active()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'scope_jsonb' => [ 'policy_types' => ['deviceConfiguration'], 'foundation_types' => [], ], ]); $snapshot = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'captured_at' => now()->subMinute(), ]); $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]); $inventorySyncRun = \App\Models\OperationRun::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'workspace_id' => (int) $tenant->workspace_id, 'type' => OperationRunType::InventorySync->value, 'status' => OperationRunStatus::Completed->value, 'outcome' => OperationRunOutcome::Succeeded->value, 'completed_at' => now(), 'context' => [ 'inventory' => [ 'coverage' => [ 'policy_types' => [ 'deviceConfiguration' => ['status' => 'succeeded'], ], 'foundation_types' => [], ], ], ], ]); $opService = app(OperationRunService::class); $compareRun = $opService->ensureRunWithIdentity( tenant: $tenant, type: OperationRunType::BaselineCompare->value, identityInputs: ['baseline_profile_id' => (int) $profile->getKey()], context: [ 'baseline_profile_id' => (int) $profile->getKey(), 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'effective_scope' => [ 'policy_types' => ['deviceConfiguration'], 'foundation_types' => [], ], ], initiator: $user, ); (new CompareBaselineToTenantJob($compareRun))->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), $opService, ); $compareRun->refresh(); expect(data_get($compareRun->context, 'baseline_compare.subjects_total'))->toBe(0); expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::NoSubjectsInScope->value); }); it('records no_drift_detected when subjects are processed but no drift findings are produced', function (): void { [$user, $tenant] = createUserWithTenant(role: 'owner'); $profile = BaselineProfile::factory()->active()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'scope_jsonb' => [ 'policy_types' => ['deviceConfiguration'], 'foundation_types' => [], ], ]); $snapshot = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'captured_at' => now()->subMinute(), ]); $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]); $externalId = 'policy-uuid'; $displayName = 'Stable Policy'; $subjectKey = BaselineSubjectKey::fromDisplayName($displayName); expect($subjectKey)->not->toBeNull(); $workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId( policyType: 'deviceConfiguration', subjectKey: (string) $subjectKey, ); $metaJsonb = [ 'odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E_STABLE', ]; $baselineHash = app(BaselineSnapshotIdentity::class)->hashItemContent( policyType: 'deviceConfiguration', subjectExternalId: $externalId, metaJsonb: $metaJsonb, ); BaselineSnapshotItem::factory()->create([ 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'subject_type' => 'policy', 'subject_external_id' => $workspaceSafeExternalId, 'subject_key' => (string) $subjectKey, 'policy_type' => 'deviceConfiguration', 'baseline_hash' => $baselineHash, 'meta_jsonb' => [ 'display_name' => $displayName, 'evidence' => [ 'fidelity' => 'meta', 'source' => 'inventory', 'observed_at' => now()->toIso8601String(), ], ], ]); $inventorySyncRun = \App\Models\OperationRun::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'workspace_id' => (int) $tenant->workspace_id, 'type' => OperationRunType::InventorySync->value, 'status' => OperationRunStatus::Completed->value, 'outcome' => OperationRunOutcome::Succeeded->value, 'completed_at' => now(), 'context' => [ 'inventory' => [ 'coverage' => [ 'policy_types' => [ 'deviceConfiguration' => ['status' => 'succeeded'], ], 'foundation_types' => [], ], ], ], ]); InventoryItem::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'workspace_id' => (int) $tenant->workspace_id, 'external_id' => $externalId, 'policy_type' => 'deviceConfiguration', 'display_name' => $displayName, 'meta_jsonb' => $metaJsonb, 'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(), 'last_seen_at' => now(), ]); $opService = app(OperationRunService::class); $compareRun = $opService->ensureRunWithIdentity( tenant: $tenant, type: OperationRunType::BaselineCompare->value, identityInputs: ['baseline_profile_id' => (int) $profile->getKey()], context: [ 'baseline_profile_id' => (int) $profile->getKey(), 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'effective_scope' => [ 'policy_types' => ['deviceConfiguration'], 'foundation_types' => [], ], ], initiator: $user, ); (new CompareBaselineToTenantJob($compareRun))->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), $opService, ); $compareRun->refresh(); expect(data_get($compareRun->context, 'baseline_compare.subjects_total'))->toBe(1); expect(data_get($compareRun->context, 'result.findings_total'))->toBe(0); expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::NoDriftDetected->value); }); it('records no_drift_detected and unchanged RBAC summary counts when intune role definitions match baseline', function (): void { [$user, $tenant] = createUserWithTenant(role: 'owner'); $profile = BaselineProfile::factory()->active()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'scope_jsonb' => [ 'policy_types' => ['deviceConfiguration'], 'foundation_types' => ['intuneRoleDefinition'], ], ]); $snapshotCapturedAt = CarbonImmutable::parse('2026-03-08T12:00:00Z'); $snapshot = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'captured_at' => $snapshotCapturedAt, ]); $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]); $policy = Policy::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'external_id' => 'rbac-role-stable', 'policy_type' => 'intuneRoleDefinition', 'platform' => 'all', 'display_name' => 'Stable RBAC Role', ]); $baselineVersion = PolicyVersion::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'policy_id' => (int) $policy->getKey(), 'policy_type' => 'intuneRoleDefinition', 'platform' => 'all', 'version_number' => 1, 'captured_at' => $snapshotCapturedAt, 'snapshot' => [ 'displayName' => 'Stable RBAC Role', 'description' => 'Stable role', 'isBuiltIn' => false, 'rolePermissions' => [ [ 'resourceActions' => [ [ 'allowedResourceActions' => ['Microsoft.Intune/deviceConfigurations/read'], ], ], ], ], 'roleScopeTagIds' => ['0'], ], 'assignments' => [], 'scope_tags' => [], ]); $currentVersion = PolicyVersion::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'policy_id' => (int) $policy->getKey(), 'policy_type' => 'intuneRoleDefinition', 'platform' => 'all', 'version_number' => 2, 'captured_at' => $snapshotCapturedAt->addMinutes(5), 'snapshot' => $baselineVersion->snapshot, 'assignments' => [], 'scope_tags' => [], ]); $subjectKey = BaselineSubjectKey::forPolicy('intuneRoleDefinition', 'Stable RBAC Role', 'rbac-role-stable'); $workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalIdForPolicy( 'intuneRoleDefinition', 'Stable RBAC Role', 'rbac-role-stable', ); expect($subjectKey)->not->toBeNull(); expect($workspaceSafeExternalId)->not->toBeNull(); $baselineHash = app(\App\Services\Baselines\Evidence\ContentEvidenceProvider::class)->fromPolicyVersion( version: $baselineVersion, subjectExternalId: (string) $workspaceSafeExternalId, )->hash; BaselineSnapshotItem::factory()->create([ 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'subject_type' => 'policy', 'subject_external_id' => (string) $workspaceSafeExternalId, 'subject_key' => (string) $subjectKey, 'policy_type' => 'intuneRoleDefinition', 'baseline_hash' => $baselineHash, 'meta_jsonb' => [ 'display_name' => 'Stable RBAC Role', 'evidence' => [ 'fidelity' => 'content', 'source' => 'policy_version', 'observed_at' => $baselineVersion->captured_at?->toIso8601String(), ], 'identity' => [ 'strategy' => 'external_id', 'subject_key' => (string) $subjectKey, 'workspace_subject_external_id' => (string) $workspaceSafeExternalId, ], 'version_reference' => [ 'policy_version_id' => (int) $baselineVersion->getKey(), ], 'rbac' => [ 'is_built_in' => false, 'role_permission_count' => 1, ], ], ]); $inventorySyncRun = \App\Models\OperationRun::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'workspace_id' => (int) $tenant->workspace_id, 'type' => OperationRunType::InventorySync->value, 'status' => OperationRunStatus::Completed->value, 'outcome' => OperationRunOutcome::Succeeded->value, 'completed_at' => now(), 'context' => [ 'inventory' => [ 'coverage' => [ 'policy_types' => [ 'deviceConfiguration' => ['status' => 'succeeded'], ], 'foundation_types' => [ 'intuneRoleDefinition' => ['status' => 'succeeded'], ], ], ], ], ]); InventoryItem::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'workspace_id' => (int) $tenant->workspace_id, 'external_id' => 'rbac-role-stable', 'policy_type' => 'intuneRoleDefinition', 'display_name' => 'Stable RBAC Role', 'category' => 'RBAC', 'platform' => 'all', 'meta_jsonb' => [ 'odata_type' => '#microsoft.graph.deviceAndAppManagementRoleDefinition', 'is_built_in' => false, 'role_permission_count' => 1, ], 'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(), 'last_seen_at' => now(), ]); expect($currentVersion->getKey())->toBeGreaterThan(0); $opService = app(OperationRunService::class); $compareRun = $opService->ensureRunWithIdentity( tenant: $tenant, type: OperationRunType::BaselineCompare->value, identityInputs: ['baseline_profile_id' => (int) $profile->getKey()], context: [ 'baseline_profile_id' => (int) $profile->getKey(), 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'effective_scope' => [ 'policy_types' => ['deviceConfiguration'], 'foundation_types' => ['intuneRoleDefinition'], ], ], initiator: $user, ); (new CompareBaselineToTenantJob($compareRun))->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), $opService, ); $compareRun->refresh(); expect(data_get($compareRun->context, 'baseline_compare.subjects_total'))->toBe(1); expect(data_get($compareRun->context, 'result.findings_total'))->toBe(0); expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::NoDriftDetected->value); expect(data_get($compareRun->context, 'baseline_compare.rbac_role_definitions'))->toBe([ 'total_compared' => 1, 'unchanged' => 1, 'modified' => 0, 'missing' => 0, 'unexpected' => 0, ]); }); it('records no_drift_detected when full-content compare reuses an older identical version', function (): void { config()->set('tenantpilot.baselines.full_content_capture.enabled', true); [$user, $tenant] = createUserWithTenant(role: 'owner'); $profile = BaselineProfile::factory()->active()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'capture_mode' => BaselineCaptureMode::FullContent->value, 'scope_jsonb' => [ 'policy_types' => ['deviceConfiguration'], 'foundation_types' => [], ], ]); $snapshotCapturedAt = CarbonImmutable::parse('2026-03-06 00:41:38'); $snapshot = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'captured_at' => $snapshotCapturedAt, ]); $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]); $policy = Policy::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'policy_type' => 'deviceConfiguration', 'external_id' => 'stable-policy', 'platform' => 'windows', 'display_name' => 'Stable Policy', ]); $snapshotPayload = [ 'settings' => [ ['displayName' => 'SettingStable', 'value' => 1], ], ]; $baselineHash = expectedPolicyVersionContentHash( snapshot: $snapshotPayload, policyType: 'deviceConfiguration', platform: 'windows', ); $subjectKey = BaselineSubjectKey::fromDisplayName((string) $policy->display_name); expect($subjectKey)->not->toBeNull(); BaselineSnapshotItem::factory()->create([ 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'subject_type' => 'policy', 'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId( policyType: (string) $policy->policy_type, subjectKey: (string) $subjectKey, ), 'subject_key' => (string) $subjectKey, 'policy_type' => (string) $policy->policy_type, 'baseline_hash' => $baselineHash, 'meta_jsonb' => [ 'display_name' => (string) $policy->display_name, 'evidence' => [ 'fidelity' => 'content', 'source' => 'policy_version', 'observed_at' => $snapshotCapturedAt->subMinutes(10)->toIso8601String(), 'observed_operation_run_id' => null, ], ], ]); $inventorySyncRun = createInventorySyncOperationRunWithCoverage( tenant: $tenant, statusByType: ['deviceConfiguration' => 'succeeded'], attributes: [ 'completed_at' => $snapshotCapturedAt->addSeconds(5), ], ); InventoryItem::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'workspace_id' => (int) $tenant->workspace_id, 'external_id' => (string) $policy->external_id, 'policy_type' => (string) $policy->policy_type, 'display_name' => (string) $policy->display_name, 'meta_jsonb' => [ 'odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'W/"stable"', 'scope_tag_ids' => [], 'assignment_target_count' => 1, ], 'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(), 'last_seen_at' => $snapshotCapturedAt->addSeconds(5), ]); $existingVersion = PolicyVersion::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'policy_id' => (int) $policy->getKey(), 'policy_type' => (string) $policy->policy_type, 'platform' => (string) $policy->platform, 'captured_at' => $snapshotCapturedAt->subMinutes(10), 'snapshot' => $snapshotPayload, 'assignments' => [], 'scope_tags' => [], 'capture_purpose' => PolicyVersionCapturePurpose::BaselineCompare, 'baseline_profile_id' => (int) $profile->getKey(), ]); $fakeOrchestrator = new class($existingVersion) extends PolicyCaptureOrchestrator { public function __construct( private readonly PolicyVersion $existingVersion, ) {} public function capture( Policy $policy, \App\Models\Tenant $tenant, bool $includeAssignments = false, bool $includeScopeTags = false, ?string $createdBy = null, array $metadata = [], PolicyVersionCapturePurpose $capturePurpose = PolicyVersionCapturePurpose::Backup, ?int $operationRunId = null, ?int $baselineProfileId = null, ): array { return [ 'version' => $this->existingVersion->fresh(), 'captured' => [ 'payload' => $this->existingVersion->snapshot, 'assignments' => $this->existingVersion->assignments, 'scope_tags' => $this->existingVersion->scope_tags, ], ]; } }; $contentCapturePhase = new BaselineContentCapturePhase($fakeOrchestrator); $opService = app(OperationRunService::class); $compareRun = $opService->ensureRunWithIdentity( tenant: $tenant, type: OperationRunType::BaselineCompare->value, identityInputs: ['baseline_profile_id' => (int) $profile->getKey()], context: [ 'baseline_profile_id' => (int) $profile->getKey(), 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'effective_scope' => [ 'policy_types' => ['deviceConfiguration'], 'foundation_types' => [], ], ], initiator: $user, ); (new CompareBaselineToTenantJob($compareRun))->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), $opService, contentCapturePhase: $contentCapturePhase, ); $compareRun->refresh(); expect($compareRun->outcome)->toBe(OperationRunOutcome::Succeeded->value); expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::NoDriftDetected->value); expect(data_get($compareRun->context, 'baseline_compare.coverage.resolved_content'))->toBe(1); expect(data_get($compareRun->context, 'baseline_compare.evidence_gaps.count'))->toBe(0); expect( Finding::query() ->where('tenant_id', (int) $tenant->getKey()) ->where('source', 'baseline.compare') ->count(), )->toBe(0); }); it('records coverage_unproven when findings are suppressed due to missing coverage proof', function (): void { [$user, $tenant] = createUserWithTenant(role: 'owner'); $profile = BaselineProfile::factory()->active()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'scope_jsonb' => [ 'policy_types' => ['deviceConfiguration'], 'foundation_types' => [], ], ]); $snapshot = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'captured_at' => now()->subMinute(), ]); $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]); $opService = app(OperationRunService::class); $compareRun = $opService->ensureRunWithIdentity( tenant: $tenant, type: OperationRunType::BaselineCompare->value, identityInputs: ['baseline_profile_id' => (int) $profile->getKey()], context: [ 'baseline_profile_id' => (int) $profile->getKey(), 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'effective_scope' => [ 'policy_types' => ['deviceConfiguration'], 'foundation_types' => [], ], ], initiator: $user, ); (new CompareBaselineToTenantJob($compareRun))->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), $opService, ); $compareRun->refresh(); expect($compareRun->outcome)->toBe(OperationRunOutcome::PartiallySucceeded->value); expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::CoverageUnproven->value); });