ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
421261a517
TenantAtlas/apps/platform/tests/Feature/Findings/FindingAuditBackstopTest.php
ahmido 421261a517
Some checks failed
Main Confidence / confidence (push) Failing after 48s
Details
feat: implement finding outcome taxonomy (#267) 
## Summary
- implement the finding outcome taxonomy end-to-end with canonical resolve, close, reopen, and verification semantics
- align finding UI, filters, audit metadata, review summaries, and export/read-model consumers to the shared outcome semantics
- add focused Pest coverage and complete the spec artifacts for feature 231

## Details
- manual resolve is limited to the canonical `remediated` outcome
- close and reopen flows now use bounded canonical reasons
- trusted system clear and reopen distinguish verified-clear from verification-failed and recurrence paths
- duplicate lifecycle backfill now closes findings canonically as `duplicate`
- accepted-risk recording now uses the canonical `accepted_risk` reason
- finding detail and list surfaces now expose terminal outcome and verification summaries
- review, snapshot, and review-pack consumers now propagate the same outcome buckets

## Filament / Platform Contract
- Livewire v4.0+ compatibility remains intact
- provider registration is unchanged and remains in `bootstrap/providers.php`
- no new globally searchable resource was introduced; `FindingResource` still has a View page and `TenantReviewResource` remains globally searchable false
- lifecycle mutations still run through confirmed Filament actions with capability enforcement
- no new asset family was added; the existing `filament:assets` deploy step is unchanged

## Verification
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Findings/FindingWorkflowServiceTest.php tests/Feature/Findings/FindingRecurrenceTest.php tests/Feature/Findings/FindingsListFiltersTest.php tests/Feature/Filament/FindingResolvedReferencePresentationTest.php tests/Feature/Findings/FindingOutcomeSummaryReportingTest.php tests/Feature/Findings/FindingRiskGovernanceProjectionTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Findings tests/Feature/Filament/FindingResolvedReferencePresentationTest.php tests/Feature/Models/FindingResolvedTest.php tests/Unit/Findings/FindingWorkflowServiceTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/TenantReview/TenantReviewExplanationSurfaceTest.php tests/Feature/TenantReview/TenantReviewRegisterTest.php tests/Feature/ReviewPack/TenantReviewDerivedReviewPackTest.php`
- browser smoke: `/admin/findings/my-work` -> finding detail resolve flow -> queue regression check passed

## Notes
- this commit also includes the existing `.github/agents/copilot-instructions.md` workspace change that was already present in the worktree when all changes were committed

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #267
2026-04-23 07:29:05 +00:00

136 lines
5.9 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Models\AuditLog;
use App\Models\Finding;
use App\Models\Tenant;
use App\Services\Audit\AuditRecorder;
use App\Services\Findings\FindingWorkflowService;
use App\Support\Audit\AuditActionId;
use App\Support\Audit\AuditActorSnapshot;
use App\Support\Audit\AuditActorType;
use App\Support\Audit\AuditTargetSnapshot;
it('writes exactly one canonical audit row per successful workflow mutation', function (): void {
[$user, $tenant] = $this->actingAsFindingOperator('owner');
$service = app(FindingWorkflowService::class);
$finding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW);
$service->triage($finding, $tenant, $user);
$service->assign($finding->refresh(), $tenant, $user, null, (int) $user->getKey());
$service->resolve($finding->refresh(), $tenant, $user, Finding::RESOLVE_REASON_REMEDIATED);
$service->reopen($finding->refresh(), $tenant, $user, Finding::REOPEN_REASON_MANUAL_REASSESSMENT);
$service->close($finding->refresh(), $tenant, $user, Finding::CLOSE_REASON_DUPLICATE);
expect(AuditLog::query()
->where('tenant_id', (int) $tenant->getKey())
->where('resource_type', 'finding')
->where('resource_id', (string) $finding->getKey())
->count())->toBe(5);
$closedAudit = $this->latestFindingAudit($finding, AuditActionId::FindingClosed);
expect($closedAudit)->not->toBeNull();
expect($closedAudit->actorSnapshot()->type)->toBe(AuditActorType::Human)
->and($closedAudit->targetDisplayLabel())->toContain('finding')
->and(data_get($closedAudit->metadata, 'before_status'))->toBe(Finding::STATUS_REOPENED)
->and(data_get($closedAudit->metadata, 'after_status'))->toBe(Finding::STATUS_CLOSED)
->and(data_get($closedAudit->metadata, 'closed_reason'))->toBe(Finding::CLOSE_REASON_DUPLICATE)
->and(data_get($closedAudit->metadata, 'before.evidence_jsonb'))->toBeNull()
->and(data_get($closedAudit->metadata, 'after.evidence_jsonb'))->toBeNull();
$reopenedAudit = $this->latestFindingAudit($finding, AuditActionId::FindingReopened);
expect($reopenedAudit)->not->toBeNull()
->and(data_get($reopenedAudit->metadata, 'reopened_reason'))->toBe(Finding::REOPEN_REASON_MANUAL_REASSESSMENT);
});
it('deduplicates repeated finding audit writes for the same successful mutation payload', function (): void {
$tenant = Tenant::factory()->create();
$finding = Finding::factory()->for($tenant)->resolved()->create();
$recorder = app(AuditRecorder::class);
$payload = [
'metadata' => [
'finding_id' => (int) $finding->getKey(),
'before_status' => Finding::STATUS_TRIAGED,
'after_status' => Finding::STATUS_RESOLVED,
'before' => ['status' => Finding::STATUS_TRIAGED],
'after' => ['status' => Finding::STATUS_RESOLVED],
'_dedupe_key' => 'finding-resolved-'.$finding->getKey(),
],
];
$first = $recorder->record(
action: AuditActionId::FindingResolved,
context: $payload,
workspace: $tenant->workspace,
tenant: $tenant,
actor: AuditActorSnapshot::fromLegacy(AuditActorType::Human, 1, 'owner@example.com', 'Owner'),
target: new AuditTargetSnapshot(type: 'finding', id: (string) $finding->getKey(), label: 'Permission posture finding #'.$finding->getKey()),
outcome: 'success',
);
$second = $recorder->record(
action: AuditActionId::FindingResolved,
context: $payload,
workspace: $tenant->workspace,
tenant: $tenant,
actor: AuditActorSnapshot::fromLegacy(AuditActorType::Human, 1, 'owner@example.com', 'Owner'),
target: new AuditTargetSnapshot(type: 'finding', id: (string) $finding->getKey(), label: 'Permission posture finding #'.$finding->getKey()),
outcome: 'success',
);
expect((int) $first->getKey())->toBe((int) $second->getKey())
->and(AuditLog::query()
->where('tenant_id', (int) $tenant->getKey())
->where('action', AuditActionId::FindingResolved->value)
->where('resource_type', 'finding')
->where('resource_id', (string) $finding->getKey())
->count())->toBe(1);
});
it('stores system-origin audit metadata without raw evidence payloads', function (): void {
$tenant = Tenant::factory()->create();
$finding = Finding::factory()->for($tenant)->resolved()->create([
'evidence_jsonb' => [
'secret' => 'should-never-appear',
'payload' => ['a' => 'b'],
],
]);
$audit = app(AuditRecorder::class)->record(
action: AuditActionId::FindingReopened,
context: [
'metadata' => [
'finding_id' => (int) $finding->getKey(),
'before_status' => Finding::STATUS_RESOLVED,
'after_status' => Finding::STATUS_REOPENED,
'before' => [
'status' => Finding::STATUS_RESOLVED,
'evidence_jsonb' => ['secret' => 'leak'],
],
'after' => [
'status' => Finding::STATUS_REOPENED,
'evidence_jsonb' => ['secret' => 'leak'],
],
'system_origin' => true,
'_actor_type' => AuditActorType::System->value,
],
],
workspace: $tenant->workspace,
tenant: $tenant,
actor: AuditActorSnapshot::fromLegacy(AuditActorType::System),
target: new AuditTargetSnapshot(type: 'finding', id: (string) $finding->getKey(), label: 'Drift finding #'.$finding->getKey()),
outcome: 'success',
);
expect($audit->actorSnapshot()->type)->toBe(AuditActorType::System)
->and(data_get($audit->metadata, 'system_origin'))->toBeTrue()
->and(data_get($audit->metadata, 'before.evidence_jsonb'))->toBeNull()
->and(data_get($audit->metadata, 'after.evidence_jsonb'))->toBeNull();
});
Reference in New Issue View Git Blame Copy Permalink