ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
c7b38606a9
TenantAtlas/specs/285-workspace-rbac-environment-access/checklists/requirements.md
ahmido c7b38606a9 feat: implement spec 285 workspace-first environment access (#344) 
Implements platform feature branch `285-workspace-rbac-environment-access`.

Summary:
- switch managed environment authorization to workspace-first role resolution with explicit environment-scope narrowing
- rewire Filament pages, resources, policies, and user tenant access helpers to the shared access-scope resolver
- add Spec 285 coverage across unit, feature, and browser tests plus full spec artifacts

Validation:
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Auth/WorkspaceFirstCapabilityResolverTest.php tests/Unit/Auth/ManagedEnvironmentAccessScopeResolverTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Filament/WorkspaceMembershipRoleManagementTest.php tests/Feature/Rbac/GovernanceArtifactsWorkspaceFirstAuthorizationTest.php tests/Feature/Rbac/OperationRunWorkspaceFirstAuthorizationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Verification/ProviderExecutionReauthorizationTest.php tests/Feature/ProviderConnections/ProviderConnectionHealthCheckStartSurfaceTest.php tests/Feature/Tenants/TenantProviderBackedActionStartTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Audit/TenantMembershipAuditLogTest.php tests/Feature/Filament/TenantMembersTest.php tests/Feature/TenantRBAC/TenantMembershipCrudTest.php tests/Feature/TenantRBAC/TenantSwitcherScopeTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`

Target branch: `platform-dev`.

Follow-up integration path after merge:
- `platform-dev` -> `dev`.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #344
2026-05-09 12:40:50 +00:00

3.0 KiB
Raw Blame History

Requirements Checklist: Workspace-first RBAC & Environment Access Scoping

Scope and problem framing

  • The package describes the real repo problem as dual role-bearing authorization truth, not generic missing RBAC.
  • The package keeps WorkspaceMembership as the only role-bearing truth.
  • The package treats the current ManagedEnvironmentMembership semantics as a narrow access-scope overlay or in-place successor only.
  • The package keeps environment scope optional and narrowing-only.
  • The package does not absorb provider capability, source taxonomy, copy/localization, or cutover-guardrail work from adjacent specs.

Repo-truth anchoring

  • The package reflects the current repo term ManagedEnvironmentMembership rather than the stale raw-candidate term TenantMembership.
  • The package references the existing workspace-first seams: WorkspaceMembership, WorkspaceCapabilityResolver, and WorkspaceContext.
  • The package references the current environment-owned seams that must be retargeted: CapabilityResolver, User::canAccessTenant(), key policies, and the tenant-membership Filament surfaces.
  • The package keeps OperationRun authorization split between workspace-bound and environment-bound runs.

Authorization contract

  • Non-membership or out-of-scope access remains 404.
  • In-scope members missing capability remain 403.
  • Provider capability and operability remain downstream gates after local RBAC passes.
  • No scope row can grant access without workspace membership.
  • No second role selector survives on the managed-environment access-scope surface.
  • Touched searchable-resource results remain non-member-safe and out-of-scope-safe.
  • Denied-access diagnostics are modeled as derived, boundary-safe logging rather than new persisted truth.

Filament and UI guardrails

  • Filament remains v5 on Livewire v4.
  • Provider registration remains in apps/platform/bootstrap/providers.php.
  • Touched destructive actions remain ->action(...) plus ->requiresConfirmation().
  • ProviderConnectionResource remains non-globally-searchable and no touched searchable resource loses its valid View or Edit destination.
  • Asset strategy remains unchanged and does not introduce new filament:assets requirements beyond existing deployment expectations.

Testing and readiness

  • The package defines bounded proof through unit, feature, and one browser smoke.
  • The same validation commands appear in spec.md, plan.md, and quickstart.md.
  • The package states that Specs 280, 281, and 283 are external prerequisites for runtime implementation.
  • The package stays prep-only and does not claim implementation has already landed.

Outcome

  • Review outcome class: blocked-by-prerequisites
  • Workflow outcome: keep
  • Test-governance outcome: keep
  • Readiness note: implementation is externally gated until Specs 280, 281, and 283 are present on the branch