ahmido
44898a98ac
## Summary - harden governance artifact truth propagation so stale or partial evidence downgrades evidence snapshots, tenant reviews, review packs, the canonical evidence overview, and the canonical review register consistently - add the full Spec 174 artifact set under `specs/174-evidence-freshness-publication-trust/` including spec, plan, research, data model, contracts, quickstart, checklist, and completed tasks - add focused fixture helpers plus a new browser smoke test for the touched evidence, review, and review-pack trust surfaces ## Testing - `vendor/bin/sail artisan test --compact tests/Feature/Evidence/EvidenceSnapshotResourceTest.php tests/Feature/Evidence/EvidenceOverviewPageTest.php tests/Feature/TenantReview/TenantReviewLifecycleTest.php tests/Feature/TenantReview/TenantReviewRegisterTest.php tests/Feature/ReviewPack/ReviewPackResourceTest.php tests/Feature/Monitoring/ArtifactTruthRunDetailTest.php tests/Browser/Spec174EvidenceFreshnessPublicationTrustSmokeTest.php` - manual integrated-browser smoke pass across Evidence Overview, Review Register, tenant review detail, tenant evidence snapshot detail, and review-packs list ## Notes - Livewire v4 compliance is preserved and no Filament v3/v4 APIs were introduced - no panel or provider changes were made; Laravel 11+ provider registration remains in `bootstrap/providers.php` - no new global-search behavior was introduced; existing resource view pages remain the relevant detail endpoints - destructive actions were not broadened; existing confirmation and authorization behavior remains in place - no new assets were added, so the current Filament asset strategy and deploy-time `php artisan filament:assets` behavior stay unchanged - branch `174-evidence-freshness-publication-trust` is pushed at `7f2c82c26dc83bbc09fbf9e732d5644cdd143113` and targets `dev` Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #205
530 lines
18 KiB
PHP
530 lines
18 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Resources\ReviewPackResource;
|
|
use App\Filament\Resources\ReviewPackResource\Pages\ListReviewPacks;
|
|
use App\Filament\Resources\ReviewPackResource\Pages\ViewReviewPack;
|
|
use App\Models\EvidenceSnapshot;
|
|
use App\Models\Finding;
|
|
use App\Models\OperationRun;
|
|
use App\Models\ReviewPack;
|
|
use App\Models\StoredReport;
|
|
use App\Models\Tenant;
|
|
use App\Services\Evidence\EvidenceSnapshotService;
|
|
use App\Services\ReviewPackService;
|
|
use App\Support\Auth\UiTooltips;
|
|
use App\Support\Evidence\EvidenceSnapshotStatus;
|
|
use App\Support\ReviewPackStatus;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\Queue;
|
|
use Illuminate\Support\Facades\Storage;
|
|
use Livewire\Livewire;
|
|
use Tests\Feature\Concerns\BuildsGovernanceArtifactTruthFixtures;
|
|
|
|
uses(RefreshDatabase::class, BuildsGovernanceArtifactTruthFixtures::class);
|
|
|
|
beforeEach(function (): void {
|
|
Storage::fake('exports');
|
|
});
|
|
|
|
function seedReviewPackEvidence(Tenant $tenant): EvidenceSnapshot
|
|
{
|
|
StoredReport::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'report_type' => StoredReport::REPORT_TYPE_PERMISSION_POSTURE,
|
|
'payload' => [
|
|
'required_count' => 1,
|
|
'granted_count' => 1,
|
|
'permissions' => [
|
|
['key' => 'DeviceManagementConfiguration.ReadWrite.All', 'status' => 'granted'],
|
|
],
|
|
],
|
|
]);
|
|
|
|
StoredReport::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'report_type' => StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
|
|
'payload' => [
|
|
'roles' => [
|
|
['displayName' => 'Global Administrator'],
|
|
],
|
|
],
|
|
]);
|
|
|
|
Finding::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
]);
|
|
|
|
Finding::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'finding_type' => Finding::FINDING_TYPE_DRIFT,
|
|
]);
|
|
|
|
OperationRun::factory()->forTenant($tenant)->create();
|
|
|
|
/** @var EvidenceSnapshotService $service */
|
|
$service = app(EvidenceSnapshotService::class);
|
|
$payload = $service->buildSnapshotPayload($tenant);
|
|
|
|
$snapshot = EvidenceSnapshot::query()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'status' => EvidenceSnapshotStatus::Active->value,
|
|
'fingerprint' => $payload['fingerprint'],
|
|
'completeness_state' => $payload['completeness'],
|
|
'summary' => $payload['summary'],
|
|
'generated_at' => now(),
|
|
]);
|
|
|
|
foreach ($payload['items'] as $item) {
|
|
$snapshot->items()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'dimension_key' => $item['dimension_key'],
|
|
'state' => $item['state'],
|
|
'required' => $item['required'],
|
|
'source_kind' => $item['source_kind'],
|
|
'source_record_type' => $item['source_record_type'],
|
|
'source_record_id' => $item['source_record_id'],
|
|
'source_fingerprint' => $item['source_fingerprint'],
|
|
'measured_at' => $item['measured_at'],
|
|
'freshness_at' => $item['freshness_at'],
|
|
'summary_payload' => $item['summary_payload'],
|
|
'sort_order' => $item['sort_order'],
|
|
]);
|
|
}
|
|
|
|
return $snapshot->load('items');
|
|
}
|
|
|
|
// ─── List Page ───────────────────────────────────────────────
|
|
|
|
it('renders the list page for an authorized user', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
|
|
$this->actingAs($user)
|
|
->get(ReviewPackResource::getUrl('index', tenant: $tenant))
|
|
->assertOk();
|
|
});
|
|
|
|
it('shows review packs belonging to the active tenant', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
|
|
$otherTenant = Tenant::factory()->create();
|
|
|
|
$pack = ReviewPack::factory()->ready()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'initiated_by_user_id' => (int) $user->getKey(),
|
|
]);
|
|
|
|
ReviewPack::factory()->ready()->create([
|
|
'tenant_id' => (int) $otherTenant->getKey(),
|
|
]);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListReviewPacks::class)
|
|
->assertCanSeeTableRecords([$pack]);
|
|
});
|
|
|
|
it('displays the empty state when no packs exist', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListReviewPacks::class)
|
|
->assertSee('No review packs yet');
|
|
});
|
|
|
|
// ─── List Page Header Action ─────────────────────────────────
|
|
|
|
it('shows the generate_pack header action for a MANAGE user', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListReviewPacks::class)
|
|
->assertActionVisible('generate_pack');
|
|
});
|
|
|
|
it('disables the generate_pack action for a readonly user', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListReviewPacks::class)
|
|
->assertActionVisible('generate_pack')
|
|
->assertActionDisabled('generate_pack')
|
|
->assertActionExists('generate_pack', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission());
|
|
});
|
|
|
|
it('reuses an existing ready pack instead of starting a new run', function (): void {
|
|
Queue::fake();
|
|
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
$snapshot = seedReviewPackEvidence($tenant);
|
|
|
|
$fingerprint = app(ReviewPackService::class)->computeFingerprint($tenant, [
|
|
'include_pii' => true,
|
|
'include_operations' => true,
|
|
]);
|
|
|
|
ReviewPack::factory()->ready()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'initiated_by_user_id' => (int) $user->getKey(),
|
|
'evidence_snapshot_id' => (int) $snapshot->getKey(),
|
|
'fingerprint' => $fingerprint,
|
|
'expires_at' => now()->addDay(),
|
|
]);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
$operationRunsBefore = OperationRun::query()->count();
|
|
$reviewPacksBefore = ReviewPack::query()->count();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListReviewPacks::class)
|
|
->callAction('generate_pack', [
|
|
'include_pii' => true,
|
|
'include_operations' => true,
|
|
])
|
|
->assertNotified();
|
|
|
|
expect(OperationRun::query()->count())->toBe($operationRunsBefore);
|
|
expect(ReviewPack::query()->count())->toBe($reviewPacksBefore);
|
|
|
|
Queue::assertNothingPushed();
|
|
});
|
|
|
|
it('does not queue generation when no eligible evidence snapshot exists', function (): void {
|
|
Queue::fake();
|
|
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListReviewPacks::class)
|
|
->callAction('generate_pack', [
|
|
'include_pii' => true,
|
|
'include_operations' => true,
|
|
])
|
|
->assertNotified();
|
|
|
|
expect(ReviewPack::query()->count())->toBe(0);
|
|
Queue::assertNothingPushed();
|
|
});
|
|
|
|
// ─── Table Row Actions ───────────────────────────────────────
|
|
|
|
it('shows the download action for a ready pack', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
|
|
$filePath = 'review-packs/test.zip';
|
|
Storage::disk('exports')->put($filePath, 'PK-fake');
|
|
|
|
$pack = ReviewPack::factory()->ready()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'initiated_by_user_id' => (int) $user->getKey(),
|
|
'file_path' => $filePath,
|
|
]);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListReviewPacks::class)
|
|
->assertTableActionVisible('download', $pack);
|
|
});
|
|
|
|
it('shows the expire action for a ready pack with confirmation', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
|
|
$filePath = 'review-packs/expire-test.zip';
|
|
Storage::disk('exports')->put($filePath, 'PK-fake');
|
|
|
|
$pack = ReviewPack::factory()->ready()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'initiated_by_user_id' => (int) $user->getKey(),
|
|
'file_path' => $filePath,
|
|
'file_disk' => 'exports',
|
|
]);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListReviewPacks::class)
|
|
->assertTableActionVisible('expire', $pack)
|
|
->callTableAction('expire', $pack);
|
|
|
|
$pack->refresh();
|
|
expect($pack->status)->toBe(ReviewPackStatus::Expired->value);
|
|
Storage::disk('exports')->assertMissing($filePath);
|
|
});
|
|
|
|
// ─── View Page ───────────────────────────────────────────────
|
|
|
|
it('renders the view page for a ready pack', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
$snapshot = seedReviewPackEvidence($tenant);
|
|
|
|
$pack = ReviewPack::factory()->ready()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'initiated_by_user_id' => (int) $user->getKey(),
|
|
'evidence_snapshot_id' => (int) $snapshot->getKey(),
|
|
'summary' => [
|
|
'finding_count' => 5,
|
|
'report_count' => 2,
|
|
'operation_count' => 12,
|
|
'data_freshness' => [
|
|
'permission_posture' => now()->toIso8601String(),
|
|
'entra_admin_roles' => now()->toIso8601String(),
|
|
'findings' => now()->toIso8601String(),
|
|
'hardening' => now()->toIso8601String(),
|
|
],
|
|
'evidence_resolution' => [
|
|
'outcome' => 'resolved',
|
|
'snapshot_id' => (int) $snapshot->getKey(),
|
|
'snapshot_fingerprint' => (string) $snapshot->fingerprint,
|
|
],
|
|
],
|
|
'options' => ['include_pii' => true, 'include_operations' => true],
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $tenant))
|
|
->assertOk()
|
|
->assertSee('Artifact truth')
|
|
->assertSee('Publishable')
|
|
->assertSee('#'.$snapshot->getKey())
|
|
->assertSee('resolved');
|
|
});
|
|
|
|
it('shows blocked publication truth when the source review is no longer publishable', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
$snapshot = seedReviewPackEvidence($tenant);
|
|
$review = composeTenantReviewForTest($tenant, $user, $snapshot);
|
|
|
|
$review->update([
|
|
'status' => 'draft',
|
|
'summary' => array_replace_recursive(is_array($review->summary) ? $review->summary : [], [
|
|
'publish_blockers' => ['Review the missing approval note before publication.'],
|
|
]),
|
|
]);
|
|
|
|
$pack = ReviewPack::factory()->ready()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_review_id' => (int) $review->getKey(),
|
|
'evidence_snapshot_id' => (int) $snapshot->getKey(),
|
|
'initiated_by_user_id' => (int) $user->getKey(),
|
|
'summary' => [
|
|
'review_status' => 'draft',
|
|
'review_completeness_state' => 'complete',
|
|
'evidence_resolution' => [
|
|
'outcome' => 'resolved',
|
|
'snapshot_id' => (int) $snapshot->getKey(),
|
|
'snapshot_fingerprint' => (string) $snapshot->fingerprint,
|
|
],
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $tenant))
|
|
->assertOk()
|
|
->assertSee('Publication blocked')
|
|
->assertSee('Open the source review before sharing this pack');
|
|
});
|
|
|
|
it('shows internal-only caveats for packs generated from stale source evidence before download', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
|
|
$snapshot = seedStaleTenantReviewEvidence($tenant);
|
|
$review = $this->makeArtifactTruthReview(
|
|
tenant: $tenant,
|
|
user: $user,
|
|
snapshot: $snapshot,
|
|
reviewOverrides: [
|
|
'status' => 'published',
|
|
'published_at' => now(),
|
|
'published_by_user_id' => (int) $user->getKey(),
|
|
'completeness_state' => 'complete',
|
|
],
|
|
summaryOverrides: [
|
|
'publish_blockers' => [],
|
|
'section_state_counts' => [
|
|
'complete' => 6,
|
|
'partial' => 0,
|
|
'missing' => 0,
|
|
'stale' => 0,
|
|
],
|
|
],
|
|
);
|
|
|
|
$pack = $this->makeArtifactTruthReviewPack(
|
|
tenant: $tenant,
|
|
user: $user,
|
|
snapshot: $snapshot,
|
|
review: $review,
|
|
summaryOverrides: [
|
|
'review_status' => 'published',
|
|
'review_completeness_state' => 'complete',
|
|
],
|
|
);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListReviewPacks::class)
|
|
->assertTableActionVisible('download', $pack)
|
|
->assertSee('Internal only')
|
|
->assertSee('Refresh the source review before sharing this pack');
|
|
|
|
$this->actingAs($user)
|
|
->get(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $tenant))
|
|
->assertOk()
|
|
->assertSee('Internal only')
|
|
->assertSee('Download')
|
|
->assertSee('Refresh the source review before sharing this pack');
|
|
});
|
|
|
|
it('keeps packs from partial evidence internal only instead of publishable', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
|
|
$snapshot = seedPartialTenantReviewEvidence($tenant);
|
|
$review = $this->makeArtifactTruthReview(
|
|
tenant: $tenant,
|
|
user: $user,
|
|
snapshot: $snapshot,
|
|
reviewOverrides: [
|
|
'status' => 'ready',
|
|
'completeness_state' => 'complete',
|
|
],
|
|
summaryOverrides: [
|
|
'publish_blockers' => [],
|
|
'section_state_counts' => [
|
|
'complete' => 6,
|
|
'partial' => 0,
|
|
'missing' => 0,
|
|
'stale' => 0,
|
|
],
|
|
],
|
|
);
|
|
|
|
$pack = $this->makeArtifactTruthReviewPack(
|
|
tenant: $tenant,
|
|
user: $user,
|
|
snapshot: $snapshot,
|
|
review: $review,
|
|
summaryOverrides: [
|
|
'review_status' => 'ready',
|
|
'review_completeness_state' => 'complete',
|
|
],
|
|
);
|
|
|
|
$this->actingAs($user)
|
|
->get(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $tenant))
|
|
->assertOk()
|
|
->assertSee('Internal only')
|
|
->assertSee('Complete the source review before sharing this pack')
|
|
->assertDontSee('Publishable');
|
|
});
|
|
|
|
it('shows download header action on view page for a ready pack', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
|
|
$pack = ReviewPack::factory()->ready()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'initiated_by_user_id' => (int) $user->getKey(),
|
|
]);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ViewReviewPack::class, ['record' => $pack->getKey()])
|
|
->assertActionVisible('download');
|
|
});
|
|
|
|
it('shows regenerate header action on view page', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
|
|
$pack = ReviewPack::factory()->ready()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'initiated_by_user_id' => (int) $user->getKey(),
|
|
]);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ViewReviewPack::class, ['record' => $pack->getKey()])
|
|
->assertActionVisible('regenerate');
|
|
});
|
|
|
|
// ─── Non-Member Access ───────────────────────────────────────
|
|
|
|
it('returns 404 for non-members on list page', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
$otherTenant = Tenant::factory()->create();
|
|
|
|
[$user] = createUserWithTenant($otherTenant, role: 'owner');
|
|
|
|
$this->actingAs($user)
|
|
->get(ReviewPackResource::getUrl('index', tenant: $tenant))
|
|
->assertNotFound();
|
|
});
|
|
|
|
it('returns 404 for non-members on view page', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
$otherTenant = Tenant::factory()->create();
|
|
|
|
[$user] = createUserWithTenant($otherTenant, role: 'owner');
|
|
|
|
$pack = ReviewPack::factory()->ready()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $tenant))
|
|
->assertNotFound();
|
|
});
|