TenantAtlas/specs/381-provider-resource-identity-binding/implementation-close-out.md
ahmido 04d0d6184f feat(resources): implement provider resource identity binding (#452)
Added `ProviderResourceBinding` model, migrations, policies, and supporting framework for canonical resource identity mapping as defined in Spec 381. This provides the structural capability to resolve baseline and posture discrepancies by binding logical entities across source providers to canonical identities.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #452
2026-06-15 18:45:38 +00:00


# Implementation Close-Out: Spec 381 - Provider Resource Identity and Binding Foundation v1
Date: 2026-06-15
Branch: `381-provider-resource-identity-binding`
Base HEAD observed during close-out: `d52b674f spec: record management report pdf staging validation gate (#451)`
## Scope
Implemented a backend-only foundation for provider resource identity and managed-environment-scoped binding.
No Filament Resource, page, route, Livewire component, Blade view, navigation item, Graph client, queued job, scheduler behavior, OperationRun type, or customer-facing output was added.
## Repo-Truth Notes
- `provider_resource_bindings` is tenant-owned operational truth and remains scoped by `workspace_id` and `managed_environment_id`.
- Baseline snapshots are workspace-owned through baseline profiles, not directly tenant-owned. For `source_baseline_snapshot_id`, managed-environment validity is enforced through `baseline_tenant_assignments` for the snapshot's `baseline_profile_id`.
- No workspace-level, baseline-profile-specific, or subject-only binding scope was introduced.
- No duplicate active-state truth was introduced; `binding_status = active` remains the active-binding truth.
## Livewire / Filament Contract
- Livewire v4.0+ compliance: unchanged. No Livewire code changed.
- Provider registration location: unchanged. Laravel panel providers remain in `apps/platform/bootstrap/providers.php`.
- Global search: no Filament Resource was added; `ProviderResourceBinding` is not globally searchable.
- Destructive/high-impact actions: no Filament action was added. Backend supersede/revoke decisions require policy authorization and audit logging. Future UI confirmation belongs to Spec 384.
- Assets: no assets were registered. No Spec 381-specific `filament:assets` deployment concern exists beyond the normal Filament deploy procedure.
## RBAC, Isolation, And Audit
- Reads and mutations use `ProviderResourceBindingPolicy` with existing baseline capabilities:
  - view: `workspace_baselines.view`
  - create/supersede/revoke: `workspace_baselines.manage`
- Non-members are denied with a not-found response, enforced through managed-environment entitlement checks.
- Entitled members without the manage capability receive a forbidden response on mutations.
- Provider connections and source references are validated against the binding workspace and managed environment before persistence.
- Binding create/supersede/revoke actions write `AuditLog` records with safe identifiers and hashed/length-only operator note metadata.
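The decision order and audit-metadata shape described in this section, as an added illustration that is not TenantAtlas code (PHP 8.1+; `Actor`, `Decision`, `authorizeBinding()` and `auditMetadataForNote()` are hypothetical names, and only the capability strings are taken from the list above):

```php
<?php
// Illustrative example, not TenantAtlas code. Entitlement is checked first (non-members
// are told "not found"), then capability (entitled members without
// workspace_baselines.manage get "forbidden"). All names here are hypothetical.

enum Decision: string { case Allow = 'allow'; case NotFound = 'not_found'; case Forbidden = 'forbidden'; }

final class Actor {
    public function __construct(
        public readonly array $entitledManagedEnvironmentIds, // environments the actor is a member of
        public readonly array $capabilities,                  // e.g. 'workspace_baselines.view'
    ) {}
}

// Capability names are the ones listed in the RBAC section above.
function requiredCapability(string $action): string {
    return match ($action) {
        'view' => 'workspace_baselines.view',
        'create', 'supersede', 'revoke' => 'workspace_baselines.manage',
        default => throw new InvalidArgumentException("unknown binding action: $action"),
    };
}

function authorizeBinding(Actor $actor, string $action, int $managedEnvironmentId): Decision {
    // Entitlement is evaluated before capability so a non-member cannot infer from a
    // 403-versus-404 difference that a binding exists in an environment they cannot see.
    if (!in_array($managedEnvironmentId, $actor->entitledManagedEnvironmentIds, true)) {
        return Decision::NotFound;
    }
    if (!in_array(requiredCapability($action), $actor->capabilities, true)) {
        return Decision::Forbidden;
    }
    return Decision::Allow;
}

// Audit metadata for an operator note: only its byte length and a hash are recorded, never the text.
function auditMetadataForNote(?string $note): array {
    if ($note === null || $note === '') {
        return ['operator_note_present' => false];
    }
    return ['operator_note_present' => true, 'operator_note_length' => strlen($note),
            'operator_note_sha256' => hash('sha256', $note)];
}

// Constructed sample: a member of managed environment 7 holding only the view capability.
$viewer = new Actor([7], ['workspace_baselines.view']);
foreach ([['view', 7], ['revoke', 7], ['view', 9]] as [$action, $env]) {
    printf("%s on environment %d: %s\n", $action, $env, authorizeBinding($viewer, $action, $env)->value);
}
print_r(auditMetadataForNote('superseded after tenant move'));
```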
## OperationRun Semantics
No OperationRun is created, queued, updated, or completed by Spec 381. Binding decisions are DB-only, security-relevant mutations that are audited directly.
## Browser Smoke
Not applicable. Spec 381 has no UI, user-facing flow, route, navigation, Filament, Livewire, or asset surface impact.
## Validation Commands
Executed during the final review and finding-fix loop:
```bash
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/Resources/ResourceIdentityTest.php tests/Unit/Support/Resources/ProviderResourceDescriptorTest.php tests/Unit/Support/Baselines/BaselineSubjectKeyCanonicalIdentityTest.php
```
Result: passed, 5 tests / 45 assertions.
```bash
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php tests/Feature/ProviderResources/ProviderResourceBindingAuthorizationTest.php
```
Result after the finding fix: passed, 19 tests / 72 assertions.
```bash
cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php
```
Result: passed, 4 tests / 7 assertions.
```bash
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineCompareProviderResourceBindingNoOpTest.php tests/Feature/Baselines/BaselineCompareGapClassificationTest.php tests/Feature/Evidence/BaselineDriftPostureSourceTest.php tests/Feature/ReviewPack/Spec349ReviewPackResolutionGuidanceTest.php
```
Result: passed, 11 tests / 83 assertions.
```bash
cd apps/platform && ./vendor/bin/sail bin pint --dirty --test --format agent
```
Result: passed.
```bash
git diff --check
```
Result: passed.
## Deployment Impact
- Additive migration only: `provider_resource_bindings`.
- Staging must run the migration and the PostgreSQL lane before Production promotion.
- No environment variable, queue, scheduler, storage, reverse-proxy, or asset change is required.
- Rollback before any follow-up spec consumes the table consists of dropping the new table. Once follow-up specs consume bindings, the rollback procedure must be redesigned.
## Residual Risks / Follow-Up
No confirmed in-scope findings remain after the final fix loop.
Follow-up specs remain as planned:
- Spec 382: matching pipeline consumption.
- Spec 384: operator resolution UI and destructive/high-impact UI confirmations.
- Spec 385: evidence/review readiness consumption.