"""Contract test for the standalone CRA assess endpoint.

Mounts only the cra_assess router on a minimal app — no full app/DB startup.
"""
from fastapi import FastAPI
from fastapi.testclient import TestClient

from compliance.api.cra_assess_routes import router

app = FastAPI()
app.include_router(router, prefix="/api")
client = TestClient(app)


def test_assess_maps_findings_with_crosswalk():
    r = client.post("/api/v1/cra/assess", json={"findings": [
        {"id": "x", "title": "default password", "cwe": "CWE-259", "severity": "critical"},
        {"id": "y", "category": "dependency", "title": "outdated lib", "severity": "high"},
    ]})
    assert r.status_code == 200
    d = r.json()
    assert d["findings_total"] == 2
    by_id = {m["finding_id"]: m for m in d["mapped"]}
    assert by_id["x"]["primary_requirement"] == "CRA-AI-8"
    assert by_id["x"]["risk_level"] == "CRITICAL"
    assert "IA-5" in by_id["x"]["nist_refs"]
    assert by_id["y"]["primary_requirement"] == "CRA-AI-22"
    assert any(o["code"] == "A06:2021" for o in by_id["y"]["owasp_refs"])


def test_assess_empty_is_ok():
    r = client.post("/api/v1/cra/assess", json={"findings": []})
    assert r.status_code == 200
    assert r.json()["findings_total"] == 0


def test_assess_requires_finding_id():
    # id is required by the schema -> 422
    r = client.post("/api/v1/cra/assess", json={"findings": [{"title": "no id"}]})
    assert r.status_code == 422


def test_assess_prioritizes_with_weights():
    r = client.post("/api/v1/cra/assess", json={
        "findings": [
            {"id": "mfa", "cwe": "CWE-306", "severity": "high"},
            {"id": "log", "cwe": "CWE-778", "severity": "high"},
        ],
        "weights": {"access": "high", "monitoring": "low"},
    })
    assert r.status_code == 200
    d = r.json()
    order = [m["finding_id"] for m in d["mapped"]]
    assert order.index("mfa") < order.index("log")
    assert all("priority_tier" in m for m in d["mapped"])


def test_assess_p0_floor_on_safety_impact():
    r = client.post("/api/v1/cra/assess", json={"findings": [
        {"id": "s", "cwe": "CWE-319", "severity": "low", "safety_impact": True},
    ]})
    assert r.status_code == 200
    assert r.json()["mapped"][0]["priority_tier"] == "P0"