Implements Spec 090 (Action Surface Contract Compliance & RBAC Hardening).

Highlights:
- Adds/updates action surface declarations and shrinks baseline exemptions.
- Standardizes Filament action grouping/order and empty-state CTAs.
- Enforces RBAC UX semantics (non-member -> 404, member w/o capability -> disabled + tooltip, server-side 403).
- Adds audit logging for successful side-effect actions.
- Fixes Provider Connections list context so header create + row actions resolve tenant correctly.

Tests (focused):
- vendor/bin/sail artisan test --compact tests/Feature/090/
- vendor/bin/sail artisan test --compact tests/Feature/Guards/ActionSurfaceContractTest.php
- vendor/bin/sail bin pint --dirty

Livewire/Filament:
- Filament v5 + Livewire v4 compliant.
- No panel provider registration changes (Laravel 11+ registration remains in bootstrap/providers.php).

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #108
Quickstart — Spec 090 (Action Surface Contract Compliance & RBAC Hardening)
Prereqs
- Run inside Sail.
Run the guard tests (fast feedback)
vendor/bin/sail artisan test --compact tests/Feature/Guards/ActionSurfaceContractTest.php
Run targeted RBAC/action tests (after implementation)
Planned additions for Spec 090 will include feature tests for:
- Policy “Capture snapshot” authorization + audit log
- Findings list action ordering + acknowledge gating
- Provider connections action surface + RBAC gating
- Backup schedules action surface + empty-state CTA gating
- Workspace resource access semantics (non-member 404, member missing capability 403)
Run the smallest set first, e.g.:
vendor/bin/sail artisan test --compact --filter=ActionSurfaceContract
Run only Spec 090 tests
vendor/bin/sail artisan test --compact tests/Feature/090/
vendor/bin/sail artisan test --compact --filter=Spec090
Formatting
vendor/bin/sail bin pint --dirty
Manual verification checklist (post-implementation)
- Confirm each in-scope list/table provides an inspection affordance (View action or clickable row/primary link), consistent “More” grouping, and ≤2 primary row actions.
- Confirm destructive actions require confirmation.
- Confirm tenant/workspace isolation: non-members get 404 semantics; members without capability get 403 on execution and disabled + tooltip in UI.
- Confirm successful side-effect actions create an audit_logs entry with sanitized metadata.
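The planned feature tests listed above and the RBAC items in this checklist can be pinned down in one server-side test that exercises the three access outcomes (non-member 404, member without capability 403, capable member success plus audit row). The following is an added illustration, not code from this repository: the model classes, factories, the `members()` pivot with a `capabilities` column, the route name and the `audit_logs` column names are all assumptions and should be replaced with the project's real identifiers. It covers only the server-side semantics; the disabled-button-plus-tooltip rendering remains a manual (or Livewire component) check.

```php
<?php

namespace Tests\Feature\Spec090;

use App\Models\Policy;      // assumed model
use App\Models\User;
use App\Models\Workspace;   // assumed tenant model
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB;
use Tests\TestCase;

/**
 * Hypothetical server-side RBAC test for the "Capture snapshot" policy action.
 * Route name, factories, pivot shape and audit_logs columns are assumptions.
 */
class CaptureSnapshotRbacTest extends TestCase
{
    use RefreshDatabase;

    private const ACTION = 'policy.capture_snapshot'; // assumed audit action key

    /** Assumed named route for the side-effect action. */
    private function captureUrl(Policy $policy): string
    {
        return route('workspaces.policies.capture-snapshot', [$policy->workspace, $policy]);
    }

    /** Build a workspace with one policy and return [$workspace, $policy]. */
    private function workspaceWithPolicy(): array
    {
        $workspace = Workspace::factory()->create();
        $policy = Policy::factory()->for($workspace)->create();

        return [$workspace, $policy];
    }

    /** Attach $user to $workspace with the given capability list (assumed JSON pivot column). */
    private function addMember(Workspace $workspace, User $user, array $capabilities): void
    {
        $workspace->members()->attach($user->id, [
            'capabilities' => json_encode($capabilities),
        ]);
    }

    public function test_non_member_receives_404_and_no_audit_row(): void
    {
        [, $policy] = $this->workspaceWithPolicy();
        $outsider = User::factory()->create();

        // Non-members must not learn that the resource exists: 404, not 403.
        $this->actingAs($outsider)
            ->post($this->captureUrl($policy))
            ->assertNotFound();

        $this->assertDatabaseMissing('audit_logs', ['action' => self::ACTION]);
    }

    public function test_member_without_capability_receives_403_and_no_audit_row(): void
    {
        [$workspace, $policy] = $this->workspaceWithPolicy();
        $member = User::factory()->create();
        $this->addMember($workspace, $member, ['policies.view']);

        // Members see the resource but the server still rejects the action.
        $this->actingAs($member)
            ->post($this->captureUrl($policy))
            ->assertForbidden();

        $this->assertDatabaseMissing('audit_logs', ['action' => self::ACTION]);
    }

    public function test_capable_member_succeeds_and_is_audited_with_sanitized_metadata(): void
    {
        [$workspace, $policy] = $this->workspaceWithPolicy();
        $member = User::factory()->create();
        $this->addMember($workspace, $member, ['policies.view', 'policies.capture_snapshot']);

        $response = $this->actingAs($member)->post($this->captureUrl($policy));

        // The action may answer 2xx or redirect back to the list; either is a success here.
        $this->assertTrue($response->isSuccessful() || $response->isRedirect());

        $this->assertDatabaseHas('audit_logs', [
            'action'       => self::ACTION,
            'actor_id'     => $member->id,
            'subject_type' => Policy::class,
            'subject_id'   => $policy->id,
        ]);

        // "Sanitized metadata": the stored metadata must not carry credential material.
        $row = DB::table('audit_logs')->where('action', self::ACTION)->first();
        foreach (['password', 'api_token', 'secret'] as $forbiddenKey) {
            $this->assertStringNotContainsString($forbiddenKey, (string) $row->metadata);
        }
    }
}
```

Run it with the same Sail invocation used for the other Spec 090 tests, e.g. `vendor/bin/sail artisan test --compact --filter=CaptureSnapshotRbacTest`. The three tests deliberately assert the absence of an `audit_logs` row on the 404 and 403 paths, so a regression that logs denied attempts under the success action key is caught as well.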