ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
platform-dev
TenantAtlas/specs/287-cutover-prerequisite-completion/research.md
ahmido eceeee9c5c Complete Spec 287 prerequisite cutover (#346) 
## Summary
- retire the remaining tenant-scoped provider-connection legacy routes and update canonical verification and link behavior
- complete the provider target-scope fallback cleanup so neutral shared scope data falls back to the managed environment when the raw connection tenant identifier is blank
- stop mirroring workspace roles into managed-environment scope persistence and cut the targeted admin-panel test helpers over to the post-cutover context path
- add and update the Spec 287 artifact package and targeted regression coverage for route retirement, provider-core neutralization, workspace-first RBAC, and helper cutover

## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ProviderConnections/TenantlessListRouteTest.php tests/Feature/ProviderConnections/TenantlessListScopingTest.php tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Reviews/CustomerReviewWorkspaceLaunchLinksTest.php tests/Feature/Rbac/TriageReviewStateAuthorizationTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`

## Notes
- Filament remains on Livewire v4 and provider registration stays unchanged in `apps/platform/bootstrap/providers.php`.
- No new asset registration or deployment-step changes are included in this slice.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #346
2026-05-10 18:22:34 +00:00

68 lines
4.3 KiB
Markdown
Raw Permalink Blame History

# Research: Cutover Prerequisite Completion
## Decision 1: Spec `287` now completes prerequisites; Spec `288` owns enforcement
- Use this package to finish the remaining runtime and test-harness seams that still block quality-gates / no-legacy enforcement.
- Do not add a guard suite, a full-suite baseline, or global quality gates here.
- Keep the follow-up boundary explicit: Spec `288` starts after this runtime baseline exists.
## Decision 2: Retire the provider-connection legacy route family instead of guarding it
- The provider-connection legacy alias family in `apps/platform/routes/web.php` is a runtime seam, not an enforcement-only concern.
- Remove it in this slice so later enforcement can guard the completed route truth instead of compensating for it.
## Decision 3: Finish provider target-scope core neutralization on shared seams only
- Neutralize the shared provider-core contract where repo truth still depends on Microsoft-shaped identity or target-scope fields.
- Keep Microsoft-specific tenant/profile, consent, and support detail nested under provider-owned seams only.
- Do not add a new provider profile table, registry, or framework.
## Decision 4: Complete workspace-first access persistence instead of layering more RBAC logic
- Treat workspace membership as the only role-bearing truth.
- Finish the cleanup that keeps managed-environment scope narrowing-only.
- Do not introduce a second role system, a compatibility shim, or a new role family.
## Decision 5: Replace tenant-panel-era test helpers with post-cutover admin or workspace helpers
- `apps/platform/tests/Pest.php` still carries tenant-panel-era setup such as `setTenantPanelContext()` and related legacy profile alias helpers.
- Replace the retired panel assumption on the shared helper path and the in-slice direct consumers `tests/Feature/Reviews/CustomerReviewWorkspaceLaunchLinksTest.php` plus `tests/Feature/Rbac/TriageReviewStateAuthorizationTest.php`.
- Do not turn this into a broad test-suite rewrite; keep it to the helpers and direct consumers needed by this slice.
## Decision 6: Validation must stay targeted
- Use focused feature tests and targeted browser validation for the changed seams only.
- Do not add a global guard family, broad source-scan package, or full-suite baseline under this spec.
## Rejected Alternatives
### Rejected: keep `287` as a blocked no-legacy guard package
That would force the later enforcement slice to compete with unfinished runtime work and would keep the package blocked for the wrong reason.
### Rejected: solve the route and helper drift with compatibility aliases
That would preserve the same ambiguity that Spec `288` is supposed to eliminate.
### Rejected: introduce a new provider profile or access-scope framework
The existing seams are already sufficient; they need completion, not a second architectural layer.
### Rejected: use a full-suite baseline as the proof requirement
The slice is bounded and should prove only the changed seams.
## Evidence Anchors
- `apps/platform/routes/web.php` still contains `/admin/tenants/{tenant:slug}/provider-connections` redirect routes.
- `apps/platform/app/Support/Providers/TargetScope/ProviderConnectionTargetScopeNormalizer.php` and related provider-core seams still participate in the shared target-scope contract that this slice completes.
- `apps/platform/app/Services/Auth/TenantMembershipManager.php` still persists managed-environment membership records with copied workspace role values.
- `apps/platform/tests/Pest.php` still contains `setTenantPanelContext()` and `createUserWithTenantLegacyProfileAliases()`.
- The in-slice direct consumer tests `tests/Feature/Reviews/CustomerReviewWorkspaceLaunchLinksTest.php` and `tests/Feature/Rbac/TriageReviewStateAuthorizationTest.php` still depend on the retired tenant-panel helper path.
## Implementation Boundary Summary
- The package is implementation-ready as a bounded prerequisite-completion slice.
- It is no longer a blocked-by-prerequisites guard package.
- If implementation starts adding guard suites, full-suite baselines, or adjacent feature work, stop and split that work out of `287`.
- The canonical executable command set lives only in `spec.md`, `plan.md`, `tasks.md`, and `quickstart.md`; this artifact intentionally references that command authority without restating a second command set.
Reference in New Issue View Git Blame Copy Permalink