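import { requireUser } from "../../utils/auth";
import { usePrisma } from "../../utils/prisma";

/**
 * POST /api/protection/dev-force-disabled
 *
 * DEV/STAGING ONLY: sets protectionDisabledAt to the current time without the
 * cooldown lead time. Backs a frontend debug button used for screenshot
 * capture (Android a11y reset flow).
 *
 * Environment guard: the request is rejected with 403 when appUrl is missing
 * or empty, or when it contains "rebreak.org" but not "staging".
 *
 * Once the flag is set:
 * - /api/protection/state returns protectionShouldBeActive=false
 * - the frontend's enforceProtection loop no longer triggers auto-reactivation
 * - the user can open the a11y settings and toggle the ReBreak service off
 *   manually
 *
 * To re-enable: POST /api/protection/mark-active (clears the flag).
 *
 * NOTE(review): the guard is a substring denylist on a configured URL, so any
 * deployment whose appUrl does not contain "rebreak.org" still exposes this
 * route to every signed-in user. An explicit server-side opt-in for debug
 * routes would be a stronger control; confirm which environments are meant to
 * reach it.
 */
export default defineEventHandler(async (event) => {
  // Resolve the caller before anything else; the write below is scoped to this
  // user's own profile row (where: { id: user.id }).
  const user = await requireUser(event);

  const config = useRuntimeConfig(event);

  // Narrow at runtime instead of asserting with `as string`, so a missing or
  // non-string setting becomes "" rather than a value the guard cannot reason
  // about.
  const rawAppUrl: unknown = config.public?.appUrl;
  const appUrl = typeof rawAppUrl === "string" ? rawAppUrl.trim() : "";

  const isProductionUrl =
    appUrl.includes("rebreak.org") && !appUrl.includes("staging");

  // Fail closed: an unset appUrl previously evaluated as "not production" and
  // left this cooldown bypass enabled. A deployment that cannot state where it
  // is running is now treated like production.
  if (appUrl === "" || isProductionUrl) {
    throw createError({ statusCode: 403, message: "dev-only" });
  }

  const db = usePrisma();
  await db.profile.update({
    where: { id: user.id },
    data: { protectionDisabledAt: new Date() },
  });

  return { success: true };
});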