#!/usr/bin/env bats
# Unit tests for the encryption-setup.sh hook.
# Reference: PRD.md FR-001 (Full Disk Encryption)
#
# Every check below is a static text search of the hook's source (or a file
# existence test). Nothing here runs the hook or inspects a LUKS header, so a
# pass shows that a keyword is present, not that the setting is applied.

# Hook under test, and the optional dedicated KDF hook the Argon2id tests accept.
HOOK="/workspace/config/hooks/installed/encryption-setup.sh"
KDF_HOOK="/workspace/config/hooks/installed/luks-kdf-configure.sh"

#######################################
# Succeed when the hook source contains a match for any given pattern.
# Globals:   HOOK (read)
# Arguments: one or more basic regular expressions
# Returns:   grep's status: 0 on a match, non-zero otherwise
#######################################
hook_mentions() {
  local -a grep_args=()
  local pattern
  for pattern in "$@"; do
    grep_args+=(-e "$pattern")
  done
  grep -q "${grep_args[@]}" -- "$HOOK"
}

@test "encryption-setup.sh exists and is executable" {
  test -f "$HOOK"
  test -x "$HOOK"
}

@test "Encryption uses LUKS2 format" {
  hook_mentions "luks2" "LUKS2"
}

@test "Encryption uses AES-XTS cipher" {
  hook_mentions "aes-xts" "aes_xts" "AES-XTS"
}

@test "Encryption uses 512-bit key" {
  # NOTE(review): matches the digits 512 anywhere in the hook, so this does not
  # by itself tie the value to the key-size setting.
  hook_mentions "512"
}

@test "Encryption setup includes cryptsetup" {
  hook_mentions "cryptsetup"
}

@test "Encryption setup configures initramfs" {
  hook_mentions "initramfs"
}

@test "Encryption setup configures crypttab" {
  hook_mentions "crypttab"
}

@test "Encryption setup includes dm-crypt module" {
  # The search string is the underscore form, dm_crypt.
  hook_mentions "dm_crypt"
}

@test "Encryption setup creates check-encryption.sh" {
  hook_mentions "check-encryption.sh"
}

@test "Encryption setup creates manage-encryption-keys.sh" {
  hook_mentions "manage-encryption-keys.sh"
}

@test "Encryption setup creates systemd service" {
  hook_mentions "knel-encryption-check.service"
}

@test "Encryption setup creates README with recovery info" {
  # NOTE(review): only the word README is searched for; the recovery content
  # itself is not checked.
  hook_mentions "README"
}

@test "Encryption setup configures GRUB" {
  hook_mentions "grub"
}

# =============================================================================
# Argon2id KDF Configuration (FINDING-005)
# =============================================================================
# NOTE(review): each test in this section also passes when luks-kdf-configure.sh
# merely exists; that file's contents are never examined.

@test "Argon2id KDF configuration hook or script exists" {
  # Accept either a dedicated KDF hook or KDF handling inside encryption-setup.sh.
  # A match on luksConvertKey alone satisfies this, without the string argon2id.
  [ -f "$KDF_HOOK" ] || \
    hook_mentions "argon2id" "luksConvertKey"
}

@test "KDF conversion helper script is created" {
  # encryption-setup.sh is expected to create a helper script for KDF conversion.
  hook_mentions "convert.*kdf" "kdf.*convert" "luksConvertKey" || \
    [ -f "$KDF_HOOK" ]
}

@test "User receives notification about KDF optimization" {
  # A reminder to optimize the KDF is expected to be set up for the user.
  hook_mentions "profile.d" "motd" "reminder" || \
    [ -f "$KDF_HOOK" ]
}