"""Tests for tamper-evident audit logging."""

import json
from pathlib import Path

import pytest

from aegis_gitea_mcp.audit import AuditLogger, validate_audit_log_integrity


def test_audit_log_integrity_valid(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
    """Fresh audit log should validate with intact hash chain."""
    monkeypatch.setenv("GITEA_URL", "https://gitea.example.com")
    monkeypatch.setenv("GITEA_TOKEN", "token-123")
    monkeypatch.setenv("MCP_API_KEYS", "a" * 64)

    log_path = tmp_path / "audit.log"
    logger = AuditLogger(log_path=log_path)
    logger.log_tool_invocation("list_repositories", result_status="pending")
    logger.log_tool_invocation("list_repositories", result_status="success")
    logger.close()

    valid, errors = validate_audit_log_integrity(log_path)
    assert valid
    assert errors == []


def test_audit_log_integrity_detects_tamper(
    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
) -> None:
    """Integrity validation should fail when entries are modified."""
    monkeypatch.setenv("GITEA_URL", "https://gitea.example.com")
    monkeypatch.setenv("GITEA_TOKEN", "token-123")
    monkeypatch.setenv("MCP_API_KEYS", "a" * 64)

    log_path = tmp_path / "audit.log"
    logger = AuditLogger(log_path=log_path)
    logger.log_tool_invocation("list_repositories", result_status="pending")
    logger.log_tool_invocation("list_repositories", result_status="success")
    logger.close()

    lines = log_path.read_text(encoding="utf-8").splitlines()
    first_entry = json.loads(lines[0])
    first_entry["payload"]["tool_name"] = "tampered"
    lines[0] = json.dumps(first_entry)
    log_path.write_text("\n".join(lines) + "\n", encoding="utf-8")

    valid, errors = validate_audit_log_integrity(log_path)
    assert not valid
    assert errors