# Tasks: Admin Directory Groups Cutover

**Input**: Design documents from `/specs/303-admin-directory-groups-cutover/`
**Prerequisites**: `spec.md`, `plan.md`, `checklists/requirements.md`

**Tests**: Tests are required. This is a runtime behavior change for Filament navigation, scoped access, and global-search destinations.

## Test Governance Checklist

- [x] Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- [x] New or changed tests stay in the smallest honest family; one focused browser smoke was added because rendered Filament sidebar navigation was the changed behavior and feature tests did not prove the real sidebar link.
- [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default.
- [x] Planned validation commands cover the change without pulling unrelated lane cost.
- [x] The declared surface test profile is `standard-native-filament` plus focused browser-smoke verification for rendered navigation.
- [x] Any material budget, baseline, trend, or escalation note is recorded in the active spec or PR.

## Phase 1: Preparation and Scope Lock

**Purpose**: Confirm repo truth and keep implementation limited to Entra Groups.

- [x] T001 Review `specs/303-admin-directory-groups-cutover/spec.md`, `specs/303-admin-directory-groups-cutover/plan.md`, `specs/303-admin-directory-groups-cutover/tasks.md`, and `specs/303-admin-directory-groups-cutover/checklists/requirements.md`.
- [x] T002 Review completed context in `specs/301-admin-inventory-navigation-cutover/` and `specs/302-tenant-owned-surface-route-audit/` without modifying those completed specs.
- [x] T003 Inspect `apps/platform/app/Filament/Resources/EntraGroupResource.php`, `apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ListEntraGroups.php`, `apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ViewEntraGroup.php`, `apps/platform/app/Support/Navigation/NavigationScope.php`, `apps/platform/app/Support/OperateHub/OperateHubShell.php`, `apps/platform/app/Filament/Concerns/ScopesGlobalSearchToTenant.php`, and `apps/platform/app/Filament/Concerns/ResolvesPanelTenantContext.php`.
- [x] T004 Confirm no implementation task introduces migrations, assets, provider registration changes, Graph adapter changes, tenant-panel dead-code deletion, or new group mutation/admin actions.

---

## Phase 2: User Story 1 - Groups are visible inside an active environment context (Priority: P1)

**Goal**: Entra Groups appears as a secondary Directory surface only inside the active Managed Environment context.

**Independent Test**: The environment-bound admin context registers and renders Groups navigation while workspace-home/no-context checks remain false.

- [x] T005 [P] [US1] Update `apps/platform/tests/Feature/Filament/PanelNavigationSegregationTest.php` so `EntraGroupResource` is removed from the blanket admin-hidden dataset and covered by environment-visible navigation assertions.
- [x] T006 [P] [US1] Update `apps/platform/tests/Feature/DirectoryGroups/BrowseGroupsTest.php` to replace the stale "keeps Entra groups out of admin sidebar navigation" assertion with the new workspace-home-hidden and environment-visible contract.
- [x] T007 [US1] Update `apps/platform/app/Filament/Resources/EntraGroupResource.php` so `shouldRegisterNavigation()` uses the shared environment-navigation rule for the admin panel and still returns false on workspace-home/no-context surfaces.
- [x] T008 [US1] Verify `Directory` / `Groups` navigation labels remain secondary and do not introduce a top-level Identity Center or M365 Admin mirror.

---

## Phase 3: User Story 2 - Workspace home remains clean (Priority: P2)

**Goal**: Workspace-home navigation stays free of environment-owned Directory Groups entries, even with remembered environment context.

**Independent Test**: Workspace-home response assertions prove Groups is absent, while environment route assertions prove it is present when allowed.

- [x] T009 [P] [US2] Extend `apps/platform/tests/Feature/Filament/PanelNavigationSegregationTest.php` to assert the workspace-home sidebar does not render `Groups` or a Directory Groups entry when `WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY` is set.
- [x] T010 [P] [US2] Extend `apps/platform/tests/Feature/Filament/EntraGroupAdminScopeTest.php` to cover no-context list access and cross-workspace or invalid remembered-environment denial as not found.
- [x] T011 [US2] Preserve `apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ListEntraGroups.php` no-context abort behavior and avoid adding workspace-home recovery shortcuts that reveal group data.
- [x] T012 [US2] If list empty-state copy is touched in `apps/platform/app/Filament/Resources/EntraGroupResource.php`, change stale "tenant" wording to managed-environment-safe Directory inventory copy without inventing a refresh operation.

---

## Phase 4: User Story 3 - Global search stays scoped and lands on valid View pages (Priority: P3)

**Goal**: Global search returns only active-environment group records and opens valid canonical admin View destinations.

**Independent Test**: Seed groups across environments/workspaces, run global search, and assert result titles and URLs.

- [x] T013 [P] [US3] Extend `apps/platform/tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php` to assert no-context admin search returns no results.
- [x] T014 [P] [US3] Extend `apps/platform/tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php` to assert cross-environment and cross-workspace matches are excluded.
- [x] T015 [P] [US3] Extend `apps/platform/tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php` to assert each result URL resolves to `EntraGroupResource` View and does not contain `/admin/t`.
- [x] T016 [P] [US3] Existing Entra group reference-link tests already cover canonical links; reran them with the Spec 303 suite and did not need additional assertions.
- [x] T017 [US3] Verify `apps/platform/app/Filament/Resources/EntraGroupResource.php::getGlobalSearchResultUrl()` still passes the correct Managed Environment context and does not generate tenant-panel URLs.

---

## Phase 5: Route Posture and Scoped Detail Safety

**Purpose**: Keep route/context changes minimal while making View destinations truthful.

- [x] T018 Inspect whether adding `WorkspaceScopedTenantRoutes` to `apps/platform/app/Filament/Resources/EntraGroupResource.php` is safe with focused URL, list, View, global-search, and resolved-reference tests.
- [x] T019 Applied `WorkspaceScopedTenantRoutes` to `apps/platform/app/Filament/Resources/EntraGroupResource.php` so Groups list/detail URLs use the workspace/environment admin context.
- [x] T020 Added the bounded explicit `Groups` navigation item in `apps/platform/app/Providers/Filament/AdminPanelProvider.php` after browser smoke showed the rendered sidebar did not receive the resource auto-navigation entry.
- [x] T021 Preserve or extend `apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ViewEntraGroup.php` authorization so cross-environment and cross-workspace records deny as not found.
- [x] T022 Confirm `apps/platform/app/Filament/Resources/EntraGroupResource.php` keeps `actions([])` and `bulkActions([])` and does not add create/edit/delete/membership/destructive actions.

---

## Phase 6: Regression and Validation

**Purpose**: Prove the Groups cutover did not regress adjacent migrated surfaces.

- [x] T023 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/PanelNavigationSegregationTest.php tests/Feature/Filament/AdminTenantSurfaceParityTest.php tests/Feature/Filament/AdminSharedSurfacePanelParityTest.php tests/Feature/Filament/TenantOwnedResourceScopeParityTest.php tests/Feature/Filament/EntraGroupAdminScopeTest.php tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php tests/Feature/Filament/PolicyResourceAdminSearchParityTest.php tests/Feature/Filament/PolicyVersionAdminSearchParityTest.php`.
- [x] T024 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/DirectoryGroups/BrowseGroupsTest.php tests/Feature/Filament/EntraGroupEnterpriseDetailPageTest.php tests/Feature/Filament/EntraGroupResolvedReferencePresentationTest.php tests/Feature/Filament/PolicyVersionResolvedReferenceLinksTest.php tests/Browser/Spec303AdminDirectoryGroupsCutoverSmokeTest.php`.
- [x] T025 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/InventoryCoverageAdminTenantParityTest.php tests/Feature/Filament/InventoryHubDbOnlyTest.php tests/Feature/Filament/InventoryPagesTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactAdminPanelRegistrationTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactEnvironmentContextTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactLegacyTenantPanelGuardTest.php tests/Feature/Operations/LegacyRunRoutesNotFoundTest.php`.
- [x] T026 Run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`.
- [x] T027 Run `git diff --check` from `/Users/ahmeddarrazi/Documents/projects/wt-plattform`.
- [x] T028 Confirm `git status --short` includes only the intended Spec 303 package, Entra Groups implementation files, AdminPanelProvider navigation item, and focused tests.

## Dependencies

- Phase 1 must complete before test or implementation changes.
- Phase 2 test updates should be written before the navigation implementation in T007.
- Phase 3 and Phase 4 can proceed in parallel after T007 if different files are owned.
- Phase 5 route posture must be settled before final global-search URL assertions are considered complete.
- Phase 6 runs after all implementation tasks are complete.

## Parallel Execution Examples

- T005, T006, T010, T013, T014, T015, and T016 can run in parallel if each worker owns a distinct test file.
- T011, T017, T021, and T022 can run in parallel after route posture is clear because they touch separate behavior checks.
- T023, T024, and T025 should run after implementation; they may run independently if the Sail stack is available.

## Implementation Strategy

1. Make tests describe the new admin role contract first.
2. Change navigation through the smallest existing shared helper path.
3. Keep route changes minimal and evidence-backed.
4. Preserve scoped query/search/detail behavior.
5. Validate adjacent migrated surfaces before handoff.

## Explicit Non-Goals

- [x] Do not create a generic M365 Admin mirror.
- [x] Do not create a broad Identity Center or Directory suite.
- [x] Do not add group create/edit/delete, membership mutation, sync mutation, or destructive actions.
- [x] Do not delete tenant-panel dead code.
- [x] Do not revive `/admin/t` routes or add compatibility aliases.
- [x] Do not introduce migrations, models, jobs, Graph adapters, provider registration changes, or assets.
- [x] Do not split the navigation contract beyond the minimal test changes needed for Groups.