// Security contract for relay TLS and client identity handling.
//
// Scope: verify installers and runtime keep mTLS assets explicit and avoid
// silently treating plaintext relay access as production-safe.
// Targets: `scripts/install/server.sh`, `scripts/install/client.sh`, and
// `server/src/security.rs`.
// Why: the relay carries HID, clipboard, microphone, and camera data; transport
// security should be intentional rather than an accidental deployment detail.

const SERVER_INSTALL: &str = include_str!(concat!(
    env!("CARGO_MANIFEST_DIR"),
    "/scripts/install/server.sh"
));
const CLIENT_INSTALL: &str = include_str!(concat!(
    env!("CARGO_MANIFEST_DIR"),
    "/scripts/install/client.sh"
));
const SECURITY: &str = include_str!(concat!(
    env!("CARGO_MANIFEST_DIR"),
    "/server/src/security.rs"
));

#[test]
fn relay_tls_assets_are_created_packaged_and_required_by_default() {
    for marker in [
        "LESAVKA_REQUIRE_TLS:-1",
        "LESAVKA_TLS_CERT",
        "LESAVKA_TLS_KEY",
        "LESAVKA_TLS_CLIENT_CA",
        "lesavka-client-pki.tar.gz",
        "chmod 0600",
    ] {
        assert!(
            SERVER_INSTALL.contains(marker),
            "server installer should preserve TLS marker {marker}"
        );
    }

    for marker in [
        "LESAVKA_CLIENT_PKI_BUNDLE",
        "ca.crt",
        "client.crt",
        "client.key",
        "HTTPS/mTLS relay connections will not work until this bundle is installed",
    ] {
        assert!(
            CLIENT_INSTALL.contains(marker),
            "client installer should preserve TLS client marker {marker}"
        );
    }

    for marker in [
        "LESAVKA_REQUIRE_TLS",
        "LESAVKA_TLS_CLIENT_CA",
        "serving plaintext gRPC for local/dev use",
        "ServerTlsConfig",
        "client_ca_root",
    ] {
        assert!(
            SECURITY.contains(marker),
            "runtime security module should preserve marker {marker}"
        );
    }
}