ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
5f9e6fb04a
TenantAtlas/specs/072-managed-tenants-workspace-enforcement/tasks.md
ahmido 5f9e6fb04a feat: workspace-first managed tenants + RBAC membership UI fixes (072) (#87) 
Implements spec 072 (workspace-first managed tenants enforcement) and follow-up RBAC fixes.

Highlights:
- Workspace-scoped managed tenants landing and enforcement for tenant routes.
- Workspace membership management UI fixed to use workspace capabilities.
- Membership tables now show user email + domain for clearer identification.

Tests:
- Targeted Pest tests for routing/enforcement and RBAC UI enforcement.
- Pint ran on dirty files.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #87
2026-02-02 23:54:22 +00:00

41 lines
2.4 KiB
Markdown
Raw Blame History

# Tasks — 072 Managed Tenants workspace context enforcement
## Setup
- [x] T001 Confirm legacy managed-tenants routes and current workspace middleware behavior.
## Tests (TDD)
- [x] T010 Add regression test: `/admin/managed-tenants` redirects to workspace landing when a workspace is selected.
- [x] T020 Add regression test: `/admin/t/{tenant}` is 404 when workspace context is missing.
- [x] T030 Add regression test: `/admin/t/{tenant}` is 404 when tenant.workspace_id mismatches current workspace.
- [x] T040 Add regression test: `/admin/choose-tenant` redirects to `/admin/choose-workspace` when workspace is not selected.
## Core
- [x] T100 Create workspace-scoped Managed Tenants landing at `/admin/w/{workspace}/managed-tenants`.
- [x] T110 Make unscoped `/admin/managed-tenants/*` legacy-only (redirect to workspace-scoped URLs).
- [x] T120 Implement hard enforcement: tenant routes require workspace context and tenant.workspace_id match.
- [x] T130 Ensure `/admin/choose-tenant` requires selected workspace.
- [x] T140 Move Workspaces UI out of tenant routing (serve at `/admin/workspaces/*`, not `/admin/t/{tenant}/workspaces`).
## UX follow-ups
- [x] T200 Ensure default tenant selection respects current workspace context.
- [x] T210 Add a workspace switcher in the user menu (link to Choose Workspace).
- [x] T220 Add regression tests for workspace switcher + tenant selection.
- [x] T230 Ensure `/admin` lands on workspace-first flow (avoid redirecting to tenant registration).
- [x] T240 After choosing a workspace with zero tenants, route into the workspace Managed Tenants landing (with CTA).
- [x] T250 Allow workspace owners to register the first tenant in a workspace (bootstrap).
## Security hardening (owners / audit / recovery)
- [x] T260 Enforce rule: workspaces can never have 0 owners (block last-owner removal + demotion).
- [x] T270 Audit every blocked last-owner attempt with `workspace_membership.last_owner_blocked` + required metadata.
- [x] T280 Optional: break-glass recovery flow to re-assign a workspace owner (fully audited).
## Follow-up bugfix
- [x] T300 Fix Workspaces → Memberships UI enforcement to use workspace capabilities (not tenant capabilities).
- [x] T310 Add regression tests for WorkspaceMemberships relation manager action enable/disable.
## Validation
- [x] T900 Run Pint on dirty files.
- [x] T910 Run targeted Pest tests.
- [x] T920 Run targeted Pest tests for last-owner + recovery flow.
Reference in New Issue View Git Blame Copy Permalink