<?php

declare(strict_types=1);

use App\Services\TenantConfiguration\EntraRenderableSummaryBuilder;

it('Spec421 renders operator-safe Conditional Access summaries without raw payload dependency', function (): void {
    $summary = app(EntraRenderableSummaryBuilder::class)->build('conditionalAccessPolicy', [
        'id' => 'cap-1',
        'displayName' => 'Require MFA',
        'state' => 'enabled',
        'conditions' => [
            'users' => [
                'includeUsers' => ['All'],
                'excludeUsers' => ['break-glass-user'],
            ],
            'applications' => ['includeApplications' => ['Office365']],
            'clientAppTypes' => ['browser', 'mobileAppsAndDesktopClients'],
        ],
        'grantControls' => [
            'operator' => 'OR',
            'builtInControls' => ['mfa'],
        ],
        'sessionControls' => [
            'signInFrequency' => ['value' => 8, 'type' => 'hours', 'isEnabled' => true],
        ],
    ], [
        'claim_state' => 'internal_only',
        'identity_state' => 'stable',
        'last_captured' => 'Jun 27, 2026 10:00 AM',
    ]);
    $encoded = json_encode($summary, JSON_THROW_ON_ERROR);

    expect($summary)->not->toBeNull()
        ->and($summary['resource_type'])->toBe('Conditional Access policy')
        ->and($summary['display_name'])->toBe('Require MFA')
        ->and($summary['state'])->toBe('enabled')
        ->and($summary['grant_controls'])->toContain('mfa')
        ->and($summary['session_controls'])->toContain('Sign In Frequency')
        ->and($encoded)->toContain('Office365')
        ->and($encoded)->not->toContain('raw_payload')
        ->and($encoded)->not->toContain('source_endpoint');
});