TenantAtlas/tests/Feature/Audit/ProviderConnectionMigrationAuditTest.php

<?php

declare(strict_types=1);

use App\Models\AuditLog;
use App\Models\ProviderConnection;
use App\Models\ProviderCredential;
use App\Models\Tenant;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('audits classification backfill orchestration and applied migration outcomes', function (): void {
    config()->set('graph.client_id', 'platform-client-id');
    config()->set('graph.client_secret', 'platform-client-secret');

    $tenant = Tenant::factory()->create([
        'tenant_id' => 'audit-classification-tenant-id',
        'app_client_id' => 'legacy-tenant-client-id',
        'app_client_secret' => 'legacy-tenant-client-secret',
    ]);

    $connection = ProviderConnection::factory()->platform()->verifiedHealthy()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'provider' => 'microsoft',
        'entra_tenant_id' => 'audit-classification-tenant-id',
        'is_default' => true,
    ]);

    ProviderCredential::factory()->create([
        'provider_connection_id' => (int) $connection->getKey(),
        'source' => null,
        'payload' => [
            'client_id' => 'legacy-different-client-id',
            'client_secret' => 'legacy-different-client-secret',
        ],
    ]);

    $this->artisan('tenantpilot:provider-connections:classify', ['--write' => true])
        ->assertSuccessful();

    $started = AuditLog::query()
        ->where('tenant_id', (int) $tenant->getKey())
        ->where('action', 'provider_connection.migration_classification_started')
        ->latest('id')
        ->first();

    $applied = AuditLog::query()
        ->where('tenant_id', (int) $tenant->getKey())
        ->where('action', 'provider_connection.migration_classification_applied')
        ->latest('id')
        ->first();

    expect($started)->not->toBeNull()
        ->and($started?->status)->toBe('success')
        ->and($started?->metadata)->toMatchArray([
            'source' => 'tenantpilot:provider-connections:classify',
            'candidate_count' => 1,
            'write' => true,
        ]);

    expect($applied)->not->toBeNull()
        ->and($applied?->status)->toBe('success')
        ->and($applied?->resource_type)->toBe('provider_connection')
        ->and($applied?->resource_id)->toBe((string) $connection->getKey())
        ->and($applied?->metadata)->toMatchArray([
            'source' => 'tenantpilot:provider-connections:classify',
            'provider_connection_id' => (int) $connection->getKey(),
            'provider' => 'microsoft',
            'connection_type' => 'dedicated',
            'migration_review_required' => true,
        ]);
});