"""
Security invariant tests — Wave 0 xfail stubs for Phase 4.

All tests in this file are xfail stubs. They will be implemented in Plans
04-06 and 04-08 (security hardening). The stubs ensure pytest collects them
and keeps CI green before implementation code exists.

Requirements: SEC-08 (credentials_enc exclusion), SEC-09 (delete-user-cleans-files).
"""
from __future__ import annotations

import os

import pytest


# ---------------------------------------------------------------------------
# SEC-08: credentials_enc never in API response
# ---------------------------------------------------------------------------


@pytest.mark.xfail(strict=False)
async def test_credentials_enc_not_in_response(async_client, auth_user):
    """No API response for current user includes credentials_enc field."""
    pytest.xfail("not implemented yet")


# ---------------------------------------------------------------------------
# SEC-09: Delete user cleans up MinIO objects
# ---------------------------------------------------------------------------


@pytest.mark.xfail(strict=False)
async def test_delete_user_cleans_files(async_client, admin_user):
    """Admin DELETE /api/admin/users/{id} triggers MinIO object deletion before DB removal."""
    pytest.xfail("not implemented yet")