<?php

declare(strict_types=1);

namespace App\Framework\DI;

use App\Framework\Config\Environment;
use App\Framework\Config\EnvKey;
use App\Framework\Database\ConnectionInterface;
use App\Framework\DateTime\Clock;
use App\Framework\Vault\DatabaseVault;
use App\Framework\Vault\Vault;
use App\Framework\Vault\VaultAuditLogger;

/**
 * Vault Service Initializer
 *
 * Placed in DI directory for guaranteed discovery
 */
final readonly class VaultServiceInitializer
{
    public function __construct(
        private Environment $environment,
        private ConnectionInterface $connection,
        private Clock $clock
    ) {
    }

    #[Initializer]
    public function __invoke(): Vault
    {
        // Encryption Key aus Environment
        $encodedKey = $this->environment->get(EnvKey::VAULT_ENCRYPTION_KEY);

        if ($encodedKey === null) {
            throw new \RuntimeException(
                'VAULT_ENCRYPTION_KEY not set in environment. ' .
                'Generate one with: php console.php vault:generate-key'
            );
        }

        // Decode base64-encoded key
        $encryptionKey = DatabaseVault::decodeKey($encodedKey);

        // Audit Logger
        $auditLogger = new VaultAuditLogger($this->connection);

        // Client IP und User Agent für Audit Logging (CLI context = null)
        $clientIp = null;
        $userAgent = null;

        // DatabaseVault instance
        return new DatabaseVault(
            connection: $this->connection,
            encryptionKey: $encryptionKey,
            auditLogger: $auditLogger,
            clock: $this->clock,
            clientIp: $clientIp,
            userAgent: $userAgent
        );
    }
}