<?php

declare(strict_types=1);

use App\Domain\Auth\Role;
use Monolog\Level;

$appEnv = getenv('APP_ENV') ?: 'production';

if ($appEnv === 'development' && file_exists(__DIR__ . '/../.env')) {
    $dotenv = Dotenv\Dotenv::createImmutable(__DIR__ . '/..');
    $dotenv->safeLoad();
}

$logLevelName = strtoupper((string) (getenv('LOG_LEVEL') ?: 'info'));
$logLevel = match ($logLevelName) {
    'DEBUG' => Level::Debug,
    'NOTICE' => Level::Notice,
    'WARNING' => Level::Warning,
    'ERROR' => Level::Error,
    'CRITICAL' => Level::Critical,
    'ALERT' => Level::Alert,
    'EMERGENCY' => Level::Emergency,
    default => Level::Info,
};

$oidcDefaultRoleName = strtolower((string) (getenv('OIDC_DEFAULT_ROLE') ?: 'viewer'));
$oidcDefaultRole = $oidcDefaultRoleName === 'none'
    ? null
    : (Role::tryFrom($oidcDefaultRoleName) ?? Role::Viewer);

return [
    'app_env' => $appEnv,
    'log_level' => $logLevel,
    'db' => [
        'driver' => getenv('DB_DRIVER') ?: 'sqlite',
        'sqlite_path' => getenv('DB_SQLITE_PATH') ?: '/data/irdb.sqlite',
        'mysql_host' => getenv('DB_MYSQL_HOST') ?: '',
        'mysql_port' => (int) (getenv('DB_MYSQL_PORT') ?: 3306),
        'mysql_database' => getenv('DB_MYSQL_DATABASE') ?: '',
        'mysql_username' => getenv('DB_MYSQL_USERNAME') ?: '',
        'mysql_password' => getenv('DB_MYSQL_PASSWORD') ?: '',
    ],
    'ui_service_token' => getenv('UI_SERVICE_TOKEN') ?: '',
    'internal_job_token' => getenv('INTERNAL_JOB_TOKEN') ?: '',
    'internal_cidr_allowlist' => (string) (getenv('INTERNAL_CIDR_ALLOWLIST') ?: ''),
    'ui_origin' => getenv('UI_ORIGIN') ?: 'http://localhost:8080',
    // SEC_REVIEW F68: gate `/api/docs` and `/api/v1/openapi.yaml`
    // behind an explicit env flag. The OpenAPI spec leaks the full
    // surface (admin endpoints, internal-job endpoints, expected
    // body shapes, error contracts); reachable-by-default would
    // hand a recon attacker the entire menu. Operators who want
    // public docs (open APIs, dev environments) set
    // `API_DOCS_PUBLIC=true`. Default false → both routes 404.
    'api_docs_public' => filter_var(getenv('API_DOCS_PUBLIC') ?: 'false', FILTER_VALIDATE_BOOL),
    'oidc_default_role' => $oidcDefaultRole,
    'score_hard_cutoff_days' => (int) (getenv('SCORE_REPORT_HARD_CUTOFF_DAYS') ?: 365),
    'rate_limit_per_second' => (int) (getenv('API_RATE_LIMIT_PER_SECOND') ?: 60),
    'job_recompute_max_runtime_seconds' => (int) (getenv('JOB_RECOMPUTE_MAX_RUNTIME_SECONDS') ?: 240),
    'job_recompute_max_rows_per_tick' => (int) (getenv('JOB_RECOMPUTE_MAX_ROWS_PER_TICK') ?: 5000),
    'job_audit_retention_days' => (int) (getenv('JOB_AUDIT_RETENTION_DAYS') ?: 180),
    'cidr_evaluator_ttl_seconds' => (int) (getenv('CIDR_EVALUATOR_TTL_SECONDS') ?: 60),
    'blocklist_cache_ttl_seconds' => (int) (getenv('BLOCKLIST_CACHE_TTL_SECONDS') ?: 30),
    'geoip' => [
        'enabled' => filter_var(getenv('GEOIP_ENABLED') ?: 'true', FILTER_VALIDATE_BOOL),
        'provider' => strtolower((string) (getenv('GEOIP_PROVIDER') ?: 'dbip')),
        'country_db' => getenv('GEOIP_COUNTRY_DB') ?: '/data/geoip/country.mmdb',
        'asn_db' => getenv('GEOIP_ASN_DB') ?: '/data/geoip/asn.mmdb',
        'maxmind_license_key' => getenv('MAXMIND_LICENSE_KEY') ?: '',
        'ipinfo_token' => getenv('IPINFO_TOKEN') ?: '',
        'refresh_interval_days' => (int) (getenv('JOB_GEOIP_REFRESH_INTERVAL_DAYS') ?: 7),
    ],
];