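import 'dotenv/config';
import { test, expect } from '@playwright/test';
import { login, apiHeaders } from '../smoke/helpers';

/**
 * Real-API spec covering attachment cross-port enforcement (Phase A PR8).
 *
 * The hot-path SMTP+IMAP roundtrip is exercised by smtp-system-send.spec.ts.
 * This spec specifically verifies that attaching a fileId from a different
 * port returns 403 *before* SMTP is touched.
 *
 * Requires SMTP_HOST and PHASE_A_CROSS_PORT_FILE_ID, the id of a file seeded
 * in a second port that the calling user cannot reach. Skips otherwise.
 * This spec reads only those two variables; PHASE_A_OTHER_PORT_SLUG is not
 * consulted here.
 *
 * NOTE(review): only the HTTP status is asserted. "Before SMTP" is inferred
 * from the 403, not observed, so a 403 raised by an unrelated guard would
 * also pass. Confirm against the handler, or extend the check with whatever
 * error code or mail-sink signal the project exposes.
 */
const SMTP_HOST = process.env.SMTP_HOST;
const OTHER_PORT_FILE_ID = process.env.PHASE_A_CROSS_PORT_FILE_ID;

test.describe('Email attachments — port isolation', () => {
  // Without both fixtures the request could not exercise the isolation check,
  // so the whole group is skipped rather than reported as a pass.
  test.skip(!SMTP_HOST || !OTHER_PORT_FILE_ID, 'cross-port fixture not configured');

  test.beforeEach(async ({ page }) => {
    // NOTE(review): the session is 'super_admin'. Confirm this role is still
    // port-scoped for file access; if it bypasses port checks, the fixture
    // file would be reachable and this spec would not test isolation.
    await login(page, 'super_admin');
  });

  test('rejects cross-port fileId with 403 before SMTP', async ({ page }) => {
    const headers = await apiHeaders(page);

    const res = await page.request.post('/api/v1/email/compose', {
      headers,
      data: {
        senderType: 'system',
        // `.test` is a reserved TLD, so this address cannot route to a real
        // domain even if a regression lets the send through.
        to: ['noop@example.test'],
        subject: 'cross-port attempt',
        // The source had this literal broken across lines (an unterminated
        // string); the line breaks are kept as escapes so the value is unchanged.
        bodyHtml: '\nshould fail before SMTP\n',
        // The only attachment is the file that lives in the other port.
        attachments: [{ fileId: OTHER_PORT_FILE_ID! }],
      },
    });

    // The message makes an authorization regression obvious in the report.
    expect(res.status(), 'cross-port attachment must be refused with 403').toBe(403);
  });
});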