docs: add class docblocks, business-rule comments, and transaction wrapper

- Add single-line class docblocks to all 59 repository classes and interfaces
  describing scope and responsibility
- Add multi-line docblocks to key services documenting business rules:
  AuthService (6-step login cascade), ImportService (3-phase CSV workflow),
  TenantScopeService (strict/permissive modes), PermissionService (RBAC
  resolution + two-tier caching), UserAccountService (atomicity + audit)
- Add transaction(callable) wrapper to DatabaseSessionRepository to DRY up
  begin/commit/rollback boilerplate

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-13 21:58:51 +01:00
parent aaea038619
commit f4ce9f3378
71 changed files with 181 additions and 0 deletions

View File

@@ -7,6 +7,19 @@ use MintyPHP\Repository\Tenant\TenantRepositoryInterface;
use MintyPHP\Repository\Tenant\UserTenantRepositoryInterface;
use MintyPHP\Service\Access\PermissionService;
/**
* Enforces tenant-boundary access control across the application.
*
* Core rules:
* - Users with TENANT_SCOPE_GLOBAL permission bypass all tenant checks.
* - canAccess() resolves the resource's tenant IDs, intersects with the user's
* tenant IDs, and grants access only on overlap.
* - In strict mode (default): unscoped resources (no tenant assigned) are denied.
* - In permissive mode: unscoped resources are allowed.
* - Resources whose tenants all became inactive are always denied (not treated as unscoped).
* - mergeTenantIdsPreservingOutOfScope() ensures that a scoped admin cannot
* accidentally remove tenant assignments outside their own scope.
*/
class TenantScopeService
{
public function __construct(