Harden multi-tenant isolation across all user-facing controllers

Added explicit CompanyId == companyId predicates to every tenant-scoped
query in 22 controllers so cross-tenant data leakage is impossible even
if EF Core global query filters are bypassed or misconfigured.

Also fixed ApplicationDbContext.IsPlatformAdmin to correctly return true
for SuperAdmins with no CompanyId claim (break-glass accounts) and when
no HTTP context is present (background services, unit tests), resolving
225 unit test failures that stemmed from the global filter blocking all
in-memory test data.

New MultiTenantIsolationTests class (8 tests) verifies the explicit
predicate layer independently of the global query filters.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/PowderCoating.Web/Controllers/JobsController.cs

@@ -499,7 +499,7 @@ public class JobsController : Controller
             ViewBag.MaterialsUsed = allJobTransactions;
 
             // Inventory items for the manual log-material modal
-            var inventoryItemsForModal = (await _unitOfWork.InventoryItems.GetAllAsync())
+            var inventoryItemsForModal = (await _unitOfWork.InventoryItems.FindAsync(i => i.CompanyId == job.CompanyId))
                 .OrderBy(i => i.Name)
                 .Select(i => new { i.Id, i.Name, i.Manufacturer, i.UnitOfMeasure, i.QuantityOnHand })
                 .ToList();
@@ -528,7 +528,7 @@ public class JobsController : Controller
             ViewBag.JobPhotoMax = photoMax;
 
             // Customer list for inline customer-change dropdown
-            var allCustomers = await _unitOfWork.Customers.GetAllAsync();
+            var allCustomers = await _unitOfWork.Customers.FindAsync(c => c.CompanyId == job.CompanyId);
             ViewBag.CustomerSelectList = allCustomers
                 .Where(c => c.IsActive)
                 .Select(c => new SelectListItem
@@ -634,7 +634,8 @@ public class JobsController : Controller
 
         if (job == null) return NotFound();
 
-        var allStatuses = (await _unitOfWork.JobStatusLookups.GetAllAsync())
+        var companyId = _tenantContext.GetCurrentCompanyId() ?? 0;
+        var allStatuses = (await _unitOfWork.JobStatusLookups.FindAsync(s => s.CompanyId == companyId))
             .OrderBy(s => s.DisplayOrder).ToList();
 
         ViewBag.AllStatuses = allStatuses;
@@ -657,7 +658,7 @@ public class JobsController : Controller
 
         if (job == null) return NotFound();
 
-        var allStatuses = (await _unitOfWork.JobStatusLookups.GetAllAsync()).ToList();
+        var allStatuses = (await _unitOfWork.JobStatusLookups.FindAsync(s => s.CompanyId == job.CompanyId)).ToList();
         var newStatus = allStatuses.FirstOrDefault(s => s.Id == newStatusId);
         if (newStatus == null) return BadRequest("Invalid status.");
 
@@ -845,7 +846,7 @@ public class JobsController : Controller
         // Optionally advance status to In Preparation
         if (advanceToInPreparation && jobToUpdate.JobStatus.StatusCode != AppConstants.StatusCodes.Job.InPreparation)
         {
-            var allStatuses = await _unitOfWork.JobStatusLookups.GetAllAsync();
+            var allStatuses = await _unitOfWork.JobStatusLookups.FindAsync(s => s.CompanyId == jobToUpdate.CompanyId);
             var inPrepStatus = allStatuses.FirstOrDefault(s => s.StatusCode == AppConstants.StatusCodes.Job.InPreparation);
             if (inPrepStatus != null)
             {
@@ -902,7 +903,7 @@ public class JobsController : Controller
 
         if (advanceToInPreparation && job.JobStatus.StatusCode != AppConstants.StatusCodes.Job.InPreparation && !job.JobStatus.IsTerminalStatus)
         {
-            var allStatuses = await _unitOfWork.JobStatusLookups.GetAllAsync();
+            var allStatuses = await _unitOfWork.JobStatusLookups.FindAsync(s => s.CompanyId == job.CompanyId);
             var inPrepStatus = allStatuses.FirstOrDefault(s => s.StatusCode == AppConstants.StatusCodes.Job.InPreparation);
             if (inPrepStatus != null)
             {
@@ -1809,7 +1810,7 @@ public class JobsController : Controller
         ViewBag.AiPhotoQuotesEnabled = await _subscriptionService.CanUseAiPhotoQuoteAsync(companyId);
 
         await PopulateDropdowns();
-        await PopulatePrepServicesAsync();
+        await PopulatePrepServicesAsync(companyId);
         var costs = await _pricingService.GetOperatingCostsAsync(companyId);
         await PopulateJobItemDropDownsAsync(companyId, costs?.OvenOperatingCostPerHour ?? 45m);
         ViewBag.TaxPercent                = costs?.TaxPercent               ?? 0m;
@@ -1829,7 +1830,9 @@ public class JobsController : Controller
     /// </summary>
     private async Task PopulateDropdowns()
     {
-        var customers = await _unitOfWork.Customers.GetAllAsync();
+        var companyId = _tenantContext.GetCurrentCompanyId() ?? 0;
+
+        var customers = await _unitOfWork.Customers.FindAsync(c => c.CompanyId == companyId);
         ViewBag.Customers = new SelectList(
             customers.Where(c => c.IsActive).Select(c => new
             {
@@ -1840,8 +1843,6 @@ public class JobsController : Controller
             }).OrderBy(c => c.DisplayName),
             "Id",
             "DisplayName");
-
-        var companyId = _tenantContext.GetCurrentCompanyId() ?? 0;
         var users = await _userManager.Users
             .Where(u => u.CompanyId == companyId && u.IsActive && u.CompanyRole != null)
             .OrderBy(u => u.FirstName).ThenBy(u => u.LastName)
@@ -2223,13 +2224,13 @@ public class JobsController : Controller
     /// Loads all active prep services into ViewBag for the item wizard's prep services step.
     /// Prep services are ordered by DisplayOrder so they appear in the intended workflow sequence.
     /// </summary>
-    private async Task PopulatePrepServicesAsync()
+    private async Task PopulatePrepServicesAsync(int companyId)
     {
-        var prepServices = await _unitOfWork.PrepServices.FindAsync(ps => ps.IsActive);
+        var prepServices = await _unitOfWork.PrepServices.FindAsync(ps => ps.IsActive && ps.CompanyId == companyId);
         ViewBag.PrepServices = prepServices.OrderBy(ps => ps.DisplayOrder).ToList();
         _logger.LogInformation("Populated {Count} active prep services", prepServices.Count());
 
-        var blastSetups = await _unitOfWork.BlastSetups.FindAsync(b => b.IsActive);
+        var blastSetups = await _unitOfWork.BlastSetups.FindAsync(b => b.IsActive && b.CompanyId == companyId);
         ViewBag.BlastSetups = blastSetups.OrderBy(b => b.DisplayOrder)
             .Select(b => new { id = b.Id, name = b.Name, derivedRate = ShopCapabilityCalculator.GetBlastRateSqFtPerHour(b), isDefault = b.IsDefault })
             .ToList();
@@ -3166,7 +3167,7 @@ public class JobsController : Controller
     /// </summary>
     private async Task PopulateJobItemDropDownsAsync(int companyId, decimal fallbackOvenRate)
     {
-        var inventory = await _unitOfWork.InventoryItems.GetAllAsync(false, i => i.InventoryCategory);
+        var inventory = await _unitOfWork.InventoryItems.FindAsync(i => i.CompanyId == companyId, false, i => i.InventoryCategory);
         ViewBag.InventoryCoatings = inventory
             .Where(i => i.IsActive && i.InventoryCategory?.IsActive == true && i.InventoryCategory.IsCoating)
             .OrderBy(i => i.IsIncoming ? 1 : 0).ThenBy(i => i.InventoryCategory!.DisplayOrder).ThenBy(i => i.ColorName ?? i.Name)
@@ -3186,12 +3187,12 @@ public class JobsController : Controller
                 isIncoming = i.IsIncoming
             }).ToList();
 
-        var vendors = await _unitOfWork.Vendors.GetAllAsync(false);
+        var vendors = await _unitOfWork.Vendors.FindAsync(s => s.CompanyId == companyId, false);
         ViewBag.Vendors = vendors
             .Where(s => s.IsActive).OrderBy(s => s.CompanyName)
             .Select(s => new { value = s.Id.ToString(), text = s.CompanyName }).ToList();
 
-        var catalogItems = await _unitOfWork.CatalogItems.GetAllAsync(false, i => i.Category, i => i.Category.ParentCategory);
+        var catalogItems = await _unitOfWork.CatalogItems.FindAsync(i => i.CompanyId == companyId, false, i => i.Category, i => i.Category.ParentCategory);
         ViewBag.CatalogItems = catalogItems
             .Where(i => i.IsActive)
             .OrderBy(i => i.Category.DisplayOrder).ThenBy(i => i.DisplayOrder)
@@ -3220,10 +3221,10 @@ public class JobsController : Controller
                 description = i.Description
             }).ToList();
 
-        var prepServices = await _unitOfWork.PrepServices.FindAsync(ps => ps.IsActive);
+        var prepServices = await _unitOfWork.PrepServices.FindAsync(ps => ps.IsActive && ps.CompanyId == companyId);
         ViewBag.PrepServices = prepServices.OrderBy(ps => ps.DisplayOrder).ToList();
 
-        var blastSetupsForEditItems = await _unitOfWork.BlastSetups.FindAsync(b => b.IsActive);
+        var blastSetupsForEditItems = await _unitOfWork.BlastSetups.FindAsync(b => b.IsActive && b.CompanyId == companyId);
         ViewBag.BlastSetups = blastSetupsForEditItems.OrderBy(b => b.DisplayOrder)
             .Select(b => new { id = b.Id, name = b.Name, derivedRate = ShopCapabilityCalculator.GetBlastRateSqFtPerHour(b), isDefault = b.IsDefault })
             .ToList();