actingAs($user)
        ->get("/admin/tenants/{$tenant->external_id}/required-permissions")
        ->assertOk();
});

// Workspace membership alone, even with the 'owner' role, must not open a
// tenant-scoped page: only a WorkspaceMembership row is created here, nothing
// tenant-level, and the request is expected to come back as 404.
// NOTE(review): answering 404 rather than 403 presumably keeps the response
// from confirming that the tenant exists; confirm against the access policy.
// NOTE(review): assertNotFound() also passes when a route is simply missing;
// the assertOk() request on the same path just above is what shows the path
// itself resolves, so keep the two cases together.
it('returns 404 for workspace members without tenant entitlement on the canonical route', function (): void {
    $user = User::factory()->create();
    $workspace = Workspace::factory()->create();
    $workspaceId = (int) $workspace->getKey();

    $tenant = Tenant::factory()->create(['workspace_id' => $workspaceId]);

    WorkspaceMembership::factory()->create([
        'workspace_id' => $workspaceId,
        'user_id' => (int) $user->getKey(),
        'role' => 'owner',
    ]);

    $url = "/admin/tenants/{$tenant->external_id}/required-permissions";

    $this->actingAs($user)
        ->withSession([WorkspaceContext::SESSION_KEY => $workspaceId])
        ->get($url)
        ->assertNotFound();
});

// The session names the tenant's workspace, but no membership row exists for
// the user: a workspace id carried in the session must not be treated as proof
// of membership, so the page is expected to be reported as not found.
it('returns 404 for users who are not workspace members', function (): void {
    $user = User::factory()->create();
    $workspace = Workspace::factory()->create();
    $workspaceId = (int) $workspace->getKey();

    $tenant = Tenant::factory()->create(['workspace_id' => $workspaceId]);

    $session = [WorkspaceContext::SESSION_KEY => $workspaceId];
    $url = "/admin/tenants/{$tenant->external_id}/required-permissions";

    $this->actingAs($user)
        ->withSession($session)
        ->get($url)
        ->assertNotFound();
});

// The user's tenant is flagged is_current before the request, so a resolver
// that silently fell back to the current tenant would have a real tenant to
// serve; an unresolvable id in the route must still produce 404.
// createUserWithTenant() is defined outside this view; presumably it returns a
// user entitled to $tenant with the given role (verify against the helper).
it('returns 404 when the route tenant is invalid instead of falling back to the current tenant context', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $tenantId = (int) $tenant->getKey();
    Tenant::query()->whereKey($tenantId)->update(['is_current' => true]);

    $response = $this->actingAs($user)->get('/admin/tenants/invalid-tenant-id/required-permissions');
    $response->assertNotFound();
});