import type { IRouteConfig } from '@push.rocks/smartproxy';
import type { IDcRouterRouteConfig } from './remoteingress.js';

// Derive IRouteSecurity from IRouteConfig since it's not directly exported
export type IRouteSecurity = NonNullable<IRouteConfig['security']>;

// ============================================================================
// Route Management Data Types
// ============================================================================

export type TApiTokenScope =
  | 'routes:read' | 'routes:write'
  | 'config:read'
  | 'tokens:read' | 'tokens:manage'
  | 'source-profiles:read' | 'source-profiles:write'
  | 'target-profiles:read' | 'target-profiles:write'
  | 'targets:read' | 'targets:write'
  | 'dns-providers:read' | 'dns-providers:write'
  | 'domains:read' | 'domains:write'
  | 'dns-records:read' | 'dns-records:write'
  | 'acme-config:read' | 'acme-config:write';

// ============================================================================
// Source Profile Types (source-side: who can access)
// ============================================================================

/**
 * A reusable, named source profile that can be referenced by routes.
 * Stores the full IRouteSecurity shape from SmartProxy.
 *
 * SourceProfile = source-side (who can access: ipAllowList, rateLimit, auth)
 * TargetProfile = target-side (what can be accessed: domains, IP:port targets, route refs)
 */
export interface ISourceProfile {
  id: string;
  name: string;
  description?: string;
  /** The security configuration — mirrors SmartProxy's IRouteSecurity. */
  security: IRouteSecurity;
  /** IDs of profiles this one extends (resolved top-down, later overrides earlier). */
  extendsProfiles?: string[];
  createdAt: number;
  updatedAt: number;
  createdBy: string;
}

// ============================================================================
// Network Target Types
// ============================================================================

/**
 * A reusable, named network target (host + port) that can be referenced by routes.
 */
export interface INetworkTarget {
  id: string;
  name: string;
  description?: string;
  host: string | string[];
  port: number;
  createdAt: number;
  updatedAt: number;
  createdBy: string;
}

// ============================================================================
// Route Metadata Types
// ============================================================================

/**
 * Metadata on a stored route tracking where its resolved values came from.
 */
export interface IRouteMetadata {
  /** ID of the SourceProfileDoc used to resolve this route's security. */
  sourceProfileRef?: string;
  /** ID of the NetworkTargetDoc used to resolve this route's targets. */
  networkTargetRef?: string;
  /** Snapshot of the profile name at resolution time, for display. */
  sourceProfileName?: string;
  /** Snapshot of the target name at resolution time, for display. */
  networkTargetName?: string;
  /** Timestamp of last reference resolution. */
  lastResolvedAt?: number;
}

/**
 * A route entry returned by the route management API.
 */
export interface IMergedRoute {
  route: IDcRouterRouteConfig;
  id: string;
  enabled: boolean;
  origin: 'config' | 'email' | 'dns' | 'api';
  createdAt?: number;
  updatedAt?: number;
  metadata?: IRouteMetadata;
}

/**
 * A warning generated during route startup/apply.
 */
export interface IRouteWarning {
  type: 'disabled-route';
  routeName: string;
  message: string;
}

/**
 * Public info about an API token (never includes the hash).
 */
export interface IApiTokenInfo {
  id: string;
  name: string;
  scopes: TApiTokenScope[];
  createdAt: number;
  expiresAt: number | null;
  lastUsedAt: number | null;
  enabled: boolean;
}

// ============================================================================
// Storage Schemas (persisted via StorageManager)
// ============================================================================

/**
 * A route persisted in the database.
 */
export interface IRoute {
  id: string;
  route: IDcRouterRouteConfig;
  enabled: boolean;
  createdAt: number;
  updatedAt: number;
  createdBy: string;
  origin: 'config' | 'email' | 'dns' | 'api';
  metadata?: IRouteMetadata;
}

/**
 * A stored API token, stored in /config-api/tokens/{id}.json
 */
export interface IStoredApiToken {
  id: string;
  name: string;
  tokenHash: string;
  scopes: TApiTokenScope[];
  createdAt: number;
  expiresAt: number | null;
  lastUsedAt: number | null;
  createdBy: string;
  enabled: boolean;
}