ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
ae0e0a0674
TenantAtlas/specs/282-governance-artifact-retargeting/research.md
ahmido f50d57370f feat: cut over workspace-first admin environment surfaces (#341) 
## Summary
- cut over the admin runtime to the workspace-first environment and operations routes from spec 280
- retarget governance artifact resources, related navigation, and operation drillthroughs to the surviving admin panel contract from spec 282
- add focused feature and browser coverage plus spec close-out updates for the shipped 280/282 slice

## Validation
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/WorkspaceFoundation tests/Feature/Workspaces tests/Feature/ManagedEnvironment tests/Feature/RequiredPermissions tests/Feature/Operations tests/Feature/MonitoringOperationsTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec280WorkspaceTenancyEnvironmentRoutingSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactAdminPanelRegistrationTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactEnvironmentContextTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactDeepLinkContractTest.php tests/Feature/Filament/GovernanceArtifacts/GovernanceArtifactLegacyTenantPanelGuardTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec282GovernanceArtifactRetargetingSmokeTest.php`

## Notes
- provider registration remains in `apps/platform/bootstrap/providers.php`
- Filament stays on v5 with Livewire v4 semantics
- touched searchable governance surfaces remain truthful or disabled in the same slice

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #341
2026-05-07 23:50:36 +00:00

84 lines
6.1 KiB
Markdown
Raw Blame History

# Research: Governance Artifact Retargeting to ManagedEnvironment
## Decision Summary
### Decision 1: Treat 282 as a surface-ownership slice, not a schema slice
- **Decision**: `282` will retarget existing governance artifact resources and drillthroughs to the workspace-first admin runtime. It will not reopen `tenant_id` to `managed_environment_id` persistence work.
- **Why**: repo truth already shows `managed_environment_id` plus `workspace_id` on the relevant models, and the real remaining gap is surface registration, route ownership, and context resolution.
- **Evidence**:
- `OperationRun`, `Finding`, `Policy`, `BackupSet`, `RestoreRun`, `EvidenceSnapshot`, `ReviewPack`, `TenantReview`, and `StoredReport` already persist `managed_environment_id`
- many models use `DerivesWorkspaceIdFromTenant` or equivalent workspace derivation seams
### Decision 2: Scope the implementation around current resource families
- **Decision**: the primary implementation unit is the current environment-owned Filament resource families, not a generic artifact abstraction.
- **Why**: the route and admin-registration drift is expressed in concrete resources such as `FindingResource`, `PolicyResource`, `BackupSetResource`, `RestoreRunResource`, `EvidenceSnapshotResource`, `ReviewPackResource`, and `StoredReportResource`.
- **Evidence**:
- several resources still include admin-hide guards through `shouldRegisterNavigation()` checks against the `admin` panel
- read-only artifact resources still use `ManagedEnvironment::current()` or mixed fallback chains that imply tenant-panel ownership
### Decision 3: Reuse shared context and link seams
- **Decision**: reuse `ResolvesPanelTenantContext`, `InteractsWithTenantOwnedRecords`, `RelatedNavigationResolver`, `CanonicalNavigationContext`, and `OperationRunLinks` instead of creating a new route-helper layer.
- **Why**: the repo already has one shared environment-resolution seam and one shared navigation contract; the drift is in how existing resources still call them under tenant-panel assumptions.
- **Evidence**:
- `ResolvesPanelTenantContext` already branches for `admin` versus `tenant` panels
- `OperationRunLinks` already owns canonical operations URLs
### Decision 4: Keep artifact lifecycle and stored-report productization deferred
- **Decision**: defer lifecycle semantics to Spec `267` and broader stored-report surface/productization work to Spec `277`.
- **Why**: both packages already exist and would broaden `282` beyond route ownership and context resolution.
- **Evidence**:
- `specs/267-artifact-lifecycle-retention/spec.md` is already `Ready for implementation`
- `specs/277-stored-reports-surface/spec.md` is already `Ready for implementation`
### Decision 5: Keep provider, RBAC, copy, and no-legacy follow-through deferred
- **Decision**: defer Specs `283` through `287` unchanged.
- **Why**: `282` is already broad enough at the resource-surface layer. Capability registries, taxonomies, RBAC redesign, vocabulary cleanup, and global cutover quality gates belong to the later reserved slots.
### Decision 6: Keep adjacent pages out of scope for 282
- **Decision**: pages such as `TenantDiagnostics`, `InventoryCoverage`, and `BaselineCompareLanding` remain out of scope for `282` unless a later implementation produces a concrete, isolated follow-up need.
- **Why**: repo truth shows these are adjacent seams, not part of the minimum route-ownership contract needed for the current governance artifact resource families.
## Touched Resource Inventory
| Family | Representative resources | Current repo issue |
|---|---|---|
| Governance registers | `InventoryItemResource`, `PolicyResource`, `PolicyVersionResource`, `FindingResource`, `FindingExceptionResource` | admin-hidden registration or environment-context drift |
| Recovery and backup | `BackupScheduleResource`, `BackupSetResource`, `RestoreRunResource` | admin-hidden registration plus many related links and action URLs |
| Evidence and reporting | `EvidenceSnapshotResource`, `TenantReviewResource`, `ReviewPackResource`, `StoredReportResource` | environment resolution still assumes tenant-panel truth in fallbacks |
## Candidate Deviations From Raw Backlog Text
- The raw candidate reads like a model and route retarget combined. Repo truth shows the model retarget already happened in Spec `279`.
- The raw candidate mentions renaming review concepts and removing remaining `/admin/t` links broadly. For `282`, this is narrowed to the touched governance artifact surface families only; broader copy cleanup remains Spec `286`.
- The raw candidate's `operation_runs` move is already satisfied at the persistence layer; `282` only retargets artifact-origin links into the workspace-first operations routes reused from Spec `280`.
- The raw candidate's `backup items` note remains nested under backup-set and restore-run surfaces and does not become a separate top-level route family in `282`.
## Implementation Risks To Hold During Tasks Generation
- Do not widen into lifecycle or reporting semantics just because `ReviewPackResource` and `StoredReportResource` are touched.
- Do not create new route helpers or a generic artifact surface layer.
- Do not leave any touched family half-migrated, where list pages move but action URLs or related links still emit tenant-panel destinations.
## Files Reviewed
- `.specify/memory/constitution.md`
- `docs/product/spec-candidates.md`
- `docs/product/roadmap.md`
- `specs/267-artifact-lifecycle-retention/spec.md`
- `specs/277-stored-reports-surface/spec.md`
- `specs/279-workspace-managed-environment-core/spec.md`
- `specs/280-workspace-tenancy-environment-routing/spec.md`
- `specs/281-provider-connection-scope/spec.md`
- `apps/platform/app/Models/OperationRun.php`
- `apps/platform/app/Filament/Concerns/ResolvesPanelTenantContext.php`
- `apps/platform/app/Filament/Resources/FindingResource.php`
- `apps/platform/app/Filament/Resources/EvidenceSnapshotResource.php`
- `apps/platform/app/Filament/Resources/ReviewPackResource.php`
- `apps/platform/app/Filament/Resources/StoredReportResource.php`
- repo-wide searches for admin-hide guards and environment-context helper usage in Filament resources and pages
Reference in New Issue View Git Blame Copy Permalink