namespace ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient;

/// <summary>
///     OPC UA Client (gateway) driver configuration. Bound from <c>DriverConfig</c> JSON at
///     driver-host registration time. Models the settings documented in
///     <c>docs/v2/driver-specs.md</c> §8.
/// </summary>
/// <remarks>
///     This driver connects to a REMOTE OPC UA server and re-exposes its address space
///     through the local OtOpcUa server — the opposite direction from the usual "server
///     exposes PLC data" flow. Tier A (pure managed, OPC Foundation reference SDK); universal
///     protections cover it.
/// </remarks>
public sealed class OpcUaClientDriverOptions
{
    /// <summary>
    ///     Remote OPC UA endpoint URL, e.g. <c>opc.tcp://plc.internal:4840</c>. Convenience
    ///     shortcut for a single-endpoint deployment — equivalent to setting
    ///     <see cref="EndpointUrls"/> to a list with this one URL. When both are provided,
    ///     the list wins and <see cref="EndpointUrl"/> is ignored.
    /// </summary>
    public string EndpointUrl { get; init; } = "opc.tcp://localhost:4840";

    /// <summary>
    ///     Ordered list of candidate endpoint URLs for failover. The driver tries each in
    ///     order at <see cref="OpcUaClientDriver.InitializeAsync"/> and on session drop;
    ///     the first URL that successfully connects wins. Typical use-case: an OPC UA server
    ///     pair running in hot-standby (primary 4840 + backup 4841) where either can serve
    ///     the same address space. Leave unset (or empty) to use <see cref="EndpointUrl"/>
    ///     as a single-URL shortcut.
    /// </summary>
    public IReadOnlyList<string> EndpointUrls { get; init; } = [];

    /// <summary>
    ///     Per-endpoint connect-attempt timeout during the failover sweep. Short enough that
    ///     cycling through several dead servers doesn't blow the overall init budget, long
    ///     enough to tolerate a slow TLS handshake on a healthy server. Applied independently
    ///     of <see cref="Timeout"/> which governs steady-state operations.
    /// </summary>
    public TimeSpan PerEndpointConnectTimeout { get; init; } = TimeSpan.FromSeconds(3);

    /// <summary>
    ///     Security policy to require when selecting an endpoint. Either a
    ///     <see cref="OpcUaSecurityPolicy"/> enum constant or a free-form string (for
    ///     forward-compatibility with future OPC UA policies not yet in the enum).
    ///     Matched against <c>EndpointDescription.SecurityPolicyUri</c> suffix — the driver
    ///     connects to the first endpoint whose policy name matches AND whose mode matches
    ///     <see cref="SecurityMode"/>. When set to <see cref="OpcUaSecurityPolicy.None"/>
    ///     the driver picks any unsecured endpoint regardless of policy string.
    /// </summary>
    public OpcUaSecurityPolicy SecurityPolicy { get; init; } = OpcUaSecurityPolicy.None;

    /// <summary>Security mode.</summary>
    public OpcUaSecurityMode SecurityMode { get; init; } = OpcUaSecurityMode.None;

    /// <summary>Authentication type.</summary>
    public OpcUaAuthType AuthType { get; init; } = OpcUaAuthType.Anonymous;

    /// <summary>User name (required only for <see cref="OpcUaAuthType.Username"/>).</summary>
    public string? Username { get; init; }

    /// <summary>Password (required only for <see cref="OpcUaAuthType.Username"/>).</summary>
    public string? Password { get; init; }

    /// <summary>
    ///     Filesystem path to the user-identity certificate (PFX/PEM). Required when
    ///     <see cref="AuthType"/> is <see cref="OpcUaAuthType.Certificate"/>. The driver
    ///     loads the cert + private key, which the remote server validates against its
    ///     <c>TrustedUserCertificates</c> store to authenticate the session's user token.
    ///     Leave unset to use the driver's application-instance certificate as the user
    ///     token (not typical — most deployments have a separate user cert).
    /// </summary>
    public string? UserCertificatePath { get; init; }

    /// <summary>
    ///     Optional password that unlocks <see cref="UserCertificatePath"/> when the PFX is
    ///     protected. PEM files generally have their password on the adjacent key file; this
    ///     knob only applies to password-locked PFX.
    /// </summary>
    public string? UserCertificatePassword { get; init; }

    /// <summary>Server-negotiated session timeout. Default 120s per driver-specs.md §8.</summary>
    public TimeSpan SessionTimeout { get; init; } = TimeSpan.FromSeconds(120);

    /// <summary>Client-side keep-alive interval.</summary>
    public TimeSpan KeepAliveInterval { get; init; } = TimeSpan.FromSeconds(5);

    /// <summary>Initial reconnect delay after a session drop.</summary>
    public TimeSpan ReconnectPeriod { get; init; } = TimeSpan.FromSeconds(5);

    /// <summary>
    ///     When <c>true</c>, the driver accepts any self-signed / untrusted server certificate.
    ///     Dev-only — must be <c>false</c> in production so MITM attacks against the opc.tcp
    ///     channel fail closed.
    /// </summary>
    public bool AutoAcceptCertificates { get; init; } = false;

    /// <summary>
    ///     Application URI the driver reports during session creation. Must match the
    ///     subject-alt-name on the client certificate if one is used, which is why it's a
    ///     config knob rather than hard-coded.
    /// </summary>
    public string ApplicationUri { get; init; } = "urn:localhost:OtOpcUa:GatewayClient";

    /// <summary>
    ///     Friendly name sent to the remote server for diagnostics. Shows up in the remote
    ///     server's session-list so operators can identify which gateway instance is calling.
    /// </summary>
    public string SessionName { get; init; } = "OtOpcUa-Gateway";

    /// <summary>Connect + per-operation timeout.</summary>
    public TimeSpan Timeout { get; init; } = TimeSpan.FromSeconds(10);

    /// <summary>
    ///     Root NodeId to mirror. Default <c>null</c> = <c>ObjectsFolder</c> (i=85). Set to
    ///     a scoped root to restrict the address space the driver exposes locally — useful
    ///     when the remote server has tens of thousands of nodes and only a subset is
    ///     needed downstream.
    /// </summary>
    public string? BrowseRoot { get; init; }

    /// <summary>
    ///     Cap on total nodes discovered during <c>DiscoverAsync</c>. Default 10_000 —
    ///     bounds memory on runaway remote servers without being so low that normal
    ///     deployments hit it. When the cap is reached discovery stops and a warning is
    ///     written to the driver health surface; the partially-discovered tree is still
    ///     projected into the local address space.
    /// </summary>
    public int MaxDiscoveredNodes { get; init; } = 10_000;

    /// <summary>
    ///     Max hierarchical depth of the browse. Default 10 — deep enough for realistic
    ///     OPC UA information models, shallow enough that cyclic graphs can't spin the
    ///     browse forever.
    /// </summary>
    public int MaxBrowseDepth { get; init; } = 10;
}

/// <summary>OPC UA message security mode.</summary>
public enum OpcUaSecurityMode
{
    None,
    Sign,
    SignAndEncrypt,
}

/// <summary>
///     OPC UA security policies recognized by the driver. Maps to the standard
///     <c>http://opcfoundation.org/UA/SecurityPolicy#</c> URI suffixes the SDK uses for
///     endpoint matching.
/// </summary>
/// <remarks>
///     <see cref="Basic128Rsa15"/> and <see cref="Basic256"/> are <b>deprecated</b> per OPC UA
///     spec v1.04 — they remain in the enum only for brownfield interop with older servers.
///     Prefer <see cref="Basic256Sha256"/>, <see cref="Aes128_Sha256_RsaOaep"/>, or
///     <see cref="Aes256_Sha256_RsaPss"/> for new deployments.
/// </remarks>
public enum OpcUaSecurityPolicy
{
    /// <summary>No security. Unsigned, unencrypted wire.</summary>
    None,
    /// <summary>Deprecated (OPC UA 1.04). Retained for legacy server interop.</summary>
    Basic128Rsa15,
    /// <summary>Deprecated (OPC UA 1.04). Retained for legacy server interop.</summary>
    Basic256,
    /// <summary>Recommended baseline for current deployments.</summary>
    Basic256Sha256,
    /// <summary>Current OPC UA policy; AES-128 + SHA-256 + RSA-OAEP.</summary>
    Aes128_Sha256_RsaOaep,
    /// <summary>Current OPC UA policy; AES-256 + SHA-256 + RSA-PSS.</summary>
    Aes256_Sha256_RsaPss,
}

/// <summary>User authentication type sent to the remote server.</summary>
public enum OpcUaAuthType
{
    Anonymous,
    Username,
    Certificate,
}