from fastapi import APIRouter, Depends, HTTPException
from sqlmodel import Session, select
from app.db import get_session
from app.models import Assessment, Control, User
from app.schemas import AssessmentUpdate
from app.security import get_current_user, require_roles, WRITE_ROLES
from app.services.audit import audit
# Router that carries every endpoint in this module; all paths below are
# relative to the "/assessments" prefix.
router = APIRouter(
    prefix="/assessments",
    tags=["assessments"],
)
@router.get("")
def list_assessments(
    user: User = Depends(get_current_user),
    session: Session = Depends(get_session),
):
    """Return every assessment of the caller's tenant, paired with its control.

    The tenant filter is taken from the authenticated user, never from the
    request, so a caller cannot ask for another tenant's rows.

    Returns:
        A list of ``{"assessment": Assessment, "control": Control}`` dicts,
        one per joined row.
    """
    # NOTE(review): only Assessment is filtered by tenant; Control is matched
    # by id alone. If Control rows are tenant-scoped too, confirm that an
    # assessment can never reference another tenant's control.
    # NOTE(review): the result set is unbounded (no limit/offset).
    statement = (
        select(Assessment, Control)
        .join(Control, Assessment.control_id == Control.id)
        .where(Assessment.tenant_id == user.tenant_id)
    )
    pairs = session.exec(statement).all()

    payload = []
    for assessment, control in pairs:
        payload.append({"assessment": assessment, "control": control})
    return payload
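# Columns that identify a row or pin it to a tenant. They are never writable
# from a request body, whatever fields the update schema happens to declare.
_PROTECTED_ASSESSMENT_FIELDS = frozenset({"id", "tenant_id"})


@router.put("/{assessment_id}")
def update_assessment(
    assessment_id: int,
    data: AssessmentUpdate,
    user: User = Depends(require_roles(*WRITE_ROLES)),
    session: Session = Depends(get_session),
):
    """Overwrite one assessment of the caller's tenant with the fields in *data*.

    The caller is resolved through ``require_roles(*WRITE_ROLES)``
    (defined in app.security; presumably rejects users without a write role).

    Args:
        assessment_id: Primary key of the assessment, taken from the path.
        data: Request body; each of its fields is copied onto the row, except
            the protected identity/tenancy columns.
        user: Authenticated caller; its ``tenant_id`` scopes the lookup.
        session: Database session used for the read, the audit call and the commit.

    Returns:
        The refreshed ``Assessment`` row.

    Raises:
        HTTPException: 404 when the id does not exist or belongs to another tenant.
    """
    assessment = session.get(Assessment, assessment_id)
    # One answer for "no such row" and "row of another tenant", so the
    # response does not reveal whether a foreign id exists.
    if not assessment or assessment.tenant_id != user.tenant_id:
        raise HTTPException(404, "Assessment not found")

    # Defence in depth against mass assignment: the tenant check above is only
    # meaningful if the body cannot rewrite tenant_id or id afterwards. The
    # AssessmentUpdate schema is not visible here, so the guard is enforced
    # in the handler instead of relying on the schema's field list.
    # NOTE(review): model_dump() without exclude_unset emits every schema
    # field, so fields the client omitted are written with their schema
    # defaults; confirm full replacement is the intended PUT behaviour.
    for field, value in data.model_dump().items():
        if field in _PROTECTED_ASSESSMENT_FIELDS:
            continue
        setattr(assessment, field, value)

    # The audit payload mirrors what was actually applied to the row.
    applied = {
        field: value
        for field, value in data.model_dump(mode="json").items()
        if field not in _PROTECTED_ASSESSMENT_FIELDS
    }

    session.add(assessment)
    # audit() receives the same session before commit; presumably the audit
    # record is persisted in the same transaction as the change (confirm in
    # app.services.audit).
    audit(session, user, "update", "assessment", assessment.id, applied)
    session.commit()
    session.refresh(assessment)
    return assessment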
