import pytest
from pyra.security.boundaries import VaultAccessError, PyraSecurityError, assert_safe_path


def test_vault_path_blocked(tmp_pyra_home):
    from pyra.security.boundaries import VAULT_PATH
    with pytest.raises(VaultAccessError):
        assert_safe_path(VAULT_PATH / "secrets" / "api_keys.json")


def test_vault_root_blocked(tmp_pyra_home):
    from pyra.security.boundaries import VAULT_PATH
    with pytest.raises(VaultAccessError):
        assert_safe_path(VAULT_PATH)


def test_memory_path_allowed(tmp_pyra_home):
    memory_path = tmp_pyra_home / "memory" / "user" / "profile.md"
    memory_path.parent.mkdir(parents=True, exist_ok=True)
    memory_path.touch()
    assert_safe_path(memory_path)  # must not raise


def test_config_path_allowed(tmp_pyra_home):
    config = tmp_pyra_home / "config.yaml"
    config.touch()
    assert_safe_path(config)  # must not raise


def test_check_vault_lock_passes(tmp_pyra_home):
    from pyra.security.boundaries import check_vault_lock
    check_vault_lock()  # sentinel exists, must not raise


def test_check_vault_lock_fails_when_missing(tmp_pyra_home):
    from pyra.security.boundaries import check_vault_lock
    lock = tmp_pyra_home / "vault" / ".vault_lock"
    lock.unlink()
    with pytest.raises(PyraSecurityError):
        check_vault_lock()