ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
58f9bb7355
TenantAtlas/specs/237-provider-boundary-hardening/data-model.md
ahmido bd26e209de
Some checks failed
Main Confidence / confidence (push) Failing after 57s
Details
feat: harden provider boundaries (#273) 
## Summary
- add the provider boundary catalog, boundary support types, and guardrails for platform-core versus provider-owned seams
- harden provider gateway, identity resolution, operation registry, and start-gate behavior to require explicit provider bindings
- add unit and feature coverage for boundary classification, runtime preservation, unsupported paths, and platform-core leakage guards
- add the full Spec Kit artifact set for spec 237 and update roadmap/spec-candidate tracking

## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Providers/ProviderBoundaryClassificationTest.php tests/Unit/Providers/ProviderBoundaryGuardrailTest.php tests/Feature/Providers/ProviderBoundaryHardeningTest.php tests/Feature/Providers/UnsupportedProviderBoundaryPathTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Providers/ProviderGatewayTest.php tests/Unit/Providers/ProviderIdentityResolverTest.php tests/Unit/Providers/ProviderOperationStartGateTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- browser smoke: `http://localhost/admin/provider-connections?tenant_id=18000000-0000-4000-8000-000000000180` loaded with the local smoke user, the empty-state CTA reached the canonical create route, and cancel returned to the scoped list

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #273
2026-04-24 21:05:37 +00:00

5.1 KiB
Raw Blame History

Data Model: Provider Boundary Hardening

Overview

The first slice introduces one explicit seam-ownership catalog with binary ownership plus documented exception metadata, one split between shared operation definition and provider binding, and one deterministic guard result shape. No new database persistence is introduced.

Entity: ProviderBoundarySeam

  • Purpose: Declares whether a touched seam is provider-owned or platform-core, and records any documented current-release exception metadata that remains temporarily allowed.
  • Identity:
    • seam_key — stable catalog key such as provider.gateway_runtime, provider.identity_resolution, or provider.operation_registry
  • Core fields:
    • owner
    • description
    • implementation_paths[]
    • neutral_terms[]
    • retained_provider_semantics[]
    • follow_up_action
  • Owner values:
    • provider_owned
    • platform_core
  • Validation rules:
    • Every first-slice seam must have exactly one owner classification.
    • platform_core seams must list the neutral platform terms they preserve.
    • Any seam that retains provider-specific semantics must list them in retained_provider_semantics[] and pair them with an explicit follow_up_action.
    • implementation_paths[] must reference real code paths used by tests and review guardrails.

Authoritative first-slice seam inventory

  • provider.gateway_runtimeProviderGateway.php, MicrosoftGraphOptionsResolver.php
  • provider.identity_resolutionProviderIdentityResolution.php, ProviderIdentityResolver.php, PlatformProviderIdentityResolver.php
  • provider.connection_resolutionProviderConnectionResolver.php, ProviderConnectionResolution.php
  • provider.operation_registryProviderOperationRegistry.php
  • provider.operation_start_gateProviderOperationStartGate.php

Entity: ProviderOperationDefinition

  • Purpose: Represents the platform-core definition of a provider-backed operation without silently embedding provider truth.
  • Identity:
    • operation_type
  • Core fields:
    • module_key
    • label
    • required_capability
  • Validation rules:
    • The definition must not require a provider field as its primary identity.
    • Labels and module keys remain shared orchestration truth and do not encode Microsoft-specific vocabulary by default.
    • Operation type values remain unchanged in this slice.

Entity: ProviderOperationBinding

  • Purpose: Connects one shared operation definition to the current provider-owned runtime behavior.
  • Fields:
    • operation_type
    • provider
    • binding_status
    • handler_notes
    • exception_notes
  • Binding status values:
    • active
    • unsupported
  • Validation rules:
    • Every binding must reference an existing operation_type.
    • Missing binding is explicit and must not fall back silently to Microsoft behavior.
    • Provider-specific notes remain secondary to the platform-core operation definition.

Entity: ProviderBoundaryCheckResult

  • Purpose: Shared deterministic result used by tests and review guardrails.
  • Fields:
    • status
    • seam_key
    • file_path
    • violation_code
    • message
    • suggested_follow_up
  • Status values:
    • allowed
    • review_required
    • blocked
  • Violation code examples:
    • platform_core_provider_leak
    • undeclared_exception
    • missing_provider_binding
    • provider_binding_as_primary_truth
  • Validation rules:
    • allowed means the touched seam matches its declared ownership.
    • review_required means the seam has documented exception metadata or needs explicit follow-up.
    • blocked means the touched change violates the seam ownership or provider-binding rules.

Relationships

  • One ProviderBoundarySeam may cover multiple implementation paths.
  • One ProviderOperationDefinition may have one current ProviderOperationBinding in the first slice because only Microsoft runtime support exists today.
  • One ProviderBoundaryCheckResult references exactly one seam evaluation, but a review may emit multiple results across multiple touched files.

Lifecycle

Boundary seam lifecycle

  • provider_owned: provider-specific semantics are allowed inside the seam.
  • platform_core: provider-specific semantics are blocked unless explicitly extracted.
  • platform_core with documented exception metadata: named provider-specific details remain temporarily allowed only while the seam records the retained semantics and explicit follow-up action.

Operation binding lifecycle

  • active: current provider runtime is explicitly supported for the operation.
  • unsupported: the operation definition exists, but the current seam must fail explicitly instead of inheriting default provider behavior.

Rollout Model

  • The first slice keeps the catalog in code, not in the database.
  • Existing Microsoft-backed runtime behavior remains the only shipped provider binding.
  • Shared identity resolution and operation registry cleanup happen before any persistence or UI neutrality changes.
  • Deeper target-scope and provider-connection neutrality remain follow-up work.