<?php

use App\Models\AuditLog;
use App\Models\Role;
use App\Models\User;
use Laravel\Sanctum\Sanctum;

it('requires authentication to list audit logs', function (): void {
    $response = $this->getJson('/api/audit-logs');

    $response->assertStatus(401);
});

it('forbids non-admin audit log access', function (): void {
    $user = User::factory()->create();
    Sanctum::actingAs($user);

    $response = $this->getJson('/api/audit-logs');

    $response->assertStatus(403);
});

it('lists audit logs for admins', function (): void {
    $admin = User::factory()->create();
    $role = Role::firstOrCreate(['name' => 'ROLE_ADMIN'], ['color' => '#111111']);
    $admin->roles()->attach($role);

    $log = AuditLog::create([
        'user_id' => $admin->id,
        'action' => 'test.action',
        'subject_type' => null,
        'subject_id' => null,
        'metadata' => ['foo' => 'bar'],
        'ip_address' => '127.0.0.1',
        'user_agent' => 'test',
    ]);

    Sanctum::actingAs($admin);
    $response = $this->getJson('/api/audit-logs');

    $response->assertOk();
    $response->assertJsonFragment([
        'id' => $log->id,
        'action' => 'test.action',
    ]);
});