ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
fb2642e941
TenantAtlas/specs/381-provider-resource-identity-binding/tasks.md
Ahmed Darrazi fb2642e941
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 1m9s
Details
feat(resources): implement provider resource identity binding 
Added ProviderResourceBinding model, migrations, policies, and supporting framework for canonical resource identity mapping as defined in Spec 381.
2026-06-15 17:37:06 +02:00

14 KiB
Raw Blame History

Tasks: Spec 381 - Provider Resource Identity and Binding Foundation v1

Input: specs/381-provider-resource-identity-binding/spec.md, specs/381-provider-resource-identity-binding/plan.md Prerequisites: Spec and plan are complete. Spec 163 and Spec 380 are historical/context only and must not be rewritten. This task list is for a later implementation loop, not for this preparation step. Tests: Unit, Feature, PostgreSQL, and targeted no-op baseline/evidence/review regression tests are required. Browser tests are not required because no UI surface changes.

Test Governance Checklist

  • Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
  • New tests stay in the smallest honest family; no heavy-governance or browser family is introduced.
  • Shared helpers, factories, seeds, fixtures, provider setup, workspace membership context, and fake-provider defaults stay cheap by default.
  • PostgreSQL validation is used only for migration/partial unique/composite foreign key/index behavior that SQLite cannot prove.
  • Planned validation commands cover identity, binding service behavior, authorization, audit, PostgreSQL uniqueness, workspace/environment integrity, source-reference scoping, and current-runtime no-op behavior.
  • Any material budget, baseline, trend, or escalation note is recorded in the implementation close-out.

Phase 1: Baseline And Guardrail Reconfirmation

Purpose: Confirm repo truth and protect completed-spec history before implementation.

  • T001 Record current branch, HEAD, dirty state, and intended touched-file set in the implementation close-out notes for specs/381-provider-resource-identity-binding/.
  • T002 Re-read specs/381-provider-resource-identity-binding/spec.md, specs/381-provider-resource-identity-binding/plan.md, and specs/381-provider-resource-identity-binding/tasks.md.
  • T003 Re-read specs/163-baseline-subject-resolution/spec.md, specs/163-baseline-subject-resolution/plan.md, and specs/163-baseline-subject-resolution/tasks.md as completed/historical context without editing Spec 163.
  • T004 Re-read apps/platform/app/Support/Baselines/BaselineSubjectKey.php, apps/platform/app/Support/Baselines/SubjectClass.php, apps/platform/app/Support/Baselines/ResolutionOutcome.php, and apps/platform/app/Support/Baselines/Compare/CompareSubjectIdentity.php.
  • T005 Re-read apps/platform/app/Models/ProviderConnection.php, apps/platform/app/Models/ManagedEnvironment.php, apps/platform/app/Models/AuditLog.php, apps/platform/app/Support/Auth/Capabilities.php, and existing provider/baseline policy tests.
  • T006 Confirm no Filament resource/page/action, route, Livewire component, Blade view, Graph client, provider adapter, OperationRun type, or evidence/review behavior change is planned; if one appears necessary, stop and update spec/plan before continuing.

Phase 2: Identity And Canonical Key Foundation

Purpose: Represent provider identity and canonical subject keys without display names as primary identity.

  • T007 [P] [US1] Add unit coverage in apps/platform/tests/Unit/Support/Resources/ResourceIdentityTest.php for tenant-owned, built-in, default, virtual, unsupported, and unknown identities.
  • T008 [P] [US1] Add unit coverage in apps/platform/tests/Unit/Support/Baselines/BaselineSubjectKeyCanonicalIdentityTest.php proving canonical keys use provider/resource identity or canonical discriminator and do not collapse same-label distinct resources.
  • T009 [P] [US1] Add unit coverage in apps/platform/tests/Unit/Support/Resources/ProviderResourceDescriptorTest.php for descriptor serialization, source references, last-seen metadata, fingerprints, and fake-provider data.
  • T010 [US1] Implement apps/platform/app/Support/Resources/ResourceIdentity.php with named constructors for provider resource, canonical built-in/default, virtual target, unsupported, and unknown identities.
  • T011 [US1] Extend apps/platform/app/Support/Baselines/BaselineSubjectKey.php with canonical provider-resource key helpers rather than creating a parallel CanonicalSubjectKey class.
  • T012 [US1] Implement apps/platform/app/Support/Resources/ProviderResourceDescriptor.php as a small serializable descriptor over ResourceIdentity.
  • T013 [US1] Run the focused identity unit tests for ResourceIdentity, BaselineSubjectKeyCanonicalIdentity, and ProviderResourceDescriptor.

Phase 3: Binding Persistence And Integrity

Purpose: Persist managed-environment-scoped binding decisions with active uniqueness and no duplicate active truth.

  • T014 [P] [US2] Add PostgreSQL migration/index coverage in apps/platform/tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php for active partial unique index, composite (managed_environment_id, workspace_id) foreign key integrity, managed-environment non-null scope, enum/check-constraint validity where practical, and index-backed lookup assumptions.
  • T015 [P] [US2] Add feature coverage in apps/platform/tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php for create, supersede, revoke, required note, single-active binding behavior, provider-default-as-canonical-built-in behavior, fake-provider service persistence, and every resolution mode listed in spec.md.
  • T016 [US2] Create apps/platform/database/migrations/<timestamp>_create_provider_resource_bindings_table.php with non-null workspace_id, non-null managed_environment_id, composite (managed_environment_id, workspace_id) foreign key to managed_environments(id, workspace_id), provider/subject/resource descriptor fields, binding status, resolution mode, source references, actor fields, timestamps, indexes, and a PostgreSQL partial unique index on active bindings.
  • T017 [US2] Implement apps/platform/app/Support/Resources/ProviderResourceBindingStatus.php with active, superseded, and revoked.
  • T018 [US2] Implement apps/platform/app/Support/Resources/ProviderResourceResolutionMode.php with the modes listed in spec.md.
  • T019 [US2] Implement apps/platform/app/Models/ProviderResourceBinding.php with casts, relationships, active lookup scope, DerivesWorkspaceIdFromTenant or equivalent workspace-derivation invariant, and managed-environment/workspace helpers.
  • T020 [US2] Implement apps/platform/database/factories/ProviderResourceBindingFactory.php with cheap defaults and explicit fake-provider/provider-resource states.
  • T021 [US2] Run the PostgreSQL binding migration/index test through cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php.

Phase 4: Binding Service, RBAC, And Audit

Purpose: Make binding decisions safe, authorized, note-backed, and auditable.

  • T022 [P] [US2] Add authorization coverage in apps/platform/tests/Feature/ProviderResources/ProviderResourceBindingAuthorizationTest.php for allowed manager, read-only denial, missing capability 403, cross-workspace deny-as-not-found, and cross-managed-environment deny-as-not-found for records and source references.
  • T023 [P] [US2] Add audit assertions to apps/platform/tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php for create, supersede, exclusion, accepted limitation, unsupported coverage, missing expected, revocation, old binding ID where applicable, new binding ID where applicable, resolution mode, safe source references, and redacted/safe operator note metadata.
  • T024 [US2] Implement apps/platform/app/Policies/ProviderResourceBindingPolicy.php using existing workspace_baselines.view and workspace_baselines.manage capability semantics unless the spec is updated first.
  • T025 [US2] Register the ProviderResourceBindingPolicy in apps/platform/app/Providers/AuthServiceProvider.php unless implementation updates plan.md with a stronger adjacent provider-registration precedent first.
  • T026 [US2] Implement apps/platform/app/Services/Resources/ProviderResourceBindingService.php with transactional methods for manual binding, exclusion, accepted limitation, unsupported coverage, missing expected, supersession, and revocation, including provider-connection/provider-key validation and scoped source-reference validation before persistence.
  • T027 [US2] Add stable audit action IDs for provider resource binding decisions in apps/platform/app/Support/Audit/AuditActionId.php.
  • T028 [US2] Ensure service audit metadata excludes secrets, tokens, raw credentials, raw provider payloads, raw Graph response bodies, signed URLs, stack traces, raw sensitive JSON, and unchecked raw operator note text.
  • T029 [US2] Run the binding service and authorization feature tests.

Phase 5: No-Op Runtime Regression

Purpose: Prove Spec 381 does not silently change current compare, evidence, review, or report behavior.

  • T030 [P] [US3] Add no-op regression coverage in apps/platform/tests/Feature/Baselines/BaselineCompareProviderResourceBindingNoOpTest.php proving existing compare behavior does not automatically consume bindings in v1.
  • T031 [P] [US3] Add no-op regression coverage in apps/platform/tests/Feature/Evidence/BaselineDriftPostureSourceTest.php or a focused adjacent test proving existing evidence posture output is unchanged when bindings exist.
  • T032 [P] [US3] Add no-op regression coverage in apps/platform/tests/Feature/ReviewPack/Spec349ReviewPackResolutionGuidanceTest.php or a focused adjacent test proving review guidance/readiness does not treat accepted limitation as no-drift in v1.
  • T033 [US3] Run targeted existing baseline/evidence/review tests listed in plan.md.
  • T034 [US3] Confirm the migration does not alter or backfill existing baseline snapshots, baseline snapshot items, inventory items, policy versions, operation runs, evidence snapshots, stored reports, or review packs.
  • T035 [US3] Confirm no code path in current baseline compare, evidence readiness, review readiness, or review-pack publication automatically resolves subjects through ProviderResourceBindingService; if implementation needs that, stop and prepare Spec 382/385 instead.

Phase 6: Final Validation And Artifact Hygiene

Purpose: Close implementation with bounded proof and no hidden scope.

  • T036 Run cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Support/Resources/ResourceIdentityTest.php tests/Unit/Support/Resources/ProviderResourceDescriptorTest.php tests/Unit/Support/Baselines/BaselineSubjectKeyCanonicalIdentityTest.php.
  • T037 Run cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderResources/ProviderResourceBindingServiceTest.php tests/Feature/ProviderResources/ProviderResourceBindingAuthorizationTest.php.
  • T038 Run cd apps/platform && ./vendor/bin/sail php vendor/bin/pest -c phpunit.pgsql.xml tests/Feature/ProviderResources/ProviderResourceBindingPostgresTest.php.
  • T039 Run cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Baselines/BaselineCompareGapClassificationTest.php tests/Feature/Evidence/BaselineDriftPostureSourceTest.php tests/Feature/ReviewPack/Spec349ReviewPackResolutionGuidanceTest.php.
  • T040 Run cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent.
  • T041 Run git diff --check.
  • T042 Scan changed files for secrets, tokens, raw credentials, raw provider payloads, raw Graph payloads, signed URLs, stack traces, SQL errors, and unnecessary customer-sensitive data.
  • T043 Complete implementation close-out with Livewire v4 compliance, provider registration location, global-search status, high-impact action handling, asset strategy, validation commands, and deployment impact.

Non-Goals

  • NT001 Do not add a Baseline Subject Resolution UI, Filament resource, route, navigation item, Livewire component, or Blade view.
  • NT002 Do not implement baseline matching pipeline consumption, automatic Microsoft built-in mapping, or provider adapter canonicalization.
  • NT003 Do not change evidence snapshot readiness, environment review readiness, review-pack publication, or customer-facing output.
  • NT004 Do not add Graph calls, provider runtime calls, queued jobs, OperationRun types, terminal notifications, or scheduler behavior.
  • NT005 Do not add workspace-level, baseline-profile-specific, or subject-only binding scopes in v1.
  • NT006 Do not add an is_active column or other duplicate active-binding truth.
  • NT007 Do not rewrite completed Spec 163 or Spec 380 artifacts or remove their close-out/completed-task history.

Dependencies And Ordering

  • Phase 1 must complete before code changes.
  • Phase 2 identity primitives must exist before descriptors and binding service payloads depend on them.
  • Phase 3 migration/model/enums must complete before the service persists decisions.
  • Phase 4 policy/service/audit depends on Phase 3 persistence.
  • Phase 5 no-op regression runs after bindings can exist.
  • Phase 6 runs last.

Parallel Opportunities

  • T007, T008, and T009 can run in parallel.
  • T014 and T015 can run in parallel.
  • T022 and T023 can run in parallel.
  • T030, T031, and T032 can run in parallel.
  • Final validation commands T036 through T039 may run in parallel if Sail resources allow.

Implementation Strategy

  1. Prove identity primitives first.
  2. Add persistence and PostgreSQL uniqueness.
  3. Add authorized/audited service mutations.
  4. Prove current compare/evidence/review behavior is unchanged.
  5. Run focused validation and stop before follow-up matching/UI/evidence scopes.