TenantAtlas/specs/313-workspace-environment-context-browser-verification/audit-report.md
ahmido 2f7a521d5f spec: add workspace environment context browser audit (#368)
## Summary
- add the full workspace/environment context browser verification audit for Spec 313
- include the surface matrix, query and clear-filter inventories, ownership map, and audit report
- attach browser evidence artifacts and screenshots for the current workspace/environment context contract

## Testing
- no automated tests run; this is an analysis-only spec and artifact package with no runtime changes

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #368
2026-05-16 08:51:19 +00:00


Audit Report

1. Executive Summary

Spec 313 found systemic context contract drift, not an isolated page bug.

The drift is concentrated where workspace hubs accept environment-prefiltered entry points while shell context, query params, table filters, persisted state, and visible clear controls are not governed by one contract. The highest-risk pages are Provider Connections, Operations, Customer Review Workspace, Finding Exceptions Queue, Review Register, Decision Register, and Governance Inbox.

No runtime files were modified. No tests were modified. No migrations were modified. No commits were created.

2. Verified Surface Inventory Summary

Discovered admin surfaces classified in surface-inventory.md: 58.

Counts by final status:

| Status group | Count |
| --- | --- |
| Workspace hubs verified | 13 |
| Environment pages verified | 10 |
| System/platform pages verified | 3 |
| Ambiguous/mixed | 7 |
| Unreachable/dead candidates | 5 |
| Blocked by missing seed data | 18 |
| Unresolved | 0 |
| Out of scope with reason | 2 |

Important coverage notes:

  • Browser screenshots generated: 74 PNGs under artifacts/screenshots/.
  • Admin routes discovered: 97 routes in artifacts/routes-admin.txt.
  • Filament files discovered: 170 entries in artifacts/filament-files.txt.
  • Context/search hits captured: 8,234 lines in artifacts/context-search.txt.

3. Workspace Hub Behavior Matrix Summary

Workspace-origin with no active environment was browser verified for:

  • Workspace Overview
  • Operations
  • Provider Connections
  • Finding Exceptions Queue
  • Evidence Overview
  • Review Register
  • Customer Review Workspace
  • Governance Inbox
  • Decision Register
  • Audit Log
  • Alerts
  • Workspace Settings
  • Manage Workspaces

Clean workspace-origin behavior was sound for Operations, Provider Connections, Audit Log, Governance Inbox, Workspace Settings, and Manage Workspaces. Data-scope proof was strongest where rows existed across two environments: Operations, Provider Connections, and Audit Log.

Workspace-origin data proof was blocked for Finding Exceptions, Evidence, Reviews, Customer Reviews, and Alerts because the local seed data contains no rows for those surfaces.

Decision Register is mixed: the clean workspace route returned 403 for the audited actor, while a filtered managed_environment_id=4 URL opened the page.

4. Environment Page Behavior Matrix Summary

Environment-owned route pages aligned shell/header/route context:

  • Environment Dashboard A and B
  • Required Permissions
  • Environment Diagnostics
  • Inventory / Inventory Coverage
  • Policies / Policy Versions
  • Findings / Risk Exceptions
  • Evidence Snapshots
  • Environment Reviews / Review Packs
  • Stored Reports
  • Backup Schedules / Backup Sets / Restore Runs
  • Entra Groups
  • Access Scopes

Stored Reports had actual data for env 4. Required Permissions had permission data. Most other environment-owned pages were shell-verified only because local seed rows were absent.

Baseline Profiles, Baseline Snapshots, and Baseline Compare are mixed: they are global routes with tenant=<slug> query prefilters but render with environment shell context.

5. Mismatched Scope Findings

Critical:

  • Provider Connections with `?managed_environment_id=<env slug>` shows shell "No environment selected", no visible environment filter chip, and a filtered row set.
  • Customer Review Workspace with `?tenant=<env slug>` shows shell "No environment selected"; clear temporarily hides the filter but reload restores it because the URL remains filtered.
  • Operations CTA URL includes `managed_environment_id=4`, but the page still displays "All environments" and has no Clear filters action.
  • Finding Exceptions Queue clear action does not remove `?tenant=<env slug>`; reload restores the environment scope.
  • Provider Connections from environment-sidebar origin can expose an Integrations link containing `managed_environment_id=<env slug>` even while the page shell says no environment is selected.

High:

  • Review Register ?managed_environment_id=4 remained after Clear filters and reload.
  • Decision Register access differs between clean workspace route and filtered route.
  • Governance Inbox does show "ManagedEnvironment: YPTW2" and a clean clear link, but shell remains "No environment selected", which may still confuse operators.

6. Clear-Filter Findings

Clear behavior is inconsistent:

  • Evidence Overview is the best current pattern: Clear filters redirected to clean /admin/evidence/overview and reload stayed clean.
  • Finding Exceptions Queue clears visible/table state only partially; URL remains tenant=<slug> and reload restores filter.
  • Customer Review Workspace clears visible/table state only partially; URL remains tenant=<slug> and reload restores filter.
  • Review Register clears table state only; tested filtered URL remained.
  • Operations and Provider Connections did not expose a page-level Clear filters action for environment query prefilters.

7. Query Parameter Findings

The environment prefilter contract is fragmented:

  • `tenant` is used by Finding Exceptions Queue, Customer Review Workspace, Governance Inbox, and Baseline pages.
  • `managed_environment_id` is used by Operations, Provider Connections, Evidence Overview, Review Register, Decision Register, and Filament table state.
  • The same `managed_environment_id` param carries different identifier types: DB id for Operations/Evidence/Reviews/Decision, slug/external id for Provider Connections.
  • `tenant_scope=all` exists for Operations but is not consistently surfaced as the clear path from CTA-filtered states.
  • `tableFilters` persists tenant-sensitive state in session on multiple pages.
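The clear-filter findings in section 6 and the query parameter findings above can be expressed as one regression check over observed surface states. The following is an added example, not TenantAtlas code: the parameter names and the two unscoped shell labels come from this report, while the placeholder paths, the slug value, and the nested `tableFilters[...]` key shape are constructed assumptions.

```javascript
// Added example, not TenantAtlas code. Parameter names and shell labels are
// from the audit; the tableFilters[...] key shape is an assumption.
const ENV_PARAMS = ['tenant', 'managed_environment_id'];
const UNSCOPED_SHELL = ['No environment selected', 'All environments'];

// Every query key that carries environment scope, with its identifier type.
function envScopeParams(url) {
  const found = [];
  for (const [key, value] of new URL(url, 'http://localhost').searchParams) {
    const nested = key.startsWith('tableFilters[') &&
      ENV_PARAMS.some((p) => key.includes(`[${p}]`));
    if (ENV_PARAMS.includes(key) || nested) {
      found.push({ key, value, idType: /^\d+$/.test(value) ? 'db-id' : 'slug' });
    }
  }
  return found;
}

// Check one observed surface state. urlAfterClear is null when the page
// exposes no Clear filters action.
function checkSurface({ url, shellLabel, chipVisible, urlAfterClear }) {
  const findings = [];
  const scoped = envScopeParams(url).length > 0;
  if (scoped && UNSCOPED_SHELL.includes(shellLabel)) findings.push('shell-mismatch');
  if (scoped && !chipVisible) findings.push('hidden-filter');
  if (scoped && urlAfterClear === null) findings.push('no-clear-action');
  if (urlAfterClear !== null && envScopeParams(urlAfterClear).length > 0) {
    findings.push('clear-keeps-query');
  }
  return findings;
}

// Parameter names that carry more than one identifier type across surfaces.
function mixedIdentifierParams(urls) {
  const types = new Map();
  for (const url of urls) {
    for (const { key, idType } of envScopeParams(url)) {
      if (!types.has(key)) types.set(key, new Set());
      types.get(key).add(idType);
    }
  }
  return [...types].filter(([, seen]) => seen.size > 1).map(([key]) => key);
}

// Constructed observation (placeholder path and slug).
const hidden = checkSurface({ url: '/admin/example-hub?managed_environment_id=example-slug',
  shellLabel: 'No environment selected', chipVisible: false, urlAfterClear: null });
console.log(hidden);
```

A surface passes when `checkSurface` returns an empty list, which is the behaviour the report describes for Evidence Overview after Clear filters.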

8. Persisted Filter Findings

Filament table persistence is a material risk, not harmless state:

  • Evidence Overview, Review Register, Customer Review Workspace, Decision Register, Audit Log, Operations, and Finding Exceptions Queue all have session/query/filter interplay.
  • Several pages explicitly call persistFiltersInSession().
  • Code state contracts mark tenant-sensitive filters as restorable from session.
  • Browser findings confirm query state can survive clear/reload on Reviews, Customer Reviews, and Finding Exceptions Queue.

9. Code Ownership Map Summary

The main seams are documented in code-ownership-map.md.

Primary owners:

  • WorkspaceSidebarNavigation owns workspace sidebar URLs.
  • ManagedEnvironmentLinks and OperationRunLinks own many environment CTA/link URL shapes.
  • WorkspaceContext and OperateHubShell own remembered tenant and shell resolution.
  • ProviderConnectionResource, Operations, FindingExceptionsQueue, EvidenceOverview, ReviewRegister, and CustomerReviewWorkspace each own divergent filter hydration/clear behavior.
  • ClearEnvironmentContextController clears remembered shell context but does not normalize page-specific URL/table state.

10. Risk Ranking

Critical:

  • Provider Connections hidden environment filtering without shell/filter agreement.
  • Customer Review Workspace clear/reload restores stale environment filter.
  • Finding Exceptions Queue clear/reload restores stale environment filter.
  • Operations environment CTA query does not match visible "All environments" scope.

High:

  • Review Register query remains after clear.
  • Decision Register clean workspace route can be 403 while filtered route opens.
  • Provider/Integrations sidebar href can regain remembered environment query after shell appears cleared.

Medium:

  • Governance Inbox shell says "No environment selected" while visible filter says "ManagedEnvironment".
  • Audit Log and Alerts still need persisted-filter regression coverage.
  • Baseline global pages use environment query prefilters and environment shell.

Low:

  • Environment-owned route pages generally align route/shell/header.
  • Workspace Settings, Manage Workspaces, and Workspace Overview are not environment data-scope risks.

Recommended order:

  1. 314 - Workspace Hub Navigation Context Contract
  2. 315 - Environment CTA Explicit Filter Contract
  3. 316 - Workspace Hub Clear Filter Contract
  4. 317 - Legacy Tenant / Environment Context Cleanup
  5. 318 - Browser Regression Coverage / No-Drift Guard

Rationale:

  • 314 must first prevent workspace sidebar/global navigation from inheriting remembered environment state.
  • 315 should standardize environment CTA query names, identifier types, filter chips, and target ownership.
  • 316 should then implement one complete clear-filter contract across URL, Livewire, Filament table/session state, and reload/back behavior.
  • 317 should remove or compatibility-wrap legacy tenant/tenant_id/external-id drift.
  • 318 should lock the contract with browser regression coverage.

12. Open Questions and Blockers

  • Missing seed data blocks row-scope proof for Finding Exceptions, Evidence, Reviews, Customer Reviews, Alerts, Findings, Review Packs, Backup/Restore, Groups, and several environment-owned resources.
  • Decision Register clean-route behavior is data-dependent: the page may intentionally hide when there are no visible decisions, but the filtered URL opens. Product intent needs confirmation.
  • Support Requests has active modal/action code but no list/index admin page. It is classified as action-only/unreachable as a page.
  • Workspace 3 has no slug; the local smoke-login route with workspace=3 hit a runtime bug (orWhereKey() in a query closure). The audit used tenant-based smoke login plus the existing clear-environment endpoint to establish workspace-origin state.
  • The in-app Browser client loaded pages and DOM snapshots, but tab.screenshot() timed out. PNG artifacts were captured through the available Playwright browser fallback and this tooling limitation is recorded here.

13. Test / Browser Execution

Commands and tooling used:

| Command/tool | Result |
| --- | --- |
| `git status --short --branch` | Branch 313-workspace-environment-context-browser-verification; only Spec 313 untracked files during audit. |
| `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` | Active feature dir and tasks.md found. |
| `cd apps/platform && ./vendor/bin/sail ps` | Sail stack already running; app reachable on http://localhost. |
| Laravel Boost application_info | Laravel 12.52.0, Filament 5.2.1, Livewire 4.1.4, PostgreSQL. |
| Laravel Boost get_absolute_url('/admin') | http://localhost/admin. |
| `find app/Filament -type f \| sort > artifacts/filament-files.txt` | 170 Filament entries captured. |
| Required rg context search > artifacts/context-search.txt | 8,234 context/search lines captured. |
| `./vendor/bin/sail artisan route:list --path=admin > artifacts/routes-admin.txt` | 97 admin routes captured. |
| Laravel Boost DB read queries | Confirmed 3 workspaces, 4 managed environments, and data coverage by table. |
| Browser client via Node REPL | Page navigation and DOM snapshots worked; screenshot CDP command timed out. |
| Playwright browser fallback | 74 screenshots generated under artifacts/screenshots/. |

Tests were not run. This spec was a read-only browser/code audit.

No runtime files were modified. No tests were modified. No migrations were modified. No commits were created.

14. Acceptance Statement

The audit is complete for the discovered admin surfaces with explicit final statuses in surface-inventory.md. Some surfaces are complete only to the permitted blocked status because local seed data or page reachability prevented row-scope proof.