#!/usr/bin/env bats
# Comprehensive security compliance tests

@test "Full Disk Encryption configured" {
    grep -q "crypto" /workspace/config/preseed.cfg
}

@test "Password complexity configured" {
    grep -q "pwquality" /workspace/config/preseed.cfg
}

@test "WiFi blacklisted" {
    grep -q "cfg80211" /workspace/src/security-hardening.sh
}

@test "Bluetooth blacklisted" {
    grep -q "btusb" /workspace/src/security-hardening.sh
}

@test "Firewall configured" {
    grep -q "nftables" /workspace/config/package-lists/knel-football.list.chroot
}

# FR-006: SSH Access - Key-Based Authentication Only
@test "SSH password authentication disabled" {
    grep -q "PasswordAuthentication no" /workspace/src/security-hardening.sh
}

@test "SSH root login disabled" {
    grep -q "PermitRootLogin no" /workspace/src/security-hardening.sh
}