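"""Tests for the read-only posture conformance checker (WP-0015 T3)."""
from __future__ import annotations

import importlib.util
import sys
from pathlib import Path

import pytest
import yaml

from warden.posture import load_posture

# Repository root: this test module sits one directory below it.
_REPO_ROOT = Path(__file__).resolve().parent.parent

# Load the script module by path (it lives under scripts/, not the package).
_SCRIPT = _REPO_ROOT / "scripts" / "check_secret_posture_conformance.py"
_spec = importlib.util.spec_from_file_location("check_secret_posture_conformance", _SCRIPT)
if _spec is None or _spec.loader is None:
    raise ImportError(f"cannot build an import spec for {_SCRIPT}")
conformance = importlib.util.module_from_spec(_spec)
_spec.loader.exec_module(conformance)

# The example manifest shipped with the repository; it is deliberately non-conformant.
_EXAMPLE_MANIFEST = _REPO_ROOT / "examples" / "posture-conformance.example.yaml"


def _read_yaml(path: Path) -> object:
    """Parse *path* with ``yaml.safe_load`` (never ``yaml.load``: manifests are data, not code)."""
    return yaml.safe_load(path.read_text(encoding="utf-8"))


@pytest.fixture
def cat():
    """The posture catalogue every manifest is checked against."""
    return load_posture()


def test_example_manifest_reports_expected_deny(cat):
    """The shipped example deliberately includes one denied flow (dev/M0 <- M3).

    Exactly one violation is expected, it names the offending secret and
    carries the DENIED marker.
    """
    manifest = _read_yaml(_EXAMPLE_MANIFEST)
    violations = conformance.run(manifest, cat)
    assert len(violations) == 1
    assert "regulated-export-cred" in violations[0]
    assert "DENIED" in violations[0]


def test_fully_conformant_manifest_has_no_violations(cat):
    """A prod environment on the sealed backend, an M3 workload and an M2
    confidential request produce an empty violation list."""
    manifest = {
        "environments": {"prod": {"backend": "openbao-sealed-shamir"}},
        "workloads": [{"id": "w1", "env_posture": "prod", "maturity": "M3"}],
        "secret_requests": [
            {"secret": "s1", "to_workload": "w1", "required_maturity": "M2", "dataclass": "confidential"}
        ],
    }
    assert conformance.run(manifest, cat) == []


def test_env_posture_mismatch_flagged(cat):
    """A prod environment declaring a mock backend yields a violation that
    names both the backend field and the environment."""
    manifest = {"environments": {"prod": {"backend": "mock-or-contract-double"}}}
    violations = conformance.run(manifest, cat)
    assert any("backend" in v and "prod" in v for v in violations)


def test_unknown_environment_flagged(cat):
    """An environment the catalogue does not know is reported by name."""
    violations = conformance.run({"environments": {"staging": {}}}, cat)
    assert any("staging" in v for v in violations)


def test_lattice_denies_non_prod_env(cat):
    """A workload running with the 'test' env posture is refused the secret;
    the violation text mentions the env posture."""
    manifest = {
        "workloads": [{"id": "w", "env_posture": "test", "maturity": "M3"}],
        "secret_requests": [{"secret": "s", "to_workload": "w", "required_maturity": "M0"}],
    }
    violations = conformance.run(manifest, cat)
    assert any("env posture" in v for v in violations)


def test_missing_target_workload_flagged(cat):
    """A request addressed to an undeclared workload is reported by that id."""
    manifest = {
        "secret_requests": [{"secret": "s", "to_workload": "ghost", "required_maturity": "M0"}],
    }
    violations = conformance.run(manifest, cat)
    assert any("ghost" in v for v in violations)


def test_main_exit_codes(tmp_path, monkeypatch):
    """``main()`` exits 0 for a conformant manifest and 2 when the manifest
    file does not exist.

    ``sys.argv`` is swapped through ``monkeypatch`` so it is restored even
    when an assertion fails; the exit code for a manifest *with* violations
    is not covered here.
    """
    conformant = tmp_path / "ok.yaml"
    conformant.write_text(
        yaml.safe_dump(
            {
                "workloads": [{"id": "w", "env_posture": "prod", "maturity": "M3"}],
                "secret_requests": [
                    {"secret": "s", "to_workload": "w", "required_maturity": "M3", "dataclass": "restricted"}
                ],
            }
        ),
        encoding="utf-8",
    )

    monkeypatch.setattr(sys, "argv", ["check", "--manifest", str(conformant)])
    assert conformance.main() == 0

    monkeypatch.setattr(sys, "argv", ["check", "--manifest", str(tmp_path / "missing.yaml")])
    assert conformance.main() == 2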