TenantAtlas/specs/065-tenant-rbac-v1/contracts/capabilities.md
ahmido d90fb0f963 065-tenant-rbac-v1 (#79)
PR Body
Implements Spec 065 “Tenant RBAC v1” with capabilities-first RBAC, tenant membership scoping (Option 3), and consistent Filament action semantics.

Key decisions / rules

  • Tenancy Option 3: tenant switching is tenantless (ChooseTenant), tenant-scoped routes stay scoped, non-members get 404 (not 403).
  • RBAC model: canonical capability registry + role→capability map + Gates for each capability (no role-string checks in UI logic).
  • UX policy: for tenant members lacking permission → actions are visible but disabled + tooltip (avoid click→403).
  • Security still enforced server-side.

What’s included

  • Capabilities foundation:
      • Central capability registry (Capabilities::*)
      • Role→capability mapping (RoleCapabilityMap)
      • Gate registration + resolver/manager updates to support tenant-scoped authorization
  • Filament enforcement hardening across the app:
      • Tenant registration & tenant CRUD properly gated
      • Backup/restore/policy flows aligned to “visible-but-disabled” where applicable
      • Provider operations (health check / inventory sync / compliance snapshot) guarded and normalized
      • Directory groups + inventory sync start surfaces normalized
      • Policy version maintenance actions (archive/restore/prune/force delete) gated
  • SpecKit artifacts for 065:
      • spec.md, plan/tasks updates, checklists, enforcement hitlist

Security guarantees

  • Non-member → 404 via tenant scoping/membership guards.
  • Member without capability → 403 on execution, even if UI is disabled.
  • No destructive actions execute without proper authorization checks.

Tests

  • Adds/updates Pest coverage for:
      • Tenant scoping & membership denial behavior
      • Role matrix expectations (owner/manager/operator/readonly)
      • Filament surface checks (visible/disabled actions, no side effects)
      • Provider/Inventory/Groups run-start authorization
  • Verified locally with targeted vendor/bin/sail artisan test --compact …

Deployment / ops notes

  • No new services required.
  • Safe change: behavior is authorization + UI semantics; no breaking route changes intended.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #79
2026-01-28 21:09:47 +00:00


Capability Contracts: Tenant RBAC v1

This document defines the canonical set of capabilities for the Tenant RBAC system. Feature code MUST use these capability strings when checking permissions with Laravel Gates (e.g., Gate::allows('tenant.members.manage')).

Naming Convention

Capabilities follow the format: tenant.<domain>.<verb>. Two entries in the list below do not fit this pattern exactly: tenant.providers.credentials.rotate carries an extra sub-domain segment, and tenant.danger_zone has no verb. Gate checks must still use these strings exactly as listed.

Capability List (v1)

Core

  • tenant.core.view: View the tenant dashboard and basic information.

Membership

  • tenant.members.view: View the list of members in a tenant.
  • tenant.members.manage: Add, remove, or change the roles of members in a tenant. (Owner-only)

Settings

  • tenant.settings.view: View tenant settings.
  • tenant.settings.manage: Modify tenant settings.

Providers

  • tenant.providers.view: View provider connections.
  • tenant.providers.manage: Add, edit, or remove provider connections.
  • tenant.providers.credentials.rotate: Rotate credentials for a provider connection.
  • tenant.providers.run_ops: Execute operations using a provider.

Operations & Monitoring

  • tenant.operations.view: View tenant operations and monitoring data.
  • tenant.operations.start: Start new tenant operations.

Inventory & Drift

  • tenant.inventory.view: View tenant inventory.
  • tenant.inventory.sync: Trigger a synchronization of the tenant inventory.
  • tenant.drift.view: View drift detection reports.
  • tenant.drift.ack: Acknowledge drift alerts.

Policies, Backups, & Restore

  • tenant.policies.view: View policies.
  • tenant.policies.sync: Synchronize policies.
  • tenant.policies.delete: Delete policies.
  • tenant.backups.manage: Manage backups.
  • tenant.restore.execute: Execute a restore from a backup.
  • tenant.danger_zone: Access to destructive "danger zone" actions. (Owner-only)
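As an added example (hypothetical code, not part of this spec or of TenantAtlas), the following shows the registry + role→capability map + Gate-per-capability pattern described in the PR body, using the capability strings defined above. The role assignments beyond the two Owner-only entries, the memberships() relation and the service-provider placement are assumptions.

```php
<?php
// Added example, not TenantAtlas code: one Gate per capability so feature code
// calls Gate::allows('tenant.members.manage', $tenant) and never compares role
// strings. Model relations and the role matrix below are assumptions.
use Illuminate\Support\Facades\Gate;

final class Capabilities
{
    public const CORE_VIEW      = 'tenant.core.view';
    public const MEMBERS_VIEW   = 'tenant.members.view';
    public const MEMBERS_MANAGE = 'tenant.members.manage';
    public const POLICIES_SYNC  = 'tenant.policies.sync';
    public const DANGER_ZONE    = 'tenant.danger_zone';
    // ...remaining entries from the capability list above.

    /** @return string[] every canonical capability string */
    public static function all(): array
    {
        return array_values((new \ReflectionClass(self::class))->getConstants());
    }
}

final class RoleCapabilityMap
{
    // Assumed assignments: the spec only fixes "Owner-only" for members.manage
    // and danger_zone. '*' marks the owner as holding every capability.
    private const MAP = [
        'owner'    => ['*'],
        'manager'  => [Capabilities::CORE_VIEW, Capabilities::MEMBERS_VIEW, Capabilities::POLICIES_SYNC],
        'operator' => [Capabilities::CORE_VIEW, Capabilities::POLICIES_SYNC],
        'readonly' => [Capabilities::CORE_VIEW, Capabilities::MEMBERS_VIEW],
    ];

    public static function allows(string $role, string $capability): bool
    {
        $caps = self::MAP[$role] ?? [];  // unknown role holds nothing
        return in_array('*', $caps, true) || in_array($capability, $caps, true);
    }
}

// In AuthServiceProvider::boot(). $user->memberships() (tenant_id, role) is an
// assumed relation. Non-members are already turned into 404 by the tenant-scoping
// middleware; a member without the capability gets 403 here even when the Filament
// action was rendered disabled via ->disabled(fn () => Gate::denies(..., $tenant)).
foreach (Capabilities::all() as $capability) {
    Gate::define($capability, function ($user, $tenant) use ($capability): bool {
        $membership = $user->memberships()->where('tenant_id', $tenant->id)->first();
        return $membership !== null
            && RoleCapabilityMap::allows($membership->role, $capability);
    });
}
```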