DMARC-Sentinel/tests/test_llm.py

from app.config import Settings
from app.llm import LLMClient, normalize_alert_explanation
from app.models import Alert


def test_llm_json_validation_fallback():
    client = LLMClient(Settings.model_validate({"alerts": {"email": {"enabled": False}}}))
    alert = Alert(
        fingerprint="x",
        inbox_id="tukutoi",
        domain="tukutoi.com",
        severity="critical",
        type="unknown_source_failed_both",
        title="Unknown source failed SPF and DKIM for tukutoi.com",
        summary="Deterministic summary",
        details_json="{}",
    )

    explanation = client.explain_alert(alert)

    assert explanation.confidence == "fallback"
    assert "DMARC aggregate data alone" in explanation.risk


def test_alert_explanation_accepts_explanation_action_items_shape():
    alert = Alert(
        fingerprint="x",
        inbox_id="tukutoi",
        domain="tukutoi.com",
        severity="warning",
        type="new_authenticated_source",
        title="New authenticated source observed for tukutoi.com",
        summary="Deterministic summary",
        details_json="{}",
    )

    explanation = normalize_alert_explanation(
        {
            "explanation": "A new authenticated source was observed for tukutoi.com.",
            "action_items": ["Confirm whether this source is authorized.", "Add it to known senders if approved."],
            "confidence": "high",
        },
        alert,
    )

    assert explanation.summary == "A new authenticated source was observed for tukutoi.com."
    assert "aggregate data alone" in explanation.risk
    assert "Confirm whether this source is authorized" in explanation.recommended_action
    assert explanation.confidence == "high"