"""Tests fuer das DSE-Applicability-Gate (_classification_gate).

Deckt die reine Split-Logik (apply_gate) und das defensive Verhalten von
load_dse_gate ohne DB ab. Die DB-Abfrage selbst ist I/O und wird hier nicht
gegen eine echte DB getestet (defensiver Pfad: kein DSN -> leeres Dict)."""

import asyncio
import os

from compliance.services.specialist_agents.dse._classification_gate import (
    apply_gate,
    load_dse_gate,
)


def test_apply_gate_splits_findings_and_organizational():
    controls = [
        {"control_id": "AUTH-2051-A02", "title": "Speicherdauer nennen"},
        {"control_id": "AUTH-2049-A01", "title": "VVT fuehren"},
    ]
    gate = {
        "AUTH-2049-A01": {
            "obligation_type": "EVIDENCE",
            "check_intent": "DIRECT_EVIDENCE",
            "applicable_artifacts": ["VVT", "AUDIT"],
            "reference_allowed": "NO",
        }
    }
    kept, organizational = apply_gate(controls, gate)
    assert [c["control_id"] for c in kept] == ["AUTH-2051-A02"]
    assert len(organizational) == 1
    org = organizational[0]
    assert org["control_id"] == "AUTH-2049-A01"
    assert org["title"] == "VVT fuehren"
    assert org["applicable_artifacts"] == ["VVT", "AUDIT"]
    assert org["check_intent"] == "DIRECT_EVIDENCE"


def test_apply_gate_empty_gate_keeps_all():
    controls = [{"control_id": "X-1"}, {"control_id": "X-2"}]
    kept, organizational = apply_gate(controls, {})
    assert len(kept) == 2
    assert organizational == []


def test_load_dse_gate_without_dsn_is_defensive():
    """Kein DSN + keine Env -> leeres Dict (kein Filter), kein Fehler."""
    saved = (
        os.environ.pop("DATABASE_URL", None),
        os.environ.pop("COMPLIANCE_DATABASE_URL", None),
    )
    try:
        result = asyncio.run(load_dse_gate(""))
        assert result == {}
    finally:
        if saved[0] is not None:
            os.environ["DATABASE_URL"] = saved[0]
        if saved[1] is not None:
            os.environ["COMPLIANCE_DATABASE_URL"] = saved[1]