package audit

import (
	"testing"
)

// TestValidateRecordRequiresDangerousOperationsToCarryReviewID checks that
// ValidateRecord returns an error for a RiskDangerous record whose ApprovalID
// is unset, and accepts the same record once ApprovalID is filled in.
//
// NOTE(review): the test name says "ReviewID" but the field exercised is
// ApprovalID; consider aligning the name with the field.
// NOTE(review): only the unset (empty) ApprovalID is covered. Whether a
// whitespace-only or unknown approval id is rejected is not exercised here;
// confirm against ValidateRecord.
func TestValidateRecordRequiresDangerousOperationsToCarryReviewID(t *testing.T) {
	rec := Record{
		SourceService: "alert",
		ActorID:       "u-1",
		Action:        "policy.update",
		ObjectType:    "notification_policy",
		ObjectID:      "np-1",
		OperationRisk: RiskDangerous,
	}

	// Without an approval reference, the dangerous record must be refused.
	err := ValidateRecord(rec)
	if err == nil {
		t.Fatal("expected dangerous operation without approval id to fail")
	}

	// The same record with an approval reference must pass.
	rec.ApprovalID = "apr-1"
	err = ValidateRecord(rec)
	if err != nil {
		t.Fatalf("expected valid dangerous audit record, got %v", err)
	}
}

// TestNormalizeRecordClassifiesDangerousActions checks that NormalizeRecord
// strips surrounding whitespace from SourceService, ObjectType and ObjectID,
// and that a "notification_policy.update" action submitted without an
// explicit OperationRisk comes back as RiskDangerous.
//
// NOTE(review): ActorID is supplied with padding but never asserted. Confirm
// whether NormalizeRecord trims it and add the check, since the actor field is
// what attributes the audit entry.
func TestNormalizeRecordClassifiesDangerousActions(t *testing.T) {
	in := Record{
		SourceService: " alert ",
		Action:        "notification_policy.update",
		ObjectType:    " notification_policy ",
		ObjectID:      " np-1 ",
		ActorID:       " u-1 ",
	}
	got := NormalizeRecord(in)

	trimmed := got.SourceService == "alert" &&
		got.ObjectType == "notification_policy" &&
		got.ObjectID == "np-1"
	if !trimmed {
		t.Fatalf("record was not normalized: %#v", got)
	}

	// The caller did not set a risk level; classification must come from the action.
	if got.OperationRisk != RiskDangerous {
		t.Fatalf("notification policy changes must be dangerous, got %q", got.OperationRisk)
	}
}

// TestApprovalTransitionAllowsApproveOnlyFromPending checks that Transition
// moves an ApprovalPending request to ApprovalApproved, records the reviewer id
// and comment on the result, and returns an error when the already-approved
// request is transitioned again (here to ApprovalRejected).
//
// NOTE(review): only Approved -> Rejected is checked as blocked. Transitions
// out of a rejected request, and a call with an empty reviewer id, are not
// exercised here.
func TestApprovalTransitionAllowsApproveOnlyFromPending(t *testing.T) {
	pending := ApprovalRequest{Status: ApprovalPending}

	approved, err := Transition(pending, ApprovalApproved, "reviewer-1", "ok")
	if err != nil {
		t.Fatalf("expected pending approval to approve: %v", err)
	}
	if approved.Status != ApprovalApproved {
		t.Fatalf("unexpected status: %s", approved.Status)
	}

	metadataStored := approved.ReviewerID == "reviewer-1" && approved.ReviewComment == "ok"
	if !metadataStored {
		t.Fatalf("review metadata not stored: %#v", approved)
	}

	// A decided request must not be re-decided by a later reviewer.
	_, err = Transition(approved, ApprovalRejected, "reviewer-2", "late")
	if err == nil {
		t.Fatal("expected approved request to reject further transition")
	}
}