TenantAtlas/specs/031-tenant-portfolio-context-switch/tasks.md

Tasks: Tenant Portfolio & Context Switch (031)

Branch: feat/031-tenant-portfolio-context-switch
Date: 2026-01-04
Input: spec.md, plan.md

Phase 1: Setup

• T001 Create spec/plan/tasks and checklist.

Phase 2: Research & Design

• T002 Review Filament tenancy support and choose the context mechanism (route vs session).
• T003 Define tenant access roles and mapping (user memberships; future org/group principals).
• T004 Decide how to store environment (column vs JSONB) and whether MSP “customer grouping” is in scope.
• T005 Define context precedence rules (env override, route tenant, session/default tenant) and cross-tab safety expectations.

Phase 3: Tests (TDD)

• T006 Authorization: user cannot access unauthorized tenant (404).
• T007 Authorization: tenant-scoped resources deny cross-tenant access via URL (404).
• T008 Context switching: “Open tenant” navigates into tenant-scoped pages (tenant in URL) and data filters correctly.
• T009 Bulk sync: dispatches one job per selected tenant; readonly role cannot run it.
• T010 UI (optional browser tests): tenant switcher visible and environment badge shown.

Phase 4: Implementation

• T011 Add migrations for tenant memberships/roles and environment attribute (and optional preferences).
• T012 Implement TenantContext + authorization gate/policy (canAccessTenant).
• T013 Integrate tenant switcher into Filament topbar and make Current Tenant always visible.
• T014 Scope tenant resources (Policies/Backups/RestoreRuns/etc.) via TenantContext; replace direct Tenant::current() usage.
• T015 Update TenantResource into a portfolio view: access-scoped query, columns, filters, “Open”, “Sync”, bulk “Sync selected”.
• T016 Add restore guardrails (target tenant header + tenant-aware confirmations).

Phase 5: Verification

• T017 Run targeted tests.
• T018 Run Pint (./vendor/bin/pint --dirty).