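#!/usr/bin/env python3
"""
Test script for boundary enforcement.

Exercises the path, tool and network checks of the boundary enforcer for
the "family" and "work" agents. The two checks this script marks as
"should be False" are enforced: if the enforcer allows either of them the
run fails, instead of printing a success marker next to a policy bypass.
"""

import sys
from pathlib import Path

# Make the directory three levels above this file importable so that
# `safety.boundaries.policy` resolves when the script is run directly.
sys.path.insert(0, str(Path(__file__).parent.parent.parent))

from safety.boundaries.policy import get_enforcer


def _report(label, allowed, reason, expected=None):
    """Print one check result and return True unless it contradicts *expected*.

    With ``expected=None`` the decision is only reported (neutral marker),
    because no expected value is stated for that check. Otherwise the marker
    reflects whether the enforcer's decision matches the expectation.
    """
    if expected is None:
        print(f" ℹ️ {label}: {allowed} - {reason}")
        return True
    matches = bool(allowed) == expected
    marker = "✅" if matches else "❌"
    print(f" {marker} {label}: {allowed} (should be {expected}) - {reason}")
    return matches


def test_boundaries():
    """Test boundary enforcement.

    Raises:
        AssertionError: if a check marked "should be False" is allowed by
            the enforcer (i.e. the boundary fails open).
    """
    print("=" * 60)
    print("Boundary Enforcement Test")
    print("=" * 60)

    enforcer = get_enforcer()
    base_dir = Path(__file__).parent.parent.parent

    # Labels of the checks whose result contradicted the stated expectation.
    failures = []

    # Test path access
    print("\n1. Testing path access...")

    # Family agent - allowed path
    # NOTE(review): reported only; pin expected=True once the policy's
    # allow-list for the family agent is confirmed.
    allowed, reason = enforcer.check_path_access(
        "family",
        base_dir / "data" / "tasks" / "home" / "todo" / "test.md"
    )
    _report("Family agent accessing home tasks", allowed, reason)

    # Family agent - forbidden path (work repo); a True here means the
    # family agent can read outside its boundary, so it must fail the run.
    allowed, reason = enforcer.check_path_access(
        "family",
        base_dir.parent / "work-repos" / "something.md"
    )
    label = "Family agent accessing work repo"
    if not _report(label, allowed, reason, expected=False):
        failures.append(label)

    # Work agent - broader access
    allowed, reason = enforcer.check_path_access(
        "work",
        base_dir / "data" / "tasks" / "home" / "todo" / "test.md"
    )
    _report("Work agent accessing home tasks", allowed, reason)

    # Test tool access
    print("\n2. Testing tool access...")

    # Family agent - allowed tool
    allowed, reason = enforcer.check_tool_access("family", "add_task")
    _report("Family agent using add_task", allowed, reason)

    # Family agent - forbidden tool (if any)
    # This would fail if we had work-specific tools
    # A tool name the family policy does not list must be denied; an
    # "allowed" answer here would mean unknown tools are permitted by default.
    allowed, reason = enforcer.check_tool_access("family", "send_work_email")
    label = "Family agent using send_work_email"
    if not _report(label, allowed, reason, expected=False):
        failures.append(label)

    # Test network access
    print("\n3. Testing network access...")

    # Family agent - localhost
    allowed, reason = enforcer.check_network_access("family", "localhost")
    _report("Family agent accessing localhost", allowed, reason)

    # Family agent - GPU VM (might be forbidden)
    # NOTE(review): no expected value is stated for the GPU VM checks, so
    # they are informational; decide the intended policy and enforce it.
    allowed, reason = enforcer.check_network_access("family", "10.0.30.63")
    _report("Family agent accessing GPU VM", allowed, reason)

    # Work agent - GPU VM
    allowed, reason = enforcer.check_network_access("work", "10.0.30.63")
    _report("Work agent accessing GPU VM", allowed, reason)

    print("\n" + "=" * 60)
    if failures:
        print("❌ Boundary enforcement tests FAILED!")
        print("=" * 60)
        # Raised explicitly (not via `assert`) so the check survives `python -O`
        # and gives a non-zero exit status when run as a script.
        raise AssertionError(
            "boundary not enforced for: " + "; ".join(failures)
        )
    print("✅ Boundary enforcement tests complete!")
    print("=" * 60)


if __name__ == "__main__":
    test_boundaries()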