TenantAtlas/apps/platform/tests/Feature/TenantReview/TenantReviewCanonicalControlReferenceTest.php

<?php

declare(strict_types=1);

use App\Models\Finding;

it('passes shared canonical control references through tenant review composition', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');
    $snapshot = seedTenantReviewEvidence($tenant, findingCount: 0, driftCount: 1);

    $review = composeTenantReviewForTest($tenant, $user, $snapshot);
    $openRisks = $review->sections->firstWhere('section_key', 'open_risks');
    $executiveSummary = $review->sections->firstWhere('section_key', 'executive_summary');

    expect($review->canonicalControlReferences())->toHaveCount(1)
        ->and($review->canonicalControlReferences()[0]['control_key'])->toBe('endpoint_hardening_compliance')
        ->and($executiveSummary->summary_payload['canonical_control_count'])->toBe(1)
        ->and($executiveSummary->summary_payload['canonical_controls'][0]['control_key'])->toBe('endpoint_hardening_compliance')
        ->and($openRisks->summary_payload['canonical_controls'][0]['control_key'] ?? null)->toBe('endpoint_hardening_compliance');
});

it('excludes removed acknowledged findings from open risk highlights', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    Finding::factory()->for($tenant)->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'status' => 'acknowledged',
        'subject_external_id' => 'legacy-acknowledged',
    ]);

    $triagedFinding = Finding::factory()->for($tenant)->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'status' => Finding::STATUS_TRIAGED,
        'subject_external_id' => 'canonical-triaged',
    ]);

    $snapshot = seedTenantReviewEvidence($tenant, findingCount: 0, driftCount: 0);
    $review = composeTenantReviewForTest($tenant, $user, $snapshot);
    $openRisks = $review->sections->firstWhere('section_key', 'open_risks');
    $entries = $openRisks->render_payload['entries'] ?? [];

    expect($entries)->toHaveCount(1)
        ->and($entries[0]['id'] ?? null)->toBe((int) $triagedFinding->getKey())
        ->and(collect($entries)->pluck('status')->all())->not->toContain('acknowledged');
});