ahmido
c86b399b43
Some checks failed
Main Confidence / confidence (push) Failing after 53s
## Summary This PR delivers three related improvements: ### 1. Finding Ownership Semantics (Spec 219) - Add responsibility/accountability labels to findings and finding exceptions - `owner_user_id` = accountable party (governance owner) - `assignee_user_id` = responsible party (technical implementer) - Expose Assign/Reassign actions in FindingResource with audit logging - Add ownership columns and filters to finding list - Propagate owner from finding to exception on creation - Tests: ownership semantics, assignment audit, workflow actions ### 2. Constitution v2.7.0 — LEAN-001 Pre-Production Lean Doctrine - New principle forbidding legacy aliases, migration shims, dual-write logic, and compatibility fixtures in a pre-production codebase - AI-agent 4-question verification gate before adding any compatibility path - Review rule: compatibility shims without answering the gate questions = merge blocker - Exit condition: LEAN-001 expires at first production deployment - Spec template: added default "Compatibility posture" block - Agent instructions: added "Pre-production compatibility check" section ### 3. Backup Set Operation Type Unification - Unified `backup_set.add_policies` and `backup_set.remove_policies` into single canonical `backup_set.update` - Removed all legacy aliases, constants, and test fixtures - Added lifecycle coverage for `backup_set.update` in config - Updated all 14+ test files referencing legacy types ### Spec Artifacts - `specs/219-finding-ownership-semantics/` — full spec, plan, tasks, research, data model, contracts, checklist ### Tests - All affected tests pass (OperationCatalog, backup set, finding workflow, ownership semantics) Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #256
132 lines
6.0 KiB
PHP
132 lines
6.0 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Models\Finding;
|
|
use App\Models\User;
|
|
use App\Services\Findings\FindingWorkflowService;
|
|
use App\Support\Audit\AuditActionId;
|
|
use Illuminate\Auth\Access\AuthorizationException;
|
|
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
|
|
|
it('enforces the canonical transition matrix for service-driven status changes', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$service = app(FindingWorkflowService::class);
|
|
|
|
$newFinding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW);
|
|
$triagedFinding = $service->triage($newFinding, $tenant, $user);
|
|
|
|
expect($triagedFinding->status)->toBe(Finding::STATUS_TRIAGED)
|
|
->and($this->latestFindingAudit($triagedFinding, AuditActionId::FindingTriaged))->not->toBeNull();
|
|
|
|
$inProgressFinding = $service->startProgress($triagedFinding, $tenant, $user);
|
|
|
|
expect($inProgressFinding->status)->toBe(Finding::STATUS_IN_PROGRESS)
|
|
->and($this->latestFindingAudit($inProgressFinding, AuditActionId::FindingInProgress))->not->toBeNull();
|
|
|
|
$resolvedFinding = $service->resolve($inProgressFinding, $tenant, $user, 'patched');
|
|
|
|
expect($resolvedFinding->status)->toBe(Finding::STATUS_RESOLVED)
|
|
->and($resolvedFinding->resolved_reason)->toBe('patched')
|
|
->and($this->latestFindingAudit($resolvedFinding, AuditActionId::FindingResolved))->not->toBeNull();
|
|
|
|
$reopenedFinding = $service->reopen($resolvedFinding, $tenant, $user, 'The issue recurred after remediation.');
|
|
|
|
expect($reopenedFinding->status)->toBe(Finding::STATUS_REOPENED)
|
|
->and($reopenedFinding->reopened_at)->not->toBeNull()
|
|
->and($this->latestFindingAudit($reopenedFinding, AuditActionId::FindingReopened))->not->toBeNull();
|
|
|
|
expect(fn () => $service->startProgress($this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW), $tenant, $user))
|
|
->toThrow(\InvalidArgumentException::class, 'Finding cannot be moved to in-progress from the current status.');
|
|
});
|
|
|
|
it('enforces tenant-member validation for owner and assignee reassignment', function (): void {
|
|
[$owner, $tenant] = createUserWithTenant(role: 'owner');
|
|
$assignee = User::factory()->create();
|
|
createUserWithTenant(tenant: $tenant, user: $assignee, role: 'operator');
|
|
$outsider = User::factory()->create();
|
|
|
|
$finding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_TRIAGED);
|
|
$service = app(FindingWorkflowService::class);
|
|
|
|
$assignedFinding = $service->assign(
|
|
finding: $finding,
|
|
tenant: $tenant,
|
|
actor: $owner,
|
|
assigneeUserId: (int) $assignee->getKey(),
|
|
ownerUserId: (int) $owner->getKey(),
|
|
);
|
|
|
|
$audit = $this->latestFindingAudit($assignedFinding, AuditActionId::FindingAssigned);
|
|
|
|
expect((int) $assignedFinding->assignee_user_id)->toBe((int) $assignee->getKey())
|
|
->and((int) $assignedFinding->owner_user_id)->toBe((int) $owner->getKey())
|
|
->and($audit)->not->toBeNull()
|
|
->and(data_get($audit?->metadata, 'responsibility_change_classification'))->toBe('owner_and_assignee')
|
|
->and(data_get($audit?->metadata, 'responsibility_change_summary'))->toBe('Updated the accountable owner and the active assignee.');
|
|
|
|
expect(fn () => $service->assign(
|
|
finding: $assignedFinding,
|
|
tenant: $tenant,
|
|
actor: $owner,
|
|
assigneeUserId: (int) $outsider->getKey(),
|
|
ownerUserId: (int) $owner->getKey(),
|
|
))->toThrow(\InvalidArgumentException::class, 'assignee_user_id must reference a current tenant member.');
|
|
});
|
|
|
|
it('keeps 404 and 403 semantics distinct for assignment authorization', function (): void {
|
|
[$owner, $tenant] = createUserWithTenant(role: 'owner');
|
|
[$readonly] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
|
$outsider = User::factory()->create();
|
|
$finding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW);
|
|
|
|
$service = app(FindingWorkflowService::class);
|
|
|
|
expect(fn () => $service->assign(
|
|
finding: $finding,
|
|
tenant: $tenant,
|
|
actor: $outsider,
|
|
assigneeUserId: null,
|
|
ownerUserId: (int) $owner->getKey(),
|
|
))->toThrow(NotFoundHttpException::class);
|
|
|
|
expect(fn () => $service->assign(
|
|
finding: $finding,
|
|
tenant: $tenant,
|
|
actor: $readonly,
|
|
assigneeUserId: null,
|
|
ownerUserId: (int) $owner->getKey(),
|
|
))->toThrow(AuthorizationException::class);
|
|
});
|
|
|
|
it('requires explicit reasons for resolve close and risk accept mutations', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$service = app(FindingWorkflowService::class);
|
|
|
|
expect(fn () => $service->resolve($this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW), $tenant, $user, ' '))
|
|
->toThrow(\InvalidArgumentException::class, 'resolved_reason is required.');
|
|
|
|
expect(fn () => $service->close($this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW), $tenant, $user, ' '))
|
|
->toThrow(\InvalidArgumentException::class, 'closed_reason is required.');
|
|
|
|
expect(fn () => $service->reopen($this->makeFindingForWorkflow($tenant, Finding::STATUS_RESOLVED), $tenant, $user, ' '))
|
|
->toThrow(\InvalidArgumentException::class, 'reopen_reason is required.');
|
|
|
|
expect(fn () => $service->riskAccept($this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW), $tenant, $user, ' '))
|
|
->toThrow(\InvalidArgumentException::class, 'closed_reason is required.');
|
|
});
|
|
|
|
it('returns 403 for in-scope members without the required workflow capability', function (): void {
|
|
[$owner, $tenant] = createUserWithTenant(role: 'owner');
|
|
[$readonly] = createUserWithTenant(tenant: $tenant, role: 'readonly');
|
|
$finding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW);
|
|
|
|
expect(fn () => app(FindingWorkflowService::class)->resolve($finding, $tenant, $readonly, 'patched'))
|
|
->toThrow(AuthorizationException::class);
|
|
|
|
expect(app(FindingWorkflowService::class)->resolve($finding, $tenant, $owner, 'patched')->status)
|
|
->toBe(Finding::STATUS_RESOLVED);
|
|
});
|