TenantAtlas/specs/152-livewire-context-locking/tasks.md
ahmido 5ec62cd117 feat: harden livewire trusted state boundaries (#182)
## Summary
- add the shared trusted-state model and resolver helpers for first-slice Livewire and Filament surfaces
- harden managed tenant onboarding, tenant required permissions, and system runbooks against forged or stale public state
- add focused Pest guard and regression coverage plus the complete spec 152 artifact set

## Validation
- `vendor/bin/sail artisan test --compact`
- manual smoke validated on `/admin/onboarding/{onboardingDraft}`
- manual smoke validated on `/admin/tenants/{tenant}/required-permissions`
- manual smoke validated on `/system/ops/runbooks`

## Notes
- Livewire v4.0+ / Filament v5 stack unchanged
- no new panels, routes, assets, or global-search changes
- provider registration remains in `bootstrap/providers.php`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #182
2026-03-18 23:01:14 +00:00


# Tasks: Livewire Context Locking and Trusted-State Reduction
**Input**: Design documents from `/specs/152-livewire-context-locking/`
**Prerequisites**: plan.md (required), spec.md (required for user stories), research.md, data-model.md, contracts/, quickstart.md
**Tests**: Tests are REQUIRED for this feature because it changes runtime authorization, Livewire trusted-state handling, tenant and workspace isolation, and forged-state fail-closed behavior in a Laravel/Pest codebase.
## Phase 1: Setup (Shared Infrastructure)
**Purpose**: Establish the shared trusted-state scaffolding and guard baseline used by all stories.
- [x] T001 Create the first-slice trusted-state file skeleton and initial policy inventory stubs in `app/Support/Livewire/TrustedState/TrustedStateClass.php`, `app/Support/Livewire/TrustedState/TrustedStatePolicy.php`, and `app/Support/Livewire/TrustedState/TrustedStateResolver.php`
- [x] T002 [P] Create the Livewire trusted-state architectural guard test harness and first-slice fixture list in `tests/Feature/Guards/LivewireTrustedStateGuardTest.php`
- [x] T003 [P] Add shared Pest helpers `mutateTrustedStatePayload()` and `assertScopedSelectorRejected()` in `tests/Pest.php` for reuse by onboarding, tenant required permissions, and runbook selector suites
---
## Phase 2: Foundational (Blocking Prerequisites)
**Purpose**: Put the reusable trusted-state and resolver rules in place before component-specific work starts.
**⚠️ CRITICAL**: No user story work can begin until this phase is complete.
- [x] T004 Implement the shared trusted-state lane and resolver contract in `app/Support/Livewire/TrustedState/TrustedStateClass.php`, `app/Support/Livewire/TrustedState/TrustedStatePolicy.php`, and `app/Support/Livewire/TrustedState/TrustedStateResolver.php`
- [x] T005 [P] Wire shared workspace, tenant, and onboarding authority re-resolution into `app/Support/Workspaces/WorkspaceContext.php`, `app/Filament/Concerns/ResolvesPanelTenantContext.php`, `app/Services/Onboarding/OnboardingDraftResolver.php`, and `app/Services/Onboarding/OnboardingDraftMutationService.php`
- [x] T006 [P] Wire shared platform selector validation into `app/Services/System/AllowedTenantUniverse.php` and `app/Filament/System/Pages/Ops/Runbooks.php`
- [x] T007 Update the architectural guard allowlists for the first-slice surfaces in `tests/Feature/Guards/AdminTenantResolverGuardTest.php` and `tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php`
**Checkpoint**: The trusted-state contract, canonical resolver seams, and guard baseline exist, so user story work can proceed in parallel.
---
## Phase 3: User Story 1 - Trust ownership-sensitive wizard actions (Priority: P1) 🎯 MVP
**Goal**: Ensure onboarding wizard actions derive draft, workspace, tenant, and provider truth from locked or server-resolved state instead of mutable public Livewire authority.
**Independent Test**: A user can resume and operate a valid onboarding draft normally, while forged or stale draft, workspace, tenant, or provider values fail closed and execute no protected action.
### Tests for User Story 1
- [x] T008 [P] [US1] Extend forged-draft and stale-workspace coverage in `tests/Feature/Onboarding/OnboardingDraftAuthorizationTest.php`, `tests/Feature/Onboarding/OnboardingDraftAccessTest.php`, and `tests/Feature/Onboarding/OnboardingDraftMultiTabTest.php`
- [x] T009 [P] [US1] Extend forged provider-selection and stale-target coverage in `tests/Feature/Onboarding/OnboardingProviderConnectionTest.php`, `tests/Feature/Onboarding/OnboardingActivationTest.php`, and `tests/Feature/Onboarding/OnboardingVerificationTest.php`
- [x] T010 [P] [US1] Extend onboarding 404 versus 403 parity coverage for trusted-state failures in `tests/Feature/Onboarding/OnboardingRbacSemanticsTest.php` and `tests/Feature/Rbac/OnboardingWizardUiEnforcementTest.php`
- [x] T011 [P] [US1] Preserve onboarding audit-log and operation-history coverage during trusted-state hardening in `tests/Feature/Onboarding/OnboardingActivationTest.php`, `tests/Feature/Onboarding/OnboardingVerificationAssistTest.php`, and `tests/Feature/Onboarding/OnboardingVerificationTest.php`
### Implementation for User Story 1
- [x] T012 [US1] Replace ownership-relevant public model authority in `app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php` with locked scalar identity or resolver-backed access while preserving wizard continuity
- [x] T013 [US1] Rework protected onboarding actions in `app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php` and `app/Services/Onboarding/OnboardingDraftMutationService.php` to re-resolve draft, workspace, and tenant truth before verify, bootstrap, cancel, delete, and activate paths
- [x] T014 [US1] Re-scope mutable provider selection through canonical draft and tenant validation in `app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php` and `app/Services/Onboarding/OnboardingDraftResolver.php`
- [x] T015 [US1] Preserve resume and display behavior through computed or resolver-backed model access in `app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php` and `resources/views/filament/pages/workspaces/managed-tenant-onboarding-wizard.blade.php`
**Checkpoint**: The onboarding wizard is independently safe against forged state and remains fully usable as the MVP slice.
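
The re-resolution rule behind T012 to T014, as an added sketch in plain PHP; it is not TenantAtlas code. The function names, the session shape, the capability strings, and the choice of 404 for out-of-workspace drafts versus 403 for a missing capability are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows: each draft belongs to exactly one workspace and tenant.
const DRAFTS = [
    10 => ['workspace_id' => 1, 'tenant_id' => 100],
    11 => ['workspace_id' => 2, 'tenant_id' => 200],
];

final class DeniedAsNotFound extends RuntimeException {} // would render as 404
final class Forbidden extends RuntimeException {}        // would render as 403

// Hypothetical resolver: authority comes from the server-side session and the
// stored row, never from workspace or tenant values carried in the client payload.
function resolveDraftForAction(array $session, array $payload, string $capability): array
{
    $draftId = (int) ($payload['draft_id'] ?? 0);
    $draft = DRAFTS[$draftId] ?? null;

    // Unknown draft, or a draft outside the session's workspace: deny as not
    // found so the caller cannot learn that the record exists (assumed mapping).
    if ($draft === null || $draft['workspace_id'] !== $session['workspace_id']) {
        throw new DeniedAsNotFound('draft not found');
    }
    // In scope, but the capability for this action is missing: forbidden.
    if (! in_array($capability, $session['capabilities'], true)) {
        throw new Forbidden('missing capability');
    }
    // Canonical scope only; client-sent workspace_id / tenant_id are discarded.
    return ['draft_id' => $draftId] + $draft;
}

function attempt(array $session, array $payload, string $capability): string
{
    try {
        $scope = resolveDraftForAction($session, $payload, $capability);
        return "ok tenant={$scope['tenant_id']}";
    } catch (DeniedAsNotFound) {
        return '404';
    } catch (Forbidden) {
        return '403';
    }
}

$session = ['workspace_id' => 1, 'capabilities' => ['onboarding.view']];

echo attempt($session, ['draft_id' => 10], 'onboarding.view'), PHP_EOL;
// Forged workspace and tenant fields ride along with a valid draft id.
echo attempt($session, ['draft_id' => 10, 'workspace_id' => 2, 'tenant_id' => 200], 'onboarding.view'), PHP_EOL;
// Forged draft id that points at another workspace's draft.
echo attempt($session, ['draft_id' => 11], 'onboarding.view'), PHP_EOL;
// Valid draft, but the session lacks the capability for the action.
echo attempt($session, ['draft_id' => 10], 'onboarding.activate'), PHP_EOL;
```

The same resolver call belongs at the top of every protected action, so a stale or replayed payload is checked again on each request, not only at mount.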
---
## Phase 4: User Story 2 - Keep non-wizard stateful pages safe under forged state (Priority: P1)
**Goal**: Ensure tenant-context and system pages treat public selectors and filters as untrusted input while keeping legitimate UX intact.
**Independent Test**: A route-bound tenant page and a system runbook page continue to work with normal filters and selectors, but forged tenant-like or runbook target state cannot redefine authority or execute against unauthorized targets.
### Tests for User Story 2
- [x] T016 [P] [US2] Add tenant-context trusted-state coverage in `tests/Feature/Rbac/TenantRequiredPermissionsTrustedStateTest.php` and `tests/Feature/Rbac/CrossResourceNavigationAuthorizationTest.php`
- [x] T017 [P] [US2] Extend system runbook selector forged-state coverage in `tests/Feature/System/OpsRunbooks/FindingsLifecycleBackfillPreflightTest.php`, `tests/Feature/System/OpsRunbooks/FindingsLifecycleBackfillStartTest.php`, and `tests/Feature/System/Spec113/AllowedTenantUniverseTest.php`
- [x] T018 [P] [US2] Add explicit positive-path continuity coverage for normal tenant filters and allowed runbook selections in `tests/Feature/Rbac/TenantRequiredPermissionsTrustedStateTest.php` and `tests/Feature/System/OpsRunbooks/FindingsLifecycleBackfillPreflightTest.php`
- [x] T019 [P] [US2] Extend cross-plane and capability-parity coverage for covered non-wizard surfaces in `tests/Feature/System/Spec113/AuthorizationSemanticsTest.php` and `tests/Feature/System/Spec113/TenantPlaneCannotAccessSystemTest.php`
- [x] T020 [P] [US2] Preserve system runbook audit-log and operation-history coverage during trusted-state hardening in `tests/Feature/System/OpsRunbooks/FindingsLifecycleBackfillStartTest.php` and `tests/Feature/System/OpsRunbooks/OpsUxStartSurfaceContractTest.php`
### Implementation for User Story 2
- [x] T021 [US2] Convert tenant authority on `app/Filament/Pages/TenantRequiredPermissions.php` to route- or resolver-derived scope while keeping `status`, `type`, `features`, and `search` presentation-only
- [x] T022 [US2] Re-validate runbook tenant selectors against the platform operator universe on every protected path in `app/Filament/System/Pages/Ops/Runbooks.php` and `app/Services/System/AllowedTenantUniverse.php`
- [x] T023 [US2] Normalize deny-as-not-found versus forbidden semantics for covered non-wizard stateful flows in `app/Filament/Pages/TenantRequiredPermissions.php`, `app/Filament/System/Pages/Ops/Runbooks.php`, and `app/Services/Runbooks/FindingsLifecycleBackfillRunbookService.php`
**Checkpoint**: Covered tenant-context and system pages are independently safe against forged selector state without relying on the onboarding wizard changes.
---
## Phase 5: User Story 3 - Apply one reusable trusted-state standard to future components (Priority: P2)
**Goal**: Make the trusted-state model reusable and enforceable so future Livewire components do not reintroduce mutable authority by convention.
**Independent Test**: The repo contains a reusable guard and first-slice field inventory that fail when ownership-relevant public model state or mutable foreign identifiers reappear on covered surfaces without the approved pattern.
### Tests for User Story 3
- [x] T024 [P] [US3] Implement the trusted-state architectural guard assertions in `tests/Feature/Guards/LivewireTrustedStateGuardTest.php`
- [x] T025 [P] [US3] Extend existing resolver and action-surface guard coverage for the first-slice surfaces in `tests/Feature/Guards/AdminTenantResolverGuardTest.php`, `tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php`, and `tests/Feature/Guards/ActionSurfaceContractTest.php`
### Implementation for User Story 3
- [x] T026 [US3] Finalize the reusable first-slice field inventory and trusted-state policy map in `app/Support/Livewire/TrustedState/TrustedStatePolicy.php` and `specs/152-livewire-context-locking/data-model.md`
- [x] T027 [US3] Encode reusable locked-versus-derived helper usage in `app/Support/Livewire/TrustedState/TrustedStateResolver.php`, `app/Support/Livewire/TrustedState/TrustedStateClass.php`, and `specs/152-livewire-context-locking/research.md`
- [x] T028 [US3] Align the logical contract and rollout checklist with the implemented patterns in `specs/152-livewire-context-locking/contracts/trusted-state-logical.openapi.yaml`, `specs/152-livewire-context-locking/contracts/trusted-state-guard.schema.json`, and `specs/152-livewire-context-locking/quickstart.md`
**Checkpoint**: The trusted-state pattern is reusable, documented, and guarded in CI for future component work.
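
One way an architectural guard of the kind described in T024 can work, as an added reflection-based sketch; it is not the project's `LivewireTrustedStateGuardTest`. `Locked` and `Model` are local stand-ins for Livewire's `#[Locked]` attribute and an Eloquent base model so the file runs without the framework. The fixture classes and the `Id`-suffix heuristic are assumptions.

```php
<?php
declare(strict_types=1);

// Stand-ins so the sketch runs without Laravel or Livewire installed (assumptions).
#[Attribute(Attribute::TARGET_PROPERTY)]
final class Locked {}   // plays the role of Livewire's #[Locked]
abstract class Model {} // plays the role of an Eloquent model base class
final class OnboardingDraft extends Model {}

// Constructed fixtures: one component that follows the pattern, one that regresses.
final class GoodWizard
{
    #[Locked] public int $draftId = 0; // locked scalar identity
    public string $search = '';        // presentation-only filter
}
final class BadWizard
{
    public ?OnboardingDraft $draft = null; // public model authority
    public int $tenantId = 0;              // mutable foreign identifier
    public string $status = '';
}

/** Returns one "Class::$prop: reason" string per public property that breaks the rule. */
function trustedStateViolations(string $class): array
{
    $violations = [];
    foreach ((new ReflectionClass($class))->getProperties(ReflectionProperty::IS_PUBLIC) as $prop) {
        $type = $prop->getType();
        $isModel = $type instanceof ReflectionNamedType
            && ! $type->isBuiltin()
            && is_subclass_of($type->getName(), Model::class);
        // Heuristic (assumption): a public property named *Id carries a foreign identifier.
        $isForeignId = (bool) preg_match('/Id$/', $prop->getName());
        $isLocked = $prop->getAttributes(Locked::class) !== [];

        if ($isModel) {
            $violations[] = "{$class}::\${$prop->getName()}: public model property";
        } elseif ($isForeignId && ! $isLocked) {
            $violations[] = "{$class}::\${$prop->getName()}: unlocked foreign identifier";
        }
    }
    return $violations;
}

foreach ([GoodWizard::class, BadWizard::class] as $class) {
    $found = trustedStateViolations($class);
    echo $class, ': ', $found === [] ? 'ok' : implode('; ', $found), PHP_EOL;
}
```

In a Pest suite the same function would run over the covered component classes, with the test asserting an empty result so a reintroduced public model property fails CI.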
---
## Phase 6: Polish & Cross-Cutting Concerns
**Purpose**: Validate the rollout, keep the branch releasable, and confirm the spec's manual verification paths.
- [x] T029 [P] Run the focused Pest validation suite from `specs/152-livewire-context-locking/quickstart.md`
- [x] T030 [P] Add automated non-regression assertions for first-slice render continuity and canonical resolver-query boundaries in `tests/Feature/Onboarding/OnboardingDraftAuthorizationTest.php` and `tests/Feature/System/OpsRunbooks/FindingsLifecycleBackfillPreflightTest.php`
- [x] T031 Run formatting with `vendor/bin/sail bin pint --dirty --format agent`
- [x] T032 [P] Validate the manual smoke checklist in `specs/152-livewire-context-locking/quickstart.md` against `/admin/onboarding/{onboardingDraft}`, `/admin/tenants/{tenant}/required-permissions`, and `/system/ops/runbooks`
---
## Dependencies & Execution Order
### Phase Dependencies
- **Setup (Phase 1)**: No dependencies, can start immediately.
- **Foundational (Phase 2)**: Depends on Setup completion and blocks all user stories.
- **User Story 1 (Phase 3)**: Starts after Foundational completion.
- **User Story 2 (Phase 4)**: Starts after Foundational completion and can proceed in parallel with US1.
- **User Story 3 (Phase 5)**: Starts after Foundational completion and should land after at least one first-slice surface has adopted the pattern.
- **Polish (Phase 6)**: Runs after the desired user stories are complete.
### User Story Dependencies
- **US1**: No dependency on other stories. This is the recommended MVP slice.
- **US2**: Depends only on the foundational trusted-state and resolver layer, not on US1 completion.
- **US3**: Depends on the foundational layer and benefits from US1 and US2 landing first so the guard inventory reflects real adoption.
### Within Each User Story
- Tests MUST be written and fail before implementation.
- Shared resolver and trusted-state seams must exist before surface-specific rewrites begin.
- Protected action re-resolution must land before cleanup of public model authority is considered complete.
- Guard updates should happen after at least one representative implementation proves the pattern.
### Parallel Opportunities
- T002 and T003 can run in parallel.
- T005 and T006 can run in parallel.
- US1 test tasks T008, T009, T010, and T011 can run in parallel.
- US2 test tasks T016, T017, T018, T019, and T020 can run in parallel.
- US3 test tasks T024 and T025 can run in parallel.
- Polish tasks T029, T030, and T032 can run in parallel after implementation is complete.
---
## Parallel Example: User Story 1
```bash
# Launch the onboarding forged-state regressions together:
Task: "Extend forged-draft and stale-workspace coverage in tests/Feature/Onboarding/OnboardingDraftAuthorizationTest.php, tests/Feature/Onboarding/OnboardingDraftAccessTest.php, and tests/Feature/Onboarding/OnboardingDraftMultiTabTest.php"
Task: "Extend forged provider-selection and stale-target coverage in tests/Feature/Onboarding/OnboardingProviderConnectionTest.php, tests/Feature/Onboarding/OnboardingActivationTest.php, and tests/Feature/Onboarding/OnboardingVerificationTest.php"
Task: "Extend onboarding 404 versus 403 parity coverage for trusted-state failures in tests/Feature/Onboarding/OnboardingRbacSemanticsTest.php and tests/Feature/Rbac/OnboardingWizardUiEnforcementTest.php"
# Then land the wizard implementation in sequence:
Task: "Replace ownership-relevant public model authority in app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php with locked scalar identity or resolver-backed access while preserving wizard continuity"
Task: "Rework protected onboarding actions in app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php and app/Services/Onboarding/OnboardingDraftMutationService.php to re-resolve draft, workspace, and tenant truth before verify, bootstrap, cancel, delete, and activate paths"
```
---
## Parallel Example: User Story 2
```bash
# Launch the tenant-context and system-page regressions together:
Task: "Add tenant-context trusted-state coverage in tests/Feature/Rbac/TenantRequiredPermissionsTrustedStateTest.php and tests/Feature/Rbac/CrossResourceNavigationAuthorizationTest.php"
Task: "Extend system runbook selector forged-state coverage in tests/Feature/System/OpsRunbooks/FindingsLifecycleBackfillPreflightTest.php, tests/Feature/System/OpsRunbooks/FindingsLifecycleBackfillStartTest.php, and tests/Feature/System/Spec113/AllowedTenantUniverseTest.php"
Task: "Extend cross-plane and capability-parity coverage for covered non-wizard surfaces in tests/Feature/System/Spec113/AuthorizationSemanticsTest.php and tests/Feature/System/Spec113/TenantPlaneCannotAccessSystemTest.php"
```
---
## Parallel Example: User Story 3
```bash
# Launch the reusable guard work together:
Task: "Implement the trusted-state architectural guard in tests/Feature/Guards/LivewireTrustedStateGuardTest.php"
Task: "Extend existing resolver and action-surface guard coverage for the first-slice surfaces in tests/Feature/Guards/AdminTenantResolverGuardTest.php, tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php, and tests/Feature/Guards/ActionSurfaceContractTest.php"
```
---
## Implementation Strategy
### MVP First (User Story 1 Only)
1. Complete Phase 1: Setup.
2. Complete Phase 2: Foundational.
3. Complete Phase 3: User Story 1.
4. Validate onboarding resume, verification, bootstrap, and activation behavior against forged-state regressions.
### Incremental Delivery
1. Land the shared trusted-state and resolver layer.
2. Harden onboarding as the MVP trust surface.
3. Add tenant-context and system-page selector hardening.
4. Finish with the reusable guard and contract alignment so future components inherit the pattern.
### Parallel Team Strategy
1. One developer lands the foundational trusted-state scaffolding.
2. A second developer can harden the onboarding wizard while another works on tenant-context and system-page regressions.
3. A final pass lands the reusable guard and rollout-inventory alignment after the first-slice surfaces are proven.
## Notes
- [P] tasks are limited to work on different files with no incomplete dependency overlap.
- US1 is the recommended MVP because it closes the highest-risk Livewire trust boundary first.
- US2 proves the pattern is not wizard-specific by covering both admin tenant-context and system platform surfaces.
- US3 turns the first-slice implementation into a reusable, CI-enforced repository standard.