/**
 * SSE (server-side-encryption) header policy for the S3 backend.
 *
 * Regression (2026-06-03 prod): MinIO with no KMS/KES rejected EVERY
 * PutObject because `put()` unconditionally sent
 * `x-amz-server-side-encryption: AES256`, which a backend without KMS
 * answers with `NotImplemented` ("KMS not configured"). The header must
 * only be sent when SSE is explicitly configured; the default is OFF so
 * a vanilla S3-compatible backend accepts uploads.
 */

import { describe, expect, it } from 'vitest';

import { buildPutObjectMetadata } from '@/lib/storage/s3';

describe('buildPutObjectMetadata', () => {
  it('omits the server-side-encryption header when no SSE is configured', () => {
    const meta = buildPutObjectMetadata('application/pdf', undefined);
    expect(meta['Content-Type']).toBe('application/pdf');
    expect(meta['x-amz-server-side-encryption']).toBeUndefined();
  });

  it('sends the configured SSE algorithm when one is set', () => {
    const meta = buildPutObjectMetadata('image/png', 'AES256');
    expect(meta['Content-Type']).toBe('image/png');
    expect(meta['x-amz-server-side-encryption']).toBe('AES256');
  });
});