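import { describe, it, expect } from 'vitest'
import { existsSync, readdirSync } from 'node:fs'
import { resolve } from 'node:path'

/**
 * Regression: `events/[id]/payment.post.js` was deleted because its
 * unauthenticated POST allowed any caller to spam-register an existing
 * member to any paid event by supplying their email. See
 * docs/superpowers/specs/2026-04-25-fix-3.md.
 *
 * With the route file gone, Nitro's filesystem router will not register
 * a handler at `/api/events/{id}/payment`, so a POST returns 404 — the
 * spam-register attack surface no longer exists at the network layer.
 *
 * Scope of this guard:
 * - Nitro derives the route from the file name, so the same path can be
 *   re-registered by a sibling such as `payment.js`, `payment.post.ts` or a
 *   `payment/` directory. The third test therefore rejects every entry named
 *   `payment` or `payment.*`, not only the exact file that was deleted.
 * - These are file-level checks only. They cannot show that the replacement
 *   handler enforces authentication; that needs a request-level test against
 *   the running route.
 */

// Directory that holds the per-event handlers, relative to this test file.
const eventRouteDir = resolve(
  import.meta.dirname,
  '../../../../server/api/events/[id]'
)

describe('events/[id]/payment route deletion', () => {
  it('the payment.post.js route file no longer exists', () => {
    const routePath = resolve(eventRouteDir, 'payment.post.js')
    expect(existsSync(routePath)).toBe(false)
  })

  it('the secure replacement at tickets/purchase.post.js still exists', () => {
    const replacementPath = resolve(eventRouteDir, 'tickets/purchase.post.js')
    expect(existsSync(replacementPath)).toBe(true)
  })

  it('no other route file is mapped to /api/events/{id}/payment', () => {
    // A missing directory means there is nothing to route, so treat it as empty
    // instead of letting readdirSync throw and mask the real assertion.
    const entries = existsSync(eventRouteDir) ? readdirSync(eventRouteDir) : []
    const paymentRoutes = entries.filter(
      (name) => name === 'payment' || name.startsWith('payment.')
    )
    // Listing the offenders makes the failure message name the file to remove.
    expect(paymentRoutes).toEqual([])
  })
})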