<?php

declare(strict_types=1);

namespace App\Domain\Vault\Migrations;

use App\Framework\Database\ConnectionInterface;
use App\Framework\Database\Migration\Migration;
use App\Framework\Database\Migration\MigrationVersion;
use App\Framework\Database\Schema\Blueprint;
use App\Framework\Database\Schema\Schema;

/**
 * Create Vault tables for secure secrets storage
 */
final class CreateVaultTables implements Migration
{
    public function up(ConnectionInterface $connection): void
    {
        $schema = new Schema($connection);

        // Main Vault Secrets Table
        $schema->createIfNotExists('vault_secrets', function (Blueprint $table) {
            $table->string('id', 36)->primary();
            $table->string('secret_key', 255)->unique();
            $table->text('encrypted_value');
            $table->string('encryption_nonce', 255);
            $table->integer('encryption_version')->default(1);
            $table->timestamp('created_at')->useCurrent();
            $table->timestamp('updated_at')->nullable();
            $table->string('created_by', 255)->nullable();
            $table->string('updated_by', 255)->nullable();
            $table->integer('access_count')->default(0);
            $table->timestamp('last_accessed_at')->nullable();

            $table->index('secret_key');
            $table->index('updated_at');

            // Table options
            $table->engine('InnoDB');
            $table->charset('utf8mb4');
            $table->collation('utf8mb4_unicode_ci');
        });

        // Vault Audit Log
        $schema->createIfNotExists('vault_audit_log', function (Blueprint $table) {
            $table->bigIncrements('id');
            $table->string('secret_key', 255);
            $table->enum('action', ['read', 'write', 'delete', 'rotate', 'export']);
            $table->string('user_id', 255)->nullable();
            $table->string('ip_address', 45)->nullable();
            $table->text('user_agent')->nullable();
            $table->boolean('success')->default(true);
            $table->text('error_message')->nullable();
            $table->timestamp('timestamp')->useCurrent();

            $table->index('secret_key');
            $table->index('action');
            $table->index('timestamp');
            $table->index('user_id');

            // Table options
            $table->engine('InnoDB');
            $table->charset('utf8mb4');
            $table->collation('utf8mb4_unicode_ci');
        });

        // Encryption Key Versions
        $schema->createIfNotExists('vault_encryption_keys', function (Blueprint $table) {
            $table->increments('id');
            $table->integer('version')->unique();
            $table->string('key_hash', 255);
            $table->string('algorithm', 50)->default('libsodium');
            $table->timestamp('created_at')->useCurrent();
            $table->timestamp('rotated_at')->nullable();
            $table->boolean('is_active')->default(true);

            $table->index('version');
            $table->index('is_active');

            // Table options
            $table->engine('InnoDB');
            $table->charset('utf8mb4');
            $table->collation('utf8mb4_unicode_ci');
        });

        $schema->execute();
    }

    public function down(ConnectionInterface $connection): void
    {
        $schema = new Schema($connection);
        $schema->dropIfExists('vault_encryption_keys');
        $schema->dropIfExists('vault_audit_log');
        $schema->dropIfExists('vault_secrets');
        $schema->execute();
    }

    public function getVersion(): MigrationVersion
    {
        return MigrationVersion::fromTimestamp("2025_10_05_090000");
    }

    public function getDescription(): string
    {
        return "Create Vault tables for secure secrets storage";
    }
}