//! Contract tests for client install-time security defaults.
//!
//! Scope: inspect the client installer shell contract without running it.
//! Targets: `scripts/install/client.sh`.
//! Why: secure-by-default relay transport depends on installing the server-issued
//! client cert bundle exactly where the desktop app auto-discovers it.

const CLIENT_INSTALL: &str = include_str!("../../scripts/install/client.sh");

#[test]
fn client_install_accepts_server_generated_tls_bundle() {
    for expected in [
        "LESAVKA_CLIENT_PKI_BUNDLE",
        "CLIENT_PKI_DIR",
        "ca.crt",
        "client.crt",
        "client.key",
        "install_client_pki_bundle",
        "fetch_client_pki_bundle",
        "LESAVKA_CLIENT_PKI_SSH_SOURCE",
        "LESAVKA_CLIENT_CAPTURE_DIR",
        "theia:/etc/lesavka/lesavka-client-pki.tar.gz",
        "Pictures/lesavka",
        "HTTPS/mTLS relay connections will not work until this bundle is installed",
        "TLS identity:",
        "Captures:",
    ] {
        assert!(
            CLIENT_INSTALL.contains(expected),
            "client installer should include TLS bundle contract fragment {expected}"
        );
    }
    assert!(
        CLIENT_INSTALL.contains(".config/lesavka/pki"),
        "client cert bundle should land in the same path the desktop app auto-loads"
    );
    assert!(
        CLIENT_INSTALL.contains("0600"),
        "client private key should be installed with private permissions"
    );
    assert!(
        CLIENT_INSTALL.contains("scp -q -o BatchMode=yes"),
        "client installer should auto-fetch the server enrollment bundle without hanging"
    );
}