<?php

declare(strict_types=1);

use App\Jobs\CompareBaselineToTenantJob;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineSnapshotItem;
use App\Models\Finding;
use App\Models\InventoryItem;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Drift\DriftFindingDiffBuilder;
use App\Services\Drift\DriftHasher;
use App\Services\Drift\Normalizers\AssignmentsNormalizer;
use App\Services\Drift\Normalizers\ScopeTagsNormalizer;
use App\Services\Drift\Normalizers\SettingsNormalizer;
use App\Services\Intune\AuditLogger;
use App\Services\Intune\PolicySnapshotRedactor;
use App\Services\OperationRunService;
use App\Support\Baselines\BaselineSubjectKey;
use App\Support\OperationRunType;
use Carbon\CarbonImmutable;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('creates a drift finding for secret-only snapshot changes and surfaces protected-change evidence', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
    ]);

    $baselineCapturedAt = CarbonImmutable::parse('2026-03-01 00:00:00');

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
        'captured_at' => $baselineCapturedAt,
    ]);

    $profile->update(['active_snapshot_id' => $snapshot->getKey()]);

    $inventorySyncRun = createInventorySyncOperationRunWithCoverage(
        tenant: $tenant,
        statusByType: ['deviceConfiguration' => 'succeeded'],
    );

    $policy = Policy::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'policy_type' => 'deviceConfiguration',
        'external_id' => 'policy-secret',
        'platform' => 'windows',
        'display_name' => 'Protected Policy',
    ]);

    /** @var PolicySnapshotRedactor $redactor */
    $redactor = app(PolicySnapshotRedactor::class);
    /** @var DriftHasher $hasher */
    $hasher = app(DriftHasher::class);
    /** @var SettingsNormalizer $settingsNormalizer */
    $settingsNormalizer = app(SettingsNormalizer::class);
    /** @var AssignmentsNormalizer $assignmentsNormalizer */
    $assignmentsNormalizer = app(AssignmentsNormalizer::class);
    /** @var ScopeTagsNormalizer $scopeTagsNormalizer */
    $scopeTagsNormalizer = app(ScopeTagsNormalizer::class);

    $baselineProtected = $redactor->protect(
        workspaceId: (int) $tenant->workspace_id,
        payload: [
            'wifi' => [
                'ssid' => 'Corp',
                'password' => 'baseline-secret',
            ],
        ],
    );

    $baselineHash = $hasher->hashNormalized([
        'settings' => $settingsNormalizer->normalizeForDiff($baselineProtected->snapshot, 'deviceConfiguration', 'windows'),
        'assignments' => $assignmentsNormalizer->normalizeForDiff([]),
        'scope_tag_ids' => $scopeTagsNormalizer->normalizeIds([]),
        'secret_fingerprints' => $baselineProtected->secretFingerprints,
        'redaction_version' => $baselineProtected->redactionVersion,
    ]);

    $subjectKey = BaselineSubjectKey::fromDisplayName((string) $policy->display_name);
    expect($subjectKey)->not->toBeNull();

    BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot->getKey(),
        'subject_type' => 'policy',
        'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId(
            policyType: (string) $policy->policy_type,
            subjectKey: (string) $subjectKey,
        ),
        'subject_key' => (string) $subjectKey,
        'policy_type' => (string) $policy->policy_type,
        'baseline_hash' => $baselineHash,
        'meta_jsonb' => [
            'display_name' => (string) $policy->display_name,
            'evidence' => [
                'fidelity' => 'content',
                'source' => 'policy_version',
                'observed_at' => $baselineCapturedAt->toIso8601String(),
                'observed_operation_run_id' => null,
            ],
        ],
    ]);

    InventoryItem::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'external_id' => (string) $policy->external_id,
        'policy_type' => (string) $policy->policy_type,
        'display_name' => (string) $policy->display_name,
        'meta_jsonb' => [
            'odata_type' => '#microsoft.graph.deviceConfiguration',
            'etag' => 'W/"same-etag"',
            'scope_tag_ids' => [],
            'assignment_target_count' => 1,
        ],
        'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
        'last_seen_at' => now(),
    ]);

    $baselineVersion = PolicyVersion::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'policy_id' => (int) $policy->getKey(),
        'version_number' => 1,
        'policy_type' => (string) $policy->policy_type,
        'platform' => (string) $policy->platform,
        'captured_at' => $baselineCapturedAt,
        'snapshot' => $baselineProtected->snapshot,
        'secret_fingerprints' => $baselineProtected->secretFingerprints,
        'redaction_version' => $baselineProtected->redactionVersion,
    ]);

    $currentProtected = $redactor->protect(
        workspaceId: (int) $tenant->workspace_id,
        payload: [
            'wifi' => [
                'ssid' => 'Corp',
                'password' => 'rotated-secret',
            ],
        ],
    );

    $currentVersion = PolicyVersion::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'policy_id' => (int) $policy->getKey(),
        'version_number' => 2,
        'policy_type' => (string) $policy->policy_type,
        'platform' => (string) $policy->platform,
        'captured_at' => $baselineCapturedAt->addHour(),
        'snapshot' => $currentProtected->snapshot,
        'secret_fingerprints' => $currentProtected->secretFingerprints,
        'redaction_version' => $currentProtected->redactionVersion,
    ]);

    $opService = app(OperationRunService::class);
    $run = $opService->ensureRunWithIdentity(
        tenant: $tenant,
        type: OperationRunType::BaselineCompare->value,
        identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
        context: [
            'baseline_profile_id' => (int) $profile->getKey(),
            'baseline_snapshot_id' => (int) $snapshot->getKey(),
            'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
        ],
        initiator: $user,
    );

    (new CompareBaselineToTenantJob($run))->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        $opService,
    );

    $finding = Finding::query()
        ->where('tenant_id', (int) $tenant->getKey())
        ->where('subject_external_id', (string) $policy->external_id)
        ->first();

    expect($finding)->toBeInstanceOf(Finding::class);
    expect($finding?->evidence_jsonb['summary']['kind'] ?? null)->toBe('policy_snapshot');

    $diff = app(DriftFindingDiffBuilder::class)->buildSettingsDiff($baselineVersion, $currentVersion);

    expect($diff['summary']['message'] ?? null)->toContain('protected value change');
    expect($diff['changed'])->toHaveKey('Protected > /wifi/password (value changed)');
});