"""P7/P9 env-driven config contracts.

These tests pin the .env.example contract surface so a missing or renamed
env var is caught early. Pure file-read checks; no runtime needed.
"""

from __future__ import annotations

from pathlib import Path

# Repository root, assuming this module lives two directory levels below it
# (repo/<dir>/<dir>/this_file.py) — TODO confirm if the test tree is moved.
_REPO_ROOT = Path(__file__).resolve().parent.parent.parent

# The .env.example contract surface, read once at import time. Note that a
# missing file raises here and fails module collection rather than a single
# test; every test below inspects this string with plain substring checks.
_ENV_EXAMPLE = (_REPO_ROOT / ".env.example").read_text(encoding="utf-8")


def test_captcha_env_vars_documented_in_env_example() -> None:
    """P7: captcha provider + secret must be opt-in via env. Document the
    knobs in .env.example so operators discover them.

    This is a substring check on the raw file text, so a key that appears
    only in a comment (e.g. a commented-out example line) also satisfies it;
    the contract being pinned is discoverability, not an active assignment.
    """
    captcha_keys = ("CAPTCHA_PROVIDER", "CAPTCHA_SECRET_KEY", "CAPTCHA_SITE_KEY")
    for key in captcha_keys:
        documented = key in _ENV_EXAMPLE
        assert documented, f"Missing {key} in .env.example"


def test_better_auth_secrets_plural_documented() -> None:
    """P5: BETTER_AUTH_SECRETS (plural) must be documented as the rotation
    knob alongside the singular secret.

    Substring check only: the plural name merely has to appear somewhere in
    .env.example, which also covers a commented example line.
    """
    rotation_knob = "BETTER_AUTH_SECRETS"
    assert rotation_knob in _ENV_EXAMPLE


def test_better_auth_cookie_domain_documented() -> None:
    """P-ish: cross-subdomain cookie config must be discoverable.

    Only requires the variable name to occur in .env.example; the value and
    whether the line is commented out are not checked here.
    """
    cookie_domain_knob = "BETTER_AUTH_COOKIE_DOMAIN"
    assert cookie_domain_knob in _ENV_EXAMPLE


def test_operations_md_documents_audit_alerts() -> None:
    """P11/P12: audit retention + Logfire alert SQL must be in OPERATIONS.md.

    Reads backend/OPERATIONS.md relative to the repo root and requires each
    expected audit event name and alert-snippet marker to appear verbatim
    (substring match, so the exact spelling is part of the contract).
    """
    operations_doc = (_REPO_ROOT / "backend" / "OPERATIONS.md").read_text(
        encoding="utf-8"
    )
    # Audit event names that the runbook must reference.
    audit_markers = (
        "auth.user.create",
        "auth.member.role_change",
        "internal_auth_email_sent",
        "orphan_team_cleanup_complete",
    )
    # Markers expected from the SQL alert snippets.
    alert_markers = (
        "rate_limited",
        "Privilege escalation audit",
    )
    for marker in audit_markers + alert_markers:
        assert marker in operations_doc, f"OPERATIONS.md missing audit/alert marker: {marker}"
