package mxgateway

import (
	"crypto/tls"
	"strings"
	"time"

	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
)

// Options configures gateway connections.
type Options struct {
	// Endpoint is the gateway host:port address to dial.
	Endpoint string
	// APIKey is the bearer token attached to outgoing gRPC metadata.
	APIKey string
	// Plaintext disables TLS and uses insecure credentials when true.
	Plaintext bool
	// CACertFile points to a PEM file used to verify the gateway certificate.
	CACertFile string
	// ServerNameOverride overrides the TLS SNI/SAN name presented to the gateway.
	ServerNameOverride string
	// DialTimeout bounds the blocking Dial; zero applies a built-in default.
	DialTimeout time.Duration
	// CallTimeout bounds each unary RPC; zero applies a built-in default and
	// negative disables the bound entirely.
	CallTimeout time.Duration
	// TLSConfig supplies a custom TLS configuration; takes precedence over
	// CACertFile when TransportCredentials is unset.
	TLSConfig *tls.Config
	// TransportCredentials, when non-nil, overrides every other transport-level
	// option and is used as-is.
	TransportCredentials credentials.TransportCredentials
	// DialOptions are appended to the gRPC dial options after the defaults.
	DialOptions []grpc.DialOption
}

// RedactedAPIKey returns a display-safe representation of the configured API
// key for diagnostics and CLI output.
func (o Options) RedactedAPIKey() string {
	return RedactAPIKey(o.APIKey)
}

// RedactAPIKey hides credential material while keeping enough shape for
// troubleshooting whether a key was supplied.
func RedactAPIKey(apiKey string) string {
	if apiKey == "" {
		return ""
	}

	if len(apiKey) <= 8 {
		return "<redacted>"
	}

	prefix, suffix := apiKey[:4], apiKey[len(apiKey)-4:]
	return prefix + strings.Repeat("*", len(apiKey)-8) + suffix
}