active()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'name' => 'Security Baseline', ]); $snapshot = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'summary_jsonb' => [ 'total_items' => 3, 'policy_type_counts' => [ 'intuneRoleDefinition' => 1, 'deviceCompliancePolicy' => 1, 'mysteryPolicyType' => 1, ], 'fidelity_counts' => ['content' => 2, 'meta' => 1], 'gaps' => ['count' => 1, 'by_reason' => ['meta_fallback' => 1]], ], ]); $rbacSubjectKey = baselineProviderResourceSubjectKeyForTest( 'intuneRoleDefinition', 'security-reader', SubjectClass::FoundationBacked, ); $complianceSubjectKey = baselineProviderResourceSubjectKeyForTest('deviceCompliancePolicy', 'bitlocker-require'); $fallbackSubjectKey = baselineProviderResourceSubjectKeyForTest('mysteryPolicyType', 'mystery-policy'); BaselineSnapshotItem::factory()->create([ 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'policy_type' => 'intuneRoleDefinition', 'subject_key' => $rbacSubjectKey, 'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId('intuneRoleDefinition', $rbacSubjectKey), 'meta_jsonb' => [ 'display_name' => 'Security Reader', 'evidence' => [ 'fidelity' => 'content', 'source' => 'policy_version', 'observed_at' => '2026-03-09T12:00:00+00:00', ], 'identity' => ['strategy' => 'provider_resource'], 'rbac' => [ 'is_built_in' => false, 'role_permission_count' => 2, ], 'version_reference' => ['policy_version_id' => 42], ], ]); BaselineSnapshotItem::factory()->create([ 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'policy_type' => 'deviceCompliancePolicy', 'subject_key' => $complianceSubjectKey, 'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId('deviceCompliancePolicy', $complianceSubjectKey), 'meta_jsonb' => [ 'display_name' => 'Bitlocker Require', 'platform' => 'windows', 'assignment_target_count' => 3, 'evidence' => [ 'fidelity' => 'meta', 'source' => 'inventory', 'observed_at' => '2026-03-09T11:00:00+00:00', ], ], ]); BaselineSnapshotItem::factory()->create([ 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'policy_type' => 'mysteryPolicyType', 'subject_key' => $fallbackSubjectKey, 'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId('mysteryPolicyType', $fallbackSubjectKey), 'meta_jsonb' => [ 'display_name' => 'Mystery Policy', 'platform' => 'windows', 'evidence' => [ 'fidelity' => 'content', 'source' => 'policy_version', 'observed_at' => '2026-03-09T10:00:00+00:00', ], ], ]); $this->actingAs($user) ->get(BaselineSnapshotResource::getUrl('view', ['record' => $snapshot], panel: 'admin')) ->assertOk() ->assertSee('Outcome summary') ->assertSee('Snapshot status') ->assertSee('Outcome details') ->assertSee('Coverage') ->assertSee('Capture timing') ->assertSee('Related context') ->assertSee(BaselineProfileResource::getUrl('view', ['record' => $profile], panel: 'admin'), false) ->assertSeeInOrder(['Outcome summary', 'Coverage summary', 'Captured governed subjects', 'Technical detail']) ->assertSee('Security Reader') ->assertSee('Bitlocker Require') ->assertSee('Mystery Policy') ->assertSee('Intune RBAC Role Definition') ->assertSee('Device Compliance') ->assertSee('Mystery Policy Type') ->assertSee('Governed subject') ->assertDontSee('Artifact truth') ->assertDontSee('Intune RBAC Role Definition References'); $this->actingAs($user) ->get(BaselineSnapshotResource::getUrl(panel: 'admin')) ->assertOk() ->assertSee('View baseline profile') ->assertSee(BaselineSnapshotResource::getUrl('view', ['record' => $snapshot], panel: 'admin')) ->assertDontSee('>View<', escape: false); }); it('caps baseline snapshot receipt governed-subject rows before internal detail', function (): void { [$user, $tenant] = createUserWithTenant(role: 'readonly'); $profile = BaselineProfile::factory()->active()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'name' => 'Spec397 Baseline', ]); $policyTypeCounts = []; $snapshot = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'summary_jsonb' => [ 'total_items' => 10, 'fidelity_counts' => ['content' => 10, 'meta' => 0], 'gaps' => ['count' => 0, 'by_reason' => []], ], ]); foreach (range(1, 10) as $index) { $policyType = sprintf('spec397PolicyType%02d', $index); $policyTypeCounts[$policyType] = 1; $subjectKey = baselineProviderResourceSubjectKeyForTest($policyType, sprintf('spec397-policy-%02d', $index)); BaselineSnapshotItem::factory()->create([ 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'policy_type' => $policyType, 'subject_key' => $subjectKey, 'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId($policyType, $subjectKey), 'meta_jsonb' => [ 'display_name' => sprintf('Spec397 Policy %02d', $index), 'evidence' => [ 'fidelity' => 'content', 'source' => 'policy_version', 'observed_at' => now()->toIso8601String(), ], ], ]); } $snapshot->forceFill([ 'summary_jsonb' => array_merge($snapshot->summary_jsonb, [ 'policy_type_counts' => $policyTypeCounts, ]), ])->save(); $response = $this->actingAs($user) ->get(BaselineSnapshotResource::getUrl('view', ['record' => $snapshot], panel: 'admin')); $response ->assertOk() ->assertSee('Showing the first 8 governed subjects for receipt review.') ->assertSee('2 additional subjects stay in internal detail.'); expect(substr_count($response->getContent(), 'Showing the first 8 governed subjects'))->toBeGreaterThanOrEqual(2); });