"""Contract test for the standalone CRA assess endpoint.

Mounts only the cra_assess router on a minimal app — no full app/DB startup.
"""
from fastapi import FastAPI
from fastapi.testclient import TestClient

from compliance.api.cra_assess_routes import router

app = FastAPI()
app.include_router(router, prefix="/api")
client = TestClient(app)


def test_assess_maps_findings_with_crosswalk():
    r = client.post("/api/v1/cra/assess", json={"findings": [
        {"id": "x", "title": "default password", "cwe": "CWE-259", "severity": "critical"},
        {"id": "y", "category": "dependency", "title": "outdated lib", "severity": "high"},
    ]})
    assert r.status_code == 200
    d = r.json()
    assert d["findings_total"] == 2
    by_id = {m["finding_id"]: m for m in d["mapped"]}
    assert by_id["x"]["primary_requirement"] == "CRA-AI-8"
    assert by_id["x"]["risk_level"] == "CRITICAL"
    assert "IA-5" in by_id["x"]["nist_refs"]
    assert by_id["y"]["primary_requirement"] == "CRA-AI-22"
    assert any(o["code"] == "A06:2021" for o in by_id["y"]["owasp_refs"])


def test_assess_empty_is_ok():
    r = client.post("/api/v1/cra/assess", json={"findings": []})
    assert r.status_code == 200
    assert r.json()["findings_total"] == 0


def test_assess_requires_finding_id():
    # id is required by the schema -> 422
    r = client.post("/api/v1/cra/assess", json={"findings": [{"title": "no id"}]})
    assert r.status_code == 422