<?php

declare(strict_types=1);

use App\Models\ProviderConnection;
use App\Models\ProviderCredential;
use App\Services\Providers\ProviderIdentityResolver;
use App\Support\Providers\ProviderConnectionType;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('exposes effective client identity and provider context without shared tenantContext naming', function (): void {
    config()->set('graph.client_id', 'platform-client-id');
    config()->set('graph.client_secret', 'platform-client-secret');
    config()->set('graph.managed_environment_id', 'platform-home-tenant-id');

    [, $tenant] = createUserWithTenant(role: 'owner', ensureDefaultMicrosoftProviderConnection: false);

    $connection = ProviderConnection::factory()->platform()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'managed_environment_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
        'entra_tenant_id' => '22222222-2222-2222-2222-222222222222',
    ]);

    $resolution = app(ProviderIdentityResolver::class)->resolve($connection->fresh(['tenant']));
    $providerContextDetails = collect($resolution->providerContext()['details']);

    expect($resolution->resolved)->toBeTrue()
        ->and($resolution->connectionType)->toBe(ProviderConnectionType::Platform)
        ->and(property_exists($resolution, 'tenantContext'))->toBeFalse()
        ->and($resolution->targetScopeIdentifier())->toBe('22222222-2222-2222-2222-222222222222')
        ->and($resolution->effectiveClientIdentity())->toBe([
            'client_id' => 'platform-client-id',
            'credential_source' => 'platform_config',
        ])
        ->and($providerContextDetails->contains(
            fn (array $detail): bool => ($detail['detail_key'] ?? null) === 'microsoft_tenant_id'
                && ($detail['detail_value'] ?? null) === '22222222-2222-2222-2222-222222222222',
        ))->toBeTrue();
});

it('keeps dedicated runtime secrets out of target scope and provider context', function (): void {
    $connection = ProviderConnection::factory()->dedicated()->create([
        'entra_tenant_id' => '33333333-3333-3333-3333-333333333333',
    ]);

    ProviderCredential::factory()->create([
        'provider_connection_id' => (int) $connection->getKey(),
        'payload' => [
            'client_id' => 'dedicated-client-id',
            'client_secret' => 'dedicated-client-secret',
        ],
    ]);

    $resolution = app(ProviderIdentityResolver::class)->resolve($connection->fresh(['tenant', 'credential']));
    $providerContextDetails = collect($resolution->providerContext()['details']);

    expect($resolution->resolved)->toBeTrue()
        ->and($resolution->targetScope?->toArray())->not->toHaveKey('client_secret')
        ->and($providerContextDetails->contains(
            fn (array $detail): bool => str_contains((string) ($detail['detail_value'] ?? ''), 'dedicated-client-secret'),
        ))->toBeFalse()
        ->and($resolution->effectiveClientId)->toBe('dedicated-client-id');
});