TenantAtlas/specs/152-livewire-context-locking/quickstart.md
ahmido 5ec62cd117 feat: harden livewire trusted state boundaries (#182)
## Summary
- add the shared trusted-state model and resolver helpers for first-slice Livewire and Filament surfaces
- harden managed tenant onboarding, tenant required permissions, and system runbooks against forged or stale public state
- add focused Pest guard and regression coverage plus the complete spec 152 artifact set

## Validation
- `vendor/bin/sail artisan test --compact`
- manual smoke validated on `/admin/onboarding/{onboardingDraft}`
- manual smoke validated on `/admin/tenants/{tenant}/required-permissions`
- manual smoke validated on `/system/ops/runbooks`

## Notes
- Livewire v4.0+ / Filament v5 stack unchanged
- no new panels, routes, assets, or global-search changes
- provider registration remains in `bootstrap/providers.php`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #182
2026-03-18 23:01:14 +00:00


# Quickstart: Livewire Context Locking and Trusted-State Reduction
## Goal
Harden tier-1 Livewire and Filament surfaces so that public component state supports continuity and UX, but never becomes authority for protected actions.
## Implementation Order
1. Inventory the first-slice component fields and classify them as presentation, locked identity, or server-derived authority.
2. Replace ownership-relevant public model objects on the onboarding wizard with locked scalar IDs or resolver-backed access.
3. Normalize onboarding action methods so each protected action re-resolves draft, tenant, workspace, and selected provider connection before use.
4. Tighten the tenant required permissions page so route-derived tenant scope remains authoritative and filter state remains presentation-only.
5. Tighten the system runbooks page so selected tenant IDs remain validated proposals and cannot bypass `AllowedTenantUniverse`.
6. Extend existing forged-state and resolver guard tests instead of introducing a parallel guard suite.
7. Add or update one lightweight architectural guard for covered public authority fields, implementation markers, and first-slice action-surface status.
8. Add automated non-regression assertions for onboarding continuity and runbook selector query boundaries.
9. Run focused Pest coverage and format changed files with Pint.
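As an added illustration of steps 2 and 3 (example code, not from the TenantAtlas repository), a minimal Livewire component shown before and after locking: it assumes a hypothetical `OnboardingDraft` model with a `tenant` relation, a `providerConnections` relation on the tenant, a `verifyWith()` method on the draft, an `update` policy ability, and Livewire's `#[Locked]` attribute.

```php
<?php

namespace App\Livewire;

use App\Models\OnboardingDraft;   // assumed model with a `tenant` relation
use Illuminate\Support\Facades\Gate;
use Livewire\Attributes\Locked;
use Livewire\Component;
// Before: the public model object is authority, and the client can rewrite it,
// so verifyConnection() acts on whatever draft and connection ID were sent back.
class OnboardingWizardBefore extends Component
{
    public OnboardingDraft $draft;
    public ?int $providerConnectionId = null;
    public function verifyConnection(): void
    {
        $this->draft->verifyWith($this->providerConnectionId);
    }
}

// After: only a locked scalar ID crosses the boundary; each protected action
// re-resolves the draft and the selected connection inside its tenant scope.
class OnboardingWizardAfter extends Component
{
    #[Locked]
    public int $draftId;                        // locked identity: client writes are rejected
    public ?int $providerConnectionId = null;   // presentation-only proposal, never authority

    public function mount(OnboardingDraft $draft): void
    {
        $this->draftId = $draft->getKey();
    }
    private function resolveDraft(): OnboardingDraft
    {
        // Fresh lookup plus policy check on every call, never a cached public object.
        $draft = OnboardingDraft::query()->findOrFail($this->draftId);
        Gate::authorize('update', $draft);
        return $draft;
    }
    public function verifyConnection(): void
    {
        $draft = $this->resolveDraft();
        // The proposal is honoured only if it resolves inside the draft's own tenant.
        $connection = $draft->tenant->providerConnections()->find($this->providerConnectionId);
        abort_unless($connection !== null, 403);   // forged or stale selection fails closed
        $draft->verifyWith($connection);
    }
}
```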
## Suggested Code Touches
```text
app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php
app/Filament/Pages/TenantRequiredPermissions.php
app/Filament/System/Pages/Ops/Runbooks.php
app/Filament/Concerns/ResolvesPanelTenantContext.php
app/Support/Workspaces/WorkspaceContext.php
app/Services/Onboarding/*
tests/Feature/Onboarding/*
tests/Feature/Guards/*
tests/Feature/Rbac/*
```
## Validation Flow
Run the minimum focused suites first:
```bash
vendor/bin/sail artisan test --compact tests/Feature/Onboarding/OnboardingDraftAuthorizationTest.php
vendor/bin/sail artisan test --compact tests/Feature/Onboarding/OnboardingDraftMultiTabTest.php
vendor/bin/sail artisan test --compact tests/Feature/Guards/LivewireTrustedStateGuardTest.php
vendor/bin/sail artisan test --compact tests/Feature/Guards/AdminTenantResolverGuardTest.php
vendor/bin/sail artisan test --compact tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php
vendor/bin/sail artisan test --compact tests/Feature/Guards/ActionSurfaceContractTest.php
vendor/bin/sail artisan test --compact tests/Feature/System/OpsRunbooks/FindingsLifecycleBackfillPreflightTest.php
vendor/bin/sail artisan test --compact tests/Feature/System/OpsRunbooks/FindingsLifecycleBackfillStartTest.php
vendor/bin/sail bin pint --dirty --format agent
```
The focused onboarding and runbook suites should include automated assertions that trusted-state hardening does not add broad resolver-query fan-out or break legitimate render and continuity paths.
If the first slice touches additional guard files, run those focused tests before expanding coverage.
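An added Pest example (not part of the spec 152 artifacts or the project's suites) of the forged-state and query-boundary assertions described above, written against a hypothetical hardened `OnboardingWizardAfter` component with a locked `draftId` and a `providerConnectionId` proposal; the model factories, their `for()` relationships and the query budget of 6 are assumptions for this example.

```php
<?php

use App\Livewire\OnboardingWizardAfter;   // hypothetical hardened component
use App\Models\OnboardingDraft;           // assumed models with factories
use App\Models\ProviderConnection;
use App\Models\User;
use Illuminate\Support\Facades\DB;
use Livewire\Livewire;

it('fails closed when a connection outside the draft tenant is proposed', function () {
    $owner = User::factory()->create();
    $draft = OnboardingDraft::factory()->for($owner)->create();
    $foreign = ProviderConnection::factory()->create();   // belongs to another tenant

    Livewire::actingAs($owner)
        ->test(OnboardingWizardAfter::class, ['draft' => $draft])
        ->set('providerConnectionId', $foreign->id)        // forged proposal
        ->call('verifyConnection')
        ->assertForbidden();
});

it('rejects client updates to the locked draft identity', function () {
    $owner = User::factory()->create();
    $draft = OnboardingDraft::factory()->for($owner)->create();
    $other = OnboardingDraft::factory()->create();

    // Livewire refuses writes to #[Locked] properties instead of silently accepting them.
    expect(fn () => Livewire::actingAs($owner)
        ->test(OnboardingWizardAfter::class, ['draft' => $draft])
        ->set('draftId', $other->id))
        ->toThrow(Exception::class);
});

it('keeps a legitimate verify within a fixed resolver query budget', function () {
    $owner = User::factory()->create();
    $draft = OnboardingDraft::factory()->for($owner)->create();
    $connection = ProviderConnection::factory()->for($draft->tenant)->create();

    DB::enableQueryLog();
    Livewire::actingAs($owner)
        ->test(OnboardingWizardAfter::class, ['draft' => $draft])
        ->set('providerConnectionId', $connection->id)
        ->call('verifyConnection');
    // Assumed budget: re-resolving on each action must not add broad query fan-out.
    expect(count(DB::getQueryLog()))->toBeLessThanOrEqual(6);
});
```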
## Manual Smoke Checklist
1. Open `/admin/onboarding/{onboardingDraft}` for a valid draft and verify normal resume behavior still works.
2. Change provider connection through the intended UI and confirm verification still uses the selected in-scope connection.
3. Attempt a forged or stale target in a Livewire test or browser devtools scenario and confirm the request fails closed.
4. Open `/admin/tenants/{tenant}/required-permissions` and confirm filters remain usable while tenant scope stays fixed.
5. Open `/system/ops/runbooks`, switch between all-tenant and single-tenant scope, and confirm unauthorized tenant selections are rejected.
6. Re-run the trusted-state and guard suites after any future component adopts this pattern, and update the first-slice policy inventory before expanding exemptions.
## Exit Criteria
1. Tier-1 components no longer depend on mutable public authority state for protected actions.
2. Forged-state regression coverage exists for onboarding, tenant-context, and system-page slices.
3. Existing operator UX and legitimate refresh or resume behavior remain intact.
4. Automated non-regression assertions cover onboarding continuity and runbook selector query boundaries.
5. No new panel, route, asset, or Graph contract change was introduced.