package api

import (
	"strconv"

	"github.com/alexei/tinyforge/internal/store"
)

// generateWebhookSecret is a one-line bridge to store.GenerateWebhookSecret
// so the api handlers and the store CRUD share one secret-generation
// path — no panic-vs-UUID-fallback divergence.
func generateWebhookSecret() string { return store.GenerateWebhookSecret() }

// webhookURLResponse is the common payload returned by every webhook
// endpoint. Clients never see raw secrets except at issue/rotate time via
// these fields; the URL shape is "/api/webhook/..." so callers can prepend
// their own origin.
type webhookURLResponse struct {
	WebhookURL              string `json:"webhook_url"`
	WebhookSecret           string `json:"webhook_secret"`
	HasSigningSecret        bool   `json:"has_signing_secret"`
	WebhookRequireSignature bool   `json:"webhook_require_signature"`
}

// signingSecretResponse is returned when a signing secret is issued or rotated.
type signingSecretResponse struct {
	SigningSecret string `json:"signing_secret"`
}

// parseLimit clamps a query-string limit to [1, max], falling back to def.
func parseLimit(raw string, def, max int) int {
	if raw == "" {
		return def
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n <= 0 {
		return def
	}
	if n > max {
		return max
	}
	return n
}