# Data Model — Remove Legacy Tenant Graph Options

## Summary
This feature is a behavioral refactor only. It changes **how Graph credentials/options are sourced** (provider connection only) and adds a CI guardrail. No schema changes are included.

## Entities (existing)

### Tenant (`app/Models/Tenant.php`)
- **Relevant fields (legacy)**: `app_client_id`, `app_client_secret`, `tenant_id`, `external_id`
- **Relevant method (deprecated)**: `graphOptions(): array`
- **Planned behavior**: `graphOptions()` remains but throws (kill-switch) to prevent legacy use.

### ProviderConnection (`app/Models/ProviderConnection.php`)
- **Used by**: `ProviderConnectionResolver::resolveDefault($tenant, 'microsoft')`
- **Key fields**: `tenant_id`, `provider`, `is_default`, `status`, `entra_tenant_id`

### ProviderCredential (`app/Models/ProviderCredential.php`)
- **Used by**: `CredentialManager::getClientCredentials($connection)` via `ProviderGateway::graphOptions()`
- **Expected payload**: `['client_id' => string, 'client_secret' => string]`

## Relationships (existing)
- `Tenant::providerConnections()` → hasMany `ProviderConnection`
- `ProviderConnection::credential()` → hasOne/hasMany `ProviderCredential` (via relationship method in model)

## Validation / Constraints
- Provider connection resolution must fail deterministically when:
  - No default connection exists for tenant/provider
  - Multiple defaults exist
  - Connection is disabled / needs consent
  - Missing `entra_tenant_id`
  - Missing/invalid credential payload

(These rules are currently enforced by `ProviderConnectionResolver`.)
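
The fail-closed checks listed above, as an added sketch that is not the project's `ProviderConnectionResolver` code. Assumptions: the free function `resolveDefault()`, the `ResolutionFailed` exception, the reason strings, the `credential` array key and the `connected` status value are hypothetical, and plain arrays stand in for the Eloquent models.

```php
<?php
declare(strict_types=1);
// Added sketch: plain arrays stand in for the Eloquent models; status strings are assumed values.
final class ResolutionFailed extends RuntimeException {}

function resolveDefault(array $connections, int $tenantId, string $provider): array
{
    $defaults = array_values(array_filter(
        $connections,
        fn (array $c): bool => $c['tenant_id'] === $tenantId
            && $c['provider'] === $provider
            && $c['is_default'] === true
    ));
    // Exactly one default or refuse: never fall back to "the first" of several.
    if (count($defaults) !== 1) {
        throw new ResolutionFailed($defaults === [] ? 'no_default_connection' : 'multiple_default_connections');
    }
    $conn = $defaults[0];
    if (($conn['status'] ?? null) !== 'connected') {
        throw new ResolutionFailed('connection_not_usable'); // disabled / needs consent
    }
    if (!is_string($conn['entra_tenant_id'] ?? null) || $conn['entra_tenant_id'] === '') {
        throw new ResolutionFailed('missing_entra_tenant_id');
    }
    // Payload must be ['client_id' => string, 'client_secret' => string], both non-empty.
    $cred = $conn['credential'] ?? null;
    foreach (['client_id', 'client_secret'] as $key) {
        if (!is_array($cred) || !is_string($cred[$key] ?? null) || $cred[$key] === '') {
            throw new ResolutionFailed('invalid_credential_payload');
        }
    }
    return ['entra_tenant_id' => $conn['entra_tenant_id'], 'client_id' => $cred['client_id'],
        'client_secret' => $cred['client_secret']];
}

// Constructed rows: tenant 1 is healthy, tenant 2 has two defaults, tenant 3 has none.
$base = ['provider' => 'microsoft', 'is_default' => true, 'status' => 'connected',
    'entra_tenant_id' => 'example-entra-id',
    'credential' => ['client_id' => 'example-id', 'client_secret' => 'example-secret']];
$rows = [['tenant_id' => 1] + $base, ['tenant_id' => 2] + $base, ['tenant_id' => 2] + $base];

foreach ([1, 2, 3] as $tenantId) {
    try {
        resolveDefault($rows, $tenantId, 'microsoft');
        echo "tenant {$tenantId}: resolved\n";
    } catch (ResolutionFailed $e) {
        echo "tenant {$tenantId}: refused ({$e->getMessage()})\n";
    }
}
```

Each refusal carries a fixed reason string and no credential material, so the outcome for a given set of rows is the same on every run and can be logged or asserted on safely.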

## State Transitions
- None added by this feature.

## Out of Scope
- Dropping / migrating tenant credential columns.
- Changing provider resolution semantics.