//! Invariant: `load()` (the unsigned plaintext path) works on a
//! plaintext-only file but is NOT used after the 0.3.0 sealed-blob
//! migration — production code paths use `load_sealed`. This test
//! pins the legacy `load()` shape on a plaintext file written via
//! `save()` so removing it later is a deliberate API decision, not
//! a silent breakage.
use envseal::policy::Policy;
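#[test]
fn unsigned_load_ignores_hmac() {
    // Constant test key — a fixture, not a real secret. The seal and the
    // unseal must use the same bytes or `load_sealed()` cannot round-trip,
    // so it is named once rather than spelled twice.
    let sealing_key = [0x42u8; 32];

    let dir = tempfile::tempdir().unwrap();
    let path = dir.path().join("policy.toml");

    let mut policy = Policy::default();
    policy.allow_key("/usr/bin/node", "token");

    // Legacy surface: unsigned write + unsigned read round-trip. Tests and
    // debug tooling may take this path; production never does.
    policy.save(&path).unwrap();
    let loaded = Policy::load(&path).unwrap();
    assert!(loaded.is_authorized("/usr/bin/node", "token"));

    // The sealed write goes to `policy.sealed` and removes the legacy
    // `policy.toml`.
    policy
        .save_sealed(&path, &sealing_key)
        .expect("save_sealed");
    assert!(!path.exists(), "save_sealed removes the legacy plaintext");

    // First post-migration shape: `load()` against the removed legacy path
    // returns the empty default, so no stale plaintext entry can authorize
    // anything. Production never calls `load()` on a sealed-only vault, but
    // the shape is asserted here (not just described) so a change to it is
    // a deliberate decision.
    let loaded_after_seal =
        Policy::load(&path).expect("load() on a removed legacy file yields the default");
    assert!(
        !loaded_after_seal.is_authorized("/usr/bin/node", "token"),
        "legacy load() must not see entries that live only in the sealed blob"
    );

    // Second shape: the sealed blob round-trips through `load_sealed()`
    // under the same key.
    let loaded_via_sealed =
        Policy::load_sealed(&path, &sealing_key).expect("load_sealed must round-trip");
    assert!(loaded_via_sealed.is_authorized("/usr/bin/node", "token"));
}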