//! Shared route helpers — validation, permission checks, markdown rendering, enforcement.

use axum::{
    http::StatusCode,
    response::{IntoResponse, Response},
};
use chrono::{DateTime, Duration, Utc};
use uuid::Uuid;

use mt_core::types::{CommunityRole, CommunityState, ModAction};

use crate::auth;
use crate::templates::*;
use crate::AppState;

// ============================================================================
// Rate limiting constants
// ============================================================================

/// Per-user rate limit: max posts per window (complements per-IP tower-governor).
pub(crate) const USER_POST_RATE_LIMIT: i64 = 15;
pub(crate) const USER_POST_RATE_WINDOW_SECS: i64 = 60;

// ============================================================================
// Markdown rendering
// ============================================================================

/// Render markdown to HTML, stripping raw HTML events to prevent XSS.
///
/// Strict preset: no images, no raw HTML, dangerous-scheme filtering. Use this
/// for content from non-Fan+ users. Fan+ subscribers get image embeds via
/// [`render_markdown_plus`].
pub(crate) fn render_markdown(input: &str) -> String {
    docengine::render_strict(input)
}

/// Render markdown to HTML with image embeds permitted. Otherwise identical to
/// the strict preset — raw HTML is still stripped, dangerous schemes filtered,
/// links get `nofollow`. Use for Fan+ subscriber content.
pub(crate) fn render_markdown_plus(input: &str) -> String {
    docengine::Renderer::strict()
        .with_strip_images(false)
        .render(input)
}

/// Render markdown to HTML, resolving `@mentions` to profile links for valid community members.
pub(crate) fn render_markdown_with_mentions(
    input: &str,
    community_slug: &str,
    valid_usernames: &std::collections::HashSet<String>,
    allow_images: bool,
) -> String {
    let template = format!("/p/{community_slug}/u/{{username}}");
    let resolved = docengine::resolve_mentions(input, valid_usernames, &template);
    if allow_images {
        render_markdown_plus(&resolved)
    } else {
        docengine::render_strict(&resolved)
    }
}

/// Reject submissions that contain image embeds. Used to give non-Fan+ users
/// a clear error rather than silently stripping their image at render time.
///
/// Only matches the markdown image syntax `![alt](url)`. Raw HTML `<img>` /
/// `<video>` / `<iframe>` are stripped by all renderers (`strip_raw_html` is
/// true in both `render_strict` and `render_markdown_plus`), so we don't need
/// to reject them here — and rejecting them would surprise users pasting code
/// blocks containing HTML.
#[allow(clippy::result_large_err)]
pub(crate) fn reject_embeds_for_free_user(body: &str) -> Result<(), Response> {
    static EMBED_RE: std::sync::LazyLock<regex_lite::Regex> = std::sync::LazyLock::new(|| {
        regex_lite::Regex::new(r"!\[[^\]]*\]\([^\)]+\)").unwrap()
    });
    if EMBED_RE.is_match(body) {
        return Err((
            StatusCode::UNPROCESSABLE_ENTITY,
            "Image embeds are a Fan+ feature.",
        )
            .into_response());
    }
    Ok(())
}

// ============================================================================
// Common helpers — reduce boilerplate in handlers
// ============================================================================

/// Fetch community by slug, returning 404/500 on failure.
#[tracing::instrument(skip_all)]
pub(crate) async fn get_community(
    db: &sqlx::PgPool,
    slug: &str,
) -> Result<mt_db::queries::CommunityRow, Response> {
    mt_db::queries::get_community_by_slug(db, slug)
        .await
        .map_err(|e| {
            tracing::error!(error = ?e, "db error fetching community");
            (StatusCode::INTERNAL_SERVER_ERROR, "Internal server error").into_response()
        })?
        .ok_or_else(|| (StatusCode::NOT_FOUND, "Not found").into_response())
}

/// Fetch thread with breadcrumb, returning 404/500 on failure.
#[tracing::instrument(skip_all)]
pub(crate) async fn get_thread(
    db: &sqlx::PgPool,
    thread_id_str: &str,
) -> Result<mt_db::queries::ThreadWithBreadcrumb, Response> {
    let thread_id = parse_uuid(thread_id_str)?;
    mt_db::queries::get_thread_with_breadcrumb(db, thread_id)
        .await
        .map_err(|e| {
            tracing::error!(error = ?e, "db error fetching thread");
            (StatusCode::INTERNAL_SERVER_ERROR, "Internal server error").into_response()
        })?
        .ok_or_else(|| (StatusCode::NOT_FOUND, "Not found").into_response())
}

/// Parse a UUID from a string, returning 404 on failure.
#[allow(clippy::result_large_err)]
pub(crate) fn parse_uuid(id_str: &str) -> Result<Uuid, Response> {
    Uuid::parse_str(id_str).map_err(|_| (StatusCode::NOT_FOUND, "Not found").into_response())
}

/// Fetch a user's role in a community, returning 500 on DB error.
#[tracing::instrument(skip_all)]
pub(crate) async fn get_role(
    db: &sqlx::PgPool,
    user_id: Uuid,
    community_id: Uuid,
) -> Result<Option<CommunityRole>, Response> {
    mt_db::queries::get_user_role(db, user_id, community_id)
        .await
        .map_err(|e| {
            tracing::error!(error = ?e, "db error fetching role");
            (StatusCode::INTERNAL_SERVER_ERROR, "Internal server error").into_response()
        })
}

/// Look up a user by username, returning 422 if not found.
#[tracing::instrument(skip_all)]
pub(crate) async fn get_user_by_username(
    db: &sqlx::PgPool,
    username: &str,
) -> Result<Uuid, Response> {
    mt_db::queries::get_user_by_username(db, username)
        .await
        .map_err(|e| {
            tracing::error!(error = ?e, "db error looking up user");
            (StatusCode::INTERNAL_SERVER_ERROR, "Internal server error").into_response()
        })?
        .ok_or_else(|| (StatusCode::UNPROCESSABLE_ENTITY, "User not found.").into_response())
}

/// Fire-and-forget mod log entry. Logs errors but never fails the request.
pub(crate) async fn log_mod_action(
    db: &sqlx::PgPool,
    community_id: Option<Uuid>,
    actor_id: Uuid,
    action: ModAction,
    target_user: Option<Uuid>,
    target_id: Option<Uuid>,
    reason: Option<&str>,
) {
    if let Err(e) = mt_db::mutations::insert_mod_log(
        db, community_id, actor_id, action, target_user, target_id, reason,
    )
    .await
    {
        tracing::error!(error = %e, "failed to insert mod log");
    }
}

/// Convert a session user to a template session user.
pub(crate) fn template_user(
    user: &auth::SessionUser,
    platform_admin_id: Option<Uuid>,
) -> TemplateSessionUser {
    TemplateSessionUser {
        is_platform_admin: platform_admin_id == Some(user.user_id),
        username: user.username.clone(),
    }
}

/// Validate a title field (1-256 chars).
#[allow(clippy::result_large_err)]
pub(crate) fn validate_title(text: &str) -> Result<&str, Response> {
    let t = text.trim();
    if t.is_empty() || t.len() > 256 {
        return Err((
            StatusCode::UNPROCESSABLE_ENTITY,
            "Title must be between 1 and 256 characters.",
        )
            .into_response());
    }
    Ok(t)
}

/// Validate a body/content field (1 to max chars).
#[allow(clippy::result_large_err)]
pub(crate) fn validate_body<'a>(text: &'a str, max: usize, field: &str) -> Result<&'a str, Response> {
    let t = text.trim();
    if t.is_empty() || t.len() > max {
        return Err((
            StatusCode::UNPROCESSABLE_ENTITY,
            format!("{field} must be between 1 and {max} characters."),
        )
            .into_response());
    }
    Ok(t)
}

// ============================================================================
// Permission helpers
// ============================================================================

/// Is this user a moderator or owner in the community?
pub(crate) fn is_mod_or_owner(role: &Option<CommunityRole>) -> bool {
    role.is_some_and(|r| r.is_mod_or_owner())
}

/// Is this user an owner of the community?
pub(crate) fn is_owner(role: &Option<CommunityRole>) -> bool {
    role.is_some_and(|r| r.is_owner())
}

// ============================================================================
// Enforcement helpers
// ============================================================================

/// Check community suspension + user ban. For read handlers.
#[tracing::instrument(skip_all)]
pub(crate) async fn check_community_access(
    db: &sqlx::PgPool,
    community: &mt_db::queries::CommunityRow,
    user_id: Option<Uuid>,
) -> Result<(), Response> {
    if community.suspended_at.is_some() {
        return Err((StatusCode::FORBIDDEN, "This community has been suspended.").into_response());
    }
    if let Some(uid) = user_id {
        let banned = mt_db::queries::is_user_banned(db, community.id, uid)
            .await
            .map_err(|e| {
                tracing::error!(error = ?e, "db error checking ban status");
                (StatusCode::INTERNAL_SERVER_ERROR, "Internal server error").into_response()
            })?;
        if banned {
            return Err((StatusCode::FORBIDDEN, "You are banned from this community.").into_response());
        }
    }
    Ok(())
}

/// Check community suspension + platform suspension + user ban + user mute. For write handlers.
#[tracing::instrument(skip_all)]
pub(crate) async fn check_write_access(
    db: &sqlx::PgPool,
    community_id: Uuid,
    user_id: Uuid,
    community_suspended: bool,
) -> Result<(), Response> {
    if community_suspended {
        return Err((StatusCode::FORBIDDEN, "This community has been suspended.").into_response());
    }
    let suspended = mt_db::queries::is_user_suspended(db, user_id)
        .await
        .map_err(|e| {
            tracing::error!(error = ?e, "db error checking user suspension");
            (StatusCode::INTERNAL_SERVER_ERROR, "Internal server error").into_response()
        })?;
    if suspended {
        return Err((StatusCode::FORBIDDEN, "Your account has been suspended.").into_response());
    }
    let banned = mt_db::queries::is_user_banned(db, community_id, user_id)
        .await
        .map_err(|e| {
            tracing::error!(error = ?e, "db error checking ban status");
            (StatusCode::INTERNAL_SERVER_ERROR, "Internal server error").into_response()
        })?;
    if banned {
        return Err((StatusCode::FORBIDDEN, "You are banned from this community.").into_response());
    }
    let muted = mt_db::queries::is_user_muted(db, community_id, user_id)
        .await
        .map_err(|e| {
            tracing::error!(error = ?e, "db error checking mute status");
            (StatusCode::INTERNAL_SERVER_ERROR, "Internal server error").into_response()
        })?;
    if muted {
        return Err((StatusCode::FORBIDDEN, "You are muted in this community.").into_response());
    }
    Ok(())
}

/// Per-user posting rate limit. Returns 429 if the user has exceeded the limit.
#[tracing::instrument(skip_all)]
pub(crate) async fn check_user_post_rate(
    db: &sqlx::PgPool,
    user_id: Uuid,
) -> Result<(), Response> {
    let count = mt_db::queries::count_recent_posts_by_user(db, user_id, USER_POST_RATE_WINDOW_SECS)
        .await
        .map_err(|e| {
            tracing::error!(error = ?e, "db error checking user post rate");
            (StatusCode::INTERNAL_SERVER_ERROR, "Internal server error").into_response()
        })?;
    if count >= USER_POST_RATE_LIMIT {
        return Err((StatusCode::TOO_MANY_REQUESTS, "You are posting too quickly. Please wait a moment.").into_response());
    }
    Ok(())
}

/// Parse a ban duration string into an optional expiration datetime.
/// Returns `Err` for unrecognized durations to prevent accidental permanent bans.
pub(crate) fn parse_duration(duration: &str) -> Result<Option<DateTime<Utc>>, Response> {
    match duration {
        "permanent" => Ok(None),
        "1h" => Ok(Some(Utc::now() + Duration::hours(1))),
        "1d" => Ok(Some(Utc::now() + Duration::days(1))),
        "7d" => Ok(Some(Utc::now() + Duration::days(7))),
        "30d" => Ok(Some(Utc::now() + Duration::days(30))),
        _ => Err((StatusCode::UNPROCESSABLE_ENTITY, "Invalid duration.").into_response()),
    }
}

/// Helper: fetch community + verify owner role, returning 403 if not owner.
#[tracing::instrument(skip_all)]
pub(crate) async fn require_owner(
    state: &AppState,
    slug: &str,
    user: &auth::SessionUser,
) -> Result<mt_db::queries::CommunityRow, Response> {
    let community = get_community(&state.db, slug).await?;
    let role = get_role(&state.db, user.user_id, community.id).await?;
    if !is_owner(&role) {
        return Err((StatusCode::FORBIDDEN, "Forbidden").into_response());
    }
    Ok(community)
}

/// Helper: fetch community + verify mod_or_owner role, returning 403 if not.
#[tracing::instrument(skip_all)]
pub(crate) async fn require_mod_or_owner(
    state: &AppState,
    slug: &str,
    user: &auth::SessionUser,
) -> Result<(mt_db::queries::CommunityRow, Option<CommunityRole>), Response> {
    let community = get_community(&state.db, slug).await?;
    let role = get_role(&state.db, user.user_id, community.id).await?;
    if !is_mod_or_owner(&role) {
        return Err((StatusCode::FORBIDDEN, "Forbidden").into_response());
    }
    Ok((community, role))
}

// ============================================================================
// Superadmin authorization
// ============================================================================

/// Whether `user` is the configured platform admin.
///
/// Platform admin is a single user (env var `PLATFORM_ADMIN_ID`); a real
/// permissions system is deferred. See `docs/todo.md` § Community Moderation
/// Enforcement.
pub(crate) fn is_platform_admin(state: &AppState, user: &auth::SessionUser) -> bool {
    state
        .config
        .platform_admin_id
        .is_some_and(|id| id == user.user_id)
}

/// True if the user can perform mod actions in this community: either a
/// community Owner/Moderator, or the platform admin (who can act on any
/// community). Used by [`check_community_state`] and by the state-change route.
pub(crate) fn is_mod_or_superadmin(
    state: &AppState,
    user: &auth::SessionUser,
    role: &Option<CommunityRole>,
) -> bool {
    is_mod_or_owner(role) || is_platform_admin(state, user)
}

/// Fetch community + verify the user is a mod, owner, or platform admin.
///
/// Returns `(community, role)` — `role` is `None` when the user is the platform
/// admin but holds no role in this specific community.
#[tracing::instrument(skip_all)]
pub(crate) async fn require_mod_or_superadmin(
    state: &AppState,
    slug: &str,
    user: &auth::SessionUser,
) -> Result<(mt_db::queries::CommunityRow, Option<CommunityRole>), Response> {
    let community = get_community(&state.db, slug).await?;
    let role = get_role(&state.db, user.user_id, community.id).await?;
    if !is_mod_or_superadmin(state, user, &role) {
        return Err((StatusCode::FORBIDDEN, "Forbidden").into_response());
    }
    Ok((community, role))
}

// ============================================================================
// Community state enforcement
// ============================================================================

/// Whether a write attempt is starting a new thread or extending an existing
/// one. Restricted communities block `NewThread` for non-mods but still accept
/// `ContinueExisting` writes.
#[derive(Debug, Clone, Copy)]
pub(crate) enum WriteScope {
    NewThread,
    ContinueExisting,
}

/// Convenience: combine role lookup with [`check_community_state`]. Use this
/// in write handlers that don't already need the role for other purposes.
#[tracing::instrument(skip_all)]
pub(crate) async fn check_write_state(
    state: &AppState,
    community: &mt_db::queries::CommunityRow,
    user: &auth::SessionUser,
    scope: WriteScope,
) -> Result<(), Response> {
    let role = get_role(&state.db, user.user_id, community.id).await?;
    let is_mod_or_super = is_mod_or_superadmin(state, user, &role);
    check_community_state(community.state, scope, is_mod_or_super)
}

/// Gate a write against the community's [`CommunityState`].
///
/// Mods/owners and the platform admin bypass all state restrictions. Members
/// follow the state's `allows_*` predicates. Returns 403 with a state-specific
/// message on denial — message text is what the user will see in the toast.
///
/// Note: this is independent of [`check_write_access`] (which covers
/// suspension/ban/mute). Call both in write handlers.
/// Pure decision for [`check_community_state`]: returns `None` when the write
/// is allowed, `Some(message)` when denied (message is what the user sees).
///
/// Mods/owners and the platform admin bypass restrictions. Members go through
/// the state's `allows_*` predicates.
pub(crate) fn community_state_denial_message(
    community_state: CommunityState,
    scope: WriteScope,
    is_mod_or_super: bool,
) -> Option<&'static str> {
    if is_mod_or_super {
        return None;
    }
    let allowed = match scope {
        WriteScope::NewThread => community_state.allows_new_threads_for_members(),
        WriteScope::ContinueExisting => community_state.allows_writes_for_members(),
    };
    if allowed {
        return None;
    }
    Some(match (community_state, scope) {
        (CommunityState::Restricted, WriteScope::NewThread) => {
            "New threads are restricted in this community."
        }
        (CommunityState::Frozen, _) => "This community is frozen.",
        (CommunityState::Archived, _) => "This community is archived.",
        _ => "Action not allowed in the community's current state.",
    })
}

#[allow(clippy::result_large_err)]
pub(crate) fn check_community_state(
    community_state: CommunityState,
    scope: WriteScope,
    is_mod_or_super: bool,
) -> Result<(), Response> {
    match community_state_denial_message(community_state, scope, is_mod_or_super) {
        None => Ok(()),
        Some(msg) => Err((StatusCode::FORBIDDEN, msg).into_response()),
    }
}

#[cfg(test)]
mod validation_tests {
    use super::*;

    // ── validate_title (1..=256 chars after trim) ──

    #[test]
    fn title_rejects_empty() {
        assert!(validate_title("").is_err());
    }

    #[test]
    fn title_rejects_whitespace_only() {
        // The function trims first, so whitespace-only collapses to empty.
        assert!(validate_title("   \t\n  ").is_err());
    }

    #[test]
    fn title_accepts_single_char() {
        assert_eq!(validate_title("x").unwrap(), "x");
    }

    #[test]
    fn title_trims_surrounding_whitespace() {
        // Pins the `.trim()` step: returned slice excludes leading/trailing whitespace.
        assert_eq!(validate_title("  hello  ").unwrap(), "hello");
    }

    #[test]
    fn title_accepts_exactly_256_chars() {
        let s = "a".repeat(256);
        assert_eq!(validate_title(&s).unwrap().len(), 256);
    }

    #[test]
    fn title_rejects_257_chars() {
        // Pins `t.len() > 256` vs `>= 256`. At exactly 257, must reject.
        let s = "a".repeat(257);
        assert!(validate_title(&s).is_err());
    }

    // ── validate_body (1..=max chars after trim) ──

    #[test]
    fn body_rejects_empty() {
        assert!(validate_body("", 100, "Body").is_err());
    }

    #[test]
    fn body_accepts_one_char() {
        assert_eq!(validate_body("x", 100, "Body").unwrap(), "x");
    }

    #[test]
    fn body_accepts_at_exact_max() {
        let s = "a".repeat(50);
        assert_eq!(validate_body(&s, 50, "Body").unwrap().len(), 50);
    }

    #[test]
    fn body_rejects_one_over_max() {
        // Pins `t.len() > max` vs `>= max`. Length max+1 must reject.
        let s = "a".repeat(51);
        assert!(validate_body(&s, 50, "Body").is_err());
    }

    #[test]
    fn body_trims_before_length_check() {
        // Trimmed length, not raw length, is what counts. " a " (3 raw) → "a"
        // (1 trimmed) fits within max=1.
        assert_eq!(validate_body(" a ", 1, "Body").unwrap(), "a");
    }

    #[test]
    fn body_or_chain_requires_either_condition() {
        // Pins `is_empty() || len > max` vs `&&` (which would never reject).
        // An empty body alone (under max) must reject.
        assert!(validate_body("   ", 100, "Body").is_err());
        // A too-long body alone (non-empty) must reject.
        let s = "x".repeat(101);
        assert!(validate_body(&s, 100, "Body").is_err());
    }

    // ── is_mod_or_owner / is_owner Option wrappers ──

    #[test]
    fn is_mod_or_owner_none_role_is_false() {
        assert!(!is_mod_or_owner(&None));
    }

    #[test]
    fn is_mod_or_owner_some_roles() {
        assert!(is_mod_or_owner(&Some(CommunityRole::Owner)));
        assert!(is_mod_or_owner(&Some(CommunityRole::Moderator)));
        assert!(!is_mod_or_owner(&Some(CommunityRole::Member)));
    }

    #[test]
    fn is_owner_none_role_is_false() {
        assert!(!is_owner(&None));
    }

    #[test]
    fn is_owner_some_roles() {
        assert!(is_owner(&Some(CommunityRole::Owner)));
        assert!(!is_owner(&Some(CommunityRole::Moderator)));
        assert!(!is_owner(&Some(CommunityRole::Member)));
    }

    // ── community_state_denial_message ──

    #[test]
    fn state_denial_mod_bypasses_everything() {
        // Pins the `if is_mod_or_super { return None; }` early return — a mod
        // can write to Archived/Frozen/Restricted communities for any scope.
        for state in [
            CommunityState::Active,
            CommunityState::Restricted,
            CommunityState::Frozen,
            CommunityState::Archived,
        ] {
            for scope in [WriteScope::NewThread, WriteScope::ContinueExisting] {
                assert_eq!(
                    community_state_denial_message(state, scope, true),
                    None,
                    "mod must bypass: state={state:?} scope={scope:?}"
                );
            }
        }
    }

    #[test]
    fn state_denial_active_allows_members_both_scopes() {
        assert_eq!(
            community_state_denial_message(CommunityState::Active, WriteScope::NewThread, false),
            None
        );
        assert_eq!(
            community_state_denial_message(CommunityState::Active, WriteScope::ContinueExisting, false),
            None
        );
    }

    #[test]
    fn state_denial_restricted_blocks_new_thread_only() {
        // Restricted: members can reply but not start threads.
        assert_eq!(
            community_state_denial_message(CommunityState::Restricted, WriteScope::NewThread, false),
            Some("New threads are restricted in this community.")
        );
        assert_eq!(
            community_state_denial_message(
                CommunityState::Restricted,
                WriteScope::ContinueExisting,
                false
            ),
            None,
            "Restricted must allow replies"
        );
    }

    #[test]
    fn state_denial_frozen_blocks_all_member_writes() {
        assert_eq!(
            community_state_denial_message(CommunityState::Frozen, WriteScope::NewThread, false),
            Some("This community is frozen.")
        );
        assert_eq!(
            community_state_denial_message(CommunityState::Frozen, WriteScope::ContinueExisting, false),
            Some("This community is frozen.")
        );
    }

    #[test]
    fn state_denial_archived_blocks_all_member_writes() {
        assert_eq!(
            community_state_denial_message(CommunityState::Archived, WriteScope::NewThread, false),
            Some("This community is archived.")
        );
        assert_eq!(
            community_state_denial_message(
                CommunityState::Archived,
                WriteScope::ContinueExisting,
                false
            ),
            Some("This community is archived.")
        );
    }

    // ── parse_duration ──

    #[test]
    fn parse_duration_permanent_returns_none() {
        // Pins the `"permanent" => Ok(None)` arm; a mutation swapping arms
        // would either reject "permanent" or produce a non-None expiry.
        let r = parse_duration("permanent").unwrap();
        assert!(r.is_none());
    }

    #[test]
    fn parse_duration_known_strings_produce_offsets() {
        // Each known string maps to a specific Duration arm. Assert the
        // returned datetime is roughly the expected offset from now.
        let before = Utc::now();
        let h1 = parse_duration("1h").unwrap().unwrap();
        let after = Utc::now();
        let expected_min = before + Duration::hours(1);
        let expected_max = after + Duration::hours(1);
        assert!(h1 >= expected_min - Duration::seconds(2));
        assert!(h1 <= expected_max + Duration::seconds(2));

        let d1 = parse_duration("1d").unwrap().unwrap();
        let d7 = parse_duration("7d").unwrap().unwrap();
        let d30 = parse_duration("30d").unwrap().unwrap();
        // Ordering must be strict (catches arm-swap mutations).
        assert!(h1 < d1);
        assert!(d1 < d7);
        assert!(d7 < d30);
    }

    #[test]
    fn parse_duration_arm_offsets_are_distinct() {
        // Compare relative day gaps. From d1 to d7 should be ~6 days, from
        // d7 to d30 should be ~23 days. Catches mutations swapping arms.
        let d1 = parse_duration("1d").unwrap().unwrap();
        let d7 = parse_duration("7d").unwrap().unwrap();
        let d30 = parse_duration("30d").unwrap().unwrap();

        let gap_1_to_7 = (d7 - d1).num_days();
        let gap_7_to_30 = (d30 - d7).num_days();
        assert!((5..=7).contains(&gap_1_to_7), "1d→7d gap was {gap_1_to_7}");
        assert!((22..=24).contains(&gap_7_to_30), "7d→30d gap was {gap_7_to_30}");
    }

    #[test]
    fn parse_duration_unknown_is_rejected() {
        // Pins the `_ => Err(...)` arm: anything not in the allowlist must
        // return Err rather than (e.g.) defaulting to permanent.
        assert!(parse_duration("forever").is_err());
        assert!(parse_duration("").is_err());
        assert!(parse_duration("1d ").is_err(), "trailing whitespace must not match");
        assert!(parse_duration("1H").is_err(), "case-sensitive: 1H is not 1h");
    }

    // ── parse_uuid ──

    #[test]
    fn parse_uuid_valid_string() {
        let raw = "11111111-2222-3333-4444-555555555555";
        let parsed = parse_uuid(raw).unwrap();
        assert_eq!(parsed.to_string(), raw);
    }

    #[test]
    fn parse_uuid_invalid_string_is_err() {
        assert!(parse_uuid("not-a-uuid").is_err());
        assert!(parse_uuid("").is_err());
        assert!(parse_uuid("11111111-2222-3333-4444").is_err());
    }

    #[test]
    fn state_denial_message_distinct_per_state() {
        // Distinct error text per state — mutations that swap arms (e.g.
        // Frozen → Archived) would surface here.
        let frozen = community_state_denial_message(
            CommunityState::Frozen,
            WriteScope::NewThread,
            false,
        )
        .unwrap();
        let archived = community_state_denial_message(
            CommunityState::Archived,
            WriteScope::NewThread,
            false,
        )
        .unwrap();
        let restricted = community_state_denial_message(
            CommunityState::Restricted,
            WriteScope::NewThread,
            false,
        )
        .unwrap();
        assert_ne!(frozen, archived);
        assert_ne!(frozen, restricted);
        assert_ne!(archived, restricted);
    }
}