<?php

declare(strict_types=1);

use App\Filament\Pages\Monitoring\FindingExceptionsQueue;
use App\Models\Finding;
use App\Models\FindingException;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use Filament\Facades\Filament;
use Livewire\Livewire;
use App\Support\Workspaces\WorkspaceContext;

it('returns 404 for non-members on representative action-surface route', function (): void {
    $workspaceA = Workspace::factory()->create();
    $workspaceB = Workspace::factory()->create();

    $user = User::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspaceA->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'owner',
    ]);

    $tenantB = Tenant::factory()->create([
        'workspace_id' => (int) $workspaceB->getKey(),
    ]);

    $runB = OperationRun::factory()->create([
        'tenant_id' => (int) $tenantB->getKey(),
        'workspace_id' => (int) $workspaceB->getKey(),
        'type' => 'policy.sync',
        'status' => 'queued',
        'outcome' => 'pending',
    ]);

    $this->actingAs($user)
        ->withSession([WorkspaceContext::SESSION_KEY => (int) $workspaceA->getKey()])
        ->get(route('admin.operations.view', ['run' => (int) $runB->getKey()]))
        ->assertNotFound();
});

it('keeps queue approval and rejection actions behind the approval capability', function (): void {
    [$approver, $tenant] = createUserWithTenant(role: 'owner', workspaceRole: 'manager');

    $readonly = User::factory()->create();
    createUserWithTenant(tenant: $tenant, user: $readonly, role: 'readonly', workspaceRole: 'readonly');

    $finding = Finding::factory()->for($tenant)->create();

    $exception = FindingException::query()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'tenant_id' => (int) $tenant->getKey(),
        'finding_id' => (int) $finding->getKey(),
        'requested_by_user_id' => (int) $approver->getKey(),
        'owner_user_id' => (int) $approver->getKey(),
        'status' => FindingException::STATUS_PENDING,
        'current_validity_state' => FindingException::VALIDITY_MISSING_SUPPORT,
        'request_reason' => 'Authorization continuity test',
        'requested_at' => now()->subDay(),
        'review_due_at' => now()->addDay(),
        'evidence_summary' => ['reference_count' => 0],
    ]);

    $this->actingAs($approver);
    Filament::setCurrentPanel('admin');
    Filament::setTenant(null, true);
    Filament::bootCurrentPanel();
    session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);

    Livewire::withQueryParams([
        'exception' => (int) $exception->getKey(),
    ])
        ->actingAs($approver)
        ->test(FindingExceptionsQueue::class)
        ->assertActionVisible('approve_selected_exception')
        ->assertActionVisible('reject_selected_exception');

    $this->actingAs($readonly)
        ->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
        ->get(FindingExceptionsQueue::getUrl(panel: 'admin'))
        ->assertForbidden();
});