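"""Tests for scripts/check_principals_drift.py.

Each test materialises a minimal inventory (the per-host ``allowed_principals``
allow-list) and a minimal infra ``ssh_principals`` mapping, then runs the drift
checker as a subprocess, exactly as CI would, and checks its exit code and the
report it prints on stdout.
"""

import subprocess
import sys
from pathlib import Path

import yaml

ROOT = Path(__file__).resolve().parents[1]
SCRIPT = ROOT / "scripts" / "check_principals_drift.py"

# Upper bound on one checker run: a hung script must fail its test, not stall
# the whole suite.
CHECK_TIMEOUT_S = 30


def _write_yaml(path: Path, data: dict) -> Path:
    """Serialise *data* with PyYAML into *path* and return *path*."""
    path.write_text(yaml.dump(data))
    return path


def _run_check(inventory: Path, infra: Path) -> subprocess.CompletedProcess:
    """Run the drift checker on the two files and return the completed process.

    Invoked the same way for every test: the current interpreter, the script
    path, and the inputs passed as ``--inventory`` / ``--infra``.  ``check`` is
    left False because a non-zero exit code is itself the behaviour under
    test; ``timeout`` turns a hung checker into a test failure.
    """
    return subprocess.run(
        [sys.executable, str(SCRIPT), "--inventory", str(inventory), "--infra", str(infra)],
        cwd=ROOT,
        capture_output=True,
        text=True,
        check=False,
        timeout=CHECK_TIMEOUT_S,
    )


def _describe(result: subprocess.CompletedProcess) -> str:
    """Format exit code, stdout and stderr so a failing assertion shows them."""
    return (
        f"exit={result.returncode}\n--- stdout ---\n{result.stdout}"
        f"--- stderr ---\n{result.stderr}"
    )


def test_no_drift_when_aligned(tmp_path):
    """Inventory and infra agree on host1's principal: exit 0 and an OK report."""
    inv = _write_yaml(tmp_path / "inventory.yaml", {
        "actors": {
            "agt-test": {"type": "agt", "principals": ["agt-task-bridge"], "ttl_hours": 24},
        },
        "hosts": {"host1": {"allowed_principals": {"agt": ["agt-task-bridge"]}}},
    })
    # NOTE(review): the host is spelled "host1" here and "Host1" in the infra
    # file; this case passing presumably means the checker compares host names
    # case-insensitively — confirm against the script before relying on it.
    infra = _write_yaml(tmp_path / "ssh_principals.yaml", {
        "ssh_principals": {"Host1": {"users": {"user1": ["agt-task-bridge"]}}},
    })

    result = _run_check(inv, infra)

    assert result.returncode == 0, _describe(result)
    assert "OK" in result.stdout, _describe(result)


def test_drift_detected(tmp_path):
    """Inventory and infra disagree on host1's principals: exit 1 and a DRIFT report."""
    inv = _write_yaml(tmp_path / "inventory.yaml", {
        "hosts": {"host1": {"allowed_principals": {"agt": ["agt-missing"]}}},
    })
    infra = _write_yaml(tmp_path / "ssh_principals.yaml", {
        "ssh_principals": {"Host1": {"users": {"user1": ["agt-other"]}}},
    })

    result = _run_check(inv, infra)

    assert result.returncode == 1, _describe(result)
    assert "DRIFT" in result.stdout, _describe(result)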