# Quickstart: 106 — Required Permissions Sidebar Context Fix

**Branch**: `106-required-permissions-sidebar-context`

## What This Changes

The `EnsureFilamentTenantSelected` middleware is updated to recognize the Required Permissions page (`/admin/tenants/{tenant}/required-permissions`) as a workspace-scoped page. The page retains its `{tenant}` route parameter for data display and authorization, but the middleware no longer sets Filament's tenant context when serving this page. This causes the sidebar to render workspace-level navigation instead of tenant-level navigation.

## Files Modified

| File | Change |
|---|---|
| `app/Support/Middleware/EnsureFilamentTenantSelected.php` | Add workspace-scoped page allowlist check; add Livewire referer check |
| `tests/Feature/RequiredPermissions/RequiredPermissionsSidebarTest.php` | New test file — sidebar context assertions |

## Implementation Steps

### 1. Add workspace-scoped page path helper

In `EnsureFilamentTenantSelected`, add a private method:

```php
private function isWorkspaceScopedPageWithTenant(string $path): bool
{
    return preg_match('#^/admin/tenants/[^/]+/required-permissions$#', $path) === 1;
}
```

### 2. Add Livewire referer check (before existing checks)

In the `/livewire/update` block, add:

```php
if (preg_match('#^/admin/tenants/[^/]+/required-permissions$#', $refererPath) === 1) {
    $this->configureNavigationForRequest($panel);
    return $next($request);
}
```

### 3. Split `{tenant}` param handling

In the `$tenantParameter !== null` block, after all 8 authorization checks pass, add:

```php
if ($this->isWorkspaceScopedPageWithTenant($path)) {
    // Workspace-scoped page: authorize but do NOT set Filament tenant context.
    // This preserves workspace sidebar while still validating tenant access.
    $this->configureNavigationForRequest($panel);
    return $next($request);
}
```

Place this **before** `Filament::setTenant($tenant, true)`.

### 4. Write tests

Create `tests/Feature/RequiredPermissions/RequiredPermissionsSidebarTest.php` with assertions:
- Sidebar shows workspace navigation items (Operations, Manage workspaces)
- Sidebar does NOT show tenant navigation items (Inventory, Backups & Restore)
- Livewire updates preserve workspace sidebar
- Other `{tenant}` pages still get tenant sidebar

## Verification

```bash
vendor/bin/sail artisan test --compact --filter=RequiredPermissionsSidebar
vendor/bin/sail artisan test --compact tests/Feature/RequiredPermissions/
vendor/bin/sail bin pint --dirty --format agent
```