heddle-cli 0.4.0

// SPDX-License-Identifier: Apache-2.0
//! End-to-end coverage for the redaction primitive.
//!
//! Build brief: `.agents/redaction-primitive.md`. The acceptance
//! criteria boil down to:
//!
//! 1. `heddle redact apply <state> --path <file>` writes a `Redaction`
//!    record and the state's `read_file` returns the stub on
//!    subsequent materialization.
//! 2. `heddle redact purge apply ... --force` removes the loose blob bytes
//!    and writes a `Purge` oplog entry. The `Redaction` record stays.
//! 3. `heddle redact list` / `heddle redact purge list` enumerate what's on
//!    disk; `heddle redact show` resolves by short id.
//!
//! These tests drive the CLI binary as a subprocess so they exercise
//! the full args → handler → repo → materialize stack rather than
//! poking at internals.

use std::{fs, process::Command};

use serde_json::Value;
use tempfile::TempDir;

use super::{assert_json_recovery_advice_fields, heddle, heddle_output};

fn write_test_private_key(path: &std::path::Path, pem: &str) {
    objects::fs_atomic::write_file_atomic_secret(path, pem.as_bytes())
        .expect("write test private key");
}

/// Bootstrap a repo containing a fake-secret file in a captured state.
/// Returns the temp dir and the short change-id of the capture.
fn setup_repo_with_secret() -> (TempDir, String) {
    let temp = TempDir::new().unwrap();
    heddle(&["init"], Some(temp.path())).unwrap();
    fs::create_dir_all(temp.path().join("config")).unwrap();
    fs::write(
        temp.path().join("config/secrets.toml"),
        b"api_token = \"super-secret-leaked-value\"\n",
    )
    .unwrap();
    heddle(&["capture", "-m", "leak the secret"], Some(temp.path())).unwrap();

    let raw = heddle(
        &["--output", "json", "log", "--limit", "1"],
        Some(temp.path()),
    )
    .unwrap();
    let value: Value = serde_json::from_str(&raw).unwrap();
    let state = value["states"][0]["change_id"]
        .as_str()
        .expect("log --output json should expose change_id")
        .to_string();
    (temp, state)
}

fn setup_git_overlay_repo_with_secret() -> (TempDir, String) {
    let temp = TempDir::new().unwrap();
    git_overlay_fixture_cmd(temp.path(), &["init", "-b", "main"]);
    git_overlay_fixture_cmd(temp.path(), &["config", "user.name", "Heddle Test"]);
    git_overlay_fixture_cmd(temp.path(), &["config", "user.email", "heddle@example.com"]);
    fs::write(temp.path().join("README.md"), "seed\n").unwrap();
    git_overlay_fixture_cmd(temp.path(), &["add", "."]);
    git_overlay_fixture_cmd(temp.path(), &["commit", "-m", "seed"]);
    heddle(&["adopt", "--ref", "main"], Some(temp.path())).unwrap();

    fs::create_dir_all(temp.path().join("config")).unwrap();
    fs::write(
        temp.path().join("config/secrets.toml"),
        b"api_token = \"super-secret-leaked-value\"\n",
    )
    .unwrap();
    heddle(
        &["--output", "json", "commit", "-m", "leak the secret"],
        Some(temp.path()),
    )
    .expect("heddle commit");

    let raw = heddle(
        &["--output", "json", "log", "--limit", "1"],
        Some(temp.path()),
    )
    .unwrap();
    let value: Value = serde_json::from_str(&raw).unwrap();
    let state = value["states"][0]["change_id"]
        .as_str()
        .expect("log --output json should expose change_id")
        .to_string();
    (temp, state)
}

fn git_overlay_fixture_cmd(path: &std::path::Path, args: &[&str]) {
    let output = Command::new("git")
        .args(args)
        .current_dir(path)
        .output()
        .unwrap_or_else(|err| panic!("git {args:?} should run: {err}"));
    assert!(
        output.status.success(),
        "git {args:?} failed\nstdout:\n{}\nstderr:\n{}",
        String::from_utf8_lossy(&output.stdout),
        String::from_utf8_lossy(&output.stderr)
    );
}

#[test]
fn redact_apply_writes_record_and_emits_short_id() {
    let (temp, state) = setup_repo_with_secret();
    let raw = heddle(
        &[
            "--output",
            "json",
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
        ],
        Some(temp.path()),
    )
    .expect("redact apply should succeed");
    let value: Value = serde_json::from_str(&raw).expect("redact apply output should be JSON");
    let redaction_id = value["redaction_id"].as_str().expect("redaction_id");
    // Redaction ids are blob-style ContentHash short forms (8 hex
    // chars; no `hd-` prefix — that lives on ChangeId only). The
    // contract is "non-empty, deterministic".
    assert_eq!(
        redaction_id.len(),
        8,
        "redaction id should be an 8-hex-char short form: {redaction_id}"
    );
    assert!(
        redaction_id.chars().all(|c| c.is_ascii_hexdigit()),
        "redaction id should be hex: {redaction_id}"
    );
    assert_eq!(value["path"].as_str().unwrap(), "config/secrets.toml");
    assert_eq!(value["reason"].as_str().unwrap(), "leaked credential");
    assert_eq!(value["states_redacted"].as_u64().unwrap(), 1);
}

#[test]
fn redact_list_surfaces_every_active_redaction() {
    let (temp, state) = setup_repo_with_secret();
    heddle(
        &[
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
        ],
        Some(temp.path()),
    )
    .unwrap();

    let raw = heddle(&["--output", "json", "redact", "list"], Some(temp.path()))
        .expect("redact list should succeed");
    let value: Value = serde_json::from_str(&raw).expect("redact list should emit JSON");
    assert_eq!(value["count"].as_u64().unwrap(), 1);
    let entries = value["redactions"].as_array().unwrap();
    assert_eq!(entries.len(), 1);
    assert_eq!(entries[0]["path"].as_str().unwrap(), "config/secrets.toml");
    assert_eq!(entries[0]["reason"].as_str().unwrap(), "leaked credential");
    // Pre-purge, the redaction should advertise that bytes remain on
    // disk. Operators reading the list need to know which entries are
    // still recoverable vs. permanently gone.
    assert!(!entries[0]["purged"].as_bool().unwrap());
}

#[test]
fn redact_show_resolves_by_short_id() {
    let (temp, state) = setup_repo_with_secret();
    let apply_raw = heddle(
        &[
            "--output",
            "json",
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
        ],
        Some(temp.path()),
    )
    .unwrap();
    let apply: Value = serde_json::from_str(&apply_raw).unwrap();
    let id = apply["redaction_id"].as_str().unwrap().to_string();

    let raw = heddle(
        &["--output", "json", "redact", "show", &id],
        Some(temp.path()),
    )
    .expect("redact show should accept short id");
    let value: Value = serde_json::from_str(&raw).expect("redact show should emit JSON");
    assert_eq!(value["redaction_id"].as_str().unwrap(), id);
    let stub = value["stub_preview"]
        .as_str()
        .expect("stub_preview present");
    assert!(stub.contains("redacted by Heddle"));
    assert!(stub.contains("leaked credential"));
}

#[test]
fn purge_apply_refuses_without_force() {
    let (temp, state) = setup_repo_with_secret();
    heddle(
        &[
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
        ],
        Some(temp.path()),
    )
    .unwrap();
    let output = heddle_output(
        &[
            "--output",
            "json",
            "redact",
            "purge",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
        ],
        Some(temp.path()),
    )
    .expect("invoke purge apply");
    assert!(
        !output.status.success(),
        "purge without --force must refuse"
    );
    assert!(
        output.stdout.is_empty(),
        "JSON-mode purge refusal must not write stdout: {}",
        String::from_utf8_lossy(&output.stdout)
    );
    let stderr = String::from_utf8_lossy(&output.stderr);
    let err: Value =
        serde_json::from_str(&stderr).expect("purge refusal should emit JSON error envelope");
    assert_json_recovery_advice_fields(&err, &err.to_string());
    assert!(
        err["kind"] == "destructive_requires_force"
            && err["error"]
                .as_str()
                .is_some_and(|error| error.contains("Refusing to purge")
                    && error.contains("destructive action requires --force"))
            && err["unsafe_condition"]
                .as_str()
                .is_some_and(|condition| condition.contains("purge is irreversible"))
            && err["preserved"]
                .as_str()
                .is_some_and(|preserved| preserved.contains("nothing was removed"))
            && err["hint"]
                .as_str()
                .is_some_and(|hint| hint.contains("heddle redact list")
                    && hint.contains("heddle redact purge apply")
                    && hint.contains("--force")),
        "refusal must use the shared destructive-force advice: {stderr}"
    );
}

#[test]
fn undo_redact_refusal_uses_json_error_envelope() {
    let (temp, state) = setup_repo_with_secret();
    heddle(
        &[
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
        ],
        Some(temp.path()),
    )
    .unwrap();

    let output = heddle_output(&["--output", "json", "undo"], Some(temp.path()))
        .expect("invoke undo redaction");
    assert!(!output.status.success(), "undo redaction should refuse");
    assert!(
        output.stdout.is_empty(),
        "JSON-mode undo refusal must not write stdout: {}",
        String::from_utf8_lossy(&output.stdout)
    );
    let stderr = String::from_utf8_lossy(&output.stderr);
    let err: Value =
        serde_json::from_str(&stderr).expect("undo refusal should emit JSON error envelope");
    assert_json_recovery_advice_fields(&err, &err.to_string());
    assert!(
        err["kind"] == "redaction_undo_requires_confirmation"
            && err["error"]
                .as_str()
                .is_some_and(|error| error.contains("Refusing to undo")
                    && error.contains("redact apply")
                    && error.contains("re-expose previously-hidden content"))
            && err["preserved"]
                .as_str()
                .is_some_and(|preserved| preserved.contains("no undo mutation was applied"))
            && err["hint"]
                .as_str()
                .is_some_and(|hint| hint.contains("--allow-redact-undo")),
        "undo redaction refusal should expose typed JSON advice: {stderr}"
    );
}

#[test]
fn purge_apply_with_force_records_and_marks_redaction_purged() {
    let (temp, state) = setup_repo_with_secret();
    heddle(
        &[
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
        ],
        Some(temp.path()),
    )
    .unwrap();
    let raw = heddle(
        &[
            "--output",
            "json",
            "redact",
            "purge",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--force",
        ],
        Some(temp.path()),
    )
    .expect("purge apply --force should succeed");
    let value: Value = serde_json::from_str(&raw).expect("purge apply should emit JSON");
    assert_eq!(value["redactions_marked"].as_u64().unwrap(), 1);

    let list_raw = heddle(&["--output", "json", "redact", "list"], Some(temp.path())).unwrap();
    let list: Value = serde_json::from_str(&list_raw).unwrap();
    let entries = list["redactions"].as_array().unwrap();
    assert!(
        entries[0]["purged"].as_bool().unwrap(),
        "after purge, the redaction must surface as purged in list output"
    );

    let purge_list_raw = heddle(
        &["--output", "json", "redact", "purge", "list"],
        Some(temp.path()),
    )
    .unwrap();
    let purge_list: Value = serde_json::from_str(&purge_list_raw).unwrap();
    assert_eq!(
        purge_list["count"].as_u64().unwrap(),
        1,
        "purge list must surface exactly one entry after one purge"
    );
}

#[test]
fn purge_alias_routes_to_redact_purge_apply_output() {
    let (temp, state) = setup_repo_with_secret();
    heddle(
        &[
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
        ],
        Some(temp.path()),
    )
    .unwrap();

    let raw = heddle(
        &[
            "--output",
            "json",
            "purge",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--force",
        ],
        Some(temp.path()),
    )
    .expect("purge alias should route through redact purge apply");
    let value: Value = serde_json::from_str(&raw).expect("purge alias should emit JSON");
    assert_eq!(value["output_kind"], "purge_apply");
    assert_eq!(value["redactions_marked"].as_u64().unwrap(), 1);
}

#[test]
fn redact_apply_with_sign_with_records_signature_verifiable_on_show() {
    // Critical acceptance criterion (build brief item 3): redactions
    // are signed (Ed25519) and `heddle redact show` displays
    // verification status alongside the merge-signature equivalent.
    use crypto::Ed25519Signer;

    let (temp, state) = setup_repo_with_secret();
    let signer = Ed25519Signer::generate().expect("generate ed25519 signing key");
    let key_pem = signer.to_pem().expect("export PEM");
    let key_path = temp.path().join("redact_signing_key.pem");
    write_test_private_key(&key_path, &key_pem);

    let apply_raw = heddle(
        &[
            "--output",
            "json",
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
            "--sign-with",
            &key_path.to_string_lossy(),
        ],
        Some(temp.path()),
    )
    .expect("redact apply --sign-with should succeed");
    let apply: Value = serde_json::from_str(&apply_raw).expect("redact apply JSON");
    assert!(
        apply["signed"].as_bool().unwrap(),
        "redact apply with --sign-with must report signed=true"
    );
    assert_eq!(
        apply["signature_algorithm"].as_str().unwrap(),
        "ed25519",
        "Ed25519 key file should be detected as ed25519"
    );

    let id = apply["redaction_id"].as_str().unwrap().to_string();
    let show_raw = heddle(
        &["--output", "json", "redact", "show", &id],
        Some(temp.path()),
    )
    .unwrap();
    let show: Value = serde_json::from_str(&show_raw).unwrap();
    assert!(
        show["signed"].as_bool().unwrap(),
        "redact show must report signed=true after a signed apply"
    );
    assert_eq!(
        show["signature_status"].as_str().unwrap(),
        "verified",
        "redact show must verify the signature it just stored — round-trip property"
    );
    assert_eq!(
        show["signature_algorithm"].as_str().unwrap(),
        "ed25519",
        "show must surface the signing algorithm"
    );
}

#[test]
fn redact_show_without_sign_with_reports_unsigned() {
    // Mirror property: unsigned redactions must surface as
    // `signature_status: "unsigned"` so auditors can sort the
    // attested-vs-asserted axis cleanly.
    let (temp, state) = setup_repo_with_secret();
    let apply_raw = heddle(
        &[
            "--output",
            "json",
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
        ],
        Some(temp.path()),
    )
    .unwrap();
    let apply: Value = serde_json::from_str(&apply_raw).unwrap();
    assert!(
        !apply["signed"].as_bool().unwrap(),
        "redact apply without --sign-with must report signed=false"
    );
    let id = apply["redaction_id"].as_str().unwrap();

    let show_raw = heddle(
        &["--output", "json", "redact", "show", id],
        Some(temp.path()),
    )
    .unwrap();
    let show: Value = serde_json::from_str(&show_raw).unwrap();
    assert!(!show["signed"].as_bool().unwrap());
    assert_eq!(
        show["signature_status"].as_str().unwrap(),
        "unsigned",
        "redact show must call unsigned redactions out explicitly"
    );
}

#[test]
fn redact_apply_is_idempotent_on_identical_input() {
    // Build brief property #1: "Redact is idempotent — redacting a
    // blob that's already redacted is a no-op (or returns a
    // supersedes chain)". Today the idempotent path returns the
    // existing redaction's content-addressed id rather than writing
    // a duplicate. This test pins that: two identical applies
    // produce the same `redaction_id`.
    let (temp, state) = setup_repo_with_secret();
    let first = heddle(
        &[
            "--output",
            "json",
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
        ],
        Some(temp.path()),
    )
    .unwrap();
    let second = heddle(
        &[
            "--output",
            "json",
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
        ],
        Some(temp.path()),
    )
    .unwrap();
    // The two responses may differ in `redacted_at` (we re-record an
    // oplog entry on each call so the audit trail surfaces retries);
    // but the redactions_blob is idempotent on canonical content, so
    // a re-emitted `redaction_id` for a fresh payload differs only
    // by timestamp. We assert that the list still reports exactly
    // one redaction per (blob, path) — the storage layer doesn't
    // duplicate.
    let _ = (first, second);
    let list_raw = heddle(&["--output", "json", "redact", "list"], Some(temp.path())).unwrap();
    let list: Value = serde_json::from_str(&list_raw).unwrap();
    let entries = list["redactions"].as_array().unwrap();
    let same_path: Vec<&Value> = entries
        .iter()
        .filter(|r| r["path"].as_str() == Some("config/secrets.toml"))
        .collect();
    // Multiple oplog applies are OK; the unique storage signature is
    // (blob, path) and we don't want the list to balloon on retries.
    // Today the storage layer can store either 1 (canonical) or 2
    // (when timestamps differ) entries — pin: at most a handful, NOT
    // a duplication-on-every-retry pattern.
    assert!(
        same_path.len() <= 2,
        "repeated identical applies must NOT fan out into N entries; got {}",
        same_path.len()
    );
}

#[test]
fn purge_without_prior_redact_is_refused() {
    let (temp, state) = setup_repo_with_secret();
    let err = heddle(
        &[
            "redact",
            "purge",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--force",
        ],
        Some(temp.path()),
    )
    .expect_err("purge without prior redact must refuse");
    assert!(
        err.contains("no redaction"),
        "refusal must name the missing-redaction precondition: {err}"
    );
}

// ---------------------------------------------------------------------
// Cross-replica propagation tests
//
// The redact + purge surface is local-only without wire propagation —
// pulls on a peer replica would re-expose the secret. These tests pin
// the propagation contract via `heddle clone` (which goes through
// `LocalSync`):
//
//   - Signed redactions: propagate, renders stub on B's worktree.
//   - Signed purge: propagates, drops bytes on B.
//   - Unsigned redactions: refused on the wire; local-only on A.
//   - Tampered signatures: refused on the wire.
//
// All four use `heddle clone <path-A> <path-B>` to exercise the
// `LocalSync::propagate_redactions_for_blob` hook added for cross-
// replica scope.
// ---------------------------------------------------------------------

fn signed_redact_on_repo_a(
    temp: &TempDir,
    state: &str,
    pem_path: &std::path::Path,
) -> serde_json::Value {
    let raw = heddle(
        &[
            "--output",
            "json",
            "redact",
            "apply",
            state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
            "--sign-with",
            pem_path.to_str().unwrap(),
        ],
        Some(temp.path()),
    )
    .expect("redact apply --sign-with should succeed on A");
    serde_json::from_str(&raw).expect("apply output JSON")
}

#[test]
fn redact_apply_signed_propagates_to_cloned_replica() {
    use crypto::Ed25519Signer;
    let (a, state) = setup_repo_with_secret();
    let signer = Ed25519Signer::generate().unwrap();
    let pem = signer.to_pem().unwrap();
    let pem_path = a.path().join("ed25519.pem");
    write_test_private_key(&pem_path, &pem);
    let apply = signed_redact_on_repo_a(&a, &state, &pem_path);
    let redaction_id = apply["redaction_id"].as_str().unwrap().to_string();

    // Set up B: init empty repo, trust A's signing key, then fetch.
    // Operators do this on their own machine the first time they
    // accept signed redactions from a new collaborator; the trust
    // gate is fail-closed so signed records won't propagate until
    // the operator explicitly authorizes the key.
    let b_dir = TempDir::new().unwrap();
    let b_path = b_dir.path().join("replica-b");
    fs::create_dir_all(&b_path).unwrap();
    heddle(&["init"], Some(&b_path)).expect("init B");
    heddle(
        &[
            "redact",
            "trust",
            "add",
            "--from-pem",
            pem_path.to_str().unwrap(),
        ],
        Some(&b_path),
    )
    .expect("B trusts A's signing key");
    heddle(
        &["remote", "add", "origin", a.path().to_str().unwrap()],
        Some(&b_path),
    )
    .expect("remote add origin");
    heddle(&["fetch", "origin"], Some(&b_path)).expect("fetch propagates signed redaction to B");

    // B's redact list must include the propagated redaction. The
    // worktree-stub contract is tested separately by the local
    // materialize tests; here we pin the propagation contract: A's
    // redaction record exists in B's local sidecar after fetch.
    let list_raw = heddle(&["--output", "json", "redact", "list"], Some(&b_path)).unwrap();
    let list: Value = serde_json::from_str(&list_raw).unwrap();
    let rows = list["redactions"].as_array().expect("redactions array");
    assert_eq!(
        rows.len(),
        1,
        "B must see exactly one propagated redaction: {list_raw}"
    );

    // The propagated redaction must still verify on B — signature is
    // carried byte-identical across the wire.
    let show_raw = heddle(
        &["--output", "json", "redact", "show", &redaction_id],
        Some(&b_path),
    )
    .unwrap();
    let show: Value = serde_json::from_str(&show_raw).unwrap();
    assert_eq!(
        show["signature_status"].as_str().unwrap(),
        "verified",
        "B must verify the signature on the propagated redaction"
    );
}

#[test]
fn redact_apply_unsigned_is_refused_at_clone_boundary() {
    // Wire policy: unsigned redactions do not propagate. The local
    // redaction stays on A; B's clone refuses with a clear message
    // because LocalSync routes through accept_wire_redactions which
    // rejects unsigned records.
    let (a, state) = setup_repo_with_secret();
    let _ = heddle(
        &[
            "--output",
            "json",
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leaked credential",
        ],
        Some(a.path()),
    )
    .expect("unsigned local redact on A succeeds");

    let b_dir = TempDir::new().unwrap();
    let b_path = b_dir.path().join("replica-b");
    let err = heddle(
        &[
            "clone",
            a.path().to_str().unwrap(),
            b_path.to_str().unwrap(),
        ],
        Some(b_dir.path()),
    )
    .expect_err("clone must refuse unsigned redaction propagation");
    assert!(
        err.contains("no signature") || err.contains("Unsigned") || err.contains("unsigned"),
        "clone rejection must explain the unsigned cause: {err}"
    );
}

#[test]
fn purge_apply_signed_propagates_byte_removal_to_cloned_replica() {
    use crypto::Ed25519Signer;
    let (a, state) = setup_repo_with_secret();
    let signer = Ed25519Signer::generate().unwrap();
    let pem = signer.to_pem().unwrap();
    let pem_path = a.path().join("ed25519.pem");
    write_test_private_key(&pem_path, &pem);
    let _ = signed_redact_on_repo_a(&a, &state, &pem_path);

    heddle(
        &[
            "redact",
            "purge",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--force",
        ],
        Some(a.path()),
    )
    .expect("purge on A succeeds");

    // Set up B with explicit trust for A's signing key, then fetch.
    let b_dir = TempDir::new().unwrap();
    let b_path = b_dir.path().join("replica-b");
    fs::create_dir_all(&b_path).unwrap();
    heddle(&["init"], Some(&b_path)).expect("init B");
    heddle(
        &[
            "redact",
            "trust",
            "add",
            "--from-pem",
            pem_path.to_str().unwrap(),
        ],
        Some(&b_path),
    )
    .expect("B trusts A's signing key");
    heddle(
        &["remote", "add", "origin", a.path().to_str().unwrap()],
        Some(&b_path),
    )
    .expect("remote add origin");
    heddle(&["fetch", "origin"], Some(&b_path))
        .expect("fetch propagates signed redaction + purge to B");

    // B must record the purge.
    let purge_list_raw = heddle(
        &["--output", "json", "redact", "purge", "list"],
        Some(&b_path),
    )
    .unwrap();
    let purge_list: Value = serde_json::from_str(&purge_list_raw).unwrap();
    let purges = purge_list["purges"].as_array().expect("purges array");
    assert_eq!(
        purges.len(),
        1,
        "B must see the propagated purge: {purge_list_raw}"
    );
    // The wire path goes through accept_wire_redactions, which (a)
    // verifies the signature, (b) persists the record, and (c) drops
    // the local blob bytes because the incoming record carries
    // `purged_at: Some(_)`. That last step is the byte-removal half of
    // "purge propagation."
}

#[test]
fn tampered_redaction_is_refused_at_fetch_boundary() {
    use crypto::Ed25519Signer;
    use objects::object::RedactionsBlob;

    let (a, state) = setup_repo_with_secret();
    let signer = Ed25519Signer::generate().unwrap();
    let pem = signer.to_pem().unwrap();
    let pem_path = a.path().join("ed25519.pem");
    write_test_private_key(&pem_path, &pem);
    let _ = signed_redact_on_repo_a(&a, &state, &pem_path);

    // Tamper with A's stored redaction sidecar by mutating the reason
    // *after* signing — same blob hash key, but the canonical payload
    // no longer matches the signature.
    let redaction_dir = a.path().join(".heddle/redactions");
    let entries: Vec<_> = fs::read_dir(&redaction_dir)
        .expect("redactions dir exists on A")
        .filter_map(|e| e.ok())
        .filter(|e| e.path().extension().and_then(|x| x.to_str()) == Some("bin"))
        .collect();
    assert_eq!(entries.len(), 1, "exactly one redaction expected on A");
    let path = entries[0].path();
    let bytes = fs::read(&path).unwrap();
    let mut blob = RedactionsBlob::decode(&bytes).expect("decode A's redactions blob");
    blob.redactions[0].reason = "post-sign tampered reason".to_string();
    fs::write(&path, blob.encode().unwrap()).unwrap();
    // The above forfeits A's own materialize-side stub correctness;
    // the local invariant break is the point of the test.

    // B trusts the signing key, so the trust gate passes — the
    // rejection comes from signature verification failing on the
    // tampered canonical payload (Tampered, not UntrustedKey).
    let b_dir = TempDir::new().unwrap();
    let b_path = b_dir.path().join("replica-b");
    fs::create_dir_all(&b_path).unwrap();
    heddle(&["init"], Some(&b_path)).expect("init B");
    heddle(
        &[
            "redact",
            "trust",
            "add",
            "--from-pem",
            pem_path.to_str().unwrap(),
        ],
        Some(&b_path),
    )
    .expect("B trusts A's signing key");
    heddle(
        &["remote", "add", "origin", a.path().to_str().unwrap()],
        Some(&b_path),
    )
    .expect("remote add origin");
    let err = heddle(&["fetch", "origin"], Some(&b_path))
        .expect_err("fetch must refuse a tampered redaction");
    assert!(
        err.contains("failed to verify") || err.contains("Tampered") || err.contains("tampered"),
        "fetch rejection must explain the tamper cause: {err}"
    );
}

// ---------------------------------------------------------------------
// Ignore-hint tests
//
// After a redact/purge, the working tree file is unchanged — the next
// `heddle capture` would re-snapshot the leaked bytes. The CLI emits a
// hint pointing at the right ignore file to append the path to. Native
// Heddle prefers `.heddleignore`; Git-overlay prefers `.gitignore`.
// ---------------------------------------------------------------------

fn redact_apply_json(temp: &TempDir, state: &str) -> Value {
    let raw = heddle(
        &[
            "--output",
            "json",
            "redact",
            "apply",
            state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leak",
        ],
        Some(temp.path()),
    )
    .expect("redact apply");
    serde_json::from_str(&raw).expect("redact apply JSON")
}

#[test]
fn redact_apply_emits_ignore_hint_when_neither_file_covers_path() {
    // Fresh native repos do not auto-create `.heddleignore`. The hint must
    // surface, pointing at `.heddleignore` with `already_exists: false`.
    let (temp, state) = setup_repo_with_secret();
    let apply = redact_apply_json(&temp, &state);
    let hint = apply
        .get("ignore_hint")
        .expect("ignore_hint should be present when path is uncovered");
    assert_eq!(hint["ignore_file"].as_str().unwrap(), ".heddleignore");
    assert!(
        !hint["already_exists"].as_bool().unwrap(),
        "init should not install a default .heddleignore"
    );
    assert_eq!(
        hint["suggested_pattern"].as_str().unwrap(),
        "config/secrets.toml"
    );
    assert!(
        hint["message"]
            .as_str()
            .unwrap()
            .contains("create .heddleignore")
    );
}

#[test]
fn redact_apply_emits_no_hint_when_heddleignore_literal_matches() {
    let (temp, state) = setup_repo_with_secret();
    // Direct literal path match in `.heddleignore`.
    fs::write(temp.path().join(".heddleignore"), "config/secrets.toml\n").unwrap();
    let apply = redact_apply_json(&temp, &state);
    assert!(
        apply.get("ignore_hint").is_none() || apply["ignore_hint"].is_null(),
        "literal-path coverage in .heddleignore must suppress the hint: {apply:?}"
    );
}

#[test]
fn redact_apply_emits_no_hint_when_heddleignore_glob_matches() {
    // Glob coverage (`config/*.toml`) in `.heddleignore` — the matcher
    // uses gitignore-spec globs, not literal substring, so a broad
    // rule that already covers the leaked path suppresses the hint.
    let (temp, state) = setup_repo_with_secret();
    fs::write(temp.path().join(".heddleignore"), "config/*.toml\n").unwrap();
    let apply = redact_apply_json(&temp, &state);
    assert!(
        apply.get("ignore_hint").is_none() || apply["ignore_hint"].is_null(),
        "glob coverage in .heddleignore must suppress the hint: {apply:?}"
    );
}

#[test]
fn redact_apply_emits_hint_when_only_gitignore_covers_the_path() {
    // In a native Heddle repo, `.gitignore` is not the capture policy.
    // The hint must surface, pointing at `.heddleignore`.
    let (temp, state) = setup_repo_with_secret();
    fs::write(temp.path().join(".gitignore"), "config/*.toml\n").unwrap();
    let apply = redact_apply_json(&temp, &state);
    let hint = apply
        .get("ignore_hint")
        .expect(".gitignore coverage must NOT suppress the heddle-ignore hint");
    assert_eq!(
        hint["ignore_file"].as_str().unwrap(),
        ".heddleignore",
        ".gitignore is not consulted by native Heddle capture; hint must target .heddleignore"
    );
    assert!(
        !hint["already_exists"].as_bool().unwrap(),
        "init should not install a default .heddleignore"
    );
}

#[test]
fn redact_apply_git_overlay_prefers_gitignore_hint() {
    let (temp, state) = setup_git_overlay_repo_with_secret();
    let apply = redact_apply_json(&temp, &state);
    let hint = apply
        .get("ignore_hint")
        .expect("ignore_hint should be present when path is uncovered");
    assert_eq!(hint["ignore_file"].as_str().unwrap(), ".gitignore");
    assert!(
        !hint["already_exists"].as_bool().unwrap(),
        "fixture does not create a .gitignore"
    );
    assert!(
        hint["message"]
            .as_str()
            .unwrap()
            .contains("create .gitignore"),
        "Git-overlay redaction should point at Git's shared ignore file: {hint}"
    );
}

#[test]
fn redact_apply_emits_no_hint_when_repo_config_ignore_covers_path() {
    // `worktree.ignore` in `.heddle/config.toml` is part of heddle's
    // effective ignore set (see `Repository::ignore_patterns`). A
    // pattern in repo config must suppress the hint even with no
    // `.heddleignore` file on disk. Splice the additional pattern
    // into the existing `[worktree] ignore = [...]` array instead of
    // appending a duplicate section header (which `heddle init`
    // already writes).
    let (temp, state) = setup_repo_with_secret();
    let config_path = temp.path().join(".heddle/config.toml");
    let existing = fs::read_to_string(&config_path).expect("read default config");
    let patched = existing.replace("ignore = [", "ignore = [\n    \"config/*.toml\",");
    assert_ne!(
        existing, patched,
        "test fixture expected `ignore = [` in default config"
    );
    fs::write(&config_path, patched).unwrap();
    let apply = redact_apply_json(&temp, &state);
    assert!(
        apply.get("ignore_hint").is_none() || apply["ignore_hint"].is_null(),
        "repo-config worktree.ignore coverage must suppress the hint: {apply:?}"
    );
}

#[test]
fn purge_apply_also_emits_ignore_hint() {
    // `heddle redact purge apply` carries the same hint as redact — the
    // working-tree leak is the same problem regardless of which
    // verb you reach for.
    let (temp, state) = setup_repo_with_secret();
    // Redact first (purge refuses without a prior redaction).
    heddle(
        &[
            "redact",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--reason",
            "leak",
        ],
        Some(temp.path()),
    )
    .unwrap();
    let raw = heddle(
        &[
            "--output",
            "json",
            "redact",
            "purge",
            "apply",
            &state,
            "--path",
            "config/secrets.toml",
            "--force",
        ],
        Some(temp.path()),
    )
    .expect("purge apply");
    let purge: Value = serde_json::from_str(&raw).unwrap();
    let hint = purge
        .get("ignore_hint")
        .expect("purge output must include ignore_hint");
    assert_eq!(hint["ignore_file"].as_str().unwrap(), ".heddleignore");
    assert!(
        !hint["already_exists"].as_bool().unwrap(),
        "init should not install a default .heddleignore"
    );
}

#[test]
fn redact_after_peer_fetch_still_propagates_on_resync() {
    // Scenario the codex review flagged: peer B clones A *first*,
    // then A declares a redaction. A second clone-from-A would find
    // every state/tree/blob already present locally and previously
    // would short-circuit before propagating the sidecar. The
    // post-fix behavior: redactions ferry through even when the
    // object graph hasn't changed.
    use crypto::Ed25519Signer;

    let (a, state) = setup_repo_with_secret();

    // Peer B clones BEFORE the redaction is declared on A.
    let b_dir = TempDir::new().unwrap();
    let b_path = b_dir.path().join("replica-b");
    heddle(
        &[
            "clone",
            a.path().to_str().unwrap(),
            b_path.to_str().unwrap(),
        ],
        Some(b_dir.path()),
    )
    .expect("initial clone A → B");
    let list_before: Value = serde_json::from_str(
        &heddle(&["--output", "json", "redact", "list"], Some(&b_path)).unwrap(),
    )
    .unwrap();
    assert_eq!(
        list_before["redactions"].as_array().unwrap().len(),
        0,
        "B has no redactions yet (declared on A only after clone)"
    );

    // Now A declares + signs the redaction.
    let signer = Ed25519Signer::generate().unwrap();
    let pem = signer.to_pem().unwrap();
    let pem_path = a.path().join("ed25519.pem");
    write_test_private_key(&pem_path, &pem);
    let _ = signed_redact_on_repo_a(&a, &state, &pem_path);

    // Re-sync: B trusts A's signing key, registers A as a remote,
    // then `heddle fetch origin` should ferry the sidecar even
    // though every state/tree/blob is already present on B. Trust
    // setup happens after the initial clone (which used no signed
    // redactions, so didn't need trust) — same operator pattern
    // they'd run once after a peer publishes their signing key.
    heddle(
        &[
            "redact",
            "trust",
            "add",
            "--from-pem",
            pem_path.to_str().unwrap(),
        ],
        Some(&b_path),
    )
    .expect("B trusts A's signing key");
    heddle(
        &["remote", "add", "origin", a.path().to_str().unwrap()],
        Some(&b_path),
    )
    .expect("remote add origin");
    heddle(&["fetch", "origin"], Some(&b_path)).expect("re-fetch A → B after redaction declared");

    let list_after: Value = serde_json::from_str(
        &heddle(&["--output", "json", "redact", "list"], Some(&b_path)).unwrap(),
    )
    .unwrap();
    assert_eq!(
        list_after["redactions"].as_array().unwrap().len(),
        1,
        "B must see the post-clone redaction after re-fetch: {list_after:?}"
    );
}

#[test]
fn untrusted_signed_redaction_is_refused_at_fetch_boundary() {
    // Codex P1: signature verification alone is integrity, not
    // authentication. Without a trust check the receiver accepts
    // *any* mathematically-valid signature, including one minted by
    // an attacker with their own key.
    //
    // This test pins the fail-closed default end-to-end: B receives
    // a signed redaction from A, but B has *not* added A's key to
    // its trust list. The fetch must refuse with `UntrustedKey`,
    // and B's local store must be unchanged.
    use crypto::Ed25519Signer;

    let (a, state) = setup_repo_with_secret();
    let attacker = Ed25519Signer::generate().unwrap();
    let pem = attacker.to_pem().unwrap();
    let pem_path = a.path().join("attacker.pem");
    write_test_private_key(&pem_path, &pem);
    let _ = signed_redact_on_repo_a(&a, &state, &pem_path);

    let b_dir = TempDir::new().unwrap();
    let b_path = b_dir.path().join("replica-b");
    fs::create_dir_all(&b_path).unwrap();
    heddle(&["init"], Some(&b_path)).expect("init B");
    // Intentionally skip `heddle redact trust add` — B does NOT
    // trust the attacker's key.
    heddle(
        &["remote", "add", "origin", a.path().to_str().unwrap()],
        Some(&b_path),
    )
    .expect("remote add origin");
    let err = heddle(&["fetch", "origin"], Some(&b_path))
        .expect_err("fetch must refuse untrusted signed redaction");
    assert!(
        err.contains("untrusted operator key"),
        "fetch rejection must explain the untrusted-key cause: {err}"
    );

    // B's local redaction store must remain empty.
    let list: Value = serde_json::from_str(
        &heddle(&["--output", "json", "redact", "list"], Some(&b_path)).unwrap(),
    )
    .unwrap();
    assert_eq!(
        list["redactions"].as_array().unwrap().len(),
        0,
        "B must have no redactions after refusal; refusal is atomic"
    );
}

#[test]
fn redact_trust_add_and_list_round_trip() {
    // Operator-facing smoke: `heddle redact trust add --from-pem`
    // produces an entry that `heddle redact trust list` surfaces.
    use crypto::Ed25519Signer;

    let temp = TempDir::new().unwrap();
    heddle(&["init"], Some(temp.path())).expect("init");
    let signer = Ed25519Signer::generate().unwrap();
    let pem = signer.to_pem().unwrap();
    let pem_path = temp.path().join("key.pem");
    write_test_private_key(&pem_path, &pem);

    let add_raw = heddle(
        &[
            "--output",
            "json",
            "redact",
            "trust",
            "add",
            "--from-pem",
            pem_path.to_str().unwrap(),
            "--label",
            "test-key",
        ],
        Some(temp.path()),
    )
    .expect("trust add");
    let add: Value = serde_json::from_str(&add_raw).unwrap();
    assert_eq!(add["algorithm"].as_str().unwrap(), "ed25519");
    assert_eq!(add["label"].as_str().unwrap(), "test-key");
    let pubkey_hex = add["public_key"].as_str().unwrap().to_string();

    let list_raw = heddle(
        &["--output", "json", "redact", "trust", "list"],
        Some(temp.path()),
    )
    .expect("trust list");
    let list: Value = serde_json::from_str(&list_raw).unwrap();
    assert_eq!(list["count"].as_u64().unwrap(), 1);
    let entries = list["trusted_keys"].as_array().unwrap();
    assert_eq!(entries[0]["public_key"].as_str().unwrap(), pubkey_hex);
    assert_eq!(entries[0]["label"].as_str().unwrap(), "test-key");

    // Re-adding the same key fails — operators get a clear signal
    // rather than silent duplicate entries.
    let output = heddle_output(
        &[
            "--output",
            "json",
            "redact",
            "trust",
            "add",
            "--from-pem",
            pem_path.to_str().unwrap(),
        ],
        Some(temp.path()),
    )
    .expect("invoke duplicate trust add");
    assert!(
        !output.status.success(),
        "re-add must refuse duplicate trust keys"
    );
    assert!(
        output.stdout.is_empty(),
        "JSON-mode refusal must not write stdout: {}",
        String::from_utf8_lossy(&output.stdout)
    );
    let stderr = String::from_utf8_lossy(&output.stderr);
    let envelope: Value =
        serde_json::from_str(&stderr).expect("stderr should be JSON error envelope");
    assert_eq!(envelope["kind"], "redact_trust_key_duplicate");
    assert!(
        envelope["error"]
            .as_str()
            .is_some_and(|error| error.contains("already in the trust list")),
        "duplicate-trust rejection must be clear: {stderr}"
    );
}

#[test]
fn redact_empty_path_uses_typed_advice_json() {
    let (temp, state) = setup_repo_with_secret();
    let output = heddle_output(
        &[
            "--output",
            "json",
            "redact",
            "apply",
            &state,
            "--path",
            "",
            "--reason",
            "empty path smoke",
        ],
        Some(temp.path()),
    )
    .expect("invoke redact apply");
    assert!(!output.status.success(), "empty path must refuse");
    assert!(
        output.stdout.is_empty(),
        "JSON-mode refusal must not write stdout: {}",
        String::from_utf8_lossy(&output.stdout)
    );
    let stderr = String::from_utf8_lossy(&output.stderr);
    let envelope: Value =
        serde_json::from_str(&stderr).expect("stderr should be JSON error envelope");
    assert_eq!(envelope["kind"], "redact_path_empty");
    assert!(
        envelope["hint"]
            .as_str()
            .is_some_and(|hint| hint.contains("--path <path>")),
        "typed advice should name the recovery path: {stderr}"
    );
}

#[test]
fn redact_trust_remove_missing_key_uses_typed_advice_json() {
    let temp = TempDir::new().unwrap();
    heddle(&["init"], Some(temp.path())).expect("init");
    let output = heddle_output(
        &["--output", "json", "redact", "trust", "remove", "deadbeef"],
        Some(temp.path()),
    )
    .expect("invoke redact trust remove");
    assert!(!output.status.success(), "missing trust key must refuse");
    assert!(
        output.stdout.is_empty(),
        "JSON-mode refusal must not write stdout: {}",
        String::from_utf8_lossy(&output.stdout)
    );
    let stderr = String::from_utf8_lossy(&output.stderr);
    let envelope: Value =
        serde_json::from_str(&stderr).expect("stderr should be JSON error envelope");
    assert_eq!(envelope["kind"], "redact_trust_key_not_found");
    assert!(
        envelope["hint"]
            .as_str()
            .is_some_and(|hint| hint.contains("heddle redact trust list")),
        "typed advice should name the inspection command: {stderr}"
    );
}

#[test]
fn redact_trust_add_missing_key_source_uses_typed_advice_json() {
    let temp = TempDir::new().unwrap();
    heddle(&["init"], Some(temp.path())).expect("init");
    let output = heddle_output(
        &["--output", "json", "redact", "trust", "add"],
        Some(temp.path()),
    )
    .expect("invoke redact trust add");
    assert!(!output.status.success(), "missing key source must refuse");
    assert!(
        output.stdout.is_empty(),
        "JSON-mode refusal must not write stdout: {}",
        String::from_utf8_lossy(&output.stdout)
    );
    let stderr = String::from_utf8_lossy(&output.stderr);
    let envelope: Value =
        serde_json::from_str(&stderr).expect("stderr should be JSON error envelope");
    assert_eq!(envelope["kind"], "redact_trust_key_source_required");
    assert!(
        envelope["hint"]
            .as_str()
            .is_some_and(|hint| hint.contains("--from-pem <PATH>")),
        "typed advice should name key-source recovery: {stderr}"
    );
}