<?php

declare(strict_types=1);

use App\Filament\System\Pages\Ops\Runbooks;
use App\Models\AuditLog;
use App\Models\Finding;
use App\Models\OperationalControlActivation;
use App\Models\OperationRun;
use App\Models\PlatformUser;
use App\Models\Tenant;
use App\Support\Audit\AuditActionId;
use App\Support\Auth\PlatformCapabilities;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Queue;
use Livewire\Livewire;

uses(RefreshDatabase::class);

beforeEach(function (): void {
    Filament::setCurrentPanel('system');
    Filament::bootCurrentPanel();

    Tenant::factory()->create([
        'tenant_id' => null,
        'external_id' => 'platform',
        'name' => 'Platform',
    ]);
});

it('blocks all-tenant findings lifecycle runbooks when the control is globally paused', function (): void {
    Queue::fake();

    $platformTenant = Tenant::query()->where('external_id', 'platform')->firstOrFail();

    $tenant = Tenant::factory()->create([
        'workspace_id' => (int) $platformTenant->workspace_id,
    ]);

    Finding::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'due_at' => null,
    ]);

    OperationalControlActivation::factory()->forGlobalScope()->create([
        'control_key' => 'findings.lifecycle.backfill',
        'reason_text' => 'Paused during incident response.',
    ]);

    $user = PlatformUser::factory()->create([
        'capabilities' => [
            PlatformCapabilities::ACCESS_SYSTEM_PANEL,
            PlatformCapabilities::OPS_VIEW,
            PlatformCapabilities::RUNBOOKS_VIEW,
            PlatformCapabilities::RUNBOOKS_RUN,
            PlatformCapabilities::RUNBOOKS_FINDINGS_LIFECYCLE_BACKFILL,
        ],
        'is_active' => true,
    ]);

    $this->actingAs($user, 'platform');

    Livewire::test(Runbooks::class)
        ->callAction('preflight', data: [
            'scope_mode' => 'all_tenants',
        ])
        ->assertSet('preflight.affected_count', 1)
        ->callAction('run', data: [
            'typed_confirmation' => 'BACKFILL',
            'reason_code' => 'DATA_REPAIR',
            'reason_text' => 'Attempt blocked by control',
        ])
        ->assertNotified('Findings lifecycle backfill paused');

    expect(OperationRun::query()->where('type', 'findings.lifecycle.backfill')->count())->toBe(0);

    $audit = AuditLog::query()
        ->where('action', AuditActionId::OperationalControlExecutionBlocked->value)
        ->latest('id')
        ->first();

    expect($audit)->not->toBeNull()
        ->and($audit?->workspace_id)->toBeNull()
        ->and($audit?->tenant_id)->toBeNull()
        ->and($audit?->status)->toBe('blocked')
        ->and($audit?->metadata['control_key'] ?? null)->toBe('findings.lifecycle.backfill')
        ->and($audit?->metadata['requested_scope'] ?? null)->toBe('all_tenants');
});