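import { describe, it, expect, vi } from "vitest";

// Unit tests for partner-auth middleware logic
// Tests the auth extraction and validation behaviour without a live KBDB
//
// NOTE(review): extractBearerToken and resolveNamespace are defined in this
// file rather than imported, so these tests pin the copies below. Confirm they
// stay in sync with the middleware they are meant to describe.

/**
 * Pulls the credential out of an `Authorization` header value.
 *
 * The prefix match is case-sensitive and requires the trailing space, so
 * `bearer x`, `Basic x` and `Token x` are all rejected.
 *
 * NOTE(review): a header of exactly `"Bearer "` yields an empty string, not
 * null. In self-hosted mode (see resolveNamespace) an empty string would be
 * accepted as the org_namespace; confirm the caller rejects empty tokens.
 *
 * @param authHeader - raw header value, or undefined when the header is absent
 * @returns the text after `"Bearer "`, or null when the scheme does not match
 */
function extractBearerToken(authHeader: string | undefined): string | null {
  if (!authHeader?.startsWith("Bearer ")) return null;
  return authHeader.slice(7); // 7 === "Bearer ".length
}

describe("partner-auth: token extraction", () => {
  it("returns null when Authorization header is missing", () => {
    expect(extractBearerToken(undefined)).toBeNull();
  });

  it("returns null when header does not start with 'Bearer '", () => {
    expect(extractBearerToken("Basic abc123")).toBeNull();
    expect(extractBearerToken("bearer abc123")).toBeNull();
    expect(extractBearerToken("Token abc123")).toBeNull();
  });

  it("extracts token from valid Bearer header", () => {
    expect(extractBearerToken("Bearer my-secret-key")).toBe("my-secret-key");
  });

  it("handles token with special characters", () => {
    expect(extractBearerToken("Bearer abc.def_ghi-123")).toBe("abc.def_ghi-123");
  });
});

// NOTE(review): both cases below assert on object literals built inside the
// test itself; no function is exercised, so they only document the expected
// response shape ({ valid, org_namespace }).
describe("partner-auth: KBDB response validation", () => {
  it("rejects when valid is false", () => {
    const info = { valid: false, org_namespace: "org-a" };
    expect(info.valid).toBe(false);
  });

  it("accepts when valid is true and extracts org_namespace", () => {
    const info = { valid: true, org_namespace: "org-a" };
    expect(info.valid).toBe(true);
    expect(info.org_namespace).toBe("org-a");
  });
});

// HANDOFF §3b / mcp-account-source.md §5.5: in self-hosted mode
// (MULTI_TENANT=false) the Bearer value is the namespace in plaintext; KBDB
// partner validation is not called and the value is used directly as
// org_namespace.
// This aligns with cypher-executor's opaque-key model (X-Arcrun-API-Key is
// used as the partition key without validation).

/**
 * Maps a Bearer token to an org namespace according to the deployment mode.
 *
 * Only the exact string `"false"` selects the self-hosted branch; undefined
 * and every other value go through `validatePartner`.
 *
 * In the self-hosted branch the token is returned as the namespace with no
 * check of any kind, so there the Bearer value selects a partition rather than
 * proving who the caller is.
 * NOTE(review): separation between namespaces in that mode has to be enforced
 * somewhere outside this function; confirm operators are told so.
 *
 * @param multiTenant - value of the MULTI_TENANT setting, undefined when unset
 * @param token - token taken from the Authorization header
 * @param validatePartner - partner-key lookup, called only outside self-hosted mode
 * @returns `{ ok: true, org_namespace }` on success, `{ ok: false }` when the
 *          partner key is rejected
 */
function resolveNamespace(
  multiTenant: string | undefined,
  token: string,
  validatePartner: (t: string) => { valid: boolean; org_namespace: string },
): { ok: boolean; org_namespace?: string } {
  if (multiTenant === "false") {
    // self-hosted: the plaintext Bearer value is the namespace; partner validation is bypassed
    return { ok: true, org_namespace: token };
  }
  // SaaS: keep partner-key validation (behaviour unchanged)
  const info = validatePartner(token);
  return info.valid ? { ok: true, org_namespace: info.org_namespace } : { ok: false };
}

describe("partner-auth: self-hosted (MULTI_TENANT=false) bypasses partner validation", () => {
  // A fresh spy per test keeps call counts independent of test order.
  const makeRejectingValidator = () => vi.fn(() => ({ valid: false, org_namespace: "" }));

  it("self-hosted: namespace 明碼直接當 org_namespace,不打 partner 驗證", () => {
    const validator = makeRejectingValidator();
    const r = resolveNamespace("false", "leo", validator);
    expect(r.ok).toBe(true);
    expect(r.org_namespace).toBe("leo");
    // The title promises the validator is not consulted; assert it directly
    // instead of inferring it from the result.
    expect(validator).not.toHaveBeenCalled();
  });

  it("SaaS (未設 MULTI_TENANT):仍走 partner 驗證,明碼被擋", () => {
    const validator = makeRejectingValidator();
    const r = resolveNamespace(undefined, "leo", validator);
    expect(r.ok).toBe(false);
    // A rejected key must not carry a namespace back to the caller.
    expect(r.org_namespace).toBeUndefined();
    expect(validator).toHaveBeenCalledWith("leo");
  });

  it("SaaS:合法 partner key 通過並取 org_namespace", () => {
    const r = resolveNamespace("true", "pk_live_x", () => ({ valid: true, org_namespace: "org-a" }));
    expect(r.ok).toBe(true);
    expect(r.org_namespace).toBe("org-a");
  });

  // Pins the strict `=== "false"` comparison in resolveNamespace above, so a
  // later switch to loose flag parsing cannot silently widen the bypass.
  // NOTE(review): confirm the middleware reads the flag the same way.
  it("only the exact string 'false' selects self-hosted mode", () => {
    for (const flag of ["FALSE", "False", "0", "", "no"]) {
      const validator = makeRejectingValidator();
      const r = resolveNamespace(flag, "leo", validator);
      expect(r.ok).toBe(false);
      expect(validator).toHaveBeenCalledWith("leo");
    }
  });
});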