/**
 * test-session-permissions.ts — Verify payment operation permissions in session.ts.
 *
 * Tests that the new payment:x402, payment:safe-propose, and payment:safe-execute
 * operations are properly defined in OPERATION_PERMISSIONS.
 *
 * Usage:
 *   bun run scripts/test-session-permissions.ts
 */

import { OPERATION_PERMISSIONS, AuthLevel } from '../src/encryptid/session';

let passed = 0;
let failed = 0;

function assert(condition: boolean, msg: string) {
  if (condition) {
    console.log(`  ✓ ${msg}`);
    passed++;
  } else {
    console.error(`  ✗ ${msg}`);
    failed++;
  }
}

function main() {
  console.log('=== Session Permission Tests ===\n');

  // Test 1: payment:x402 exists with correct settings
  console.log('[1] payment:x402');
  const x402 = OPERATION_PERMISSIONS['payment:x402'];
  assert(x402 !== undefined, 'payment:x402 is defined');
  assert(x402.minAuthLevel === AuthLevel.STANDARD, 'Requires STANDARD auth');
  assert(x402.requiresCapability === 'wallet', 'Requires wallet capability');
  assert(x402.maxAgeSeconds === undefined, 'No max age (not time-sensitive)');

  // Test 2: payment:safe-propose exists with correct settings
  console.log('\n[2] payment:safe-propose');
  const propose = OPERATION_PERMISSIONS['payment:safe-propose'];
  assert(propose !== undefined, 'payment:safe-propose is defined');
  assert(propose.minAuthLevel === AuthLevel.ELEVATED, 'Requires ELEVATED auth');
  assert(propose.requiresCapability === 'wallet', 'Requires wallet capability');
  assert(propose.maxAgeSeconds === 60, 'Max age is 60 seconds');

  // Test 3: payment:safe-execute exists with correct settings
  console.log('\n[3] payment:safe-execute');
  const execute = OPERATION_PERMISSIONS['payment:safe-execute'];
  assert(execute !== undefined, 'payment:safe-execute is defined');
  assert(execute.minAuthLevel === AuthLevel.CRITICAL, 'Requires CRITICAL auth');
  assert(execute.requiresCapability === 'wallet', 'Requires wallet capability');
  assert(execute.maxAgeSeconds === 60, 'Max age is 60 seconds');

  // Test 4: Existing operations still intact
  console.log('\n[4] Existing operations unchanged');
  assert(OPERATION_PERMISSIONS['rspace:view-public'] !== undefined, 'rspace:view-public still exists');
  assert(OPERATION_PERMISSIONS['rwallet:send-small'] !== undefined, 'rwallet:send-small still exists');
  assert(OPERATION_PERMISSIONS['account:delete'] !== undefined, 'account:delete still exists');
  assert(OPERATION_PERMISSIONS['rspace:view-public'].minAuthLevel === AuthLevel.BASIC, 'rspace:view-public still BASIC');
  assert(OPERATION_PERMISSIONS['account:delete'].minAuthLevel === AuthLevel.CRITICAL, 'account:delete still CRITICAL');

  // Test 5: Auth level ordering
  console.log('\n[5] Auth level escalation (x402 < propose < execute)');
  assert(x402.minAuthLevel < propose.minAuthLevel, 'x402 < propose');
  assert(propose.minAuthLevel < execute.minAuthLevel, 'propose < execute');

  console.log(`\n=== Results: ${passed} passed, ${failed} failed ===`);
  process.exit(failed > 0 ? 1 : 0);
}

main();