<?php

use App\Filament\Pages\BaselineCompareLanding;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineTenantAssignment;
use App\Models\Finding;
use App\Models\OperationRun;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\OperationRunType;
use Filament\Facades\Filament;
use Livewire\Livewire;

it('shows RBAC-specific baseline compare labels and assignment exclusion messaging', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');
    $this->actingAs($user);

    $tenant->makeCurrent();
    Filament::setTenant($tenant, true);

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'name' => 'RBAC Baseline',
        'scope_jsonb' => [
            'policy_types' => [],
            'foundation_types' => ['intuneRoleDefinition'],
        ],
    ]);

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
    ]);

    $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);

    BaselineTenantAssignment::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'tenant_id' => (int) $tenant->getKey(),
        'baseline_profile_id' => (int) $profile->getKey(),
    ]);

    OperationRun::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'type' => OperationRunType::BaselineCompare->value,
        'status' => OperationRunStatus::Completed->value,
        'outcome' => OperationRunOutcome::Succeeded->value,
        'completed_at' => now(),
        'context' => [
            'baseline_profile_id' => (int) $profile->getKey(),
            'baseline_snapshot_id' => (int) $snapshot->getKey(),
            'baseline_compare' => [
                'reason_code' => 'drift_detected',
                'rbac_role_definitions' => [
                    'total_compared' => 4,
                    'unchanged' => 1,
                    'modified' => 1,
                    'missing' => 1,
                    'unexpected' => 1,
                ],
                'coverage' => [
                    'effective_types' => ['intuneRoleDefinition'],
                    'covered_types' => ['intuneRoleDefinition'],
                    'uncovered_types' => [],
                    'proof' => true,
                ],
                'fidelity' => 'content',
            ],
        ],
    ]);

    Finding::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'finding_type' => Finding::FINDING_TYPE_DRIFT,
        'source' => 'baseline.compare',
        'scope_key' => 'baseline_profile:'.$profile->getKey(),
        'severity' => Finding::SEVERITY_HIGH,
        'status' => Finding::STATUS_NEW,
        'subject_type' => 'policy',
        'subject_external_id' => 'rbac-role-1',
        'evidence_fidelity' => 'content',
        'evidence_jsonb' => [
            'change_type' => 'different_version',
            'policy_type' => 'intuneRoleDefinition',
            'subject_key' => hash('sha256', 'intuneRoleDefinition|rbac-role-1'),
            'display_name' => 'Security Reader',
            'summary' => [
                'kind' => 'rbac_role_definition',
            ],
            'baseline' => ['policy_version_id' => 10],
            'current' => ['policy_version_id' => 11],
            'rbac_role_definition' => [
                'diff_kind' => 'permission_change',
            ],
            'fidelity' => 'content',
            'provenance' => [
                'baseline_profile_id' => (int) $profile->getKey(),
                'baseline_snapshot_id' => (int) $snapshot->getKey(),
                'compare_operation_run_id' => 1,
                'inventory_sync_run_id' => 1,
            ],
        ],
    ]);

    Livewire::test(BaselineCompareLanding::class)
        ->assertSee('Intune RBAC Role Definitions')
        ->assertSee('Compared')
        ->assertSee('Modified')
        ->assertSee('Missing')
        ->assertSee('Unexpected')
        ->assertSee('Role Assignments are not included')
        ->assertDontSee('RBAC restore');
});