TenantAtlas/apps/platform/tests/Browser/Spec418CoverageV2OperatorSurfaceSmokeTest.php

<?php

declare(strict_types=1);

use App\Filament\Pages\TenantConfiguration\CoverageV2Readiness;
use App\Models\ManagedEnvironment;
use App\Models\OperationRun;
use App\Models\ProviderConnection;
use App\Models\TenantConfigurationResource;
use App\Models\TenantConfigurationResourceEvidence;
use App\Models\TenantConfigurationResourceType;
use App\Models\TenantConfigurationSupportedScope;
use App\Models\User;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\OperationRunType;
use App\Support\TenantConfiguration\CaptureOutcome;
use App\Support\TenantConfiguration\ClaimState;
use App\Support\TenantConfiguration\CoverageLevel;
use App\Support\TenantConfiguration\EvidenceState;
use App\Support\TenantConfiguration\IdentityState;
use App\Support\TenantConfiguration\SourceClass;
use App\Support\TenantConfiguration\SupportState;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

pest()->browser()->timeout(60_000);

it('Spec418 smokes the Coverage v2 operator surface without exposing raw evidence payloads', function (): void {
    [$user, $environment] = spec418CoverageV2BrowserFixture();
    spec418AuthenticateCoverageV2Browser($this, $user, $environment);

    $page = visit(CoverageV2Readiness::getUrl(tenant: $environment, panel: 'admin'))
        ->resize(1440, 1100)
        ->waitForText('Coverage v2 Readiness')
        ->waitForText('Spec418 Browser conflicting assignment')
        ->assertSee('Resource type registry')
        ->assertSee('Resource instances')
        ->assertSee('Reason')
        ->assertSee('Identity conflict is the highest-priority activation blocker.')
        ->assertSee('Next step')
        ->assertSee('Inspect Spec418 Browser conflicting assignment and resolve the blocker before cutover planning.')
        ->assertSee('Coverage level')
        ->assertSee('Evidence state')
        ->assertSee('Identity state')
        ->assertSee('Claim state')
        ->assertSee('Source class')
        ->assertSee('Supported scope')
        ->assertSee('Top activation blockers')
        ->assertSee('Identity conflict')
        ->assertSee('Permission blocked')
        ->assertSee('Claim blocked')
        ->assertSee('Spec418 Browser captured assignment')
        ->assertDontSee('raw-response-secret')
        ->assertDontSee('normalized-secret')
        ->assertDontSee('permission-secret')
        ->assertDontSee('customer-ready')
        ->assertDontSee('Evidence gaps')
        ->assertScript('typeof window.Livewire !== "undefined"', true)
        ->assertScript('(() => document.querySelectorAll("table tbody tr").length > 0)()', true)
        ->assertScript("(() => performance.getEntriesByType('resource').filter((entry) => /graph\\.microsoft\\.com|\\/tcm\\b|provider-remote/i.test(entry.name)).length)()", 0)
        ->assertNoJavaScriptErrors()
        ->assertNoConsoleLogs();

    $page->script(<<<'JS'
        (() => {
            const rows = Array.from(document.querySelectorAll('table tbody tr'));
            const row = rows.find((candidate) => candidate.textContent.includes('Spec418 Browser conflicting assignment'));
            const inspect = Array.from(row?.querySelectorAll('button, a') ?? [])
                .find((element) => element.textContent.includes('Spec418 Browser conflicting assignment'));

            inspect?.click();
        })()
    JS);

    $page
        ->waitForText('Activation blockers')
        ->assertSee('Coverage: Detected')
        ->assertSee('Evidence: Permission blocked')
        ->assertSee('Identity: Identity conflict')
        ->assertSee('Spec418 Browser Microsoft provider')
        ->assertSee('same_scope_derived_identity_collision')
        ->assertSee('spec418-browser-schema-hash')
        ->assertSee('Operation #')
        ->assertDontSee('raw-response-secret')
        ->assertDontSee('normalized-secret')
        ->assertDontSee('permission-secret')
        ->assertNoJavaScriptErrors()
        ->assertNoConsoleLogs()
        ->screenshot(true, 'spec418-coverage-v2-operator-surface-readiness');
});

/**
 * @return array{0: User, 1: ManagedEnvironment}
 */
function spec418CoverageV2BrowserFixture(): array
{
    $environment = ManagedEnvironment::factory()->active()->create([
        'name' => 'Spec418 Browser Environment',
        'external_id' => 'spec418-browser-environment',
    ]);

    [$user, $environment] = createUserWithTenant(
        tenant: $environment,
        role: 'owner',
        workspaceRole: 'owner',
        clearCapabilityCaches: true,
    );

    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
        'display_name' => 'Spec418 Browser Microsoft provider',
    ]);

    $contentType = TenantConfigurationResourceType::factory()->create([
        'canonical_type' => 'spec418BrowserContentType',
        'display_name' => 'Spec418 Browser content type',
        'source_class' => SourceClass::Tcm->value,
        'support_state' => SupportState::Supported->value,
        'default_coverage_level' => CoverageLevel::ContentBacked->value,
        'default_claim_state' => ClaimState::ClaimAllowed->value,
    ]);

    $blockedType = TenantConfigurationResourceType::factory()->create([
        'canonical_type' => 'spec418BrowserBlockedType',
        'display_name' => 'Spec418 Browser blocked type',
        'source_class' => SourceClass::GraphV1Fallback->value,
        'support_state' => SupportState::FallbackSupported->value,
        'default_coverage_level' => CoverageLevel::Detected->value,
        'default_claim_state' => ClaimState::ClaimLimited->value,
    ]);

    TenantConfigurationSupportedScope::factory()->create([
        'scope_key' => 'spec418_browser_scope',
        'display_name' => 'Spec418 Browser scope',
        'minimum_coverage_level' => CoverageLevel::ContentBacked->value,
        'included_resource_types' => [$contentType->canonical_type],
        'allow_graph_fallback' => false,
        'allow_beta' => false,
        'customer_claims_allowed' => false,
    ]);

    $contentResource = TenantConfigurationResource::factory()->create([
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
        'provider_connection_id' => (int) $connection->getKey(),
        'resource_type_id' => (int) $contentType->getKey(),
        'canonical_type' => $contentType->canonical_type,
        'canonical_resource_key' => 'spec418-browser-content-key',
        'source_display_name' => 'Spec418 Browser captured assignment',
        'source_class' => SourceClass::Tcm->value,
        'latest_evidence_state' => EvidenceState::ContentBacked->value,
        'latest_identity_state' => IdentityState::Stable->value,
        'latest_claim_state' => ClaimState::ClaimAllowed->value,
        'latest_captured_at' => now(),
    ]);

    $blockedResource = TenantConfigurationResource::factory()
        ->identityConflict()
        ->create([
            'workspace_id' => (int) $environment->workspace_id,
            'managed_environment_id' => (int) $environment->getKey(),
            'provider_connection_id' => (int) $connection->getKey(),
            'resource_type_id' => (int) $blockedType->getKey(),
            'canonical_type' => $blockedType->canonical_type,
            'canonical_resource_key' => 'spec418-browser-blocked-key',
            'source_display_name' => 'Spec418 Browser conflicting assignment',
            'source_class' => SourceClass::GraphV1Fallback->value,
            'latest_evidence_state' => EvidenceState::PermissionBlocked->value,
            'latest_captured_at' => now(),
        ]);

    spec418AttachCoverageV2Evidence($contentResource, CoverageLevel::ContentBacked, CaptureOutcome::Captured, str_repeat('c', 64));
    spec418AttachCoverageV2Evidence($blockedResource, CoverageLevel::Detected, CaptureOutcome::BlockedPermission, str_repeat('d', 64));

    return [$user, $environment->refresh()];
}

function spec418AttachCoverageV2Evidence(
    TenantConfigurationResource $resource,
    CoverageLevel $coverageLevel,
    CaptureOutcome $captureOutcome,
    string $payloadHash,
): void {
    $run = OperationRun::factory()->create([
        'workspace_id' => (int) $resource->workspace_id,
        'managed_environment_id' => (int) $resource->managed_environment_id,
        'type' => OperationRunType::TenantConfigurationCapture->value,
        'status' => OperationRunStatus::Completed->value,
        'outcome' => OperationRunOutcome::Succeeded->value,
    ]);

    $evidence = TenantConfigurationResourceEvidence::factory()->create([
        'resource_id' => (int) $resource->getKey(),
        'workspace_id' => (int) $resource->workspace_id,
        'managed_environment_id' => (int) $resource->managed_environment_id,
        'provider_connection_id' => (int) $resource->provider_connection_id,
        'resource_type_id' => (int) $resource->resource_type_id,
        'operation_run_id' => (int) $run->getKey(),
        'payload_hash' => $payloadHash,
        'raw_payload' => ['secret' => 'raw-response-secret'],
        'normalized_payload' => ['secret' => 'normalized-secret'],
        'permission_context' => ['token' => 'permission-secret'],
        'evidence_state' => $resource->latest_evidence_state->value,
        'coverage_level' => $coverageLevel->value,
        'capture_outcome' => $captureOutcome->value,
        'source_contract_key' => 'spec418.browser.contract',
        'source_version' => 'v1.0',
        'source_schema_hash' => 'spec418-browser-schema-hash',
        'captured_at' => now(),
    ]);

    $resource->forceFill([
        'latest_evidence_id' => (int) $evidence->getKey(),
        'latest_payload_hash' => $payloadHash,
    ])->save();
}

function spec418AuthenticateCoverageV2Browser(
    mixed $test,
    User $user,
    ManagedEnvironment $environment,
): void {
    $workspaceId = (int) $environment->workspace_id;

    $test->actingAs($user)->withSession([
        WorkspaceContext::SESSION_KEY => $workspaceId,
        WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY => [
            (string) $workspaceId => (int) $environment->getKey(),
        ],
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, $workspaceId);
    session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
        (string) $workspaceId => (int) $environment->getKey(),
    ]);
}