fb2642e941
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 1m9s
Added ProviderResourceBinding model, migrations, policies, and supporting framework for canonical resource identity mapping as defined in Spec 381.
102 lines
4.8 KiB
Markdown
102 lines
4.8 KiB
Markdown
# Implementation Close-Out: Spec 381 - Provider Resource Identity and Binding Foundation v1
|
|
|
|
Date: 2026-06-15
|
|
Branch: `381-provider-resource-identity-binding`
|
|
Base HEAD observed during close-out: `d52b674f spec: record management report pdf staging validation gate (#451)`
|
|
|
|
## Scope
|
|
|
|
Implemented backend-only provider resource identity and managed-environment-scoped binding foundation.
|
|
|
|
No Filament Resource, page, route, Livewire component, Blade view, navigation item, Graph client, queued job, scheduler behavior, OperationRun type, or customer-facing output was added.
|
|
|
|
## Repo-Truth Notes
|
|
|
|
- `provider_resource_bindings` is tenant-owned operational truth and remains scoped by `workspace_id` and `managed_environment_id`.
|
|
- Baseline snapshots are workspace-owned through baseline profiles, not directly tenant-owned. For `source_baseline_snapshot_id`, managed-environment validity is enforced through `baseline_tenant_assignments` for the snapshot's `baseline_profile_id`.
|
|
- No workspace-level, baseline-profile-specific, or subject-only binding scope was introduced.
|
|
- No duplicate active-state truth was introduced; `binding_status = active` remains the active-binding truth.
|
|
|
|
## Livewire / Filament Contract
|
|
|
|
- Livewire v4.0+ compliance: unchanged. No Livewire code changed.
|
|
- Provider registration location: unchanged. Laravel panel providers remain in `apps/platform/bootstrap/providers.php`.
|
|
- Global search: no Filament Resource was added; `ProviderResourceBinding` is not globally searchable.
|
|
- Destructive/high-impact actions: no Filament action was added. Backend supersede/revoke decisions require policy authorization and audit logging. Future UI confirmation belongs to Spec 384.
|
|
- Assets: no assets were registered. No Spec 381-specific `filament:assets` deployment concern beyond normal Filament deploy procedure.
|
|
|
|
## RBAC, Isolation, And Audit
|
|
|
|
- Reads and mutations use `ProviderResourceBindingPolicy` with existing baseline capabilities:
|
|
- view: `workspace_baselines.view`
|
|
- create/supersede/revoke: `workspace_baselines.manage`
|
|
- Non-members are denied as not found through managed-environment entitlement checks.
|
|
- Entitled members without manage capability receive forbidden for mutations.
|
|
- Provider connections and source references are validated against the binding workspace and managed environment before persistence.
|
|
- Binding create/supersede/revoke actions write `AuditLog` records with safe identifiers and hashed/length-only operator note metadata.
|
|
|
|
## OperationRun Semantics
|
|
|
|
No OperationRun is created, queued, updated, or completed by Spec 381. Binding decisions are DB-only, security-relevant mutations that are audited directly.
|
|
|
|
## Browser Smoke
|
|
|
|
Not applicable. Spec 381 has no UI, user-facing flow, route, navigation, Filament, Livewire, or asset surface impact.
|
|
|
|
## Validation Commands
|
|
|
|
Executed during final review and finding fix loop:
|
|
|
|
```bash
|
|
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/Resources/ResourceIdentityTest.php tests/Unit/Support/Resources/ProviderResourceDescriptorTest.php tests/Unit/Support/Baselines/BaselineSubjectKeyCanonicalIdentityTest.php
|
|
```
|
|
|
|
Result: passed, 5 tests / 45 assertions.
|
|
|
|
```bash
|
|
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php tests/Feature/ProviderResources/ProviderResourceBindingAuthorizationTest.php
|
|
```
|
|
|
|
Result after finding fix: passed, 19 tests / 72 assertions.
|
|
|
|
```bash
|
|
cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php
|
|
```
|
|
|
|
Result: passed, 4 tests / 7 assertions.
|
|
|
|
```bash
|
|
cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineCompareProviderResourceBindingNoOpTest.php tests/Feature/Baselines/BaselineCompareGapClassificationTest.php tests/Feature/Evidence/BaselineDriftPostureSourceTest.php tests/Feature/ReviewPack/Spec349ReviewPackResolutionGuidanceTest.php
|
|
```
|
|
|
|
Result: passed, 11 tests / 83 assertions.
|
|
|
|
```bash
|
|
cd apps/platform && ./vendor/bin/sail bin pint --dirty --test --format agent
|
|
```
|
|
|
|
Result: passed.
|
|
|
|
```bash
|
|
git diff --check
|
|
```
|
|
|
|
Result: passed.
|
|
|
|
## Deployment Impact
|
|
|
|
- Additive migration only: `provider_resource_bindings`.
|
|
- Staging must run the migration and the PostgreSQL lane before Production promotion.
|
|
- No environment variable, queue, scheduler, storage, reverse-proxy, or asset change is required.
|
|
- Rollback before follow-up specs consume the table is dropping the new table. After follow-up specs consume bindings, rollback must be redesigned.
|
|
|
|
## Residual Risks / Follow-Up
|
|
|
|
No confirmed in-scope findings remain after the final fix loop.
|
|
|
|
Follow-up specs remain as planned:
|
|
|
|
- Spec 382: matching pipeline consumption.
|
|
- Spec 384: operator resolution UI and destructive/high-impact UI confirmations.
|
|
- Spec 385: evidence/review readiness consumption.
|