TenantAtlas/apps/platform/tests/Unit/Support/References/ModelBackedReferenceResolverTest.php

<?php

declare(strict_types=1);

use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Support\References\ReferenceClass;
use App\Support\References\ReferenceDescriptor;
use App\Support\References\ReferenceResolutionState;
use App\Support\References\Resolvers\BaselineSnapshotReferenceResolver;
use App\Support\References\Resolvers\PolicyVersionReferenceResolver;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('resolves policy versions as label-first tenant references', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');
    $this->actingAs($user);
    Filament::setTenant($tenant, true);

    $policy = Policy::factory()->for($tenant)->create([
        'display_name' => 'Windows Lockdown',
    ]);

    $version = PolicyVersion::factory()->for($tenant)->create([
        'policy_id' => $policy->getKey(),
        'version_number' => 3,
    ]);

    $resolved = app(PolicyVersionReferenceResolver::class)->resolve(new ReferenceDescriptor(
        referenceClass: ReferenceClass::PolicyVersion,
        rawIdentifier: (string) $version->getKey(),
        tenantId: (int) $tenant->getKey(),
        linkedModelId: (int) $version->getKey(),
    ));

    expect($resolved->state)->toBe(ReferenceResolutionState::Resolved)
        ->and($resolved->primaryLabel)->toBe('Windows Lockdown')
        ->and($resolved->secondaryLabel)->toContain('Version 3')
        ->and($resolved->linkTarget?->actionLabel)->toBe('View policy version');
});

it('marks workspace references as inaccessible when the actor lacks workspace access', function (): void {
    [$owner, $tenant] = createUserWithTenant(role: 'owner');
    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'name' => 'Security Baseline',
    ]);

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
    ]);

    $outsider = \App\Models\User::factory()->create();
    $this->actingAs($outsider);

    $resolved = app(BaselineSnapshotReferenceResolver::class)->resolve(new ReferenceDescriptor(
        referenceClass: ReferenceClass::BaselineSnapshot,
        rawIdentifier: (string) $snapshot->getKey(),
        workspaceId: (int) $tenant->workspace_id,
        linkedModelId: (int) $snapshot->getKey(),
    ));

    expect($resolved->state)->toBe(ReferenceResolutionState::Inaccessible)
        ->and($resolved->linkTarget)->toBeNull();
});