<?php

declare(strict_types=1);

use App\Services\TenantConfiguration\EntraCoverageComparator;
use App\Services\TenantConfiguration\EntraRenderableSummaryBuilder;

it('Spec421 keeps secret-bearing values out of render and compare output', function (): void {
    $payload = [
        'id' => 'cap-1',
        'displayName' => 'Require MFA',
        'state' => 'enabled',
        'conditions' => ['users' => ['includeUsers' => ['All']]],
        'grantControls' => ['builtInControls' => ['mfa']],
        'clientSecret' => 'spec421-client-secret',
        'privateKey' => 'spec421-private-key',
        'headers' => ['Authorization' => 'Bearer spec421-token'],
        'cookies' => ['set-cookie' => 'spec421-cookie'],
        'auditMetadata' => ['raw_payload' => ['secret' => 'spec421-audit-secret']],
        'operationRunContext' => ['access_token' => 'spec421-run-token'],
    ];

    $summary = app(EntraRenderableSummaryBuilder::class)->build('conditionalAccessPolicy', $payload);
    $compare = app(EntraCoverageComparator::class)->compare('conditionalAccessPolicy', $payload, [
        ...$payload,
        'modifiedDateTime' => '2026-06-27T12:00:00Z',
    ]);
    $encoded = json_encode([$summary, $compare], JSON_THROW_ON_ERROR);

    expect($encoded)->not->toContain('spec421-client-secret')
        ->and($encoded)->not->toContain('spec421-private-key')
        ->and($encoded)->not->toContain('spec421-token')
        ->and($encoded)->not->toContain('spec421-cookie')
        ->and($encoded)->not->toContain('spec421-audit-secret')
        ->and($encoded)->not->toContain('spec421-run-token')
        ->and($summary['redacted_fields'])->toContain('clientSecret', 'privateKey', 'headers.Authorization', 'cookies', 'auditMetadata.raw_payload.secret', 'operationRunContext.access_token');
});