using StellaOps.Cli.Commands;

namespace StellaOps.Cli.Output;

public static class OfflineKitReasonCodes
{
    public const string HashMismatch = "HASH_MISMATCH";
    public const string SigFailCosign = "SIG_FAIL_COSIGN";
    public const string SigFailManifest = "SIG_FAIL_MANIFEST";
    public const string DsseVerifyFail = "DSSE_VERIFY_FAIL";
    public const string RekorVerifyFail = "REKOR_VERIFY_FAIL";
    public const string SelfTestFail = "SELFTEST_FAIL";
    public const string VersionNonMonotonic = "VERSION_NON_MONOTONIC";
    public const string PolicyDeny = "POLICY_DENY";

    public static string? Normalize(string? reasonCode)
        => string.IsNullOrWhiteSpace(reasonCode) ? null : reasonCode.Trim().ToUpperInvariant();

    public static int GetExitCode(string? reasonCode)
    {
        reasonCode = Normalize(reasonCode);
        return reasonCode switch
        {
            HashMismatch => OfflineExitCodes.ChecksumMismatch,
            SigFailCosign => OfflineExitCodes.SignatureFailure,
            SigFailManifest => OfflineExitCodes.SignatureFailure,
            DsseVerifyFail => OfflineExitCodes.DsseVerificationFailed,
            RekorVerifyFail => OfflineExitCodes.RekorVerificationFailed,
            VersionNonMonotonic => OfflineExitCodes.VersionNonMonotonic,
            PolicyDeny => OfflineExitCodes.PolicyDenied,
            SelfTestFail => OfflineExitCodes.SelftestFailed,
            null => OfflineExitCodes.ImportFailed,
            _ => OfflineExitCodes.ImportFailed
        };
    }

    public static string? GetRemediation(string? reasonCode)
    {
        reasonCode = Normalize(reasonCode);
        return reasonCode switch
        {
            HashMismatch =>
                "Re-download the bundle and re-run import. If using removable media, verify the device is healthy and that the bundle digest matches the manifest.",
            SigFailCosign =>
                "Verify the Cosign signature and trust roots. Ensure you imported the correct signing public keys and that the signature matches the bundle.",
            SigFailManifest =>
                "Verify the manifest signature and trust roots. Ensure the manifest and its detached signature belong to the same kit version.",
            DsseVerifyFail =>
                "Verify DSSE trust roots and that the envelope key ID matches an allowed signer. Re-export the kit if the envelope is missing or malformed.",
            RekorVerifyFail =>
                "Verify Rekor inclusion proof settings (offline snapshot, UUID/index) and re-run verification. Check for time skew and stale transparency data.",
            VersionNonMonotonic =>
                "The incoming kit version is older than the active version. Import a newer kit, or use --force-activate (with a reason) for emergency rollback testing only.",
            PolicyDeny =>
                "The current policy denies activation. Review policy gates, waivers, and VEX precedence; then re-run import after updating policy inputs.",
            SelfTestFail =>
                "Run the Offline Kit self-test and review its output. Confirm required binaries, permissions, and disk space are available in the air-gapped environment.",
            null => null,
            _ => null
        };
    }
}