"""P4: CORS allow-list must accept a comma-separated FRONTEND_URL so the
production subdomain split (app.dineo.io + api.dineo.io) works while
localhost stays usable for dev.

Tests the pure resolver in `app.main` so we don't pay the cost of spinning
up a FastAPI lifespan (which would pull in Restate discovery + httpx client
construction) for what is fundamentally string-list parsing.
"""

from __future__ import annotations

from app.main import _resolve_cors_origins


def test_single_frontend_url_is_allowed() -> None:
    origins = _resolve_cors_origins("https://app.dineo.dev")
    assert "https://app.dineo.dev" in origins
    assert "http://localhost:3000" in origins  # always permitted for dev


def test_comma_separated_frontend_urls_all_allowed() -> None:
    origins = _resolve_cors_origins("https://app.dineo.dev,https://api.dineo.dev")
    assert "https://app.dineo.dev" in origins
    assert "https://api.dineo.dev" in origins


def test_whitespace_is_trimmed() -> None:
    origins = _resolve_cors_origins(" https://app.dineo.dev , https://api.dineo.dev ")
    assert "https://app.dineo.dev" in origins
    assert "https://api.dineo.dev" in origins
    for origin in origins:
        assert origin == origin.strip()


def test_localhost_is_added_only_once() -> None:
    origins = _resolve_cors_origins("http://localhost:3000,https://app.dineo.dev")
    assert origins.count("http://localhost:3000") == 1


def test_empty_entries_dropped() -> None:
    origins = _resolve_cors_origins("https://app.dineo.dev,,,https://api.dineo.dev,")
    assert origins.count("https://app.dineo.dev") == 1
    assert origins.count("https://api.dineo.dev") == 1
    assert "" not in origins


def test_duplicates_dropped() -> None:
    origins = _resolve_cors_origins(
        "https://app.dineo.dev,https://app.dineo.dev,https://api.dineo.dev"
    )
    assert origins.count("https://app.dineo.dev") == 1
    assert origins.count("https://api.dineo.dev") == 1