package shhh

import "context"

// Severity represents the criticality associated with a redaction finding.
type Severity string

const (
	// SeverityLow indicates low-impact findings (e.g. non-production credentials).
	SeverityLow Severity = "low"
	// SeverityMedium indicates medium impact findings (e.g. access tokens).
	SeverityMedium Severity = "medium"
	// SeverityHigh indicates high-impact findings (e.g. private keys).
	SeverityHigh Severity = "high"
)

// RuleConfig defines a redaction rule that SHHH should enforce.
type RuleConfig struct {
	Name                string   `json:"name"`
	Pattern             string   `json:"pattern"`
	ReplacementTemplate string   `json:"replacement_template"`
	Severity            Severity `json:"severity"`
	Tags                []string `json:"tags"`
}

// Config controls sentinel behaviour.
type Config struct {
	// Disabled toggles redaction off entirely.
	Disabled bool `json:"disabled"`
	// RedactionPlaceholder overrides the default placeholder value.
	RedactionPlaceholder string `json:"redaction_placeholder"`
	// DisableDefaultRules disables the built-in curated rule set.
	DisableDefaultRules bool `json:"disable_default_rules"`
	// CustomRules allows callers to append bespoke redaction patterns.
	CustomRules []RuleConfig `json:"custom_rules"`
}

// Finding represents a single rule firing during redaction.
type Finding struct {
	Rule      string     `json:"rule"`
	Severity  Severity   `json:"severity"`
	Tags      []string   `json:"tags,omitempty"`
	Count     int        `json:"count"`
	Locations []Location `json:"locations,omitempty"`
}

// Location describes where a secret was found.
type Location struct {
	Path  string `json:"path"`
	Count int    `json:"count"`
}

// StatsSnapshot exposes aggregate counters for observability.
type StatsSnapshot struct {
	TotalScans      uint64            `json:"total_scans"`
	TotalFindings   uint64            `json:"total_findings"`
	PerRuleFindings map[string]uint64 `json:"per_rule_findings"`
}

// AuditEvent captures a single redaction occurrence for downstream sinks.
type AuditEvent struct {
	Rule     string            `json:"rule"`
	Severity Severity          `json:"severity"`
	Tags     []string          `json:"tags,omitempty"`
	Path     string            `json:"path,omitempty"`
	Hash     string            `json:"hash"`
	Metadata map[string]string `json:"metadata,omitempty"`
}

// AuditSink receives redaction events for long term storage / replay.
type AuditSink interface {
	RecordRedaction(ctx context.Context, event AuditEvent)
}