## Summary

- introduce a canonical admin tenant filter-state helper and route all in-scope workspace-admin tenant resolution through `OperateHubShell::activeEntitledTenant()`
- align operations monitoring, operation-run deep links, Entra group admin list/view/search behavior, and shared context-bar rendering with the documented scope contract
- add the Spec 135 design artifacts, architecture note, focused guardrail coverage, and non-regression tests for filter persistence, direct-record access, and global search safety

## Validation

- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Feature/Monitoring/OperationsKpiHeaderTenantContextTest.php tests/Feature/Monitoring/OperationsTenantScopeTest.php tests/Feature/Monitoring/OperationsCanonicalUrlsTest.php tests/Feature/Spec085/OperationsIndexHeaderTest.php tests/Feature/Spec085/RunDetailBackAffordanceTest.php tests/Feature/Filament/OperationRunListFiltersTest.php tests/Feature/Filament/EntraGroupAdminScopeTest.php tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php tests/Feature/DirectoryGroups/BrowseGroupsTest.php tests/Feature/Filament/EntraGroupEnterpriseDetailPageTest.php tests/Feature/Filament/PolicyVersionResolvedReferenceLinksTest.php tests/Feature/Filament/EntraGroupResolvedReferencePresentationTest.php tests/Feature/Guards/AdminTenantResolverGuardTest.php tests/Feature/OpsUx/OperateHubShellTest.php tests/Feature/Filament/Alerts/AlertsKpiHeaderTest.php tests/Feature/Alerts/AlertDeliveryDeepLinkFiltersTest.php`
- `vendor/bin/sail artisan test --compact tests/Feature/Filament/TableStatePersistenceTest.php tests/Feature/Filament/TenantScopingTest.php tests/Feature/Filament/Alerts/AlertDeliveryViewerTest.php tests/Unit/Support/References/CapabilityAwareReferenceResolverTest.php`

## Notes

- Filament v5 remains on Livewire v4.0+ compliant surfaces only.
- No provider registration changes were needed; Laravel 12 provider registration remains in `bootstrap/providers.php`.
- Entra group global search remains enabled and is now scoped to the canonical admin tenant contract.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #164

91 lines
4.3 KiB
Markdown
# Quickstart: Spec 135 Canonical Tenant Context Resolution

## Goal

Implement the canonical tenant-context rule for workspace-admin flows, preserve tenant-panel-native semantics, and leave the feature ready for direct test-driven implementation.

## Expected implementation slices

1. Refine or document the admin resolver contract in the support layer.
2. Align the Operations monitoring shell and KPI widget to the same canonical admin tenant.
3. Revalidate OperationRun tenant-sensitive filter defaults, options, and persisted state.
4. Harden Entra group list, detail, and search behavior to the same scope contract.
5. Preserve alert delivery as the reference admin pattern.
6. Add the architecture guardrail and regression tests.

## Recommended implementation order

1. Update the support-layer context contract and any small helper extraction first.
2. Fix Operations page plus KPI parity and extend existing monitoring tests.
3. Fix OperationRun filter option/default parity and stale persisted filter handling.
4. Fix Entra group query, record-resolution, and search behavior.
5. Add the guardrail test with explicit allowlist entries.
6. Run formatting and the minimal affected Pest suite.

## Focused verification commands

Run all commands from the repository root.

```bash
vendor/bin/sail artisan test --compact \
  tests/Feature/Monitoring/OperationsKpiHeaderTenantContextTest.php \
  tests/Feature/Monitoring/OperationsTenantScopeTest.php \
  tests/Feature/Monitoring/OperationsCanonicalUrlsTest.php \
  tests/Feature/Spec085/OperationsIndexHeaderTest.php \
  tests/Feature/Spec085/RunDetailBackAffordanceTest.php \
  tests/Feature/Filament/OperationRunListFiltersTest.php \
  tests/Feature/Filament/EntraGroupAdminScopeTest.php \
  tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php \
  tests/Feature/DirectoryGroups/BrowseGroupsTest.php \
  tests/Feature/Filament/EntraGroupEnterpriseDetailPageTest.php \
  tests/Feature/Filament/PolicyVersionResolvedReferenceLinksTest.php \
  tests/Feature/Filament/EntraGroupResolvedReferencePresentationTest.php \
  tests/Feature/Guards/AdminTenantResolverGuardTest.php \
  tests/Feature/OpsUx/OperateHubShellTest.php \
  tests/Feature/Filament/Alerts/AlertsKpiHeaderTest.php \
  tests/Feature/Alerts/AlertDeliveryDeepLinkFiltersTest.php

vendor/bin/sail artisan test --compact \
  tests/Feature/Filament/TableStatePersistenceTest.php \
  tests/Feature/Filament/TenantScopingTest.php \
  tests/Feature/Filament/Alerts/AlertDeliveryViewerTest.php \
  tests/Unit/Support/References/CapabilityAwareReferenceResolverTest.php

vendor/bin/sail bin pint --dirty --format agent
```

## Scenario matrix to cover in tests

### Admin monitoring flows

- remembered-only request resolves one tenant across header, KPIs, and table
- Filament-only request resolves one tenant across header, KPIs, and table
- conflicting request prefers Filament tenant everywhere
- no-context request renders the workspace-scoped `All tenants` state, clears tenant-default filters, and suppresses tenant-only KPI behavior

### OperationRun filters and detail flows

- tenant filter defaults match canonical tenant
- tenant filter options never exceed current canonical tenant scope
- stale persisted filter state is reset, ignored, or replaced after tenant switch
- direct detail view does not reveal a broader record than the list would show
- no-context detail rendering is allowed only when the record still satisfies workspace scope and tenant entitlement; otherwise the response is not found
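
The admin monitoring and OperationRun scenarios above, worked through as an added example that is not the project's own code. The function names, array keys and IDs are hypothetical, and it assumes that an unentitled tenant resolves to no context and that a persisted filter value survives only while it is among the current options.

```php
<?php
declare(strict_types=1);

// Hypothetical resolver: the Filament tenant wins over the remembered one, and
// a tenant the user is not entitled to yields no context (fail closed).
function canonicalTenant(?int $filament, ?int $remembered, array $entitled): ?int
{
    $candidate = $filament ?? $remembered;
    return in_array($candidate, $entitled, true) ? $candidate : null;
}

// One predicate shared by list and detail, so a direct URL can never reveal
// a record the list would hide.
function inScope(array $run, ?int $canonical, int $workspace, array $entitled): bool
{
    if ($run['workspace'] !== $workspace || ! in_array($run['tenant'], $entitled, true)) {
        return false;
    }
    return $canonical === null || $run['tenant'] === $canonical;
}

// Persisted filter values outside the current options are stale and replaced
// by the default: the canonical tenant, or null for "All tenants".
function tenantFilter(?int $persisted, ?int $canonical, array $entitled): ?int
{
    $options = $canonical !== null ? [$canonical] : $entitled;
    return in_array($persisted, $options, true) ? $persisted : $canonical;
}

// HTTP status for a direct detail request; out-of-scope and unknown look alike.
function detailStatus(array $runs, int $id, ?int $canonical, int $workspace, array $entitled): int
{
    foreach ($runs as $run) {
        if ($run['id'] === $id) {
            return inScope($run, $canonical, $workspace, $entitled) ? 200 : 404;
        }
    }
    return 404;
}

// Constructed sample data: workspace 1, user entitled to tenants 10 and 11.
$runs = [
    ['id' => 1, 'workspace' => 1, 'tenant' => 10],
    ['id' => 2, 'workspace' => 1, 'tenant' => 11],
    ['id' => 3, 'workspace' => 1, 'tenant' => 12],
];
$entitled = [10, 11];
$canonical = canonicalTenant(10, 11, $entitled);             // conflicting request
var_dump($canonical, tenantFilter(11, $canonical, $entitled)); // stale filter after switch
var_dump(detailStatus($runs, 2, $canonical, 1, $entitled));  // record of another tenant
var_dump(detailStatus($runs, 2, null, 1, $entitled));        // no context, entitled tenant
var_dump(detailStatus($runs, 3, null, 1, $entitled));        // no context, unentitled tenant
```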

### Entra groups

- list query matches canonical tenant scope
- direct record URL obeys the same tenant boundary as the list
- admin list and direct record requests without canonical tenant context return not found
- out-of-scope requests return not found
- admin global search returns no tenant-owned Entra-group results without canonical tenant context, or is explicitly disabled

### Guardrail

- a new admin-only `Filament::getTenant()` or `Tenant::current()` read fails the architecture test
- approved tenant-panel-native files remain explicitly allowed
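
One way to build such a guardrail check, shown as an added example rather than the project's own `AdminTenantResolverGuardTest`. The file paths and sample sources are constructed placeholders, and the scanner works on source strings so it runs without the framework.

```php
<?php
declare(strict_types=1);

// Direct tenant reads the guardrail forbids outside the allowlist (lowercased,
// because PHP method names are case-insensitive).
const FORBIDDEN_READS = ['filament::gettenant', 'tenant::current'];

/** @return list<string> findings as "path:line Class::method" */
function findForbiddenTenantReads(array $sources, array $allowlist): array
{
    $findings = [];
    foreach ($sources as $path => $code) {
        if (in_array($path, $allowlist, true)) {
            continue; // approved tenant-panel-native file
        }
        // Tokenize so that comments and string literals cannot match.
        $tokens = array_values(array_filter(
            PhpToken::tokenize($code),
            fn (PhpToken $t): bool => ! $t->isIgnorable()
        ));
        for ($i = 0; $i + 3 < count($tokens); $i++) {
            [$class, $colon, $method, $paren] = array_slice($tokens, $i, 4);
            if (! $class->is([T_STRING, T_NAME_QUALIFIED, T_NAME_FULLY_QUALIFIED])
                || ! $colon->is(T_DOUBLE_COLON) || ! $method->is(T_STRING) || $paren->text !== '(') {
                continue;
            }
            // Reduce \Filament\Facades\Filament to its short class name.
            $short = substr(strrchr('\\' . $class->text, '\\'), 1);
            $call = $short . '::' . $method->text;
            if (in_array(strtolower($call), FORBIDDEN_READS, true)) {
                $findings[] = "{$path}:{$class->line} {$call}";
            }
        }
    }
    return $findings;
}

// Constructed sample sources; paths and contents are placeholders.
$sources = [
    'example/AdminPage.php' => <<<'PHP'
        <?php
        // Tenant::current() in a comment is ignored.
        $tenant = \Filament\Facades\Filament::getTenant();
        PHP,
    'example/TenantPanelResource.php' => '<?php $tenant = Tenant::current();',
];
$findings = findForbiddenTenantReads($sources, ['example/TenantPanelResource.php']);
echo implode(PHP_EOL, $findings), PHP_EOL;
exit($findings === [] ? 0 : 1);
```

The scan matches only the static-call spelling of each read; a class imported under an alias or a tenant fetched through a helper function needs `use`-statement resolution or a separate rule.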

## Out of scope during implementation

- broad tenancy refactors outside the inconsistency class named in the spec
- dependency additions
- unrelated tenant-panel resource rewrites for style only
- new user-facing flows outside the existing admin and tenant-panel surfaces