TenantAtlas/apps/platform/tests/Unit/Baselines/SnapshotRendering/BaselineSnapshotPresenterTest.php

<?php

declare(strict_types=1);

use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineSnapshotItem;
use App\Services\Baselines\SnapshotRendering\BaselineSnapshotPresenter;
use App\Services\Baselines\SnapshotRendering\Renderers\DeviceComplianceSnapshotTypeRenderer;
use App\Services\Baselines\SnapshotRendering\Renderers\FallbackSnapshotTypeRenderer;
use App\Services\Baselines\SnapshotRendering\Renderers\IntuneRoleDefinitionSnapshotTypeRenderer;
use App\Services\Baselines\SnapshotRendering\SnapshotTypeRendererRegistry;
use App\Support\Baselines\BaselineSubjectKey;
use App\Support\Baselines\SubjectClass;
use Illuminate\Database\Eloquent\Collection as EloquentCollection;

it('builds summary rows and grouped output for mixed snapshot types', function (): void {
    $presenter = new BaselineSnapshotPresenter(
        new SnapshotTypeRendererRegistry(
            renderers: [
                new IntuneRoleDefinitionSnapshotTypeRenderer,
                new DeviceComplianceSnapshotTypeRenderer,
            ],
            fallbackRenderer: new FallbackSnapshotTypeRenderer,
        ),
    );

    $snapshot = new BaselineSnapshot([
        'id' => 130,
        'snapshot_identity_hash' => 'snapshot-hash-130',
        'captured_at' => now(),
        'summary_jsonb' => [
            'total_items' => 3,
            'policy_type_counts' => [
                'intuneRoleDefinition' => 1,
                'deviceCompliancePolicy' => 1,
                'mysteryPolicyType' => 1,
            ],
            'fidelity_counts' => [
                'content' => 2,
                'meta' => 1,
            ],
            'gaps' => [
                'count' => 1,
                'by_reason' => ['missing_evidence' => 1],
            ],
        ],
    ]);

    $snapshot->setRelation('baselineProfile', new BaselineProfile(['name' => 'Security Baseline']));
    $rbacSubjectKey = baselineProviderResourceSubjectKeyForTest(
        'intuneRoleDefinition',
        'security-reader',
        SubjectClass::FoundationBacked,
    );
    $complianceSubjectKey = baselineProviderResourceSubjectKeyForTest('deviceCompliancePolicy', 'bitlocker-require');
    $fallbackSubjectKey = baselineProviderResourceSubjectKeyForTest('mysteryPolicyType', 'mystery-policy');
    $snapshot->setRelation('items', new EloquentCollection([
        new BaselineSnapshotItem([
            'id' => 1,
            'policy_type' => 'intuneRoleDefinition',
            'subject_key' => $rbacSubjectKey,
            'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId('intuneRoleDefinition', $rbacSubjectKey),
            'meta_jsonb' => [
                'display_name' => 'Security Reader',
                'evidence' => [
                    'fidelity' => 'content',
                    'source' => 'policy_version',
                    'observed_at' => '2026-03-09T12:00:00+00:00',
                ],
                'identity' => ['strategy' => 'provider_resource'],
                'rbac' => [
                    'is_built_in' => false,
                    'role_permission_count' => 2,
                ],
                'version_reference' => ['policy_version_id' => 42],
            ],
        ]),
        new BaselineSnapshotItem([
            'id' => 2,
            'policy_type' => 'deviceCompliancePolicy',
            'subject_key' => $complianceSubjectKey,
            'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId('deviceCompliancePolicy', $complianceSubjectKey),
            'meta_jsonb' => [
                'display_name' => 'Bitlocker Require',
                'platform' => 'windows',
                'assignment_target_count' => 3,
                'evidence' => [
                    'fidelity' => 'meta',
                    'source' => 'inventory',
                    'observed_at' => '2026-03-09T11:00:00+00:00',
                ],
            ],
        ]),
        new BaselineSnapshotItem([
            'id' => 3,
            'policy_type' => 'mysteryPolicyType',
            'subject_key' => $fallbackSubjectKey,
            'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId('mysteryPolicyType', $fallbackSubjectKey),
            'meta_jsonb' => [
                'display_name' => 'Mystery Policy',
                'category' => 'Other',
                'platform' => 'windows',
                'evidence' => [
                    'fidelity' => 'content',
                    'source' => 'policy_version',
                    'observed_at' => '2026-03-09T10:00:00+00:00',
                ],
            ],
        ]),
    ]));

    $rendered = $presenter->present($snapshot)->toArray();

    expect(data_get($rendered, 'snapshot.snapshotId'))->toBe(130)
        ->and(data_get($rendered, 'snapshot.baselineProfileName'))->toBe('Security Baseline')
        ->and(data_get($rendered, 'snapshot.overallFidelity'))->toBe('partial')
        ->and(data_get($rendered, 'snapshot.overallGapCount'))->toBe(1)
        ->and($rendered['summaryRows'])->toHaveCount(3)
        ->and(data_get($rendered, 'summaryRows.0.subjectDescriptor.platform_noun'))->toBe('Governed subject')
        ->and(collect($rendered['groups'])->pluck('label')->all())
        ->toContain('Intune RBAC Role Definition', 'Device Compliance', 'Mystery Policy Type')
        ->and(data_get($rendered, 'technicalDetail.defaultCollapsed'))->toBeTrue();
});