*/ function governanceArtifactLegacyTenantGuardedFiles(): array { $root = SourceFileScanner::projectRoot(); return [ $root.'/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php', $root.'/app/Filament/Pages/Reviews/ReviewRegister.php', $root.'/app/Filament/Resources/BackupScheduleResource.php', $root.'/app/Filament/Resources/BackupSetResource.php', $root.'/app/Filament/Resources/EvidenceSnapshotResource.php', $root.'/app/Filament/Resources/FindingExceptionResource.php', $root.'/app/Filament/Resources/FindingResource.php', $root.'/app/Filament/Resources/InventoryItemResource.php', $root.'/app/Filament/Resources/PolicyResource.php', $root.'/app/Filament/Resources/PolicyVersionResource.php', $root.'/app/Filament/Resources/RestoreRunResource.php', $root.'/app/Filament/Resources/ReviewPackResource.php', $root.'/app/Filament/Resources/StoredReportResource.php', $root.'/app/Filament/Resources/TenantReviewResource.php', $root.'/app/Support/GovernanceInbox/GovernanceInboxSectionBuilder.php', $root.'/app/Support/Navigation/RelatedNavigationResolver.php', $root.'/app/Support/OperationRunLinks.php', $root.'/app/Support/SupportDiagnostics/SupportDiagnosticBundleBuilder.php', $root.'/app/Support/Ui/GovernanceArtifactTruth/ArtifactTruthPresenter.php', ]; } /** * @return list */ function governanceArtifactLegacyTenantForbiddenPatterns(): array { return [ [ 'pattern' => "/panel:\\s*'tenant'/", 'reason' => 'Touched governance artifact surfaces must not emit tenant-panel URLs directly.', ], [ 'pattern' => '/\\/admin\\/t\\//', 'reason' => 'Touched governance artifact surfaces must not hardcode legacy /admin/t route language.', ], [ 'pattern' => "/TenantReviewResource::tenantScopedUrl\\([^\\n]*,\\s*'tenant'\\)/", 'reason' => 'Touched review drillthrough call-sites must not carry a stale tenant-panel hint.', ], [ 'pattern' => '/\\bManagedEnvironment::current\\s*\\(/', 'reason' => 'Touched governance artifact surfaces must not rely on tenant-panel-only current-environment fallbacks.', ], [ 'pattern' => '/\\bFilament::getTenant\\s*\\(/', 'reason' => 'Touched governance artifact surfaces must resolve admin context through the shared panel resolver, not raw Filament tenant reads.', ], [ 'pattern' => "/getCurrentPanel\\(\\)\\?->getId\\(\\)\\s*===\\s*'admin'/", 'reason' => 'Touched governance artifact resources must not stay hidden behind admin-only registration guards.', ], ]; } it('keeps touched governance artifact sources free of tenant-panel route language and fallback guards', function (): void { $violations = []; foreach (governanceArtifactLegacyTenantGuardedFiles() as $path) { $source = SourceFileScanner::read($path); $lines = preg_split('/\R/', $source) ?: []; foreach ($lines as $index => $line) { foreach (governanceArtifactLegacyTenantForbiddenPatterns() as $pattern) { if (preg_match($pattern['pattern'], $line) !== 1) { continue; } $violations[] = [ 'file' => SourceFileScanner::relativePath($path), 'line' => $index + 1, 'snippet' => SourceFileScanner::snippet($source, $index + 1), 'reason' => $pattern['reason'], ]; } } } expect($violations)->toBeEmpty(); })->group('surface-guard'); it('keeps tenant review scoped urls on workspace-first admin routes even when a legacy tenant hint is supplied', function (): void { $tenant = ManagedEnvironment::factory()->create(); [$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner', setUiContext: false); $snapshot = seedTenantReviewEvidence($tenant); $review = composeTenantReviewForTest($tenant, $user, $snapshot); $workspace = Workspace::query()->whereKey((int) $tenant->workspace_id)->firstOrFail(); setAdminPanelContext(); $path = parse_url( TenantReviewResource::tenantScopedUrl('view', ['record' => $review], $tenant, 'tenant'), PHP_URL_PATH, ); expect($path) ->toBe('/admin/workspaces/'.$workspace->getRouteKey().'/environments/'.$tenant->getRouteKey().'/reviews/'.$review->getRouteKey()) ->not->toContain('/admin/t/'); })->group('surface-guard');