ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
0b578dc1aa
TenantAtlas/specs/073-unified-managed-tenant-onboarding-wizard/contracts/onboarding-actions.md
ahmido 8e34b6084f 073-unified-managed-tenant-onboarding-wizard (#90) 
Kontext / Ziel
Diese PR liefert den einzigen kanonischen Onboarding-Entry unter /admin/onboarding (workspace-first, tenantless bis zur Aktivierung) und ergänzt einen tenantless OperationRun-Viewer unter /admin/operations/{run} mit membership→404 Semantik.

Was ist enthalten?
Single entry point: /admin/onboarding ist der einzige Einstieg; Legacy Entry Points liefern echte 404 (keine Redirects).
Wizard v1 (Enterprise): idempotentes Identifizieren eines Managed Tenants (per Entra Tenant ID), resumable Session-Flow.
Provider Connection Step: Auswahl oder Erstellung, Secrets werden nie erneut gerendert / nicht in Session-State persistiert.
Verification als OperationRun: async/queued, DB-only Rendering im Wizard (keine Graph-Calls beim Rendern).
Tenantless Run Viewing: /admin/operations/{run} funktioniert ohne ausgewählten Workspace/Tenant, aber bleibt über Workspace-Mitgliedschaft autorisiert (non-member → 404).
RBAC-UX Semantik: non-member → 404, member ohne Capability → UI disabled + tooltip, server-side Action → 403.
Auditability: Aktivierung/Overrides sind auditierbar, stable action IDs, keine Secrets.
Tech / Version-Safety
Filament v5 / Livewire v4.0+ kompatibel.
Laravel 11+: Panel Provider Registrierung in providers.php (unverändert).
Tests / Format
vendor/bin/sail bin pint --dirty
Full suite: vendor/bin/sail artisan test --no-ansi → 984 passed, 5 skipped (exit 0)
Ops / Deployment Notes
Keine zusätzlichen Services vorausgesetzt.
Falls Assets registriert wurden: Deployment weiterhin mit php artisan filament:assets (wie üblich im Projekt).

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.fritz.box>
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #90
2026-02-04 23:30:55 +00:00

3.0 KiB
Raw Blame History

Onboarding Wizard — Action Contracts (073)

These are conceptual contracts for the wizards server-side actions (Filament / Livewire). They define inputs/outputs and authorization semantics.

Identify tenant

  • Purpose: Upsert or resume onboarding and ensure the managed tenant identity (Entra Tenant ID) is globally unique and bound to a single workspace.
  • Inputs:
    • entra_tenant_id (string)
    • environment (string)
    • name (string)
    • primary_domain (string|null)
    • notes (string|null)
  • Outputs:
    • managed_tenant_id (internal DB id)
    • onboarding_session_id
    • current_step
  • Errors:
    • 404: workspace not found, actor not a workspace member, or Entra Tenant ID exists in a different workspace (deny-as-not-found)
    • 403: actor is a workspace member but lacks onboarding capability

Select or create Provider Connection

  • Purpose: Select an existing provider connection in the workspace or create a new one (secrets captured safely).
  • Inputs:
    • provider_connection_id (int|null)
    • (optional) connection creation fields (non-secret identifiers only)
  • Outputs:
    • provider_connection_id
    • is_default (bool)
  • Errors:
    • 404: connection/tenant not in workspace scope
    • 403: member missing capability

Start verification

  • Purpose: Start provider connection verification asynchronously.
  • Mechanism: Create/reuse OperationRun of type provider.connection.check, enqueue ProviderConnectionHealthCheckJob.
  • Inputs: none (uses selected connection)
  • Outputs:
    • operation_run_id
    • status (queued/running/succeeded/failed)
  • Errors:
    • 404: tenant/connection not in workspace scope
    • 403: member missing capability

View run link contract:

  • The UI must expose a tenantless “View run” URL: /admin/operations/{run}.
  • Access is granted only if the actor is a member of the runs workspace; otherwise 404 (deny-as-not-found).

Optional bootstrap actions

  • Purpose: Start selected post-verify operations as separate runs.
  • Inputs: list of operation types (must exist in registry)
  • Outputs: list of operation_run_id
  • Errors:
    • 403/404 semantics as above

Activate (Complete)

  • Purpose: Activate the managed tenant, making it available in the tenant switcher.
  • Preconditions: Provider connection exists; verification is not Blocked unless overridden by an owner.
  • Inputs:
    • override_blocked (bool, optional)
    • override_reason (string, required if override)
  • Outputs:
    • managed_tenant_id
    • status (active)
  • Errors:
    • 404: managed tenant not in workspace scope / actor not a member
    • 403: actor is a member but not an owner (owner-only activation); or missing capability

Audit requirement:

  • Any override must record an audit event including the human-entered reason.

Security & data minimization

  • Stored secrets must never be returned.
  • Failures are stored as stable reason codes + sanitized messages.