<?php

declare(strict_types=1);

use App\Models\ProviderConnection;
use App\Models\TenantConfigurationResource;
use App\Services\Graph\GraphClientInterface;
use App\Services\Graph\GraphResponse;
use App\Services\TenantConfiguration\GenericContentEvidenceCaptureService;
use App\Services\TenantConfiguration\ResourceTypeRegistry;
use App\Support\TenantConfiguration\ClaimState;

it('Spec420 captured generic M365 evidence remains internal-only and not customer-ready', function (): void {
    app(ResourceTypeRegistry::class)->syncDefaults();

    [$user, $environment] = createMinimalUserWithTenant(role: 'owner');
    $connection = ProviderConnection::factory()->withCredential()->create([
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
    ]);
    app()->instance(GraphClientInterface::class, spec420NoOverclaimGraphClient());

    $run = spec420NoOverclaimRun($user, $environment, $connection);

    app(GenericContentEvidenceCaptureService::class)->capture(
        tenant: $environment,
        providerConnection: $connection,
        operationRun: $run,
        canonicalTypes: ['conditionalAccessPolicy'],
    );

    $resource = TenantConfigurationResource::query()->sole();

    expect($resource->latest_claim_state)->toBe(ClaimState::InternalOnly)
        ->and($resource->source_metadata['source_contract_key'])->toBe('conditionalAccessPolicy')
        ->and($resource->source_metadata)->not->toHaveKey('certified')
        ->and($resource->source_metadata)->not->toHaveKey('restore_ready')
        ->and($resource->source_metadata)->not->toHaveKey('customer_ready');
});

function spec420NoOverclaimGraphClient(): GraphClientInterface
{
    return new class implements GraphClientInterface
    {
        public function listPolicies(string $policyType, array $options = []): GraphResponse
        {
            return new GraphResponse(true, [
                ['id' => 'cap-1', 'displayName' => 'Require MFA'],
            ]);
        }

        public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse
        {
            return new GraphResponse(false, [], 501);
        }

        public function getOrganization(array $options = []): GraphResponse
        {
            return new GraphResponse(false, [], 501);
        }

        public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse
        {
            return new GraphResponse(false, [], 501);
        }

        public function getServicePrincipalPermissions(array $options = []): GraphResponse
        {
            return new GraphResponse(false, [], 501);
        }

        public function request(string $method, string $path, array $options = []): GraphResponse
        {
            return new GraphResponse(false, [], 501);
        }
    };
}

function spec420NoOverclaimRun($user, $environment, ProviderConnection $connection): \App\Models\OperationRun
{
    return \App\Models\OperationRun::factory()->withUser($user)->forTenant($environment)->create([
        'type' => \App\Support\OperationRunType::TenantConfigurationCapture->value,
        'status' => \App\Support\OperationRunStatus::Queued->value,
        'outcome' => \App\Support\OperationRunOutcome::Pending->value,
        'context' => [
            'target_scope' => [
                'workspace_id' => (int) $environment->workspace_id,
                'managed_environment_id' => (int) $environment->getKey(),
                'provider_connection_id' => (int) $connection->getKey(),
            ],
            'resource_types' => ['conditionalAccessPolicy'],
            'required_capability' => 'evidence.manage',
        ],
    ]);
}