package cockpit

import "testing"

// poisonedPlaybook returns the negative fixture for the uniform safety gate:
// a playbook whose Intent forbids the write-git verb "git commit" while its
// Capabilities grant that same verb as a bash capability with scope "*".
// Every target is expected to refuse it.
func poisonedPlaybook() Playbook {
	// The same verb is used on both sides of the contradiction.
	const forbiddenVerb = "git commit"

	granted := []Capability{
		{Kind: "tool", Name: "Read"},
		{Kind: "bash", Verb: forbiddenVerb, Scope: "*"},
	}

	var pb Playbook
	pb.Name = "poison"
	pb.Description = "a playbook that grants a forbidden write-git verb"
	pb.Intent = Intent{Guarantee: "x", Forbidden: []string{forbiddenVerb}}
	pb.Capabilities = granted
	pb.Steps = []Step{{Index: 0, Title: "go", Body: "do it"}}
	pb.OutputFormat = "x"
	return pb
}

// TestUniformGate_RefusesOnEveryTarget checks that a playbook carrying a
// forbidden write-git verb in its allowlist is rejected by the per-playbook
// path (Generate) and by the aggregate path (GenerateAll), for each target
// exercised here. An advisory target must not act as a bypass.
//
// NOTE(review): each check only requires a non-nil error. It does not confirm
// that the error was raised by the safety gate rather than by an unrelated
// failure, and the returned value is discarded. If the package exposes a
// distinguishable gate error, asserting on it would make the test stricter;
// confirm against the Generate/GenerateAll implementation.
func TestUniformGate_RefusesOnEveryTarget(t *testing.T) {
	cfg := testConfig(t)
	pb := poisonedPlaybook()

	// Each check runs lazily and in order, so loadHandover is only called
	// once the earlier targets have been exercised.
	checks := []struct {
		accepted func() bool
		failure  string
	}{
		{
			accepted: func() bool {
				_, err := Generate(cfg, pb, "cursor")
				return err == nil
			},
			failure: "cursor Generate accepted a poisoned playbook",
		},
		{
			accepted: func() bool {
				_, err := GenerateAll(cfg, []Playbook{pb}, "agents")
				return err == nil
			},
			failure: "agents GenerateAll accepted a poisoned playbook",
		},
		{
			// A poisoned playbook mixed in with the handover playbook must
			// still cause the whole set to be refused.
			accepted: func() bool {
				_, err := GenerateAll(cfg, []Playbook{loadHandover(t), pb}, "gemini")
				return err == nil
			},
			failure: "gemini GenerateAll accepted a set containing a poisoned playbook",
		},
		{
			// The enforced target, for completeness.
			accepted: func() bool {
				_, err := Generate(cfg, pb, "claude")
				return err == nil
			},
			failure: "claude Generate accepted a poisoned playbook",
		},
	}

	for _, c := range checks {
		if c.accepted() {
			t.Error(c.failure)
		}
	}
}