ahmido
5bcb4f6ab8
## Summary
- add a canonical queued execution legitimacy contract for actor-bound and system-authority operation runs
- enforce legitimacy before queued jobs transition runs to running across provider, inventory, restore, bulk, sync, and scheduled backup flows
- surface blocked execution outcomes consistently in Monitoring, notifications, audit data, and the tenantless operation viewer
- add Spec 149 artifacts and focused Pest coverage for legitimacy decisions, middleware ordering, blocked presentation, retry behavior, and cross-family adoption
## Testing
- vendor/bin/sail artisan test --compact tests/Unit/Operations/QueuedExecutionLegitimacyGateTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionMiddlewareOrderingTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Verification/ProviderExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/RunInventorySyncExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/ExecuteRestoreRunExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/SystemRunBlockedExecutionNotificationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/BulkOperationExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionRetryReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionContractMatrixTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/OperationRunBlockedExecutionPresentationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionAuditTrailTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/TenantlessOperationRunViewerTest.php
- vendor/bin/sail bin pint --dirty --format agent
## Manual validation
- validated queued provider execution blocking for tenant operability drift in the integrated browser on /admin/operations and /admin/operations/{run}
- validated 404 vs 403 route behavior for non-membership vs in-scope capability denial
- validated initiator-null blocked system-run behavior without creating a user terminal notification
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #179
47 lines
2.6 KiB
PHP
47 lines
2.6 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Support\Operations;
|
|
|
|
enum ExecutionDenialReasonCode: string
|
|
{
|
|
case WorkspaceMismatch = 'workspace_mismatch';
|
|
case TenantNotEntitled = 'tenant_not_entitled';
|
|
case MissingCapability = 'missing_capability';
|
|
case TenantNotOperable = 'tenant_not_operable';
|
|
case TenantMissing = 'tenant_missing';
|
|
case InitiatorMissing = 'initiator_missing';
|
|
case InitiatorNotEntitled = 'initiator_not_entitled';
|
|
case ProviderConnectionInvalid = 'provider_connection_invalid';
|
|
case WriteGateBlocked = 'write_gate_blocked';
|
|
case ExecutionPrerequisiteInvalid = 'execution_prerequisite_invalid';
|
|
|
|
public function denialClass(): ExecutionDenialClass
|
|
{
|
|
return match ($this) {
|
|
self::WorkspaceMismatch, self::TenantNotEntitled, self::TenantMissing => ExecutionDenialClass::ScopeDenied,
|
|
self::MissingCapability => ExecutionDenialClass::CapabilityDenied,
|
|
self::TenantNotOperable => ExecutionDenialClass::TenantNotOperable,
|
|
self::ProviderConnectionInvalid, self::WriteGateBlocked, self::ExecutionPrerequisiteInvalid => ExecutionDenialClass::PrerequisiteInvalid,
|
|
self::InitiatorMissing, self::InitiatorNotEntitled => ExecutionDenialClass::InitiatorInvalid,
|
|
};
|
|
}
|
|
|
|
public function message(): string
|
|
{
|
|
return match ($this) {
|
|
self::WorkspaceMismatch => 'Operation blocked because the queued run no longer matches the current workspace scope.',
|
|
self::TenantNotEntitled => 'Operation blocked because the target tenant is no longer entitled for this run.',
|
|
self::MissingCapability => 'Operation blocked because the initiating actor no longer has the required capability.',
|
|
self::TenantNotOperable => 'Operation blocked because the target tenant is not currently operable for this action.',
|
|
self::TenantMissing => 'Operation blocked because the target tenant could not be resolved at execution time.',
|
|
self::InitiatorMissing => 'Operation blocked because the initiating actor could not be resolved at execution time.',
|
|
self::InitiatorNotEntitled => 'Operation blocked because the initiating actor is no longer entitled to the tenant.',
|
|
self::ProviderConnectionInvalid => 'Operation blocked because the provider connection is no longer valid for the queued scope.',
|
|
self::WriteGateBlocked => 'Operation blocked because write hardening currently refuses execution for this tenant.',
|
|
self::ExecutionPrerequisiteInvalid => 'Operation blocked because the queued execution prerequisites are no longer satisfied.',
|
|
};
|
|
}
|
|
}
|