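//! Guard — Mizan SSR is hand-rolled (bare renderer + AFI data injection +
//! injected kernel). No frontend adapter imports an SSR runtime / meta-framework
//! (Next, Nuxt, SvelteKit) or a server-functions layer (RSC / Flight).
//!
//! React Server Components and the Flight serialization protocol carry
//! CVE-2025-55182 ("React2Shell" — unauthenticated remote code execution,
//! CVSS 10.0): the server deserializes a client-supplied Flight payload and an
//! attacker reaches prototype-pollution → RCE.
//!
//! Mizan renders **synchronously from props** — data is fetched server-side
//! through the AFI and passed in, never deserialized from a client payload — so
//! it sits structurally outside that attack surface. This test keeps it there:
//! it goes red the instant any RSC / Flight / streaming surface enters the
//! authored SSR source or its declared dependencies. Absence is not enough;
//! this is the forcing function that makes re-entry loud.
//!
//! Scope of the check: it is a case-sensitive substring scan over exactly the
//! files listed in `SCANNED`. Only `package.json` is listed for dependencies and
//! no lockfile is scanned, so a forbidden package that arrives transitively is
//! not seen here. New SSR source files have to be added to `SCANNED` to be
//! covered.

/// Tokens that only appear when RSC / Flight / streaming rendering is in play.
///
/// Each entry is matched with `str::contains`, so it also matches inside
/// comments and longer identifiers.
const FORBIDDEN: &[&str] = &[
    // React Server Components / Flight — CVE-2025-55182 (pre-auth RCE, CVSS 10.0)
    "react-server-dom",
    "renderToReadableStream",
    "renderToPipeableStream",
    "createFromReadableStream",
    "createFromFetch",
    "use server",
    // SSR runtimes / meta-frameworks — forbidden across every frontend adapter
    "next/",
    "nuxt",
    "@sveltejs/kit",
    "sveltekit",
];

/// Files the guard reads, as absolute paths built at compile time from the
/// crate's `CARGO_MANIFEST_DIR`.
const SCANNED: &[&str] = &[
    concat!(env!("CARGO_MANIFEST_DIR"), "/tests/fixture/entry.js"),
    concat!(env!("CARGO_MANIFEST_DIR"), "/tests/fixture/Hello.js"),
    concat!(env!("CARGO_MANIFEST_DIR"), "/tests/fixture/package.json"),
];

/// Fails if any file in `SCANNED` contains any token from `FORBIDDEN`.
///
/// A missing file is skipped, but the test also fails when a listed file exists
/// and cannot be read, or when none of the listed files exist. Without those two
/// checks a renamed fixture directory or an unreadable file would let the guard
/// pass without having scanned anything.
///
/// # Panics
///
/// Panics (test failure) on a forbidden token, on a read error other than
/// "not found", and when zero files were scanned.
#[test]
fn ssr_has_no_rsc_or_flight_surface() {
    let mut scanned = 0usize;

    for path in SCANNED {
        let src = match std::fs::read_to_string(path) {
            Ok(src) => src,
            // A generated/optional file being absent is fine; authored source is the point.
            Err(err) if err.kind() == std::io::ErrorKind::NotFound => continue,
            // The file is there but went unscanned (permissions, non-UTF-8 bytes):
            // a guard must not report that as clean.
            Err(err) => panic!("cannot read {path} for the RSC/Flight scan: {err}"),
        };
        scanned += 1;

        for needle in FORBIDDEN {
            assert!(
                !src.contains(needle),
                "RSC/Flight surface {needle:?} found in {path} — forbidden. \
                 RSC carries CVE-2025-55182 (unauth RCE, CVSS 10.0); Mizan SSR is \
                 classic renderToString-family only, rendered synchronously from props.",
            );
        }
    }

    // Every path missing means the guard checked nothing; fail instead of passing vacuously.
    assert!(
        scanned > 0,
        "none of the SCANNED paths exist — the RSC/Flight guard scanned nothing; \
         update SCANNED to point at the authored SSR source.",
    );
}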