create();
    $this->actingAs($user)->get($url)->assertNotFound();
})->with([
    '/system/login',
    '/system',
    '/system/ops/runbooks',
    '/system/ops/runs',
]);

// An authenticated platform session with an empty capability list is
// recognised as a platform user (so it is not hidden behind a 404) but is
// refused with 403 on every capability-gated system page.
it('returns 403 when a platform user lacks the required capability on system pages', function (string $url): void {
    $noCapabilities = PlatformUser::factory()->create([
        'capabilities' => [],
        'is_active' => true,
    ]);

    $response = $this->actingAs($noCapabilities, 'platform')->get($url);

    $response->assertForbidden();
})->with([
    '/system',
    '/system/ops/runbooks',
    '/system/ops/runs',
]);

// A tenant (default guard) session gets 404 on an operation detail URL,
// matching the list-level routes above; presumably so the system area does
// not acknowledge its existence to non-platform accounts.
it('returns 404 when a tenant session accesses a system operation detail route', function (): void {
    $tenantUser = User::factory()->create();
    $run = OperationRun::factory()->create();

    $response = $this->actingAs($tenantUser)->get(SystemOperationRunLinks::view($run));

    $response->assertNotFound();
});

// Panel access on its own does not unlock operation detail: without
// OPERATIONS_VIEW the response is 403.
it('returns 403 when a platform user lacks operations capability on system operation detail', function (): void {
    $panelOnly = PlatformUser::factory()->create([
        'capabilities' => [PlatformCapabilities::ACCESS_SYSTEM_PANEL],
        'is_active' => true,
    ]);
    $run = OperationRun::factory()->create();

    $response = $this->actingAs($panelOnly, 'platform')->get(SystemOperationRunLinks::view($run));

    $response->assertForbidden();
});

// Positive counterpart of the previous case: panel access plus
// OPERATIONS_VIEW renders the operation detail page.
it('returns 200 on system operation detail when a platform user has operations capability', function (): void {
    $operationsViewer = PlatformUser::factory()->create([
        'capabilities' => [
            PlatformCapabilities::ACCESS_SYSTEM_PANEL,
            PlatformCapabilities::OPERATIONS_VIEW,
        ],
        'is_active' => true,
    ]);
    $run = OperationRun::factory()->create();

    $response = $this->actingAs($operationsViewer, 'platform')->get(SystemOperationRunLinks::view($run));

    $response->assertSuccessful();
});

// The console landing page needs ACCESS_SYSTEM_PANEL together with
// CONSOLE_VIEW.
it('returns 200 when a platform user has the required capability', function (): void {
    $consoleViewer = PlatformUser::factory()->create([
        'capabilities' => [
            PlatformCapabilities::ACCESS_SYSTEM_PANEL,
            PlatformCapabilities::CONSOLE_VIEW,
        ],
        'is_active' => true,
    ]);

    $response = $this->actingAs($consoleViewer, 'platform')->get('/system');

    $response->assertSuccessful();
});

// Capabilities are checked per page, not per area: OPS_VIEW alone does not
// grant the runbooks listing.
it('returns 403 on runbooks when a platform user lacks the runbooks view capability even with system access', function (): void {
    $opsOnly = PlatformUser::factory()->create([
        'capabilities' => [
            PlatformCapabilities::ACCESS_SYSTEM_PANEL,
            PlatformCapabilities::OPS_VIEW,
        ],
        'is_active' => true,
    ]);

    $response = $this->actingAs($opsOnly, 'platform')->get('/system/ops/runbooks');

    $response->assertForbidden();
});

// Adding RUNBOOKS_VIEW on top of the previous capability set is what makes
// the runbooks listing reachable.
it('returns 200 on runbooks when a platform user has the required runbooks capability set', function (): void {
    $runbooksViewer = PlatformUser::factory()->create([
        'capabilities' => [
            PlatformCapabilities::ACCESS_SYSTEM_PANEL,
            PlatformCapabilities::OPS_VIEW,
            PlatformCapabilities::RUNBOOKS_VIEW,
        ],
        'is_active' => true,
    ]);

    $response = $this->actingAs($runbooksViewer, 'platform')->get('/system/ops/runbooks');

    $response->assertSuccessful();
});

// Walks the three access tiers against a single workspace detail URL:
// tenant session -> 404, panel-only platform user -> 403, DIRECTORY_VIEW
// platform user -> 200 with the lifecycle shown read-only (the state-change
// control is not rendered).
it('keeps system workspace detail route semantics separate from commercial business-state blocks', function (): void {
    $workspace = Workspace::factory()->create();
    $detailUrl = SystemDirectoryLinks::workspaceDetail($workspace);

    // Tier 1: a tenant session is answered with 404.
    $tenantUser = User::factory()->create();
    $this->actingAs($tenantUser)->get($detailUrl)->assertNotFound();

    // End the web-guard session before switching to the platform guard;
    // presumably so the remaining requests are not influenced by the
    // lingering tenant login.
    auth()->guard('web')->logout();

    // Tier 2: panel access without DIRECTORY_VIEW is refused with 403.
    $panelOnly = PlatformUser::factory()->create([
        'capabilities' => [PlatformCapabilities::ACCESS_SYSTEM_PANEL],
        'is_active' => true,
    ]);
    $this->actingAs($panelOnly, 'platform')->get($detailUrl)->assertForbidden();

    // Tier 3: DIRECTORY_VIEW renders the page, showing the commercial
    // lifecycle but not the control that would change it.
    $directoryViewer = PlatformUser::factory()->create([
        'capabilities' => [
            PlatformCapabilities::ACCESS_SYSTEM_PANEL,
            PlatformCapabilities::DIRECTORY_VIEW,
        ],
        'is_active' => true,
    ]);
    $response = $this->actingAs($directoryViewer, 'platform')->get($detailUrl);

    $response->assertSuccessful();
    $response->assertSee('Commercial lifecycle');
    $response->assertDontSee('Change commercial state');
});