//go:build llm_script

package main

import (
	"database/sql"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

type officialImportSignatureAuditRecord struct {
	SourceKey               string
	CheckedAt               time.Time
	Status                  string
	DriftDetected           bool
	BaselineInitialized     bool
	SourceURL               string
	FixturePath             string
	SnapshotPath            string
	SignaturePath           string
	BaselinePath            string
	StructureSHA256         string
	PreviousStructureSHA256 string
	ByteSize                int
	SignaturePayload        any
	ErrorMessage            string
}

func persistOfficialImportSignatureAuditIfConfigured(record officialImportSignatureAuditRecord) error {
	if strings.TrimSpace(os.Getenv("DATABASE_URL")) == "" {
		return nil
	}
	db, err := subscriptionImportDB()
	if err != nil {
		return fmt.Errorf("open db for official import signature audit: %w", err)
	}
	defer db.Close()
	if err := insertOfficialImportSignatureAudit(db, record); err != nil {
		return fmt.Errorf("insert official import signature audit: %w", err)
	}
	return nil
}

func insertOfficialImportSignatureAudit(db *sql.DB, record officialImportSignatureAuditRecord) error {
	if db == nil {
		return fmt.Errorf("official import signature audit db is nil")
	}

	var signaturePayload any
	if record.SignaturePayload != nil {
		payload, err := json.Marshal(record.SignaturePayload)
		if err != nil {
			return fmt.Errorf("marshal signature payload: %w", err)
		}
		signaturePayload = string(payload)
	}

	_, err := db.Exec(
		`INSERT INTO official_import_signature_audit (
			source_key, checked_at, status, drift_detected, baseline_initialized,
			source_url, fixture_path, snapshot_path, signature_path, baseline_path,
			structure_sha256, previous_structure_sha256, byte_size, signature_payload, error_message
		) VALUES (
			$1, $2, $3, $4, $5,
			$6, $7, $8, $9, $10,
			$11, $12, $13, $14::jsonb, $15
		)`,
		record.SourceKey,
		record.CheckedAt,
		record.Status,
		record.DriftDetected,
		record.BaselineInitialized,
		nullIfBlank(record.SourceURL),
		nullIfBlank(record.FixturePath),
		nullIfBlank(record.SnapshotPath),
		nullIfBlank(record.SignaturePath),
		nullIfBlank(record.BaselinePath),
		nullIfBlank(record.StructureSHA256),
		nullIfBlank(record.PreviousStructureSHA256),
		nullIfZeroIntCommon(record.ByteSize),
		signaturePayload,
		nullIfBlank(record.ErrorMessage),
	)
	if err != nil {
		return fmt.Errorf("insert official_import_signature_audit: %w", err)
	}
	return nil
}

func officialImportSignatureAuditStatus(driftDetected bool, baselineInitialized bool, runErr error) string {
	switch {
	case driftDetected:
		return "drift_detected"
	case baselineInitialized:
		return "baseline_initialized"
	case runErr != nil:
		return "failed"
	default:
		return "passed"
	}
}

func errorMessageText(err error) string {
	if err == nil {
		return ""
	}
	return strings.TrimSpace(err.Error())
}