## Summary - retire legacy `/admin/t` and active `/admin/tenants` product surfaces in favor of canonical workspace-scoped managed-environment routes - centralize runtime URL generation through `ManagedEnvironmentLinks` and update intended URL handling to reject legacy tenant paths - remove dormant tenant panel runtime, rename test helpers to the admin environment context, and add guard coverage for route/helper regressions ## Validation - targeted Feature guard, workspace, provider connection, required permissions, and Filament test lanes run under Sail - browser smoke coverage run for provider connection and workspace RBAC environment access flows - formatting and diff checks completed with Pint and `git diff --check` ## Notes - Filament remains on v5 with Livewire v4 - provider registration stays in `apps/platform/bootstrap/providers.php` - retired tenant resource global search is disabled and destructive action confirmation rules remain unchanged Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #352
3.5 KiB
3.5 KiB
Contract: Managed Environment Canonical Route Cutover
Status: Logical route/link contract
Runtime persistence: none
Compatibility: no broad compatibility surface
Canonical Route Families
| Product case | Canonical route family | Notes |
|---|---|---|
| Environment index | /admin/workspaces/{workspace}/environments |
Workspace context required |
| Environment detail | /admin/workspaces/{workspace}/environments/{environment} |
Environment must belong to workspace |
| Required permissions / readiness | /admin/workspaces/{workspace}/environments/{environment}/required-permissions |
Existing repo-real route preferred |
| Diagnostics / provider health | /admin/workspaces/{workspace}/environments/{environment}/diagnostics or repo-real equivalent |
If no route exists, implementation must document canonical equivalent |
| Access scopes / memberships | /admin/workspaces/{workspace}/environments/{environment}/access-scopes or repo-real equivalent |
If no route exists, implementation must document canonical equivalent |
| Provider connections | /admin/provider-connections... |
Tenantless admin resource with neutral scope context |
| Operations index | /admin/workspaces/{workspace}/operations |
Workspace context required |
| Operation detail | /admin/workspaces/{workspace}/operations/{run} |
Run entitlement required |
Retired Route Families
| Route family | Contract |
|---|---|
/admin/t |
Absent or 404 |
/admin/t/* |
Absent or 404 |
/admin/tenants |
Not active product surface; 404 or documented safe canonical resolution only |
/admin/tenants/{environment} |
Not active product surface; 404 or documented safe canonical resolution only |
/admin/tenants/{environment}/edit |
404 |
/admin/tenants/{environment}/memberships |
404 or documented safe canonical access-scope resolution only |
/admin/tenants/{environment}/required-permissions |
404 or documented safe canonical required-permissions resolution only |
/admin/tenants/{environment}/provider-connections... |
404 |
/admin/operations |
Not final intended URL; normalize to workspace operations if workspace known |
Link Helper Contract
If ManagedEnvironmentLinks is introduced or extended, it must provide or delegate these behaviors:
ManagedEnvironmentLinks::indexUrl($workspace)
ManagedEnvironmentLinks::viewUrl($environment)
ManagedEnvironmentLinks::requiredPermissionsUrl($environment)
ManagedEnvironmentLinks::diagnosticsUrl($environment)
ManagedEnvironmentLinks::accessScopesUrl($environment)
ManagedEnvironmentLinks::operationsUrl($workspace, ?ManagedEnvironment $environment = null)
The exact method names may differ if the repo already has a canonical helper. The behavior must remain equivalent.
Authorization Contract
- Link generation does not grant authorization.
- Page/action owners still enforce workspace membership and managed-environment entitlement.
- Non-member/out-of-scope access returns 404.
- Established member missing capability returns 403.
- Managed-environment scope cannot grant role/capability authority.
Intended URL Contract
Rejected as final destination:
/admin/t
/admin/t/*
/admin/tenants
/admin/tenants/*
/admin/tenants/*/required-permissions
/admin/tenants/*/provider-connections
external URLs
Normalized when safe:
/admin/operations -> /admin/workspaces/{workspace}/operations
Fallback when unsafe:
/admin/workspaces/{workspace}/overview
or:
/admin/workspaces/{workspace}/environments