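import type { Prompter } from './prompts.js';
import type { ConfigBuilder } from './config.js';

/**
 * Choices offered by the "Tool policy profile" prompt.
 *
 * NOTE(review): the broadest profile ('full') is listed first and labelled
 * "recommended". Whether `Prompter.choose` preselects the first entry is not
 * visible here; if it does, accepting defaults grants every tool. Confirm this
 * matches the intended least-privilege posture.
 */
const TOOL_PROFILES = [
  { label: 'full (recommended)', value: 'full' as const },
  { label: 'coding (fs + runtime)', value: 'coding' as const },
  { label: 'messaging (read + services, no shell/writes)', value: 'messaging' as const },
  { label: 'minimal (status only)', value: 'minimal' as const },
];

/** Choices offered by the "Research agent model tier" prompt. */
const RESEARCH_AGENT_TIERS = [
  { label: 'complex (recommended)', value: 'complex' as const },
  { label: 'default', value: 'default' as const },
  { label: 'fast', value: 'fast' as const },
  { label: 'local', value: 'local' as const },
];

/**
 * Interactive wizard step for the security-related settings: Docker
 * sandboxing, DM pairing, the tool policy profile and the optional research
 * agent. Answers are recorded on `builder`; nothing is returned.
 *
 * Declining a yes/no prompt does NOT call the matching setter with `false`;
 * the setting keeps whatever value the builder already holds.
 * NOTE(review): if the builder can be pre-populated (for example when the
 * wizard is re-run), a "no" answer would not turn a feature off — confirm
 * against ConfigBuilder.
 *
 * @param p - Prompter used for all output and questions.
 * @param builder - Configuration builder that receives the chosen settings.
 */
export async function setupSecurity(p: Prompter, builder: ConfigBuilder): Promise<void> {
  p.println(' Docker sandboxing runs tool commands in isolated containers.');
  p.println(' Requires Docker installed and running.');
  const sandbox = await p.confirm('Enable Docker sandboxing?', true);
  if (sandbox) {
    builder.setSandboxEnabled(true);
    p.println('✓ Docker sandboxing enabled');
  }

  p.println();
  p.println(' DM pairing requires unknown senders to enter a code before chatting.');
  p.println(' Generate codes via the gateway or TUI /pair command.');
  const pairing = await p.confirm('Enable DM pairing for unknown senders?', true);
  if (pairing) {
    builder.setPairingEnabled(true);
    p.println('✓ DM pairing enabled');
  }

  p.println();
  p.println(' Tool profiles control which tools the agent can use:');
  p.println(' full — all tools available (file, shell, web, memory, messaging) (default)');
  p.println(' coding — file system + shell + sessions + memory');
  p.println(' messaging — read-only + web/memory + connected services (no file writes/shell)');
  p.println(' minimal — status checks only (read-only, safest)');
  const profile = await p.choose('Tool policy profile:', TOOL_PROFILES);
  builder.setToolProfile(profile);

  // Per the descriptions printed above, only 'full' and 'coding' include shell
  // access. Surface the combination "shell allowed + sandbox declined" so the
  // operator makes that trade-off knowingly instead of by skipping a prompt.
  const shellCapable = profile === 'full' || profile === 'coding';
  if (!sandbox && shellCapable) {
    p.println(
      `⚠ Docker sandboxing was not enabled and the '${profile}' profile allows shell commands; ` +
        'they may run without container isolation.',
    );
  }

  // Sensitive mode is fixed by the wizard rather than prompted for.
  // NOTE(review): the exact semantics of 'confirm_without_elevation' are
  // defined in ConfigBuilder, not here — verify it is the intended default.
  builder.setSensitiveMode('confirm_without_elevation');

  p.println();
  p.println(' Research agent adds a dedicated specialist for deep web research.');
  p.println(' Enables /research command and automatic routing for messages starting with "research ..." or "look up ...".');
  const enableResearchAgent = await p.confirm('Enable a dedicated research agent?', true);
  if (enableResearchAgent) {
    const tier = await p.choose('Research agent model tier:', RESEARCH_AGENT_TIERS);
    builder.setResearchAgentEnabled({ modelTier: tier });
    p.println(`✓ Research agent enabled (tier=${tier})`);
  }
}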