browser()->timeout(60_000);
// The timeout above is set to 60_000; its unit is defined by the browser plugin and is not visible here.

uses(RefreshDatabase::class);

/*
 * Spec412 browser smoke test. It covers two things in one scenario:
 *
 *  1. The finding detail page shows the human-readable finding name and the
 *     "collapsed by default" helper copy, while the seeded technical
 *     identifiers (fingerprint, scope key, subject id, source fingerprint)
 *     are not shown.
 *  2. A readonly user sent to the provider-connections no-access page sees the
 *     permission-specific message, not the "no workspace yet" message, and
 *     does not see the seeded provider connection name.
 *
 * NOTE(review): both halves assert on what the browser driver reports as seen
 * text. Whether collapsed-but-present DOM content counts as "seen" is not
 * visible here. Confirm, because a marker could still be delivered in the page
 * source for a user who is not authorized to expand it.
 */
it('Spec412 smokes finding detail hash demotion and provider no-access clarity', function (): void {
    [$owner, $tenant] = createUserWithTenant(
        role: 'owner',
        workspaceRole: 'owner',
        clearCapabilityCaches: true,
    );

    $workspaceId = (int) $tenant->workspace_id;

    // Distinctive marker values: if any of them is rendered, the assertions below catch it.
    $hiddenFingerprint = 'spec412-browser-fingerprint-hidden';
    $hiddenScopeKey = 'spec412-browser-scope-hidden';
    $hiddenSubjectId = 'spec412-browser-subject-hidden';
    $hiddenSourceFingerprint = 'spec412-browser-source-hidden';
    $humanTitle = 'Spec412 Browser Human Finding';

    $finding = Finding::factory()
        ->for($tenant)
        ->create([
            'workspace_id' => $workspaceId,
            'fingerprint' => $hiddenFingerprint,
            'scope_key' => $hiddenScopeKey,
            'subject_external_id' => $hiddenSubjectId,
            'evidence_jsonb' => [
                'display_name' => $humanTitle,
                'summary' => [
                    'source_fingerprint' => $hiddenSourceFingerprint,
                    'affected_scope' => 'Human-readable pilot scope',
                ],
                'artifact' => [
                    // NOTE(review): this marker is seeded but never asserted absent below,
                    // unlike the other "-hidden" values. Confirm whether that is intentional.
                    'detector_key' => 'spec412-browser-detector-hidden',
                ],
            ],
        ]);

    spec412AuthenticateBrowser($this, $owner, $tenant);

    $findingUrl = FindingResource::getUrl('view', ['record' => $finding], tenant: $tenant, panel: 'admin');

    visit($findingUrl)
        ->resize(1440, 1100)
        ->waitForText($humanTitle)
        ->assertSee('Technical identifiers')
        ->assertSee('Support identifiers stay collapsed by default and are intended for authorized troubleshooting.')
        ->assertSee('Evidence (Sanitized)')
        ->assertSee('Sanitized evidence JSON is collapsed so technical payload shape does not become default finding content.')
        // Even an owner should not see the raw identifiers in the default view.
        ->assertDontSee($hiddenFingerprint)
        ->assertDontSee($hiddenScopeKey)
        ->assertDontSee($hiddenSourceFingerprint)
        ->assertDontSee($hiddenSubjectId)
        ->assertNoJavaScriptErrors()
        ->assertNoConsoleLogs();

    $providerName = 'Spec412 Browser Provider';

    // Created only so that its display name exists and could leak; the model itself is not used again.
    $providerConnection = ProviderConnection::factory()
        ->platform()
        ->verifiedHealthy()
        ->create([
            'workspace_id' => $workspaceId,
            'managed_environment_id' => (int) $tenant->getKey(),
            'display_name' => $providerName,
        ]);

    // Second user in the same tenant, restricted to the readonly role at both levels.
    [$readonlyUser] = createUserWithTenant(
        tenant: $tenant,
        role: 'readonly',
        workspaceRole: 'readonly',
        clearCapabilityCaches: true,
    );

    // The readonly user is sent straight to the no-access page. This checks the wording and
    // that the provider name is not leaked there. It does not check that the
    // provider-connections surface itself rejects the readonly role.
    $noAccessUrl = spec412BrowserLoginUrl(
        $readonlyUser,
        $tenant,
        '/admin/no-access?surface=provider-connections&reason=permission',
    );

    visit($noAccessUrl)
        ->resize(1440, 1000)
        ->waitForText('You do not have access to provider connections.')
        ->assertSee('You are signed in, but your current workspace or environment role does not include provider connection access.')
        ->assertDontSee('You do not have access to a workspace yet.')
        ->assertDontSee('Ask an administrator to add you to a workspace, then sign in again.')
        ->assertDontSee($providerName)
        ->assertNoJavaScriptErrors()
        ->assertNoConsoleLogs();
});

/**
 * Authenticate the given user on the test case and seed the workspace/environment session keys.
 *
 * The same key/value pairs are passed to the test case via withSession() and written through the
 * session() helper, and the admin panel context is then set to the environment.
 * NOTE(review): the reason for writing the session twice is not visible here. Presumably the
 * browser-driven request reads the live session store; confirm.
 *
 * @param mixed $test The running test case; must provide actingAs()
 * @param User $user User to authenticate as
 * @param ManagedEnvironment $environment Environment whose workspace and key are stored in session
 */
function spec412AuthenticateBrowser(
    mixed $test,
    User $user,
    ManagedEnvironment $environment,
): void {
    $workspaceId = (int) $environment->workspace_id;
    $environmentId = (int) $environment->getKey();

    $sessionState = [
        WorkspaceContext::SESSION_KEY => $workspaceId,
        WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY => [
            (string) $workspaceId => $environmentId,
        ],
    ];

    $test->actingAs($user)->withSession($sessionState);

    foreach ($sessionState as $sessionKey => $sessionValue) {
        session()->put($sessionKey, $sessionValue);
    }

    setAdminPanelContext($environment);
}

/**
 * Build the URL of the 'admin.local.smoke-login' route for a user, with a post-login redirect.
 *
 * The redirect is first reduced to path and query by spec412RelativeBrowserPath().
 *
 * NOTE(review): the route takes an e-mail address and a redirect target, and its definition is
 * not visible here. Confirm that it is registered only in local/testing environments and that
 * it validates the redirect server-side; this helper only constrains what the test sends.
 */
function spec412BrowserLoginUrl(User $user, ManagedEnvironment $environment, string $redirect): string
{
    $loginParameters = [
        'email' => $user->email,
        'tenant' => $environment->external_id,
        'workspace' => $environment->workspace->slug,
        'redirect' => spec412RelativeBrowserPath($redirect),
    ];

    return route('admin.local.smoke-login', $loginParameters);
}

/**
 * Reduce a URL to its path plus optional query string, dropping scheme, host and fragment.
 *
 * Returns '/admin' when parse_url() fails, and uses '/admin' as the path when none is present.
 * The path is returned exactly as parsed and is not checked for a leading '/'. This is a
 * convenience for fixed test inputs, not a redirect-safety validator for untrusted values.
 */
function spec412RelativeBrowserPath(string $url): string
{
    $components = parse_url($url);

    if ($components === false) {
        return '/admin';
    }

    $path = $components['path'] ?? '/admin';

    $querySuffix = '';
    if (isset($components['query'])) {
        $querySuffix = '?'.$components['query'];
    }

    return $path.$querySuffix;
}