/**
 * authConfig.js — Tech Client (Staff Plane)
 *
 * ┌─────────────────────────────────────────────────────────────────────────┐
 * │  PRODUCTION MIGRATION — only these values change at handoff:            │
 * │                                                                         │
 * │  STAFF_AUTHORITY → 'https://login.microsoftonline.com/{ORG_TENANT}'     │
 * │  STAFF_TENANT_ID → new company org tenant ID                            │
 * │  STAFF_CLIENT_ID → staff app registration in org tenant                 │
 * │                                                                         │
 * │  No other code changes required anywhere.                               │
 * └─────────────────────────────────────────────────────────────────────────┘
 *
 * DEV NOTE: Staff currently authenticate against the CIAM tenant (same as
 * clients) because no org tenant exists yet. The login screen looks identical
 * to the client login — this is cosmetic only. API isolation is enforced by
 * audience: staff tokens are rejected by Gateway, client tokens by Management.
 *
 * NOTE(review): while staff and clients share one tenant, nothing in this file
 * separates the two populations; the isolation described above lives entirely
 * in the APIs' server-side token validation. Confirm that each API checks the
 * `aud` claim, and that the staff app registration restricts who may sign in
 * (e.g. user assignment required, or a staff role/group claim checked by the
 * Management API), so that a client account cannot obtain a staff-audience
 * token.
 */

// ── Staff Identity Config ─────────────────────────────────────────────────────
// Tenant and client IDs are public identifiers of a browser (public client)
// app, not credentials. No client secret belongs in this file.
const STAFF_TENANT_ID = 'f56a3c51-9b5c-4356-920f-b4dcf932a96b';
const STAFF_CLIENT_ID = '217928a9-4591-4dff-9f09-5b233824cf4f';

// PROD: swap to → 'https://login.microsoftonline.com/' + STAFF_TENANT_ID
// NOTE(review): the PROD expression above is the same as the current value, so
// in practice only STAFF_TENANT_ID changes here at handoff — confirm.
const STAFF_AUTHORITY = `https://login.microsoftonline.com/${STAFF_TENANT_ID}`;

// Both redirect targets are the origin the app is served from. The identity
// platform only redirects to URIs registered on the app registration, so every
// deployed origin has to be listed there.
const { origin: APP_ORIGIN } = window.location;

// Numeric MSAL log level → console method used to print it.
// MSAL's LogLevel enum: 0 = Error, 1 = Warning, 2 = Info, 3 = Verbose.
// Levels without an entry are dropped.
const CONSOLE_METHOD_BY_LEVEL = new Map([
  [0, 'error'],
  [1, 'warn'],
  [2, 'info'],
  [3, 'debug'],
]);

// ── MSAL Config ───────────────────────────────────────────────────────────────
export const msalConfig = {
  auth: {
    clientId: STAFF_CLIENT_ID,
    authority: STAFF_AUTHORITY,
    redirectUri: APP_ORIGIN,
    postLogoutRedirectUri: APP_ORIGIN,
    // After sign-in, return to the page that started the login.
    navigateToLoginRequestUrl: true,
  },
  cache: {
    // Tokens live in sessionStorage: scoped to the tab and cleared when it
    // closes, but readable by any script running in this origin. XSS hygiene
    // (and a restrictive CSP) is what protects them.
    cacheLocation: 'sessionStorage',
    storeAuthStateInCookie: false,
  },
  system: {
    loggerOptions: {
      /**
       * Forwards MSAL log lines to the browser console.
       * Messages MSAL flags as containing PII are never printed.
       */
      loggerCallback: (level, message, containsPii) => {
        if (containsPii) {
          return;
        }
        const method = CONSOLE_METHOD_BY_LEVEL.get(level);
        if (method !== undefined) {
          console[method](message);
        }
      },
      // 3 = Verbose.
      // NOTE(review): verbose output puts auth-flow detail in every user's
      // browser console; consider a lower level for production builds.
      logLevel: 3,
    },
  },
};

// Single delegated scope requested at sign-in. The GUID is the application ID
// of the API the token is issued for.
// NOTE(review): presumably the Management API, given the dev note in the
// header — confirm against the app registrations.
export const loginRequest = {
  scopes: ['api://4e4d69c3-558a-4a27-a689-17bd397175e5/access_as_user'],
};

// ── API Endpoints ─────────────────────────────────────────────────────────────
export const API_BASE = 'https://adpapi.usimdev.com'; // Gateway API
export const MGMT_BASE = 'https://adpmgmt.usimdev.com'; // Management API

// Legacy — kept for backward compatibility with apiClient.js
// NOTE(review): this endpoint is on the Gateway API, which per the header
// rejects staff tokens — confirm apiClient.js still needs it in the staff
// client.
export const SESSION_ENDPOINT = `${API_BASE}/api/auth/session`;