TenantAtlas/apps/platform/tests/Feature/Guards/Spec118NoLegacyBaselineDriftGuardTest.php

<?php

declare(strict_types=1);

it('prevents legacy fingerprinting/compare helpers from re-entering baseline orchestration (Spec 118)', function (): void {
    $compareForbiddenTokens = [
        'PolicyNormalizer',
        'VersionDiff',
        'flattenForDiff',
        'computeDrift(',
        'effectiveBaselineHash(',
        'resolveBaselinePolicyVersionId(',
        'selectSummaryKind(',
        'buildDriftEvidenceContract(',
        'buildRoleDefinitionEvidencePayload(',
        'resolveRoleDefinitionVersion(',
        'fallbackRoleDefinitionNormalized(',
        'roleDefinitionChangedKeys(',
        'roleDefinitionPermissionKeys(',
        'resolveRoleDefinitionDiff(',
        'severityForRoleDefinitionDiff(',
        'BaselinePolicyVersionResolver',
        'DriftHasher',
        'SettingsNormalizer',
        'AssignmentsNormalizer',
        'ScopeTagsNormalizer',
        'IntuneRoleDefinitionNormalizer',
    ];

    $captureForbiddenTokens = [
        ...$compareForbiddenTokens,
        'SettingsNormalizer',
        'ScopeTagsNormalizer',
        '->hashNormalized(',
        '::hashNormalized(',
    ];

    $compareJob = file_get_contents(base_path('app/Jobs/CompareBaselineToTenantJob.php'));
    expect($compareJob)->toBeString();
    expect($compareJob)->toContain('CurrentStateHashResolver');
    expect($compareJob)->toContain('compareStrategyRegistry->select(');
    expect($compareJob)->toContain('compareStrategyRegistry->resolve(');
    expect($compareJob)->toContain('$strategy->compare(');

    foreach ($compareForbiddenTokens as $token) {
        expect($compareJob)->not->toContain($token);
    }

    $captureJob = file_get_contents(base_path('app/Jobs/CaptureBaselineSnapshotJob.php'));
    expect($captureJob)->toBeString();
    expect($captureJob)->toContain('CurrentStateHashResolver');

    foreach ($captureForbiddenTokens as $token) {
        expect($captureJob)->not->toContain($token);
    }
});