/**
 * FederationContext — attached to inbound federation requests after successful
 * mTLS + grant validation by FederationAuthGuard.
 *
 * Downstream verb controllers access this via `request.federationContext`.
 */

/**
 * Augment FastifyRequest so TypeScript knows about the federation context
 * property that FederationAuthGuard attaches on success.
 */
declare module 'fastify' {
  interface FastifyRequest {
    federationContext?: FederationContext;
  }
}

/**
 * Typed context object attached to the request by FederationAuthGuard.
 * Carries all data extracted from the mTLS cert + grant DB row needed
 * by downstream federation verb handlers.
 */
export interface FederationContext {
  /** The federation grant ID extracted from OID 1.3.6.1.4.1.99999.1 */
  grantId: string;

  /** The local subject user whose data is accessible under this grant */
  subjectUserId: string;

  /** The peer gateway ID (from the grant's peerId FK) */
  peerId: string;

  /**
   * Grant scope — determines which resources the peer may query.
   * Typed as Record<string, unknown> because the full scope schema lives in
   * scope-schema.ts; downstream handlers should narrow via parseFederationScope.
   */
  scope: Record<string, unknown>;
}