import { BadRequestException, Controller, Get, Query, Request } from '@nestjs/common';
import type { Request as ExpressRequest } from 'express';
import { PrismaService } from '@core/database/prisma/prisma.service';
import { RequirePermissions } from '@common/decorators/permissions.decorator';
import { resolveOrgId } from '../utils/auth-resolution.util';

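/**
 * GET /api/v1/agent/routing/decisions
 *
 * PRD §1.12.7 admin transparency — only admins may query routing decisions
 * (which include reasoning + cost). Regular users must not be able to
 * enumerate their org's decision records (security review feedback, 2026-05-16).
 */
@Controller('agent/routing')
export class AgentRoutingController {
  /** Page size used when the caller supplies no `limit`. */
  private static readonly DEFAULT_LIMIT = 50;
  /** Hard upper bound on rows returned by a single request. */
  private static readonly MAX_LIMIT = 200;

  constructor(private readonly prisma: PrismaService) {}

  /**
   * Lists routing decisions for the caller's organization, newest first.
   *
   * Access is gated by the `system:admin` permission, and the query is always
   * scoped to the organization resolved from the request.
   *
   * @param query Raw query-string values. The declared type is not enforced at
   *   runtime, so both fields are treated as untrusted and validated here.
   * @param req The incoming request, used to resolve the organization id.
   * @returns `{ items }` holding at most `MAX_LIMIT` decision records.
   * @throws BadRequestException when no organization can be resolved, or when
   *   `sessionId` / `limit` are malformed.
   */
  @Get('decisions')
  @RequirePermissions('system:admin')
  async listDecisions(
    @Query() query: { sessionId?: string; limit?: string },
    @Request() req: ExpressRequest,
  ) {
    const orgId = resolveOrgId(req);
    if (!orgId) throw new BadRequestException('organizationId required');

    // The inline parameter type is erased at compile time. Depending on the
    // query-parser configuration, a repeated or bracketed key can arrive as an
    // array or a nested object; a nested object placed into `where` would be
    // read by Prisma as a filter operator rather than an equality match.
    const rawSessionId: unknown = query.sessionId;
    if (rawSessionId !== undefined && typeof rawSessionId !== 'string') {
      throw new BadRequestException('sessionId must be a string');
    }

    const rawLimit: unknown = query.limit;
    let take = AgentRoutingController.DEFAULT_LIMIT;
    if (rawLimit !== undefined && rawLimit !== '') {
      // Accept plain non-negative integers only. Math.min() alone caps the
      // upper end but lets NaN and negative values through, and Prisma reads a
      // negative `take` as "take from the end of the list", which would
      // sidestep the MAX_LIMIT cap.
      if (typeof rawLimit !== 'string' || !/^\d+$/.test(rawLimit)) {
        throw new BadRequestException('limit must be a non-negative integer');
      }
      take = Math.min(Number(rawLimit), AgentRoutingController.MAX_LIMIT);
    }

    const items = await this.prisma.modelRoutingDecision.findMany({
      where: {
        // Always pin the tenant; sessionId only narrows within the org.
        organizationId: orgId,
        ...(rawSessionId ? { sessionId: rawSessionId } : {}),
      },
      orderBy: { createdAt: 'desc' },
      take,
    });
    return { items };
  }
}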
