import XCTest
@testable import Ten31Transcripts

/// Regression tests for the gate in front of the opt-in TLS trust override.
///
/// The override is meant to apply only to the configured backend host, so these
/// tests pin `allowsTrustOverride(for:)` to that scope: a regression that widens
/// it back to "trust any server" should fail here. Each test builds only a
/// `URLProtectionSpace`; no network connection or `SecTrust` object is involved.
///
/// NOTE(review): the only rejected host exercised is an unrelated name. Near-miss
/// values (a host that merely starts or ends with the allowed one, a case variant,
/// an empty string) are not covered here — worth adding once the intended matching
/// rule is confirmed against `InsecureTrustDelegate`.
final class InsecureTrustDelegateTests: XCTestCase {

    /// Builds an HTTPS protection space for `host` with the given authentication method.
    ///
    /// The port is fixed; none of the tests below vary it, so they say nothing about
    /// whether the port takes part in the gate's decision.
    private func makeProtectionSpace(
        host: String,
        method: String = NSURLAuthenticationMethodServerTrust
    ) -> URLProtectionSpace {
        return URLProtectionSpace(
            host: host,
            port: 62419,
            protocol: "https",
            realm: nil,
            authenticationMethod: method
        )
    }

    /// A server-trust challenge from the allowed host passes the gate.
    func testFiresForMatchingHost() {
        let delegate = InsecureTrustDelegate(allowedHost: "192.0.2.1")
        let challengeSpace = makeProtectionSpace(host: "192.0.2.1")

        XCTAssertTrue(delegate.allowsTrustOverride(for: challengeSpace))
    }

    /// A server-trust challenge from any other host is refused.
    func testRejectsMismatchedHost() {
        let delegate = InsecureTrustDelegate(allowedHost: "192.0.2.1")
        let challengeSpace = makeProtectionSpace(host: "evil.example.com")

        XCTAssertFalse(delegate.allowsTrustOverride(for: challengeSpace))
    }

    /// With no allowed host configured the override stays off for every host.
    func testNilAllowedHostNeverFires() {
        let delegate = InsecureTrustDelegate(allowedHost: nil)
        let challengeSpace = makeProtectionSpace(host: "192.0.2.1")

        XCTAssertFalse(delegate.allowsTrustOverride(for: challengeSpace))
    }

    /// The host matches, but the challenge is not a server-trust one (HTTP Basic
    /// here), so the gate must not open.
    func testOnlyServerTrustMethodFires() {
        let delegate = InsecureTrustDelegate(allowedHost: "192.0.2.1")
        let challengeSpace = makeProtectionSpace(
            host: "192.0.2.1",
            method: NSURLAuthenticationMethodHTTPBasic
        )

        XCTAssertFalse(delegate.allowsTrustOverride(for: challengeSpace))
    }
}