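(in-package :passepartout)

;;; Tool permission table.
;;;
;;; Tool names are normalized with (string-downcase (string name)), so a
;;; string, symbol or keyword naming the same tool maps to the same entry.
;;; The levels used in this file are :allow, :ask and :deny. Levels are not
;;; validated here, so callers that enforce them should treat any value they
;;; do not recognize as "not allowed" -- NOTE(review): confirm at the
;;; enforcement site, which is not in this file.

(defvar *permission-table* (make-hash-table :test 'equal)
  "Maps lowercased tool-name strings to their permission level.")

(defun permission-set (tool-name level)
  "Sets the permission level for a tool.

TOOL-NAME is any string designator; it is lowercased before use as the key.
LEVEL is stored as given. A NIL level clears the entry instead of storing NIL,
so that a later PERMISSION-GET falls back to the :ask default rather than
returning NIL for a tool whose permission was reset.

Returns LEVEL."
  (let ((key (string-downcase (string tool-name))))
    (if (null level)
        ;; Storing NIL would leave a present key whose value shadows the
        ;; :ask default in PERMISSION-GET; remove the entry instead.
        (progn (remhash key *permission-table*)
               nil)
        (setf (gethash key *permission-table*) level))))

(defun permission-get (tool-name)
  "Retrieves the permission level for a tool. Defaults to :ask.

TOOL-NAME is normalized the same way as in PERMISSION-SET. A tool with no
entry yields :ask, never an implicit allow."
  (let ((key (string-downcase (string tool-name))))
    (gethash key *permission-table* :ask)))

;; Skill registration. The trigger ignores its context and always returns NIL.
;; NOTE(review): presumably this means the skill is never selected by trigger
;; and exists only to register the module -- confirm against DEFSKILL.
(defskill :passepartout-security-permissions
  :priority 600
  :trigger (lambda (ctx)
             (declare (ignore ctx))
             nil))

;; NOTE(review): this loads FiveAM through Quicklisp whenever the file is
;; compiled or loaded, not only when tests are run. If the system is missing,
;; Quicklisp fetches it, so a production load of the permission module pulls a
;; test dependency. Consider moving the tests to a separate test system.
(eval-when (:compile-toplevel :load-toplevel :execute)
  (ql:quickload :fiveam :silent t))

(defpackage :passepartout-security-permissions-tests
  (:use :cl :fiveam :passepartout)
  (:export #:permissions-suite))

(in-package :passepartout-security-permissions-tests)

(def-suite permissions-suite
  :description "Verification of Tool Permissions")

(in-suite permissions-suite)

(test test-permission-round-trip
  "Contract 1: permission-set stores a level; permission-get retrieves it."
  (permission-set "test-tool" :allow)
  (is (eq :allow (permission-get "test-tool")))
  ;; Clean up
  (permission-set "test-tool" nil))

(test test-permission-default
  "Contract 2: unregistered tools default to :ask."
  (is (eq :ask (permission-get "never-registered-tool-xyz"))))

(test test-permission-case-insensitive
  "Contract 3: tool names are normalized to lowercase."
  ;; The reader upcases :CapitalTool; both spellings lowercase to the same key.
  (permission-set :CapitalTool :deny)
  (is (eq :deny (permission-get :capitaltool)))
  (permission-set "CapitalTool" nil))

(test test-permission-clear-restores-default
  "Contract 4: a NIL level clears the entry, so the tool falls back to :ask."
  (permission-set "test-tool-clear" :allow)
  (permission-set "test-tool-clear" nil)
  (is (eq :ask (permission-get "test-tool-clear"))))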