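import { describe, it, expect, beforeAll } from 'vitest'

// nuxt.config.ts uses the auto-imported defineNuxtConfig() global. Stub it to
// the identity function so we can dynamically import the config in node and
// assert against the actual runtimeConfig object the build will use.
let nuxtConfig

beforeAll(async () => {
  // The stub must be installed before the import below: the config module
  // calls defineNuxtConfig() while it is being evaluated.
  globalThis.defineNuxtConfig = (config) => config
  const mod = await import('../../../nuxt.config.ts')
  nuxtConfig = mod.default
})

/**
 * Lists every key of a nested plain object, at any depth.
 *
 * Nuxt serialises the whole `runtimeConfig.public` tree into the client
 * payload, so a secret placed in a nested object (for example
 * `public.helcim.token`) is exposed just like a top-level one. Looking only at
 * `Object.keys(public)` would miss it.
 *
 * @param node   Value to walk; anything that is not a plain object yields no entries.
 * @param prefix Dotted path of the parent, empty for the root.
 * @returns One `{ key, path }` record per key, where `path` is the dotted path
 *          from the root (equal to `key` for top-level entries).
 */
function collectKeyPaths(node, prefix = '') {
  if (node === null || typeof node !== 'object' || Array.isArray(node)) {
    return []
  }
  return Object.entries(node).flatMap(([key, value]) => {
    const path = prefix ? `${prefix}.${key}` : key
    return [{ key, path }, ...collectKeyPaths(value, path)]
  })
}

describe('runtimeConfig.public', () => {
  it('does not expose helcimToken in runtimeConfig.public', () => {
    expect('helcimToken' in nuxtConfig.runtimeConfig.public).toBe(false)
  })

  it('does not expose any *ApiToken or *Secret keys in runtimeConfig.public', () => {
    // Keys that are intentionally public despite matching the pattern.
    // Entries are compared against the dotted path, so an exception for a
    // nested key has to name that exact location. Neither current entry
    // matches sensitivePattern, so the list grants no exception today.
    const allowlist = new Set(['helcimAccountId', 'cloudinaryCloudName'])

    // Case-insensitive: "token" or "secret" anywhere in the name, "key" only
    // as a suffix. Names such as "password" or "credential" are not covered.
    const sensitivePattern = /token|secret|key$/i

    const violations = collectKeyPaths(nuxtConfig.runtimeConfig.public)
      .filter(({ key, path }) => sensitivePattern.test(key) && !allowlist.has(path))
      .map(({ path }) => path)

    // Reporting paths rather than bare names makes a failure point at the
    // exact config entry that needs to move out of `public`.
    expect(violations).toEqual([])
  })

  it('matches public runtime config snapshot', () => {
    // Snapshot only the sorted key list, not values (values come from env).
    // This covers top-level keys only; adding or renaming one forces a
    // reviewed snapshot update.
    const sortedKeys = Object.keys(nuxtConfig.runtimeConfig.public).sort()
    expect(sortedKeys).toMatchSnapshot()
  })
})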