gitr/tests/core_flow.rs

use std::{
    fs,
    path::{Path, PathBuf},
    process::Command,
    sync::Arc,
    time::{SystemTime, UNIX_EPOCH},
};

use actix_http::Request;
use actix_web::{
    App,
    body::BoxBody,
    dev::{Service, ServiceResponse},
    http::StatusCode,
    test,
};
use gitr::{
    app::AppState,
    conf::{AppConfig, CoreAppConfig, DatabaseConfig, RepositoryConfig, ServerConfig},
    db::Database,
    http::build_scope,
    models::{
        AccessMode, ApiCollaboratorResponse, ApiLoginResponse, ApiPullRequestDetailResponse,
        ApiPullRequestResponse, ApiRepositoryResponse, ApiUser, Branch, CompareResponse,
        CreateAccessTokenResponse, PullRequestStatus,
    },
};
use serde_json::Value;

#[actix_web::test]
async fn create_user_and_bare_repo_via_http() {
    let env = TestEnv::new("bare");
    let app = env.app().await;

    let user = create_user(&app, "alice").await;
    assert_eq!(user.name, "alice");

    let token = login(&app, "alice").await.token;
    let repo = create_repo(&app, &token, "demo", false).await;
    assert_eq!(repo.owner.name, "alice");
    assert_eq!(repo.repo.name, "demo");
    assert!(repo.repo.is_bare);

    let repo_path = env.repo_path("alice", "demo");
    assert!(repo_path.exists());
    assert!(repo_path.join("HEAD").exists());
    assert_eq!(
        git(&repo_path, &["symbolic-ref", "HEAD"]),
        "refs/heads/main"
    );
}

#[actix_web::test]
async fn create_repo_with_auto_init_creates_first_commit() {
    let env = TestEnv::new("autoinit");
    let app = env.app().await;

    create_user(&app, "bob").await;
    let token = login(&app, "bob").await.token;
    let repo = create_repo(&app, &token, "seeded", true).await;
    assert!(!repo.repo.is_bare);

    let repo_path = env.repo_path("bob", "seeded");
    let head = git(&repo_path, &["rev-parse", "refs/heads/main"]);
    assert_eq!(head.len(), 40);

    let readme = git(&repo_path, &["show", "refs/heads/main:README.md"]);
    assert_eq!(readme, "# seeded");
}

#[actix_web::test]
async fn duplicate_user_is_rejected() {
    let env = TestEnv::new("duplicate-user");
    let app = env.app().await;

    create_user(&app, "carol").await;
    let admin_token = login(&app, "carol").await.token;

    let request = test::TestRequest::post()
        .uri("/api/admin/users")
        .insert_header(("authorization", format!("Bearer {admin_token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"username":"carol","email":"carol@example.com","password":"password123"}"#)
        .to_request();
    let response = test::call_service(&app, request).await;

    assert_eq!(response.status(), StatusCode::CONFLICT);
    assert_error_response(
        response,
        StatusCode::CONFLICT,
        "conflict",
        "user already exists: carol",
    )
    .await;
}

#[actix_web::test]
async fn duplicate_repo_is_rejected() {
    let env = TestEnv::new("duplicate-repo");
    let app = env.app().await;

    create_user(&app, "dave").await;
    let token = login(&app, "dave").await.token;
    create_repo(&app, &token, "demo", false).await;

    let request = test::TestRequest::post()
        .uri("/api/repos")
        .insert_header(("authorization", format!("Bearer {token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"name":"demo","description":"again","auto_init":false}"#)
        .to_request();
    let response = test::call_service(&app, request).await;

    assert_eq!(response.status(), StatusCode::CONFLICT);
}

#[actix_web::test]
async fn missing_authorization_is_rejected() {
    let env = TestEnv::new("missing-auth");
    let app = env.app().await;

    let request = test::TestRequest::post()
        .uri("/api/repos")
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"name":"demo","description":"demo","auto_init":false}"#)
        .to_request();
    let response = test::call_service(&app, request).await;

    assert_error_response(
        response,
        StatusCode::UNAUTHORIZED,
        "unauthorized",
        "missing authorization header",
    )
    .await;
}

#[actix_web::test]
async fn invalid_repo_name_is_rejected() {
    let env = TestEnv::new("invalid-repo");
    let app = env.app().await;

    create_user(&app, "erin").await;
    let token = login(&app, "erin").await.token;

    let request = test::TestRequest::post()
        .uri("/api/repos")
        .insert_header(("authorization", format!("Bearer {token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"name":"bad/name","description":"demo","auto_init":false}"#)
        .to_request();
    let response = test::call_service(&app, request).await;

    assert_error_response(
        response,
        StatusCode::BAD_REQUEST,
        "validation_error",
        "repository name must contain only ASCII letters, digits, '-', '_' or '.'",
    )
    .await;
}

#[actix_web::test]
async fn invalid_user_name_is_rejected() {
    let env = TestEnv::new("invalid-user");
    let app = env.app().await;

    let request = test::TestRequest::post()
        .uri("/api/admin/users")
        .insert_header(("content-type", "application/json"))
        .set_payload(
            r#"{"username":"bad/name","email":"bad@example.com","password":"password123"}"#,
        )
        .to_request();
    let response = test::call_service(&app, request).await;

    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
}

#[actix_web::test]
async fn git_init_failure_does_not_leave_repo_record() {
    let env = TestEnv::new("git-init-failure");
    let app = env
        .app_with_git_binary("definitely-not-a-real-git-binary")
        .await;

    create_user(&app, "frank").await;
    let token = login(&app, "frank").await.token;

    let request = test::TestRequest::post()
        .uri("/api/repos")
        .insert_header(("authorization", format!("Bearer {token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"name":"blocked","description":"demo","auto_init":false}"#)
        .to_request();
    let response = test::call_service(&app, request).await;

    assert_error_response(
        response,
        StatusCode::INTERNAL_SERVER_ERROR,
        "internal_error",
        "internal server error",
    )
    .await;

    let get_request = test::TestRequest::get()
        .uri("/api/repos/frank/blocked")
        .to_request();
    let get_response = test::call_service(&app, get_request).await;

    assert_eq!(get_response.status(), StatusCode::NOT_FOUND);
}

#[actix_web::test]
async fn login_rejects_bad_password() {
    let env = TestEnv::new("bad-login");
    let app = env.app().await;

    create_user(&app, "grace").await;

    let request = test::TestRequest::post()
        .uri("/api/user/login")
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"login":"grace","password":"wrong-password"}"#)
        .to_request();
    let response = test::call_service(&app, request).await;

    assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
}

#[actix_web::test]
async fn token_endpoint_creates_second_token() {
    let env = TestEnv::new("token-endpoint");
    let app = env.app().await;

    create_user(&app, "heidi").await;
    let login = login(&app, "heidi").await;

    let request = test::TestRequest::post()
        .uri("/api/user/tokens")
        .insert_header(("authorization", format!("Bearer {}", login.token)))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"name":"cli"}"#)
        .to_request();
    let response = test::call_service(&app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    let token: CreateAccessTokenResponse = test::read_body_json(response).await;
    assert_eq!(token.name, "cli");
    assert!(!token.token.is_empty());
    assert_eq!(token.updated_unix, 0);
}

#[actix_web::test]
async fn access_token_names_must_be_unique_per_user() {
    let env = TestEnv::new("token-unique");
    let app = env.app().await;

    create_user(&app, "alice").await;
    let login = login(&app, "alice").await;

    let first = test::TestRequest::post()
        .uri("/api/user/tokens")
        .insert_header(("authorization", format!("Bearer {}", login.token)))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"name":"cli"}"#)
        .to_request();
    let first_response = test::call_service(&app, first).await;
    assert_eq!(first_response.status(), StatusCode::OK);

    let second = test::TestRequest::post()
        .uri("/api/user/tokens")
        .insert_header(("authorization", format!("Bearer {}", login.token)))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"name":"cli"}"#)
        .to_request();
    let second_response = test::call_service(&app, second).await;
    assert_eq!(second_response.status(), StatusCode::CONFLICT);
}

#[actix_web::test]
async fn access_token_can_be_listed_and_deleted() {
    let env = TestEnv::new("token-list-delete");
    let app = env.app().await;

    create_user(&app, "alice").await;
    let login = login(&app, "alice").await;

    let create = test::TestRequest::post()
        .uri("/api/user/tokens")
        .insert_header(("authorization", format!("Bearer {}", login.token)))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"name":"cli"}"#)
        .to_request();
    let create_response = test::call_service(&app, create).await;
    assert_eq!(create_response.status(), StatusCode::OK);
    let token: CreateAccessTokenResponse = test::read_body_json(create_response).await;
    assert_eq!(token.updated_unix, 0);

    let list = test::TestRequest::get()
        .uri("/api/user/tokens")
        .insert_header(("authorization", format!("Bearer {}", login.token)))
        .to_request();
    let list_response = test::call_service(&app, list).await;
    assert_eq!(list_response.status(), StatusCode::OK);
    let list_body: Value = test::read_body_json(list_response).await;
    let list_entries = list_body
        .as_array()
        .expect("token list response should be an array");
    assert_eq!(list_entries.len(), 2);
    assert!(list_entries
        .iter()
        .any(|entry| entry.get("id").and_then(Value::as_i64) == Some(token.id)));
    assert!(list_entries.iter().all(|entry| entry.get("token").is_none()));

    let delete = test::TestRequest::delete()
        .uri(&format!("/api/user/tokens/{}", token.id))
        .insert_header(("authorization", format!("Bearer {}", login.token)))
        .to_request();
    let delete_response = test::call_service(&app, delete).await;
    assert_eq!(delete_response.status(), StatusCode::NO_CONTENT);

    let list_again = test::TestRequest::get()
        .uri("/api/user/tokens")
        .insert_header(("authorization", format!("Bearer {}", login.token)))
        .to_request();
    let list_again_response = test::call_service(&app, list_again).await;
    assert_eq!(list_again_response.status(), StatusCode::OK);
    let list_again_body: Value = test::read_body_json(list_again_response).await;
    let list_again_entries = list_again_body
        .as_array()
        .expect("token list response should be an array");
    assert_eq!(list_again_entries.len(), 1);
    assert!(list_again_entries
        .iter()
        .all(|entry| entry.get("id").and_then(Value::as_i64) != Some(token.id)));
}

#[actix_web::test]
async fn access_token_updated_unix_changes_after_use() {
    let env = TestEnv::new("token-touch");
    let app = env.app().await;

    create_user(&app, "alice").await;
    let login = login(&app, "alice").await;

    let create = test::TestRequest::post()
        .uri("/api/user/tokens")
        .insert_header(("authorization", format!("Bearer {}", login.token)))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"name":"cli"}"#)
        .to_request();
    let create_response = test::call_service(&app, create).await;
    assert_eq!(create_response.status(), StatusCode::OK);
    let token: CreateAccessTokenResponse = test::read_body_json(create_response).await;
    assert_eq!(token.updated_unix, 0);

    let use_cli = test::TestRequest::get()
        .uri("/api/user/tokens")
        .insert_header(("authorization", format!("Bearer {}", token.token)))
        .to_request();
    let use_cli_response = test::call_service(&app, use_cli).await;
    assert_eq!(use_cli_response.status(), StatusCode::OK);

    let list = test::TestRequest::get()
        .uri("/api/user/tokens")
        .insert_header(("authorization", format!("Bearer {}", login.token)))
        .to_request();
    let list_response = test::call_service(&app, list).await;
    assert_eq!(list_response.status(), StatusCode::OK);
    let list_body: Value = test::read_body_json(list_response).await;
    let list_entries = list_body
        .as_array()
        .expect("token list response should be an array");
    let cli_entry = list_entries
        .iter()
        .find(|entry| entry.get("id").and_then(Value::as_i64) == Some(token.id))
        .expect("cli token should exist");
    assert!(
        cli_entry
            .get("updated_unix")
            .and_then(Value::as_i64)
            .unwrap_or_default()
            > 0
    );
}

#[actix_web::test]
async fn admin_user_creation_requires_bootstrap_or_admin_token() {
    let env = TestEnv::new("admin-auth");
    let app = env.app().await;

    create_user(&app, "admin").await;
    let admin_token = login(&app, "admin").await.token;

    let anonymous = test::TestRequest::post()
        .uri("/api/admin/users")
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"username":"member","email":"member@example.com","password":"password123"}"#)
        .to_request();
    let anonymous_response = test::call_service(&app, anonymous).await;
    assert_eq!(anonymous_response.status(), StatusCode::UNAUTHORIZED);

    let member = create_user_as_admin(&app, &admin_token, "member").await;
    assert_eq!(member.name, "member");
}

#[actix_web::test]
async fn api_responses_do_not_expose_password_hash() {
    let env = TestEnv::new("redaction");
    let app = env.app().await;

    create_user(&app, "alice").await;
    let token = login(&app, "alice").await.token;

    let user_request = test::TestRequest::get().uri("/api/users/alice").to_request();
    let user_response = test::call_service(&app, user_request).await;
    assert_eq!(user_response.status(), StatusCode::OK);
    let user_body: Value = test::read_body_json(user_response).await;
    assert!(user_body.get("password_hash").is_none());
    assert_eq!(user_body.get("email").and_then(Value::as_str), Some(""));

    let repo_request = test::TestRequest::post()
        .uri("/api/repos")
        .insert_header(("authorization", format!("Bearer {token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"name":"demo","description":"demo","auto_init":false}"#)
        .to_request();
    let repo_response = test::call_service(&app, repo_request).await;
    assert_eq!(repo_response.status(), StatusCode::OK);
    let repo_body: Value = test::read_body_json(repo_response).await;
    assert!(
        repo_body
            .get("owner")
            .and_then(|owner| owner.get("password_hash"))
            .is_none()
    );
}

#[actix_web::test]
async fn private_repo_metadata_is_not_visible_without_read_access() {
    let env = TestEnv::new("private-repo-opaque");
    let app = env.app().await;

    create_user(&app, "owner").await;
    let owner_token = login(&app, "owner").await.token;
    create_repo_with_visibility(&app, &owner_token, "secret", true, true).await;
    create_user_as_admin(&app, &owner_token, "outsider").await;
    let outsider_token = login(&app, "outsider").await.token;

    let anonymous = test::TestRequest::get()
        .uri("/api/repos/owner/secret")
        .to_request();
    let anonymous_response = test::call_service(&app, anonymous).await;
    assert_error_response(
        anonymous_response,
        StatusCode::NOT_FOUND,
        "not_found",
        "repository not found: owner/secret",
    )
    .await;

    let outsider = test::TestRequest::get()
        .uri("/api/repos/owner/secret")
        .insert_header(("authorization", format!("Bearer {outsider_token}")))
        .to_request();
    let outsider_response = test::call_service(&app, outsider).await;
    assert_error_response(
        outsider_response,
        StatusCode::NOT_FOUND,
        "not_found",
        "repository not found: owner/secret",
    )
    .await;
}

#[actix_web::test]
async fn private_repo_read_endpoints_are_not_visible_without_access() {
    let env = TestEnv::new("private-repo-read-opaque");
    let app = env.app().await;

    create_user(&app, "owner").await;
    let owner_token = login(&app, "owner").await.token;
    create_repo_with_visibility(&app, &owner_token, "secret", true, true).await;
    create_user_as_admin(&app, &owner_token, "outsider").await;
    let outsider_token = login(&app, "outsider").await.token;

    let branches = test::TestRequest::get()
        .uri("/api/repos/owner/secret/branches")
        .insert_header(("authorization", format!("Bearer {outsider_token}")))
        .to_request();
    let branches_response = test::call_service(&app, branches).await;
    assert_eq!(branches_response.status(), StatusCode::NOT_FOUND);

    let pulls = test::TestRequest::get()
        .uri("/api/repos/owner/secret/pulls")
        .insert_header(("authorization", format!("Bearer {outsider_token}")))
        .to_request();
    let pulls_response = test::call_service(&app, pulls).await;
    assert_eq!(pulls_response.status(), StatusCode::NOT_FOUND);

    let forks = test::TestRequest::post()
        .uri("/api/repos/owner/secret/forks")
        .insert_header(("authorization", format!("Bearer {outsider_token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"name":"secret-fork","description":"x"}"#)
        .to_request();
    let forks_response = test::call_service(&app, forks).await;
    assert_eq!(forks_response.status(), StatusCode::NOT_FOUND);

    let compare = test::TestRequest::get()
        .uri("/api/repos/owner/secret/compare?base=main&head_owner=owner&head_repo=secret&head_branch=main")
        .insert_header(("authorization", format!("Bearer {outsider_token}")))
        .to_request();
    let compare_response = test::call_service(&app, compare).await;
    assert_eq!(compare_response.status(), StatusCode::NOT_FOUND);

    let create_pr = test::TestRequest::post()
        .uri("/api/repos/owner/secret/pulls")
        .insert_header(("authorization", format!("Bearer {outsider_token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(
            r#"{"head_owner":"owner","head_repo":"secret","head_branch":"main","base_branch":"main","title":"x","body":""}"#,
        )
        .to_request();
    let create_pr_response = test::call_service(&app, create_pr).await;
    assert_eq!(create_pr_response.status(), StatusCode::NOT_FOUND);
}

#[actix_web::test]
async fn list_user_repositories_hides_private_repos_without_access() {
    let env = TestEnv::new("list-user-repos");
    let app = env.app().await;

    create_user(&app, "owner").await;
    let owner_token = login(&app, "owner").await.token;
    create_repo_with_visibility(&app, &owner_token, "public", true, false).await;
    create_repo_with_visibility(&app, &owner_token, "secret", true, true).await;
    create_user_as_admin(&app, &owner_token, "outsider").await;
    let outsider_token = login(&app, "outsider").await.token;

    let anonymous_repos = list_user_repositories(&app, None, "owner", "").await;
    assert_eq!(anonymous_repos.len(), 1);
    assert_eq!(anonymous_repos[0].repo.name, "public");
    assert_eq!(anonymous_repos[0].permission.mode, AccessMode::Read);

    let outsider_repos = list_user_repositories(&app, Some(&outsider_token), "owner", "").await;
    assert_eq!(outsider_repos.len(), 1);
    assert_eq!(outsider_repos[0].repo.name, "public");
    assert!(outsider_repos[0].permission.can_read);
    assert!(!outsider_repos[0].permission.can_write);

    let owner_repos = list_user_repositories(&app, Some(&owner_token), "owner", "").await;
    assert_eq!(owner_repos.len(), 2);
    assert!(owner_repos.iter().any(|repo| repo.repo.name == "secret"));
    assert!(owner_repos.iter().all(|repo| repo.permission.is_owner));
}

#[actix_web::test]
async fn current_user_repo_list_includes_visible_repositories() {
    let env = TestEnv::new("current-user-repos");
    let app = env.app().await;

    create_user(&app, "alice").await;
    let alice_token = login(&app, "alice").await.token;
    create_repo_with_visibility(&app, &alice_token, "own-public", true, false).await;
    create_repo_with_visibility(&app, &alice_token, "own-private", true, true).await;

    create_user_as_admin(&app, &alice_token, "bob").await;
    let bob_token = login(&app, "bob").await.token;
    create_repo_with_visibility(&app, &bob_token, "bob-public", true, false).await;
    create_repo_with_visibility(&app, &bob_token, "bob-shared", true, true).await;
    add_collaborator(&app, &bob_token, "bob", "bob-shared", "alice", "read").await;

    let repos = list_current_user_repositories(&app, &alice_token, "").await;
    assert_eq!(repos.len(), 4);
    assert!(repos.iter().any(|repo| {
        repo.owner.name == "alice" && repo.repo.name == "own-private" && repo.permission.is_owner
    }));
    assert!(repos.iter().any(|repo| {
        repo.owner.name == "bob"
            && repo.repo.name == "bob-public"
            && repo.permission.can_read
            && !repo.permission.can_write
    }));
    assert!(repos.iter().any(|repo| {
        repo.owner.name == "bob"
            && repo.repo.name == "bob-shared"
            && repo.permission.can_read
            && !repo.permission.can_write
    }));
}

#[actix_web::test]
async fn repository_search_filters_to_visible_results() {
    let env = TestEnv::new("search-repos");
    let app = env.app().await;

    create_user(&app, "searcher").await;
    let searcher_token = login(&app, "searcher").await.token;
    create_user_as_admin(&app, &searcher_token, "owner").await;
    let owner_token = login(&app, "owner").await.token;
    create_repo_with_visibility(&app, &owner_token, "rust-public", true, false).await;
    create_repo_with_visibility(&app, &owner_token, "python-public", true, false).await;
    create_repo_with_visibility(&app, &owner_token, "rust-secret", true, true).await;
    add_collaborator(&app, &owner_token, "owner", "rust-secret", "searcher", "read").await;

    let anonymous = search_repositories(&app, None, "rust").await;
    assert_eq!(anonymous.len(), 1);
    assert_eq!(anonymous[0].repo.name, "rust-public");

    let authed = search_repositories(&app, Some(&searcher_token), "rust").await;
    assert_eq!(authed.len(), 2);
    assert!(authed.iter().any(|repo| repo.repo.name == "rust-public"));
    assert!(authed.iter().any(|repo| repo.repo.name == "rust-secret"));
}

#[actix_web::test]
async fn invalid_collaborator_permission_is_rejected() {
    let env = TestEnv::new("invalid-collab-permission");
    let app = env.app().await;

    create_user(&app, "owner").await;
    let owner_token = login(&app, "owner").await.token;
    create_user_as_admin(&app, &owner_token, "guest").await;
    create_repo_with_visibility(&app, &owner_token, "shared", true, true).await;

    let request = test::TestRequest::post()
        .uri("/api/repos/owner/shared/collaborators")
        .insert_header(("authorization", format!("Bearer {owner_token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"username":"guest","permission":"super"}"#)
        .to_request();
    let response = test::call_service(&app, request).await;
    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
}

#[actix_web::test]
async fn collaborator_list_and_check_return_expected_permissions() {
    let env = TestEnv::new("list-collaborators");
    let app = env.app().await;

    create_user(&app, "owner").await;
    let owner_token = login(&app, "owner").await.token;
    create_user_as_admin(&app, &owner_token, "reader").await;
    create_user_as_admin(&app, &owner_token, "adminer").await;
    create_repo_with_visibility(&app, &owner_token, "shared", true, true).await;
    add_collaborator(&app, &owner_token, "owner", "shared", "reader", "read").await;
    add_collaborator(&app, &owner_token, "owner", "shared", "adminer", "admin").await;

    let collaborators = list_collaborators(&app, Some(&owner_token), "owner", "shared").await;
    assert_eq!(collaborators.len(), 2);
    assert_eq!(collaborators[0].user.name, "adminer");
    assert_eq!(collaborators[1].user.name, "reader");

    let reader = get_collaborator(&app, Some(&owner_token), "owner", "shared", "reader").await;
    assert_eq!(reader.user.name, "reader");
    assert_eq!(format!("{:?}", reader.mode), "Read");
}

#[actix_web::test]
async fn private_collaborator_endpoints_are_not_visible_without_access() {
    let env = TestEnv::new("private-collaborator-opaque");
    let app = env.app().await;

    create_user(&app, "owner").await;
    let owner_token = login(&app, "owner").await.token;
    create_repo_with_visibility(&app, &owner_token, "secret", true, true).await;
    create_user_as_admin(&app, &owner_token, "outsider").await;
    let outsider_token = login(&app, "outsider").await.token;

    let list = test::TestRequest::get()
        .uri("/api/repos/owner/secret/collaborators")
        .insert_header(("authorization", format!("Bearer {outsider_token}")))
        .to_request();
    let list_response = test::call_service(&app, list).await;
    assert_eq!(list_response.status(), StatusCode::NOT_FOUND);

    let get = test::TestRequest::get()
        .uri("/api/repos/owner/secret/collaborators/outsider")
        .insert_header(("authorization", format!("Bearer {outsider_token}")))
        .to_request();
    let get_response = test::call_service(&app, get).await;
    assert_eq!(get_response.status(), StatusCode::NOT_FOUND);
}

#[actix_web::test]
async fn public_git_info_refs_allows_anonymous_pull() {
    let env = TestEnv::new("public-git-http");
    let app = env.app().await;

    create_user(&app, "ivan").await;
    let token = login(&app, "ivan").await.token;
    create_repo_with_visibility(&app, &token, "public", true, false).await;

    let request = test::TestRequest::get()
        .uri("/ivan/public.git/info/refs?service=git-upload-pack")
        .to_request();
    let response = test::call_service(&app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    assert_eq!(
        response
            .headers()
            .get("content-type")
            .and_then(|v| v.to_str().ok()),
        Some("application/x-git-upload-pack-advertisement")
    );
}

#[actix_web::test]
async fn private_git_info_refs_requires_basic_auth() {
    let env = TestEnv::new("private-git-http");
    let app = env.app().await;

    create_user(&app, "judy").await;
    let token = login(&app, "judy").await.token;
    create_repo_with_visibility(&app, &token, "private", true, true).await;

    let unauthenticated = test::TestRequest::get()
        .uri("/judy/private.git/info/refs?service=git-upload-pack")
        .to_request();
    let unauthenticated_response = test::call_service(&app, unauthenticated).await;
    assert_eq!(unauthenticated_response.status(), StatusCode::UNAUTHORIZED);

    let basic = basic_auth_header("judy", "password123");
    let authenticated = test::TestRequest::get()
        .uri("/judy/private.git/info/refs?service=git-upload-pack")
        .insert_header(("authorization", basic))
        .to_request();
    let authenticated_response = test::call_service(&app, authenticated).await;
    assert_eq!(authenticated_response.status(), StatusCode::OK);
}

#[actix_web::test]
async fn private_git_info_refs_allows_read_collaborator() {
    let env = TestEnv::new("private-collab-read");
    let app = env.app().await;

    create_user(&app, "kate").await;
    let owner_token = login(&app, "kate").await.token;
    create_user_as_admin(&app, &owner_token, "louis").await;
    create_repo_with_visibility(&app, &owner_token, "shared", true, true).await;
    add_collaborator(&app, &owner_token, "kate", "shared", "louis", "read").await;

    let collaborator = test::TestRequest::get()
        .uri("/kate/shared.git/info/refs?service=git-upload-pack")
        .insert_header(("authorization", basic_auth_header("louis", "password123")))
        .to_request();
    let collaborator_response = test::call_service(&app, collaborator).await;
    assert_eq!(collaborator_response.status(), StatusCode::OK);
}

#[actix_web::test]
async fn read_collaborator_cannot_advertise_receive_pack() {
    let env = TestEnv::new("private-collab-read-no-push");
    let app = env.app().await;

    create_user(&app, "mike").await;
    let owner_token = login(&app, "mike").await.token;
    create_user_as_admin(&app, &owner_token, "nina").await;
    create_repo_with_visibility(&app, &owner_token, "shared", true, true).await;
    add_collaborator(&app, &owner_token, "mike", "shared", "nina", "read").await;

    let collaborator = test::TestRequest::get()
        .uri("/mike/shared.git/info/refs?service=git-receive-pack")
        .insert_header(("authorization", basic_auth_header("nina", "password123")))
        .to_request();
    let collaborator_response = test::call_service(&app, collaborator).await;
    assert_eq!(collaborator_response.status(), StatusCode::FORBIDDEN);
}

#[actix_web::test]
async fn fork_repository_clones_base_repo() {
    let env = TestEnv::new("fork-repository");
    let app = env.app().await;

    create_user(&app, "olivia").await;
    let owner_token = login(&app, "olivia").await.token;
    create_user_as_admin(&app, &owner_token, "peter").await;
    let forker_token = login(&app, "peter").await.token;
    create_repo_with_visibility(&app, &owner_token, "origin", true, false).await;

    let request = test::TestRequest::post()
        .uri("/api/repos/olivia/origin/forks")
        .insert_header(("authorization", format!("Bearer {forker_token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"name":"origin-fork","description":"forked"}"#)
        .to_request();
    let response = test::call_service(&app, request).await;
    assert_eq!(response.status(), StatusCode::OK);

    let fork_path = env.repo_path("peter", "origin-fork");
    assert!(fork_path.exists());
    let head = git(&fork_path, &["rev-parse", "refs/heads/main"]);
    assert_eq!(head.len(), 40);
}

#[actix_web::test]
async fn list_branches_returns_main_branch() {
    let env = TestEnv::new("list-branches");
    let app = env.app().await;

    create_user(&app, "quinn").await;
    let token = login(&app, "quinn").await.token;
    create_repo_with_visibility(&app, &token, "branches", true, false).await;

    let request = test::TestRequest::get()
        .uri("/api/repos/quinn/branches/branches")
        .insert_header(("authorization", format!("Bearer {token}")))
        .to_request();
    let response = test::call_service(&app, request).await;
    assert_eq!(response.status(), StatusCode::OK);
    let branches: Vec<Branch> = test::read_body_json(response).await;
    assert!(branches.iter().any(|branch| branch.name == "main"));
}

#[actix_web::test]
async fn create_pull_request_from_fork_succeeds() {
    let env = TestEnv::new("create-pr");
    let app = env.app().await;

    create_user(&app, "rachel").await;
    let owner_token = login(&app, "rachel").await.token;
    create_user_as_admin(&app, &owner_token, "sam").await;
    let forker_token = login(&app, "sam").await.token;
    create_repo_with_visibility(&app, &owner_token, "origin", true, false).await;
    fork_repo(&app, &forker_token, "rachel", "origin", "origin-fork").await;

    push_commit_to_branch(
        &env.repo_path("sam", "origin-fork"),
        "main",
        "feature-one",
        "sam",
        "sam@example.com",
        "feature.txt",
        "hello from fork\n",
    );

    let pull = create_pull_request(
        &app,
        &forker_token,
        "rachel",
        "origin",
        "sam",
        "origin-fork",
        "feature-one",
        "main",
        "Add feature one",
    )
    .await;

    assert_eq!(pull.base_repo.owner.name, "rachel");
    assert_eq!(pull.base_repo.repo.name, "origin");
    assert_eq!(pull.head_repo.owner.name, "sam");
    assert_eq!(pull.head_repo.repo.name, "origin-fork");
    assert_eq!(pull.pull_request.index, 1);
    assert_eq!(pull.pull_request.head_branch, "feature-one");
    assert_eq!(pull.pull_request.base_branch, "main");
    assert_eq!(pull.pull_request.status, PullRequestStatus::Mergeable);
    assert!(!pull.pull_request.merge_base.is_empty());
}

#[actix_web::test]
async fn compare_endpoint_returns_commit_and_file_stats() {
    let env = TestEnv::new("compare-pr");
    let app = env.app().await;

    create_user(&app, "rhea").await;
    let owner_token = login(&app, "rhea").await.token;
    create_user_as_admin(&app, &owner_token, "sora").await;
    let forker_token = login(&app, "sora").await.token;
    create_repo_with_visibility(&app, &owner_token, "origin", true, false).await;
    fork_repo(&app, &forker_token, "rhea", "origin", "origin-fork").await;
    push_commit_to_branch(
        &env.repo_path("sora", "origin-fork"),
        "main",
        "feature-compare",
        "sora",
        "sora@example.com",
        "compare.txt",
        "compare body\n",
    );

    let compare = compare_repositories(
        &app,
        &forker_token,
        "rhea",
        "origin",
        "main",
        "sora",
        "origin-fork",
        "feature-compare",
    )
    .await;

    assert_eq!(compare.base_branch, "main");
    assert_eq!(compare.head_branch, "feature-compare");
    assert_eq!(compare.status, PullRequestStatus::Mergeable);
    assert_eq!(compare.commits.len(), 1);
    assert_eq!(compare.files.len(), 1);
    assert_eq!(compare.files[0].path, "compare.txt");
    assert!(!compare.head_commit_id.is_empty());
    assert!(!compare.merge_base.is_empty());
}

#[actix_web::test]
async fn duplicate_unmerged_pull_request_is_rejected() {
    let env = TestEnv::new("duplicate-pr");
    let app = env.app().await;

    create_user(&app, "tina").await;
    let owner_token = login(&app, "tina").await.token;
    create_user_as_admin(&app, &owner_token, "uma").await;
    let forker_token = login(&app, "uma").await.token;
    create_repo_with_visibility(&app, &owner_token, "origin", true, false).await;
    fork_repo(&app, &forker_token, "tina", "origin", "origin-fork").await;
    push_commit_to_branch(
        &env.repo_path("uma", "origin-fork"),
        "main",
        "feature-one",
        "uma",
        "uma@example.com",
        "feature.txt",
        "duplicate pr check\n",
    );

    let _ = create_pull_request(
        &app,
        &forker_token,
        "tina",
        "origin",
        "uma",
        "origin-fork",
        "feature-one",
        "main",
        "First PR",
    )
    .await;

    let request = test::TestRequest::post()
        .uri("/api/repos/tina/origin/pulls")
        .insert_header(("authorization", format!("Bearer {forker_token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(
            r#"{"head_owner":"uma","head_repo":"origin-fork","head_branch":"feature-one","base_branch":"main","title":"First PR","body":""}"#,
        )
        .to_request();
    let response = test::call_service(&app, request).await;

    assert_eq!(response.status(), StatusCode::CONFLICT);
}

#[actix_web::test]
async fn list_pull_requests_returns_created_pull_request() {
    let env = TestEnv::new("list-prs");
    let app = env.app().await;

    create_user(&app, "victor").await;
    let owner_token = login(&app, "victor").await.token;
    create_user_as_admin(&app, &owner_token, "wendy").await;
    let forker_token = login(&app, "wendy").await.token;
    create_repo_with_visibility(&app, &owner_token, "origin", true, false).await;
    fork_repo(&app, &forker_token, "victor", "origin", "origin-fork").await;
    push_commit_to_branch(
        &env.repo_path("wendy", "origin-fork"),
        "main",
        "feature-list",
        "wendy",
        "wendy@example.com",
        "list.txt",
        "list pull requests\n",
    );

    let created = create_pull_request(
        &app,
        &forker_token,
        "victor",
        "origin",
        "wendy",
        "origin-fork",
        "feature-list",
        "main",
        "List PR",
    )
    .await;

    let request = test::TestRequest::get()
        .uri("/api/repos/victor/origin/pulls")
        .insert_header(("authorization", format!("Bearer {owner_token}")))
        .to_request();
    let response = test::call_service(&app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    let pulls: Vec<ApiPullRequestResponse> = test::read_body_json(response).await;
    assert_eq!(pulls.len(), 1);
    assert_eq!(pulls[0].pull_request.id, created.pull_request.id);
    assert_eq!(pulls[0].pull_request.title, "List PR");
    assert_eq!(pulls[0].head_repo.repo.name, "origin-fork");
}

#[actix_web::test]
async fn get_pull_request_detail_returns_compare_payload() {
    let env = TestEnv::new("pr-detail");
    let app = env.app().await;

    create_user(&app, "trent").await;
    let owner_token = login(&app, "trent").await.token;
    create_user_as_admin(&app, &owner_token, "ursula").await;
    let forker_token = login(&app, "ursula").await.token;
    create_repo_with_visibility(&app, &owner_token, "origin", true, false).await;
    fork_repo(&app, &forker_token, "trent", "origin", "origin-fork").await;
    push_commit_to_branch(
        &env.repo_path("ursula", "origin-fork"),
        "main",
        "feature-detail",
        "ursula",
        "ursula@example.com",
        "detail.txt",
        "detail body\n",
    );

    let created = create_pull_request(
        &app,
        &forker_token,
        "trent",
        "origin",
        "ursula",
        "origin-fork",
        "feature-detail",
        "main",
        "Detail PR",
    )
    .await;

    let detail = get_pull_request(&app, &owner_token, "trent", "origin", 1).await;
    assert_eq!(detail.pull_request.id, created.pull_request.id);
    assert_eq!(detail.pull_request.title, "Detail PR");
    assert_eq!(detail.compare.status, PullRequestStatus::Mergeable);
    assert_eq!(detail.compare.commits.len(), 1);
    assert_eq!(detail.compare.files.len(), 1);
    assert_eq!(detail.compare.files[0].path, "detail.txt");
}

#[actix_web::test]
async fn merge_pull_request_updates_base_branch() {
    let env = TestEnv::new("merge-pr");
    let app = env.app().await;

    create_user(&app, "xavier").await;
    let owner_token = login(&app, "xavier").await.token;
    create_user_as_admin(&app, &owner_token, "yara").await;
    let forker_token = login(&app, "yara").await.token;
    create_repo_with_visibility(&app, &owner_token, "origin", true, false).await;
    fork_repo(&app, &forker_token, "xavier", "origin", "origin-fork").await;
    push_commit_to_branch(
        &env.repo_path("yara", "origin-fork"),
        "main",
        "feature-merge",
        "yara",
        "yara@example.com",
        "merged.txt",
        "merged by pr\n",
    );

    let created = create_pull_request(
        &app,
        &forker_token,
        "xavier",
        "origin",
        "yara",
        "origin-fork",
        "feature-merge",
        "main",
        "Merge PR",
    )
    .await;

    let merged = merge_pull_request(&app, &owner_token, "xavier", "origin", 1).await;
    assert_eq!(merged.pull_request.id, created.pull_request.id);
    assert!(merged.pull_request.has_merged);
    assert!(merged.pull_request.is_closed);

    let merged_file = git(
        &env.repo_path("xavier", "origin"),
        &["show", "refs/heads/main:merged.txt"],
    );
    assert_eq!(merged_file, "merged by pr");
}

#[actix_web::test]
async fn merged_pull_request_detail_excludes_base_only_commits() {
    let env = TestEnv::new("merged-pr-compare");
    let app = env.app().await;

    create_user(&app, "owner").await;
    let owner_token = login(&app, "owner").await.token;
    create_user_as_admin(&app, &owner_token, "forker").await;
    let forker_token = login(&app, "forker").await.token;
    create_repo_with_visibility(&app, &owner_token, "origin", true, false).await;
    fork_repo(&app, &forker_token, "owner", "origin", "origin-fork").await;

    push_commit_to_branch(
        &env.repo_path("forker", "origin-fork"),
        "main",
        "feature-merged",
        "forker",
        "forker@example.com",
        "feature.txt",
        "feature body\n",
    );

    let _ = create_pull_request(
        &app,
        &forker_token,
        "owner",
        "origin",
        "forker",
        "origin-fork",
        "feature-merged",
        "main",
        "Merged PR",
    )
    .await;

    push_commit_to_existing_branch(
        &env.repo_path("owner", "origin"),
        "main",
        "owner",
        "owner@example.com",
        "base.txt",
        "base only\n",
    );

    let merged = merge_pull_request(&app, &owner_token, "owner", "origin", 1).await;
    assert!(merged.pull_request.has_merged);

    let detail = get_pull_request(&app, &owner_token, "owner", "origin", 1).await;
    assert_eq!(detail.compare.commits.len(), 1);
    assert_eq!(detail.compare.files.len(), 1);
    assert_eq!(detail.compare.files[0].path, "feature.txt");
}

#[actix_web::test]
async fn pull_request_poster_can_close_and_reopen() {
    let env = TestEnv::new("close-reopen-pr");
    let app = env.app().await;

    create_user(&app, "zoe").await;
    let owner_token = login(&app, "zoe").await.token;
    create_user_as_admin(&app, &owner_token, "abby").await;
    let forker_token = login(&app, "abby").await.token;
    create_repo_with_visibility(&app, &owner_token, "origin", true, false).await;
    fork_repo(&app, &forker_token, "zoe", "origin", "origin-fork").await;
    push_commit_to_branch(
        &env.repo_path("abby", "origin-fork"),
        "main",
        "feature-close",
        "abby",
        "abby@example.com",
        "close.txt",
        "close reopen\n",
    );

    let created = create_pull_request(
        &app,
        &forker_token,
        "zoe",
        "origin",
        "abby",
        "origin-fork",
        "feature-close",
        "main",
        "Close PR",
    )
    .await;
    assert!(!created.pull_request.is_closed);

    let closed = close_pull_request(&app, &forker_token, "zoe", "origin", 1).await;
    assert!(closed.pull_request.is_closed);
    assert!(!closed.pull_request.has_merged);

    let reopened = reopen_pull_request(&app, &forker_token, "zoe", "origin", 1).await;
    assert!(!reopened.pull_request.is_closed);
    assert_eq!(reopened.pull_request.status, PullRequestStatus::Mergeable);
}

#[actix_web::test]
async fn reopen_pull_request_rejects_duplicate_open_pair() {
    let env = TestEnv::new("reopen-duplicate-pr");
    let app = env.app().await;

    create_user(&app, "brad").await;
    let owner_token = login(&app, "brad").await.token;
    create_user_as_admin(&app, &owner_token, "cora").await;
    let forker_token = login(&app, "cora").await.token;
    create_repo_with_visibility(&app, &owner_token, "origin", true, false).await;
    fork_repo(&app, &forker_token, "brad", "origin", "origin-fork").await;
    push_commit_to_branch(
        &env.repo_path("cora", "origin-fork"),
        "main",
        "feature-dup",
        "cora",
        "cora@example.com",
        "dup.txt",
        "duplicate reopen\n",
    );

    let _ = create_pull_request(
        &app,
        &forker_token,
        "brad",
        "origin",
        "cora",
        "origin-fork",
        "feature-dup",
        "main",
        "Closed PR",
    )
    .await;
    let _ = close_pull_request(&app, &forker_token, "brad", "origin", 1).await;
    let _ = create_pull_request(
        &app,
        &forker_token,
        "brad",
        "origin",
        "cora",
        "origin-fork",
        "feature-dup",
        "main",
        "Open PR",
    )
    .await;

    let request = test::TestRequest::post()
        .uri("/api/repos/brad/origin/pulls/1/reopen")
        .insert_header(("authorization", format!("Bearer {forker_token}")))
        .to_request();
    let response = test::call_service(&app, request).await;

    assert_eq!(response.status(), StatusCode::CONFLICT);
}

async fn create_user<S>(app: &S, username: &str) -> ApiUser
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let email = format!("{username}@example.com");
    let body = format!(
        r#"{{"username":"{username}","email":"{email}","password":"password123","full_name":"{username}"}}"#
    );

    let request = test::TestRequest::post()
        .uri("/api/admin/users")
        .insert_header(("content-type", "application/json"))
        .set_payload(body)
        .to_request();
    let response = test::call_service(app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn create_user_as_admin<S>(app: &S, admin_token: &str, username: &str) -> ApiUser
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let email = format!("{username}@example.com");
    let body = format!(
        r#"{{"username":"{username}","email":"{email}","password":"password123","full_name":"{username}"}}"#
    );

    let request = test::TestRequest::post()
        .uri("/api/admin/users")
        .insert_header(("authorization", format!("Bearer {admin_token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(body)
        .to_request();
    let response = test::call_service(app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn login<S>(app: &S, login: &str) -> ApiLoginResponse
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let body = format!(r#"{{"login":"{login}","password":"password123"}}"#);
    let request = test::TestRequest::post()
        .uri("/api/user/login")
        .insert_header(("content-type", "application/json"))
        .set_payload(body)
        .to_request();
    let response = test::call_service(app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn create_repo<S>(
    app: &S,
    token: &str,
    name: &str,
    auto_init: bool,
) -> ApiRepositoryResponse
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    create_repo_with_visibility(app, token, name, auto_init, false).await
}

async fn create_repo_with_visibility<S>(
    app: &S,
    token: &str,
    name: &str,
    auto_init: bool,
    is_private: bool,
) -> ApiRepositoryResponse
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let body = format!(
        r#"{{"name":"{name}","description":"repo {name}","auto_init":{auto_init},"is_private":{is_private}}}"#
    );

    let request = test::TestRequest::post()
        .uri("/api/repos")
        .insert_header(("authorization", format!("Bearer {token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(body)
        .to_request();
    let response = test::call_service(app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn fork_repo<S>(
    app: &S,
    token: &str,
    owner: &str,
    repo: &str,
    fork_name: &str,
) -> ApiRepositoryResponse
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let body = format!(r#"{{"name":"{fork_name}","description":"fork {fork_name}"}}"#);
    let request = test::TestRequest::post()
        .uri(&format!("/api/repos/{owner}/{repo}/forks"))
        .insert_header(("authorization", format!("Bearer {token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(body)
        .to_request();
    let response = test::call_service(app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn create_pull_request<S>(
    app: &S,
    token: &str,
    owner: &str,
    repo: &str,
    head_owner: &str,
    head_repo: &str,
    head_branch: &str,
    base_branch: &str,
    title: &str,
) -> ApiPullRequestResponse
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let body = format!(
        r#"{{"head_owner":"{head_owner}","head_repo":"{head_repo}","head_branch":"{head_branch}","base_branch":"{base_branch}","title":"{title}","body":"{title} body"}}"#
    );
    let request = test::TestRequest::post()
        .uri(&format!("/api/repos/{owner}/{repo}/pulls"))
        .insert_header(("authorization", format!("Bearer {token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(body)
        .to_request();
    let response = test::call_service(app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn compare_repositories<S>(
    app: &S,
    token: &str,
    owner: &str,
    repo: &str,
    base: &str,
    head_owner: &str,
    head_repo: &str,
    head_branch: &str,
) -> CompareResponse
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let request = test::TestRequest::get()
        .uri(&format!(
            "/api/repos/{owner}/{repo}/compare?base={base}&head_owner={head_owner}&head_repo={head_repo}&head_branch={head_branch}"
        ))
        .insert_header(("authorization", format!("Bearer {token}")))
        .to_request();
    let response = test::call_service(app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn get_pull_request<S>(
    app: &S,
    token: &str,
    owner: &str,
    repo: &str,
    index: i64,
) -> ApiPullRequestDetailResponse
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let request = test::TestRequest::get()
        .uri(&format!("/api/repos/{owner}/{repo}/pulls/{index}"))
        .insert_header(("authorization", format!("Bearer {token}")))
        .to_request();
    let response = test::call_service(app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn merge_pull_request<S>(
    app: &S,
    token: &str,
    owner: &str,
    repo: &str,
    index: i64,
) -> ApiPullRequestResponse
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let request = test::TestRequest::post()
        .uri(&format!("/api/repos/{owner}/{repo}/pulls/{index}/merge"))
        .insert_header(("authorization", format!("Bearer {token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(r#"{"message":""}"#)
        .to_request();
    let response = test::call_service(app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn close_pull_request<S>(
    app: &S,
    token: &str,
    owner: &str,
    repo: &str,
    index: i64,
) -> ApiPullRequestResponse
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let request = test::TestRequest::post()
        .uri(&format!("/api/repos/{owner}/{repo}/pulls/{index}/close"))
        .insert_header(("authorization", format!("Bearer {token}")))
        .to_request();
    let response = test::call_service(app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn reopen_pull_request<S>(
    app: &S,
    token: &str,
    owner: &str,
    repo: &str,
    index: i64,
) -> ApiPullRequestResponse
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let request = test::TestRequest::post()
        .uri(&format!("/api/repos/{owner}/{repo}/pulls/{index}/reopen"))
        .insert_header(("authorization", format!("Bearer {token}")))
        .to_request();
    let response = test::call_service(app, request).await;

    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

fn basic_auth_header(username: &str, password: &str) -> String {
    format!("Basic {}", encode_base64(&format!("{username}:{password}")))
}

async fn add_collaborator<S>(
    app: &S,
    owner_token: &str,
    owner: &str,
    repo: &str,
    username: &str,
    permission: &str,
) where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let body = format!(r#"{{"username":"{username}","permission":"{permission}"}}"#);
    let request = test::TestRequest::post()
        .uri(&format!("/api/repos/{owner}/{repo}/collaborators"))
        .insert_header(("authorization", format!("Bearer {owner_token}")))
        .insert_header(("content-type", "application/json"))
        .set_payload(body)
        .to_request();
    let response = test::call_service(app, request).await;
    assert_eq!(response.status(), StatusCode::OK);
}

async fn assert_error_response(
    response: ServiceResponse<BoxBody>,
    expected_status: StatusCode,
    expected_code: &str,
    expected_message: &str,
) {
    assert_eq!(response.status(), expected_status);
    let body: Value = test::read_body_json(response).await;
    assert_eq!(body.get("code").and_then(Value::as_str), Some(expected_code));
    assert_eq!(
        body.get("message").and_then(Value::as_str),
        Some(expected_message)
    );
    assert_eq!(
        body.get("status").and_then(Value::as_u64),
        Some(expected_status.as_u16() as u64)
    );
}

async fn list_current_user_repositories<S>(
    app: &S,
    token: &str,
    query: &str,
) -> Vec<ApiRepositoryResponse>
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let request = test::TestRequest::get()
        .uri(&format!("/api/user/repos?q={query}"))
        .insert_header(("authorization", format!("Bearer {token}")))
        .to_request();
    let response = test::call_service(app, request).await;
    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn list_user_repositories<S>(
    app: &S,
    token: Option<&str>,
    username: &str,
    query: &str,
) -> Vec<ApiRepositoryResponse>
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let mut request = test::TestRequest::get().uri(&format!("/api/users/{username}/repos?q={query}"));
    if let Some(token) = token {
        request = request.insert_header(("authorization", format!("Bearer {token}")));
    }
    let response = test::call_service(app, request.to_request()).await;
    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn search_repositories<S>(
    app: &S,
    token: Option<&str>,
    query: &str,
) -> Vec<ApiRepositoryResponse>
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let mut request = test::TestRequest::get().uri(&format!("/api/repos/search?q={query}"));
    if let Some(token) = token {
        request = request.insert_header(("authorization", format!("Bearer {token}")));
    }
    let response = test::call_service(app, request.to_request()).await;
    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn list_collaborators<S>(
    app: &S,
    token: Option<&str>,
    owner: &str,
    repo: &str,
) -> Vec<ApiCollaboratorResponse>
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let mut request =
        test::TestRequest::get().uri(&format!("/api/repos/{owner}/{repo}/collaborators"));
    if let Some(token) = token {
        request = request.insert_header(("authorization", format!("Bearer {token}")));
    }
    let response = test::call_service(app, request.to_request()).await;
    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

async fn get_collaborator<S>(
    app: &S,
    token: Option<&str>,
    owner: &str,
    repo: &str,
    username: &str,
) -> ApiCollaboratorResponse
where
    S: Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
{
    let mut request = test::TestRequest::get()
        .uri(&format!("/api/repos/{owner}/{repo}/collaborators/{username}"));
    if let Some(token) = token {
        request = request.insert_header(("authorization", format!("Bearer {token}")));
    }
    let response = test::call_service(app, request.to_request()).await;
    assert_eq!(response.status(), StatusCode::OK);
    test::read_body_json(response).await
}

fn encode_base64(input: &str) -> String {
    const TABLE: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let bytes = input.as_bytes();
    let mut out = String::new();
    let mut index = 0;
    while index < bytes.len() {
        let b0 = bytes[index];
        let b1 = *bytes.get(index + 1).unwrap_or(&0);
        let b2 = *bytes.get(index + 2).unwrap_or(&0);

        out.push(TABLE[(b0 >> 2) as usize] as char);
        out.push(TABLE[((b0 & 0b0000_0011) << 4 | (b1 >> 4)) as usize] as char);

        if index + 1 < bytes.len() {
            out.push(TABLE[((b1 & 0b0000_1111) << 2 | (b2 >> 6)) as usize] as char);
        } else {
            out.push('=');
        }

        if index + 2 < bytes.len() {
            out.push(TABLE[(b2 & 0b0011_1111) as usize] as char);
        } else {
            out.push('=');
        }

        index += 3;
    }
    out
}

fn git(repo_path: &Path, args: &[&str]) -> String {
    let output = Command::new("git")
        .arg("--git-dir")
        .arg(repo_path)
        .args(args)
        .output()
        .expect("run git");

    assert!(
        output.status.success(),
        "git command failed: {}",
        String::from_utf8_lossy(&output.stderr)
    );

    String::from_utf8_lossy(&output.stdout).trim().to_string()
}

fn push_commit_to_branch(
    repo_path: &Path,
    base_branch: &str,
    branch: &str,
    author_name: &str,
    author_email: &str,
    file_name: &str,
    content: &str,
) {
    let unique = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .expect("clock")
        .as_nanos();
    let worktree = std::env::temp_dir().join(format!("gitr-pr-work-{branch}-{unique}"));
    let _ = fs::remove_dir_all(&worktree);

    let clone = Command::new("git")
        .arg("clone")
        .arg(repo_path)
        .arg(&worktree)
        .output()
        .expect("clone repo");
    assert!(
        clone.status.success(),
        "git clone failed: {}",
        String::from_utf8_lossy(&clone.stderr)
    );

    let checkout = Command::new("git")
        .current_dir(&worktree)
        .arg("checkout")
        .arg("-b")
        .arg(branch)
        .arg(format!("origin/{base_branch}"))
        .output()
        .expect("checkout branch");
    assert!(
        checkout.status.success(),
        "git checkout failed: {}",
        String::from_utf8_lossy(&checkout.stderr)
    );

    fs::write(worktree.join(file_name), content).expect("write test file");

    let add = Command::new("git")
        .current_dir(&worktree)
        .arg("add")
        .arg(file_name)
        .output()
        .expect("git add");
    assert!(
        add.status.success(),
        "git add failed: {}",
        String::from_utf8_lossy(&add.stderr)
    );

    let commit = Command::new("git")
        .current_dir(&worktree)
        .env("GIT_AUTHOR_NAME", author_name)
        .env("GIT_AUTHOR_EMAIL", author_email)
        .env("GIT_COMMITTER_NAME", author_name)
        .env("GIT_COMMITTER_EMAIL", author_email)
        .arg("commit")
        .arg("-m")
        .arg(format!("Add {file_name}"))
        .output()
        .expect("git commit");
    assert!(
        commit.status.success(),
        "git commit failed: {}",
        String::from_utf8_lossy(&commit.stderr)
    );

    let push = Command::new("git")
        .current_dir(&worktree)
        .arg("push")
        .arg("origin")
        .arg(format!("HEAD:refs/heads/{branch}"))
        .output()
        .expect("git push");
    assert!(
        push.status.success(),
        "git push failed: {}",
        String::from_utf8_lossy(&push.stderr)
    );

    let _ = fs::remove_dir_all(&worktree);
}

fn push_commit_to_existing_branch(
    repo_path: &Path,
    branch: &str,
    author_name: &str,
    author_email: &str,
    file_name: &str,
    content: &str,
) {
    let unique = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .expect("clock")
        .as_nanos();
    let worktree = std::env::temp_dir().join(format!("gitr-base-work-{branch}-{unique}"));
    let _ = fs::remove_dir_all(&worktree);

    let clone = Command::new("git")
        .arg("clone")
        .arg(repo_path)
        .arg(&worktree)
        .output()
        .expect("clone repo");
    assert!(
        clone.status.success(),
        "git clone failed: {}",
        String::from_utf8_lossy(&clone.stderr)
    );

    let checkout = Command::new("git")
        .current_dir(&worktree)
        .arg("checkout")
        .arg(branch)
        .output()
        .expect("checkout branch");
    assert!(
        checkout.status.success(),
        "git checkout failed: {}",
        String::from_utf8_lossy(&checkout.stderr)
    );

    fs::write(worktree.join(file_name), content).expect("write test file");

    let add = Command::new("git")
        .current_dir(&worktree)
        .arg("add")
        .arg(file_name)
        .output()
        .expect("git add");
    assert!(
        add.status.success(),
        "git add failed: {}",
        String::from_utf8_lossy(&add.stderr)
    );

    let commit = Command::new("git")
        .current_dir(&worktree)
        .env("GIT_AUTHOR_NAME", author_name)
        .env("GIT_AUTHOR_EMAIL", author_email)
        .env("GIT_COMMITTER_NAME", author_name)
        .env("GIT_COMMITTER_EMAIL", author_email)
        .arg("commit")
        .arg("-m")
        .arg(format!("Add {file_name}"))
        .output()
        .expect("git commit");
    assert!(
        commit.status.success(),
        "git commit failed: {}",
        String::from_utf8_lossy(&commit.stderr)
    );

    let push = Command::new("git")
        .current_dir(&worktree)
        .arg("push")
        .arg("origin")
        .arg(format!("HEAD:refs/heads/{branch}"))
        .output()
        .expect("git push");
    assert!(
        push.status.success(),
        "git push failed: {}",
        String::from_utf8_lossy(&push.stderr)
    );

    let _ = fs::remove_dir_all(&worktree);
}

struct TestEnv {
    root: PathBuf,
}

impl TestEnv {
    fn new(label: &str) -> Self {
        let unique = SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .expect("clock")
            .as_nanos();
        let root = std::env::temp_dir().join(format!("gitr-test-{label}-{unique}"));
        fs::create_dir_all(&root).expect("create temp root");
        Self { root }
    }

    async fn app(
        &self,
    ) -> impl Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error> {
        self.app_with_git_binary("git").await
    }

    async fn app_with_git_binary(
        &self,
        git_binary: &str,
    ) -> impl Service<Request, Response = ServiceResponse<BoxBody>, Error = actix_web::Error> {
        let database_path = self.root.join("data").join("gitr.db");
        let repository_root = self.root.join("data").join("repositories");
        fs::create_dir_all(&repository_root).expect("repo root");

        let config = AppConfig {
            server: ServerConfig {
                bind: "127.0.0.1:0".to_string(),
                external_url: "http://127.0.0.1:3000/".to_string(),
            },
            database: DatabaseConfig {
                path: database_path,
            },
            repository: RepositoryConfig {
                root: repository_root,
                default_branch: "main".to_string(),
                git_binary: git_binary.to_string(),
            },
            app: CoreAppConfig {
                run_user: "git".to_string(),
            },
        };

        config.prepare().expect("prepare config");
        let db = Database::open(&config.database.path).expect("open db");
        db.init_schema().expect("init schema");

        test::init_service(App::new().service(build_scope(Arc::new(AppState::new(config, db)))))
            .await
    }

    fn repo_path(&self, owner: &str, repo: &str) -> PathBuf {
        self.root
            .join("data")
            .join("repositories")
            .join(owner)
            .join(format!("{repo}.git"))
    }
}

impl Drop for TestEnv {
    fn drop(&mut self) {
        let _ = fs::remove_dir_all(&self.root);
    }
}