ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
92f39d9749
TenantAtlas/app/Support/OpsUx/RunFailureSanitizer.php
ahmido 92f39d9749 feat: add shared reason translation contract (#187) 
## Summary
- introduce a shared reason-translation contract with envelopes, presenter helpers, fallback handling, and provider translation support
- adopt translated operator-facing reason presentation across operation runs, notifications, provider guidance, tenant operability, and RBAC-related surfaces
- add Spec 157 design artifacts and targeted regression coverage for translation quality, diagnostics retention, and authorization-safe guidance

## Validation
- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Architecture/ReasonTranslationPrimarySurfaceGuardTest.php tests/Unit/Support/ReasonTranslation/ReasonResolutionEnvelopeTest.php tests/Unit/Support/ReasonTranslation/ExecutionDenialReasonTranslationTest.php tests/Unit/Support/ReasonTranslation/TenantOperabilityReasonTranslationTest.php tests/Unit/Support/ReasonTranslation/RbacReasonTranslationTest.php tests/Unit/Support/ReasonTranslation/ProviderReasonTranslationTest.php tests/Feature/Notifications/OperationRunNotificationTest.php tests/Feature/Operations/OperationRunBlockedExecutionPresentationTest.php tests/Feature/Operations/TenantlessOperationRunViewerTest.php tests/Feature/ReasonTranslation/GovernanceReasonPresentationTest.php tests/Feature/Authorization/ReasonTranslationScopeSafetyTest.php tests/Feature/Monitoring/OperationRunBlockedSpec081Test.php tests/Feature/ProviderConnections/ProviderOperationBlockedGuidanceSpec081Test.php tests/Feature/ProviderConnections/ProviderGatewayRuntimeSmokeSpec081Test.php`

## Notes
- Livewire v4.0+ compliance remains unchanged within the existing Filament v5 stack.
- No new panel was added; provider registration remains in `bootstrap/providers.php`.
- No new globally searchable resource was introduced.
- No new destructive action family was introduced.
- No new assets were added; the existing `filament:assets` deployment behavior remains unchanged.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #187
2026-03-22 20:19:43 +00:00

152 lines
6.1 KiB
PHP
Raw Blame History

<?php
namespace App\Support\OpsUx;
use App\Services\Intune\SecretClassificationService;
use App\Support\Operations\ExecutionDenialReasonCode;
use App\Support\Providers\ProviderReasonCodes;
final class RunFailureSanitizer
{
public const string REASON_GRAPH_THROTTLED = 'graph_throttled';
public const string REASON_GRAPH_TIMEOUT = 'graph_timeout';
public const string REASON_PERMISSION_DENIED = 'permission_denied';
public const string REASON_PROVIDER_AUTH_FAILED = 'provider_auth_failed';
public const string REASON_PROVIDER_OUTAGE = 'provider_outage';
public const string REASON_VALIDATION_ERROR = 'validation_error';
public const string REASON_CONFLICT_DETECTED = 'conflict_detected';
public const string REASON_UNKNOWN_ERROR = 'unknown_error';
public static function sanitizeCode(string $code): string
{
$code = strtolower(trim($code));
if ($code === '') {
return 'unknown';
}
return substr($code, 0, 80);
}
public static function normalizeReasonCode(string $candidate): string
{
$candidate = strtolower(trim($candidate));
if ($candidate === '') {
return ProviderReasonCodes::UnknownError;
}
if (self::isStructuredOperatorReasonCode($candidate) || in_array($candidate, ['ok', 'not_applicable'], true)) {
return $candidate;
}
if (str_starts_with($candidate, 'ext.')) {
return $candidate;
}
/**
* Appendix-A taxonomy mappings:
* - `graph_throttled`/`throttled` -> `rate_limited`
* - transport/transient/outage classes -> `network_unreachable`
* - auth failures -> `provider_auth_failed`
* - permission denied classes -> `provider_permission_denied`
* - generic missing/invalid configuration classes -> `provider_connection_*`
*/
// Compatibility mappings from existing codebase labels.
$candidate = match ($candidate) {
self::REASON_GRAPH_THROTTLED,
'throttled' => ProviderReasonCodes::RateLimited,
self::REASON_GRAPH_TIMEOUT,
self::REASON_PROVIDER_OUTAGE,
'graph_transient',
'dependency_unreachable' => ProviderReasonCodes::NetworkUnreachable,
self::REASON_PERMISSION_DENIED,
'graph_forbidden',
'permission_denied' => ProviderReasonCodes::ProviderPermissionDenied,
self::REASON_PROVIDER_AUTH_FAILED,
'authentication_failed' => ProviderReasonCodes::ProviderAuthFailed,
self::REASON_VALIDATION_ERROR,
self::REASON_CONFLICT_DETECTED,
'invalid_state' => ProviderReasonCodes::ProviderConnectionInvalid,
'missing_configuration' => ProviderReasonCodes::ProviderConnectionMissing,
'unknown',
self::REASON_UNKNOWN_ERROR => ProviderReasonCodes::UnknownError,
default => $candidate,
};
if (self::isStructuredOperatorReasonCode($candidate) || in_array($candidate, ['ok', 'not_applicable'], true)) {
return $candidate;
}
// Heuristic normalization for ad-hoc inputs is bounded fallback behavior only.
if (str_contains($candidate, 'throttle') || str_contains($candidate, '429')) {
return ProviderReasonCodes::RateLimited;
}
if (str_contains($candidate, 'invalid_client') || str_contains($candidate, 'invalid_grant') || str_contains($candidate, '401') || str_contains($candidate, 'aadsts')) {
return ProviderReasonCodes::ProviderAuthFailed;
}
if (str_contains($candidate, 'timeout') || str_contains($candidate, 'transient') || str_contains($candidate, '503') || str_contains($candidate, '504')) {
return ProviderReasonCodes::NetworkUnreachable;
}
if (str_contains($candidate, 'outage') || str_contains($candidate, '500') || str_contains($candidate, '502') || str_contains($candidate, 'bad_gateway')) {
return ProviderReasonCodes::NetworkUnreachable;
}
if (str_contains($candidate, 'forbidden') || str_contains($candidate, 'permission') || str_contains($candidate, 'unauthorized') || str_contains($candidate, '403')) {
return ProviderReasonCodes::ProviderPermissionDenied;
}
if (str_contains($candidate, 'validation') || str_contains($candidate, 'not_found') || str_contains($candidate, 'bad_request') || str_contains($candidate, '400') || str_contains($candidate, '422')) {
return ProviderReasonCodes::ProviderConnectionInvalid;
}
if (str_contains($candidate, 'conflict') || str_contains($candidate, '409')) {
return ProviderReasonCodes::ProviderConnectionInvalid;
}
return ProviderReasonCodes::UnknownError;
}
public static function isStructuredOperatorReasonCode(string $candidate): bool
{
$candidate = strtolower(trim($candidate));
if ($candidate === '') {
return false;
}
$executionDenialReasonCodes = array_map(
static fn (ExecutionDenialReasonCode $reasonCode): string => $reasonCode->value,
ExecutionDenialReasonCode::cases(),
);
return ProviderReasonCodes::isKnown($candidate) || in_array($candidate, $executionDenialReasonCodes, true);
}
public static function sanitizeMessage(string $message): string
{
$message = trim(str_replace(["\r", "\n"], ' ', $message));
$message = self::classifier()->sanitizeOpsFailureString($message);
$message = preg_replace('/\b[A-Za-z0-9\-\._~\+\/]{64,}\b/', '[REDACTED]', $message) ?? $message;
$message = preg_replace('/\b(access_token|refresh_token|client_secret|password)\b\s*=\s*\[REDACTED_SECRET\]/i', '[REDACTED_SECRET]', $message) ?? $message;
$message = preg_replace('/"(access_token|refresh_token|client_secret|password)"\s*:\s*"\[REDACTED_SECRET\]"/i', '"[REDACTED_SECRET]"', $message) ?? $message;
return substr($message, 0, 120);
}
private static function classifier(): SecretClassificationService
{
return app(SecretClassificationService::class);
}
}
Reference in New Issue View Git Blame Copy Permalink