TenantAtlas/apps/platform/tests/Unit/Governance/CanonicalControlCatalogTest.php

<?php

declare(strict_types=1);

use App\Support\Governance\Controls\CanonicalControlCatalog;
use App\Support\Governance\Controls\DetectabilityClass;
use App\Support\Governance\Controls\EvaluationStrategy;

it('loads stable provider-neutral seed definitions with complete metadata', function (): void {
    $catalog = app(CanonicalControlCatalog::class);

    expect($catalog->all())->toHaveCount(7);

    foreach ($catalog->all() as $definition) {
        expect($definition->controlKey)->toMatch('/^[a-z][a-z0-9_]*$/')
            ->and($definition->name)->not->toBeEmpty()
            ->and($definition->domainKey)->not->toContain('microsoft')
            ->and($definition->domainKey)->not->toContain('intune')
            ->and($definition->subdomainKey)->not->toBeEmpty()
            ->and($definition->controlClass)->not->toBeEmpty()
            ->and($definition->summary)->not->toBeEmpty()
            ->and($definition->operatorDescription)->not->toBeEmpty()
            ->and($definition->detectabilityClass)->toBeInstanceOf(DetectabilityClass::class)
            ->and($definition->evaluationStrategy)->toBeInstanceOf(EvaluationStrategy::class)
            ->and($definition->evidenceArchetypes)->not->toBeEmpty()
            ->and(array_keys($definition->artifactSuitability->toArray()))->toBe([
                'baseline',
                'drift',
                'finding',
                'exception',
                'evidence',
                'review',
                'report',
            ])
            ->and($definition->historicalStatus)->toBeIn(['active', 'retired']);
    }
});

it('seeds the first-slice high-value control families', function (): void {
    $keys = array_map(
        static fn ($definition): string => $definition->controlKey,
        app(CanonicalControlCatalog::class)->all(),
    );

    expect($keys)->toEqualCanonicalizing([
        'audit_log_retention',
        'conditional_access_enforcement',
        'delegated_admin_boundaries',
        'endpoint_hardening_compliance',
        'external_sharing_boundaries',
        'privileged_access_governance',
        'strong_authentication',
    ]);
});

it('keeps Microsoft bindings secondary to the definition payload', function (): void {
    $catalog = app(CanonicalControlCatalog::class);
    $definition = $catalog->find('endpoint_hardening_compliance');

    expect($definition?->toArray())->not->toHaveKey('microsoft_bindings')
        ->and($catalog->microsoftBindingsForControl('endpoint_hardening_compliance'))->not->toBeEmpty()
        ->and($catalog->microsoftBindingsForControl('endpoint_hardening_compliance')[0]->toArray()['provider'])->toBe('microsoft');
});

it('preserves honest detectability, evaluation, and suitability distinctions', function (): void {
    $catalog = app(CanonicalControlCatalog::class);

    expect($catalog->find('endpoint_hardening_compliance')?->detectabilityClass)->toBe(DetectabilityClass::DirectTechnical)
        ->and($catalog->find('endpoint_hardening_compliance')?->evaluationStrategy)->toBe(EvaluationStrategy::StateEvaluated)
        ->and($catalog->find('audit_log_retention')?->detectabilityClass)->toBe(DetectabilityClass::ExternalEvidenceOnly)
        ->and($catalog->find('audit_log_retention')?->evaluationStrategy)->toBe(EvaluationStrategy::ExternallyAttested)
        ->and($catalog->find('audit_log_retention')?->artifactSuitability->baseline)->toBeFalse()
        ->and($catalog->find('audit_log_retention')?->artifactSuitability->review)->toBeTrue();
});