from __future__ import annotations

from fastapi import FastAPI
from fastapi.testclient import TestClient

from src.api.v1.agents import router


def test_runtime_surface_inventory_endpoint_returns_committed_snapshot():
    app = FastAPI()
    app.include_router(router, prefix="/api/v1")
    client = TestClient(app)

    response = client.get("/api/v1/agents/runtime-surface-inventory")

    assert response.status_code == 200
    data = response.json()
    assert data["schema_version"] == "runtime_surface_inventory_v1"
    assert "192.168.0." not in response.text
    assert data["program_status"]["overall_completion_percent"] == 100
    assert data["program_status"]["read_only_mode"] is True
    assert data["program_status"]["current_task_id"] == "P1-001"
    assert data["program_status"]["next_task_id"] == "P1-002"
    assert data["rollups"]["total_surfaces"] == len(data["runtime_surfaces"]) == 22
    assert data["rollups"]["by_kind"]["deployment"] == 4
    assert data["rollups"]["by_kind"]["service"] == 2
    assert data["rollups"]["by_kind"]["ingress"] == 1
    assert data["rollups"]["by_kind"]["cronjob"] == 4
    assert data["rollups"]["by_kind"]["secret"] == 4
    assert data["rollups"]["by_status"]["action_required"] == 6
    assert data["rollups"]["secret_surface_ids"] == [
        "awoooi_secrets",
        "awoooi_repair_ssh_key_secret",
        "awoooi_repair_known_hosts_secret",
        "ssh_mcp_key_secret",
    ]
    assert data["operation_boundaries"]["read_only_api_allowed"] is True
    assert data["operation_boundaries"]["live_k8s_query_allowed"] is False
    assert data["operation_boundaries"]["kubectl_allowed"] is False
    assert data["operation_boundaries"]["secret_plaintext_allowed"] is False
    assert data["operation_boundaries"]["production_route_change_allowed"] is False
    assert data["approval_boundaries"]["runtime_execution_authorized"] is False
    assert any(surface["surface_id"] == "awoooi_api_deployment" for surface in data["runtime_surfaces"])
    assert any(
        surface["surface_id"] == "external_nginx_gateway_route" and surface["status"] == "action_required"
        for surface in data["runtime_surfaces"]
    )
    assert any(
        surface["surface_id"] == "hpa_vpa_autoscaler_contract" and surface["live_check_status"] == "required"
        for surface in data["runtime_surfaces"]
    )
    assert "Secret 已驗證或可讀取" in data["operator_contract"]["must_not_interpret_as"]