fix: prevent null workspace_id in tenant_permissions

app/Services/Intune/TenantPermissionService.php

@@ -143,7 +143,7 @@ public function compare(
         $hasErrors = false;
         $checkedAt = now();
 
-        $canPersist = $persist;
+        $canPersist = $persist && $tenant->workspace_id !== null;
 
         if ($canPersist && $liveCheckMeta['attempted'] === true && $liveCheckMeta['succeeded'] === false) {
             // Enterprise-safe: never overwrite stored inventory when we could not refresh it.
@@ -191,6 +191,7 @@ public function compare(
                         'permission_key' => $key,
                     ],
                     [
+                        'workspace_id' => $tenant->workspace_id,
                         'status' => $status,
                         'details' => $details,
                         'last_checked_at' => $checkedAt,

tests/Unit/TenantPermissionServiceTest.php

@@ -31,7 +31,7 @@ function requiredPermissions(): array
             ]));
     });
 
-    $tenant = Tenant::create([
+    $tenant = Tenant::factory()->create([
         'tenant_id' => 'tenant-ok',
         'name' => 'Tenant OK',
     ]);
@@ -64,7 +64,7 @@ function requiredPermissions(): array
             ]));
     });
 
-    $tenant = Tenant::create([
+    $tenant = Tenant::factory()->create([
         'tenant_id' => 'tenant-missing',
         'name' => 'Tenant Missing',
     ]);
@@ -100,7 +100,7 @@ function requiredPermissions(): array
             ->andReturn(new GraphResponse(false, [], 500, ['Graph API error']));
     });
 
-    $tenant = Tenant::create([
+    $tenant = Tenant::factory()->create([
         'tenant_id' => 'tenant-error',
         'name' => 'Tenant Error',
     ]);
@@ -159,3 +159,37 @@ function requiredPermissions(): array
     config()->set('intune_permissions.permissions', $originalPermissions);
     config()->set('intune_permissions.granted_stub', $originalStub);
 });
+
+it('persists permissions with workspace_id even when model events are disabled', function () {
+    $tenant = Tenant::factory()->create();
+
+    ensureDefaultProviderConnection($tenant, 'microsoft');
+
+    TenantPermission::withoutEvents(function () use ($tenant): void {
+        app(TenantPermissionService::class)->compare($tenant);
+    });
+
+    $this->assertDatabaseHas('tenant_permissions', [
+        'tenant_id' => $tenant->id,
+        'workspace_id' => $tenant->workspace_id,
+    ]);
+});
+
+it('does not persist when tenant workspace_id is missing', function () {
+    $tenant = Tenant::withoutEvents(function (): Tenant {
+        return Tenant::create([
+            'tenant_id' => 'tenant-no-workspace',
+            'external_id' => 'tenant-no-workspace',
+            'name' => 'Tenant No Workspace',
+            'status' => Tenant::STATUS_ACTIVE,
+            'environment' => 'other',
+            'workspace_id' => null,
+        ]);
+    });
+
+    ensureDefaultProviderConnection($tenant, 'microsoft');
+
+    app(TenantPermissionService::class)->compare($tenant, persist: true);
+
+    expect(TenantPermission::query()->where('tenant_id', (int) $tenant->getKey())->count())->toBe(0);
+});