package stacks

import (
	"os"
	"path/filepath"
	"testing"
)

// TestDataKeyParsing checks that a `data_key: true` annotation in a stack's .felhom.yml
// survives parsing and is reported by Metadata.DataKeyEnvVars(). This is the capture-side
// half of the Phase 2b fail-closed mechanism; the fail-closed gate itself is unit-tested
// in internal/backup (reconcileRestoreSecrets).
func TestDataKeyParsing(t *testing.T) {
	// Fixture mirrors adventurelog/.felhom.yml. SECRET_KEY is a data-encrypting key and
	// carries data_key: true; DB_PASSWORD is a resettable secret and does not.
	const manifest = `display_name: AdventureLog
deploy_fields:
  - env_var: SECRET_KEY
    label: "Titkosítási kulcs"
    type: secret
    data_key: true
  - env_var: DB_PASSWORD
    label: "Adatbázis jelszó"
    type: secret
`

	stackDir := t.TempDir()
	manifestPath := filepath.Join(stackDir, ".felhom.yml")
	if err := os.WriteFile(manifestPath, []byte(manifest), 0644); err != nil {
		t.Fatal(err)
	}

	meta := LoadMetadata(stackDir)

	// Exactly one data key is expected. A secret without the annotation must not be
	// reported as a data key, and the annotated one must not be dropped.
	dataKeys := meta.DataKeyEnvVars()
	if !(len(dataKeys) == 1 && dataKeys[0] == "SECRET_KEY") {
		t.Fatalf("DataKeyEnvVars() = %v, want [SECRET_KEY]", dataKeys)
	}

	// Both secrets are sensitive (stripped from the unit); only SECRET_KEY is a data_key
	// (fail-closed).
	// NOTE(review): the failure message names both variables, but only the count is
	// asserted. A result holding two entries that omits DB_PASSWORD would still pass, so
	// an unstripped secret could go unnoticed. Consider asserting membership as well,
	// after confirming the return type of SensitiveEnvVars.
	sensitive := SensitiveEnvVars(&meta)
	if len(sensitive) != 2 {
		t.Errorf("SensitiveEnvVars() = %v, want both SECRET_KEY and DB_PASSWORD", sensitive)
	}
}