ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
c7b38606a9
TenantAtlas/specs/285-workspace-rbac-environment-access/checklists/requirements.md
ahmido c7b38606a9 feat: implement spec 285 workspace-first environment access (#344) 
Implements platform feature branch `285-workspace-rbac-environment-access`.

Summary:
- switch managed environment authorization to workspace-first role resolution with explicit environment-scope narrowing
- rewire Filament pages, resources, policies, and user tenant access helpers to the shared access-scope resolver
- add Spec 285 coverage across unit, feature, and browser tests plus full spec artifacts

Validation:
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Auth/WorkspaceFirstCapabilityResolverTest.php tests/Unit/Auth/ManagedEnvironmentAccessScopeResolverTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Filament/WorkspaceMembershipRoleManagementTest.php tests/Feature/Rbac/GovernanceArtifactsWorkspaceFirstAuthorizationTest.php tests/Feature/Rbac/OperationRunWorkspaceFirstAuthorizationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Verification/ProviderExecutionReauthorizationTest.php tests/Feature/ProviderConnections/ProviderConnectionHealthCheckStartSurfaceTest.php tests/Feature/Tenants/TenantProviderBackedActionStartTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Audit/TenantMembershipAuditLogTest.php tests/Feature/Filament/TenantMembersTest.php tests/Feature/TenantRBAC/TenantMembershipCrudTest.php tests/Feature/TenantRBAC/TenantSwitcherScopeTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php`
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`

Target branch: `platform-dev`.

Follow-up integration path after merge:
- `platform-dev` -> `dev`.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #344
2026-05-09 12:40:50 +00:00

49 lines
3.0 KiB
Markdown
Raw Blame History

# Requirements Checklist: Workspace-first RBAC & Environment Access Scoping
## Scope and problem framing
- [x] The package describes the real repo problem as dual role-bearing authorization truth, not generic missing RBAC.
- [x] The package keeps `WorkspaceMembership` as the only role-bearing truth.
- [x] The package treats the current `ManagedEnvironmentMembership` semantics as a narrow access-scope overlay or in-place successor only.
- [x] The package keeps environment scope optional and narrowing-only.
- [x] The package does not absorb provider capability, source taxonomy, copy/localization, or cutover-guardrail work from adjacent specs.
## Repo-truth anchoring
- [x] The package reflects the current repo term `ManagedEnvironmentMembership` rather than the stale raw-candidate term `TenantMembership`.
- [x] The package references the existing workspace-first seams: `WorkspaceMembership`, `WorkspaceCapabilityResolver`, and `WorkspaceContext`.
- [x] The package references the current environment-owned seams that must be retargeted: `CapabilityResolver`, `User::canAccessTenant()`, key policies, and the tenant-membership Filament surfaces.
- [x] The package keeps `OperationRun` authorization split between workspace-bound and environment-bound runs.
## Authorization contract
- [x] Non-membership or out-of-scope access remains `404`.
- [x] In-scope members missing capability remain `403`.
- [x] Provider capability and operability remain downstream gates after local RBAC passes.
- [x] No scope row can grant access without workspace membership.
- [x] No second role selector survives on the managed-environment access-scope surface.
- [x] Touched searchable-resource results remain non-member-safe and out-of-scope-safe.
- [x] Denied-access diagnostics are modeled as derived, boundary-safe logging rather than new persisted truth.
## Filament and UI guardrails
- [x] Filament remains v5 on Livewire v4.
- [x] Provider registration remains in `apps/platform/bootstrap/providers.php`.
- [x] Touched destructive actions remain `->action(...)` plus `->requiresConfirmation()`.
- [x] `ProviderConnectionResource` remains non-globally-searchable and no touched searchable resource loses its valid View or Edit destination.
- [x] Asset strategy remains unchanged and does not introduce new `filament:assets` requirements beyond existing deployment expectations.
## Testing and readiness
- [x] The package defines bounded proof through unit, feature, and one browser smoke.
- [x] The same validation commands appear in `spec.md`, `plan.md`, and `quickstart.md`.
- [x] The package states that Specs `280`, `281`, and `283` are external prerequisites for runtime implementation.
- [x] The package stays prep-only and does not claim implementation has already landed.
## Outcome
- **Review outcome class**: `blocked-by-prerequisites`
- **Workflow outcome**: `keep`
- **Test-governance outcome**: `keep`
- **Readiness note**: implementation is externally gated until Specs `280`, `281`, and `283` are present on the branch
Reference in New Issue View Git Blame Copy Permalink