TenantAtlas/apps/platform/tests/Feature/Findings/FindingWorkflowServiceTest.php

<?php

declare(strict_types=1);

use App\Models\Finding;
use App\Models\User;
use App\Services\Findings\FindingWorkflowService;
use App\Support\Audit\AuditActionId;
use Illuminate\Auth\Access\AuthorizationException;

it('enforces the canonical transition matrix for service-driven status changes', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $service = app(FindingWorkflowService::class);

    $newFinding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW);
    $triagedFinding = $service->triage($newFinding, $tenant, $user);

    expect($triagedFinding->status)->toBe(Finding::STATUS_TRIAGED)
        ->and($this->latestFindingAudit($triagedFinding, AuditActionId::FindingTriaged))->not->toBeNull();

    $inProgressFinding = $service->startProgress($triagedFinding, $tenant, $user);

    expect($inProgressFinding->status)->toBe(Finding::STATUS_IN_PROGRESS)
        ->and($this->latestFindingAudit($inProgressFinding, AuditActionId::FindingInProgress))->not->toBeNull();

    $resolvedFinding = $service->resolve($inProgressFinding, $tenant, $user, 'patched');

    expect($resolvedFinding->status)->toBe(Finding::STATUS_RESOLVED)
        ->and($resolvedFinding->resolved_reason)->toBe('patched')
        ->and($this->latestFindingAudit($resolvedFinding, AuditActionId::FindingResolved))->not->toBeNull();

    $reopenedFinding = $service->reopen($resolvedFinding, $tenant, $user, 'The issue recurred after remediation.');

    expect($reopenedFinding->status)->toBe(Finding::STATUS_REOPENED)
        ->and($reopenedFinding->reopened_at)->not->toBeNull()
        ->and($this->latestFindingAudit($reopenedFinding, AuditActionId::FindingReopened))->not->toBeNull();

    expect(fn () => $service->startProgress($this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW), $tenant, $user))
        ->toThrow(\InvalidArgumentException::class, 'Finding cannot be moved to in-progress from the current status.');
});

it('enforces tenant-member validation for owner and assignee reassignment', function (): void {
    [$owner, $tenant] = createUserWithTenant(role: 'owner');
    $assignee = User::factory()->create();
    createUserWithTenant(tenant: $tenant, user: $assignee, role: 'operator');
    $outsider = User::factory()->create();

    $finding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_TRIAGED);
    $service = app(FindingWorkflowService::class);

    $assignedFinding = $service->assign(
        finding: $finding,
        tenant: $tenant,
        actor: $owner,
        assigneeUserId: (int) $assignee->getKey(),
        ownerUserId: (int) $owner->getKey(),
    );

    expect((int) $assignedFinding->assignee_user_id)->toBe((int) $assignee->getKey())
        ->and((int) $assignedFinding->owner_user_id)->toBe((int) $owner->getKey())
        ->and($this->latestFindingAudit($assignedFinding, AuditActionId::FindingAssigned))->not->toBeNull();

    expect(fn () => $service->assign(
        finding: $assignedFinding,
        tenant: $tenant,
        actor: $owner,
        assigneeUserId: (int) $outsider->getKey(),
        ownerUserId: (int) $owner->getKey(),
    ))->toThrow(\InvalidArgumentException::class, 'assignee_user_id must reference a current tenant member.');
});

it('requires explicit reasons for resolve close and risk accept mutations', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $service = app(FindingWorkflowService::class);

    expect(fn () => $service->resolve($this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW), $tenant, $user, '   '))
        ->toThrow(\InvalidArgumentException::class, 'resolved_reason is required.');

    expect(fn () => $service->close($this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW), $tenant, $user, '   '))
        ->toThrow(\InvalidArgumentException::class, 'closed_reason is required.');

    expect(fn () => $service->reopen($this->makeFindingForWorkflow($tenant, Finding::STATUS_RESOLVED), $tenant, $user, '   '))
        ->toThrow(\InvalidArgumentException::class, 'reopen_reason is required.');

    expect(fn () => $service->riskAccept($this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW), $tenant, $user, '   '))
        ->toThrow(\InvalidArgumentException::class, 'closed_reason is required.');
});

it('returns 403 for in-scope members without the required workflow capability', function (): void {
    [$owner, $tenant] = createUserWithTenant(role: 'owner');
    [$readonly] = createUserWithTenant(tenant: $tenant, role: 'readonly');
    $finding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW);

    expect(fn () => app(FindingWorkflowService::class)->resolve($finding, $tenant, $readonly, 'patched'))
        ->toThrow(AuthorizationException::class);

    expect(app(FindingWorkflowService::class)->resolve($finding, $tenant, $owner, 'patched')->status)
        ->toBe(Finding::STATUS_RESOLVED);
});