from pam_deploy_graph.logging_utils import json_for_log, redact_for_log


def test_redact_for_log_masks_sensitive_keys_and_inline_assignments():
    payload = {
        "CLIENT_SECRET": "home-secret",
        "api_key": "llm-key",
        "nested": {
            "Authorization": "Bearer token-value",
            "message": "CLIENT_SECRET=abc api_key:xyz Authorization=Bearer raw-token header Bearer plain-token",
        },
    }

    redacted = redact_for_log(payload)
    serialized = json_for_log(payload)

    assert redacted["CLIENT_SECRET"] == "***"
    assert redacted["api_key"] == "***"
    assert redacted["nested"]["Authorization"] == "***"
    assert "home-secret" not in serialized
    assert "llm-key" not in serialized
    assert "token-value" not in serialized
    assert "CLIENT_SECRET=***" in serialized
    assert "api_key:***" in serialized
    assert "Authorization=***" in serialized
    assert "Bearer ***" in serialized
    assert "raw-token" not in serialized
    assert "plain-token" not in serialized