<?php

declare(strict_types=1);

use App\Services\TenantConfiguration\ClaimGuard;
use App\Support\TenantConfiguration\ClaimState;
use App\Support\TenantConfiguration\CoverageLevel;
use App\Support\TenantConfiguration\IdentityState;
use App\Support\TenantConfiguration\RestoreTier;
use App\Support\TenantConfiguration\SourceClass;

it('Spec420 blocks broad Microsoft 365 customer-facing claims', function (string $claim): void {
    expect(app(ClaimGuard::class)->evaluateStatement($claim))->toBe(ClaimState::ClaimBlocked);
})->with([
    'M365 coverage is certified',
    'Microsoft 365 restore-ready coverage',
    'Complete tenant coverage',
    'All M365 resources are supported',
    '100 percent coverage',
]);

it('Spec420 blocks unsafe Conditional Access customer claims when identity is not stable', function (IdentityState $identityState): void {
    $state = app(ClaimGuard::class)->evaluate(
        scopeKey: 'm365_tcm_registry_detected',
        requestedLevel: CoverageLevel::ContentBacked,
        actualLevel: CoverageLevel::ContentBacked,
        scopeComplete: false,
        customerFacing: true,
        customerClaimsAllowed: false,
        sourceClass: SourceClass::Tcm,
        restoreTier: RestoreTier::NotRestorable,
        identityState: $identityState,
        allowsDerivedIdentityClaims: false,
    );

    expect($state)->toBe(ClaimState::ClaimBlocked);
})->with([
    'missing external id' => [IdentityState::MissingExternalId],
    'unsupported identity' => [IdentityState::UnsupportedIdentity],
    'identity conflict' => [IdentityState::IdentityConflict],
    'derived identity' => [IdentityState::Derived],
]);