"""
Tool Access Control for Multi-Agent System

This module defines which tools each agent can access and which bash commands
are forbidden, removing the need to document these restrictions in agent prompts.
"""

import re
from typing import List, Dict, Set, Tuple
from enum import Enum


# Dangerous bash command patterns that should NEVER be executed
DANGEROUS_COMMAND_PATTERNS: List[Tuple[str, str]] = [
    # Docker commands that affect ALL containers
    (r'docker\s+rm\s+.*\$\(docker\s+ps', 'Bulk container removal'),
    (r'docker\s+stop\s+.*\$\(docker\s+ps', 'Bulk container stop'),
    (r'docker\s+kill\s+.*\$\(docker\s+ps', 'Bulk container kill'),
    (r'docker\s+container\s+prune', 'Container prune'),
    (r'docker\s+system\s+prune', 'System prune'),
    (r'docker\s+image\s+prune\s+-a', 'Remove all images'),
    (r'docker\s+volume\s+prune', 'Volume prune'),
    (r'docker\s+network\s+prune', 'Network prune'),

    # Dangerous system commands (only match truly dangerous patterns)
    # Note: rm -rf /app/xxx is allowed, only rm -rf / or rm -rf /* is blocked
    (r'rm\s+(-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*|-[a-zA-Z]*f[a-zA-Z]*r[a-zA-Z]*)\s+/\s*$', 'Remove root filesystem'),
    (r'rm\s+(-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*|-[a-zA-Z]*f[a-zA-Z]*r[a-zA-Z]*)\s+/\s*[;&|]', 'Remove root filesystem'),
    (r'rm\s+(-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*|-[a-zA-Z]*f[a-zA-Z]*r[a-zA-Z]*)\s+/\*', 'Remove all files'),
    (r'rm\s+-rf\s+~', 'Remove home directory'),
    (r'mkfs\.', 'Format filesystem'),
    (r'dd\s+if=.*of=/dev/', 'Write to device'),
    (r'>\s*/dev/sd', 'Overwrite disk'),

    # Fork bombs and resource exhaustion
    (r':\(\)\s*\{\s*:\|:&\s*\};:', 'Fork bomb'),
    (r'while\s+true.*done', 'Infinite loop (use with caution)'),
]


class AgentType(Enum):
    """Enumeration of agent types in the system"""
    ANALYZER = "analyzer"
    GENERATOR = "generator"
    BUILDER = "builder"
    VALIDATOR = "validator"
    SOLVER = "solver"
    CHECKER = "checker"


class ToolController:
    """
    Controls tool access permissions for each agent type.

    Orchestrator uses this to configure Claude Code SDK sessions,
    so agents don't need to know about tool restrictions.
    """

    # Common tools available to all agents
    COMMON_TOOLS: Set[str] = {
        'Task',           # Sub-agent spawning
        'TodoWrite',      # Task tracking
        'BashOutput',     # Read background bash output
        'KillShell',      # Kill background processes
        'ExitPlanMode',   # Exit planning mode
        'EnterPlanMode',  # Enter planning mode
    }

    # Base tools available to all agents
    BASE_TOOLS: Set[str] = {
        'Read',
        'Write',
        'Edit',
        'Bash',
        'Glob',
        'Grep',
    }

    # Additional tools for specific agents
    EXTRA_TOOLS: Dict[AgentType, Set[str]] = {
        AgentType.ANALYZER: {'WebSearch', 'WebFetch'},
        AgentType.GENERATOR: {'WebSearch', 'WebFetch'},
    }

    # Define tool sets for each agent (simplified: all agents have base tools)
    TOOL_PERMISSIONS: Dict[AgentType, Set[str]] = {
        AgentType.ANALYZER: BASE_TOOLS | {'WebSearch', 'WebFetch'},
        AgentType.GENERATOR: BASE_TOOLS | {'WebSearch', 'WebFetch'},
        AgentType.BUILDER: BASE_TOOLS,
        AgentType.VALIDATOR: BASE_TOOLS,
        AgentType.SOLVER: BASE_TOOLS,
        AgentType.CHECKER: BASE_TOOLS,
    }

    @classmethod
    def get_allowed_tools(cls, agent_type: AgentType) -> List[str]:
        """
        Get list of tools allowed for a specific agent type.

        Args:
            agent_type: The type of agent

        Returns:
            List of tool names the agent can use
        """
        # Combine agent-specific tools with common tools
        agent_tools = cls.TOOL_PERMISSIONS.get(agent_type, set())
        all_tools = agent_tools | cls.COMMON_TOOLS
        return sorted(list(all_tools))

    @classmethod
    def is_tool_allowed(cls, agent_type: AgentType, tool_name: str) -> bool:
        """
        Check if a specific tool is allowed for an agent type.

        Args:
            agent_type: The type of agent
            tool_name: Name of the tool to check

        Returns:
            True if tool is allowed, False otherwise
        """
        # Check both agent-specific tools and common tools
        agent_tools = cls.TOOL_PERMISSIONS.get(agent_type, set())
        return tool_name in agent_tools or tool_name in cls.COMMON_TOOLS

    @classmethod
    def get_tool_restrictions_summary(cls, agent_type: AgentType) -> str:
        """
        Get a human-readable summary of tool restrictions.
        Used for logging/debugging, NOT for agent prompts.

        Args:
            agent_type: The type of agent

        Returns:
            String describing tool permissions
        """
        allowed = cls.get_allowed_tools(agent_type)
        return f"{agent_type.value}: {', '.join(allowed)}"

    @classmethod
    def get_all_tool_configs(cls) -> Dict[str, List[str]]:
        """
        Get complete tool configuration for all agents.
        Useful for configuration export or validation.

        Returns:
            Dictionary mapping agent names to their allowed tools
        """
        return {
            agent_type.value: cls.get_allowed_tools(agent_type)
            for agent_type in AgentType
        }


# Convenience function for quick access
def get_agent_tools(agent_name: str) -> List[str]:
    """
    Quick access function to get tools for an agent by name.

    Args:
        agent_name: Name of agent (e.g., 'analyzer', 'builder')

    Returns:
        List of allowed tool names

    Raises:
        ValueError: If agent name is not recognized
    """
    try:
        agent_type = AgentType(agent_name.lower())
        return ToolController.get_allowed_tools(agent_type)
    except ValueError:
        raise ValueError(f"Unknown agent type: {agent_name}")


class CommandFilter:
    """
    Filters dangerous bash commands to prevent destructive operations.
    """

    @classmethod
    def is_dangerous(cls, command: str) -> Tuple[bool, str]:
        """
        Check if a bash command matches any dangerous pattern.

        Args:
            command: The bash command to check

        Returns:
            Tuple of (is_dangerous, reason)
        """
        for pattern, reason in DANGEROUS_COMMAND_PATTERNS:
            if re.search(pattern, command, re.IGNORECASE):
                return True, reason
        return False, ""

    @classmethod
    def validate_command(cls, command: str) -> str:
        """
        Validate a command and raise exception if dangerous.

        Args:
            command: The bash command to validate

        Returns:
            The command if safe

        Raises:
            ValueError: If command is dangerous
        """
        is_dangerous, reason = cls.is_dangerous(command)
        if is_dangerous:
            raise ValueError(f"Dangerous command blocked: {reason}")
        return command

    @classmethod
    def get_blocked_patterns(cls) -> List[str]:
        """
        Get list of blocked command patterns for documentation.

        Returns:
            List of pattern descriptions
        """
        return [f"{reason}: {pattern}" for pattern, reason in DANGEROUS_COMMAND_PATTERNS]


def is_command_safe(command: str) -> Tuple[bool, str]:
    """
    Quick access function to check if a command is safe.

    Args:
        command: The bash command to check

    Returns:
        Tuple of (is_safe, reason_if_blocked)
    """
    is_dangerous, reason = CommandFilter.is_dangerous(command)
    return not is_dangerous, reason


if __name__ == "__main__":
    # Print tool configurations for verification
    print("Agent Tool Permissions Configuration\n" + "=" * 50)
    for agent_type in AgentType:
        print(f"\n{agent_type.value.upper()}:")
        tools = ToolController.get_allowed_tools(agent_type)
        for tool in tools:
            print(f"  - {tool}")

    print("\n\nBlocked Command Patterns\n" + "=" * 50)
    for pattern, reason in DANGEROUS_COMMAND_PATTERNS:
        print(f"  - {reason}")
