<?php

declare(strict_types=1);

use App\Filament\Resources\ProviderConnectionResource;
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\User;
use App\Support\Workspaces\WorkspaceContext;

it('Spec081 returns 404 for non-members on provider connection management routes', function (): void {
    $tenant = Tenant::factory()->create([
        'status' => 'active',
    ]);

    $connection = ProviderConnection::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
    ]);

    $user = User::factory()->create();

    $this->actingAs($user)
        ->withSession([
            WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id,
        ])
        ->get(ProviderConnectionResource::getUrl('edit', ['record' => $connection], tenant: $tenant))
        ->assertNotFound();
});

it('Spec081 returns 403 for members without provider manage capability', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $this->actingAs($user)
        ->withSession([
            WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id,
        ])
        ->get(ProviderConnectionResource::getUrl('index', tenant: $tenant))
        ->assertOk();

    $this->actingAs($user)
        ->withSession([
            WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id,
        ])
        ->get(ProviderConnectionResource::getUrl('create', tenant: $tenant))
        ->assertForbidden();
});