<?php

declare(strict_types=1);

namespace Tests\Feature\Observability;

use App\Models\Organisation;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Route;
use RuntimeException;
use Sentry\ClientBuilder;
use Sentry\Event as SentryEvent;
use Sentry\EventHint;
use Sentry\SentrySdk;
use Sentry\State\Hub;
use Symfony\Component\Uid\Ulid;
use Tests\TestCase;

/**
 * Verifies that AuthScopeContextListener auth-scope tags actually bind on
 * a live HTTP request flow — not just when the Authenticated event is
 * dispatched directly from a test.
 *
 * Reproduces the bug surfaced after the WS-7 PR-2 architectural-fixes
 * deployment: offline tests passed because they called
 * `event(new Authenticated(...))` directly, but Crewli's bearer-token
 * Sanctum flow only fires `Laravel\Sanctum\Events\TokenAuthenticated`
 * (vendor/laravel/sanctum/src/Guard.php:77), never `Authenticated`. Live
 * captured events therefore carried no user_id / actor_type / actor_scope
 * tags. The fix listens to both events.
 *
 * To exercise the real Sanctum Guard, this test creates a personal-access
 * token via $user->createToken() and passes Authorization: Bearer in the
 * request — Sanctum::actingAs() short-circuits the Guard layer and would
 * NOT detect the regression.
 */
final class AuthScopeBindingHttpFlowTest extends TestCase
{
    use RefreshDatabase;

    /**
     * Captured events from the recording before_send hook.
     *
     * @var list<array{event: SentryEvent, hint: ?EventHint}>
     */
    private static array $captured = [];

    protected function setUp(): void
    {
        parent::setUp();
        $this->seed(RoleSeeder::class);
        self::$captured = [];

        $clientBuilder = ClientBuilder::create([
            'dsn' => 'https://test@localhost/1',
            'environment' => 'testing',
            'release' => 'crewli-api@test',
            'send_default_pii' => false,
            'traces_sample_rate' => 0.0,
            'profiles_sample_rate' => 0.0,
            'before_send' => static function (SentryEvent $event, ?EventHint $hint = null): ?SentryEvent {
                self::$captured[] = ['event' => $event, 'hint' => $hint];

                return null;
            },
        ]);
        SentrySdk::setCurrentHub(new Hub($clientBuilder->getClient()));
    }

    /**
     * @return array<string, string>
     */
    private function authHeader(User $user): array
    {
        $token = $user->createToken('regression-test')->plainTextToken;

        return ['Authorization' => 'Bearer '.$token];
    }

    public function test_authenticated_http_request_captures_auth_scope_tags_on_thrown_exception(): void
    {
        $user = User::factory()->create();
        $user->assignRole('super_admin');

        Route::middleware(['auth:sanctum', \App\Http\Middleware\BindSentryRouteContext::class])->group(function (): void {
            Route::get('_obs_authflow_throw', static fn () => throw new RuntimeException('regression-test'))
                ->name('test.obs.authflow_throw');
        });

        $response = $this->withHeaders($this->authHeader($user))->getJson('/_obs_authflow_throw');
        $response->assertStatus(500);

        $this->assertCount(1, self::$captured, 'Sentry event must be captured for thrown RuntimeException');
        $tags = self::$captured[0]['event']->getTags();

        $this->assertSame($user->id, $tags['user_id'] ?? null, 'user_id tag missing on live HTTP flow');
        $this->assertSame('super_admin', $tags['actor_type'] ?? null, 'actor_type tag missing on live HTTP flow');
        $this->assertArrayHasKey('actor_scope', $tags, 'actor_scope tag missing on live HTTP flow');
    }

    public function test_authenticated_http_request_to_admin_route_tags_actor_scope_platform(): void
    {
        $user = User::factory()->create();
        $user->assignRole('super_admin');

        Route::middleware(['auth:sanctum', \App\Http\Middleware\BindSentryRouteContext::class])
            ->name('admin.')
            ->group(function (): void {
                Route::get('_obs_admin_throw', static fn () => throw new RuntimeException('regression-test'))
                    ->name('platform_throw');
            });

        $this->withHeaders($this->authHeader($user))->getJson('/_obs_admin_throw');

        $tags = self::$captured[0]['event']->getTags();

        $this->assertSame('platform', $tags['actor_scope'] ?? null,
            'super_admin on admin.* route must tag actor_scope=platform');
        $this->assertArrayNotHasKey('organisation_id', $tags,
            'organisation_id MUST be absent on platform-scoped events');
    }

    public function test_authenticated_http_request_to_organisation_route_tags_organisation_scope(): void
    {
        $org = Organisation::factory()->create();
        $user = User::factory()->create();
        $org->users()->attach($user, ['role' => 'org_admin']);
        $user->assignRole('org_admin');

        Route::middleware(['auth:sanctum', \App\Http\Middleware\BindSentryRouteContext::class])->group(function (): void {
            Route::get('_obs_org_throw/{organisation}', static fn () => throw new RuntimeException('regression-test'))
                ->name('test.obs.org_throw');
        });

        $this->withHeaders($this->authHeader($user))->getJson('/_obs_org_throw/'.$org->id);

        $tags = self::$captured[0]['event']->getTags();

        $this->assertSame('organisation', $tags['actor_scope'] ?? null);
        $this->assertSame($org->id, $tags['organisation_id'] ?? null);
        $this->assertTrue(Ulid::isValid($tags['organisation_id']));
    }
}