<?php

use Illuminate\Support\Collection;

function trustedStateFirstSliceSurfaces(): array
{
    return [
        'app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php',
        'app/Filament/Pages/TenantRequiredPermissions.php',
        'app/Filament/System/Pages/Ops/Runbooks.php',
    ];
}

it('does not introduce ad-hoc authorization patterns in app/Filament (allowlist-driven)', function () {
    $root = base_path();
    $self = realpath(__FILE__);

    $directories = [
        $root.'/app/Filament',
    ];

    $excludedPaths = [
        $root.'/vendor',
        $root.'/storage',
        $root.'/specs',
        $root.'/spechistory',
        $root.'/references',
        $root.'/public/build',
    ];

    $allowlist = [
        // NOTE: Shrink this list as files are migrated to UiEnforcement (Feature 066b).
        'app/Filament/Pages/ChooseTenant.php',
        'app/Filament/Pages/Tenancy/RegisterTenant.php',
        'app/Filament/Resources/BackupScheduleResource.php',
        'app/Filament/Resources/FindingResource.php',
        'app/Filament/Resources/FindingResource/Pages/ListFindings.php',
        'app/Filament/Resources/PolicyResource.php',
        'app/Filament/Resources/PolicyResource/Pages/ListPolicies.php',
        'app/Filament/Resources/PolicyResource/RelationManagers/VersionsRelationManager.php',
        'app/Filament/Resources/PolicyVersionResource.php',
        'app/Filament/Resources/TenantResource/RelationManagers/TenantMembershipsRelationManager.php',
        'app/Filament/System/Pages/Dashboard.php',
    ];

    $forbiddenPatterns = [
        '/\\bGate::\\b/',
        '/\\babort_(?:if|unless)\\b/',
    ];

    /** @var Collection<int, string> $files */
    $files = collect($directories)
        ->filter(fn (string $dir): bool => is_dir($dir))
        ->flatMap(function (string $dir): array {
            $iterator = new RecursiveIteratorIterator(
                new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
            );

            $paths = [];

            foreach ($iterator as $file) {
                if (! $file->isFile()) {
                    continue;
                }

                $path = $file->getPathname();

                if (! str_ends_with($path, '.php')) {
                    continue;
                }

                $paths[] = $path;
            }

            return $paths;
        })
        ->filter(function (string $path) use ($excludedPaths, $self): bool {
            if ($self && realpath($path) === $self) {
                return false;
            }

            foreach ($excludedPaths as $excluded) {
                if (str_starts_with($path, $excluded)) {
                    return false;
                }
            }

            return true;
        })
        ->values();

    $hits = [];

    foreach ($files as $path) {
        $relative = str_replace($root.'/', '', $path);

        if (in_array($relative, $allowlist, true)) {
            continue;
        }

        $contents = file_get_contents($path);

        if (! is_string($contents) || $contents === '') {
            continue;
        }

        foreach ($forbiddenPatterns as $pattern) {
            if (! preg_match($pattern, $contents)) {
                continue;
            }

            $lines = preg_split('/\R/', $contents) ?: [];

            foreach ($lines as $index => $line) {
                if (preg_match($pattern, $line)) {
                    $hits[] = $relative.':'.($index + 1).' -> '.trim($line);
                }
            }
        }
    }

    expect($hits)->toBeEmpty(
        "Ad-hoc Filament auth patterns found (remove allowlist entries as you migrate):\n".implode("\n", $hits)
    );
});

it('keeps shared tenant-owned helper entry points free of ad-hoc authorization patterns', function (): void {
    $sharedEntryPoints = [
        'app/Filament/Concerns/InteractsWithTenantOwnedRecords.php',
        'app/Filament/Concerns/ResolvesPanelTenantContext.php',
    ];

    $forbiddenPatterns = [
        '/\\bGate::\\b/',
        '/\\babort_(?:if|unless)\\b/',
    ];

    foreach ($sharedEntryPoints as $relativePath) {
        $contents = file_get_contents(base_path($relativePath));

        expect($contents)->not->toBeFalse();

        foreach ($forbiddenPatterns as $pattern) {
            expect(preg_match($pattern, (string) $contents))
                ->toBe(0, "Shared tenant-owned helper entry point should stay free of ad-hoc auth patterns: {$relativePath}");
        }
    }
});

it('keeps first-slice trusted-state surfaces inside the standard Filament auth scan', function (): void {
    $root = base_path();

    foreach (trustedStateFirstSliceSurfaces() as $relativePath) {
        expect(file_exists($root.'/'.$relativePath))->toBeTrue();
    }
});

it('keeps first-slice trusted-state surfaces free of broad ad-hoc authorization shortcuts', function (): void {
    $forbiddenPatterns = [
        '/\\bGate::\\b/',
        '/\\babort_(?:if|unless)\\b/',
    ];

    foreach (trustedStateFirstSliceSurfaces() as $relativePath) {
        $contents = file_get_contents(base_path($relativePath));

        expect($contents)->not->toBeFalse();

        foreach ($forbiddenPatterns as $pattern) {
            expect(preg_match($pattern, (string) $contents))
                ->toBe(0, "First-slice trusted-state surface should stay free of broad ad-hoc auth shortcuts: {$relativePath}");
        }
    }
});