TenantAtlas/specs/281-provider-connection-scope/checklists/requirements.md
ahmido 023274c46c feat: normalize provider connection scope contracts (#339)
## Summary
- normalize provider-neutral target-scope and identity contracts across provider connection resolution, operation-start gating, verification reporting, and boundary configuration
- align provider connection resource, onboarding, tenant summaries, and operation follow-up on the same shared scope contract while keeping Microsoft-specific profile details in provider-owned metadata
- add Spec 281 artifacts and focused feature/browser coverage for the new provider-scope contract
- move the tenant dashboard context-chip rail into Filament header widgets so the metadata row renders directly under the page subtitle

## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Providers/ProviderConnectionTargetScopeNeutralityTest.php tests/Feature/Providers/ProviderIdentityResolutionNeutralityTest.php tests/Feature/Providers/ProviderOperationStartGateTargetScopeContextTest.php tests/Feature/Filament/ProviderConnectionResourceScopeSummaryTest.php tests/Feature/Onboarding/ManagedTenantOnboardingProviderConnectionScopeTest.php tests/Feature/Guards/ProviderConnectionMicrosoftScopeLeakGuardTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Dashboard/TenantDashboardProductizationSummaryTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Dashboard/TenantDashboardProductizationSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`

## Notes
- Filament remains on v5 with Livewire v4-compatible surfaces only.
- Provider registration location is unchanged; Laravel 11+ providers stay in `apps/platform/bootstrap/providers.php`.
- `ProviderConnectionResource` remains non-globally-searchable and still exposes View/Edit pages.
- No new asset registration was added; deploy-time `filament:assets` expectations are unchanged.
- No new destructive action path was introduced; existing server authorization and confirmation handling remain in place where applicable.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #339
2026-05-07 19:28:42 +00:00


Specification Quality Checklist: Provider Connection Scope & Microsoft Profile Extraction

Purpose: Validate package completeness, boundedness, and readiness before implementation
Created: 2026-05-07
Feature: spec.md

Content Quality

  • The package stays on reserved slot 281 and does not silently absorb Spec 280 or Specs 282-287.
  • The stale candidate wording about provider_connections.tenant_id is explicitly corrected to current repo truth.
  • The package explicitly documents the second candidate deviation: the raw provider_key / external_account_id / provider_metadata / run-context proposal is narrowed to existing repo truth through target_scope, effective_client_identity, nested provider_context, and existing provider-owned metadata.
  • The package stays focused on the verified provider-boundary hotspot instead of reading like a speculative provider-platform rewrite.
  • No new provider-profile table, registry, capability engine, or artifact taxonomy is pulled into scope.
  • plan.md, research.md, data-model.md, quickstart.md, and the contract artifact all describe the same bounded slice.

Requirement Completeness

  • No [NEEDS CLARIFICATION] markers remain in spec.md, plan.md, research.md, data-model.md, or quickstart.md.
  • Requirements remain testable and bounded to the current provider-connection, target-scope, identity-resolution, onboarding, and operation-start seams.
  • Shared target_scope fields are explicit and neutral across the package.
  • Provider-specific Microsoft detail is explicitly nested under provider-owned profile or context disclosure instead of shared contract truth.
  • Scope boundaries, assumptions, risks, and deferred adjacent candidates remain explicit.

Repo Truth Anchoring

  • The package reflects that ProviderConnection already belongs to ManagedEnvironment via managed_environment_id.
  • The package reflects that current platform-core seams still leak Microsoft semantics through tenantContext and target_scope.entra_tenant_id.
  • The package reflects that config/provider_boundaries.php already classifies provider identity, connection resolution, and operation-start seams as platform-core follow-up hotspots.
  • The package reflects that ProviderConnectionResource exists with Create, View, and Edit pages and remains non-globally-searchable.
  • The package reflects that ManagedTenantOnboardingWizard and managed-environment related-context seams already reuse provider summaries and therefore need one summary contract.

Feature Readiness

  • Filament v5 and Livewire v4 expectations remain explicit across the package.
  • Provider registration location remains explicit as apps/platform/bootstrap/providers.php.
  • ProviderConnectionResource global-search status and touched searchable-surface notes remain explicit.
  • Destructive action confirmation and authorization expectations remain explicit for touched provider-connection mutations.
  • The unchanged asset strategy and deployment note remain explicit.
  • The test strategy and minimal proving commands are explicit and aligned across artifacts.
  • The Candidate Selection Gate still explains why 281 is chosen now and why 282-287 are deferred.
  • The Completed-Spec Guardrail still keeps 279 and 280 separate from this package.

Artifact Alignment

  • research.md records the same bounded extraction decisions reflected in plan.md.
  • data-model.md models the same neutral target_scope, provider-context, effective-client-identity, onboarding, and run-context contracts reflected in the plan and contract file.
  • quickstart.md uses the same bounded reviewer flow and proof commands as plan.md.
  • contracts/provider-connection-scope.logical.openapi.yaml models the same shared summary, identity-resolution, provider-profile, onboarding-readiness, and operation-start contracts described in the plan.
  • Canonical proof commands match across spec.md, plan.md, and quickstart.md.

Test Governance

  • Planned proof stays bounded to focused feature coverage, one browser smoke, and the existing guard concept for Microsoft-shaped shared-contract leaks.
  • No new heavy-governance family or broad browser matrix is introduced.
  • Workspace, managed-environment, provider-connection, and optional credential fixture cost is acknowledged instead of hidden.
  • Reviewer handoff includes exact minimal validation commands and concrete stop questions.

Notes

  • Reviewed against .specify/memory/constitution.md, specs/279-workspace-managed-environment-core/spec.md, specs/280-workspace-tenancy-environment-routing/spec.md, apps/platform/app/Models/ProviderConnection.php, apps/platform/app/Filament/Resources/ProviderConnectionResource.php, apps/platform/app/Filament/Resources/ProviderConnectionResource/Pages/ListProviderConnections.php, apps/platform/app/Filament/Resources/ProviderConnectionResource/Pages/ViewProviderConnection.php, apps/platform/app/Filament/Resources/ProviderConnectionResource/Pages/EditProviderConnection.php, apps/platform/app/Filament/Resources/TenantResource.php, apps/platform/app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php, apps/platform/app/Services/Providers/ProviderConnectionResolver.php, apps/platform/app/Services/Providers/ProviderConnectionResolution.php, apps/platform/app/Services/Providers/ProviderIdentityResolver.php, apps/platform/app/Services/Providers/ProviderIdentityResolution.php, apps/platform/app/Services/Providers/PlatformProviderIdentityResolver.php, apps/platform/app/Services/Providers/ProviderOperationStartGate.php, apps/platform/app/Services/Providers/CredentialManager.php, apps/platform/app/Services/Providers/AdminConsentUrlFactory.php, apps/platform/app/Services/Providers/ProviderGateway.php, apps/platform/app/Support/Providers/TargetScope/ProviderConnectionTargetScopeDescriptor.php, apps/platform/app/Support/Providers/TargetScope/ProviderConnectionTargetScopeNormalizer.php, apps/platform/app/Support/Providers/TargetScope/ProviderConnectionSurfaceSummary.php, apps/platform/app/Support/Providers/TargetScope/ProviderIdentityContextMetadata.php, apps/platform/app/Support/Providers/Boundary/ProviderBoundaryCatalog.php, and apps/platform/config/provider_boundaries.php on 2026-05-07.
  • No application implementation, test execution, or runtime validation was performed while preparing this package.

Review Outcome

  • Outcome class: implementation-ready
  • Workflow outcome: keep
  • Test-governance outcome: keep
  • Reason: The package turns the ready spec into an implementation-ready plan set that neutralizes shared provider-connection and target-scope contracts, confines Microsoft profile detail to provider-owned seams, and keeps all adjacent routing, taxonomy, RBAC, copy, and quality-gate work deferred.