TenantAtlas/specs/155-tenant-review-layer/quickstart.md
2026-03-21 23:02:02 +01:00

Quickstart: Tenant Review Layer

Goal

Validate the first slice of the Tenant Review Layer locally in Sail using existing evidence snapshots and review-pack infrastructure.

Prerequisites

  1. Start Sail and ensure the application database is migrated.
  2. Seed or create:
    • one workspace
    • one tenant in that workspace
    • one authorized user with tenant access
    • one active evidence snapshot for the tenant
    • findings, permission posture, Entra admin-role report, baseline/drift posture, and operations summary inputs sufficient for review composition

Happy-path walkthrough

  1. Open the tenant admin surface for the target tenant.
  2. Navigate to the tenant review library at /admin/t/{tenant}/reviews.
  3. Create a review from the latest eligible evidence snapshot.
  4. Confirm the created review shows:
    • executive summary
    • open-risk highlights
    • accepted-risk summary
    • permission posture summary
    • baseline/drift posture summary
    • operations health summary
  5. Publish the review once required sections are complete.
  6. Export an executive pack from the published review.
  7. Download the resulting artifact and confirm its section ordering matches the review detail summary.

Authorization checks

  1. As a non-member or wrong-tenant user, open the tenant review library URL.
    • Expected: 404
  2. As a tenant member without tenant_review.manage, attempt create/publish/archive/export.
    • Expected: UI disabled where applicable, server returns 403 on execution.
  3. As a workspace-scoped operator entitled to multiple tenants, open /admin/reviews.
    • Expected: only entitled tenant rows and filter values are visible.
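The three authorization checks above can be pinned down as a Laravel feature test so they run on every change rather than only during manual walkthroughs. This is an added example for this quickstart, not TenantAtlas project code: the `Workspace`, `Tenant` and `User` models with factories, the `tenants()` membership relation, the `grantTenantPermission()` helper and the `POST` create route on the library URL are all assumptions; adjust them to the real models and routes.

```php
<?php
// Added example, not project code. Assumed: Workspace/Tenant/User factories,
// a $user->tenants() membership relation, a hypothetical
// $user->grantTenantPermission($tenant, $permission) helper, and a POST to the
// library URL that creates a review from the latest snapshot.

namespace Tests\Feature;

use App\Models\Tenant;
use App\Models\User;
use App\Models\Workspace;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class TenantReviewAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    private Tenant $tenant;

    protected function setUp(): void
    {
        parent::setUp();
        $workspace = Workspace::factory()->create();
        $this->tenant = Tenant::factory()->for($workspace)->create(['name' => 'visible-tenant']);
    }

    private function libraryUrl(): string
    {
        return "/admin/t/{$this->tenant->id}/reviews";
    }

    public function test_non_member_gets_404(): void
    {
        $outsider = User::factory()->create(); // no tenant access at all

        // 404 rather than 403 so the tenant's existence is not leaked.
        $this->actingAs($outsider)->get($this->libraryUrl())->assertNotFound();
    }

    public function test_member_of_another_tenant_gets_404(): void
    {
        $other = Tenant::factory()->create();
        $user = User::factory()->create();
        $user->tenants()->attach($other); // member elsewhere, not of the target tenant

        $this->actingAs($user)->get($this->libraryUrl())->assertNotFound();
    }

    public function test_member_without_manage_permission_can_read_but_not_mutate(): void
    {
        $viewer = User::factory()->create();
        $viewer->tenants()->attach($this->tenant); // member, but no tenant_review.manage

        $this->actingAs($viewer)->get($this->libraryUrl())->assertOk();

        // Server-side enforcement must hold even if the UI button is merely disabled.
        $this->actingAs($viewer)
            ->post($this->libraryUrl(), ['snapshot' => 'latest'])
            ->assertForbidden();
    }

    public function test_manager_can_create(): void
    {
        $manager = User::factory()->create();
        $manager->tenants()->attach($this->tenant);
        $manager->grantTenantPermission($this->tenant, 'tenant_review.manage');

        $this->actingAs($manager)
            ->post($this->libraryUrl(), ['snapshot' => 'latest'])
            ->assertRedirect();
    }

    public function test_workspace_library_only_lists_entitled_tenants(): void
    {
        $hidden = Tenant::factory()->create(['name' => 'hidden-tenant']);
        $operator = User::factory()->create();
        $operator->tenants()->attach($this->tenant); // entitled to one tenant only

        $this->actingAs($operator)
            ->get('/admin/reviews')
            ->assertOk()
            ->assertSee($this->tenant->name)
            ->assertDontSee($hidden->name);
    }
}
```

Run it inside Sail with `sail artisan test --filter TenantReviewAuthorizationTest`. The mutation test deliberately asserts a 403 from the server rather than inspecting the disabled UI control, because the UI state is only a convenience and a client can submit the request directly.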

Immutability checks

  1. Publish a tenant review.
  2. Change the underlying findings or posture data.
  3. Re-open the published review.
    • Expected: published review remains unchanged.
  4. Create a refreshed successor review.
    • Expected: the successor uses the updated evidence while the published review remains historical.

Export checks

  1. Export the executive pack twice from the same unchanged published review.
    • Expected: duplicate-prevention semantics prevent a second, accidental final artifact from being created.
  2. Attempt export from a review missing required sections.
    • Expected: export is blocked with a clear readiness reason.
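The immutability checks and the export checks above both start from the same fixture, a published review composed from an evidence snapshot, so one feature test class can cover both. This is an added example for this quickstart, not TenantAtlas project code: the `EvidenceSnapshot` and `Finding` factories, the `TenantReviewComposer` service, the `sections` payload shape, the `publish()`/`export()` methods and the `artifacts()` relation are all assumed names, to be replaced with the project's real ones.

```php
<?php
// Added example, not project code. Assumed: EvidenceSnapshot and Finding
// factories, a hypothetical TenantReviewComposer::compose($tenant, $snapshot)
// returning a TenantReview, a persisted `sections` array with an
// 'open_risk' => ['count' => n] entry, publish()/export() methods, an
// artifacts() relation, and a hypothetical ReviewNotReadyException.

namespace Tests\Feature;

use App\Exceptions\ReviewNotReadyException;
use App\Models\EvidenceSnapshot;
use App\Models\Finding;
use App\Models\Tenant;
use App\Services\TenantReviewComposer;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class TenantReviewImmutabilityAndExportTest extends TestCase
{
    use RefreshDatabase;

    private Tenant $tenant;
    private EvidenceSnapshot $snapshot;

    protected function setUp(): void
    {
        parent::setUp();
        $this->tenant = Tenant::factory()->create();
        $this->snapshot = EvidenceSnapshot::factory()->for($this->tenant)->create();
        Finding::factory()->count(3)->for($this->snapshot)->create(['status' => 'open']);
    }

    public function test_published_review_is_frozen_and_successor_sees_new_evidence(): void
    {
        $composer = app(TenantReviewComposer::class);

        $review = $composer->compose($this->tenant, $this->snapshot);
        $review->publish();
        $frozen = $review->fresh()->sections; // persisted at publish time

        // Change the underlying evidence after publication.
        Finding::factory()->count(2)->for($this->snapshot)->create(['status' => 'open']);

        // Re-reading the published review must not recompute from live data.
        $this->assertSame($frozen, $review->fresh()->sections);
        $this->assertSame(3, $review->fresh()->sections['open_risk']['count']);

        // A refreshed successor reflects the updated evidence.
        $successor = $composer->compose($this->tenant, $this->snapshot);
        $this->assertSame(5, $successor->sections['open_risk']['count']);
        $this->assertNotSame($review->id, $successor->id);
    }

    public function test_exporting_twice_from_unchanged_review_yields_one_artifact(): void
    {
        $review = app(TenantReviewComposer::class)->compose($this->tenant, $this->snapshot);
        $review->publish();

        $first = $review->export();
        $second = $review->export(); // same unchanged published review

        $this->assertSame($first->id, $second->id);
        $this->assertCount(1, $review->fresh()->artifacts);
    }

    public function test_export_is_blocked_when_required_sections_are_missing(): void
    {
        $review = app(TenantReviewComposer::class)->compose($this->tenant, $this->snapshot);
        $review->sections = []; // simulate a review with no completed sections
        $review->save();

        $this->expectException(ReviewNotReadyException::class);
        $review->export();
    }
}
```

The first test encodes the design rule behind the immutability check: a published review is a stored record of what was true at publish time, and reads must serve that record rather than recompose from current findings. The export tests pin the duplicate-prevention and readiness behaviour so a regression shows up as a failing test instead of a stray second artifact.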