"""Axis 3 restricted canary - policy map (canonical, PYTHONPATH-agnostic).

chair_authorization_id = CHAIR-AUTH-AXIS-3-CANARY-20260524-JJONGS-RESTRICTED-001
Restricted canary scope ONLY. Default AUDIT_ONLY.
"""

from __future__ import annotations

CHAIR_AUTHORIZATION_ID = "CHAIR-AUTH-AXIS-3-CANARY-20260524-JJONGS-RESTRICTED-001"

DECISION_AUDIT_ONLY = "AUDIT_ONLY"
DECISION_WARN = "WARN"
DECISION_BLOCK = "BLOCK"

# Destructive 5 — only categories permitted to BLOCK during restricted canary.
DESTRUCTIVE_RULE_IDS = (
    "destructive.rm_rf_root",
    "destructive.git_push_force_main",
    "destructive.git_reset_hard_other_branch",
    "destructive.git_branch_delete_main",
    "destructive.cokacdir_cron_remove",
)

# Forbidden path WARN list (initial). 24h monitoring 전 BLOCK 승격 금지.
FORBIDDEN_PATH_PREFIXES = (
    "/usr/local/bin/cokacdir",
    "/home/jay/workspace/utils/callback_registration.py",
    "/home/jay/workspace/utils/callback_authority_validator.py",
    "/home/jay/workspace/utils/callback_source_cross_checker.py",
    "/home/jay/workspace/utils/callback_collector_helper_integration.py",
    "/home/jay/workspace/utils/callback_adjudicator_v2.py",
    "/home/jay/workspace/utils/callback_next_action_runner_v2.py",
    "/home/jay/workspace/utils/source_attribution_guard_v2.py",
    "/home/jay/workspace/dispatch.py",
    "/home/jay/workspace/scripts/finish-task.sh",
    "/home/jay/.claude/hooks/session_start_anu_callback_collector_v2.py",
    "/home/jay/.claude/hooks/stop_anu_callback_collector_verifier_v2.py",
    "/home/jay/.claude/hooks/user_prompt_submit_hook_callback_inbox_v2.py",
    "/home/jay/.claude/settings.local.json",
)

FORBIDDEN_PATH_GLOB_SUFFIXES = (
    ".env",
    "credentials",
    "credentials.json",
)

# Credential heuristics (canary initially WARN only).
CREDENTIAL_PATTERNS = (
    r"AKIA[0-9A-Z]{16}",            # AWS access key id
    r"AIza[0-9A-Za-z\-_]{35}",      # google api key
    r"ghp_[0-9A-Za-z]{30,}",        # github personal token
    r"github_pat_[0-9A-Za-z_]{40,}",
    r"xox[abposr]-[0-9A-Za-z\-]+",  # slack tokens
    r"sk-[A-Za-z0-9]{20,}",         # generic openai-style
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----",
)


def is_destructive_rule(rule_id: str) -> bool:
    return rule_id in DESTRUCTIVE_RULE_IDS


def initial_decision_for_category(category: str) -> str:
    """Map detector category to canary initial decision."""
    if category == "destructive":
        return DECISION_BLOCK
    if category in ("forbidden_path", "credential_pattern"):
        return DECISION_WARN
    return DECISION_AUDIT_ONLY


def downgrade(decision: str) -> str:
    """false positive 1건 → 강등. BLOCK → WARN → AUDIT_ONLY."""
    if decision == DECISION_BLOCK:
        return DECISION_WARN
    if decision == DECISION_WARN:
        return DECISION_AUDIT_ONLY
    return DECISION_AUDIT_ONLY