create(); $this->actingAs($outsider) ->get(CoverageV2Readiness::getUrl(tenant: $environment)) ->assertNotFound(); }); it('Spec423 keeps Coverage v2 readiness access deny-as-not-found for wrong managed environment scope', function (): void { [$owner, $environment] = createUserWithTenant(role: 'owner'); $otherEnvironment = ManagedEnvironment::factory()->create(['workspace_id' => (int) $environment->workspace_id]); $outsider = User::factory()->create(); WorkspaceMembership::factory()->create([ 'workspace_id' => (int) $environment->workspace_id, 'user_id' => (int) $outsider->getKey(), 'role' => 'owner', ]); DB::table('managed_environment_memberships')->insert([ 'id' => (string) Str::uuid(), 'managed_environment_id' => (int) $otherEnvironment->getKey(), 'user_id' => (int) $outsider->getKey(), 'role' => 'owner', 'source' => 'manual', 'created_at' => now(), 'updated_at' => now(), ]); $this->actingAs($outsider); $environment->makeCurrent(); Filament::setTenant($environment, true); $this->get(CoverageV2Readiness::getUrl(tenant: $environment)) ->assertNotFound(); }); it('Spec423 keeps Coverage v2 readiness access forbidden for in-scope members missing capability', function (): void { [$user, $environment] = createUserWithTenant(role: 'owner'); $this->actingAs($user); $environment->makeCurrent(); Filament::setTenant($environment, true); app()->instance(ManagedEnvironmentAccessScopeResolver::class, new class { public function decision(User $user, ManagedEnvironment $environment, ?string $requiredCapability = null): ManagedEnvironmentAccessDecision { return new ManagedEnvironmentAccessDecision( workspaceId: (int) $environment->workspace_id, managedEnvironmentId: (int) $environment->getKey(), userId: (int) $user->getKey(), workspaceMember: true, workspaceRole: 'owner', explicitScopeRowsPresent: false, managedEnvironmentAllowed: true, failedBoundary: 'capability', requiredCapability: $requiredCapability, capabilityAllowed: false, denialHttpStatus: 403, ); } }); try { $this->get(CoverageV2Readiness::getUrl(tenant: $environment)) ->assertForbidden(); } finally { app()->forgetInstance(ManagedEnvironmentAccessScopeResolver::class); } });