<?php

use App\Services\SystemConfig\SystemConfigService;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Route;

beforeEach(function () {
    $ref = new ReflectionClass(SystemConfigService::class);
    $prop = $ref->getProperty('resolvedSettings');
    $prop->setAccessible(true);
    $prop->setValue(null, null);
    Cache::flush();

    Route::middleware('web')
        ->get('/__sec-probe', fn () => response('ok'));
});

test('X-Content-Type-Options nosniff is present', function () {
    $r = $this->get('/__sec-probe');
    expect($r->headers->get('X-Content-Type-Options'))->toBe('nosniff');
});

test('X-Frame-Options SAMEORIGIN is present', function () {
    $r = $this->get('/__sec-probe');
    expect($r->headers->get('X-Frame-Options'))->toBe('SAMEORIGIN');
});

test('Referrer-Policy is strict-origin-when-cross-origin', function () {
    $r = $this->get('/__sec-probe');
    expect($r->headers->get('Referrer-Policy'))->toBe('strict-origin-when-cross-origin');
});

test('Permissions-Policy locks down camera, microphone, geolocation', function () {
    $r = $this->get('/__sec-probe');
    $pp = $r->headers->get('Permissions-Policy');
    expect($pp)->toContain('camera=()')->toContain('microphone=()')->toContain('geolocation=()');
});

test('X-XSS-Protection header is set', function () {
    $r = $this->get('/__sec-probe');
    expect($r->headers->get('X-XSS-Protection'))->not->toBeNull();
});

test('HSTS is omitted over plain HTTP regardless of setting', function () {
    $r = $this->get('/__sec-probe');
    expect($r->headers->get('Strict-Transport-Security'))->toBeNull();
});