Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
507 lines
12 KiB
JSON
[
  {
    "id": "T001",
    "description": "Migration creates tenant MSP SSO login-domain persistence model with expected columns.",
    "implemented": true,
    "featureIds": [
      "F001"
    ]
  },
  {
    "id": "T002",
    "description": "Migration rollback removes tenant MSP SSO login-domain persistence objects cleanly.",
    "implemented": true,
    "featureIds": [
      "F001"
    ]
  },
  {
    "id": "T003",
    "description": "Schema includes indexes supporting fast lookup by normalized domain and tenant domain listing.",
    "implemented": true,
    "featureIds": [
      "F002"
    ]
  },
  {
    "id": "T004",
    "description": "List login-domain action denies unauthorized users and client users.",
    "implemented": true,
    "featureIds": [
      "F003"
    ]
  },
  {
    "id": "T005",
    "description": "List login-domain action returns normalized, deduplicated tenant domains.",
    "implemented": true,
    "featureIds": [
      "F003",
      "F005"
    ]
  },
  {
    "id": "T006",
    "description": "Save login-domain action persists valid domains for the tenant.",
    "implemented": true,
    "featureIds": [
      "F004"
    ]
  },
  {
    "id": "T007",
    "description": "Save login-domain action lowercases and trims domains before persistence.",
    "implemented": true,
    "featureIds": [
      "F005"
    ]
  },
  {
    "id": "T008",
    "description": "Save login-domain action rejects malformed domains with a deterministic validation error.",
    "implemented": true,
    "featureIds": [
      "F005",
      "F009"
    ]
  },
  {
    "id": "T009",
    "description": "Save login-domain action prevents duplicate domains in one tenant payload.",
    "implemented": true,
    "featureIds": [
      "F005",
      "F006"
    ]
  },
  {
    "id": "T010",
    "description": "Cross-tenant domain conflict behavior follows configured policy (reject or mark ambiguous).",
    "implemented": true,
    "featureIds": [
      "F006",
      "F014"
    ]
  },
  {
    "id": "T011",
    "description": "Removing/deactivating a tenant login domain updates subsequent listing and discovery reads.",
    "implemented": true,
    "featureIds": [
      "F004",
      "F006"
    ]
  },
  {
    "id": "T012",
    "description": "Providers settings page renders MSP SSO login-domain management section.",
    "implemented": true,
    "featureIds": [
      "F007"
    ]
  },
  {
    "id": "T013",
    "description": "Providers UI add-domain flow invokes save action and refreshes rendered domain list.",
    "implemented": true,
    "featureIds": [
      "F008"
    ]
  },
  {
    "id": "T014",
    "description": "Providers UI remove-domain flow invokes save action and removes domain row from view.",
    "implemented": true,
    "featureIds": [
      "F008"
    ]
  },
  {
    "id": "T015",
    "description": "Providers UI shows malformed-domain validation errors without exposing backend internals.",
    "implemented": true,
    "featureIds": [
      "F009"
    ]
  },
  {
    "id": "T016",
    "description": "Providers UI shows conflict/ambiguity error state with neutral language.",
    "implemented": true,
    "featureIds": [
      "F009",
      "F006"
    ]
  },
  {
    "id": "T017",
    "description": "Discovery endpoint returns `{ ok: true, providers: [] }` for invalid email input.",
    "implemented": true,
    "featureIds": [
      "F010",
      "F011",
      "F018"
    ]
  },
  {
    "id": "T018",
    "description": "Discovery endpoint normalizes email and extracts domain correctly from mixed-case input.",
    "implemented": true,
    "featureIds": [
      "F011"
    ]
  },
  {
    "id": "T019",
    "description": "Discovery endpoint rate-limited calls return the same neutral response schema.",
    "implemented": true,
    "featureIds": [
      "F012",
      "F018"
    ]
  },
  {
    "id": "T020",
    "description": "Known mapped domain with tenant Microsoft configured returns only `azure-ad`.",
    "implemented": true,
    "featureIds": [
      "F013",
      "F016",
      "F018"
    ]
  },
  {
    "id": "T021",
    "description": "Known mapped domain with both tenant providers configured returns `google` and `azure-ad`.",
    "implemented": true,
    "featureIds": [
      "F013",
      "F015",
      "F016",
      "F018"
    ]
  },
  {
    "id": "T022",
    "description": "Known mapped domain with no tenant providers configured returns empty providers list.",
    "implemented": true,
    "featureIds": [
      "F013",
      "F015",
      "F016",
      "F018"
    ]
  },
  {
    "id": "T023",
    "description": "Unresolved domain with app Google fallback configured returns only `google`.",
    "implemented": true,
    "featureIds": [
      "F017",
      "F018"
    ]
  },
  {
    "id": "T024",
    "description": "Unresolved domain with app Microsoft fallback configured returns only `azure-ad`.",
    "implemented": true,
    "featureIds": [
      "F017",
      "F018"
    ]
  },
  {
    "id": "T025",
    "description": "Unresolved domain with no app fallback providers configured returns empty provider list.",
    "implemented": true,
    "featureIds": [
      "F017",
      "F018"
    ]
  },
  {
    "id": "T026",
    "description": "Discovery implementation contract does not branch on specific-user existence lookup results.",
    "implemented": true,
    "featureIds": [
      "F013",
      "F018"
    ]
  },
  {
    "id": "T027",
    "description": "Discovery logs avoid raw email and include only safe domain/hash metadata.",
    "implemented": true,
    "featureIds": [
      "F012",
      "F018"
    ]
  },
  {
    "id": "T028",
    "description": "Discovery context cookie is signed and excludes OAuth client IDs/secrets.",
    "implemented": true,
    "featureIds": [
      "F019"
    ]
  },
  {
    "id": "T029",
    "description": "Discovery context cookie expires according to configured short TTL.",
    "implemented": true,
    "featureIds": [
      "F019"
    ]
  },
  {
    "id": "T030",
    "description": "Discovery endpoint rotates cookie on valid requests and clears stale context on invalid input.",
    "implemented": true,
    "featureIds": [
      "F020"
    ]
  },
  {
    "id": "T031",
    "description": "MSP SSO buttons remain disabled for invalid/empty email input.",
    "implemented": true,
    "featureIds": [
      "F021",
      "F022"
    ]
  },
  {
    "id": "T032",
    "description": "MSP SSO buttons remain disabled while discovery request is in flight.",
    "implemented": true,
    "featureIds": [
      "F021",
      "F022"
    ]
  },
  {
    "id": "T033",
    "description": "MSP login enables only Microsoft button when discovery returns `azure-ad` only.",
    "implemented": true,
    "featureIds": [
      "F023"
    ]
  },
  {
    "id": "T034",
    "description": "MSP login enables both buttons when discovery returns both providers.",
    "implemented": true,
    "featureIds": [
      "F023"
    ]
  },
  {
    "id": "T035",
    "description": "MSP login keeps unsupported provider buttons disabled based on discovery response.",
    "implemented": true,
    "featureIds": [
      "F023"
    ]
  },
  {
    "id": "T036",
    "description": "Last-selected provider preference is persisted locally when user completes provider click.",
    "implemented": true,
    "featureIds": [
      "F024"
    ]
  },
  {
    "id": "T037",
    "description": "Remembered provider is only auto-selected when it is still present in discovered provider list.",
    "implemented": true,
    "featureIds": [
      "F024",
      "F023"
    ]
  },
  {
    "id": "T038",
    "description": "Clicking a disabled provider button never triggers resolver/start API call.",
    "implemented": true,
    "featureIds": [
      "F023",
      "F026"
    ]
  },
  {
    "id": "T039",
    "description": "Resolver consumes valid discovery cookie and uses tenant/source metadata for provider start.",
    "implemented": true,
    "featureIds": [
      "F025"
    ]
  },
  {
    "id": "T040",
    "description": "Resolver rejects provider attempts not included in discovered allowed provider set using generic failure response.",
    "implemented": true,
    "featureIds": [
      "F026",
      "F028"
    ]
  },
  {
    "id": "T041",
    "description": "Resolver falls back to app-level behavior when discovery cookie is missing, invalid, or expired.",
    "implemented": true,
    "featureIds": [
      "F027",
      "F028"
    ]
  },
  {
    "id": "T042",
    "description": "Unknown-user and known-user paths remain externally indistinguishable in resolver responses.",
    "implemented": true,
    "featureIds": [
      "F028",
      "F029"
    ]
  },
  {
    "id": "T043",
    "description": "Resolver rate-limit failures preserve the same generic response shape and wording.",
    "implemented": true,
    "featureIds": [
      "F028"
    ]
  },
  {
    "id": "T044",
    "description": "Resolver logging excludes raw email and other sensitive identifiers.",
    "implemented": true,
    "featureIds": [
      "F028"
    ]
  },
  {
    "id": "T045",
    "description": "OAuth callback flow for unknown users remains unchanged (no discovery-specific account-existence messaging).",
    "implemented": true,
    "featureIds": [
      "F029"
    ]
  },
  {
    "id": "T046",
    "description": "MSP credentials sign-in flow remains functional and independent from SSO discovery outcome.",
    "implemented": true,
    "featureIds": [
      "F030"
    ]
  },
  {
    "id": "T047",
    "description": "Client portal sign-in flow remains unchanged with no MSP discovery behavior bleed-through.",
    "implemented": true,
    "featureIds": [
      "F031"
    ]
  },
  {
    "id": "T048",
    "description": "CE/EE SSO component wiring continues to route MSP login through shared discovery-enabled SSO entrypoint.",
    "implemented": true,
    "featureIds": [
      "F034"
    ]
  },
  {
    "id": "T049",
    "description": "DB-backed integration happy path: mapped tenant domain + tenant Microsoft secrets yields discovery providers `[\"azure-ad\"]`.",
    "implemented": true,
    "featureIds": [
      "F013",
      "F016",
      "F018"
    ]
  },
  {
    "id": "T050",
    "description": "DB-backed integration guard path: ambiguous duplicate domain mapping resolves as unresolved and returns neutral provider set.",
    "implemented": true,
    "featureIds": [
      "F014",
      "F018"
    ]
  },
  {
    "id": "T051",
    "description": "DB-backed integration guard path: inactive/deleted domain mappings are ignored by discovery.",
    "implemented": true,
    "featureIds": [
      "F004",
      "F006",
      "F013"
    ]
  },
  {
    "id": "T052",
    "description": "Documentation contract includes tenant login-domain setup in provider configuration instructions.",
    "implemented": true,
    "featureIds": [
      "F032"
    ]
  },
  {
    "id": "T053",
    "description": "Environment/docs contract explains unresolved-domain app-fallback provider behavior.",
    "implemented": true,
    "featureIds": [
      "F033"
    ]
  },
  {
    "id": "T054",
    "description": "Route contract verifies `/auth/msp/signin` path remains unchanged after discovery rollout.",
    "implemented": true,
    "featureIds": [
      "F035"
    ]
  },
  {
    "id": "T055",
    "description": "Callback URL passthrough remains intact for MSP login redirects when SSO discovery is active.",
    "implemented": true,
    "featureIds": [
      "F035",
      "F030"
    ]
  },
  {
    "id": "T056",
    "description": "Backfill migration populates initial login-domain entries from tenant primary email domain only when unambiguous.",
    "implemented": true,
    "featureIds": [
      "F001",
      "F035"
    ]
  },
  {
    "id": "T057",
    "description": "Backfill migration skips conflicting candidate domains and records deterministic no-op behavior.",
    "implemented": true,
    "featureIds": [
      "F001",
      "F006"
    ]
  },
  {
    "id": "T058",
    "description": "CE and EE both expose discovery route + resolver gating behavior with identical external API contracts.",
    "implemented": true,
    "featureIds": [
      "F034",
      "F025",
      "F026",
      "F028"
    ]
  }
]