ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
a4f2629493
TenantAtlas/specs/153-evidence-domain-foundation/spec.md
ahmido a74ab12f04 feat: implement evidence domain foundation (#183) 
## Summary
- add the Evidence Snapshot domain with immutable tenant-scoped snapshots, per-dimension items, queued generation, audit actions, badge mappings, and Filament list/detail surfaces
- add the workspace evidence overview, capability and policy wiring, Livewire update-path hardening, and review-pack integration through explicit evidence snapshot resolution
- add spec 153 artifacts, migrations, factories, and focused Pest coverage for evidence, review-pack reuse, authorization, action-surface regressions, and audit behavior

## Testing
- `vendor/bin/sail artisan test --compact --stop-on-failure`
- `CI=1 vendor/bin/sail artisan test --compact`
- `vendor/bin/sail bin pint --dirty --format agent`

## Notes
- branch: `153-evidence-domain-foundation`
- commit: `b7dfa279`
- spec: `specs/153-evidence-domain-foundation/`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #183
2026-03-19 13:32:52 +00:00

20 KiB
Raw Blame History

Feature Specification: Evidence Domain Foundation

Feature Branch: 153-evidence-domain-foundation
Created: 2026-03-19
Status: Draft
Input: User description: "erstell den spec aus spec candidate der strategisch am besten ist als nächstes"

Spec Scope Fields (mandatory)

  • Scope: workspace + tenant + canonical-view
  • Primary Routes:
    • /admin/t/{tenant}/evidence as the tenant-scoped evidence inventory and snapshot surface
    • /admin/t/{tenant}/evidence/{snapshot} as the canonical evidence snapshot inspection route
    • Workspace-scoped evidence overview surfaces that summarize snapshot coverage across managed tenants without exposing foreign-tenant detail
    • Existing downstream consumers such as review-pack generation and future readiness/reporting flows that consume evidence snapshots rather than assembling raw artifacts ad hoc
  • Data Ownership:
    • Tenant-owned: evidence snapshots, evidence completeness state, artifact references, generation metadata, and immutable historical evidence packages
    • Tenant-owned inputs: findings, stored reports, baseline posture summaries, operational health signals, and related tenant-governance artifacts that are curated into the evidence domain without changing their original systems of record
    • Workspace-owned: aggregate evidence overview filters, rollup summaries, and canonical-view presentation state that never persist foreign-tenant evidence as workspace-owned domain records
    • Downstream exports and stakeholder-facing reports remain separate consumers and are not redefined by this feature
  • RBAC:
    • Workspace membership remains the prerequisite for any evidence-domain access
    • Tenant entitlement remains required to inspect tenant-scoped evidence detail
    • evidence.view permits listing and inspecting evidence snapshots within authorized scope
    • evidence.manage permits creating, refreshing, and expiring evidence snapshots
    • Non-members or users outside the relevant tenant scope remain deny-as-not-found; in-scope members lacking the required capability remain forbidden

For canonical-view specs, the spec MUST define:

  • Default filter behavior when tenant-context is active: Tenant evidence lists and detail routes default to the routed tenant only. Workspace evidence overview surfaces may carry a tenant prefilter only when the operator explicitly navigates from tenant context, and that prefilter is limited to entitled tenants and remains removable from the shared canonical view.
  • Explicit entitlement checks preventing cross-tenant leakage: Evidence queries, completeness summaries, filter options, snapshot labels, and artifact references must always be assembled after workspace and tenant entitlement checks. Unauthorized users must not learn whether another tenant has evidence gaps, artifacts, or snapshots.

User Scenarios & Testing (mandatory)

User Story 1 - Create an immutable evidence snapshot (Priority: P1)

As a governance operator, I want to capture the current evidence state for a tenant into one immutable snapshot, so that later exports, reviews, and audit conversations refer to a stable package instead of a moving collection of live records.

Why this priority: This is the foundation of the entire capability. Without immutable snapshots, every downstream review artifact remains ad hoc and non-reproducible.

Independent Test: Can be fully tested by generating a tenant evidence snapshot from existing findings, stored reports, and governance summaries, then changing the live source records and confirming the captured snapshot remains unchanged.

Acceptance Scenarios:

  1. Given a tenant has findings, stored reports, and baseline-related governance signals, When an authorized operator creates an evidence snapshot, Then the system produces one immutable snapshot that records what evidence items were included and their completeness state at capture time.
  2. Given a snapshot has already been created, When live findings or stored reports change later, Then the original snapshot remains unchanged and a new snapshot is required to reflect the newer evidence state.
  3. Given required evidence inputs are partially missing, When a snapshot is created, Then the snapshot still completes and records explicit completeness gaps rather than pretending the evidence set is complete.

User Story 2 - Understand evidence completeness before downstream reporting (Priority: P1)

As a governance operator, I want to see which evidence dimensions are present, stale, or missing before I generate review outputs, so that downstream reports are based on known coverage instead of hidden gaps.

Why this priority: The evidence domain is only valuable if it exposes completeness clearly. Otherwise it becomes another opaque storage layer.

Independent Test: Can be fully tested by preparing tenants with complete, partial, and stale evidence inputs and confirming that the evidence surface reports the correct completeness and freshness state for each dimension.

Acceptance Scenarios:

  1. Given a tenant has current findings and stored reports for all in-scope evidence dimensions, When the operator inspects evidence status, Then the tenant shows a complete evidence state for those dimensions.
  2. Given one or more evidence dimensions are missing or stale, When the operator inspects evidence status or a snapshot detail view, Then the missing or stale dimensions are clearly identified with no false claim of readiness.
  3. Given an operator opens a specific snapshot, When they inspect it, Then they can see which evidence dimensions were included, omitted, or incomplete at the time of capture.

User Story 3 - Reuse one evidence package across downstream consumers (Priority: P2)

As a product owner, I want review packs and future readiness/reporting surfaces to consume curated evidence snapshots instead of reassembling raw artifacts independently, so that evidence logic stays consistent across the product.

Why this priority: The strategic value is architectural reuse. If every downstream feature keeps rebuilding its own evidence assembly logic, the foundation does not actually exist.

Independent Test: Can be fully tested by generating a snapshot and verifying that downstream consumers resolve included evidence artifacts through the snapshot contract rather than directly reading live source artifacts for the same workflow.

Acceptance Scenarios:

  1. Given a downstream export or readiness flow requests tenant evidence, When an eligible snapshot already exists, Then the downstream flow resolves evidence through the snapshot contract instead of rebuilding the same evidence set from scratch.
  2. Given the operator needs refreshed evidence, When they explicitly request a new snapshot, Then the newer snapshot becomes available alongside older snapshots rather than mutating them in place.
  3. Given two downstream consumers use the same snapshot, When they inspect included evidence dimensions, Then both consumers see the same inclusion and completeness truth.

Edge Cases

  • A tenant has some evidence dimensions available and others never generated; the snapshot must be captured as partial rather than blocked indefinitely.
  • A stored report or findings source is stale but still readable; the foundation must preserve freshness metadata instead of silently treating stale evidence as current.
  • A source artifact referenced by an older snapshot is later deleted or superseded; the older snapshot must remain intelligible from stored snapshot metadata.
  • An operator triggers snapshot creation twice in quick succession with unchanged inputs; the system must avoid creating duplicate immutable artifacts when the evidence state is unchanged.
  • A workspace operator can view workspace-level evidence summaries but is not entitled to inspect every tenant represented in the workspace; unauthorized tenant detail must remain hidden.
  • A downstream consumer requests evidence for a tenant with no snapshot yet; the system must fail with a clear absence state rather than silently falling back to untracked live assembly.

Requirements (mandatory)

Constitution alignment (required): This feature introduces a new evidence-domain data model, write behavior for immutable snapshot capture, and queued generation work that assembles evidence from existing internal artifacts only. It does not introduce new Microsoft Graph calls. The feature must define tenant isolation, completeness semantics, snapshot immutability, and run observability for snapshot generation. Because evidence capture is a high-value governance mutation, every snapshot creation and expiration path must be auditable and test-covered.

Constitution alignment (OPS-UX): This feature creates a new OperationRun family for evidence snapshot generation and must comply with the Ops-UX 3-surface feedback contract. Start actions may show intent-only feedback. Progress belongs only in the active-ops widget and Monitoring run detail. Evidence snapshot detail surfaces may link to the canonical run detail but must not render a parallel progress surface. Terminal notification behavior remains service-owned through OperationRunService. Any summary counts recorded for evidence snapshot generation must use allowed operation summary keys and numeric-only values. Scheduled or system-initiated snapshot generation must not create initiator-only terminal database notifications.

Constitution alignment (RBAC-UX): This feature operates in the tenant/admin plane for tenant-scoped evidence surfaces and in workspace-admin canonical views for cross-tenant evidence overview. Cross-plane access remains deny-as-not-found. Non-members or users outside workspace or tenant scope receive 404. In-scope users lacking evidence.view or evidence.manage receive 403 according to the action attempted. Authorization must be enforced server-side for snapshot generation, inspection, expiration, and any downstream evidence resolution entry point. The canonical capability registry remains the only capability source. Any destructive-like expiration action requires confirmation.

Constitution alignment (OPS-EX-AUTH-001): Not applicable. No authentication handshake behavior is changed.

Constitution alignment (BADGE-001): Evidence completeness, freshness, and snapshot status are status-like values and must use centralized badge semantics rather than local page-level color mapping. Tests must cover all newly introduced status values.

Constitution alignment (UI-NAMING-001): The target object is the evidence snapshot. Operator-facing verbs are Create snapshot, View snapshot, Refresh evidence, and Expire snapshot. Source/domain disambiguation is needed only where a snapshot references specific evidence dimensions such as findings, permission posture, or baseline posture. The same evidence vocabulary must be preserved across action labels, modal titles, run titles, notifications, and audit prose. Implementation-first terms such as materialize, denormalize, or projection rebuild must not become primary operator-facing labels.

Constitution alignment (Filament Action Surfaces): This feature adds a Filament evidence resource or page family for list and detail inspection plus snapshot-generation actions. The Action Surface Contract is satisfied if creation remains an explicit header action, list inspection uses a canonical inspect affordance, destructive expiration requires confirmation, and all mutations are authorization-gated and auditable.

Constitution alignment (UX-001 — Layout & Information Architecture): Evidence list screens must provide search, sort, and filters for core dimensions such as tenant, snapshot status, completeness state, and capture date. Snapshot detail must use an Infolist-style inspection surface rather than a disabled edit form. Empty states must include a specific title, explanation, and exactly one CTA. If snapshot creation uses a modal instead of a dedicated create page, that is an explicit exemption because snapshot creation is an operation trigger, not freeform data entry.

Functional Requirements

  • FR-153-001: The system MUST provide a first-class evidence domain that curates existing governance artifacts into immutable evidence snapshots.
  • FR-153-002: Each evidence snapshot MUST record the workspace, tenant, creation time, initiating actor class, included evidence dimensions, completeness state, and freshness metadata for each included dimension.
  • FR-153-003: The first implementation slice MUST support at least findings summaries, permission posture evidence, Entra admin-role evidence, baseline or drift posture summaries, and one explicit operations_summary dimension composed from recent tenant-scoped OperationRun rollups relevant to downstream review-pack and readiness evidence.
  • FR-153-004: Evidence snapshots MUST be immutable after successful creation. Refreshing evidence MUST create a new snapshot rather than mutating an existing one.
  • FR-153-005: The system MUST capture evidence completeness explicitly, including complete, partial, missing, and stale states for each evidence dimension.
  • FR-153-006: The system MUST allow snapshot creation to succeed when evidence is partial, provided the missing or stale dimensions are recorded clearly in snapshot metadata.
  • FR-153-007: Evidence snapshot generation MUST use existing internal evidence sources and MUST NOT trigger live Microsoft Graph collection during snapshot creation.
  • FR-153-008: The system MUST provide one canonical tenant-scoped evidence inventory surface where authorized operators can list snapshots and inspect their completeness and freshness state.
  • FR-153-009: The system MUST provide a canonical snapshot inspection surface that shows included evidence dimensions, completeness state, freshness metadata, source references, and downstream readiness suitability.
  • FR-153-010: Workspace-scoped evidence overview surfaces MUST summarize evidence availability and completeness across authorized tenants without revealing unauthorized tenant detail.
  • FR-153-011: The system MUST define a deduplication rule for unchanged evidence state so that repeated snapshot requests with identical included evidence do not create unnecessary duplicate immutable artifacts.
  • FR-153-012: The system MUST expose whether a downstream consumer is using a specific snapshot or whether no eligible snapshot exists for the requested evidence scope.
  • FR-153-013: Downstream consumers in scope for this foundation MUST be able to resolve evidence through the snapshot contract instead of rebuilding the same evidence set directly from live source records.
  • FR-153-014: The system MUST preserve enough snapshot metadata that an older snapshot remains intelligible even if one or more underlying source artifacts are later superseded, expired, or removed from active views.
  • FR-153-015: The feature MUST define retention and lifecycle semantics for evidence snapshots, including active, superseded, and expired states.
  • FR-153-016: Expiring an evidence snapshot MUST be an explicit, confirmed, auditable action and MUST NOT retroactively change what the snapshot contained.
  • FR-153-017: Evidence snapshot generation and expiration MUST be recorded in audit history with workspace scope, tenant scope, actor, action, and outcome.
  • FR-153-018: The feature MUST introduce at least one positive and one negative authorization test for evidence snapshot viewing and management.
  • FR-153-019: The feature MUST introduce regression tests proving snapshot immutability, completeness-state accuracy, downstream consumer reuse, and cross-tenant isolation.

UI Action Matrix (mandatory when Filament is changed)

Surface Location Header Actions Inspect Affordance (List/Table) Row Actions (max 2 visible) Bulk Actions (grouped) Empty-State CTA(s) View Header Actions Create/Edit Save+Cancel Audit log? Notes / Exemptions
Evidence Snapshot List Tenant-context evidence page or resource under /admin/t/{tenant}/evidence Create snapshot (evidence.manage) Clickable row to snapshot detail View snapshot, Expire snapshot (evidence.manage, destructive) None in v1 Create first snapshot None N/A Yes Create uses an action modal as an operation trigger, not a CRUD create page
Evidence Snapshot Detail Canonical detail route under /admin/t/{tenant}/evidence/{snapshot} Refresh evidence (evidence.manage) N/A None None N/A Refresh evidence, Expire snapshot N/A Yes Detail is an inspection surface and must use Infolist-style composition
Workspace Evidence Overview Workspace-admin canonical evidence overview Contextual filter actions only Row or linked-card drill-down to authorized tenant evidence view View tenant evidence None Clear filters None N/A No direct mutation Must suppress unauthorized tenant rows and filter options

Key Entities (include if feature involves data)

  • Evidence Snapshot: An immutable, timestamped evidence package for one tenant within one workspace, capturing which evidence dimensions were included and how complete they were at a specific point in time.
  • Evidence Dimension: A named evidence category such as findings summary, permission posture, baseline posture, or operational health summary that can be included, missing, stale, or partial in a snapshot.
  • Evidence Source Reference: A structured reference to the underlying artifact or summary that supplied a given evidence dimension at snapshot time.
  • Evidence Completeness State: The normalized assessment of whether the snapshot is complete, partial, missing required dimensions, or stale for downstream governance use.

Success Criteria (mandatory)

Measurable Outcomes

  • SC-001: An authorized operator can create a tenant evidence snapshot and inspect its completeness state in under 2 minutes without leaving the product.
  • SC-002: 100% of evidence snapshots created in automated tests remain unchanged after their underlying live source artifacts are modified.
  • SC-003: Operators can identify missing or stale evidence dimensions for a tenant from the evidence surface in one inspection step, without manually cross-checking multiple source pages.
  • SC-004: Repeated snapshot requests with unchanged evidence state do not create duplicate artifacts in automated deduplication tests.
  • SC-005: Downstream consumers covered by the first rollout resolve evidence from the snapshot contract instead of rebuilding equivalent live evidence sets in automated integration tests.
  • SC-006: Negative authorization tests prove that non-members receive deny-as-not-found behavior and in-scope users without the proper capability cannot create or expire evidence snapshots.

Assumptions

  • Review pack export, permission posture, Entra admin-role evidence, findings workflow, and baseline or drift posture outputs are sufficiently mature to act as the first evidence-domain inputs.
  • The first rollout focuses on internal evidence curation and inspection, not on stakeholder-facing readiness presentation.
  • Evidence snapshot generation is DB-backed and can rely on existing stored or summarized artifacts rather than live recollection.
  • The downstream consumer contract begins with one or more existing export or reporting flows and expands later.

Non-Goals

  • Building executive, customer-facing, or framework-oriented readiness presentations
  • Replacing review-pack export with a new export format
  • Acting as a generic BI warehouse or arbitrary reporting engine
  • Triggering new Microsoft Graph scans during snapshot creation
  • Defining formal compliance certification claims or legal attestations