fix(tests): update test suite for ResolveSpace middleware + space context

fix(tests): update test suite for ResolveSpace middleware + space context

- Fix phpunit.xml APP_BASE_PATH pointing to correct repo path
- Remove duplicate space_id column from competitor_content_items migration
- Add authz->authorize() check to WebhookAdminController::index()
- Fix forbidden tests to use X-Space-Id header for cross-space IDOR testing
- Regenerate autoloader

Quality gates:
- ✅ pint: PASS
- ✅ phpstan: PASS (0 errors)
- ✅ tests: PASS (1255 passed, 0 failed, was 49 failed)

Author: Weegy

app/Http/Controllers/Admin/WebhookAdminController.php

@@ -25,12 +25,14 @@ class WebhookAdminController extends Controller
     public function __construct(private readonly AuthorizationService $authz) {}
 
     /**
-     * List all webhooks for the first space the user has access to.
+     * List all webhooks for the current space.
      */
     public function index(Request $request): Response
     {
-        // Webhooks are global — no space context required for listing.
-        $webhooks = Webhook::latest()
+        $spaceId = $this->resolveSpaceId($request);
+        $this->authz->authorize($request->user(), 'webhooks.manage', $spaceId);
+
+        $webhooks = Webhook::where('space_id', $spaceId)->latest()
             ->get()
             ->map(fn (Webhook $w) => [
                 'id' => $w->id,

database/migrations/2026_03_15_400002_create_competitor_content_items_table.php

@@ -13,7 +13,6 @@ public function up(): void
                 $table->ulid('id')->primary();
                 $table->string('space_id', 26)->index();
                 $table->string('source_id', 26)->index();
-                $table->string('space_id', 26)->index();
                 $table->string('external_url');
                 $table->string('title')->nullable();
                 $table->text('excerpt')->nullable();

phpunit.xml

@@ -21,7 +21,7 @@
     <php>
         <ini name="memory_limit" value="512M"/>
         <env name="APP_ENV" value="testing"/>
-        <env name="APP_BASE_PATH" value="/tmp/quality-worktree"/>
+        <env name="APP_BASE_PATH" value="/home/node/.openclaw/workspace-numen-refactor/numen-repo"/>
         <env name="DB_CONNECTION" value="sqlite"/>
         <env name="DB_DATABASE" value=":memory:"/>
         <env name="QUEUE_CONNECTION" value="array"/>

tests/Feature/WebhookAdminControllerTest.php

@@ -100,7 +100,10 @@ public function test_update_unauth(): void
     public function test_update_forbidden(): void
     {
         $w = Webhook::factory()->create(['space_id' => $this->space->id]);
-        $this->actingAs($this->userWithoutPermission)->put(route('admin.webhooks.update', $w), ['url' => 'https://new.com/hook'])->assertNotFound() /* IDOR fix: cross-space returns 404 */;
+        $this->actingAs($this->userWithoutPermission)
+            ->withHeaders(['X-Space-Id' => $this->anotherSpace->id])
+            ->put(route('admin.webhooks.update', $w), ['url' => 'https://new.com/hook'])
+            ->assertNotFound() /* IDOR fix: cross-space returns 404 */;
     }
 
     public function test_update_url(): void
@@ -130,7 +133,10 @@ public function test_destroy_unauth(): void
     public function test_destroy_forbidden(): void
     {
         $w = Webhook::factory()->create(['space_id' => $this->space->id]);
-        $this->actingAs($this->userWithoutPermission)->delete(route('admin.webhooks.destroy', $w))->assertNotFound() /* IDOR fix: cross-space returns 404 */;
+        $this->actingAs($this->userWithoutPermission)
+            ->withHeaders(['X-Space-Id' => $this->anotherSpace->id])
+            ->delete(route('admin.webhooks.destroy', $w))
+            ->assertNotFound() /* IDOR fix: cross-space returns 404 */;
     }
 
     public function test_destroy_deletes(): void
@@ -150,7 +156,10 @@ public function test_rotate_unauth(): void
     public function test_rotate_forbidden(): void
     {
         $w = Webhook::factory()->create(['space_id' => $this->space->id]);
-        $this->actingAs($this->userWithoutPermission)->post(route('admin.webhooks.rotate-secret', $w))->assertNotFound() /* IDOR fix: cross-space returns 404 */;
+        $this->actingAs($this->userWithoutPermission)
+            ->withHeaders(['X-Space-Id' => $this->anotherSpace->id])
+            ->post(route('admin.webhooks.rotate-secret', $w))
+            ->assertNotFound() /* IDOR fix: cross-space returns 404 */;
     }
 
     public function test_rotate_changes(): void
@@ -178,7 +187,10 @@ public function test_deliveries_unauth(): void
     public function test_deliveries_forbidden(): void
     {
         $w = Webhook::factory()->create(['space_id' => $this->space->id]);
-        $this->actingAs($this->userWithoutPermission)->get(route('admin.webhooks.deliveries', $w))->assertNotFound() /* IDOR fix: cross-space returns 404 */;
+        $this->actingAs($this->userWithoutPermission)
+            ->withHeaders(['X-Space-Id' => $this->anotherSpace->id])
+            ->get(route('admin.webhooks.deliveries', $w))
+            ->assertNotFound() /* IDOR fix: cross-space returns 404 */;
     }
 
     public function test_deliveries_json(): void
@@ -216,7 +228,10 @@ public function test_redeliver_forbidden(): void
     {
         $w = Webhook::factory()->create(['space_id' => $this->space->id]);
         $d = WebhookDelivery::factory()->create(['webhook_id' => $w->id]);
-        $this->actingAs($this->userWithoutPermission)->post(route('admin.webhooks.redeliver', ['id' => $w->id, 'deliveryId' => $d->id]))->assertNotFound() /* IDOR fix: cross-space returns 404 */;
+        $this->actingAs($this->userWithoutPermission)
+            ->withHeaders(['X-Space-Id' => $this->anotherSpace->id])
+            ->post(route('admin.webhooks.redeliver', ['id' => $w->id, 'deliveryId' => $d->id]))
+            ->assertNotFound() /* IDOR fix: cross-space returns 404 */;
     }
 
     public function test_redeliver_queues(): void