// tools/askuser-answer-parser-floor-escape.test.mjs
import { describe, it, expect } from 'vitest';
import { signFloorEscapeRecord, verifyFloorEscapeRecord } from './askuser-answer-parser.mjs';
import { signApprovalRecord } from './askuser-answer-parser.mjs';

const KEY = 'test-receipt-key';
const REC = { type: 'floor_escape', action: 'bash:git push --force', ts: 1000 };

describe('signFloorEscapeRecord / verifyFloorEscapeRecord', () => {
  it('подписывает (+sig 64hex) и верифицирует целую запись', () => {
    const signed = signFloorEscapeRecord(REC, KEY);
    expect(signed.sig).toMatch(/^[0-9a-f]{64}$/);
    expect(signed.action).toBe(REC.action);
    expect(verifyFloorEscapeRecord(signed, KEY)).toBe(true);
  });
  it('false на подделке / без sig / без ключа / чужом ключе', () => {
    const signed = signFloorEscapeRecord(REC, KEY);
    expect(verifyFloorEscapeRecord({ ...signed, action: 'bash:rm -rf /' }, KEY)).toBe(false);
    expect(verifyFloorEscapeRecord(REC, KEY)).toBe(false); // нет sig
    expect(verifyFloorEscapeRecord(signed, null)).toBe(false);
    expect(verifyFloorEscapeRecord(signed, 'other-key')).toBe(false);
  });
  it('доменная изоляция: approval-подпись НЕ проходит как floor-escape', () => {
    const asApproval = signApprovalRecord(REC, KEY); // домен APPROVAL
    expect(verifyFloorEscapeRecord(asApproval, KEY)).toBe(false);
  });
  it('без ключа → sig:null', () => {
    expect(signFloorEscapeRecord(REC, null).sig).toBe(null);
  });
});