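# [DEF:backend.tests.api.routes.test_clean_release_source_policy:Module]
# @TIER: STANDARD
# @SEMANTICS: tests, api, clean-release, source-policy
# @PURPOSE: Validate API behavior for source isolation violations in clean release preparation.
# @LAYER: Domain
# @RELATION: TESTS -> backend.src.api.routes.clean_release
# @INVARIANT: External endpoints must produce blocking violation entries.

from datetime import datetime, timezone

from fastapi.testclient import TestClient

from src.app import app
from src.dependencies import get_clean_release_repository
from src.models.clean_release import (
    CleanProfilePolicy,
    ProfileType,
    ReleaseCandidate,
    ReleaseCandidateStatus,
    ResourceSourceEntry,
    ResourceSourceRegistry,
)
from src.services.clean_release.repository import CleanReleaseRepository


def _repo_with_seed_data() -> CleanReleaseRepository:
    """Return a fresh repository seeded for the source-policy scenario.

    The seed consists of three records that reference each other by id:

    * a DRAFT release candidate ``2026.03.03-rc1`` on the ENTERPRISE_CLEAN
      profile,
    * an active source registry ``registry-internal-v1`` whose only entry is
      the enabled HTTPS host ``repo.intra.company.local``,
    * an active ENTERPRISE_CLEAN policy with ``external_source_forbidden=True``
      that points at that registry via ``internal_source_registry_ref``.

    Returns:
        The populated ``CleanReleaseRepository`` instance.
    """
    repo = CleanReleaseRepository()

    repo.save_candidate(
        ReleaseCandidate(
            candidate_id="2026.03.03-rc1",
            version="2026.03.03",
            profile=ProfileType.ENTERPRISE_CLEAN,
            created_at=datetime.now(timezone.utc),
            created_by="tester",
            source_snapshot_ref="git:abc123",
            status=ReleaseCandidateStatus.DRAFT,
        )
    )

    # The registry is the allow-list side of the policy: a single internal host.
    repo.save_registry(
        ResourceSourceRegistry(
            registry_id="registry-internal-v1",
            name="Internal",
            entries=[
                ResourceSourceEntry(
                    source_id="src-1",
                    host="repo.intra.company.local",
                    protocol="https",
                    purpose="artifact-repo",
                    enabled=True,
                )
            ],
            updated_at=datetime.now(timezone.utc),
            updated_by="tester",
            status="active",
        )
    )

    # The policy forbids external sources and names the registry above as the
    # reference for what counts as internal.
    repo.save_policy(
        CleanProfilePolicy(
            policy_id="policy-enterprise-clean-v1",
            policy_version="1.0.0",
            active=True,
            prohibited_artifact_categories=["test-data"],
            required_system_categories=["system-init"],
            external_source_forbidden=True,
            internal_source_registry_ref="registry-internal-v1",
            effective_from=datetime.now(timezone.utc),
            profile=ProfileType.ENTERPRISE_CLEAN,
        )
    )

    return repo


def test_prepare_candidate_blocks_external_source():
    """A prepare request listing an unregistered host must come back blocked.

    The request names two sources: the registered internal host and
    ``pypi.org``, which is absent from the seeded registry. The endpoint is
    expected to answer HTTP 200 with ``status == "blocked"`` and at least one
    violation whose ``category`` is ``"external-source"``.
    """
    repo = _repo_with_seed_data()
    app.dependency_overrides[get_clean_release_repository] = lambda: repo
    try:
        client = TestClient(app)
        response = client.post(
            "/api/clean-release/candidates/prepare",
            json={
                "candidate_id": "2026.03.03-rc1",
                "artifacts": [
                    {"path": "cfg/system.yaml", "category": "system-init", "reason": "required"}
                ],
                "sources": ["repo.intra.company.local", "pypi.org"],
                "operator_id": "release-manager",
            },
        )

        assert response.status_code == 200
        data = response.json()
        assert data["status"] == "blocked"
        # NOTE(review): this only proves that some external-source violation
        # exists. It does not pin the violation to pypi.org, nor check that the
        # registered internal host was left unflagged. The violation schema is
        # not visible from this file; tighten once its field names are confirmed.
        assert any(v["category"] == "external-source" for v in data["violations"])
    finally:
        # Remove only the override this test installed. Clearing the whole
        # mapping would also drop overrides registered elsewhere in the suite,
        # letting later tests run against real dependencies unnoticed.
        app.dependency_overrides.pop(get_clean_release_repository, None)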