feat/047-inventory-foundations-nodes #52
Closed
ahmido wants to merge 6 commits from feat/047-inventory-foundations-nodes into dev
Reference: ahmido/TenantAtlas#52
Summary
This PR extends the inventory sync with foundation nodes (Intune “Foundations”) so that dependencies can be resolved locally and deterministically, without UI Graph lookups.
Core idea: Foundations are (optionally) stored as InventoryItem rows so that the Dependencies UI can show e.g. Scope Tags and Assignment Filters by name.
⸻
Scope / What’s included
Inventory Sync: Foundations as Inventory Items
• Foundations are synchronized only when include_foundations=true.
• Foundations are not deleted when they are no longer seen later → they become implicitly stale via last_seen_*.
• Run counts are deterministic:
  • include_foundations=true ⇒ items_observed_count/items_upserted_count include Foundations
  • include_foundations=false ⇒ counts contain only policies
Data minimization / Safety
• Foundation meta_jsonb stays sanitized:
  • Invariant: meta_jsonb == InventoryMetaSanitizer::sanitize(meta_jsonb)
  • Guard: json_encode(meta_jsonb) contains no Bearer / token artifacts
UI: Inventory Sync Button / Toggles
• The Inventory Sync UI now includes an include_foundations toggle (default: true)
• (include_dependencies remains optional as before)
Dependencies UI: DB-only Name Resolution (no UI Graph calls)
• The Dependencies UI resolves Foundation targets via the DB only (e.g. Scope Tag / Assignment Filter)
• Entra group name resolution remains out of scope (external groups stay masked, e.g. Group (external): abcd12…)
• Guardrail: there is a test that fails hard if a Graph call is made during UI rendering
⸻
Out of scope / Non-Goals
• No Entra /groups lookups for group names (separate “Group Inventory” feature)
• No purge/hard delete of Foundation inventory items
• No UI polish/redesign (landing page etc.), deliberately kept separate
⸻
Tests & Verification
Ran locally
• ./vendor/bin/pint --dirty ✅
• ./vendor/bin/sail test tests/Feature/Inventory/InventorySyncServiceTest.php ✅
• ./vendor/bin/sail test tests/Feature/InventoryItemDependenciesTest.php ✅
• (if present) ./vendor/bin/sail test tests/Feature/Filament/InventoryPagesTest.php ✅
Key test coverage
• include_foundations true/false (Upserts + Counts)
• meta_jsonb sanitizer equality + “Bearer ” guard
• FR-006 guard: UI rendering does not call GraphClientInterface
⸻
Manual UI testing (quick)
1. Inventory → Run Inventory Sync
  • Run with include_foundations=true
  • Expected: Foundations appear (Category “Foundations”), Dependencies show names where possible
2. Run again with include_foundations=false
  • Expected: Foundations remain visible (stale via last_seen), but the run counts do not include them
3. Open Inventory Item → Dependencies
  • Expected: Scope Tags / Assignment Filters are shown as a name or “Unresolved (…)”, external groups stay masked.
⸻
Notes
• This PR is “spec-first” (specs/plan/tasks/checklist present and checked off).
• No new DB tables needed; uses the existing inventory structure and sanitizer rules.
“Already merged via #51 / already in dev”.
Pull request closed
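
An added example, not code from this PR or the TenantAtlas project: the meta_jsonb invariant and “Bearer ” guard from the Data minimization section, checked against a hypothetical allowlist sanitizer. sanitizeMeta, looksLikeSecret, ALLOWED_META_KEYS and the sample payload are assumptions standing in for InventoryMetaSanitizer, whose rules are not shown on this page.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for InventoryMetaSanitizer; the allowlist below is assumed.
const ALLOWED_META_KEYS = ['odata_type', 'etag', 'scope_tag_ids', 'warnings'];

function looksLikeSecret(string $value): bool
{
    // "Bearer <token>" header values and JWT-shaped strings (three dot-separated segments).
    return preg_match('/\bBearer\s+\S+/i', $value) === 1
        || preg_match('/\beyJ[\w-]+\.[\w-]+\.[\w-]+/', $value) === 1;
}

function sanitizeMeta(array $meta): array
{
    $clean = [];
    foreach ($meta as $key => $value) {
        if (! in_array($key, ALLOWED_META_KEYS, true)) {
            continue; // data minimization: unknown keys are dropped, never stored
        }
        if (is_array($value)) {
            $value = array_values(array_filter($value, fn ($v) => is_string($v) && ! looksLikeSecret($v)));
        } elseif (! is_string($value) || looksLikeSecret($value)) {
            continue; // only plain strings and lists of strings are kept
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Returns the violated rules for a value as it would be stored in meta_jsonb.
function metaInvariantViolations(array $stored): array
{
    $problems = [];
    if (sanitizeMeta($stored) !== $stored) {
        $problems[] = 'meta_jsonb is not a fixed point of the sanitizer';
    }
    if (stripos((string) json_encode($stored), 'Bearer ') !== false) {
        $problems[] = 'meta_jsonb contains a Bearer artifact';
    }
    return $problems;
}

// Constructed sample: a raw payload carrying a leaked Authorization header value.
$raw = ['odata_type' => '#microsoft.graph.roleScopeTag', 'scope_tag_ids' => ['0', '42'],
    'warnings' => ['retry sent Authorization: Bearer eyJhbGciOi.abc.def'],
    'debug_headers' => ['Authorization' => 'Bearer constructed-token']];
var_dump(metaInvariantViolations($raw), metaInvariantViolations(sanitizeMeta($raw)));
```

Checking that the stored value is a fixed point of the sanitizer catches rows written through a path that bypassed it; the string guard is a second, independent check on the encoded form.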