<?php

declare(strict_types=1);

use App\Filament\Resources\EvidenceSnapshotResource;
use App\Filament\Resources\FindingResource;
use App\Filament\Resources\InventoryItemResource;
use App\Filament\Resources\StoredReportResource;
use App\Filament\Resources\TenantReviewResource;
use App\Models\Finding;
use App\Models\InventoryItem;
use App\Models\ManagedEnvironment;
use App\Models\StoredReport;
use App\Support\Workspaces\WorkspaceContext;

it('renders descriptor-first artifact source sections before provider details', function (): void {
    [$user, $tenant] = createUserWithTenant(ensureDefaultMicrosoftProviderConnection: true);
    $connection = $tenant->providerConnections()->where('provider', 'microsoft')->where('is_default', true)->firstOrFail();

    $finding = Finding::factory()->create([
        'managed_environment_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'subject_external_id' => 'compliance-policy-1',
        'evidence_jsonb' => [
            'provider_connection_id' => (int) $connection->getKey(),
            'policy_type' => 'deviceCompliancePolicy',
            'policy_id' => 'compliance-policy-1',
        ],
    ]);
    $inventory = InventoryItem::factory()->create([
        'managed_environment_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'policy_type' => 'deviceCompliancePolicy',
        'display_name' => 'Compliance Inventory',
    ]);
    $report = StoredReport::factory()->permissionPosture([
        'provider_connection_id' => (int) $connection->getKey(),
    ])->create([
        'managed_environment_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
    ]);
    $snapshot = seedTenantReviewEvidence($tenant, findingCount: 1, driftCount: 1);
    $review = composeTenantReviewForTest($tenant, $user, $snapshot);

    $this->actingAs($user)
        ->get(FindingResource::getUrl('view', ['record' => $finding], tenant: $tenant))
        ->assertOk()
        ->assertSeeInOrder(['Artifact source', 'Source family', 'Finding', 'Provider object type', 'Finding'])
        ->assertSee('Provider finding type');

    $this->actingAs($user)
        ->get(InventoryItemResource::getUrl('view', ['record' => $inventory], tenant: $tenant))
        ->assertOk()
        ->assertSeeInOrder(['Artifact source', 'Source family', 'Inventory', 'Inventory Item', 'Canonical type', 'Endpoint Compliance Policy'])
        ->assertSee('Provider display type')
        ->assertSee('Legacy policy type');

    $this->actingAs($user)
        ->get(StoredReportResource::getUrl('view', ['record' => $report], tenant: $tenant))
        ->assertOk()
        ->assertSeeInOrder(['Outcome summary', 'Artifact source', 'Source family', 'Stored Report', 'Stored report', 'Provider report type'])
        ->assertSee('Permission posture summary');

    $this->actingAs($user)
        ->get(EvidenceSnapshotResource::getUrl('view', ['record' => $snapshot], tenant: $tenant))
        ->assertOk()
        ->assertSeeInOrder(['Evidence dimensions', 'Source family', 'Source kind', 'Source target'])
        ->assertSee('Artifact source')
        ->assertSee('Provider source detail');

    $this->actingAs($user)
        ->get(TenantReviewResource::getUrl('view', ['record' => $review], tenant: $tenant))
        ->assertOk()
        ->assertSee('Artifact source')
        ->assertSee('Source family')
        ->assertSee('Source kind')
        ->assertSee('Source target');
});

it('preserves inherited tenant boundary and capability responses on descriptor-first surfaces', function (): void {
    $tenant = ManagedEnvironment::factory()->create();
    [$owner, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
    $finding = Finding::factory()->create([
        'managed_environment_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
    ]);
    [$outsider] = createUserWithTenant(role: 'owner');

    $this->actingAs($outsider)
        ->get(FindingResource::getUrl('view', ['record' => $finding], tenant: $tenant))
        ->assertNotFound();

    $this->actingAs($owner)
        ->withSession([
            WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id,
            WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY => [
                (string) $tenant->workspace_id => (int) $tenant->getKey(),
            ],
        ])
        ->get(FindingResource::getUrl('view', ['record' => $finding], tenant: $tenant))
        ->assertOk()
        ->assertSee('Artifact source');
});