active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'scope_jsonb' => [
            'policy_types' => ['deviceConfiguration', 'deviceCompliancePolicy'],
            'foundation_types' => [],
        ],
    ]);

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
    ]);

    $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);

    $builder = app(InventoryMetaContract::class);
    $hasher = app(DriftHasher::class);

    // Baseline item for the policy type that the inventory sync below marks as 'succeeded'.
    $coveredContract = $builder->build(
        policyType: 'deviceConfiguration',
        subjectExternalId: 'covered-uuid',
        metaJsonb: ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E_BASELINE'],
    );

    $coveredDisplayName = 'Covered Policy';
    $coveredSubjectKey = BaselineSubjectKey::fromDisplayName($coveredDisplayName);
    expect($coveredSubjectKey)->not->toBeNull();
    $coveredWorkspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId('deviceConfiguration', (string) $coveredSubjectKey);

    BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot->getKey(),
        'subject_type' => 'policy',
        'subject_external_id' => $coveredWorkspaceSafeExternalId,
        'subject_key' => (string) $coveredSubjectKey,
        'policy_type' => 'deviceConfiguration',
        'baseline_hash' => $hasher->hashNormalized($coveredContract),
        'meta_jsonb' => ['display_name' => $coveredDisplayName],
    ]);

    // Baseline item for the policy type that the inventory sync below marks as 'failed'.
    $uncoveredContract = $builder->build(
        policyType: 'deviceCompliancePolicy',
        subjectExternalId: 'uncovered-uuid',
        metaJsonb: ['odata_type' => '#microsoft.graph.deviceCompliancePolicy', 'etag' => 'E_BASELINE'],
    );

    $uncoveredDisplayName = 'Uncovered Policy';
    $uncoveredSubjectKey = BaselineSubjectKey::fromDisplayName($uncoveredDisplayName);
    expect($uncoveredSubjectKey)->not->toBeNull();
    $uncoveredWorkspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId('deviceCompliancePolicy', (string) $uncoveredSubjectKey);

    BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot->getKey(),
        'subject_type' => 'policy',
        'subject_external_id' => $uncoveredWorkspaceSafeExternalId,
        'subject_key' => (string) $uncoveredSubjectKey,
        'policy_type' => 'deviceCompliancePolicy',
        'baseline_hash' => $hasher->hashNormalized($uncoveredContract),
        'meta_jsonb' => ['display_name' => $uncoveredDisplayName],
    ]);

    // Inventory sync run that completed with a partial outcome: its coverage payload
    // records deviceConfiguration as 'succeeded' and deviceCompliancePolicy as 'failed'.
    $inventorySyncRun = OperationRun::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'type' => OperationRunType::InventorySync->value,
        'status' => OperationRunStatus::Completed->value,
        'outcome' => OperationRunOutcome::PartiallySucceeded->value,
        'completed_at' => now(),
        'context' => [
            'inventory' => [
                'coverage' => [
                    'policy_types' => [
                        'deviceConfiguration' => ['status' => 'succeeded'],
                        'deviceCompliancePolicy' => ['status' => 'failed'],
                    ],
                    'foundation_types' => [],
                ],
            ],
        ],
    ]);

    // Only the covered policy has an inventory row, and its etag (E_CURRENT) differs from
    // the E_BASELINE value hashed into the snapshot item. The uncovered policy has no
    // inventory row at all.
    InventoryItem::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'external_id' => 'covered-uuid',
        'policy_type' => 'deviceConfiguration',
        'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E_CURRENT'],
        'display_name' => $coveredDisplayName,
        'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
        'last_seen_at' => now(),
    ]);

    $operationRuns = app(OperationRunService::class);
    $compareRun = $operationRuns->ensureRunWithIdentity(
        tenant: $tenant,
        type: OperationRunType::BaselineCompare->value,
        identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
        context: [
            'baseline_profile_id' => (int) $profile->getKey(),
            'baseline_snapshot_id' => (int) $snapshot->getKey(),
            'effective_scope' => [
                'policy_types' => ['deviceConfiguration', 'deviceCompliancePolicy'],
                'foundation_types' => [],
            ],
        ],
        initiator: $user,
    );

    // The job is executed inline by calling handle() with container-resolved collaborators.
    (new CompareBaselineToTenantJob($compareRun))->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        $operationRuns,
    );

    $compareRun->refresh();
    expect($compareRun->status)->toBe('completed');
    // The compare run must not report full success while one scoped type lacks coverage.
    expect($compareRun->outcome)->toBe(OperationRunOutcome::PartiallySucceeded->value);

    $counts = is_array($compareRun->summary_counts) ? $compareRun->summary_counts : [];
    // Defaulting to 0 makes a missing 'errors_recorded' key fail the assertion.
    expect((int) ($counts['errors_recorded'] ?? 0))->toBe(1);

    $findings = Finding::query()
        ->where('tenant_id', (int) $tenant->getKey())
        ->where('source', 'baseline.compare')
        ->get();

    // Two baseline items exist but exactly one finding is expected: the etag change on the
    // covered policy. The uncovered baseline item, which has no inventory row, must not
    // add a second finding.
    // NOTE(review): presumably this guards against reporting a policy as drifted or missing
    // only because its type failed to sync - confirm against the job implementation.
    expect($findings)->toHaveCount(1);
    expect((string) data_get($findings->first(), 'evidence_jsonb.change_type'))->toBe('different_version');
});

// Fail-safe case 1: no InventorySync operation run exists for the tenant. The inventory
// row differs from the baseline (E_CURRENT vs E_BASELINE), yet no finding may be emitted.
it('emits zero findings when there is no completed inventory sync run (fail-safe)', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'scope_jsonb' => [
            'policy_types' => ['deviceConfiguration'],
            'foundation_types' => [],
        ],
    ]);

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
    ]);

    $builder = app(InventoryMetaContract::class);
    $hasher = app(DriftHasher::class);

    $contract = $builder->build(
        policyType: 'deviceConfiguration',
        subjectExternalId: 'policy-uuid',
        metaJsonb: ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E_BASELINE'],
    );

    BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot->getKey(),
        'subject_type' => 'policy',
        'subject_external_id' => 'policy-uuid',
        'policy_type' => 'deviceConfiguration',
        'baseline_hash' => $hasher->hashNormalized($contract),
    ]);

    // Inventory row with a changed etag and no link to any sync run.
    InventoryItem::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'external_id' => 'policy-uuid',
        'policy_type' => 'deviceConfiguration',
        'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E_CURRENT'],
        'display_name' => 'Policy Changed',
    ]);

    $operationRuns = app(OperationRunService::class);
    $compareRun = $operationRuns->ensureRunWithIdentity(
        tenant: $tenant,
        type: OperationRunType::BaselineCompare->value,
        identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
        context: [
            'baseline_profile_id' => (int) $profile->getKey(),
            'baseline_snapshot_id' => (int) $snapshot->getKey(),
            'effective_scope' => [
                'policy_types' => ['deviceConfiguration'],
                'foundation_types' => [],
            ],
        ],
        initiator: $user,
    );

    (new CompareBaselineToTenantJob($compareRun))->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        $operationRuns,
    );

    $compareRun->refresh();
    expect($compareRun->status)->toBe('completed');
    // Zero findings here must not read as "no drift": the run is expected to end as
    // partially succeeded with one recorded error.
    expect($compareRun->outcome)->toBe(OperationRunOutcome::PartiallySucceeded->value);

    $counts = is_array($compareRun->summary_counts) ? $compareRun->summary_counts : [];
    expect((int) ($counts['errors_recorded'] ?? 0))->toBe(1);
    // Defaulting to -1 makes a missing 'total' key fail instead of passing as 0.
    expect((int) ($counts['total'] ?? -1))->toBe(0);

    expect(
        Finding::query()
            ->where('tenant_id', (int) $tenant->getKey())
            ->where('source', 'baseline.compare')
            ->count()
    )->toBe(0);
});

// Fail-safe case 2: a completed, Succeeded InventorySync run exists, but its context holds
// only 'selection_hash' and no 'inventory.coverage' payload. The expected result is the
// same as with no sync run at all: zero findings and a partially succeeded compare run.
it('emits zero findings when coverage payload is missing (fail-safe)', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'scope_jsonb' => [
            'policy_types' => ['deviceConfiguration'],
            'foundation_types' => [],
        ],
    ]);

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
    ]);

    OperationRun::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'type' => OperationRunType::InventorySync->value,
        'status' => OperationRunStatus::Completed->value,
        'outcome' => OperationRunOutcome::Succeeded->value,
        'completed_at' => now(),
        'context' => [
            'selection_hash' => 'latest',
        ],
    ]);

    // The baseline hash is the SHA-256 of the literal string 'baseline' rather than of a
    // built contract, so it is a fixed placeholder value.
    BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot->getKey(),
        'subject_type' => 'policy',
        'subject_external_id' => 'policy-uuid',
        'policy_type' => 'deviceConfiguration',
        'baseline_hash' => hash('sha256', 'baseline'),
    ]);

    InventoryItem::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'external_id' => 'policy-uuid',
        'policy_type' => 'deviceConfiguration',
        'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E_CURRENT'],
        'display_name' => 'Policy Changed',
    ]);

    $operationRuns = app(OperationRunService::class);
    $compareRun = $operationRuns->ensureRunWithIdentity(
        tenant: $tenant,
        type: OperationRunType::BaselineCompare->value,
        identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
        context: [
            'baseline_profile_id' => (int) $profile->getKey(),
            'baseline_snapshot_id' => (int) $snapshot->getKey(),
            'effective_scope' => [
                'policy_types' => ['deviceConfiguration'],
                'foundation_types' => [],
            ],
        ],
        initiator: $user,
    );

    (new CompareBaselineToTenantJob($compareRun))->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        $operationRuns,
    );

    $compareRun->refresh();
    // NOTE(review): unlike the two cases above, the run status is not asserted here.
    expect($compareRun->outcome)->toBe(OperationRunOutcome::PartiallySucceeded->value);

    $counts = is_array($compareRun->summary_counts) ? $compareRun->summary_counts : [];
    expect((int) ($counts['errors_recorded'] ?? 0))->toBe(1);
    // Defaulting to -1 makes a missing 'total' key fail instead of passing as 0.
    expect((int) ($counts['total'] ?? -1))->toBe(0);

    expect(
        Finding::query()
            ->where('tenant_id', (int) $tenant->getKey())
            ->where('source', 'baseline.compare')
            ->count()
    )->toBe(0);
});

// Scope case: both the profile scope and the run's effective scope name only
// 'unsupported_type', and no snapshot items or inventory rows are created.
it('emits a warning and zero findings when effective scope expands to zero types', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'scope_jsonb' => [
            'policy_types' => ['unsupported_type'],
            'foundation_types' => [],
        ],
    ]);

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
    ]);

    $operationRuns = app(OperationRunService::class);
    $compareRun = $operationRuns->ensureRunWithIdentity(
        tenant: $tenant,
        type: OperationRunType::BaselineCompare->value,
        identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
        context: [
            'baseline_profile_id' => (int) $profile->getKey(),
            'baseline_snapshot_id' => (int) $snapshot->getKey(),
            'effective_scope' => [
                'policy_types' => ['unsupported_type'],
                'foundation_types' => [],
            ],
        ],
        initiator: $user,
    );

    (new CompareBaselineToTenantJob($compareRun))->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        $operationRuns,
    );

    $compareRun->refresh();
    // An empty effective scope must not end as a clean success.
    expect($compareRun->outcome)->toBe(OperationRunOutcome::PartiallySucceeded->value);

    $counts = is_array($compareRun->summary_counts) ? $compareRun->summary_counts : [];
    // NOTE(review): the warning named in the test title is checked only through the
    // 'errors_recorded' count; its content is not asserted.
    expect((int) ($counts['errors_recorded'] ?? 0))->toBe(1);
    expect((int) ($counts['total'] ?? -1))->toBe(0);

    expect(
        Finding::query()
            ->where('tenant_id', (int) $tenant->getKey())
            ->where('source', 'baseline.compare')
            ->count()
    )->toBe(0);
});