<?php

declare(strict_types=1);

use App\Models\Tenant;
use App\Models\ProviderConnection;
use App\Models\ProviderCredential;
use App\Support\Providers\ProviderNextStepsRegistry;
use App\Support\Providers\ProviderReasonCodes;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('includes an admin consent next step when provider consent is missing', function () {
    $tenant = Tenant::create([
        'tenant_id' => 'tenant-1',
        'name' => 'Contoso',
    ]);

    $registry = app(ProviderNextStepsRegistry::class);

    $steps = $registry->forReason($tenant, ProviderReasonCodes::ProviderConsentMissing);

    expect($steps)->toBeArray()
        ->and($steps)->not->toBeEmpty()
        ->and($steps[0]['label'])->toBe('Grant admin consent')
        ->and($steps[0]['url'])->toContain('learn.microsoft.com');
});

it('links to the real admin consent endpoint when provider credentials exist', function () {
    $tenant = Tenant::factory()->create([
        'app_client_id' => null,
    ]);

    $connection = ProviderConnection::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'provider' => 'microsoft',
        'entra_tenant_id' => (string) $tenant->graphTenantId(),
        'is_default' => true,
    ]);

    ProviderCredential::factory()->create([
        'provider_connection_id' => (int) $connection->getKey(),
        'payload' => [
            'client_id' => 'derived-client-id',
            'client_secret' => 'derived-client-secret',
        ],
    ]);

    $registry = app(ProviderNextStepsRegistry::class);

    $steps = $registry->forReason($tenant, ProviderReasonCodes::ProviderConsentMissing, $connection);

    expect($steps)->toBeArray()
        ->and($steps)->not->toBeEmpty()
        ->and($steps[0]['label'])->toBe('Grant admin consent')
        ->and($steps[0]['url'])->toContain('login.microsoftonline.com')
        ->and($steps[0]['url'])->toContain('adminconsent');
});