ahmido
421261a517
Some checks failed
Main Confidence / confidence (push) Failing after 48s
## Summary - implement the finding outcome taxonomy end-to-end with canonical resolve, close, reopen, and verification semantics - align finding UI, filters, audit metadata, review summaries, and export/read-model consumers to the shared outcome semantics - add focused Pest coverage and complete the spec artifacts for feature 231 ## Details - manual resolve is limited to the canonical `remediated` outcome - close and reopen flows now use bounded canonical reasons - trusted system clear and reopen distinguish verified-clear from verification-failed and recurrence paths - duplicate lifecycle backfill now closes findings canonically as `duplicate` - accepted-risk recording now uses the canonical `accepted_risk` reason - finding detail and list surfaces now expose terminal outcome and verification summaries - review, snapshot, and review-pack consumers now propagate the same outcome buckets ## Filament / Platform Contract - Livewire v4.0+ compatibility remains intact - provider registration is unchanged and remains in `bootstrap/providers.php` - no new globally searchable resource was introduced; `FindingResource` still has a View page and `TenantReviewResource` remains globally searchable false - lifecycle mutations still run through confirmed Filament actions with capability enforcement - no new asset family was added; the existing `filament:assets` deploy step is unchanged ## Verification - `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Findings/FindingWorkflowServiceTest.php tests/Feature/Findings/FindingRecurrenceTest.php tests/Feature/Findings/FindingsListFiltersTest.php tests/Feature/Filament/FindingResolvedReferencePresentationTest.php tests/Feature/Findings/FindingOutcomeSummaryReportingTest.php tests/Feature/Findings/FindingRiskGovernanceProjectionTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Findings tests/Feature/Filament/FindingResolvedReferencePresentationTest.php tests/Feature/Models/FindingResolvedTest.php tests/Unit/Findings/FindingWorkflowServiceTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/TenantReview/TenantReviewExplanationSurfaceTest.php tests/Feature/TenantReview/TenantReviewRegisterTest.php tests/Feature/ReviewPack/TenantReviewDerivedReviewPackTest.php` - browser smoke: `/admin/findings/my-work` -> finding detail resolve flow -> queue regression check passed ## Notes - this commit also includes the existing `.github/agents/copilot-instructions.md` workspace change that was already present in the worktree when all changes were committed Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #267
197 lines
8.0 KiB
PHP
197 lines
8.0 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Resources\FindingExceptionResource\Pages\ListFindingExceptions;
|
|
use App\Filament\Resources\FindingResource\Pages\ViewFinding;
|
|
use App\Models\Finding;
|
|
use App\Models\FindingException;
|
|
use App\Models\User;
|
|
use App\Services\Evidence\Sources\FindingsSummarySource;
|
|
use App\Services\Findings\FindingExceptionService;
|
|
use App\Services\Findings\FindingRiskGovernanceResolver;
|
|
use App\Support\Findings\FindingOutcomeSemantics;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Livewire\Livewire;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
it('shows an expiring governance cue on finding detail for entitled viewers', function (): void {
|
|
[$viewer, $tenant] = createUserWithTenant(role: 'readonly');
|
|
[$requester] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
$approver = User::factory()->create();
|
|
createUserWithTenant(tenant: $tenant, user: $approver, role: 'owner');
|
|
|
|
$finding = Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_RISK_ACCEPTED,
|
|
]);
|
|
|
|
FindingException::query()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'finding_id' => (int) $finding->getKey(),
|
|
'requested_by_user_id' => (int) $requester->getKey(),
|
|
'owner_user_id' => (int) $requester->getKey(),
|
|
'approved_by_user_id' => (int) $approver->getKey(),
|
|
'status' => FindingException::STATUS_EXPIRING,
|
|
'current_validity_state' => FindingException::VALIDITY_EXPIRING,
|
|
'request_reason' => 'Short-lived exception while remediation is scheduled',
|
|
'approval_reason' => 'Compensating controls accepted',
|
|
'requested_at' => now()->subDays(8),
|
|
'approved_at' => now()->subDays(7),
|
|
'effective_from' => now()->subDays(7),
|
|
'expires_at' => now()->addDays(2),
|
|
'review_due_at' => now()->addDay(),
|
|
'evidence_summary' => ['reference_count' => 0],
|
|
]);
|
|
|
|
$this->actingAs($viewer);
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::test(ViewFinding::class, ['record' => $finding->getKey()])
|
|
->assertSee('Risk governance')
|
|
->assertSee('Expiring');
|
|
});
|
|
|
|
it('shows a governance warning when a finding is marked as accepted risk without a valid exception', function (): void {
|
|
[$viewer, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
$finding = Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_RISK_ACCEPTED,
|
|
]);
|
|
|
|
$this->actingAs($viewer);
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::test(ViewFinding::class, ['record' => $finding->getKey()])
|
|
->assertSee('Risk governance')
|
|
->assertSee('without a valid exception record');
|
|
|
|
expect(app(FindingRiskGovernanceResolver::class)->resolveFindingState($finding->fresh()))
|
|
->toBe('risk_accepted_without_valid_exception');
|
|
});
|
|
|
|
it('surfaces expired and revoked exceptions as governance warnings instead of valid accepted risk', function (string $mode, string $expectedWarning, string $expectedState): void {
|
|
[$viewer, $tenant] = createUserWithTenant(role: 'readonly');
|
|
[$requester] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
$approver = User::factory()->create();
|
|
createUserWithTenant(tenant: $tenant, user: $approver, role: 'owner', workspaceRole: 'manager');
|
|
|
|
$finding = Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_RISK_ACCEPTED,
|
|
]);
|
|
|
|
/** @var FindingExceptionService $service */
|
|
$service = app(FindingExceptionService::class);
|
|
|
|
$requested = $service->request($finding, $tenant, $requester, [
|
|
'owner_user_id' => (int) $requester->getKey(),
|
|
'request_reason' => 'Temporary exception',
|
|
'review_due_at' => now()->addDays(5)->toDateTimeString(),
|
|
'expires_at' => now()->addDays(14)->toDateTimeString(),
|
|
]);
|
|
|
|
$exception = $service->approve($requested, $approver, [
|
|
'effective_from' => now()->subDays(10)->toDateTimeString(),
|
|
'expires_at' => $mode === 'expired'
|
|
? now()->subDay()->toDateTimeString()
|
|
: now()->addDays(14)->toDateTimeString(),
|
|
'approval_reason' => 'Approved with controls',
|
|
]);
|
|
|
|
if ($mode === 'expired') {
|
|
$exception = app(FindingRiskGovernanceResolver::class)->syncExceptionState($exception->fresh());
|
|
} else {
|
|
$exception = $service->revoke($exception->fresh(), $requester, [
|
|
'revocation_reason' => 'Compensating controls were removed.',
|
|
]);
|
|
}
|
|
|
|
$this->actingAs($viewer);
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::test(ViewFinding::class, ['record' => $finding->getKey()])
|
|
->assertSee($expectedWarning);
|
|
|
|
Livewire::test(ListFindingExceptions::class)
|
|
->assertSee($expectedWarning);
|
|
|
|
expect(app(FindingRiskGovernanceResolver::class)->resolveFindingState($finding->fresh('findingException')))
|
|
->toBe($expectedState);
|
|
})->with([
|
|
'expired exception' => ['expired', 'expired and no longer governs accepted risk', 'expired_exception'],
|
|
'revoked exception' => ['revoked', 'was revoked and no longer governs accepted risk', 'revoked_exception'],
|
|
]);
|
|
|
|
it('keeps historical exceptions visible while requiring a fresh decision after a finding reopens', function (): void {
|
|
[$viewer, $tenant] = createUserWithTenant(role: 'readonly');
|
|
[$requester] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
$approver = User::factory()->create();
|
|
createUserWithTenant(tenant: $tenant, user: $approver, role: 'owner', workspaceRole: 'manager');
|
|
|
|
$finding = Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_RISK_ACCEPTED,
|
|
]);
|
|
|
|
/** @var FindingExceptionService $service */
|
|
$service = app(FindingExceptionService::class);
|
|
|
|
$requested = $service->request($finding, $tenant, $requester, [
|
|
'owner_user_id' => (int) $requester->getKey(),
|
|
'request_reason' => 'Temporary exception while remediation is scheduled',
|
|
'review_due_at' => now()->addDays(7)->toDateTimeString(),
|
|
'expires_at' => now()->addDays(20)->toDateTimeString(),
|
|
]);
|
|
|
|
$service->approve($requested, $approver, [
|
|
'effective_from' => now()->subDay()->toDateTimeString(),
|
|
'expires_at' => now()->addDays(20)->toDateTimeString(),
|
|
'approval_reason' => 'Approved with controls',
|
|
]);
|
|
|
|
$finding->forceFill([
|
|
'status' => Finding::STATUS_REOPENED,
|
|
'reopened_at' => now(),
|
|
'closed_reason' => null,
|
|
'closed_at' => null,
|
|
])->save();
|
|
|
|
$this->actingAs($viewer);
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::test(ViewFinding::class, ['record' => $finding->getKey()])
|
|
->assertSee('fresh decision is required');
|
|
|
|
Livewire::test(ListFindingExceptions::class)
|
|
->assertSee('fresh decision is required');
|
|
|
|
expect(app(FindingRiskGovernanceResolver::class)->resolveFindingState($finding->fresh('findingException')))
|
|
->toBe('ungoverned');
|
|
});
|
|
|
|
it('keeps accepted risk in a separate reporting bucket from administrative closures', function (): void {
|
|
[, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_RISK_ACCEPTED,
|
|
'closed_reason' => Finding::CLOSE_REASON_ACCEPTED_RISK,
|
|
]);
|
|
|
|
Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_CLOSED,
|
|
'closed_reason' => Finding::CLOSE_REASON_DUPLICATE,
|
|
]);
|
|
|
|
$summary = app(FindingsSummarySource::class)->collect($tenant)['summary_payload'] ?? [];
|
|
|
|
expect(data_get($summary, 'outcome_counts.'.FindingOutcomeSemantics::OUTCOME_RISK_ACCEPTED))->toBe(1)
|
|
->and(data_get($summary, 'outcome_counts.'.FindingOutcomeSemantics::OUTCOME_CLOSED_DUPLICATE))->toBe(1)
|
|
->and(data_get($summary, 'report_bucket_counts.accepted_risk'))->toBe(1)
|
|
->and(data_get($summary, 'report_bucket_counts.administrative_closure'))->toBe(1);
|
|
});
|