<?php

declare(strict_types=1);

use App\Models\ProviderConnection;
use App\Support\Providers\ProviderReasonCodes;
use App\Support\Verification\VerificationAssistViewModelBuilder;
use App\Support\Verification\VerificationReportWriter;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('adds capability-first guidance to managed tenant onboarding permission assist', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner', ensureDefaultMicrosoftProviderConnection: false);

    $connection = ProviderConnection::factory()->consentGranted()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'managed_environment_id' => (int) $tenant->getKey(),
        'entra_tenant_id' => (string) $tenant->managed_environment_id,
        'provider' => 'microsoft',
        'verification_status' => 'blocked',
    ]);

    $report = VerificationReportWriter::build('provider.connection.check', [[
        'key' => 'permissions.directory_groups',
        'title' => 'Directory & group read access',
        'status' => 'fail',
        'severity' => 'critical',
        'blocking' => true,
        'reason_code' => ProviderReasonCodes::ProviderPermissionMissing,
        'message' => 'Missing required provider permissions.',
        'evidence' => [],
        'next_steps' => [],
    ]]);

    $assist = app(VerificationAssistViewModelBuilder::class)->build(
        tenant: $tenant,
        verificationReport: $report,
        providerConnection: $connection,
        verificationStatus: 'blocked',
    );

    expect(data_get($assist, 'overview.capability_groups'))->toBeArray()
        ->and(data_get($assist, 'overview.primary_capability_group.label'))->toBeString()
        ->and(collect(data_get($assist, 'overview.capability_groups'))->pluck('label')->all())
        ->toContain('Directory groups read');
});