import assert from "node:assert/strict";
import test from "node:test";
import { assertDestructiveDbAllowed } from "./destructive-db-guard.js";
import { assertNexusDbTarget, assertSafeSeedTarget } from "./safe-destructive-env.js";

const ORIGINAL_ENV = { ...process.env };

function setEnv(values: Record<string, string | undefined>) {
  process.env = { ...ORIGINAL_ENV };

  for (const [key, value] of Object.entries(values)) {
    if (value === undefined) {
      delete process.env[key];
      continue;
    }

    process.env[key] = value;
  }
}

test.afterEach(() => {
  process.env = { ...ORIGINAL_ENV };
});

test("assertDestructiveDbAllowed allows an explicitly confirmed disposable nexus test database", () => {
  setEnv({
    DATABASE_URL: "postgresql://tester:secret@localhost:5432/nexus_test",
    ALLOW_DESTRUCTIVE_DB_TOOLS: "true",
    CONFIRM_DESTRUCTIVE_DB_NAME: "nexus_test",
  });

  const target = assertDestructiveDbAllowed({
    commandName: "db:test",
    allowedDatabaseNames: ["nexus_test"],
  });

  assert.equal(target.databaseName, "nexus_test");
  assert.equal(target.hostname, "localhost");
});

test("assertDestructiveDbAllowed rejects protected live database names even if allowlisted", () => {
  setEnv({
    DATABASE_URL: "postgresql://tester:secret@localhost:5432/nexus",
    ALLOW_DESTRUCTIVE_DB_TOOLS: "true",
    CONFIRM_DESTRUCTIVE_DB_NAME: "nexus",
  });

  assert.throws(
    () =>
      assertDestructiveDbAllowed({
        commandName: "db:test",
        allowedDatabaseNames: ["nexus"],
      }),
    /explicitly protected/u,
  );
});

test("assertDestructiveDbAllowed rejects missing confirmation", () => {
  setEnv({
    DATABASE_URL: "postgresql://tester:secret@localhost:5432/nexus_e2e",
    ALLOW_DESTRUCTIVE_DB_TOOLS: "true",
    CONFIRM_DESTRUCTIVE_DB_NAME: "wrong_db",
  });

  assert.throws(
    () =>
      assertDestructiveDbAllowed({
        commandName: "db:test",
        allowedDatabaseNames: ["nexus_e2e"],
      }),
    /CONFIRM_DESTRUCTIVE_DB_NAME=nexus_e2e/u,
  );
});

test("assertDestructiveDbAllowed rejects missing destructive allow flag", () => {
  setEnv({
    DATABASE_URL: "postgresql://tester:secret@localhost:5432/nexus_ci",
    ALLOW_DESTRUCTIVE_DB_TOOLS: undefined,
    CONFIRM_DESTRUCTIVE_DB_NAME: "nexus_ci",
  });

  assert.throws(
    () =>
      assertDestructiveDbAllowed({
        commandName: "db:test",
        allowedDatabaseNames: ["nexus_ci"],
      }),
    /ALLOW_DESTRUCTIVE_DB_TOOLS=true/u,
  );
});

test("assertSafeSeedTarget rejects unexpected legacy disposable databases", () => {
  setEnv({
    DATABASE_URL: "postgresql://tester:secret@localhost:5432/legacy_test",
    ALLOW_DESTRUCTIVE_DB_TOOLS: "true",
    CONFIRM_DESTRUCTIVE_DB_NAME: "legacy_test",
  });

  assert.throws(() => assertSafeSeedTarget("db:seed"), /not in the destructive-tool allowlist/u);
});

test("assertNexusDbTarget accepts non-destructive nexus targets", () => {
  setEnv({
    DATABASE_URL: "postgresql://tester:secret@localhost:5432/nexus_dev",
  });

  const target = assertNexusDbTarget("db:seed:holidays");

  assert.equal(target.databaseName, "nexus_dev");
});

test("assertNexusDbTarget rejects legacy non-nexus targets", () => {
  setEnv({
    DATABASE_URL: "postgresql://tester:secret@localhost:5432/legacy_non_nexus",
  });

  assert.throws(() => assertNexusDbTarget("db:seed:holidays"), /not a valid Nexus target/u);
});

test("assertNexusDbTarget explains missing env loading clearly", () => {
  setEnv({
    DATABASE_URL: undefined,
  });

  assert.throws(
    () => assertNexusDbTarget("db:update:blueprints"),
    /Run the command through the Nexus env wrappers/u,
  );
});