ahmido 1f3619bd16 feat: tenant-owned query canon and wrong-tenant guards (#180 )

## Summary
- introduce a shared tenant-owned query and record-resolution canon for first-slice Filament resources
- harden direct views, row actions, bulk actions, relation managers, and workspace-admin canonical viewers against wrong-tenant access
- add registry-backed rollout metadata, search posture handling, architectural guards, and focused Pest coverage for scope parity and 404/403 semantics

## Included
- Spec 150 package under `specs/150-tenant-owned-query-canon-and-wrong-tenant-guards/`
- shared support classes: `TenantOwnedModelFamilies`, `TenantOwnedQueryScope`, `TenantOwnedRecordResolver`
- shared Filament concern: `InteractsWithTenantOwnedRecords`
- resource/page/policy hardening across findings, policies, policy versions, backup schedules, backup sets, restore runs, inventory items, and Entra groups
- additional regression coverage for canonical tenant state, wrong-tenant record resolution, relation-manager congruence, and action-surface guardrails

## Validation
- `vendor/bin/sail artisan test --compact` passed
- full suite result: `2733 passed, 8 skipped`
- formatting applied with `vendor/bin/sail bin pint --dirty --format agent`

## Notes
- Livewire v4.0+ compliant via existing Filament v5 stack
- provider registration remains in `bootstrap/providers.php`
- globally searchable first-slice posture: Entra groups scoped; policies and policy versions explicitly disabled
- destructive actions continue to use confirmation and policy authorization
- no new Filament assets added; existing deployment flow remains unchanged, including `php artisan filament:assets` when registered assets are used

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #180

2026-03-18 08:33:13 +00:00

2.2 KiB

Raw Permalink Blame History

Quickstart: Tenant-Owned Query Canon and Wrong-Tenant Guards

Goal

Implement a reusable tenant-owned query contract that keeps list, detail, search, relation-manager, and protected action paths aligned to the same tenant boundary.

Suggested Implementation Order

Identify the first-slice family inventory from TenantOwnedTables and map each family to its primary Filament surface.
Introduce the shared tenant-owned query and explicit record-resolution helper(s) for representative families.
Migrate representative resources to the shared helper, starting with EntraGroupResource, PolicyResource, PolicyVersionResource, BackupScheduleResource, BackupSetResource, RestoreRunResource, FindingResource, and InventoryItemResource.
Update relation managers in the first slice so their action targets prove owner-record and tenant congruence.
Align global search posture per family: keep it scoped where parity exists, disable it deliberately where parity still does not exist.
Add the wrong-tenant regression matrix and the lightweight architectural guard.

Expected Code Areas

app/Filament/Concerns/
app/Filament/Resources/
app/Policies/
app/Support/WorkspaceIsolation/
routes/web.php
tests/Feature/Filament/
tests/Feature/Rbac/
tests/Feature/Guards/

Verification Flow

Run the minimum relevant checks through Sail:

vendor/bin/sail artisan test --compact tests/Feature/Filament/EntraGroupAdminScopeTest.php
vendor/bin/sail artisan test --compact tests/Feature/BackupScheduling/BackupScheduleAdminTenantParityTest.php
vendor/bin/sail artisan test --compact tests/Feature/Guards/AdminTenantResolverGuardTest.php
vendor/bin/sail artisan test --compact tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php
vendor/bin/sail artisan test --compact tests/Feature/Rbac
vendor/bin/sail bin pint --dirty --format agent

Completion Criteria

Representative tenant-owned families share one canonical query and lookup pattern.
Wrong-tenant index, detail, relation-manager, and protected action regressions are covered.
Global search is either safely scoped or explicitly disabled per family.
Guard coverage prevents new forbidden query patterns on covered surfaces.

2.2 KiB Raw Permalink Blame History