"""Public runtime configuration endpoint.

GET /api/v1/config/public
  Returns the small set of runtime flags the frontend needs at app load
  to decide whether to render the self-serve signup flow and which OAuth
  buttons to show. No authentication required.

The response model lives in `app.schemas.config` so it can be reused by
frontend codegen and other call sites if needed.
"""

from __future__ import annotations

from typing import Annotated, Optional

from fastapi import APIRouter, Depends

from app.api.deps import get_current_user_optional
from app.core.config import settings
from app.models.user import User
from app.schemas.config import PublicConfigResponse

router = APIRouter(prefix="/config", tags=["config"])


@router.get("/public", response_model=PublicConfigResponse)
async def get_public_config(
    current_user: Annotated[Optional[User], Depends(get_current_user_optional)],
) -> PublicConfigResponse:
    """Return public-safe runtime config.

    `oauth_providers` reflects which OAuth client IDs are configured server
    side; the frontend uses it to render only buttons that will actually
    succeed. `self_serve_enabled` is the master switch for the new public
    self-serve signup flow; an authenticated caller whose email is on the
    INTERNAL_TESTER_EMAILS allowlist sees `True` even when the global flag
    is off, so internal validation in prod test mode can exercise the full
    surface before the public flip.
    """
    providers: list[str] = []
    if settings.GOOGLE_CLIENT_ID:
        providers.append("google")
    if settings.MS_CLIENT_ID:
        providers.append("microsoft")

    user_email = current_user.email if current_user else None
    return PublicConfigResponse(
        self_serve_enabled=settings.is_self_serve_active_for(user_email),
        oauth_providers=providers,
    )