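"""Regression test for Dockerfile UID/GID.

QA-round-3 B1: the production stage of the Dockerfile must create the
``appuser`` account with UID 1000 / GID 1000. Previously this used
``adduser --system`` which on Debian-slim assigns UID 100 / GID 65534
(nogroup), causing PermissionError when the scraper tried to create new
listing directories on the NFS-backed PVC (owned 1000:1000 mode 775).

Scope of these checks: they are textual, they look at the whole Dockerfile
rather than only the production stage, and they verify how the account is
created, not which account the container finally runs as.
"""

import re
from pathlib import Path

REPO_ROOT = Path(__file__).resolve().parents[2]
DOCKERFILE = REPO_ROOT / "Dockerfile"

# The value must be exactly 1000: ``(?!\d)`` rejects ``--uid 10001`` and the
# like, which a plain substring test would accept. Both ``--uid 1000`` and
# ``--uid=1000`` spellings are recognised.
_UID_1000 = re.compile(r"--uid(?:=|[ \t]+)1000(?!\d)")
_GID_1000 = re.compile(r"--gid(?:=|[ \t]+)1000(?!\d)")
# Tolerates extra spaces or tabs between the command and the flag.
_ADDUSER_SYSTEM = re.compile(r"\badduser[ \t]+--system\b")


def _dockerfile_instructions() -> str:
    """Return the Dockerfile text with comment-only lines removed.

    Lines whose first non-blank character is ``#`` are dropped so that a
    comment mentioning ``--uid 1000`` cannot satisfy a check on its own, and
    a comment explaining why ``adduser --system`` was removed does not trip
    the negative check.
    """
    text = DOCKERFILE.read_text(encoding="utf-8")
    return "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("#")
    )


class TestDockerfileAppUser:
    """The Dockerfile production stage must run as uid 1000 / gid 1000.

    NOTE(review): the methods below only check how ``appuser`` is created.
    Nothing here asserts that a ``USER`` instruction (or another
    privilege-drop step) actually selects that account, so an image that
    creates the user but still runs as root would pass. Consider adding that
    check once the Dockerfile's mechanism is confirmed.
    """

    def test_production_stage_creates_user_with_uid_1000(self) -> None:
        """The account is created with an explicit uid and gid of 1000."""
        contents = _dockerfile_instructions()
        # The fix uses `useradd --uid 1000 --gid 1000` (and a matching
        # groupadd) instead of `adduser --system` which would assign uid 100.
        assert _UID_1000.search(contents), (
            "Dockerfile must create appuser with explicit --uid 1000 to "
            "match NFS-backed data PVC ownership"
        )
        assert _GID_1000.search(contents), (
            "Dockerfile must create appuser with explicit --gid 1000"
        )

    def test_production_stage_does_not_use_adduser_system(self) -> None:
        """`adduser --system` assigns uid 100 — must not be used."""
        contents = _dockerfile_instructions()
        assert not _ADDUSER_SYSTEM.search(contents), (
            "Dockerfile must not use `adduser --system` for appuser — "
            "it assigns uid 100 which can't write to the 1000:1000 NFS mount"
        )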