package server

import (
	"github.com/go-chi/chi/v5"

	"git.wntrmute.dev/kyle/mcr/internal/db"
)

// AdminDeps bundles the collaborators that the admin route handlers are
// constructed with.
type AdminDeps struct {
	// DB is handed to the repository, policy-rule and audit-listing handlers.
	DB *db.DB
	// Login is handed to the login handler only.
	Login LoginClient
	// Engine is handed to the policy-rule create, update and delete handlers.
	Engine PolicyReloader
	// AuditFn is handed to the repository delete handler and to the
	// policy-rule create, update and delete handlers.
	AuditFn AuditFunc
	// GCState is handed to the GC trigger and GC status handlers.
	GCState *GCState
}

// MountAdminRoutes registers the admin REST API on r.
//
// The routes fall into three access tiers:
//
//   - No bearer auth: GET /v1/health and POST /v1/auth/login. They are
//     registered directly on r, outside the /v1 group, which is the only
//     reason they are not covered by RequireAuth.
//   - RequireAuth(validator, serviceName) only: logout, repository list and
//     repository detail.
//   - RequireAuth followed by RequireAdmin: repository delete, everything
//     under /v1/policy/rules, the audit listing, and both GC endpoints.
//
// A route added on r instead of inside the /v1 group gets no auth middleware
// from this function, even if its path starts with /v1.
func MountAdminRoutes(r chi.Router, validator TokenValidator, serviceName string, deps AdminDeps) {
	store, audit := deps.DB, deps.AuditFn

	// Unauthenticated surface. Login authenticates with credentials rather
	// than a bearer token, so it cannot sit behind RequireAuth.
	// NOTE(review): no attempt throttling is visible at this layer; confirm
	// that AdminLoginHandler or a fronting component limits login attempts.
	r.Get("/v1/health", AdminHealthHandler())
	r.Post("/v1/auth/login", AdminLoginHandler(deps.Login))

	r.Route("/v1", func(api chi.Router) {
		// Installed before any route in the group, so every handler below
		// runs only after RequireAuth has run.
		api.Use(RequireAuth(validator, serviceName))

		// NOTE(review): the logout handler is built without AuditFn; confirm
		// whether session termination is recorded elsewhere.
		api.Post("/auth/logout", AdminLogoutHandler())

		// Repository reads are open to any caller that passes RequireAuth.
		// NOTE(review): whether per-repository policy is evaluated inside
		// these handlers is not visible here.
		api.Get("/repositories", AdminListReposHandler(store))
		api.Get("/repositories/*", AdminGetRepoHandler(store))

		// Repository deletion additionally passes through RequireAdmin.
		repoAdmin := api.With(RequireAdmin())
		repoAdmin.Delete("/repositories/*", AdminDeleteRepoHandler(store, audit))

		// Policy rules: RequireAdmin is applied to the whole subrouter, reads
		// included. The mutating handlers also receive the engine and the
		// audit function.
		api.Route("/policy/rules", func(rules chi.Router) {
			rules.Use(RequireAdmin())
			rules.Get("/", AdminListPolicyRulesHandler(store))
			rules.Post("/", AdminCreatePolicyRuleHandler(store, deps.Engine, audit))
			rules.Get("/{id}", AdminGetPolicyRuleHandler(store))
			rules.Patch("/{id}", AdminUpdatePolicyRuleHandler(store, deps.Engine, audit))
			rules.Delete("/{id}", AdminDeletePolicyRuleHandler(store, deps.Engine, audit))
		})

		// Audit log listing is admin-only.
		auditAdmin := api.With(RequireAdmin())
		auditAdmin.Get("/audit", AdminListAuditHandler(store))

		// Garbage collection is admin-only for both trigger and status.
		// NOTE(review): the trigger handler is built without AuditFn; confirm
		// whether GC runs are recorded elsewhere.
		gcTrigger := api.With(RequireAdmin())
		gcTrigger.Post("/gc", AdminTriggerGCHandler(deps.GCState))
		gcStatus := api.With(RequireAdmin())
		gcStatus.Get("/gc/status", AdminGCStatusHandler(deps.GCState))
	})
}