specs/070-workspace-create-membership-fix/plan.md

@@ -0,0 +1,15 @@
+# Plan — 070 Workspace create: ensure creator membership
+
+## Tech
+- Laravel 12
+- Filament v5 + Livewire v4
+
+## Approach
+1. Hook into the Workspaces resource create page lifecycle (CreateRecord) to run post-create logic.
+2. Create (or ensure) a `workspace_memberships` row for the creator with role `owner`.
+3. Set the created workspace as the current workspace in `WorkspaceContext`.
+4. Add a Pest regression test that creates a workspace via the Filament create page and asserts membership exists.
+
+## Files
+- `app/Filament/Resources/Workspaces/Pages/CreateWorkspace.php`
+- `tests/Feature/Workspaces/CreateWorkspaceCreatesMembershipTest.php`

specs/070-workspace-create-membership-fix/spec.md

@@ -0,0 +1,16 @@
+# Spec — 070 Workspace create: ensure creator membership
+
+## Problem
+Creating a workspace via the Filament **Workspaces** Resource can create the `workspaces` row but not grant the creating user a `workspace_memberships` record. Since workspace listings are membership-scoped, the newly created workspace may not appear for the creator.
+
+## Goals
+- When a workspace is created via the Workspaces resource, the creating user becomes an `owner` member of that workspace.
+- The created workspace becomes the current workspace context for the user.
+
+## Non-goals
+- Changing workspace listing scoping rules.
+- Changing roles/permissions beyond assigning `owner` on creation.
+
+## Acceptance criteria
+- Creating a workspace via the Filament Workspaces resource results in a `workspace_memberships` row for the creating user.
+- A regression test covers the behavior.

specs/070-workspace-create-membership-fix/tasks.md

@@ -0,0 +1,11 @@
+# Tasks — 070 Workspace create: ensure creator membership
+
+## Core
+- [x] T020 Ensure creating via Workspaces resource grants creator a workspace membership.
+
+## Tests
+- [x] T010 Add regression test for workspace creation creating membership.
+
+## Validation
+- [x] T900 Run Pint on dirty files.
+- [x] T910 Run targeted Pest test(s).

specs/071-tenant-selection-workspace-scope/plan.md

@@ -0,0 +1,14 @@
+# Plan — 071 Workspace-scoped tenant selection
+
+## Tech
+- Laravel 12
+- Filament v5 + Livewire v4
+
+## Approach
+1. Update the Filament tenant provider on `User` (`getTenants()` and `getDefaultTenant()`) to optionally filter by the current workspace id from `WorkspaceContext`.
+2. Add a feature test asserting `/admin/choose-tenant` only shows tenants from the selected workspace.
+3. Run Pint and targeted tests.
+
+## Files
+- `app/Models/User.php`
+- `tests/Feature/Filament/ChooseTenantIsWorkspaceScopedTest.php`

specs/071-tenant-selection-workspace-scope/spec.md

@@ -0,0 +1,18 @@
+# Spec — 071 Workspace-scoped tenant selection
+
+## Problem
+Tenant selection and the Filament tenant menu were not scoped to the currently selected workspace. As a result, selecting a newly created workspace could still show tenants from a different workspace (e.g. “Entra ID (DEV)”), leading to confusing flows where tenant-scoped pages show empty lists.
+
+## Goals
+- Only show tenants belonging to the currently selected workspace in:
+  - `/admin/choose-tenant`
+  - Filament tenant menu dropdown
+- Keep behavior unchanged when no workspace is selected.
+
+## Non-goals
+- Auto-creating tenants when a workspace is created.
+- Changing authorization rules beyond filtering the selectable tenant list.
+
+## Acceptance criteria
+- With workspace A selected, a user who is a member of tenants in A and B only sees A’s tenants on `/admin/choose-tenant`.
+- Regression test covers the behavior.

specs/071-tenant-selection-workspace-scope/tasks.md

@@ -0,0 +1,11 @@
+# Tasks — 071 Workspace-scoped tenant selection
+
+## Core
+- [x] T020 Scope `User::getTenants()` and `User::getDefaultTenant()` to current workspace when selected.
+
+## Tests
+- [x] T010 Add regression test for workspace-scoped choose-tenant.
+
+## Validation
+- [x] T900 Run Pint on dirty files.
+- [x] T910 Run targeted Pest test(s).

specs/072-managed-tenants-workspace-enforcement/plan.md

@@ -0,0 +1,32 @@
+# Plan — 072 Managed Tenants workspace context enforcement
+
+## Tech
+- Laravel 12
+- Filament v5 + Livewire v4
+- Pest v4
+
+## Approach
+1. Treat `/admin/w/{workspace}/...` as the portfolio / workspace entry space.
+2. Move Managed Tenants list/onboarding UX to workspace-scoped routes.
+3. Make `/admin/managed-tenants/*` legacy-only (redirect to the correct workspace-scoped URL).
+4. Enforce workspace/tenant consistency for all `/admin/t/{tenant}` routes (deny-as-not-found on mismatch).
+
+## Key decisions
+- **Workspace is not Filament tenancy**; it remains session + middleware.
+- Hard enforcement is implemented in middleware that runs on tenant-scoped routes.
+- Prefer redirects over removing routes immediately, to avoid breaking deep links, but ensure they are no longer primary UX.
+
+## Files (expected)
+- `routes/web.php`
+- `app/Providers/Filament/AdminPanelProvider.php`
+- `app/Http/Middleware/EnsureWorkspaceSelected.php`
+- `app/Support/Middleware/DenyNonMemberTenantAccess.php` (or `EnsureFilamentTenantSelected.php`, depending on existing enforcement location)
+- `app/Filament/Pages/ManagedTenants/*` (legacy redirects / removal)
+- New/updated workspace landing page under `app/Filament/Pages/Workspaces/*` (or equivalent)
+- Pest tests in `tests/Feature/Routing/` or `tests/Feature/Filament/`
+
+## Test plan
+- Feature test: `/admin/managed-tenants` redirects to `/admin/w/{workspace}/managed-tenants` when workspace is selected.
+- Feature test: `/admin/t/{tenant}` returns 404 when workspace context missing.
+- Feature test: `/admin/t/{tenant}` returns 404 when tenant.workspace_id != current workspace.
+- Optional: workspace landing lists only workspace tenants.

specs/072-managed-tenants-workspace-enforcement/spec.md

@@ -0,0 +1,34 @@
+# Spec — 072 Managed Tenants workspace context enforcement
+
+## Problem
+Managed Tenant pages exist in an unscoped URL space (`/admin/managed-tenants/*`) while Managed Tenants are product-scoped to a Workspace (MSP portfolio). This makes workspace context feel optional and allows confusing / insecure navigation patterns where tenant context and workspace context can drift.
+
+## Mental model (source of truth)
+- **Managed Tenant** = the Entra/Intune tenant. All policy/backup/drift/inventory features are always scoped to a Managed Tenant.
+  - In code: Filament tenancy (`/admin/t/{tenant_external_id}/...`).
+- **Workspace** = portfolio container. Controls which Managed Tenants a user can see + portfolio-level settings.
+  - In code: session + `last_workspace_id` + middleware (not Filament tenancy).
+
+## Goals
+- Workspace becomes a real, enforced context for all tenant-scoped pages.
+- Keep Filament tenancy URL space unchanged: `/admin/t/{tenant_external_id}/...`.
+- Introduce / use a workspace-scoped landing space for portfolio UX: `/admin/w/{workspace}/...`.
+- Eliminate or redirect legacy unscoped Managed Tenants routes under `/admin/managed-tenants/*`.
+
+## Non-goals
+- Redesigning all navigation IA or introducing a second Filament panel.
+- Migrating existing tenant data beyond enforcing `tenants.workspace_id` consistency.
+
+## Hard rule (security / enterprise)
+When accessing `/admin/t/{tenant}` routes:
+- `current_workspace_id` must be set, and
+- `tenant.workspace_id == current_workspace_id`, and
+- user must be a member of the workspace (and/or tenant, per current auth model).
+Otherwise: **deny as not found** (404).
+
+## Acceptance criteria
+- `/admin/managed-tenants/*` does not act as a primary UX entry point anymore (redirects to workspace-scoped UX).
+- `/admin/w/{workspace}/managed-tenants` exists as the primary portfolio landing for Managed Tenants.
+- Tenant switcher only shows tenants from the current workspace.
+- Visiting `/admin/t/{tenant}` with missing or mismatched workspace context results in 404.
+- Pest tests cover redirects + workspace/tenant mismatch denial.

specs/072-managed-tenants-workspace-enforcement/tasks.md

@@ -0,0 +1,20 @@
+# Tasks — 072 Managed Tenants workspace context enforcement
+
+## Setup
+- [x] T001 Confirm legacy managed-tenants routes and current workspace middleware behavior.
+
+## Tests (TDD)
+- [x] T010 Add regression test: `/admin/managed-tenants` redirects to workspace landing when a workspace is selected.
+- [x] T020 Add regression test: `/admin/t/{tenant}` is 404 when workspace context is missing.
+- [x] T030 Add regression test: `/admin/t/{tenant}` is 404 when tenant.workspace_id mismatches current workspace.
+- [x] T040 Add regression test: `/admin/choose-tenant` redirects to `/admin/choose-workspace` when workspace is not selected.
+
+## Core
+- [x] T100 Create workspace-scoped Managed Tenants landing at `/admin/w/{workspace}/managed-tenants`.
+- [x] T110 Make unscoped `/admin/managed-tenants/*` legacy-only (redirect to workspace-scoped URLs).
+- [x] T120 Implement hard enforcement: tenant routes require workspace context and tenant.workspace_id match.
+- [x] T130 Ensure `/admin/choose-tenant` requires selected workspace.
+
+## Validation
+- [x] T900 Run Pint on dirty files.
+- [x] T910 Run targeted Pest tests.