"""Superadmin model."""
import logging
from datetime import datetime, timezone

from gatehouse_app.extensions import db
from gatehouse_app.models.base import BaseModel


logger = logging.getLogger(__name__)


class Superadmin(BaseModel):
    """Superadmin model for SaaS platform operators.
    
    Completely separate from User model - has its own email/password auth.
    """
    
    __tablename__ = "superadmins"
    
    email = db.Column(db.String(255), unique=True, nullable=False, index=True)
    password_hash = db.Column(db.String(255), nullable=False)
    full_name = db.Column(db.String(255), nullable=True)
    is_active = db.Column(db.Boolean, default=True, nullable=False)
    last_login_at = db.Column(db.DateTime, nullable=True)
    
    # Relationship to sessions
    sessions = db.relationship(
        "SuperadminSession",
        back_populates="superadmin",
        cascade="all, delete-orphan"
    )
    
    # Relationship to audit logs
    audit_logs = db.relationship(
        "SuperadminAuditLog",
        back_populates="superadmin",
        cascade="all, delete-orphan"
    )
    
    def __repr__(self):
        return f"<Superadmin {self.email}>"
    
    def has_password_auth(self):
        """Check if superadmin has password authentication."""
        return bool(self.password_hash)
    
    def has_totp_enabled(self):
        """Check if superadmin has TOTP enabled."""
        # TODO: Implement TOTP for superadmin if needed
        return False
    
    def to_dict(self, exclude=None):
        """Convert to dictionary, excluding sensitive fields."""
        exclude = exclude or []
        exclude.append("password_hash")
        return super().to_dict(exclude=exclude)