($counts[$key] ?? null)) {
+                return false;
+            }
+        }
+
+        $checks = $report['checks'] ?? null;
+        if (! is_array($checks)) {
+            return false;
+        }
+
+        foreach ($checks as $check) {
+            if (! is_array($check) || ! self::isValidCheckResult($check)) {
+                return false;
+            }
+        }
+
+        if (array_key_exists('fingerprint', $report)) {
+            $fingerprint = $report['fingerprint'];
+
+            if (! is_string($fingerprint) || ! preg_match('/^[a-f0-9]{64}$/', $fingerprint)) {
+                return false;
+            }
+        }
+
+        if (array_key_exists('previous_report_id', $report)) {
+            $previousReportId = $report['previous_report_id'];
+
+            if ($previousReportId !== null && ! is_int($previousReportId) && ! self::isNonEmptyString($previousReportId)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * @param  array<string, mixed>  $report
+     */
+    public static function schemaVersion(array $report): ?string
+    {
+        $candidate = $report['schema_version'] ?? null;
+
+        if (! is_string($candidate)) {
+            return null;
+        }
+
+        $candidate = trim($candidate);
+
+        if ($candidate === '') {
+            return null;
+        }
+
+        if (! preg_match('/^\d+\.\d+\.\d+$/', $candidate)) {
+            return null;
+        }
+
+        return $candidate;
+    }
+
+    public static function isSupportedSchemaVersion(string $schemaVersion): bool
+    {
+        $parts = explode('.', $schemaVersion, 3);
+
+        if (count($parts) !== 3) {
+            return false;
+        }
+
+        $major = (int) $parts[0];
+
+        return $major === 1;
+    }
+
+    /**
+     * @param  array<string, mixed>  $check
+     */
+    private static function isValidCheckResult(array $check): bool
+    {
+        if (! self::isNonEmptyString($check['key'] ?? null)) {
+            return false;
+        }
+
+        if (! self::isNonEmptyString($check['title'] ?? null)) {
+            return false;
+        }
+
+        $status = $check['status'] ?? null;
+        if (! is_string($status) || ! in_array($status, VerificationCheckStatus::values(), true)) {
+            return false;
+        }
+
+        $severity = $check['severity'] ?? null;
+        if (! is_string($severity)) {
+            return false;
+        }
+
+        $severity = trim($severity);
+
+        if ($severity !== '' && ! in_array($severity, VerificationCheckSeverity::values(), true)) {
+            return false;
+        }
+
+        if (! is_bool($check['blocking'] ?? null)) {
+            return false;
+        }
+
+        if (! self::isNonEmptyString($check['reason_code'] ?? null)) {
+            return false;
+        }
+
+        if (! self::isNonEmptyString($check['message'] ?? null)) {
+            return false;
+        }
+
+        $evidence = $check['evidence'] ?? null;
+        if (! is_array($evidence)) {
+            return false;
+        }
+
+        foreach ($evidence as $pointer) {
+            if (! is_array($pointer) || ! self::isValidEvidencePointer($pointer)) {
+                return false;
+            }
+        }
+
+        $nextSteps = $check['next_steps'] ?? null;
+        if (! is_array($nextSteps)) {
+            return false;
+        }
+
+        foreach ($nextSteps as $step) {
+            if (! is_array($step) || ! self::isValidNextStep($step)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * @param  array<string, mixed>  $pointer
+     */
+    private static function isValidEvidencePointer(array $pointer): bool
+    {
+        if (! self::isNonEmptyString($pointer['kind'] ?? null)) {
+            return false;
+        }
+
+        $value = $pointer['value'] ?? null;
+
+        return is_int($value) || self::isNonEmptyString($value);
+    }
+
+    /**
+     * @param  array<string, mixed>  $step
+     */
+    private static function isValidNextStep(array $step): bool
+    {
+        if (! self::isNonEmptyString($step['label'] ?? null)) {
+            return false;
+        }
+
+        if (! self::isNonEmptyString($step['url'] ?? null)) {
+            return false;
+        }
+
+        return true;
+    }
+
+    private static function isNonEmptyString(mixed $value): bool
+    {
+        return is_string($value) && trim($value) !== '';
+    }
+
+    private static function isNonNegativeInt(mixed $value): bool
+    {
+        return is_int($value) && $value >= 0;
+    }
+
+    private static function isIsoDateTimeString(mixed $value): bool
+    {
+        if (! self::isNonEmptyString($value)) {
+            return false;
+        }
+
+        try {
+            new DateTimeImmutable((string) $value);
+
+            return true;
+        } catch (\Throwable) {
+            return false;
+        }
+    }
+}

app/Support/Verification/VerificationReportWriter.php

@@ -0,0 +1,347 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Support\Verification;
+
+use App\Models\OperationRun;
+
+final class VerificationReportWriter
+{
+    /**
+     * Baseline reason code taxonomy (v1).
+     *
+     * @var array<int, string>
+     */
+    private const array BASELINE_REASON_CODES = [
+        'ok',
+        'not_applicable',
+        'missing_configuration',
+        'permission_denied',
+        'authentication_failed',
+        'throttled',
+        'dependency_unreachable',
+        'invalid_state',
+        'unknown_error',
+    ];
+
+    /**
+     * @param  array<int, array<string, mixed>>  $checks
+     * @param  array<string, mixed>  $identity
+     * @return array<string, mixed>
+     */
+    public static function write(OperationRun $run, array $checks, array $identity = []): array
+    {
+        $flow = is_string($run->type) && trim($run->type) !== '' ? (string) $run->type : 'unknown';
+
+        $report = self::build($flow, $checks, $identity);
+        $report['previous_report_id'] = PreviousVerificationReportResolver::resolvePreviousReportId($run);
+
+        $report = VerificationReportSanitizer::sanitizeReport($report);
+
+        if (! VerificationReportSchema::isValidReport($report)) {
+            $report = VerificationReportSanitizer::sanitizeReport(self::buildFallbackReport($flow));
+        }
+
+        $context = is_array($run->context) ? $run->context : [];
+        $context['verification_report'] = $report;
+
+        $run->update(['context' => $context]);
+
+        return $report;
+    }
+
+    /**
+     * @param  array<int, array<string, mixed>>  $checks
+     * @param  array<string, mixed>  $identity
+     * @return array<string, mixed>
+     */
+    public static function build(string $flow, array $checks, array $identity = []): array
+    {
+        $flow = trim($flow);
+        $flow = $flow !== '' ? $flow : 'unknown';
+
+        $normalizedChecks = [];
+
+        foreach ($checks as $check) {
+            if (! is_array($check)) {
+                continue;
+            }
+
+            $normalizedChecks[] = self::normalizeCheckResult($check);
+        }
+
+        $counts = self::deriveCounts($normalizedChecks);
+
+        $report = [
+            'schema_version' => VerificationReportSchema::CURRENT_SCHEMA_VERSION,
+            'flow' => $flow,
+            'generated_at' => now()->toISOString(),
+            'fingerprint' => VerificationReportFingerprint::forChecks($normalizedChecks),
+            'previous_report_id' => null,
+            'summary' => [
+                'overall' => self::deriveOverall($normalizedChecks, $counts),
+                'counts' => $counts,
+            ],
+            'checks' => $normalizedChecks,
+        ];
+
+        if ($identity !== []) {
+            $report['identity'] = $identity;
+        }
+
+        return $report;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private static function buildFallbackReport(string $flow): array
+    {
+        return [
+            'schema_version' => VerificationReportSchema::CURRENT_SCHEMA_VERSION,
+            'flow' => $flow !== '' ? $flow : 'unknown',
+            'generated_at' => now()->toISOString(),
+            'fingerprint' => VerificationReportFingerprint::forChecks([]),
+            'previous_report_id' => null,
+            'summary' => [
+                'overall' => VerificationReportOverall::NeedsAttention->value,
+                'counts' => [
+                    'total' => 0,
+                    'pass' => 0,
+                    'fail' => 0,
+                    'warn' => 0,
+                    'skip' => 0,
+                    'running' => 0,
+                ],
+            ],
+            'checks' => [],
+        ];
+    }
+
+    /**
+     * @param  array<string, mixed>  $check
+     * @return array{
+     *   key: string,
+     *   title: string,
+     *   status: string,
+     *   severity: string,
+     *   blocking: bool,
+     *   reason_code: string,
+     *   message: string,
+     *   evidence: array<int, array{kind: string, value: int|string}>,
+     *   next_steps: array<int, array{label: string, url: string}>
+     * }
+     */
+    private static function normalizeCheckResult(array $check): array
+    {
+        $key = self::normalizeNonEmptyString($check['key'] ?? null, fallback: 'unknown_check');
+        $title = self::normalizeNonEmptyString($check['title'] ?? null, fallback: 'Check');
+
+        return [
+            'key' => $key,
+            'title' => $title,
+            'status' => self::normalizeCheckStatus($check['status'] ?? null),
+            'severity' => self::normalizeCheckSeverity($check['severity'] ?? null),
+            'blocking' => is_bool($check['blocking'] ?? null) ? (bool) $check['blocking'] : false,
+            'reason_code' => self::normalizeReasonCode($check['reason_code'] ?? null),
+            'message' => self::normalizeNonEmptyString($check['message'] ?? null, fallback: '—'),
+            'evidence' => self::normalizeEvidence($check['evidence'] ?? null),
+            'next_steps' => self::normalizeNextSteps($check['next_steps'] ?? null),
+        ];
+    }
+
+    private static function normalizeCheckStatus(mixed $status): string
+    {
+        if (! is_string($status)) {
+            return VerificationCheckStatus::Fail->value;
+        }
+
+        $status = strtolower(trim($status));
+
+        return in_array($status, VerificationCheckStatus::values(), true)
+            ? $status
+            : VerificationCheckStatus::Fail->value;
+    }
+
+    private static function normalizeCheckSeverity(mixed $severity): string
+    {
+        if (! is_string($severity)) {
+            return '';
+        }
+
+        $severity = strtolower(trim($severity));
+
+        return in_array($severity, VerificationCheckSeverity::values(), true) ? $severity : '';
+    }
+
+    private static function normalizeReasonCode(mixed $reasonCode): string
+    {
+        if (! is_string($reasonCode)) {
+            return 'unknown_error';
+        }
+
+        $reasonCode = strtolower(trim($reasonCode));
+
+        if ($reasonCode === '') {
+            return 'unknown_error';
+        }
+
+        if (str_starts_with($reasonCode, 'ext.')) {
+            return $reasonCode;
+        }
+
+        $reasonCode = match ($reasonCode) {
+            'graph_throttled' => 'throttled',
+            'graph_timeout', 'provider_outage' => 'dependency_unreachable',
+            'provider_auth_failed' => 'authentication_failed',
+            'validation_error', 'conflict_detected' => 'invalid_state',
+            'unknown' => 'unknown_error',
+            default => $reasonCode,
+        };
+
+        return in_array($reasonCode, self::BASELINE_REASON_CODES, true) ? $reasonCode : 'unknown_error';
+    }
+
+    /**
+     * @return array<int, array{kind: string, value: int|string}>
+     */
+    private static function normalizeEvidence(mixed $evidence): array
+    {
+        if (! is_array($evidence)) {
+            return [];
+        }
+
+        $normalized = [];
+
+        foreach ($evidence as $pointer) {
+            if (! is_array($pointer)) {
+                continue;
+            }
+
+            $kind = self::normalizeNonEmptyString($pointer['kind'] ?? null, fallback: null);
+            $value = $pointer['value'] ?? null;
+
+            if ($kind === null) {
+                continue;
+            }
+
+            if (! is_int($value) && ! is_string($value)) {
+                continue;
+            }
+
+            if (is_string($value) && trim($value) === '') {
+                continue;
+            }
+
+            $normalized[] = [
+                'kind' => $kind,
+                'value' => is_int($value) ? $value : trim($value),
+            ];
+        }
+
+        return $normalized;
+    }
+
+    /**
+     * @return array<int, array{label: string, url: string}>
+     */
+    private static function normalizeNextSteps(mixed $steps): array
+    {
+        if (! is_array($steps)) {
+            return [];
+        }
+
+        $normalized = [];
+
+        foreach ($steps as $step) {
+            if (! is_array($step)) {
+                continue;
+            }
+
+            $label = self::normalizeNonEmptyString($step['label'] ?? null, fallback: null);
+            $url = self::normalizeNonEmptyString($step['url'] ?? null, fallback: null);
+
+            if ($label === null || $url === null) {
+                continue;
+            }
+
+            $normalized[] = [
+                'label' => $label,
+                'url' => $url,
+            ];
+        }
+
+        return $normalized;
+    }
+
+    /**
+     * @param  array<int, array{status: string, blocking: bool}>  $checks
+     * @return array{total: int, pass: int, fail: int, warn: int, skip: int, running: int}
+     */
+    private static function deriveCounts(array $checks): array
+    {
+        $counts = [
+            'total' => count($checks),
+            'pass' => 0,
+            'fail' => 0,
+            'warn' => 0,
+            'skip' => 0,
+            'running' => 0,
+        ];
+
+        foreach ($checks as $check) {
+            $status = $check['status'] ?? null;
+
+            if (! is_string($status) || ! array_key_exists($status, $counts)) {
+                continue;
+            }
+
+            $counts[$status] += 1;
+        }
+
+        return $counts;
+    }
+
+    /**
+     * @param  array<int, array{status: string, blocking: bool}>  $checks
+     * @param  array{total: int, pass: int, fail: int, warn: int, skip: int, running: int}  $counts
+     */
+    private static function deriveOverall(array $checks, array $counts): string
+    {
+        if (($counts['running'] ?? 0) > 0) {
+            return VerificationReportOverall::Running->value;
+        }
+
+        if (($counts['total'] ?? 0) === 0) {
+            return VerificationReportOverall::NeedsAttention->value;
+        }
+
+        foreach ($checks as $check) {
+            if (($check['status'] ?? null) === VerificationCheckStatus::Fail->value && ($check['blocking'] ?? false) === true) {
+                return VerificationReportOverall::Blocked->value;
+            }
+        }
+
+        if (($counts['fail'] ?? 0) > 0 || ($counts['warn'] ?? 0) > 0) {
+            return VerificationReportOverall::NeedsAttention->value;
+        }
+
+        return VerificationReportOverall::Ready->value;
+    }
+
+    private static function normalizeNonEmptyString(mixed $value, ?string $fallback): ?string
+    {
+        if (! is_string($value)) {
+            return $fallback;
+        }
+
+        $value = trim($value);
+
+        if ($value === '') {
+            return $fallback;
+        }
+
+        return $value;
+    }
+}

app/Support/Workspaces/WorkspaceContext.php

@@ -0,0 +1,129 @@
+<?php
+
+namespace App\Support\Workspaces;
+
+use App\Models\User;
+use App\Models\Workspace;
+use App\Models\WorkspaceMembership;
+use Illuminate\Http\Request;
+
+final class WorkspaceContext
+{
+    public const SESSION_KEY = 'current_workspace_id';
+
+    public function __construct(private WorkspaceResolver $resolver) {}
+
+    public function currentWorkspaceId(?Request $request = null): ?int
+    {
+        $session = ($request && $request->hasSession()) ? $request->session() : session();
+
+        $id = $session->get(self::SESSION_KEY);
+
+        return is_int($id) ? $id : (is_numeric($id) ? (int) $id : null);
+    }
+
+    public function currentWorkspace(?Request $request = null): ?Workspace
+    {
+        $id = $this->currentWorkspaceId($request);
+
+        if (! $id) {
+            return null;
+        }
+
+        $workspace = Workspace::query()->whereKey($id)->first();
+
+        if (! $workspace) {
+            return null;
+        }
+
+        if (! $this->isWorkspaceSelectable($workspace)) {
+            return null;
+        }
+
+        return $workspace;
+    }
+
+    public function setCurrentWorkspace(Workspace $workspace, ?User $user = null, ?Request $request = null): void
+    {
+        $session = ($request && $request->hasSession()) ? $request->session() : session();
+        $session->put(self::SESSION_KEY, (int) $workspace->getKey());
+
+        if ($user !== null) {
+            $user->forceFill(['last_workspace_id' => (int) $workspace->getKey()])->save();
+        }
+    }
+
+    public function clearCurrentWorkspace(?User $user = null, ?Request $request = null): void
+    {
+        $session = ($request && $request->hasSession()) ? $request->session() : session();
+        $session->forget(self::SESSION_KEY);
+
+        if ($user !== null && $user->last_workspace_id !== null) {
+            $user->forceFill(['last_workspace_id' => null])->save();
+        }
+    }
+
+    public function resolveInitialWorkspaceFor(User $user, ?Request $request = null): ?Workspace
+    {
+        $session = ($request && $request->hasSession()) ? $request->session() : session();
+
+        $currentId = $this->currentWorkspaceId($request);
+
+        if ($currentId) {
+            $current = Workspace::query()->whereKey($currentId)->first();
+
+            if (! $current instanceof Workspace || ! $this->isWorkspaceSelectable($current) || ! $this->isMember($user, $current)) {
+                $session->forget(self::SESSION_KEY);
+
+                if ((int) $user->last_workspace_id === (int) $currentId) {
+                    $user->forceFill(['last_workspace_id' => null])->save();
+                }
+            } else {
+                return $current;
+            }
+        }
+
+        if ($user->last_workspace_id !== null) {
+            $workspace = Workspace::query()->whereKey($user->last_workspace_id)->first();
+
+            if (! $workspace instanceof Workspace || ! $this->isWorkspaceSelectable($workspace) || ! $this->isMember($user, $workspace)) {
+                $user->forceFill(['last_workspace_id' => null])->save();
+            }
+        }
+
+        $memberships = WorkspaceMembership::query()
+            ->where('user_id', $user->getKey())
+            ->with('workspace')
+            ->get();
+
+        $selectableWorkspaces = $memberships
+            ->map(fn (WorkspaceMembership $membership) => $membership->workspace)
+            ->filter(fn (?Workspace $workspace) => $workspace instanceof Workspace && $this->isWorkspaceSelectable($workspace))
+            ->values();
+
+        if ($selectableWorkspaces->count() === 1) {
+            /** @var Workspace $workspace */
+            $workspace = $selectableWorkspaces->first();
+
+            $session->put(self::SESSION_KEY, (int) $workspace->getKey());
+            $user->forceFill(['last_workspace_id' => (int) $workspace->getKey()])->save();
+
+            return $workspace;
+        }
+
+        return null;
+    }
+
+    public function isMember(User $user, Workspace $workspace): bool
+    {
+        return WorkspaceMembership::query()
+            ->where('user_id', $user->getKey())
+            ->where('workspace_id', $workspace->getKey())
+            ->exists();
+    }
+
+    private function isWorkspaceSelectable(Workspace $workspace): bool
+    {
+        return empty($workspace->archived_at);
+    }
+}