oxirs-gql 0.2.4

//! Production-Ready Features for Enterprise Deployment
//!
//! This module provides comprehensive production features:
//! - **CORS Configuration**: Fine-grained CORS control with preflight caching
//! - **JWT Authentication**: RSA/HMAC-based JWT with automatic refresh
//! - **OpenTelemetry Tracing**: Distributed tracing with automatic span propagation
//! - **Connection Pooling**: Adaptive connection pool with health monitoring
//! - **Health Checks**: Comprehensive health endpoints with dependencies
//! - **Request Logging**: Structured logging with correlation IDs
//! - **Metrics Export**: Prometheus-compatible metrics endpoint
//! - **Rate Limiting Integration**: Production-grade rate limiting
//! - **Circuit Breaker**: Automatic failure detection and recovery

use anyhow::{anyhow, Result};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::fmt;
use std::sync::Arc;
use std::time::{Duration, Instant, SystemTime};
use tokio::sync::RwLock;
use tracing::{info, warn};

// SciRS2 Core integration for secure random generation and metrics
use scirs2_core::random::secure::SecureRandom;

// Cryptography for JWT
use sha2::Sha256;

// ============================================================================
// CORS Configuration
// ============================================================================

/// Comprehensive CORS configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CorsConfig {
    /// Allowed origins (e.g., ["<https://example.com>", "<http://localhost:3000>"])
    /// Use "*" for all origins (not recommended for production)
    pub allowed_origins: Vec<String>,

    /// Allowed HTTP methods
    pub allowed_methods: Vec<String>,

    /// Allowed headers
    pub allowed_headers: Vec<String>,

    /// Exposed headers (headers that browser can access)
    pub exposed_headers: Vec<String>,

    /// Allow credentials (cookies, authorization headers)
    pub allow_credentials: bool,

    /// Max age for preflight cache (in seconds)
    pub max_age: Option<u64>,

    /// Whether to use wildcard origin matching
    pub wildcard_origins: bool,
}

impl Default for CorsConfig {
    fn default() -> Self {
        Self {
            allowed_origins: vec!["*".to_string()],
            allowed_methods: vec!["GET".to_string(), "POST".to_string(), "OPTIONS".to_string()],
            allowed_headers: vec![
                "Content-Type".to_string(),
                "Authorization".to_string(),
                "X-Requested-With".to_string(),
            ],
            exposed_headers: vec!["Content-Length".to_string()],
            allow_credentials: false,
            max_age: Some(3600), // 1 hour
            wildcard_origins: false,
        }
    }
}

impl CorsConfig {
    /// Create production-ready CORS configuration
    pub fn production(origins: Vec<String>) -> Self {
        Self {
            allowed_origins: origins,
            allowed_methods: vec!["GET".to_string(), "POST".to_string(), "OPTIONS".to_string()],
            allowed_headers: vec![
                "Content-Type".to_string(),
                "Authorization".to_string(),
                "X-Request-ID".to_string(),
                "X-API-Key".to_string(),
            ],
            exposed_headers: vec!["Content-Length".to_string(), "X-Request-ID".to_string()],
            allow_credentials: true,
            max_age: Some(86400), // 24 hours
            wildcard_origins: false,
        }
    }

    /// Check if origin is allowed
    pub fn is_origin_allowed(&self, origin: &str) -> bool {
        if self.allowed_origins.contains(&"*".to_string()) {
            return true;
        }

        if self.wildcard_origins {
            for allowed in &self.allowed_origins {
                if Self::wildcard_match(allowed, origin) {
                    return true;
                }
            }
        }

        self.allowed_origins.contains(&origin.to_string())
    }

    /// Wildcard pattern matching for origins
    fn wildcard_match(pattern: &str, origin: &str) -> bool {
        if pattern.contains('*') {
            let parts: Vec<&str> = pattern.split('*').collect();
            if parts.len() == 2 {
                origin.starts_with(parts[0]) && origin.ends_with(parts[1])
            } else {
                false
            }
        } else {
            pattern == origin
        }
    }
}

// ============================================================================
// JWT Authentication
// ============================================================================

/// JWT authentication configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct JwtConfig {
    /// JWT secret or public key for verification
    pub secret: String,

    /// JWT signing algorithm (HS256, HS384, HS512, RS256, RS384, RS512)
    pub algorithm: JwtAlgorithm,

    /// Token expiration time (in seconds)
    pub expiration: u64,

    /// Token issuer
    pub issuer: Option<String>,

    /// Token audience
    pub audience: Option<Vec<String>>,

    /// Required claims
    pub required_claims: Vec<String>,

    /// Enable automatic token refresh
    pub enable_refresh: bool,

    /// Refresh token expiration (in seconds)
    pub refresh_expiration: u64,
}

impl Default for JwtConfig {
    fn default() -> Self {
        Self {
            secret: "".to_string(), // Must be set by user
            algorithm: JwtAlgorithm::HS256,
            expiration: 3600, // 1 hour
            issuer: None,
            audience: None,
            required_claims: vec!["sub".to_string()],
            enable_refresh: true,
            refresh_expiration: 604800, // 7 days
        }
    }
}

/// JWT signing algorithms
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum JwtAlgorithm {
    /// HMAC with SHA-256
    HS256,
    /// HMAC with SHA-384
    HS384,
    /// HMAC with SHA-512
    HS512,
    /// RSA with SHA-256
    RS256,
    /// RSA with SHA-384
    RS384,
    /// RSA with SHA-512
    RS512,
}

impl fmt::Display for JwtAlgorithm {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            JwtAlgorithm::HS256 => write!(f, "HS256"),
            JwtAlgorithm::HS384 => write!(f, "HS384"),
            JwtAlgorithm::HS512 => write!(f, "HS512"),
            JwtAlgorithm::RS256 => write!(f, "RS256"),
            JwtAlgorithm::RS384 => write!(f, "RS384"),
            JwtAlgorithm::RS512 => write!(f, "RS512"),
        }
    }
}

/// JWT token claims
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct JwtClaims {
    /// Subject (user ID)
    pub sub: String,

    /// Expiration time (as UTC timestamp)
    pub exp: u64,

    /// Issued at time (as UTC timestamp)
    pub iat: u64,

    /// Issuer
    #[serde(skip_serializing_if = "Option::is_none")]
    pub iss: Option<String>,

    /// Audience
    #[serde(skip_serializing_if = "Option::is_none")]
    pub aud: Option<Vec<String>>,

    /// Custom claims
    #[serde(flatten)]
    pub custom: HashMap<String, serde_json::Value>,
}

impl JwtClaims {
    /// Create new JWT claims
    pub fn new(sub: String, expiration: u64) -> Self {
        let now = SystemTime::now()
            .duration_since(SystemTime::UNIX_EPOCH)
            .expect("SystemTime should be after UNIX_EPOCH")
            .as_secs();

        Self {
            sub,
            exp: now + expiration,
            iat: now,
            iss: None,
            aud: None,
            custom: HashMap::new(),
        }
    }

    /// Add custom claim
    pub fn with_claim(mut self, key: String, value: serde_json::Value) -> Self {
        self.custom.insert(key, value);
        self
    }

    /// Check if token is expired
    pub fn is_expired(&self) -> bool {
        let now = SystemTime::now()
            .duration_since(SystemTime::UNIX_EPOCH)
            .expect("SystemTime should be after UNIX_EPOCH")
            .as_secs();
        now >= self.exp
    }
}

/// JWT token manager
pub struct JwtManager {
    config: JwtConfig,
}

impl JwtManager {
    /// Create new JWT manager
    pub fn new(config: JwtConfig) -> Result<Self> {
        if config.secret.is_empty() {
            return Err(anyhow!("JWT secret cannot be empty"));
        }
        Ok(Self { config })
    }

    /// Generate a cryptographically secure JWT secret using scirs2_core
    ///
    /// This generates a 64-character alphanumeric secret suitable for HMAC-SHA256 signing.
    /// The secret has high entropy and is suitable for production use.
    ///
    /// # Example
    /// ```rust,ignore
    /// let secret = JwtManager::generate_secure_secret();
    /// let config = JwtConfig {
    ///     secret,
    ///     algorithm: JwtAlgorithm::HS256,
    ///     expiration: 3600,
    /// };
    /// ```
    pub fn generate_secure_secret() -> String {
        let mut rng = SecureRandom::new();
        rng.random_alphanumeric(64)
    }

    /// Generate JWT token with HMAC-SHA256 signing
    ///
    /// This implementation uses HMAC-SHA256 for signing JWT tokens.
    /// The token format is: `header.payload.signature` (standard JWT format)
    ///
    /// For production use with additional algorithms (RS256, ES256), consider using the `jsonwebtoken` crate.
    pub fn generate_token(&self, claims: &JwtClaims) -> Result<String> {
        if self.config.secret.is_empty() {
            return Err(anyhow!("JWT secret not configured"));
        }

        // Create JWT header
        let header = serde_json::json!({
            "typ": "JWT",
            "alg": self.config.algorithm.to_string()
        });

        // Encode header and payload
        let header_b64 = base64_url_encode(&serde_json::to_string(&header)?);
        let payload_b64 = base64_url_encode(&serde_json::to_string(claims)?);

        // Create signing input
        let signing_input = format!("{}.{}", header_b64, payload_b64);

        // Generate signature using HMAC-SHA256
        let signature = self.sign_hmac_sha256(&signing_input)?;
        let signature_b64 = base64_url_encode(&hex::encode(&signature));

        // Construct final JWT token
        Ok(format!("{}.{}", signing_input, signature_b64))
    }

    /// Sign data using HMAC-SHA256
    fn sign_hmac_sha256(&self, data: &str) -> Result<Vec<u8>> {
        use hmac::{Hmac, Mac};
        type HmacSha256 = Hmac<Sha256>;

        let mut mac = HmacSha256::new_from_slice(self.config.secret.as_bytes())
            .map_err(|e| anyhow!("Invalid key length: {}", e))?;

        mac.update(data.as_bytes());
        Ok(mac.finalize().into_bytes().to_vec())
    }

    /// Verify JWT token with HMAC-SHA256 signature validation
    ///
    /// This implementation verifies JWT tokens signed with HMAC-SHA256.
    /// It checks:
    /// 1. Token format (header.payload.signature)
    /// 2. Signature validity
    /// 3. Token expiration
    ///
    /// For production use with additional algorithms (RS256, ES256), consider using the `jsonwebtoken` crate.
    pub fn verify_token(&self, token: &str) -> Result<JwtClaims> {
        // Split token into parts
        let parts: Vec<&str> = token.split('.').collect();
        if parts.len() != 3 {
            return Err(anyhow!(
                "Invalid token format: expected 3 parts, got {}",
                parts.len()
            ));
        }

        // Verify signature
        let signing_input = format!("{}.{}", parts[0], parts[1]);
        let expected_signature = self.sign_hmac_sha256(&signing_input)?;
        let expected_signature_b64 = base64_url_encode(&hex::encode(&expected_signature));

        if parts[2] != expected_signature_b64 {
            return Err(anyhow!("Invalid token signature"));
        }

        // Decode and parse payload
        let payload_json = base64_url_decode(parts[1])?;
        let claims: JwtClaims = serde_json::from_str(&payload_json)
            .map_err(|e| anyhow!("Invalid token payload: {}", e))?;

        // Check expiration
        if claims.is_expired() {
            return Err(anyhow!("Token expired at {}", claims.exp));
        }

        Ok(claims)
    }
}

// Base64 URL-safe encoding/decoding for JWT
// Note: JWT uses URL-safe base64 (RFC 4648 §5) without padding

/// Base64 URL-safe encoding (no padding)
fn base64_url_encode(data: &str) -> String {
    // Simple base64 URL-safe encoding
    // In production, consider using the `base64` crate for better performance
    const CHARSET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

    let bytes = data.as_bytes();
    let mut result = String::with_capacity((bytes.len() * 4 / 3) + 4);

    for chunk in bytes.chunks(3) {
        let b1 = chunk[0];
        let b2 = chunk.get(1).copied().unwrap_or(0);
        let b3 = chunk.get(2).copied().unwrap_or(0);

        let n = (b1 as u32) << 16 | (b2 as u32) << 8 | (b3 as u32);

        result.push(CHARSET[((n >> 18) & 0x3F) as usize] as char);
        result.push(CHARSET[((n >> 12) & 0x3F) as usize] as char);

        if chunk.len() > 1 {
            result.push(CHARSET[((n >> 6) & 0x3F) as usize] as char);
        }
        if chunk.len() > 2 {
            result.push(CHARSET[(n & 0x3F) as usize] as char);
        }
    }

    // JWT doesn't use padding
    result
}

/// Base64 URL-safe decoding (no padding)
fn base64_url_decode(data: &str) -> Result<String> {
    // Simple base64 URL-safe decoding
    // In production, consider using the `base64` crate for better performance
    let data = data.replace('-', "+").replace('_', "/");

    // Add padding if needed
    let padding = match data.len() % 4 {
        2 => "==",
        3 => "=",
        _ => "",
    };
    let data_with_padding = format!("{}{}", data, padding);

    // Decode base64
    let decoded_bytes = decode_base64_standard(&data_with_padding)?;
    String::from_utf8(decoded_bytes).map_err(|e| anyhow!("Invalid UTF-8 in decoded data: {}", e))
}

/// Internal base64 decoding helper
fn decode_base64_standard(data: &str) -> Result<Vec<u8>> {
    const DECODE_TABLE: [u8; 256] = {
        let mut table = [0xFF; 256];
        let chars = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
        let mut i = 0;
        while i < 64 {
            table[chars[i] as usize] = i as u8;
            i += 1;
        }
        table
    };

    let bytes = data.as_bytes();
    let mut result = Vec::with_capacity((bytes.len() * 3) / 4);
    let mut buffer = 0u32;
    let mut bits = 0;

    for &byte in bytes {
        if byte == b'=' {
            break;
        }

        let value = DECODE_TABLE[byte as usize];
        if value == 0xFF {
            continue; // Skip invalid characters
        }

        buffer = (buffer << 6) | (value as u32);
        bits += 6;

        if bits >= 8 {
            bits -= 8;
            result.push((buffer >> bits) as u8);
            buffer &= (1 << bits) - 1;
        }
    }

    Ok(result)
}

// ============================================================================
// OpenTelemetry Tracing
// ============================================================================

/// OpenTelemetry configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OpenTelemetryConfig {
    /// Service name
    pub service_name: String,

    /// Service version
    pub service_version: String,

    /// OTLP endpoint (e.g., "http://localhost:4317")
    pub otlp_endpoint: Option<String>,

    /// Sampling rate (0.0 to 1.0)
    pub sampling_rate: f64,

    /// Enable trace export
    pub enable_export: bool,

    /// Export timeout (in seconds)
    pub export_timeout: u64,

    /// Batch span processor configuration
    pub batch_config: BatchConfig,
}

impl Default for OpenTelemetryConfig {
    fn default() -> Self {
        Self {
            service_name: "oxirs-gql".to_string(),
            service_version: env!("CARGO_PKG_VERSION").to_string(),
            otlp_endpoint: None,
            sampling_rate: 1.0,
            enable_export: true,
            export_timeout: 30,
            batch_config: BatchConfig::default(),
        }
    }
}

/// Batch span processor configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BatchConfig {
    /// Maximum queue size
    pub max_queue_size: usize,

    /// Maximum batch size
    pub max_export_batch_size: usize,

    /// Scheduled delay (in milliseconds)
    pub scheduled_delay_millis: u64,

    /// Maximum export timeout (in milliseconds)
    pub max_export_timeout_millis: u64,
}

impl Default for BatchConfig {
    fn default() -> Self {
        Self {
            max_queue_size: 2048,
            max_export_batch_size: 512,
            scheduled_delay_millis: 5000,
            max_export_timeout_millis: 30000,
        }
    }
}

/// Trace context for distributed tracing
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TraceContext {
    /// Trace ID (128-bit)
    pub trace_id: String,

    /// Span ID (64-bit)
    pub span_id: String,

    /// Parent span ID
    pub parent_span_id: Option<String>,

    /// Trace flags
    pub trace_flags: u8,

    /// Custom baggage
    pub baggage: HashMap<String, String>,
}

impl Default for TraceContext {
    fn default() -> Self {
        Self::new()
    }
}

impl TraceContext {
    /// Create new trace context
    pub fn new() -> Self {
        Self {
            trace_id: generate_trace_id(),
            span_id: generate_span_id(),
            parent_span_id: None,
            trace_flags: 1, // Sampled
            baggage: HashMap::new(),
        }
    }

    /// Create child context
    pub fn create_child(&self) -> Self {
        Self {
            trace_id: self.trace_id.clone(),
            span_id: generate_span_id(),
            parent_span_id: Some(self.span_id.clone()),
            trace_flags: self.trace_flags,
            baggage: self.baggage.clone(),
        }
    }

    /// Parse from W3C traceparent header
    pub fn from_traceparent(header: &str) -> Result<Self> {
        let parts: Vec<&str> = header.split('-').collect();
        if parts.len() != 4 {
            return Err(anyhow!("Invalid traceparent format"));
        }

        Ok(Self {
            trace_id: parts[1].to_string(),
            span_id: parts[2].to_string(),
            parent_span_id: None,
            trace_flags: u8::from_str_radix(parts[3], 16)?,
            baggage: HashMap::new(),
        })
    }

    /// Convert to W3C traceparent header
    pub fn to_traceparent(&self) -> String {
        format!(
            "00-{}-{}-{:02x}",
            self.trace_id, self.span_id, self.trace_flags
        )
    }
}

fn generate_trace_id() -> String {
    // Use UUID v4 for simplicity (128-bit)
    uuid::Uuid::new_v4().to_string().replace("-", "")
}

fn generate_span_id() -> String {
    // Generate 64-bit ID
    format!("{:016x}", fastrand::u64(..))
}

// ============================================================================
// Connection Pooling
// ============================================================================

/// Connection pool configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ConnectionPoolConfig {
    /// Minimum number of connections
    pub min_connections: usize,

    /// Maximum number of connections
    pub max_connections: usize,

    /// Connection timeout (in seconds)
    pub connection_timeout: u64,

    /// Idle timeout (in seconds)
    pub idle_timeout: u64,

    /// Maximum lifetime of connection (in seconds)
    pub max_lifetime: u64,

    /// Enable connection health checks
    pub enable_health_check: bool,

    /// Health check interval (in seconds)
    pub health_check_interval: u64,
}

impl Default for ConnectionPoolConfig {
    fn default() -> Self {
        Self {
            min_connections: 5,
            max_connections: 100,
            connection_timeout: 30,
            idle_timeout: 600,  // 10 minutes
            max_lifetime: 1800, // 30 minutes
            enable_health_check: true,
            health_check_interval: 30,
        }
    }
}

/// Connection pool statistics
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PoolStats {
    /// Total connections
    pub total_connections: usize,

    /// Active connections
    pub active_connections: usize,

    /// Idle connections
    pub idle_connections: usize,

    /// Waiting requests
    pub waiting_requests: usize,

    /// Total requests served
    pub total_requests: u64,

    /// Failed connection attempts
    pub failed_connections: u64,
}

/// Adaptive connection pool
pub struct ConnectionPool {
    config: ConnectionPoolConfig,
    stats: Arc<RwLock<PoolStats>>,
    last_adjusted: Arc<RwLock<Instant>>,
}

impl ConnectionPool {
    /// Create new connection pool
    pub fn new(config: ConnectionPoolConfig) -> Self {
        Self {
            config,
            stats: Arc::new(RwLock::new(PoolStats {
                total_connections: 0,
                active_connections: 0,
                idle_connections: 0,
                waiting_requests: 0,
                total_requests: 0,
                failed_connections: 0,
            })),
            last_adjusted: Arc::new(RwLock::new(Instant::now())),
        }
    }

    /// Get pool statistics
    pub async fn get_stats(&self) -> PoolStats {
        self.stats.read().await.clone()
    }

    /// Adjust pool size based on load
    pub async fn adjust_pool_size(&self, load_factor: f64) -> Result<()> {
        let mut last_adjusted = self.last_adjusted.write().await;
        let now = Instant::now();

        // Only adjust every 60 seconds
        if now.duration_since(*last_adjusted) < Duration::from_secs(60) {
            return Ok(());
        }

        let mut stats = self.stats.write().await;
        let current_size = stats.total_connections;

        // Calculate target size based on load
        let target_size = if load_factor > 0.8 {
            // High load - increase pool size
            std::cmp::min(
                current_size + (current_size as f64 * 0.2) as usize,
                self.config.max_connections,
            )
        } else if load_factor < 0.3 && current_size > self.config.min_connections {
            // Low load - decrease pool size
            std::cmp::max(
                current_size - (current_size as f64 * 0.1) as usize,
                self.config.min_connections,
            )
        } else {
            current_size
        };

        if target_size != current_size {
            info!(
                "Adjusting connection pool size: {} -> {} (load: {:.2})",
                current_size, target_size, load_factor
            );
            stats.total_connections = target_size;
        }

        *last_adjusted = now;
        Ok(())
    }
}

// ============================================================================
// Health Checks
// ============================================================================

/// Health check status
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum HealthStatus {
    /// Service is healthy
    Healthy,
    /// Service is degraded but operational
    Degraded,
    /// Service is unhealthy
    Unhealthy,
}

impl fmt::Display for HealthStatus {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            HealthStatus::Healthy => write!(f, "healthy"),
            HealthStatus::Degraded => write!(f, "degraded"),
            HealthStatus::Unhealthy => write!(f, "unhealthy"),
        }
    }
}

/// Health check result
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct HealthCheckResult {
    /// Overall status
    pub status: HealthStatus,

    /// Service version
    pub version: String,

    /// Uptime (in seconds)
    pub uptime: u64,

    /// Timestamp
    pub timestamp: String,

    /// Individual component checks
    pub checks: HashMap<String, ComponentHealth>,
}

/// Component health status
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ComponentHealth {
    /// Component status
    pub status: HealthStatus,

    /// Response time (in milliseconds)
    pub response_time_ms: Option<u64>,

    /// Error message (if unhealthy)
    pub error: Option<String>,

    /// Additional metadata
    pub metadata: HashMap<String, serde_json::Value>,
}

/// Health checker
pub struct HealthChecker {
    start_time: Instant,
    checks: HashMap<String, Box<dyn Fn() -> ComponentHealth + Send + Sync>>,
}

impl Default for HealthChecker {
    fn default() -> Self {
        Self::new()
    }
}

impl HealthChecker {
    /// Create new health checker
    pub fn new() -> Self {
        Self {
            start_time: Instant::now(),
            checks: HashMap::new(),
        }
    }

    /// Register component health check
    pub fn register_check<F>(&mut self, name: String, check: F)
    where
        F: Fn() -> ComponentHealth + Send + Sync + 'static,
    {
        self.checks.insert(name, Box::new(check));
    }

    /// Perform health check
    pub fn check_health(&self) -> HealthCheckResult {
        let mut checks = HashMap::new();
        let mut overall_status = HealthStatus::Healthy;

        for (name, check) in &self.checks {
            let component_health = check();

            match component_health.status {
                HealthStatus::Unhealthy => overall_status = HealthStatus::Unhealthy,
                HealthStatus::Degraded if overall_status == HealthStatus::Healthy => {
                    overall_status = HealthStatus::Degraded
                }
                _ => {}
            }

            checks.insert(name.clone(), component_health);
        }

        HealthCheckResult {
            status: overall_status,
            version: env!("CARGO_PKG_VERSION").to_string(),
            uptime: self.start_time.elapsed().as_secs(),
            timestamp: chrono::Utc::now().to_rfc3339(),
            checks,
        }
    }
}

// ============================================================================
// Request Logging
// ============================================================================

/// Request log entry
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RequestLog {
    /// Request ID
    pub request_id: String,

    /// HTTP method
    pub method: String,

    /// Request path
    pub path: String,

    /// Query string
    pub query_string: Option<String>,

    /// Status code
    pub status_code: u16,

    /// Response time (in milliseconds)
    pub response_time_ms: u64,

    /// Request size (in bytes)
    pub request_size: u64,

    /// Response size (in bytes)
    pub response_size: u64,

    /// Client IP
    pub client_ip: String,

    /// User agent
    pub user_agent: Option<String>,

    /// Timestamp
    pub timestamp: String,

    /// Trace context
    pub trace_context: Option<TraceContext>,
}

impl RequestLog {
    /// Create new request log
    pub fn new(request_id: String, method: String, path: String, client_ip: String) -> Self {
        Self {
            request_id,
            method,
            path,
            query_string: None,
            status_code: 200,
            response_time_ms: 0,
            request_size: 0,
            response_size: 0,
            client_ip,
            user_agent: None,
            timestamp: chrono::Utc::now().to_rfc3339(),
            trace_context: None,
        }
    }

    /// Log as JSON
    pub fn to_json(&self) -> Result<String> {
        Ok(serde_json::to_string(self)?)
    }
}

// ============================================================================
// Metrics Export
// ============================================================================

/// Prometheus-compatible metrics
#[derive(Debug, Clone)]
pub struct Metrics {
    /// Request counter
    pub requests_total: u64,

    /// Error counter
    pub errors_total: u64,

    /// Request duration histogram (in milliseconds)
    pub request_duration_ms: Vec<u64>,

    /// Active connections gauge
    pub active_connections: usize,

    /// Pool size gauge
    pub pool_size: usize,
}

impl Default for Metrics {
    fn default() -> Self {
        Self::new()
    }
}

impl Metrics {
    /// Create new metrics
    pub fn new() -> Self {
        Self {
            requests_total: 0,
            errors_total: 0,
            request_duration_ms: Vec::new(),
            active_connections: 0,
            pool_size: 0,
        }
    }

    /// Export as Prometheus format
    pub fn to_prometheus(&self) -> String {
        let mut output = String::new();

        // Request counter
        output.push_str("# HELP oxirs_gql_requests_total Total number of requests\n");
        output.push_str("# TYPE oxirs_gql_requests_total counter\n");
        output.push_str(&format!(
            "oxirs_gql_requests_total {}\n",
            self.requests_total
        ));

        // Error counter
        output.push_str("# HELP oxirs_gql_errors_total Total number of errors\n");
        output.push_str("# TYPE oxirs_gql_errors_total counter\n");
        output.push_str(&format!("oxirs_gql_errors_total {}\n", self.errors_total));

        // Active connections
        output.push_str("# HELP oxirs_gql_active_connections Current active connections\n");
        output.push_str("# TYPE oxirs_gql_active_connections gauge\n");
        output.push_str(&format!(
            "oxirs_gql_active_connections {}\n",
            self.active_connections
        ));

        // Pool size
        output.push_str("# HELP oxirs_gql_pool_size Current connection pool size\n");
        output.push_str("# TYPE oxirs_gql_pool_size gauge\n");
        output.push_str(&format!("oxirs_gql_pool_size {}\n", self.pool_size));

        output
    }
}

// ============================================================================
// Circuit Breaker
// ============================================================================

/// Circuit breaker state
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CircuitState {
    /// Circuit is closed (normal operation)
    Closed,
    /// Circuit is open (failing fast)
    Open,
    /// Circuit is half-open (testing recovery)
    HalfOpen,
}

/// Circuit breaker configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CircuitBreakerConfig {
    /// Failure threshold (number of failures before opening)
    pub failure_threshold: usize,

    /// Success threshold (number of successes before closing)
    pub success_threshold: usize,

    /// Timeout before entering half-open state (in seconds)
    pub timeout: u64,

    /// Window size for failure counting (in seconds)
    pub window_size: u64,
}

impl Default for CircuitBreakerConfig {
    fn default() -> Self {
        Self {
            failure_threshold: 5,
            success_threshold: 2,
            timeout: 60,
            window_size: 60,
        }
    }
}

/// Circuit breaker for automatic failure recovery
pub struct CircuitBreaker {
    config: CircuitBreakerConfig,
    state: Arc<RwLock<CircuitState>>,
    failures: Arc<RwLock<usize>>,
    successes: Arc<RwLock<usize>>,
    last_failure_time: Arc<RwLock<Option<Instant>>>,
}

impl CircuitBreaker {
    /// Create new circuit breaker
    pub fn new(config: CircuitBreakerConfig) -> Self {
        Self {
            config,
            state: Arc::new(RwLock::new(CircuitState::Closed)),
            failures: Arc::new(RwLock::new(0)),
            successes: Arc::new(RwLock::new(0)),
            last_failure_time: Arc::new(RwLock::new(None)),
        }
    }

    /// Check if operation is allowed
    pub async fn is_allowed(&self) -> bool {
        let state = *self.state.read().await;

        match state {
            CircuitState::Closed => true,
            CircuitState::Open => {
                // Check if timeout has passed
                if let Some(last_failure) = *self.last_failure_time.read().await {
                    if last_failure.elapsed() > Duration::from_secs(self.config.timeout) {
                        // Move to half-open state
                        *self.state.write().await = CircuitState::HalfOpen;
                        true
                    } else {
                        false
                    }
                } else {
                    false
                }
            }
            CircuitState::HalfOpen => true,
        }
    }

    /// Record success
    pub async fn record_success(&self) {
        let state = *self.state.read().await;

        match state {
            CircuitState::HalfOpen => {
                let mut successes = self.successes.write().await;
                *successes += 1;

                if *successes >= self.config.success_threshold {
                    *self.state.write().await = CircuitState::Closed;
                    *successes = 0;
                    *self.failures.write().await = 0;
                    info!("Circuit breaker closed after successful recovery");
                }
            }
            CircuitState::Closed => {
                // Reset failure count on success
                *self.failures.write().await = 0;
            }
            _ => {}
        }
    }

    /// Record failure
    pub async fn record_failure(&self) {
        let state = *self.state.read().await;

        match state {
            CircuitState::Closed | CircuitState::HalfOpen => {
                let mut failures = self.failures.write().await;
                *failures += 1;

                if *failures >= self.config.failure_threshold {
                    *self.state.write().await = CircuitState::Open;
                    *self.last_failure_time.write().await = Some(Instant::now());
                    *self.successes.write().await = 0;
                    warn!("Circuit breaker opened due to failures");
                }
            }
            _ => {}
        }
    }

    /// Get current state
    pub async fn get_state(&self) -> CircuitState {
        *self.state.read().await
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_cors_config_default() {
        let config = CorsConfig::default();
        assert!(config.is_origin_allowed("https://example.com"));
        assert_eq!(config.max_age, Some(3600));
    }

    #[test]
    fn test_cors_origin_check() {
        let config = CorsConfig::production(vec!["https://example.com".to_string()]);
        assert!(config.is_origin_allowed("https://example.com"));
        assert!(!config.is_origin_allowed("https://evil.com"));
    }

    #[test]
    fn test_cors_wildcard_matching() {
        let config = CorsConfig {
            allowed_origins: vec!["https://*.example.com".to_string()],
            wildcard_origins: true,
            ..Default::default()
        };

        assert!(config.is_origin_allowed("https://app.example.com"));
        assert!(config.is_origin_allowed("https://api.example.com"));
        assert!(!config.is_origin_allowed("https://example.com"));
    }

    #[test]
    fn test_jwt_algorithm_display() {
        assert_eq!(JwtAlgorithm::HS256.to_string(), "HS256");
        assert_eq!(JwtAlgorithm::RS512.to_string(), "RS512");
    }

    #[test]
    fn test_jwt_claims_creation() {
        let claims = JwtClaims::new("user123".to_string(), 3600);
        assert_eq!(claims.sub, "user123");
        assert!(!claims.is_expired());
    }

    #[test]
    fn test_jwt_claims_custom() {
        let claims = JwtClaims::new("user123".to_string(), 3600)
            .with_claim("role".to_string(), serde_json::json!("admin"));

        assert_eq!(
            claims.custom.get("role").expect("should succeed"),
            &serde_json::json!("admin")
        );
    }

    #[test]
    fn test_trace_context_creation() {
        let ctx = TraceContext::new();
        assert!(!ctx.trace_id.is_empty());
        assert!(!ctx.span_id.is_empty());
        assert_eq!(ctx.trace_flags, 1);
    }

    #[test]
    fn test_trace_context_child() {
        let parent = TraceContext::new();
        let child = parent.create_child();

        assert_eq!(child.trace_id, parent.trace_id);
        assert_ne!(child.span_id, parent.span_id);
        assert_eq!(child.parent_span_id, Some(parent.span_id.clone()));
    }

    #[test]
    fn test_trace_context_traceparent() {
        let ctx = TraceContext::new();
        let header = ctx.to_traceparent();

        assert!(header.starts_with("00-"));
        assert_eq!(header.split('-').count(), 4);
    }

    #[test]
    fn test_connection_pool_config() {
        let config = ConnectionPoolConfig::default();
        assert_eq!(config.min_connections, 5);
        assert_eq!(config.max_connections, 100);
    }

    #[tokio::test]
    async fn test_connection_pool_stats() {
        let pool = ConnectionPool::new(ConnectionPoolConfig::default());
        let stats = pool.get_stats().await;

        assert_eq!(stats.total_connections, 0);
        assert_eq!(stats.active_connections, 0);
    }

    #[test]
    fn test_health_status_display() {
        assert_eq!(HealthStatus::Healthy.to_string(), "healthy");
        assert_eq!(HealthStatus::Degraded.to_string(), "degraded");
        assert_eq!(HealthStatus::Unhealthy.to_string(), "unhealthy");
    }

    #[test]
    fn test_health_checker() {
        let mut checker = HealthChecker::new();

        checker.register_check("database".to_string(), || ComponentHealth {
            status: HealthStatus::Healthy,
            response_time_ms: Some(5),
            error: None,
            metadata: HashMap::new(),
        });

        let result = checker.check_health();
        assert_eq!(result.status, HealthStatus::Healthy);
        assert!(result.checks.contains_key("database"));
    }

    #[test]
    fn test_request_log_creation() {
        let log = RequestLog::new(
            "req-123".to_string(),
            "POST".to_string(),
            "/graphql".to_string(),
            "127.0.0.1".to_string(),
        );

        assert_eq!(log.request_id, "req-123");
        assert_eq!(log.method, "POST");
        assert_eq!(log.status_code, 200);
    }

    #[test]
    fn test_metrics_prometheus_export() {
        let mut metrics = Metrics::new();
        metrics.requests_total = 100;
        metrics.errors_total = 5;
        metrics.active_connections = 10;

        let output = metrics.to_prometheus();
        assert!(output.contains("oxirs_gql_requests_total 100"));
        assert!(output.contains("oxirs_gql_errors_total 5"));
        assert!(output.contains("oxirs_gql_active_connections 10"));
    }

    #[test]
    fn test_circuit_breaker_config() {
        let config = CircuitBreakerConfig::default();
        assert_eq!(config.failure_threshold, 5);
        assert_eq!(config.success_threshold, 2);
    }

    #[tokio::test]
    async fn test_circuit_breaker_state() {
        let breaker = CircuitBreaker::new(CircuitBreakerConfig::default());

        assert!(breaker.is_allowed().await);
        assert_eq!(breaker.get_state().await, CircuitState::Closed);
    }

    #[tokio::test]
    async fn test_circuit_breaker_failure() {
        let config = CircuitBreakerConfig {
            failure_threshold: 2,
            ..Default::default()
        };

        let breaker = CircuitBreaker::new(config);

        breaker.record_failure().await;
        assert_eq!(breaker.get_state().await, CircuitState::Closed);

        breaker.record_failure().await;
        assert_eq!(breaker.get_state().await, CircuitState::Open);
        assert!(!breaker.is_allowed().await);
    }

    #[tokio::test]
    async fn test_circuit_breaker_recovery() {
        let config = CircuitBreakerConfig {
            failure_threshold: 1,
            success_threshold: 1,
            timeout: 0, // Immediate recovery test
            ..Default::default()
        };

        let breaker = CircuitBreaker::new(config);

        breaker.record_failure().await;
        assert_eq!(breaker.get_state().await, CircuitState::Open);

        // Simulate timeout
        tokio::time::sleep(Duration::from_millis(100)).await;

        assert!(breaker.is_allowed().await);
        assert_eq!(breaker.get_state().await, CircuitState::HalfOpen);

        breaker.record_success().await;
        assert_eq!(breaker.get_state().await, CircuitState::Closed);
    }
}