# Copyright (c) 2025 Patrick Motsch
# All rights reserved.
"""
Authentication and authorization modules for routes and services.
High-level security functionality that depends on FastAPI and interfaces.

Multi-Tenant Design:
- RequestContext: Per-request context with user, mandate, feature instance, roles
- getRequestContext: FastAPI dependency to extract context from X-Mandate-Id header
- requireSysAdmin: FastAPI dependency for INFRASTRUCTURE-level operations
                   (logs, tokens, DB-health, i18n-master). Includes RBAC bypass.
- requirePlatformAdmin: FastAPI dependency for CROSS-MANDATE GOVERNANCE
                        (user-/mandate-/RBAC-/feature-registry mgmt). No bypass.
"""

from .authentication import (
    getCurrentUser,
    limiter,
    SECRET_KEY,
    ALGORITHM,
    cookieAuth,
    RequestContext,
    getRequestContext,
    requireSysAdmin,
    requirePlatformAdmin,
)
from .jwtService import (
    createAccessToken,
    createRefreshToken,
    setAccessTokenCookie,
    setRefreshTokenCookie,
    clearAccessTokenCookie,
    clearRefreshTokenCookie
)
from .tokenManager import TokenManager
from .tokenRefreshService import token_refresh_service, TokenRefreshService
from .tokenRefreshMiddleware import TokenRefreshMiddleware, ProactiveTokenRefreshMiddleware
from .csrf import CSRFMiddleware

__all__ = [
    # Authentication
    "getCurrentUser",
    "limiter",
    "SECRET_KEY",
    "ALGORITHM",
    "cookieAuth",
    # Multi-Tenant Context
    "RequestContext",
    "getRequestContext",
    "requireSysAdmin",
    "requirePlatformAdmin",
    # JWT Service
    "createAccessToken",
    "createRefreshToken",
    "setAccessTokenCookie",
    "setRefreshTokenCookie",
    "clearAccessTokenCookie",
    "clearRefreshTokenCookie",
    # Token Management
    "TokenManager",
    "token_refresh_service",
    "TokenRefreshService",
    "TokenRefreshMiddleware",
    "ProactiveTokenRefreshMiddleware",
    # CSRF
    "CSRFMiddleware",
]