Added `ProviderResourceBinding` model, migrations, policies, and supporting framework for canonical resource identity mapping as defined in Spec 381. This provides the structural capability to resolve baseline and posture discrepancies by binding logical entities across source providers to canonical identities.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #452
123 lines
14 KiB
Markdown
# Tasks: Spec 381 - Provider Resource Identity and Binding Foundation v1
**Input**: `specs/381-provider-resource-identity-binding/spec.md`, `specs/381-provider-resource-identity-binding/plan.md`
**Prerequisites**: Spec and plan are complete. Spec 163 and Spec 380 are historical/context only and must not be rewritten. This task list is for a later implementation loop, not for this preparation step.
**Tests**: Unit, Feature, PostgreSQL, and targeted no-op baseline/evidence/review regression tests are required. Browser tests are not required because no UI surface changes.
## Test Governance Checklist
- [X] Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- [X] New tests stay in the smallest honest family; no heavy-governance or browser family is introduced.
- [X] Shared helpers, factories, seeds, fixtures, provider setup, workspace membership context, and fake-provider defaults stay cheap by default.
- [X] PostgreSQL validation is used only for migration/partial unique/composite foreign key/index behavior that SQLite cannot prove.
- [X] Planned validation commands cover identity, binding service behavior, authorization, audit, PostgreSQL uniqueness, workspace/environment integrity, source-reference scoping, and current-runtime no-op behavior.
- [X] Any material budget, baseline, trend, or escalation note is recorded in the implementation close-out.
## Phase 1: Baseline And Guardrail Reconfirmation
**Purpose**: Confirm repo truth and protect completed-spec history before implementation.
- [X] T001 Record current branch, HEAD, dirty state, and intended touched-file set in the implementation close-out notes for `specs/381-provider-resource-identity-binding/`.
- [X] T002 Re-read `specs/381-provider-resource-identity-binding/spec.md`, `specs/381-provider-resource-identity-binding/plan.md`, and `specs/381-provider-resource-identity-binding/tasks.md`.
- [X] T003 Re-read `specs/163-baseline-subject-resolution/spec.md`, `specs/163-baseline-subject-resolution/plan.md`, and `specs/163-baseline-subject-resolution/tasks.md` as completed/historical context without editing Spec 163.
- [X] T004 Re-read `apps/platform/app/Support/Baselines/BaselineSubjectKey.php`, `apps/platform/app/Support/Baselines/SubjectClass.php`, `apps/platform/app/Support/Baselines/ResolutionOutcome.php`, and `apps/platform/app/Support/Baselines/Compare/CompareSubjectIdentity.php`.
- [X] T005 Re-read `apps/platform/app/Models/ProviderConnection.php`, `apps/platform/app/Models/ManagedEnvironment.php`, `apps/platform/app/Models/AuditLog.php`, `apps/platform/app/Support/Auth/Capabilities.php`, and existing provider/baseline policy tests.
- [X] T006 Confirm no Filament resource/page/action, route, Livewire component, Blade view, Graph client, provider adapter, OperationRun type, or evidence/review behavior change is planned; if one appears necessary, stop and update spec/plan before continuing.
## Phase 2: Identity And Canonical Key Foundation
**Purpose**: Represent provider identity and canonical subject keys without display names as primary identity.
- [X] T007 [P] [US1] Add unit coverage in `apps/platform/tests/Unit/Support/Resources/ResourceIdentityTest.php` for tenant-owned, built-in, default, virtual, unsupported, and unknown identities.
- [X] T008 [P] [US1] Add unit coverage in `apps/platform/tests/Unit/Support/Baselines/BaselineSubjectKeyCanonicalIdentityTest.php` proving canonical keys use provider/resource identity or canonical discriminator and do not collapse same-label distinct resources.
- [X] T009 [P] [US1] Add unit coverage in `apps/platform/tests/Unit/Support/Resources/ProviderResourceDescriptorTest.php` for descriptor serialization, source references, last-seen metadata, fingerprints, and fake-provider data.
- [X] T010 [US1] Implement `apps/platform/app/Support/Resources/ResourceIdentity.php` with named constructors for provider resource, canonical built-in/default, virtual target, unsupported, and unknown identities.
- [X] T011 [US1] Extend `apps/platform/app/Support/Baselines/BaselineSubjectKey.php` with canonical provider-resource key helpers rather than creating a parallel `CanonicalSubjectKey` class.
- [X] T012 [US1] Implement `apps/platform/app/Support/Resources/ProviderResourceDescriptor.php` as a small serializable descriptor over `ResourceIdentity`.
- [X] T013 [US1] Run the focused identity unit tests for `ResourceIdentity`, `BaselineSubjectKeyCanonicalIdentity`, and `ProviderResourceDescriptor`.
## Phase 3: Binding Persistence And Integrity
**Purpose**: Persist managed-environment-scoped binding decisions with active uniqueness and no duplicate active truth.
- [X] T014 [P] [US2] Add PostgreSQL migration/index coverage in `apps/platform/tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php` for active partial unique index, composite `(managed_environment_id, workspace_id)` foreign key integrity, managed-environment non-null scope, enum/check-constraint validity where practical, and index-backed lookup assumptions.
- [X] T015 [P] [US2] Add feature coverage in `apps/platform/tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php` for create, supersede, revoke, required note, single-active binding behavior, provider-default-as-canonical-built-in behavior, fake-provider service persistence, and every resolution mode listed in `spec.md`.
- [X] T016 [US2] Create `apps/platform/database/migrations/<timestamp>_create_provider_resource_bindings_table.php` with non-null `workspace_id`, non-null `managed_environment_id`, composite `(managed_environment_id, workspace_id)` foreign key to `managed_environments(id, workspace_id)`, provider/subject/resource descriptor fields, binding status, resolution mode, source references, actor fields, timestamps, indexes, and a PostgreSQL partial unique index on active bindings.
- [X] T017 [US2] Implement `apps/platform/app/Support/Resources/ProviderResourceBindingStatus.php` with `active`, `superseded`, and `revoked`.
- [X] T018 [US2] Implement `apps/platform/app/Support/Resources/ProviderResourceResolutionMode.php` with the modes listed in `spec.md`.
- [X] T019 [US2] Implement `apps/platform/app/Models/ProviderResourceBinding.php` with casts, relationships, active lookup scope, `DerivesWorkspaceIdFromTenant` or equivalent workspace-derivation invariant, and managed-environment/workspace helpers.
- [X] T020 [US2] Implement `apps/platform/database/factories/ProviderResourceBindingFactory.php` with cheap defaults and explicit fake-provider/provider-resource states.
- [X] T021 [US2] Run the PostgreSQL binding migration/index test through `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php`.
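As an added illustration of the T016 schema (not the project's own migration), a Laravel migration that encodes the three integrity rules this phase names: non-null scope columns, the composite `(managed_environment_id, workspace_id)` foreign key, and a PostgreSQL partial unique index as the only active-binding truth. The column names beyond the two scope columns, the index name and the uniqueness tuple are assumptions.

```php
<?php

use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Schema;

return new class extends Migration
{
    public function up(): void
    {
        Schema::create('provider_resource_bindings', function (Blueprint $table) {
            $table->id();
            // Both scope columns are non-null: a binding never exists outside one managed environment.
            $table->foreignId('workspace_id')->constrained()->cascadeOnDelete();
            $table->unsignedBigInteger('managed_environment_id');
            // Composite foreign key: the referenced environment row must carry the same workspace_id, so a
            // binding cannot attach to another workspace's environment. Assumes managed_environments(id, workspace_id) is unique.
            $table->foreign(['managed_environment_id', 'workspace_id'])
                ->references(['id', 'workspace_id'])
                ->on('managed_environments')
                ->cascadeOnDelete();
            // Descriptor and decision fields; these column names are illustrative.
            $table->string('provider_key');
            $table->string('subject_key');      // canonical BaselineSubjectKey string
            $table->json('resource_descriptor')->nullable();
            $table->string('binding_status');   // active | superseded | revoked
            $table->string('resolution_mode');
            $table->json('source_references')->nullable();
            $table->foreignId('decided_by_user_id')->nullable()->constrained('users')->nullOnDelete();
            $table->text('operator_note');
            $table->timestamps();
            $table->index(['managed_environment_id', 'subject_key', 'binding_status']);
        });
        // The only active-binding truth: a PostgreSQL partial unique index, so there is no
        // is_active column that could drift from binding_status. SQLite lanes do not carry this constraint.
        if (DB::getDriverName() === 'pgsql') {
            DB::statement(<<<'SQL'
                CREATE UNIQUE INDEX provider_resource_bindings_active_unique
                ON provider_resource_bindings (managed_environment_id, provider_key, subject_key)
                WHERE binding_status = 'active'
            SQL);
        }
    }

    public function down(): void
    {
        Schema::dropIfExists('provider_resource_bindings');
    }
};
```

With this index in place, a second `active` row for the same environment, provider and subject fails at the database even if the service check is bypassed, which is what the T014 PostgreSQL test is meant to prove.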
## Phase 4: Binding Service, RBAC, And Audit
**Purpose**: Make binding decisions safe, authorized, note-backed, and auditable.
- [X] T022 [P] [US2] Add authorization coverage in `apps/platform/tests/Feature/ProviderResources/ProviderResourceBindingAuthorizationTest.php` for allowed manager, read-only denial, missing capability 403, cross-workspace deny-as-not-found, and cross-managed-environment deny-as-not-found for records and source references.
- [X] T023 [P] [US2] Add audit assertions to `apps/platform/tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php` for create, supersede, exclusion, accepted limitation, unsupported coverage, missing expected, revocation, old binding ID where applicable, new binding ID where applicable, resolution mode, safe source references, and redacted/safe operator note metadata.
- [X] T024 [US2] Implement `apps/platform/app/Policies/ProviderResourceBindingPolicy.php` using existing `workspace_baselines.view` and `workspace_baselines.manage` capability semantics unless the spec is updated first.
- [X] T025 [US2] Register the `ProviderResourceBindingPolicy` in `apps/platform/app/Providers/AuthServiceProvider.php` unless implementation updates `plan.md` with a stronger adjacent provider-registration precedent first.
- [X] T026 [US2] Implement `apps/platform/app/Services/Resources/ProviderResourceBindingService.php` with transactional methods for manual binding, exclusion, accepted limitation, unsupported coverage, missing expected, supersession, and revocation, including provider-connection/provider-key validation and scoped source-reference validation before persistence.
- [X] T027 [US2] Add stable audit action IDs for provider resource binding decisions in `apps/platform/app/Support/Audit/AuditActionId.php`.
- [X] T028 [US2] Ensure service audit metadata excludes secrets, tokens, raw credentials, raw provider payloads, raw Graph response bodies, signed URLs, stack traces, raw sensitive JSON, and unchecked raw operator note text.
- [X] T029 [US2] Run the binding service and authorization feature tests.
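Added example, not the project's code: one shape the T026 supersession method could take, showing the transactional swap, the environment-derived workspace scope, the required note, and audit metadata that records old and new binding IDs and the mode without the raw note text (T023, T028). The audit collaborator, the `Active`/`Superseded` enum case names, the action id string and the column names are assumptions.

```php
<?php
use App\Models\ManagedEnvironment;
use App\Models\ProviderResourceBinding;
use App\Support\Resources\ProviderResourceBindingStatus;
use Illuminate\Support\Facades\DB;

final class ProviderResourceBindingService
{
    // Hypothetical audit collaborator exposing record(string $actionId, array $metadata): void.
    public function __construct(private readonly object $auditLogger) {}
    /** Supersede the active binding for one subject in one environment; returns the new active row. */
    public function supersede(
        ManagedEnvironment $environment, string $subjectKey, string $resolutionMode, string $note, int $actorUserId,
    ): ProviderResourceBinding {
        if (trim($note) === '') {
            throw new \InvalidArgumentException('A binding decision requires an operator note.');
        }
        return DB::transaction(function () use ($environment, $subjectKey, $resolutionMode, $note, $actorUserId) {
            // Lock the current active row so concurrent decisions serialise; the partial unique index is the backstop.
            $old = ProviderResourceBinding::query()
                ->where('managed_environment_id', $environment->id)
                ->where('workspace_id', $environment->workspace_id) // scope from the environment row, not the caller
                ->where('subject_key', $subjectKey)
                ->where('binding_status', ProviderResourceBindingStatus::Active->value)
                ->lockForUpdate()
                ->first();
            $old?->update(['binding_status' => ProviderResourceBindingStatus::Superseded->value]);
            $new = ProviderResourceBinding::create([
                'workspace_id' => $environment->workspace_id,
                'managed_environment_id' => $environment->id,
                'subject_key' => $subjectKey,
                'binding_status' => ProviderResourceBindingStatus::Active->value,
                'resolution_mode' => $resolutionMode,
                'operator_note' => $note,
                'decided_by_user_id' => $actorUserId,
            ]);
            // Audit metadata carries identifiers and the mode only; the raw note stays on the row and the
            // log keeps its length and digest, so its presence is verifiable without copying free text.
            $this->auditLogger->record('provider_resource_binding.superseded', [
                'old_binding_id' => $old?->id,
                'new_binding_id' => $new->id,
                'resolution_mode' => $resolutionMode,
                'note_length' => mb_strlen($note),
                'note_sha256' => hash('sha256', $note),
            ]);
            return $new;
        });
    }
}
```

Authorization is deliberately outside this method: the policy (T024) gates the call on `workspace_baselines.manage`, and a cross-workspace or cross-environment request never reaches the service because the environment is resolved as not-found first (T022).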
## Phase 5: No-Op Runtime Regression
**Purpose**: Prove Spec 381 does not silently change current compare, evidence, review, or report behavior.
- [X] T030 [P] [US3] Add no-op regression coverage in `apps/platform/tests/Feature/Baselines/BaselineCompareProviderResourceBindingNoOpTest.php` proving existing compare behavior does not automatically consume bindings in v1.
- [X] T031 [P] [US3] Add no-op regression coverage in `apps/platform/tests/Feature/Evidence/BaselineDriftPostureSourceTest.php` or a focused adjacent test proving existing evidence posture output is unchanged when bindings exist.
- [X] T032 [P] [US3] Add no-op regression coverage in `apps/platform/tests/Feature/ReviewPack/Spec349ReviewPackResolutionGuidanceTest.php` or a focused adjacent test proving review guidance/readiness does not treat accepted limitation as no-drift in v1.
- [X] T033 [US3] Run targeted existing baseline/evidence/review tests listed in `plan.md`.
- [X] T034 [US3] Confirm the migration does not alter or backfill existing baseline snapshots, baseline snapshot items, inventory items, policy versions, operation runs, evidence snapshots, stored reports, or review packs.
- [X] T035 [US3] Confirm no code path in current baseline compare, evidence readiness, review readiness, or review-pack publication automatically resolves subjects through `ProviderResourceBindingService`; if implementation needs that, stop and prepare Spec 382/385 instead.
## Phase 6: Final Validation And Artifact Hygiene
**Purpose**: Close implementation with bounded proof and no hidden scope.
- [X] T036 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/Resources/ResourceIdentityTest.php tests/Unit/Support/Resources/ProviderResourceDescriptorTest.php tests/Unit/Support/Baselines/BaselineSubjectKeyCanonicalIdentityTest.php`.
- [X] T037 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php tests/Feature/ProviderResources/ProviderResourceBindingAuthorizationTest.php`.
- [X] T038 Run `cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php`.
- [X] T039 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineCompareGapClassificationTest.php tests/Feature/Evidence/BaselineDriftPostureSourceTest.php tests/Feature/ReviewPack/Spec349ReviewPackResolutionGuidanceTest.php`.
- [X] T040 Run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`.
- [X] T041 Run `git diff --check`.
- [X] T042 Scan changed files for secrets, tokens, raw credentials, raw provider payloads, raw Graph payloads, signed URLs, stack traces, SQL errors, and unnecessary customer-sensitive data.
- [X] T043 Complete implementation close-out with Livewire v4 compliance, provider registration location, global-search status, high-impact action handling, asset strategy, validation commands, and deployment impact.
## Non-Goals
- [X] NT001 Do not add a Baseline Subject Resolution UI, Filament resource, route, navigation item, Livewire component, or Blade view.
- [X] NT002 Do not implement baseline matching pipeline consumption, automatic Microsoft built-in mapping, or provider adapter canonicalization.
- [X] NT003 Do not change evidence snapshot readiness, environment review readiness, review-pack publication, or customer-facing output.
- [X] NT004 Do not add Graph calls, provider runtime calls, queued jobs, OperationRun types, terminal notifications, or scheduler behavior.
- [X] NT005 Do not add workspace-level, baseline-profile-specific, or subject-only binding scopes in v1.
- [X] NT006 Do not add an `is_active` column or other duplicate active-binding truth.
- [X] NT007 Do not rewrite completed Spec 163 or Spec 380 artifacts or remove their close-out/completed-task history.
## Dependencies And Ordering
- Phase 1 must complete before code changes.
- Phase 2 identity primitives must exist before descriptors and binding service payloads depend on them.
- Phase 3 migration/model/enums must complete before the service persists decisions.
- Phase 4 policy/service/audit depends on Phase 3 persistence.
- Phase 5 no-op regression runs after bindings can exist.
- Phase 6 runs last.
## Parallel Opportunities
- T007, T008, and T009 can run in parallel.
- T014 and T015 can run in parallel.
- T022 and T023 can run in parallel.
- T030, T031, and T032 can run in parallel.
- Final validation commands T036 through T039 may run in parallel if Sail resources allow.
## Implementation Strategy
1. Prove identity primitives first.
2. Add persistence and PostgreSQL uniqueness.
3. Add authorized/audited service mutations.
4. Prove current compare/evidence/review behavior is unchanged.
5. Run focused validation and stop before follow-up matching/UI/evidence scopes.