import secrets
import sys
from os import getenv
from pathlib import Path

from dotenv import load_dotenv

load_dotenv()


def _required(key: str) -> str:
    val = getenv(key)
    if not val:
        print(f"missing required env var: {key}", file=sys.stderr)
        sys.exit(1)
    return val


# --- Admin bootstrap ----------------------------------------------------------
# On first boot the web service seeds this user as an admin in the database.
# Afterwards the user record in SQLite is authoritative: changing the hash in
# env does NOT rotate the DB password — use the /einstellungen UI.
AUTH_USERNAME: str = _required("AUTH_USERNAME")
AUTH_PASSWORD_HASH: str = _required("AUTH_PASSWORD_HASH")

# --- Session cookie -----------------------------------------------------------
SESSION_SECRET: str = getenv("SESSION_SECRET") or secrets.token_urlsafe(48)
SESSION_COOKIE_NAME: str = "lazyflat_session"
SESSION_MAX_AGE_SECONDS: int = int(getenv("SESSION_MAX_AGE_SECONDS", str(60 * 60 * 24 * 7)))
COOKIE_SECURE: bool = getenv("COOKIE_SECURE", "true").lower() in ("true", "1", "yes", "on")

# --- Internal service auth ----------------------------------------------------
INTERNAL_API_KEY: str = _required("INTERNAL_API_KEY")

# --- Apply service ------------------------------------------------------------
APPLY_URL: str = getenv("APPLY_URL", "http://apply:8000")
APPLY_TIMEOUT: int = int(getenv("APPLY_TIMEOUT", "600"))
APPLY_FAILURE_THRESHOLD: int = int(getenv("APPLY_FAILURE_THRESHOLD", "3"))

# --- Alert service knob (mirrored so web can predict the next scrape) ---------
ALERT_SCRAPE_INTERVAL_SECONDS: int = int(getenv("ALERT_SCRAPE_INTERVAL_SECONDS", getenv("SLEEP_INTERVALL", "60")))

# --- Storage ------------------------------------------------------------------
DATA_DIR: Path = Path(getenv("DATA_DIR", "/data"))
DATA_DIR.mkdir(parents=True, exist_ok=True)
DB_PATH: Path = DATA_DIR / "lazyflat.sqlite"

# Retention (errors / audit / application forensics). Default 14 days.
RETENTION_DAYS: int = int(getenv("RETENTION_DAYS", "14"))
RETENTION_RUN_INTERVAL_SECONDS: int = int(getenv("RETENTION_RUN_INTERVAL_SECONDS", str(60 * 60)))

# --- Rate limiting ------------------------------------------------------------
LOGIN_RATE_LIMIT: int = int(getenv("LOGIN_RATE_LIMIT", "5"))
LOGIN_RATE_WINDOW_SECONDS: int = int(getenv("LOGIN_RATE_WINDOW_SECONDS", "900"))

# --- App URL (used to build links in notifications) ---------------------------
PUBLIC_URL: str = getenv("PUBLIC_URL", "https://flat.lab.moritz.run")

# --- LLM enrichment (Anthropic Haiku) -----------------------------------------
ANTHROPIC_API_KEY: str = getenv("ANTHROPIC_API_KEY", "")
ANTHROPIC_MODEL: str = getenv("ANTHROPIC_MODEL", "claude-haiku-4-5-20251001")

# --- Build info --------------------------------------------------------------
# The Dockerfile writes /git_commit at build time by parsing the repo's .git
# dir (Coolify doesn't expose the SHA as an env var). Env GIT_COMMIT overrides
# the file so local dev can fake a value. Rendered in the site footer so the
# running commit is visible at a glance.
def _read_git_commit() -> str:
    env_val = getenv("GIT_COMMIT", "").strip()
    if env_val:
        return env_val
    try:
        with open("/git_commit") as _f:
            return _f.read().strip() or "dev"
    except OSError:
        return "dev"


GIT_COMMIT: str = _read_git_commit()