package cli

import (
	"path/filepath"
	"testing"

	"git.dcglab.co.uk/steve/emcli/internal/crypto"
	"git.dcglab.co.uk/steve/emcli/internal/store"
)

func TestCommandRole(t *testing.T) {
	adminCmds := [][]string{
		{"whitelist"}, {"config"}, {"audit"},
		{"account"}, {"account", "add"}, {"account", "edit"}, {"account", "remove"},
	}
	agentCmds := [][]string{
		{"list"}, {"get"}, {"search"}, {"ack"}, {"send"}, {"doctor"},
		{"account", "list"},
	}
	for _, c := range adminCmds {
		if commandRole(c) != store.RoleAdmin {
			t.Errorf("%v should be admin", c)
		}
	}
	for _, c := range agentCmds {
		if commandRole(c) != store.RoleAgent {
			t.Errorf("%v should be agent", c)
		}
	}
}

func TestAgentCommandWorksWithOnlyAdminKey(t *testing.T) {
	// A human holding only the admin key can still run agent commands
	// (admin is a superset → agent-role unlock falls back to the admin slot).
	db := filepath.Join(t.TempDir(), "emcli.db")
	t.Setenv("EMCLI_ADMIN_KEY", b64Key())
	t.Setenv("EMCLI_KEY", b64AgentKey())
	t.Setenv("EMCLI_DB", db)
	st, _ := store.Open(db)
	ak, _ := crypto.AdminKeyFromEnv()
	gk, _ := crypto.AgentKeyFromEnv()
	st.InitKeys(ak, gk)
	st.Close()

	// Only the admin key now; agent command must still open the store.
	t.Setenv("EMCLI_KEY", "")
	s2, err := openStore(store.RoleAgent)
	if err != nil {
		t.Fatalf("agent role with only admin key should open: %v", err)
	}
	s2.Close()
}