"""ResolutionFlow system service account.

This module manages the platform-level service account used as the author
for system/default content (seeded trees, synced step library entries, etc.).

The service account ID is resolved once at startup and cached on app.state
so that sync operations can use it without a DB query per request.
"""
from __future__ import annotations

import uuid
import logging

from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession

logger = logging.getLogger(__name__)

SERVICE_ACCOUNT_EMAIL = "noreply@resolutionflow.com"
SERVICE_ACCOUNT_NAME = "ResolutionFlow"
SYSTEM_ACCOUNT_NAME = "ResolutionFlow System"
SYSTEM_ACCOUNT_DISPLAY_CODE = "RF-SYS-1"


async def _ensure_system_account(db: AsyncSession) -> uuid.UUID:
    """Get or create the ResolutionFlow system account. Returns its ID."""
    from app.models.account import Account
    from sqlalchemy import text

    result = await db.execute(
        select(Account).where(Account.display_code == SYSTEM_ACCOUNT_DISPLAY_CODE)
    )
    account = result.scalar_one_or_none()
    if account is not None:
        return account.id

    new_account = Account(
        id=uuid.uuid4(),
        name=SYSTEM_ACCOUNT_NAME,
        display_code=SYSTEM_ACCOUNT_DISPLAY_CODE,
    )
    db.add(new_account)
    await db.flush()
    logger.info(f"[service_account] Created system account (id={new_account.id})")
    return new_account.id


async def ensure_service_account(db: AsyncSession) -> uuid.UUID:
    """Ensure the ResolutionFlow service account exists and return its ID.

    Idempotent — safe to call on every startup. Creates the account if it
    does not exist. The account has no usable password and is_service_account=True
    so it can never log in via normal auth flows.
    """
    from app.models.user import User

    result = await db.execute(
        select(User).where(User.email == SERVICE_ACCOUNT_EMAIL)
    )
    user = result.scalar_one_or_none()

    if user is not None:
        if not user.is_service_account:
            user.is_service_account = True
            await db.commit()
        return user.id

    account_id = await _ensure_system_account(db)

    new_user = User(
        id=uuid.uuid4(),
        email=SERVICE_ACCOUNT_EMAIL,
        name=SERVICE_ACCOUNT_NAME,
        password_hash="!service-account-no-login",  # bcrypt can't produce this prefix
        role="engineer",
        is_super_admin=False,
        is_team_admin=False,
        is_active=True,
        is_service_account=True,
        must_change_password=False,
        account_id=account_id,
        account_role="engineer",
    )
    db.add(new_user)
    await db.commit()
    logger.info(f"[service_account] Created service account (id={new_user.id})")
    return new_user.id