<?php

declare(strict_types=1);

namespace App\Mcp\Tool\Reference;

use App\Repository\UserRepository;
use Mcp\Capability\Attribute\McpTool;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

#[McpTool(name: 'list-users', description: 'List all users with their IDs and usernames. Use this to discover valid user IDs for assignee or time entry parameters.')]
class ListUsersTool
{
    public function __construct(
        private readonly UserRepository $userRepository,
        private readonly Security $security,
    ) {}

    public function __invoke(): string
    {
        if (!$this->security->isGranted('ROLE_ADMIN')) {
            throw new AccessDeniedException('Access denied: ROLE_ADMIN required.');
        }

        $users = $this->userRepository->findBy([], ['username' => 'ASC']);

        return json_encode(array_map(fn ($user) => [
            'id'       => $user->getId(),
            'username' => $user->getUsername(),
        ], $users));
    }
}