<?php

declare(strict_types=1);

namespace App\Filament\System\Pages\Security;

use App\Models\AuditLog;
use App\Models\PlatformUser;
use App\Support\Auth\PlatformCapabilities;
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
use Filament\Pages\Page;
use Filament\Tables\Columns\TextColumn;
use Filament\Tables\Concerns\InteractsWithTable;
use Filament\Tables\Contracts\HasTable;
use Filament\Tables\Table;
use Illuminate\Database\Eloquent\Builder;

class AccessLogs extends Page implements HasTable
{
    use InteractsWithTable;

    protected static ?string $navigationLabel = 'Access logs';

    protected static string|\BackedEnum|null $navigationIcon = 'heroicon-o-shield-check';

    protected static string|\UnitEnum|null $navigationGroup = 'Security';

    protected static ?string $slug = 'security/access-logs';

    protected string $view = 'filament.system.pages.security.access-logs';

    public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
    {
        return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog)
            ->exempt(ActionSurfaceSlot::ListHeader, 'Access logs remain scan-first and do not expose page header actions.')
            ->exempt(ActionSurfaceSlot::InspectAffordance, 'Access logs intentionally keep auth and break-glass events inline without a separate inspect view.')
            ->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Access logs are immutable and intentionally omit bulk actions.')
            ->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state explains when no platform auth or break-glass events match the current log scope.')
            ->exempt(ActionSurfaceSlot::DetailHeader, 'The access log page does not open per-record detail headers; review stays inline in the table.');
    }

    public static function canAccess(): bool
    {
        $user = auth('platform')->user();

        return $user instanceof PlatformUser
            && $user->hasCapability(PlatformCapabilities::CONSOLE_VIEW);
    }

    public function mount(): void
    {
        $this->mountInteractsWithTable();
    }

    public function table(Table $table): Table
    {
        return $table
            ->defaultSort('recorded_at', 'desc')
            ->paginated(\App\Support\Filament\TablePaginationProfiles::customPage())
            ->query(function (): Builder {
                return AuditLog::query()
                    ->where(function (Builder $query): void {
                        $query
                            ->where('action', 'platform.auth.login')
                            ->orWhere('action', 'like', 'platform.break_glass.%');
                    });
            })
            ->columns([
                TextColumn::make('recorded_at')
                    ->label('Recorded')
                    ->since(),
                TextColumn::make('action')
                    ->label('Action')
                    ->searchable(),
                TextColumn::make('status')
                    ->badge()
                    ->color(fn (?string $state): string => $state === 'failure' ? 'danger' : 'success'),
                TextColumn::make('actor_email')
                    ->label('Actor')
                    ->formatStateUsing(fn (?string $state): string => $state ?: 'Unknown'),
            ])
            ->emptyStateHeading('No access logs found')
            ->emptyStateDescription('Platform login and break-glass events will appear here.');
    }
}