using Microsoft.AspNetCore.Authentication;
using Microsoft.EntityFrameworkCore;
using StellaOps.Signer.Infrastructure;
using StellaOps.Signer.Infrastructure.Options;
using StellaOps.Signer.KeyManagement;
using StellaOps.Signer.WebService.Endpoints;
using StellaOps.Signer.WebService.Security;
using StellaOps.Cryptography.DependencyInjection;
using StellaOps.Router.AspNet;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddLogging();
builder.Services.AddAuthentication(StubBearerAuthenticationDefaults.AuthenticationScheme)
    .AddScheme<AuthenticationSchemeOptions, StubBearerAuthenticationHandler>(
        StubBearerAuthenticationDefaults.AuthenticationScheme,
        _ => { });

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("KeyManagement", policy => policy.RequireAuthenticatedUser());
});

builder.Services.AddSignerPipeline();

// Configure TimeProvider for deterministic testing support
builder.Services.AddSingleton(TimeProvider.System);

var keyManagementConnection = builder.Configuration.GetConnectionString("KeyManagement");
if (string.IsNullOrWhiteSpace(keyManagementConnection))
{
    builder.Services.AddDbContext<KeyManagementDbContext>(options =>
        options.UseInMemoryDatabase("SignerKeyManagement"));
}
else
{
    builder.Services.AddDbContext<KeyManagementDbContext>(options =>
        options.UseNpgsql(keyManagementConnection));
}

builder.Services.AddScoped<IKeyRotationService, KeyRotationService>();
builder.Services.AddScoped<ITrustAnchorManager, TrustAnchorManager>();

builder.Services.Configure<SignerEntitlementOptions>(options =>
{
    // Note: Using 1-hour expiry for demo/test tokens. 
    // Actual expiry is calculated at runtime relative to TimeProvider.
    options.Tokens["valid-poe"] = new SignerEntitlementDefinition(
        LicenseId: "LIC-TEST",
        CustomerId: "CUST-TEST",
        Plan: "pro",
        MaxArtifactBytes: 128 * 1024,
        QpsLimit: 5,
        QpsRemaining: 5,
        ExpiresAtUtc: DateTimeOffset.UtcNow.AddHours(1));
});
builder.Services.Configure<SignerReleaseVerificationOptions>(options =>
{
    options.TrustedScannerDigests.Add("sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef");
});
builder.Services.Configure<SignerCryptoOptions>(_ => { });
builder.Services.AddStellaOpsCryptoRu(builder.Configuration, CryptoProviderRegistryValidator.EnforceRuLinuxDefaults);

// Stella Router integration
var routerOptions = builder.Configuration.GetSection("Signer:Router").Get<StellaRouterOptionsBase>();
builder.Services.TryAddStellaRouter(
    serviceName: "signer",
    version: typeof(Program).Assembly.GetName().Version?.ToString() ?? "1.0.0",
    routerOptions: routerOptions);

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();
app.TryUseStellaRouter(routerOptions);

app.MapGet("/", () => Results.Ok("StellaOps Signer service ready."));
app.MapSignerEndpoints();
app.MapKeyRotationEndpoints();

// Refresh Router endpoint cache
app.TryRefreshStellaRouterEndpoints(routerOptions);

app.Run();

// Expose Program class for WebApplicationFactory in tests
public partial class Program;