import { NextResponse } from "next/server";
import { getSessionUser } from "@/lib/session";
import { listSkillActivationRequestsForTenant } from "@/lib/db";
import { canUserSeeTenant } from "@/lib/visibility";
import { getTenant } from "@/lib/k8s";

/**
 * GET /api/skills/requests?tenant=<name>
 *
 * Returns pending and most-recent-rejected skill activation
 * requests for the named tenant. Used by the tenant settings page
 * to render the "Manual review pending" or "Activation rejected"
 * inline states on PackageCard.
 *
 * Authorization: the caller must be able to see the tenant (owner
 * of its org, assigned user, or platform admin).
 */
export async function GET(request: Request) {
  const user = await getSessionUser();
  if (!user) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }
  const { searchParams } = new URL(request.url);
  const tenantName = searchParams.get("tenant");
  if (!tenantName) {
    return NextResponse.json(
      { error: "Missing tenant parameter" },
      { status: 400 }
    );
  }
  const tenant = await getTenant(tenantName).catch(() => null);
  if (!tenant) {
    return NextResponse.json({ error: "Not found" }, { status: 404 });
  }
  if (!canUserSeeTenant(user, tenant)) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }
  const requests = await listSkillActivationRequestsForTenant(tenantName);
  return NextResponse.json(requests);
}