package tool import ( "strings" "testing" ) func TestCheckAuthoring_AllowsAnyone(t *testing.T) { r := NewRegistry() _ = r.Register(&fakeTool{name: "calc", perm: Permission{AuthoringRequirement: RequirementAnyone}}) if err := CheckAuthoring(r, []string{"calc"}, false); err != nil { t.Fatalf("expected anyone to pass, got %v", err) } } func TestCheckAuthoring_BlocksNonAdminFromAdminTool(t *testing.T) { r := NewRegistry() _ = r.Register(&fakeTool{name: "db_select", perm: Permission{AuthoringRequirement: RequirementAdmin}}) err := CheckAuthoring(r, []string{"db_select"}, false) if err == nil || !strings.Contains(err.Error(), "requires admin authoring") { t.Fatalf("expected admin-required error, got %v", err) } } func TestCheckAuthoring_AllowsAdminWithAdminTool(t *testing.T) { r := NewRegistry() _ = r.Register(&fakeTool{name: "db_select", perm: Permission{AuthoringRequirement: RequirementAdmin}}) if err := CheckAuthoring(r, []string{"db_select"}, true); err != nil { t.Fatalf("expected admin to pass, got %v", err) } } func TestCheckAuthoring_UnknownTool(t *testing.T) { r := NewRegistry() err := CheckAuthoring(r, []string{"missing"}, true) if err == nil || !strings.Contains(err.Error(), "unknown tool") { t.Fatalf("expected unknown-tool error, got %v", err) } } func TestCheckShareSafety_Pass(t *testing.T) { r := NewRegistry() _ = r.Register(&fakeTool{name: "search", perm: Permission{SafeForShare: true}}) if err := CheckShareSafety(r, []string{"search"}); err != nil { t.Fatalf("expected safe tool to pass, got %v", err) } } func TestCheckShareSafety_BlocksUnsafe(t *testing.T) { r := NewRegistry() _ = r.Register(&fakeTool{name: "balance", perm: Permission{SafeForShare: false}}) err := CheckShareSafety(r, []string{"balance"}) if err == nil || !strings.Contains(err.Error(), "operates on the caller's own data") { t.Fatalf("expected share-safety error, got %v", err) } }