"""Regression: a pre-existing loose `~/.sibyl-memory` must be tightened to 0700.

`mkdir(mode=0o700)` is a no-op when the directory already exists, so a dir that
was created earlier at 0755 kept loose permissions on the credentials directory.
`write_credentials_atomic` now chmods the parent to 0700 explicitly.
Source: beta security report (dor_alpha, 2026-06-01).
"""
import os
import stat
from sibyl_memory_cli.cli import write_credentials_atomic


def test_preexisting_loose_dir_is_tightened(tmp_path):
    d = tmp_path / ".sibyl-memory"
    d.mkdir()
    os.chmod(d, 0o755)  # simulate a pre-existing loose directory
    assert stat.S_IMODE(d.stat().st_mode) == 0o755

    write_credentials_atomic({"tenant_id": "t"}, path=d / "credentials.json")

    assert stat.S_IMODE(d.stat().st_mode) == 0o700, "parent dir not tightened to 0700"
    assert stat.S_IMODE((d / "credentials.json").stat().st_mode) == 0o600