TenantAtlas/apps/platform/tests/Feature/OperationalControls/NoAdHocOperationalControlBypassTest.php

<?php

declare(strict_types=1);

use Tests\Support\OpsUx\SourceFileScanner;

it('keeps the in-scope operational controls on the shared service and evaluator paths', function (): void {
    $root = SourceFileScanner::projectRoot();

    $checks = [
        [
            'file' => $root.'/app/Filament/Resources/FindingResource/Pages/ListFindings.php',
            'required' => [
                'FindingsLifecycleBackfillRunbookService',
                'OperationalControlBlockedException',
                'FindingsLifecycleBackfillScope::singleTenant(',
            ],
            'forbidden' => [
                "config('tenantpilot.allow_admin_maintenance_actions'",
                'allow_admin_maintenance_actions',
                'OperationalControlActivation::',
            ],
        ],
        [
            'file' => $root.'/app/Filament/System/Pages/Ops/Runbooks.php',
            'required' => [
                'FindingsLifecycleBackfillRunbookService',
                'OperationalControlBlockedException',
                '$runbookService->start(',
            ],
            'forbidden' => [
                'OperationalControlActivation::',
                "config('tenantpilot.allow_admin_maintenance_actions'",
            ],
        ],
        [
            'file' => $root.'/app/Filament/Resources/RestoreRunResource.php',
            'required' => [
                'guardRestoreExecutionOperationalControl(',
                'OperationalControlEvaluator::class',
                'OperationalControlBlockedException',
            ],
            'forbidden' => [
                'OperationalControlActivation::',
                "config('tenantpilot.allow_admin_maintenance_actions'",
            ],
        ],
        [
            'file' => $root.'/config/tenantpilot.php',
            'required' => [],
            'forbidden' => [
                'allow_admin_maintenance_actions',
                'ALLOW_ADMIN_MAINTENANCE_ACTIONS',
            ],
        ],
    ];

    foreach ($checks as $check) {
        $source = SourceFileScanner::read($check['file']);

        foreach ($check['required'] as $needle) {
            expect($source)->toContain($needle);
        }

        foreach ($check['forbidden'] as $needle) {
            expect($source)->not->toContain($needle);
        }
    }
})->group('surface-guard');