ahmido
8e34b6084f
Kontext / Ziel
Diese PR liefert den einzigen kanonischen Onboarding-Entry unter /admin/onboarding (workspace-first, tenantless bis zur Aktivierung) und ergänzt einen tenantless OperationRun-Viewer unter /admin/operations/{run} mit membership→404 Semantik.
Was ist enthalten?
Single entry point: /admin/onboarding ist der einzige Einstieg; Legacy Entry Points liefern echte 404 (keine Redirects).
Wizard v1 (Enterprise): idempotentes Identifizieren eines Managed Tenants (per Entra Tenant ID), resumable Session-Flow.
Provider Connection Step: Auswahl oder Erstellung, Secrets werden nie erneut gerendert / nicht in Session-State persistiert.
Verification als OperationRun: async/queued, DB-only Rendering im Wizard (keine Graph-Calls beim Rendern).
Tenantless Run Viewing: /admin/operations/{run} funktioniert ohne ausgewählten Workspace/Tenant, aber bleibt über Workspace-Mitgliedschaft autorisiert (non-member → 404).
RBAC-UX Semantik: non-member → 404, member ohne Capability → UI disabled + tooltip, server-side Action → 403.
Auditability: Aktivierung/Overrides sind auditierbar, stable action IDs, keine Secrets.
Tech / Version-Safety
Filament v5 / Livewire v4.0+ kompatibel.
Laravel 11+: Panel Provider Registrierung in providers.php (unverändert).
Tests / Format
vendor/bin/sail bin pint --dirty
Full suite: vendor/bin/sail artisan test --no-ansi → 984 passed, 5 skipped (exit 0)
Ops / Deployment Notes
Keine zusätzlichen Services vorausgesetzt.
Falls Assets registriert wurden: Deployment weiterhin mit php artisan filament:assets (wie üblich im Projekt).
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.fritz.box>
Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #90
119 lines
5.3 KiB
Markdown
119 lines
5.3 KiB
Markdown
# Implementation Plan: Managed Tenant Onboarding Wizard V1 (Enterprise)
|
|
|
|
**Branch**: `073-unified-managed-tenant-onboarding-wizard` | **Date**: 2026-02-04 | **Spec**: specs/073-unified-managed-tenant-onboarding-wizard/spec.md
|
|
**Input**: Feature specification from specs/073-unified-managed-tenant-onboarding-wizard/spec.md
|
|
|
|
## Summary
|
|
|
|
Deliver a single onboarding entry point at `/admin/onboarding` that is workspace-first and tenantless until activation. Verification and optional bootstrap actions run asynchronously as `OperationRun`s and are viewable via a tenantless URL `/admin/operations/{run}` with workspace-membership based 404 semantics.
|
|
|
|
This requires:
|
|
- Updating onboarding routing and removing legacy entry points.
|
|
- Making the operations run viewer safe and usable without a selected workspace and without tenant routing.
|
|
- Ensuring RBAC-UX semantics (non-member → 404, member missing capability → 403) while keeping UI discoverability (disabled+tooltip).
|
|
|
|
## Technical Context
|
|
|
|
**Language/Version**: PHP 8.4 (Laravel 12)
|
|
**Primary Dependencies**: Filament v5, Livewire v4
|
|
**Storage**: PostgreSQL (Sail)
|
|
**Testing**: Pest v4
|
|
**Target Platform**: macOS dev + Sail containers; deployed in containers (Dokploy)
|
|
**Project Type**: Web application
|
|
**Performance Goals**: Wizard + Monitoring pages render DB-only (no external calls); queued work for Graph
|
|
**Constraints**:
|
|
- Canonical entry `/admin/onboarding` only
|
|
- Tenantless operations viewer `/admin/operations/{run}` must not require selected workspace and must not auto-switch workspaces
|
|
- Secrets never rendered after capture; no secrets in operation run failures/audits
|
|
**Scale/Scope**: Multi-workspace admin app; onboarding must be safe, resumable, and regression-tested
|
|
|
|
## Constitution Check
|
|
|
|
*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
|
|
|
|
- Inventory-first: Not directly impacted.
|
|
- Read/write separation: activation + overrides are write paths → audit + tests.
|
|
- Graph contract path: verification/bootstrap Graph calls only via `GraphClientInterface` and `config/graph_contracts.php` (including connectivity probes like `organization` and service-principal permission lookups).
|
|
- Deterministic capabilities: wizard uses canonical capability registry; no role-string checks.
|
|
- RBAC-UX: enforce 404/403 semantics; server-side authorizes all actions; UI disabled state is informational only.
|
|
- Authorization planes: tenant plane (Entra users) only; no platform plane (`/system`) routes or cross-plane behavior.
|
|
- Run observability: verification/bootstrap runs use `OperationRun`; render remains DB-only.
|
|
- Data minimization: never persist secrets in session/state/report/audit.
|
|
- Badge semantics: status chips use centralized badge mapping.
|
|
|
|
## Project Structure
|
|
|
|
### Documentation (this feature)
|
|
|
|
```text
|
|
specs/073-unified-managed-tenant-onboarding-wizard/
|
|
├── plan.md
|
|
├── research.md
|
|
├── data-model.md
|
|
├── quickstart.md
|
|
├── contracts/
|
|
│ ├── http.openapi.yaml
|
|
│ └── onboarding-actions.md
|
|
└── tasks.md
|
|
```
|
|
|
|
### Source Code (repository root)
|
|
|
|
```text
|
|
app/
|
|
├── Filament/Pages/
|
|
├── Filament/Resources/
|
|
├── Http/Middleware/
|
|
├── Models/
|
|
├── Policies/
|
|
├── Services/
|
|
└── Support/
|
|
|
|
database/migrations/
|
|
tests/Feature/
|
|
```
|
|
|
|
**Structure Decision**: Implement onboarding as a Filament Page under `app/Filament/Pages` and keep operations viewing on `OperationRunResource`, but change authorization/middleware to support tenantless viewing.
|
|
|
|
## Phase 0 — Research
|
|
|
|
See: specs/073-unified-managed-tenant-onboarding-wizard/research.md
|
|
|
|
## Phase 1 — Design & Contracts
|
|
|
|
See:
|
|
- specs/073-unified-managed-tenant-onboarding-wizard/data-model.md
|
|
- specs/073-unified-managed-tenant-onboarding-wizard/contracts/http.openapi.yaml
|
|
- specs/073-unified-managed-tenant-onboarding-wizard/contracts/onboarding-actions.md
|
|
- specs/073-unified-managed-tenant-onboarding-wizard/quickstart.md
|
|
|
|
## Phase 2 — Planning (implementation outline)
|
|
|
|
1) Routing
|
|
- Add `/admin/onboarding` (canonical, sole entry point).
|
|
- Remove legacy entry points (404; no redirects): `/admin/new`, `/admin/managed-tenants/onboarding`, and any tenant-scoped onboarding/create entry points.
|
|
|
|
2) Tenantless operations run viewer
|
|
- Exempt `/admin/operations/{run}` from forced workspace selection (`EnsureWorkspaceSelected`) and from tenant auto-selection side effects when needed.
|
|
- Authorize `OperationRun` viewing by workspace membership derived from the run (non-member → 404).
|
|
|
|
3) OperationRun model + schema alignment
|
|
- Add `operation_runs.workspace_id` and support tenantless runs (`tenant_id` nullable) if onboarding verification/bootstraps start before activation.
|
|
- Preserve DB-level active-run dedupe with partial unique indexes for both tenant-bound and tenantless runs.
|
|
|
|
4) Wizard authorization model
|
|
- Gate wizard actions per canonical capabilities; keep controls visible-but-disabled with tooltip; server-side returns 403 for execution.
|
|
- Activation is owner-only; blocked override requires reason + audit.
|
|
|
|
5) Tests
|
|
- Add/extend Pest feature tests for:
|
|
- canonical `/admin/onboarding` routing
|
|
- legacy entry points 404
|
|
- `/admin/operations/{run}` membership→404 behavior without selected workspace
|
|
- 403 for member action attempts without capability
|
|
- owner-only activation + override audit reason
|
|
|
|
## Complexity Tracking
|
|
|
|
No constitution violations expected; changes are localized and gated by tests.
|