TenantAtlas/specs/083-required-permissions-hardening/contracts/routes.md
ahmido 55166cf9b8 Spec 083: Required permissions hardening (canonical /admin/tenants, DB-only, 404 semantics) (#101)
Implements Spec 083 (Canonical Required Permissions manage surface hardening + issues-first UX).

Highlights:
- Enforces canonical route: /admin/tenants/{tenant}/required-permissions
- Legacy tenant-plane URL /admin/t/{tenant}/required-permissions stays non-existent (404)
- Deny-as-not-found (404) for non-workspace members and non-tenant-entitled users
- Strict tenant resolution (no cross-plane fallback)
- DB-only render (no external provider calls on page load)
- Issues-first layout + canonical next-step links (re-run verification -> /admin/onboarding)
- Freshness/stale detection (missing or >30 days -> warning)

Tests (Sail):
- vendor/bin/sail artisan test --compact tests/Feature/RequiredPermissions
- vendor/bin/sail artisan test --compact tests/Unit/TenantRequiredPermissionsFreshnessTest.php tests/Unit/TenantRequiredPermissionsOverallStatusTest.php

Notes:
- Filament v5 / Livewire v4 compliant.
- No destructive actions added in this spec; link-only CTAs.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #101
2026-02-08 23:13:25 +00:00


Route Contract — Spec 083

This contract defines the Required Permissions routes and their 404/403 semantics.

Canonical management surface (must exist)

  • GET /admin/tenants/{tenant}/required-permissions

Identifier contract:

  • {tenant} is Tenant.external_id (Entra tenant GUID)

Authorization contract:

  • Not authenticated → handled by Filament auth middleware
  • Workspace not selected → 404 (deny-as-not-found)
  • Not a workspace member → 404
  • Workspace member but not tenant-entitled (no tenant_memberships row) → 404
  • Tenant-entitled (including read-only) → 200

Action contract:

  • This page is read-only. Mutations are only linked from here and are executed on other surfaces.
  • Mutations on other surfaces must enforce capability checks server-side (missing capability → 403).
  • "Re-run verification" links canonically to the start-verification surface: GET /admin/onboarding (the URL is generated via the route helper, not hardcoded from legacy paths).

Removed tenant-plane route (must 404)

The following route MUST NOT exist and MUST return 404 (no redirects, no aliases):

  • GET /admin/t/{tenant}/required-permissions
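
The authorization contract and the removed-route rule above, written as a single decision function. This is an added example, not TenantAtlas code: the function name, the array shapes, the GUID values and the assumption that each tenant row carries a workspace_id are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical names and constructed data; not TenantAtlas code.
const CANONICAL = '#^/admin/tenants/([^/]+)/required-permissions$#';
const GUID = '/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i';

// Returns the HTTP status for GET $path; null means "unauthenticated, left to auth middleware".
function requiredPermissionsStatus(string $path, ?array $user, array $tenants, array $memberships): ?int
{
    // Only the canonical route is registered, so /admin/t/{tenant}/... falls through to 404.
    if (preg_match(CANONICAL, $path, $m) !== 1) {
        return 404;
    }
    if ($user === null) {
        return null;
    }
    $ws = $user['workspace_id'];
    if ($ws === null || !in_array($ws, $user['workspaces'], true)) {
        return 404; // no workspace selected, or not a member of it
    }
    // Strict resolution: external_id only, inside the selected workspace, no fallback lookup.
    if (preg_match(GUID, $m[1]) !== 1) {
        return 404;
    }
    foreach ($tenants as $t) {
        if (strcasecmp($t['external_id'], $m[1]) !== 0 || $t['workspace_id'] !== $ws) {
            continue;
        }
        foreach ($memberships as $row) {
            if ($row['user_id'] === $user['id'] && $row['tenant_external_id'] === $t['external_id']) {
                return 200; // tenant-entitled, read-only included
            }
        }
    }
    return 404; // unknown tenant and known-but-not-entitled tenant are indistinguishable
}

// Constructed sample data: user 7 is entitled to tenant $a only.
$a = '11111111-1111-4111-8111-111111111111';
$b = '22222222-2222-4222-8222-222222222222';
$tenants = [['external_id' => $a, 'workspace_id' => 1], ['external_id' => $b, 'workspace_id' => 1]];
$memberships = [['user_id' => 7, 'tenant_external_id' => $a]];
$user = ['id' => 7, 'workspace_id' => 1, 'workspaces' => [1]];

foreach (["/admin/tenants/$a/required-permissions", "/admin/tenants/$b/required-permissions",
          "/admin/t/$a/required-permissions"] as $path) {
    printf("%s => %d\n", $path, requiredPermissionsStatus($path, $user, $tenants, $memberships));
}
```

Every denial after authentication shares one status code, so the response does not reveal whether a tenant GUID exists to a caller who is not entitled to it.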