import {
  Body,
  Controller,
  Get,
  Param,
  ParseUUIDPipe,
  Post,
  Query,
} from '@nestjs/common';
import { IsOptional, IsString, MaxLength } from 'class-validator';
import { AccessReviewService } from '@common/services/access-review.service';
import { RequirePermissions } from '@common/decorators/permissions.decorator';
import { CurrentUser } from '@common/decorators/current-user.decorator';
import { Auditable, Sensitive } from '@core/observability/audit/decorators/auditable.decorator';

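/**
 * Optional free-text justification attached to an approve / revoke decision.
 *
 * The class-validator rules below only take effect when a `ValidationPipe`
 * is applied to these routes or registered globally; that registration is
 * not visible in this file — confirm it in the application bootstrap.
 */
class ReviewCommentDto {
  @IsOptional()
  @IsString()
  // Bound the comment so an arbitrarily large string cannot be pushed through
  // the audited endpoints into the audit trail / persistence layer.
  // 2000 is a constructed default — align it with the storage limit actually
  // used for review comments.
  @MaxLength(2000)
  comment?: string;
}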

/**
 * Access Review REST API (rules §5.3.15)
 *
 * Authorization policy:
 * - list / retain (approve) / revoke: access_review:manage or system:admin
 */
@Controller('iam/access-review')
export class AccessReviewController {
  constructor(private readonly service: AccessReviewService) {}

  /**
   * Converts the optional `days` query string into the number handed to the
   * service.
   *
   * Parsing is deliberately lenient: a missing or empty value, or anything
   * `parseInt` cannot turn into a finite number, yields `undefined` so the
   * service falls back to its own default. Note that `parseInt` accepts the
   * leading digits of a mixed string ("7abc" -> 7) as well as negative
   * values; whether the service tolerates a negative window is not visible
   * here — confirm against `AccessReviewService.listPending`.
   *
   * @param raw - the raw `days` query parameter, if any
   * @returns the parsed integer, or `undefined` when absent/unparseable
   */
  private static toDays(raw?: string): number | undefined {
    if (!raw) {
      return undefined;
    }
    const value = parseInt(raw, 10);
    return Number.isFinite(value) ? value : undefined;
  }

  /**
   * GET iam/access-review/pending — lists reviews still awaiting a decision.
   *
   * Guarded by the `access_review:manage` permission. The `days` query
   * parameter is optional and forwarded to the service after lenient parsing
   * (see {@link toDays}).
   */
  @Get('pending')
  @RequirePermissions('access_review:manage')
  async listPending(@Query('days') days?: string) {
    const window = AccessReviewController.toDays(days);
    return this.service.listPending(window);
  }

  /**
   * POST iam/access-review/:id/approve — records an approval (retain) decision.
   *
   * `id` must be a UUID (rejected by `ParseUUIDPipe` otherwise); the acting
   * reviewer is taken from the authenticated principal, never from the body.
   * The call is marked auditable and sensitive. Whatever the service returns
   * is passed straight back to the client.
   */
  @Post(':id/approve')
  @RequirePermissions('access_review:manage')
  @Auditable()
  @Sensitive()
  async approve(
    @Param('id', ParseUUIDPipe) id: string,
    @Body() body: ReviewCommentDto,
    @CurrentUser('userId') reviewerId: string,
  ) {
    const comment = body?.comment;
    return this.service.approve(id, reviewerId, comment);
  }

  /**
   * POST iam/access-review/:id/revoke — records a revoke decision.
   *
   * Same guards as {@link approve}. Unlike `approve`, the service result is
   * discarded and a fixed `{ ok: true }` acknowledgement is returned.
   */
  @Post(':id/revoke')
  @RequirePermissions('access_review:manage')
  @Auditable()
  @Sensitive()
  async revoke(
    @Param('id', ParseUUIDPipe) id: string,
    @Body() body: ReviewCommentDto,
    @CurrentUser('userId') reviewerId: string,
  ): Promise<{ ok: boolean }> {
    const comment = body?.comment;
    await this.service.revoke(id, reviewerId, comment);
    return { ok: true };
  }
}
