create(); $this->actingAs($tenantUser)->get($url)->assertNotFound(); })->with([ '/system/login', '/system', '/system/ops/runbooks', '/system/ops/runs', ]); it('returns 403 for platform users missing required system page capabilities', function (string $url, array $capabilities) { $platformUser = PlatformUser::factory()->create([ 'capabilities' => $capabilities, 'is_active' => true, ]); $this->actingAs($platformUser, 'platform') ->get($url) ->assertForbidden(); })->with([ ['/system', []], ['/system/ops/runbooks', [PlatformCapabilities::ACCESS_SYSTEM_PANEL]], ['/system/ops/runs', [PlatformCapabilities::ACCESS_SYSTEM_PANEL]], ]); it('uses a distinct session cookie name for /system versus /admin', function () { $systemCookieName = Str::slug((string) config('app.name', 'laravel')).'-system-session'; $adminCookieName = (string) config('session.cookie'); expect($systemCookieName)->not->toBe($adminCookieName); $this->get('/system/login') ->assertSuccessful() ->assertCookie($systemCookieName); $this->get('/admin/login')->assertSuccessful(); });