TenantAtlas/tests/Feature/Findings/FindingWorkflowGuardTest.php

<?php

declare(strict_types=1);

use App\Models\AuditLog;
use App\Models\Finding;
use App\Services\Findings\FindingWorkflowService;
use App\Services\Intune\AuditLogger;
use App\Support\Audit\AuditActionId;
use Mockery\MockInterface;

use function Pest\Laravel\mock;

it('registers canonical findings workflow audit actions', function (): void {
    expect(AuditActionId::knownValues())
        ->toContain(AuditActionId::FindingTriaged->value)
        ->toContain(AuditActionId::FindingInProgress->value)
        ->toContain(AuditActionId::FindingAssigned->value)
        ->toContain(AuditActionId::FindingResolved->value)
        ->toContain(AuditActionId::FindingClosed->value)
        ->toContain(AuditActionId::FindingRiskAccepted->value)
        ->toContain(AuditActionId::FindingReopened->value);
});

it('does not expose direct finding lifecycle mutators', function (): void {
    expect(method_exists(Finding::class, 'acknowledge'))->toBeFalse()
        ->and(method_exists(Finding::class, 'resolve'))->toBeFalse()
        ->and(method_exists(Finding::class, 'reopen'))->toBeFalse();
});

it('rolls back finding workflow persistence when audit logging fails', function (): void {
    [$user, $tenant] = $this->actingAsFindingOperator('owner');

    $finding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW);

    mock(AuditLogger::class, function (MockInterface $mock): void {
        $mock->shouldReceive('log')
            ->once()
            ->andThrow(new \RuntimeException('Audit write unavailable.'));
    });

    expect(fn () => app(FindingWorkflowService::class)->triage($finding, $tenant, $user))
        ->toThrow(\RuntimeException::class, 'Audit write unavailable.');

    expect($finding->refresh()->status)->toBe(Finding::STATUS_NEW)
        ->and(AuditLog::query()
            ->where('tenant_id', (int) $tenant->getKey())
            ->where('resource_type', 'finding')
            ->where('resource_id', (string) $finding->getKey())
            ->count())->toBe(0);
});