<?php

use App\Jobs\CaptureBaselineSnapshotJob;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineSnapshotItem;
use App\Models\InventoryItem;
use App\Models\OperationRun;
use App\Models\Policy;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Baselines\InventoryMetaContract;
use App\Services\Intune\AuditLogger;
use App\Services\OperationRunService;
use App\Support\Baselines\BaselineCaptureMode;
use App\Support\Baselines\BaselineSubjectKey;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\OperationRunType;

it('Baseline snapshot items do not persist tenant identifiers', function () {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => $tenant->workspace_id,
        'capture_mode' => BaselineCaptureMode::Opportunistic->value,
        'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
    ]);

    $policy = Policy::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'policy_type' => 'deviceConfiguration',
        'external_id' => 'tenant-policy-external-id',
        'platform' => 'windows',
        'display_name' => 'Isolated Policy',
    ]);

    $lastSeenRun = OperationRun::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'type' => OperationRunType::InventorySync->value,
        'status' => OperationRunStatus::Completed->value,
        'outcome' => OperationRunOutcome::Succeeded->value,
        'completed_at' => now(),
    ]);

    InventoryItem::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'policy_type' => (string) $policy->policy_type,
        'external_id' => (string) $policy->external_id,
        'display_name' => (string) $policy->display_name,
        'meta_jsonb' => [
            'odata_type' => '#microsoft.graph.deviceConfiguration',
            'etag' => 'E_ISOLATION',
            'scope_tag_ids' => [],
            'assignment_target_count' => 1,
        ],
        'last_seen_operation_run_id' => (int) $lastSeenRun->getKey(),
        'last_seen_at' => now()->subHour(),
    ]);

    $opService = app(OperationRunService::class);
    $run = $opService->ensureRunWithIdentity(
        tenant: $tenant,
        type: 'baseline_capture',
        identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
        context: [
            'baseline_profile_id' => (int) $profile->getKey(),
            'source_tenant_id' => (int) $tenant->getKey(),
            'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
        ],
        initiator: $user,
    );

    (new CaptureBaselineSnapshotJob($run))->handle(
        app(BaselineSnapshotIdentity::class),
        app(InventoryMetaContract::class),
        app(AuditLogger::class),
        $opService,
    );

    $snapshot = BaselineSnapshot::query()
        ->where('baseline_profile_id', (int) $profile->getKey())
        ->sole();

    $subjectKey = BaselineSubjectKey::fromDisplayName((string) $policy->display_name);
    expect($subjectKey)->not->toBeNull();

    $workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId(
        policyType: (string) $policy->policy_type,
        subjectKey: (string) $subjectKey,
    );

    $item = BaselineSnapshotItem::query()
        ->where('baseline_snapshot_id', (int) $snapshot->getKey())
        ->where('subject_key', (string) $subjectKey)
        ->sole();

    expect($item->subject_external_id)->toBe($workspaceSafeExternalId);
    expect($item->subject_external_id)->not->toBe((string) $policy->external_id);

    $meta = is_array($item->meta_jsonb) ? $item->meta_jsonb : [];
    expect(data_get($meta, 'meta_contract.subject_external_id'))->toBeNull();
    expect(data_get($meta, 'evidence.observed_operation_run_id'))->toBeNull();
    expect(data_get($meta, 'evidence.policy_version_id'))->toBeNull();
});