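"""
Security and compliance utilities.

This module provides a unified interface for security features including
audit logging, GDPR compliance, and encryption.

Usage:
    from security import (
        audit_logger,
        AuditAction,
        gdpr_service,
        ConsentType,
        field_encryption
    )
"""

from .audit import (
    AuditLogger,
    AuditAction,
    AuditEntry,
    audit_logger,
    log_login_success,
    log_login_failure,
    log_data_access,
    log_data_modification,
    log_security_event,
    SENSITIVE_FIELDS,
)
from .gdpr import (
    GDPRService,
    ConsentType,
    DataCategory,
    DeletionStatus,
    ExportStatus,
    Consent,
    DeletionRequest,
    ExportRequest,
    gdpr_service,
    consent_required,
)
from .encryption import (
    FieldEncryption,
    EncryptedValue,
    EncryptionError,
    DecryptionError,
    EncryptionNotConfigured,
    field_encryption,
    encrypt_sensitive_fields,
    decrypt_sensitive_fields,
    generate_encryption_key,
    mask_sensitive_value,
    ENCRYPTED_FIELDS,
)

__all__ = [
    # Audit
    "AuditLogger",
    "AuditAction",
    "AuditEntry",
    "audit_logger",
    "log_login_success",
    "log_login_failure",
    "log_data_access",
    "log_data_modification",
    "log_security_event",
    "SENSITIVE_FIELDS",
    # GDPR
    "GDPRService",
    "ConsentType",
    "DataCategory",
    "DeletionStatus",
    "ExportStatus",
    "Consent",
    "DeletionRequest",
    "ExportRequest",
    "gdpr_service",
    "consent_required",
    # Encryption
    "FieldEncryption",
    "EncryptedValue",
    "EncryptionError",
    "DecryptionError",
    "EncryptionNotConfigured",
    "field_encryption",
    "encrypt_sensitive_fields",
    "decrypt_sensitive_fields",
    "generate_encryption_key",
    "mask_sensitive_value",
    "ENCRYPTED_FIELDS",
    # Helpers defined in this module (previously missing from __all__, so
    # ``from security import *`` did not export them)
    "get_security_stats",
    "initialize_security",
    "SECURITY_CHECKLIST",
]


def get_security_stats() -> dict:
    """Return combined security statistics for monitoring.

    Returns:
        A dict with three keys:

        * ``"audit"``: ``audit_logger.stats`` as exposed by the audit module.
        * ``"gdpr"``: ``gdpr_service.stats`` as exposed by the GDPR module.
        * ``"encryption"``: a dict with ``"configured"``
          (``field_encryption.is_configured``) and ``"encrypted_tables"``
          (the keys of ``ENCRYPTED_FIELDS``; by the key's name these are
          table names -- confirm against the encryption module).

        The shape of the ``audit`` and ``gdpr`` entries is whatever the
        respective services expose; this function does not inspect or
        filter them.
    """
    return {
        "audit": audit_logger.stats,
        "gdpr": gdpr_service.stats,
        "encryption": {
            "configured": field_encryption.is_configured,
            # Only the top-level keys are reported; the per-table field
            # lists in ENCRYPTED_FIELDS stay out of the stats payload.
            "encrypted_tables": list(ENCRYPTED_FIELDS),
        },
    }


def initialize_security(db=None) -> None:
    """Initialize all security services.

    Wires the shared ``audit_logger`` and ``gdpr_service`` instances to a
    database so that audit entries and GDPR records are persisted.

    Args:
        db: Database instance for persistent storage. When ``None`` (the
            default) nothing is wired up and both services keep whatever
            storage they were created with.
    """
    # Compare against None explicitly rather than relying on truthiness:
    # a database handle may define __bool__/__len__ (e.g. "no rows yet")
    # and would otherwise be skipped silently, leaving the audit trail and
    # GDPR records unpersisted without any error.
    if db is not None:
        audit_logger.set_database(db)
        gdpr_service.set_database(db)


# Security checklist for compliance.
#
# NOTE: this is a declarative inventory of the controls the application is
# expected to have. Nothing in this module verifies at runtime that any of
# these controls is actually in place or configured as described, so treat
# it as documentation for compliance reviews, not as evidence, and keep it
# in sync whenever a control changes.
SECURITY_CHECKLIST = {
    "authentication": {
        "password_hashing": "bcrypt with salt",
        "session_management": "JWT with short expiry",
        "2fa": "TOTP-based",
        "brute_force_protection": "Rate limiting",
    },
    "authorization": {
        "model": "RBAC",
        "admin_separation": True,
        "principle_of_least_privilege": True,
    },
    "data_protection": {
        "encryption_at_rest": "Field-level AES-256",
        "encryption_in_transit": "TLS 1.3",
        "data_classification": True,
        "backup_encryption": True,
    },
    "audit_compliance": {
        "audit_logging": True,
        "log_retention": "7 years",
        "tamper_protection": "Append-only logs",
    },
    "gdpr_compliance": {
        "consent_management": True,
        "data_export": True,
        "data_deletion": True,
        "privacy_policy": True,
    },
    "security_headers": {
        "hsts": True,
        "csp": True,
        "x_frame_options": "DENY",
        "x_content_type_options": "nosniff",
    },
}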