## Summary
- add the shared trusted-state model and resolver helpers for first-slice Livewire and Filament surfaces
- harden managed tenant onboarding, tenant required permissions, and system runbooks against forged or stale public state
- add focused Pest guard and regression coverage plus the complete spec 152 artifact set
## Validation
- `vendor/bin/sail artisan test --compact`
- manual smoke validated on `/admin/onboarding/{onboardingDraft}`
- manual smoke validated on `/admin/tenants/{tenant}/required-permissions`
- manual smoke validated on `/system/ops/runbooks`
## Notes
- Livewire v4.0+ / Filament v5 stack unchanged
- no new panels, routes, assets, or global-search changes
- provider registration remains in `bootstrap/providers.php`
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #182
{
|
|
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
"$id": "https://tenantpilot.local/contracts/trusted-state-guard.schema.json",
|
|
"title": "Trusted State Guard Policy",
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": [
|
|
"component",
|
|
"plane",
|
|
"locked_identities",
|
|
"locked_identity_fields",
|
|
"server_derived_authority",
|
|
"server_derived_authority_fields",
|
|
"mutable_selectors",
|
|
"mutable_selector_fields",
|
|
"forbidden_public_authority_fields"
|
|
],
|
|
"properties": {
|
|
"component": {
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"plane": {
|
|
"type": "string",
|
|
"enum": [
|
|
"admin_workspace",
|
|
"admin_tenant",
|
|
"system_platform"
|
|
]
|
|
},
|
|
"locked_identities": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/$defs/trustedField"
|
|
}
|
|
},
|
|
"locked_identity_fields": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/$defs/trustedField"
|
|
}
|
|
},
|
|
"server_derived_authority": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/$defs/trustedField"
|
|
}
|
|
},
|
|
"server_derived_authority_fields": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/$defs/trustedField"
|
|
}
|
|
},
|
|
"mutable_selectors": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/$defs/trustedField"
|
|
}
|
|
},
|
|
"mutable_selector_fields": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/$defs/trustedField"
|
|
}
|
|
},
|
|
"forbidden_public_authority_fields": {
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string",
|
|
"minLength": 1
|
|
}
|
|
}
|
|
},
|
|
"$defs": {
|
|
"trustedField": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"required": [
|
|
"name",
|
|
"state_class",
|
|
"php_type",
|
|
"source_of_truth",
|
|
"used_for_protected_action",
|
|
"revalidation_required",
|
|
"implementation_markers",
|
|
"notes"
|
|
],
|
|
"properties": {
|
|
"name": {
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"state_class": {
|
|
"type": "string",
|
|
"enum": [
|
|
"presentation",
|
|
"locked_identity",
|
|
"server_derived_authority"
|
|
]
|
|
},
|
|
"php_type": {
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"source_of_truth": {
|
|
"type": "string",
|
|
"enum": [
|
|
"route_binding",
|
|
"workspace_context",
|
|
"tenant_panel_context",
|
|
"persisted_onboarding_draft",
|
|
"allowed_tenant_universe",
|
|
"explicit_scoped_query",
|
|
"presentation_only"
|
|
]
|
|
},
|
|
"used_for_protected_action": {
|
|
"type": "boolean"
|
|
},
|
|
"revalidation_required": {
|
|
"type": "boolean"
|
|
},
|
|
"implementation_markers": {
|
|
"type": "array",
|
|
"minItems": 1,
|
|
"items": {
|
|
"type": "string",
|
|
"minLength": 1
|
|
}
|
|
},
|
|
"notes": {
|
|
"type": "string",
|
|
"minLength": 1
|
|
}
|
|
}
|
|
}
|
|
}
|
|
} |
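Review bot: Nothing ties a bucket to its item's `state_class` — `locked_identities` and `server_derived_authority` (and their `_fields` twins) all take a bare `#/$defs/trustedField`, so a policy that lists a field under `locked_identities` with `"state_class": "presentation"` still validates, and the trust boundary this schema is meant to pin then rests on whatever the resolver happens to read. For each bucket, narrow `items` to the matching class, e.g. `"items": {"allOf": [{"$ref": "#/$defs/trustedField"}, {"properties": {"state_class": {"const": "locked_identity"}}}]}` for `locked_identities` and `"const": "server_derived_authority"` for the two `server_derived_authority` arrays; `mutable_selectors` presumably maps to `presentation`, which the PR should confirm. The paired `X`/`X_fields` arrays share one item schema with no way to express that a pair must agree, so the policy documentation should state which of the two the resolver treats as authoritative, or the duplicate should be dropped. The string arrays (`forbidden_public_authority_fields`, `implementation_markers`) would also benefit from `"uniqueItems": true` so a repeated name cannot hide a missing one.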