<?php

namespace App\Services;

use App\Models\AuditLog;
use App\Models\Tenant;
use App\Models\User;
use App\Services\Intune\AuditLogger;
use App\Support\Audit\AuditActions;
use Illuminate\Support\Arr;

class TenantOnboardingAuditService
{
    public function __construct(public AuditLogger $auditLogger)
    {
    }

    public function credentialsUpdated(Tenant $tenant, ?User $actor = null, array $context = []): AuditLog
    {
        $context = $this->sanitizeContext($context);

        return $this->auditLogger->log(
            tenant: $tenant,
            action: AuditActions::TENANT_ONBOARDING_CREDENTIALS_UPDATED,
            context: $context,
            actorId: $actor?->id,
            actorEmail: $actor?->email,
            actorName: $actor?->name,
            resourceType: 'tenant',
            resourceId: (string) $tenant->getKey(),
        );
    }

    public function onboardingCompleted(Tenant $tenant, ?User $actor = null, array $context = []): AuditLog
    {
        $context = $this->sanitizeContext($context);

        return $this->auditLogger->log(
            tenant: $tenant,
            action: AuditActions::TENANT_ONBOARDING_COMPLETED,
            context: $context,
            actorId: $actor?->id,
            actorEmail: $actor?->email,
            actorName: $actor?->name,
            resourceType: 'tenant',
            resourceId: (string) $tenant->getKey(),
        );
    }

    /**
     * @param  array<string, mixed>  $context
     * @return array<string, mixed>
     */
    private function sanitizeContext(array $context): array
    {
        $keysToStrip = [
            'secret',
            'client_secret',
            'app_client_secret',
            'app_secret',
            'token',
            'access_token',
            'refresh_token',
        ];

        return Arr::except($context, $keysToStrip);
    }
}