import { describe, it, expect, beforeAll, vi } from 'vitest';
import { resetDb } from '../helpers/db.js';
import { migrateUp } from '../../lib/db/migrate.js';
import { pool } from '../../lib/db/pool.js';
import * as agentsRepo from '../../lib/db/repos/agents.js';
import { mcpAuth, _resetMcpRate } from '../../lib/api/middleware/mcp_auth.js';

const owner = { kind: 'user', id: null };
function mockRes() {
  return { statusCode: 200, body: null,
    status(c) { this.statusCode = c; return this; },
    json(b) { this.body = b; return this; } };
}
async function run(headers) {
  const req = { headers };
  const res = mockRes();
  const next = vi.fn();
  await mcpAuth(req, res, next);
  return { req, res, next };
}

let scopedToken, unscopedToken;
beforeAll(async () => {
  await resetDb(); await migrateUp();
  process.env.OWNER_TOKEN = 'test-token';
  const { rows: [{ id: spaceId }] } = await pool.query(`INSERT INTO spaces(slug,name) VALUES('s','S') RETURNING id`);
  const scoped = await agentsRepo.create({ slug: `s-${Date.now()}`, name: 'S', kind: 'claude', model: 'sonnet',
    capabilities: { read: true, suggest: true }, scopes: { space_id: spaceId } }, owner);
  ({ token: scopedToken } = await agentsRepo.createToken(scoped.id, 'mcp'));
  const unscoped = await agentsRepo.create({ slug: `u-${Date.now()}`, name: 'U', kind: 'claude', model: 'sonnet',
    capabilities: { read: true, suggest: true }, scopes: {} }, owner);
  ({ token: unscopedToken } = await agentsRepo.createToken(unscoped.id, 'mcp'));
});

describe('mcpAuth', () => {
  it('missing bearer → 401', async () => {
    const { res, next } = await run({}); expect(res.statusCode).toBe(401); expect(next).not.toHaveBeenCalled();
  });
  it('owner token → 401 agent_required', async () => {
    const { res } = await run({ authorization: 'Bearer test-token' });
    expect(res.statusCode).toBe(401); expect(res.body.error.code).toBe('agent_required');
  });
  it('invalid token → 401', async () => {
    const { res } = await run({ authorization: 'Bearer vk_nope.nope' }); expect(res.statusCode).toBe(401);
  });
  it('agent without space scope → 403 no_space_scope', async () => {
    const { res } = await run({ authorization: `Bearer ${unscopedToken}` });
    expect(res.statusCode).toBe(403); expect(res.body.error.code).toBe('no_space_scope');
  });
  it('valid scoped agent → next() + req.mcpAgent', async () => {
    const { req, next } = await run({ authorization: `Bearer ${scopedToken}` });
    expect(next).toHaveBeenCalled(); expect(req.mcpAgent.scopes.space_id).toBeTruthy();
  });
  it('rate limit → 429 past the cap', async () => {
    _resetMcpRate(); process.env.MCP_RATE_LIMIT = '2';
    await run({ authorization: `Bearer ${scopedToken}` });
    await run({ authorization: `Bearer ${scopedToken}` });
    const { res } = await run({ authorization: `Bearer ${scopedToken}` });
    expect(res.statusCode).toBe(429);
    delete process.env.MCP_RATE_LIMIT;
  });
});