ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
788efee1c2
TenantAtlas/specs/382-baseline-matching-canonicalization/implementation-close-out.md
ahmido 788efee1c2 feat(baselines): implement baseline matching canonicalization (#453) 
Replaced legacy tenant and environment bindings in the BaselineDriftEngine with the new ProviderResourceIdentity framework as defined in Spec 382. This ensures cross-environment compatibility and deterministic baseline matching.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #453
2026-06-15 22:48:48 +00:00

69 lines
4.8 KiB
Markdown
Raw Blame History

# Implementation Close-Out: Spec 382 - Baseline Matching Pipeline and Canonicalization v1
Date: 2026-06-15
## Scope Delivered
- Added provider-resource canonical key validation to prevent display-derived strings from being accepted as canonical provider subject keys.
- Added matching support objects and services:
- `BaselineSubjectDescriptor`
- `MatchingOutcome`
- `FoundationCoverageResolver`
- `SubjectMatchingPipeline`
- Integrated matching into baseline compare before `policy_type|subject_key` keying can collapse candidates.
- Kept payload drift/no-drift ownership inside existing compare strategies.
- Removed legacy subject-key matching, display-name matching fallback, display-name-derived canonical key generation, and old compare payload readers from the Spec 382 matching path.
- Added binding-aware compare coverage, identity-required gap coverage, and fake-provider canonical identity coverage.
- Added a Spec 382 migration that drops `provider_resource_bindings.legacy_subject_key` because the column was introduced by the committed Spec 381 migration.
## No Surface Impact
- UI impact: none.
- Filament impact: none.
- Livewire impact: none; project remains on Livewire v4.1.4.
- Panel/provider registration impact: none; Laravel 12 panel providers remain registered through `bootstrap/providers.php`.
- Global search impact: none; no resources/pages were added or changed.
- Destructive/high-impact actions: none added. Existing provider-resource binding decisions keep existing authorization and audit behavior.
- Asset strategy: none added; no global or on-demand assets changed. `filament:assets` deployment behavior is unchanged.
- Migrations/schema impact: `provider_resource_bindings.legacy_subject_key` is dropped by a Spec 382 migration. No new persisted entity, index family, env var, queue, scheduler, storage, route, UI, asset, Filament, or Livewire surface is introduced.
- Environment variables: none.
- Queues/scheduler/storage: no new queue names, scheduler entries, or storage paths.
- Browser smoke: not run because this spec has no UI surface.
## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/Baselines/Matching tests/Unit/Services/Baselines/Matching tests/Unit/Support/Baselines/BaselineSubjectKeyCanonicalIdentityTest.php tests/Unit/Support/Resources/ResourceIdentityTest.php tests/Unit/Support/Resources/ProviderResourceDescriptorTest.php`
- 19 passed, 103 assertions.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php tests/Feature/ProviderResources/ProviderResourceBindingAuthorizationTest.php`
- 20 passed, 75 assertions.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineCompareProviderResourceBindingCanonicalIdentityTest.php tests/Feature/Baselines/BaselineCompareAmbiguousMatchGapTest.php tests/Feature/Baselines/BaselineCompareGapClassificationTest.php`
- 4 passed, 70 assertions.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Evidence/BaselineDriftPostureSourceTest.php tests/Feature/ReviewPack/Spec349ReviewPackResolutionGuidanceTest.php`
- 9 passed, 43 assertions.
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- pass.
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --test --format agent`
- pass.
- `git diff --check`
- pass.
## PostgreSQL Lane
Targeted database-backed Sail tests ran through Laravel migrations, including the Spec 382 drop-column migration. No new indexes, constraints, locks, or PostgreSQL-specific query behavior were added.
## Post-Implementation Analysis
- No changes were made to completed dependency specs `specs/163-baseline-subject-resolution/`, `specs/380-management-report-pdf-staging-runtime-validation/`, or `specs/381-provider-resource-identity-binding/`.
- No matching code calls `GraphClientInterface`, provider gateways, or provider runtime clients.
- Matching proof metadata is sanitized and does not include raw operator notes.
- Core matching does not branch on Microsoft display labels.
- Display names are labels/descriptions only; they are not matching inputs, canonical-key inputs, binding lookup inputs, or successful compare resolution inputs.
- No UI, Filament, Livewire, Blade, route, config, scheduler, queue-name, storage, env, or asset file changed.
- No in-scope post-implementation findings remain open.
## Deployment Impact
- Staging: normal application deployment and test validation are sufficient.
- Production: run normal Laravel migrations so the legacy identity column is dropped. No queue worker, scheduler, volume, or environment-variable step is required.
- Rollback: rolling back the Spec 382 migration restores the dropped column, but product behavior intentionally remains no-legacy-identity unless code is rolled back too.
Reference in New Issue View Git Blame Copy Permalink