"""keycloak — pre-op seed hooks (Phase 1e HC3). The orchestrator runs these BEFORE the op; the
matching test_<op>.py asserts post-op (assertion-only). The data marker is a realm in mariadb,
written via the keycloak admin API (kc_admin)."""

import os
import sys

sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
import kc_admin  # noqa: E402
from harness import generic  # noqa: E402


def _token(domain):
    return kc_admin.admin_token(domain, kc_admin.admin_password(domain))


def pre_upgrade(domain, meta):
    # create the marker realm (DB data) before the upgrade so the overlay can prove it survives
    assert kc_admin.create_marker_realm(domain, _token(domain)) in (201, 409)


def pre_backup(domain, meta):
    # establish the marker realm before the backup op captures mariadb
    assert kc_admin.create_marker_realm(domain, _token(domain)) in (201, 409)


def pre_restore(domain, meta):
    # backup-bot-two cycles the keycloak container during backup → wait for serving, re-auth, then
    # delete the realm (diverge from the backup) so a successful restore is observable
    generic.assert_serving(domain, meta)
    tok = _token(domain)
    assert kc_admin.delete_marker_realm(domain, tok) in (204, 200)
    assert not kc_admin.marker_realm_exists(domain, tok), "delete did not take"