ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
ad16eee591
TenantAtlas/apps/platform/config/tenantpilot.php
ahmido ad16eee591 Spec 204: harden platform core vocabulary (#234) 
## Summary
- add the Spec 204 platform vocabulary foundation, including canonical glossary terms, registry ownership descriptors, canonical operation type and alias resolution, and explicit reason ownership and platform reason-family metadata
- harden platform-facing compare, snapshot, evidence, monitoring, review, and reporting surfaces so they prefer governed-subject and canonical operation semantics while preserving intentional Intune-owned terminology
- extend Spec 204 unit, feature, Filament, and architecture coverage and add the full spec artifacts, checklist, and completed task ledger

## Verification
- ran the focused recent-change Sail verification pack for the new glossary and reason-semantics work
- ran the full Spec 204 quickstart verification pack under Sail
- ran `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- ran an integrated-browser smoke pass covering tenant dashboard, operations, operation detail, baseline compare, evidence, reviews, review packs, provider connections, inventory items, backup schedules, onboarding, and the system dashboard/operations/failures/run-detail surfaces

## Notes
- provider registration is unchanged and remains in `bootstrap/providers.php`
- no new destructive actions or asset-registration changes are introduced by this branch

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #234
2026-04-14 06:09:42 +00:00

849 lines
40 KiB
PHP
Raw Blame History

<?php
return [
'break_glass' => [
'enabled' => (bool) env('BREAK_GLASS_ENABLED', false),
'ttl_minutes' => (int) env('BREAK_GLASS_TTL_MINUTES', 15),
],
'system_console' => [
'stuck_thresholds' => [
'queued_minutes' => (int) env('TENANTPILOT_SYSTEM_CONSOLE_STUCK_QUEUED_MINUTES', 15),
'running_minutes' => (int) env('TENANTPILOT_SYSTEM_CONSOLE_STUCK_RUNNING_MINUTES', 30),
],
],
'operations' => [
'lifecycle' => [
'reconciliation' => [
'batch_limit' => (int) env('TENANTPILOT_OPERATION_RUN_RECONCILIATION_BATCH_LIMIT', 100),
'schedule_minutes' => (int) env('TENANTPILOT_OPERATION_RUN_RECONCILIATION_SCHEDULE_MINUTES', 5),
],
'covered_types' => [
'baseline_capture' => [
'job_class' => \App\Jobs\CaptureBaselineSnapshotJob::class,
'queued_stale_after_seconds' => 600,
'running_stale_after_seconds' => 1800,
'expected_max_runtime_seconds' => 300,
'direct_failed_bridge' => true,
'scheduled_reconciliation' => true,
],
'baseline_compare' => [
'job_class' => \App\Jobs\CompareBaselineToTenantJob::class,
'queued_stale_after_seconds' => 600,
'running_stale_after_seconds' => 1800,
'expected_max_runtime_seconds' => 300,
'direct_failed_bridge' => true,
'scheduled_reconciliation' => true,
],
'inventory_sync' => [
'job_class' => \App\Jobs\RunInventorySyncJob::class,
'queued_stale_after_seconds' => 300,
'running_stale_after_seconds' => 1200,
'expected_max_runtime_seconds' => 240,
'direct_failed_bridge' => true,
'scheduled_reconciliation' => true,
],
'policy.sync' => [
'job_class' => \App\Jobs\SyncPoliciesJob::class,
'queued_stale_after_seconds' => 300,
'running_stale_after_seconds' => 900,
'expected_max_runtime_seconds' => 180,
'direct_failed_bridge' => true,
'scheduled_reconciliation' => true,
],
'policy.sync_one' => [
'job_class' => \App\Jobs\SyncPoliciesJob::class,
'queued_stale_after_seconds' => 300,
'running_stale_after_seconds' => 900,
'expected_max_runtime_seconds' => 180,
'direct_failed_bridge' => true,
'scheduled_reconciliation' => true,
],
'entra_group_sync' => [
'job_class' => \App\Jobs\EntraGroupSyncJob::class,
'queued_stale_after_seconds' => 300,
'running_stale_after_seconds' => 900,
'expected_max_runtime_seconds' => 240,
'direct_failed_bridge' => false,
'scheduled_reconciliation' => true,
],
'directory_role_definitions.sync' => [
'job_class' => \App\Jobs\SyncRoleDefinitionsJob::class,
'queued_stale_after_seconds' => 300,
'running_stale_after_seconds' => 900,
'expected_max_runtime_seconds' => 240,
'direct_failed_bridge' => false,
'scheduled_reconciliation' => true,
],
'backup_schedule_run' => [
'job_class' => \App\Jobs\RunBackupScheduleJob::class,
'queued_stale_after_seconds' => 300,
'running_stale_after_seconds' => 1200,
'expected_max_runtime_seconds' => 300,
'direct_failed_bridge' => false,
'scheduled_reconciliation' => true,
],
'restore.execute' => [
'job_class' => \App\Jobs\ExecuteRestoreRunJob::class,
'queued_stale_after_seconds' => 300,
'running_stale_after_seconds' => 1500,
'expected_max_runtime_seconds' => 420,
'direct_failed_bridge' => false,
'scheduled_reconciliation' => true,
],
'tenant.review_pack.generate' => [
'job_class' => \App\Jobs\GenerateReviewPackJob::class,
'queued_stale_after_seconds' => 300,
'running_stale_after_seconds' => 900,
'expected_max_runtime_seconds' => 240,
'direct_failed_bridge' => false,
'scheduled_reconciliation' => true,
],
'tenant.review.compose' => [
'job_class' => \App\Jobs\ComposeTenantReviewJob::class,
'queued_stale_after_seconds' => 300,
'running_stale_after_seconds' => 900,
'expected_max_runtime_seconds' => 240,
'direct_failed_bridge' => true,
'scheduled_reconciliation' => true,
],
'tenant.evidence.snapshot.generate' => [
'job_class' => \App\Jobs\GenerateEvidenceSnapshotJob::class,
'queued_stale_after_seconds' => 300,
'running_stale_after_seconds' => 900,
'expected_max_runtime_seconds' => 240,
'direct_failed_bridge' => false,
'scheduled_reconciliation' => true,
],
],
],
],
'backup_health' => [
'freshness_hours' => (int) env('TENANTPILOT_BACKUP_HEALTH_FRESHNESS_HOURS', 24),
'schedule_overdue_grace_minutes' => (int) env('TENANTPILOT_BACKUP_HEALTH_SCHEDULE_OVERDUE_GRACE_MINUTES', 30),
'browser_smoke_fixture' => [
'workspace' => [
'name' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_WORKSPACE_NAME', 'Spec 180 Backup Health Smoke'),
'slug' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_WORKSPACE_SLUG', 'spec-180-backup-health-smoke'),
],
'user' => [
'name' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_USER_NAME', 'Spec 180 Requester'),
'email' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_USER_EMAIL', 'smoke-requester+180@tenantpilot.local'),
'password' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_USER_PASSWORD', 'password'),
],
'blocked_drillthrough' => [
'tenant_name' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_TENANT_NAME', 'Spec 180 Blocked Backup Tenant'),
'tenant_external_id' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_TENANT_EXTERNAL_ID', '18000000-0000-4000-8000-000000000180'),
'tenant_id' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_TENANT_ID', '18000000-0000-4000-8000-000000000180'),
'app_client_id' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_APP_CLIENT_ID', '18000000-0000-4000-8000-000000000182'),
'policy_external_id' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_POLICY_EXTERNAL_ID', 'spec-180-rbac-stale-policy'),
'policy_type' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_POLICY_TYPE', 'settingsCatalogPolicy'),
'policy_name' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_POLICY_NAME', 'Spec 180 RBAC Smoke Policy'),
'backup_set_name' => env('TENANTPILOT_BACKUP_HEALTH_SMOKE_BACKUP_SET_NAME', 'Spec 180 Blocked Stale Backup'),
'stale_age_hours' => (int) env('TENANTPILOT_BACKUP_HEALTH_SMOKE_STALE_AGE_HOURS', 48),
'capability_denials' => [
\App\Support\Auth\Capabilities::TENANT_VIEW,
],
],
],
],
'allow_admin_maintenance_actions' => (bool) env('ALLOW_ADMIN_MAINTENANCE_ACTIONS', false),
'supported_policy_types' => [
[
'type' => 'deviceConfiguration',
'label' => 'Device Configuration',
'category' => 'Configuration',
'platform' => 'all',
'endpoint' => 'deviceManagement/deviceConfigurations',
'filter' => "not isof('microsoft.graph.windowsUpdateForBusinessConfiguration')",
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium',
],
[
'type' => 'groupPolicyConfiguration',
'label' => 'Administrative Templates',
'category' => 'Configuration',
'platform' => 'windows',
'endpoint' => 'deviceManagement/groupPolicyConfigurations',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium',
],
[
'type' => 'settingsCatalogPolicy',
'label' => 'Settings Catalog Policy',
'category' => 'Configuration',
'platform' => 'windows',
'endpoint' => 'deviceManagement/configurationPolicies',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium',
],
[
'type' => 'windowsUpdateRing',
'label' => 'Software Update Ring',
'category' => 'Update Management',
'platform' => 'windows',
'endpoint' => 'deviceManagement/deviceConfigurations',
'filter' => "isof('microsoft.graph.windowsUpdateForBusinessConfiguration')",
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium-high',
],
[
'type' => 'windowsFeatureUpdateProfile',
'label' => 'Feature Updates (Windows)',
'category' => 'Update Management',
'platform' => 'windows',
'endpoint' => 'deviceManagement/windowsFeatureUpdateProfiles',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'high',
],
[
'type' => 'windowsQualityUpdateProfile',
'label' => 'Quality Updates (Windows)',
'category' => 'Update Management',
'platform' => 'windows',
'endpoint' => 'deviceManagement/windowsQualityUpdateProfiles',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'high',
],
[
'type' => 'windowsDriverUpdateProfile',
'label' => 'Driver Updates (Windows)',
'category' => 'Update Management',
'platform' => 'windows',
'endpoint' => 'deviceManagement/windowsDriverUpdateProfiles',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'high',
],
[
'type' => 'deviceCompliancePolicy',
'label' => 'Device Compliance',
'category' => 'Compliance',
'platform' => 'all',
'endpoint' => 'deviceManagement/deviceCompliancePolicies',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium',
],
[
'type' => 'appProtectionPolicy',
'label' => 'App Protection (MAM)',
'category' => 'Apps/MAM',
'platform' => 'mobile',
'endpoint' => 'deviceAppManagement/managedAppPolicies',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium-high',
],
[
'type' => 'mamAppConfiguration',
'label' => 'App Configuration (MAM)',
'category' => 'Apps/MAM',
'platform' => 'mobile',
'endpoint' => 'deviceAppManagement/targetedManagedAppConfigurations',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium-high',
],
[
'type' => 'managedDeviceAppConfiguration',
'label' => 'App Configuration (Device)',
'category' => 'Apps/MAM',
'platform' => 'mobile',
'endpoint' => 'deviceAppManagement/mobileAppConfigurations',
'filter' => "microsoft.graph.androidManagedStoreAppConfiguration/appSupportsOemConfig eq false or isof('microsoft.graph.androidManagedStoreAppConfiguration') eq false",
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium-high',
],
[
'type' => 'conditionalAccessPolicy',
'label' => 'Conditional Access',
'category' => 'Conditional Access',
'platform' => 'all',
'endpoint' => 'identity/conditionalAccess/policies',
'backup' => 'full',
'restore' => 'preview-only',
'risk' => 'high',
],
[
'type' => 'deviceManagementScript',
'label' => 'PowerShell Scripts',
'category' => 'Scripts',
'platform' => 'windows',
'endpoint' => 'deviceManagement/deviceManagementScripts',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium',
],
[
'type' => 'deviceShellScript',
'label' => 'macOS Shell Scripts',
'category' => 'Scripts',
'platform' => 'macOS',
'endpoint' => 'deviceManagement/deviceShellScripts',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium',
],
[
'type' => 'deviceHealthScript',
'label' => 'Proactive Remediations',
'category' => 'Scripts',
'platform' => 'windows',
'endpoint' => 'deviceManagement/deviceHealthScripts',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium',
],
[
'type' => 'deviceComplianceScript',
'label' => 'Custom Compliance Scripts',
'category' => 'Compliance',
'platform' => 'windows',
'endpoint' => 'deviceManagement/deviceComplianceScripts',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium-high',
],
[
'type' => 'windowsAutopilotDeploymentProfile',
'label' => 'Windows Autopilot Profiles',
'category' => 'Autopilot',
'platform' => 'windows',
'endpoint' => 'deviceManagement/windowsAutopilotDeploymentProfiles',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium-high',
],
[
'type' => 'windowsEnrollmentStatusPage',
'label' => 'Enrollment Status Page (ESP)',
'category' => 'Enrollment',
'platform' => 'all',
'endpoint' => 'deviceManagement/deviceEnrollmentConfigurations',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium',
],
[
'type' => 'deviceEnrollmentLimitConfiguration',
'label' => 'Enrollment Limits',
'category' => 'Enrollment',
'platform' => 'all',
'endpoint' => 'deviceManagement/deviceEnrollmentConfigurations',
'backup' => 'full',
'restore' => 'preview-only',
'risk' => 'high',
],
[
'type' => 'deviceEnrollmentPlatformRestrictionsConfiguration',
'label' => 'Platform Restrictions (Enrollment)',
'category' => 'Enrollment',
'platform' => 'all',
'endpoint' => 'deviceManagement/deviceEnrollmentConfigurations',
'backup' => 'full',
'restore' => 'preview-only',
'risk' => 'high',
],
[
'type' => 'deviceEnrollmentNotificationConfiguration',
'label' => 'Enrollment Notifications',
'category' => 'Enrollment',
'platform' => 'all',
'endpoint' => 'deviceManagement/deviceEnrollmentConfigurations',
'filter' => "deviceEnrollmentConfigurationType eq 'EnrollmentNotificationsConfiguration'",
'backup' => 'full',
'restore' => 'preview-only',
'risk' => 'high',
],
[
'type' => 'enrollmentRestriction',
'label' => 'Enrollment Restrictions',
'category' => 'Enrollment',
'platform' => 'all',
'endpoint' => 'deviceManagement/deviceEnrollmentConfigurations',
'backup' => 'full',
'restore' => 'preview-only',
'risk' => 'high',
],
[
'type' => 'termsAndConditions',
'label' => 'Terms & Conditions',
'category' => 'Enrollment',
'platform' => 'all',
'endpoint' => 'deviceManagement/termsAndConditions',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'medium-high',
],
[
'type' => 'endpointSecurityIntent',
'label' => 'Endpoint Security Intents',
'category' => 'Endpoint Security',
'platform' => 'windows',
'endpoint' => 'deviceManagement/intents',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'high',
],
[
'type' => 'endpointSecurityPolicy',
'label' => 'Endpoint Security Policies',
'category' => 'Endpoint Security',
'platform' => 'windows',
'endpoint' => 'deviceManagement/configurationPolicies',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'high',
],
[
'type' => 'securityBaselinePolicy',
'label' => 'Security Baselines',
'category' => 'Endpoint Security',
'platform' => 'windows',
'endpoint' => 'deviceManagement/configurationPolicies',
'backup' => 'full',
'restore' => 'preview-only',
'risk' => 'high',
],
[
'type' => 'mobileApp',
'label' => 'Applications (Metadata only)',
'category' => 'Applications',
'platform' => 'all',
'endpoint' => 'deviceAppManagement/mobileApps',
'backup' => 'metadata-only',
'restore' => 'enabled',
'risk' => 'low-medium',
],
],
'foundation_types' => [
[
'type' => 'assignmentFilter',
'label' => 'Assignment Filter',
'category' => 'Foundations',
'platform' => 'all',
'endpoint' => 'deviceManagement/assignmentFilters',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'low',
'baseline_compare' => [
'supported' => true,
'identity_strategy' => 'display_name',
'resolution' => [
'subject_class' => 'foundation_backed',
'resolution_path' => 'foundation_inventory',
'compare_capability' => 'limited',
'capture_capability' => 'limited',
'source_model_expected' => 'inventory',
],
],
],
[
'type' => 'roleScopeTag',
'label' => 'Scope Tag',
'category' => 'Foundations',
'platform' => 'all',
'endpoint' => 'deviceManagement/roleScopeTags',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'low',
'baseline_compare' => [
'supported' => true,
'identity_strategy' => 'display_name',
'resolution' => [
'subject_class' => 'foundation_backed',
'resolution_path' => 'foundation_inventory',
'compare_capability' => 'limited',
'capture_capability' => 'limited',
'source_model_expected' => 'inventory',
],
],
],
[
'type' => 'intuneRoleDefinition',
'label' => 'Intune RBAC Role Definition',
'category' => 'RBAC',
'platform' => 'all',
'endpoint' => 'deviceManagement/roleDefinitions',
'backup' => 'full',
'restore' => 'preview-only',
'risk' => 'high',
'baseline_compare' => [
'supported' => true,
'identity_strategy' => 'external_id',
'resolution' => [
'subject_class' => 'foundation_backed',
'resolution_path' => 'foundation_policy',
'compare_capability' => 'supported',
'capture_capability' => 'supported',
'source_model_expected' => 'policy',
],
],
],
[
'type' => 'intuneRoleAssignment',
'label' => 'Intune RBAC Role Assignment',
'category' => 'RBAC',
'platform' => 'all',
'endpoint' => 'deviceManagement/roleAssignments',
'backup' => 'full',
'restore' => 'preview-only',
'risk' => 'high',
'baseline_compare' => [
'supported' => false,
'identity_strategy' => 'external_id',
'resolution' => [
'subject_class' => 'foundation_backed',
'resolution_path' => 'foundation_policy',
'compare_capability' => 'unsupported',
'capture_capability' => 'unsupported',
'source_model_expected' => 'policy',
],
],
],
[
'type' => 'notificationMessageTemplate',
'label' => 'Notification Message Template',
'category' => 'Foundations',
'platform' => 'all',
'endpoint' => 'deviceManagement/notificationMessageTemplates',
'backup' => 'full',
'restore' => 'enabled',
'risk' => 'low',
'baseline_compare' => [
'supported' => true,
'identity_strategy' => 'display_name',
'resolution' => [
'subject_class' => 'foundation_backed',
'resolution_path' => 'foundation_inventory',
'compare_capability' => 'limited',
'capture_capability' => 'limited',
'source_model_expected' => 'inventory',
],
],
],
],
'features' => [
'conditional_access' => true,
],
'bulk_operations' => [
'chunk_size' => (int) env('TENANTPILOT_BULK_CHUNK_SIZE', 10),
'poll_interval_seconds' => (int) env('TENANTPILOT_BULK_POLL_INTERVAL_SECONDS', 3),
'recent_finished_seconds' => (int) env('TENANTPILOT_BULK_RECENT_FINISHED_SECONDS', 12),
'progress_widget_enabled' => (bool) env('TENANTPILOT_BULK_PROGRESS_WIDGET_ENABLED', true),
'concurrency' => [
'per_target_scope_max' => (int) env('TENANTPILOT_BULK_CONCURRENCY_PER_TARGET_SCOPE_MAX', 1),
'lock_ttl_seconds' => (int) env('TENANTPILOT_BULK_CONCURRENCY_LOCK_TTL_SECONDS', 900),
],
],
'inventory_sync' => [
'concurrency' => [
'global_max' => (int) env('TENANTPILOT_INVENTORY_SYNC_CONCURRENCY_GLOBAL_MAX', 2),
'per_tenant_max' => (int) env('TENANTPILOT_INVENTORY_SYNC_CONCURRENCY_PER_TENANT_MAX', 1),
],
],
'alerts' => [
'enabled' => (bool) env('TENANTPILOT_ALERTS_ENABLED', true),
'evaluate_initial_lookback_minutes' => (int) env('TENANTPILOT_ALERTS_EVALUATE_INITIAL_LOOKBACK_MINUTES', 15),
'delivery_retention_days' => (int) env('TENANTPILOT_ALERTS_DELIVERY_RETENTION_DAYS', 90),
'delivery_max_attempts' => (int) env('TENANTPILOT_ALERTS_DELIVERY_MAX_ATTEMPTS', 3),
'delivery_retry_base_seconds' => (int) env('TENANTPILOT_ALERTS_DELIVERY_RETRY_BASE_SECONDS', 60),
'delivery_retry_max_seconds' => (int) env('TENANTPILOT_ALERTS_DELIVERY_RETRY_MAX_SECONDS', 900),
'deliver_batch_size' => (int) env('TENANTPILOT_ALERTS_DELIVER_BATCH_SIZE', 200),
'http_timeout_seconds' => (int) env('TENANTPILOT_ALERTS_HTTP_TIMEOUT_SECONDS', 10),
],
'stored_reports' => [
'retention_days' => (int) env('TENANTPILOT_STORED_REPORTS_RETENTION_DAYS', 90),
],
'display' => [
'show_script_content' => (bool) env('TENANTPILOT_SHOW_SCRIPT_CONTENT', false),
'max_script_content_chars' => (int) env('TENANTPILOT_MAX_SCRIPT_CONTENT_CHARS', 5000),
],
'review_pack' => [
'retention_days' => (int) env('TENANTPILOT_REVIEW_PACK_RETENTION_DAYS', 90),
'hard_delete_grace_days' => (int) env('TENANTPILOT_REVIEW_PACK_HARD_DELETE_GRACE_DAYS', 30),
'download_url_ttl_minutes' => (int) env('TENANTPILOT_REVIEW_PACK_DOWNLOAD_URL_TTL_MINUTES', 60),
'include_pii_default' => (bool) env('TENANTPILOT_REVIEW_PACK_INCLUDE_PII_DEFAULT', true),
'include_operations_default' => (bool) env('TENANTPILOT_REVIEW_PACK_INCLUDE_OPERATIONS_DEFAULT', true),
],
'baselines' => [
'full_content_capture' => [
'enabled' => (bool) env('TENANTPILOT_BASELINE_FULL_CONTENT_CAPTURE_ENABLED', false),
'max_items_per_run' => (int) env('TENANTPILOT_BASELINE_EVIDENCE_MAX_ITEMS_PER_RUN', 200),
'max_concurrency' => (int) env('TENANTPILOT_BASELINE_EVIDENCE_MAX_CONCURRENCY', 5),
'max_retries' => (int) env('TENANTPILOT_BASELINE_EVIDENCE_MAX_RETRIES', 3),
'retention_days' => (int) env('TENANTPILOT_BASELINE_EVIDENCE_RETENTION_DAYS', 90),
],
],
'platform_vocabulary' => [
'terms' => [
'governed_subject' => [
'term_key' => 'governed_subject',
'canonical_label' => 'Governed subject',
'canonical_description' => 'The platform-facing noun for a governed object across compare, snapshot, evidence, and review surfaces.',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'allowed_contexts' => ['compare', 'snapshot', 'evidence', 'review', 'reporting'],
'legacy_aliases' => ['policy_type'],
'alias_retirement_path' => 'Retire false-universal policy_type wording from platform-owned summaries and descriptors while preserving Intune-owned storage.',
'forbidden_platform_aliases' => ['policy_type'],
],
'domain_key' => [
'term_key' => 'domain_key',
'canonical_label' => 'Governance domain',
'canonical_description' => 'The canonical domain discriminator for cross-domain and platform-near contracts.',
'boundary_classification' => 'cross_domain_governance',
'owner_layer' => 'platform_core',
'allowed_contexts' => ['governance', 'compare', 'snapshot', 'reporting'],
'legacy_aliases' => [],
'alias_retirement_path' => null,
'forbidden_platform_aliases' => [],
],
'subject_class' => [
'term_key' => 'subject_class',
'canonical_label' => 'Subject class',
'canonical_description' => 'The canonical subject-class discriminator for governed-subject contracts.',
'boundary_classification' => 'cross_domain_governance',
'owner_layer' => 'platform_core',
'allowed_contexts' => ['governance', 'compare', 'snapshot'],
'legacy_aliases' => [],
'alias_retirement_path' => null,
'forbidden_platform_aliases' => [],
],
'subject_type_key' => [
'term_key' => 'subject_type_key',
'canonical_label' => 'Governed subject key',
'canonical_description' => 'The domain-owned subject-family key used by platform-near descriptors.',
'boundary_classification' => 'cross_domain_governance',
'owner_layer' => 'platform_core',
'allowed_contexts' => ['governance', 'compare', 'snapshot', 'evidence'],
'legacy_aliases' => ['policy_type'],
'alias_retirement_path' => 'Prefer subject_type_key on platform-near payloads and keep policy_type only where the owning model is Intune-specific.',
'forbidden_platform_aliases' => ['policy_type'],
],
'subject_type_label' => [
'term_key' => 'subject_type_label',
'canonical_label' => 'Governed subject label',
'canonical_description' => 'The operator-facing label for a governed subject family.',
'boundary_classification' => 'cross_domain_governance',
'owner_layer' => 'platform_core',
'allowed_contexts' => ['snapshot', 'evidence', 'compare', 'review'],
'legacy_aliases' => [],
'alias_retirement_path' => null,
'forbidden_platform_aliases' => [],
],
'resource_type' => [
'term_key' => 'resource_type',
'canonical_label' => 'Resource type',
'canonical_description' => 'Optional resource-shaped noun for platform-facing summaries when a governed subject also needs a resource family label.',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'allowed_contexts' => ['reporting', 'review'],
'legacy_aliases' => [],
'alias_retirement_path' => null,
'forbidden_platform_aliases' => [],
],
'operation_type' => [
'term_key' => 'operation_type',
'canonical_label' => 'Operation type',
'canonical_description' => 'The canonical platform operation identifier shown on monitoring and launch surfaces.',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'allowed_contexts' => ['monitoring', 'reporting', 'launch_surfaces'],
'legacy_aliases' => ['type'],
'alias_retirement_path' => 'Expose canonical operation_type on read models while operation_runs.type remains a compatibility storage seam during rollout.',
'forbidden_platform_aliases' => [],
],
'platform_reason_family' => [
'term_key' => 'platform_reason_family',
'canonical_label' => 'Platform reason family',
'canonical_description' => 'The cross-domain platform family that explains the top-level cause category without erasing domain ownership.',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'allowed_contexts' => ['reason_translation', 'monitoring', 'review', 'reporting'],
'legacy_aliases' => [],
'alias_retirement_path' => null,
'forbidden_platform_aliases' => [],
],
'reason_owner.owner_namespace' => [
'term_key' => 'reason_owner.owner_namespace',
'canonical_label' => 'Reason owner namespace',
'canonical_description' => 'The explicit namespace that marks whether a translated reason is provider-owned, governance-owned, access-owned, or runtime-owned.',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'allowed_contexts' => ['reason_translation', 'review', 'reporting'],
'legacy_aliases' => [],
'alias_retirement_path' => null,
'forbidden_platform_aliases' => [],
],
'reason_code' => [
'term_key' => 'reason_code',
'canonical_label' => 'Reason code',
'canonical_description' => 'The original domain-owned or provider-owned reason identifier preserved for diagnostics and translation lookup.',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'allowed_contexts' => ['reason_translation', 'diagnostics'],
'legacy_aliases' => [],
'alias_retirement_path' => null,
'forbidden_platform_aliases' => [],
],
'registry_key' => [
'term_key' => 'registry_key',
'canonical_label' => 'Registry key',
'canonical_description' => 'The stable identifier for a contributor-facing registry or catalog.',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'allowed_contexts' => ['governance', 'contributor_guidance'],
'legacy_aliases' => [],
'alias_retirement_path' => null,
'forbidden_platform_aliases' => [],
],
'boundary_classification' => [
'term_key' => 'boundary_classification',
'canonical_label' => 'Boundary classification',
'canonical_description' => 'The explicit classification that marks a term or registry as platform_core, cross_domain_governance, or intune_specific.',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'allowed_contexts' => ['governance', 'contributor_guidance'],
'legacy_aliases' => [],
'alias_retirement_path' => null,
'forbidden_platform_aliases' => [],
],
'policy_type' => [
'term_key' => 'policy_type',
'canonical_label' => 'Intune policy type',
'canonical_description' => 'The Intune-specific discriminator that remains valid on adapter-owned or Intune-owned models but must not be treated as a universal platform noun.',
'boundary_classification' => 'intune_specific',
'owner_layer' => 'domain_owned',
'allowed_contexts' => ['intune_adapter', 'intune_inventory', 'intune_backup'],
'legacy_aliases' => [],
'alias_retirement_path' => null,
'forbidden_platform_aliases' => ['governed_subject'],
],
],
'reason_namespaces' => [
'tenant_operability' => [
'owner_namespace' => 'tenant_operability',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'compatibility_notes' => 'Tenant operability reasons are platform-core guardrails for workspace and tenant context.',
],
'execution_denial' => [
'owner_namespace' => 'execution_denial',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'compatibility_notes' => 'Execution denial reasons remain platform-core run-legitimacy semantics.',
],
'operation_lifecycle' => [
'owner_namespace' => 'operation_lifecycle',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'compatibility_notes' => 'Lifecycle reconciliation reasons remain platform-core monitoring semantics.',
],
'governance.baseline_compare' => [
'owner_namespace' => 'governance.baseline_compare',
'boundary_classification' => 'cross_domain_governance',
'owner_layer' => 'domain_owned',
'compatibility_notes' => 'Baseline-compare reason codes are governance-owned details translated through the platform boundary.',
],
'governance.artifact_truth' => [
'owner_namespace' => 'governance.artifact_truth',
'boundary_classification' => 'cross_domain_governance',
'owner_layer' => 'domain_owned',
'compatibility_notes' => 'Artifact-truth reason codes remain governance-owned and are surfaced through platform-safe summaries.',
],
'provider.microsoft_graph' => [
'owner_namespace' => 'provider.microsoft_graph',
'boundary_classification' => 'intune_specific',
'owner_layer' => 'provider_owned',
'compatibility_notes' => 'Microsoft Graph provider reasons remain provider-owned and Intune-specific.',
],
'provider.intune_rbac' => [
'owner_namespace' => 'provider.intune_rbac',
'boundary_classification' => 'intune_specific',
'owner_layer' => 'provider_owned',
'compatibility_notes' => 'Provider-owned Intune RBAC reasons remain Intune-specific.',
],
'rbac.intune' => [
'owner_namespace' => 'rbac.intune',
'boundary_classification' => 'intune_specific',
'owner_layer' => 'domain_owned',
'compatibility_notes' => 'RBAC detail remains Intune-specific domain context.',
],
'reason_translation.fallback' => [
'owner_namespace' => 'reason_translation.fallback',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'compatibility_notes' => 'Fallback translation remains a platform-core compatibility seam until a domain owner is known.',
],
],
'registries' => [
'governance_subject_taxonomy_registry' => [
'registry_key' => 'governance_subject_taxonomy_registry',
'boundary_classification' => 'cross_domain_governance',
'owner_layer' => 'platform_core',
'source_class_or_file' => App\Support\Governance\GovernanceSubjectTaxonomyRegistry::class,
'canonical_nouns' => ['domain_key', 'subject_class', 'subject_type_key', 'subject_type_label'],
'allowed_consumers' => ['baseline_scope', 'compare', 'snapshot', 'review'],
'compatibility_notes' => 'Provides the governed-subject source of truth, resolves legacy policy-type payloads, and preserves inactive or future-domain entries without exposing them as active operator choices.',
],
'operation_catalog' => [
'registry_key' => 'operation_catalog',
'boundary_classification' => 'platform_core',
'owner_layer' => 'platform_core',
'source_class_or_file' => App\Support\OperationCatalog::class,
'canonical_nouns' => ['operation_type'],
'allowed_consumers' => ['monitoring', 'reporting', 'launch_surfaces', 'audit'],
'compatibility_notes' => 'Resolves canonical operation meaning from historical storage values without treating every stored raw string as equally canonical.',
],
'provider_reason_codes' => [
'registry_key' => 'provider_reason_codes',
'boundary_classification' => 'intune_specific',
'owner_layer' => 'provider_owned',
'source_class_or_file' => App\Support\Providers\ProviderReasonCodes::class,
'canonical_nouns' => ['reason_code'],
'allowed_consumers' => ['reason_translation'],
'compatibility_notes' => 'Provider-owned reason codes remain namespaced domain details and become platform-safe only through the reason-translation boundary.',
],
'inventory_policy_type_catalog' => [
'registry_key' => 'inventory_policy_type_catalog',
'boundary_classification' => 'intune_specific',
'owner_layer' => 'domain_owned',
'source_class_or_file' => App\Support\Inventory\InventoryPolicyTypeMeta::class,
'canonical_nouns' => ['policy_type'],
'allowed_consumers' => ['intune_adapter', 'inventory', 'backup'],
'compatibility_notes' => 'The supported Intune policy-type list is not a universal platform registry and must be wrapped before reuse on platform-near summaries.',
],
],
],
'hardening' => [
'intune_write_gate' => [
'enabled' => (bool) env('TENANTPILOT_INTUNE_WRITE_GATE_ENABLED', true),
'freshness_threshold_hours' => (int) env('TENANTPILOT_INTUNE_WRITE_GATE_FRESHNESS_HOURS', 24),
],
],
];
Reference in New Issue View Git Blame Copy Permalink