"""User schemas. ``password_hash`` is never exposed — only ``UserResponse``
fields leave the service."""

import datetime as dt
import uuid

from pydantic import BaseModel, ConfigDict, Field

from app.domain.entities import User


class UserResponse(BaseModel):
    model_config = ConfigDict(from_attributes=True)

    id: uuid.UUID
    username: str
    is_superuser: bool
    is_active: bool
    created_at: dt.datetime
    updated_at: dt.datetime

    @classmethod
    def from_entity(cls, user: User) -> UserResponse:
        return cls.model_validate(user)


class CreateUserRequest(BaseModel):
    username: str = Field(min_length=1, max_length=64)
    password: str = Field(min_length=8)
    is_superuser: bool = False


class UpdateUserRequest(BaseModel):
    """Admin patch — every field optional; only provided ones change."""

    is_superuser: bool | None = None
    is_active: bool | None = None


class ResetPasswordRequest(BaseModel):
    new_password: str = Field(min_length=8)


class ChangePasswordRequest(BaseModel):
    current_password: str = Field(min_length=1)
    new_password: str = Field(min_length=8)