create();
$otherWorkspace = Workspace::factory()->create();
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
    'workspace_id' => (int) $workspace->getKey(),
    'user_id' => (int) $user->getKey(),
    'role' => WorkspaceRole::Readonly->value,
]);
$run = OperationRun::factory()->tenantlessForWorkspace($otherWorkspace)->create([
    'type' => 'environment.review.compose',
]);
$response = Gate::forUser($user)->inspect('view', $run);
expect($response->denied())->toBeTrue()
    ->and($response->status())->toBe(404);
});

// Scope boundary inside a single workspace: the user is a workspace Operator but is
// enrolled in only one of its environments. A run that belongs to the sibling
// environment must be reported as 404 (not-found), not as a capability denial, so the
// gate response for an out-of-scope run is indistinguishable from a run that does not exist.
it('denies same-workspace wrong-environment operation runs as not found', function (): void {
    $workspace = Workspace::factory()->create();
    $workspaceId = (int) $workspace->getKey();

    $reachableTenant = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => $workspaceId,
    ]);
    $foreignTenant = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => $workspaceId,
    ]);

    $user = User::factory()->create();
    $userId = (int) $user->getKey();

    WorkspaceMembership::factory()->create([
        'workspace_id' => $workspaceId,
        'user_id' => $userId,
        'role' => WorkspaceRole::Operator->value,
    ]);
    // Environment enrolment is granted for the reachable tenant only.
    ManagedEnvironmentMembership::query()->create([
        'managed_environment_id' => (int) $reachableTenant->getKey(),
        'user_id' => $userId,
        'role' => WorkspaceRole::Operator->value,
        'source' => 'manual',
    ]);

    // Drop any previously resolved scope so the gate evaluates against the
    // membership created above (the resolver presumably memoises per user).
    $scopeResolver = app(ManagedEnvironmentAccessScopeResolver::class);
    $scopeResolver->clearCache();

    // The run lives in the environment the user is NOT enrolled in.
    $operationRun = OperationRun::factory()->forTenant($foreignTenant)->create([
        'type' => 'provider.connection.check',
    ]);

    $decision = Gate::forUser($user)->inspect('view', $operationRun);

    expect($decision->denied())->toBeTrue();
    expect($decision->status())->toBe(404);
});

// Counterpart to the scope-boundary cases: when the run IS within the user's scope
// but the role lacks the capability, the denial must not be a 404. The assertion only
// pins "not 404" (the concrete capability-denial status is left to the policy), which
// keeps "forbidden" and "not found" as two distinguishable outcomes.
it('keeps in-scope operation capability denials distinct from scope boundaries', function (): void {
    $workspace = Workspace::factory()->create();
    $workspaceId = (int) $workspace->getKey();

    $tenant = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => $workspaceId,
    ]);

    $user = User::factory()->create();

    // Readonly workspace member; no environment enrolment is created for this case.
    WorkspaceMembership::factory()->create([
        'workspace_id' => $workspaceId,
        'user_id' => (int) $user->getKey(),
        'role' => WorkspaceRole::Readonly->value,
    ]);

    $operationRun = OperationRun::factory()->forTenant($tenant)->create([
        'type' => 'inventory.sync',
    ]);

    $decision = Gate::forUser($user)->inspect('view', $operationRun);

    expect($decision->denied())->toBeTrue();
    expect($decision->status())->not->toBe(404);
});