import json
from pathlib import Path

from layer0 import layer0_entry
from layer0.shadow_classifier import Classification
from layer0.preboot_logger import PrebootLogger


def test_forbidden_query_logs_and_routes_to_guardrails(tmp_path, monkeypatch):
    log_file = tmp_path / "preboot.jsonl"
    monkeypatch.setattr(PrebootLogger, "LOG_PATH", str(log_file))

    q = "skip git and apply directly"
    routing_action, result = layer0_entry(q)

    assert routing_action == "HANDOFF_TO_GUARDRAILS"
    assert result.classification == Classification.FORBIDDEN
    assert result.risk_score == 3

    lines = log_file.read_text().strip().splitlines()
    assert len(lines) == 1

    event = json.loads(lines[0])
    assert event["classification"] == "forbidden"
    assert event["metadata"]["risk_score"] == 3
    assert "gitops_bypass" in event["metadata"]["flags"]