#!/usr/bin/env bash
TEST_CATEGORY=core

# The first positional argument is the log level. When it is absent or empty
# the level defaults to 1; otherwise it is consumed so that "$@" holds only
# the remaining arguments.
level=$1
if [ -n "$level" ]; then
  shift
else
  level=1
fi
echo "starting: ${BASH_SOURCE[@]##*/} <LOG_LEVEL=$level>"

# Both names contain no slash, so bash resolves them through $PATH (falling
# back to the current directory). Presumably these files provide log.level,
# test.case, expect.* and test.suite.save.results used below — confirm.
source this
source test.suite

log.level $level

# Assert the github.com / developking source-of-truth invariants on
# $HOME/.ssh/. Run inside any platform.test container or on any post-install
# user shell:
#
#   cd ~/oosh && ./test.suite run ssh.config.invariant 1
#
# What we assert:
#   (1) ~/.ssh/config contains a `Host github.com` block whose IdentityFile
#       is ~/.ssh/ids/ssh.developking/id_rsa (single source of truth).
#   (2) ~/.ssh/config contains NO `Host 2cuGitHub` block (legacy alias gone).
#   (3) ~/.ssh/2cuGitHub standalone deploy-key file does NOT exist (the
#       same key material lives only at ids/ssh.developking/id_rsa).
#   (4) ~/.ssh/ids/ssh.developking/id_rsa exists and is mode 600.

sshDir="$HOME/.ssh"
cfg="$sshDir/config"

# Every later check reads "$cfg", so a missing file ends the run here.
test.case $level "ssh.config.invariant: $USER has ~/.ssh/config" test -f "$cfg"
if [ -f "$cfg" ]; then
  expect.pass "$cfg present"
else
  expect.fail "$cfg missing"
  test.suite.save.results
  # `return` succeeds only when this file is being sourced; when it is run as
  # a script the `exit` takes over. Either way the status is 0, so the failure
  # is visible only through what expect.fail / test.suite.save.results record.
  return 0 2>/dev/null || exit 0
fi

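# ssh_config(5) keywords are case-insensitive, may be indented, may use "="
# instead of whitespace before their arguments, and a Host line may list
# several patterns. An anchored literal grep misses all of those forms. That
# matters most for the negative check in (2): a missed match there reports the
# legacy alias as gone while ssh would still honour the block.
# NOTE(review): only "$cfg" itself is read. Files pulled in through Include,
# and wildcard blocks such as `Host *` that also apply to github.com, are not
# inspected by these checks.

# Does any Host line in file $1 list $2 as one of its patterns?
# Returns: 0 = yes, 1 = no, 2 = file not readable (callers must not treat
# that as "no").
_sci_hostDeclared() {
  [ -r "$1" ] || return 2
  awk -v want="$2" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      sub(/[ \t\r]+$/, "", line)
    }
    tolower(line) ~ /^host([ \t]|=)/ {
      sub(/^[Hh][Oo][Ss][Tt][ \t]*=?[ \t]*/, "", line)
      n = split(line, pats, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        gsub(/"/, "", pats[i])
        if (pats[i] == want) hit = 1
      }
    }
    END { exit(hit ? 0 : 1) }
  ' < "$1"
}

# Print the directives (trimmed, without comments or blank lines) of every
# Host block in file $1 that lists $2. A block ends at the next Host or Match
# keyword.
_sci_hostBlock() {
  [ -r "$1" ] || return 2
  awk -v want="$2" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      sub(/[ \t\r]+$/, "", line)
      key = tolower(line)
    }
    key ~ /^(host|match)([ \t]|=)/ {
      inBlock = 0
      if (key ~ /^host/) {
        sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line)
        n = split(line, pats, /[ \t]+/)
        for (i = 1; i <= n; i++) {
          gsub(/"/, "", pats[i])
          if (pats[i] == want) inBlock = 1
        }
      }
      next
    }
    inBlock && line != "" && line !~ /^#/ { print line }
  ' < "$1"
}

# (1) Host github.com block exists
test.case $level "ssh.config.invariant: Host github.com block present" true
if _sci_hostDeclared "$cfg" "github.com"; then
  expect.pass "Host github.com present"
else
  expect.fail "Host github.com missing from $cfg"
fi

# (1b) The github.com block uses IdentityFile ~/.ssh/ids/ssh.developking/id_rsa
# The value is compared as a whole, so a commented-out line or a longer path
# that merely starts with the expected one no longer passes. Any additional
# IdentityFile in the block fails the check, because ssh would offer that key
# too and the block would no longer have a single source of truth.
test.case $level "ssh.config.invariant: github.com IdentityFile is ids/ssh.developking/id_rsa" true
# The tilde is intentionally literal: it is compared with the text in the file.
expectedId='~/.ssh/ids/ssh.developking/id_rsa'
ghBlock=$(_sci_hostBlock "$cfg" "github.com")
idLines=$(printf '%s\n' "$ghBlock" | awk 'tolower($0) ~ /^identityfile([ \t]|=)/')
# First IdentityFile directive whose value is not the expected path, if any.
badId=$(printf '%s\n' "$idLines" | awk -v want="$expectedId" '
  $0 != "" {
    v = $0
    sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", v)
    gsub(/"/, "", v)
    if (v != want) { print; exit }
  }
')
if [ -n "$idLines" ] && [ -z "$badId" ]; then
  expect.pass "IdentityFile points to ids/ssh.developking/id_rsa"
else
  actual=$badId
  expect.fail "IdentityFile wrong — got: '${actual:-<missing>}'"
fi

# (2) No Host 2cuGitHub block
# The three-way status keeps this negative check from passing when the file
# could not be read at all.
test.case $level "ssh.config.invariant: no Host 2cuGitHub block" true
_sci_hostDeclared "$cfg" "2cuGitHub"
case $? in
  0) expect.fail "Host 2cuGitHub still present in $cfg — should have been removed" ;;
  1) expect.pass "Host 2cuGitHub absent" ;;
  *) expect.fail "could not read $cfg — cannot confirm Host 2cuGitHub is absent" ;;
esac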

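# (3) No standalone ~/.ssh/2cuGitHub file
# `-e` follows symlinks and is false for a dangling one, so `-L` is tested as
# well: a leftover link named 2cuGitHub is still an entry that should be gone.
test.case $level "ssh.config.invariant: no standalone ~/.ssh/2cuGitHub" true
if [ -e "$sshDir/2cuGitHub" ] || [ -L "$sshDir/2cuGitHub" ]; then
  expect.fail "$sshDir/2cuGitHub still present — should be removed (key lives at ids/ssh.developking/id_rsa)"
else
  expect.pass "$sshDir/2cuGitHub absent"
fi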

# (4) developking id_rsa exists, mode 600
# Only the permission bits are compared; ownership of the key file is not
# part of this check.
test.case $level "ssh.config.invariant: ids/ssh.developking/id_rsa exists + mode 600" true
dkKey="$sshDir/ids/ssh.developking/id_rsa"
if [ ! -f "$dkKey" ]; then
  expect.fail "$dkKey missing — osshLayout.role.developking did not run"
else
  # GNU stat takes -c '%a'; if that fails, fall back to the BSD/macOS form
  # -f '%Lp'. Both print the octal permission bits.
  km=$(stat -c '%a' "$dkKey" 2>/dev/null || stat -f '%Lp' "$dkKey" 2>/dev/null)
  case "$km" in
    600)
      expect.pass "developking key present with mode 600"
      ;;
    *)
      expect.fail "developking key present but mode is $km, expected 600"
      ;;
  esac
fi

test.suite.save.results
