ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
53dc89e6ef
TenantAtlas/specs/073-unified-managed-tenant-onboarding-wizard/contracts/onboarding-actions.md
ahmido 8e34b6084f 073-unified-managed-tenant-onboarding-wizard (#90) 
Kontext / Ziel
Diese PR liefert den einzigen kanonischen Onboarding-Entry unter /admin/onboarding (workspace-first, tenantless bis zur Aktivierung) und ergänzt einen tenantless OperationRun-Viewer unter /admin/operations/{run} mit membership→404 Semantik.

Was ist enthalten?
Single entry point: /admin/onboarding ist der einzige Einstieg; Legacy Entry Points liefern echte 404 (keine Redirects).
Wizard v1 (Enterprise): idempotentes Identifizieren eines Managed Tenants (per Entra Tenant ID), resumable Session-Flow.
Provider Connection Step: Auswahl oder Erstellung, Secrets werden nie erneut gerendert / nicht in Session-State persistiert.
Verification als OperationRun: async/queued, DB-only Rendering im Wizard (keine Graph-Calls beim Rendern).
Tenantless Run Viewing: /admin/operations/{run} funktioniert ohne ausgewählten Workspace/Tenant, aber bleibt über Workspace-Mitgliedschaft autorisiert (non-member → 404).
RBAC-UX Semantik: non-member → 404, member ohne Capability → UI disabled + tooltip, server-side Action → 403.
Auditability: Aktivierung/Overrides sind auditierbar, stable action IDs, keine Secrets.
Tech / Version-Safety
Filament v5 / Livewire v4.0+ kompatibel.
Laravel 11+: Panel Provider Registrierung in providers.php (unverändert).
Tests / Format
vendor/bin/sail bin pint --dirty
Full suite: vendor/bin/sail artisan test --no-ansi → 984 passed, 5 skipped (exit 0)
Ops / Deployment Notes
Keine zusätzlichen Services vorausgesetzt.
Falls Assets registriert wurden: Deployment weiterhin mit php artisan filament:assets (wie üblich im Projekt).

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.fritz.box>
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #90
2026-02-04 23:30:55 +00:00

81 lines
3.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Onboarding Wizard — Action Contracts (073)
These are conceptual contracts for the wizards server-side actions (Filament / Livewire).
They define inputs/outputs and authorization semantics.
## Identify tenant
- **Purpose:** Upsert or resume onboarding and ensure the managed tenant identity (Entra Tenant ID) is globally unique and bound to a single workspace.
- **Inputs:**
- `entra_tenant_id` (string)
- `environment` (string)
- `name` (string)
- `primary_domain` (string|null)
- `notes` (string|null)
- **Outputs:**
- `managed_tenant_id` (internal DB id)
- `onboarding_session_id`
- `current_step`
- **Errors:**
- 404: workspace not found, actor not a workspace member, or Entra Tenant ID exists in a different workspace (deny-as-not-found)
- 403: actor is a workspace member but lacks onboarding capability
## Select or create Provider Connection
- **Purpose:** Select an existing provider connection in the workspace or create a new one (secrets captured safely).
- **Inputs:**
- `provider_connection_id` (int|null)
- (optional) connection creation fields (non-secret identifiers only)
- **Outputs:**
- `provider_connection_id`
- `is_default` (bool)
- **Errors:**
- 404: connection/tenant not in workspace scope
- 403: member missing capability
## Start verification
- **Purpose:** Start provider connection verification asynchronously.
- **Mechanism:** Create/reuse `OperationRun` of type `provider.connection.check`, enqueue `ProviderConnectionHealthCheckJob`.
- **Inputs:** none (uses selected connection)
- **Outputs:**
- `operation_run_id`
- `status` (queued/running/succeeded/failed)
- **Errors:**
- 404: tenant/connection not in workspace scope
- 403: member missing capability
**View run link contract:**
- The UI must expose a tenantless “View run” URL: `/admin/operations/{run}`.
- Access is granted only if the actor is a member of the runs workspace; otherwise 404 (deny-as-not-found).
## Optional bootstrap actions
- **Purpose:** Start selected post-verify operations as separate runs.
- **Inputs:** list of operation types (must exist in registry)
- **Outputs:** list of `operation_run_id`
- **Errors:**
- 403/404 semantics as above
## Activate (Complete)
- **Purpose:** Activate the managed tenant, making it available in the tenant switcher.
- **Preconditions:** Provider connection exists; verification is not Blocked unless overridden by an owner.
- **Inputs:**
- `override_blocked` (bool, optional)
- `override_reason` (string, required if override)
- **Outputs:**
- `managed_tenant_id`
- `status` (active)
- **Errors:**
- 404: managed tenant not in workspace scope / actor not a member
- 403: actor is a member but not an owner (owner-only activation); or missing capability
**Audit requirement:**
- Any override must record an audit event including the human-entered reason.
## Security & data minimization
- Stored secrets must never be returned.
- Failures are stored as stable reason codes + sanitized messages.
Reference in New Issue View Git Blame Copy Permalink