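import { NextRequest, NextResponse } from 'next/server'
import { getSessionFromCookie, logAudit } from '@/lib/auth'

/**
 * Audit actions a browser client may self-report.
 *
 * The allowlist exists so an authenticated user cannot write arbitrary event
 * types into the audit trail and masquerade as server-originated events.
 * Anything outside this list is rejected with 400.
 */
const ALLOWED_ACTIONS = [
  'slide_viewed',
  'assumption_changed',
  'chat_message_sent',
  'snapshot_saved',
  'snapshot_restored',
] as const
type ClientAuditAction = (typeof ALLOWED_ACTIONS)[number]

/**
 * Upper bound on the serialized `details` object, in UTF-16 code units.
 * `details` is client-controlled and is persisted by `logAudit`; without a cap
 * a single authenticated user could bloat the audit store with one request.
 * Adjust if the legitimate client payloads are known to be larger.
 */
const MAX_DETAILS_LENGTH = 4096

/** Type guard: `value` is one of the allowlisted client audit actions. */
function isClientAuditAction(value: unknown): value is ClientAuditAction {
  return typeof value === 'string' && (ALLOWED_ACTIONS as readonly string[]).includes(value)
}

/** Type guard: `value` is a non-null, non-array object (what we accept for `details`). */
function isPlainObject(value: unknown): value is Record<string, unknown> {
  return typeof value === 'object' && value !== null && !Array.isArray(value)
}

/**
 * POST: record a client-reported audit event for the authenticated session.
 *
 * Request body (JSON): `{ action: string, details?: object, slide_id?: string }`.
 *
 * Responses:
 *  - 401 if there is no session cookie / the session is invalid.
 *  - 400 if the body is not valid JSON, is not an object, `action` is missing,
 *    not a string, or not in `ALLOWED_ACTIONS`, `details` is not a plain object,
 *    or `slide_id` is present but not a string.
 *  - 413 if the serialized `details` exceeds `MAX_DETAILS_LENGTH`.
 *  - 200 `{ success: true }` once `logAudit` has completed.
 *
 * NOTE(review): every field here is asserted by the client. The entry proves
 * that *this session* reported the event, not that the event actually occurred
 * server-side; consumers of the audit log should treat these rows accordingly.
 */
export async function POST(request: NextRequest) {
  const session = await getSessionFromCookie()
  if (!session) {
    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
  }

  // A malformed body must not surface as an unhandled 500 — map it to 400.
  let body: unknown
  try {
    body = await request.json()
  } catch {
    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })
  }
  if (!isPlainObject(body)) {
    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })
  }

  const { action, details, slide_id } = body

  if (!action || typeof action !== 'string') {
    return NextResponse.json({ error: 'action required' }, { status: 400 })
  }
  // Only allow known client-side actions (see ALLOWED_ACTIONS for the why).
  if (!isClientAuditAction(action)) {
    return NextResponse.json({ error: 'Invalid action' }, { status: 400 })
  }

  // `details || {}` deliberately keeps the original falsy-to-empty behaviour;
  // anything truthy must then be a plain object and stay within the size cap.
  const safeDetails: unknown = details || {}
  if (!isPlainObject(safeDetails)) {
    return NextResponse.json({ error: 'details must be an object' }, { status: 400 })
  }
  if (JSON.stringify(safeDetails).length > MAX_DETAILS_LENGTH) {
    return NextResponse.json({ error: 'details too large' }, { status: 413 })
  }

  // slide_id is optional; when present it must be a string so the audit
  // store receives a consistent type rather than arbitrary client JSON.
  if (slide_id != null && typeof slide_id !== 'string') {
    return NextResponse.json({ error: 'slide_id must be a string' }, { status: 400 })
  }

  // Assumes logAudit derives client metadata (e.g. IP / user agent) from
  // `request` rather than trusting the body — confirm in '@/lib/auth'.
  await logAudit(session.sub, action, safeDetails, request, slide_id, session.sessionId)
  return NextResponse.json({ success: true })
}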