import {
  BadRequestException,
  Body,
  Controller,
  Delete,
  Get,
  Param,
  ParseUUIDPipe,
  Post,
  Put,
  Query,
  Req,
  UnauthorizedException,
  UseGuards,
} from '@nestjs/common';
import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
import { PermissionsGuard } from '../auth/guards/permissions.guard';
import { RequirePermissions } from '@common/decorators/permissions.decorator';
import { Auditable, Sensitive } from '@core/observability/audit/decorators/auditable.decorator';
import { AIToolsService } from './ai-tools.service';
import {
  BatchCreateRoleGrantsDto,
  CreateRoleGrantDto,
  CreateUserGrantDto,
  RoleGrantQueryDto,
  UserGrantQueryDto,
} from './dto';

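/**
 * AI tool grant management controller.
 *
 * Route prefix: /api/v1/ai-tools (same flat layout as the other sub-modules under organization).
 * Permissions: read -> ai_tool:read, write -> ai_tool:manage (organisation-level scope).
 *
 * JwtAuthGuard and PermissionsGuard are applied class-wide, so every handler below runs
 * only for an authenticated principal holding the required permission. The two PUT
 * handlers take inline-typed bodies rather than DTO classes, so they perform their own
 * shape checks before handing data to the service.
 *
 * Design document: openclaw repo docs/enterprise-plan/solution/governance/permissions-mvp-plan.md
 */
@Controller('ai-tools')
@UseGuards(JwtAuthGuard, PermissionsGuard)
export class AIToolsController {
  constructor(private readonly aiToolsService: AIToolsService) {}

  // ==================== Request-boundary helpers ====================

  /**
   * Return the authenticated principal's id, used to attribute writes in the audit trail.
   *
   * JwtAuthGuard is applied at class level, so a request that reaches a handler without a
   * principal id indicates a broken guard chain; refusing the write is preferable to
   * recording it against an unknown actor.
   *
   * @param req the framework request object; only `user.id` is read
   * @throws UnauthorizedException when `req.user.id` is absent or empty
   */
  private static actorId(req: { user?: { id?: string } }): string {
    const id = req.user?.id;
    if (id == null || id === '') {
      throw new UnauthorizedException('Authenticated principal is missing from the request');
    }
    return id;
  }

  /**
   * Validate an inline-typed body field as a list of strings.
   *
   * Inline object types on `@Body()` carry no class-validator metadata, so a global
   * ValidationPipe cannot check them; this is the only shape check those fields receive
   * before the value reaches the service.
   *
   * @param value raw field value; `null`/`undefined` map to `[]` (same as the former `?? []`)
   * @param field field name used in the error message
   * @throws BadRequestException when the value is present but not an array of strings
   */
  private static stringList(value: unknown, field: string): string[] {
    if (value == null) {
      return [];
    }
    if (!Array.isArray(value) || !value.every((item) => typeof item === 'string')) {
      throw new BadRequestException(`${field} must be an array of strings`);
    }
    return value;
  }

  /**
   * Parse an optional pagination query value.
   *
   * @param raw query-string value; a falsy value (absent or empty) yields `undefined` so the
   *            service default applies
   * @param field field name used in the error message
   * @throws BadRequestException when the value is present but not a non-negative integer
   */
  private static optionalNonNegativeInt(raw: string | undefined, field: string): number | undefined {
    if (!raw) {
      return undefined;
    }
    const parsed = parseInt(raw, 10);
    if (Number.isNaN(parsed) || parsed < 0) {
      throw new BadRequestException(`${field} must be a non-negative integer`);
    }
    return parsed;
  }

  // ==================== Role-level grants ====================

  /**
   * GET /api/v1/ai-tools/grants
   * List role-level grant rules; supports filtering by roleId.
   */
  @Get('grants')
  @RequirePermissions('ai_tool:read')
  async listRoleGrants(@Query() query: RoleGrantQueryDto) {
    return this.aiToolsService.listRoleGrants(query);
  }

  /**
   * POST /api/v1/ai-tools/grants
   * Create a single role-level grant, attributed to the calling principal.
   */
  @Post('grants')
  @Auditable()
  @RequirePermissions('ai_tool:manage')
  async createRoleGrant(
    @Body() dto: CreateRoleGrantDto,
    @Req() req: { user?: { id?: string } },
  ) {
    return this.aiToolsService.createRoleGrant(dto, AIToolsController.actorId(req));
  }

  /**
   * POST /api/v1/ai-tools/grants/batch
   * Create role-level grants in bulk (transactional, upsert semantics in the service).
   */
  @Post('grants/batch')
  @Auditable()
  @Sensitive()
  @RequirePermissions('ai_tool:manage')
  async batchCreateRoleGrants(
    @Body() dto: BatchCreateRoleGrantsDto,
    @Req() req: { user?: { id?: string } },
  ) {
    return this.aiToolsService.batchCreateRoleGrants(dto, AIToolsController.actorId(req));
  }

  /**
   * DELETE /api/v1/ai-tools/grants/:id
   * Remove one role-level grant by UUID.
   */
  @Delete('grants/:id')
  @Auditable()
  @Sensitive()
  @RequirePermissions('ai_tool:manage')
  async deleteRoleGrant(@Param('id', ParseUUIDPipe) id: string) {
    return this.aiToolsService.deleteRoleGrant(id);
  }

  // ==================== User-level grants ====================

  /**
   * GET /api/v1/ai-tools/user-grants
   * List user-level grant rules; supports filtering by userId.
   */
  @Get('user-grants')
  @RequirePermissions('ai_tool:read')
  async listUserGrants(@Query() query: UserGrantQueryDto) {
    return this.aiToolsService.listUserGrants(query);
  }

  /**
   * POST /api/v1/ai-tools/user-grants
   * Create a single user-level grant (the DTO requires a reason), attributed to the caller.
   */
  @Post('user-grants')
  @Auditable()
  @RequirePermissions('ai_tool:manage')
  async createUserGrant(
    @Body() dto: CreateUserGrantDto,
    @Req() req: { user?: { id?: string } },
  ) {
    return this.aiToolsService.createUserGrant(dto, AIToolsController.actorId(req));
  }

  /**
   * DELETE /api/v1/ai-tools/user-grants/:id
   * Remove one user-level grant by UUID.
   */
  @Delete('user-grants/:id')
  @Auditable()
  @Sensitive()
  @RequirePermissions('ai_tool:manage')
  async deleteUserGrant(@Param('id', ParseUUIDPipe) id: string) {
    return this.aiToolsService.deleteUserGrant(id);
  }

  // ==================== Queries ====================

  /**
   * GET /api/v1/ai-tools/available-tools
   * Return the catalogue of tools that can be granted (static configuration in the MVP).
   */
  @Get('available-tools')
  @RequirePermissions('ai_tool:read')
  getAvailableTools() {
    return this.aiToolsService.getAvailableTools();
  }

  /**
   * GET /api/v1/ai-tools/user-effective/:userId
   * The tools that are effective for a user, each with its origin (role or direct grant).
   */
  @Get('user-effective/:userId')
  @RequirePermissions('ai_tool:read')
  async getUserEffectiveTools(@Param('userId', ParseUUIDPipe) userId: string) {
    return this.aiToolsService.getUserEffectiveTools(userId);
  }

  /**
   * GET /api/v1/ai-tools/tool-subjects/:toolName
   * Reverse lookup: every user for whom the tool is effective, with the origin of each.
   *
   * NOTE(review): toolName is passed through without validation; presumably the service
   * treats it as an opaque lookup key against the static catalogue — confirm.
   */
  @Get('tool-subjects/:toolName')
  @RequirePermissions('ai_tool:read')
  async getToolSubjects(@Param('toolName') toolName: string) {
    return this.aiToolsService.getToolSubjects(toolName);
  }

  /**
   * POST /api/v1/ai-tools/sync
   * Informational endpoint: tells the administrator that grant changes are picked up and
   * applied by the OpenClaw sync script within 5 minutes. The Workspace backend does not
   * push; synchronisation is a pull run by a host crontab every 5 minutes.
   */
  @Post('sync')
  @Auditable()
  @RequirePermissions('ai_tool:manage')
  triggerSync() {
    return this.aiToolsService.triggerSync();
  }

  // ==================== Routes added in v2.3 ====================

  /**
   * GET /api/v1/ai-tools/grants/aggregated
   * Role-level grants aggregated per role (one record per role plus its tools[]).
   */
  @Get('grants/aggregated')
  @RequirePermissions('ai_tool:read')
  async listRoleGrantsAggregated(@Query('search') search?: string) {
    return this.aiToolsService.listRoleGrantsAggregated(search);
  }

  /**
   * PUT /api/v1/ai-tools/grants/role/:roleId
   * Transactionally replace a role's complete tool set.
   *
   * The body is inline-typed, so `tools` is shape-checked here; an absent field still
   * means "empty set", as before.
   */
  @Put('grants/role/:roleId')
  @Auditable()
  @Sensitive()
  @RequirePermissions('ai_tool:manage')
  async setRoleGrants(
    @Param('roleId', ParseUUIDPipe) roleId: string,
    @Body() body: { tools: string[] },
    @Req() req: { user?: { id?: string } },
  ) {
    const tools = AIToolsController.stringList(body.tools, 'tools');
    return this.aiToolsService.setRoleGrants(roleId, tools, AIToolsController.actorId(req));
  }

  /**
   * PUT /api/v1/ai-tools/user-grants/:userId
   * Set a user's adjustments relative to their role grants (tools added and removed).
   *
   * The body is inline-typed, so `added`/`removed` are shape-checked here and `reason`
   * is rejected when it is present but not a string (it ends up in the audit record).
   *
   * NOTE(review): this handler can revoke tools much like deleteUserGrant, yet it is not
   * marked @Sensitive() while setRoleGrants is — confirm the asymmetry is intended.
   */
  @Put('user-grants/:userId')
  @Auditable()
  @RequirePermissions('ai_tool:manage')
  async setUserGrants(
    @Param('userId', ParseUUIDPipe) userId: string,
    @Body() body: { added: string[]; removed: string[]; reason: string },
    @Req() req: { user?: { id?: string } },
  ) {
    const added = AIToolsController.stringList(body.added, 'added');
    const removed = AIToolsController.stringList(body.removed, 'removed');
    if (body.reason !== undefined && typeof body.reason !== 'string') {
      throw new BadRequestException('reason must be a string');
    }
    return this.aiToolsService.setUserGrants(
      userId,
      {
        added,
        removed,
        reason: body.reason,
      },
      AIToolsController.actorId(req),
    );
  }

  /**
   * GET /api/v1/ai-tools/user-grants-overview
   * Overview of user grants with multi-dimensional filters and pagination.
   *
   * Empty-string filters are normalised to `undefined`; `roleId` accepts a comma-separated
   * list; `hasExtra`/`hasRevoked` are true only for the literal string "true".
   */
  @Get('user-grants-overview')
  @RequirePermissions('ai_tool:read')
  async getUserGrantsOverview(
    @Query('orgId') orgId?: string,
    @Query('deptId') deptId?: string,
    @Query('roleId') roleId?: string,
    @Query('search') search?: string,
    @Query('hasExtra') hasExtra?: string,
    @Query('hasRevoked') hasRevoked?: string,
    @Query('page') page?: string,
    @Query('pageSize') pageSize?: string,
  ) {
    return this.aiToolsService.getUserGrantsOverview({
      orgId: orgId || undefined,
      deptId: deptId || undefined,
      roleIds: roleId ? roleId.split(',').filter(Boolean) : undefined,
      search: search || undefined,
      hasExtra: hasExtra === 'true',
      hasRevoked: hasRevoked === 'true',
      page: AIToolsController.optionalNonNegativeInt(page, 'page'),
      // NOTE(review): no upper bound is applied here; confirm the service clamps pageSize.
      pageSize: AIToolsController.optionalNonNegativeInt(pageSize, 'pageSize'),
    });
  }

  /**
   * GET /api/v1/ai-tools/user-effective-v2/:userId
   * v2.3 variant: all effective tools plus LOCKED_SET, sources and meta.
   */
  @Get('user-effective-v2/:userId')
  @RequirePermissions('ai_tool:read')
  async getUserEffectiveToolsV2(@Param('userId', ParseUUIDPipe) userId: string) {
    return this.aiToolsService.getUserEffectiveToolsV2(userId);
  }
}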
