import { NextResponse } from 'next/server'
import { sessionRepo } from '@/lib/database/repositories/session.repo'
import { clearSessionAllowances } from '@/lib/engine/adapters/claude/permission-bridge'
import { isAuthError, requireUser, requireWorkspaceReadAccess } from '@/lib/auth/session'

// GET /api/sessions/:id
export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
  let user
  try { user = await requireUser() } catch (err) { if (isAuthError(err)) return err; throw err }
  const { id } = await params
  const session = sessionRepo.findByIdAndUser(id, user.id)
  if (!session) return NextResponse.json({ error: 'Not found' }, { status: 404 })
  if (session.workspace) {
    try { await requireWorkspaceReadAccess(session.workspace) } catch (err) { if (isAuthError(err)) return err; throw err }
  }
  return NextResponse.json(session)
}

// PATCH /api/sessions/:id — update title, model, etc.
export async function PATCH(req: Request, { params }: { params: Promise<{ id: string }> }) {
  let user
  try { user = await requireUser() } catch (err) { if (isAuthError(err)) return err; throw err }
  const { id } = await params
  const body = await req.json()

  const fields: { title?: string; model?: string; workspace?: string; status?: 'active' | 'archived' } = {}

  if (typeof body.title === 'string') { fields.title = body.title }
  if (typeof body.model === 'string') { fields.model = body.model }
  if (typeof body.workspace === 'string') {
    if (body.workspace) {
      try { await requireWorkspaceReadAccess(body.workspace) } catch (err) { if (isAuthError(err)) return err; throw err }
    }
    fields.workspace = body.workspace
  }
  if (body.status === 'active' || body.status === 'archived') { fields.status = body.status }

  if (Object.keys(fields).length === 0) {
    return NextResponse.json({ error: 'No fields to update' }, { status: 400 })
  }

  const updated = sessionRepo.updateFields(id, fields)
  // Re-read scoped by user so we never leak a row the caller does not own
  const session = updated ? sessionRepo.findByIdAndUser(id, user.id) : undefined
  return NextResponse.json(session)
}

// DELETE /api/sessions/:id
export async function DELETE(_req: Request, { params }: { params: Promise<{ id: string }> }) {
  let user
  try { user = await requireUser() } catch (err) { if (isAuthError(err)) return err; throw err }
  const { id } = await params
  sessionRepo.deleteByIdAndUser(id, user.id)
  clearSessionAllowances(id)
  return NextResponse.json({ ok: true })
}
