defmodule Mv.Authorization.Checks.NoActorTest do
  @moduledoc """
  Tests for the NoActor Ash Policy Check.

  This check allows actions without an actor ONLY in test environment.
  In production/dev, all operations without an actor are denied.
  """
  use ExUnit.Case, async: true

  alias Mv.Authorization.Checks.NoActor

  describe "match?/3" do
    test "returns true when actor is nil in test environment" do
      # In test environment (config :allow_no_actor_bypass = true), NoActor allows operations
      result = NoActor.match?(nil, %{}, [])
      assert result == true
    end

    test "returns false when actor is present" do
      actor = %{id: "user-123"}
      result = NoActor.match?(actor, %{}, [])
      assert result == false
    end

    test "uses compile-time config (not runtime Mix.env)" do
      # The @allow_no_actor_bypass is set via Application.compile_env at compile time
      # In test.exs: config :mv, :allow_no_actor_bypass, true
      # In prod/dev: not set (defaults to false)
      # This ensures the check is release-safe (no runtime Mix.env dependency)
      result = NoActor.match?(nil, %{}, [])

      # In test environment (as compiled), should allow
      assert result == true

      # Note: We cannot test "production mode" here because the flag is compile-time.
      # Production safety is guaranteed by:
      # 1. Config only set in test.exs
      # 2. Default is false (fail-closed)
      # 3. No runtime environment checks
    end
  end

  describe "describe/1" do
    test "returns description based on compile-time config" do
      description = NoActor.describe([])
      assert is_binary(description)

      # In test environment (compiled with :allow_no_actor_bypass = true)
      assert description =~ "test environment"
    end
  end
end