package cli

import (
	"path/filepath"
	"testing"

	"git.dcglab.co.uk/steve/emcli/internal/crypto"
	"git.dcglab.co.uk/steve/emcli/internal/store"
)

func TestCommandRole(t *testing.T) {
	admin := []string{"account", "whitelist", "config", "audit"}
	agent := []string{"list", "get", "search", "ack", "send", "doctor"}
	for _, c := range admin {
		if commandRole(c) != store.RoleAdmin {
			t.Errorf("%s should be admin", c)
		}
	}
	for _, c := range agent {
		if commandRole(c) != store.RoleAgent {
			t.Errorf("%s should be agent", c)
		}
	}
}

func TestAgentCommandWorksWithOnlyAdminKey(t *testing.T) {
	// A human holding only the admin key can still run agent commands
	// (admin is a superset → agent-role unlock falls back to the admin slot).
	db := filepath.Join(t.TempDir(), "emcli.db")
	t.Setenv("EMCLI_ADMIN_KEY", b64Key())
	t.Setenv("EMCLI_KEY", b64AgentKey())
	t.Setenv("EMCLI_DB", db)
	st, _ := store.Open(db)
	ak, _ := crypto.AdminKeyFromEnv()
	gk, _ := crypto.AgentKeyFromEnv()
	st.InitKeys(ak, gk)
	st.Close()

	// Only the admin key now; agent command must still open the store.
	t.Setenv("EMCLI_KEY", "")
	s2, err := openStore(store.RoleAgent)
	if err != nil {
		t.Fatalf("agent role with only admin key should open: %v", err)
	}
	s2.Close()
}