import { describe, it, expect, beforeAll } from 'vitest';
import { fileURLToPath } from 'url';
import request from 'supertest';
import { pool } from '../../lib/db/pool.js';
import { createApp } from '../../server.js';
import { resetDb } from '../helpers/db.js';
import { migrateUp } from '../../lib/db/migrate.js';

const FAKE = fileURLToPath(new URL('../fixtures/fake-claude-security.js', import.meta.url));
let app;
beforeAll(async () => {
  await resetDb(); await migrateUp();
  process.env.OWNER_TOKEN = 'test-token';
  app = createApp();
  app.locals.claudeExe = FAKE;
});
const auth = (r) => r.set('Authorization', 'Bearer test-token');

describe('Yerin security API', () => {
  it('GET creates the global conversation and returns Yerin + empty history', async () => {
    const res = await auth(request(app).get('/api/security/yerin'));
    expect(res.status).toBe(200);
    expect(res.body.agent.slug).toBe('yerin');
    expect(res.body.conversation_id).toBeTruthy();
    expect(res.body.messages).toEqual([]);
  });
  it('POST /turn streams SSE and persists user+assistant; no draft event', async () => {
    const res = await auth(request(app).post('/api/security/yerin/turn')).send({ text: 'any new threats?' });
    expect(res.status).toBe(200);
    expect(res.headers['content-type']).toMatch(/text\/event-stream/);
    expect(res.text).toMatch(/event: delta/);
    expect(res.text).toMatch(/event: tool/);
    expect(res.text).toMatch(/event: done/);
    expect(res.text).not.toMatch(/event: draft/);
    const { rows: msgs } = await pool.query(`SELECT role, body FROM messages ORDER BY created_at`);
    expect(msgs.map(m => m.role)).toEqual(['user', 'assistant']);
    expect(msgs[1].body).toBe('No new threats.');
  });
});