shellfirm 0.3.7

`shellfirm` will intercept any risky patterns (default or defined by you) and prompt you a small challenge for double verification, kinda like a captcha for your terminal.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823

//! Manage the app configuration by creating, deleting and modify the
//! configuration

use std::{
    collections::{HashMap, HashSet},
    env, fmt, fs,
    io::{Read, Write},
    path::PathBuf,
};

use crate::error::{Error, Result};
use crate::{checks, checks::Severity, context::ContextConfig};
use serde_derive::{Deserialize, Serialize};
use tracing::debug;

/// Configuration for the optional LLM-powered command analysis.
#[derive(Debug, Deserialize, Serialize, Clone)]
pub struct LlmConfig {
    /// LLM provider name: "anthropic" or "openai-compatible".
    #[serde(default = "default_llm_provider")]
    pub provider: String,
    /// Model ID to use (e.g. "claude-sonnet-4-20250514").
    #[serde(default = "default_llm_model")]
    pub model: String,
    /// Custom base URL for openai-compatible providers.
    #[serde(default)]
    pub base_url: Option<String>,
    /// Request timeout in milliseconds.
    #[serde(default = "default_llm_timeout_ms")]
    pub timeout_ms: u64,
    /// Max tokens in the LLM response.
    #[serde(default = "default_llm_max_tokens")]
    pub max_tokens: u32,
}

fn default_llm_provider() -> String {
    "anthropic".into()
}

fn default_llm_model() -> String {
    "claude-sonnet-4-20250514".into()
}

const fn default_llm_timeout_ms() -> u64 {
    5000
}

const fn default_llm_max_tokens() -> u32 {
    512
}

impl Default for LlmConfig {
    fn default() -> Self {
        Self {
            provider: default_llm_provider(),
            model: default_llm_model(),
            base_url: None,
            timeout_ms: default_llm_timeout_ms(),
            max_tokens: default_llm_max_tokens(),
        }
    }
}

/// Configuration for AI agent guardrails.
#[derive(Debug, Deserialize, Serialize, Clone)]
pub struct AgentConfig {
    /// Auto-deny commands at or above this severity when running in agent mode.
    #[serde(default = "default_auto_deny_severity")]
    pub auto_deny_severity: Severity,
    /// Require human approval for agent-denied commands (reserved for future use).
    #[serde(default)]
    pub require_human_approval: bool,
}

const fn default_auto_deny_severity() -> Severity {
    Severity::High
}

impl Default for AgentConfig {
    fn default() -> Self {
        Self {
            auto_deny_severity: default_auto_deny_severity(),
            require_human_approval: false,
        }
    }
}

/// Configuration for the `shellfirm wrap` PTY proxy.
#[derive(Debug, Deserialize, Serialize, Clone, Default)]
pub struct WrappersConfig {
    /// Per-tool overrides keyed by program name (e.g. "psql", "redis-cli").
    #[serde(default)]
    pub tools: HashMap<String, WrapperToolConfig>,
}

/// Per-tool configuration for the `shellfirm wrap` proxy.
#[derive(Debug, Deserialize, Serialize, Clone)]
pub struct WrapperToolConfig {
    /// Statement delimiter: ";" for SQL tools, "\n" for line-oriented tools.
    #[serde(default = "default_wrap_delimiter")]
    pub delimiter: String,
    /// Override which check groups are active (empty = use global setting).
    #[serde(default)]
    pub check_groups: Vec<String>,
}

fn default_wrap_delimiter() -> String {
    ";".into()
}

impl Default for WrapperToolConfig {
    fn default() -> Self {
        Self {
            delimiter: default_wrap_delimiter(),
            check_groups: vec![],
        }
    }
}

/// Configuration for severity-based challenge escalation.
///
/// When enabled (the default), checks at higher severity levels automatically
/// receive harder challenges — `Critical` → `Yes`, `High` → `Enter`.
/// Each mapping acts as a floor: `max_challenge(base, severity_floor)`.
#[derive(Debug, Deserialize, Serialize, Clone)]
pub struct SeverityEscalationConfig {
    /// Whether severity-based escalation is active.
    #[serde(default = "default_severity_escalation_enabled")]
    pub enabled: bool,
    /// Minimum challenge for Critical severity checks.
    #[serde(default = "default_severity_critical")]
    pub critical: Challenge,
    /// Minimum challenge for High severity checks.
    #[serde(default = "default_severity_high")]
    pub high: Challenge,
    /// Minimum challenge for Medium severity checks.
    #[serde(default = "default_severity_medium")]
    pub medium: Challenge,
    /// Minimum challenge for Low severity checks.
    #[serde(default = "default_severity_low")]
    pub low: Challenge,
    /// Minimum challenge for Info severity checks.
    #[serde(default = "default_severity_info")]
    pub info: Challenge,
}

const fn default_severity_escalation_enabled() -> bool {
    true
}
const fn default_severity_critical() -> Challenge {
    Challenge::Yes
}
const fn default_severity_high() -> Challenge {
    Challenge::Enter
}
const fn default_severity_medium() -> Challenge {
    Challenge::Math
}
const fn default_severity_low() -> Challenge {
    Challenge::Math
}
const fn default_severity_info() -> Challenge {
    Challenge::Math
}

impl Default for SeverityEscalationConfig {
    fn default() -> Self {
        Self {
            enabled: default_severity_escalation_enabled(),
            critical: default_severity_critical(),
            high: default_severity_high(),
            medium: default_severity_medium(),
            low: default_severity_low(),
            info: default_severity_info(),
        }
    }
}

impl SeverityEscalationConfig {
    /// Return the challenge floor for the given severity, or `None` if
    /// severity escalation is disabled.
    #[must_use]
    pub const fn challenge_for_severity(&self, severity: Severity) -> Option<Challenge> {
        if !self.enabled {
            return None;
        }
        Some(match severity {
            Severity::Critical => self.critical,
            Severity::High => self.high,
            Severity::Medium => self.medium,
            Severity::Low => self.low,
            Severity::Info => self.info,
        })
    }
}

const DEFAULT_SETTING_FILE_NAME: &str = "settings.yaml";

pub const DEFAULT_CHALLENGE: Challenge = Challenge::Math;

fn default_enabled_groups() -> Vec<String> {
    DEFAULT_ENABLED_GROUPS
        .iter()
        .map(|s| (*s).to_string())
        .collect()
}

const fn default_audit_enabled() -> bool {
    true
}

const fn default_blast_radius() -> bool {
    true
}

pub const DEFAULT_ENABLED_GROUPS: [&str; 16] = [
    "aws",
    "azure",
    "base",
    "database",
    "docker",
    "fs",
    "gcp",
    "git",
    "heroku",
    "kubernetes",
    "mongodb",
    "mysql",
    "network",
    "psql",
    "redis",
    "terraform",
];

/// The user challenge when user need to confirm the command.
#[derive(Debug, Deserialize, Serialize, Clone, Copy, PartialEq, Eq)]
pub enum Challenge {
    /// Math challenge.
    Math,
    /// Only enter will approve the command.
    Enter,
    /// only yes typing will approve the command.
    Yes,
}

#[derive(Debug)]
/// describe configuration folder
pub struct Config {
    /// Configuration folder path.
    pub root_folder: PathBuf,
    /// config file.
    pub setting_file_path: PathBuf,
}

/// Describe the configuration yaml
#[derive(Debug, Deserialize, Serialize, Clone)]
pub struct Settings {
    /// Type of the challenge.
    #[serde(default)]
    pub challenge: Challenge,
    /// Whitelist of check groups to enable (default: all 12 groups).
    #[serde(default = "default_enabled_groups")]
    pub enabled_groups: Vec<String>,
    /// Blacklist of check groups to disable (applied after whitelist).
    #[serde(default)]
    pub disabled_groups: Vec<String>,
    /// List of all ignore checks
    #[serde(default)]
    pub ignores_patterns_ids: Vec<String>,
    /// List of pattens id to prevent
    #[serde(default)]
    pub deny_patterns_ids: Vec<String>,
    /// Context-aware protection configuration.
    #[serde(default)]
    pub context: ContextConfig,
    /// Enable audit trail (log intercepted commands).
    #[serde(default = "default_audit_enabled")]
    pub audit_enabled: bool,
    /// Enable blast radius computation (shows impact details for risky commands).
    #[serde(default = "default_blast_radius")]
    pub blast_radius: bool,
    /// Minimum severity for a check to trigger a challenge.
    /// When `None`, all severities trigger. When set, checks below this
    /// threshold are skipped (but still logged to audit as `Skipped`).
    #[serde(default)]
    pub min_severity: Option<Severity>,
    /// AI agent guardrail configuration.
    #[serde(default)]
    pub agent: AgentConfig,
    /// LLM-powered analysis configuration (requires `llm` feature).
    /// `None` means LLM is not configured (disabled by default).
    #[serde(default)]
    pub llm: Option<LlmConfig>,
    /// PTY wrapper configuration (requires `wrap` feature).
    #[serde(default)]
    pub wrappers: WrappersConfig,
    /// Severity-based challenge escalation (enabled by default).
    #[serde(default)]
    pub severity_escalation: SeverityEscalationConfig,
    /// Per-group minimum challenge overrides (group name → challenge).
    #[serde(default)]
    pub group_escalation: HashMap<String, Challenge>,
    /// Per-check-ID minimum challenge overrides (check ID → challenge).
    #[serde(default)]
    pub check_escalation: HashMap<String, Challenge>,
}

impl fmt::Display for Challenge {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::Math => write!(f, "Math"),
            Self::Enter => write!(f, "Enter"),
            Self::Yes => write!(f, "Yes"),
        }
    }
}

impl Default for Challenge {
    fn default() -> Self {
        DEFAULT_CHALLENGE
    }
}

impl Challenge {
    /// Convert challenge string to enum
    ///
    /// # Errors
    /// when the given challenge string is not supported
    pub fn from_string(str: &str) -> Result<Self> {
        match str.to_lowercase().as_str() {
            "math" => Ok(Self::Math),
            "enter" => Ok(Self::Enter),
            "yes" => Ok(Self::Yes),
            _ => Err(Error::Config("given challenge name not found".into())),
        }
    }

    /// Return the stricter of two challenges.
    /// Order: Math < Enter < Yes
    #[must_use]
    pub fn stricter(self, other: Self) -> Self {
        let rank = |c: Self| match c {
            Self::Math => 0,
            Self::Enter => 1,
            Self::Yes => 2,
        };
        if rank(self) >= rank(other) {
            self
        } else {
            other
        }
    }
}

impl Default for Settings {
    fn default() -> Self {
        Self {
            challenge: DEFAULT_CHALLENGE,
            enabled_groups: default_enabled_groups(),
            disabled_groups: vec![],
            ignores_patterns_ids: vec![],
            deny_patterns_ids: vec![],
            context: ContextConfig::default(),
            audit_enabled: default_audit_enabled(),
            blast_radius: default_blast_radius(),
            min_severity: None,
            agent: AgentConfig::default(),
            llm: None,
            wrappers: WrappersConfig::default(),
            severity_escalation: SeverityEscalationConfig::default(),
            group_escalation: HashMap::new(),
            check_escalation: HashMap::new(),
        }
    }
}

impl Config {
    /// Get application  setting config.
    ///
    /// # Errors
    ///
    /// Will return `Err` error return on load/save config
    pub fn new(path: Option<&str>) -> Result<Self> {
        let package_name = env!("CARGO_PKG_NAME");

        let config_folder = match path {
            Some(p) => PathBuf::from(p),
            None => match dirs::config_dir() {
                Some(conf_dir) => conf_dir.join(package_name),
                None => return Err(Error::Config("could not get directory path".into())),
            },
        };

        let setting_file_path = config_folder.join(DEFAULT_SETTING_FILE_NAME);
        let setting_config = Self {
            root_folder: config_folder,
            setting_file_path,
        };

        debug!("configuration settings: {setting_config:?}");
        Ok(setting_config)
    }

    /// Get the path to the audit log file.
    #[must_use]
    pub fn audit_log_path(&self) -> PathBuf {
        self.root_folder.join("audit.log")
    }

    /// Get the path to the custom checks directory.
    #[must_use]
    pub fn custom_checks_dir(&self) -> PathBuf {
        self.root_folder.join("checks")
    }

    /// Convert user settings yaml to struct.
    ///
    /// # Errors
    ///
    /// Will return `Err` has an error when loading the config file
    pub fn get_settings_from_file(&self) -> Result<Settings> {
        match self.read_config_file() {
            Ok(content) => match serde_yaml::from_str(&content) {
                Ok(settings) => Ok(settings),
                Err(e) => {
                    tracing::warn!(
                        "Settings file could not be parsed, using defaults: {e}. \
                         Run `shellfirm config reset` to fix."
                    );
                    Ok(Settings::default())
                }
            },
            Err(_) if !self.setting_file_path.exists() => Ok(Settings::default()),
            Err(e) => Err(e),
        }
    }

    /// Reset user configuration to the default app.
    ///
    /// # Errors
    ///
    /// Will return `Err` if the config directory cannot be created or the file
    /// cannot be written.
    pub fn reset_config(&self) -> Result<()> {
        self.ensure_config_dir()?;
        // Write an empty file — serde defaults fill in all fields at load time.
        // The interactive setup will add only the keys the user picks.
        fs::File::create(&self.setting_file_path)?;
        Ok(())
    }

    /// Create config folder (and parent directories) if not exists.
    fn ensure_config_dir(&self) -> Result<()> {
        if let Err(err) = fs::create_dir_all(&self.root_folder) {
            if err.kind() != std::io::ErrorKind::AlreadyExists {
                return Err(Error::Config(format!("could not create folder: {err}")));
            }
            debug!("configuration folder found: {}", self.root_folder.display());
        } else {
            debug!(
                "configuration created in path: {}",
                self.root_folder.display()
            );
        }
        Ok(())
    }

    /// Convert the given config to YAML format and save to file.
    ///
    /// # Arguments
    ///
    /// * `settings` - Config struct
    ///
    /// # Errors
    ///
    /// Will return `Err` if the config directory cannot be created or the file
    /// cannot be written.
    pub fn save_settings_file_from_struct(&self, settings: &Settings) -> Result<()> {
        self.ensure_config_dir()?;
        let content = serde_yaml::to_string(settings)?;
        let mut file = fs::File::create(&self.setting_file_path)?;
        file.write_all(content.as_bytes())?;
        debug!(
            "settings file crated in path: {}. config data: {:?}",
            self.setting_file_path.display(),
            settings
        );
        Ok(())
    }

    /// Return config content.
    ///
    /// # Errors
    ///
    /// Will return `Err` if the config file cannot be opened or read.
    pub fn read_config_file(&self) -> Result<String> {
        let mut file = std::fs::File::open(&self.setting_file_path)?;
        let mut content = String::new();
        file.read_to_string(&mut content)?;
        Ok(content)
    }

    /// Load settings as a raw [`serde_yaml::Value`] tree.
    ///
    /// # Errors
    ///
    /// Will return `Err` if the config file cannot be read or parsed.
    pub fn read_config_as_value(&self) -> Result<serde_yaml::Value> {
        let empty_mapping = || serde_yaml::Value::Mapping(serde_yaml::Mapping::default());
        match self.read_config_file() {
            Ok(content) => {
                let value: serde_yaml::Value = serde_yaml::from_str(&content)?;
                // serde_yaml::from_str("") returns Null — treat as empty mapping
                if value.is_null() {
                    Ok(empty_mapping())
                } else {
                    Ok(value)
                }
            }
            Err(_) if !self.setting_file_path.exists() => Ok(empty_mapping()),
            Err(e) => Err(e),
        }
    }

    /// Validate a [`serde_yaml::Value`] tree by round-tripping through
    /// [`Settings`] deserialization, then save the YAML to disk.
    ///
    /// # Errors
    ///
    /// Will return `Err` if validation fails or the file cannot be written.
    pub fn save_config_from_value(&self, value: &serde_yaml::Value) -> Result<()> {
        self.ensure_config_dir()?;
        let yaml_str = serde_yaml::to_string(value)?;
        // Validate: round-trip through Settings deserialization
        let _settings: Settings = serde_yaml::from_str(&yaml_str)?;
        let mut file = fs::File::create(&self.setting_file_path)?;
        file.write_all(yaml_str.as_bytes())?;
        Ok(())
    }
}

impl Settings {
    /// Return list of active patterns by user groups
    ///
    /// # Errors
    ///
    /// Will return `Err` when could not load config file
    pub fn get_active_checks(&self) -> Result<Vec<checks::Check>> {
        let enabled: HashSet<&str> = self.enabled_groups.iter().map(String::as_str).collect();
        let disabled: HashSet<&str> = self.disabled_groups.iter().map(String::as_str).collect();
        let ignores: HashSet<&str> = self
            .ignores_patterns_ids
            .iter()
            .map(String::as_str)
            .collect();
        // Filter from the static cache directly — only clone checks that pass
        // all filters, instead of cloning all ~100 checks then discarding.
        Ok(checks::all_checks_cached()
            .iter()
            .filter(|c| enabled.contains(c.from.as_str()))
            .filter(|c| !disabled.contains(c.from.as_str()))
            .filter(|c| !ignores.contains(c.id.as_str()))
            .cloned()
            .collect())
    }

    #[must_use]
    pub const fn get_active_groups(&self) -> &Vec<String> {
        &self.enabled_groups
    }
}

/// Set a value at a dot-notation path, creating intermediate mappings as
/// needed.
///
/// # Errors
///
/// Will return `Err` if an intermediate value exists but is not a mapping.
pub fn value_set(
    root: &mut serde_yaml::Value,
    path: &str,
    new_value: serde_yaml::Value,
) -> Result<()> {
    let segments: Vec<&str> = path.split('.').collect();
    let mut current = root;

    for (i, segment) in segments.iter().enumerate() {
        if i == segments.len() - 1 {
            // Final segment — set the value
            let map = current.as_mapping_mut().ok_or_else(|| {
                Error::Config(format!("expected a mapping at parent of '{path}'"))
            })?;
            map.insert(serde_yaml::Value::String((*segment).to_string()), new_value);
            return Ok(());
        }
        // Intermediate segment — descend or create
        let key = serde_yaml::Value::String((*segment).to_string());
        if !current.as_mapping().is_some_and(|m| m.contains_key(&key)) {
            let map = current
                .as_mapping_mut()
                .ok_or_else(|| Error::Config(format!("expected a mapping at '{segment}'")))?;
            map.insert(
                key.clone(),
                serde_yaml::Value::Mapping(serde_yaml::Mapping::default()),
            );
        }
        current = current
            .get_mut(segment)
            .ok_or_else(|| Error::Config(format!("failed to descend into '{segment}'")))?;
    }
    Ok(())
}

#[cfg(test)]
mod test_config {
    use std::fs::read_dir;

    use tree_fs::Tree;

    use super::*;

    fn initialize_config_folder(temp_dir: &Tree) -> Config {
        let temp_dir = temp_dir.root.join("app");
        Config::new(Some(&temp_dir.display().to_string())).unwrap()
    }

    fn initialize_config_folder_with_file(temp_dir: &Tree) -> Config {
        let config = initialize_config_folder(temp_dir);
        config.reset_config().unwrap();
        config
    }

    #[test]
    fn new_config_does_not_create_files() {
        let temp_dir = tree_fs::TreeBuilder::default()
            .create()
            .expect("create tree");
        let config = initialize_config_folder(&temp_dir);
        assert!(!config.root_folder.is_dir());
        assert!(!config.setting_file_path.is_file());
    }

    #[test]
    fn get_settings_returns_defaults_without_file() {
        let temp_dir = tree_fs::TreeBuilder::default()
            .create()
            .expect("create tree");
        let config = initialize_config_folder(&temp_dir);
        let settings = config.get_settings_from_file().unwrap();
        assert_eq!(settings.challenge, DEFAULT_CHALLENGE);
        assert_eq!(settings.enabled_groups, default_enabled_groups());
        assert!(settings.audit_enabled);
    }

    #[test]
    fn can_reset_config() {
        let temp_dir = tree_fs::TreeBuilder::default()
            .create()
            .expect("create tree");
        let config = initialize_config_folder_with_file(&temp_dir);
        let mut settings = config.get_settings_from_file().unwrap();
        settings.challenge = Challenge::Yes;
        config.save_settings_file_from_struct(&settings).unwrap();
        assert_eq!(
            config.get_settings_from_file().unwrap().challenge,
            Challenge::Yes
        );
        config.reset_config().unwrap();
        assert_eq!(
            config.get_settings_from_file().unwrap().challenge,
            Challenge::Math
        );
        assert_eq!(read_dir(&config.root_folder).unwrap().count(), 1);
    }

    #[test]
    fn read_config_as_value_empty_file_returns_empty_mapping() {
        let temp_dir = tree_fs::TreeBuilder::default()
            .create()
            .expect("create tree");
        let config = initialize_config_folder_with_file(&temp_dir);
        // reset_config writes an empty file — read_config_as_value must return
        // an empty Mapping (not Null) so that value_set can work on it.
        let root = config.read_config_as_value().unwrap();
        let mapping = root
            .as_mapping()
            .expect("should be a Mapping, not Null");
        assert!(mapping.is_empty());
        // Verify value_set succeeds on the result
        let mut root = root;
        value_set(
            &mut root,
            "challenge",
            serde_yaml::Value::String("Enter".into()),
        )
        .unwrap();
        assert_eq!(
            root.get("challenge").unwrap().as_str().unwrap(),
            "Enter"
        );
    }

    #[test]
    fn sparse_config_on_fresh_install() {
        let temp_dir = tree_fs::TreeBuilder::default()
            .create()
            .expect("create tree");
        let config = initialize_config_folder(&temp_dir);
        // initialize_config_folder does not create any files — fresh install
        assert!(!config.setting_file_path.exists());
        // read_config_as_value should return empty mapping
        let root = config.read_config_as_value().unwrap();
        assert!(root.as_mapping().unwrap().is_empty());
        // Setting a value and saving should produce a sparse file
        let mut root = root;
        value_set(
            &mut root,
            "challenge",
            serde_yaml::Value::String("Yes".into()),
        )
        .unwrap();
        config.save_config_from_value(&root).unwrap();
        let content = config.read_config_file().unwrap();
        assert!(content.contains("challenge"));
        assert!(!content.contains("enabled_groups"));
        // Settings should still load with defaults filled in
        let settings = config.get_settings_from_file().unwrap();
        assert_eq!(settings.challenge, Challenge::Yes);
        assert_eq!(settings.enabled_groups, default_enabled_groups());
    }
}

#[cfg(test)]
mod test_settings {
    use super::*;

    #[test]
    fn can_get_active_checks() {
        // Uses Settings::default() — no file needed
        assert!(Settings::default().get_active_checks().is_ok());
    }

    #[test]
    fn can_get_settings_from_file() {
        let groups = Settings::default().get_active_groups().clone();
        assert_eq!(
            groups,
            vec![
                "aws",
                "azure",
                "base",
                "database",
                "docker",
                "fs",
                "gcp",
                "git",
                "heroku",
                "kubernetes",
                "mongodb",
                "mysql",
                "network",
                "psql",
                "redis",
                "terraform",
            ]
        );
    }

    #[test]
    fn settings_yaml_roundtrip_preserves_enabled_groups() {
        let original = Settings::default();
        let yaml = serde_yaml::to_string(&original).unwrap();
        let restored: Settings = serde_yaml::from_str(&yaml).unwrap();
        assert_eq!(restored.enabled_groups, original.enabled_groups);
        assert!(
            !restored.enabled_groups.is_empty(),
            "enabled_groups must not be empty after roundtrip"
        );
    }

    #[test]
    fn default_settings_produce_nonempty_active_checks() {
        let checks = Settings::default().get_active_checks().unwrap();
        assert!(
            !checks.is_empty(),
            "Settings::default() must produce active checks"
        );
        let groups: std::collections::HashSet<&str> =
            checks.iter().map(|c| c.from.as_str()).collect();
        assert!(groups.contains("fs"), "fs group must be active");
        assert!(groups.contains("git"), "git group must be active");
    }

    #[test]
    fn settings_file_roundtrip_produces_matches() {
        let temp = tree_fs::TreeBuilder::default()
            .create()
            .expect("create tree");
        let config = Config::new(Some(&temp.root.join("app").display().to_string())).unwrap();
        config.reset_config().unwrap();
        let settings = config.get_settings_from_file().unwrap();
        let checks = settings.get_active_checks().unwrap();
        assert!(
            !checks.is_empty(),
            "Active checks must not be empty after file roundtrip"
        );
        let matches = crate::checks::run_check_on_command(&checks, "git push --force origin main");
        assert!(
            !matches.is_empty(),
            "git push --force must match after file roundtrip"
        );
    }

    #[test]
    fn old_includes_field_falls_back_to_default_enabled_groups() {
        let old_yaml = "challenge: Math\nincludes:\n  - base\n  - fs\n  - git\n";
        let settings: Settings = serde_yaml::from_str(old_yaml).unwrap();
        // Old `includes` is unknown → ignored; enabled_groups gets serde default
        assert_eq!(settings.enabled_groups, default_enabled_groups());
        let checks = settings.get_active_checks().unwrap();
        assert!(!checks.is_empty());
    }
}