<?php

use App\Jobs\CompareBaselineToTenantJob;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineSnapshotItem;
use App\Models\Finding;
use App\Models\InventoryItem;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Intune\AuditLogger;
use App\Services\OperationRunService;
use App\Support\Baselines\BaselineSubjectKey;
use App\Support\OperationRunType;

it('uses a stable recurrence key independent of hashes and snapshot id', function () {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
    ]);

    $displayName = 'Policy X';
    $subjectKey = BaselineSubjectKey::fromDisplayName($displayName);
    expect($subjectKey)->not->toBeNull();

    $workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId(
        policyType: 'deviceConfiguration',
        subjectKey: (string) $subjectKey,
    );

    $snapshot1 = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
        'captured_at' => now()->subMinutes(2),
    ]);

    BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot1->getKey(),
        'subject_type' => 'policy',
        'subject_external_id' => $workspaceSafeExternalId,
        'subject_key' => (string) $subjectKey,
        'policy_type' => 'deviceConfiguration',
        'baseline_hash' => hash('sha256', 'baseline-v1'),
        'meta_jsonb' => [
            'display_name' => $displayName,
            'evidence' => [
                'fidelity' => 'meta',
                'source' => 'inventory',
                'observed_at' => now()->toIso8601String(),
            ],
        ],
    ]);

    $snapshot2 = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
        'captured_at' => now()->subMinute(),
    ]);

    BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot2->getKey(),
        'subject_type' => 'policy',
        'subject_external_id' => $workspaceSafeExternalId,
        'subject_key' => (string) $subjectKey,
        'policy_type' => 'deviceConfiguration',
        'baseline_hash' => hash('sha256', 'baseline-v2'),
        'meta_jsonb' => [
            'display_name' => $displayName,
            'evidence' => [
                'fidelity' => 'meta',
                'source' => 'inventory',
                'observed_at' => now()->toIso8601String(),
            ],
        ],
    ]);

    $inventorySyncRun = createInventorySyncOperationRunWithCoverage(
        tenant: $tenant,
        statusByType: ['deviceConfiguration' => 'succeeded'],
    );

    InventoryItem::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'external_id' => 'policy-x-uuid',
        'policy_type' => 'deviceConfiguration',
        'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E_CURRENT_1'],
        'display_name' => $displayName,
        'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
        'last_seen_at' => now(),
    ]);

    $opService = app(OperationRunService::class);

    $run1 = $opService->ensureRunWithIdentity(
        tenant: $tenant,
        type: OperationRunType::BaselineCompare->value,
        identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
        context: [
            'baseline_profile_id' => (int) $profile->getKey(),
            'baseline_snapshot_id' => (int) $snapshot1->getKey(),
            'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
        ],
        initiator: $user,
    );

    $job = new CompareBaselineToTenantJob($run1);
    $job->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        $opService,
    );

    $finding = Finding::query()
        ->where('tenant_id', (int) $tenant->getKey())
        ->where('source', 'baseline.compare')
        ->sole();

    expect($finding->recurrence_key)->not->toBeNull();
    expect($finding->fingerprint)->toBe($finding->recurrence_key);
    expect($finding->times_seen)->toBe(1);

    $fingerprint = (string) $finding->fingerprint;

    // Retry the same run ID (job retry): times_seen MUST NOT increment twice for the same run.
    $job->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        $opService,
    );

    $finding->refresh();
    expect($finding->times_seen)->toBe(1);
    expect((string) $finding->fingerprint)->toBe($fingerprint);

    // Compare against a different baseline snapshot (hash changes), but recurrence identity stays stable.
    $run2 = $opService->ensureRunWithIdentity(
        tenant: $tenant,
        type: OperationRunType::BaselineCompare->value,
        identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
        context: [
            'baseline_profile_id' => (int) $profile->getKey(),
            'baseline_snapshot_id' => (int) $snapshot2->getKey(),
            'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
        ],
        initiator: $user,
    );

    (new CompareBaselineToTenantJob($run2))->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        $opService,
    );

    $finding->refresh();
    expect((string) $finding->fingerprint)->toBe($fingerprint);
    expect($finding->times_seen)->toBe(2);
});