// workflow-scanner.test.mjs — E11 integration tests against fixtures
// in tests/fixtures/workflows/.{github,forgejo}/workflows/.

import { describe, it, before } from 'node:test';
import assert from 'node:assert/strict';
import { resolve } from 'node:path';
import { resetCounter } from '../../scanners/lib/output.mjs';

const { scan, discoverWorkflows } = await import('../../scanners/workflow-scanner.mjs');

const FIXTURE_DIR = resolve(import.meta.dirname, '../fixtures/workflows');

function findingsByFile(findings, fileSubstr) {
  return findings.filter(f => (f.file || '').includes(fileSubstr));
}

describe('workflow-scanner — discoverWorkflows', () => {
  it('finds .yml files in .github/workflows/ and .forgejo/workflows/', async () => {
    const files = await discoverWorkflows(FIXTURE_DIR);
    const githubCount = files.filter(f => f.includes('/.github/workflows/')).length;
    const forgejoCount = files.filter(f => f.includes('/.forgejo/workflows/')).length;
    assert.ok(githubCount >= 5, `expected ≥5 GitHub fixtures, got ${githubCount}`);
    assert.ok(forgejoCount >= 2, `expected ≥2 Forgejo fixtures, got ${forgejoCount}`);
  });

  it('returns empty array for path with no workflow dirs', async () => {
    const files = await discoverWorkflows('/tmp');
    assert.deepEqual(files, []);
  });
});

describe('workflow-scanner — true-positive cases', () => {
  let result;
  before(async () => {
    resetCounter();
    result = await scan(FIXTURE_DIR);
  });

  it('flags github.head_ref under pull_request_target as HIGH', () => {
    const fs = findingsByFile(result.findings, 'tp-prtarget-head-ref.yml');
    assert.equal(fs.length, 1);
    assert.equal(fs[0].severity, 'high');
    assert.match(fs[0].evidence, /github\.head_ref/);
  });

  it('flags discussion.title under discussion as HIGH (gluestack CVE pattern)', () => {
    const fs = findingsByFile(result.findings, 'tp-discussion-title.yml');
    assert.equal(fs.length, 1);
    assert.equal(fs[0].severity, 'high');
    assert.match(fs[0].evidence, /discussion\.title/);
  });

  it('flags comment.body under pull_request as MEDIUM', () => {
    const fs = findingsByFile(result.findings, 'tp-pull-request-comment.yml');
    assert.equal(fs.length, 1);
    assert.equal(fs[0].severity, 'medium');
    assert.match(fs[0].evidence, /comment\.body/);
  });

  it('flags issue.body inside `run: |` block-scalar as HIGH', () => {
    const fs = findingsByFile(result.findings, 'tp-block-scalar-run.yml');
    assert.equal(fs.length, 1);
    assert.equal(fs[0].severity, 'high');
    assert.match(fs[0].evidence, /issue\.body/);
  });
});

describe('workflow-scanner — false-positive suppression', () => {
  let result;
  before(async () => {
    resetCounter();
    result = await scan(FIXTURE_DIR);
  });

  it('does NOT flag head_ref inside `if:` (sink mismatch)', () => {
    const fs = findingsByFile(result.findings, 'fp-if-context.yml');
    assert.equal(fs.length, 0, `expected no findings, got: ${JSON.stringify(fs)}`);
  });

  it('does NOT flag pull_request.title inside top-level `env:` mapping', () => {
    const fs = findingsByFile(result.findings, 'fp-env-block.yml');
    assert.equal(fs.length, 0);
  });
});

describe('workflow-scanner — INFO classification', () => {
  let result;
  before(async () => {
    resetCounter();
    result = await scan(FIXTURE_DIR);
  });

  it('reports github.event.pull_request.number as INFO (numeric/safe)', () => {
    const fs = findingsByFile(result.findings, 'fp-numeric-field.yml');
    assert.equal(fs.length, 1);
    assert.equal(fs[0].severity, 'info');
  });
});

describe('workflow-scanner — Forgejo platform', () => {
  let result;
  before(async () => {
    resetCounter();
    result = await scan(FIXTURE_DIR);
  });

  it('flags forgejo.head_ref under pull_request as MEDIUM', () => {
    const fs = findingsByFile(result.findings, 'forgejo-tp.yml');
    assert.equal(fs.length, 1);
    assert.equal(fs[0].severity, 'medium');
    assert.match(fs[0].file, /\.forgejo\/workflows\//);
    assert.match(fs[0].recommendation, /Forgejo/);
  });

  it('treats workflow_run as privileged on Forgejo (HIGH severity preserved)', () => {
    const fs = findingsByFile(result.findings, 'forgejo-workflow-run.yml');
    assert.equal(fs.length, 1);
    assert.equal(fs[0].severity, 'high');
  });
});

describe('workflow-scanner — output envelope', () => {
  it('returns scannerResult with status=ok and counts', async () => {
    resetCounter();
    const r = await scan(FIXTURE_DIR);
    assert.equal(r.status, 'ok');
    assert.equal(r.scanner, 'workflow');
    assert.ok(r.files_scanned >= 7);
    assert.ok(typeof r.duration_ms === 'number');
    assert.ok(r.counts.high + r.counts.medium + r.counts.info >= 7);
  });

  it('emits findings with WFL scanner prefix in id', async () => {
    resetCounter();
    const r = await scan(FIXTURE_DIR);
    for (const f of r.findings) {
      assert.match(f.id, /^DS-WFL-\d{3}$/);
      assert.equal(f.scanner, 'WFL');
    }
  });

  it('returns ok with no findings on empty target', async () => {
    resetCounter();
    const r = await scan('/tmp');
    assert.equal(r.status, 'ok');
    assert.equal(r.findings.length, 0);
  });
});