TenantAtlas/specs/072-managed-tenants-workspace-enforcement/tasks.md
Ahmed Darrazi 41672c9a79 feat: workspace-first admin landing
Route /admin based on tenant count in current workspace; add managed-tenants landing; keep tenant selection workspace-scoped; update tests.
2026-02-02 23:58:11 +01:00

Tasks — 072 Managed Tenants workspace context enforcement

Setup

  • T001 Confirm legacy managed-tenants routes and current workspace middleware behavior.

Tests (TDD)

  • T010 Add regression test: /admin/managed-tenants redirects to workspace landing when a workspace is selected.
  • T020 Add regression test: /admin/t/{tenant} is 404 when workspace context is missing.
  • T030 Add regression test: /admin/t/{tenant} is 404 when tenant.workspace_id mismatches current workspace.
  • T040 Add regression test: /admin/choose-tenant redirects to /admin/choose-workspace when workspace is not selected.

Core

  • T100 Create workspace-scoped Managed Tenants landing at /admin/w/{workspace}/managed-tenants.
  • T110 Make unscoped /admin/managed-tenants/* legacy-only (redirect to workspace-scoped URLs).
  • T120 Implement hard enforcement: tenant routes require workspace context and tenant.workspace_id match.
  • T130 Ensure /admin/choose-tenant requires selected workspace.
  • T140 Move Workspaces UI out of tenant routing (serve at /admin/workspaces/*, not /admin/t/{tenant}/workspaces).

UX follow-ups

  • T200 Ensure default tenant selection respects current workspace context.
  • T210 Add a workspace switcher in the user menu (link to Choose Workspace).
  • T220 Add regression tests for workspace switcher + tenant selection.
  • T230 Ensure /admin lands on workspace-first flow (avoid redirecting to tenant registration).
  • T240 After choosing a workspace with zero tenants, route into the workspace Managed Tenants landing (with CTA).
  • T250 Allow workspace owners to register the first tenant in a workspace (bootstrap).

Security hardening (owners / audit / recovery)

  • T260 Enforce rule: workspaces can never have 0 owners (block last-owner removal + demotion).
  • T270 Audit every blocked last-owner attempt with workspace_membership.last_owner_blocked + required metadata.
  • T280 Optional: break-glass recovery flow to re-assign a workspace owner (fully audited).
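
A minimal sketch of the T260/T270 rule, added here as an illustration and not taken from the TenantAtlas code base. Only the event name `workspace_membership.last_owner_blocked` comes from the task list; the function name, role names, and audit metadata fields are assumptions.

```php
<?php
declare(strict_types=1);

// Event name from T270; everything else in this file is hypothetical.
const LAST_OWNER_BLOCKED = 'workspace_membership.last_owner_blocked';

final class LastOwnerException extends RuntimeException {}

/**
 * Apply a role change (or a removal when $newRole is null) to an in-memory
 * membership map [userId => role]. A change that would take the workspace's
 * last owner away is refused and recorded in $auditLog before throwing.
 */
function changeMembership(array $members, int $workspaceId, int $actorId, int $targetId, ?string $newRole, array &$auditLog): array
{
    if (!array_key_exists($targetId, $members)) {
        throw new InvalidArgumentException("User {$targetId} is not a member");
    }
    $after = $members;
    if ($newRole === null) {
        unset($after[$targetId]);        // removal
    } else {
        $after[$targetId] = $newRole;    // promotion or demotion
    }
    // Evaluate the resulting state so removal and demotion share one check.
    $ownersAfter = count(array_keys($after, 'owner', true));
    if ($members[$targetId] === 'owner' && $ownersAfter === 0) {
        $auditLog[] = [
            'action'       => LAST_OWNER_BLOCKED,
            'workspace_id' => $workspaceId,   // assumed metadata fields
            'actor_id'     => $actorId,
            'target_id'    => $targetId,
            'attempted'    => $newRole === null ? 'remove' : "demote:{$newRole}",
        ];
        throw new LastOwnerException('Workspace must keep at least one owner');
    }
    return $after;
}

// Constructed sample data: one owner (user 1) and one operator (user 2).
$audit = [];
$members = [1 => 'owner', 2 => 'operator'];
foreach ([[1, null], [1, 'operator'], [2, 'owner'], [1, 'operator']] as [$target, $role]) {
    try {
        $members = changeMembership($members, 7, 1, $target, $role, $audit);
        echo "applied: user {$target} -> " . ($role ?? 'removed') . PHP_EOL;
    } catch (LastOwnerException $e) {
        echo "blocked: user {$target} -> " . ($role ?? 'removed') . PHP_EOL;
    }
}
echo json_encode($audit, JSON_PRETTY_PRINT) . PHP_EOL;
```

In a database-backed implementation the owner count and the write need to run in one transaction with the owner rows locked; otherwise two concurrent demotions can each see two owners and both succeed.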

Validation

  • T900 Run Pint on dirty files.
  • T910 Run targeted Pest tests.
  • T920 Run targeted Pest tests for last-owner + recovery flow.