"""Tests for secret detection and sanitization helpers."""

from aegis_gitea_mcp.security import detect_secrets, sanitize_data


def test_detect_secrets_api_key_pattern() -> None:
    """Secret detector should identify common token formats."""
    findings = detect_secrets("token=sk-test12345678901234567890")
    assert findings


def test_sanitize_data_mask_mode() -> None:
    """Mask mode should preserve structure while redacting values."""
    payload = {"content": "api_key=AKIA1234567890ABCDEF"}
    sanitized = sanitize_data(payload, mode="mask")

    assert sanitized["content"] != payload["content"]
    assert "AKIA" in sanitized["content"]


def test_sanitize_data_block_mode() -> None:
    """Block mode should replace secret-bearing fields entirely."""
    payload = {"nested": ["Bearer eyJhbGciOiJIUzI1NiJ9.abcd.efgh"]}
    sanitized = sanitize_data(payload, mode="block")

    assert sanitized["nested"][0] == "[REDACTED_SECRET]"