TenantAtlas/specs/303-admin-directory-groups-cutover/tasks.md
ahmido 1cd8d48474 feat: cut over admin directory groups (#358)
## Summary
- cut over `EntraGroupResource` to an environment-bound admin Directory Groups surface in the workspace-first runtime
- adopt workspace-scoped admin list/detail URLs and add the bounded `Directory > Groups` navigation entry in the admin panel
- keep workspace-home navigation clean while preserving existing scoped list, detail, and global-search behavior
- update focused feature coverage and add a browser smoke for the rendered sidebar drilldown path
- include the Spec 303 package under `specs/303-admin-directory-groups-cutover/`

## Testing
- updated focused Pest coverage for admin navigation segregation, Entra group admin scoping, Entra group global search scoping, and directory group browsing
- added browser smoke coverage in `apps/platform/tests/Browser/Spec303AdminDirectoryGroupsCutoverSmokeTest.php`

## Filament / Runtime Notes
- remains compliant with Filament v5 on Livewire v4
- no provider registration changes; provider registration location remains `apps/platform/bootstrap/providers.php`
- `EntraGroupResource` remains eligible for global search because it has a View page
- no destructive actions were added or changed; confirmation and authorization behavior is unchanged
- no asset registration changes; existing `cd apps/platform && php artisan filament:assets` deploy posture is unchanged

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #358
2026-05-14 22:44:44 +00:00

# Tasks: Admin Directory Groups Cutover
**Input**: Design documents from `/specs/303-admin-directory-groups-cutover/`
**Prerequisites**: `spec.md`, `plan.md`, `checklists/requirements.md`
**Tests**: Tests are required. This is a runtime behavior change for Filament navigation, scoped access, and global-search destinations.
## Test Governance Checklist
- [x] Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- [x] New or changed tests stay in the smallest honest family; one focused browser smoke was added because rendered Filament sidebar navigation was the changed behavior and feature tests did not prove the real sidebar link.
- [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default.
- [x] Planned validation commands cover the change without pulling unrelated lane cost.
- [x] The declared surface test profile is `standard-native-filament` plus focused browser-smoke verification for rendered navigation.
- [x] Any material budget, baseline, trend, or escalation note is recorded in the active spec or PR.
## Phase 1: Preparation and Scope Lock
**Purpose**: Confirm repo truth and keep implementation limited to Entra Groups.
- [x] T001 Review `specs/303-admin-directory-groups-cutover/spec.md`, `specs/303-admin-directory-groups-cutover/plan.md`, `specs/303-admin-directory-groups-cutover/tasks.md`, and `specs/303-admin-directory-groups-cutover/checklists/requirements.md`.
- [x] T002 Review completed context in `specs/301-admin-inventory-navigation-cutover/` and `specs/302-tenant-owned-surface-route-audit/` without modifying those completed specs.
- [x] T003 Inspect `apps/platform/app/Filament/Resources/EntraGroupResource.php`, `apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ListEntraGroups.php`, `apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ViewEntraGroup.php`, `apps/platform/app/Support/Navigation/NavigationScope.php`, `apps/platform/app/Support/OperateHub/OperateHubShell.php`, `apps/platform/app/Filament/Concerns/ScopesGlobalSearchToTenant.php`, and `apps/platform/app/Filament/Concerns/ResolvesPanelTenantContext.php`.
- [x] T004 Confirm no implementation task introduces migrations, assets, provider registration changes, Graph adapter changes, tenant-panel dead-code deletion, or new group mutation/admin actions.
---
## Phase 2: User Story 1 - Groups are visible inside an active environment context (Priority: P1)
**Goal**: Entra Groups appears as a secondary Directory surface only inside the active Managed Environment context.
**Independent Test**: The environment-bound admin context registers and renders Groups navigation while workspace-home/no-context checks remain false.
- [x] T005 [P] [US1] Update `apps/platform/tests/Feature/Filament/PanelNavigationSegregationTest.php` so `EntraGroupResource` is removed from the blanket admin-hidden dataset and covered by environment-visible navigation assertions.
- [x] T006 [P] [US1] Update `apps/platform/tests/Feature/DirectoryGroups/BrowseGroupsTest.php` to replace the stale "keeps Entra groups out of admin sidebar navigation" assertion with the new workspace-home-hidden and environment-visible contract.
- [x] T007 [US1] Update `apps/platform/app/Filament/Resources/EntraGroupResource.php` so `shouldRegisterNavigation()` uses the shared environment-navigation rule for the admin panel and still returns false on workspace-home/no-context surfaces.
- [x] T008 [US1] Verify `Directory` / `Groups` navigation labels remain secondary and do not introduce a top-level Identity Center or M365 Admin mirror.
---
## Phase 3: User Story 2 - Workspace home remains clean (Priority: P2)
**Goal**: Workspace-home navigation stays free of environment-owned Directory Groups entries, even with remembered environment context.
**Independent Test**: Workspace-home response assertions prove Groups is absent, while environment route assertions prove it is present when allowed.
- [x] T009 [P] [US2] Extend `apps/platform/tests/Feature/Filament/PanelNavigationSegregationTest.php` to assert the workspace-home sidebar does not render `Groups` or a Directory Groups entry when `WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY` is set.
- [x] T010 [P] [US2] Extend `apps/platform/tests/Feature/Filament/EntraGroupAdminScopeTest.php` to cover no-context list access and cross-workspace or invalid remembered-environment denial as not found.
- [x] T011 [US2] Preserve `apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ListEntraGroups.php` no-context abort behavior and avoid adding workspace-home recovery shortcuts that reveal group data.
- [x] T012 [US2] If list empty-state copy is touched in `apps/platform/app/Filament/Resources/EntraGroupResource.php`, change stale "tenant" wording to managed-environment-safe Directory inventory copy without inventing a refresh operation.
---
## Phase 4: User Story 3 - Global search stays scoped and lands on valid View pages (Priority: P3)
**Goal**: Global search returns only active-environment group records and opens valid canonical admin View destinations.
**Independent Test**: Seed groups across environments/workspaces, run global search, and assert result titles and URLs.
- [x] T013 [P] [US3] Extend `apps/platform/tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php` to assert no-context admin search returns no results.
- [x] T014 [P] [US3] Extend `apps/platform/tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php` to assert cross-environment and cross-workspace matches are excluded.
- [x] T015 [P] [US3] Extend `apps/platform/tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php` to assert each result URL resolves to `EntraGroupResource` View and does not contain `/admin/t`.
- [x] T016 [P] [US3] Existing Entra group reference-link tests already cover canonical links; reran them with the Spec 303 suite and did not need additional assertions.
- [x] T017 [US3] Verify `apps/platform/app/Filament/Resources/EntraGroupResource.php::getGlobalSearchResultUrl()` still passes the correct Managed Environment context and does not generate tenant-panel URLs.
---
## Phase 5: Route Posture and Scoped Detail Safety
**Purpose**: Keep route/context changes minimal while making View destinations truthful.
- [x] T018 Inspect whether adding `WorkspaceScopedTenantRoutes` to `apps/platform/app/Filament/Resources/EntraGroupResource.php` is safe with focused URL, list, View, global-search, and resolved-reference tests.
- [x] T019 Applied `WorkspaceScopedTenantRoutes` to `apps/platform/app/Filament/Resources/EntraGroupResource.php` so Groups list/detail URLs use the workspace/environment admin context.
- [x] T020 Added the bounded explicit `Groups` navigation item in `apps/platform/app/Providers/Filament/AdminPanelProvider.php` after browser smoke showed the rendered sidebar did not receive the resource auto-navigation entry.
- [x] T021 Preserve or extend `apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ViewEntraGroup.php` authorization so cross-environment and cross-workspace records deny as not found.
- [x] T022 Confirm `apps/platform/app/Filament/Resources/EntraGroupResource.php` keeps `actions([])` and `bulkActions([])` and does not add create/edit/delete/membership/destructive actions.
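One way to express the scoping contract described across Phases 2 to 5 (environment-bound navigation, a single scoped query shared by list, View and global search, canonical View URLs) in a single Filament resource. This is an added illustration, not the project's `EntraGroupResource`; `ActiveEnvironment::current()`, the `EntraGroup` model and its `workspace_id` / `managed_environment_id` columns are assumed names.

```php
<?php

namespace App\Filament\Resources;

use App\Models\EntraGroup;            // assumed model name
use App\Support\ActiveEnvironment;    // hypothetical context helper, not the project's
use Filament\Resources\Resource;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;

class EntraGroupResource extends Resource
{
    protected static ?string $model = EntraGroup::class;

    // Navigation exists only inside an active Managed Environment context;
    // workspace home (no context) must stay clean even if a remembered
    // environment id is sitting in the session.
    public static function shouldRegisterNavigation(): bool
    {
        return ActiveEnvironment::current() !== null;
    }

    // Every query the resource runs (list, View, global search) is bound to
    // the active environment. With no context the query matches nothing
    // rather than falling back to an unscoped directory.
    public static function getEloquentQuery(): Builder
    {
        $env = ActiveEnvironment::current();

        if ($env === null) {
            return parent::getEloquentQuery()->whereRaw('1 = 0');
        }

        return parent::getEloquentQuery()
            ->where('workspace_id', $env->workspace_id)
            ->where('managed_environment_id', $env->id);
    }

    // Global search inherits the same scope, so cross-environment and
    // cross-workspace matches are never returned and no-context search is empty.
    public static function getGlobalSearchEloquentQuery(): Builder
    {
        return static::getEloquentQuery();
    }

    // Result URLs point at the canonical View route for the current admin
    // context. A record outside the active environment gets no link at all.
    public static function getGlobalSearchResultUrl(Model $record): ?string
    {
        $env = ActiveEnvironment::current();

        if ($env === null || $record->managed_environment_id !== $env->id) {
            return null;
        }

        return static::getUrl('view', ['record' => $record]);
    }
}
```

Because Filament's `ViewRecord` page resolves its record through `getEloquentQuery()`, a cross-environment or cross-workspace id fails route binding and surfaces as not found rather than as a forbidden response, which is the denial posture T021 asks for.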
---
## Phase 6: Regression and Validation
**Purpose**: Prove the Groups cutover did not regress adjacent migrated surfaces.
- [x] T023 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/PanelNavigationSegregationTest.php tests/Feature/Filament/AdminTenantSurfaceParityTest.php tests/Feature/Filament/AdminSharedSurfacePanelParityTest.php tests/Feature/Filament/TenantOwnedResourceScopeParityTest.php tests/Feature/Filament/EntraGroupAdminScopeTest.php tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php tests/Feature/Filament/PolicyResourceAdminSearchParityTest.php tests/Feature/Filament/PolicyVersionAdminSearchParityTest.php`.
- [x] T024 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/DirectoryGroups/BrowseGroupsTest.php tests/Feature/Filament/EntraGroupEnterpriseDetailPageTest.php tests/Feature/Filament/EntraGroupResolvedReferencePresentationTest.php tests/Feature/Filament/PolicyVersionResolvedReferenceLinksTest.php tests/Browser/Spec303AdminDirectoryGroupsCutoverSmokeTest.php`.
- [x] T025 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/InventoryCoverageAdminTenantParityTest.php tests/Feature/Filament/InventoryHubDbOnlyTest.php tests/Feature/Filament/InventoryPagesTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactAdminPanelRegistrationTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactEnvironmentContextTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactLegacyTenantPanelGuardTest.php tests/Feature/Operations/LegacyRunRoutesNotFoundTest.php`.
- [x] T026 Run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`.
- [x] T027 Run `git diff --check` from `/Users/ahmeddarrazi/Documents/projects/wt-plattform`.
- [x] T028 Confirm `git status --short` includes only the intended Spec 303 package, Entra Groups implementation files, AdminPanelProvider navigation item, and focused tests.
## Dependencies
- Phase 1 must complete before test or implementation changes.
- Phase 2 test updates should be written before the navigation implementation in T007.
- Phase 3 and Phase 4 can proceed in parallel after T007 if different files are owned.
- Phase 5 route posture must be settled before final global-search URL assertions are considered complete.
- Phase 6 runs after all implementation tasks are complete.
## Parallel Execution Examples
- T005, T006, T010, T013, T014, T015, and T016 can run in parallel if each worker owns a distinct test file.
- T011, T017, T021, and T022 can run in parallel after route posture is clear because they touch separate behavior checks.
- T023, T024, and T025 should run after implementation; they may run independently if the Sail stack is available.
## Implementation Strategy
1. Make tests describe the new admin role contract first.
2. Change navigation through the smallest existing shared helper path.
3. Keep route changes minimal and evidence-backed.
4. Preserve scoped query/search/detail behavior.
5. Validate adjacent migrated surfaces before handoff.
## Explicit Non-Goals
- [x] Do not create a generic M365 Admin mirror.
- [x] Do not create a broad Identity Center or Directory suite.
- [x] Do not add group create/edit/delete, membership mutation, sync mutation, or destructive actions.
- [x] Do not delete tenant-panel dead code.
- [x] Do not revive `/admin/t` routes or add compatibility aliases.
- [x] Do not introduce migrations, models, jobs, Graph adapters, provider registration changes, or assets.
- [x] Do not split the navigation contract beyond the minimal test changes needed for Groups.