<?php

use App\Filament\Resources\OperationRunResource;
use App\Models\OperationRun;
use App\Models\Tenant;

it('scopes Monitoring → Operations list to the active tenant', function () {
    $tenantA = Tenant::factory()->create();
    $tenantB = Tenant::factory()->create();

    [$user] = createUserWithTenant($tenantA, role: 'owner');

    $user->tenants()->syncWithoutDetaching([
        $tenantB->getKey() => ['role' => 'owner'],
    ]);

    OperationRun::factory()->create([
        'tenant_id' => $tenantA->getKey(),
        'type' => 'policy.sync',
        'status' => 'queued',
        'outcome' => 'pending',
        'initiator_name' => 'TenantA',
    ]);

    OperationRun::factory()->create([
        'tenant_id' => $tenantB->getKey(),
        'type' => 'inventory.sync',
        'status' => 'queued',
        'outcome' => 'pending',
        'initiator_name' => 'TenantB',
    ]);

    $this->actingAs($user)
        ->get(OperationRunResource::getUrl('index', tenant: $tenantA))
        ->assertOk()
        ->assertSee('Policy sync')
        ->assertSee('TenantA')
        ->assertDontSee('Inventory sync')
        ->assertDontSee('TenantB');
});

it('prevents cross-tenant access to Monitoring → Operations detail', function () {
    $tenantA = Tenant::factory()->create();
    $tenantB = Tenant::factory()->create();

    [$user] = createUserWithTenant($tenantA, role: 'owner');

    $user->tenants()->syncWithoutDetaching([
        $tenantB->getKey() => ['role' => 'owner'],
    ]);

    $runB = OperationRun::factory()->create([
        'tenant_id' => $tenantB->getKey(),
        'type' => 'inventory.sync',
        'status' => 'queued',
        'outcome' => 'pending',
        'initiator_name' => 'TenantB',
    ]);

    $this->actingAs($user)
        ->get(OperationRunResource::getUrl('view', ['record' => $runB], tenant: $tenantA))
        ->assertNotFound();
});