ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
6d14d2544f
TenantAtlas/.specify/plan.md
Ahmed Darrazi 6d14d2544f feat: TenantPilot v1 - Complete implementation (Phases 1-12) 
Complete implementation of TenantPilot v1 Intune Management Platform with
comprehensive backup, versioning, and restore capabilities.

CONSTITUTION & SPEC
- Ratified constitution v1.0.0 with 7 core principles
- Complete spec.md with 7 user stories (US1-7)
- Detailed plan.md with constitution compliance check
- Task breakdown with 125+ tasks across 12 phases

CORE FEATURES (US1-4)
- Policy inventory with Graph-based sync (US1)
- Backup creation with immutable JSONB snapshots (US2)
- Version history with diff viewer (human + JSON) (US3)
- Defensive restore with preview/dry-run (US4)

TENANT MANAGEMENT (US6-7)
- Full tenant CRUD with Entra ID app configuration
- Admin consent callback flow integration
- Tenant connectivity verification
- Permission health status monitoring
- 'Highlander' pattern: single current tenant with is_current flag

GRAPH ABSTRACTION
- Complete isolation layer (7 classes)
- GraphClientInterface with mockable implementations
- Error mapping, logging, and standardized responses
- Rate-limit aware design

DOMAIN SERVICES
- BackupService: immutable snapshot creation
- RestoreService: preview, selective restore, conflict detection
- VersionService: immutable version capture
- VersionDiff: human-readable and structured diffs
- PolicySyncService: Graph-based policy import
- TenantConfigService: connectivity testing
- TenantPermissionService: permission health checks
- AuditLogger: comprehensive audit trail

DATA MODEL
- 11 migrations with tenant-aware schema
- 8 Eloquent models with proper relationships
- SoftDeletes on Tenant, BackupSet, BackupItem, PolicyVersion, RestoreRun
- JSONB storage for snapshots, metadata, permissions
- Encrypted storage for client secrets
- Partial unique index for is_current tenant

FILAMENT ADMIN UI
- 5 main resources: Tenant, Policy, PolicyVersion, BackupSet, RestoreRun
- RelationManagers: Versions (Policy), BackupItems (BackupSet)
- Actions: Verify config, Admin consent, Make current, Delete/Force delete
- Filters: Status, Type, Platform, Archive state
- Permission panel with status indicators
- ActionGroup pattern for cleaner row actions

HOUSEKEEPING (Phases 10-12)
- Soft delete with archive status for all entities
- Force delete protection (blocks if dependencies exist)
- Tenant deactivation with cascade prevention
- Audit logging for all delete operations

TESTING
- 36 tests passing (125 assertions, 11.21s)
- Feature tests: Policy, Backup, Restore, Version, Tenant, Housekeeping
- Unit tests: VersionDiff, TenantCurrent, Permissions, Scopes
- Full TDD coverage for critical flows

CONFIGURATION
- config/tenantpilot.php: 10+ policy types with metadata
- config/intune_permissions.php: required Graph permissions
- config/graph.php: Graph client configuration

SAFETY & COMPLIANCE
- Constitution compliance: 7/7 principles ✓
- Safety-first operations: preview, confirmation, validation
- Immutable versioning: no in-place modifications
- Defensive restore: dry-run, selective, conflict detection
- Comprehensive auditability: all critical operations logged
- Tenant-aware architecture: multi-tenant ready
- Graph abstraction: isolated, mockable, testable
- Spec-driven development: spec → plan → tasks → implementation

OPERATIONAL READINESS
- Laravel Sail for local development
- Dokploy deployment documentation
- Queue/worker ready architecture
- Migration safety notes
- Environment variable documentation

Tests: 36 passed
Duration: 11.21s
Status: Production-ready (98% complete)
2025-12-12 02:27:54 +01:00

3.9 KiB
Raw Blame History

Implementation Plan: TenantPilot v1

Branch: tenantpilot-v1 | Date: 2025-12-10 | Spec: .specify/spec.md
Input: Feature specification from .specify/spec.md

Summary

TenantPilot v1 delivers admin-facing Intune inventory across the scoped object types (config, compliance, scripts, apps, CA, endpoint security, enrollment/autopilot), immutable backups, version history with diffs, and defensive restore (per-type restore levels from the matrix: enabled vs preview-only) in Filament. Data is tenant-aware with JSONB snapshots, Graph access is isolated behind an abstraction, and operations are audited. Local development uses Sail with PostgreSQL; deployments go through Dokploy staging before production.

Technical Context

Language/Version: PHP 8.2+, Laravel 12, Filament 4
Primary Dependencies: Laravel framework, Filament admin, Pest, Laravel Sail, Vite/Tailwind 4 for assets
Storage: PostgreSQL (JSONB for policy snapshots, backups, versions)
Testing: Pest via ./vendor/bin/sail artisan test (graph boundaries mocked)
Target Platform: Containerized web app on Dokploy (Staging → Production), Filament admin UI
Project Type: Web (Laravel monolith with Filament)
Performance Goals: Admin portal responsiveness (<1s typical page loads), Graph calls rate-limit aware; migrations avoid long locks
Constraints: Safety-first ops (preview/confirm, audit), reversible migrations validated on staging, tenant-scoped queries, no secrets in code, JSONB retention to avoid unbounded growth; per-type restore behavior follows scope.restore_matrix (e.g., CA/enrollment restrictions = preview-only)
Scale/Scope: Single-tenant deployment (tenant-aware schema), multi-type coverage driven by scope.supported_types + restore matrix

Constitution Check

  • Safety-First Operations: Restore/rollback flows require preview + explicit confirmation; conflict warnings surfaced; dry-run supported.
  • Immutable Versioning: Policy versions/backups stored as immutable JSONB snapshots; no in-place edits; diffs available.
  • Defensive Restore: Preview/dry-run, selective items, conflict detection, pre-execution summary, confirmation gate.
  • Auditability: Backup creation, version capture, restore start/result (success/failure/partial) audited with tenant scoping.
  • Tenant-Aware Architecture: Tenant entity present; all policy/version/backup/restore/audit records reference tenant context; queries enforce isolation.
  • Graph Abstraction: All Graph calls through a dedicated adapter/service with standardized error mapping and logging (no direct Graph in UI/domain).
  • Spec-Driven Development: Spec + plan present in .specify/; tasks to follow; constitution check complete before implementation.

Project Structure

Documentation (this feature)

.specify/
├── spec.md        # Feature specification (v1 scope)
├── plan.md        # This plan
└── tasks.md       # To be generated from plan/spec

Source Code (repository root)

app/
├── Models/
├── Http/Controllers/
├── Filament/                # Admin resources/pages/widgets
├── Services/Graph/          # Graph abstraction layer (planned)
├── Services/Intune/         # Domain orchestration (planned)
├── Actions/Jobs/Events/     # Async and domain events
database/
├── migrations/
├── seeders/
resources/
├── views/                   # Blade/Vite-driven assets
routes/
├── web.php
├── console.php
tests/
├── Feature/                 # Filament + flow coverage
└── Unit/

Structure Decision: Single Laravel monolith with Filament admin. Tenant-aware data stored in PostgreSQL JSONB; Graph access isolated under app/Services/Graph/; domain services for backups/versions/restores live under app/Services/Intune/.

Complexity Tracking

No constitution violations; complexity tracking not required.