#!/usr/bin/env python3
"""
Verification script for ci_validate_repo.py secret scanning.
"""

import sys
import shutil
import subprocess
from pathlib import Path

REPO_ROOT = Path(__file__).resolve().parents[1]
CI_SCRIPT = REPO_ROOT / "scripts" / "ci_validate_repo.py"

def run_check():
    """Runs the validation script and returns returncode."""
    result = subprocess.run(
        [sys.executable, str(CI_SCRIPT)],
        cwd=REPO_ROOT,
        capture_output=True,
        text=True
    )
    return result.returncode, result.stdout, result.stderr

def test_secret_in_tracked_file():
    print("Testing secret in tracked file (should FAIL)...")
    test_file = REPO_ROOT / "scripts" / "temp_secret.py"
    # Create file with a pattern that ci_validate_repo.py detects
    # ghp_ is the prefix, then 36 chars
    # We construct it dynamically so the script itself isn't flagged
    secret = "ghp_" + "1" * 36
    test_file.write_text(f'SECRET_TOKEN = "{secret}"')

    try:
        code, out, err = run_check()
        if code != 0:
            print("PASS: Script correctly failed.")
        else:
            print("FAIL: Script passed but should have failed.")
            print("Output:", out)
            print("Error:", err)
            sys.exit(1)
    finally:
        if test_file.exists():
            test_file.unlink()

def test_secret_in_excluded_dir():
    print("Testing secret in excluded dir (should PASS)...")
    # Make sure we use a directory name that is in the excluded list of ci_validate_repo.py
    # "node_modules" is a safe bet
    excluded_root = REPO_ROOT / "node_modules"

    created_root = False
    if not excluded_root.exists():
        excluded_root.mkdir()
        created_root = True

    test_dir = excluded_root / "test_pkg"
    test_dir.mkdir(exist_ok=True)

    test_file = test_dir / "index.js"
    # Create file with a pattern that ci_validate_repo.py detects
    secret = "ghp_" + "1" * 36
    test_file.write_text(f'const token = "{secret}";')

    try:
        code, out, err = run_check()
        if code == 0:
            print("PASS: Script correctly ignored excluded directory.")
        else:
            print("FAIL: Script failed but should have passed.")
            print("Output:", out)
            print("Error:", err)
            sys.exit(1)
    finally:
        if test_file.exists():
            test_file.unlink()
        if test_dir.exists():
            test_dir.rmdir()
        if created_root and excluded_root.exists():
            excluded_root.rmdir()

if __name__ == "__main__":
    print("Running verification tests...")

    test_secret_in_tracked_file()
    test_secret_in_excluded_dir()

    print("All verification tests passed!")