Harden multi-tenant isolation across all user-facing controllers

Added explicit CompanyId == companyId predicates to every tenant-scoped
query in 22 controllers so cross-tenant data leakage is impossible even
if EF Core global query filters are bypassed or misconfigured.

Also fixed ApplicationDbContext.IsPlatformAdmin to correctly return true
for SuperAdmins with no CompanyId claim (break-glass accounts) and when
no HTTP context is present (background services, unit tests), resolving
225 unit test failures that stemmed from the global filter blocking all
in-memory test data.

New MultiTenantIsolationTests class (8 tests) verifies the explicit
predicate layer independently of the global query filters.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/PowderCoating.Web/Controllers/QuotesController.cs

@@ -255,7 +255,7 @@ public class QuotesController : Controller
 
             // Calibration nudge — suppress when named blast setups exist OR legacy CFM is set
             var costs = (await _unitOfWork.CompanyOperatingCosts.FindAsync(c => c.CompanyId == companyId)).FirstOrDefault();
-            var hasNamedSetups = (await _unitOfWork.BlastSetups.FindAsync(b => b.IsActive)).Any();
+            var hasNamedSetups = (await _unitOfWork.BlastSetups.FindAsync(b => b.IsActive && b.CompanyId == companyId)).Any();
             ViewBag.QuotingNotCalibrated = costs != null
                 && !hasNamedSetups
                 && costs.CompressorCfm == 0
@@ -441,7 +441,7 @@ public class QuotesController : Controller
             ViewBag.Deposits = quoteDeposits;
 
             // Customer list for inline customer-change dropdown
-            var allCustomers = await _unitOfWork.Customers.GetAllAsync();
+            var allCustomers = await _unitOfWork.Customers.FindAsync(c => c.CompanyId == quote.CompanyId);
             ViewBag.CustomerSelectList = allCustomers
                 .Where(c => c.IsActive)
                 .Select(c => new SelectListItem
@@ -2430,7 +2430,7 @@ public class QuotesController : Controller
         ViewBag.QuotePhotosEnabled = quotePhotoMax != 0; // 0 = feature disabled for this plan
 
         // Customers
-        var customers = await _unitOfWork.Customers.GetAllAsync();
+        var customers = await _unitOfWork.Customers.FindAsync(c => c.CompanyId == companyId);
         ViewBag.Customers = customers
             .Select(c => new SelectListItem
             {
@@ -2471,7 +2471,7 @@ public class QuotesController : Controller
         }
 
         // Inventory coatings — include incoming items so they can be quoted while powder is in transit
-        var inventory = await _unitOfWork.InventoryItems.GetAllAsync(false, i => i.InventoryCategory);
+        var inventory = await _unitOfWork.InventoryItems.FindAsync(i => i.CompanyId == companyId, false, i => i.InventoryCategory);
         ViewBag.InventoryCoatings = inventory
             .Where(i => i.IsActive && i.InventoryCategory?.IsActive == true && i.InventoryCategory.IsCoating)
             .OrderBy(i => i.IsIncoming ? 1 : 0).ThenBy(i => i.InventoryCategory!.DisplayOrder).ThenBy(i => i.ColorName ?? i.Name)
@@ -2492,13 +2492,13 @@ public class QuotesController : Controller
             }).ToList();
 
         // Vendors
-        var vendors = await _unitOfWork.Vendors.GetAllAsync(false);
+        var vendors = await _unitOfWork.Vendors.FindAsync(s => s.CompanyId == companyId, false);
         ViewBag.Vendors = vendors
             .Where(s => s.IsActive).OrderBy(s => s.CompanyName)
             .Select(s => new { value = s.Id.ToString(), text = s.CompanyName }).ToList();
 
         // Catalog items
-        var catalogItems = await _unitOfWork.CatalogItems.GetAllAsync(false, i => i.Category, i => i.Category.ParentCategory);
+        var catalogItems = await _unitOfWork.CatalogItems.FindAsync(i => i.CompanyId == companyId, false, i => i.Category, i => i.Category.ParentCategory);
         ViewBag.CatalogItems = catalogItems
             .Where(i => i.IsActive)
             .OrderBy(i => i.Category.DisplayOrder).ThenBy(i => i.DisplayOrder)
@@ -2528,11 +2528,11 @@ public class QuotesController : Controller
             }).ToList();
 
         // Prep services
-        var prepServices = await _unitOfWork.PrepServices.FindAsync(ps => ps.IsActive);
+        var prepServices = await _unitOfWork.PrepServices.FindAsync(ps => ps.IsActive && ps.CompanyId == companyId);
         ViewBag.PrepServices = prepServices.OrderBy(ps => ps.DisplayOrder).ToList();
 
         // Blast setups for wizard dropdown
-        var blastSetups = await _unitOfWork.BlastSetups.FindAsync(b => b.IsActive);
+        var blastSetups = await _unitOfWork.BlastSetups.FindAsync(b => b.IsActive && b.CompanyId == companyId);
         ViewBag.BlastSetups = blastSetups.OrderBy(b => b.DisplayOrder)
             .Select(b => new { id = b.Id, name = b.Name, derivedRate = ShopCapabilityCalculator.GetBlastRateSqFtPerHour(b), isDefault = b.IsDefault })
             .ToList();
@@ -2599,7 +2599,8 @@ public class QuotesController : Controller
     /// </summary>
     private async Task PopulatePricingTiersDropDownAsync()
     {
-        var pricingTiers = await _unitOfWork.PricingTiers.GetAllAsync();
+        var companyId = _tenantContext.GetCurrentCompanyId() ?? 0;
+        var pricingTiers = await _unitOfWork.PricingTiers.FindAsync(pt => pt.CompanyId == companyId);
         ViewBag.PricingTiers = pricingTiers.OrderBy(pt => pt.TierName)
             .Select(pt => new SelectListItem
             {
@@ -2825,9 +2826,9 @@ public class QuotesController : Controller
         // Do NOT assign fullItems to quote.QuoteItems — quote is a tracked entity and assigning
         // no-tracking children (which may share InventoryItem instances) causes EF identity conflicts.
 
-        // Get default job statuses and priorities
-        var jobStatuses = await _unitOfWork.JobStatusLookups.GetAllAsync();
-        var jobPriorities = await _unitOfWork.JobPriorityLookups.GetAllAsync();
+        // Get default job statuses and priorities — scope to quote's company for defense-in-depth
+        var jobStatuses = await _unitOfWork.JobStatusLookups.FindAsync(s => s.CompanyId == quote.CompanyId);
+        var jobPriorities = await _unitOfWork.JobPriorityLookups.FindAsync(p => p.CompanyId == quote.CompanyId);
         var approvedStatus = jobStatuses.FirstOrDefault(s => s.StatusCode == AppConstants.StatusCodes.Job.Approved);
         var normalPriority = jobPriorities.FirstOrDefault(p => p.PriorityCode == "NORMAL");
         var rushPriority = jobPriorities.FirstOrDefault(p => p.PriorityCode == "RUSH");
@@ -3347,7 +3348,7 @@ public class QuotesController : Controller
             CompanyBlastSetup? selectedBlastSetup = null;
             if (request.BlastSetupId.HasValue)
             {
-                var setups = await _unitOfWork.BlastSetups.FindAsync(b => b.Id == request.BlastSetupId.Value && b.IsActive);
+                var setups = await _unitOfWork.BlastSetups.FindAsync(b => b.Id == request.BlastSetupId.Value && b.IsActive && b.CompanyId == companyId);
                 selectedBlastSetup = setups.FirstOrDefault();
             }