/**
 * Env: the Worker's configuration surface.
 *
 * Two independent gates can be turned on by configuration:
 *
 *   StoreKit  (entitlement): set ALLOWED_BUNDLE_IDS + APPLE_ROOT_CA_SHA256.
 *   App Attest (authenticity): set APP_ATTEST_TEAM_ID + APP_ATTEST_BUNDLE_ID.
 *
 * If neither is configured the Worker refuses to run (500). If both are
 * configured a request must clear both.
 *
 * On top of the gates, spend controls decide what an entitled caller may
 * spend: a model allowlist, a per-request max_tokens cap, and a per-caller
 * daily token budget. Each is optional and configuration-driven too.
 */
export interface Env {
  /** Anthropic API key. Set as a secret: `wrangler secret put ANTHROPIC_API_KEY`. */
  ANTHROPIC_API_KEY: string;

  // --- StoreKit entitlement gate (active when both are set) ---

  /** Comma-separated allowlist of app bundle IDs, e.g. "com.example.app". */
  ALLOWED_BUNDLE_IDS?: string;
  /** Comma-separated allowlist of product IDs. Empty/unset = accept any product. */
  ALLOWED_PRODUCT_IDS?: string;
  /** Hex SHA-256 of the DER-encoded "Apple Root CA - G3" certificate.
   *  Obtain and verify from https://www.apple.com/certificateauthority/ */
  APPLE_ROOT_CA_SHA256?: string;

  // --- App Attest authenticity gate (active when both are set) ---

  /** Apple Developer Team ID the app ships under, e.g. "ABCDE12345". */
  APP_ATTEST_TEAM_ID?: string;
  /** Bundle ID the attestation must be bound to, e.g. "com.example.app". */
  APP_ATTEST_BUNDLE_ID?: string;
  /** The "Apple App Attestation Root CA" certificate (PEM or base64 DER).
   *  The attestation's x5c omits the root, so a fingerprint cannot anchor the
   *  chain; the verifier needs the certificate itself. Obtain and verify from
   *  https://www.apple.com/certificateauthority/ */
  APP_ATTEST_ROOT_CA?: string;

  // --- Spend controls (each optional) ---

  /** Comma-separated allowlist of model IDs the proxy will forward. */
  ALLOWED_MODELS?: string;
  /** Upper bound on max_tokens per request, e.g. "4096". */
  MAX_TOKENS_LIMIT?: string;
  /** Tokens each caller may request per UTC day, e.g. "200000". Debited with
   *  the request's max_tokens before forwarding. */
  DAILY_TOKEN_BUDGET?: string;

  // --- Proxy configuration ---

  /** Comma-separated allowlist of upstream paths. Defaults to "/v1/messages". */
  ALLOWED_UPSTREAM_PATHS?: string;
  /** Anthropic API version header. Defaults to "2023-06-01". */
  ANTHROPIC_VERSION?: string;

  // --- Durable Object bindings (declared in wrangler.toml) ---

  /** Per-caller daily token budget. */
  TOKEN_BUDGET?: DurableObjectNamespaceLike;
  /** Registered App Attest public keys and assertion counters, per keyId. */
  ATTEST_KEYS?: DurableObjectNamespaceLike;
  /** One-time App Attest registration challenges. */
  ATTEST_CHALLENGES?: DurableObjectNamespaceLike;
  /** Revocation record per originalTransactionId, written by the webhook. */
  REVOCATIONS?: DurableObjectNamespaceLike;
}

/**
 * Minimal structural type for a Durable Object namespace binding, so the
 * bundle type-checks and tests run with zero installs instead of depending on
 * `@cloudflare/workers-types`. The real binding satisfies this shape.
 */
export interface DurableObjectNamespaceLike {
  idFromName(name: string): unknown;
  get(id: unknown): {
    fetch(input: string, init?: RequestInit): Promise<Response>;
  };
}

export const ANTHROPIC_BASE = "https://api.anthropic.com";
export const DEFAULT_ANTHROPIC_VERSION = "2023-06-01";
export const DEFAULT_UPSTREAM_PATHS = "/v1/messages";

/** Header carrying the StoreKit 2 signed transaction (JWS). */
export const TRANSACTION_HEADER = "X-IAP-Transaction";
/** Header carrying the App Attest assertion (base64). */
export const ASSERTION_HEADER = "X-App-Attest-Assertion";
/** Header carrying the App Attest key identifier the assertion was signed with. */
export const KEY_ID_HEADER = "X-App-Attest-Key-Id";

/** Route Apple's App Store Server Notifications V2 POSTs here. */
export const NOTIFICATIONS_PATH = "/apple/notifications";
/** Route the app's one-time App Attest key registration here. */
export const REGISTER_PATH = "/app-attest/register";
/** Route the app's registration-challenge requests here. */
export const CHALLENGE_PATH = "/app-attest/challenge";
