---
description: "Task list for feature implementation"
---

# Tasks: Managed Tenant Onboarding Wizard v1

**Input**: Design documents from `specs/069-managed-tenant-onboarding-wizard/`
**Prerequisites**: `plan.md` (required), `spec.md` (required), plus `research.md`, `data-model.md`, `contracts/`, `quickstart.md`
**Tests**: Required (Pest) — runtime behavior changes.

---

## Phase 1: Setup (Shared Infrastructure)

**Purpose**: Confirm repo conventions and entry points before implementation.

- [x] T001 Inventory existing tenant-create entry points in app/Filament/Pages/Tenancy/RegisterTenant.php and app/Filament/Resources/TenantResource.php
- [x] T002 Confirm tenant-plane routing + membership 404 middleware in app/Providers/Filament/AdminPanelProvider.php
- [x] T003 [P] Confirm provider registration location (Laravel 11+) in bootstrap/providers.php
- [x] T004 [P] Review Filament v5 page/resource/testing rules in docs/research/filament-v5-notes.md
- [x] T051 Map spec conceptual capabilities → App\Support\Auth\Capabilities constants (TENANT_VIEW/TENANT_MANAGE/PROVIDER_RUN/TENANT_INVENTORY_SYNC_RUN) and note the mapping in specs/069-managed-tenant-onboarding-wizard/plan.md

---

## Phase 2: Foundational (Blocking Prerequisites)

**Purpose**: Shared data model + operation labeling needed by all user stories.

**⚠️ CRITICAL**: No user story work should start until these are done.

- [x] T005 Create onboarding sessions migration in database/migrations/*_create_tenant_onboarding_sessions_table.php
- [x] T006 Create TenantOnboardingSession model in app/Models/TenantOnboardingSession.php
- [x] T007 [P] Create TenantOnboardingSession factory in database/factories/TenantOnboardingSessionFactory.php
- [x] T008 Add partial unique index for active sessions in database/migrations/*_create_tenant_onboarding_sessions_table.php
- [x] T009 Add onboarding status columns migration in database/migrations/*_add_onboarding_status_to_tenants_table.php
- [x] T010 Update Tenant model onboarding casts/accessors in app/Models/Tenant.php
- [x] T011 Register OperationCatalog label(s) for any new onboarding verification run type(s) (only if a new type is introduced) in app/Support/OperationCatalog.php
- [x] T012 Register expected duration(s) for any new onboarding verification run type(s) (only if a new type is introduced) in app/Support/OperationCatalog.php
- [x] T052 Add AuditLog coverage tasks for onboarding-sensitive actions using app/Services/Intune/AuditLogger.php (credentials set/rotate, onboarding completed) and ensure action IDs are stable

**Checkpoint**: Foundation ready — user story work can begin.

---

## Phase 3: User Story 1 — Onboard a managed tenant end-to-end (Priority: P1) 🎯 MVP

**Goal**: Create a guided, resumable, 5-step wizard that creates/updates a Tenant without external calls.

**Independent Test**: Complete the wizard and confirm Tenant + session state are persisted and resumable.

### Tests for User Story 1 (required)

- [x] T013 [P] [US1] Add wizard happy-path coverage in tests/Feature/ManagedTenantOnboardingWizardTest.php
- [x] T014 [P] [US1] Add resume + dedupe coverage in tests/Feature/ManagedTenantOnboardingWizardResumeTest.php
- [x] T015 [P] [US1] Add tenant-duplicate prevention coverage in tests/Feature/ManagedTenantOnboardingWizardDuplicateTest.php

### Implementation for User Story 1

- [x] T016 [US1] Implement session persistence service in app/Services/TenantOnboardingSessionService.php
- [x] T017 [P] [US1] Create onboarding wizard page Livewire component in app/Filament/Pages/TenantOnboardingWizard.php
- [x] T018 [P] [US1] Create onboarding wizard view in resources/views/filament/pages/tenant-onboarding-wizard.blade.php
- [x] T019 [US1] Add step definitions + per-step validation in app/Filament/Pages/TenantOnboardingWizard.php
- [x] T020 [US1] Implement start-or-resume behavior in app/Services/TenantOnboardingSessionService.php
- [x] T021 [US1] Ensure session payload excludes secrets in app/Services/TenantOnboardingSessionService.php
- [x] T022 [US1] Implement tenant creation/update (DB-only) in app/Filament/Pages/TenantOnboardingWizard.php
- [x] T023 [US1] Enforce uniqueness by tenant_id (repository “workspace” == Tenant container; tenant_id is the unique external key) in app/Filament/Pages/TenantOnboardingWizard.php
- [x] T024 [US1] Add “credentials required” decision rule config in config/tenantpilot.php
- [x] T025 [US1] Apply credentials-step conditional rendering in app/Filament/Pages/TenantOnboardingWizard.php
- [x] T026 [US1] Ensure secrets never re-render (only “set/missing”) in resources/views/filament/pages/tenant-onboarding-wizard.blade.php
- [x] T027 [US1] Add “Resume wizard” action to tenant view in app/Filament/Resources/TenantResource.php
- [x] T028 [US1] Remove/disable non-wizard tenant creation entry in app/Filament/Pages/Tenancy/RegisterTenant.php
- [x] T029 [US1] Remove/disable TenantResource create flow entry in app/Filament/Resources/TenantResource.php

**Checkpoint**: US1 complete — wizard works end-to-end, resumable, DB-only.

---

## Phase 4: User Story 2 — Run verification checks without blocking page loads (Priority: P2)

**Goal**: Trigger verification via enqueue-only `OperationRun` and display stored results (no Graph calls during render).

**Independent Test**: Load wizard step pages without outbound calls; click Verify → `OperationRun` created and job enqueued.

### Tests for User Story 2 (required)

- [x] T030 [P] [US2] Assert wizard render/mount is DB-only by binding a failing fake GraphClientInterface (or equivalent Graph abstraction) in tests/Feature/ManagedTenantOnboardingWizardDbOnlyRenderTest.php
- [x] T031 [P] [US2] Assert Verify creates/dedupes OperationRun in tests/Feature/TenantOnboardingVerifyOperationRunTest.php
- [x] T032 [P] [US2] Assert permissions step uses stored results in tests/Feature/ManagedTenantOnboardingWizardPermissionsViewTest.php

### Implementation for User Story 2

- [x] T033 [US2] Ensure any wizard-triggered verification action is enqueue-only (creates/reuses OperationRun + dispatches job) and never calls Graph during render/mount in app/Filament/Pages/TenantOnboardingWizard.php
- [x] T034 [US2] Wire “Check connection” to the existing provider.connection.check operation (OperationRun type + existing job patterns) and render stored outcome in app/Filament/Pages/TenantOnboardingWizard.php
- [x] T035 [US2] Implement run creation + dedupe for onboarding verification (permissions/RBAC) in app/Filament/Pages/TenantOnboardingWizard.php
- [x] T036 [US2] Create onboarding verification job (Graph calls allowed only inside job via GraphClientInterface + contracts) in app/Jobs/TenantOnboardingVerifyJob.php
- [x] T037 [US2] Dispatch TenantOnboardingVerifyJob only when run is newly created and persist sanitized results to tenant fields in app/Filament/Pages/TenantOnboardingWizard.php
- [x] T038 [US2] Render stored “Granted/Missing” status in resources/views/filament/pages/tenant-onboarding-wizard.blade.php
- [x] T039 [US2] Implement completion criteria check based on stored results in app/Filament/Pages/TenantOnboardingWizard.php

**Checkpoint**: US2 complete — verification is observable + async; UI shows stored results.

---

## Phase 5: User Story 3 — RBAC-UX enforcement and safe access semantics (Priority: P3)

**Goal**: Enforce 404 vs 403 semantics and ensure UI is disabled+tooltip for insufficient capabilities.

**Independent Test**: Non-member gets 404; member without capability sees disabled UI and server rejects with 403.

### Tests for User Story 3 (required)

- [x] T040 [P] [US3] Assert non-member wizard access is 404 in tests/Feature/ManagedTenantOnboardingWizardRbacTest.php
- [x] T041 [P] [US3] Assert member missing capability is 403 on actions in tests/Feature/ManagedTenantOnboardingWizardRbacTest.php
- [x] T042 [P] [US3] Assert disabled UI state is rendered for insufficient capability in tests/Feature/ManagedTenantOnboardingWizardUiEnforcementTest.php

### Implementation for User Story 3

- [x] T043 [US3] Wrap wizard actions with UiEnforcement in app/Filament/Pages/TenantOnboardingWizard.php
- [x] T044 [US3] Enforce server-side Gate authorization in app/Filament/Pages/TenantOnboardingWizard.php
- [x] T045 [US3] Ensure wizard page is not registered in nav (entry-point only) in app/Filament/Pages/TenantOnboardingWizard.php
- [x] T046 [US3] Ensure credential mutation actions require confirmation in app/Filament/Pages/TenantOnboardingWizard.php

**Checkpoint**: US3 complete — RBAC semantics are enforced and regression-tested.

---

## Phase 6: Polish & Cross-Cutting Concerns

- [x] T047 Add legacy redirect for /admin/new → /admin/choose-tenant in routes/web.php
- [x] T048 Add/verify onboarding “single front door” UX copy in resources/views/filament/pages/tenant-onboarding-wizard.blade.php
- [x] T049 [P] Run formatter on touched files via `vendor/bin/sail bin pint --dirty` (targets app/ and tests/)
- [x] T050 Run focused test suite via `vendor/bin/sail artisan test --compact tests/Feature/ManagedTenantOnboardingWizardTest.php`
- [x] T053 Add at least one positive authorization test (member with required capability can start/resume/verify) alongside the negative 404/403 tests in tests/Feature/ManagedTenantOnboardingWizardRbacTest.php

---

## Dependencies & Execution Order

### Phase Dependencies

- Phase 1 (Setup) → Phase 2 (Foundational) → User story phases.

### User Story Dependencies (graph)

- US1 (P1) → US2 (P2) → US3 (P3)
- US2 depends on US1 having the wizard + tenant/session persistence.
- US3 can be implemented alongside US1/US2 but must land with tests.

### Parallel opportunities

- Setup: T003–T004 can run in parallel.
- Foundational: T007 can run in parallel with T005–T006.
- US1 tests (T013–T015) can be authored in parallel.
- US2 tests (T030–T032) can be authored in parallel.
- US3 tests (T040–T042) can be authored in parallel.

---

## Parallel Example: User Story 1

```bash
# Tests in parallel
T013  # tests/Feature/ManagedTenantOnboardingWizardTest.php
T014  # tests/Feature/ManagedTenantOnboardingWizardResumeTest.php
T015  # tests/Feature/ManagedTenantOnboardingWizardDuplicateTest.php

# UI + service split
T016  # app/Services/TenantOnboardingSessionService.php
T017  # app/Filament/Pages/TenantOnboardingWizard.php
T018  # resources/views/filament/pages/tenant-onboarding-wizard.blade.php
```

## Parallel Example: User Story 2

```bash
# Tests in parallel
T030  # tests/Feature/ManagedTenantOnboardingWizardDbOnlyRenderTest.php
T031  # tests/Feature/TenantOnboardingVerifyOperationRunTest.php
T032  # tests/Feature/ManagedTenantOnboardingWizardPermissionsViewTest.php

# Job + UI work split
T036  # app/Jobs/TenantOnboardingVerifyJob.php
T035  # app/Filament/Pages/TenantOnboardingWizard.php
T038  # resources/views/filament/pages/tenant-onboarding-wizard.blade.php
```

## Parallel Example: User Story 3

```bash
# Tests in parallel
T040  # tests/Feature/ManagedTenantOnboardingWizardRbacTest.php
T042  # tests/Feature/ManagedTenantOnboardingWizardUiEnforcementTest.php

# Enforcement
T043  # app/Filament/Pages/TenantOnboardingWizard.php
```

---

## Implementation Strategy

### MVP scope

- MVP = US1 only (wizard + session persistence + single front door).

### Incremental delivery

1. Setup + Foundational.
2. Deliver US1 (MVP) and validate independently.
3. Add US2 (enqueue-only verification) and validate independently.
4. Add US3 (RBAC-UX hardening + regression tests).