['auth', 'login', 'logout', 'profile', 'frontend'], 'authorization' => ['roles', 'permissions', 'switch-role', 'impersonate'], 'student_privacy' => ['students', 'parents', 'family', 'guardian'], 'attendance_safety' => ['attendance', 'late', 'dismissal', 'absence'], 'academic_records' => ['scores', 'grades', 'report-card', 'certificate'], 'financial_records' => ['finance', 'invoice', 'payment', 'refund', 'receipt'], 'files' => ['upload', 'download', 'import', 'export', 'print'], 'external_integrations' => ['webhook', 'callback', 'paypal', 'email', 'whatsapp'], 'operations' => ['settings', 'configuration', 'health', 'debug', 'logs'], ]; foreach ($riskRegister as $risk => $needles) { $this->assertNotEmpty($this->apiRoutesContainingAny($needles), 'Batch 12 risk register missing route family: '.$risk); } } public function test_mutating_high_risk_routes_have_specific_route_names_when_available(): void { foreach (array_slice($this->apiRoutesContainingAny(['finance', 'attendance', 'users', 'roles', 'permissions', 'settings', 'import', 'webhook']), 0, 180) as $route) { if (! in_array($this->primaryMethod($route), ['POST', 'PUT', 'PATCH', 'DELETE'], true)) { continue; } $name = $route->getName(); $this->assertTrue($name === null || ! preg_match('/(^|\.)(store|update|destroy)$/', $name) || substr_count((string) $name, '.') >= 2, 'High-risk route name is too generic: '.($name ?? '[unnamed]').' '.$route->uri()); } } }