<?php

declare(strict_types=1);

/**
 * CI guard: prevent new ad-hoc auth patterns in Filament.
 *
 * Rationale:
 * - We want UiEnforcement (and centralized RBAC services) to be the default.
 * - Gate::allows/denies, abort_if/unless, and similar ad-hoc patterns tend to drift.
 * - We allowlist legacy files so CI only fails on NEW violations.
 *
 * If you migrate a legacy file to UiEnforcement, remove it from the allowlist.
 */
describe('Filament auth guard (no new ad-hoc patterns)', function () {
    it('fails if new files introduce forbidden auth patterns under app/Filament/**', function () {
        $filamentDir = base_path('app/Filament');

        expect(is_dir($filamentDir))->toBeTrue("Filament directory not found: {$filamentDir}");

        /**
         * Legacy allowlist: these files currently contain forbidden patterns.
         *
         * IMPORTANT:
         * - Do NOT add new entries casually.
         * - The goal is to shrink this list over time.
         *
         * Paths are workspace-relative (e.g. app/Filament/Resources/Foo.php).
         */
        $legacyAllowlist = [
            // Pages (page-level authorization or legacy patterns)
        ];

        $patterns = [
            // Gate facade usage
            '/\\bGate::(allows|denies|check|authorize)\\b/',
            '/^\\s*use\\s+Illuminate\\\\Support\\\\Facades\\\\Gate\\s*;\\s*$/m',

            // Ad-hoc abort helpers
            '/\\babort_(if|unless)\\s*\\(/',
        ];

        $iterator = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($filamentDir, RecursiveDirectoryIterator::SKIP_DOTS)
        );

        /** @var array<string, array<int, string>> $violations */
        $violations = [];

        foreach ($iterator as $file) {
            if ($file->getExtension() !== 'php') {
                continue;
            }

            $absolutePath = $file->getPathname();
            $relativePath = str_replace(base_path().DIRECTORY_SEPARATOR, '', $absolutePath);
            $relativePath = str_replace(DIRECTORY_SEPARATOR, '/', $relativePath);

            if (in_array($relativePath, $legacyAllowlist, true)) {
                continue;
            }

            $content = file_get_contents($absolutePath);
            if (! is_string($content)) {
                continue;
            }

            $lines = preg_split('/\\R/', $content) ?: [];

            foreach ($lines as $lineNumber => $line) {
                foreach ($patterns as $pattern) {
                    if (preg_match($pattern, $line) === 1) {
                        $violations[$relativePath][] = ($lineNumber + 1).': '.trim($line);
                    }
                }
            }
        }

        if ($violations !== []) {
            $messageLines = [
                'Forbidden ad-hoc auth patterns detected in app/Filament/**.',
                'Migrate to UiEnforcement (preferred) or add a justified temporary entry to the legacy allowlist.',
                '',
            ];

            foreach ($violations as $path => $hits) {
                $messageLines[] = $path;
                foreach ($hits as $hit) {
                    $messageLines[] = '  - '.$hit;
                }
            }

            expect($violations)->toBeEmpty(implode("\n", $messageLines));
        }

        expect(true)->toBeTrue();
    });
});