TenantAtlas/apps/platform/tests/Feature/Guards/AdminTenantResolverGuardTest.php

<?php

declare(strict_types=1);

function adminTenantResolverGuardedFiles(): array
{
    return [
        'app/Filament/Pages/BaselineCompareLanding.php',
        'app/Filament/Pages/TenantDiagnostics.php',
        'app/Filament/Pages/InventoryCoverage.php',
        'app/Filament/Widgets/Inventory/InventoryKpiHeader.php',
        'app/Filament/Pages/Monitoring/Operations.php',
        'app/Filament/Pages/Operations/TenantlessOperationRunViewer.php',
        'app/Filament/Widgets/Operations/OperationsKpiHeader.php',
        'app/Filament/Resources/OperationRunResource.php',
        'app/Filament/Resources/PolicyResource.php',
        'app/Filament/Resources/BackupScheduleResource.php',
        'app/Filament/Resources/BackupScheduleResource/Pages/ListBackupSchedules.php',
        'app/Filament/Resources/BackupSetResource.php',
        'app/Filament/Resources/BackupSetResource/Pages/ListBackupSets.php',
        'app/Filament/Resources/BackupSetResource/Pages/ViewBackupSet.php',
        'app/Filament/Resources/FindingResource.php',
        'app/Filament/Resources/FindingResource/Pages/ListFindings.php',
        'app/Filament/Resources/InventoryItemResource.php',
        'app/Filament/Resources/InventoryItemResource/Pages/ListInventoryItems.php',
        'app/Filament/Resources/PolicyVersionResource.php',
        'app/Filament/Resources/PolicyVersionResource/Pages/ListPolicyVersions.php',
        'app/Filament/Resources/ProviderConnectionResource.php',
        'app/Filament/Resources/AlertDeliveryResource.php',
        'app/Filament/Resources/AlertDeliveryResource/Pages/ListAlertDeliveries.php',
        'app/Filament/Pages/Monitoring/AuditLog.php',
        'app/Filament/Pages/TenantRequiredPermissions.php',
        'app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php',
        'app/Filament/Resources/ProviderConnectionResource/Pages/ListProviderConnections.php',
        'app/Filament/Resources/RestoreRunResource.php',
        'app/Filament/Resources/RestoreRunResource/Pages/CreateRestoreRun.php',
    ];
}

function adminTenantResolverExceptionFiles(): array
{
    return [
        'app/Filament/Pages/ChooseTenant.php',
        'app/Http/Controllers/SelectTenantController.php',
        'app/Support/Middleware/EnsureFilamentTenantSelected.php',
        'app/Filament/Concerns/ResolvesPanelTenantContext.php',
    ];
}

it('keeps raw panel-native tenant reads out of canonical admin resolver surfaces', function (): void {
    $forbiddenPatterns = [
        '/\bFilament::getTenant\s*\(/',
        '/\bTenant::current\s*\(/',
    ];

    $violations = [];

    foreach (adminTenantResolverGuardedFiles() as $relativePath) {
        $contents = file_get_contents(base_path($relativePath));

        expect($contents)->not->toBeFalse();

        foreach ($forbiddenPatterns as $pattern) {
            if (preg_match($pattern, (string) $contents) === 1) {
                $violations[] = $relativePath;

                break;
            }
        }
    }

    expect($violations)
        ->toBeEmpty('Canonical admin surfaces must delegate tenant resolution to OperateHubShell. Offenders: '.implode(', ', $violations));
});

it('documents the approved panel-native exception inventory', function (): void {
    $notes = file_get_contents(repo_path('docs/research/admin-canonical-tenant-rollout.md'));

    expect($notes)->not->toBeFalse();

    foreach (adminTenantResolverExceptionFiles() as $relativePath) {
        expect($notes)->toContain($relativePath);
    }
});

it('keeps the shared panel resolver explicit about admin and tenant-panel resolution', function (): void {
    $resolverContents = file_get_contents(base_path('app/Filament/Concerns/ResolvesPanelTenantContext.php'));
    $contents = file_get_contents(base_path('app/Filament/Resources/EntraGroupResource.php'));

    expect($resolverContents)->not->toBeFalse()
        ->and($resolverContents)->toContain('tenantOwnedPanelContext(request())')
        ->and($resolverContents)->toContain('Tenant::current()');

    expect($contents)->not->toBeFalse()
        ->and($contents)->toContain('use ResolvesPanelTenantContext;')
        ->and($contents)->not->toContain('activeEntitledTenant(request())')
        ->and($contents)->not->toContain('Tenant::current()');
});

it('keeps first-slice admin trusted-state surfaces inside the canonical admin resolver guard inventory', function (): void {
    $guardedFiles = adminTenantResolverGuardedFiles();

    expect($guardedFiles)
        ->toContain('app/Filament/Pages/TenantRequiredPermissions.php')
        ->toContain('app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php');
});