<?php

declare(strict_types=1);

namespace App\Framework\Vault;

use App\Framework\Config\Environment;
use App\Framework\Config\EnvKey;
use App\Framework\Database\ConnectionInterface;
use App\Framework\DI\Container;
use App\Framework\DI\Initializer;
use App\Framework\Http\ServerEnvironment;
use RuntimeException;

/**
 * Vault Initializer für DI Container
 */
final readonly class VaultInitializer
{
    public function __construct(
        private Environment $environment,
        private ConnectionInterface $connection,
        private ServerEnvironment $serverEnvironment
    ) {
    }

    #[Initializer]
    public function __invoke(Container $container): Vault
    {
        // Encryption Key aus Environment
        $encodedKey = $this->environment->get(EnvKey::VAULT_ENCRYPTION_KEY);

        if ($encodedKey === null) {
            throw new RuntimeException(
                'VAULT_ENCRYPTION_KEY not set in environment. ' .
                'Generate one with: php console.php vault:generate-key'
            );
        }

        // Decode base64-encoded key
        $encryptionKey = DatabaseVault::decodeKey($encodedKey);

        // Audit Logger
        $auditLogger = new VaultAuditLogger($this->connection);

        // Client IP und User Agent für Audit Logging
        $clientIp = $this->serverEnvironment->getClientIp();
        $userAgent = $this->serverEnvironment->getUserAgent();

        // DatabaseVault instance
        return new DatabaseVault(
            connection: $this->connection,
            encryptionKey: $encryptionKey,
            auditLogger: $auditLogger,
            clientIp: $clientIp,
            userAgent: $userAgent
        );
    }
}