TenantAtlas/apps/platform/tests/Feature/ProviderConnections/ProviderConnectionCutoverSpec081Test.php

<?php

declare(strict_types=1);

use App\Models\ProviderConnection;
use App\Models\ProviderCredential;
use App\Models\ManagedEnvironment;
use App\Services\Providers\ProviderOperationStartGate;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\Providers\ProviderReasonCodes;
use App\Support\Verification\VerificationReportSchema;
use Illuminate\Support\Facades\DB;

it('Spec081 blocks provider operation starts when default connection is missing', function (): void {
    $tenant = ManagedEnvironment::factory()->create();
    $dispatched = 0;

    $result = app(ProviderOperationStartGate::class)->start(
        tenant: $tenant,
        connection: null,
        operationType: 'provider.connection.check',
        dispatcher: function () use (&$dispatched): void {
            $dispatched++;
        },
    );

    expect($dispatched)->toBe(0)
        ->and($result->status)->toBe('blocked')
        ->and($result->run->status)->toBe(OperationRunStatus::Completed->value)
        ->and($result->run->outcome)->toBe(OperationRunOutcome::Blocked->value)
        ->and($result->run->context['reason_code'] ?? null)->toBe(ProviderReasonCodes::ProviderConnectionMissing)
        ->and($result->run->context['next_steps'] ?? [])->not->toBeEmpty()
        ->and(VerificationReportSchema::isValidReport($result->run->context['verification_report'] ?? []))->toBeTrue();
});

it('Spec081 blocks provider operation starts when default connection has no credential', function (): void {
    $tenant = ManagedEnvironment::factory()->create();

    $connection = ProviderConnection::factory()->dedicated()->consentGranted()->create([
        'managed_environment_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
        'is_default' => true,
        'consent_status' => 'granted',
    ]);

    $result = app(ProviderOperationStartGate::class)->start(
        tenant: $tenant,
        connection: null,
        operationType: 'provider.connection.check',
        dispatcher: static function (): void {},
    );

    expect($result->status)->toBe('blocked')
        ->and($result->run->context['provider_connection_id'] ?? null)->toBe((int) $connection->getKey())
        ->and($result->run->context['reason_code'] ?? null)->toBe(ProviderReasonCodes::DedicatedCredentialMissing)
        ->and($result->run->outcome)->toBe(OperationRunOutcome::Blocked->value)
        ->and(VerificationReportSchema::isValidReport($result->run->context['verification_report'] ?? []))->toBeTrue();
});

it('Spec081 returns deterministic invalid reason when data corruption creates multiple defaults', function (): void {
    $tenant = ManagedEnvironment::factory()->create();

    DB::statement('DROP INDEX IF EXISTS provider_connections_default_unique');

    $first = ProviderConnection::factory()->dedicated()->consentGranted()->create([
        'managed_environment_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
        'is_default' => true,
        'consent_status' => 'granted',
    ]);
    ProviderCredential::factory()->create([
        'provider_connection_id' => (int) $first->getKey(),
    ]);

    $second = ProviderConnection::factory()->dedicated()->consentGranted()->create([
        'managed_environment_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
        'is_default' => true,
        'consent_status' => 'granted',
    ]);
    ProviderCredential::factory()->create([
        'provider_connection_id' => (int) $second->getKey(),
    ]);

    $result = app(ProviderOperationStartGate::class)->start(
        tenant: $tenant,
        connection: null,
        operationType: 'provider.connection.check',
        dispatcher: static function (): void {},
    );

    expect($result->status)->toBe('blocked')
        ->and($result->run->context['reason_code'] ?? null)->toBe(ProviderReasonCodes::ProviderConnectionInvalid)
        ->and($result->run->context['reason_code_extension'] ?? null)->toBe('ext.multiple_defaults_detected')
        ->and($result->run->outcome)->toBe(OperationRunOutcome::Blocked->value)
        ->and(VerificationReportSchema::isValidReport($result->run->context['verification_report'] ?? []))->toBeTrue();
});