<?php

declare(strict_types=1);

use App\Services\TenantConfiguration\CoverageIdentityStrategyRegistry;

it('Spec417 defines canonical identity strategies for the initial Coverage v2 resource types', function (): void {
    $strategies = app(CoverageIdentityStrategyRegistry::class)->strategies();

    expect(array_keys($strategies))->toBe([
        'deviceAndAppManagementAssignmentFilter',
        'deviceEnrollmentLimitRestriction',
        'deviceEnrollmentPlatformRestriction',
        'deviceEnrollmentStatusPageWindows10',
        'appProtectionPolicyAndroid',
        'appProtectionPolicyiOS',
        'conditionalAccessPolicy',
        'notificationMessageTemplate',
        'roleScopeTag',
    ]);

    foreach ($strategies as $canonicalType => $strategy) {
        expect($strategy['strategy_identifier'])->toBeString()->not->toBe('')
            ->and($strategy['preferred_identity_fields'])->toBeArray()->not->toBeEmpty()
            ->and($strategy['display_fields'])->toContain('displayName')
            ->and($strategy['requires_provider_connection_scope'])->toBeTrue()
            ->and($strategy['derived_claims_allowed'])->toBeFalse("{$canonicalType} must not certify derived identity by default");
    }
});

it('Spec417 keeps beta identity experimental and claim-blocked by default', function (): void {
    $strategy = app(CoverageIdentityStrategyRegistry::class)->strategies()['roleScopeTag'];

    expect($strategy['allows_experimental_identity'])->toBeTrue()
        ->and($strategy['allows_derived_identity'])->toBeTrue()
        ->and($strategy['derived_claims_allowed'])->toBeFalse();
});