<?php

namespace App\Support;

use App\Models\AdminSite;
use App\Models\AdminUser;
use App\Models\AgentNode;
use App\Lottery\ErrorCode;
use App\Support\ApiMessage;
use App\Support\ApiResponse;
use Illuminate\Http\JsonResponse;

final class AdminAgentNodeAccess
{
    public static function resolveAdminSiteId(AdminUser $admin, ?int $requestedSiteId): ?int
    {
        if ($admin->isSuperAdmin()) {
            if ($requestedSiteId !== null && $requestedSiteId > 0) {
                return $requestedSiteId;
            }

            return (int) (AdminSite::query()->where('is_default', true)->value('id')
                ?? AdminSite::query()->orderBy('id')->value('id'));
        }

        // Check if admin is a platform account (bound via admin_user_site_roles)
        $accessibleSiteIds = $admin->accessibleAdminSiteIds();
        if ($accessibleSiteIds !== null) {
            // Platform account (site admin)
            if ($requestedSiteId !== null && $requestedSiteId > 0) {
                if (in_array($requestedSiteId, $accessibleSiteIds, true)) {
                    return $requestedSiteId;
                }
                return null;
            }

            // Return first accessible site if no specific site requested
            return $accessibleSiteIds[0] ?? null;
        }

        // Agent account (bound via agent node)
        $actor = AdminAgentScope::primaryAgentNode($admin);
        if ($actor === null) {
            return null;
        }

        if ($requestedSiteId !== null && $requestedSiteId > 0 && $requestedSiteId !== (int) $actor->admin_site_id) {
            return null;
        }

        return (int) $actor->admin_site_id;
    }

    public static function denyUnlessSiteResolved(AdminUser $admin, ?int $siteId): ?JsonResponse
    {
        if ($siteId !== null && $siteId > 0) {
            return null;
        }

        return ApiMessage::errorResponse(
            request(),
            'admin.agent_site_access_denied',
            ErrorCode::AdminForbidden->value,
            null,
            403,
        );
    }

    public static function denyUnlessNodeVisible(AdminUser $admin, AgentNode $node): ?JsonResponse
    {
        if (AdminAgentScope::nodeVisibleTo($admin, $node)) {
            return null;
        }

        return ApiMessage::errorResponse(
            request(),
            'admin.agent_node_access_denied',
            ErrorCode::AdminForbidden->value,
            null,
            403,
        );
    }

    public static function denyUnlessCanManageParent(AdminUser $admin, AgentNode $parent): ?JsonResponse
    {
        if (! AdminAgentScope::nodeManageableBy($admin, $parent)) {
            return ApiMessage::errorResponse(
                request(),
                'admin.agent_node_manage_denied',
                ErrorCode::AdminForbidden->value,
                null,
                403,
            );
        }

        if ($parent->isRoot() && ! $admin->isSuperAdmin()) {
            return ApiMessage::errorResponse(
                request(),
                'admin.agent_root_create_denied',
                ErrorCode::AdminForbidden->value,
                null,
                403,
            );
        }

        return null;
    }
}