Fix tenant permission inserts missing workspace_id (#118)

Fixes a production/queue-worker failure where `tenant_permissions.workspace_id` could be omitted from INSERTs when persisting permission check results.

Changes:
- Ensure `workspace_id` is included in the `updateOrCreate()` attributes array (lookup + create merge).
- Add a regression test covering a tenant instance without `workspace_id` loaded.

Notes:
- Queue workers should be restarted (`queue:restart`) after deploy so they pick up the new code.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #118

app/Services/Intune/TenantPermissionService.php

@@ -142,8 +142,9 @@ public function compare(
         $hasMissing = false;
         $hasErrors = false;
         $checkedAt = now();
+        $tenantWorkspaceId = $this->resolveTenantWorkspaceId($tenant);
 
-        $canPersist = $persist && $tenant->workspace_id !== null;
+        $canPersist = $persist && $tenantWorkspaceId !== null;
 
         if ($canPersist && $liveCheckMeta['attempted'] === true && $liveCheckMeta['succeeded'] === false) {
             // Enterprise-safe: never overwrite stored inventory when we could not refresh it.
@@ -189,9 +190,9 @@ public function compare(
                     [
                         'tenant_id' => $tenant->id,
                         'permission_key' => $key,
+                        'workspace_id' => $tenantWorkspaceId,
                     ],
                     [
-                        'workspace_id' => $tenant->workspace_id,
                         'status' => $status,
                         'details' => $details,
                         'last_checked_at' => $checkedAt,
@@ -328,6 +329,29 @@ private function configuredGrantedKeys(): array
         return config('intune_permissions.granted_stub', []);
     }
 
+    private function resolveTenantWorkspaceId(Tenant $tenant): ?int
+    {
+        $workspaceId = $tenant->getAttribute('workspace_id');
+
+        if (is_numeric($workspaceId)) {
+            return (int) $workspaceId;
+        }
+
+        if (! $tenant->exists) {
+            return null;
+        }
+
+        $workspaceId = Tenant::query()
+            ->whereKey($tenant->getKey())
+            ->value('workspace_id');
+
+        if (! is_numeric($workspaceId)) {
+            return null;
+        }
+
+        return (int) $workspaceId;
+    }
+
     /**
      * Fetch actual granted permissions from Graph API.
      *

tests/Unit/TenantPermissionServiceTest.php

@@ -175,6 +175,25 @@ function requiredPermissions(): array
     ]);
 });
 
+it('persists permissions when the tenant instance does not have workspace_id loaded', function () {
+    $tenant = Tenant::factory()->create();
+
+    ensureDefaultProviderConnection($tenant, 'microsoft');
+
+    $tenantWithoutWorkspaceId = Tenant::query()
+        ->select(['id', 'tenant_id', 'external_id', 'name', 'status', 'environment'])
+        ->findOrFail((int) $tenant->getKey());
+
+    expect($tenantWithoutWorkspaceId->getAttribute('workspace_id'))->toBeNull();
+
+    app(TenantPermissionService::class)->compare($tenantWithoutWorkspaceId);
+
+    $this->assertDatabaseHas('tenant_permissions', [
+        'tenant_id' => (int) $tenant->getKey(),
+        'workspace_id' => (int) $tenant->workspace_id,
+    ]);
+});
+
 it('does not persist when tenant workspace_id is missing', function () {
     $tenant = Tenant::withoutEvents(function (): Tenant {
         return Tenant::create([
@@ -187,8 +206,6 @@ function requiredPermissions(): array
         ]);
     });
 
-    ensureDefaultProviderConnection($tenant, 'microsoft');
-
     app(TenantPermissionService::class)->compare($tenant, persist: true);
 
     expect(TenantPermission::query()->where('tenant_id', (int) $tenant->getKey())->count())->toBe(0);