<?php

declare(strict_types=1);

use App\Models\ManagedEnvironment;
use App\Models\ManagedEnvironmentMembership;
use App\Models\ProviderConnection;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Services\Auth\ManagedEnvironmentAccessScopeResolver;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Support\Facades\Gate;

it('authorizes provider connections from workspace role without environment membership rows', function (): void {
    $workspace = Workspace::factory()->create();
    $tenant = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => (int) $workspace->getKey(),
    ]);
    $user = User::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'operator',
    ]);

    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'managed_environment_id' => (int) $tenant->getKey(),
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    expect(Gate::forUser($user)->allows('view', $connection))->toBeTrue();
});

it('denies out-of-scope provider connections as not found before capability checks', function (): void {
    $workspace = Workspace::factory()->create();
    $allowedTenant = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => (int) $workspace->getKey(),
    ]);
    $deniedTenant = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => (int) $workspace->getKey(),
    ]);
    $user = User::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'operator',
    ]);
    ManagedEnvironmentMembership::query()->create([
        'managed_environment_id' => (int) $allowedTenant->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'operator',
        'source' => 'manual',
    ]);
    app(ManagedEnvironmentAccessScopeResolver::class)->clearCache();

    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'managed_environment_id' => (int) $deniedTenant->getKey(),
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    $response = Gate::forUser($user)->inspect('view', $connection);

    expect($response->denied())->toBeTrue()
        ->and($response->status())->toBe(404);
});

it('keeps in-scope capability denials distinct from not-found boundaries', function (): void {
    $workspace = Workspace::factory()->create();
    $tenant = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => (int) $workspace->getKey(),
    ]);
    $user = User::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'readonly',
    ]);

    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'managed_environment_id' => (int) $tenant->getKey(),
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    $response = Gate::forUser($user)->inspect('update', $connection);

    expect($response->denied())->toBeTrue()
        ->and($response->status())->not->toBe(404);
});