# Data Model — Spec 090 (Action Surface Contract Compliance & RBAC Hardening)

## Summary

Spec 090 is primarily a UI + authorization + auditability retrofit. **No new tables are required**. The feature standardizes how existing entities are presented and how actions are gated and audited.

## Entities (Existing)

### `AuditLog`

- **Purpose**: Durable audit trail for security/ops-relevant actions.
- **Key fields (observed from loggers)**:
  - `tenant_id` (nullable)
  - `workspace_id` (nullable)
  - `actor_id`, `actor_email`, `actor_name`
  - `action` (stable action id string)
  - `resource_type`, `resource_id`
  - `status` (`success` for Spec 090 scope)
  - `metadata` (sanitized)
  - `recorded_at`
- **Writers**:
  - Tenant-scoped: `App\Services\Intune\AuditLogger`
  - Workspace-scoped: `App\Services\Audit\WorkspaceAuditLogger`

### `OperationRun`

- **Purpose**: Observability record for queued/remote operations.
- **Spec 090 usage**: Operation-start actions must enqueue work and link to the run (“View run”).

### Tenant-scoped domain entities

- `Tenant`
- `Policy` / `PolicyVersion`
- `BackupSchedule` (+ executions via `OperationRun` type `backup_schedule_run`)
- `ProviderConnection`
- `Finding`
- `InventoryItem`
- `EntraGroup`

### Workspace-scoped domain entities

- `Workspace`
- workspace memberships (used for the isolation boundary)

## Relationships (High-level)

- `Workspace` has many `Tenant`.
- `Tenant` has many `Policy`, `BackupSchedule`, `ProviderConnection`, `Finding`, `InventoryItem`, `EntraGroup`.
- `OperationRun` is scoped by `(workspace_id, tenant_id)` when applicable.
- `AuditLog` is scoped either by `tenant_id` (tenant-plane audits) or `workspace_id` (workspace-plane audits).

## Authorization/Capability Model (Existing)

- Canonical capability registry: `App\Support\Auth\Capabilities`.
- Capability resolution: `App\Services\Auth\CapabilityResolver`.
- Filament gating helpers:
  - `App\Support\Rbac\UiEnforcement` (tenant scope)
  - `App\Support\Rbac\WorkspaceUiEnforcement` (workspace scope)

## State Transitions (Relevant)

- “Side-effect action executed” → writes an `AuditLog` entry (success only for Spec 090).
- “Operation start action executed” → creates/reuses an `OperationRun`, enqueues background work, then links the user to the run.

## Non-goals / Deferred

- `BackupSchedule` retention (soft delete/restore/force delete) is explicitly deferred.
- No schema changes are required for action-surface declarations; these live in code.
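The two state transitions above (capability-gated side-effect action, operation-start action) as one added PHP example; this is illustration written for this page, not code from the project or Spec 090. The method names `CapabilityResolver::allows`, `AuditLogger::record` and `OperationRun::start`, the `backup_schedule.run` capability id and the `RunBackupSchedule` job class are assumed; only the `AuditLog` field names and the `backup_schedule_run` run type come from the page.

```php
<?php
// Added example, not project code. CapabilityResolver::allows, AuditLogger::record,
// OperationRun::start, the job class and the capability id are assumed names.
use App\Jobs\RunBackupSchedule;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Services\Auth\CapabilityResolver;
use App\Services\Intune\AuditLogger;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Support\Facades\DB;

final class StartBackupScheduleRun
{
    /** Keys that must never reach AuditLog.metadata, even if present in action input. */
    private const REDACTED_KEYS = ['token', 'secret', 'password', 'client_secret', 'authorization'];

    public function __construct(private CapabilityResolver $capabilities, private AuditLogger $audit) {}

    public function __invoke(User $actor, Tenant $tenant, int $scheduleId, array $input): OperationRun
    {
        // 1. Gate on the canonical capability id before any side effect occurs.
        if (! $this->capabilities->allows($actor, 'backup_schedule.run', $tenant)) {
            throw new AuthorizationException('Missing capability: backup_schedule.run');
        }
        // 2. Create the OperationRun and the success-only audit row atomically; the
        //    background job is dispatched only once the transaction has committed.
        return DB::transaction(function () use ($actor, $tenant, $scheduleId, $input): OperationRun {
            $run = OperationRun::start($tenant, 'backup_schedule_run', $scheduleId);
            RunBackupSchedule::dispatch($run)->afterCommit();
            $this->audit->record(
                tenantId: $tenant->id,
                actorId: $actor->id,
                action: 'backup_schedule.run',
                resourceType: 'backup_schedule',
                resourceId: (string) $scheduleId,
                status: 'success',
                metadata: self::sanitize($input) + ['operation_run_id' => $run->id],
            );
            return $run; // caller links the actor to the run ("View run")
        });
    }

    /** Drop secret-bearing keys so the audit row is safe to display and export. */
    private static function sanitize(array $input): array
    {
        return array_diff_key($input, array_flip(self::REDACTED_KEYS));
    }
}
```

If the transaction rolls back, neither the `OperationRun` nor the audit row persists and the job is never dispatched, which keeps the "success only" audit contract honest.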