import { describe, expect, it } from "vitest";
import type { ChannelPlugin } from "../channels/plugins/types.js";
import type { OpenClawConfig } from "../config/config.js";
import { collectChannelSecurityFindings } from "./audit-channel.js";

describe("security audit channel dm policy", () => {
  it("warns when multiple DM senders share the main session", async () => {
    const cfg: OpenClawConfig = {
      session: { dmScope: "main" },
      channels: { whatsapp: { enabled: true } },
    };
    const plugins: ChannelPlugin[] = [
      {
        id: "whatsapp",
        meta: {
          id: "whatsapp",
          label: "WhatsApp",
          selectionLabel: "WhatsApp",
          docsPath: "/channels/whatsapp",
          blurb: "Test",
        },
        capabilities: { chatTypes: ["direct"] },
        config: {
          listAccountIds: () => ["default"],
          resolveAccount: () => ({}),
          isEnabled: () => true,
          isConfigured: () => true,
        },
        security: {
          resolveDmPolicy: () => ({
            policy: "allowlist",
            allowFrom: ["user-a", "user-b"],
            policyPath: "channels.whatsapp.dmPolicy",
            allowFromPath: "channels.whatsapp.",
            approveHint: "approve",
          }),
        },
      },
    ];

    const findings = await collectChannelSecurityFindings({
      cfg,
      plugins,
    });

    expect(findings).toEqual(
      expect.arrayContaining([
        expect.objectContaining({
          checkId: "channels.whatsapp.dm.scope_main_multiuser",
          severity: "warn",
          remediation: expect.stringContaining('config set session.dmScope "per-channel-peer"'),
        }),
      ]),
    );
  });
});