<?php

declare(strict_types=1);

namespace App\Module\Core\Infrastructure\Console;

use App\Module\Core\Domain\Entity\User;
use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
use App\Module\Core\Domain\Repository\UserRepositoryInterface;
use App\Module\Core\Domain\Security\SystemRoles;
use App\Shared\Domain\Contract\SiteProviderInterface;
use Doctrine\ORM\EntityManagerInterface;
use RuntimeException;
use Symfony\Component\Console\Attribute\AsCommand;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Style\SymfonyStyle;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;

/**
 * Seed dedie aux tests E2E Playwright (frontend/tests/e2e).
 *
 * Cree 6 personas (e2e.*) qui couvrent les cases nominales de la matrice
 * RBAC : super-admin, user-full, user-readonly, user-users-only,
 * user-audit-only, user-nothing. Cette liste est la replique back du
 * fichier `frontend/tests/e2e/_fixtures/personas.ts` — si tu modifies
 * l'une des deux, met a jour l'autre.
 *
 * Idempotent : supprime les users prefixes `e2e.` avant de les recreer.
 * Ne touche PAS aux fixtures dev (admin/alice/bob) ni aux sites.
 *
 * Pre-requis : `bin/console app:sync-permissions` doit avoir tourne pour
 * que les permissions soient en base. La commande echoue en erreur explicite
 * si une permission attendue est absente du catalogue.
 */
#[AsCommand(
    name: 'app:seed-e2e',
    description: 'Seed les 6 personas utilises par les tests E2E Playwright.',
)]
final class SeedE2ECommand extends Command
{
    private const string SHARED_PASSWORD     = 'e2e-secret';
    private const string E2E_USERNAME_PREFIX = 'e2e.';
    private const string DEFAULT_SITE_NAME   = 'Chatellerault';

    public function __construct(
        private readonly EntityManagerInterface $em,
        private readonly UserRepositoryInterface $userRepository,
        private readonly RoleRepositoryInterface $roleRepository,
        private readonly PermissionRepositoryInterface $permissionRepository,
        private readonly SiteProviderInterface $siteProvider,
        private readonly UserPasswordHasherInterface $passwordHasher,
    ) {
        parent::__construct();
    }

    protected function execute(InputInterface $input, OutputInterface $output): int
    {
        $io = new SymfonyStyle($input, $output);

        // Garde-fou : cette commande cree un compte admin avec un mot de passe
        // hardcode. Elle ne doit JAMAIS tourner hors dev/test, meme si le
        // fichier se retrouve embarque dans une image prod par accident (le
        // .dockerignore a la racine est la premiere ligne de defense).
        $env = $_SERVER['APP_ENV'] ?? 'prod';
        if (!in_array($env, ['dev', 'test'], true)) {
            $io->error(sprintf('app:seed-e2e est refuse en environnement "%s". Autorise uniquement en dev/test.', $env));

            return Command::FAILURE;
        }

        $userRole = $this->roleRepository->findByCode(SystemRoles::USER_CODE);

        if (null === $userRole) {
            $io->error(sprintf(
                'Le role systeme "%s" est introuvable. Lance les migrations + fixtures ou `app:sync-permissions` avant ce seed.',
                SystemRoles::USER_CODE,
            ));

            return Command::FAILURE;
        }

        $defaultSite = $this->siteProvider->findByName(self::DEFAULT_SITE_NAME);

        // Pas de fail fatal si le site manque : les tests sidebar/login
        // n'en dependent pas. Les tests sites-scope-bypass (a venir) le feront.
        if (null === $defaultSite) {
            $io->note(sprintf(
                'Site "%s" absent : les personas seront crees sans site. Lance `make fixtures` si tu as besoin des sites.',
                self::DEFAULT_SITE_NAME,
            ));
        }

        $this->wipeExistingE2EUsers($io);

        foreach ($this->personasDefinition() as $persona) {
            $user = new User();
            $user->setUsername($persona['username']);
            $user->setPassword($this->passwordHasher->hashPassword($user, self::SHARED_PASSWORD));
            $user->setIsAdmin($persona['isAdmin']);
            $user->addRbacRole($userRole);

            foreach ($persona['permissions'] as $code) {
                $permission = $this->permissionRepository->findByCode($code);

                if (null === $permission) {
                    throw new RuntimeException(sprintf(
                        'Permission "%s" introuvable en base. Lance `app:sync-permissions` avant `app:seed-e2e`.',
                        $code,
                    ));
                }

                $user->addDirectPermission($permission);
            }

            if (null !== $defaultSite && 'e2e.user-nothing' !== $persona['username']) {
                // user-nothing reste sans site pour pouvoir tester un flow
                // "aucune permission et aucun site".
                $user->addSite($defaultSite);
                $user->setCurrentSite($defaultSite);
            }

            $this->userRepository->save($user);

            $io->text(sprintf(
                '  - %s (admin=%s, permissions=%d)',
                $persona['username'],
                $persona['isAdmin'] ? 'oui' : 'non',
                count($persona['permissions']),
            ));
        }

        $io->success(sprintf('%d personas E2E seedes.', count($this->personasDefinition())));

        return Command::SUCCESS;
    }

    private function wipeExistingE2EUsers(SymfonyStyle $io): void
    {
        $removed = 0;

        foreach ($this->personasDefinition() as $persona) {
            $existing = $this->userRepository->findByUsername($persona['username']);

            if (null === $existing) {
                continue;
            }

            $this->em->remove($existing);
            ++$removed;
        }

        if ($removed > 0) {
            $this->em->flush();
            $io->text(sprintf('Nettoyage : %d users E2E supprimes.', $removed));
        }
    }

    /**
     * Liste des personas — source back, miroir de
     * `frontend/tests/e2e/_fixtures/personas.ts`.
     *
     * @return list<array{username: string, isAdmin: bool, permissions: list<string>}>
     */
    private function personasDefinition(): array
    {
        return [
            [
                'username'    => self::E2E_USERNAME_PREFIX.'super-admin',
                'isAdmin'     => true,
                'permissions' => [],
            ],
            [
                'username'    => self::E2E_USERNAME_PREFIX.'user-full',
                'isAdmin'     => false,
                'permissions' => [
                    'core.users.view',
                    'core.users.manage',
                    'core.roles.view',
                    'core.roles.manage',
                    'core.audit_log.view',
                    'sites.view',
                    'sites.manage',
                    'sites.bypass_scope',
                    'catalog.categories.view',
                    'catalog.categories.manage',
                    // Commercial — Repertoire clients (M1). Mappe ici sur le
                    // persona "tout" en attendant les vrais roles metier
                    // (bureau/compta/commerciale/usine) seedes par ERP-74.
                    // Miroir de frontend/tests/e2e/_fixtures/personas.ts.
                    'commercial.clients.view',
                    'commercial.clients.manage',
                    'commercial.clients.accounting.view',
                    'commercial.clients.accounting.manage',
                    'commercial.clients.archive',
                ],
            ],
            [
                'username'    => self::E2E_USERNAME_PREFIX.'user-readonly',
                'isAdmin'     => false,
                'permissions' => [
                    'core.users.view',
                    'core.roles.view',
                    'core.audit_log.view',
                    'sites.view',
                ],
            ],
            [
                'username'    => self::E2E_USERNAME_PREFIX.'user-users-only',
                'isAdmin'     => false,
                'permissions' => ['core.users.view', 'core.users.manage'],
            ],
            [
                'username'    => self::E2E_USERNAME_PREFIX.'user-audit-only',
                'isAdmin'     => false,
                'permissions' => ['core.audit_log.view'],
            ],
            [
                'username'    => self::E2E_USERNAME_PREFIX.'user-nothing',
                'isAdmin'     => false,
                'permissions' => [],
            ],
        ];
    }
}