TenantAtlas/specs/303-admin-directory-groups-cutover/tasks.md
ahmido 1cd8d48474 feat: cut over admin directory groups (#358)
## Summary
- cut over `EntraGroupResource` to an environment-bound admin Directory Groups surface in the workspace-first runtime
- adopt workspace-scoped admin list/detail URLs and add the bounded `Directory > Groups` navigation entry in the admin panel
- keep workspace-home navigation clean while preserving existing scoped list, detail, and global-search behavior
- update focused feature coverage and add a browser smoke for the rendered sidebar drilldown path
- include the Spec 303 package under `specs/303-admin-directory-groups-cutover/`

## Testing
- updated focused Pest coverage for admin navigation segregation, Entra group admin scoping, Entra group global search scoping, and directory group browsing
- added browser smoke coverage in `apps/platform/tests/Browser/Spec303AdminDirectoryGroupsCutoverSmokeTest.php`

## Filament / Runtime Notes
- remains compliant with Filament v5 on Livewire v4
- no provider registration changes; provider registration location remains `apps/platform/bootstrap/providers.php`
- `EntraGroupResource` remains eligible for global search because it has a View page
- no destructive actions were added or changed; confirmation and authorization behavior is unchanged
- no asset registration changes; existing `cd apps/platform && php artisan filament:assets` deploy posture is unchanged

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #358
2026-05-14 22:44:44 +00:00

Tasks: Admin Directory Groups Cutover

Input: Design documents from /specs/303-admin-directory-groups-cutover/

Prerequisites: spec.md, plan.md, checklists/requirements.md

Tests: Tests are required. This is a runtime behavior change for Filament navigation, scoped access, and global-search destinations.

Test Governance Checklist

  • Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
  • New or changed tests stay in the smallest honest family; one focused browser smoke was added because rendered Filament sidebar navigation was the changed behavior and feature tests did not prove the real sidebar link.
  • Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default.
  • Planned validation commands cover the change without pulling unrelated lane cost.
  • The declared surface test profile is standard-native-filament plus focused browser-smoke verification for rendered navigation.
  • Any material budget, baseline, trend, or escalation note is recorded in the active spec or PR.

Phase 1: Preparation and Scope Lock

Purpose: Confirm repo truth and keep implementation limited to Entra Groups.

  • T001 Review specs/303-admin-directory-groups-cutover/spec.md, specs/303-admin-directory-groups-cutover/plan.md, specs/303-admin-directory-groups-cutover/tasks.md, and specs/303-admin-directory-groups-cutover/checklists/requirements.md.
  • T002 Review completed context in specs/301-admin-inventory-navigation-cutover/ and specs/302-tenant-owned-surface-route-audit/ without modifying those completed specs.
  • T003 Inspect apps/platform/app/Filament/Resources/EntraGroupResource.php, apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ListEntraGroups.php, apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ViewEntraGroup.php, apps/platform/app/Support/Navigation/NavigationScope.php, apps/platform/app/Support/OperateHub/OperateHubShell.php, apps/platform/app/Filament/Concerns/ScopesGlobalSearchToTenant.php, and apps/platform/app/Filament/Concerns/ResolvesPanelTenantContext.php.
  • T004 Confirm no implementation task introduces migrations, assets, provider registration changes, Graph adapter changes, tenant-panel dead-code deletion, or new group mutation/admin actions.

Phase 2: User Story 1 - Groups are visible inside an active environment context (Priority: P1)

Goal: Entra Groups appears as a secondary Directory surface only inside the active Managed Environment context.

Independent Test: The environment-bound admin context registers and renders Groups navigation while workspace-home/no-context checks remain false.

  • T005 [P] [US1] Update apps/platform/tests/Feature/Filament/PanelNavigationSegregationTest.php so EntraGroupResource is removed from the blanket admin-hidden dataset and covered by environment-visible navigation assertions.
  • T006 [P] [US1] Update apps/platform/tests/Feature/DirectoryGroups/BrowseGroupsTest.php to replace the stale "keeps Entra groups out of admin sidebar navigation" assertion with the new workspace-home-hidden and environment-visible contract.
  • T007 [US1] Update apps/platform/app/Filament/Resources/EntraGroupResource.php so shouldRegisterNavigation() uses the shared environment-navigation rule for the admin panel and still returns false on workspace-home/no-context surfaces.
  • T008 [US1] Verify Directory / Groups navigation labels remain secondary and do not introduce a top-level Identity Center or M365 Admin mirror.

Phase 3: User Story 2 - Workspace home remains clean (Priority: P2)

Goal: Workspace-home navigation stays free of environment-owned Directory Groups entries, even with remembered environment context.

Independent Test: Workspace-home response assertions prove Groups is absent, while environment route assertions prove it is present when allowed.

  • T009 [P] [US2] Extend apps/platform/tests/Feature/Filament/PanelNavigationSegregationTest.php to assert the workspace-home sidebar does not render Groups or a Directory Groups entry when WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY is set.
  • T010 [P] [US2] Extend apps/platform/tests/Feature/Filament/EntraGroupAdminScopeTest.php to cover no-context list access and cross-workspace or invalid remembered-environment denial as not found.
  • T011 [US2] Preserve apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ListEntraGroups.php no-context abort behavior and avoid adding workspace-home recovery shortcuts that reveal group data.
  • T012 [US2] If list empty-state copy is touched in apps/platform/app/Filament/Resources/EntraGroupResource.php, change stale "tenant" wording to managed-environment-safe Directory inventory copy without inventing a refresh operation.

Phase 4: User Story 3 - Global search stays scoped and lands on valid View pages (Priority: P3)

Goal: Global search returns only active-environment group records and opens valid canonical admin View destinations.

Independent Test: Seed groups across environments/workspaces, run global search, and assert result titles and URLs.

  • T013 [P] [US3] Extend apps/platform/tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php to assert no-context admin search returns no results.
  • T014 [P] [US3] Extend apps/platform/tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php to assert cross-environment and cross-workspace matches are excluded.
  • T015 [P] [US3] Extend apps/platform/tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php to assert each result URL resolves to EntraGroupResource View and does not contain /admin/t.
  • T016 [P] [US3] Existing Entra group reference-link tests already cover canonical links; reran them with the Spec 303 suite and did not need additional assertions.
  • T017 [US3] Verify apps/platform/app/Filament/Resources/EntraGroupResource.php::getGlobalSearchResultUrl() still passes the correct Managed Environment context and does not generate tenant-panel URLs.

Phase 5: Route Posture and Scoped Detail Safety

Purpose: Keep route/context changes minimal while making View destinations truthful.

  • T018 Inspect whether adding WorkspaceScopedTenantRoutes to apps/platform/app/Filament/Resources/EntraGroupResource.php is safe with focused URL, list, View, global-search, and resolved-reference tests.
  • T019 Applied WorkspaceScopedTenantRoutes to apps/platform/app/Filament/Resources/EntraGroupResource.php so Groups list/detail URLs use the workspace/environment admin context.
  • T020 Added the bounded explicit Groups navigation item in apps/platform/app/Providers/Filament/AdminPanelProvider.php after browser smoke showed the rendered sidebar did not receive the resource auto-navigation entry.
  • T021 Preserve or extend apps/platform/app/Filament/Resources/EntraGroupResource/Pages/ViewEntraGroup.php authorization so cross-environment and cross-workspace records deny as not found.
  • T022 Confirm apps/platform/app/Filament/Resources/EntraGroupResource.php keeps actions([]) and bulkActions([]) and does not add create/edit/delete/membership/destructive actions.

Phase 6: Regression and Validation

Purpose: Prove the Groups cutover did not regress adjacent migrated surfaces.

  • T023 Run cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/PanelNavigationSegregationTest.php tests/Feature/Filament/AdminTenantSurfaceParityTest.php tests/Feature/Filament/AdminSharedSurfacePanelParityTest.php tests/Feature/Filament/TenantOwnedResourceScopeParityTest.php tests/Feature/Filament/EntraGroupAdminScopeTest.php tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php tests/Feature/Filament/PolicyResourceAdminSearchParityTest.php tests/Feature/Filament/PolicyVersionAdminSearchParityTest.php.
  • T024 Run cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/DirectoryGroups/BrowseGroupsTest.php tests/Feature/Filament/EntraGroupEnterpriseDetailPageTest.php tests/Feature/Filament/EntraGroupResolvedReferencePresentationTest.php tests/Feature/Filament/PolicyVersionResolvedReferenceLinksTest.php tests/Browser/Spec303AdminDirectoryGroupsCutoverSmokeTest.php.
  • T025 Run cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/InventoryCoverageAdminTenantParityTest.php tests/Feature/Filament/InventoryHubDbOnlyTest.php tests/Feature/Filament/InventoryPagesTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactAdminPanelRegistrationTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactEnvironmentContextTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactLegacyTenantPanelGuardTest.php tests/Feature/Operations/LegacyRunRoutesNotFoundTest.php.
  • T026 Run cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent.
  • T027 Run git diff --check from /Users/ahmeddarrazi/Documents/projects/wt-plattform.
  • T028 Confirm git status --short includes only the intended Spec 303 package, Entra Groups implementation files, AdminPanelProvider navigation item, and focused tests.

Dependencies

  • Phase 1 must complete before test or implementation changes.
  • Phase 2 test updates should be written before the navigation implementation in T007.
  • Phase 3 and Phase 4 can proceed in parallel after T007 if different files are owned.
  • Phase 5 route posture must be settled before final global-search URL assertions are considered complete.
  • Phase 6 runs after all implementation tasks are complete.

Parallel Execution Examples

  • T005, T006, T010, T013, T014, T015, and T016 can run in parallel if each worker owns a distinct test file.
  • T011, T017, T021, and T022 can run in parallel after route posture is clear because they touch separate behavior checks.
  • T023, T024, and T025 should run after implementation; they may run independently if the Sail stack is available.

Implementation Strategy

  1. Make tests describe the new admin role contract first.
  2. Change navigation through the smallest existing shared helper path.
  3. Keep route changes minimal and evidence-backed.
  4. Preserve scoped query/search/detail behavior.
  5. Validate adjacent migrated surfaces before handoff.

Explicit Non-Goals

  • Do not create a generic M365 Admin mirror.
  • Do not create a broad Identity Center or Directory suite.
  • Do not add group create/edit/delete, membership mutation, sync mutation, or destructive actions.
  • Do not delete tenant-panel dead code.
  • Do not revive /admin/t routes or add compatibility aliases.
  • Do not introduce migrations, models, jobs, Graph adapters, provider registration changes, or assets.
  • Do not split the navigation contract beyond the minimal test changes needed for Groups.