<?php

namespace App\Support\OpsUx;

final class RunFailureSanitizer
{
    public const string REASON_GRAPH_THROTTLED = 'graph_throttled';

    public const string REASON_GRAPH_TIMEOUT = 'graph_timeout';

    public const string REASON_PERMISSION_DENIED = 'permission_denied';

    public const string REASON_PROVIDER_AUTH_FAILED = 'provider_auth_failed';

    public const string REASON_PROVIDER_OUTAGE = 'provider_outage';

    public const string REASON_VALIDATION_ERROR = 'validation_error';

    public const string REASON_CONFLICT_DETECTED = 'conflict_detected';

    public const string REASON_UNKNOWN_ERROR = 'unknown_error';

    public static function sanitizeCode(string $code): string
    {
        $code = strtolower(trim($code));

        if ($code === '') {
            return 'unknown';
        }

        return substr($code, 0, 80);
    }

    public static function normalizeReasonCode(string $candidate): string
    {
        $candidate = strtolower(trim($candidate));

        if ($candidate === '') {
            return self::REASON_UNKNOWN_ERROR;
        }

        $allowed = [
            self::REASON_GRAPH_THROTTLED,
            self::REASON_GRAPH_TIMEOUT,
            self::REASON_PERMISSION_DENIED,
            self::REASON_PROVIDER_AUTH_FAILED,
            self::REASON_PROVIDER_OUTAGE,
            self::REASON_VALIDATION_ERROR,
            self::REASON_CONFLICT_DETECTED,
            self::REASON_UNKNOWN_ERROR,
        ];

        if (in_array($candidate, $allowed, true)) {
            return $candidate;
        }

        // Compatibility mappings from existing codebase labels.
        $candidate = match ($candidate) {
            'graph_forbidden' => self::REASON_PERMISSION_DENIED,
            'graph_transient' => self::REASON_GRAPH_TIMEOUT,
            'unknown' => self::REASON_UNKNOWN_ERROR,
            default => $candidate,
        };

        if (in_array($candidate, $allowed, true)) {
            return $candidate;
        }

        // Heuristic normalization for ad-hoc codes used across jobs/services.
        if (str_contains($candidate, 'throttle') || str_contains($candidate, '429')) {
            return self::REASON_GRAPH_THROTTLED;
        }

        if (str_contains($candidate, 'invalid_client') || str_contains($candidate, 'invalid_grant') || str_contains($candidate, '401') || str_contains($candidate, 'aadsts')) {
            return self::REASON_PROVIDER_AUTH_FAILED;
        }

        if (str_contains($candidate, 'timeout') || str_contains($candidate, 'transient') || str_contains($candidate, '503') || str_contains($candidate, '504')) {
            return self::REASON_GRAPH_TIMEOUT;
        }

        if (str_contains($candidate, 'outage') || str_contains($candidate, '500') || str_contains($candidate, '502') || str_contains($candidate, 'bad_gateway')) {
            return self::REASON_PROVIDER_OUTAGE;
        }

        if (str_contains($candidate, 'forbidden') || str_contains($candidate, 'permission') || str_contains($candidate, 'unauthorized') || str_contains($candidate, '403')) {
            return self::REASON_PERMISSION_DENIED;
        }

        if (str_contains($candidate, 'validation') || str_contains($candidate, 'not_found') || str_contains($candidate, 'bad_request') || str_contains($candidate, '400') || str_contains($candidate, '422')) {
            return self::REASON_VALIDATION_ERROR;
        }

        if (str_contains($candidate, 'conflict') || str_contains($candidate, '409')) {
            return self::REASON_CONFLICT_DETECTED;
        }

        return self::REASON_UNKNOWN_ERROR;
    }

    public static function sanitizeMessage(string $message): string
    {
        $message = trim(str_replace(["\r", "\n"], ' ', $message));

        // Redact obvious PII (emails).
        $message = preg_replace('/[A-Z0-9._%+\-]+@[A-Z0-9.\-]+\.[A-Z]{2,}/i', '[REDACTED_EMAIL]', $message) ?? $message;

        // Redact obvious auth headers.
        $message = preg_replace('/\bAuthorization\s*:\s*[^\s]+(?:\s+[^\s]+)?/i', '[REDACTED_AUTH]', $message) ?? $message;
        $message = preg_replace('/\bBearer\s+[A-Za-z0-9\-\._~\+\/]+=*\b/i', '[REDACTED_AUTH]', $message) ?? $message;

        // Redact common secret-like key/value patterns.
        $message = preg_replace('/\b(access_token|refresh_token|client_secret|password)\b\s*[:=]\s*[^\s,;]+/i', '[REDACTED_SECRET]', $message) ?? $message;
        $message = preg_replace('/"(access_token|refresh_token|client_secret|password)"\s*:\s*"[^"]*"/i', '"[REDACTED]":"[REDACTED]"', $message) ?? $message;

        // Redact long opaque blobs that look token-like.
        $message = preg_replace('/\b[A-Za-z0-9\-\._~\+\/]{64,}\b/', '[REDACTED]', $message) ?? $message;

        // Ensure forbidden substrings never leak into stored messages.
        $message = str_ireplace(
            ['client_secret', 'access_token', 'refresh_token', 'authorization', 'bearer '],
            '[REDACTED]',
            $message,
        );

        return substr($message, 0, 120);
    }
}