<?php

declare(strict_types=1);

use App\Models\PlatformUser;
use App\Models\User;
use App\Support\Auth\PlatformCapabilities;
use Filament\PanelRegistry;

it('keeps platform users scoped to the system panel contract', function (): void {
    $platformUser = PlatformUser::factory()->make([
        'capabilities' => [PlatformCapabilities::ACCESS_SYSTEM_PANEL],
    ]);

    expect($platformUser->canAccessPanel(app(PanelRegistry::class)->get('system')))->toBeTrue()
        ->and($platformUser->canAccessPanel(app(PanelRegistry::class)->get('admin')))->toBeFalse();
});

it('denies ordinary workspace users on system panel routes as not found', function (): void {
    [$user] = createUserWithTenant(role: 'owner');

    $this->actingAs($user)
        ->get('/system')
        ->assertNotFound();

    $this->actingAs($user)
        ->get('/system/directory/workspaces')
        ->assertNotFound();
});

it('keeps missing system capability as forbidden for platform users', function (): void {
    $platformUser = PlatformUser::factory()->create([
        'capabilities' => [],
        'is_active' => true,
    ]);

    $this->actingAs($platformUser, 'platform')
        ->get('/system')
        ->assertForbidden();
});