TenantAtlas/specs/313-workspace-environment-context-browser-verification/surface-inventory.md
ahmido 2f7a521d5f spec: add workspace environment context browser audit (#368)
## Summary
- add the full workspace/environment context browser verification audit for Spec 313
- include the surface matrix, query and clear-filter inventories, ownership map, and audit report
- attach browser evidence artifacts and screenshots for the current workspace/environment context contract

## Testing
- no automated tests run; this is an analysis-only spec and artifact package with no runtime changes

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #368
2026-05-16 08:51:19 +00:00

# Surface Inventory

Final statuses use only the allowed Spec 313 status vocabulary. "Browser verified" means the surface was opened in the local admin UI on 2026-05-16 against `http://localhost/admin`; "repo only" means classified from route/resource code and not deeply browser-tested because the surface is system, auth, modal-only, or not context-bearing.

| Surface | Type | Class/resource/component | Route | Sidebar visible? | Dashboard/card/action linked? | Workspace-scoped? | Environment-scoped? | System/platform scoped? | Ambiguous? | Browser verified? | Final status | Notes |
|---|---|---|---|---|---|---:|---:|---:|---:|---|---|---|
| Workspace Overview | Filament page | `App\Filament\Pages\WorkspaceOverview` | `/admin`, `/admin/workspaces/{workspace}/overview` | Yes | Home | Yes | No | No | No | Yes | `verified_workspace_scoped_hub` | Shell shows workspace and no environment after clear; screenshot `workspace-origin--workspace-overview.png`. |
| Operations | Filament page | `App\Filament\Pages\Monitoring\Operations` | `/admin/workspaces/{workspace}/operations` | Yes | Environment dashboard CTA | Yes | Explicit filter only | No | No | Yes | `verified_workspace_scoped_hub` | Workspace origin shows 9 rows across 2 environments. CTA query `managed_environment_id=4` was not visibly applied in shell/title and had no `Clear filters` action. |
| Operation detail | Filament page | `App\Filament\Pages\Operations\TenantlessOperationRunViewer` | `/admin/workspaces/{workspace}/operations/{run}` | Row/action only | Environment dashboard recent operation links | Yes | Record-owned tenant context | No | Yes | Repo only | `verified_ambiguous_or_mixed` | Support request modal exists here; not deeply tested to avoid mutation flows. |
| Provider Connections / Integrations | Filament resource | `App\Filament\Resources\ProviderConnectionResource` | `/admin/provider-connections` | Yes | Link helper from operations/provider actions | Yes | Explicit filter query | No | Yes | Yes | `verified_workspace_scoped_hub` | Workspace origin showed both provider rows. Query prefilter `managed_environment_id=<slug>` filters rows but no page-level clear exists; sidebar link can regain query from remembered environment. |
| Finding Exceptions Queue | Filament page | `App\Filament\Pages\Monitoring\FindingExceptionsQueue` | `/admin/finding-exceptions/queue` | Yes | Open queue helper | Yes | Explicit `tenant` prefilter | No | Yes | Yes | `blocked_missing_seed_data` | Shell/query behavior verified; no `finding_exceptions` rows in seed data, so row-scope correctness is unproven. |
| Alerts landing | Filament cluster page | `App\Filament\Pages\Monitoring\Alerts` | `/admin/alerts` redirects to alert deliveries | Yes | No | Yes | Table filters | No | No | Yes | `blocked_missing_seed_data` | No alert delivery rows; shell and filter behavior verified only. |
| Alert Deliveries | Filament resource | `App\Filament\Resources\AlertDeliveryResource` | `/admin/alerts/alert-deliveries` | Child | No | Yes | Optional environment table filter | No | No | Yes | `blocked_missing_seed_data` | No rows. |
| Alert Rules | Filament resource | `App\Filament\Resources\AlertRuleResource` | `/admin/alerts/alert-rules` | Child | No | Yes | No | No | No | Repo only | `verified_workspace_scoped_hub` | Navigation child under Alerts; not high-risk for environment inheritance. |
| Alert Destinations | Filament resource | `App\Filament\Resources\AlertDestinationResource` | `/admin/alerts/alert-destinations` | Child | No | Yes | No | No | No | Repo only | `verified_workspace_scoped_hub` | Navigation child under Alerts; not high-risk for environment inheritance. |
| Audit Log | Filament page | `App\Filament\Pages\Monitoring\AuditLog` | `/admin/audit-log` | Yes | No | Yes | Optional environment table filter | No | No | Yes | `verified_workspace_scoped_hub` | Workspace origin shows 61 rows across 2 environments; shell clean from sidebar. |
| Evidence Overview | Filament page | `App\Filament\Pages\Monitoring\EvidenceOverview` | `/admin/evidence/overview` | No direct sidebar item | Environment/prefilter links | Yes | Explicit `managed_environment_id` prefilter | No | Yes | Yes | `blocked_missing_seed_data` | Clear filter worked for query prefilter, but no evidence rows exist. |
| Review Register | Filament page | `App\Filament\Pages\Reviews\ReviewRegister` | `/admin/reviews` | Yes | Prefilter URL/action | Yes | Explicit prefilter | No | Yes | Yes | `blocked_missing_seed_data` | `managed_environment_id=4` query remained after clicking Clear filters; no environment review rows exist. |
| Customer Review Workspace | Filament page | `App\Filament\Pages\Reviews\CustomerReviewWorkspace` | `/admin/reviews/workspace` | Yes | Environment dashboard export artifacts | Yes | Explicit `tenant` prefilter | No | Yes | Yes | `blocked_missing_seed_data` | Query remained after clear and reload reintroduced visible filter; no review-pack/review data exists. |
| Governance Inbox | Filament page | `App\Filament\Pages\Governance\GovernanceInbox` | `/admin/governance/inbox` | Yes | Environment sidebar/action links | Yes | Explicit `tenant` prefilter | No | Yes | Yes | `verified_workspace_scoped_hub` | Filtered URL shows `ManagedEnvironment: YPTW2` with clear environment filter link; shell still says no environment selected. |
| Decision Register | Filament page | `App\Filament\Pages\Governance\DecisionRegister` | `/admin/governance/decisions` | Conditional | Prefilter URL | Yes | Explicit `managed_environment_id` prefilter | No | Yes | Yes | `verified_ambiguous_or_mixed` | Clean workspace URL returned 403 for this actor, while `?managed_environment_id=4` opened the page. Access is data/query dependent. |
| Workspace Settings | Filament page | `App\Filament\Pages\Settings\WorkspaceSettings` | `/admin/settings/workspace` | Yes | No | Yes | No | No | No | Yes | `verified_workspace_scoped_hub` | Workspace admin surface; no environment query observed. |
| Manage Workspaces | Filament resource | `App\Filament\Resources\Workspaces\WorkspaceResource` | `/admin/workspaces` | Yes | Topbar/switcher | Yes | No | No | No | Yes | `verified_workspace_scoped_hub` | Workspace management list opened cleanly. |
| Managed Environments Landing | Filament page/resource | `ManagedEnvironmentResource`, `ManagedEnvironmentsLanding` | `/admin/workspaces/{workspace}/environments` | Via environment clear/switch | Workspace overview/context bar | Workspace list of environments | No | No | No | Yes | `verified_workspace_scoped_hub` | Environment catalog for current workspace; screenshot `environment-page--managed-environments-landing.png`. |
| Choose Workspace | Filament page | `App\Filament\Pages\ChooseWorkspace` | `/admin/choose-workspace` | Topbar | Topbar | Yes | No | No | No | Yes | `verified_workspace_scoped_hub` | Selection surface, not data hub. |
| Choose Environment | Filament page | `App\Filament\Pages\ChooseEnvironment` | `/admin/choose-environment` | Topbar | Topbar | Yes | No | No | No | Yes | `verified_workspace_scoped_hub` | Environment selection surface. |
| Environment Dashboard | Filament page | `App\Filament\Pages\EnvironmentDashboard` | `/admin/workspaces/{workspace}/environments/{environment}` | Environment nav | Environment entry point | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Shell shows `YPTW2 (DEV)`; CTAs include Operations, required permissions, reviews, backup, evidence, risks. |
| Environment Onboarding | Filament page | `ManagedEnvironmentOnboardingWizard` | `/admin/onboarding`, `/admin/onboarding/{draft}` | No | Onboarding CTA | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Browser redirected `/admin/onboarding` to draft `/admin/onboarding/1`. |
| Required Permissions | Filament page | `App\Filament\Pages\EnvironmentRequiredPermissions` | `/admin/workspaces/{workspace}/environments/{environment}/required-permissions` | Environment nav/card | Dashboard card | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Shell/header environment aligned. |
| Environment Diagnostics | Filament page | `App\Filament\Pages\EnvironmentDiagnostics` | `/admin/workspaces/{workspace}/environments/{environment}/diagnostics` | Route/action | Dashboard/action | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Shell/header environment aligned. |
| Inventory Cluster | Filament cluster | `App\Filament\Clusters\Inventory\InventoryCluster` | `/admin/workspaces/{workspace}/environments/{environment}/inventory` | Environment nav | Dashboard/sidebar | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Redirected to inventory items with environment shell. |
| Inventory Items | Filament resource | `App\Filament\Resources\InventoryItemResource` | `/admin/workspaces/{workspace}/environments/{environment}/inventory-items` | Environment nav | Inventory cluster | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No inventory rows for audited environment. |
| Inventory Coverage | Filament page | `App\Filament\Pages\InventoryCoverage` | `/admin/workspaces/{workspace}/environments/{environment}/inventory/inventory-coverage` | Environment nav | Inventory cluster | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Shell/header environment aligned. |
| Policies | Filament resource | `App\Filament\Resources\PolicyResource` | `/admin/workspaces/{workspace}/environments/{environment}/policies` | Environment nav | Inventory cluster | No | Yes | No | No | Yes | `blocked_missing_seed_data` | Policy rows exist only in workspace 1/env 1, not in the audited workspace 3/env 4. |
| Policy Versions | Filament resource | `App\Filament\Resources\PolicyVersionResource` | `/admin/workspaces/{workspace}/environments/{environment}/policy-versions` | Environment nav | Inventory cluster | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No policy version rows. |
| Findings | Filament resource | `App\Filament\Resources\FindingResource` | `/admin/workspaces/{workspace}/environments/{environment}/findings` | Environment nav | Dashboard cards | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No finding rows. |
| Risk Exceptions | Filament resource | `App\Filament\Resources\FindingExceptionResource` | `/admin/workspaces/{workspace}/environments/{environment}/finding-exceptions` | Environment nav | Dashboard card | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No finding exception rows. |
| Evidence Snapshots | Filament resource | `App\Filament\Resources\EvidenceSnapshotResource` | `/admin/workspaces/{workspace}/environments/{environment}/evidence` | Environment nav | Dashboard card | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No evidence snapshot rows. |
| Environment Reviews | Filament resource | `App\Filament\Resources\EnvironmentReviewResource` | `/admin/workspaces/{workspace}/environments/{environment}/environment-reviews` | Environment nav | Dashboard cards | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No environment review rows. |
| Review Packs | Filament resource | `App\Filament\Resources\ReviewPackResource` | `/admin/workspaces/{workspace}/environments/{environment}/review-packs` | Environment nav | Dashboard/export card | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No review pack rows. |
| Stored Reports | Filament resource | `App\Filament\Resources\StoredReportResource` | `/admin/workspaces/{workspace}/environments/{environment}/stored-reports` | Environment nav | Evidence/reports links | No | Yes | No | No | Yes | `verified_environment_scoped_page` | 2 stored report rows exist for env 4. No workspace-wide reports hub discovered. |
| Backup Schedules | Filament resource | `App\Filament\Resources\BackupScheduleResource` | `/admin/workspaces/{workspace}/environments/{environment}/backup-schedules` | Environment nav | Dashboard backup card | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No backup schedules. |
| Backup Sets | Filament resource | `App\Filament\Resources\BackupSetResource` | `/admin/workspaces/{workspace}/environments/{environment}/backup-sets` | Environment nav | Dashboard backup card | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No backup sets. |
| Restore Runs | Filament resource | `App\Filament\Resources\RestoreRunResource` | `/admin/workspaces/{workspace}/environments/{environment}/restore-runs` | Environment nav | Backup flow | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No restore runs. |
| Entra Groups | Filament resource | `App\Filament\Resources\EntraGroupResource` | `/admin/workspaces/{workspace}/environments/{environment}/entra-groups` | Environment nav | Directory group | No | Yes | No | No | Yes | `blocked_missing_seed_data` | No group rows. |
| Access Scopes | Filament resource page | `ManagedEnvironmentResource\Pages\ManageEnvironmentAccessScopes` | `/admin/workspaces/{workspace}/environments/{environment}/access-scopes` | Environment route | View/manage environment | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Environment ownership clear. |
| Baseline Compare Landing | Filament page | `App\Filament\Pages\BaselineCompareLanding` | `/admin/baseline-compare-landing?tenant=...` | Environment nav | Dashboard card | No | Yes | No | Yes | Yes | `verified_ambiguous_or_mixed` | Environment query uses `tenant`, not route tenant; shell shows environment. |
| Baseline Compare Matrix | Filament page/resource child | `App\Filament\Pages\BaselineCompareMatrix` | `/admin/baseline-profiles/{record}/compare-matrix` | Row/action | Baseline profile action | No | Mixed | No | Yes | Repo only | `verified_ambiguous_or_mixed` | Record-bound compare surface; not opened because no usable baseline assignment. |
| Baseline Profiles | Filament resource | `App\Filament\Resources\BaselineProfileResource` | `/admin/baseline-profiles?tenant=...` | Environment nav | Baseline card | Workspace-owned baseline library | Environment query filter | No | Yes | Yes | `verified_ambiguous_or_mixed` | Global resource with environment query prefilter. |
| Baseline Snapshots | Filament resource | `App\Filament\Resources\BaselineSnapshotResource` | `/admin/baseline-snapshots?tenant=...` | Environment nav | Baseline card | Workspace-owned artifact library | Environment query filter | No | Yes | Yes | `verified_ambiguous_or_mixed` | Global resource with environment query prefilter. |
| Cross Environment Compare | Filament page | `App\Filament\Pages\CrossEnvironmentComparePage` | `/admin/cross-environment-compare` | No | Compare workflows | Yes | Compares environments | No | Yes | Repo only | `verified_ambiguous_or_mixed` | Not visible in sidebar during audited flow. |
| Support Request action | Modal/action surface | `EnvironmentDashboard`, `TenantlessOperationRunViewer`, support services | No list route | Modal only | Header/action | No | Context-bound | No | Yes | Repo only | `verified_unreachable` | No Support Requests index/resource/route discovered. Existing surfaces create support requests through modals only; not submitted in this audit. |
| Product Knowledge / Help | Not discovered | None | None | No | No | No | No | No | No | Repo only | `verified_unreachable` | No admin route/resource/navigation entry found. |
| Operational Controls | System page | `App\Filament\System\Pages\Ops\Controls` | System panel | No admin sidebar | No | No | No | Yes | No | Repo only | `verified_system_or_platform_scoped_page` | System panel only. |
| Customer Health | System page/widgets | `System\Pages\Directory\Tenants`, customer health widgets | System panel | No admin sidebar | No | No | No | Yes | No | Repo only | `verified_system_or_platform_scoped_page` | System platform surface. |
| Provider Health | Workspace/provider rows | Provider connection health columns | `/admin/provider-connections` | Integrated | Provider resource | Yes | Explicit filter | No | No | Yes | `verified_workspace_scoped_hub` | No separate provider-health page discovered. |
| Permission Posture | Environment/report surface | Required permissions + StoredReportResource | Required permissions, stored reports | Environment nav | Dashboard card | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Environment-owned. |
| Entra Admin Roles | Environment/report surface | StoredReportResource, AdminRolesSummaryWidget | Stored reports/widget | Environment nav/card | Dashboard widget | No | Yes | No | No | Yes | `verified_environment_scoped_page` | Stored report exists for env 4. |
| Auth Login | Auth page | `App\Filament\Pages\Auth\Login` | `/admin/login` | No | Auth only | No | No | No | No | Repo only | `out_of_scope_with_reason` | Auth surface, not workspace/environment data scope. |
| No Access | Utility page | `App\Filament\Pages\NoAccess` | `/admin/no-access` | No | Error/guard | No | No | No | No | Repo only | `out_of_scope_with_reason` | Guard/error surface. |
| Break Glass Recovery | Utility page | `App\Filament\Pages\BreakGlassRecovery` | Not in admin route list | No | Emergency only | No | No | System-like | No | Repo only | `verified_legacy_or_dead_surface_candidate` | Class exists but no admin route was listed. |
| Tenancy RegisterTenant | Utility page | `App\Filament\Pages\Tenancy\RegisterTenant` | Not in admin route list | No | Legacy tenancy | No | No | No | Yes | Repo only | `verified_legacy_or_dead_surface_candidate` | Legacy tenancy artifact in workspace-first app. |
| OperationRunResource | Resource shell | `App\Filament\Resources\OperationRunResource` | No resource routes in route list | No | Replaced by Operations page | Yes | Record-owned | No | Yes | Repo only | `verified_legacy_or_dead_surface_candidate` | Resource class exists without surfaced resource routes. |
| System Control Tower | System panel group | `System\Pages\Dashboard`, `Ops\*`, `Security\AccessLogs`, `Directory\*`, widgets | System panel | No admin sidebar | No | No | No | Yes | No | Repo only | `verified_system_or_platform_scoped_page` | Classified only; outside admin workspace/environment contract unless linked back into admin. |