ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
4db8030f2a
TenantAtlas/specs/080-workspace-managed-tenant-admin/contracts/routes.md
ahmido 3f09fd50f6 feat(spec-080): workspace-managed tenant administration migration (#97) 
Implements Spec 080: split Filament into workspace-managed `/admin/*` (manage) vs tenant operations `/admin/t/{tenant}/*` (operate).

Highlights:
- Adds tenant operations panel (`tenant`) at `/admin/t` with tenancy by `Tenant.external_id`
- Keeps management resources in workspace panel (`admin`) under `/admin/tenants/*`
- Moves Provider Connections to workspace-managed routes: `/admin/tenants/{tenant}/provider-connections`
- Adds discoverability CTA on tenant view (Actions → Provider connections)
- Adds/updates Pest regression tests for routing boundaries, 404/403 RBAC-UX semantics, and global search isolation
- Includes full Spec Kit artifacts under `specs/080-workspace-managed-tenant-admin/`

Validation:
- `vendor/bin/sail bin pint --dirty`
- `vendor/bin/sail artisan test --compact tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php`

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #97
2026-02-07 19:45:13 +00:00

1.6 KiB
Raw Blame History

Route Contract — Spec 080

This document defines the expected user-facing route surfaces and the required 404/403 semantics.

Canonical Management (workspace-scoped)

All of the following are under /admin/* and require:

  • selected workspace context
  • workspace membership (non-member → 404)

Routes:

  • GET /admin/tenants
  • GET /admin/tenants/{tenant}
  • GET /admin/tenants/{tenant}/memberships
  • GET /admin/tenants/{tenant}/provider-connections
  • GET /admin/tenants/{tenant}/provider-connections/{connection}/edit
  • GET /admin/tenants/{tenant}/required-permissions
  • (optional) GET /admin/tenants/{tenant}/onboarding

Identifier contract:

  • {tenant} MUST be Tenant.external_id (Entra tenant GUID)

Authorization contract:

  • member without capability:
    • viewing pages: allowed
    • mutating actions: 403

Canonical Operate (tenant-scoped)

All of the following are under /admin/t/{tenant}/* and require:

  • selected workspace context
  • workspace membership
  • tenant entitlement (non-entitled → 404)

Routes (contract targets for US2 tests):

  • GET /admin/t/{tenant} (tenant dashboard root)
  • GET /admin/t/{tenant}/diagnostics (operational diagnostics page)

Removed Tenant-Scoped Management (must 404)

The following routes MUST NOT exist (no redirects in dev stage):

  • GET /admin/t/{tenant}/provider-connections*
  • GET /admin/t/{tenant}/required-permissions*
  • GET /admin/t/{tenant}/memberships*
  • GET /admin/t/{tenant}/tenants*

Monitoring

  • GET /admin/operations
  • GET /admin/operations/{run}

Monitoring pages are DB-only at render time.