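set('tenantpilot.hardening.intune_write_gate.enabled', true);
    config()->set('tenantpilot.hardening.intune_write_gate.freshness_threshold_hours', 24);
});

// The tests below pin the blocking behaviour of the Intune write gate for
// tenants without a usable RBAC status. A null rbac_status and an explicit
// 'not_configured' are both expected to block with the same reason code, so
// missing state is never read as permission to write.
//
// NOTE(review): every tenant here has rbac_last_checked_at = null, so the
// 24-hour freshness threshold configured above is not exercised by these
// four tests; confirm that stale-check cases are covered elsewhere.

/**
 * evaluate() must throw for a tenant with no recorded RBAC status, and the
 * exception must carry the reason code, tenant id and operation type.
 */
test('gate blocks when rbac_status is null', function () {
    $tenant = Tenant::factory()->create([
        'rbac_status' => null,
        'rbac_last_checked_at' => null,
    ]);

    $gate = app(WriteGateInterface::class);

    expect(fn () => $gate->evaluate($tenant, 'restore.execute'))
        ->toThrow(ProviderAccessHardeningRequired::class);

    try {
        $gate->evaluate($tenant, 'restore.execute');

        // Without this guard, a second call that does not throw would skip
        // every payload assertion in the catch block and still pass.
        $this->fail('Expected ProviderAccessHardeningRequired to be thrown');
    } catch (ProviderAccessHardeningRequired $e) {
        expect($e->reasonCode)->toBe('intune_rbac.not_configured')
            ->and($e->tenantId)->toBe((int) $tenant->getKey())
            ->and($e->operationType)->toBe('restore.execute');
    }
});

/**
 * evaluate() must throw for a tenant whose RBAC status is explicitly
 * 'not_configured', with the same reason code as the null case.
 */
test('gate blocks when rbac_status is not_configured', function () {
    $tenant = Tenant::factory()->create([
        'rbac_status' => 'not_configured',
        'rbac_last_checked_at' => null,
    ]);

    $gate = app(WriteGateInterface::class);

    try {
        $gate->evaluate($tenant, 'restore.execute');

        // Reaching this line means the gate let the write through.
        $this->fail('Expected ProviderAccessHardeningRequired to be thrown');
    } catch (ProviderAccessHardeningRequired $e) {
        expect($e->reasonCode)->toBe('intune_rbac.not_configured')
            ->and($e->tenantId)->toBe((int) $tenant->getKey());
    }
});

/**
 * wouldBlock() must report true for a tenant with no recorded RBAC status.
 */
test('wouldBlock returns true when rbac_status is null', function () {
    $tenant = Tenant::factory()->create([
        'rbac_status' => null,
        'rbac_last_checked_at' => null,
    ]);

    expect(app(WriteGateInterface::class)->wouldBlock($tenant))->toBeTrue();
});

/**
 * wouldBlock() must report true for a tenant whose RBAC status is
 * 'not_configured'.
 */
test('wouldBlock returns true when rbac_status is not_configured', function () {
    $tenant = Tenant::factory()->create([
        'rbac_status' => 'not_configured',
        'rbac_last_checked_at' => null,
    ]);

    expect(app(WriteGateInterface::class)->wouldBlock($tenant))->toBeTrue();
});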