<?php

use App\Models\AuditLog;
use App\Models\Tenant;
use App\Models\User;
use App\Services\TenantOnboardingAuditService;
use App\Support\Audit\AuditActions;

it('logs credential updates without storing secrets', function () {
    $tenant = Tenant::factory()->create();
    $actor = User::factory()->create();

    $service = app(TenantOnboardingAuditService::class);

    $service->credentialsUpdated($tenant, $actor, [
        'app_client_id_set' => true,
        'client_secret' => 'should-not-be-stored',
    ]);

    $audit = AuditLog::query()->latest('id')->firstOrFail();

    expect($audit->action)->toBe(AuditActions::TENANT_ONBOARDING_CREDENTIALS_UPDATED);
    expect($audit->tenant_id)->toBe($tenant->id);
    expect($audit->actor_id)->toBe($actor->id);
    expect($audit->metadata)->toMatchArray([
        'app_client_id_set' => true,
    ]);
    expect($audit->metadata)->not->toHaveKey('client_secret');
});

it('logs onboarding completion with a stable action id', function () {
    $tenant = Tenant::factory()->create();
    $actor = User::factory()->create();

    $service = app(TenantOnboardingAuditService::class);

    $service->onboardingCompleted($tenant, $actor, [
        'onboarding_status' => 'completed',
    ]);

    $audit = AuditLog::query()->latest('id')->firstOrFail();

    expect($audit->action)->toBe(AuditActions::TENANT_ONBOARDING_COMPLETED);
    expect($audit->metadata['onboarding_status'])->toBe('completed');
});