<?php

namespace App\Support\OpsUx;

use App\Services\Intune\SecretClassificationService;
use App\Support\Baselines\BaselineReasonCodes;
use App\Support\Operations\ExecutionDenialReasonCode;
use App\Support\Operations\LifecycleReconciliationReason;
use App\Support\Providers\ProviderReasonCodes;

final class RunFailureSanitizer
{
    /**
     * Restore reconciliation reason codes are intentionally bounded here instead of
     * becoming a new persisted enum/status family.
     *
     * @var array<int, string>
     */
    private const array RESTORE_RECONCILIATION_REASON_CODES = [
        'restore.audit_missing',
        'restore.cancelled',
        'restore.evidence_missing',
        'restore.execution_proof_missing',
        'restore.failed',
        'restore.preview_only',
        'restore.proof_complete',
        'restore.proof_missing',
        'restore.provider_proof_missing',
        'restore.provider_rejected',
        'restore.results_missing',
        'restore.results_mixed',
        'restore.run_deleted',
        'restore.scope_mismatch',
        'restore.verification_required',
    ];

    public const string REASON_GRAPH_THROTTLED = 'graph_throttled';

    public const string REASON_GRAPH_TIMEOUT = 'graph_timeout';

    public const string REASON_PERMISSION_DENIED = 'permission_denied';

    public const string REASON_PROVIDER_AUTH_FAILED = 'provider_auth_failed';

    public const string REASON_PROVIDER_OUTAGE = 'provider_outage';

    public const string REASON_VALIDATION_ERROR = 'validation_error';

    public const string REASON_CONFLICT_DETECTED = 'conflict_detected';

    public const string REASON_UNKNOWN_ERROR = 'unknown_error';

    public static function sanitizeCode(string $code): string
    {
        $code = strtolower(trim($code));

        if ($code === '') {
            return 'unknown';
        }

        return substr($code, 0, 80);
    }

    public static function normalizeReasonCode(string $candidate): string
    {
        $candidate = strtolower(trim($candidate));

        if ($candidate === '') {
            return ProviderReasonCodes::UnknownError;
        }

        if (self::isStructuredOperatorReasonCode($candidate) || in_array($candidate, ['ok', 'not_applicable'], true)) {
            return $candidate;
        }

        if (str_starts_with($candidate, 'ext.')) {
            return $candidate;
        }

        /**
         * Appendix-A taxonomy mappings:
         * - `graph_throttled`/`throttled` -> `rate_limited`
         * - transport/transient/outage classes -> `network_unreachable`
         * - auth failures -> `provider_auth_failed`
         * - permission denied classes -> `provider_permission_denied`
         * - generic missing/invalid configuration classes -> `provider_connection_*`
         */
        // Compatibility mappings from existing codebase labels.
        $candidate = match ($candidate) {
            self::REASON_GRAPH_THROTTLED,
            'throttled' => ProviderReasonCodes::RateLimited,
            self::REASON_GRAPH_TIMEOUT,
            self::REASON_PROVIDER_OUTAGE,
            'graph_transient',
            'dependency_unreachable' => ProviderReasonCodes::NetworkUnreachable,
            self::REASON_PERMISSION_DENIED,
            'graph_forbidden',
            'permission_denied' => ProviderReasonCodes::ProviderPermissionDenied,
            self::REASON_PROVIDER_AUTH_FAILED,
            'authentication_failed' => ProviderReasonCodes::ProviderAuthFailed,
            self::REASON_VALIDATION_ERROR,
            self::REASON_CONFLICT_DETECTED,
            'invalid_state' => ProviderReasonCodes::ProviderConnectionInvalid,
            'missing_configuration' => ProviderReasonCodes::ProviderConnectionMissing,
            'unknown',
            self::REASON_UNKNOWN_ERROR => ProviderReasonCodes::UnknownError,
            default => $candidate,
        };

        if (self::isStructuredOperatorReasonCode($candidate) || in_array($candidate, ['ok', 'not_applicable'], true)) {
            return $candidate;
        }

        // Heuristic normalization for ad-hoc inputs is bounded fallback behavior only.
        if (str_contains($candidate, 'throttle') || str_contains($candidate, '429')) {
            return ProviderReasonCodes::RateLimited;
        }

        if (str_contains($candidate, 'invalid_client') || str_contains($candidate, 'invalid_grant') || str_contains($candidate, '401') || str_contains($candidate, 'aadsts')) {
            return ProviderReasonCodes::ProviderAuthFailed;
        }

        if (str_contains($candidate, 'timeout') || str_contains($candidate, 'transient') || str_contains($candidate, '503') || str_contains($candidate, '504')) {
            return ProviderReasonCodes::NetworkUnreachable;
        }

        if (str_contains($candidate, 'outage') || str_contains($candidate, '500') || str_contains($candidate, '502') || str_contains($candidate, 'bad_gateway')) {
            return ProviderReasonCodes::NetworkUnreachable;
        }

        if (str_contains($candidate, 'forbidden') || str_contains($candidate, 'permission') || str_contains($candidate, 'unauthorized') || str_contains($candidate, '403')) {
            return ProviderReasonCodes::ProviderPermissionDenied;
        }

        if (str_contains($candidate, 'validation') || str_contains($candidate, 'not_found') || str_contains($candidate, 'bad_request') || str_contains($candidate, '400') || str_contains($candidate, '422')) {
            return ProviderReasonCodes::ProviderConnectionInvalid;
        }

        if (str_contains($candidate, 'conflict') || str_contains($candidate, '409')) {
            return ProviderReasonCodes::ProviderConnectionInvalid;
        }

        return ProviderReasonCodes::UnknownError;
    }

    public static function isStructuredOperatorReasonCode(string $candidate): bool
    {
        $candidate = strtolower(trim($candidate));

        if ($candidate === '') {
            return false;
        }

        $executionDenialReasonCodes = array_map(
            static fn (ExecutionDenialReasonCode $reasonCode): string => $reasonCode->value,
            ExecutionDenialReasonCode::cases(),
        );

        $lifecycleReasonCodes = array_map(
            static fn (LifecycleReconciliationReason $reasonCode): string => $reasonCode->value,
            LifecycleReconciliationReason::cases(),
        );

        return ProviderReasonCodes::isKnown($candidate)
            || BaselineReasonCodes::isKnown($candidate)
            || in_array($candidate, $executionDenialReasonCodes, true)
            || in_array($candidate, $lifecycleReasonCodes, true)
            || in_array($candidate, self::RESTORE_RECONCILIATION_REASON_CODES, true);
    }

    public static function sanitizeMessage(string $message): string
    {
        $message = trim(str_replace(["\r", "\n"], ' ', $message));
        $message = self::classifier()->sanitizeOpsFailureString($message);
        $message = preg_replace('/\b[A-Za-z0-9\-\._~\+\/]{64,}\b/', '[REDACTED]', $message) ?? $message;
        $message = preg_replace('/\b(access_token|refresh_token|client_secret|password)\b\s*=\s*\[REDACTED_SECRET\]/i', '[REDACTED_SECRET]', $message) ?? $message;
        $message = preg_replace('/"(access_token|refresh_token|client_secret|password)"\s*:\s*"\[REDACTED_SECRET\]"/i', '"[REDACTED_SECRET]"', $message) ?? $message;

        return substr($message, 0, 120);
    }

    private static function classifier(): SecretClassificationService
    {
        return app(SecretClassificationService::class);
    }
}