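set('graph.client_id', 'platform-client-id');
    config()->set('graph.client_secret', 'platform-client-secret');
    config()->set('graph.tenant_id', 'platform-home-tenant-id');

    $tenant = Tenant::factory()->create([
        'tenant_id' => '22222222-2222-2222-2222-222222222222',
    ]);

    $connection = ProviderConnection::factory()->platform()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'tenant_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
        'entra_tenant_id' => '22222222-2222-2222-2222-222222222222',
    ]);

    $resolution = app(ProviderIdentityResolver::class)->resolve($connection->fresh(['tenant']));

    expect($resolution->resolved)->toBeTrue()
        ->and($resolution->connectionType)->toBe(ProviderConnectionType::Platform)
        ->and($resolution->tenantContext)->toBe('22222222-2222-2222-2222-222222222222')
        ->and($resolution->targetScope)->not->toBeNull()
        ->and($resolution->targetScope?->scopeKind)->toBe(ProviderConnectionTargetScopeDescriptor::SCOPE_KIND_TENANT)
        ->and($resolution->targetScope?->scopeIdentifier)->toBe('22222222-2222-2222-2222-222222222222')
        ->and(collect($resolution->contextualIdentityDetails)->pluck('detailKey')->all())
        ->toContain('microsoft_tenant_id', 'authority_tenant', 'redirect_uri');
});

it('keeps dedicated runtime credentials out of the shared target-scope descriptor', function (): void {
    // A dedicated connection owns its client credentials through a
    // ProviderCredential row instead of the config()-backed platform
    // registration used by the platform test above.
    $connection = ProviderConnection::factory()->dedicated()->create([
        'entra_tenant_id' => '33333333-3333-3333-3333-333333333333',
    ]);

    ProviderCredential::factory()->create([
        'provider_connection_id' => (int) $connection->getKey(),
        'payload' => [
            'client_id' => 'dedicated-client-id',
            'client_secret' => 'dedicated-client-secret',
        ],
    ]);

    $resolution = app(ProviderIdentityResolver::class)
        ->resolve($connection->fresh(['tenant', 'credential']));

    // The descriptor is the shared (non-privileged) view of the target scope.
    // `not->toHaveKey` only inspects top-level keys, so the serialized form is
    // checked as well to catch the secret surfacing in a nested structure.
    $descriptor = $resolution->targetScope?->toArray();
    $serialized = json_encode($descriptor, JSON_THROW_ON_ERROR);

    expect($resolution->resolved)->toBeTrue()
        // A null descriptor has no keys, so the negative assertions below would
        // pass vacuously without this guard.
        ->and($resolution->targetScope)->not->toBeNull()
        ->and($descriptor)->not->toHaveKey('client_id')
        ->and($descriptor)->not->toHaveKey('client_secret')
        ->and($serialized)->not->toContain('dedicated-client-secret')
        // The credential still has to reach the resolver's effective identity.
        ->and($resolution->effectiveClientId)->toBe('dedicated-client-id');
});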