TenantAtlas/specs/277-stored-reports-surface/quickstart.md
ahmido c44f683aa6 277-stored-reports-surface → platform-dev (#333)
Auto-created PR: committing all local changes and pushing branch `277-stored-reports-surface` to remote.

Please review and adjust the title/description as needed.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #333
2026-05-06 00:04:53 +00:00

Quickstart: Stored Reports Surface v1

Date: 2026-05-06
Branch: 277-stored-reports-surface

This quickstart is the intended reviewer flow after implementation. It stays bounded to tenant-scoped stored-report browsing, detail inspection, family-aware authorization, and the canonical widget drilldown.

Prerequisites

  1. Start the local platform stack.
    • export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail up -d
  2. Ensure one tenant has:
    • one current permission_posture stored report
    • one current entra.admin_roles stored report
    • one historical entra.admin_roles stored report
  3. Ensure one actor can view both report families in the tenant, one actor can view only Entra admin roles, and one actor is not a tenant member.
  4. Keep AdminRolesSummaryWidget available on the tenant overview page so the canonical drilldown can be verified.

Scenario 1: Browse the tenant stored-reports register

  1. Open /admin/t/{tenant}/stored-reports as an entitled actor.
  2. Confirm the register shows only visible report families for the active tenant.
  3. Confirm the current row for each visible family shows:
    • report family
    • current versus historical truth
    • measured time
    • concise family summary
  4. Reveal history.
  5. Confirm historical rows stay readable and clearly distinct from the current row.
  6. Filter by one family and search by family label or stored-report reference.

Scenario 2: Inspect a current permission-posture report

  1. Open the current permission-posture row from the register.
  2. Confirm the detail page shows stored-report identity, lifecycle truth, retention truth, measured time, and the integrity anchor when present before any raw payload.
  3. Confirm the page shows the bounded permission-posture summary:
    • posture score
    • required count
    • granted count
    • missing or at-risk permission context
  4. Confirm raw payload remains collapsed and secondary.

Scenario 3: Inspect a historical Entra admin-roles report

  1. Open a historical Entra admin-roles row.
  2. Confirm the detail page clearly states that the row is retained history and not the current report.
  3. Confirm the page shows the bounded Entra admin-roles summary:
    • roles total
    • assignments total
    • high-privilege assignment count
    • highest-risk assignment context
  4. Confirm the page exposes "Open current report" as the one dominant next action.

Scenario 4: Verify family-aware authorization and deny semantics

  1. Sign in as the actor who can view only Entra admin roles.
  2. Confirm the register does not show permission-posture rows or a permission-posture family filter.
  3. Attempt to open a permission-posture stored-report detail route directly.
  4. Confirm the response is 403 after tenant membership is established.
  5. Sign in as the non-member actor and attempt to open the register or a detail route.
  6. Confirm the response is 404 and no stored-report presence leaks.
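The deny semantics this scenario checks, as an added example that is not TenantAtlas code: a minimal PHP resolver in which tenant membership is decided before family entitlement, so a non-member gets 404 for any stored-report route and a member without the family gets 403, with the same entitlement set driving which families the register lists. StoredReportAccess, the actor names and the tenant "acme" are hypothetical fixtures.

```php
<?php
declare(strict_types=1);

// Added example, not TenantAtlas code: StoredReportAccess and its fixtures are
// hypothetical stand-ins. What matters is the order of the two checks.
final class StoredReportAccess
{
    // Report families covered by this slice (names from the quickstart).
    public const FAMILIES = ['permission_posture', 'entra.admin_roles'];

    // $memberships: tenant => member actors; $entitlements: tenant => actor => families
    public function __construct(private array $memberships, private array $entitlements) {}
    // Families the register may list for this actor; empty for a non-member.
    public function visibleFamilies(string $actor, string $tenant): array
    {
        if (!$this->isMember($actor, $tenant)) {
            return [];
        }
        $granted = $this->entitlements[$tenant][$actor] ?? [];
        return array_values(array_intersect(self::FAMILIES, $granted));
    }
    // Status for a detail route. Membership is decided before anything report-specific,
    // so a non-member gets 404 whether or not the tenant holds such a report; only an
    // established member learns via 403 that a family is off limits to them.
    public function detailStatus(string $actor, string $tenant, string $family): int
    {
        if (!$this->isMember($actor, $tenant)) {
            return 404; // no stored-report presence leaks
        }
        if (!in_array($family, $this->visibleFamilies($actor, $tenant), true)) {
            return 403; // member, but not entitled to this family
        }
        return 200;
    }

    private function isMember(string $actor, string $tenant): bool
    {
        return in_array($actor, $this->memberships[$tenant] ?? [], true);
    }
}

// Constructed fixtures mirroring the quickstart's three actors in tenant "acme".
$access = new StoredReportAccess(
    ['acme' => ['alice', 'bob']],
    ['acme' => ['alice' => StoredReportAccess::FAMILIES, 'bob' => ['entra.admin_roles']]],
);
foreach ([['alice', 'permission_posture'], ['bob', 'permission_posture'], ['carol', 'entra.admin_roles']] as [$actor, $family]) {
    printf("%-6s %-18s -> %d\n", $actor, $family, $access->detailStatus($actor, 'acme', $family));
}
```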

Scenario 5: Follow the canonical widget drilldown

  1. Open the tenant overview page that renders AdminRolesSummaryWidget.
  2. Confirm the widget exposes a report link only when the actor can view Entra admin roles.
  3. Follow the link.
  4. Confirm the app opens the canonical stored-report detail route for the current tenant and current Entra admin-roles report.
  5. Confirm no additional evidence, review, or review-pack pseudo-view was introduced as part of this slice.

Targeted Validation Commands

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/StoredReports/StoredReportResourceTest.php tests/Feature/StoredReports/StoredReportEntitlementEnforcementTest.php

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/StoredReports/StoredReportDetailPresentationTest.php tests/Feature/EntraAdminRoles/AdminRolesSummaryWidgetTest.php

export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent

Out of Scope Confirmations

While validating this slice, confirm that implementation does not add or imply:

  • report generation, rerun, or scheduling from the stored-report surface
  • raw JSON download or export from the stored-report surface
  • cross-tenant or workspace-wide stored-report browsing
  • global-search exposure for stored reports
  • a generic report registry or analytics console
  • new local report cards or pseudo-view links on evidence or review pages when no repo-real launch affordance already exists