ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
b182f55562
TenantAtlas/specs/139-verify-access-permissions-assist/tasks.md
ahmido b182f55562 feat: add verify access required permissions assist (#168) 
## Summary
- add an in-place Required Permissions assist to the onboarding Verify Access step via a Filament slideover
- route permission-related verification remediation links into the assist first and keep deep-dive links opening in a new tab
- add view-model and link-behavior helpers plus focused feature, browser, RBAC, and unit coverage for the new assist

## Scope
- onboarding wizard Verify Access UX
- Required Permissions assist rendering and link behavior
- Spec 139 artifacts, contracts, and checklist updates

## Notes
- branch: `139-verify-access-permissions-assist`
- commit: `b4193f1`
- worktree was clean at PR creation time

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #168
2026-03-14 02:00:28 +00:00

187 lines
15 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
description: "Task list for Spec 139 implementation"
---
# Tasks: Verify Access Required Permissions Assist
**Input**: Design documents from `/specs/139-verify-access-permissions-assist/`
**Prerequisites**: `plan.md` (required), `spec.md` (required), `research.md`, `data-model.md`, `contracts/`, `quickstart.md`
**Tests**: REQUIRED (Pest) for all runtime behavior changes.
**RBAC (required)**:
- Non-member / not entitled to workspace or tenant scope → 404 (deny-as-not-found)
- Member but missing capability → policy-consistent denial
- Capabilities MUST come from `App\Support\Auth\Capabilities`
**Badges (required)**:
- Reuse existing verification / permission badge domains via `BadgeCatalog` / `BadgeRenderer`
## Phase 1: Setup (Shared Infrastructure)
**Purpose**: Confirm the touched surfaces and baseline behavior before implementation.
- [X] T001 Validate the manual flow in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/139-verify-access-permissions-assist/quickstart.md against the current onboarding Verify Access and Required Permissions surfaces
- [X] T002 Capture current Verify Access link-rendering and assist-touchpoint seams in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/resources/views/filament/forms/components/managed-tenant-onboarding-verification-report.blade.php
- [X] T003 [P] Run baseline verification coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Onboarding/OnboardingVerificationTest.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Onboarding/OnboardingVerificationClustersTest.php
- [X] T004 [P] Confirm existing Required Permissions summary/copy primitives in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/TenantRequiredPermissionsViewModelBuilder.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Unit/RequiredPermissionsLinksTest.php
---
## Phase 2: Foundational (Blocking Prerequisites)
**Purpose**: Shared primitives used by all user stories.
**⚠️ CRITICAL**: No user story work should begin until this phase is complete.
- [X] T005 Create the assist view-model builder in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Verification/VerificationAssistViewModelBuilder.php using the contract from /Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/139-verify-access-permissions-assist/contracts/verification-assist.view-model.json
- [X] T006 [P] Create the reusable link-classification helper in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Verification/VerificationLinkBehavior.php using the rules from /Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/139-verify-access-permissions-assist/contracts/verification-link-behavior.md
- [X] T007 [P] Add unit coverage for assist visibility, summary shaping, and copy availability in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Unit/VerificationAssistViewModelBuilderTest.php
- [X] T008 [P] Add unit coverage for internal-vs-external deep-dive link classification, including Required Permissions and admin Provider Connection routes, in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Unit/VerificationLinkBehaviorTest.php
- [X] T009 Add non-UI wizard helper methods for assist visibility and assist view-model access in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php without changing routes or onboarding draft persistence
**Checkpoint**: Assist view-model and link-behavior primitives are ready for story work.
---
## Phase 3: User Story 1 - Recover blocked verification in place (Priority: P1) 🎯 MVP
**Goal**: Add a contextual in-place Required Permissions assist inside Verify Access that preserves wizard continuity.
**Independent Test**: Run Verify Access for a permission-blocked tenant, open the assist, review the summary and missing permissions, close it, and confirm the wizard remains on the same Verify Access state.
### Tests (write first)
- [X] T010 [P] [US1] Add feature coverage for assist visibility in blocked, needs-attention, and ready states in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Onboarding/OnboardingVerificationAssistTest.php
- [X] T011 [P] [US1] Add Livewire coverage for assist open/close continuity on the Verify Access step in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Onboarding/OnboardingVerificationAssistTest.php
- [X] T012 [P] [US1] Add rendering coverage for summary metadata and missing application/delegated permissions in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Onboarding/OnboardingVerificationAssistTest.php
### Implementation
- [X] T013 [US1] Register the `View required permissions` slideover action in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php using the foundational helper methods from T009
- [X] T014 [P] [US1] Create the assist slideover Blade view in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/resources/views/filament/actions/verification-required-permissions-assist.blade.php
- [X] T015 [US1] Implement compact assist payload generation in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Verification/VerificationAssistViewModelBuilder.php by reusing /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/TenantRequiredPermissionsViewModelBuilder.php and existing verification-report data
- [X] T016 [US1] Render the assist trigger near verification result and next-step guidance in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/resources/views/filament/forms/components/managed-tenant-onboarding-verification-report.blade.php
- [X] T017 [US1] Render assist summary, missing-permission groups, and safe empty-state fallback in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/resources/views/filament/actions/verification-required-permissions-assist.blade.php
- [X] T018 [US1] Preserve wizard continuity by ensuring assist open/close does not mutate draft step or verification state in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php
**Checkpoint**: The Verify Access step exposes a working in-place permissions assist without leaving the wizard.
---
## Phase 4: User Story 2 - Deep dive safely without breaking wizard continuity (Priority: P1)
**Goal**: Keep the full-page Required Permissions deep dive as a secondary new-tab escape hatch and harden relevant verification-report links to stop replacing the onboarding tab.
**Independent Test**: From Verify Access, open the assist, launch the full-page deep dive, confirm it opens in a new tab, then keep using the onboarding tab normally.
### Tests (write first)
- [X] T019 [P] [US2] Add feature coverage for internal diagnostic links and external remediation links rendering with correct new-tab behavior and explicit new-tab semantics in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Onboarding/OnboardingVerificationClustersTest.php
- [X] T020 [P] [US2] Add browser coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Browser/OnboardingDraftVerificationResumeTest.php proving that opening the full-page deep dive does not replace the onboarding tab, the onboarding tab remains usable afterward, and the slideover does not break normal wizard controls
- [X] T021 [P] [US2] Add feature coverage for full-page deep-dive availability and secondary visual placement in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Onboarding/OnboardingVerificationAssistTest.php
### Implementation
- [X] T022 [US2] Implement reusable deep-dive link classification in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Verification/VerificationLinkBehavior.php for external links, Required Permissions routes, and admin Provider Connection management routes
- [X] T023 [US2] Harden Verify Access next-step link rendering to use the new classification helper and explicit operator-visible new-tab semantics in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/resources/views/filament/forms/components/managed-tenant-onboarding-verification-report.blade.php
- [X] T024 [US2] Add full-page, admin-consent, and manage-provider-connection action shaping to /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Verification/VerificationAssistViewModelBuilder.php using /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Links/RequiredPermissionsLinks.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Providers/ProviderNextStepsRegistry.php
- [X] T025 [US2] Render the full-page deep-dive action as clearly secondary and explicitly new-tab in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/resources/views/filament/actions/verification-required-permissions-assist.blade.php
**Checkpoint**: Deep-dive actions preserve onboarding continuity and remain visually secondary to the in-place assist.
---
## Phase 5: User Story 3 - Get clear recovery cues in degraded states (Priority: P2)
**Goal**: Keep the assist safe and actionable when permission detail is incomplete, stale, single-type only, or not copyable.
**Independent Test**: Exercise incomplete detail, stale verification, no-copy payload, consent-unavailable, and single-type permission states, then verify the assist degrades safely with clear feedback.
### Tests (write first)
- [X] T026 [P] [US3] Add degraded-state rendering coverage for incomplete detail, permission-data freshness warnings, verification-run staleness after provider-connection changes, and single-type permission gaps in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Onboarding/OnboardingVerificationAssistTest.php
- [X] T027 [P] [US3] Add copy-feedback and no-copy-availability coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Onboarding/OnboardingVerificationAssistTest.php
- [X] T028 [P] [US3] Add explicit authorization coverage for assist surfaces in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Onboarding/OnboardingVerificationAssistTest.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Rbac/OnboardingWizardUiEnforcementTest.php, including non-member or out-of-scope `404`, in-scope member missing capability denial, and positive authorized rendering
### Implementation
- [X] T029 [US3] Implement degraded-state fallback, permission-data freshness signaling, and consent-unavailable handling in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Verification/VerificationAssistViewModelBuilder.php
- [X] T030 [US3] Render copy actions only when payloads exist and provide explicit copied-state feedback in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/resources/views/filament/actions/verification-required-permissions-assist.blade.php
- [X] T031 [US3] Surface verification-run staleness from provider-connection changes and rerun guidance consistently in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Verification/VerificationAssistViewModelBuilder.php
- [X] T032 [US3] Enforce authorization-safe assist visibility and action availability in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Verification/VerificationAssistViewModelBuilder.php using capability-registry checks and explicit `404` vs denial semantics
**Checkpoint**: The assist remains understandable, authorized, and feedback-rich across degraded states.
---
## Phase 6: Polish & Cross-Cutting Concerns
**Purpose**: Final formatting, regression validation, and quickstart confirmation.
- [X] T033 Run formatting on touched files with `vendor/bin/sail bin pint --dirty --format agent`
- [X] T034 Run targeted Pest coverage with `vendor/bin/sail artisan test --compact tests/Feature/Onboarding/OnboardingVerificationAssistTest.php tests/Feature/Onboarding/OnboardingVerificationTest.php tests/Feature/Onboarding/OnboardingVerificationClustersTest.php tests/Feature/Onboarding/OnboardingVerificationV1_5UxTest.php tests/Browser/OnboardingDraftVerificationResumeTest.php tests/Unit/VerificationAssistViewModelBuilderTest.php tests/Unit/VerificationLinkBehaviorTest.php`
- [X] T035 Validate the manual flow in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/139-verify-access-permissions-assist/quickstart.md and update the file if any step or expectation changed during implementation
---
## Dependencies & Execution Order
### Phase Dependencies
- **Setup (Phase 1)**: No dependencies.
- **Foundational (Phase 2)**: Depends on Setup; blocks all user stories.
- **User Story 1 (Phase 3)**: Depends on Foundational completion.
- **User Story 2 (Phase 4)**: Depends on Foundational completion and is best completed after US1 because it extends the assist surface.
- **User Story 3 (Phase 5)**: Depends on Foundational completion and is best completed after US1 because degraded-state handling lives inside the assist.
- **Polish (Phase 6)**: Depends on all desired user stories being complete.
### User Story Dependencies
- **US1 (P1)**: First deliverable and recommended MVP.
- **US2 (P1)**: Builds on the assist delivered in US1.
- **US3 (P2)**: Builds on the assist delivered in US1 and hardens edge cases.
### Dependency Graph (stories)
- Foundation → US1
- US1 → US2
- US1 → US3
---
## Parallel Execution Examples
### US1 parallelizable tasks
- T010, T011, and T012 can run in parallel in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Onboarding/OnboardingVerificationAssistTest.php as separate scenarios.
- T014 and T015 can run in parallel across /Users/ahmeddarrazi/Documents/projects/TenantAtlas/resources/views/filament/actions/verification-required-permissions-assist.blade.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Verification/VerificationAssistViewModelBuilder.php.
### US2 parallelizable tasks
- T019, T020, and T021 can run in parallel across feature and browser coverage.
### US3 parallelizable tasks
- T026, T027, and T028 can run in parallel across degraded-state, copy-feedback, and authorization coverage.
---
## Implementation Strategy
### MVP First (recommended)
1. Complete Phase 1 and Phase 2.
2. Implement US1 tests first and verify they fail.
3. Implement US1 code and get the assist working in place.
4. Validate with T033T035 before expanding scope.
### Incremental Delivery
1. Add US2 to harden new-tab deep-dive behavior and keep the full page secondary.
2. Add US3 to harden degraded states, copy feedback, and authorization edges.
3. Re-run the full targeted suite and quickstart at the end.
Reference in New Issue View Git Blame Copy Permalink