actingAs($user); Filament::setTenant($tenant, true); $finding = Finding::factory()->for($tenant)->create([ 'status' => Finding::STATUS_NEW, ]); $component = Livewire::test(ListFindings::class); $component ->callTableAction('triage', $finding) ->assertHasNoTableActionErrors(); $finding->refresh(); expect($finding->status)->toBe(Finding::STATUS_TRIAGED) ->and($finding->triaged_at)->not->toBeNull(); $component ->callTableAction('start_progress', $finding) ->assertHasNoTableActionErrors(); $finding->refresh(); expect($finding->status)->toBe(Finding::STATUS_IN_PROGRESS) ->and($finding->in_progress_at)->not->toBeNull(); $component ->callTableAction('resolve', $finding, [ 'resolved_reason' => 'patched', ]) ->assertHasNoTableActionErrors(); $finding->refresh(); expect($finding->status)->toBe(Finding::STATUS_RESOLVED) ->and($finding->resolved_reason)->toBe('patched') ->and($finding->resolved_at)->not->toBeNull(); $component ->filterTable('open', false) ->callTableAction('reopen', $finding, [ 'reopen_reason' => 'The issue recurred in a later scan.', ]) ->assertHasNoTableActionErrors(); $finding->refresh(); expect($finding->status)->toBe(Finding::STATUS_REOPENED) ->and($finding->reopened_at)->not->toBeNull() ->and($finding->due_at)->not->toBeNull(); }); it('supports close and request exception via row actions', function (): void { [$user, $tenant] = createUserWithTenant(role: 'owner'); $this->actingAs($user); Filament::setTenant($tenant, true); $closeFinding = Finding::factory()->for($tenant)->create([ 'status' => Finding::STATUS_NEW, ]); $exceptionFinding = Finding::factory()->for($tenant)->create([ 'status' => Finding::STATUS_NEW, ]); $component = Livewire::test(ListFindings::class); $component ->callTableAction('close', $closeFinding, [ 'closed_reason' => 'duplicate ticket', ]) ->assertHasNoTableActionErrors(); $component ->callTableAction('request_exception', $exceptionFinding, [ 'owner_user_id' => (int) $user->getKey(), 'request_reason' => 'accepted by security', 'review_due_at' => now()->addDays(14)->toDateTimeString(), 'expires_at' => now()->addDays(30)->toDateTimeString(), ]) ->assertHasNoTableActionErrors(); expect($closeFinding->refresh()->status)->toBe(Finding::STATUS_CLOSED) ->and($closeFinding->closed_reason)->toBe('duplicate ticket'); $exception = FindingException::query() ->where('finding_id', (int) $exceptionFinding->getKey()) ->first(); expect($exception)->toBeInstanceOf(FindingException::class) ->and($exception?->status)->toBe(FindingException::STATUS_PENDING) ->and($exception?->request_reason)->toBe('accepted by security'); }); it('keeps unchanged roles intact and exposes explicit assignment help text on row actions', function (): void { [$manager, $tenant] = createUserWithTenant(role: 'manager'); $this->actingAs($manager); Filament::setTenant($tenant, true); $initialOwner = User::factory()->create(); createUserWithTenant(tenant: $tenant, user: $initialOwner, role: 'manager'); $initialAssignee = User::factory()->create(); createUserWithTenant(tenant: $tenant, user: $initialAssignee, role: 'operator'); $replacementOwner = User::factory()->create(); createUserWithTenant(tenant: $tenant, user: $replacementOwner, role: 'manager'); $replacementAssignee = User::factory()->create(); createUserWithTenant(tenant: $tenant, user: $replacementAssignee, role: 'operator'); $outsider = User::factory()->create(); $finding = Finding::factory()->for($tenant)->create([ 'status' => Finding::STATUS_NEW, 'owner_user_id' => (int) $initialOwner->getKey(), 'assignee_user_id' => (int) $initialAssignee->getKey(), ]); $component = Livewire::test(ListFindings::class) ->mountTableAction('assign', $finding) ->assertFormFieldExists('owner_user_id', function (Select $field): bool { $helperText = collect($field->getChildSchema(Field::BELOW_CONTENT_SCHEMA_KEY)?->getComponents() ?? []) ->filter(fn (mixed $component): bool => $component instanceof Text) ->map(fn (Text $component): string => (string) $component->getContent()) ->implode(' '); return $field->getLabel() === 'Accountable owner' && str_contains($helperText, 'accountable for ensuring the finding reaches a governed outcome'); }) ->assertFormFieldExists('assignee_user_id', function (Select $field): bool { $helperText = collect($field->getChildSchema(Field::BELOW_CONTENT_SCHEMA_KEY)?->getComponents() ?? []) ->filter(fn (mixed $component): bool => $component instanceof Text) ->map(fn (Text $component): string => (string) $component->getContent()) ->implode(' '); return $field->getLabel() === 'Active assignee' && str_contains($helperText, 'currently expected to perform or coordinate the remediation work'); }); $component ->callTableAction('assign', $finding, [ 'assignee_user_id' => (int) $replacementAssignee->getKey(), 'owner_user_id' => (int) $initialOwner->getKey(), ]) ->assertHasNoTableActionErrors(); $finding->refresh(); expect((int) $finding->assignee_user_id)->toBe((int) $replacementAssignee->getKey()) ->and((int) $finding->owner_user_id)->toBe((int) $initialOwner->getKey()); $component ->callTableAction('assign', $finding, [ 'assignee_user_id' => (int) $replacementAssignee->getKey(), 'owner_user_id' => (int) $replacementOwner->getKey(), ]) ->assertHasNoTableActionErrors(); $finding->refresh(); expect((int) $finding->assignee_user_id)->toBe((int) $replacementAssignee->getKey()) ->and((int) $finding->owner_user_id)->toBe((int) $replacementOwner->getKey()); $component ->callTableAction('assign', $finding, [ 'assignee_user_id' => (int) $outsider->getKey(), 'owner_user_id' => (int) $replacementOwner->getKey(), ]); $finding->refresh(); expect((int) $finding->assignee_user_id)->toBe((int) $replacementAssignee->getKey()) ->and((int) $finding->owner_user_id)->toBe((int) $replacementOwner->getKey()); }); it('returns 404 when a forged foreign-tenant assign row action is mounted', function (): void { $tenantA = Tenant::factory()->create(); [$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner'); $tenantB = Tenant::factory()->create([ 'workspace_id' => (int) $tenantA->workspace_id, ]); createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner'); $foreignFinding = Finding::factory()->for($tenantB)->create([ 'status' => Finding::STATUS_NEW, ]); $this->actingAs($user); Filament::setCurrentPanel('admin'); Filament::setTenant(null, true); Filament::bootCurrentPanel(); session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id); session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, [ (string) $tenantA->workspace_id => (int) $tenantA->getKey(), ]); $component = Livewire::actingAs($user)->test(ListFindings::class); expect(fn () => $component->instance()->mountTableAction('assign', (string) $foreignFinding->getKey())) ->toThrow(NotFoundHttpException::class); }); it('keeps the admin workflow surface scoped to the canonical tenant', function (): void { $tenantA = Tenant::factory()->create(); [$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner'); $tenantB = Tenant::factory()->create([ 'workspace_id' => (int) $tenantA->workspace_id, ]); createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner'); $visibleFinding = Finding::factory()->for($tenantA)->create([ 'status' => Finding::STATUS_NEW, ]); $hiddenFinding = Finding::factory()->for($tenantB)->create([ 'status' => Finding::STATUS_NEW, ]); $this->actingAs($user); Filament::setCurrentPanel('admin'); Filament::setTenant(null, true); Filament::bootCurrentPanel(); session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id); session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, [ (string) $tenantA->workspace_id => (int) $tenantA->getKey(), ]); Livewire::actingAs($user)->test(ListFindings::class) ->assertCanSeeTableRecords([$visibleFinding]) ->assertCanNotSeeTableRecords([$hiddenFinding]); });