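defmodule DaProductAppWeb.Endpoint do
  @moduledoc """
  HTTP and WebSocket entry point of the application.

  Declares the cookie session options, static file serving, the optional
  development tooling (Tidewave, live reload, code reloader) and the plug
  pipeline every request passes through before `DaProductAppWeb.Router`.
  Plug order is significant: a plug that halts the connection prevents all
  later plugs from running.
  """

  use Phoenix.Endpoint, otp_app: :da_product_app

  # The session lives in a signed (not encrypted) cookie: the client can read
  # its contents but cannot tamper with them. Keep secrets out of the session
  # unless :encryption_salt is also set.
  @session_options [
    store: :cookie,
    key: "_da_product_app_key",
    signing_salt: "3VV41hZ9",
    same_site: "Lax",
    # Evaluated at compile time: the Secure flag is set only in :prod builds
    # so that plain HTTP keeps working in development.
    secure: Mix.env() == :prod
  ]

  # Headers attached to static file responses. The one-year immutable policy
  # used in :prod presumably relies on digested asset names (phx.digest);
  # "nosniff" stops browsers from MIME-sniffing served files.
  @static_headers (if Mix.env() == :prod do
                     %{
                       "cache-control" => "public, max-age=31536000, immutable",
                       "x-content-type-options" => "nosniff"
                     }
                   else
                     %{
                       "cache-control" => "public, max-age=3600",
                       "x-content-type-options" => "nosniff"
                     }
                   end)

  socket "/live", Phoenix.LiveView.Socket,
    websocket: [connect_info: [session: @session_options]],
    longpoll: [connect_info: [session: @session_options]]

  # Serve at "/" the static files from "priv/static" directory.
  #
  # gzip is enabled for :prod builds, where phx.digest is expected to have
  # produced the compressed variants at deploy time.
  plug Plug.Static,
    at: "/",
    from: :da_product_app,
    gzip: Mix.env() == :prod,
    only: DaProductAppWeb.static_paths(),
    headers: @static_headers

  # Tidewave (AI assistant integration) is development tooling that gives the
  # connected assistant access to the running application, including code
  # evaluation. It is therefore compiled in only for :dev builds, even if the
  # dependency happens to be loadable in another environment.
  #
  # NOTE(review): `allow_remote_access: true` accepts requests from non-local
  # hosts, and `allowed_origins` only restricts browser origins; it is not
  # authentication. Several origins below are plain HTTP on public hostnames.
  # Confirm this endpoint is reachable only over a trusted network (VPN or
  # SSH tunnel), or drop `allow_remote_access`.
  if Mix.env() == :dev and Code.ensure_loaded?(Tidewave) do
    plug Tidewave,
      allow_remote_access: true,
      allowed_origins: [
        "http://demo.ctrmv.com:4040",
        "https://mercurypay.ariticapp.com",
        "http://mercurypay.ariticapp.com:4040",
        "http://localhost:4040",
        "http://127.0.0.1:4040"
      ]
  end

  # Code reloading can be explicitly enabled under the
  # :code_reloader configuration of your endpoint.
  if code_reloading? do
    socket "/phoenix/live_reload/socket", Phoenix.LiveReloader.Socket
    plug Phoenix.LiveReloader
    plug Phoenix.CodeReloader
    plug Phoenix.Ecto.CheckRepoStatus, otp_app: :da_product_app
  end

  plug Phoenix.LiveDashboard.RequestLogger,
    param_key: "request_logger",
    cookie_key: "request_logger"

  # Security headers for dynamic responses.
  # NOTE(review): this plug is meant to run early, but it sits after
  # Plug.Static; requests answered and halted there never reach it, so static
  # responses carry only @static_headers. Consider moving it above Plug.Static
  # once its headers are confirmed suitable for static assets.
  plug DaProductAppWeb.Plugs.SecurityHeaders

  plug Plug.RequestId
  plug Plug.Telemetry, event_prefix: [:phoenix, :endpoint]

  # Read raw body for NPCI routes before Plug.Parsers processes it.
  # Must stay ahead of Plug.Parsers, which consumes the request body.
  plug DaProductAppWeb.Plugs.ConditionalBodyReader

  # Body parsing. Content types with no matching parser (XML in particular)
  # are passed through unparsed instead of raising an unsupported media type
  # error. "*/*" already matches every type, so the two XML entries only
  # document intent.
  # NOTE(review): if only XML should bypass parsing, remove "*/*" so other
  # unexpected content types are rejected here.
  plug Plug.Parsers,
    parsers: [:urlencoded, :multipart, :json],
    pass: ["text/xml", "application/xml", "*/*"],
    json_decoder: Phoenix.json_library()

  plug Plug.MethodOverride
  plug Plug.Head
  plug Plug.Session, @session_options
  plug DaProductAppWeb.Router
end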