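/**
 * Federation Audit Service
 *
 * Logs security-sensitive operations for compliance and monitoring.
 * Uses application logger since ActivityLog requires workspace context.
 */
import { Injectable, Logger } from "@nestjs/common";

/**
 * Emits structured audit entries for federation operations.
 *
 * Every entry carries an `event` tag and an ISO-8601 `timestamp`; entries a
 * monitoring pipeline should treat as security-relevant also carry
 * `securityEvent: true`. Destructive or failure cases (keypair regeneration,
 * identity revocation, capability denial, failed verification) are written at
 * `warn` level, everything else at `log` level.
 *
 * NOTE(review): `FEDERATION_IDENTITY_LINKED` and `FEDERATION_IDENTITY_REVOKED`
 * are each emitted by two methods with different field names (`userId` vs
 * `localUserId`), so consumers keying on the event name must accept both
 * shapes. The event names are left as-is because downstream alerting may
 * already match on them.
 */
@Injectable()
export class FederationAuditService {
  private readonly logger = new Logger(FederationAuditService.name);

  /** ISO-8601 timestamp attached to every audit entry. */
  private now(): string {
    return new Date().toISOString();
  }

  /**
   * Log instance keypair regeneration (system-level operation).
   * Written at `warn` level: rotating the instance key invalidates anything
   * signed with the previous key, so it belongs in the security audit trail.
   *
   * @param userId - actor who triggered the regeneration
   * @param instanceId - instance whose keypair was replaced
   */
  logKeypairRegeneration(userId: string, instanceId: string): void {
    this.logger.warn({
      event: "FEDERATION_KEYPAIR_REGENERATED",
      userId,
      instanceId,
      timestamp: this.now(),
      securityEvent: true,
    });
  }

  /**
   * Log instance configuration update (system-level operation).
   *
   * `updates` is written to the application log verbatim. This service cannot
   * tell which configuration keys are sensitive, so callers are responsible
   * for passing a redacted view if the update carries secret material.
   *
   * @param userId - actor who applied the update
   * @param instanceId - instance whose configuration changed
   * @param updates - the changed fields, logged as given
   */
  logInstanceConfigurationUpdate(
    userId: string,
    instanceId: string,
    updates: Record<string, unknown>,
  ): void {
    this.logger.log({
      event: "FEDERATION_INSTANCE_CONFIG_UPDATED",
      userId,
      instanceId,
      updates,
      timestamp: this.now(),
      securityEvent: true,
    });
  }

  /**
   * Log federated authentication initiation.
   * Informational only: no `securityEvent` flag, since initiating a flow is
   * not by itself a state change.
   *
   * @param userId - local user starting the flow
   * @param remoteInstanceId - instance being authenticated against
   */
  logFederatedAuthInitiation(userId: string, remoteInstanceId: string): void {
    this.logger.log({
      event: "FEDERATION_AUTH_INITIATED",
      userId,
      remoteInstanceId,
      timestamp: this.now(),
    });
  }

  /**
   * Log federated identity linking (user-centric view; see also
   * {@link logIdentityLinking} which records the remote user id as well).
   *
   * @param userId - local user the remote identity was linked to
   * @param remoteInstanceId - instance the identity belongs to
   */
  logFederatedIdentityLinked(userId: string, remoteInstanceId: string): void {
    this.logger.log({
      event: "FEDERATION_IDENTITY_LINKED",
      userId,
      remoteInstanceId,
      timestamp: this.now(),
      securityEvent: true,
    });
  }

  /**
   * Log federated identity revocation (user-centric view; see also
   * {@link logIdentityRevocation}).
   *
   * @param userId - local user whose federated identity was revoked
   * @param remoteInstanceId - instance the identity belonged to
   */
  logFederatedIdentityRevoked(userId: string, remoteInstanceId: string): void {
    this.logger.warn({
      event: "FEDERATION_IDENTITY_REVOKED",
      userId,
      remoteInstanceId,
      timestamp: this.now(),
      securityEvent: true,
    });
  }

  /**
   * Log an identity verification attempt. Successful checks are written at
   * `log` level, failed ones at `warn` so repeated failures stand out.
   *
   * @param userId - local user being verified
   * @param remoteInstanceId - instance asserting the identity
   * @param success - outcome of the verification
   */
  logIdentityVerification(
    userId: string,
    remoteInstanceId: string,
    success: boolean,
  ): void {
    const entry = {
      event: "FEDERATION_IDENTITY_VERIFIED",
      userId,
      remoteInstanceId,
      success,
      timestamp: this.now(),
      securityEvent: true,
    };
    if (success) {
      this.logger.log(entry);
    } else {
      this.logger.warn(entry);
    }
  }

  /**
   * Log identity linking (create mapping between a local and a remote user).
   *
   * @param localUserId - local side of the mapping
   * @param remoteInstanceId - instance the remote user belongs to
   * @param remoteUserId - remote side of the mapping
   */
  logIdentityLinking(
    localUserId: string,
    remoteInstanceId: string,
    remoteUserId: string,
  ): void {
    this.logger.log({
      event: "FEDERATION_IDENTITY_LINKED",
      localUserId,
      remoteUserId,
      remoteInstanceId,
      timestamp: this.now(),
      securityEvent: true,
    });
  }

  /**
   * Log identity revocation (remove mapping).
   *
   * @param localUserId - local user whose mapping was removed
   * @param remoteInstanceId - instance the mapping pointed at
   */
  logIdentityRevocation(localUserId: string, remoteInstanceId: string): void {
    this.logger.warn({
      event: "FEDERATION_IDENTITY_REVOKED",
      localUserId,
      remoteInstanceId,
      timestamp: this.now(),
      securityEvent: true,
    });
  }

  /**
   * Log capability denial (security event).
   * Logged when a remote instance attempts an operation without the required
   * capability; `requestedUrl` is recorded so the denied endpoint can be
   * correlated with request logs.
   *
   * @param remoteInstanceId - instance that made the request
   * @param requiredCapability - capability the request lacked
   * @param requestedUrl - endpoint that was denied
   */
  logCapabilityDenied(
    remoteInstanceId: string,
    requiredCapability: string,
    requestedUrl: string,
  ): void {
    this.logger.warn({
      event: "FEDERATION_CAPABILITY_DENIED",
      remoteInstanceId,
      requiredCapability,
      requestedUrl,
      timestamp: this.now(),
      securityEvent: true,
    });
  }
}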