<?php
/**
 * Workflow/Status Transitions Management API
 * CRUD operations for status_transitions table
 */

ini_set('display_errors', 0);
error_reporting(E_ALL);

require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
require_once dirname(__DIR__) . '/models/WorkflowModel.php';
RateLimitMiddleware::apply('api');

try {
    require_once dirname(__DIR__) . '/config/config.php';

    // Check authentication
    session_start();
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        http_response_code(401);
        echo json_encode(['success' => false, 'error' => 'Authentication required']);
        exit;
    }

    // Check admin privileges
    if (!$_SESSION['user']['is_admin']) {
        http_response_code(403);
        echo json_encode(['success' => false, 'error' => 'Admin privileges required']);
        exit;
    }

    // CSRF Protection for write operations
    if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
        require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
        $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!CsrfMiddleware::validateToken($csrfToken)) {
            http_response_code(403);
            echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
            exit;
        }
    }

    $conn = new mysqli(
        $GLOBALS['config']['DB_HOST'],
        $GLOBALS['config']['DB_USER'],
        $GLOBALS['config']['DB_PASS'],
        $GLOBALS['config']['DB_NAME']
    );

    if ($conn->connect_error) {
        throw new Exception("Database connection failed");
    }

    header('Content-Type: application/json');

    $method = $_SERVER['REQUEST_METHOD'];
    $id = isset($_GET['id']) ? (int)$_GET['id'] : null;

    switch ($method) {
        case 'GET':
            if ($id) {
                // Get single transition
                $stmt = $conn->prepare("SELECT * FROM status_transitions WHERE transition_id = ?");
                $stmt->bind_param('i', $id);
                $stmt->execute();
                $result = $stmt->get_result();
                $transition = $result->fetch_assoc();
                $stmt->close();
                echo json_encode(['success' => true, 'transition' => $transition]);
            } else {
                // Get all transitions
                $result = $conn->query("SELECT * FROM status_transitions ORDER BY from_status, to_status");
                $transitions = [];
                while ($row = $result->fetch_assoc()) {
                    $transitions[] = $row;
                }
                echo json_encode(['success' => true, 'transitions' => $transitions]);
            }
            break;

        case 'POST':
            $data = json_decode(file_get_contents('php://input'), true);

            $stmt = $conn->prepare("INSERT INTO status_transitions (from_status, to_status, requires_comment, requires_admin, is_active)
                                    VALUES (?, ?, ?, ?, ?)");
            $stmt->bind_param('ssiii',
                $data['from_status'],
                $data['to_status'],
                $data['requires_comment'] ?? 0,
                $data['requires_admin'] ?? 0,
                $data['is_active'] ?? 1
            );

            if ($stmt->execute()) {
                WorkflowModel::clearCache(); // Clear workflow cache
                echo json_encode(['success' => true, 'transition_id' => $conn->insert_id]);
            } else {
                echo json_encode(['success' => false, 'error' => $stmt->error]);
            }
            $stmt->close();
            break;

        case 'PUT':
            if (!$id) {
                echo json_encode(['success' => false, 'error' => 'ID required']);
                exit;
            }

            $data = json_decode(file_get_contents('php://input'), true);

            $stmt = $conn->prepare("UPDATE status_transitions SET
                                    from_status = ?, to_status = ?, requires_comment = ?, requires_admin = ?, is_active = ?
                                    WHERE transition_id = ?");
            $stmt->bind_param('ssiiii',
                $data['from_status'],
                $data['to_status'],
                $data['requires_comment'] ?? 0,
                $data['requires_admin'] ?? 0,
                $data['is_active'] ?? 1,
                $id
            );

            $success = $stmt->execute();
            if ($success) {
                WorkflowModel::clearCache(); // Clear workflow cache
            }
            echo json_encode(['success' => $success]);
            $stmt->close();
            break;

        case 'DELETE':
            if (!$id) {
                echo json_encode(['success' => false, 'error' => 'ID required']);
                exit;
            }

            $stmt = $conn->prepare("DELETE FROM status_transitions WHERE transition_id = ?");
            $stmt->bind_param('i', $id);
            $success = $stmt->execute();
            if ($success) {
                WorkflowModel::clearCache(); // Clear workflow cache
            }
            echo json_encode(['success' => $success]);
            $stmt->close();
            break;

        default:
            http_response_code(405);
            echo json_encode(['success' => false, 'error' => 'Method not allowed']);
    }

    $conn->close();

} catch (Exception $e) {
    http_response_code(500);
    echo json_encode(['success' => false, 'error' => $e->getMessage()]);
}