import type { ExtensionAPI } from "../_shared/pi-api.js";
import { getCommandText, setTextWidget } from "../_shared/pi-api.js";
import { getAuditEvents } from "../_shared/permissions.js";

export default function securityGate(pi: ExtensionAPI): void {
  pi.registerCommand("security-audit", {
    description: "Show fail-closed OMP approval status and historical local audit events.",
    handler: async (args, ctx) => {
      const limit = Number.parseInt(getCommandText(args).trim(), 10);
      const lines = getAuditEvents()
        .slice(Number.isFinite(limit) ? -limit : -20)
        .map((event) => `${event.timestamp} ${event.decision} ${event.toolOrCommand} ${event.target}`);
      setTextWidget(ctx, "security-audit", [
        "security-gate is disabled in miloc-pi.",
        "OMP approval policy is the source truth for tool approval tiers, per-tool policies, prompts, deny handling, and safety overrides.",
        "This extension does not block tool calls until an OMP approval wrapper is ported here.",
        "",
        lines.length ? lines.join("\n") : "No historical local security audit events.",
      ].join("\n"));
    },
  });
}