## Summary - add the provider boundary catalog, boundary support types, and guardrails for platform-core versus provider-owned seams - harden provider gateway, identity resolution, operation registry, and start-gate behavior to require explicit provider bindings - add unit and feature coverage for boundary classification, runtime preservation, unsupported paths, and platform-core leakage guards - add the full Spec Kit artifact set for spec 237 and update roadmap/spec-candidate tracking ## Validation - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Providers/ProviderBoundaryClassificationTest.php tests/Unit/Providers/ProviderBoundaryGuardrailTest.php tests/Feature/Providers/ProviderBoundaryHardeningTest.php tests/Feature/Providers/UnsupportedProviderBoundaryPathTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Providers/ProviderGatewayTest.php tests/Unit/Providers/ProviderIdentityResolverTest.php tests/Unit/Providers/ProviderOperationStartGateTest.php` - `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` - browser smoke: `http://localhost/admin/provider-connections?tenant_id=18000000-0000-4000-8000-000000000180` loaded with the local smoke user, the empty-state CTA reached the canonical create route, and cancel returned to the scoped list Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #273
76 lines
3.3 KiB
PHP
<?php
|
|
|
|
use App\Services\Providers\ProviderOperationRegistry;
|
|
use App\Support\Providers\Boundary\ProviderBoundaryCatalog;
|
|
use App\Support\Providers\Boundary\ProviderBoundaryOwner;
|
|
|
|
it('blocks undocumented provider terms in platform-core seams', function (): void {
|
|
$result = app(ProviderBoundaryCatalog::class)->evaluateChange(
|
|
seamKey: 'provider.identity_resolution',
|
|
filePath: 'app/Services/Providers/ProviderIdentityResolution.php',
|
|
proposedOwner: ProviderBoundaryOwner::PlatformCore,
|
|
providerSpecificTerms: ['client_request_id'],
|
|
);
|
|
|
|
expect($result['status'])->toBe(ProviderBoundaryCatalog::STATUS_BLOCKED)
|
|
->and($result['violation_code'])->toBe(ProviderBoundaryCatalog::VIOLATION_PLATFORM_CORE_PROVIDER_LEAK)
|
|
->and($result['suggested_follow_up'])->toBe('follow-up-spec');
|
|
});
|
|
|
|
it('requires review for documented current-release exceptions on platform-core seams', function (): void {
|
|
$result = app(ProviderBoundaryCatalog::class)->evaluateChange(
|
|
seamKey: 'provider.identity_resolution',
|
|
filePath: 'app/Services/Providers/ProviderIdentityResolver.php',
|
|
proposedOwner: 'platform_core',
|
|
providerSpecificTerms: ['entra_tenant_id'],
|
|
);
|
|
|
|
expect($result['status'])->toBe(ProviderBoundaryCatalog::STATUS_REVIEW_REQUIRED)
|
|
->and($result['violation_code'])->toBe(ProviderBoundaryCatalog::VIOLATION_NONE)
|
|
->and($result['suggested_follow_up'])->toBe('follow-up-spec');
|
|
});
|
|
|
|
it('allows provider-specific terms inside provider-owned seams', function (): void {
|
|
$result = app(ProviderBoundaryCatalog::class)->evaluateChange(
|
|
seamKey: 'provider.gateway_runtime',
|
|
filePath: 'app/Services/Providers/ProviderGateway.php',
|
|
proposedOwner: ProviderBoundaryOwner::ProviderOwned,
|
|
providerSpecificTerms: ['client_request_id', 'client_secret'],
|
|
);
|
|
|
|
expect($result['status'])->toBe(ProviderBoundaryCatalog::STATUS_ALLOWED)
|
|
->and($result['violation_code'])->toBe(ProviderBoundaryCatalog::VIOLATION_NONE);
|
|
});
|
|
|
|
it('keeps operation definitions separate from provider bindings', function (): void {
|
|
$registry = app(ProviderOperationRegistry::class);
|
|
|
|
$definition = $registry->get('provider.connection.check');
|
|
$binding = $registry->bindingFor('provider.connection.check', 'microsoft');
|
|
|
|
expect($definition)->toMatchArray([
|
|
'operation_type' => 'provider.connection.check',
|
|
'module' => 'health_check',
|
|
'label' => 'Provider connection check',
|
|
'required_capability' => \App\Support\Auth\Capabilities::PROVIDER_RUN,
|
|
]);
|
|
|
|
expect($binding)->toMatchArray([
|
|
'provider' => 'microsoft',
|
|
'binding_status' => ProviderOperationRegistry::BINDING_ACTIVE,
|
|
]);
|
|
});
|
|
|
|
it('blocks provider binding metadata when it is proposed as platform-core truth', function (): void {
|
|
$result = app(ProviderBoundaryCatalog::class)->evaluateChange(
|
|
seamKey: 'provider.operation_registry',
|
|
filePath: 'app/Services/Providers/ProviderOperationRegistry.php',
|
|
proposedOwner: ProviderBoundaryOwner::PlatformCore,
|
|
providerSpecificTerms: ['microsoft'],
|
|
introducesNewBinding: true,
|
|
);
|
|
|
|
expect($result['status'])->toBe(ProviderBoundaryCatalog::STATUS_BLOCKED)
|
|
->and($result['violation_code'])->toBe(ProviderBoundaryCatalog::VIOLATION_PROVIDER_BINDING_AS_PRIMARY_TRUTH);
|
|
});
|
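Review bot: The second case passes `proposedOwner: 'platform_core'` as a bare string while the other four pass `ProviderBoundaryOwner::PlatformCore`; if the string form is deliberately exercised to prove that evaluateChange() accepts both representations, say so in the test name or a short comment, otherwise use the enum so the guardrail tests agree on one owner type. Relatedly, the first case targets `app/Services/Providers/ProviderIdentityResolution.php` whereas the second case (and the PR summary) refer to `ProviderIdentityResolver.php`; if that difference is intentional — a path outside the documented exception — a comment such as `// deliberately not the documented-exception file` would make clear that the BLOCKED outcome comes from the undocumented term and not from a path the catalog simply does not know, which is what a leak guard must actually prove. The `\App\Support\Auth\Capabilities::PROVIDER_RUN` reference in the operation-definition assertion would read more consistently as a `use App\Support\Auth\Capabilities;` import alongside the other three.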