ahmido
c17255f854
## Summary - add the structured subject-resolution foundation for baseline compare and baseline capture, including capability guards, subject descriptors, resolution outcomes, and operator action categories - persist structured evidence-gap subject records and update compare/capture surfaces, landing projections, and cleanup tooling to use the new contract - add Spec 163 artifacts and focused Pest coverage for classification, determinism, cleanup, and DB-only rendering ## Validation - `vendor/bin/sail bin pint --dirty --format agent` - `vendor/bin/sail artisan test --compact tests/Unit/Support/Baselines tests/Feature/Baselines tests/Feature/Filament/OperationRunEnterpriseDetailPageTest.php` ## Notes - verified locally that a fresh post-restart baseline compare run now writes structured `baseline_compare.evidence_gaps.subjects` records instead of the legacy broad payload shape - excluded the separate `docs/product/spec-candidates.md` worktree change from this branch commit and PR Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #193
441 lines
17 KiB
PHP
441 lines
17 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Models\BackupSet;
|
|
use App\Models\OperationRun;
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Models\WorkspaceMembership;
|
|
use App\Support\OperationRunOutcome;
|
|
use App\Support\OperationRunStatus;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Testing\TestResponse;
|
|
use Tests\Feature\Baselines\Support\BaselineSubjectResolutionFixtures;
|
|
|
|
function visiblePageText(TestResponse $response): string
|
|
{
|
|
$html = (string) $response->getContent();
|
|
$html = preg_replace('/<script\b[^>]*>.*?<\/script>/is', '', $html) ?? $html;
|
|
$html = preg_replace('/<style\b[^>]*>.*?<\/style>/is', '', $html) ?? $html;
|
|
$html = preg_replace('/\s+wire:snapshot="[^"]*"/', '', $html) ?? $html;
|
|
$html = preg_replace('/\s+wire:effects="[^"]*"/', '', $html) ?? $html;
|
|
|
|
return trim((string) preg_replace('/\s+/', ' ', strip_tags($html)));
|
|
}
|
|
|
|
/**
|
|
* @param array<string, mixed> $overrides
|
|
* @return array<string, mixed>
|
|
*/
|
|
function baselineCompareGapContext(array $overrides = []): array
|
|
{
|
|
return array_replace_recursive(BaselineSubjectResolutionFixtures::compareContext([
|
|
BaselineSubjectResolutionFixtures::structuredGap([
|
|
'policy_type' => 'deviceConfiguration',
|
|
'subject_key' => 'WiFi-Corp-Profile',
|
|
'resolution_outcome' => 'ambiguous_match',
|
|
'reason_code' => 'ambiguous_match',
|
|
'operator_action_category' => 'inspect_subject_mapping',
|
|
]),
|
|
BaselineSubjectResolutionFixtures::structuredGap([
|
|
'policy_type' => 'deviceConfiguration',
|
|
'subject_key' => 'VPN-Always-On',
|
|
'resolution_outcome' => 'ambiguous_match',
|
|
'reason_code' => 'ambiguous_match',
|
|
'operator_action_category' => 'inspect_subject_mapping',
|
|
]),
|
|
BaselineSubjectResolutionFixtures::structuredGap([
|
|
'policy_type' => 'deviceConfiguration',
|
|
'subject_key' => 'Email-Exchange-Config',
|
|
'resolution_outcome' => 'ambiguous_match',
|
|
'reason_code' => 'ambiguous_match',
|
|
'operator_action_category' => 'inspect_subject_mapping',
|
|
]),
|
|
BaselineSubjectResolutionFixtures::structuredGap([
|
|
'policy_type' => 'deviceConfiguration',
|
|
'subject_key' => 'Deleted-Policy-ABC',
|
|
'resolution_outcome' => 'policy_record_missing',
|
|
'reason_code' => 'policy_record_missing',
|
|
'operator_action_category' => 'run_policy_sync_or_backup',
|
|
]),
|
|
BaselineSubjectResolutionFixtures::structuredGap([
|
|
'policy_type' => 'deviceConfiguration',
|
|
'subject_key' => 'Removed-Config-XYZ',
|
|
'resolution_outcome' => 'policy_record_missing',
|
|
'reason_code' => 'policy_record_missing',
|
|
'operator_action_category' => 'run_policy_sync_or_backup',
|
|
]),
|
|
]), [
|
|
'baseline_compare' => [
|
|
'subjects_total' => 50,
|
|
'reason_code' => 'evidence_capture_incomplete',
|
|
'fidelity' => 'meta',
|
|
'coverage' => [
|
|
'proof' => true,
|
|
'covered_types' => ['deviceConfiguration'],
|
|
'uncovered_types' => [],
|
|
'effective_types' => ['deviceConfiguration'],
|
|
],
|
|
'evidence_capture' => [
|
|
'requested' => 50,
|
|
'succeeded' => 47,
|
|
'skipped' => 0,
|
|
'failed' => 3,
|
|
'throttled' => 0,
|
|
],
|
|
],
|
|
], $overrides);
|
|
}
|
|
|
|
it('renders operation runs with summary content before counts and technical context', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
Filament::setTenant(null, true);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'policy.sync',
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
'initiator_name' => 'Alice Example',
|
|
'summary_counts' => [
|
|
'total' => 10,
|
|
'processed' => 10,
|
|
'succeeded' => 10,
|
|
],
|
|
'context' => [
|
|
'target_scope' => [
|
|
'entra_tenant_name' => 'Contoso',
|
|
'entra_tenant_id' => '11111111-1111-1111-1111-111111111111',
|
|
],
|
|
],
|
|
]);
|
|
|
|
$response = $this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertOk()
|
|
->assertSee('Current state')
|
|
->assertSee('Timing')
|
|
->assertSee('Contoso');
|
|
|
|
$pageText = visiblePageText($response);
|
|
|
|
$policySyncPosition = mb_strpos($pageText, 'Policy sync');
|
|
$runSummaryPosition = mb_strpos($pageText, 'Run summary');
|
|
$relatedContextPosition = mb_strpos($pageText, 'Related context');
|
|
$countsPosition = mb_strpos($pageText, 'Counts');
|
|
$identityHashPosition = mb_strpos($pageText, 'Identity hash');
|
|
|
|
expect($policySyncPosition)->not->toBeFalse()
|
|
->and($runSummaryPosition)->not->toBeFalse()
|
|
->and($relatedContextPosition)->not->toBeFalse()
|
|
->and($countsPosition)->not->toBeFalse()
|
|
->and($identityHashPosition)->not->toBeFalse()
|
|
->and($policySyncPosition)->toBeLessThan($runSummaryPosition)
|
|
->and($runSummaryPosition)->toBeLessThan($relatedContextPosition)
|
|
->and($relatedContextPosition)->toBeLessThan($countsPosition)
|
|
->and($countsPosition)->toBeLessThan($identityHashPosition);
|
|
|
|
expect((string) $response->getContent())
|
|
->toMatch('/fi-section-header-heading[^>]*>\s*Current state\s*</')
|
|
->toMatch('/fi-section-header-heading[^>]*>\s*Timing\s*</');
|
|
});
|
|
|
|
it('keeps header navigation and related context visible for tenant-bound operation runs', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
Filament::setTenant(null, true);
|
|
|
|
$backupSet = BackupSet::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'name' => 'Nightly backup',
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'backup_set.add_policies',
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
'context' => [
|
|
'backup_set_id' => (int) $backupSet->getKey(),
|
|
'target_scope' => [
|
|
'entra_tenant_name' => 'Contoso',
|
|
],
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertOk()
|
|
->assertSee('Back to Operations')
|
|
->assertSee('Refresh')
|
|
->assertSee('Related context')
|
|
->assertSee('/admin/t/'.$tenant->external_id.'/backup-sets/'.$backupSet->getKey(), false);
|
|
});
|
|
|
|
it('renders mismatch context above the enterprise detail content without blocking the page', function (): void {
|
|
$runTenant = Tenant::factory()->create([
|
|
'name' => 'Run Tenant',
|
|
]);
|
|
[$user, $runTenant] = createUserWithTenant(tenant: $runTenant, role: 'owner');
|
|
|
|
$currentTenant = Tenant::factory()->create([
|
|
'name' => 'Current Tenant',
|
|
'workspace_id' => (int) $runTenant->workspace_id,
|
|
]);
|
|
|
|
createUserWithTenant(tenant: $currentTenant, user: $user, role: 'owner');
|
|
|
|
Filament::setTenant($currentTenant, true);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $runTenant->workspace_id,
|
|
'tenant_id' => (int) $runTenant->getKey(),
|
|
'type' => 'policy.sync',
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
]);
|
|
|
|
$response = $this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $runTenant->workspace_id])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertOk()
|
|
->assertSee('Current tenant context differs from this run')
|
|
->assertSee('Run summary')
|
|
->assertSee('Related context');
|
|
|
|
$pageText = visiblePageText($response);
|
|
|
|
$bannerPosition = mb_strpos($pageText, 'Current tenant context differs from this run');
|
|
$summaryPosition = mb_strpos($pageText, 'Run summary');
|
|
|
|
expect($bannerPosition)->not->toBeFalse()
|
|
->and($summaryPosition)->not->toBeFalse()
|
|
->and($bannerPosition)->toBeLessThan($summaryPosition);
|
|
});
|
|
|
|
it('renders explicit sparse-data fallbacks for operation runs', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
Filament::setTenant(null, true);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => null,
|
|
'type' => 'provider.connection.check',
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Failed->value,
|
|
'summary_counts' => [],
|
|
'failure_summary' => [],
|
|
'context' => [],
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertOk()
|
|
->assertSee('No target scope details were recorded for this run.')
|
|
->assertSee('Verification report')
|
|
->assertSee('Verification report unavailable')
|
|
->assertDontSee('Counts');
|
|
});
|
|
|
|
it('renders lifecycle reconciliation diagnostics for reconciled runs', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
Filament::setTenant(null, true);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'restore.execute',
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Failed->value,
|
|
'context' => [
|
|
'reason_code' => 'run.adapter_out_of_sync',
|
|
'reconciliation' => [
|
|
'reconciled_at' => now()->toIso8601String(),
|
|
'reason' => 'run.adapter_out_of_sync',
|
|
'reason_code' => 'run.adapter_out_of_sync',
|
|
'source' => 'adapter_reconciler',
|
|
],
|
|
],
|
|
'failure_summary' => [[
|
|
'code' => 'run.adapter_out_of_sync',
|
|
'reason_code' => 'run.adapter_out_of_sync',
|
|
'message' => 'A related restore record reached terminal truth before the operation run was updated.',
|
|
]],
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertOk()
|
|
->assertSee('Lifecycle reconciliation')
|
|
->assertSee('Automatically reconciled')
|
|
->assertSee('Reconciled by')
|
|
->assertSee('Adapter reconciler');
|
|
});
|
|
|
|
it('renders evidence gap details section for baseline compare runs with gap subjects', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
Filament::setTenant(null, true);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'baseline_compare',
|
|
'status' => 'completed',
|
|
'outcome' => 'partially_succeeded',
|
|
'context' => baselineCompareGapContext(),
|
|
'completed_at' => now(),
|
|
]);
|
|
|
|
$response = $this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertOk()
|
|
->assertSee('Evidence gap details')
|
|
->assertSee('Search gap details')
|
|
->assertSee('Search by reason, type, class, outcome, action, or subject key')
|
|
->assertSee('Reason')
|
|
->assertSee('Ambiguous inventory match')
|
|
->assertSee('Policy record missing')
|
|
->assertSee('3 affected')
|
|
->assertSee('2 affected')
|
|
->assertSee('WiFi-Corp-Profile')
|
|
->assertSee('Deleted-Policy-ABC')
|
|
->assertSee('Policy type')
|
|
->assertSee('Subject class')
|
|
->assertSee('Outcome')
|
|
->assertSee('Next action')
|
|
->assertSee('Subject key');
|
|
});
|
|
|
|
it('renders baseline compare evidence-gap details without invoking graph during canonical run detail render', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
Filament::setTenant(null, true);
|
|
bindFailHardGraphClient();
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'baseline_compare',
|
|
'status' => 'completed',
|
|
'outcome' => 'partially_succeeded',
|
|
'context' => baselineCompareGapContext(),
|
|
'completed_at' => now(),
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertOk()
|
|
->assertSee('Evidence gap details')
|
|
->assertSee('WiFi-Corp-Profile');
|
|
});
|
|
|
|
it('distinguishes missing recorded gap detail from no-gap runs on the canonical run detail surface', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
Filament::setTenant(null, true);
|
|
|
|
$legacyRun = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'baseline_compare',
|
|
'status' => 'completed',
|
|
'outcome' => 'partially_succeeded',
|
|
'context' => baselineCompareGapContext([
|
|
'baseline_compare' => [
|
|
'evidence_gaps' => [
|
|
'subjects' => null,
|
|
],
|
|
],
|
|
]),
|
|
'completed_at' => now(),
|
|
]);
|
|
|
|
$cleanRun = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'baseline_compare',
|
|
'status' => 'completed',
|
|
'outcome' => 'succeeded',
|
|
'context' => baselineCompareGapContext([
|
|
'baseline_compare' => [
|
|
'reason_code' => 'no_drift_detected',
|
|
'evidence_gaps' => [
|
|
'count' => 0,
|
|
'by_reason' => [],
|
|
'subjects' => [],
|
|
],
|
|
],
|
|
]),
|
|
'completed_at' => now(),
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
|
->get(route('admin.operations.view', ['run' => (int) $legacyRun->getKey()]))
|
|
->assertOk()
|
|
->assertSee('Evidence gap details')
|
|
->assertSee('Detailed rows were not recorded for this run')
|
|
->assertSee('Baseline compare evidence');
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
|
->get(route('admin.operations.view', ['run' => (int) $cleanRun->getKey()]))
|
|
->assertOk()
|
|
->assertDontSee('Evidence gap details')
|
|
->assertSee('Baseline compare evidence');
|
|
});
|
|
|
|
it('returns 404 for workspace members without tenant entitlement when evidence-gap details exist on the canonical surface', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'baseline_compare',
|
|
'status' => 'completed',
|
|
'outcome' => 'partially_succeeded',
|
|
'context' => baselineCompareGapContext(),
|
|
'completed_at' => now(),
|
|
]);
|
|
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
Filament::setTenant(null, true);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertNotFound();
|
|
});
|