from fastapi import APIRouter, Depends, HTTPException
from sqlmodel import Session, select
from app.db import get_session
from app.models import Policy, PolicyAcknowledgement, User
from app.schemas import PolicyCreate
from app.security import get_current_user, require_roles, WRITE_ROLES
from app.services.audit import audit
# All routes in this module are mounted under /policies.
router = APIRouter(
    prefix="/policies",
    tags=["policies"],
)
@router.get("")
def list_policies(
    user: User = Depends(get_current_user),
    session: Session = Depends(get_session),
):
    """Return every policy that belongs to the authenticated caller's tenant.

    The query is filtered on ``user.tenant_id``, so rows from other tenants
    are never selected. Any authenticated user may call this; no role check
    is applied here.

    No ``response_model`` is declared on the route, so the response contains
    whatever the ``Policy`` model serializes to, and the result set is not
    paginated.
    """
    tenant_scoped = select(Policy).where(Policy.tenant_id == user.tenant_id)
    rows = session.exec(tenant_scoped)
    return rows.all()
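@router.post("")
def create_policy(
    data: PolicyCreate,
    user: User = Depends(require_roles(*WRITE_ROLES)),
    session: Session = Depends(get_session),
):
    """Create a policy in the caller's tenant and record an audit entry.

    Access is limited to callers accepted by ``require_roles(*WRITE_ROLES)``.
    The tenant is taken from the authenticated user, not from the request
    body.

    The policy row and its audit entry are persisted by a single commit: the
    row is flushed (not committed) to obtain its primary key, ``audit`` is
    called, and only then is the transaction committed. If ``audit`` raises,
    this function commits nothing, so a policy is not left behind without an
    audit record.

    Returns:
        The refreshed ``Policy`` instance.
    """
    # NOTE(review): every field of PolicyCreate is copied onto the model;
    # confirm the schema exposes only client-settable fields. A "tenant_id"
    # key in the dump would raise TypeError here rather than override the
    # caller's tenant.
    policy = Policy(tenant_id=user.tenant_id, **data.model_dump())
    session.add(policy)

    # Flush so policy.id is populated while the transaction stays open.
    session.flush()

    # Assumes audit() only adds to the session and does not commit itself,
    # as the single-commit usage in acknowledge() suggests; confirm.
    audit(session, user, "create", "policy", policy.id, {})

    session.commit()
    session.refresh(policy)
    return policy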
@router.post("/{policy_id}/acknowledge")
def acknowledge(
    policy_id: int,
    user: User = Depends(get_current_user),
    session: Session = Depends(get_session),
):
    """Record that the authenticated user acknowledged a policy.

    The policy is looked up by primary key and must belong to the caller's
    tenant. A missing policy and a policy owned by another tenant both yield
    the same 404, so the response does not reveal whether an id exists
    elsewhere.

    The acknowledgement row and the audit entry are added to the session and
    persisted by one commit.

    Raises:
        HTTPException: 404 when the policy does not exist or belongs to a
            different tenant.

    Returns:
        ``{"ok": True}`` on success.
    """
    policy = session.get(Policy, policy_id)
    missing = not policy
    if missing or policy.tenant_id != user.tenant_id:
        raise HTTPException(status_code=404, detail="Policy not found")

    # NOTE(review): nothing here checks for an existing acknowledgement by
    # the same user; confirm whether repeats are intended or are rejected by
    # a database constraint.
    acknowledgement = PolicyAcknowledgement(
        tenant_id=user.tenant_id,
        policy_id=policy_id,
        user_id=user.id,
    )
    session.add(acknowledgement)
    audit(session, user, "acknowledge", "policy", policy_id, {})
    session.commit()
    return {"ok": True}
