import { describe, it } from "node:test";
import assert from "node:assert/strict";
import {
  isInsideProject,
  isMemoryFileTarget,
  isSafeBash,
  scanForSecrets,
} from "../extensions/helpers.ts";

describe("isSafeBash", () => {
  it("allows simple safe binaries", () => {
    assert.equal(isSafeBash("ls -la", []), true);
    assert.equal(isSafeBash("pwd", []), true);
  });

  it("allows safe git subcommands", () => {
    assert.equal(isSafeBash("git status", []), true);
    assert.equal(isSafeBash("git diff", []), true);
  });

  it("rejects unsafe git subcommands", () => {
    assert.equal(isSafeBash("git push", []), false);
  });

  it("rejects shell wrappers", () => {
    assert.equal(isSafeBash("bash -c 'rm -rf /'", []), false);
    assert.equal(isSafeBash("sh script.sh", []), false);
  });

  it("rejects commands with dangerous sequences", () => {
    assert.equal(isSafeBash("ls && rm -rf /", []), false);
    assert.equal(isSafeBash("cat file | xargs", []), false);
  });

  it("respects the extra-safe list", () => {
    assert.equal(isSafeBash("custom-tool arg", ["custom-tool"]), true);
  });

  it("rejects empty commands", () => {
    assert.equal(isSafeBash("", []), false);
    assert.equal(isSafeBash("   ", []), false);
  });
});

describe("isInsideProject", () => {
  it("returns true for paths inside the cwd", () => {
    assert.equal(isInsideProject("src/index.ts", "/home/user/project"), true);
    assert.equal(isInsideProject("/home/user/project/src/index.ts", "/home/user/project"), true);
  });

  it("returns false for paths outside the cwd", () => {
    assert.equal(isInsideProject("/etc/passwd", "/home/user/project"), false);
    assert.equal(isInsideProject("../secrets.txt", "/home/user/project"), false);
  });

  it("returns true for the cwd itself", () => {
    assert.equal(isInsideProject("/home/user/project", "/home/user/project"), true);
  });
});

describe("scanForSecrets", () => {
  it("detects an AWS access key", () => {
    assert.deepEqual(scanForSecrets("AKIAIOSFODNN7EXAMPLE"), ["AWS access key"]);
  });

  it("detects an OpenAI-style secret key", () => {
    assert.deepEqual(scanForSecrets("sk-abcdefghijklmnopqrstuvwxyz1234"), [
      "OpenAI/Anthropic-style secret key",
    ]);
  });

  it("detects assigned password values", () => {
    assert.deepEqual(scanForSecrets("DB_PASSWORD = 'supersecret12345'"), [
      "assigned secret/token/password/key value",
    ]);
  });

  it("detects private key blocks", () => {
    assert.deepEqual(scanForSecrets("-----BEGIN OPENSSH PRIVATE KEY-----"), ["private key block"]);
  });

  it("returns an empty array for clean content", () => {
    assert.deepEqual(scanForSecrets("hello world"), []);
  });

  it("reports every matched pattern type", () => {
    const content = "AKIAIOSFODNN7EXAMPLE and sk-abcdefghijklmnopqrstuvwxyz1234";
    const found = scanForSecrets(content);
    assert.equal(found.includes("AWS access key"), true);
    assert.equal(found.includes("OpenAI/Anthropic-style secret key"), true);
  });
});

describe("isMemoryFileTarget", () => {
  it("returns true for memory file names", () => {
    assert.equal(isMemoryFileTarget("AGENTS.md"), true);
    assert.equal(isMemoryFileTarget("/project/GEMINI.md"), true);
    assert.equal(isMemoryFileTarget("CLAUDE.md"), true);
  });

  it("returns false for non-memory files", () => {
    assert.equal(isMemoryFileTarget("README.md"), false);
    assert.equal(isMemoryFileTarget("package.json"), false);
  });

  it("returns false for undefined", () => {
    assert.equal(isMemoryFileTarget(undefined), false);
  });
});
