import pytest
from httpx import ASGITransport, AsyncClient

from gnexus_creds.models import ApiToken
from gnexus_creds.schemas import SecretCreate, SecretFieldIn
from gnexus_creds.services import Actor, create_secret


@pytest.mark.anyio
async def test_mcp_requires_mcp_scope(app, actor):
    """A token whose scopes are only ``["read"]`` gets 403 from an MCP tool route.

    The shared ``actor`` fixture is mutated in place before the request is
    sent; presumably the ``app`` fixture resolves the caller to this same
    object (confirm in conftest).
    """
    actor.channel = "rest"
    read_only_token = ApiToken(
        user_id=actor.user.id,
        public_id="pub",
        name="test",
        token_hash="hash",
        scopes=["read"],  # deliberately lacks "mcp"
    )
    actor.api_token = read_only_token

    # NOTE(review): the channel is "rest" and the "mcp" scope is missing at the
    # same time, so the 403 does not show which of the two was rejected. A
    # variant with channel="mcp" and scopes=["read"] would pin the scope check
    # on its own; confirm how the endpoint uses the channel.
    transport = ASGITransport(app=app)
    async with AsyncClient(transport=transport, base_url="http://test") as client:
        response = await client.post("/mcp/tools/search_secrets", json={"arguments": {}})

    assert response.status_code == 403


@pytest.mark.anyio
async def test_mcp_update_requires_secret_allow_mcp(app, db_session, actor):
    """Updating a secret created with ``allow_mcp=False`` over MCP yields 404.

    The caller's token carries the "mcp", "read" and "write" scopes and the
    channel is "mcp", so the per-secret ``allow_mcp`` flag is the only visible
    restriction left to block the update.
    """
    actor.channel = "mcp"
    actor.api_token = ApiToken(
        user_id=actor.user.id,
        public_id="mcp",
        name="mcp",
        token_hash="hash",
        scopes=["mcp", "read", "write"],
    )

    # The secret is created by the same user through the "ui" channel and
    # committed, so it exists before the MCP request is made.
    ui_actor = Actor(user=actor.user, channel="ui")
    ui_only_secret = SecretCreate(
        title="UI only",
        allow_mcp=False,
        fields=[SecretFieldIn(name="username", value="demo", encrypted=False)],
    )
    secret = create_secret(db_session, ui_actor, ui_only_secret)
    db_session.commit()

    update_request = {"arguments": {"secret_id": str(secret.id), "title": "Changed"}}
    transport = ASGITransport(app=app)
    async with AsyncClient(transport=transport, base_url="http://test") as client:
        response = await client.post("/mcp/tools/update_secret", json=update_request)

    # Presumably 404 rather than 403 so the MCP caller cannot tell that the
    # secret exists; confirm against the handler.
    # NOTE(review): only the status code is checked. Re-reading the stored
    # secret and asserting its title is still "UI only" would also catch a
    # handler that writes before it denies.
    assert response.status_code == 404
