ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
a5e9c43f1a
TenantAtlas/specs/044-drift-mvp/data-model.md
ahmido a449ecec5b feat/044-drift-mvp (#58) 
Beschreibung
Implementiert das Drift MVP Feature (Spec: 044-drift-mvp) mit Fokus auf automatische Drift-Erkennung zwischen Inventory Sync Runs und Bulk-Triage für Findings.

Was wurde implementiert?
Drift-Erkennung: Vergleicht Policy-Snapshots, Assignments und Scope Tags zwischen Baseline- und Current-Runs. Deterministische Fingerprints verhindern Duplikate.
Findings UI: Neue Filament Resource für Findings mit Listen- und Detail-Ansicht. DB-only Diffs (keine Graph-Calls zur Laufzeit).
Bulk Acknowledge:
"Acknowledge selected" (Bulk-Action auf der Liste)
"Acknowledge all matching" (Header-Action, respektiert aktuelle Filter; Type-to-Confirm bei >100 Findings)
Scope Tag Fix: Behebt False Positives bei Legacy-Daten ohne scope_tags.ids (inferiert Default-Werte).
Authorization: Tenant-isoliert, Rollen-basiert (Owner/Manager/Operator können acknowledge).
Tests: Vollständige Pest-Coverage (28 Tests, 347 Assertions) für Drift-Logik, UI und Bulk-Actions.
Warum diese Änderungen?
Problem: Keine automatisierte Drift-Erkennung; manuelle Triage bei vielen Findings ist mühsam.
Lösung: Async Drift-Generierung mit persistenter Findings-Tabelle. Safe Bulk-Tools für Massen-Triage ohne Deletes.
Konformität: Folgt AGENTS.md Workflow, Spec-Kit (Tasks + Checklists abgehakt), Laravel/Filament Best Practices.
Technische Details
Neue Dateien: ~40 (Models, Services, Tests, Views, Migrations)
Änderungen: Filament Resources, Jobs, Policies
DB: Neue findings Tabelle (JSONB für Evidence, Indexes für Performance)
Tests: ./vendor/bin/sail artisan test tests/Feature/Drift --parallel → 28 passed
Migration: ./vendor/bin/sail artisan migrate (neue Tabelle + Indexes)
Screenshots / Links
Spec: spec.md
Tasks: tasks.md (alle abgehakt)
UI: Findings-Liste mit Bulk-Actions; Detail-View mit Diffs
Checklist
 Tests passieren (parallel + serial)
 Code formatiert (./vendor/bin/pint --dirty)
 Migration reversibel
 Tenant-Isolation enforced
 No Graph-Calls in Views
 Authorization checks
 Spec + Tasks aligned
Deployment Notes
Neue Migration: create_findings_table
Neue Permissions: drift.view, drift.acknowledge
Queue-Job: GenerateDriftFindingsJob (async, deduped)
2026-01-14 23:16:10 +00:00

58 lines
1.8 KiB
Markdown
Raw Blame History

# Phase 1 Design: Data Model (044)
## Entities
### Finding
New table: `findings`
**Purpose**: Generic, persisted pipeline for analytic findings (Drift now; Audit/Compare later).
**Core fields (MVP)**
- `id` (pk)
- `tenant_id` (fk tenants)
- `finding_type` (`drift` in MVP; later `audit`/`compare`)
- `scope_key` (string; deterministic; reuse Inventory selection hash)
- `baseline_run_id` (nullable fk inventory_sync_runs)
- `current_run_id` (nullable fk inventory_sync_runs)
- `fingerprint` (string; deterministic)
- `subject_type` (string; e.g. policy type)
- `subject_external_id` (string; Graph external id)
- `severity` (`low|medium|high`; MVP default `medium`)
- `status` (`new|acknowledged`)
- `acknowledged_at` (nullable)
- `acknowledged_by_user_id` (nullable fk users)
- `evidence_jsonb` (jsonb; sanitized, small; allowlist)
**Prepared for later (nullable, out of MVP)**
- `rule_id`, `control_id`, `expected_value`, `source`
## Constraints & Indexes
**Uniqueness**
- Unique: `(tenant_id, fingerprint)`
**Lookup indexes (suggested)**
- `(tenant_id, finding_type, status)`
- `(tenant_id, scope_key)`
- `(tenant_id, current_run_id)`
- `(tenant_id, baseline_run_id)`
- `(tenant_id, subject_type, subject_external_id)`
## Relationships
- `Finding` belongs to `Tenant`.
- `Finding` belongs to `User` via `acknowledged_by_user_id`.
- `Finding` belongs to `InventorySyncRun` via `baseline_run_id` (nullable) and `current_run_id` (nullable).
## Evidence shape (MVP allowlist)
For Drift MVP, `evidence_jsonb` should contain only:
- `change_type`
- `changed_fields` (list) and/or `change_counts`
- `run`:
- `baseline_run_id`, `current_run_id`
- `baseline_finished_at`, `current_finished_at`
No raw policy payload dumps; exclude secrets/tokens; exclude volatile fields for hashing.
Reference in New Issue View Git Blame Copy Permalink