"""ResolutionFlow system service account.

This module manages the platform-level service account used as the author
for system/default content (seeded trees, synced step library entries, etc.).

The service account ID is resolved once at startup and cached on app.state
so that sync operations can use it without a DB query per request.
"""
from __future__ import annotations

import uuid
import logging

from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession

logger = logging.getLogger(__name__)

SERVICE_ACCOUNT_EMAIL = "noreply@resolutionflow.com"
SERVICE_ACCOUNT_NAME = "ResolutionFlow"


async def ensure_service_account(db: AsyncSession) -> uuid.UUID:
    """Ensure the ResolutionFlow service account exists and return its ID.

    Idempotent — safe to call on every startup. Creates the account if it
    does not exist. The account has no usable password and is_service_account=True
    so it can never log in via normal auth flows.
    """
    from app.models.user import User

    result = await db.execute(
        select(User).where(User.email == SERVICE_ACCOUNT_EMAIL)
    )
    user = result.scalar_one_or_none()

    if user is not None:
        if not user.is_service_account:
            user.is_service_account = True
            await db.commit()
        return user.id

    # Create the service account with a random, unusable password hash
    new_user = User(
        id=uuid.uuid4(),
        email=SERVICE_ACCOUNT_EMAIL,
        name=SERVICE_ACCOUNT_NAME,
        password_hash="!service-account-no-login",  # bcrypt can't produce this prefix
        role="engineer",
        is_super_admin=False,
        is_team_admin=False,
        is_active=True,
        is_service_account=True,
        must_change_password=False,
        account_role="engineer",
    )
    db.add(new_user)
    await db.commit()
    logger.info(f"[service_account] Created service account (id={new_user.id})")
    return new_user.id