import pytest
from httpx import ASGITransport, AsyncClient

from gnexus_creds.models import ApiToken


@pytest.mark.anyio
async def test_mcp_requires_mcp_scope(app, actor):
    actor.channel = "rest"
    actor.api_token = ApiToken(
        user_id=actor.user.id,
        public_id="pub",
        name="test",
        token_hash="hash",
        scopes=["read"],
    )
    async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
        response = await client.post("/mcp/tools/search_secrets", json={"arguments": {}})
        assert response.status_code == 403