evaluate( scopeKey: null, requestedLevel: CoverageLevel::ContentBacked, actualLevel: CoverageLevel::ContentBacked, scopeComplete: true, unscoped: true, percentage: 100, ))->toBe(ClaimState::ClaimBlocked); }); it('Spec414 blocks certified claims for beta experimental resource types by default', function () { $guard = new ClaimGuard; expect($guard->evaluate( scopeKey: 'intune_tcm_core', requestedLevel: CoverageLevel::Certified, actualLevel: CoverageLevel::Certified, scopeComplete: true, sourceClass: SourceClass::GraphBetaExperimental, allowsBetaClaims: false, allowsCertifiedClaims: false, ))->toBe(ClaimState::ClaimBlocked); }); it('Spec414 blocks restore claims when the resource type is not restorable', function () { $guard = new ClaimGuard; expect($guard->evaluate( scopeKey: 'intune_tcm_core', requestedLevel: CoverageLevel::Restorable, actualLevel: CoverageLevel::Restorable, scopeComplete: true, restoreTier: RestoreTier::PreviewOnly, restoreClaim: true, ))->toBe(ClaimState::ClaimBlocked); }); it('Spec414 blocks customer-facing claims for incomplete supported scopes', function () { $guard = new ClaimGuard; expect($guard->evaluate( scopeKey: 'intune_tcm_core', requestedLevel: CoverageLevel::ContentBacked, actualLevel: CoverageLevel::ContentBacked, scopeComplete: false, customerFacing: true, ))->toBe(ClaimState::ClaimBlocked); }); it('Spec414 allows exact scope and level claims', function () { $guard = new ClaimGuard; expect($guard->evaluate( scopeKey: 'intune_tcm_core', requestedLevel: CoverageLevel::ContentBacked, actualLevel: CoverageLevel::Comparable, scopeComplete: true, customerFacing: true, ))->toBe(ClaimState::ClaimAllowed); }); it('Spec417 blocks unsafe identity states before customer claims can be made', function (IdentityState $identityState): void { $guard = new ClaimGuard; expect($guard->evaluate( scopeKey: 'intune_tcm_core', requestedLevel: CoverageLevel::ContentBacked, actualLevel: CoverageLevel::ContentBacked, scopeComplete: true, identityState: $identityState, ))->toBe(ClaimState::ClaimBlocked); })->with([ 'identity conflict' => IdentityState::IdentityConflict, 'missing external id' => IdentityState::MissingExternalId, 'unsupported identity' => IdentityState::UnsupportedIdentity, ]); it('Spec417 limits derived identity unless explicitly allowed', function (): void { $guard = new ClaimGuard; expect($guard->evaluate( scopeKey: 'intune_tcm_core', requestedLevel: CoverageLevel::ContentBacked, actualLevel: CoverageLevel::ContentBacked, scopeComplete: true, identityState: IdentityState::Derived, ))->toBe(ClaimState::ClaimLimited); expect($guard->evaluate( scopeKey: 'intune_tcm_core', requestedLevel: CoverageLevel::ContentBacked, actualLevel: CoverageLevel::ContentBacked, scopeComplete: true, customerFacing: true, identityState: IdentityState::Derived, ))->toBe(ClaimState::ClaimBlocked); });