from functools import lru_cache

from pydantic_settings import BaseSettings, SettingsConfigDict


class Settings(BaseSettings):
    model_config = SettingsConfigDict(env_file=".env", extra="ignore")

    # Neon PostgreSQL — two URLs, both pointed at the same branch.
    #   NEON_DATABASE_URL         neondb_owner pooled. Login role for every
    #                             session in the app. Tenant routes drop to
    #                             the `authenticated` role per-transaction
    #                             via SET LOCAL ROLE + pg_session_jwt
    #                             request.jwt.claims (see app.db.session).
    #   NEON_DATABASE_URL_DIRECT  neondb_owner direct (Alembic only — DDL
    #                             needs prepared stmts).
    # Setup: backend/OPERATIONS.md → "Neon RLS".
    NEON_DATABASE_URL: str
    NEON_DATABASE_URL_DIRECT: str = ""

    # Better Auth — JWT verification + internal email signing
    # BETTER_AUTH_URL is the SvelteKit origin where BA is mounted.
    # Its `/api/auth/jwks` endpoint is the JWKS source for verifying Bearer JWTs.
    BETTER_AUTH_URL: str = "http://localhost:3000"
    INTERNAL_EMAIL_SHARED_SECRET: str = ""

    @property
    def BETTER_AUTH_JWKS_URL(self) -> str:
        """Public JWKS endpoint published by Better Auth's jwt() plugin."""
        return f"{self.BETTER_AUTH_URL.rstrip('/')}/api/auth/jwks"

    # Restate
    RESTATE_INGRESS_URL: str = "http://restate:8080"
    # Restate Cloud bearer token. Empty for self-hosted Restate (local dev,
    # Docker compose). When set, every outbound request to RESTATE_INGRESS_URL
    # / RESTATE_ADMIN_URL is signed with `Authorization: Bearer <token>`.
    RESTATE_CLOUD_AUTH_TOKEN: str = ""

    # Redis
    REDIS_URL: str

    # Upstash Redis (REST API — for future use)
    UPSTASH_REDIS_REST_URL: str = ""
    UPSTASH_REDIS_REST_TOKEN: str = ""

    # CORS / Frontend
    FRONTEND_URL: str = "http://localhost:3000"

    # Observability
    LOGFIRE_TOKEN: str = ""
    LANGFUSE_OTLP_ENDPOINT: str = ""
    LANGFUSE_OTLP_HEADERS: str = ""

    # AI — Agents & Embeddings
    APP_OPENAI_API_KEY: str = ""
    APP_ANTHROPIC_API_KEY: str = ""
    ANTHROPIC_MODEL: str = "claude-sonnet-4-6"
    ROUTER_MODEL: str = "claude-haiku-4-5"

    # Payments — Mollie
    MOLLIE_API_KEY: str = ""

    # Email — Scaleway TEM
    SCALEWAY_TEM_ACCESS_KEY: str = ""
    SCALEWAY_TEM_SECRET_KEY: str = ""
    SCALEWAY_PROJECT_ID: str = ""
    SCALEWAY_FROM_EMAIL: str = ""
    SCALEWAY_FROM_NAME: str = "Dineo"

    # App
    ENVIRONMENT: str = "development"
    LOG_LEVEL: str = "INFO"

    # S3-compatible object storage (Scaleway)
    S3_ENDPOINT_URL: str = ""
    S3_ACCESS_KEY_ID: str = ""
    S3_SECRET_ACCESS_KEY: str = ""
    S3_BUCKET_NAME: str = "dineo-media"
    S3_REGION: str = "nl-ams"

    # WhatsApp — Meta Cloud API
    META_APP_ID: str = ""
    META_APP_SECRET: str = ""
    META_WEBHOOK_VERIFY_TOKEN: str = ""
    WHATSAPP_TOKEN_ENCRYPTION_KEY: str = ""
    META_GRAPH_API_VERSION: str = "v21.0"


@lru_cache
def get_settings() -> Settings:
    return Settings()  # type: ignore[call-arg]