<?php

declare(strict_types=1);

use App\Models\OnboardingEvidence;
use App\Models\Tenant;
use App\Services\Onboarding\OnboardingEvidenceWriter;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('records sanitized evidence message and payload', function (): void {
    $tenant = Tenant::factory()->create();

    $writer = app(OnboardingEvidenceWriter::class);

    $evidence = $writer->record(
        tenant: $tenant,
        taskType: 'onboarding.permissions.verify',
        status: 'fail',
        reasonCode: 'invalid_client',
        message: 'Authorization: Bearer abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz',
        payload: [
            'access_token' => 'super-secret-token',
            'nested' => [
                'client_secret' => 'dont-store-this',
                'detail' => 'user@example.com',
            ],
        ],
    );

    expect($evidence)->toBeInstanceOf(OnboardingEvidence::class);
    expect($evidence->tenant_id)->toBe($tenant->getKey());

    expect($evidence->reason_code)->toBe('provider_auth_failed');
    expect($evidence->message)->toContain('[REDACTED_AUTH]');

    expect($evidence->payload['access_token'])->toBe('[REDACTED]');
    expect($evidence->payload['nested']['client_secret'])->toBe('[REDACTED]');
    expect($evidence->payload['nested']['detail'])->toBe('[REDACTED_EMAIL]');
});