breakpilot-compliance/backend-compliance/compliance/api/obligation_routes.py

"""
FastAPI routes for Compliance Obligations Tracking.

Endpoints:
  GET    /obligations           — list with filters (status, priority, source, limit, offset)
  POST   /obligations           — create obligation
  GET    /obligations/stats     — counts per status and priority
  GET    /obligations/{id}      — get single obligation
  PUT    /obligations/{id}      — update obligation
  PUT    /obligations/{id}/status — quick status update
  DELETE /obligations/{id}      — delete obligation
"""

import logging
from datetime import datetime, timezone
from typing import Optional, List, Any, Dict

from fastapi import APIRouter, Depends, HTTPException, Query, Header
from pydantic import BaseModel
from sqlalchemy import text
from sqlalchemy.orm import Session

from classroom_engine.database import get_db
from .tenant_utils import get_tenant_id as _get_tenant_id
from .db_utils import row_to_dict as _row_to_dict

logger = logging.getLogger(__name__)
router = APIRouter(prefix="/obligations", tags=["obligations"])


# =============================================================================
# Pydantic Schemas
# =============================================================================

class ObligationCreate(BaseModel):
    title: str
    description: Optional[str] = None
    source: str = "DSGVO"
    source_article: Optional[str] = None
    deadline: Optional[datetime] = None
    status: str = "pending"
    priority: str = "medium"
    responsible: Optional[str] = None
    linked_systems: Optional[List[str]] = None
    assessment_id: Optional[str] = None
    rule_code: Optional[str] = None
    notes: Optional[str] = None


class ObligationUpdate(BaseModel):
    title: Optional[str] = None
    description: Optional[str] = None
    source: Optional[str] = None
    source_article: Optional[str] = None
    deadline: Optional[datetime] = None
    status: Optional[str] = None
    priority: Optional[str] = None
    responsible: Optional[str] = None
    linked_systems: Optional[List[str]] = None
    notes: Optional[str] = None


class ObligationStatusUpdate(BaseModel):
    status: str



# =============================================================================
# Routes
# =============================================================================

@router.get("")
async def list_obligations(
    status: Optional[str] = Query(None),
    priority: Optional[str] = Query(None),
    source: Optional[str] = Query(None),
    search: Optional[str] = Query(None),
    limit: int = Query(100, ge=1, le=500),
    offset: int = Query(0, ge=0),
    db: Session = Depends(get_db),
    tenant_id: str = Depends(_get_tenant_id),
):
    """List obligations with optional filters."""

    where_clauses = ["tenant_id = :tenant_id"]
    params: Dict[str, Any] = {"tenant_id": tenant_id, "limit": limit, "offset": offset}

    if status:
        where_clauses.append("status = :status")
        params["status"] = status
    if priority:
        where_clauses.append("priority = :priority")
        params["priority"] = priority
    if source:
        where_clauses.append("source ILIKE :source")
        params["source"] = f"%{source}%"
    if search:
        where_clauses.append("(title ILIKE :search OR description ILIKE :search)")
        params["search"] = f"%{search}%"

    where_sql = " AND ".join(where_clauses)

    total_row = db.execute(
        text(f"SELECT COUNT(*) FROM compliance_obligations WHERE {where_sql}"),
        params,
    ).fetchone()
    total = total_row[0] if total_row else 0

    rows = db.execute(
        text(f"""
            SELECT * FROM compliance_obligations
            WHERE {where_sql}
            ORDER BY
                CASE priority
                    WHEN 'critical' THEN 0
                    WHEN 'high' THEN 1
                    WHEN 'medium' THEN 2
                    ELSE 3
                END,
                CASE status
                    WHEN 'overdue' THEN 0
                    WHEN 'in-progress' THEN 1
                    WHEN 'pending' THEN 2
                    ELSE 3
                END,
                created_at DESC
            LIMIT :limit OFFSET :offset
        """),
        params,
    ).fetchall()

    return {
        "obligations": [_row_to_dict(r) for r in rows],
        "total": total,
    }


@router.get("/stats")
async def get_obligation_stats(
    db: Session = Depends(get_db),
    tenant_id: str = Depends(_get_tenant_id),
):
    """Return obligation counts per status and priority."""

    rows = db.execute(text("""
        SELECT
            COUNT(*) FILTER (WHERE status = 'pending')     AS pending,
            COUNT(*) FILTER (WHERE status = 'in-progress') AS in_progress,
            COUNT(*) FILTER (WHERE status = 'overdue')     AS overdue,
            COUNT(*) FILTER (WHERE status = 'completed')   AS completed,
            COUNT(*) FILTER (WHERE priority = 'critical')  AS critical,
            COUNT(*) FILTER (WHERE priority = 'high')      AS high,
            COUNT(*)                                        AS total
        FROM compliance_obligations
        WHERE tenant_id = :tenant_id
    """), {"tenant_id": tenant_id}).fetchone()

    if rows:
        d = dict(rows._mapping)
        return {k: (v or 0) for k, v in d.items()}
    return {"pending": 0, "in_progress": 0, "overdue": 0, "completed": 0, "critical": 0, "high": 0, "total": 0}


@router.post("", status_code=201)
async def create_obligation(
    payload: ObligationCreate,
    db: Session = Depends(get_db),
    tenant_id: str = Depends(_get_tenant_id),
    x_user_id: Optional[str] = Header(None),
):
    """Create a new compliance obligation."""
    logger.info("create_obligation user_id=%s tenant_id=%s title=%s", x_user_id, tenant_id, payload.title)

    import json
    linked_systems = json.dumps(payload.linked_systems or [])

    row = db.execute(text("""
        INSERT INTO compliance_obligations
            (tenant_id, title, description, source, source_article, deadline,
             status, priority, responsible, linked_systems, assessment_id, rule_code, notes)
        VALUES
            (:tenant_id, :title, :description, :source, :source_article, :deadline,
             :status, :priority, :responsible, CAST(:linked_systems AS jsonb), :assessment_id, :rule_code, :notes)
        RETURNING *
    """), {
        "tenant_id": tenant_id,
        "title": payload.title,
        "description": payload.description,
        "source": payload.source,
        "source_article": payload.source_article,
        "deadline": payload.deadline,
        "status": payload.status,
        "priority": payload.priority,
        "responsible": payload.responsible,
        "linked_systems": linked_systems,
        "assessment_id": payload.assessment_id,
        "rule_code": payload.rule_code,
        "notes": payload.notes,
    }).fetchone()
    db.commit()
    return _row_to_dict(row)


@router.get("/{obligation_id}")
async def get_obligation(
    obligation_id: str,
    db: Session = Depends(get_db),
    tenant_id: str = Depends(_get_tenant_id),
):
    row = db.execute(text("""
        SELECT * FROM compliance_obligations
        WHERE id = :id AND tenant_id = :tenant_id
    """), {"id": obligation_id, "tenant_id": tenant_id}).fetchone()
    if not row:
        raise HTTPException(status_code=404, detail="Obligation not found")
    return _row_to_dict(row)


@router.put("/{obligation_id}")
async def update_obligation(
    obligation_id: str,
    payload: ObligationUpdate,
    db: Session = Depends(get_db),
    tenant_id: str = Depends(_get_tenant_id),
    x_user_id: Optional[str] = Header(None),
):
    """Update an obligation's fields."""
    logger.info("update_obligation user_id=%s tenant_id=%s id=%s", x_user_id, tenant_id, obligation_id)
    import json

    updates: Dict[str, Any] = {"id": obligation_id, "tenant_id": tenant_id, "updated_at": datetime.now(timezone.utc)}
    set_clauses = ["updated_at = :updated_at"]

    for field, value in payload.model_dump(exclude_unset=True).items():
        if field == "linked_systems":
            updates["linked_systems"] = json.dumps(value or [])
            set_clauses.append("linked_systems = CAST(:linked_systems AS jsonb)")
        else:
            updates[field] = value
            set_clauses.append(f"{field} = :{field}")

    if len(set_clauses) == 1:
        raise HTTPException(status_code=400, detail="No fields to update")

    row = db.execute(text(f"""
        UPDATE compliance_obligations
        SET {', '.join(set_clauses)}
        WHERE id = :id AND tenant_id = :tenant_id
        RETURNING *
    """), updates).fetchone()
    db.commit()

    if not row:
        raise HTTPException(status_code=404, detail="Obligation not found")
    return _row_to_dict(row)


@router.put("/{obligation_id}/status")
async def update_obligation_status(
    obligation_id: str,
    payload: ObligationStatusUpdate,
    db: Session = Depends(get_db),
    tenant_id: str = Depends(_get_tenant_id),
    x_user_id: Optional[str] = Header(None),
):
    """Quick status update for an obligation."""
    logger.info("update_obligation_status user_id=%s tenant_id=%s id=%s status=%s", x_user_id, tenant_id, obligation_id, payload.status)
    valid_statuses = {"pending", "in-progress", "completed", "overdue"}
    if payload.status not in valid_statuses:
        raise HTTPException(status_code=400, detail=f"Invalid status. Must be one of: {', '.join(valid_statuses)}")

    row = db.execute(text("""
        UPDATE compliance_obligations
        SET status = :status, updated_at = :now
        WHERE id = :id AND tenant_id = :tenant_id
        RETURNING *
    """), {"status": payload.status, "now": datetime.now(timezone.utc), "id": obligation_id, "tenant_id": tenant_id}).fetchone()
    db.commit()

    if not row:
        raise HTTPException(status_code=404, detail="Obligation not found")
    return _row_to_dict(row)


@router.delete("/{obligation_id}", status_code=204)
async def delete_obligation(
    obligation_id: str,
    db: Session = Depends(get_db),
    tenant_id: str = Depends(_get_tenant_id),
    x_user_id: Optional[str] = Header(None),
):
    logger.info("delete_obligation user_id=%s tenant_id=%s id=%s", x_user_id, tenant_id, obligation_id)
    result = db.execute(text("""
        DELETE FROM compliance_obligations
        WHERE id = :id AND tenant_id = :tenant_id
    """), {"id": obligation_id, "tenant_id": tenant_id})
    db.commit()
    if result.rowcount == 0:
        raise HTTPException(status_code=404, detail="Obligation not found")


# =============================================================================
# Versioning
# =============================================================================

@router.get("/{obligation_id}/versions")
async def list_obligation_versions(
    obligation_id: str,
    db: Session = Depends(get_db),
    tenant_id: str = Depends(_get_tenant_id),
):
    """List all versions for an Obligation."""
    from .versioning_utils import list_versions
    return list_versions(db, "obligation", obligation_id, tenant_id)


@router.get("/{obligation_id}/versions/{version_number}")
async def get_obligation_version(
    obligation_id: str,
    version_number: int,
    db: Session = Depends(get_db),
    tenant_id: str = Depends(_get_tenant_id),
):
    """Get a specific Obligation version with full snapshot."""
    from .versioning_utils import get_version
    v = get_version(db, "obligation", obligation_id, version_number, tenant_id)
    if not v:
        raise HTTPException(status_code=404, detail=f"Version {version_number} not found")
    return v