<?php

declare(strict_types=1);

use App\Filament\Resources\FindingResource\Pages\ListFindings;
use App\Jobs\BackfillFindingLifecycleJob;
use App\Models\AuditLog;
use App\Models\Finding;
use App\Models\OperationalControlActivation;
use App\Models\OperationRun;
use App\Support\Audit\AuditActionId;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Queue;
use Livewire\Livewire;

uses(RefreshDatabase::class);

it('keeps the findings backfill action visible but blocks execution when a control is active', function (): void {
    Queue::fake();

    [$user, $tenant] = createUserWithTenant(role: 'owner');

    Finding::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'due_at' => null,
    ]);

    OperationalControlActivation::factory()->workspaceScoped()->create([
        'control_key' => 'findings.lifecycle.backfill',
        'workspace_id' => (int) $tenant->workspace_id,
        'reason_text' => 'Workspace-specific pause.',
    ]);

    $this->actingAs($user);
    Filament::setTenant($tenant, true);

    Livewire::test(ListFindings::class)
        ->assertActionExists('backfill_lifecycle')
        ->assertActionEnabled('backfill_lifecycle')
        ->callAction('backfill_lifecycle')
        ->assertNotified('Findings lifecycle backfill paused');

    expect(OperationRun::query()->where('type', 'findings.lifecycle.backfill')->count())->toBe(0);

    $audit = AuditLog::query()
        ->where('action', AuditActionId::OperationalControlExecutionBlocked->value)
        ->latest('id')
        ->first();

    expect($audit)->not->toBeNull()
        ->and($audit?->workspace_id)->toBe((int) $tenant->workspace_id)
        ->and($audit?->tenant_id)->toBe((int) $tenant->getKey())
        ->and($audit?->status)->toBe('blocked')
        ->and($audit?->metadata['control_key'] ?? null)->toBe('findings.lifecycle.backfill')
        ->and($audit?->metadata['workspace_id'] ?? null)->toBe((int) $tenant->workspace_id);
});

it('does not block findings backfill for a different workspace when the pause is workspace-scoped', function (): void {
    Queue::fake();

    [$blockedUser, $blockedTenant] = createUserWithTenant(role: 'owner');
    [$allowedUser, $allowedTenant] = createUserWithTenant(role: 'owner');

    Finding::factory()->create([
        'tenant_id' => (int) $allowedTenant->getKey(),
        'due_at' => null,
    ]);

    OperationalControlActivation::factory()->workspaceScoped()->create([
        'control_key' => 'findings.lifecycle.backfill',
        'workspace_id' => (int) $blockedTenant->workspace_id,
        'reason_text' => 'Paused only for the blocked workspace.',
    ]);

    $this->actingAs($allowedUser);
    Filament::setTenant($allowedTenant, true);

    Livewire::test(ListFindings::class)
        ->assertActionExists('backfill_lifecycle')
        ->assertActionEnabled('backfill_lifecycle')
        ->callAction('backfill_lifecycle');

    $run = OperationRun::query()
        ->where('type', 'findings.lifecycle.backfill')
        ->where('tenant_id', (int) $allowedTenant->getKey())
        ->latest('id')
        ->first();

    expect($run)->not->toBeNull();

    Queue::assertPushed(BackfillFindingLifecycleJob::class, function (BackfillFindingLifecycleJob $job) use ($allowedTenant): bool {
        return $job->tenantId === (int) $allowedTenant->getKey()
            && $job->workspaceId === (int) $allowedTenant->workspace_id;
    });

    expect(AuditLog::query()
        ->where('action', AuditActionId::OperationalControlExecutionBlocked->value)
        ->where('tenant_id', (int) $allowedTenant->getKey())
        ->exists())->toBeFalse();
});