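#!/usr/bin/env bash
#
# Integration test for the ALLOW_CMD gate of the built binary at outputs/app.
#
# The binary is invoked with a single command-string argument and its stdout
# is captured. The test asserts that the command's output shows up only when
# ALLOW_CMD=1, and that it stays absent when ALLOW_CMD is 0 or not set at all.
#
# Exit status: 0 when every check passes, 1 otherwise.
set -euo pipefail

ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
OUT="${ROOT}/outputs"
APP="${OUT}/app"

# Print a diagnostic on stderr and fail the test run.
fail() {
  printf '%s\n' "$*" >&2
  exit 1
}

[[ -x "${APP}" ]] || fail "binary missing; run build first"

tmp="$(mktemp -d)"
# ${tmp:?} keeps the recursive delete from ever running against an empty path.
trap 'rm -rf -- "${tmp:?}"' EXIT

# NOTE(review): only stdout is captured and the marker is matched as a
# substring. If the binary repeats the rejected command text in a refusal
# message on stdout, the deny checks below would report a false failure;
# confirm against the binary's actual output format.

# Deny case 1: ALLOW_CMD explicitly set to 0.
# A gate that refuses with a non-zero exit status is acceptable here, so the
# status is captured instead of letting `set -e` abort the test silently
# before the assertion runs.
BLOCK_FILE="${tmp}/blocked.txt"
block_status=0
ALLOW_CMD=0 "${APP}" "echo SHOULD_NOT_RUN" > "${BLOCK_FILE}" || block_status=$?
if grep -qF -- "SHOULD_NOT_RUN" "${BLOCK_FILE}"; then
  printf 'binary exit status was %s\n' "${block_status}" >&2
  fail "command unexpectedly executed when ALLOW_CMD=0"
fi

# Deny case 2: ALLOW_CMD absent from the environment.
# The gate has to fail closed: an inherited or missing variable must not be
# treated as permission. The subshell keeps the unset from leaking into the
# rest of this script.
UNSET_FILE="${tmp}/unset.txt"
unset_status=0
(
  unset ALLOW_CMD
  "${APP}" "echo SHOULD_NOT_RUN"
) > "${UNSET_FILE}" || unset_status=$?
if grep -qF -- "SHOULD_NOT_RUN" "${UNSET_FILE}"; then
  printf 'binary exit status was %s\n' "${unset_status}" >&2
  fail "command unexpectedly executed when ALLOW_CMD is unset"
fi

# Allow case: ALLOW_CMD=1 must run the command and succeed.
ALLOW_FILE="${tmp}/allow.txt"
if ! ALLOW_CMD=1 "${APP}" "echo ALLOWED" > "${ALLOW_FILE}"; then
  fail "binary exited non-zero when ALLOW_CMD=1"
fi
grep -qF -- "ALLOWED" "${ALLOW_FILE}" \
  || fail "command did not execute when ALLOW_CMD=1"

echo "tests passed"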