package config

import (
	"os"
	"path/filepath"
	"strings"
	"testing"
)

func TestRedactedMasksSecret(t *testing.T) {
	c := Default()
	c.Proxmox.Token = "felhom-agent@pve!agent=b6547d9d-08ec-4f22-beb8-a551dc2cd69d"
	got := c.Redacted().Proxmox.Token
	if strings.Contains(got, "b6547d9d") {
		t.Fatalf("secret leaked in redacted token: %q", got)
	}
	if !strings.HasPrefix(got, "felhom-agent@pve!agent=") {
		t.Errorf("redacted token lost its public prefix: %q", got)
	}
	// The original must be untouched (Redacted returns a copy).
	if !strings.Contains(c.Proxmox.Token, "b6547d9d") {
		t.Errorf("Redacted mutated the original config")
	}
}

func TestValidate(t *testing.T) {
	c := Default()
	c.Proxmox.Node = "demo-felhom"
	c.Proxmox.Token = "felhom-agent@pve!agent=secret"
	if err := c.Validate(); err != nil {
		t.Fatalf("valid config rejected: %v", err)
	}
	c.Proxmox.Token = "no-bang-no-eq"
	if err := c.Validate(); err == nil {
		t.Errorf("malformed token accepted")
	}
}

func TestLoadFileThenEnvOverride(t *testing.T) {
	dir := t.TempDir()
	path := filepath.Join(dir, "agent.json")
	if err := os.WriteFile(path, []byte(`{"proxmox":{"node":"file-node","token":"u@pve!t=filesecret"}}`), 0o600); err != nil {
		t.Fatal(err)
	}
	t.Setenv("FELHOM_AGENT_PROXMOX_NODE", "env-node")
	cfg, err := Load(path)
	if err != nil {
		t.Fatalf("Load: %v", err)
	}
	if cfg.Proxmox.Node != "env-node" {
		t.Errorf("env did not override node: %q", cfg.Proxmox.Node)
	}
	if cfg.Proxmox.Token != "u@pve!t=filesecret" {
		t.Errorf("token from file lost: %q", cfg.Proxmox.Token)
	}
	if cfg.Proxmox.Endpoint != "https://127.0.0.1:8006" {
		t.Errorf("default endpoint lost: %q", cfg.Proxmox.Endpoint)
	}
}