<?php

declare(strict_types=1);

use App\Models\Finding;
use App\Models\OperationRun;
use App\Models\StoredReport;
use App\Models\User;
use App\Services\Evidence\EvidenceSnapshotService;
use App\Services\Findings\FindingExceptionService;
use App\Services\Findings\FindingRiskGovernanceResolver;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('counts only valid governed accepted risk in the findings summary evidence payload', function (): void {
    [$requester, $tenant] = createUserWithTenant(role: 'owner');
    $approver = User::factory()->create();
    createUserWithTenant(tenant: $tenant, user: $approver, role: 'owner', workspaceRole: 'manager');

    StoredReport::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'report_type' => StoredReport::REPORT_TYPE_PERMISSION_POSTURE,
    ]);

    StoredReport::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'report_type' => StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
    ]);

    OperationRun::factory()->forTenant($tenant)->create();

    /** @var FindingExceptionService $exceptionService */
    $exceptionService = app(FindingExceptionService::class);

    $createApprovedException = function (Finding $finding, string $expiresAt) use ($exceptionService, $requester, $tenant, $approver): Finding {
        $requested = $exceptionService->request($finding, $tenant, $requester, [
            'owner_user_id' => (int) $requester->getKey(),
            'request_reason' => 'Temporary exception',
            'review_due_at' => now()->addDays(5)->toDateTimeString(),
            'expires_at' => now()->addDays(14)->toDateTimeString(),
        ]);

        $exceptionService->approve($requested, $approver, [
            'effective_from' => now()->subDays(10)->toDateTimeString(),
            'expires_at' => $expiresAt,
            'approval_reason' => 'Approved with controls',
        ]);

        return $finding;
    };

    $validFinding = $createApprovedException(
        Finding::factory()->for($tenant)->create(['status' => Finding::STATUS_RISK_ACCEPTED]),
        now()->addDays(14)->toDateTimeString(),
    );

    $expiredFinding = $createApprovedException(
        Finding::factory()->for($tenant)->create(['status' => Finding::STATUS_RISK_ACCEPTED]),
        now()->subDay()->toDateTimeString(),
    );

    app(FindingRiskGovernanceResolver::class)->syncExceptionState($expiredFinding->findingException()->firstOrFail());

    $revokedFinding = $createApprovedException(
        Finding::factory()->for($tenant)->create(['status' => Finding::STATUS_RISK_ACCEPTED]),
        now()->addDays(14)->toDateTimeString(),
    );

    $exceptionService->revoke($revokedFinding->findingException()->firstOrFail(), $requester, [
        'revocation_reason' => 'Controls removed',
    ]);

    $missingFinding = Finding::factory()->for($tenant)->create([
        'status' => Finding::STATUS_RISK_ACCEPTED,
    ]);

    Finding::factory()->for($tenant)->create([
        'status' => Finding::STATUS_REOPENED,
    ]);

    /** @var EvidenceSnapshotService $snapshotService */
    $snapshotService = app(EvidenceSnapshotService::class);
    $payload = $snapshotService->buildSnapshotPayload($tenant);

    $findingsItem = collect($payload['items'])->firstWhere('dimension_key', 'findings_summary');
    $summary = $findingsItem['summary_payload']['risk_acceptance'] ?? null;
    $entries = collect($findingsItem['summary_payload']['entries'] ?? []);

    expect($summary)->toBe([
        'status_marked_count' => 4,
        'valid_governed_count' => 1,
        'warning_count' => 3,
        'expired_count' => 1,
        'revoked_count' => 1,
        'missing_exception_count' => 1,
    ]);

    expect($entries->firstWhere('id', (int) $validFinding->getKey())['governance_state'] ?? null)
        ->toBe('valid_exception')
        ->and($entries->firstWhere('id', (int) $expiredFinding->getKey())['governance_state'] ?? null)->toBe('expired_exception')
        ->and($entries->firstWhere('id', (int) $revokedFinding->getKey())['governance_state'] ?? null)->toBe('revoked_exception')
        ->and($entries->firstWhere('id', (int) $missingFinding->getKey())['governance_state'] ?? null)->toBe('risk_accepted_without_valid_exception');
});