TenantAtlas/specs/072-managed-tenants-workspace-enforcement/tasks.md

Tasks — 072 Managed Tenants workspace context enforcement

Setup

• T001 Confirm legacy managed-tenants routes and current workspace middleware behavior.

Tests (TDD)

• T010 Add regression test: /admin/managed-tenants redirects to workspace landing when a workspace is selected.
• T020 Add regression test: /admin/t/{tenant} is 404 when workspace context is missing.
• T030 Add regression test: /admin/t/{tenant} is 404 when tenant.workspace_id mismatches current workspace.
• T040 Add regression test: /admin/choose-tenant redirects to /admin/choose-workspace when workspace is not selected.

Core

• T100 Create workspace-scoped Managed Tenants landing at /admin/w/{workspace}/managed-tenants.
• T110 Make unscoped /admin/managed-tenants/* legacy-only (redirect to workspace-scoped URLs).
• T120 Implement hard enforcement: tenant routes require workspace context and tenant.workspace_id match.
• T130 Ensure /admin/choose-tenant requires selected workspace.
• T140 Move Workspaces UI out of tenant routing (serve at /admin/workspaces/*, not /admin/t/{tenant}/workspaces).

UX follow-ups

• T200 Ensure default tenant selection respects current workspace context.
• T210 Add a workspace switcher in the user menu (link to Choose Workspace).
• T220 Add regression tests for workspace switcher + tenant selection.
• T230 Ensure /admin lands on workspace-first flow (avoid redirecting to tenant registration).
• T240 After choosing a workspace with zero tenants, route into the workspace Managed Tenants landing (with CTA).
• T250 Allow workspace owners to register the first tenant in a workspace (bootstrap).

Security hardening (owners / audit / recovery)

• T260 Enforce rule: workspaces can never have 0 owners (block last-owner removal + demotion).
• T270 Audit every blocked last-owner attempt with workspace_membership.last_owner_blocked + required metadata.
• T280 Optional: break-glass recovery flow to re-assign a workspace owner (fully audited).

Follow-up bugfix

• T300 Fix Workspaces → Memberships UI enforcement to use workspace capabilities (not tenant capabilities).
• T310 Add regression tests for WorkspaceMemberships relation manager action enable/disable.

Validation

• T900 Run Pint on dirty files.

• T910 Run targeted Pest tests.

• T920 Run targeted Pest tests for last-owner + recovery flow.