#!/usr/bin/env bats
#
# End-to-end host -> list -> close roundtrip with a stubbed PARTY_TMUX.
# The dispatch layer talks to tmux exclusively through PARTY_TMUX, so we
# hand it a recorder script and verify the side effects party owns
# directly: per-party private dirs, the roster file inside them, the
# notify helper, and the tmux command stream itself.

load 'helpers'

setup() {
  setup_party_sandbox
  # Use the caller's primary group, which they are guaranteed to be in.
  # require_caller_in_group and chgrp both succeed regardless of the
  # default 'party' group existing on the host.
  export TMUX_PARTY_GROUP="$(id -gn)"

  # Spawn a long-lived sleeper so cmd_list's is_party_alive check sees a
  # live PID for the "fake server". setup_party_sandbox provides PARTY_TMP.
  ( exec sleep 60 ) &
  export FAKE_SERVER_PID=$!

  # Recorder: appends every invocation to TMUX_LOG, fakes the few tmux
  # subcommands cmd_host depends on (creating a placeholder socket file,
  # answering display-message -p '#{pid}' with the sleeper's PID so
  # is_party_alive sees it as live), and returns 0 for the rest.
  export TMUX_LOG="$PARTY_TMP/tmux.log"
  : > "$TMUX_LOG"
  cat > "$PARTY_TMP/tmux-stub" <<'STUB'
#!/bin/sh
printf '%s\n' "$*" >> "$TMUX_LOG"
sock=
prev=
for a in "$@"; do
  if [ "$prev" = "-S" ]; then sock="$a"; fi
  prev="$a"
done
case "$*" in
  *"new-session -d "*)
    # cmd_host expects the socket file to exist for apply_party_perms_file.
    [ -n "$sock" ] && : > "$sock"
    ;;
  *"display-message -p "*)
    # Caller is fishing for #{pid}; emit the sleeper's PID.
    echo "$FAKE_SERVER_PID"
    ;;
  *"set-hook -g client-attached "*)
    # Optional injection point for the rollback test: a failure here
    # exits cmd_host between new-session and roster_write.
    [ -n "${FAIL_ON_SETHOOK:-}" ] && exit 17
    ;;
esac
exit 0
STUB
  chmod +x "$PARTY_TMP/tmux-stub"
  export PARTY_TMUX="$PARTY_TMP/tmux-stub"
}

teardown() {
  if [ -n "${FAKE_SERVER_PID:-}" ]; then
    kill "$FAKE_SERVER_PID" 2>/dev/null || true
    wait "$FAKE_SERVER_PID" 2>/dev/null || true
  fi
  teardown_party_sandbox
}

# Helper: per-party roster path under the new layout.
party_rec() { printf '%s/party-%s:%s.d/roster\n' "$PARTY_SOCKET_DIR" "$USER" "$1"; }

@test "host -> list -> close roundtrip with stubbed tmux" {
  # host
  run "$PARTY_BIN" host roundtrip
  [ "$status" -eq 0 ]

  rec=$(party_rec roundtrip)
  [ -f "$rec" ]
  grep -q "^HOST_USER=$USER$"  "$rec"
  grep -q "^PARTY_NAME=roundtrip$" "$rec"
  grep -q "^GROUP=$TMUX_PARTY_GROUP$" "$rec"
  grep -q "^SERVER_PID=[0-9][0-9]*$" "$rec"

  # The per-party directory and its socket placeholder are present, mode
  # 0750 on the dir.
  party_dir="$PARTY_SOCKET_DIR/party-$USER:roundtrip.d"
  [ -d "$party_dir" ]
  [ -f "$party_dir/sock" ]
  [ -x "$party_dir/.party-notify" ]
  m=$(stat -c '%a' "$party_dir" 2>/dev/null || stat -f '%Lp' "$party_dir")
  [ "$m" = "750" ]

  # tmux command stream: the host is on the access list, hooks are set,
  # status-right widget is configured.
  grep -q "server-access -aw $USER"     "$TMUX_LOG"
  grep -q "set-hook -g client-attached" "$TMUX_LOG"
  grep -q "set-hook -g client-detached" "$TMUX_LOG"
  grep -q "status-right"                "$TMUX_LOG"

  # list shows the running party.
  run "$PARTY_BIN" list
  [ "$status" -eq 0 ]
  [[ "$output" == *"roundtrip"* ]]

  # close removes the per-party directory entirely (which takes the
  # roster file with it) and runs kill-server.
  run "$PARTY_BIN" close roundtrip
  [ "$status" -eq 0 ]
  [ ! -d "$party_dir" ]
  [ ! -f "$rec" ]
  grep -q "kill-server" "$TMUX_LOG"
}

@test "host --group <name> records the chosen group in the roster" {
  # The stub doesn't care which group we pick — exercise the path that
  # plumbs --group through to the GROUP= field. Use the caller's primary
  # group so chgrp succeeds.
  primary=$(id -gn)
  run "$PARTY_BIN" host grouped --group "$primary"
  [ "$status" -eq 0 ]

  rec=$(party_rec grouped)
  [ -f "$rec" ]
  grep -q "^GROUP=$primary$" "$rec"

  "$PARTY_BIN" close grouped
}

@test "host with --group works without any pre-existing shared install dir" {
  # Regression: the old layout required /tmp/roster to be installed at
  # mode 1770 g=$TMUX_PARTY_GROUP at install time. The new layout has
  # nothing of the sort — every party is self-contained under PARTY_SOCKET_DIR.
  # Confirm `party host --group` succeeds with a clean sandbox that
  # never had a shared roster directory.
  primary=$(id -gn)
  run "$PARTY_BIN" host noshareddir --group "$primary"
  [ "$status" -eq 0 ]
  rec=$(party_rec noshareddir)
  [ -f "$rec" ]
  "$PARTY_BIN" close noshareddir
}

@test "host refuses a non-trustworthy PARTY_SOCKET_DIR" {
  bad="$PARTY_TMP/bad"
  mkdir -p "$bad"
  chmod 0777 "$bad"   # not sticky, world-writable
  PARTY_SOCKET_DIR="$bad" run "$PARTY_BIN" host shouldfail
  [ "$status" -ne 0 ]
  [[ "$output" == *"refusing to operate"* ]]
}

@test "host refuses group-writable, non-sticky PARTY_SOCKET_DIR" {
  # Owned by us, mode 0770, no sticky. The parent's group may differ
  # from TMUX_PARTY_GROUP, so its members would be outside the trust
  # perimeter yet able to rename or unlink the per-party dir.
  bad="$PARTY_TMP/groupw"
  mkdir -p "$bad"
  chmod 0770 "$bad"
  PARTY_SOCKET_DIR="$bad" run "$PARTY_BIN" host shouldfail
  [ "$status" -ne 0 ]
  [[ "$output" == *"refusing to operate"* ]]
}

@test "host party_dir ends at mode 0750 even with permissive umask" {
  # Regression for the umask race: with umask 0002, plain `mkdir` would
  # produce 0775 until the later chmod 0750 closed the window. mkdir -m
  # 0700 in cmd_host removes the window entirely — and the postcondition
  # is still 0750.
  ( umask 0002 && "$PARTY_BIN" host umasked )
  party_dir="$PARTY_SOCKET_DIR/party-$USER:umasked.d"
  m=$(stat -c '%a' "$party_dir" 2>/dev/null || stat -f '%Lp' "$party_dir")
  [ "$m" = "750" ]
  "$PARTY_BIN" close umasked
}

@test "host refuses to bind a socket path past AF_UNIX sun_path" {
  # Build a long-but-trustworthy parent under PARTY_TMP, then host with a
  # near-max-length name. Total length should exceed the ~100-byte cap
  # cmd_host enforces. The error must come from us, not from tmux.
  pad=$(printf '%080s' '' | tr ' ' p)   # 80-char component
  long="$PARTY_TMP/$pad"
  mkdir "$long" && chmod 0700 "$long"
  longname=$(printf '%050s' '' | tr ' ' n)  # 50 chars, within validator's 63
  PARTY_SOCKET_DIR="$long" run "$PARTY_BIN" host "$longname"
  [ "$status" -ne 0 ]
  [[ "$output" == *"socket path too long"* ]]
  # And the tmux stub never got invoked for new-session.
  ! grep -q "new-session" "$TMUX_LOG"
}

@test "roster record is mode 0640, not group-writable" {
  # If the roster is g+w, peers can rewrite SOCKET= to point cmd_close at
  # arbitrary host-owned paths. Lock it to g+r.
  "$PARTY_BIN" host modecheck
  rec=$(party_rec modecheck)
  m=$(stat -c '%a' "$rec" 2>/dev/null || stat -f '%Lp' "$rec")
  [ "$m" = "640" ]
  "$PARTY_BIN" close modecheck
}

@test "join refuses when caller is not in the party's recorded group" {
  # The cmd_join group check uses RR_GROUP (per-party), not env
  # TMUX_PARTY_GROUP. Forge a roster record whose GROUP= names a group
  # nobody is in, point SERVER_PID at the live sleeper so it looks
  # alive, and verify cmd_join rejects with the friendly diagnostic
  # before any tmux work.
  bogus="party_no_such_group_$$"
  party_dir="$PARTY_SOCKET_DIR/party-$USER:groupgated.d"
  mkdir -p "$party_dir"
  chmod 0750 "$party_dir"
  : > "$party_dir/sock"
  rec="$party_dir/roster"
  cat > "$rec" <<EOF
HOST_USER=$USER
PARTY_NAME=groupgated
SOCKET=$party_dir/sock
SERVER_PID=$FAKE_SERVER_PID
GROUP=$bogus
CREATED=2026-04-28T00:00:00Z
EOF

  run "$PARTY_BIN" join groupgated
  [ "$status" -ne 0 ]
  [[ "$output" == *"uses group '$bogus'"* ]]
  [[ "$output" == *"not a member"* ]]
}

@test "close ignores forged SOCKET= field; uses derived path" {
  # roster_read derives RR_SOCKET from $d/sock and ignores the file's
  # SOCKET= field, and cmd_close derives both paths from $USER + $name
  # without consulting the roster at all. A forged SOCKET= cannot
  # redirect the destructive ops at unrelated paths.
  "$PARTY_BIN" host tampered

  rec=$(party_rec tampered)
  party_dir="$PARTY_SOCKET_DIR/party-$USER:tampered.d"
  [ -d "$party_dir" ]

  sentinel="$PARTY_TMP/sentinel"
  mkdir -p "$sentinel"
  : > "$sentinel/canary"

  # Forge SOCKET= to point inside the sentinel.
  awk -v new="$sentinel/sock" 'BEGIN{FS=OFS="="} $1=="SOCKET"{$2=new}1' \
      "$rec" > "$rec.new" && mv "$rec.new" "$rec"

  run "$PARTY_BIN" close tampered
  [ "$status" -eq 0 ]

  # Sentinel survives: cmd_close used the derived path, not the forged
  # SOCKET=. This is the security property.
  [ -d "$sentinel" ]
  [ -f "$sentinel/canary" ]
  # The real per-party dir is cleaned up regardless.
  [ ! -d "$party_dir" ]
}

@test "close refuses to operate on a symlinked per-party dir" {
  # With a sticky parent (e.g. /tmp), another local user can pre-create
  # party-$USER:<name>.d as a symlink before we ever host. cmd_close
  # must lstat-and-refuse before reading the (potentially forged) roster
  # or invoking tmux against a symlinked socket path.
  victim="$PARTY_TMP/victim"
  mkdir -p "$victim"
  : > "$victim/sock"
  cat > "$victim/roster" <<EOF
HOST_USER=$USER
PARTY_NAME=hijack
SOCKET=$victim/sock
SERVER_PID=$FAKE_SERVER_PID
GROUP=$TMUX_PARTY_GROUP
CREATED=2026-04-29T00:00:00Z
EOF

  party_dir="$PARTY_SOCKET_DIR/party-$USER:hijack.d"
  ln -s "$victim" "$party_dir"

  run "$PARTY_BIN" close hijack
  [ "$status" -ne 0 ]
  [[ "$output" == *"symlink"* ]]
  # tmux must not have been touched: the recorder log has nothing for
  # this party.
  ! grep -q "kill-server" "$TMUX_LOG"
  # Symlink and victim contents both intact — we did not chase the
  # symlink to delete the attacker's tree.
  [ -L "$party_dir" ]
  [ -d "$victim" ]
  [ -f "$victim/roster" ]
}

@test "host warns when PARTY_SOCKET_DIR is not group/world readable" {
  # The sandbox parent is mode 0700 — trustworthy but undiscoverable to
  # invitees. cmd_host should accept it (validator is happy) but emit
  # a warning so the host notices before sending invites.
  run "$PARTY_BIN" host noreach
  [ "$status" -eq 0 ]
  [[ "$output" == *"not readable"* ]]
  [[ "$output" == *"discover"* ]]
  "$PARTY_BIN" close noreach
}

@test "resolve_authoritative_party skips symlinked party dirs but roster_list does not" {
  load_party_lib
  ensure_party_dir "$USER" real
  rec_real="$PARTY_SOCKET_DIR/party-$USER:real.d/roster"
  cat >"$rec_real" <<EOF
HOST_USER=$USER
PARTY_NAME=real
SOCKET=$PARTY_SOCKET_DIR/party-$USER:real.d/sock
SERVER_PID=$$
GROUP=${TMUX_PARTY_GROUP:-party}
CREATED=2026-04-29T00:00:00Z
EOF
  chmod 0640 "$rec_real"

  # Forge a symlink-shaped fake dir pointing at attacker-controlled content.
  victim="$BATS_TEST_TMPDIR/victim"
  mkdir -p "$victim"
  cat >"$victim/roster" <<EOF
HOST_USER=$USER
PARTY_NAME=fake
SOCKET=/tmp/attacker.sock
SERVER_PID=$$
GROUP=${TMUX_PARTY_GROUP:-party}
CREATED=2026-04-29T00:00:00Z
EOF
  ln -s "$victim" "$PARTY_SOCKET_DIR/party-$USER:fake.d"

  # roster_list is the cross-user discovery primitive; it must surface
  # both entries so guests can find host-foreign parties.
  out=$(roster_list)
  [[ "$out" == *"party-$USER:real.d/roster"* ]]
  [[ "$out" == *"party-$USER:fake.d/roster"* ]]

  # resolve_authoritative_party is the host-only walker; without its
  # symlink gate, two candidates would match HOST_USER=$USER and the
  # forged one could redirect host-only commands. With the gate, only
  # the real entry resolves.
  resolve_authoritative_party ""
  [ "$RR_PARTY_NAME" = "real" ]
}

@test "no-arg cmd_close ignores forged symlinked party dirs" {
  # Set up one real party dir with a roster that looks host-owned.
  ensure_party_dir "$USER" real
  rec_real="$PARTY_SOCKET_DIR/party-$USER:real.d/roster"
  cat >"$rec_real" <<EOF
HOST_USER=$USER
PARTY_NAME=real
SOCKET=$PARTY_SOCKET_DIR/party-$USER:real.d/sock
SERVER_PID=$FAKE_SERVER_PID
GROUP=$TMUX_PARTY_GROUP
CREATED=2026-04-29T00:00:00Z
EOF
  chmod 0640 "$rec_real"
  # Create a placeholder socket so apply_party_perms_file in close doesn't
  # choke; close runs kill-server then rm -rf, so just a file is enough.
  : > "$PARTY_SOCKET_DIR/party-$USER:real.d/sock"

  # Forge a symlinked fake dir: attacker plants party-$USER:fake.d -> victim.
  victim="$BATS_TEST_TMPDIR/victim"
  mkdir -p "$victim"
  cat >"$victim/roster" <<EOF
HOST_USER=$USER
PARTY_NAME=fake
SOCKET=$victim/sock
SERVER_PID=$FAKE_SERVER_PID
GROUP=$TMUX_PARTY_GROUP
CREATED=2026-04-29T00:00:00Z
EOF
  ln -s "$victim" "$PARTY_SOCKET_DIR/party-$USER:fake.d"

  # no-arg close: should find exactly one candidate (real), close it, exit 0.
  # If the forged dir were not filtered, it would see two candidates and
  # exit 1 with "you host multiple parties".
  run "$PARTY_BIN" close
  [ "$status" -eq 0 ]
  [[ "$output" == *"real"* ]]

  # The real party dir must be gone.
  [ ! -d "$PARTY_SOCKET_DIR/party-$USER:real.d" ]

  # kill-server must not have been invoked against any path under victim.
  ! grep -q "$victim" "$TMUX_LOG"
}

@test "roster_read derives RR_SOCKET from dir; ignores file SOCKET= field" {
  load_party_lib

  ensure_party_dir "$USER" derived
  rec="$PARTY_SOCKET_DIR/party-$USER:derived.d/roster"
  cat >"$rec" <<EOF
HOST_USER=$USER
PARTY_NAME=derived
SOCKET=/tmp/decoy-sock-$$
SERVER_PID=$$
GROUP=${TMUX_PARTY_GROUP:-party}
CREATED=2026-04-29T00:00:00Z
EOF
  chmod 0640 "$rec"

  roster_read "$rec"
  # RR_SOCKET is the co-located sock, not the forged path in the file.
  [ "$RR_SOCKET" = "$PARTY_SOCKET_DIR/party-$USER:derived.d/sock" ]
}

@test "roster_read derives RR_HOST_USER and RR_PARTY_NAME from basename; ignores file fields" {
  load_party_lib

  ensure_party_dir "$USER" bona-fide
  rec="$PARTY_SOCKET_DIR/party-$USER:bona-fide.d/roster"
  # File claims wrong HOST_USER and PARTY_NAME; basename is authoritative.
  cat >"$rec" <<EOF
HOST_USER=lies
PARTY_NAME=alsolies
SOCKET=/wrong/sock
SERVER_PID=$$
GROUP=${TMUX_PARTY_GROUP:-party}
CREATED=2026-04-29T00:00:00Z
EOF
  chmod 0640 "$rec"

  roster_read "$rec"
  [ "$RR_HOST_USER"  = "$USER" ]
  [ "$RR_PARTY_NAME" = "bona-fide" ]
}

@test "roster_read rejects roster whose sock is a symlink" {
  load_party_lib

  ensure_party_dir "$USER" symtrap
  d="$PARTY_SOCKET_DIR/party-$USER:symtrap.d"
  rm -f "$d/sock"

  victim="$BATS_TEST_TMPDIR/victim_sock"
  : > "$victim"
  ln -s "$victim" "$d/sock"

  rec="$d/roster"
  cat >"$rec" <<EOF
HOST_USER=$USER
PARTY_NAME=symtrap
SOCKET=$d/sock
SERVER_PID=$$
GROUP=${TMUX_PARTY_GROUP:-party}
CREATED=2026-04-29T00:00:00Z
EOF
  chmod 0640 "$rec"

  ! roster_read "$rec"
}

@test "roster_read rejects dir whose owner does not match basename HOST_USER" {
  [ "$USER" = "root" ] && skip "running as root: -user root would trivially match"
  load_party_lib

  # Basename claims the dir is hosted by 'root', but mkdir runs as us.
  fake="$PARTY_SOCKET_DIR/party-root:foo.d"
  mkdir -p "$fake"
  chmod 0750 "$fake"
  : > "$fake/sock"

  rec="$fake/roster"
  cat >"$rec" <<EOF
HOST_USER=root
PARTY_NAME=foo
SOCKET=$fake/sock
SERVER_PID=$$
GROUP=${TMUX_PARTY_GROUP:-party}
CREATED=2026-04-29T00:00:00Z
EOF
  chmod 0640 "$rec"

  # Owner of $fake is $USER, but basename says root → reject.
  ! roster_read "$rec"
}

@test "cmd_leave ignores forged roster pointing at a different socket" {
  # Set up a legitimate party that the "victim" (us) is joined to.
  # The stub answers has-session with success so _disconnect_user fires.
  legit_dir="$PARTY_SOCKET_DIR/party-$USER:legit.d"
  mkdir -p "$legit_dir" && chmod 0750 "$legit_dir"
  : > "$legit_dir/sock"
  cat >"$legit_dir/roster" <<EOF
HOST_USER=$USER
PARTY_NAME=legit
SOCKET=$legit_dir/sock
SERVER_PID=$FAKE_SERVER_PID
GROUP=$TMUX_PARTY_GROUP
CREATED=2026-04-29T00:00:00Z
EOF
  chmod 0640 "$legit_dir/roster"

  # Mallory plants a forged party dir whose roster points at a victim socket.
  victim_sock="$BATS_TEST_TMPDIR/victim-sock"
  trap_dir="$PARTY_SOCKET_DIR/party-mallory:trap.d"
  mkdir -p "$trap_dir" && chmod 0750 "$trap_dir"
  cat >"$trap_dir/roster" <<EOF
HOST_USER=mallory
PARTY_NAME=trap
SOCKET=$victim_sock
SERVER_PID=$FAKE_SERVER_PID
GROUP=$TMUX_PARTY_GROUP
CREATED=2026-04-29T00:00:00Z
EOF
  chmod 0640 "$trap_dir/roster"

  # Wire up the stub: has-session returns 0 for the legit party so
  # cmd_leave considers us attached there; list-clients returns our USER.
  cat > "$PARTY_TMP/tmux-stub" <<STUB
#!/bin/sh
printf '%s\n' "\$*" >> "\$TMUX_LOG"
sock=
prev=
for a in "\$@"; do
  if [ "\$prev" = "-S" ]; then sock="\$a"; fi
  prev="\$a"
done
case "\$*" in
  *"new-session -d "*)
    [ -n "\$sock" ] && : > "\$sock"
    ;;
  *"display-message -p "*)
    echo "\$FAKE_SERVER_PID"
    ;;
  *"has-session"*)
    exit 0
    ;;
  *"list-clients"*)
    printf '#{client_user}\n' | sed "s/.*/$USER/"
    ;;
esac
exit 0
STUB
  chmod +x "$PARTY_TMP/tmux-stub"

  run "$PARTY_BIN" leave

  # cmd_leave must not have contacted the victim socket.
  ! grep -qF "$victim_sock" "$TMUX_LOG"

  # It must have operated on the legit party socket instead.
  grep -q "$legit_dir/sock" "$TMUX_LOG"
}

@test "host rolls back on partial setup failure (no orphan dir or server)" {
  # Without rollback, a failure between new-session and roster_write
  # leaves a live tmux server with no record. The trap inside cmd_host
  # must kill-server and rm -rf the per-party dir before exiting.
  party_dir="$PARTY_SOCKET_DIR/party-$USER:rollback.d"

  FAIL_ON_SETHOOK=1 run "$PARTY_BIN" host rollback
  [ "$status" -ne 0 ]

  # Trap fired: kill-server invoked against the derived socket.
  grep -q "$party_dir/sock kill-server" "$TMUX_LOG"

  # Per-party dir is gone — no leftover roster, no leftover sock.
  [ ! -e "$party_dir" ]
}

@test "host refuses leftover per-party dir without a roster" {
  # Simulate a prior incarnation that left a per-party dir behind with
  # no roster (the rollback trap couldn't fire — SIGKILL or panic).
  # cmd_host's mkdir-as-lock acquisition will fail with EEXIST. We
  # deliberately do NOT auto-clean: the same code path triggers on a
  # concurrent in-flight host attempt for the same name, and racing
  # rm -rf calls would wipe each other's fresh dirs.
  # Recovery is a manual `rm -rf` per the error message.
  party_dir="$PARTY_SOCKET_DIR/party-$USER:resurrect.d"
  mkdir -p "$party_dir"
  : > "$party_dir/sock"

  run "$PARTY_BIN" host resurrect
  [ "$status" -ne 0 ]
  [[ "$output" == *"already exists"* ]]
  [[ "$output" == *"rm -rf $party_dir"* ]]

  # The leftover dir is untouched — proves we did not race-clean.
  [ -d "$party_dir" ]
  [ -e "$party_dir/sock" ]

  # And we never spoke to tmux at all on the refusal path.
  ! grep -q "kill-server" "$TMUX_LOG"
  ! grep -q "new-session" "$TMUX_LOG"
}

@test "roster_read rejects per-party dir with other-readable mode bits" {
  # cmd_host writes the per-party dir as 0750 (no other-bits). A non-member
  # outside TMUX_PARTY_GROUP cannot traverse such a dir. Anything appearing
  # in roster_list with o+r/o+w/o+x is a spoof attempt: a local user planted
  # a world-readable party-attacker:foo.d under a sticky parent (e.g. /tmp)
  # to inject a fake party into someone else's `party list`. roster_read
  # must reject before tmux is contacted.
  load_party_lib
  ensure_party_dir "$USER" worldread
  d="$PARTY_SOCKET_DIR/party-$USER:worldread.d"
  chmod 0755 "$d"
  rec="$d/roster"
  cat >"$rec" <<EOF
HOST_USER=$USER
PARTY_NAME=worldread
SOCKET=$d/sock
SERVER_PID=$$
GROUP=${TMUX_PARTY_GROUP:-party}
CREATED=2026-04-29T00:00:00Z
EOF
  chmod 0640 "$rec"
  ! roster_read "$rec"
}

@test "roster_read rejects basename whose party name fails validate_party_name" {
  # The basename glob (party-*:*.d) is permissive — names like '.' (basename
  # party-USER:..d) match it. cmd_host's validate_party_name rejects '.' as
  # a reserved name; roster_read runs the same check on read so a forged
  # dir whose basename derives an illegal name can't pass.
  load_party_lib
  d="$PARTY_SOCKET_DIR/party-$USER:..d"
  mkdir -p "$d"
  chmod 0750 "$d"
  : > "$d/sock"
  rec="$d/roster"
  cat >"$rec" <<EOF
HOST_USER=$USER
PARTY_NAME=.
SOCKET=$d/sock
SERVER_PID=$$
GROUP=${TMUX_PARTY_GROUP:-party}
CREATED=2026-04-29T00:00:00Z
EOF
  chmod 0640 "$rec"
  ! roster_read "$rec"
}

@test "cmd_list skips parties whose tmux list-clients fails" {
  # SERVER_PID liveness alone doesn't prove a party is real — init's PID 1
  # always passes, and a non-tmux daemon (or `nc -lU`) can hold a real
  # AF_UNIX socket. cmd_list must run list-clients and treat non-zero as
  # "not a real party," skipping the entry rather than reporting it with
  # 0 attendees.
  legit_dir="$PARTY_SOCKET_DIR/party-$USER:legit.d"
  mkdir -p "$legit_dir" && chmod 0750 "$legit_dir"
  : > "$legit_dir/sock"
  cat >"$legit_dir/roster" <<EOF
HOST_USER=$USER
PARTY_NAME=legit
SOCKET=$legit_dir/sock
SERVER_PID=$FAKE_SERVER_PID
GROUP=$TMUX_PARTY_GROUP
CREATED=2026-04-29T00:00:00Z
EOF
  chmod 0640 "$legit_dir/roster"

  fake_dir="$PARTY_SOCKET_DIR/party-$USER:imposter.d"
  mkdir -p "$fake_dir" && chmod 0750 "$fake_dir"
  : > "$fake_dir/sock"
  cat >"$fake_dir/roster" <<EOF
HOST_USER=$USER
PARTY_NAME=imposter
SOCKET=$fake_dir/sock
SERVER_PID=$FAKE_SERVER_PID
GROUP=$TMUX_PARTY_GROUP
CREATED=2026-04-29T00:00:00Z
EOF
  chmod 0640 "$fake_dir/roster"

  # Stub: list-clients exits 1 against the imposter sock, 0 (empty list)
  # against the legit one. Anything else is a no-op so the rest of cmd_list
  # behaves normally.
  cat > "$PARTY_TMUX" <<STUB
#!/bin/sh
printf '%s\n' "\$*" >> "\$TMUX_LOG"
case "\$*" in
  *list-clients*)
    case "\$*" in
      *party-$USER:imposter.d*) exit 1 ;;
    esac
    ;;
esac
exit 0
STUB
  chmod +x "$PARTY_TMUX"

  run "$PARTY_BIN" list
  [ "$status" -eq 0 ]
  [[ "$output" == *"legit"* ]]
  [[ "$output" != *"imposter"* ]]
}

@test "invite warns when invitee is not in the party's group" {
  # Need a real OS user that's not in TMUX_PARTY_GROUP. 'nobody' exists
  # on Linux, FreeBSD, OpenBSD, macOS, and illumos; on the matrix it
  # is never a member of the host's primary group.
  id -u nobody >/dev/null 2>&1 || skip "no 'nobody' user on this host"
  if id -nG nobody 2>/dev/null | tr ' ' '\n' | grep -qx "$TMUX_PARTY_GROUP"; then
    skip "nobody is unexpectedly a member of $TMUX_PARTY_GROUP on this host"
  fi

  "$PARTY_BIN" host inv >/dev/null

  run "$PARTY_BIN" invite nobody --party inv
  [ "$status" -eq 0 ]
  # Warning surfaces with the right group name and remediation.
  [[ "$output" == *"not in group '$TMUX_PARTY_GROUP'"* ]]
  [[ "$output" == *"usermod -aG $TMUX_PARTY_GROUP nobody"* ]]
  # Warn-and-proceed: the auth-list mutation still happened, so a later
  # group grant doesn't require a re-invite.
  [[ "$output" == *"Invited nobody"* ]]
  grep -q "server-access -aw nobody" "$TMUX_LOG"
}

@test "find_party_by_name skips parties whose tmux list-clients fails" {
  # Parity with test 76 ('cmd_list skips parties...'), but for the join
  # resolver. A roster can have a live SERVER_PID (PID reuse, init's pid 1)
  # and an [ -S ]-passing socket (planted via `nc -lU`) yet not be a real
  # tmux server. is_party_alive must probe list-clients on every resolver,
  # not just cmd_list — otherwise `party join
  # imposter` would resolve to the imposter and try to attach.
  legit_dir="$PARTY_SOCKET_DIR/party-$USER:legit2.d"
  mkdir -p "$legit_dir" && chmod 0750 "$legit_dir"
  : > "$legit_dir/sock"
  cat >"$legit_dir/roster" <<EOF
HOST_USER=$USER
PARTY_NAME=legit2
SOCKET=$legit_dir/sock
SERVER_PID=$FAKE_SERVER_PID
GROUP=$TMUX_PARTY_GROUP
CREATED=2026-04-30T00:00:00Z
EOF
  chmod 0640 "$legit_dir/roster"

  fake_dir="$PARTY_SOCKET_DIR/party-$USER:imposter2.d"
  mkdir -p "$fake_dir" && chmod 0750 "$fake_dir"
  : > "$fake_dir/sock"
  cat >"$fake_dir/roster" <<EOF
HOST_USER=$USER
PARTY_NAME=imposter2
SOCKET=$fake_dir/sock
SERVER_PID=$FAKE_SERVER_PID
GROUP=$TMUX_PARTY_GROUP
CREATED=2026-04-30T00:00:00Z
EOF
  chmod 0640 "$fake_dir/roster"

  cat > "$PARTY_TMUX" <<STUB
#!/bin/sh
printf '%s\n' "\$*" >> "\$TMUX_LOG"
case "\$*" in
  *list-clients*)
    case "\$*" in
      *party-$USER:imposter2.d*) exit 1 ;;
    esac
    ;;
esac
exit 0
STUB
  chmod +x "$PARTY_TMUX"

  # cmd_join refuses to attach when already inside tmux; force-clear so
  # the resolver runs to completion without the early bail.
  unset TMUX

  run "$PARTY_BIN" join imposter2
  [ "$status" -ne 0 ]
  [[ "$output" == *"not found"* ]]
}

@test "host refuses to start when tmux lacks server-access (auth gate missing)" {
  # cmd_host MUST require server-access at runtime, not just in the
  # README. tmux < 3.3 doesn't support the command, and silently
  # swallowing its failure (the prior behavior) would degrade the auth
  # gate to nothing — group members with FS access could attach without
  # being invited.
  cat > "$PARTY_TMUX" <<'STUB'
#!/bin/sh
printf '%s\n' "$*" >> "$TMUX_LOG"
sock=
prev=
for a in "$@"; do
  if [ "$prev" = "-S" ]; then sock="$a"; fi
  prev="$a"
done
case "$*" in
  *"new-session -d "*)
    [ -n "$sock" ] && : > "$sock"
    ;;
  *"display-message -p "*)
    echo "$FAKE_SERVER_PID"
    ;;
  *"server-access "*)
    # Simulate tmux < 3.3 — command unknown.
    echo "unknown command: server-access" >&2
    exit 1
    ;;
esac
exit 0
STUB
  chmod +x "$PARTY_TMUX"

  run "$PARTY_BIN" host noauth
  [ "$status" -ne 0 ]
  [[ "$output" == *"server-access"* ]]
  [[ "$output" == *"3.3"* ]]

  # Rollback: trap fired, party dir is gone, no roster.
  party_dir="$PARTY_SOCKET_DIR/party-$USER:noauth.d"
  [ ! -d "$party_dir" ]

  # And we never widened the socket: chmod g+rw runs only after the
  # capability probe passes. apply_party_perms_file lives on the file
  # itself, so confirm the cmd stream stopped before that path.
  ! grep -q "server-access -aw $USER" "$TMUX_LOG" || \
    fail "should not have attempted -aw before capability check"
}