## Summary

- harden the canonical operation run viewer so mismatched, missing, archived, onboarding, and selector-excluded tenant context no longer invalidates authorized canonical run viewing
- extend canonical route, header-context, deep-link, and presentation coverage for Spec 144 and add the full spec artifact set under `specs/144-canonical-operation-viewer-context-decoupling/`
- harden onboarding draft provider-connection resume logic so stale persisted provider connections fall back to the connect-provider step instead of resuming invalid state
- add architecture-audit follow-up candidate material and prompt assets for the next governance hardening wave

## Testing

- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Feature/144/CanonicalOperationViewerContextMismatchTest.php tests/Feature/144/CanonicalOperationViewerDeepLinkTrustTest.php tests/Feature/Operations/TenantlessOperationRunViewerTest.php tests/Feature/OpsUx/OperateHubShellTest.php tests/Feature/Monitoring/OperationsTenantScopeTest.php tests/Feature/RunAuthorizationTenantIsolationTest.php tests/Feature/Filament/OperationRunEnterpriseDetailPageTest.php tests/Feature/Monitoring/HeaderContextBarTest.php tests/Feature/Monitoring/OperationRunResolvedReferencePresentationTest.php tests/Feature/Monitoring/OperationsCanonicalUrlsTest.php`
- `vendor/bin/sail artisan test --compact tests/Feature/ManagedTenantOnboardingWizardTest.php tests/Unit/Onboarding/OnboardingDraftStageResolverTest.php tests/Unit/Onboarding/OnboardingLifecycleServiceTest.php`

## Notes

- branch: `144-canonical-operation-viewer-context-decoupling`
- base: `dev`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #173
112 lines
5.7 KiB
Markdown
# Discoveries

> Things found during implementation that don't belong in the current spec.
> Review weekly. Promote to [spec-candidates.md](spec-candidates.md) or discard.

Items that are already tracked in [spec-candidates.md](spec-candidates.md) or [roadmap.md](roadmap.md) should not remain here.

**Last reviewed**: 2026-03-15

---

## 2026-03-15 — Queued execution trust relies too much on dispatch-time authority

- **Source**: architecture audit
- **Observation**: Queued jobs still rely too heavily on the actor, tenant, and authorization state captured at dispatch time. Execution-time scope continuity and reauthorization are not yet hardened as a canonical backend contract.
- **Category**: hardening
- **Priority**: high
- **Suggested follow-up**: Track in [../audits/2026-03-15-audit-spec-candidates.md](../audits/2026-03-15-audit-spec-candidates.md) as Candidate A: queued execution reauthorization and scope continuity.
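One concrete shape for the execution-time contract this candidate asks for, added here as an illustration and not code from the repository: a Laravel queued job that carries only identifiers across the queue boundary and, when it actually runs, re-resolves actor, tenant and run, checks that the run still sits in the tenant it was dispatched for, and re-runs the policy instead of trusting the decision made in the dispatching request. The class names (`ReplayOperationRun`, `OperationRun`, `Tenant`, `User`, `OperationRunner`), the `archived_at` column and the `execute` ability are assumptions.

```php
<?php
// Added illustration, not project code. Assumed names: ReplayOperationRun,
// OperationRun, Tenant, User, OperationRunner, the 'execute' Gate ability
// and a nullable tenants.archived_at column.

namespace App\Jobs;

use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Services\OperationRunner;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Support\Facades\Gate;

final class ReplayOperationRun implements ShouldQueue
{
    use Dispatchable, InteractsWithQueue, Queueable;

    // Only identifiers cross the queue boundary: no serialized User or Tenant
    // model and no "already authorized" flag. Authority is re-derived on run.
    public function __construct(
        public int $actorId,
        public int $tenantId,
        public int $runId,
    ) {}

    public function handle(OperationRunner $runner): void
    {
        $actor = User::query()->find($this->actorId);
        $tenant = Tenant::query()->find($this->tenantId);
        $run = OperationRun::query()->find($this->runId);

        // Fail closed: anything that disappeared since dispatch ends the job.
        if ($actor === null || $tenant === null || $run === null) {
            $this->fail(new AuthorizationException('Queued context is no longer resolvable.'));
            return;
        }

        // Scope continuity: the run must still belong to the tenant the job
        // was dispatched for, and that tenant must still be active.
        if ((int) $run->tenant_id !== $this->tenantId || $tenant->archived_at !== null) {
            $this->fail(new AuthorizationException('Tenant scope changed since dispatch.'));
            return;
        }

        // Execution-time reauthorization against the current policy, not the
        // answer cached in the dispatcher's HTTP request.
        if (! Gate::forUser($actor)->allows('execute', $run)) {
            $this->fail(new AuthorizationException('Actor is no longer authorized for this run.'));
            return;
        }

        $runner->execute($run, $actor, $tenant);
    }
}

// Dispatch site passes ids, never models or permission results:
//   ReplayOperationRun::dispatch($actor->id, $tenant->id, $run->id);
```

Because the checks live in `handle()`, every attempt including retries re-evaluates them, and `$this->fail()` marks the job failed instead of letting a revoked actor's job be retried until it eventually runs.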

---

## 2026-03-15 — Tenant-owned query canon remains too ad hoc

- **Source**: architecture audit
- **Observation**: Tenant isolation is broadly present, but many tenant-owned reads still depend on repeated local `tenant_id` filtering instead of a reusable canonical query path. This increases drift risk and weakens wrong-tenant regression discipline.
- **Category**: hardening
- **Priority**: high
- **Suggested follow-up**: Track in [../audits/2026-03-15-audit-spec-candidates.md](../audits/2026-03-15-audit-spec-candidates.md) as Candidate B: tenant-owned query canon and wrong-tenant guards.
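What a reusable canonical query path can look like, as an added example rather than the project's own code: an Eloquent global scope that filters every tenant-owned model by the current tenant, a trait that applies it and stamps `tenant_id` on create, an explicitly named bypass for system-level reads, and a wrong-tenant guard for models loaded by id from user input. `TenantScope`, `TenantOwned`, `CurrentTenant`, `WrongTenantAccess` and the `Finding` model in the comment are assumed names.

```php
<?php
// Added illustration, not project code. Assumed names: TenantScope, TenantOwned,
// CurrentTenant, WrongTenantAccess, Finding. Models are assumed to carry a
// tenant_id column.

namespace App\Tenancy;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;

// Request-scoped holder for the resolved tenant; bound as a scoped singleton
// and filled by tenant-resolution middleware (assumed wiring).
final class CurrentTenant
{
    public function __construct(private ?int $id = null) {}

    public function id(): ?int
    {
        return $this->id;
    }
}

final class WrongTenantAccess extends \RuntimeException {}

// Before (the ad hoc pattern): every read repeats the filter by hand, and one
// forgotten ->where('tenant_id', ...) becomes a wrong-tenant read.
//   Finding::query()->where('tenant_id', $tenantId)->where('status', 'open')->get();

// After: one canonical scope that every tenant-owned model applies by default.
final class TenantScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        $tenantId = app(CurrentTenant::class)->id();

        // No resolvable tenant means no rows, never "all rows".
        if ($tenantId === null) {
            $builder->whereRaw('1 = 0');
            return;
        }

        $builder->where($model->qualifyColumn('tenant_id'), $tenantId);
    }
}

trait TenantOwned
{
    // Laravel calls boot{TraitName} when a model using the trait boots.
    public static function bootTenantOwned(): void
    {
        static::addGlobalScope(new TenantScope());

        // Rows created through the model are stamped with the current tenant,
        // so a caller cannot silently create data under another tenant.
        static::creating(function (Model $model): void {
            $model->tenant_id ??= app(CurrentTenant::class)->id();
        });
    }

    // Explicit cross-tenant read for system-level surfaces. The call site has
    // to name the bypass, which is what a reviewer greps for.
    public function scopeForTenantUnscoped(Builder $query, int $tenantId): Builder
    {
        return $query->withoutGlobalScope(TenantScope::class)
            ->where($this->qualifyColumn('tenant_id'), $tenantId);
    }

    // Wrong-tenant guard for models loaded by id from user-controlled input.
    public function assertOwnedBy(int $tenantId): static
    {
        if ((int) $this->tenant_id !== $tenantId) {
            throw new WrongTenantAccess(static::class.' #'.$this->getKey().' is not owned by tenant '.$tenantId);
        }

        return $this;
    }
}
```

With the trait on a model, `Finding::query()->where('status', 'open')->get()` is tenant-bounded without any local filter, and the only ways to read across tenants are `withoutGlobalScope(TenantScope::class)` or `forTenantUnscoped()`, both of which are easy to find in review and to cover with a wrong-tenant regression test.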

---

## 2026-03-15 — Findings lifecycle truth is stronger in docs than in enforcement

- **Source**: architecture audit
- **Observation**: Findings workflow semantics are well-defined at spec level, but architectural enforcement still depends too much on service-path discipline. Direct status mutations that bypass the service path remain too plausible.
- **Category**: hardening
- **Priority**: high
- **Suggested follow-up**: Track in [../audits/2026-03-15-audit-spec-candidates.md](../audits/2026-03-15-audit-spec-candidates.md) as Candidate C: findings workflow enforcement and audit backstop.
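One way to turn the service-path convention into an enforced contract with an audit backstop, added as an example and not the project's code: the workflow service validates the transition against an allowed-transition map, announces it to a guard, saves, and writes an audit row in the same transaction; a model-level `updating` hook rejects any status change the guard did not sanction. `FindingWorkflow`, `FindingStatusGuard`, `FindingStatusAudit`, `InvalidFindingTransition`, the status values and the `status` column are assumptions.

```php
<?php
// Added illustration, not project code. Assumed names: Finding, FindingWorkflow,
// FindingStatusGuard, FindingStatusAudit, InvalidFindingTransition; assumed
// columns: findings.status, finding_status_audits.{finding_id,from_status,
// to_status,actor_id,reason}. The status values are constructed for the example.

namespace App\Findings;

use App\Models\Finding;
use App\Models\FindingStatusAudit;
use App\Models\User;
use Illuminate\Support\Facades\DB;

final class InvalidFindingTransition extends \DomainException {}

// The single sanctioned path for status changes. It announces the transition
// to the guard before saving, so a bare $finding->update(['status' => ...])
// elsewhere in the codebase is rejected at the model layer, not by convention.
final class FindingWorkflow
{
    private const TRANSITIONS = [
        'open'        => ['triaged', 'suppressed'],
        'triaged'     => ['in_progress', 'suppressed'],
        'in_progress' => ['resolved', 'open'],
        'resolved'    => ['open'],
        'suppressed'  => ['open'],
    ];

    public function transition(Finding $finding, string $to, User $actor, string $reason): Finding
    {
        $from = (string) $finding->status;
        if (! in_array($to, self::TRANSITIONS[$from] ?? [], true)) {
            throw new InvalidFindingTransition("{$from} -> {$to} is not an allowed transition");
        }

        // Status change and audit row commit together or not at all.
        return DB::transaction(function () use ($finding, $from, $to, $actor, $reason): Finding {
            FindingStatusGuard::sanction($finding, $to);
            $finding->status = $to;
            $finding->save();

            FindingStatusAudit::query()->create([
                'finding_id'  => $finding->getKey(),
                'from_status' => $from,
                'to_status'   => $to,
                'actor_id'    => $actor->getKey(),
                'reason'      => $reason,
            ]);

            return $finding;
        });
    }
}

// Model-layer backstop. Register once in Finding::booted():
//   static::updating(fn (Finding $f) => FindingStatusGuard::check($f));
final class FindingStatusGuard
{
    /** @var array<int, string> spl_object_id => sanctioned target status */
    private static array $sanctioned = [];

    public static function sanction(Finding $finding, string $to): void
    {
        self::$sanctioned[spl_object_id($finding)] = $to;
    }

    public static function check(Finding $finding): void
    {
        if (! $finding->isDirty('status')) {
            return;
        }

        $key = spl_object_id($finding);
        $expected = self::$sanctioned[$key] ?? null;
        unset(self::$sanctioned[$key]);

        // Throwing from an `updating` listener aborts the save.
        if ($expected !== $finding->status) {
            throw new InvalidFindingTransition(
                'Finding status may only change through FindingWorkflow::transition()'
            );
        }
    }
}
```

The guard only sees Eloquent model saves: a query-builder mass update such as `Finding::query()->where(...)->update(['status' => ...])` fires no model events, so that path still needs a separate control (a database trigger or a restricted database role) if the backstop is meant to be complete. The audit row is what lets a reviewer reconstruct who moved a finding and why, independent of application logs.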

---

## 2026-03-15 — Livewire trust-boundary hardening is still convention-driven

- **Source**: architecture audit
- **Observation**: Complex Livewire and Filament flows still expose too much ownership-relevant context in public component state. This is not a proven exploit in the repo today, but the hardening standard is not yet explicit or reusable.
- **Category**: hardening
- **Priority**: medium
- **Suggested follow-up**: Track in [../audits/2026-03-15-audit-spec-candidates.md](../audits/2026-03-15-audit-spec-candidates.md) as Candidate D: Livewire context locking and trusted-state reduction.

---

## 2026-03-08 — Alert `sla_due` event type is dead code

- **Source**: Spec 109 (Review Pack Export)
- **Observation**: The `sla_due` alert rule event type exists in the schema, but no producer dispatches it. Dead code path.
- **Category**: cleanup
- **Priority**: low
- **Suggested follow-up**: Remove or implement. If SLA alerting is a future feature, document the intent; otherwise delete.

---

## 2026-03-08 — Alert Deliveries header-action exemption needs permanent documentation

- **Source**: Spec 122 (Empty State Consistency)
- **Observation**: Alert Deliveries is the first resource with an explicit UX-001 relocation exemption — its CTA exists only in the empty state and does NOT relocate to the header. This needs to remain documented so future developers don't "fix" it.
- **Category**: documentation
- **Priority**: low
- **Suggested follow-up**: Ensure the exemption is captured in the Action Surface Contract guard tests and/or resource-level comments.

---

## 2026-03-08 — Historical findings backfill for `source` field

- **Source**: Spec 101 (Golden Master Baseline Governance)
- **Observation**: The `source` field on findings was added, but historical findings may not be backfilled. Reporting accuracy depends on this.
- **Category**: data integrity
- **Priority**: medium
- **Suggested follow-up**: One-time migration or backfill job to classify existing findings by source.

---

## 2026-03-08 — Baseline profile hard-delete deferred

- **Source**: Spec 101 (Golden Master Baseline Governance)
- **Observation**: Baseline profiles can only be archived, not hard-deleted, in v1. If archive accumulation becomes a problem, a hard-delete with cascade needs to be built.
- **Category**: feature gap
- **Priority**: low
- **Suggested follow-up**: Monitor archive count. Spec only if it becomes a user-reported issue.

---

## 2026-03-08 — Drift engine hard-fail when no Inventory Sync exists

- **Source**: Spec 119 (Baseline Drift Engine Cutover)
- **Observation**: Currently drift capture does NOT hard-fail when no completed Inventory Sync exists. This was deferred as a "larger product behavior change."
- **Category**: hardening
- **Priority**: medium
- **Suggested follow-up**: Evaluate whether capturing drift without a baseline sync produces misleading results. If so, enforce the prerequisite.

---

## 2026-03-08 — Performance indexes for system console windowed queries

- **Source**: Spec 114 (System Console Control Tower)
- **Observation**: EXPLAIN baselines don't show pressure yet, but windowed queries on `operation_runs` could become slow at scale. Indexes were explicitly deferred.
- **Category**: performance
- **Priority**: low
- **Suggested follow-up**: Monitor query times. Add indexes proactively if run count exceeds ~100k.

---

## Template

```md
## YYYY-MM-DD — Short title

- **Source**: Spec NNN (Name) | chat | audit | coding
- **Observation**:
- **Category**: feature gap | cleanup | hardening | UX polish | performance | documentation | data integrity
- **Priority**: low | medium | high
- **Suggested follow-up**:
```