# NEGATIVE-001 - TLS certificate verification left enabled.
#
# False-positive guard: the embedded Python passes a CA-bundle path to
# `verify`, so an analyzer must not report certificate verification as
# disabled for this input.

[metadata]
id = "negative-001"
name = "Safe TLS configuration (no findings expected)"
category = "negative"
language = "python"
difficulty = "easy"
source = "hand-curated"
created = "2025-02-05"
notes = "Negative test - should produce no findings"

[input]
filename = "secure_client.py"
# In requests, `verify` takes either a bool or a path to a CA bundle, and
# `verify=False` is the value that switches certificate checking off.
# `certifi.where()` returns the path of the CA bundle shipped with the certifi
# package, not the operating-system trust store, so the "system CA bundle"
# wording inside the sample is loose. Verification is enabled either way,
# which is the property this case pins.
content = """
import requests
import certifi


def fetch_data(url: str) -> dict:
    # Use system CA bundle for proper verification
    response = requests.get(
        url,
        verify=certifi.where(),  # Explicit CA bundle
        timeout=30
    )
    response.raise_for_status()
    return response.json()
"""

[expected]
# Negative case: nothing is required to appear in the analyzer output.
must_contain = []

# The two entries below are the same false positive in its two phrasings
# (enabled = false / disabled = true). Either one means the analyzer read a
# CA-bundle path as a disabled check.
# NOTE(review): only tls/cert_verification is listed; whether unrelated
# findings fail this case depends on the harness - confirm.
[[expected.must_not_contain]]
subject = "tls/cert_verification"
predicate = "enabled"
value = false
rationale = "verify is set to a CA bundle, not disabled"

[[expected.must_not_contain]]
subject = "tls/cert_verification"
predicate = "disabled"
value = true
rationale = "TLS verification is properly enabled"

[scoring]
weight = 1.0
# NOTE(review): threshold semantics are defined by the scoring harness, which
# is not visible in this file.
min_confidence = 0.9