create(); $tenantB = ManagedEnvironment::factory()->create(); [$user] = createUserWithTenant($tenantA, role: 'owner'); $tenantB->forceFill(['workspace_id' => (int) $tenantA->workspace_id])->save(); createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner'); $runA = OperationRun::factory()->create([ 'managed_environment_id' => $tenantA->getKey(), 'type' => 'policy.sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'TenantA', ]); $runB = OperationRun::factory()->create([ 'managed_environment_id' => $tenantB->getKey(), 'type' => 'inventory_sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'TenantB', ]); setAdminPanelContext($tenantA); $this->withSession([WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id]); session([WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id]); Livewire::withHeaders(['referer' => route('admin.operations.index', ['workspace' => $tenantA->workspace])]) ->actingAs($user) ->withQueryParams(['environment_id' => (int) $tenantA->getKey()]) ->test(Operations::class) ->assertCanSeeTableRecords([$runA]) ->assertCanNotSeeTableRecords([$runB]) ->assertSet('tableFilters.managed_environment_id.value', (string) $tenantA->getKey()); $this->actingAs($user) ->withSession([WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id]) ->get(\App\Support\OperationRunLinks::index()) ->assertOk() ->assertSee('Policy sync') ->assertSee('Inventory sync') ->assertSee(__('localization.shell.all_environments')) ->assertDontSee(__('localization.shell.environment_scope').': '.$tenantA->name); }); it('does not default Monitoring → Operations list to the remembered tenant', function () { $tenantA = ManagedEnvironment::factory()->create(); $tenantB = ManagedEnvironment::factory()->create(); [$user] = createUserWithTenant($tenantA, role: 'owner'); $tenantB->forceFill(['workspace_id' => (int) $tenantA->workspace_id])->save(); createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner'); $runA = OperationRun::factory()->create([ 'managed_environment_id' => $tenantA->getKey(), 'type' => 'policy.sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'TenantA', ]); $runB = OperationRun::factory()->create([ 'managed_environment_id' => $tenantB->getKey(), 'type' => 'inventory_sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'TenantB', ]); setAdminPanelContext(); $workspaceId = (int) $tenantA->workspace_id; app(WorkspaceContext::class)->rememberLastTenantId($workspaceId, (int) $tenantA->getKey()); $this->withSession([WorkspaceContext::SESSION_KEY => $workspaceId]); session([WorkspaceContext::SESSION_KEY => $workspaceId]); Livewire::withHeaders(['referer' => route('admin.operations.index', ['workspace' => $tenantA->workspace])]) ->actingAs($user) ->test(Operations::class) ->assertCanSeeTableRecords([$runA, $runB]) ->assertSet('tableFilters.managed_environment_id.value', null); $this->actingAs($user) ->withSession([WorkspaceContext::SESSION_KEY => $workspaceId]) ->get(\App\Support\OperationRunLinks::index()) ->assertOk() ->assertSee($tenantA->name) ->assertSee('Policy sync') ->assertSee('Inventory sync') ->assertSee(__('localization.shell.all_environments')) ->assertDontSee(__('localization.shell.environment_scope').': '.$tenantA->name); }); it('scopes Monitoring → Operations tabs to the workspace unless an explicit page filter is active', function () { $tenantA = ManagedEnvironment::factory()->create(); $tenantB = ManagedEnvironment::factory()->create(); [$user] = createUserWithTenant($tenantA, role: 'owner'); $tenantB->forceFill(['workspace_id' => (int) $tenantA->workspace_id])->save(); createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner'); $runActiveA = OperationRun::factory()->create([ 'managed_environment_id' => $tenantA->getKey(), 'type' => 'policy.sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'A-active', ]); $runStaleA = OperationRun::factory()->create([ 'managed_environment_id' => $tenantA->getKey(), 'type' => 'inventory_sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'A-stale', 'created_at' => now()->subHour(), ]); $runSucceededA = OperationRun::factory()->create([ 'managed_environment_id' => $tenantA->getKey(), 'type' => 'policy.sync', 'status' => 'completed', 'outcome' => 'succeeded', 'initiator_name' => 'A-succeeded', ]); $runPartialA = OperationRun::factory()->create([ 'managed_environment_id' => $tenantA->getKey(), 'type' => 'policy.sync', 'status' => 'completed', 'outcome' => 'partially_succeeded', 'initiator_name' => 'A-partial', ]); $runBlockedA = OperationRun::factory()->create([ 'managed_environment_id' => $tenantA->getKey(), 'type' => 'policy.sync', 'status' => 'completed', 'outcome' => 'blocked', 'initiator_name' => 'A-blocked', ]); $runFailedA = OperationRun::factory()->create([ 'managed_environment_id' => $tenantA->getKey(), 'type' => 'policy.sync', 'status' => 'completed', 'outcome' => 'failed', 'initiator_name' => 'A-failed', ]); $runActiveB = OperationRun::factory()->create([ 'managed_environment_id' => $tenantB->getKey(), 'type' => 'inventory_sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'B-active', ]); $runFailedB = OperationRun::factory()->create([ 'managed_environment_id' => $tenantB->getKey(), 'type' => 'inventory_sync', 'status' => 'completed', 'outcome' => 'failed', 'initiator_name' => 'B-failed', ]); setAdminPanelContext($tenantA); $this->withSession([ WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id, ]); session([ WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id, ]); Livewire::withHeaders(['referer' => route('admin.operations.index', ['workspace' => $tenantA->workspace])]) ->actingAs($user) ->test(Operations::class) ->assertCanSeeTableRecords([$runActiveA, $runStaleA, $runSucceededA, $runPartialA, $runBlockedA, $runFailedA, $runActiveB, $runFailedB]) ->set('activeTab', 'active') ->assertCanSeeTableRecords([$runActiveA, $runActiveB]) ->assertCanNotSeeTableRecords([$runStaleA, $runSucceededA, $runPartialA, $runBlockedA, $runFailedA, $runFailedB]) ->set('activeTab', OperationRun::PROBLEM_CLASS_ACTIVE_STALE_ATTENTION) ->assertCanSeeTableRecords([$runStaleA]) ->assertCanNotSeeTableRecords([$runActiveA, $runSucceededA, $runPartialA, $runBlockedA, $runFailedA, $runActiveB, $runFailedB]) ->set('activeTab', OperationRun::PROBLEM_CLASS_TERMINAL_FOLLOW_UP) ->assertCanSeeTableRecords([$runPartialA, $runBlockedA, $runFailedA, $runFailedB]) ->assertCanNotSeeTableRecords([$runActiveA, $runStaleA, $runSucceededA, $runActiveB]) ->set('activeTab', 'succeeded') ->assertCanSeeTableRecords([$runSucceededA]) ->assertCanNotSeeTableRecords([$runActiveA, $runStaleA, $runPartialA, $runBlockedA, $runFailedA, $runActiveB, $runFailedB]) ->set('activeTab', 'partial') ->assertCanSeeTableRecords([$runPartialA]) ->assertCanNotSeeTableRecords([$runActiveA, $runStaleA, $runSucceededA, $runBlockedA, $runFailedA, $runActiveB, $runFailedB]) ->set('activeTab', 'failed') ->assertCanSeeTableRecords([$runFailedA, $runFailedB]) ->assertCanNotSeeTableRecords([$runActiveA, $runStaleA, $runSucceededA, $runPartialA, $runBlockedA, $runActiveB]); $this->actingAs($user) ->withSession([ WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id, ]) ->get(\App\Support\OperationRunLinks::index()) ->assertOk() ->assertSee('Likely stale') ->assertSee('Terminal follow-up') ->assertSee('Succeeded') ->assertSee('Partial') ->assertSee('Failed'); }); it('prevents cross-workspace access to Monitoring → Operations detail', function () { $tenantA = ManagedEnvironment::factory()->create(); [$user, $tenantA] = createUserWithTenant($tenantA, role: 'owner'); $tenantB = ManagedEnvironment::factory()->create(); $runB = OperationRun::factory()->create([ 'managed_environment_id' => $tenantB->getKey(), 'type' => 'inventory_sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'TenantB', ]); $this->actingAs($user) ->withSession([WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id]) ->get(\App\Support\OperationRunLinks::tenantlessView($runB)) ->assertNotFound(); });