"""API-level checks: the /api routes serve the public case through gradio.Server and
never leak sealed fields. Uses Starlette's TestClient against the real Server instance.
"""

from __future__ import annotations

import json

from starlette.testclient import TestClient

from case_zero.api import build_server

_LEAK_TOKENS = ('"sealed"', '"killer"', '"correctMotive"', '"keyEvidence"', '"present"', '"default"', '"d":')


def _client() -> TestClient:
    return TestClient(build_server())


def test_healthz() -> None:
    assert _client().get("/healthz").json() == {"ok": True}


def test_post_case_returns_public_case_without_leak() -> None:
    resp = _client().post("/api/case", json={"caseId": "GRAYMOOR-3107"})
    assert resp.status_code == 200
    body = resp.json()
    assert body["caseId"] == "GRAYMOOR-3107"
    assert len(body["runId"]) >= 16
    case = body["case"]
    assert len(case["suspects"]) == 4
    assert len(case["evidence"]) == 6
    assert case["suspects"][0]["suggestedQuestions"]
    blob = json.dumps(body)
    for token in _LEAK_TOKENS:
        assert token not in blob, f"sealed token leaked through the API: {token}"


def test_get_unknown_case_is_404() -> None:
    assert _client().get("/api/case/NOPE-0000").status_code == 404