TenantAtlas/apps/platform/tests/Feature/TenantReview/TenantReviewCanonicalControlReferenceTest.php

<?php

declare(strict_types=1);

use App\Models\Finding;
use App\Support\Governance\Controls\ComplianceEvidenceMappingV1;

it('passes shared canonical control references through tenant review composition', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');
    $snapshot = seedTenantReviewEvidence($tenant, findingCount: 0, driftCount: 1);

    $review = composeTenantReviewForTest($tenant, $user, $snapshot);
    $openRisks = $review->sections->firstWhere('section_key', 'open_risks');
    $executiveSummary = $review->sections->firstWhere('section_key', 'executive_summary');
    $controlInterpretation = $review->sections->firstWhere('section_key', ComplianceEvidenceMappingV1::SECTION_KEY);
    $controlEntries = $review->controlInterpretationControls();

    expect($review->canonicalControlReferences())->toHaveCount(1)
        ->and($review->canonicalControlReferences()[0]['control_key'])->toBe('endpoint_hardening_compliance')
        ->and($executiveSummary->summary_payload['canonical_control_count'])->toBe(1)
        ->and($executiveSummary->summary_payload['canonical_controls'][0]['control_key'])->toBe('endpoint_hardening_compliance')
        ->and($openRisks->summary_payload['canonical_controls'][0]['control_key'] ?? null)->toBe('endpoint_hardening_compliance')
        ->and($review->controlInterpretationVersion())->toBe(ComplianceEvidenceMappingV1::VERSION_KEY)
        ->and($review->controlInterpretation()['non_certification_disclosure'] ?? null)->toBeString()
        ->and($review->controlInterpretation()['mapped_control_count'] ?? null)->toBe(1)
        ->and($controlEntries)->toHaveCount(1)
        ->and($controlEntries[0]['control_key'] ?? null)->toBe('endpoint_hardening_compliance')
        ->and($controlEntries[0]['readiness_bucket'] ?? null)->toBe('follow_up_required')
        ->and($controlEntries[0]['proof_access_state'] ?? null)->toBe('available')
        ->and($controlInterpretation?->summary_payload['version_key'] ?? null)->toBe(ComplianceEvidenceMappingV1::VERSION_KEY)
        ->and($controlInterpretation?->render_payload['entries'][0]['control_key'] ?? null)->toBe('endpoint_hardening_compliance');
});

it('excludes removed acknowledged findings from open risk highlights', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    Finding::factory()->for($tenant)->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'status' => 'acknowledged',
        'subject_external_id' => 'legacy-acknowledged',
    ]);

    $triagedFinding = Finding::factory()->for($tenant)->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'status' => Finding::STATUS_TRIAGED,
        'subject_external_id' => 'canonical-triaged',
    ]);

    $snapshot = seedTenantReviewEvidence($tenant, findingCount: 0, driftCount: 0);
    $review = composeTenantReviewForTest($tenant, $user, $snapshot);
    $openRisks = $review->sections->firstWhere('section_key', 'open_risks');
    $entries = $openRisks->render_payload['entries'] ?? [];

    expect($entries)->toHaveCount(1)
        ->and($entries[0]['id'] ?? null)->toBe((int) $triagedFinding->getKey())
        ->and(collect($entries)->pluck('status')->all())->not->toContain('acknowledged');
});