## Summary
- introduce a canonical admin tenant filter-state helper and route all in-scope workspace-admin tenant resolution through `OperateHubShell::activeEntitledTenant()`
- align operations monitoring, operation-run deep links, Entra group admin list/view/search behavior, and shared context-bar rendering with the documented scope contract
- add the Spec 135 design artifacts, architecture note, focused guardrail coverage, and non-regression tests for filter persistence, direct-record access, and global search safety

## Validation
- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Feature/Monitoring/OperationsKpiHeaderTenantContextTest.php tests/Feature/Monitoring/OperationsTenantScopeTest.php tests/Feature/Monitoring/OperationsCanonicalUrlsTest.php tests/Feature/Spec085/OperationsIndexHeaderTest.php tests/Feature/Spec085/RunDetailBackAffordanceTest.php tests/Feature/Filament/OperationRunListFiltersTest.php tests/Feature/Filament/EntraGroupAdminScopeTest.php tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php tests/Feature/DirectoryGroups/BrowseGroupsTest.php tests/Feature/Filament/EntraGroupEnterpriseDetailPageTest.php tests/Feature/Filament/PolicyVersionResolvedReferenceLinksTest.php tests/Feature/Filament/EntraGroupResolvedReferencePresentationTest.php tests/Feature/Guards/AdminTenantResolverGuardTest.php tests/Feature/OpsUx/OperateHubShellTest.php tests/Feature/Filament/Alerts/AlertsKpiHeaderTest.php tests/Feature/Alerts/AlertDeliveryDeepLinkFiltersTest.php`
- `vendor/bin/sail artisan test --compact tests/Feature/Filament/TableStatePersistenceTest.php tests/Feature/Filament/TenantScopingTest.php tests/Feature/Filament/Alerts/AlertDeliveryViewerTest.php tests/Unit/Support/References/CapabilityAwareReferenceResolverTest.php`

## Notes
- Filament v5 remains on Livewire v4.0+ compliant surfaces only.
- No provider registration changes were needed; Laravel 12 provider registration remains in `bootstrap/providers.php`.
- Entra group global search remains enabled and is now scoped to the canonical admin tenant contract.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #164
Quickstart: Spec 135 Canonical Tenant Context Resolution
Goal
Implement the canonical tenant-context rule for workspace-admin flows, preserve tenant-panel-native semantics, and leave the feature ready for direct test-driven implementation.
Expected implementation slices
- Refine or document the admin resolver contract in the support layer.
- Align the Operations monitoring shell and KPI widget to the same canonical admin tenant.
- Revalidate OperationRun tenant-sensitive filter defaults, options, and persisted state.
- Harden Entra group list, detail, and search behavior to the same scope contract.
- Preserve alert delivery as the reference admin pattern.
- Add the architecture guardrail and regression tests.
Recommended implementation order
- Update the support-layer context contract and any small helper extraction first.
- Fix Operations page plus KPI parity and extend existing monitoring tests.
- Fix OperationRun filter option/default parity and stale persisted filter handling.
- Fix Entra group query, record-resolution, and search behavior.
- Add the guardrail test with explicit allowlist entries.
- Run formatting and the minimal affected Pest suite.
Focused verification commands
Run all commands from the repository root.
    vendor/bin/sail artisan test --compact \
      tests/Feature/Monitoring/OperationsKpiHeaderTenantContextTest.php \
      tests/Feature/Monitoring/OperationsTenantScopeTest.php \
      tests/Feature/Monitoring/OperationsCanonicalUrlsTest.php \
      tests/Feature/Spec085/OperationsIndexHeaderTest.php \
      tests/Feature/Spec085/RunDetailBackAffordanceTest.php \
      tests/Feature/Filament/OperationRunListFiltersTest.php \
      tests/Feature/Filament/EntraGroupAdminScopeTest.php \
      tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php \
      tests/Feature/DirectoryGroups/BrowseGroupsTest.php \
      tests/Feature/Filament/EntraGroupEnterpriseDetailPageTest.php \
      tests/Feature/Filament/PolicyVersionResolvedReferenceLinksTest.php \
      tests/Feature/Filament/EntraGroupResolvedReferencePresentationTest.php \
      tests/Feature/Guards/AdminTenantResolverGuardTest.php \
      tests/Feature/OpsUx/OperateHubShellTest.php \
      tests/Feature/Filament/Alerts/AlertsKpiHeaderTest.php \
      tests/Feature/Alerts/AlertDeliveryDeepLinkFiltersTest.php

    vendor/bin/sail artisan test --compact \
      tests/Feature/Filament/TableStatePersistenceTest.php \
      tests/Feature/Filament/TenantScopingTest.php \
      tests/Feature/Filament/Alerts/AlertDeliveryViewerTest.php \
      tests/Unit/Support/References/CapabilityAwareReferenceResolverTest.php

    vendor/bin/sail bin pint --dirty --format agent
Scenario matrix to cover in tests
Admin monitoring flows
- remembered-only request resolves one tenant across header, KPIs, and table
- Filament-only request resolves one tenant across header, KPIs, and table
- conflicting request prefers Filament tenant everywhere
- no-context request renders the workspace-scoped `All tenants` state, clears tenant-default filters, and suppresses tenant-only KPI behavior
OperationRun filters and detail flows
- tenant filter defaults match canonical tenant
- tenant filter options never exceed current canonical tenant scope
- stale persisted filter state is reset, ignored, or replaced after tenant switch
- direct detail view does not reveal a broader record than the list would show
- no-context detail rendering is allowed only when the record still satisfies workspace scope and tenant entitlement; otherwise the response is not found
Entra groups
- list query matches canonical tenant scope
- direct record URL obeys the same tenant boundary as the list
- admin list and direct record requests without canonical tenant context return not found
- out-of-scope requests return not found
- admin global search returns no tenant-owned Entra-group results without canonical tenant context, or is explicitly disabled
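The list/detail parity rows above (OperationRun and Entra groups), sketched as an added example that is not the project's code: one predicate decides scope for both the list query and the direct-record URL, so the two cannot drift apart. The record shape, IDs and function names are hypothetical, and the canonical tenant passed in is assumed to be already entitlement-checked.

```php
<?php
// Added example, not project code. Record shape, IDs and names are hypothetical.

/** Single scope decision shared by list and detail. */
function inScope(array $record, int $workspaceId, ?int $canonicalTenantId,
                 array $entitledTenantIds, bool $requireTenantContext): bool
{
    if ($record['workspace_id'] !== $workspaceId) {
        return false; // never cross the workspace boundary
    }
    if ($canonicalTenantId !== null) {
        return $record['tenant_id'] === $canonicalTenantId;
    }
    if ($requireTenantContext) {
        return false; // Entra-group rule: no canonical tenant, no records
    }
    // No-context ("All tenants"): still limited to tenants the user is entitled to.
    return in_array($record['tenant_id'], $entitledTenantIds, true);
}

/** List query: every row passes through the predicate. */
function listIds(array $records, int $ws, ?int $tenant, array $entitled, bool $strict): array
{
    $visible = array_filter($records, fn (array $r): bool => inScope($r, $ws, $tenant, $entitled, $strict));
    return array_column(array_values($visible), 'id');
}

/** Direct URL: same predicate; out of scope and missing both answer 404. */
function showStatus(array $records, int $id, int $ws, ?int $tenant, array $entitled, bool $strict): int
{
    foreach ($records as $r) {
        if ($r['id'] === $id) {
            return inScope($r, $ws, $tenant, $entitled, $strict) ? 200 : 404;
        }
    }
    return 404;
}

// Constructed sample data: two tenants in workspace 10, one record in another workspace.
$records = [
    ['id' => 1, 'workspace_id' => 10, 'tenant_id' => 100],
    ['id' => 2, 'workspace_id' => 10, 'tenant_id' => 200],
    ['id' => 3, 'workspace_id' => 99, 'tenant_id' => 100],
];
var_dump(listIds($records, 10, 100, [100, 200], false));       // canonical tenant 100
var_dump(showStatus($records, 2, 10, 100, [100, 200], false)); // other tenant, direct URL
var_dump(showStatus($records, 2, 10, null, [100], false));     // no context, not entitled
var_dump(showStatus($records, 1, 10, null, [100], true));      // Entra-group rule, no context
```

Answering 404 for both out-of-scope and missing IDs keeps the detail route from confirming that a record exists in another tenant.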
Guardrail
- a new admin-only `Filament::getTenant()` or `Tenant::current()` read fails the architecture test
- approved tenant-panel-native files remain explicitly allowed
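One way such a guardrail can work, as an added example that is not the project's own test: scan source text for the two forbidden reads, skip comments and string literals, and exempt only files named in an explicit allowlist. The paths, allowlist and sample sources are constructed, and the function names are hypothetical.

```php
<?php
// Added example, not project code. Paths, allowlist and sources are constructed.

const FORBIDDEN_READ = '/\b(?:Filament::getTenant|Tenant::current)\s*\(/';

/** Blank out comments and string literals, keeping newlines so line numbers hold. */
function stripNonCode(string $code): string
{
    $out = '';
    foreach (token_get_all($code) as $token) {
        if (is_string($token)) {
            $out .= $token;
            continue;
        }
        [$id, $text] = $token;
        $skip = in_array($id, [T_COMMENT, T_DOC_COMMENT, T_CONSTANT_ENCAPSED_STRING], true);
        $out .= $skip ? str_repeat("\n", substr_count($text, "\n")) : $text;
    }
    return $out;
}

/**
 * @param array<string,string> $sources   path => PHP source
 * @param list<string>         $allowlist approved tenant-panel-native paths
 * @return list<string>                   "path:line" for each forbidden read
 */
function findForbiddenTenantReads(array $sources, array $allowlist): array
{
    $hits = [];
    foreach ($sources as $path => $code) {
        if (in_array($path, $allowlist, true)) {
            continue; // exact-path match only: no directory or wildcard exemptions
        }
        foreach (explode("\n", stripNonCode($code)) as $i => $line) {
            if (preg_match(FORBIDDEN_READ, $line) === 1) {
                $hits[] = $path . ':' . ($i + 1);
            }
        }
    }
    return $hits;
}

$sources = [
    'app/Admin/ExampleOperationsPage.php' => "<?php\n// was: Tenant::current()\n\$t = Filament::getTenant();\n",
    'app/Admin/ExampleGroupResource.php' => "<?php\n\$t = OperateHubShell::activeEntitledTenant();\n",
    'app/TenantPanel/ExampleDashboard.php' => "<?php\n\$t = Tenant::current();\n",
];
print_r(findForbiddenTenantReads($sources, ['app/TenantPanel/ExampleDashboard.php']));
```

A text-level scan like this does not see a class imported under an alias (`use ... as`), so an exact-path allowlist works best alongside review of new `use` statements in admin files.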
Out of scope during implementation
- broad tenancy refactors outside the inconsistency class named in the spec
- dependency additions
- unrelated tenant-panel resource rewrites for style only
- new user-facing flows outside the existing admin and tenant-panel surfaces