ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
fc794b67e1
TenantAtlas/specs/204-platform-core-vocabulary-hardening/plan.md
Ahmed Darrazi fc794b67e1 Spec 204: harden platform core vocabulary
2026-04-14 08:07:40 +02:00

27 KiB
Raw Blame History

Implementation Plan: Platform Core Vocabulary Hardening

Branch: 204-platform-core-vocabulary-hardening | Date: 2026-04-13 | Spec: /Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/204-platform-core-vocabulary-hardening/spec.md Input: Feature specification from /Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/204-platform-core-vocabulary-hardening/spec.md

Note: This plan hardens platform-core and platform-near vocabulary by extending the existing governance, operation, and reason-translation layers already in the codebase, rather than introducing a parallel framework or broad rename sweep.

Summary

Reuse the existing App\Support\Governance, App\Support\OperationCatalog, App\Support\OperationRunType, and App\Support\ReasonTranslation seams to define one maintained code-side platform vocabulary glossary, resolve mixed stored operation type codes through one canonical domain-aware operation vocabulary, classify platform reason families separately from domain-owned reason codes, and harden platform-near compare, snapshot, monitoring, review, and reporting contracts to prefer governed-subject descriptors over false-universal policy_type wording. Keep Intune-owned tables, Graph contracts, and adapter-local metadata intentionally Intune-specific, preserve historical run and filter compatibility through alias resolution instead of a mass rewrite, and add regression guards so touched platform surfaces cannot drift back into implicit Intune-as-universal semantics.

Technical Context

Language/Version: PHP 8.4.15
Primary Dependencies: Laravel 12, Filament v5, Livewire v4, Pest v4, Laravel Sail, existing GovernanceSubjectTaxonomyRegistry, BaselineScope, CompareStrategyRegistry, OperationCatalog, OperationRunType, ReasonTranslator, ReasonResolutionEnvelope, ProviderReasonTranslator, and current Filament monitoring or review surfaces
Storage: PostgreSQL via existing operation_runs.type, operation_runs.context, baseline_profiles.scope_jsonb, baseline_snapshot_items, findings, evidence payloads, and current config-backed registries; no new top-level tables planned
Testing: Pest unit, feature, architecture, and focused Filament Livewire tests run through Laravel Sail
Target Platform: Laravel monolith web application under apps/platform with queue-backed operations and Filament admin or operator surfaces
Project Type: web application in a monorepo (apps/platform plus apps/website)
Performance Goals: Keep operation label and reason translation resolution fully in-process, avoid new remote calls on monitoring or review pages, preserve current operation list and filter responsiveness, and avoid request-path schema rewrites or query fan-out caused by vocabulary hardening
Constraints: No repo-wide rename sweep, no fake generic rewrite of Intune adapters, no new panel or provider, no new assets, no break in historical run filtering or labeling, no change to current 404 or 403 semantics, keep compatibility explicitly transitional, and prefer wrapper or alias hardening over broad schema churn
Scale/Scope: One existing governance namespace, one existing operation vocabulary seam, one existing reason-translation seam, several monitoring or review surfaces, a small set of platform-near compare and snapshot contracts, optional targeted platform-owned persistence wrappers, and focused regression coverage across monitoring, reason translation, and baseline compare or snapshot surfaces

Constitution Check

GATE: Passed before Phase 0 research. Re-checked after Phase 1 design and still passing with narrow proportionality exceptions documented below.

Principle Pre-Research Post-Design Notes
Inventory-first / snapshots-second PASS PASS The feature hardens vocabulary only; inventory, snapshots, and external Microsoft truth sources remain unchanged.
Read/write separation PASS PASS Most work is read-path and presentation-path hardening. Any touched persisted write path stays on existing model or service flows and keeps existing audit and authorization behavior.
Graph contract path PASS PASS No new Microsoft Graph path or graph_contracts.php entry is introduced. Intune-owned Graph terminology remains in the adapter layer.
Deterministic capabilities PASS PASS Existing taxonomy, compare strategy, and operation catalog seams remain deterministic and testable. Any new vocabulary mapping is code-side and snapshot-testable.
Workspace + tenant isolation PASS PASS Monitoring, compare, and review surfaces keep current workspace and tenant scope enforcement. Vocabulary hardening must not expose hidden records through labels or explanations.
RBAC-UX authorization semantics PASS PASS No new authorization plane or capability family is added. Non-members remain 404, in-scope capability denials remain 403, and no new raw capability strings are introduced.
Run observability / Ops-UX PASS PASS Existing OperationRun lifecycle, summary counts, notifications, and DB-only monitoring rules remain unchanged. Operation type hardening is alias and presentation aware, not a run-lifecycle redesign.
Data minimization PASS PASS No new persisted entity or external payload is introduced. Existing JSON context and derived presentation payloads are hardened in place.
Proportionality / anti-bloat PASS PASS The plan extends existing governance, operation, and reason translation seams instead of introducing a second registry framework or presentation pipeline.
No premature abstraction PASS PASS The glossary, alias map, and reason-family classification are narrow extensions to already-existing abstractions rather than brand-new plugin points.
Persisted truth / behavioral state PASS PASS No new top-level persisted truth is added. Any touched reason-family or operation-type classification remains derived unless a platform-owned field cannot be safely wrapped.
UI semantics / few layers PASS PASS Reason ownership and canonical labels are derived through the existing translation and catalog layers. The plan does not add a second operator-semantics framework.
Filament v5 / Livewire v4 compliance PASS PASS All touched UI surfaces remain on existing Filament v5 + Livewire v4 resources, pages, widgets, and detail views.
Provider registration location PASS PASS No panel or provider change is required. Laravel 11+ provider registration remains in bootstrap/providers.php.
Global search hard rule PASS PASS No new globally searchable resource is introduced. Touched resources continue their current search behavior and existing view-detail capability.
Destructive action safety PASS PASS No new destructive action is introduced. Existing destructive actions remain unchanged and must keep confirmation plus authorization.
Asset strategy PASS PASS No new global or on-demand assets are planned. Existing deployment handling of cd apps/platform && php artisan filament:assets remains unchanged.

Filament-Specific Compliance Notes

  • Livewire v4.0+ compliance: The touched monitoring and review surfaces stay on Filament v5 + Livewire v4 and the plan introduces no legacy API usage.
  • Provider registration location: No new panel or provider is required; bootstrap/providers.php remains the only relevant provider registration location.
  • Global search: No new globally searchable resource is added. OperationRunResource already has a detail surface, and touched baseline surfaces keep their existing view or search posture.
  • Destructive actions: This feature adds no new destructive action. Existing destructive actions must retain ->requiresConfirmation() and server-side authorization.
  • Asset strategy: No asset registration changes are planned. Deployment handling of cd apps/platform && php artisan filament:assets remains unchanged.
  • Testing plan: Extend unit coverage for glossary and alias resolution, extend reason-translation and architecture guard coverage for ownership boundaries, extend monitoring and Filament operation-run coverage for canonical labels and filter continuity, and extend baseline snapshot or compare coverage for platform-near subject vocabulary hardening.

Phase 0 Research

Research outcomes are captured in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/204-platform-core-vocabulary-hardening/research.md.

Key decisions:

  • Keep the maintained glossary inside the existing App\Support\Governance namespace rather than creating a second documentation-only or config-only source of truth.
  • Treat existing stored operation type codes as compatibility aliases and resolve them through one canonical domain-aware operation vocabulary contract.
  • Evolve OperationCatalog into the central canonical operation registry rather than introducing a parallel catalog.
  • Keep ProviderReasonCodes, RbacReason, and BaselineCompareReasonCode domain-owned and derive platform reason families at the existing ReasonTranslation boundary.
  • Prefer governed-subject descriptors built from subject_type_key and subject_type_label on platform-owned or platform-near payloads while preserving Intune-owned policy_type where the object is truly adapter-owned.
  • Use wrapper-first and alias-first hardening for platform-owned JSON and presentation contracts before considering any schema change.
  • Limit registry hardening to explicit ownership descriptors around current registries instead of building a universal plugin system.
  • Add regression guards that prevent false-universal Intune vocabulary from reappearing on touched platform surfaces.

Phase 1 Design

Design artifacts are created under /Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/204-platform-core-vocabulary-hardening/:

  • research.md: architecture decisions and rejected alternatives for vocabulary ownership, operation types, reason families, and platform-near discriminator hardening
  • data-model.md: glossary, operation alias resolution, platform reason family, registry ownership, and platform subject descriptor contracts
  • contracts/platform-core-vocabulary-hardening.logical.openapi.yaml: logical internal contract for glossary lookup, operation type resolution, reason translation, registry ownership lookup, and platform subject descriptor normalization
  • quickstart.md: implementation and verification sequence for the feature

Design decisions:

  • Reuse the current governance namespace for canonical term definitions and ownership descriptors instead of creating a second top-level framework.
  • Keep OperationRunType and OperationCatalog as the existing operation vocabulary seam, but add canonical operation codes, domain grouping, and explicit legacy alias resolution.
  • Extend ReasonResolutionEnvelope and ReasonTranslator so operator-facing explanations carry explicit ownership and platform reason-family metadata without renaming domain reason codes.
  • Harden platform-near compare, snapshot, monitoring, and review payloads to prefer domain_key, subject_class, subject_type_key, and subject_type_label semantics rather than using policy_type as a universal noun.
  • Preserve Intune-owned tables, config registries, Graph contracts, and adapter metadata as intentionally Intune-specific.
  • Keep compatibility explicitly temporary and visible in code so old names are readable but not treated as equally canonical.

Project Structure

Documentation (this feature)

specs/204-platform-core-vocabulary-hardening/
├── plan.md
├── research.md
├── data-model.md
├── quickstart.md
├── spec.md
├── contracts/
│   └── platform-core-vocabulary-hardening.logical.openapi.yaml
└── checklists/
    └── requirements.md

Source Code (repository root)

apps/platform/
├── app/
│   ├── Filament/
│   │   ├── Pages/
│   │   │   ├── BaselineCompareLanding.php
│   │   │   └── BaselineCompareMatrix.php
│   │   ├── Resources/
│   │   │   ├── OperationRunResource.php
│   │   │   └── EvidenceSnapshotResource.php
│   │   ├── System/
│   │   │   └── Pages/
│   │   │       ├── Ops/
│   │   │       │   ├── Runs.php
│   │   │       │   ├── Failures.php
│   │   │       │   └── Stuck.php
│   │   │       └── Directory/
│   │   │           ├── ViewTenant.php
│   │   │           └── ViewWorkspace.php
│   │   │   └── Widgets/
│   │   │       ├── ControlTowerRecentFailures.php
│   │   │       └── ControlTowerTopOffenders.php
│   │   └── Widgets/
│   │       └── Dashboard/RecentOperations.php
│   ├── Jobs/
│   │   └── CompareBaselineToTenantJob.php
│   ├── Models/
│   │   └── OperationRun.php
│   ├── Services/
│   │   ├── Audit/
│   │   │   └── AuditEventBuilder.php
│   │   └── Baselines/
│   │       └── SnapshotRendering/
│   │           └── BaselineSnapshotPresenter.php
│   └── Support/
│       ├── Governance/
│       │   ├── GovernanceDomainKey.php
│       │   ├── GovernanceSubjectClass.php
│       │   ├── GovernanceSubjectTaxonomyRegistry.php
│       │   ├── GovernanceSubjectType.php
│       │   ├── PlatformVocabularyGlossary.php
│       │   ├── PlatformVocabularyTerm.php
│       │   ├── RegistryOwnershipDescriptor.php
│       │   ├── PlatformSubjectDescriptor.php
│       │   └── PlatformSubjectDescriptorNormalizer.php
│       ├── Providers/
│       │   ├── ProviderReasonCodes.php
│       │   └── ProviderReasonTranslator.php
│       ├── ReasonTranslation/
│       │   ├── Contracts/
│       │   ├── ReasonResolutionEnvelope.php
│       │   ├── ReasonTranslator.php
│       │   └── ReasonPresenter.php
│       ├── Baselines/
│       │   ├── BaselineCompareReasonCode.php
│       │   ├── BaselineScope.php
│       │   └── Compare/
│       │       ├── CompareSubjectProjection.php
│       │       └── CompareSubjectResult.php
│       ├── Filament/
│       │   └── FilterOptionCatalog.php
│       ├── OperationCatalog.php
│       └── OperationRunType.php
├── config/
│   └── tenantpilot.php
└── tests/
    ├── Architecture/
    │   └── ReasonTranslationPrimarySurfaceGuardTest.php
    ├── Feature/
    │   ├── Authorization/
    │   │   └── ReasonTranslationScopeSafetyTest.php
    │   ├── Baselines/
    │   │   ├── BaselineCompareExecutionGuardTest.php
    │   │   ├── BaselineCompareDriftEvidenceContractTest.php
    │   │   └── BaselineCompareWhyNoFindingsReasonCodeTest.php
    │   ├── Filament/
    │   │   ├── OperationRunListFiltersTest.php
    │   │   ├── OperationRunEnterpriseDetailPageTest.php
    │   │   ├── OperationRunBaselineTruthSurfaceTest.php
    │   │   ├── BaselineCompareLandingWhyNoFindingsTest.php
    │   │   └── BaselineCompareSummaryConsistencyTest.php
    │   ├── Monitoring/
    │   │   └── OperationRunResolvedReferencePresentationTest.php
    │   └── ReasonTranslation/
    │       ├── GovernanceReasonPresentationTest.php
    │       └── ReasonTranslationExplanationTest.php
    └── Unit/
        ├── Baselines/
        │   └── SnapshotRendering/BaselineSnapshotPresenterTest.php
        └── Support/
            ├── Governance/
            │   ├── PlatformVocabularyGlossaryTest.php
            │   ├── RegistryOwnershipDescriptorTest.php
            │   └── PlatformSubjectDescriptorNormalizerTest.php
            ├── OperationTypeResolutionTest.php
            ├── ReasonTranslation/
            │   ├── ExecutionDenialReasonTranslationTest.php
            │   ├── ProviderReasonTranslationTest.php
            │   ├── RbacReasonTranslationTest.php
            │   ├── ReasonResolutionEnvelopeTest.php
            │   └── TenantOperabilityReasonTranslationTest.php

Structure Decision: Keep the work inside the existing governance, operation, baseline compare, and reason-translation seams. Add one narrow glossary and ownership layer under app/Support/Governance and small extensions to current catalogs or envelopes rather than introducing a second cross-cutting framework. The intended implementation surface is one glossary, one operation-resolution seam, one reason-owner extension, and one subject normalizer; any additional named contracts from the data model should be realized only as small value objects under those seams when keeping them inline would duplicate meaning across multiple touched surfaces.

Complexity Tracking

Violation Why Needed Simpler Alternative Rejected Because
Code-side platform vocabulary glossary and ownership descriptors The codebase already has governance and compare vocabulary primitives, but it lacks one maintained source that explains canonical platform terms, registry ownership, and where Intune-native terms remain valid A spec-only note or scattered inline comments would not keep code, tests, and review surfaces aligned once changes start landing
Canonical operation type alias resolution Historical stored operation codes are mixed between canonical domain-aware names and older underscore names; the platform needs one future-safe vocabulary model without breaking current run history or filters An immediate rewrite of all persisted operation types is too risky, while leaving the mixed names equally canonical defeats the purpose of the hardening
Platform reason-family classification at the translation boundary Platform surfaces need to distinguish domain-neutral cause families from domain-owned causes without flattening Provider, RBAC, and baseline compare reasons into one misleading universal enum Renaming every existing domain reason code into a platform-wide code family would add churn, blur ownership, and break current translation paths unnecessarily

Proportionality Review

  • Current operator problem: Monitoring, compare, evidence, and review surfaces still expose platform meaning through a mix of Intune-shaped operation names, reason codes, and subject terms, which makes the product's architecture harder to understand and more error-prone for future work.
  • Existing structure is insufficient because: Current governance taxonomy, compare strategy, operation catalog, and reason translation seams exist, but they do not yet define one canonical boundary for platform vocabulary ownership, alias handling, or subject descriptor hardening across touched platform surfaces.
  • Narrowest correct implementation: Extend the existing governance namespace, operation catalog, and reason translation envelope with glossary, ownership, alias, and descriptor metadata; harden only the touched platform-near payloads and surfaces; preserve Intune-owned persistence and catalogs where they are legitimately domain-specific.
  • Implementation preference: Extend existing seams first and add standalone support types only where they replace repeated array-shape ambiguity across multiple touched surfaces.
  • Ownership cost created: Ongoing glossary maintenance, explicit alias retirement review, additional architecture and regression tests, and careful review of touched platform-near payloads to keep compatibility temporary.
  • Alternative intentionally rejected: A broad repo-wide rename or a brand-new platform vocabulary framework. The rename sweep creates churn without enough boundary discipline, and the new framework would over-abstract a problem that current seams can solve more narrowly.
  • Release truth: current-release platform-boundary clarification with compatibility support, not speculative multi-domain infrastructure

Implementation Strategy

Phase A - Canonical Glossary and Ownership Boundaries

  • Add a narrow code-side glossary under app/Support/Governance that defines canonical platform terms and ownership layers.
  • Make the contributor boundary explicit so touched concepts can be classified as platform_core, cross_domain_governance, or intune_specific without relying on historical naming.
  • Classify current registries and catalogs as platform_core, cross_domain_governance, or intune_specific, starting with governance taxonomy, operation catalog, provider reason registries, and Intune policy type config.
  • Document forbidden false-universal aliases for platform contexts, especially policy_type where the surface is not explicitly Intune-owned.

Phase B - Operation Vocabulary Canonicalization

  • Extend OperationCatalog and related helpers to resolve one canonical domain-aware operation code from stored or legacy operation type values.
  • Update touched run-creating services, jobs, and launch surfaces to emit canonical operation codes on new writes wherever this spec changes the flow.
  • Expose canonical operation_type on touched read models, summaries, filters, and exports even where persisted storage continues to use operation_runs.type.
  • Keep OperationRunType readable for current services and jobs, but add alias and grouping metadata so monitoring, filters, audit prose, and run detail surfaces render canonical meaning consistently.
  • Update touched monitoring and review surfaces to rely on canonical in-process resolution rather than raw stored strings, without introducing render-time external calls or query fan-out.

Phase C - Reason Ownership and Platform Reason Families

  • Extend ReasonResolutionEnvelope and ReasonTranslator so translated explanations carry explicit ownership and platform reason-family metadata.
  • Keep ProviderReasonCodes, RbacReason, and BaselineCompareReasonCode domain-owned and namespaced.
  • Ensure operator-facing surfaces show platform reason meaning first and domain-specific cause detail second when both are present.

Phase D - Platform-Neutral Subject and Contract Hardening

  • Harden platform-near compare, snapshot, monitoring, and review payloads to prefer domain_key, subject_class, subject_type_key, and subject_type_label descriptors where available.
  • Audit platform-owned persisted payloads, especially operation_runs.context, compare subcontext payloads, and evidence payloads touched by this spec, and normalize them through wrapper or presenter contracts before any rename is considered.
  • Reduce or remove false-universal policy_type usage from touched run context, compare payloads, snapshot rendering, and reporting summaries while keeping Intune-owned persistence untouched.
  • Prefer wrapper or projection hardening for platform-owned JSON and presenter contracts before any schema change is considered.

Phase E - Transition, Guardrails, and Verification

  • Keep compatibility explicitly temporary with one canonical name per platform concept and documented legacy aliases.
  • Add regression and architecture guards so touched platform surfaces cannot reintroduce raw mixed operation codes, false-universal Intune vocabulary, non-in-process resolution paths, or request-time query fan-out on monitoring and review reads.
  • Validate no-regression Intune-first behavior across monitoring, compare, evidence, review, and snapshot surfaces touched by the hardening.

Risk Assessment

Risk Impact Likelihood Mitigation
Canonical operation aliasing turns into permanent dual vocabulary High Medium Define one canonical operation code per stored alias, make alias status explicit in code, and add tests that new writes on touched flows do not introduce new legacy names.
A platform surface still leaks policy_type after wrapper hardening High Medium Audit touched compare, snapshot, run-context, and presenter contracts; add feature and architecture tests around those surfaces.
Reason-family hardening duplicates or conflicts with existing explanation semantics Medium Medium Extend the current envelope and translator instead of adding a second explanation pipeline, and validate against existing reason-translation and baseline compare explanation tests.
Monitoring filters, labels, or audit prose break when operation types are canonicalized Medium Medium Route filters and labels through canonical resolution and extend OperationRunListFiltersTest, monitoring presentation tests, and audit-event coverage.
The implementation drifts into Intune adapter rewrites or schema churn Medium Low Keep ownership descriptors explicit, prefer wrapper-first hardening, and require a focused proportionality review before any schema change on a platform-owned field.

Test Strategy

  • Add focused unit coverage for the platform glossary and operation vocabulary alias resolution.
  • Extend tests/Unit/Support/ReasonTranslation/ReasonResolutionEnvelopeTest.php, ProviderReasonTranslationTest.php, and RbacReasonTranslationTest.php for ownership and platform reason-family metadata.
  • Extend tests/Architecture/ReasonTranslationPrimarySurfaceGuardTest.php so platform surfaces cannot bypass canonical translation or leak raw domain-owned codes as universal platform reasons.
  • Extend tests/Feature/Filament/OperationRunListFiltersTest.php, OperationRunEnterpriseDetailPageTest.php, OperationRunBaselineTruthSurfaceTest.php, RecentOperationsSummaryWidgetTest.php, ProviderConnectionsDbOnlyTest.php, InventoryItemResourceTest.php, BackupScheduleCrudTest.php, and OnboardingEntryPointTest.php for canonical operation labels, grouping, launch-surface wording, and filter continuity.
  • Extend tests/Feature/Monitoring/OperationRunResolvedReferencePresentationTest.php and tests/Feature/System/Spec114/ControlTowerDashboardTest.php so historical and canonical operation codes render the same operator meaning during transition across both monitoring pages and monitoring widgets.
  • Extend tests/Feature/ReasonTranslation/GovernanceReasonPresentationTest.php and ReasonTranslationExplanationTest.php so platform and domain explanation layering remains explicit.
  • Extend tests/Unit/Baselines/SnapshotRendering/BaselineSnapshotPresenterTest.php, tests/Feature/Evidence/EvidenceSnapshotResourceTest.php, tests/Feature/Baselines/BaselineCompareDriftEvidenceContractTest.php, and BaselineCompareWhyNoFindingsReasonCodeTest.php for platform-near subject vocabulary hardening without Intune behavior regression.
  • Extend tests/Feature/TenantReview/TenantReviewExplanationSurfaceTest.php, tests/Feature/TenantReview/TenantReviewExecutivePackTest.php, tests/Feature/TenantReview/TenantReviewUiContractTest.php, tests/Feature/ReviewPack/ReviewPackGenerationTest.php, and tests/Feature/ReviewPack/ReviewPackWidgetTest.php so reporting and executive-pack summaries honor the same canonical vocabulary and explanation ownership rules.
  • The focused completion gate for this spec is the full quickstart verification pack, which includes every suite named in the story-level and continuity test tasks plus the final architecture and authorization guard suites.
  • Keep existing compare start-surface, baseline summary, and RBAC-related coverage green so vocabulary hardening does not change authorization or workflow semantics.