"""MA3: the frozen RBAC seed in the initial migration must keep matching
the runtime F11 matrix in `mimic.rbac.matrix`. When they drift, *do not* edit
the migration in place — write a new migration. This test enforces it.
"""

from __future__ import annotations

import importlib

from mimic.rbac.matrix import GROUP_PERMISSIONS, GroupName, Permission


def _load_migration():
    return importlib.import_module("mimic.db.migrations.versions.202605210001_initial_schema")


def test_frozen_permission_list_matches_runtime() -> None:
    migration = _load_migration()
    runtime_codes = {p.value for p in Permission}
    frozen_codes = set(migration._PERMISSIONS_FROZEN)
    assert runtime_codes == frozen_codes, (
        "Permission enum drifted from the migration freeze; "
        "write a new migration, do not edit the existing one."
    )


def test_frozen_group_membership_matches_runtime() -> None:
    migration = _load_migration()
    runtime = {gn.value: {p.value for p in perms} for gn, perms in GROUP_PERMISSIONS.items()}
    frozen = {gn: set(perms) for gn, perms in migration._GROUP_PERMISSIONS_FROZEN.items()}
    assert runtime == frozen, (
        "GROUP_PERMISSIONS drifted from the migration freeze; "
        "write a new migration, do not edit the existing one."
    )


def test_frozen_group_names_match_enum() -> None:
    migration = _load_migration()
    assert set(migration._GROUP_PERMISSIONS_FROZEN.keys()) == {g.value for g in GroupName}