# Tasks — 072 Managed Tenants workspace context enforcement ## Setup - [x] T001 Confirm legacy managed-tenants routes and current workspace middleware behavior. ## Tests (TDD) - [x] T010 Add regression test: `/admin/managed-tenants` redirects to workspace landing when a workspace is selected. - [x] T020 Add regression test: `/admin/t/{tenant}` is 404 when workspace context is missing. - [x] T030 Add regression test: `/admin/t/{tenant}` is 404 when tenant.workspace_id mismatches current workspace. - [x] T040 Add regression test: `/admin/choose-tenant` redirects to `/admin/choose-workspace` when workspace is not selected. ## Core - [x] T100 Create workspace-scoped Managed Tenants landing at `/admin/w/{workspace}/managed-tenants`. - [x] T110 Make unscoped `/admin/managed-tenants/*` legacy-only (redirect to workspace-scoped URLs). - [x] T120 Implement hard enforcement: tenant routes require workspace context and tenant.workspace_id match. - [x] T130 Ensure `/admin/choose-tenant` requires selected workspace. - [x] T140 Move Workspaces UI out of tenant routing (serve at `/admin/workspaces/*`, not `/admin/t/{tenant}/workspaces`). ## UX follow-ups - [x] T200 Ensure default tenant selection respects current workspace context. - [x] T210 Add a workspace switcher in the user menu (link to Choose Workspace). - [x] T220 Add regression tests for workspace switcher + tenant selection. - [x] T230 Ensure `/admin` lands on workspace-first flow (avoid redirecting to tenant registration). - [x] T240 After choosing a workspace with zero tenants, route into the workspace Managed Tenants landing (with CTA). - [x] T250 Allow workspace owners to register the first tenant in a workspace (bootstrap). ## Security hardening (owners / audit / recovery) - [x] T260 Enforce rule: workspaces can never have 0 owners (block last-owner removal + demotion). - [x] T270 Audit every blocked last-owner attempt with `workspace_membership.last_owner_blocked` + required metadata. - [x] T280 Optional: break-glass recovery flow to re-assign a workspace owner (fully audited). ## Validation - [x] T900 Run Pint on dirty files. - [x] T910 Run targeted Pest tests. - [x] T920 Run targeted Pest tests for last-owner + recovery flow.