atproto_devtool/commands/test/labeler/

create_report.rs

//! `report` stage: exercises the labeler's authenticated
//! `com.atproto.moderation.createReport` path.
//!
//! The `sentinel` submodule builds the pollution-avoidance reason string
//! that every committed report body carries.

use std::borrow::Cow;
use std::sync::Arc;
use std::time::{Duration, SystemTime, UNIX_EPOCH};
use url::Url;

use async_trait::async_trait;
use miette::{Diagnostic, NamedSource, SourceSpan};
use reqwest::StatusCode;
use thiserror::Error;

use crate::commands::test::labeler::identity::IdentityFacts;
use crate::commands::test::labeler::report::{CheckResult, CheckStatus, Stage};
use crate::common::diagnostics::pretty_json_for_display;
use crate::common::identity::{Did, is_local_labeler_hostname};

pub mod did_doc_server;
pub mod pollution;
pub mod self_mint;
pub mod sentinel;

/// Raw HTTP response from POSTing `com.atproto.moderation.createReport`.
///
/// Mirrors `RawXrpcResponse` from the HTTP stage but specialized for the
/// createReport shape: no typed decode (positive and negative checks need
/// different decode strategies) and the raw body is kept for diagnostic
/// rendering via miette.
#[derive(Debug)]
pub struct RawCreateReportResponse {
    /// HTTP status code.
    pub status: StatusCode,
    /// Content-Type header value, if present. Lowercased for matching.
    pub content_type: Option<String>,
    /// Raw response body bytes.
    pub raw_body: Arc<[u8]>,
    /// The URL that was POSTed to (for diagnostics).
    pub source_url: String,
}

/// Error type for `CreateReportTee` operations.
///
/// Kept intentionally narrow: either a transport failure (TCP / TLS / DNS /
/// reqwest internal), or a well-formed HTTP response that we return as-is.
/// Callers — i.e., the stage — decide what each non-2xx status means per
/// check.
#[derive(Debug, Error, Diagnostic)]
pub enum CreateReportStageError {
    /// Transport-level failure: the request never reached a well-formed
    /// HTTP exchange.
    #[error("createReport transport error: {source}")]
    #[diagnostic(code = "labeler::report::transport_error")]
    Transport {
        /// Underlying error.
        #[source]
        source: Box<dyn std::error::Error + Send + Sync>,
    },
}

/// Trait for POSTing `com.atproto.moderation.createReport`. Production
/// impl (`RealCreateReportTee`) wraps a `reqwest::Client`; tests inject
/// `FakeCreateReportTee` from `tests/common/mod.rs`.
///
/// The body is serialized from a `serde_json::Value` so negative-shape
/// tests can POST intentionally invalid bodies without fighting the type
/// system.
#[async_trait]
pub trait CreateReportTee: Send + Sync {
    /// POST the given body to the labeler's `com.atproto.moderation.createReport`
    /// endpoint.
    ///
    /// # Arguments
    /// * `auth` — optional Bearer token. `None` ⇒ no `Authorization` header
    ///   (for the `unauthenticated_rejected` check). `Some(token)` is
    ///   included as `Authorization: Bearer {token}`.
    /// * `body` — JSON body to POST. The impl sends `Content-Type: application/json`.
    async fn post_create_report(
        &self,
        auth: Option<&str>,
        body: &serde_json::Value,
    ) -> Result<RawCreateReportResponse, CreateReportStageError>;
}

/// Raw HTTP response from XRPC calls to the PDS.
///
/// Similar to `RawCreateReportResponse` but used for PDS-specific calls
/// (createSession, getServiceAuth) where the response needs to be parsed
/// as JSON by the caller.
#[derive(Debug)]
pub struct RawPdsXrpcResponse {
    /// HTTP status code.
    pub status: StatusCode,
    /// Raw response body bytes.
    pub raw_body: Arc<[u8]>,
    /// Content-Type header value, if present. Lowercased for matching.
    pub content_type: Option<String>,
    /// The URL that was requested (for diagnostics).
    pub source_url: String,
}

/// Narrow seam for POSTing/GETting against the user's PDS.
///
/// The existing `HttpClient` in `src/common/identity.rs` is GET-only and
/// does not support bearer headers or request bodies. This trait exists
/// to keep those capabilities out of the identity-resolution seam.
#[async_trait]
pub trait PdsXrpcClient: Send + Sync {
    /// POST `body` (JSON-serialized) to the PDS endpoint at the given path
    /// (e.g., `"xrpc/com.atproto.server.createSession"`). Optional bearer
    /// and `atproto-proxy` headers.
    async fn post(
        &self,
        path: &str,
        bearer: Option<&str>,
        atproto_proxy: Option<&str>,
        body: &serde_json::Value,
    ) -> Result<RawPdsXrpcResponse, CreateReportStageError>;

    /// GET the PDS endpoint at the given path with optional bearer and
    /// URL-encoded query pairs.
    async fn get(
        &self,
        path: &str,
        bearer: Option<&str>,
        query: &[(&str, &str)],
    ) -> Result<RawPdsXrpcResponse, CreateReportStageError>;
}

/// Real `PdsXrpcClient` implementation using reqwest.
pub struct RealPdsXrpcClient {
    client: reqwest::Client,
    base: Url,
}

impl RealPdsXrpcClient {
    /// Create a new `RealPdsXrpcClient` using the given shared reqwest
    /// client and PDS base URL.
    pub fn new(client: reqwest::Client, base: Url) -> Self {
        Self { client, base }
    }
}

#[async_trait]
impl PdsXrpcClient for RealPdsXrpcClient {
    async fn post(
        &self,
        path: &str,
        bearer: Option<&str>,
        atproto_proxy: Option<&str>,
        body: &serde_json::Value,
    ) -> Result<RawPdsXrpcResponse, CreateReportStageError> {
        let mut url = self.base.clone();
        url.set_path(path);
        let source_url = url.to_string();
        let mut req = self
            .client
            .post(url.as_str())
            .header("Content-Type", "application/json")
            .body(serde_json::to_vec(body).expect("serde_json::Value always serializes"));
        if let Some(b) = bearer {
            req = req.header("Authorization", format!("Bearer {b}"));
        }
        if let Some(p) = atproto_proxy {
            req = req.header("atproto-proxy", p);
        }
        let resp = req
            .send()
            .await
            .map_err(|e| CreateReportStageError::Transport {
                source: Box::new(e),
            })?;
        let status = resp.status();
        let content_type = resp
            .headers()
            .get(reqwest::header::CONTENT_TYPE)
            .and_then(|h| h.to_str().ok())
            .map(|s| s.to_ascii_lowercase());
        let body = resp
            .bytes()
            .await
            .map_err(|e| CreateReportStageError::Transport {
                source: Box::new(e),
            })?;
        Ok(RawPdsXrpcResponse {
            status,
            raw_body: Arc::from(body.as_ref()),
            content_type,
            source_url,
        })
    }

    async fn get(
        &self,
        path: &str,
        bearer: Option<&str>,
        query: &[(&str, &str)],
    ) -> Result<RawPdsXrpcResponse, CreateReportStageError> {
        let mut url = self.base.clone();
        url.set_path(path);
        {
            let mut pairs = url.query_pairs_mut();
            for (k, v) in query {
                pairs.append_pair(k, v);
            }
        }
        let source_url = url.to_string();
        let mut req = self.client.get(url.as_str());
        if let Some(b) = bearer {
            req = req.header("Authorization", format!("Bearer {b}"));
        }
        let resp = req
            .send()
            .await
            .map_err(|e| CreateReportStageError::Transport {
                source: Box::new(e),
            })?;
        let status = resp.status();
        let content_type = resp
            .headers()
            .get(reqwest::header::CONTENT_TYPE)
            .and_then(|h| h.to_str().ok())
            .map(|s| s.to_ascii_lowercase());
        let body = resp
            .bytes()
            .await
            .map_err(|e| CreateReportStageError::Transport {
                source: Box::new(e),
            })?;
        Ok(RawPdsXrpcResponse {
            status,
            raw_body: Arc::from(body.as_ref()),
            content_type,
            source_url,
        })
    }
}

/// Real `CreateReportTee` implementation using reqwest.
pub struct RealCreateReportTee {
    client: reqwest::Client,
    endpoint: Url,
}

impl RealCreateReportTee {
    /// Create a new `RealCreateReportTee` using the given shared reqwest
    /// client and labeler endpoint. The endpoint is the labeler's service
    /// URL (e.g., `https://labeler.example.com`); the POST path
    /// `/xrpc/com.atproto.moderation.createReport` is appended.
    pub fn new(client: reqwest::Client, endpoint: Url) -> Self {
        Self { client, endpoint }
    }
}

#[async_trait]
impl CreateReportTee for RealCreateReportTee {
    async fn post_create_report(
        &self,
        auth: Option<&str>,
        body: &serde_json::Value,
    ) -> Result<RawCreateReportResponse, CreateReportStageError> {
        let mut url = self.endpoint.clone();
        url.set_path("xrpc/com.atproto.moderation.createReport");
        let source_url = url.to_string();

        tracing::debug!(
            url = %source_url,
            auth_kind = match auth {
                None => "none",
                Some(t) if !t.starts_with("ey") => "malformed",
                Some(_) => "jwt",
            },
            "report stage: issuing createReport POST"
        );

        let mut req = self
            .client
            .post(url.as_str())
            .header("Content-Type", "application/json")
            .body(serde_json::to_vec(body).expect("serde_json::Value always serializes"));
        if let Some(token) = auth {
            req = req.header("Authorization", format!("Bearer {token}"));
        }

        let response = req
            .send()
            .await
            .map_err(|e| CreateReportStageError::Transport {
                source: Box::new(e),
            })?;

        let status = response.status();
        let content_type = response
            .headers()
            .get(reqwest::header::CONTENT_TYPE)
            .and_then(|h| h.to_str().ok())
            .map(|s| s.to_ascii_lowercase());

        let body_bytes = response
            .bytes()
            .await
            .map_err(|e| CreateReportStageError::Transport {
                source: Box::new(e),
            })?;

        tracing::debug!(
            url = %source_url,
            status = %status,
            body_len = body_bytes.len(),
            "report stage: createReport response received"
        );

        Ok(RawCreateReportResponse {
            status,
            content_type,
            raw_body: Arc::from(body_bytes.as_ref()),
            source_url,
        })
    }
}

/// Error type for `PdsJwtFetcher` operations.
///
/// Carries a human-readable message; every PDS-side failure is treated as
/// a `NetworkError` by the report stage (per AC5.3 / AC6.3).
#[derive(Debug)]
pub enum PdsJwtFetchError {
    Transport(CreateReportStageError),
    Failed(RawPdsXrpcResponse),
    InvalidBody {
        resp: RawPdsXrpcResponse,
        error: serde_json::Error,
    },
    MissingToken(RawPdsXrpcResponse),
}

impl std::fmt::Display for PdsJwtFetchError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            PdsJwtFetchError::Transport(e) => write!(f, "getServiceAuth transport: {e}"),
            PdsJwtFetchError::Failed(resp) => {
                write!(f, "getServiceAuth returned status {}", resp.status)
            }
            PdsJwtFetchError::InvalidBody { error, .. } => {
                write!(f, "getServiceAuth body not JSON: {error}")
            }
            PdsJwtFetchError::MissingToken(_) => write!(f, "getServiceAuth response missing token"),
        }
    }
}

impl PdsJwtFetchError {
    fn into_diagnostic(self) -> Option<Box<dyn miette::Diagnostic + Send + Sync>> {
        match self {
            Self::Transport(_) => None,
            Self::Failed(resp) | Self::InvalidBody { resp, .. } | Self::MissingToken(resp) => {
                let (source_code, span) = body_as_named_source_from_pds(&resp);
                let diag = CreateReportDiagnostic::PdsServiceAuthRejected {
                    origin: ResponseOrigin::Pds,
                    status: resp.status.as_u16(),
                    source_code,
                    span,
                };
                Some(Box::new(diag))
            }
        }
    }
}

/// Fetches a service-auth JWT from a PDS by first creating a session and
/// then calling `getServiceAuth`. Used in mode-2 (`pds_service_auth_accepted`).
pub struct PdsJwtFetcher<'a> {
    client: &'a dyn PdsXrpcClient,
}

impl<'a> PdsJwtFetcher<'a> {
    /// Create a new `PdsJwtFetcher` using the given PDS client.
    pub fn new(client: &'a dyn PdsXrpcClient) -> Self {
        Self { client }
    }

    /// Call `getServiceAuth` using the provided access JWT, returning the
    /// minted service-auth JWT. The access JWT should come from a prior
    /// `createSession` call.
    pub async fn fetch_with_jwt(
        &self,
        access_jwt: &str,
        aud: &str,
        lxm: &str,
        exp_absolute_unix: i64,
    ) -> Result<String, PdsJwtFetchError> {
        // getServiceAuth (GET with query params).
        let exp_s = exp_absolute_unix.to_string();
        let resp = self
            .client
            .get(
                "xrpc/com.atproto.server.getServiceAuth",
                Some(access_jwt),
                &[("aud", aud), ("lxm", lxm), ("exp", &exp_s)],
            )
            .await
            .map_err(PdsJwtFetchError::Transport)?;
        if !resp.status.is_success() {
            return Err(PdsJwtFetchError::Failed(resp));
        }
        let token = match serde_json::from_slice::<serde_json::Value>(&resp.raw_body) {
            Err(error) => Err(PdsJwtFetchError::InvalidBody { resp, error }),
            Ok(auth) => auth["token"]
                .as_str()
                .map(|s| s.to_string())
                .ok_or_else(|| PdsJwtFetchError::MissingToken(resp)),
        }?;

        Ok(token)
    }
}

/// Posts `com.atproto.moderation.createReport` to the PDS (not the
/// labeler) with the `atproto-proxy` header, letting the PDS mint and
/// forward the JWT itself.
pub struct PdsProxiedPoster<'a> {
    client: &'a dyn PdsXrpcClient,
}

impl<'a> PdsProxiedPoster<'a> {
    /// Create a new `PdsProxiedPoster` using the given PDS client.
    pub fn new(client: &'a dyn PdsXrpcClient) -> Self {
        Self { client }
    }

    /// Post the createReport body through the PDS with the given user
    /// access JWT. Returns the `RawPdsXrpcResponse` so the caller can
    /// classify success / labeler-side rejection / PDS-side rejection.
    pub async fn post(
        &self,
        labeler_did: &str,
        access_jwt: &str,
        body: &serde_json::Value,
    ) -> Result<RawPdsXrpcResponse, CreateReportStageError> {
        self.client
            .post(
                "xrpc/com.atproto.moderation.createReport",
                Some(access_jwt),
                Some(&format!("{labeler_did}#atproto_labeler")),
                body,
            )
            .await
    }
}

/// Minimal per-check outcome facts for possible future consumer stages.
/// All three `Option<bool>` fields are `None` unless the corresponding
/// positive check ran and produced a concrete outcome.
#[derive(Debug, Clone, Default)]
pub struct CreateReportFacts {
    /// `self_mint_accepted` outcome: `Some(true)` on Pass, `Some(false)` on
    /// SpecViolation, `None` on Skipped/NetworkError.
    pub self_mint_succeeded: Option<bool>,
    /// `pds_service_auth_accepted` outcome (see above).
    pub pds_service_auth_succeeded: Option<bool>,
    /// `pds_proxied_accepted` outcome (see above).
    pub pds_proxied_succeeded: Option<bool>,
}

/// Stage output: facts (populated only when the stage produced meaningful
/// outcome data) and the full 10-row results vector.
#[derive(Debug)]
pub struct CreateReportStageOutput {
    pub facts: Option<CreateReportFacts>,
    pub results: Vec<CheckResult>,
}

/// Stable check identifiers for the `report` stage.
///
/// Order MUST match the DoD ordering (AC7.2): contract, unauth, malformed,
/// wrong-aud, wrong-lxm, expired, rejected-shape, self-mint, pds-service-auth,
/// pds-proxied.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Check {
    ContractPublished,
    UnauthenticatedRejected,
    MalformedBearerRejected,
    WrongAudRejected,
    WrongLxmRejected,
    ExpiredRejected,
    RejectedShapeReturns400,
    SelfMintAccepted,
    PdsServiceAuthAccepted,
    PdsProxiedAccepted,
}

impl Check {
    /// Stable `CheckResult.id` string.
    pub fn id(self) -> &'static str {
        match self {
            Check::ContractPublished => "report::contract_published",
            Check::UnauthenticatedRejected => "report::unauthenticated_rejected",
            Check::MalformedBearerRejected => "report::malformed_bearer_rejected",
            Check::WrongAudRejected => "report::wrong_aud_rejected",
            Check::WrongLxmRejected => "report::wrong_lxm_rejected",
            Check::ExpiredRejected => "report::expired_rejected",
            Check::RejectedShapeReturns400 => "report::rejected_shape_returns_400",
            Check::SelfMintAccepted => "report::self_mint_accepted",
            Check::PdsServiceAuthAccepted => "report::pds_service_auth_accepted",
            Check::PdsProxiedAccepted => "report::pds_proxied_accepted",
        }
    }

    /// Canonical iteration order for the 10 checks, matching AC7.2.
    pub const ORDER: [Check; 10] = [
        Check::ContractPublished,
        Check::UnauthenticatedRejected,
        Check::MalformedBearerRejected,
        Check::WrongAudRejected,
        Check::WrongLxmRejected,
        Check::ExpiredRejected,
        Check::RejectedShapeReturns400,
        Check::SelfMintAccepted,
        Check::PdsServiceAuthAccepted,
        Check::PdsProxiedAccepted,
    ];

    /// Build a `Pass` result for this check with a default summary.
    pub fn pass(self) -> CheckResult {
        CheckResult {
            id: self.id(),
            stage: Stage::Report,
            status: CheckStatus::Pass,
            summary: Cow::Borrowed(self.default_summary_pass()),
            diagnostic: None,
            skipped_reason: None,
        }
    }

    /// Build a `SpecViolation` result for this check with an optional
    /// diagnostic.
    pub fn spec_violation(self, diagnostic: CreateReportDiagnostic) -> CheckResult {
        CheckResult {
            id: self.id(),
            stage: Stage::Report,
            status: CheckStatus::SpecViolation,
            summary: Cow::Borrowed(self.default_summary_fail()),
            diagnostic: Some(Box::new(diagnostic) as _),
            skipped_reason: None,
        }
    }

    /// Build an `Advisory` result (used by `rejected_shape_returns_400` AC3.6).
    pub fn advisory(self, diagnostic: CreateReportDiagnostic) -> CheckResult {
        CheckResult {
            id: self.id(),
            stage: Stage::Report,
            status: CheckStatus::Advisory,
            summary: Cow::Borrowed(self.default_summary_fail()),
            diagnostic: Some(Box::new(diagnostic) as _),
            skipped_reason: None,
        }
    }

    /// Build a `NetworkError` result (used by PDS-side failure modes).
    pub fn network_error(self, message: String) -> CheckResult {
        CheckResult {
            id: self.id(),
            stage: Stage::Report,
            status: CheckStatus::NetworkError,
            summary: Cow::Owned(format!("{}: {message}", self.default_summary_fail())),
            diagnostic: None,
            skipped_reason: None,
        }
    }

    /// Build a `Skipped` result with the supplied reason.
    pub fn skip(self, reason: &'static str) -> CheckResult {
        CheckResult {
            id: self.id(),
            stage: Stage::Report,
            status: CheckStatus::Skipped,
            summary: Cow::Borrowed(self.default_summary_pass()),
            diagnostic: None,
            skipped_reason: Some(Cow::Borrowed(reason)),
        }
    }

    fn default_summary_pass(self) -> &'static str {
        match self {
            Check::ContractPublished => "Labeler advertises reportable shape",
            Check::UnauthenticatedRejected => "Unauthenticated report rejected",
            Check::MalformedBearerRejected => "Malformed bearer rejected",
            Check::WrongAudRejected => "JWT with wrong `aud` rejected",
            Check::WrongLxmRejected => "JWT with wrong `lxm` rejected",
            Check::ExpiredRejected => "Expired JWT rejected",
            Check::RejectedShapeReturns400 => "Invalid shape returns 400 InvalidRequest",
            Check::SelfMintAccepted => "Self-mint report accepted",
            Check::PdsServiceAuthAccepted => "PDS-minted JWT accepted",
            Check::PdsProxiedAccepted => "PDS-proxied report accepted",
        }
    }

    fn default_summary_fail(self) -> &'static str {
        match self {
            Check::ContractPublished => "Labeler does not advertise a reportable shape",
            Check::UnauthenticatedRejected => {
                "Unauthenticated report accepted (should have been rejected)"
            }
            Check::MalformedBearerRejected => {
                "Malformed bearer accepted (should have been rejected)"
            }
            Check::WrongAudRejected => "JWT with wrong `aud` accepted",
            Check::WrongLxmRejected => "JWT with wrong `lxm` accepted",
            Check::ExpiredRejected => "Expired JWT accepted",
            Check::RejectedShapeReturns400 => "Rejection status was not 400 InvalidRequest",
            Check::SelfMintAccepted => "Self-mint report rejected",
            Check::PdsServiceAuthAccepted => "PDS-minted JWT rejected",
            Check::PdsProxiedAccepted => "PDS-proxied report rejected",
        }
    }
}

/// Aggregate of the stage-relevant options, extracted from `LabelerOptions`
/// by the pipeline and passed to `run`. Having a local, narrow shape
/// avoids forcing `run`'s signature to take everything in `LabelerOptions`.
pub struct CreateReportRunOptions<'a> {
    pub commit_report: bool,
    pub force_self_mint: bool,
    pub self_mint_curve: self_mint::SelfMintCurve,
    pub report_subject_override: Option<&'a crate::common::identity::Did>,
    pub self_mint_signer: Option<&'a self_mint::SelfMintSigner>,
    pub pds_credentials: Option<&'a crate::commands::test::labeler::pipeline::PdsCredentials>,
    pub pds_xrpc_client: Option<&'a dyn PdsXrpcClient>,
    /// Populated by the pipeline when `--handle` was supplied but resolving
    /// the handle to the reporter's PDS endpoint failed. Surfaced as a
    /// `NetworkError` on both PDS-mediated checks so the operator can tell
    /// a resolution failure apart from a missing-credentials skip.
    pub pds_resolution_error: Option<&'a str>,
    pub run_id: &'a str,
}

/// Run the report stage.
///
/// Stage inputs are passed via `LabelerOptions` (or directly as arguments
/// here, to keep the signature mirroring the other stages). The stage
/// always emits exactly 10 `report::*` CheckResults (AC7.1) in canonical
/// order (AC7.2), regardless of gating decisions.
pub async fn run(
    identity_facts: Option<&crate::commands::test::labeler::identity::IdentityFacts>,
    report_tee: &dyn CreateReportTee,
    opts: &CreateReportRunOptions<'_>,
) -> CreateReportStageOutput {
    let mut results = Vec::with_capacity(10);

    // If identity didn't land, every check is blocked by the identity
    // stage. Emit 10 Skipped rows and return.
    let Some(id_facts) = identity_facts else {
        for c in Check::ORDER {
            results.push(c.skip("blocked by identity stage"));
        }
        return CreateReportStageOutput {
            facts: None,
            results,
        };
    };

    // Examine the published contract (from Task 0's extended IdentityFacts).
    let reason_types = id_facts.reason_types.as_ref();
    let subject_types = id_facts.subject_types.as_ref();
    let has_reason_types = reason_types.map(|v| !v.is_empty()).unwrap_or(false);
    let has_subject_types = subject_types.map(|v| !v.is_empty()).unwrap_or(false);
    let contract_advertised = has_reason_types && has_subject_types;

    // AC1: compute the contract_published row and the blocking reason for
    // all downstream checks if the contract is missing.
    //
    // Control-flow contract: each branch below pushes EXACTLY 10 rows
    // (1 contract row + 9 downstream) and returns. No fallthrough — the
    // "contract advertised" branch is the one that invokes the
    // authenticated negative checks and the committing positive checks.
    if !contract_advertised {
        if opts.commit_report {
            // AC1.3: commit requested, contract missing ⇒ SpecViolation +
            // every other check blocked by this one.
            let diag = CreateReportDiagnostic::ContractMissing {
                has_reason_types,
                has_subject_types,
            };
            results.push(Check::ContractPublished.spec_violation(diag));
            for c in Check::ORDER.iter().skip(1).copied() {
                results.push(c.skip("blocked by `report::contract_published`"));
            }
        } else {
            // AC1.2: no commit, contract missing ⇒ whole stage skipped.
            results.push(
                Check::ContractPublished.skip("labeler does not advertise report acceptance"),
            );
            for c in Check::ORDER.iter().skip(1).copied() {
                results.push(c.skip("labeler does not advertise report acceptance"));
            }
        }
        return CreateReportStageOutput {
            facts: None,
            results,
        };
    }

    // Contract advertised. Emit the Pass row and fall through into the
    // per-check logic.
    results.push(Check::ContractPublished.pass());

    // Minimal body for negative checks. The labeler should reject at auth
    // before examining body shape; we nonetheless supply a plausible body so
    // a labeler that performs body validation first doesn't return 400
    // instead of 401, which would make the test ambiguous.
    let negative_body = build_minimal_report_body(id_facts);

    // AC2.1/AC2.2/AC2.5 — unauthenticated:
    match report_tee.post_create_report(None, &negative_body).await {
        Ok(resp) => match RejectionShape::classify(&resp) {
            RejectionShape::Conformant { .. } => {
                results.push(Check::UnauthenticatedRejected.pass());
            }
            RejectionShape::ConformantStatusNonConformantShape => {
                results.push(CheckResult {
                    summary: Cow::Borrowed(
                        "Unauthenticated report rejected (status 401, non-conformant envelope)",
                    ),
                    ..Check::UnauthenticatedRejected.pass()
                });
            }
            RejectionShape::WrongStatus { status } => {
                let status_u16 = status.as_u16();
                let (source_code, span) = body_as_named_source(&resp);
                let diag = CreateReportDiagnostic::UnauthenticatedAccepted {
                    status: status_u16,
                    source_code,
                    span,
                };
                results.push(Check::UnauthenticatedRejected.spec_violation(diag));
            }
        },
        Err(CreateReportStageError::Transport { source }) => {
            results.push(Check::UnauthenticatedRejected.network_error(source.to_string()));
        }
    }

    // AC2.3/AC2.4 — malformed bearer:
    match report_tee
        .post_create_report(Some("not-a-jwt"), &negative_body)
        .await
    {
        Ok(resp) => match RejectionShape::classify(&resp) {
            RejectionShape::Conformant { .. } => {
                results.push(Check::MalformedBearerRejected.pass());
            }
            RejectionShape::ConformantStatusNonConformantShape => {
                results.push(CheckResult {
                    summary: Cow::Borrowed(
                        "Malformed bearer rejected (status 401, non-conformant envelope)",
                    ),
                    ..Check::MalformedBearerRejected.pass()
                });
            }
            RejectionShape::WrongStatus { status } => {
                let status_u16 = status.as_u16();
                let (source_code, span) = body_as_named_source(&resp);
                let diag = CreateReportDiagnostic::MalformedBearerAccepted {
                    status: status_u16,
                    source_code,
                    span,
                };
                results.push(Check::MalformedBearerRejected.spec_violation(diag));
            }
        },
        Err(CreateReportStageError::Transport { source }) => {
            results.push(Check::MalformedBearerRejected.network_error(source.to_string()));
        }
    }

    // Recompute self_mint_viable using the *actual* labeler endpoint now
    // that identity has run.
    let is_local_labeler = is_local_labeler_hostname(&id_facts.labeler_endpoint);
    let self_mint_viable = opts.force_self_mint || is_local_labeler;

    let signer_for_negative = if self_mint_viable {
        opts.self_mint_signer
    } else {
        None
    };

    // Compute `now` once for all JWT-based checks.
    let now = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_secs() as i64)
        .unwrap_or(0);

    // CRITICAL: this block either emits 4 Skipped rows OR emits 4 real-check
    // rows, then falls through to the committing checks for SelfMintAccepted,
    // PdsServiceAuthAccepted, PdsProxiedAccepted. Do NOT `return` here — the
    // stage always emits 10 rows total, and the later checks need to run
    // regardless of self-mint viability.
    if let Some(signer) = signer_for_negative {
        // Mint per-check tokens from the valid-claims template. All four
        // checks share the same `now`, `lxm`, and `template`. Each check
        // inlines its own `match` rather than using a shared helper —
        // nested `async fn` is unsupported in stable Rust, and a closure
        // returning `Box<dyn Diagnostic>` across `await` would force `Send`
        // bounds that complicate the call site.
        let lxm = "com.atproto.moderation.createReport";
        let template =
            signer.valid_claims_template(&id_facts.did, lxm, now, Duration::from_secs(60));

        let negative_body = build_minimal_report_body(id_facts);

        // AC3.1/AC3.2 — wrong aud:
        {
            let mut claims = template.clone();
            claims.aud = "did:plc:0000000000000000000000000".to_string();
            let token = signer.sign_jwt(claims);
            match report_tee
                .post_create_report(Some(&token), &negative_body)
                .await
            {
                Ok(resp) => match RejectionShape::classify(&resp) {
                    RejectionShape::Conformant { .. } => {
                        results.push(Check::WrongAudRejected.pass())
                    }
                    RejectionShape::ConformantStatusNonConformantShape => {
                        results.push(CheckResult {
                            summary: Cow::Borrowed(
                                "Rejected with 401 but envelope is non-conformant",
                            ),
                            ..Check::WrongAudRejected.pass()
                        })
                    }
                    RejectionShape::WrongStatus { .. } => {
                        let (source_code, span) = body_as_named_source(&resp);
                        let diag = CreateReportDiagnostic::WrongAudAccepted {
                            status: resp.status.as_u16(),
                            source_code,
                            span,
                        };
                        results.push(Check::WrongAudRejected.spec_violation(diag));
                    }
                },
                Err(CreateReportStageError::Transport { source }) => {
                    results.push(Check::WrongAudRejected.network_error(source.to_string()));
                }
            }
        }

        // AC3.3 — wrong lxm:
        {
            let mut claims = template.clone();
            claims.lxm = "com.atproto.server.getSession".to_string();
            let token = signer.sign_jwt(claims);
            match report_tee
                .post_create_report(Some(&token), &negative_body)
                .await
            {
                Ok(resp) => match RejectionShape::classify(&resp) {
                    RejectionShape::Conformant { .. } => {
                        results.push(Check::WrongLxmRejected.pass())
                    }
                    RejectionShape::ConformantStatusNonConformantShape => {
                        results.push(CheckResult {
                            summary: Cow::Borrowed(
                                "Rejected with 401 but envelope is non-conformant",
                            ),
                            ..Check::WrongLxmRejected.pass()
                        })
                    }
                    RejectionShape::WrongStatus { .. } => {
                        let (source_code, span) = body_as_named_source(&resp);
                        let diag = CreateReportDiagnostic::WrongLxmAccepted {
                            status: resp.status.as_u16(),
                            source_code,
                            span,
                        };
                        results.push(Check::WrongLxmRejected.spec_violation(diag));
                    }
                },
                Err(CreateReportStageError::Transport { source }) => {
                    results.push(Check::WrongLxmRejected.network_error(source.to_string()));
                }
            }
        }

        // AC3.4 — expired:
        {
            let mut claims = template.clone();
            claims.exp = now - 300;
            claims.iat = now - 360;
            let token = signer.sign_jwt(claims);
            match report_tee
                .post_create_report(Some(&token), &negative_body)
                .await
            {
                Ok(resp) => match RejectionShape::classify(&resp) {
                    RejectionShape::Conformant { .. } => {
                        results.push(Check::ExpiredRejected.pass())
                    }
                    RejectionShape::ConformantStatusNonConformantShape => {
                        results.push(CheckResult {
                            summary: Cow::Borrowed(
                                "Rejected with 401 but envelope is non-conformant",
                            ),
                            ..Check::ExpiredRejected.pass()
                        })
                    }
                    RejectionShape::WrongStatus { .. } => {
                        let (source_code, span) = body_as_named_source(&resp);
                        let diag = CreateReportDiagnostic::ExpiredAccepted {
                            status: resp.status.as_u16(),
                            source_code,
                            span,
                        };
                        results.push(Check::ExpiredRejected.spec_violation(diag));
                    }
                },
                Err(CreateReportStageError::Transport { source }) => {
                    results.push(Check::ExpiredRejected.network_error(source.to_string()));
                }
            }
        }

        // AC3.5/AC3.6 — rejected shape:
        {
            let claims = template.clone();
            let token = signer.sign_jwt(claims);
            // Invalid body: a reasonType that is NOT in id_facts.reason_types.
            let bogus_reason_type = synth_unadvertised_reason_type(id_facts);
            let invalid_body = {
                let mut body = negative_body.clone();
                if let Some(obj) = body.as_object_mut() {
                    obj.insert(
                        "reasonType".to_string(),
                        serde_json::Value::String(bogus_reason_type),
                    );
                }
                body
            };
            match report_tee
                .post_create_report(Some(&token), &invalid_body)
                .await
            {
                Ok(resp) => {
                    let envelope = XrpcErrorEnvelope::parse(&resp.raw_body);
                    let error_name = envelope.as_ref().and_then(|e| e.error.clone());
                    if resp.status == reqwest::StatusCode::BAD_REQUEST
                        && error_name.as_deref() == Some("InvalidRequest")
                    {
                        // AC3.5: 400 InvalidRequest → Pass.
                        results.push(Check::RejectedShapeReturns400.pass());
                    } else if resp.status == reqwest::StatusCode::UNAUTHORIZED
                        || resp.status.is_server_error()
                    {
                        // AC3.6: 401 or 5xx → Advisory with shape_not_400.
                        let (source_code, span) = body_as_named_source(&resp);
                        let diag = CreateReportDiagnostic::ShapeNot400 {
                            status: resp.status.as_u16(),
                            error_name: error_name.clone(),
                            source_code,
                            span,
                        };
                        results.push(Check::RejectedShapeReturns400.advisory(diag));
                    } else if resp.status == reqwest::StatusCode::BAD_REQUEST {
                        // 400 but not `InvalidRequest` name → Advisory.
                        let (source_code, span) = body_as_named_source(&resp);
                        let diag = CreateReportDiagnostic::ShapeNot400 {
                            status: 400,
                            error_name: error_name.clone(),
                            source_code,
                            span,
                        };
                        results.push(Check::RejectedShapeReturns400.advisory(diag));
                    } else {
                        // Catch-all: 200 accepted → Advisory. A 200 for an invalid
                        // shape is a labeler looseness issue, not the same category
                        // as the `self_mint_accepted` SpecViolation (which expects
                        // a *valid* shape to be accepted).
                        let (source_code, span) = body_as_named_source(&resp);
                        let diag = CreateReportDiagnostic::ShapeNot400 {
                            status: resp.status.as_u16(),
                            error_name,
                            source_code,
                            span,
                        };
                        results.push(Check::RejectedShapeReturns400.advisory(diag));
                    }
                }
                Err(CreateReportStageError::Transport { source }) => {
                    results.push(Check::RejectedShapeReturns400.network_error(source.to_string()));
                }
            }
        }
    } else {
        let reason = "self-mint required; labeler endpoint appears non-local (override with --force-self-mint)";
        for c in [
            Check::WrongAudRejected,
            Check::WrongLxmRejected,
            Check::ExpiredRejected,
            Check::RejectedShapeReturns400,
        ] {
            results.push(c.skip(reason));
        }
    }

    // Fallthrough to the committing check logic below. Keeping this block
    // fallthrough-safe is why the `if let Some(signer)` above does NOT
    // `return`.

    // AC4.4 — gate on commit_report.
    if !opts.commit_report {
        results.push(Check::SelfMintAccepted.skip("commit gated behind --commit-report"));
    } else if let Some(signer) = signer_for_negative {
        // AC4.1/AC4.2 — construct a positive POST with pollution-avoidance.
        // Reads the contract from the `reason_types` / `subject_types` fields
        // on `IdentityFacts`.
        let reason_type = pollution::choose_reason_type(
            id_facts.reason_types.as_deref().unwrap_or(&[]),
            is_local_labeler,
        );
        let subject = pollution::choose_subject(
            id_facts.subject_types.as_deref().unwrap_or(&[]),
            signer.issuer_did(),
            opts.report_subject_override,
            is_local_labeler,
        );
        let sentinel = sentinel::build(opts.run_id, SystemTime::now());
        let positive_body = serde_json::json!({
            "reasonType": reason_type,
            "subject": subject,
            "reason": sentinel,
        });

        // AC4.6 — the built body carries the sentinel; the integration test
        // in Task 4 asserts it via FakeCreateReportTee::last_request().

        let claims = signer.valid_claims_template(
            &id_facts.did,
            "com.atproto.moderation.createReport",
            now,
            Duration::from_secs(60),
        );
        let token = signer.sign_jwt(claims);

        match report_tee
            .post_create_report(Some(&token), &positive_body)
            .await
        {
            Ok(resp) if resp.status.is_success() => {
                // AC4.1/AC4.2: Pass. Optionally inspect body for createReport#output
                // shape — loose check: `id` is a number.
                let body_ok = serde_json::from_slice::<serde_json::Value>(&resp.raw_body)
                    .ok()
                    .and_then(|v| v.get("id").and_then(|id| id.as_i64()))
                    .is_some();
                if body_ok {
                    results.push(Check::SelfMintAccepted.pass());
                } else {
                    // 2xx but body doesn't look like createReport#output. Accept as
                    // Pass per design (status alone suffices), but note the
                    // non-conformant body in the summary.
                    results.push(CheckResult {
                        summary: Cow::Borrowed(
                            "Self-mint report accepted (2xx), body did not match createReport#output shape",
                        ),
                        ..Check::SelfMintAccepted.pass()
                    });
                }
            }
            Ok(resp) => {
                // AC4.3: non-2xx ⇒ SpecViolation.
                let (source_code, span) = body_as_named_source(&resp);
                let diag = CreateReportDiagnostic::SelfMintRejected {
                    status: resp.status.as_u16(),
                    source_code,
                    span,
                };
                results.push(Check::SelfMintAccepted.spec_violation(diag));
            }
            Err(CreateReportStageError::Transport { source }) => {
                results.push(Check::SelfMintAccepted.network_error(source.to_string()));
            }
        }
    } else {
        // AC4.5: commit requested but no signer available (non-viable or not provided).
        // Skip with the same viability reason as the AC3 checks.
        let reason = "self-mint required; labeler endpoint appears non-local (override with --force-self-mint)";
        results.push(Check::SelfMintAccepted.skip(reason));
    }

    // AC5/AC6 — PDS-mediated modes (modes 2 and 3).
    // Compute the gating precondition common to both PDS checks.
    let pds_gate_reason: &'static str = "requires --handle, --app-password, and --commit-report";
    let pds_ready =
        opts.commit_report && opts.pds_credentials.is_some() && opts.pds_xrpc_client.is_some();
    // Distinguish "no credentials" (skip) from "credentials supplied but the
    // reporter's PDS could not be resolved" (network error) so the operator
    // sees a useful failure mode rather than a silent skip.
    let pds_resolution_failed = opts.commit_report
        && opts.pds_credentials.is_some()
        && opts.pds_xrpc_client.is_none()
        && opts.pds_resolution_error.is_some();

    if pds_resolution_failed {
        let msg = opts
            .pds_resolution_error
            .expect("pds_resolution_failed implies Some")
            .to_string();
        results.push(Check::PdsServiceAuthAccepted.network_error(msg.clone()));
        results.push(Check::PdsProxiedAccepted.network_error(msg));
    } else if !pds_ready {
        results.push(Check::PdsServiceAuthAccepted.skip(pds_gate_reason));
        results.push(Check::PdsProxiedAccepted.skip(pds_gate_reason));
    } else {
        // Safe to unwrap thanks to pds_ready.
        let creds = opts.pds_credentials.expect("pds_ready implies creds");
        let pds_client = opts.pds_xrpc_client.expect("pds_ready implies client");

        // Reuse locality computed earlier.
        let is_local = is_local_labeler;
        let reason_type = pollution::choose_reason_type(
            id_facts.reason_types.as_deref().unwrap_or(&[]),
            is_local,
        );

        // Fetch the user session (DID and access JWT). Both PDS modes need
        // these upfront.
        match fetch_session_and_did(pds_client, &creds.handle, &creds.app_password).await {
            Err(message) => {
                results.push(Check::PdsServiceAuthAccepted.network_error(message.clone()));
                // AC6.3: if session fetch fails, proxied mode also fails at PDS.
                results.push(Check::PdsProxiedAccepted.network_error(message));
            }
            Ok(session) => {
                let user_did = Did(session.did);
                let access_jwt = session.access_jwt;
                let subject = pollution::choose_subject(
                    id_facts.subject_types.as_deref().unwrap_or(&[]),
                    &user_did,
                    opts.report_subject_override,
                    is_local,
                );
                let sentinel = sentinel::build(opts.run_id, SystemTime::now());
                let pds_body = serde_json::json!({
                    "reasonType": reason_type,
                    "subject": subject,
                    "reason": sentinel,
                });

                // Mode 2: getServiceAuth direct-POST.
                let exp_abs = now + 60;
                let fetcher = PdsJwtFetcher::new(pds_client);
                match fetcher
                    .fetch_with_jwt(
                        &access_jwt,
                        &id_facts.did.0,
                        "com.atproto.moderation.createReport",
                        exp_abs,
                    )
                    .await
                {
                    Err(e) => {
                        let message = e.to_string();
                        let diagnostic = e.into_diagnostic();
                        results.push(CheckResult {
                            diagnostic,
                            ..Check::PdsServiceAuthAccepted.network_error(message)
                        });
                    }
                    Ok(service_jwt) => {
                        match report_tee
                            .post_create_report(Some(&service_jwt), &pds_body)
                            .await
                        {
                            Ok(resp) if resp.status.is_success() => {
                                results.push(Check::PdsServiceAuthAccepted.pass());
                            }
                            Ok(resp) => {
                                let (source_code, span) = body_as_named_source(&resp);
                                let diag = CreateReportDiagnostic::PdsServiceAuthRejected {
                                    origin: ResponseOrigin::Labeler,
                                    status: resp.status.as_u16(),
                                    source_code,
                                    span,
                                };
                                results.push(Check::PdsServiceAuthAccepted.spec_violation(diag));
                            }
                            Err(CreateReportStageError::Transport { source }) => {
                                // Labeler-side transport failure during direct POST.
                                results.push(
                                    Check::PdsServiceAuthAccepted.network_error(source.to_string()),
                                );
                            }
                        }
                    }
                }

                // Mode 3: PDS-proxied.
                let proxier = PdsProxiedPoster::new(pds_client);
                match proxier.post(&id_facts.did.0, &access_jwt, &pds_body).await {
                    Err(CreateReportStageError::Transport { source }) => {
                        // Transport to the PDS itself; classify PDS-side.
                        results.push(Check::PdsProxiedAccepted.network_error(source.to_string()));
                    }
                    Ok(resp) if resp.status.is_success() => {
                        results.push(Check::PdsProxiedAccepted.pass());
                    }
                    Ok(resp) => {
                        // PDS surfaced a non-2xx. Interpret per envelope to
                        // distinguish PDS-side vs labeler-side:
                        let (source_code, span) = body_as_named_source_from_pds(&resp);
                        let envelope = XrpcErrorEnvelope::parse(&resp.raw_body);
                        let err_name = envelope.as_ref().and_then(|e| e.error.clone());
                        let is_upstream_label_error = matches!(
                            err_name.as_deref(),
                            Some("UpstreamError") | Some("UpstreamFailure")
                        ) || resp.status.as_u16() == 502
                            || resp.status.as_u16() == 504;
                        if is_upstream_label_error {
                            // AC6.2: labeler-side rejection surfaced by PDS.
                            let diag = CreateReportDiagnostic::PdsProxiedRejected {
                                origin: ResponseOrigin::Labeler,
                                status: resp.status.as_u16(),
                                source_code,
                                span,
                            };
                            results.push(Check::PdsProxiedAccepted.spec_violation(diag));
                        } else {
                            // AC6.3: PDS-side rejection of the proxy attempt.
                            let diag = CreateReportDiagnostic::PdsProxiedRejected {
                                origin: ResponseOrigin::Pds,
                                status: resp.status.as_u16(),
                                source_code,
                                span,
                            };
                            results.push(CheckResult {
                                diagnostic: Some(Box::new(diag)),
                                ..Check::PdsProxiedAccepted.network_error(format!(
                                    "PDS rejected proxy attempt with status {}",
                                    resp.status
                                ))
                            });
                        }
                    }
                }
            }
        }
    }

    CreateReportStageOutput {
        facts: None,
        results,
    }
}

/// Convenience wrapper that does createSession and returns both the DID
/// and the accessJwt. Needed by both PDS check modes to populate the body
/// with the correct subject DID.
struct SessionResult {
    did: String,
    access_jwt: String,
}

async fn fetch_session_and_did(
    client: &dyn PdsXrpcClient,
    handle: &str,
    app_password: &str,
) -> Result<SessionResult, String> {
    let body = serde_json::json!({ "identifier": handle, "password": app_password });
    let resp = client
        .post("xrpc/com.atproto.server.createSession", None, None, &body)
        .await
        .map_err(|e| format!("createSession transport: {e}"))?;
    if !resp.status.is_success() {
        return Err(format!("createSession returned {}", resp.status));
    }
    let session: serde_json::Value =
        serde_json::from_slice(&resp.raw_body).map_err(|e| format!("createSession body: {e}"))?;
    let did = session["did"]
        .as_str()
        .ok_or("createSession missing did")?
        .to_string();
    let access_jwt = session["accessJwt"]
        .as_str()
        .ok_or("createSession missing accessJwt")?
        .to_string();
    Ok(SessionResult { did, access_jwt })
}

/// Synthesize a `reasonType` string that is definitely NOT in the
/// labeler's advertised `reason_types`. NSID syntax (segments alphanumeric +
/// period only, fragment after `#`) is strictly valid so the labeler does
/// not reject for wrong reason (malformed NSID) before checking membership.
fn synth_unadvertised_reason_type(facts: &IdentityFacts) -> String {
    let empty = Vec::new();
    let advertised: &[String] = facts.reason_types.as_ref().unwrap_or(&empty);
    for i in 0..1000 {
        let candidate = format!("xyz.atprotodevtool.conformance.defs#unadvertised{i:03}");
        if !advertised.iter().any(|r| r == &candidate) {
            return candidate;
        }
    }
    // Unreachable in practice.
    "xyz.atprotodevtool.conformance.defs#unadvertisedFallback".to_string()
}

#[cfg(test)]
mod check_tests {
    use super::*;

    #[test]
    fn check_ids_are_unique_and_report_namespaced() {
        let mut seen = std::collections::HashSet::new();
        for c in Check::ORDER {
            let id = c.id();
            assert!(id.starts_with("report::"), "{id} not in report:: namespace");
            assert!(seen.insert(id), "duplicate check id: {id}");
        }
        assert_eq!(Check::ORDER.len(), 10, "DoD requires exactly 10 checks");
    }
}

/// A loosely-parsed atproto XRPC error envelope. Missing fields are
/// rendered as `None` rather than failing the parse — the "loose
/// assertion" philosophy in the design (see "Error envelope assertion
/// is deliberately loose").
#[derive(Debug, Clone)]
pub struct XrpcErrorEnvelope {
    /// The `error` field (PascalCase error name). `None` if absent or
    /// not a string.
    pub error: Option<String>,
    /// The `message` field. `None` if absent or not a string.
    pub message: Option<String>,
}

impl XrpcErrorEnvelope {
    /// Try to parse an atproto error envelope from the response body.
    /// Returns `None` only when the body is not valid JSON at all.
    /// Otherwise returns an envelope with whatever fields we could find.
    pub fn parse(body: &[u8]) -> Option<Self> {
        let v: serde_json::Value = serde_json::from_slice(body).ok()?;
        let obj = v.as_object()?;
        Some(Self {
            error: obj.get("error").and_then(|x| x.as_str()).map(String::from),
            message: obj
                .get("message")
                .and_then(|x| x.as_str())
                .map(String::from),
        })
    }

    /// `true` when the envelope has a non-empty `error` string.
    pub fn has_nonempty_error(&self) -> bool {
        self.error
            .as_deref()
            .map(|s| !s.is_empty())
            .unwrap_or(false)
    }
}

/// Outcome of the 401-envelope assertion.
pub enum RejectionShape {
    /// 401 with a non-empty `error` field — full-conformant.
    Conformant {
        /// The envelope for diagnostic rendering.
        envelope: XrpcErrorEnvelope,
    },
    /// 401 but the envelope is missing or has an empty `error` field.
    /// Treated as Pass on status alone per AC2.5 but the summary
    /// notes the non-conformant response shape.
    ConformantStatusNonConformantShape,
    /// Any non-401 status.
    WrongStatus {
        /// The observed status code.
        status: reqwest::StatusCode,
    },
}

impl RejectionShape {
    /// Classify a createReport response against the 401-envelope rubric.
    pub fn classify(resp: &RawCreateReportResponse) -> Self {
        if resp.status != reqwest::StatusCode::UNAUTHORIZED {
            return Self::WrongStatus {
                status: resp.status,
            };
        }
        match XrpcErrorEnvelope::parse(&resp.raw_body) {
            Some(env) if env.has_nonempty_error() => Self::Conformant { envelope: env },
            _ => Self::ConformantStatusNonConformantShape,
        }
    }
}

#[derive(Debug, Error, Diagnostic)]
pub enum CreateReportDiagnostic {
    /// Diagnostic for the `contract_missing` spec violation (AC1.3).
    ///
    /// Emitted when `--commit-report` is set and the identity-stage
    /// `labeler_policies` does not advertise a non-empty `reasonTypes` and
    /// `subjectTypes`. The body of the labeler record is attached as source
    /// so users can see what _was_ published.
    #[error("Labeler does not advertise a reportable `LabelerPolicies` shape")]
    #[diagnostic(
        code = "labeler::report::contract_missing",
        help = "`reasonTypes` and `subjectTypes` must both be present and non-empty on the labeler's published policies; the tool cannot verify reporting conformance without them."
    )]
    ContractMissing {
        /// `reasonTypes` present and non-empty?
        has_reason_types: bool,
        /// `subjectTypes` present and non-empty?
        has_subject_types: bool,
    },

    /// Diagnostic for AC2.2: labeler accepted an unauthenticated createReport POST.
    #[error("Labeler accepted unauthenticated createReport (status {status})")]
    #[diagnostic(
        code = "labeler::report::unauthenticated_accepted",
        help = "A labeler must reject createReport with 401 when no Authorization header is supplied."
    )]
    UnauthenticatedAccepted {
        /// Observed status code, e.g., 200.
        status: u16,
        /// Response body for context.
        #[source_code]
        source_code: NamedSource<Arc<[u8]>>,
        /// Span covering the response body so miette renders `source_code`.
        #[label("accepted here")]
        span: SourceSpan,
    },

    /// Diagnostic for AC2.4: labeler accepted a malformed bearer token.
    #[error("Labeler accepted malformed Bearer token (status {status})")]
    #[diagnostic(
        code = "labeler::report::malformed_bearer_accepted",
        help = "A labeler must reject createReport with 401 when the Authorization header carries a non-JWT string."
    )]
    MalformedBearerAccepted {
        /// Observed status code, e.g., 200.
        status: u16,
        /// Response body for context.
        #[source_code]
        source_code: NamedSource<Arc<[u8]>>,
        /// Span covering the response body so miette renders `source_code`.
        #[label("accepted here")]
        span: SourceSpan,
    },

    /// Diagnostic for AC3.2: labeler accepted JWT with wrong `aud` claim.
    #[error("Labeler accepted JWT with wrong `aud` (status {status})")]
    #[diagnostic(
        code = "labeler::report::wrong_aud_accepted",
        help = "A labeler must reject JWTs whose `aud` claim does not match its own DID."
    )]
    WrongAudAccepted {
        /// Observed status code, e.g., 200.
        status: u16,
        /// Response body for context.
        #[source_code]
        source_code: NamedSource<Arc<[u8]>>,
        /// Span covering the response body so miette renders `source_code`.
        #[label("accepted here")]
        span: SourceSpan,
    },

    /// Diagnostic for AC3.3: labeler accepted JWT with wrong `lxm` claim.
    #[error("Labeler accepted JWT with wrong `lxm` (status {status})")]
    #[diagnostic(
        code = "labeler::report::wrong_lxm_accepted",
        help = "A labeler must reject JWTs whose `lxm` claim does not match the invoked Lexicon method."
    )]
    WrongLxmAccepted {
        /// Observed status code, e.g., 200.
        status: u16,
        /// Response body for context.
        #[source_code]
        source_code: NamedSource<Arc<[u8]>>,
        /// Span covering the response body so miette renders `source_code`.
        #[label("accepted here")]
        span: SourceSpan,
    },

    /// Diagnostic for AC3.4: labeler accepted expired JWT.
    #[error("Labeler accepted expired JWT (status {status})")]
    #[diagnostic(
        code = "labeler::report::expired_accepted",
        help = "A labeler must reject JWTs whose `exp` claim is in the past."
    )]
    ExpiredAccepted {
        /// Observed status code, e.g., 200.
        status: u16,
        /// Response body for context.
        #[source_code]
        source_code: NamedSource<Arc<[u8]>>,
        /// Span covering the response body so miette renders `source_code`.
        #[label("accepted here")]
        span: SourceSpan,
    },

    /// Diagnostic for AC3.6: labeler rejected invalid shape with wrong status.
    #[error(
        "Unadvertised `reasonType` was rejected with status {status}, expected 400 InvalidRequest"
    )]
    #[diagnostic(
        code = "labeler::report::shape_not_400",
        help = "A labeler should return 400 InvalidRequest (not 401 or 500) for a `reasonType` not listed in its published LabelerPolicies.reasonTypes."
    )]
    ShapeNot400 {
        /// Observed status code.
        status: u16,
        /// Error name from the response envelope, if present.
        error_name: Option<String>,
        /// Response body for context.
        #[source_code]
        source_code: NamedSource<Arc<[u8]>>,
        /// Span covering the response body so miette renders `source_code`.
        #[label("rejected with wrong status here")]
        span: SourceSpan,
    },

    /// Diagnostic for AC4.3: self-mint report rejected by the labeler.
    #[error("Self-mint report rejected (status {status})")]
    #[diagnostic(
        code = "labeler::report::self_mint_rejected",
        help = "A labeler that advertises reportable shape should accept a well-formed, authenticated createReport. Check the labeler's service-auth validation and its acceptance of the advertised reasonType/subject shape."
    )]
    SelfMintRejected {
        /// Observed HTTP status code.
        status: u16,
        /// Response body for context.
        #[source_code]
        source_code: NamedSource<Arc<[u8]>>,
        /// Span covering the response body so miette renders `source_code`.
        #[label("rejected here")]
        span: SourceSpan,
    },

    /// Diagnostic for AC5.2 / AC5.3: the PDS-mediated service-auth flow
    /// produced a non-2xx response. `origin` identifies whether the
    /// rejection came from the labeler (AC5.2 spec violation) or the
    /// user's PDS during `getServiceAuth` (AC5.3 network error).
    #[error("{origin} rejected PDS-minted service-auth createReport (status {status})")]
    #[diagnostic(
        code = "labeler::report::pds_service_auth_rejected",
        help = "When `origin` is `Labeler`, the PDS issued a service-auth JWT bound to the labeler's DID and the createReport NSID; the labeler should have accepted it. When `origin` is `PDS`, the user's PDS refused to mint the service-auth JWT — verify the handle and app password, and confirm `--handle` resolves to a PDS that can mint service-auth tokens for this user."
    )]
    PdsServiceAuthRejected {
        /// Which party produced the non-2xx response.
        origin: ResponseOrigin,
        /// Observed HTTP status code.
        status: u16,
        /// Response body for context.
        #[source_code]
        source_code: NamedSource<Arc<[u8]>>,
        /// Span covering the response body so miette renders `source_code`.
        #[label("rejected here")]
        span: SourceSpan,
    },

    /// Diagnostic for AC6.2 / AC6.3: the PDS-proxied `createReport` flow
    /// produced a non-2xx response. `origin` identifies whether the
    /// rejection came from the labeler via upstream envelope (AC6.2 spec
    /// violation) or the user's PDS refusing the proxy attempt before
    /// forwarding (AC6.3 network error).
    #[error("{origin} rejected PDS-proxied createReport (status {status})")]
    #[diagnostic(
        code = "labeler::report::pds_proxied_rejected",
        help = "When `origin` is `Labeler`, the PDS forwarded the createReport call on the user's behalf; the downstream labeler reached it but rejected the submission. When `origin` is `PDS`, the user's PDS rejected the proxied call before it could reach the labeler — verify the handle, app password, and that the PDS is configured to proxy moderation calls to the target labeler."
    )]
    PdsProxiedRejected {
        /// Which party produced the non-2xx response.
        origin: ResponseOrigin,
        /// Observed HTTP status code.
        status: u16,
        /// Response body for context.
        #[source_code]
        source_code: NamedSource<Arc<[u8]>>,
        /// Span covering the response body so miette renders `source_code`.
        #[label("rejected here")]
        span: SourceSpan,
    },
}

/// Identifies which party in the PDS-mediated flow produced a non-2xx
/// response. Used to discriminate labeler-side spec violations from
/// PDS-side network errors within a single diagnostic variant, keeping
/// the one-diagnostic-per-check shape the report stage documents.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ResponseOrigin {
    /// The labeler itself produced the response (either directly, or via
    /// the PDS surfacing an upstream-labeler error envelope).
    Labeler,
    /// The user's PDS produced the response without the labeler being
    /// reached (e.g., `getServiceAuth` refused, or proxy rejected before
    /// forwarding).
    Pds,
}

impl std::fmt::Display for ResponseOrigin {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            ResponseOrigin::Labeler => f.write_str("Labeler"),
            ResponseOrigin::Pds => f.write_str("PDS"),
        }
    }
}

/// Construct a `NamedSource` and a span covering the whole body.
///
/// The span must be non-empty (and present on a `#[label]` field) for miette's
/// `GraphicalReportHandler` to actually render the `source_code` block; a
/// `None` span causes the source to be silently dropped from the rendered
/// diagnostic. We therefore return the span alongside the source and expect
/// every `accepted_*` / `rejected_*` diagnostic to wire both through.
pub(crate) fn body_as_named_source(
    resp: &RawCreateReportResponse,
) -> (NamedSource<Arc<[u8]>>, SourceSpan) {
    let pretty = pretty_json_for_display(&resp.raw_body);
    let span = SourceSpan::new(0.into(), pretty.len());
    (NamedSource::new(resp.source_url.clone(), pretty), span)
}

/// Construct a `NamedSource` and whole-body span from the PDS. Used for
/// PDS-mediated mode diagnostics where the response comes from the PDS not
/// the labeler.
pub(crate) fn body_as_named_source_from_pds(
    resp: &RawPdsXrpcResponse,
) -> (NamedSource<Arc<[u8]>>, SourceSpan) {
    let pretty = pretty_json_for_display(&resp.raw_body);
    let span = SourceSpan::new(0.into(), pretty.len());
    (NamedSource::new(resp.source_url.clone(), pretty), span)
}

/// Build a minimal, plausible createReport body for negative tests.
///
/// Chooses the lex-first advertised `reasonType` and the first advertised
/// `subjectType`, pointing at a safe subject (the labeler's own DID —
/// labelers never take action on themselves). The body is well-formed so
/// any validation short-circuit returns auth-layer rejection rather than
/// shape-layer rejection.
pub(crate) fn build_minimal_report_body(facts: &IdentityFacts) -> serde_json::Value {
    // Unwrap the contract — run() has already guaranteed it's present
    // and non-empty before this function is reachable.
    let reason_type = facts
        .reason_types
        .as_ref()
        .and_then(|v| v.first())
        .cloned()
        .unwrap_or_else(|| "com.atproto.moderation.defs#reasonOther".to_string());

    let subject_types: &[String] = facts.subject_types.as_deref().unwrap_or(&[]);
    let subject = if subject_types.iter().any(|t| t == "account") {
        serde_json::json!({
            "$type": "com.atproto.admin.defs#repoRef",
            "did": facts.did.0,
        })
    } else if subject_types.iter().any(|t| t == "record") {
        serde_json::json!({
            "$type": "com.atproto.repo.strongRef",
            // Ghost AT-URI targeting the labeler's own DID. Negative-path
            // only; positive paths use the real pollution-avoidance logic
            // in `self_mint_accepted`.
            "uri": format!("at://{}/app.bsky.feed.post/not-real", facts.did.0),
            "cid": "bafyreiaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
        })
    } else {
        // Fallback: account shape against the labeler itself.
        serde_json::json!({
            "$type": "com.atproto.admin.defs#repoRef",
            "did": facts.did.0,
        })
    };

    serde_json::json!({
        "reasonType": reason_type,
        "subject": subject,
    })
}

#[cfg(test)]
mod envelope_tests {
    use super::*;

    #[test]
    fn parse_well_formed_envelope() {
        let body = br#"{"error":"BadJwt","message":"invalid token"}"#;
        let env = XrpcErrorEnvelope::parse(body).expect("parses");
        assert_eq!(env.error.as_deref(), Some("BadJwt"));
        assert_eq!(env.message.as_deref(), Some("invalid token"));
        assert!(env.has_nonempty_error());
    }

    #[test]
    fn parse_empty_envelope() {
        let body = br#"{}"#;
        let env = XrpcErrorEnvelope::parse(body).expect("parses empty object");
        assert_eq!(env.error, None);
        assert!(!env.has_nonempty_error());
    }

    #[test]
    fn parse_non_json_returns_none() {
        assert!(XrpcErrorEnvelope::parse(b"<html>").is_none());
    }

    #[test]
    fn parse_empty_error_field_treated_as_missing() {
        let body = br#"{"error":""}"#;
        let env = XrpcErrorEnvelope::parse(body).unwrap();
        assert!(!env.has_nonempty_error());
    }
}