# Data Model: 106 — Required Permissions Sidebar Context Fix

**Date**: 2026-02-22 | **Branch**: `106-required-permissions-sidebar-context`

## Summary

No data model changes. This feature modifies middleware control flow only.

## Entities Affected

None. No database tables, models, or relationships are created or modified.

## State Transitions

| Component | Before | After |
|---|---|---|
| `EnsureFilamentTenantSelected` middleware | Always calls `Filament::setTenant()` when `{tenant}` route param present | Checks workspace-scoped page allowlist first; skips `setTenant()` for matched pages |
| `Filament::getTenant()` on Required Permissions page | Returns resolved `Tenant` instance (triggers tenant sidebar) | Returns `null` (triggers workspace sidebar) |
| `configureNavigationForRequest()` on Required Permissions page | Renders tenant-scoped sidebar | Renders workspace-scoped sidebar |
| `rememberLastTenantId()` on Required Permissions page | Called (updates session) | Skipped (no session side-effect) |

## Middleware Decision Flow (After Fix)

```
Request arrives
  ├── /livewire/update?
  │   └── Check referer against:
  │       ├── /admin/operations/{run} (existing)
  │       └── /admin/tenants/{tenant}/required-permissions (NEW)
  │           └── Match → workspace nav, return
  │
  ├── /admin/operations/{run} → workspace nav (existing)
  ├── /admin/operations → workspace nav (existing)
  │
  ├── Route has {tenant} param?
  │   ├── Authorization checks (all 8 — unchanged)
  │   ├── Is workspace-scoped page? (NEW check)
  │   │   ├── YES → configureNavigationForRequest() WITHOUT setTenant()
  │   │   └── NO  → Filament::setTenant() + rememberLastTenantId() + configureNavigation (existing)
  │   └── return next
  │
  └── ... existing flow continues
```