# Tasks: Spec 381 - Provider Resource Identity and Binding Foundation v1

**Input**: `specs/381-provider-resource-identity-binding/spec.md`, `specs/381-provider-resource-identity-binding/plan.md`

**Prerequisites**: Spec and plan are complete. Spec 163 and Spec 380 are historical/context only and must not be rewritten. This task list is for a later implementation loop, not for this preparation step.

**Tests**: Unit, Feature, PostgreSQL, and targeted no-op baseline/evidence/review regression tests are required. Browser tests are not required because no UI surface changes are planned.

## Test Governance Checklist

- [X] Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- [X] New tests stay in the smallest honest family; no heavy-governance or browser family is introduced.
- [X] Shared helpers, factories, seeds, fixtures, provider setup, workspace membership context, and fake-provider defaults stay cheap by default.
- [X] PostgreSQL validation is used only for migration/partial unique/composite foreign key/index behavior that SQLite cannot prove.
- [X] Planned validation commands cover identity, binding service behavior, authorization, audit, PostgreSQL uniqueness, workspace/environment integrity, source-reference scoping, and current-runtime no-op behavior.
- [X] Any material budget, baseline, trend, or escalation note is recorded in the implementation close-out.

## Phase 1: Baseline And Guardrail Reconfirmation

**Purpose**: Confirm repo truth and protect completed-spec history before implementation.

- [X] T001 Record current branch, HEAD, dirty state, and intended touched-file set in the implementation close-out notes for `specs/381-provider-resource-identity-binding/`.
- [X] T002 Re-read `specs/381-provider-resource-identity-binding/spec.md`, `specs/381-provider-resource-identity-binding/plan.md`, and `specs/381-provider-resource-identity-binding/tasks.md`.
- [X] T003 Re-read `specs/163-baseline-subject-resolution/spec.md`, `specs/163-baseline-subject-resolution/plan.md`, and `specs/163-baseline-subject-resolution/tasks.md` as completed/historical context without editing Spec 163.
- [X] T004 Re-read `apps/platform/app/Support/Baselines/BaselineSubjectKey.php`, `apps/platform/app/Support/Baselines/SubjectClass.php`, `apps/platform/app/Support/Baselines/ResolutionOutcome.php`, and `apps/platform/app/Support/Baselines/Compare/CompareSubjectIdentity.php`.
- [X] T005 Re-read `apps/platform/app/Models/ProviderConnection.php`, `apps/platform/app/Models/ManagedEnvironment.php`, `apps/platform/app/Models/AuditLog.php`, `apps/platform/app/Support/Auth/Capabilities.php`, and existing provider/baseline policy tests.
- [X] T006 Confirm no Filament resource/page/action, route, Livewire component, Blade view, Graph client, provider adapter, OperationRun type, or evidence/review behavior change is planned; if one appears necessary, stop and update spec/plan before continuing.

## Phase 2: Identity And Canonical Key Foundation

**Purpose**: Represent provider identity and canonical subject keys without display names as primary identity.

- [X] T007 [P] [US1] Add unit coverage in `apps/platform/tests/Unit/Support/Resources/ResourceIdentityTest.php` for tenant-owned, built-in, default, virtual, unsupported, and unknown identities.
- [X] T008 [P] [US1] Add unit coverage in `apps/platform/tests/Unit/Support/Baselines/BaselineSubjectKeyCanonicalIdentityTest.php` proving canonical keys use provider/resource identity or canonical discriminator and do not collapse same-label distinct resources.
- [X] T009 [P] [US1] Add unit coverage in `apps/platform/tests/Unit/Support/Resources/ProviderResourceDescriptorTest.php` for descriptor serialization, source references, last-seen metadata, fingerprints, and fake-provider data.
- [X] T010 [US1] Implement `apps/platform/app/Support/Resources/ResourceIdentity.php` with named constructors for provider resource, canonical built-in/default, virtual target, unsupported, and unknown identities. - [X] T011 [US1] Extend `apps/platform/app/Support/Baselines/BaselineSubjectKey.php` with canonical provider-resource key helpers rather than creating a parallel `CanonicalSubjectKey` class. - [X] T012 [US1] Implement `apps/platform/app/Support/Resources/ProviderResourceDescriptor.php` as a small serializable descriptor over `ResourceIdentity`. - [X] T013 [US1] Run the focused identity unit tests for `ResourceIdentity`, `BaselineSubjectKeyCanonicalIdentity`, and `ProviderResourceDescriptor`. ## Phase 3: Binding Persistence And Integrity **Purpose**: Persist managed-environment-scoped binding decisions with active uniqueness and no duplicate active truth. - [X] T014 [P] [US2] Add PostgreSQL migration/index coverage in `apps/platform/tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php` for active partial unique index, composite `(managed_environment_id, workspace_id)` foreign key integrity, managed-environment non-null scope, enum/check-constraint validity where practical, and index-backed lookup assumptions. - [X] T015 [P] [US2] Add feature coverage in `apps/platform/tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php` for create, supersede, revoke, required note, single-active binding behavior, provider-default-as-canonical-built-in behavior, fake-provider service persistence, and every resolution mode listed in `spec.md`. 
- [X] T016 [US2] Create `apps/platform/database/migrations/_create_provider_resource_bindings_table.php` with non-null `workspace_id`, non-null `managed_environment_id`, composite `(managed_environment_id, workspace_id)` foreign key to `managed_environments(id, workspace_id)`, provider/subject/resource descriptor fields, binding status, resolution mode, source references, actor fields, timestamps, indexes, and a PostgreSQL partial unique index on active bindings.
- [X] T017 [US2] Implement `apps/platform/app/Support/Resources/ProviderResourceBindingStatus.php` with `active`, `superseded`, and `revoked`.
- [X] T018 [US2] Implement `apps/platform/app/Support/Resources/ProviderResourceResolutionMode.php` with the modes listed in `spec.md`.
- [X] T019 [US2] Implement `apps/platform/app/Models/ProviderResourceBinding.php` with casts, relationships, active lookup scope, `DerivesWorkspaceIdFromTenant` or equivalent workspace-derivation invariant, and managed-environment/workspace helpers.
- [X] T020 [US2] Implement `apps/platform/database/factories/ProviderResourceBindingFactory.php` with cheap defaults and explicit fake-provider/provider-resource states.
- [X] T021 [US2] Run the PostgreSQL binding migration/index test through `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php`.

## Phase 4: Binding Service, RBAC, And Audit

**Purpose**: Make binding decisions safe, authorized, note-backed, and auditable.

- [X] T022 [P] [US2] Add authorization coverage in `apps/platform/tests/Feature/ProviderResources/ProviderResourceBindingAuthorizationTest.php` for allowed manager, read-only denial, missing capability 403, cross-workspace deny-as-not-found, and cross-managed-environment deny-as-not-found for records and source references.
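The shape of the Phase 3 migration (T016) and the reason T014/T021 need the PostgreSQL lane, as an added illustration that is not the project's own migration file. Column names beyond those named in T016/T017 (`provider_key`, `subject_key`, `resource_identity`, `source_references`, `note`, `created_by_user_id`) are assumptions, as is the choice of `(managed_environment_id, subject_key)` as the "one active binding" key. It also assumes `managed_environments` already carries a unique index on `(id, workspace_id)`: PostgreSQL rejects a composite foreign key whose target is not a primary key or unique constraint.

```php
<?php

// Added example migration; not the repository's `_create_provider_resource_bindings_table.php`.
// Assumed columns: provider_key, subject_key, resource_identity, source_references, note,
// created_by_user_id. Assumed: managed_environments has a unique index on (id, workspace_id).

use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Schema;

return new class extends Migration
{
    public function up(): void
    {
        Schema::create('provider_resource_bindings', function (Blueprint $table): void {
            $table->id();

            // Both scope columns are NOT NULL: a binding never floats above an environment.
            $table->foreignId('workspace_id')->constrained('workspaces');
            $table->foreignId('managed_environment_id')->constrained('managed_environments');

            // Composite key: the environment row must belong to the same workspace as this
            // binding, so a cross-workspace environment id cannot be smuggled into a write.
            $table->foreign(['managed_environment_id', 'workspace_id'])
                ->references(['id', 'workspace_id'])
                ->on('managed_environments');

            $table->foreignId('provider_connection_id')->nullable()->constrained('provider_connections');
            $table->string('provider_key');
            $table->string('subject_key');        // canonical BaselineSubjectKey string (assumed name)
            $table->json('resource_identity');    // serialized ProviderResourceDescriptor (assumed name)
            $table->string('status');             // active | superseded | revoked (T017)
            $table->string('resolution_mode');    // values enumerated in spec.md (T018)
            $table->json('source_references')->nullable();
            $table->text('note');                 // operator note is required (T015)
            $table->foreignId('created_by_user_id')->nullable()->constrained('users');
            $table->timestamp('superseded_at')->nullable();
            $table->timestamp('revoked_at')->nullable();
            $table->timestamps();

            // Index-backed lookups for the active scope and per-workspace listings.
            $table->index(['managed_environment_id', 'subject_key', 'status']);
            $table->index(['workspace_id', 'status']);
        });

        // "No duplicate active truth" lives in a partial unique index rather than an
        // is_active column (NT006). Laravel's schema builder has no portable partial index,
        // so this is raw SQL guarded to PostgreSQL; the SQLite lane never enforces it,
        // which is why T014/T021 run under phpunit.pgsql.xml.
        if (DB::connection()->getDriverName() === 'pgsql') {
            DB::statement(<<<'SQL'
                CREATE UNIQUE INDEX provider_resource_bindings_active_unique
                ON provider_resource_bindings (managed_environment_id, subject_key)
                WHERE status = 'active'
            SQL);

            // Enum validity at the database layer as well (T014 "where practical").
            DB::statement(<<<'SQL'
                ALTER TABLE provider_resource_bindings
                ADD CONSTRAINT provider_resource_bindings_status_check
                CHECK (status IN ('active', 'superseded', 'revoked'))
            SQL);
        }
    }

    public function down(): void
    {
        Schema::dropIfExists('provider_resource_bindings');
    }
};
```

Superseding a binding then means flipping the old row's `status` and inserting a new `active` row; two writers racing to insert a second `active` row for the same environment/subject pair hit the index, not the application, which is the behavior the PostgreSQL test should assert.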
- [X] T023 [P] [US2] Add audit assertions to `apps/platform/tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php` for create, supersede, exclusion, accepted limitation, unsupported coverage, missing expected, revocation, old binding ID where applicable, new binding ID where applicable, resolution mode, safe source references, and redacted/safe operator note metadata.
- [X] T024 [US2] Implement `apps/platform/app/Policies/ProviderResourceBindingPolicy.php` using existing `workspace_baselines.view` and `workspace_baselines.manage` capability semantics unless the spec is updated first.
- [X] T025 [US2] Register the `ProviderResourceBindingPolicy` in `apps/platform/app/Providers/AuthServiceProvider.php` unless implementation updates `plan.md` with a stronger adjacent provider-registration precedent first.
- [X] T026 [US2] Implement `apps/platform/app/Services/Resources/ProviderResourceBindingService.php` with transactional methods for manual binding, exclusion, accepted limitation, unsupported coverage, missing expected, supersession, and revocation, including provider-connection/provider-key validation and scoped source-reference validation before persistence.
- [X] T027 [US2] Add stable audit action IDs for provider resource binding decisions in `apps/platform/app/Support/Audit/AuditActionId.php`.
- [X] T028 [US2] Ensure service audit metadata excludes secrets, tokens, raw credentials, raw provider payloads, raw Graph response bodies, signed URLs, stack traces, raw sensitive JSON, and unchecked raw operator note text.
- [X] T029 [US2] Run the binding service and authorization feature tests.

## Phase 5: No-Op Runtime Regression

**Purpose**: Prove Spec 381 does not silently change current compare, evidence, review, or report behavior.
- [X] T030 [P] [US3] Add no-op regression coverage in `apps/platform/tests/Feature/Baselines/BaselineCompareProviderResourceBindingNoOpTest.php` proving existing compare behavior does not automatically consume bindings in v1.
- [X] T031 [P] [US3] Add no-op regression coverage in `apps/platform/tests/Feature/Evidence/BaselineDriftPostureSourceTest.php` or a focused adjacent test proving existing evidence posture output is unchanged when bindings exist.
- [X] T032 [P] [US3] Add no-op regression coverage in `apps/platform/tests/Feature/ReviewPack/Spec349ReviewPackResolutionGuidanceTest.php` or a focused adjacent test proving review guidance/readiness does not treat accepted limitation as no-drift in v1.
- [X] T033 [US3] Run targeted existing baseline/evidence/review tests listed in `plan.md`.
- [X] T034 [US3] Confirm the migration does not alter or backfill existing baseline snapshots, baseline snapshot items, inventory items, policy versions, operation runs, evidence snapshots, stored reports, or review packs.
- [X] T035 [US3] Confirm no code path in current baseline compare, evidence readiness, review readiness, or review-pack publication automatically resolves subjects through `ProviderResourceBindingService`; if implementation needs that, stop and prepare Spec 382/385 instead.

## Phase 6: Final Validation And Artifact Hygiene

**Purpose**: Close implementation with bounded proof and no hidden scope.

- [X] T036 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/Resources/ResourceIdentityTest.php tests/Unit/Support/Resources/ProviderResourceDescriptorTest.php tests/Unit/Support/Baselines/BaselineSubjectKeyCanonicalIdentityTest.php`.
- [X] T037 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php tests/Feature/ProviderResources/ProviderResourceBindingAuthorizationTest.php`.
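The two Phase 4 properties most likely to regress under load are the transactional supersede in T026 (exactly one `active` row survives a race) and the audit-metadata hygiene in T028 (IDs and resolution mode go in, raw operator note text and raw provider payloads stay out). The following is an added sketch of both, not the repository's `ProviderResourceBindingService`. It assumes the column names from the migration example above (`subject_key`, `status`, `resolution_mode`, `source_references`, `note`), an Eloquent model `App\Models\ProviderResourceBinding` mapped to that table, and an audit sink injected as a closure so the example does not guess at `AuditLog`'s real API; the action ID string is a placeholder for whatever T027 adds to `AuditActionId`.

```php
<?php

// Added example; not the project's ProviderResourceBindingService. Assumes the column
// names from the migration example and Laravel 10.x+ (UniqueConstraintViolationException).
// The audit sink is injected as a closure so no AuditLog API is assumed here.

namespace App\Services\Resources;

use App\Models\ProviderResourceBinding;
use Closure;
use Illuminate\Database\UniqueConstraintViolationException;
use Illuminate\Support\Facades\DB;
use InvalidArgumentException;
use RuntimeException;

final class ProviderResourceBindingSupersedeExample
{
    /** @param Closure(string $actionId, array<string,mixed> $metadata): void $recordAudit */
    public function __construct(private readonly Closure $recordAudit) {}

    /**
     * Replace the current active binding for an environment/subject pair with a new one.
     * Either both writes and the audit row commit, or none of them do.
     *
     * @param array<string,mixed> $attributes provider_key, resource_identity, resolution_mode, source_references
     */
    public function supersede(
        int $managedEnvironmentId,
        int $workspaceId,
        string $subjectKey,
        array $attributes,
        string $note,
        int $actorUserId,
    ): ProviderResourceBinding {
        $note = trim($note);
        if ($note === '') {
            throw new InvalidArgumentException('An operator note is required for every binding decision.');
        }

        try {
            return DB::transaction(function () use (
                $managedEnvironmentId, $workspaceId, $subjectKey, $attributes, $note, $actorUserId
            ): ProviderResourceBinding {
                // Row lock on the current active binding serialises concurrent supersedes
                // of an existing binding; the partial unique index covers the rest.
                $current = ProviderResourceBinding::query()
                    ->where('managed_environment_id', $managedEnvironmentId)
                    ->where('workspace_id', $workspaceId)
                    ->where('subject_key', $subjectKey)
                    ->where('status', 'active')
                    ->lockForUpdate()
                    ->first();

                if ($current !== null) {
                    $current->forceFill(['status' => 'superseded', 'superseded_at' => now()])->save();
                }

                $new = ProviderResourceBinding::query()->create($attributes + [
                    'managed_environment_id' => $managedEnvironmentId,
                    'workspace_id' => $workspaceId,
                    'subject_key' => $subjectKey,
                    'status' => 'active',
                    'note' => $note,
                    'created_by_user_id' => $actorUserId,
                ]);

                // Placeholder action ID; T027 defines the real constant in AuditActionId.
                ($this->recordAudit)('provider_resource_binding.superseded', self::safeMetadata($current, $new, $note));

                return $new;
            });
        } catch (UniqueConstraintViolationException $e) {
            // Two writers found no active row, so neither held a lock; the database's
            // partial unique index rejected the second insert. Surface it as a retryable
            // conflict rather than leaking the SQL error text (T042).
            throw new RuntimeException('Another active binding was created concurrently; retry the decision.', 0, $e);
        }
    }

    /**
     * Audit metadata allowlist (T023/T028): identifiers and mode only. The operator note
     * is represented by its length and a digest, never its raw text; source references
     * are reduced to type/id pairs so provider payloads cannot ride along.
     *
     * @return array<string,mixed>
     */
    public static function safeMetadata(?ProviderResourceBinding $old, ProviderResourceBinding $new, string $note): array
    {
        $refs = array_map(
            static fn (array $ref): array => ['type' => $ref['type'] ?? null, 'id' => $ref['id'] ?? null],
            array_values((array) ($new->source_references ?? [])),
        );

        return [
            'old_binding_id' => $old?->getKey(),
            'new_binding_id' => $new->getKey(),
            'managed_environment_id' => $new->managed_environment_id,
            'subject_key' => $new->subject_key,
            'resolution_mode' => $new->resolution_mode,
            'source_references' => $refs,
            'note_length' => mb_strlen($note),
            'note_sha256' => hash('sha256', $note),
        ];
    }
}
```

The `lockForUpdate()` only helps when a current row exists to lock; the create/create race with no prior binding is exactly the case the PostgreSQL partial unique index (T014/T016) has to catch, and the SQLite lane will not reproduce it. The feature test for T015's "single-active binding behavior" should therefore assert on the exception path as well as the happy path.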
- [X] T038 Run `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php`.
- [X] T039 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineCompareGapClassificationTest.php tests/Feature/Evidence/BaselineDriftPostureSourceTest.php tests/Feature/ReviewPack/Spec349ReviewPackResolutionGuidanceTest.php`.
- [X] T040 Run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`.
- [X] T041 Run `git diff --check`.
- [X] T042 Scan changed files for secrets, tokens, raw credentials, raw provider payloads, raw Graph payloads, signed URLs, stack traces, SQL errors, and unnecessary customer-sensitive data.
- [X] T043 Complete implementation close-out with Livewire v4 compliance, provider registration location, global-search status, high-impact action handling, asset strategy, validation commands, and deployment impact.

## Non-Goals

- [X] NT001 Do not add a Baseline Subject Resolution UI, Filament resource, route, navigation item, Livewire component, or Blade view.
- [X] NT002 Do not implement baseline matching pipeline consumption, automatic Microsoft built-in mapping, or provider adapter canonicalization.
- [X] NT003 Do not change evidence snapshot readiness, environment review readiness, review-pack publication, or customer-facing output.
- [X] NT004 Do not add Graph calls, provider runtime calls, queued jobs, OperationRun types, terminal notifications, or scheduler behavior.
- [X] NT005 Do not add workspace-level, baseline-profile-specific, or subject-only binding scopes in v1.
- [X] NT006 Do not add an `is_active` column or other duplicate active-binding truth.
- [X] NT007 Do not rewrite completed Spec 163 or Spec 380 artifacts or remove their close-out/completed-task history.

## Dependencies And Ordering

- Phase 1 must complete before code changes.
- Phase 2 identity primitives must exist before descriptors and binding service payloads depend on them.
- Phase 3 migration/model/enums must complete before the service persists decisions.
- Phase 4 policy/service/audit depends on Phase 3 persistence.
- Phase 5 no-op regression runs after bindings can exist.
- Phase 6 runs last.

## Parallel Opportunities

- T007, T008, and T009 can run in parallel.
- T014 and T015 can run in parallel.
- T022 and T023 can run in parallel.
- T030, T031, and T032 can run in parallel.
- Final validation commands T036 through T039 may run in parallel if Sail resources allow.

## Implementation Strategy

1. Prove identity primitives first.
2. Add persistence and PostgreSQL uniqueness.
3. Add authorized/audited service mutations.
4. Prove current compare/evidence/review behavior is unchanged.
5. Run focused validation and stop before follow-up matching/UI/evidence scopes.