"""Tests for ``RuntimePolicy`` from ``engine.devops_agent.policies``.

The cases below exercise the two guard methods visible in this file:
``assert_operation_allowed`` (operation allow-list) and
``assert_path_allowed`` (path scope).
"""
from __future__ import annotations

import pytest

from engine.devops_agent.policies import PolicyViolation, RuntimePolicy


def test_policy_allows_declared_safe_output() -> None:
    """An operation listed in ``safe_outputs`` passes the guard without raising."""
    declared_outputs = {"add_comment": {"max": 2}}
    scope = ["engine/devops_agent/", "README.md"]
    guard = RuntimePolicy(safe_outputs=declared_outputs, path_scope=scope)

    # Passing means "no exception"; the declared ``max`` of 2 is not exercised here.
    guard.assert_operation_allowed("add_comment")


def test_policy_rejects_undeclared_write_action() -> None:
    """An operation absent from ``safe_outputs`` raises ``PolicyViolation``."""
    guard = RuntimePolicy(
        safe_outputs={"add_comment": {"max": 2}},
        path_scope=[],
    )

    # ``match`` is applied as a regex search on the exception text, so this also
    # checks that the message names the rejected operation.
    expected_failure = pytest.raises(PolicyViolation, match="close_issue")
    with expected_failure:
        guard.assert_operation_allowed("close_issue")


def test_policy_rejects_paths_outside_scope() -> None:
    """A path under a directory that is not in ``path_scope`` is refused."""
    guard = RuntimePolicy(
        safe_outputs={"write_file": {"max": 5}},
        path_scope=["engine/devops_agent/"],
    )
    out_of_scope_path = "skills/gitea-issue-devops-agent/SKILL.md"

    # NOTE(review): only a plainly unrelated directory is covered. Whether
    # ``assert_path_allowed`` normalises paths before comparing is not visible
    # from this file; cases with ``..`` segments, absolute paths, and a sibling
    # directory sharing the scope's leading characters would pin that down.
    with pytest.raises(PolicyViolation, match="outside allowed path scope"):
        guard.assert_path_allowed(out_of_scope_path)