## Summary
- add the shared trusted-state model and resolver helpers for first-slice Livewire and Filament surfaces
- harden managed tenant onboarding, tenant required permissions, and system runbooks against forged or stale public state
- add focused Pest guard and regression coverage plus the complete spec 152 artifact set
## Validation
- `vendor/bin/sail artisan test --compact`
- manual smoke validated on `/admin/onboarding/{onboardingDraft}`
- manual smoke validated on `/admin/tenants/{tenant}/required-permissions`
- manual smoke validated on `/system/ops/runbooks`
## Notes
- Livewire v4.0+ / Filament v5 stack unchanged
- no new panels, routes, assets, or global-search changes
- provider registration remains in `bootstrap/providers.php`
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #182
Quickstart: Livewire Context Locking and Trusted-State Reduction
Goal
Harden tier-1 Livewire and Filament surfaces so that public component state supports continuity and UX, but never becomes authority for protected actions.
Implementation Order
- Inventory the first-slice component fields and classify them as presentation, locked identity, or server-derived authority.
- Replace ownership-relevant public model objects on the onboarding wizard with locked scalar IDs or resolver-backed access.
- Normalize onboarding action methods so each protected action re-resolves draft, tenant, workspace, and selected provider connection before use.
- Tighten the tenant required permissions page so route-derived tenant scope remains authoritative and filter state remains presentation-only.
- Tighten the system runbooks page so selected tenant IDs remain validated proposals and cannot bypass AllowedTenantUniverse.
- Extend existing forged-state and resolver guard tests instead of introducing a parallel guard suite.
- Add or update one lightweight architectural guard for covered public authority fields, implementation markers, and first-slice action-surface status.
- Add automated non-regression assertions for onboarding continuity and runbook selector query boundaries.
- Run focused Pest coverage and format changed files with Pint.
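To make the classification above concrete, here is an added example (not the project's code) that puts the unsafe pattern beside the hardened one in a single file: a public Eloquent model treated as authority, versus a locked scalar ID with per-action re-resolution inside tenant scope. `OnboardingDraft`, `currentTenant()`, `providerConnections()`, `verify()` and the `view`/`update` abilities are assumed names; `#[Locked]` is Livewire's `Livewire\Attributes\Locked`.

```php
<?php

namespace App\Filament\Pages\Workspaces;

use App\Models\OnboardingDraft;          // assumed model
use Illuminate\Support\Facades\Gate;
use Livewire\Attributes\Locked;
use Livewire\Component;

// Added example (not project code). BEFORE: the public model is rehydrated from
// client-supplied Livewire state, so a forged payload can swap in another
// tenant's draft and the action trusts it.
class UnsafeOnboardingWizard extends Component
{
    public OnboardingDraft $draft;          // ownership-relevant, mutable public state

    public function verifyConnection(): void
    {
        $this->draft->verify();             // no re-resolution, no authorization
    }
}

// AFTER: identity is a locked scalar; every protected action re-resolves the
// draft inside the authenticated tenant scope and authorizes before acting.
class ManagedTenantOnboardingWizard extends Component
{
    #[Locked]
    public int $draftId;                      // locked identity, never authority
    public ?int $selectedConnectionId = null; // presentation-only proposal

    public function mount(OnboardingDraft $onboardingDraft): void
    {
        Gate::authorize('view', $onboardingDraft);
        $this->draftId = $onboardingDraft->getKey();
    }

    private function resolveDraft(): OnboardingDraft // fails closed with 404/403
    {
        $draft = OnboardingDraft::query()
            ->whereBelongsTo(auth()->user()->currentTenant()) // assumed relation
            ->findOrFail($this->draftId);
        Gate::authorize('update', $draft);
        return $draft;
    }

    public function verifyConnection(): void
    {
        $draft = $this->resolveDraft();
        // the selected connection is a proposal: it must belong to the resolved draft
        $draft->providerConnections()->findOrFail($this->selectedConnectionId)->verify();
    }
}
```

The same resolve-then-authorize shape applies to the tenant scope on the required-permissions page and to tenant selections on the runbooks page: route or session context decides scope, and public fields only propose.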
Suggested Code Touches
app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php
app/Filament/Pages/TenantRequiredPermissions.php
app/Filament/System/Pages/Ops/Runbooks.php
app/Filament/Concerns/ResolvesPanelTenantContext.php
app/Support/Workspaces/WorkspaceContext.php
app/Services/Onboarding/*
tests/Feature/Onboarding/*
tests/Feature/Guards/*
tests/Feature/Rbac/*
Validation Flow
Run the minimum focused suites first:
vendor/bin/sail artisan test --compact tests/Feature/Onboarding/OnboardingDraftAuthorizationTest.php
vendor/bin/sail artisan test --compact tests/Feature/Onboarding/OnboardingDraftMultiTabTest.php
vendor/bin/sail artisan test --compact tests/Feature/Guards/LivewireTrustedStateGuardTest.php
vendor/bin/sail artisan test --compact tests/Feature/Guards/AdminTenantResolverGuardTest.php
vendor/bin/sail artisan test --compact tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php
vendor/bin/sail artisan test --compact tests/Feature/Guards/ActionSurfaceContractTest.php
vendor/bin/sail artisan test --compact tests/Feature/System/OpsRunbooks/FindingsLifecycleBackfillPreflightTest.php
vendor/bin/sail artisan test --compact tests/Feature/System/OpsRunbooks/FindingsLifecycleBackfillStartTest.php
vendor/bin/sail bin pint --dirty --format agent
The focused onboarding and runbook suites should include automated assertions that trusted-state hardening does not add broad resolver-query fan-out or break legitimate render and continuity paths.
If the first slice touches additional guard files, run those focused tests before expanding coverage.
Manual Smoke Checklist
- Open /admin/onboarding/{onboardingDraft} for a valid draft and verify normal resume behavior still works.
- Change provider connection through the intended UI and confirm verification still uses the selected in-scope connection.
- Attempt a forged or stale target in a Livewire test or browser devtools scenario and confirm the request fails closed.
- Open /admin/tenants/{tenant}/required-permissions and confirm filters remain usable while tenant scope stays fixed.
- Open /system/ops/runbooks, switch between all-tenant and single-tenant scope, and confirm unauthorized tenant selections are rejected.
- Re-run the trusted-state and guard suites after any future component adopts this pattern, and update the first-slice policy inventory before expanding exemptions.
Exit Criteria
- Tier-1 components no longer depend on mutable public authority state for protected actions.
- Forged-state regression coverage exists for onboarding, tenant-context, and system-page slices.
- Existing operator UX and legitimate refresh or resume behavior remain intact.
- Automated non-regression assertions cover onboarding continuity and runbook selector query boundaries.
- No new panel, route, asset, or Graph contract change was introduced.