# Implementation Close-Out: Spec 381 - Provider Resource Identity and Binding Foundation v1

- Date: 2026-06-15
- Branch: `381-provider-resource-identity-binding`
- Base HEAD observed during close-out: `d52b674f spec: record management report pdf staging validation gate (#451)`

## Scope

Implemented backend-only provider resource identity and managed-environment-scoped binding foundation. No Filament Resource, page, route, Livewire component, Blade view, navigation item, Graph client, queued job, scheduler behavior, OperationRun type, or customer-facing output was added.

## Repo-Truth Notes

- `provider_resource_bindings` is tenant-owned operational truth and remains scoped by `workspace_id` and `managed_environment_id`.
- Baseline snapshots are workspace-owned through baseline profiles, not directly tenant-owned. For `source_baseline_snapshot_id`, managed-environment validity is enforced through `baseline_tenant_assignments` for the snapshot's `baseline_profile_id`.
- No workspace-level, baseline-profile-specific, or subject-only binding scope was introduced.
- No duplicate active-state truth was introduced; `binding_status = active` remains the active-binding truth.

## Livewire / Filament Contract

- Livewire v4.0+ compliance: unchanged. No Livewire code changed.
- Provider registration location: unchanged. Laravel panel providers remain in `apps/platform/bootstrap/providers.php`.
- Global search: no Filament Resource was added; `ProviderResourceBinding` is not globally searchable.
- Destructive/high-impact actions: no Filament action was added. Backend supersede/revoke decisions require policy authorization and audit logging. Future UI confirmation belongs to Spec 384.
- Assets: no assets were registered. No Spec 381-specific `filament:assets` deployment concern beyond normal Filament deploy procedure.
## RBAC, Isolation, And Audit

- Reads and mutations use `ProviderResourceBindingPolicy` with existing baseline capabilities:
  - view: `workspace_baselines.view`
  - create/supersede/revoke: `workspace_baselines.manage`
- Non-members are denied as not found through managed-environment entitlement checks.
- Entitled members without manage capability receive forbidden for mutations.
- Provider connections and source references are validated against the binding workspace and managed environment before persistence.
- Binding create/supersede/revoke actions write `AuditLog` records with safe identifiers and hashed/length-only operator note metadata.

## OperationRun Semantics

No OperationRun is created, queued, updated, or completed by Spec 381. Binding decisions are DB-only, security-relevant mutations that are audited directly.

## Browser Smoke

Not applicable. Spec 381 has no UI, user-facing flow, route, navigation, Filament, Livewire, or asset surface impact.

## Validation Commands

Executed during final review and finding fix loop:

```bash
cd apps/platform && ./vendor/bin/sail artisan test --compact \
  tests/Unit/Support/Resources/ResourceIdentityTest.php \
  tests/Unit/Support/Resources/ProviderResourceDescriptorTest.php \
  tests/Unit/Support/Baselines/BaselineSubjectKeyCanonicalIdentityTest.php
```

Result: passed, 5 tests / 45 assertions.

```bash
cd apps/platform && ./vendor/bin/sail artisan test --compact \
  tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php \
  tests/Feature/ProviderResources/ProviderResourceBindingAuthorizationTest.php
```

Result after finding fix: passed, 19 tests / 72 assertions.

```bash
cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml \
  tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php
```

Result: passed, 4 tests / 7 assertions.
```bash
cd apps/platform && ./vendor/bin/sail artisan test --compact \
  tests/Feature/Baselines/BaselineCompareProviderResourceBindingNoOpTest.php \
  tests/Feature/Baselines/BaselineCompareGapClassificationTest.php \
  tests/Feature/Evidence/BaselineDriftPostureSourceTest.php \
  tests/Feature/ReviewPack/Spec349ReviewPackResolutionGuidanceTest.php
```

Result: passed, 11 tests / 83 assertions.

```bash
cd apps/platform && ./vendor/bin/sail bin pint --dirty --test --format agent
```

Result: passed.

```bash
git diff --check
```

Result: passed.

## Deployment Impact

- Additive migration only: `provider_resource_bindings`.
- Staging must run the migration and the PostgreSQL lane before Production promotion.
- No environment variable, queue, scheduler, storage, reverse-proxy, or asset change is required.
- Until follow-up specs consume the table, rollback is dropping the new table. Once follow-up specs consume bindings, rollback must be redesigned.

## Residual Risks / Follow-Up

No confirmed in-scope findings remain after the final fix loop. Follow-up specs remain as planned:

- Spec 382: matching pipeline consumption.
- Spec 384: operator resolution UI and destructive/high-impact UI confirmations.
- Spec 385: evidence/review readiness consumption.
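The authorization order described under RBAC, Isolation, And Audit (managed-environment entitlement first, surfaced as not found; workspace capability second, surfaced as forbidden), written out as an added Laravel policy sketch that is not the project's code. `User::isEntitledToManagedEnvironment()` and `User::hasWorkspaceCapability()` are assumed helper names standing in for the project's entitlement and capability checks; `Response::denyAsNotFound()`, `Response::deny()` and `Response::allow()` are Laravel's own.

```php
<?php

namespace App\Policies;

use App\Models\ProviderResourceBinding;
use App\Models\User;
use Illuminate\Auth\Access\Response;

class ProviderResourceBindingPolicy
{
    public function view(User $user, ProviderResourceBinding $binding): Response
    {
        return $this->decide($user, $binding->workspace_id, $binding->managed_environment_id, 'workspace_baselines.view');
    }

    // Invoked as Gate::authorize('create', [ProviderResourceBinding::class, $workspaceId, $managedEnvironmentId]).
    public function create(User $user, int $workspaceId, int $managedEnvironmentId): Response
    {
        return $this->decide($user, $workspaceId, $managedEnvironmentId, 'workspace_baselines.manage');
    }

    public function supersede(User $user, ProviderResourceBinding $binding): Response
    {
        return $this->decide($user, $binding->workspace_id, $binding->managed_environment_id, 'workspace_baselines.manage');
    }

    public function revoke(User $user, ProviderResourceBinding $binding): Response
    {
        return $this->decide($user, $binding->workspace_id, $binding->managed_environment_id, 'workspace_baselines.manage');
    }

    private function decide(User $user, int $workspaceId, int $managedEnvironmentId, string $capability): Response
    {
        // Step 1: managed-environment entitlement. A non-member must not learn that the
        // binding exists, so the denial is surfaced as 404 rather than 403.
        // isEntitledToManagedEnvironment() is a hypothetical helper, not the project's API.
        if (! $user->isEntitledToManagedEnvironment($managedEnvironmentId)) {
            return Response::denyAsNotFound();
        }

        // Step 2: capability inside the binding's workspace. An entitled member without the
        // capability gets a plain 403. hasWorkspaceCapability() is likewise hypothetical.
        if (! $user->hasWorkspaceCapability($workspaceId, $capability)) {
            return Response::deny();
        }

        return Response::allow();
    }
}
```

Because every method funnels through one decision, the two observable outcomes (404 for non-members, 403 for entitled members without `workspace_baselines.manage`) stay consistent across view, create, supersede and revoke, which is what the authorization test lane above is asserting.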