ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
bc906639da
TenantAtlas/specs/042-inventory-dependencies-graph/data-model.md
ahmido da18d3cb14 feat/042-inventory-dependencies-graph (#50) 
Dieses PR liefert den Inventory Dependencies Graph end-to-end: Abhängigkeiten (Edges) werden aus Inventory-Sync-Daten extrahiert, tenant-sicher gespeichert und in der Inventory Item Detailansicht angezeigt.

Ziel: Admins können Prerequisites + Blast Radius (direct) schnell erkennen, ohne Snapshot/Restore anzufassen.

⸻

Was ist drin?

Dependency Graph (Edges)
	•	inventory_links Schema + Indizes + idempotentes Upsert (Unique Key)
	•	Relationship Types (u.a.):
	•	assigned_to_include, assigned_to_exclude
	•	uses_assignment_filter
	•	scoped_by_scope_tag
	•	UI: Inventory Item → Dependencies Section
	•	Direction Filter: All / Inbound / Outbound
	•	Relationship Filter: All + spezifische Relationship Types
	•	Missing-Badge + sicheres Tooltip (safe subset)

Safety / Observability
	•	Unknown/unsupported Shapes erzeugen keine Edges, sondern:
	•	Warning in InventorySyncRun.error_context.warnings[]
	•	optional info-log (ohne Secrets)
	•	Limit-only Semantik (MVP): bis zu 50 Edges pro Richtung (max 100 bei “All”)
	•	Blast Radius in MVP = direct only (kein depth>1 traversal)

Name Resolution (lokal, ohne Entra Calls)
	•	Resolver/DTO Layer für deterministische Labels (kein “Unknown” mehr)
	•	Auflösung aus lokaler DB nur für Foundations, wenn vorhanden:
	•	scope_tag → roleScopeTag
	•	assignment_filter → assignmentFilter
	•	aad_group bleibt bewusst external ref: “Group (external): …” (keine Graph/Entra Lookups im UI)
	•	Zentraler FoundationTypeMap als Source-of-Truth (keine Hardcodings)

⸻

Out of Scope / Follow-up
	•	Entra Group Name Resolution (braucht eigenes “Group Inventory” Modul + Permissions)
	•	Foundations als Inventory Items / Coverage Tab (Scope Tags / Assignment Filters sichtbar & syncbar)
→ folgt als separater PR (Inventory Core/UI), damit 042 sauber “Edges-only” bleibt.

⸻

Tests / Verifikation
	•	Targeted Pest Tests (Unit + Feature + UI smoke) für:
	•	deterministische Edge-Erzeugung + idempotent upsert
	•	tenant isolation (UI/Query)
	•	warnings auf Run Record
	•	resolver/name rendering + links (wo möglich)
	•	pint --dirty ausgeführt

⸻

Manual QA (UI)
	1.	Inventory Sync Run mit include_dependencies=true starten
	2.	Inventory Item öffnen → Dependencies prüfen:
	•	include/exclude + filter + scoped_by sichtbar (wenn vorhanden)
	•	Relationship/Direction Filter funktionieren
	•	keine “Unknown” Labels mehr, sondern deterministische Labels

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #50
2026-01-10 12:50:08 +00:00

2.3 KiB
Raw Blame History

Data Model — Inventory Dependencies Graph (042)

Entities

InventoryItem

Existing entity (Spec 040).

Key fields used by this feature:

  • tenant_id (FK)
  • external_id (string; stable identifier used as edge endpoint)
  • policy_type (string)
  • display_name (nullable string)
  • meta_jsonb (array/jsonb; safe subset)

InventorySyncRun

Existing entity used for observability of sync operations.

Key fields used by this feature:

  • tenant_id
  • selection_hash
  • selection_payload (array)
  • status (running/success/partial/failed/skipped)
  • had_errors (bool)
  • error_codes (array)
  • error_context (array)

For MVP warnings persistence:

  • error_context.warnings[] (array of warning objects)
  • Warning object shape (stable): {type: 'unsupported_reference', policy_id, raw_ref, reason}

InventoryLink

Dependency edge storage.

Fields:

  • tenant_id
  • source_type (string; MVP uses inventory_item)
  • source_id (string; stores InventoryItem.external_id)
  • target_type (string; inventory_item | foundation_object | missing)
  • target_id (nullable string; null when missing)
  • relationship_type (string; values from RelationshipType enum)
  • metadata (jsonb)
  • timestamps

Unique key (idempotency):

  • (tenant_id, source_type, source_id, target_type, target_id, relationship_type)

InventoryLink.metadata

Common keys:

  • last_known_name (nullable string)
  • raw_ref (mixed/array; only when safe)

Required when target_type='foundation_object':

  • foundation_type (string enum-like): aad_group | scope_tag | device_category | assignment_filter Additional metadata (when applicable):
  • filter_mode (string enum-like): include | exclude (for foundation_type='assignment_filter')

Enums

RelationshipType

  • assigned_to
  • assigned_to_include
  • assigned_to_exclude
  • uses_assignment_filter
  • scoped_by
  • targets
  • depends_on

Relationships

  • InventoryItem (source) has many outbound InventoryLinks via source_id + tenant_id.
  • InventoryItem (target) has many inbound InventoryLinks via target_id + tenant_id where target_type='inventory_item'.

Constraints / Limits

  • Query: limit-only, ordered by created_at DESC.
  • UI: max 50 per direction (<=100 combined).
  • Extraction: max 50 outbound edges per item; unknown shapes are warning-only.