import logging         # log parse failures and malformed feeds without crashing

import feedparser      # universal RSS/Atom parser — handles most feed quirks
from dateutil import parser as dateparser, tz

def fetch(source: dict, max_articles: int = 20) -> list[dict]:
    """
    Fetch articles from one RSS/Atom feed and return normalised dicts.
    """
    try:
        resp = _requests.get(source["url"], timeout=15)
        feed = feedparser.parse(resp.content)
    except Exception as e:
        log.warning("RSS parse failed %s: %s", source["url"], e)
        return []

articles.append({
    "source_id":   source["id"],            # UUID — foreign key to sources table
    "source_name": source["name"],          # human-readable name — used in drop logs
    "client_id":   source["client_id"],     # UUID — which client owns this source
    "trust_score": source["trust_score"],   # 0.0–1.0 — used by Gate 1 rule 2

    "client_keywords": source["keywords"] or [],          # TEXT[] from DB
    "client_excluded": source["excluded_topics"] or [],   # TEXT[] from DB

    "url":          url,
    "title":        title,
    "summary":      summary[:2000],   # cap to prevent very long articles
    "published_at": published_at,     # datetime or None
})

articles = []

for entry in feed.entries[:max_articles]:
    url   = entry.get("link", "").strip()
    title = entry.get("title", "").strip()

    if not url or not title:
        continue  # skip this entry and move to the next

    articles.append({ ... })

return articles

@router.post("/admin/sources/{source_id}/toggle")
def admin_toggle_source(request: Request, source_id: str, client_id: str = Form(...)):
    _require_admin(request)
    ...
    return RedirectResponse(f"/admin/clients/{client_id}?flash=Source+updated", status_code=303)

def get_db():
    # Open a new Postgres connection using the DATABASE_URL from the K8s Secret.
    # connect_timeout=10 prevents the handler from hanging indefinitely if the DB
    # is temporarily unreachable — without this, psycopg2 blocks forever and
    # Cloudflare returns a 524 to the browser.
    # Caller is responsible for calling conn.close() — always use try/finally.
    return psycopg2.connect(DATABASE_URL, connect_timeout=10)

conn = get_db()
try:
    with conn.cursor() as cur:
        cur.execute("""
            SELECT id, source_type, name, url, trust_score, active, ...
            FROM sources WHERE client_id = %s ORDER BY source_type, name
        """, (client_id,))
        sources = cur.fetchall()
finally:
    conn.close()

with conn.cursor() as cur:
    cur.execute(
        "UPDATE sources SET active = NOT active WHERE id=%s RETURNING active",
        (source_id,),
    )
    new_state = cur.fetchone()[0]
conn.commit()

cur.execute("""
    SELECT id, source_type, name, url, trust_score, active, last_fetched, ...
    FROM sources WHERE client_id = %s ORDER BY source_type, name
""", (client_id,))
sources = cur.fetchall()
# sources = [
#   ("a1b2...", "rss", "Skift", "https://skift.com/feed", 0.8, True, ...),
#   ("c3d4...", "rss", "Hospitality Net", "https://...", 0.7, True, ...),
# ]

return templates.TemplateResponse("admin_client_edit.html", {
    "request": request,
    "client": client,
    "sources": sources,   # the list of tuples from cur.fetchall()
    "now": datetime.now(timezone.utc),
})

{% for sid, stype, sname, surl, strust, sactive, slast, serr, serrcount,
       serrat, ssugg, squarantined, squarcount, sauto in sources %}
{% if stype != 'competitor' %}
<tr>
  <td>{{ sname }}</td>
  <td>{{ surl }}</td>
  <td>{{ strust }}</td>
  <td>
    {% if sactive %}<span class="badge green">On</span>
    {% else %}<span class="badge red">Off</span>{% endif %}
  </td>
</tr>
{% endif %}
{% endfor %}

<form class="inline-form" method="POST" action="/admin/sources/{{ sid }}/toggle">
  <input type="hidden" name="client_id" value="{{ client.id }}">
  <button class="btn btn-sm">Toggle</button>
</form>

while True:
    try:
        # block=5000 → wait up to 5 seconds for new messages before looping.
        # count=5    → process up to 5 messages per batch.
        # ">"        → only undelivered messages (not pending/unacked ones).
        messages = r.xreadgroup(
            CONSUMER_GROUP, CONSUMER_NAME,
            {STREAM_IN: ">"},
            count=5,
            block=5000,
        )
    except redislib.ConnectionError as e:
        log.error("Redis connection lost: %s — retrying in 5s", e)
        time.sleep(5)
        continue

    for stream, msgs in messages:
        for msg_id, fields in msgs:
            process_message(fields)   # runs Gates 2-4 for one news item

class Gate1Rules:
    def __init__(self, min_content_length=50, source_trust_min=0.4,
                 max_age_hours=48, urgency_keywords=None):
        # Pre-compute a lowercase set for O(1) membership checks in the hot path.
        # A set lookup is O(1) vs O(n) for a list — matters when called 1000x/day.
        self.urgency_keywords = set(k.lower() for k in (urgency_keywords or []))

    def check(self, item, keywords, excluded):
        text = f"{item.get('title', '')} {item.get('summary', '')}".strip()

        # Rule 1: minimum content length
        if len(text) < self.min_content_length:
            return False, "too_short"

        # Rule 2: source trust score — fail-open (default 1.0 if missing)
        if item.get("trust_score", 1.0) < self.source_trust_min:
            return False, "low_trust_source"

        # Rule 3: recency check
        pub = item.get("published_at")
        if pub:
            if pub.tzinfo is None:           # feedparser returns naive datetimes
                pub = pub.replace(tzinfo=timezone.utc)
            cutoff = datetime.now(timezone.utc) - timedelta(hours=self.max_age_hours)
            if pub < cutoff:
                return False, "stale"

        text_lower = text.lower()            # compute once, use below

        # Rule 4: hard exclusions (checked BEFORE keyword match)
        for exc in (excluded or []):
            if exc.lower() in text_lower:
                return False, f"excluded:{exc}"

        # Rule 5: urgency override — breaking news bypasses keyword check
        if self.urgency_keywords and any(kw in text_lower for kw in self.urgency_keywords):
            return True, "urgency_override"

        # Rule 6: keyword match — the core relevance gate
        if not any(kw.lower() in text_lower for kw in (keywords or [])):
            return False, "no_keyword_match"

        return True, "passed"

BATCH_SIZE = 8    # 8 articles per API call (sweet spot — larger batches confuse indexing)
MIN_SCORE  = 60   # articles below this score are dropped

def _score_batch(provider, articles, client_profile, prompt_template):
    # Build the batch text — each article gets an index number.
    # Haiku uses these indexes in its JSON response: {"scores": [{"index": 0, "score": 78, ...}]}
    articles_text = "\n---\n".join([
        f"[{i}] TITLE: {a['title']}\nSUMMARY: {(a.get('summary') or '')[:200]}"
        for i, a in enumerate(articles)
    ])

    # The system prompt contains the CLIENT'S PROFILE — same for all batches in a run.
    # Caching this is the key cost saving.
    system_prompt = prompt_template.format(
        industry_type    = client_profile.get("industry_type", "general"),
        target_geo       = ", ".join(client_profile.get("target_geo") or ["global"]),
        keywords         = ", ".join(client_profile.get("keywords") or []),
        excluded_topics  = ", ".join(client_profile.get("excluded_topics") or []),
    )

    # cache_system=True adds cache_control to the system prompt.
    # After the first API call, Anthropic serves the system prompt from cache.
    response = provider.complete(
        system=system_prompt,
        user=f'Score each article 0-100. Return JSON: {{"scores": [{{"index": 0, "score": N, "matched_keywords": []}}]}}\n\n{articles_text}',
        max_tokens=256,
        cache_system=True,   # ← the magic flag
    )

    result = json.loads(response.text)
    scores = {s["index"]: s for s in result.get("scores", [])}

    # Filter: keep only articles above MIN_SCORE threshold
    passed = []
    for i, article in enumerate(articles):
        score = scores.get(i, {}).get("score", 0)
        if score >= MIN_SCORE:
            article["relevance_score"]  = score
            article["matched_keywords"] = scores[i].get("matched_keywords", [])
            passed.append(article)
    return passed

def run_gate2(provider, articles, client_profile, prompt_template):
    passed = []
    # Iterate in steps of BATCH_SIZE: 0, 8, 16, 24, ...
    for i in range(0, len(articles), BATCH_SIZE):
        batch = articles[i:i + BATCH_SIZE]
        passed.extend(_score_batch(provider, batch, client_profile, prompt_template))
    return passed

def _source_spread(conn, title: str, hours: int = 2) -> int:
    # Extract 5 meaningful words from the title for full-text matching.
    # Filter out short stop-words ("the", "and", "for") — they match everything.
    words = [w.strip(".,!?\"'") for w in title.split() if len(w) > 3][:5]

    # OR query: article matches if ANY keyword appears (broad catch)
    tsquery = " | ".join(words)

    with conn.cursor() as cur:
        cur.execute("""
            SELECT COUNT(DISTINCT source_id)
            FROM news_items
            WHERE to_tsvector('english', title) @@ to_tsquery('english', %s)
              AND published_at > NOW() - INTERVAL '%s hours'
        """, (tsquery, hours))
        return cur.fetchone()[0] or 1

# Map raw count to a 0–100 score
def _spread_score(count: int) -> int:
    if count >= 5:  return 100   # 5+ sources = definitely breaking
    if count >= 3:  return 60    # trending across outlets
    if count >= 2:  return 40    # gaining traction
    return 20                    # isolated report

trend_score = (spread_score * 0.6) + (seo_opportunity * 0.4)
# 60/40 weighting: spread is more reliable (our own data)
# Trends complements with demand-side intent but can be rate-limited

# Urgency detection overrides the score threshold entirely:
# - "breaking" / "emergency" in title → urgency = "breaking" → Gate 3 bypassed
# - 3+ sources covering topic       → urgency = "high"     → Gate 3 bypassed

# If Claude decides the news is irrelevant to the client's geo:
{"selected_angle": "skip", "reason": "geo_not_impacted"}

# If it decides to generate:
{
  "selected_angle": "local_impact",
  "blog": {
    "title":            "Why should Australian mortgage brokers reconsider fixed rates in 2026?",
    "slug":             "australian-mortgage-brokers-fixed-rates-2026",
    "meta_description": "The RBA's latest decision changes the fixed vs variable ...",
    "body_markdown":    "...(full article 1200-3500 words)...",
    "keywords":         ["mortgage broker", "fixed rate", "RBA 2026"],
    "faq_schema":       [{"question": "...", "answer": "..."}, ...]
  },
  "linkedin_post":      "..."
}

sections = [
    "Quick Answer (40–60 words, no heading, standalone prose)",
    "What You Will Learn (4–6 bullets)",
    "What Is [Topic]? (80–120 words)",
    "Why Does [Problem] Happen? (100–150 words, 4–6 bullets)",
    "At-a-Glance Summary (Markdown table, 5–8 rows)",
    "How to [Solve It] (200–300 words, numbered H3 steps)",
    "What Happens If You Ignore This? (80–120 words, 3–5 bullets)",
    "",          # Pexels image placeholder
    "Common Mistakes to Avoid (table: Mistake | Why | What to Do Instead)",
    "Expert Tips (100–150 words, ≥2 tips with measurable checks)",
    "",          # second image
    "Frequently Asked Questions (exactly 5 FAQs)",
    "Key Takeaways (60–80 words, 4–5 bullets)",
    "References (3–5 entries as [Title](URL))",
]

# Any "critical" issue (factual_risk, fabrication, off_topic, brand_safety)
# → hard-blocks the draft until an admin overrides with a written reason
if has_critical:
    return "blocked_factual_review", score

# Review itself errored — high-risk industries fail safe to admin review
if review_failed:
    if industry_type in {"mortgage", "finance", "health", "cybersecurity"}:
        return "needs_admin_review", None
    return "review_failed", None

if not passed:
    return "needs_admin_review", score

# Clean bill of health — safe to fast-track
if score is not None and score >= 85 and not has_major:
    return "ready_for_approval", score

# NEW in PR3 — "almost there", worth one automated fix attempt
if score is not None and score >= 70:
    return "needs_auto_revision", score

return "needs_admin_review", score

async def poll_loop():
    while True:
        # Fetch all active, non-quarantined sources from Postgres
        sources = get_active_sources(conn)

        for source in sources:
            articles = fetch_rss(source["feed_url"])   # parse RSS/Atom feed

            for article in articles:
                url_hash = sha256(normalize_url(article["url"])).hexdigest()

                # Deduplication: skip if we've already processed this URL
                if url_hash in seen_hashes:
                    continue

                # Gate 1: zero-cost rules filter (per-client)
                for client in source["clients"]:
                    passes, reason = gate1.check(article, client["keywords"], client["excluded"])
                    if passes:
                        # Publish to Redis Stream for intelligence-worker to consume
                        redis.xadd("news.filtered", {
                            "article_id": article_id,
                            "client_id":  client["id"],
                            "reason":     reason,
                        })

        await asyncio.sleep(POLL_INTERVAL_SECONDS)   # default: 120s

def normalize_url(url: str) -> str:
    """Strip UTM/tracking params so the same article isn't processed twice
    if it appears with different tracking params in different RSS feeds."""
    from urllib.parse import urlparse, urlencode, parse_qsl
    parsed = urlparse(url)
    # Keep only non-tracking query params (strip utm_*, fbclid, etc.)
    clean_params = [(k, v) for k, v in parse_qsl(parsed.query)
                    if not k.startswith(("utm_", "fbclid", "gclid", "ref"))]
    return parsed._replace(query=urlencode(clean_params)).geturl()

# URL hash is stored in news_items table — SHA256 of the normalized URL
url_hash = hashlib.sha256(normalize_url(article["url"]).encode()).hexdigest()

async def process_message(msg, client_id, article):
    client = get_client_profile(client_id)

    # 1. Gate 2 — Haiku relevance scoring (batched, prompt-cached)
    relevant = run_gate2(provider, [article], client, PROMPT_RELEVANCE)
    if not relevant:
        ack(msg); return

    # 2. Gate 3 — Signal detection (spread + Google Trends)
    signal = detect_signal(conn, article["title"], client["target_geo"])
    if signal.trend_score < GATE3_MIN_TREND_SCORE and signal.urgency == "normal":
        ack(msg); return

    # 3. Competitor analysis — what angles have competitors taken?
    comp = analyze_competitors(conn, article, client)
    # comp.avoid_angles = ["local_impact", "action_list"]
    # comp.trend_score_boost = 15 (first-mover bonus)

    # 4. Evidence pipeline
    enrichment = quick_enrich(article, client["keywords"])          # Tier 1: Serper
    evidence   = gather_evidence(article, enrichment, llm_haiku)    # Tier 2: deep pack

    # 5. Topic clustering — find related published articles for internal links
    cluster = get_cluster_links(conn, article, client_id)

    # 6. Gate 4 — Sonnet generation
    draft = run_gate4(
        provider=llm_sonnet,
        article=article,
        client=client,
        comp_analysis=comp,
        evidence_pack=evidence,
        cluster_links=cluster,
    )

    if draft.get("selected_angle") == "skip":
        ack(msg); return    # geo_not_impacted — skip silently

    # 7. Save to Postgres, publish to content.drafts stream
    save_draft(conn, draft, client_id)
    redis.xadd("content.drafts", {"draft_id": draft["id"], "client_id": client_id})
    ack(msg)  # ← critical: only ack AFTER successful save

REVIEW_SECRET = os.environ["REVIEW_SECRET"]  # from K8s Secret

def create_review_token(draft_id: str, action: str) -> str:
    """Create a signed URL token. Format: {token}:{action}:{expiry}"""
    expiry = int(time.time()) + 7 * 24 * 3600    # 7 days from now
    payload = f"{draft_id}:{action}:{expiry}"
    sig = hmac.new(REVIEW_SECRET.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{sig}:{action}:{expiry}"

def verify_review_token(token: str, draft_id: str) -> tuple[bool, str]:
    """Verify a token from an email link. Returns (valid, action)."""
    try:
        sig, action, expiry = token.split(":")
        if int(expiry) < time.time():
            return False, ""     # expired

        payload = f"{draft_id}:{action}:{expiry}"
        expected = hmac.new(REVIEW_SECRET.encode(), payload.encode(), hashlib.sha256).hexdigest()

        # Constant-time comparison — prevents timing attacks
        if not hmac.compare_digest(sig, expected):
            return False, ""    # tampered

        return True, action
    except Exception:
        return False, ""

MAX_RETRIES  = 3
RETRY_DELAYS = [5, 15, 30]    # seconds — exponential-ish backoff

for attempt in range(MAX_RETRIES):
    try:
        result = publisher.publish(draft, config)
        # Record success in publications table
        record_publication(conn, draft_id, platform, "published", result["url"])
        break

    except Exception as e:
        if attempt == MAX_RETRIES - 1:
            # All retries exhausted — send to dead-letter queue
            redis.xadd("content.failed", {"draft_id": draft_id, "error": str(e)})
            record_publication(conn, draft_id, platform, "failed", error=str(e))
        else:
            time.sleep(RETRY_DELAYS[attempt])

def publish(self, draft: dict, config: dict) -> dict:
    blog = draft["blog"]
    body = blog["body_markdown"]

    # Strip the FAQ section from body — it's added separately as structured HTML
    # to prevent duplicates (once inline, once as schema markup at the bottom).
    body_without_faq = strip_faq_section(body)

    # Convert Markdown to HTML (using markdown library)
    html_body = markdown.markdown(
        body_without_faq,
        extensions=["fenced_code", "tables", "nl2br"]
    )

    # Append FAQ as structured HTML (better for Google FAQ rich results)
    if blog.get("faq_schema"):
        html_body += build_faq_html(blog["faq_schema"])

    # WordPress REST API call
    response = requests.post(
        f"{config['site_url']}/wp-json/wp/v2/posts",
        auth=(config["username"], config["app_password"]),  # Application Passwords
        json={
            "title":   blog["title"],
            "slug":    blog["slug"],
            "content": html_body,
            "excerpt": blog.get("meta_description", ""),
            "status":  "publish",
            "categories": resolve_categories(config),
        }
    )
    return {"url": response.json()["link"]}

# Create consumer group (run once at startup)
redis.xgroup_create("news.filtered", "intelligence-workers", id="0", mkstream=True)

# Read NEW messages (> means "messages after my last position")
messages = redis.xreadgroup(
    groupname="intelligence-workers",
    consumername="worker-pod-1",
    streams={"news.filtered": ">"},
    count=10,
    block=5000,   # block for up to 5 seconds waiting for new messages
)

# Process each message...
for stream_name, msg_list in (messages or []):
    for msg_id, fields in msg_list:
        try:
            process(fields)
            # ACK only AFTER successful processing
            # If this line is never reached (crash), Redis re-delivers the message
            redis.xack("news.filtered", "intelligence-workers", msg_id)
        except Exception as e:
            # Don't ACK on failure — message will be re-delivered
            log.error("Processing failed: %s", e)

# How many messages are waiting in the pipeline?
kubectl exec -n content-intelligence deploy/ci-redis -- redis-cli xlen news.filtered
kubectl exec -n content-intelligence deploy/ci-redis -- redis-cli xlen content.drafts

# How many messages are in the dead-letter queue?
kubectl exec -n content-intelligence deploy/ci-redis -- redis-cli xlen content.failed

# Inspect last 5 messages in a stream
kubectl exec -n content-intelligence deploy/ci-redis -- redis-cli xrevrange news.filtered + - COUNT 5

from abc import ABC, abstractmethod
from dataclasses import dataclass

@dataclass
class LLMResponse:
    text:               str
    input_tokens:       int
    output_tokens:      int
    cache_read_tokens:  int = 0   # Anthropic prompt caching
    cache_write_tokens: int = 0

class LLMProvider(ABC):
    @property
    @abstractmethod
    def model_id(self) -> str: ...

    @abstractmethod
    def complete(
        self,
        system:       str,
        user:         str,
        max_tokens:   int  = 512,
        cache_system: bool = False,   # Anthropic-specific, ignored by others
    ) -> LLMResponse: ...

def get_provider(model: str) -> LLMProvider:
    """Return the correct provider instance based on model name prefix."""
    api_key_map = {
        "claude-":     ("ANTHROPIC_API_KEY", AnthropicProvider),
        "gpt-":        ("OPENAI_API_KEY",    OpenAIProvider),
        "o1-":         ("OPENAI_API_KEY",    OpenAIProvider),
        "o3-":         ("OPENAI_API_KEY",    OpenAIProvider),
        "gemini-":     ("GOOGLE_API_KEY",    GoogleProvider),
        "deepseek-":   ("DEEPSEEK_API_KEY",  DeepSeekProvider),
    }

    for prefix, (env_var, ProviderClass) in api_key_map.items():
        if model.startswith(prefix):
            api_key = os.environ.get(env_var)
            if not api_key:
                raise EnvironmentError(f"{env_var} not set for model {model!r}")
            return ProviderClass(api_key=api_key, model=model)

    raise ValueError(f"Unknown model: {model!r}")

def _resolve_default_model(conn, setting_key, env_default) -> str:
    """platform_settings override of the Helm env var — no restart needed."""
    with conn.cursor() as cur:
        cur.execute("SELECT value FROM platform_settings WHERE key = %s", (setting_key,))
        row = cur.fetchone()
    return row[0] if row else env_default

# Layer 2: admin-edited platform default, falling back to the Helm env var
gate2_default = _resolve_default_model(conn, "default_gate2_model", GATE2_MODEL)

# Layer 1: per-client override wins if set
try:
    gate2_provider = get_provider(client.get("gate2_model") or gate2_default)
except EnvironmentError as exc:
    # configured provider's API key missing — fall back to the Helm default
    log.warning("Gate2 provider key missing (%s) — falling back to %s", exc, GATE2_MODEL)
    gate2_provider = get_provider(GATE2_MODEL)

def complete(self, system: str, user: str, max_tokens: int = 512,
             cache_system: bool = False) -> LLMResponse:

    # Without caching: system is just a string
    # With caching: wrap it in a block with cache_control
    if cache_system:
        system_block = [{
            "type": "text",
            "text": system,
            "cache_control": {"type": "ephemeral"},  # ← this is the magic
        }]
    else:
        system_block = system   # plain string — no caching

    response = self._client.messages.create(
        model=self._model,
        max_tokens=max_tokens,
        system=system_block,
        messages=[{"role": "user", "content": user}],
    )

    return LLMResponse(
        text=response.content[0].text,
        input_tokens=response.usage.input_tokens,
        output_tokens=response.usage.output_tokens,
        # These fields tell you how the caching is performing:
        cache_read_tokens  = getattr(response.usage, "cache_read_input_tokens", 0) or 0,
        cache_write_tokens = getattr(response.usage, "cache_creation_input_tokens", 0) or 0,
    )

# Batch 1 — system prompt is WRITTEN to cache (full price for system tokens)
# cache_write_tokens = 800 (the client profile system prompt)
# input_tokens       = 800 + 1200 (system + 8 article titles)

# Batch 2–13 — system prompt is READ from cache (10% of normal price)
# cache_read_tokens  = 800 (same system prompt, served from cache)
# input_tokens       = 1200 (only the 8 article titles — system not billed at full rate)

# Net saving: 12 batches × 800 tokens × 90% discount = 8,640 tokens saved
# At $0.00025/1K input tokens (Haiku): saves ~$0.002/run/client
# Across 365 days: ~$0.73/year/client from caching alone

# JWT format: base64url(header) . base64url(payload) . base64url(signature)

def _b64(data: bytes) -> str:
    # URL-safe base64 with "=" padding stripped (JWT spec requires unpadded)
    return urlsafe_b64encode(data).rstrip(b"=").decode()

def create_jwt(client_id: str, email: str) -> str:
    header  = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({
        "client_id": client_id,
        "email":     email,
        "exp":       int(time.time()) + JWT_EXPIRY_MINS * 60,
        "iat":       int(time.time()),
    }).encode())

    signing_input = f"{header}.{payload}"
    sig = _b64(hmac.new(
        JWT_SECRET.encode(),
        signing_input.encode(),
        hashlib.sha256,
    ).digest())

    return f"{signing_input}.{sig}"

def decode_jwt(token: str) -> Optional[dict]:
    try:
        header, payload, sig = token.split(".")
        signing_input = f"{header}.{payload}"
        expected = _b64(hmac.new(JWT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest())

        # Constant-time comparison — prevents timing side-channel attacks
        if not hmac.compare_digest(sig, expected):
            return None   # tampered token

        data = json.loads(_unb64(payload))
        if data.get("exp", 0) < time.time():
            return None   # expired

        return data
    except Exception:
        return None       # never raises — bad tokens always return None

def hash_password(password: str) -> str:
    """Hash a password for storage. Format: {hex_salt}:{hex_hash}"""
    salt = secrets.token_hex(16)   # 16 bytes of cryptographic randomness
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 260_000)
    return f"{salt}:{h.hex()}"

def _verify_password(password: str, stored_hash: str) -> bool:
    salt, hex_hash = stored_hash.split(":", 1)
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 260_000)
    return hmac.compare_digest(h.hex(), hex_hash)  # constant-time

# 260,000 iterations: ~100ms on a modern CPU.
# This means an attacker can only try ~10 passwords/second per core.
# bcrypt would also work — PBKDF2 is chosen because it's in Python stdlib (no dependency).

_DUMMY_HASH = "dummy:000000000000000000000000000000000000000000000000000000000000000"

def _dummy_hash_check(password: str) -> None:
    """Run a full PBKDF2 computation even for non-existent users.

    Without this: login for unknown@email.com returns in 1ms (DB miss).
                  login for real@email.com returns in 100ms (hash computed).
    An attacker measures the difference to discover which emails are registered.

    With this: both paths take ~100ms regardless. Side channel eliminated.
    """
    hashlib.pbkdf2_hmac("sha256", password.encode(), b"dummy", 260_000)
    # Result is discarded — we only run this for its timing effect

response.set_cookie(
    key      = "ci_session",
    value    = token,
    httponly = True,       # JS cannot read this cookie — protects against XSS token theft
    secure   = True,       # browser only sends it over HTTPS — prevents network sniffing
    samesite = "lax",      # sent on top-level same-site navigations — CSRF protection
    max_age  = JWT_EXPIRY_MINS * 60,
)

# Every protected route extracts client_id from the JWT:
@router.get("/dashboard")
def dashboard(request: Request):
    client = require_client(request)         # decodes JWT, returns payload dict
    client_id = client["client_id"]          # ← from JWT signature, not request params

    # All DB queries are scoped to this client_id
    drafts = get_drafts(conn, client_id)     # SELECT ... WHERE client_id = %s
    return render("dashboard.html", drafts)

# What an attacker CANNOT do:
# GET /dashboard?client_id=  → client_id from URL is IGNORED
# POST /approve with body {"client_id": "..."}  → body client_id is IGNORED
# The client_id is read exclusively from the signed cookie/Bearer JWT.

-- One row per tenant
CREATE TABLE clients (
    id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    business_name TEXT NOT NULL,
    email         TEXT UNIQUE NOT NULL,
    industry_type TEXT,
    target_geo    JSONB,
    keywords      JSONB,
    active        BOOLEAN DEFAULT TRUE
);

-- All tenant-scoped tables have client_id FK
CREATE TABLE content_drafts (
    id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    client_id     UUID NOT NULL REFERENCES clients(id) ON DELETE CASCADE,
    title         TEXT,
    body_markdown TEXT,
    status        TEXT DEFAULT 'pending',    -- pending / approved / rejected / published
    created_at    TIMESTAMPTZ DEFAULT NOW()
);

-- news_items is SHARED across all clients (Gate 1 runs once per article)
-- client_relevance maps articles to clients (Gate 2 runs per-client)
CREATE TABLE client_relevance (
    id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    client_id       UUID NOT NULL REFERENCES clients(id) ON DELETE CASCADE,
    news_item_id    UUID NOT NULL REFERENCES news_items(id),
    relevance_score INT,
    processed       BOOLEAN DEFAULT FALSE
);

def quick_enrich(article: dict, keywords: list[str]) -> list[dict]:
    """Fetch 5 Serper snippets for evidence context. Degrades gracefully."""
    api_key = os.environ.get("SERPER_API_KEY")
    if not api_key:
        return []    # feature disabled — Gate 4 runs without enrichment

    query = f"{article['title']} {' '.join(keywords[:3])}"
    try:
        resp = requests.post(
            "https://google.serper.dev/search",
            headers={"X-API-KEY": api_key},
            json={"q": query, "num": 5},
            timeout=10,
        )
        results = resp.json().get("organic", [])
        return [{"title": r["title"], "snippet": r["snippet"],
                 "url": r["link"], "source": r.get("displayLink")}
                for r in results]
    except Exception:
        return []    # any error → degrade gracefully, never block Gate 4

# Haiku produces a structured evidence pack:
evidence_pack = {
    "verified_claims": [
        {
            "claim":      "The RBA raised rates by 25bps to 4.35%",
            "source":     "RBA official statement",
            "confidence": "high",
            "safe_phrasing": "According to the RBA's official statement...",
        }
    ],
    "claims_to_avoid": [
        {
            "claim":  "Rates will fall by end of 2024",
            "reason": "Prediction without verifiable source"
        }
    ],
    "recommended_references": [
        {"title": "RBA Rate Decision — May 2026", "url": "https://rba.gov.au/..."}
    ],
    "source_classifications": [
        {"url": "...", "type": "government_or_regulator", "allowed_to_use": True}
    ]
}

# This entire pack is injected into the Gate 4 system prompt.
# Gate 4 is instructed: "Only use statistics and dates from VERIFIED CLAIMS.
#                        Never use anything in CLAIMS TO AVOID."

# Competitor angles are inferred from title patterns — no AI cost
ANGLE_PATTERNS = {
    "local_impact":       [r"what .+ means for .+", r"how .+ affects .+"],
    "action_list":        [r"\d+ things? (to|you should)", r"what (to do|businesses should)"],
    "contrarian":         [r"why .+ (is|might be) wrong", r"the truth about"],
    "faq_explainer":      [r"everything you need to know", r"what is .+ and why"],
    "expert_commentary":  [r"why .+ matters", r"what .+ means for the industry"],
}

def infer_competitor_angle(title: str) -> Optional[str]:
    title_lower = title.lower()
    for angle, patterns in ANGLE_PATTERNS.items():
        if any(re.search(p, title_lower) for p in patterns):
            return angle
    return None

# Result: competitor analysis returns avoid_angles = ["local_impact", "faq_explainer"]
# These are injected into the Gate 4 prompt:
# "DO NOT use local_impact — Competitor X already published that angle.
#  DO NOT use faq_explainer — Competitor Y already published that angle.
#  Choose a different angle that provides unique value."

H1_RULES = """
H1 TITLE RULES (mandatory):
- Must be a question format: How / Why / What / When / Should / Can / Is
- Primary keyword must appear within the first 8 words
- Include "2026" for informational, how-to, FAQ, and local SEO articles

FORBIDDEN TITLE PATTERNS (never use these):
- "5 things", "5 steps", "10 ways" (numbered lists)
- "Understanding [topic]"
- "Everything you need to know about"
- "changes everything" / "ultimate guide"
- "What X needs to know" (where X = the reader's role)
"""

# Example of good titles:
# "Why should Australian mortgage brokers rethink fixed rates in 2026?"
# "How does the RBA cash rate affect first-home buyers in Brisbane in 2026?"
# "What do cybersecurity teams need to know about the new APRA ruling?"