ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
0e2adeab71
TenantAtlas/specs/084-verification-surfaces-unification/contracts/verification-surfaces.routes.md
ahmido 0e2adeab71 feat(verification): unify verification surfaces (Spec 084) (#102) 
Implements Spec 084 (verification-surfaces-unification).

Highlights
- Unifies tenant + onboarding verification start on `provider.connection.check` (OperationRun-based, enqueue-only).
- Ensures completed blocked runs persist a schema-valid `context.verification_report` stub (DB-only viewers never show “unavailable”).
- Adds tenant embedded verification report widget with DB-only rendering + canonical tenantless “View run” links.
- Enforces 404/403 semantics for tenantless run viewing (workspace membership + tenant entitlement required; otherwise 404).
- Fixes admin panel widgets to resolve tenant from record context so Owners can start verification and recent operations renders correctly.

Tests
- Ran: `vendor/bin/sail artisan test --compact tests/Feature/Verification/ tests/Feature/ProviderConnections/ProviderOperationBlockedGuidanceSpec081Test.php tests/Feature/Onboarding/OnboardingVerificationTest.php tests/Feature/RunAuthorizationTenantIsolationTest.php tests/Feature/Filament/TenantVerificationReportWidgetTest.php tests/Feature/Filament/RecentOperationsSummaryWidgetTest.php`

Notes
- Filament v5 / Livewire v4 compatible.
- No new assets; no changes to provider registration.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #102
2026-02-09 11:28:09 +00:00

58 lines
1.8 KiB
Markdown
Raw Blame History

# Contracts — Verification Surfaces Unification (Spec 084)
This document describes the user action surfaces and canonical linking rules.
## Canonical run link
- Canonical run viewer route: `/admin/operations/{runId}`
- Helper: `OperationRunLinks::tenantlessView($runId)`
Rule:
- All verification surfaces MUST link to the canonical tenantless viewer.
- Tenantless run viewing MUST still enforce:
- workspace membership AND
- tenant entitlement (when the run is tenant-associated)
Missing either MUST be deny-as-not-found (404).
## Start surfaces
### Tenant detail — “Verify configuration”
- Trigger: Filament action on tenant view page.
- Behavior:
- Authorize capability.
- Start/dedupe `OperationRun` with `type = provider.connection.check`.
- Dispatch `ProviderConnectionHealthCheckJob` when newly created.
- Notify with “View run” (canonical URL).
### Onboarding — “Verify access”
- Trigger: Filament wizard action.
- Behavior:
- Authorize onboarding capability.
- Start/dedupe the same run type.
- Notify with “View run” (canonical URL).
## Viewer surfaces (DB-only)
### Tenant embedded viewer
- Select latest `provider.connection.check` run attempt for the tenant.
- States:
- Empty (no run yet): shows “Start verification” CTA.
- In progress (active run; no report yet): shows DB-only in-progress UI.
- Completed: shows stored `verification_report`.
### Operations run viewer
- Uses `OperationRun` as the source of truth.
- Verification report rendered from `context.verification_report` only.
## Blocked completion invariant
For `provider.connection.check` runs:
- If the run is completed with outcome `blocked`, `context.verification_report` MUST exist and be schema-valid.
- Viewers MUST NOT fabricate a report at render time.
Reference in New Issue View Git Blame Copy Permalink