crewli

bert.hausmans/crewli

Fork 0

Commit Graph

Author	SHA1	Message	Date
bert.hausmans	b688ec26f0	feat(scope): declarative FK-chain strategy for OrganisationScope, register on 14 models per addendum Q2 + D-03/D-04 Refactors OrganisationScope to support a declarative, recursive FK-chain resolver and registers the scope on 14 models that previously relied on caller-discipline for tenant isolation. Scope resolver (app/Models/Scopes/OrganisationScope.php): Models now declare their strategy via: public static function tenantScopeStrategy(): array { return ['column' => 'organisation_id']; // terminal // OR return ['via' => FormSchema::class, 'fk' => 'form_schema_id']; } The apply() path walks the chain recursively, building whereIn subqueries against parent models until it hits a column-based strategy. Max 3 hops; deeper chains raise App\Exceptions\TenantScopeResolutionException. The walker accepts BOTH the new tenantScopeStrategy() and the legacy $organisationScopeColumn property at every hop — so PersonIdentityMatch can chain via Person, which still uses the legacy event_id bridge, without requiring Person/Event/Shift/FestivalSection/TimeSlot to migrate to the new convention in this work package. That migration is a separate backlog ticket — explicitly scope-controlled per the addendum. Fourteen newly-scoped models: Form-builder child models (D-03): FormSchemaSection via FormSchema (1 hop) FormField via FormSchema (1 hop) FormSubmission column organisation_id (Commit 2) FormValue via FormSubmission (1 hop) FormValueOption via FormValue -> FormSubmission (2 hops) FormSubmissionSectionStatus via FormSubmission (1 hop) FormSubmissionDelegation via FormSubmission (1 hop) FormSchemaWebhook via FormSchema (1 hop) FormWebhookDelivery via FormSubmission (1 hop) Event-data models (D-04 event-data subset): ShiftAssignment via Shift (legacy festival_section_id) ShiftWaitlist via Shift VolunteerAvailability via TimeSlot (legacy event_id) PersonSectionPreference via FestivalSection (legacy event_id) PersonIdentityMatch via Person (legacy event_id) Note — task directive specified VolunteerAvailability "via: Event, fk: event_id", but the table has no event_id column (only person_id + time_slot_id). Rerouted via TimeSlot, which carries the legacy event_id bridge; same end result, correct FK. Security-relevant callers made explicit: PublicFormSchemaResource::toArray() now eagerly loads fields + sections with withoutGlobalScope(OrganisationScope::class). Prior to this commit the public form endpoint silently relied on those relations being unscoped. The PublicFormCrossOrgScopeTest pre-existing assertions still pass — behaviour unchanged, intent now explicit. Test fix: FormSchemaApiTest::test_publish_sets_is_published_true was flaky (factory randomly picked EVENT_REGISTRATION which requires bindings). Pinned to USER_PROFILE for determinism; PurposeSchemaLifecycleTest covers the binding-enforcement path. Test flip: MultiTenancyTest::test_form_schema_webhook_is_not_globally_scoped renamed to is_scoped_via_fk_chain and asserts the new behaviour: scope filters by route org, withoutGlobalScope() still exposes cross-org rows. The test's original purpose ("pin current behaviour so a future refactor is intentional") is now satisfied by Commit 3 being that intentional refactor. Docs: SCHEMA.md §3.5.11 Rule 5 — tenantScopeStrategy() convention documented; the 14 newly-scoped models enumerated; link to addendum Q2. ARCH-FORM-BUILDER.md §4.14 — new section "Multi-tenancy scope chain" with the hop-count table for all 14 chains and the withoutGlobalScope pattern for cross-org callers. Tests: tests/Feature/MultiTenancy/ScopeLeakageTest.php — two orgs with fully-populated record chains down to each of the 14 leaf models; asserts scoped queries never cross, withoutGlobalScope still does. Plus: three- hop chain (FormValueOption) explicitly exercised, legacy-column bridge verified, over-deep chain raises TenantScopeResolutionException. 16 tests / 31 new assertions. Full suite: 1000 passed (2706 assertions). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-24 17:08:33 +02:00
bert.hausmans	a92ddc48ec	refactor(schema): migrate eleven pivot/EAV tables to ULID per addendum Q1 Retires the "integer AI PK for join performance" exception documented in earlier migrations and SCHEMA.md §3.5.11 Rule 1. Every business and pivot table now uses ULID primary keys, per /dev-docs/ARCH-CONSOLIDATION-ADDENDUM-2026-04-24.md Q1. Tables migrated (WS-1 A-01 through A-11): - Pure pivots: organisation_user, event_user_roles, crowd_list_persons, event_person_activations - Model-backed: user_organisation_tags, person_section_preferences, mfa_backup_codes, mfa_email_codes, form_submission_section_statuses, form_values, form_value_options Migration pattern: one new migration per table (plus one combined for the form_values / form_value_options FK pair), timestamped today, dropping + recreating with the new ULID PK. Pre-launch — no backfill required. Original migrations remain in place; the new migrations apply in timestamp order for a clean schema history. Pivot model correction (addendum drift): The addendum's "no model required for pure pivots" reading did not account for Laravel's BelongsToMany::attach() — it cannot auto-generate a pivot ULID without a Pivot subclass. Minimal Pivot classes under app/Models/Pivots/ (OrganisationUser, EventUserRole, CrowdListPerson, EventPersonActivation) carry HasUlids so attach() works. The six belongsToMany relations (User.organisations / .events, Organisation.users, Event.users, CrowdList.persons, Person.crowdLists) now ->using(...) the appropriate Pivot class. DB::table()->insert() on event_person_activations in DevSeeder populates the ULID inline via Str::ulid(). FormValueObserver uses bulk FormValueOption::insert() which bypasses model events — ULIDs are now generated inline there too. Docs: - SCHEMA.md §3.5.11 Rule 1 rewritten to mandate ULID on pivots too, with legacy note citing the addendum. - All eleven table entries updated from "int AI PK" to "ULID PK" with addendum Q1 references. - form_values and form_submission_section_statuses prose blocks updated to drop the retired ARCH §4.4 / "high-volume pivot" rationale. - form_value_options.form_value_id column type corrected from "int FK" to "ULID FK". Tests: tests/Feature/Schema/UlidPrimaryKeyTest.php covers HasUlids trait presence, ULID shape + 26-char Crockford pattern, Route::bind resolution, distinct + sortable pivot ULIDs, attach() auto-generation on pure pivots, and the A-10/A-11 FK chain. 10 tests / 28 new assertions. Full suite: 977 passed (2662 assertions). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-24 16:38:08 +02:00
bert.hausmans	85815ccb16	feat(forms): add Eloquent models, observer, events, activity-log helpers Phase 4 of S1. Models (app/Models/FormBuilder/): FormSchema, FormSchemaSection, FormField, FormSubmission, FormValue, FormValueOption, FormTemplate, FormFieldLibrary, FormSchemaWebhook, FormWebhookDelivery, FormSubmissionSectionStatus, FormSubmissionDelegation. Plus UserProfile at app/Models/ (user-universal). OrganisationScope applied on: FormSchema, FormTemplate, FormFieldLibrary. FormSchemaWebhook documents inherited-scope discipline (OrganisationScope's strategies — organisation_id/event_id/festival_section_id — don't cover form_schema_id; direct queries would leak across orgs, so must go via $schema->webhooks()). User::profile()/getOrCreateProfile(), Event::formSchemas() (morphMany), Person::formSubmissions() (morphMany). Morph map enforced in AppServiceProvider with 28 keys covering every model that appears as activitylog subject/causer. Also updated OrganisationDashboardService (and its test) to query activitylog via getMorphClass() instead of FQCN. Activity log strategy: nuanced explicit calls (logSchemaChange on FormSchema, logFieldChange on FormField) — no LogsActivity trait. Suppression for bulk fixtures via App\Support\ActivityLog::suppressed(fn() => ...) which flips config('activitylog.enabled') around a callback. Both our explicit calls and spatie's trait on Organisation respect the flag via ActivityLogger::log(). FormValueObserver (app/Observers/FormBuilder/) populates value_indexed/ value_number/value_date/value_bool on save per field.value_storage_hint, rebuilds form_value_options pivot on multi-value filterable fields, cleans up on delete. Memoised field cache avoids N+1. Registered in AppServiceProvider. 9 lightweight event classes (app/Events/FormBuilder/) as SerializesModels containers — submission lifecycle signatures lock in for S2 services, no listeners yet. Factories for all models with Dutch fake data (fake('nl_NL')). FormSchema factory uses defaultSubmissionMode(); FormField factory uses recommendedValueStorageHint(). Tests: 9 new observer tests (all pass); full suite 910/910 (up from 901). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-17 12:35:41 +02:00

Author

SHA1

Message

Date

bert.hausmans

b688ec26f0

feat(scope): declarative FK-chain strategy for OrganisationScope, register on 14 models per addendum Q2 + D-03/D-04

Refactors OrganisationScope to support a declarative, recursive FK-chain
resolver and registers the scope on 14 models that previously relied on
caller-discipline for tenant isolation.

Scope resolver (app/Models/Scopes/OrganisationScope.php):
Models now declare their strategy via:

    public static function tenantScopeStrategy(): array
    {
        return ['column' => 'organisation_id'];           // terminal
        // OR
        return ['via' => FormSchema::class, 'fk' => 'form_schema_id'];
    }

The apply() path walks the chain recursively, building whereIn subqueries
against parent models until it hits a column-based strategy. Max 3 hops;
deeper chains raise App\Exceptions\TenantScopeResolutionException. The
walker accepts BOTH the new tenantScopeStrategy() and the legacy
$organisationScopeColumn property at every hop — so PersonIdentityMatch
can chain via Person, which still uses the legacy event_id bridge, without
requiring Person/Event/Shift/FestivalSection/TimeSlot to migrate to the
new convention in this work package. That migration is a separate
backlog ticket — explicitly scope-controlled per the addendum.

Fourteen newly-scoped models:

  Form-builder child models (D-03):
    FormSchemaSection             via FormSchema                    (1 hop)
    FormField                     via FormSchema                    (1 hop)
    FormSubmission                column organisation_id (Commit 2)
    FormValue                     via FormSubmission                (1 hop)
    FormValueOption               via FormValue -> FormSubmission   (2 hops)
    FormSubmissionSectionStatus   via FormSubmission                (1 hop)
    FormSubmissionDelegation      via FormSubmission                (1 hop)
    FormSchemaWebhook             via FormSchema                    (1 hop)
    FormWebhookDelivery           via FormSubmission                (1 hop)

  Event-data models (D-04 event-data subset):
    ShiftAssignment               via Shift (legacy festival_section_id)
    ShiftWaitlist                 via Shift
    VolunteerAvailability         via TimeSlot (legacy event_id)
    PersonSectionPreference       via FestivalSection (legacy event_id)
    PersonIdentityMatch           via Person (legacy event_id)

Note — task directive specified VolunteerAvailability "via: Event, fk: event_id",
but the table has no event_id column (only person_id + time_slot_id).
Rerouted via TimeSlot, which carries the legacy event_id bridge; same
end result, correct FK.

Security-relevant callers made explicit:
  PublicFormSchemaResource::toArray() now eagerly loads fields + sections
  with withoutGlobalScope(OrganisationScope::class). Prior to this commit
  the public form endpoint silently relied on those relations being
  unscoped. The PublicFormCrossOrgScopeTest pre-existing assertions still
  pass — behaviour unchanged, intent now explicit.

Test fix: FormSchemaApiTest::test_publish_sets_is_published_true was
flaky (factory randomly picked EVENT_REGISTRATION which requires
bindings). Pinned to USER_PROFILE for determinism; PurposeSchemaLifecycleTest
covers the binding-enforcement path.

Test flip: MultiTenancyTest::test_form_schema_webhook_is_not_globally_scoped
renamed to is_scoped_via_fk_chain and asserts the new behaviour: scope
filters by route org, withoutGlobalScope() still exposes cross-org rows.
The test's original purpose ("pin current behaviour so a future refactor
is intentional") is now satisfied by Commit 3 being that intentional
refactor.

Docs:
  SCHEMA.md §3.5.11 Rule 5 — tenantScopeStrategy() convention documented;
    the 14 newly-scoped models enumerated; link to addendum Q2.
  ARCH-FORM-BUILDER.md §4.14 — new section "Multi-tenancy scope chain"
    with the hop-count table for all 14 chains and the withoutGlobalScope
    pattern for cross-org callers.

Tests: tests/Feature/MultiTenancy/ScopeLeakageTest.php — two orgs with
fully-populated record chains down to each of the 14 leaf models; asserts
scoped queries never cross, withoutGlobalScope still does. Plus: three-
hop chain (FormValueOption) explicitly exercised, legacy-column bridge
verified, over-deep chain raises TenantScopeResolutionException. 16 tests /
31 new assertions. Full suite: 1000 passed (2706 assertions).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-24 17:08:33 +02:00

bert.hausmans

a92ddc48ec

refactor(schema): migrate eleven pivot/EAV tables to ULID per addendum Q1

Retires the "integer AI PK for join performance" exception documented
in earlier migrations and SCHEMA.md §3.5.11 Rule 1. Every business and
pivot table now uses ULID primary keys, per
/dev-docs/ARCH-CONSOLIDATION-ADDENDUM-2026-04-24.md Q1.

Tables migrated (WS-1 A-01 through A-11):
- Pure pivots: organisation_user, event_user_roles, crowd_list_persons,
  event_person_activations
- Model-backed: user_organisation_tags, person_section_preferences,
  mfa_backup_codes, mfa_email_codes, form_submission_section_statuses,
  form_values, form_value_options

Migration pattern: one new migration per table (plus one combined for
the form_values / form_value_options FK pair), timestamped today,
dropping + recreating with the new ULID PK. Pre-launch — no backfill
required. Original migrations remain in place; the new migrations
apply in timestamp order for a clean schema history.

Pivot model correction (addendum drift):
The addendum's "no model required for pure pivots" reading did not
account for Laravel's BelongsToMany::attach() — it cannot auto-generate
a pivot ULID without a Pivot subclass. Minimal Pivot classes under
app/Models/Pivots/ (OrganisationUser, EventUserRole, CrowdListPerson,
EventPersonActivation) carry HasUlids so attach() works. The six
belongsToMany relations (User.organisations / .events, Organisation.users,
Event.users, CrowdList.persons, Person.crowdLists) now ->using(...) the
appropriate Pivot class. DB::table()->insert() on event_person_activations
in DevSeeder populates the ULID inline via Str::ulid(). FormValueObserver
uses bulk FormValueOption::insert() which bypasses model events — ULIDs
are now generated inline there too.

Docs:
- SCHEMA.md §3.5.11 Rule 1 rewritten to mandate ULID on pivots too, with
  legacy note citing the addendum.
- All eleven table entries updated from "int AI PK" to "ULID PK" with
  addendum Q1 references.
- form_values and form_submission_section_statuses prose blocks updated
  to drop the retired ARCH §4.4 / "high-volume pivot" rationale.
- form_value_options.form_value_id column type corrected from
  "int FK" to "ULID FK".

Tests: tests/Feature/Schema/UlidPrimaryKeyTest.php covers HasUlids trait
presence, ULID shape + 26-char Crockford pattern, Route::bind resolution,
distinct + sortable pivot ULIDs, attach() auto-generation on pure pivots,
and the A-10/A-11 FK chain. 10 tests / 28 new assertions. Full suite:
977 passed (2662 assertions).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-24 16:38:08 +02:00

bert.hausmans

85815ccb16

feat(forms): add Eloquent models, observer, events, activity-log helpers

Phase 4 of S1.

Models (app/Models/FormBuilder/): FormSchema, FormSchemaSection, FormField,
FormSubmission, FormValue, FormValueOption, FormTemplate, FormFieldLibrary,
FormSchemaWebhook, FormWebhookDelivery, FormSubmissionSectionStatus,
FormSubmissionDelegation. Plus UserProfile at app/Models/ (user-universal).

OrganisationScope applied on: FormSchema, FormTemplate, FormFieldLibrary.
FormSchemaWebhook documents inherited-scope discipline (OrganisationScope's
strategies — organisation_id/event_id/festival_section_id — don't cover
form_schema_id; direct queries would leak across orgs, so must go via
$schema->webhooks()).

User::profile()/getOrCreateProfile(), Event::formSchemas() (morphMany),
Person::formSubmissions() (morphMany).

Morph map enforced in AppServiceProvider with 28 keys covering every model
that appears as activitylog subject/causer. Also updated
OrganisationDashboardService (and its test) to query activitylog via
getMorphClass() instead of FQCN.

Activity log strategy: nuanced explicit calls (logSchemaChange on FormSchema,
logFieldChange on FormField) — no LogsActivity trait. Suppression for bulk
fixtures via App\Support\ActivityLog::suppressed(fn() => ...) which flips
config('activitylog.enabled') around a callback. Both our explicit calls
and spatie's trait on Organisation respect the flag via ActivityLogger::log().

FormValueObserver (app/Observers/FormBuilder/) populates value_indexed/
value_number/value_date/value_bool on save per field.value_storage_hint,
rebuilds form_value_options pivot on multi-value filterable fields, cleans
up on delete. Memoised field cache avoids N+1. Registered in AppServiceProvider.

9 lightweight event classes (app/Events/FormBuilder/) as SerializesModels
containers — submission lifecycle signatures lock in for S2 services, no
listeners yet.

Factories for all models with Dutch fake data (fake('nl_NL')). FormSchema
factory uses defaultSubmissionMode(); FormField factory uses
recommendedValueStorageHint().

Tests: 9 new observer tests (all pass); full suite 910/910 (up from 901).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-17 12:35:41 +02:00

3 Commits