TenantAtlas/apps/platform/tests/Feature/Rbac/AdminPanelAccessBoundaryTest.php

<?php

declare(strict_types=1);

use App\Models\PlatformUser;
use App\Models\User;
use Filament\PanelRegistry;

it('keeps tenant users scoped to the admin panel contract', function (): void {
    $user = User::factory()->make();

    expect($user->canAccessPanel(app(PanelRegistry::class)->get('admin')))->toBeTrue()
        ->and($user->canAccessPanel(app(PanelRegistry::class)->get('system')))->toBeFalse();
});

it('redirects unauthenticated direct admin panel access to admin login', function (): void {
    $this->get('/admin')->assertRedirectContains('/admin/login');
});

it('denies platform sessions on admin panel routes as not found', function (): void {
    $platformUser = PlatformUser::factory()->create();

    $this->actingAs($platformUser, 'platform')
        ->get('/admin')
        ->assertNotFound();
});

it('does not render workspace admin surfaces for users without workspace authority', function (): void {
    $user = User::factory()->create();

    $this->actingAs($user)
        ->get('/admin')
        ->assertRedirect('/admin/choose-workspace');

    $this->actingAs($user)
        ->get('/admin/alerts')
        ->assertRedirect('/admin/choose-workspace');
});