feat(104): Provider Permission Posture #127

Merged
ahmido merged 2 commits from 104-provider-permission-posture into dev 2026-02-21 22:32:54 +00:00
Owner

Implements Spec 104: Provider Permission Posture.

What changed

  • Generates permission posture findings after each tenant permission compare (queued)
  • Stores immutable posture snapshots as StoredReports (JSONB payload)
  • Adds global Finding resolved lifecycle (resolved_at, resolved_reason) with resolve() / reopen()
  • Adds alert pipeline event type permission_missing (Alerts v1) and Filament option for Alert Rules
  • Adds retention pruning command + daily schedule for StoredReports
  • Adds badge mappings for resolved finding status and permission_posture finding type

UX fixes discovered during manual verification

  • Hide “Diff” section for non-drift findings (only drift findings show diff)
  • Required Permissions page: “Re-run verification” now links to Tenant view (not onboarding)
  • Preserve Technical Details <details> open state across Livewire re-renders (Alpine state)

Verification

  • Ran vendor/bin/sail artisan test --compact --filter=PermissionPosture (50 tests)
  • Ran vendor/bin/sail artisan test --compact --filter="FindingResolved|FindingBadge|PermissionMissingAlert" (20 tests)
  • Ran vendor/bin/sail bin pint --dirty

Filament v5 / Livewire v4 compliance

  • Filament v5 + Livewire v4: no Livewire v3 usage.

Panel provider registration (Laravel 11+)

  • No new panels added. Existing panel providers remain registered via bootstrap/providers.php.

Global search rule

  • No changes to global-searchable resources.

Destructive actions

  • No new destructive Filament actions were added in this PR.

Assets / deploy notes

  • No new Filament assets registered. Existing deploy step php artisan filament:assets remains unchanged.

Test coverage

  • New/updated Pest feature tests cover generator behavior, job integration, alerting, retention pruning, and resolved lifecycle.
ahmido added 2 commits 2026-02-21 22:32:37 +00:00
- StoredReports foundation (generic table, polymorphic report_type)
- Permission Posture Findings generation (fingerprint-based, auto-resolve)
- Alerts integration (EVENT_PERMISSION_MISSING event type)
- Posture score calculation (0-100 normalized)
- 18 functional requirements, 7 success criteria
- 4 user stories (P1-P3), 5 edge cases
- Full constitution alignment documented
- Quality checklist: all items pass
- T001-T014: Foundation - StoredReport model/migration, Finding resolved
  lifecycle, badge mappings (resolved status, permission_posture type),
  OperationCatalog + AlertRule constants
- T015-T022: US1 - PermissionPostureFindingGenerator with fingerprint-based
  idempotent upsert, severity from feature-impact count, auto-resolve on
  grant, auto-reopen on revoke, error findings (FR-015), stale finding
  cleanup; GeneratePermissionPostureFindingsJob dispatched from health check;
  PostureResult VO + PostureScoreCalculator
- T023-T026: US2+US4 - Stored report payload validation, temporal ordering,
  polymorphic reusability, score accuracy acceptance tests
- T027-T029: US3 - EvaluateAlertsJob.permissionMissingEvents() wired into
  alert pipeline, AlertRuleResource event type option, cooldown/dedupe tests
- T030-T034: Polish - PruneStoredReportsCommand with config retention,
  scheduled daily, end-to-end integration test, Pint clean

UI bug fixes found during testing:
- FindingResource: hide Diff section for non-drift findings
- TenantRequiredPermissions: fix re-run verification link
- tenant-required-permissions.blade.php: preserve details open state

70 tests (50 PermissionPosture + 20 FindingResolved/Badge/Alert), 216 assertions
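The description and commit list above outline the generator's contract (fingerprint-keyed idempotent upsert, severity from feature-impact count, auto-resolve on grant, auto-reopen on revoke, stale cleanup, a 0-100 posture score) without showing any code. The following is an added, self-contained PHP sketch of that contract, written for this page and not taken from TenantAtlas. The class and method names echo the commit messages, but everything inside them is an assumption: the SHA-256 fingerprint formula, the severity thresholds, the `resolved_reason` strings, the score formula and the in-memory store standing in for Eloquent are all hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. Hypothetical model of the posture pipeline; not TenantAtlas code.
// Assumed: fingerprint formula, severity thresholds, reason strings, score formula.

final class Finding
{
    public function __construct(
        public readonly string $fingerprint,   // stable key: same input => same finding
        public readonly string $tenantId,
        public readonly string $permission,
        public string $severity,
        public string $status = 'open',
        public ?string $resolvedAt = null,
        public ?string $resolvedReason = null,
    ) {}

    public function resolve(string $reason, string $now): void
    {
        $this->status = 'resolved';
        $this->resolvedAt = $now;
        $this->resolvedReason = $reason;
    }

    public function reopen(): void
    {
        $this->status = 'open';
        $this->resolvedAt = null;
        $this->resolvedReason = null;
    }
}

final class PermissionPostureFindingGenerator
{
    /** @var array<string, Finding> keyed by fingerprint, so a re-run updates instead of duplicating */
    private array $store = [];

    /** Assumed fingerprint: deterministic hash of type, tenant and permission. */
    public static function fingerprint(string $tenantId, string $permission): string
    {
        return hash('sha256', "permission_posture|{$tenantId}|{$permission}");
    }

    /** Assumed thresholds: severity grows with the number of features the permission unlocks. */
    public static function severity(int $impactedFeatures): string
    {
        return match (true) {
            $impactedFeatures >= 3 => 'high',
            $impactedFeatures === 2 => 'medium',
            default                => 'low',
        };
    }

    /**
     * @param array<string, list<string>> $required  permission => features depending on it
     * @param list<string>                $granted   permissions the provider app currently holds
     * @return array{score:int, open:int, resolved:int}
     */
    public function generate(string $tenantId, array $required, array $granted, string $now): array
    {
        $grantedSet = array_fill_keys($granted, true);

        foreach ($required as $permission => $features) {
            $fp = self::fingerprint($tenantId, $permission);
            $finding = $this->store[$fp] ?? null;

            if (!isset($grantedSet[$permission])) {            // permission missing
                if ($finding === null) {
                    $this->store[$fp] = new Finding($fp, $tenantId, $permission, self::severity(count($features)));
                } else {
                    $finding->severity = self::severity(count($features)); // keep in step with the catalog
                    if ($finding->status === 'resolved') {
                        $finding->reopen();                     // granted earlier, revoked since
                    }
                }
            } elseif ($finding !== null && $finding->status === 'open') {
                $finding->resolve('permission_granted', $now);  // auto-resolve on grant
            }
        }

        // Stale cleanup: open findings for permissions the catalog no longer requires.
        foreach ($this->store as $finding) {
            if ($finding->tenantId === $tenantId
                && $finding->status === 'open'
                && !array_key_exists($finding->permission, $required)) {
                $finding->resolve('no_longer_required', $now);
            }
        }

        // Assumed score: share of required permissions that are granted, normalized to 0-100.
        $total = count($required);
        $score = $total === 0 ? 100 : (int) round(100 * count(array_intersect_key($required, $grantedSet)) / $total);

        $open = $resolved = 0;
        foreach ($this->store as $finding) {
            if ($finding->tenantId !== $tenantId) {
                continue;
            }
            $finding->status === 'open' ? $open++ : $resolved++;
        }
        return ['score' => $score, 'open' => $open, 'resolved' => $resolved];
    }
}

// Constructed sample input (hypothetical permission names and feature mapping).
$gen = new PermissionPostureFindingGenerator();
$required = [
    'User.Read.All' => ['Directory sync'],
    'Mail.Read'     => ['Mailbox audit', 'Phishing triage'],
];
$runs = [
    $gen->generate('tenant-a', $required, ['User.Read.All'], '2026-02-21T22:00:00Z'),              // Mail.Read missing
    $gen->generate('tenant-a', $required, ['User.Read.All'], '2026-02-21T22:05:00Z'),              // identical re-run
    $gen->generate('tenant-a', $required, ['User.Read.All', 'Mail.Read'], '2026-02-21T22:10:00Z'), // granted
    $gen->generate('tenant-a', $required, ['User.Read.All'], '2026-02-21T22:15:00Z'),              // revoked
];
echo json_encode($runs, JSON_PRETTY_PRINT), PHP_EOL;
```

The four runs walk the lifecycle the PR describes: the first opens a finding for the missing permission, the identical second run changes nothing because the fingerprint resolves to the existing row rather than inserting a duplicate, the third resolves it with a reason once the permission is granted, and the fourth reopens the same finding when the grant is revoked. The check a reviewer would want on the real generator is the same one this sketch makes easy to state: after any number of repeated compares with unchanged input, the number of findings per tenant and permission is exactly one.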
ahmido merged commit ef380b67d1 into dev 2026-02-21 22:32:54 +00:00
Reference: ahmido/TenantAtlas#127