import test from "node:test";
import assert from "node:assert/strict";
import os from "node:os";
import path from "node:path";
import { mkdtemp, rm } from "node:fs/promises";
import { NextRequest } from "next/server";

let runtimeRoot = "";
let data: typeof import("../src/lib/boss-data");
let authCookie = "";
let postRemoteControl: (typeof import("../src/app/api/v1/devices/[deviceId]/codex-remote-control/route"))["POST"];
let baseState: Awaited<ReturnType<typeof import("../src/lib/boss-data")["readState"]>>;

async function setup() {
  if (runtimeRoot) return;
  runtimeRoot = await mkdtemp(path.join(os.tmpdir(), "boss-device-codex-remote-control-"));
  process.env.BOSS_RUNTIME_ROOT = runtimeRoot;
  process.env.BOSS_STATE_FILE = path.join(runtimeRoot, "boss-state.json");

  const [dataModule, authModule, routeModule] = await Promise.all([
    import("../src/lib/boss-data.ts"),
    import("../src/lib/boss-auth.ts"),
    import("../src/app/api/v1/devices/[deviceId]/codex-remote-control/route.ts"),
  ]);
  data = dataModule;
  authCookie = authModule.AUTH_SESSION_COOKIE;
  postRemoteControl = routeModule.POST;
  baseState = structuredClone(await data.readState());
}

test.beforeEach(async () => {
  await setup();
  await rm(runtimeRoot, { recursive: true, force: true });
  const state = structuredClone(baseState);
  const now = "2026-06-04T10:00:00+08:00";
  state.authAccounts = [
    {
      id: "account-owner",
      account: "owner@boss.test",
      passwordHash: "secret",
      displayName: "企业老板",
      role: "highest_admin",
      primaryDeviceId: "mac-1",
      createdAt: now,
      updatedAt: now,
    },
    {
      id: "account-operator",
      account: "operator@boss.test",
      passwordHash: "secret",
      displayName: "设备操作者",
      role: "member",
      primaryDeviceId: "mac-1",
      createdAt: now,
      updatedAt: now,
    },
  ];
  state.authSessions = [];
  state.accountDeviceGrants = [];
  state.permissionAuditLogs = [];
  state.devices = [
    {
      id: "mac-1",
      name: "客户 Mac",
      avatar: "M",
      account: "owner@boss.test",
      source: "production",
      status: "online",
      projects: ["master-agent"],
      quota5h: 0,
      quota7d: 0,
      lastSeenAt: now,
      preferredExecutionMode: "cli",
      capabilities: {
        gui: { connected: true, lastSeenAt: now },
        cli: { connected: true, lastSeenAt: now },
        browserAutomation: { connected: true, lastSeenAt: now },
        computerUse: { connected: true, lastSeenAt: now },
        codexAppServer: {
          connected: true,
          lastSeenAt: now,
          metadata: {
            remoteControlSummary: {
              supported: true,
              startCommandLabel: "codex remote-control start --json",
            },
          },
        },
      },
    },
  ];
  await data.writeState(state);
});

test.after(async () => {
  if (runtimeRoot) {
    await rm(runtimeRoot, { recursive: true, force: true });
  }
});

async function sessionCookie(account: string, role: "member" | "admin" | "highest_admin") {
  const session = await data.createAuthSession({
    account,
    role,
    displayName: account,
    loginMethod: "password",
  });
  return `${authCookie}=${session.sessionToken}`;
}

async function postAs(
  account: string,
  role: "member" | "admin" | "highest_admin",
  body: Record<string, unknown>,
) {
  return postRemoteControl(
    new NextRequest("http://127.0.0.1:3000/api/v1/devices/mac-1/codex-remote-control", {
      method: "POST",
      headers: {
        "content-type": "application/json",
        cookie: await sessionCookie(account, role),
        "x-request-id": "req-remote-control",
      },
      body: JSON.stringify(body),
    }),
    { params: Promise.resolve({ deviceId: "mac-1" }) },
  );
}

test("codex remote control action requires login, explicit confirmation, and computer control permission", async () => {
  await setup();

  const anonymous = await postRemoteControl(
    new NextRequest("http://127.0.0.1:3000/api/v1/devices/mac-1/codex-remote-control", {
      method: "POST",
      body: JSON.stringify({ action: "start", confirmed: true }),
    }),
    { params: Promise.resolve({ deviceId: "mac-1" }) },
  );
  assert.equal(anonymous.status, 401);

  const missingConfirmation = await postAs("owner@boss.test", "highest_admin", { action: "start" });
  assert.equal(missingConfirmation.status, 400);

  const forbidden = await postAs("operator@boss.test", "member", { action: "start", confirmed: true });
  assert.equal(forbidden.status, 403);

  const state = await data.readState();
  assert.equal(state.masterAgentTasks.length, 0);
  assert.equal(state.permissionAuditLogs.at(0)?.action, "task.denied");
});

test("highest admin can queue a device maintenance task for codex remote control start", async () => {
  const response = await postAs("owner@boss.test", "highest_admin", {
    action: "start",
    confirmed: true,
    reason: "开启 Codex Remote Control 供 Boss App 真时控制。",
  });

  assert.equal(response.status, 200);
  const payload = await response.json();
  assert.equal(payload.ok, true);
  assert.equal(payload.task.taskType, "device_maintenance");
  assert.equal(payload.task.maintenanceKind, "codex_remote_control");
  assert.equal(payload.task.codexRemoteControlAction, "start");
  assert.deepEqual(payload.task.requiredPermissions, ["computer.control"]);

  const claimed = await data.claimNextMasterAgentTask("mac-1");
  assert.equal(claimed?.taskId, payload.task.taskId);
  assert.equal(claimed?.maintenanceKind, "codex_remote_control");
  assert.equal(claimed?.codexRemoteControlAction, "start");

  const state = await data.readState();
  const audit = state.permissionAuditLogs.find((item) => item.action === "task.authorized");
  assert.equal(audit?.actorAccount, "owner@boss.test");
  assert.equal(audit?.deviceId, "mac-1");
  assert.equal(audit?.detail, "codex_remote_control:start");
});