use dirigent_fermata::core::{Decision, Policy};
use std::fs;
use tempfile::TempDir;

fn project_with(botsecrets: &str) -> TempDir {
    let tmp = TempDir::new().unwrap();
    fs::write(tmp.path().join(".botsecrets"), botsecrets).unwrap();
    tmp
}

#[test]
fn deny_substring_blocks() {
    let tmp = project_with("[policy.bash]\ndeny = [\"rm -rf /\"]\n");
    let p = Policy::load(tmp.path()).unwrap();
    assert!(matches!(p.check_command("sudo rm -rf / now").unwrap(), Decision::Deny(_)));
}

#[test]
fn deny_glob_blocks() {
    let tmp = project_with("[policy.bash]\ndeny = [\"git push --force*\"]\n");
    let p = Policy::load(tmp.path()).unwrap();
    assert!(matches!(p.check_command("git push --force-with-lease").unwrap(), Decision::Deny(_)));
}

#[test]
fn ask_returns_ask() {
    let tmp = project_with("[policy.bash]\nask = [\"rm *\"]\n");
    let p = Policy::load(tmp.path()).unwrap();
    assert!(matches!(p.check_command("rm somefile").unwrap(), Decision::Ask(_)));
}

#[test]
fn allow_prefixes_allows() {
    let tmp = project_with("[policy.bash]\nallow_prefixes = [\"make test\"]\n");
    let p = Policy::load(tmp.path()).unwrap();
    assert_eq!(p.check_command("make test").unwrap(), Decision::Allow);
    assert_eq!(p.check_command("make test-unit").unwrap(), Decision::Allow);
}

#[test]
fn no_rules_means_allow() {
    let tmp = project_with("");
    let p = Policy::load(tmp.path()).unwrap();
    assert_eq!(p.check_command("anything goes").unwrap(), Decision::Allow);
}

#[test]
fn deny_takes_precedence_over_allow_prefix() {
    let tmp = project_with("[policy.bash]\ndeny = [\"rm -rf /\"]\nallow_prefixes = [\"rm\"]\n");
    let p = Policy::load(tmp.path()).unwrap();
    assert!(matches!(p.check_command("rm -rf /").unwrap(), Decision::Deny(_)));
}