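"""Tests for the JSON encrypt/decrypt helpers exposed by ``SecretCipher``."""

import pytest

from core_shared.secrets import EncryptedSecret, SecretCipher


def test_secret_cipher_round_trips_json_payload() -> None:
    """Encrypting and then decrypting a JSON payload returns the same payload."""
    cipher = SecretCipher(key="test-key")
    payload = {"api_key": "secret-value", "nested": {"token": "abc"}}

    encrypted = cipher.encrypt_json(payload)
    decrypted = cipher.decrypt_json(encrypted)

    assert encrypted.ciphertext
    # The plaintext secret must not appear anywhere in the stored ciphertext.
    # A plain inequality check would pass even if the payload were stored
    # unencrypted, because the serialized JSON never equals the bare value.
    assert "secret-value" not in encrypted.ciphertext
    assert encrypted.fingerprint
    assert decrypted == payload


def test_secret_cipher_rejects_tampered_payload() -> None:
    """A ciphertext modified after encryption is rejected with ``ValueError``."""
    cipher = SecretCipher(key="test-key")
    encrypted = cipher.encrypt_json({"api_key": "secret-value"})

    original = encrypted.ciphertext
    # Choose a replacement suffix that always differs from the original one.
    # With a fixed "AA", a ciphertext that already ends in "AA" would be left
    # unchanged and this test would fail intermittently.
    replacement = "BB" if original.endswith("AA") else "AA"
    tampered_ciphertext = original[:-2] + replacement
    assert tampered_ciphertext != original
    # NOTE(review): assumes the last two characters of the ciphertext are
    # covered by the integrity check (e.g. part of an authentication tag) —
    # confirm against the SecretCipher encoding.

    tampered = EncryptedSecret(
        ciphertext=tampered_ciphertext,
        fingerprint=encrypted.fingerprint,
        algorithm=encrypted.algorithm,
    )

    with pytest.raises(ValueError):
        cipher.decrypt_json(tampered)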