feat: add cross-tenant command and retire drift #52

Merged
TacoRocket merged 2 commits into main from phase4-cross-tenant-drift
Apr 5, 2026

@TacoRocket
Owner

What changed

  • added the new cross-tenant command across the normal AzureFox command surfaces, schemas, help, writer, and table rendering
  • added fixture, golden, CLI, help, terminal UX, schema, and collector coverage for the new command
  • retired the current command-intent drift items for principals, privesc, and vms
  • applied the CCR follow-up patch so externally owned service principals stay visible even without a principals() RBAC join, and so Lighthouse ties keep subscription scope ahead of resource-group scope

Why it changed

  • cross-tenant gives analysts one joined view for outside-tenant control, pivot, and entry cues instead of forcing them to correlate Lighthouse, external service principals, and tenant policy manually
  • the drift fixes move high-value identity and operator-facing rows earlier in the default output, which matches the command intent notes and makes first-screen triage stronger
  • the CCR follow-up closed two review findings where the implementation was narrower than the command doc and where Lighthouse ordering could drift from the documented subscription-first rule

Impact

  • AzureFox now ships a first-slice cross-tenant command with JSON/table/help coverage and contract tests
  • cross-tenant output is more truthful about what is known versus what is only visible after RBAC joins
  • principals, privesc, and vms now surface more useful rows earlier without changing their command boundaries

Validation

  • python3 -m ruff check src tests scripts
  • PYTHONPATH=src python3 scripts/generate_schemas.py
  • PYTHONPATH=src python3 -m pytest -o cache_dir=/private/tmp/pytest-cache-dns tests/test_collectors.py tests/test_golden_outputs.py tests/test_contract_schemas.py tests/test_cli_smoke.py tests/test_help.py tests/test_terminal_ux.py tests/test_models.py
  • PYTHONPATH=src python3 -m pytest -o cache_dir=/private/tmp/pytest-cache-all
  • AZUREFOX_FIXTURE_DIR=tests/fixtures/lab_tenant PYTHONPATH=src python3 -m azurefox --outdir /tmp/azurefox-cross-tenant-check --output table cross-tenant
  • final clean-context CCR rerun: No implementation-vs-plan drift found.

@TacoRocket TacoRocket marked this pull request as ready for review April 5, 2026 03:14
@TacoRocket TacoRocket merged commit 31dda8d into main Apr 5, 2026
4 checks passed
@TacoRocket TacoRocket deleted the phase4-cross-tenant-drift branch April 5, 2026 03:14