import { Body, Controller, Delete, Get, Param, Post, Request } from '@nestjs/common';
import type { Request as ExpressRequest } from 'express';
import { RequirePermissions } from '@common/decorators/permissions.decorator';
import { McpManagerService } from '../services/mcp-manager.service';
import { resolveActor } from '../utils/auth-resolution.util';

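/**
 * Admin API for managing MCP servers.
 *
 *   GET    /api/v1/agent/admin/mcp/servers          list
 *   POST   /api/v1/agent/admin/mcp/servers          create + spawn
 *   DELETE /api/v1/agent/admin/mcp/servers/:id      remove + close conn
 *   GET    /api/v1/agent/admin/mcp/status           live connection health
 *
 * Permission: system:admin (consistent with admin-rules / trajectory).
 * The MCP server endpoint directly spawns a child process, so it must be
 * restricted to admins. Otherwise, once FFAI_MCP_ENABLED=true, any user could
 * register an arbitrary stdio command, which is an RCE surface on the backend.
 *
 * NOTE(review): every route relies on @RequirePermissions('system:admin');
 * presumably a guard registered elsewhere enforces it. Confirm that guard is
 * active for this controller, since nothing in this file enforces it.
 */
@Controller('agent/admin/mcp')
export class McpAdminController {
  constructor(private readonly mcp: McpManagerService) {}

  /**
   * Lists the MCP servers of the caller's organization.
   *
   * @param req - incoming request; the organization id is resolved from it.
   * @returns the service's list result wrapped as `{ items }`.
   */
  @Get('servers')
  @RequirePermissions('system:admin')
  async list(@Request() req: ExpressRequest) {
    const { orgId } = resolveActor(req);
    const items = await this.mcp.list(orgId);
    return { items };
  }

  /**
   * Registers a new MCP server for the caller's organization.
   *
   * @param body - client-supplied server definition (name, transport,
   *   endpoint, optional args and env).
   * @param req - incoming request; organization and user ids are resolved
   *   from it, never from the body.
   * @returns whatever `McpManagerService.create` returns.
   */
  @Post('servers')
  @RequirePermissions('system:admin')
  async create(
    @Body() body: {
      name: string;
      transport: 'stdio' | 'sse';
      endpoint: string;
      args?: string[];
      env?: Record<string, string>;
    },
    @Request() req: ExpressRequest,
  ) {
    const { orgId, userId } = resolveActor(req);
    // The body is untrusted and its TypeScript shape is erased at runtime.
    // Copy only the declared fields instead of spreading the whole body: a
    // trailing `...body` would let a request override organizationId or
    // createdById, or pass extra properties through to the service.
    const { name, transport, endpoint, args, env } = body;
    // NOTE(review): no runtime validation of these values is visible here.
    // Since the service spawns a process from them, confirm that transport,
    // endpoint, args and env are shape-checked (e.g. a DTO with
    // ValidationPipe) before anything is executed.
    return this.mcp.create({
      name,
      transport,
      endpoint,
      args,
      env,
      organizationId: orgId,
      createdById: userId,
    });
  }

  /**
   * Removes an MCP server, scoped to the caller's organization.
   *
   * @param id - server id taken from the route.
   * @param req - incoming request; the organization id is resolved from it.
   * @returns whatever `McpManagerService.remove` returns.
   */
  @Delete('servers/:id')
  @RequirePermissions('system:admin')
  async remove(@Param('id') id: string, @Request() req: ExpressRequest) {
    const { orgId } = resolveActor(req);
    return this.mcp.remove(id, orgId);
  }

  /**
   * Reports live connection status as `{ connections }`.
   *
   * NOTE(review): connectionStatus() is called without an organization id.
   * If it covers every organization's connections, this response is not
   * tenant-scoped like the other routes. Confirm against the service.
   */
  @Get('status')
  @RequirePermissions('system:admin')
  status() {
    return { connections: this.mcp.connectionStatus() };
  }
}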
