// Package lib holds the persisted data model for the vault: entries and the
// JSON payload packed into them, sessions, audit events and WebAuthn
// credentials, plus the string/int constants those records use.
//
// Encryption boundary, as stated by the field comments below: only
// Entry.Data is ciphertext. Entry.Title, Entry.TitleIdx and every AuditEvent
// field sit outside that envelope, so nothing sensitive belongs in a title.
package lib

import "database/sql"

// VaultField represents a single field within a vault entry. Fields live
// inside VaultData, which is serialized into Entry.Data, so their values are
// only in the clear once that blob has been decrypted.
type VaultField struct {
	Label string `json:"label"`
	// Value is the field content. For Kind "password" and "totp" this is the
	// secret itself (for totp presumably the shared seed — confirm), so it
	// must never be logged or copied into an AuditEvent.
	Value   string `json:"value"`
	Kind    string `json:"kind"` // text|password|totp|url|file
	Section string `json:"section,omitempty"`
	// L2 marks a field that may only be decrypted on the client (see
	// DataLevelL2). NOTE(review): how a per-field L2 flag relates to the
	// entry-wide Entry.DataLevel is not defined here — confirm the packer
	// never decrypts such a field server-side.
	L2 bool `json:"l2,omitempty"` // true = client-side decrypt only
}

// VaultFile represents an attached file. It is embedded in VaultData and is
// therefore encrypted along with the rest of Entry.Data.
type VaultFile struct {
	Name string `json:"name"`
	// MimeType is whatever was supplied at attach time (presumably by the
	// client). NOTE(review): do not trust it when serving the file back — an
	// attacker-chosen text/html or image/svg+xml served inline from the vault
	// origin is a stored-XSS vector; confirm the download path forces
	// Content-Disposition: attachment and X-Content-Type-Options: nosniff.
	MimeType string `json:"mime_type"`
	// Size is carried separately from len(Data); nothing at this layer
	// guarantees the two agree, so treat Size as advisory and len(Data) as
	// authoritative.
	Size int64 `json:"size"`
	// Data holds the raw bytes; encoding/json emits it base64-encoded.
	Data []byte `json:"data"`
}

// VaultData is the JSON structure packed into Entry.Data: it is the
// plaintext that Entry.Data encrypts, and after decryption it is attached to
// Entry.VaultData.
type VaultData struct {
	// Title and Type duplicate Entry.Title / Entry.Type inside the encrypted
	// payload. Which copy is authoritative is not defined here — presumably
	// the plaintext Entry fields, since the UI and the blind index use those;
	// confirm before relying on either.
	Title  string       `json:"title"`
	Type   string       `json:"type"`
	Fields []VaultField `json:"fields"`
	URLs   []string     `json:"urls,omitempty"`
	Tags   []string     `json:"tags,omitempty"`
	// Expires is a free-form string expected to be YYYY-MM-DD; no parsing or
	// validation happens at this layer.
	Expires string      `json:"expires,omitempty"` // YYYY-MM-DD
	Notes   string      `json:"notes,omitempty"`
	Files   []VaultFile `json:"files,omitempty"`
}

// Entry is the core data model — single table for all vault items,
// including folders (Type TypeFolder, referenced by ParentID).
//
// Two representations of the content coexist on the struct: Data is the
// stored ciphertext and is never serialized to JSON; VaultData is the
// decrypted form, populated only after decryption, and is what the JSON key
// "data" exposes.
type Entry struct {
	EntryID  string `json:"entry_id"`
	ParentID string `json:"parent_id"` // folder entry_id, or "" for root
	Type     string `json:"type"`      // credential|note|identity|card|ssh_key|totp|folder|custom (Type* consts)
	// Title is kept in plaintext for the UI, i.e. outside the Data encryption
	// envelope. Anything sensitive placed in a title is therefore unprotected
	// at rest and also surfaces in AuditEvent.Title.
	Title string `json:"title"`
	// TitleIdx is an HMAC-SHA256 blind index used for search. It is
	// deterministic by design, so equal titles produce equal indexes —
	// equality/frequency of titles is observable to anyone holding the table
	// even without the HMAC key. Never serialized.
	TitleIdx []byte `json:"-"`
	// Data is the packed payload: VaultData as JSON, zstd-compressed, then
	// AES-256-GCM encrypted. Never serialized. NOTE(review): compress-then-
	// encrypt means ciphertext length reflects plaintext compressibility;
	// that only matters where an attacker can both influence content and
	// observe sizes — worth assessing for imported/shared entries.
	Data []byte `json:"-"`
	// DataLevel selects who can decrypt Data: DataLevelL1 (server-side key,
	// AI-readable) or DataLevelL2 (client-only, WebAuthn PRF key).
	DataLevel int   `json:"data_level"` // 1=L1, 2=L2
	CreatedAt int64 `json:"created_at"` // presumably unix seconds — confirm
	UpdatedAt int64 `json:"updated_at"` // presumably unix seconds — confirm
	// Version is the optimistic-locking counter; concurrent writers are
	// expected to compare it on update (the check itself lives elsewhere).
	Version int `json:"version"`
	// DeletedAt non-nil marks a soft-deleted entry. The row — including its
	// ciphertext — presumably remains until purged; confirm retention policy.
	DeletedAt *int64 `json:"deleted_at,omitempty"`

	// VaultData is the unpacked content (not stored directly, populated after
	// decrypt). For DataLevelL2 entries the server by design has no key to
	// populate it; NOTE(review): confirm handlers never emit a "data" value
	// for an L2 entry.
	VaultData *VaultData `json:"data,omitempty"`
}

// Session represents an authenticated session.
//
// Token is the bearer secret itself and it IS serialized (json:"token"), so
// any JSON encoding of a Session — API response, debug dump, log line —
// exposes it. NOTE(review): if sessions are persisted with this struct the
// store holds usable tokens in the clear; storing only a hash and comparing
// in constant time is the usual mitigation — confirm how the store uses it.
type Session struct {
	Token     string `json:"token"`
	CreatedAt int64  `json:"created_at"` // presumably unix seconds — confirm
	ExpiresAt int64  `json:"expires_at"` // presumably unix seconds — confirm
	// Actor records which surface opened the session; one of the Actor*
	// constants (web|extension|mcp).
	Actor string `json:"actor"`
}

// AuditEvent represents a security audit log entry.
type AuditEvent struct {
	EventID string `json:"event_id"`
	EntryID string `json:"entry_id,omitempty"`
	// Title is a plaintext snapshot of Entry.Title at the time of the event,
	// so it survives later renames/deletes — which also means the audit log
	// carries the same unencrypted titles the entries table does.
	Title string `json:"title,omitempty"`
	// Action is one of the Action* constants
	// (read|fill|ai_read|create|update|delete|import|export).
	Action string `json:"action"`
	// Actor is one of the Actor* constants (web|extension|mcp).
	Actor string `json:"actor"`
	// IPAddr is the client address when known. NOTE(review): if it is taken
	// from a forwarded header (X-Forwarded-For and friends) it is
	// attacker-supplied unless the proxy is trusted — confirm how it is set.
	IPAddr    string `json:"ip_addr,omitempty"`
	CreatedAt int64  `json:"created_at"` // presumably unix seconds — confirm
}

// WebAuthnCredential stores a registered WebAuthn credential. Besides
// authentication, a credential's PRF output is what derives the client-side
// key for DataLevelL2 data (see the DataLevelL2 comment).
type WebAuthnCredential struct {
	CredID string `json:"cred_id"`
	Name   string `json:"name"` // user-facing label — presumably user-chosen; confirm
	// PublicKey is the credential public key as registered; its encoding
	// (COSE vs. raw) is not fixed here — check the registration code.
	PublicKey []byte `json:"public_key"`
	// PRFSalt is the per-credential salt fed to the WebAuthn PRF extension.
	// It is serialized, presumably because the client needs it to request the
	// PRF evaluation. NOTE(review): under PRF semantics the salt alone does
	// not yield the key (the authenticator does), but confirm it is only ever
	// returned to the credential's owner.
	PRFSalt []byte `json:"prf_salt"`
	// SignCount is the last signature counter seen from the authenticator.
	// NOTE(review): assertion verification should reject a counter that does
	// not increase when either side is non-zero (cloned-authenticator
	// detection) and store the new value on success — confirm in the handler.
	SignCount int   `json:"sign_count"`
	CreatedAt int64 `json:"created_at"` // presumably unix seconds — confirm
}

// DB wraps the database connection. It is presumably the receiver for the
// store's query methods, which are defined elsewhere.
type DB struct {
	Conn *sql.DB
}

// Entry types — the valid values of Entry.Type.
const (
	TypeCredential = "credential"
	TypeCard       = "card"
	TypeIdentity   = "identity"
	TypeNote       = "note"
	TypeSSHKey     = "ssh_key"
	TypeTOTP       = "totp"
	TypeFolder     = "folder" // container; children point at it via Entry.ParentID
	TypeCustom     = "custom"
)

// Data levels — the valid values of Entry.DataLevel. The level decides where
// the decryption key lives, and therefore who can ever read Entry.Data.
const (
	DataLevelL1 = 1 // Server-side encrypted (AI-readable): the server holds the key and may decrypt, e.g. for ActionAIRead
	DataLevelL2 = 2 // Client-side only (WebAuthn PRF): key derived on the client from a PRF evaluation; the server only sees ciphertext
)

// Actor types — which surface performed an action or owns a Session
// (Session.Actor, AuditEvent.Actor).
const (
	ActorWeb       = "web"
	ActorExtension = "extension"
	ActorMCP       = "mcp" // presumably a Model Context Protocol (AI) client, the path behind ActionAIRead — confirm
)

// Action types — the valid values of AuditEvent.Action.
const (
	ActionRead   = "read"
	ActionFill   = "fill"    // presumably a credential handed to the extension for autofill — confirm
	ActionAIRead = "ai_read" // an AI consumer read DataLevelL1 data
	ActionCreate = "create"
	ActionUpdate = "update"
	ActionDelete = "delete"
	ActionImport = "import"
	ActionExport = "export" // bulk export: whole-vault exfiltration in one action, worth alerting on
)