TenantAtlas/specs/381-provider-resource-identity-binding/implementation-close-out.md
Ahmed Darrazi fb2642e941
feat(resources): implement provider resource identity binding
Added ProviderResourceBinding model, migrations, policies, and supporting framework for canonical resource identity mapping as defined in Spec 381.
2026-06-15 17:37:06 +02:00

Implementation Close-Out: Spec 381 - Provider Resource Identity and Binding Foundation v1

Date: 2026-06-15
Branch: 381-provider-resource-identity-binding
Base HEAD observed during close-out: d52b674f spec: record management report pdf staging validation gate (#451)

Scope

Implemented the backend-only provider resource identity model and the managed-environment-scoped binding foundation.

No Filament Resource, page, route, Livewire component, Blade view, navigation item, Graph client, queued job, scheduler behavior, OperationRun type, or customer-facing output was added.

Repo-Truth Notes

  • provider_resource_bindings is tenant-owned operational truth and remains scoped by workspace_id and managed_environment_id.
  • Baseline snapshots are workspace-owned through baseline profiles, not directly tenant-owned. For source_baseline_snapshot_id, managed-environment validity is enforced through baseline_tenant_assignments for the snapshot's baseline_profile_id.
  • No workspace-level, baseline-profile-specific, or subject-only binding scope was introduced.
  • No duplicate active-state truth was introduced; binding_status = active remains the active-binding truth.

Livewire / Filament Contract

  • Livewire v4.0+ compliance: unchanged. No Livewire code changed.
  • Provider registration location: unchanged. Laravel panel providers remain in apps/platform/bootstrap/providers.php.
  • Global search: no Filament Resource was added; ProviderResourceBinding is not globally searchable.
  • Destructive/high-impact actions: no Filament action was added. Backend supersede/revoke decisions require policy authorization and audit logging. Future UI confirmation belongs to Spec 384.
  • Assets: no assets were registered. No Spec 381-specific filament:assets deployment concern beyond normal Filament deploy procedure.

RBAC, Isolation, And Audit

  • Reads and mutations use ProviderResourceBindingPolicy with existing baseline capabilities:
    • view: workspace_baselines.view
    • create/supersede/revoke: workspace_baselines.manage
  • Non-members are denied as not found through managed-environment entitlement checks.
  • Entitled members without manage capability receive forbidden for mutations.
  • Provider connections and source references are validated against the binding workspace and managed environment before persistence.
  • Binding create/supersede/revoke actions write AuditLog records with safe identifiers and hashed/length-only operator note metadata.
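The outcome split described in this section (non-member denied as not found, entitled member without manage capability denied as forbidden) and the hashed/length-only operator note metadata, shown as an added PHP sketch. This is illustrative code, not TenantAtlas project code: the `isEntitledTo()` and `hasCapability()` methods, the `authorizeMutation()` helper and the metadata key names are assumed stand-ins; only the capability name, the model name and the scoping columns come from the close-out.

```php
<?php
// Added illustrative example, not TenantAtlas project code. It sketches the
// authorization outcome split described in the close-out (non-member -> not
// found, entitled-but-no-manage -> forbidden) and the hashed/length-only
// operator note metadata written to audit records. The methods isEntitledTo()
// and hasCapability() and the metadata keys are hypothetical stand-ins.

declare(strict_types=1);

use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Database\Eloquent\ModelNotFoundException;

final class ProviderResourceBindingGate
{
    /**
     * Enforce the mutation rules for a binding.
     * Order matters: the managed-environment entitlement check runs first so
     * that a non-member never learns the binding exists (not found rather
     * than forbidden). Only an entitled member reaches the capability check.
     */
    public function authorizeMutation(object $user, object $binding): void
    {
        // Hypothetical entitlement check against the binding's managed environment.
        if (! $user->isEntitledTo($binding->managed_environment_id)) {
            // ProviderResourceBinding is the model named in the close-out.
            throw (new ModelNotFoundException())->setModel(ProviderResourceBinding::class);
        }

        // Hypothetical capability check, scoped to the binding's workspace;
        // mirrors the workspace_baselines.manage rule for create/supersede/revoke.
        if (! $user->hasCapability('workspace_baselines.manage', $binding->workspace_id)) {
            throw new AuthorizationException('Forbidden');
        }
    }

    /**
     * Build audit metadata that records that an operator note was supplied,
     * its length, and a digest, without persisting the free text itself
     * (free-text notes may contain personal data that does not belong in
     * an audit table).
     */
    public static function operatorNoteMetadata(?string $note): array
    {
        if ($note === null || $note === '') {
            return ['operator_note_present' => false];
        }

        return [
            'operator_note_present' => true,
            'operator_note_length'  => mb_strlen($note),
            'operator_note_sha256'  => hash('sha256', $note),
        ];
    }
}
```

The digest lets a reviewer later confirm that a specific note was the one attached to a decision (by hashing the note they hold), while the audit row itself never exposes the note's content; the length field supports sanity checks such as "a note was required and non-trivial" without storing the text.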

OperationRun Semantics

No OperationRun is created, queued, updated, or completed by Spec 381. Binding decisions are DB-only, security-relevant mutations that are audited directly.

Browser Smoke

Not applicable. Spec 381 has no UI, user-facing flow, route, navigation, Filament, Livewire, or asset surface impact.

Validation Commands

Executed during final review and finding fix loop:

cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/Resources/ResourceIdentityTest.php tests/Unit/Support/Resources/ProviderResourceDescriptorTest.php tests/Unit/Support/Baselines/BaselineSubjectKeyCanonicalIdentityTest.php

Result: passed, 5 tests / 45 assertions.

cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php tests/Feature/ProviderResources/ProviderResourceBindingAuthorizationTest.php

Result after finding fix: passed, 19 tests / 72 assertions.

cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php

Result: passed, 4 tests / 7 assertions.

cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineCompareProviderResourceBindingNoOpTest.php tests/Feature/Baselines/BaselineCompareGapClassificationTest.php tests/Feature/Evidence/BaselineDriftPostureSourceTest.php tests/Feature/ReviewPack/Spec349ReviewPackResolutionGuidanceTest.php

Result: passed, 11 tests / 83 assertions.

cd apps/platform && ./vendor/bin/sail bin pint --dirty --test --format agent

Result: passed.

git diff --check

Result: passed.

Deployment Impact

  • Additive migration only: provider_resource_bindings.
  • Staging must run the migration and the PostgreSQL lane before Production promotion.
  • No environment variable, queue, scheduler, storage, reverse-proxy, or asset change is required.
  • Rollback: before follow-up specs consume the table, rollback is simply dropping the new table. Once follow-up specs consume bindings, rollback must be redesigned.

Residual Risks / Follow-Up

No confirmed in-scope findings remain after the final fix loop.

Follow-up specs remain as planned:

  • Spec 382: matching pipeline consumption.
  • Spec 384: operator resolution UI and destructive/high-impact UI confirmations.
  • Spec 385: evidence/review readiness consumption.