<?php

declare(strict_types=1);

namespace App\Support\Audit;

final class AuditContextSanitizer
{
    private const REDACTED = '[REDACTED]';

    public static function sanitize(mixed $value): mixed
    {
        if (is_array($value)) {
            $sanitized = [];

            foreach ($value as $key => $item) {
                if (is_string($key) && self::shouldRedactKey($key)) {
                    $sanitized[$key] = self::REDACTED;

                    continue;
                }

                $sanitized[$key] = self::sanitize($item);
            }

            return $sanitized;
        }

        if (is_string($value)) {
            return self::sanitizeString($value);
        }

        return $value;
    }

    private static function shouldRedactKey(string $key): bool
    {
        $key = strtolower(trim($key));

        return str_contains($key, 'token')
            || str_contains($key, 'secret')
            || str_contains($key, 'password')
            || str_contains($key, 'authorization')
            || str_contains($key, 'private_key')
            || str_contains($key, 'client_secret');
    }

    private static function sanitizeString(string $value): string
    {
        $candidate = trim($value);

        if ($candidate === '') {
            return $value;
        }

        if (preg_match('/\bBearer\s+[A-Za-z0-9\-\._~\+\/]+=*\b/i', $candidate)) {
            return self::REDACTED;
        }

        if (preg_match('/\b[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\b/', $candidate)) {
            return self::REDACTED;
        }

        return $value;
    }
}