import { describe, expect, it } from 'vitest';

import { AGENTS_ACCOUNT_DATA_TYPE, AgentTokenStore } from '../agent-store.js';
import type { AppserviceIntent } from '../intent.js';

/** Fake intent: in-memory account_data, no-op user provisioning. Only the
 * surface AgentTokenStore touches is implemented. */
const makeFakeIntent = () => {
  const store: Record<string, Record<string, unknown>> = {};
  const fake = {
    domain: 'hs.example',
    getSenderAccountData: async (type: string): Promise<Record<string, unknown> | null> =>
      store[type] ?? null,
    setSenderAccountData: async (type: string, content: Record<string, unknown>): Promise<void> => {
      store[type] = structuredClone(content);
    },
    ensureRegistered: async (agent: string): Promise<string> => `@agent-${agent}:hs.example`,
    setDisplayName: async (): Promise<void> => {},
  };
  return { intent: fake as unknown as AppserviceIntent, store };
};

describe('AgentTokenStore', () => {
  it('mints a magt_ token and stores only its sha256 (never plaintext)', async () => {
    const { intent, store } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    const { agentUserId, token } = await s.register({ alias: 'pi0', host: 'web1' });

    expect(agentUserId).toBe('@agent-pi0-web1:hs.example');
    expect(token.startsWith('magt_')).toBe(true);

    const raw = JSON.stringify(store[AGENTS_ACCOUNT_DATA_TYPE]);
    expect(raw).not.toContain(token);
    // The stored hash is sha256hex(token), 64 hex chars.
    const { createHash } = await import('node:crypto');
    const hash = createHash('sha256').update(token).digest('hex');
    expect(raw).toContain(hash);
  });

  it('verifyToken returns the agentUserId for a fresh token, null otherwise', async () => {
    const { intent } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    const { agentUserId, token } = await s.register({ alias: 'pi0', host: 'web1' });

    expect(await s.verifyToken(token)).toBe(agentUserId);
    expect(await s.verifyToken('magt_garbage')).toBeNull();
    expect(await s.verifyToken('not-a-token')).toBeNull();
    expect(await s.verifyToken('')).toBeNull();
  });

  it('revoke invalidates tokens, returns count, and hides agent from list', async () => {
    const { intent } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    const { agentUserId, token } = await s.register({ alias: 'pi0', host: 'web1' });

    expect((await s.list()).map((a) => a.agent_user_id)).toContain(agentUserId);

    const count = await s.revoke(agentUserId);
    expect(count).toBe(1);
    expect(await s.verifyToken(token)).toBeNull();
    expect((await s.list()).map((a) => a.agent_user_id)).not.toContain(agentUserId);

    // Idempotent on unknown / already-revoked.
    expect(await s.revoke(agentUserId)).toBe(0);
    expect(await s.revoke('@agent-nope:hs.example')).toBe(0);
  });

  it('re-register after revoke yields a working token and the agent reappears', async () => {
    const { intent } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    const { agentUserId, token: t1 } = await s.register({ alias: 'pi0', host: 'web1' });
    await s.revoke(agentUserId);

    const { token: t2 } = await s.register({ alias: 'pi0', host: 'web1' });
    expect(await s.verifyToken(t1)).toBeNull();
    expect(await s.verifyToken(t2)).toBe(agentUserId);
    expect((await s.list()).map((a) => a.agent_user_id)).toContain(agentUserId);
  });

  it('agent A token never verifies as agent B', async () => {
    const { intent } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    const a = await s.register({ alias: 'pi0', host: 'web1' });
    const b = await s.register({ alias: 'pi1', host: 'web2' });

    expect(await s.verifyToken(a.token)).toBe(a.agentUserId);
    expect(await s.verifyToken(b.token)).toBe(b.agentUserId);
    expect(a.agentUserId).not.toBe(b.agentUserId);
  });

  it('rejects an ambiguous re-registration that collides on one Matrix id', async () => {
    const { intent } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    // alias="a-b",host="c" and alias="a",host="b-c" both -> @agent-a-b-c.
    const first = await s.register({ alias: 'a-b', host: 'c' });
    expect(first.agentUserId).toBe('@agent-a-b-c:hs.example');

    await expect(s.register({ alias: 'a', host: 'b-c' })).rejects.toThrow(/collision/);

    // The original registration is untouched: still one active token, correct pair.
    expect(await s.verifyToken(first.token)).toBe(first.agentUserId);
    const summary = (await s.list()).find((x) => x.agent_user_id === first.agentUserId);
    expect(summary?.alias).toBe('a-b');
    expect(summary?.host).toBe('c');
    expect(summary?.active_token_count).toBe(1);
  });

  it('display_name is stored and surfaced in list', async () => {
    const { intent } = makeFakeIntent();
    const s = new AgentTokenStore(intent);
    await s.register({ alias: 'pi0', host: 'web1', displayName: 'Pi Zero' });
    const summary = (await s.list())[0];
    expect(summary?.display_name).toBe('Pi Zero');
    expect(summary?.active_token_count).toBe(1);
  });
});