ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
284-provider-neutral-artifact-source-taxonomy
TenantAtlas/specs/282-governance-artifact-retargeting/research.md
ahmido f50d57370f feat: cut over workspace-first admin environment surfaces (#341) 
## Summary
- cut over the admin runtime to the workspace-first environment and operations routes from spec 280
- retarget governance artifact resources, related navigation, and operation drillthroughs to the surviving admin panel contract from spec 282
- add focused feature and browser coverage plus spec close-out updates for the shipped 280/282 slice

## Validation
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/WorkspaceFoundation tests/Feature/Workspaces tests/Feature/ManagedEnvironment tests/Feature/RequiredPermissions tests/Feature/Operations tests/Feature/MonitoringOperationsTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec280WorkspaceTenancyEnvironmentRoutingSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactAdminPanelRegistrationTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactEnvironmentContextTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactDeepLinkContractTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactLegacyTenantPanelGuardTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec282GovernanceArtifactRetargetingSmokeTest.php`

## Notes
- provider registration remains in `apps/platform/bootstrap/providers.php`
- Filament stays on v5 with Livewire v4 semantics
- touched searchable governance surfaces remain truthful or disabled in the same slice

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #341
2026-05-07 23:50:36 +00:00

6.1 KiB
Raw Permalink Blame History

Research: Governance Artifact Retargeting to ManagedEnvironment

Decision Summary

Decision 1: Treat 282 as a surface-ownership slice, not a schema slice

  • Decision: 282 will retarget existing governance artifact resources and drillthroughs to the workspace-first admin runtime. It will not reopen tenant_id to managed_environment_id persistence work.
  • Why: repo truth already shows managed_environment_id plus workspace_id on the relevant models, and the real remaining gap is surface registration, route ownership, and context resolution.
  • Evidence:
    • OperationRun, Finding, Policy, BackupSet, RestoreRun, EvidenceSnapshot, ReviewPack, TenantReview, and StoredReport already persist managed_environment_id
    • many models use DerivesWorkspaceIdFromTenant or equivalent workspace derivation seams

Decision 2: Scope the implementation around current resource families

  • Decision: the primary implementation unit is the current environment-owned Filament resource families, not a generic artifact abstraction.
  • Why: the route and admin-registration drift is expressed in concrete resources such as FindingResource, PolicyResource, BackupSetResource, RestoreRunResource, EvidenceSnapshotResource, ReviewPackResource, and StoredReportResource.
  • Evidence:
    • several resources still include admin-hide guards through shouldRegisterNavigation() checks against the admin panel
    • read-only artifact resources still use ManagedEnvironment::current() or mixed fallback chains that imply tenant-panel ownership

Decision 3: Reuse shared context and link seams

  • Decision: reuse ResolvesPanelTenantContext, InteractsWithTenantOwnedRecords, RelatedNavigationResolver, CanonicalNavigationContext, and OperationRunLinks instead of creating a new route-helper layer.
  • Why: the repo already has one shared environment-resolution seam and one shared navigation contract; the drift is in how existing resources still call them under tenant-panel assumptions.
  • Evidence:
    • ResolvesPanelTenantContext already branches for admin versus tenant panels
    • OperationRunLinks already owns canonical operations URLs

Decision 4: Keep artifact lifecycle and stored-report productization deferred

  • Decision: defer lifecycle semantics to Spec 267 and broader stored-report surface/productization work to Spec 277.
  • Why: both packages already exist and would broaden 282 beyond route ownership and context resolution.
  • Evidence:
    • specs/267-artifact-lifecycle-retention/spec.md is already Ready for implementation
    • specs/277-stored-reports-surface/spec.md is already Ready for implementation

Decision 5: Keep provider, RBAC, copy, and no-legacy follow-through deferred

  • Decision: defer Specs 283 through 287 unchanged.
  • Why: 282 is already broad enough at the resource-surface layer. Capability registries, taxonomies, RBAC redesign, vocabulary cleanup, and global cutover quality gates belong to the later reserved slots.

Decision 6: Keep adjacent pages out of scope for 282

  • Decision: pages such as TenantDiagnostics, InventoryCoverage, and BaselineCompareLanding remain out of scope for 282 unless a later implementation produces a concrete, isolated follow-up need.
  • Why: repo truth shows these are adjacent seams, not part of the minimum route-ownership contract needed for the current governance artifact resource families.

Touched Resource Inventory

Family Representative resources Current repo issue
Governance registers InventoryItemResource, PolicyResource, PolicyVersionResource, FindingResource, FindingExceptionResource admin-hidden registration or environment-context drift
Recovery and backup BackupScheduleResource, BackupSetResource, RestoreRunResource admin-hidden registration plus many related links and action URLs
Evidence and reporting EvidenceSnapshotResource, TenantReviewResource, ReviewPackResource, StoredReportResource environment resolution still assumes tenant-panel truth in fallbacks

Candidate Deviations From Raw Backlog Text

  • The raw candidate reads like a model and route retarget combined. Repo truth shows the model retarget already happened in Spec 279.
  • The raw candidate mentions renaming review concepts and removing remaining /admin/t links broadly. For 282, this is narrowed to the touched governance artifact surface families only; broader copy cleanup remains Spec 286.
  • The raw candidate's operation_runs move is already satisfied at the persistence layer; 282 only retargets artifact-origin links into the workspace-first operations routes reused from Spec 280.
  • The raw candidate's backup items note remains nested under backup-set and restore-run surfaces and does not become a separate top-level route family in 282.

Implementation Risks To Hold During Tasks Generation

  • Do not widen into lifecycle or reporting semantics just because ReviewPackResource and StoredReportResource are touched.
  • Do not create new route helpers or a generic artifact surface layer.
  • Do not leave any touched family half-migrated, where list pages move but action URLs or related links still emit tenant-panel destinations.

Files Reviewed

  • .specify/memory/constitution.md
  • docs/product/spec-candidates.md
  • docs/product/roadmap.md
  • specs/267-artifact-lifecycle-retention/spec.md
  • specs/277-stored-reports-surface/spec.md
  • specs/279-workspace-managed-environment-core/spec.md
  • specs/280-workspace-tenancy-environment-routing/spec.md
  • specs/281-provider-connection-scope/spec.md
  • apps/platform/app/Models/OperationRun.php
  • apps/platform/app/Filament/Concerns/ResolvesPanelTenantContext.php
  • apps/platform/app/Filament/Resources/FindingResource.php
  • apps/platform/app/Filament/Resources/EvidenceSnapshotResource.php
  • apps/platform/app/Filament/Resources/ReviewPackResource.php
  • apps/platform/app/Filament/Resources/StoredReportResource.php
  • repo-wide searches for admin-hide guards and environment-context helper usage in Filament resources and pages