"""DetectionRule model — detection rules from multiple sources."""

import uuid
from datetime import datetime

from sqlalchemy import Column, String, Text, Boolean, DateTime, Index
from sqlalchemy.dialects.postgresql import UUID, JSONB

from app.database import Base


class DetectionRule(Base):
    """
    Detection rule from an external source (Sigma, Elastic, Splunk, custom).

    Each rule is mapped to one MITRE ATT&CK technique via
    ``mitre_technique_id`` and stores the complete rule content in
    ``rule_content``.
    """
    __tablename__ = "detection_rules"

    id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
    mitre_technique_id = Column(String, nullable=False)            # e.g. "T1059.001"
    title = Column(String, nullable=False)
    description = Column(Text, nullable=True)
    source = Column(String, nullable=False)                        # sigma / elastic / splunk / custom
    source_id = Column(String, nullable=True)                      # ID in the source repo (for dedup)
    source_url = Column(String, nullable=True)
    rule_content = Column(Text, nullable=False)                    # YAML / KQL / SPL content
    rule_format = Column(String, nullable=False)                   # sigma_yaml / kql / spl / custom
    severity = Column(String, nullable=True)                       # informational / low / medium / high / critical
    platforms = Column(JSONB, nullable=True, default=[])
    log_sources = Column(JSONB, nullable=True)                     # e.g. {"product": "windows", "service": "sysmon"}
    false_positive_rate = Column(String, nullable=True)            # low / medium / high
    is_active = Column(Boolean, default=True)
    created_at = Column(DateTime, default=datetime.utcnow)

    __table_args__ = (
        Index('ix_detection_rules_mitre_technique_id', 'mitre_technique_id'),
        Index('ix_detection_rules_source', 'source'),
        Index('ix_detection_rules_severity', 'severity'),
    )