## Summary

- retire the remaining tenant-scoped provider-connection legacy routes and update canonical verification and link behavior
- complete the provider target-scope fallback cleanup so neutral shared scope data falls back to the managed environment when the raw connection tenant identifier is blank
- stop mirroring workspace roles into managed-environment scope persistence and cut the targeted admin-panel test helpers over to the post-cutover context path
- add and update the Spec 287 artifact package and targeted regression coverage for route retirement, provider-core neutralization, workspace-first RBAC, and helper cutover

## Validation

- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ProviderConnections/TenantlessListRouteTest.php tests/Feature/ProviderConnections/TenantlessListScopingTest.php tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Reviews/CustomerReviewWorkspaceLaunchLinksTest.php tests/Feature/Rbac/TriageReviewStateAuthorizationTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`

## Notes

- Filament remains on Livewire v4 and provider registration stays unchanged in `apps/platform/bootstrap/providers.php`.
- No new asset registration or deployment-step changes are included in this slice.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #346

49 lines
4.4 KiB
Markdown
# Data Model: Cutover Prerequisite Completion

## Overview

`287` introduces no new persisted entity, table, lifecycle state, or runtime DTO. The "data model" for this package is a derived seam inventory that pins which runtime and test-harness seams must be completed, which canonical replacements are expected, and which validation commands stay aligned across the package.

## Canonical Completion Categories

| Completion Key | Meaning | Primary Targets | Canonical Replacement |
|---|---|---|---|
| `provider_connection_route_contract` | provider-connection runtime no longer accepts tenant-first legacy aliases | `apps/platform/routes/web.php`, `apps/platform/app/Providers/Filament/AdminPanelProvider.php`, `apps/platform/app/Filament/Resources/TenantResource.php`, `apps/platform/app/Filament/Pages/TenantRequiredPermissions.php`, `apps/platform/app/Support/OperationRunLinks.php`, `apps/platform/app/Support/Providers/ProviderReasonTranslator.php`, `apps/platform/app/Support/Verification/VerificationLinkBehavior.php` | canonical `/admin/provider-connections...` route family |
| `provider_target_scope_core_contract` | shared provider target-scope and identity outputs no longer require Microsoft-only core keys | shared provider target-scope and identity seams | neutral target-scope fields with provider-owned nested detail only |
| `workspace_role_authority_contract` | workspace membership remains the only role-bearing truth | access-scope persistence seams and directly affected policy or resolver paths | workspace membership role truth with narrowing-only environment scope |
| `test_harness_context_contract` | the shared test harness no longer boots the retired tenant panel for the changed seams | `apps/platform/tests/Pest.php`, `apps/platform/tests/Feature/Reviews/CustomerReviewWorkspaceLaunchLinksTest.php`, and `apps/platform/tests/Feature/Rbac/TriageReviewStateAuthorizationTest.php` | post-cutover admin or workspace context helper path |
| `targeted_validation_contract` | proof remains limited to the changed seams | targeted feature tests, targeted browser tests, formatting command | exact command set shared across the package |

## Pinned Canonical Replacements

| Completion Key | Retired Pattern | Canonical Replacement |
|---|---|---|
| `provider_connection_route_contract` | `/admin/tenants/{tenant:slug}/provider-connections...` | `/admin/provider-connections...` |
| `provider_target_scope_core_contract` | `entra_tenant_id`, `tenantContext`, `target_scope.entra_tenant_id` as shared primary truth | provider-neutral target-scope fields such as scope kind, scope identifier, and scope display name |
| `workspace_role_authority_contract` | copied role-bearing `ManagedEnvironmentMembership` persistence | workspace membership role truth plus narrowing-only environment scope |
| `test_harness_context_contract` | `setTenantPanelContext()` and related tenant-panel-era setup | admin or workspace context bootstrapping suitable for the completed runtime |
| `targeted_validation_contract` | guard-suite or full-suite proof expectation | targeted feature and browser validation only |

## Allowed Provider-Owned Detail

| Detail Class | Meaning | Examples |
|---|---|---|
| `provider_owned_profile_detail` | provider-specific detail is allowed where the provider is genuinely the subject | Microsoft tenant identifiers, consent URLs, Graph-specific diagnostics |
| `provider_owned_support_detail` | lower-level support or troubleshooting context remains nested provider detail | raw provider metadata, provider-specific error context |

## Invariants

- `287` adds no new runtime state and no new persistence.
- The same completion categories and the same Spec `288` follow-up boundary must appear across `spec.md`, `plan.md`, `tasks.md`, `quickstart.md`, `data-model.md`, and `checklists/requirements.md`.
- The literal proof commands live only in `spec.md`, `plan.md`, `tasks.md`, and `quickstart.md`; the remaining artifacts reference that canonical command set rather than restating another variant.
- Validation remains targeted to the changed seams only.
- Provider-owned Microsoft detail may remain nested, but it must not stay the shared platform-core contract.
- Environment scope must remain narrowing-only after the cleanup.

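The `workspace_role_authority_contract` and the narrowing-only invariant above, sketched as an added example (not code from this repository): the workspace membership carries the only role, and an environment scope can only remove environments from what that role already reaches. `WorkspaceRole`, `WorkspaceMembership`, `EnvironmentScope`, and `resolveEnvironmentRole()` are hypothetical names, and treating a `null` scope as "not narrowed" is an assumption.

```php
<?php
declare(strict_types=1);

// Hypothetical illustration; none of these types exist in the repository.
enum WorkspaceRole: string
{
    case Owner = 'owner';
    case Operator = 'operator';
}

final class WorkspaceMembership
{
    public function __construct(
        public readonly int $workspaceId,
        public readonly WorkspaceRole $role, // the only role-bearing field
    ) {}
}

final class EnvironmentScope
{
    /** @param list<int> $allowedEnvironmentIds allowlist only; carries no role */
    public function __construct(public readonly array $allowedEnvironmentIds) {}
}

// Returns the role that applies in one environment, or null for no access.
// The scope can only turn a role into null; it never yields a different role.
function resolveEnvironmentRole(
    ?WorkspaceMembership $membership,
    ?EnvironmentScope $scope, // assumption: null means "not narrowed"
    int $environmentWorkspaceId,
    int $environmentId,
): ?WorkspaceRole {
    // No membership, or membership in another workspace: a scope row alone grants nothing.
    if ($membership === null || $membership->workspaceId !== $environmentWorkspaceId) {
        return null;
    }
    // Narrowing: an environment missing from the allowlist is denied outright.
    if ($scope !== null && !in_array($environmentId, $scope->allowedEnvironmentIds, true)) {
        return null;
    }
    return $membership->role;
}

// Constructed sample data.
$operator = new WorkspaceMembership(workspaceId: 1, role: WorkspaceRole::Operator);
$scope = new EnvironmentScope([10, 11]);
var_dump(resolveEnvironmentRole($operator, $scope, 1, 10)); // environment inside the scope
var_dump(resolveEnvironmentRole($operator, $scope, 1, 12)); // environment narrowed away
var_dump(resolveEnvironmentRole(null, $scope, 1, 10));      // scope row without a membership
```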
## Out of Scope Data Changes

- no database migrations
- no new provider profile table or registry
- no new role family or persisted access overlay
- no global no-legacy guard inventory
- no full-suite baseline or lane-wide enforcement artifact