ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
platform-dev
TenantAtlas/specs/313-workspace-environment-context-browser-verification/audit-report.md
ahmido 2f7a521d5f spec: add workspace environment context browser audit (#368) 
## Summary
- add the full workspace/environment context browser verification audit for Spec 313
- include the surface matrix, query and clear-filter inventories, ownership map, and audit report
- attach browser evidence artifacts and screenshots for the current workspace/environment context contract

## Testing
- no automated tests run; this is an analysis-only spec and artifact package with no runtime changes

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #368
2026-05-16 08:51:19 +00:00

217 lines
11 KiB
Markdown
Raw Permalink Blame History

# Audit Report
## 1. Executive Summary
Spec 313 found systemic context contract drift, not an isolated page bug.
The drift is concentrated where workspace hubs accept environment-prefiltered entry points while shell context, query params, table filters, persisted state, and visible clear controls are not governed by one contract. Highest risk pages are Provider Connections, Operations, Customer Review Workspace, Finding Exceptions Queue, Review Register, Decision Register, and Governance Inbox.
No runtime files were modified. No tests were modified. No migrations were modified. No commits were created.
## 2. Verified Surface Inventory Summary
Discovered admin surfaces classified in `surface-inventory.md`: 58.
Counts by final status:
| Status group | Count |
|---|---:|
| Workspace hubs verified | 13 |
| Environment pages verified | 10 |
| System/platform pages verified | 3 |
| Ambiguous/mixed | 7 |
| Unreachable/dead candidates | 5 |
| Blocked by missing seed data | 18 |
| Unresolved | 0 |
| Out of scope with reason | 2 |
Important coverage notes:
- Browser screenshots generated: 74 PNGs under `artifacts/screenshots/`.
- Admin routes discovered: 97 routes in `artifacts/routes-admin.txt`.
- Filament files discovered: 170 entries in `artifacts/filament-files.txt`.
- Context/search hits captured: 8,234 lines in `artifacts/context-search.txt`.
## 3. Workspace Hub Behavior Matrix Summary
Workspace-origin with no active environment was browser verified for:
- Workspace Overview
- Operations
- Provider Connections
- Finding Exceptions Queue
- Evidence Overview
- Review Register
- Customer Review Workspace
- Governance Inbox
- Decision Register
- Audit Log
- Alerts
- Workspace Settings
- Manage Workspaces
Clean workspace-origin behavior was sound for Operations, Provider Connections, Audit Log, Governance Inbox, Workspace Settings, and Manage Workspaces. Data-scope proof was strongest where rows existed across two environments: Operations, Provider Connections, and Audit Log.
Workspace-origin data proof was blocked for Finding Exceptions, Evidence, Reviews, Customer Reviews, and Alerts because the local seed data contains no rows for those surfaces.
Decision Register is mixed: the clean workspace route returned 403 for the audited actor, while a filtered `managed_environment_id=4` URL opened the page.
## 4. Environment Page Behavior Matrix Summary
Environment-owned route pages aligned shell/header/route context:
- Environment Dashboard A and B
- Required Permissions
- Environment Diagnostics
- Inventory / Inventory Coverage
- Policies / Policy Versions
- Findings / Risk Exceptions
- Evidence Snapshots
- Environment Reviews / Review Packs
- Stored Reports
- Backup Schedules / Backup Sets / Restore Runs
- Entra Groups
- Access Scopes
Stored Reports had actual data for env 4. Required Permissions had permission data. Most other environment-owned pages were shell-verified only because local seed rows were absent.
Baseline Profiles, Baseline Snapshots, and Baseline Compare are mixed: they are global routes with `tenant=<slug>` query prefilters but render with environment shell context.
## 5. Mismatched Scope Findings
Critical:
- Provider Connections with `?managed_environment_id=<env slug>` shows shell `No environment selected`, no visible environment filter chip, and a filtered row set.
- Customer Review Workspace with `?tenant=<env slug>` shows shell `No environment selected`; clear temporarily hides the filter but reload restores it because the URL remains filtered.
- Operations CTA URL includes `managed_environment_id=4`, but the page still displays `All environments` and has no `Clear filters` action.
- Finding Exceptions Queue clear action does not remove `?tenant=<env slug>`; reload restores the environment scope.
- Provider Connections from environment-sidebar origin can expose an Integrations link containing `managed_environment_id=<env slug>` even while the page shell says no environment is selected.
High:
- Review Register `?managed_environment_id=4` remained after Clear filters and reload.
- Decision Register access differs between clean workspace route and filtered route.
- Governance Inbox does show `ManagedEnvironment: YPTW2` and a clean clear link, but shell remains `No environment selected`, which may still confuse operators.
## 6. Clear-Filter Findings
Clear behavior is inconsistent:
- Evidence Overview is the best current pattern: Clear filters redirected to clean `/admin/evidence/overview` and reload stayed clean.
- Finding Exceptions Queue clears visible/table state only partially; URL remains `tenant=<slug>` and reload restores filter.
- Customer Review Workspace clears visible/table state only partially; URL remains `tenant=<slug>` and reload restores filter.
- Review Register clears table state only; tested filtered URL remained.
- Operations and Provider Connections did not expose a page-level `Clear filters` action for environment query prefilters.
## 7. Query Parameter Findings
The environment prefilter contract is fragmented:
- `tenant` is used by Finding Exceptions Queue, Customer Review Workspace, Governance Inbox, Baseline pages.
- `managed_environment_id` is used by Operations, Provider Connections, Evidence Overview, Review Register, Decision Register, and Filament table state.
- The same `managed_environment_id` param carries different identifier types: DB id for Operations/Evidence/Reviews/Decision, slug/external id for Provider Connections.
- `tenant_scope=all` exists for Operations but is not consistently surfaced as the clear path from CTA-filtered states.
- `tableFilters` persists tenant-sensitive state in session on multiple pages.
## 8. Persisted Filter Findings
Filament table persistence is a material risk, not harmless state:
- Evidence Overview, Review Register, Customer Review Workspace, Decision Register, Audit Log, Operations, and Finding Exceptions Queue all have session/query/filter interplay.
- Several pages explicitly call `persistFiltersInSession()`.
- Code state contracts mark tenant-sensitive filters as restorable from session.
- Browser findings confirm query state can survive clear/reload on Reviews, Customer Reviews, and Finding Exceptions Queue.
## 9. Code Ownership Map Summary
The main seams are documented in `code-ownership-map.md`.
Primary owners:
- `WorkspaceSidebarNavigation` owns workspace sidebar URLs.
- `ManagedEnvironmentLinks` and `OperationRunLinks` own many environment CTA/link URL shapes.
- `WorkspaceContext` and `OperateHubShell` own remembered tenant and shell resolution.
- `ProviderConnectionResource`, `Operations`, `FindingExceptionsQueue`, `EvidenceOverview`, `ReviewRegister`, and `CustomerReviewWorkspace` each own divergent filter hydration/clear behavior.
- `ClearEnvironmentContextController` clears remembered shell context but does not normalize page-specific URL/table state.
## 10. Risk Ranking
Critical:
- Provider Connections hidden environment filtering without shell/filter agreement.
- Customer Review Workspace clear/reload restores stale environment filter.
- Finding Exceptions Queue clear/reload restores stale environment filter.
- Operations environment CTA query does not match visible "All environments" scope.
High:
- Review Register query remains after clear.
- Decision Register clean workspace route can be 403 while filtered route opens.
- Provider/Integrations sidebar href can regain remembered environment query after shell appears cleared.
Medium:
- Governance Inbox shell says no environment selected while visible filter says ManagedEnvironment.
- Audit Log and Alerts still need persisted-filter regression coverage.
- Baseline global pages use environment query prefilters and environment shell.
Low:
- Environment-owned route pages generally align route/shell/header.
- Workspace Settings, Manage Workspaces, and Workspace Overview are not environment data-scope risks.
## 11. Recommended Follow-Up Specs
Recommended order:
1. `314 - Workspace Hub Navigation Context Contract`
2. `315 - Environment CTA Explicit Filter Contract`
3. `316 - Workspace Hub Clear Filter Contract`
4. `317 - Legacy Tenant / Environment Context Cleanup`
5. `318 - Browser Regression Coverage / No-Drift Guard`
Rationale:
- 314 must first prevent workspace sidebar/global navigation from inheriting remembered environment state.
- 315 should standardize environment CTA query names, identifier types, filter chips, and target ownership.
- 316 should then implement one complete clear-filter contract across URL, Livewire, Filament table/session state, and reload/back behavior.
- 317 should remove or compatibility-wrap legacy `tenant`/`tenant_id`/external-id drift.
- 318 should lock the contract with browser regression coverage.
## 12. Open Questions and Blockers
- Missing seed data blocks row-scope proof for Finding Exceptions, Evidence, Reviews, Customer Reviews, Alerts, Findings, Review Packs, Backup/Restore, Groups, and several environment-owned resources.
- Decision Register clean-route behavior is data-dependent: the page may intentionally hide when there are no visible decisions, but the filtered URL opens. Product intent needs confirmation.
- Support Requests has active modal/action code but no list/index admin page. It is classified as action-only/unreachable as a page.
- Workspace 3 has no slug; the local smoke-login route with `workspace=3` hit a runtime bug (`orWhereKey()` in a query closure). The audit used tenant-based smoke login plus the existing clear-environment endpoint to establish workspace-origin state.
- The in-app Browser client loaded pages and DOM snapshots, but `tab.screenshot()` timed out. PNG artifacts were captured through the available Playwright browser fallback and this tooling limitation is recorded here.
## 13. Test / Browser Execution
Commands and tooling used:
| Command/tool | Result |
|---|---|
| `git status --short --branch` | Branch `313-workspace-environment-context-browser-verification`; only Spec 313 untracked files during audit. |
| `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` | Active feature dir and `tasks.md` found. |
| `cd apps/platform && ./vendor/bin/sail ps` | Sail stack already running; app reachable on `http://localhost`. |
| Laravel Boost `application_info` | Laravel 12.52.0, Filament 5.2.1, Livewire 4.1.4, PostgreSQL. |
| Laravel Boost `get_absolute_url('/admin')` | `http://localhost/admin`. |
| `find app/Filament -type f \| sort > artifacts/filament-files.txt` | 170 Filament entries captured. |
| Required `rg` context search > `artifacts/context-search.txt` | 8,234 context/search lines captured. |
| `./vendor/bin/sail artisan route:list --path=admin > artifacts/routes-admin.txt` | 97 admin routes captured. |
| Laravel Boost DB read queries | Confirmed 3 workspaces, 4 managed environments, and data coverage by table. |
| Browser client via Node REPL | Page navigation and DOM snapshots worked; screenshot CDP command timed out. |
| Playwright browser fallback | 74 screenshots generated under `artifacts/screenshots/`. |
Tests were not run. This spec was a read-only browser/code audit.
No runtime files were modified.
No tests were modified.
No migrations were modified.
No commits were created.
## 14. Acceptance Statement
The audit is complete for the discovered admin surfaces with explicit final statuses in `surface-inventory.md`. Some surfaces are complete only to the permitted blocked status because local seed data or page reachability prevented row-scope proof.
Reference in New Issue View Git Blame Copy Permalink