TenantAtlas/specs/381-provider-resource-identity-binding/implementation-close-out.md
ahmido 04d0d6184f feat(resources): implement provider resource identity binding (#452)
Added `ProviderResourceBinding` model, migrations, policies, and supporting framework for canonical resource identity mapping as defined in Spec 381. This provides the structural capability to resolve baseline and posture discrepancies by binding logical entities across source providers to canonical identities.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #452
2026-06-15 18:45:38 +00:00


Implementation Close-Out: Spec 381 - Provider Resource Identity and Binding Foundation v1

Date: 2026-06-15
Branch: 381-provider-resource-identity-binding
Base HEAD observed during close-out: d52b674f spec: record management report pdf staging validation gate (#451)

Scope

Implemented the backend-only provider resource identity model and the managed-environment-scoped binding foundation.

No Filament Resource, page, route, Livewire component, Blade view, navigation item, Graph client, queued job, scheduler behavior, OperationRun type, or customer-facing output was added.

Repo-Truth Notes

  • provider_resource_bindings is tenant-owned operational truth and remains scoped by workspace_id and managed_environment_id.
  • Baseline snapshots are workspace-owned through baseline profiles, not directly tenant-owned. For source_baseline_snapshot_id, managed-environment validity is enforced through baseline_tenant_assignments for the snapshot's baseline_profile_id.
  • No workspace-level, baseline-profile-specific, or subject-only binding scope was introduced.
  • No duplicate active-state truth was introduced; binding_status = active remains the active-binding truth.

Livewire / Filament Contract

  • Livewire v4.0+ compliance: unchanged. No Livewire code changed.
  • Provider registration location: unchanged. Laravel panel providers remain in apps/platform/bootstrap/providers.php.
  • Global search: no Filament Resource was added; ProviderResourceBinding is not globally searchable.
  • Destructive/high-impact actions: no Filament action was added. Backend supersede/revoke decisions require policy authorization and audit logging. Future UI confirmation belongs to Spec 384.
  • Assets: no assets were registered. No Spec 381-specific filament:assets deployment concern beyond normal Filament deploy procedure.

RBAC, Isolation, And Audit

  • Reads and mutations use ProviderResourceBindingPolicy with existing baseline capabilities:
    • view: workspace_baselines.view
    • create/supersede/revoke: workspace_baselines.manage
  • Non-members are denied with a not-found response, enforced through managed-environment entitlement checks, so they cannot learn whether a binding exists.
  • Entitled members without the manage capability receive a forbidden response for mutations.
  • Provider connections and source references are validated against the binding workspace and managed environment before persistence.
  • Binding create/supersede/revoke actions write AuditLog records with safe identifiers and hashed/length-only operator note metadata.

OperationRun Semantics

No OperationRun is created, queued, updated, or completed by Spec 381. Binding decisions are DB-only, security-relevant mutations that are audited directly.

Browser Smoke

Not applicable. Spec 381 has no UI, user-facing flow, route, navigation, Filament, Livewire, or asset surface impact.

Validation Commands

Executed during the final review and finding-fix loop:

```shell
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/Resources/ResourceIdentityTest.php tests/Unit/Support/Resources/ProviderResourceDescriptorTest.php tests/Unit/Support/Baselines/BaselineSubjectKeyCanonicalIdentityTest.php
```

Result: passed, 5 tests / 45 assertions.

```shell
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php tests/Feature/ProviderResources/ProviderResourceBindingAuthorizationTest.php
```

Result after the finding fix: passed, 19 tests / 72 assertions.

```shell
cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php
```

Result: passed, 4 tests / 7 assertions.

```shell
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineCompareProviderResourceBindingNoOpTest.php tests/Feature/Baselines/BaselineCompareGapClassificationTest.php tests/Feature/Evidence/BaselineDriftPostureSourceTest.php tests/Feature/ReviewPack/Spec349ReviewPackResolutionGuidanceTest.php
```

Result: passed, 11 tests / 83 assertions.

```shell
cd apps/platform && ./vendor/bin/sail bin pint --dirty --test --format agent
```

Result: passed.

```shell
git diff --check
```

Result: passed.

Deployment Impact

  • Additive migration only: provider_resource_bindings.
  • Staging must run the migration and the PostgreSQL lane before Production promotion.
  • No environment variable, queue, scheduler, storage, reverse-proxy, or asset change is required.
  • Until follow-up specs consume the table, rollback is dropping the new table. Once follow-up specs consume bindings, rollback must be redesigned.

Residual Risks / Follow-Up

No confirmed in-scope findings remain after the final fix loop.

Follow-up specs remain as planned:

  • Spec 382: matching pipeline consumption.
  • Spec 384: operator resolution UI and destructive/high-impact UI confirmations.
  • Spec 385: evidence/review readiness consumption.