ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
92f39d9749
TenantAtlas/app/Support/RbacReason.php
ahmido 92f39d9749 feat: add shared reason translation contract (#187) 
## Summary
- introduce a shared reason-translation contract with envelopes, presenter helpers, fallback handling, and provider translation support
- adopt translated operator-facing reason presentation across operation runs, notifications, provider guidance, tenant operability, and RBAC-related surfaces
- add Spec 157 design artifacts and targeted regression coverage for translation quality, diagnostics retention, and authorization-safe guidance

## Validation
- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Architecture/ReasonTranslationPrimarySurfaceGuardTest.php tests/Unit/Support/ReasonTranslation/ReasonResolutionEnvelopeTest.php tests/Unit/Support/ReasonTranslation/ExecutionDenialReasonTranslationTest.php tests/Unit/Support/ReasonTranslation/TenantOperabilityReasonTranslationTest.php tests/Unit/Support/ReasonTranslation/RbacReasonTranslationTest.php tests/Unit/Support/ReasonTranslation/ProviderReasonTranslationTest.php tests/Feature/Notifications/OperationRunNotificationTest.php tests/Feature/Operations/OperationRunBlockedExecutionPresentationTest.php tests/Feature/Operations/TenantlessOperationRunViewerTest.php tests/Feature/ReasonTranslation/GovernanceReasonPresentationTest.php tests/Feature/Authorization/ReasonTranslationScopeSafetyTest.php tests/Feature/Monitoring/OperationRunBlockedSpec081Test.php tests/Feature/ProviderConnections/ProviderOperationBlockedGuidanceSpec081Test.php tests/Feature/ProviderConnections/ProviderGatewayRuntimeSmokeSpec081Test.php`

## Notes
- Livewire v4.0+ compliance remains unchanged within the existing Filament v5 stack.
- No new panel was added; provider registration remains in `bootstrap/providers.php`.
- No new globally searchable resource was introduced.
- No new destructive action family was introduced.
- No new assets were added; the existing `filament:assets` deployment behavior remains unchanged.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #187
2026-03-22 20:19:43 +00:00

98 lines
4.2 KiB
PHP
Raw Blame History

<?php
namespace App\Support;
use App\Support\ReasonTranslation\NextStepOption;
use App\Support\ReasonTranslation\ReasonResolutionEnvelope;
enum RbacReason: string
{
case MissingArtifacts = 'missing_artifacts';
case ServicePrincipalMissing = 'sp_missing';
case GroupMissing = 'group_missing';
case ServicePrincipalNotMember = 'sp_not_member';
case AssignmentMissing = 'assignment_missing';
case RoleMismatch = 'role_mismatch';
case ScopeMismatch = 'scope_mismatch';
case CanaryFailed = 'canary_failed';
case ManualAssignmentRequired = 'manual_assignment_required';
case UnsupportedApi = 'unsupported_api';
public function operatorLabel(): string
{
return match ($this) {
self::MissingArtifacts => 'RBAC setup incomplete',
self::ServicePrincipalMissing => 'Service principal missing',
self::GroupMissing => 'RBAC group missing',
self::ServicePrincipalNotMember => 'Service principal not in RBAC group',
self::AssignmentMissing => 'RBAC assignment missing',
self::RoleMismatch => 'RBAC role mismatch',
self::ScopeMismatch => 'RBAC scope mismatch',
self::CanaryFailed => 'RBAC validation needs review',
self::ManualAssignmentRequired => 'Manual role assignment required',
self::UnsupportedApi => 'RBAC API unsupported',
};
}
public function shortExplanation(): string
{
return match ($this) {
self::MissingArtifacts => 'TenantPilot could not find the RBAC artifacts required for this tenant.',
self::ServicePrincipalMissing => 'The provider app service principal could not be resolved in Microsoft Graph.',
self::GroupMissing => 'The configured Intune RBAC group could not be found.',
self::ServicePrincipalNotMember => 'The provider app service principal is not currently a member of the configured RBAC group.',
self::AssignmentMissing => 'No matching Intune RBAC assignment could be confirmed for this tenant.',
self::RoleMismatch => 'The existing Intune RBAC assignment uses a different role than expected.',
self::ScopeMismatch => 'The existing Intune RBAC assignment targets a different scope than expected.',
self::CanaryFailed => 'The RBAC canary checks reported a mismatch after setup completed.',
self::ManualAssignmentRequired => 'This tenant requires a manual Intune RBAC role assignment outside the automated API path.',
self::UnsupportedApi => 'This account type does not support the required Intune RBAC API path.',
};
}
public function actionability(): string
{
return match ($this) {
self::CanaryFailed => 'retryable_transient',
self::ManualAssignmentRequired => 'prerequisite_missing',
self::UnsupportedApi => 'non_actionable',
default => 'prerequisite_missing',
};
}
/**
* @return array<int, NextStepOption>
*/
public function nextSteps(): array
{
return match ($this) {
self::UnsupportedApi => [],
self::ManualAssignmentRequired => [
NextStepOption::instruction('Complete the Intune role assignment manually, then refresh RBAC status.', scope: 'tenant'),
],
self::CanaryFailed => [
NextStepOption::instruction('Review the RBAC canary checks and rerun the health check.', scope: 'tenant'),
],
default => [
NextStepOption::instruction('Review the RBAC setup and refresh the tenant RBAC status.', scope: 'tenant'),
],
};
}
/**
* @param array<string, mixed> $context
*/
public function toReasonResolutionEnvelope(string $surface = 'detail', array $context = []): ReasonResolutionEnvelope
{
return new ReasonResolutionEnvelope(
internalCode: $this->value,
operatorLabel: $this->operatorLabel(),
shortExplanation: $this->shortExplanation(),
actionability: $this->actionability(),
nextSteps: $this->nextSteps(),
showNoActionNeeded: $this->actionability() === 'non_actionable',
diagnosticCodeLabel: $this->value,
);
}
}
Reference in New Issue View Git Blame Copy Permalink