<?php

use App\Models\AdminUser;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

beforeEach(function (): void {
    $this->artisan('lottery:admin-auth-sync')->assertExitCode(0);
});

test('super admin can provision agent line with aligned root code', function (): void {
    $admin = AdminUser::query()->create([
        'username' => 'line_super',
        'name' => 'Line Super',
        'email' => null,
        'password' => Hash::make('secret-strong'),
        'status' => 0,
    ]);
    grantSuperAdminRole($admin);

    $token = $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;

    $response = $this->withHeader('Authorization', 'Bearer '.$token)
        ->postJson('/api/v1/admin/agent-lines', [
            'code' => 'line-alpha',
            'name' => 'Line Alpha',
            'username' => 'line_alpha_owner',
            'password' => 'secret-strong',
            'currency_code' => 'NPR',
            'status' => 1,
        ])
        ->assertCreated()
        ->assertJsonPath('data.code', 'line-alpha')
        ->assertJsonPath('data.agent_node.code', 'line-alpha')
        ->assertJsonPath('data.line_root.site_code', 'line-alpha')
        ->assertJsonPath('data.secrets.sso_jwt_secret', fn ($v) => is_string($v) && $v !== '')
        ->assertJsonPath('data.secrets.wallet_api_key', fn ($v) => is_string($v) && $v !== '');

    $siteId = (int) DB::table('admin_sites')->where('code', 'line-alpha')->value('id');
    expect($siteId)->toBeGreaterThan(0);

    $root = DB::table('agent_nodes')
        ->where('admin_site_id', $siteId)
        ->where('depth', 0)
        ->first();

    expect($root)->not->toBeNull();
    expect((string) $root->code)->toBe('line-alpha');

    expect(
        DB::table('admin_user_agents')->where('agent_node_id', (int) $root->id)->count()
    )->toBe(1);
});

test('non super admin cannot create integration site directly', function (): void {
    $siteId = (int) DB::table('admin_sites')->where('is_default', true)->value('id');
    $admin = AdminUser::query()->create([
        'username' => 'line_ops',
        'name' => 'Ops',
        'email' => null,
        'password' => Hash::make('secret-strong'),
        'status' => 0,
    ]);

    $roleId = DB::table('admin_roles')->insertGetId([
        'slug' => 'integration_ops',
        'code' => 'integration_ops',
        'name' => 'Integration Ops',
        'description' => null,
        'status' => 1,
        'is_system' => false,
        'sort_order' => 0,
        'created_at' => now(),
        'updated_at' => now(),
    ]);

    $actionId = DB::table('admin_menu_actions')
        ->where('permission_code', 'integration.site.manage')
        ->value('id');
    if ($actionId !== null) {
        DB::table('admin_role_menu_actions')->insert([
            'role_id' => $roleId,
            'menu_action_id' => (int) $actionId,
        ]);
    }

    DB::table('admin_user_site_roles')->insert([
        'admin_user_id' => $admin->id,
        'site_id' => $siteId,
        'role_id' => $roleId,
        'granted_at' => now(),
    ]);

    $token = $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;

    $this->withHeader('Authorization', 'Bearer '.$token)
        ->postJson('/api/v1/admin/integration-sites', [
            'code' => 'blocked-site',
            'name' => 'Blocked',
        ])
        ->assertForbidden();
});