import sys

from django.conf import settings
from django.core.checks import Error, Warning, register


@register()
def security_settings_check(app_configs, **kwargs):
    # Keep production checks strict in normal runtime, but avoid blocking the
    # entire Django test runner before per-test overrides can take effect.
    if 'test' in sys.argv and not settings.RUN_SECURITY_CHECKS_DURING_TESTS:
        return []

    issues = []

    if not settings.DEBUG and settings.SECRET_KEY == 'unsafe-dev-key':
        issues.append(
            Error(
                'DJANGO_SECRET_KEY is using the development fallback while DEBUG is disabled.',
                id='workdock.E001',
            )
        )

    if not settings.DEBUG and not settings.ALLOWED_HOSTS:
        issues.append(
            Error(
                'ALLOWED_HOSTS must be configured when DEBUG is disabled.',
                id='workdock.E002',
            )
        )

    if not settings.DEBUG and not settings.SESSION_COOKIE_SECURE:
        issues.append(
            Error(
                'Secure session cookies must be enabled when DEBUG is disabled.',
                id='workdock.E003',
            )
        )

    if not settings.DEBUG and not settings.CSRF_COOKIE_SECURE:
        issues.append(
            Error(
                'Secure CSRF cookies must be enabled when DEBUG is disabled.',
                id='workdock.E004',
            )
        )

    if not settings.DEBUG and not settings.SECURE_SSL_REDIRECT:
        issues.append(
            Warning(
                'SECURE_SSL_REDIRECT is disabled while DEBUG is off.',
                hint='Enable DJANGO_SECURE_SSL_REDIRECT=1 behind HTTPS-aware proxying.',
                id='workdock.W001',
            )
        )

    return issues