<?php
/**
 * Create Tenant Endpoint (Super Admin Only)
 */

use App\Core\Database;
use App\Core\Validator;
use App\Middleware\AuthMiddleware;

$decoded = AuthMiddleware::check();

if ($decoded['role'] !== 'super_admin') {
    json_error('Unauthorized', 403);
}

$data = input();

$errors = Validator::validate($data, [
    'name'  => 'required',
    'email' => 'required|email',
    'phone' => 'required',
    'manager_name' => 'required',
    'manager_password' => 'required'
]);

if ($errors) {
    json_error('Validation Failed', 422, $errors);
}

$db = Database::getInstance();

try {
    $db->beginTransaction();

    // Generate Tenant UUID in PHP so we can use it immediately
    $tenantId = sprintf('%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
        mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff),
        mt_rand(0, 0x0fff) | 0x4000, mt_rand(0, 0x3fff) | 0x8000,
        mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff)
    );

    // 1. Create Tenant
    $encryptedTenantName = \App\Core\Encryption::encrypt($data['name']);
    $encryptedTenantEmail = \App\Core\Encryption::encrypt($data['email']);

    $phone = preg_replace('/[^0-9+]/', '', $data['phone']);
    $phone = ltrim($phone, '+');
    if (str_starts_with($phone, '07')) {
        $phone = '962' . substr($phone, 1);
    } elseif (str_starts_with($phone, '7')) {
        $phone = '962' . $phone;
    }
    
    $encryptedPhone = \App\Core\Encryption::encrypt($phone);
    $phoneHash = hash('sha256', $phone);

    $stmt = $db->prepare("INSERT INTO tenants (id, name, email, phone, status, created_at) VALUES (?, ?, ?, ?, 'active', NOW())");
    $stmt->execute([
        $tenantId,
        $encryptedTenantName,
        $encryptedTenantEmail,
        $phone
    ]);

    // Generate User UUID
    $userId = sprintf('%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
        mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff),
        mt_rand(0, 0x0fff) | 0x4000, mt_rand(0, 0x3fff) | 0x8000,
        mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff)
    );

    // Encrypt sensitive user data
    $encryptedName = \App\Core\Encryption::encrypt($data['manager_name']);
    $encryptedEmail = \App\Core\Encryption::encrypt($data['email']);
    $emailHash = hash('sha256', strtolower($data['email']));

    // 2. Create Initial Manager (Admin) for this Tenant
    $stmtUser = $db->prepare("INSERT INTO users (id, tenant_id, name, email, email_hash, phone, phone_hash, password_hash, role, created_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, 'admin', NOW())");
    $stmtUser->execute([
        $userId,
        $tenantId,
        $encryptedName,
        $encryptedEmail,
        $emailHash,
        $encryptedPhone,
        $phoneHash,
        password_hash($data['manager_password'], PASSWORD_DEFAULT)
    ]);

    $db->commit();
    json_success(null, 'تم إنشاء المكتب ومدير المكتب بنجاح');
} catch (\Exception $e) {
    $db->rollBack();
    safe_error($e, 'tenants/create', 'حدث خطأ أثناء إنشاء المكتب.');
}