"""User entity.

Admin is a single ``is_superuser`` flag — no role system in Phase 1 (kept
deliberately minimal; granular permissions are deferred, see plan §3.5).
``User`` is the outward-facing entity and never carries the password hash;
the hash lives on :class:`Credentials`, used only inside the auth service.
"""

import datetime as dt
import uuid
from dataclasses import dataclass


@dataclass(frozen=True, slots=True)
class User:
    """A person with access to the instance. The password hash is intentionally
    absent — see :class:`Credentials`."""

    id: uuid.UUID
    username: str
    is_superuser: bool
    is_active: bool
    created_at: dt.datetime
    updated_at: dt.datetime


@dataclass(frozen=True, slots=True)
class Credentials:
    """A user paired with their stored password hash. Stays inside the
    application layer — never serialized to clients."""

    user: User
    password_hash: str


@dataclass(frozen=True, slots=True)
class SubsonicCredentials:
    """A user paired with their *encrypted* Subsonic app-password.

    ``password_enc`` is ``None`` until the user generates one. Stays inside the
    application layer; the plaintext is only recovered for auth verification."""

    user: User
    password_enc: str | None