TenantAtlas/apps/platform/tests/Feature/Filament/BaselineSnapshotStructuredRenderingTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\BaselineProfileResource;
use App\Filament\Resources\BaselineSnapshotResource;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineSnapshotItem;
use App\Support\Baselines\BaselineSubjectKey;
use App\Support\Baselines\SubjectClass;

it('renders the baseline snapshot detail page as summary-first with grouped governed-subject browsing', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'name' => 'Security Baseline',
    ]);

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
        'summary_jsonb' => [
            'total_items' => 3,
            'policy_type_counts' => [
                'intuneRoleDefinition' => 1,
                'deviceCompliancePolicy' => 1,
                'mysteryPolicyType' => 1,
            ],
            'fidelity_counts' => ['content' => 2, 'meta' => 1],
            'gaps' => ['count' => 1, 'by_reason' => ['meta_fallback' => 1]],
        ],
    ]);

    $rbacSubjectKey = baselineProviderResourceSubjectKeyForTest(
        'intuneRoleDefinition',
        'security-reader',
        SubjectClass::FoundationBacked,
    );
    $complianceSubjectKey = baselineProviderResourceSubjectKeyForTest('deviceCompliancePolicy', 'bitlocker-require');
    $fallbackSubjectKey = baselineProviderResourceSubjectKeyForTest('mysteryPolicyType', 'mystery-policy');

    BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot->getKey(),
        'policy_type' => 'intuneRoleDefinition',
        'subject_key' => $rbacSubjectKey,
        'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId('intuneRoleDefinition', $rbacSubjectKey),
        'meta_jsonb' => [
            'display_name' => 'Security Reader',
            'evidence' => [
                'fidelity' => 'content',
                'source' => 'policy_version',
                'observed_at' => '2026-03-09T12:00:00+00:00',
            ],
            'identity' => ['strategy' => 'provider_resource'],
            'rbac' => [
                'is_built_in' => false,
                'role_permission_count' => 2,
            ],
            'version_reference' => ['policy_version_id' => 42],
        ],
    ]);

    BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot->getKey(),
        'policy_type' => 'deviceCompliancePolicy',
        'subject_key' => $complianceSubjectKey,
        'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId('deviceCompliancePolicy', $complianceSubjectKey),
        'meta_jsonb' => [
            'display_name' => 'Bitlocker Require',
            'platform' => 'windows',
            'assignment_target_count' => 3,
            'evidence' => [
                'fidelity' => 'meta',
                'source' => 'inventory',
                'observed_at' => '2026-03-09T11:00:00+00:00',
            ],
        ],
    ]);

    BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot->getKey(),
        'policy_type' => 'mysteryPolicyType',
        'subject_key' => $fallbackSubjectKey,
        'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId('mysteryPolicyType', $fallbackSubjectKey),
        'meta_jsonb' => [
            'display_name' => 'Mystery Policy',
            'platform' => 'windows',
            'evidence' => [
                'fidelity' => 'content',
                'source' => 'policy_version',
                'observed_at' => '2026-03-09T10:00:00+00:00',
            ],
        ],
    ]);

    $this->actingAs($user)
        ->get(BaselineSnapshotResource::getUrl('view', ['record' => $snapshot], panel: 'admin'))
        ->assertOk()
        ->assertSee('Outcome summary')
        ->assertSee('Snapshot status')
        ->assertSee('Outcome details')
        ->assertSee('Coverage')
        ->assertSee('Capture timing')
        ->assertSee('Related context')
        ->assertSee(BaselineProfileResource::getUrl('view', ['record' => $profile], panel: 'admin'), false)
        ->assertSeeInOrder(['Outcome summary', 'Coverage summary', 'Captured governed subjects', 'Technical detail'])
        ->assertSee('Security Reader')
        ->assertSee('Bitlocker Require')
        ->assertSee('Mystery Policy')
        ->assertSee('Intune RBAC Role Definition')
        ->assertSee('Device Compliance')
        ->assertSee('Mystery Policy Type')
        ->assertSee('Governed subject')
        ->assertDontSee('Artifact truth')
        ->assertDontSee('Intune RBAC Role Definition References');

    $this->actingAs($user)
        ->get(BaselineSnapshotResource::getUrl(panel: 'admin'))
        ->assertOk()
        ->assertSee('View baseline profile')
        ->assertSee(BaselineSnapshotResource::getUrl('view', ['record' => $snapshot], panel: 'admin'))
        ->assertDontSee('>View<', escape: false);
});

it('caps baseline snapshot receipt governed-subject rows before internal detail', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'name' => 'Spec397 Baseline',
    ]);

    $policyTypeCounts = [];

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
        'summary_jsonb' => [
            'total_items' => 10,
            'fidelity_counts' => ['content' => 10, 'meta' => 0],
            'gaps' => ['count' => 0, 'by_reason' => []],
        ],
    ]);

    foreach (range(1, 10) as $index) {
        $policyType = sprintf('spec397PolicyType%02d', $index);
        $policyTypeCounts[$policyType] = 1;
        $subjectKey = baselineProviderResourceSubjectKeyForTest($policyType, sprintf('spec397-policy-%02d', $index));

        BaselineSnapshotItem::factory()->create([
            'baseline_snapshot_id' => (int) $snapshot->getKey(),
            'policy_type' => $policyType,
            'subject_key' => $subjectKey,
            'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId($policyType, $subjectKey),
            'meta_jsonb' => [
                'display_name' => sprintf('Spec397 Policy %02d', $index),
                'evidence' => [
                    'fidelity' => 'content',
                    'source' => 'policy_version',
                    'observed_at' => now()->toIso8601String(),
                ],
            ],
        ]);
    }

    $snapshot->forceFill([
        'summary_jsonb' => array_merge($snapshot->summary_jsonb, [
            'policy_type_counts' => $policyTypeCounts,
        ]),
    ])->save();

    $response = $this->actingAs($user)
        ->get(BaselineSnapshotResource::getUrl('view', ['record' => $snapshot], panel: 'admin'));

    $response
        ->assertOk()
        ->assertSee('Showing the first 8 governed subjects for receipt review.')
        ->assertSee('2 additional subjects stay in internal detail.');

    expect(substr_count($response->getContent(), 'Showing the first 8 governed subjects'))->toBeGreaterThanOrEqual(2);
});