import test from 'node:test';
import assert from 'node:assert/strict';
import { can } from '../src/services/policy.js';

// Policy tests for `can(action, resourceType, actor, request)`.
//
// Every actor below is the same user; what varies is which scopes are present
// on `policyContext` (tenant / business / staff) and whether the request's
// route params / query match those scopes.

/**
 * Build an actor for `can` carrying the given policy scopes.
 * @param {object} scopes - extra `policyContext` entries (tenant/business/staff)
 * @returns {{ uid: string, policyContext: object }}
 */
function actorWith(scopes) {
  return {
    uid: 'user-1',
    policyContext: {
      user: { userId: 'user-1' },
      ...scopes,
    },
  };
}

// Tenant-scoped MANAGER that also carries a business scope (a "client" actor).
// A factory rather than a shared constant so each `can` call gets a fresh object.
const clientActor = () =>
  actorWith({
    tenant: { tenantId: 'tenant-1', role: 'MANAGER' },
    business: { businessId: 'business-1' },
  });

// Request with no tenant/business in the route.
const emptyRequest = () => ({ params: {} });

test('orders.read requires client scope and matching tenant/business scope', async () => {
  const orderRequest = (tenantId) => ({
    params: { tenantId },
    query: { businessId: 'business-1' },
  });

  const allowed = await can('orders.read', 'order', clientActor(), orderRequest('tenant-1'));
  // Same actor, but the route's tenant differs from the actor's tenant scope.
  const denied = await can('orders.read', 'order', clientActor(), orderRequest('tenant-2'));

  assert.equal(allowed, true);
  assert.equal(denied, false);
  // NOTE(review): the test name promises business-scope matching as well, but
  // only a tenant mismatch is exercised here — a `query.businessId` mismatch,
  // and an actor lacking a business scope, are not covered by this test.
});

test('shifts.read requires staff scope', async () => {
  const staffActor = actorWith({
    tenant: { tenantId: 'tenant-1' },
    staff: { staffId: 'staff-1' },
  });
  // Business scope in place of staff scope — expected to be insufficient.
  const businessOnlyActor = actorWith({
    tenant: { tenantId: 'tenant-1' },
    business: { businessId: 'business-1' },
  });

  const allowed = await can('shifts.read', 'shift', staffActor, emptyRequest());
  const denied = await can('shifts.read', 'shift', businessOnlyActor, emptyRequest());

  assert.equal(allowed, true);
  assert.equal(denied, false);
});

test('attendance.read allows tenant-scoped actor', async () => {
  const tenantActor = actorWith({ tenant: { tenantId: 'tenant-1' } });

  const allowed = await can('attendance.read', 'attendance', tenantActor, {
    params: { tenantId: 'tenant-1' },
  });

  assert.equal(allowed, true);
  // NOTE(review): no denial case here — a mismatched `params.tenantId`, or an
  // actor without a tenant scope, is not exercised for attendance.read.
});