Implement tenant-aware temporal role tests

[kevalyq]

Implement Tenant-Aware Temporal Role Tests

Context

PR #109 (RBAC Phase 1) implements the temporal role foundation (TemporalRoleUser model, migration, User relationship override) but does not include tests due to architectural constraints.

Problem

Initial test implementation failed because:

1. Multi-tenancy constraint: model_has_roles.tenant_id is NOT NULL, but tests didn't set tenant context
2. UUID mismatch: assigned_by column expects UUID (foreign key to users.id), but tests passed integer user IDs
3. Missing tenant fixtures: No reusable test fixtures for tenant-aware role assignments

Required Tests (12 test cases)

Temporal Filtering

• Can assign role with temporal validity (valid_from + valid_until)
• Filters out future roles (valid_from > now)
• Filters out expired roles (valid_until < now)
• Includes currently active roles (valid_from <= now <= valid_until)
• Includes permanent roles (no temporal bounds)

Query Scopes

• active() scope returns only active roles
• expired() scope returns only expired roles (with auto_revoke=true)

Helper Methods

• isActive() correctly identifies active assignment
• isActive() correctly identifies inactive assignment (future)
• isExpired() correctly identifies expired assignment
• isExpired() correctly identifies non-expired assignment

Auto-Revoke

• Respects auto_revoke flag (only auto_revoke=true roles appear in expired() scope)

Implementation Requirements

Test Infrastructure

1. Create tenant-aware test fixture helper:

   // Example structure
   trait HasTenantContext {
       protected function assignRoleWithTenant(User $user, Role $role, array $pivotData = []): void
       {
           // Set tenant context via setPermissionTeam()
           // Ensure tenant_id is set in pivot data
           // Handle UUID conversion for assigned_by
       }
   }

2. Use RefreshDatabase trait

3. Set proper tenant context before role assignments

4. Use UUID strings for assigned_by field (or null)

Test Location

• Path: tests/Feature/Models/TemporalRoleUserTest.php
• Use Pest PHP syntax (matching project convention)
• Group under describe('TemporalRoleUser Pivot Model', ...)

Acceptance Criteria

• All 12 test cases implemented
• Tests pass without modifications to production code
• Proper tenant isolation (roles from different tenants don't interfere)
• No skipped tests
• Coverage meets 80% minimum for TemporalRoleUser model

Dependencies

• Depends on: PR feat: RBAC Phase 1 - Temporal Role Foundation #109 (RBAC Phase 1) being merged
• Blocks: Phase 2 complete sign-off

Related

• PR feat: RBAC Phase 1 - Temporal Role Foundation #109: RBAC Phase 1 - Temporal Role Foundation
• Issue RBAC Phase 1: Foundation & Temporal Extensions #105: RBAC Phase 1 - Temporal Role Foundation
• Issue 🔐 Implement RBAC System (Role-Based Access Control) #5: Implement Role-Based Access Control (RBAC) System (parent epic)

Notes

This is a Quality First decision: Better to ship production code without tests and track them properly, than to ship broken/skipped tests that provide no value.

[github-actions]

✅ This issue has been added to the SecPal Feature Roadmap with status: 💡 Ideas

New idea - needs discussion and evaluation

Status Flow:
💡 Ideas → 💬 Discussion → 📥 Backlog → 📋 Planned → 🚧 In Progress → 👀 In Review → ✅ Done

Note: Ideas that won't be implemented should be moved to 🚫 Won't Do with a reason.